Semantics of Intensional Type Theory extended with Decidable Equational Theories

Incorporating extensional equality into a dependent intensional type system such as the Calculus of Constructions (CC) provides stronger type-checking capabilities and brings proof development closer to intuition. Since strong forms of extensionality generally lead to undecidable type-checking, it seems a reasonable trade-off to extend intensional equality with a decidable first-order theory, as explored in earlier work on CoqMTU and its implementation CoqMT. In this work, CoqMTU is extended with strong eliminations. The meta-theoretical study, particularly the part relying on semantic arguments, is more complex. A set-theoretical model of the equational theory is the key ingredient to derive the logical consistency of the formalism. Strong normalization, the main lemma from which type-decidability follows, is proved by attaching realizability information to the values of the model. The approach we have followed is to first consider an abstract notion of first-order equational theory, and then instantiate it with a particular instance, Presburger Arithmetic. These results have been formalized using Coq.


1 Introduction
Most proof assistants, such as Coq [19], implement intensional type theory because extensional type theory is usually undecidable. Coq implements ECIC, a type theory that extends CC [8] with two more features: inductive types in the style of the Calculus of Inductive Constructions (CIC) [12], and a predicative hierarchy of universes, in the style of the Extended Calculus of Constructions (ECC) [10].
The purely intensional version of type theory may become awkward when it comes to programming with dependent types. In the well-known example of vectors, one has the type Vect(n) of lists of length n and a concatenation function @ such that v_1 @ v_2 has length n_1 + n_2 whenever v_i has length n_i. But showing that v @ nil = v is not possible, because it is not even a well-typed statement: the lengths n + 0 and n are not identified, since + is defined recursively on its first argument (n here), which is neither 0 nor a successor.
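The vector example above, written out as an added Coq script (not from the paper or its development), showing concretely why v @ nil = v fails to type-check when the length is a variable, and the explicit transport one has to insert in plain Coq instead; the names vec and app and the use of Nat.add_0_r are my choices:

```coq
(* Added example, not from the paper: length-indexed vectors in plain Coq. *)
Require Import Arith.

Inductive vec (A : Type) : nat -> Type :=
| vnil  : vec A 0
| vcons : forall n, A -> vec A n -> vec A (S n).

Arguments vnil {A}.
Arguments vcons {A n} _ _.

(* Concatenation: the result has length n + m, and + recurses on n,
   the length of the first vector. *)
Fixpoint app {A : Type} {n m : nat} (v : vec A n) (w : vec A m)
  : vec A (n + m) :=
  match v in vec _ k return vec A (k + m) with
  | vnil => w
  | vcons x v' => vcons x (app v' w)
  end.

(* With a closed length the statement is well-typed: 2 + 0 computes to 2. *)
Check (fun (A : Type) (v : vec A 2) => app v vnil = v).

(* With a variable length it is rejected: app v vnil : vec A (n + 0) while
   v : vec A n, and n + 0 does not reduce to n because + is stuck on the
   variable n. [Fail] succeeds exactly because the command fails. *)
Fail Check (fun (A : Type) (n : nat) (v : vec A n) => app v vnil = v).

(* In plain Coq one must transport along a proof of n + 0 = n merely to
   state the equation. Identifying n + 0 and n in the conversion is what the
   extension with a decidable theory such as Presburger arithmetic is for. *)
Check (fun (A : Type) (n : nat) (v : vec A n) =>
         eq_rect (n + 0) (vec A) (app v vnil) n (Nat.add_0_r n) = v).
```

The script is accepted as a whole: the first and last Check succeed, and the Fail Check succeeds only because the untransported statement is ill-typed.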
Several works have tried to fix this problem, either by adding rewrite rules to increase computing power [5] or by including extensional equalities [14,15,11]. Unfortunately, such solutions had never been implemented in a proof assistant until CoqMT [17], which evolved from [6,7,16] and was further generalized by CoqMTU [4]. The idea is a trade-off between decidability and type-checking capabilities: only decidable extensional theories are allowed, and equality in the theory is checked automatically by a decision procedure. Though this solution looks nice, the meta-theory of CoqMTU is not yet well understood: confluence and subject reduction of the full calculus are proved, but strong normalization (SN) and consistency are only proved in the absence of strong elimination.
Our first contribution, shown in Section 4, is to formalize a new schema (CCT) that incorporates an abstract decidable theory into the CC family, covering not only ECIC as implemented by Coq but also further extensions of it. The abstract theory can be instantiated by any concrete theory of interest, provided it can be represented in CCT and satisfies specific assumptions that ensure the main meta-theoretical properties. CCT captures many calculi, and we provide a uniform way of establishing their meta-theoretical properties semantically.
Our second contribution, shown in Section 5, is the proof of the key properties of CCT: consistency and strong normalization (with strong elimination), the basis for proving the meta-theory of other calculi that extend CC and admit a decidable theory. As is often the case, this requires a set-theoretical model. We have based our study on the work of the second author [3,2], which provides a modular framework for modeling a wide range of type theories from CC to the formalism of Coq. In this article, we show that this framework can be reused and that it accommodates the extra features of CCT.
To implement CICUT as a proof assistant, we must investigate its syntactic properties, among which only Church-Rosser cannot be proved in the usual way, because we do not embed extensional equations into ι-reduction as CoqMTU does. Nevertheless, this is not a disaster: we believe Church-Rosser still holds, and we will study the complete syntactic properties of CICUT in future work.
Finally, our last contribution, shown in Section 6, is to show that Presburger Arithmetic fits perfectly into this abstract notion of decidable first-order theory, which also demonstrates that our abstraction philosophy works well.
In the following sections, most of the proofs are omitted due to the page limit. They have been carried out in the Coq development, which is available to interested readers. Many similar notations are overloaded to avoid ambiguity; for instance λ is overloaded (with a dot and with a check) to represent abstraction on sets and on pure λ-terms respectively. We give the details where needed.
The notations without overloading are Coq primitives, such as ∀ for universal quantification, because the whole work is formally done in Coq. To make the concepts easier to understand, we use → for function types only, and ⇒ for implication. We also try to hide de Bruijn indices, though they are heavily used in the development.

2 CICUT
Since the focus of this paper is the semantic meta-theory, the syntax of CICUT will not be exhaustively introduced here. The core of CICUT is almost the same as that of CC. Figure 1 shows a judgmental presentation of the typing rules of CC; it differs from the usual one by replacing an equivalence relation on untyped λ-terms with equality judgments. Γ ⊢ M = M′ : T expresses that M is equal to M′, both being of type T in context Γ. [13] shows that these two presentations are equivalent, and we will extend this conclusion to all of the extensions considered in this article, leaving the proof to future work. The main novel feature of CICUT and CoqMTU in the syntax of terms is the embedding of a type of first-order terms. Regarding the typing rules, the main difference is the extension of definitional equality with a decidable theory ∼_T on these first-order terms. See [4] for a more detailed presentation. Let us just give the extra inference rules (besides the Presburger arithmetic axioms) that need to be considered to have CICUT instantiated with Presburger arithmetic. It introduces three canonical constants and a defined symbol (Rec):

The main difference between CICUT and CoqMTU is that we abandon the incorporation of definitional equalities into reductions and restore strong elimination, as witnessed by the fact that the eliminator of natural numbers (Rec) can be used with a term P belonging to any sort s. By contrast, weak elimination is obtained by restricting s to Prop, the sort of propositions. In other words, weak elimination provides the induction principle of the natural numbers, but not the possibility of defining functions by structural induction.

3 Extensible set-theoretical realizability model of CC
This section gives a short introduction to a general method used to build consistency and strong normalization models of a wide range of type theories with dependent types. See [2] for more details. Consistency of such formalisms is often achieved by providing a set-theoretical model, which interprets terms and types as sets. The judgment that a term has a given type is interpreted by the proposition that the interpretation of the term is a member of the interpretation of the type. The soundness of such a model implies the consistency of the formalism, as soon as one type (representing the absurd proposition) is interpreted by the empty set.
Strong normalization (SN) is the property that no well-typed term of a type system can be reduced ad infinitum. It often captures the logical strength of the type system seen as a logical formalism, which is why it generally requires a particular model construction. Types are no longer mere sets of values; they should also be interpreted as sets of strongly normalizing λ-terms, representing the possible terms that have this type. The latter are often called "realizers". The soundness of the model must also require that a term be interpreted by a realizer of its type. SN is thus a consequence of the construction of such a realizability model.
The main ingredient in this model construction is the notion of saturated sets due to Tait [18] (Girard's reducibility candidates serve the same purpose). They are sets of strongly normalizing λ-terms such that the type constructors (such as the arrow type or intersection) can be interpreted.
SN of CC and CIC in the presence of weak elimination can be proved in this setting. However, to take care of strong elimination we need a more subtle definition of realizers: a saturated set for the value of each type is not enough; each member of the value of a type should have its own saturated set of realizers (see the R function below). This is closely related to the notion of Λ-sets introduced by Altenkirch [1].
In the remainder of this section, we show how the model construction can be carried out, provided we can implement the two signatures below: the first gathers what is required to build a set-theoretical model (the set-denotation, whose symbols are overloaded with a dot ˙); the second corresponds to the extra requirements for a full realizability model (the term-denotation, whose symbols are overloaded with a check ˇ), from which SN follows.

3.1 Abstract Parameterized Models
The first abstract model is designed to provide a uniform structure of set denotations to all the models, hiding the implementation until instantiation. It contains the set-denotation of all closed terms of the model, together with the properties that ensure soundness. It uses a higher-order presentation: binding constructions are represented using functional arguments.
X is the type of values; it can be seen as a kind of set theory since we assume we have relations ∈ and = (membership and equality).
… is the set of all the values. The other symbols and related properties are specific to CC, hence they look similar to their counterparts in CC.
The second abstract model is a supplement of the first one, used when upgrading a consistency model to an SN model. The key parameter is the function R that takes a type and one of its elements and returns the saturated set formed by the realizers of this element.

Definition 2 (Abstract supplement of SN model).
This model aims at building a saturated set for each type and states that each proposition is inhabited.
where SAT and SN are the sets of all saturated sets and of all SN pure λ-terms respectively, and the remaining operations are the standard intersection and product (sat→) on saturated sets.
The daimon instance ensures that any type is inhabited, including False, so that SN is guaranteed in an arbitrary typing context. Consequently, consistency cannot be proved as in the consistency model; as a matter of fact it can still be deduced, as will be shown in Section 5.

3.2 Main Model Construction
The main model is called M; it gives an account of all syntactic entities (terms, judgments, derivations) based on an instance of the signatures above. The denotations of open terms depend on the valuations of free variables, so a term is encoded as a pair of functions, each taking a valuation (N → X for the set-denotation, N → Λ for the term-denotation) as parameter and returning a set or a pure λ-term as denotation, with some requirements to ensure consistency. Since de Bruijn indices are used, the arguments of valuations are natural numbers. Λ is the type of pure λ-terms.
Due to space constraints, we do not expose the full details of how sorts are dealt with; in the following we only consider the sort of propositions. See the formal development or [2] for an exact account. The symbols of M are overloaded with a tilde ˜.

Definition 3 (Pseudo-terms).
A term is a pair of a set-denotation and a term-denotation: where sub(g) and lift(g) assert that g commutes with substitution and relocation.
We write Val(t)_i ≜ f(i) and Tm(t)_j ≜ g(j) for the set-denotation and the term-denotation of term t under valuations i and j.

Definition 4 (Explicit substitution). An explicit substitution is a pair: where El(g) and Es(g) are commutation properties similar to those of the previous definition.
We write σ(i) and σ(j) for f(i) and g(j) when σ is an explicit substitution.

Definition 5 (Term constructors). Constructors in M are encoded as: where k is the combinator λx.λy.x, i′ is the valuation such that i′(0) = x and i′(n+1) …, and j′ is defined by j′(0) = j(0) and j′(n+1) = ↑^1 j(n).
Note that we only show the pair, omitting the trivial proof of the assertions. The k combinator used in the second component of λ and Π allows us to simulate the CC-reductions occurring in types. Many properties, such as Val(M @ N)_i = Val(M)_i @ Val(N)_i, follow straightforwardly.
Similarly, we define several instances of explicit substitution, identity and cons:

An explicit substitution σ applied to a term M is defined as:

Definition 6 (Judgment). A type judgment, denoted M : T, holds for valuations i, j iff: where "t realizes x of type T" stands for x ∈ T ∧ t ∈ R(T, x).

Definition 7 (Semantics of context). The denotation of an M-context Γ is a set of pairs of valuations defined as: We write membership of (i, j) in [Γ] as (i, j) ∈ [Γ].

Definition 8 (Judgments with context).
There are four kinds of judgments:

To express strong normalization, we need the notion of reduction between pseudo-terms. This can be based on the set-denotation, since the [β] parameter of Def. 1 assigns the same set to β-equivalent pseudo-terms. A pseudo-term reduces to another if the term-denotation of the former reduces to that of the latter, whatever the valuation:

Definition 9. The pseudo-reduction (one step or more) in M is defined as:

A pseudo-term is said to be strongly normalizing if there is no infinite chain of pseudo-reductions starting from it. The abstract SN lemma can now be proved:

Lemma 10 (Abstract SN). For any well-typed term t in a valid context Γ, t is SN.
Proof. … is a saturated set, so Tm(t)_q is SN by applying (p, q). Any reduction from t can be simulated by a reduction from Tm(t)_q; hence t is SN as a consequence of Tm(t)_q being SN.

3.3 Soundness of the Main Model
There are four steps to establishing the meta-theory of CC using the model above. The first is to prove the existence of a model, that is, that there are instances of the abstract models. We show that the abstract models can be instantiated in intuitionistic Zermelo-Fraenkel set theory with replacement (IZF_R). Types are encoded as pairs formed of a set of values and a function from this set to saturated sets.
All propositions have the same set-denotation {∅}, and associate a saturated set to ∅. So the type of all propositions is defined as:

Dependent product is based on an alternative encoding of functions due to Aczel (see [2] for details), in order to interpret the impredicativity of Prop. The term-denotation of products is fixed by the abstract model. Finally, the daimon has to be taken as ∅. The second step is to prove that the model interprets CC correctly: syntax maps straightforwardly to semantic terms in the model.
The third step is to prove consistency and SN in M. Consistency can now be proved independently of strong normalization:
Theorem 12 (Consistency). The model M is consistent:

∀M, ¬([ ] ⊢̃ M ∈ (ΠP : Prop. P))
Proof. Assume there is a closed proof t of False ≜ Π Prop. 0 (in de Bruijn notation) in the model. Then the term interpretation of the proof t should be closed, by commutation with substitution. By the properties of Π, Tm(t)_j @ u, where u and j are respectively a closed term and a closed valuation, should be in all saturated sets. As a consequence, it must contain free variables, which must be in Tm(t)_j since u is closed. But since both t and j are closed, Tm(t)_j should be closed: a contradiction.

Theorem 13 (Strong normalization). Well-typed M-terms are SN.
Finally, by the soundness result, consistency and SN of CC are immediate consequences of the consistency and SN of M.

4 A Sound Model of Abstract First Order Theory
Rather than sticking to some specific first-order theory, we are more interested in investigating an abstract model (M_T) such that the abstract meta-theoretical results established in that model apply to any of its instances.
There are three principles guiding the design of such an abstract model. Firstly, the model should capture as many theories as possible, which leads to an abstract expression of its signature and axioms. Secondly, the model should provide enough evidence that only valid theories are included: including such a theory must not break the meta-theory established in M. The evidence takes the form of abstract properties about the abstract expressions, which we call assumptions. Lastly, we want to carry out as much of the hard work as possible up front, so that instantiating this model later for any allowable specific theory is not so hard: there should be as few assumptions as possible, and each assumption should be a familiar concept. Many decidable theories are first-order, hence we restrict ourselves to first-order theories.
To prove soundness, we also need to abstractly formalize the syntax of the theory as well as the interpretation rules, following the abstraction schema of M_T. There are two kinds of abstraction: abstract expressions and assumptions. When instantiating, all abstract expressions must be specified and all assumptions proved. Following Coq's conventions, the commands Parameter and Axiom are used for abstract expressions and assumptions respectively, while Definition and Lemma are only used for concrete definitions and properties. Since M_T is an extension of M, the symbols in M_T are also overloaded with a tilde ˜. Syntactic symbols are overloaded with a hat ˆ for formulas and a bar ¯ for terms.

4.1 Syntax of the Abstract Theory
Classically, a first-order theory consists of four parts: the signature, the formulas, the axioms and the inference rules.
Parameter 14 (Signature). The domain and the operations of the signature are: where Set is Coq's primitive type and [..N..] is the type of lists of natural numbers. Θ^u_k t is the substitution operation on t, Φ_k t the function collecting the free variables of t, and ↑^n_k t the operation relocating the free variables of t. The latter three operations are indexed by a number k corresponding to the depth at which the operator is applied.
Definition 15 (Formulas). Formulas are defined inductively over the signature: where f and g are formulas, and t and u are first-order terms.
Note that equality is the only predicate we are interested in. We shall (again) use Φ_k f, ↑^n_k f and Θ^N_k f to denote respectively the set of free variables, the relocation of free variables and the substitution operating on formulas.

Definition 16 (Context).
A context (written C) is a list of declarations, each corresponding either to a term variable or to an assumption: Since the theories considered here are first-order, a well-formed formula should contain term variables only.

Definition 17 (Well-formed term and formula). Given a context H,
A valid formula should be a well-formed formula justified from the axioms by a succession of judgments. We first define the (abstract) notion of axiom; axioms should be well-formed formulas. Inference rules for generating theorems from the axioms come next. They are defined here in terms of introduction rules, elimination rules and judgmental rules.
Parameter 18 (Axioms). Axioms are Coq predicates that single out particular formulas in a context; they should moreover be well-formed:
Definition 19 (Derivation rules). A derivation rule (⊢̂ : C → F → Prop) is a binary Coq predicate defined inductively as follows:
Valid formulas (or theorems) are those formulas that can be derived by application of the above rules. Valid formulas should be well-formed (Lemma 20):

4.2 The abstract model of the theory
M_T is another formalization of the theory using the material provided by M. The domain of first-order terms is encoded by a constant S : Term in M_T. First-order terms, also encoded by Term, should satisfy the following assumptions:
Axiom 21. The following assumptions aim at ensuring the meta-theory:
∀Γ, Γ ⊢̃ S ∈ Kind [1]
… ↑n … [2], [3]
∃P, P ∈ (Πx ∈ S. …) ∧ P @ Val(x)_i = true ∧ P @ Val(x′)_i = false [4]
where true ≜ ΠP ∈ … . Πp ∈ P. P and false ≜ ΠP ∈ … . P.

Assumptions [1] and [2] assert that S is a closed object of type Kind. Assumption [3] asserts that equality of the set-denotations of first-order terms is decidable. The last assumption is included to ensure that we can later define the equality of the theory as Leibniz equality: the idea is that there exists a predicate that discriminates between different values of S.
We further assume that the axioms actually hold in the model M_T:
Axiom 22. Axioms are formulas interpreted by provable M-terms.
The encoding of formulas is given by the standard impredicative encoding due to Girard [9].
Definition 23 (Formulas). The formulas are defined impredicatively:
x = y ≜ Πp : (Πx : S. Prop). Πt : (p @ x). (p @ y)
¬f
We can prove properties similar to those of Definition 19, but in the form of typing judgments. Among the 26 properties, we only show the following one, proved using Rules [3] and [4] of Assumption 21.
Lemma 24. Equality of the theory can be embedded into the typed equality:
where WFCE(Γ), standing for well-formed closed environment, is defined as: and CPT(j) stands for Closed Pure Term, meaning that j returns a closed term for every index. WFCE looks strange but is necessary. In M, the value of any proposition is the singleton of the empty set; the distinction between true and false propositions is reflected in their realizers: a false proposition contains open realizers only, while a true proposition contains at least one closed realizer. A well-formed context Γ may contain false propositions, and then a false proposition (x = y) is of course derivable from Γ, indicating that x and y may have different values. That is why we need the constraint WFCE on the context, requiring that the term-valuation of each variable be closed, to ensure that Γ does not contain false propositions.
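Definition 23's encoding of equality, carried through as an added Coq example (not the paper's development), to show the properties that Lemma 24 and the assumptions of Axiom 21 rely on: reflexivity, symmetry, transitivity, agreement with Coq's inductive equality, decidability from a decision procedure on the domain (assumption [3]), and a discriminating predicate (assumption [4]); the names leq, leq_dec and discriminate_pred are my choices:

```coq
(* Added example, not from the paper: Girard's impredicative encoding of
   equality on a domain S, as in Definition 23, and its basic properties. *)
Require Import Arith.

(* x = y  :=  Πp : (S -> Prop). p x -> p y *)
Definition leq {S : Type} (x y : S) : Prop :=
  forall p : S -> Prop, p x -> p y.

Lemma leq_refl {S : Type} (x : S) : leq x x.
Proof. intros p hx. exact hx. Qed.

(* Symmetry: instantiate the predicate with "p z -> p x". *)
Lemma leq_sym {S : Type} (x y : S) : leq x y -> leq y x.
Proof. intros h p hy. exact (h (fun z => p z -> p x) (fun hx => hx) hy). Qed.

Lemma leq_trans {S : Type} (x y z : S) : leq x y -> leq y z -> leq x z.
Proof. intros hxy hyz p hx. exact (hyz p (hxy p hx)). Qed.

(* The encoding agrees with Coq's inductive (Leibniz) equality. *)
Lemma leq_iff_eq {S : Type} (x y : S) : leq x y <-> x = y.
Proof.
  split.
  - intro h. exact (h (fun z => x = z) eq_refl).
  - intros e p hx. rewrite <- e. exact hx.
Qed.

(* Decidable equality on the domain (assumption [3]) makes the encoded
   equality decidable as well. *)
Definition leq_dec {S : Type} (S_dec : forall x y : S, {x = y} + {x <> y})
  (x y : S) : {leq x y} + {~ leq x y}.
Proof.
  destruct (S_dec x y) as [e | ne].
  - left. apply leq_iff_eq. exact e.
  - right. intro h. apply ne. apply leq_iff_eq. exact h.
Defined.

(* A discriminating predicate in the sense of assumption [4]: whenever
   x <> y, the predicate "is equal to x" holds of x and fails of y. *)
Lemma discriminate_pred {S : Type} (x y : S) :
  x <> y -> (fun z => x = z) x /\ ~ (fun z => x = z) y.
Proof. intro ne. simpl. split; [reflexivity | exact ne]. Qed.

(* Instance on the natural numbers, the domain of Section 6. *)
Check (leq_dec Nat.eq_dec : forall x y : nat, {leq x y} + {~ leq x y}).
```

Only leq_iff_eq is needed to transfer a derivable equation of the theory into a typed equality; the remaining lemmas show that the encoding already has the expected equivalence-relation properties without appealing to Coq's eq.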

4.3 Interpretation Rules and Soundness
Soundness of M_T can be proved by defining abstract interpretation rules.
Parameter 25 (Signature mapping). There exists a function I_T : T → Term which assigns an M-term to each first-order term.
Definition 26 (Formula mapping). The function I_F : F → Term, which assigns an M-term to each formula, is defined as:
We now need to assume or prove that each of these semantic mappings produces expressions of the expected type (S for terms and Prop for formulas). Omitting the trivial case of contexts, this yields:
All axioms are formulas provable in the model.
Soundness of M_T is not a trivial result:
Theorem 31 (Soundness). M_T is sound, that is, any derivable formula can be proved in M_T. The proof is by induction on the syntactic derivation rules (Definition 19):

5 Soundness of CCT and CICUT
Having a sound model of the theory, the remaining work to ensure the meta-theory of CCT is to prove the soundness of the conversion rule extended with first-order equations.
The theorem is introduced step by step. When the original conversion check fails to establish that A and B are convertible in Γ, a decision procedure Preprocess is called to check whether the theory can be used to decide this equation. If the theory is applicable, Preprocess refines the context and relocates the variables, and the theory then checks whether A′ and B′ are equal in the refined context Γ′. If any of the above steps fails, then nothing changes with respect to Coq. Hence, we can start the proof from the conditions stating that the equality is derivable in the theory:

The Preprocess function should maintain some invariants:

By Lemma 20, any derivable formula is well-formed; in particular, for the equation of condition [2], its sub-terms A′ and B′ are well-formed in Γ′. Further, by Axiom 28, they are interpreted in the domain S:
I_Γ(Γ′) ⊢̃ I_T(A′) ∈ S [6]
I_Γ(Γ′) ⊢̃ I_T(B′) ∈ S [7]
By the soundness theorem (Theorem 31), the interpretation of this equality is inhabited in M_T (condition [8]). If Γ′ does not contain false formulas, then we have WFCE(I_Γ(Γ′)), hence the equality judgment correctly interprets the equality in the theory, by Lemma 24 using conditions [6], [7] and [8]:

Finally, by the substitution lemma applied to conditions [2], [3], [4] and [5], we derive:

Following the above analysis, the new conversion rule is justified by proving:
Theorem 32. Terms that are equal in the theory have the same values in the model:

Since we require WFCE(I_Γ(Γ′)), not all first-order objects (terms and formulas) can be extracted from Γ. This means that we may not extract satisfiable equations from Γ and use them to check another equation, as SMT solvers do. Nevertheless, it is still a significant improvement of conversion checking.
The sound model of CCT can now be built by adding a sound model for the abstract theory and proving the extended conversion rule. Further, since we no longer incorporate the equality of the theory into ι-reduction, we can absorb the models of inductive types and universes built by Barras to yield a sound model for CICUT. All the meta-theoretical properties that we have established for CC can be established for CCT and CICUT as well.

6 Example: Presburger Arithmetic
In this section, we take Presburger Arithmetic as an example to illustrate how to instantiate the above abstract setting for a specific theory. Firstly, we define the signature and axioms of Presburger arithmetic, and prove that they correctly instantiate the abstract syntax of theories of Subsection 4.1.

6.1 Formalization of Presburger Arithmetic
The definitions of the signature and axioms instantiate Parameters 14 and 18.
Definition 33 (Signature). The Presburger signature is defined inductively: where n indicates the free variables (de Bruijn indices), C0 and C1 are two constants representing zero and one respectively, and + is addition.
With this definition, variable relocation, substitution and the free-variable operation can be defined by recursion on the structure of T.
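Definition 33 and the three operations of Parameter 14, as an added Coq rendering (not the paper's own development), with the operations defined by structural recursion on T as the text says. The de Bruijn conventions (variables with index at or above the depth k are free, substitution shifts the variables above k down by one and relocates the substituted term under k binders, relocation adds n to the free indices) and the names lift, subst and fv are my assumptions:

```coq
(* Added example, not from the paper: Presburger terms in de Bruijn form
   and the operations ↑, Θ and Φ of Parameter 14, by recursion on T. *)
Require Import Arith List.
Import ListNotations.

Inductive T : Set :=
| Var  : nat -> T        (* de Bruijn index of a term variable *)
| C0   : T               (* zero *)
| C1   : T               (* one *)
| Plus : T -> T -> T.    (* addition *)

(* ↑^n_k t : add n to every free variable of t whose index is >= k. *)
Fixpoint lift (n k : nat) (t : T) : T :=
  match t with
  | Var i => if i <? k then Var i else Var (n + i)
  | C0 => C0
  | C1 => C1
  | Plus a b => Plus (lift n k a) (lift n k b)
  end.

(* Θ^u_k t : replace variable k of t by u (relocated under the k binders
   above it) and shift the variables above k down by one. *)
Fixpoint subst (u : T) (k : nat) (t : T) : T :=
  match t with
  | Var i =>
      if i <? k then Var i
      else if i =? k then lift k 0 u
      else Var (i - 1)
  | C0 => C0
  | C1 => C1
  | Plus a b => Plus (subst u k a) (subst u k b)
  end.

(* Φ_k t : the free variables of t, as indices relative to depth k. *)
Fixpoint fv (k : nat) (t : T) : list nat :=
  match t with
  | Var i => if i <? k then [] else [i - k]
  | C0 => []
  | C1 => []
  | Plus a b => fv k a ++ fv k b
  end.

(* (x0 + 1) + x1 with x0 := 0 + 0 gives ((0 + 0) + 1) + x0: the substituted
   term is inserted and the remaining variable shifts down. *)
Example subst_ex :
  subst (Plus C0 C0) 0 (Plus (Plus (Var 0) C1) (Var 1))
  = Plus (Plus (Plus C0 C0) C1) (Var 0).
Proof. reflexivity. Qed.

Example fv_ex : fv 1 (Plus (Var 0) (Plus (Var 1) (Var 3))) = [0; 2].
Proof. reflexivity. Qed.

(* Relocating by 0 is the identity, one of the commutation facts such a
   signature has to satisfy. *)
Lemma lift_0 : forall k t, lift 0 k t = t.
Proof.
  intros k t; induction t as [i | | | a IHa b IHb]; simpl.
  - destruct (i <? k); reflexivity.
  - reflexivity.
  - reflexivity.
  - rewrite IHa, IHb; reflexivity.
Qed.
```

The two Example commands are checked by computation, so they double as unit tests of the de Bruijn conventions stated in the lead-in.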
Definition 34 (Axioms). An axiom is a special formula, presented by a Coq predicate taking a context and a formula as arguments and checking whether this formula is an axiom: The assumption of Parameter 18 can be proved, because g is well-typed in (T :: H).
Secondly, we give a brief introduction to the formalization of natural numbers in [2]: the useful definitions (possibly abstract) and properties, without proofs. Then M_T is instantiated with these definitions and properties. The abstract interpretation rules are instantiated accordingly; this will not be detailed here.
By the induction scheme provided by the values of natural numbers, we can prove the last two assumptions of Axiom 21, while the others are trivial by definition.
Instantiating the Presburger axioms in M is just a translation according to the interpretation rules, but proving them requires more effort: the main task is to construct the proof term for each axiom. All the detailed proofs are in our development, ensuring:
Lemma 40. M_T instantiated with Presburger arithmetic is sound.
Then all the meta-theoretical properties holding in M_T are preserved after instantiation with Presburger arithmetic, therefore we can conclude:
Lemma 41. Presburger arithmetic is a safe theory to embed, hence CoqMT is safe.
Let us finish with an important remark. We have proven strong normalization for CICUT instantiated with Presburger arithmetic, but the reduction considered includes β- and ι-reduction (the reduction of NatRec when its main argument is either 0 or a successor), and not the reduction associated with the last two rules of Section 2. The main difficulty is that the latter is not sequential (both S(n) + m and n + S(m) reduce to a successor), while the β-reduction of λ-calculus is sequential. We thus cannot yet claim decidability of type-checking for the presented version of CICUT.

7 Conclusion
In this paper, we give an abstract proof of consistency and SN for CCT, which extends the CC family by incorporating extensional equalities from an abstract theory. Presburger arithmetic is proved to correctly instantiate the abstract theory, which on the one hand ensures that Presburger arithmetic is safe to embed, and on the other hand demonstrates that our abstraction strategy works well for adding a new theory of interest. Actually, this proof applies to richer type systems with more features, such as CICUT, provided each feature has a sound model and does not interfere with the other features. That was our original motivation for this research: improving Coq by incorporating decidable extensional equalities.
We do not embed the theory into ι-reduction, in order to ensure consistency and SN; the side effect is that Church-Rosser cannot be proved in the usual way, and neither can the decidability of type checking (DoTC). However, we have another way to prove DoTC, which is our next work: formalize the syntax of CCT or CICUT, and build a complete formal proof of all the required properties.
The interpretation of the context is a combination of I_T and I_F:
Definition 27. The function I_Γ : C → [..Term..] is defined as: I_Γ(e) = f(x) :: I_Γ(l) when e = x :: l, where f(x) = I_F(f) when x is a formula f (f : F), and f(x) = S when x = T (a term variable declaration).