Towards a Judgmental Reconstruction of Logical Relation Proofs

Carsten Sch¨urmann and Jeﬀrey Sarnat

Yale University and IT University of Copenhagen [email protected] and [email protected]

Abstract. Tait’s method (a.k.a. proof by logical relations) is a powerful proof technique frequently used for showing foundational properties of languages based on typed lambda-calculi. Historically, these proofs have been difficult to formalize in proof assistants with weak meta-logics, such as Twelf. Logical relations are notoriously difficult to define judgmentally. In this paper, we present and discuss a Twelf proof of weak normalization for System F making use of higher-order encodings. We exhibit a modular technique on how to formalize proofs of this kind, and make explicit all logical principles that one needs to trust in order believe in the proof.

1 Introduction

When formalizing meta-theoretic proofs about formal systems, one is usually first confronted with the choice of proof assistant. Driven by concerns of the expressive power of the proof assistant, the trust in its logical foundation, performance, the features of the tactic language, and often also the ease with which we can encode the formal system, the final decision of which system to choose varies in practice. Thomas Hales for example, has chosen HOL light [Har96] for his work on the formalization of Kepler’s conjecture, George Necula has chosen variants of the LF type theory for his work on proof-carrying code [Nec97], Daniel Lee, Karl Crary, and Bob Harper have chosen the Twelf system for formalizing the proof of the soundness of a SML type system [LCH07] and Georges Gonthier has used Coq for his formalized proof of the four color theorem [Gon05]. The proof theoretic strengths of different systems vary, and once the proof assistant question is settled and a proof development has begun, there is often no turning back. If unforseen challenges in the formalization of a meta-theoretic argument arise, one can find oneself in a situation where one is seemingly stuck. This might suggest that the best proof assistant is necessarily the most expressive, but such a perspective is too naive with respect to other considerations that influence the choice of proof assistant. In this paper we illustrate how limitations imposed by the meta-logic can sometimes be circumvented. We show in the setting of Twelf how one can push some of the burden related to logical expressivity down into an auxiliary logical system that is represented in LF. This trick not only works, but it allows us to point to the principles that we need to trust in order to believe the overall proof. This logical system is called assertion logic. We discuss a proof of weak normalization for System F in Twelf via logical relations. In formalizing the proof, we overcome two significant technical obsta- cles. First, we solve a previously open problem as to whether logical relations are representable in Twelf at all. Second, because the theorems provable in Twelf can informally be seen to be a subset of those provable in Peano arithmetic, Gödel’s second incompleteness theorem tells us that we should not be able to prove normalization of a calculus as proof-theoretically strong as System F. In- deed, Twelf cannot certify the validity of our entire proof: the consistency of a second-order assertion logic must be explicitly assumed, a leap of faith no larger than the one required to trust the soundness of any proof-assistant with the built-in expressive power to certify our proof in its entirety. In our encoding we carefully distinguish between the logical framework, in our case LF [HHP93], the assertion logic, encoded in LF, and the meta logic of LF, Twelf, in which we prove the aforementioned conjecture. Our proof is constructive and executable. This paper is structured as follows: In Section 2 we encode in LF both System F and the judgments that characterize when terms are weakly normalizing. In Section 3 we describe the assertion logic, its properties, and the formalization in LF. Next, we define the logical relation in the assertion logic by meta-level induction. With this definition, we are able to prove that for every term in System F there is an assertion-logic proof that the term is convertible to a canonical form. The desired theorem then follows from the assumption that our cut-elimination procedure for second-order logic terminates. In Section 4, we discuss implications and extensions of the result before we conclude. Please find the accompanying Twelf source code at http://www.cs.yale.edu/~sarnat/tphols.

2 System F in LF

System F [GTL90], independently discovered by Jean-Yves Girard and John Reynolds, is an extension of the simply typed λ-calculus by polymorphic types. Inspired by Church’s definition of higher-order logic using the simply-typed calculus as a logical framework [Chu40], we define our System F in the dependently typed logical framework LF [HHP93]. We define the syntactic category of types as follows.

Types: A ::= α | A1 ⇒ A2 | ∀(λα : tp.A)

λ stands for the binding construct of LF, and tp is an LF type constant. Next, we deﬁne the syntactic category of terms of type A. We write tm A for the corresponding LF type taking advantage of the fact that in LF type families may be indexed by LF objects.

Terms: e ::= x | lam (λx : tm A. e) | app e1 e2 | tlam (λα : tp. e) | tapp e A

The symbols lam, app, tlam and tapp are represented as constants in LF. In the interest of readability, we will not discuss the encoding of terms and types tm : tp → type. tp : type. lam :(tm A → tm B) → tm (A ⇒ B). ⇒: tp → tp → tp. app : tm (A ⇒ B) → tm A → tm B. ∀ :(tp → tp) → tp. tlam :(Πα:tp. tm (A α)) → tm (∀ (λα:tp. A α)). tapp : tm (∀ (λα:tp. A α)) → (Πα:tp. tm (A α)).

Fig. 1. LF Encoding of Types and Terms any further, simply because there is no diﬀerence between the formalized and the informal presentation. Every syntactic category given in this paper can be adequately represented in LF. Our encoding of terms ensures that all expressible terms are well-typed: 1. If e : tm B is a term with a hole, say x : tm A, then

lam (λx : tm A. e): tm (A ⇒ B).

2. If e1 : tm (A ⇒ B) and e2 : tm A then

app e1 e2 : tm B. 3. If e : tm B is a term with a hole, say α : tp, then

tlam (λα : tp. e): tm (∀(λα : tp.A)).

4. If e : tm (∀(λα : tp.A)) and A0 : tp then

tapp e A0 : tm (A[A0/α]).

The actual LF encoding of System F is given in Figure 1. →, Π, λ, and jux- tapositions are deﬁned by LF and substitutions are provided by LF. We follow the syntactic convention of Twelf by omitting leading Π abstraction from types that are easily inferable. In the setting of the logical framework LF, we usually encode judgments-as- types and derivations-as-objects where inferences rules are encoded as constants. We write e ⇓ if e is atomic, which means that the head of e is not a β-redex. We write e ⇑ if e is canonical, which means that it is a β-normal, η-long form. Note that the rule n1 can only be applied when e is of type tm α, which we express using a form a type ascription (e : tm α).

e1 ⇓ e2 ⇑ e ⇓ p1 p2 app e1 e2 ⇓ tapp e A ⇓ u x ⇓ . . (e : tm α) ⇓ e ⇑ e ⇑ n1 n2x,u n3α (e : tm α) ⇑ lam (λx : tm A. e) ⇑ tlam (λα : tp. e) ⇑ Next we deﬁne three judgments e −→ e0, e −→∗ e0, e −→whr e0.

r1 r2 app (lam (λx : tm A. e1)) e2 −→ e1[e2/x] tapp (tlam (λα : tp. e)) A −→ e[A/α] r3 r4 e −→ lam (λx : tm A. app e x) e −→ tlam (λα : tp. tapp e α)

0 0 0 e1 −→ e1 e2 −→ e2 e −→ e r5 r6 r7 0 0 0 app e1 e2 −→ app e1 e2 app e1 e2 −→ app e1 e2 tapp e A −→ tapp e A e −→ e0 e −→ e0 r8x r9α lam (λx : tm A. e) −→ lam (λx : tm A. e0) tlam (λα : tp. e) −→ tlam (λα : tp. e0)

r1 and r2 define β-reduction for objects and types, respectively, r3 and r4 define η expansion, and rules r5 – r9 define the usual congruence closure for βη. The following two rules describe the reflexive transitive closure of −→.

∗ e1 −→ e2 e2 −→ e3 r1∗ r2∗ ∗ ∗ e −→ e e1 −→ e3

Next, we deﬁne weak head reduction.

w1 whr app (lam (λx : tm A. e1)) e2 −→ e1[e2/x] w2 tapp (tlam (λα : tp. e)) A −→whr e[A/α]

whr 0 whr 0 e1 −→ e1 e −→ e w3 w4 whr 0 whr 0 app e1 e2 −→ app e1 e2 tapp e A −→ tapp e A w1 and w2 execute a β-reduction step, and w3 and w4 deﬁne the congruence closure for weak-head reduction. It is worth mentioning the reduction rules are only applicable to terms of the same type. Finally we deﬁne a judgment about the existence of atomic and canonical forms that will play a central role in our development. We capture the meaning that a term e can be reduced to canonical or atomic form with the judgments e ↓ and e ↑, respectively.

e1 ↓ e2 ↑ e ↓ a1 a2 app e1 e2 ↓ tapp e A1 ↓ u x ↓ . . app e x ↑ tapp e α ↓ c1x,u c2α e : tm (A1 ⇒ A2) ↑ e : tm (∀ (λα. A)) ↑

e −→whr e0 e0 ↑ e ↓ c3 c4 e : tm α ↑ e : tm α ↑

The judgment e ↓ is deﬁned by cases on the term e, and e ↑ by cases on the type of e. The latter is reﬂected by the type annotations in the conclusion of the rules. Hypothetical judgments such as e ⇑ and e ↑, whose rules may introduce new hypothesis, can be encoded into LF directly. A hypothetical premiss, such as the one in rules n2 and c1 is represented using the binding construct of the logical framework. For example, the derivation u x ⇓ n1 x ⇑ n2x,u lam (λx : tm α. x) ⇑ n3α tlam (λα. lam (λx : tm α. x)) ⇑ is encoded in LF as n3 (λα : tp. n2 (λx : tm α. λu : x ⇓. n1 u)), where

n2 :(Πx:tm A. x ⇓ → E x ⇑) → (lam (λx:tm A. E x)) ⇑.

All judgments here are adequately represented in LF. Twelf is a logic programming language that allows us to attach a computa- tional interpretation to LF type families [Pfe89]. Twelf’s mode system accom- modates assignments of input and output roles to arguments and enforces that they play their roles consistently during runtime.

Theorem 1 (Witness).

1. If e ↑ then there exists an e0, such that e0 ⇑ and e −→∗ e0. 2. If e ↓ then there exists an e0, such that e0 ⇓ and e −→∗ e0.

Proof. By induction on the derivation of e ↑ and e ↓, respectively. In Twelf, we encode this proof as follows. ccanok : E ↑ → ΠE0:tm A. E0 ⇑ → (E −→∗ E0) → type. catmok : E ↓ → ΠE0:tm A. E0 ⇓ → (E −→∗ E0) → type.

If a Twelf program is shown to be total, then it can be viewed as a proof that for every set of input objects there exists a set of output objects. This is the only mechanism provided for proving meta theorems. Despite its proof-theoretic weakness, Twelf derives its strength from the fact that proofs allow for induction over the structure of arbitrary, possibly open LF terms. Negative occurrences of function arrows in LF signatures are interpreted as embedded implications in the sense of hereditary Harrop formulas [MN86], which allows logic programs, in eﬀect, to go underneath λ-binders and extend programs dynamically by new base cases. In order for Twelf to certify that a program is total it must be told that suﬃciently many base cases have been provided. This information is provided in form of a world declaration; we omit them for the sake of brevity, as we do for most other cases.

3 Formalization of the Weak Normalization Argument

We prove that System F is weakly normalizing, by which we mean that every term can be reduced to a β-short, η-long normal form. This is diﬀerent from strong normalization, for which one needs to show that every reduction path is terminating. We leave further experiments along those lines to future work.

3.1 Deﬁnition of the Logical Relation

At the very heart of Tait’s method lies the definition of the logical relation. For this proof, the logical relation is unary. As with Girard-style reducibility candidates, we require that the logical relation satisfies three closure conditions. Because the theorem that we are proving is weak, not strong, normalization, these closure conditions differ from Girard’s.

Deﬁnition 1 (Logical relation for system F).

e ∈ [[α]] where α is a free type variable iff ` e ↑. e1 ∈ [[A2 ⇒ A1]] iff for every e2 ∈ [[A2]] it is the case that app e1 e2 ∈ [[A1]]. e ∈ [[∀ (λα : tp.A1)]] iff for every set P satisfying the following three closure conditions, tapp e A1 ∈ [[A2]], where [[α]] = P , and – if e ∈ P then e ↑, – if e ↓ then e ∈ P , – if e0 ∈ P and e −→whr e0 then e ∈ P . A logical relation could be more accurately described as being a family of relations, indexed by types. Indeed, we note that [[A]] is defined by cases and induction over A. Could we represent it as a type in LF? Unfortunately we cannot do this directly, but we could imagine representing it as a type that is generated from A in the following way. Let P : tm A → type represent the judgment that we would like to establish for all System F types A and terms e of that type (e.g. the weak-normalization predicate).

e ∈ [[α]] = P e : type e ∈ [[α ⇒ α]] = Πx : α. P x ⇒ P e : type e ∈ [[∀α. α ⇒ α]]Γ = Πα : tp. (Πx : α. P x ⇒ P e): type . .

LF does not provide us with the expressive power to deﬁne type families by induction. Although we could consider adding it, this would undoubtedly come at the price of more complex adequacy proofs, and simple adequacy proofs are the main appeal of LF. This is the fundamental obstacle when formalizing proofs by logical relations in Twelf. Shedding some light onto this problem can be considered one of the main contributions of this work. We solve this apparent dilemma by choosing a diﬀerent path to formalization, not outwardly directed towards a more expressive LF, but inwardly directed towards encoding those bits and pieces of set theory within LF that we need to carry out the argument formally. We call the embedded logical system assertion logic.

3.2 Assertion Logic

Our choice of assertion logic is driven by the definition of the logical relation, and thus contains only implication, and first-order and second-order universal quantifiers as logical connectives. For each type, the logical relation is defined to be a particular predicate. However, given a specific type, the calculation of the appropriate logical-relation predicate is performed by a meta-level induction. Note that, rather than using meta-level induction, we could have chosen to add induction to the level of the assertion logic. However, this would have not only been less convenient, but would have also made defining a cut-elimination procedure for our assertion logic more complicated, if not impossible. Note that, because our definition of logical relation quantifies over both System F types and terms, our assertion logic must provide two different first-order quantifiers, ∀a and ∀m. The second-order quantifier is denoted as ∀2 and ranges over predicates pred A, which abbreviates tm A → form, where form are the formulas of the assertion logic.

F,G ::= P x | F ⊃ G | ∀m(λx : tm A. F ) | ∀a(λα : tp.F ) | ∀2(λP : pred A. F ) We capture the notion of truth for this assertion logic sequent-style by declaring a judgment u1 : F1, . . . un : Fn =⇒ G and declaring left and right rules for every connective. The uis serve as names for the individual assumptions. In the interest of space, we refer the reader to Pfenning [Pfe95] for a detailed descrip- tion of this technique for the first-order fragment, of which our assertion logic is a straightforward extension. We do not introduce the formal system for the sequent calculus, as we believe that it is well-known. Instead, we concentrate on its representation in LF. Fol- lowing the technique outlined in Section 2, the judgment from above is encoded in LF as u1 un hyp F1 ... hyp Fn . . conc G where hyp and conc are type families of kind form → type, which represent the formulas occurring to the left and right of the sequent, respectively. The inference rules for the first-order fragment are straightforward. We only show the rules defining the meaning of the second-order quantifier.

∀2r :(Πp:pred A. conc (F p)) → conc (∀2 (λp:pred A. F p)). ∀2l : ΠP :pred A.(hyp (F1 P ) → conc F2) → hyp (∀2 (λf:pred A. F1 f)) → conc F2.

We follow [Pfe95] and deﬁne a type family conc∗ : form → type, which repre- sents derivability in a sequent calculus with cut. cut : ΠF1:form. conc∗ F1 → (hyp F1 → conc∗ F2) → conc∗ F2. From now on, we can safely distinguish between cut-free derivations of type family conc and derivations with cut of type family conc*. Next we turn to the interaction of the assertion logic and the judgments that were introduced in Section 2. In particular, we are concerned with the representation of the two judgments for e ↑ (e can be reduced to canonical form) and e ↓ (e can be reduced to atomic form). We axiomatize the meaning of those judgments as the following predicates.

ha : pred A. hc : pred A.

The inference rules deﬁning the meaning of the judgments are added as ax- ioms to the assertion logic, and are named in accordance with the inference rules presented in Section 2. tvar A is an auxiliary judgment that holds when A is a type variable. axW1 : conc (wh (app (lam (λx:tm A. E1 x)) E2)(E1 E2)). axW2 : conc (wh (tapp (tlam (λα:tp. E α)) A)(EA)). 0 0 axW3 : conc (wh E1 E1) → conc (wh (app E1 E2)(app E1 E2)). axW4 : conc (wh EE0) → conc (wh (tapp EA)(tapp E0 A)). axA1 : conc (hc E2) → conc (ha E1) → conc (ha (app E1 E2)). axA2 : conc (ha E) → conc (ha (tapp EA)). axC1 :(Πx:tm T . hyp (ha x) → conc (hc (app E x))) → conc (hc E). axC2 :(Πa:tp. tvar a → conc (hc (tapp E a))) → conc (hc E). axC3 : tvar A → conc (wh EE0) → conc (hc E0) → conc (hc (E:tm A)). axC4 : tvar A → conc (ha E) → conc (hc (E:tm A)).

The cut-elimination result easily extends to accommodate these rules. because, as the relevant cases fall into the class of right commutative conversions. Theorem 2 (Cut-Elimination). Given a derivation of conc∗ G we can pro- duce a derivation of conc G.

Proof. We are not aware of any known direct inductive proof of this property that does not rely on either a semantic proof, or yet another logical relation. In Twelf however, we provide a procedure, albeit one which we cannot prove will terminate. We follow [Pfe95] and use Twelf to encode the proof of the admissi- bility of cut as a relation ca : ΠF :form. conc F → (hyp F → conc G) → conc G → type.

We consider as one representative case the essential case where we cut a derivation ending in ∀2r on the left with a derivation ending in the rule ∀2l on the right. ca foralltwo : ca (FP )(D1 P )(λh:hyp (FP ). D3 h) E → (Πh2:hyp (FP ). ca (∀2 (λp:pred A. F p)) (∀2r (λp:pred A. D1 p)) (λh:hyp (∀2 (λp:pred A. F p)). D2 h h2) (D3 h2)) → ca (∀2 (λp:pred A. F p)) (∀2r (λp:pred A. D1 p)) (λh:hyp (∀2 (λp:pred A. F p)). ∀2l P (λh1:hyp (FP ). D2 h h1) h) E.

Twelf’s coverage checker certiﬁes that no cases has been forgotten, but in order for the Twelf signature to count as a proof, we must show that the cut- elimination procedure will always terminate. Perhaps not surprisingly (because System F is impredicative, and Twelf is not), this cannot possibly be done. We believe this procedure will terminate because we believe that our assertion-logic is consistent, but any such justiﬁcation will have to live in the realm of natural language. Cut elimination implies the consistency of the assertion logic. This is not only good to know, but also allows us to show that any proofs of atomic predicates in the assertion logic correspond to actual derivations. Theorem 3 (Unembedding). 1. For all derivations of conc (hc e), there exists a derivation of e ↑. 2. For all derivations of conc (ha e), there exists a derivation of e ↓. whr 3. For all derivations of conc (wh e1 e2), there exists a derivation of e1 −→ e2. Proof. In each case by induction on the cut-free derivation. These theorems can be directly implemented in Twelf as the following three type families. unembedhc : conc (hc e) → e ↑ → type. unembedha : conc (ha e) → e ↓ → type. whr unembedwh : conc (wh e1 e2) → e1 −→ e2 → type. The implementation of the proofs is straightforward, but only because the derivations are assumed to be cut-free.

3.3 Formalization of the Logical Relation Recall the three conditions stipulated on the third case of the logical relation. For any predicate P , we say P e is PHC if it implies the e has a canonical form. We say P e is HAP if it is a consequence from e having an atomic form. We say P e is CHE if it is closed under weak-head expansion. Formally, in LF we deﬁne the three abbreviations:

PHC = λp: pred A. ∀m (λe:tm A. p e ⊃ hc e). HAP = λp: pred A. ∀m (λe:tm A. ha e ⊃ p e). 0 CHE = λp: pred A. ∀m (λe:tm A. ∀m (λe :tm A. wh e e0 ⊃ p e0 ⊃ p e)). We now define by induction on types the logical relation predicate using judgments of the form described in Section 2. This is the central definition that ultimately motivated the design of the assertion logic. Recall that we write ∀ for the polymorphic type constructor of System F, ∀m, ∀a, and ∀2 for the assertion logic’s quantifiers. lr : ΠA:tp. pred A → type. lr tvar : tvar A → lr A (λe:tm A. hc e). lr arr : lr AP → lr BQ → lr (A ⇒ B)(λe:tm (A ⇒ B). 0 0 0 ∀m (λe :tm A. P e ⊃ Q (app e e ))). lr pi :(Πα:tp. Πp:pred α. lr α p → lr (A α)(λe:tm (A α). F α p) e)) → lr (∀ (λα:tp. A α)) (λe:tm (∀ (λα:tp. A α)). ∀a (λα:tp. ∀2 (λp:pred α. PHC p ⊃ HAP p ⊃ CHE p ⊃ F α p (tapp e α)))). Theorem 4 (Escape).

1. For all types A and derivations of lr AP , there exists a derivation of conc∗ (PHC P ). 2. For all types A and derivations of lr AP , there exists a derivation of conc∗ (HAP P ).

Proof. By induction on A. The two parts can also be directly represented in Twelf as two mutually dependent type families.

escape1 : lr AP → conc∗ (∀m (λe:tm A. P e ⊃ hc e)) → type. escape2 : lr AP → conc∗ (∀m (λe:tm A. ha e ⊃ P e)) → type.

Theorem 5 (Closure under weak head expansion). For all types A and derivations of lr AP , there exists a derivation of conc∗ (CHE P ).

Proof. By induction on A. This theorem can be directly represented in Twelf by the following type family.

0 cwhe : lr AR → conc∗ (∀m (λe:tm A. ∀m (λe :tm A. wh e e0 ⊃ R e0 ⊃ R e))) → type.

Theorem 6 (Fundamental). For all types A and for all terms e : tm A, there exist derivations of lr AP and conc∗ AP , for the appropriate predicate P .

Proof. By induction on e, using Theorem 5. In Twelf we represent this theorem by the following type family.

fund : Πe:tm A. lr AP → conc∗ (P e) → type.

Finally, we can paste all parts together, and we arrive at the weak normalization property of System F.

Theorem 7 (Weak normalization). Let e be a well-typed expression in system F of type A, then there exists an expression v, such that e −→∗ v and v ⇑ A.

Proof. We derive the predicate R from the type A, such that lr AR is derivable. By the Fundamental Theorem there exists a derivation of conc∗ (R e). By The- orem 4 we derive conc∗ (R e ⇒ hc e). By reasoning inside the assertion logic, we obtain a derivation of conc∗ (hc e). By the Cut-Elimination Theorem we obtain a derivation of conc (hc e). By Theorem 3, there exists a derivation of e ↑ A. The claim follows immediately from Theorem 1. The Twelf encoding of this proof is below. weaknorm : ΠE:tm A. ΠV :tm A. V ⇑ → (E −→∗ V ) → type. weakorm∗ : ccanok KVCR → unembedhc JK → ce (cut (∀m (λe:tm A1. F1 e ⊃ hc e)) H (λh:hyp (∀m (λe:tm A1. F1 e ⊃ hc e)). ∀ml∗ E (λh1:hyp (F1 E ⊃ hc E). impl∗ D (λh2:hyp (hc E). axiom∗ h2) h1) h)) J → escape1 LH → fund ELD → weaknorm EVCR.

4 Assessment and Conclusion

In this paper we have illustrated that it is possible to overcome the limitation of a proof-theoretically weak meta-logic while taking advantage of the conveniences of higher-order abstract syntax. The process of ﬁnding the formalization was by no means straightforward and is the result of numerous iterations of trial and error. We discuss our observations and experiences below.

4.1 Strong Normalization

We have chosen to formalize weak normalization here because it is a strong enough result to be interesting, yet simple to characterize within Twelf. It is not clear whether this is the case for strong normalization as well. Defining strong normalization requires more logical sophistication than defining weak normalization, and it is not clear how this is best tackled. One approach would be to characterize strong normalization within the assertion logic with an axiom of the form sn (e) ⇔ ∀me0.e → e0 ⇒ sn (e0). Such a definition can only be useful if sn(e) is vacuously true when e is normal, and we are able to derive absurdity from the assumption that a normal-form can be β-reduced. This sort of reasoning requires significant additions to the assertion logic, including universes, in the same way that Martin-Löf’s type theory needs universes to prove 0 6= 1 [ML84]. Another alternative is to define strong normalization in terms of the inductive characterization given in [vRSSX99]. We leave such efforts to future work.

4.2 The Impact of Higher-Order Abstract Syntax

We do not claim to be the first to define a logical relation in terms of the prov- ability of a logical predicate. Indeed, for informal proofs, this representation goes back to Tait’s original paper [Tai67]. For proofs formalized within a constructive type theory, such as Coq or Lego, a logical relation is typically defined as a predicate within the type-theory itself (e.g. [Alt93,BW97,DX06]). We believe that, in the context of mechanically verifiable formalized proofs, our use of an assertion logic that is separate from our meta-logic is novel. Without the benefits of higher-order abstract syntax, we may never have considered taking this path to formalization: System F types may contain free type-variables; System F terms may contain free type and term variables; assertion logic formulas may contain System F type variables, System F term variables and predicate variables; and assertion logic proofs may contain hypothetical variables, and any of the aforementioned variables. In a first order setting, the overhead necessary to represent and reason about the different notions of free variables and substitutions would be daunting enough to deter many. Because we employ higher-order abstract syntax, having multiple notions of free variables does not create any overhead in the least.

4.3 Scalability

Proofs by logical relations are popular in large part because they tend to scale well. We believe that our technique preserves this scalability. For example, we have successfully applied our technique to proofs of weak normalization for the simply-typed λ-calculus (inspired by [Pfe00]) and monadic λ-calculus (inspired by [LS05]), and have performed preliminary experiments with Gödel’s T. In each case, the basic structure of the proof remains unchanged, whereas the assertion logic must be appropriately modified. Both the simply-typed and monadic λ- calculi are proof-theoretically weak enough for Twelf to certify the totality of cut-elimination for their assertion logics; we do not expect this to be the case with Gödel’sT. Closely related to our work is that of Andreas Abel [Abe07]. He also proves weak normalization directly in Twelf, albeit only for the simply-typed λ-calculus. Though he does not use a logical relation, there are striking similarities between the structure of his proof and ours, which should be investigated further.

Acknowledgments We would like to thank Frank Pfenning for pointing out this interesting problem many years ago, and we would also like to thank others who have tried before us to formalize a proof by logical relations in Twelf, in particular Andrzej Filinski and Jeﬀ Polakow.

References

[Abe07] Andreas Abel. Normalization for the simply-typed lambda-calculus in Twelf. In Carsten Schürmann,editor, Logical Frameworks and Metalan- guages (LFM 04), Electronic Notes in Theoretical Computer Science, 2007. Workshop Post-Proceedings, to appear. [Alt93] Thorsten Altenkirch. A formalization of the strong normalization proof for the system F in LEGO. In M. Bezem and J.F. Groote, editors, Proceedings of the International Conference on Typed Lambda Calculi and Applications, TLCA’93, pages 13–28, Utrecht, The Netherlands, March 1993. Springer- Verlag LNCS 664. [BW97] B. Barras and B. Werner. Coq in Coq. Soumis, 1997. [Chu40] Alonzo Church. A formulation of the simple theory of types. Journal of Symbolic Logic, 5:56–68, 1940. [DX06] Kevin Donnelly and Hongwei Xi. A formalization of strong normalization for simply-typed lambda calculus and system f. In Proceedings of Workshop on Logical Frameworks and Meta-Languages: Theory and Prac- tice (LFMTP’06), Seattle, WA, August 2006. [Gon05] Georges Gonthier. A computer-checked proof of the four colour theorem. unpublished, 2005. [GTL90] Jean-Yves Girard, Paul Taylor, and Yves Lafont. Proofs and Types. Cam- bridge University Press, 1990. [Har96] John Harrison. HOL light: a tutorial introduction. In Mandayam Srivas and Albert Camilleri, editors, Proceedings of the First International Conference on Formal Methods in Computer-Aided Design, pages 265–269, 1996. [HHP93] Robert Harper, Furio Honsell, and Gordon Plotkin. A framework for defining logics. Journal of the Association for Computing Machinery, 40(1):143– 184, January 1993. [LCH07] Daniel K. Lee, Karl Crary, and Robert Harper. Towards a mechanized metatheory of standard ml. SIGPLAN Not., 42(1):173–184, 2007. [LS05] Sam Lindley and Ian Stark. Reducibility and >>-lifting for computation types. In Typed Lambda Calculi and Applications: Proceedings of the Sev- enth International Conference TLCA 2005, number 3461 in Lecture Notes in Computer Science, pages 262–277. Springer-Verlag, 2005. [ML84] Per Martin-Löf. Intuitionistic Type Theory. Bibioplois, Napoli, 1984. Notes of Giowanni Sambin on a series of lectues given in Padova. [MN86] Dale Miller and Gopalan Nadathur. Higher-order logic programming. In Ehud Shapiro, editor, Proceedings of the Third International Logic Program- ming Conference, pages 448–462, London, June 1986. [Nec97] George C. Necula. Proof-carrying code. In Neil D. Jones, editor, Conference Record of the 24th Symposium on Principles of Programming Languages (POPL’97), pages 106–119, Paris, France, January 1997. ACM Press. [Pfe89] Frank Pfenning. Elf: A language for logic definition and verified meta- programming. In Fourth Annual Symposium on Logic in Computer Sci- ence, pages 313–322, Pacific Grove, California, June 1989. IEEE Computer Society Press. [Pfe95] Frank Pfenning. Structural cut elimination. In D. Kozen, editor, Proceedings of the Tenth Annual Symposium on Logic in Computer Science, pages 156– 166, San Diego, California, June 1995. IEEE Computer Society Press. [Pfe00] Frank Pfenning. Computation and Deduction. Cambridge University Press, 2000. In preparation. Draft from April 1997 available electronically. [Tai67] W. W. Tait. Intensional interpretation of functionals of finite type I. Journal of Symbolic Logic, 32:198–212, 1967. [vRSSX99] Femke van Raamsdonk, Paula Severi, Morten Heine B. Srensen, and Hong- wei Xi. Perpetual reductions in λ-calculus. Information and Computation, 149(2):173–225, 1999.