Proof Normalisation in a Logic Identifying Isomorphic Propositions

HAL Id: hal-02909135

https://hal.inria.fr/hal-02909135

Submitted on 30 Jul 2020

HAL

is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire

destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Propositions

Alejandro Díaz-Caro, Gilles Dowek

To cite this version:

Alejandro Díaz-Caro, Gilles Dowek. Proof Normalisation in a Logic Identifying Isomorphic Proposi-

tions. FSCD 2019 - International Conference on Formal Structures for Computation and Deduction,

Jun 2019, Dortmund, Germany. �hal-02909135�

Isomorphic Propositions

Alejandro Díaz-Caro

Instituto de Ciencias de la Computación (CONICET-Universidad de Buenos Aires) Universidad Nacional de Quilmes, Argentina

adiazcaro@icc.fcen.uba.ar

Gilles Dowek

Inria, LSV, ENS Paris-Saclay, France gilles.dowek@ens-paris-saclay.fr

Abstract

We define a fragment of propositional logic where isomorphic propositions, such asA∧B andB∧A, orA⇒(B∧C) and (A⇒B)∧(A⇒C) are identified. We define System I, a proof language for this logic, and prove its normalisation and consistency.

2012 ACM Subject Classification Theory of computation→Proof theory; Mathematics of comput- ing→Lambda calculus; Theory of computation→Type theory

Keywords and phrases Simply typed lambda calculus, Isomorphisms, Logic, Cut-elimination, Proof- reduction.

Related Version A variant of the system presented in this paper, has been published in https:

//arxiv.org/abs/1303.7334v1(LSFA 2012 [13]), with a sketch of a subject reduction proof but no normalisation or consistency proofs.

Funding Partially supported by ECOS-Sud A17C03, PICT 2015-1208, and the French-Argentinian laboratory SINFIN.

1 Introduction

1.1 Identifying isomorphic propositions

In mathematics, addition is associative and commutative, multiplication distributes over addition, etc. In contrast, in logic conjunction is neither associative nor commutative, implication does not distribute over conjunction, etc. For instance, the propositionsA∧B andB∧Aare different: ifA∧B has a proof, then so doesB∧A, but ifris a proof ofA∧B, then it is not a proof ofB∧A.

A first step towards consideringA∧B andB∧Aas the same proposition has been made in [6, 11, 12, 26], where a notion of isomorphic propositions has been defined: two propositions AandB are isomorphic if there exist two proofs ofA⇒B andB⇒Awhose composition, in both ways, is the identity.

For the fragment of propositional logic restricted to the operations ⇒and ∧, all the isomorphisms are consequences of the following four:

A∧B≡B∧A (1)

A∧(B∧C)≡(A∧B)∧C (2)

A⇒(B∧C)≡(A⇒B)∧(A⇒C) (3)

(A∧B)⇒C≡A⇒B ⇒C (4)

For example, (A⇒B⇒C)≡(B ⇒A⇒C) is a consequence of (4) and (1) [6].

arXiv:1501.06125v8 [cs.LO] 22 Apr 2019

In this paper, we go one step further and define a proof language, System I, for the fragment ⇒, ∧, such that when A ≡B, then any proof of A is also a proof ofB, so the propositionsA∧B andB∧A, for instance, are really identical, as they have the same proofs.

The idea of identifying some propositions has already been investigated, for example, in Martin-Löf’s type theory [23], in the Calculus of Constructions [8], and in Deduction modulo theory [17, 19], where definitionally equivalent propositions, for instanceA ⊆ B, A∈ P(B), and∀x(x∈A⇒x∈B) can be identified. But definitional equality does not handle isomorphisms. For example, A∧B andB ∧A are not identified in these logics.

Beside definitional equality, identifying isomorphic types in type theory, is also a goal of the univalence axiom [27].

Isomorphisms make proofs more natural. For instance, to prove (A∧(A⇒B))⇒B in natural deduction we need to introduce conjunctive hypothesisA∧(A⇒B) which has to be decomposed intoAandA⇒B, while using the isomorphism (4) allows to transform the goal toA⇒(A⇒B)⇒B and introduce directly the hypothesesAandA⇒B, eliminating completely the need for conjunctive hypotheses.

1.2 Lambda-calculus

The proof-language of the fragment of propositional logic restricted to the operations ⇒ and ∧ is simply typed lambda-calculus extended with Cartesian product. So, System I is an extension of this calculus where, for example, a pair of functions hr, si of type (A⇒B)∧(A⇒C)≡A⇒(B∧C) can be applied to an argumentt of typeA, yielding a termhr, sit of typeB∧C. For example, the termhλx^τ.x, λx^τ.xiy has typeτ∧τ. With the usual reduction rules of lambda calculus with pairs, such a term would be normal, but we can also extend the reduction relation, with an equationhr, sithrt, sti, such that this term is equivalent toh(λx^τ.x)y,(λx^τ.x)yiand thus reduces tohy, yi. Taking too many of such equations may lead to non termination (Section 8.1), and taking too few multiplies undesired normal forms. The choice of the rules in this paper is motivated by the goal to have both termination of reduction (Section 5) and consistency (Section 6), that is, no normal closed term of atomic types.

To stress the associativity and commutativity of the notion of pair, we writer×sinstead ofhr, siand thus write this equivalence as

(r×s)trt×st

Several similar equivalence rules on terms are introduced: one related to the isomorphism (1), the commutativity of the conjunction,r×ss×r; one related to the isomorphism (2), the associativity of the conjunction, (r×s)×tr×(s×t); two to the isomorphism (3), the distributivity of implication with respect to conjunction,λx.(r×s)λx.r×λx.s and (r×s)trt×st; and one related to the isomorphism (4), the currification,rstr(s×t).

One of the difficulties in the design of System I is the design of the elimination rule for the conjunction. A rule like “ifr:A∧B thenπ₁(r) :A”, would not be consistent. Indeed, if AandB are two arbitrary types,sa term of typeAandta term of typeB, thens×thas both typeA∧B and type B∧A, thusπ1(s×t) would have both typeAand type B. A solution is to consider explicitly typed (Church style) terms, and parametrise the projection by the type: ifr:A∧BthenπA(r) :Aand the reduction rule is then thatπA(s×t) reduces tosifshas typeA.

This rule makes reduction non-deterministic. Indeed, in the particular case where A happens to be equal toB, then both sandt have typeA andπA(s×t) reduces both tos and tot. Notice that, although this reduction rule is non-deterministic, it preserves typing,

like the calculus developed in [18], where the reduction is non-deterministic, but verifies subject reduction.

1.3 Non-determinism

Therefore, System I is one of the many non-deterministic calculi in the sense, for instance, of [5,7,9,10,24] and our pair-construction operator×is also the parallel composition operator of a non-deterministic calculus.

In non-deterministic calculi, the non-deterministic choice is such that ifrandsare twoλ- terms, the termr⊕srepresents the computation that runs eitherrorsnon-deterministically, that is such that (r⊕s)treduces either tortorst. On the other hand, the parallel composition operator|is such that the term (r|s)treduces tort|stand continue running bothrtandst in parallel. In our case, givenrandsof typeA⇒B andt of typeA, the termπB((r×s)t) is equivalent toπ_B(rt×st), which reduces tortorst, while the termrt×stitself would run both computations in parallel. Hence, our×is equivalent to the parallel composition while the non-deterministic choice⊕is decomposed into×followed by π.

In System I, the non-determinism comes from the interaction of two operators, ×andπ.

This is similar to quantum computing where the non-determinism comes from the interaction of two operators, the fist allowing to build a superposition, that is a linear combination, of two termsα.r+β.t, and the measurement operator π. In addition, in such calculi, the distributivity rule (r+s)trt+stis seen as the point-wise definition of the sum of two functions.

More generally, the calculus developed in this paper is also related to the algebraic calculi [1–4,14,16,28], some of which have been designed to express quantum algorithms. There is a clear link between the pair constructor×and the projectionπ, with the superposition constructor + and the measurementπon these calculi. In these cases, the pairs+tis not interpreted as a non-deterministic choice, but as a superposition of two processes runnings andt, and the operatorπis the projection related to the measurement, which is the only non-deterministic operator.

Outline

In Section 2, we define the notion of type isomorphism and prove elementary properties of this relation. In Section 3, we introduce System I. In Section 4, we prove its subject reduction.

In Section 5, we prove its strong normalisation. In Section 6, we prove its consistency. Finally, in Section 7, we discuss how System I could be used as a programming language.

2 Type isomorphisms 2.1 Types and isomorphisms

Types are defined by the following grammar A, B, C, . . . ::= τ | A⇒B |A∧B whereτ is the only atomic type.

IDefinition 2.1 (Size of a type). The size of a type is defined as usual by s(τ) = 1

s(A⇒B) =s(A) +s(B) + 1 s(A∧B) =s(A) +s(B) + 1

IDefinition 2.2(Congruence). The isomorphisms(1),(2), (3), and (4)define a congruence on types.

A∧B ≡B∧A (1)

A∧(B∧C)≡(A∧B)∧C (2)

A⇒(B∧C)≡(A⇒B)∧(A⇒C) (3)

(A∧B)⇒C≡A⇒B⇒C (4)

2.2 Prime factors

IDefinition 2.3 (Prime types). A prime type is a type of the form C₁⇒ · · · ⇒ Cn ⇒τ, withn≥0.

A prime type is equivalent to (Vn

i=1C_i)⇒τ, which is either equivalent toτ or toC⇒τ, for someC. For uniformity, we may write∅ ⇒τ forτ.

We now show that each type can be decomposed into a conjunction of prime types. We use the notation [Ai]ⁿ_i=1 for the multiset whose elements areA1, . . . , An. We may write [Ai]i

when the number of elements is not important. IfR = [Ai]i is a multiset of types, then conj(R) =V

iA_i.

IDefinition 2.4. We write[A₁, . . . , An]∼[B₁, . . . , Bm]if n=m andBi≡Ai.

IDefinition 2.5 (Prime factors). The multiset of prime factors of a typeA is inductively defined as follows

PF(τ) = [τ]

PF(A⇒B) = [(A∧C_i)⇒τ]_i=1ⁿ where[C_i⇒τ]ⁿ_i=1=PF(B) PF(A∧B) =PF(A)]PF(B)

with the convention thatA∧ ∅=A.

Note that ifB⇒τ∈PF(A), thens(B)< s(A).

ILemma 2.6. For allA,A≡conj(PF(A)).

Proof. By induction ons(A).

IfA=τ, thenPF(τ) = [τ], and soconj(PF(τ)) =τ.

If A = B ⇒ C, then PF(A) = [(B∧Ci) ⇒ τ]i, where [Ci ⇒ τ]i = PF(C). By the induction hypothesis, C ≡V

i(Ci ⇒ τ), hence, A = B ⇒ C ≡ B ⇒ V

i(Ci ⇒ τ) ≡ V

i(B⇒Ci⇒τ)≡V

i((B∧Ci)⇒τ).

If A = B∧C, then PF(A) = PF(B)]PF(C). By the induction hypothesis, B ≡ conj(PF(B)), andC≡conj(PF(C)). Therefore,A=B∧C≡conj(PF(B))∧conj(PF(C))≡ conj(PF(B∧C))≡conj(PF(B)]PF(C)) =conj(PF(A)). J ILemma 2.7. IfA≡B, thenPF(A)∼PF(B).

Proof. First we check thatPF(A∧B)∼PF(B∧A) and similar for the other three isomorph- isms. Then we prove by structural induction that ifA andB are equivalent in one step, thenPF(A)∼PF(B). We conclude by an induction on the length of the derivation of the

equivalenceA≡B. J

2.3 Measure of types

The size of a type is not preserved by equivalence. For instance,τ ⇒(τ∧τ)≡(τ ⇒τ)∧(τ⇒ τ), buts(τ ⇒(τ∧τ)) = 5 ands((τ⇒τ)∧(τ⇒τ)) = 7. Thus, we define another notion of measure of a type.

IDefinition 2.8 (Measure of a type). The measure of a type is defined as follows m(A) =X

i

(m(C_i) + 1) where [C_i ⇒τ]_i=PF(A)

with the convention thatm(∅) = 0.

ILemma 2.9. If A≡B, thenm(A) =m(B).

Proof. By induction on s(A). Let PF(A) = [C_i ⇒ τ]_i and PF(B) = [D_j ⇒ τ]_j. By Lemma 2.7, [Ci ⇒ τ]i ∼ [Di ⇒ τ]i. Without lost of generality, take Ci ≡ Di. By the induction hypothesis,m(Ci) =m(Di). Then,m(A) =P

i(m(Ci) + 1) =P

i(m(Di) + 1) =

m(B). J

The following lemma shows that the measure m(A) verifies the usual properties.

ILemma 2.10.

1. m(A∧B)> m(A) 2. m(A⇒B)> m(A) 3. m(A⇒B)> m(B)

Proof.

1. PF(A) is a strict submultiset ofPF(A∧B).

2. Let PF(B) = [C_i⇒τ]ⁿ_i=1. Then,PF(A⇒B) = [(A∧C_i)⇒τ]ⁿ_i=1. Hence,m(A⇒B)≥ m(A∧C1) + 1> m(A∧C1)≥m(A).

3. m(A⇒B) =P

im(A∧C_i) + 1>P

im(C_i) + 1 =m(B). J

2.4 Decomposition properties on types

In simply typed lambda calculus, the implication and the conjunction are constructors, that is A ⇒ B is never equal to C∧D, if A ⇒ B = A⁰ ⇒ B⁰, then A = A⁰ and B =B⁰, and the same holds for the conjunction. This is not the case in System I, where τ⇒(τ∧τ)≡(τ⇒τ)∧(τ⇒τ), but the connectors still have some coherence properties:

If A⇒B ≡Vn

i=1Ci, then each Ci is equivalent to an implication A⇒Bi, where the conjunction of theBiis equivalent to B.

If A∧B ≡ V

iC_i, then each C_i is a conjunction of elements, possibly empty, that contribute to Aand toB.

We state these properties in Corollary 2.12 and Lemma 2.15.

I Lemma 2.11. If A ⇒ B ≡ C₁∧C₂, then C₁ ≡ A ⇒ B₁ and C₂ ≡ A ⇒ B₂ where B≡B1∧B2.

Proof. By Lemma 2.7, PF(A ⇒ B) ∼ PF(C1∧C2) = PF(C1)]PF(C2). Let PF(B) = [Di ⇒ τ]ⁿ_i=1, so PF(A ⇒ B) = [(A∧Di) ⇒ τ]ⁿ_i=1. Without lost of generality, take PF(C₁)∼[(A∧D_i)⇒τ]^k_i=1 andPF(C₂)∼[(A∧D_i)⇒τ]ⁿ_i=k+1. Therefore, by Lemma 2.6, we have A ⇒ B ≡ Vk

i=1((A∧Di) ⇒ τ)∧Vn

i=k+1((A∧Di) ⇒ τ) ≡ (A ⇒ Vk

i=1(Di ⇒ τ))∧(A⇒Vn

i=k+1(Di⇒τ)). TakeB₁=Vk

i=1Di⇒τ andB₂=Vn

i=k+1Di⇒τ. Remark

thatC1≡A⇒B1,C2≡A⇒B2 andB≡B1∧B2. J

W Y V X R S

T U

W₁W₂ V1 V2

W_n Vn

R S

T1 T2 Tn

Figure 1

ICorollary 2.12. If A ⇒ B ≡ Vn

i=1Ci, then for i ∈ {1, . . . , n}, we have Ci ≡A ⇒ Bi

whereB≡Vn i=1Bi.

Proof. By induction onn. By Lemma 2.11,Vn−1

i=1 C_i ≡A⇒B⁰ andC_n≡A⇒B_n, with B≡B⁰∧Bn. By the induction hypothesis, fori≤n−1,Ci≡A⇒Bi whereB⁰≡Vn−1

i=1 Bi. Hence,B≡Vn

i=1Bi. J

ILemma 2.13. LetR, S, T and U be four multisets such that R]S=T]U, then there exist four multisetsV, W,X, and Y such that R=V ]X,S=W ]Y,T =V ]W, and

U =X]Y, cf. Figure 1.

Proof. Consider an elementa∈R]S =T]U. Letrbe the multiplicity of ainR,s its multiplicity inS,t its multiplicity inT, anduits multiplicity inU. We haver+s=t+u.

Ifr≤twe put rcopies ofainV,t−rinW, 0 inX, anduinY. Otherwise, we put tinV,

0 inW,r−t inX, andsinY. J

ICorollary 2.14. LetR andS be two multisets and(T_i)ⁿ_i=1 be a family of multisets, such thatR]S=Un

i=1Ti. Then, there exist multisetsV1, . . . , Vn, W1, . . . , Wn such thatR=U

iVi

andS =U

iW_i and for eachi,T_i=V_i]W_i, cf. Figure 1.

Proof. By induction onn. We haveR]S=Un−1

i=1 Ti]Tn. Then, by Lemma 2.13, there exist R⁰, S⁰, Vn, Wn such that R=R⁰]Vn, S=S⁰]Wn,Un−1

i=1 Ti=R⁰]S⁰, andTn =Vn]Wn. By induction hypothesis, there existV₁, . . . , V_n−1andW₁, . . . , W_n−1such thatR⁰=Un−1

i=1 V_i, S⁰=Un−1

i=1 Wi and eachTi=Vi]Wi. Hence,R=Un

i=1Vi andS =Un

i=1Wi. J

ILemma 2.15. IfA∧B ≡Vn

i=1Ci then there exists a partition E]F]Gof {1, . . . , n}

such that

Ci=Ai∧Bi, wheni∈E;

C_i=A_i, wheni∈F; Ci=Bi, wheni∈G;

A=V

i∈E]FAi; and B=V

i∈E]GB_i. J

Proof. LetR=PF(A),S=PF(B), andTi=PF(Ci). By Lemma 2.7, we havePF(A∧B)∼ PF(V

iC_i), that is R]S ∼ U

iT_i. By Corollary 2.14, there exist V_i and W_i such that R=Un

i=1Vi, S =Un

i=1Wi, andTi ∼Vi]Wi. As Ti is non-empty, Vi andWi cannot be both empty.

IfV_i andW_i are both non-empty, we leti∈E andA_i =conj(V_i) andB_i=conj(W_i). By Lemma 2.6,Ci≡conj(Ti)≡conj(Vi]Wi)≡Ai∧Bi.

IfV_i is non-empty andW_iis empty, we let i∈F, andA_i=conj(V_i)≡conj(T_i)≡C_i. IfWi is non-empty andViis empty, we let i∈G, andBi=conj(Wi)≡conj(Ti)≡Ci. AsVi=∅wheni∈G, we haveA≡conj(R)≡conj(U

i∈E]FVi)≡V

i∈E]FAi. AsWi=∅ wheni∈F, we haveB≡conj(S)≡conj(U

i∈E]GWi)≡V

i∈E]GBi. J

[x∈V_A]

x:A ^{(ax) [A≡B]}

r:A r:B ^(≡) r:B

λx^A.r:A⇒B

(⇒i) r:A⇒B s:A rs:B ^(⇒e)

r:A s:B r×s:A∧B ^(∧i)

r:A∧B πA(r) :A

(∧e)

Table 1The type system.

r×ss×r (comm)

(r×s)×tr×(s×t) (asso)

λx^A.(r×s)λx^A.r×λx^A.s (distλ)

(r×s)trt×st (distapp)

rstr(s×t) (curry)

Table 2Symmetric relation.

3 System I 3.1 Syntax

We associate to each (up to equivalence) prime typeA an infinite set of variablesVA such that ifA≡B thenVA=VB and ifA6≡B thenVA∩ VB =∅. The set of terms is defined inductively by the grammar

r, s, t, . . . ::= x|λx.r |rs|r×s|π_A(r)

We recall the type on binding occurrences of variables and writeλx^A.tforλx.twhenx∈ VA. α-equivalence and substitution are defined as usual. The type system is given in Table 1. We use a presentation of typing rules without explicit context following [21, 25], hence the typing judgments have the formr:A. The preconditions of a typing rule is written on its left.

3.2 Operational semantics

The operational semantics of the calculus is defined by two relations: an equivalence relation, and a reduction relation.

I Definition 3.1. The symmetric relation is the smallest contextually closed relation defined by the rules given in Table 2.

Each isomorphism induces an equivalence between terms. Two rules however correspond to the isomorphism (3), depending on which distribution is taken into account: elimination or introduction of implication. We write^∗for the transitive and reflexive closure of. Note that^∗ is an equivalence relation.

Because of the associativity property of ×, the termr×(s×t) is equivalent to the term (r×s)×t, so we can just write itr×s×t.

As explained in the introduction, variables of conjunctive types are useless, hence all variables have prime types. This way, there is no termλx^τ∧τ.x, but a termλy^τ.λz^τ.y×z which is equivalent to (λy^τ.λz^τ.y)×(λy^τ.λz^τ.z).

P(x) = 0 M(x) = 1

P(λx^A.r) =P(r) M(λx^A.r) = 1 +M(r) +P(r)

P(rs) =P(r) M(rs) =M(r) +M(s) +P(r)M(s) P(r×s) = 1 +P(r) +P(s) M(r×s) =M(r) +M(s)

P(π_A(r)) =P(r) M(π_A(r)) = 1 +M(r) +P(r) Table 3Measure on terms.

The size of a term is not invariant through the equivalence . Hence, we introduce a measureM(·), which is given in Table 3.

ILemma 3.2. IfrsthenP(r) =P(s).

Proof. We check the case of each rule of Table 2, and then conclude by structural induction to handle the contextual closure.

(comm): P(r×s) = 1 +P(r) +P(s) =P(s×r).

(asso): P((r×s)×t) = 2 +P(r) +P(s) +P(t) =P(r×(s×t)).

(distλ): P(λx^A.(r×s)) = 1 +P(r) +P(s) =P(λx^A.r×λx^A.s).

(distapp): P((r×s)t) = 1 +P(r) +P(s) =P(rt×st).

(curry): P((rs)t) =P(r) =P(r(s×t)). J

ILemma 3.3. IfrsthenM(r) =M(s).

Proof. We check the case of each rule of Table 2, and then conclude by structural induction to handle the contextual closure.

(comm): M(r×s) =M(r) +M(s) =M(s×r).

(asso): M((r×s)×t) =M(r) +M(s) +M(t) =M(r×(s×t)).

(distλ): M(λx^A.(r×s)) = 2 +M(r) +M(s) +P(r) +P(s) =M(λx^A.r×λx^A.s)

(distapp): M((r×s)t) =M(r) +M(s) + 2M(t) +P(r)M(t) +P(s)M(t) =M(rt×st)

(curry): M((rs)t) =M(r) +M(s) +P(r)M(s) +M(t) +P(r)M(t) =M(r(s×t)) J ILemma 3.4. M(λx^A.r) > M(r), M(rs) > M(r), M(rs) > M(s), M(r×s) > M(r), M(r×s)> M(s), andM(πA(r))> M(r).

Proof. By induction onr, M(r)≥1. We conclude with a case inspection. J We use the measure to prove that the equivalence class of a term is a finite set.

ILemma 3.5. For any termr, the set{s| s^∗r} is finite (moduloα-equivalence).

Proof. Since{s | s ^∗ r} ⊆ {s | F V(s) = F V(r) and M(s) = M(r)} ⊆ {s | F V(s) ⊆ F V(r) and M(s) ≤M(r)}, where F V(t) is the set of free variables of t, all we need to prove is that for all natural numbersn, for all finite sets of variablesF, the setH(n, F) = {s|F V(s)⊆F andM(s)≤n}is finite.

By induction onn. Forn= 1 the set{s|F V(s)⊆F andM(s)≤1}contains only the variables ofF. Assume the property holds forn, then, by the Lemma 3.4 the setH(n+ 1, F) is a subset of the finite set containing the variables ofF, the abstractions (λx^A.r) forrin H(n, F ∪ {x}), the applications (rs) forrandsinH(n, F), the productsr×sforr ands inH(n, F), the projectionsπA(r) forrinH(n, F). J

Ifs:A, (λx^A.r)s ,→r[s/x] (β) Ifr:A, πA(r×s),→r (π)

Table 4Reduction relation.

I Definition 3.6. The reduction relation ,→ is the smallest contextually closed relation defined by the rules given in Table 4. We write,→^∗ for the transitive and reflexive closure of ,→.

IDefinition 3.7. We write for the relation ,→ modulo ^∗ (i.e. r s iff r^∗ r⁰ ,→ s^0∗s), and ^∗ for its transitive and reflexive closure.

Remark that, by Lemma 3.5, a term has a finite number of reducts in one step and these reducts can be computed.

3.3 Examples

IExample 3.8. Letr:Aand s:B. Then (λx^A.λy^B.x)(r×s) :Aand (λx^A.λy^B.x)(r×s)(λx^A.λy^B.x)rs ,→^∗r

However, ifA≡B, it is also possible to reduce in the following way (λx^A.λy^A.x)(r×s)(λx^A.λy^A.x)(s×r)(λx^A.λy^A.x)sr ,→^∗s

Hence, the usual encoding of the projector also behaves non-deterministically.

IExample 3.9. Lets:Aandt:B, and letTF=λx^A.λy^B.(x×y).

Then TF : A ⇒ B ⇒ (A∧B) ≡ ((A∧B) ⇒ A)∧((A∧B) ⇒ B). Therefore, π_(A∧B)⇒A(TF) : (A∧B)⇒A. Hence,π_(A∧B)⇒A(TF)(s×t) :A.

This term reduces as follows:

π_(A∧B)⇒A(TF)(s×t)π_(A∧B)⇒A(TF)st

π_(A∧B)⇒A(λx^A.(λy^B.x)×(λy^B.y))st π_(A∧B)⇒A((λx^A.λy^B.x)×(λx^A.λy^B.y))st ,→(λx^A.λy^B.x)st

,→(λy^B.s)t ,→s

IExample 3.10. LetT=λx^A.λy^B.xandF=λx^A.λy^B.y. The termT×F×TFhas type ((A∧B)⇒(A∧B))∧((A∧B)⇒(A∧B)).

Hence,π(A∧B)⇒(A∧B)(T×F×TF) is well typed and reduces non-deterministically either toT×For toTF. Moreover, asT×FandTFare equivalent, the non-deterministic choice does not play any role in this particular case. We will come back to the encoding of booleans in System I on Section 7.

4 Subject Reduction

The set of types assigned to a term is preserved under and ,→. Before proving this property, we prove the unicity of types (Lemma 4.1), the generation lemma (Lemma 4.2), and the substitution lemma (Lemma 4.3). We only state the lemmas in this section. The detailed proofs can be found in Appendix A.

The following lemma states that a term can be typed only by equivalent types.

ILemma 4.1(Unicity). Ifr:Aandr:B, thenA≡B.

Proof.

If the last rule of the derivation ofr:Ais (≡), then we have a shorter derivation of r:C withC≡A, and, by the induction hypothesis,C≡B, henceA≡B.

If the last rule of the derivation ofr:B is (≡) we proceed in the same way.

All the remaining cases are syntax directed. J

ILemma 4.2(Generation).

1. If x∈ VA andx:B, thenA≡B.

2. If λx^A.r:B, thenB≡A⇒C andr:C.

3. If rs:B, then r:A⇒B ands:A.

4. If r×s:A, thenA≡B∧C withr:B ands:C.

5. If πA(r) :B, thenA≡B andr:B∧C.

Proof. Each statement is proved by induction on the typing derivation. For the statement 1, we havex∈ VA andx:B. The only way to type this term is either by the rule (ax) or (≡).

In the first case,A=B, henceA≡B.

In the second case, there existsB⁰ such thatx:B⁰ has a shorter derivation, andB ≡B⁰. By the induction hypothesisA≡B⁰ ≡B.

For the statement 2, we haveλx^A.r:B. The only way to type this term is either by rule (⇒i), (≡).

In the first case, we haveB =A⇒C for some,C andr:C.

In the second, there existsB⁰ such that λx^A.r:B⁰ has a shorter derivation, andB ≡B⁰. By the induction hypothesis,B⁰ ≡A⇒C andr:C. Thus,B≡B⁰≡A⇒C.

The three other statements are similar. J

ILemma 4.3(Substitution). Ifr:A,s:B, andx∈ VB, thenr[s/x] :A.

Proof. By structural induction onr(cf. Appendix A). J

ITheorem 4.4 (Subject reduction). If r:A andr ,→sor rsthen s:A.

Proof. By induction on the rewrite relation (cf. Appendix A). J

5 Strong Normalisation

In this section we prove the strong normalisation of reduction : every reduction sequence fired from a typed term eventually terminates. The set of strongly normalising terms with respect to reduction is written SN. The size of the longest reduction issued fromt is written|t|(recall that each term has a finite number of reducts).

To prove that every term is inSN, we associate, as usual, a setJAKof strongly normalising terms to each typeA. A termr:Ais said to be reducible whenr∈JAK. We then prove an adequacy theorem stating that every well typed term is reducible.

In simply typed lambda calculus we can either defineJA1⇒A2⇒ · · · ⇒An ⇒τKas the set of termsrsuch that for alls∈JA1K,rs∈JA2⇒ · · · ⇒An⇒τKor, equivalently, as the set of termsrsuch that for alls_i∈JA_iK,rs₁. . . s_n∈JτK=SN. To prove that a term of the formλx^A.tis reducible, we need to use the so-called CR3 property [22], in the first case, and the property that a term whose all one-step reducts are inSNis inSN, in the second.

In System I, an introduction can be equivalent to an elimination e.g. rt×st (r×s)t, hence, we cannot define a notion of neutral term and have an equivalent to the CR3 property.

Therefore, we use the second definition.

Before we prove the normalisation of System I, we first reformulate the proof of strong normalisation of simply typed lambda-calculus along these lines.

5.1 Normalisation of simply typed lambda calculus

IDefinition 5.1(Elimination context). Consider an extension of simply typed lambda calculus where we introduce an extra symbol[]^A, called hole of type A.

An elimination context with a hole []^{B1⇒···⇒Bn⇒τ} is a term K_B^τ

1⇒···⇒Bn⇒τ of typeτ of the form[]^{B1⇒···⇒Bn⇒τ}r1. . . rn. We writeK_A^τ[t], for the termK_A^τ[t/[]^A] =tr1. . . rn. IDefinition 5.2 (Terms occurring in an elimination context). T([]^Ar1. . . rn) ={r1, . . . , rn}.

Note that the types of the elements of T([]^Ar₁. . . rn) are smaller than A, and that if r1, . . . , rn ∈SN, then[]^Ar1. . . rn∈SN.

I Definition 5.3 (Reducibility). The set JAK of reducible terms of type A is defined by structural induction on Aas the set of termst:A such that for any elimination contextK_A^τ such that the terms in T(K_A^τ)are all reducible, we haveK_A^τ[t]∈SN.

IDefinition 5.4 (Reducible elimination context). An elimination context K_A^B is reducible, if all the terms in T(K_A^B) are reducible.

ILemma 5.5. For all A,JAK⊆SNand all the variables of type A are inJAK.

Proof. By induction onA. J

ILemma 5.6(Adequacy of application). If r∈JA⇒BKands∈JAK, thenrs∈JBK. Proof. Let K_B^τ be a reducible elimination context. We need to prove thatK_B^τ[rs]∈SN. As s∈JAK, the elimination contextK_A⇒B^0τ =K_B^τ[[]^A⇒Bs] is reducible, and sincer∈JA⇒BK,

we haveK_B^τ[rs] =K_A⇒B^0τ [r]∈SN. J

I Lemma 5.7 (Adequacy of abstraction). If for all t ∈ JAK, r[t/x] ∈ JBK, then λx^A.r ∈ JA⇒BK.

Proof. We need to prove that for every reducible elimination contextK_A⇒B^τ ,K_A⇒B^τ [λx^A.r]∈ SN, that is that all its one step reducts are inSN. By Lemma 5.5,x∈JAK, sor∈JBK⊆SN.

Then, we proceed by induction on|r|+|K_A⇒B^τ |. J

IDefinition 5.8(Adequate substitution). A substitutionσ is adequate if for all x:A, we have σ(x)∈JAK.

ITheorem 5.9 (Adequacy). If r:A, the for allσ adequate, we haveσr∈JAK.

Proof. By induction onr. J

ITheorem 5.10(Strong normalisation). If r:A, thenr∈SN.

Proof. By Lemma 5.5, the idendity substitution is adequate. Thus, by Theorem 5.9 and

Lemma 5.5,r∈JAK⊆SN. J

5.2 Reduction of a product

When simply-typed lambda-calculus is extended with pairs, proving that if r₁ ∈ SNand r2 ∈ SNthen r1×r2 ∈ SNis easy. However, in System I this property (Lemma 5.13) is harder to prove, as it requires a characterisation of the terms equivalent to the product r1×r2 (Lemma 5.11) and of all the reducts of this term (Lemma 5.12).

In Lemma 5.11, we characterise the terms equivalent to a product.

ILemma 5.11. If r×s^∗t then either 1. t=u×v where either

a. u^∗t11×t21 andv^∗t12×t22 withr^∗t11×t12 ands^∗t21×t22, or b. v^∗w×s withr^∗u×w, or any of the three symmetric cases, or c. r^∗uands^∗v, or the symmetric case.

2. t=λx^A.a anda^∗a₁×a₂ withr^∗λx^A.a₁ ands^∗λx^A.a₂. 3. t=av anda^∗a₁×a₂, withr^∗ a₁v ands^∗a₂v.

Proof. By a double induction, first on M(t) and then on the length of the relation ^∗

(cf. Appendix B.1). J

In Lemma 5.12, we characterise the reducts of a product.

ILemma 5.12. If r₁×r₂^∗s ,→t, there exists u₁,u₂ such thatt^∗ u₁×u₂ and either (r1 u1 andr2 u2), or (r1 u1 andr2^∗u2), or (r1^∗u1 andr2 u2).

Proof. By induction onM(r₁×r₂). J

ILemma 5.13. If r₁∈SN andr₂∈SN, thenr₁×r₂∈SN.

Proof. By Lemma 5.12, from a reduction sequence starting fromr1×r2 we can extract one starting fromr1, or r2 or both. Hence, this reduction sequence is finite. J

5.3 Reduction of a term of a conjunctive type

The next lemma takes advantage of the fact that all the variables have prime types to prove that all terms of conjunctive type, even open ones, reduce to a product. For instance, instead of the termλx^τ∧τ.x, of type ((τ∧τ)⇒τ)∧((τ∧τ)⇒τ), we must write λy^τ.λz^τ.y×z, which is equivalent to (λy^τ.λz^τ.y)×(λy^τ.λz^τ.z).

ILemma 5.14. If r:Vn

i=1Ai, thenr ^∗Qn

i=1ri whereri:Ai. Proof. By induction onr.

r=x, then it has a prime type, so taker₁=r.

Letr=λx^C.s. Then, by Lemma 4.2,s:D withC⇒D≡V

iA_i. So, by Corollary 2.12, D ≡ V

iDi, and so, by the induction hypothesis, s ^∗ Q

isi. Therefore, λx^C.s ^∗ Q

iλx^C.s_i.

Letr=st. Then, by Lemma 4.2, s:C⇒V

iA_i, sos:V

i(C⇒A_i). Therefore, by the induction hypothesis,s ^∗Q

isi, and sost ^∗Q

isit.

Letr=s×t. Then, by Lemma 4.2,s:B andt:C, withB∧C≡V

iAi. By Lemma 2.15, there exists a partition E]F]Gof {1, . . . , n} such that A_i ≡B_i∧C_i, when i∈ E;

Ai ≡ Bi, when i ∈ F; Ai ≡ Ci, when i ∈ G; B ≡ V

i∈E]FBi; andC ≡ V

i∈E]GCi. By the induction hypothesis, s ^∗ Q

i∈E]Fsi andt ^∗ Q

i∈E]Gti. If i ∈ E, we let ri=si×ti, ifi∈F, we letri=si, ifi∈G, we letri=ti. We haver=s×t ^∗Qn

i=1ri.

Let r= πV

iAi(s). Then, by Lemma 4.2, s : V

iAi∧B, and hence, by the induction hypothesis,s ^∗Q

isi×t wheresi:Ai andt:B, hencer Q

isi. J

ICorollary 5.15. Ifr:A∧B, thenr ^∗r₁×r₂ wherer₁:Aandr₂:B.

Proof. LetPF(A) = [A_i]_i,PF(B) = [B_j]_j, by Lemma 2.6,A∧B≡V

iA_i∧V

jB_j. Then, by Lemma 5.14,r ^∗Q

ir1i×Q

jr2j. Taker1=Q

ir1i andr2=Q

jr2j. J

5.4 Reducibility

IDefinition 5.16 (Elimination context). Consider an extension of the language where we introduce an extra symbol []^A, called hole of type A. We define the set of elimination contexts with a hole []^A as the smallest set such that:

[]^A is an elimination context of type A,

if K_A^B⇒C is an elimination context of typeB⇒C with a hole of typeA, and r:B then K_A^B⇒Cris an elimination context of type C with a hole of type A,

and ifK_A^B∧Cis an elimination context of typeB∧Cwith a hole of typeA, thenπ_B(K_A^B∧C) is an elimination context of typeB with a hole of typeA.

We write K_A^B[t] for K_A^B[t/[]^A], where []^A is the hole of K_A^B. In particular, t may be an elimination context.

I Example 5.17. Let K_τ^τ = []^τ andK_{τ⇒(τ∧τ)}^0τ =K_τ^τ[πτ([]^{τ⇒(τ∧τ)}x)]. Then K_{τ⇒(τ∧τ)}^0τ = πτ([]^{τ⇒(τ∧τ)}x), andK_{τ⇒(τ∧τ)}^0τ [λy^τ.y×y] =πτ((λy^τ.y×y)x).

IDefinition 5.18 (Terms occurring in an elimination context). Let K_A^B be an elimination context. The multiset of terms occurring inK_A^B is defined as

T([]^A) =∅; T(K_A^B⇒Cr) =T(K_A^B⇒C)] {r}; T(πB(K_A^B∧C)) =T(K_A^B∧C) We write|K_A^B| forPn

i=1|ri| where[r₁, . . . , rn] =T(K_A^B).

IExample 5.19. T([]^Ars) = [r, s] andT([]^A(r×s)) = [r×s]. Remark thatK_A^B[t]^∗K_A^0B[t]

does not implyT(K_A^B)∼ T(K_A^0B).

Remark that ifK_A^B is a context,m(B)≤m(A) and hence if a term inT(K_A^B) has type C, thenm(C)< m(A).

I Lemma 5.20. Let K_A^τ be an elimination context such thatT(K_A^τ)⊆ SN, let PF(A) = [B1, . . . , Bn], and letxi∈ VBi. ThenK_A^τ[x1× · · · ×xn]∈SN.

Proof. By induction on the number of projections inK_A^τ.

IfK_A^τ does not contain any projection, then it has the form []^A r1... rm. LetCi be the type of r_i, we haveA≡C₁⇒... ⇒C_n ⇒τ, thus A is prime,n= 1, and we need to prove that x1 r1 ... rmis inSNwhich is a consequence of the fact thatr1, ...,rn are in SN.

Otherwise, K_A^τ =K_B^0τ[πB([]^Ar1. . . rm)], and K_A^τ[x1× · · · ×xn] = K_B^0τ[πB((x1× · · · × x_n)r₁. . . r_m)]^∗K_B^0τ[π_B(x₁r₁. . . r_m× · · · ×x_nr₁. . . r_m)]. We prove that this term is in SN by showing, more generally, that if si are reducts ofxir1. . . rm, then K_B^0τ[πB(s1×

· · · ×sn)]∈SN. To do so, we show, by induction on|K_B^0τ|+|s1× · · · ×sn|, that all the one step reducts of this term are inSN.

If the reduction takes place in one of the terms inT(K_B^0τ) or in one of thesi, we apply the induction hypothesis.

Otherwise, the reduction is a (π) reduction of πB(s1× · · · ×sn) yielding, without lost of generality, a term of the form K_B^0τ[s1× · · · ×sq]. This term is a reduct of K_B^0τ[(x₁× · · · ×x_q)r₁. . . r_m]. As the contextK_B^0τ[([]^Cr₁. . . r_m)] contains one projection less thanK_A^τ this term is inSN. Hence so does its reductK_B^0τ[s1× · · · ×sq]. J I Definition 5.21 (Reducibility). The set JAK of reducible terms of type A is defined by induction onm(A)as the set of termst:A such that for any elimination contextK_A^τ such that the terms of T(K_A^τ) are all reducible, we haveK_A^τ[t]∈SN.

IDefinition 5.22(Reducible elimination context). An elimination contextK_A^B is reducible, if all the terms inT(K_A^B)are reducible.

From now on we consider all the elimination contexts to be reducible.

The following lemma is a trivial consequence of the definition of reducibility.

ILemma 5.23. If A≡B, thenJAK=JBK. J

ILemma 5.24. For all A,JAK⊆SNandJAK6=∅.

Proof. By induction onm(A). By the induction hypothesis, for all theB such thatm(B)<

m(A),JBK6=∅. Thus, there exists an elimination contextK_A^τ. Hence, ifr∈JAK,K_A^τ[r]∈SN, hencer∈SN.

We then prove that if PF(A) = [B1, . . . , Bn] andxi ∈ VB_i thenQ

ixi ∈ JAK. By the induction hypothesis,T(K_A^τ)⊆SN, hence, by Lemma 5.20,K_A^τ[x₁× · · · ×x_n]∈SN. J

5.5 Adequacy

We finally prove the adequacy theorem (Theorem 5.30) showing that every typed term is reducible, and the strong normalisation theorem (Theorem 5.31) as a consequence of it.

ILemma 5.25(Adequacy of projection). If r∈JA∧BK, thenπA(r)∈JAK.

Proof. We need to prove that K_A^τ[πA(r)] ∈ SN. Take K_A∧B^0τ = K_A^τ[πA[]^A∧B] and since r∈JA∧BK, we haveK_A^τ[πA(r)] =K_A∧B^0τ [r]∈SN. J ILemma 5.26(Adequacy of application). If r∈JA⇒BK, ands∈JAK, thenrs∈JBK. Proof. We need to prove that K_B^τ[rs] ∈ SN. Take K_A⇒B^0τ = K_B^τ[[]^A⇒Bs] and since r ∈

JA⇒BK, we haveK_B^τ[rs] =K_A⇒B^0τ [r]∈SN. J

ILemma 5.27(Adequacy of product). If r∈JAK ands∈JBK, thenr×s∈JA∧BK. Proof. We need to prove thatK_A∧B^τ [r×s]∈SN. We proceed by induction on the number of projections inK_A⇒B^τ . Since the hole of K_A∧B^τ has typeA∧B, andK_A∧B^τ [t] has type τ for any t : A, we can assume, without lost of generality, that the context K_A∧B^τ has the formK_C^0τ[π_C([]^A∧Bt₁. . . t_n)]. We prove that allK_C^0τ[π_C(rt₁. . . t_n×st₁. . . t_n)]∈SNby showing, more generally, that ifr⁰ ands⁰ are two reducts ofrt1. . . tn andst1. . . tn, then K_C^0τ[πC(r⁰×s⁰)]∈SN. For this, we show that all its one step reducts are inSN, by induction on|K_C^0τ|+|r⁰|+|s⁰|. Full details are given in Appendix B.2. J ILemma 5.28 (Adequacy of abstraction). If for all t ∈JAK, r[t/x]∈ JBK, then λx^A.r ∈ JA⇒BK.