A Deductive Approach towards Reasoning about Algebraic Transition Systems

Algebraic transition systems extend labeled transition systems by allowing transitions labeled by algebraic equations, so that more complex systems can be modeled in detail. We present a deductive approach for specifying and verifying algebraic transition systems. We modify standard dynamic logic by introducing algebraic equations into modalities. Algebraic transition systems are embedded in the modalities of logic formulas which specify properties of algebraic transition systems. The semantics of modalities and formulas is defined with the solutions of algebraic equations. A proof system for this logic is constructed to verify properties of algebraic transition systems. The proof system combines inference rules with decision procedures on the theory of polynomial ideals, reducing a proof-search problem to an algebraic computation problem. The proof system is proved to be sound but inherently incomplete. Finally, a typical example illustrates that reasoning about algebraic transition systems with our approach is feasible.


Introduction
System verification requires a mathematical structure on which the system in question is described precisely. Labeled transition systems [1] are such structures proposed for this purpose, and they are widely used to specify hardware and software systems [2], for example integrated circuits, communication protocols, and concurrent algorithms. A labeled transition system is a specialized transition system (first presented by Keller [3]) whose transitions are labeled by abstract labels. Abstract labels are sufficient for modelling the atomic actions which trigger transitions of systems, but they are insufficient to describe the details of transitions in complex systems. For instance, we are much concerned with the details of how a train reduces its speed in the brake mode, which is usually specified by mathematical equations.
Algebraic transition systems [4] extend labeled transition systems by labeling transitions with algebraic assertions, which are conjunctions of polynomial equations. Transitions labeled with algebraic assertions are able to describe how states change according to those polynomial equations, which is very necessary for modelling complex systems. What is more significant is that many mathematical techniques on polynomials become available for the analysis of complex systems, such as the theory of polynomial ideals [5]. On the other hand, conventional methods are not adequate for the verification of algebraic transition systems, due to the complexity of algebraic assertions. To the best of our knowledge, there is no approach for reasoning about algebraic transition systems. Our study is motivated mainly by this.
Our approach is related to theorem proving, which is a well-established verification method for labeled transition systems. The theorem proving method [6,7] tries to find a proof of the desired property, which is written as a theorem in a logic language. Another verification method, called model checking, uses a finite-state traversal algorithm [8,9]. Hence the model checking method automatically checks whether a given system satisfies the desired properties by traversing the state space of the system. However, model checking requires systems to be finite-state, or to have a state space that can be divided into finitely many quotient subspaces [10,11]. The theorem proving method is not restricted to finite-state systems and hence applies to complex systems, most of which have infinite state spaces. Since the state spaces of algebraic transition systems are defined over R, which is infinite, we choose the theorem proving method to verify algebraic transition systems.
Inspired by [4, 12-14], we present a deductive approach for specifying and verifying algebraic transition systems. Our approach includes a modification of dynamic logic and a proof system for it. The logic is extended from dynamic logic [15] by allowing algebraic equations in modalities. There are two standard modalities [𝛼] and ⟨𝛼⟩, where 𝛼 is defined with algebraic equations. [𝛼] refers to the states reachable by all runs of 𝛼, while ⟨𝛼⟩ indicates the states reachable by some run of 𝛼. The formal semantics of modalities is defined with zero sets of polynomials. These modalities, embedded in logical formulas, are used to model the behaviors of algebraic transition systems. The properties of algebraic transition systems are specified with formulas of this logic. The satisfaction of formulas is defined with zero sets of polynomials and the semantics of modalities. For deciding whether the desired properties are satisfied, a proof system in sequent-calculus style is constructed. This proof system aims to find a proof of the desired properties with inference rules. Several special rules are customized to handle modalities with algebraic equations by reducing the proof-search problem to an algebraic computation problem. The algebraic computation procedures enhance the reasoning power of our proof system. The proof system is proved to be sound but, like many other proof systems, inherently incomplete. Reasoning about algebraic transition systems with our approach is demonstrated with a typical example.
In recent decades, the deductive approach for specifying and verifying transition systems has produced fruitful results [16]. TLA+ [17] is a specification language designed by Lamport for formally describing and reasoning about distributed systems. Systems are specified in TLA+ as formulas of the Temporal Logic of Actions (TLA) [6], which is a variant of temporal logic. The TLA+ proof system (TLAPS) [18,19] is a general platform for the development of TLA+ proofs. A whole proof in TLAPS is decomposed into a collection of subproofs which are sent to backend verifiers, including SMT solvers, theorem provers, and proof assistants. Compared with TLA+ and TLAPS, our approach is designed for the direct proof of properties of algebraic transitions. With our approach the proof problem is reduced to an algebraic computation problem, such as the ideal membership problem of ideal theory. Our proof system can be considered as a backend verifier of TLAPS for algebraic transition systems.
Combined with mathematical procedures, the deductive approach can be used for the verification of more complex systems, for example real-time systems and reactive systems [20-22]. Platzer [12,23] developed a deductive framework for the verification of hybrid systems, which are dynamic systems containing continuous evolutions and discrete transitions. A discrete transition in [12] is specified as an explicit assignment to a variable. For instance, the primed variable   in the discrete transition   = ( 1 , . . .,   ), which assigns the value of ( 1 , . . .,   ) to   , can be immediately eliminated by replacing it with ( 1 , . . .,   ). In contrast, a transition in an algebraic transition system is modelled as an algebraic equation. Consider the transition (  ,  1 , . . .,   ) = 0 as an example. The primed variable   in this transition can be directly eliminated only if it can be equivalently written as a polynomial in  1 , . . .,   , such as   =   ( 1 , . . .,   ). In most cases, the transitions in algebraic transition systems generalise the discrete parts of hybrid systems. Algebraic transition systems cannot simply be seen as subsets of hybrid systems and therefore are not covered by the usual methods. In this sense our approach can be considered as a complement to the usual methods for verifying complex systems.
The rest of this paper is organized as follows. Section 2 presents some preliminary concepts and theorems which lie at the core of our approach. We introduce our understanding of algebraic transition systems in Section 3. The algebraic modification of dynamic logic is described in Section 4. In Section 5 we construct a proof system for this logic, and we prove the soundness and inherent incompleteness of the proof system in Section 7. Our approach is illustrated by reasoning about a train control system in Section 6. Section 8 concludes with some ideas for future work.

Preliminary
In this section, we introduce several important results of polynomial ideal theory, which lie at the core of our approach.
We begin with the concepts of polynomials and ideals. Let N be the set of natural numbers including 0, R the set of reals, and C the set of complex numbers, obtained as the algebraic closure of the reals. Let V = { 1 , . . .,   } be a set of variables. The set of polynomials in these variables whose coefficients are drawn from the reals is denoted by R[ 1 , . . .,   ].
Definition 1 (zero set). Let ( 1 , . . .,   ) ∈ R[ 1 , . . .,   ] be a polynomial on V; the zero set of ( 1 , . . .,   ), denoted by Zero(), is the set of points in the complex plane such that where ( ⃗ ) is obtained from ( 1 , . . .,   ) by replacing all variables with the elements of the point ⃗ .
An ideal generated by a set of polynomials  = { 1 , . . .,   }, denoted by ⟨⟩, is the smallest ideal containing  and equivalently The ideal ⟨⟩ is said to be finitely generated if the set  is finite. Hilbert's basis theorem says that every ideal in C[ 1 , . . .,   ] is finitely generated.
The basic relation between an ideal and its generators is that they have the same zero set, according to the following theorem.
Theorem 3. Given an ideal  = ⟨⟩ generated by  = { 1 , . . .,   }, the zero set of  and the zero set of  are the same:
Proof.
(1) Since  ⊂ , we immediately conclude that Zero() ⊃ Zero(). That is, (2) Conversely,
Definition 4 (radical ideal). Let  ⊂ R[ 1 , . . .,   ] be an ideal. The radical of , denoted by √ , is the set
The following theorem asserts a significant relation between zero sets and ideal membership, which is the underlying algebraic principle of the axiom rules in Section 5.
The proof of Hilbert's Nullstellensatz can be found in [5].
A fundamental question in ideal theory is checking whether a given polynomial belongs to the radical of an ideal, which is known as the radical membership problem. This problem involves the following theorem.
Theorem 6. Let  ∈ R[ 1 , . . .,   ] be a polynomial and let  = ⟨ 1 , . . .,   ⟩ ⊆ R[ 1 , . . .,   ] be an ideal. Then  belongs to the radical of the ideal  if and only if the constant 1 belongs to the ideal Ĩ = ⟨ 1 , . . .,   , 1 − ⟩ ⊂ R[ 1 , . . .,   , ]; that is, where  is a new variable different from  1 , . . .,   .
Proof. A proof of this theorem can be found in any standard text on ideal theory (see Proposition 8 in [5]).
Solving the radical membership problem requires a special kind of generating set, called a reduced Gröbner basis. Every ideal of R[ 1 , . . .,   ] has a unique finite reduced Gröbner basis [24].
Another application of reduced Gröbner bases, shown by the following theorem, is deciding whether a finite set of polynomials has an empty zero set.

Theorem 7. Let 𝐹 ⊆ R[𝑥 1 , . . ., 𝑥 𝑛 ] be a finite set of polynomials and 𝐺 the reduced Gröbner basis for ⟨𝐹⟩. Then 𝐹 has an empty zero set if and only if
Proof. A proof of this theorem can be found in Corollary 4.3.7 of [24].

Algebraic Transition Systems
In this section, we show how algebraic assertions enrich the abstract labels of labeled transition systems.

Definition 8 (algebraic assertions). An algebraic assertion  over the set of variables V is defined as a finite union of polynomial equations of the form where, for each For an algebraic assertion , its zero set is defined as We say that a point ⃗ ). An algebraic transition system is specialized from a labeled transition system. Each transition of an algebraic transition system is labeled with an algebraic assertion instead of an abstract label.
Definition 9 (algebraic transition system). An algebraic transition system A is a tuple A = ⟨S, T, Ψ, ⟩, where (i) S is the set of states; (ii) T ⊂ S × S is the set of transitions; (iii) Ψ is a set of algebraic assertions on V ∪ V  including the null label ; (iv)  : T → Ψ is a label function assigning an algebraic assertion to each transition.
For an algebraic transition system A, a state  ∈ S is a function which maps each variable in V to a real. According to the label function , each transition  ∈ T is labeled with an algebraic assertion denoted by () ∈ Ψ. The algebraic assertion () is defined on V ∪ V  , where V denotes the current-state variables and V  denotes the next-state variables.
The transition relation of A, which describes how states change, is defined by algebraic assertions on V ∪ V  . For each  ∈ T, the transition relation   is determined by the label () as follows: where ,   indicate the current state and the next state, respectively, and ()(,   ) is evaluated by substituting each variable V ∈ V of () with the corresponding value in  and each variable V  ∈ V  with the corresponding value in   . In particular, the null label  specifies the identity relation on S; that is,   = {⟨, ⟩ |  ∈ S}. The transition labeled by  from  to   is denoted by    →   . An algebraic transition system is deterministic if there is at most one transition and one label for any state; otherwise it is nondeterministic. In a deterministic algebraic transition system, the next state is determined uniquely by the current state. For instance, given an algebraic assertion  def =   −  − 1 = 0, the next state is obtained by adding 1 to the variable  in the current state. We say the transition labeled by  is deterministic and nondeterministic if Obviously, an algebraic transition must be deterministic if for all  ∈ Ψ each variable   ∈ V  in  can be written as a unique polynomial over V. In this case, each algebraic assertion can be written as Hence the value of each variable    in the next state is uniquely determined by  1 , . . .,   in the current state according to   ( 1 , . . .,   ).
Definition 10 (run). Given an algebraic transition system A = ⟨S, T, Ψ, ⟩, a run  of A is defined by a sequence of transitions as follows: where the th element of  is denoted by   and for each  ≥ 0 there exists a transition   = ⟨  ,  +1 ⟩ ∈ T from state   ∈ S to state  +1 ∈ S such that
Example 11. In order to illustrate algebraic transition systems, we present the simplified train control system shown in Figure 1. Assume that a train has two modes: the acceleration mode (Acc) and the deceleration mode (Dec). The train keeps checking the current mode and velocity. If it is in mode Acc and its velocity reaches 10, it inverts the acceleration power ( = −) and changes its mode to Dec. Then the position  of the train evolves with velocity V along  = +VΔ and V = V + Δ. If the velocity of the train slows down to 5 in mode Dec, it inverts its deceleration power ( = −) and switches to mode Acc. Compared with real-time systems and hybrid systems, the behavior of algebraic transition systems is discrete, such as the discrete behavior of the train with time period Δ. Note that we use the relaxed form of algebraic assertions. For instance, we write   = − as the relaxed form of   +  = 0. Dec and Acc can be any fixed constants.
In contrast with classical labeled transition systems with abstract labels [3], algebraic transition systems are widely useful for modeling data flows, since algebraic assertions describe in detail how data change between states. What is more significant is that the introduction of concepts from ideal theory makes more powerful and efficient algebraic methods available for reasoning about complex systems.

Algebraic Dynamic Logic
In this section, we present algebraic dynamic logic, in which algebraic transition systems are modeled as modalities by modifying first-order dynamic logic. Properties of the behavior of algebraic transition systems can be expressed as formulas of this logic. After introducing the syntax of algebraic programs and formulas, we define an algebraic semantics according to the algebraic transition systems described in Section 3.

Syntax.
The formulas of the logic are strings built over a finite set V = { 1 , . . .,   } of real-valued variables and a signature Sig consisting of function symbols, predicate symbols, and constant symbols. In algebraic dynamic logic, modalities are extended to algebraic programs, which are combinations of algebraic assertions and operational connectives.
Definition 12 (algebraic programs).The set of algebraic programs Prm(V, Sig) is defined inductively as follows.
(i) If  is an algebraic assertion on V ∪ V  defined in Definition 8, then the assignment  ∈ Prm(V, Sig) is an algebraic program.
(ii) If  is an algebraic assertion on V, then the guard ? ∈ Prm(V, Sig) is an algebraic program.
(iii) If  and  are algebraic programs, then the sequential composition ;  ∈ Prm(V, Sig).
(iv) If  and  are algebraic programs, then the nondeterministic choice  ∪  ∈ Prm(V, Sig).
(v) If  is an algebraic program, then the iteration  * ∈ Prm(V, Sig).
As previously mentioned, the effect of an assignment  def = ⋀  (  ( 1 , . . .,   ,   1 , . . .,    ) = 0) is specified as a transition relation of an algebraic transition system. Furthermore, all equations   of  take effect simultaneously to change the current state. Assignments in computer programming languages are special cases of algebraic assertions, since each next-state variable can easily be written as a unique polynomial in the current-state variables according to the assignment statement. The guard ? is used to check whether the subsequent transition is possible. For the guard in (?; ), the program  is allowed to happen only when  is satisfied in the current state. Not all programs need a guard; any program without a guard always takes place. The program ;  says that  is executed after doing . The program  ∪  means that one of  and  is nondeterministically chosen and executed, and the program  * says that  is executed some finite number of times.
Owing to the operational structure of programs in standard dynamic logic [15], an algebraic transition system can be translated into an algebraic program directly. Algebraic programs encode algebraic transition systems into the modalities of formulas, which specify properties of algebraic transition systems according to the following definition.
Definition 13 (formulas).The set of  formulas Frm(V, Sig) is obtained inductively as follows.
is an atomic formula.
Existential quantification can be defined from universal quantification: ∃  is an abbreviation of ¬∀ ¬.

The relation between [𝛼]𝜙 and ⟨𝛼⟩𝜙 is ⟨𝛼⟩𝜙
The formula [] expresses that all runs of program  lead to states on which the formula  holds. Likewise, ⟨⟩ means that there exists at least one run of program  after which the formula  holds. In [] and ⟨⟩, the algebraic program  plays the role of encoding an algebraic transition system, while  claims that the behavior of the algebraic transition system satisfies the property specified by . For example, the formula ⟨  = 0; (  =  + 1) * ⟩ ( − 3 = 0) asserts that there exists a run of the loop   =  + 1 in which  eventually reaches 3.
Variables occurring in the scope of the quantifiers ∀ and ∃ are bound to quantifiers, and variables of V  occurring in modalities are bound to modalities. Variables are free if they are in the scope of neither quantifiers nor modalities. We assume that no variable is bound to both a quantifier and a modality at the same time. The interaction of the quantifiers ∀, ∃ and the modalities [⋅], ⟨⋅⟩ makes formulas subtle. In particular, whether a quantifier occurs before or after a modality changes the meaning of a formula slightly. For instance, ∀[  = ] means that all choices of the parameter  assigned to   keep  true. However, in [  = ]∀, the variable  in [  = ] is free and different from the  in ∀, which is a parameter and can be substituted with another variable symbol not occurring in . The way of unifying quantification and modalities in [15] is to use a special wildcard assignment to redefine quantification, such that ∀ ↔ [  = ?] and ∃ ↔ ⟨  = ?⟩, where the wildcard assignment   = ? indicates an arbitrary assignment to .
Example 14. We formalize the train control system shown in Figure 1. We use the nondeterministic choice ∪ to join Ac and Dc together. In the phase Ac, the program tests whether the current mode is Acc and then checks whether the current velocity reaches 10. If so, the mode switches to Dec and the acceleration power  is inverted. The subsequent action is executing drive, in which the velocity V and the position  evolve along V  − V − Δ = 0 and   −  − VΔ = 0, respectively. The phase Dc is similar to Ac. The control system repeats (Ac ∪ Dc; drive) indefinitely many times (or forever).
Furthermore, we express properties of the train control system as formulas. For instance, the statement about the train control system "the velocity of the train never reaches 11" is equivalently expressed as the following formula:

Semantics.
The semantics of the logic is defined in the fashion of Kripke [25], where possible worlds represent states of algebraic transition systems and the transition relations along the runs of algebraic transition systems are represented as the accessibility relation.
For the set V and signature Sig, an interpretation I is a map which sends each function symbol in Sig to an algebraic assertion on V ∪ V  and each predicate symbol in Sig to an algebraic assertion on V. A state is a map  : V → R assigning a real value to each state variable in V; the values of state variables are changed only by algebraic programs. The free variables in V are mapped to the reals by an assignment  : V → R. These variables are also called logical variables. There is no need to distinguish logical variables from state variables except for clarity of expression.
The semantics of an algebraic program is interpreted as a transition relation consisting of pairs of states, while the satisfaction of a formula is interpreted as a Boolean value assigned by a state with respect to an interpretation and an assignment. We begin with the semantics of algebraic programs.
Definition 15 (semantics of algebraic programs). For each algebraic program  ∈ Prm(V, Sig), its semantics, denoted by (), specifies the states  which are reachable from the state V under the operation of . () is inductively defined as follows.
, where  is an algebraic assertion on V.
Note that the semantics of an algebraic program is defined according to the zero sets of algebraic assertions. Let  def =  be an algebraic program with the algebraic assertion  def = ⋀    = 0 on V ∪ V  ; the semantics of  is the common zero set of all   . For example, the semantics of ( + 1) 2 − (  ) 2 = 0 is the set of points lying on the two lines   −  − 1 = 0 and   +  + 1 = 0 in the  −   plane. There may exist more than one successor state for the current state, although in most cases the successor states of a given state are uniquely determined by the algebraic program. A guard of the form ? is associated with those states which satisfy the algebraic assertion , for triggering the next program. An iteration  * yields all states reachable from the state V by executing  nondeterministically many times (zero or more).
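As an added example (not code from the paper), the following Python interprets Definition 15 over concrete states: an assignment is given by the branches of its zero set (the successor states), a guard filters the current state, and an iteration is unfolded a bounded number of times, which under-approximates the unbounded star. It is then used to evaluate the diamond formula ⟨x' = 0; (x' = x + 1)*⟩(x − 3 = 0) from Section 4.1 and the two-line assignment (x + 1)² − (x')² = 0 above; the tuple encoding of states, the program names and the unfolding bound are my assumptions.

```python
# Programs (Definition 12) as tagged tuples; a state is a tuple of reals with x in slot 0.
#   ("assign", succ)   succ: state -> list of next states (the branches of the zero set)
#   ("guard", holds)   holds: state -> bool, true when the assertion's polynomials vanish
#   ("seq", a, b)  ("choice", a, b)  ("star", a)


def run(prog, s, bound):
    """Definition 15: the states reachable from s by prog. Each star is unfolded at
    most `bound` times (an assumption of this example), so the result is an
    under-approximation of the unbounded iteration."""
    kind = prog[0]
    if kind == "assign":
        return set(prog[1](s))
    if kind == "guard":
        return {s} if prog[1](s) else set()
    if kind == "seq":
        return {t for m in run(prog[1], s, bound) for t in run(prog[2], m, bound)}
    if kind == "choice":
        return run(prog[1], s, bound) | run(prog[2], s, bound)
    if kind == "star":
        seen, frontier = {s}, {s}          # zero iterations: s itself is reachable
        for _ in range(bound):
            frontier = {t for m in frontier for t in run(prog[1], m, bound)} - seen
            if not frontier:
                break                      # fixpoint reached before the bound
            seen |= frontier
        return seen
    raise ValueError("unknown program kind: %r" % kind)


def box(prog, phi, s, bound):
    """[prog]phi at state s: phi holds in every reachable state (within the bound)."""
    return all(phi(t) for t in run(prog, s, bound))


def diamond(prog, phi, s, bound):
    """<prog>phi at state s: phi holds in some reachable state (within the bound)."""
    return any(phi(t) for t in run(prog, s, bound))


# x' = 0 ; (x' = x + 1)*  -- the loop discussed in Section 4.1 (constructed here)
SET_ZERO = ("assign", lambda s: [(0,)])
INC = ("assign", lambda s: [(s[0] + 1,)])
COUNT_LOOP = ("seq", SET_ZERO, ("star", INC))

# (x + 1)^2 - (x')^2 = 0: its zero set is the union of the lines x' = x + 1 and x' = -x - 1
SQUARE = ("assign", lambda s: [(s[0] + 1,), (-s[0] - 1,)])

# ?(x - 3 = 0); x' = 0 -- a guarded program, only enabled in the state x = 3
GUARDED = ("seq", ("guard", lambda s: s[0] - 3 == 0), SET_ZERO)


def reaches_three(bound):
    """<x'=0; (x'=x+1)*>(x - 3 = 0) from x = 7: true iff the loop is unfolded >= 3 times."""
    return diamond(COUNT_LOOP, lambda t: t[0] - 3 == 0, (7,), bound)


def square_is_deterministic(s):
    """The two-line assignment has a single successor only where the lines meet (x = -1)."""
    return len(run(SQUARE, s, 1)) == 1


if __name__ == "__main__":
    print(reaches_three(5), reaches_three(2))                 # True False
    print(run(SQUARE, (2,), 1))                               # {(3,), (-3,)}
    print(box(("seq", COUNT_LOOP, GUARDED), lambda t: t[0] == 0, (7,), 5))  # True
```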
The satisfaction of a formula  involves an interpretation I, an assignment , and a state V. For a formula , we write I, , V ⊨  and say that V and  satisfy  in I, or that  is true in state V with respect to I and .
We omit I and  and write V ⊨  when I and  are understood from the context. The notation V ⊭  means that V does not satisfy . We use [  → ] to denote the modification of the assignment  that agrees with  except for the variable , which is changed to  ∈ R.
Definition 16 (satisfaction of formulas).For two  formulas  and , the satisfaction is inductively defined according to the syntactic structure of  and .
A formula  is valid in I, written I ⊨ , if  is true on all states and all assignments in the interpretation I. If I ⊨  for all interpretations I, we write ⊨  and say that  is valid. Having given the semantics of algebraic dynamic logic, in order to prove the validity of formulas such as (17), we construct a proof system for the logic in the next section.

Proof System
In this section, we construct a sequent calculus for algebraic dynamic logic. In a sequent calculus a sequent is an expression of the form Γ ⊢ Δ, where the antecedent Γ = ( 1 , . . .,   ) and the succedent Δ = ( 1 , . . .,   ) are finite sequences of formulas. The meaning of Γ ⊢ Δ is equivalently expressed as the following formula: That is to say, a sequent Γ ⊢ Δ is satisfied by a state V if and only if V ⊨  1 ∧⋅ ⋅ ⋅∧  →  1 ∨⋅ ⋅ ⋅∨  . Equivalently, V makes the sequent false if V makes  1 , . . .,   all true and  1 , . . .,   all false. An inference rule is of the form where both  1 ⋅ ⋅ ⋅   and   are sequents. The upper sequents  1 ⋅ ⋅ ⋅   are called premises and the lower sequent   is called the conclusion. The semantics of an inference rule is that each state satisfying all premises also makes the conclusion true. The direction of entailment is top-down, which means that the premises logically imply the conclusion, while the direction of applying rules is bottom-up: the procedure of reasoning about a sequent starts from the conclusion at the bottom and proceeds to the premises at the top.
The proof system is constructed by customizing inference rules which manipulate formulas in an algebraic fashion. The basic idea is to evaluate the effects of algebraic programs with the algebraic methods mentioned in Section 2, transforming formulas into first-order formulas without algebraic programs. The calculus consists of axiom rules, rules for logical operators, rules for quantifiers, rules for modalities, and rules for programs.

Rules for Axioms.
In this and the following sections, the symbols Γ, Δ denote arbitrary sequences of formulas and ,  denote formulas unless otherwise noted.
Four basic rules ( 1 )-( 4 ) listed in (T1), named axiom rules, are used for closing a proof search. Rules ( 1 )-( 3 ) are the same as in many other sequent calculi. The axiom rule ( 1 ) treats a sequent with a common formula in the antecedent and the succedent as an axiom, which can be inferred from nothing (denoted by ⊥): In  4 ,  and  are atomic formulas which are expressed as polynomials in the variables of V, and Zero() ⊆ Zero(). Rule ( 4 ) is customized to coordinate with mathematical procedures of ideal theory implemented by computer algebra systems, such as REDUCE, Maple, Mathematica, AXIOM, and SINGULAR. Rule ( 4 ) states that any sequent whose antecedent has a formula  whose zero set is included in the zero set of some formula  of the succedent can be treated as an axiom. By Theorems 5 and 6, the inclusion Zero() ⊆ Zero() can be transformed into the radical membership problem, which is decided by the radical membership algorithm on polynomial ideals [5,24]. That is to say, if there is an atomic formula  in the succedent such that  belongs to the radical of the ideal generated by the polynomials of  in the antecedent, that is,  ∈ √⟨⟩, then the sequent can be treated as an axiom. The radical membership algorithm is implemented in most computer algebra systems, such as the RadicalMembership command in Maple. The discussion of computer algebra systems is not in the scope of this paper.

Rules for Logical Operators.
The rules in (T2) are used to handle the standard logical operators. Each logical operator can appear in the antecedent or in the succedent, so each operator needs a dual pair of rules (a left rule and a right rule): Rules ( 1 )-( 8 ) are standard for propositional dynamic logic. These rules decompose formulas with propositional structure into smaller formulas with fewer logical operators. Rules ( 1 ) and ( 2 ) are dual and aim to reduce the negation operator ¬. Rule ( 3 ) just replaces the symbol ∧ with a comma, since formulas are combined conjunctively in the antecedent of a sequent by the definition of sequents. Rule ( 4 ) branches a sequent containing the operator ∧ in the succedent into two sequents, since conjuncts in the succedent can be proved separately according to the semantics of sequents. Dually, rule ( 5 ) is similar to ( 4 ) and ( 6 ) is similar to ( 3 ) according to the semantics of sequents. Rule ( 7 ) derives from rules ( 5 ) and ( 1 ) by the logical equivalence of ( → ) and (¬ ∨ ). Similarly, rule ( 8 ) is derived from rules ( 6 ) and ( 2 ).

Rules for Quantifiers.
Recall that variables of V  occurring in an algebraic program are bound to modalities.We assume that each modality-bound variable is not bound to any quantifier.A variable is free if it is not bound to modalities and quantifiers.
Definition 17 (substitution). A substitution of an algebraic assertion or a formula for a free variable is defined as a function which maps each object variable to a designated polynomial. Let  be a polynomial; the result of substituting  for a variable  in an algebraic assertion  is denoted by [  → ]. The result of substituting  for a variable  in a formula  is denoted by [  → ].
A substitution with the result [  → ] is admissible for the formula  if no variable  of  becomes bound in the formula [  → ]. That is to say, variables free in  are still free in [  → ] after applying an admissible substitution.
As mentioned previously, algebraic programs are defined on V ∪ V  , whereas formulas, which are defined on V, only assert properties of the final states of the runs of algebraic programs. Confusion about variables may arise when an algebraic program needs to be lifted to a formula by the rules in (T4). To eliminate this confusion, the variables of algebraic programs need to be renumbered by the variable numbering procedure defined below whenever an algebraic program is lifted to a formula with rule ( 1 ) or rule ( 2 ).
Definition 18 (variable numbering procedure).For each sequent Γ ⊢ Δ, there always exists a procedure such that a sequent, which does not produce any confusion about variable, is obtained from Γ ⊢ Δ by numbering all occurrences of variables.
Since every sequent is assumed to contain finitely many variables, numbering them is easy and immediately yields a variable numbering procedure. We assume that each sequent which would produce variable confusion is implicitly numbered by the variable numbering procedure. For the sake of succinctness, this procedure is not described in detail; its effect is illustrated by Example 19:
(T4) In ( 1 ) and ( 2 ), Ψ denotes an algebraic assertion on V ∪ V  . In ( 3 ) and ( 4 ), Ψ denotes an algebraic assertion on V. Variables bound to Ψ are denoted by  Ψ .
Example 19. Consider the sequent It would produce confusion of the variables  and   if we applied rules ( 1 ) and ( 2 ) directly. After running the variable numbering procedure, we get the following sequent: which produces no confusion when applying ( 1 ) and ( 2 ).
Rules ( 1 ) and ( 2 ) are used to deal with assignment programs in [⋅] and ⟨⋅⟩. The basic idea of ( 1 ) and ( 2 ) is to transform a formula with assignment programs into a standard first-order formula by lifting the assignment programs to logical formulas. ( 1 ) expresses that the formula  always holds after executing the assignment program Ψ if Ψ implies  for all values of the variables bound to Ψ, while ( 2 ) expresses that  holds for some execution of Ψ if both Ψ and  hold for some values of the variables bound to Ψ. Both ( 1 ) and ( 2 ) reflect the underlying logical principle that formulas with assignment programs can be transformed into quantified formulas. The rules ( 3 ) and ( 4 ) can be understood in the same way as in [15], except that the logical formula of the test is replaced with a guard specified by an algebraic assertion Ψ on V.
Rules ( 1 )-( 6 ) are used to decompose the structure of programs into simpler programs. In order to prove sequential compositions of programs, the nested modalities obtained by decomposing a sequential composition have to be proved by ( 1 )-( 2 ). Nondeterministic choices are proved by proving the conjunction (by ( 3 )) or the disjunction (by ( 4 )) of the alternatives. ( 5 ) and ( 6 ) are the usual iteration rules of dynamic logic [15], which unfold loops.

Miscellaneous Rules.
Besides the rules mentioned previously, some miscellaneous rules are necessary for our proof system. Several types of rules are listed in (T5). The first type is the usual generalization rules ( 1 and  2 ), which allow one to derive [] ⊢ [] and ⟨⟩ ⊢ ⟨⟩ from ⊢  → .
( 1 ) is the usual cut rule [27]; it does not let our proof system prove more theorems, but it allows proofs to be shorter and simpler. ( 1 ) states that when a formula  can be concluded from the context and  can also serve as a premise for concluding other formulas, then  can be cut out of the context. However, when searching for a proof bottom-up with the cut rule, one has to guess the auxiliary formula .
Rule ( 1 ) is a variant of the usual induction rule with inductive invariant  [15]. It expresses that the invariant  holds after any number of iterations of  if  holds in the current state and  still holds after an execution of  whenever    holds for all bound variables of . Rule ( 1 ) transforms a finite set of atomic formulas with an empty zero set into the Boolean value False; whether a set of atomic formulas has an empty zero set is decided by Theorem 7. In ( 1 ),  denotes all variables bound to the algebraic program . In rule ( 1 ) the formulas  1 , . . .,   are atomic and have an empty zero set.

Verification Example
Reasoning about the safety property of the train control system, formulated by (17), is shown in Figures 2-4. Remark that we have assumed the parameter Δ to be constant; that is, time is discrete and modelled by Δ. In addition, the train changes its velocity once per Δ and keeps it fixed within each Δ. We start by writing the safety property [train]¬(V − 11 = 0) into the proof obligation: We use rule ( 1 ) to eliminate the iteration operator and split the sequent into two branches by applying rule ( 4 ). The left branch derives the open sequent V − 11 = 0 ⊢ from ⊢ ¬(V −11 = 0) by applying ( 2 ). Recall that by the semantics of sequents the proof obligation is valid only if all premises are valid. Hence (24) is not valid if (V − 11 = 0) ⊢ is not valid. In other words, whatever makes (V − 11 = 0) ⊢ valid must be guaranteed initially in order to make (24) valid.
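The following is an added example (not code from the paper) that executes the semantics behind the assignment rules ( 1 ) and ( 2 ) of (T4), the iteration unfolding rules, and the train safety obligation [train]¬(V − 11 = 0) above. It approximates the paper's zero-set semantics by enumerating a small integer domain of velocities, and the brake model "velocity drops by 2 per Δ" (the equation V′ − V + 2 = 0), the class names `Assign`, `Guard`, `Seq`, `Choice`, `Star` and the helper names are all constructed assumptions for illustration, not the paper's Figure 1 system.

```python
from typing import Callable, Dict, List

State = Dict[str, int]

# Constructed finite domain (assumption): the paper interprets modalities over
# zero sets of polynomials; here that is approximated by enumerating 0..20.
DOMAIN = range(0, 21)

def states() -> List[State]:
    return [{"V": v} for v in DOMAIN]

class Assign:
    """Assignment program labelled by an algebraic assertion psi on V ∪ V';
    psi(s, t) is True when (s, t) is a solution of its equations."""
    def __init__(self, psi: Callable[[State, State], bool]):
        self.psi = psi
    def succ(self, s: State) -> List[State]:
        return [t for t in states() if self.psi(s, t)]

class Guard:
    """Test program guarded by an algebraic assertion on V alone."""
    def __init__(self, psi: Callable[[State], bool]):
        self.psi = psi
    def succ(self, s: State) -> List[State]:
        return [s] if self.psi(s) else []

class Seq:
    def __init__(self, a, b):
        self.a, self.b = a, b
    def succ(self, s):
        out = []
        for t in self.a.succ(s):
            for u in self.b.succ(t):
                if u not in out:
                    out.append(u)
        return out

class Choice:
    def __init__(self, a, b):
        self.a, self.b = a, b
    def succ(self, s):
        out = list(self.a.succ(s))
        return out + [u for u in self.b.succ(s) if u not in out]

class Star:
    """Iteration: reflexive-transitive closure as a fixpoint (finite domain)."""
    def __init__(self, a):
        self.a = a
    def succ(self, s):
        reach, frontier = [s], [s]
        while frontier:
            nxt = []
            for t in frontier:
                for u in self.a.succ(t):
                    if u not in reach:
                        reach.append(u)
                        nxt.append(u)
            frontier = nxt
        return reach

Formula = Callable[[State], bool]

def box(prog, phi: Formula, s: State) -> bool:
    """[prog]phi: phi holds in every state reachable by one run of prog."""
    return all(phi(t) for t in prog.succ(s))

def diamond(prog, phi: Formula, s: State) -> bool:
    """<prog>phi: phi holds in some state reachable by one run of prog."""
    return any(phi(t) for t in prog.succ(s))

# Rules ( 1 ) and ( 2 ) of (T4) lifted to quantified formulas over the bound
# (primed) variables: [Ψ]φ ≡ ∀V'.(Ψ → φ) and <Ψ>φ ≡ ∃V'.(Ψ ∧ φ).
def box_assign_lifted(psi, phi: Formula, s: State) -> bool:
    return all((not psi(s, t)) or phi(t) for t in states())

def diamond_assign_lifted(psi, phi: Formula, s: State) -> bool:
    return any(psi(s, t) and phi(t) for t in states())

# Iteration unfolding used in the verification example: [p*]φ ≡ φ ∧ [p][p*]φ.
def unfold_agrees(p, phi: Formula, s: State) -> bool:
    lhs = box(Star(p), phi, s)
    rhs = phi(s) and box(p, lambda t: box(Star(p), phi, t), s)
    return lhs == rhs

# Constructed brake step (assumption, not the paper's model): per Δ the
# velocity drops by 2, i.e. the polynomial equation V' - V + 2 = 0.
def brake(s: State, t: State) -> bool:
    return t["V"] - s["V"] + 2 == 0

train = Star(Assign(brake))

# Safety property from the paper: ¬(V − 11 = 0).
def safe(t: State) -> bool:
    return t["V"] - 11 != 0

def train_safe_from(v: int) -> bool:
    return box(train, safe, {"V": v})

if __name__ == "__main__":
    for v in (11, 12, 13):
        print(f"V = {v:2d}: [train]¬(V−11=0) holds: {train_safe_from(v)}")
```

Starting at V = 12 the iteration only visits even velocities, so the obligation holds; starting at V = 13 the run passes through 11 and the right branch fails; starting at V = 11 the formula already fails in the initial state, which is exactly the open left-branch sequent V − 11 = 0 ⊢ discussed above.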

Conclusions and Future Work
In this paper, we present a deductive approach for reasoning about algebraic transition systems. This approach models algebraic transition systems as algebraic programs of , which is obtained by allowing algebraic assertions in dynamic logic. The properties of algebraic transition systems are formalized as  formulas with our method. We explain the semantics of algebraic programs in  as transition relations of algebraic transition systems and define the satisfaction of  formulas by zero sets of polynomials. A proof system for , called the  calculus, is constructed for reasoning about algebraic transition systems. The  calculus is proved to be sound and is illustrated by the verification of the safety property of the train control system.
Our approach combines mathematical procedures from polynomial ideal theory with deductive verification by customizing special rules for handling algebraic programs. The introduction of these mathematical procedures enhances the reasoning power of our proof system. However, proofs of properties involving iterations and quantifiers may be tedious and ineffective in complex cases. Future work includes a closer investigation of effective rules for iterations and quantifiers, for example, the invariant method [4,30-32] and quantifier elimination [33-35]. On the other hand, there are properties that cannot be formalized as  formulas, such as properties with inequalities, since  formulas are defined with algebraic assertions, which are polynomial equations. In addition, more general  formulas should include inequalities and more complex structures, such as differential equations for specifying hybrid systems.

Figure 1: A simple train control system.

Figure 3: Proof of the right branch.