THÈSE D’HABILITATION À DIRIGER LES RECHERCHES presentée À L’UNIVERSITÉ PARIS 7 - DENIS DIDEROT soutenue par Bruno Barras le ?? ?? 2012 Title: Semantical Investigations in Intuitionistic Set Theory and Type Theories with Inductive Families ———– Jury: Contents 1 Introduction 5 1.1 Motivations for formal semantics . .5 1.2 Which model do we want ? . .6 1.3 How can we accept a formal model of Coq in Coq ? . .7 1.4 Formalizing in the large . .7 1.5 Overview of the thesis . .9 1.6 Mathematical conventions . 10 I Intuitionistic Set Theory 11 2 Basics of Intuitionistic Set Theory 13 2.1 Introduction . 13 2.2 Basic Setup: Sets and Axiomatized Constructions . 14 2.3 Derived constructions . 17 2.4 Relations and functions . 19 2.5 Grothendieck Universes . 21 2.6 Other axiomatizations of set theory in Coq . 23 3 Ordinals and Fixpoint Theorems 25 3.1 Motivations for an intuitionistic theory of ordinals . 25 3.2 Plump and Directed Ordinals . 27 3.3 Transfinite Iteration . 28 3.4 Supremum of ordinals . 32 3.5 Limits . 33 3.6 Least Fixpoint Theorems . 34 3.7 Cardinal numbers as isomorphism classes . 39 3.8 Ordinals and Grothendieck Universes . 42 4 Models of Set Theory in Coq 43 4.1 Logics . 43 4.2 Zermelo with functional replacement . 50 4.3 Extending Zermelo with Replacement or Collection . 54 4.4 Models of IZF_R, IZF_C and ZF in type theory . 56 4.5 Encoding Grothendieck universes . 58 3 4 CONTENTS II Models of Type Theories with Inductive Types 61 5 CC with Universes and Natural Numbers 63 5.1 Introduction to Models of Type Theory . 63 5.2 Calculus of Constructions . 66 5.3 Calculus of Constructions with natural numbers . 75 5.4 Extended Calculus of Constructions . 76 6 Strong Normalization Models 79 6.1 Girard’s reducibility candidates and saturated sets . 79 6.2 Abstract Strong Normalization of CC . 82 6.3 Implementing the abstract model . 92 6.4 Strong elimination . 94 6.5 Natural numbers . 97 6.6 Related works . 102 7 Natural numbers and type-based termination 103 7.1 Natural numbers with stages . 105 7.2 Model construction . 108 7.3 Strong normalization . 114 7.4 Comparison with other works . 117 8 Inductive types 119 8.1 Theory of W -types . 121 8.2 Strictly positive inductive definitions . 125 8.3 Inductive types and universes . 132 8.4 Encoding ZF as an inductive type . 133 8.5 Inductive types in Prop . 135 8.6 Advanced features of inductive types . 136 8.7 Towards a strong normalization proof . 150 III Conclusions 151 9 Conclusions 153 9.1 Summary of results . 153 9.2 Conclusions about the formalization . 155 9.3 Suggestions for future work . 158 Index and Notations 163 Bibliography 167 Chapter 1 Introduction The goal of this manuscript is to give a formal presentation of the set-theoretical se- mantics of the Calculus of Inductive Constructions (CIC),1 and related formalisms of type theory. This calculus form the logical foundations upon which the proof assis- tant Coq and others have been built. The presentation culminates with the proof of essential properties of these formalisms, such as the logical consistency, and strong normalization. Logical consistency, the property that the absurd proposition cannot be derived, is the least one can expect from a formal system intended to be used for encoding proofs. The strong normalization property is sometimes considered as just a technical lemma which is ultimately only useful because it implies logical consistency. But philosophically, it provides a much more interesting guarantee. It tells that any proof can be “simplified”, producing a normalized proof that uses possibly less principles than the original proof. One can imagine a scenario where the formalism happens to be inconsistent, but the normalized proof remains valid, because it uses a reduced subset of principles which is consistent. 1.1 Motivations for formal semantics Type theories have started to be thought as real alternatives to older formalism of set theory such as ZFC in the 60s and 70s. An unavoidable milestone is Martin-Löf’s Type Theory (MLTT). In 1985, Coquand and Huet have proposed an extension of this theory, incorporating Girard’s system F. This theory, the Calculus of Constructions, incorpo- rates an impredicative sort of propositions (inherited from system F’s polymorphism), that reduced the gap between the strong intuitionist taste of MLTT and the usual first- order style, which allowed to quantify propositions over any type. This calculus has had many extensions, to make it even more suitable for the formalization of advanced mathematical concepts and the refinement, without losing the original view that proofs are computational objects. The Calculus of Inductive Constructions is among the most popular of these extensions. Its main implementation, Coq, has over the years given the demonstration that type theory could tame top-tier mathematical theorems (four- color theorem, parts of Kepler’s conjecture, classification of simple finite groups), sup- port significant results in computer science (correctness proof of a realistic C-compiler, 1...or at least one possible view of it. 5 6 CHAPTER 1. INTRODUCTION large prime numbers certification), and have applications to software verification (smart cards). But the story of type theory, as that of set theory decades before, has also been marked by paradoxes, and the properties that we mentioned, have always been an ac- tive research topic. From the purely logical paradoxes of the early days (the famous Type:Type paradox), the situation has slightly changed. Nowadays, issues rather come from a bad interaction of the multiple features that have been studied independently. Let us mention the Chicli-Pottier-Simpson paradox [14]. It results from mixing a com- putational impredicative sort (Set), which has been studied by Werner [56], and a description axiom, valid in set theory. The problem came from the fact that most of the features of Coq had been studied in a set-theoretical model: mainly inductive types and predicative universes, But it had not been checked whether the impredicative Set fea- ture could be interpreted as a “locally non set-theoretical” type within a set-theoretical model. The impredicative Set feature has been dropped from the system by default, but still one cannot exclude that such unfortunate scenario happen again. It is “widely ac- cepted” that the intuitive set-theoretical model is sound. Many authors have contributed to this, most of the time considering only a subset of the features. Very few works put the focus on covering the full system. Lee and Werner [34], or H. Goguen [29] are so far the best effort in that domain, but they are still complex pen-and-paper proofs. Strong normalization proofs are amazingly tricky, and erroneous (reviewed) proofs are not so uncommon. A natural answer to this doubt that we may have on these informal proofs, is to try and encode them in a formal system. First of all, let us specify what we expect from the model. 1.2 Which model do we want ? There might be different goals for constructing a model: • to give an intuition of a formalism by providing a model that explains how the primitives can be translated to a more familiar or widely accepted formalism (e.g. set theory), • or study what is the theoretical strength of a formalism. In the second case, we want to build the “smallest” model. On the other hand, in the first case, we do not have this constraint, and prefer a model that will validate more properties than what is derivable, with the idea that then such properties can be safely added as axiom to our formalism. In this manuscript we focus more on the first alternative. This should help answer questions of users of Coq that want to extend the system with standard set theoretical axioms that are not provable in Coq. This ranges from the excluded-middle to powerful description principles, or adding extensional principles. If it is clear that the target formalism will be set theory (the exact system will be made precise later on), it remains to decide which implementation is going to be used. It should be a reliable system that we are familiar with. Coq is such a system. Usually, the project to prove the soundness of a formalism within an implementa- tion of the same formalism immediately raises objections that we are going to address. 1.3. HOW CAN WE ACCEPT A FORMAL MODEL OF COQ IN COQ ? 7 1.3 How can we accept a formal model of Coq in Coq ? There are two kinds of reasons to object against such a goal. The first one is logical: because of Gödel’s second incompleteness theorem, the proof of consistency (implied by strong normalization) of the formalism of Coq cannot be done within Coq, unless it is inconsistent. This is addressed by remarking that consistency (and strong normalization) proofs are never absolute proofs of a statement.2 Rather, they are relative to the formalism they are expressed in. This is the reason why we insisted in developing the proof relying on an encoding of set theory, which will be accepted by the majority of mathematicians. In order to obtain stronger results and reduce the risk of objections, We have tried to rely on as few axioms as possible. The second objection is about the implementation itself: a bug in Coq may have it accept an incorrect proof of its correctness. We dispatch the latter objection by recalling that this is true of any implementation we may use. Hence the choice for a system with a principled architecture (small kernel, explicit construction of proof objects, etc.), and the ability to express proofs naturally, thanks to its higher-order features.