LFP – A Logical Framework with External Predicates

HAL Id: hal-01146691

https://hal.inria.fr/hal-01146691

Submitted on 13 May 2015

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

LFP – A Logical Framework with External Predicates

Furio Honsell, Marina Lenisa, Luigi Liquori, Petar Maksimovic, Ivan Scagnetto

To cite this version:

Furio Honsell, Marina Lenisa, Luigi Liquori, Petar Maksimovic, Ivan Scagnetto. LFP – A Logical

Framework with External Predicates. 7th International Workshop on Logical Frameworks and Meta-

languages: Theory and Practice - LFMTP 2012. Copenhagen, Denmark - September 9, 2012, Sep

2012, Copenhagen, Denmark. pp.13-22, �10.1145/2364406.2364409�. �hal-01146691�

LF _P – A Logical Framework with External Predicates

Furio Honsell

Universit`a di Udine, Italy furio.honsell@uniud.it

Marina Lenisa

Universit`a di Udine, Italy marina.lenisa@uniud.it

Luigi Liquori

Institut National de Recherche en Informatique et en Automatique, France

Luigi.Liquori@inria.fr

Petar Maksimovic

Institut National de Recherche en Informatique et en Automatique, France,

Mathematical Institute of the Serbian Academy of Sciences and Arts, Serbia

petarmax@mi.sanu.ac.rs

Ivan Scagnetto

Universit`a di Udine, Italy ivan.scagnetto@uniud.it

Abstract

The LFP Framework is an extension of the Harper-Honsell- Plotkin’s Edinburgh Logical Framework LF withexternal pred- icates. This is accomplished by defining lock type constructors, which are a sort of -modality constructors, releasing their ar- gumentunder the conditionthat a possiblyexternal predicate is satisfied on an appropriate typed judgement. Lock types are de- fined using the standard pattern of constructive type theory,i.e. via introduction,elimination, andequality rules. UsingLFP, one can factor out the complexity of encoding specific features of logi- cal systems which would otherwise be awkwardly encoded inLF, e.g. side-conditions in the application of rules in Modal Logics, and substructural rules, as innon-commutative Linear Logic. The idea ofLFP is that these conditions need only to be specified, while theirverificationcan be delegated to an external proof engine, in the style of thePoincar´e Principle. We investigate and characterize the metatheoretical properties of the calculus underpinningLFP: strong normalization, confluence, and subject reduction. This latter property holds under the assumption that the predicates arewell- behaved, i.e.closed under weakening, permutation, substitution, andreductionin the arguments.

Categories and Subject Descriptors F.3.1 [Specifying and Verify- ing and Reasoning about Programs]: Mechanical verification General Terms Theory, Verification

Keywords Type theory, Logical frameworks

1. Introduction

The Edinburgh Logical FrameworkLFof [11] is a first-order con- structive type theory. It was introduced as ageneral metalanguage for logics, as well as a specification language forgeneric proof- development environments. In this paper, we consider an extension

ofLFwithexternal predicates. This is accomplished by defining lock type constructors, which are a sort of-modality constructors for building types of the shapeL^P_N,σ[ρ], wherePis a predicate on typed judgements.

Following the standard specification paradigm in Constructive Type Theory, we define lock types usingintroduction,elimination, andequality rules. Namely, we introduce a lockconstructorfor building objectsL^P_N,σ[M]of type L^P_N,σ[ρ], via theintroduction rule(I), presented below. Correspondingly, we introduce an unlock destructor,U_N,σ^P [M], and anelimination rule (E)which allows for the elimination of the lock type constructor, under the condition that a specific predicateP is verified, possiblyexternally, on an appropriatecorrect,i.e. derivable, judgement.

Γ`ΣM:ρ Γ`ΣN:σ Γ`ΣL<sup>P</sup><sub>N,σ</sub>[M] :L<sup>P</sup><sub>N,σ</sub>[ρ] (I) Γ`ΣM:L^PN,σ[ρ] Γ`ΣN:σ P(Γ`ΣN :σ)

Γ`ΣUN,σ^P [M] :ρ (E) Theequality rulefor lock types amounts to a lock reduction (L- reduction),U_N,σ^P [L^P_N,σ[M]] →L M, which allows for the elim- ination of alock, in the presence of anunlock. TheL-reduction combines with standardβ-reduction intoβL-reduction.

LFP is parametric over a set of (well-behaved) predicatesP, which are defined on derivable typing judgements of the form Γ`Σ N : σ. The syntax ofLFP predicates is not specified, the idea being that their truth is verified via anexternal callto a log- ical system; one can view this externalization as anoracle call.

Thus,LFPallows for the invocation of external “modules” which, in principle, can be executed elsewhere, and whose successful ver- ification can be acknowledged in the system viaL-reduction. Prag- matically, lock types allow for the factoring out of the complexity of derivations by delegating the{verification, computation}of such predicates to an external proof engine or tool. Proof terms do not contain explicit evidence for external predicates, but just record that a verification has{to be, been}carried out. Thus, we combine the reliability of formal proof systems based on constructive type the- ory with the efficiency of other computer tools, in the style of the Poincar´e Principle[4].

In this paper, we develop the metatheory ofLFP. Strong nor- malization and confluence are proven without any assumptions on predicates. For subject reduction, we require the predicates to be

well-behaved,i.e.closed under weakening, permutation,substitu- tion, andβL-reductionin the arguments.LFP is decidable, if the external predicates are decidable.

Moreover, we sketch a library of external predicates, which we use to present substantial examples of encodings inLFP, that are awkward inLF. In particular, we encode the call-by-valueλ- calculus, and we provide smooth encodings of side conditions in the rules of Modal Logics in Natural Deduction style, cf.[2, 8].

We also encode substructural logics, including non-commutative Linear Logic,cf.[8, 21].LFPcan naturally supportprogram cor- rectnesssystems and Hoare-like logics, see [15] for more details.

As far as expressivity is concerned,LFP is a stepping stone towards a general theory ofshallow vs. deep encodings, with our encodings being shallow by definition. Clearly, by Church’s thesis, all external decidable predicates inLFPcan be encoded, possibly with very deep encodings, in standardLF. It would be interesting to state in a precise categorical setting the relationship between such deep internal encodings and the encodings inLFP.LFP can also be viewed as a neat methodology for separating the logical contents from the verification of structural and syntactical properties, which is often cumbersome, but ultimately computable.

Comparison with related work.The present paper continues the research line of [13, 14], which present extensions of the original Logical FrameworkLF, where a notion ofβ-reductionmoduloa predicateP is considered. These capitalize on the idea ofstuck- reductionsin objects and types in the setting of higher-order term rewriting systems, by Cirstea-Kirchner-Liquori [5, 7]. In [13, 14]

the dependent function type is conditioned by a predicate, and we have a correspondingconditionedβ-reduction, which fires when the predicate holds on a{term, judgement}. In LFP, predicates are external to the system and the verification of the validity of the predicate is part of the typing system. Standard β-reduction is recovered and combined with anunconditionedlock reduction.

The move of having predicates as new type constructors rather than as parameters ofΠ’s andλ’s allowsLFP to be a merelanguage extensionof standard LF. This simplifies the metatheory, while providing a more modular approach.

Our approach generalizes and subsumes, in an abstract way, other approaches in the literature, which combine internal and ex- ternal derivations, and, in many cases, it can express and incorpo- rate these alternate approaches. The relationship with the systems of [5, 7, 13, 14], which combine derivation and computation, has been discussed above. Systems supporting thePoincar´e Principle [4], orDeduction Modulo[9], where derivation is separated from verification, can be directly incorporated inLFP. Similarly, we can abstractly subsume the system presented in [6], which addresses a specific instance of our problem: how to outsource the computation of a decision procedure in Type Theory in a sound and principled way via an abstract conversion rule.

The work presented here also has a bearing on proof irrelevance.

In [18], two terms inhabiting the sameproof irrelevant typeare set to be equal. However, when dealing with proof irrelevance in this way, a great amount of internal work is required, all of the relevant rules have to be explicitly specified in the signature, in that the irrelevantterms need to be derived in the system anyway. With our approach, we move one step further, and we do away completely withirrelevantterms in the system by simply delegating the task of building them to the external proof verifier. We limit ourselves, in LFP, to the recording, through a lock type, that one such evidence, possibly established somewhere else, needs to be provided, making our approach more modular.

In the present work, predicates are defined on derivable judge- ments, and hence may, in particular, inspect the signature and the context, which normalLFcannot. The ability to inspect the sig- nature and the context is reminiscent of [19, 20], although in that

approach the inspection was layered uponLF, whereas inLFPit is integrated in the system. This integration is closer to the approach of [16], but additional work is required in order to be able to pre- cisely compare their expressive powers.

Another interesting framework, which adds a layer on top of LF is the Delphin system [22], providing a functional programming language allowing the user to encode, manipulate, and reason over dependent higher-order datatypes. However, in this case as well, the focus is placed on the computational level inside the frame- work, rather than on the capability of delegating the verification of predicates to an external oracle.

LF with Side Conditions (LFSC), presented in [23], is more reminiscent of our approach as “it extendsLFto allow side con- ditions to be expressed using a simple first-order functional pro- gramming language”. Indeed, the author aims at factoring the ver- ifications of (complicated) side-conditions out of the main proof.

Such a task is delegated to the type checker, which runs the code associated with the side-condition, verifying that it yields the ex- pected output. The proposed machinery is focused on providing improvements for solvers related to Satisfiability Modulo Theories (SMT).

Synopsis. In Section 2, we present the syntax ofLFP, the typ- ing system, and theβL-reduction, together with the main meta- theoretical properties of the system. In Section 3, we show how to encode the call-by-valueλ-calculus, Modal Logics, and non- commutative Linear Logic. Conclusions and future work appear in Section 4. An extended version of the present paper, including a canonical version ofLFPand more examples, appears in [15].

2. The Framework

The pseudo-syntax ofLFPis presented in Figure 1 on page 2. It is essentially that ofLF, with the addition, on families and objects, of alock constructor,L^P_N,σ[−], and a correspondinglock destructor, U_N,σ^P [−], on objects, both parametrized over a logical predicate P. The predicatePranges over a set of unary predicates, defined on derivable type judgements of the formΓ `Σ N : σ. LFP is parametric over a finite set of such predicates, the syntax of which, as they are external, is not specified. However, these predicates have to satisfy certain conditions, which will be discussed below, in order to ensure subject reduction of the system. For notational completeness, the list of external predicates should appear in the signature. We omit it to increase readability.

Σ∈ S Σ ::= ∅ |Σ, a:K|Σ, c:σ Signatures

Γ∈ C Γ ::= ∅ |Γ, x:σ Contexts

K∈ K K ::= Type|Πx:σ.K Kinds

σ, τ, ρ∈ F σ ::= a|Πx:σ.τ|σ N| L^P_N,σ[ρ] Families M, N ∈ O M ::= c|x|λx:σ.M|M N|

L^P_N,σ[M]| U_N,σ^P [M] Objects Figure 1. LFPSyntax

Notational conventions and auxiliary definitions.LetTrange over any term of the calculus (kind, family, object). Let the symbol≡de- note syntactic identity on terms. The domainDom(Γ)is defined as usual. The definitions of free and bound variables, as well as substi- tution are naturally extended for locked and unlocked types and ob- jects. In particular, a substitution[M/x]on a termL^P_N,σ[T]affects T,N, andσ,i.e.(L^P_N,σ[T])[M/x] =L^PN[M/x],σ[M/x][T[M/x]], and similarly for terms with the lock destructor. As usual, we sup- pose that, in the contextΓ, x:σ, the variablexdoes not occur free inΓor inσ. We will work moduloα-conversion and Barendregt’s hygiene condition. All of the symbols can appear indexed.

The type system forLFPproves judgements of the shape:

Σ sig Σis a valid signature

`Σ Γ Γis a valid context inΣ Γ `Σ K Kis a kind inΓandΣ Γ `Σ σ:K σhas kindKinΓandΣ Γ `Σ M :σ M has typeσinΓandΣ We denote byΓ `Σ αany typing judgementΓ `Σ T : T⁰ orΓ `Σ T. In the two latter judgements,T will be referred to as the subject of that judgement. The typing rules of LFP are presented in Figure 2. The rule(F·Lock)is used to form a lock type; the rule(O·Lock)is the corresponding introduction rule for building objects of the lock type, while the rule(O·U nlock)is the elimination rule. It applies only when the predicatePholds.

In LFP, we will have two types of reduction: standard β- reduction and L-reduction. The latter allows for the dissolution of a lock, in the presence of an unlock (see Figure 3 for the main βL-reduction rules on “raw terms”, and Figures 4 and 5 for the contextual closure andβL-equivalence on families, with the corre- sponding rules for kinds and objects handled similarly).

(λx:σ.M)N→βLM[N/x] (β·Main) UN,σ^P [L^PN,σ[M]]→βLM (L·Main) Figure 3. Main one-step-βL-reduction rules inLFP

In [15] we also provide acanonicalpresentation ofLFP, in the style of [10, 24]. Here, we present the main properties ofLFP. Without any additional assumptions concerning predicates, the type system is strongly normalizing and confluent. The former follows from strong normalization ofLF(see [11]), while the latter follows from strong normalization and local confluence, using Newman’s Lemma. The proof of Subject Reduction, however, requires certain conditions to be placed on the predicates, and these conditions are summarized in the following definition ofwell-behaved predicates:

Definition 1(Well-behaved predicates). A finite set of predicates {Pi}i∈Iiswell-behavedif eachPin this set satisfies the following conditions:

Closure under signature, context weakening and permutation.

IfΣandΩare valid signatures with every declaration inΣalso occurring inΩ, andΓand∆are valid contexts with every dec- laration inΓalso occurring in∆, andP(Γ`Σα)holds, then P(∆`Ωα)also holds.

Closure under substitution.IfP(Γ, x:σ⁰,Γ⁰ `Σ N : σ)holds, and Γ `Σ N⁰ : σ⁰, then P(Γ,Γ⁰[N⁰/x] `Σ N[N⁰/x] : σ[N⁰/x])also holds.

Closure under reduction.IfP(Γ`ΣN :σ)holds andN →βL

N⁰(σ →βL σ⁰) holds, thenP(Γ `Σ N<sup>0</sup> :σ)(P(Γ`Σ N : σ⁰)) also holds.

Strong normalization. In order to prove strong normalization of LFP, we will rely on the strong normalization ofLF, as proven in [12]. First, we will introduce the function^{−U L}:LFP →LF, which mapsLFPterms intoLFterms, by deleting theLandUsymbols from anLFPterm, while preserving all of the relevant information, in the following manner:

([[Type|a|c|x]])^{−U L}= [[T ype|a|c|x]], ([[Π|λ]]x:σ.T)^{−U L}= [[Π|λ]]x:σ^{−U L}.T^{−U L},

(T M)^{−U L}=T^{−U L}M^{−U L},

([[L|U]]^P_N,σ[T])^{−U L}= (λxf:σ^{−U L}.T^{−U L})N^{−U L}, where, in the last item,xf is a variable which does not have free occurrences inT. Here, it should be noticed that, although we have

decided to remove abstractions in families inLFP, using ^{−U L}, we still translateLFP-terms into full-fledgedLF-terms, including those with abstractions in families. This is required so that theN andσ, which index theLand U symbols, are not lost. We can naturally extend^{−U L}to signatures and contexts ofLFP, obtaining signatures and contexts of LF, and then to judgements of LFP, obtaining judgements ofLF. With^{−U L}defined in this way, using structural induction, we obtain the following propositions:

Proposition 1. IfT=βLT⁰inLFP, thenT^{−U L}=βT^{0−U L}inLF.

Proposition 2. The function^{−U L} maps derivable judgements of LFPinto derivable judgements ofLF.

Next, we will denote the maximum number of β-reductions which can be executed in a given (LF- or LFP-) term T as maxβ(T). Notice that L-reductions cannot create entirely new β-redexes, but can only “unlock” potentialβ-redexes of the form U_N,σ^P [L^P_N,σ[λx:τ.M]]T, arriving at λx:τ.M T, and that this re- dex will be present in(U_N,σ^P [L^P_N,σ[λx:τ.M]]T)^{−U L}. Therefore, we have that, for anyLFP-term T, it holds thatmaxβ(T) ≤ maxβ(T^{−U L}). As LF is strongly normalizing, we have that maxβ(T^{−U L})is finite, therefore forcingmaxβ(T)into being fi- nite, leading to the following proposition:

Proposition 3. Only finitely manyβ-reductions can occur within anyLFP-term.

Next, we notice that anyLFP-term has only finitely manyL- redexes before any reductions take place, and that this number can be increased only throughβ-reductions, and only by a finite amount perβ-reduction. However, if we were to have anLFP- termT which has an infinite reduction sequence, then within this sequence, there would need to be infinitely manyL-reductions, since, due to Proposition 3, the number of β-reductions in this sequence has to be finite. On the other hand, with the number ofβ- reductions in the sequence being finite, it would not be possible to reach infinitely manyL-reductions, and such a termTcannot exist inLFP. Therefore, we have the Strong Normalization theorem:

Theorem 1(Strong normalization ofLFP).

1. IfΓ`ΣK, thenKisβL-strongly normalizing.

2. ifΓ`Σσ:K, thenσisβL-strongly normalizing.

3. ifΓ`ΣM :σ, thenMisβL-strongly normalizing.

Confluence. SinceβL-reduction is strongly normalizing, in or- der to prove the confluence of the system, byNewman’s Lemma ([3], Chapter 3), it is sufficient to show that the reduction on “raw terms” islocally confluent. First, we need a substitution lemma, the proof of which is routine:

Lemma 1(Substitution lemma for local confluence).

1. IfN→βLN⁰, thenM[N/x]→→βLM[N⁰/x].

2. IfM→βLM⁰, thenM[N/x]→→βLM⁰[N/x].

Next, we proceed to prove local confluence:

Lemma 2(Local confluence of LFP). βL-reduction is locally confluent, i.e. ifT →βL T⁰ andT →βL T⁰⁰, then there exists a T⁰⁰⁰, such thatT⁰→→βLT⁰⁰⁰andT⁰⁰→→βLT⁰⁰⁰.

Proof.By simultaneous induction on the two derivationsT →βL

T⁰andT →βL T⁰⁰. All of the cases whereT is a kind or family, as well as most of the cases whereT is an object are proven trivially, using the induction hypotheses. Here, we will show only the illustrative cases, involving base reduction rules:

1. Let us have, by(β·M ain), that(λx:σ.M)N →βLM[N/x].

Let us also have that(λx:σ.M)N →βL (λx:σ⁰.M)N, from

Signature rules

∅sig (S·Empty)

Σsig `ΣK a6∈Dom(Σ)

Σ, a:Ksig (S·Kind) Σsig `Σσ:Type c6∈Dom(Σ)

Σ, c:σsig (S·Type)

Context rules Σsig

`Σ∅ (C·Empty)

`ΣΓ Γ`Σσ:Type x6∈Dom(Γ)

`ΣΓ, x:σ (C·Type)

Kind rules

`ΣΓ

Γ`ΣType (K·Type) Γ, x:σ`ΣK

Γ`ΣΠx:σ.K (K·P i) Family rules

`ΣΓ a:K∈Σ

Γ`Σa:K (F·Const)

Γ, x:σ`Στ:Type

Γ`ΣΠx:σ.τ:Type (F·P i) Γ`Σσ: Πx:τ.K Γ`ΣN:τ

Γ`Σσ N:K[N/x] (F·App) Γ`Σρ:Type Γ`ΣN :σ

Γ`ΣL<sup>P</sup>N,σ[ρ] :Type (F·Lock) Γ`Σσ:K Γ`ΣK⁰ K=βLK⁰

Γ`Σσ:K⁰ (F·Conv) Object rules

`ΣΓ c:σ∈Σ

Γ`Σc:σ (O·Const)

`ΣΓ x:σ∈Γ

Γ`Σx:σ (O·Var) Γ, x:σ`ΣM :τ

Γ`Σλx:σ.M : Πx:σ.τ (O·Abs) Γ`ΣM: Πx:σ.τ Γ`ΣN:σ

Γ`ΣM N:τ[N/x] (O·App) Γ`ΣM:ρ Γ`ΣN:σ

Γ`ΣL^PN,σ[M] :L^PN,σ[ρ] (O·Lock)

Γ`ΣM:L<sup>P</sup><sub>N,σ</sub>[ρ] Γ`ΣN:σ P(Γ`ΣN :σ)

Γ`ΣU<sub>N,σ</sub><sup>P</sup> [M] :ρ (O·U nlock) Γ`ΣM:σ Γ`Στ :Type σ=βLτ

Γ`ΣM :τ (O·Conv)

Figure 2. TheLFPType System

σ→βLσ⁰

Πx:σ.τ→βLΠx:σ⁰.τ (F·Π1·βL) τ→βLτ⁰

Πx:σ.τ→βLΠx:σ.τ⁰ (F·Π2·βL) σ→βLσ⁰

σ N→βLσ⁰N (F·App1·βL) N→βLN⁰

σ N→βLσ N⁰ (F·App2·βL) N→βLN⁰

L^P_N,σ[ρ]→βLL^P_N0,σ[ρ] (F·Lock1·βL) σ→βLσ⁰

L^P_N,σ[ρ]→βLL^P_N,σ0[ρ] (F·Lock2·βL) ρ→βLρ⁰

L^P_N,σ[ρ]→βLL^P_N,σ[ρ⁰] (F·Lock3·βL) Figure 4. βL-context-closure on families

σ→βLσ⁰

σ=βLσ⁰ (F·M ain·EqβL) σ=βLσ (F·Ref l·EqβL)

σ=βLσ⁰

σ⁰=βLσ (F·Sym·EqβL) σ=βLσ⁰:K σ⁰=βLσ⁰⁰

σ=βLσ⁰⁰ (F·T rans·EqβL) Figure 5. βL-equivalence on families

σ →βL σ⁰, by the object rules for closure under context. In this case, we will show that the required conditions are met forM⁰⁰⁰ ≡ M[N/x]. Indeed, by the definition of→→βL, we have thatM[N/x]→→βLM[N/x], and also, by the reduction rule (β·M ain), we have that(λx:σ⁰.M)N →βL M[N/x], effectively having(λx:σ⁰.M)N→→βLM[N/x].

2. Let us have, by (β·M ain), (λx:σ.M)N →βL M[N/x].

Let us also have that(λx:σ.M)N →βL (λx:σ.M⁰)N, from M →βLM⁰, by the object rules for closure under context. In this case, we will show that the required conditions are met for M⁰⁰⁰≡M⁰[N/x]. By(β·M ain), we have(λx:σ.M⁰)N→βL

M⁰[N/x], from which we obtain(λx:σ.M⁰)N→→βLM⁰[N/x],

while we obtain that M[N/x]→→βLM⁰[N/x]from part 2 of Lemma 1.

3. Let us have, by (L·M ain), U_N,σ^P [L^P_N,σ[M]] →βL M, and, also, thatU_N,σ^P [L^P_N,σ[M]]→βLU_N^P0,σ[L^P_N,σ[M]], fromN →βL

N⁰, by the object rules for closure under context. In this case, we will show that the required conditions are met forM⁰⁰⁰ ≡ M. By the definition of→→βL, we have thatM→→βLM, which leaves us with needing to show thatU_N^P0,σ[L^PN,σ[M]]→→βLM. From N →βL N⁰, which we have as an induction hypothe- sis, using the object rules for closure under context, we first obtain that L^P_N,σ[M] →βL L^P_N0,σ[M], and then obtain that U_N^P0,σ[L^P_N,σ[M]] →βL U_N^P0,σ[L^P_N0,σ[M]], from which we fi- nally obtain thatU_N^P0,σ[L_N^P0,σ[M]]→βLM, by the reduction rule(L·M ain), effectively havingU_N^P0,σ[L^P_N,σ[M]]→→βLM. The remaining subcases are handled very similarly.

Having proven local confluence, finally, from Theorem 1, Lemma 2 and Newman’s Lemma, we obtain the confluence the- orem forLFP:

Theorem 2(Confluence ofLFP). βL-reduction is confluent, i.e. if T→→βLT⁰ and T→→βLT⁰⁰, then there exists a T⁰⁰⁰, such that T⁰→→βLT⁰⁰⁰andT⁰⁰→→βLT⁰⁰⁰.

Subject reduction. We begin by proving several auxilliary lem- mas and propositions:

Lemma 3(Auxiliary properties).

1. IfΠx:σ.T=βLT⁰⁰, thenT⁰⁰≡Πx:σ.⁰T⁰, for someσ⁰,T⁰, such thatσ⁰=βLσ, andT⁰=βLT.

2. IfL^P_N,σ[ρ]=βLθ, thenθ≡ L^P_N0,σ⁰[ρ⁰], for someN⁰,σ⁰, andρ⁰, such thatN⁰=βLN,σ⁰=βLσ, andρ⁰=βLρ.

3. IfΓ`ΣL<sup>P</sup><sub>N,σ</sub>[M] :L<sup>P</sup><sub>N,σ</sub>[ρ], thenΓ`ΣM:ρ.

The following property follows directly from the typing and conversion rules, using item 1 of Lemma 3:

Proposition 4(Abstraction typing). IfΓ`Σ λx:σ.M : Πx:σ.τ, thenΓ, x:σ`ΣM :τ.

By induction on the structure of the derivation, we obtain:

Proposition 5(Subderivation, part 1).

1. A derivation of`Σ∅has a subderivation ofΣsig.

2. A derivation of Σ, a:K sighas subderivations of Σsigand

`ΣK.

3. A derivation of Σ, f:σ sig has subderivations of Σ sigand

`Σσ:Type.

4. A derivation of`Σ Γ, x:σhas subderivations ofΣsig,`Σ Γ, andΓ`Σσ:Type.

5. A derivation ofΓ`Σαhas subderivations ofΣsigand`ΣΓ.

6. Given a derivationDof the judgementΓ `Σ α, and a sub- term occurring in the subject of this judgement, there exists a derivation of a judgement having this subterm as a subject.

Proposition 6 (Weakening and permutation). If predicates are closed under signature/context weakening and permutation, then:

1. IfΣandΩare valid signatures, and every declaration occur- ring inΣalso occurs inΩ, thenΓ`ΣαimpliesΓ`Ωα.

2. IfΓand∆are valid contexts w.r.t. the signatureΣ, and every declaration occurring in Γalso occurs in ∆, then Γ `Σ α implies∆`Σα.

Proposition 7 (Subderivation, part 2). If predicates are closed under signature/context weakening and permutation, then:

1. IfΓ`Σσ:K, thenΓ`ΣK.

2. IfΓ`ΣM:σ, thenΓ`Σσ:Type.

Proposition 8(Transitivity). If predicates are closed under sig- nature/context weakening and permutation and under substitution, then: ifΓ, x:σ,Γ⁰ `Σ α, andΓ`Σ N : σ, thenΓ,Γ⁰[N/x]`Σ

α[N/x].

Notice that, contrary to what happens in traditional type sys- tems, the followingclosure under expansiondoes not hold:Γ`Σ

M[N/x] :τ =⇒ Γ`Σ(λx:σ.M)N:τ, forΓ`ΣN:σ.

Proposition 9 (Unicity of types and kinds). If predicates are closed under signature/context weakening and permutation and under substitution, then: ifΓ`Σ T : T1andΓ`Σ T :T2, then T1=βLT2.

Finally, we have Subject Reduction:

Theorem 3(Subject reduction ofLFP). If predicates are well- behaved, then:

1. IfΓ`ΣK, andK→βLK<sup>0</sup>, thenΓ`ΣK⁰. 2. IfΓ`Σσ:K, andσ→βLσ<sup>0</sup>, thenΓ`Σσ⁰:K.

3. IfΓ`ΣM:σ, andM→βLM<sup>0</sup>, thenΓ`ΣM⁰:σ.

Proof.Here we prove Subject Reduction of a slightly extended type system. We consider the type system in which the rules(F·Lock), (O·Lock), and(O·U nlock)all have an additional premiseΓ`Σ

σ: Type, while the rule(O·U nlock)also has another additional premiseΓ`ΣL^P_N,σ[ρ] :Type, as shown in Figure 6.

Γ`Σρ:Type Γ`ΣN:σ Γ`Σσ:Type

Γ`ΣL<sup>P</sup><sub>N,σ</sub>[ρ] :Type (F·Lock) Γ`ΣM :ρ Γ`ΣN :σ Γ`Σσ:Type

Γ`ΣL<sup>P</sup><sub>N,σ</sub>[M] :L<sup>P</sup><sub>N,σ</sub>[ρ] (O·Lock) Γ`ΣN:σ Γ`Σσ:Type P(Γ`ΣN:σ)

Γ`ΣM:L<sup>P</sup>N,σ[ρ] Γ`ΣL^PN,σ[ρ] :Type

Γ`ΣU<sub>N,σ</sub><sup>P</sup> [M] :ρ (O·U nlock) Figure 6. An extension ofLFPtyping rules for Subject Reduction The proof proceeds by simultaneous induction on the derivation of Γ `Σ M and M →βL M⁰. Here we will show only the case in which the base reduction rule(β·M ain)is used, and one of the cases for which the well-behavedness of predicates is a requirement, while the other cases are handled either similarly or trivially, mostly by using the induction hypotheses.

1. We have thatΓ`Σλx:σ.M N:τ[N/x], by the rule(O·App), fromΓ `Σ λx:σ.M : Πx:σ.τ, andΓ `Σ N : σ, and that (λx:σ.M)N →βL M[N/x] by the rule (β·M ain). From Proposition 4, we get thatΓ, x:σ`ΣM :τ, and from this and Γ`ΣN :σ, we obtain the requiredΓ`ΣM[N/x] :τ[N/x], by an application of Proposition 8.

2. We have thatΓ `Σ U<sub>N,σ</sub><sup>P</sup> [M] : ρ, by the rule(O·U nlock), fromΓ`ΣM :L^P_N,σ[ρ],Γ`ΣL<sup>P</sup><sub>N,σ</sub>[ρ] :Type,Γ`ΣN:σ, Γ`Σσ:Type, andP(Γ`ΣN :σ), and thatU_N,σ^P [M]→βL

U_N,σ^P 0[M], by the reduction rules for closure under context, fromσ →βL σ⁰. First, from the induction hypothesis we have thatΓ`Σ σ<sup>0</sup> :Type, and we also have, fromσ →β:σ<sup>0</sup>, that σ=βLσ<sup>0</sup>. From this, usingΓ`ΣN:σ, and the rule(O·Conv), we obtain thatΓ `Σ N : σ<sup>0</sup>. Next, sinceΓ `Σ L^P_N,σ[ρ] : Typecould only have been obtained by the type system rule (F·Lock), fromΓ`Σρ:TypeandΓ`ΣN:σ, and since we

haveΓ`ΣN:σ<sup>0</sup>, we obtain thatΓ`ΣL^P_N,σ0[ρ] :Type. From this, givenσ=βLσ⁰, we obtain thatL^P_N,σ0[ρ] →βL L^P_N,σ0[ρ], and since we already have thatΓ `Σ M : L<sup>P</sup><sub>N,σ</sub>[ρ], we can use the type system rule (O·Conv) to obtain Γ `Σ M : L^P_N,σ0[ρ]. Finally, by the well-behavedness requirements for the predicates, we have thatP(Γ `Σ N : σ<sup>0</sup>)holds, and we can now use the type system rule(O·U nlock) to obtain the requiredΓ`Σ U_N,σ^P 0[M] :ρ. Here, we can notice that there are steps in this proof (in which we obtainΓ`Σσ<sup>0</sup>:Type, and Γ`Σ L^PN,σ[ρ] : Type), which could not have been made had the original system not been extended for this theorem.

Now, we can prove straightforwardly thatΓ`Σαin the extended systemiff Γ`Σαin the originalLFPsystem (i.e. that the judge- ments that these two systems derive are the same), by induction on the length of the derivation, With this, given that we have proven Subject Reduction of the extended system, we have that Subject Reduction also holds in the originalLFPsystem.

2.1 The expressive power ofLFP

Various natural questions arise as to the expressive power ofLFP. Here, we outline the answers to some of these.

- LFP is decidable, if the predicates are decidable; this can be proven as usual.

- If a predicate isdefinable inLF,i.e.it can be encoded via the inhabitability of a suitable LF dependent type, then it is well- behaved in the sense of Definition 1.

- All well-behaved recursively enumerable predicates are LF- definable by Church’s thesis. Of course, the issue is then on how

“deep” the encoding is. To give a more precise answer, we would need a more accurate definition of “deep” and “shallow” encod- ings, which we still lack. This paper can be seen as a stepping stone towards such a theory, with our approach being “shallow” by definition, and the encodings via Church’s thesis being potentially very, very deep. Considere.g.the well-behaved predicate “M, N are two different closed normal forms”, which can be immediately expressed inLFP.

- One may ask what relation is there between theLFencodings of, say, Modal Logics, discussed in [2, 8], and the encodings which appear in this paper (see Section 3.2 below). The former essen- tially correspond to the internal encoding of the predicates that are utilized in Section 3.2. In fact, one could express the mapping be- tween the two signatures as a forgetful functor going fromLFP

judgements toLFjudgements.

- Finally, we can say that, as far as decidable predicates,LFP is morally aconservative extensionofLF. Of course, pragmatically, it is very different, in that it allows for the neat factoring-out of the true logical contents of derivations from the mere effective verification of other, e.g. syntactical or structural properties. A feature of our approach is that of making such a separation explicit.

- The main advantage of having externally verified predicates amounts to a smoother encoding (the signature is not cluttered by auxiliary notions and mechanisms needed to implement the predicate). This allows for the optimization of performance, if the external system used to encode the predicate is an optimized tool, specifically designed for the issue at hand (e.g.analytic tableaux methods for propositional formulæ).

3. Pragmatics and Case Studies

In this section, we illustrate the pragmatics of using LFP as a metalanguage by encoding some crucial case studies.

We focus on formal systems where derivation rules are subject to side conditionswhich are either rather difficult or impossible to encode naively in a type theory-based LF, due to limitations of the latter or to the fact that they need to access the derivation

context, or the structure of the derivation itself, or other structures and mechanisms not available at the object level. This is the case for substructural and program logics [1, 2, 8].

We have isolated alibraryof predicates on proof terms, whose patterns frequently occur in the examples. The main archetype is that given constants or variables only occur with some modality Din subterms satisfying the decidable propertyC. Modalities can include any of the phrases such as: at least once, only once, the rightmost, does not occur, etc.Ccan refer to the syntactic form of the subterm or to that of its type, the latter being the main reason for allowing predicates inLFP to access the context. As a side remark, we have noticed that often the constraints on the type of a subterm can be expressed as constraints on the subterm itself by simply introducing suitable type coercion constants. In [15], we present a basic library of auxiliary functions, which can be used to introduce external predicates of the above archetypes.

We start with the encoding of the well known case of untyped λ-calculus, with a call-by-value evaluation strategy. Although this example is nicely handled using pure LF encodings already, we discuss it because it illustrates yet another way to deal with free and bound variables, using external predicates, as in the case of betavandcsiv in Definition 4. Next, we discuss modal logics and we give a sketch of how to encode the non-commutative linear logic introduced in [21]. Another example, on program logics`a la Hoare, appears in [15]. We state adequacy theorems, and, due to lack of space, here provide proofs for only some of them.

Notation:for the sake of simplicity, in the following examples, we use the notationsσ →τ forΠx:σ.τifx /∈ Fv(τ), andσⁿ⁺¹for then-ary abstractionσ →. . . →σ. Moreover, we will omit the typeσinL^P_N,σ[M], whenσis clear from the context.

In the adequacy theorems, we will use the notion ofjudgement inη-long normal form(η-lnf), defined as follows¹:

Definition 2(Judgements inη-long normal form).

- An occurrence ξ of a constant or a variable in a term of an LFP judgement is fully applied and unlocked with respect to its type or kindΠ#»x1:#»σ1.#»

L1[. . .Π#»xn:#»σn.#»

Ln[α]. . .], where

#»Li are vectors of locks, if ξ appears in contexts of the form U#»n[(. . .(#»

U1[ξ# »

M1]). . .)# »

Mn], where # » Mi and #»

Ui have the same arities of the corresponding vectors ofΠ’s and locks.

- A termT in a judgement is inη-lnfifT is in normal form and every constant and variable occurrence inT is fully applied and unlocked w.r.t. its classifier in the judgement.

- A judgement is inη-lnfif all terms appearing in it are inη-lnf.

3.1 The untypedλ-calculus 3.1.1 Free and bound variables.

Consider the well-known untypedλ-calculus:

M, N, . . .::=x|M N|λx.M

with variables, application and abstraction. We model free variables of the object language as constants inLFP. Bindable and bound variables are modeled with variables of the metalanguage, thus retaining the full Higher-Order-Abstract-Syntax (HOAS) approach, by delegatingα-conversion and capture-avoiding substitution to the metalanguage. Such an approach allows us to abide by the “closure under substitution” condition for external predicates, while still retaining the ability to handle “open” terms explicitly.

The abovementioned “bindable” variables must neither be con- fused with bound, nor with free variables. For instance, theλ-term x(in which the variable is free) will be encoded by means of the term`Σ(free n):termfor a suitable (encoding of a) natural

1See [15] for a presentation ofLFP using canonical forms, in the style of [20, 24].

numbern(see Definition 3 below). On the other hand, theλ-term λx.x(in which the variable is obviously bound) will be encoded by`Σ(lamλx:term.x). However, when we “open” the abstrac- tionλx.M, considering the bodyM, we will encode the latter as x:term `Σ {x}(M), where{x}is the encoding function defined later in this section. In this case,xis abindablevariable.

Definition 3(LFPsignatureΣλfor untypedλ-calculus).

nat, term : Type O : nat S : nat²

free : nat -> term app : term³ lam : term² -> term We use natural numbers as standard abbreviations for repeated applications ofSto0. Given an enumeration{xi}i∈N\{0}of the variables in the untypedλ-calculus, we put:

X(xi) =

xi, ifxi∈ X free i, ifxi6∈ X X(M N) = (appX(M)X(N)) X(λx.M) = (lamλx:term.X ∪{x}(M)) where, in the latter clause,x6∈ X.

Theorem 4(Adequacy of syntax). Let{xi}i∈N\{0}be an enumer- ation of the variables in theλ-calculus. Then, the encoding function Xis a bijection between theλ-calculus terms with bindable vari- ables inXand the termsM derivable in judgementsΓ`Σ_λ M : terminη-lnf, whereΓ ={x:term |x∈ X }. Moreover, the en- coding is compositional, i.e. for a termM, with bindable variables inX = {x1, . . . , xk}, andN1, . . . , Nk, with bindable variables in Y, the following holds: X(M[N1, . . . , Nk/x1, . . . , xk]) = X(M)[Y(N1), . . . , Y(Nk)/x1, . . . , xk].

Proof.The injectivity ofX follows by a straightforward inspec- tion of its definition, while the surjectivity follows by defining the

“decoding” functionδXon terms inη-lnf:

δX((free i)) = xi(wherexi6∈ X) δX(xi) = xi(wherexi∈ X) δX((app M N)) = δX(M)δX(N) δX(lamλx:term.M) = λx.δX ∪{x}(M)

Given the characterization ofη-lnfs, and the types of the construc- tors introduced inΣλ, it is easy to see thatδX is total and well- defined. It is not possible to derive aη-long normal form of type termcontaining aU-term, since no constructors inΣλuseL-types.

Finally, by induction on the structure ofM, it is possible to check thatδX(X(M)) =Mand thatXis compositional.

3.1.2 The call-by-value reduction strategy.

The call-by-value (CBV) evaluation strategy can be specified by:

`_CBV M=M (refl)

`_CBV N=M

`_CBV M=N (symm)

`CBV M=N `CBV N=P

`_CBV M=P (trans)

`<sub>CBV</sub> M=N `_CBV M⁰=N⁰

`_CBV M M⁰=N N⁰ (app) vis a value

`_CBV (λx.M)v=M[v/x] (βv)

`_CBV M=N

`_CBV λx.M=λx.N (ξv)

Definition 4 (LFP signature ΣCBV for λ-calculus CBV reduc- tion). We extend the signature of Definition 3 as follows:

triple :Type

h, , i: term -> term² -> term² -> triple eq : term -> term -> Type

refl :ΠM:term.(eq M M)

symm :ΠM:term.ΠN:term.(eq N M) -> (eq M N) trans :ΠM:term.ΠN:term.ΠP:term.

(eq M N) -> (eq N P) -> (eq M P) eq app :ΠM,N,M’,N’:term.

(eq M N) -> (eq M’ N’) ->

(eq (app M M’) (app N N’))

betav :ΠM:term².ΠN:term.L^Val_N [eq (app (lam M) N) (M N)]

csiv :ΠM,N:term².Πx:term.

L^ξ_h

x,M,Nⁱ[(eq (M x)(N x)) -> (eq (lam M)(lam N))]

where the predicatesVal andξare defined as follows, andtriple is the type of triples of terms with typesterm,term²andterm²: -Val(Γ`ΣN:term)holds iff eitherNis an abstraction orNis a constant (i.e. a term of the shape(free i));

-ξ(Γ`Σhx,M,Ni:triple)holds iffxis a constant (i.e. a term of the shape(free i)),MandNare closed andxdoes not occur in MandN.

Theorem 5(Adequacy of CBV reduction). Given an enumeration {xi}i∈N\{0}of the variables in theλ-calculus, there is a bijection between derivations of the judgment`CBV M =Non terms with no bindable variables in the CBVλ-calculus and proof termsh, such that`Σ_CBV h: (eq∅(M)∅(N))is inη-long normal form.

Proof.We define an encoding function⁼_∅ by induction on deriva- tions of the form`CBV M =N(on terms with no bindable vari- ables) as follows:

• if∇is the derivation with only(refl), we have that⁼_∅(∇) = (refl∅(M)):(eq∅(M)∅(M));

• if∇is the derivation with(symm)as the last applied rule, then, by the inductive hypothesis, there is a termhsuch that`Σ_CBV

h: (eq ∅(N)∅(M)). Hence, we will have that ⁼_∅(∇) = (symm∅(M)∅(N)h):(eq∅(M)∅(N));

• if∇is the derivation with(trans)as the last applied rule, then, by the inductive hypothesis, we have that there exist termshand h’, such that`Σ<sub>CBV</sub> h:(eq∅(M)∅(N)), and also`Σ_CBV

h⁰: (eq ∅(N)∅(P)). Hence, we will have that ⁼_∅(∇) = (trans∅(M)∅(N)∅(P)h h⁰):(eq∅(M)∅(P));

• if∇is the derivation with(eq app)as the last applied rule, then, by the inductive hypothesis, we have that there ex- ist terms h and h’ such that`Σ<sub>CBV</sub> h:(eq ∅(M) ∅(N)) and `Σ_CBV h⁰:(eq ∅(M⁰) ∅(N⁰)). Hence, we will have that⁼_∅(∇) = (eq app∅(M)∅(N)∅(M⁰)∅(N⁰)h h⁰):

(eq(app∅(M)∅(M⁰)) (app∅(N)∅(N⁰)));

• if∇is the derivation with only(βv), we have that⁼_∅(∇) = U^Val

∅(v)[(betav(λx:term.{x}(M))∅(v)):(eq(app(lamλx:

term.{x}(M))∅(v)) ((λx:term. {x}(M))(∅(v))))](no- tice the presence of the unlock operator in front of theLFP

encoding: this is possible thanks to the fact that we know, by hypothesis, thatvis a value, whence the predicateVal holds on`CBV ∅(v):term);

• if∇is the derivation with(ξv)as the last applied rule, then, by the inductive hypothesis, there is a termhsuch that`Σ_CBV

h:(eq ∅(M) ∅(N))². Hence, we will have that ⁼∅(∇) = (U_T,^ξ_triple[(csivλx:term.{x}(M)λx:term.{x}(N)∅(x))]

2Notice that the object variablexoccurring inM andN is represented by a constant ((free k), for a naturalk, such thatx ≡xk) here, since the encoding function takes the empty set as the set ofbindablevariables.

Instead, in the next line, the encoding function will take{x}as the set of bindable variables, yielding an encoding ofxthrough a metavariablexof the metalanguage ofLFP.

h):(eq (lam λx:term. {x}(M)) (lam λx:term.{x}(N))), whereTis the triple of the formh∅(x),(λx:term.{x}(M)), (λx:term.{x}(N))i.

The injectivity of ⁼_∅ follows by a straightforward inspection of its definition, while the surjectivity follows by defining the “de- coding” functionδ∅by induction on the derivations of the shape

`Σ<sub>CBV</sub> h:(eq M N)inη-long normal form. Since all the cases are rather straightforward, we analyze only the definition concerning the main rule (βv), since it involves an external predicate. So, if we derive fromΣCBV a proof termhinη-long normal form such asU<sub>N</sub><sup>Val</sup><sub>,term</sub>[betav M N]whose type is(eq (app (lam M) N) (M N))(whereM≡λx:term.M<sup>0</sup>, withM<sup>0</sup> inη-lnf), then the predicate Val(`Σ_CBV N:term) must hold, and N is encoding the value δ∅(N). Hence, thedecodingofhis the following derivation:

δ∅(N)is a value

`CBV δ∅(lam(λx:term.M⁰))δ∅(N) =δ∅((λx:term.M⁰)N), and since we have that δ∅((lam(λx:term.M⁰))) = λx.δ{x}(M⁰) (see proof of Th. 4), thatλx.δ{x}(M⁰)δ∅(N) =δ{x}(M⁰)[δ∅(N)/x]

(β-reduction in CBV λ-calculus), that δ∅((λx:term.M⁰)N) = δ∅(M⁰[N/x])(β-reduction inLFP) and thatδ{x}(M⁰)[δ∅(N)/x] = δ∅(M⁰[N/x]) (by induction on the structure of M⁰), we are done.

Therefore, it is easy to verify by induction onη-long normal forms thatδ_∅⁼is well-defined and total. Similarly, we can prove thatδ⁼_∅ is the inverse of⁼_∅, making⁼_∅ a bijection.

3.2 Substructural logics

In many formal systems, rules are subject to side conditions and structural constraints on the shape of assumptions or premises.

Typical examples are the necessitation rule or the2-introduction rules in Modal logics (see, e.g., [1, 2, 8]). For the sake of readability, in the following we will often use aninfixnotation for encoding binary logic operators.

3.2.1 Modal Logics in Hilbert style.

In this example, we show howLFP allows for smooth encodings of logical systems with “rules of proof” as well as “rules of deriva- tion”. The former apply only to premises which do not depend on any assumption, such asnecessitation, while the latter are the usual rules which apply to all premises, such asmodus ponens. The idea is to use suitable “lock types” in rules of proof and “standard” types in the rules of derivation.

By way of example, we give the signature for the classicalS4

Modal Logic (see Figure 8) in Hilbert style (see Figure 7), which features necessitation (ruleNECin Figure 7) as a rule of proof.

Due to lack of space, we limit the encoding in Figure 8 to the most significant cases. We make use of the predicateClosed(Γ`Σ

m:True(φ)), which holds iff “all free variables occurring inmhave typeo”. This is precisely what is needed to correctly encode the notion of rule of proof, ifo is the type of propositions. Indeed, if all the free variables of a proof term satisfy such a condition, it is clear, by inspection of the η-lnfs, that there cannot be free variables of type True(. . . ) in the proof term,i.e. the encoded modal formula does not depend on any assumption (see [15] for a formal specification of the predicate). This example requires that predicates inspect the environment and be defined on typed judgements, as indeed is the case in LFP. The above predicate is well-behaved. As in the previous examples, we ensure a sound derivation inLFPof a proof of2φ, by locking the typeTrue(2φ) in the conclusion ofNEC(see Figure 8).

Adequacy theorems are rather trivial to state and prove; as usual we define an encoding functionXon formulæ with free variables inX as follows, representing atomic formulæ by means ofLFP

metavariables:

A1 : φ→(ψ→φ)

A2 : (φ→(ψ→ξ))→(φ→ψ)→(φ→ξ) A3 : (¬φ→ ¬ψ)→((¬φ→ψ)→φ) K : 2(φ→ψ)→(2φ→2ψ)

> : 2φ→φ 4 : 2φ→22φ MP : φ φ→ψ

ψ

NEC : φ

2φ

Figure 7. Hilbert style rules for Modal LogicS4

o : Type → : o³ ¬ : o² 2 : o²

True : o -> Type

A1 : Πφ,ψ:o.True(φ→(ψ→φ))

K : Πφ,ψ:o.True(2(φ→ψ)→(2φ→2ψ)) MP : Πφ,ψ:o.True(φ)->True(φ→ψ)->True(ψ) NEC : Πφ:o.Πm:True(φ).L^Closed_m [True(2φ)]

Figure 8. The signatureΣfor theS4Modal Logic in Hilbert style X(x) =x, wherex∈ X; X(¬φ) =¬X(φ);

X(φ→ψ) =X(φ)→X(ψ); X(2φ) =2X(φ).

Then, we can prove, by structural induction on formulæ, the fol- lowing theorem:

Theorem 6 (Adequacy of S4 formulæ syntax). The encoding functionX is a bijection between the modal logic formulæ with free variables in X and the terms φ derivable in judgements Γ `Σ₂ φ:o in η-lnf, where Γ = {x:o | x ∈ X }. More- over, the encoding is compositional, i.e. for a formulaφ, with free variables inX = {x1, . . . , xk}, andψ1, . . . , ψk, with free vari- ables inY, the following holds:X(φ[ψ1, . . . , ψk/x1, . . . , xk]) = X(φ)[Y(ψ1), . . . , Y(ψk)/x1, . . . , xk].

If we denote byφ1, . . . , φn ` φ the derivation of the truth of a formulaφ, depending on the assumptions φ1, . . . , φn, in the Hilbert-style modal logicS4, the adequacy of our encoding can then be stated by the following theorem:

Theorem 7(Adequacy ofS4truth system in Hilbert-style). There is a bijection between derivationsφ1, . . . , φk ` φin the Hilbert- styleS4 modal logic and proof termshsuch thatΓ `Σ h:(True X(φ1 → . . . → φk → φ))in η-long normal form, where X ={x1, . . . , xn}is the set of propositional variables occurring inφ1, . . . , φk, φandΓ ={x1:o, . . . ,xn:o}.

3.2.2 Modal LogicsS4andS5in Prawitz style.

InLFP, one can also accommodate other modal logics, such as classical Modal LogicsS4andS5in Natural Deduction style, as de- fined by Prawitz, which have rules with rather elaborate restrictions on the shape of subformulae where assumptions occur. Figure 9 shows some of the rules common to both systems and all specific rules ofS4andS5. In order to illustrate the flexibility of the system, the rule forS4is given in the form which allows cut-elimination.

Figure 10 shows their encoding inLFP. Again, the crucial role is played by a predicate, namelyBoxed( ). The intended meaning is thatBoxed(Γ`Σm:True(φ))holds in the case ofS4iff the occur- rences of free variables ofmoccur in subterms whose type has the shapeTrue(2ψ)or iso. In the case ofS5the predicate holds iff the variables ofmhave typeTrue(2ψ),True(¬2ψ)oro. It is easy to