Eliminating Reflection from Type Theory Théo Winterhalter, Matthieu Sozeau, Nicolas Tabareau

To cite this version:

Théo Winterhalter, Matthieu Sozeau, Nicolas Tabareau. Eliminating Reflection from Type Theory: To the Legacy of Martin Hofmann. CPP 2019 - 8th ACM SIGPLAN International Conference on Certified Programs and Proofs, Jan 2019, Lisbonne, Portugal. pp.91-103, ￿10.1145/3293880.3294095￿. ￿hal-01849166v3￿

HAL Id: hal-01849166 https://hal.archives-ouvertes.fr/hal-01849166v3 Submitted on 22 Nov 2018

HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. 1 56 2 Eliminating Reflection from Type Theory 57 3 To the Legacy of Martin Hofmann 58 4 59 5 60 6 Théo Winterhalter Matthieu Sozeau Nicolas Tabareau 61 7 Gallinette Project-Team, Inria Pi.R2 Project-Team, Inria and IRIF Gallinette Project-Team, Inria 62 8 Nantes, France Paris, France Nantes, France 63 9 [email protected] [email protected] [email protected] 64 10 65 Abstract of equality inside type theory, whereas u ≡ v : A means 11 66 that u and v are convertible in the theory—and can thus 12 Type theories with equality reflection, such as extensional 67 be silently replaced by one another in any term. Several 13 type theory (ETT), are convenient theories in which to for- 68 variants of ETT have been considered and implemented, for 14 malise mathematics, as they make it possible to consider 69 example in NuPRL [Allen et al. 2000] and more recently in 15 provably equal terms as convertible. Although type-checking 70 Andromeda [Bauer et al. 2016]. The prototypical example of 16 is undecidable in this context, variants of ETT have been 71 the use of equality reflection is the definition of a coercion 17 implemented, for example in NuPRL and more recently in 72 function between two types A and B that are equal (but not 18 Andromeda. The actual objects that can be checked are not 73 convertible) by taking a term of type A and simply returning 19 proof-terms, but derivations of proof-terms. This suggests 74 it as a term of type B: 20 that any derivation of ETT can be translated into a typecheck- 75 21 able proof term of intensional type theory (ITT). However, λ AB (e : A = B)(x : A). x : Π AB. A = B → A → B. 76 this result, investigated categorically by Hofmann in 1995, 22 In intensional type theory (ITT), this term does not type- 77 and 10 years later more syntactically by Oury, has never 23 check because x of type A can not be given the type B by 78 given rise to an effective translation. In this paper, we pro- 24 conversion. In ETT, however, equality reflection can be used 79 vide the first effective syntactical translation from ETTto 25 to turn the witness of equality into a proof of conversion and 80 ITT with uniqueness of identity proofs and functional ex- 26 thus the type system validates the fact that x can be given the 81 tensionality. This translation has been defined and proven 27 type B. This means that one needs to guess equality proofs 82 correct in Coq and yields an executable plugin that translates 28 during type-checking, because the witness of equality has 83 a derivation in ETT into an actual Coq typing judgment. Ad- 29 been lost at the application of the reflection rule. Guessing it 84 ditionally, we show how this result is extended in the context 30 was not so hard in this example but is in general undecidable, 85 of homotopy type theory to a two-level type theory. 31 as one can for instance encode the halting problem of any 86 32 Keywords dependent types, translation, formalisation Turing machine as an equality in ETT. That is, the actual 87 33 objects that can be checked in ETT are not terms, but instead 88 34 1 Introduction derivations of terms. It thus seems natural to wonder whether 89 35 90 Type theories with equality reflection, such as extensional any derivation of ETT can be translated into a typecheckable 36 91 type theory (ETT), are convenient theories in which to for- term of ITT. And indeed, it is well know that one can find 37 92 malise mathematics, as they make it possible to consider a corresponding term of the same type in ITT by explicitly 38 93 provably equal terms as convertible, as expressed in the fol- transporting the term x of type A using the elimination of 39 94 lowing typing rule: internal equality on the witness of equality e, noted e∗: 40 95 λ AB (e : A = B)(x : A). e∗ x : Π AB. A = B → A → B. 41 Γ ⊢x e : u =A v 96 42 (1) This can be seen as a way to make explicit the silent use 97 Γ ⊢x u ≡ v : A 43 of reflection. Furthermore, by making the use of transport 98 44 Here, the type u =A v is Martin-Löf’s identity type with as economic as possible, the corresponding ITT term can 99 45 only one constructor refl u : u =A u which represents proofs be seen as a compact witness of the derivation tree of the 100 46 101 Permission to make digital or hard copies of part or all of this work for original ETT term. 47 personal or classroom use is granted without fee provided that copies are This result has first been investigated categorically in the 102 48 not made or distributed for profit or commercial advantage and that copies pioneering work of Hofmann [1995, 1997], by showing that 103 49 bear this notice and the full citation on the first page. Copyrights for third- the term model of ITT can be turned into a model of ETT by 104 50 party components of this work must be honored. For all other uses, contact quotienting this model with propositional equality. However, 105 the owner/author(s). 51 it is not clear how to extend this categorical construction 106 Conference’17, July 2017, Washington, DC, USA 52 107 © 2018 Copyright held by the owner/author(s). to an explicit and constructive translation from a derivation 53 ACM ISBN 978-x-xxxx-xxxx-x/YY/MM. in ETT to a term of ITT. In 2005, this result has been in- 108 54 https://doi.org/10.1145/nnnnnnn.nnnnnnn vestigated more syntactically by Oury [2005]. However, his 109 55 1 110 Conference’17, July 2017, Washington, DC, USA Théo Winterhalter, Matthieu Sozeau, and Nicolas Tabareau

111 presentation does not give rise to an effective translation. discuss limitations and related work. The main proofs are 166 112 By an effective translation we mean that it is entirely con- given in detail in Appendices B and C. 167 113 structive and can be used to deterministically compute the The Coq formalisation can be found in https://github.com/ 168 114 translation of a given ETT typing derivation. Two issues TheoWinterhalter/ett-to-itt. 169 115 prevent deriving an effective translation from Oury’s presen- 170 116 tation, and it is the process of actual formalisation of the 1.1 On the Need for UIP and Functional 171 117 result in a proof assistant that led us to these discoveries. Extensionality. 172 118 First, his handling of related contexts is not explicit enough, Our translation targets ITT plus UIP and functional exten- 173 119 which we fix by framing the translation using ideas coming sionality, which correspond to the two following axioms 174 120 from the parametricity translation (section 1.2). Addition- (where □i denotes the universe of types at level i): 175 121 ally, Oury’s proof requires an additional axiom in ITT on ′ ′ 176 UIP : Π(A : □i )(x y : A)(e e : x = y). e = e 122 top of functional extensionality and uniqueness of identity 177 FunExt : Π(A : i )(B : A → i )(f д : Π(x : A). B x). 123 □ □ 178 proofs, that has no clear motivation and can be avoided by (Π(x : A). f x = д x) → f = д 124 considering an annotated syntax (section 2.1). 179 125 The first axiom says that any two proofs of the same equality 180 126 Contributions. In this paper, we present the first effective are equal, and the other one says that two (dependent) func- 181 2 127 syntactical translation from ETT to ITT (assuming unique- tions are equal whenever they are pointwise equal . These 182 128 ness of identity proofs (UIP) and functional extensionality in two axioms are perfectly valid statements of ITT and they 183 129 ITT). By syntactical translation, we mean an explicit transla- can be proven in ETT. Indeed, UIP can be shown to be equiv- 184 130 tion from a derivation Γ ⊢x t : T of ETT (the x index testifies alent to the Streicher’s axiom K 185 ′ ′ 131 that it is a derivation in ETT) to a context Γ , term t and 186 ′ ′ ′ ′ K : Π(A : □i ). Π(x : A). Π(e : x = x). e = reflx 132 type T of ITT such that Γ ⊢ t : T in ITT. This translation 187 using the elimination on the identity type. But K is provable 133 enjoys the additional property that if T can be typed in ITT, 188 ′ in ETT by considering the type 134 i.e., Γ ⊢ T , then T ≡ T . This means in particular that a theo- 189 rem proven in ETT but whose statement is also valid in ITT 135 Π(A : □i ). Π(x y : A). Π(e : x = y). e = reflx 190 136 can be automatically transferred to a theorem of ITT. For 191 instance, one could use a local extension of the Coq proof which is well typed (using the reflection rule to show that e 137 has type x = x) and which can be inhabited by elimination of 192 138 assistant with a reflection rule, without being forced to rely 193 on the reflection in the entire development. the identity type. In the same way, functional extensionality 139 is provable in ETT because 194 140 This translation can be seen as a way to build a syntac- 195 141 tical model of ETT from a model of ITT as described more Π(x : A). f x = д x 196 142 generally in Boulier et al. [2017] and has been entirely pro- → x : A ⊢ f x ≡ д x by reflection 197 143 grammed and formalised in Coq [Coq development team → (λ(x : A).f x) ≡ (λ(x : A).д x) by congruence of ≡ 198 1 144 2017]. For this, we rely on TemplateCoq [Anand et al. 2018], → f ≡ д by η-law 199 145 which provides a reifier for Coq terms as represented in → f = д 200 146 Coq’s kernel as well as a formalisation of the type system of Therefore, applying our translation to the proofs of those 201 147 Coq. Thus, our formalisation of ETT is just given by adding theorems in ETT gives corresponding proofs of the same 202 148 the reflection rule to a subset of the original type system theorems in ITT. However, UIP is independent from ITT, as 203 149 of Coq. This allows us to extract concrete Coq terms and first shown by Hofmann and Streicher using the groupoid 204 150 types from a closed derivation of ETT, using a little trick to model [Hofmann and Streicher 1998], which has recently 205 151 incorporate Inductive types and induction. We do not treat been extended in the setting of univalent type theory using 206 152 cumulativity of universes which is an orthogonal feature of the simplicial or cubical models [Bezem et al. 2013; Kapulkin 207 153 Coq’s type theory. and Lumsdaine 2012]. Similarly, Boulier et al. have shown 208 154 209 Outline of the Paper. Before going into the technical devel- that functional extensionality is independent from ITT using 155 210 opment of the translation, we explain its main ingredients a simple syntactical translation [Boulier et al. 2017]. 156 211 and differences with previous works. Then, in Section 2, Therefore, our translation provides proofs of axioms in- 157 212 we define the extensional and intensional type theories we dependent from ITT, which means that the target of the 158 213 consider. In Section 3, we define the main ingredient of the translation already needs to have both UIP and functional 159 214 translation, which is a relation between terms of ETT and extensionality. Part of our work is to show formally that they 160 215 terms in ITT. Then, the translation is given in Section 4. Sec- are the only axioms required. 161 216 tion 5 describes the Coq formalisation and Sections 6 and 7 2In Homotopy Type Theory (HoTT) [Univalent Foundations Program 2013], 162 217 the functional extensionality axiom is stated in a more complete way, using 163 the notion of adjoint equivalences, but this more complete way collapses to 218 164 1https://template-coq.github.io/template-coq/ our simpler statement in presence of UIP. 219 165 2 220 Eliminating Reflection from Type Theory Conference’17, July 2017, Washington, DC, USA

221 1.2 Heterogeneous Equality and the Parametricity 2 Definitions of Extensional and 276 222 Translation. Intensional Type Theories 277 223 278 The basic idea behind the translation from ETT to ITT is This section presents the common syntax, typing and main 224 279 to interpret conversion using the internal notion of equal- properties of ETT and ITT. Our type theories feature a uni- 225 280 ity, i.e., the identity type. But this means that two terms of verse hierarchy, dependent products and sums as well as 226 281 two convertible types that were comparable in ETT become Martin Löf’s identity types. 227 comparable in ITT only up-to the equality between the two 282 228 types. One possible solution to this problem is to consider a 2.1 Syntax of ETT and ITT 283 229 284 native heterogeneous equality, such as John Major equality The common syntax of ETT and ITT is given in Figure 1. It 230 285 introduced by McBride [2000]. However, to avoid adding features: dependent products Π(x : A). B, with (annotated) 231 286 additional axioms to ITT as done by Oury [2005], we prefer λ-abstractions and (annotated) applications, negative depen- 232 287 to encode this heterogeneous equality using the following dent sums Σ(x : A). B with (annotated) projections, sorts i , 233 □ 288 dependent sums: identity types u =A v with reflection and elimination as 234 289 well as terms realising UIP and functional extensionality. An- 235 290 t T U u := Σ(p : T = U ). p∗ t = u. notating terms with otherwise computationally irrelevant 236 291 typing information is a common practice when studying the 237 292 During the translation, the same term occurring twice can syntax of type theory precisely (see [Streicher 1993] for a 238 293 be translated in two different manners, if the corresponding similar example). We will write A → B for Π(_ : A). B the 239 294 typing derivations are different. Even the types of the two non-dependent product / function type. 240 295 different translations may be different. However, wehave We consider a fixed universe hierarchy without cumula- 241 296 the strong property that any two translations of the same tivity, which ensures in particular uniqueness of typing (2.2) 242 297 term only differ in places where transports of proof of equal- which is important for the translation. 243 298 ity have been injected. To keep track of this property, we 244 About Annotations. Although it may look like a technical 299 introduce the relation t ∼ t ′ between two terms of ITT, of 245 detail, the use of annotation is more fundamental in ETT 300 possibly different types. The crux of the proof of the transla- 246 than it is in ITT (where it is irrelevant and doesn’t affect 301 tion is to guarantee that for every two terms t and t such 247 1 2 the theory). And this is actually one of the main differences 302 that Γ ⊢ t : T , Γ ⊢ t : T and t ∼ t , there exists p such that 248 1 1 2 2 1 2 between our work (and that of Martin Hofmann [1995] who 303 Γ ⊢ p : t T T t . However, during the proof, variables of 249 1 1 2 2 has a similar presentation) and the work of Oury [2005]. 304 different but (propositionally) equal types are introduced and 250 Indeed, by using the standard model where types are inter- 305 the context cannot be maintained to be the same for both t 251 1 preted as cardinals rather than sets, it is possible to see that 306 and t . Therefore, the translation needs to keep track of this 252 2 the equality nat → nat = nat → bool is independent from 307 duplication of variables, plus a proof that they are heteroge- 253 the theory, it is thus possible to assume it (as an axiom, or for 308 neously equal. This mechanism is similar to what happens 254 those that would still not be convinced, simply under a λ that 309 in the (relational) internal parametricity translation in ITT 255 would introduce this equality). In that context, the identity 310 introduced by Bernardy et al. [2012] and recently rephrased 256 map λ(x : nat). x can be given the type nat → bool and we 311 in the setting of TemplateCoq [Anand et al. 2018]. Namely, a 257 thus type (λ(x : nat). x) 0 : bool. Moreover, the β-reduction 312 context is not translated as a telescope of variables, but as a 258 of the non-annotated system used by Oury concludes that 313 telescope of triples consisting of two variables plus a witness 259 this expression reduces to 0, but cannot be given the type 314 that they are in the parametric relation. In our setting, this 260 bool (as we said, the equality nat → nat = nat → bool is 315 amounts to consider telescope of triples consisting of two 261 independent from the theory, so the context is consistent). 316 variables plus a witness that they are heterogeneously equal. 262 This means we lack subject reduction in this case (or unique- 317 We can express this by considering the following dependent 263 ness of types, depending on how we see the issue). Our 318 sums: 264 presentation has a blocked β-reduction limited to matching 319 265 annotations: (λ(x : A).B. t) @x:A.B u = t[x ←u], from which 320 Pack A A = Σ(x A ). Σ(y A ). x y. 266 1 2 : : 1 : 2 A1 A2 subject reduction and uniqueness of types follow. 321 267 Although subtle, this difference is responsible for Oury’s 322 268 This presentation inspired by the parametricity translation need for an extra axiom. Indeed, to treat the case of equality 323 269 is crucial in order to get an effective translation, because of applications in his proof, he needs to assume the congru- 324 270 it is necessary to keep track of the evolution of contexts ence rule for heterogeneous equality of applications, which 325 271 when doing the translation on open terms. This ingredient is not provable when formulated with John Major equality 326 272 is missing in Oury’s work [Oury 2005], which prevents him (Fig. 2). Thanks to annotations and our notion of hetero- 327 273 from deducing an effective (i.e., constructive and computable) geneous equality, we can prove this congruence rule for 328 274 translation from his theorem. applications. 329 275 3 330 Conference’17, July 2017, Washington, DC, USA Théo Winterhalter, Matthieu Sozeau, and Nicolas Tabareau

331 386 s ::= □i (i ∈ N) sorts (universes) 332 387 T , A, B, t,u,v ::= x | λ(x : A).B.t | t @x:A.B u | Π(x : A). B | s dependent λ-calculus 333 x:A.B x:A.B 388 | ⟨u;v⟩x:A.B | π p | π p | Σ(x : A). B dependent pairs 334 1 2 389 | reflA u | J(A,u, x.e.P,w,v,p) | u =A v propositional equality 335 | funext(x : A, B, f ,д, e) | uip(A,u,v,p,q) equality axioms 390 336 Γ, ∆ ::= • | Γ, x : A contexts 391 337 392 338 Figure 1. Common syntax of ETT and ITT 393 339 394 340 395 JMAPP so we could remove it from ETT, but keeping it allows us 341 396 f f u u to share a common syntax which makes the statements of 342 1 ∀(x:U1).V1 ∀(x:U2).V2 2 1 U1 U2 2 397 theorems simpler and does not affect the development. 343 f1 u1 V1[x←u1]V2[x←u2] f2 u2 398 344 2.3 General Properties of ITT and ETT 399 345 400 Figure 2. Congruence of heteogeneous equality We now state the main properties of both ITT and ETT. We 346 401 do not detail their proof as they are standard and can be 347 402 found in the Coq formalisation. 348 2.2 The Typing Systems 403 First, although not explicit in the typing system, weaken- 349 404 As usual in dependent type theory, we consider contexts ing is admissible in ETT and ITT. 350 which are telescopes whose declarations may depend on any 405 351 variable already introduced. We note Γ ⊢ t : A to say that t Lemma 2.1 (Weakening). If Γ ⊢ J and ∆ extends Γ (possibly 406 352 has type A in context Γ. Γ ⊢ A shall stand for Γ ⊢ A : s for interleaving variables) then ∆ ⊢ J . 407 353 some sort s and similarly Γ ⊢ A ≡ B stands for Γ ⊢ A ≡ B : s. Then, as mentioned above, the use of a non-cumulative 408 ′ ′ 354 We use two relations (s,s ) ∈ Ax (written (s,s ) for short) hierarchy allows us to prove that a term t can be given at 409 ′ ′′ ′ ′′ 355 and (s,s ,s ) ∈ R (written (s,s ,s )) to constrain the sorts most one type in a context Γ, up-to conversion. 410 356 in the typing rules for universes, dependent products and 411 Lemma 2.2 (Uniqueness of typing). If Γ ⊢ u : T and Γ ⊢ u : 357 dependent sums, as is done in any Pure Type System (PTS). 1 412 T then Γ ⊢ T ≡ T . 358 In our case, because we do not have cumulativity, the rules 2 1 2 413 359 are as follows: Finally, an important property of the typing system (seen 414 360 as a mutual inductive definition) is the possibility to deduce 415 ( , ) ∈ Ax ( , , ) ∈ R 361 □i □i+1 □i □j □max(i, j) hypotheses from their conclusion, thanks to inversion of 416 362 We give the typing rules of ITT in Figure 3. The rules are typing. Note that it is important here that our syntax is 417 363 standard and we do not explain them. Let us just point out the annotated for applications and projections as it provides a 418 364 conversion rule, which says that u : A can be given the type richer inversion principle. 419 365 u : B when A ≡ B, i.e., when A and B are convertible. As the Lemma 2.3 (Inversion of typing). 420 366 notion of conversion is central in our work—the conversion 421 1. If Γ ⊢ x : T then (x : A) ∈ Γ and Γ ⊢ A ≡ T . 367 of ETT being translated to an equality in ITT—we provide an 422 2. If Γ ⊢ i : T then Γ ⊢ i+1 ≡ T . 368 exhaustive definition of it, with computational conversion □ □ 423 3. If Γ ⊢ Π(x : A). B : T then Γ ⊢ A : s and Γ, x : A ⊢ B : s ′ 369 rules (including β-conversion or reduction of the elimination 424 and Γ ⊢ s ′′ ≡ T for some (s,s ′,s ′′). 370 principle of equality over reflexivity, see Figure 4), however 425 4. If Γ ⊢ λ(x : A).B.t : T then Γ ⊢ A : s and Γ, x : A ⊢ B : s ′ 371 congruence conversion rules can be found in Appendix A 426 and Γ, x : A ⊢ t : B and Γ ⊢ Π(x : A). B ≡ T . 372 (Figure 6). Note that we use Christine Paulin-Möhring’s vari- 427 5. If Γ ⊢ u @x:A.B v : T then Γ ⊢ A : s and Γ, x : A ⊢ 373 ant of the J rule rather than Martin-Löf’s original formulation. 428 B : s ′ and Γ ⊢ u : Π(x : A). B and Γ ⊢ v : A and 374 Although pretty straightforward, being precise here is very 429 Γ ⊢ B[x ←u] ≡ T . 375 important, as for instance the congruence rule for λ-terms 430 6. ... Analogous for the remaining term and type construc- 376 is the reason why functional extensionality is derivable in 431 tors. 377 ETT. Congruence of equality terms is a standard extension of 432 378 congruence to the new principles we add (UIP and functional Proof. Each case is proven by induction on the derivation 433 379 extensionality). (which corresponds to any number of applications of the 434 380 ETT is thus simply an extension of ITT (we write ⊢x for conversion rule following one introduction rule). □ 435 381 the associated typing judgment) with the reflection rule on 436 382 equality, which axiomatises that propositionally equal terms 3 Relating Translated Expressions 437 383 are convertible (see Equation 1). Note that, as already men- We want to define a relation on terms that equates two terms 438 384 tioned, in the presence of reflection and J, UIP is derivable that are the same up to transport. This begs the question of 439 385 4 440 Eliminating Reflection from Type Theory Conference’17, July 2017, Washington, DC, USA

441 what notion of transport is going to be used. Transport can 496 442 Well-formedness of contexts. be defined from elimination of equality as follows: 497 443 ⊢ ⊢ 498 ΓΓ A Definition 3.1 (Transport). Given Γ ⊢ p : T1 =s T2 and 444 (x < Γ) 499 ⊢ • ⊢ Γ, x : A Γ ⊢ t : T1 we define the transport of t along p, written p∗ t, as 445 500 J(s,T1, X .e. T1 → X, λ(x : T1).T1.x,T2,p) @T .T t such that 446 Types. 1 2 501 Γ ⊢ p∗ t : T2. 447 ′ 502 ⊢ Γ ′ Γ ⊢ A : s Γ, x : A ⊢ B : s ′ ′′ 448 (s,s ) (s,s ,s ) However, in order not to confuse the transports added by 503 ⊢ ′ ⊢ ′′ 449 Γ s : s Γ Π(x : A). B : s the translation with the transports that were already present 504 450 in the source, we consider p∗ as part of the syntax in the 505 ⊢ ⊢ ′ 451 Γ A : s Γ, x : A B : s ′ ′′ reasoning. It will be unfolded to its definition only after the 506 ′′ (s,s ,s ) 452 Γ ⊢ Σ(x : A). B : s complete translation is performed. This idea is not novel as 507 453 Hofmann already had a Subst operator that was part of his 508 454 Γ ⊢ A : s Γ ⊢ u : A Γ ⊢ v : A ITT (noted TTI in his paper [Hofmann 1995]). 509 455 We first define the (purely syntactic) relation ⊏ between 510 Γ ⊢ u =A v : s 456 ETT terms and ITT terms in Figure 5 stating that the ITT 511 457 Structural rules. term is simply a decoration of the first term by transports. Its 512 458 ⊢ Γ (x : A) ∈ Γ Γ ⊢ u : A Γ ⊢ A ≡ B : s purpose is to state how close to the original term its transla- 513 tion is. Then, we extend this relation to a similarity relation ∼ 459 Γ ⊢ x : A Γ ⊢ u : B 514 460 on ETT terms by taking its symmetric and transitive closure: 515 461 λ-calculus terms. ∼B (⊏ ∪ ⊏−1)+ 516 ′ 462 Γ ⊢ A : s Γ, x : A ⊢ B : s Γ, x : A ⊢ t : B 517 Lemma 3.2 (∼ is an equivalence relation). ∼ is reflexive, 518 463 Γ ⊢ λ(x : A).B.t : Π(x : A). B symmetric and transitive. 464 519 465 Γ ⊢ A : s Proof. For reflexivity we proceed by induction on the term. 520 466 Γ, x : A ⊢ B : s ′ Γ ⊢ t : Π(x : A). B Γ ⊢ u : A □ 521 467 522 Γ ⊢ t @x:A.B u : B[x ←u] The goal is to prove that two terms in this relation, that 468 are well-typed in the target type theory, are heterogeneously 523 469 524 Γ ⊢ u : A equal. As for this notion, we recall the definition we previ- 470 ′ 525 Γ ⊢ A : s Γ, x : A ⊢ B : s Γ ⊢ v : B[x ←u] ously gave: t T U u := Σ(p : T = U ). p∗ t = u. This defini- 471 tion of heterogeneous equality can be shown to be reflexive, 526 Γ ⊢ ⟨u;v⟩ : Σ(x : A). B 527 472 x:A.B symmetric and transitive. Because of UIP, heterogeneous 473 equality collapses to equality when taken on the same type. 528 474 Γ ⊢ p : Σ(x : A). B Γ ⊢ p : Σ(x : A). B 529 475 x:A.B x:A.B x:A.B Lemma 3.3. If Γ ⊢ e : u AA v then there exists p such that 530 Γ ⊢ π1 p : A Γ ⊢ π2 p : B[x ← π1 p] 476 Γ ⊢ p : u =A v. 531 Equality terms. 477 Proof. This holds thanks to UIP on equality, which implies K, 532 478 Γ ⊢ A : s Γ ⊢ u : A Γ ⊢ e1, e2 : u =A v and so the proof of A = A can be taken to be reflexivity. □ 533 479 534 Γ ⊢ reflA u : u =A u Γ ⊢ uip(A,u,v, e1, e2) : e1 = e2 480 Note. In particular,  on types corresponds to equality. This is 535 481 ′ not as trivial as it sounds, one might be concerned about what 536 Γ ⊢ A : s Γ ⊢ u,v : A Γ, x : A, e : u =A x ⊢ P : s ⊢ ′ 482 happens if we have Γ e : A s s B with two distinct sorts 537 Γ ⊢ p : u =A v Γ ⊢ w : P[x ←u, e ← reflA u] ′ ′ 483 s and s . We would thus have s = s , however, for this to be 538 ′ 484 Γ ⊢ J(A,u, x.e.P,w,v,p) : P[x ←v, e ←p] well-typed, we need to give a common type to s and s , which 539 ′ 485 can only be achieved if s and s are actually the same sort. 540 ⊢ , . 486 Γ f д : Π(x : A) B Before we can prove the fundamental lemma stating that 541 ⊢ . = 487 Γ e : Π(x : A) f @x:A.B x B д @x:A.B x two terms in relation are heterogeneously equal, we need 542 488 Γ ⊢ funext(x : A, B, f ,д, e) : f = д to consider another construction. As explained in the intro- 543 489 duction, when proving the property by induction on terms, 544 490 Figure 3. Typing rules we introduce variables in the context that are equal only 545 491 up-to heterogeneous equality. This phenomenon is similar 546 492 to what happens in the parametricity translation [Bernardy 547 493 et al. 2012]. Our fundamental lemma on the decoration re- 548 494 lation ∼ assumes two related terms of potentially different 549 495 5 550 Conference’17, July 2017, Washington, DC, USA Théo Winterhalter, Matthieu Sozeau, and Nicolas Tabareau

551 606 552 Computation. 607 553 Γ ⊢ A : s Γ, x : A ⊢ B : s ′ Γ, x : A ⊢ t : B Γ ⊢ u : A 608 554 609 Γ ⊢ (λ(x : A).B.t) @ u ≡ t[x ←u]: B[x ←u] 555 x:A.B 610 556 611 Γ ⊢ A : s Γ ⊢ u : A Γ, x : A, e : u = x ⊢ P : s ′ Γ ⊢ w : P[x ←u, e ← refl u] 557 A A 612 558 Γ ⊢ J(A,u, x.e.P,w,u, reflA u) ≡ w : P[x ←u, e ← reflA u] 613 559 614 ′ 560 Γ ⊢ A : s Γ ⊢ u : A Γ, x : A ⊢ B : s Γ ⊢ v : B[x ←u] 615 561 x:A.B 616 Γ ⊢ π1 ⟨u;v⟩x:A.B ≡ u : A 562 617 563 Γ ⊢ A : s Γ ⊢ u : A Γ, x : A ⊢ B : s ′ Γ ⊢ v : B[x ←u] 618 564 619 ⊢ x:A.B ⟨ ⟩ ≡ ← 565 Γ π2 u;v x:A.B v : B[x u] 620 566 Conversion. 621 567 622 Γ ⊢ t1 ≡ t2 : T1 Γ ⊢ T1 ≡ T2 568 623 Γ ⊢ t ≡ t : T 569 1 2 2 624 570 Figure 4. Main conversion rules (omitting congruence rules) 625 571 626 572 627 573 types T 1 and T 2 to produce an heterogeneous equality be- Implicitly, whenever we use the notation Pack Γ1 Γ2 it 628 574 tween them. For induction to go through under binders (e.g. means that the two contexts are of the same length and 629 575 for dependent products and abstractions), we hence need to well-formed with the same sorts. We can now state the fun- 630 576 consider the two terms under different, but heterogeneously damental lemma. 631 577 equal contexts. Therefore, the context we produce will not 632 Lemma 3.4 (Fundamental lemma). Let t1 and t2 be two terms. 578 only be a telescope of variables, but rather a telescope of 633 If Γ, Γ1 ⊢ t1 : T1 and Γ, Γ2 ⊢ t2 : T2 and t1 ∼ t2 then there exists 579 triples consisting of two variables of possibly different types, 634 p such that Γ, Pack Γ1 Γ2 ⊢ p : t1[γ1] T1[γ1] T2[γ2] t2[γ2]. 580 and a witness that they are heterogeneously equal. To make 635 581 this precise, we define the following macro: Proof. The proof is by induction on the derivation of t1 ∼ t2. 636 We show the three most interesting cases: 637 582 Pack A1 A2 := Σ(x : A1). Σ(y : A2). x  y 583 • Var 638 together with its projections 584 639 . . . . . x ∼ x 585 Proj1 p := π1 p Proj2 p := π1 π2 p Proje p := π2 π2 p. 640 641 586 We can then extend this notion canonically to contexts of If x belongs to Γ, we apply reflexivity—together with 642 587 the same length that are well formed using the same sorts: uniqueness of typing (2.2)—to conclude. Otherwise, 643 588 Proje x has the expected type (since x[γ1] ≡ Proj1 x Pack (Γ , x : A )(Γ , x : A ) := 644 589 1 1 2 2 and x[γ2] ≡ Proj2 x). 590 (Pack Γ1 Γ2), x : Pack (A1[γ1])(A2[γ2]) • Application 645 591 646 t1 ∼ t2 A1 ∼ A2 B1 ∼ B2 u1 ∼ u2 592 Pack •• := •. 647 t1 @x:A .B u1 ∼ t2 @x:A .B u2 593 When we pack contexts, we also need to apply the correct 1 1 2 2 648 594 ⊢ ⊢ 649 projections for the types in that context to still make sense. We have Γ, Γ1 t1@x:A1 .B1u1 : T1 and Γ, Γ2 t2@x:A2 .B2 595 650 Assuming two contexts Γ1 and Γ2 of the same length, we can u2 : T2 which means by inversion (2.3) that the sub- 596 define left and right substitutions: terms are well-typed. We apply the induction hypoth- 651 597 esis and then conclude. 652 γ := [x ← Proj x | (x : _) ∈ Γ ] 598 1 1 1 • TransportLeft 653 ← | ∈ 599 γ2 := [x Proj2 x (x : _) Γ2]. 654 t1 ∼ t2 600 These substitutions implement lifting of terms to packed 655 p∗ t1 ∼ t2 601 contexts: Γ, Pack Γ1 Γ2 ⊢ t[γ1] : A[γ1] whenever Γ, Γ1 ⊢ t : A 656 602 (resp. Γ, Pack Γ1 Γ2 ⊢ t[γ2]: A[γ2] whenever Γ, Γ2 ⊢ t : A). We have Γ, Γ1 ⊢ p∗ t1 : T1 and Γ, Γ2 ⊢ t2 : T2. By inver- 657 603 ′ ′ 658 For readability, when Γ1 and Γ2 are understood we will sion (2.3) we have Γ, Γ1 ⊢ p : T1 = T1 and Γ, Γ1 ⊢ t1 : T1 . 604 write Γp for Pack Γ1 Γ2. By induction hypothesis we have e such that Γ, Γp ⊢ e : 659 605 6 660 Eliminating Reflection from Type Theory Conference’17, July 2017, Washington, DC, USA

661 Proof. We proceed by induction on the derivation of t1 ∼ 716 662 t . □ 717 t ⊏ t 2 663 1 2 718 664 t1 ⊏ p∗ t2 4 Translating ETT to ITT 719 665 4.1 The Translation 720 666 A1 ⊏ A2 B1 ⊏ B2 721 We now define the translations (let us stress the plural here) 667 722 x ⊏ x Π(x : A1). B1 ⊏ Π(x : A2). B2 of an extensional judgment. We extend ⊏ canonically to 668 723 contexts (Γ ⊏ Γ when they bind the same variables and the 669 724 A1 ⊏ A2 B1 ⊏ B2 types are in relation for ⊏). 670 725 Σ(x : A ). B ⊏ Σ(x : A ). B Before defining the translation, we define aset Γ ⊢ t : A 671 1 1 2 2 x 726 of typing judgments in ITT associated to a typingJ judgmentK 672 727 A ⊏ A u ⊏ u v ⊏ v Γ ⊢ t : A in ETT. The idea is that this set describes all 673 1 2 1 2 1 2 x 728 the possible translations that lead to the expected property. 674 u1 =A v1 ⊏ u2 =A v2 s ⊏ s 729 1 2 Γ ⊢ ∈ Γ ⊢ Γ ⊢ 675 When t : A x t : A , we say that t : A realises 730 Γ ⊢ t : A. The translationJ willK be given by showing that this 676 A1 ⊏ A2 B1 ⊏ B2 t1 ⊏ t2 x 731 677 set is inhabited by induction on the derivation. 732 λ(x : A1).B1.t1 ⊏ λ(x : A2).B2.t2 678 Definition 4.1 (Characterisation of possible translations). 733 679 734 t1 ⊏ t2 A1 ⊏ A2 B1 ⊏ B2 u1 ⊏ u2 • For any ⊢x Γ we define ⊢x Γ as a set of valid judg- 680 J K 735 t1 @x:A .B u1 ⊏ t2 @x:A .B u2 ments (in ITT) such that ⊢ Γ ∈ ⊢x Γ if and only if 681 1 1 2 2 736 Γ ⊏ Γ. J K 682 737 A1 ⊏ A2 B1 ⊏ B2 t1 ⊏ t2 u1 ⊏ u2 • Similarly, Γ ⊢ t : A ∈ Γ ⊢x t : A iff ⊢ Γ ∈ ⊢x Γ and 683 738 A ⊏ A and t ⊏ t. J K J K 684 ⟨t1;u1⟩x:A1 .B1 ⊏ ⟨t2;u2⟩x:A2 .B2 739 685 In order to better master the shape of the produced realiser, 740 686 A1 ⊏ A2 B1 ⊏ B2 p1 ⊏ p2 we state the following lemma which shows that it has the 741 687 x:A1 .B1 x:A2 .B1 same head type constructor as the type it realises. This is 742 π1 p1 ⊏ π1 p2 688 important for instance for the case of an application, where 743 689 744 A1 ⊏ A2 B1 ⊏ B2 p1 ⊏ p2 A1 ⊏ A2 u1 ⊏ u2 we do not know a priori if the translated function has a 690 745 x:A .B x:A .B dependent product type, which is required to be able to use π 1 1 p π 2 2 p reflA u ⊏ reflA u 691 2 1 ⊏ 2 2 1 1 2 2 the typing rule for application. 746 692 747 693 A1 ⊏ A2 B1 ⊏ B2 f1 ⊏ f2 д1 ⊏ д2 e1 ⊏ e2 Lemma 4.2. We can always choose types T that have the 748 same head constructor as T . 694 funext(x : A1, B1, f1,д1, e1) ⊏ funext(x : A2, B2, f2,д2, e2) 749 695 750 Proof. Assume we have Γ ⊢ t : T ∈ Γ ⊢x t : T . By definition 696 A A u u v v p p q q J K ′ ′ 751 1 ⊏ 2 1 ⊏ 2 1 ⊏ 2 1 ⊏ 2 1 ⊏ 2 of ⊏, T ⊏ T means that T is shaped p∗ q∗ ... r∗ T with T 697 752 uip(A1,u1,v1,p1,q1) ⊏ uip(A2,u2,v2,p2,q2) having the same head constructor asT . By inversion (2.3), the ′ 698 subterms are typable, including T . Actually, from inversion, 753 699 ′ 754 A1 ⊏ A2 we even get that the type of T is a universe. Then, using 700 ′ 755 u1 ⊏ u2 P1 ⊏ P2 w1 ⊏ w2 v1 ⊏ v2 p1 ⊏ p2 lemma 3.4 and lemma 3.3, we get Γ ⊢ e : T = T . We conclude 701 ′ 756 702 J(A1,u1, x.e.P1,w1,v1,p1) ⊏ J(A2,u2, x.e.P2,w2,v2,p2) with Γ ⊢ e∗ t : T ∈ Γ ⊢x t : T . □ 757 J K 758 703 Figure 5. Relation ⊏ Finally, in order for the induction to go through, we need to 704 759 know that when we have a realiser of a derivation Γ ⊢x t : T , 705 760 we can pick an arbitrary other type realising Γ ⊢x T and 706 761 t1[γ1]  t2[γ2]. From transitivity and symmetry we still get a new derivation realising Γ ⊢x t : T with that type. 707 762 only need to provide a proof of t1[γ1]  p[γ1]∗ t1[γ1] This is important for instance for the case of an application, 708 763 which is inhabited by ⟨p[γ1]; refl (p[γ1]∗ t1[γ1])⟩_._. where the type of the domain of the translated function may 709 764 The complete proof can be found in Appendix B. □ differ from the type of the translated argument. So weneed 710 to be able to change it a posteriori. 765 711 We can also prove that ∼ preserves substitution. 766 712 Lemma 4.3. When we have Γ ⊢ t : T ∈ Γ ⊢x t : T and 767 ′ ′ J ′ K 713 Lemma 3.5. If t1 ∼ t2 and u1 ∼ u2 then t1[x ←u1] ∼ Γ ⊢ T ∈ Γ ⊢x T then we also have Γ ⊢ t : T ∈ Γ ⊢x t : T 768 J′ K J K 714 t2[x ←u2]. for some t . 769 715 7 770 Conference’17, July 2017, Washington, DC, USA Théo Winterhalter, Matthieu Sozeau, and Nicolas Tabareau

′ 771 Proof. By definition we have T ⊏ T and T ⊏ T and thus ⊢ T ∈ ⊢x T , and, using Lemma 4.3, we obtain ⊢ t : T ∈ ⊢x 826 ′ ′ 772 T ∼ T and T ∼ T , implying T ∼ T by transitivity (3.2). By t : T .J K J □ 827 ′ 773 ≡ ≡ • ⊢ K 828 lemma 3.4 (in the case Γ1 Γ2 ) we get Γ p : T  T for Corollary 4.6 (Relative consistency). Assuming ITT is con- 774 some p. By lemma 3.3 (and lemma 4.2 to give universes as 829 ′ ′ sistent, there is no term t such that ⊢x t : Π(A : □0). A. 775 types to T and T ) we can assume Γ ⊢ p : T = T . Then Γ ⊢ 830 776 ′ Proof. t 831 p∗ t : T is still a translation since ⊏ ignores transports. □ Assume such a exists. By the Corollary 4.5, because 777 832 ⊢ Π(A : □0). A, there exists t such that ⊢ t : Π(A : □0). A 778 We can now define the translation. This is done by mutual which contradicts the assumed consistency of ITT. □ 833 779 induction on context well-formedness, typing and conver- 834 780 sion derivations. Indeed, in order to be able to produce a 4.3 Optimisations 835 781 realiser by induction, we need to show that every conver- Up until now, we remained silent about one thing: the size 836 782 sion in ETT is translated as an heterogeneous equality in of the translated terms. Indeed, the translated term is a deco- 837 783 ITT. ration of the initial one by transports which appear in many 838 784 locations. For example, at each application we use a transport 839 Theorem 4.4 (Translation). 785 by lemma 4.2 to ensure that the term in function position 840 786 • If ⊢x Γ then there exists ⊢ Γ ∈ ⊢x Γ , is given a function type. In most cases—in particular when 841 J K 787 • If Γ ⊢x t : T then for any ⊢ Γ ∈ ⊢x Γ there exist t and translating ITT terms—this produces unnecessary transports 842 J K 788 T such that Γ ⊢ t : T ∈ Γ ⊢x t : T , (often by reflexivity) that we wish to avoid. 843 J K 844 789 • If Γ ⊢x u ≡ v : A then for any ⊢ Γ ∈ ⊢x Γ there In order to limit the size explosion, in the above we use a ′ 790 exist A ⊏ A, A ⊏ A ,u ⊏ u,v ⊏ v andJe suchK that different version of transport, namely transport′ such that 845 846 791 Γ ⊢ e : u ′ v. ′ AA transport (p, t) = t when A = A 792 A1,A2 1 α 2 847 793 Proof. We prove the theorem by induction on the derivation = p∗t otherwise. 848 in the extensional type theory. We only show the two most 794 The idea is that we avoid trivially unnecessary transports (we 849 interesting cases of application and conversion. The complete 795 do not deal with β-conversion for instance). We extend this 850 proof is given in Appendix C. 796 technique to the different constructors of equality (symmetry, 851 797 • Application transitivity, ...) so that they reduce to reflexivity whenever 852 798 ′ 853 Γ ⊢x A : s Γ, x : A ⊢x B : s possible. Take transitivity for instance: 799 854 Γ ⊢x t : Π(x : A). B Γ ⊢x u : A ′ 800 transitivity (refl u,q) = q 855 Γ ⊢ t @ u : B[x ←u] 801 x x:A.B transitivity′(p, refl u) = p 856 802 Using IH together with lemmata 4.2 and 4.3 we get transitivity′(p,q) = transitivity(p,q). 857 803 Γ ⊢ A : s and Γ, x : A ⊢ B : s ′ and Γ ⊢ t : Π(x : A). B 858 804 ⊢ ⊢ We show these defined terms enjoy the same typing rules 859 and Γ u : A meaning we can conclude Γ t @x:A.B u : 805 as their counterparts and use them instead. In practice it is 860 B[x ←u] ∈ Γ ⊢x t @x:A.B u : B[x ←u] . 806 • ConversionJ K enough to recover the exact same term when it is typed in 861 807 ITT. 862 Γ ⊢x u : A Γ ⊢x A ≡ B 808 863 809 Γ ⊢x u : B 5 Formalisation with Template-Coq 864 810 By IH and lemma 3.3 we have Γ ⊢ e : A = B which We have formalised the translation in the setting of Tem- 865 811 plateCoq [Anand et al. 2018] in order to have a more precise 866 implies Γ ⊢ A ∈ Γ ⊢x A by inversion (2.3), thus, 812 proof, but also to evidence the fact that the translation is in- 867 from lemma 4.3 andJ IH weK get Γ ⊢ u : A, yielding 813 deed constructive and can be used to perform computations. 868 Γ ⊢ e∗ u : B ∈ Γ ⊢x u : B . 814 J K TemplateCoq is a Coq library that has a representation of 869 815 □ Coq terms as they are in Coq’s kernel (in particular using de 870 816 Bruijn indices for variables) and a (partial) implementation 871 4.2 Meta-theoretical Consequences 817 of the type checking algorithm (not checking guardedness 872 818 We can check that all ETT theorems whose type are typable of fixpoints or positivity of inductive types). It comes with 873 819 in ITT have proofs in ITT as well: a Coq plugin that permits to quote Coq terms into their 874 820 representations, and to produce Coq terms from their rep- 875 Corollary 4.5 (Preservation of ITT). If ⊢x t : T and ⊢ T then 821 resentation (if they indeed denote well-typed terms). We 876 there exist t such that ⊢ t : T ∈ ⊢x t : T . 822 J K have integrated our formalisation within that framework in 877 823 Proof. Since ⊢ • ∈ ⊢x • , by Theorem (4.4), there exists t order to ensure our presentations of ETT and ITT are close 878 J K 824 and T such that ⊢ t : T ∈ ⊢x t : T But as ⊢ T , we have to Coq, but also to take advantage of the quoting mechanism 879 825 J K 8 880 Eliminating Reflection from Type Theory Conference’17, July 2017, Washington, DC, USA

881 to produce terms using the interactive mode (in particular fact that the theorem holds in Coq ensures we can actually 936 882 we get to use tactics). Note that we also rely on Mangin compute a translated term and type out of a derivation in 937 883 and Sozeau’s Equations [Sozeau 2010] plugin to derive nice ETT. 938 884 dependent induction principles. 939 885 Our formalisation takes full advantage of its easy interfac- 5.2 Inductive Types and Recursion 940 886 ing with TemplateCoq: we define two theories, namely ETT In the proof of Section 4, we didn’t mention anything about 941 887 and ITT, but ITT enjoys a lot of syntactic sugar by having inductive types, pattern-matching or recursion as it is a bit 942 888 things such as transport, heterogeneous equality and pack- technical on paper. In the formalisation, we offer a way to 943 889 ing as part of the syntax. The operations regarding these still be able to use them, and we will even show how it works 944 890 constructors—in particular the tedious ones—are written in in practice with the examples (5.4). 945 891 Coq and then quoted to finally be realised in the translation The main guiding principle is that inductive types and in- 946 892 from ITT to TemplateCoq. duction are orthogonal to the translation, they should more 947 893 or less be translated to themselves. To realise that easily, 948 Interoperability with TemplateCoq. The translation we 894 we just treat an inductive definition as a way to introduce 949 define from ITT to TemplateCoq is not proven correct, but 895 new constants in the theory, one for the type, one for each 950 it is not really important as it can just be seen as a feature to 896 constructor, one for its elimination principle, and one equal- 951 observe the produced terms in a nicer setting. In any case, 897 ity per computation rule. For instance, the natural numbers 952 TemplateCoq does not yet provide a complete formalisa- 898 can be represented by having the following constants in the 953 tion of CIC rules, as guard checking of recursive definitions 899 context: 954 900 and strict positivity of inductive type declarations are not 955 formalised yet. nat : □0 901 0 : nat 956 902 We also provide a translation from TemplateCoq to ETT 957 that we will describe more extensively with the examples (5.4). S : nat → nat 903 natrec : ∀P, P 0 → (∀m, P m → P (S m)) → ∀n, P n 958 904 959 5.1 Quick Overview of the Formalisation natrec0 : ∀PPz Ps , natrec PPz Ps 0 = Pz 905 960 natrecS : ∀PPz Ps n, 906 The file SAst.v contains the definition of the (common) ab- 961 natrec PPz Ps (S n) = Ps n (natrec PPz Ps n) 907 stract syntax of ETT and ITT in the form of an inductive 962 908 definition with de Bruijn indices for variables (like in Tem- Here we rely on the reflection rule to obtain the computa- 963 909 plateCoq). Sorts are defined separately in Sorts.v and we will tional behavior of the eliminator natrec. 964 910 address them later in Section 5.3. This means for instance that we do not consider inductive 965 Inductive sterm: Type := 911 types that would only make sense in ETT, but we deem this 966 | sRel(n: nat) 912 | sSort(s: sort) not to be a restriction and to the best of our knowledge isn’t 967 | sProd(nx: name)(AB: sterm) 913 something that is usually considered in the literature. With 968 | sLambda(nx: name)(A B t: sterm) 914 | sApp(u: sterm)(nx: name)(A B v: sterm) that in mind, our translation features a global context of 969 | sEq(A u v: sterm) 915 typed constants with the restriction that the types of those 970 | sRefl(A u: sterm) 916 | (* ... *). constants should be well-formed in ITT. Those constants are 971 thus used as black boxes inside ETT. 917 The files ITyping.v and XTyping.v define respectively the 972 With this we are able to recover what we were missing 918 typing judgments for ITT and ETT, using mutual inductive 973 from Coq, without having to deal with the trouble of proving 919 types. Then, most of the files are focused on the meta-theory 974 that the translation doesn’t break the guard condition of fixed 920 of ITT and can be ignored by readers who don’t need to see 975 points, and we are instead relying on a more type-based 921 yet another proof of subject reduction. 976 approach. 922 The most interesting files are obviously those where the 977 923 978 fundamental lemma and the translation are formalised: Fun- 5.3 About Universes and Homotopy 924 damentalLemma.v and Translation.v. For instance, here is 979 The experienced reader might have noticed that our treat- 925 the main theorem, as stated in our formalisation: 980 ment of universes (except perhaps for the absence of cumu- 926 Theorem complete_translation Σ : 981 type_glob Σ -> lativity) was really superficial and the notion of sorts used 927 P 982 (forall Γ (h: XTyping.wf ΣΓ), Γ', Σ |--i Γ' # Γ )* is rather orthogonal to our main development. This is even 928 (forall Γ t A(h: Σ ;;; Γ |-x t:A) J K 983 929 Γ' (hΓ : Σ |--i Γ' # Γ ), more apparent in the formalisation. Indeed, we didn’t fix a 984 P A' t', Σ ;;;; Γ' |---J [tK ']:A ' # Γ |---[t]:A )* specific universe hierarchy, but instead specify what proper- 930 J K 985 (forall Γ u v A(h: Σ ;;; Γ |-x u=v:A) 3 931 Γ' (hΓ : Σ |--i Γ' # Γ ), ties it should have, in what is reminiscent to a (functional ) 986 P J K 932 A' A'' u' v' p', eqtrans ΣΓ A u v Γ' A' A'' u' v' p'). PTS formulation. 987 933 Herein type_glob Σ refers to the fact that some global con- 3Meaning the sort of a sort, and the sort of a product are functions, necessary 988 934 text is well-typed, its purpose is detailed in Section 5.2. The to the uniqueness of types (2.2). 989 935 9 990 Conference’17, July 2017, Washington, DC, USA Théo Winterhalter, Matthieu Sozeau, and Nicolas Tabareau

991 Class Sorts.notion :={ 5.4 ETT-flavoured Coq: Examples 1046 992 sort: Type ; 1047 succ: sort -> sort; In this section we demonstrate how our translation can bring 993 prod_sort: sort -> sort -> sort; extensionality to the world of Coq in action. The examples 1048 994 sum_sort: sort -> sort -> sort; 1049 eq_sort: sort -> sort; can be found in plugin_demo.v. 995 eq_dec: forall s z: sort,{s=z}+{s <>z}; 1050 996 succ_inj: forall s z, succ s= succ z ->s=z First, a pedestrian approach. We would like to begin by 1051 }. 997 showing how one can write an example step by step before 1052 998 From the notion of sorts, we require functions to get the sort we show how it can be used in practice. For this we use a self- 1053 999 of a sort, the sort of a product from the sorts of its arguments, contained example without any inductive types or recursion, 1054 1000 and (crucially) the sort of an identity type. We also require illustrating a very simple case of reflection. The term we 1055 1001 some measure of decidable equality and injectivity on those. want to translate is the following: 1056 1002 This allows us to instantiate this by a lot of different no- λ A B e x. x : Π AB. A = B → A → B 1057 1003 tions including the one presented earlier in the paper or 1058 1004 even its extension with a universe Prop of propositions (like This is, in some sense the identity, relying on the equality 1059 1005 CIC [Bertot and Castéran 2004]). We present here two in- e : A = B to convert x : A to x : B. Of course, this definition 1060 1006 stances that have their own interest. isn’t accepted in Coq because the conversion doesn’t hold 1061 1007 in ITT. 1062 1008 Type in Type. One of the instances we provide is one with Fail Definition pseudoid(AB: Type)(e:A=B)(x:A):B :=x. 1063 1009 only one universe Type, with the inconsistent typing rule However, we still want to be able to write it in some way, in 1064 1010 Type : Type. Although inconsistent, this allows us to inter- order to avoid manipulating de Bruijn indices directly. For 1065 1011 face with TemplateCoq, without the—for the time being— this, we use a little trick by first defining a Coq axiom to 1066 1012 very time-consuming universe constraint checking. represent an ill-typed term: 1067 1013 Axiom candidate: forall AB(t:A),B. 1068 1014 Homotopy Type System and Two-Level Type Theory. An- candidate A B t is a candidate t of type A to inhabit type 1069 1015 other interesting application (or rather instance) of our for- B. We complete this by adding a notation that is reminiscent 1070 1016 malisation is a translation from Homotopy Type System to Agda’s [Norell 2007] hole mechanism. 1071 1017 (HTS) [Voevodsky 2013] to Two-Level Type Theory (2TT) [Al- Notation "'{!' t '!}'" :=(candidate__t). 1072 tenkirch et al. 2016; Annenkov et al. 2017]. 1018 We can now write the ETT function within Coq. 1073 HTS and 2TT arise from the incompatibility between UIP— 1019 Definition pseudoid(AB: Type)(e:A=B)(x:A):B :={!x !}. 1074 1020 recall it is provable in ETT—and univalence. The idea is 1075 to have two distinct notions of equality in the theory, a We can then quote the term and its type to TemplateCoq 1021 Quote 1076 strict one satisfying UIP, and a fibrant one corresponding thanks to the Definition command provided by the 1022 plugin. 1077 1023 to the homotopy type theory equality, possibly satisfying 1078 Quote Definition pseudoid_term := 1024 univalence. This actually induces a separation in the types ltac:(let t := eval compute in pseudoid in exact t). 1079 Quote Definition pseudoid_type := 1025 of the theory: some of them are called fibrant and the fibrant 1080 ltac:(let T := type of pseudoid in exact T). 1026 or homotopic equality can only be eliminated on those. HTS 1081 The terms that we get are now TemplateCoq terms, repre- 1027 can be seen as an extension of 2TT with reflection on the 1082 senting Coq syntax. We need to put them in ETT, meaning 1028 strict equality just like ETT is an extension of ITT. 1083 adding the annotations, and also removing the candidate 1029 We can recover HTS and 2TT in our setting by taking 1084 axiom. This is the purpose of the fullquote function that 1030 Fi and Ui as respectively the fibrant and strict universes 1085 we provide in our formalisation. 1031 of those theories (for i ∈ N), along with the following PTS 1086 Definition pretm_pseudoid := 1032 rules: Eval lazy in fullquote(2^18) Σ [] pseudoid_term empty empty nomap. 1087 1033 Definition tm_pseudoid := 1088 (F , F ) ∈ Ax (U , U ) ∈ Ax Eval lazy in match pretm_pseudoid with 1034 i i+1 i i+1 | Success t =>t 1089 1035 (Fi , Fj , Fmax(i, j) ) ∈ R (Fi , Uj , Umax(i, j) ) ∈ R | Error_ => sRel0 1090 end. 1036 (Ui , Fj , Umax(i, j) ) ∈ R (Ui , Uj , Umax(i, j) ) ∈ R 1091 1037 Definition prety_pseudoid := 1092 Eval lazy in fullquote(2^18) Σ [] pseudoid_type empty empty nomap. 1038 and the fact that the sort of the (strict) identity type on A : s Definition ty_pseudoid := 1093 1039 is the strictified version of s, i.e., Ui for s = Ui or s = Fi . In Eval lazy in match prety_pseudoid with 1094 | Success t =>t 1040 order to have the fibrant equality, one simply needs to doas | Error_ => sRel0 1095 1041 in Section 5.2. end. 1096 1042 In short, the translation from HTS to 2TT is basically the tm_pseudoid and ty_pseudoid correspond respectively to 1097 1043 same as the one from ETT to ITT we presented in this paper, the ETT representation of pseudoid and its type. We then 1098 1044 and this fact is factorised through our formalisation. produce, using our home-brewed Ltac type-checking tactic, 1099 1045 10 1100 Eliminating Reflection from Type Theory Conference’17, July 2017, Washington, DC, USA

1101 the corresponding ETT typing derivation (notice the use of Translate Θ "vv" 1156 1102 reflection to typecheck). ). 1157 1103 Lemma type_pseudoid: Σi ;;;[] |-x tm_pseudoid: ty_pseudoid. Here, ε is the empty translation context and the command 1158 Proof. 1104 1159 unfold tm_pseudoid, ty_pseudoid. TranslateConstant enriches it with the types the induc- 1105 ettcheck. cbn. tives and of their constructors. The translation context then 1160 eapply reflection with (e := sRel1). 1106 1161 ettcheck. also contains associative tables between our own represen- 1107 Defined. tation of constants and those of Coq. Unsurprisingly, the 1162 1108 We can then translate this derivation, obtain the translated translated Coq term is the same as the original term. 1163 1109 term and then convert it to TemplateCoq. 1164 Reversal of vectors. Next, we tackle a motivating example: 1110 Definition itt_pseudoid: sterm := 1165 1111 Eval lazy in reversal on vectors. Indeed, if you want to implement this 1166 let '(_;t;_) := operation, the same way you would do it on lists, you end 1112 type_translation type_pseudoid istrans_nil 1167 1113 in t. up having a conversion problem: 1168 Fail Definition vrev{A n m}(v: vec A n)(acc: vec A m) 1114 1169 Definition tc_pseudoid: tsl_result term := : vec A(n+m) := 1115 Eval lazy in vec_rect A( fun n_ => forall m, vec A m -> vec A(n+m)) 1170 tsl_rec(2^ 18) Σ [] itt_pseudoid empty. (fun m acc => acc) 1116 1171 (fun a n_ rv m acc => rv_(vcons a m acc)) 1117 Once we have it, we unquote the term to obtain a Coq term n v m acc. 1172 (notice that the only use of reflection has been replaced bya 1118 The recursive call returns a vector of length n+Sm where 1173 transport). 1119 S n+m 1174 fun (AB: Type)(e:A=B)(x:A) => transport e x the context expects one of length . In ITT these 1120 1175 : forall AB: Type,A=B ->A ->B types are not convertible. This example is thus a perfect fit 1121 for ETT where we can use the fact that these two expressions 1176 Making a Plugin with TemplateCoq. 1122 All of this work always compute to the same thing when instantiated with 1177 1123 is pretty systematic. Fortunately for us, TemplateCoq also concrete numbers. 1178 1124 features a monad to reify Coq commands which we can use Definition vrev{A n m}(v: vec A n)(acc: vec A m) 1179 1125 to program the translation steps. As such we have written a : vec A(n+m) := 1180 vec_rect A( fun n_ => forall m, vec A m -> vec A(n+m)) 1126 complete procedure, relying on Coq type checkers we wrote (fun m acc => acc) 1181 1127 for ITT and ETT, which can generate equality obligations. (fun a n_ rv m acc =>{! rv_(vcons a m acc) !}) 1182 n v m acc. 1128 Thanks to this, the user doesn’t have to know about the 1183 1129 details of implementation of the translation, and stay within Run TemplateProgram( 1184 Coq Θ <- TranslateConstant ε "nat";; 1130 the ecosystem. Θ <- TranslateConstant Θ "vec";; 1185 1131 For instance, our previous example now becomes: Θ <- TranslateConstant Θ "Nat.add";; 1186 Definition pseudoid(AB: Type)(e:A=B)(x:A):B :={!x !}. Θ <- TranslateConstant Θ "vec_rect";; 1132 Translate Θ "vrev" 1187 1133 Run TemplateProgram(Translate ε "pseudoid"). ). 1188 1134 This produces a Coq term pseudoid' corresponding to the This generates four obligations that are all solved automati- 1189 1135 translation. Notice how the user doesn’t even have to pro- cally. One of them contains a proof of S n+m=n+Sm 1190 1136 vide any proof of equality or derivations of any sort. The while the remaining three correspond to the computation 1191 1137 derivation part is handled by our own typechecker while the rules of addition (as mentionned before, add is simply a con- 1192 1138 obligation part is solved automatically by the Coq obligation stant and does not compute in our representation, hence the 1193 1139 mechanism. need for equalities). The returned term is the following, with 1194 1140 only one transport remaining (remember our interpretation 1195 1141 About inductive types. As we promised, our translation is map removes unnecessary transports). 1196 1142 able to handle inductive types. For this consider the inductive fun (A: Type)(n m: nat)(v: vec A n)(acc: vec A m) => 1197 1143 type of vectors (or length-indexed lists) below, together with vec_rect A 1198 (fun n_ => forall m, vec A m -> vec A(n+m)) 1144 a simple definition (we will remain in ITT for simplicity). (fun m acc => acc) 1199 1145 Inductive vec A: nat -> Type := (fun a n0 v0 rv m0 acc0 => 1200 | vnil: vec A0 transport(vrev_obligation_3 A n m v acc a n 0 v0 rv m0 acc0) 1146 1201 | vcons:A -> forall n, vec A n -> vec A(S n). (rv(S m 0)(vcons a m 0 acc0))) n v m acc 1147 : forall A n m, vec A n -> vec A m -> vec A(n+m) 1202 Arguments vnil {_}. 1148 Arguments vcons {_}___. 1203 1149 5.5 Towards an Interfacing between Andromeda 1204 Definition vv := vcons1_ vnil. 1150 and Coq 1205 1151 This time, in order to apply the translation we need to extend Andromeda [Bauer et al. 2016] is a proof assistant implement- 1206 1152 the translation context with nat and vec. ing ETT in a sense that is really close to our formalisation. 1207 Run TemplateProgram( 1153 1208 Θ <- TranslateConstant ε "nat";; Aside from a concise nucleus with a basic type theory, most 1154 Θ <- TranslateConstant Θ "vec";; things happen with the declaration of constants with given 1209 1155 11 1210 Conference’17, July 2017, Washington, DC, USA Théo Winterhalter, Matthieu Sozeau, and Nicolas Tabareau

1211 types, including equalities to define the computational be- 7 Related Works and Conclusion 1266 1212 haviour of eliminators for instance. This is essentially what The seminal works on the precise connection between ETT 1267 1213 we do in our formalisation. Furthermore, their theory relies and ITT go back to Streicher [1993] and Hofmann [1995, 1268 1214 on Type : Type, meaning, our modular handling of universes 1997]. In particular, the work of Hofmann provides a categor- 1269 1215 can accommodate for this as well. ical answer to the question of consistency and conservativity 1270 1216 All in all, it should be possible in the near future to use our of ETT over ITT with UIP and functional extensionality. Ten 1271 1217 translation to produce Coq terms out of Andromeda devel- years later, Oury [2005, 2006] provided a translation from 1272 1218 opments. Note that this would not suffer from the difficulties ETT to ITT with UIP and functional extensionality and other 1273 1219 in generating typing derivations since Andromeda does it axioms (mainly due to technical difficulties). Although a first 1274 1220 for you. step towards a move from categorical semantics to a syntactic 1275 1221 translation, his work does not stress any constructive aspect 1276 1222 5.6 Composition with other Translations of the proof and shows that there merely exist translations 1277 1223 This translation also enables the formalisation of translations in ITT to a typed term in ETT. 1278 1224 that target ETT rather than ITT and still get mechanised van Doorn et al. [2013] have later proposed and formalised 1279 1225 proofs of (relative) consistency by composition with this ETT a similar translation between a PTS with and without ex- 1280 1226 to ITT translation. This could also be used to implement plu- plicit conversion. This does not entail anything about ETT 1281 1227 gins based on the composition of translations. In particular, to ITT but we can find similarities in that there is awit- 1282 1228 supposing we have a theory which forms a subset of ETT ness of conversion between any term and itself under an 1283 1229 and whose conversion is decidable. Using this translation, explicit conversion, which internalises irrelevance of explicit 1284 1230 we could formalise it as an embedded domain-specific type conversions. This morally corresponds to a Uniqueness of 1285 1231 theory and provide an automatic translation of well-typed Conversions principle. 1286 1232 terms into witnesses in Coq. This would make it possible to The Program [Sozeau 2007] extension of Coq performs 1287 1233 extend conversion with the theory of lists for example. a related coercion insertion algorithm, between objects in 1288 1234 This would provide a simple way to justify the consistency subsets on the same carrier or in different instances of the 1289 1235 of CoqMT [Jouannaud and Strub 2017] for example, seeing same inductive family, assuming a proof-irrelevance axiom. 1290 1236 it as an extensional type theory where reflection is restricted Inserting coercions locally is not as general as the present 1291 1237 to equalities on a specific domain whose theory is decidable. translation from ETT to ITT which can insert transports in 1292 1238 any context. 1293 1239 1294 6 Limitations and Axioms In this paper we provide the first effective translation from 1240 ETT to ITT with UIP and functional extensionality. The 1295 1241 Currently, the representation of terms and derivations and translation has been formalised in Coq using TemplateCoq, 1296 1242 the computational content of the proof only allow us to deal 1297 a meta-programming plugin of Coq. This translation is also 1243 with the translation of relatively small terms but we hope 1298 effective in the sense that we can produce in theenda Coq 1244 to improve that in the future. As we have seen, the actual term using the TemplateCoq denotation machinery. With 1299 1245 translation involves the computational content of lemmata of ongoing work to extend the translation to the inductive 1300 1246 inversion, substitution, weakening and equational reasoning fragment of Coq, we are paving the way to an extensional 1301 1247 and thus cannot be presented as a simple recursive definition version of the Coq proof assistant which could be translated 1302 1248 on derivations. 1303 back to its intensional version, allowing the user to navigate 1249 As we already mentioned, the axioms K and functional between the two modes, and in the end produce a proof term 1304 1250 extensionality are both necessary in ITT if we want the trans- checkable in the intensional fragment. 1305 1251 lation to be conservative as they are provable in ETT [Hof- 1306 1252 mann 1995]. However, one might still be concerned about 1307 1253 having axioms as they can for instance hinder canonicity of References 1308 1254 the system. In that respect, K isn’t really a restriction since 1309 Stuart F. Allen, Robert L. Constable, Richard Eaton, Christoph Kreitz, and 1255 it preserves canonicity. The best proof of that is probably Lori Lorigo. 2000. The Nuprl Open Logical Environment. In Automated 1310 1256 Agda itself which natively features K—in fact, one needs Deduction - CADE-17, 17th International Conference on Automated De- 1311 1257 to explicitly deactivate it with a flag if they wish to work duction, Pittsburgh, PA, USA, June 17-20, 2000, Proceedings (Lecture Notes 1312 1258 without. in Computer Science), David A. McAllester (Ed.), Vol. 1831. Springer, 1313 170–176. https://doi.org/10.1007/10721959_12 1259 The case of functional extensionality is trickier. It is still 1314 T. Altenkirch. 1999. Extensional equality in intensional type theory. In Pro- 1260 possible to realise the axiom by composing our translation ceedings. 14th Symposium on Logic in Computer Science (Cat. No. PR00158). 1315 1261 with a setoid interpretation [Altenkirch 1999] which vali- 412–420. https://doi.org/10.1109/LICS.1999.782636 1316 1262 dates it, or by going into a system featuring it, for instance Thorsten Altenkirch, Paolo Capriotti, and Nicolai Kraus. 2016. Extending 1317 1263 by implementing Observational Type Theory [Altenkirch Homotopy Type Theory with Strict Equality. CoRR abs/1604.03799 (2016). 1318 arXiv:1604.03799 http://arxiv.org/abs/1604.03799 1264 et al. 2007] like EPIGRAM [McBride 2004]. 1319 1265 12 1320 Eliminating Reflection from Type Theory Conference’17, July 2017, Washington, DC, USA

1321 Thorsten Altenkirch, Conor McBride, and Wouter Swierstra. 2007. Observa- Matthieu Sozeau. 2010. Equations: A Dependent Pattern-Matching Compiler. 1376 1322 tional equality, now!. In Proceedings of the 2007 workshop on Programming In Interactive Theorem Proving, First International Conference, ITP 2010, 1377 1323 languages meets program verification. ACM, 57–68. Edinburgh, UK, July 11-14, 2010. Proceedings (Lecture Notes in Computer 1378 Abhishek Anand, Simon Boulier, Cyril Cohen, Matthieu Sozeau, and Nico- Science), Matt Kaufmann and Lawrence C. Paulson (Eds.), Vol. 6172. 1324 1379 las Tabareau. 2018. Towards Certified Meta-Programming with Typed Springer, 419–434. https://doi.org/10.1007/978-3-642-14052-5_29 1325 Template-Coq. In Interactive Theorem Proving - 9th International Con- Thomas Streicher. 1993. Investigations into intensional type theory. 1380 1326 ference, ITP 2018, Held as Part of the Federated Logic Conference, FloC The Univalent Foundations Program. 2013. Homotopy Type Theory: Univalent 1381 1327 2018, Oxford, UK, July 9-12, 2018, Proceedings (Lecture Notes in Computer Foundations of Mathematics. Institute for Advanced Study. 1382 1328 Science), Jeremy Avigad and Assia Mahboubi (Eds.), Vol. 10895. Springer, Floris van Doorn, Herman Geuvers, and Freek Wiedijk. 2013. Explicit 1383 20–39. https://doi.org/10.1007/978-3-319-94821-8_2 convertibility proofs in pure type systems. In Proceedings of the Eighth 1329 1384 Danil Annenkov, Paolo Capriotti, and Nicolai Kraus. 2017. Two-Level Type ACM SIGPLAN international workshop on Logical frameworks & meta- 1330 Theory and Applications. CoRR abs/1705.03307 (2017). arXiv:1705.03307 languages: theory & practice. ACM, 25–36. 1385 1331 http://arxiv.org/abs/1705.03307 Vladimir Voevodsky. 2013. A simple type system with two identity types. 1386 1332 Andrej Bauer, Gaëtan Gilbert, Philipp G. Haselwarter, Matija Pretnar, and (2013). https://ncatlab.org/homotopytypetheory/files/HTS.pdf 1387 1333 Chris Stone. 2016. The ‘Andromeda’ prover. (2016). http://www. 1388 andromeda-prover.org/ 1334 1389 Jean-philippe Bernardy, Patrik Jansson, and Ross Paterson. 2012. Proofs for 1335 free: Parametricity for dependent types. Journal of Functional Program- 1390 1336 ming 22, 2 (2012), 107–152. 1391 1337 Yves Bertot and Pierre Castéran. 2004. Interactive Theorem Proving and 1392 1338 Program Development. (2004). 1393 Marc Bezem, Thierry Coquand, and Simon Huber. 2013. A Model of Type 1339 1394 Theory in Cubical Sets. (December 2013). http://www.cse.chalmers.se/ 1340 ~coquand/mod1.pdf 1395 1341 Simon Boulier, Pierre-Marie Pédrot, and Nicolas Tabareau. 2017. The Next 1396 1342 700 Syntactical Models of Type Theory. In Certified Programs and Proofs 1397 1343 – CPP 2017. 182–194. 1398 The Coq development team. 2017. The Coq proof assistant reference manual. 1344 1399 LogiCal Project. http://coq.inria.fr Version 8.7. 1345 Martin Hofmann. 1995. Conservativity of equality reflection over inten- 1400 1346 sional type theory. In International Workshop on Types for Proofs and 1401 1347 Programs. Springer, 153–164. 1402 1348 Martin Hofmann. 1997. Extensional constructs in intensional type theory. 1403 Springer. 1349 1404 Martin Hofmann and Thomas Streicher. 1998. The Groupoid Interpretation 1350 of Type Theory. In Twenty-five years of constructive type theory (Venice, 1405 1351 1995). Oxford Logic Guides, Vol. 36. Oxford Univ. Press, New York, 83– 1406 1352 111. http://www.tcs.informatik.uni-muenchen.de/lehre/SS97/types-vl/ 1407 1353 venedig.ps 1408 Jean-Pierre Jouannaud and Pierre-Yves Strub. 2017. Coq without Type Casts: 1354 1409 A Complete Proof of Coq Modulo Theory. In LPAR-21, 21st International 1355 Conference on Logic for Programming, Artificial Intelligence and Reasoning, 1410 1356 Maun, Botswana, May 7-12, 2017 (EPiC Series in Computing), Thomas 1411 1357 Eiter and David Sands (Eds.), Vol. 46. EasyChair, 474–489. http://www. 1412 1358 easychair.org/publications/paper/340342 1413 Chris Kapulkin and Peter LeFanu Lumsdaine. 2012. The simplicial model of 1359 1414 univalent foundations. arXiv preprint arXiv:1211.2851 (2012). 1360 Conor McBride. 2000. Dependently typed functional programs and their 1415 1361 proofs. Ph.D. Dissertation. University of Edinburgh. 1416 1362 Conor McBride. 2004. Epigram: Practical programming with dependent 1417 1363 types. In International School on Advanced Functional Programming. 1418 Springer, 130–170. 1364 1419 Ulf Norell. 2007. Towards a practical programming language based on depen- 1365 dent type theory. Vol. 32. Citeseer. 1420 1366 Nicolas Oury. 2005. Extensionality in the calculus of constructions. In Inter- 1421 1367 national Conference on Theorem Proving in Higher Order Logics. Springer, 1422 1368 278–293. 1423 Nicolas Oury. 2006. Egalité et filtrage avec types dépendants dans le calcul 1369 1424 des constructions inductives. Ph.D. Dissertation. http://www.theses.fr/ 1370 2006PA112136 Thèse de doctorat dirigée par Paulin-Mohring, Christine 1425 1371 Informatique Paris 11 2006. 1426 1372 Matthieu Sozeau. 2007. Program-ing Finger Trees in Coq. In ICFP’07. 1427 1373 ACM Press, Freiburg, Germany, 13–24. https://doi.org/10.1145/1291151. 1428 1291156 1374 1429 1375 13 1430 Conference’17, July 2017, Washington, DC, USA Théo Winterhalter, Matthieu Sozeau, and Nicolas Tabareau

1431 A Complementary rules 1486 1432 1487 1433 1488 1434 1489 1435 1490 Equivalence relation. 1436 1491 1437 Γ ⊢ u : A Γ ⊢ u ≡ v : A Γ ⊢ u ≡ v : A Γ ⊢ v ≡ w : A 1492 1438 Γ ⊢ u ≡ u : A Γ ⊢ v ≡ u : A Γ ⊢ u ≡ w : A 1493 1439 1494 1440 Congruence of type constructors. 1495 ′ ′ 1441 1496 Γ ⊢ A1 ≡ A2 : s Γ, x : A1 ⊢ B1 ≡ B2 : s ′ ′′ Γ ⊢ A1 ≡ A2 : s Γ, x : A1 ⊢ B1 ≡ B2 : s ′ ′′ 1442 ′′ (s,s ,s ) ′′ (s,s ,s ) 1497 Γ ⊢ Π(x : A1). B1 ≡ Π(x : A2). B2 : s Γ ⊢ Σ(x : A1). B1 ≡ Σ(x : A2). B2 : s 1443 1498 1444 1499 Γ ⊢ A1 ≡ A2 : s Γ ⊢ u1 ≡ u2 : A1 Γ ⊢ v1 ≡ v2 : A1 1445 1500 ⊢ ≡ 1446 Γ u1 =A1 v1 u2 =A2 v2 : s 1501 1447 Congruence of λ-calculus terms. 1502 1448 ′ 1503 Γ ⊢ A1 ≡ A2 : s Γ, x : A1 ⊢ B1 ≡ B2 : s Γ, x : A1 ⊢ t1 ≡ t2 : B1 1449 1504 1450 Γ ⊢ λ(x : A1).B1.t1 ≡ λ(x : A2).B2.t2 : Π(x : A1). B1 1505 1451 1506 ′ 1452 Γ ⊢ A1 ≡ A2 : s Γ, x : A1 ⊢ B1 ≡ B2 : s Γ ⊢ t1 ≡ t2 : Π(x : A1). B1 Γ ⊢ u1 ≡ u2 : A1 1507 1453 1508 Γ ⊢ t1 @x:A1 .B1 u1 ≡ t1 @x:A1 .B1 u1 : B1[x ←u1] 1454 1509 1455 ′ 1510 Γ ⊢ A1 ≡ A2 : s Γ ⊢ u1 ≡ u2 : A1 Γ, x : A1 ⊢ B1 ≡ B2 : s Γ ⊢ v1 ≡ v2 : B1[x ←u1] 1456 1511 Γ ⊢ ⟨u1;v1⟩x:A .B ≡ ⟨u2;v2⟩x:A .B : Σ(x : A1). B1 1457 1 1 2 2 1512 1458 ′ 1513 Γ ⊢ A1 ≡ A2 : s Γ, x : A1 ⊢ B1 ≡ B2 : s Γ ⊢ p1 ≡ p2 : Σ(x : A1). B1 1459 1514 x:A1 .B1 x:A2 .B2 1460 Γ ⊢ π1 p1 ≡ π1 p2 : A1 1515 1461 1516 ′ 1462 Γ ⊢ A1 ≡ A2 : s Γ, x : A1 ⊢ B1 ≡ B2 : s Γ ⊢ p1 ≡ p2 : Σ(x : A1). B1 1517

1463 x:A1 .B1 x:A2 .B2 x:A1 .B1 1518 Γ ⊢ π2 p1 ≡ π2 p2 : B1[x ← π1 p1] 1464 1519 1465 Congruence of equality terms. 1520 1521 1466 Γ ⊢ A1 ≡ A2 : s Γ ⊢ u1 ≡ u2 : A 1467 1522 Γ ⊢ reflA u1 ≡ reflA u2 : u1 =A u1 1468 1 2 1 1523 1469 1524 Γ ⊢ A1 ≡ A2 : s Γ ⊢ u1 ≡ u2 : A1 Γ ⊢ v1 ≡ v2 : A1 1470 ′ 1525 Γ, x : A1, e : u1 =A x ⊢ P1 ≡ P2 : s Γ ⊢ p1 ≡ p2 : u1 =A v1 Γ ⊢ w1 ≡ w2 : P1[x ←u1, e ← reflA u1] 1471 1 1 1 1526 1472 Γ ⊢ J(A1,u1, x.e.P1,w1,v1,p1) ≡ J(A2,u2, x.e.P2,w2,v2,p2) : P[x ←v1, e ←p1] 1527 1473 1528 ′ 1474 Γ ⊢ A1 ≡ A2 : s Γ, x : A1 ⊢ B1 ≡ B2 : s 1529

1475 Γ ⊢ f1 ≡ f2 : Π(x : A1). B1 Γ ⊢ д1 ≡ д2 : Π(x : A1). B1 Γ ⊢ e1 ≡ e2 : Π(x : A1). f1 @x:A1 .B1 x =B1 д1 @x:A1 .B1 x 1530

1476 Γ ⊢ funext(x : A1, B1, f1,д1, e1) ≡ funext(x : A2, B2, f2,д2, e2) : f1 = д1 1531 1477 1532 1478 1533 Γ ⊢ A1 ≡ A2 Γ ⊢ u1 ≡ u2 : A1 Γ ⊢ v1 ≡ v2 : A2 Γ ⊢ p1 ≡ p2 : u1 =A1 v1 Γ ⊢ q1 ≡ q2 : u1 =A1 v1 1479 1534 Γ ⊢ uip(A1,u1,v1,p1,q1) ≡ uip(A2,u2,v2,p2,q2) : p1 = q1 1480 1535 1481 Figure 6. Congruence rules 1536 1482 1537 1483 1538 1484 1539 1485 14 1540 Eliminating Reflection from Type Theory Conference’17, July 2017, Washington, DC, USA

1541 B Proof of the fundamental lemma 1596 1542 1597 Lemma B.1 (Fundamental lemma). Let t1 and t2 be two terms. If Γ, Γ1 ⊢ t1 : T1 and Γ, Γ2 ⊢ t2 : T2 and t1 ∼ t2 then there exists p 1543 1598 such that Γ, Pack Γ1 Γ2 ⊢ p : t1[γ1] T1[γ1] T2[γ2] t2[γ2]. 1544 1599 1545 For readability we will abbreviate the left and right substitutions _[γ1] and _[γ2] by ↿ and ↾ respectively. 1600 1546 1601 ∼ 1547 Proof. We prove it by induction on the derivation of t1 t2. 1602 1548 • Var 1603 1549 1604 1550 x ∼ x 1605 1606 1551 If x belongs to Γ, we apply reflexivity—together with uniqueness of typing (2.2)—to conclude. Otherwise, Proje x has the 1552 1607 expected type (since x[γ1] ≡ Proj1 x and x[γ2] ≡ Proj2 x). 1553 • TransportLeft 1608 1554 t1 ∼ t2 1609 1555 1610 p∗ t1 ∼ t2 1556 1611 ⊢ ⊢ ⊢ ′ ⊢ ′ 1557 We have Γ, Γ1 p∗ t1 : T1 and Γ, Γ2 t2 : T2. By inversion (2.3) we have Γ, Γ1 p : T1 = T1 and Γ, Γ1 t1 : T1 . Then by 1612 ⊢ 1558 induction hypothesis we have e such that Γ, Γp e : t1 ↿ t2 ↾. From transitivity and symmetry we only need to provide 1613 ⟨ ⟩ 1559 a proof of t1 ↿ p ↿∗ t1 ↿ which is inhabited by p ↿; refl (p ↿∗ t1 ↿) _._. 1614 • 1560 TransportRight 1615 ∼ 1561 t1 t2 1616 1562 t1 ∼ p∗ t2 1617 1563 Similarly. 1618 1564 • Product 1619 1565 1620 A1 ∼ A2 B1 ∼ B2 1566 1621 Π(x : A ). B ∼ Π(x : A ). B 1567 1 1 2 2 1622 1568 We have Γ, Γ1 ⊢ Π(x : A1). B1 : T1 and Γ, Γ2 ⊢ Π(x : A2). B2 : T2 so by inversion (2.3) we have Γ, Γ1 ⊢ A1 : s1 and 1623 ′ ′′ ′ ′′ 1569 Γ, Γ1, x : A1 ⊢ B1 : s1 and Γ, Γ1 ⊢ s1 ≡ T1 for (s1,s1,s1 ) ∈ R (and similarly with 2s). By induction hypothesis we have 1624 1570 Γ, Γp ⊢ pA : A1 ↿ A2 ↾ and Γ, Γp, x : Pack A1 A2 ⊢ pB : B1 ↿ B2 ↾ hence the result (using UIP and functional 1625 1571 extensionality, refer to the formalisation and especially to the file Quotes.v for more details on how to realise this 1626 1572 equality). 1627 1573 • Eqality 1628 1574 A1 ∼ A2 u1 ∼ u2 v1 ∼ v2 1629 1575 1630 u1 =A1 v1 ∼ u2 =A2 v2 1576 1631 , ⊢ , ⊢ , ⊢ , ⊢ 1577 We have Γ Γ1 u1 =A1 v1 : T1 and Γ Γ2 u2 =A2 v2 : T2 so, by inversion (2.3), we have Γ Γ1 A1 : s1 and Γ Γ1 u1 : A1 and 1632 , ⊢ , ⊢ ≡ , ⊢ 1578 Γ Γ1 v1 : A1 as well as Γ Γ1 s1 T1 (and the same with 2s). By induction hypothesis we thus have Γ Γp pA : A1  A2 1633 , ⊢ , ⊢ 1579 and Γ Γp pu : u1  u2 and Γ Γp pv : v1  v2. We can thus conclude. 1634 • 1580 Reflexivity 1635 1581 1636 s ∼ s 1582 1637 1583 This one holds by reflexivity and uniqueness of typing (2.2) (indeed, s ↿≡ s and s ↾≡ s). 1638 1584 • Lambda 1639 1585 A1 ∼ A2 B1 ∼ B2 t1 ∼ t2 1640

1586 λ(x : A1).B1.t1 ∼ λ(x : A2).B2.t2 1641 1587 1642 We have Γ, Γ1 ⊢ λ(x : A1).B1.t1 : T1 and Γ, Γ2 ⊢ λ(x : A2).B2.t2 : T2, thus, by inversion 2.3 the subterms are well-typed and 1588 we can apply induction hypothesis. The conclusion follows similarly to the Π case. 1643 1589 • Application 1644 1590 1645 t1 ∼ t2 A1 ∼ A2 B1 ∼ B2 u1 ∼ u2 1591 1646 ∼ 1592 t1 @x:A1 .B1 u1 t2 @x:A2 .B2 u2 1647 1593 1648 We have Γ, Γ1 ⊢ t1 @x:A1 .B1 u1 : T1 and Γ, Γ2 ⊢ t2 @x:A2 .B2 u2 : T2 which means by inversion (2.3) that the subterms are 1594 well-typed. We apply the induction hypothesis and then conclude. 1649 1595 15 1650 Conference’17, July 2017, Washington, DC, USA Théo Winterhalter, Matthieu Sozeau, and Nicolas Tabareau

1651 • Reflexivity 1706 1652 A1 ∼ A2 u1 ∼ u2 1707 1653 1708 reflA1 u1 ∼ reflA2 u2 1654 1709 Γ, Γ ⊢ refl u T Γ, Γ ⊢ refl u T Γ, Γ ⊢ A s Γ, Γ ⊢ u A 1655 We have 1 A1 1 : 1 and 2 A2 2 : 2 so by inversion (2.3) we have 1 1 : 1 and 1 1 : 1 1710 A A u u 1656 (same with 2s). By IH we have 1 ↿ 2 ↾ and 1 ↿A1↿A2↾ 2 ↾. The proof follows easily. 1711 • 1657 Funext 1712 A ∼ A B ∼ B f ∼ f д ∼ д e ∼ e 1658 1 2 1 2 1 2 1 2 1 2 1713 1659 funext(x : A1, B1, f1,д1, e1) ∼ funext(x : A2, B2, f2,д2, e2) 1714 1660 Similar. 1715 1661 • UIP 1716 1662 A1 ∼ A2 u1 ∼ u2 v1 ∼ v2 p1 ∼ p2 q1 ∼ q2 1717 1663 1718 uip(A1,u1,v1,p1,q1) ∼ uip(A2,u2,v2,p2,q2) 1664 1719 1665 Similar. 1720 • 1666 J 1721 1667 A1 ∼ A2 u1 ∼ u2 P1 ∼ P2 w1 ∼ w2 v1 ∼ v2 p1 ∼ p2 1722

1668 J(A1,u1, x.e.P1,w1,v1,p1) ∼ J(A2,u2, x.e.P2,w2,v2,p2) 1723 1669 Similar. 1724 1670 1725 □ 1671 1726 1672 C Correctness of the translation 1727 1673 1728 1674 Theorem C.1 (Translation). 1729

1675 • If ⊢x Γ then there exists ⊢ Γ ∈ ⊢x Γ , 1730 J K 1731 1676 • If Γ ⊢x t : T then for any ⊢ Γ ∈ ⊢x Γ there exist t and T such that Γ ⊢ t : T ∈ Γ ⊢x t : T , ′ 1677 • ⊢ ≡ ⊢J ∈ K⊢ J K ⊢ ′ 1732 If Γ x u v : A then for any Γ x Γ there exist A ⊏ A, A ⊏ A ,u ⊏ u,v ⊏ v and e such that Γ e : u AA v. 1678 J K 1733 1679 Proof. We prove the theorem by induction on the derivation in the extensional type theory. In most cases we need to assume 1734 1680 some Γ, translation of the context, we will implicitly refer to Γ in such cases as the one given as hypothesis. 1735 1681 • Empty 1736 1682 1737 1683 ⊢x • 1738 1684 1739 We have ⊢ • ∈ ⊢x • . 1685 • Extend J K 1740 1686 1741 ⊢x ΓΓ ⊢x A 1687 (x < Γ) 1742 ⊢x Γ, x : A 1688 1743 1689 By IH we have ⊢ Γ ∈ ⊢x Γ and, using Γ as well as lemma 4.2, Γ ⊢ A : s ∈ Γ ⊢x A : s . Thus ⊢ Γ, x : A ∈ ⊢x Γ, x : A . 1744 1690 • Sort J K J K J K 1745 1691 ⊢x Γ 1746 (s,s ′) 1692 ′ 1747 Γ ⊢x s : s 1693 1748 ′ ′ 1694 We have Γ ⊢ s : s ∈ Γ ⊢x s : s . 1749 J K 1695 • Product 1750 ⊢ , ⊢ ′ 1696 Γ x A : s Γ x : A x B : s ′ ′′ 1751 ′′ (s,s ,s ) 1697 Γ ⊢x Π(x : A). B : s 1752 1698 ′ 1753 By IH and lemma 4.2 we have Γ ⊢ A : s, meaning ⊢ Γ, x : A ∈ ⊢x Γ, x : A , and then Γ, x : A ⊢ B : s . We thus conclude 1699 ′′ ′′ J K 1754 Γ ⊢ Π(x : A). B : s ∈ Γ ⊢x Π(x : A). B : s . 1700 1755 • Sigma J K 1701 ′ 1756 Γ ⊢x A : s Γ, x : A ⊢x B : s 1702 ′ ′′ 1757 ′′ (s,s ,s ) 1703 Γ ⊢x Σ(x : A). B : s 1758 1704 Similar. 1759 1705 16 1760 Eliminating Reflection from Type Theory Conference’17, July 2017, Washington, DC, USA

1761 • Eqality 1816 1762 Γ ⊢x A : s Γ ⊢x u : A Γ ⊢x v : A 1817 1763 1818 Γ ⊢x u =A v : s 1764 1819 ⊢ ⊢ ⊢ 1765 By IH and lemma 4.2 we have Γ A : s, and—using lemma 4.3—we also have Γ u : A and Γ v : A. Then 1820 1766 Γ ⊢ u =A v : s ∈ Γ ⊢x u =A v : s . 1821 J K 1767 • Variable 1822 ⊢x Γ (x : A) ∈ Γ 1768 1823 1769 Γ ⊢x x : A 1824 1770 1825 We have ⊢ Γ ∈ ⊢x Γ (as we assumed, this is not an instance of the induction hypothesis) and (x : A) ∈ Γ. By definition 1771 J K 1826 of Γ ⊏ Γ we also have some (x : A) ∈ Γ with A ⊏ A, thus Γ ⊢ x : A ∈ Γ ⊢x x : A . 1772 • Conversion J K 1827 1773 Γ ⊢x u : A Γ ⊢x A ≡ B 1828 1774 1829 Γ ⊢x u : B 1775 1830 1776 By IH and lemma 3.3 we have Γ ⊢ e : A = B which implies Γ ⊢ A ∈ Γ ⊢x A by inversion (2.3), thus, from lemma 4.3 and 1831 J K 1777 IH we get Γ ⊢ u : A, yielding Γ ⊢ e∗ u : B ∈ Γ ⊢x u : B . 1832 J K 1778 • Lambda 1833 ⊢ , ⊢ ′ , ⊢ 1779 Γ x A : s Γ x : A x B : s Γ x : A x t : B 1834 1780 Γ ⊢x λ(x : A).B.t : Π(x : A). B 1835 1781 1836 By IH and lemma 4.2 we have Γ ⊢ A : s and thus ⊢ Γ, x : A ∈ ⊢x Γ, x : A , meaning we can apply IH and lemma 4.2 to 1782 ′ J ′ K 1837 the second hypothesis to get Γ, x : A ⊢ B : s ∈ Γ, x : A ⊢x B : s and then IH and lemma 4.3 to get Γ, x : A ⊢ t : B ∈ 1783 J K 1838 Γ, x : A ⊢x t : B . All of this yields Γ ⊢ λ(x : A).B.t : Π(x : A). B ∈ Γ ⊢x λ(x : A).B.t : Π(x : A). B . 1784 1839 • ApplicationJ K J K 1785 ′ 1840 Γ ⊢x A : s Γ, x : A ⊢x B : s Γ ⊢x t : Π(x : A). B Γ ⊢x u : A 1786 1841 Γ ⊢ t @ u : B[x ←u] 1787 x x:A.B 1842 ′ 1788 Using IH together with lemmata 4.2 and 4.3 we get Γ ⊢ A : s and Γ, x : A ⊢ B : s and Γ ⊢ t : Π(x : A). B and Γ ⊢ u : A 1843 1789 ⊢ ← ∈ ⊢ ← 1844 meaning we can conclude Γ t @x:A.B u : B[x u] Γ x t @x:A.B u : B[x u] . 1790 • Pair J K 1845 ′ 1791 Γ ⊢x u : A Γ ⊢x A : s Γ, x : A ⊢x B : s Γ ⊢x v : B[x ←u] 1846

1792 Γ ⊢x ⟨u;v⟩x:A.B : Σ(x : A). B 1847 1793 ⊢ ⟨ ⟩ ∈ ⊢ 1848 Using IH with lemmata 4.2 and 4.3 we translate all the hypotheses to conclude Γ u;v x:A.B : Σ(x : A). B Γ x 1794 J 1849 ⟨u;v⟩x:A.B : Σ(x : A). B . 1795 K 1850 • Proj1 1796 1851 Γ ⊢x p : Σ(x : A). B 1797 1852 x:A.B 1798 Γ ⊢x π1 p : A 1853 1799 Similar. 1854 1800 • Proj2 1855 1801 Γ ⊢x p : Σ(x : A). B 1856 1802 x:A.B x:A.B 1857 Γ ⊢x π2 p : B[x ← π1 p] 1803 Similar. 1858 1804 • Reflexivity 1859 1805 1860 Γ ⊢x A : s Γ ⊢x u : A 1806 1861 Γ ⊢x reflA u : u =A u 1807 1862 1808 By IH we have Γ ⊢ u : A and thus Γ ⊢ reflA u : u =A u ∈ Γ ⊢x reflA u : u =A u . 1863 1809 • J J K 1864 ′ 1865 1810 Γ ⊢x A : s Γ ⊢x u,v : A Γ, x : A, e : u =A x ⊢x P : s Γ ⊢x p : u =A v Γ ⊢x w : P[x ←u, e ← reflA u] 1811 1866 Γ ⊢x J(A,u, x.e.P,w,v,p) : P[x ←v, e ←p] 1812 1867 1813 By IH and lemma 4.2 we have Γ ⊢ A : s. From this and IH and lemma 4.3 we have Γ ⊢ u,v : A. We can thus deduce 1868 1814 ′ 1869 ⊢ Γ, x : A, e : u =A x ∈ Γ, x : A, e : u =A x which in turn gives us Γ, x : A, e : u =A x ⊢ P : s . Similarly we 1815 J K 17 1870 Conference’17, July 2017, Washington, DC, USA Théo Winterhalter, Matthieu Sozeau, and Nicolas Tabareau

1871 1926 also get Γ ⊢ p : u =A v and Γ ⊢ w : P[x ←u, e ← reflA u]. All of this allows us to conclude Γ ⊢ J(A,u, x.e.P,w,v,p) : 1872 1927 P[x ←v, e ←p] ∈ Γ ⊢x J(A,u, x.e.P,w,v,p) : P[x ←v, e ←p] . 1873 • Funext J K 1928 1874 Γ ⊢ f ,д : Π(x : A). B Γ ⊢ e : Π(x : A). f @x:A.B x =B д @x:A.B x 1929 1875 Γ ⊢ funext(x : A, B, f ,д, e) : f = д 1930 1876 1931 Similar. 1877 1932 • UIP 1878 1933 Γ ⊢x e1, e2 : u =A v 1879 1934 ⊢ , , , , = 1880 Γ x uip(A u v e1 e2) : e1 e2 1935 1881 Similar. 1936 1882 • Beta 1937 Γ ⊢ A : s Γ, x : A ⊢ B : s ′ Γ, x : A ⊢ t : B Γ ⊢ u : A 1883 x x x x 1938 1884 Γ ⊢x (λ(x : A).B.t) @x:A.B u ≡ t[x ←u]: B[x ←u] 1939 1885 From IH and the lemmata, we even get the conversion, we conclude using reflexivity. 1940 1886 • Proj1-Red 1941 ′ 1887 Γ ⊢x A : s Γ ⊢x u : A Γ, x : A ⊢x B : s Γ ⊢x v : B[x ←u] 1942 1888 x:A.B 1943 Γ ⊢x π1 ⟨u;v⟩x:A.B ≡ u : A 1889 1944 Likewise. 1890 1945 • Proj2-Red 1891 ′ 1946 Γ ⊢x A : s Γ ⊢x u : A Γ, x : A ⊢x B : s Γ ⊢x v : B[x ←u] 1892 1947 x:A.B 1893 Γ ⊢x π2 ⟨u;v⟩x:A.B ≡ v : B[x ←u] 1948 1894 Likewise. 1949 1895 • J-Red 1950 1896 1951 Γ ⊢x A : Ui Γ ⊢x u : A Γ, x : A, e : u =A x ⊢x P : Uj Γ ⊢x w : P[x ←u, e ← reflA u] 1897 1952 ⊢ , , . . , , , ≡ ← , ← 1898 Γ x J(A u x e P w u reflA u) w : P[x u e reflA u] 1953 1899 Likewise. 1954 1900 • Conv-Refl 1955 1901 Γ ⊢x u : A 1956

1902 Γ ⊢x u ≡ u : A 1957 1903 We conclude from IH and reflexivity of . 1958 1904 • Conv-Sym 1959 1905 Γ ⊢x u ≡ v : A 1960 1906 1961 Γ ⊢x v ≡ u : A 1907 1962 We conclude from IH and symmetry of . 1908  1963 • Conv-Trans 1909 1964 Γ ⊢x u ≡ v : A Γ ⊢x v ≡ w : A 1910 1965 ⊢ ≡ 1911 Γ x u w : A 1966 1912 We conclude from IH and transitivity of . 1967 1913 • Conv-Conv 1968 ⊢ ≡ ⊢ ≡ 1914 Γ x t1 t2 : T1 Γ x T1 T2 1969 1915 Γ ⊢x t1 ≡ t2 : T2 1970 1916 ′′ ′ ′′ 1971 By IH (and lemma 3.3) we have Γ ⊢ e : t ′ t and Γ ⊢ p : T = T . Also from lemmata 3.4 and 3.3 we have T = T 1 T 1 T 2 1 2 1 1 1917 ′′ ′ 1 1972 1918 and T 1 = T 1 , meaning we get T 1 = T 2 and T 1 = T 2. This allows us to conclude by transporting along the aforementioned 1973 1919 equalities. 1974 1920 • Conv-Prod 1975 Γ ⊢ A ≡ A : s Γ, x : A ⊢ B ≡ B : s ′ 1921 x 1 2 1 x 1 2 ′ ′′ 1976 ′′ (s,s ,s ) 1922 Γ ⊢x Π(x : A1). B1 ≡ Π(x : A2). B2 : s 1977 1923 We conclude exactly like we did in the proof of lemma 3.4. 1978 1924 • All congruences hold like in proof of lemma 3.4. 1979 1925 18 1980 Eliminating Reflection from Type Theory Conference’17, July 2017, Washington, DC, USA

1981 • Conv-Eq 2036 1982 Γ ⊢x e : u =A v 2037 1983 2038 Γ ⊢x u ≡ v : A 1984 2039 By IH and lemma 4.2 we have Γ ⊢ e : u =A v ∈ Γ ⊢x e : u =A v which yields the conclusion we wanted. 1985 J K 2040 1986 □ 2041 1987 2042 1988 2043 1989 2044 1990 2045 1991 2046 1992 2047 1993 2048 1994 2049 1995 2050 1996 2051 1997 2052 1998 2053 1999 2054 2000 2055 2001 2056 2002 2057 2003 2058 2004 2059 2005 2060 2006 2061 2007 2062 2008 2063 2009 2064 2010 2065 2011 2066 2012 2067 2013 2068 2014 2069 2015 2070 2016 2071 2017 2072 2018 2073 2019 2074 2020 2075 2021 2076 2022 2077 2023 2078 2024 2079 2025 2080 2026 2081 2027 2082 2028 2083 2029 2084 2030 2085 2031 2086 2032 2087 2033 2088 2034 2089 2035 19 2090