Introduction to Dependent Type Theory (3/4) Matthieu Sozeau, Inria Paris & IRIF, University Paris 7

Home , Pure type system

TYPES 2018 August 9th 2018 Ohrid, Macedonia Lectures

1 Typed Lambda Calculi 2 The Curry-Howard Correspondence 3 Pure Type Systems 4 Dependent Type Theory

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 2 Pure Type Systems

1 Pure type systems

2 PTS metatheory Canonicity

3 Beyond PTS: Extending the Calculus of Constructions Predicative types and Prop Dependent sums

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 3 A uniﬁorm framework for typed lambda-calculi

We’ve seen three calculi: I λ→: simply-typed λ-calculus, only one binder: λ for terms depending on terms (i.e. functions). I System F: extended with a new binder Λ for type variables. I System F ω: extended with a new binder λ for type variables (of arbitrary kind) at the type level. We’re missing term quantiﬁcation in types, i.e. dependent types!

Pure Type Systems aim to give abstract treatment of these languages, accomodating all these binding choices.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 4 The λ-cube

Axis: I x: Types depend on values (dependent types): Πx : B.x = x I y: Values depend on types (polymorphism) (λ2 is System F): Λα(x : α).x :Πα.α → α

I z: Types depend on types (type operators) (λω is F ω): F : ∗ → ∗, α β : ∗, f : α → β ` map f : F α → F β

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 5 The λ-cube

I The Calculus of Constructions (λC) combines all three features. I It only has one λ-abstraction and one Π quantiﬁcation constructs. I Formalized as a particular Pure Type System.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 6 PTS deﬁnition

Pure Type Systems are parameterized by: I a set of sorts S (similar to F ω’s kinds) I axioms A ⊆ S × S giving the types of sorts. I rules A ⊆ S × S × S giving the types of products. For now, set S = {∗, } and A = {(∗, )}. For the sake of example we also assume nat : ∗, 0 : nat, S : nat → nat and its associated operations. Terms and types:

T, U, t, u ::= x ∈ V variable s ∈ S sort λx : T.u abstraction t u application Πx : T.U product / pi-type

Contexts: ordered sequences of pairs (x : T ) with distinct x.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 7 PTS typing deﬁnition

Start Weakening Γ ` T : s x 6∈ Γ Γ ` t : T Γ ` U : s x 6∈ Γ Γ, x : T ` x : T Γ, x : U ` t : T

Ax Product 0 (s, s ) ∈ A Γ ` T : s1 Γ, x : T ` U : s2 (s1, s2, s3) ∈ R 0 ` s : s Γ ` Πx : T.U : s3

Abs Γ, x : U ` t : V Γ ` Πx : U.V : s Γ ` (λx : U.t):Πx : U.V

App Γ ` t :Πx : U.V Γ ` u : U Γ ` t u : V [x := u]

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 8 PTS typing deﬁnition

Conv Γ ` t : T Γ ` U : s T ≡β U Γ ` t : U

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 9 Allowed products

Assume R = {(∗, ∗, ∗)}, then the product rule becomes:

Product Γ ` T : ∗ Γ, x : T ` U : ∗ Γ ` Πx : T.U : ∗

I This corresponds to simply typed lambda-calculus. I The only inhabitants of ∗ are formed from nat and Πx : T.U. I The dependent product degenerates to the non-dependent T → U as U can not depend on x.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 10 Example PTSs

I λ→: R = {(∗, ∗, ∗)} I λ2, System F: R = {(∗, ∗, ∗), (, ∗, ∗)} One can quantify on a type to build a term. I λP : R = {(∗, ∗, ∗), (∗, , )} One can quantify on a term to build a type. Type level quantiﬁcation on terms. I λω: R = {(∗, ∗, ∗), (, , )} One can quantify on a type to build a type: type level operators. ω I λω, System F : R = {(∗, ∗, ∗), (, , ), (, ∗, ∗)} Mixes λω with λ2. I λC: R = {(∗, ∗, ∗), (, , ), (, ∗, ∗), (∗, , )} All of the above.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 11 Dependent types and conversion

In λP (and λC), one can quantify on terms in types. (∗, , ) ∈ R so the product rule allows:

Product Γ ` T : ∗ Γ, x : T ` U : Γ ` Πx : T.U :

Assume an equality predicate eq : nat → nat → . We can form the dependent type:

Product Γ ` nat : ∗ Γ, x : nat ` eq x x : Γ ` Πx : nat.eq x x :

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 12 Dependent types and conversion

Assume a proof eqreﬂ :Πx : nat.eq x x. The following type is also valid in λC:

` Πx : nat.eq x (0 + x)

To give a witness we have to ﬁnd:

x : nat ` ?: eq x (0 + x)

We can derive this using the conversion rule assuming 0 + x ≡β x:

x : nat ` eqreﬂ x : eq x x x : nat ` eq x (0 + x): ∗ eq x x ≡β eq x (0 + x) x : nat ` eqreﬂ x : eq x (0 + x)

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 13 Type dependency

I As a logic, λP corresponds to: many-sorted ﬁrst-order intuitionistic logic. I We have the universal quantiﬁer for terms:

∀x ∈ N.P ::= Πx : nat.P ∀-intro ∀-elim Γ ` P x 6∈ FV(Γ) Γ ` ∀x ∈ τ.P ` ∀x ∈ τ.P Γ ` P [t]

Product Application Γ ` T : ∗ Γ, x : T ` P : Γ ` f :Πx : T.P Γ ` t : T Γ ` Πx : T.P : Γ ` f t : P [x := t]

I Systems based on this were proposed by de Bruijn, Harper I At the basis of AUTOMATH, LF and λΠ-modulo (Dedukti)

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 14 Pure Type Systems

1 Pure type systems

2 PTS metatheory Canonicity

3 Beyond PTS: Extending the Calculus of Constructions Predicative types and Prop Dependent sums

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 15 Properties of interest of PTSs

I Church-Rosser / Conﬂuence I Subject Reduction / Type preservation I Strong Normalization / (relative) Consistency We now assume an arbitrary PTS (S, A, R).

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 16 Church-Rosser

Deﬁnition (Church-Rosser property) ∗ ∗ ∗ If t →β u and t →β v then there exists w s.t. u →β w and ∗ v →β w. Holds on well-typed terms for all functional, strongly-normalizing PTSs (Geuvers’92)

Deﬁnition (Functional PTS) A PTS (S, A, R) is functional when A is a function from S to itself and R is a function from S × S to S. All the example PTSs we gave are functional.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 17 Free variables

Deﬁnition (Valid context) I is valid I For all Γ, T, if Γ is valid and there exists s s.t. Γ ` T : s then Γ, x : T is valid.

Lemma (Context validity) If Γ ` t : T , then Γ is valid.

Lemma (Free variables) −−−→ Assume Γ ≡ xi : Ti ` t : T , then: −→ I Variables xi are mutually distinct −→ I FV(t), FV(T ) ⊆ {xi } I FV(Ti) ⊆ {x1, . . . xi−1} for i = 1, . . . n

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 18 Start

Lemma (Start) Assume Γ a valid context then: I If (s, s0) ∈ A then Γ ` s : s0 I If x : T ∈ Γ then Γ ` x : T

Proof sketch. Using the Ax, Start and Weakening rules and context validity.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 19 Weakening

Lemma (Weakening) If Γ, ∆ are valid contexts such that Γ ⊆ ∆ then: Γ ` t : T implies ∆ ` t : T

Proof sketch. By induction on the typing derivation, using weakening.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 20 Substitution

Deﬁnition (Context Substitution) If Γ, ∆ are valid contexts then a substitution σ :Γ ` ∆ is deﬁned inductively as:

σ :Γ ` ∆ Γ ` t : T [σ] :Γ ` σ, x := t :Γ ` ∆, x : T

It associates to each variable of ∆ a term of Γ.

Lemma (Substitution) If δ :Γ ` ∆ and ∆ ` t : T then Γ ` t[σ]: T [σ]

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 21 Thinning

Lemma (Thinning) If Γ, x : T, ∆ ` t : T and x 6∈ FV(∆) ∪ FV(t) ∪ FV(T ) then Γ, ∆ ` t : T .

I This lemma is not necessary in general but allows removing useless abstractions in terms. I Note that it cannot be derived from substitution if T is not inhabited. I It is not valid in extentional type theories where dependencies on hypothesis can be implicit in the term and type.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 22 Generation

Lemma (Generation)

0 0 0 Γ ` s : T ⇒ ∃ s .T ≡β s ∧ (s, s ) ∈ A 0 0 0 0 Γ ` x : T ⇒ ∃ T s. T ≡β T ∧ Γ ` T : s ∧ (x : T ) ∈ Γ

Γ ` (Πx : U.V ): T ⇒ ∃(s1, s2, s3) ∈ R.T ≡β s3 ∧

Γ ` U : s1 ∧ Γ, x : U ` V : s2 0 0 Γ ` (λx : U.t): T ⇒ ∃ T s. T ≡β (Πx : U.T ) Γ ` Πx : U.T 0 : s ∧ Γ, x : U ` t : T 0 Γ ` t u : T ⇒ ∃ UV.T ≡β V [x := u] Γ ` t :Πx : U.V ∧ Γ ` u : U

Proof. By case analysis of the last rule of the derivation.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 23 Validity

In all the cases we consider we can prove: Lemma (Validity) If Γ ` t : T then T = or ∃ s.Γ ` T : s.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 24 Subject Reduction

Lemma (Subject Reduction) ∗ If Γ ` t : T and t →β u then Γ ` u : T .

Proof. By induction on the typing derivation, and case analysis of the reduction. Similarly to the STLC case, we use the substitution lemma for β-reductions. The proof is left as an exercise.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 25 Type uniqueness

Functional PTSs have unicity of types: Lemma (Uniqueness of types)

If Γ ` t : T and Γ ` t : U then T ≡β U.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 26 Summary

All functional, strongly-normalizing PTS enjoy: I Generation I Substitution I Thining I Subject Reduction I Type uniqueness What about strong-normalization? Strong Normalization property (SN):

Γ ` M : T ⇒ ¬∃(Mi)i∈N.M = M0 →β M1 →β ···

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 27 Strong normalization of λ-Cube

Theorem (Coquand’85, Geuvers and Nederhof’91) All systems of the λ-cube are strongly normalizing.

Proof. 1 λω (System F ω) is SN. 2 λω is SN implies that λC is SN.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 28 Strong Normalization proof sketch

I Deﬁne a degree function on terms: #(t) depending on the kind of t: object, type, dependent type, polymorphic type, ... I Deﬁne erasure functions ρ(t), τ(t), t depending on the degree of t that preserve reductions.J K I Show: Theorem

I Γ `λC M : N implies τ(Γ) `λω τ(M): ρ(N)

I Γ `λC M : N implies τ(Γ) `λω M : τ(N) J K I Γ `λC M : T and Γ `λC N : U then M →β N implies + M →β N J K J K I By preservation of normalization: an inﬁnite reduction sequence in λC would imply an inﬁnite reduction sequence in λω.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 29 System λU

A system with two impredicative sorts one above the other:

S = {∗, , ∆} A = {(∗, ), (, ∆)} R = {(∗, ∗, ∗), (, ∗, ∗), (, , ), (∆, , ), (∆, ∗, ∗)}

Theorem (Girard) I In λU there is a term M such that ` M :Πx : ∗.x. I M is not strongly normalizing I Every type in ∗ is inhabited

Girard-Hurkens paradox. Replicates Cantor’s paradox in this type theory: There is no 1-1 function: P(A) → A, where P(X) ::= X → ∗.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 30 Pure Type Systems

1 Pure type systems

2 PTS metatheory Canonicity

3 Beyond PTS: Extending the Calculus of Constructions Predicative types and Prop Dependent sums

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 31 Consistency

Gödel’s 2nd incompleteness theorem: a formal system as strong as arithmetic cannot prove its own consistency, unless it is inconsistent. ⇒ Consistency and SN cannot be proved in arithmetic. Need a stronger formalism, e.g. set theory.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 32 Canonicity

Characterization of inhabitants (in normal form) of type constructors Using inversion lemmas, if M in normal form (atomic terms: x t1 ··· tn): I Γ ` M :Πx : A.B implies M is either a λ or an atomic term. I Γ ` M : s implies M is either a sort, a Π or an atomic term. Note: when Γ = [ ], the atomic case does not apply If the formalism encodes arithmetic, we expect: I Γ ` M : N implies M is either 0 or a successor, or an atomic term.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 33 Canonicity + SN: Constructivity

Using SN: I ` M :Πx : A.B then M reduces to a λ. I ` M : s then M reduces to a sort or a Π. I ` M : N then M reduces to a numeral.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 34 Constructivity and Consistency

Constructivitiy: canonicity applied to connectives (cut elimination) I ` M : A ∨ B implies M reduces to an introduction rule, thus we get either a proof of A or a proof of B. I ` M : ∃x : A.B implies M reduces to a pair (a, b) where a is a witness. I ` M : ⊥ is impossible: consistency. Note: non-normalization of a type theory often (not always!) lead to inconsistency.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 35 Pure Type Systems

1 Pure type systems

2 PTS metatheory Canonicity

3 Beyond PTS: Extending the Calculus of Constructions Predicative types and Prop Dependent sums

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 36 Propositions and types

Up to now we’ve only considered impredicative type theory where:

Πα : ∗.τ : ∗

I This implies that set-theoretic models “collapse” the interpretation of inhabitants of types in ∗ into a singleton set: either inhabited or not. I This is ﬁne for reasonning about consistency but not about the intensional behavior of terms. I Requires moving to a predicative sort hiearchy.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 37 Predicative types

In Coq’s type theory, an impredicative Prop sort (morally ∗) cohabits with an inﬁnite predicative hiearchy Typei.

S = {Prop} ∪ {Typei | i ∈ N}

A = {(Prop, Type0)} ∪ {(Typei, Typei+1) | i ∈ N}

R = {(Prop, Typei, Typei) type depends on prop (Prop, Prop, Prop) prop depends on prop (Typei, Prop, Prop) impredicative quantiﬁcation (Typei, Typej, Typemax(i,j)) type quantiﬁcation} This is a strongly normalizing functional PTS.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 38 Examples

We now assume that natural numbers are deﬁned in Type0. Impredicativity:

(Π PQ : Prop.(P → Q) → Q): Prop

Proposition depending on proposition:

(Πx : nat, x > 0 → x ∗ x > 0) : Prop

Predicativity: (ΠX : Type0,X): Type1

I A system with only predicative types can be shown strongly-normalizing with arithmetic means. Impredicativity requires the candidates of reducibility method.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 39 Prop vs Typei

This system is using propositions-as-props!

∧, ∨, ↔, ⇒ : Prop → Prop → Prop ×, +, IsEquiv, → : Typei → Typei → Typemax(i,j) Sorry for the confusion.

This system is designed to allow extraction:

I Take a judgment `Coq t : nat I Erase everything in Prop inside t to get an (untyped) term t0 I t and t0 evaluate to the same natural number.

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 40 Dependent Sums

Dependent Type Theory includes an additional type constructor not derivable from dependent products: Terms and types:

T, U, t, u ::= x ∈ V variable s ∈ S sort λx : T.u abstraction t u application Πx : T.U product / pi-type Σx : T.U sum / sigma-type (t, u) dependent pair t.i i ∈ {1, 2} projections

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 41 Typing Σ-types

Sum Γ ` T : Typei Γ, x : T ` U : Typej

Γ ` Σx : T.U : Typemax(i,j)

Pair Γ ` Σx : T.U : Typei Γ ` t : T Γ ` u : U[x := t] Γ ` (t, u):Σx : T.U

Fst Snd Γ ` t :Σx : T.U Γ ` t :Σx : T.U Γ ` t.1 : T Γ ` t.2 : U[x := t.1]

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 42 Example Σ-types

Example: ` (0, eqreﬂ 0) : Σx : nat.x = x Non-unique types:

` (0, eqreﬂ 0) : Σx : nat.x = 0

` (0, eqreﬂ 0) : Σx : nat.0 = 0 ⇒ Solved by adding type annotations to the constructor: ( , )Σx:A.B

Using conversion: eq 0 0 ≡β eq ((λx : nat.0) 1) 0

` ((λx : nat.0), eqreﬂ 0) : Σf : nat → nat.f 1 = 0

Matthieu Sozeau - Introduction to Dependent Type Theory (3/4) 43 t.1 : (∃ x : T.U x) → T t.1 ::= t T (λ(x : T )(u : U x).x) t.2 :(∃ x : T.U x) → U t.1 t.2 ::= t (U t.1) (λ(x : T )(u : U x).?) “Impredicative” sums hide information about the witness while Σ-types reveal the dependency of the second component. ⇒ Sigma-types are not abstract types.

Typing Σ-types