Modeling and Proving in

Computational Type Theory

Using the Coq Proof Assistant

Textbook under Construction

Version of July 13, 2024

Gert Smolka
Saarland University

Copyright © 2021-24 by Gert Smolka, all rights reserved

Contents

Preface xi

I Basics 1

1 Getting Started 3
1.1 Booleans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Notational Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Structural Induction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.5 Quantified Inductive Hypotheses . . . . . . . . . . . . . . . . . . . . . . . . 10
1.6 Preview of Proof Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.7 Procedural Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.8 Pairs and Polymorphic Functions . . . . . . . . . . . . . . . . . . . . . . . . 15
1.9 Argument Inference and Implicit Arguments . . . . . . . . . . . . . . . . . 17
1.10 Iteration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.11 Ackermann Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.12 Unfolding Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.13 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2 Basic Computational Type Theory 25

2.1 Simply Typed Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2 Dependently Typed Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.3 Inductive Type Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.4 Inductive Function Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.5 Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.6 Plain Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.7 Lambda Abstractions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.8 Let Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.9 Matches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.10 Terms and Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.11 Function Definitions in Coq . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.12 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.13 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

iii
Contents

3 Propositions as Types 43
3.1 Implication and Universal Quantification . . . . . . . . . . . . . . . . . . . 44
3.2 Falsity and Negation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.3 Conjunction and Disjunction . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.4 Propositional Equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.5 Notational Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.6 Impredicative Characterizations . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.7 Proof Term Construction using Proof Tables . . . . . . . . . . . . . . . . . 52
3.8 Law of Excluded Middle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.9 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

4 Conversion and Leibniz Equality 59

4.1 Conversion Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.2 Abstract Propositional Equality . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.3 Basic Equational Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
4.4 Definition of Leibniz Equality . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.5 Abstract Constants and Theorems . . . . . . . . . . . . . . . . . . . . . . . 67
4.6 Theorems in this Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4.7 Abstract Presentation of Propositional Connectives . . . . . . . . . . . . . 69
4.8 Computational Equality and Eta Equivalence . . . . . . . . . . . . . . . . . 71
4.9 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

5 Inductive Eliminators 75
5.1 Generalized Subtyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.2 Propositional Discrimination Restriction . . . . . . . . . . . . . . . . . . . 76
5.3 Universe Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
5.4 Boolean Eliminator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.5 Example: Boolean Case Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 80
5.6 Kaminski’s Equation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.7 Eliminator for Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
5.8 A Formal Inductive Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
5.9 Equality of Numbers is Logically Decidable . . . . . . . . . . . . . . . . . . 85
5.10 Eliminator for Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5.11 Disequality of Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
5.12 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

6 Existential Quantification 91
6.1 Inductive Definition and Basic Facts . . . . . . . . . . . . . . . . . . . . . . 91
6.2 Barber Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.3 Lawvere’s Fixed Point Theorem . . . . . . . . . . . . . . . . . . . . . . . . . 95

iv
 Contents

7 Arithmetic Pairing 97
7.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
7.2 Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
7.3 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

8 Abstract Syntax 103

8.1 Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
8.2 Expressions and Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
8.3 Code and Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
8.4 Compilation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
8.5 Decompilation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
8.6 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

9 Certifying Functions and Sum Types 111

9.1 Sum Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
9.2 Proving at Type Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
9.3 Decision Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
9.4 Certifying Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
9.5 Certifying Equality Deciders . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
9.6 Computational Decidability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

10 Certifying Functions and Sigma Types 119

10.1 Dependent Pair Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
10.2 Certifying Division . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
10.3 Translation Theorems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
10.4 Projections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
10.5 Truncation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
10.6 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

11 More Computational Types 131

11.1 Injections and Bijections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
11.2 Option Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
11.3 Numeral Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
11.4 Vector Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
11.4.1 Position Element Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
11.4.2 Concatenation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

12 Linear Arithmetic 141

12.1 Inductive Definition of Numbers . . . . . . . . . . . . . . . . . . . . . . . . 141
12.2 Addition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
12.3 Subtraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
12.4 Comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

v
Contents

12.5 Arithmetic Testers and Deciders . . . . . . . . . . . . . . . . . . . . . . . . 146

12.6 Linear Arithmetic Prover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
12.7 Multiplication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
12.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

13 Least Witness Operators 149

13.1 Least Witness Predicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
13.2 Certifying Least Witness Operators . . . . . . . . . . . . . . . . . . . . . . . 150
13.3 Decidability Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
13.4 Reducible LWOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
13.5 Least Witness Existence and Excluded Middle . . . . . . . . . . . . . . . . 155

14 EWOs 157
14.1 Linear Search Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
14.2 EWO for Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
14.3 General EWOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
14.4 EWO Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
14.5 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

15 Indexed Inductives 165

15.1 Inductive Equality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
15.2 Reflexive Transitive Closure . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
15.3 Inductive Comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
15.4 Inductive Numeral Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
15.5 Inductive Vector Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
15.6 Post Correspondence Problem . . . . . . . . . . . . . . . . . . . . . . . . . . 173
15.7 Index Elimination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
15.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

16 Extensionality 177
16.1 Extensionality Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
16.2 Set Extensionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
16.3 Proof Irrelevance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
16.4 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

17 Excluded Middle and Double Negation 181

17.1 Characterizations of Excluded Middle . . . . . . . . . . . . . . . . . . . . . 181
17.2 Double Negation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
17.3 Definite Propositions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
17.4 Stable Propositions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
17.5 Variants of Excluded Middle . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
17.6 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

vi
 Contents

18 Provability 191
18.1 Provability Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
18.2 Consistency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

II More Basics 195

19 Arithmetic Recursion 197

19.1 Complete Induction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
19.2 Size Induction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
19.3 Euclidean Quotient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
19.4 Step-Indexed Function Construction . . . . . . . . . . . . . . . . . . . . . . 202
19.5 Greatest Common Divisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
19.6 Course-of-values Recursion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

20 Euclidean Division 207

20.1 Existence of Quotient and Remainder . . . . . . . . . . . . . . . . . . . . . 207
20.2 Uniqueness of Quotient and Remainder . . . . . . . . . . . . . . . . . . . . 209
20.3 Quotient and Remainder with Repeated Subtraction . . . . . . . . . . . . 210
20.4 Divisibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
20.5 Greatest Common Divisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
20.6 Inductive GCD Predicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
20.7 Reducible Quotient and Remainder Functions . . . . . . . . . . . . . . . . 215
20.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

21 Lists 217
21.1 Inductive Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
21.2 Basic Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
21.3 Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
21.4 Inclusion and Equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
21.5 Nonrepeating Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
21.6 Lists of Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
21.7 Position-Element Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
21.8 Constructive Discrimination Lemma . . . . . . . . . . . . . . . . . . . . . . 229
21.9 Element Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
21.10 Cardinality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
21.11 Setoid Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

22 Finite Types 235

22.1 Coverings and Listings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
22.2 Basics of Finite Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
22.3 Finiteness by Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

vii
Contents

22.4 Existence of Injections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

22.5 Upgrade Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
22.6 Listless Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
22.7 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

23 Countable Types 245

23.1 Enumerable Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
23.2 Countable Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
23.3 Injection into N via List Enumeration . . . . . . . . . . . . . . . . . . . . . . 248
23.4 More Countable Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
23.5 Alignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
23.6 Alignment Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
23.7 Bijection Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
23.8 Alignments of Finite Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
23.9 Finite or Infinite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
23.10 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

III Case Studies 257

24 Propositional Deduction 259

24.1 ND Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
24.2 Intuitionistic ND System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
24.3 Formalization with Indexed Inductive Type Family . . . . . . . . . . . . . 262
24.4 The Eliminator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
24.5 Induction on Derivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
24.6 Classical ND System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
24.7 Glivenko’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
24.8 Intuitionistic Hilbert System . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
24.9 Heyting Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
24.10 Boolean Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
24.11 Boolean Formula Decomposition . . . . . . . . . . . . . . . . . . . . . . . . 278
24.12 Certifying Boolean Solvers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
24.13 Boolean Entailment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
24.14 Cumulative Refutation System . . . . . . . . . . . . . . . . . . . . . . . . . . 285
24.15 Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
24.16 Entailment Relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
24.17 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

25 Boolean Satisfiability 293

25.1 Boolean Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
25.2 Boolean Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

viii
 Contents

25.3 Clausal DNFs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

25.4 DNF Solver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
25.5 DNF Recursion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
25.6 Tableau Refutations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
25.7 Abstract Refutation Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

26 Regular Expression Matching 307

26.1 Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
26.2 Decidability of Regular Expression Matching . . . . . . . . . . . . . . . . . 310

27 Abstract Reduction Systems 313

27.1 Paths Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
27.2 Reflexive Transitive Closure . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

IV Foundational Studies 319

28 Axiom CT and Semidecidability 321

28.1 Tests and Basic Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
28.2 UT and Undecidability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
28.3 Diophantine Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
28.4 Axiom CT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
28.5 Recusant Relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
28.6 Inconsistent Strengthening of UT . . . . . . . . . . . . . . . . . . . . . . . . 328
28.7 Post Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
28.8 Semidecidable Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
28.9 More Semidecidability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
28.10 Markov’s Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
28.11 Promises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
28.12 Promising Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
28.13 Recusant Partial Deciders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
28.14 Universal Partial Deciders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
28.15 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

29 Inductive Equality 345

29.1 Basic Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
29.2 Uniqueness of Identity Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . 347
29.3 Hedberg’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
29.4 Inversion with Casts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
29.5 Constructor Injectivity with DPI . . . . . . . . . . . . . . . . . . . . . . . . . 351
29.6 Inductive Equality at Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
29.7 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

ix
Contents

30 Well-Founded Recursion 355

30.1 Recursion Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
30.2 Well-founded Relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
30.3 Unfolding Equation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
30.4 Example: GCDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
30.5 Unfolding Equation without FE . . . . . . . . . . . . . . . . . . . . . . . . . . 362
30.6 Witness Operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
30.7 Equations Package and Extraction . . . . . . . . . . . . . . . . . . . . . . . . 364
30.8 Padding and Simplification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
30.9 Classical Well-foundedness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
30.10 Transitive Closure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
30.11 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

31 Aczel Trees and Hierarchy Theorems 371

31.1 Inductive Types for Aczel Trees . . . . . . . . . . . . . . . . . . . . . . . . . 371
31.2 Propositional Aczel Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
31.3 Subtree Predicate and Wellfoundedness . . . . . . . . . . . . . . . . . . . . 374
31.4 Propositional Hierarchy Theorem . . . . . . . . . . . . . . . . . . . . . . . . 375
31.5 Excluded Middle Implies Proof Irrelevance . . . . . . . . . . . . . . . . . . 376
31.6 Hierarchy Theorem for Computational Universes . . . . . . . . . . . . . . 376

V Appendices 379

Appendix: Typing Rules 381

Appendix: Inductive Definitions 383

Appendix: Basic Definitions 387

Appendix: Exercise Sheets 389

Appendix: Glossary 413

Appendix: Author’s Notes 415

Bibliography 418

x
Preface

This text teaches topics in computational logic computer scientists should know
when discussing correctness of software and hardware. We acquaint the reader with
a foundational theory and a programming language for interactively constructing
computational models with machine-checked proofs. As common with program-
ming languages, we teach foundations, case studies, and practical programming in
an interleaved fashion.
The foundational theory we are using is a computational type theory extending
Martin-Löf type theory with inductive definitions and impredicative propositions.
All functions definable in the theory are computable. The proof rules of the theory
are intuitionistic while assuming the law of excluded middle is possible. As it will
become apparent through case studies in this text, computational type theory is
a congenial foundation for computational models and correctness arguments, im-
proving much on the set-theoretic language coming with mainstream mathematics.
We will use the Coq proof assistant, an implementation of the computational
type theory we are using. The interactive proof assistant assists the user with
the construction of theories and checks all definitions and proofs for correctness.
Learning computational logic with an interactive proof assistant makes a dramatic
difference to learning logic offline. The immediate feedback from the proof as-
sistant provides for rapid experimentation and effectively teaches the rules of the
underlying type theory. While the proof assistant enforces the rules of type theory,
it provides much automation as it comes to routine verifications.
We will use mathematical notation throughout this text and confine all Coq code
to Coq files accompanying the chapters. We assume a reader unfamiliar with type
theory and the case studies we consider. So there is a lot of material to be ex-
plained and understood at mathematical levels abstracting from the Coq program-
ming language. In any case, theories and proofs need informal explanations to be
appreciated by humans, and informal explanations are needed to understand for-
malisations in Coq.
The abstraction level coming with mathematical notation gives us freedom in ex-
plaining the type theory and helps with separating type-theoretic design principles
from engineering aspects coming with the Coq language. For instance, we will have
equational inductive function definitions at the mathematical level and realize them
with Coq’s primitives at the coding level. This way we get mathematically satisfying
function definitions and a fine explanation of Coq’s pattern matching construct.

xi
Preface

Acknowledgements
This text has been written for the course Introduction to Computational Logic I teach
every summer semester at Saarland University (since 2003). In 2010, we switched to
computational type theory and the proof assistant Coq. From 2010–2014 I taught
the course together with Chad E. Brown and we produced lecture notes discussing
Coq developments (in the style of Benjamin Pierce’s Software Foundations at the
time). It was great fun to explore with Chad intuitionistic reasoning and the propo-
sitions as types paradigm. It was then I learned about impredicative characteriza-
tions, Leibniz equality, and natural deduction. Expert advice on Coq often came
from Christian Doczkal.
By Summer 2017 I was dissatisfied with the programming-centered approach we
had followed so far and started writing lectures notes using mathematical language.
There were also plenty of exciting things about type theory I still had to learn. My
chief teaching assistants during this time were Yannick Forster (2017), Dominik
Kirst (2018-2020), and Andrej Dudenhefner (2021), all of them contributing exer-
cises and ideas to the text.
My thanks goes to the undergraduate and graduate students who took the course
and who worked on related topics with me, and to the persons who helped me teach
the course. You provided the challenge and motivation needed for the project. And
the human touch making it fun and worthwhile.

xii
Part I

Basics

1
1 Getting Started

We start with basic ideas from computational type theory and Coq. The main issues
we discuss are inductive types, structural recursion, and equational reasoning with
structural induction. We will see inductive types for booleans, natural numbers, and
pairs. Based on inductive types, we will define inductive functions using equations
and structural case analysis. This will involve functions that are cascaded, recursive,
higher-order (i.e., take functions as arguments), and polymorphic (i.e., take types
as leading arguments). Recursion will be limited to structural recursion so that
functional computation always terminates.
Our main interest is in proving equations involving recursive functions (e.g., com-
mutativity of addition, x + y = y + x). This will involve proof steps known as
simplification, rewriting, structural case analysis, and structural induction. Equal-
ity will appear in a general form called propositional equality, and in a specialized
form called computational equality. Computational equality is a prominent design
aspect of type theory that is important for mechanized proofs.
We will follow the equational paradigm and define functions with equations. We
will mostly define cascaded functions and use the accompanying notation known
from functional programming.
Type theory is a foundational theory starting from computational intuitions. Its
approach to mathematical foundations is very different from set theory. We may say
that type theory explains things computationally while set theory explains things
at a level of abstraction where computation is not an issue. When working with
computational type theory, set-theoretic explanations (e.g., of functions) are often
not helpful, so free your mind for a foundational restart.

1.1 Booleans

In Coq, even basic types like the type of booleans are defined as inductive types.
The type definition for the booleans

B ::= true | false

3
1 Getting Started

introduces three typed constants called constructors:

B: T
true : B
false : B

The constructors represent the type B and its two values true and false. Note that
the constructor B also has a type, which is the universe T (a special type whose
elements are types).
Inductive types provide for the definition of inductive functions, where a
defining equation is given for each value constructor. Our first example for an
inductive function is a boolean negation function:

!: B→B
! true := false
! false := true

There is a defining equation for each of the two value constructors of B. We say
that an inductive function is defined by discrimination on an inductive argument
(an argument that has an inductive type). There must be exactly one defining equa-
tion for every value constructor of the type of the inductive argument the func-
tion discriminates on. In the literature, discrimination is known as structural case
analysis.
The defining equations of an inductive function serve as computation rules. For
computation, the equations are applied as left-to-right rewrite rules. For instance,
we have

! ! ! true = ! ! false = ! true = false

by rewriting with the first, the second, and again with the first defining equation of !.
Note that ! ! ! true is to be read as !(!(! true)), and that the first rewrite step replaces
the subterm ! true with false. Computation in Coq is logical and is used in proofs.
For instance, the equation

! ! ! true = ! true

follows by computation:

! ! ! true ! true
= ! ! false = false
= ! true
= false

4
 1.2 Numbers

We speak of a proof by computational equality.

Proving the equation

!!x = x

involving a boolean variable x takes more than computation since none of the defin-
ing equations applies. What is needed is discrimination (i.e., case analysis) on the
boolean variable x, which reduces the claim ! ! x = x to the equations ! ! true = true
and ! ! false = false, which both hold by computational equality.
Next we define inductive functions for boolean conjunction and boolean disjunc-
tion:

& : B→B→B |: B→B→B

true & y := y true | y := true
false & y := false false | y := y

Both functions discriminate on their first argument. Alternatively, one could de-
fine the functions by discrimination on the second argument, resulting in different
computation rules. There is the general principle that computation rules must be
disjoint (at most one computation rule applies to a given term).
The left hand sides of defining equations are called patterns. Often, patterns
bind variables that can be used in the right hand side of the equation. The patterns
of the defining equations for & and | each bind the variable y.
Given the definitions of the basic boolean connectives, we can prove the usual
boolean indenties with discrimination and computational equality. For instance, the
distributivity law

x & (y | z) = (x & y) | (x & z)

follows by discrimination on x and computation, reducing the law to the trivial

equations y | z = y | z and false = false. Note that the commutativity law

x &y =y &x

needs case analysis on both x and y to reduce to computationally valid equations.

1.2 Numbers

The inductive type for the numbers 0, 1, 2, . . .

N ::= 0 | S(N)

5
1 Getting Started

introduces three constructors

N: T
0: N
S: N→N

The value constructors provide 0 and the successor function S. A number n can
be represented by the term that applies the constructor S n-times to the construc-
tor 0. For instance, the term S(S(S0)) represents the number 3. The constructor
representation of numbers dates back to the Dedekind-Peano axioms.
We will use the familiar notations 0, 1, 2, . . . for the terms 0, S0, S(S0), . . . .
Moreover, we will take the freedom to write terms like S(S(Sx)) without parentheses
as SSSx.
We define an inductive addition function discriminating on the first argument:

+:N→N→N
0 + y := y
Sx + y := S(x + y)

The second equation is recursive since it uses the function ’+’ being defined at the
right hand side.
Computational type theory does not admit partial functions. To fulfill this de-
sign principle, recursion must always terminate. To ensure termination, recursion is
restricted to inductive functions and must act on a single discriminating argument.
One speaks of structural recursion. Recursive applications must be on variables
introduced by the constructor of the pattern of the discriminating argument. In the
above definitions of ’+’, only the variable x in the second defining equation quali-
fies for recursion. Intuitively, structural recursion terminates since every recursion
step skips a constructor of the recursive argument. The condition for structural
recursion can be checked automatically by a proof assistant.
We define truncating subtraction for numbers:

− : N→N→N
0 − y := 0
Sx − 0 := Sx
Sx − Sy := x − y

This time we have two discriminating arguments (we speak of a cascaded

discrimination). The primary discrimination is on the first argument, followed by
a secondary discrimination on the second argument in the successor case. The re-
cursion is on the first argument. We require that a structural recursion is always on
the first discriminating argument.

6
 1.3 Notational Conventions

Truncating subtraction gives us a test for comparisons x ≤ y of numbers. We

have x ≤ y if and only if x − y = 0.
Following the scheme we have seen for addition, functions for multiplication and
exponentiation can be defined as follows:

· : N→N→N ˆ: N→N→N
0 · y := 0 x 0 := 1
Sx · y := y + x · y x Sn := x · x n

Exercise 1.2.1 Define functions as follows:

a) A function N → N → N yielding the minimum of two numbers.
b) A function N → N → B testing whether two numbers are equal.
c) A function N → N → B testing whether a number is smaller than another number.

Exercise 1.2.2 (Symmetric boolean conjunction and disjunction) Using cascaded

discrimination, we can define an inductive function for boolean conjunction with
symmetric defining equations:

& :B→B→B
true & true := true
true & false := false
false & true := false
false & false := false

a) Prove that the symmetric function satisfies the defining equations for the stan-
dard boolean conjunction function (true & y = y and false & y = false).
b) Prove that the symmetric function agrees with the standard boolean conjunction
function.
c) Define a symmetric boolean disjunction function and show that it agrees with
the standard boolean disjunction function.

1.3 Notational Conventions

We are using notational conventions common in type theory and functional pro-
gramming. In particular, we omit parentheses in types and applications relying on
the following rules:

s→t→u Ž s → (t → u)
stu Ž (st)u

7
1 Getting Started

x+0=x induction x
1 0+0=0 computational equality
2 IH : x + 0 = x Sx + 0 = Sx simplification
S(x + 0) = Sx rewrite IH
Sx = Sx computational equality

Figure 1.1: Proof table for Equation 1.1

For the arithmetic operations we assume the usual precedences, so multiplication ’·’
binds before addition ’+’ and subtraction ’−’, and all three of them are left associa-
tive. For instance:

x+2·y −5·x+z Ž ((x + (2 · y)) − (5 · x)) + z

1.4 Structural Induction

We will now discuss proofs of the equations

x+0=x (1.1)
x + Sy = S(x + y) (1.2)
x+y =y +x (1.3)
(x + y) − y = x (1.4)

None of the equations can be shown with structural case analysis and computation
alone. In each case structural induction on numbers is needed. Structural induction
strengthens structural case analysis by providing an inductive hypothesis in the
successor case. Figure 1.1 shows a proof table for Equation 1.1. The induction rule
reduces the initial proof goal to two subgoals appearing in the lines numbered 1
and 2. The two subgoals are obtained by discrimination on x and by adding the
inductive hypothesis (IH) in the successor case. The inductive hypothesis makes it
possible to close the proof of the successor case by simplification and by rewriting
with the inductive hypothesis. A simplification step simplifies a claim by applying
defining equations from left to right. A rewriting step rewrites with an equation
that is either assumed or has been established as a lemma. In the example above,
rewriting takes place with the inductive hypothesis, an assumption introduced by
the induction rule.
We will explain later why structural induction is a valid proof principle. For now
we can say that inductive proofs are recursive proofs.
We remark that rewriting can apply an equation in either direction. The above
proof of Equation 1.1 can in fact be shortened by one line if the inductive hypothesis
is applied from right to left as first step in the second proof goal.

8
 1.4 Structural Induction

x+y −y =x induction y
1 x+0−0=x rewrite Equation 1.1
x−0=x case analysis x
1.1 0−0=0 comp. eq.
1.2 Sx − 0 = Sx comp. eq.
2 IH : x + y − y = x x + Sy − Sy = x rewrite Equation 1.2
S(x + y) − Sy = x simplification
x+y −y =x IH

Figure 1.2: Proof table for Equation 1.4

Note that Equations 1.1 and 1.2 are symmetric variants of the defining equations
of the addition function ’+’. Once these equations have been shown, they can be
used for rewriting in proofs.
Figure 1.2 shows a proof table giving an inductive proof of Equation 1.4. Note
that the proof of the base case involves a structural case analysis on x so that
the defining equations for subtraction apply. Also note that the proof rewrites
with Equation 1.1 and Equation 1.2, assuming that the equations have been proved
before. The successor case closes with an application of the inductive hypothesis
(i.e., the remaining claim agrees with the inductive hypothesis).
We remark that a structural case analysis in a proof (as in Figure 1.2) may also
be called a discrimination or a destructuring.
The proof of Equation 1.3 is similar to the proof of Equation 1.4 (induction on x
and rewriting with 1.1 and 1.2). We leave the proof as exercise.
One reason for showing inductive proofs as proof tables is that proof tables
explain how one construct proofs in interaction with Coq. With Coq one states the
initial proof goal and then enters commands called tactics performing the proof
actions given in the rightmost column of the proof tables. The induction tactic
displays the subgoals and automatically provides the inductive hypothesis. Except
for the initial claim, all the equations appearing in the proof tables are displayed
automatically by Coq, saving a lot of tedious writing. Replay all proof tables shown
in this chapter with Coq to understand what is going on.
A proof goal consists of a claim and a list of assumptions called context. The
proof rules for structural case analysis and structural induction reduce a proof goal
to several subgoals. A proof is complete once all subgoals have been closed.
A proof table comes with three columns listing assumptions, claims, and proof
actions.1 Subgoals are marked by hierarchical numbers and horizontal lines. Our

1
In this section, only inductive hypotheses appear as assumption. We will see more assumptions
once we prove claims with implication in Chapter 3.

9
1 Getting Started

proof tables may be called have-want digrams since they come with separate
columns for assumptions we have, claims we want to prove, and actions we per-
form to advance the proof.

Exercise 1.4.1 Give a proof table for Equation 1.2. Follow the layout of Figure 1.2.

Exercise 1.4.2 Prove that addition is commutative (1.3). Use equations (1.1)
and (1.2) as lemmas.

Exercise 1.4.3 Shorten the given proofs for Equations 1.1 and 1.4 by applying the
inductive hypothesis from right to left thus avoiding the simplification step.

Exercise 1.4.4 Prove that addition is associative: (x + y) + z = x + (y + z). Give a

proof table.

Exercise 1.4.5 Prove the distributivity law (x + y) · z = x · z + y · z. You will need

associativity of addition.

Exercise 1.4.6 Prove that multiplication is commutative. You will need lemmas.

Exercise 1.4.7 (Truncating subtraction) Truncating subtraction is different from

the familiar subtraction in that it yields 0 where standard subtraction yields a neg-
ative number. Truncating subtraction has the nice property that x ≤ y if and only
if x − y = 0. Prove the following equations:
a) x − 0 = x
b) x − (x + y) = 0
c) x − x = 0
d) (x + y) − x = y
Hint: (d) follows with equations shown before.

1.5 Quantified Inductive Hypotheses

Sometimes it is necessary to do an inductive proof using a quantified inductive hy-

pothesis. As an example we consider a variant of the subtraction function returning
the distance between two numbers:

D: N→N→N
D 0 y := y
D (Sx) 0 := Sx
D (Sx)(Sy) := Dxy

10
 1.5 Quantified Inductive Hypotheses

∀y. Dxy = (x − y) + (y − x) induction x

1 ∀y. D0y = (0 − y) + (y − 0) disc. y
1.1 D00 = (0 − 0) + (0 − 0) comp. eq.
1.2 D0(Sy) = (0 − Sy) + (Sy − 0) comp. eq.
2 IH : ∀y. · · · ∀y. D(Sx)y = (Sx − y) + (y − Sx) disc. y
2.1 D(Sx)0 = (Sx − 0) + (0 − Sx) simpl.
Sx = Sx + 0 apply (1.1)
2.2 D(Sx)(Sy) = (Sx − Sy) + (Sy − Sx) simpl.
Dxy = (x − y) + (y − x) apply IH

Figure 1.3: Proof table for a proof with a quantified inductive hypothesis

The defining equations discriminate on the first argument and in the successor
case also on the second argument. The recursion occurs in the third equation and
is structural in the first argument.
We now want to prove

Dxy = (x − y) + (y − x)

We do the proof by induction on x followed by discrimination on y. The base cases

with either x = 0 or y = 0 are easy. The interesting case is

D(Sx)(Sy) = (Sx − Sy) + (Sy − Sx)

After simplification (i.e., application of defining equations) we have

Dxy = (x − y) + (y − x)

If this was the inductive hypothesis, closing the proof is trivial. However, the actual
inductive hypothesis is

Dx(Sy) = (x − Sy) + (Sy − x)

since it was instantiated by the discrimination on y. The problem can be solved by

starting with a quantified claim

∀y. Dxy = (x − y) + (y − x)

where induction on x gives us a quantified inductive hypothesis that is not affected

by a discrimination on y. Figure 1.3 shows a complete proof table for the quantified
claim.
You may have questions about the precise rules for quantification and induction.
Given that this is a teaser chapter, you will have to wait a little bit. It will take until
Chapter 5 that quantification and induction are explained in depth.

11
1 Getting Started

Exercise 1.5.1 Prove Dxy = Dyx by induction on x. No lemma is needed.

Exercise 1.5.2 (Maximum)

Define an inductive maximum function M : N → N → N and prove the following:
a) Mxy = Myx (commutativity)
b) M(x + y)x = x + y (dominance)
Hint: Commutativity needs a quantified inductive hypothesis.
Extra: Do the exercise for a minimum function. Find a suitable reformulation for (b).

Exercise 1.5.3 (Symmetric addition) Using cascaded discrimination, we can define

an inductive addition function with symmetric defining equations:

+:N→N→N
0 + 0 := 0
0 + Sy := Sy
Sx + 0 := Sx
Sx + Sy := S(S(x + y))

a) Prove that the symmetric addition function is commutative: x + y = y + x.

b) Prove that the symmetric addition function satisfies the defining equations for
the standard addition function (0 + y = y and Sx + y = S(x + y)).
c) Prove that the symmetric addition function agrees with the standard addition
function.

1.6 Preview of Proof Rules

We have seen a number of proofs using structural case analysis and structural in-
duction on numbers. Our presentation is informal and leaves important issues
unexplained, in particular as it comes to structural induction on numbers. Latter in
this text, we will derive formal proof rules for structural case analysis and induction
from first principle in type theory. We now give a preview of the formal proof rules
explaining their meaning informally.
The rule for structural case analysis on booleans takes the form

EB : ∀p B→P . p true → p false → ∀[Link]

The rule says that we can prove a proposition px for all booleans x by proving it
for true and false. Type-theoretically, we see EB as a function that given proofs of
the propositions p true and p false yields a proof of the proposition px for every
boolean x.

12
 1.7 Procedural Specifications

The rule for structural case analysis on numbers takes the form

MN : ∀p N→P . p0 → (∀n. p(Sn)) → ∀[Link]

The rule says that we can prove a proposition pn for all numbers n by giving proofs
for 0 and all successors Sn. Type-theoretically, we see MN as a function that given
proofs of the propositions p0 and ∀n. p(Sn) yields a proof of the proposition
∀[Link].
The rule for structural induction on numbers takes the form

EN : ∀p N→P . p0 → (∀n. pn → p(Sn)) → ∀[Link]

It says that a proposition pn can be proved for all numbers n by giving proofs for
the zero case p0 and the successor case ∀n. pn → p(Sn). A proof of the successor
case ∀n. pn → p(Sn) is a function that given a number n and a proof of pn yields
a proof of the proposition p(Sn). In the context of the rule EN the proposition pn
acts as an assumption which is usually referred to as inductive hypothesis.
We may see the proof of the successor case of the induction rule as a method
that for every n upgrades a proof of pn to a proof of p(Sn). By iterating this
method n-times on a proof of p0

p0, p1, p2, . . . , pn

we can obviously get a proof of pn for every n.

We remark that in practice inductive proofs are obtained backwards: One first
announces that the claim is shown by induction and then works on the proof obli-
gations for the zero and the successor case.

1.7 Procedural Specifications

The rules we have given for defining inductive functions are very restrictive as it
comes to termination. There are many cases where a function can be specified
with a system of equations that are exhaustive, disjoint, and terminating. We then
speak of a procedural specification and its specifying equations. It turns out that
in practice using strict structural recursion one can construct inductive functions
satisfying procedural specifications relying on more permissive termination argu-
ments.
Our first example for a procedural specification specifies a function E : N → B
that checks whether a number is even:

E(0) = true
E(S0) = false
E(S(Sn)) = E(n)

13
1 Getting Started

The equations are exhaustive, disjoint, and terminating (two constructors are
skipped). However, the equations cannot serve as defining equations for an in-
ductive function since the recursion skips two constructors (rather that just one).
We can define an inductive function satisfying the specifying equations using the
defining equations

E(0) := true
E(Sn) := ! E(n)

(recall that ’!’ is boolean negation). The first and the second equation specifying E
hold by computational equality. The third specifying equation holds by simplifica-
tion and by rewriting with the lemma ! ! b = b.
Our second example specifies the Fibonacci function F : N → N with the equa-
tions

F0 = 0
F1 = 1
F (S(Sn)) = F n + F (Sn)

The equations do not qualify as defining equations for the same reasons we ex-
plained for E. It is however possible to define a Fibonacci function using strict
structural recursion. One possibility is to obtain F with a helper function F ′ taking
an extra boolean argument such that, informally, F ′ nb yields F (n + b) :

F′ : N → B → N
F ′ 0 false := 0
F ′ 0 true := 1
F ′ (Sn) false := F ′ n true
F ′ (Sn) true := F ′ n false + F ′ n true

Note that F ′ is defined by a cascaded discrimination on both arguments. We now

define

F : N→N
F n := F ′ n false

That F satisfies the specifying equations for the Fibonacci function follows by com-
putational equality.
Note that F is defined with a single defining equation without a discrimination.
We speak of a plain function and a plain function definition. Since there is no
discrimination, the defining equation of a plain function can be applied as soon

14
 1.8 Pairs and Polymorphic Functions

as the function is applied to enough arguments. The defining equation of a plain

function must not be recursive.
There are other possibilities for defining a Fibonacci function. Exercise 1.10.8
will obtain a Fibonacci function by iteration on pairs, and Exercise 1.12.5 will obtain
a Fibonacci function with a tail recursive helper function taking two extra argu-
ments. Both alternatives employ linear recursion, while the definition shown above
uses binary recursion, following the scheme of the third specifying equation.
We remark that Coq supports a more permissive scheme for inductive functions,
providing for a straightforward definition of a Fibonacci function essentially follow-
ing the specifying equations. In this text we will stick to the restrictive format
explained so far. It will turn out that every function specified with a terminating
system of equations can be defined in the restrictive format we are using here (see
Chapter 30).

Exercise 1.7.1 Prove E(n · 2) = true.

Exercise 1.7.2 Verify that F n := F ′ n false satisfies the specifying equations for the
Fibonacci function.

Exercise 1.7.3 Define a function H : N → N satisfying the equations

H0=0
H1=0
H(S(Sn)) = S(Hn)

using strict structural recursion. Hint: Use a helper function with an extra boolean
argument.

1.8 Pairs and Polymorphic Functions

We have seen that booleans and numbers can be accommodated as inductive types.
We will now see that pairs (x, y) can also be accommodated with an inductive type
definition.
A pair (x, y) combines two values x and y into a single value such that the
components x and y can be recovered from the pair. Moreover, two pairs are equal
if and only if they have the same components. For instance, we have (3, 2 + 3) =
(1 + 2, 5) and (1, 2) ≠ (2, 1).
Pairs whose components are numbers can be accommodated with the inductive
definition

Pair ::= pair(N, N)

15
1 Getting Started

which introduces two constructors

Pair : T
pair : N → N → Pair

A function swapping the components of a pair can be defined with a single equation:

swap : Pair → Pair

swap (pair x y) := pair y x

Using discrimination for pairs, we can prove the equation

swap (swap p) = p

for all pairs p (that is, for a variable p of type Pair). Note that discrimination for
pairs involves only a single case for the single value constructor for pairs.
Above we have defined pairs where both components are numbers. Given two
types X and Y , we can repeat the definition to obtain pairs whose first component
has type X and whose second component has type Y . We can do much better,
however, by defining pair types for all component types in one go:

Pair(X : T, Y : T) ::= pair(X, Y )

This inductive type definition gives us two constructors:

Pair : T → T → T
pair : ∀X Y . X → Y → Pair X Y

The polymorphic value constructor pair comes with a polymorphic function type
saying that pair takes four arguments, where the first argument X and the second
argument Y fix the types of the third and the fourth argument. Put differently, the
types X and Y taken as first and second argument are the types for the components
of the pair constructed. We say that the first and second argument of the value
constructor pair are parametric and the third and fourth are proper.
We shall use the familiar notation X × Y for product types Pair X Y .
We can write partial applications of the value constructor pair :

pair N : ∀Y . N → Y → N × Y
pair N B : N → B → N × B
pair N B 0 : B → N × B
pair N B 0 true : N × B

16
 1.9 Argument Inference and Implicit Arguments

We can also define a polymorphic swap function working for all pair types:

swap : ∀X Y . X × Y → Y × X
swap X Y (pair x y) := pair Y X y x

Note that the parametric arguments of pair are omitted in the pattern of the defin-
ing equation (i.e, the left hand side of the defining equation). The reason for the
omission is that the parametric arguments of pair don’t contribute relevant infor-
mation in the pattern of a defining equation.

1.9 Argument Inference and Implicit Arguments

If we look at the type of the polymorphic pair constructor

pair : ∀X Y . X → Y → X × Y

we see that the first and second argument of pair provide the types of the third and
fourth argument. This means that the first and second argument can be derived
from the third and fourth argument. In Coq, we can write the underline symbol “_”
for arguments the proof assistant should derive from the context. For instance, we
may write pair _ _ 5 true for the term pair N B 5 true. More generally, we may write

pair _ _ s t

for the term pair u v s t if the types of the terms s and t can be determined as u
and v. We can now define the usual pair notation for applications of the constructor
pair:

(s, t) := pair _ _ s t

We remark that Coq will accept an input only if it can derive all terms specified with
the underline symbol.
Coq offers the possibility to declare arguments of functional constants as im-
plicit arguments. This has the effect, that the implicit arguments will always be
inserted as underlines. For instance, if we declare the type arguments of

swap : ∀X Y . X × Y → Y × X

as implicit arguments, we can write

swap (swap (x, y)) = (x, y)

for the otherwise bloated equation

swap _ _ (swap _ _ (x, y)) = (x, y)

17
1 Getting Started

We will routinely use implicit arguments for polymorphic constructors and func-
tions.
With implicit arguments, argument inference, and the notation for pairs we can
write the definition of swap as follows:

swap : ∀X Y . X × Y → Y × X
swap (x, y) := (y, x)

Note that it takes considerable effort to recover the usual mathematical nota-
tion for pairs in the typed setting of computational type theory. There were four
successive steps:
1. Polymorphic function types for functions taking types as arguments.
2. Argument inference requested with the underline symbol.
3. Notation for pairs and pair types.
4. Implicit arguments for polymorphic functions.
Finally, we define two functions providing the first and the second projection
for pairs:

π1 : ∀X Y . X × Y → X π2 : ∀X Y . X × Y → Y
π1 (x, y) := x π2 (x, y) := y

Note that X and Y are accommodated as implicit arguments of π1 and π2 . We can

now state the η-law for pairs

(π1 a, π2 a) = a

To prove the η-law, one discriminates on the variable a, which replaces it with a
general pair (x, y). This leaves us with the claim

(π1 (x, y), π2 (x, y)) = (x, y)

which follows by computational equality. We will refer to discriminations where

there is only a single constructor as destructurings.

Exercise 1.9.1 Write the definitions of the projections and the η-law and in full
detail not using the notations (x, y) and X × Y , underlines, or implicit arguments.
Give the types of all variables.

Exercise 1.9.2 Let a be a variable of type X ×Y . Write proof tables for the equations
swap (swap a) = a and (π1 a, π2 a) = a.

18
 1.10 Iteration

1.10 Iteration

If we look at the equations (all following by computational equality)

3 + x = S(S(Sx))
3 · x = x + (x + (x + 0))
x 3 = x · (x · (x · 1))

we see a common scheme we call iteration. In general, iteration takes the form f n x
where a step function f is applied n-times to an initial value x. With the notation
f n x the equations from above generalize as follows:

n + x = Sn x
n · x = (+x)n 0
x n = (· x)n 1

The partial applications (+x) and (· x) supply only the first argument to the func-
tions for addition and multiplication. They yield functions N → N, as suggested by
the cascaded function type N → N → N of addition and multiplication.
We formalize the notation f n x with a polymorphic function:

iter : ∀X. (X → X) → N → X → X
iter X f 0 x := x
iter X f (Sn) x := f (iter X f n x)

We will treat X as implicit argument of iter. The equations

3 + x = iter S 3 x
3 · x = iter (+x) 3 0
x 3 = iter (· x) 3 1

now hold by computational equality. More generally, we can prove the following
equations by induction on n:

n + x = iter S n x
n · x = iter (+x) n 0
x n = iter (· x) n 1

Figure 1.4 gives a proof table for the equation for multiplication.

Exercise 1.10.1 Check that iter S 2 = λx. S(Sx) holds by computational equality.

19
1 Getting Started

n · x = iter (+x) n 0 induction n

1 0 · x = iter (+x) 0 0 comp. eq.
2 IH : n · x = iter (+x) n 0 Sn · x = iter (+x) (Sn) 0 simpl.
x + n · x = x + iter (+x) n 0 rewrite IH
x + iter (+x) n 0 = x + iter (+x) n 0 comp. eq.

Figure 1.4: Correctness of multiplication with iter

Exercise 1.10.2 Prove n + x = iter S n x and x n = iter (· x) n 1 by induction.

Exercise 1.10.3 Check that the plain function

add : N → N → N
add x y := iter S x y

satisfies the defining equations for inductive addition

add 0 y = y
add (Sx) y = S(add x y)

by computational equality.

Exercise 1.10.4 (Shift) Prove iter f (Sn) x = iter f n (f x).

Exercise 1.10.5 (Tail recursive iteration) Define a tail recursive version of iter and
verify that it agrees with iter.

Exercise 1.10.6 (Even) The term !n true tests whether a number n is even (’!’ is
boolean negation). Prove iter ! (n · 2) b = b and iter ! (S(n · 2)) b = ! b.

Exercise 1.10.7 (Factorials with iteration) Factorials n! can be computed by itera-

tion on pairs (k, k!). Find a function f such that (n, n!) = f n (0, 1). Define a factorial
function with the equations 0! = 1 and (Sn)! = Sn · n! and prove (n, n!) = f n (0, 1)
by induction on n.

Exercise 1.10.8 (Fibonacci with iteration) Fibonacci numbers (§1.7) can be com-
puted by iteration on pairs. Find a function f such that F n := π1 (f n (0, 1)) satisfies
the specifying equations for the Fibonacci function:

F0 = 0
F1 = 1
F (S(Sn)) = F n + F (Sn)

Hint: If you formulate the step function with π1 and π2 , the third specifying equa-
tion should follow by computational equality, otherwise discrimination on a sub-
term obtained with iter may be needed.

20
 1.11 Ackermann Function

1.11 Ackermann Function

The following equations specify a function A : N → N → N known as Ackermann

function:

A0y = Sy
A(Sx)0 = Ax1
A(Sx)(Sy) = Ax(A(Sx)y)

The equations cannot serve as a defining equations since the recursion is not struc-
tural. The problem is with the nested recursive application A(Sx)y in the third
equation.
However, we can define a structurally recursive function satisfying the given
equations. The trick is to use a higher-order helper function: 2

A:N→N→N A′ : (N → N) → N → N
A0 := S A′ h0 := h1
A(Sx) := A′ (Ax) A′ h(Sy) := h(A′ hy)

Verifying that A satisfies the three specifying equations is straightforward. Here is

a verification of the third equation:

A(Sx)(Sy) Ax(A(Sx)y)
′
= A (Ax)(Sy) = Ax(A′ (Ax)y)
= Ax(A′ (Ax)y)

Note that the three specifying equations hold by computational equality (i.e., both
sides of the equations reduce to the same term). Thus verifying the equations with
a proof assistant is trivial.
We remark that the three equations specifying A are exhaustive and disjoint.
They are also terminating, which can be seen with a lexical argument: Either the
first argument is decreased, or the first argument stays unchanged and the second
argument is decreased.

Exercise 1.11.1 (Truncating subtraction without cascaded discrimination)

Define a truncating subtraction function that discriminates on the first argument
and delegates discrimination on the second argument to a helper function. Prove
that your function agrees with the standard subtraction function sub from §1.2.
Arrange your definitions such that your function satisfies the defining equations of
sub by computational equality.
2
A higher-order function is a function taking a function as argument.

21
1 Getting Started

Fib : (N → N) → N → N Ack : (N → N → N) → N → N → N
Fib f 0 := 0 Ack f 0 y := Sy
Fib f 1 := 1 Ack f (Sx) 0 := f x1
Fib f (SSn) := f n + f (Sn) Ack f (Sx)(Sy) := f x(f (Sx) y)

Figure 1.5: Unfolding functions for the Fibonacci and Ackermann functions

Exercise 1.11.2 (Ackermann with iteration)

There is an elegant iterative definition of the Ackermann function

An := B n S

using a higher-order helper function B defined with iteration. Define B and verify
that A satisfies the specifying equations for the Ackermann function by computa-
tional equality. Consult Wikipedia to learn more about the Ackermann function.

1.12 Unfolding Functions

Procedural specifications can be faithfully represented as non-recursive inductive

functions taking a continuation function as first argument. We speak of unfold-
ing functions. Figure 1.5 shows the unfolding functions for the procedural spec-
ifications of the Fibonacci and Ackermann functions we have discussed in § 1.7
and § 1.11.
An unfolding function is a higher-order function specifying a recursive function
without recursion. It does so by abstracting out the recursion by means of a contin-
uation function taken as argument.
Intuitively, it is clear that a function f satisfies the specifying equations for the
Fibonacci function if and only if it satisfies the unfolding equation

f n = Fib f n

for the unfolding function Fib. Formally, this follows from the fact that the specify-
ing equations for the Fibonacci function are computationally equal to the respective
instances of the unfolding equation:

f 0 = Fib f 0
f 1 = Fib f 1
f (SSn) = Fib f (SSn)

The same is true for the Ackermann function.

22
 1.13 Concluding Remarks

Exercise 1.12.1 Verify with the proof assistant that the realizations of the Fibonacci
function defined in §1.7 and Exercise 1.10.8 satisfy the unfolding equation for the
specifying unfolding function.

Exercise 1.12.2 Verify with the proof assistant that the realizations of the Acker-
mann function defined in §1.11 satisfies the unfolding equation for the specifying
unfolding function.

Exercise 1.12.3 Give unfolding functions for addition and truncating subtraction
and show that the unfolding equations are satisfied by the inductive functions we
defined for addition and subtraction.

Exercise 1.12.4 The unfolding function Fib is defined with a nested pattern SSn
in the third defining equation. Show how the nested pattern can be removed by
formulating the third equation with a helper function.

Exercise 1.12.5 (Iterative definition of a Fibonacci function) There is a different

definition of a Fibonacci function using the helper function

g: N→N→N→N
gab0 := a
gab(Sn) := gb(a + b)n

The underlying idea is to start with the first two Fibonacci numbers and then iterate
n-times to obtain the n-th Fibonacci number. For instance,

g015 = g114 = g123 = g232 = g351 = g580 = 5

a) Prove gab(SSn) = gabn + gab(Sn) by induction on n.

b) Prove that g01 satisfies the unfolding equation for Fib.
c) Compare the iterative computation of Fibonacci numbers considered here with
the computation using iter in Exercise 1.10.8.

1.13 Concluding Remarks

The equational language we have seen in this chapter is a sweet spot in the type-
theoretic landscape. With a minimum of luggage we can define interesting func-
tions, explore equational computation, and prove equational properties using struc-
tural induction. Higher-order functions and polymorphic functions are natural fea-
tures of this equational language. The power of the language comes from the fact
that functions and types can be passed as arguments and results of functions.

23
1 Getting Started

We have seen how booleans, numbers, and pairs can be accommodated as

inductive types using constructors, and how inductive functions discriminating on
inductives types can be defined using equations. Functional recursion is restricted
to structural recursion so that termination of computation is ensured.
We use the word function with two meanings. Usually, when we talk about a
function, we refer to its concrete definition in type theory. This way, we can distin-
guish between inductive and plain functions, or recursive and non-recursive func-
tions. Sometimes, however, we refer to a function as an abstract object that relates
inputs to outputs but hides how this is done. The abstract view makes it possible
to speak of a uniquely determined Fibonacci function or of a uniquely determined
Ackermann function.
Here is a list of important technical terms introduced in this chapter:
• Inductive type definitions, type and value constructors
• Inductive functions, plain functions
• Booleans, numbers, and pairs obtained with inductive types
• Defining equations, patterns, computation rules
• Disjoint, exhaustive, termining systems of equations
• Cascaded function types, partial applications
• Polymorphic function types, argument inference, implicit arguments
• Structural recursion, structural case analysis, discrimination
• Structural induction, (quantified) inductive hypotheses
• Proof digrams, proof goals, subgoals, proof actions (tactics)
• Simplification steps, rewriting steps , computational equality
• Truncated subtraction, Fibonacci function, Ackermann function
• Iteration
• Procedural specifications, specifying equations
• Unfolding functions, unfolding equations, continuation functions

24
2 Basic Computational Type Theory

This chapter presents the basic fragment of computational type theory (CTT) in
a nutshell. The basic fragment covers the type and function definitions we have
seen in Chapter 1. The next two chapters will extend the basic fragment such that
propositions and proofs are covered.
We start with the grammar and the typing rules for terms obtained with ap-
plications and dependent function types. The typing rules yield a type checking
algorithm assigning unique types to well-typed terms.
We continue with inductive type definitions and inductive function definitions.
The defining equations of inductive functions provide for rewriting of terms, a form
of computation we call reduction. The essential properties of reduction are type
preservation, termination, unique normal forms, and canonicity. The properties
will be maintained by all further extensions of CTT. The properties crucially de-
pend on the assumption that only well-typed terms are admitted, a discipline proof
assistants will enforce.
The basic fragment also comes with plain definitions, lambda abstractions, let
expressions, and matches. Matches and plain definitions can be expressed with
inductive function definitions, and let expressions can be expressed with lambda
abstractions.
The proof assistant Coq we are targeting deviates from the architecture of CTT
in that it obtains inductive functions with recursive abstractions and native matches
rather than with defining equations. Thus we also consider recursive abstractions.

2.1 Simply Typed Terms

We start with a small fragment of CTT featuring simple function types and applica-
tions. The terms of the simply typed fragment are given by the grammar

s, t, u, v ::= c | T | s → t | st

The letter c ranges over constants. The term T is called universe and serves as the
type of all types. A function type s → t applies to functions taking arguments of
type s and returning results of type t. An application st describes the application
of the function described by the term s to the argument described by the term t.

25
2 Basic Computational Type Theory

The typing rules for simply typed terms are as follows:

⊢s:T ⊢t:T ⊢s:u→v ⊢t:u

⊢T:T ⊢s→t:T ⊢st : v

The rule for T says that T has type T (an arrangement to be refined in § 5.3). The
rule for function types says that s → t has type T if the constituents s and t have
type T. The rule for applications st says that s can be applied to t if s has a function
type u → v and t has type u. In this case the application has type v.
A term s is well-typed and has type t if a typing ⊢ s : t can be derived with the
rules. Given unique types for the involved constants, well-typed terms have unique
types. For instance, we can derive the typings

⊢T→T : T
⊢ T → (T → T ) : T

An example for an ill-typed term (i.e., not well-typed term) is the application T T.
Given the typings of the constructors for numbers

⊢N:T
⊢0:N
⊢S:N→N

we can derive the typings

⊢N→N : T
⊢ N → (N → N) : T
⊢ S0 : N
⊢ S(S0) : N

using the typing rules.

Type theory comes with the principle that only well-typed terms are admitted.
Type checking is an algorithm that determines whether a term is well-typed. In
case a term is well-typed, the unique type of the term is determined. The proof
assistant always checks well-typedness of a given term and computes its unique
type. Terns that are not well-typed are rejected. Examples for ill-typed terms are
the applications S T and S S. We will not say much about type checking but rather
rely on the reader’s intuition and the implementation of type checking in the proof
assistant. In case of doubt you may always ask the proof assistant.

26
 2.2 Dependently Typed Terms

CTT treats types and functions like all other values. We say that types and
functions are first-class citizens in CTT.
Parentheses in right-nested function types may be omitted:

T→T→T Ž T → (T → T )
N→N→N Ž N → (N → N)
s→t→u Ž s → (t → u)

Correspondingly, parentheses may be omitted in left-nested applications:

stu Ž (s t) u

2.2 Dependently Typed Terms

A distinguishing feature of CTT are dependent function types ∀x : s. t, which may

also be written as ∀x s . t. A dependent function type ∀x : u. v applies to functions
taking arguments of type u and returning a result of type v x s for an argument s.
x
The notation v s stands for the term that is obtained from the term v by replacing
the variable x with the term s. We speak of substitution.
CTT sees simple function types s → t as dependent function types ∀x : s. t where
the target type t does not depend on the argument x. In other words, s → t is
notation for ∀x : s. t, provided the variable x does not occur in t. For instance,
N → N is notation for ∀x : N. N. You can check this fact with the proof assistant.
Dependently typed terms are given by the grammar

s, t, u, v ::= c | x | T | ∀x : s. t | st

where c ranges over constants and x ranges over variables. The typing rules for
dependently typed terms are as follows:

⊢s:T x:s ⊢ t : T ⊢ s : ∀x : u. v ⊢t:u

⊢T:T ⊢ ∀x : s. t : T ⊢ s t : vx
t

Using the typing rules for dependent types, we can derive the typing

⊢ T→T→T : T

which in turn validates the typing

⊢ Pair : T → T → T

of the type constructor for pairs. We can now derive the typing

⊢ ∀X : T.∀Y : T. X → Y → Pair X Y : T

27
2 Basic Computational Type Theory

which validates the typing of the value constructor for pairs:

⊢ pair : ∀X : T.∀Y : T. X → Y → Pair X Y

Given the typings of the constructors for numbers and pairs, we can derive the
following typings:

⊢ Pair N : T → T
⊢ pair N : ∀Y : T. N → Y → Pair N Y
⊢ pair N N : N → N → Pair N N
⊢ pair N N 0 (S0) : Pair N N

The names of the variables of dependent function types ∀x : s. t do not matter,

as is standard for bound variables in programming languages and mathematics.
For instance, the terms ∀X. X → X and ∀Y . Y → Y are considered equal.
Note that the typing rules admit any type ⊢ u : T as argument type of a depen-
dent function type ∀x : u.v. So far we have only seen examples where u is T but
dependent function types ∀x : u.v where u is not T will turn out to be important
(for instance, u may be the type of numbers N).

Exercise 2.2.1 Convince yourself that the terms

S, Pair N, Pair (Pair N (N → N)), Pair N T, pair (N → N) T S N

are well-typed given the typings for the constructors for numbers and pairs. In each
case determine the type of the term.

2.3 Inductive Type Definitions

Inductive type definitions introduce typed constants called constructors. We have

already seen inductive definitions for a type of numbers and a family of pair types:

N ::= 0 | S(N)
Pair(X : T, Y : T) ::= pair(X, Y )

Every inductive type definition introduces a system of typed constants consisting

of a type constructor and a list of value constructors:

N: T
0: N
S: N→N

Pair : T → T → T
pair : ∀X T .∀Y T . X → Y → Pair X Y

28
 2.4 Inductive Function Definitions

Note that the constructors S, Pair, and pair have types classifying them as functions.
From the types of 0 and S and the information that there are no other value con-
structors for N it is clear that the values of N are obtained as the terms 0, S0, S(S0),
S(S(S0)) and so forth. Analogously, given two types s and t, the values of the type
Pair st are described by terms pair stuv where u has type s and v has type t.
We say that the value constructor pair for pairs has two parametric and two
proper arguments. The parametric arguments are the leading arguments shared
with the type constructor Pair.
We take the opportunity to define two particular inductive types called unit and
void by listing their constructors:

1 : T
U : 1
0 : T

Note that 1 (unit) has exactly one value U, and that 0 (void) has no value at all.

2.4 Inductive Function Definitions

Inductive function definitions define functions by case analysis on one or more

inductive arguments called discriminating arguments. We will speak of inductive
functions. Figure 2.4 defines four inductive functions that will serve as examples.
An inductive function definition first declares the name (a constant) and the type
of the defined function. Then defining equations are given realizing a disjoint and
exhaustive case analysis. Note that add, swap, and Fib have one discriminating
argument, while sub has two discriminating arguments. There is only one defining
equation for swap since there is only one value constructor for pairs.
The left hand sides of defining equations are called patterns. The variables oc-
curring in a pattern are local to the equation and can be used in the right hand
side of the equation. We say that a pattern binds the variables occurring in it. An
important requirement for patterns is linearity, that is, none of the variables bound
by a pattern can occur more that once in the pattern. For this reason the parametric
arguments of the constructor pair in the pattern of the defining equation of swap
are omitted (the parametric arguments may also be indicated with the underline
symbol).
The defining equations for a function must be disjoint and exhaustive. In the
simplest case with only one discriminating argument and no nested discrimination
(e.g., add and swap in Figure 2.4), there will be exactly one defining equation for ev-
ery value constructor of the type of the discriminating argument. Fib is an example
for a nested discrimination.

29
2 Basic Computational Type Theory

add : N → N → N
add 0 y := y
add (Sx) y := S(add xy)

sub : N → N → N
sub 0 y := 0
sub (Sx) 0 := Sx
sub (Sx) (Sy) := sub xy

swap : ∀X T .∀Y T . PairXY → PairY X

swap XY (pair xy) := pairY Xyx

Fib : (N → N) → N → N
Fib f 0 := 0
Fib f (S0) := 1
Fib f (S(Sn)) := f n + f (Sn)

Figure 2.1: Inductive function definitions

The defining equations of an inductive function must all take the same number
n ≥ 1 of arguments. We speak of the arity of an inductive function. In Figure 2.4,
add, sub, and Fib have arity 2 and swap has arity 4.
Every defining equation must be well-typed. Using the type declared for the func-
tion, every variable bound by the pattern of a defining equation receives a unique
type. Give the types for the bound variables, type checking of a defining equation
works as usual.
If an inductive function recurses, the recursion must be on the first discriminat-
ing argument and the variables introduced by the pattern for this argument. In the
examples in Figure 2.4, only the variable x in the defining equations for add and
sub qualifies for recursion. We refer to this severely restricted form of recursion as
structural recursion.

2.5 Reduction

The defining equations of an inductive function serve as reduction rules that

rewrite applications of the defined function. For instance, the application
sub (Ss) (St) can be reduced to sub s t using the third defining equation of sub.

30
 2.5 Reduction

Things are arranged such that at most one defining equation applies to an applica-
tion (disjointness), and such that every application of an inductive function can be
reduced (exhaustiveness) provided all arguments required by the defining equations
are given such that the discriminating arguments start with value constructors. We
refer to the process of applying reductions rules as reduction. We see reduction as
computation and refer to reduction rules also as computation rules.
We consider reduction only for well-typed terms. Reduction has the important
property that it preserves well-typedness and the type of a term.
Things are arranged such that reduction always terminates. Without a restric-
tion on recursion, non-terminating inductive functions are possible. The structural
recursion requirement is a sufficient condition for termination that can be checked
algorithmically.
Since reduction always terminates, we can compute a normal form for every
term. There is no restriction on the application of reduction rules: Reduction rules
can be applied to any subterm of a term and in any order. Since the reduction
rules obtained from the defining equations do not overlap, terms nevertheless have
unique normal forms. We say that a term evaluates to its normal form and refer to
irreducible terms as normal terms.
Terms that are normal and closed (i.e., no unbound variables) are called canoni-
cal terms. Reduction preserves closedness of terms.
We now formulate the key properties of reduction:
• Termination Reduction always terminates.
• Unique normal forms Terms reduce to unique normal forms.
• Type preservation Reduction preserves types: If a term of type t is reduced,
the obtained term is again of type t.
• Canonicity Canonical terms of an inductive type start with a value constructor
of the type.
Canonicity gives an important integrity guarantee for inductive types saying that the
elements of an inductive type do not change when inductive functions returning
values of the type are added. Canonicity ensures that the canonical terms of an
inductive type are exactly the terms that can be obtained with the value constructors
of the type.
The definition format for inductive functions is carefully designed such that the
key properties are preserved when a definition is added. Exhaustiveness of the
defining equations is needed for canonicity, disjointness of the defining equations
is needed for uniqueness, and the structural recursion requirement ensures termi-
nation. Moreover, the type checking conditions for defining equations are needed
for type preservation.
Given an inductive type, we refer to the canonical terms of this type as the values

31
2 Basic Computational Type Theory

of t. This speak is justified by the canonicity property of reduction. The values of

the type N are exactly the terms 0, S0, SS0, . . . .

Exercise 2.5.1 Give all reduction chains that reduce the term

sub (S0) (add (S(S0)) 0)

to its normal form. Note that there are chains of different length. Here is an example

sub (S0) (Sy) ≻ sub 0 y ≻ 0

for a reduction chain to normal form using s ≻ t as notation for a reduction step.

2.6 Plain Definitions

A plain definition introduces a constant with a type, an arity n ≥ 0, and a single

defining equation not discriminating on an argument:

c:t
cx1 . . . xn := s

Chapter 1 contains several examples for plain definitions. Plain definitions can
be expressed as inductive function definitions discriminating on an extra argument
of type 1:

c:1→t
c U x1 . . . xn := s

Expressing plain definitions as inductive function definitions has the benefit that
type checking of plain definitions is explained as type checking of inductive func-
tions. Moreover, reduction of plain function applications is explained with reduc-
tion of inductive function applications. Most importantly, expressing plain defini-
tions as inductive function definitions has the advantage that the properties of the
type theory remain unchanged.

Exercise 2.6.1 Argue why plain definitions cannot be recursive.

Exercise 2.6.2 Recall the definition of iter (§ 1.10). Explain the difference between
the following plain definitions:

A := iter S
Bxy := iter S x y

Note that the terms Axy and Bxy both reduce to the normal term iter S x y. More-
over, note that the terms A and Ax are reducible, while the terms B and Bx are not
reducible.

32
 2.7 Lambda Abstractions

Exercise 2.6.3 Type checking is crucial for termination of reduction. Consider the
ill-typed plain function definition cx := xx and the ill-typed term cc, which reduces
to itself: cc ≻ cc. Convince yourself that there cannot be a type for c such that the
self application cc type checks.

2.7 Lambda Abstractions

A key ingredient of computational type theory are terms of the form

λx : t. s

called lambda abstractions. Lambda abstractions describe functions with a single

argument. They come with an argument variable x, an argument type t, and a
body s. A lambda abstraction does not give a name to the function it describes.

The typing rule for lambda abstractions is

⊢u:T x:u ⊢ s : v
⊢ λx : u. s : ∀x u . v

A nice example is the typing

⊢ λX T .λx X .x : ∀X T . X → X

of a polymorphic identity function.

The reduction rule for lambda abstractions

(λx t .s) u ≻β s x
u

is called β-reduction and replaces an application (λx t .s) u with the term s x u ob-
tained from the term s by replacing every free occurence of the argument variable x
with the term u. Applications of the form (λx t .s) u are called β-redexes. Here is an
example featuring two consecutive β-reductions of an application of the polymor-
phic identity function:

(λX T .λx X .x) N 7 ≻β (λx N .x) 7 ≻β 7

As with dependent function types, the particular name of an argument variable

of a lambda abstractions does not matter. For instance, λX T .λx X .x and λY T .λy Y .y
are understood as equal terms. One speaks of alpha renaming of bound variables
in the textual representation of terms.
A complex operation the β-reduction rules builds on is substitution s x t . Substi-
tution must be performed such that local binders do not capture free variables (a

33
2 Basic Computational Type Theory

free variable is an unbound variable). To make this possible, substitution must be

allowed to rename local variables. For instance, (λx.λy.f xy)y must not reduce to
λy.f yy but to a term λz.f yz where the new bound variable z avoids capture of
the free variable y. We speak of capture-free substitution. We remark that capture-
free substitution s x
t is also used with the dependent typing rule for applications and
with reduction steps rewriting with defining equations of inductive functions.
For notational convenience, we usually omit the type of the argument variable of
a lambda abstraction (assuming that it is determined by the context). We also omit
parentheses and lambdas relying on two basic notational rules:

λ[Link] Ž λx.(st)
λxy.s Ž λx.λy.s

To specify the type of an argument variable, we use either the notation x t or the
notation x : t, depending on what we think is more readable.
Adding lambda abstractions and β-reduction to a computational type theory pre-
serves all key properties: unique types, unique normal forms, termination, type
preservation, and canonicity.

Exercise 2.7.1 Type checking is crucial for termination of β-reduction. Convince

yourself that β-reduction of the ill-typed term (λ[Link])(λ[Link]) does not terminate,
and that no typing of the argument variable x makes the term well-typed.

2.8 Let Expressions

We will also use let expressions

let x : t = s in u

providing for local definitions. The reduction rule for let expressions is

let x : t = s in u ≻ ux
s

The typing rule for let expressions is

⊢t:T ⊢s:t x:t ⊢ u : v x not in v

⊢ let x : t = s in u : v

It turns out that in the system we are considering let expressions can be expressed
with β-redexes:

let x : t = s in u Ž (λx : t.u) s

34
 2.9 Matches

This syntactic transformation explains the typing rule and the reduction rule for let
expressions.
There will be a feature of full computational type theory (the conversion rule
in § 4.1) that distinguishes let expressions from β-redexes in that let expressions
introduce local reduction rules.

2.9 Matches

Matches are a defined notation for applicative expressions providing structural case
analysis for inductive types. A match has a clause for every constructor of the
underlying inductive type.
Matches for numbers take the form

match s [ 0 ⇒ u | Sx ⇒ v ]

and reduce with the derived reduction rules

match 0 [ 0 ⇒ u | Sx ⇒ v ] ≻ u
match S s [ 0 ⇒ u | Sx ⇒ v ] ≻ (λx.v) s

Matches for booleans take the form

match s [ true ⇒ u | false ⇒ v ]

and reduce with the derived reduction rules

match true [ true ⇒ u | false ⇒ v ] ≻ u

match false [ true ⇒ u | false ⇒ v ] ≻ v

Matches for pairs take the form

match s [ (x, y) ⇒ u ]

and reduce with the derived reduction rule

match (s, t) [ (x, y) ⇒ u ] ≻ (λxy.u) s t

Matches are accommodated as applications of match functions:

match s [ 0 ⇒ u | Sx ⇒ v ] Ž MN _ s u (λx.v)
match s [ true ⇒ u | false ⇒ v ] Ž MB _ s u v)
match s [ (x, y) ⇒ u ] Ž M× _ _ _ s (λxy.u)

35
2 Basic Computational Type Theory

Match functions are inductive functions defined as one would expect form the de-
rived reduction rules:

MN : ∀Z T . N → Z → (N → Z) → Z MB : ∀Z T . B → Z → Z → Z
MN Z 0 e1 e2 := e1 MB Z true e1 e2 := e1
MN Z (Sx) e1 e2 := e2 x MB Z false e1 e2 := e2

M× : ∀XY Z T . X × Y → (X → Y → Z) → Z
M× XY Z (x, y) e := exy

Note that the definition of the match notation as an application of a match func-
tion provides both for type checking and reduction. Informally, we may summarize
the typing of matches as follows: A term match s [· · · ] has type u if s is has an
inductive type v, the match has a clause for every constructor of v, and every clause
of the match yields a result of type u.
We may write boolean matches with the familiar if-then-else notation:

if s then t1 else t2 Ž match s [ true ⇒ t1 | false ⇒ t2 ]

More generally, we may use the if-then-else notation for all inductive types with ex-
actly two value constructors, exploiting the order of the constructors. For numbers
we have

if s then t1 else t2 Ž match s [ 0 ⇒ t1 | S _ ⇒ t2 ]

Recall that x − y = 0 iff x ≤ y. Thus if s1 − s2 then t1 else t2 is a conditional

testing s1 ≤ s2 . We may use the notation

if s1 ≤ s2 then t1 else t2 Ž match (s1 − s2 ) [ 0 ⇒ t1 | S _ ⇒ t2 ]

Another notational device we take from Coq writes matches with exactly one
clause as let expressions. For instance:

let (x, y) = s in t Ž match s [ (x, y) ⇒ t ]

2.10 Terms and Values

We see terms as syntactic descriptions of informal semantic objects called values.

Examples for values are numbers, functions, and types. Reduction of a term pre-
serves the value of the term, and also the type of the term. Informally, we often
talk about values ignoring their syntactic representation as terms. In a proof as-
sistant, however, values will always be represented through syntactic descriptions.

36
 2.11 Function Definitions in Coq

The same is true for formalizations on paper, where we formalize syntactic descrip-
tions, not values. We may see values as objects of our mathematical imagination.
The values of a type are also referred to as elements, members, or inhabitants
of the type. We call a type inhabited if it has at least one inhabitant, and uninhab-
ited or empty or void if it has no inhabitant. Values of functional types are referred
to as functions, and values of T are referred to as types.
As syntactic objects, terms may not be well-typed. Ill-typed terms are semanti-
cally meaningless and must not be used for computation and reasoning. Ill-typed
terms are always rejected by a proof assistant. Working with a proof assistant is the
best way to develop a reliable intuition for what goes through as well-typed. When
we say term in this text, we always mean well-typed term.
Recall that a term is closed if it has no free variables, and canonical if it is closed
and irreducible. CTT is designed such that every canonical term is either a constant,
or a constant applied to canonical terms, or an abstraction (obtained with λ), or a
function type (obtained with ∀), or a universe (so far we have T). A constant is
either a constructor or the name of an inductive function.
CTT is designed such that every closed term reduces to a canonical term of the
same type. More generally, every term reduces to an irreducible term of the same
type.
Different canonical terms may describe the same value, in particular when it
comes to functions.
For simple inductive types such as N, the canonical terms of the type are in
one-to-one correspondence with the values of the type. In this case we may see
the canonical terms of the type as the values of the type. For function types the
situation is more involved since semantically we may want to consider two functions
as equal if they agree on all arguments.

2.11 Function Definitions in Coq

The proof assistant Coq realizes function definitions based on plain definitions of
the form

c : t := s

using lambda abstractions, native matches, and recursive abstractions. In fact, all
plain definitions in Coq have arity 0. Not having function definitions with arity
n ≥ 1 results in more fine-grained reduction and introduces intermediate normal
forms one doesn’t want to see from the application perspective. To mitigate the
problem, Coq refines the basic reduction rules with simplification rules simulating
the reductions one would have with inductive function definitions. Sometimes the

37
2 Basic Computational Type Theory

simulation is not perfect and the user is confronted with unpleasant intermediate
terms.
Coq comes with syntactic sugar facilitating the translation of inductive and plain
function definitions into Coq’s kernel language.
In this text we work with inductive function definitions and do not use recursive
abstractions at all. The accompanying demo files show how our high-level style can
be simulated with Coq’s primitives.
Having recursive abstractions and native matches is a design decision from Coq’s
early days (around 1990) when inductive types where added to a language designed
without having inductive types in mind (around 1985). Agda is a modern implemen-
tation of computational type theory that comes with inductive function definitions
and does not offer matches and recursive abstractions.
To express recursive inductive functions, Coq has recursive abstractions. Recur-
sive abstractions take the form

fix f s→t x s . u

and represent recursive functions as unfolding functions. There are two local vari-
ables f and x, where f acts as continuation function and x as argument. The type
of u must be t, and the type of the recursive abstraction itself is s → t.
We restrict our discussion to simply typed recursive abstractions. To gain full
expressivity, recursive abstractions in Coq are dependently typed.
Using an inductive function definition, a function D doubling its argument can
be defined as follows:

D: N→N
D 0 := 0
D (Sx) := S(S(Dx))

To express this definition in Coq, we use a plain definition with a recursive abstrac-
tion and a match:

D N→N := fix f N→N x N . match x [ 0 ⇒ 0 | Sx ⇒ S(S(f x)) ]

The reduction rule for recursive abstractions looks as follows:

(fix f x. s) t ≻ (λf .λx. s) (fix f x. s) t

Without limitations on recursive abstractions, one can easily write recursive abstrac-
tions whose reduction does not terminate. Coq imposes two limitations:
• An application of a recursive abstraction can only be reduced if the argument
term t starts with a constructor.

38
 2.11 Function Definitions in Coq

D(S0) ≻ (fix f x. match x [ 0 ⇒ 0 | Sx ′ ⇒ S(S(f x ′ )) ]) (S0) δ

= D̂ (S0)
≻ (λf x. match x [0 ⇒ 0 | Sx ′ ⇒ S(S(f x ′ ))]) D̂ (S0) fix
′ ′
≻ (λx. match x [0 ⇒ 0 | Sx ⇒ S(S(D̂x ))]) (S0) β
′ ′
≻ match (S0) [0 ⇒ 0 | Sx ⇒ S(S(D̂x ))] β
≻ (λx ′ . S(S(D̂x ′ ))) 0 match
≻ S(S(D̂0)) β
′ ′
≻ S(S((λx. match x [0 ⇒ 0 | Sx ⇒ S(S(D̂x ))]) 0)) fix, β
′ ′
≻ S(S(match 0 [0 ⇒ 0 | Sx ⇒ S(S(D̂x ))])) β
≻ S(S0) match

D̂ is the term the constant D reduces to

Figure 2.2: Reduction chain for D(S0) defined with a recursive abstraction

• A recursive abstraction is only admissible if its recursion goes through a match

and is structural.
Figure 2.2 shows a complete reduction chain for an application D(S0) where D
is defined with a recursive abstraction as shown above. The example shows the
tediousness coming with Coq’s fine-grained reduction style.

Exercise 2.11.1 (Boolean negation) Consider the inductive type definition

B : T ::= true | false

for booleans and the plain definition

! := λx B . match x [ true ⇒ false | false ⇒ true ]

of a boolean negation function. Give a complete reduction chain for !(! true).

Exercise 2.11.2 (Swap function for pairs)

a) Define a function swap swapping the components of a pair using a plain defini-
tion, lambda abstraction, and a match.
b) Give a complete reduction chain for swap N B (S0) true.

Exercise 2.11.3 Verify every single reduction step in Figure 2.2 and convince your-
self that there is no other reduction chain.

39
2 Basic Computational Type Theory

2.12 Summary

We have outlined a typed and terminating functional language where functions and
types are first-class values that may appear as arguments and results of functions.
Termination is ensured by restricting recursion to structural recursion on inductive
types. Termination buys two important properties: decidability of computational
equality and integrity of inductive types (canonicity).
A key feature of modern type theories are dependent function types generalizing
simple function types. One speaks of dependent type theories to acknowledge the
presence of dependent function types.
In the system presented so far type checking and reduction are separated: Type
checking does not involve reduction, and reduction does not involve type checking.
Soon we will boost the expressivity of the system by extending it such that type
checking operates modulo computational equality of types. Type checking modulo
computational equality is needed so that the proof rules for equational rewriting
and induction on numbers can be obtained within computational type theory.
The computational type theory we are considering in this text is based on depen-
dent function types and inductive function definitions. In addition there are lambda
abstractions and let expressions. The language of the proof assistant Coq we are
using differs in that it replaces native function definitions with native matches and
recursive abstractions
Last but not least we mention that every function expressible with a closed term
in computational type theory is algorithmically computable. This claim rests on
the fact that there is an algorithm that evaluates every closed term to a canonical
term. The evaluation algorithm performs reduction steps as long as reduction steps
are possible. The order in which reduction steps are chosen matters neither for
termination nor for the canonical term finally obtained.

2.13 Notes

Our presentation of computational type theory is informal. We took some motiva-

tion from the previous chapter but it may take time until you fully understand what
is said in the current chapter. Previous familiarity with functional programming
will help. The next few chapters will explore the expressivity of the system and
provide you with examples and case studies. For details concerning type checking
and reduction, the Coq proof assistant and the accompanying demo files will prove
helpful.
Formalizing the system presented in this chapter and proving the claimed prop-
erties is a substantial project we will not attack in this text. Instead we will explore
the expressivity of the system and study numerous formalizations based on the

40
 2.13 Notes

system.
A comprehensive discussion of the historical development of computational type
theories can be found in Constable’s survey paper [8]. We recommend the book
on homotopy type theory [30] for a complementary presentation of computational
type theory. The reader may also be interested in learning more about lambda
calculus [4, 17], a minimal computational system arranged around lambda abstrac-
tions and beta reduction.

41
3 Propositions as Types

A great idea coming with computational type theory is the propositions as types
principle. The principle says that propositions (i.e., logical statements) can be rep-
resented as types, and that the elements of the representing types can serve as
proofs of the propositions. This simple approach to logic works incredibly well
in practice and theory: It reduces proof checking to type checking, accommodates
proofs as first-call values, and provides a basic form of logical reasoning known as
intuitionistic reasoning.
The propositions as types principle is just perfect for implications s → t and
universal quantifications ∀x s . t. Both kind of propositions are accommodated as
function types (note the notational coincidence) and thus receive proofs as follows:
• A proof of an implication s → t is a function mapping every proof of the
premise s to a proof of the conclusion t.
• A proof of an universal quantification ∀x s .t is a function mapping every element
of the type of s to a proof of the proposition t.
The types for conjunctions s∧t and disjunctions s∨t will be obtained with inductive
type constructors such that a proof of s ∧ t consists of a proof of s and a proof of t,
and a proof of s ∨ t consists of either a proof of s or a proof of t. The proposition
falsity having no proof will be expressed as an empty inductive type ⊥. With falsity
we will express negations ¬s as implications s → ⊥. The types for equations s = t
and existential quantifications ∃x s .t will be discussed in later chapters once we
have extended the type theory with the conversion rule.
In this chapter you will see many terms describing proofs with lambda abstrac-
tions and matches. The construction of proof terms is an incremental process that
can be carried out in interaction with a proof assistant. On paper we will facilitate
the construction of proof terms with proof tables.

43
3 Propositions as Types

3.1 Implication and Universal Quantification

We extend our type theory with a second universe of propositional types:

⊢u:P ⊢u:T x:u ⊢ v : P

⊢P:T ⊢u:T ⊢ ∀x : u. v : P

The second rule establishes P as a subuniverse P ⊆ T of T. The third rule popu-

lates P with all function types ∀x u .v whose target type v is a propositional type.
Given the typing rules for P, we can derive the typings

⊢ ∀X P . X → X : P
⊢ λX P .λx X . x : ∀X P . X → X

We can now write propositions with implications and universal quantifications

as propositional types. For instance, the propositional type ∀X P . X → X represents
a proposition saying that every proposition implies itself, and the term λX P x X .x
appears as proof of this proposition. From now on we reserve the word proposition
for propositional types.
We will soon see inductive propositional types. Two obvious examples are the
propositional variants of void and unit from § 2.3:

⊥ : P ::= []
⊤ : P ::= I

For propositions and proofs to be meaningful, there must be propositions that

do not have a proof. In our setup this means that there must be empty propositional
types. Examples for empty propositional types are ⊥ and ∀X P . X.
Here are more examples for propositions and their proofs assuming that X, Y ,
and Z are propositional variables (i.e., variables of type P):

X→X λx.x
X→Y →X λxy.x
X→Y →Y λxy.y
(X → Y → Z) → Y → X → Z λf yx.f xy

We have omitted the types of the argument variables appearing in the lambda ab-
stractions on the right since they can be derived from the propositions appearing
on the left.
Our final examples express mobility laws for universal quantifiers:

∀X T P P p X→P . (∀x. P → px) → (P → ∀[Link]) λXP pf ax. f xa

T P X→P
∀X P p . (P → ∀[Link]) → (∀x. P → px) λXP pf xa. f ax

44
 3.2 Falsity and Negation

Functions that yield propositions once all arguments are supplied are called
predicates. In the above examples p is a unary predicate on the type X. In gen-
eral, a predicate has a type ending with P.

Exercise 3.1.1 (Exchange law)

Give a proof for the proposition ∀XY T ∀p X→Y →P . (∀[Link]) → (∀yx. pxy).

Exercise 3.1.2 Give proofs of the following propositions:

a) ∀XY P . (X → Y ) → ((X → Y ) → X) → Y
b) ∀XY P . (X → X → Y ) → ((X → Y ) → X) → Y

3.2 Falsity and Negation

A propositional constant ⊥ having no proof will be helpful since negations ¬s can

be expressed as implications s → ⊥. The official name for ⊥ is falsity. We obtain
falsity as the type constructor of an inductive type definition not declaring a value
constructor:

⊥ : P ::= []

Since ⊥ has no value constructor, the canonicity property of computational type

theory ensures that ⊥ has no element.1 We define an inductive function

E⊥ : ∀Z P . ⊥ → Z

discriminating on its second argument of type ⊥. Since ⊥ has no value constructor,

no defining equation for E⊥ is required. The function E⊥ realizes an important log-
ical principle known as explosion rule or ex falso quodlibet: Given a hypothetical
proof of falsity, we can get a proof of everything. More generally, given a hypo-
thetical proof of falsity, E⊥ gives us an element of every type. Following common
language we explain later, we call E⊥ the eliminator for ⊥.
We now define negation ¬s as notation for an implication s → ⊥:

¬s Ž s→⊥

With this definition we have a proof of ⊥ if we have a proof of s and ¬s. Thus, given
a proof of ¬s, we can be sure that there is no proof of s. We say that we can disprove
a proposition s if we can give a proof of ¬s. The situation that we have some
proposition s and hypothetical proofs of both s and ¬s is called a contradiction
1
Suppose there is a closed term of type ⊥. Because of termination and type preservation there is a
closed and normal term of type ⊥. By canonicity this term must be obtained with a constructor
for ⊥. Contradiction.

45
3 Propositions as Types

X → ¬X → ⊥ λxf . f x
X → ¬X → Y λxf . E⊥ Y (f x)
(X → Y ) → ¬Y → ¬X λf gx. g(f x)
X → ¬¬X λxf .f x
¬X → ¬¬¬X λf g. gf
¬¬¬X → ¬X λf x. f (λ[Link])
¬¬X → (X → ¬X) → ⊥ λf g. f (λ[Link])
(X → ¬X) → (¬X → X) → ⊥ λf g. let x = g(λx.f xx) in f xx

Variable X ranges over propositions.

Figure 3.1: Proofs of propositions involving negations

in mathematical language. A hypothetical proof is a proof based on unproven

assumptions (called hypotheses in this situation).
Figure 3.1 shows proofs of propositions involving negations. To understand the
proofs, it is essential to see a negation ¬s as an implication s → ⊥. Only the proof
involving the eliminator E⊥ makes use of the special properties of falsity. Note the
use of the let expression in the proof in the last line. It introduces a local name x
for the term g(λx.f xx) so that we don’t have to write it twice. Except for the proof
with let all proofs in Figure 3.1 are normal terms.
Coming from boolean logic, you may ask for a proof of ¬¬X → X. Such a proof
does not exist without assumptions in the type-theoretic system we are exploring.
However, such a proof exists if we assume the law of excluded middle familiar from
ordinary mathematical reasoning. We will discuss this issue later.
Occasionally, it will be useful to have a propositional constant ⊤ having exactly
one proof. The official name for ⊤ is truth. The natural idea for obtaining truth is
using an inductive type definition declaring a single value constructor:

⊤ : P ::= I

We have now seen two inductive type definitions whose type constructors ⊥
and ⊤ are declared as propositional types. We will call the value constructors for
inductive propositions (e.g., ⊤) proof constructors.
We speak of consistency if a type theory can express empty types. Consistency
is needed for a type theory so that it can express negative propositions.

Exercise 3.2.1 Show that ∀X P . X has no proof. That is, disprove ∀X P . X. That is,
prove ¬∀X P . X.

46
 3.3 Conjunction and Disjunction

3.3 Conjunction and Disjunction

Most people are familiar with the boolean interpretation of conjunctions s ∧ t and
disjunctions s ∨ t. In the type-theoretic interpretation, a conjunction s ∧ t is a
proposition whose proofs consist of a proof of s and a proof of t, and a disjunction
s ∨ t is a proposition whose proofs consist of either a proof of s or a proof of t. We
make this design explicit with two inductive type definitions:

∧ (X : P, Y : P) : P ::= C(X, Y ) ∨ (X : P, Y : P) : P ::= L(X) | R(Y )

The definitions introduce the following constructors:

∧: P→P→P ∨: P→P→P
P P
C : ∀X Y . X → Y → X ∧ Y L : ∀X P Y P . X → X ∨ Y
R : ∀X P Y P . Y → X ∨ Y

With the type constructors ’∧’ and ’∨’ we can form conjunctions s ∧ t and disjunc-
tions s ∨ t from given propositions s and t. With the proof constructors C, L, and R
we can construct proofs of conjunctions and disjunctions:
• If u is a proof of s and v is a proof of t, then the term Cuv is a proof of the
conjunction s ∧ t.
• If u is a proof of s, then the term Lu is a proof of the disjunction s ∨ t.
• If v is a proof of t, then the term Rv is a proof of the disjunction s ∨ t.
Note that we treat the propositional arguments of the proof constructors as implicit
arguments, something we have seen before with the value constructor for pairs.
Since the explicit arguments of the proof constructors for disjunctions determine
only one of the two implicit arguments, the other implicit argument must be derived
from the surrounding context. This works well in practice.
The type constructors ’∧’ and ’∨’ have the type P → P → P, which qualifies
them as predicates. We will call type constructors inductive predicates if their type
qualifies them as predicates. We may say that disjunctions are accommodated with
an inductive predicate coming with two proof constructors.
Proofs involving conjunctions and disjunctions will often make use of matches.
Recall that matches are notation for applications of match functions obtained with
inductive function definitions. For conjunctions and disjunctions, we will use the
definitions appearing in Figure 3.2.
We note that E⊥ (§ 3.2) is the match function for the inductive type ⊥. We define
the notation

match s [] Ž E⊥ _ s

47
3 Propositions as Types

M∧ : ∀XY Z P . X ∧ Y → (X → Y → Z) → Z
M∧ XY Z (C xy) e := exy

M∨ : ∀XY Z P . X ∨ Y → (X → Z) → (Y → Z) → Z
M∨ XY Z (L x) e1 e2 := e1 x
M∨ XY Z (R y) e1 e2 := e2 y

match s [ C xy ⇒ t ] Ž M∧ _ _ _ s (λxy.t)
match s [ L x ⇒ t1 | R y ⇒ t2 ] Ž M∨ _ _ _ s (λx.t1 ) (λy.t2 )

Figure 3.2: Match functions for conjunctions and disjunctions

X →Y →X ∧Y CXY
X →X ∨Y LXY
Y →X ∨Y RXY
X ∧Y →X λa. match a [ Cxy ⇒ x ]
X ∧Y →Y λa. match a [ Cxy ⇒ y ]
X ∧Y →Y ∧X λa. match a [ Cxy ⇒ Cyx ]
X ∨Y →Y ∨X λa. match a [ Lx ⇒ RY X x | Ry ⇒ LY X y ]

The variables X, Y , Z range over propositions.

Figure 3.3: Proofs for propositions involving conjunctions and disjunctions

Figure 3.3 shows proofs of propositions involving conjunctions and disjunctions.

The propositions formulate familiar logical laws. Note that we supply the implicit
arguments of the proof constructors C, L, and R as subscripts when we think it is
helpful.
Figure 3.4 shows proofs involving matches with nested patterns. Matches with
nested patterns are a notational convenience for nested plain matches. For in-
stance, the match

match a [ C(Cxy)z ⇒ Cx(Cyz) ]

with the nested pattern C(Cxy)z translates into the plain match

match a [ Cbz ⇒ match b [ Cxy ⇒ Cx(Cyz) ] ]

nesting a second plain match.

48
 3.4 Propositional Equivalence

(X ∧ Y ) ∧ Z → X ∧ (Y ∧ Z)
λa. match a [ C(Cxy)z ⇒ Cx(Cyz) ]

(X ∨ Y ) ∨ Z → X ∨ (Y ∨ Z)
λa. match a [ L(Lx) ⇒ Lx | L(Ry) ⇒ R(Ly) | R z ⇒ R(R z) ]

X ∧ (Y ∨ Z) → (X ∧ Y ) ∨ (X ∧ Z)
λa. match a [ Cx(Ly) ⇒ L(Cxy) | Cx(Rz) ⇒ R(Cxz) ]

Figure 3.4: Proofs with nested patterns

Exercise 3.3.1 Elaborate the proofs in Figure 3.4 such that they use nested plain
matches. Moreover, annote the implicite arguments of the constructors C, L and R
provided the application does not appear as part of a pattern.

3.4 Propositional Equivalence

We define propositional equivalence s ←→ t as notation for the conjunction of two

implications:

s ←→ t Ž (s → t) ∧ (t → s)

Thus a propositional equivalence is a conjunction of two implications, and a proof

of an equivalence is a pair of two proof-transforming functions. Given a proof of
an equivalence s ←→ t, we can translate every proof of s into a proof of t, and every
proof of t into a proof of s. Thus we know that s is provable if and only if t is
provable.

Exercise 3.4.1 Give proofs for the equivalences shown in Figure 3.5. The equiva-
lences formulate well-known properties of conjunction and disjunction.

49
3 Propositions as Types

X ∧ Y ←→ Y ∧ X commutativity
X ∨ Y ←→ Y ∨ X
X ∧ (Y ∧ Z) ←→ (X ∧ Y ) ∧ Z associativity
X ∨ (Y ∨ Z) ←→ (X ∨ Y ) ∨ Z
X ∧ (Y ∨ Z) ←→ X ∧ Y ∨ X ∧ Z distributivity
X ∨ (Y ∧ Z) ←→ (X ∨ Y ) ∧ (X ∨ Z)
X ∧ (X ∨ Y ) ←→ X absorption
X ∨ (X ∧ Y ) ←→ X

Figure 3.5: Equivalence laws for conjunctions and disjunctions

Exercise 3.4.2 Give proofs for the following propositions:

a) ¬¬⊥ ←→ ⊥
b) ¬¬⊤ ←→ ⊤
c) ¬¬¬X ←→ ¬X
d) ¬(X ∨ Y ) ←→ ¬X ∧ ¬Y
e) (X → ¬¬Y ) ←→ (¬Y → ¬X)
f) ¬(X ←→ ¬X)
Equivalence (d) is known as de Morgan law for disjunctions. We don’t ask for a
proof of the de Morgan law for conjunctions ¬(X ∧ Y ) ←→ ¬X ∨ ¬Y since it requires
the law of excluded middle (§ 3.8). We call proposition (f) Russell’s law. Russell’s
law will be used in a couple of prominent proofs.

Exercise 3.4.3 Propositional equivalences yield an equivalence relation on proposi-

tions that is compatible with conjunction, disjunction, and implication. This high-
level speak can be validated by giving proofs for the following propositions:

X ←→ X reflexivity
(X ←→ Y ) → (Y ←→ X) symmetry
(X ←→ Y ) → (Y ←→ Z) → (X ←→ Z) transitivity
′ ′ ′ ′
(X ←→ X ) → (Y ←→ Y ) → (X ∧ Y ←→ X ∧ Y ) compatibility with ∧
(X ←→ X ′ ) → (Y ←→ Y )′ → (X ∨ Y ←→ X ′ ∨ Y ′ ) compatibility with ∨
′ ′ ′ ′
(X ←→ X ) → (Y ←→ Y ) → ((X → Y ) ←→ (X → Y )) compatibility with →

50
 3.5 Notational Issues

3.5 Notational Issues

Following Coq, we use the precedence order

¬ ∧ ∨ ←→ →

for the logical connectives. Thus we may omit parentheses as in the following ex-
ample:

¬¬X ∧ Y ∨ Z ←→ Z → Y Ž (((¬(¬X) ∧ Y ) ∨ Z) ←→ Z) → Y

The connectives ¬, ∧, and ∨ are right-associative. That is, parentheses may be

omitted as follows:

¬¬X Ž ¬(¬X)
X ∧Y ∧Z Ž X ∧ (Y ∧ Z)
X ∨Y ∨Z Ž X ∨ (Y ∨ Z)

3.6 Impredicative Characterizations

Quantification over propositions has amazing expressivity. Given two propositional

variables X and Y , we can prove the equivalences

⊥ ←→ ∀Z P . Z
X ∧ Y ←→ ∀Z P . (X → Y → Z) → Z
X ∨ Y ←→ ∀Z P . (X → Z) → (Y → Z) → Z

which say that ⊥, X ∧Y , and X ∨Y can be characterized with just function types. The
equivalences are known as impredicative characterizations of falsity, conjunction,
and disjunction. Figure 3.6 gives proof terms for the equivalences. One speaks of
an impredicative proposition if the proposition contains a quantification over all
propositions.
Note that the impredicative characterizations are related to the types of the
match functions for ⊥, X ∧ Y , and X ∨ Y .

Exercise 3.6.1 Find an impredicative characterization for ⊤.

Exercise 3.6.2 (Exclusive disjunction)

Consider exclusive disjunction X ⊕ Y ←→ (X ∧ ¬Y ) ∨ (¬X ∧ Y ).
a) Define exclusive disjunction with an inductive type definition. Use two proof
constructors and prove the specifying equivalence.
b) Find and verify an impredicative characterization of exclusive disjunction.

51
3 Propositions as Types

⊥ ←→ ∀Z P . Z
C (E⊥ (∀Z P . Z)) (λf . f ⊥)

X ∧ Y ←→ ∀Z P . (X → Y → Z) → Z
C (λaZf . match a [ Cxy ⇒ f xy ]) (λf . f (X ∧ Y )CXY )

X ∨ Y ←→ ∀Z P . (X → Z) → (Y → Z) → Z
C (λaZf g. match a [ Lx ⇒ f x | Ry ⇒ gy ]) (λf . f (X ∨ Y ) LXY RXY )

The subscripts give the implicit arguments of C, L, and R.

Figure 3.6: Impredicative characterizations with proof terms

3.7 Proof Term Construction using Proof Tables

The natural direction for proof term construction is top down, in particular as it
comes to lambda abstractions and matches. When we construct a proof term top
down, we need an information structure keeping track of the types we still have
to construct proof terms for and recording the typed variables introduced by sur-
rounding lambda abstractions and patterns of matches. It turns out that the proof
tables we have introduced in Chapter 1 provide a convenient information structure
for constructing proof terms.
Here is a proof table showing the construction of a proof term for a proposition
we call Russell’s law:

¬(X ←→ ¬X) intro

f : X → ¬X
g : ¬X → X ⊥ assert X
1 X apply g
¬X intro
x:X ⊥ exact f xx
2 x:X ⊥ exact f xx

The table is written top-down beginning with the initial claim. It records the con-
struction of the proof term

λaX←→¬X . match a [ Cf g ⇒ let x = g(λx.f xx) in f xx ]

for the proposition ¬(X ←→ ¬X).

Recall that proof tables are have-want tables that record on the left what we have
and on the right what we want. When we start, the proof table is partial and just

52
 3.7 Proof Term Construction using Proof Tables

consists of the first line. As the proof term construction proceeds, we add further
lines and further proof goals until we arrive at a complete proof table.
The rightmost column of a proof table records the actions developing the table
and the corresponding proof term.
• The action intro introduces λ-abstractions and matches.
• The action assert creates subgoals for an intermediate claim and the current
claim with the intermediate claim assumed. An assert action is realised with a
let expression in the proof term.
• The action apply applies a function and creates subgoals for the arguments.
• The action exact proves the claim with a complete proof term. We will not write
the word “exact” in future proof tables since that an exact action is performed
will be clear from the context.
With Coq we can construct proof terms interactively following the structure of
proof tables. We start with the initial claim and have Coq perform the proof actions
with commands called tactics. Coq then maintains the proof goals and displays the
assumptions and claims. Once all proof goals are closed, a proof term for the initial
claim has been constructed.
Technically, a proof goal consists of a list of assumptions called context and a
claim. The claim is a type, and the assumptions are typed variables. There may
be more than one proof goal open at a point in time and one may navigate freely
between open goals.
Interactive proof term construction with Coq is fun since writing, bookkeeping,
and verification are done by Coq. Here is a further example of a proof table:

¬¬X → (X → ¬X) → ⊥ intro

f : ¬¬x
g : X → ¬X ⊥ apply f
¬x intro
x:X ⊥ gxx

The proof term constructed is λf g.f (λ[Link]). As announced before, we write the
proof action “exact gxx” without the word “exact”.
Figure 3.7 shows a proof table for a double negation law for universal quantifi-
cation. Since universal quantifications are function types like implications, no new
proof actions are needed.
Figure 3.8 shows a proof table using a destructuring action contributing a match
in the proof term. The reason we did not see a destructuring action before is that
so far the necessary matches could be inserted by the intro action.
Figure 3.9 gives a proof table for a distributivity law involving 6 subgoals. Note
the symmetry in the proof digram and the proof term constructed.

53
3 Propositions as Types

∀X T ∀p X→P . ¬¬(∀x. px) → ∀x. ¬¬px intro

X : T, p : X → P
f : ¬¬(∀x. px)
x : X, g : ¬px ⊥ apply f
¬(∀x. px) intro
f ′ : ∀x. px ⊥ g(f ′ x)

Proof term constructed: λXpf xg.f (λf ′ .g(f ′ x))

Figure 3.7: Proof table for a double negation law for universal quantification

∀X T ∀p X→P ∀qX→P .
(∀x. px ←→ qx) → (∀x. qx) → ∀x. px intro
X : T, p : X → P, q : X → P
f : ∀x. px ←→ qx
g : ∀x. qx
x:X px destruct f x
h : qx → px h(gx)

Proof term constructed: λXpqf gx. match f x [ C_h ⇒ h(gx) ]

Figure 3.8: Proof table using a destructuring action

X ∧ (Y ∨ Z) ←→ (X ∧ Y ) ∨ (X ∧ Z) apply C
1 X ∧ (Y ∨ Z) → (X ∧ Y ) ∨ (X ∧ Z) intro
x:X
1.1 y :Y (X ∧ Y ) ∨ (X ∧ Z) L(Cxy)
1.2 z:Z (X ∧ Y ) ∨ (X ∧ Z) R(Cxz)
2 (X ∧ Y ) ∨ (X ∧ Z) → X ∧ (Y ∨ Z) intro
2.1 x : X, y : Y X ∧ (Y ∨ Z) Cx(Ly)
2.2 x : X, z : Z X ∧ (Y ∨ Z) Cx(Rz)

Proof term constructed:

C (λa. match a [ Cx(Ly) ⇒ L(Cxy) | Cx(Rz) ⇒ R(Cxz)])

(λa. match a [ L(Cxy) ⇒ Cx(Ly) | R(Cxz) ⇒ Cx(Rz) ])

Figure 3.9: Proof table for a distributivity law

54
 3.7 Proof Term Construction using Proof Tables

¬¬(X → Y ) ←→ (¬¬X → ¬¬Y ) apply C, intro

1 f : ¬¬(X → Y )
g : ¬¬X
h : ¬Y ⊥ apply f , intro
f′ : X → Y ⊥ apply g, intro
x:X ⊥ h(f ′ x)
2 f : ¬¬X → ¬¬Y
g : ¬(X → Y ) ⊥ apply g, intro
x:X Y exfalso
⊥ apply f
2.1 ¬¬X intro
h : ¬X ⊥ hx
2.2 ¬Y intro
y :Y ⊥ g(λx.y)

Proof term constructed:

C (λf gh. f (λf ′ . g(λx. h(f ′ x))))

(λf g. g(λx. E⊥ Y (f (λh. hx) (λy. g(λx.y)))))

Figure 3.10: Proof table for a double negation law for implication

Figure 3.10 gives a proof table for a double negation law for implication. Note
the use of the exfalso action applying the explosion rule as realized by E⊥ .

Exercise 3.7.1 Give proof tables and proof terms for the following propositions:
a) ¬¬(X ∨ ¬X)
b) ¬¬(¬¬X → X)
c) ¬¬(((X → Y ) → X) → X)
d) ¬¬((¬Y → ¬X) → X → Y )
e) ¬¬(X ∨ ¬X)
f) ¬(X ∨ Y ) ←→ ¬X ∧ ¬Y
g) ¬¬¬X ←→ ¬X
h) ¬¬(X ∧ Y ) ←→ ¬¬X ∧ ¬¬Y
i) ¬¬(X → Y ) ←→ (¬¬X → ¬¬Y )
j) ¬¬(X → Y ) ←→ ¬(X ∧ ¬Y )

Exercise 3.7.2 Give a proof table and a proof term for the distribution law
∀X T ∀p X→P ∀qX→P . (∀x. px ∧ qx) ←→ (∀x. px) ∧ (∀x. qx).

55
3 Propositions as Types

Exercise 3.7.3 Find out why one direction of the equivalence

∀X T ∀Z P . (∀x X. Z) ←→ Z cannot be proved.

Exercise 3.7.4 Prove ∀X T ∀p X→P ∀Z P . (∀[Link]) → Z → ∀x. px ∧ Z.

3.8 Law of Excluded Middle

The propositions as types approach presented here yields a rich form of logical rea-
soning known as intuitionistic reasoning. Intuitionistic reasoning refines reasoning
in mathematics in that it does not build in the law of excluded middle. This way in-
tuitionistic reasoning makes finer differences than the so-called classical reasoning
used in mathematics. Since type-theoretic logic can quantify over propositions, the
law of excluded middle can be expressed as the proposition ∀P P . P ∨ ¬P . Once we
assume excluded middle, we can prove all the propositions we can prove in boolean
logic.

Exercise 3.8.1 Let XM be the proposition ∀P P . P ∨ ¬P formalizing the law of ex-

cluded middle. Construct proof terms for the following propositions:
a) XM → ∀P P . ¬¬P → P double negation law
b) XM → ∀P QP . ¬(P ∧ Q) → ¬P ∨ ¬Q de Morgan law
c) XM → ∀P QP . (¬Q → ¬P ) → P → Q contraposition law
d) XM → ∀P QP . ((P → Q) → P ) → P Peirce’s law
It turns out that the reverse directions of the above implications can also be shown
intuitionistically, except in one case. Exercise 17.5.5 will tell you more.

3.9 Discussion

In this chapter we have seen that computational type theory can elegantly express
propositions and their proofs. Implications are expressed as function types s → t,
and functions of type s → t are taken as proofs of the implication s → t. More gen-
erally, universal quantifications ∀x u . t are expressed as dependent function types
∀x u . t. One speaks of the propositions as types approach. In contrast to conven-
tional mathematical reasoning, the propositions as types approach accommodates
propositions and proofs as first-class values that can be passed around with func-
tions.
We have expressed falsity ⊥, conjunction s ∧ t, and disjunction s ∨ t as inductive
propositions. We have seen that these propositions can be characterized without
inductive types just using function types. Negation ¬s is obtained as implication
s → ⊥.

56
 3.9 Discussion

The logical reasoning coming with the propositions as types approach is known
as intuitionistic reasoning. Intuitionistic reasoning is more basic than conventional
mathematical reasoning in that it does not provide the law of excluded middle. Con-
ventional mathematical reasoning is then recovered by having the law of excluded
middle as an explicit assumption when needed. The law of excluded middle may be
expressed with the proposition ∀X P . X ∨ ¬X quantifying over propositions. Having
a dedicated universe P : T for propositional types is essential so that assumptions
such as excluded middle can be limited to propositional types and do not concern
computational types such as B and N.
In later chapters, we will see that the propositions as types approach extends to
equations and existential quantifications.
The propositions as types approach uses the typing rules of the underlying type
theory as proofs rules. This reduces proof checking to type checking and much
simplifies the implementation of proof assistants.
In the propositions as types approach, formal proofs are obtained as terms built
with constants, variables, function application, and lambda abstraction. Constants
appear as proof constructors for s ∧ t, and s ∨ t and with the inductive match
functions for ⊥, s ∧ t, and s ∨ t. The construction of (proof) terms is best done in
a type-driven top-down fashion recorded with a proof table. The main operation is
function application, where the function applied yields the required propositional
type and subgoals are issued for the arguments of the function. The resulting proof
language is amazingly elegant and easily yields familiar proof patterns: making
assumptions (lambda abstraction), destructuring of assumptions (application of a
match function), applying implicational assumptions (function application).
For the beginner, this chapter is the place where you will get fluent with lambda
abstractions, matches (i.e. applications of match functions), and dependent func-
tion types. We offer dozens of examples for exploration on paper and in interaction
with a proof assistant. For proving on paper, we use proof tables recording incre-
mental top-down constructions of proof terms. When we construct proof terms in
interaction with a proof assistant, we issue proof actions that incrementally build
the proof term and display the information recorded in the proof table.
In the system presented so far, proofs are verified with the typing rules and
no use is made of the reduction rules. This will change in the next chapter where
we extend the typing discipline with a conversion rule identifying computationally
equal types.
The details of the typing rules matter. What prevents a proof of falsity are the
typing rules and the rules restricting the form of inductive definitions. In this text,
we explain the details of the typing rules mostly informally, exploiting that compli-
ance with the typing rules is verified automatically by the proof assistant. To be sure
that something is well-typed or has a certain type, it is always a good idea to have it

57
3 Propositions as Types

checked by the proof assistant. We expect that you deepen your understanding of
the typing rules using the proof assistant.
We have already pointed out that we have a separate universe P of propositional
types so that assumptions like the law of excluded middle do not affect computa-
tional types. If we were not interested in computational types, we could work with
a single universe T and consider all types as propositions.

58
4 Conversion and Leibniz Equality

This chapter introduces a typing rule called conversion. The conversion rule
strengthens basic computational type theory so that propositional equality, exis-
tential quantification, and induction lemmas can be defined. The conversion rule
relaxes the type discipline so that the typing rules apply modulo computational
equality of types.
We will define propositional equality s = t following a scheme known as Leibniz
equality. Three typed constants will suffice: One constant accommodating equa-
tions s = t as propositions, one constant providing proofs of trivial equations s = s,
and one constant providing for equational rewriting. As it turns out, the constants
provide for equational reasoning by means of their types, the actual definitions of
the constants are not needed.
The conversion rule of the type theory gives the constants for trivial equations
and for rewriting the proof power required. Due to the conversion rule, proposi-
tional equality will subsume computational equality, and a single rewriting constant
will capture all equational rewriting situations.
We extend the type theory with abstract constant definitions hiding the defini-
tion of constants except for the types of the constants. Abstract constants suffice
for propositional equality and many other purposes, including propositional con-
nectives and theorems.
While abstract constants don’t strengthen the type theory as it comes to what
can be defined and to what can be proven, they provide a means for enforcing
abstraction layers. A system of abstract constants constitutes an interface between
the uses and the definitions of the constants.
In this chapter we start proving theorems in type theory. Theorems will be rep-
resented as abstract constants in type theory. On paper, we will transition from
formal proofs (proof terms) to informal proofs similar to informal proofs in math-
ematical presentations. Our informal proofs will be formulated such that they can
be elaborated into formal proofs, and the scripts constructing the formal proofs in
the proof assistant will appear in the accompanying Coq files.
There is much elegance and surprise in this chapter. There are plenty of new
subjects, including typing modulo computational equality, propositional equality,
abstract constants, and the representation of theorems. Take your time to fully
understand the beautiful constructions.

59
4 Conversion and Leibniz Equality

4.1 Conversion Rule

Recall the typing rules from Chapter 2. The conversion rule is an additional typing
rule relaxing typing by making it operate modulo computational equality of types:

⊢ s : u′ u ≈ u′ ⊢u:T
⊢s:u

The rule says that a term s has type u if s has type u′ and u and u′ are compu-
tationally equal. We use the notation u ≈ u′ to say that two terms u and u′ are
computationally equal. For now two terms are computationally equal if they reduce
to the same term (up to renaming of bound variables). Later, we will strengthen
computational equality with a law for lambda abstractions called eta equivalence.
Note that the conversion rule has a premise ⊢ u : T, which ensures that the
term u describes a type. Importantly, the conversion rule also applies to proposi-
tional types (since there is a typing rule typing types in P also as types in T).
Adding the conversion rule to the basic typing rules preserves the key properties
of computational type theory (§ 2.5). As before, there is a type checking algorithm
deriving types for well-typed terms, where the type is now unique up to computa-
tional equality and minimality with respect to universes.
For a first example of the use of the conversion rule consider the proposition

∀p N→P . p(4) → p(2 + 2)

Without the conversion rule, the proposition has no proof. To see this, consider the
term

λp N→P . λap(4) . a

which has the propositional type ∀p N→P . p(4) → p(4), which is equal to the given
proposition up to computational equality. Using the conversion rule the term is a
proof of the proposition. There is also the possibility to use the conversion rule
early as shown in the proof table

∀p N→P . p(4) → p(2 + 2) intro

p:N→P
a : p(4) p(2+2) conversion p(2 + 2) ≈ p(4)
p(4) a

The proof table gives us exactly the proof term shown above. So we learn that a
term leaves open where type checking uses the conversion rule. On the other hand,
we can use proof tables to say where the conversion rule is used with type checking.

60
 4.2 Abstract Propositional Equality

Negation and propositional equivalence as plain functions

Exploiting the presence of the conversion rule, we can accommodate negation and
propositional equivalence as plain functions:
¬: P→P ←→ : P → P → P
¬X := X → ⊥ X ←→ Y := (X → Y ) ∧ (Y → X)
The plain definitions provide us with the constants ¬ and ←→ for functions con-
structing negations and propositional equivalences. Reduction replaces applica-
tions ¬s with propositions s → ⊥, and applications s ←→ t with propositions
(s → t) ∧ (t → s). The conversion rules ensures that proofs of s → ⊥ are proofs
of ¬s (and vice versa), and that proofs of (s → t) ∧ (t → s) are proofs of s ←→ t (and
vice versa).
A proof term for the proposition ¬X → X → ⊥ is λf ¬X . f The conversion facili-
tating the type checking is X → ⊥ ≈ ¬X, or alternatively, ¬X → X → ⊥ ≈ ¬X → ¬X.

Type ascription and polymorphic identity function

Type ascription is the ability to annotate a term with the type we want it to have.
Type ascriptions can be expressed with the polymorphic identity function:
id : ∀X T . X → X
id X x := x
If we write id t s, we force a conversion of the type of s to the type t. If the two
types are not computationally equal, id t s will not type check. Note that the terms
id t s and s are computationally equal.
Exercise 4.1.1 Prove ∀p N→P . p(2) → p(7 − 5) ∨ p(3) with a proof table and give
the constructed proof term.

Exercise 4.1.2 (Leibniz symmetry)

Prove ∀X T ∀xy X . (∀p X→P . px → py) → (∀p X→P . py → px) with a proof table
and give the constructed proof term. Hint: Instantiate the predicate p in the premise
with λ[Link] → px where p is the predicate from the conclusion.

4.2 Abstract Propositional Equality

With the conversion rule at our disposal, we can now show how the propositions
as types approach can accommodate propositional equality. It turns out that all we
need are three typed constants:
eq : ∀X T . X → X → P
Q : ∀X T ∀x X . eq X x x
R : ∀X T ∀xy X ∀p X→P . eq Xxy → px → py

61
4 Conversion and Leibniz Equality

We will keep the constants abstract. It turns out that we can do equational reasoning
without knowing the definitions of the constants. All we need are the types of the
constants.
The constant eq : ∀X T . X → X → P allows us to write equations as proposi-
tional types:

s=t Ž eq _ st
s≠t Ž ¬eq _ st

The constants Q and R provide the basic proof rules for equations. For applications
of Q and R the conversion rule of the type theory is essential.

Q provides computational equality

The constant Q : ∀X T ∀x X . eq X x x provides for proofs by computational equal-
ity. Obviously, Q can prove trivial equations s = s. Given the conversion rule, Q
can also proof every equation s = t where s and t are computationally equal. This
is the case since computational equality is compatible with the term structure. For
instance, s ≈ s ′ and t ≈ t ′ implies (s = t) ≈ (s ′ = t ′ ).
For instance, Q proves 2 + 3 = 9 − 4 using the conversion rule. This is the case
since 2 + 3 ≈ 5 and 9 − 4 ≈ 5 imply (2 + 3 = 9 − 4) ≈ (5 = 5). This justifies the
proof term Q N 5. Other possible proof terms for 2 + 3 = 9 − 4 are Q N (9 − 4) and
Q N (4 + 1).

R provides equational rewriting

The constant R : ∀X T ∀xy X ∀p X→P . eq Xxy → px → py provides for equational
rewriting. Given a proof of an equation s = t, we can replace a claim pt with
the claim ps using R. Moreover, we can get from an assumption ps an additional
assumption pt by asserting pt and proving pt with R and ps.
We refer to R as rewriting law, and to the argument p of R as rewriting pred-
icate. Moreover, we refer to the predicate eq as propositional equality or just
equality. We will treat X, x and y as implicit arguments of R, and X as implicit
argument of eq and Q.
The conversion rule is essential for working with the rewriting law. Suppose we
want to prove x = y → y = z → x = z. Then we assume e : x = y and prove
y = z → x = z. With the conversion rule we rewrite the claim to

(λy.y = z → x = z)y

Now rewriting with R and e : x = y reduces the claim to (λy.y = z → x = z)x,

which simplifies to the trivial implication x = z → x = z using the conversion rule.
This reasoning is best represented with a proof table:

62
 4.2 Abstract Propositional Equality

x=y →y =z→x=z intro

e:x=y y =z→x=z conversion
(λy.y = z → x = z)y apply R _ e
(λy.y = z → x = z)x conversion
x=z→x=z λe.e

The table constructs the proof term

λex=y . R (λy.y=z→x=z) e (λex=z .e)

While the uses of the conversion rule appear prominently in the proof table, they
don’t show up explicitly in the proof term. While the first conversion is forced
by the rewriting predicate in the application of R, the second conversion will only
appear if the context imposes the type x = y → y = z → x = z for the proof term.

Target type functions

The type of the rewrite law is our first use of a target type function:

R : ∀X T ∀xy X ∀p X→P . eq Xxy → px → py

Here the predicate p taken as argument determines the target type py of the rewrit-
ing constant R. Target type functions work because of the conversion rule and
lambda abstractions. We will see nonpropositional target type functions in Chap-
ter 5.
Exercise 4.2.1 Give a proof term for the equation ! true = false. Explain why the
term is also a proof term for the equation false = ! ! false.

Exercise 4.2.2 Give a proof term for the converse rewriting law
∀X T ∀xy∀p X→P . eq Xxy → py → px.

Exercise 4.2.3 Suppose we want to rewrite a subterm u in a proposition t using the

rewriting law R. Then we need a rewrite predicate λx.s such that t and (λx.s)u
are convertible and s is obtained from t by replacing the occurrence of u with the
variable x. Let t be the proposition x + y + x = y.
a) Give a predicate for rewriting the first occurrence of x in t.
b) Give a predicate for rewriting the second occurrence of y in t.
c) Give a predicate for rewriting all occurrences of y in t.
d) Give a predicate for rewriting the term x + y in t.
e) Explain why the term y + x cannot be rewritten in t.

Exercise 4.2.4 Give a term applying R to 7 arguments (including implicit argu-

ments). In fact, for every number n there is a term that applies R to exactly n
arguments.

63
4 Conversion and Leibniz Equality

⊤≠⊥ propositional disjointness

true ≠ false constructor disjointness for B
N
∀x . 0 ≠ Sx constructor disjointness for N
N N
∀x y . Sx = Sy → x = y injectivity of successor
T X X
∀X x y . x = y → y = x symmetry
∀X T x X y X zX . x = y → y = z → x = z transitivity

Figure 4.1: Basic equational facts

4.3 Basic Equational Facts

The constants Q and R give us straightforward proofs for many equational facts.
To say it once more, Q together with the conversion rule provides proofs by com-
putational equality, and R together with the conversion rule provides equational
rewriting. Figure 4.1 shows a collection of basic equational facts, and Figure 4.2
gives proof tables and the resulting proof terms for most of them. The remaining
proofs are left as exercise. It is important that you understand each of the proofs
in detail.
Note that the proof tables in Figure 4.2 all follow the same scheme: First comes
a step introducing assumptions, then a conversion step making the rewriting pred-
icate explicit, then the rewriting step as application of R, then a conversion step
simplifying the claim, and then the final step proving the simplified claim.
We now understand how the basic proof steps “rewriting” and “proof by compu-
tational equality” used in the tables in Chapter 1 are realized in the propositions as
types approach.
Interestingly, the proof of the transitivity law

∀X T x X y X zX . x = y → y = z → x = z

can be simplified so that the conversion rule is not used. The simplified proof term

λXxyze1 e2 . R (eq x) e2 e1

exploits the fact that the equation x = z is the application (eqx)z up to notation.

Constructor laws
If we look at the facts in Figure 4.2, we see that three of them

true ≠ false constructor disjointness for B

N
∀x . 0 ≠ Sx constructor disjointness for N
N N
∀x y . Sx = Sy → x = y injectivity of successor

64
 4.3 Basic Equational Facts

Fact: ⊤ ≠ ⊥
Proof term: λe. R (λX P .X) e I

⊤≠⊥ intro
e:⊤=⊥ ⊥ conversion
(λX P .X)⊥ apply R _ e
(λX P .X)⊤ conversion
⊤ I

Fact: true ≠ false

Proof term: λe. R (λx B . match x [ true⇒⊤|false⇒⊥ ]) e I

true ≠ false intro

e : true = false ⊥ conversion
B
(λx . match x [ true ⇒ ⊤ | false ⇒ ⊥ ]) false apply R _ e
(λx B . match x [ true ⇒ ⊤ | false ⇒ ⊥ ]) true conversion
⊤ I

Fact: ∀xy N . Sx = Sy → x = y
Proof term: λxye. R (λz. x=match z [ 0⇒0|Sz′ ⇒z′ ]) e (Qx)

x : N, y : N Sx = Sy → x = y intro
e : Sx = Sy x=y conversion
′ ′
(λz. x = match z [ 0 ⇒ 0 | Sz ⇒ z ]) (Sy) apply R _ e
(λz. x = match z [ 0 ⇒ 0 | Sz′ ⇒ z′ ]) (Sx) conversion
x=x Qx

Fact: ∀X T ∀xyzX . x = y → y = z → x = z
Proof term: λXxyze. R (λy. y=z→x=z) e (λe.e)

X : T, x : X, y : X, z : X, x=y →y =z→x=z intro

e:x=y y =z→x=z conversion
(λy. y = z → x = z) y apply R _ e
(λy. y = z → x = z) x conversion
x=z→x=z λe.e

Figure 4.2: Proof terms for some equational facts

65
4 Conversion and Leibniz Equality

concern inductive types while the others are not specifically concerned with induc-
tive types. We speak of constructor laws for inductive types. Note that the proofs
of the constructor laws all involve a match on the underlying inductive type, and
recall that matches are obtained as inductive functions. So to prove a constructor
law, one needs to discriminate on the underlying inductive type at some point. A
proof assistant will automatically provide constructor laws for every inductive type
definition it accepts.

Exercise 4.3.1 Study the two proof terms given for transitivity in detail using Coq.
Give the proof table for the simplified proof term. Convince yourself that there is
no proof term for symmetry that can be type-checked without the conversion rule.

Exercise 4.3.2 Give proof tables and proof terms for the following propositions:
a) ∀x N . 0 ≠ Sx
b) ∀X T x X y X . x = y → y = x
c) ∀X T Y T f X→y x y. x = y → f x = f y
d) ∀X T Y T f X→Y g X→Y x. f = g → f x = gx
e) (∀X P . X → X) ≠ (∀X P . X)

Exercise 4.3.3 (Constructor law for pairs)

Prove that the pair constructor is injective: pair x y = pair x ′ y ′ → x = x ′ ∧ y = y ′ .

Exercise 4.3.4 (Leibniz characterization of equality)

Verify the following characterization of equality:

x = y ←→ ∀p X→P . px → py

The equivalence is known as Leibniz characterization or as impredicative character-

ization of equality. Also verify the symmetric Leibniz characterization

x = y ←→ ∀p X→P . px ←→ py

which may be phrased as saying that two objects are equal if and only if they satisfy
the same properties.
Note that each of the two equivalences suggests a possible definition of the con-
stant eq. We will choose the first equivalence.

Exercise 4.3.5 (Disequality) From the Leibniz characterization of equality it fol-

lows that x ≠ y if there is a predicate that holds for x but does not hold for y.
Prove the proposition ∀X T ∀xy X ∀p X→P . px → ¬py → x ≠ y expressing this
insight.

66
 4.4 Definition of Leibniz Equality

4.4 Definition of Leibniz Equality

Here are plain function definitions defining the constants for abstract propositional
equality:

eq : ∀X T . X → X → P
eq Xxy := ∀p X→P . px → py

Q : ∀X T ∀x. eq X x x
Q Xx := λpa.a

R : ∀X T ∀xy∀p X→P . eq Xxy → px → py

R Xxypf := f p

The definitions are amazingly simple. Note that the conversion rule is needed to
make use of the defining equation of eq. The definition of eq follows the Leibniz
characterization of equality established in Exercise 4.3.4.
The above definition of propositional equality is known as Leibniz equality and
appears in Whitehead and Russell’s Principia Mathematica (1910-1913). Computa-
tional type theory also provides for the definition of a richer form of propositional
equality using an indexed inductive type family. We will see the definition of induc-
tive equality in § 15.1 and study it carefully in Chapter 29. Except for Chapter 29
the concrete definition of propositional equality does not matter since everything
we need can be obtained from the abstract equality constants eq, Q, R introduced
in § 4.2.

Arithmetic Comparisons as defined functions

Now that we have equality, we define arithmetic comparisons as plain functions:

≤: N→N→P
x ≤ y := (x − y = 0)

In addition, we will use three notational variants:

x ≥ y := y ≤ x x < y := Sx ≤ y x > y := y < x

4.5 Abstract Constants and Theorems

We now extend the definitional facilities of our type theory with abstract constant
definitions. An abstract constant definition is like a plain constant definition but
comes with the proviso that the defining equation is not available for reduction.

67
4 Conversion and Leibniz Equality

Thus when we use an abstract constant we cannot make use of its definition. We
may say that the definition of an abstract constant is hidden.
We may use abstract constants to represent the constants for equality, conjunc-
tion, disjunction, and falsity. For using these constructs the definitions of the con-
stants are not needed, all we need are the types of the constants.
In the examples considered so far always a group of constants is defined and the
formation constants can only be made abstract after the accompanying introduction
and elimination constants have been defined.
A mathematical development is a carefully arranged collection of definitions and
theorems that build on each other. Theorems are observations that have been ver-
ified. In type theory, we model theorems as abstract constants with propositional
types. The use of an abstract constant for a theorem models the fact that theorems
can be used without knowing their proofs. It suffices to know that there is a proof.
Sometimes theorems have involved proofs appearing in the literature the user has
never worked through.
Theorems come with several different names including facts, lemmas, and corol-
laries. The different names are a matter of presentation and do not have technical
significance. In type theory all we have are abstract constants with propositional
types. We often use the term lemma to refer to abstract constants with proposi-
tional types.

4.6 Theorems in this Text

All theorems stated as such in this text are theorems in type theory. They are given
informal proofs in the text and formal proofs in the accompanying Coq files, where
they appear as abstract constants with propositional types. The informal proofs we
give in the text are designed such that they can be elaborated into the formal proofs
appearing in the accompanying Coq files.
In this text, we mostly use the heading “Fact” to state theorems obtained in type
theory. Here is a first example.

Fact 4.6.1 (Applicative closure)

∀XY T ∀f X→Y ∀xx ′X . x = x ′ → f x = f x ′ .

Proof Rewriting. ■

Following the usual mathematical conventions we use a numbering scheme to

name facts in this text. In addition we may give a fact a more telling name, such as
“applicative closure” in the above example.
We will mostly give informal proofs for the theorems we state in this text. The
informal proofs will carry enough information so that they can be elaborated into

68
 4.7 Abstract Presentation of Propositional Connectives

formal proofs (i.e., proof terms) using a proof assistant. Typically, we will delegate
the elaboration to the accompanying Coq files. For the purpose of illustration, we
give a complete proof table for the proof of Fact 4.6.1:

∀XY T ∀f X→Y ∀xx ′X . x = x ′ → f x = f x ′ intro

X, Y : T
f : X→Y
x, x ′ : X
e : x = x′ f x = f x′ conversion
(λx ′ .f x = f x ′ ) x ′ apply R _ e
(λx ′ .f x = f x ′ ) x conversion
fx = fx Q (f x)

To demonstrate the use of Fact 4.6.1, we will prove the constructor laws for
numbers using inductive functions for predecessors and not-zero tests:

pred : N → N notzero : N → P
pred 0 := 0 notzero 0 := ⊥
pred (Sx) := x notzero (S_) := ⊤

Fact 4.6.2 (Injectivity of successor function) Sx = Sy → x = y.

Proof We assume Sx = Sy and prove x = y. By conversion it suffices to prove

pred (Sx) = pred (Sy), which follows by rewriting with the assumption. ■

Fact 4.6.3 (Disjointness of successor and zero) Sx ≠ 0.

Proof We assume Sx = 0 and prove ⊥.

By conversion it suffices to prove notzero 0. Follows by rewriting with the assump-
tion. ■

Exercise 4.6.4 Give proof terms for Facts 4.6.1, 4.6.2, and 4.6.3.

Exercise 4.6.5 Prove ∀XY T ∀f g X→Y ∀x X . f = g → f x = gx. We shall often

tacitly use this applicative closure law.

4.7 Abstract Presentation of Propositional Connectives

Similar to propositional equality, the propositional connectives falsity, conjunction,

and disjunction can be accommodated with systems of abstract constants as shown
in Figure 4.3. This phenomenon demonstrates a general abstractness property of
logical reasoning. Among the constants in Figure 4.3, we distinguish between con-
structors and eliminators. The inductive definitions of falsity, conjunction, and

69
4 Conversion and Leibniz Equality

⊥ : P
E⊥ : ∀Z P . ⊥ → Z

∧ : P→P→P
C : ∀X P Y P . X → Y → X ∧ Y
E∧ : ∀X P Y P Z P . X ∧ Y → (X → Y → Z) → Z

∨ : P→P→P
L : ∀X P Y P . X → X ∨ Y
R : ∀X P Y P . Y → X ∨ Y
E∨ : ∀X P Y P Z P . X ∨ Y → (X → Z) → (Y → Z) → Z

Figure 4.3: Abstract constants for falsity, conjunctions, and disjunctions

disjunction in Chapter 3 provide the constructors directly as constructors. The

eliminators may then be obtained as inductive functions. We have seen the elimina-
tors before as match functions (Figure 3.2). If we look at the abstract constants for
equality,

eq : ∀X T . X → X → P
Q : ∀X T ∀x X . eq X x x
E= : ∀X T ∀xy X ∀p X→P . eq Xxy → px → py

we can identify eq and Q as constructors and E= as eliminator. We now use E= for

the equational constant R to avoid a conflict with the constant R for disjunction.
There is great beauty to the abstract presentation of the propositional connec-
tives and equality with typed constants. Each constant serves a particular purpose:
• The formation constants (⊥, ∧, ∨, =) provide the abstract syntax for the respec-
tive connectives.
• The introduction constants (C, L, R, Q) provide the basic proof rules for the
connectives.
• The elimination constants (E⊥ , E∧ , E∨ , E= ) provide proof rules that for the proof
of an arbitrary proposition make use of the proof of the respective connective.
We emphasize that the definitions of the constants do not matter for the use of the
constants as proof rules. In other words, the definitions of the constants do not
contribute to the essence of the propositional connectives.
There is another important fact about the abstract presentation of the logical
connectives: In each case the impredicative characterization can be established us-

70
 4.8 Computational Equality and Eta Equivalence

ing the abstract constants, and in each case the impredicative characterization can
be read of the type of the elimination constants. Thus any definition of a forma-
tion constant satisfying the impredicative characterization will be equivalent to the
abstract formation constant. Moreover, in each case, the impredicative characteri-
zation of the formation constant suggests a definition of the abstract constants.
One more observation. If we have the type of the formation constant, the type
of the elimination constant follows from the types of the introduction constants
by thinking of the given constants an as inductive definition. Conversely, given
the types of the formation and elimination constants, the types of the introduction
constants follow from the type of the elimination constant by reconstructing the
connecting inductive definition.
We will see in § 6.1 that existential quantification can also be captured with a sys-
tem of abstract constants following the formation-introduction-elimination scheme,
and that the constants can be defined either inductively or impredicatively.

Exercise 4.7.1 (Impredicative characterizations) Assume the abstract constants

for falsity, conjunction, and disjunction and in each case establish the impredicative
characterization of the formation constant.

Exercise 4.7.2 (Impredicative definitions) Define the abstract constants for falsity,
conjunction, and disjunction using the impredicative characterization of the forma-
tion constant. Do not use the inductive definitions.

Exercise 4.7.3 Prove commutativity of conjunction and disjunction using the ab-
stract constants for conjunction and disjunction.

4.8 Computational Equality and Eta Equivalence

Computational equality is an algorithmically decidable equivalence relation on well-

typed terms. Two terms are computationally equal if and only if their normal forms
are identical up to α-equivalence and η-equivalence. The notions of α-equivalence
and η-equivalence will be defined in the following.
Two terms are α-equivalent if they are equal up to renaming of bound vari-
ables. We have introduced several constructs involving bound variables, including
dependent function types ∀x t .s, patterns of defining equations, lambda abstrac-
tions λx t .s, and let expressions. Alpha equivalence abstracts away from the par-
ticular names of bound variables but preserves the reference structure described
by bound variables. For instance, λX T .λx X .x and λY T .λy Y .y are α-equivalent ab-
stractions having the α-equivalent types ∀X T . X → X and ∀Y T . Y → Y . For all tech-
nical purposes α-equivalent terms are considered equal, so we can write the type of
λX T .λx X .x as either ∀X T . X → X or ∀Y T . Y → Y .

71
4 Conversion and Leibniz Equality

Alpha equivalence is ubiquitous in mathematical language. For instance, the

terms { x ∈ N | x 2 > 100 · x } and { n ∈ N | n2 > 100 · n } are α-equivalent and thus
describe the same set.
The notion of η-equivalence is obtained with the η-equivalence law

(λ[Link]) ≈η s if x does not occur free in s

which equates a well-typed lambda abstraction λ[Link] with the term s, provided x
does not occur free in t. Eta equivalence realizes the commitment to not distinguish
between the function described by a term s and the lambda abstraction λ[Link]. A
concrete example is the η-equivalence between the constructor S and the lambda
abstraction λnN .Sn.
Computational equality is compatible with the term structure. That is, if we
replace a subterm of a term s with a term that has the same type and is computa-
tionally equal, we obtain a term that is computationally equal to s.
We say that two terms are convertible if they are computationally equal, and
call conversion the process of replacing a term with a convertible term. A simpli-
fication is a conversion where the final term is obtained from the initial term by
reduction. Examples for conversions that are not simplifications are applications of
the η-equivalence law, or expansions, which are reductions in reverse order (e.g.,
proceeding from x to 0+x). Figure 4.2 contains several proof tables with expansion
steps.

Exercise 4.8.1 (Currying) Assume types X, Y , Z and define functions

C : (X × Y → Z) → (X → Y → Z)
U : (X → Y → Z) → (X × Y → Z)

such that the equations C(U f ) = f and U(Cg)(x, y) = g(x, y) hold by computa-
tional equality. Find out where η-equivalence is used.

Exercise 4.8.2 Verify that the following equations hold by computational equality
using the definitions of +, −, and iter from Chapter 1.
a) (+)1 = S
b) (+)2 = λx. S(Sx)
c) (+)(3 − 2) = S
d) (λx. 1 + x) = S
e) (λx. 3 + x − 2) = S
f) iter S 2 = λx. S(Sx)
Note that all right hand sides are canonical terms. Thus it suffices to compute the
normal forms of the left hand sides and then check whether the two normal forms
are equal up to α- and η-equivalence.

72
 4.9 Notes

4.9 Notes

Computational equality is also known as definitional equality in type theory.

There are plenty of new ideas in this chapter playing a major role from now on:
• Type checking modulo computational equality of types
• Target type functions
• Abstract constants
• Representation of equality with abstract constants
• Representation of theorems with abstract constants
• Representation of propositional connectives with abstract constants
• Informal proofs rather than formal proofs in the text
• Elaboration of informal proofs in the text into formal proofs in the Coq files

Exercise 4.9.1 Figure 4.4 summarizes the equational laws we have discussed in this
chapter. Make sure you can give for each law the complete quantifier prefix and a
proof term using the abstract constants eq, Q, and R.

73
4 Conversion and Leibniz Equality

Equivalence

x=x
x=y →y =x
x=y →y =z→x=z

Rewriting

x = y → px → py
x = y → py → px

Applicative closure

x = y → fx = fy
f = g → f x = gx

Impredicative characterization

x = y ←→ ∀p. px → py

Disequality

px → ¬py → x ≠ y

Constructor laws

true ≠ false
0 ≠ Sx
Sx = Sy → x = y
(x, y) = (x ′ , y ′ ) → x = x ′ ∧ y = y ′

Figure 4.4: Summary of equational laws

74
5 Inductive Eliminators

For the inductive types we have seen we have defined match functions. Match func-
tions are general inductive functions applying continuations given as arguments.
The type of a match function may be formulated with a target type function, some-
thing we have seen before with the rewriting law. Target type functions raise the
proof power of match functions substantially, as we will see with booleans, num-
bers, and pairs.
Following comon language, we call general inductive functions like match func-
tions (inductive) eliminators. For every inductive type there is a canonical elimina-
tor, which, in some sense, is most general. If the inductive type is recursive (like
the type of numbers), the canonical eliminator will also take care of the recursion.
Speaking from the perspective of proving, the types of eliminators describe proof
rules for structural case analysis and structural induction. With the canonical elimi-
nators for booleans, numbers, and pairs we can finally formalize all informal proofs
we have seen in Chapter 1.
We will study the eliminators for booleans, numbers, and pairs using examples.
This will include a formal proof of the disequation N ≠ B. We will also look at the
eliminators for void and unit.
It is time to spell out two important restrictions of the typing discipline. The
restrictions are needed so that we obtain a consistent type theory that cannot
prove falsity. The restrictions concern propositional discrimination and the self-
containment T : T.
With this chapter we arrive at a computational type theory that can formalize a
large variety of theorems, including all theorems in Chapter 1. The only extension
of computational type theory still to come concerns generalized inductive types
(Chapter 15).

5.1 Generalized Subtyping

The subtyping rule from § 3.1

⊢s:P
⊢s:T

75
5 Inductive Eliminators

makes it possible to see propositional types as types of the full universe T. We now
generalize the subtyping rule such that predicates can be seen as type functions:

⊢ s : ∀x1 : t1 . · · · ∀xn : tn . P
n≥0
⊢ s : ∀x1 : t1 . · · · ∀xn : tn . T

To have an example for the use of the subtyping rule, suppose we have a function

E : ∀p B→T . p true → p false → ∀b. pb

Then both λp B→P . E p and λp B→T . E p are well-typed terms. A function E with the
given type will appear as the boolean eliminator in § 5.4, and the generalized sub-
typing rule frees us from defining E separately for predicates and type functions.

5.2 Propositional Discrimination Restriction

There is a prominent restriction on inductive functions discriminating on argu-

ments with inductive propositional types. The restriction says that in such a case
the target type of the function must be propositional. We speak of the propo-
sitional discrimination restriction (PDR). PDR is needed so that excluded middle
∀X P . X ∨ ¬X can be assumed consistently. Without the propositional discrimina-
tion restriction, we would have a proof of (∀X P . X ∨ ¬X) → ⊥ (see Chapter 31).
There are two exceptions to the propositional discrimination restriction. The
first exception says that discrimination on inductive propositions with no proof
constructor is admissible. Thus the definition of an inductive function

E⊥ : ∀Z T . ⊥ → Z

generalizing the function E⊥ : ∀Z P . ⊥ → Z from § 3.2 is admissible. We speak of

computational falsity elimination when we apply E⊥ to a nonpropositional target
type. It will turn out that computational falsity elimination is essential for the
definition of many functions. Examples will appear in § 11.1, § 11.2, and § 19.1.
The second exception to the propositional discrimination restriction concerns
inductive propositions with a single proof constructor where all nonparametric ar-
guments of the proof constructor have propositional types. This exception applies
to the inductive proposition

⊤ : P ::= I

and provides for the definition of the inductive function

E⊤ : ∀p ⊤→T . p I → ∀a. pa
E⊤ pa I := a

76
 5.2 Propositional Discrimination Restriction

We will refer to E⊥ and E⊤ as the eliminators for the inductive propositions ⊥ and ⊤.
The eliminator E⊥ makes it possible to obtain a value for every type in a proposi-
tionally contradictory situation. The eliminator E⊤ makes it possible to prove that I
is the only value of ⊤.
The inductive types 0 (void) and 1 (unit) defined in § 2.3 correspond to the induc-
tive propositions ⊥ (falsity) and ⊤ (truth). The propositional variants ⊥ and ⊤ are
more flexible than 0 and 1 since they can also be used as propositions. As a matter
of style, we will prefer 1 over ⊤ in computational situations.
We call inductive predicates that are exempted from the discrimination restric-
tion computational predicates. It will take some time until we see computational
predicates that matter. You may check § 14.1 (linear search) and Chapter 30 (well-
founded recursion). The inductive predicate ∧P→P→P providing conjunction also
comes out as computational, but there are no worthwhile applications of this fea-
ture.
We call a discrimination on a value of a propositional inductive type a proposi-
tional transfer discrimination if the traget type of the discrimination is not propo-
sitional.1 A propositional transfer discrimination is only admissible if its proposi-
tional inductive type is computational. The defining equations of the eliminators E⊥
and E1 are examples for transfer discriminations.
A helpful intuition for the propositional discrimination restriction is that it en-
sures that no information is leaked from the propositional level to the computa-
tional level. For instance, given a proof of a disjunction, it cannot be leaked to the
computational level which side of the disjunction is served by the proof.

Exercise 5.2.1 We can obtain an empty inductive proposition using a recursive

proof constructor:

F : P ::= C(F)

The propositional discrimination restriction does not apply to F since the argument
of the single proof constructor C has a propositional type.
a) Define an inductive function E : ∀Z T . F → Z.
b) Prove F ←→ ⊥.

Exercise 5.2.2 Prove ∀x ⊤ . x = I in two ways:

1. By defining an inductive function of this type.
2. Using the eliminator E⊤ .

1
In Coq slang transfer discriminations are called large eliminations.

77
5 Inductive Eliminators

5.3 Universe Levels

The typing rules involving the universe T need to be refined with universe levels
in order that a consistent type theory is obtained. The problem is with the self-
containment T : T, which permits vicious cycles if not restricted.2 To fix the problem,
every occurrence of the universe T is assigned a positive integer called a universe
level during type checking. The typing rules containing more than one occurrence
of T are augmented so that they exclude cycles Ti : Ti .

⊢ u : Ti x : u ⊢ v : Ti
⊢ Ti : Ti+1 ⊢ ∀x : u. v : Ti

So we have Ti : Ti+1 but not Ti : Ti .

Higher universe levels can be forced with function types taking types as argu-
ments. For instance, consider the function type

u := ∀X : Ti . t

where t : Tj but t is not propositional. Then u can only be typed with some Tk
where k > i and k ≥ j. The situation completely changes if t is propositional.
Then u can be typed with P no matter how large the level i is.
One may think of graded universes Ti as an infinite cumulative hierarchy of
universes:

P ⊆ T1 ⊆ T2 ⊆ T3 ⊆ · · ·
P : T1 : T2 : T3 : · · ·

The lowest universe P is distinguished from the higher universes in that it is closed
under function types taking types as arguments. Speaking propositionally, propo-
sitions are closed under all quantifications, including big quantifications over uni-
verses. This feature of P is known as impredicativity. The impredicative character-
izations we have seen for falsity, conjunction, disjunction, and equality exploit the
impredicativity of P.
In practice, there is no need to worry about universe levels since the proof as-
sistant will verify that they can be assigned consistently. It requires agressive con-
structions to force a universe level inconsistency. In Chapter 31 we will present a
construction where universe levels become crucial and ignoring them would lead to
a proof of falsity.
Finally, there is a generalized subtyping rule for graded universes:

⊢ s : ∀x1 : t1 . · · · ∀xn : tn . Ti
n≥0
⊢ s : ∀x1 : t1 . · · · ∀xn : tn . Ti+1
2
A related problem appears in set theory, where the set of all sets must be excluded.

78
 5.4 Boolean Eliminator

Exercise 5.3.1 Consider the following terms describing functions:

λaT1 . 0 : T1 → N : T2
λaT1 →N . 0 : (T1 → N) → N : T3
λa(T1 →N)→N . 0 : ((T1 → N) → N) → N : T4

a) Check the consistency of the given universe level assignments.

b) Explain why the application (λaT1 . 0)(T) has no consistent universe level assign-
ment and hence cannot be typed.
c) Explain why the application (λaT . 0)(P) has a consistent universe level assign-
ment and hence can be typed.
d) Give the least types of the terms λaT1 .⊤ and λaT1 →N .⊤.

5.4 Boolean Eliminator

Recall the definition of the inductive type of booleans from §1.1 :

B : T ::= true | false

An inductive function f discriminating on a boolean argument has two defining

equations:

f true := s1
f true := s2

We generalize the format by taking the terms s1 and s2 as arguments:

f e1 e2 true := e1
f e1 e2 true := e2

A possible type for this format is

f : ∀Z T . Z → Z → B → Z

A more general type for this format uses a target type function:3

f : ∀p B→T . p true → p false → ∀[Link]

It turns out that the general format with the target type function is necessary when
we use f to do a boolean case analysis. We fix the definition

EB : ∀p B→T . p true → p false → ∀[Link]

EB p e1 e2 true := e1 : p true
EB p e1 e2 false := e2 : p false
3
Recall that target type functions appeared first with the rewriting law for propositional equality.

79
5 Inductive Eliminators

and call the function EB the boolean eliminator. We refer to the arguments e1 and e2
of EB as continuations.
The type of EB says that we obtain a proof of ∀x B . px if we provide proofs
of p true and p false. This provides us with a general means to do boolean case
analysis. To do a boolean case analysis with EB , the defining equations of EB are not
needed.
Consider the defining equations of EB . They are well-typed since the patterns
EB pab true and EB pab false on the left instantiate the target type to p true and
p false, which are the types of the variables e1 and e2 .
∀p B→T . p true→p false→∀[Link]
Note that the eliminator EB generalizes the match func-
T
tion MB ∀Z . B→Z→Z→Z from § 2.9. The generalization comes with the target type
function p of EB , which provides more flexibility than the target type Z of MB .
Recall that in type theory a boolean conditional is an abbreviation for an appli-
cation of an inductive function discriminating on B. From now on we shall use the
boolean eliminator for this purpose:

if s1 then s2 else s3 Ž EB t s2 s3 s1

Note that the term t describing the target type function must be derived from the
context of the boolean conditional.

Exercise 5.4.1 Define boolean negation and boolean conjunction with the boolean
eliminator.

5.5 Example: Boolean Case Analysis

Informally, the proposition

∀x B . x = true ∨ x = false

can be proved with a boolean case analysis reducing it to the subgoals

false = true ∨ false = false and false = true ∨ false = false. Formally, we obtain
a proof term for the proposition using the boolean eliminator:

EB (λx. x = true∨x = false) [true = true∨true = false\ [false = true∨false = false\

The types enclosed in the upper corners are placeholders for terms having the given
types. We refer to the placeholders as subgoals. Note that the types of the subgoals
are obtained with the conversion rule. We may now use the proof terms L(Q true)
and R(Q false) for the subgoals and obtain the complete proof term

EB (λx. x = true ∨ x = false) (L(Q true)) (R(Q false))

80
 5.6 Kaminski’s Equation

∀x. x = true ∨ x = false conversion

∀x. (λx. x = true ∨ x = false) x apply EB
1 (λx. x = true ∨ x = false) true conversion
true = true ∨ true = false trivial
2 (λx. x = true ∨ x = false) false conversion
false = true ∨ false = false trivial

Proof term constructed: EB (λx. x = true ∨ x = false) (L(Q true)) (R(Q false))

Figure 5.1: Proof table for a boolean elimination

Figure 5.1 shows a proof table constructing the proof term. The table makes
explicit the conversions handling the applications of the target type functions.
That all boolean case analysis can be obtained with a single eliminator crucially
depends on the use of a target type function in the type of the eliminator. A simply
typed boolean eliminator ∀Z T . Z → Z → B → Z can for instance not express the
boolean case analysis needed for ∀x B . x = true ∨ x = false. And recall that target
type functions only work with lambda abstractions and a conversion rule taking
care of β-reductions.

Exercise 5.5.1 For each of the following propositions give a proof term applying
the boolean eliminator.
a) ∀p B→P ∀x. (x = true → ptrue) → (x = false → pfalse) → px.
b) x & y = true ←→ x = true ∧ y = true.
c) x | y = false ←→ x = false ∧ y = false.
d) ∀p B→P . (∀xy. y = x → px) → ∀[Link].

5.6 Kaminski’s Equation

Here is a somewhat challenging fact known as Kaminski’s equation4 that can be

shown with boolean elimination:

∀f B→B ∀x. f (f (f x)) = f x

Obviously, a boolean case analysis on just x does not suffice for a proof. What we
need in addition is boolean case analysis on the terms f true and f false. To make
this possible, we prove the equivalent claim

∀xyz. f true = y → f false = z → f (f (f x)) = f x

4
The equation was brought up as a proof challenge by Mark Kaminski in 2005 when he wrote his
Bachelor’s thesis on a calculus for classical higher-order logic.

81
5 Inductive Eliminators

by boolean case analysis on x, y, and z. This yields 8 subgoals, all of which have
straightforward equational proofs. Here is the subgoal for x = false, y = false, and
z = true :

f true = false → f false = true = → f (f (f false)) = f false

Speaking informally, the proof of Kaminski’s equation proceeds by cascaded dis-

crimination on x, f true, and f false, where the equations recording the discrimina-
tions on the terms f true, and f false are made available as assumptions. While this
proof pattern is not primitive in type theory, it can be expressed as shown above. A
proof assistant may support this and other proof patterns with specialized tactics.5

Exercise 5.6.1 (Boolean pigeonhole principle)

a) Prove the boolean pigeonhole principle: ∀xyzB . x = y ∨ x = z ∨ y = z.
b) Prove Kaminski’s equation based on the instance of the boolean pigeonhole
principle for f (f x), f x, and x.

Exercise 5.6.2 (Boolean enumeration) Prove ∀x B . x = true ∨ x = false and use it

to prove Kaminski’s equation by enumerating x, f x, and f (f x) and solving the
resulting 23 cases with Coq’s congruence tactic.

5.7 Eliminator for Numbers

Recall the definition of the inductive type of numbers from §1.2 :

N : T ::= 0 | S(N)

An inductive function f discriminating on a numeric argument has two defining

equations:

f 0 := s1
f (Sn) := s2

We generalize the format by taking the terms s1 and s2 as arguments:

f e1 e2 0 := e1
f e1 e2 (Sn) := e2 n (f n)

Note that the argument e2 is a function taking the predecessor n and the result of
the recursive application f n as arguments.6
5
Coq supports the pattern with the eqn modifier of the destruct tactic.
6
Since computation in type theory is always terminating, eager recursion cannot cause problems.

82
 5.7 Eliminator for Numbers

We now come to the typing of the eliminator function. To obtain enough flexi-
bility, we shall employ a target type function p N→T . Given the equations for f , this
design decision forces the type

∀p N→T . p0 → (∀n. pn → p(Sn)) → ∀n. pn

We now fix the definition

EN : ∀p N→T . p0 → (∀n. pn → p(Sn)) → ∀n. pn

EN p e1 e2 0 := e1 : p0
EN p e1 e2 (Sn) := e2 n (EN p e1 e2 n) : p(Sn)

of the arithmetic eliminator EN . We refer to the arguments e1 and e2 of EN as

continuations. We say that the arithmetic eliminator takes continuations for the
zero case and the successor case.
Next we look at the type of EN as a proof rule:

EN : ∀p N→T . p0 → (∀n. pn → p(Sn)) → ∀n. pn

It says that we can obtain a proof of ∀n. pn by supplying proofs for p0 and
∀n. pn → p(Sn). For the second proof obligation we have to supply a function
that for every n yields a proof of p(Sn) given a proof of pn. Thus EN gives us a
proof rule for structural induction on numbers. Note that the so-called inductive
hypothesis appears as pn in the type ∀n. pn → p(Sn) of the continuation function
for the successor case.
We have just seen one of the most elegant and novel aspects of computational
type theory: Induction on numbers is obtained through (the type of) the arithmetic
eliminator, which is obtained as a recursive inductive function on numbers.
The type of EN clarifies many aspects of informal inductive proofs. For instance,
the type of EN makes clear that the variable n in the final claim ∀n. pn is different
from the variable n in the successor case ∀n. pn → p(Sn). Nevertheless, it makes
sense to use the same name for both variables since this makes the inductive hy-
pothesis pn agree with the final claim.
We shall use the notations

match s [ 0 ⇒ s1 | Sx ⇒ s2 ] Ž EN t s1 (λx _.s2 ) s

if s then s1 else s2 Ž EN t s1 (λ_ _.s2 ) s

for arithmetic case analysis. The terms t describing the target type function must
be inferred from the context.

Exercise 5.7.1 (Match function for numbers)

A match function for numbers has the type

∀p N→T . p0 → (∀n. p(Sn)) → ∀n. pn

83
5 Inductive Eliminators

x+0=x conversion
(λx. x + 0 = x) x apply EN
1 (λx. x + 0 = x) 0 conversion
0=0 comp. eq.
2 ∀x. (λx. x + 0 = x) x → (λx. x + 0 = x)(Sx) conversion
∀x. x + 0 = x → Sx + 0 = Sx intro
IH : x + 0 = x Sx + 0 = Sx conversion
S(x + 0) = Sx rewrite IH
Sx = Sx comp. eq.

Proof term constructed:

EN (λx.x + 0 = x) (Q 0) (λxh. R′ (λ[Link] = Sx) h (Q(Sx))) x

Figure 5.2: Proof table for x + 0 = x

a) Explain how a match function for numbers provides for case analysis.
b) Define a match function for numbers as an inductive function.
c) Define a match function for numbers using the arithmetic eliminator EN .

5.8 A Formal Inductive Proof

We can now do inductive proofs completely formally. As our first example we con-
sider a proof of the fact
∀x. x + 0 = x

We do the proof by induction on x, which amounts to an application of the elimi-

nator EN :

EN (λx. x + 0 = x) [0 + 0 = 0\ [∀x. x + 0 = x → Sx + 0 = Sx\

The application yields two subgoals known as base case and successor case. Both
subgoals have straightforward proofs. Note how the inductive hypothesis appears
as an implicational premise in the successor case. Figure 5.2 shows a proof table
for a proof term completing the partial proof term.
We will see many inductive proofs in this text. We shall write inductive proofs in
an informal style making sure that the informal proof can be easily elaborated into
a formal proof with the proof assistant. A (detailed) informal proof for our example
may look as follows.

84
 5.9 Equality of Numbers is Logically Decidable

Fact 5.8.1 x + 0 = x.

Proof By induction on x. If x = 0, the claim follows by computational equality.

In the successor case we have the claim Sx + 0 = Sx and the inductive hypothesis
x+0 = x. By conversion is suffices to show S(x+0) = Sx, which follows by rewriting
with the inductive hypothesis. ■

Exercise 5.8.2 Consider the following facts about numbers.

a) Sn ≠ n
b) n + Sk ≠ n
c) x + y = x + z → y = z (addition is injective in its 2nd argument)
In each case an inductive proof is required. Use the proof assistant to obtain infor-
mal and formal proofs of the facts. Remark: The Coq file accompanying Chapter 1
contains many examples of inductive proofs.

Exercise 5.8.3 Prove the following equations stating the correctness of addition
functions obtained with the arithmetic eliminator. Both equations require inductive
proofs.
a) x + y = EN (λ_.N) y (λ_.S) x
b) x + y = EN (λ_.N → N) (λy.y) (λ_ay.S(ay)) x y

5.9 Equality of Numbers is Logically Decidable

We now show that equality of numbers is logically decidable.

Fact 5.9.1 ∀x N y N . x = y ∨ x ≠ y.

Proof By induction on x with y quantified followed by case analysis on y.

1. x = 0 and y = 0. Then x = y.
2. x = 0 and y = S_. Then x ≠ y by constructor law.
3. x = S_ and y = 0. Then x ≠ y by constructor law.
4. x = Sx ′ and y = Sy ′ . The induction hypothesis gives us two cases:
a) x ′ = y ′ . Then x = y.
b) x ′ ≠ y ′ . We assume Sx ′ = Sy ′ and prove ⊥. Injectivity of S gives us x ′ = y ′ ,
which contradicts the assumption x ′ = y ′ . ■

The informal proof is burdened with many cases and much detail. Constructing
a formal proof with a proof assistant will organize the cases and the details in a
pleasant and more manageable way.

85
5 Inductive Eliminators

∀x N y N . x = y ∨ x ≠ y apply EN , intro y
1 0=y ∨0≠y destruct y
1.1 0=0∨0≠0 trivial
1.2 0 = Sy ∨ 0 ≠ Sy constructor law
2 IH: ∀y N . x = y ∨ x ≠ y Sx = y ∨ Sx = y destruct y
2.1 Sx = 0 ∨ Sx ≠ 0 constructor law
2.2 Sx = Sy ∨ Sx ≠ Sy destruct IH y
2.2.1 H: x = y Sx = Sy rewrite H, trivial
2.2.2 H: x ≠ y Sx ≠ Sy intro, apply H
H1 : Sx = Sy x=y injectivity S

Figure 5.3: Proof table with a quantified inductive hypothesis

If you are not experienced with inductive proofs, the remark that y be quantified
in the inductive hypothesis may be confusing. The confusion will go away with the
formal proof.
A proof table constructing a proof term following the informal proof appears in
Figure 5.3.
Following the table, we begin the construction of the formal proof with the par-
tial proof term

EN (λx. ∀y. x = y ∨ x ≠ y)
[∀y. 0 = y ∨ 0 ≠ y\
[∀x. (∀y. x = y ∨ x ≠ y) → ∀y. Sx = y ∨ Sx ≠ y\

This first step makes explicit the quantified inductive hypothesis. Both subgoals are
shown by case analyis on the quantfied target. This can be done with the elimina-
tor EN . To keep things manageable we will work with a match function

MN : ∀p N→T . p0 → (∀n.p(Sn)) → ∀n. pn

omitting the inductive hypothesis.

In the zero case [∀y. 0 = y ∨ 0 ≠ y\ we proceed with

MN (λy. 0 = y ∨ 0 ≠ y)
[0 = 0 ∨ 0 ≠ 0\
[∀y. 0 = Sy ∨ 0 ≠ Sy\

The first subgoal is trivial, and the second subgoal follows with constructor dis-
jointness.

86
 5.10 Eliminator for Pairs

In the successor case [∀x. (∀y. x = y ∨ x ≠ y) → ∀y. Sx = y ∨ Sx ≠ y\ we

proceed with

x=y∨x≠y
λxh∀y. . MN (λy. Sx = y ∨ Sx ≠ y)
[Sx = 0 ∨ Sx ≠ 0\
[∀y. Sx = Sy ∨ Sx ≠ Sy\

The first subgoal follows with constructor disjointness. The second subgoal follows
with the instantiated inductive hypothesis hy and injectivity of S.
This completes our explanation of a (formal) proof of Fact 5.9.1. If we do the
proof with a proof assistant, a fully formal proof is constructed but most of the
details are taken care of by the assistant. To document the proof informally for a
human reader, it’s probably best to write something like the following:

The claim follows by induction on x and case analysis on y, where y is quanti-

fied in the inductive hypothesis and disjointness and injectivity of the construc-
tors 0 and S are used.

Exercise 5.9.2 (Boolean equality decider for numbers)

Write a function eqb : N → N → B such that ∀xy. x = y ←→ eqb xy = true. Prove
the correctness of your function.

Exercise 5.9.3 (Antisymmetry)

Prove x ≤ y → y ≤ x → x = y.
Hint: Induction on x with y quantified using the constructor laws.

5.10 Eliminator for Pairs

Recall the inductive type definition for pairs from § 1.8 :

Pair(X : T, Y : T) : T ::= pair(X, Y )

As before we use use the notations

s×t Ž Pair st
(s, t) Ž pair _ _ st

Following the scheme we have seen for booleans and numbers, we define an elimi-
nator for pairs as follows:

E× : ∀X T Y T ∀p X×Y →T . (∀xy. p(x, y)) → ∀[Link]

E× X Y p e (x, y) := exy : p(x, y)

87
5 Inductive Eliminators

We shall use the notation

let (x1 , x2 ) = s in s1 Ž E× t1 t2 t3 (λxy.s1 ) s

for cartesian destructuring. The terms t1 , t2 , and t1 describing the component types
and the target type function must be inferred from the context.
Exercise 5.10.1 Prove the following facts for pairs a : X × Y using the eliminator E× :
a) (π1 a, π2 a) = a η-law
b) swap(swap a) involution law
See § 1.8 for the definitions of the projections π1 and π2 and the function swap.
Exercise 5.10.2 Use E× to write functions that agree with π1 , π2 , and swap.

Exercise 5.10.3 By now you know enough to formalize all proofs of Chapter 1 in
computational type theory. Do some of the proofs in Coq without using the tactics
for destructuring and induction. Apply the eliminators you have seen in this chapter
instead.

5.11 Disequality of Types

The types N and B of booleans and numbers are different since they have different
cardinality: While there are infinitely many numbers, there are only two booleans.
But how can we show this fact in the logical system we have arrived at?
Since B and N both have type T, we can write the propositions N = B and N ≠ B.
So the question is whether we can prove N ≠ B. We can do this with a property
distinguishing the two types (Exercise 4.3.5). We choose the predicate

p(X T ) := ∀xyzX . x = y ∨ x = z ∨ y = z

saying that a type has at most two elements. It now suffices to prove pB and ¬pN.
With boolean case analysis on the variables x, y, z we can show that p holds for B.
Moreover, we can disprove pN by choosing x = 0, y = 1, and z = 2 and proving

(0 = 1 ∨ 0 = 2 ∨ 1 = 2) → ⊥

by disjunctive case analysis and the constructor laws for 0 and S.

Fact 5.11.1 N ≠ B.

On paper, it doesn’t make sense to work out the proof in more detail since this
involves a lot of writing and routine verification. With Coq, however, doing the
complete proof is quite rewarding since the writing and the tedious details are taken
care of by the proof assistant. When we do the proof with Coq, we can see that the
techniques introduced so far smoothly scale to more involved proofs.

88
 5.12 Notes

Exercise 5.11.2 Prove the following inequations between types.

a) B ≠ B × B d) B ≠ ⊤
b) ⊥ ≠ ⊤ e) P ≠ ⊤
c) ⊥ ≠ B f) B ≠ T

Exercise 5.11.3 Note that one cannot prove B ≠ B × ⊤ since one cannot give a pred-
icate that distinguishes the two types. Neither can one prove B = B × ⊤.

5.12 Notes

We may accommodate the eliminators in this chapter as abstract constants (§ 4.5)

hiding their defining equations. The abstract eliminators will be fine when we use
them as proof rules. However, there are two uses of the eliminators where the
reductions provided by the defining equations matter:
• Reducible matches contributing to type checking through the conversion rule.
See the proofs of the constructor laws for B and N (§ 4.3).
• Local definitions of reducible inductive functions contributing to type checking.
No examples yet.
We remark that the eliminators for conjunction and disjunction

M∧ : ∀XY Z P . X ∧ Y → (X → Y → Z) → Z
M∨ : ∀XY Z P . X ∨ Y → (X → Z) → (Y → Z) → Z

used in Chapter 3 (Figure 3.2) don’t use target type functions. In fact, there is no
need for target type functions since in ordinary mathematical reasoning proposi-
tions don’t talk about their proofs.
Functions typed with target type functions are polymorphic in the number of
their arguments. For instance:

E⊥ N : ⊥ → N
E⊥ (N → N) : ⊥ → N → N
E⊥ (N → N → N) : ⊥ → N → N → N

We remark that the proof assistant Coq automatically derives eliminators for
every inductive type definition it processes. For the inductive types discussed in
this chapter Coq derives the eliminators we have presented (except for ⊤).

89
6 Existential Quantification
An existential quantification ∃x t . s says that the predicate λx t .s is satisfiable, that
is, that there is some u such that the proposition (λx t .s)u is provable. Follow-
ing this idea, a basic proof of ∃x t . s is a pair (u, v) consisting of a witness u : t
and a certificate v : (λx t .s)u. This design may be realized with an inductive type
definition.
We will prove two prominent logical facts involving existential quantification:
Russell’s Barber theorem (a non-existence theorem) and Lawvere’s fixed point theo-
rem (an existence theorem). From Lawvere’s theorem we will obtain a type-theoretic
variant of Cantor’s power set theorem (there is no surjection from a set to its power
set).

6.1 Inductive Definition and Basic Facts

We first assume a formation constant

ex : ∀X T . (X → P) → P

so that we can write an existential quantifications as function applications (as

usual, X is treated as implicit argument):

∃x t . s Ž ex (λx t . s)

Next we assume an introduction constant

E : ∀X T ∀p X→P ∀x X . px → ex X p

so that we can prove an existential quantification ∃x t . s by providing a witness u : t

and a certificate v : (λx t .s)u. Finally, we assume an elimination constant

M∃ : ∀X T ∀p X→P ∀Z P . ex p → (∀x. px → Z) → Z

so that given a proof of an existential quantification we can prove an arbitrary

proposition Z by assuming that there is a witness and certificate as asserted by
the existential quantification.
We will see that the constants E and M∃ provide us with all the proof rules we
need for existential quantification. As usual, the definitions of the constants are not
needed for proving with existential quantifications.

91
6 Existential Quantification

The constants ex and E can be defined with an inductive type definition:

ex (X : T, p : X → P) : P ::= E (x : X, px)

The inductive type definition for ex and E has two parameters where the type of
the second parameter p depends on the first parameter X. This is the first time
we see such a parameter dependence. The inductive definitions for pair types and
conjunctions also have two parameters, but there is no dependency. Also, the def-
inition for existential quantification is the first time we see a parameter (p) that is
not a type. Moreover, the proof constructor E comes with an additional dependency
between its first proper argument x and the type px of its second proper argument.
Again, this is the first time we see such a dependency. Inductive type definitions
with dependencies between parameters and proper arguments of constructors are
standard in computational type theory.
The elimination constant M∃ can now be defined as an inductive function:

M∃ : ∀X T ∀p X→P ∀Z P . ex p → (∀x. px → Z) → Z
M∃ XpZ (E _ _ xa) f := f xa

We now recognize M∃ as the simply typed match function for existential types.
When convenient, we will use the match notation

match s [ E xa ⇒ t ] Ž M∃ _ _ _ s (λxa.t)

for applications of M∃ . Note that the propositional discrimination restriction applies

to all inductive propositions ex Xp.
Figure 6.1 shows a proof table and the constructed proof term for a de Morgan
law for existential quantification. The proof table makes all conversions explicit so
that you can see where they are needed. Each of the two conversions can be justified
with either the η- or the β-law for λ-abstractions. We also have

(∃[Link]) = ex(λ[Link]) = ex(p)

where the first equation is just a notational change and the second equation is by
application of the η-law.
In practice, it is not a good idea to make explicit inessential conversions like the
ones in Figure 6.1. Instead, it is preferable to think modulo conversion. Figure 6.2
shows a proof table with implicit conversions constructing the same proof term.
This is certainly a better presentation of the proof. The second table gives a fair
representation of the interaction you will have with Coq. In fact, Coq will immedi-
ately reduce the first two β-redexes you see in Figure 6.1 as part of the proof actions
introducing them. This way there will be no need for explicit conversion steps.

92
 6.1 Inductive Definition and Basic Facts

X : T, p : X → P ¬(∃[Link]) ←→ ∀x.¬px apply C

1 ¬(∃[Link]) → ∀x.¬px intro
f : ¬(∃[Link]), x : X, a : px ⊥ apply f
∃[Link] apply E x
(λ[Link]) x conversion
px a
2 (∀x.¬px) → ¬(∃[Link]) intro with M∃
f : ∀x.¬px, x : X
a : (λ[Link])x ⊥ apply f x
px conversion
(λ[Link]) x a

Proof term: C (λf xa.f (Ep xa)) (λf b. match b [ E xa ⇒ f xa ])

Figure 6.1: Proof of existential de Morgan law with explicit conversions

X : T, p : X → P ¬(∃[Link]) ←→ ∀x.¬px apply C

1 ¬(∃[Link]) → ∀x.¬px intro
f : ¬(∃[Link]), x : X, a : px ⊥ apply f
∃[Link] E xa
2 (∀x.¬px) → ¬(∃[Link]) intro with M∃
f : ∀x.¬px, x : X, a : px ⊥ f xa

Proof term: C (λf xa.f (Ep xa)) (λf b. match b [ E xa ⇒ f xa ])

Figure 6.2: Proof of existential de Morgan law with implicit conversions

Exercise 6.1.1 Prove the following propositions with proof tables and give the re-
sulting proof terms. Mark the proof actions involving implicit conversions.

a) (∃x∃y. pxy) → ∃y∃x. pxy e) (∃x. px ∨ qx) ←→ (∃[Link]) ∨ (∃[Link])

b) (∃[Link]) → ¬∀x. ¬px f) ¬¬(∃[Link]) ←→ ¬∀x.¬px
c) ((∃[Link]) → Z) ←→ ∀x. px → Z g) (∃x. ¬¬px) → ¬¬∃[Link]
d) (∃[Link]) ∧ Z ←→ ∃x. px ∧ Z h) ∀X P . X ←→ ∃x X .⊤
Exercise 6.1.2 Give a proof term for (∃[Link]) → ¬∀x. ¬px using the constants ex,
E, and M∃ . Do not use matches.

Exercise 6.1.3 Verify the following existential characterization of disequality:

x ≠ y ←→ ∃p. px ∧ ¬py

93
6 Existential Quantification

Exercise 6.1.4 Verify the impredicative characterization of existential quantifica-

tion:

(∃[Link]) ←→ ∀Z P . (∀x. px → Z) → Z

Exercise 6.1.5 Universal and existential quantification are compatible with propo-
sitional equivalence. Prove the following compatibility laws:

(∀x. px ←→ qx) → (∀[Link]) ←→ (∀[Link])

(∀x. px ←→ qx) → (∃[Link]) ←→ (∃[Link])

Exercise 6.1.6 (Abstract presentation) We have seen that conjunction, disjunction,

and propositional equality can be modeled with abstract constants (§4.7). For exis-
tential quantification, we may use the constants

Ex : ∀X T . (X → P) → P
E : ∀X T ∀p X→P ∀x X . px → Ex X p
M : ∀X T ∀p X→P ∀Z P . ex p → (∀x. px → Z) → Z

we have obtained above with inductive definitions.

a) Assuming the constants, prove that the impredicative characterization holds:
Ex Xp ←→ ∀Z P . (∀x. px → Z) → Z.
b) Define the constants impredicatively (i.e., not using inductive types).

Exercise 6.1.7 (Intuitionistic drinker) Using excluded middle, one can argue that
in a bar populated with at least one person one can always find a person such that
if this person drinks milk everyone in the bar drinks milk:

∀X T ∀ p X→P . (∃x X .⊤) → ∃x. px → ∀[Link]

The fact follows intuitionistically once two double negations are inserted:

∀X T ∀ p X→P . (∃x X .⊤) → ¬¬∃x. px → ∀y. ¬¬ py

Prove the intuitionistic version.

6.2 Barber Theorem

Nonexistence results often get a lot of attention. Here are two famous examples:
1. Russell: There is no set containing exactly those sets that do not contain them-
selves: ¬∃x ∀y. y ∈ x ←→ y ∉ y.

94
 6.3 Lawvere’s Fixed Point Theorem

2. Turing: There is no Turing machine that halts exactly on the codes of those
Turing machines that don’t halt on their own code: ¬∃x ∀y. Hxy ←→ ¬Hyy.
Here H is a predicate that applies to codes of Turing machines such that Hxy
says that Turing machine x halts on Turing machine y.
It turns out that both results are trivial consequences of a straightforward logical
fact known as barber theorem.

Fact 6.2.1 (Barber Theorem)

∀X T ∀p X→X→P . ¬∃x ∀y. pxy ←→ ¬pyy.

Proof Suppose there is an x such that ∀y. pxy ←→ ¬pyy. Then pxx ←→ ¬pxx.
Contradiction by Russell’s law ¬(X ←→ ¬X) as shown in §3.7. ■

The barber theorem is related to a logical puzzle known as barber paradox.

Search the web to find out more.

Exercise 6.2.2 Give a proof table and a proof term for the barber theorem. Con-
struct a detailed proof with Coq.

Exercise 6.2.3 Consider the following predicate on types:

p(X T ) := ∃f g X→X ∀xy. f x = y ∨ gy = x

Prove p(B) and ¬p(N).

Hint: It suffices to consider the numbers 0, 1, 2.

6.3 Lawvere’s Fixed Point Theorem

Another famous non-existence theorem is Cantor’s theorem. Cantor’s theorem says

that there is no surjection from a set into its power set. If we analyse the situation
in type theory, we find a proof that for no type X there is a surjective function
X → (X → B). If for X we take the type of numbers, the result says that the function
type N → B is uncountable. It turns out that in type theory facts like these are best
obtained as consequences of a general logical fact known as Lawvere’s fixed point
theorem.
A fixed point of a function f X→X is an x such that f x = x.

Fact 6.3.1 Boolean negation has no fixed point.

Proof Consider ! x = x and derive a contradiction with boolean case analysis on x.■

Fact 6.3.2 Propositional negation λP .¬P has no fixed point.

95
6 Existential Quantification

Proof Suppose ¬P = P . Then ¬P ←→ P . Contradiction with Russell’s law. ■

A function f X→Y is surjective if ∀y∃x. f x = y.

Theorem 6.3.3 (Lawvere) Suppose there exists a surjective function X → (X → Y ).

Then every function Y → Y has a fixed point.

Proof Let f X→(X→Y ) be surjective and g Y →Y . Then f a = λx.g(f xx) for some a.
We have f aa = g(f aa) by rewriting and conversion. ■

Corollary 6.3.4 There is no surjective function X → (X → B).

Proof Boolean negation doesn’t have a fixed point. ■

Corollary 6.3.5 There is no surjective function X → (X → P).

Proof Propositional negation doesn’t have a fixed point. ■

We remark that Corollaries 6.3.4 and 6.3.5 may be seen as variants of Cantor’s
theorem.

Exercise 6.3.6 Construct with Coq detailed proofs of the results in this section.

Exercise 6.3.7
a) Prove that all functions ⊤ → ⊤ have fixed points.
b) Prove that the successor function S : N → N has no fixed point.
c) For each type Y = ⊥, B, B × B, N, P, T give a function Y → Y that has no fixed
point.

Exercise 6.3.8 With Lawvere’s theorem we can give another proof of Fact 6.3.2
(propositional negation has no fixed point). In contrast to the proof given with
Fact 6.3.2, the proof with Lawvere’s theorem uses mostly equational reasoning.
The argument goes as follows. Suppose (¬X) = X. Since the identity is a surjec-
tion X → X, the assumption gives us a surjection X → (X → ⊥). Lawvere’s theorem
now gives us a fixed point of the identity on ⊥ → ⊥. Contradiction since the type of
the fixed point is falsity.
Do the proof with Coq.

96
7 Arithmetic Pairing

Cantor discovered that numbers are in bijection with pairs of numbers. Cantor’s
proof rests on a counting scheme where pairs appear as boxes in a plane. Based
on Cantors scheme, we realize the bijection between numbers and pairs with two
functions inverting each other. We obtain an elegant formal development using only
a few basic facts about numbers.

7.1 Definitions

We will construct and verify two functions

E : N×N→N encode
D : N→N×N decode

that invert each other: D(E(x, y)) = (x, y) and E(Dn)) = n. The functions are
based on the counting scheme for pairs shown in Figure 7.1. The pairs appear as
points in the plane following the usual coordinate representation. Counting starts
at the origin (0, 0) and follows the diagonals from right to left:

(0, 0) 1st diagonal 0

(1, 0), (0, 1) 2nd diagonal 1, 2
(2, 0), (1, 1), (0, 2) 3rd diagonal 3, 4, 5

Assuming a function
η: N×N→N×N

that for every pair yields its successor on the diagonal walk described by the count-
ing scheme, we define the decoding function D as follows:

D(n) := ηn (0, 0)

The definition of the successor function η for pairs is straightforward:

η(0, y) := (Sy, 0)
η(Sx, y) := (x, Sy)

97
7 Arithmetic Pairing

..
y .
5 20
4 14 19
3 9 13 18
2 5 8 12 17
1 2 4 7 11 16
0 0 1 3 6 10 15 ···
0 1 2 3 4 5 x

Figure 7.1: Counting scheme for pairs of numbers

We now come to the definition of the encoding function E. We first observe that
all pairs (x, y) on a diagonal have the same sum x + y, and that the length of the
nth diagonal is n. We start with the equation

E(x, y) := σ (x + y) + y

where σ (x + y) is the first number on the diagonal x + y. We now observe that

σn = 0 + 1 + 2 + ··· + n

Thus we define σ recursively as follows:

σ (0) := 0
σ (Sn) := Sn + σ n

We remark that σ n is known as Gaussian sum.

7.2 Proofs

We will prove E(Dn)) = n and D(Ea) = a. The first equation is easier than the sec-
ond equation. Both directions will profit from an equation saying that the encoding
of the successor of a pair is the successor of the encoding of the pair.

Fact 7.2.1 (Successor equation) E(ηa) = S(Ea) for all pairs a.

Proof Case analysis on a = (0, y), (Sx, y) and straightforward arithmetic. ■

Fact 7.2.2 E(Dn) = n for all numbers n.

Proof By induction on n using Fact 7.2.1 for the successor case. ■

98
 7.2 Proofs

We now come to the proof of the second equation D(Ea) = a. The difficulty
here is that there is no n we can do induction on. We solve the problem by doing
induction on the number Ea using an auxiliary variable n = Ea.1 We prepare the
necessary case analysis for the induction with three conditional equations for the
encoding function. Two of the equations tell us how we can obtain for Ea = Sn a
pair a′ such that η(Ea′ ) = a. Note that a′ is clear from the geometric presentation
of the counting scheme.

Fact 7.2.3 (Backwards equations)

1. Ea = 0 → a = (0, 0)
2. E (Sx, 0) = Sn → E(0, x) = n
3. E (x, Sy) = Sn → E(Sx, y) = n

Proof (1) Follows with a = (x, y) and case analysis on x and y using S _ ≠ 0.
(2) follows with (Sx, 0) = η (0, x) and Fact 7.2.1. (3) follows with (x, Sy) = η (Sx, y)
and Fact 7.2.1. ■

Fact 7.2.4 D(Ea) = a for all pairs a.

Proof Given the recursive definition of D and E, we need to do an inductive proof.

The idea is to do induction on the number Ea. Formally, we prove the proposition

∀n ∀a. Ea = n → Dn = a

by induction on n.
For n = 0, Fact 7.2.3 gives us a = (0, 0) making the conclusion trivial.
For the successor case we prove

Ea = Sn → D(Sn) = a

We consider three cases: a = (0, 0), (Sx, 0), (x, Sy). The case a = (0, 0) is trivial
since the premise is contradictory. The other two cases follow with (2) and (3) of
Fact 7.2.3 and the inductive hypothesis. ■

Exercise 7.2.5 (Walking diagonals the other way) The encoding function for
pairs walks diagonals from right to left. One may also walk the diagonals from
left to right. Rework the Coq development accordingly.
The exercise will help you with your understanding of arithmetic pairing.
The exercise will boost your understanding of the role a proof assistant can play
in a mathematical development. Modifying a development with a proof assistant is
more efficient and more reliable than doing it on paper. Type checking and proof
checking turn out to be very helpful for this task.
1
We have seen a similar unfolding step with Kaminski’s equation in § 5.6.

99
7 Arithmetic Pairing

Exercise 7.2.6 (Bijections) A bijection between two types X and Y consists of two
functions f X→Y and g Y →X such that ∀x. g(f x) = x and ∀y. f (gy) = y.
a) Give and verify a bijection between N and (N × N) × N.
b) Prove that there is no bijection between B and 1.
c) Prove that there is no bijection between N and N → B.
Exercise 7.2.7 (Internal Arithmetic pairing)
Arithmetic pairing establishes N as a universal type that can represent pairs inter-
nally. To make this insight explicit, define functions

π :N→N→N π1 : N → N π2 : N → N

such that you can verify the equations

π1 (π nk) = n π2 (π nk) = k π (π1 n)(π2 n) = n

for all n and k.

7.3 Discussion

Arithmetic pairing is a great case study at several levels. The magic starts with
the geometrical presentation of the counting scheme, which informally establishes
a computable bijection. All the rest is about formal verification of what we see
geometrically. The first step is the recursive definition of the encoding and decoding
function, which is a nice programming exercise in computational type theory. As it
comes to the verification of the two roundtrip equations, it is clear that both require
induction on numbers. For one of the equations, the number we can do induction
on needs to be explicated. Both inductive proofs hinge on the fact that a successor
function η for pairs is made explicit that commutes with the successor function on
numbers.
The elaboration of the proof in the accompanying Coq file is enlightening. We
use it to demo several advanced features of the tactic language. As with most proofs
in the text, the informal proofs in this chapter were written only after formal proofs
had been constructed and polished with the proof assistant.
It is interesting to look up Cantor’s pairing function in the mathematical liter-
ature and in Wikipedia, where the computational aspects of the construction are
ignored as much as possible. One typically starts with the encoding function using
the Gaussian sum formula to avoid the recursion. Then injectivity and surjectivity
of the encoding function are shown, which non-constructively yields the existence
of the decoding function. The simple recursive definition of the decoding function
does not appear. The construction presented here is due to Andrej Dudenhefner
(March 2020) who contributed it to Coq’s standard library.

100
 7.3 Discussion

What I like about the development of the pairing function is the interplay be-
tween the geometric presentation of the counting scheme and the formalization
with function definitions and proofs. Their is much elegance at all levels. Cantor’s
pairing function could make a great example for an educated Programming 1 course
addressing functional programming and program verification.

101
8 Abstract Syntax

Inductive types provide for a tree-structured representation of syntactic objects.

One speaks of abstract syntax if syntactic objects are represented as tree-structured
objects, and of concrete syntax if syntactic objects are represented as character
strings.
As example we consider arithmetic expressions and verify a compiler translating
arithmetic expressions into code for a stack machine. We use a reversible compila-
tion scheme and verify a decompiler reconstructing expressions from their codes.
The example hits a sweet spot of computational type theory: Inductive types pro-
vide a perfect representation for abstract syntax, and structural recursion on the
abstract syntax provides for the definitions of the necessary functions (evaluation,
code execution, compiler, decompiler). The correctness conditions for the functions
can be expressed with equations, and generalized versions of the equations can be
verified with structural induction.
This is the first time we see an inductive type with binary recursion and two
inductive hypotheses. Moreover, we see a notational convenience for function defi-
nitions known as catch-all equation.
This chapter is also our first encounter with lists. Lists are obtained with a
recursive inductive type definition refining the definition of numbers with elements.
To be self-contained, we give a quick introduction to lists.
An important point of the chapter is in explaining that the principles behind the
inductive definitions of numbers and pairs also cover lists and expressions. The
constructor laws and the eliminators for lists and expressions can be obtained with
the same scheme we have practiced with numbers and pairs.

8.1 Lists

Finite sequences [x1 , . . . , xn ] may be represented as tree-structured values using

two constructors nil and cons:

[] , nil
[x] , cons x nil
[x , y] , cons x (cons y nil)
[x , y , z] , cons x (cons y (cons z nil))

103
8 Abstract Syntax

The constructor nil provides the empty list. The constructor cons yields for a
value x and a list representing the sequence [x1 , . . . , xn ] a list representing the
sequence [x , x1 , . . . , xn ]. Given a list cons x A, we call x the head and A the tail
of the list. We say that lists provide a nested pair representation of sequences.
Following the above design in type theory, we obtain lists with an inductive type
definition

L(X : T) : T ::= nil | cons (X, L(X))

The type constructor L : T → T gives us a list type L(X) for every base type X. The
value constructor nil : ∀X T . L(X) gives us an empty list for every base type. Finally,
the value constructor cons : ∀X T . X → L(X) → L(X) provides for the construction
of nonempty lists by adding an element in front of a given list. The type of cons
ensures that all elements of a list of type L(X) are of type X.
For nil and cons, we don’t write the first argument X. We use the notations

[] := nil
x :: A := cons x A

and omit parentheses as follows:

x :: y :: A Ž x :: (y :: A)

When convenient, we shall use the sequence notation [x1 , . . . , xn ] for lists.
The inductive definition of lists provides for case analysis, recursion, and induc-
tion on lists, in a way that is similar to what we have seen for numbers. We may see
the constructors nil and cons as refinements of the constructors 0 and S.
Concatenation of sequences

[x1 , . . . , xm ] +
+ [y1 , . . . , yn ] = [x1 , . . . , xm , y1 , . . . , yn ]

appends two sequences. You may be familiar with concatenation of strings, which
are sequences of characters.
We provide concatenation of lists with an inductive function

+ : ∀X T . L(X) → L(X) → L(X)

+
[] +
+ B := B
(x :: A) +
+ B := x :: (A +
+ B)

Concatenation of lists is similar to addition of numbers. Two basic laws for addition
are x + 0 and (x + y) + z = x + (y + z). We prove the list versions A + +[] = A and
A++(B ++ C) = (A +
+ B) ++ C of the laws. The proofs are very similar to the arithmetic
proofs with induction on lists replacing induction on numbers.

104
 8.2 Expressions and Evaluation

Fact 8.1.1 (Concatenation with nil) A +

+[] = A.

Proof By induction on A, which yields the proof obligations

[] +
+[] = []
(x :: A) +
+[] = x :: A

The first obligations holds by computational equality. The second obligation sim-
plifies to x :: (A +
+[]) = x :: A and follows with the induction hypothesis. ■

Fact 8.1.2 (Associativity) A + + C) = (A +

+(B + + B) +
+ C.

Proof By induction on A. Check the details with the proof assistant. ■

As with numbers, induction on lists is formalized with an eliminator function

EL : ∀X T ∀p L(X)→T . p [] → (∀xA. pA → p(x :: A)) → ∀A. pA

which is obtained with a scheme generalizing the scheme we have seen for numbers.
Proof assistants will generate a suitable eliminator function when they accept an
inductive type definition.

Exercise 8.1.3 (Eliminator for lists) Define the eliminator function for lists with the
type stated above. Verify that the inductive proofs of Facts 8.1.2 and 8.1.1 can be
formalized with the inductive eliminator function.

Exercise 8.1.4 (Length) Define a length function len : ∀X. L(X) → N for lists and
prove len (A +
+ B) = len A + len B. Note that the length function prunes a list into the
number that remains if one cuts away the elements coming with cons.

Exercise 8.1.5 (Reversal) Define a function rev : ∀X. L(X) → L(X) reversing lists
and prove rev (A + + B) = rev B +
+ rev A and rev (rev A) = A. For instance, we have
rev [1, 2, 3, 4] = [4, 3, 2, 1].

8.2 Expressions and Evaluation

We will consider arithmetic expressions obtained with constants, addition, and sub-
traction. Informally, we describe the abstract syntax of expressions with a scheme
known as a BNF grammar:

e : exp ::= x | e1 + e2 | e1 − e2 (x : N)

105
8 Abstract Syntax

The grammar models expressions as tree-structured objects. Following the gram-

mar, we represent expressions with an inductive type

exp : T ::= con(N) | add(exp, exp) | sub(exp, exp)

Note that the inductive type exp has one value constructor for every form of ex-
pression identified by the grammar.
To ease our presentation, we will write the formal expressions provided by the
inductive type exp using the notation suggested by the BNF. For instance:

e1 + e2 − e3 Ž sub(add e1 e2 )e3

We can now define an evaluation function computing the value of an expression:

E : exp → N
E x := x
E (e1 + e2 ) := E e1 + E e2
E (e1 − e2 ) := E e1 − E e2

Note that E is defined with binary structural recursion. Moreover, E is executable.

For instance, E(3 + 5 − 2) reduces to 6, and the equation E(3 + 5 − 2) = E(2 + 3 + 1)
holds by computational equality.

Exercise 8.2.1 Do the reduction E(3 + 5 − 2) ≻∗ 6 step by step (at the equational
level).

Exercise 8.2.2 (Constructor Laws for expressions) Prove some of the constructor
laws for expressions. For instance, show that con is injective and that add and sub
are disjoint.

Exercise 8.2.3 (Eliminator for expressions) Define an eliminator for expressions

providing for structural induction on expressions. As usual the eliminator has a
clause for each of the three constructors for expression. Since additions and sub-
tractions have two subexpressions, the respective clauses of the eliminator have
two inductive hypotheses. Following this design, the type of the eliminator is

∀p exp→T .
(∀x. p(con x) →
(∀e1 e2 . pe1 → pe2 → p(add e1 e2 ) →
(∀e1 e2 . pe1 → pe2 → p(sub e1 e2 ) →
∀[Link]

106
 8.3 Code and Execution

8.3 Code and Execution

We will compile expressions into lists of numbers. We refer to the list obtained for
an expression as the code of the expression. The compilation will be such that an
expression can be reconstructed from its code, and that execution of the code yields
the same value as evaluation of the expression.
Code is executed on a stack and yields a stack, where stacks are list of numbers.
We define an execution function RCA executing a code C on a stack A as follows:

R : L(N) → L(N) → L(N)

R [] A := A
R (0 :: C) (x1 :: x2 :: A) := R C (x1 + x2 :: A)
R (1 :: C) (x1 :: x2 :: A) := R C (x1 − x2 :: A)
R (SSx :: C) A := R C (x :: A)
R _ _ := []

Note that the function R is defined by recursion on the first argument (the code) and
by case analysis on the second argument (the stack). From the equations defining R
you can see that the first number of the code determines what is done:
• 0 : take two numbers from the stack and put their sum on the stack.
• 1 : take two numbers from the stack and put their difference on the stack.
• SSx : put x on the stack.
The first equation defining R returns the stack obtained so far if the code is ex-
hausted. The last equation defining R is a so-called catch-all equation: It applies
whenever none of the preceding equations applies. Catch-all equations are a nota-
tional convenience that can be replaced by several equations providing the full case
analysis.
Note that the execution function is defined with tail recursion, which can be real-
ized with a loop at the machine level. This is in contrast to the evaluation function,
which is defined with binary recursion. Binary recursion needs a procedure stack
when implemented with loops at the machine level.

Exercise 8.3.1 Do the reduction R[5, 7, 1][] ≻∗ [2] step by step (doing operations
on numbers in one step).

8.4 Compilation

We will define a compilation function γ : exp → L(N) such that ∀e. R(γe)[] = [Ee].
That is, expressions are compiled to code that will yield the same value as evaluation
when executed on the empty stack.

107
8 Abstract Syntax

We define the compilation function by structural recursion on expressions:

γ : exp → L(N)
γx := [SSx]
γ(e1 + e2 ) := γe2 +
+ γe1 +
+[0]
γ(e1 − e2 ) := γe2 +
+ γe1 +
+[1]

We now would like to show the correctness of the compiler:

R (γe) [] = [Ee]

The first idea is to show the equation by induction on e. This, however, will fail
since the recursive calls of R leave us with nonempty stacks and partial codes not
obtainable by compilation. So we have to generalize both the possible stacks and the
possible codes. The generalization of codes can be expressed with concatenation.
Altogether we obtain an elegant correctness theorem telling us more about code
execution than the correctness equation we started with. Formulated in words, the
correctness theorem says that executing the code γe + + C on a stack A gives the
same result as executing the code C on the stack Ee :: A.

Theorem 8.4.1 (Correctness) R (γe +

+ C) A = R C (Ee :: A).

Proof By induction on e. The case for addition proceeds as follows:

R (γ(e1 + e2 ) +
+ C) A
= R (γe2 +
+ γe1 + + C) A
+[0] + definition γ
= R (γe1 + + C) (Ee2 :: A)
+[0] + inductive hypothesis
= R ([0] +
+ C) (Ee1 :: Ee2 :: A) inductive hypothesis
= R C ((Ee1 + Ee2 ) :: A) definition R
= R C (E(e1 + e2 ) :: A) definition E

The equational reasoning shown tacitly employs conversion and associativity of

concatenation (Fact 8.1.2). The details can be explored with the proof assistant. ■

Corollary 8.4.2 R (γe) [] = [Ee].

Proof Theorem 8.4.1 with C = A = [] and Fact 8.1.1. ■

Exercise 8.4.3 Do the reduction γ(5 − 2) ≻∗ [4, 7, 1] step by step (at the equational
level).

Exercise 8.4.4 Explore the proof of the correctness theorem starting with the proof
script in the accompanying Coq development.

108
 8.5 Decompilation

8.5 Decompilation

We now define a decompilation function that for all expressions recovers the expres-
sion from its code. This is possible since the compiler uses a reversible compilation
scheme, or saying it abstractly, the compilation function is injective. The decompi-
lation function closely follows the scheme used for code execution, where this time
a stack of expressions is maintained:

δ : L(N) → L(exp) → L(exp)

δ [] A := A
δ (0 :: C) (e1 :: e2 :: A) := δ C (e1 + e2 :: A)
δ (1 :: C) (e1 :: e2 :: A) := δ C (e1 − e2 :: A)
δ (SSx :: C) A := δ C (x :: A)
δ _ _ := []

The correctness theorem for decompilation closely follows the correctness the-
orem for compilation.

Theorem 8.5.1 (Correctness) δ (γe +

+ C) B = δ C (e :: B).

Proof By induction on e. The case for addition proceeds as follows:

δ (γ(e1 + e2 ) +
+ C) B
= δ (γe2 +
+ γe1 + + C) B
+[0] + definition γ
= δ (γe1 + + C) (e2 :: B)
+[0] + inductive hypothesis
= δ ([0] +
+ C) (e1 :: e2 :: B) inductive hypothesis
= δ C ((e1 + e2 ) :: B) definition δ

The equational reasoning tacitly employs conversion and associativity for concate-
nation +
+. ■

Corollary 8.5.2 δ (γe) [] = [e].

8.6 Notes

The semantics of the expressions and codes considered here is particularly simple
since evaluation of expressions and execution of codes can be accounted for by
structural recursion.
Expressions are represented as abstract syntactic objects using an inductive
type. Inductive types are the canonical representation of abstract syntactic objects.

109
8 Abstract Syntax

A concrete syntax for expressions would represent expressions as strings. While

concrete syntax is important for the practical realization of programming systems,
it has no semantic relevance.
Early papers (late 1960’s) on verifying compilation of expressions are McCarthy
and Painter [25] and Burstall [6]. Burstall’s paper is remarkable because it seems to
be the first exposition of structural recursion and structural induction. Compilation
of expressions appears as first example in Chlipala’s textbook [7], where it is used
to get the reader acquainted with Coq.
The type of expressions is the first inductive type in this text featuring binary
recursion. This has the consequence that the respective clauses in the induction
principle have two inductive hypotheses. We find it remarkable that the generaliza-
tion from linear recursion (induction) to binary recursion (induction) comes without
intellectual cost.

110
9 Certifying Functions and Sum Types

In computational type theory one can write function types that specify the input-
output relation of their functions. We speak of certifying function types and of
certifying functions. When proving properties of a certifying function, one ignores
its definition and relies on its type. For this reason, we will accommodate certifying
functions with abstract constants.
Certifying functions are at the heart of type theory and will play a main role
from now on. As it turns out, language used for mathematical proofs generalizes
to language for constructing certifying functions.
Certifying functions are the computational analogue of propositional lemmas.
Like lemmas, they come as abstract constants whose definition does not matter for
their use. Like lemmas, certifying functions are constructed with informal argu-
ments providing for their formal construction in tactic mode. As with lemmas, the
details of the formal definition of certifying functions do not matter.
The types of certifying functions are often obtained with sum types and sigma
types, which are computational variants of propositional disjunctions and existen-
tial quantifications. To keep the amount of new ideas digestible, we postpone the
discussion of sigma types to the next chapter.
One important application of sum type are certifying equality deciders. We refer
to types having a certifying equality decider as discrete types. We will see that the
class of discrete types is closed under taking product types and under taking sum
types. Moreover, discrete types are closed under taking injective preimages.

9.1 Sum Types

Sum types are a basic type construction and it is about time we introduce them.
Like product types X × Y sum types X + Y combine two types X and Y . However,
sum types are dual to product types in that their elements carry a value of one of
the types rather than values of both types. Sum types may be seen as disjoint type
unions. The propositional versions of sum types and product types are conjunc-
tions and disjunctions.

111
9 Certifying Functions and Sum Types

We define the family of sum types inductively as follows:1

+ (X : T, Y : T) : T ::= L(X) | R(Y )

The definition gives us 3 constructors:

+: T→T→T
L : ∀XY T . X → X + Y
R : ∀XY T . Y → X + Y

A value of a sum type X + Y carries a value of X or a value of Y , where the infor-

mation which alternative is present can be used computationally. The elements of
sum types are called variants.
Sum types are computational variants of disjunctions. In contrast to disjunc-
tions, sum types are not restricted to propositions and are not subject to the dis-
crimination restriction.
A simply typed eliminator for sum types has the type

∀XY Z T . X + Y → (X → Z) → (Y → Z) → Z

We will see destructurings where a simply typed eliminator doesn’t suffice. We

define a dependently typed eliminator for sum types as follows:

E+ : ∀XY T ∀p X+Y →T . (∀x. p(L x)) → (∀y. p(R y)) → ∀a. pa

E+ XY pe1 e2 (L x) := e1 x
E+ XY pe1 e2 (R y) := e2 y
We can use sum types to construct finite types of any cardinality:

⊥ no element
⊥+1 1 element
(⊥ + 1) + 1 2 elements
((⊥ + 1) + 1) + 1 3 elements

Exercise 9.1.1 Give all elements of the type ((⊥ + 1) + 1) + 1 and prove that your
enumeration is complete: ∀a((⊥+1)+1)+1 . a = R I ∨ · · · .
Exercise 9.1.2 (Constructor laws for sum types)
Prove the constructor laws for sum types:
a) L x ≠ R y.
b) L x = L x ′ → x = x ′ .
c) R y = R y ′ → y = y ′ .
Hint: The techniques used for numbers (Figure 4.2) also work for sums.
1
Relying on the context for disambiguation, we reuse the names L and R also used for the proof
constructors of disjunctions.

112
 9.2 Proving at Type Level

Exercise 9.1.3 Define a truncation function T : ∀XY . X + Y → B such that

∀a. if T a then (∃x. a=L x) else (∃y. a=R y).

9.2 Proving at Type Level

It will be handy to have equivalence types:

X a Y := (X → Y ) × (Y → X)

A value of an equivalence type X a Y is a pair of two functions translating between

the types X and Y . For instance, the equivalence types

(X × Y → Z) a (X → Y → Z)
(X + Y → Z) a (X → Z) × (Y → Z)
(X → Y × Z) a (X → Y ) × (X → Z)

are inhabited for all types X, Y , Z.

Equivalence types X a Y are similar to equivalence propositions P ←→ Q. Equiv-
alence types X a Y are more general than equivalence propositions P ←→ Q in that
they can take all types as arguments and not just propositions.
It is often advantageous to approach the construction of a value of a type X as a
proof of X. For instance, the construction of a value of the type equivalence

∀XY Z T . (X × Y → Z) a (X → Y → Z)

is at a certain abstraction level identical with a proof of the propositional equiva-

lence

∀XY Z P . (X ∧ Y → Z) ←→ (X → Y → Z)

The advantage of taking the proof view for types is that the construction of a value
can be done at the proof level rather than at the term level. As we know from
propositions, writing an informal proof that can be elaborated into a formal proof
is much easier than writing a formal proof. Moreover, the elaboration of informal
proofs into formal proofs is greatly assisted by the tactic interpreter of a proof
assistant. It is now time to acknowledge that the tactic interpreter of Coq works for
types in general, not just propositions. The only significant difference between the
propositional and the general level is the propositional discrimination restriction,
which imposes extra conditions on propositional destructuring.

Exercise 9.2.1 Prove the following type equivalences:

a) ∀XY Z T . (X × Y → Z) a (X → Y → Z)

113
9 Certifying Functions and Sum Types

b) ∀XY Z T . (X + Y → Z) a (X → Z) × (Y → Z)
c) ∀XY Z T . (X → Y + Z) a (X → Z) × (X → Z)

Exercise 9.2.2 Prove the following types:

a) ∀bB . (b = true) + (b = false).
b) ∀xy B . x & y = false a (x = false) + (y = false).
c) ∀xy B . x | y = true a (x = true) + (y = true).
The above types can all be shown by boolean case analysis. To see the dramatic
reduction of formal detail obtained by using proof-oriented language construct the
functions asked for at the term level.

Exercise 9.2.3 Prove that double negated disjunction agrees with double negated
sum: ¬¬(P ∨ Q) ←→ ¬(P + Q → ⊥).

Exercise 9.2.4 (Functional characterization)

Prove X + Y a ∀Z T . (X → Z) → (Y → Z) → Z.
Note that the equivalences is analogous to the impredicative characterization of
disjunctions.

Exercise 9.2.5 Construct a truncation function ∀P QP . P + Q → P ∨ Q for sum

types. Note that a converse function ∀P QP . P ∨ Q → P + Q cannot be obtained
because of the propositional discrimination restriction.

9.3 Decision Types

An important application of sum types are so-called decision types:

D(X T ) : T := X + (X → ⊥)

A value of type D(X) is a decision carrying either an element of X or a proof X → ⊥

verifying that X is void. In particular, if X is a proposition, a decision of type D(X)
carries either a proof of X or a proof of ¬X.
If we have a decision D(X), we call X a decided type. It turns out that ⊥ and 1
are decided types, and that decided types are closed under taking function types,
product types and sum types. Moreover, decided types are closed under type equiv-
alence. Finally, decided propositions are closed under the propositional connectives
and propositional equivalence.

114
 9.4 Certifying Functions

Fact 9.3.1 (Closure laws for decided types)

1. D(1) and D(⊥).
2. ∀XY T . D(X) → D(Y ) → D(X → Y ).
3. ∀X T . D(X) → D(X → ⊥).
4. ∀XY T . D(X) → D(Y ) → D(X × Y ).
5. ∀XY T . D(X) → D(Y ) → D(X + Y ).
6. ∀XY T . (X a Y ) → D(X) → D(Y ).
7. ∀XY P . D(X) → D(Y ) → D(X ∧ Y ).
8. ∀XY P . D(X) → D(Y ) → D(X ∨ Y ).
Proof The proofs are identical with the propositional proofs where + and a are
replaced with ∨ and a. ■

Exercise 9.3.2 Prove Fact 9.3.1 with the proof assistant.

Exercise 9.3.3 Prove ∀XY T . (X a Y ) → (D(X) a D(Y )).

Exercise 9.3.4 Prove ∀X T f X→B x X . D(f x = true).

Exercise 9.3.5 Prove ∀X T . (D(X) → ⊥) → ⊥.

9.4 Certifying Functions

Our lead example for certifying functions are certifying equality deciders for num-
bers:

∀xy N . (x = y) + (x ≠ y)

Functions of this type take two numbers and decide whether they are equal. The
decision is returned with a proof asserting the correctness of the decision. When
convenient, we will refer to such proofs as certificates.
Constructing a certifying equality decider for numbers in tactic mode is routine.
In fact, we have carried out the construction before (Fact 5.9.1) for the proposition
∀xy N . (x = y) ∨ (x ≠ y).

Fact 9.4.1 ∀x N y N . (x = y) + (x ≠ y).

Proof By induction on x and case analysis on y with y quantified in the inductive

hypothesis. There are four cases which follow with the constructor laws for num-
bers. The most interesting case is the successor-successor case, where we need to
show (Sx = Sy) + (Sx ≠ Sy) given the inductive hypothesis (x = y) + (x ≠ y). If
we have x = y, we also have Sx = Sy. If we have x ≠ y, Sx ≠ Sy follows with the
injectivity of S. ■

115
9 Certifying Functions and Sum Types

Suppose we have a function F : ∀xy N . (x = y) + (x ≠ y). Then we know exactly

what F gives us without knowing how F is defined. So we can use F in proofs
without knowing its definition. The situation is the same as with a propositional
lemma L : ∀xy N . (x = y) ∨ (x ≠ y) that we use without knowing its proof. Recall
that we call defined constants with a propositional type lemmas if their definition
is blocked for reduction. We now generalize the notion of a lemma such that it
can have any type. We will use the term certifying functions for lemmas with a
non-propositional functional type.
Recall that the type of a lemma serves as in interface between the uses of a
lemma and possible proofs of the lemma. As with a software interface, the type of
a lemma decouples uses of the lemma from proofs of the lemma.
In practice, most functions we construct in computational type theory are ac-
commodated as certifying functions or propositional lemmas. Accommodating a
function as a lemma is perfect whenever we have a relational specification of the
function. Nevertheless, there are important cases where a function is best speci-
fied with defining equations. Example are the basic operations on numbers (e.g.,
addition) and booleans (e.g., boolean negation).
An interesting kind of functions are eliminators. They are always defined with
as inductive functions with defining equations. However, when we destructure as-
sumptions and do case analysis and induction in proofs, we apply the eliminators
without using their defining equations. So we could restrict the use of eliminators
in proofs to irreducible versions hiding their definitions. There remains one impor-
tant use of reducible eliminators in that they facilitate local definitions of inductive
functions.
To summarize, we will see many certifying functions from now on, and we will
always construct them in tactic mode.

Exercise 9.4.2
a) Construct a certifying equality decider F : ∀xy B . (x = y) + (x ≠ y).
b) Prove ∀xy. if F xy then x = y else x ≠ y.
c) Define a boolean equality decider f B→B→B and prove
∀xy. if f xy then x = y else x ≠ y.
d) Prove ∀xy. f xy = if F xy then true else false.

9.5 Certifying Equality Deciders

A certifying equality decider for a type X is a function

∀xy X . D(x = y)

116
 9.6 Computational Decidability

Given two values of type X, a certifying equality deciders decides whether the val-
ues are equal and returns its decision together with a certificate (a proof that the
decision is correct).
We say that a type is discrete if it has a certifying equality decider. It will be con-
venient to have a notation for the type of certifying equality deciders for a type X:

E(X) := (∀xy X . D(x = y))

Formally, E is a plain function T → T.

It turns out that ⊥, 1, B, and N are discrete types, and that discrete types are
closed under taking product types and sum types.

Fact 9.5.1 (Transport of equality deciders)

1. E(⊥), E(1), E(B), E(N).
2. ∀XY T . E(X) → E(Y ) → E(X × Y ).
3. ∀XY T . E(X) → E(Y ) → E(X + Y ).
4. ∀XY T . E(X + Y ) → E(X).
5. ∀XY T . E(X × Y ) → Y → E(X).
6. ∀XY T . E(X × Y ) → E(Y × X).
7. ∀XY T . E(X + Y ) → E(Y + X).

Proof E(N) is Fact 9.4.1. The remaining claims are left as exercises. ■

Discrete types are also closed under injective preimages.

Fact 9.5.2 (Transport)

Injective functions transport equality deciders backwards:
∀XY T ∀f X→Y . injective f → E(Y ) → E(X).

Exercise 9.5.3 Proof Facts 9.5.1 and 9.5.2.

Exercise 9.5.4 Prove E(1 → ⊥).

Exercise 9.5.5 (Boolean equality)

Define an inductive function f N→N→B testing equality of numbers and prove
∀xy. if f xy then x = y else x ≠ y.

9.6 Computational Decidability

Computational type theory is designed such that every definable function is algo-
rithmically computable. Thus we can prove that predicates are computationally de-
cidable within computational type theory by constructing (certifying) deciders for

117
9 Certifying Functions and Sum Types

them. Decidability proofs in computational type theory are formal computability

proofs that avoid the unmanageable formal details coming with explicit models of
computation (e.g., Turing machines).
We call a predicate decidable if it has a certifying decision function:

dec (p X→T ) := ∀x. D(px)

Decidable predicates are algorithmically decidable. Moreover, every decidable

predicate p is logically decidable in that it satisfies the law of excluded middle
∀x. px ∨ ¬px.
The above definition of dec(p) is for unary predicates. It can be extended to
predicates with two arguments:

dec2 (p X→Y →T ) := ∀xy. D(pxy)

We can also define dec0 (X) := D(X). We remark that type theory cannot express a
uniform and readable definition of a type family decn for n ≥ 0.
So far we have focussed on deciders for the equality predicate. We have seen
that the data types ⊥, 1, B, and N have equality deciders, and that this extends to
their closure under product and sum types and injective preimages.
We remark that type theory can easily express undecidable predicates. We will
formalize Post correspondence problem with an inductive predicate in § 15.6.

118
10 Certifying Functions and Sigma Types

Sigma types are dependent pair types. Sigma types are obtained with a type function
p X→T and take as values pairs (x, y) with x : X and y : px. Sigma types are the
computational version of the propositional types for existential quantification.
Sigma types are essential for certifying function types. Given a relation p X→Y →P ,
we can write the function type ∀x. Σy. pxy whose functions take an argument x X
and yield a result y Y such that pxy. More precisely, functions of type ∀x. Σy. pxy
yield for every x a pair (y, a) where a : pxy. A concrete example we will consider
is a certifying function type

∀x N . Σn. (x = 2 · n) + (x = 2 · n + 1)

for division by 2. Functions of this type take a number x and yield the Euclidean
quotient of x/2. Moreover, functions of this type decide whether there is a remain-
der and yield a proof for the correctness of the result (a certificate).
We can translate a certifying function into a simply typed function and a cor-
rectness proof. The translation from simply typed to certified is also possible. For
certifying deciders, we can state the presence of the translations with the computa-
tional equivalence

(∀x. D(px)) a (Σ f X→B . ∀x. px ←→ f x = true)

We will define a truncation operator □X that for a type X yields a proposition □X

that is provable if and only if X is inhabited. Using truncation, the correspondence
between disjunctions and sum types and existential quantifications and sigma types
can be expressed with the propositional equivalences

(P ∨ Q) ←→ □(P + Q)
(∃[Link]) ←→ □(Σ[Link])

10.1 Dependent Pair Types

We have seen pair types (better known a product types)

(x, y) : X × Y

119
10 Certifying Functions and Sigma Types

fixing the types X and Y of their components a priori. Dependent pair types

(x, y) : sig p

employ a type function p X→T and admit all pairs (x, y) such that x : X and y : px.
Thus a dependent pair type doesn’t fix the type of the second component a priory
but instead determines it for each pair depending on the first component.
Dependent pair types sig p are usually written as

Σx X .px

using a quantifier-style notation emphasizing the relationship with existential quan-

tifications ∃x X . px and dependent function types ∀x X . px. All three type families
accommodate a type dependency with a type function p and generalize their sim-
ply typed versions X × Y , X ∧ Y , and X → Y . Note that function types are native
to the type theory while pair types, conjunctions, and existential quantifications are
obtained as inductive types.
The inductive definition of dependent pair types is now routine:

sig (X : T, p : X → T) : T ::= E (x : X, px)

The definition yields a type constructor and a value constructor as follows:

sig : ∀X T . (X → T) → T
E : ∀X T ∀p X→T ∀x X . px → sigX p

We will write (x, a) or (x, a)p for a dependent pair E Xpxa and call x and a the
first and second component of the pair. When p is a predicate, we may refer to x
as the witness and to a as the certificate, as we did for existential quantification.
We often write Σx X .px for sigX p. Following common speak, we will often refer to
dependent pair types as sigma types.
We define the universal eliminator for sigma types:

EΣ : ∀X T ∀p X→T ∀qsig p→T . (∀xy. q (x, y)) → ∀a. qa

EΣ X p q e (x, y) := exy

There is considerable typing bureaucracy but the basic idea is familiar from product
types X × Y and existential quantifications ∃x X . px: If we have a pair s : sigX p, we
can assume x and y and replace s with (x, y). This idea becomes apparent with
the simple type

(∀x X . px → Z) → (sigX p → Z)

Using the eliminator with the simple type suffices whenever s : sigX p occurs only
once in the context we are working in.
We extend the correspondence table between propositional type constructors
and computational type constructors with ∀, ∃, and Σ:

120
 10.2 Certifying Division

∀ → + × Σ a computational types in T
∀ → ∨ ∧ ∃ ←→ propositional types in P

10.2 Certifying Division

We discuss certifying division as our lead example for certifying functions whose
target type is a sigma type:

∀x N . Σn. (x = 2 · n) + (x = 2 · n + 1)

A function of this type takes a number x and returns the Euclidean quotient n of x
and 2 together with a decision of whether x is even or odd. In each case a certificate
(i.e., correctness proof) is provided.
Proving that there is a certifying division function of the given type is straight-
forward. As it comes to the informal proof, there is no difference to proving the
propositional version obtained by replacing Σ with ∃ and + with ∨.
Fact 10.2.1 ∀x N . Σn. (x = 2 · n) + (x = 2 · n + 1).

Proof By induction on x. For the zero case x = 0, we choose n = 0 and prove

x = 2 · 0. For the successor case x = Sx ′ , the inductive hypothesis gives us n such
that (x ′ = 2 · n) + (x ′ = 2 · n + 1). If x ′ = 2 · n, we have x = 2 · n + 1. If x ′ = 2 · n + 1,
we have x = 2 · Sn. ■

We remark that the proof uses simply typed applications of the eliminators for
sigma and sum types for destructuring the inductive hypothesis. As usual we do
not mention these type-theoretic details.
Fact 10.2.2 Let F : ∀x N . Σn. (x = 2 · n) + (x = 2 · n + 1) and D and M be functions
N → N defined as follows:

Dx := let (n, _) = F x in n
Mx := let (_, a) = F x in if a then 0 else 1

Then ∀x. x = 2 · Dx + Mx and ∀x. Mx ≤ 1.

Proof The let expressions used in the definitions of D and M are notation for sim-
ply typed applications of the eliminator for sigma types. The conditional in the
definition of M is notation for a simply typed application of the eliminator for sum
types.
We fix x and prove x = 2 · Dx + Mx and Dx ≤ 1. Let F x = (n, a).
If a = L_, we have x = 2 · n, Dx = n, and Mx = 0. Thus x = 2 · Dx + Mx and
Mx ≤ 1.
If a = R_, we have x = 2 · n + 1, Dx = n, and Mx = 1. Thus x = 2 · Dx + Mx
and Mx ≤ 1. ■

121
10 Certifying Functions and Sigma Types

The type-theoretic details of the proof can be elaborated and verified with a proof
assistant. On paper, one follows mathematical intuition and ignores type-theoretic
details as done above. In case of doubt, one elaborates the informal proof with a
proof assistant.
We provide a few remarks on the type-theoretic details of the above proof. The
equation x = 2 · Dx + Mx is shown after unfolding of D and M (conversion rule)
by destructuring F x into (n, a) (dependently typed application of eliminator for
sigma types) and destructuring a (simply typed application of the eliminator for
sum types). If interested, elaborate the proof with the proof assistant so that all de-
structuring is done by explicitly applying the eliminators for sigma and sum types.
Note that Fact 10.2.2 makes explicit that a definition of the assumed certifying
division function F is not available for the proof.
We remark that in tactic mode eliminators are typically used as certifying
functions whose definition is not needed (here the eliminators for numbers in
Fact 10.2.1, and the eliminators for sum types and sigma types in Fact 10.2.2). The
exception are the applications of the eliminators in the local definitions of D and M
in Fact 10.2.2, where the defining equations of the eliminators are needed for the
proof.

Exercise 10.2.3 (Certifying distance function)

Prove ∀xy N Σ zN . (x + z = y) ∨ (y + z = x).
Hint: Induction on x with y quantified.

Exercise 10.2.4 (Equational match function for numbers)

Construct a certifying function ∀x N . (x = 0) + (Σk. x = Sk).

Exercise 10.2.5 (Equational match function for sum types)

Construct a certifying function ∀aX+Y . (Σx. a = L x) + (Σy. a = R y).

Exercise 10.2.6 (Certifying division by 2)

Assume a function F : ∀x N Σn. (x = 2n) + (x = 2n + 1).
a) Use F to define a function that for a number x yields a pair (n, k) such that
x = 2n + k and k is either 0 or 1. Prove the correctness of your function.
b) Use F to define a function N → B that tests whether a number is even. Prove the
correctness of your function.

Exercise 10.2.7 (Certifying division by 2)

Define a recursive function N → N × B such that

∀x. let (n, b) = f x in x = 2 · n + if b then 0 else 1

Verify the correctness statement.

122
 10.3 Translation Theorems

Exercise 10.2.8 (Functional characterization)

Prove sig p a ∀Z T . (∀x. px → Z) → Z. Note that the equivalence is analogous to
the impredicative characterization of existential quantification.

Exercise 10.2.9 Prove that double negated existential quantification agrees with
double negated sigma quantification: ¬¬ex p ←→ ¬¬sig p.

Exercise 10.2.10 Define a function ∀X T ∀p X→P . sig p → ex p. Note that a converse

function ex p → sig p cannot be defined because of the propositional discrimination
restriction.

10.3 Translation Theorems

We can translate between certifying and boolean deciders for types and equality.
Using sigma types, we can state this fact formally.
Recall the notation for certifying deciders for type functions:

dec (p X→T ) := ∀x. D(px)

A function of type dec (p X→T ) decides for every x whether the type px is inhabited.
In case px is inhabited, a witness is returned, and otherwise a proof px → ⊥.

Fact 10.3.1 (Decider translations)

1. ∀X T . E(X) a Σf X→X→B . ∀xy. x = y ←→ f xy = true
2. ∀X ∀p X→T . dec p a Σf X→B . ∀x. px a f x = true

Proof We argue (1), claim (2) is similar.

Suppose we have certifying equality decider d for X. Then

f xy := if dxy then true else false

satisfies the equivalence.

Suppose we have a boolean function f deciding equality on x. Then we have px
if f xy = true, and px → ⊥ if f xy = false. ■

Often it is convenient to specify a function f X→Y with a type function p X→Y →T

such that ∀x. px(f x). Given the specification, we may construct either a simply
typed function f as specified, or a certifying function F : ∀x. Σy. pxy giving us
both f and its correctness proof. In most cases it turns out that constructing a
certifying function F : ∀x. Σy. pxy first is the way to go. For a concrete example
consider the type function λxn. (x = 2 · n) + (x = 2 · n + 1) specifying a certifying
division function as discussed in § 10.2

123
10 Certifying Functions and Sigma Types

Fact 10.3.2 (Skolem translations)

∀XY T ∀p X→Y →T . (∀x Σy. pxy) a (Σf . ∀x. px(f x)).

Proof Suppose we have a certifying function F : ∀x Σy. pxy. Then

f x := let (y, _) = F x in y

satisfies px(f x) for all x. The other direction is obvious since px(f x). ■

We speak of Skolem translations since there is a ressemblance with Skolem func-

tions in first-order logic.
You may have noticed that in the proofs of the translation theorems we omitted
all type-theoretical details. Discussing them on paper would just be too boring. As
always, we recommend stepping through the accompanying Coq scripts. The scripts
in turn hide considerable type-theoretic detail since they rely on Coq’s destructuring
facilities. If you want to see more, do the proofs following the scripts but do all
destructuring with explicit eliminator applications.

10.4 Projections

We assume a type function p : X → T and define projections yielding the first and
the second component of a dependent pair asig p :

π1 : sig p → X π2 : ∀asig p . p(π1 a)

π1 (x, y) := x π2 (x, y) := y

Note that the type of π2 is given using the projection π1 . The use of π1 is necessary
since the type of the second component of a depends on the first component of a.
Type checking the defining equation of π2 requires a conversion step applying the
defining equation of π1 .

Fact 10.4.1 (Eta Law) ∀asig p . a = (π1 a, π2 a).

Proof By computational equality after destructuring of a. ■

Using the projections we can describe the Skolem translations from Fact 10.3.2
concisely as terms.

λF . (λx.π1 (F x), λx.π2 (F x)) : (∀x Σy. pxy) → (Σf . ∀x. px(f x))
λax. (π1 ax, π2 ax) : (Σf . ∀x. px(f x)) → (∀x Σy. pxy)

We emphasize that in practice one would establish the Skolem translations in tactic
mode (see Fact 10.3.2). Still writing the term descriptions using a proof assistant is
fun and demonstrates the smooth working of implicit argument inference and type
conversion.

124
 10.4 Projections

Exercise 10.4.2 Define a simply typed match function

∀X T ∀p X→T ∀Z T . sig p → (∀x. px → Z) → Z

using the projections π1 and π2 .

Exercise 10.4.3 Construct the eliminator for sigma types as a certifying function
using the projections and the eta law (Fact 10.4.1).

Exercise 10.4.4 Express the projections π1 and π2 for sigma types with terms t1
and t2 using the eliminator EΣ such that π1 ≈ t1 and π2 ≈ t2 .

Exercise 10.4.5 (Certifying Distance)

Assume a function D : ∀xy N Σz. (x + z = y) + (y + z = x) and prove the following:
a) π1 (Dxy) = (x − y) + (y − x).
b) π1 (D 3 7) = 4.
c) x − y = if π2 (Dxy) then 0 else π1 (Dxy).
Note that a definition of D is not needed for the proofs since all information needed
about D is in its type. Hint: For (a) and (c) discriminate on Dxy and simplify. What
remains are equations involving truncating subtraction only.

Exercise 10.4.6 (Propositional Skolem) Due to the propositional discrimination re-

striction for existential quantification, the direction → of the Skolem correspon-
dence cannot be shown for all types X and Y if Σ-quantification is replaced with ex-
istential quantification. (The unprovability persists if excluded middle is assumed.)
There are two noteworthy exceptions. Prove the following:
a) ∀Y T ∀p B→Y →P . (∀x∃y. pxy) → ∃f ∀x. px(f x).
b) ∀X T ∀Y P ∀p X→Y →P . (∀x∃y. pxy) → ∃f ∀x. px(f x).
Remarks: (1) The boolean version (a) generalizes to all finite types X presented with
a covering list. (2) The unprovability of the propositional Skolem correspondence
persists if the law of excluded is assumed. The difficulty is in proving the existence
of the function f since functions must be constructed with computational princi-
ples. (3) In the literature, f is often called a choice function and the direction → of
the Skolem correspondence is called a choice principle.

Exercise 10.4.7 (Existential quantification) Existential quantifications ex Xp are

subject to the propositional discrimination restriction if and only if X is not a propo-
sitional types. Thus a function extracting the witness can only be defined if X is a
proposition.
a) Define projections π1 and π2 for quantifications ex Xp where X is a proposition.
b) Prove a = E (π1 a)(π2 a) for all a : ex Xp where X is a proposition.

125
10 Certifying Functions and Sigma Types

Exercise 10.4.8 (Injectivity laws)

One would think that the injectivity laws for dependent pairs

E xy = E x ′ y ′ → x = x ′
E xy = E xy ′ → y = y ′

are both provable. While the first law is easy to prove, the second law cannot be
shown in general in computational type theory. This certainly conflicts with in-
tuitions that worked well so far. The problem is with subtleties of dependent type
checking and conversion. In Chapter 29, we will show that the second injectivity law
holds if we assume proof irrelevance, or if the type of the first component discrete.
a) Prove the first injectivity law.
b) Try to prove the second injectivity law. If you think you have found a proof on
paper, check it with Coq to find out where it breaks. The obvious proof idea that
rewrites π2 (Exy) to π2 (Exy ′ ) does not work since there is no well-typed rewrite
predicate validating the rewrite.

10.5 Truncation

We define a type constructor □ : T → P mapping a type X to a proposition □X such

that the proposition □X is provable if and only if the type X is inhabited:

□(X : T) : P ::= T(X)

We refer to a proposition □X as truncation of X. We may read a truncation □X

as “X is inhabited”. If X is a computational type, a truncation T x : □X disables
the computational facilities coming with the inhabitant x : X. This is due to the
propositional discrimination restriction for □X and matters if X is a sum type or a
sigma type.
As one would expect, conjunction, disjunction, and existential quantification can
be characterized by the truncations of their computational counterparts (pair types,
sum types, and sigma types).

Fact 10.5.1 (Logical truncations)

1. (P ∧ Q) ←→ □(P × Q).
2. (P ∨ Q) ←→ □(P + Q).

We obtain truncation with an inductive predicate. Alternatively, truncation can

be obtained with existential quantification or impredicatively with function types.

126
 10.5 Truncation

Fact 10.5.2 (Characterizations of truncation)

1. ∀X T . □X ←→ ∃x X .⊤
2. ∀X T . □X ←→ ∀Z P . (X → Z) → Z
3. ∀P P . □(P ) ←→ P

Exercise 10.5.3 Define a simply typed match function for inhabitation types and
prove Facts 10.5.1 and 10.5.2. Moreover, prove ∀P P . □(P ) ←→ P .

Exercise 10.5.4 Prove the following truncation laws for all types X:
a) X → □X
b) □X → (X → □Y ) → □Y
c) ¬□X ←→ ¬X
d) □X → ¬¬X
e) XM → □X ∨ ¬X

Exercise 10.5.5 (Advanced material) We define the type functions

choice X Y := ∀p X→Y →P . (∀x∃y. pxy) → ∃f ∀x. px(f x)

witness X := ∀p X→P . ex p → sig p

You will show that there are translations between ∀XY T . choice X Y and
□(∀X T . witness X). The translation from choice to witness needs to navigate
cleverly around the propositional discrimination restriction. The presence of the
inhabitation operator is essential for this direction.
a) Prove □(∀X T . witness X) → (∀XY T . choice X Y ).
b) Prove (∀XY T . choice X Y ) → □(∀X T . witness X).
c) Convince yourself that the equivalence

(∀XY T . choice X Y ) ←→ □(∀X T . witness X)

is not provable since the two directions require different universe levels for X
and Y .
Hints. For (a) use f := λx. π1 (W Y (px)(F x)) where W is the witness operator and F
is the assumption from the choice operator. For (b) use the choice operator with
the predicate λa Σ(X,p). ex p . λb Σ(X,p). sig p . π1 a = π1 b where p X→P . Keeping the argu-
ments of the predicate abstract makes it possible to obtain the choice function f
before the inhabitation operator is removed. The proof idea is taken from the Coq
library ChoiceFacts.

127
10 Certifying Functions and Sigma Types

10.6 Notes

Sum and sigma types may be seen as computational variants of disjunctions and
existential quantifications. While sum types provide disjoint unions of types, sigma
types are dependent pair types where the type of the second component depends
on the first component (similar to a dependent function type where the type of the
result depends on the argument). With sum and sigma types we can write function
types specifying an input-output relation. Using such informative function types,
we can construct functions together with their correctness proofs, which often is
superior to a separate construction of the function and the correctness proof. We
speak of certifying functions if the type of the function includes the relational speci-
fication of the function. It turns out that the abstract techniques for proof construc-
tion (e.g., induction) apply to the construction of certifying functions starting from
their types, thus eliminating the need to start with defining equations. Certifying
functions are an essential feature of constructive type theories having no equivalent
in set-theoretic mathematics. With informative types we can describe computational
situations often lacking adequate descriptions in set-theoretic language.
Mathematics comes with a rich language for describing proofs. Using this lan-
guage, we can write informal proofs for human readers that can be elaborated into
formal proofs when needed. The tactic level of the Coq proof assistant provides an
abstraction layer for the elaboration of informal proofs making it possible to dele-
gate to the proof assistant the type-theoretic details coming with formal proofs.
It turns out that the idea of informal proof extends to the construction of
certifying functions, which are functions whose type encompasses an input-output
relation. The proof-style construction of certifying functions turns out to be benefi-
cial in practice. It comes for free in a proof assistant since the tactic level addresses
types in general, not just propositional types. The proof-style construction of certi-
fying functions is guided by the specifying type and uses high-level building blocks
like induction. Often, one shows a for-all-exists lemma ∀x X Σy Y .pxy and then
extracts a function f X→Y and a correctness lemma ∀x. px(f x).
Most propositions have functional readings. Once we describe propositions as
computational types using sum and sigma types, their proofs become certifying
functions that may be used in computational contexts. Certifying functions carry
their specifications in their types and may be seen as computational lemmas. Like
propositional lemmas, certifying functions are best described with high-level proof
outlines, which may be translated into formal proof terms using the tactic inter-
preter of a proof assistant.
Product, sum, and sigma types are obtained as inductive types. In contrast to
the propositional variants, where simply typed eliminators suffice, constructions
involving product, sum, and sigma types often require dependently typed elimina-

128
 10.6 Notes

tors. Existential quantifications and sigma types are distinguished from the other
inductive types we have encountered so far in that their value constructors model
a dependency between witness and certificate using a type function.
Computational type theory originated with Martin-Löf type theory [23]. In con-
trast to the type theory we are working in, Martin-Löf type theory does not have a
special universe for propositions but accommodates propositions as ordinary types.
So there is no propositional discrimination restriction and there are no proposi-
tional variants of product, sum and sigma types. This simplicity comes at the price
that assumptions like excluded middle can only be formulated for all types, which
is not meaningful (but consistant). Having an impredicative universe of proposi-
tions is a key feature of the computational type theory underlying the Coq proof
assistant [9].

129
11 More Computational Types

The main tool for relating types are injections and bijections. We consider injections
and bijections that come with inverse functions. For the types of injections and
bijections dependent tuple types are needed. We shall use customised inductive
types for injection and bijection types. We show Cantor’s theorem for injections.
We also show that sigma types can represent sum types and product types up to
bijection.
We discuss option types O(X), which extend a type X with an extra element.
Option types O(X) may be defined as sum types X + 1, but we shall use a dedicated
inductive type constructor. For option types, we construct a function that from a
bijection between O(X) and O(Y ) obtains a bijection between X and Y . For the
construction a clever use of a certifying function is essential.
We then discuss two prominent type families Nn and Vn X known as numeral
types and vector types. We obtain both families by structural recursion on the in-
dex n using option types and product types. Numeral types are finite types On ⊥
obtained by applying the option type constructor to void. Vector types are sequence
types (λY .X×Y )n 1 obtained by nesting pair types starting with unit. Both construc-
tions make full use of type conversion.
We remark that the basic notions discussed in this chapter (injections, bijections,
numerals, vectors) are computational refinements of notions that have been studied
in set theory for a long time.

11.1 Injections and Bijections

Given a function f X→Y , we say that a function g Y →X inverts f if ∀x. g(f x) = x.

We also say that g is an inverse function for f . We may picture the inversion
property as a roundtrip property allowing us to go with f from X to Y and to
return with g from Y to X to exactly the x we started from. It will be convenient to
have the inversion predicate

inv : ∀XY T . (X → Y ) → (Y → X) → P
invXY gf := ∀x. g(f x) = x

131
11 More Computational Types

Fact 11.1.1 (Inverse functions)

1. inv gf → injective f ∧ surjective g.
2. inv gf → surjective f ∨ injective g → inv f g.
3. All inverse functions of a surjective function agree:
surjective f → inv gf → inv g ′ f → ∀y. gy = g ′ y.

Proof The proofs are straightforward but interesting. Exercise. ■

We define injection types

I(X : T, Y : T) : T ::= I(f : X → Y , g : Y → X, inv gf )

and call their inhabitants injections. An injection IXY is an embedding of the

type X into the type Y where different elements of X are mapped to different ele-
ments of Y . We say that X embeds into Y or that X is a retract of Y if there is an
injection IXY .
Technically, injection types are specialized dependent tuple types. An injection
type IXY can be expressed as a nested sigma type Σ f X→Y Σ g Y →X . inv gf .

Fact 11.1.2 (Reflexivity and Transitivity)

IXX and IXY → IY Z → IXZ.

Proof Exercise. ■

Fact 11.1.3 (Transport)

IXY → E(Y ) → E(X).

Proof By Fact 9.5.2 it suffices to have an injective function X → Y , which exists by

Fact 11.1.1. ■

Fact 11.1.4 (Cantor) I(X → B)X → ⊥. That is, X → B does not embed into X.

Proof Follows from Fact 6.3.4 since the inverse function of the embedding function
is surjective. ■

A bijection is a symmetric injection where the two functions invert each other in
either direction. We define bijection types

B(X : T, Y : T) : T ::= B(f : X → Y , g : Y → X, inv gf , inv f g)

and call their inhabitants bijections.

We say that two types X and Y are in bijection if there is a bijection BXY .
Bijectivity is a basic notion in mathematics. A bijection between X and Y establishes
a one-to-one correspondence between the elements of X and the elements of Y .

132
 11.1 Injections and Bijections

Speaking informally, a bijection between X and Y says that X and Y are renamed
versions of each other. This is not necessarily the case for an injection IXY where
the target type Y may have elements not appearing as images of elements of the
source type X.

Fact 11.1.5 BXY → IXY × IY X.

Fact 11.1.6 (Reflexivity, Symmetry, Transitivity)

Bijectivity is a computational equivalence relation on types:
BXX, BXY → BY X, and BXY → BY Z → BXZ.

Fact 11.1.7 All empty types are in bijection: (X → ⊥) → (Y → ⊥) → B XY .

Proof We have functions X → ⊥ and Y → ⊥. Computational falsity elimination

gives us functions X → Y and Y → X. The inversion properties hold vacuously with
the assumptions. ■

Note that computational falsity elimination is essential in this proof.

We have already established a prominent bijection.

Fact 11.1.8 N × N and N are in bijection.

Proof Arithmetic pairing as developed in Chapter 7. ■

Fact 11.1.9 (Sigma types can express product and sum types)
Sigma types can express product types X × Y and sum types X + Y up to bijection.
1. X × Y and sig (λx X .Y ) are in bijection.
2. X + Y and sig (λbB . if b then X else Y ) are in bijection.

Proof The functions for the bijections can be defined with the simply typed match
function for sigma types. The proofs of the roundtrip equations, however, require
the dependently typed eliminator (with one exception). ■

Exercise 11.1.10 Prove the claims of all facts stated without proofs.

Exercise 11.1.11 Give a function f N→N that has two non-agreeing inverse functions.

Exercise 11.1.12 (Boolean functions) Prove the following:

a) A function B → B is injective if and only if it is surjective.
b) Every injective function B → B agrees with either the identity or boolean negation.
c) Every injective function B → B has itself as unique inverse function:
∀f B→B . inv f f ∧ (∀g. inv gf → agree gf ).
Hint: A proof assistant helps to manage the necessary case analysis.

133
11 More Computational Types

Exercise 11.1.13 Show that N → N → X and N → X are in bijection.

Exercise 11.1.14 Show that the following types are in bijection using bijection
types.
a) B and ⊤ + ⊤.
b) X × Y and Y × X.
c) X + Y and Y + X.
d) X and X × ⊤.
Exercise 11.1.15
Show that BXY and Σ f X→Y Σ g Y →X . inv gf ∧ inv f g are in bijection:
a) BXY a Σ f X→Y Σ g Y →X . inv gf ∧ inv f g.
b) B (BXY ) (Σ g Y →X . inv gf ∧ inv f g).
Exercise 11.1.16 Prove B N B → ⊥.

Exercise 11.1.17
Prove that bijections transport equality deciders: BXY → E(X) → E(Y ).

11.2 Option Types

Given a type X, we may see the sum type X + 1 as a type extending X with an
additional element. Such one-element extensions are often useful and can be ac-
commodated with dedicated inductive types called option types:

O(X : T) : T ::= ◦X | œ

The inductive type definition introduces the constructors

O: T→T
◦
: ∀X T . X → O(X)
œ : ∀X T . O(X)

We treat the argument X of the value constructors as implicit argument. Following

language from functional programming, we pronounce the constructors ◦ and œ as
some and none. We offer the intuition that œ is the new element and that ◦ injects
the elements of X into O(X).

Fact 11.2.1 (Equality deciders)

Option types transport equality deciders in both directions:
∀X T . E(X) a E(O(X)).

Proof Direction → follows by discrimination on options and both constructor laws

for options. Direction ← follows with the injectivity of the some constructor. ■

134
 11.2 Option Types

Bijection Theorem for Option Types

Given a bijection between O(X) and O(Y ), we can construct a bijection between X
and Y . This intuitively clear result needs a clever proof using a certifying function
through a Skolem translation.
Suppose f and g provide a bijection between O(X) and O(Y ). We first define a
bijective function f ′X→Y . To map x, we look at f (◦x). If f (◦x) = ◦y, we map x to y.
If f (◦x) = œ, we have f œ = ◦y for some y and map x to y. The other direction is
symmetric.
Defining a function f ′X→Y as described above involves a computational falsity
elimination. For this reason we work with a cleverly designed certifying function so
that the definition of the function is not needed for proving the required properties.
We work with the following specification:
′
lower f O(X)→O(Y ) f ′X→Y := ∀x. match f (◦x) [ ◦y ⇒ f ′ x = y | œ ⇒ ◦f x = f œ ]

Lemma 11.2.2 ∀f O(X)→O(Y ) . injective f → sig (lower f ).

Proof By the Skolem translation (Fact 10.3.2) it suffices to prove

∀x Σz. match f (◦x) [ ◦y ⇒ z = y | œ ⇒ ◦z = f œ ]. Straightforward. ■

Lemma 11.2.3 ∀f O(X)→O(Y ) . lower f f ′ → lower gg ′ → inv gf → inv f g → inv g ′ f ′ .

Proof Case analysis following lower f f ′ and lower gg ′ . ■

Theorem 11.2.4 (Bijection) ∀XY . B (O(X)) (O(Y )) → BXY .

Proof Follows with Lemmas 11.2.2 and 11.2.3. ■

Exercise 11.2.5 (Eliminator and constructor laws)

Define an eliminator for option types and use it to prove the constructor laws.
Follow the techniques used for numbers in § 4.3.

Exercise 11.2.6 Prove ∀aO(X) . a ≠ œ a Σx. a = ◦x.

The direction → needs computational falsity elimination.

Exercise 11.2.7 Prove ∀f X→O(Y ) . (∀x. f x ≠ œ) → ∀x Σy. f x = ◦y.

Note the need for computational falsity elimination. Show that assuming the above
claim yields computational falsity elimination in the form ∀X T . ⊥ → X (instantiate
with X := ⊥, Y := X, and f = λ_.œ).
3⊥
Exercise 11.2.8 Prove ∀x O . x = œ ∨ x = ◦œ ∨ x = ◦◦œ.
Exercise 11.2.9 (Bijectivity) Show that the following types are in bijection:

a) ⊤ and O⊥. c) O(X) and X + ⊤.

b) B and O2 ⊥. d) N and O(N).

135
11 More Computational Types

Exercise 11.2.10 Prove BXY → B(OX)(OY ).

Exercise 11.2.11 Prove the bijection theorem with the proof assistant not looking
at the code we provide. Formulate a lemma providing for the two symmetric cases
in the proof of Theorem 11.2.4.

Exercise 11.2.12 (Counterexample) Find a type X and functions f : X → O(X) and

g : O(X) → X such that you can prove inv g f and disprove inv f g.

Exercise 11.2.13 (Truncating subtraction with flag)

Define a recursive function f : N → N → O(N) that yields ◦(x − y) if the subtraction
x − y doesn’t truncate, and œ if the subtraction x − y truncates. Prove the equation
f xy = if y − x then ◦(x − y) else œ.

Exercise 11.2.14 (Kaminski reloaded)

3 3
Prove ∀f O ⊥→O ⊥ ∀x. f 8 (x) = f 2 (x).
3
Hint: Prove ∀x O ⊥ . x = œ ∨ x = ◦œ ∨ x = ◦◦œ and use it to enumerate x, f x, f 2 x,
and f 3 x. This yields 34 cases, all of which are solved by Coq’s congruence tactic.

11.3 Numeral Types

We define numeral types recursively:

N0 := ⊥
NSn := O(Nn )

By construction, Nn is a finite type with n elements. For instance, the elements of

N3 are œ, ◦œ, ◦◦œ. We may think of the elements of NSn as the numbers 0, . . . , n.
Formally, numeral types are obtained with an inductive function N → T.

Fact 11.3.1 (Equality Deciders) E(Nn ).

Proof By induction on n using Facts 9.5.1(1) and 11.2.1. ■

We can now give a formal definition of what it means that a type has n elements.

Definition 11.3.2 A type X has cardinality n if it is in bijection with Nn . Moreover,

a type X is finite if it is in bijection with some numeral type Nn .

We would like to prove that a type X has at most one cardinality. Suppose X is
in bijection with Nm and Nn . Then Nm and Nn are in bijection.

136
 11.4 Vector Types

Fact 11.3.3 (Cardinality) B Nm Nn → m = n.

Proof By induction on m and discrimination on n with n quantified in the inductive

hypothesis. There are three nontrivial cases, two of which follows by contradiction
since N0 and NSk cannot be in bijection. The remaining case B NSm NSn → Sm = Sn
follows with the bijection theorem 11.2.4 for option types and the inductive hypoth-
esis. ■

Exercise 11.3.4 (Decidable quantification)

Let d be a certifying decider for p : Nn → T. Prove the following:
a) (Σ[Link]) + (∀[Link] → ⊥)
b) D(∀[Link])
c) D(Σ[Link])
Hint: Use induction on the cardinality n.

11.4 Vector Types

Vectors are sequences ⟨x1 , . . . , xn ⟩ of values from a common base type. We define
vector types Vn X recursively:

V0 X := 1
VSn X := X × Vn X

Formally, vector types are obtained with an inductive function V : N → T → T

recursing on numbers and representing vectors as nested pairs.1 As an example,
we offer

(1, (2, (3, I))) : V3 N ≈ N × (N × (N × 1))

The single element of V0 X ≈ 1 is I, and the elements of VSn X ≈ X × Vn X are pairs

(x, v) where x : X and v : Vn X.

Fact 11.4.1 (Equality deciders) E(X) → E(Vn X).

Proof By induction on n. We have a decider E(V0 X) since V0 X ≈ ⊥. Moreover, we

have a decider E(VSn X) since VSn X ≈ X × Vn X, we have a decider E(X), and the
inductive hypothesis gives us a decider E(Vn X). ■

1
The nested pair representation is well-known from lists. It appeared in set theory where it us used
to represent tuples of arbitrary length.

137
11 More Computational Types

Vector types can be seen as refinement of list types where in addition to the
element type the length is prescribed. We define a dedicated constant nil for the
empty vector and list-style operations cons, hd, and tl:

nil : ∀X. V0 X hd : ∀Xn. VSn X → X

nil := I hd Xn (x, v) := x

cons : ∀Xn. X → Vn X → VSn X tl : ∀Xn. VSn X → Vn X

cons Xn xv := (x, v) tl Xn (x, v) := v

Note that we have defined hd and tl as inductive functions and that conversion is
needed for type checking the patterns of the defining equations. We remark that
for list types hd cannot be defined as a total function since we don’t have a default
value for the empty list. We will treat X and n as implicit arguments.

Fact 11.4.2 (Eta law) cons (hd a)(tl a) = a.

Proof Discrimination on a : VSn X and computational equality. ■

We define a function returning arithmetic vectors:

enum : N → ∀n. Vn N
enum k 0 := nil
enum k (Sn) := cons k (enum (Sk) n)

For instance, we have enum 1 3 ≈ cons 1 (cons 2 (cons 3 nil)).

Exercise 11.4.3 (Tuple types) Tuple types generalize vector types in that they de-
termine their component types with a type function N → T:

tup : (N → T) → N → T
tup p 0 := I
tup p (Sn) := pn × tup p n

Construct functions as follows:

a) ∀p N→T . (∀n. tup pn → pn) → ∀n. tup pn
b) ∀p N→T . (∀n. tup p n → pn) → ∀n. pn

138
 11.4 Vector Types

11.4.1 Position Element Maps

We may number the positions of a vector from left to right starting with 0. We define
a function that given a vector and a position returns the element at the position:

sub : ∀Xn. VSn X → N → X

sub X 0 vk := hd v
sub X (Sn) v 0 := hd v
sub X (Sn) v (Sk) := sub Xn(tl v) k

Note that the primary discrimination is on n. Also note that the type of sub ensures
that in case the given position k is too large the last element of the vector can be
returned.
Note that the numeral type Nn has exactly as many elements as the vectors of
type Vn have positions. Using numerals, we can define a safe position element map
always returning the element at the given position:

sub′ : ∀Xn. Vn X → Nn → X
sub′ X 0 va := E⊥ Xa
sub′ X (Sn) v ◦a := sub′ Xn (tl v) a
sub′ X (Sn) v œ := hd v

Note the use of the eliminator for void in the contradictory case handled by the first
defining equation.

Exercise 11.4.4 We treat X and n as implicit arguments of sub and sub′ . Prove the
following equations. For each equation, first determine the most general type for v.

sub v 0 = hd v sub′ v œ = hd v
sub v 1 = hd(tl v) sub′ v ◦œ = hd(tl v)

Exercise 11.4.5
a) Define a function last : ∀Xn. VSn X → X returning the element at the last
position of a vector.
b) Prove ∀v VSn X . sub vn = last v.
c) Define a function snoc : ∀Xn. Vn → X → VSn appending an element at the end
of a vector.
d) Prove last(snoc vx) = x.
e) Define a function rev : ∀Xn. Vn X → Vn X reversing a vector.
f) Prove rev (rev v) = v.

139
11 More Computational Types

11.4.2 Concatenation

We define a concatenation operation for vectors.

con : ∀Xmn. Vm X → Vn X → Vm+n X

con X 0 nvw := w
con X (Sm) nvw := cons (hd v) (con Xmn(tl v)w)

We treat X, m, n as implicit arguments and write v +

+ w for con vw.
Now suppose we have three vectors u : Vm X, v : Vn X, w : Vk X. Then the two
concatenations

(u +
+ v) +
+ w : V(n+m)+k X
u+ + w) : Vn+(m+k) X
+(v +

have incompatible types (that is, nonconvertible types) although they yield the same
value. Thus the associativity law for vector concatenation cannot be expressed di-
rectly. The problem goes away if m, n, and k are concrete numbers rather than
variables.
The type checking problem can be bypassed with a dedicated cast function:

cast : ∀Xmnk. V(m+n)+k X → Vm+(n+k) X

con X 0 nkv := v
con X (Sm) nkv := cons (hd v) (cast Xmnk (tl v))

We treat X, m, n, k as implicit arguments.

Fact 11.4.6 (Associativity)

∀uVm X ∀v Vn X ∀w Vk X . cast ((u +
+ v) +
+ w) = u + + w).
+(v +

Proof By induction on m with u quantified. Straightforward. ■

The formulation and proof of the associativity law for vector concatenation come
with massive type conversion and with massive elaboration of implicit arguments.
This is quite feasible with a proof assistant but too tedious to be done with pen and
paper.

Exercise 11.4.7 Prove V(n+m)+k X = Vn+(m+k) X.

Exercise 11.4.8 Convince yourself that the equation

(enum 0 3 +
+ enum 3 3) +
+ enum 6 3 = enum 0 3 +
+(enum 3 3 +
+ enum 6 3)

type checks and holds by computational equality.

140
12 Linear Arithmetic
Numbers 0, 1, 2, . . . are the basic recursive data structure. Starting from the induc-
tive definition of numbers, we study the algebraic properties of addition and trun-
cating subtraction. Comparisons x ≤ y will be obtained as equations x − y = 0.
The system obtained with addition and subtraction of numbers is called linear
arithmetic. Proof assistants come with automatic provers for linear arithmetic free-
ing users from knowing the basic lemmas for numbers. Linear arithmetic provers
realize an abstraction level that is commonly used in informal proofs.
We also define multiplication and prove its basic algebraic properties.
Studying linear arithmetic in computational type theory starting from first prin-
ciples is fun. As always, the thrill is in finding the right definitions and the right
theorems in the right order. There is beauty and elegance in the development pre-
sented here.

12.1 Inductive Definition of Numbers

The type of numbers 0, 1, 2 . . . is obtained with an inductive definition

N ::= 0 | S(N)

introducing three constructors:

N : T, 0 : N, S:N→N

Based on the inductive type definition, we can define inductive functions. A basic
inductive function is an eliminator providing for inductive proofs:

EN : ∀p N→T . p 0 → (∀x. px → p(Sx)) → ∀[Link]

EN pe1 e2 0 := e1
EN pe1 e2 (Sx) := e2 x(EN paf x)

A discussion of the eliminator appears in §5.7. Matches for numbers can be ob-
tained as applications of the eliminator where no use of the inductive hypothesis
is made. Or more directly, a specialized elimination function for matches omitting
the inductive hypothesis can be defined.
We shall often use the if-then-else notation for zero testing:

if s then s1 else s2 Ž match s [ 0 ⇒ s1 | S _ ⇒ s2 ]

141
12 Linear Arithmetic

Fact 12.1.1 (Constructor laws)

1. Sx ≠ 0 (disjointness)
2. Sx = Sy → x = y (injectivity)

Proof The results follow with matches, rewriting, and conversion. The proofs are
discussed in § 4.3. ■

Exercise 12.1.2 Prove Sx ≠ x.

12.2 Addition

We accommodate addition of numbers with an inductive function:

+:N→N→N
0 + y := y
Sx + y := S(x + y)
Fact 12.2.1 (Commutativity) x + y = y + x.

Proof By induction on y using the lemmas x + 0 = x and x + Sy = Sx + y. Both

lemmas follow by induction on x. ■

We remark that addition is not symmetric at the level of computational equality

although it is commutative at the level of propositional equality. This unpleasant
situation cannot be avoided in the type theory we work in.
Fact 12.2.2 (Associativity) (x + y) + z = x + (y + z).

Proof By induction on x. ■

Associativity and commutativity of addition are used tacitly in informal proofs.

moreover, parentheses may be omitted; For instance, x + y + z Ž (x + y) + z. The
symmetric versions x + 0 = x and x + Sy = S(x + y) of the defining equations may
also be used tacitly.
Fact 12.2.3 (Zero propagation) x + y = 0 ←→ x = 0 ∧ y = 0.

Proof By discrimination on x and constructor disjointness. ■

Fact 12.2.4 (Injectivity) x + y = x + y ′ → y = y ′

Proof By induction on x. ■

Corollary 12.2.5 (Injectivity) x + y = x → y = 0.

Proof Follows with injectivity since x = x + 0. ■

Corollary 12.2.6 (Contradiction) x + Sy ≠ x.

Proof Follows with injectivity since x = x + 0. ■

142
 12.3 Subtraction

12.3 Subtraction

We define (truncating) subtraction of numbers as an inductive function that yields 0

whenever the standard subtraction operation for integers yields a negative number:

− : N→N→N
0 − y := 0
Sx − 0 := Sx
Sx − Sy := x − y

The recursion is on the first argument. The successor case is realized with a sec-
ondary discrimination on the second argument.

Fact 12.3.1 x − 0 = x.

Proof Discrimination of x and computational equality. ■

Fact 12.3.2
1. x + y − x = y
2. x − (y + z) = x − y − z

Proof Both claims follow by induction on x and discrimination on y. ■

Corollary 12.3.3
1. x − x = 0
2. x − (x + y) = 0

12.4 Comparisons

We define comparisons using truncating subtraction:

x ≤ y := (x − y = 0)

We define the usual notational variants for comparisons:

x < y := Sx ≤ y
x ≥ y := y ≤ x
x > y := y < x

We refer to the predicate (≤) : N → N → P as order relation.

Fact 12.4.1 The following equations hold by computational equality:

143
12 Linear Arithmetic

1. (Sx ≤ Sy) = (x ≤ y) (shift law)

2. 0 ≤ x
3. 0 < Sx

Fact 12.4.2
1. x ≤ x + y
2. x ≤ x
3. x ≤ Sx
4. x − y ≤ x

Proof (1) follows with Fact 12.3.3(2). (2) and (3) follow from (1). (4) follows with
Fact 12.3.2(2) and (1). ■

Fact 12.4.3 (Additive characterization) x ≤ y ←→ x + (y − x) = y.

Proof By induction on x with y quantified followed by discrimination on y. ■

Fact 12.4.4 (Antisymmetry) x ≤ y → y ≤ x → x = y.

Proof Follows by equational reasoning after x ≤ y is replaced with the additive

characterization. ■

Fact 12.4.5 (Transitivity)

1. x ≤ y → y ≤ z → x ≤ z
2. x < y → y ≤ z → x < z
3. x ≤ y → y < z → x < z

Proof For (1), replace z and then y in the claim with the additive characterization
for the assumptions. The reduced claim follows with Fact 12.4.2(1).
(2) is an instance of (1), and (3) is an instance of (1) modulo conversion. ■

Fact 12.4.6 x − y = Sz → y < x.

Proof By induction on x with y quantified followed by discrimination on y in the

successor case. ■

Fact 12.4.7 (Contradictions)

1. (x < 0) → ⊥
2. (x + y < x) → ⊥
3. (x < x) → ⊥

Proof (1) follows by the disjointness constructor law. (2) follows by Fact 12.3.2(1).
(3) follows from (2). ■

144
 12.4 Comparisons

Fact 12.4.8 (Negative Characterizations)

1. x ≤ y ←→ (y < x → ⊥)
2. x < y ←→ (y ≤ x → ⊥)

Proof (2) is a conversion instance of (1). (1) follows by induction on y followed by

discrimination on y with y quantified in the inductive hypothesis. ■

Exercise 12.4.9 (Equality by contradiction)

Prove (x < y → ⊥) → (y < x → ⊥) → x = y.

Exercise 12.4.10 Prove the following:

a) x ≤ y → x ≤ Sy
b) x < y → x ≤ y
c) x + y ≤ z → x ≤ z
d) x ≤ y → x ≤ y + z
e) x + y ≤ x + z ←→ y ≤ z.
f) 0 < x → x − Sy < x.

Exercise 12.4.11 (Brute force proofs)

Most facts about comparisons can be proved without lemmas using a single induc-
tion and case analysis on variables. A notable exception is x − y ≤ x.
Prove the following types not using lemmas.
a) x ≤ x
b) x ≤ y → y ≤ z → x ≤ z
c) x < y → y ≤ z → x < z
d) x ≤ y → y < z → x < z
e) x ≤ y → y ≤ x → x = y
f) x ≤ x + y
g) x ≤ 0 → x = 0
h) x ≤ y → x + (y − x) = y
i) (x ≤ y) + (y < x)
j) x ≤ y ←→ ¬(y < x)
k) x ≤ y → y ≤ Sx → (x = y) + (y = Sx)
l) if x − y then x ≤ y else y < x
m) if (x − y) + (y − x) then x = y else x ≠ y

145
12 Linear Arithmetic

12.5 Arithmetic Testers and Deciders

We say that a function f : N → N → N is reducible if f st reduces to a canonical

term whenever s and t are canonical terms. Addition and subtraction are reducible
functions.
We say that a reducible function f : N → N → N is an arithmetic tester for a
predicate p : N → N → P if the proposition if f xy then px else ¬px is provable.

Fact 12.5.1 Predicates that have an arithmetic tester have a certifying decider.

Proof Trivial. ■

Fact 12.5.2 (Arithmetic testers)

The predicates x ≤ y, x < y, and x = y have arithmetic testers:

if x − y then x ≤ y else ¬(x ≤ y)

if Sx − y then x < y else ¬(x < y)
if (x − y) + (y − x) then x = y else x ≠ y

Proof All three propositions follow by discrimination on the guard of the condi-
tional. For the third proposition we need memorizing discrimination. In the zero
case, zero propagation (Fact 12.2.3) gives us x ≤ y and y ≤ x, so the claim follows
with antisymmetry. In the successor case, we assume x = y and obtain a contradic-
tion with constructor disjointness since (x − x) + (x − x) = 0 with Fact 12.3.3(1). ■

Corollary 12.5.3 (Certifying deciders)

The predicates x ≤ y, x < y, and x = y have certifying deciders.

Based on Fact 12.5.2 we shall use the notations

if s ≤ t then u else v Ž if s − t then u else v

if s < t then u else v Ž if S s − t then u else v
if s = t then u else v Ž if (s − t) + (t − s) then u else v

Fact 12.5.4 (Certifying Deciders)

a) ∀xy. (x ≤ y) + (y < x)
b) ∀xy. (x ≤ y) → (x < y) + (x = y)
c) ∀xy. (x ≤ y) → (y ≤ Sx) → (x = y) + (y = Sx) (tightness)

Proof All claims follow by induction on x and discrimination on y. ■

Exercise 12.5.5 Define a boolean decider for x ≤ y and prove its correctness.

146
 12.6 Linear Arithmetic Prover

12.6 Linear Arithmetic Prover

Proof assistants come with terminating provers that for linear arithmetic propo-
sitions construct a proof whenever the proposition is provable. Linear arithmetic
propositions are obtained with =, ≤, ⊥, →, ∧, and ∨ from linear arithmetic ex-
pressions obtained with +, −, and S from numbers and variables. In Coq a linear
arithmetic prover is available through the automation tactic lia (linear integer arith-
metic). A linear arithmetic prover frees the user from knowing the lemmas for linear
arithmetic, a service making a dramatic difference with more involved proofs where
the details of linear arithmetic would be overwhelming. A linear arithmetic prover
will for instance find a proof for ¬(x > y) ←→ ¬(x ≥ y) ∨ ¬(x ≠ y).
From now on we will write proofs involving numbers assuming the abstraction
level provided by linear arithmetic.
Coq defines comparisons x ≤ y with an inductive type constructor, a definition
that is quite different from our definition. The difference doesn’t matter if compar-
isons are handled with lia, and we will do this from now on.
Coq’s automation tactic lia cannot do type sums. Still, a certifying decider like
∀xy. (x ≤ y) + (y < x) can be constructed with a single memorizing arithmetic
discrimination and linear arithmetic. The trick is matching on the number x − y,
which determines the result decision. The certificates are then obtained with the
linear arithmetic prover. Similar ideas work for the other deciders in § 12.5.

Exercise 12.6.1 Define the certifying deciders in § 12.5 in Coq using in each case a
single memorizing arithmetic discrimination and the linear arithmetic prover lia.

12.7 Multiplication

We accommodate addition of numbers with a recursively defined function:

· :N→N→N
0 · y := 0
Sx · y := y + x · y

With this definition the equations

0·y =0 1·y =y +0 2 · y = y + (y + 0)

hold by computational equality.

147
12 Linear Arithmetic

Fact 12.7.1 (Distributivity)

a) (x + y) · z = x · z + y · z
b) (x − y) · z = x · z − y · z

Proof Both equations follow by induction on x and linear arithmetic. For the equa-
tion with subtraction discrimination on y is needed in the successor case. Hence y
must be quantified in the inductive hypothesis. ■

Fact 12.7.2 (Associativity) (x · y) · z = x · (y · z).

Proof By induction on x. The successor case follows with distributivity over “+”. ■

Fact 12.7.3 (Commutativity) x · y = y · x.

Proof By induction on y using x · 0 = 0 in the zero case and x · Sy = x + x · y in

the successor case. Both lemmas follow by induction on x. The successor case of
the successor lemma needs linear arithmetic. ■

12.8 Notes

The inclined reader may compare the computational development of linear arith-
metic given here with Landau’s [22] classical set-theoretic development from 1929.

148
13 Least Witness Operators

A least witness operator (LWO) decides for a decidable predicate p N→P and a
bound n whether p is satisfied by some k ≤ n. In this is the case, the operator
returns the least such k called the least witness of p.
The most principled way to obtain an LWO is, as usual, to construct it as a certi-
fying function in tactic mode. Based on the certifying LWO, we construct certifying
deciders for finite quantifications ∀k<n. pk and ∃k<n. pk.
We also present and verify a number of simply typed reducible least witness
functions. The correctness proofs for these functions provide us the with opportu-
nity to demonstrate basic program verification techniques in the context of compu-
tational type theory.
We define divisibility and primality of numbers with finite quantification and
obtain deciders for the corresponding predicates with the general deciders for finite
quantification.
On the foundational side, and related to LWOs, we prove that satisfiable pred-
icates on numbers have least witnesses if and only if the law of excluded middle
holds.

13.1 Least Witness Predicate

In this chapter, p will denote a predicate N → P and n and k will denote numbers.
We will use the notations (with ≤)

∀k<n. pk := ∀k. k < n → pk

∃k<n. pk := ∃k. k < n ∧ pk
Σ k<n. pk := Σk. k < n ∧ pk

and speak of finite quantifications. We say that n is a witness of p if pn is provable,

and that p is satisfiable if ∃[Link] is provable. We define a least witness predicate
as follows:

safe p n := ∀k<n. ¬pk

least p n := pn ∧ safe pn

Note that safe pn says that no number below n is a witness.

149
13 Least Witness Operators

Fact 13.1.1 (Uniqueness)

Least witnesses are unique: least p n → least p n′ → n = n′ .

Proof Follows with antisymmetry. ■

Fact 13.1.2 (Safety propagation)

1. safe p0 (init)
2. safe pn → ¬pn → safe p(Sn) (upgrade)

Proof (1) follows with linear arithmetic. For (2), we have the assumption k < Sn.
Thus k < n or k = n. Both cases are straightforward. ■

Exercise 13.1.3 Prove the following:

a) safe pn ←→ ∀k. pk → k ≥ n
b) safe p(Sn) ←→ safe pn ∧ ¬pn
c) safe pn → k ≤ n → pk → k = n

Exercise 13.1.4 (Subtraction) Prove x − y = z ←→ least (λz. x ≤ y + z) z.

Exercise 13.1.5 (Extensionality)

Prove (∀n. pn ←→ p ′ n) → (∀n. least pn ←→ least p ′ n).

13.2 Certifying Least Witness Operators

A least witness operator (LWO) decides for a decidable predicate p N→P and a
bound n whether p is satisfied by some k < n. In the positive case the opera-
tor yields the least such k (that is, the least witness of p). In the negative case the
operator yields a certificate that there is no witness below n.

Fact 13.2.1 (Certifying LWO)

There is a function dec p → ∀n. (Σk<n. least pk) + safe pn.

Proof By induction on n using the propagation rules for safety (Fact 13.1.2).
The zero case is trivial since we have safe p 0. In the successor case we have
(Σk<n. least pk) + safe pn and need

(Σk<Sn. least pk) + safe p(Sn)

The case Σk<n. least pk is straightforward. Otherwise, we have safe pn. If pn, we
have least pk and the claim follows. Otherwise, we have ¬pn and hence safe p(Sn)
by the safety upgrade rule (Fact 13.1.2(2)). ■

150
 13.3 Decidability Results

Corollary 13.2.2 (Certifying LWO)

There is a function dec p → ∀n. (Σk≤n. least pk) + safe p(Sn).

Proof Instantiate the LWO from Fact 13.2.1 with Sn. ■

Given a witness, we can obtain a least witness.

Corollary 13.2.3 (Informed LWO)

There is a function dec p → sig p → sig (least p).

Proof Straightforward with the LWO from Fact 13.2.1. ■

Corollary 13.2.4 There is a function dec p → ex p → ex (least p).

Proof Straightforward with the LWO from Fact 13.2.1. ■

Fact 13.2.5 (Existential least witness operator)

There is a function dec p → ex p → sig(least p).

Proof Immediate with Corollary 13.2.3 and Fact 14.2.2. ■

The existential least witness operator is obviously extensional; that is, the wit-
ness computed does not depend on the decider and does not change if we switch
to an equivalent predicate.

Fact 13.2.6 (Extensional EWO) Assume W : ∀p N→P . dec p → exp → sig(least p)

and two predicates p, p ′ : N → P with deciders d and d′ and satisfiability proofs
h : ex p and h′ : ex p ′ . Then π1 (W pdh) = π1 (W p ′ d′ h′ ) whenever ∀n. pn ←→ p ′ n.

Proof Straightforward. Exercise. ■

Exercise 13.2.7 (Greatest witness operator)

Let greatest pnk := pk ∧ (k < n) ∧ (∀i. k<i<n → ¬pi). Construct a certifying func-
tion ∀n. sig(greatest pn) + (∀k<n. ¬pk) computing the greatest witness below n
of p if there is one.

13.3 Decidability Results

Fact 13.3.1 (Decidability)
1. dec p → dec(safe p)
2. dec p → dec(least p)

Proof The construction of the decider (1) is straightforward with the LWO from
Fact 13.2.1. The construction of (2) is straightforward with the decider (1) ■

151
13 Least Witness Operators

Finite quantifications over decidable predicates satisfy both de Morgan laws.

Fact 13.3.2 (De Morgan laws for finite quantifications)

1. ¬(∃k<n. pk) ←→ (∀k<n. pk)
2. dec p → ¬(∀k<n. pk) ←→ (∃k<n. pk)

Proof (1) is straightforward and holds for all quantifications. This is also true for
the direction “←” of (2). In contrast, the direction “→” of (2) depends on the decid-
ability of p. If follows with the certifying LWO from Fact 13.2.1 instantiated with
λk.¬pk and exploits the double negation law for p. ■

Finite quantifications over decidable predicates are decided.

Fact 13.3.3 (Deciders for finite quantifications)

1. dec p → dec(λn.∀k<n. pk)
2. dec p → dec(λn.∃k<n. pk)

Proof (1) follows with the decider for the safeness predicate (Fact 13.3.1) instanti-
ated with λk.¬pk exploiting the double negation law for p.
(2) follows with the certifying LWO from Fact 13.2.1 and the de Morgan law for
negated finite existential quantification (Fact 13.3.2(1)). ■

Exercise 13.3.4 Obtain deciders for finite quantification with “≤” using the deciders
for “<” instantiated with Sn.
Exercise 13.3.5 (Decidability of Primality)
We define divisibility and primality using finite quantification:

n | x := x ≠ 0 → n ≠ 1 → n ≠ x → ∃k<x. x = k · n
prime x := x ≥ 2 ∧ ∀k<x. k | x → k = 1

a) Prove that both predicates are decidable.

b) Prove n | x ←→ ∃k. x = k · n.
Remark. In Coq we can define a reducible certifying decider for primality computing
proofs for prime 101 and ¬prime 117, for instance. This approach requires that
the underlying proof scripts carefully separate the computational level from the
propositional level where automation tactics will insert abstract proof functions.
See the accompanying Coq file to learn more.

13.4 Reducible LWOs

The deciders and LWOs obtained so far are not reducible since they are derived
from the abstract certifying LWO provided by Fact 13.2.1. We can obtain a reducible

152
 13.4 Reducible LWOs

LWO by defining a simply typed recursive function following the construction of the
certifying LWO.
We assume a predicate p N→P with a boolean decider p̂ N→B such that

∀n. if p̂n then pn else ¬pn

and define an inductive function

G : N → O(N)
G 0 := œ
G (Sn) := match Gn [ ◦k ⇒ ◦k | œ ⇒ if p̂n then ◦n else œ ]

We also define an inductive predicate

ϕ : N → O(N) → P
ϕn œ := safe pn
ϕn ◦k := least pk ∧ k < n

Fact 13.4.1 (Correctness)

∀n. ϕn(Gn).

Proof By induction on n. In the zero case, the claim reduces to safe p0, which holds
by Fact 13.1.2(1). In the successor case, we have the inductive hypothesis ϕn(Gn)
and the claim ϕ(Sn)(G(Sn)). We discriminate on Gn. If Gn = ◦k, the inductive
hypothesis simplifies to k < n ∧ least pk and the claim to k < Sn ∧ least pk. The
claim follows.
If Gn = œ, the inductive hypothesis is safe pn. We discriminate on p̂n in the claim.
If pn, the claim reduces to n < Sn ∧ least pn and follows. If ¬pn, the claim reduces
to safe p(Sn) and follows with Fact 13.1.2(2). ■

Step-indexed linear search

The canonical algorithm for computing least witnesses is linear search: Test p on
a counter m = 0, 1, 2, . . . until the first m satisfying p is found. Linear search
terminates if and only if p is satisfiable. Realizing linear search with a terminat-
ing function in computational type theory requires a modification. The trick is to
switch to a step-indexed linear search function Lnm testing p starting from m for
at most n steps:

L : N → N → O(N)
L 0 m := œ
L (Sn) m := if p̂m then ◦m else L n (Sm)

153
13 Least Witness Operators

Note that L tail-recurses on the step index n.

We would like to prove Ln0 = Gn. To do so, we need to understand the linear
search function Lnm for all n and m.

Fact 13.4.2 (Correctness) ∀nm. safe pm → ϕ(n + m)(Lnm).

Proof By induction on n with m quantified. The zero case is trivial. In the successor
case we discriminate on p̂m. If pm, we have the trivial proof obligation

pm → safe pm → m < S(n + m) ∧ least pm

If ¬pm, we have the proof obligation

¬pm → safe pm → ϕ(Sn + m)(Ln(Sm))

which reduces to an instance of Fact 13.1.2(2) using the inductive hypothesis for Sm
and rewriting with Sn + m = n + Sm. ■

Fact 13.4.3 (Correctness) ∀n. ϕn(Ln0).

Proof Fact 13.4.2 instantiated with m = 0. ■

Fact 13.4.4 (Agreement) Ln0 = Gn.

Proof Given the correctness theorems for G and L (Facts 13.4.1 and 13.4.3), the
claim follows with the uniqueness of ϕn which follows with the uniqueness of
least p after discrimination on the option arguments. ■

The proofs we have just seen for L are typical for program verifications. While
the underlying ideas are clear, the detailed execution of the proofs is tedious and
calls for the help of a proof assistant.

Exercise 13.4.5 (Invariant Puzzle) We have one more reducible LWO in the offer.
Consider the function

W :N→N
W 0 := 0
W (Sn) := let k = W n in if p̂k then k else Sn

Verify that F n := if n ≤ W n then œ else ◦W n agrees with G.

Hint: The worker function W computes the largest k ≤ n that is safe for p.
Hint: You need a specification δ for W such that ∀n. δn(W n). For the correct-
ness proof to go through, δ must be an invariant for W ’s recursion, which imposes
the proof obligation ∀nk. δnk → if p̂n then δ(Sn)k else δ(Sn)(Sn).

154
 13.5 Least Witness Existence and Excluded Middle

Exercise 13.4.6 (Reducible deciders for finite quantifications)

a) Obtain the deciders for finite quantifications as reducible functions using G or L.
b) Verify the correctness of your deciders.
c) Prove prime 101 in the proof assistant using a boolean decider for primality.

13.5 Least Witness Existence and Excluded Middle

It turns out that the existence of least witnesses for satisfiable predicates on num-
bers is equivalent to the law of excluded middle:

ELW := ∀p N→P . ex p → ex(least p)

XM := ∀P P . P ∨ ¬P

The direction XM → ELW is unsurprising since XM gives us decidability of predicates

at the propositional level, which means that we can use the construction for LWOs
if we lower them to the propositional level.

Fact 13.5.1 XM → ELW.

Proof Assume XM. Then every predicate is logically decidable: ∀n. pn ∨ ¬pn.
Hence we can carry out the constructions of Facts 13.2.1 and 13.2.4 at the proposi-
tional level:

∀p N→P ∀n. (∃k < n. least pk) ∨ safe pn

∀p N→P . ex p → ex (least p) ■

The other direction ELW → XM is very easy to prove.

Fact 13.5.2 ELW → XM.

Proof We pick a proposition P and prove P ∨¬P . Using the assumption, we discrim-
inate on the least witness n of the satisfiable predicate pn := if n then P else ⊤.
We have p0 ←→ P . Thus if the least witness is 0, we have P , and otherwise ¬P . ■

Exercise 13.5.3 (Boolean least witness existence)

Prove XM ←→ ∀p N→B . ex p → ∃x. px ∧ (ptrue → x = true).

Exercise 13.5.4 Prove that the following propositions are equivalent.

1. XM
2. ∀pn. ex(least p) ∨ safe pn
3. ∀p. ex p → ex(least p).

155
14 EWOs

In computational type theory, functional recursion comes as structural recursion

based on recursive inductive types. A canonical recursive type is the type of num-
bers. In this chapter we will consider a recursive type constructor

T (p : N → P)(n : N) : P ::= C (¬pn → T p(Sn))

featuring a higher-order structural recursion through the right-hand side of a func-

tion type serving as argument type of a single proof constructor C. We will see that
with the inductive predicate T we can construct an existential witness operator

∀p N→P . dec p → ex p → sig p

testing p on n = 0, 1, 2, . . . until a number satisfying p is found. For this construc-

tion the higher-order recursion of T and the fact that T is a computational predicate
(no PDR) are essential. Recall that a naive witness operator just unpacking the given
existential witness is not possible since it would violate the PDR.
EWOs (existential witness operators) exist for many computational types, not
just the type of numbers. In particular, finite types and types embedding into the
numbers do have EWOs. Moreover, EWOs transport through option types. With
EWOs we can construct inverses for bijective functions and co-inverses for surjec-
tive functions.

14.1 Linear Search Types

We start with the definition of an inductive predicate1

T (p : N → P)(n : N) : P ::= C (¬pn → T p(Sn))

The first point to notice about the definition of T is that there is recursion through
the right-hand side of the function type serving as argument type of the single proof
constructor C. Such higher-order structural recursions are legal in computational
type theory. The second point to notice about the definition of T is that T is a com-
putational predicate (§ 5.2) since the type ¬pn → T p(Sn) of the proper argument
1
The letter T derives from the intuition that propositions obtained with the computational T provide
for a transfer from the propositional level to the computational level.

157
14 EWOs

of the proof constructor C is propositional. This means that inductive propositions

obtained with T are exempted from the discrimination restriction (§ 5.2).
There is a third aspect of the inductive type definition of T deserving discussion:
The parameter n of T pn is nonuniform in that it is changed to Sn in the recursive
application of T . We remark that nonuniform parameters are fine in computational
type theory, and in fact are needed for meaningful higher-order structural recur-
sion.
Recall that proofs of computational propositions can be decomposed at the com-
putational level although they have been constructed at the propositional level. Re-
cursive computational propositions thus provide for computational recursion.
The next essential step is the definition of an eliminator for T making use of the
higher-order recursion provided by T :

E : ∀p N→P ∀qN→T . (∀n. (¬pn → q(Sn)) → qn) → ∀n. T pn → qn

E pqe n (Cϕ) := e n (λa. E pqe (Sn) (ϕa))

Note that the discrimination of the defining equation is a propositional transfer

discrimination. It is admissible since T is computational. As it comes to the guard
condition for termination, the argument is that every application of the continuation
function ϕ (appearing as proper argument of the constructor C in the pattern of the
defining equation) qualifies for (higher-order) structural recursion.
Why does this liberal guard condition for higher-order structural recursion pre-
serve termination of reduction in computational type theory? We can offer two
answers to this question:
1. Computational type theory is designed such that reduction terminates in the
presence of higher-order recursion.
2. Before we can construct a value Cϕ, we need to construct the function ϕ. Hence
all values ϕa are in some sense smaller than Cϕ.
We remark that the eliminator E is the only inductive function we will consider
for T . So, all the magic of higher-order structural recursion is in the definitions
of T and E.
We will refer to the propositions T pn as linear search types.

14.2 EWO for Numbers

We will construct an EWO for N based on an abstract interface that we realize with
the inductive predicate T . The interface provides an abstract computational predi-
cate T ′ with two constructors.

158
 14.2 EWO for Numbers

Fact 14.2.1 (First-order interface)

For every predicate p N→P there are functions as follows:

T′ : N → P
I : ∀n. pn → T ′ n
D : ∀n. T ′ (Sn) → T ′ n
E ′ : ∀qN→T . dec p → (∀n. pn → qn) → (∀n. q(Sn) → qn) → (∀n. T ′ n → qn)

We refer to I and D as abstract constructors and to E ′ as abstract eliminator.

Proof Assume p N→P . We set T ′ := T p. Now the abstract constructors I and D are
easily obtained from the concrete constructor C. The abstract eliminator E ′ can
be obtained with the concrete eliminator E. Having a decider for p is essential to
separate the base case pn from the recursive case ¬pn. ■

Note that the abstract constructors I and D and the abstract eliminator E ′ make
the predicate T ′ appear as a computational inductive predicate obtained with two
first-order constructors. A proof of T ′ pn verifies that there is k ≥ n such that pk.
Fact 14.2.2 (EWO for numbers)
There is a function ∀p N→P . dec p → ex p → sig p.

Proof We assume d : dec p, H : ex p, and the functions from Fact 14.2.1. We obtain
sig p with E ′ instantiated with qn := sig p, d, and n := 0. This results in three
proof obligations:
1. ∀n. pn → sigp
2. ∀n. sigp → sigp
3. T ′ 0.
Obligations (1) and (2) are trivial. For (3) we note that T ′ 0 is a proposition. Thus we
can unpack H and obtain pn and T ′ n using I. We now close the proof by proving
∀n. T ′ n → T ′ 0 by induction on n using D. ■

Exercise 14.2.3 (Computational characterization of linear search predicate)

Assume a predicate p N→P and prove the following:
a) m ≤ n → T pn → T pm
b) dec p → T pn → Σm. m ≥ n ∧ pm
c) dec p → (T pn a Σm. m ≥ n ∧ pm)

Exercise 14.2.4 (Empty search type) With linear search types we can express an
empty propositional type allowing for computational elimination:

V : P := T (λn.⊥)0

Define a function V → ∀X T . X.

159
14 EWOs

Exercise 14.2.5 With higher-order recursion we can define an empty propositional

type allowing for computational elimination as follows:

V : P ::= C(⊤ → V )

Define an elimination function V → ∀X T . X.

Exercise 14.2.6 Let p be a decidable predicate on numbers. Construct a function

∀n. T pn → Σk. k ≥ n ∧ pk.

Exercise 14.2.7 (Strict positivity condition)

We remark that computational type theory admits recursion only through the right-
hand side of function types, a restriction known as strict positivity condition.
Assume that the inductive type definition B : T ::= C(B → ⊥) is admitted al-
though it violates the strict positivity condition. Give a proof of falsity assuming
that the illegal definition of B provides constants as follows:

B : T
C : (B → ⊥) → B
E : ∀Z. B → ((B → ⊥) → Z) → B → Z

First define a function f : B → ⊥ using the constant E.

14.3 General EWOs

We define the type of EWOs for a type X as follows:

EWO X T := ∀p X→P . dec p → ex p → sig p

Fact 14.3.1 The types ⊥, 1, B, and N have EWOs.

Proof The EWO for N was obtained with Fact 14.2.2. For the other three types
computational falsity elimination is essential. For ⊥ an EWO is trivial since it is
given an element of ⊥. For ⊤ and B we can check p for all elements and obtain a
contradiction if p holds for no element. ■

Fact 14.3.2 (Disjunctive EWOs)

Let p and q be decidable predicates on a type X with an EWO.
Then there is a function (ex p ∨ ex q) → (sig p + sig q).

Proof Use the EWO for X with the predicate λ[Link] ∨ qx. ■

160
 14.3 General EWOs

Next we show that all numeral types On ⊥ have EWOs. The key insight for this
result is that EWOs transport from X to O(X). It turns out that EWOs also transport
backwards from O(X) to X.

Fact 14.3.3 (Option types transport EWOs)

EWO (O(X)) a EWO X.

Proof Suppose p is a decidable and satisfiable predicate on X. Then

λa. match a [ ◦x ⇒ px | œ ⇒ ⊥ ]

is a decidable and satisfiable predicate on O(X). The EWO for O(X) gives us ◦x such
that px.
For the other direction, suppose p is a decidable and satisfiable predicate
on O(X). Then λx.p(◦x) is a decidable and satisfiable predicate on X. The EWO
for X gives x with p(◦x). ■

Corollary 14.3.4 (Numeral types have EWOs)

The numeral types On ⊥ have EWOs.

Proof By induction on n using Facts 14.3.1 and 14.3.3. ■

It turns out that injections transport EWOs backwards.

Fact 14.3.5 (Injections transport EWOs)

IXY → EWO Y → EWO X.

Proof Let invXY f g. To show that there is an EWO for X, we assume a decidable and
satisfiable predicate p X→P . Then λy.p(gy) is a decidable and satisfiable predicate
on Y . The EWO for Y now gives us a y such that p(gy). ■

Fact 14.3.6 Every type that embeds into N has an EWO: IXN → EWO X.

Proof Facts 14.3.5 and 14.2.2. ■

Fact 14.3.7 N × N has an EWO.

Proof Follows with Fact 14.3.6 since N × N and N are in bijection (Fact 11.1.8). ■

Fact 14.3.8 (Binary EWO)

There is a function ∀p N→N→P . (∀xy. D(pxy)) → (∃[Link]) → (Σ[Link]).

Proof Follows with the EWO for N × N and the predicate λa. p(π1 a)(π2 a). ■

161
14 EWOs

Exercise 14.3.9 (EWO for boolean deciders)

We will consider EWOs for boolean deciders on numers:

∀f N→B . (∃n. f n = true) → (Σn. f n = true)

a) Define an EWO for boolean deciders (i) using the EWO for numbers, and (ii) from
scratch using customized linear search types.
b) Using an EWO for boolean deciders, define an EWO for decidable predicates on
numbers.
c) Using an EWO for boolean deciders, define an EWO

∀X T ∀p X→P . sig(enum p) → ex p → sig p

for enumerable predicates

enum p X→P f N→O(X) := ∀x. px ←→ ∃n. f n = ◦x

14.4 EWO Applications

Fact 14.4.1 (Co-inverse for surjective functions)
Let f X→Y be a surjective function. Then there is a function
EWO X → E Y → Σg. inv f g yielding a co-inverse function for f .

Proof It suffices to construct a function ∀y. Σx. f x = y. We fix y and use the EWO
for X to obtain x with f x = y. This works since f is surjective and equality on Y
is decidable. ■

Fact 14.4.2 (Inverse for bijective functions)

Let f X→Y be a bijective function. Then there is a function
EWO X → E Y → Σg. inv gf ∧ inv f g yielding an inverse function for f .

Proof Fact 14.4.1 gives us g with inv f g. Now inv gf follows since f is injective
(Fact 11.1.1). ■

The following fact was discovered by Andrej Dudenhefner in March 2020.

Fact 14.4.3 (Discreteness via step-indexed boolean equality decider)

Let f X→X→N→B be a function such that ∀xy. x = y ←→ ∃n. f xyn = true.
Then X has an equality decider.

Proof We prove D(x = y) for fixed x, y : X. Using the EWO for numbers we
obtain n such that f xxn = true. If f xyn = true, we have x = y. If f xyn = false,
we have x ≠ y. ■

162
 14.5 Notes

Exercise 14.4.4 (Infinite path)

Let p N→N→P be a decidable predicate that is total: ∀x∃y. pxy.
a) Define a function f N→N such that ∀x. px(f x).
b) Given x, define a function f N→N such that f 0 = x and ∀n. p(f n)(f (Sn)). We
may say that f describes an infinite path starting from x in the graph described
by the edge predicate p.

Exercise 14.4.5 Let f : N → B. Prove the following:

a) (∃n. f n = true) a (Σn. f n = true).
b) (∃n. f n = false) a (Σn. f n = false).

14.5 Notes

With linear search types we have seen an inductive predicate going beyond of the
inductive type definitions we have seen so far. The proof constructor of linear
search types employs higher-order structural recursion through the right-hand side
of a function type. Higher-order structural recursion greatly extends the power
of structural recursion. Higher-order structural recursion means that an argument
of a recursive constructor is a function that yields a structurally smaller value for
every argument. That higher-order structural recursion terminates is a basic design
feature of computational type theories.

163
15 Indexed Inductives

Indexed inductive type definitions are generalized inductive type definitions where
the target types of value constructors may instantiate nonparametric arguments
(called indices) of their type constructors. Indexed inductive type definitions pro-
vide for the formalization of derivation systems as they appear in the study of proof
systems, computational systems, and programming languages.
We discuss indexed inductives at the example of two derivation systems, one for
the reflexive transitive closure of relations, and one for arithmetic comparisons. We
also model numeral types and vector types as indexed inductive types and show
that the inductive formalizations are in bijection with non-inductive formalizations
employing arithmetic recursion.
It turns out that the constants for equality can be defined as indexed inductives,
and that the inductive definition adds properties to the Leibniz characterization of
equality that are of foundational interest.

15.1 Inductive Equality

We start with inductive equality since its indexed inductive definition is particularly
simple. Recall that we have accommodated equality with three constants (§ 4.2):

eq : ∀X T . X → X → P
Q : ∀X T ∀x X . eq X x x
R : ∀X T ∀xy X ∀p X→P . eq Xxy → px → py

We can obtain eq and Q with an indexed inductive definition:

eq (X : T, x : X) : X → P ::=
| Q : eq Xxx

Note that the target type of the constructor Q is eq X x x and not eq X x y. This
means that only X and x are parametric arguments of eq X x y, and that y is a
nonparametric argument. Following common speak we will refer to nonparametric
arguments of type constructors as indices. The extra freedom coming with index-
ical arguments of type constructors is that they can be freely instantiated in the
target types of value constructors.

165
15 Indexed Inductives

We can now obtain the rewriting constant R with an inductive function definition:

R : ∀X T ∀xy X ∀p X→T . eq Xxy → px → py

R X x _ p _ Q a := a : px

The definition discriminates on the inductive argument of type eq Xxy. Note that
the value constructor Q equates the variables x and y in the defining equation. Also
note that the pattern of the defining equation of R gives the argument y with an
underline. The accounts for the fact that the argument y of R is determined by the
discrimination with Q.
We have defined R with a general type function p X→T rather than just a predicate
p X→P . This is possible since the inductive predicate eq is computational since the
value Q has no proper argument.
There is a single but important restriction on the types of inductive functions
discriminating on arguments of indexed inductive types: The indexed argument
type must be given with variables in the index positions that don’t occur otherwise
in the argument type. We speak of the index condition. The index condition dis-
allows an inductive function discriminating on an argument of type eq Xxx, for
instance.
Inductive equality has a number of properties Leibniz equality doesn’t have, an
issue we will study in Chapter 29.

15.2 Reflexive Transitive Closure

We may see a relation R X→X→P as a description of a graph with vertices in X and

edges Rxy. We will write R ∗ xy if there is a path x → · · · → y from x to y in the
graph described by R. We may characterize R ∗ xy with two derivation rules:

Rxy R ∗ yz
R ∗ xx R ∗ xz

The first rule says that for every x : X there is a path R ∗ xx. The second rule says
that there is a path R ∗ xz if there is an edge Rxy and a path R ∗ yz.
We formalize the notation R ∗ xy and the two derivation rules with an indexed
inductive predicate star defined as follows:

star (X : T, R : X → X → P, x : X) : X → P ::=
| Nil : star XRxx
| Cons : ∀yz. Rxy → star XRyz → star XRxz

We now write R ∗ for the relation star XR. Note that a proof of R ∗ xy with the
constructors Nil and Cons describes a path from x to y. We may see an inductive

166
 15.2 Reflexive Transitive Closure

proposition R ∗ xy as the type of all paths from x to y. We remark that the inductive
formalization of R ∗ is minimal in that it doesn’t presuppose numbers or lists.
Considering the inductive predicate star XRxy from a formal point of view, the
arguments X and R are uniform parameters, x is a nonuniform parameter, and y
is an index. That y is an index is forced by the type of the constructor Nil.
Let p and p ′ be predicates X → X → P. We define inclusion of predicates as one
would expect:

p ⊆ p ′ := ∀xy. pxy → p ′ xy

The relation R ∗ is known as the reflexive transitive closure of the relation R.

This speak is justified since every reflexive and transitive relation that contains R
also contains R ∗ . We are going to prove this fact.

Fact 15.2.1 (Inclusion) R ⊆ R ∗ .

Proof Let Rxy. We show R ∗ xy. We have R ∗ yy with Nil. Thus R ∗ xy with Cons. ■

We would like to prove that the relation R ∗ is transitive; that is, if there are paths
R ∗ xy and R ∗ yz, then there is a path R ∗ xz. We prove this fact by induction on the
first path R ∗ xy.

Fact 15.2.2 (Transitivity) R ∗ xy → R ∗ yz → R ∗ xz.

Proof By induction on the path R ∗ xy. If R ∗ xy is obtained with Nil, we have x = y

and the claim is trivial. If R ∗ xy is obtained with Cons, we have an edge Rxx ′ and
a shorter path R ∗ x ′ y. The inductive hypothesis gives us a path R ∗ x ′ z. Now we
obtain a path R ∗ xz with Cons. ■

To formalize the path induction in the transitivity proof, we need an eliminator

function for the inductive predicate star. An eliminator function with the type

E : ∀X ∀R ∀p X→X→P .
(∀x. pxx) →
(∀xyz. Rxy → pyz → pxz) →
∀xy. R ∗ xy → pxy

will suffice. For the transitivity proof E can be used with the target predicate

pxy := R ∗ yz → R ∗ xz

assuming that z is introduced outside. The formalization of the proof is now

straightforward. While checking the details with paper and pencil is tedious, con-
structing the formal proof with the proof assistant is pleasant. See the accompany-
ing Coq file.

167
15 Indexed Inductives

We define the eliminator function E following its type

E : ∀X ∀R ∀p X→X→P .
(∀x. pxx) →
(∀xyz. Rxy → pyz → pxz) →
∀xy. R ∗ xy → pxy

as an inductive function discriminating on paths R ∗ xy:

E XRp e1 e2 x _ Nil := e1
E XRp e1 e2 x _ (Cons x ′ z r a) := e2 xx ′ z r (E XRp e1 e2 x ′ za)

The equation for Cons may look complicated but it is just a routine construction
following the types of E and Cons.

Fact 15.2.3 (Reflexive transitive closure)

Let p X→X→P be a reflexive and transitive relation. Then R ⊆ p → R ∗ ⊆ p.

Proof We prove ∀xy. R ∗ xy → pxy by induction on the path R ∗ xy. If R ∗ xy

is obtained with Nil, we have x = y and the claim holds since p is reflexive. If
R ∗ xy is obtained with Cons, we have an edge Rxx ′ and a shorter path R ∗ x ′ y.
Now pxx ′ since R ⊆ p and px ′ y by the inductive hypothesis. Hence pxy since p
is transitive. ■

Exercise 15.2.4 Prove R ∗ (R ∗ ) ⊆ R ∗ .

Exercise 15.2.5 (Definition with arithmetic recursion)

There is an elegant definition of the relation R ∗ as a recursive predicate:

path : ∀X. (X → X → P) → N → X → X → P
path XR0xy := (x = y)
path XR(Sn)xy := (∃x ′ . Rxx ′ ∧ path XRnxy)

Prove star XRxy ←→ ∃n. path XRnxy.

Exercise 15.2.6 Here is another inductive definition of reflexive transitive closure:

star′ (X : T, R : X → X → P, x : X) : X → P ::=
| Incl : ∀xy. Rxy → star′ XRxy
| Refl : star′ XRxx
| Trans : ∀xyz. → star′ XRxy → star′ XRyz → star′ XRxz

Prove star XRxy ←→ star′ XRxy.

168
 15.3 Inductive Comparisons

15.3 Inductive Comparisons

Two derivation rules for arithmetic comparisons x ≤ y are

x≤y
x≤x x ≤ Sy

The rules are obviously correct. We will show that they are also complete in the
sense that they can derive every valid comparison.
We formalize the derivation system comprised by the two rules with an inductive
type definition:

le (x : N) : N → P ::=
| leE : le xx
| leS : ∀y. le xy → le x (Sy)

Note that in le xy the argument x is a uniform parameter and the argument y is

an index.
Completeness of the derivation system le can now be shown with induction on
numbers.

Fact 15.3.1 (Completeness) x ≤ y → le xy.

Proof By induction on y.
Let y = 0. The x = 0 and hence le xy with leE.
In the successor case we assume x ≤ Sy and show le x(Sy). If x = Sy, the claim
follows with leE. If x ≤ y, the inductive hypothesis gives us le xy. The claim
follows with leS. ■

The other direction is intuitively obvious since both derivation rules represent
valid facts about arithmetic comparisons. To do the proof formally, we need induc-
tion on derivations of comparisons le xy, which can be provided with an inductive
function

E : ∀x ∀p N→P .
pxx →
(∀y. py → p(Sy)) →
∀y. x ≤ y → py
E xpe1 e2 _ leE := e1
E xpe1 e2 _ (leS ya) := e2 y(E xpe1 e2 ya)

169
15 Indexed Inductives

Fact 15.3.2 (Soundness) le xy → x ≤ y.

Proof By induction on the derivation of le xy. If le xy is obtained with leE, we have

x = y and hence x ≤ y. If le xy is obtained with leS, we have a smaller derivation
le xy ′ and y = Sy ′ . The inductive hypothesis gives us x ≤ y ′ , which give us the
claim x ≤ Sy ′ . ■

Exercise 15.3.3 Give two derivation rules for comparisons x < y and show their
soundness and completeness.

15.4 Inductive Numeral Types

Numeral types are a family of finite types providing a canonical finite type for every
cardinality. In § 11.3, we obtained numeral types recursively as On ⊥. Numeral types
may also be obtained as indexed inductive types:

fin : N → T ::=
| Old : ∀n. fin n → fin (Sn)
| New : ∀n. fin (Sn)

the constructors Old and New are in correspondence with the option type construc-
tor some and none. The definition suggests that fin0 is empty and that finSn has one
more element than finn . We prove this fact by establishing a bijection between finn
and Nn :

f : ∀n. finn → Nn g : ∀n. Nn → finn

◦
f _ (Old na) := f na g 0 a := E⊥ fin0 a
f _ (New n) := œ g (Sn) ◦a := Old n(gna)
g (Sn) œ := New n

The definitions of the inductive functions f and g clarify how the numeral types
finn and Nn relate to each other. While the definition of f is straightforward, the
definition of g is quite involved. In the zero case void elimination E⊥ is needed. In
the successor case a secondary discrimination on options is needed. Note that in the
patterns of the equations defining f the first argument n is given as an underline,
as is required by the fact that n provides the index argument of finn in the type
of f .

170
 15.4 Inductive Numeral Types

Fact 15.4.1 gn(f na) = a.

Proof By induction on a : finn . For the constructor Old we have the proof obligation
g(Sn)(f (Sn)(Old na)) = Old na, which simplifies to Old n(gn(f na)) = Old na,
which holds by the inductive hypothesis gn(f na) = a. For the constructor New
we have the proof obligation g(Sn)(f (Sn)(New n)) = New n, which simplifies to
New n = New n. ■

The proof does an induction on values of the inductive type finn . The induction
can be formalized with an eliminator function defined as follows:

finn →T
E : ∀p ∀n.
(∀na. pna → p(Sn)(Old na)) →
(∀n. p(Sn)(New n)) →
∀na. pna

E pe1 e2 _ (Old na) := e1 na(E pe1 e2 na)

E pe1 e2 _ (New n) := e2 n

Fact 15.4.2 f n(gna) = a.

Proof By induction on nN and discrimination on aNn . The proof obligation

f 0(g0a) = a is trivial since a : ⊥. The proof obligation f (Sn)(g(Sn)(◦a)) = ◦a
reduces to ◦f n(gna) = ◦a and follows with the inductive hypothesis. The proof
obligation f (Sn)(g(Sn)œ) = œ reduces to œ = œ. ■

Corollary 15.4.3 The types finn and Nn and are in bijection.

Exercise 15.4.4 Use the bijection between inductive and recursive numeral types to
show that the inductive numeral types finn have equality deciders and EWOs.

Exercise 15.4.5 We want to prove that the inductive numeral type fin0 is empty.
Formally, we represent this statement with the proposition fin0 → ⊥.
a) Prove fin0 → ⊥ using the eliminator for inductive numeral types.
b) Prove fin0 → ⊥ using the bijection between inductive and recursive numeral
types.
Hint: For (a) prove the equivalent proposition ∀n. finn → n ≠ 0.

171
15 Indexed Inductives

15.5 Inductive Vector Types

Vector types as introduced in § 11.4 have an elegant definition as indexed inductive

types:

vec (X : T) : N → T ::=
| Nil : vec X 0
| Cons : ∀n. X → vec Xn → vec X(Sn)

The constructors Nil and Cons give us the functions nil and cons we defined for the
recursive representation with products and unit.
We define a bijection between inductive and recursive vector types. For simplic-
ity we don’t write the base type X.

f : ∀n. vecn → Vn g : ∀n. Vn → vecn

f _ Nil := I g 0 a := Nil
f _ (Cons nxa) := (x, f na) g (Sn) (x, a) := Cons nx(gna)
The definitions demonstrate that the structure of inductive and recursive vector
types is in full agreement.
Fact 15.5.1 gn(f na) = a.

Proof By induction on a : vecn .

The proof obligation g0(f 0Nil) = Nil simplifies to Nil = Nil.
The proof obligation g(Sn)(f (Sn)(Cons nxa)) = Cons nxa simplifies to the
equation Cons nx(gn(f na)) = Cons nxa, which follows with the inductive hy-
pothesis. ■

The proof does an induction on values of inductive vector types vecn . The in-
duction can be formalized with an eliminator function defined as follows:
vecn →T
E : ∀p ∀n.
p 0 Nil →
(∀nxa. pna → p(Sn)(Cons nxa)) →
∀na. pna

E pe1 e2 _ Nil := e1
E pe1 e2 _ (Cons nxa) := e2 nxa(E pe1 e2 na)

Fact 15.5.2 f n(gna) = a.

Proof By induction on nN and discrimination on aVn . The proof obligation

f 0(g 0 I) = I reduces to I = I. The proof obligation f (Sn)(g(Sn)(x, a)) = (x, a)
reduces to (x, f n(gna)) = (x, a) and follows with the inductive hypothesis. ■

172
 15.6 Post Correspondence Problem

Corollary 15.5.3 The types vecn X and Vn X are in bijection.

Exercise 15.5.4 Use the bijection between inductive and recursive vector types to
show that inductive vector types have equality deciders and EWOs.

15.6 Post Correspondence Problem

Many problems in computer science have elegant specifications using inductive rela-
tions. As an example we consider the Post correspondence problem (PCP), a promi-
nent undecidable problem providing a base for undecidability proofs. The problem
involves cards with an upper and a lower string. Given a list C of cards, one has to
decide whether there is a nonempty list D of cards in C (possibly containing dupli-
cates) such that the concatenation of all upper strings equals the concatenation of
all lower strings. For instance, assuming the binary alphabet {a, b}, the list

C = [a/ϵ, b/a, ϵ/bb]

has the solution

D = [ϵ/bb, b/a, b/a, a/ϵ, a/ϵ]

On the other hand,

C ′ = [a/ϵ, b/a]

has no solution.
We formalize PCP over the binary alphabet B with an inductive predicate

post : L(L(B) × L(B)) → L(B) → L(B) → P

defined with the rules

(A, B) ∈ C (A, B) ∈ C post C A′ B ′

post C A B + A′ ) (B +
post C (A + + B′)

Note that post CAB is derivable if there is a nonempty list D ⊆ C of cards such that
the concatenation of the upper strings of D is A and the concatenation of the lower
strings of D is B. Undecidability of PCP over a binary alphabet now means that there
is no computable function

∀C. D(∃A. post CAA) (15.1)

Since Coq’s type theory can only define computable functions, we can conclude that
no function of type (15.1) is definable.
As it comes to the arguments of the inductive predicate post CAB, the defining
rules establish C as a uniform parameter and A and B as indices.

173
15 Indexed Inductives

15.7 Index Elimination

Inductive type definitions with indices can be translated into inductive type defini-
tions without indices using equations in the premises. For instance, the initial rule
for reflexive transitive closure may be written as

x=y Rxx ′ R∗ x ′ y
R ∗ xy R ∗ xy

which yields an equivalent inductive predicate

star (X : T, R : X → X → P, x : X, y : X) : P ::=
| Nil : x = y → star XRxy
| Cons : ∀x ′ . Rxx ′ → star XRx ′ y → star XRxy

with no index and a single nonuniform parameter x.

Index elimination will not work for inductive equality. Here the best we can do
is to express the coreference in the target type with Leibniz equality:

∀p X→P . px → py
eq Xxy

Formally, this yields the inductive predicate definition

eq (X : T, x : X, y : X) : P ::=
| L : (∀p X→P . px → py) → eq Xxy

Based on this definition we can define

Q : ∀X T ∀x X . eq X x x
R : ∀X T ∀xy X ∀p X→P . eq Xxy → px → py

What we cannot do, however, is define R with a type function p X→T . The only way to
obtain rewriting of types is to work with the indexed inductive equality predicate.
We remark that rewriting of types is not needed for the usual things we do in
computational type theory. We may thus say that indexed inductive types are a
convenience not essential for our purposes. The benefits of inductive equality only
show at an internal technical level we will explore in Chapter 29.

15.8 Notes

The index condition is a restriction on the types of inductive function discriminating

on values of indexed inductive types. It simply says that the index positions of an

174
 15.8 Notes

discriminating argument type must be given with variables not appearing otherwise
in the argument type.
Recall that the proof assistant Coq simulates inductive functions as plain func-
tions discriminating with native matches. There are situations called inversions in
the literature where a match for an indexed inductive type does not type check al-
though intuition says it should. An example appears as Exercise 15.4.5. The reason
for the mismatch with intuition is that the type of the inductive function explaining
the match would violate the index condition.
As it comes to expressivity added by indexed inductives, inductive equality gives
us something we didn’t have before (see Chapter 29). Numeral types and vector
types can be obtained elegantly with type functions recursing on numbers not in-
volving indexed inductives. There is a noninductive definition of a reflexive tran-
sitive closure predicate using recursion on the path length (Exercise 15.2.5), but
the representation with indexed inductives is simpler and doesn’t involve numbers,
which need to be erased anyway (with existential quantification) to state the transi-
tivity law (see the discussion for vectors in § 11.4.2).
Indexed inductives really pay when it comes to derivation systems as they
are common in proof theory and programming languages. Examples appear in
Chapters 24 (propositional deduction systems) and Chapter 26 (regular expression
matching).
Section § 20.6 gives an indexed inductive predicate characterizing greatest
comon divisors with three computation rules.

175
16 Extensionality

Computational type theory does not fully determine equality of functions, propo-
sitions, and proofs. The missing commitment can be added through extensionality
assumptions.

16.1 Extensionality Assumptions

Computational type theory fails to fully determine equality between functions,

propositions, and proofs:
• Given two functions of the same type that agree on all elements, computational
type theory does not prove that the functions are equal.
• Given two equivalent propositions, computational type theory does not prove
that the propositions are equal.
• Given two proofs of the same proposition, computational type theory does not
prove that the proofs are equal.
From a modeling perspective, it would be desirable to add the missing proof power
for functions, propositions, and proofs. This can be done with three assumptions
expressible as propositions:
• Function extensionality
FE := ∀X T ∀p X→T . ∀f g ∀[Link] . (∀x.f x = gx) → f = g
• Propositional extensionality
PE := ∀P QP . (P ←→ Q) → P = Q
• Proof irrelevance
PI := ∀QP . ∀abQ . a = b
Function extensionality gives us the equality for functions we are used to from
set-theoretic foundations. Together, function and propositional extensionality turn
predicates X → P into sets: Two predicates (i.e., sets) are equal if and only if they
have the same witnesses (i.e., elements). Proof irrelevance ensures that functions
taking proofs as arguments don’t depend on the particular proofs given. This way
propositional arguments can play the role of preconditions. Moreover, dependent
pair types sig p taken over predicates p X→P can model subtypes of X. Proof irrele-
vance also gives us dependent pair injectivity in the second component (§29.2).

177
16 Extensionality

We can represent boolean functions f B→B as boolean pairs (f true, f false). Un-
der FE, the boolean function can be fully recovered from the pair.

Fact 16.1.1 FE → ∀f B→B . f = (λab. if b then π1 a else π2 a) (f true, f false).

Exercise 16.1.2 Prove the following:

a) FE → ∀f g B→B . f true = gtrue → f false = gfalse → f = g.
b) FE → ∀f B→B . (f = λb. b) ∨ (f = λb. ! b) ∨ (f = λb. true) ∨ (f = λb. false).

Exercise 16.1.3 Prove the following:

a) FE → ∀f ⊤→⊤ . f = λa⊤ .a.
b) FE → B (⊤ → ⊤) ⊤.
c) FE → B ≠ (⊤ → ⊤).
d) FE → B (B → B) (B × B).
e) FE → E(B → B).

16.2 Set Extensionality

Given FE and PE, predicates over a type X correspond exactly to sets whose elements
are taken from X. We may define membership as x ∈ p := px. In particular, we
obtain that two sets (represented as predicates) are equal if they have the same
elements (set extensionality). Moreover, we can define the usual set operations:

œ := λx X .⊥ empty set
X
p ∩ q := λx .px ∧ qx intersection
X
p ∪ q := λx .px ∨ qx union
p − q := λx X .px ∧ ¬qx difference

Exercise 16.2.1 Prove x ∈ (p − q) ←→ x ∈ p ∧ x ∉ q. Check that the equation

(x ∈ (p − q)) = (x ∈ p ∧ x ∉ q) holds by computational equality.

Exercise 16.2.2 We define set extensionality as

SE := ∀X T ∀pqX→P . (∀x. px ←→ qx) → p = q

Prove the following:

a) FE → PE → SE.
b) SE → PE.
c) SE → (∀x. x ∈ p ←→ x ∈ q) → p = q.
d) SE → p − (q ∪ r ) = (p − q) ∩ (p − r ).

178
 16.3 Proof Irrelevance

16.3 Proof Irrelevance

We call a type unique if it has at most one element:

unique (X T ) := ∀xy X . x = y

Note that PI says that all propositions are unique.

Fact 16.3.1 ⊥ and ⊤ are unique.

Proof Follows with the eliminators for ⊥ and ⊤. ■

It turns out that PI is a straightforward consequence of PE.

Fact 16.3.2 PE → PI.

Proof Assume PE and let a and b be two proofs of a proposition X. We show a = b.

Since X ←→ ⊤, we have X = ⊤ by PE. Hence X is unique since ⊤ is unique. The claim
follows. ■

Exercise 16.3.3 Prove D(unique(⊤ + ⊥)) and D(unique(⊤ + ⊤)).

Exercise 16.3.4 Prove the following for all types X:

a) unique(X) → E(X).
b) X → unique(X) → BX⊤.

Exercise 16.3.5 Prove the following:

a) Uniqueness propagates forward through surjective functions:
∀XY T ∀f X→Y . surjective f → unique(X) → unique(Y ).
b) Uniqueness propagates backwards through injective functions:
∀XY T ∀f X→Y . injective f → unique(Y ) → unique(X).

Exercise 16.3.6 Prove FE → unique (⊤ → ⊤).

Exercise 16.3.7 Assume PI and p X→P . Prove ∀xy ∀ab. x = y → (x, a)p = (y, b)p .

Exercise 16.3.8 Suppose there is a function f : (⊤ ∨ ⊤) → B such that f (L I) = true

and f (R I) = false. Prove ¬ PI. Convince yourself that without the propositional
discrimination restriction you could define a function f as assumed.

Exercise 16.3.9 Suppose there is a function f : (∃x B .⊤) → B such that f (E x I) = x

for all x. Prove ¬ PI. Convince yourself that without the propositional discrimination
restriction you could define a function f as assumed.

Exercise 16.3.10 Assume functions E : P → A and D : A → P embedding P into a

proposition A. That is, we assume ∀P P . D(EP ) ←→ P . Prove that A is not unique.
Remark: Later we will show Coquand’s theorem (31.4.1), which says that P embeds
into no proposition.

179
16 Extensionality

16.4 Notes

There is general agreement that a computational type theory should be extensional,

that is, prove FE and PE. In our case, we may assume FE and PE as constants. There
are general results saying that adding the extensionality assumptions is consistent,
that is, does not enable a proof of falsity. There is research underway aiming at
a computational type theory integrating extensionality assumptions in such a way
that canonicity of the type theory is preserved. This is not the case in our setting
since reduction of a term build with assumed constants may get stuck on one of the
constants before a canonical term is reached.
Coq offers a facility that determines the assumed constants a constant depends
on. Terms not depending on assumed constants are guaranteed to reduce to canon-
ical terms.
We will always make explicit when we use extensionality assumptions. It turns
out that most of the theory in this text does not require extensionality assumptions.

180
17 Excluded Middle and Double Negation

One of the first laws of logic one learns in an introductory course on mathematics
is excluded middle saying that a proposition is either true or false. On the other
hand, computational type theory does not prove P ∨ ¬P for every proposition P .
It turns out that most results in computational mathematics can be formulated
such that they can be proved without assuming a law of excluded middle, and that
such a constructive account gives more insight than a naive account using excluded
middle. On the other hand, the law of excluded middle can be formulated with the
proposition
∀P P . P ∨ ¬P
and assuming it in computational type theory is consistent and meaningful.
In this chapter, we study several characterizations of excluded middle and the
special reasoning patterns provided by excluded middle. We show that these rea-
soning patterns are locally available for double negated claims without assuming
excluded middle.

17.1 Characterizations of Excluded Middle

We formulate the law of excluded middle with the proposition

XM := ∀P P . P ∨ ¬P

Computational type theory neither proves nor disproves XM. Thus it is interesting
to assume XM and study its consequences. This study becomes most revealing if
we assume XM only locally using implication.
There are several propositionally equivalent characterizations of excluded mid-
dle. Most amazing is may be Peirce’s law that formulates excluded middle with just
implication.

Fact 17.1.1 The following propositions are equivalent. That is, if we can prove one
of them, we can prove all of them.
1. ∀P P . P ∨ ¬P excluded middle
2. ∀P P . ¬¬P → P double negation
3. ∀P P QP . (¬P → ¬Q) → Q → P contraposition
4. ∀P P QP . ((P → Q) → P ) → P Peirce’s law

181
17 Excluded Middle and Double Negation

Proof We prove the implications 1 → 2 → 3 → 4 → 1.

1 → 2. Assume ¬¬P and show P . By (1) we have either P or ¬P . Both cases are
easy.
2 → 3. Assume ¬P → ¬Q and Q and show P . By (2) it suffices to show ¬¬P . We
assume ¬P and show ⊥. Follows from the assumptions.
3 → 4. By (3) it suffices to show ¬P → ¬((P → Q) → P )). Straightforward.
4 → 1. By (4) with P , (P ∨ ¬P ) and Q , ⊥ we can assume ¬(P ∨ ¬P ) and prove
P ∨ ¬P . We assume P and prove ⊥. Straightforward since we have ¬(P ∨ ¬P ). ■

A common use of XM in mathematics is proof by contradiction: To prove s, we

assume ¬s and derive a contradiction. The lemma justifying proof by contradiction
is double negation:

XM → (¬P → ⊥) → P

There is another characterization of excluded middle asserting existence of

counterexamples, often used as tacit assumption in mathematical arguments.

Fact 17.1.2 (Counterexample) XM ←→ ∀X T ∀p X→P . (∀[Link]) ∨ ∃x.¬px.

Proof Assume XM and p X→P . By XM we assume ¬∃x.¬px and prove ∀[Link]. By the
de Morgan law for existential quantification we have ∀x.¬¬px. The claim follows
since XM implies the double negation law.
Now assume the right hand side and let P be a proposition. We prove P ∨ ¬P . We
choose p := λa⊤ .P . By the right hand side and conversion we have either ∀a⊤ .P or
∃a⊤ .¬P . In each case the claim follows. Note that choosing an inhabited type for X
is essential. ■

Figure 17.1 shows prominent equivalences whose left-to-right directions are only
provable with XM. Note the de Morgan laws for conjunction and universal quantifi-
cation. Recall that the de Morgan laws for disjunction and existential quantification

¬(P ∨ Q) ←→ ¬P ∧ ¬Q de Morgan
¬(∃[Link]) ←→ ∀x. ¬px de Morgan

have constructive proofs.

Exercise 17.1.3
a) Prove the right-to-left directions of the equivalences in Figure 17.1.
b) Prove the left-to-right directions of the equivalences in Figure 17.1 using XM.

182
 17.1 Characterizations of Excluded Middle

¬(P ∧ Q) ←→ ¬P ∨ ¬Q de Morgan
¬(∀[Link]) ←→ ∃x. ¬px de Morgan
(¬P → ¬Q) ←→ (Q → P ) contraposition
(P → Q) ←→ ¬P ∨ Q classical implication

Figure 17.1: Prominent equivalences only provable with XM

Exercise 17.1.4 Prove the following equivalences possibly using XM. In each case
find out which direction needs XM.

¬(∃x.¬px) ←→ ∀[Link]
¬(∃x.¬px) ←→ ¬¬∀[Link]
¬(∃x.¬px) ←→ ¬¬∀x.¬¬px
¬¬(∃[Link]) ←→ ¬∀x.¬px

Exercise 17.1.5 Make sure you can prove the de Morgan laws for disjunction and
existential quantification (not using XM).

Exercise 17.1.6 Prove that ∀P QR P . (P → Q) ∨ (Q → R) is equivalent to XM.

Exercise 17.1.7 Explain why Peirce’s law and the double negation law are indepen-
dent in Coq’s type theory.

Exercise 17.1.8 Prove the equivalence of Peirce’s law and the double negation law
directly without going through other laws or disjunction. In each case only a single
instance of the other law is needed, which can be taken right at the beginning. Use
Coq’s tactic tauto to convince yourself that you have chosen the right instance.

Exercise 17.1.9 (De Morgan for universal quantification)

Prove XM ←→ ∀X T ∀p X→P . ¬(∀[Link]) → (∃x. ¬px).
Hint: For direction ← prove P ∨ ¬P with X := P ∨ ¬P and λ_.⊥, and exploit that
¬¬(P ∨ ¬P ) is provable.

Exercise 17.1.10 (Drinker Paradox) Consider a bar populated by at least one per-
son. Using excluded middle, one can argue that one can pick some person in the
bar such that everyone in the bar drinks Wodka if this person drinks Wodka.
We assume an inhabited type X representing the persons in the bar and a pred-
icate p X→P identifying the persons who drink Wodka. The job is now to prove the
proposition ∃x. px → ∀[Link]. Do the proof in detail and point out where XM and

183
17 Excluded Middle and Double Negation

inhabitation of X are needed. A nice proof can be done with the counterexample
law Fact 17.1.2.
An informal proof may proceed as follows. Either everyone in the bar is drinking
Whisky. Then we can pick any person for x. Otherwise, we pick a person for x not
drinking Whisky, making the implication vacuously true.

Exercise 17.1.11 (Drinker implies excluded middle)

When formulated in full generality

∀X T ∀p X→P . X → ∃x. px → ∀[Link]

the drinker proposition implies excluded middle. The proof was found by Dominik
Kirst in March 2023 and goes as follows. We show P ∨ ¬P for some proposition P .
To do so, we instantiate the drinker proposition with the type X := O(P ∨ ¬P ) and
the predicate defined by p(◦_) := ¬P and p(œ) := ⊤. We now obtain some a such
that pa → ∀[Link]. If a is obtained with some, a gives us a proof of the claim P ∨¬P .
Otherwise, we have ∀[Link] and prove ¬P . We assume P and obtain a contradiction
with the some case of p.
Kirst’s proof exploits that we are in a logical framework where proofs are values.
There is a paper [31] discussing the drinker paradox and suggesting it does not
imply excluded middle in a more conventional logical framework.

Exercise 17.1.12 (Dual drinker)

Prove that the so-called dual drinker proposition

∀X ∀p X→P . X → ∃x. (∃[Link]) → px

is equivalent to excluded middle.

17.2 Double Negation

Given a proposition P , we call ¬¬P the double negation of P . It turns out that the
double negation of a quantifier-free proposition is provable even if the proposition
by itself is only provable with XM. For instance,

∀P P . ¬¬(P ∨ ¬P )

is provable. This metaproperty cannot be proved in Coq. However, for every in-
stance a proof can be given in Coq. Moreover, for concrete propositional proof
systems the translation of classical proofs into constructive proofs of the double
negated claim can be formalized and verified (Glivenko’s theorem 24.7.2).
There is a useful proof technique for working with double negation: If we have a
double negated assumption and need to derive a proof of falsity, we can drop the

184
 17.2 Double Negation

double negation. The lemma behind this is an instance of the polymorphic identity
function:

¬¬P → (P → ⊥) → ⊥

With excluded middle, double negation distributes over all connectives and
quantifiers. Without excluded middle, we can still prove that double negation dis-
tributes over implication and conjunction.
Fact 17.2.1 The following distribution laws for double negation are provable:

¬¬(P → Q) ←→ (¬¬P → ¬¬Q)

¬¬(P ∧ Q) ←→ ¬¬P ∧ ¬¬Q
¬¬⊤ ←→ ⊤
¬¬⊥ ←→ ⊥

Exercise 17.2.2 Prove the equivalences of Fact 17.2.1.

Exercise 17.2.3 Prove the following propositions:

¬(P ∧ Q) ←→ ¬¬(¬P ∨ ¬Q)

(¬P → ¬Q) ←→ ¬¬(Q → P )
(¬P → ¬Q) ←→ (Q → ¬¬P )
(P → Q) → ¬¬(¬P ∨ Q)

Exercise 17.2.4 Prove ¬(∀x.¬px) ←→ ¬¬∃[Link].

Exercise 17.2.5 Prove the following implications:

¬¬P ∨ ¬¬Q → ¬¬(P ∨ Q)

(∃x. ¬¬px) → ¬¬∃[Link]
¬¬(∀[Link]) → ∀x. ¬¬px

Also prove the converse directions using excluded middle.

Exercise 17.2.6 Make sure you can prove the double negations of the following
propositions:

P ∨ ¬P
¬¬P → P
¬(P ∧ Q) → ¬P ∨ ¬Q
(¬P → ¬Q) → Q → P
((P → Q) → P ) → P
(P → Q) → ¬P ∨ Q
(P → Q) ∨ (Q → P )

185
17 Excluded Middle and Double Negation

Exercise 17.2.7 (Double negation shift)

An prominent logical law is double negation shift:

DNS := ∀X T ∀p X→P . (∀x. ¬¬px) → ¬¬∀x. px

DNS is provable for finite types but unprovable in general. Prove the following:
a) ∀p B→P . (∀x. ¬¬px) → ¬¬∀x. px
b) ¬¬XM ←→ DNS
c) ∀X T ∀p X→P . ¬¬(∀x. px) → (∀x. ¬¬px)
Hint: Direction ← of (b) follows with λP .P ∨ ¬P .

Exercise 17.2.8 (Double negation shift for existential quantification)

Prove XM ←→ ∀X T ∀p X→P . (¬¬∃x. px) → ∃x. ¬¬px.
Hint: For direction ← prove P ∨ ¬P with X := P ∨ ¬P and p := λ_.⊤, and exploit that
¬¬(P ∨ ¬P ) is provable.

17.3 Definite Propositions

We define definite propositions as propositions for which excluded middle holds:

definite P P := P ∨ ¬P

Fact 17.3.1 XM ←→ ∀P P . definite P .

We may see definite propositions as propositionally decided propositions. Com-

putationally decided propositions are always propositionally decided, but not nec-
essarily vice versa.
Fact 17.3.2
1. Decidable propositions are definite: ∀P P . D(P ) → definite P .
2. ⊤ and ⊥ are definite.
3. Extensionality: Definiteness is invariant under propositional equivalence:
(P ←→ Q) → definite P → definite Q.

Fact 17.3.3 (Closure Rules)

Implication, conjunction, disjunction, and negation preserve definiteness:
1. definite P → definite Q → definite (P → Q).
2. definite P → definite Q → definite (P ∧ Q).
3. definite P → definite Q → definite (P ∨ Q).
4. definite P → definite (¬P ).

Fact 17.3.4 (Definite de Morgan) definite P ∨ definite Q → ¬(P ∧Q) ←→ ¬P ∨¬Q.

Exercise 17.3.5 Prove the above facts.

186
 17.4 Stable Propositions

17.4 Stable Propositions

We define stable propositions as propositions where double negation elimination

is possible:

stable P P := ¬¬P → P

Stable propositions matter since there are proof rules providing classical reason-
ing for stable claims.

Fact 17.4.1 XM ←→ ∀P P . stable P .

Definite propositions are stable, but not necessarily vice versa.

Fact 17.4.2 Definite propositions are stable: ∀P P . definite P → stable P .

A negated proposition ¬P where P is a variable is stable but not definite.

Fact 17.4.3 (Characterization) stable P ←→ ∃QP . P ←→ ¬Q.

Corollary 17.4.4 Negated propositions are stable: ∀P P . stable(¬P ).

Fact 17.4.5 ⊤ and ⊥ are stable.

Fact 17.4.6 (Closure Rules)

Implication, conjunction, and universal quantification preserve stability:
1. stable Q → stable (P → Q).
2. stable P → stable Q → stable (P ∧ Q).
3. (∀x. stable (px)) → stable (∀[Link]).

Fact 17.4.7 (Extensionality) Stability is invariant under propositional equivalence:

(P ←→ Q) → stable P → stable Q.

Fact 17.4.8 (Classical reasoning rules for stable claims)

1. stable Q → (definite P → Q) → Q.
2. stable Q → (stable P → Q) → Q.

The rules say that when we prove a stable claim, we can assume for every propo-
sition P that it is definite or stable. Note that the second rule follows from the first
rule since definiteness implies stability.

Exercise 17.4.9 Prove the above facts.

187
17 Excluded Middle and Double Negation

Exercise 17.4.10 Prove the following classical reasoning rules for stable claims:
a) stable Q → (P → Q) → (¬P → Q) → Q.
b) stable Q → ¬(P1 ∧ P2 ) → (¬P1 ∨ ¬P2 → Q) → Q.
c) stable Q → (¬P1 → ¬P2 ) → ((P2 → P1 ) → Q) → Q.

Exercise 17.4.11 Prove (∀x. stable (px)) → ¬(∀[Link]) ←→ ¬¬∃x. ¬px.

Exercise 17.4.12 Prove FE → ∀f g N→B . stable(f = g).

Exercise 17.4.13 Prove XM ←→ ∀P P ∃QP . P ←→ ¬Q.

Exercise 17.4.14 We define classical variants of conjunction, disjunction, and ex-

istential quantification:

P ∧c Q := (P → Q → ⊥) → ⊥ ¬(P → ¬Q)
P ∨c Q := (P → ⊥) → (Q → ⊥) → ⊥ ¬P → ¬¬Q
∃c [Link] := (∀x. px → ⊥) → ⊥ ¬(∀x. ¬px)

The definitions are obtained from the impredicative characterizations of ∧, ∨, and ∃

by replacing the quantified target proposition Z with ⊥. At the right we give com-
putationally equal variants using negation. The classical variants are implied by
the originals and are equivalent to the double negations of the originals. Under
excluded middle, the classical variants thus agree with the originals. Prove the fol-
lowing propositions.
a) P ∧ Q → P ∧c Q and P ∧c Q ←→ ¬¬(P ∧ Q).
b) P ∨ Q → P ∨c Q and P ∨c Q ←→ ¬¬(P ∨ Q).
c) (∃[Link]) → ∃c [Link] and (∃c [Link]) ←→ ¬¬(∃[Link]).
d) P ∨c ¬P .
e) ¬(P ∧c Q) ←→ ¬P ∨c ¬Q.
f) (∀x. stable (px)) → ¬(∀[Link]) ←→ ∃c x. ¬px.
g) P ∧c Q, P ∨c Q, and ∃c x. px are stable.

17.5 Variants of Excluded Middle

A stronger formulation of excluded middle is truth value semantics:

TVS := ∀P P . P = ⊤ ∨ P = ⊥

TVS is equivalent to the conjunction of XM and PE.

Fact 17.5.1 TVS ←→ XM ∧ PE.

188
 17.6 Notes

Proof We show TVS → PE. Let P ←→ Q. We apply TVS to P and Q. If they are both
assigned ⊥ or ⊤, we have P = Q. Otherwise we have ⊤ ←→ ⊥, which is contradictory.
The remaining implications TVS → XM and XM ∧ PE → TVS are also straightforward.■

There are interesting weaker formulations of excluded middle. We consider two

of them in exercises appearing below:

WXM := ∀P P . ¬P ∨ ¬¬P weak excluded middle

P P
IXM := ∀P Q . (P → Q) ∨ (Q → P ) implicational excluded middle

Altogether we have the following hierarchy: TVS ⇒ XM ⇒ IXM ⇒ WXM.

Exercise 17.5.2 Prove TVS ←→ ∀XY Z : P. X = Y ∨ X = Z ∨ Y = Z. Note that the

equivalence characterizes TVS without using ⊤ and ⊥.

Exercise 17.5.3 Prove TVS ←→ ∀p P→P . p⊤ → p⊥ → ∀[Link]. Note that the equiva-
lence characterizes TVS without using propositional equality.

Exercise 17.5.4 Prove (∀X T . X = ⊤ ∨ X = ⊥) → ⊥.

Exercise 17.5.5 (Weak excluded middle)

a) Prove XM → WXM.
b) Prove WXM ←→ ∀P P . ¬¬P ∨ ¬¬¬P .
c) Prove WXM ←→ ∀P P QP . ¬(P ∧ Q) → ¬P ∨ ¬Q.
Note that (c) says that WXM is equivalent to the de Morgan law for conjunction. We
remark that computational type theory proves neither WXM nor WXM → XM.

Exercise 17.5.6 (Implicational excluded middle)

a) Prove XM → IXM.
b) Prove IXM → WXM.
c) Assuming that computational type theory does not prove WXM, argue that com-
putational type theory proves neither IXM nor XM nor TVS.
We remark that computational type theory does not prove WXM. Neither does com-
putational type theory prove any of the implications WXM → IXM, IXM → XM, and
XM → TVS.

17.6 Notes

Proof systems not building in excluded middle are called intuitionistic proof systems,
and proof systems building in excluded middle are called classical proof systems.
The proof system coming with computational type theory is clearly an intuitionistic

189
17 Excluded Middle and Double Negation

system. What we have seen in this chapter is that an intuitionistic proof system pro-
vides for a fine grained analysis of excluded middle. This is in contrast to a classical
proof system that by construction does not support the study of excluded middle.
It should be very clear from this chapter that an intuitionistic system provides for
classical reasoning (i.e., reasoning with excluded middle) while a classical system
does not provide for intuitionistic reasoning (i.e., reasoning without excluded mid-
dle).
Classical and intuitionistic proof systems have been studied for more than a
century. That intuitionistic reasoning is not made explicit in current introductory
teaching of mathematics may have social reasons tracing back to early advocates of
intuitionistic reasoning who argued against the use of excluded middle.

190
18 Provability

A central notion of computational type theory and related systems is provability.

A type (or more specifically a proposition) is provable if there is a term that type
checks as a member of this type. Importantly, type checking is a decidable relation
between terms that can be machine checked. We say that provability is a verifiable
relation. Given the explanations in this text and the realization provided by the
proof assistant Coq, we are on solid ground when we construct proofs.
In contrast to provability, unprovability is not a verifiable relation. Thus the
proof assistant will, in general, not be able to certify that types are unprovable.
As it comes to unprovability, this text makes some strong assumptions that
cannot be verified with the methods the text develops. The most prominent such
assumption says that falsity is unprovable.
Recall that we call a type X disprovable if the type X → ⊥ is provable. If we trust
in the assumption that falsity is unprovable, every disprovable type is unprovable.
Thus disprovable types give us a class of types for which unprovability is verifiable
up to the assumption that falsity is unprovable.
Types that are neither provable nor disprovable are called independent types.
There are many independent types. In fact, the extensionality assumptions from
Chapter 16 and the different variants of excluded middle from Chapter 17 are all
claimed independent. These claims are backed up by model-theoretic studies in the
literature.

18.1 Provability Predicates

It will be helpful to assume an abstract provability predicate

provable : P → P

With this trick provable (P ) and ¬provable (P ) are both propositions in compu-
tational type theory we can reason about. We define three standard notions for
propositions and the assumed provability predicate:

disprovable (P ) := provable (¬P )

consistent (P ) := ¬provable (¬P )
independent (P ) := ¬provable (P ) ∧ ¬provable (¬P )

191
18 Provability

With these definitions we can easily prove the following implications:

independent (P ) → consistent (P )
consistent (P ) → ¬disprovable (P )
provable (P ) → ¬independent (P )

To show more, we make the following assumptions about the assumed provability
predicate:

PMP : ∀P Q. provable (P → Q) → provable (P ) → provable (Q)

PI : ∀P . provable (P → P )
PK : ∀P Q. provable (Q) → provable (P → Q)
PC : ∀P QZ. provable (P → Q) → provable ((Q → Z) → P → Z)

Since the provability predicate coming with computational type theory satisfies
these properties, we can expect that properties we can show for the assumed prov-
ability predicate also hold for the provability predicate coming with computational
type theory.

Fact 18.1.1 (Transport)

1. provable(P → Q) → ¬provable Q → ¬ provable (P ).
2. provable(P → Q) → consistent (P ) → consistent (Q).

Proof Claim 1 follows with PMP. Claim 2 follows with PC and (1). ■

From the transport properties it follows that a proposition is independent if it

can be sandwiched between a consistent and an unprovable proposition.

Fact 18.1.2 (Sandwich) A proposition Z is independent if there exists a consistent

proposition P and an unprovable proposition Q such that P → Z and Z → Q are
provable: consistent (P ) → ¬provable Q → (P → Z) → (Z → Q) → independent (Z).

Proof Follows with Fact 18.1.1. ■

Exercise 18.1.3 Show that the functions λP P .P and λP P .⊤ are provability predi-
cates satisfying PMP, PI, PK, and PC.

Exercise 18.1.4 Let P → Q be provable. Show that P and Q are both independent
if P is consistent and Q is unprovable.

Exercise 18.1.5 Assume that the provability predicate satisfies

PE : ∀P P . provable (⊥) → provable (P )

in addition to PMP, PI, PK, and PC. Prove ¬provable (⊥) ←→ ¬∀P P . provable (P ).

192
 18.2 Consistency

18.2 Consistency

Fact 18.2.1 (Consistency) The following propositions are equivalent:

1. ¬ provable (⊥).
2. consistent (¬⊥).
3. ∃P . consistent (P ).
4. ∀P . provable (P ) → consistent (P ).
5. ∀P . disprovable (P ) → ¬provable (P ).

Proof 1 → 2. We assume provable (¬¬⊥) and show provable (⊥). By PMP it suffices
to show provable(¬⊥), which holds by PI.
2 → 3. Trivial.
3 → 1. Suppose P is consistent. We assume provable ⊥ and show provable (¬P ).
Follows by PK.
1 → 4. We assume that ⊥ is unprovable, P is provable, and ¬P is provable. By
PMP we have provable ⊥. Contradiction.
4 → 1. We assume that ⊥ is provable and derive a contradiction. By the primary
assumption it follows that ¬⊥ is unprovable. Contradiction since ¬⊥ is provable
by PI.
1 → 5. Follows with PMP.
5 → 1. Assume disprovable (⊥) → ¬provable (⊥). It suffices to show
disprovable(¬⊥), which follows with PI. ■

Exercise 18.2.2 We may consider more abstract provability predicates

provable : prop → P

where prop is an assumed type of propositions with an assumed constant

impl : prop → prop → prop

Show that all results of this chapter hold for such abstract proof systems.

Exercise 18.2.3 (Hilbert style assumptions) The assumptions PI, PK, and PC can be
obtained from the simpler assumptions

PK′ : ∀P Q. provable (P → Q → P )
PS : ∀P QZ. provable ((P → Q → Z) → (P → Q) → P → Z)

that will look familiar to people acquainted with propositional Hilbert systems.
Prove PK, PI, and PC from the two assumptions above. PK and PI are easy. PC
is difficult if you don’t know the technique. You may follow the proof tree
S(S(KS)(S(KK)I))(KH). Hint: PI follows with the proof tree SKK.
The exercise was prompted by ideas of Jianlin Li in July 2020.

193
 Part II

More Basics

195
19 Arithmetic Recursion

This chapter is about functions recursing on numeric arguments in a non-structural

manner. The examples we consider are Euclidean division, greatest common divi-
sors, and the Fibonacci numbers. We describe the functions with procedural speci-
fications and construct satisfying reducible functions using structural recursion on
a step index formalizing the arithmetic termination argument. We show uniqueness
of the procedural specifications using complete induction and size induction, two
induction operators obtained by structural induction on a step index.
We also define course-of-values recursion as structural recursion on the length
of vectors. With course-of-values recursion we obtain a Fibonacci function from the
step function generating the Fibonacci sequence.

19.1 Complete Induction

Complete induction is a well-known proof rule saying that to prove px it is ok to

assume py holds for all y < x:

∀p N→T . (∀x. (∀y. y < x → py) → px) → ∀[Link]

We will establish complete induction as a certifying function with the above type.
Complete induction can be used to construct functions since p may be a type
function.
When we use complete induction to construct a proof, we will refer to the hy-
pothesis

∀y. y < x → py

as the inductive hypothesis. When we use complete induction to construct a func-

tion, we will refer to the function of the type

∀x. (∀y. y < x → py) → px

as the step function. Moreover, we will refer to the certifying function for complete
induction as the complete induction operator.
Compared to structural induction

∀p N→T . p0 → (∀x. px → p(Sx)) → ∀[Link]

197
19 Arithmetic Recursion

complete induction introduces only one proof obligation. Moreover, the inductive
hypothesis of complete induction is stronger than the inductive hypothesis of struc-
tural induction in that it provide py for all y < x, not just the predecessor.
Computationally, complete induction says that when we compute a function f
for a number x, we can obtain f y for all y < x by recursion.
Constructing a complete induction operator with a structural induction operator
is straightforward. The trick is to replace the claim ∀[Link] with the equivalent claim
∀nx. x < n → px and do structural induction on the introduced upper bound n.
Definition 19.1.1 (Complete induction operator)
∀p N→T . (∀x. (∀y. y < x → py) → px) → ∀[Link].

Proof We assume p and the step function

F : ∀x. (∀y. y < x → py) → px

and show ∀[Link]. The trick is to prove the equivalent claim

∀nx. x < n → px

by structural induction on the upper bound n. For n = 0, the claim follows withe
computational falsity elimination since we have the hypothesis x < 0. In the suc-
cessor case, we assume x < Sn and prove px. We apply the step function F , which
gives us the assumption y < x and the claim py. By the inductive hypothesis it
suffices to show y < n, which follows by linear arithmetic ■

Exercise 19.1.2 (Uniqueness of procedural specification)

We call a procedural specification unique if all functions satisfying the specifica-
tion agree. Prove with complete induction that the procedural specification (of the
Fibonacci function)

Fib : (N → N → N) → N → N
Fib f n := if n ≤ 1 then n else f (n − 2) + f (n − 1)

is unique: ∀f f ′ . (∀n. f n = Fib f n) → (∀n. f ′ n = Fib f ′ n) → (∀n. f n = f ′ n).

Exercise 19.1.3 (Uniqueness of procedural specification)
Prove that the procedural specification (of the Ackermann function)

Ack : (N → N → N) → N → N → N
Ack f 0 y := Sy
Ack f (Sx) 0 := f x1
Ack f (Sx)(Sy) := f x(f (Sx) y)

is unique.

198
 19.2 Size Induction

Exercise 19.1.4 (Double induction) Prove the following double induction principle
for numbers (from Smullyan and Fitting [27]):

∀p N→N→T .
(∀x. px0) →
(∀xy. pxy → pyx → px(Sy)) →
∀xy. pxy

There is a nice geometric intuition for the truth of the principle: See a pair (x, y) as
a point in the discrete plane spanned by N and convince yourself that the two rules
are enough to reach every point of the plane.
Hint: First do induction on y with x quantified. In the successor case, first apply
the second rule and then prove pxy by induction on x.

19.2 Size Induction

Size induction is a generalization of complete induction working for all types that
have a numeric size function:

∀X T ∀σ X→N ∀p X→T .
(∀x. (∀y. σ y < σ x → py) → px) →
∀x. px

With size induction, when we prove px, we can assume py for all y whose size
is smaller than the size of x. The construction of the size induction operator is a
straightforward adaption of the construction of the complete induction operator.

Definition 19.2.1 (Size induction operator)

∀X T ∀σ X→N ∀p X→T .
(∀x. (∀y. σ y < σ x → py) → px) →
∀x. px

Proof We assume X, σ , p and the step function F : ∀x. (∀y. y < x → py) → px
and show ∀[Link]. We prove the equivalent claim

∀nx. σ x < n → px

by structural induction on the upper bound n. For n = 0, the claim follows withe
computational falsity elimination since we have the hypothesis x < 0. In the succes-
sor case, we assume σ x < Sn and prove px. We apply the step function F , which
gives us the assumption σ y < σ x and the claim py. By the inductive hypothesis it
suffices to show σ y < σ n, which follows by linear arithmetic ■

199
19 Arithmetic Recursion

There will be applications of size induction where the size function has two
arguments. We establish a binary size induction operator adapted to this situation.
Definition 19.2.2 (Binary size induction operator)

∀XY T ∀σ X→Y →N ∀p X→Y →T .

(∀xy. (∀x ′ y ′ . σ x ′ y ′ < σ xy → px ′ y ′ ) → pxy) →
∀xy. pxy

Proof Straightforward adaption of the construction of the unary size induction op-
erator (Fact 19.2.1). ■

Exercise 19.2.3 Assume a size induction operator and construct a binary size
induction operator and a structural induction operator not using structural induc-
tion.

19.3 Euclidean Quotient

The Euclidean quotient of two numbers x and Sy is the number of times Sy can be
subtracted from x without truncation. This computational characterization of the
Euclidean quotient can be formalized with a procedural specification

Dxy = if x ≤ y then 0 else S(D(x − Sy)y)

The computation captured by the equation terminates since the first argument is
decreased upon recursion. Thus if D is a function satisfying the equation, Dxy is
the Euclidean quotient of x and Sy for all numbers x and y. There are obvious
questions about the procedural specification of Euclidean division:
• Existence: Is there a function satisfying the specification?
• Uniqueness: Do all functions satisfying the specification agree?
• Formalization: How can the specification be expressed in type theory?
We will answer the first two questions positively. Existence will be shown with a
general technique called step indexing that applies to all procedural specifications
whose recursion is guarded by an arithmetic size function. Uniqueness will follow
with complete induction on the first argument x.
First we take care of the formalization of the procedural specification. We ex-
press the procedural specification with an unfolding function (§ 1.12)

∆ : (N → N) → N → N → N
∆ f xy := if x ≤ y then 0 else S(f (x − Sy)y)

We prepare the uniqueness statement with a notation for function agreement:

f ≡ f′ Ž ∀xy. f xy = f ′ xy

200
 19.3 Euclidean Quotient

Fact 19.3.1 (Uniqueness)

All functions satisfying ∆ agree:
∀f f ′ . f ≡ ∆f → f ′ ≡ ∆f ′ → f ≡ f ′ .

Proof We assume H1 : f ≡ ∆f and H2 : f ′ ≡ ∆f ′ and prove f xy = f ′ xy by

complete induction on x. By rewriting with H1 and H2 the claim reduces to

(if x ≤ y then 0 else S(f (x − Sy)y))

= (if x ≤ y then 0 else S(f ′ (x − Sy)y))

We now discriminate on x − y. If x ≤ y, the claim reduces to 0 = 0. If x > y, the

claim reduces to

S(f (x − Sy)y) = S(f ′ (x − Sy)y)

which follows with the inductive hypothesis instantiated with x − Sy < x. ■

Exercise 19.3.2 Let D be a function satisfying the procedural specification for the
Euclidean quotients: D ≡ ∆D. Prove Dxy · Sy ≤ x < Dxy · Sy + Sy.

Exercise 19.3.3 (Euclidean remainder) The Euclidean remainder of x and Sy is the

number that remains if Sy is subtracted from x as long as this is possible without
truncation.
a) Give a procedural specification Γ formalizing the specification of the remainder.
b) Show that Γ is unique.
c) Show that every function M satisfying Γ satisfies Mxy ≤ y.
d) Let D be a function satisfying δ and M be a function satisfying Γ .
Show x = Dxy · Sy + Mxy.

Exercise 19.3.4 We have shown some results about the procedural specification ∆
using complete induction. It turns out that the results can also be shown using
structural induction on an upper bound for the variable used for complete induc-
tion. For instance, if D satisfies Γ , one may prove

∀nx. x < n → Dxy · Sy ≤ x < Dxy · Sy + Sy

by structural induction on n to obtain ∀x. Dxy · Sy ≤ x < Dxy · Sy + Sy.

Exercise 19.3.5 Construct an induction operator

∀y N ∀p N→T .
(∀x ≤ y. px) →
(∀x > y. p(x − Sy) → px) →
∀x. px

201
19 Arithmetic Recursion

19.4 Step-Indexed Function Construction

We now introduce a technique called step indexing providing for the direct con-
struction of functions satisfying procedural specifications. Step indexing works
whenever the termination of the procedural specification can be argued with an
arithmetic size function.
Suppose we have a procedural specification whose termination can be argued
with an arithmetic size function. Then we can define an helper function taking the
size (a number) as an additional argument called step index and arrange things such
that the recursion is structural recursion on the step index. We obtain the specified
function by using the helper function with a sufficiently large step index.
We demonstrate the technique with the procedural specification δ of Euclidean
quotients. The step-indexed helper function comes out as follows:

Div 0 x y := 0
Div (Sn) x y := ∆ (Div n) x y

The essential result about Div is index independence : Div nxy = Div n′ xy whenever
the step indices are large enough.

Lemma 19.4.1 (Index independence)

∀nn′ xy. n > x → n′ > x → Div nxy = Div n′ xy.

Proof By induction on n with n′ and x quantified. The base case has a contradictory
assumption. In the successor case, we destructure n′ . The case n′ = 0 has a
contradictory assumption. If n = Sn1 and n′ = Sn′1 , the claim reduces to

if x ≤ y then 0 else S(Div n1 (x − Sy)y)

= if x ≤ y then 0 else S(Div n2 (x − Sy)y)

The claim now follows by discrimination on x − y using the inductive hypothesis

for n1 > x − Sy and n2 > x − Sy. ■

Fact 19.4.2 (Existence) Let Dx := Div(Sx)x. Then D ≡ ∆D.

Proof The claim simplifies to

if x ≤ y then 0 else S(Div x(x − Sy)y)

= if x ≤ y then 0 else S(Div (S(x − Sy))(x − Sy)y)

The reduced claim follows by discrimination on x − y using index independence

(Lemma 19.4.1) for x > x − Sy and S(x − Sy) > x − Sy. ■

202
 19.5 Greatest Common Divisor

19.5 Greatest Common Divisor

The techniques we have seen for Euclidean quotients also work for GCDs (greatest
common divisors). Recall that the GCD of two numbers can be computed by re-
peated non-truncating subtraction. We formalize the algorithm with the procedural
specification

Γ : (N → N) → N → N → N
Γ f xy := if x then y else if x ≤ y then f x(y − x) else f yx

The recursion of the specification terminates since it decreases the binary size func-
tion σ xy := 2 · x + y.

Fact 19.5.1 (Uniqueness)

All functions satisfying Γ agree:
∀f f ′ . f ≡ Γ f → f ′ ≡ Γ f ′ → f ≡ f ′ .

Proof We assume H1 : f ≡ Γ f and H2 : f ′ ≡ Γ f ′ and prove f xy = f ′ xy by

binary size induction on σ xy. Following Γ , we consider three cases: (1) x = 0,
(2) 0 < x ≤ y, and (3) y > x > 0. The base case follows by computational equality,
and the recursive cases follow with the inductive hypothesis. ■

To construct a function satisfying Γ , we define a step-indexed helper function:

Gcd 0 x y := 0
Gcd (Sn) x y := Γ (Gcd n) x y

Lemma 19.5.2 (Index independence)

∀nn′ xy. n > σ xy → n′ > σ xy → Gcd nxy = Gcd n′ xy.

Proof By induction on n with n′ , x, and y quantified. The base case has a contra-
dictory assumption. In the successor case, we destructure n′ . The case n′ = 0 has
a contradictory assumption. Let n = Sn1 and n′ = Sn′1 . Following Γ , we consider
three cases: (1) x = 0, (2) 0 < x ≤ y, and (3) y > x > 0. The base case follows by
computational equality, and the recursive cases follow with the inductive hypothe-
sis. ■

Fact 19.5.3 (Existence) Let Gxy := Gcd(S(σ xy))xy. Then G ≡ Γ G.

Proof Following Γ , we consider three cases: (1) x = 0, (2) 0 < x ≤ y, and (3)
y > x > 0. The base case follows by computational equality, and the recursive cases
follow with index independence (Lemma 19.5.2). ■

203
19 Arithmetic Recursion

Exercise 19.5.4 Construct a GCD induction operator

∀p N→N→T .
(∀y. p0y) →
(∀xy. x ≤ y → px(y − x) → pxy) →
(∀xy. pxy → pyx) →
∀xy. pxy

19.6 Course-of-values Recursion

Recall the definition of vector types in § 11.4 with a type function recursing on
numbers:
V:T→N→T
V X 0 := 1
V X (Sn) := X × V X n
Also recall that we are using the notation Vn X for V X n. The values of a vector
type Vn X represent sequences ⟨x1 , . . . , xn ⟩ whose elements are of type X. For in-
stance, we have
(1, (2, (3, I))) : V3 N ≈ N × (N × (N × 1))
Given a step function f : ∀n. Vn X → X, we can start from the empty vector and
recursively compute vectors (f nv, v) : VSn X. We speak of vector recursion and
formalize the computation scheme with a function
vecrec : ∀X T . (∀n. Vn X → X) → ∀n. Vn X
vecrec X f 0 := I
vecrec X f (Sn) := let v = vecrec X f n in (f nv, v)
Building on vector recursion, we define course-of-values recursion as follows:
covrec : ∀X T . (∀n. Vn X → X) → N → X
covrec X f n := π1 (vecrec X f (Sn))
An untyped form of course by value recursion appeared with the study of primitive
recursive functions in the 1920s.
Course-of-values recursion can be used to construct the functions representing
sequences like those of the square numbers, factorials, and Fibonacci numbers:
1, 4, 9, 16, 25, 36, . . .
1, 1, 2, 6, 24, 120, . . .
0, 1, 1, 2, 3, 5, . . .

204
 19.6 Course-of-values Recursion

The function for the square number sequence is

covrec N (λn_. n2 )

The function for the factorial sequence is obtained with the step function

facstep : ∀n. Vn N → N
facstep 0 _ := 1
facstep (Sn) v := Sn · π1 v

Note that type checking of the second defining equation requires conversion to
validate the application of the projection π1 . Finally the function for the Fibonacci
sequence is obtained with the step function.

fibstep : ∀n. Vn N → N
fibstep 0 _ := 0
fibstep 1 _ := 1
fibstep (SSn) v := π1 (π2 v) + π1 v

Informally, the step function says that the first two Fibonacci numbers are 0 and 1,
and that higher Fibonacci numbers are obtained as the sum of the two preceding
Fibonacci numbers.
We prove that the Fibonacci function obtained with course-of-values recursion
satisfies the standard specification of the Fibonacci sequence.

Fact 19.6.1 (Correctness) Let fib := covrec N fibstep.

Then ∀n. fib n = if n ≤ 1 then n else fib (n − 2) + fib (n − 1).

Proof The claim follows by case analysis on n. If n = 0 or n = 1, the claim follows

by computational equality. If n = SSn′ , the claim follows by computational equality
after SSn′ − 2 is replaced with n′ . ■

205
20 Euclidean Division

We study functions for Euclidean division. We start with a relational specifica-

tion and show with a certifying function that Euclidean quotients and remainders
uniquely exist. The certifying function gives us abstract quotient and remainder
functions satisfying a defining property. We show that the abstract functions can
be computed with repeated subtraction.
Following the ideas used for quotient and remainder, we construct an abstract
GCD function satisfying a relational specification of greatest common divisors. We
show that the abstract GCD function can be computed by taking remainders. We
also give an inductive characterization of greatest common divisors.

20.1 Existence of Quotient and Remainder

Suppose you have a chocolate bar of length x and you want to cut it in pieces of
length Sy. Then the number of pieces you can obtain is the Euclidean quotient of
x and Sy and the short piece possibly remaining is the Euclidean remainder of x
and Sy.
Mathematically speaking, the Euclidean quotient of x and Sy is the maximal
number a such that a · Sy ≤ x. Following this characterization, we define a
relational specification

δxyab := x = a · Sy + b ∧ b ≤ y

Given δxyab, we say that a is the quotient and b is the remainder of x and Sy.
For instance, we have 8 = 2 · 3 + 2 saying that 2 is the quotient and the remainder
of 8 and 3.
Note that we consider Euclidean division for x and Sy to avoid the division-by-
zero problem.
We will construct functions that for x and y compute a and b such that δxyab.
This tells us that Euclidean quotients and remainders always exist. We will also
show that quotients and remainders uniquely exist.
Given x and y, we compute a and b such that δxyab by structural recursion
on x. The zero case is trivial:

0 = 0 · Sy + 0

207
20 Euclidean Division

In the successor case, we obtain

x = a · Sy + b and b ≤ y

by recursion. If b < y, then

Sx = a · Sy + Sb and Sb ≤ y

Otherwise, b = y and we have

Sx = Sa · Sy + 0

Fact 20.1.1 (Certifying division function) ∀xy. Σab. δxyab.

Proof By induction on x with y fixed following the arguments given above. ■

Definition 20.1.2 (D and M)

We fix two function D N→N→N and M N→N→N such that ∀xy. δxy(Dxy)(Mxy).

Proof Let F be a function ∀xy. Σab. δxyab as provided by Fact 20.1.1. We define
the functions D and M as Dxy := π1 (F xy) and Mxy := π1 (π2 (F xy)). Now
π2 (π2 (F xy)) is a proof of δxy(Dxy)(Mxy) (up to conversion). ■

Note that Definition 20.1.2 provides D and M as abstract constants. The only
thing we know about the functions D and M is that they yield quotients and re-
mainders as asserted by the defining property ∀xy. δxy(Dxy)(Mxy). We know
have examples for simply typed abstract functions that are specified with a defining
property.

Corollary 20.1.3 Mxy < Sy.

Corollary 20.1.4 Mxy = 0 ←→ x = Dxy · Sy.

Exercise 20.1.5
Convince yourself that the following statements follow by linear arithmetic:
a) δxyab → b = x − a · Sy
b) Mxy = x − Dxy · Sy

Exercise 20.1.6 Prove least (λk. x ≤ Sk · Sy) (Dxy).

208
 20.2 Uniqueness of Quotient and Remainder

20.2 Uniqueness of Quotient and Remainder

We now show that quotients and remainders are unique.

Fact 20.2.1 (Uniqueness of δ)

δxyab → δxya′ b′ → a = a′ ∧ b = b′ .

Proof Using linear arithmetic, it suffices to prove

(b ≤ y) → (b′ ≤ y) → (a · Sy + b = a′ · Sy + b′ ) → a = a′

We prove the claim by induction on a with a′ quantified, followed by discrimination

on a′ .
The three cases where a = 0 or a′ = 0 follow by linear arithmetic.
Suppose a = Sa1 and a′ = Sa2 . Then the inductive hypothesis reduces the claim to
a1 · Sy + b = a2 · Sy + b′ , which follows by linear arithmetic (injectivity of S and
injectivity of + (Fact 12.2.4)). ■

To obtain a solid proof, the above outline needs elaboration and verification.
This is best done with a proof assistant, where the reasoner for linear arithmetic
takes care of all arithmetic details.
The uniqueness of δ has important applications.

Fact 20.2.2 x = a · Sy ←→ Dxy = a ∧ Mxy = 0.

Proof Follows with linear arithmetic from uniqueness of δ (20.2.1) and the defining
property of D and M 20.1.2. ■

Example 20.2.3 To show the ground equations D 100 3 = 25 and M 100 3 = 0, it

suffices to show δ 100 3 25 0 (because of uniqueness of δ and the defining property
of D and M). The reduced claim δ 100 3 25 0 follows with computational equality.

Exercise 20.2.4 Let b ≤ y. Prove D(a · Sy + b) y = a and M(a · Sy + b) y = b.

Exercise 20.2.5 Prove the following:

a) Dxy = a ←→ ∃b. δxyab
b) Mxy = b ←→ ∃a. δxyab

Exercise 20.2.6 There is a specification ofthe Euclidean quotient not mentioning

the remainder: γxya := a · Sy ≤ x < a · Sy + Sy. Prove the following:
a) γxya ←→ ∃b. δxyab
b) Dxy = a ←→ γxya
c) γxy(Dxy)

209
20 Euclidean Division

Exercise 20.2.7 Prove x · SSz + 1 ≠ y · SSz + 0.

Hint: Use uniqueness of δ.

Exercise 20.2.8 Let even n := ∃k. n = k · 2. Prove the following:

a) D (even n)
b) even n → ¬even (Sn)
c) ¬even n → even (Sn)
Hint: Characterize even with the remainder function M.

20.3 Quotient and Remainder with Repeated Subtraction

Euclidean quotient and reminder can be computed by repeated subtraction. The

geometric intuition tells us that the Euclidean quotient of x and Sy is the number
of times Sy can be subtracted from x without truncation, and that the remainder
of x and Sy is the number that remains.
How can we formalize this insight in computational type theory? We face the
difficulty that repeated subtraction is a recursive process whose recursion is not
structurally recursive. What we can do in this situation is to verify that the func-
tions D and M satisfy the equations for repeated subtraction. Moreover, we can
formulate and verify the subtraction rules for the relational specification δ.

Fact 20.3.1 (Repeated subtraction, relational version)

The following rules hold for all numbers x, y, a, b :
1. x ≤ y → δxy0x
2. x > y → δ(x − Sy)yab → δxy(Sa)b

Proof Both rules follow by linear arithmetic. ■

The rules justify an algorithm taking x and y as input and computing a and b
such that δxyab by repeated subtraction. The relational algorithm can be factor-
ized into two functional algorithms computing quotient and remainder separately.
The functional algorithms can be formalized with unfolding functions as follows:

DIV : (N → N) → N → N → N
DIV f xy := if x ≤ y then 0 else S(f (x − Sy)y)

MOD : (N → N) → N → N → N
MOD f xy := if x ≤ y then 0 else S(f (x − Sy)y)

Fact 20.3.2 (Repeated subtraction, functional version)

The following equations hold for all numbers x, y :
D xy = DIV D xy and M xy = MOD M xy.

210
 20.4 Divisibility

Proof By the uniqueness of δ (Fact 20.2.1) and the definition of D and M (Defini-
tion 20.1.2) it suffices to show

δxy (if x ≤ y then 0 else S(D(x − Sy) y))

(if x ≤ y then x else M(x − Sy) y)

We discriminate on x − y. If x ≤ y, the claim reduces to δxy0x, which follows

with Fact 20.3.1(1). If x > y, the claim reduces to

δxy (S(D(x − Sy)y)) (M(x − Sy)y)

which with Fact 20.3.1(2) reduces to

δ(x − Sy)y (D(x − Sy) y) (M(x − Sy) y)

which is an instance of the defining property of D and M. ■

Fact 20.3.2 is remarkable, both as it comes to the result and to the proof. It states
that the abstract functions D and M satisfy procedural specifications employing re-
peated subtraction. The proof of the result hinges on the uniqueness of the rela-
tional specifications δ, the correctness of repeated subtraction for δ (Fact 20.3.1),
and the definition of D and M.
Recall that we studied the procedural specifications DIV and Mod in § 19.3. In
particular we showed that both specifications are unique (Fact 19.3.1 and Exer-
cise 19.3.3). Thus we now know that all functions satisfying the specifications agree
with D and M.
Corollary 20.3.3 All functions satisfying DIV agree with D, and all functions satis-
fying MOD agree with M.

Exercise 20.3.4 Let F : ∀xy. Σab. δxyab and f xy := (π1 (F xy), π1 (π2 (F xy)).
a) Prove that f satisfies δxy(π1 (f xy))(π2 (f xy)).
b) Prove that f satisfies the equation
f xy = if x ≤ y then (0, x) else let (a, b) = f (x − Sy) y in (Sa, b).
Remark: Both proof are straightforward when done with a proof assistant. Checking
the details rigorously is annoyingly tedious if done by hand. The second proof best
follows the proof of Fact 20.3.2 using uniqueness (Fact 20.2.1) and the rules for
repeated subtraction (Fact 20.3.1). No induction is needed.

20.4 Divisibility

We define a divisibility predicate as follows:

n | x := ∃k. x = k · n

We read n | x as either n divides x, or n is a divisor of x, or n is a factor of x.

211
20 Euclidean Division

Fact 20.4.1 Sn | x ←→ Mxn = 0.

Proof Follows with Facts 20.2.2 and 20.1.4. ■

Corollary 20.4.2 (Decidability) ∀nx. D(n | x)

Fact 20.4.3 (Divisibility)

1. n | 0 and x | x.
2. x ≤ y → n | x → (n | y ←→ n | y − x).
3. x > 0 → n | x → n ≤ x.
4. n > x → n | x → x = 0.
5. (∀n. n | x ←→ n | y) → x ≤ y.
6. (∀n. n | x ←→ n | y) → x = y.

Proof Claims 1–4 have straightforward proofs unfolding the definition of divisibil-
ity. Claim 6 follows from claim 5.
For claim 5, we consider y = 0 and y > 0. For y = 0, we obtain x = 0 by (4) with
n := Sx and (1). For y > 0, we obtain x ≤ y by (3) and (1). ■

20.5 Greatest Common Divisors

The greatest common divisor of two numbers x and y is a number z such that the
divisors of z are exactly the common divisors of x and y. Following this character-
ization, we define a GCD predicate:

γxyz := ∀n. n | z ←→ n | x ∧ n | y

We say z is the GCD of x and y if γxyz.

Fact 20.5.1 (Uniqueness) γxyz → γxyz′ → z = z′ .

Proof Straightforward with Fact 20.4.3(6). ■

Similar to Euclidean quotients, GCDs can be computed with repeated subtrac-

tion. This follows from the fact that non-truncating subtraction leaves the common
divisors of two numbers unchanged.

Fact 20.5.2 x ≤ y → n | x → (n | y ←→ n | y − x).

Proof Straightforward using distribution a · n + b · n = (a + b) · n. ■

Corollary 20.5.3 (Subtraction rule) x ≤ y → γx(y − x)z → γxyz.

212
 20.5 Greatest Common Divisors

Recall that Mxy subtracts Sy from x as long as the subtraction doesn’t truncate.
Thus we may use the remainder function to compute GCDs.
Fact 20.5.4 (Remainder rule) γ(Sx)(Myx)z → γ(Sx)yz.

Proof By complete induction on y using Facts 20.3.2 and 20.5.3. ■

To compute GCDs, we need two further rules for γ. The correctness of both
rules is obvious from the definition of δ.
Fact 20.5.5 (Symmetry rule) γyxz → γxyz.

Fact 20.5.6 (Zero rule) γ0yy.

We formulate a GCD algorithm using remainders with a procedural specification:

Γ : (N → N → N) → N → N → N
Γ f 0 y := y
Γ f (Sx) y := f (Myx)(Sx)

The recursion terminates since the first argument is decreased. We use the algo-
rithm to show that GCDs exist.
Fact 20.5.7 (Existence) ∀xy. Σz. γxyz.

Proof We prove the claim by complete induction on x. If x = 0, the claim follows

with the zero rule. Otherwise we prove Σz. γ(Sx)yz. The inductive hypothesis
gives us γ(Myx)(Sx)z since Myx < Sx (Fact 20.1.3). The claim follows with the
symmetry and the remainder rule. ■

Definition 20.5.8 (GCD function)

We fix a function gcd such that ∀xy. γxy(gcdxy).

Proof Immediate with Fact 20.5.7 ■

It remains to show that gcd satisfies the procedural specification.

Fact 20.5.9 gcd ≡ Γ gcd.

Proof By uniqueness of γ and the defining property of gcd it suffices to show

γxy(Γ gcd xy). If x = 0, the claim follows with the zero rule. Otherwise the claim
reduces to γ(Sx)y(gcd(Myx)(Sx)), which in turn reduces with the remainder and
symmetry rule to an instance of the defining property of gcd. ■

Exercise 20.5.10
Show that every function satisfying the procedural specification Γ agrees with gcd.

Exercise 20.5.11
Show gcd xy = if x then y else if x ≤ y then gcd x(y − x) else gcd yx.

213
20 Euclidean Division

20.6 Inductive GCD Predicate

The three computation rules for GCDs

G xyz x≤y G x(y − x)z

G1 G2 G3
G 0yy G yxz G xyz

yield an inductive predicate G : N → N → N → P. We accommodate all three argu-

ments of G as non-parametric. We will show that G agrees with the GCD predicate γ.
This establishes G as an inductive characterization of GCDs.
We will cary out the equivalence proof for abstract predicates p N→N→N→P satisfy-
ing the computation rules for GCDs:
1. p0yy zero rule
2. pxyz → pyxz symmetry rule
3. x ≤ y → px(y − x)z → pxyz subtraction rule
We call such predicates gcd relations.

Fact 20.6.1 (Soundness) For every gcd relation: Gxyz → pxyz.

Proof By induction on the derivation of Gxyz. Straightforward since the defining

rules of G agree with the properties required for gcd relations. ■

We may phrase soundness as saying that G is the least gcd relation. The other
direction of the equivalence is more demanding.

Fact 20.6.2 (Totality) ∀xy. Σz. Gxyz.

Proof By size induction of x + y. If x = 0 or y = 0, the claim follows with the zero

and possibly the symmetry rule. Otherwise we have either 1 ≤ x ≤ y or 1 ≤ y ≤ x.
Using the symmetry rule the case 1 ≤ x ≤ y remains. The inductive hypothesis
gives us Gx(y − x)z. The claim follows with the subtraction rule. ■

For the completeness direction we need a functional gcd relation:

∀xyzz′ . pxyz → pxyz′ → z = z′

Fact 20.6.3 (Completeness) For every functional gcd relation: pxyz → Gxyz.

Proof Let pxyz. By totality and soundness we have Gxyz′ and pxyz′ . Now z = z′
by functionality of p. Thus Gxyz′ . ■

Corollary 20.6.4 G agrees with every functional gcd relation.

214
 20.7 Reducible Quotient and Remainder Functions

Theorem 20.6.5 G agrees with the GCD predicate γ.

Proof We have shown in § 20.5 that γ is a functional gcd relation. ■

Assuming extensionality (PE and FE), our results say that G = γ and that γ is the
only functional gcd relation.

Exercise 20.6.6 Give and verify an inductive characterization of the Euclidian divi-
sion predicate λxyz. z · Sy ≤ x < Sz · Sy.

Exercise 20.6.7 Give and verify an inductive characterization of the Euclidian re-
mainder predicate.

Exercise 20.6.8 Define an eliminator for G justifying induction on derivations as

used in the proof of the soundness result (Fact 20.6.1).

20.7 Reducible Quotient and Remainder Functions

We now define reducible functions Div xcy and Mod xcy for quotient and remain-
der by structural recursion on x. The auxiliary argument c will be decremented
upon recursion. We will have Dxy = Div xyy and Mxy = Mod xyy.

Definition 20.7.1

Div : N → N → N → N Mod : N → N → N → N
Div 0 c y := 0 Mod 0 c y := y − c
Div Sx 0 y := S(Div xyy) Mod Sx 0 y := Mod xyy
Div Sx Sc y := Div xcy Mod Sx Sc y := Mod xcy

The design of Div and Mod is explained with a correctness lemma relating the
functions with the specification δ.

Lemma 20.7.2 (Correctness of Div and Mod)

c ≤ y → δ (x + y − c) y (Div xcy) (Mod xcy).

Proof By induction on x with c quantified.

Let x = 0 and c ≤ y. We show δ(y − c)y0(y − c). Follows by linear arithmetic.
For the successor case we assume c ≤ y and show
δ(Sx + y − c)y(Div (Sx)cy) (Mod(Sx)cy). We discriminate on c.
Let c = 0. Then the claim simplifies to δ(x + Sy) y (S(Div xyy)) (Modxyy).
The inductive hypothesis instantiated with y gives us δxy (Div xyy) (Modxyy).
The claim follows with linear arithmetic.
Let c = Sc ′ . Then the claim simplifies to δ(x + y − c) y (Div xcy) (Modxcy),
which is the inductive hypothesis instantiated with c. ■

215
20 Euclidean Division

Fact 20.7.3 (Correctness of Div and Mod)

Dxy = Div xyy and Mxy = Mod xyy.

Proof Follows with the uniqueness of δ, the defining property of D and M, and
Lemma 20.7.2 instantiated with c = y. ■

Exercise 20.7.4 (Remainder without subtraction) The first equation of Mod uses
subtraction. The use of subtraction can be eliminated with an additional argument d
acting as a counter initialized with 0 and being incremented such that c + d = y.
Verify the correctness of such a remainder function.

20.8 Notes

Informally, one may start a development of Euclidean division with separate recur-
sive functions for quotient and remainder applying subtraction. However, this is
not an option in a computational type theory where recursion is restricted to struc-
tural recursion. Thus our development started with a certifying division function
obtaining quotient and remainder with structural recursion. The certifying func-
tion gives us abstract functions for quotient and remainder. Using the uniqueness
of the specification of Euclidean division, we showed that the abstract functions
satisfy the equations for repeated subtraction and agree with reducible functions
employing an auxiliary argument.
The proofs in this section often involve considerable formal detail, which is typ-
ical for program verification. They are examples of proofs whose construction and
analysis profits much from working with a proof assistant, where a prover for linear
arithmetic takes care of tedious arithmetic details. When done by hand, the details
of the proofs can be overwhelming and their verification is error-prone.

216
21 Lists
Finite sequences [x1 , . . . , xn ] are omnipresent in mathematics and computer
science, appearing with different interpretations and notations, for instance, as
vectors, strings, or states of stacks and queues. In this chapter, we study inductive
list types providing a recursive representation for finite sequences whose elements
are taken from a base type. Besides numbers, lists are the most important recursive
data type in computational type theory. Lists have much in common with numbers,
given that recursion and induction are linear for both data structures. Lists also
have much in common with finite sets, given that both have a notion of member-
ship. In fact, our focus will be on the membership relation for lists.
We will see recursive predicates for membership and disjointness of lists, and
also for repeating and nonrepeating lists. We will study nonrepeating lists and
relate non-repetition to cardinality of lists.

21.1 Inductive Definition

Lists represent finite sequences [x1 , . . . , xn ] with two constructors nil and cons:

[] , nil
[x] , cons x nil
[x , y] , cons x (cons y nil)
[x , y , z] , cons x (cons y (cons z nil))

The constructor nil provides the empty list. The constructor cons yields for a
value x and a list representing the sequence [x1 , . . . , xn ] a list representing the
sequence [x , x1 , . . . , xn ]. Given a list cons x A, we call x the head and A the tail
of the list. We say that lists provide a nested pair representation of sequences.
Formally, we obtain lists with an inductive type definition

L(X : T) : T ::= nil | cons (X, L(X))

The type constructor L : T → T gives us a list type L(X) for every base type X. The
value constructor nil : ∀X T . L(X) gives us an empty list for every base type. Finally,
the value constructor cons : ∀X T . X → L(X) → L(X) provides for the construction
of nonempty lists by adding an element in front of a given list. Lists of type L(X)
are called lists over X. Note that all elements of a list over X must have type X.

217
21 Lists

For nil and cons, we don’t write the first argument X. We use the notations

[] := nil
x :: A := cons x A

and omit parentheses as follows:

x :: y :: A Ž x :: (y :: A)

When convenient, we shall use the sequence notation [x1 , . . . , xn ] for lists.
Given a list [x1 , . . . , xn ], we call n the length of the list, x1 , . . . , xn the elements
of the list, and the numbers 0, . . . , n − 1 the positions of the list. An element may
appear at more than one position in a list. For instance, [2 , 2 , 3] is a list of length 3
that has 2 elements, where the element 2 appears at positions 0 and 1.
The inductive definition of lists provides for case analysis, recursion, and induc-
tion on lists, in a way that is similar to what we have seen for numbers. We define
the eliminator for lists as follows:

EL : ∀X T ∀p L(X)→T . p [] → (∀xA. pA → p(x :: A)) → ∀A. pA

EL Xpe1 e2 [] := e1
EL Xpe1 e2 (x :: A) := e2 xA(EL Xpe1 e2 A)

The eliminator provides for inductive proofs, recursive function definitions, and
structural case analysis.

Fact 21.1.1 (Constructor laws)

1. [] ≠ x :: A (disjointness)
2. x :: A = y :: B → x = y (injectivity)
3. x :: A = y :: B → A = B (injectivity)
4. x :: A ≠ A (progress)

Proof The proofs are similar to the proofs for numbers in § 4.3. Claim (4) corre-
sponds to Sn ≠ n and follows by induction on A with x quantified. ■

Fact 21.1.2 (Decidable Equality) If X is a discrete type, then L(X) is a discrete type:
E(X) → E(L(X)).

Proof Let X be discrete and A, B be lists over X. We show D(A = B) by induction

over A with B quantified followed by destructuring of B using disjointness and
injectivity from Fact 21.1.1. In case both lists are nonempty with heads x and y, an
additional case analysis on x = y is needed. ■

Exercise 21.1.3 Prove ∀X T AL(X) . D(A = []).

Exercise 21.1.4 Prove ∀X T AL(X) . (A = []) + Σ xB. A = x :: B.

218
 21.2 Basic Operations

21.2 Basic Operations

We introduce three basic operations on lists, which yield the length of a list, con-
catenate two lists, and apply a function to every position of a list:

len [x1 , . . . , xn ] = n length

[x1 , . . . , xm ] +
+ [y1 , . . . , yn ] = [x1 , . . . , xm , y1 , . . . , yn ] concatenation
f @ [x1 , . . . , xn ] = [f x1 , . . . , f xn ] map

Formally, we define the operations as recursive functions:

len : ∀X T . L(X) → N
len [] := 0
len (x :: A) := S (len A)

+ : ∀X T . L(X) → L(X) → L(X)

+
[] +
+ B := B
(x :: A) +
+ B := x :: (A +
+ B)

@ : ∀XY T . (X → Y ) → L(X) → L(Y )

f @ [] := []
f @(x :: A) := f x :: (f @A)

We treat X and Y as implicit arguments.

Fact 21.2.1
1. A + + C) = (A +
+(B + + B) +
+C (associativity)
2. A +
+[] = A
3. len (A +
+ B) = len A + len B
4. len (f @A) = len A
5. len A = 0 ←→ A = []

Proof The equations follow by induction on A. The equivalence follows by case

analysis on A. ■

21.3 Membership

Informally, we may characterize membership in lists with the equivalence

x ∈ [x1 , . . . , xn ] ←→ x = x1 ∨ · · · ∨ x = xn ∨ ⊥

219
21 Lists

Formally, we define the membership predicate by structural recursion on lists:

(∈) : ∀X T . X → L(X) → P
(x ∈ []) := ⊥
(x ∈ y :: A) := (x = y ∨ x ∈ A)

We treat the type argument X of the membership predicate as implicit argument. If

x ∈ A, we say that x is an element of A.

Fact 21.3.1 (Existential Characterization) x ∈ A ←→ ∃A1 A2 . A = A1 +

+ x :: A2 .

Proof Direction → follows by induction on A. The nil case is contradictory. In

the cons case a case analysis on x ∈ a :: A′ closes the proof with the inductive
hypothesis.
Direction ← follows by induction on A1 . ■

Fact 21.3.2 ∀xaX ∀AL(X) . E(X) → x ∈ a :: A → (x = a) + (x ∈ A).

Proof Straightforward. ■

Fact 21.3.3 (Factorization) ∀x X AL(X) . E(X) → x ∈ A → Σ A1 A2 . A = A1 +

+ x :: A2 .

Proof By induction on A. The nil case is contradictory. In the cons case a case
analysis using Fact 21.3.2 closes the proof. ■

Fact 21.3.4 (Decidable Membership) ∀x X ∀AL(X) . E(X) → D(x ∈ A).

Proof By induction on A. ■

Fact 21.3.5 (Membership laws)

1. x ∈ A +
+ B ←→ x ∈ A ∨ x ∈ B.
2. x ∈ f @A ←→ ∃a. a ∈ A ∧ x = f a.

Proof By induction on A. ■

Fact 21.3.6 (Injective map)

injective f → f x ∈ f @A → x ∈ A.

Proof Follows with 21.3.5(2). ■

220
 21.4 Inclusion and Equivalence

Recall that finite quantification over numbers preserves decidability (Fact 13.3.3).
Similarly, quantification over the elements of a list preserves decidability. In fact,
quantification over the elements of a list is a form of finite quantification.
We will use the notations

∀x∈A. px := ∀x. x ∈ A → px
∃x∈A. px := ∃x. x ∈ A ∧ px
Σx∈A. px := Σx. x ∈ A × px

for quantifications over the elements of a list.

Fact 21.3.7 (Bounded Quantification) Let p X→T be a decidable type function. Then
there are decision functions as follows:
1. ∀A. (Σ x∈A. px) + (∀x∈A. ¬px)
2. ∀A. D(∀x∈A. px)
3. ∀A. D(Σ x∈A. px)
Proof By induction on A. ■

Exercise 21.3.8
Define a function δ : L(O(X)) → L(X) such that x ∈ δA ←→ ◦x ∈ A.

Exercise 21.3.9 (EWO) Let p be a decidable predicate on a type X.

Construct a function ∀A. (∃x ∈ A. px) → (Σx ∈ A. px).

21.4 Inclusion and Equivalence

We may see a list as a representation of a finite set. List membership then corre-
sponds to set membership. The list representation of sets is not unique since the
same set may have different list representations. For instance, [1 , 2], [2 , 1], and
[1 , 1 , 2] are different lists all representing the set {1, 2}. In contrast to sets, lists
are ordered structures providing for multiple occurrences of elements.
From the type-theoretic perspective, sets are informal objects that may or may
not have representations in type theory. This is in sharp contrast to set-based math-
ematics where sets are taken as basic formal objects. The reason sets don’t appear
natively in computational type theory is that sets in general are noncomputational
objects.
We will take lists over X as type-theoretic representations of finite sets over X.
With this interpretation of lists in mind, we define list inclusion and list equiva-
lence as follows:

A ⊆ B := ∀x. x ∈ A → x ∈ B
A ≡ B := A ⊆ B ∧ B ⊆ A

221
21 Lists

Note that two lists are equivalent if and only if they represent the same set.

Fact 21.4.1 List inclusion A ⊆ B is reflexive and transitive. List equivalence A ≡ B

is reflexive, symmetric, and transitive.

Fact 21.4.2 We have the following properties for membership, inclusion, and equiv-
alence of lists.

x ∉ [] x ∈ [y] ←→ x = y
[] ⊆ A A ⊆ [] → A = []
x ∈ y :: A → x ≠ y → x ∈ A x ∉ y :: A → x ≠ y ∧ x ∉ A
A⊆B→x∈A→x∈B A ≡ B → x ∈ A ←→ x ∈ B
A ⊆ B → x :: A ⊆ x :: B A ≡ B → x :: A ≡ x :: B
A ⊆ B → A ⊆ x :: B x :: A ⊆ B ←→ x ∈ B ∧ A ⊆ B
x :: A ⊆ x :: B → x ∉ A → A ⊆ B x :: A ⊆ [y] ←→ x = y ∧ A ⊆ [y]
x :: A ≡ x :: x :: A x :: y :: A ≡ y :: x :: A
x ∈ A → A ≡ x :: A
x ∈ A+
+ B ←→ x ∈ A ∨ x ∈ B
A ⊆ A′ → B ⊆ B ′ → A +
+ B ⊆ A′ +
+ B′ A+
+ B ⊆ C ←→ A ⊆ C ∧ B ⊆ C

Proof Except for the membership fact for concatenation, which already appeared
as Fact 21.3.5, all claims have straightforward proofs not using induction. ■

Fact 21.4.3 (Rearrangement)

x ∈ A → ∃B. A ≡ x :: B ∧ len A = len(x :: B).

Proof Follows with Fact 21.3.1. There is also a direct proof by induction on A. ■

Fact 21.4.4 (Rearrangement)

E(X) → ∀x X . x ∈ A → ΣB. A ≡ x :: B ∧ len A = len(x :: B).

Proof Follows with Fact 21.3.3. There is also a direct proof by induction on A using
Fact 21.3.2. ■

Fact 21.4.5 Let A and B be lists over a discrete type. Then D(A ⊆ B) and D(A ≡ B).

Proof Holds since membership is decidable (Fact 21.3.4) and bounded quantifica-
tion preserves decidability (Fact 21.3.7). ■

222
 21.5 Nonrepeating Lists

21.5 Nonrepeating Lists

A list is repeating if it contains some element more than once. For instance, [1, 2, 1]
is repeating and [1, 2, 3] is nonrepeating. Formally, we define repeating lists over a
base type X with a recursive predicate:

rep : L(X) → P
rep [] := ⊥
rep (x :: A) := x ∈ A ∨ rep A

Fact 21.5.1 (Characterization)

For every list A over a discrete type we have:
rep A ←→ ∃xA1 A2 . A = A1 + + x :: A2 ∧ x ∈ A2 .

Proof By induction on rep A using Fact 21.3.1. ■

We also define a recursive predicate for nonrepeating lists over a base type X:

nrep : L(X) → P
nrep [] := ⊤
nrep (x :: A) := x ∉ A ∧ nrep A

Theorem 21.5.2 (Partition) Let A be a list over a discrete type. Then:

1. rep A → nrep A → ⊥ (disjointness)
2. rep A + nrep A (exhaustiveness)

Proof Both claims follow by induction on A. Discreteness is only needed for the
second claim, which needs decidability of membership (Fact 21.3.4) for the cons
case. ■

Corollary 21.5.3 Let A be a list over a discrete type. Then:

1. D(rep A) and D(nrep A).
2. rep A ←→ ¬nrep A and nrep A ←→ ¬rep A.

Fact 21.5.4 (Equivalent nonrepeating list)

For every list A over a discrete type one can obtain an equivalent nonrepeating list B
such that len B ≤ len A: ∀A. ΣB. B ≡ A ∧ nrep B ∧ len B ≤ len A.

Proof By induction on A. For x :: A, let B be the list obtained for A with the
inductive hypothesis. If x ∈ A, B has the required properties for x :: A. If x ∉ A,
x :: B has the required properties for x :: A. ■

223
21 Lists

The next fact formulates a key property concerning the cardinality of lists (num-
ber of different elements). It is carefully chosen so that it provides a building block
for further results (Corollary 21.5.6). Finding this fact took experimentation. To
get the taste of it, try to prove that equivalent nonrepeating lists have equal length
without looking at our development.

Fact 21.5.5 (Discriminating element)

Every nonrepeating list over a discrete type contains for every shorter list an ele-
ment not in the shorter list: ∀AB. nrep A → len B < len A → Σx. x ∈ A ∧ x ∉ B.

Proof By induction on A with B quantified. The base case follows by computational

falsity elimination. For A = a :: A′ we do case analysis on (a ∈ B) + (a ∉ B). The
case a ∉ B is trivial. For a ∈ B, Fact 21.4.4 yields some B ′ shorter than B such that
B ≡ a :: B ′ . The inductive hypothesis now yields some x ∈ A′ such that x ∉ B ′ . It
now suffices to show x ∉ B. We assume x ∈ B ≡ a :: B ′ and derive a contradiction.
Since x ∉ B ′ , we have x = a, which is in contradiction with nrep (a :: A′ ). ■

Corollary 21.5.6 Let A and B be lists over a discrete type X. Then:

1. nrep A → A ⊆ B → len A ≤ len B.
2. nrep A → nrep B → A ≡ B → len A = len B.
3. A ⊆ B → len B < len A → rep A.
4. nrep A → A ⊆ B → len B ≤ len A → nrep B.
5. nrep A → A ⊆ B → len B ≤ len A → B ≡ A.

Proof Interestingly, all claims follow without induction from Facts 21.5.5, 21.5.1,
and 21.5.3.
For (1), assume len A > len B and derive a contradiction with Fact 21.5.5.
Claims (2) and (3) follow from Claim (1), where for (3) we assume nrep A and
derive a contradiction (justified by Corollary 21.5.3).
For (4), we assume rep B and derive a contradiction (justified by Corollary 21.5.3).
By Fact 21.5.1, we obtain a list B ′ such that A ⊆ B ′ and len B ′ < len A. Contradiction
with (1).
For (5), it suffices to show B ⊆ A. We assume x ∈ B and show x ∈ A. Exploiting
the decidability of membership we assume x ∉ A and derive a contradiction. Using
Fact 21.5.5 for x :: A and B, we obtain z ∈ x :: A and z ∉ B, which is contradictory.■

We remark that Corollary 21.5.6 (3) may be understood as a pigeonhole lemma.

Exercise 21.5.7 Prove the following facts about map and nonrepeating lists:
a) injective f → nrep A → nrep (f @A).
b) nrep (f @A) → x ∈ A → x ′ ∈ A → f x = f x ′ → x = x ′ .
c) nrep (f @A) → nrep A.

224
 21.5 Nonrepeating Lists

Exercise 21.5.8 (Injectivity-surjectivity agreement) Let X be a discrete type and A

be a list containing all elements of X. Prove that a function X → X is injective if and
only if it is surjective.
This is an interesting exercise. It can be stated as soon as membership in lists
is defined. To solve it, however, one needs properties of length, map, element
removal, and nonrepeating lists. If one doesn’t know these notions, the exercise
makes an interesting project since one has to invent these notions. Our solution
uses Corollary 21.5.6 and Exercise 21.5.7.
We can sharpen the problem of the exercise by asking for a proof that a function
O (X) → On (X) is injective if and only if it is surjective. There should be a proof
n

not using lists. See § 22.6.

Exercise 21.5.9 (Factorization) Let A be a list over a discrete type.

Prove rep A → ΣxA1 A2 A3 . A = A1 + + x :: A2 +
+ x :: A3 .

Exercise 21.5.10 (Partition) The proof of Corollary 21.5.3 is straightforward and

follows a general scheme. Let P and Q be propositions such that P → Q → ⊥
and P + Q. Prove dec P and P ←→ ¬Q. Note that dec Q and Q ←→ ¬P follow by
symmetry.

Exercise 21.5.11 (List reversal)

Define a list reversal function rev : L(X) → L(X) and prove the following:
+ B) = rev B +
a) rev(A + + rev A
b) rev(rev A) = A
c) x ∈ A ←→ x ∈ rev A
d) nrep A → x ∉ A → nrep(A +
+[x])
e) nrep A → nrep(rev A)
f) Reverse list induction: ∀p X→T . p[] → (∀xA. p(A) → p(A + +[x])) → ∀A. pA.
Hint: By (a) it suffices to prove ∀A. p(rev A), which follows by induction on A.

Exercise 21.5.12 (Equivalent nonrepeating lists) Show that equivalent nonrepeat-

ing lists have equal length without assuming discreteness of the base type. Hint:
Show nrep A → A ⊆ B → len A ≤ len B by induction on A with B quantified using the
rearrangement lemma 21.4.3.

Exercise 21.5.13 (Even and Odd) Define recursive predicates even and odd on
numbers and show that they partition the numbers: even n → odd n → ⊥ and
even n + odd n.

225
21 Lists

21.6 Lists of Numbers

We now come to some facts about lists of numbers whose truth is intuitively clear
but whose proofs are surprisingly tricky. The facts about nonrepeating lists turn
out to be essential.
A segment is a list containing all numbers smaller than its length:

segment A := ∀k. k ∈ A ←→ k < len A

A list of numbers is serial if for every element it contains all smaller numbers:

serial A := ∀n∈A. ∀k≤n. k ∈ A

We will show that a list is a segment if and only if it is nonrepeating and serial.

Fact 21.6.1 The empty list is a segment.

Fact 21.6.2 Segments of equal length are equivalent.

Fact 21.6.3 Segments are serial.

Fact 21.6.4 (Segment existence)

∀n. Σ A. segment A ∧ len A = n ∧ nrep A.

Proof By induction on A. ■

Fact 21.6.5 Segments are nonrepeating.

Proof Let A be a segment. By Facts 21.6.4 and 21.6.2 we have an equivalent nonre-
peating segment B of the same length. Hence A is nonrepeating by Fact 21.5.6(4). ■

Fact 21.6.6 (Large element)

Every nonrepeating list of numbers of length Sn contains a number k ≥ n:
∀A. nrep A → len A = Sn → Σk∈A. k ≥ n.

Proof Let A be a nonrepeating list of numbers of length Sn. By Fact 21.3.7(1) we can
assume ∀k∈A. k < n and derive a contradiction. Fact 21.6.4 gives us a nonrepeating
list B of length n such that ∀k. k ∈ B ←→ k < n. Now A ⊆ B and len B < len A.
Contradiction by Fact 21.5.6(1). ■

Fact 21.6.7 A nonrepeating serial list is a segment.

Proof Let A be a nonrepeating serial list. If A = [], the claim is trivial. Otherwise,
len A = Sn. Fact 21.6.6 gives us x ∈ A such that x ≥ n. Fact 21.6.4 gives us a
nonrepeating segment B of length Sn. We now see that A is a segment if A ≡ B. We
have B ⊆ A since A is serial and hence contains all k ≤ n ≤ x. Now A ⊆ B follows
with Fact 21.5.6(5). ■

226
 21.7 Position-Element Mappings

Fact 21.6.8 (Next number) There is function that for every list of numbers yields a
number that is not in the list: ∀AL(N) . Σn. ∀k∈A. k < n.

Proof By induction on A. ■

Fact 21.6.8 says that there are infinitely many numbers. More generally, if we
have an injection INX, we can obtain a new element generator for X and thus know
that X is infinite.

Fact 21.6.9 (New element generator)

Given an injection INX, there is function that for every list over X yields a number
that is not in the list: ∀AL(X) . Σx. ∀a∈A. a ≠ x.

Proof Let invNX f g and ALX . Then Fact 21.6.8 gives us a number n ∉ g@A. To
show f n ∉ A, assume f n ∈ A. Then n = g(f n) ∈ g@A contradicting an above
assumption. ■

Exercise 21.6.10 (Pigeonhole) Prove that a list of numbers whose sum is greater
than the length of the list must contain a number that is at least 2:

sum A > len A → Σx. x ∈ A ∧ x ≥ 2

First define the function sum.

Exercise 21.6.11 (Andrej’s Puzzle) Assume an increasing function f N→N (that is,
∀x. x < f x) and a list A of numbers satisfying ∀x. x ∈ A ←→ x ∈ f @A. Show
that A is empty.
Hint: First verify that A contains for every element a smaller element. It then
follows by complete induction that A cannot contain an element.

Exercise 21.6.12 Define a function seq : N → N → L(N) for which you can prove the
following:
a) seq 2 5 = [2, 3, 4, 5, 6]
b) seq n (Sk) = n :: seq (Sn) k
c) len (seq nk) = k
d) x ∈ seq nk ←→ n ≤ x < n + k
e) nrep (seq nk)

21.7 Position-Element Mappings

The positions of a list [x1 , . . . , xn ] are the numbers 0, . . . , n − 1. More formally, a

number n is a position of a list A if n < len A. If a list is nonrepeating, we have a

227
21 Lists

bijective relation between the positions and the elements of the list. For instance,
the list [7, 8, 5] gives us the bijective relation

0 ‘ 7, 1 ‘ 8, 2‘5

It turns out that for a discrete type X we can define two functions

pos : L(X) → X → N
sub : X → L(X) → N → X

realizing the position-element bijection:

x ∈ A → sub yA (pos Ax) = x

nrep A → n < len A → pos A (sub yAn) = n

The function pos uses 0 as escape value for positions, and the function sub uses
a given y X as escape value for elements of X. The name sub stands for subscript.
The functions pos and sub will be used in Chapter 22 for constructing injections
and bijections between finite types and in Chapter 23 for constructing injections
into N.
Here are the definitions of pos and sub we will use:

pos : L(X) → X → N
pos [] x := 0
pos (a :: A) x := if [a = x\ then 0 else S(pos Ax)

sub : X → L(X) → N → X
sub y [] n := y
sub y (a :: A) 0 := a
sub y (a :: A) (Sn) := sub yAn

Fact 21.7.1 Let A be a list over a discrete type. Then:

1. x ∈ A → sub a A (pos Ax) = x
2. x ∈ A → pos Ax < len A
3. n < len A → sub aA n ∈ A
4. nrep A → n < len A → pos A (sub a A n) = n

Proof All claims follow by induction on A. For (3), the inductive hypothesis must
quantify n and the cons case needs case analysis on n. ■

Exercise 21.7.2 Prove (∀X T . L(X) → N → X) → ⊥.

228
 21.8 Constructive Discrimination Lemma

Exercise 21.7.3 Let A and B be lists over a discrete type X. Prove the following:
a) x ∈ A → pos Ax = pos (A +
+ B)x
b) k < len A → sub Ak = sub (A +
+ B)k
c) x ∈ A → y ∈ A → pos Ax = pos Ay → x = y
Note that (a) relies on the fact that pos Ax yields the first position of x in A, which
matters if x occurs more than once in A.
Exercise 21.7.4 One can realize pos and sub with option types

pos : L(X) → X → O(N)

sub : L(X) → N → O(X)

and this way avoid the use of escape values. Define pos and sub with option types
for a discrete base type X and verify the following properties:
a) x ∈ A → Σn. pos Ax = ◦n
b) n < len A → Σx. sub An = ◦x
c) pos Ax = ◦n → sub An = ◦x
d) nrep A → sub An = ◦x → pos Ax = ◦n
e) sub An = ◦x → x ∈ A
f) pos Ax = ◦n → n < len A

21.8 Constructive Discrimination Lemma

Using XM, we can prove that every non-repeating list contains for every shorter list
an element that is not in the shorter list:

XM → ∀X ∀AB L(X) . nrep A → len B < len A → ∃x. x ∈ A ∧ x ∉ B

We speak of the classical discrimination lemma. We have already shown a computa-

tional version of the lemma (Fact 21.5.5)

∀X ∀AB L(X) . E(X) → nrep A → len B < len A → ∃x. x ∈ A ∧ x ∉ B

replacing XM with an equality decider for the base type X. In this section our main
interest is in proving the constructive discrimination lemma

∀X ∀AB L(X) . nrep A → len B < len A → ¬¬∃x. x ∈ A ∧ x ∉ B

which assumes neither XM nor an equality decider. Note that the classical discrim-
ination lemma is a trivial consequence of the constructive discrimination lemma.
We may say that the constructive discrimination lemma is obtained from the classi-
cal discrimination lemma by eliminating the use of XM by weakening the existential

229
21 Lists

claim with a double negation. Elimination techniques for XM have useful applica-
tions.
We first prove the classical discrimination lemma following the proof of
Fact 21.5.5.
Lemma 21.8.1 (Classical discrimination)
XM → ∀AB L(X) . nrep A → len B < len A → ∃x. x ∈ A ∧ x ∉ B.

Proof By induction on A with B quantified. The base case follows by computational

falsity elimination. For A = a :: A′ , we do case analysis on (a ∈ B) ∨ (a ∉ B)
exploiting XM. The case a ∉ B is trivial. For a ∈ B, Fact 21.4.3 yields some B ′ shorter
than B such that B ≡ a :: B ′ . The inductive hypothesis now yields some x ∈ A′ such
that x ∉ B ′ . It now suffices to show x ∉ B. We assume x ∈ B ≡ a :: B ′ and derive a
contradiction. Since x ∉ B ′ , we have x = a, which contradicts nrep (a :: A′ ). ■

We observe that there is only a single use of XM. When we prove the constructive
version with the double negated claim, we will exploit that XM is available for stable
claims (Fact 17.4.8 (1)). Moreover, we will use the rule formulated by Fact 17.4.8 (2)
to erase the double negation from the inductive hypothesis so that we can harvest
the witness.
Lemma 21.8.2 (Constructive discrimination)
∀AB L(X) . nrep A → len B < len A → ¬¬∃x. x ∈ A ∧ x ∉ B.

Proof By induction on A with B quantified. The base case follows by computational

falsity elimination. Otherwise, we have A = a :: A′ . Since the claim is stable, we
can do case analysis on a ∈ B ∨ a ∉ B (Fact 17.4.8 (1)). If a ∉ B, we have found a
discriminating element and finish the proof with ∀P . P → ¬¬P . Otherwise, we have
a ∈ B. Fact 21.4.3 yields some B ′ shorter than B such that B ≡ a :: B ′ . Using
Fact 17.4.8 (2), the inductive hypothesis now gives us x ∈ A′ such that x ∉ B ′ .
By ∀P . P → ¬¬P it now suffices to show x ∉ B, which follows as in the proof of
Fact 21.8.1. ■

Exercise 21.8.3 Prove that the double negation of ∃ agrees with the double negation
of Σ : ¬¬ex p ←→ ((sig p → ⊥) → ⊥).

21.9 Element Removal

We assume a discrete type X and define a function A \ x for element removal as

follows:

\ : L(X) → X → L(X)
[]\_ := []
(x :: A)\y := if [x = y\ then A\y else x :: (A\y)

230
 21.10 Cardinality

Fact 21.9.1
1. x ∈ A\y ←→ x ∈ A ∧ x ≠ y
2. len (A\x) ≤ len A
3. x ∈ A → len (A\x) < len A.
4. x ∉ A → A\x = A

Proof By induction on A. ■

Exercise 21.9.2 Prove x ∈ A → A ≡ x :: (A \ x).

Exercise 21.9.3 Prove the following equations, which are useful in proofs:
1. (x :: A)\x = A\x
2. x ≠ y → (y :: A)\x = y :: (A\x)

21.10 Cardinality

The cardinality of a list is the number of different elements in the list. For instance,
[1, 1, 1] has cardinality 1 and [1, 2, 3, 2] has cardinality 3. Formally, we may say
that the cardinality of a list is the length of an equivalent nonrepeating list. This
characterization is justified since equivalent nonrepeating lists have equal length
(Corollary 21.5.6 (3)), and every list is equivalent to a non-repeating list (Fact 21.5.4).
We assume that lists are taken over a discrete type X and define a cardinality
function as follows:

card : L(X) → N
card [] := 0
card(x :: A) := if [x ∈ A\ then card A else S(card A)

Note that we write [x ∈ A\ for the application of the membership decider provided
by Fact 21.3.4. We prove that the cardinality function agrees with the cardinalities
provided by equivalent nonrepeating lists.

Fact 21.10.1 (Cardinality)

1. ∀A ΣB. B ≡ A ∧ nrep B ∧ len B = card A.
2. card A = n ←→ ∃B. B ≡ A ∧ nrep B ∧ len B = n.

Proof Claim 1 follows by induction on A. Claim 2 follows with Claim 1 and Corol-
lary 21.5.6 (2). ■

Corollary 21.10.2

231
21 Lists

1. card A ≤ len A
2. A ⊆ B → card A ≤ card B
3. A ≡ B → card A = card B.
4. rep A ←→ card A < len A (pigeonhole)
5. nrep A ←→ card A = len A
6. x ∈ A ←→ card A = S(card(A \ x))

Proof All facts follow without induction from Fact 21.10.1, Corollary 21.5.6, and
Corollary 21.5.3. ■

Exercise 21.10.3 Given direct proofs of (1), (4) and (5) of Corollary 21.10.2 by in-
duction on A. Use (1) for (4) and (5).

Exercise 21.10.4 (Cardinality predicate) We define a recursive cardinality predi-

cate:

Card : L(X) → X → P
Card [] 0 := ⊤
Card [] (Sn) := ⊥
Card (x :: A) 0 := ⊥
Card (x :: A) (Sn) := if [x ∈ A\ then Card A (Sn) else Card A n

Prove that the cardinality predicate agrees with the cardinality function:
∀An. Card An ←→ card A = n.

Exercise 21.10.5 (Disjointness predicate) We define disjointness of lists as fol-

lows:
disjoint A B := ¬∃x. x ∈ A ∧ x ∈ B

Define a recursive predicate Disjoint : L(X) → L(X) → P in the style of the cardinal-
ity predicate and verify that it agrees with the above predicate disjoint.

21.11 Setoid Rewriting

It is possible to rewrite a claim or an assumption in a proof goal with a propositional

equivalence P ←→ P ′ or a list equivalence A ≡ A′ , provided the subterm P or A to
be rewritten occurs in a compatible position. This form of rewriting is known as
setoid rewriting. The following facts identify compatible positions by means of
compatibility laws.

232
 21.11 Setoid Rewriting

Fact 21.11.1 (Compatibility laws for propositional equivalence)

Let P ←→ P ′ and Q ←→ Q′ . Then:

P ∧ Q ←→ P ′ ∧ Q′ P ∨ Q ←→ P ′ ∨ Q′ (P → Q) ←→ (P ′ → Q′ )
¬P ←→ ¬P ′ (P ←→ Q) ←→ (P ′ ←→ Q′ )

Fact 21.11.2 (Compatibility laws for list equivalence)

Let A ≡ A′ and B ≡ B ′ . Then:

x ∈ A ←→ x ∈ A′ A ⊆ B ←→ A′ ⊆ B ′ A ≡ B ←→ A′ ≡ B ′
x :: A ≡ x :: A′ + B ≡ A′ +
A+ + B′ f @A ≡ f @A′

Coq’s setoid rewriting facility makes it possible to use the rewriting tactic for
rewriting with equivalences, provided the necessary compatibility laws and equiv-
alence relations have been registered with the facility. The compatibility laws for
propositional equivalence are preregistered.

Exercise 21.11.3 Which of the compatibility laws are needed to justify rewriting
+ B) with the equivalence A ≡ A′ ?
the claim ¬(x ∈ y :: (f @A) +

233
22 Finite Types

We may call a type finite if we can provide a list containing all its elements. With
this characterization we capture the informal notion of finitely many elements with
covering lists. If the list covering the elements of a type is nonrepeating, the length
of the list gives us the cardinality of the type (the number of its elements). This leads
us to defining a finite type as a tuple consisting of a type, a list covering the type, and
an equality decider for elements of the type. The equality decider ensures that the
finite type is sufficiently concrete so that we can compute a covering nonrepeating
list yielding the cardinality of the type.
With this definition the numeral types Nn are in fact finite types of cardinality n.
We will show that finite types are closed under retracts and that two finite types of
equal cardinality are always in bijection. It then follows that finite types have EWOs,
and that the class of finite types is generated from the empty type by taking option
types and including types that are in bijection with a member of the class. We also
show that a function between finite types of the same cardinality
• is injective if and only if it is surjective.
• has an inverse function if it is surjective or injective.
• yields a bijection with every inverse function.

22.1 Coverings and Listings

We prepare the definition of finite types by looking at lists covering all elements of
their base type.
A covering of a type is a list that contains every member of the type:

coveringX A := ∀x X . x ∈ A

A listing of a type is a nonrepeating covering of the type:

listingX A := covering A ∧ nrep A

We need a couple of results for coverings and listings of discrete types. First note
that all coverings of a type are equivalent lists.

235
22 Finite Types

Fact 22.1.1 Given a covering of a discrete type, one can obtain a listing of the type:
EX → coveringX A → Σ B. listingX B ∧ len B ≤ len A.

Proof Follows with Facts 21.5.4. ■

Fact 22.1.2 All listings of a discrete type have the same length.

Proof Immediate with Fact 21.5.6 (2). ■

Fact 22.1.3 Let A and B be lists over a discrete type X. Then:

listing A → len B = len A → (nrep B ←→ covering B).

Proof Follows with Fact 21.5.6 (4,5). ■

Exercise 22.1.4 Prove IXY → coveringY B → ΣA. coveringX A.

Exercise 22.1.5 Let A and B be lists over a discrete type X. Prove:

a) covering A → nrep B → len A ≤ len B → listing B.
b) listing A → covering B → len B ≤ len A → listing B.

22.2 Basics of Finite Types

We define finite types as discrete types that come with a covering list:

fin X T := E(X) × ΣA. coveringX A

We may see the values of fin X as handlers providing an equality decider for X and a
listing of X. A handler fin X turns a type X into a computational type where we can
iterate over all elements and decide equality of elements. Given a handler fin X, we
can compute a listing of X and thus determine the cardinality of X (i.e., the number
of elements). It will be convenient to have a second type of handlers

finn X T := E(X) × ΣA. listingX A ∧ len A = n

declaring the cardinality of the type and providing a listing rather than a covering
of the type.

Fact 22.2.1 For every type X:

1. finm X → finn X → m = n (uniqueness of cardinality)
2. fin X a Σn. finn X (existence of cardinality)

Proof Facts 22.1.2 and 22.1.1. ■

236
 22.2 Basics of Finite Types

Fact 22.2.2 (Empty types)

Finite types with cardinality 0 are the empty types: fin0 X a (X → ⊥).

Proof Exercise. ■

Fact 22.2.3 (Closure under O)

Finite types are closed under O: finn X → finSn (OX).

Proof Fact 11.2.1 gives us an equality decider for OX. Moreover, œ :: (◦)@A) is a
listing of OX if A is a listing of X. ■

Recall the recursive definition of numeral types Nn in § 11.3.

Fact 22.2.4 (Numeral types) finn Nn .

Proof Induction on n using Facts 22.2.2 and 22.2.3. ■

Finite types are also closed under sums and products.

Fact 22.2.5 If X and Y are finite types, then so are X + Y and X × Y :

1. finm X → finn Y → finm+n (X + Y ).
2. finm X → finn Y → finm·n (X × Y ).

Proof Discreteness follows with Fact 9.5.1. We leave the construction of the listing
as exercise. ■

Quantification over finite types preserves decidability. This fact can be obtained
from the fact that quantification over lists preserves decidability.

Fact 22.2.6 (Decidability)

Let p be a decidable predicate on a finite type X. Then:
1. D(∀[Link])
2. D(∃[Link])
3. (Σ[Link]) + (∀x.¬px)

Proof Follows with Fact 21.3.7. ■

Fact 22.2.7 (Type of numbers is not finite)

The type N of numbers is not finite: fin N → ⊥.

Proof Suppose N is finite. Then we have a list A containing all numbers. Contradic-
tion with Fact 21.6.8. ■

237
22 Finite Types

Exercise 22.2.8 Prove fin0 ⊥, fin1 ⊤, and fin2 B.

Exercise 22.2.9 (Double negation shift)

Prove ∀n ∀p Nn →P . (∀x. ¬¬px) → ¬¬∀x. px.

Exercise 22.2.10 (EWO) Give an EWO for finite types.

Hint: Use an EWO for lists as in Exercise 21.3.9.

Exercise 22.2.11 (Pigeonhole)

Prove finm X → finn Y → m > n → ∀f X→Y . Σxx ′ . x ≠ x ′ ∧ f x = f x ′ .
Intuition: If we have m pigeons sitting in n < m holes, there must be two pigeons
sitting in the same hole.

22.3 Finiteness by Injection

We can establish the finiteness of a nonempty type by embedding it into a finite type
with large enough cardinality. More precisely, a type is finite with cardinality m ≥ 1
if it can be embedded into a finite type with cardinality n ≥ m.
Fact 22.3.1 (Finiteness by embedding)
IXY → finn Y → Σm ≤ n. finm X.

Proof Let invXY gf and B be a listing of Y such that len B = n. Fact 9.5.2 gives us an
equality decider for X. Moreover, g@B is a covering of X because of the inversion
property. By Fact 22.1.1 we obtain a listing A of X such that len A ≤ len (g@B) =
len B = n. The claim follows. ■

Corollary 22.3.2 (Alignment)

IXY → finm X → finn Y → m ≤ n.

Proof Facts 22.3.1 and 22.2.1 (1). ■

Corollary 22.3.3 (Transport)

IXY → IY X → finn X → finn Y .

Proof Follows with Facts 22.3.1 and 22.3.2. ■

Corollary 22.3.4 (Closure under bijection)

BXY → finn X → finn Y .

Proof Follows with Facts 22.3.3 and 11.1.5. ■

Corollary 22.3.5 The type N of numbers does not embed into finite types:
I N X → fin X → ⊥.

Proof Facts 22.3.1 and 22.2.7. ■

238
 22.4 Existence of Injections

22.4 Existence of Injections

Given two finite types, the smaller one can always be embedded into the larger one.
There is the caveat that the smaller type must not be empty so that the embedding
function can have an inverse.

Fact 22.4.1 (Existence)

finm X → finn Y → 1 ≤ m ≤ n → IXY .

Proof Let A and B be listings of X and Y . Then A has length m and B has length n.
Since 1 ≤ m ≤ n, we can map the elements of A to elements of B preserving the
position in the lists. We realize the resulting bijection between X and Y using the
list operations sub and pos with escape values a ∈ A and b ∈ B (§21.7):

f x := sub b B (pos A x)
gy := sub a A (pos B y)

Recall that pos yields the position of a value in a list, and that sub yields the value
at a position of a list. ■

An embedding of a finite type into a finite type of the same cardinality is in fact
a bijection since in this case the second roundtrip property does hold.

Fact 22.4.2 finn X → finn Y → invXY gf → inv f g.

Proof We show f (gy) = y for arbitrary y. We choose a covering A of X and know

by Fact 22.1.3 that f @A is a covering of Y . Hence f x = y for some x. We now have
f (gy) = f (g(f x)) = f x = y. ■

Next we show that all finite types of the same size are in bijection.

Corollary 22.4.3 (Existence) finn X → finn Y → B XY .

Proof For n = 0 the claim follows with Facts 22.2.2 and 11.1.7. For n > 0 the claim
follows with Facts 22.4.1 and 22.4.2. ■

Corollary 22.4.4 (Existence) IXY → IY X → fin X → B XY .

Proof Facts 22.2.1 (2), 22.3.3, and 22.4.3 ■

Corollary 22.4.5 (Listless Characterization) finn X a BXNn .

Proof Direction → follows with Facts 22.2.4 and 22.4.3. Direction ← follows with
Facts 22.2.4 and 22.3.4. ■

239
22 Finite Types

Corollary 22.4.6 fin X → Σn. BXNn

Proof Facts 22.2.1 and 22.4.5. ■

Corollary 22.4.7 (EWOs) Finite types have EWOs.

Proof Follows with Fact 22.4.5 since numeral types have EWOs (Fact 14.3.4) and
injections transport EWOs (Fact 14.3.5). ■

Fact 22.4.8 (Existence) Every nonempty finite type can be embedded into N:
finSn X → I XN.

Proof Let A be a listing of X. We realize the injection of X into N using the list
operations pos and sub with an escape values a ∈ A (§21.7):

f x := pos A x
gn := sub a A n ■

Exercise 22.4.9 Show the following facts:

a) finm Nn → m = n.
b) B Nm Nn → m = n.

22.5 Upgrade Theorem

Fact 22.5.1 (Injectivity-surjectivity agreement)

Functions between finite types of the same cardinality are injective if and only if
they are surjective: finn X → finn Y → (injective XY f ←→ surjective XY f ).

Proof Let A and B be listings for X and Y , respectively, with len A = len B. We fix
f X→Y and have covering(f @A) ←→ nrep(f @A) by Fact 22.1.3.
Let f be injective. Then f @A is nonrepeating by Exercise 21.5.7 (a). Thus f @A
is covering. Hence f is surjective.
Let f be surjective. Then f @A is covering and thus nonrepeating. Thus f is
injective by Exercise 21.5.7 (b). ■

Fact 22.5.2 (Upgrade) Let f X→Y be a surjective or injective function between finite
types of the same cardinality. Then one can obtain a function g such that f and g
constitute a bijection between X and Y .

Proof Let finn X and finn Y . The both types have equality deciders and EWOs
(Fact 22.4.7). By Fact 22.5.1 we can assume a surjective function f X→Y . Fact 14.4.1
gives us a function g such that inv f g. Fact 22.4.2 gives us inv gf as claimed. ■

240
 22.6 Listless Development

Exercise 22.5.3
Prove finm X → finn Y → m > 0 → (∀f X→Y . injective f ←→ surjective f ) → m = n.

Exercise 22.5.4 Show that all inverse functions of an injective function between
finite types of the same cardinality agree.

22.6 Listless Development

Fact 22.4.5 characterizes finite types with numeral types and bijections not using
lists. In fact, in set theory finite sets are usually obtained as sets that are in bijection
with canonical finite sets. Moreover, a number n is represented as a particular set
with exactly n elements. Following the development in set theory, one may study
finite types in type theory not using lists. Important results of such a development
would be the following theorems:
1. B Nm Nn → m = n
2. ∀f g Nn →Nn . inv gf → inv f g
3. I Nn N
4. I N Nn → ⊥
In the proofs of these results induction over numbers (i.e., the cardinality n) will
replace induction over lists.
We will give a few list-free proofs for numeral types since they are interesting
from a technical perspective. They require a different mindset and sometimes re-
quire tricky techniques for option types.
The main tool for proving properties of numeral types Nn is induction on the
cardinality n. An important insight we will use is that we can lower an embedding
of O2 (X) into O2 (Y ) into an embedding of O(X) into O(Y ). We realize the idea with
a lowering operator as follows:

L : ∀XY . (O(X) → O2 (Y )) → X → O(Y )

LXY f x := match f (◦x) [ ◦b ⇒ b | œ ⇒ match f œ [ ◦b ⇒ b | œ ⇒ œ ] ]

The idea behind L is simple: Given x, Lf checks whether f maps ◦x to ◦b. If so, Lf
maps x to b. Otherwise, Lf checks whether f maps œ to ◦b. If so, Lf maps x to b.
If not, Lf maps x to œ.

Lemma 22.6.1 (Lowering) Let f : O2 (X) → O2 (Y ) and g : O2 (Y ) → O2 (X).

Then inv gf → inv (Lg)(Lf ).

Proof Let inv gf . We show (Lg)(Lf a) = a by brute force case analysis following the
matches of Lf and Lg. There are 24 cases that all follow with equational reasoning
as provided by the ongruence tactic. ■

241
22 Finite Types

We can now show that a self-injection of a numeral type is always a bijection.

Theorem 22.6.2 (Self-injection)

Let f and g be functions Nn → Nn . Then inv gf → inv f g.

Proof We prove the claim by induction on n. For n = 0 and n = 1 the proofs are
straightforward.
Let f , g : OSSn (⊥) → OSSn (⊥) and inv gf . By Lemma 22.6.1 and the inductive
hypothesis we have inv (Lf )(Lg). We consider 2 cases:
1. f (gœ) = œ. We show f (g ◦b) = ◦b. We have (Lf )(Lgb) = b. The claim now
follows by case analysis and linear equational reasoning following the definitions
of Lf and Lg (7 cases are needed).
2. f (gœ) = ◦b. We derive a contradiction.
a) f œ = ◦b′ We have (Lf )(Lgb′ ) = b′ . A contradiction follows by case anal-
ysis and linear equational reasoning following the definitions of Lf and Lg
(4 cases are needed).
b) f œ = œ. Contradictory since inv gf . ■

The above proof requires the verification of 12 cases by linear equational reason-
ing as realized by Coq’s congruence tactic. The cascaded case analysis of the proof
is cleverly chosen as to minimize the cases that need to be considered. The need
for cascaded case analysis of function applications so that linear equational rea-
soning can finish the current branch of the proof appeared before with Kaminski’s
equation (§5.4).
We remark that the lowering operator L is related to the certifying lowering op-
erator established by Lemma 11.2.2. However, there are essential differences. The
lowering operator L uses a default value while Lemma 11.2.2 exploits an assump-
tion and computational falsity elimination to avoid the need for a default value.
In fact, the default value is not available in the setting of Lemma 11.2.2, and the
assumption is not available in the setting of the lowering operator.
Theorem 22.6.2 stands out in that its proof requires the verification of more
cases than one feels comfortable with on paper. Here the accompanying verification
with a proof assistant gives confidence beyond intuition and common belief.
We now generalize self-injection to general finite types.

Corollary 22.6.3 BXNn → BY Nn → invXY gf → inv f g.

Proof Let f1 , g1 form a bijection BXNn and f2 , g2 form a bijection BXNn . We have

inv (λa.f 1(g(g2 a))) (λa.f 2(f (g1 a)))

by equational reasoning (congruence tactic in Coq). Theorem 22.6.2 gives us

inv (λa.f 2(f (g1 a))) (λa.f 1(g(g2 a)))

242
 22.6 Listless Development

This gives us inv f g by equational reasoning (congruence tactic in Coq). ■

Using the lowering lemma, we can also prove a cardinality result for numeral
types.

Theorem 22.6.4 (Cardinality)

I(Nm )Nn → m ≤ n.

Proof Let f : Nm → Nn and inv gf . If m = 0 or n = 0 the claim is straightforward.

Otherwise we have f : OSm (⊥) → OSn (⊥) and inv gf . We prove m ≤ n by induction
on m with n, f , and g quantified. For m = 0 the claim is trivial. In the successor
case, we need to show Sm ≤ n. If n = 0, we have f : OSSm (⊥) → O(⊥) contradicting
inv gf . If n > 0, the claim follows by Lemma 22.6.1 and the inductive hypothesis. ■

Exercise 22.6.5 Show B Nm Nn → m = n using induction and the bijection theorem

for option types (11.2.4).

Exercise 22.6.6 Try to do the proof of Theorem 22.6.2 without looking at the details
of the given proof. This will make you appreciate the cleverness of the case analysis
of the given proof. It took a few iterations to arrive at this proof. Acknowledgements
go to Andrej Dudenhefner.

Exercise 22.6.7 (Pigeonhole)

Prove ∀f NSn →Nn . Σab. a ≠ b ∧ f a = f b not using lists.
Hint: A proof similar to the proof of Theorem 22.6.4 works, but the situation is
simpler. The decision function from Fact 22.2.6 (c) is essential.

Exercise 22.6.8 (Double negation shift)

Prove ∀n ∀p Nn →P . (∀x. ¬¬px) → ¬¬∀x. px not using lists.

Exercise 22.6.9 (Embedding numeral types into the type of numbers)

Numeral types can be embedded into the numbers by interpreting the constructor œ
as 0 and the constructor ◦ as successor.
a) Define an encoding function E : ∀n. Nn → N.
b) Define a decoding function D : N → ∀n. NSn .
c) Prove Ena < n.
d) Prove D(E(Sn)a)n = a.
e) Prove k ≤ n → E(Sn)(Dkn) = k.
Hint: The definition of E needs computational falsity elimination.

243
22 Finite Types

Exercise 22.6.10 (Decidability)

Let p be a decidable predicate on Nn . Then:
1. D(∀[Link])
2. D(∃[Link])
3. (Σ[Link]) + (∀x.¬px)

Exercise 22.6.11 (Finite Choice)

We define the choice property for two types X and Y as follows:

choice XY := ∀p X→Y →P . (∀x∃y. pxy) → ∃f ∀x. px(f x)

The property says that every total relation from X to Y contains a function from X
to Y . Prove choice XY for all finite types X:
a) choice ⊥ Y
b) choice X Y → choice (OX) Y
c) choice Nn Y
d) B X Nn → choice XY
The proposition choice N Y is known as countable choice for Y . The computational
type theory we are considering cannot prove countable choice for B.

22.7 Notes

We have chosen to define finite types using lists. This is a natural and convenient
definition given that lists are a basic computational data structure. On the other
hand, we could define finite types more abstractly as types that are in bijection with
numeral types obtained with option types and recursion. This definition is backed
up by two bijection theorems (22.6.4 and 22.6.2).

244
23 Countable Types

Countable types include finite types and N, and are closed under retracts, sums,
cartesian products, and list types. All countable types have equality deciders, enu-
merators, and EWOs. Infinite countable types are in bijection with N. Typical ex-
amples for infinite countable types are inductive types for syntactic objects (e.g.,
expressions and formulas). As it comes to characterizations of countable types, a
type X is countable iff X has an enumerator and an equality decider, or iff OX is a
retract of N, or iff X is a retract of N and also inhabited.

23.1 Enumerable Types

An enumerator of a type X is a function f N→O(X) that reaches all elements of X.

Formally, we define the type of enumerators of a type X as follows:

enum′ X f N→OX := ∀x ∃n. f n = ◦x

enum X := Σf . enum′ Xf

We say that a type is enumerable if it has an enumerator.

Fact 23.1.1 (Enumerable types)

1. ⊥ and N are enumerable types: enum ⊥ and enum N.
2. Enumerable types are closed under retracts, O, +, and × :
a) IXY → enum Y → enum X
b) enum X a enum(O X)
c) enum X × enum Y a enum(X + Y )
d) enum X → enum Y → enum(X × Y )
3. Finite types are enumerable: fin X → enum X.

Proof Straightforward. Closure under + and × follows with I(N × N)N (Chapter 7).
(3) follows since fin X → Σn. IX(On ⊥) (Fact 22.4.6). ■

Given a function f N→OX , we call a function g X→N such that ∀x. f (gx) = ◦x
a co-enumerator for f .

245
23 Countable Types

Fact 23.1.2 (Co-enumerator) If f N→OX has a co-enumerator g, then f is an enumer-

ator of X, g is injective, and X has an equality decider.

Fact 23.1.3 (Co-enumerator) Enumerators of discrete types have co-enumerators:

EX → enum′ Xf → Σg. ∀x. f (gx) = ◦x.

Proof It suffices to show ∀x. Σn. f n = ◦x. Follows with an EWO of N since OX is
discrete. ■

23.2 Countable Types

A countable type is a type coming with an equality decider and an enumerator:

cty X := E(X) × enum X

Fact 23.2.1 (Countable types)

1. ⊥ and N are countable types: cty ⊥ and cty N.
2. Countable types are closed under retracts, O, +, and × :
a) IXY → cty Y → cty X
b) cty X a cty(O X)
c) cty X × cty Y a cty(X + Y )
d) cty X → cty Y → cty(X × Y )
3. Finite types are countable: fin X → cty X.

Proof Follows with Fact 23.1.1 and the concomitant closure facts for discrete
types. ■

Fact 23.2.2 (Co-enumerator characterization)

A type X is countable if and only if there are functions f N→OX and g X→N such that g
is a co-enumerator of f .

Proof Facts 23.1.3 and 23.1.2. ■

It turns out that a type X is countable if and only if OX is a retract of N.

246
 23.2 Countable Types

Fact 23.2.3 (Retract characterization) cty X a I(OX)N.

Proof Suppose cty X. Fact 23.2.2 gives us f and g such that ∀x. f (gx) = ◦x. We
obtain an injection I(OX)N as follows:

g ′ a := match a [ ◦x ⇒ S(gx) | œ ⇒ 0]
f ′ n := match n [ 0 ⇒ œ | Sn ⇒ f n]

The other direction follows with the transport lemmas for equality deciders 11.1.3
and 11.2.1 and the observation that the inverse function of the injection is an enu-
merator of X. ■

Fact 23.2.4 (EWOs) Countable types have EWOs.

Proof Follows with an EWO for N (Fact 14.2.2) and Facts 23.2.3, 14.3.5, and 14.3.3.■

Fact 23.2.5 An injection IXN can be raised into an injection I(OX)N.

Proof Let f and g be the functions of IXN. Then

f ′ a := match a [ ◦x ⇒ S(f x) | œ ⇒ 0]
g ′ n := match n [ 0 ⇒ œ | Sn ⇒ ◦gn]

yield an injection I(OX)N. ■

Fact 23.2.6
An injection I(OX)Y with X inhabited can be lowered into an injection IXY :
I(OX)Y → X → IXY .

Proof Let f and g be the functions of I(OX)Y and x0 an element of X. Then

f ′ x := f (◦x)
g ′ y := match gy [ ◦x ⇒ x | œ ⇒ x0 ]

yield an injection IXY . ■

Fact 23.2.7 Nonempty countable types are exactly the retracts of N:

X → (cty X a IXN).

Proof Follows with Facts 23.2.3, 23.2.5, and 23.2.6. ■

Fact 23.2.8 (Uncountable type) The function type N → B is not countable.

Proof Suppose N → B is countable. Then Fact 23.2.7 give us an injection I(N → B)N
and thus a surjective function N → (N → B). Contradiction with Cantor’s theorem
(Fact 6.3.4). ■

247
23 Countable Types

23.3 Injection into N via List Enumeration

Infinite countable types appear frequently in computational settings. Typical exam-

ples are the syntactic types for expressions and for formulas appearing in Chap-
ters 8 and 24. For these types constructing equality deciders is routine, but so
far we don’t have a method for constructing enumerators. In fact, constructing an
enumerating function N → O(X) directly is not feasible since we need recursion
on N but don’t have the necessary termination arguments. We are now providing a
method obtaining enumerators by constructing injections IXN.
The key idea is to have an infinite sequence L1 , L2 , L3 , . . . of lists over X such
that Ln is a prefix of LSn and every x appears eventually is some Ln . Because of the
prefix property, the first position of x in Ln does not dependent on the n as long
as x ∈ Ln . For the retract, we now map x to its first position in some list Ln with
x ∈ Ln , and n to the element at position n of a sufficiently long list Lm .
We define prefixes as follows: prefix A B := ∃C. A + + C = B.

Fact 23.3.1 prefix A B → k < len A → sub A k = sub B k.

Proof ∀k. k < len A → sub A k = sub (A +

+ C) k follows by induction on A. ■

Theorem 23.3.2 (List enumeration)

An injection IXN can be obtained from an equality decider for X and two functions
LN→L(X) and βX→N such that:
1. ∀n. prefix Ln LSn ∧ len Ln < len LSn
2. ∀x. x ∈ Lβx

Proof Let X be a discrete type and L and β be functions as specified. Since L1 is not
empty by (1), we have a default value x0 : X. We define functions f X→N and g N→X

f x := pos Lβx x
gn := sub LSn n

and show inv gf . We prepare the proof with the following lemmas:
3. m ≤ n → prefix Lm Ln
4. prefix Lm Ln ∨ prefix Ln Lm
5. k < len Lm → k < len Ln → sub Lm k = sub Ln k
6. n ≤ len Ln
(3) follows by induction on n. (4) is a straightforward consequence of (3). (5) follows
with Fact 23.3.1 and (4). (6) follows by induction on n and (1).
To show inv gf , we fix x and set k := pos Lβx x and show sub LSk k = x. By
Fact 21.7.1(1) it suffices to show sub LSk k = sub Lβx k, which follows by (5) since
k < len LSk by (6) and k < len Lβx by (2) and Fact 21.7.1(2). ■

248
 23.4 More Countable Types

Given a type X, we call functions L and β as specified by Theorem 23.3.2 a list

enumeration of X. Note that types are inhabited if they have a list enumeration.

23.4 More Countable Types

Using a list enumeration, we now show that the recursive inductive type

tree ::= A (N) | T (tree, tree)

closing N under pairing is countable.

Fact 23.4.1 E(tree).

Proof Routine. By induction and case analysis on trees. ■

To define a list enumeration for tree, we need a function that given a list A of
trees returns a list containing all trees Tst with s, t ∈ A.
Lemma 23.4.2 (List product)
∀AB L(tree) . ΣC. ∀u. u ∈ C ←→ ∃ s∈A ∃ t∈B. u = Tst.

Proof We fix B and prove the claim by induction on A following the scheme

[] · B = []
(s :: A) · B = (Ts)@B +
+ A·B ■

Fact 23.4.3 I tree N.

Proof By Theorem 23.3.2 and Fact 23.4.1 it suffices to construct a list enumeration
for tree. We define:

L(0) := []
L(Sn) := L(n) +
+An+
+{ T(s, t) | s, t ∈ L(n) }

β(A n) := Sn
β(T st) := S(βs + βt)

where { T(s, t) | s, t ∈ L(n) } is notation for the application of the list product
function from Lemma 23.4.2 to L(n) and L(n). We show ∀t. t ∈ L(βt) by induction
on t, the rest is obvious.
For A, we show A n ∈ L(Sn), which is straightforward.
For T, we show T st ∈ L(S(βs + βt)). By induction we have s ∈ L(βs) and
t ∈ L(βt). It suffices to show s, t ∈ L(βs + βt). Follows with the monotonicity
property
∀mn. m ≤ n → Lm ⊆ Ln
which in turn follows by induction on n. ■

249
23 Countable Types

Fact 23.4.4 cty tree.

Proof Follows with Facts 23.4.3, 23.2.1(2a), and 23.2.1(1). ■

We can now show countability of a type by embedding it into tree. This is in

many cases straightforward.
Fact 23.4.5 cty (N × N).

Proof By Facts 23.4.4 and 23.2.1(2a) it suffices to embed N × N into tree, which can
be done as follows:

f (x, y) := T(A x)(A y)

g(T(A x)(A y)) := (x, y)

g _ := (0, 0)

Now g(f (x, y)) = (x, y) holds by computational equality. ■

Note that Fact 23.4.5 can also be obtained with Cantor pairing (Fact 11.1.8). The
point is that Fact 23.4.5 obtains countability of N × N with a routine method rather
than the ingenuous Cantor pairing.
Fact 23.4.6 cty (L N).

Proof By Facts 23.4.4 and 23.2.1(2a) it suffices to embed L N into tree, which can be
done as follows:

f [] := A 0
f (x :: A) := T(A x)(f A)

g(T(A x) t) := x :: gt
g _ := []

Now g(f A) = A follows by induction on A. ■

Fact 23.4.7 Countable types are closed under taking list types: cty X → cty(L X).

Proof Let cty X. The retract characterization (Fact 23.2.3) gives us functions F OX→N
and GN→OX such that inv GF . By Facts 23.4.6 and 23.2.1(2a) it suffices to embed L X
into L N, which can be done as follows:

f A := (λx. F (◦x)) @ A

g [] := []
g (n :: A) := match Gn [ ◦x ⇒ x :: gA | œ ⇒ [] ]

Now ∀A. g(f A) = A follows by induction on A. ■

250
 23.5 Alignments

Exercise 23.4.8 Prove IXN → I(LX)(LN).

Exercise 23.4.9 Prove that the type of expressions (§ 8.2) and the type of formu-
las (§ 24.1) are countable by embedding them into tree. No recursion is needed for
the embedding.

Exercise 23.4.10 (General list product) Assume a function f X→Y →Z . Construct a

function ∀AB. ΣC. ∀z. z ∈ C ←→ ∃ x∈A ∃ y∈B. z = f xy.

23.5 Alignments

We start with an informal presentation of ideas we are going to formalize. An

alignment of a type X is a nonrepeating sequence x0 , x1 , x2 , . . . listing all values
of X. The sequence may be finite or infinite depending on the cardinality of X.
Countable types have alignments since they have enumerators. If a type has an
infinite alignment, it is in bijection with N. Moreover, a type is finite if and only if it
has a finite alignment.
Formally, we define alignments as follows:

hitX f X→N n := ∃x. f x = n

serialX f X→N := ∀nk. hit f n → k ≤ n → hit f k
alignmentX f X→N := serial f ∧ injective f

We call an alignment infinite if it is surjective. We call an alignment finite if it

it has a cutoff n such that it hits exactly the numbers k < n. Formally, we define
cutoffs as follows:

cutoffX f X→N n := ∀k. hit f k ←→ k < n

Fact 23.5.1 Cutoffs are unique. That is, all cutoffs of a function X → N agree.

Fact 23.5.2 The surjective alignments are exactly the bijective functions X → N.

Fact 23.5.3 (Bijection)

Countable types with surjective alignments are in bijection with N:
cty X → alignmentX f → surjective f → BXN.

Proof Follows with Fact 14.4.2 since countable types have EWOs (Fact 23.2.4). ■

Fact 23.5.4 (Witnesses of Hits)

Witnesses of hits over countable types are computable:
cty X → hitX f n → Σx. f x = n.

Proof Immediate since countable types have EWOs and equality on N is decidable.■

251
23 Countable Types

Lemma 23.5.5 (Segment)

Let f be an alignment of a countable type. Then for every n hit by f one can obtain
a nonrepeating list A of length Sn such that f @A is a segment.

Proof Let f be an alignment of a countable type X. Let hit f n. By induction on n

we construct a non-repeating list B of length Sn such that f @B is a segment.
Base case n = 0. Since countable types have EWOs, we can obtain x such that
f x = 0. Then A = [x] satisfies the claim.
Successor case. We assume hit f (Sn) and construct a nonrepeating list A of
length SSn such that f @A is a segment. Since f is serial, we have hit f n. The
inductive hypothesis gives us a nonrepeating list A of length Sn such that f @A is
a segment. Since countable types have EWOs, we can obtain x such that f x = Sn.
Now x :: A satisfies the claim. We show x ∉ A, the rest is obvious. Suppose x ∈ A.
Then f x < Sn contradicting f x = Sn. ■

23.6 Alignment Construction

We will now show that countable types have alignments. The construction proceeds
in two steps and starts from the enumerator of a countable type. The first step
obtains a nonrepeating enumerator by removing repetitions.
An enumerator f N→OX is nonrepeating if ∀mn. f m = f n ≠ œ → m = n.
Fact 23.6.1 (Nonrepeating enumerator)
Every countable type has a nonrepeating enumerator:
cty X → Σ f N→OX . enum′ f ∧ nonrepeating f .

Proof Let f be an enumerator of a countable type X. We obtain a nonrepeating

enumerator of X by keeping for all x only the first n such that f n = ◦x:



 œ if f n = œ

f ′ n := ◦x if f n = ◦x ∧ least (λn.f n = ◦x)n


œ if f n = ◦x ∧ ¬least (λn.f n = ◦x)n


The definition of f ′ is admissible since D(least (λn.f n = ◦x)n) since X is discrete

and least preserves decidability (Fact 13.3.1). That f ′ enumerates X and is nonre-
peating follows with Facts 13.2.4 and 13.1.1 for least. ■

There is a second characterization of seriality that is useful for the second step
of the alignment construction.
Fact 23.6.2 A function f X→N is serial if and only if ∀n. hit f (Sn) → hit f n.

Proof One direction is trivial. For the other direction we assume ∀n. hit f (Sn) →
hit f n and prove ∀nk. hit f n → k ≤ n → hit f k by induction on n. ■

252
 23.7 Bijection Theorem

Theorem 23.6.3 (Alignment)

Every countable type has an alignment:
∀X. cty X → Σ g X→N . alignment g.

Proof Let X be a countable type. By Facts 23.6.1 and 23.1.3 X has a nonrepeating
enumerator f N→OX with a co-enumerator g X→N . We define a function hN→N such
that hn is the number of hits f has for k < n:

h(0) := 0
h(Sn) := if f n ≠ œ then S(hn) else hn

By induction on n we show two intuitively obvious facts about h:

1. ∀kn. hn = Sk → Σ my. m < n ∧ f m = ◦y ∧ hm = k.
2. ∀mxn. f m = ◦x → m < n → hm < hn.
We now show that g ′ x := h(gx) is an alignment of X.
That g ′ is serial follows with (1) and Fact 23.6.2.
That g ′ is injective follows with
3. ∀xy. h(gx) = h(gy) → gx = gy
since the co-enumerator g is injective. To see (3), assume h(gx) = h(gy). Then
f hits both gx and gy. By (2) we have that gx < gy and gy < gx are both
contradictory. Hence gx = gy. ■

23.7 Bijection Theorem

We now show that two countable types are in bijection if they are retracts of each
other: cty X → cty Y → IXY → IY X → BXY .

Lemma 23.7.1 (Transport)

Let X and Y be countable types with alignments f and g and IXY . Then:
∀x. Σy. gy = f x.

Proof Let F X→Y and GY →X be such that ∀x. G(F x) = x. We fix x and show
Σy. gy = f x. By Fact 23.5.4 it suffices to show that g hits f x. With the Seg-
ment Lemma 23.5.5 we obtain a nonrepeating list A : L(X) of length S(f x). Now
g@(F @A) has length S(f x) and is nonrepeating since g and F are injective. The
Large Element Lemma 21.6.6 gives k ∈ g@(F @A) such that k ≥ f x. Thus g hits k.
Since g is serial and f x ≤ k, g hits f x. ■

253
23 Countable Types

Theorem 23.7.2 (Bijection)

Countable types are in bijection if they are retracts of each other:
cty X → cty Y → IXY → IY X → BXY .

Proof X and Y have alignments f and g by Fact 23.6.3. With the Transport
Lemma 23.7.1 we obtain functions F : ∀x. Σy. gy = f x and G : ∀y. Σx. f x = gy.
Using the injectivity of f and g one verifies that λx.π1 (F x) and λy.π1 (Gy) form
a bijection. ■

Corollary 23.7.3 Infinite countable types are in bijection with N:

INX → cty X → BXN.

Proof Let INX and cty X. Then X is inhabited and thus IXN by Fact 23.2.7. Now
the bijection theorem 23.7.2 gives us a bijection BXN since cty N. ■

23.8 Alignments of Finite Types

We will show that a countable type X is finite with cardinality n if and only if n is
the cutoff of some alignment of X.

Fact 23.8.1 Let n be the cutoff of an alignment of a countable type X. Then finn X.

Proof Let X be a countable type, f be an alignment of X, and n be the cutoff of f .

It suffices to show that X has a listing of length n.
If n = 0, then X is empty and [] is a listing as required.
Now assume n > 0. Then f hits n − 1. The Segment Lemma 23.5.5 gives us a
nonrepeating list A of length n such that f @A contains exactly the numbers k < n.
We assume x : X and show that x ∈ A. Since n is a cutoff of f , we have f x < n.
Hence f x ∈ f @A. Since f is injective, we have x ∈ A. ■

Fact 23.8.2 If finn X, then n is a cutoff of every alignment of X.

Proof Let finn X and f be an alignment of X. Let A be a listing of X. Then f @A

is a nonrepeating list of length n containing exactly the numbers hit by f . Thus
it suffices to show that f @A contains exactly the numbers k < n. Follows with
Fact 21.6.7 since f @A is serial and nonrepeating. ■

Corollary 23.8.3 Alignments of finite types are not surjective.

Proof Let finn X and f be a alignment of X. It suffices to show that f doesn’t hit n.
By Fact 23.8.2 we have a cutoff n of f . Thus n < n if f hits n. ■

254
 23.9 Finite or Infinite

23.9 Finite or Infinite

Assuming the law of excluded middle, we show that a serial function either has a
cutoff or is surjective. Since there is no algorithm deciding this property, assuming
excluded middle seems necessary.

Fact 23.9.1 XM → serial f → ex(cutoff f ) ∨ surjective f .

Proof Assume XM and let f be serial. Using XM, we assume that f is not surjective
and show that f has a cutoff. Using XM, we obtain a k not hit by f . Using XM and
Fact 13.5.2, we obtain the least n not hit by f . Since f is serial, n is the cutoff of f .■

We now have that under XM a countable type is either finite or in bijection with N.

Fact 23.9.2 XM → cty X → □ (fin X + bijection X N).

Proof Follows with Facts 23.6.3, 23.9.1, 23.8.1, and 23.5.3. ■

The truncation □ in Fact 23.9.2 is needed so that the disjunctive assumption XM

can be harvested. Truncations are introduced in § 10.5.

Fact 23.9.3 XM → cty X → □ I XN ∨ (X → ⊥).

Proof Follows with Facts 23.9.2, 22.2.2 and 22.4.8. ■

23.10 Discussion

We have shown that a countable type is either a finite type or an infinite type that
is in bijection with N. In fact, most results in this chapter generalize results we
have already seen for finite types. The generalized results include the construction
of alignments for countable types and the construction of bijections for countable
types of the same cardinality.
Cantor pairing is an ingenuous construction establishing N × N as an infinite
countable type. We gave a more general construction (list enumeration) that works
for N × N and for syntactic types in general.
We did not give a formal definition of infinite types since there are several possi-
bilities: We may call a type X infinite if X is not a finite type, if there is an injection
INX, or if there is a new element generator, among other possibilities.
As it comes to cardinalities of countable types, we may say that the cardinality
of a countable type is a value of O(N), where ◦n represents the finite cardinality n
and œ represents the single infinite cardinality.

255
 Part III

Case Studies

257
24 Propositional Deduction

In this chapter we study propositional deduction systems. Propositional deduction

systems can be elegantly formalized with indexed inductive type families. The chap-
ter is designed such that it can serve as an introduction to propositional deduction
systems and to indexed inductive type definitions at the same time. No previous
knowledge of indexed inductive type definitions is assumed.
We present ND systems and Hilbert systems for intuitionistic provability and for
classical provability. We show the equivalence of the respective systems and that
classical provability reduces to intuitionistic provability (Glivenko’s theorem). We
consider three-valued and two-valued interpretations of formulas and show that
certain formulas are unprovable in the systems (e.g., the double negation law in
intuitionistic systems).
We characterize classical provability with a refutation system based on boolean
formula decomposition. The refutation system provides the basis for a certifying
solver, from which we obtain that classical provability is decidable and agrees with
boolean entailment. We construct the certifying solver using size induction.
The chapter can serve as an introduction to deduction systems in general,
preparing the study of deduction systems for programming languages (e.g., type
systems, operational semantics). More specifically, in this chapter we learn how in-
ductive types elegantly represent abstract syntax, judgments, and derivation rules.

24.1 ND Systems

We start with an informal explanation of natural deduction systems. Natural deduc-

tion systems (ND systems) come with a class of formulas and a system of deduction
rules for building derivations of judgments A ⊢ s consisting of a list of formulas A
serving as assumptions and a single formula s serving as conclusion. That a judg-
ment A ⊢ s is derivable with the rules of the system is understood as saying that s
is provable with the assumptions in A and the rules of the system. Given a concrete
class of formulas, we can have different sets of rules and compare their deductive
power. Given a concrete deduction system, we may ask the following questions:

259
24 Propositional Deduction

• Consistency: Are there judgments we cannot derive?

• Weakening property: Given a derivation of A ⊢ s and a list B containing A, can
we always obtain a derivation of B ⊢ s?
• Cut property: Given derivations of A ⊢ s and s :: A ⊢ t, can we always obtain a
derivation of A ⊢ t?
• Decidability: Is it decidable whether a judgment A ⊢ s is derivable?
We will consider the following type of formulas:

s, t, u, v : For := x | ⊥ | s → t | s ∧ t | s ∨ t (x : N)

Formulas of the kind x are called atomic formulas. Atomic formulas represent
atomic propositions whose meaning is left open. For the other kinds of formulas the
symbols used give away the intended meaning. Formally, the type For of formulas
is accommodated as an inductive type that has a value constructor for each kind of
formula (5 altogether).1 We will use the familiar notation

¬s := s → ⊥

to express negated formulas.

Exercise 24.1.1 (Formulas)

a) Show some of the constructor laws for the type of formulas.
b) Define an eliminator providing for structural induction on formulas.
c) Define a certifying equality decider for formulas.

24.2 Intuitionistic ND System

The deduction rules of the intuitionistic ND system we will consider are given in
Figure 24.1 using several notational gadgets:
• Comma notation A, s for lists s :: A.
• Ruler notation for deduction rules. For instance,

A⊢s→t A⊢s
A⊢t

describes a rule (known as modus ponens) that obtains a derivation of A ⊢ t

from derivations of A ⊢ (s → t) and A ⊢ s. We say that the rule has two
premises and one conclusion.

1
The use of abstract syntax is discussed more carefully in Chapter 8.

260
 24.2 Intuitionistic ND System

s∈A A⊢⊥ A, s ⊢ t A⊢s→t A⊢s

A E⊥ I→ E→
A⊢s A⊢s A⊢s→t A⊢t

A⊢s A⊢t A⊢s∧t A, s, t ⊢ u

I∧ E∧
A⊢s∧t A⊢u

A⊢s A⊢t A⊢s∨t A, s ⊢ u A, t ⊢ u

I1∨ I2∨ E∨
A⊢s∨t A⊢s∨t A⊢u

Figure 24.1: Deduction rules of the intuitinistic ND system

All rules in Figure 24.1 express proof rules you are familiar with from mathematical
reasoning and the logical reasoning you have seen in this text. In fact, the system
of rules in Figure 24.1 can derive exactly those judgments A ⊢ s that are known to
be intuitionistically deducible (given the formulas we consider). Since reasoning
in type theory is intuitionistic, Coq can prove a goal (A, s) if and only if the rules
in Figure 24.1 can derive the judgment A ⊢ s (where atomic formulas are accom-
modated as propositional variables in type theory). We will exploit this coincidence
when we construct derivations using the rules in Figure 24.1.
The rules in Figure 24.1 with a logical constant (i.e., ⊥, →, ∧, ∨) in the conclusion
are called introduction rules, and the rules with a logical constant in the leftmost
premise are called elimination rules. The first rule in Figure 24.1 is known as
assumption rule. Note that every rule but the assumption rule is an introduction or
an elimination rule for some logical constant. Also note that there is no introduction
rule for ⊥, and that there are two introduction rules for ∨. The elimination rule for ⊥
is also known as explosion rule.
Note that no deduction rule contains more than one logical constant. This re-
sults in an important modularity property. If we want to omit a logical constant, for
instance ∧, we just omit all rules containing this constant. Note that every system
with ⊥ and → can express negation. When trying to understand the structural prop-
erties of the system, it is usually a good idea to just consider ⊥ and →. Note that the
assumption rule cannot be omitted since it is the only rule not taking a derivation
as premise.
Here are common conveniences for the turnstile notation we will make use of in
the following:

s⊢u Ž [s] ⊢ u
s, t ⊢ u Ž [s, t] ⊢ u
⊢u Ž [] ⊢ u

261
24 Propositional Deduction

Example 24.2.1 Below is a derivation for s ⊢ ¬¬s depicted as a derivation tree:

A A
s, ¬s ⊢ ¬s s, ¬s ⊢ s
E→
s, ¬s ⊢ ⊥
I→
s ⊢ ¬¬s

The labels A, E→ , and I→ at the right of the lines are the names for the rules used
(assumption, elimination, and introduction).

Constructing ND derivations
Generations of students have been trained to construct ND derivations. In fact,
constructing derivations in the intuitionistic ND system is pleasant if one follows
the following recipe:
1. Construct a proof table as if the formulas were propositions.
2. Translate the proof table into a derivation using the proof assistant.
Step 1 is the more difficult one, but you already well-trained as it comes to con-
structing intuitionistic proof tables. Once the proof assistant is used, constructing
derivations becomes fun. Using the proof assistant becomes possible once the rele-
vant ND system is realized as an inductive type.
The proof assistant comes with a decision procedure for intuitionistically prov-
able quantifier-free propositions. If in doubt whether a certain derivation can be
constructed in the intuitionistic ND system, the decision procedure of the proof
assistant can readily decide the question.

Exercise 24.2.2 Give derivation trees for A ⊢ (s → s) and ¬¬⊥ ⊢ ⊥.

Exercise 24.2.3 If you are eager to construct more derivations, Exercise 24.3.3 will
provide you with interesting examples.

24.3 Formalization with Indexed Inductive Type Family

It turns out that propositional deduction systems like the one in Figure 24.2 can be
formalized elegantly and directly with inductive type definitions accommodating
deduction rules as value constructors of derivation types A ⊢ s.
Let us explain this fundamental idea. We may see the deduction rules in Fig-
ure 24.1 as functions that given derivations for the judgments in the premises yield
a derivation for the judgment appearing as conclusion. The introduction rule for
conjunctions, for instance, may be seen as a function that given derivations for
A ⊢ s and A ⊢ t yields a derivation for A ⊢ s ∧ t. We now go one step further

262
 24.3 Formalization with Indexed Inductive Type Family

s∈A → A⊢s A
A⊢⊥ → A⊢s E⊥
A, s ⊢ t → A ⊢ (s → t) I→
A ⊢ (s → t) → A ⊢ s → A ⊢ t E→
A ⊢ s → A ⊢ t → A ⊢ (s ∧ t) I∧
A ⊢ (s ∧ t) → A, s, t ⊢ u → A ⊢ u E∧
A ⊢ s → A ⊢ (s ∨ t) I1∨
A ⊢ t → A ⊢ (s ∨ t) I2∨
A ⊢ (s ∨ t) → A, s ⊢ u → A, t ⊢ u → A ⊢ u E∨

Prefixes for A, s, t, u omitted, constructor names given at the right

Figure 24.2: Value constructors for derivation types A ⊢ s

and formalize the deduction rules as the value constructors of an inductive type
constructor

⊢ : L(For) → For → T

This way the values of an inductive type A ⊢ s represent the derivations of the
judgment A ⊢ s we can obtain with the deduction rules. To emphasize this point,
we call the types A ⊢ s derivation types.
The value constructors for the derivation types A ⊢ s of the intuitionistic ND
system appear in Figure 24.2. Note that the types of the constructors follow exactly
the patterns of the deduction rules in Figure 24.1.
When we look at the target types of the constructors in Figure 24.2, it becomes
clear that the argument s of the type constructor A ⊢ s is not a parameter since
it is instantiated by the constructors for the introduction rules (I→ , I∧ , I1∨ , I2∨ ). Such
nonparametric arguments of type constructors are called indices. In contrast, the
argument A of the type constructor A ⊢ s is a parameter since it is not instanti-
ated in the target types of the constructors. More precisely, the argument A is a
nonuniform parameter of the type constructor A ⊢ s since it is instantiated in some
argument types of some of the constructors (I→ , E∧ , and E∨ ).
We call inductive type definitions where the type constructor has indices indexed
inductive definitions. Indexed inductive definitions can also introduce indexed
inductive predicates. In fact, we alternatively could introduce ⊢ as an indexed
inductive predicate and this way demote derivations from computational objects to
proofs.
The suggestive BNF-style notation we have used so far to write inductive type

263
24 Propositional Deduction

definitions does not generalize to indexed inductive type definitions. So we will

use an explicit format giving the type constructor together with the list of its value
constructors. Often, the format used in Figure 24.2 will be convenient.

Fact 24.3.1 (Double negation)

1. ¬¬⊥ ⊢ ⊥
2. s ⊢ ¬¬s
3. (A ⊢ ¬¬⊥) a (A ⊢ ⊥)

Proof See Example 24.2.1 and the remarks there after. ■

In §24.9 we will show that ¬¬s ⊢ s is not derivable for some formulas s. In
particular, ¬¬s ⊢ s is not derivable if s is a variable. However, as the above proof
shows, ¬¬s ⊢ s is derivable for s = ⊥. This fact will play an important role.

Fact 24.3.2 (Cut) A ⊢ s → A, s ⊢ t → A ⊢ t.

Proof We assume A ⊢ s and A, s ⊢ t and derive A ⊢ t. By I→ we have A ⊢ (s → t).

Thus A ⊢ t by E→ . ■

The cut lemma gives us a function that given a derivation A ⊢ s and a derivation
A, s ⊢ t yields a derivation A ⊢ t. Informally, the cut lemma says that once we have
derived s from A, we can use s like an assumption.

Exercise 24.3.3 Construct derivations as follows:

a) A ⊢ ¬¬⊥ → ⊥
b) A ⊢ s → ¬¬s
c) A ⊢ (¬s → ¬¬⊥) → ¬¬s
d) A ⊢ (s → ¬¬t) → ¬¬(s → t)
e) A ⊢ ¬¬(s → t) → ¬¬s → ¬¬t
f) A ⊢ ¬¬¬s → ¬s
g) A ⊢ ¬s → ¬¬¬s

Exercise 24.3.4 Establish the following functions:

a) A ⊢ (s1 → s2 → t) → A ⊢ s1 → A ⊢ s2 → A ⊢ t
b) ¬¬s ∈ A → A, s ⊢ ⊥ → A ⊢ ⊥
c) A, s, ¬t ⊢ ⊥ → A ⊢ ¬¬(s → t)
Hint: (c) is routine if you first show A ⊢ (¬t → ¬s) → ¬¬(s → t).

Exercise 24.3.5 Prove the implicative facts (1)–(6) appearing in Exercise 24.11.6.

264
 24.4 The Eliminator

24.4 The Eliminator

For more interesting proofs it will be necessary to do inductions on derivations.

As it was the case for non-indexed inductive types, we can define an eliminator
providing for the necessary inductions. The definition of the eliminator is shown in
Figure 24.3. While the definition of the eliminator is frighteningly long, it is regular
and modular: Every deduction rule (i.e., value constructor) is accounted for with a
separate type clause and a separate defining equation. To understand the definition
of the eliminator, it suffices that you pick one of the deduction rules and look at the
type clause and the defining equation for the respective value constructor.
The eliminator formalizes the idea of induction on derivations, which informally
is easy to master. With a proof assistant, the eliminator can be derived automatically
from the inductive type definition, and its application can be supported such that
the user is presented the proof obligations for the constructors once the induction
is initiated.
As it comes to the patterns (i.e., the left-hand sides) of the defining equations,
there is a new feature coming with indexed inductive types. Recall that patterns
must be linear, that is, no variable must occur twice, and no constituent must be
referred to by more than one variable. With parameters, this requirement was easily
satisfied by not furnishing constructors in patterns with their parameter arguments.
If the type constructor we do the case analysis on has indices, there is the additional
complication that the value constructors for this type constructor may instantiate
the index arguments. Thus there is a conflict with the preceding arguments of the
defined function providing abstract arguments for the indices. Again, there is a sim-
ple general solution: The conflicting preceding arguments of the defined function
are written with the underline symbol ’_’ and thus don’t introduce variables, and
the necessary instantiation of the function type is postponed until the instantiating
constructor is reached. In the definition shown in Figure 24.3, the critical argument
of E⊢ that needs to be written as ’_’ in the defining equations is s in the target type
∀As. A ⊢ s → pAs of E⊢ .

24.5 Induction on Derivations

We are now ready to prove interesting properties of the intuitionistic ND system

using induction on derivations. We will carry out the inductions informally and
leave it to reader to check (with Coq) that the informal proofs translate into formal
proofs applying the eliminator E⊢ .
We start by defining a function translating derivations A ⊢ s into derivations
B ⊢ s provided B contains every formula in A.

265
24 Propositional Deduction

E⊢ : ∀p L(For)→For→T .
(∀As. s ∈ A → pAs) →
(∀As. pA⊥ → pAs) →
(∀Ast. p(s :: A)t → pA(s → t)) →
(∀Ast. pA(s → t) → pAs → pAt) →
(∀Ast. pAs → pAt → pA(s ∧ t)) →
(∀Astu. pA(s ∧ t) → p(s :: t :: A)u → pAu) →
(∀Ast. pAs → pA(s ∨ t)) →
(∀Ast. pAt → pA(s ∨ t)) →
(∀Astu. pA(s ∨ t) → p(s :: A)u → p(t :: A)u → pAu) →
∀As. A ⊢ s → pAs

E⊢ pe1 . . . e9 A _ (A sh) := e1 Ash

(E⊥ sd) := e2 As(E⊢ . . . A⊥d)
(I→ std) := e3 Ast(E⊢ . . . (s :: A)td)
(E→ std1 d2 ) := e4 Ast(E⊢ . . . A(s → t)d1 )(E⊢ . . . Asd2 )
(I∧ std1 d2 ) := e5 Ast(E⊢ . . . Asd1 )(E⊢ . . . Atd2 )
(E∧ stud1 d2 ) := e6 Astu(E⊢ . . . A(s ∧ t)d1 )(E⊢ . . . (s :: t :: A)ud2 )
(I1∨ std) := e7 Ast(E⊢ . . . Asd)
(I2∨ std) := e8 Ast(E⊢ . . . Atd)
(E∨ stud1 d2 d3 ) := e9 Astu(E⊢ . . . A(s ∨ t)d1 )
(E⊢ . . . (s :: A)ud2 )
(E⊢ . . . (t :: A)ud3 )

Figure 24.3: Eliminator for A ⊢ s

266
 24.5 Induction on Derivations

Fact 24.5.1 (Weakening) A ⊢ s → A ⊆ B → B ⊢ s.

Proof By induction on A ⊢ s with B quantified. All proof obligations are straight-

forward. We consider the constructor I→ . We have A ⊆ B and a derivation A, s ⊢ t,
and we need a derivation B ⊢ (s → t). Since A, s ⊆ B, s, the inductive hypothesis
gives us a derivation B, s ⊢ t. Thus I→ gives us a derivation B ⊢ (s → t). ■

Next we show that premises of top level implications are interchangeable with
assumptions.

Fact 24.5.2 (Implication) A ⊢ (s → t) a A, s ⊢ t.

Proof Direction ⇐ holds by I→ . For direction ⇒ we assume A ⊢ (s → t) and obtain

A, s ⊢ (s → t) with weakening. Now A and E→ yield A, s ⊢ t. ■

As a consequence, we can represent all assumptions of a derivation A ⊢ s as

premises of implications at the right-hand side. To this purpose, we define a rever-
sion function A · s with [] · t := t and (s :: A) · t := A · (s → t). For instance, we have
[s1 , s2 , s3 ] · t = (s3 → s2 → s1 → t). To ease our notation, we will write ⊢ s for [] ⊢ s.

Fact 24.5.3 (Reversion) A ⊢ s a ⊢ A · s.

Proof By induction on A with s quantified using the implication lemma. ■

A formula is ground if it contains no variable. We assume a recursively defined

predicate ground s for groundness.

Fact 24.5.4 (Ground Prover) ∀s. ground s → (⊢ s) + (⊢ ¬s).

Proof By induction on s using weakening. ■

Design principles
The intuitionistic ND system satisfies the following design principles:
1. Modularity: Every logical constant is accommodated with introduction and elim-
ination rules where the constant appears once and no other constant appears.
2. Weakening: If s can be derived for A, s can be derived for every B containing all
formulas in A.
3. Agreement: Implication → agrees with the external turnstile ⊢.

Exercise 24.5.5 Prove ∀s. ground s → ⊢ (s ∨ ¬s).

Exercise 24.5.6 Prove ∀As. ground s → A, s ⊢ t → A, ¬s ⊢ t → A ⊢ t.

Exercise 24.5.7 Prove the deduction laws for conjunctions and disjunctions:
a) A ⊢ (s ∧ t) a A ⊢ s × A ⊢ t
b) A ⊢ (s ∨ t) a ∀u. A, s ⊢ u → A, t ⊢ u → A ⊢ u

267
24 Propositional Deduction

Exercise 24.5.8 Construct derivations for the following judgments:

a) ⊢ (t → ¬s) → ¬(s ∧ t)
b) ⊢ ¬¬s → ¬¬t → ¬¬(s ∧ t)
c) ⊢ ¬s → ¬t → ¬(s ∨ t)
d) ⊢ (¬t → ¬¬s) → ¬¬(s ∨ t)
e) ⊢ ¬¬s → ¬t → ¬(s → t)
f) ⊢ (¬t → ¬s) → ¬¬(s → t)

Exercise 24.5.9 (Order-preserving reversion)

We define a reversion function A · s preserving the order of assumptions:

[] · s := s
(t :: A) · s := t → (A · s)

Prove A ⊢ s a ⊢ A · s.
Hint: Prove the generalization ∀B. B +
+ A ⊢ s a B ⊢ A · s by induction on A.

24.6 Classical ND System

The classical ND system is obtained from the intuitionistic ND system by replacing

the explosion rule

A⊢⊥
A⊢s

with the proof by contradiction rule:

A, ¬s ⊢ ⊥
A⊢s

Formally, we accommodate the classical ND system with a separate derivation type

constructor
˙ : L(For) → For → T
⊢

with separate value constructors. Classical ND can prove the double negation law.

˙ (¬¬s → s).
Fact 24.6.1 (Double Negation) A ⊢

Proof Straightforward using the contradiction rule. ■

˙ s → A, s ⊢
Fact 24.6.2 (Cut) A ⊢ ˙ t → A⊢
˙ t.

Proof Same as for the intuitionistic system. ■

268
 24.6 Classical ND System

˙s →A⊆B →B⊢
Fact 24.6.3 (Weakening) A ⊢ ˙ s.

Proof By induction on A ⊢ ˙ s with B quantified. Same proof as for intuitionistic ND,

except that now the proof obligation (∀B. A, ¬s ⊆ B → B ⊢ ˙ ⊥) → A ⊆ B → B ⊢ ˙s
for the contradiction rule must be checked. Straightforward with the contradiction
rule. ■

The classical system can prove the explosion rule. Thus every intuitionistic
˙ s.
derivation A ⊢ s can be translated into a classical derivation A ⊢

˙ ⊥ → A⊢
Fact 24.6.4 (Explosion) A ⊢ ˙ s.

Proof By contradiction and weakening. ■

˙ s.
Fact 24.6.5 (Translation) A ⊢ s → A ⊢

Proof By induction on A ⊢ s using the explosion lemma for the explosion rule. ■

˙ t a A⊢
Fact 24.6.6 (Implication) A, s ⊢ ˙ (s → t).

Proof Same proof as for the intuitionistic system. ■

˙ s a ⊢ A · s.
Fact 24.6.7 (Reversion) A ⊢

Proof Same proof as for the intuitionistic system. ■

Because of the contradiction rule the classical system has the distinguished prop-
erty that every proof problem can be turned into a refutation problem.

˙ s a A, ¬s ⊢
Fact 24.6.8 (Refutation) A ⊢ ˙ ⊥.

Proof Direction ⇒ follows with weakening. Direction ⇐ follows with the contradic-
tion rule. ■

While the refutation lemma tells us that classical ND can represent all infor-
mation in the context, the implication lemmas tell us that both intuitionistic and
classical ND can represent all information in the claim.

Exercise 24.6.9 Show (A ⊢ s → t → u) ⇐⇒ (A ⊢ t → s → u).

˙ s ∨ ¬s and ⊢
Exercise 24.6.10 Show ⊢ ˙ ((s → t) → s) → s.

Exercise 24.6.11 Prove the deduction laws for conjunctions and disjunctions:
˙ (s ∧ t) a A ⊢
a) A ⊢ ˙ s × A⊢
˙t
˙ (s ∨ t) a ∀u. A, s ⊢
b) A ⊢ ˙ u → A, t ⊢
˙ u → A⊢
˙u

269
24 Propositional Deduction

Exercise 24.6.12 Show that classical ND can express conjunction and disjunction
with implication and falsity. To do so, define a translation function f st not using
conjunction and prove ⊢˙ (s ∧ t → f st) and ⊢
˙ (f st → s ∧ t). Do the same for disjunc-
tion.

Exercise 24.6.13 (Double negation rule)

A classical ND system can also be obtained with a double negation rule

˙ ¬¬s → s
A⊢

in place of the contradiction rule.

a) Show that the modified system can derive the contradiction rule.
b) Show that the unmodified system can derive the double negation rule.
c) Show that the two systems are equivalent (that is, derive the same pairs (A, s)).
d) Note that weakening is not required for the equivalence proof.

Modularity with Peirce’s rule

The contradiction rule of the classical system violates the modularity principle since
it involves 2 logical constants (⊥ and →). This design flaw can be fixed by replacing
the contradiction rule with the elimination rule for ⊥ (as in the intuitionistic system)
and a rule formulating Peirce’s law (§ 17.1):

˙⊥
A⊢ ˙s
A, s → t ⊢
E⊥ Peirce
˙s
A⊢ ˙s
A⊢

Exercise 24.6.14 (Peirce’s rule)

a) Show that the system with the contradiction rule can derive Peirce’s rule:
˙ s) → (A ⊢
∀Ast. (A, s → t ⊢ ˙ s).
b) Assume Peirce’s rule (∀Ast. (A, s → t ⊢ ˙ s) → (A ⊢
˙ s)) and derive the contradic-
˙ ⊥) → (A ⊢
tion rule (∀As. (A, ¬s ⊢ ˙ s)) using explosion.
c) Model the system with Peirce’s rule as a separate inductive type familiy and show
that the system with Peirce’s rule and E⊥ can derive the same pairs (A, s) as the
system with the contradiction rule.

24.7 Glivenko’s Theorem

It turns out that a formula is classically provable if and only if its double negation
is intuitionistically provable. Thus a classical provability problem can be reduced
to an intuitionistic provability problem.

270
 24.7 Glivenko’s Theorem

˙ s → A ⊢ ¬¬s.
Lemma 24.7.1 A ⊢

Proof By induction on A ⊢ ˙ s. This yields the following proof obligations (the obli-
gations for conjunctions and disjunctions are omitted).
• s ∈ A → A ⊢ ¬¬s
• A, ¬s ⊢ ¬¬⊥ → A ⊢ ¬¬s.
• A, s ⊢ ¬¬t → A ⊢ ¬¬(s → t)
• A ⊢ ¬¬(s → t) → A ⊢ ¬¬s → A ⊢ ¬¬t
Using rule E→ of the intuitionistic system, the obligations can be strengthened to:
• ⊢ s → ¬¬s
• ⊢ (¬s → ¬¬⊥) → ¬¬s
• ⊢ (s → ¬¬t) → ¬¬(s → t)
• ⊢ ¬¬(s → t) → ¬¬s → ¬¬t.
The proofs of the strengthened obligations are routine (Exercise 24.3.3). ■

˙ s a A ⊢ ¬¬s.
Theorem 24.7.2 (Glivenko) A ⊢

Proof Direction ⇒ follows with Lemma 24.7.1. Direction ⇐ follows with translation
(24.6.5) and double negation (24.6.1). ■

˙ ¬s a A ⊢ ¬s.
Corollary 24.7.3 (Agreement on negated formulas) A ⊢

Corollary 24.7.4 (Refutation agreement)

˙ ⊥.
Intuitionistic and classical refutation agree: A ⊢ ⊥ a A ⊢

Proof Glivenko’s theorem and the bottom law 24.3.1. ■

Corollary 24.7.5 (Equiconsistency)

Intuitionistic ND is consistent if and only if classical ND is consistent:
((⊢⊥) → ⊥) ⇐⇒ ((˙ ⊢⊥) → ⊥).

Proof Immediate consequence of Corollary 24.7.4. ■

Exercise 24.7.6 We call a formula s stable if ¬¬s ⊢ s. Prove the following:

a) ⊥ is stable.
b) If t is stable, then s → t is stable.
˙ s a A ⊢ s.
c) If s is stable, then A ⊢

271
24 Propositional Deduction

24.8 Intuitionistic Hilbert System

Hilbert systems are deduction systems predating ND systems.2 They are simpler
than ND systems in that they come without assumption management. While it is
virtually impossible for humans to write proofs in Hilbert systems, one can con-
struct compilers translating derivations in ND systems into derivations in Hilbert
systems.
To ease our presentation, we restrict ourselves in this section to formulas not
containing conjunctions and disjunctions. Since implications are the primary con-
nective in Hilbert systems and conjunctions and disjunctions appear as extensions,
adding conjunctions and disjunctions will be an easy exercise.
We consider an intuitionistic Hilbert system formalized with an inductive type
constructor H : For → T and the derivation rules

H (s → t) H (s)
HMP HK
H (t) H (s → t → s)

HS H⊥
H ((s → t → u) → (s → t) → s → u) H (⊥ → s)

There are a single two-premise rule called modus ponens and three premise-free
rules called axiomatic rules. So all the action comes with modus ponens, which
puts implication into the primary position. Note that the single argument of the
type constructor H comes out as an index.
A Hilbert system internalizes the assumption list of the ND system using impli-
cation. It keeps the elimination rule for implications (now called modus ponens)
but reformulates all other rules as axiomatic rules using implication. Surprisingly,
only two rules (HK and HS ) suffice to simulate the assumption management and the
introduction rule for implication. The axiomatic rules for conjunction and disjunc-
tion follow the ND rules and the translation scheme we see in the falsity elimination
rule H⊥ and come with the following conclusions:

s →t →s∧t
s ∧ t → (s → t → u) → u
s →s∨t
t →s∨t
s ∨ t → (s → u) → (t → u) → u

2
Hilbert systems are also known as axiomatic systems. They originated with Gottlob Frege before
they were popularized by David Hilbert and coworkers.

272
 24.8 Intuitionistic Hilbert System

s∈A Aðs→t Aðs

Hð
A Hð
MP Hð
K
Aðs Aðt Aðs→t→s

Hð
S Hð
⊥
A ð (s → t → u) → (s → t) → s → u Að⊥→s

Figure 24.4: Generalized Hilbert system ð : L(For) → For → T

We will prove that H derives exactly the formulas intuitionistic ND derives in

the empty context (that is, H s a ⊢s). One direction of the proof is straightforward.

Fact 24.8.1 (Soundness for ND) H (s) → ([] ⊢ s).

Proof By induction on the derivation of H (s). The modus ponens rule can be
simulated with E→ , and the conclusions of the axiomatic rules are all easily derivable
in the intuitionistic system. ■

The other direction of the equivalence proof (completeness for ND) is challenging
since it has to internalize the assumption management of the ND system. We will
see that this can be done with the axiomatic rules HK and HS . We remark that
the conclusions of HK and HS may be seen as types for the functions λxy.x and
λf gx.(f x)(gx).
The completeness proof uses the generalized Hilbert system ð shown in Fig-
ure 24.4 as an intermediate system. Similar to the ND system, the generalized
Hilbert system maintains a context, but this time no rule modifies the context. The
assumption rule Hð A is the only rule reading the context. The context can thus be
accommodated as a uniform parameter of the type constructor ð.

Fact 24.8.2 (Agreement) H (s) ←→ [] ð s.

Proof Both directions are straightforward inductions. ■

It remains to construct a function translating ND derivations A ⊢ s into Hilbert

derivations A ð s. For this we use a simulation function for every rule of the ND
system (Figure 24.1). The simulation functions are obvious for all rules of the ND
system but for I→ .

Fact 24.8.3 (Basic simulation functions)

1. ∀As. s ∈ A → A ð s.
2. ∀Ast. (A ð s → t) → (A ð s) → (A ð t).
3. ∀As. (A ð ⊥) → (A ð s).

273
24 Propositional Deduction

Proof Functions (1) and (2) are exactly Hð ð

A and HMP . Function (3) can be obtained
ð ð
with H⊥ and HMP . ■

The translation function for I→ needs several auxiliary functions.

Fact 24.8.4 (Operational versions of K and S)
1. ∀Asu. (A ð u) → (A ð s → u).
2. ∀Astu. (A ð s → t → u) → (A ð s → t) → (A ð s → u).

Proof (1) follows with Hð ð ð ð

K and HMP . (2) follows with HS and HMP . ■

Fact 24.8.5 (Identity) ∀As. A ð s → s.

Proof Follows with the operational version of S (with s := s, t := s → s, and u := s)

using Hð
K for both premises. ■

The next fact is the heart of the translation of ND derivations into Hilbert deriva-
tions. It is well-known in the literature under the name deduction theorem.
Fact 24.8.6 (Simulation function for I→ ) ∀Ast. (A, s ð t) → (A ð s → t).

Proof By induction on the derivation A, s ð t (the context argument of ð is a uni-

form parameter).
• Hð ð
A . If s = t, the claim follows with Fact 24.8.5. If t ∈ A, the claim follows with HA
and the operational version of K (Fact 24.8.4(1)). The case distinction is possible
since equality of formulas is decidable.
• Hð
MP . Follows with the operational version of S (Fact 24.8.4(2)) and the inductive
hypotheses.
• Hð ð ð
K , HS , H⊥ . The axiomatic cases follow with the operational version of K
(Fact 24.8.4(1)) and Hð ð ð
K , HS , H⊥ , rspectively. ■

Fact 24.8.7 (Completeness for ND) (A ⊢ s) → (A ð s).

Proof By induction on the derivation of A ⊢ s using Facts 24.8.3 and 24.8.6. ■

Theorem 24.8.8 (Agreement) H (s) a ⊢s.

Proof Follows with Facts 24.8.1, 24.8.7, and 24.8.2. ■

Exercise 24.8.9 Show (A ð s) a (A ⊢ s).

Exercise 24.8.10 Extend the development of this section to formulas with conjunc-
tions and disjunctions. Add the axiomatic rules shown at the beginning of § 24.8.

Exercise 24.8.11 Define a classical Hilbert system and show its equivalence with
the classical ND system. Do this by replacing the axiomatic rule for ⊥ with an
axiomatic rule providing the double negation law ¬¬s → s.

274
 24.9 Heyting Evaluation

24.9 Heyting Evaluation

The proof techniques we have seen so far do not suffice to show negative results
about the intuitionistic ND system. By a negative result we mean a proof saying that
a certain derivation type is empty, for instance,

̸⊢ ⊥ ̸⊢ x ̸⊢ (¬¬x → x)

(we write ̸⊢ s for the proposition ([] ⊢ s) → ⊥). Speaking informally, the above
propositions say that falsity, atomic formulas, and the double negation law for
atomic formulas are not intuitionistically derivable.
A powerful technique for showing negative results is evaluation of formulas into
a finite and ordered domain of so-called truth values. Things are arranged such that
all derivable formulas evaluate under all assignments to the largest truth value.3 A
formula can then be established as underivable by presenting an assignment under
which the formula evaluates to a different truth value.
Evaluation into the boolean domain 0 < 1 is well-known and suffices to disprove
⊢ ⊥ and ⊢ x. To disprove ⊢ (¬¬x → x), we need to switch to a three-valued
domain 0 < 1 < 2. Using the order of the truth values, we interpret conjunction
as minimum and disjunction as maximum. Falsity is interpreted as the least truth
value (i.e., 0). Implication of truth values is interpreted as a comparison that in the
positive case yields the greatest truth value 2 and in the negative case yields the
second argument:

imp ab := if a ≤ b then 2 else b

Note that the given order-theoretic interpretations of the logical constants agree
with the familiar boolean interpretations for the two-valued domain 0 < 1. The
order-theoretic evaluation of formulas originated around 1930 with the work of
Arend Heyting.
We represent our domain of truth values 0 < 1 < 2 with an inductive type V and
the order of truth values with a boolean function a ≤ b. As a matter of convenience,
we write the numbers 0, 1, 2 for the value constructors of V. An assignment is a
function α : N → V. We define evaluation of formulas Eαs as follows:

E : (N → V) → For → V
Eαx := αx
Eα⊥ := 0
Eα(s → t) := if Eαs ≤ Eαt then 2 else Eαt
Eα(s ∧ t) := if Eαs ≤ Eαt then Eαs else Eαt
Eα(s ∨ t) := if Eαs ≤ Eαt then Eαt else Eαs
3
An assignment assigns a truth value to every atomic formula.

275
24 Propositional Deduction

Note that conjunction is interpreted as minimum, disjunction is interpreted as max-

imum, and implications is interpreted as described above.
We will show that all formulas derivable in the Hilbert system H defined in §24.8
evaluate under all assignments to the largest truth value 2:

∀αs. H (s) → Eαs = 2

For the proof we fix an assignment α and say that a formula s is true if Eαs = 2.
Next we verify that the conclusions of all axiomatic rules (see §24.8) are true, which
follows by case analysis on the truth values Eαs, Eαt, and Eαu. It remains to show
that modus ponens derives true formulas from true formulas, which again follows
by case analysis on the truth values Eαs and Eαt.

Fact 24.9.1 (Soundness) ∀αs. H (s) → Eαs = 2.

Proof By induction on the derivation H (s). The cases for the axiomatic rules follow
by case analysis on the truth values Eαs, Eαt, and Eαu. The case for modus
ponens follows by the inductive hypotheses and case analysis on the truth values
Eαs and Eαt. ■

Corollary 24.9.2 (Soundness) ⊢ s → Eαs = 2.

Proof Fact 24.9.1 and Theorem 24.8.8. ■

With our definitions we have the computational equalities

E(λ_.1)⊥ = 0
E(λ_.1)x = 1
E(λ_.1)(¬x) = 0
E(λ_.1)(¬¬x) = 2
E(λ_.1)(¬¬x → x) = 1

Thus, with soundness, we can now disprove ⊢ ⊥, ⊢ x, and ⊢ (¬¬x → x).

A formula s is independent in ⊢ if one can prove both (⊢ s) → ⊥ and
(⊢ ¬s) → ⊥.

Corollary 24.9.3 (Independence) x, ¬¬x → x and x ∨ ¬x are independent in ⊢.

Proof Follows with Corollary 24.9.2 and the assignment λ_.1. ■

̸ ˙ ⊥.
Corollary 24.9.4 (Consistency) ̸⊢ ⊥ and ⊢

Proof Intuitionistic consistency follows with Corollary 24.9.2 and the assignment
λ_.1. Classic consistency follows with equiconsistency (Corollary 24.7.5). ■

276
 24.9 Heyting Evaluation

Exercise 24.9.5 Show that x, ¬x, and (x → y) → x) → x are independent in ⊢.

Exercise 24.9.6 Show ¬∀s. ((⊢ (¬¬s → s)) → ⊥).

Exercise 24.9.7 Show that classical ND is not sound for the Heyting interpretation:
¬(∀αs. ⊢˙ s → Eαs = 2).

˙ x and ⊢
Exercise 24.9.8 Disprove ⊢ ˙ ¬x.

˙ (s ∨ t) a ⊢
Exercise 24.9.9 Disprove ⊢ ˙s ∨ A ⊢
˙ t.

Exercise 24.9.10 (Heyting interpretation for ND system) One can define evalua-
tion of contexts such that (A ⊢ s) → EαA ≤ Eαs and Eα[] = 2.
a) Define evaluation of contexts as specified.
b) Show EαA ≤ Eαs → A = [] → Eαs = 2.
c) Prove (A ⊢ s) → EαA ≤ Eαs by induction on A ⊢ s.
Hint: Define evaluation of contexts such that contexts may be seen as conjunctions
of formulas.

Exercise 24.9.11 (Diamond Heyting interpretation) The formulas

¬x ∨ ¬¬x
(x → y) ∨ (y → x)

evaluate in our Heyting interpretation to 2 but are unprovable intuitionistically.

They can be shown unprovable with a 4-valued diamond-ordered

⊥ < a, b < ⊤

Heyting interpretation as follows:

• x ∧ y is the infimum of x and y.
• x ∨ y is the supremum of x and y.
• x → y is the maximal z such that x ∧ z ≤ y.
a) Verify (¬a ∨ ¬¬a) = ⊥
b) Verify ((a → b) ∨ (b → a)) = ⊥.
c) Prove H (s) → Eαs = ⊤.
To know more, google Heyting algebras.

277
24 Propositional Deduction

24.10 Boolean Evaluation

We define boolean evaluation of formulas following familiar ideas:

E : (N → B) → For → B
Eαx := αx
Eα⊥ := false
Eα(s → t) := if Eαs then Eαt else true
Eα(s ∧ t) := if Eαs then Eαt else false
Eα(s ∨ t) := if Eαs then true else Eαt

We call functions α : N → B boolean assignments.

Boolean evaluation may be seen as a special Heyting evaluation with only two
truth values false < true.
We define

sat α s := (Eαs = true) α satisfies s

sat α A := ∀s ∈ A. sat αs α satisfies A
sat A := Σα. sat α A A is satisfiable

It will be convenient to use the word clause for lists of formulas. It is well
known that boolean satisfiability of clauses is decidable. There exist various prac-
tical tools for deciding boolean satisfiability. We will develop a certifying decider
˙ s)
∀A. D(sat A) for satisfiability and refine it into a certifying decider ∀As. D(A ⊢
for classical ND.

24.11 Boolean Formula Decomposition

Our decider ∀A. D(sat A) for boolean satisfiability will be based on boolean formula
decomposition. We describe boolean formula decomposition with the decompo-
sition table in Figure 24.5. One way to read the table is saying that a boolean
assignment satisfies the formula on the left if and only if it satisfies both or one of

278
 24.11 Boolean Formula Decomposition

¬⊥ nothing
s∧t s and t
¬(s ∧ t) ¬s or ¬t
s∨t s or t
¬(s ∨ t) ¬s and ¬t
s→t ¬s or t
¬(s → t) s and ¬t

Figure 24.5: Boolean decomposition table

the possibly negated subformulas on the right. Formally we have the equivalences

sat α (¬⊥) ←→ ⊤
sat α (s ∧ t) ←→ sat α s ∧ sat α t
sat α (¬(s ∧ t)) ←→ sat α (¬s) ∨ sat α (¬t)
sat α (s ∨ t) ←→ sat α s ∨ sat α t
sat α (¬(s ∨ t)) ←→ sat α (¬s) ∧ sat α (¬t)
sat α (s → t) ←→ sat α (¬s) ∨ sat α t
sat α (¬(s → t)) ←→ sat α s ∧ sat α (¬t)

for all boolean assignment α. The equivalences follow with the de Morgan laws

Eα(¬(s ∧ t)) = Eα(¬s ∨ ¬t)

Eα(¬(s ∨ t)) = Eα(¬s ∧ ¬t)

and the implication and double negation laws:

Eα(s → t) = Eα(¬s ∨ t)
Eα(¬¬s) = Eα(s)

The decomposition table suggests an algorithm that given a list of formulas re-
places decomposable formulas with smaller formulas. This way we obtain from an
initial list A one or several decomposed lists A1 , . . . , An containing only formulas of
the forms

x, ¬x, ⊥

such that an assignment satisfies the initial list A if and only if it satisfies one of the
decomposed lists A1 , . . . , An . We may get more than one decomposed list since the

279
24 Propositional Deduction

decomposition rules for ¬(s ∧ t), s ∨ t and s → t are branching (see Figure 24.5). For
a decomposed list, we can either construct an assignment satisfying all its formulas,
or prove that no such satisfying assignment exists. Put together, this will give us a
certifying decider ∀A. D(sat A).
We are now facing the challenge to give a formal account of boolean formula
decomposition. We do this with two derivation systems σ (A) and ρ(A) for clauses
shown in Figures 24.6 and 24.7. Like the derivation systems we have seen before,
σ (A) and ρ(A) can be formalized as inductive type families L(For) → T. We will
see that σ derives all satisfiable clauses and ρ derives all unsatisfiable clauses. We
define the application conditions for the terminal rules as follows:
• solved A := ∀s ∈ A. Σx. (s = x ∧ ¬x ∉ A) + (s = (¬x) ∧ x ∉ A)
Every formula in A is either a variable or a negated variable and there is no
clash x ∈ A ∧ ¬x ∈ A.
• clashed A := ⊥ ∈ A + Σs. s ∈ A ∧ (¬s) ∈ A
A contains either ⊥ or a clash s ∈ A ∧ ¬s ∈ A.

Fact 24.11.1 (Solved and clashed clauses)

Solved clauses are satisfiable, and clashed clauses are unsatisfiable and refutable:
1. solved A → sat A
2. clashed A → sat A → ⊥
˙ ⊥)
3. clashed A → (A ⊢

Proof Straightforward. Exercise. ■

Except for the terminal rule and the second so-called rotation rule, the derivation
rules of both systems correspond to the decomposition schemes in Figure 24.5. The
relationship with the decomposition rules becomes clear if one reads the derivation
rules backwards from the conclusion to the premises. If a scheme decomposes
with an “or”, this translates for σ to two rules and for ρ to one rule with two
premises. The rotation rule (second rule in both systems) makes it possible to move
a decomposable formula into head position, as required by the decomposition rules.
The informal design rational for the rules of ρ is as follows: An assignment
satisfies the conclusion of the rule if and only if it satisfies one premise of the rule.

Fact 24.11.2 (Boolean soundness)

σ A → sat A.

Proof By induction on the derivation of σ A exploiting that solved clauses are sat-
isfiable, and that for every recursive rule assignments satisfying the premise satisfy
the conclusion. ■

280
 24.11 Boolean Formula Decomposition

solved A σ (A +
+[s]) σ (A)
σ (A) σ (s :: A) σ (¬⊥ :: A)

σ (s :: t :: A) σ (¬s :: A) σ (¬t :: A)
σ (s ∧ t :: A) σ (¬(s ∧ t) :: A) σ (¬(s ∧ t) :: A)

σ (s :: A) σ (t :: A) σ (¬s :: ¬t :: A)
σ (s ∨ t :: A) σ (s ∨ t :: A) σ (¬(s ∨ t) :: A)

σ (¬s :: A) σ (t :: A) σ (s :: ¬t :: A)
σ (s → t :: A) σ (s → t :: A) σ (¬(s → t) :: A)

Figure 24.6: Corefutation system σ (A)

clashed A ρ(A +
+[s]) ρ(A)
ρ(A) ρ(s :: A) ρ(¬⊥ :: A)

ρ(s :: t :: A) ρ(¬s :: A) ρ(¬t :: A)

ρ(s ∧ t :: A) ρ(¬(s ∧ t) :: A)

ρ(s :: A) ρ(t :: A) ρ(¬s :: ¬t :: A)

ρ(s ∨ t :: A) ρ(¬(s ∨ t) :: A)

ρ(¬s :: A) ρ(t :: A) ρ(s :: ¬t :: A)

ρ(s → t :: A) ρ(¬(s → t) :: A)

Figure 24.7: Refutation system ρ(A)

281
24 Propositional Deduction

Fact 24.11.3 (Boolean soundness)

ρA → sat A → ⊥.

Proof By induction on the derivation of ρA. As a representative example, we con-

sider the proof obligation for the positive implication rule:

(sat(¬s :: A) → ⊥) → (sat(t :: A) → ⊥) → sat((s → t) :: A) → ⊥

By assumption we have an assignment α satisfying A and s → t. Thus α satisfies

either ¬s or t. Hence α satisfies either ¬s :: A or t :: A. Both cases are contradictory
with the assumptions. ■

We now observe that ρ is also sound for ND refutation.

Fact 24.11.4 (ND soundness)

ρA → (A ⊢˙ ⊥).

Proof By induction on the derivation of ρA. As a representative example, we con-

sider the proof obligation for the positive implication rule:

˙ ⊥) → (t :: A ⊢
(¬s :: A ⊢ ˙ ⊥) → (s → t :: A ⊢
˙ ⊥)

˙ ¬¬s → ¬t → ¬(s → t),

By the implication lemma (Fact 24.5.2). it suffices to show ⊢
which is routine. ■

Exercise 24.11.5 Define the derivation systems σ and ρ as inductive type families
and say whether the arguments are parameters or an indices.

Exercise 24.11.6 Verify the proof of ND soundness (Lemma 24.11.4) in detail. The
proof is modular in that there is a separate proof obligation for every rule of the
refutation systems (Figure 24.7). The obligation for the rotation rule

(A +
+[s] ⊢ ⊥) → (s :: A ⊢ ⊥)

follows with weakening, and the obligations for the terminal rules are obvious.
The obligations for the decomposition rules follow with the implication lemma
(Fact 24.5.2) and the derivability of the ND judgments from Exercise 24.5.8.

24.12 Certifying Boolean Solvers

We now construct a certifying solver ∀A. σ (A) + ρ(A). Given the soundness
theorems for σ and ρ, this solver yields certifying solvers ∀A. D(sat A) and
∀A. sat A+(A ⊢ ˙ ⊥). The main issue in constructing the basic solver ∀A. σ (A)+ρ(A)
is finding a terminating strategy for formula decomposition.

282
 24.12 Certifying Boolean Solvers

We start with a presolver ∀A. decomposable(A) + solved(A) + clashed(A) that

given a clause A either exhibits a decomposable formula in A or established A as
solved or clashed. A formula is decomposable if it has the form s ∧ t, ¬(s ∧ t),
s ∨ t, ¬(s ∨ t), s → t with t ≠ ⊥, or ¬(s → t). A clause is decomposable if it
contains a decomposable formula:

decomposable(A) := ΣBsC. A = B +
+ s :: C ∧ decomposable(s)

Lemma 24.12.1 (Presolver)

∀A. decomposable(A) + solved(A) + clashed(A).

Proof By induction on A. Straightforward. ■

To establish the termination of our decomposition strategy, we employ a size

function
γ : L(For) → N

counting the constructors in the formulas in the list but omitting top-level nega-
tions. For instance,

γ [(x → ¬x), ¬(¬x ∧ x), ¬x] = 11

Note that ¬x counts 1 if appearing at the top level, but 3 if not appearing at the top
level (since ¬x abbreviates x → ⊥). We observe that every scheme in the decompo-
sition table (Figure 24.5) reduces the size of a clause as obtained with γ.
Next we obtain a certifying function rotating a given formula in a clause to the
front of the clause such that derivability with σ and τ is propagated and the size
of the clause is preserved.

Lemma 24.12.2 (Rotator)

∀AsB. Σ C. (σ (s :: C) → σ (A +
+ s :: B)) ×
(ρ(s :: C) → ρ(A ++ s :: B)) ×
(γ(s :: C) = γ(A ++ s :: B)).

Proof By induction on A using the rotation rules of σ and ρ. ■

Lemma 24.12.3 (Basic certifying solver)

∀A. σ (A) + ρ(A).

Proof By size induction on A. We first apply the presolver to A. If the presolver

yields the claim using the terminal rules, we are done. Otherwise, we use the rotator
to move the decomposable formula found by the presolver into head position. We
now recurse following the unique decomposition scheme applying. ■

We now come to the theorem we were aiming at in this and the previous section.

283
24 Propositional Deduction

Theorem 24.12.4 (ND solver) ˙ ⊥).

∀A. sat A + (A ⊢

Proof Lemma 24.12.3 and soundness theorems. ■

Exercise 24.12.5 (Decidability of satisfiability)

Prove the following facts.
a) ∀A. σ (A) a sat(A)
b) ∀A. ρ(A) a (sat(A) → ⊥)
c) ∀A. D(σ (A))
d) ∀A. D(ρ(A))
e) ∀A. D(sat(A)).

Exercise 24.12.6 From our development it is clear that a solver ∀A. sat A + (A ⊢ ˙ ⊥)
can be constructed without making the derivation systems σ and ρ and the accom-
panying soundness lemmas explicit. Try to rewrite the existing Coq development
accordingly. This will lead to a shorter (as it comes to lines of code) but less trans-
parent proof.

24.13 Boolean Entailment

We define boolean entailment as follows:

A î̇ s := ∀α. sat αA → sat αs

Boolean entailment describes the boolean consequence relation commonly used in

mathematics. We will show that classical ND agrees with boolean entailment.

Fact 24.13.1 (ND soundness) ˙ s) → (A î̇ s).

(A ⊢

˙ s.
Proof By induction on the derivation A ⊢ ■

Fact 24.13.2 (ND completeness) ˙ s).

(A î̇ s) → (A ⊢

Proof We assume A î̇ s. Using the ND solver (Theorem 24.12.4), we have

˙ ⊥). If ¬s :: A ⊢
sat(¬s :: A) + (¬s :: A ⊢ ˙ ⊥, the claim follows with the contradiction
rule. If sat(¬s :: A), we have a contradiction with A î̇ s. ■

˙ s agree.
Corollary 24.13.3 Boolean entailment A î̇ s and classical ND A ⊢

Note that the proofs of the two directions of the agreement (A ⊢ ˙ s) a (A î̇ s)

are independent, and that only the completeness direction requires the ND solver.
Next we observe that boolean entailment reduces to unsatisfiability.

284
 24.14 Cumulative Refutation System

Fact 24.13.4 (Reduction to unsatisfiability)

(A î̇ s) a (sat(¬s :: A) → ⊥).

Proof Direction → is easy. For the other direction we assume sat(¬s :: A) → ⊥ and
sat αA and show Eαs = true. We now assume Eαs = false and obtain a contradic-
tion from our assumptions since Eα(¬s) = true. ■

˙ s).
Fact 24.13.5 (ND decidability) ∀As. D(A ⊢

Proof With the ND solver (Theorem 24.12.4) we obtain sat(¬s :: A) + (¬s :: A ⊢˙ ⊥).
˙ ⊥, we have A ⊢
If ¬s :: A ⊢ ˙ s by the contradiction rule. Otherwise, we assume
˙ s and obtain a contradiction with soundness (Fact 24.13.1) and
sat(¬s :: A) and A ⊢
Fact 24.13.4. ■

Exercise 24.13.6 Note that the results in this section did not use results from the
previous two sections except for the ND solver (Theorem 24.12.4). Prove the follow-
ing facts using the results from this section and possibly the ND solver.
a) ∀As. D(A î̇ s)
b) ∀A. D(sat A)
˙ ⊥) → ⊥)
c) ∀A. sat A a ((A ⊢

Exercise 24.13.7 Give a consistency proof for classical ND that does not make use
of intuitionistic ND.

˙.
Exercise 24.13.8 Show that x and ¬x are independent in ⊢

˙.
Exercise 24.13.9 Show that ¬¬¬x is independent in ⊢

˙ (s ∨ t) → ( ⊢
Exercise 24.13.10 Show (∀st. ⊢ ˙ s) ∨ ( ⊢
˙ t)) → ⊥.

24.14 Cumulative Refutation System

Refutation systems based on formula decomposition exist in many variations in the

literature, where they often appear under the names tableaux systems and Gentzen
systems. They also exist for intuitionistic provability and modal logic. See Troel-
stra’s and Schwichtenberg’s textbook [28] to know more.
Figure 24.8 shows a refutation system γ modifying our refutation system ρ so
that the formula to be decomposed can be at any position of the list and is not
deleted when it is decomposed. Hence no rotation rule is needed.
We speak of the cumulative refutation system. When realized with an inductive
type family, the argument A of the type constructor γ comes out as a nonuniform

285
24 Propositional Deduction

⊥∈A s∈A ¬s ∈ A
γ(A) γ(A)

(s ∧ t) ∈ A γ(s :: t :: A) ¬(s ∧ t) ∈ A γ(¬s :: A) γ(¬t :: A)

γ(A) γ(A)

(s ∨ t) ∈ A γ(s :: A) γ(t :: A) ¬(s ∨ t) ∈ A γ(¬s :: ¬t :: A)

γ(A) γ(A)

(s → t) ∈ A γ(¬s :: A) γ(t :: A) ¬(s → t) ∈ A γ(s :: ¬t :: A)

γ(A) γ(A)

Figure 24.8: Cumulative refutation system

parameter. So, in contrast to the derivation systems we considered before, the

inductive type family γ(A) has no index argument and thus belongs to the BNF
class of inductive types.

Fact 24.14.1 (Boolean soundness)

γ(A) → ∃s ∈ A. Eαs = false.

Proof By induction on the derivation γ(A). Similar to the proof of Fact 24.11.3. ■

Fact 24.14.2 (Weakening)

γ(A) → A ⊆ B → γ(B).

Proof By induction on γ(A) with B quantified. ■

Fact 24.14.3 (Completeness)

ρ(A) → γ(A).

Proof Straightforward using weakening. ■

Fact 24.14.4 (Agreement)

ρ(A) a γ(A).

Proof Completeness (Fact 24.14.3), certifying boolean solver for ρ (Theo-

rem 24.12.3), and boolean soundness (Fact 24.14.1). ■

The rules of the cumulative refutation system yield a method for refuting formu-
las working well with pen and paper. We demonstrate the method at the example
of the unsatisfiable formula ¬(((s → t) → s) → s).

286
 24.15 Substitution

¬(((s → t) → s) → s) negated implication

(s → t) → s positive implication
¬s
1 ¬(s → t) negative implication
s clash with ¬s
¬t
2 s clash with ¬s

Exercise 24.14.5 Refute the negations of the following formulas with the cumula-
tive refutation system writing a table as in the example above.

a) s ∨ ¬s e) ⊢ (t → ¬s) → ¬(s ∧ t)
b) s → ¬¬s f) ⊢ ¬¬s → ¬¬t → ¬¬(s ∧ t)
c) ⊢ ¬¬s → ¬t → ¬(s → t) g) ⊢ ¬s → ¬t → ¬(s ∨ t)
d) ⊢ (¬t → ¬s) → ¬¬(s → t) h) ⊢ (¬t → ¬¬s) → ¬¬(s ∨ t)
Exercise 24.14.6 (Saturated lists) A list A is saturated if the decomposition rules
of the cumulative refutation system do not add new formulas:
1. If (s ∧ t) ∈ A, then s ∈ A and t ∈ A.
2. If ¬(s ∧ t) ∈ A, then ¬s ∈ A or ¬t ∈ A.
3. If (s ∨ t) ∈ A, then s ∈ A or t ∈ A.
4. If ¬(s ∨ t) ∈ A, then ¬s ∈ A and ¬t ∈ A.
5. If (s → t) ∈ A, then ¬s ∈ A or t ∈ A.
6. If ¬(s → t) ∈ A, then s ∈ A and ¬t ∈ A.
Prove that an assignment α satisfies a saturated list A not containing ⊥ if it satisfies
all atomic formulas (x and ¬x) in A.
Hint: Prove

∀s. (s ∈ A → Eαs = true) ∧ (¬s ∈ A → Eα(¬s) = true)

by induction on s.

24.15 Substitution

In the deduction systems we consider in this chapter, atomic formulas act as vari-
ables for formulas. We will now show that derivability of formulas is preserved if
one instantiates atomic formulas. To ease our language, we call atomic formulas
propositional variables in this section.
A substitution is a function θ : N → For mapping every number to a formula.
Recall that propositional variables are represented as numbers. We define applica-
tion of substitutions to formulas and lists of formulas such that every variable is

287
24 Propositional Deduction

replaced by the term provided by the substitution:

θ·x := θx
θ·⊥ := ⊥
θ·(s → t) := θ·s → θ·t
θ·(s ∧ t) := θ·s ∧ θ·t
θ·(s ∨ t) := θ·s ∨ θ·t

θ·[] := []
θ·(s :: A) := θ·s :: θ·A

We will write θs and θA for θ·s and θ·A.

We show that intuitionistic and classical ND provability are preserved under ap-
plication of substitutions. This says that atomic formulas may serve as variables
for formulas.

Fact 24.15.1 s ∈ A → θs ∈ θA.

Proof By induction on A. ■

˙ s → θA ⊢
Fact 24.15.2 (Substitutivity) A ⊢ s → θA ⊢ θs and A ⊢ ˙ θs.

˙ s using Fact 24.15.1 for the assumption rule.■

Proof By induction on A ⊢ s and A ⊢

Exercise 24.15.3 Prove that substitution preserves derivability in the intuitionistic

Hilbert system H . Note that the proof obligation for the axiomatic rules all follow
with the same technique. Now use the equivalence with the ND system and Glivenko
to show substitutivity for the other three systems.

24.16 Entailment Relations

An entailment relation is a predicate4

ð: L(For) → For → P

satisfying the properties listed in Figure 24.9. Note that the first five requirements
don’t make any assumptions on formulas; they are called structural requirements.
Each of the remaining requirements concerns a particular form of formulas: Vari-
ables, falsity, implication, conjunction, and disjunction.

4
We are reusing the turnstile ð previously used for Hilbert systems.

288
 24.16 Entailment Relations

1. Assumption: s ∈ A → A ð s.
2. Cut: A ð s → A, s ð t → A ð t.
3. Weakening: A ð s → A ⊆ B → B ð s.
4. Consistency: ∃s. ̸ð s.
5. Substitutivity: A ð s → θA ð θs.
6. Explosion: A ð ⊥ → A ð s.
7. Implication: A ð (s → t) ←→ A, s ð t.
8. Conjunction: A ð (s ∧ t) ←→ A ð s ∧ A ð t.
9. Disjunction: A ð (s ∨ t) ←→ ∀u. A, s ð u → A, t ð u → A ð u.

Figure 24.9: Requirements for entailment relations

˙ s) are
Fact 24.16.1 Intuitionistic provability (A ⊢ s) and classical provability (A ⊢
entailment relations.

Proof Follows with the results shown so far. ■

Fact 24.16.2 Boolean entailment A î̇ s is an entailment relation.

Proof Follows with Fact 24.16.1 since boolean entailment agrees with classical ND
(Fact 24.13.3). ■

It turns out that every entailment relation is sandwiched between intuitionistic

provability at the bottom and classic provability at the top. Let ð be an entailment
relation in the following.

Fact 24.16.3 (Modus Ponens) A ð (s → t) → A ð s → A ð t.

Proof By implication and cut. ■

Fact 24.16.4 (Least entailment relation)

Intuitionistic provability is a least entailment relation: A ⊢ s → A ð s.

Proof By induction on A ⊢ s using modus ponens. ■

Fact 24.16.5 ð s → ð ¬s → ⊥.

Proof Let ð s and ð ¬s. By Fact 24.16.3 we have ð ⊥. By consistency and explosion
we obtain a contradiction. ■

Fact 24.16.6 (Reversion) A ð s ←→ ð A · s.

Proof By induction on A using implication. ■

289
24 Propositional Deduction

We now come to the key lemma for showing that abstract entailment implies
boolean entailment. The lemma was conceived by Tobias Tebbi in 2015. We define a
conversion function that given a boolean assignment α : N → B yields a substitution
as follows: α̂n := if αn then ¬⊥ else ⊥.

Lemma 24.16.7 (Tebbi) if Eαs then ð α̂s else ð ¬α̂s.

Proof Induction on s using Fact 24.16.3 and assumption, weakening, explosion, and
implication. ■

Note that we have formulated the lemma with a conditional. While this style of
formulation is uncommon in mathematics, it is compact and convenient in a type
theory with computational equality.

Lemma 24.16.8 ð s → î̇ s.

Proof Let ð s. We assume Eαs = false and derive a contradiction. By Tebbi’s

Lemma we have ð ¬α̂s. By substitutivity we obtain ð α̂s from the primary assump-
tion. Contradiction by Fact 24.16.5. ■

Fact 24.16.9 (Greatest entailment relation)

Boolean entailment is a greatest entailment relation: A ð s → A î̇ s.

Proof Follows with reversion (Facts 24.16.6 and 24.16.2) and Lemma 24.16.8. ■

˙.
Theorem 24.16.10 (Sandwich) Every entailment relation ð satisfies ⊢ ⊆ ð ⊆ ⊢

Proof Facts 24.16.4, 24.16.9, and 24.13.3. ■

Exercise 24.16.11 Let ð be an entailment relation. Prove the following:

a) ∀s. ground s → ( ð s) + ( ð ¬s).
b) ∀s. ground s → dec(ð s).

Exercise 24.16.12 Tebbi’s lemma provides for a particularly elegant proof of

Lemma 24.16.8. Verify that Lemma 24.16.8 can also be obtained from the facts
(1) ⊢ α̂s ∨ ⊢ ¬α̂s and (2) î̇ α̂s → Eαs = true using Facts 24.16.4 and 24.16.5.

24.17 Notes

The study of natural deduction originated in the 1930’s with the work of Gerhard
Gentzen [14, 15] and Stanisław Jaśkowski [19]. The standard text on natural deduc-
tion and proof theory is Troelstra and Schwichtenberg [28].

290
 24.17 Notes

Decidability of intuitionistic ND One can show that intuitionistic ND is decidable.

This can be done with a formula decomposition method devised by Gentzen in the
1930s. First one shows that intuitionistic ND is equivalent to a proof system called
sequent calculus that has the subformula property. Then one shows that sequent
calculus is decidable, which is feasible since it has the subformula property.

Kripke structures and Heyting structures One can construct evaluation-based

entailment relations that coincide with intuitionistic ND using either finite Heyting
structures or finite Kripke structures. In contrast to classical ND, where a single two-
valued boolean structure invalidates all classically unprovable formulas, one needs
either infinitely many finite Heyting structures or infinitely many finite Kripke struc-
tures to invalidate all intuitionistically unprovable formulas. Heyting structures are
usually presented as Heyting algebras and were invented by Arend Heyting around
1930. Kripke structures were invented by Saul Kripke in the late 1950’s.

Intuitionistic Independence of logical constants In the classical systems, falsity

and implication can express conjunction and disjunction. On the other hand, one
can prove using Heyting structures that in intuitionistic systems the logical con-
stants are independent.

Certifying Functions The construction of the certifying solvers and their auxil-
iary functions in this chapter are convincing examples for the efficiency and power
of certifying functions. Imagine you would have to carry out these constructions
in a functional programming language with simply typed functions defined with
equations based on informal specifications.

291
25 Boolean Satisfiability
We study satisfiability of boolean formulas by constructing and verifying a DNF
solver and a tableau system. The solver translates boolean formulas to equivalent
clausal DNFs and thereby decides satisfiability. The tableau system provides a proof
system for unsatisfiability and bridges the gap between natural deduction and satis-
fiability. Based on the tableau system one can prove completeness and decidability
of propositional natural deduction.
The development presented here works for any choice of boolean connectives.
The independence from particular connectives is obtained by representing conjunc-
tions and disjunctions with lists and negations with signs.
The (formal) proofs of the development are instructive in that they showcast
the interplay between evaluation of boolean expressions, nontrivial functions, and
indexed inductive type families (the tableau system).

25.1 Boolean Operations

We will work with the boolean operations conjunction, disjunction, and negation,
which we obtain as inductive functions B → B → B and B → B:

true & b := b true | b := true ! true := false

false & b := false false | b := b ! false := true

With these definitions, boolean identities like

a&b=b&a a|b=b|a !!b = b

have straightforward proofs by boolean case analysis and computational equality.

Recall that boolean conjunction and disjunction are commutative and associative.
An important notion for our development is disjunctive normal form (DNF). The
idea behind DNF is that conjunctions are below disjunctions, and that negations are
below conjunctions. Negations can be pushed downwards with the negation laws

!(a & b) = ! a | ! b !(a | b) = ! a & ! b !!a = a

and conjunctions can be pushed below disjunctions with the distribution law

a & (b | c) = (a & b) | (a & b)

293
25 Boolean Satisfiability

Besides the defining equations, we will also make use of the negation law

b ∧ ! b = false

to eliminate conjunctions.
There are the reflection laws

a & b = true ←→ a = true ∧ b = true

a | b = true ←→ a = true ∨ b = true
! a = true ←→ ¬(a = true)

which offer the possibility to replace boolean operations with logical connectives.
As it comes to proofs, this is usually not a good idea since the computation rules
coming with the boolean operations are lost. The exception is the reflection rule
for conjunctions, which offers the possibility to replace the argument terms of a
conjunction with true.

25.2 Boolean Formulas

Our main interest will be in boolean formulas, which are syntactic representations
of boolean terms. We will consider the boolean formulas

s, t, u : For ::= x | ⊥ | s → t | s ∧ t | s ∨ t (x : N)

realized with an inductive data type For representing each syntactic form with a
value constructor. Variables x are represented as numbers. We will refer to formu-
las also as boolean expressions.
Our development would work with any choice of boolean connectives for formu-
las. We have made the unusual design decision to have boolean implication as an
explicit connective. On the other hand, we have omitted truth ⊤ and negation ¬,
which we accommodate at the meta level with the notations

⊤ := ⊥ → ⊥ ¬s := s → ⊥

Given an assignment α : N → B, we can evaluate every formula to a boolean

value. We formalize evaluation of formulas with the evaluation function shown
in Figure 25.1. Note that every function Eα translates boolean formulas (object
level) to boolean terms (meta level). Also note that implications are expressed with
negation and disjunction.
We define the notation

αsats := Eαs = true

294
 25.2 Boolean Formulas

Eαx := αx
Eα⊥ := false
Eα(s → t) := ! Eαs | Eαt
Eα(s ∧ t) := Eαs & Eαt
Eα(s ∨ t) := Eαs | Eαt

Figure 25.1: Definition of the evaluation function E : (N → B) → For → B

and say that α satisfies s, or that α solves s, or that α is a solution of s. We say

that a formula s is satisfiable and write sat s if s has a solution. Finally, we say that
two formulas are equivalent if they have the same solutions.
As it comes to proofs, it will be important to keep in mind that the notation αsats
abbreviates the boolean equation Eαs = true. Reasoning with boolean equations
will be the main workhorse in our proofs.

Exercise 25.2.1 Prove that s → t and ¬s ∨ t are equivalent.

Exercise 25.2.2 Convince yourself that the predicate αsats is decidable.

Exercise 25.2.3 Verify the following reflection laws for formulas:

αsat(s ∧ t) ←→ αsats ∧ αsatt

αsat(s ∨ t) ←→ αsats ∨ αsatt
αsat¬s ←→ ¬(αsats)

Exercise 25.2.4 (Compiler to implicative fragment) Write and verify a compiler

For → For translating formulas into equivalent formulas not containing conjunc-
tions and disjunctions.

Exercise 25.2.5 (Equation compiler) Write and verify a compiler

γ : L(For × For) → For

translating lists of equations into equivalent formulas:

∀α. αsatγA ←→ ∀(s, t) ∈ A. Eαs = Eαt

Exercise 25.2.6 (Valid formulas) We say that a formula is valid if it is satisfied by

all assignments: val s := ∀α. αsats. Verify the following reductions.
a) s is valid iff ¬s is unsatisfiable: ∀s. val s ←→ ¬sat(¬s).

295
25 Boolean Satisfiability

b) ∀s. stable(sat s) → (sat s ←→ ¬val(¬s)).

Exercise 25.2.7 Write an evaluator f : (N → B) → For → P such that f αs ←→ αsats

and f α(s ∨ t) ≈ f αs ∨ f αt for all formulas s, t.
Hint: Recall the reflection laws from §25.1.

25.3 Clausal DNFs

We are working towards a decider for satisfiability of boolean formulas. The decider
will compute a DNF (disjunctive normal form) for the given formula and exploit
that from the DNF it is clear whether the formula is decidable. Informally, a DNF
is either the formula ⊥ or a disjunction s1 ∨ · · · ∨ sn of solved formulas si , where
a solved formula is a conjunction of variables and negated variables such that no
variable appears both negated and unnegated. One can show that every formula is
equivalent to a DNF. Since every solved formula is satisfiable, a DNF is satisfiable if
and only if it is different from ⊥.
There may be many different DNFs for satisfiable formulas. For instance, the
DNFs x ∨¬x and y ∨¬y are equivalent since they are satisfied by every assignment.
Formulas by themselves are not a good data structure for computing DNFs of
formulas. We will work with lists of signed formulas we call clauses:

S, T : SFor ::= s + | s − signed formula

C, D : Cla := L(SFor) clause

Clauses represent conjunctions. We define evaluation of signed formulas and

clauses as follows:

Eα(s + ) := Eαs Eα [] := true

Eα(s − ) := ! Eαs Eα(S :: C) := EαS & EαC

Note that the empty clause represents the boolean true. We also consider lists of
clauses

∆ : L(Cla)

and interpret them disjunctively:

Eα [] := false
Eα (C :: ∆) := EαC | Eα∆

Satisfaction of signed formulas, clauses, and lists of clauses is defined analogously

to formulas, and so are the notations αsatS, αsatC, αsat∆, and sat C. Since for-
mulas, signed formulas, clauses, and lists of clauses all come with the notion of

296
 25.4 DNF Solver

satisfying assignments, we can speak about equivalence between these objects al-
though they belong to different types. For instance, s, s + , [s + ], and [[s + ]], are all
equivalent since they are satisfied by the same assignments.
A solved clause is a clause consisting of signed variables (i.e., x + and x − ) such
that no variable appears positively and negatively. Note that a solved clause C is
satisfied by every assignment that maps the positive variables in C to true and the
negative variables in C to false.

Fact 25.3.1 Solved clauses are satisfiable. More specifically, a solved clause C is
satisfied by the assignment λx. [x + ∈ C\.

A clausal DNF is a list of solved clauses.

Corollary 25.3.2 A clausal DNF is satisfiable if and only if it is nonempty.

+ ∆′ ) = Eα∆ | Eα∆′ .
+ D) = EαC & EαD and Eα(∆ +
Exercise 25.3.3 Prove Eα(C +

Exercise 25.3.4 Write a function that maps lists of clauses to equivalent formulas.

Exercise 25.3.5 Our formal proof of Fact 25.3.1 is unexpectedly tedious in that it
requires two inductive lemmas:
1. αsatC ←→ ∀S ∈ C. αsatS.
2. solved C → S ∈ C → ∃x. (S = x + ∧ x − ∉ C) ∨ (S = x − ∧ x + ∉ C).
The formal development captures solved clauses with an inductive predicate. This
is convenient for most purposes but doesn’t provide for a convenient proof of
Fact 25.3.1. Can you do better?

25.4 DNF Solver

We would like to construct a function computing clausal DNFs for formulas. For-
mally, we specify the function with the informative type

∀s Σ ∆. DNF ∆ ∧ s ≡ ∆

where

s ≡ ∆ := ∀α. αsats ←→ αsat∆

DNF ∆ := ∀C ∈ ∆. solved C

To define the function, we will generalize the type to

∀CD. solved C → Σ ∆. DNF ∆ ∧ C +

+D ≡ ∆

297
25 Boolean Satisfiability

dnf C [] = [C]
dnf C (x + :: D) = if [x − ∈ C\ then [] else dnf (x + :: C) D
dnf C (x − :: D) = if [x + ∈ C\ then [] else dnf (x − :: C) D
dnf C (⊥+ :: D) = []
dnf C (⊥− :: D) = dnf C D
dnf C ((s → t)+ :: D) = dnf C (s − :: D) +
+ dnf C (t + :: D)
dnf C ((s → t)− :: D) = dnf C (s + :: t − :: D)
dnf C ((s ∧ t)+ :: D) = dnf C (s + :: t + :: D)
dnf C ((s ∧ t)− :: D) = dnf C (s − :: D) +
+ dnf C (t − :: D)
dnf C ((s ∨ t)+ :: D) = dnf C (s + :: D) +
+ dnf C (t + :: D)
dnf C ((s ∨ t)− :: D) = dnf C (s − :: t − :: D)

Figure 25.2: Specification of a procedure dnf : Cla → Cla → L(Cla)

where C ≡ ∆ := ∀α. αsatC ←→ αsat∆. To compute a clausal DNF of a formula s,

we will apply the function with C = [] and D = [s + ].
We base the definition of the function on a purely computational procedure

dnf : Cla → Cla → L(Cla)

specified with equations in Figure 25.2. We refer to the first argument C of the
procedure as accumulator, and to the second argument as agenda. The agenda
holds the signed formulas still to be processed, and the accumulator collects signed
variables taken from the agenda. The procedure processes the formulas on the
agenda one by one decreasing the size of the agenda with every recursion step. We
define the size of clauses and formulas as follows:

σ [] := 0 σ x := 1
+
σ (s :: C) := σ s + σ C σ ⊥ := 1
σ (s − :: C) := σ s + σ C σ (s ◦ t) := 1 + σ s + σ t

Note that the equations specifying the procedure in Figure 25.2 are clear from the
correctness properties stated for the procedure, the design that the first formula on
the agenda controls the recursion, and the boolean identities given in §25.1.
Lemma 25.4.1 ∀CD. solved C → Σ ∆. DNF ∆ ∧ C +
+ D ≡ ∆.

Proof By size induction on σ D with C quantified in the inductive hypothesis aug-

menting the design of the procedure dnf with the necessary proofs. Each of the 13
cases is straightforward. ■

298
 25.5 DNF Recursion

Theorem 25.4.2 (DNF solver) ∀C Σ ∆. DNF ∆ ∧ C ≡ ∆.

Proof Immediate from Lemma 25.4.1. ■

Corollary 25.4.3 ∀s Σ ∆. DNF ∆ ∧ s ≡ ∆.

Corollary 25.4.4 There is a solver ∀C. (Σα. αsatC) + ¬sat C.

Corollary 25.4.5 There is a solver ∀s. (Σα. αsats) + ¬sat s.

Corollary 25.4.6 Satisfiability of clauses and formulas is decidable.

Exercise 25.4.7 Convince yourself that the predicate S ∈ C is decidable.

Exercise 25.4.8 Rewrite the equations specifying the DNF procedure so that you
obtain a boolean decider D : Cla → Cla → B for satisfiability of clauses. Give an in-
formative type subsuming the procedure and specifying the correctness properties
for a boolean decider for satisfiability of clauses.

Exercise 25.4.9 Recall the definition of valid formulas from Exercise 25.2.6. Prove
the following:
a) Validity of formulas is decidable.
b) A formula is satisfiable if and only if its negation is not valid.
c) ∀s. val s + (Σα. Eαs = false).

Exercise 25.4.10 If you are already familiar with well-founded recursion in compu-
tational type theory (Chapter 30), define a function Cla → Cla → L(Cla) satisfying
the equations specifying the procedure dnf in Figure 25.2.

25.5 DNF Recursion

From the equations for the DNF procedure (Figure 25.2) and the construction of the
basic DNF solver (Lemma 25.4.1) one can abstract out the recursion scheme shown
in Figure 25.3. We refer to this recursion scheme as DNF recursion. DNF recursion
has one clause for every equation of the DNF procedure in Figure 25.2 where the
recursive calls appear as inductive hypotheses. DNF recursion simplifies the proof
of Lemma 25.4.1. However, DNF recursion can also be used for other constructions
(our main example is a completeness lemma (25.6.5) for a tableau system) given
that it is formulated with an abstract type function p. Note that DNF recursion
encapsulates the use of size induction on the agenda, the set-up and justification
of the case analysis, and the propagation of the precondition solved C. We remark
that all clauses can be equipped with the precondition, but for our applications the
precondition is only needed in the clause for the empty agenda.

299
25 Boolean Satisfiability

∀p Cla→Cla→T
(∀C. solved C → pC[]) →
(∀CD. x − ∈ C → pC(x + :: D)) →
(∀CD. x − ∉ C → p(x + :: C)D → pC(x + :: D)) →
(∀CD. x + ∈ C → pC(x − :: D)) →
(∀CD. x + ∉ C → p(x − :: C)D → pC(x − :: D)) →
(∀CD. pC(⊥+ :: D)) →
(∀CD. pCD → pC(⊥− :: D)) →
(∀CD. pC(s − :: D) → pC(t + :: D) → pC((s → t)+ :: D)) →
(∀CD. pC(s + :: t − :: D) → pC((s → t)− :: D)) →
(∀CD. pC(s + :: t + :: D) → pC((s ∧ t)+ :: D)) →
(∀CD. pC(s − :: D) → pC(t − :: D) → pC((s ∧ t)− :: D)) →
(∀CD. pC(s + :: D) → pC(t + :: D) → pC((s ∨ t)+ :: D)) →
(∀CD. pC(s − :: t − :: D) → pC((s ∨ t)− :: D)) →
∀CD. solved C → pCD

Figure 25.3: DNF recursion scheme

Lemma 25.5.1 (DNF recursion)

The DNF recursion scheme shown in Figure 25.3 is inhabited.

Proof By size induction on the σ D with C quantified using the decidability of mem-
bership in clauses. Straightforward. ■

DNF recursion provides the abstraction level one would use in an informal cor-
rectness proof of the DNF procedure. In particular, DNF recursion separates the
termination argument from the partial correctness argument. We remark that DNF
recursion generalizes the functional induction scheme one would derive for a DNF
procedure.

Exercise 25.5.2 Use DNF recursion to construct a certifying boolean solver for
clauses: ∀C. (Σα. αsatC) + (¬sat(C)).

300
 25.6 Tableau Refutations

tab(S :: C +
+ D)
+ S :: D)
tab(C + tab(x + :: x − :: C) tab(⊥+ :: C)

tab(s − :: C) tab(t + :: C) tab(s + :: t − :: C)

tab((s → t)+ :: C) tab((s → t)− :: C)

tab(s + :: t + :: C) tab(s − :: C) tab(t − :: C)

tab((s ∧ t)+ :: C) tab((s ∧ t)− :: C)

tab(s + :: C) tab(t + :: C) tab(s − :: t − :: C)

tab((s ∨ t)+ :: C) tab((s ∨ t)− :: C)

Figure 25.4: Inductive type family tab : Cla → T

25.6 Tableau Refutations

Figure 25.4 defines an indexed inductive type family tab : Cla → T for which we will
prove
tab(C) a ¬sat(C)

We call the inhabitants of a type tab(C) tableau refutations for C. The above equiv-
alence says that for every clause unsatisfiability proofs are inter-translatable with
tableau refutations. Tableau refutations may be seen as explicit syntactic unsatis-
fiability proofs for clauses. Since we have ¬sat s a ¬sat [s + ], tableau refutations
may also serve as refutations for formulas.
We speak of tableau refutations since the type family tab formalizes a proof
system that belongs to the family of tableau systems. We call the value construc-
tors for the type constructor tab tableau rules and refer to type constructor tab as
tableau system.
We may see the tableau rules in Figure 25.4 as a simplification of the equations
specifying the DNF procedure in Figure 25.2. Because termination is no longer an
issue, the accumulator argument is not needed anymore. Instead we have a tableau
rule (the first rule) that rearranges the agenda.
We refer to the first rule of the tableau system as move rule and to the second
rule as clash rule. Note the use of list concatenation in the move rule.
The tableau rules are best understood in backwards fashion (from the conclusion
to the premises). All but the first rule are decomposition rules simplifying the
clause to be derived. The second and third rule derive clauses that are obviously
unsatisfiable. The move rule is needed so that non-variable formulas can be moved

301
25 Boolean Satisfiability

to the front of a clause as it is required by most of the other rules.

Fact 25.6.1 (Soundness)

Tableau refutable clauses are unsatisfiable: tab(C) → ¬sat(C).

Proof Follows by induction on tab. ■

For the completeness lemma we need a few lemmas providing derived rules for
the tableau system.

Fact 25.6.2 (Clash)

All clauses containing a conflicting pair of signed variables are tableau refutable:
x + ∈ C → x − ∈ C → tab(C).

Proof Without loss of generality we have C = C1 + + x + :: C2 +

+ x − :: C3 . The primitive
+ −
clash rule gives us tab(x :: x :: C1 +
+ C2 +
+ C3 ). Using the move rule twice we obtain
tab(C). ■

Fact 25.6.3 (Weakening)

Adding formulas preserves tableau refutability:
∀CS. tab(C) → tab(S :: C).

Proof By induction on tab. ■

The move rule is strong enough to reorder clauses freely.

Fact 25.6.4 (Move Rules) The following rules hold for tab:

tab(rev D +
+C +
+ E) +C +
tab(D + + E) + S :: D)
tab(C +
+D+
tab(C + + E) +D+
tab(C + + E) tab(S :: C +
+ D)

We refer to the last rule as inverse move rule.

Proof The first rule follows by induction on D. The second rule follows from the
first rule with C = [] and rev (rev D) = D. The third rule follows from the second
rule with C = [S]. ■

Lemma 25.6.5 (Completeness)

∀DC. solved C → ¬sat (D +
+ C) → tab(D +
+ C).

Proof By DNF recursion. The case for the empty agenda is contradictory since
solved clauses are satisfiable. The cases with conflicting signed variables follow
with the clash lemma. The cases with nonconflicting signed variables follow with
the inverse move rule. The case for ⊥− follows with the weakening lemma. ■

302
 25.7 Abstract Refutation Systems

Theorem 25.6.6
A clause is tableau refutable if and only if it is unsatisfiable:
tab(C) a ¬sat(C).

Proof Follows with Fact 25.6.1 and Lemma 25.6.5. ■

Corollary 25.6.7 ∀C. tab(C) + (tab(C) → ⊥).

We remark that the DNF solver and the tableau system adapt to any choice of
boolean connectives. We just add or delete cases as needed. An extreme case would
be to not have variables. That one can choose the boolean connectives freely is due
to the use of clauses with signed formulas.
The tableau rules have the subformula property, that is, a derivation of a
clause C does only employ subformulas of formulas in C. That the tableau rules
satisfies the subformula property can be verified rule by rule.
+ S :: D +
Exercise 25.6.8 Prove tab(C + + T :: E) ←→ tab(C +
+ T :: D +
+ S :: E).

Exercise 25.6.9 Give an inductive type family deriving exactly the satisfiable
clauses. Start with an inductive family deriving exactly the solved clauses.

25.7 Abstract Refutation Systems

An unsigned clause is a list of formulas. We will now consider a tableau system for
unsigned clauses that comes close to the refutation system associated with natural
deduction. For the tableau system we will show decidability and agreement with un-
satisfiability. Based on the results for the tableau system one can prove decidability
and completeness of classical natural deduction (Chapter 24).
The switch to unsigned clauses requires negation and falsity, but as it comes to
the other connectives we are still free to choose what we want. Negation could be
accommodated as an additional connective, but formally we continue to represent
negation with implication and falsity.
We can turn a signed clause C into an unsigned clause by replacing positive
formulas s + with s and negative formulas s − with negations ¬s. We can also turn
an unsigned clause into a signed clause by labeling every formula with the positive
sign. The two conversions do not change the boolean value of a clause for a given
assignment. Moreover, going from an unsigned clause to a signed clause and back
yields the initial clause. From the above it is clear that satisfiability of unsigned
clauses reduces to satisfiability of signed clauses and thus is decidable.
Formalizing the above ideas is straightforward. The letters A and B will range
over unsigned clauses. We define αsatA and satisfiability of unsigned clauses anal-
ogous to signed clauses. We use Ĉ to denote the unsigned version of a signed clause
and A+ to denote the signed version of an unsigned clause.

303
25 Boolean Satisfiability

ρ (s :: A +
+ B)
ρ (A +
+ s :: B) ρ (x :: ¬x :: A) ρ (⊥ :: A)

ρ (¬s :: A) ρ (t :: A) ρ (s :: ¬t :: A)
ρ ((s → t) :: A) ρ (¬(s → t) :: A)

ρ (s :: t :: A) ρ (¬s :: A) ρ (¬t :: A)
ρ ((s ∧ t) :: A) ρ (¬(s ∧ t) :: A)

ρ (s :: A) ρ (t :: A) ρ (¬s :: ¬t :: A)
ρ ((s ∨ t) :: A) ρ (¬(s ∨ t) :: A)

Figure 25.5: Rules for abstract refutation systems ρ : L(For) → P

Fact 25.7.1 EαĈ = EαC, EαA+ = EαA, and A

d + = A.

Fact 25.7.2 (Decidability) Satisfiability of unsigned clauses is decidable.

Proof Follows with Corollary 25.4.6 and EαA+ = EαA. ■

We call a type family ρ on unsigned clauses an abstract refutation system if it

satisfies the rules in Figure 25.5. Note that the rules are obtained from the tableau
rules for signed clauses by replacing positive formulas s + with s and negative for-
mulas s − with negations ¬s.

Lemma 25.7.3 Let ρ be a refutation system. Then tab C → ρ Ĉ.

Proof Straightforward by induction on tab C. ■

Fact 25.7.4 (Completeness)

Every refutation system derives all unsatisfiable unsigned clauses.

Proof Follows with Theorem 25.6.6 and Lemma 25.7.3. ■

We call an abstract refutation system sound if it derives only unsatisfiable

clauses (that is, ∀A. ρA → ¬sat A).

Fact 25.7.5 A sound refutation system is decidable and derives exactly the unsatis-
fiable unsigned clauses.

Proof Facts 25.7.4 and 25.7.2. ■

304
 25.7 Abstract Refutation Systems

Theorem 25.7.6 The minimal refutation system inductively defined with the rules
for abstract refutation systems derives exactly the unsatisfiable unsigned clauses.

Proof Follows with Fact 25.7.4 and a soundness lemma similar to Fact 25.6.1. ■

Exercise 25.7.7 (Certifying Solver) Construct a function ∀A. (Σα. αsatA) + tab A.

Exercise 25.7.8 Show that boolean entailment

A î̇ s := ∀α. αsatA → αsats

is decidable.

Exercise 25.7.9 Let A ⊢ ˙ s be the inductive type family for classical natural deduc-
˙ s is decidable and agrees with boolean entailment. Hint: Exploit
tion. Prove that A ⊢
refutation completeness and show that A ⊢ ˙ ⊥ is a refutation system.

305
26 Regular Expression Matching
We consider regular expressions describing list of numbers. The expressions are
formed with constructors for singleton lists, concatenation, star concatenation, and
union, among others. Using derivatives, we show that regular expression matching
is decidable.

26.1 Basics

Regular expressions are patterns for strings used in text search. There is a relation
A ⊢ s saying that a string A satisfies a regular expression s. One also speaks of a
regular expression matching a string. We are considering regular expressions here
since the satisfaction relation A ⊢ s has an elegant definition with derivation rules.
We represent strings as lists of numbers, and regular expressions with an induc-
tive type realizing the BNF

s, t : exp ::= x | 0 | 1 | s + t | s · t | s ∗ (x : N)

We model the satisfaction relation A ⊢ s with an indexed inductive type family

⊢ : L(N) → exp → T

providing value constructors for the following rules:

A⊢s A⊢t
[x] ⊢ x [] ⊢ 1 A⊢s+t A⊢s+t

A⊢s B⊢t A⊢s B ⊢ s∗

A+
+B ⊢ s · t [] ⊢ s ∗ + B ⊢ s∗
A+

Note that both arguments of ⊢ are indices. Concrete instances of the satisfaction
relation, for instance,

[1, 2, 2] ⊢ 1 · 2∗

can be shown with just constructor applications. Inclusion and equivalence of

regular expressions are defined as follows:

s ⊆ t := ∀A. A ⊢ s → A ⊢ t
s ≡ t := ∀A. A ⊢ s a A ⊢ t

307
26 Regular Expression Matching

An easy to show inclusion is

s ⊆ s∗ (26.1)

(only constructor applications and rewriting with A +

+[] = A are needed). More
challenging is the inclusion
s∗ · s∗ ⊆ s∗ (26.2)

We need an inversion function

A ⊢ s · t → ΣA1 A2 . (A = A1 +
+ A2 ) × (A1 ⊢ s) × (A2 ⊢ t) (26.3)

and a lemma
A ⊢ s∗ → B ⊢ s∗ → A +
+ B ⊢ s∗ (26.4)

The inversion function can be obtained as an instance of a more general inversion

operator

∀As. A ⊢ s → match s
[ x ⇒ A = [x]
|0⇒⊥
| 1 ⇒ A = []
| u + v ⇒ (A ⊢ u) + (A ⊢ v)
| u · v ⇒ Σ A1 A2 . (A = A1 +
+ A2 ) × (A1 ⊢ u) × (A2 ⊢ v)
| u∗ ⇒ (A = []) + ΣA1 A2 . (A = A1 +
+ A2 ) × (A1 ⊢ u) × (A2 ⊢ u∗ )
]

which can be defined by discrimination on A ⊢ s. Note that the index s determines

a single rule except for s ∗ .
We now come to the proof of lemma (26.4). The proof is by induction on the
derivation A ⊢ s ∗ with B fixed. There are two cases. If A = [], the claim is trivial.
Otherwise A = A1 + + A2 , A1 ⊢ s, and A2 ⊢ s ∗ . Since A2 ⊢ s ∗ is obtained by a sub-
derivation, the inductive hypothesis gives us A2 + + B ⊢ s ∗ . Hence A1 + + B ⊢ s∗
+ A2 +
by the second rule for s ∗ .
The above induction is informal. It can be made formal with an universal elimi-
nator for A ⊢ s and a reformulation of the claim as follows:

∀As. A ⊢ s → match s [ s ∗ ⇒ B ⊢ s ∗ → A +
+ B ⊢ s∗ | _ ⇒ ⊤ ]

The reformulation provides an unconstrained inductive premises A ⊢ s so that

no information is lost by the application of the universal eliminator. Defining the
universal eliminator with a type function ∀As. A ⊢ s → T is routine. We remark
that a weaker eliminator with a type function L(N) → exp → T suffices.

308
 26.1 Basics

We now have (26.2). A straightforward consequence is

s∗ · s∗ ≡ s∗

A less obvious consequence is the equivalence

(s ∗ )∗ ≡ s ∗ (26.5)

saying that the star operation is idempotent. Given (26.1), it suffices to show

A ⊢ (s ∗ )∗ → A ⊢ s ∗ (26.6)

The proof is by induction on A ⊢ (s ∗ )∗ . If A = [], the claim is obvious. Other-

wise, we assume A1 ⊢ s ∗ and A2 ⊢ (s ∗ )∗ , and show A1 + + A2 ⊢ s ∗ . The inductive
hypothesis gives us A2 ⊢ s ∗ , which gives us the claim using (26.4).
The above proof is informal since the inductive premise A ⊢ (s ∗ )∗ is index
constrained. A formal proof succeeds with the reformulation

∀As. A ⊢ s → match s [ (s ∗ )∗ ⇒ A ⊢ s ∗ | _ ⇒ ⊤ ]

Exercise 26.1.1 (Certifying solver)

Define a certifying solver ∀s. (ΣA. A ⊢ s) + (∀A. A ⊢ s → ⊥).

Exercise 26.1.2 (Restrictive star rule) The second derivation rule for star expres-
sions can be replaced with the more restrictive rule

x :: A ⊢ s B ⊢ s∗
+ B ⊢ s∗
x :: A +

Define an inductive family A ⊢ ˙ s adopting the more restrictive rule and show that
˙ s a A ⊢ s.
it is intertranslatable with A ⊢ s : ∀As. A ⊢

Exercise 26.1.3 After reading this section, do the following with a proof assistant.
a) Define a universal eliminator for A ⊢ s.
b) Define an inversion operator for A ⊢ s.
c) Prove s ∗ · s ∗ ≡ s ∗ .
d) Prove (s ∗ )∗ ≡ s ∗ .

Exercise 26.1.4 (Denotational semantics) The informal semantics for regular ex-
pressions described in textbooks can be formalized as a recursive function on reg-
ular expressions that assigns languages to regular expressions. We represent lan-
guages as type functions L(N) → T and capture the semantics with a function

R : exp → L(N) → T

309
26 Regular Expression Matching

defined as follows:

R x A := (A = [x])
R 0 A := ⊥
R 1 A := (A = [])
R (s + t) A := RsA + RtA
R (s · t) A := ΣA1 A2 . (A = A1 +
+ A2 ) × RsA1 × RtA2
R (s ∗ ) A := Σn. P (Rs)nA

P ϕ 0 A := (A = [])
P ϕ (Sn) A := ΣA1 A2 . (A = A1 +
+ A2 ) × ϕA1 × P ϕ n A

a) Prove R sA a A ⊢ s.
b) We have represented languages as type functions L(N) → T. A representation
as predicates L(N) → P would be more faithful to the literature. Rewrite the
definitions of ⊢ and R accordingly and show their equivalence.

26.2 Decidability of Regular Expression Matching

We will now construct a decider for A ⊢ s. The decidability of A ⊢ s is not obvious.

We will formalize a decision procedure based on Brzozowski derivatives [5].
A function D : N → exp → exp is a derivation function if

∀xAs. x :: A ⊢ s a A ⊢ Dxs

In words we may say that a string x :: A satisfies a regular expression s if and only
if A satisfies the derivative Dxs. If we have a decider ∀s. D([] ⊢ s) and in addition
a derivation function, we have a decider for A ⊢ s.

Fact 26.2.1 ∀s. D([] ⊢ s).

Proof By induction on s. For 1 and s ∗ we have a positive answer, and for x and 0
we have a negative answer using the inversion function. For s + t and s · t we rely
on the inductive hypotheses for the constituents. ■

Fact 26.2.2 ∀As. D(A ⊢ s) provided we have a derivation function.

Proof By recursion on A using Fact 26.2.1 in the base case and the derivation func-
tion in the cons case. ■

310
 26.2 Decidability of Regular Expression Matching

We define a derivation function D as follows:

D : N → exp → exp
Dxy := if [x = y\ then 1 else 0
Dx 0 := 0
Dx 1 := 0
Dx (s + t) := Dxs + Dxt
Dx (s · t) := if [[] ⊢ s\ then Dxs · t + Dxt else Dxs · t
Dx (s ∗ ) := Dxs · s ∗

It remains to show that D is a derivation function. For this proof we need a strength-
ened inversion lemma for star expressions.

Lemma 26.2.3 (Eager star inversion)

∀xAs. x :: A ⊢ s ∗ → ΣA1 A2 . A = A1 +
+ A2 × x :: A1 ⊢ s × A2 ⊢ s ∗ .

Proof By induction on the derivation of x :: A ⊢ s ∗ . Only the second rule for star
expressions applies. Hence we have x :: A = A1 + + A2 and subderivations A1 ⊢ s
and A2 ⊢ s ∗ . If A1 = [], we have A2 = x :: A and the claim follows by the inductive
hypothesis. Otherwise, we have A1 := x :: A′1 , which gives us the claim.
The formal proof follows this outline but works on a reformulation of the claim
providing an unconstrained inductive premise. ■

Theorem 26.2.4 (Derivation) ∀xAs. x :: A ⊢ s a A ⊢ Dxs.

Proof By induction on s. All cases but the direction ⇒ for s ∗ follow with the inver-
sion operator and case analysis. The direction ⇒ for s ∗ follows with the eager star
inversion lemma 26.2.3. ■

Corollary 26.2.5 ∀As. D(A ⊢ s).

Proof Follows with Fact 26.2.2 and Theorem 26.2.4. ■

311
27 Abstract Reduction Systems

Warning: This chapter is under construction.

27.1 Paths Types

We assume a relation R : X → X → T. We see R as a graph whose vertices are the

elements of X and whose edges are the pairs (x, y) such that Rxy. Informally,
a path in R is a walk

R R R
x0 → x1 → · · · → xn

through the graph described by R following the edges. We capture this design
formally with an indexed inductive type

path (x : X) : X → T ::=
| P1 : path xx
| P2 : ∀x ′ y. Rxx ′ → path x ′ y → path xy

The constructors are chosen such that that the elements of a path type path xy
formalize the paths from x to y. The first argument of the type constructor path is
a nonuniform parameter and the second argument of path is an index. The second
argument cannot be made a parameter because it is instantiated to x by the value
constructor P1 . Here are the full types of the constructors:

path : ∀X T . (X → X → T) → X → X → T
P1 : ∀X T ∀R X→X→P ∀x X . pathXR xx
P2 : ∀X T ∀R X→X→P ∀xx ′ y X . Rxx ′ → pathXR x ′ y → pathXR xy

Note that the type constructor path takes three parameters followed by a single in-
dex as arguments. There is the general rule that parameters must go before indices.
We shall use notation with implicit arguments in the following. It is helpful to
see the value constructors in simplified form as inference rules:

Rxx ′ pathR x ′ y
P1 P2
pathR xx pathR xy

313
27 Abstract Reduction Systems

The second constructor is reminiscent of a cons for lists. The premise Rxx ′ ensures
that adjunctions are licensed by R. And, in contrast to plain lists, the endpoints of
a path are recorded in the type of the path.

Fact 27.1.1 (Step function) ∀xy. Rxy → pathR xy.

Proof The function claimed can be obtained with the value constructors P1 and P2 :

P1
Rxy pathR yy
P2
pathR xy

We now define an inductive function len that yields the length of a path (i.e., the
number of edges the path runs trough).

len : ∀xy. path xy → N

len x _ (P1 _) := 0
len x _ (P2 _ x ′ y r a) := S(len x ′ y a)

Note the underlines in the patterns. The underlines after P1 and P2 are needed since
the first arguments of the constructors are parameters (instantiated to x by the pat-
tern). The underlines before the applications of P1 and P2 are needed since the re-
spective argument is an index argument. The index argument appears as variable y
in the type declared for len. We refer to y (in the type of len) as index variable.
What identifies y as index variable is the fact that it appears as index argument
in the type of the discriminating argument. The index argument must be written
as underline in the patterns since the succeeding pattern for the discriminating ar-
gument determines the index argument. There is the general constraint that the
index arguments in the type of the discriminating argument must be variables not
occurring otherwise in the type of the discriminating argument (the so-called index
condition). Moreover, the declared type must be such that all index arguments are
taken immediately before the discriminating argument.
Type checking elaborates the defining equations into quantified propositional
equations where the pattern variables are typed and the underlines are filled in. For
the defining equations of len, elaboration yields the following equations:

∀x N . len x x (P1 x) = 0
′ ′
∀xx ′ y N ∀r Rxx ∀apath x y . len x y (P2 x x ′ y r a) = S(len x ′ y a)

We remark that the underlines for the parameters are determined by the declared
type of the discriminating argument, and that the underlines for the index argu-
ments are determined by the elaborated type for the discriminating argument.

314
 27.1 Paths Types

We now define an append function for paths

app : ∀zxy. path xy → path yz → path xz

discriminating on the first path. The declared type and the choice of the discrimi-
nating argument (not explicit yet) identify y as an index variable and fix an index
argument for app. Note that the index condition is satisfied. The argument z is
taken first so that the index argument y can be taken immediately before the dis-
criminating argument. We can now write the defining equations:

app zx _ (P1 _) := λb.b : path xz → path xz

′ ′ ′
app zx _ (P2 _ x y r a) := λb. P2 xx z r (app zx y ab) : path yz → path xz

As always, the patterns are determined by the declared type and the choice of the
discriminating argument. We have the types r : Rxx ′ and a : path x ′ y for the
respective pattern variables of the second equation. Note that the index argument
is instantiated to x in the first equation and to y in the second equation.
We would now like to verify the equation

∀xyz ∀apath xy ∀bpath yz . len (app ab) = len a + len b

which is familiar from lists. As for lists, the proof is by induction on a. Doing the
proof by hand, ignoring the type checking, is straightforward. After conversion, the
case for P2 gives us the proof obligation

S(len (app ab)) = S(len a + len b)

which follows by the inductive hypothesis, Formally, the induction can be validated
with the universal eliminator for path:

path xy→T
E : ∀p ∀xy. .
(∀x. pxx(P1 x)) →
(∀xyz ∀r Rxy ∀apath yz . pxz(P2 xyz r a)) →
∀xya. pxya

E pe1 e2 x _ , (P1 _) := e1 x
E pe1 e2 x _ (P2 _ x ′ y r a) := e2 xx ′ y r (E pe1 e2 x ′ y a)

Not that the type function p takes the nonuniform parameter, the index, and the dis-
criminating argument as arguments. The general rule to remember here is that all
nonuniform parameters and all indices appear as arguments of the target type func-
tion of the universal eliminator. As always with universal eliminators, the defining

315
27 Abstract Reduction Systems

equations follow from the type of the eliminator, and the types of the continuation
functions e1 and e2 follow from the types of the value constructors and the type of
the target type function.
No doubt, type checking the above examples by hand is a tedious exercise, also
for the author. In practice, one leaves the type checking to the proof assistant
and designs the proofs assuming that the type checking works out. With trained
intuitions, this works out well.

Exercise 27.1.2 Give the propositional equations obtained by elaborating the defin-
ing equations for len, app, and E. Hint: The propositional equations for len are
explained above. Use the proof assistant to construct and verify the equations.

Exercise 27.1.3 Define the step function asserted by Fact 27.1.1 with a term.

Exercise 27.1.4 (Index eliminator) Define an index eliminator for path:

∀p X→X→T .
(∀x. pxx) →
(∀xx ′ y. Rxx ′ → px ′ y → pxy) →
(∀xy. path xy → pxy)

Note that the type of the index eliminator is obtained from the type of the universal
eliminator by deleting the dependencies on the paths.

Exercise 27.1.5 Use the index eliminator to prove that the relation path is transi-
tive: ∀xyz. path xy → path yz → path xz.

Exercise 27.1.6 (Arithmetic graph) Let Rxy := (Sx = y). We can see R as the
graph on numbers having the edges (x, Sx). Prove pathR xy a x ≤ y.
Hints. Direction ⇒ follows with index induction (i.e., using the index eliminator
from Exercise 27.1.4). Direction ⇐ follows with ∀k. pathR x(k + x), which follows
by induction on k with x quantified.

27.2 Reflexive Transitive Closure

We can see the type constructor path as a function that maps relations X → X → T
to relations X → X → T. We will write R ∗ for pathR in the following and speak
of the reflexive transitive closure of R. We will explain later why this speak is
meaningful.
We first note that R ∗ is reflexive. This fact is stated by the type of the value
constructor P1 .

316
 27.2 Reflexive Transitive Closure

We also note that R ∗ is transitive. This fact is stated by the type of the inductive
function app.
Moreover, we note that R ∗ contains R (i.e., ∀xy. Rxy → R ∗ xy). This fact is
stated by Fact 27.1.1.
Fact 27.2.1 (Star recursion)
Every reflexive and transitive relation containing R contains R ∗ :
∀p X→X→T . refl p → trans p → R ⊆ p → R ∗ ⊆ p.

Proof Let p be a relation as required. We show ∀xy. R ∗ xy → pxy using the index
eliminator for path (Exercise 27.1.4). Thus we have to show that p is reflexive, which
holds by assumption, and that ∀xx ′ y. Rxx ′ → px ′ y → pxy. So we assume Rxx ′
and px ′ y and show pxy. Since p contains R we have pxx ′ and thus we have the
claim since p is transitive. ■

Star recursion as stated by Fact 27.2.1 is a powerful tool. The function realized
by star recursion is yet another eliminator for path. We can use star recursion to
show that R ∗ and (R ∗ )∗ agree.
Fact 27.2.2 R ∗ and (R ∗ )∗ agree.

Proof We have R ∗ ⊆ (R ∗ )∗ by Fact 27.1.1. For the other direction (R ∗ )∗ ⊆ R ∗

we use star recursion (Fact 27.2.1). Thus we have to show that R ∗ is reflexive,
transitive, and contains R ∗ . We have argued reflexivity and transitivity before, and
the containment is trivial. ■

Fact 27.2.3 R ∗ is a least reflexive and transitive relation containing R.

Proof This fact is a reformulation of what we have just shown. On the one hand, it
says that R ∗ is a reflexive and transitive relation containing R. On the other hand,
it says that every such relation contains R ∗ . This is asserted by star recursion. ■

If we assume function extensionality and propositional extensionality,

Fact 27.2.2 says R ∗ = (R ∗ )∗ . With extensionality R ∗ can be understood as a
closure operator which for R yields the unique least relation that is reflexive,
transitive, and contains R. In an extensional setting, R ∗ is commonly called the
reflexive transitive closure of R.
We have modeled relations as general type functions X → X → T rather than as
predicates X → X → P. Modeling path types R ∗ xy as computational types gives us
paths as computational values and provides for computational recursion on paths
as it is needed for the length function len. If we switch to propositional relations
X → X → P, everything we did carries over except for the length function.
Exercise 27.2.4 (Functional characterization)
Prove R ∗ xy a ∀p X→X→T . refl p → trans p → R ⊆ p → pxy.

317
 Part IV

Foundational Studies

319
28 Axiom CT and Semidecidability

All functions definable in CTT without assumptions are computable. Nevertheless,

there are noncomputational interpretations of CTT where the function type N → N
contains uncomputable functions. Moreover, there are degenerate interpretations
of CTT where all predicates N → P are decidable. Consequently, CTT can only prove
undecidability if we have an assumption excluding degenerate interpretations. In
this chapter, we study such an assumption called Axiom CT. Axiom CT is consistent
with excluded middle and extensionality and provides for undecidability proofs
within CTT.
We will base Axiom CT on the diophantine characterization of recursively enu-
merable sets, which has a straightforward formalization in CTT. Axiom CT will say
that for every function f N→N→B there is a diophantine expression describing the
predicate λn. ∃k. f nk = true.
We will give a self-contained development of type-theoretic computability not as-
suming knowledge of set-theoretic computability theory. The main notions in this
enterprise are semidecidable predicates and promising functions. While semidecid-
able predicates model recursively enumerable sets, promising functions model com-
putable set-theoretic functions as step-indexed type-theoretic functions. Assuming
Axiom CT, we will construct undecidable semidecidable predicates and promising
functions not having total extensions.
Remarkably, our primary development does not use excluded middle. If we as-
sume excluded middle, we can characterize decidable predicates as semidecidable
predicates that are cosemidecidable. As it turns out, this characterization is equiv-
alent to a prominent instance of excluded middle known as Markov’s principle.
We will make essential use of the extra-expressivity computational type theory
has over set theory:
• Functions in CTT are computational. In contrast, set theory has no native no-
tion of computability. Set-theoretic functions are merely notational sugar for
functional relations.
• Computational availability (Σ) can be used besides propositional existence (∃).
• Complex computational constructions can be carried out with certifying func-
tions combining specification and verification using the Skolem translation.

321
28 Axiom CT and Semidecidability

28.1 Tests and Basic Predicates

Basic predicates are an abstract type-theoretic version of r.e. sets from set-theoretic
computability theory. R.e. sets are sets of numbers that can be algorithmically
enumerated. R.e. sets are also known recursively enumerable sets.
We define complement and equivalence of predicates p X→P and qX→P :

p := λx.¬px complement
p ≡ q := ∀x. px ←→ qx equivalence

We have p ≡ q → p ≡ q. We define basic predicates as follows:

T := N → B unary tests
T2 := N → N → B binary tests
T
Kf := ∃k. f k = true satisfiability
D f T2 := λn. K(f n) domain
N→P T2
basic p := ∃f . p ≡ Df basic predicates

We say that basic predicates are the domains of binary tests, and that basic predi-
cates are generated by binary tests.

Fact 28.1.1 Decidable predicates on numbers are basic: ∀p N→P . dec p → basic p.

Proof p is equivalent to the domain of the test λnk. if pn then true else false. ■

Computational intuition tells us that K and K are computationally undecidable.

For K the situation is somewhat better than for K since every n such that f n = true
is a certificate for K f . For K no such certificate system exists.
Given a test f , we can perform a linear search f 0, f 1, f 2, . . . that halts with the
first n such that f n = true. We refer to this n is the least witness of f . Using an
EWO, we can compute the least witness of a satisfiable test and use it as a certificate
for sat f .

Fact 28.1.2 (Witness)

For a satisfiable test one can compute a satisfying number: sat f → Σn. f n = true.

Proof Follows with an EWO for N (Fact 14.2.2) since boolean equality is decidable.■

Exercise 28.1.3 Prove the following:

a) ¬ K f ←→ ∀k. f k = false
b) D (λn.f ) ≡ D (λn.g) ←→ (K f ←→ K g)
c) D (λn.f ) ≡ D (λ[Link]) ←→ ¬ K f

322
 28.2 UT and Undecidability

Exercise 28.1.4 Construct certifying functions as follows:

a) ∀P P . DP → Σf . P ←→ K f
b) ∀p N→P . dec p → Σf . ex p ←→ K f

Exercise 28.1.5 (Conjunction and disjunction of tests)

Construct certifying functions for unary tests as follows:
a) ∀f g. Σh. K h ←→ K f ∧ K g
b) ∀f g. Σh. K h ←→ K f ∨ K g

28.2 UT and Undecidability

Before we formulate Axiom CT, we look at a consequence of Axiom CT that suffices

for almost all results in this chapter:

UT := Σ U N→T2 ∀f T2 ∃c. D f ≡ D (Uc)

We refer to the function U provided by UT as universal test, and to the number c as

the code for the test f . We see U as a function enumerating the domains of binary
tests via binary tests. That computational objects are computationally enumerable
is a prominent insight in computability theory.
With UT we will show a number of undecidability results, including the existence
of an undecidable basic set and the undecidability of the satisfaction predicate K
for unary tests.
We now come to our first undecidability result. The key idea of the proof is to
show that the complement of the domain of the diagonal test λ[Link] of a universal
test U is not basic.

Fact 28.2.1 (Undecidability)

UT → Σ f T2 . ¬ basic D f .

Proof We show that the complement of the domain of the diagonal binary test
λ[Link] is not basic. Suppose D f ≡ (λn.¬K(Unn)) for some binary test f . By UT
we have D f ≡ D (Uc) for some c. Hence ¬K(Ucc) ←→ D (Uc)c = K(Ucc), which is
contradictory. ■

Fact 28.2.2 (Undecidability)

1. UT → Σ p. basic p ∧ ¬ basic p
2. UT → Σ p. basic p ∧ ¬ dec p

Proof (1) follows from Fact 28.2.1 with p := D f . (2) follows from (1) since comple-
ments of decidable predicates are decidable and hence basic. ■

323
28 Axiom CT and Semidecidability

Fact 28.2.3 (Undecidability)

1. UT → ¬ dec K
2. UT → ¬ dec K

Proof (2) follows from (1) since complements of decidable predicates are decidable.
For (1), we assume a decider d : ∀f . ¬K f and derive a contradiction. We consider
the binary test f n := if d(Unn) then λ[Link] else λ[Link] with D f ≡ D (Uc).
We have K (f c) ←→ K (Ucc). We do a case analysis on d(Ucc). If ¬K (Ucc), f c =
λ[Link] and we have a contradiction. If ¬¬K (f c), f c = λ[Link] and we also have a
contradiction. ■

Note that in the above proof the diagonal test plays a key role again. Later
(Fact 28.8.5) we will see a different proof building on Fact 28.2.1 rather than UT.

Fact 28.2.4 (Undecidability)

Domain membership and domain satisfiability are undecidable for binary tests:
1. UT → ∀n. ¬dec (λf T2 . D f n)
2. UT → ¬dec (λf T2 . ex (D f ))

Proof Straightforward consequences of the undecidability of K (Fact 28.2.3 (2)). ■

Exercise 28.2.5 Assuming UT, prove that there is a basic predicate that cannot be
expressed as a unary test: UT → Σ p. basic p ∧ (¬∃f T ∀n. npn ←→ f n = true).

Exercise 28.2.6 Assuming UT, prove that there is a binary test f such that for every
binary test g whose domain is disjoint from the domain of f there exists a number n
such that neither f n nor gn is satisfiable.

28.3 Diophantine Expressions

Axiom CT will say that every basic predicate can be described with a diophantine
expression. CT implies that all basic predicates are generated by countably many
arithmetic expressions.
In what follows arithmetic pairing will be essential.

324
 28.3 Diophantine Expressions

Fact 28.3.1 (Arithmetic pairing) There are functions

π :N→N→N π1 : N → N π2 : N → N

satisfying the equations

π1 (π n1 n2 ) = n1 π2 (π n1 n2 ) = n2 π (π1 n)(π2 n) = n

for all n1 , n2 , and n.

Proof Exercise 7.2.7. ■

Diophantine expressions are arithmetic expressions obtained with variables, the

constants 0 and 1, and addition, subtraction, and multiplication. We obtain dio-
phantine expressions with an inductive type:

e : exp ::= x | 0 | 1 | e + e | e − e | e · e (x : N)

To evaluate an expression, we need values for the variables occurring in the expres-
sion. We assemble the values of variables into a single number using arithmetic
pairing:

cons n1 n2 := S(π n1 n2 )
get 0 _ := 0
get Sn 0 := π1 n
get Sn Sk := get (π2 n) k

Note that get nk gets the value for variable k from n. If n doesn’t provide an explicit
value for a variable, get returns 0 as default value.
We evaluate expressions with a function evaN→exp→N defined follows:

eva n x := get n x
eva n 0 := 0
eva n 1 := 1
eva n (e1 + e2 ) := eva n e1 + eva n e2
eva n (e1 − e2 ) := eva n e1 − eva n e2
eva n (e1 · e2 ) := eva n e1 · eva n e2

We now define functions obtaining diophantine predicates and diophantine tests

from diophantine expressions:

P e : N → P := λn. ∃k. eva (cons n k) e) = 0

τ e : T2 := λnk. if eva (cons n k) e then true else false

325
28 Axiom CT and Semidecidability

Fact 28.3.2 (Diophantine predicates)

Diophantine predicates are basic:
1. pred e ≡ D (τe)
2. basic (pred e)

Proof Straightforward. ■

Diophantine predicates are a type-theoretic representation of recursively enu-

merable sets. Augmenting diophantine expressions with additional operations, for
instance the arithmetic pairing functions π , π1 , and π2 , will not change the class
of diophantine predicates. That addition, subtraction, and multiplication suffice
to obtain all recursively enumerable sets is a famous result of Yuri Matiyasevich
from 1970. The result implies that satisfiability of diophantine equations is unde-
cidable, thus solving Hilbert’s tenth problem from 1900. See Matiyasevich [24] for
a fascinating first-hand discussion of the diophantine representation of recursively
enumerable sets.

Fact 28.3.3 The type exp of expressions is in bijection with N.

Proof By Corollary 23.7.3 and Theorem 23.3.2, it suffices to construct an equality

decider and a list enumeration for exp. We leave these routine constructions as
exercises. It is also necessary to show that exp is an infinite type, which is straight-
forward. ■

Exercise 28.3.4 (Binary universal test) UT models a universal test as a ternary test.
With arithmetic pairing, a universal test can be modeled equivalently with a binary
test. Prove UT a Σ g ∀f ∃c. D f ≡ D (λn.g(π cn)).

28.4 Axiom CT

We now formulate Axiom CT:

CT := ∀f T2 ∃e. D f ≡ P e

Axiom CT is consistent with excluded middle and extensionality. CT excludes de-

generate interpretations of CTT where all predicates are interpreted as computa-
tionally decidable predicates. We may say that type theory becomes fully computa-
tional only once CT is assumed.
We mention that in informal constructive mathematics there is an assumption
called Church’s thesis saying that every total function is computable. CT as defined
here may be seen as an adaption of Church’s thesis to CTT and the diophantine
representation of recursive enumerability.

326
 28.4 Axiom CT

Fact 28.4.1 CT → UT.

Proof Let δN→exp the surjective function provided by Fact 28.3.3. We verify that
U := λc. τ(δc) is a universal test. We assume f T2 and prove ∃c. D f ≡ D (Uc). CT
gives us an expression e such that D f ≡ P e. Since δ is surjective, we have δc = e
for some c. It remains to show D f ≡ D (Uc), which holds by the assumptions and
P e ≡ D (τe) (Fact 28.3.2 (1)). ■

Fact 28.4.2 (Undecidability)

1. CT → ∃e. ¬basic (Pe)
2. CT → ∃e. ¬dec (Pe)
3. CT → ¬∀en. D(Pen)

Proof (1) follows with Facts 28.2.1 and 28.4.1. (2) is a consequence of (1), and (3) is
a consequence of (2). ■

Exercise 28.4.3
Prove CT → (basic p ←→ diophantine p) where diophantine p := ∃e. p ≡ Pe.

Exercise 28.4.4 Prove the following:

a) ∀e ∃e′ ∀k. eva (cons 0 k) e = eva k e′
b) CT → ∀f T ∃e. K f ←→ ∃n. eva ne = 0

Exercise 28.4.5 (Undecidability challenges) We formulate proof challenges that

will require serious work with diophantine arithmetic.
a) CT → ¬ dec(λe. ∃n. P en)
b) CT → ¬ dec(λe. ∃n. eva ne = 0)
Note that the second challenge is a variant of the undecidability of the satisfiability
of diophantine equations (Hilbert’s 10th problem). The best starting point we can
offer is Fact 28.4.2.

Exercise 28.4.6 (Abstract CT)

We have chosen to obtain the r.e. predicates with diophantine expressions building
on Matiyasevich’s result. There is also the possibility to obtain the r.e. predicates
with expressions describing partial recursive functions or Turing machines. In any
case we have a countable type of expressions that yields the r.e. predicates through
binary tests. We may capture the generating expressions and Axiom CT with an
abstraction described by the predicate

ACT AT τ A→T2 δN→A := (∀f ∃a. D f ≡ D (τa)) ∧ (∀a ∃n. δn = a)

where A is an abstract type of expressions. Prove the following:

327
28 Axiom CT and Semidecidability

a) CT → sig (ACT exp τ)

b) ACT Aτδ → ∀p. basic p ←→ ∃a. p ≡ D (τa)
c) ACT Aτδ → UT

28.5 Recusant Relations

We may ask whether there are functional and total relations that cannot be repre-
sented with functions. Assuming UT, we will show that such relations exist. This
confirms our expectation that relations are more expressive than functions since
there is no computability constraint for relations.
We define the characteristic relation ρp of predicates p X→P :

ρ : ∀X. (X → P) → (X → B → P)
ρpxb := if b then px else ¬px

Fact 28.5.1 Characteristic relations are functional. Moreover, assuming XM, charac-
teristic relations are total.

Next we show that the characteristic predicate ρp can be represented as a func-

tion if and only if p is decidable.

Fact 28.5.2 dec p a Σf ∀x. ρpx(f x).

Proof Let d be a decider for p. Then f x := if dx then true else false repre-
sents ρp. Conversely, let f represent ρp. Then f is a boolean decider for p. ■

Assuming UT and XM, we can now construct a functional and total relation
N→B→P
R that cannot be represented with a function. We speak of a recusant re-
lation.

Fact 28.5.3 (Recusant relation)

UT → XM → ΣR N→B→P . functional R ∧ total R ∧ ¬∃f ∀x. Rx(f x).

Proof Fact 28.2.2 gives us an undecidable predicate p N→P . By Fact 28.5.2 we know
that ρp cannot be represented with a function. Moreover, Fact 28.5.1 tells us that
ρp is functional and total. ■

28.6 Inconsistent Strengthening of UT

One must be extremely careful with axioms one adds to a foundational sytem. A
good example is

UTΣ := Σ U N→T2 ∀f T2 Σc. D f ≡ D (Uc)

328
 28.7 Post Hierarchy

which strengthens UT by replacing propositional existence of c with computational

availability of c. We will show that UTΣ is inconsistent with function extensionality.1
In fact, extensionality for tests

TE := ∀f g T . (∀n. f n = gn) → f = g

suffices for the inconsistency.

Lemma 28.6.1 UTΣ → TE → dec K.

Proof UTΣ gives us functions U N→T2 and γ T→N such that ∀f . K f ←→ K (U(γf ) 0).
We now assume f and construct a decision D(¬K f ). We consider the codes γf and
γ(λ[Link]).
If γf = γ(λ[Link]), we assume K f and derive a contradiction. We have K f ←→
K (λ[Link]), a contradiction.
If γf ≠ γ(λ[Link]), we assume ¬K f and prove γf = γ(λ[Link]). By the extension-
ality assumption it suffice to show ∀k. f k = false, which follows from ¬K f . ■

Fact 28.6.2 (Inconsistency) UTΣ → TE → ⊥.

Proof Follows with Lemma 28.6.1 and Fact 28.2.3. ■

Exercise 28.6.3 Prove UT → UTΣ .

28.7 Post Hierarchy

The Post hierarchy is obtained with a preorder p ⪯ q on unary predicates such

that p is decidable if q is decidable. We shall use the Post hierarchy to define the
semidecidable predicates as the predicates p ⪯ K. Semidecidable predicates are a
generalization of basic predicates to general argument types.
Given predicates p X→P and qY →P , a reduction of p to q is a function f X→Y such
that ∀x. p(x) ←→ q(f x). Given a reduction of p to q, we can obtain a decider for p
from a decider of q. We define a predicate

red : ∀XY . (X → P) → (Y → P) → (X → Y ) → P
redXY pqf := ∀x. p(x) ←→ q(f x)

expressing that p reduces to q with f . We now define reduction types:

p ⪯ q := sig (red pq)

1
The result appears in Troelstra and Van Dalen [29] and Forster [10].

329
28 Axiom CT and Semidecidability

Reduction types p ⪯ q describe a preorder on predicates called reducibility

that is compatible with predicate complement, subsumes predicate equivalence,
and transports predicate decidability from right to left. We read p ⪯ q as p is
below q or as q is above p. We will use two standard notations for the reduction
preorder:

p ç q := ¬(p ⪯ q)
p ≺ q := (p ⪯ q) × (p ç q)

Informally, we may see a preorder as a hierarchy. With this metaphor in mind, we

refer to reducibility as the Post hierarchy to remember Emil Post who came up with
computational reductions (called many-one reductions in computability theory) and
studied their hierarchy in the 1940’s.

Fact 28.7.1 We have functions as follows:

1. p ⪯ p
2. p ⪯ q → q ⪯ r → q ⪯ r
3. p ⪯ q → p ⪯ q
4. p ≡ q → p ⪯ q
5. p ⪯ q → dec q → dec p

We also define interreduction types:

p ≈ q := (p ⪯ q) × (q ⪯ p)

Interreduction types p ≈ q describe the equivalence relation obtained as the sym-

metric closure of the reduction preorder p ⪯ q. We speak of reduction equivalence.

Fact 28.7.2 We have functions as follows:

1. p ≈ p
2. p ≈ q → q ≈ p
3. p ≈ q → q ≈ r → q ≈ r
4. p ≈ q → p ≈ q
5. p ≡ q → p ≈ q
6. p ≈ q → dec p → dec q

When we construct concrete reductions, it is often helpful to make use of the

Skolem translation (Fact 10.3.2).

Fact 28.7.3 (Skolem for Reductions)

(∀x Σy. px ←→ qy) → p ⪯ q.

330
 28.7 Post Hierarchy

Under XM we have p ≡ p for all predicates p. We analyse the situation on a

per-predicate basis using stability of predicates:

stable p := ∀x. ¬¬px → px

Fact 28.7.4 (Stable predicates)

1. stable p ←→ p ≡ p
2. stable p
3. dec p → stable p
4. p ⪯ q → stable q → stable p
5. stable p → p ⪯ q → p ⪯ q
6. stable q → p ⪯ q → p ⪯ q
The above fact is sharp in that in no statement an implication can be replaced
with an equivalence.
Exercise 28.7.5 (Constancy of tests)
Prove that the following predicates on tests are reduction equivalent to K :
1. λg T .∀n. gn = false
2. λg T .∀n. gn = true
3. λg T .∃b. ∀n. gn = b
4. λf T2 . ∃b ∀nk. f nk = b
Exercise 28.7.6 (Domain membership and domain satisfiability)
Prove the following:
a) ∀n. (λf . D f n) ≈ K
b) (λf . ex (D f )) ≈ K
Hint for (b): Use arithmetic pairing to translate between unary and binary tests.

Exercise 28.7.7 (General Tests) Besides unary and binary tests we may also con-
sider tests with three and more arguments. With arithmetic pairing we can show
that satisfiability of tests with n > 1 arguments is interreducible with satisfiabil-
ity of unary tests. What makes the problem interesting is its dependently typed
formalization. We define a family T N→T of test types

T0 := B
TSn := N → Tn
Tn → P
and a family sat∀n. of satisfaction predicates :

sat0 f := (f = true)
satSn f := ∃k. satn (f k)

Prove the following:

331
28 Axiom CT and Semidecidability

a) ∀n. satSSn ≈ satSn

b) ∀n. satSn ≈ K
Hint: The proof for (a) is basically the proof for Exercise 28.7.6.

28.8 Semidecidable Predicates

We will define semidecidable predicates as the predicates p ⪯ K. We also introduce

a decidable predicate D ⪯ K such that a predicate p is decidable if and only if p ⪯ D.
We define D as follows:

D := λbB . b = true

Fact 28.8.1 (Decidable predicates)

1. dec D
2. stable D
3. p ⪯ D a dec p
4. dec p → dec p
5. p ⪯ D → p ⪯ D
6. D ≈ D

We call a predicate semidecidable if it is below K and refer to reductions of p to

K as semideciders for p. In other words, a predicate p X→P is semidecidable if and
only if there is a function f X→T such that ∀x. px ←→ K(f x). We refer to reductions
of p to K as semideciders for p and define a notation for semidecider types:

sdecX p X→P := (p ⪯ K)

Finally, we call a predicate cosemidecidable if its complement is semidecidable.

Fact 28.8.2 Basic predicates are the semidecidable predicates on numbers:

∀p N→P . basic p ←→ □ (sdec p).

Recall that □ is the truncation operator defined in § 10.5.

Fact 28.8.3
1. ∀f T2 . D f ⪯ K
2. D ⪯ K
3. D ⪯ K
4. K ⪯ D → K ⪯ K

332
 28.8 Semidecidable Predicates

Proof (1) is obvious from the definitions.

(2) λb.λn.b reduces D to K.
3 We have D ⪯ D ⪯ D ⪯ K. Thus D ⪯ K and hence D ⪯ K.
(4) We have K ⪯ D ⪯ K. Thus K ⪯ D since D is closed under complements. Now
K ⪯ K. ■

Fact 28.8.4
1. sdec K
2. p ⪯ q → sdec q → sdec p
3. dec p → sdec p
4. dec p → sdec p
5. ∀f T2 . sdec (D f )

We already know that K and K are undecidable (Fact 28.2.3). We now show
the stronger result that K is not semidecidable building on Fact 28.2.1. The proof
demonstrates the elegance of arguing within the Post hierarchy.

Fact 28.8.5 (Undecidabilty)

1. UT → ¬ sdec K
2. UT → ¬ dec K

Proof (1) We have ¬ sdec D f for some binary test f by Fact 28.2.1. By contraposi-
tion we assume sdec K and prove sdec D f . It now suffices to prove D f ⪯ K, which
follows from D f ⪯ K.
(2) We have ¬ sdec K by (1). By contraposition we assume dec K and prove sdec K.
Easy since the assumption yields dec K and thus K ⪯ D ⪯ K. ■

Exercise 28.8.6 Argue D ≺ K and K ç K.

Exercise 28.8.7 (Extensionality law via transport law)

Prove the extensionality law p ≡ p ′ → sdec p → sdec p ′ using the transport law for
sdec and the reduction law p ≡ p ′ → p ⪯ p ′ .

Exercise 28.8.8 (Constancy of tests)

Prove that constancy of tests λg T .∃b. ∀n. gn = b is not semidecidable.
Hint: Exercise 28.7.5.

Exercise 28.8.9 Prove that domain emptiness of binary tests is not semidecidable:
¬ sdec (λf T2 . ¬ex(D f )).

333
28 Axiom CT and Semidecidability

28.9 More Semidecidability

One may see semidecidable predicates as arithmetic projections λx.∃k. p(x, k) of

decidable predicates p X×N→P . In fact, because of arithmetic pairing, the projection
predicate λx.∃k. p(x, k) is semidecidable already if the underlying predicate p is
semidecidable. Moreover, the underlying predicate p may have more than one step
index. For instance, λx.∃k1 k2 . p(x, k1 , k2 ) is semidecidable if p X×N×N→P is semide-
cidable.
In the following we assume that π1 and π2 are the projections for an arithmetic
pairing function π (Exercise 7.2.7).
Fact 28.9.1 (Arithmetic projection)
Given a semidecidable predicate p X×N→P , λx. ∃n. p(x, n) is semidecidable:
∀p X×N→P . sdec p → sdec (λx.∃n. p(x, n)).

Proof Let f X×N→T be a semidecider for p X×N→P . We show that

gxn := if f (x, π1 n)(π2 n) then true else false

satisfies (∃n. p(x, n)) ←→ K (gx) for all x.

For →, we assume p(x, n) and show K(gx). From p(x, n) we obtain K (f (x, n)) and
thus f (x, n)k for some k. Now gx(π nk) = true follows.
For ←, we assume gxk = true and show p(x, π1 k). By the primary assumption it
suffices to show f (x, π1 k)(π2 k), which follows. ■

Corollary 28.9.2 (Arithmetic double projection)

Given a semidecidable predicate p X×N×N→P , λx. ∃nk. pxnk is semidecidable:
∀p X×N×N→P . sdec p → sdec (λx. ∃nk. p(x, n, k)).

Proof Apply Fact 28.9.1 twice. Note that X ×N×N = (X ×N)×N, and that (x, n, k) =
((x, n), k). ■

It took several iterations until the author arrived at the formalization of arith-
metic projection appearing above. There are two essential design decisions: Assume
that the underlying predicate is semidecidable (rather than decidable) and use the
cartesian representation for predicates with more than one argument.
Using arithmetic pairing, we can obtain an EWO for basic predicates, a fact no-
ticed by Andrej Dudenhefner in 2020.
Fact 28.9.3 (EWO for basic predicates)
∀p N→P . sdec p → ex p → sig p.

Proof Suppose sdec pf and ex p. Then qn := (f (π1 n)(π2 n) = true) is decidable

and satisfiable. Hence an EWO for decidable predicates gives us n such that qn.
Thus p(π1 n). ■

334
 28.10 Markov’s Principle

Andrej Dudenhefner also discovered in 2020 that semidecidable equality predi-

cates are decidable.

Fact 28.9.4 (Semidecidable Equality)

Equality predicates are decidable if and only if they are semidecidable:
EX a Σf X→X→T . ∀xy X . x = y ←→ K(f xy).

Proof Direction → is obvious. For direction ← suppose ∀xy X . x = y ←→ satf xy

and fix x, y : X. We need to construct a decision D(x = y). With an arithmetic
EWO we compute k such that f xxk = true. Now if f xyk then x = y else x ≠ y
providing the decision. ■

Exercise 28.9.5 (Arithmetic projection) Show the following using Fact 28.9.1:
a) ∀p X→N→P . (∀xn. D(pxn)) → sdec (λx. ex(px))
b) ∀p X×N×N×N→P . sdec p → sdec (λx. ∃k1 k2 k3 . p(x, k1 , k2 , k3 ))

Exercise 28.9.6 Construct a function sdec p → ∀xy. px → (py + (y ≠ x)).

Hint: The proof is similar to the proof of Fact 28.9.4. Using the witness operator one
obtains n such that f xn = true and then discriminates on f yn. In fact, Fact 28.9.4
is a consequence of the above result. The exercise was contributed by Marc Hermes
in March 2021.

28.10 Markov’s Principle

Suppose we have a proposition P and two tests f and g characterizing P and ¬P :

P ←→ K f and ¬P ←→ K g. Then we can perform a linear search

f 0 | g0, f 1 | g1, f 2 | g2, . . .

on the disjunctive test λn. f n | gn. If the proposition P is definite (i.e., P ∨ ¬P ),

the disjunctive test is satisfiable and the linear search will find the first n such that
f n | gn = true. From f n | gn = true we can obtain a decision K f + K g, from which
we can obtain a decision DP . In short, if we have a definite proposition P and tests
characterizing P and ¬P , we can construct a decision for P .
The definiteness of all propositions P where P and ¬P can be characterized by
tests can be obtained from an instance of excluded middle known as Markov’s
principle :

MP := ∀f N→B . ¬¬K f → K f

Markov’s principle says that satisfiability of tests is stable. In fact, MP = stable K.

335
28 Axiom CT and Semidecidability

Fact 28.10.1 (Markov equivalenc)

The following propositions are equivalent: MP ←→ stable K ←→ K ≡ K.

Fact 28.10.2 (Markov complement law) MP → p ⪯ K → p ⪯ K.

Proof Follows with Facts 28.7.1 and 28.10.1. ■

We define the disjunction f | g of two tests f and g as the test

f | g := λn. if f n then true else gn

Fact 28.10.3 K f ∨ K g ←→ K(f | g) a K f + K g.

Proof Follows with Fact 28.1.2. ■

Fact 28.10.4 (Markov)

The following types are equivalent:
1. MP
2. ∀f g N→B . (¬K f ←→ K g) → (K f + K g)
3. ∀P P ∀f g N→B . (P ←→ K f ) → (¬P ←→ K g) → DP

Proof 1 → 2. Let ¬K f ←→ K g. Using Fact 28.10.3 and (1) we assume ¬satf |g and
derive a contradiction. Using the assumptions, we have ¬K f and ¬¬K f .
2 → 1. We assume ¬¬K f and prove K f . It suffices to prove K f + satλ[Link].
By (2) it suffices to prove ¬K f ←→ ⊥, which follows from the assumption ¬¬K f .
2 → 3. We assume P ←→ K f and ¬P ←→ K g and prove DP . It suffice to show
K f + K g, which follows with (2).
3 → 2. We assume ¬K f ←→ K g and prove K f + K g. We instantiate (3) with
P := K f and obtain DK f , which yields the claim. ■

Corollary 28.10.5 (Bi-Testability) MP → (P ←→ K f ) → (¬P ←→ K g) → DP .

Under MP, a predicate is decidable if and only if both the predicate and its com-
plement are semidecidable.

Fact 28.10.6 (Bisemidecidability) ∀p X→P . MP → sdec p → sdec p → dec p.

Proof Suppose f and g are semideciders for p and p. We fix x and construct
a decision D(px). The assumptions give us tests f x and gx characterizing px
and ¬px. Now Corollary 28.10.5 yields a decision D(px). ■

The results on Markov’s principle and semi-decidability appear in [12].

Exercise 28.10.7 Prove the following equivalences:

336
 28.11 Promises

a) MP → dec p a sdec p × sdec p

b) MP → dec K a sdec K

Exercise 28.10.8 Prove ∀X T . X → (∀p X→P . sdec p → sdec p → dec p) → MP

Exercise 28.10.9 Prove MP → ¬(∀n. f n = b) ←→ (∃n. f n = ! b).

28.11 Promises

We call functions f N→OX promises. We see promises as tests with output. Given
a promise f , we can perform a linear search f 0, f 1, f 2, . . . until we find the first n
and x such that f n = ◦x. If the search terminates, we refer to n as the span and
to x as the value of f . Formally, we define the predicates

del f N→OX n := (f n ≠ œ)
span f N→OX n := least (del f ) n
δ f N→OX x n := span f n ∧ f n = ◦x
f ⇓ := ex (del f )
f ↓ x := ex (δf x)

The least witness predicate least is from § 13.1.

We assume the implicit typings f N→OX and x X for the rest of the section.

Fact 28.11.1 f ↓ x → f ⇓.

Fact 28.11.2 (Uniqueness)

Spans and values of promises are unique:
1. span f n → span f n′ → n = n′
2. f ↓ x → f ↓ x ′ → x = x ′

Proof Follows with the uniqueness of least (Fact 13.1.1). ■

Fact 28.11.3 (Decidability)

1. D (del f n)
2. D (span f n)
3. E(X) → D (δf xn)

Proof Follows with the decidability of least (Fact 13.3.1). ■

Fact 28.11.4 (Computability)

337
28 Axiom CT and Semidecidability

1. f ⇓ → Σn. span f n
2. f ⇓ → Σx. f ↓ x

Proof (1) follows with an existential least witness operator (Fact 13.2.5) and the
decidability of del (Fact 28.11.3). (2) is a straightforward consequence of (1). ■

Fact 28.11.5 (Semidecidability)

1. sdec (λf .f ⇓)
2. EX → sdec (λf .f ↓ x)

Proof (1) λf n. if f n then true else false is a reduction (λf .f ⇓) ⪯ K.

(2) λf n. if df xn then true else false where d decides δ (Fact 28.11.3) is a reduc-
tion (λf .f ↓ x) ⪯ K. ■

Lemma 28.11.6 (Reductions)

1. X → K ⪯ (λf .f ⇓)
2. (λf .f ⇓) ⪯ (λf .f ↓ x)

Proof (1) λgn. if gn then ◦x else œ is a reduction K ⪯ (λf .f ⇓).

(2) λf n. if f n then ◦x else œ is a reduction (λf .f ⇓) ⪯ (λf .f ↓ x). Direction
f ⇓ → r f ↓ x of the correctness proof uses Fact 28.11.4 (2). ■

Fact 28.11.7 (Interreducibility)

Promise delivery and test satisfiability are interreducible:
1. X → (λf .f ⇓) ≈ K
2. EX → (λf .f ↓ x) ≈ K

Proof Follows with Facts 28.11.5 and 28.11.6. ■

Fact 28.11.8 (Pruning) For every promise one can construct a value-equivalent
promise that delivers at most once:
∀f Σ f ′ . (∀x. f ↓ x ←→ f ′ ↓ x) ∧ (∀xn. f ′ n = ◦x → δf xn).

Proof Function f ′ n := if df n then f n else œ where d is a decider for span f n

(Fact 28.11.3) does it. Correctness can be verified by a case analysis following the
definition of f ′ . ■

Exercise 28.11.9 Show that the promise delivery predicates λf . f ⇓ and λf . f ↓ x

are not cosemidecidable, assuming UT and an inhabited and discrete output type.

338
 28.12 Promising Functions

28.12 Promising Functions

A promising function is a function f X→(N→OY ) mapping values to promises. We use

the notation

PF XY := X → N → OY

for the types of promising functions. Given a promising function f PF XY , we call

the predicate λx.f x⇓ the domain of f and the predicate λxy.f x ↓ y the delivery
relation of f . We call a promising function is total if its delivery relation is total.

Fact 28.12.1 (Promising functions)

1. The delivery relation of a promising function is functional.
2. The values of promising functions are computable: f x⇓ → Σy. f x ↓ y.

Proof Immediate with Facts 28.11.2 and 28.11.4. ■

Fact 28.12.2 (Total promising functions)

Functions g X→Y and total promising functions f PF XY are intertranslatable:
1. ∀g X→Y Σ f PF XY . ∀x. f x ↓ hx.
2. ∀f PF XY . (∀x. f x⇓) → Σ hX→Y . ∀x. f x ↓ hx.

Proof (1) follows with constant promises. (2) follows with the Skolem translation
and Fact 28.12.1 (2). ■

Fact 28.12.3 (Composition)

Promising functions are closed under composition:
∀f PF XY ∀g PF Y Z Σ h PF XZ ∀xz. hx ↓ z ←→ (∃y. f x ↓ y ∧ gy ↓ z).

Proof We combine the spans for f x ↓ y and gy ↓ z with arithmetic pairing and
make use of the decidability of span:

hxn := match f x(π1 n)

[œ ⇒ œ
| ◦ y ⇒ if span (f x)(π1 n)
then if span (gy)(π2 n) then gy(π2 n) else œ
else œ ]

Correctness of h can be verified with a case analysis following the definition of h

and using the uniqueness of span. ■

339
28 Axiom CT and Semidecidability

Promising functions are semideciders with output. They can be seen as type-
theoretic representation of computable functions as they appear in set-theoretic
computability theory. We can translate between semideciders and promising func-
tions such that the domain is preserved.

Fact 28.12.4 (Translations)

1. Y → ∀g X→N→B . Σf PF XY . ∀x. K(gx) ←→ f x⇓
2. ∀f PF XY . Σ g X→N→B . ∀x. K(gx) ←→ f x⇓

Proof (1) follows with f xn := if gxn then ◦y else œ assuming y Y . (2) follows
with gxn := if f xn then true else false. ■

It follows that a predicate is semidecidable if and only if it agrees with the do-
main of a promising function.

Fact 28.12.5 (Semidecidable domains)

1. ∀f PF XY . sdec (λx.f x⇓)
2. Y → ∀p X→P . sdec p a Σf PF XY . p ≡ λx.f x⇓

Fact 28.12.6 (Undecidable domain)

UT → Y → Σ f PF N Y . ¬ sdec λn. f n⇓.

Proof Follows with Facts 28.2.1 and 28.12.5 (2). ■

Fact 28.12.7 (Semidecidability of delivery)

EY → ∀f PF XY . sdec (λx. f x ↓ y).

Proof Let f PF XY . We use the Skolem translation and show

∀x. Σ g. f x ↓ y ←→ K g

The test gn := if d(f x)yn then true else false where d decides δ (Fact 28.11.3)
does it. ■

28.13 Recusant Partial Deciders

We call a promising function f PF XY recusant if it cannot be extended to a total

promising function:

recusant f PF XY := ∀g. (∀xy. f x ↓ y → gx ↓ y) → ∃x. ¬gx⇓

Note that the definition of recusant states the nontotality of the extending func-
tion g existentially as ∃x. ¬gx⇓ rather than negatively as ¬(∀x. gx⇓). While the

340
 28.13 Recusant Partial Deciders

existential version implies the negative version, it takes excluded middle for the
negative version to imply the existential version.
We call promising functions f PF X B partial deciders. Assuming UT, we will con-
struct a recusant partial decider. Recusant partial deciders capture the notion of
recursively inseparable sets from set-theoretic computability theory. If f PF N B is a
recusant partial decider, the predicates λx. f x ↓ true and λx. f x ↓ false represent re-
cursively inseparable sets of numbers. The idea to capture recursive inseparability
with partial deciders appears in Kirst and Peters [20].
Fact 28.13.1 (Decidable domain)
Promising functions with decidable domains have total extensions:
Y → ∀f PF XY . dec (λx. f x⇓) → Σg. (∀x. gx⇓) ∧ (∀xy. f x ↓ y → g ↓ y).

Proof Suppose y Y and ddec (λx. f x⇓) . Then gx := if dx then f x else λk.y is a
total extension of f . ■

Corollary 28.13.2 (Undecidable domain)

Recusant functions have undecidable domains: recusant f → ¬ dec (λx.f x⇓).

Fact 28.13.3 (Right composition)

∀f PF XY ∀hY →Z Σ g PF XZ ∀xy. f x ↓ y → gx ↓ hy.

Proof gxn := match f xk [ ◦y ⇒ ◦hy | œ ⇒ œ ] does it. ■

We define universal partial deciders as follows:

UPD := Σ U N→PF N B . ∀f PF N B ∃c ∀nb. f n ↓ b ←→ Ucn ↓ b

Given a universal partial decider U, we show that the diagonal partial decider
λ[Link] is recusant.
Fact 28.13.4 (Recusant partial decider)
UPD → Σ f PF N B . recusant f .

Proof Let U be a universal partial decider. We show that the diagonal partial de-
cider λ[Link] is recusant. Suppose f PF N B is an extension of λ[Link]. Fact 28.13.3
gives us g PF N B such that ∀nb. f n ↓ b → gn ↓ ! b. Since U is universal, we have
∀nb. gn ↓ b ←→ Ucn ↓ b for some c. We now assume f c⇓ and derive a contradic-
tion. By Fact 28.11.4 (2) we have f c ↓ b. We instantiate the assumptions as follows:

Ucc ↓ ! b → f c ↓ ! b
gc ↓ ! b ←→ Ucc ↓ ! b
f c ↓ b → gc ↓ ! b

Hence we have both f c ↓ b and f c ↓ ! b. Contradiction with functionality of delivery

(Fact 28.11.2). ■

341
28 Axiom CT and Semidecidability

Exercise 28.13.5 We say that a partial decider f PF X B is sound for a predicate p X→P
if ∀x. if f x then px else ¬px. Show that a predicate is decidable if and only if it
has a sound and total partial decider.

28.14 Universal Partial Deciders

We now construct a universal partial decider from a universal test. The idea is as
follows: Given a partial decider f PF N B , we slice it into two binary tests g1 and g2
such that the domains of g1 and g2 agree with λn.f n ↓ true and λn.f n ↓ false.
From the slices g1 and g2 we can rebuild the partial decider f . The universal partial
decider will now use the code π c1 c2 for a partial decider whose slices have the
codes c1 and c2 for the given universal test.
We define a function γf g combining two unary tests into a boolean promise:

γ : (N → B) → (N → B) → (N → OB)
γf g := λn. if f n then ◦true else if gn then ◦false else œ

Fact 28.14.1 γf g ↓ b → if b then K f else K g.

Proof We assume γf gn = ◦b and prove if b then K f else K g by case analysis on

f n and gn. Straightforward. ■

We define disjointness of unary tests as follows: f ∥ g := K f → K g → ⊥.

Fact 28.14.2 (Disjoint test combination)

f ∥ g → γf g ↓ b ←→ (if b then K f else K g).

Proof Direction → follows with Fact 28.14.1. We prove direction ← for b = true, the
other case is analogous.
We assume f ∥ g and K f and prove γf g ↓ true. The assumption gives us f n = true
for some n and thus γf g⇓. Now γf g ↓ b for some b with Fact 28.11.4 (2). This
closes the proof since γf g ↓ false is contradictory by Fact 28.14.1 and f ∥ g. ■

Fact 28.14.3 UT → UPD.

Proof Let U be a universal test. We define

V cn := γ (U(π1 c)n) (U(π2 c)n)

and show

∀f PF N B ∃c ∀nb. f n ↓ b ←→ V cn ↓ b

342
 28.15 Notes

We assume f PF N B and slice it into binary tests g1 and g2 using Fact 28.12.7:

∀n. f n ↓ true ←→ K (g1 n)

∀n. f n ↓ false ←→ K (g2 n)

We now exploit the universality of U and obtain the codes for g1 and g2 :

∀n. K (g1 n) ←→ K (Uc1 n)

∀n. K (g2 n) ←→ K (Uc2 n)

We now show

f n ↓ b ←→ V (π c1 c2 )n ↓ b

for given n and B. Using the definition of V , it remains to show

f n ↓ b ←→ γ(Uc1 n)(Uc2 n) ↓ b

We now verify Uc1 n ∥ Uc2 n using uniqueness of delivery for f n (Fact 28.11.2) and
reduce the claim to

f n ↓ b ←→ if b then K(Uc1 n) else K(Uc2 n)

using Fact 28.14.2. This closes the proof since the equivalence is a straightforward
consequence of the assumption for c1 and c2 . ■

Theorem 28.14.4 (Recusant partial decider) UT → Σ f PF N B . recusant f .

Proof Follows with Facts 28.13.4 and 28.14.3. ■

28.15 Notes

This chapter was written January to April 2024. I’m thankful to Dominik Kirst,
whose slides for an Australian summer school got me started, and with whom I
had weekly lunches and discussions during the writing. Dominik supplied me with
results from the literature that evolved into Facts 28.5.3, 28.6.2, and 28.13.4.
We may say that this chapter investigates results from set-theoretic computabil-
ity in computational type theory. The type-theoretic development profits from the
fact that an explicit model of computation (e.g. Turing machines) can be replaced
with the synthetic notion of computability that comes with CTT.
Different variants of Axiom CT (Church’s thesis) appear in the literature. Troel-
stra and Van Dalen [29] discuss CT informally in the context of constructive Math-
ematics. Forster [10, 11] is the first to study CT in computational type theory.
Forster [11] shows for a call-by-value lambda calculus L [13] formalized in CTT the
following formulations of CT are equivalent:

343
28 Axiom CT and Semidecidability

1. Every function N → N in CTT is computable in L.

2. Every function N → B in CTT is computable in L.
3. The domain of every binary test in CTT can be obtained as the domain of a
function in L.
Forster [11] also covers the diophantine representation of recursively enumerable
sets.

344
29 Inductive Equality
Inductive equality extends Leibniz equality with eliminators discriminating on iden-
tity proofs. The definitions are such that inductive identities appear as computa-
tional propositions enabling reducible casts between computational types.
There is an important equivalence between uniqueness of identity proofs (UIP)
and injectivity of dependent pairs (DPI) (i.e., injectivity of the second projection). As
it turns out, UIP holds for discrete types (Hedberg’s theorem) but is unprovable in
computational type theory in general
Hedberg’s theorem is of practical importance since it yields injectivity of depen-
dent pairs and reducibility of identity casts for discrete types, two features that are
essential for inversion lemmas for indexed inductive types.
The proofs in this chapter are of surprising beauty. They are obtained with de-
pendently typed algebraic reasoning about identity proofs and often require tricky
generalizations.

29.1 Basic Definitions

We define inductive equality as an inductive predicate with two parameters and one
index:

eq (X : T, x : X) : X → P ::=
| Q : eq X x x

We treat the argument X of the constructors eq and Q as implicit argument and

write s = t for eq st. Moreover, we call propositions s = t identities, and refer to
proofs of identities s = t as paths from s to t.
Note that identities s = t are computational propositions. This provides for
expressivity we cannot obtain with Leibniz equality. We define two eliminators for
identities

C : ∀X T ∀x X ∀p X→T ∀y. x = y → px → py
C Xxp _ (Q_) a := a : px

J : ∀X T ∀x X ∀p ∀y. x=y→T
. px(Qx) → ∀ye. pye
J Xxpa _ (Q_) := a : px(Qx)

345
29 Inductive Equality

called cast operator and full eliminator. For C we treat the first four arguments as
implicit arguments, and for J the first two arguments.
We call applications of the cast operator casts. A cast Cp ea with ex=y changes
the type of a from px to py for every admissible type function p. We have

C(Qx)a ≈ a

and say that trivial casts C(Qx)a can be discharged. We also have

∀p X→T ∀ex=y ∀apx . Cp ea ≈ J(λy_.py)aye

which says that the cast eliminator can be expressed with the full eliminator.
Inductive quality as defined here is stronger than the Leibniz equality considered
in Chapter 4. The constructors of the inductive definition give us the constants eq
and Q, and with the cast operator we can easily define the constant for the rewrit-
ing law. Inductive equality comes with two essential generalizations over Leibniz
equality: Rewriting can now take place at the universe T using the cast operator,
and both the cast operator and the full eliminator come with computation rules.
We will make essential use of both features in this chapter.
We remark that equality in Coq is defined as inductive equality and that the full
eliminator J corresponds exactly to Coq’s matches for identities.
The laws for propositional equality can be seen as operators on paths. It turns
out that that these operators have elegant algebraic definitions using casts:

σ : x=y →y =x
σ e := C(λy.y=x) e (Qx)

τ: x=y →y =z→x=z
τe := C(λy.y=z→x=z) e (λe.e)

ϕ : x = y → fx = fy
ϕe := C(λy.f x=f y) e (Q(f x))

It also turns out that these operators satisfy familiar looking algebraic laws.

Exercise 29.1.1 Prove the following algebraic laws for casts and identities ex=y .
a) Ce(Qx) = e
b) Cee = Qy
In each case, determine a suitable type function for the cast.

346
 29.2 Uniqueness of Identity Proofs

Exercise 29.1.2 (Groupoid operations on paths)

Prove the following algebraic laws for σ and τ:
a) σ (σ e) = e
b) τe1 (τe2 e3 ) = τ(τe1 e2 )e3
c) τe(σ e) = Qx
Note that σ and τ give identity proofs a group-like structure: τ is an associative
operation and σ obtains inverse elements.

Exercise 29.1.3 Show that J is more general that C by defining C with J.

Exercise 29.1.4 Prove (true = false) → ∀X T . X not using falsity elimination.

Exercise 29.1.5 (Impredicative characterization)

Prove x = y ←→ ∀p X→P . px → py for inductive identities. Note that the equiva-
lence says that inductive identities agree with Leibniz identities (§4.5).

29.2 Uniqueness of Identity Proofs

We will now show that the following properties of types are equivalent:

UIP(X) := ∀xy X ∀ee′ x=y . e = e′ uniqueness of identity proofs

′ X x=x
UIP (X) := ∀x ∀e . e = Qx u. of trivial identiy proofs
x=x→P
K(X) := ∀x ∀p . p(Qx) → ∀[Link] Streicher’s K
CD(X) := ∀p X→T ∀x ∀apx ∀ex=x . Cea = a cast discharge
X→T
DPI(X) := ∀p ∀xuv. (x, u)p = (x, v)p → u = v dependent pair injectivity

The flagship property is UIP (uniqueness of identity proofs), saying that identities
have at most one proof. What is fascinating is that UIP is equivalent to DPI (de-
pendent pair injectivity), saying that the second projection for dependent pairs is
injective. While UIP is all about identity proofs, DPI doesn’t even mention identity
proofs. There is a famous result by Hofmann and Streicher [18] saying that compu-
tational type theory does not prove UIP. Given the equivalence with DPI, this result
is quite surprising. On the other hand, there is Hedberg’s theorem [16] (§29.3)
saying that UIP holds for all discrete types. We remark that UIP is an immediate
consequence of proof irrelevance.
We now show the above equivalence by proving enough implications. The proofs
are interesting in that they need clever generalization steps to harvest the power of
the identity eliminators J and C. Finding the right generalizations requires insight
and practice.1
1
We acknowledge the help of Gaëtan Gilbert, (Coq Club, November 13, 2020).

347
29 Inductive Equality

Fact 29.2.1 UIP(X) → UIP′ (X).

Proof Instantiate UIP(X) with y := x and e′ := Qx. ■

Fact 29.2.2 UIP′ (X) → K(X).

Proof Instantiate UIP′ (X) with e from K(X) and rewrite. ■

Fact 29.2.3 K(X) → CD(X).

Proof Apply K(X) to ∀ex=x . Cea = a. ■

Fact 29.2.4 CD(X) → DPI(X).

Proof Assume CD(X) and p X→T . We obtain the claim with backward reasoning:

∀xuv. (x, u)p = (x, v)p → u = v by instantiation

sig p π1 a=π1 b
∀ab . a = b → ∀e . Ce(π2 a) = π2 b by elimination on a = b
sig p π1 a=π1 a
∀a ∀e . Ce(π2 a) = π2 a by CD ■

Fact 29.2.5 DPI(X) → UIP′ (X).

Proof Assume DPI(X). We obtain the claim with backward reasoning:

∀ex=x . e = Qx by DPI
x=x
∀e . (x, e)eq x = (x, Qx)eq x by instantiation
∀ex=y . (y, e)eq x = (x, Qx)eq x by J ■

Fact 29.2.6 UIP′ (X) → UIP(X).

Proof Assume UIP′ (X). We obtain the claim with backward reasoning:

∀e′ ex=y . e = e′ by J on e′
∀ex=x . e = Qx by UIP′ ■

Theorem 29.2.7 UIP(X), UIP′ (X), K(X), CD(X), and DPI(X) are equivalent.

Proof Immediate by the preceding facts. ■

Exercise 29.2.8 Verify the above proofs with a proof assistant to appreciate the
subtleties.

Exercise 29.2.9 Give direct proofs for the following implications: UIP(X) → K(X),
K(X) → UIP′ (X), and CD(X) → UIP′ (X).

Exercise 29.2.10 Prove that dependent pair types are discrete if their component
types are discrete: ∀X ∀p X→T . E(X) → (∀x. E(pX)) → E(sig p).

348
 29.3 Hedberg’s Theorem

29.3 Hedberg’s Theorem

We will now prove Hedberg’s theorem [16]. Hedberg’s theorem says that all discrete
types satisfy UIP. Hedberg’s theorem is important in practice since it says that the
second projection for dependent pair types is injective if the first components are
numbers.
The proof of Hedberg’s theorem consists of two lemmas, which are connected
with a clever abstraction we call Hedberg functions. In algebraic speak one may see
a Hedberg function a polymorphic constant endo-function on paths.

Definition 29.3.1 A function f : ∀xy X . x = y → x = y is a Hedberg function

for X if ∀xy X ∀ee′ x=y . f e = f e′ .

Lemma 29.3.2 (Hedberg) Every type that has a Hedberg function satisfies UIP.

Proof Let f : ∀xy X . x = y → x = y be a Hedberg function for X. We treat x, y as

implicit arguments and prove the equation

∀xy ∀ex=y . τ(f e)(σ (f (Qy))) = e

We first destructure e, which reduces the claim to

τ(f (Qx))(σ (f (Qx))) = Qx

which is an instance of equation (c) shown in Exercise 29.1.2.

Now let e, e′ : x = y. We show e = e′ . Using the above equation twice, we have

e = τ(f e)(σ (f (Qy))) = τ(f e′ )(σ (f (Qy))) = e′

since f e = f e′ since f is a Hedberg function. ■

Lemma 29.3.3 Every discrete type has a Hedberg function.

Proof Let d be an equality decider for X. We define a Hedberg function for X as

follows:

f xye := if dxy is L ê then ê else e

We need to show f xye = f xye′ . If dxy = L ê, both sides are ê. Otherwise, we
have e : x = y and x ≠ y, which is contradictory. ■

Theorem 29.3.4 (Hedberg) Every discrete type satisfies UIP.

Proof Lemma 29.3.3 and Lemma 29.3.2. ■

349
29 Inductive Equality

Corollary 29.3.5 Every discrete type satisfies DPI.

Proof Theorems 29.3.4 and 29.2.7. ■

Exercise 29.3.6 Prove Hedberg’s theorem with the weaker assumption that equality
on X is propositionally decidable: ∀xy X . x = y ∨ x ≠ y.

Exercise 29.3.7 Construct a Hedberg function for X assuming FE and stability of

equality on X: ∀xy X . ¬¬(x = y) → x = y.

Exercise 29.3.8 Assume FE and show that N → B satisfies UIP.

Hint: Use Exercises 29.3.7 and 17.4.12.

29.4 Inversion with Casts

Sometimes a full inversion operator for an indexed inductive type family can only
be expressed with a cast. As example we consider derivation types for comparisons
x < y defined as follows:

L (x : N) : N → T ::=
| L1 : L x(Sx)
| L2 : ∀y. L xy → L x(Sy)

The type of the inversion operator for L can be expressed as

∀xy ∀aL xy . match y return L xy → T

[ 0 ⇒ λa. ⊥
′ ′ =x
| Sy ′ ⇒ λaL x(Sy ) . (Σey . Cea = L1 x) + (Σa′ . a = L2 xy ′ a′ )
]a

The formulation of the type follows the pattern we have seen before, except that
there is a cast in the branch for L1 :
′ =x
Σey . Cea = L1 x

The cast is necessary since a has the type L x(Sy ′ ) while L1 x has the type L x(Sx).
A formulation without a cast seems impossible. The defining equations for the
inversion operator discriminate on a, as usual, which yields the obligations

Σex=x . Ce(L1 x) = L1 x
Σa′ . L2 xy ′ a = L2 xy ′ a′

350
 29.5 Constructor Injectivity with DPI

The first obligation follows with cast discharge and UIP for numbers. The second
obligation is trivial.
We need the inversion operator to show derivation uniqueness of L. As it turns
our, we need an additional fact about L:

L xx → ⊥ (29.1)

This fact follows from a more semantic fact

L xy → x < y (29.2)

which follows by induction on L xy. We don’t have a direct proof of (29.1).

We now prove derivation uniqueness

∀xy ∀abL xy . a = b

for L following the usual scheme (induction on a with b quantified followed by

inversion of b). This gives four cases, where the contradictory cases follow with
(29.1). The two remaining cases

∀bL x(Sx) ∀ex=x . Ceb = b

L2 xya′ = L2 xyb′

follow with UIP for numbers and the inductive hypothesis, respectively.
We can also define an index inversion operator for L

∀xy ∀aL xy . match y [ 0 ⇒ ⊥ | Sy ′ ⇒ x ≠ y ′ → L xy ′ ]

by discriminating on a.

Exercise 29.4.1 The proof sketches described above involve sophisticated type
checking and considerable technical detail, more than can be certified reliably on
paper. Use the proof assistant to verify the above proof sketches.

29.5 Constructor Injectivity with DPI

We present another inversion fact that can only be verified with UIP for numbers.
This time we need DPI for numbers. We consider the indexed type family

K (x : N) : N → T ::=
| K1 : K x(Sx)
| K2 : ∀zy. K xz → K zy → K xy

351
29 Inductive Equality

which provides a derivation system for arithmetic comparisons x < y taking tran-
sitivity as a rule. Obviously, K is not derivation unique. We would like to show that
the value constructor K2 is injective:

∀aK xz ∀bK zy . K2 xzyab = K2 xzya′ b′ → (a, b) = (a′ , b′ ) (29.3)

We will do this with a customized index inversion operator

Kinv : ∀xy. K xy → (y = Sx) + (Σz. K xz × K zy)

satisfying

Kinv xy(K2 xzyab) ≈ R (z, (a, b))

(R is one of the two value constructors for sums). Defining the inversion operator
Kinv is routine. We now prove (29.3) by applying Kinv using Fact 4.6.1 to both sides
of the assumed equation of (29.3), which yields

R (z, (a, b)) = R (z, (a′ , b′ ))

Now the injectivity of the sum constructor R (a routine proof) yields

(z, (a, b)) = (z, (a′ , b′ ))

which yields (a, b) = (a′ , b′ ) with DPI for numbers.

The proof will also go through with a simplified inversion operator Kinv where
in the sum type is replaced with the option type O(Σz. K xz × K zy). However, the
use of a dependent pair type seems unavoidable, suggesting that injectivity of K2
cannot be shown without DPI.

Exercise 29.5.1 Prove injectivity of the constructors for sum using the applicative
closure law (Fact 4.6.1).

Exercise 29.5.2 Prove injectivity of K2 using a customized inversion operator em-

ploying an option type rather than a sum type.

Exercise 29.5.3 Prove injectivity of K2 with the dependent elimination tactic of

Coq’s Equations package.

Exercise 29.5.4 Define the full inversion operator for K.

Exercise 29.5.5 Prove K xy a x < y.

Exercise 29.5.6 Prove that there is no function ∀xy. K xy → Σz. K xz × K zy.

352
 29.6 Inductive Equality at Type

29.6 Inductive Equality at Type

We define an inductive equality type at the level of general types

id (X : T, x : X) : X → T ::=
| I : id X x x

and ask how propositional inductive equality and computational inductive equal-
ity are related. In turns out that we can go back and forth between proofs of propo-
sitional identities x = y and derivations of general identities id xy, and that UIP
at one level implies UIP at the other level. We learn from this example that as-
sumptions concerning only the propositional level (i.e., UIP) may leak out to the
computational level and render nonpropositional types inhabited that seem to be
unconnected to the propositional level.
First, we observe that we can define transfer functions

↑ : ∀X ∀xy X ∀ex=y . id xy
↓ : ∀X ∀xy X ∀aid xy . x = y

such that ↑(Qx) ≈ Ix and ↓(Ix) ≈ Qx for all x, and ↓(↑ e) = e and ↑(↓ a) = a for
all e and a. We can also define a function

ϕ : ∀XY ∀f X→Y ∀xx ′X . id xx ′ → id (f x)(f x ′ )

Fact 29.6.1 UIP X → ∀xy X ∀abid xy . id ab.

Proof We assume UIP X and x, y : X and a, b : id xy. We show id ab. It suffices to

show
id (↑ (↓ a))(↑ (↓ b))

By ϕ it suffices to show id (↓ a)(↓ b). By ↑ it suffices to show ↓a = ↓b, which holds

by the assumption UIP X. ■

Exercise 29.6.2 Prove the converse direction of Fact 29.6.1.

Exercise 29.6.3 Prove Hedberg’s theorem for general inductive equality. Do not
make use of propositional types.

Exercise 29.6.4 Formulate the various UIP characterizations for general inductive
equality and prove their equivalence. Make sure that you don’t use propositional
types. Note that the proofs from the propositional level carry over to the general
level.

353
29 Inductive Equality

29.7 Notes

The dependently typed algebra of identity proofs identified by Hofmann and

Streicher [18] plays an important role in homotopy type theory [30], a recent branch
of type theory where identities are accommodated as nonpropositional types and
UIP is inconsistent with the so-called univalence assumption. Our proof of Hed-
berg’s theorem follows the presentation of Kraus et al. [21]. That basic type theory
cannot prove UIP was discovered by Hofmann and Streicher [18] in 1994 based on
a so-called groupoid interpretation.

354
30 Well-Founded Recursion
Well-founded recursion is provided with an operator

wf (R) → ∀p X→T . (∀x. (∀y. Ryx → py) → px) → ∀x. px

generalizing arithmetic size induction such that recursion can descend along any
well-founded relation. In addition, the well-founded recursion operator comes with
an unfolding equation making it possible to prove for the target function the equa-
tions used for the definition of the step function. Well-foundedness of relations is
defined constructively with recursion types

AR (x : X) : P ::= C (∀y. Ryx → AR y)

obtaining well-founded recursion from the higher-order recursion coming with in-
ductive types. Being defined as computational propositions, recursion types medi-
ate between proofs and computational recursion.
The way computational type theory accommodates definitions and proofs by
general well-founded recursion is one of the highlights of computational type
theory.

30.1 Recursion Types

We assume a binary relation R X→X→P and pronounce the Ryx as y below x. We

define the recursion types for R as follows:

AR (x : X) : P ::= C (∀y. Ryx → AR y)

and call the elements of recursion types recursion certificates. Note that recur-
sion types are computational propositions. A recursion certificate of type AR (x)
justifies all recursions starting from x and descending on the relation R. That a
recursion on a certificate of type AR (x) terminates is ensured by the built-in ter-
mination property of computational type theory. Note that recursion types realize
higher-order recursion.
We will harvest the recursion provided by recursion certificates with a recursion
operator

W ′ : ∀p X→T . (∀x. (∀y. Ryx → py) → px) → ∀x. AR x → px

W ′ pF x(C ϕ) := F x(λyr . W ′ pF y(ϕyr ))

355
30 Well-Founded Recursion

Computationally, W ′ may be seen as an operator that obtains a function

∀x. AR x → px

from a step function

∀x. (∀y. Ryx → py) → px

The step function describes a function ∀[Link] obtained with a continuation func-
tion

∀y. Ryx → py

providing recursion for all y below x. We also speak of recursion guarded by R.

We define well-founded relations as follows:

wf (R X→X→P ) := ∀x. AR (x)

Note that a proof of a proposition wf (R) is a function that yields a recursion cer-
tificate AR (x) for every x of the base type of R. For well-founded relations, we can
specialize the recursion operator W ′ as follows:

W : wf (R) → ∀p X→T . (∀x. (∀y. Ryx → py) → px) → ∀x. px

W hpF x := W ′ pF x(hx)

We will refer to W ′ and W as well-founded recursion operators. Moreover, we will

speak of well-founded induction if a proof is obtained with an application of W ′
or W .
It will become clear that W generalizes the size induction operator. For one thing
we will show that the order predicate <N→N→N is a well-founded relation. Moreover,
we will show that well-founded relations can elegantly absorbe size functions.
The inductive predicates AR are often called accessibility predicates. They in-
ductively identify the accessible values of a relation as those values x for which all
values y below (i.e., Ryx) are accessible. To start with, all terminal values of R are
accessible in R. We have the equivalence

AR (x) ←→ (∀y. Ryx → AR (y))

Note that the equivalence is much weaker than the inductive definition in that it
doesn’t provide recursion and in that it doesn’t force an inductive interpretation of
the predicate AR (e.g., the full predicate would satisfy the equivalence).
We speak of recursion types AR (x) rather than accessibility propositions AR (x)
to emphasize that the propositional types AR (x) support computational recursion.

356
 30.2 Well-founded Relations

Fact 30.1.1 (Extensionality) Let R and R ′ be relations X → X → P.

Then (∀xy. R ′ xy → Rxy) → ∀x. AR (x) → AR′ (x).

Proof By well-founded induction with W ′ . ■

Exercise 30.1.2 Prove AR (x) ←→ (∀y. Ryx → AR (y)) from first principles. Make
sure you understand both directions of the proof.

Exercise 30.1.3 Prove AR (x) → ¬Rxx.

Hint: Use well-founded induction with W ′ .

Exercise 30.1.4 Prove Rxy → Ryx → ¬AR (x).

Exercise 30.1.5 Show that well-founded relations disallow infinite descend:

AR (x) → px → ¬∀x. px → ∃y. py ∧ Ryx.

Exercise 30.1.6 Suppose we narrow the propositional discrimination restriction of

the underlying type theory such that recursion types are the only propositional
types allowing for computational discrimination. We can still express an empty
propositional type with computational falsity elimination:

V : P ::= A(λab⊤ .⊤) (I)

Define a function V → ∀X T . X.

30.2 Well-founded Relations

Fact 30.2.1 The order relation on numbers is well-founded.

Proof We prove the more general claim ∀nx. x < n → A< (x) by induction on the
upper bound n. For n = 0 the premise x < n is contradictory. For the successor
case we assume x < Sn and prove A< (x). By the single constructor for A we
assume y < x and prove A< (x). Follows by the inductive hypothesis since y < n.■

Given two relations R X→X→P and S Y →Y →P , we define the lexical product R × S as

a binary relation X × Y → X × Y → P :

R × S := λ(x ′ , y ′ ) (x, y)X×Y .Rx ′ x ∨ x ′ = x ∧ Sy ′ y

Fact 30.2.2 (Lexical products) wf (R) → wf (S) → wf (S × R).

357
30 Well-Founded Recursion

Proof We prove ∀xy. AR×S (x, y) by nested well-founded induction on first x in R

and then y in S. By the constructor for AR×S (x, y) we assume Rx ′ x∨x ′ = x∧Sy ′ y
and prove AR×S (x ′ , y ′ ). If Rx ′ x, the claim follows by the inductive hypothesis
for x. If x ′ = x ∧ Sy ′ y, the claim is AR×S (x, y ′ ) and follows by the inductive
hypothesis for y. ■

The above proof is completely straightforward when carried out formally with
the well-founded recursion operator W .
Another important construction for binary relations are retracts. Here one has
a relation R Y →Y →P and uses a function σ X→Y to obtain a relation Rσ on X:

Rσ := λx ′ x. R(σ x ′ )(σ x)

We will show that retracts of well-founded relations are well-founded. It will also
turn out that well-founded recursion on a retract Rσ is exactly well-founded size
induction on R with the size function σ .
Fact 30.2.3 (Retracts) wf (R) → wf (Rσ ).

Proof Let R Y →Y →P and σ X→Y . We assume wf (R). It suffices to show

∀yx. σ x = y → ARσ (x)

We show the lemma by well-founded induction on y and R. We assume σ x = y

and show ARσ (x). Using the constructor for ARσ (x), we assume R(σ x ′ )(σ x) and
show ARσ (x ′ ). Follows with the inductive hypothesis for σ x ′ . ■

Corollary 30.2.4 (Well-founded size induction)

Let R Y →Y →P be well-founded and σ X→Y . Then:
∀p X→T . (∀x. (∀x ′ . R(σ x ′ )(σ x) → px ′ ) → px) → ∀x. px.

We now obtain the arithmetic size induction operator from § 19.2 as a special
case of the well-founded size induction operator.
Corollary 30.2.5 (Arithmetic size induction)
∀σ X→N ∀p X→T . (∀x. (∀x ′ .σ x ′ < σ x → px ′ ) → px) → ∀x. px.

Proof Follows with Corollary 30.2.4 and Fact 30.2.1. ■

There is a story here. We came up with retracts to have an elegant construction

of the wellfounded size induction operator appearing in Corollary 30.2.4. Note that
conversion plays an important role in type checking the construction. The proof
that retracts of well-founded relations are well-founded (Fact 30.2.3) is interesting in
that it first sets up an intermediate that can be shown with well-founded recursion.
The equational premise σ x = y of the intermediate claim is needed so that the
well-founded recursion is fully informed. Similar constructions will appear once we
look at inversion operators for indexed inductive types.

358
 30.3 Unfolding Equation

Exercise 30.2.6 Prove R ⊆ R ′ → wf (R ′ ) → wf (R) for all relations R, R ′ : X → X → P.

Tip: Use extensionality (Fact 30.1.1).

Exercise 30.2.7 Give two proofs for wf (λxy. Sx = y) : A direct proof by structural
induction on numbers, and a proof exploiting that λxy. Sx = y is a sub-relation of
the order relation on numbers.

30.3 Unfolding Equation

Assuming FE, we can prove the equation

W F x = F x(λyr . W F y)

for the well-founded recursion operator W . We will refer to this equation as un-
folding equation. The equation makes it possible to prove that the function W F
satisfies the equations underlying the definition of the guarded step function F .
This is a major improvement over arithmetic size induction where no such tool is
available. For instance, the unfolding equation gives us the equation

0 if x ≤ y
Dxy =
S(D(x − Sy)y) if x > y

for an Euclidean division function D defined with well-founded recursion on <N :

Dxy := W (F y)x

F : N → ∀x. (∀x ′ . x ′ < x → N) → N


0 if x ≤ y
F yxh :=
S(h(x − Sy)[x − Sy < x\) if x > y

Note that the second argument y is treated as a parameter. Also note that the
equation for D is obtained from the unfolding equation for W by computational
equality.
We now prove the unfolding equation using FE. We first show the remarkable
fact that under FE all recursion certificates are equal.

Lemma 30.3.1 (Uniqueness of recursion types)

Under FE, all recursion types are unique: FE → ∀x ∀abAR (x) . a = b.

Proof We prove
∀x ∀aAR (x) ∀bc AR (x) . b = c

359
30 Well-Founded Recursion

using W ′ . This gives us the claim ∀bc AR (x) . b = c and the inductive hypothesis
′
∀x ′ . Rx ′ x → ∀bc AR (x ) . b = c

We destructure b and c, which gives us the claim

Cϕ = Cϕ′

for ϕ, ϕ′ : ∀x ′ . Rx ′ x → AR (x ′ ). By FE it suffices to show

ϕx ′ r = ϕ′ x ′ r
′
for r Rx x . Holds by the inductive hypothesis. ■

Fact 30.3.2 (Unfolding equation)

′ ′ ′
Let R X→X→P , p X→T , and F ∀x. (∀x . Rx x→px )→px .
Then FE → wf (R) → ∀x. W F x = F x(λx ′ r . W F x ′ ).

Proof We prove W F x = F x(λx ′ r . W F x ′ ). We have

W F x = W ′ F xa = W ′ F x(Cϕ) = F x(λx ′ r . W ′ F x ′ (ϕx ′ r ))

for some a and ϕ. Using FE, it now suffices to prove the equation

W ′ F x ′ (ϕx ′ r ) = W ′ F x ′ b

for some b. Holds by Lemma 30.3.1. ■

(∀x ′ . Rx ′ x→px ′ )→px

For functions f ∀x. px and F ∀x. we define

f î F := ∀x. f x = F x(λyr .f y)

and say that f satisfies F . Given this notation, we may write

FE → wf (R) → W F î F

for Fact 30.3.2. We now prove that all functions satisfying a step function agree if
FE is assumed and R is well-founded.

Fact 30.3.3 (Uniqueness)

′ ′ ′
Let R X→X→P , p X→T , and F ∀x. (∀x . Rx x→px )→px .
Then FE → wf (R) → (f î F ) → (f ′ î F ) → ∀x. f x = f ′ x.

Proof We prove ∀x. f x = f ′ x using W with R. Using the assumptions for f and f ′ ,
we reduce the claim to F x(λx ′ r .f x ′ ) = F x(λx ′ r .f ′ x ′ ). Using FE, we reduce that
claim to Rx ′ x → f x ′ = f ′ x ′ , an instance of the inductive hypothesis. ■

Exercise 30.3.4 Note that the proof of Lemma 30.3.1 doubles the quantification
of a. Verify that this is justified by the general law (∀a.∀[Link]) → ∀[Link].

360
 30.4 Example: GCDs

g:N→N→N
g0y = y
g (Sx) 0 = Sx

g (Sx) (y − x) if x ≤ y
g (Sx) (Sy) =
g (x − y) (Sy) if x > y

guard conditions
x ≤ y → Sx + (y − x) < Sx + Sy
x > y → (x − y) + Sy < Sx + Sy

Figure 30.1: Recursive specification of a gcd function

30.4 Example: GCDs

Our second example for the use of well-founded recursion and the unfolding equa-
tion is the construction of a function computing GCDs (§ 20.5). We start with the
procedural specification in Figure 30.1. We will construct a function g N→N→N satis-
fying the specification using W on the retract of <N for the size function

σ : N×N→N
σ (x, y) := x + y

The figure gives the guard conditions for the recursive calls adding the precondi-
tions established by the conditional in the third specifying equation.
Given the specification in Figure 30.1, the formal definition of the guarded step
function is straightforward:

F : ∀c N×N . (∀c ′ . σ c ′ < σ c → N) → N

F (0, y) _ := y
F (Sx, 0) _ := Sx

h (Sx, y − x) [Sx + (y − x) < Sx + Sy\ if x ≤ y
F (Sx, Sy) h :=
h (x − y, Sy) [(x − y) + Sy < Sx + Sy\ if x > y

We now define the desired function

g:N→N→N
gxy := W HF (x, y)

361
30 Well-Founded Recursion

using the recursion operator W and the function

H : ∀c N×N . A(<N )σ (c)

obtained with the functions for recursion certificates for numbers (Fact 30.2.1) and
retracts (Fact 30.2.3). Each of the three specifying equations in Figure 30.1 can now
be obtained as an instance of the unfolding equation (Fact 30.3.2).
In summary, we note that the construction of a function computing GCDs with a
well-founded recursion operator is routine given the standard constructions for re-
tracts and the order on numbers. Proving that the specifying equations are satisfied
is straightforward using the unfolding equation and FE.
That the example can be done so nicely with the general retract construction is
due to the fact that type checking is modulo computational equality. For instance,
the given type of the step function F is computationally equal to

∀c N×N . (∀c ′ . (<N )σ c ′ c → N) → N

Checking the conversions underlying our presentation is tedious if done by hand

but completely automatic in Coq.

Exercise 30.4.1 Construct a function f N→N→N satisfying the Ackermann equations

(§1.11) using well-founded recursion for the lexical product <N × <N .

30.5 Unfolding Equation without FE

We have seen a proof of the unfolding equation assuming FE. Alternatively, one
can prove the unfolding equation assuming that the step function has a particular
extensionality property. For concrete step function one can usually prove that they
have this extensionality without using assumptions.
We assume a relation R X→X→P , a type function p X→T , and a step function

F : ∀x. (∀x ′ . Rx ′ x → px ′ ) → px

We define extensionality of F as follows:

ext(F ) := ∀xhh′ . (∀yr . hyr = h′ yr ) → F xh = F xh′

The property says that F xh remains the same if h is replaced with a function agree-
ing with h. We have FE → ext(F ). Thus all proofs assuming ext(F ) yields proofs for
the stronger assumption FE.

Fact 30.5.1 ext(F ) → ∀xaa′ . W ′ F xa = W ′ F xa′ .

362
 30.6 Witness Operator

Proof We assume ext(F ) and show ∀x∀aAR (x) . ∀aa′ . W ′ F xa = W ′ F xa′ using W ′ .
This give us the inductive hypothesis

∀y ∀r Ryx ∀aa′ . W ′ F ya = W ′ F ya′

By destructuring we obtain the claim W ′ F x(Cϕ) = W ′ F x(Cϕ′ ) for two functions

ϕ, ϕ′ : ∀y. Ryx → AR (y). By reducing W ′ we obtain the claim

F x(λyr . W ′ F y(ϕyr )) = F x(λyr . W ′ F y(ϕ′ yr ))

By the extensionality of F we now obtain the claim

W ′ F y(ϕyr ) = W ′ F y(ϕ′ yr )

for r Ryx , which is an instance of the inductive hypothesis. ■

Fact 30.5.2 (Unfolding equation)

Let R be well-founded. Then ext(F ) → ∀x. W F x = F x(λyr . W F y).

Proof We assume ext(F ) and prove W F x = F x(λyr . W F y). We have W F x =

W ′ F x(Cϕ) = F x(λyr . W ′ F y(ϕyr )). Extensionality of F ′ now gives us the claim
W ′ F y(ϕyr ) = W ′ F y(ϕ′ yr ), which follows by Fact 30.5.1. ■

Exercise 30.5.3 From the definition of extensionality for step function it seams
clear that ordinary step functions are extensional. To prove that an ordinary step
function is extensional, no induction is needed. It suffices to walk through the
matches and confront the recursive calls.
a) Prove that the step function for Euclidean division is extensional (§30.3).
b) Prove that the step function for GCDs is extensional (§30.4).
c) Prove that the step function for the Ackermann equations is extensional (Exer-
cise 30.4.1).

Exercise 30.5.4 Show that all functions satisfying an extensional step function for
a well-founded relation agree.

30.6 Witness Operator

There is an elegant and instructive construction of an existential witness operator

for numbers (Fact 14.2.2) using recursion types. We assume a decidable predicate
p N→P and define a relation

Rxy := x = Sy ∧ ¬py

on numbers. We would expect that p is satisfiable if and only if AR is satisfiable.

And given a certificate AR (x), we can compute a witness of p doing a linear search
starting from x using well-founded recursion.

363
30 Well-Founded Recursion

Lemma 30.6.1 p(x + y) → AR (y).

Proof Induction on x with y quantified. The base case follows by falsity elimina-
tion. For the successor case, we assume H : p(Sx + y) and prove AR (y). Using the
constructor for AR , we assume ¬py and prove AR (Sy). By the inductive hypothe-
sis it suffices to show p(x + Sy). Holds by H. ■

Lemma 30.6.2 AR (x) → sig(p).

Proof By well-founded induction with W ′ . Using the decider for p, we have two
cases. If px, we have sig(p). If ¬px, we have R(Sx)x and thus the claim holds by
the inductive hypothesis. ■

Fact 30.6.3 (Existential witness operator)

∀p N→P . (∀x. D(px)) → ex(p) → sig(p).

Proof We assume a decidable and satisfiable predicate p N→P and define R as above.
By Lemma 30.6.2 it suffices to show AR (0). We can now obtain a witness x for p.
The claim follows with Lemma 30.6.2. ■

We may see the construction of an existential witness operator for numbers with
linear search types (Fact 14.2.2) as a specialization of the construction shown here
where the general recursion types used here are replaced with special purpose linear
search types.

Exercise 30.6.4 Prove AR (n) ←→ T (n).

Exercise 30.6.5 Prove that AR yields the elimination lemma for linear search types:

∀qN→T . (∀n. (¬pn → q(Sn)) → qn) → ∀n. AR (n) → qn

Do the proof without using linear search types.

30.7 Equations Package and Extraction

The results presented so far are such that, given a recursive specification of a func-
tion, we can obtain a function satisfying the specification, provided we can supply a
well-founded relation and proofs for the resulting guard conditions (see Figure 30.1
for an example). Moreover, if we don’t accept FE as an assumption, we need to prove
that the specified step function is extensional as defined in §30.5.
The proof assistant Coq comes with a tool named Equations package making it
possible to write recursive specifications and associate them with well-founded re-
lations. The tool then automatically generates the resulting proof obligations. Once

364
 30.8 Padding and Simplification

the user has provided the requested proofs for the specification, a function is de-
fined and proofs are generated that the function satisfies the specifying equations.
This uses the well-founded recursion operator and the generic proofs of the unfold-
ing equation we have seen. One useful feature of Equations is the fact that one can
specify functions with several arguments and with size induction. Equations then
does the necessary pairing and the retract construction, relieving the user from
tedious coding.
Taken together, we can now define recursive functions where the termination
conditions are much relaxed compared to strict structural recursion. In contrast
to functions specified with strict structural recursion, the specifying equations are
satisfied as propositional equations rather than as computational equations. Nev-
ertheless, if we apply functions defined with well-founded recursion to concrete
and fully specified arguments, reduction is possible and we get the accompanying
computational equalities (e.g., gcd 21 56 ≈ 7).
This is a good place to mention Coq’s extraction tool. Given a function speci-
fied in computational type theory, one would expect that one can extract related
programs for functional programming languages. In Coq, such an extraction tool
is available for all function definitions, and works particularly well for functions
defined with Equations. The vision here is that one specifies and verifies functions
in computational type theory and then extracts programs that are correct by con-
struction. A flagship project using extraction is CompCert ([Link]) where a
verified compiler for a subset of the C programming language has been developed.

30.8 Padding and Simplification

Given a certificate a : AR (x), we can obtain a computationally equal certificate

b : AR (x) that exhibits any number of applications of the constructor for certifi-
cates:

a ≈ Cx(λyr . a′ )
a ≈ Cx(λyr .Cy(λy ′ r ′ . a′′ ))

We formulate the idea with two functions

D : ∀x. AR (x) → ∀y. Ryx → AR (y)

D xa := match a [ C ϕ ⇒ ϕ ]

P : N → ∀x. AR (x) → AR (x)

P 0xa := a
P (Sn)a := Cx(λyr . P ny(Dxayr ))

365
30 Well-Founded Recursion

and refer to P as padding function. We have, for instance,

P (1 + n)xa ≈ Cx(λy1 r1 . P ny1 (Dxay1 r1 ))

P (2 + n)xa ≈ Cx(λy1 r1 . Cy1 (λy2 r2 . P ny2 (Dy1 (Dxay1 r1 )y2 r2 )))

The construction appears tricky and fragile on paper. When carried out with a proof
assistant, the construction is fairly straightforward: Type checking helps with the
definitions of D and P , and simplification automatically obtains the right hand sides
of the two examples from the left hand sides.
When we simplify a term P (k + n)xa where k is a concrete number and n, x,
and a are variables, we obtain a term that needs at least 2k additional variables to be
written down. Thus the example tells us that simplification may have to introduce
an unbounded number of fresh variables.
The possibility for padding functions seems to be a unique feature of higher-
order recursion.

Exercise 30.8.1 Write a padding function for linear search types (§ 14.1).

30.9 Classical Well-foundedness

Well-founded relations and well-founded induction are basic notions in set-theoretic

foundations. The standard definition of well-foundedness in set-theoretic founda-
tions asserts that all non-empty sets have minimal elements. The set-theoretic def-
inition is rather different the computational definition based on recursion types.
We will show that the two definitions are equivalent under XM, where sets will be
expressed as unary predicates.
A meeting point of the computational and the set-theoretic world is well-founded
induction. In both worlds a relation is well-founded if and only if it supports well-
founded induction.

Fact 30.9.1 (Characterization by well-founded induction)

∀R X→X→P . wf (R) ←→ ∀p X→P . (∀x. (∀y. Ryx → py) → px) → ∀x. px.

Proof Direction → follows with W . For the other direction, we instantiate p

with AR . It remains to show ∀x. (∀y. Ryx → AR y) → AR x, which is an instance
of the type of the constructor for AR . ■

The characterization of well-foundedness with the principle of well-founded in-

duction is very interesting since no inductive types and only a predicate p X→P is
used. Thus the computational aspects of well-founded recursion are invisible. They
are added by the presence of the inductive predicate AR admitting computational
elimination.

366
 30.9 Classical Well-foundedness

Next we establish a positive characterization of the non-well-founded elements

of a relation. We define progressive predicates and progressive elements for a
relation R X→X→P as follows:

proR (p X→P ) := ∀x. px → ∃y. py ∧ Ryx

proR (x X ) := ∃p. px ∧ proR (p)

Intuitively, progressive elements for a relation R are elements that have an infinite
descent in R. Progressive predicates are defined such that every witness has an
infinite descent in R. Progressive predicates generalize the frequently used notion
of infinite descending chains.

Fact 30.9.2 (Disjointness) ∀x. AR (x) → proR (x) → ⊥.

Proof By well-founded induction with W ′ . We assume a progressive predicate p

with px and derive a contradiction. By destructuring we obtain y such that py and
Ryx. Thus proR (y). The inductive hypothesis now gives us a contradiction. ■

Fact 30.9.3 (Exhaustiveness) XM → ∀x. AR (x) ∨ proR (x).

Proof Using XM, we assume ¬AR (x) and show proR (x). It suffices to show
proR (λz.¬AR (z)). We assume ¬AR (z) and prove ∃y. ¬AR (y) ∧ Ryz. Using XM,
we assume H : ¬∃y. ¬AR (y) ∧ Ryz and derive a contradiction. It suffices to prove
AR (z). We assume Rz′ z and prove AR (z′ ). Follows with H and XM. ■

Fact 30.9.4 (Characterization by absence of progressive elements)

XM → (wf (R) ←→ ¬∃x. proR (x)).

Proof For direction → we assume wf (R) and proR (x) and derive a contradiction.
We have AR (x). Contradiction by Fact 30.9.2.
For direction ← we assume ¬∃x. proR (x) and prove AR (x). By Fact 30.9.3 we
assume proR (x) and have a contradiction with the assumption. ■

We define the minimal elements in R X→X→P and p X→P as follows:

minR,p (x) := px ∧ ∀y. py → ¬Ryx

Using XM, we show that a predicate is progressive if and only if it has no minimal
element.

Fact 30.9.5 XM → (proR (p) ←→ ¬∃x. minR,p (x)).

367
30 Well-Founded Recursion

Proof For direction →, we derive a contradiction from the assumptions proR (p),
px, and ∀y. py → ¬Ryx. Straightforward.
For direction ←, using XM, we derive a contradiction from the assumptions
¬∃x. minR,p (x), px, and H : ¬∃y. py ∧ Ryx. We show minR,p (x). We assume
py and Ryx and derive a contradiction. Straightforward with H. ■

Next we show that R has no progressive element if and only if every satisfiable
predicate has a minimal witness.

Fact 30.9.6 XM → (¬(∃x. proR (x)) ←→ ∀p. (∃x. px) → ∃x. minR,p (x)).

Proof For direction →, we use XM and derive a contradiction from the assumptions
¬∃x. proR (x), px, and ¬∃x. minR,p (x). With Fact 30.9.5 we have proR (p). Contra-
diction with ¬∃x. proR (x).
For direction ←, we assume px and proR (p) and derive a contradiction.
Fact 30.9.5 gives us ¬∃x. minR,p (x). Contradiction with the primary assumption. ■

We now have that a relation R is well-founded if and only if every satisfiable

predicate has a minimal witness in R.

Fact 30.9.7 (Characterization by existence of minimal elements)

XM → (wf (R) ←→ ∀p X→P . (∃x. px) → ∃x. minR,p (x).

Proof Facts 30.9.4 and 30.9.6. ■

The above proofs gives us ample opportunity to contemplate about the role of
XM in proofs. An interesting example is Fact 30.9.3, where XM is used to show that
an element is either well-founded or progressive.

30.10 Transitive Closure

The transitive closure R + of a relation R X→X→P is the minimal transitive relation

containing R. There are different possibilities for defining R + . We choose an induc-
tive definition based on two rules:

Rxy R + xy ′ Ry ′ y
R + xy R + xy

We work with this format since it facilitates proving that taking the transitive clo-
sure of a well-founded relation yields a well-founded relation. Note that the induc-
tive predicate behind R + has four parameters X, R, x, y, where X, R, x are uniform
and y is non-uniform.

368
 30.11 Notes

Fact 30.10.1 Let R X→X→P . Then wf (R) → wf (R + ).

Proof We assume wf (R) and prove ∀y. AR+ (y) by well-founded induction on y
and R. This gives us the induction hypothesis and the claim AR+ (y). Using the
constructor for recursion types we assume R + xy and show AR+ (x). If R + xy is
obtained from Rxy, the claim follows with the inductive hypothesis. Otherwise we
have R + xy ′ and Ry ′ y. The inductive hypothesis gives us AR+ (y ′ ). Thus AR+ (x)
since R + xy ′ . ■

Exercise 30.10.2 Prove that R + is transitive.

Hint: Assume R + xy and prove ∀z. R + yz → R + xz by induction on R + yz. First
formulate and prove the necessary induction principle for R + .

30.11 Notes

The inductive definition of the well-founded points of a relation appears in Aczel [1]
in a set-theoretic setting. Nordström [26] adapts Aczel’s definition to a constructive
type theory without propositions and advocates functions recursing on recursion
types. Balaa and Bertot [3] define a well-founded recursion operator in Coq and
prove that it satisfies the unfolding equation. They suggest that Coq should support
the construction of functions with a tool taking care of the tedious routine proofs
coming with well-founded recursion, anticipating Coq’s current Equations package.

369
31 Aczel Trees and Hierarchy Theorems

Aczel trees are wellfounded trees where each node comes with a type and a function
fixing the subtree branching. Aczel trees were conceived by Peter Aczel [2] as a
representation of set-like structures in type theory. Aczel trees are accommodated
with inductive type definitions featuring a single value constructor and higher-order
recursion.
We discuss the dominance condition, a restriction on inductive type definitions
ensuring predicativity of nonpropositional universes. Using Aczel trees, we will
show an important foundational result: No universe embeds into one of its types.
From this hierarchy result we obtain that proof irrelevance is a consequence of
excluded middle, and that omitting the propositional discrimination restriction in
the presence of the impredicative universe of propositions results in inconsistency.

31.1 Inductive Types for Aczel Trees

We define an inductive type providing Aczel trees:

T : T ::= T (X : T, X → T )

There is an important constraint on the universe levels of the two occurrences of T

we will discuss later. We see a tree T Xf as a tree taking all trees f x as (immediate)
subtrees, where the edges to the subtrees are labelled with the values of X. We
clarify the idea behind Aczel trees with some examples. The term

T ⊥ (λa. match a [])

describes an atomic tree not having subtrees. Given two trees t1 and t2 , the term

T B (λb. match b [ true ⇒ t1 | false ⇒ t2 ])

describes a tree having exactly t1 and t2 as subtrees where the boolean values are
used as labels. The term

T N (λ_. T⊥ (λh. match h [])

describes an infinitely branching tree that has a subtree for every number. All
subtrees of the infinitely branching tree are equal (to the atomic tree).

371
31 Aczel Trees and Hierarchy Theorems

Consider the term

T T (λs.s)

which seems to describe a universal tree having every tree as subtree. It turns out
that the term for the universal tree does not type check since there is a universe
level conflict. First we note that Coq’s type theory admits the definition

T : Ti ::= T (X : Tj , X → T )

only if i > j. This reflects a restriction on inductive definitions we have not dis-
cussed before. We speak of the dominance condition. In its general form, the
dominance condition says that the type of every value constructor (without the pa-
rameter prefix) must be a member of the universe specified for the type constructor.
The dominance condition admits the above definition for i > j since then Tj : Ti ,
X : Ti , and T : Ti and hence

(∀X Tj . (X → T ) → T ) : Ti

using the universe rules from §5.3. For the reader’s convenience we repeat the rules
for universes

T1 : T2 : T3 : · · ·
P ⊆ T1 ⊆ T2 ⊆ T3 ⊆ · · ·
P : T2

and function types

⊢u:U x:u⊢v:U ⊢u:U x:u ⊢ v : P

u u
⊢ ∀x .v : U ⊢ ∀x . v : P

here. The variable U ranges over the computational universes Ti . The first rule
says that every computational universe is closed under taking function types. The
second rule says that the universe P enjoys a stronger closure property known as
impredicativity.
Note that the term for the universal tree T T (λs.s) does not type check since we
do not have T : Tj for i > j.

Exercise 31.1.1 The dominance condition for inductive type definitions requires
that the types of the value constructors are in the target universe of the type con-
structor, where the types of the value constructor are considered without the pa-
rameter prefix. That the parameter prefix is not taken into account ensures that

372
 31.2 Propositional Aczel Trees

the universes Ti are closed under the type constructors for pairs, options, and lists.
Verify the following typings for lists:

L(X : Ti ) : Ti ::= nil | cons (X, L(X))

L : Ti → Ti : Ti+1
nil : L(X) : Ti (X : Ti )
cons : X → L(X) → L(X) : Ti (X : Ti )
Ti
nil : ∀X . L(X) : Ti+1
Ti
cons : ∀X . X → L(X) → L(X) : Ti+1

Write down an analogous table for pairs and options.

31.2 Propositional Aczel Trees

We now note that the definition

Tp : P ::= Tp (X : P, X → Tp )

of the type of propositional Aczel trees satisfies the dominance condition since the
type of the constructor Tp is in P by the impredicativity of the universe P:

(∀X U . (X → Tp ) → Tp ) : P

Moreover, the term for the universal tree

up := Tp Tp (λs.s)

does type check for propositional Aczel trees. So there is a universal propositional
Aczel tree.
The universal propositional Aczel tree up is paradoxical in that it conflicts with
our intuition that all values of an inductive type are wellfounded. A value of an
inductive type is wellfounded if descending to a subvalue through a recursion in the
type definition always terminates. Given that reduction of recursive functions is as-
sumed to be terminating, one would expect that values of inductive types are well-
founded. However, the universal propositional Aczel tree Tp Tp (λs.s) is certainly
not wellfounded. So we have to adopt the view that because of the impredicativity
of the universe P certain recursive propositional types do admit non-wellfounded
values. This does not cause harm since the propositional discrimination restriction
reliably prevents recursion on non-wellfounded values.
We remark that there are recursive propositional types providing for functional
recursion. A good example are the linear search types for the existential witness op-
erator for numbers (§ 14.1)). It seems that the values of computational propositions
are always wellfounded.

373
31 Aczel Trees and Hierarchy Theorems

31.3 Subtree Predicate and Wellfoundedness

We will consider computational Aczel trees at the lowest universe level

T : T2 ::= T (X : T1 , X → T )

and propositional Aczel trees

Tp : P ::= Tp (X : P, X → Tp )

as defined before. We reserve the letters s and t for Aczel trees.

To better understand the situation, we define a subtree predicate for computa-
tional Aczel trees:

∈: T →T →P
s ∈ T Xf := ∃x. f x = s

Remarkably, the propositional discrimination restriction prevents us from defining

an analogous subtree predicate for propositional Aczel trees (since the target type
is not a proposition but the universe P).
For computational Aczel trees we can prove ∀s. s ∉ s, which disproves the exis-
tence of a universal tree. We will prove ∀s. s ∉ s by induction on s.

Definition 31.3.1 (Eliminator for computational Aczel trees)

ET : ∀p T →T . (∀Xf . (∀x. p(f x)) → p(T Xf )) → ∀s. ps

ET p F (T Xf ) := F Xf (λx. ET p F (f x))

Fact 31.3.2 (Irreflexivity) ∀s T . s ∉ s.

Proof By induction on s (using ET ) it suffice to show TXf ∉ TXf given the induc-
tive hypothesis ∀x. f x ∉ f x. It suffices to show for every x X that f x = TXf is
contradictory. Since f x = TXf implies f x ∈ f x, we have a contradiction with the
inductive hypothesis. ■

For propositional Aczel trees we can prove that a subtree predicate R Tp →Tp →P
such that
R s (Tp Xf ) ←→ ∃x. f x = s
does not exist. This explains why the existence of the universal propositional Aczel
tree does not lead to a proof of falsity.

Definition 31.3.3 (Eliminator for propositional Aczel trees)

ETp : ∀p Tp →P . (∀Xf . (∀x. p(f x)) → p(Tp Xf )) → ∀s. ps

ETp p F (Tp Xf ) := F Xf (λx. ETp p F (f x))

374
 31.4 Propositional Hierarchy Theorem

Fact 31.3.4 ¬∃R Tp →Tp →P . ∀sXf . Rs(Tp Xf ) ←→ ∃x. f x = s.

Proof Let R Tp →Tp →P be such that ∀sXf . Rs(Tp Xf ) ←→ ∃x. f x = s. We derive a

contradiction. Since the universal propositional Aczel tree up := Tp Tp (λs.s) satis-
fies Ruu, it suffices to prove ∀s. ¬Rss. We can do this by induction on s (using ETp )
following the proof for computational Aczel trees (Fact 31.3.2). ■

We summarize the situation as follows. Given a type

T : U ::= T(X : V , X → T )

of Aczel trees, if we can define a subtree predicate ∈ : T → T → P such that

s ∈ TXf ←→ ∃x. f x = s

we cannot define a universal tree u ∈ u. This works out such that for propositional
Aczel trees we cannot define a subtree predicate (because of the propositional dis-
crimination restriction) and for computational Aczel trees we cannot define a uni-
versal tree (because of the dominance restriction).
Exercise 31.3.5 Suppose you are allowed exactly one violation of the propositional
discrimination restriction. Give a proof of falsity.

31.4 Propositional Hierarchy Theorem

A fundamental result about Coq’s type theory says that the universe P of proposi-
tions cannot be embedded into a proposition, even if equivalent propositions may
be identified. This important result was first shown by Thierry Coquand [9] in 1989
for a subsystem of Coq’s type theory. We will prove the result for Coq’s type theory
by showing that an embedding as specified provides for the definition of a subtree
predicate for propositional Aczel trees.
Theorem 31.4.1 (Coquand) There is no proposition AP such that there exist func-
tions E P→A and D A→P such that ∀P P . D(E(P )) ←→ P .

Proof Let AP , E P→A , D A→P be given such that ∀P P . D(E(P )) ←→ P . By Fact 31.3.4
is suffices to show that

Rst := D (match t [ Tp Xf ⇒ E(∃x. f x = s)])

satisfies ∀sXf . Rs(Tp Xf ) ←→ ∃x. f x = s, which is straightforward. Note that the

match in the definition of R observes the propositional discrimination restriction
since the proposition ∃x. f x = s is encoded with E into a proof of the proposition
A. ■

Exercise 31.4.2 Show ¬∃AP ∃E P→A ∃D A→P ∀P P . D(E(P )) = P .

Exercise 31.4.3 Show ∀P P . P ≠ P.

375
31 Aczel Trees and Hierarchy Theorems

31.5 Excluded Middle Implies Proof Irrelevance

With Coquand’s theorem we can show that the law of excluded middle implies proof
irrelevance (see §5.2 for definitions). The key idea is that given a proposition with
two different proofs we can define an embedding as excluded by Coquand’s theo-
rem. For the proof to go through we need the full elimination lemma for disjunc-
tions (see Exercise 31.5.2).

Theorem 31.5.1 Excluded middle implies proof irrelevance.

Proof Let d∀X : P. X∨¬X and let a and b be proofs of a proposition A. We show a = b.
Using excluded middle, we assume a ≠ b and derive a contradiction with Coquand’s
theorem. To do so, we define an encoding E P→A and a decoding D A→P as follows:

E(X) := if dX then a else b

D(c) := (a = c)

It remains to show D(E(X)) ←→ X for all propositions X. By computational equality

it suffices to show

(a = if dX then a else b) ←→ X

By case analysis on dX : X ∨ ¬X using the full elimination lemma for disjunctions

(Exercise 31.5.2) we obtain two proof obligations

X → (a = a ←→ X)
¬X → (a = b ←→ X)

which both follow by propositional reasoning (recall the assumption a ≠ b). ■

Exercise 31.5.2 Prove the full elimination lemma for disjunctions

∀XY P ∀p X∨Y →P . (∀x X . p(L x)) → (∀y Y . p(R y)) → ∀a. pa

which is needed for the proof of Theorem 31.5.1.

31.6 Hierarchy Theorem for Computational Universes

We will now show that no computational universe embeds into one of its types. Note
that by Coquand’s theorem we already know that the universe P does not embed
into one of its types.
We define a general embedding predicate E T→T→P for types:

EXY := ∃E X→Y ∃D Y →X ∀x. D(Ex) = x

376
 31.6 Hierarchy Theorem for Computational Universes

Fact 31.6.1 Every type embeds into itself: ∀X T : EXX.

Fact 31.6.2 ∀XY T : ¬EXY → X ≠ Y .

Fact 31.6.3 P embeds into no proposition: ∀P P . ¬E PP .

Proof Follows with Coquand’s theorem 31.4.1. ■

We now fix a computational universe U and work towards a proof of

∀AU . ¬EUA. We assume a type AU and an embedding EUA with functions E U→A
and D A→U satisfying D(EX) = X for all types X U . We will define a customized type
T : U of Aczel trees for which we can define a subtree predicate and a universal
tree. It then suffices to show irreflexivity of the subtree predicate to close the proof.
We define a type of customized Aczel trees:

T : U ::= T (a : A, Da → T )

and a subtree predicate:

∈: T →T →P
s ∈ T af := ∃x. f x = s

Fact 31.6.4 (Irreflexivity) ∀s T . s ∉ s.

Proof Analogous to the proof of Fact 31.3.2. ■

Recall that we have to construct a contradiction. We embark on a little de-

tour before we construct a universal tree. By Fact 31.6.1 and the assumption we
have ET (D(ET )). Thus there are functions F T →D(E T ) and G D(E T )→T such that
∀s T . G(F s) = s. We define
u := T(ET )G
By Fact 31.6.1 it suffices to show u ∈ u. By definition of the membership predicate
it suffices to show
∃x. Gx = u
which holds with the witness x := F u. We now have the hierarchy theorem for
computational universes.

Theorem 31.6.5 (Hierachy) ∀X U . ¬EUX.

Exercise 31.6.6 Show ∀X U . X ≠ U for all universes U .

Exercise 31.6.7 Let i ≠ j. Show Ti ≠ Tj .

Exercise 31.6.8 Assume the inductive type definition A : T1 ::= C(T1 ) is admitted
although it violates the dominance condition. Give a proof of falsity.

377
31 Aczel Trees and Hierarchy Theorems

Acknowledgements

Thorsten Altenkirch suggested Aczel trees as a means for obtaining negative results
in January 2016 at the POPL conference in St. Petersburg, Florida. Steven Schäfer
came up with an elegant proof of Coquand’s theorem using Aczel trees in June 2018
at the Types conference in Braga, Portugal.

378
 Part V

Appendices

379
Appendix: Typing Rules

We give the typing rules for graded universes T0 , T1 , . . . and P := T0 . In this

formulation P = T0 requires one extra rule distinguishing it from the other graded
universes. The extra rule says that P = T0 admits impredicative function types.

⊢ u : Ti x : u ⊢ v : Ti ⊢ u : Ti x : u ⊢ v : T0
u
⊢ Ti : Ti+1 ⊢ ∀x : u. v : Ti ⊢ ∀x . v : T0

⊢ s : ∀x : u. v ⊢t:u ⊢ u : Ti x:u ⊢ s : v
⊢st : vx
t ⊢ λx . s : ∀x u . v
u

⊢ s : u′ u′ ≈ u ⊢ u : Ti
⊢s:u

⊢ s : ∀x1 : t1 . · · · ∀xn : tn . Ti
n≥0
⊢ s : ∀x1 : t1 . · · · ∀xn : tn . Ti+1

• In practice, one writes just P and T and checks that all occurrences of T can be
assigned universe levels i ≥ 1. The particular universe level assignment does not
matter, provided it type checks.
• The subtyping rule (appearing last) realizes P ⊆ T1 ⊆ T2 ⊆ · · · with n = 0.
• We have ø Ti : Ti .
• vx
t is capture-free substitution.
• Computational equality s ≈ t is defined with reduction and α- and η-equivalence.
• Variable typings (x : u before ⊢) are introduced by the rules for ∀ and λ and the
patterns of defining equations.
• Simple function types u → v are notation for dependent function types ∀x : u. v
where x does not occur in v.
• Functions whose type ends with the universe P are called predicates.
• Functions whose type ends with a universe Ti with i > 0 are called type functions.

381
Appendix: Inductive Definitions

We collect technical information about inductive definitions here. Inductive defini-

tions come in two forms, inductive type definitions and inductive function defini-
tions. Inductive type definitions introduce typed constants called constructors, and
inductive function definitions introduce typed constants called inductive functions.
Inductive function definitions come with defining equations serving as computation
rules. Inductive definitions are designed such that they preserve consistency.

Inductive Type Definitions

An inductive type definition introduces a system of typed constants consisting of a

type constructor and n ≥ 0 value constructors. The type constructor must target
a universe, and the value constructors must target a type obtained with the type
constructor. The first n ≥ 0 arguments of the type constructor may be declared as
parameters. The remaining arguments of a type constructor are called indices.
Parameter condition: Each value constructor must take the parameters of the
type constructor as leading arguments and must target the type constructor ap-
plied to these arguments. We speak of the parametric arguments and the proper
arguments of a value constructor.
Strict positivity condition: If a value constructor uses the type constructor in an
argument type, the path to the type constructor must not go through the left-hand
side of a function type.
Dominance condition: If the type constructor targets a universe Ti , the types
of the proper arguments of the value constructors must be in Ti .

Inductive Function Definitions

An inductive function definition introduces a constant called an inductive function

together with a system of defining equations serving as computation rules. An
inductive function must be defined with a functional type, a number of required
arguments, and a distinguished required argument called the discriminating argu-
ment. The type of an inductive function must have the form

∀x1 . . . xk ∀y1 . . . ym . cs1 . . . sn y1 . . . ym → t

383
Appendix: Inductive Definitions

where the following conditions are satisfied:

• cs1 . . . sn y1 . . . ym types the discriminating argument.
• c is a type constructor with n ≥ 0 parameters and m ≥ 0 indices.
• Index condition: The index variables y1 , . . . , ym must be distinct and must not
occur in s1 , . . . , sn .
• Propositional discrimination restriction: t must be a proposition if c is not
computational. A type constructor c is computational if in case it targets P it
has at most one proof constructor d and all proper arguments of d have propo-
sitional types.
For every value constructor of c a defining equation must be provided, where the
pattern and the target type of the defining equations are determined by the type of
the inductive function, the position of discriminating argument, and the number of
arguments succeeding the discriminating argument. Each pattern contains exactly
two constants, the inductive function and a value constructor in the position of the
discriminating argument. Patterns must be linear (no variable appears twice) and
must give the index arguments of the inductive function as underlines. The patterns
for constructors must omit the parametric arguments of the constructor.
Every defining equation must satisfy the guard condition, which constrains the
recursion of the inductive function to be structural on the discriminating argument.
The guard condition must be realized as a decidable condition. There are different
possibilities for the guard condition. In this text we have been using the strictest
form of the guard condition.
The format of inductive function definitions is such that for every inductive type
a universal inductive function (a universal eliminator) can be obtained taking as
arguments continuations for the value constructors of the type. A particular induc-
tive function for the type can then be obtained by providing the particular continua-
tions. If a constructor is recursive, its continuation takes the results of the recursive
calls as arguments. Eager recursion is fine since computation terminates. Universal
eliminators usually employ target type functions.

Remarks

1. The format for inductive functions is such that universal eliminators can be
defined that can express all other inductive functions. Inductive functions may
also be called eliminators.
2. The special case of zero value constructors is redundant. A proposition ⊥ with
an eliminator ⊥ → ∀X T . X can be defined with a single proof constructor ⊥ → ⊥.
3. Assuming type definitions at the computational level, accommodating type def-
initions also at the propositional level is responsible for the propositional dis-

384
 crimination restriction.
4. The dominance condition is vacuously satisfied for propositional type defini-
tions.
5. Defining equations with a secondary case analysis (e.g., subtraction) come as
syntactic convenience. They can be expressed with auxiliary functions defined
as inductive functions.
6. Our presentation of inductive definitions is compatible with Coq but takes away
some of the flexibility provided by Coq. Our format requires that in Coq a re-
cursive abstraction (i.e., fix) is directly followed by a match on the discriminating
argument. This excludes a direct definition of Euclidean division. It also excludes
the (redundant) eager recursion pattern sometimes used for well-founded recur-
sion in the Coq literature.

Examples

We give for some inductive type families discussed in this text

• the type of the type constructor.
• the type of one of the value constructors.
• the type of the eliminator we have been using (prefix and target, clauses for value
constructors omitted).
• The pattern of the defining equation for the eliminator and the given value con-
structor.

Lists

L : T→T
cons : ∀X. X → L(X) → L(X)
E : ∀X.∀p L(X)→T . . . . → ∀A. pA
E Xp · · · (cons xA) := e xA(E · · · A)

L(X) has uniform parameter X.

Linear search types

T : (N → P) → N → T
C : ∀qn. (¬qn → T q(Sn)) → T qn
E : ∀q.∀p N→T . . . . → ∀n. T qn → pn
E qp · · · n (Cϕ) := e n(λa.E · · · (Sn)(ϕa))

T qn has uniform parameter q and nonuniform parameter n.

385
Appendix: Inductive Definitions

Hilbert derivation types

H : For → T
K : ∀st. H (s → t → s)
E : ∀p For→T . . . . → ∀s. H (s) → ps
E p · · · _ (Kst) := e st

H (s) has index s.

ND derivation types

⊢ : L(For) → For → T
I→ : ∀Ast. (s :: A ⊢ t) → (A ⊢ (s → t))
E : ∀p L(For)→For→T . . . . → ∀As. (A ⊢ s) → pAs
E p · · · A _ (I→ std) := e Ast(E · · · (s :: A)td)

A ⊢ s has nonuniform parameter A and index s.

386
Appendix: Basic Definitions

We summarize basic definitions concerning functions and predicates. We make

explicit the generality coming with dependent typing. As it comes to arity, we state
the definitions for the minimal number of arguments and leave the generalization
to more arguments to the reader (as there is no formal possibility to express this
generalization).
A fixed point of a function f X→X is a value x X such that f x = x.
Two types X and Y are in bijection if there are functions f X→Y and g Y →X invert-
ing each other; that is, the roundtrip equations ∀x. g(f x) = x and ∀y. f (gy) = y
are satisfied. We define:

inv g f := ∀x. g(f x) = x g inverts f

For functions f : ∀x X . px we define:

injective (f ) := ∀xx ′ . f x = f x ′ → x = x ′ injectivity

surjective (f ) := ∀y ∃x. f x = y surjectivity
bijective (f ) := injective (f ) ∧ surjective (f ) bijectivity
′ ′
f ≡f := ∀x. f x = f x agreement

The definitions extend to functions with n ≥ 2 arguments as one would expect.

Note that injectivity, surjectivity, and bijectivity are invariant under agreement.
For binary predicates P : ∀x X . px → P we define:

functional (P ) := ∀xyy ′ . P xy → P xy ′ → y = y ′ functionality

total (P ) := ∀x ∃y. P xy totality

The definitions extend to predicates with n ≥ 2 arguments as one would expect. To

functional relations we may also refer as unique relations.
For unary predicates P , Q : X → P we define:

P ⊆ Q := ∀x. P x → Qx respect
P ≡ Q := ∀x. P x ←→ Qx agreement

The definitions extend to predicates with n ≥ 2 arguments as one would expect.

387
Appendix: Basic Definitions

For functions f : ∀x X . px and predicates P : ∀x X . px → P:

f ⊆ P := ∀x. P x(f x) respect

The definitions extend to functions with n ≥ 2 arguments and predicates with n + 1

arguments as one would expect.

The following facts have straightforward proofs:

1. P ⊆ Q → functional (Q) → functional (P )
2. P ⊆ Q → total (P ) → total (Q)
3. P ⊆ Q → total (P ) → functional (Q) → P ≡ Q
4. f ⊆ P → functional (P ) → (∀xy. P xy ←→ f x = y)

388
Appendix: Exercise Sheets

Below you will find the weekly exercise sheets for the course Introduction to
Computational Logic as given at Saarland University in the summer semester 2022
(13 weeks of full teaching). The sheets tell you which topics of MPCTT we covered
and how much time we spent on them.

389
Appendix: Exercise Sheets

Assignment 1

Do the following exercises on paper using mathematical notation and also with the
proof assistant Coq. Follow the style of Chapter 1 and the accompanying Coq file
gs.v. For each function state the type and the defining equations. Make sure you
understand the definitions and proofs you give.

Exercise 1.1 Define an addition function add for numbers and prove that it is com-
mutative.

Exercise 1.2 Define a distance function dist for numbers and prove that it is com-
mutative. Do not use helper functions.

Exercise 1.3 Define a minimum function min for numbers and prove that it is com-
mutative. Do not use helper functions. Prove min x (x + y) = x.

Exercise 1.4 Define a function fib satisfying the procedural Fibonacci equations.
Define the unfolding function for the equations and prove your function satisfies
the unfolding equation.

Exercise 1.5 Define an iteration function computing f n (x) and prove the shift laws
f Sn (x) = f n (f x) = f (f n (x)).

Exercise 1.6 Give the types of the constructors pair and Pair for pairs and pair
types. Give the inductive type definition. Define the projections fst and snd and
prove the η-law. Define a swap function and prove that it is self-inverting. Do not
use implicit arguments.

Want More?
You will find further exercises in Chapter 1 of MPCT. You may for instance define
Ackermann functions using either a higher-order helper function or iteration and
verify that your functions satisfy the procedural specification given as unfolding
function.

390
Assignment 2

Do the exercises on paper using mathematical notation and also with the proof
assistant Coq.

Exercise 2.1 Define a truncating subtraction function using a plain constant defini-
tion and a recursive abstraction.

Exercise 2.2 Assume A := fix f x. λy. match x [ 0 ⇒ y | Sx ⇒ S(f xy) ].

a) Gives the types for A, f , x, and y.
b) For each of the following equations, give the normal forms of the two sides and
say which reduction rules are needed. Decide whether the equation holds by
computational equality.
(i) A 1 = S.
(ii) A 2 = λ[Link]
(iii) (let f = A 1 in f ) = S
(iv) A = λ[Link]
(v) A = fix f x. match x [ 0 ⇒ λy.y | Sx ⇒ λy. S(f xy) ]

Exercise 2.3 Prove the following propositions (tables, terms, and Coq). Assume
that X, Y , Z are propositions.
a) X → Y → X
b) (X → Y → Z) → (X → Y ) → X → Z
c) (X → Y ) → ¬Y → ¬X
d) (X → ⊥) → (¬X → ⊥) → ⊥
e) ¬(X ↔ ¬X)
f) ¬¬(¬¬X → X)
g) ¬¬(((X → Y ) → X) → X)
h) ¬¬((¬Y → ¬X) → X → Y )
i) (X ∧ Y → Z) → (X → Y → Z)
j) (X → Y → Z) → (X ∧ Y → Z)
k) ¬¬(X ∨ ¬X)
l) ¬(X ∨ Y ) → ¬X ∧ ¬Y
m) ¬X ∧ ¬Y → ¬(X ∨ Y )

391
Appendix: Exercise Sheets

Assignment 3

Do the exercises on paper using mathematical notation and also with the proof
assistant Coq.

Exercise 3.1 (Match functions and impredicative characterizations) Give the

types and the defining equations for the matching functions for ⊥, ∧ and ∨.
Following the types of the matching functions, state the impredicative characteriza-
tions for ⊥, ∧ and ∨. Make sure you can prove the impredicative characterizations
(proof table, proof term, coq script). Type the type arguments of the matching
functions with T (rather than P) if this is possible (propositional discrimination
restriction). Explain why in the impredicative characterizations all type arguments
must be typed with P.

Exercise 3.2 (Exclusive disjunction) Exclusive disjunction X ⊕ Y is a logical con-

nective satisfying the equivalence X ⊕ Y ←→ (X ∧ ¬Y ) ∨ (Y ∧ ¬X).
a) Give an inductive definition of exclusive disjunction and prove the above equiv-
alence.
b) Define the matching function for inductive exclusive disjunction.
c) Give and verify the impredicative characterization of exclusive disjunction.

Exercise 3.3 (Double negation law) Prove the equivalence

(∀X P . X ∨ ¬X) ←→ (∀X P . ¬¬X → X)

to show that the law of excluded middle is intuitionistically equivalent to the double
negation law. Do the proof first with a table and then verify your reasoning with
Coq.

Exercise 3.4 (Conversion rule) Prove

(∀p X→P . py → px) → (∀p X→P . px ←→ py)

with a table and with Coq. Assume X : T and determine the types of the variables x
and y.

392
Exercise 3.5 (Propositional equality) Assume the constants

eq : ∀X T . X → X → P
Q : ∀X T ∀x X . eq X x x
R : ∀X T ∀xy X ∀p X→P . eq Xxy → px → py

for propositional equality and prove the following proposition assuming the vari-
able types x : X, y : X, z : X, f : X → Y , X : T, and Y : T:
a) eq xy → eq yx
b) eq xy → eq yz → eq xz
c) eq xy → eq (f x) (f y)
d) ¬eq ⊤ ⊥
e) ¬eq true false
For each occurrence of eq determine the implicit argument.

393
Appendix: Exercise Sheets

Assignment 4

Do the exercises on paper using mathematical notation and verify your findings
with the proof assistant Coq.

Exercise 4.1 Define the equational constants eq, Q, and R.

Exercise 4.2 MPCTT gives two proofs of transitivity, one using the conversion rule
and one not using the conversion rule. Give each proof as a table and as a term and
verify your findings with the proof assistant Coq.

Exercise 4.3 Define the eliminators for booleans, numbers, and pairs.

Exercise 4.4 (Truncating subtraction)

Define a truncating subtraction function using the eliminator for numbers and not
using discrimination. Show that your function agrees with the standard subtraction
function from Chapter 1 using the eliminator for numbers.

Exercise 4.5 (Boolean equality decider)

Define a boolean equality decider eqb : N → N → B using the eliminator for numbers
and not using discrimination. Show that your function satisfies eqb x y = true ←→
x = y using the eliminator for numbers. Use this result to show ∀xy N . x = y ∨x ≠
y.
Exercise 4.6 (Boolean pigeonhole principle)
a) Prove the pigeonhole principle for B: ∀xyzB . x = y ∨ x = z ∨ y = z.
b) Prove Kaminski’s equation based on the instance of the boolean pigeonhole
principle for f (f x), f x, and x.
Exercise 4.7 (Pair types)
a) Define the eliminator for pair types.
b) Prove that the pair constructor is injective using the eliminator.
c) Use the eliminator to define the projections π1 , π2 and swap.
d) Prove the eta law using the eliminator.
e) Prove swap(swap a) = a.

Exercise 4.8 (Unit type ⊤)

a) Define the eliminator for ⊤ (following the scheme for B).
b) Prove the pigeonhole principle for ⊤: ∀xy ⊤ . x = y.
c) Prove B ≠ ⊤.

Exercise 4.9 Show B ≠ T.

We remark that B = P cannot be proved or disproved.

394
Assignment 5

Do the exercises on paper and verify your findings with Coq.

Exercise 5.1 Define the constants ex, E, and M∃ for existential quantification both
inductively and impredicatively.

Exercise 5.2 Give and verify the impredicative characterization of existential quan-
tification.

Exercise 5.3 Give a proof term for (∃[Link]) → ¬∀x. ¬px using the constants for
existential quantification. Do not use matches.

Exercise 5.4 Prove the following facts about existential quantification:

a) (∃x∃y. pxy) → ∃y∃x. pxy
b) (∃x. px ∨ qx) ←→ (∃[Link]) ∨ (∃[Link])
c) ((∃[Link]) → Z) ←→ ∀x. px → Z
d) ¬¬(∃[Link]) ←→ ¬∀x.¬px
e) (∃x. ¬¬px) → ¬¬∃[Link]
f) (∃[Link]) ∧ Z ←→ ∃x. px ∧ Z
g) x ≠ y ←→ ∃p. px ∧ ¬py

Exercise 5.5 (Fixed points)

a) Prove that all functions ⊤ → ⊤ have fixed points.
b) Prove that the successor function S : N → N has no fixed point.
c) For each type Y = ⊥, B, B × B, N, P, T give a function Y → Y that has no fixed
point.
d) State and prove Lawvere’s fixed point theorem.

Exercise 5.6 (Intuitionistic drinker) Using excluded middle, one can argue that in
a bar populated with at least one person one can always find a person such that if
this person drinks milk everyone in the bar drinks milk:

∀X T ∀ p X→P . (∃x X .⊤) → ∃x. px → ∀y. py

The fact follows intuitionistically once two double negations are inserted:

∀X T ∀ p X→P . (∃x X .⊤) → ¬¬∃x. px → ∀y. ¬¬ py

Prove the intuitionistic version.

395
Appendix: Exercise Sheets

Exercise 5.7 Give the procedural specification for the Fibonacci function as an un-
folding function and prove that all functions satisfying the unfolding equation
agree.

Exercise 5.8 (Puzzle) Give two types that satisfy and dissatisfy the predicate
λX T . ∀f g X→X ∀xy X . f x = y ∨ gy = x.

396
Assignment 6

Exercise 6.1 (Constructor laws for sum types)

Prove the constructor laws for sum types.
a) L x ≠ R y.
b) L x = L x ′ → x = x ′ .
c) R y = R y ′ → y = y ′ .

Exercise 6.2 (Sum and sigma types)

a) Define the universal eliminator for sum types and use it to prove
∀aX+Y . (Σx. a = L x) + (Σy. a = R y).
b) Define the projections π1 and π2 for sigma types.
c) Write the eta law ∀asig p . a = (π1 a, π2 a) for sigma types without notational
sugar and without implicit arguments and fully quantified.
d) Define the universal eliminator for sigma types and use it to prove the eta law.
e) Prove ∀xy B . x & y = false a (x = false) + (y = false).

Exercise 6.3 (Certifying division by 2)

Define a function ∀x N Σn. (x = n · 2) + (x = S(n · 2)).

Exercise 6.4 (Certifying distance function)

Assume a function ∀xy N Σ z. (x + z = y) + (y + z = x) and use it to define
functions f as follows. Verify that your functions satisfy the specifications.
a) f xy = x − y
b) f xy = true ←→ x = y
c) f xy = (x − y) + (y − x)
d) f xy = true ←→ (x − y) + (y − x) ≠ 0

Exercise 6.5 (Certifying deciders) Define functions as follows.

a) ∀XY T . D(X) → D(Y ) → D(X + Y ).
b) ∀X T . (D(X) → ⊥) → ⊥.
c) ∀X T f X→B x X . D(f x = true).
d) ∀X T . D(X) a ΣbB . X a b = true.

397
Appendix: Exercise Sheets

Exercise 6.6 (Bijectivity)

a) Prove B B (⊤ + ⊤).
b) Prove (B B ⊤) → ⊥.
c) Prove B (X × Y ) (sig (λx X .Y )).
d) Prove B (X + Y ) (sig (λbB . if b then X else Y )).
e) Find a type X for which you can prove B X (X + ⊤).
f) Assume function extensionality and prove B (⊤ → ⊤) ⊤.
g) Assume function extensionality and prove B (B → B) (B × B).

398
Assignment 7

Do the proofs with the proof assistant and explain the proof ideas on paper.

Exercise 7.1 (Option types)

a) State and prove the constructor laws for option types.
b) Give the universal eliminator for option types.
c) Prove B (O(X)) (X + ⊤).
d) Prove E(X) a E(O(X)).
e) Prove ∀aO(X) . a ≠ œ a Σx. a = ◦x.
f) Prove ∀f X→O(Y ) . (∀x. f x ≠ œ) → ∀x Σy. f x = ◦y.
3 (⊥)
g) Prove ∀x O . x = œ ∨ x = ◦œ ∨ x = ◦◦œ.
3 (⊥)→O3 (⊥)
h) Prove ∀f O ∀x. f 8 (x) = f 2 (x).
i) Find a type X and functions f : X → O(X) and g : O(X) → X such that you can
prove inv g f and disprove inv f g.

Exercise 7.2 (Finite types)

Let d be a certifying decider for p : On (⊥) → T. Prove the following:
a) D(∀[Link]).
b) D(Σ[Link]).
c) (Σ[Link]) + (∀[Link] → ⊥).
d) The type N of numbers is not finite.

Exercise 7.3 (Pigeonhole)

Sn n
Prove ∀f O (⊥)→O (⊥) . Σab. a ≠ b ∧ f a = f b.
Intuition: If n + 1 pigeons are in n holes, there must be a hole with at least two
pigeons in it.

Exercise 7.4 (Function extensionality)

Assume function extensionality and prove the following.

a) ∀f ⊤→⊤ . f = λa⊤ .a. c) B ≠ (⊤ → ⊤).

b) B (⊤ → ⊤) ⊤. d) E(B → B).

Exercise 7.5 (Proof irrelevance)

a) Prove PE → PI.
b) Suppose there is a function f : (⊤ ∨ ⊤) → B such that f (L I) = true and f (R I) =
false. Prove ¬ PI. Why can’t you define f inductively?

399
Appendix: Exercise Sheets

Exercise 7.6 (Set extensionality)

We define set extensionality as SE := ∀X T ∀pqX→P . (∀x. px ←→ qx) → p = q.
Prove the following:

a) FE → PE → SE. c) SE → p − (q ∪ r ) = (p − q) ∩ (p − r ).
b) SE → PE.

400
Assignment 8

Do the proofs with the proof assistant and explain the proof ideas on paper.

Exercise 8.1 (Arithmetic proofs from first principles)

Prove the following statements not using lemmas from the Coq library. Use
the predefined definitions of addition and subtraction and define order as
(x ≤ y) := (x − y = 0). Start from the accompanying Coq file providing the nec-
essary definitions.

a) x + y = x → y = 0 n) x ≤ x
b) x − 0 = x o) x ≤ y → y ≤ z → x ≤ z
c) x − x = 0 p) x ≤ y → y ≤ x → x = y
d) (x + y) − x = y q) x ≤ y < z → x < z
e) x − (x + y) = 0 r) ¬(x < 0)
f) x ≤ y → x + (y − x) = y s) ¬(x + y < x)
g) (x ≤ y) + (y < x) t) ¬(x < x)
h) ¬(y ≤ x) → x < y u) x ≤ y → x ≤ y + z
i) x ≤ y ←→ ∃z. x + z = y v) x ≤ y → x ≤ Sy
j) x ≤ x + y w) x < y → x ≤ y
k) x ≤ Sx x) ¬(x < y) → ¬(y < x) → x = y
l) x + y ≤ x → y = 0 y) x ≤ y ≤ Sx → x = y ∨ y = Sx
m) x ≤ 0 → x = 0 z) x + y ≤ x + z → y ≤ z

Exercise 8.2 (Arithmetic proofs with automation)

Do the problems of Exercise 1 with Coq’s definition of order and the automation
tactic lia.

401
Appendix: Exercise Sheets

Exercise 8.3 (Complete induction)

a) Define a certifying function ∀xy. (x ≤ y) + (y < x).
b) Prove a complete induction lemma.
c) Prove ∀xy.Σab. x = a · Sy + b ∧ b ≤ y using complete induction and repeated
subtraction.
d) Formulate the procedural specification

f :N→N→N
f x y := if [x ≤ y\ then x else f (x − Sy y) y

as an unfolding function using the function from (a).

e) Prove that all functions satisfying the procedural specification agree.
f) Let f be a function satisfying the procedural specification.
i) Prove ∀xy. f xy ≤ y.
ii) Prove ∀xy. Σk. x = k · Sy + f xy.

402
Assignment 9

Do all exercises with the proof assistant.

Exercise 9.1 (Certifying deciders with lia)

Define deciders of the following types using lia but not using induction.

a) ∀xy. (x ≤ y) + (y < x) c) ∀xy N . (x = y) + (x ≠ y)

b) ∀xy. (x ≤ y) + ¬(x ≤ y) d) ∀xy. (x < y) + (x = y) + (y < x)

Exercise 9.2 (Uniqueness with trichotomy)

Show the uniqueness of the predicate δ for Euclidean division using nia but not
using induction.

Exercise 9.3 (Euclidean quotient)

We consider γ xya := (a · Sy ≤ x < Sa · Sy).
a) Show that γ specifies the Euclidean quotient: γ xya ←→ ∃b. δxyab.
b) Show that γ is unique: γxya → γxya′ → a = a′ .
c) Show that every function f N→N→N satisfies

(∀xy. γ xy(f xy)) ←→ ∀xy. f xy = if [x ≤ y\ then 0 else S(f (x − Sy)y)

d) Consider the function

f :N→N→N
f 0yb := 0
f (Sx)yb := if [b = y\ then S(f xy0) else f xy(Sb)

Show γ xy(f xy0); that is, f xy0 is the Euclidean quotient of x and Sy. This
requires a lemma. Hint: Prove b ≤ y → γ (x + b) y (f xyb).

Exercise 9.4 (Least and safe predicates)

a) Prove safe p(Sn) ←→ safe pn ∧ ¬pn.
b) Prove least (λa. x < Sa · Sy)a ←→ ∃b. x = a · Sy + b ∧ b ≤ y.
c) Prove least (λz. x ≤ y + z)z ←→ z = x − y.
d) Show that the predicates in (b) and (c) are decidable using lia.
e) Prove (∀p N→P . ex p → ex (least p)) → ∀x. safe p x ∨ ex (least p).

403
Appendix: Exercise Sheets

Exercise 9.5 (Least witness search)

Let p N→P be a decidable predicate and L and G be the functions from §17.4 of
MPCTT. Prove the following:
a) ∀n. least p (Gn) ∨ (Gn = n ∧ safe pn)
b) ∀n. pn → least p (Gn)
c) ∀nk. safe pk → least p (Lnk) ∨ (Lnk = k + n ∧ safe p(k + n)
d) ∀n. pn → least p (Ln0)

404
Assignment 10

Do all exercises with the proof assistant.

Exercise 10.1 (Relational specification of least witness operators)

One can give a relational specification of least witness operators in the way we have
seen it for division operators. Given a decidable predicate p N→P , we define

δxy := (least py ∧ y ≤ x) ∨ (y = x ∧ safe px)

Understand and prove the following:

a) ∀nxy. pn → n ≤ x → δxy → least py soundness
′ ′ ′
b) ∀xyy . δxy → δxy → y = y uniqueness
c) ∀x Σy. δxy satisfiability
d) ∀x. δx(Gx) correctness of G
e) ∀x. δx(Lx0) correctness of L
Claim (e) needs to be generalized to Lxy for the induction to go through.

Exercise 10.2 (List basics)

Define the universal eliminator and the constructor laws for lists. First on paper
using mathematical notation, then with Coq.

Exercise 10.3 (List facts)

Understand and prove the following facts about lists:

a) x :: A ≠ A d) x ∈ A +
+ B ←→ x ∈ A ∨ x ∈ B.
b) (A +
+ B) +
+C = A+ + C)
+(B + e) x ∈ f @A ←→ ∃a. a ∈ A ∧ x = f a.
c) len (A +
+ B) = len A + len B

Exercise 10.4 (Lists over discrete type)

Understand and prove the following facts about lists over a discrete type:

a) rep A + nrep A d) x ∈ A → ΣB. len B < len A ∧ A ⊆ x :: B

b) nrep A ←→ ¬rep A e) nrep A → len B < len A → Σz. z ∈ A ∧ z ̸∈ B
c) dec (rep A) f) nrep A → nrep B → A ≡ B → len A = len B

Exercise 10.5 (Pigeonhole)

Prove that a list of numbers whose sum is greater than the length of the list must
contain a number that is at least 2: sum A > len A → Σx. x ∈ A ∧ x ≥ 2. First
define the function sum.

405
Appendix: Exercise Sheets

Exercise 10.6 (Andrej’s Challenge)

Assume an increasing function f N→N (i.e., ∀x. x < f x) and a list A of numbers
satisfying ∀x. x ∈ A ←→ x ∈ f @A. Show that A is empty.

406
Assignment 11

Exercise 11.1 (Even and Odd)

Define recursive predicates even and odd on numbers and show that they partition
the numbers: even n → odd n → ⊥ and even n + odd n.

Exercise 11.2 (Non-repeating lists)

Assume a discrete base type and prove the following facts. You may use the dis-
criminating element lemma.
a) D(x ∈ A) and D(A ⊆ B)
b) ∀A.ΣB. B ≡ A ∧ nrep B
c) A ⊆ B → len B < len A → rep A
d) nrep A → A ⊆ B → len B ≤ len A → nrep B
e) nrep A → A ⊆ B → len B ≤ len A → B ≡ A
f) nrep (f @A) → nrep A
g) nrep A → nrep(rev A)

Exercise 11.3 (Equivalent nonrepeating lists)

Show that equivalent nonrepeating lists have equal length without assuming dis-
creteness of the base type. Hint: Show nrep A → A ⊆ B → len A ≤ len B by induction
on A with B quantified using a deletion lemma.

Exercise 11.4 (Existential characterizations)

Give non-recursive existential characterizations for x ∈ A and rep A and prove their
correctness.

Exercise 11.5 (Existential witness operator for booleans)

Let p B→P be a decidable predicate. Prove ex p → sig p.

Exercise 11.6 (Search types)

Prove the following facts about search types for a decidable predicate p N→P .

a) pn → T n d) T n → T 0
b) T (Sn) → T n e) pn → T 0.
c) T (k + n) → T n f) pn → m ≤ n → T m

g) ∀Z T . ((¬pn → T (Sn)) → Z) → T n → Z
h) ∀qN→T . (∀n. (¬pn → q(Sn)) → qn) → ∀n. T n → qn
i) T n ←→ ∃k. k ≥ n ∧ pk
Note that (h) provides an induction lemma for T useful for direction → of (i).

407
Appendix: Exercise Sheets

Exercise 11.7 (Strict positivity)

Assume that the inductive type definition B : T ::= C(B → ⊥) is admitted although
it violates the strict positivity condition. Give a proof of falsity. Hint: Assume the
definition gives you the constants

B:T C : (B → ⊥) → B M : ∀Z. B → ((B → ⊥) → Z) → Z

First define a function f : B → ⊥ using the matching constant M.

408
Assignment 12

Exercise 12.1 (Intuitionistic ND)

Assume the weakening lemma and prove the following facts with tables giving for
each line the names of the deduction rules used:
a) (A ⊢ ¬¬⊥) → (A ⊢ ⊥)
b) (A ⊢ ¬¬¬s) → (A ⊢ ¬s)
c) (A ⊢ s) → (A ⊢ ¬¬s)
d) A ⊢ s → A, s ⊢ t → A ⊢ t
e) A ⊢ ¬¬(s → t) → ¬¬s → ¬¬t
f) ( ⊢ s → t → u) → (A ⊢ s) → (A ⊢ t) → (A ⊢ u)
g) (A ⊢ s → t) → (A, s ⊢ t)
h) (A ⊢ s ∨ t) a ∀u. (A, s ⊢ u) → (A, t ⊢ u) → (A ⊢ u)

Exercise 12.2 (Classical ND)

Assume the weakening lemma and prove the following facts with tables giving for
each line the names of the deduction rules used:
˙ ⊥) → (A ⊢
a) (A ⊢ ˙ s)
˙ ¬¬s) → (A ⊢
b) (A ⊢ ˙ s)
˙ s ∨ ¬s
c) ⊢
˙ ((s → t) → s) → s
d) ⊢

Exercise 12.3 (Glivenko)

˙ s) and ∀As. (A ⊢
Assume ∀As. (A ⊢ s) → (A ⊢ ˙ s) → (A ⊢ ¬¬s) and prove the
following:
˙ ¬s a A ⊢ ¬s
a) A ⊢
˙⊥ a A⊢⊥
b) A ⊢
c) ((⊢⊥) → ⊥) a ((˙
⊢⊥) → ⊥)

Exercise 12.4 (Induction)

a) (A ⊢ s) → pAs can be shown by induction on the derivation of A ⊢ s. Give the
proof obligation for each of the 9 deduction rules.
b) How do the obligations change if we switch to the classical system and prove
˙ s) → pAs?
(A ⊢
c) As an example, give the proof obligations for a proof of
˙ s) → (A ⊢ ¬¬s).
(A ⊢

409
Appendix: Exercise Sheets

Exercise 12.5 (Reversion, challenging)

We define a reversion function A · s preserving the order of assumptions:

[] · s := s
(t :: A) · s := t → (A · s)

Prove (A ⊢ s) a ( ⊢ A · s).

410
Assignment 13

Exercise 13.1 (Formulas)

We consider an inductive type for formulas s ::= x | ⊥ | s → t with the constructors
for, Var, Bot, and Imp.
a) Give the types of the constructors.
b) Give the type of the eliminator for formulas.
c) Define a recursive predicate ground for formulas saying that a formula contains
no variables.
d) Prove ground(s) → ([] ⊢ s) + ([] ⊢ ¬s) using the eliminator from (b).

Exercise 13.2 (Hilbert Systems)

We consider formulas s ::= x | ⊥ | s → t | s ∨ t.
a) Give the rules for the Hilbert systems H (s).
b) Give the types of the constructors for the inductive type family A ð s. Explain
why A is a uniform parameter and s is an index.
c) Complete the type of the induction lemma ∀Ap. · · · → ∀s. A ð s → ps.
d) Prove (A ð s → s).
e) Prove (A ð t) → (A ð s → t).
f) Prove (s :: A ð t) → (A ð s → t).

Exercise 13.3 (Heyting evaluation)

Consider the Heyting interpretation 0 < 1 < 2.
a) Define the evaluation function E.
b) Give an assignment such that ((x → y) → x) → x evaluates to 1.
c) Explain how one shows H (((x → y) → x) → x) → ⊥ using (b).
d) Give a formula that evaluates under all assignments to 2 but is not intuitionisti-
cally provable.

Exercise 13.4 (Certifying solver)

Assume that E is the boolean evaluation function and that every refutation pred-
icate ρ has a certifying solver ∀A. (Σ α. ∀s ∈ A. Eαs = true) + ρA. Show the
following:
˙ ⊥ is a refutation predicate.
a) λA.A ⊢
˙ s).
b) D( ⊢
˙ s a ∀α. Eαs = true.
c) ⊢

411
Appendix: Exercise Sheets

Exercise 13.5 (Refutation system)

Consider the predicate ρ For→P inductively defined with the following rules:

⊥∈A s∈A ¬s ∈ A
ρ(A) ρ(A)

(s → t) ∈ A ρ(¬s :: A) ρ(t :: A) ¬(s → t) ∈ A ρ(s :: ¬t :: A)

ρ(A) ρ(A)

(s ∧ t) ∈ A ρ(s :: t :: A) ¬(s ∧ t) ∈ A ρ(¬s :: A) ρ(¬t :: A)

ρ(A) ρ(A)

(s ∨ t) ∈ A ρ(s :: A) ρ(t :: A) ¬(s ∨ t) ∈ A ρ(¬s :: ¬t :: A)

ρ(A) ρ(A)

a) Show ρ(¬(((s → t) → s) → s)).

b) Show ρ(A) → ∃s. s ∈ A ∧ Eαs = false.
c) Show the weakening property: ρ(A) → A ⊆ B → ρ(B).
d) Show ρ is a refutation predicate.

412
Appendix: Glossary

Here is a list of technical terms used in the text but not used (much) in the literature.
The technical terms are given in the order they appear first in the text.
• Discrimination
• Inductive function
• Target type function
• Propositional discrimination restriction
• Computational falsity elimination
• Index condition and index variables
• Reloading match

413
Appendix: Author’s Notes

Coq Wishlist

• Have equational function definitions with fixed arity and iterated and nested
discrimination. This is realized in Agda already.
• Change type inference so that the universe Set is not derived as default. Set is
not needed and smuggling it in as default is confusing.
• Have standard notations for sum and sigma types.
• An inductive predicate definition should say explicitly if it wants to lift the
propositional discrimination restriction, and have the assistant check whether
this can be granted. Conjunction can then be defined without granting compu-
tational discrimination.

Clarify

• Named functions come as constructors, reducible functions, or abstract func-

tions.
– Constructors have a fixed arity.
– Reducible functions have a declared arity but may take additional arguments.
– Reducible functions are defined with equations respecting their arity.
– Reducible functions may be inductive or plain.
– Certifying functions and theorems are abstract functions.
– Abstract functions matter; reducible functions are overrated, often don’t want
to know their defining equations.
• Term construction is incremental and type driven.
• Term construction is programmed with scripts.
• Term construction can be top down (backwards), bottom up (forward), and mid-
dle out (let).
• Coq’s tactic mode is term construction mode, not limited to propositional types.
• Proof tables to support term construction on paper.
• Propositions as types is foundation of mathematical reasoning, explains formu-
lation, application, and proofs of theorems.

415
Appendix: Author’s Notes

Editorial decisions

• Refer to all kinds of theorems as facts

• Assert certifying functions as facts when no name is given
• Define certifying functions in Coq with Fact/Qed

Maybe

• refinement types; numeral types as refinement type of N could be nice; but do we

have applications? target types of certifying functions may be seen as refinement
types and occur frequently

Work to do

• summary Part Basics

• chapter Introduction
• Coq development of certifying boolean solver (§ 24.12) needs update

Changelog

2024

• plain definitions explained with inductive function definitions

• η-equivalence and computational equality moved to Chapter 4
• new chapter Axiom CT and Semidecidability

2023

• chapters on certifying functions

• abstract syntax
• finite types, countable types, EWOs
• arithmetic recursion and Euclidean division
• vectors recursive and inductive, bijection
(prompted by Lean’s course by values recursion, via Yannick)
• numerals recursive and inductive, bijection
• chapter on indexed inductives with inductive equality, reflexive transitive clo-
sure, comparisons, numerals, vectors, PCP and bijections with recursive vari-
ants
• inductive GCD relation
• Revised structure, now 4 parts named Basics, More Basics, Case Studies, and
Foundational Studies

416
2021

• MPCTT started
• switch to inductive and plain functions in Chapter 2
• unfolding functions and procedural specifications
• computational falsity elimination
• Andrej Dudenhefner was lead TA

2020

• x ≤ y as x − y = 0, game changer
• chapters on finite types and data types appeared

2019

• semi-decidability

Done

• introduce injections and bijections early

• introduce finite types based on lists early
• countable types.
• linear arithmetic as abstraction level
• abstract constants; equality and Euclidean division as simply typed examples
• construct certifying deciders in tactic mode and provide with abstract constants
• introduce indexed inductives in Part Basics
• constructor patterns always omit arguments of type constructor
• upgrade regular expressions
• harmonize recursive and inductive numeral types

417
Bibliography
[1] Peter Aczel. An introduction to inductive definitions. In Jon Barwise, editor,
Handbook of Mathematical Logic, pages 739–782. North-Holland, 1977.

[2] Peter Aczel. The Type Theoretic Interpretation of Constructive Set Theory.
Studies in Logic and the Foundations of Mathematics, 96:55–66, January 1978.

[3] Antonia Balaa and Yves Bertot. Fix-point equations for well-founded recursion
in type theory. In Mark Aagaard and John Harrison, editors, Theorem Proving
in Higher Order Logics, pages 1–16. Springer Berlin Heidelberg, 2000.

[4] Henk P. Barendregt. The Lambda Calculus: Its Syntax and Semantics. North-
Holland, 2nd revised edition, 1984.

[5] Janusz A. Brzozowski. Derivatives of regular expressions. Journal of the ACM

(JACM), 11(4):481–494, 1964.

[6] Rod M. Burstall. Proving properties of programs by structural induction. The

Computer Journal, 12(1):41–48, 1969.

[7] Adam Chlipala. Certified Programming with Dependent Types: A Pragmatic

Introduction to the Coq Proof Assistant. The MIT Press, 2013.

[8] R. L. Constable. Computational type theory. Scholarpedia, 4(2):7618, 2009.

[9] Thierry Coquand. Metamathematical investigations of a calculus of construc-

tions, 1989.

[10] Yannick Forster. Church’s thesis and related axioms in Coq’s type theory. In
Christel Baier and Jean Goubault-Larrecq, editors, 29th EACSL Annual Confer-
ence on Computer Science Logic, CSL 2021, January 25-28, 2021, Ljubljana,
Slovenia (Virtual Conference), volume 183 of LIPIcs, pages 21:1–21:19, 2021.

[11] Yannick Forster. Computability in Constructive Type Theory. PhD thesis, Saar-
land University, 2021.

[12] Yannick Forster, Dominik Kirst, and Gert Smolka. On synthetic undecidability
in Coq, with an application to the Entscheidungsproblem. In 8th ACM SIGPLAN
International Conference on Certified Programs and Proofs, CPP 2019, Cascais,
Portugal, January 14-15, 2019, New York, NY, USA, Jan 2019. ACM.

419
Bibliography

[13] Yannick Forster and Gert Smolka. Weak call-by-value lambda calculus as a
model of computation in Coq. In ITP 2017, Brasília, Brazil, volume 10499 of
LNCS, pages 189–206. Springer, 2017.

[14] Gerhard Gentzen. Untersuchungen über das logische Schließen I. Mathematis-

che Zeitschrift, 39(1):176–210, 1935. Translation in: Collected papers of Ger-
hard Gentzen, ed. M. E. Szabo, North-Holland,1969.

[15] Gerhard Gentzen. Untersuchungen über das logische Schließen II. Mathematis-
che Zeitschrift, 39(1):405–431, 1935. Translation in: Collected papers of Ger-
hard Gentzen, ed. M. E. Szabo, North-Holland, 1969.

[16] Michael Hedberg. A coherence theorem for Martin-Löf’s type theory. Journal
of Functional Programming, 8(4):413–436, 1998.

[17] J. Roger Hindley and Jonathan P. Seldin. Lambda-Calculus and Combinators,

an Introduction. Cambridge University Press, 2008.

[18] Martin Hofmann and Thomas Streicher. The groupoid model refutes unique-
ness of identity proofs. In LICS 1994, pages 208–212, 1994.

[19] Stanisław Jaśkowski. On the rules of supposition in formal logic, Studia Logica
1: 5—32, 1934. Reprinted in Polish Logic 1920-1939, edited by Storrs McCall,
1967.

[20] Dominik Kirst and Benjamin Peters. Gödel’s theorem without tears - essential
incompleteness in synthetic computability. In Bartek Klin and Elaine Pimentel,
editors, 31st EACSL Annual Conference on Computer Science Logic, CSL 2023,
February 13-16, 2023, Warsaw, Poland, volume 252 of LIPIcs, pages 30:1–30:18,
2023.

[21] Nicolai Kraus, Martín Hötzel Escardó, Thierry Coquand, and Thorsten Al-
tenkirch. Generalizations of Hedberg’s theorem. In Proceedings of TLCA 2013,
volume 7941 of LNCS, pages 173–188. Springer, 2013.

[22] Edmund Landau. Grundlagen der Analysis: With Complete German-English Vo-
cabulary, volume 141. American Mathematical Soc., 1965.

[23] Per Martin-Löf and Giovanni Sambin. Intuitionistic type theory, volume 9. Bib-
liopolis Naples, 1984.

[24] Yuri V. Matiyasevich. Martin Davis and Hilbert’s Tenth Problem. In Eugenio G.
Omodeo and Alberto Policriti, editors, Martin Davis on Computability, Compu-
tational Logic, and Mathematical Foundations, volume 10 of Outstanding Con-
tributions to Logic, pages 35–54. Springer, 2016.

420
 Bibliography

[25] John McCarthy and James Painter. Correctness of a compiler for arithmetic
expressions. Mathematical aspects of computer science, 1, 1967.

[26] Bengt Nordström. Terminating general recursion. BIT Numerical Mathematics,

28(3):605–619, Sep 1988.

[27] Raymond M. Smullyan and Melvin Fitting. Set Theory and the Continuum Hy-
pothesis. Dover, 2010.

[28] A. S. Troelstra and H. Schwichtenberg. Basic proof theory. Cambridge University

Press, 2nd edition, 2000.

[29] A.S. Troelstra and D. Van Dalen. Constructivism in Mathematics. Vol. 121 of
Studies in Logic and the Foundations of Mathematics. North-Holland, Amster-
dam, 1988.

[30] The Univalent Foundations Program. Homotopy Type Theory: Univalent Foun-
dations of Mathematics. [Link] Institute
for Advanced Study, 2013.

[31] Louis Warren, Hannes Diener, and Maarten McKubre-Jordens. The drinker para-
dox and its dual. CoRR, abs/1805.06216, 2018.

421