Samuel MIMRAM

Contents

0 Introduction 10
0.1 Proving instead of testing . . . . . . . . . . . . . . . . . . . . . . 10
0.2 Typing as proving . . . . . . . . . . . . . . . . . . . . . . . . . . 11
0.3 Checking programs . . . . . . . . . . . . . . . . . . . . . . . . . . 13
0.4 Checking proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
0.5 Searching for proofs . . . . . . . . . . . . . . . . . . . . . . . . . 14
0.6 Foundations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
0.7 In this course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
0.8 Other references on programs and proofs . . . . . . . . . . . . . . 16
0.9 About this document . . . . . . . . . . . . . . . . . . . . . . . . . 16

1 Typed functional programming 18

1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.1.1 Hello world . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.1.2 Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.1.3 A statically typed language . . . . . . . . . . . . . . . . . 19
1.1.4 A functional language . . . . . . . . . . . . . . . . . . . . 19
1.1.5 Other features . . . . . . . . . . . . . . . . . . . . . . . . 20
1.2 Basic constructions . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.2.1 Declarations . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.2.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.2.3 Booleans . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.2.4 Products . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.2.5 Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.2.6 Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.2.7 Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.3 Recursive types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.3.1 Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.3.2 Usual recursive types . . . . . . . . . . . . . . . . . . . . . 24
1.3.3 Abstract description . . . . . . . . . . . . . . . . . . . . . 26
1.3.4 Option types and exceptions . . . . . . . . . . . . . . . . 28
1.4 The typing system . . . . . . . . . . . . . . . . . . . . . . . . . . 29
1.4.1 Usefulness of typing . . . . . . . . . . . . . . . . . . . . . 29
1.4.2 Properties of typing . . . . . . . . . . . . . . . . . . . . . 30
1.4.3 Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
1.5 Typing as proving . . . . . . . . . . . . . . . . . . . . . . . . . . 38
1.5.1 Arrow as implication . . . . . . . . . . . . . . . . . . . . . 38
1.5.2 Other connectives . . . . . . . . . . . . . . . . . . . . . . 39
1.5.3 Limitations of the correspondence . . . . . . . . . . . . . 40
CONTENTS 3

2 Propositional logic 41
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.1.1 From provability to proofs . . . . . . . . . . . . . . . . . . 41
2.1.2 Intuitionism . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.1.3 Formalizing proofs . . . . . . . . . . . . . . . . . . . . . . 43
2.1.4 Properties of logical system . . . . . . . . . . . . . . . . . 44
2.2 Natural deduction . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.2.1 Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.2.2 Sequents . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.2.3 Inference rules . . . . . . . . . . . . . . . . . . . . . . . . 46
2.2.4 Intuitionistic natural deduction . . . . . . . . . . . . . . . 46
2.2.5 Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
2.2.6 Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.2.7 Admissible rules . . . . . . . . . . . . . . . . . . . . . . . 49
2.2.8 Definable connectives . . . . . . . . . . . . . . . . . . . . 52
2.2.9 Equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.2.10 Structural rules . . . . . . . . . . . . . . . . . . . . . . . . 54
2.2.11 Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.3 Cut elimination . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.3.1 Cuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
2.3.2 Proof substitution . . . . . . . . . . . . . . . . . . . . . . 57
2.3.3 Cut elimination . . . . . . . . . . . . . . . . . . . . . . . . 58
2.3.4 Consistency . . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.3.5 Intuitionism . . . . . . . . . . . . . . . . . . . . . . . . . . 62
2.3.6 Commutative cuts . . . . . . . . . . . . . . . . . . . . . . 64
2.4 Proof search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
2.4.1 Reversible rules . . . . . . . . . . . . . . . . . . . . . . . . 65
2.4.2 Proof search . . . . . . . . . . . . . . . . . . . . . . . . . . 66
2.5 Classical logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
2.5.1 Axioms for classical logic . . . . . . . . . . . . . . . . . . 68
2.5.2 The intuition behind classical logic . . . . . . . . . . . . . 70
2.5.3 A variant of natural deduction . . . . . . . . . . . . . . . 72
2.5.4 Cut-elimination in classical logic . . . . . . . . . . . . . . 74
2.5.5 De Morgan laws . . . . . . . . . . . . . . . . . . . . . . . 75
2.5.6 Boolean models . . . . . . . . . . . . . . . . . . . . . . . . 79
2.5.7 DPLL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
2.5.8 Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
2.5.9 Double-negation translation . . . . . . . . . . . . . . . . . 89
2.5.10 Intermediate logics . . . . . . . . . . . . . . . . . . . . . . 91
2.6 Sequent calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
2.6.1 Sequents . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
2.6.2 Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
2.6.3 Intuitionistic rules . . . . . . . . . . . . . . . . . . . . . . 96
2.6.4 Cut elimination . . . . . . . . . . . . . . . . . . . . . . . . 97
2.6.5 Proof search . . . . . . . . . . . . . . . . . . . . . . . . . . 97
2.7 Hilbert calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
2.7.1 Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
2.7.2 Other connectives . . . . . . . . . . . . . . . . . . . . . . 103
2.7.3 Relationship with natural deduction . . . . . . . . . . . . 103
2.8 Kripke semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
CONTENTS 4

2.8.1 Kripke structures . . . . . . . . . . . . . . . . . . . . . . . 105

2.8.2 Completeness . . . . . . . . . . . . . . . . . . . . . . . . . 107

3 Pure λ-calculus 110

3.1 λ-terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.1.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.1.2 Bound and free variables . . . . . . . . . . . . . . . . . . . 112
3.1.3 Renaming and α-equivalence . . . . . . . . . . . . . . . . 112
3.1.4 Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . 113
3.2 β-reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
3.2.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
3.2.2 An example . . . . . . . . . . . . . . . . . . . . . . . . . . 115
3.2.3 Reduction and redexes . . . . . . . . . . . . . . . . . . . . 115
3.2.4 Confluence . . . . . . . . . . . . . . . . . . . . . . . . . . 115
3.2.5 β-reduction paths . . . . . . . . . . . . . . . . . . . . . . 116
3.2.6 Normalization . . . . . . . . . . . . . . . . . . . . . . . . . 116
3.2.7 β-equivalence . . . . . . . . . . . . . . . . . . . . . . . . . 117
3.2.8 η-equivalence . . . . . . . . . . . . . . . . . . . . . . . . . 117
3.3 Computing in the λ-calculus . . . . . . . . . . . . . . . . . . . . . 118
3.3.1 Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
3.3.2 Booleans . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
3.3.3 Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
3.3.4 Natural numbers . . . . . . . . . . . . . . . . . . . . . . . 120
3.3.5 Fixpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
3.3.6 Turing completeness . . . . . . . . . . . . . . . . . . . . . 126
3.3.7 Self-interpreting . . . . . . . . . . . . . . . . . . . . . . . 128
3.3.8 Adding constructors . . . . . . . . . . . . . . . . . . . . . 128
3.4 Confluence of the λ-calculus . . . . . . . . . . . . . . . . . . . . . 129
3.4.1 Confluence . . . . . . . . . . . . . . . . . . . . . . . . . . 129
3.4.2 The parallel β-reduction . . . . . . . . . . . . . . . . . . . 130
3.4.3 Properties of the parallel β-reduction . . . . . . . . . . . . 131
3.4.4 Confluence and the Church-Rosser theorem . . . . . . . . 135
3.5 Implementing reduction . . . . . . . . . . . . . . . . . . . . . . . 136
3.5.1 Reduction strategies . . . . . . . . . . . . . . . . . . . . . 136
3.5.2 Normalization by evaluation . . . . . . . . . . . . . . . . . 142
3.6 Nameless syntaxes . . . . . . . . . . . . . . . . . . . . . . . . . . 147
3.6.1 The Barendregt convention . . . . . . . . . . . . . . . . . 147
3.6.2 De Bruijn indices . . . . . . . . . . . . . . . . . . . . . . . 147
3.6.3 Combinatory logic . . . . . . . . . . . . . . . . . . . . . . 152

4 Simply typed λ-calculus 159

4.1 Typing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
4.1.1 Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
4.1.2 Contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
4.1.3 λ-terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
4.1.4 Typing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
4.1.5 Basic properties of the typing system . . . . . . . . . . . . 161
4.1.6 Type checking, type inference and typability . . . . . . . 162
4.1.7 The Curry-Howard correspondence . . . . . . . . . . . . . 164
4.1.8 Subject reduction . . . . . . . . . . . . . . . . . . . . . . . 167
CONTENTS 5

4.1.9 η-expansion . . . . . . . . . . . . . . . . . . . . . . . . . . 170

4.1.10 Confluence . . . . . . . . . . . . . . . . . . . . . . . . . . 171
4.2 Strong normalization . . . . . . . . . . . . . . . . . . . . . . . . . 171
4.2.1 A normalization strategy . . . . . . . . . . . . . . . . . . 171
4.2.2 Strong normalization . . . . . . . . . . . . . . . . . . . . . 172
4.2.3 First consequences . . . . . . . . . . . . . . . . . . . . . . 175
4.2.4 Deciding convertibility . . . . . . . . . . . . . . . . . . . . 176
4.2.5 Weak normalization . . . . . . . . . . . . . . . . . . . . . 176
4.3 Other connectives . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
4.3.1 Products . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
4.3.2 Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
4.3.3 Coproducts . . . . . . . . . . . . . . . . . . . . . . . . . . 184
4.3.4 Empty type . . . . . . . . . . . . . . . . . . . . . . . . . . 186
4.3.5 Commuting conversions . . . . . . . . . . . . . . . . . . . 187
4.3.6 Natural numbers . . . . . . . . . . . . . . . . . . . . . . . 188
4.3.7 Strong normalization . . . . . . . . . . . . . . . . . . . . . 189
4.4 Curry style typing . . . . . . . . . . . . . . . . . . . . . . . . . . 190
4.4.1 A typing system . . . . . . . . . . . . . . . . . . . . . . . 190
4.4.2 Principal types . . . . . . . . . . . . . . . . . . . . . . . . 191
4.4.3 Computing the principal type . . . . . . . . . . . . . . . . 192
4.4.4 Hindley-Milner type inference . . . . . . . . . . . . . . . . 198
4.4.5 Bidirectional type checking . . . . . . . . . . . . . . . . . 207
4.5 Hilbert calculus and combinators . . . . . . . . . . . . . . . . . . 211
4.6 Classical logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
4.6.1 Felleisen’s C . . . . . . . . . . . . . . . . . . . . . . . . . . 212
4.6.2 The λµ-calculus . . . . . . . . . . . . . . . . . . . . . . . 215
4.6.3 Classical logic as a typing system . . . . . . . . . . . . . . 217
4.6.4 A more symmetric calculus . . . . . . . . . . . . . . . . . 219

5 First-order logic 221

5.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
5.1.1 Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
5.1.2 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
5.1.3 Substitutions . . . . . . . . . . . . . . . . . . . . . . . . . 222
5.1.4 Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
5.1.5 Bound and free variables . . . . . . . . . . . . . . . . . . . 223
5.1.6 Natural deduction rules . . . . . . . . . . . . . . . . . . . 224
5.1.7 Classical first order logic . . . . . . . . . . . . . . . . . . . 225
5.1.8 Sequent calculus rules . . . . . . . . . . . . . . . . . . . . 227
5.1.9 Cut elimination . . . . . . . . . . . . . . . . . . . . . . . . 228
5.1.10 Eigenvariables . . . . . . . . . . . . . . . . . . . . . . . . 229
5.1.11 Curry-Howard . . . . . . . . . . . . . . . . . . . . . . . . 230
5.2 Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
5.2.1 Equality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
5.2.2 Properties of theories . . . . . . . . . . . . . . . . . . . . 233
5.2.3 Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
5.2.4 Presburger arithmetic . . . . . . . . . . . . . . . . . . . . 237
5.2.5 Peano and Heyting arithmetic . . . . . . . . . . . . . . . . 238
5.3 Set theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
5.3.1 Naive set theory . . . . . . . . . . . . . . . . . . . . . . . 240
CONTENTS 6

5.3.2 Zermelo-Fraenkel set theory . . . . . . . . . . . . . . . . . 242

5.3.3 Intuitionistic set theory . . . . . . . . . . . . . . . . . . . 246
5.4 Unification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
5.4.1 Equation systems . . . . . . . . . . . . . . . . . . . . . . . 252
5.4.2 Most general unifier . . . . . . . . . . . . . . . . . . . . . 252
5.4.3 The unification algorithm . . . . . . . . . . . . . . . . . . 253
5.4.4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . 256
5.4.5 Efficient implementation . . . . . . . . . . . . . . . . . . . 257
5.4.6 Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

6 Agda 262
6.1 What is Agda? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
6.1.1 Features of proof assistants . . . . . . . . . . . . . . . . . 262
6.1.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . 266
6.2 Getting started with Agda . . . . . . . . . . . . . . . . . . . . . . 267
6.2.1 Getting help . . . . . . . . . . . . . . . . . . . . . . . . . 267
6.2.2 Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
6.2.3 The standard library . . . . . . . . . . . . . . . . . . . . . 268
6.2.4 Hello world . . . . . . . . . . . . . . . . . . . . . . . . . . 269
6.2.5 Our first proof . . . . . . . . . . . . . . . . . . . . . . . . 269
6.2.6 Our first proof, step by step . . . . . . . . . . . . . . . . . 271
6.2.7 Our first proof, again . . . . . . . . . . . . . . . . . . . . 272
6.3 Basic agda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
6.3.1 The type of types . . . . . . . . . . . . . . . . . . . . . . . 274
6.3.2 Arrow types . . . . . . . . . . . . . . . . . . . . . . . . . . 274
6.3.3 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
6.3.4 Postulates . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
6.3.5 Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
6.3.6 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
6.4 Inductive types: data . . . . . . . . . . . . . . . . . . . . . . . . . 278
6.4.1 Natural numbers . . . . . . . . . . . . . . . . . . . . . . . 278
6.4.2 Pattern matching . . . . . . . . . . . . . . . . . . . . . . . 278
6.4.3 The induction principle . . . . . . . . . . . . . . . . . . . 281
6.4.4 Booleans . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
6.4.5 Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
6.4.6 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
6.4.7 Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
6.4.8 Finite sets . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
6.5 Inductive types: logic . . . . . . . . . . . . . . . . . . . . . . . . 287
6.5.1 Implication . . . . . . . . . . . . . . . . . . . . . . . . . . 287
6.5.2 Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
6.5.3 Unit type . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
6.5.4 Empty type . . . . . . . . . . . . . . . . . . . . . . . . . . 289
6.5.5 Negation . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
6.5.6 Coproduct . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
6.5.7 Π-types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
6.5.8 Σ-types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
6.5.9 Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
6.6 Equality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
6.6.1 Equality and pattern matching . . . . . . . . . . . . . . . 295
CONTENTS 7

6.6.2 Main properties . . . . . . . . . . . . . . . . . . . . . . . . 296

6.6.3 Half of even numbers . . . . . . . . . . . . . . . . . . . . . 296
6.6.4 Reasoning . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
6.6.5 Definitional equality . . . . . . . . . . . . . . . . . . . . . 298
6.6.6 More properties with equality . . . . . . . . . . . . . . . . 299
6.6.7 The J rule . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
6.6.8 Decidable equality . . . . . . . . . . . . . . . . . . . . . . 301
6.6.9 Heterogeneous equality . . . . . . . . . . . . . . . . . . . 302
6.7 Proving programs in practice . . . . . . . . . . . . . . . . . . . . 304
6.7.1 Extrinsic vs intrinsic proofs . . . . . . . . . . . . . . . . . 304
6.7.2 Insertion sort . . . . . . . . . . . . . . . . . . . . . . . . . 306
6.7.3 The importance of the specification . . . . . . . . . . . . . 308
6.8 Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
6.8.1 Termination and consistency . . . . . . . . . . . . . . . . 310
6.8.2 Structural recursion . . . . . . . . . . . . . . . . . . . . . 310
6.8.3 A bit of computability . . . . . . . . . . . . . . . . . . . . 312
6.8.4 The number of bits . . . . . . . . . . . . . . . . . . . . . . 313
6.8.5 The fuel technique . . . . . . . . . . . . . . . . . . . . . . 314
6.8.6 Well-founded induction . . . . . . . . . . . . . . . . . . . 315
6.8.7 Division and modulo . . . . . . . . . . . . . . . . . . . . . 321

7 Formalization of important results 324

7.1 Safety of a simple language . . . . . . . . . . . . . . . . . . . . . 324
7.2 Natural deduction . . . . . . . . . . . . . . . . . . . . . . . . . . 327
7.3 Pure λ-calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
7.3.1 Naive approach . . . . . . . . . . . . . . . . . . . . . . . . 329
7.3.2 De Bruijn indices . . . . . . . . . . . . . . . . . . . . . . . 330
7.3.3 Keeping track of free variables . . . . . . . . . . . . . . . 333
7.3.4 Normalization by evaluation . . . . . . . . . . . . . . . . . 333
7.3.5 Confluence . . . . . . . . . . . . . . . . . . . . . . . . . . 334
7.4 Combinatory logic . . . . . . . . . . . . . . . . . . . . . . . . . . 337
7.5 Simply typed λ-calculus . . . . . . . . . . . . . . . . . . . . . . . 339
7.5.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
7.5.2 Strong normalization . . . . . . . . . . . . . . . . . . . . . 342
7.5.3 Normalization by evaluation . . . . . . . . . . . . . . . . . 346

8 Dependent type theory 351

8.1 Core dependent type theory . . . . . . . . . . . . . . . . . . . . . 351
8.1.1 Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . 351
8.1.2 Free variables and substitution . . . . . . . . . . . . . . . 352
8.1.3 Contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
8.1.4 Definitional equality . . . . . . . . . . . . . . . . . . . . . 353
8.1.5 Sequents . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
8.1.6 Rules for contexts . . . . . . . . . . . . . . . . . . . . . . 354
8.1.7 Rules for equality . . . . . . . . . . . . . . . . . . . . . . . 354
8.1.8 Axiom rule . . . . . . . . . . . . . . . . . . . . . . . . . . 355
8.1.9 Terms and rules for type constructors . . . . . . . . . . . 355
8.1.10 Rules for Π-types . . . . . . . . . . . . . . . . . . . . . . . 356
8.1.11 Admissible rules . . . . . . . . . . . . . . . . . . . . . . . 358
8.2 Universes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
CONTENTS 8

8.2.1 The type of Type . . . . . . . . . . . . . . . . . . . . . . . 359

8.2.2 Russell’s paradox in type theory . . . . . . . . . . . . . . 359
8.2.3 Girard’s paradox . . . . . . . . . . . . . . . . . . . . . . . 363
8.2.4 The hierarchy of universes . . . . . . . . . . . . . . . . . . 367
8.3 More type constructors . . . . . . . . . . . . . . . . . . . . . . . . 370
8.3.1 Empty type . . . . . . . . . . . . . . . . . . . . . . . . . . 370
8.3.2 Unit type . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
8.3.3 Products . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
8.3.4 Dependent sums . . . . . . . . . . . . . . . . . . . . . . . 373
8.3.5 Coproducts . . . . . . . . . . . . . . . . . . . . . . . . . . 374
8.3.6 Booleans . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
8.3.7 Natural numbers . . . . . . . . . . . . . . . . . . . . . . . 376
8.3.8 Other type constructors . . . . . . . . . . . . . . . . . . . 378
8.4 Inductive types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
8.4.1 W-types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
8.4.2 Rules for W-types . . . . . . . . . . . . . . . . . . . . . . 382
8.4.3 More inductive types . . . . . . . . . . . . . . . . . . . . . 382
8.4.4 The positivity condition . . . . . . . . . . . . . . . . . . . 385
8.4.5 Disjointedness and injectivity of constructors . . . . . . . 389
8.5 Implementing type theory . . . . . . . . . . . . . . . . . . . . . . 390
8.5.1 Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . 391
8.5.2 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 392
8.5.3 Convertibility . . . . . . . . . . . . . . . . . . . . . . . . . 393
8.5.4 Typechecking . . . . . . . . . . . . . . . . . . . . . . . . . 396
8.5.5 Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

9 Homotopy type theory 399

9.1 Identity types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
9.1.1 Definitional and propositional equality . . . . . . . . . . . 400
9.1.2 Propositional equality in Agda . . . . . . . . . . . . . . . 400
9.1.3 The rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
9.1.4 Leibniz equality . . . . . . . . . . . . . . . . . . . . . . . . 402
9.1.5 Extensionality of equality . . . . . . . . . . . . . . . . . . 404
9.1.6 Uniqueness of identity proofs . . . . . . . . . . . . . . . . 406
9.2 Types as spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
9.2.1 Intuition about the model . . . . . . . . . . . . . . . . . . 407
9.2.2 The structure of paths . . . . . . . . . . . . . . . . . . . . 411
9.3 n-types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
9.3.1 Propositions . . . . . . . . . . . . . . . . . . . . . . . . . 414
9.3.2 Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
9.3.3 n-types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
9.3.4 Propositional truncation . . . . . . . . . . . . . . . . . . . 426
9.4 Univalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
9.4.1 Operations with paths . . . . . . . . . . . . . . . . . . . . 437
9.4.2 Equivalences . . . . . . . . . . . . . . . . . . . . . . . . . 439
9.4.3 Univalence . . . . . . . . . . . . . . . . . . . . . . . . . . 442
9.4.4 Applications of univalence . . . . . . . . . . . . . . . . . . 443
9.4.5 Describing identity types . . . . . . . . . . . . . . . . . . 444
9.4.6 Describing propositions . . . . . . . . . . . . . . . . . . . 445
9.4.7 Incompatibility with set theoretic interpretation . . . . . 447
CONTENTS 9

9.4.8 Equivalences . . . . . . . . . . . . . . . . . . . . . . . . . 449

9.4.9 Function extensionality . . . . . . . . . . . . . . . . . . . 449
9.4.10 Propositional extensionality . . . . . . . . . . . . . . . . . 456
9.5 Higher inductive types . . . . . . . . . . . . . . . . . . . . . . . . 456
9.5.1 Rules for higher types . . . . . . . . . . . . . . . . . . . . 456
9.5.2 Paths over . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
9.5.3 Circle as a higher inductive type . . . . . . . . . . . . . . 460
9.5.4 Useful higher inductive types . . . . . . . . . . . . . . . . 461

A Appendix 463
A.1 Relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
A.1.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
A.1.2 Closure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
A.1.3 Quotient . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
A.1.4 Congruence . . . . . . . . . . . . . . . . . . . . . . . . . . 464
A.2 Monoids . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
A.2.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
A.2.2 Free monoids . . . . . . . . . . . . . . . . . . . . . . . . . 464
A.3 Well-founded orders . . . . . . . . . . . . . . . . . . . . . . . . . 465
A.3.1 Partial orders . . . . . . . . . . . . . . . . . . . . . . . . . 465
A.3.2 Well-founded orders . . . . . . . . . . . . . . . . . . . . . 465
A.3.3 Lexicographic order . . . . . . . . . . . . . . . . . . . . . 466
A.3.4 Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
A.3.5 Multisets . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
A.4 Cantor’s diagonal argument . . . . . . . . . . . . . . . . . . . . . 469
A.4.1 A general Cantor argument . . . . . . . . . . . . . . . . . 469
A.4.2 Agda formalization . . . . . . . . . . . . . . . . . . . . . . 471
 Chapter 0

Introduction

These are the extended notes for the INF551 course which I taught at École
Polytechnique starting from 2019. The goal is to give a first introduction to the
Curry-Howard correspondence between programs and proofs, from a theoretical
programmer’s perspective: we want to understand the theory behind logic and
programming languages, but also to write concrete programs (in OCaml) and
proofs (in Agda). Although most of the material is self-contained, the reader is
supposed to be already acquainted with logic and programming.

0.1 Proving instead of testing

Most of the current software development is validated by performing tests: we
run the programs with various values for the parameters, chosen in order to
cover most branches of the program, and, if no bug has occurred during those
executions, we consider that the program is good enough for production. The
reason for this is that we consider that if the program uses “small” constants
and “regular enough” functions then a large number of tests should be able
to cover all the general behaviors of the program. Seriously following such a
discipline greatly reduces the number of bugs, especially the simple ones, but we
all know that it does not completely eliminates those: in some very particular
and unlucky situations, problems still do happen.
In mathematics, the usual approach is quite different. For instance, when
proving a property P (n) over natural numbers, a typical mathematician, will
not test that P (0) holds, P (1) holds, P (2) holds, and so on, up to a big number,
and if the property is experimentally always verified, he will claim: “I am almost
certain that the property P is always true”. He will maybe perform some tests in
order to verify whether the conjecture is plausible or not, but in the end he will
write down a proof, which ensures that the property P (n) is always verified, for
eternity, even if someone makes a particularly unlucky or pervert choice for n.
Proving instead of testing does require some extra work, but the confidence it
brings to the results is incomparable.
Let us present an extreme example of why this is the right way to proceed.
On day one, our mathematician finds out using a formal computation software
that Z ∞
sin(t) π
dt =
0 t 2
On day two, he tries to play around a bit with such formulas and finds out that
Z ∞
sin(t) sin(t/101) π
dt =
0 t t/101 2
On day three, he thinks maybe a pattern could emerge and discovers that
Z ∞
sin(t) sin(t/101) sin(t/201) π
dt =
0 t t/101 t/201 2
CHAPTER 0. INTRODUCTION 11

On day four, he gets quite confident and conjectures that, for every n ∈ N,
Z ∞ Y n
!
sin(t/(100n + 1)) π
dt =
0 i=0
t/(100n + 1) 2

He then spends the rest of the year heating his computer and the planet, suc-
cessfully proving the conjecture for increasing values of n. This approach seems
to be justified since the most complicated function involved in here is the sinus,
which is quite regular (it is periodic), and all the constants are small (we get
factors such as 100), so that if something bad ought to happen it will happen
for a not-so-big value of n and testing should discover it. In fact, the conjecture
breaks starting at

n = 15 341 178 777 673 149 429 167 740 440 969 249 338 310 889

and none of the usual tests would have found this out. There is a nice explana-
tion for this which we will not give here, see [BB01, Bae18], but the morale is:
if you want to be sure of something, don’t test it, prove it.
On the computer science side, analogous examples abound where errors have
been found in programs, although heavily tested. They have recently increased
with the advent of parallel computing (for instance, in order to exploit all the
cores that you have on your laptop or even your smartphone), where bugs might
be triggered by some particular and very rare scheduling of processes. Already
in the 70s, Dijkstra was claiming that program testing can be used to show
the presence of bugs, but never to show their absence! [Dij70], and the idea of
formally verifying programs can even be traced back 20 years before that by, as
usual, Turing [Tur49]. If we want to have software we can really trust (and not
trust most of the time), we should move from testing to proving in computer
science too.
In this course, you will learn how to perform such proofs, as well as the
theory behind it. Actually, the most complicated program we will prove correct
here is a sorting algorithm and I can already hear you thinking “come on,
we have been writing sorting algorithms for decades, we should know how to
write one by now”. While I understand your point, I have two arguments to
provide for this. Firstly, proving a more realistic program is only a matter
of time (and experience): the course covers most of the concepts required to
perform proofs, and attacking full-fledged code will not require new techniques,
only patience. Secondly, in 2015, some researchers found out, using formal
methods, that the default sorting algorithm (the one in the standard library, not
some obscure library found on the GitHub) in both Python and Java (not some
obscure programming language) was flawed, and the bug had been standing
there for more than a decade [dGdBB+ 19]...

0.2 Typing as proving

But how can we achieve this goal of applying techniques of proofs to programs?
It turns out that we do not even need to come up with some new ideas thanks to
the so-called proof-as-program correspondence discovered in the 1960s by Curry
and Howard: a program is secretly the same as a proof! More precisely, in a
typed functional programming language, the type of a program can be read as
CHAPTER 0. INTRODUCTION 12

a formula, and the program itself contains exactly the information required to
prove this formula. This is the one thing to remember from this course:
PROGRAM = PROOF
This deep relationship allows the use techniques from mathematics in order to
study programs, but also can be used to extract computational contents from
proofs in mathematics.
The goal of this course is to give a precise meaning to this vague description,
but let us give an example in order to understand it better. In a functional
language such as OCaml, we can write a function such as
let comp f g x = g (f x)
and the compiler will automatically infer a type for it. Here, it will be
('a -> 'b) -> ('b -> 'c) -> ('a -> 'c)
meaning that for any types ’a, ’b and ’c,
– if f is a function which takes a value of type ’a as argument and returns
a value of type ’b,
– if g is a function which takes a value of type ’b as argument and returns
a value of type ’c, and
– if x is a value of type ’a,
then the result is of type ’c. For instance, with the function succ of type
int -> int (it adds one to an integer), and the function string_of_int of type
int -> string (it converts an integer to a string), the expression
comp succ string_of_int 2
will be of type string (it will evaluate to "3"). Now, if we read -> as a logical
implication ⇒, the type can be written as
(A ⇒ B) ⇒ (B ⇒ C) ⇒ (A ⇒ C)
which is a valid formula. This is not by chance: in some sense, the program
comp can be considered as a way of proving that this formula is valid.
Of course, if we want to prove richer properties of programs (or use programs
to prove more interesting formulas), we should use a logic which is more expres-
sive than propositional logic. In this course, we will present dependent types
which achieve this, while keeping the proof-as-program correspondence. For
instance the euclidean division, which computes the quotient and remainder of
two integers is usually given the type
int -> int -> int * int
stating that it takes two integers as argument and returns a pair of integers.
This typing is very weak, in the sense that there are many different functions
which also have this type. With dependent types, we will be able to give it the
type
(m : int) → (n : int) → Σ(q : int).Σ(r : int).((m = nq + r) × (r < n))
which can be read as the formula
∀m ∈ int.∀n ∈ int.∃q ∈ int.∃r ∈ int.((m = nq + r) ∧ (r < n))
and entirely specifies its behavior.
CHAPTER 0. INTRODUCTION 13

0.3 Checking programs

In order to help developing proofs with the aid of a computer people have
developed proof assistants such as Coq or Agda: those are programs which help
the user to gradually develop proofs (which is necessary due to their typical size)
and automatically check that they are correct. While those have progressed
much over the years, in practice, proving that a program is correct still takes
much more time than testing it (but, again, the result is infinitely superior). For
this reason, they have been used in areas where there is a strong incentive to do
it: applications where human lives (or large amounts of money) are involved.
This technology is part of a bigger family of tools and techniques called
formal methods whose aim is to guarantee the functioning of programs, with
various automation levels and expressiveness. As usual, the more precise invari-
ants you are going to prove about your programs, the less automated you can
be:

abstract proof
interpretation assistants
(AbsInt, Astrée, ...) (Agda, Coq, ...)
automation expressiveness
Hoare logic
(Why3, ...)

There is quite a number of industrial successes of uses of formal methods. For

instance, the line 14 in Paris and the CDGVAL at Roissy airport have been
proved using the B-method, Airbus is heavily using various formal tools (AbsInt,
Astrée, CompCert, Frama-C), etc. We should also mention here the CompCert
project, which provides a fully certified compiler for a (subset of) C: even though
your program is proved to be bug-free, the compiler (which is not an easy piece
of software) might itself be the cause of problems in your program...
The upside of automated methods is that, of course, they allow for reaching
one’s goal much more quickly. Their downside is that when they do not apply to
a particular problem, one is left without a way out. On the other side, virtually
any property can be shown in a proof assistant, provided that one is smart
enough and has enough time to spend.

0.4 Checking proofs

Verifying that a proof is correct is a task which can be automatically and effi-
ciently performed (it amounts to checking that a program is correctly typed); in
contrast, finding a proof is an art. The situation is somewhat similar to analysis
in mathematics where derivating a function is a completely mechanical task,
while integrating requires the use of many methods and tricks [Mun19]. This
means that computer science can also be of some help to mathematicians: we
can formalize mathematical proofs in proof assistants and ensure that no one
has made a mistake. And it happens that mathematicians, even famous ones,
make subtle mistakes.
For instance, in the 1990s, the Fields medalist Voevodsky wrote a paper
solving an important conjecture by Grothendieck [KV91], which roughly states
CHAPTER 0. INTRODUCTION 14

that spaces are the same as strict ∞-categories in which all morphisms are
weakly invertible (don’t worry if you do not precisely understand all the terms
in this sentence). A few years later, this was shown to be wrong because someone
provided a counter-example [Sim98], but no one could exactly point out what
was the mistake in the original proof. Because of this, Voevodsky thought for
more than 20 years that his proof was still correct. Understanding that there
was indeed a mistake lead him to use proof assistants for all his proofs and, in
fact, propose a new foundation for mathematics using logics, which is nowadays
called homotopy type theory [Uni13]. Quoting him [Voe14]:
I now do my mathematics with a proof assistant and do not have to
worry all the time about mistakes in my arguments or about how to
convince others that my arguments are correct.
But I think that the sense of urgency that pushed me to hurry with
the program remains. Sooner or later computer proof assistants will
become the norm, but the longer this process takes the more misery
associated with mistakes and with unnecessary self-verification the
practitioners of the field will have to endure.
As a much simpler example, suppose that we want to prove that all horses
have the same color (sic). We show by induction on n the property P (n) =
“every set of n horses is monochromatic”. For n = 0 and n = 1, the property is
obvious. Now suppose that P (n) holds and consider a set H of n + 1 horses. We
can figure H as a big set, in which we can pick two distinct elements (horses)
h1 and h2 and consider the sets H1 = H \ {h2 } and H2 = H \ {h1 }:

h1 h2

H1 H2

By induction hypothesis all the horses in H1 have the same color and all the
horses in H2 have the same color. Therefore, by transitivity, all the horses in H
have the same color. Of course this proof is not valid, because we all know that
there are horses of various colors (can you spot the mistake?). Formalizing the
proof in a proof assistant will force you to fill in all the details, thus removing
the possibility for potential errors in vague arguments, and will ensure that the
arguments given are actually valid, so that flaws such as in the above proof
will be uncovered. This is not limited to small reasoning: large and important
proofs have been fully checked in Coq for instance, such as the four color theo-
rem [Gon08] in graph theory or the Feit-Thompson theorem [GAA+ 13] in group
theory.

0.5 Searching for proofs

Closely related to proof checking is proof search, or automated theorem proving,
i.e. have the computer try by itself to find a proof for a given formula. For
CHAPTER 0. INTRODUCTION 15

simple enough fragments of logic (e.g. propositional logic) this can be done:
proof theory allows to carefully design efficient new proof search procedures. For
richer logics, it quickly becomes undecidable. However, modern proof assistants
(e.g. Coq) have so called tactics which can fill in some specific proofs, although
the logic is rich. Typically, they are able to take care of showing boring identities
such as (x + y) − x = y in abelian groups.
Understanding proof theory allows to formulate problems in a logical fash-
ion and solve them. It thus applies to various fields, even outside theoretical
computer science. For instance, McCarthy, a founder of Artificial Intelligence
(the name is due to him!), was a strong advocate of using mathematical logic
to represent knowledge and manipulate it [McC60]. Neural networks are admit-
tedly more fashionable these days, but one never knows what the future will be
made of.
Although we will see some proof search techniques in this course, this will
not be a central subject. The reason for this is that the main message is that
we should take proofs seriously: since a proof is the same as a program, we are
not interested in provability, but rather in proofs themselves, and proof search
techniques give us very little control over the proofs they produce.

0.6 Foundations
At the beginning of the 20th century, some annoying paradoxes surfaced in
mathematics, such as Russell’s paradox, motivating Hilbert’s program to provide
an axiomatization on which all mathematics could be founded and show that
this axiomatization is consistent: this is sometimes called the foundational crisis.
Although Gödel’s incompleteness theorems established that there is no definite
answer to this question, various formalisms have been proposed in which one
can develop most of usual mathematics. One of the most widely used is set
theory, as axiomatized by Zermelo and Fraenkel, but other formalisms have
been proposed such as Russell’s theory of types [WR12], where the current type
theory originates from: in fact, type theory can be taken as a foundation of
mathematics. People usually see set theory as being more fundamental, since
we see a type as representing a set (e.g. A ⇒ B is the set of functions from
the set of A to the one of B), but we can also view type theory as being more
fundamental since we can formalize set theory in type theory. The one you take
for foundations is a matter of taste: are you more into chickens or into eggs?
Type theory also provides a solid framework in which one can study basic
philosophical questions such as: What is reasoning? What is a proof? If I know
that something exists do I know it? What does it mean for two things to be
equal? and so on. We could spend pages discussing those matters (and others
have done so), but we rather like to formalize things, and we will see that very
satisfactory answers to those questions can be given with a few inference rules.
The meaning of life remains an open question, though.
By taking an increasingly important part in our lives and influencing the
way we see the (mathematical) world, it has even evolved for some of us into
some sort of religion based on the computational trinitarism, which stems from
CHAPTER 0. INTRODUCTION 16

the observation that computation manifests itself in three forms [Har11]:

categories

logic programming

The aim of the present text is to explain the bottom line of the above diagram
and leave categories for other books [Mac71, LS88, Jac99]. Another closely
related religion is constructivism, a doctrine according to which something can
be accepted only if it can actually be constructed. It will play a central role in
here, because programs precisely constitute a mean to describe the construction
of things.

0.7 In this course

As a first introduction to functional and typed languages, we first present OCaml
in chapter 1, in which most example programs given here are written. We
present propositional logic in chapter 2 (the proofs), λ-calculus in chapter 3 (the
programs), and the simply-typed variant λ-calculus in chapter 4 (the programs
are the proofs). We then generalize the correspondence between proofs and
programs to richer logics: we present first-order logic in chapter 5, and the
proof assistant Agda in chapter 6 which is used in chapter 7 to formalize most
important results in this book, and is based on the dependent types detailed
in chapter 8. We finally given an introduction to the recent developments in
homotopy type theory in chapter 9.

0.8 Other references on programs and proofs

Although, we claim some originality in the treatment and the covered topics,
this book is certainly not the first one about the subject. Excellent references
include Girard’s Proofs and Types [Gir89], Girard’s Blind Spot [Gir11], Leroy’s
College de France course Programmer = démontrer ? La correspondance de
Curry-Howard aujourd’hui, Pierce’s Types and Programming Languages [Pie02],
Sørensen and Urzyczyn’s Lectures on the Curry-Howard isomorphism [SU06],
the “HoTT book” Homotopy Type Theory: Univalent Foundations of Mathemat-
ics [Uni13], Programming Language Foundations in Agda [WK19] and Software
foundations [PdAC+ 10].

0.9 About this document

The version you are currently reading was compiled on December 4, 2020. Reg-
ular revisions can be expected if mistakes are found. Should you find one, please
send me a mail at [email protected].

Reading on the beach. A printed copy of this course be ordered from Amazon:
https://www.amazon.fr/dp/B08C97TD9G/.
CHAPTER 0. INTRODUCTION 17

Color of the cover. In case you wonder, the color of the cover was chosen because
it seemed obvious to me that

program = proof = purple

Code snippets. Most of the code shown in this book is excerpted from larger files
which are regularly compiled in order to ensure their correctness. The process
of extracting snippets for inclusion into LATEX is automated with a tool whose
code is freely available at https://github.com/smimram/snippetor.

Thanks. Many people have (voluntarily or not) contributed to the elaboration

of this book. I would like to particularly express my thanks to David Baelde,
Olivier Bournez, Eric Finster, Emmanuel Haucourt, Stéphane Lengrand, Assia
Mahboubi, Paul-André Melliès, Gabriel Scherer, Pierre-Yves Strub, Benjamin
Werner.
I would also like to express my thanks to the readers of the book who have
suggested corrections and improvements: Eduardo Jorge Barbosa, Chhi’mèd
Künzang, Yuxi Liu.
 Chapter 1

Typed functional programming

1.1 Introduction
As an illustration of typed functional programming, we present here the OCaml
programming language which was developed by Leroy and collaborators, fol-
lowing ideas from Milner. We recall here some of the basics of the language
both because it will be used in order to provide illustrative implementations,
but also because we will detail the theory behind it and generalized it in later
chapters. This is not meant to be a complete introduction to programming
in OCaml: advanced courses and documentation can be found on the website
http://ocaml.org/, we well as in books [CMP00, MMH13].
After a brief tour of the language, we present the most important construc-
tions in section 1.2 and detail recursive types which are the main way of con-
structing types throughout the book section 1.3. In section 1.4, we present
the ideas behind the typing system and the guarantees it brings. Finally, we
illustrate how types can be thought of as formulas in section 1.5.

1.1.1 Hello world. The mandatory “Hello world!” program, which prints Hello
world!, can be written as follows:
(* Our first program. *)
print_endline "Hello, world!"

This illustrates the concise syntax of the language (compared to Java for in-
stance). Comments are written using (* ... *). Application of a function to
arguments does not require parenthesis. The indentation is not relevant in pro-
grams (contrarily to e.g. Python), but you are of course strongly encouraged to
correctly indent your programs.

1.1.2 Execution. The programs written in OCaml can be compiled to efficient

native code by using ocamlopt, but there is also a “toplevel” which allows to
interactively evaluate commands. It can be launched by typing ocaml, or utop
if you want a fancier version. For instance:
# 2 + 2;;
- : int = 4
We have typed 2 + 2, followed by ;; to indicate the end of our program. The
toplevel then indicates that this is an integer (it is of type int) and that the
result is 4. We call value an expression which cannot be reduced further: 2+2
is not a value whereas 4 is: the execution of a program consists in reducing
expressions into values in an appropriate way (e.g. 2+2 reduces to 4).
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 19

1.1.3 A statically typed language. The OCaml language is typed meaning

that every term has a type indicating the kind of data it is. A type can be
thought of as a particular set of values, e.g. int represents the set of integers,
string represents the set of strings, and so on. In this way, the expressions 2+2
and 4 have the type int (they are integers), and the function string_of_int
which gives the string representation of an integer has type int -> string,
meaning that it is a function which takes an integer as argument and returns a
string. Moreover, typing is statically checked: when compiling a program, the
compiler ensures that all the types match, and we use values of the expected
type. For instance, if we try to compile the program
let s = string_of_int 3.2
the compiler will complain with
Error: This expression has type float but an expression was
expected of type int
because the string_of_int function expects an integer whereas we have pro-
vided a float number as argument. This discipline is very strict in OCaml (we
sometimes say that the typing is strong): this ensures that the program will not
raise an error during execution because an unexpected value was provided to a
function (this is a theorem!). Otherwise said, quoting Milner [Mil78]:
Well-typed programs cannot go wrong.
Moreover, the types are inferred meaning that the user never has to specify the
types, they are guessed automatically. For instance, in the definition
let f x = x + 1
we know that the addition takes two integers as argument and returns an integer:
therefore x must be of type int and the compiler infers that f must be a function
of type int -> int. However, if for some reason we want to specify the types,
it is still possible:
let f (x : int) : int = x + 1

1.1.4 A functional language. The language is functional meaning that is

has good support for defining functions, and manipulate them just as any other
expression. For instance, suppose that we have a list l of integers, and we want
to double all its elements. We can use the List.map function from the standard
library, which is of type
('a -> 'b) -> 'a list -> 'b list
meaning that it takes as arguments a function f of type 'a -> 'b (here 'a
and 'b are intended to mean “any type”), and a list whose elements are of type
'a, and returns the list whose elements are of type 'b, obtained by applying f
to all the elements of the list. We can then define the “doubled list” by
let l2 = List.map (fun x -> 2 * x) l
where we apply the function x 7→ 2 × x to every element: note that the function
List.map takes a function as argument and that we did not even have to give
a name to the function above by using the construction fun (such a function is
sometimes called anonymous).
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 20

1.1.5 Other features. There are some other important features of the OCaml
language, that we mention only briefly here, because we will not use them much.

References. As in most programming languages, OCaml has support for values

that we can modify, called here references: they can be thought of as memory
cells, from which we can retrieve the value and also change it. We can create
a reference r containing x with let r = ref x, then we can obtain its contents
with !r and change it to y with r := y. For instance, incrementing 10 times a
counter is done by
let () =
let r = ref 0 in
for i = 0 to 9 do
r := !r + 1
done

Garbage collection. Contrarily to languages such as C, OCaml has a Garbage

Collector which takes care of allocating and freeing memory. This means that
freeing memory for a value which is not used anymore is taken care of for us.
This prevents many common bugs such as writing in a part of memory which
was freed or freeing twice a memory region by mistake.

Other traits. In addition to the functional programming style, OCaml has sup-
port for many other style of programming including imperative (e.g. references
described above), objects, etc. OCaml also has support for records, arrays, mod-
ules, generalized algebraic data types, etc.

1.2 Basic constructions

1.2.1 Declarations. Declarations of values are performed with the let key-
word. For instance,
let x = 3
declares that the variable x refers to the value 3. Note that, unless we explicitly
use the reference mechanism, these values cannot be modified. An expression
can also contain some local definitions which are only valid in the rest of the
expression. For instance, in
let x =
let y = 2 in
y * y
the definition of the variable y is only valid in the following expression y * y.
A program consists in a sequence of such definitions. In the case where a
function “does not return anything”, such as printing, by convention it returns
a value of type unit, and we generally use the construction let () = ... in
order to ensure that this is the case. For instance:
let x = "hello"

let () = print_string ("The value of x is " ^ x)

CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 21

1.2.2 Functions. Functions are also defined using let definition, specifying
the arguments after the name of the variable. For instance,
let add x y = x + y
which would be of type
int -> int -> int
Note that arrows are implicitly bracketed on the right: this type means
int -> (int -> int)
Application of a function to arguments is obtained by juxtaposing the function
and the arguments, e.g.
let x = add 3 4
(no need for parenthesis). There is a support for partial application, meaning
that we do not have to give all the arguments to a function (functions are
sometimes called curryfied). For instance, the incrementation of an integer can
be defined by
let incr = add 1
The value incr thus defined is the function which takes an argument y and
returns add 1 y, so that the above definition is equivalent to
let incr y = add 1 y
This is in accordance of the bracketing of the type above: add is a function
which, when given an integer argument, returns a function of type int -> int.
As mentioned above, anonymous functions can be defined by the construc-
tion fun x -> .... The add function could thus have equivalently been defined
by
let add = fun x y -> x + y
or even
let add x = fun y -> x + y
Functions can be recursive, meaning that they can call themselves. In this case,
the rec keyword has to be used. For instance the factorial function is defined
by
let rec fact n =
if n = 0 then 1 else n * fact (n - 1)

1.2.3 Booleans. The type corresponding to booleans is bool, its two values
being true and false. The usual operators are present: conjunction &&, dis-
junction ||, and negation not. In order to compare whether two values x and
y are equal or different, one should use x = y and x <> y. They can be used in
conditional branchings
if ... then ... else ...
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 22

or loops
while ... do ... done

as illustrated above.
Beware that the operators == and != also exist, but they compare values
physically, i.e. check whether they have the same memory location, not if they
have the same contents. For instance, using the toplevel, we have:
# let x = ref 0;;
val x : int ref = {contents = 0}
# let y = ref 0;;
val y : int ref = {contents = 0}
# x = x;;
- : bool = true
# x = y;;
- : bool = true
# x == x;;
- : bool = true
# x == y;;
- : bool = false

1.2.4 Products. The pair of x and y is noted x,y. For instance, we can con-
sider the pair 3,"hello" which has the product type int * string (it is a pair
consisting of an integer and a string). Note that addition could have been
defined as
let add' (x,y) = x + y
resulting in a slightly different function than above: it now has the type
(int * int) -> int

meaning that it takes one argument, which is a pair of integers, and returns a
pair of integers. This means that partial application is not directly available as
before, although we could still write
let incr' = fun y -> add (1,y)

1.2.5 Lists. We quite often use lists in OCaml. The empty list is denoted
[], and x::l is the list obtained by putting the value x before a list l. Most
expected functions on lists are available in the module List. For instance,

– @ concatenates two lists,

– List.length computes the length of a list,
– List.map maps a function on all the elements of a list,

– List.iter executes a function on all the elements of a list,

– List.mem tests whether a value belongs to a list.
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 23

1.2.6 Strings. Strings are written as "this is a string" and the related func-
tions can be found in the module String. For instance, the function String.length
computes the length of a string and String.sub computes a substring (at given
indices) of a string. Concatenation is obtained by ^.

1.2.7 Unit. In OCaml, the type unit contains only one element, written ().
As explained above, this is the value returned by functions which only have an
effect and return no meaningful value (e.g. printing a string). They are also
quite useful to define function having an effect. For instance, if we define
let f = print_string "hello"
the program will write “hello” at the beginning of the execution, because the
expression defining f is evaluated. However, if we define
let f () = print_string "hello"
nothing will be printed because we define a function taking a unit as argument.
In the course of the program, we can then use f () in order to print “hello”.

1.3 Recursive types

A very useful way of defining new data types in OCaml is by recursive types,
whose elements are constructed from other types according to specific construc-
tions, called constructors.

1.3.1 Trees. As a first example, consider trees (more specifically, planar binary
trees with integer labels) such as

4 1

1 3

5 2

Here, a tree consists of finitely many nodes which are labeled by an integer and
can either have two sons, which are themselves trees, or none (in which case
they are called leaves). This description translates immediately to the following
type definition in OCaml:

type tree =
| Node of int * tree * tree
| Leaf of int
This says that a tree is recursively characterized as being Node applied to a
triple consisting of an integer and two trees or Leaf applied to an integer. For
instance, the above tree is represented as
let t = Node (3, Node (4, Leaf 1, Node (3, Leaf 5, Leaf 2)), Leaf 1)
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 24

Here, Node or Leaf are not functions (Leaf 1 does not reduce to anything),
they are called constructors. By convention, constructors have to begin with a
capital letter, in order to distinguish them from functions (which have to begin
with a lowercase letter).

Pattern matching. Any element of the type tree is obtained as a constructor

applied to some arguments. OCaml provides the match construction which
allows to distinguish between the various possible cases of constructors and
return a result accordingly: this is called pattern matching. For instance, the
function computing the height of a tree can be programmed as
let rec height t =
match t with
| Node (n, t1, t2) -> 1 + max (height t1) (height t2)
| Leaf n -> 0
Here, Node (n, t1, t2) is called a pattern and n, t1 and t2 are variables which
will be defined as the values corresponding to the tree we are currently matching
with, and could be given any other name. As another example, the sum of the
labels in a tree can be computed as
let rec sum t =
match t with
| Node (n, t1, t2) -> n + sum t1 + sum t2
| Leaf n -> n

It is sometimes useful to add conditions to matching cases, which can be done

using the when construction. For instance, if we wanted to match only nodes
with strictly positive labels, we could have, in our pattern matching, a case of
the form

| Node (n, t1, t2) when n > 0 -> ...

In case where multiple patterns apply, the first one is chosen. OCaml tests that
all the possible values are handled in a pattern matching (and issues a warning
otherwise). Finally, one can write
let f = function ...

instead of
let f x = match x with ...
(this shortcut was introduced because it is very common to directly match on
the argument of a function).

1.3.2 Usual recursive types. It is interesting to note that many (most) usual
types can be encoded as recursive types.

Booleans. The type of booleans can be encoded as

type bool = True | False
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 25

although OCaml chose not to do that for performance reasons. A case construc-
tion

if b then e1 else e2
could then be encoded as
match b with
| True -> e1
| False -> e2

Lists. Lists are also a recursive type:

type 'a list =
| Nil
| Cons of 'a * 'a list
In OCaml, [] is a notation for Nil and x::l a notation for Cons (x, l). The
length of a list can be computed as

let rec length l =

match l with
| x::l -> 1 + length l
| [] -> 0
Note that the type of list is parametrized over a type ’a. We are thus able to
define, at once, the type of lists containing elements of type ’a, for any type ’a.

Coproducts. We have seen that the elements of a product type 'a * 'b are pairs
x , y consisting of an element x of type ’a and an element y of type ’b. We can
define coproducts consisting of an element of type ’a or an element of type ’b
by
type ('a, 'b) coprod =
| Left of 'a
| Right of 'b

An element of this type is namely of the form Left x with x of type ’a or Right y
with y of type ’b. For instance, we can define a function which provides the
string representation of a value which is either an integer or a float by
let to_string = function
| Left n -> string_of_int n
| Right x -> string_of_float x
which is of type (int, float) coprod -> string.

Unit. The type unit has () as only value. It could have been defined as
type unit =
| T
having () being a notation for T.
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 26

Empty type. The “empty type” can be defined as

type empty = |
i.e. a recursive type with no constructor (we still need to write | for syntactical
reasons). There is thus no value of that type.

Natural numbers. Natural numbers, in unary notation, can be defined as

type nat =
| Zero
| Suc of nat
(any natural number is either 0 or the successor of a natural number) and
addition programmed as
let rec add m n =
match m with
| Zero -> n
| Suc m -> Suc (add m n)
Of course, this would be a bad idea to use this type for heavy computations,
and int provides access to machine binary integers (and thus natural numbers),
which are much more efficient.

1.3.3 Abstract description. As indicated before, a type can be thought of as

a set of values. We would now like to briefly sketch a mathematical definition
of the set of values corresponding to inductive types.
Suppose fixed a set U, which we can think of as the set of all possible values
an OCaml program can manipulate. We write P(U) for the powerset of U,
i.e. the set of all subsets of U, which is ordered by inclusion. Any recursive
definition induces a function F : P(U) → P(U) sending a set X to the set
obtained by applying the constructors to the elements of X. For instance, with
the definition tree of section 1.3.1, the induced function is

F (X) = {Node(n,t1 ,t2 ) | n ∈ N and t1 , t2 ∈ X} ∪ {Leaf(n) | n ∈ N}

The set associated to tree is intuitively the smallest set X ⊆ U which is closed
under adding nodes and leaves, i.e. such that F (X) = X, provided that such a
set exists. Such a set X satisfying F (X) = X is called a fixpoint of F .
In order to be able to interpret the type of trees as the smallest fixpoint of F ,
we should first show that such a fixpoint indeed exists. A crucial observation in
order to do so is the fact that the function F : P(U) → P(U) is monotone, in
the sense that, for X, Y ∈ U,

X ⊆ Y implies F (X) ⊆ F (Y ).

Theorem 1.3.3.1 (Knaster-Tarski [Kna28, Tar55]). The set

\
fix(F ) = {X ∈ P(U) | F (X) ⊆ X}

is the least fixpoint of F : we have

F (fix(F )) = fix(F )
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 27

and, for every fixpoint X of F ,

fix(F ) ⊆ X

Proof. We write C = {X ∈ P(U) | F (X) ⊆ X} for the set of prefixpoints of F .

Given X ∈ C, we have \
fix(F ) = C⊆X (1.1)
and therefore, since F is increasing,

F (fix(F )) ⊆ F (X) ⊆ X (1.2)

Since this holds for any X ∈ C, we have

\
F (fix(F )) ⊆ C = fix(F ) (1.3)

Moreover, by monotonicity again, we have

F (F (fix(F ))) ⊆ F (fix(F ))

therefore, F (fix(F )) ∈ C, and thus by (1.1)

fix(F ) ⊆ F (fix(F )) (1.4)

From (1.3) and (1.4), we deduce that fix(F ) is a fixpoint of F . An arbitrary

fixpoint X of F necessarily belongs to C and, by (1.2), we have

fix(F ) = F (fix(F )) ⊆ X

fix(F ) is thus the smallest fixpoint of F .

Remark 1.3.3.2. The attentive reader will have noticed that all we really used in
the course of the proof was the fact that P(U) equipped with ∩ is a semilattice
with ∅ as smallest element. Under the more subtle hypothesis of the Kleene
fixpoint theorem (P(U) is a directed complete partial order and F is Scott-
continuous), one can even show that
[
fix(F ) = F n (∅)
n∈N

i.e. the fixpoint can be obtained by iterating F from the empty set. In the case
of trees,

F 0 (∅) = ∅
F 1 (∅) = {Leaf(n) | n ∈ N}
F 2 (∅) = {Leaf(n) | n ∈ N} ∪ {Nodes(n,t1 ,t2 ) | n ∈ N and t1 , t2 ∈ F 1 (∅)}

and more generally, F n (∅) is the set of trees of height strictly below n. The
theorem states that any tree is a tree of some (finite) height.
Remark 1.3.3.3. In general, there are multiple fixpoints. For instance, for the
function F corresponding to trees, the set of all “trees” where we allow to have
an infinite number of nodes is also a fixpoint of F .
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 28

As a direct corollary of theorem 1.3.3.1, we obtain the following induction prin-

ciple:
Corollary 1.3.3.4. Given a set X such that F (X) ⊆ X, we have fix(F ) ⊆ X.
Example 1.3.3.5. With the type nat of natural numbers, we have

F (X) = {Zero} ∪ {Suc(n) | n ∈ X}

We have

fix(F ) = {Sucn (Zero) | n ∈ N} = {Zero, Suc(Zero), Suc(Suc(Zero)), . . .}

In the following, we write 0 (resp. S n) instead of Zero (resp. Succ(n)), and

fix(F ) = N. The induction principle states that if X contains 0 and is closed
under successor then it contains all natural numbers. Given a property P (n)
on natural numbers, consider the set

X = {n ∈ N | P (n)}

The requirement F (X) ⊆ X translates as P (0) holds and P (n) implies P (S n).
The induction principle, is thus the classical recurrence principle:

P (0) ⇒ (∀n ∈ N.P (n) ⇒ P (S n)) ⇒ (∀n ∈ N.P (n))

Example 1.3.3.6. Consider the type empty. We have F (X) = ∅ and thus
fix(F ) = ∅. The induction principle states that any property is necessarily
valid on all the elements of the empty set:

∀x ∈ ∅.P (x)

Exercise 1.3.3.7. Define the function F associated to the type of lists. Show that
it also has a greatest fixpoint, distinct from the smallest fixpoint, and provide
concrete description of it.

1.3.4 Option types and exceptions. Another quite useful recursive type
defined in the standard library is the option type
type 'a option =
| Some of 'a
| None
A value of this type is either of the form Some x for some x of type ’a or None.
It can be thought of as the type ’a extended with the default value None and
can be used for functions which normally return a value excepting in some cases
(in other languages such as C or Java, one would return a NULL pointer in this
case). For instance, the function returning the head of a list is almost always
defined, excepting when the argument is the empty list. It thus makes sense to
implement it as the function of type 'a list -> 'a option defined by
let hd l =
match l with
| x::l -> Some x
| [] -> None
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 29

It is however quite cumbersome to use because each time we want to use the
result of this function, we have to match it in order to decide whether the result
is None or not. For instance, in order to double the head of a list l of integers
known to be non-empty, we still have to write something like
match head l with
| Some n -> 2*n
| None -> 0 (* This case cannot happen *)

See figure 1.2 for a more representative example.

Exceptions. In order to address this, OCaml provides the mechanism of excep-

tions, which are kinds of errors that can be raised and catched. For instance,
in the standard library, the exception Not_found is defined by
exception Not_found
and the head function by
let hd l =
match l with
| x::l -> x
| [] -> raise Not_found
It now has type 'a list -> 'a, meaning that we can write

2 * (hd l)
to double the head of a list l. In the case where we take the head of the empty
list, the exception Not_found is raised. We can catch it with the following
construction if we need:
try
...
with
| Not_found -> ...

1.4 The typing system

We have already explained in section 1.1.3 that OCaml is a strongly typed
language. We detail here some of the advantages and properties of such a
typing system.

1.4.1 Usefulness of typing. One of the main advantages of typed languages

is that typing ensures their safety: if the program passes the typechecking phase,
we are guaranteed that we will not have errors at execution because unexpected
data is provided to a function, see section 1.4.3. But there are other advantages
too.
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 30

Documentation. Knowing the type of a function is very useful for documenting

it: from the type we can generally deduce the order of the arguments of the
functions, what it is returning and so on. For instance, the function Queue.add
of the module implementing queues in OCaml has type
'a -> 'a queue -> unit
This allows us to conclude that the function takes two arguments: the first
argument must be the element we want to add and the second one the queue in
which we want to add it. Finally, the function does not return anything (to be
more precise it returns the only value of the type unit): this must mean that
the structure of queue is modified in place (otherwise, we would have had the
modified queue as return value).

Abstraction. Having a typing system is also good for abstraction: we can use a
data structure without knowing the details of implementation or even having
access to them. Taking the Queue.add function as example again, we only know
that the second argument is of type 'a queue, without any more details on
this type. This means that we cannot mess up with the internals of the data
structure, and that the implementation of queues can be radically modified
without us having to change our code.

Efficiency. Static typing can also be used to improve efficiency of compiled pro-
grams. Namely, since we know in advance the type of the values we are going to
handle, our code can be specific to the corresponding data structure, and avoid
performing some security checks. For instance, in OCaml, the concatenation
function on strings can simply put the two strings together; in contrast, in a
dynamically typed programming language such as Python, the concatenation
function on strings has first to ensure that the arguments are strings, if they are
not we will try to convert them as strings, and then we can put them together.

1.4.2 Properties of typing. There are various flavors of typing systems.

Dynamic vs static. The types of programs can either be checked during the ex-
ecution (the typing is dynamic) or during the compilation (the typing is static),
OCaml is using the latter. Static typing has many advantages: potential er-
rors are found very early, without having to perform tests, it can help to op-
timize programs, and provides very strong guarantees on the execution of the
program. The dynamic approach also has some advantages though: the code is
more flexible, the runtime can automatically perform conversions between types
if necessary, etc.

Weak vs strong. The typing system of OCaml is strong which means that it
ensures that the values in a type are actually of that type: there is no implicit
or dynamic type conversion, no NULL pointers, no explicit manipulation of
pointers, and so on. By opposition, when those requirements are not met, the
typing system is said to be weak.
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 31

Decidability of typing. A basic requirement of a typing system is that we should

be able to decide whether a given term has a given type, i.e. we should have a
type checking algorithm. For OCaml (and all decent programming languages)
this is the case, and type checking is performed during each compilation of a
program.

Type inference. It is often cumbersome to have to specify to write the type of

all the terms (or even to give many type annotations). In OCaml, the compiler
performs type inference, which means that it automatically generates a type for
the program, when there is one.

Polymorphism. The types in OCaml are polymorphic which means that they
can contain universally quantified variables. For instance, the identity function
let id x = x

has the type 'a -> 'a, which can also be read as the universally quantified type
∀A.A → A. This means that we can substitute ’a for any type and still get a
valid type for the identity.

Principal types. A program can admit multiple types. For instance, the identity
function admits the following types
'a -> 'a or int -> int or ('a -> 'b) -> ('a -> 'b)
and infinitely many others. The first one 'a -> 'a is however “more general”
than the others because all the other types can be obtained by substituting 'a
by some type. Such a most general type is called a principal type. The type
inference of OCaml has the property that it always generates a principal type.

1.4.3 Safety. The programs which are well-typed in OCaml are safe in the
sense that types are preserved during execution and programs do not get stuck.
In order to formalize these properties, we first need to introduce a notion of
reduction, which formalizes the way programs are executed. We will first do this
on a very small (but representative) subset of the language. Most of the concepts
used here, such as reduction or typing derivation, will be further detailed in
subsequent chapters.

A small language. We first introduce a small programming language, which can

be considered as a very restricted subset of OCaml, that we will implement in
OCaml itself. In this language, the values are either integers or booleans, and
can be encoded as
type value =
| Int of int
| Bool of bool
We define a program as being either a value, an addition (p + p’), a comparison
of integers (p < p’), or a conditional branching (if p then p’ else p”):
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 32

n1 + n2 −→ n1 + n2

p1 −→ p01 p2 −→ p02
p1 + p2 −→ p01 + p2 p1 + p2 −→ p1 + p02

n1 < n2 n1 > n2
n1 < n2 −→ true n1 < n2 −→ false

p1 −→ p01 p2 −→ p02
p1 < p2 −→ p01 < p2 p1 < p2 −→ p1 < p02

if true then p1 else p2 −→ p1 if false then p1 else p2 −→ p2

p −→ p0
if p then p1 else p2 −→ if p0 then p1 else p2

Figure 1.1: Reduction rules.

type prog =
| Val of value
| Add of prog * prog
| Lt of prog * prog
| If of prog * prog * prog
A typical program would thus be

if 3 < 2 then 5 else 1 (1.5)

which would be encoded as the term

If (Lt (Int 3 , Int 2) , Int 5 , Int 1)

Reduction. Given programs p and p0 , we write p −→ p0 when p reduces to p0 .

This reduction relation is defined as the smallest one such that, for each of
the rules listed in figure 1.1, if the relation above the horizontal bar holds, the
relation below it also holds. In these rules, we write ni to denote an arbitrary
integer and the first rule indicates that the formal sum of two integers reduces
to their sum (e.g. 3 + 2 −→ 5).
An implementation of the reduction in OCaml is given in figure 1.2: given a
program p, the function red either returns Some p0 if there exists a program p0
with p −→ p0 or None otherwise. Note that the reduction is not deterministic,
i.e. a program can reduce to distinct programs:

5 + (5 + 4) ←− (3 + 2) + (5 + 4) −→ (3 + 2) + 9

The implementation provided in figure 1.2 chooses a particular reduction when

there are multiple possibilities: we say that it implements a reduction strategy.
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 33

(** Perform one reduction step. *)

let rec red : prog -> prog option = function
| Bool _ | Int _ -> None
| Add (Int n1 , Int n2) -> Some (Int (n1 + n2))
| Add (p1 , p2) ->
(
match red p1 with
| Some p1' -> Some (Add (p1' , p2))
| None ->
match red p2 with
| Some p2' -> Some (Add (p1 , p2'))
| None -> None
)
| Lt (Int n1 , Int n2) -> Some (Bool (n1 < n2))
| Lt (p1 , p2) ->
(
match red p1 with
| Some p1' -> Some (Lt (p1' , p2))
| None ->
match red p2 with
| Some p2' -> Some (Lt (p1 , p2'))
| None -> None
)
| If (Bool true , p1 , p2) -> Some p1
| If (Bool false , p1 , p2) -> Some p2
| If (p , p1 , p2) ->
match red p with
| Some p' -> Some (If (p' , p1 , p2))
| None -> None

Figure 1.2: Implementation of the reduction.

CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 34

` n : int ` b : bool

` p1 : int ` p2 : int ` p1 : int ` p2 : int

` p1 + p2 : int ` p1 < p2 : bool

` p : bool ` p1 : A ` p2 : A
` if p then p1 else p2 : A

Figure 1.3: Typing rules.

A program is irreducible when it does not reduce to another program. It can

be remarked that
– values are irreducible,
– there are irreducible programs which are not values, e.g. 3 + true.

In the second case, the reason why the program 3 + true cannot be further
reduced is that an unexpected value was provided to the sum: we were hoping
for an integer instead of the value true. We will see that the typing system
precisely prevents such situations from arising.

Typing. A type in our language is either an integer (int) or a boolean (bool),

which can be represented by the type
type t = TInt | TBool

We write ` p : A to indicate that the program p has the type A and call it a
typing judgment. This relation is defined inductively by the rules of figure 1.3.
This means that a program p has type A when ` p : A can be derived using the
above rules. For instance, the program (1.5) has type int:

` 3 : int ` 2 : int
` 3 < 2 : bool ` 5 : int ` 1 : int
` if 3 < 2 then 5 else 1 : int

Such a tree showing that a typing judgment is derivable is called a derivation

tree. The principle of type checking and type inference algorithms of OCaml
is to try to construct such a derivation of a typing judgment, using the above
rules. In our small toy language, this is quite easy and presented in figure 1.4.
For a language with much more features as OCaml (we have functions and
polymorphism, not to mention objects or generalized algebraic data types) this
is much more subtle, but still follows the same general principle.
It can be observed that a term can have at most one type. We can thus
speak of the type of a typable program:
Theorem 1.4.3.1 (Uniqueness of types). Given a program p, if p is both of
types A and A0 then A = A0 .
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 35

exception Type_error

(** Infer the type of a program. *)

let rec infer = function
| Bool _ -> TBool
| Int _ -> TInt
| Add (p1 , p2) ->
check p1 TInt;
check p2 TInt;
TInt
| Lt (p1 , p2) ->
check p1 TInt;
check p2 TInt;
TBool
| If (p , p1 , p2) ->
check p TBool;
let t = infer p1 in
check p2 t;
t

(** Check that a program has a given type. *)

and check p t =
if infer p <> t then raise Type_error

Figure 1.4: Type inference and type checking.

CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 36

Proof. By induction on p: depending on the form of p, at most one rule applies.

For instance, if p is of the form if p0 then p1 else p2 , the only rule which
allows typing p is

` p0 : bool ` p1 : A ` p2 : A
` if p0 then p1 else p2 : A

Since p1 and p2 admit at most one type A by induction hypothesis, p also does.
Other cases are similar.

As explained in section 1.4.2, full-fledged languages such as OCaml do not gen-

erally satisfy such a strong property. The type of a program is not generally
unique, but in good typing systems there exists instead a type which is “the
most general”.

Safety. We are now ready to formally state the safety properties ensured for
typed programs. The first one, called subject reduction, states that the reduction
preserves typing:
Theorem 1.4.3.2 (Subject reduction). Given programs p and p0 such that p −→ p0 ,
if p has type A then p0 also has type A.
Proof. By hypothesis, we have both a derivation of p −→ p0 and ` p : A. We
reason by induction on the former. For instance, suppose that the last rule is

p1 −→ p01
p1 + p2 −→ p01 + p2

The derivation of ` p : A necessarily ends with

` p1 : int ` p2 : int
` p1 + p2 : int

In particular, we have ` p1 : int and thus, by induction hypothesis, ` p01 : int

is derivable. We conclude using the derivation

` p01 : int ` p2 : int

` p1 + p2 : int
0

Other cases are similar.

The second important property is called progress, and states that the program
is either a value or reduces.
Theorem 1.4.3.3 (Progress). Given a program p of type A, either p is a value or
there exists a program p0 such that p −→ p0 .

Proof. By induction on the derivation of ` p : A. For instance, suppose that

the last rule is
` p1 : int ` p2 : int
` p1 + p2 : int
By induction hypothesis, the following cases can happen:
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 37

– p1 −→ p01 : in this case, we have p1 + p2 −→ p01 + p2 ,

– p2 −→ p02 : in this case, we have p1 + p2 −→ p1 + p02 ,

– p1 and p2 are values: in this case, they are necessarily integers and p1 + p2
reduces to their sum.
Other cases are similar.
The safety property finally states that typable programs never encounter errors,
in the sense that their execution is never stuck: typically, we will never try to
evaluate a program such as 3 + true during the reduction.
Theorem 1.4.3.4 (Safety). A program p of type A is safe: either
– p reduces to a value v in finitely many steps

p −→ p1 −→ p2 −→ · · · −→ pn −→ v

– or p loops: there is an infinite sequence of reductions

p −→ p1 −→ p2 −→ · · ·

Proof. Consider a maximal sequence of reductions from p. If this sequence is

finite, by maximality, its last element p0 is an irreducible program. Since p is of
type A and reduces to p0 , by the subject reduction theorem 1.4.3.2 p0 also has
type A. We can thus apply the progress theorem 1.4.3.3 and deduce that either
p0 is a value or there exists p00 such that p0 −→ p00 . The second case is impossible
since it would contradict the maximality of the sequence of reductions.

Of course, in our small language, a program cannot give rise to an infinite

sequence of reductions, but the formulation and proof of previous theorem will
generalize to languages in which this is not the case. The previous properties of
subject reduction and progress are entirely formalized in section 7.1.

Limitations of typing. The typing systems (such as the one described above or
the one of OCaml) reject legit programs such as
(if true then 3 else false) + 1

which reduces to a value. Namely, the system imposes that the two branches
of a conditional branching should have the same type, which is not the case
here, even though we know that only the first branch will be taken, because the
condition is the constant boolean true. We thus ensure that typable programs
are safe, but not that all safe programs are typable. In fact, this has to be this
way since an easy reduction to the halting problem shows that the safety of
programs is undecidable as soon as the language is rich enough.
Also, the typing system does not prevent all errors from occurring during
the execution, such as dividing by zero or accessing an array out of its bounds.
This is because the typing system is not expressive enough. For instance, the
function

let f x = 1 / (x - 2)
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 38

should intuitively be given the type

{n : int | n 6= 2} → int

which states this function is correct as long as its input is an integer different
from 2, but this is of course not a valid type in OCaml. We will see in chapters 6
and 8 that some languages do allow such rich typing, at the cost of losing type
inference (but type checking is still decidable).

1.5 Typing as proving

We would now like to give the intuition for the main idea of this course, that
programs correspond to proofs. Understanding in details this correspondence
will allow us to design very rich typing systems which allow to formally prove
fine theorems and reason about programs.

1.5.1 Arrow as implication. As a first illustration of this, we will see here

that simple types (such as the ones used in OCaml) can be read as propositional
formulas. The translation is simply a matter of slightly changing the way we
read types: a type variable ’a can be read as a propositional variable A and the
arrow -> can be read as an implication ⇒. Now, we can observe that there is a
program of a given type (in a reasonable subset of OCaml, see below) precisely
when the corresponding formula is true (for a reasonable notion of true formula).
For instance, we expect that the formula

A⇒A corresponding to the type ’a -> ’a

is provable. And indeed, there is a program of this type, the identity:

let id : 'a -> 'a = fun x -> x
We have specified here the type of this function for clarity. We can give many
other such examples. For instance, A ⇒ B ⇒ A is proved by
let k : 'a -> 'b -> 'a = fun x y -> x
The formula (A ⇒ B) ⇒ (B ⇒ C) ⇒ (A ⇒ C) can be proved by the composi-
tion
let comp : ('a -> 'b) -> ('b -> 'c) -> ('a -> 'c) =
fun f g x -> g (f x)
The formula (A ⇒ B ⇒ C) ⇒ (A ⇒ B) ⇒ (A ⇒ C) is proved by
let s : ('a -> 'b -> 'c) -> ('a -> 'b) -> ('a -> 'c) =
fun f g x -> f x (g x)
and so on.
Remark 1.5.1.1. In general, there is not a unique proof of a given formula. For
instance, A ⇒ A can also be proved by
fun x -> k x 3
where k is the function defined above.
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 39

1.5.2 Other connectives. For now, the fragment of the logic we have is very
poor (we only have implication as connective), but other usual connectives also
have counterparts in types.

Conjunction. A conjunction proposition A ∧ B means that both A and B hold.

In terms of types, the counterpart is a product:

A∧B corresponds to ’a * ’b

and we have programs implementing usual propositions such as A ∧ B ⇒ A:

let proj1 : ('a * 'b) -> 'a = fun (a , b) -> a

or the commutativity of conjunction A ∧ B ⇒ B ∧ A:

let comm : ('a * 'b) -> ('b * 'a) = fun (a , b) -> b , a

Truth. The formula > corresponding to truth is always provable and we expect
that there is exactly one reason for which it should be true. Thus

> corresponds to unit

and we can prove A ⇒ >:

let unit_intro : 'a -> unit = fun x -> ()

Falsity. The formula ⊥ corresponds to falsity and we do not expect that it can
be proved (because false is never true). We can make it correspond to the empty
type, which can be defined as a type with no constructor:
type empty = |
The formula ⊥ ⇒ A is then shown by

let empty_elim : empty -> 'a = fun x -> match x with _ -> .
(the “.” is a “refutation case” meaning that the compiler should ensure that
this case should never happen, it is almost never used in OCaml unless you are
doing tricky stuff such as the above).

Negation. The negation can then be defined as usual by ¬A being a notation

for A ⇒ ⊥, and we can prove the reasoning by contraposition

(A ⇒ B) ⇒ (¬B ⇒ ¬A)

by
let contr : ('a -> 'b) -> (('b -> empty) -> ('a -> empty)) =
fun f g a -> g (f a)
or A ⇒ ¬¬A by

let nni : 'a -> (('a -> empty) -> empty) = fun a f -> f a
CHAPTER 1. TYPED FUNCTIONAL PROGRAMMING 40

Disjunction. A disjunction formula A ∨ B can be thought of as being either A

or B. We can implement it as a coproduct type, which is an inductive type
being either a ’a or a ’b, see section 1.3.2:
type ('a , 'b) coprod = Left of 'a | Right of 'b
We can then prove the formula A ∨ B ⇒ B ∨ A, stating that disjunction is
commutative, by
let comm : ('a , 'b) coprod -> ('b , 'a) coprod = fun x ->
match x with
| Left a -> Right a
| Right b -> Left b
or the distributivity A ∧ (B ∨ C) ⇒ (A ∧ B) ∨ (A ∧ C) of conjunction over
disjunction by
let dist : ('a * ('b , 'c) coprod) -> ('a * 'b , 'a * 'c) coprod =
fun (a , x) ->
match x with
| Left b -> Left (a , b)
| Right c -> Right (a , c)
or the de Morgan formula (¬A ∨ B) ⇒ (A ⇒ B) by
let de_Mogan : ('a -> empty, 'b) coprod -> ('a -> 'b) = fun x a ->
match x with
| Left f -> empty_elim (f a)
| Right b -> b

1.5.3 Limitations of the correspondence. This correspondence has some

limitations due to the fact that OCaml is, after all, a language designed to do
programming, not logic. It is easy to prove formulas which are not true if we
use “advanced” features of the language such as exceptions. For instance, the
following “proves” A ⇒ B:
let absurd : 'a -> 'b = fun x -> raise Not_found
More annoying counter-examples come from functions which are not terminating
(i.e. looping). For instance, we can also “prove” A ⇒ B by
let rec absurd : 'a -> 'b = fun x -> absurd x
Note that, in particular, both allow to “prove” ⊥:
let fake : empty = absurd ()
Finally, we can notice that there does not seem to be any reasonable way to
implement the classical formula ¬A ∨ A (apart from using the above tricks),
which would correspond to a program of the type
('a -> empty , 'a) coprod
In next chapters, we will see that it is indeed possible to design languages in
which a formula is provable precisely when there is a program of the corre-
sponding type. Such languages do not have functions with “side-effects” (such
as raising an exception) and enforce that all the programs are terminating.
 Chapter 2

Propositional logic

In this chapter, we present propositional logic: this is the fragment of logic

consisting of propositions (very roughly, something which can either be true or
false) joined by connectives. We will see various ways of formalizing the proofs
in propositional logic – with a particular focus on natural deduction – and study
the properties of those. We begin with the formalism of natural deduction in
section 2.2, show that it enjoys the cut elimination property in section 2.3 and
discuss strategies for searching for proofs in section 2.4. The classical variant
of logic is presented in section 2.5. We then present two alternative logical
formalisms: sequent calculus (section 2.6) and Hilbert calculus (section 2.7).
Finally, we introduce Kripke semantics in section 2.8, which can be considered
as an intuitionistic counterpart of boolean models for classical logic.

2.1 Introduction
2.1.1 From provability to proofs. Most of you are acquainted with boolean
logic based on the booleans, which we write here 0 for false, and 1 for true.
In this setting, every propositional formula can be interpreted as a boolean,
provided that we have an interpretation for the variables. The truth tables for
usual connectives are
A∧B 0 1 A∨B 0 1 A⇒B 0 1
0 0 0 0 0 1 0 1 1
1 0 1 1 1 1 1 0 1
For instance, we know that the formula A ⇒ A is valid because, for whichever
interpretation of A as a boolean, the induced interpretation of the formula is 1.
We have this idea that propositions should correspond to types. Therefore,
rather than booleans, propositions should be interpreted as sets of values and
implications as functions between the corresponding values. For instance, if
we write N for a proposition interpreted as the set of natural numbers, the
type N ⇒ N would correspond to the set of functions from natural numbers to
themselves. We now see that the boolean interpretation is very weak: it only
cares about whether sets are empty or not. For instance, depending on whether
X is empty (∅) or non-empty (¬∅), the following table indicates whether the set
X → X of functions from X to X is empty or not:
A→B ∅ ¬∅
∅ ¬∅ ¬∅
¬∅ ∅ ¬∅

Reading ∅ as “false” and ¬∅ as “true”, we see that we recover the usual truth
table for implication. In this sense, the fact that the formula N ⇒ N is true only
shows that there exists such a function, but in fact there are many such func-
tions, and we would be able to reason about the various functions themselves.
CHAPTER 2. PROPOSITIONAL LOGIC 42

Actually, the interpretation of implications as sets of functions, is still not

entirely satisfactory because, given a function of type N → N, there are many
ways to implement it. We could have programs of different complexities, using
their arguments in different ways, and so on. For instance, the constant function
x 7→ 0 can be implemented as
let f x = 0
or
let f x = x - x
or
let rec f x = if x = 0 then x else f (x - 1)
respectively in constant, linear and exponential complexity (if natural numbers
are coded in binary). We thus want to shift from an extensional perspective,
where two functions are equal when they have the same values on the same
inputs, to an intentional one where the way the result is computed matters.
This means that we should be serious about what is a program, or equivalently
a proof, and define it precisely so that we can reason about the proofs of a
proposition instead of its provability: we want to know what the proofs are
and not only whether there exist one or not. This is the reason why Girard
advocates that there are three levels for interpreting proofs [Gir11, section 7.1]:
0. the boolean level: propositions are interpreted as booleans and we are
interested in whether a proposition is provable or not,
1. the extensional level: propositions are interpreted as sets and we are in-
terested in which functions can be implemented,
2. the intentional level: we are interested in the proofs themselves (and how
they evolve via cut elimination).

2.1.2 Intuitionism. This shift from provability to proofs, was started by the
philosophical position of Brouwer starting from the early twentieth century,
called intuitionism. According to this point of view, mathematics do not con-
sist in discovering the properties of a preexisting objective reality, but is rather
a mental subjective construction, which is independent of the reality and has
an existence on its own, whose validity follows from the intuition of the mathe-
matician. From this point of view
– the conjunction A ∧ B of two propositions should be seen as having both
a proof of A and a proof of B: if we interpret propositions as sets, A ∧ B
should not be interpreted as the intersection A ∩ B, but rather are the
product A × B,
– a disjunction A∨B should be interpreted as having a proof of A or a proof
of B, i.e. it does not correspond to the union A ∪ B, but rather to the
disjoint union A t B,
– an implication A ⇒ B should be interpreted as having a way to construct
a proof of B from a proof of A,
CHAPTER 2. PROPOSITIONAL LOGIC 43

– a negation ¬A = A ⇒ ⊥ should be interpreted as having a counter-

example to A, i.e. a way to produce an absurdity from a proof of A.
Interestingly, this lead Brouwer to reject principles which are classically valid.
For instance, according to this point of view ¬¬A should not be considered as
equivalent to A because the implication

¬¬A ⇒ A

should not hold: if we can show that there is no counter-example to A, this

does not mean that we actually have a proof of A. For instance, suppose that
I cannot find my key inside my apartment and my door is locked: I must have
locked my door so that I know that my key is somewhere in the apartment and
it is not lost, but I still cannot find it. Not having lost my key (i.e. not not
having my key) does not mean that I have my key; otherwise said

¬¬Key ⇒ Key

does not hold (explanation borrowed from Ingo Blechschmidt). For similar
reasons, Brouwer also rejected the excluded middle

¬A ∨ A

given an arbitrary proposition A: in order to have a proof for it, we should

have a way, whichever the proposition A is, to produce a counter-example to it
or a proof of it. Logic rejecting these principles is called intuitionistic and, by
opposition, we speak of classical logic when they are admitted.

2.1.3 Formalizing proofs. Our goal is to give a precise definition of what a

proof is. This will be done by formalizing the rules using which we usually
construct our reasoning. For instance, suppose that we want to prove that the
function x 7→ 2 × x is continuous in 0: we have to prove the formula

∀ε.(ε > 0 ⇒ ∃η.(η > 0 ∧ ∀x.|x| < η ⇒ |2x| < ε))

This is done according to the following steps, resulting in the following trans-
formed formulas to be proved.
– Suppose given ε, we have to show:

ε > 0 ⇒ ∃η.(η > 0 ∧ ∀x.|x| < η ⇒ |2x| < ε)

– Suppose that ε > 0 holds, we have to show:

∃η.(η > 0 ∧ ∀x.|x| < η ⇒ |2x| < ε)

– Take η = ε/2, we have to show:

ε/2 > 0 ∧ ∀x.|x| < ε/2 ⇒ |2x| < ε

– We have to show both

ε/2 > 0 and ∀x.|x| < ε/2 ⇒ |2x| < ε

CHAPTER 2. PROPOSITIONAL LOGIC 44

– For ε/2 > 0:

– because 2 > 0, this amounts to show (ε/2) × 2 > 0 × 2,
– which, by usual identities, amounts to show ε > 0,
– which is an hypothesis.
– For ∀x.|x| < ε/2 ⇒ |2x| < ε:
– suppose given x, we have to show: |x| < ε/2 ⇒ |2x| < ε,
– suppose that |x| < ε/2 holds, we have to show: |2x| < ε,
– since 2 > 0, this amounts to show: |2x|/2 < ε/2,
– which, by usual identities, amounts to show: |x| < ε/2,
– which is an hypothesis.

Now that we have decomposed the proof is very small steps, it seems possible
to give a list of all the generic rules that we are allowed to apply in a reasoning.
We will do so and will introduce a convenient formalism and notations, so that
the above proof will be noted as:

ε > 0, |x| < ε/2 ` |x| < ε/2

ε > 0, |x| < ε/2 ` |2x|/2 < ε/2
ε>0`ε>0 ε > 0, |x| < ε/2 ` |2x| < ε
ε > 0 ` (ε/2) × 2 > 0 × 2 ε > 0 ` |x| < ε/2 ⇒ |2x| < ε
ε > 0 ` ε/2 > 0 ε > 0 ` ∀x.|x| < ε/2 ⇒ |2x| < ε
ε > 0 ` ε/2 > 0 ∧ ∀x.|x| < ε/2 ⇒ |2x| < ε
ε > 0 ` ∃η.(η > 0 ∧ ∀x.|x| < η ⇒ |2x| < ε)
` ε > 0 ⇒ ∃η.(η > 0 ∧ ∀x.|x| < η ⇒ |2x| < ε)
` ∀ε.(ε > 0 ⇒ ∃η.(η > 0 ∧ ∀x.|x| < η ⇒ |2x| < ε))

(when read from bottom to top, you should be able to see the precise corre-
spondence with the previous description of the proof).

2.1.4 Properties of logical system. Once we have formalized our logical sys-
tem we should do some sanity checks. The first requirement is that it should be
consistent: there is at least one formula A which is not provable (otherwise, the
system would be entirely pointless). The second requirement is that typecheck-
ing should be decidable: there should be an algorithm which checks whether a
proof is a valid proof or not. In contrast, the question of deciding whether a
formula is provable or not will not be decidable in general and we do not expect
to have an algorithm for that.

2.2 Natural deduction

Natural deduction is the first formalism for proofs that we will study. It was
introduced by Genzen [Gen35]. We first present the intuitionistic version.
CHAPTER 2. PROPOSITIONAL LOGIC 45

2.2.1 Formulas. We suppose fixed a countably infinite set X of propositional

variables. The set A of formulas or propositions is generated by the following
grammar
A, B ::= X | A ⇒ B | A ∧ B | > | A ∨ B | ⊥ | ¬A
where X denotes a propositional variable (in X ) and A and B denote propo-
sitions. They are respectively read as a propositional variable, implication,
conjunction, truth, disjunction, falsity and negation. By convention, ¬ binds
the most tightly, then ∧, then ∨, then ⇒:
¬A ∨ B ∧ C ⇒ D reads as ((¬A) ∨ (B ∧ C)) ⇒ D
Moreover, all binary connectives are implicitly bracketed on the right:
A1 ∧ A2 ∧ A3 ⇒ B ⇒ C reads as (A1 ∧ (A2 ∧ A3 )) ⇒ (B ⇒ C)
This is particularly important for ⇒, for the connectives ∧ and ∨ the other
convention could be chosen with almost no impact. We sometimes write A ⇔ B
for (A ⇒ B) ∧ (B ⇒ A).
A subformula of a formula A is a formula occurring in A. The set of subfor-
mulas of A can formally be defined by induction on A by
Sub(X) = {X} Sub(A ⇒ B) = {A ⇒ B} ∪ Sub(A) ∪ Sub(B)
Sub(>) = {>} Sub(A ∧ B) = {A ∧ B} ∪ Sub(A) ∪ Sub(B)
Sub(⊥) = {⊥} Sub(A ∨ B) = {A ∨ B} ∪ Sub(A) ∪ Sub(B)
Sub(¬A) = {¬A} ∪ Sub(A)

2.2.2 Sequents. A context

Γ = A1 , . . . , A n
is a list of propositions. A sequent, or judgment, is a pair
Γ`A
consisting of a context Γ and a variable A. Such a sequent should be read as
“under the hypothesis in Γ, I can prove A” or “supposing that I can prove the
propositions in Γ, I can prove A”. The comma in a context can thus be read
as a “meta” conjunction (the logical conjunction being ∧) and the sign ` as a
“meta” implication (the logical implication being ⇒).
Remark 2.2.2.1. The notation derives from Frege’s Begriffsschrift [Fre79], an
axiomatization of first-order logic based on a graphical notation, in which logical
connectives are noted by using wires of particular shapes: the formulas ¬A,
A ⇒ B and ∀x.A are respectively written
A A x A
B
In this system, given a proposition noted A , the notation A means
that A is provable. The assertion that (∀x.A) ⇒ (∃x.B) is provable would for
instance be written
x A
x B
(in classical logic, the formula ∃x.B is equivalent to ¬∀x.¬B). The symbol `
used in sequents, as well as the symbol ¬ for negation, originate from there.
CHAPTER 2. PROPOSITIONAL LOGIC 46

(ax)
Γ, A, Γ0 ` A

Γ`A⇒B Γ`A Γ, A ` B
(⇒E ) (⇒I )
Γ`B Γ`A⇒B

Γ`A∧B l Γ`A∧B r Γ`A Γ`B

(∧E ) (∧E ) (∧I )
Γ`A Γ`B Γ`A∧B

(>I )
Γ`>

Γ`A∨B Γ, A ` C Γ, B ` C Γ`A Γ`B

(∨E ) (∨l ) (∨r )
Γ`C Γ`A∨B I Γ`A∨B I

Γ`⊥
(⊥E )
Γ`A

Γ ` ¬A Γ`A Γ, A ` ⊥
(¬E ) (¬I )
Γ`⊥ Γ ` ¬A

Figure 2.1: NJ: rules of intuitionistic natural deduction.

2.2.3 Inference rules. An inference rule, noted

Γ 1 ` A1 ... Γn ` An
(2.1)
Γ`A

consists of n sequents Γi ` Ai , called the premises of the rule, and a sequent

Γ ` A, called the conclusion of the rule. We sometimes identify the rules by a
name given to them, which is written on the right of the rule. Some rules also
come with external hypothesis on the formulas occurring in the premises: those
are called side conditions. There are two ways to read an inference rule:
– the deductive way, from top to bottom: from a proof for each of the
premises Γi ` Ai we can deduce Γ ` A,
– the inductive or proof search way, from bottom to top: if we want to prove
Γ ` A we need to prove all the premises Γi ` Ai .
Both are valid ways of thinking about proofs, but one might be more natural
than the other one depending on the application.

2.2.4 Intuitionistic natural deduction. The rules for intuitionistic natural

deductions are shown in figure 2.1, the resulting system often being called NJ (N
for natural deduction and J for intuitionistic). Apart from the axiom rule (ax),
each rule is specific to a connective and the rules can be classified in two fam-
ilies depending on whether this connective appears in the conclusion or in the
premises:
CHAPTER 2. PROPOSITIONAL LOGIC 47

– the elimination rules allow the use of a formula with a given connec-
tive (which is in the formula in the leftmost premise, called the principal
premise),
– the introduction rules construct a formula with a given connective.
In figure 2.1, the elimination (resp. introduction) rules are figured on the left
(resp. right) and bear names of the form (. . .E ) (resp. (. . .I )).
The axiom rule allows the use of a formula in the context Γ: supposing that
a formula A holds, we can certainly prove it. This rule is the only one to really
make use of the context: when read from the bottom to top, all the other rules
either propagate the context or add hypothesis to it, but never inspect it.
The introduction rules are the most easy to understand: they allow proving
a formula with a given logical connective from the proofs of the immediate
subformulas. For instance, (∧I ) states that from a proof of A and a proof of B,
we can construct a proof of A ∧ B. Similarly, the rule (⇒I ) follows the usual
reasoning principle for implication: if, after supposing that A holds, we can
show B, then A ⇒ B holds.
In contrast, the elimination rules allow the use of a connective. For instance,
the rule (⇒E ), which is traditionally called modus ponens or detachment rule,
says that if A implies B and A holds then certainly B must hold. The rule
(∨E ) is more subtle and corresponds to a case analysis: if we can prove A ∨ B
then, intuitively, we can prove A or we can prove B. If in both cases we can
deduce C then C must hold. The elimination rule (⊥E ) is sometimes called ex
falso quodlibet or the explosion principle: it states that if we can prove false
then the whole logic collapses, and we can prove anything.
We can notice that there is no elimination rule for > (knowing that > is
true does not bring any new information), and no introduction rule for ⊥ (we
do not expect that there is a way to prove falsity). There are two elimination
rules for ∧ which are respectively called left and right rules, and similarly there
are two introduction rules for ∨.

2.2.5 Proofs. The set of proofs (or derivations) is the smallest set such that
given proofs πi of the sequent Γi ` Ai , for 1 6 i 6 n, and an inference rule of
the form (2.1) there is a proof of Γ ` A, often noted in the form of a tree as

π1 πn
...
Γ 1 ` A1 Γ n ` An
Γ`A

A sequent Γ ` A is provable (or derivable) when it is the conclusion of a proof.

A formula A is provable when it is provable without hypothesis, i.e. when the
sequent ` A is provable.
Example 2.2.5.1. The formula (A∧B) ⇒ (A∨B) is provable (for any formulas A
and B):
(ax)
A∧B `A∧B
(∧E )
A∧B `A
(∨lI )
A∧B `A∨B
(⇒I )
`A∧B ⇒A∨B
CHAPTER 2. PROPOSITIONAL LOGIC 48

Example 2.2.5.2. The formula (A ∨ B) ⇒ (B ∨ A) is provable:

(ax) (ax)
A ∨ B, A ` A A ∨ B, B ` B
(ax) (∨rI ) (∨lI )
A∨B `A∨B A ∨ B, A ` B ∨ A A ∨ B, B ` B ∨ A
(∨E )
A∨B `B∨A
(⇒I )
`A∨B ⇒B∨A

Example 2.2.5.3. The formula A ⇒ ¬¬A is provable:

(ax) (ax)
A, ¬A ` ¬A A, ¬A ` A
(¬E )
A, ¬A ` ⊥
(¬I )
A ` ¬¬A
(⇒I )
` A ⇒ ¬¬A

Example 2.2.5.4. The formula (A ⇒ B) ⇒ (¬B ⇒ ¬A) is provable:

(ax) (ax)
A ⇒ B, ¬B, A ` A ⇒ B A ⇒ B, ¬B, A ` A
(ax) (⇒E )
A ⇒ B, ¬B, A ` ¬B A ⇒ B, ¬B, A ` B
(¬E )
A ⇒ B, ¬B, A ` ⊥
(¬I )
A ⇒ B, ¬B ` ¬A
(⇒I )
A ⇒ B ` ¬B ⇒ ¬A
(⇒I )
` (A ⇒ B) ⇒ ¬B ⇒ ¬A

Example 2.2.5.5. The formula (¬A ∨ B) ⇒ (A ⇒ B) is provable:

(ax) (ax)
¬A ∨ B, A, ¬A ` ¬A ¬A ∨ B, A, ¬A ` A
(ax) (¬E ) (ax)
¬A ∨ B, A ` ¬A ∨ B ¬A ∨ B, A, ¬A ` B ¬A ∨ B, A, B ` B
(∨E )
¬A ∨ B, A ` B
(⇒I )
¬A ∨ B ` A ⇒ B
(⇒I )
` (¬A ∨ B) ⇒ (A ⇒ B)

Other typical provable formulas are

– ∧ and > satisfy the axioms of idempotent commutative monoids:

(A ∧ B) ∧ C ⇔ A ∧ (B ∧ C) A∧B ⇔B∧A
>∧A⇔A⇔A∧> A∧A⇔A

– ∨ and ⊥ satisfy the axioms of commutative monoids

– ∧ distributes over ∨ and conversely:

A ∧ (B ∨ C) ⇔ (A ∧ B) ∨ (A ∧ C)
A ∨ (B ∧ C) ⇔ (A ∨ B) ∧ (A ∨ C)

– ⇒ is reflexive and transitive

A⇒A (A ⇒ B) ⇒ (B ⇒ C) ⇒ (A ⇒ C)

– curryfication:
((A ∧ B) ⇒ C) ⇔ (A ⇒ (B ⇒ C))
CHAPTER 2. PROPOSITIONAL LOGIC 49

– usual reasoning structures with latin names, such as

(A ⇒ B) ⇒ (¬B ⇒ ¬A) (modus tollens)
(A ∨ B) ⇒ (¬A ⇒ B) (modus tollendo ponens)
¬(A ∧ B) ⇒ (A ⇒ ¬B) (modus ponendo tolens)

Reasoning on proofs. In this formalism, the proofs are defined inductively and
therefore we can reason by induction on them, which is often useful. Precisely,
the induction principle on proofs is the following one:
Theorem 2.2.5.6 (Induction on proofs). Suppose given a predicate P (π) on
proofs π. Suppose moreover that for every rule of figure 2.1 and every proof π
ending with this rule
π1 πn
...
Γ 1 ` A1 Γn ` An
π =
Γ`A
if P (πi ) holds for every index i, with 1 6 i 6 n, then P (π) also holds. Then
P (π) holds for every proof π.

2.2.6 Fragments. A fragment of intuitionistic logic is a system obtained by

restricting to formulas containing certain connectives and rules concerning these
connectives. By convention, the axiom rule (ax) is present in every fragment.
For instance, the implicational fragment of intuitionistic logic is obtained by
restricting to implication: formulas are generated by the grammar
A, B ::= X | A ⇒ B
and the rules are
Γ`A⇒B Γ`A Γ, A ` B
0 (ax) (⇒E ) (⇒I )
Γ, A, Γ ` A Γ`B Γ`A⇒B
The cartesian fragment is obtained by restricting to product and implication.
Another useful fragment is minimal logic obtained by considering formulas with-
out ⊥, and thus removing the rule (⊥E ).

2.2.7 Admissible rules. A rule is admissible when, whenever the premises are
provable, the conclusion is also provable. An important point here is that the
way the proof of the conclusion is constructed might depend on the proofs of the
premises, and not only on the fact that we know that the premises are provable.

Structural rules. We begin by showing that the structural rules are admissible.
Those rules are named in this way because they concern the structure of the
logical proofs, as opposed to the particular connectives we are considering for
formulas. They express some resource management possibilities for the hypoth-
esis in sequents: we can permute, merge and weaken them, see section 2.2.10.
A first admissible rule is the weakening rule, which states that whenever
one can prove a formula with some hypothesis, we can still prove it with more
hypothesis. The proof with more hypothesis is “weaker” in the sense that it
apply in less cases (since more hypothesis have to be satisfied).
CHAPTER 2. PROPOSITIONAL LOGIC 50

Proposition 2.2.7.1 (Weakening). The weakening rule

Γ, Γ0 ` B
(wk)
Γ, A, Γ0 ` B

is admissible.
Proof. By induction on the proof of the hypothesis Γ, Γ0 ` B.
– If the proof is of the form
(ax)
Γ, Γ0 ` B

with B occurring in Γ or Γ0 , then we conclude with

(ax)
Γ, A, Γ0 ` B

– If the proof is of the form

π1 π2
0
Γ, Γ ` B ⇒ C Γ, Γ0 ` B
(⇒E )
Γ, Γ0 ` C

then we conclude with

π10 π20
Γ, A, Γ0 ` B ⇒ C Γ, A, Γ0 ` B
0 (⇒E )
Γ, A, Γ ` C

where π10 and π20 are respectively obtained from π1 and π2 by induction
hypothesis:

π1 π2
0 0
Γ, Γ ` B⇒C Γ, Γ `B
π10 = 0 (wk) π20 = (wk)
Γ, A, Γ ` B ⇒ C Γ, A, Γ0 ` B

– If the proof is of the from

π
Γ, Γ0 , B ` C
(⇒I )
Γ, Γ0 ` B ⇒ C

then we conclude with

π0
Γ, A, Γ0 , B ` C
(⇒I )
Γ, A, Γ0 ` B ⇒ C

where π 0 is obtained from π by induction hypothesis.

– Other cases are similar.
CHAPTER 2. PROPOSITIONAL LOGIC 51

Also admissible is the exchange rule, which states that we can reorder hypothesis
in the contexts:
Proposition 2.2.7.2 (Exchange). The exchange rule

Γ, A, B, Γ0 ` C
(xch)
Γ, B, A, Γ0 ` C

is admissible.
Proof. By induction on the proof of the hypothesis Γ, A, B, Γ0 ` C.

Given a proof π of some sequent, we often write w(π) for a proof obtained by
weakening. Another admissible rule is contraction, which states that if we can
prove a formula with two occurrences of an hypothesis, we can also prove it with
one occurrence.
Proposition 2.2.7.3 (Contraction). The contraction rule

Γ, A, A, Γ0 ` B
(contr)
Γ, A, Γ0 ` B

is admissible.
Proof. By induction on the proof of the hypothesis Γ, A, A, Γ0 ` B.
We can also formalize the fact that knowing > does not bring information, what
we call here truth strengthening (we are not aware of a standard terminology
for this one):
Proposition 2.2.7.4 (Truth strengthening). The following rule is admissible:

Γ, >, Γ0 ` A
(tstr)
Γ, Γ0 ` A

Proof. By induction on the proof of the hypothesis Γ, >, Γ0 ` A, the only “sub-
tle” case being that we have to transform
(ax) (>I )
Γ, >, Γ0 ` > into Γ, Γ0 ` >

The cut rule. A most important admissible rule is the cut rule, which states
that if we can prove a formula B using an hypothesis A (thought of as a lemma
used in the proof) and we can prove the hypothesis A, then we can directly
prove the formula B.
Theorem 2.2.7.5 (Cut). The cut rule

Γ`A Γ, A, Γ0 ` B
(cut)
Γ, Γ0 ` B

is admissible.
CHAPTER 2. PROPOSITIONAL LOGIC 52

Proof. For simplicity, we restrict to the case where Γ0 is the empty context,
which is not an important limitation because the exchange rule admissible. The
cut rule can be derived from the rules of implication by
Γ, A ` B
(⇒I )
Γ`A Γ`A⇒B
(⇒E )
Γ`B
We will see in section 2.3.2 that the above proof is not satisfactory and will
provide another one, which brings much more information about the dynamics
of the proofs.

Admissible rules via implication. Many rules can be proved to be admissible by

eliminating provable implications:
Lemma 2.2.7.6. Suppose that the formula A ⇒ B is provable. Then the rule
Γ`A
Γ`B
is admissible.
Proof. We have
..
.
`A⇒B
(wk)
Γ`A Γ`A⇒B
(⇒E )
Γ`B
For instance, we have seen in example 2.2.5.4 that the implication
(A ⇒ B) ⇒ (¬B ⇒ ¬A)
is provable. We immediately deduce:
Lemma 2.2.7.7 (Modus tollens). The following two variants of the modus tollens
rule
Γ`A⇒B Γ`A⇒B Γ ` ¬B
Γ ` ¬B ⇒ ¬A Γ ` ¬A
are admissible.

2.2.8 Definable connectives. A logical connective is definable when it can be

expressed from other connectives in such a way that replacing the connective by
its expression and removing the associated logical rules preserves provability.
Lemma 2.2.8.1. Negation is definable as ¬A = A ⇒ ⊥.
Proof. The introduction and elimination rules of ¬ are derivable by
Γ, A ` ⊥ Γ, A ` ⊥
(¬I ) (⇒I )
Γ ` ¬A Γ`A⇒⊥
Γ ` ¬A Γ`A Γ`A⇒⊥ Γ`A
(¬E ) (⇒E )
Γ`⊥ Γ`⊥
CHAPTER 2. PROPOSITIONAL LOGIC 53

from which it follows that, given a provable formula A, the formula A0 ob-
tained from A by changing all connectives ¬− into − ⇒ ⊥ is provable, without
using (¬E ) and (¬I ). Conversely, suppose given a formula A, such that the
transformed formula A0 is provable. We have to show that A is also provable,
which is more subtle. In the proof of A0 , for each subproof of the form

π
Γ`B⇒⊥

where the conclusion B ⇒ ⊥ corresponds to the presence of ¬B as a subformula

of A, we can transform the proof as follows:

π
Γ`B
(wk) (ax)
Γ, B ` B ⇒ ⊥ Γ, B ` B
(⇒E )
Γ, B ` ⊥
(¬I )
Γ ` ¬B

Applying this transformation enough times, we can transform the proof of A0

into a proof of A. A variant of this proof is given in corollary 2.2.9.2.
Lemma 2.2.8.2. Truth is definable as A ⇒ A, for any provable formula A not
involving >. For instance: > = (⊥ ⇒ ⊥).
Remark 2.2.8.3. In intuitionistic logic, contrarily to what we expect from the
usual de Morgan formulas, the implication is not definable as

A ⇒ B = ¬A ∨ B

see sections 2.3.5 and 2.5.1.

2.2.9 Equivalence. We could have added to the syntax of our formulas an

equivalence connective ⇔ with associated rules

Γ`A⇔B Γ`A⇔B Γ`A⇒B Γ`B⇒A

(⇔lI ) (⇔rI ) (⇔E )
Γ`A⇒B Γ`B⇒A Γ`A⇔B

It would have been definable as

A ⇔ B = (A ⇒ B) ∧ (B ⇒ A)

Two formulas A and B are equivalent when A ⇔ B is provable. This notion of

equivalence relates in the expected way to provability:
Lemma 2.2.9.1. If A and B are equivalent then, for every context Γ, Γ ` A is
provable if and only if Γ ` B is provable.

Proof. Immediate application of lemma 2.2.7.6.

In this way, we can give a variant of the proof of lemma 2.2.8.1:
Corollary 2.2.9.2. Negation is definable as ¬A = (A ⇒ ⊥).
CHAPTER 2. PROPOSITIONAL LOGIC 54

Proof. We have ¬A ⇔ (A ⇒ ⊥):

(ax) (ax) (ax) (ax)
¬A, A ` ¬A ¬A, A ` A A ⇒ ⊥, A ` A ⇒ ⊥ A ⇒ ⊥, A ` A
(¬E ) (⇒E )
¬A, A ` ⊥ A ⇒ ⊥, A ` ⊥
(⇒I ) (¬I )
¬A ` A ⇒ ⊥ A ⇒ ⊥ ` ¬A
(⇒I ) (⇒I )
` ¬A ⇒ A ⇒ ⊥ ` (A ⇒ ⊥) ⇒ ¬A
(⇔E )
` ¬A ⇔ (A ⇒ ⊥)

and we conclude using lemma 2.2.9.1.

2.2.10 Structural rules. The rules of exchange, contraction, weakening and

truth strengthening are often called structural rules:

Γ, A, B, Γ0 ` C Γ, A, A, Γ0 ` B
(xch) (contr)
Γ, B, A, Γ0 ` C Γ, A, Γ0 ` B

Γ, Γ0 ` B Γ, >, Γ0 ` A
(wk) (tstr)
Γ, A, Γ0 ` B Γ, Γ0 ` A

We have seen in section 2.2.7 that they are admissible our system.

Contexts as sets. The rules of exchange and contraction allow to think of con-
texts as sets (rather than lists) of formulas, because a set is a list “up to permu-
tation and duplication of its elements”. More precisely, given a set A, we write
P(A) for the set of subsets of A, and A∗ for the set of lists over A. We define
an equivalence relation ∼ on A∗ as the smallest equivalence relation such that

Γ, A, B, ∆ ∼ Γ, B, A, ∆ Γ, A, A, ∆ ∼ Γ, A, ∆

Lemma 2.2.10.1. The function f : A∗ → P(A) which to a list associates its set
of elements is surjective. Moreover, given Γ, ∆ ∈ A∗ , we have f (Γ) = f (∆) if
and only if Γ ∼ ∆.
We could therefore have directly defined contexts to be sets of formulas, as is
sometimes done, but this would be really unsatisfactory. Namely, a formula A
in a context can be thought of as some kind of hypothesis which is to be proved
by an auxiliary lemma and we might have twice the same formula A, but proved
by different means: in this case, we would like to be able to refer to a particular
instance of A (which is proved in a particular way), and we cannot do this
if we have a set of hypothesis. For instance, there are intuitively two proofs
of A ⇒ A ⇒ A: the one which uses the left A to prove A and the one which
uses the right one (this will become even more striking with the Curry-Howard
correspondence, see remark 4.1.7.2). However, with contexts as sets, both are
the same:
(ax)
A`A
(⇒I )
A`A⇒A
(⇒I )
`A⇒A⇒A
A less harmful simplification which is sometimes done is to quotient by exchange
only (and not contraction), in which case the contexts become multisets, see
appendix A.3.5. We will refrain from doing that either here.
CHAPTER 2. PROPOSITIONAL LOGIC 55

Variants of the proof system. The structural rules are usually taken as “real”
(as opposed to admissible) rules of the proof system. Here, we have carefully
chosen the formulation of rules, so that they are admissible, but it would not
hold anymore if we had used subtle variants instead. For instance, if we replace
the axiom rule by

(ax) or (ax)
Γ, A ` A A`A

or replace the introduction rule for conjunction by

Γ`A ∆`B
(∧I )
Γ, ∆ ` A ∧ B

the structural rules are not all admissible anymore. The fine study of the struc-
ture behind this lead Girard to introduce linear logic [Gir87].

2.2.11 Substitution. Given types A and B and a variable X, we write

A[B/X]

for the substitution of X by B in A, i.e. the type A where all the occurrences
of X have been replaced by B. More generally, a substitution for A is a function
which to every variable X ∈ FV(A) assigns a type σ(X) and we also write

A[σ]

for the type A where every variable X has been replaced by σ(X). Similarly,
given a context Γ = x1 : A1 , . . . , xn : An , we define

Γ[σ] = x1 : A1 [σ], . . . , xn : An [σ]

We often write
[A1 /X1 , . . . , An /Xn ]
for the substitution σ such that σ(Xi ) = Ai and σ(X) = X for X different from
each Xi . It satisfies

A[A1 /X1 , . . . , An /Xn ] = A[A1 /X1 ] . . . [An /Xn ]

We always suppose that, for a substitution σ, the set

{X ∈ X | σ(X) 6= X}

is finite so that the substitution can be represented as the list of images of

elements of this set. Provable formulas are closed under substitution:
Proposition 2.2.11.1. Given a provable sequent Γ ` A and a substitution σ, the
sequent Γ[σ] ` A[σ] is also provable.
Proof. By induction on the proof of Γ ` A.
CHAPTER 2. PROPOSITIONAL LOGIC 56

2.3 Cut elimination

In mathematics, one often uses lemmas to show results. For instance, suppose
that we want to show that 6 admits a half, i.e. there exists a number n such
that n + n = 6. We could proceed in this way by observing that
– every even number admits a half, and
– 6 is even.
In this proof, we have used a lemma (even numbers can be halved) that we have
supposed to be already proved. Of course, there was another, much shorter,
proof of the fact that 6 admits a half: simply observe that 3 + 3 = 6. Somehow,
we should be able to extract the second proof (giving directly 3) from the first
one, but looking in details at the proof of the lemma: this process of extracting
a direct proof from a proof of a lemma is called cut elimination. We will see that
is has a number of applications and will allow us to take a “dynamic” point of
view on proofs: somehow, removing cuts somehow corresponds to “executing”
proofs.
Let us illustrate how this process works in more details on the above example.
We first need to make precise the notions we are using here, see section 6.6.3
for a full formalization. We say that a number m is a half of a number n
when m + m = n, and the set of even numbers is defined here the smallest set
containing 0 and such that n + 2 is even when n is. Moreover, our lemma is
proved in this way:
Lemma 2.3.0.1. Every even number admits a half.
Proof. Suppose given an even number n. By definition of evenness, it can be of
the two following forms and we can reason by induction.
– If n = 0 then it admits 0 as half, since 0 + 0 = 0.
– If n = n0 + 2 with n0 even, then by induction n0 admits a half m,
i.e. m + m = n, and therefore n admits m + 1 as half since
n = n0 + 2 = (m + m) + 2 = (m + 1) + (m + 1)

In our reasoning to prove that 6 can be halved, we have used the fact that 6 is
even, which we must have proved in this way:
– 6 is even because 6 = 4 + 2 and 4 is even, where
– 4 is even because 4 = 2 + 2 and 2 is even, where
– 2 is even because 2 = 0 + 2 and 0 is even, where
– 0 is even by definition.
From the proof of the lemma, we know that the half of 6 is the successor of the
half of 4, which is the successor of the half of 2 which is the successor of the half
of 0, which is 0. Writing, as usual, n/2 for a half of n, we have
6/2 = (4/2) + 1 = (2/2) + 1 + 1 = (0/2) + 1 + 1 + 1 = 0 + 1 + 1 + 1 = 3
Therefore the half of 6 is 3: we have managed to extract the actual value of the
half of 6 from the proofs the 6 is even and the above lemma. This example is
further formalized in section 6.6.3.
CHAPTER 2. PROPOSITIONAL LOGIC 57

2.3.1 Cuts. In logic, the use of a lemma to show a result is called a “cut”. This
must not be confused with the (cut) rule presented in theorem 2.2.7.5, although
they are closely related. Formally, a cut in a proof is an elimination rule whose
principal premise is proved by an introduction rule of the same connective. For
instance, the following are cuts:

π π0 π
Γ`A Γ`B Γ, A ` B π0
(∧I ) (⇒I )
Γ`A∧B Γ`A⇒B Γ`A
(∧lE ) (⇒E )
Γ`A Γ`B

The formula in the principal premise is called the cut formula: above, the cut
formulas are respectively A∧B and A ⇒ B. A proof containing a cut intuitively
does “useless work”. Namely, the one on the left starts from a proof π of A in
the context Γ, which it uses to prove A ∧ B, from which it deduces A: in order
to prove A, the proof π was already enough and the proof π 0 of B was entirely
superfluous. Similarly, for the proof on the right, we show in π that supposing A
we can prove B, and also in π 0 that we can prove A: we could certainly directly
prove B, replacing in π all the places where the hypothesis A is used (say by an
axiom) by the proof π 0 . For this reason, cuts are sometimes also called detours.
From a proof-theoretic point of view, it might seem a bit strange that some-
one would use such a kind of proof structure, but this is actually common in
mathematics: when we want to prove a result, we often prove a lemma which
is more general than the result we want to show and then deduce the result we
were aiming at. One of the reason for proceeding in this way is that we can
use the same lemma to cover multiple cases, and thus have shorter proofs (not
to mention that they are generally more conceptual and modular, since we can
reuse the lemmas for other proofs). We will see that, however, we can always
avoid using cuts in order to prove formulas. Before doing so, we first need to
introduce the main technical result which allows this.

2.3.2 Proof substitution. A different kind of substitution (than the one of

section 2.2.11) consists in replacing some axioms in a proof by another proof.
For instance, consider two proofs

(ax) (ax)
Γ, A ` A Γ, A ` A
(∧I ) ..
Γ, A, B ` A ∧ A 0 .
π= (⇒I ) π =
Γ, A ` B ⇒ A ∧ A Γ`A

The proof π 0 allows to deduce A from the hypothesis in Γ. Therefore, in the

proof π, each time the hypothesis A of the context is used (by an axiom rule),
we can instead use the proof π 0 and reprove A. Doing so, the hypothesis A
in the context becomes superfluous and we can remove it. The proof resulting
from this transformation is thus obtained by “re-proving” A each time we need
CHAPTER 2. PROPOSITIONAL LOGIC 58

it instead of having it as an hypothesis:

π0 π0
Γ`A Γ`A
(wk) (wk)
Γ, B ` A Γ, B ` A
(∧I )
Γ, B ` A ∧ A
(⇒I )
Γ`B ⇒A∧A

This process generalizes as follows:

Proposition 2.3.2.1. Given provable sequents

π π0
and
Γ, A, Γ0 ` B Γ`A

the sequent Γ, Γ0 ` B is also provable, by a proof that we denote π[π 0 /A]:

π[π 0 /A]
Γ, Γ0 ` B

Otherwise said, the (cut) rule

Γ`A Γ, A, Γ0 ` B
(cut)
Γ, Γ0 ` B

is admissible.
Proof. By induction on π.
We will see that the admissibility of this rule is the main ingredient to prove
cut elimination, thus its name.

2.3.3 Cut elimination. A logic has the cut elimination property when when-
ever a formula is provable then it is also provable with a proof which does not
involve cuts: we can always avoid doing unnecessary things. This procedure
was introduced by Gentzen under the name Hauptsatz [Gen35]. In general, we
not only want to know that such a proof exists, but also to have an effective
cut elimination procedure which transforms a proof into one without cuts. The
reason for this is that we will see in section 4.1.8 that this corresponds to some-
how “executing” the proof (or the program corresponding to it): this is why
Girard [Gir87] claims that
A logic without cut elimination is like a car without an engine.
Although the proof obtained after eliminating cuts is “simpler” in the sense that
it does not contains unnecessary steps (cuts), it cannot always be considered as
“better”: it is generally much bigger than the original one. The quote above
explains it: think of a program computing the factorial of 1000. We see that a
result can be much bigger than the program computing it [Boo84], and it can
take much time to compute [Ore82].
Theorem 2.3.3.1. Intuitionistic natural deduction has the cut elimination prop-
erty.
CHAPTER 2. PROPOSITIONAL LOGIC 59

π
Γ, A ` B π0
(⇒I )
Γ`A⇒B Γ`A π[π 0 /A]
(⇒E )
Γ`B Γ`B

π π0
Γ`A Γ`B
(∧I )
Γ`A∧B π
(∧lE )
Γ`A Γ`A

π π0
Γ`A Γ`B
(∧I )
Γ`A∧B π0
(∧rE )
Γ`B Γ`B

π
Γ`A π0 π 00
(∨lI )
Γ`A∨B Γ, A ` C Γ, B ` C π 0 [π/A]
(∨E )
Γ`C Γ`C

π
Γ`B π0 π 00
(∨rI )
Γ`A∨B Γ, A ` C Γ, B ` C π 00 [π/B]
(∨E )
Γ`C Γ`C

Figure 2.2: Transforming proofs in NJ in order to eliminate cuts.

Proof. Suppose given a proof which contains a cut. This means that at some
point in the proof we encounter one of the following situations (i.e. we have a
subproof of one of the following forms), in which case we transform the proof
as indicated by on figure 2.2 (we do not handle the cut on ¬ since ¬A can
be coded as A ⇒ ⊥). For instance,
(ax) (ax)
Γ, A ` A Γ, A ` A
(∧I )
Γ, A ` A ∧ A π
(⇒I )
Γ`A⇒A∧A Γ`A
(⇒E )
Γ`A∧A

is transformed into
π π
Γ`A Γ`A
(∧I )
Γ`A∧A
We iterate the process on the resulting proof until all the cuts have been re-
CHAPTER 2. PROPOSITIONAL LOGIC 60

moved.
As it can be noticed on the above example, applying the transformation
might duplicate cuts: if the above proof π contained cuts, then the transformed
proof contains twice the cuts of π. It is therefore not clear that the process
actually terminates, whichever order we choose to eliminate cuts. We will see
in section 4.2 that it indeed does, but the proof will be quite involved. It
is sufficient for now to show that a particular strategy for eliminating cuts is
terminating: at each step, we suppose that we eliminate a cut of highest depth,
i.e. there is no cut “closest to the axioms” (for instance, we could apply the above
transformation only if π has not cuts). We define the size |A| of a formula A as
its number of connectives and variables:

|X| = |>| = |⊥| = 1 |A ⇒ B| = |A ∧ B| = |A ∨ B| = 1 + |A| + |B|

The degree of a cut is the size of the cut formula (e.g. of A ⇒ A ∧ A in the above
example, whose size is 2 + 3|A|), and the degree of a proof is then defined as the
multiset (see appendix A.3.5) of the degrees of the cuts it contains. It can then
be checked that whenever we apply , the newly created cuts are of strictly
lower degree than the cut we eliminated and therefore the degree of the proof
decreases according to the multiset order, see appendix A.3.5. For instance, if
we apply a transformation
π
Γ, A ` B π0
(⇒I )
Γ`A⇒B Γ`A π[π 0 /A]
(⇒E )
Γ`B Γ`B

we suppose that π 0 has not cuts (otherwise the eliminated cut would not be of
highest depth). The degree of the cut is |A ⇒ B|. All the cuts present in the
resulting proof where already present in the original proof, excepting new cuts
on A which might be created by the substitution of π 0 in π, which are of degree
|A| < |A ⇒ B|. Since the multiset order is well-founded, see theorem A.3.5.1,
the process will eventually come to an end: we cannot have an infinite sequence
of transformations, chosen according to our strategy.
The previous theorem states that, as long as we are interested in provability, we
can restrict to cut-free proofs. This is of interest because we often have a good
idea of which rules can be used in those. In particular, we have the following
useful result:
Proposition 2.3.3.2. For any formula A, a cut-free proof of ` A necessarily ends
with an introduction rule.
Proof. Consider the a cut-free proof π of ` A. We reason by induction on it.
This proof cannot be an axiom because the context is empty. Suppose that π
ends with an elimination rule:
..
.
π= (?E )
`A
For each of the elimination rules, we observe that the principal premise is nec-
essarily of the form ` A0 , and therefore ends with an introduction rule, by
CHAPTER 2. PROPOSITIONAL LOGIC 61

induction hypothesis. The proof is then of the form

..
.
(?I )
` A0 ...
(?E )
`A

and thus contains a cut, which is excluded since we have supposed π to be cut-
free. Since π cannot end with an axiom nor an elimination rule, it necessarily
ends with an introduction rule.
In the above proposition, it is crucial that we consider a formula in an empty
context: a cut-free proof of Γ ` A does not necessarily end with an introduction
rule if Γ is arbitrary.

2.3.4 Consistency. The least one can expect from a non-trivial logical system
is that not every formula is provable, otherwise the system is of no use. A logical
system is consistent when there is at least one formula which cannot be proved
in the system. Since, by (⊥E ), one can deduce any formula from ⊥, we have:
Lemma 2.3.4.1. The following are equivalent:
(i) the logical system is consistent,
(ii) the formula ⊥ cannot be proved,

(iii) the principle of non-contradiction holds: there is no formula A such that

both A and ¬A can be proved.
Theorem 2.3.4.2. The system NJ is consistent.
Proof. Suppose that it is inconsistent, i.e. by lemma 2.3.4.1 that it can prove ` ⊥.
By theorem 2.3.3.1, there is a cut-free proof of ` ⊥ and, by proposition 2.3.3.2,
this proof necessarily ends with an introduction rule. However, there is no
introduction rule for ⊥, contradiction.
Remark 2.3.4.3. As a side note, we would like to point out that if we naively
allowed proofs to be infinite or cyclic (i.e. contain themselves as subproofs), then
the system would not be consistent anymore. For instance, we could prove ⊥
by
(ax)
⊥`⊥ π
(⇒I )
`⊥⇒⊥ `⊥
π = (⇒E )
`⊥
(this proof is infinite in the sense that we should replace π by the proof it-
self above). Also, for such a proof, the cut elimination procedure would not
terminate...
CHAPTER 2. PROPOSITIONAL LOGIC 62

2.3.5 Intuitionism. We have explained in the introduction that the intuition-

istic point of view about proofs is that they should be “accessible to intuition”
or “constructive”. This entails in particular that a proof of a disjunction A ∨ B
should imply that one of the two formulas A or B is provable: we not only know
that the disjunction is true, but we can explicitly say which one is true. This
property is satisfied for the system NJ we have defined above, and explains why
we have said that it is intuitionistic:
Proposition 2.3.5.1. If a formula A ∨ B is provable in NJ then either A or B is
provable.
Proof. Suppose that we have a proof of A ∨ B. By theorem 2.3.3.1, we can
suppose that this proof is cut-free and thus ends by an introduction rule by
proposition 2.3.3.2. The proof is thus of one of the following two forms
π π
`A `B
(∨l ) (∨r )
`A∨B I `A∨B I
which means that we either have a proof of A or a proof of B.
While quite satisfactory, this property means that truth in our logical sys-
tems behaves differently from usual systems (e.g. validity in boolean models),
which are called classical by contrast. Every formula provable in NJ is true in
classical systems, but the converse is not true. One of the most striking example
is the so-called principle of excluded middle stating that, for any formula A, the
formula
¬A ∨ A
should hold. While this is certainly classically true, this cannot be proved
intuitionistically for a general formula A:
Lemma 2.3.5.2. Given a propositional variable X, the formula ¬X ∨ X cannot
be proved in NJ.
Proof. Suppose that it is provable. By proposition 2.3.5.1, either ¬X or X is
provable and by theorem 2.3.3.1 and proposition 2.3.3.2, we can assume that
this proof is cut-free and ends with an introduction rule. Clearly, ` X is not
provable (because there is no corresponding introduction rule), so that we must
have a cut-free proof of the form
π
X`⊥
(¬I )
` ¬X
By proposition 2.2.11.1, if we had such a proof, we would in particular have one
where X is replaced by >:
π0
>`⊥
but, by proposition 2.2.7.4, we could remove > from the hypothesis and obtain
a proof
π 00
`⊥
CHAPTER 2. PROPOSITIONAL LOGIC 63

which is excluded by the consistency of NJ, see theorem 2.3.4.2.

Of course, the above theorem does not state that, for a particular given
formula A, the formula ¬A ∨ A is not provable. For instance, with A = >, we
have
(>I )
`>
(∨rI )
` ¬> ∨ >
It however states that we cannot prove ¬A ∨ A without entering the details
of A. This will be studied in more details in section 2.5, were other examples of
non-provable formulas are given.
Since the excluded-middle is not provable, maybe could it false in our logic?
It is not the case because we can show that the excluded-middle is not falsifiable
either, since we can prove the formula ¬¬(¬A ∨ A) as follows:

(ax)
¬(¬A ∨ A), A ` A
(ax) (∨rI )
¬(¬A ∨ A), A ` ¬(¬A ∨ A) ¬(¬A ∨ A), A ` ¬A ∨ A
(¬E )
¬(¬A ∨ A), A ` ⊥
(¬I )
¬(¬A ∨ A) ` ¬A
(ax) (∨lI )
¬(¬A ∨ A) ` ¬(¬A ∨ A) ¬(¬A ∨ A) ` ¬A ∨ A
(¬E )
¬(¬A ∨ A) ` ⊥
(¬I )
` ¬¬(¬A ∨ A)

(2.2)
This proof will be analyzed in more details in section 2.5.2.
A variant of the above lemma which is sometimes useful is the following one:
Lemma 2.3.5.3. Given a propositional variable X, the formula ¬X ∨¬¬X cannot
be proved in NJ.

Proof. Let us prove this in a slightly different way than in lemma 2.3.5.2. It
can be proved in NJ that ¬> ⇒ ⊥:
(ax) (>I )
¬> ` ¬> ¬> ` >
(¬E )
¬> ` ⊥
(⇒I )
` ¬> ⇒ ⊥

and that ¬¬⊥ ⇒ ⊥:

(ax)
¬¬⊥, ⊥ ` ⊥
(ax) (¬I )
¬¬⊥ ` ¬¬⊥ ¬¬⊥ ` ¬⊥
(¬E )
¬¬⊥ ` ⊥
(⇒I )
` ¬¬⊥ ⇒ ⊥

Now, suppose that we have a proof of ¬X ∨ ¬¬X. By proposition 2.3.5.1, either

¬X or ¬¬X is provable. By proposition 2.2.11.1, either ¬> or ¬¬⊥ is provable.
In both cases, by (⇒E ), using the above proof, ⊥ is provable, which we know is
not the case by consistency, see theorem 2.3.4.2
CHAPTER 2. PROPOSITIONAL LOGIC 64

Γ`⊥
(⊥E ) ...
Γ`A Γ`⊥
(?E ) (⊥E )
Γ`B Γ`B

π π0 π 00
Γ`A∨B Γ, A ` C Γ, B ` C
(∨E ) ...
Γ`C
(?E )
Γ`D

π0 π 00
... ...
π Γ, A ` C Γ, B ` C
(?E ) (?E )
Γ`A∨B Γ, A ` D Γ, B ` D
(∨E )
Γ`D

Figure 2.3: Elimination of commutative cuts.

2.3.6 Commutative cuts. Are the cuts the only situations where one is doing
useless work in proofs? No. It turns out that falsity and disjunction induce some
more situations where we would like to eliminate “useless work”. For instance,
consider the following proof:
(ax)
⊥`⊥
(⊥E ) (ax) (ax)
⊥`A∨A ⊥, A ` A ⊥, A ` A
(∨E )
⊥`A

For the hypothesis ⊥, we deduce the “general” statement that A ∨ A holds, from
which we deduce that A holds. Clearly, we ought to be able to simplify this
proof by into
(ax)
⊥`⊥
(⊥E )
⊥`A
where we directly prove A instead of using the “lemma” A∨A as an intermediate
step. Another example of a situation is the following one:
(ax) (ax) (ax) (ax)
A, B ∨ C, B ` A A, B ∨ C, B ` A A, B ∨ C, C ` A A, B ∨ C, C ` A
(ax) (∧I ) (∧I )
A, B ∨ C ` B ∨ C A, B ∨ C, B ` A ∧ A A, B ∨ C, C ` A ∧ A
(∨E )
A, B ∨ C ` A ∧ A
(∧lE )
A, B ∨ C ` A

Here, in a context containing A, we prove here A ∧ A, from which we deduce A,

whereas we could have directly proved A instead. This is almost a typical cut
situation between the rule (∧I ) and (∧lE ), excepting that we cannot eliminate
the cut because the two rules are separated by the intermediate rule (∨E ). In
order for the system to have nice properties, we should thus add to the usual
cut-elimination rules, the rules of figure 2.3, where (?E ) is meant to denote an
arbitrary elimination rule. Those rules eliminate what we call commutative cuts,
see [Gir89, section 10.3].
CHAPTER 2. PROPOSITIONAL LOGIC 65

2.4 Proof search

An important question is whether there is an automated procedure in order to
perform proof-search in NJ, i.e. answer the question:
Is a given sequent Γ ` A provable?
In general, the answer is yes, but the complexity is hard. In order to do so,
the basic idea of course consists in trying to construct a proof derivation whose
conclusion is our sequent, from bottom up.

2.4.1 Reversible rules. A rule is reversible when, if its conclusion is provable,

then its hypothesis are provable. Such rules are particularly convenient in order
to search for proofs since we know that we can always apply them: if the
conclusion sequent was provable then the hypothesis still are. For instance, the
rule
Γ`A
(∨lI )
Γ`A∨B
is not reversible: if, while searching for a proof of Γ ` A ∨ B, we apply it,
we might have to backtrack in the case where Γ ` A is not provable, since
maybe Γ ` B was provable instead, the most extreme example being
..
.
`⊥
(∨lI )
`⊥∨>
where we have picked the wrong branch of the disjunction and try to prove ⊥,
whereas > was directly provable. On the contrary, the rule
Γ`A Γ`B
(∧I )
Γ`A∧B
is reversible: during proof search, we can apply it without regretting our choice.
Proposition 2.4.1.1. In NJ, the reversible rules are (ax), (⇒I ), (∧I ), (>I ) and
(¬I ).
Proof. Consider the case of (⇒I ), the other cases being similar. In order to
show that this rule (recalled on the left) is reversible, we have to show that if
the conclusion is provable then the premise also is, otherwise said that the rule
on the right is admissible:
Γ, A ` B Γ`A⇒B
(⇒I )
Γ`A⇒B Γ, A ` B
Suppose that we have a proof π of the conclusion Γ ` A ⇒ B. We can construct
a proof of Γ, A ` B by
π
Γ`A⇒B
(wk) (ax)
Γ, A ` A ⇒ B Γ, A ` A
(⇒E )
Γ, A ` B
CHAPTER 2. PROPOSITIONAL LOGIC 66

For instance, want to prove the formula X ⇒ Y ⇒ X ∧ Y . We can try to

apply the reversible rules as long as we can, and indeed, we end up on a proof:
(ax) (ax)
X, Y ` X X, Y ` Y
(∧I )
X, Y ` X ∧ Y
(⇒I )
X `Y ⇒X ∧Y
(⇒I )
`X ⇒Y ⇒X ∧Y

2.4.2 Proof search. In order to have an idea of how proof search can be
performed in general in NJ, we now describe an algorithm, due to Statman,
see [Sta79] and [SU06, section 6.6]. For simplicity, we restrict to the implica-
tional fragment, where formulas are built out of variables and implication, and
the rules are (ax), (⇒E ) and (⇒I ).
Suppose fixed a sequent Γ ` A. A naive search for a proof tree of this sequent
might end up in a loop: the search space is not finite. For instance, looking for
a proof of X ⇒ X ` X, our search might try to construct an infinite proof tree
looking like this:
..
.
(ax) (⇒E )
Γ`X⇒X Γ`X
(ax) (⇒E )
Γ`X⇒X Γ`X
(ax) (⇒E )
Γ`X⇒X Γ`X
(⇒E )
Γ`X

where Γ = X ⇒ X. However, we can observe that such a proof contains

infinitely many cuts, whereas theorem 2.3.3.1 ensures that we can look for cut-
free proofs. We see another application of this theorem: it drastically shrinks
the search space. After some more thought, it can be observed that we can
always look on cut-free proofs of the following form, depending on the form of
the formula we are trying to prove:
– Γ ` A ⇒ B: the last rule must be
Γ, A ` B
(⇒I )
Γ`A⇒B

and we look for a proof of Γ, A ` B,

– Γ ` X: the proof must end with
..
.
(ax) ..
Γ ` A1 ⇒ A2 ⇒ . . . ⇒ An ⇒ X Γ ` A1 .
(⇒E )
Γ ` A2 ⇒ . . . ⇒ An ⇒ X Γ ` A2
(⇒E )
.. ..
. .
(⇒E )
Γ ` An ⇒ X Γ ` An
(⇒E )
Γ`X

where the particular case n = 0 is

(ax)
Γ`X
CHAPTER 2. PROPOSITIONAL LOGIC 67

(** Formulas. *)
type t =
| Var of string
| Imp of t * t

(** Arguments of an implication ending with x. *)

let rec split_imp x = function
| Var y -> if x = y then Some [] else None
| Imp (a, b) ->
match split_imp x b with
| Some l -> Some (a::l)
| None -> None

(** Determine whether a sequent is provable in a given context. *)

let rec provable env : t -> bool = function
| Var x ->
List.exists (fun a ->
match split_imp x a with
| Some l -> List.for_all (provable env) l
| None -> false
) env
| Imp (a, b) -> provable (a::env) b

Figure 2.4: Statman’s algorithm.

we thus try to find a formula of the form A1 ⇒ . . . ⇒ An ⇒ X in the

context such that all the Γ ` Ai are provable.
This results in an algorithm which is relatively easy to implement, see figure 2.4.
This algorithm can be shown to be in PSPACE and the problem is actually
PSPACE-complete.
Other methods for searching proofs in intuitionistic logic are presented in
section 2.6.5.

2.5 Classical logic

As we have seen in section 2.3.5, not all the formulas that we expect to hold in
logic are provable in intuitionistic logic, such as the excluded middle (lemma 2.3.5.2).
By opposition, the usual notion of validity (e.g. coming from boolean models) is
called classical logic. If classical logic is closer to the usual intuition of validity,
the main drawback for us is that this logic is not constructive, in the sense that
we cannot necessarily extract witnesses from proofs: if we have proved ¬A ∨ A,
we do not necessarily know which one of ¬A or A actually holds.
A well-known typical classical reasoning is the following. We want to prove
that there √exist two irrational√ numbers a and b such that ab is rational. We
know that 2 is irrational: if 2 = p/q then p2 = 2q 2 , but the number of prime
factors is even on the left and odd on√the right. Reasoning using the excluded
√ 2
middle, we know that the number 2 is either rational or irrational:
CHAPTER 2. PROPOSITIONAL LOGIC 68
√
– if it is rational, we conclude with a = b = 2,
√
√ 2 √
– otherwise, we take a = 2 and b = 2, and we have ab = 2 which
concludes the proof.
We have been able to prove the property, but we are not able to exhibit a
concrete value for a and b.
From the proof-as-program correspondence, the excluded middle is also quite
puzzling. Suppose that we are in a logic rich enough to encode Turing machines
(or, equivalently, execute a program in a usual programming language) and that
we have a predicate Halts(M ) which is holds when M is halting (you should find
this quite plausible after having read chapter 6). In classical logic, the formula

¬ Halts(M ) ∨ Halts(M )

holds for every Turing machine M , which seems to mean that we should be able
to decide whether a Turing machine is halting or not, but there is no hope of
finding such an algorithm since Turing has shown that the halting problem is
undecidable [Tur37].

2.5.1 Axioms for classical logic. A logical system for classical logic, called
NK (for K lassical N atural deduction), can be obtained from NJ (figure 2.1) by
adding a new rule corresponding to the excluded middle
(lem)
Γ ` ¬A ∨ A

In this sense, the excluded middle is the only thing which is missing in intu-
itionistic logic to be classical. This is shown in theorems 2.5.6.1 and 2.5.6.5.
In fact, excluded middle is not the only possible choice, and other equiva-
lent axioms can be added instead. Most of those axioms correspond to usual
reasoning patterns, which have been known for a long time, and thus bear latin
names.
Theorem 2.5.1.1. The following principles are equivalent in NJ:
(i) excluded middle, also called tertium non datur:

¬A ∨ A

(ii) double-negation elimination or reductio ad absurdum:

¬¬A ⇒ A

(iii) contraposition:
(¬B ⇒ ¬A) ⇒ (A ⇒ B)

(iv) counter-example principle:

¬(A ⇒ B) ⇒ A ∧ ¬B

(v) Peirce law:

((A ⇒ B) ⇒ A) ⇒ A
CHAPTER 2. PROPOSITIONAL LOGIC 69

(vi) Clavius’ law or consequentia mirabilis:

(¬A ⇒ A) ⇒ A

(vii) Tarski’s formula:

A ∨ (A ⇒ B)

(viii) one of the following de Morgan laws:

¬(¬A ∧ ¬B) ⇒ A ∨ B
¬(¬A ∨ ¬B) ⇒ A ∧ B

(ix) material implication:

(A ⇒ B) ⇒ (¬A ∨ B)

(x) ⇒/∨ distributivity:

(A ⇒ (B ∨ C)) ⇒ ((A ⇒ B) ∨ C)

By “equivalent”, we mean here that if we suppose that one holds for every
formulas A, B and C then the other one also holds for every formulas A, B
and C, and conversely.
Proof. We only show here the equivalence between the first two, the other ones
being left as an exercise. Suppose that the excluded middle holds, we can show
reductio ad absurdum by
(ax) (ax)
¬¬A, ¬A ` ¬¬A ¬¬A, ¬A ` ¬A
(¬E ) (ax)
¬¬A ` ¬A ∨ A ¬¬A, ¬A ` A ¬¬A, A ` A
(∨E )
¬¬A ` A
(⇒I )
` ¬¬A ⇒ A
(2.3)
Suppose that reductio ad absurdum holds, we can show the excluded middle by

π
` ¬¬(¬A ∨ A) ⇒ (¬A ∨ A) ` ¬¬(¬A ∨ A)
(∨E )
` ¬A ∨ A (2.4)
where π is the proof (2.2) on page 63.
Remark 2.5.1.2. One should be careful about the quantifications over formu-
las involved in theorem 2.5.1.1. In order to illustrate this, let us detail the
equivalence between excluded middle and reductio ad absurdum. We say that
a formula A is decidable when ¬A ∨ A holds and regular when ¬¬A ⇒ A holds.
The derivation (2.3) shows that every decidable formula is regular, but the con-
verse does not hold: the derivation (2.4) only shows that A is decidable when
¬A ∨ A (as opposed to A) is regular. In fact a concrete example of a formula
which is regular but not decidable, can be given by taking A = ¬X: the for-
mula ¬¬¬X ⇒ ¬X holds (lemma 2.5.9.4), but ¬¬X ∨ ¬X cannot be proved
(lemma 2.3.5.3). Thus, it is important to remark that theorem 2.5.1.1 does not
say that a formula is regular if and only if it is decidable, but rather that every
formula is regular if and only if every formula is decidable.
CHAPTER 2. PROPOSITIONAL LOGIC 70

Among those axioms, the Pierce law is less natural than others but has the
advantage of requiring only implication, so that it still makes sense in some
small fragments of logic such as minimal implicational logic. Also, note that
the fact that material implication occurs in this list means that A ⇒ B is not
equivalent to ¬A ∨ B in NJ, as it is in LK. For each of these axioms, we could
add more or less natural forms of rules. For instance, the law of the excluded
middle can also be implemented by the nicer looking rule

Γ, ¬A ` B Γ, A ` B
(lem)
Γ`B

similarly, reductio ad absurdum can be implemented by one of the following

rules
Γ ` ¬¬A Γ, ¬A ` ⊥ Γ, ¬A ` A
(¬¬E )
Γ ` ¬¬A ⇒ A Γ`A Γ`A Γ`A

Since classical logic is obtained from intuitionistic by adding axioms, it is

obvious that
Lemma 2.5.1.3. An intuitionistic proof is a valid classical proof.
We have seen that the converse does not hold (lemma 2.3.5.2), but we will see
in section 2.5.9 that we can still embed classical proofs in intuitionistic logic.

2.5.2 The intuition behind classical logic. Let us try to give some proof
theoretic intuition about how classical logic works.

Proof irrelevance. We have already mentioned that we can interpret a formula

as a set JAK, intuitively corresponding to all the proofs of A, and implications
as function spaces: JA ⇒ BK = JAK → JBK. In this interpretation, ⊥ of course
corresponds to the empty set since we do not expect to have a proof of it:
J⊥K = ∅. Now, given a formula A, its negation ¬A = (A ⇒ ⊥) is interpreted as
the set of functions from JAK to ∅:
– if JAK is non-empty, the set J¬AK = JAK → ∅ is empty,
– if JAK is empty, the set J¬AK = ∅ → ∅ contains exactly one element.
The last point might seem surprising, but if we think hard about it it makes
sense. For instance, in set theory, a function f : JAK → JBK is usually defined as
a relation f ⊆ JAK × JBK which satisfies some properties, expressing that each
element of JAK should have exactly one image in JBK. Now, when both the sets
are empty, we are looking for a relation f ⊆ ∅ × ∅ and there is exactly one such
relation: the empty set (which trivially satisfies the axioms for functions).
Applying twice the reasoning above, we get that
– if JAK is non-empty, J¬¬AK contains exactly one element,
– if JAK is empty, J¬¬AK is empty.
In other words, ¬¬A can be seen as the formula A where the only thing which
matters is not all the proofs of A (i.e. the elements of JAK), but only whether
there exists a proof of A or not, since we have reduced its contents to at most
CHAPTER 2. PROPOSITIONAL LOGIC 71

one point. For this reason, doubly negated formulas are sometimes said to be
proof irrelevant: again, the actual proof does not matter, only its existence. For
instance, we now understand why
¬¬(¬A ∨ A)
is provable intuitionistically: it states that it is true that there exists a proof
of ¬A or a proof of A, as opposed to ¬A ∨ A which states that we have a proof
of ¬A or a proof of A. From this point of view, the classical axiom
¬¬A ⇒ A
now seems like deep magic: it means that if we know that there exists a proof
of A we can actually extract a proof of A. This can only be true if we assume
that there can be at most one proof for a formula, i.e. formulas are interpreted
as booleans and not sets (see section 2.5.4 for a logical point of view on this).
This also explains why we can actually embed classical logic into intuitionistic
logic by double-negating formulas, see section 2.5.9: if we are only interested in
their existence, intuitionistic proofs behave classically.

Resetting proofs. Let us give another, more operational, point of view on the
axiom ¬¬A ⇒ A. We have mentioned that it is equivalent to having the rule
Γ ` ¬¬A
(¬¬E )
Γ`A
so that when searching for a proof of A, we can instead prove ¬¬A. What do
we gain in doing so? At first it does not seem much, since we can go back to
proving A:
..
.
(ax)
Γ, ¬A ` ¬A Γ, ¬A ` A
(¬E )
Γ, ¬A ` ⊥
(¬I )
Γ ` ¬¬A
But there is one difference, we now have the additional hypothesis ¬A in our
context, and we can use it at any point in the proof to go back to proving A
instead of the current goal B, while keeping the current context:
..
.
(ax)
Γ0 , ¬A ` ¬A 0
Γ , ¬A ` A
(⊥E )
Γ0 , ¬A ` ⊥
(¬E )
Γ0 , ¬A ` B
In other words, we can “reset proofs” during proof search, i.e. we can implement
the following behavior (up to minor details such as weakening):
..
.
0
Γ `A
(reset)
Γ0 ` B
..
.
Γ`A
CHAPTER 2. PROPOSITIONAL LOGIC 72

Note that we keep the context Γ0 after the reset.

Now, let us show how we can use this to prove ¬A ∨ A. When faced with the
disjunction, we choose the left branch, i.e. prove ¬A, which by (¬I ) this amounts
to prove ⊥, supposing A as hypothesis. Instead of going on and proving ⊥, which
is quite hopeless, we use our reset mechanism and go back to proving ¬A ∨ A:
while doing so we have kept A as hypothesis! So, this time we chose to prove A,
which can be done by an axiom. If we think of reset as the possibility of “going
back in time” and changing one’s mind, this proof implements the following
conversation between us, trying to build the proof, and an opponent trying to
prove us wrong:
— Show me the formula ¬A ∨ A.
— Ok, I will show that ¬A holds.
— Here is a proof π of A, show me how to deduce ⊥.
— Actually, I changed my mind, I will prove A, here is the proof: π.
The formal proof goes on like this
(ax)
A`A
(∨rI )
A ` ¬A ∨ A
(reset)
A`⊥
(¬I )
` ¬A
(∨lI )
` ¬A ∨ A

In more details, the proof begins by proving ¬¬(¬A ∨ A) instead of ¬A ∨ A and

proceeds as in (2.2) on page 63. This idea of resetting will be explored again,
under a different form, in section 4.6.

2.5.3 A variant of natural deduction. The presentation given in section 2.5.1

is not very “canonical” in the sense that it consists in randomly adding an axiom
in the list given in theorem 2.5.1.1. We would like to present another approach
which consists in slightly changing the calculus, and allows for a much more
pleasant proof system. We now consider sequents of the form

Γ`∆

where both Γ and ∆ are contexts. Such a sequent should be read as “supposing
all the formula in Γ, I can prove some formula in ∆”. This is a generalization of
previous sequents, where ∆ was restricted to exactly one formula. The rules for
this sequent calculus are given in figure 2.5. In order to ease the presentation,
we consider here that the formulas of ∆ can be explicitly permuted, duplicated,
and so on, using the structural rules (xchR ), (wkR ), (contrR ) and (⊥R ), which
we generally leave implicit in examples. Those rules are essentially the same as
those for NJ, with contexts added on the right, excepting for the rule (∨lI ) and
(∨rI ), which are now combined into the rule

Γ ` A, B, ∆
(∨I )
Γ ` A ∨ B, ∆
CHAPTER 2. PROPOSITIONAL LOGIC 73

(ax)
Γ, A, Γ0 ` A, ∆

Γ ` A ⇒ B, ∆ Γ ` A, ∆ Γ, A ` B, ∆
(⇒E ) (⇒I )
Γ ` B, ∆ Γ ` A ⇒ B, ∆

Γ ` A ∧ B, ∆ l Γ ` A ∧ B, ∆ r Γ ` A, ∆ Γ ` B, ∆
(∧E ) (∧E ) (∧I )
Γ ` A, ∆ Γ ` B, ∆ Γ ` A ∧ B, ∆

Γ`∆
(>I )
Γ ` >, ∆

Γ ` A ∨ B, ∆ Γ, A ` C, ∆ Γ, B ` C, ∆ Γ ` A, B, ∆
(∨E ) (∨I )
Γ ` C, ∆ Γ ` A ∨ B, ∆

Γ`∆
(⊥I )
Γ ` ⊥, ∆

Γ ` ¬A, ∆ Γ ` A, ∆ Γ, A ` ⊥, ∆
(¬E ) (¬I )
Γ ` ⊥, ∆ Γ ` ¬A, ∆

structural rules:

Γ ` ∆, A, B, ∆0 Γ ` ∆, ∆0
(xchR ) (wkR )
Γ ` ∆, B, A, ∆0 Γ ` ∆, A, ∆0

Γ ` ∆, A, A, ∆0 Γ ` ∆, ⊥, ∆0
(contrR ) (⊥R )
Γ ` ∆, A, ∆0 Γ ` ∆, ∆0

Figure 2.5: NK: rules of classical natural deduction.

CHAPTER 2. PROPOSITIONAL LOGIC 74

In order to prove a disjunction A ∨ B, we do not have anymore to choose if we

want to prove A or B: we can try to prove both at the same time. This means
that there can be some “exchange of information” between the proofs of A and
of B (via the context Γ). For instance, we have excluded middle can be proved
by
(ax)
A ` A, ⊥
(xchR )
A ` ⊥, A
(¬I )
` ¬A, A
(∨I )
` ¬A ∨ A
Note that the formula A in the context, obtained from the ¬A, is used in the
axiom in order to prove the other A. Similarly, double negation elimination is
proved by
(ax)
¬¬A, A ` A
(ax) (¬I )
¬¬A ` ¬¬A, A ¬¬A ` ¬A, A
(¬E )
¬¬A ` ⊥, A
(⊥E )
¬¬A ` A, A
(contrR )
¬¬A ` A
(⇒I )
` ¬¬A ⇒ A

Again, instead of proving A, we decide to either prove ⊥ or A.

The expected elimination rule for the constant ⊥ (shown on the left) is not
present, but it can be derived (as shown on the right):

Γ ` ⊥, ∆
(⊥R )
Γ ` ⊥, ∆ Γ`∆
(⊥E ) (wkR )
Γ ` A, ∆ Γ ` A, ∆

In fact the constant ⊥ is now superfluous, since one can convince himself that
proving ⊥ amounts to proving the empty sequent ∆.

2.5.4 Cut-elimination in classical logic. Classical logic also does have the
cut-elimination property, see section 2.3.3, although this is more subtle to show
than in the case of intuitionistic logic due to the presence of structural rules. In
particular, in addition to the usual cut elimination steps, we need to add rules
making elimination rules “commute” with structural rules: namely, an intro-
duction and the corresponding elimination rules can be separated by structural
rules. For instance, suppose that we want to eliminate the following “cut”:

π π0
Γ`A Γ`B
(∧I )
Γ`A∧B
(wkR )
Γ ` A ∧ B, C
(∧lE )
Γ ` A, C
CHAPTER 2. PROPOSITIONAL LOGIC 75

We first need to make the elimination rule for conjunction commute with the
weakening:
π π0
Γ`A Γ`B
(∧I )
Γ`A∧B
(∧lE )
Γ`A
(wkR )
Γ ` A, C
and then we can finally properly eliminate the cut:
π
(∧lE )
Γ`A
(wkR )
Γ ` A, C

Another surprising phenomenon was observed by Lafont [Gir89, section B.1].

Depending on the order in which we eliminate cuts, the following proof
π π0
Γ`A Γ`B
(wkR ) (wkR )
Γ ` ¬C, A Γ ` C, B
(¬E )
Γ ` ⊥, A, B
(⊥R )
Γ ` A, B

both cut-eliminates to
π π0
Γ`A Γ`B
(wkR ) and (wkR )
Γ ` A, B Γ ` A, B
This is sometimes called Lafont’s critical pair. We like to identify proofs up to
cut elimination (much more on this in chapter 4) and therefore those two proofs
should be considered as being “the same”. In particular, when both π and π 0
are proofs of Γ ` A, i.e. A = B, this forces us to identify the two proofs
π π0
Γ`A Γ`A
(wkR ) (wkR )
Γ ` A, A Γ ` A, A
(contrR ) and (contrR )
Γ`A Γ`A

and thus to identify the two proofs π and π 0 . More generally, by a similar
reasoning, any two proofs of a same sequent Γ ` ∆ should be identified. Cuts
can hurt! This gives another, purely logical, explanation about why classical
logic is “proof irrelevant”, as already mentioned in section 2.5.2: up to cut-
elimination, there is at most one proof of a given sequent.

2.5.5 De Morgan laws. In classical logic, the well-known de Morgan laws

hold:

¬(A ∧ B) ⇔ ¬A ∨ ¬B ¬> ⇔ ⊥ A ⇒ B ⇔ ¬A ∨ B
¬(A ∨ B) ⇔ ¬A ∧ ¬B ¬⊥ ⇔ > ¬¬A ⇔ A
CHAPTER 2. PROPOSITIONAL LOGIC 76

Definable connectives. Because of these laws, many connectives are superflu-

ous. For instance, classical logic can be axiomatized with ⇒ and ⊥ as only
connectives, since we can define

A ∨ B = ¬A ⇒ B A ∧ B = ¬(A ⇒ ¬B) ¬A = A ⇒ ⊥ >=⊥⇒⊥

and the logical system can be reduced to the four following rules:

Γ`∆
0 (ax) (⊥I )
Γ, A, Γ ` A, ∆ Γ ` ⊥, ∆

Γ ` A ⇒ B, ∆ Γ ` A, ∆ Γ, A ` B, ∆
(⇒E ) (⇒I )
Γ ` B, ∆ Γ ` A ⇒ B, ∆

together with the four structural rules. Several other choices of connectives are
possible.

Clausal form. It is natural to consider the equivalence relation on formulas which

relates any two formulas A and B such that A ⇔ B. The de Morgan laws can be
used to put every formula into some canonical representation into its equivalence
class up to this equivalence relation. We first need to introduce some classes of
formulas.
A literal L is either a variable or a negated variable:

L ::= X | ¬X

A clause C is a disjunction of literals:

C ::= L | C ∨ C | ⊥

A formula A is in clausal form or in conjunctive normal form when it is a

conjunction of clauses:
A ::= C | A ∧ A | >
Proposition 2.5.5.1. Every formula is equivalent to one in clausal form.
One way to show this result is to use the de Morgan laws, as well as usual
intuitionistic laws (section 2.2.5), in order to push negations toward variables
and disjunctions below conjunctions, i.e. we replace subformulas according to
the following rules, until no rule applies:

¬(A ∧ B) ¬A ∨ ¬B ¬> ⊥
¬(A ∨ B) ¬A ∧ ¬B ¬⊥ >
(A ∧ B) ∨ C (A ∨ C) ∧ (B ∨ C) >∨C >
A ∨ (B ∧ C) (A ∨ B) ∧ (A ∨ C) A∨> >
A⇒B ¬A ∨ B ¬¬A A

Those rules rewrite formulas into classically equivalent ones, since those are
instances of de Morgan laws. However, it is not clear that the process terminates.
It does, but it is not efficient, and we will see below a better way to put a formula
in clausal form.
CHAPTER 2. PROPOSITIONAL LOGIC 77

Example 2.5.5.2. A clausal form of (X ⇒ Y ) ⇒ (Y ⇒ Z) can be computed by

¬(¬X ∨ Y ) ∨ (¬Y ∨ Z) (¬¬X ∧ ¬Y ) ∨ (¬Y ∨ Z)

(X ∧ ¬Y ) ∨ (¬Y ∨ Z)
(X ∨ ¬Y ∨ Z) ∧ (¬Y ∨ ¬Y ∨ Z)

Efficient computation of the clausal form. Given a clause C, we write L(C) for
the set of literals occurring in it:

L(X) = {X} L(¬X) = {¬X} L(C ∨ D) = L(C) ∪ L(D) L(⊥) = ∅

A variable X occurs positively (resp. negatively) in A if we have X ∈ L(C)

(resp. ¬X ∈ L(C)). Up to equivalence, formulas satisfy the laws of commutative
idempotent monoids with respect to ∨ and ⊥:

(A ∨ B) ∨ C ⇔ A ∨ (B ∨ C) ⊥∨A⇔A B∨A⇔A∨B
A∨⊥⇔A A∨A⇔A

Because of this, a clause is characterized by the set of literals occurring in it,

see appendix A.2:
Lemma 2.5.5.3. Given clauses C and D, if L(C) = L(D) then C ⇔ D.
Similarly, a formula in clausal form is characterized by the set of clauses occur-
ring in it. A formula in clausal form A can thus be encoded as a set of sets of
literals:
A = {{L11 , . . . , L1k1 }, . . . , {Ln1 , . . . , Lnkn }}
Note that the empty set ∅ corresponds to the formula > whereas the set {∅}
corresponds to the formula ⊥. In practice, we can represent a formula as a list
of lists of clauses (where the order or repetitions of the elements of the lists do
not matter). Based on this, an algorithm for putting a formula in clausal form is
provided in figure 2.6. A literal is encoded as a pair consisting of a variable and
a boolean indicating whether it is negated or not (by convention, false means
negated), a clause as a list of literals, and clausal form as a list of clauses. Given
a formula A, the functions pos and neg, respectively compute the clausal form
of A and ¬A. They are using the function merge which, given two formulas in
clausal form

A = {C1 , . . . , Cm } and B = {D1 , . . . , Dn }

compute the clausal form of A ∨ B, which is

A ∨ B = {Ci ∪ Dj | 1 6 i 6 m, 1 6 j 6 n}

The notion clausal form can be further improved as follows. We say that a
formula is in canonical clausal form when
1. it is in clausal form,
2. it does not contains twice the same clause or > (this is automatic if it is
represented as a set of clauses),
3. no clause contains twice the same literal or ⊥ (this is automatic if they
are represented as sets of literals),
CHAPTER 2. PROPOSITIONAL LOGIC 78

type var = int

(** Formulas. *)
type t =
| Var of var
| And of t * t
| Or of t * t
| Imp of t * t
| Not of t
| True | False

type litteral = bool * var (** Litteral. *) (* false = negated *)

type clause = litteral list (** Clause. *)
type cnf = clause list (** Clausal formula. *)

let clausal a : cnf =

let merge a b =
List.flatten (List.map (fun c -> List.map (fun d -> c@d) b) a)
in
let rec pos = function
| Var x -> [[true, x]]
| And (a, b) -> let a = pos a in let b = pos b in a@b
| Or (a, b) -> let a = pos a in let b = pos b in merge a b
| Imp (a, b) -> let a = neg a in let b = pos b in merge a b
| Not a -> neg a
| True -> []
| False -> [[]]
and neg = function
| Var x -> [[false, x]]
| And (a, b) -> let a = neg a in let b = neg b in merge a b
| Or (a, b) -> let a = neg a in let b = neg b in a@b
| Imp (a, b) -> let a = pos a in let b = neg b in a@b
| Not a -> pos a
| True -> [[]]
| False -> []
in
pos a

Figure 2.6: Putting a formula in clausal form.

CHAPTER 2. PROPOSITIONAL LOGIC 79

4. no clause contains both a literal and its negation.

For the last point, given a clause C containing both X and ¬X, the equivalences
¬X ∨ X ⇔ > and > ∨ A ⇔ A imply that the whole clause is equivalent to > and
can thus be removed from the formula. For instance, the clausal form computed
in example 2.5.5.2 is not canonical because it does not satisfy the second point
above.
Exercise 2.5.5.4. Modify the algorithm of figure 2.6 so that it computes canonical
clausal forms.

De Morgan laws in intuitionistic logic. Let us insist once again on the fact that
the de Morgan laws do not hold in intuitionistic logic. Namely, the following
implications are intuitionistically true, but not their converse:

A ∨ B ⇒ ¬(¬A ∧ ¬B) ¬A ∨ ¬B ⇒ ¬(A ∧ B)

A ∧ B ⇒ ¬(¬A ∨ ¬B) ¬A ∨ B ⇒ A ⇒ B

However, the following equivalence does hold intuitionistically:

¬A ∧ ¬B ⇔ ¬(A ∨ B)

2.5.6 Boolean models. Classical natural deduction matches exactly the no-
tion of truth one would get from usual boolean models. Let us detail this. We
write B = {0, 1} for the set of booleans. A valuation ρ is a function X → B,
assigning booleans to variables. Such a valuation can be extended as a function
ρ : Prop → B, from propositions to booleans, by induction over the propositions
by

ρ(X) = 1 iff ρ(X) = 1

ρ(A ⇒ B) = 1 iff ρ(A) = 0 or ρ(B) = 1
ρ(A ∧ B) = 1 iff ρ(A) = 1 and ρ(B) = 1
ρ(>) = 1
ρ(A ∨ B) = 1 iff ρ(A) = 1 or ρ(B) = 1
ρ(⊥) = 0

Given a formula A and a valuation ρ, we write ρ A whenever ρ(A) = 1

and say that the formula A is satisfied in the valuation ρ. Given a context
Γ = A1 , . . . , An , we write Γ ρ A whenever ρ ( i=1 Ai ) ⇒ A. Finally, we
Vn
write Γ  A whenever Γ ρ A for every valuation ρ and, in this case, say that
A is valid in the context Γ or that the sequent Γ ` A is valid.
The system NK is correct in the sense that is only allows the derivation of
valid sequents.
Theorem 2.5.6.1 (Soundness). If Γ ` A is derivable then Γ  A.
Proof. By induction on the proof of Γ ` A.
Since NJ is a subsystem of NK, it thus also allows only the derivation of valid
sequents. As simple as it may seem, the above theorem allows proving the
consistency of intuitionistic and classical logic (which was already demonstrated
in theorem 2.3.4.2 for intuitionistic logic):
CHAPTER 2. PROPOSITIONAL LOGIC 80

Corollary 2.5.6.2. The system NK (and thus also NJ) is consistent.

Proof. Suppose that NK is not consistent. By lemma 2.3.4.1, we would have a
proof of ` ⊥. By theorem 2.5.6.1, we would have ρ(⊥) = 1. But ρ(⊥) = 0 by
definition, contradiction.
Conversely, we can show that the system NK is complete, meaning that if a
sequent Γ ` A is valid, i.e. we have Γ  A, then it is derivable. As a particular
case, we will have that if a formula A valid then it is provable, i.e. ` A is
derivable. We first need the following lemmas.
Lemma 2.5.6.3. For any formulas A and B, variable X and valuation ρ, we have
ρ(A[B/X]) = ρ0 (A), where ρ0 (X) = ρ(B) and ρ0 (Y ) = ρ(X) for X 6= Y .
Proof. By induction on A.
Lemma 2.5.6.4. For any formula A, the formula

((X ⇒ A[>/X]) ∧ (¬X ⇒ A[⊥/X])) ⇒ A

is derivable in NK.
Proof. For concision, we write

δX A = (X ⇒ A[>/X]) ∧ (¬X ⇒ A[⊥/X])

We reason by induction on the formula A. If A = X then

δX X = (X ⇒ >) ∧ (¬X ⇒ ⊥)

and we have
(ax)
δX X, ¬X ` (X ⇒ >) ∧ (¬X ⇒ ⊥)
(∧rE ) (ax)
δX X, ¬X ` ¬X ⇒ ⊥ δX X, ¬X ` ¬X
(⇒E )
δX X, ¬X ` ⊥
(¬I )
δX X ` ¬¬X
(¬¬E )
δX X ` X
(⇒I )
` δX X ⇒ X

If A = Y with Y 6= X, we have

δX Y = (X ⇒ Y ) ∧ (¬X ⇒ Y )

and, using the fact that X ∨ ¬X is derivable,

δX Y, X ` (X ⇒ Y ) ∧ (¬X ⇒ Y )
..
δX Y, X ` X ⇒ Y δX Y, X ` X .
δX Y ` X ∨ ¬X δX Y, X ` Y δX Y, ¬X ` Y
δX Y ` Y

Other cases are left to the reader.

CHAPTER 2. PROPOSITIONAL LOGIC 81

Theorem 2.5.6.5 (Completeness). If Γ  A holds then Γ ` A is derivable.

Proof. We proceed by induction on the number of free variables of A. If
FV(A) = ∅ then we easily show that Γ ` A by induction on A. Otherwise,
pick a variable X ∈ FV(A). By lemma 2.5.6.3, the sequents Γ, X ` A[>/X]
and Γ, ¬X ` A[⊥/X] are valid, and thus derivable by induction hypothesis.
Finally, using lemma 2.5.6.4, the fact that the excluded middle X ∨ ¬X holds,
we have the derivation
.. ..
. .
Γ, X ` A[>/X] Γ, ¬X ` A[⊥/X]
..
. Γ ` X ∨ ¬X Γ ` X ⇒ A[>/X] Γ ` ¬X ⇒ A[⊥/X]
(∨E )
Γ ` δX A ⇒ A Γ ` δX A
(⇒E )
Γ`A

which allows us to conclude.

A detailed and formalized version of this proof can be found in [CKA].
Of course, intuitionistic natural deduction is not complete with respect to
boolean models since there are formulas, such as ¬X ∨ X, which evaluate to
true under any valuation by are not derivable (lemma 2.3.5.2). One way to
understand this is that there are “not enough boolean models” in order to
detect that such formulas are not valid. A natural question is thus: is there a
way to generalize the notion of boolean model, so that intuitionistic is complete
with respect to this notion of model, i.e. a formula which is valid in any such
model is necessarily intuitionistically provable? We will see in section 2.8 that
such a notion of model exists: Kripke models.

2.5.7 DPLL. As an aside, we would like to present the usual algorithm to

decide the satisfiability of boolean formulas, which is based on the previous
observations. A propositional formula A is satisfiable when there exists a val-
uation ρ making it true, i.e. such that ρ A. An efficient way to test whether
this is the case or not is the DPLL algorithm, due to Davis, Putnam, Logemann
and Loveland [DLL62]. The basic idea here is the one we have already seen
in lemma 2.5.6.4: if the formula A is satisfiable by a valuation ρ then, given a
variable X occurring in A, we have either ρ(X) = ⊥ or ρ(X) = > and we can
test whether A is satisfiable both cases recursively since this makes the number
of variables decrease in the formula (we call this splitting on the variable X):
Lemma 2.5.7.1. Given a variable X, a formula A is satisfiable if and only if the
formula A[⊥/X] or A[>/X] is satisfiable.

Proof. If A is satisfiable, then there is a valuation ρ such that ρ(A) = 1. If

ρ(X) = 0 (resp. ρ(X) = 1) then, by lemma 2.5.6.3, ρ(A[⊥/X]) = ρ(A) = 1
(resp. ρ(A[>/X]) = ρ(A) = 1) and therefore A[⊥/X] (resp. A[>/X]) is sat-
isfiable. Conversely, if A[⊥/X] (resp. A[>/X]) is satisfiable by a valuation ρ
then, writing ρ0 for the valuation such that ρ0 (X) = 0 (resp. ρ0 (X) = 1) and
ρ0 (Y ) = ρ(Y ) for Y 6= X, by lemma 2.5.6.3 we have ρ(A[⊥/X]) = ρ0 (A) = 1
(resp. ρ(A[>/X]) = ρ0 (A) = 1).
CHAPTER 2. PROPOSITIONAL LOGIC 82

In the base case, the formula A has no variable and it thus evaluates to the
same value in any environment, and we can easily compute this value: it is
satisfiable if and only if this value is true. This directly leads to a very simple
implementation of a satisfiability algorithm, see figure 2.7: the function subst
compute the substitution of a formula into another one, the function var finds
a free variable, and finally the function sat tests the satisfiability of a formula.
As is, this algorithm is not very efficient: some subformulas get evaluated
many times during the search. It can however be much improved by using
formulas in canonical clausal form, as described in proposition 2.5.5.1. First,
substitution can be implemented on those as follows:
Lemma 2.5.7.2. Given a canonical clausal formula A and a variable X, a canon-
ical clausal formula for A[>/X] (resp. A[⊥/X]) can be obtained from A by
– removing all clauses containing X (resp. ¬X),

– removing ¬X (resp. X) from all remaining clauses.

The computation can be further improved by carefully choosing the variables
we are going to split on first. A unitary clause in a clausal formula A is a
clause containing exactly one literal L. If L is X (resp. ¬X) then, if we split
on X, the branch A[⊥/X] (resp. A[>/X]) will fail. Therefore,
Lemma 2.5.7.3. Consider a clausal formula A containing a unitary clause which
is a literal X (resp. ¬X). Then the formula A is satisfiable if and only if the
formula A[>/X] (resp. A[⊥/X]) is.
A literal X (resp. ¬X) is pure in a clausal formula A if ¬X (resp. X) does not
occur in any clause of A: the variable X always occurs with the same polarity
in the formula.
Lemma 2.5.7.4. A clausal formula A containing a pure literal X (resp. ¬X) is
satisfiable if and only if the formula A[>/X] (resp. A[⊥/X]) is satisfiable.
Another way to state the above lemma is that the clauses containing the pure
literal can be removed from the formula without changing its satisfiability.
The DPLL algorithm exploits theses optimizations in order to test the sat-
isfiability of formula A:
1. it first tries to see if A is obviously satisfiable (if it is >) or unsatisfiable
(if it contains the clause ⊥),
2. otherwise it tries to find a unitary clause and apply lemma 2.5.7.3,

3. otherwise it tries to find a pure clause and apply lemma 2.5.7.4,

4. otherwise it splits on an arbitrary variable by lemma 2.5.7.1.
For the last step, various heuristics have been proposed for choosing the split-
ting variable such as MOM (a variable with Maximal number of Occurrences
in the clauses
P of Minimum size) or Jeroslow-Wang (a variable with maximum
−|C|
J(X) = C2 where C ranges over clauses containing X and |C| is the
number of literals), and so on.
A concrete implementation is provided in figure 2.8. The function sub im-
plements substitution as described in lemma 2.5.7.2, the function unit finds a
unitary clause (or raises Not_found if there is none), the function pure finds a
CHAPTER 2. PROPOSITIONAL LOGIC 83

(** Formulas. *)
type t =
| Var of int
| And of t * t
| Or of t * t
| Not of t
| True | False

(** Substitute a variable by a formula in a formula. *)

let rec subst x c = function
| Var y -> if x = y then c else Var y
| And (a, b) -> And (subst x c a, subst x c b)
| Or (a, b) -> Or (subst x c a, subst x c b)
| Not a -> Not (subst x c a)
| True -> True | False -> False

(** Find a free variable in a formula. *)

let var a =
let exception Found of int in
let rec aux = function
| Var x -> raise (Found x)
| And (a, b) | Or (a, b) -> aux a; aux b
| Not a -> aux a
| True | False -> ()
in
try aux a; raise Not_found
with Found x -> x

(** Evaluate a closed formula. *)

let rec eval = function
| Var _ -> assert false
| And (a, b) -> eval a && eval b
| Or (a, b) -> eval a || eval b
| Not a -> not (eval a)
| True -> true | False -> false

(** Simple-minded satisfiability. *)

let rec sat a =
try
let x = var a in
sat (subst x True a) || sat (subst x False a)
with Not_found -> eval a

Figure 2.7: Naive implementation of the satisfiability algorithm.

CHAPTER 2. PROPOSITIONAL LOGIC 84

type var = int (** Variable. *)

type literal = bool * var (** Literal. *) (* false means negated *)
type clause = literal list (** Clause. *)
type cnf = clause list (** Clausal formula. *)

(** Substitution a[v/x]. *)

let subst (a:cnf) (v:bool) (x:var) : cnf =
let a = List.filter (fun c -> not (List.mem (v,x) c)) a in
List.map (fun c -> List.filter (fun l -> l <> (not v, x)) c) a

(** Find a unitary clause. *)

let rec unit : cnf -> literal = function
| [n,x]::a -> n,x
| _::a -> unit a
| [] -> raise Not_found

(** Find a pure literal in a clausal formula. *)

let pure (a : cnf) : literal =
let rec clause vars = function
| [] -> vars
| (n,x)::c ->
try
match List.assoc x vars with
| Some n' ->
if n' = n then clause vars c else
let vars = List.filter (fun (y,_) -> y <> x) vars in
clause ((x,None)::vars) c
| None -> clause vars c
with Not_found -> clause ((x,Some n)::vars) c
in
let vars = List.fold_left clause [] a in
let x, n = List.find (function (x,Some s) -> true | _ -> false) vars in
Option.get n, x

(** DPLL procedure. *)

let rec dpll a =
if a = [] then true
else if List.mem [] a then false
else
try let n,x = unit a in dpll (subst a n x)
with Not_found ->
try let n,x = pure a in dpll (subst a n x)
with Not_found ->
let x = snd (List.hd (List.hd a)) in
dpll (subst a false x) || dpll (subst a true x)

Figure 2.8: Implementation of the DPLL algorithm.

CHAPTER 2. PROPOSITIONAL LOGIC 85

pure literal (or raises Not_found) and finally the function dpll implements the
above algorithm. The function pure uses an auxiliary list vars of pairs X,b
where X is a variable and b is either Some true or Some false if the variable X
occurs only positively or negatively, or None if it occurs both positively and
negatively.

2.5.8 Resolution. The resolution procedure is a generalization of previous

DPLL algorithm, which was introduced by Davis and Putnam [DP60]. It is
not the most efficient algorithm, but one of its main interest is that is general-
izes well to first-order, see section 5.4.6. It stems from the following observation.
Lemma 2.5.8.1 (Correctness). Suppose given two clauses of the form C ∨ X
and ¬X ∨ D, respectively containing a variable X and its negation ¬X. Then
the formula C ∨ D is a consequence of them.
Proof. Given a valuation ρ such that ρ(C ∨ X) = ρ(¬X ∨ D) = 1,
– if ρ(X) = 1 then necessarily ρ(D) = 1 and thus ρ(C ∨ D) = 1,
– if ρ(X) = 0 then necessarily ρ(C) = 1 and thus ρ(C ∨ D) = 1.
From a logical point of view, this deduction corresponds to the following reso-
lution rule:
Γ`C ∨X Γ ` ¬X ∨ D
(res)
Γ`C ∨D
In the following, we implicitly consider formulas up to commutativity of dis-
junction, i.e. identify the formulas A ∨ B and B ∨ A, so that the above rule also
applies to clauses containing X and its negation:
Γ ` C1 ∨ X ∨ C2 Γ ` D1 ∨ ¬X ∨ D2
(res)
Γ ` C1 ∨ C2 ∨ D1 ∨ D2
Previous lemma can be reformulated in classical logic as follows:
Lemma 2.5.8.2. The resolution rule is admissible in classical natural deduction.
Proof. We have
Γ ` C0 ∨ X Γ ` ¬X ∨ D0
Γ ` C 0, X Γ ` ¬X, D0
0 0 (wkR ) (wkR )
Γ ` C , X, D Γ ` C 0 , ¬X, D0
(¬E )
Γ ` C 0 , ⊥, D0
(⊥R )
Γ ` C 0 , D0
where the rule
Γ`A∨B
Γ ` A, B
is derivable by
(ax) (ax)
Γ`A∨B Γ, A ` A, B Γ, B ` A, B
(∨E )
Γ ` A, B
(otherwise said, the rule (∨I ) is reversible).
CHAPTER 2. PROPOSITIONAL LOGIC 86

Remark 2.5.8.3. If we recall that, in classical logic, implication can be defined

as A ⇒ B = ¬A ∨ B, the resolution rule simply corresponds to the transitivity
of implication:
Γ ` ¬C ⇒ X Γ`X⇒D
Γ ` ¬C ⇒ D
For simplicity, in the following, a context Γ will be seen as a set of clauses
(as opposed to a list of clauses, see section 2.2.10) and will also be interpreted as
a clausal form (the conjunction of its clauses, see section 2.5.5). We will always
implicitly suppose that it is canonical (see section 2.5.5): a clause cannot contain
twice the same literal or a literal and its negation. Previous lemmas entail that,
if we can prove the sequent Γ ` ⊥ using axiom and resolution rules only then
Γ is not satisfiable: otherwise, ⊥ would also be satisfiable, which it is not by
definition. We are going to show in theorem 2.5.8.7 that this observation admits
a converse.

Resolvent. Given clauses C ∨ X and ¬X ∨ D, the clause C ∨ D does not con-

tain the variable X, which gives us the idea of using resolution to remove the
variable X from a set of formulas, by performing all the possible deductions we
can. Suppose given a set Γ of clauses and X a variable. We write

ΓX = {C | C ∨ X ∈ Γ} Γ¬X = {D | ¬X ∨ D ∈ Γ}

and Γ0 for the set of clauses in Γ which neither contain X nor ¬X. We supposed
that the clauses are in canonical form, so that we have a partition of Γ as

Γ = Γ0 ] {C ∨ X | C ∈ ΓX } ] {¬X ∨ D | D ∈ Γ¬X }

The resolvent Γ \ X of Γ with respect to X is

Γ \ X = Γ0 ∪ {C ∨ D | C ∈ ΓX , D ∈ Γ¬X }

Remark 2.5.8.4. As defined above, the resolvent might contain clauses not in
canonical form, even if C and D are. In order to keep this invariant, we should
remove all clauses of the form C ∨ D such that C contains a literal and D its
negation, which we will implicitly do; in clauses, we should also remove duplicate
literals.
As indicated above, computing the resolvent reduces the number of free variables
of Γ:
Lemma 2.5.8.5. Given a clausal form Γ and a variable X, we have

FV(Γ \ X) = FV(Γ) \ {X}

Its main interest lies in the fact that it preserves satisfiability:

Lemma 2.5.8.6. Given a clausal form Γ and a variable X, Γ is satisfiable if and
only if Γ \ X is satisfiable.
Proof. The left-to-right implication is immediate by correctness (lemma 2.5.8.1).
For the right-to-left implication, suppose that Γ \ X is satisfied under a valua-
tion ρ. We are going to show that Γ is satisfied under either ρ0 or ρ1 , where ρi
is defined, for i = 0 or i = 1, by ρi (X) = i and ρi (Y ) = ρ(Y ) whenever Y 6= X.
We distinguish two cases.
CHAPTER 2. PROPOSITIONAL LOGIC 87

– Suppose that we have ρ(C 0 ) = 1 for every clause C = C 0 ∨ X in ΓX . Then

we can take i = 0. Namely, given a clause C ∈ Γ = Γ0 ] ΓX ] Γ¬X :

– if C ∈ Γ0 then ρ0 (C) = ρ(C) = 1 because C does not contain the

literal X,
– if C ∈ ΓX then C = C 0 ∨ X and ρ0 (C) = 1 because, by hypothesis,
ρ0 (C 0 ) = ρ(C 0 ) = 1,
– if C ∈ Γ¬X then C = C 0 ∨ ¬X and ρ0 (C) = 1 because ρ0 (¬X) = 1
since ρ0 (X) = 0 by definition of ρ0 .
– Otherwise, there exists a clause C = C 0 ∨ X ∈ ΓX such that ρ(C 0 ) = 0.
Then we can take i = 1. Namely, given a clause D ∈ Γ = Γ0 ] ΓX ] Γ¬X :
– if D ∈ Γ0 then ρ1 (D) = ρ(D) = 1 because D does not contain the
literal X,
– if D ∈ ΓX then D = D0 ∨ X and ρ1 (D) = 1 because ρ1 (X) = 1,
– if D ∈ Γ¬X then D = D0 ∨¬X and ρ(C 0 ∨D0 ) = 1 by hypothesis, thus
ρ1 (D0 ) = ρ(D0 ) = 1 because ρ(C 0 ) = 0, thus ρ1 (D) = ρ1 (D0 ∨X) = 1.

Previous lemma implies that resolution is refutation complete in the sense that
is can always be used to show that a set of clauses cannot be satisfied (by
whichever valuation):
Theorem 2.5.8.7 (Refutation completeness). A set Γ of clauses is unsatisfiable
if and only if Γ ` ⊥ can be proved using the axiom and resolution rules only.
Proof. Writing FV(Γ) = {X1 , . . . , Xn } for the free variables of Γ, define the
sequence of sets of clauses Γ06i6n by Γ0 = Γ and Γi+1 = Γi \ Xi :
– the clauses of Γ0 can be deduced from those of Γ using the axiom rule,
– the clauses of Γi+1 can be deduced from those in Γi using the resolution
rule.

Lemma 2.5.8.6 ensures that Γi is satisfiable if and only if Γi+1 is satisfiable, and
thus, by induction, Γ0 is satisfiable if and only if Γn is satisfiable. Moreover, by
lemma 2.5.8.5, we have FV(Γn ) = ∅, thus Γn = ∅ or Γn = {⊥}, and therefore Γn
is unsatisfiable if and only if Γn = {⊥}. Finally, Γ is unsatisfiable if and only if
Γn = {⊥}, i.e. ⊥ can be deduced from Γ using axiom and resolution rules.

Completeness. Resolution is not complete: given a context Γ, there are clauses

that can be deduced which cannot using resolution only. For instance, from
Γ = X, we cannot deduce X ∨ Y using resolution only. However, resolution can
be used in order to decide whether a formula A is a consequence of a context Γ
in the following way:
Lemma 2.5.8.8. A formula A is a consequence of a context Γ if and only if
Γ ∪ {¬A} is unsatisfiable.
Proof. Given a clausal form Γ, we have Γ ⇒ A equivalent to ¬¬(Γ ⇒ A)
equivalent to ¬(Γ ∧ ¬A), i.e. Γ ∪ {¬A} not satisfiable.
CHAPTER 2. PROPOSITIONAL LOGIC 88

This lemma is the usual way we use resolution.

Example 2.5.8.9. We can show that given

X⇒Y Y ⇒Z X

we can deduce Z. Putting those in normal form and using previous lemma, this
amounts to show that Γ consisting of

¬X ∨ Y ¬Y ∨ Z X ¬Z

is not satisfiable. Indeed, we have

(ax) (ax)
Γ ` ¬X ∨ Y Γ`Y ∨Z
(res) (ax)
Γ ` ¬X ∨ Z Γ`X
(res) (ax)
Γ`Z Γ ` ¬Z
(res)
Γ`⊥

Implementation. We implement clausal forms using lists as in section 2.5.7. Us-

ing this representation, the resolvent of a clausal form Γ (noted g) with respect
to a variable X (noted x) can be computed using the following function:
let resolve x g =
let gx = List.filter (List.mem (true ,x)) g in
let gx = List.map (List.remove (true ,x)) gx in
let gx' = List.filter (List.mem (false,x)) g in
let gx' = List.map (List.remove (false,x)) gx' in
let g' = List.filter (List.for_all (fun (_,y) -> y <> x)) g in
let disjunction c d =
let union c d =
List.fold_left
(fun d l -> if List.mem l d then d else l::d)
d c
in
if c = [] && d = [] then raise False
else
if List.exists (fun (n,x) -> List.mem (not n,x) d) c then None
else Some (union c d)
in
g'@(List.filter_map_pairs disjunction gx gx')
Here, g’ is Γ0 and gx is ΓX and gx’ is Γ¬X and we return the resolvent computed
following the definition

Γ \ X = Γ0 ∪ {C ∨ D | C ∈ ΓX , D ∈ Γ¬X }

The function List.filter_map_pairs which is of type

('a -> 'b -> 'c option) -> 'a list -> 'b list -> 'c list
takes a function and two lists as arguments, maps the functions to every pair
of elements of one list and the other, and returns the list of images which are
CHAPTER 2. PROPOSITIONAL LOGIC 89

not None. It is used to compute the clauses C ∨ D in the definition of Γ \ X.

The disjunction is computed by disjunction with some subtleties. Firstly, as
noted in remark 2.5.8.4, we should be careful in order to produce formulas in
canonical form:
– a disjunction C ∨ D containing both a literal and its negation should not
be added,
– in a disjunction C ∨ D, if a literal occurs twice (once in C and once D),
we should only keep one instance.
Secondly, since we want to detect as early as possible when ⊥ can be deduced, we
raise an exception False when we find one. We can then see whether a clausal
form is inconsistent by iteratively eliminating free variables using resolution.
We use the auxiliary function free_var in order to find a free variable (it raises
Not_found if there is none), its implementation being left to the reader. By
theorem 2.5.8.7, if it is inconsistent then ⊥ will be produced during the process
(which is detected by the exception False) otherwise the free variables will be
exhausted (which is detected by the exception Not_found). This can thus be
computed with the following function:
let rec inconsistent g =
try inconsistent (resolve (free_var g) g)
with
| False -> true
| Not_found -> false
We can then decide whether a clause is a consequence of set of other by applying
lemma 2.5.8.8:
let prove g c =
inconsistent ((neg c)::g)
As an application, we can compute example 2.5.8.9 with

let () =
let g = [
[false,0;true,1];
[false,1;true,2];
[true,0]
] in
let c = [true,2] in
assert (prove g c)

2.5.9 Double-negation translation. We have seen in section 2.3.5 that some

formulas are not provable in intuitionistic logic, whereas those are valid in clas-
sical logic, a typical example being excluded middle ¬A ∨ A. But can we really
prove less in intuitionistic logic than in classical logic? A starting observation
is that, even though ¬A ∨ A is not provable, its double negation ¬¬(¬A ∨ A)
CHAPTER 2. PROPOSITIONAL LOGIC 90

becomes provable:

(ax)
¬(¬A ∨ A), A ` A
(ax) (∨rI )
¬(¬A ∨ A), A ` ¬(¬A ∨ A) ¬(¬A ∨ A), A ` ¬A ∨ A
(¬E )
¬(¬A ∨ A), A ` ⊥
(¬I )
¬(¬A ∨ A) ` ¬A
(ax) (∨lI )
¬(¬A ∨ A) ` ¬(¬A ∨ A) ¬(¬A ∨ A) ` ¬A ∨ A
(¬E )
¬(¬A ∨ A) ` ⊥
(¬I )
` ¬¬(¬A ∨ A)

One of the main ingredients behind this proof is that having ¬(¬A ∨ A) as
hypothesis in a context Γ allows to discard then current proof goal B and go
back to proving ¬A ∨ A:
..
.
(ax)
Γ ` ¬(¬A ∨ A) Γ ` ¬A ∨ A
(¬E )
Γ`⊥
(⊥E )
Γ`B

What do we get more than directly proving ¬A ∨ A? The fact that, during the
proof, we can reset our proof goal to ¬A ∨ A! We thus start by proving ¬A ∨ A
by proving ¬A, which requires proving ⊥ from A. At this point, we change our
mind and start again the proof of ¬A ∨ A, but this time we prove A, which we
can because we gained this information from the previously “aborted” proof.
A more detailed explanation of this kind of behavior was already developed
in section 2.5.2. This actually generalizes to any formula, by a result due to
Glivenko [Gli29]. Given a context Γ, we write ¬¬Γ for the context obtained
from Γ by double-negating every formula.
Theorem 2.5.9.1 (Glivenko’s theorem). Given a context Γ and propositional
formula A, the sequent Γ ` A is provable in classical logic if and only if the
sequent ¬¬Γ ` ¬¬A is provable in intuitionistic logic.
This result allows to relate the consistency of classical and intuitionistic logic
in the following way.
Theorem 2.5.9.2. Intuitionistic logic is consistent if and only if classical logic is
also consistent.
Proof. Suppose that intuitionistic logic is inconsistent: there is an intuitionistic
proof of ⊥. This proof is also a valid classical proof and thus classical logic is
inconsistent. Conversely, suppose that classical logic is inconsistent. There is
a classical proof of ⊥ and thus, by theorem 2.5.9.1, an intuitionistic proof π of
¬¬⊥. However, the implication ¬¬⊥ ⇒ ⊥ holds intuitionistically:
(ax)
¬¬⊥, ⊥ ` ⊥
(ax) (¬I )
¬¬⊥ ` ¬¬⊥ ¬¬⊥ ` ¬⊥
(¬E )
¬¬⊥ ` ⊥
(⇒I )
` ¬¬⊥ ⇒ ⊥
CHAPTER 2. PROPOSITIONAL LOGIC 91

We thus have an intuitionistic proof of ⊥:

..
. π
` ¬¬⊥ ⇒ ⊥ ` ¬¬⊥
(⇒E )
`⊥

and intuitionistic logic is inconsistent.

Remark 2.5.9.3. The theorem 2.5.9.1 does not generalize as is to first-order

logic, but some other translations of classical formulas into intuitionistic logic
do. The most brutal one is due to Kolmogorov and consists in adding ¬¬
in front of every subformula. Interestingly, it corresponds to the call-by-name
continuation-passing style translation of functional programming languages. A
more economic translation is due to Gödel, transforming a formula A into the
formula A∗ defined by induction by

X∗ = X
(A ∧ B)∗ = A∗ ∧ B ∗ (A ∨ B)∗ = ¬(¬A∗ ∧ ¬B ∗ )
>∗ = > ⊥∗ = ⊥
(A ⇒ B)∗ = A∗ ⇒ B ∗ (¬A)∗ = ¬A∗

Finally, it could be wondered if, by adding four negations to a formula we

could gain even more proof power, but this is not the case: the process stabilizes
after the first iteration.
Lemma 2.5.9.4. For every natural number n > 0, we have ¬n+2 A ⇔ ¬n A.
Proof. The implication A ⇒ ¬¬A is intuitionistically provable, as already shown
in example 2.2.5.3, as well as the implication ¬¬¬A ⇒ ¬A:
(ax) (ax)
¬¬¬A, A, ¬A ` ¬A ¬¬¬A, A, ¬A ` A
(¬E )
¬¬¬A, A, ¬A ` ⊥
(ax) (¬I )
¬¬¬A, A ` ¬¬¬A ¬¬¬A, A ` ¬¬A
(¬E )
¬¬¬A, A ` ⊥
(¬I )
¬¬¬A ` ¬A
(⇒I )
` ¬¬¬A ⇒ ¬A

We conclude by induction on n.
In particular, ¬¬¬¬A ⇔ ¬¬A, so that we gain nothing by performing twice the
double-negation translation.

2.5.10 Intermediate logics. Once again classical logic is obtained by adding

the excluded middle ¬A∨A (or any of the equivalent axioms, see theorem 2.5.1.1)
to intuitionistic logic so that new formulas are provable. A natural question is:
are there intermediate logics between intuitionistic and classical? This means:
can we add axioms to intuitionistic logic so that we get strictly more than intu-
itionistic logic, but strictly less than classical logic? In more details: are there
families of formulas, which are classically provable but not intuitionistically,
CHAPTER 2. PROPOSITIONAL LOGIC 92

such that, by adding those as axioms to intuitionistic logic we obtain a logic in

which some classical formulas are not provable?
The answer is yes. A typical such family of axioms is the weak excluded
middle:
¬¬A ∨ ¬A
Namely, the formula ¬¬X∨¬X is not provable intuitionistic logic (see lemma 2.3.5.3),
so that assuming the weak excluded middle (for every formula A) allows proving
new formulas. However, the formula ¬X ∨ X does not follow from the weak
excluded middle (example 2.8.1.4). There are many other possible families of
axioms giving rise to intermediate logics such as

– linearity (or Gödel-Dummett) axiom [God32, Dum59]:

(A ⇒ B) ∨ (B ⇒ A)

– Kreisel-Putnam axiom [KP57]:

(¬A ⇒ (B ∨ C)) ⇒ ((¬A ⇒ B) ∨ (¬A ⇒ C))

– Scott’s axiom [KP57]:

((¬¬A ⇒ A) ⇒ (A ∨ ¬A)) ⇒ (¬¬A ∨ ¬A)

– Smetanich’s axiom [WZ07]:

(¬B ⇒ A) ⇒ (((A ⇒ B) ⇒ A) ⇒ A)

– and many more [DMJ16].

Exercise 2.5.10.1. Show that the above linearity principle

(A ⇒ B) ∨ (B ⇒ A)

is equivalent to the following global choice principle for disjunctions

(A ⇒ B ∨ C) ⇒ (A ⇒ B) ∨ (A ⇒ C)

2.6 Sequent calculus

Natural deduction is “natural” in order to make a precise correspondence be-
tween logic and computation, see chapter 4. However, it has some flaws. On an
aesthetical point of view, the rules for ∧ and ∨ are not entirely dual, contrarily
to what one would expect: if they were the same, we could think of reducing
the work during proofs or implementations by handling them in the same way.
More annoyingly, proof search is quite difficult. Namely, suppose that we are
trying to prove
A∨B `B∨A
CHAPTER 2. PROPOSITIONAL LOGIC 93

The proof cannot begin with an introduction rule because we have no hope of
filling the dots:
.. ..
. .
A∨B `B A∨B `A
(∨l ) (∨r )
A∨B `B∨A I A∨B `B∨A I

This means that we have to use another rule such as (∨E )

Γ`A∨B Γ, A ` C Γ, B ` C
(∨E )
Γ`C

which requires us to come up with a formula A∨B which is not directly indicated
in the conclusion Γ ` C and it is not clear how to automatically generate such
formulas. Starting in this way, the proof can be ended as in example 2.2.5.2.
In order to overcome this problem, Gentzen has invented sequent calculus
which is another presentation of logic. In natural deduction, all rules operate on
the formula on the right of ` and there are introduction and elimination rules.
In sequent calculus, there are only introduction rules but those can operate
either on formulas on the left or on the right of `. This results in a highly
symmetrical calculus.

2.6.1 Sequents. In sequent calculus, sequents are of the form

Γ`∆

where Γ and ∆ are contexts: the intuition is that we have the conjunction
of formulas in Γ as hypothesis, from which we can deduce the disjunction of
formulas in ∆.

2.6.2 Rules. In all the systems we consider, unless otherwise stated, we always
suppose that we can permute, duplicate and erase formulas in context, i.e. that
the structural rules of figure 2.9 are always present. The additional rules for
sequent calculus are shown in figure 2.10 and the resulting system is called LK.
In sequent calculus, as opposed to natural deduction, the symmetry between
disjunction and conjunction has been restored: excepting for axiom and cut, all
rules come in a left and right flavor. Although the presentation is quite different,
the provability power of this system is the same as the one for classical natural
deduction presented in section 2.5:
Theorem 2.6.2.1. A sequent Γ ` ∆ is provable in NK (figure 2.5) if and only if
it is provable in LK (figure 2.10).
Proof. The idea is that, by induction, we can translate a proof in NK into a
proof in LK, by induction, and back. The introduction rules in NK correspond
to right rules in LK, the axiom rules match in both systems, the cut rule is
admissible in NK (the proof is similar to the one in proposition 2.3.2.1 for NJ),
as well as various structural rules (shown as in section 2.2.7), so that we only
have to show the that eliminations rules of NK are admissible in LK and the
left rules of LK are admissible in NK. We only handle the case of conjunction
here:
CHAPTER 2. PROPOSITIONAL LOGIC 94

Γ, B, A, Γ0 ` ∆ Γ ` ∆, B, A, ∆0
(xchL ) (xchR )
Γ, A, B, Γ0 ` ∆ Γ ` ∆, A, B, ∆

Γ, A, A, Γ0 ` ∆ Γ ` ∆, A, A, ∆0
(contrL ) (contrR )
Γ, A, Γ0 ` ∆ Γ ` ∆, A, ∆0

Γ, Γ0 ` ∆ Γ ` ∆, ∆0
(wkL ) (wkR )
Γ, A, Γ0 ` ∆ Γ ` ∆, A, ∆0

Γ, >, Γ0 ` ∆ Γ ` ∆, ⊥, ∆0
(>L ) (⊥R )
Γ, Γ0 ` ∆ Γ ` ∆, ∆0

Figure 2.9: Structural rules for sequent calculus

Γ ` A, ∆ Γ, A ` ∆
(ax) (cut)
Γ, A ` A, ∆ Γ`∆

Γ, A, B ` ∆ Γ ` A, ∆ Γ ` B, ∆
(∧L ) (∧R )
Γ, A ∧ B ` ∆ Γ ` A ∧ B, ∆

(>R )
Γ ` >, ∆

Γ, A ` ∆ Γ, B ` ∆ Γ ` A, B, ∆
(∨L ) (∨R )
Γ, A ∨ B ` ∆ Γ ` A ∨ B, ∆

(⊥L )
Γ, ⊥ ` ∆

Γ ` A, ∆ Γ, B ` ∆ Γ, A ` B, ∆
(⇒L ) (⇒R )
Γ, A ⇒ B ` ∆ Γ ` A ⇒ B, ∆

Γ ` A, ∆ Γ, A ` ∆
(¬L ) (¬R )
Γ, ¬A ` ∆ Γ ` ¬A, ∆

Figure 2.10: LK: rules of classical sequent calculus.

CHAPTER 2. PROPOSITIONAL LOGIC 95

– the rule (∧lE ) is admissible in LK:

..
.
(ax)
Γ ` A ∧ B, ∆ Γ, A, B ` A, ∆
(wkR ) (∧L )
Γ ` A ∧ B, A, ∆ Γ, A ∧ B ` A, ∆
(cut)
Γ ` A, ∆

and admissibility of (∧rE ) is similar,

– the rule (∧L ) is admissible in NK:
..
.
(ax)
Γ, A ∧ B, A ` A ∧ B, ∆ Γ, A, B `∆
(ax) (∧rE ) (wkR )
Γ, A ∧ B ` A ∧ B, ∆ Γ, A ∧ B, A ` B, ∆ Γ, A ∧ B, A, B ` ∆
(∧lE ) (cut)
Γ, A ∧ B ` A, ∆ Γ, A ∧ B, A ` ∆
(cut)
Γ, A ∧ B ` ∆

Other cases are similar.

Remark 2.6.2.2. As noted in [Gir89, chapter 5], the correspondence between
proofs in NK and LK is not bijective. For instance, the two proofs in LK
(ax) (ax) (ax) (ax)
A, B ` A A, B ` B A, B ` A A, B ` B
(∧R ) (∧R )
A, B ` A ∧ B A, B ` A ∧ B
(wkR ) (wkR )
A, B, B 0 ` A ∧ B A, B, B 0 ` A ∧ B
(wkR ) (wkR )
A, A0 , B, B 0 ` A ∧ B A, A0 , B, B 0 ` A ∧ B
0 0 (∧L ) 0 0 (∧L )
A, A , B ∧ B ` A ∧ B A ∧ A , B, B ` A ∧ B
0 0 (∧L ) 0 0 (∧L )
A ∧ A ,B ∧ B ` A ∧ B A ∧ A ,B ∧ B ` A ∧ B

get mapped to the same proof in NK.

Mutiplicative presentation. An alternative presentation (called multiplicative pre-

sentation) of the rules is given in figure 2.11: instead of supposing that we have
the same context, we can “merge” the contexts of the premises in the conclusion.

Single-sided presentation. By de Morgan laws, in classical logic, we can suppose

that only the variables are negated, and negated at most once, see section 2.5.5.
For instance, ¬(X ∨ ¬Y ) is equivalent to ¬X ∧ Y which satisfies this property.
Given a formula A of this form, we write A∗ for a formula of this form equivalent
to ¬A: it can be defined by induction by

X ∗ = ¬X (¬X)∗ = X
(A ∧ B)∗ = A∗ ∨ B ∗ (A ∨ B)∗ = A∗ ∧ B ∗
∗
> =⊥ ⊥∗ = >

We omit implication here, since it can be defined as A ⇒ B = A∗ ∨ B. Now, it

can be observed that proving a sequent of the form Γ, A ` ∆ is essentially the
same as proving the sequent Γ ` A∗ , ∆, excepting than all the rules get replaced
by their opposite:
CHAPTER 2. PROPOSITIONAL LOGIC 96

Γ ` A, ∆ Γ 0 , A ` ∆0
(ax) (cut)
A`A Γ, Γ ` ∆, ∆0
0

Γ, A, B ` ∆ Γ ` A, ∆ Γ0 ` B, ∆0
(∧L ) (∧R )
Γ, A ∧ B ` ∆ Γ, Γ0 ` A ∧ B, ∆, ∆0

(>R )
Γ ` >, ∆

Γ, A ` ∆ Γ 0 , B ` ∆0 Γ ` A, B, ∆
(∨L ) (∨R )
Γ, Γ0 , A ∨ B ` ∆, ∆0 Γ ` A ∨ B, ∆

(⊥L )
Γ, ⊥ ` ∆

Γ ` A, ∆ Γ0 , B ` ∆0 Γ, A ` B, ∆
(⇒L ) (⇒R )
Γ, Γ0 , A ⇒ B ` ∆, ∆0 Γ ` A ⇒ B, ∆

Γ ` A, ∆ Γ, A ` ∆
(¬L ) (¬R )
Γ, ¬A ` ∆ Γ ` ¬A, ∆

Figure 2.11: LK: rules of classical sequent calculus (multiplicative presentation).

Lemma 2.6.2.3. A sequent Γ, A ` ∆ is provable in LK if and only if Γ ` A∗ , ∆

is.
For instance the proof on the left below corresponds to the proof on the right:
(ax) (ax)
X ` X, ⊥ X ` X, ⊥
(¬L ) (¬R )
X, ¬X ` ⊥ ` ¬X, X, ⊥
(∧L ) (∨R )
X ∧ ¬X ` ⊥ ` ¬X ∨ X, ⊥

Because of this, we can restrict to proving sequents of the form ` ∆, which are
called single-sided. All the rules preserve single-sidedness excepting the axiom
rule, which is easily modified in order to satisfy this property. With some extra
care, we can even come up with a presentation which does not require any
structural rule (those are admissible): the resulting presentation of the calculus
is given in figure 2.12. If we do not want to consider only formulas where only
variables can be negated, then the de Morgan laws can be added as the following
explicit rules:

` ¬A ∨ ¬B, ∆ ` ¬A ∧ ¬B, ∆ ` ⊥, ∆ ` >, ∆ ` A, ∆

` ¬(A ∧ B), ∆ ` ¬(A ∨ B), ∆ ` ¬>, ∆ ` ¬⊥, ∆ ` ¬¬A, ∆

2.6.3 Intuitionistic rules. In order to obtain a sequent calculus adapted to

intuitionistic logic, one should restrict the two-sided proof system to sequents of
the form Γ ` A, i.e. those where the context on the right of ` contains exactly
one formula. We also have to take variants of rules such as (∨R ), which would
CHAPTER 2. PROPOSITIONAL LOGIC 97

(ax) (ax)
` ∆, A∗ , ∆0 , A, ∆00 ` ∆, A, ∆0 , A∗ , ∆00

` ∆, A, ∆0 ` ∆, A∗ , ∆0
(cut)
` ∆, ∆0

` ∆, A, ∆0 ` ∆, B, ∆0 ` ∆, A, B, ∆0
(∧) (∨)
` ∆, A ∧ B, ∆0 ` ∆, A ∨ B, ∆0

` ∆, ∆0
(>) (⊥)
` ∆, >, ∆0 ` ∆, ⊥, ∆0

Figure 2.12: LK: single-sided presentation.

otherwise not maintain the invariant of having one formula on the right. With
little more care, one can write rules which do not require adding structural rules
(they are admissible): the resulting calculus is presented in figure 2.13. Remark
that, in order for contraction to be admissible, one has to keep A ⇒ B in the
context of the left premise. Similarly to theorem 2.6.2.1, one shows:
Theorem 2.6.3.1. A sequent Γ ` A is provable in NJ if and only if it is provable
in LJ.

2.6.4 Cut elimination. By a similar argument as in section 2.3.3, it can be

shown:
Theorem 2.6.4.1. A sequent Γ ` ∆ (resp. Γ ` A) is provable in LK (resp. LJ) if
and only if it admits a proof without using the (cut) rule.

2.6.5 Proof search. From a proof-search point of view, sequent calculus is

much more well-behaved since, excepting from the cut rule, we do not have to
come up with new formulas when searching for proofs:
Proposition 2.6.5.1. LK has the subformula property: apart from the (cut) rule,
all the formulas occurring in the premise of a rule are subformulas of the formulas
occurring in the conclusion.
Since, by theorem 2.6.4.1, we can look for proofs without cuts, this means that
we never have to come up with a new formula during proof search! Moreover,
there is no harm in applying a rule whenever it applies thanks to the following
property:
Proposition 2.6.5.2. In LK, all the rules are reversible.

Implementation. We now implement proof search, which is most simple to do

using the single-sided presentation, see figure 2.12. We describe formulas as
type t =
| Var of bool * string (* false means negated variable *)
| Imp of t * t
| And of t * t
CHAPTER 2. PROPOSITIONAL LOGIC 98

Γ`A Γ, A ` B
0 (ax) (cut)
Γ, A, Γ ` A Γ`B

Γ, A, B, Γ0 ` C Γ`A Γ`B
(∧L ) (∧R )
Γ, A ∧ B, Γ0 ` C Γ`A∧B

(>R )
Γ`>

Γ, A, Γ0 ` C Γ, B, Γ0 ` C Γ`A Γ`B
(∨L ) (∨lL ) (∨rL )
Γ, A ∨ B, Γ0 ` C Γ`A∨B Γ`A∨B

(⊥L )
Γ, ⊥, Γ0 ` A

Γ, A ⇒ B, Γ0 ` A Γ, B, Γ0 ` C Γ, A ` B
0 (⇒L ) (⇒R )
Γ, A ⇒ B, Γ ` C Γ`A⇒B

Γ, ¬A, Γ0 ` A Γ, A ` ⊥
(¬L ) (¬R )
Γ, ¬A, Γ0 ` ⊥ Γ ` ¬A

Figure 2.13: Rules of intuitionistic sequent calculus (LJ).

| Or of t * t
| True | False
Using this representation, the negation of a formula can be computed with the
function
let rec neg = function
| Var (n, x) -> Var (not n, x)
| Imp (a, b) -> And (a, neg b)
| And (a, b) -> Or (neg a, neg b)
| Or (a, b) -> And (neg a, neg b)
| True -> False
| False -> True

Finally, the following function implements proof search in LK:

let rec prove venv = function
| [] -> false
| a::env ->
match a with
| Var (n, x) ->
List.mem (Var (not n, x)) venv ||
prove ((Var (n, x))::venv) env
| Imp (a, b) -> prove venv ((neg a)::b::env)
| And (a, b) -> prove venv (a::env) && prove venv (b::env)
| Or (a, b) -> prove venv (a::b::env)
CHAPTER 2. PROPOSITIONAL LOGIC 99

| True -> true

| False -> prove venv env
Since we are considering single sided sequents here, those can be encoded as
lists of terms. The above function takes as argument a sequent Γ0 = venv and
the sequent Γ to be proved. It picks a formula A in Γ and applies the rules of
figure 2.12 on it, until A is split into a list of literals: once this is the case, those
literals are put into the sequent Γ0 (of already handled formulas). Initially, the
context Γ0 is empty, and we usually want to prove one formula A, so that we
can define
let prove a = prove [] [a]

Proof search in intuitionistic logic. Proof search can be performed in LJ, but
the situation is more subtle. First remark that, similarly to the situation in LK
(proposition 2.6.5.1), we have
Proposition 2.6.5.3. LJ has the subformula property.
As an immediate consequence, we deduce
Theorem 2.6.5.4. We can decide whether a sequent Γ ` A is provable in LJ or
not.
Proof. There is only a finite number of subformulas of Γ ` A. We can restrict
to sequents where a formula occurs at most 3 times in the context [Gir11,
section 4.2.2] and therefore there is a finite number of possible sequents formed
with those subformulas. By testing all the possible rules, we can determine
which of those are provable, and thus determine whether the initial sequent is
provable.
Previous theorem is constructive, but the resulting algorithm is quite inefficient.
The problem of finding proofs is more delicate than for LK because not all
the rules are reversible: (∨lL ), (∨rL ) and (⇒L ) are not reversible. The rules (∨lL ),
(∨rL ) are easy to handle when performing proof search: when trying to prove a
formula A ∨ B, we either try to prove A or to prove B. The rule (⇒L )

Γ, A ⇒ B, Γ0 ` A Γ, B, Γ0 ` C
(⇒L )
Γ, A ⇒ B, Γ0 ` C

is more difficult to handle. If we apply it naively, it can loop for the same
reasons as in section 2.4.2:
.. ..
. .
(⇒L ) ..
Γ, A ⇒ B ` A Γ, B ` B .
(⇒L )
Γ, A ⇒ B ` A Γ, B ` B
(⇒L )
Γ, A ⇒ B ` A

Although we can detect loops by looking at whether we encounter the same

sequent twice during the proof search, this is quite impractical. Also, since the
rule (⇒L ) is not reversible, the order in which we apply it during proof search
is relevant, and we would like to minimize the number of times we have to
backtrack.
CHAPTER 2. PROPOSITIONAL LOGIC 100

Γ, A, Γ0 ` B X ∈ Γ, Γ0
(⇒X )
Γ, X ⇒ A, Γ0 ` B

Γ, B ⇒ C, Γ0 ` A ⇒ B Γ, C ` D
0 (⇒⇒ )
Γ, (A ⇒ B) ⇒ C, Γ ` D

Γ, A ⇒ (B ⇒ C), Γ0 ` D Γ, A ⇒ C, B ⇒ C, Γ0 ` D
(⇒∧ ) (⇒∨ )
Γ, (A ∧ B) ⇒ C, Γ0 ` D Γ, (A ∨ B) ⇒ C, Γ0 ` D

Γ, A, Γ0 ` B Γ, Γ0 ` B
(⇒> ) (⇒⊥ )
Γ, > ⇒ A, Γ0 ` B Γ, ⊥ ⇒ A, Γ0 ` B

Figure 2.14: Left implication rules in LJT.

The logic LJT was introduced by Dyckoff in order to overcome this prob-
lem [Dyc92]. It is obtained from LJ by replacing the (⇒L ) rule with the six
rules of figure 2.14, which allow proving sequents of the form Γ, A ⇒ B, Γ0 ` C,
depending on the form of A.
Proposition 2.6.5.5. A sequent is provable in LJ if and only if it is provable
in LJT.
The main interest of this variant is that proof search is always terminating (thus
the T in LJT). Moreover, the rules (⇒∧ ), (⇒∨ ), (⇒> ) and (⇒⊥ ) are reversible
and can thus always be applied during proof search. Many variants of this idea
have been explored, such as the SLJ calculus [GLW99].
A proof search procedure based on this sequent calculus can be implemented
as follows. We describe terms as usual as

type t =
| Var of string
| Imp of t * t
| And of t * t
| Or of t * t
| True | False
The procedure which determines whether a formula is provable is then shown
in figure 2.15. This procedure takes as argument two contexts Γ0 and Γ (respec-
tively called env’ and env) and a formula A. Initially, the context Γ0 is empty
and will be used to store the formulas of Γ which have already “processed”. The
procedure first applies all the reversible right rules, then all the reversible left
rules; a formula of Γ which does not give rise to a reversible left rule is put
in Γ0 . Once this is done, the procedure tries to apply the axiom rule, handles
disjunctions by trying to apply either (∨lL ) or (∨rL ), and finally successfully tries
all the possible applications of the non-reversible rules (⇒X ) and (⇒⇒ ). Here,
the function context_formulas returns, given a context Γ the list of all the pairs
consisting of a formula A and a context Γ0 , Γ00 such that Γ = Γ0 , A, Γ00 , i.e. the
context Γ where some formula A has been removed.
CHAPTER 2. PROPOSITIONAL LOGIC 101

let rec prove env' env a =

match a with
| True -> true
| And (a, b) -> prove env' env a && prove env' env b
| Imp (a, b) -> prove env' (a::env) b
| _ -> match env with
| b::env -> (match b with
| And (b, c) -> prove env' (b::c::env) a
| Or (b, c) -> prove env' (b::env) a && prove env' (c::env) a
| True -> prove env' env a
| False -> true
| Imp (And (b, c), d) ->
prove env' ((Imp (b, Imp (c,d)))::env) a
| Imp (Or (b, c), d) ->
prove env' ((Imp (b,d))::(Imp (c,d))::env) a
| Imp (True , b) ->
prove env' (b::env) a
| Imp (False, b) ->
prove env' env a
| Var _ | Imp (Var _, _) | Imp (Imp (_,_),_) ->
prove (b::env') env a
)
| [] ->
match a with
| Var _ when List.mem a env' -> true
| Or (a, b) -> prove env' env a || prove env' env b
| a ->
List.exists
(fun (b, env') ->
match b with
| Imp (Var x, b) when List.mem (Var x) env' ->
prove env' [b] a
| Imp (Imp (b, c), d) ->
prove env' [Imp (c, d)] (Imp (b, c)) && prove env' [d] a
| _ -> false
) (context_formulas env')

let prove a = prove [] [] a

Figure 2.15: Proof search in LJT

CHAPTER 2. PROPOSITIONAL LOGIC 102

2.7 Hilbert calculus

The Hilbert calculus is another formalism, due to Hilbert [Hil22], which makes
opposite “design choices” than previous formalisms (natural deduction and se-
quent calculus): it has lots of axioms and very few logical rules.

2.7.1 Proofs. In this formalism, sequents are of the form Γ ` A, with Γ a

context and A a formula, and are deduced according to the two following rules
only:

Γ`A⇒B Γ`A
(ax) (⇒E )
Γ, A, Γ0 ` A Γ`B

respectively called axiom and modus ponens. Of course, there is very little that
we can deduce with these two rules only. The other necessary logical principles
are added in the form of axiom schemes, which can be assumed at any time
during the proofs. In the case of the implicational fragment (implication is the
only connective from which are built the formulas), those are
(K) A ⇒ B ⇒ A,

(S) (A ⇒ B ⇒ C) ⇒ (A ⇒ B) ⇒ A ⇒ C.
By “axiom schemes”, we mean that the above formulas can be assumed, for
whichever given formulas A, B and C. In other words, this amounts to adding
the rules
(K) (S)
Γ`A⇒B⇒A Γ ` (A ⇒ B ⇒ C) ⇒ (A ⇒ B) ⇒ A ⇒ C

A sequent is provable when it is the conclusion of a proof built from the above
rules, and a formula A is provable when the sequent ` A is provable.
Example 2.7.1.1. For any formula A, the formula A ⇒ A is provable:
(S) (K)
` (A ⇒ (B ⇒ A) ⇒ A) ⇒ (A ⇒ B ⇒ A) ⇒ A ⇒ A ` A ⇒ (B ⇒ A) ⇒ A
(⇒E ) (K)
` (A ⇒ B ⇒ A) ⇒ A ⇒ A `A⇒B⇒A
(⇒E )
`A⇒A

Note the complexity compared to NJ or LJ.

None of the rules modify the context Γ, so that people generally omit writing
it. Also, traditionally, instead of using proof trees, a proof of A in the context Γ
is rather formalized as a finite sequence of formulas A1 , . . . , An , with An = A
such that either
– Ai belongs to Γ, or

– Ai is an instance of an axiom, or
– there are indices j, k < i such that Ak = Aj ⇒ Ai , i.e. Ai can be deduced
by
Γ ` Aj ⇒ Ai Γ ` Aj
(⇒E )
Γ ` Ai
CHAPTER 2. PROPOSITIONAL LOGIC 103

This corresponds to describing the proof tree by some traversal of it.

Example 2.7.1.2. The proof example 2.7.1.1 is generally noted as follows:

1. (A ⇒ (B ⇒ A) ⇒ A) ⇒ (A ⇒ B ⇒ A) ⇒ A ⇒ A by (S)
2. A ⇒ (B ⇒ A) ⇒ A by (K)
3. (A ⇒ B ⇒ A) ⇒ A ⇒ A by modus ponens on 1. and 2.
4. A ⇒ B ⇒ A by (K)

5. A ⇒ A by modus ponens on 3. and 4.

2.7.2 Other connectives. In the case where other connectives than implica-
tion are considered, appropriate axioms should be added:

conjunction: A∧B ⇒A A⇒B ⇒A∧B

A∧B ⇒B

truth: A⇒>

disjunction: A ∨ B ⇒ (A ⇒ C) ⇒ (B ⇒ C) ⇒ C A⇒A∨B
B ⇒A∨B

falsity: ⊥⇒A

negation: ¬A ⇒ A ⇒ ⊥ A ⇒ ⊥ ⇒ ¬A

It can be observed that the axioms are somehow in correspondence with elim-
ination and introduction rules in natural deduction (respectively left and right
column above). The classical variants of the system can be obtained by further
adding one of the axioms of theorem 2.5.1.1.

2.7.3 Relationship with natural deduction. In order to show that proofs

in Hilbert calculus corresponds to proofs in natural deduction, we first need to
study some of its properties. The usual structural rules are admissible in this
system:
Proposition 2.7.3.1. The rules of exchange, contraction, truth strengthening and
weakening are admissible in Hilbert calculus:

Γ, A, B, Γ0 ` C Γ, A, A ` C Γ, > ` A Γ`C
Γ, B, A, Γ0 ` C Γ, A ` C Γ`A Γ, A ` C

Proof. By induction on the proof of the premise.

The introduction rule for implication is also admissible. This is sometimes called
the deduction theorem and is due to Herbrand.
CHAPTER 2. PROPOSITIONAL LOGIC 104

Proposition 2.7.3.2. The introduction rule for implication is admissible:

Γ, A, Γ0 ` B
(⇒I )
Γ, Γ0 ` A ⇒ B

Proof. By induction on the proof of Γ, A, Γ0 ` B.

– If it is of the form
(ax)
Γ, A, Γ0 ` A
then we can show ` A ⇒ A by example 2.7.1.1 and thus Γ, Γ0 ` A ⇒ A
by weakening.
– If it is of the form
(ax)
Γ, A, Γ0 ` B
with B different from A which belongs to Γ or Γ0 , then we can show
B ` A ⇒ B by
(K) (ax)
B`B⇒A⇒B B`B
(⇒E )
B`A⇒B

and thus Γ, Γ0 ` A ⇒ B by weakening.

– If it is of the form
Γ, A, Γ0 ` C Γ, A, Γ0 ` C ⇒ B
(⇒E )
Γ, A, Γ0 ` B

then, by induction hypothesis, we have proofs of Γ, Γ0 ` A ⇒ C and of

Γ, Γ0 ` A ⇒ C ⇒ B and the derivation
..
.
0
Γ, Γ ` (A ⇒ C ⇒ B) ⇒ (A ⇒ C) ⇒ A ⇒ B
(S) 0
Γ, Γ ` A ⇒ C ⇒ B ...
(⇒E )
Γ, Γ0 ` (A ⇒ C) ⇒ A ⇒ B Γ, Γ0 ` A ⇒ C
(⇒E )
Γ, Γ0 ` A ⇒ B

allows us to conclude.

We can thus show that provability in this system is the usual one.
Theorem 2.7.3.3. A sequent Γ ` A is provable in Hilbert calculus if and only if
it is provable in natural deduction.
Proof. For simplicity, we restrict to the case of the implicational fragment. In
order to show that a proof in the Hilbert calculus induces a proof in NJ, we
should show that the rules (ax) and (⇒E ) are admissible in NJ (this is the case
by definition) and that the axioms (S) and (K) can be derived in NJ, which is
easy:
(ax) (ax) (ax) (ax)
A ⇒ B ⇒ C, A ⇒ B, A ` A ⇒ B ⇒ C A ⇒ B ⇒ C, A ⇒ B, A ` A A ⇒ B ⇒ C, A ⇒ B, A ` A ⇒ B A ⇒ B ⇒ C, A ⇒ B, A ` A
(⇒E ) (⇒E )
A ⇒ B ⇒ C, A ⇒ B, A ` B ⇒ C A ⇒ B ⇒ C, A ⇒ B, A ` B
(⇒E )
A ⇒ B ⇒ C, A ⇒ B, A ` C
(⇒I )
A ⇒ B ⇒ C, A ⇒ B ` A ⇒ C
(⇒I )
A ⇒ B ⇒ C ` (A ⇒ B) ⇒ A ⇒ C
(⇒I )
` (A ⇒ B ⇒ C) ⇒ (A ⇒ B) ⇒ A ⇒ C
CHAPTER 2. PROPOSITIONAL LOGIC 105

(this is voluntarily too small to read, you should prove this by yourself) and

(ax)
A, B ` A
(⇒I )
A`B⇒A
(⇒I )
`A⇒B⇒A

Conversely, in order to show that a proof in NJ induces one in Hilbert cal-

culus, we should show that the rules (ax), (⇒E ) and (⇒I ) are admissible in
Hilbert calculus: the two first are by definition, and the third one was proved
in proposition 2.7.3.2.

2.8 Kripke semantics

We have seen in section 2.5.6 that the usual boolean interpretation of formulas is
correct and complete, meaning that a formula is classically provable if and only if
it is valid in every boolean model. One can wonder if there is an analogous notion
of model for proofs in intuitionistic logic and this is indeed the case: Kripke
models are correct and complete for intuitionistic logic. They were discovered
in the 1960s by Kripke [Kri65] and Joyal for modal logic, and can be thought of
as a semantics of possible worlds evolving through time: as time progresses more
propositions may become true. The morale is thus that intuitionistic logic is
thus somehow a logic where the notion of truth is “local”, contrarily to classical
logic.

2.8.1 Kripke structures. A Kripke structure (W, 6, ρ) consists of is a par-

tially ordered set (W, 6) of worlds together with a valuation ρ : W × X → B
which indicates whether in a given world, a given propositional variable is true
or not. The valuation is always assumed to be monotonous, i.e. to satisfy
ρ(w, X) = 1 implies ρ(w0 , X) = 1 for every worlds such that w 6 w0 . We
sometimes simply write W for a Kripke structure (W, 6, ρ).
Given a Kripke structure W and a world w ∈ W , we write w W A (or
simply w  A when W is clear from the context) when a formula A is satisfied
in w: this is defined by induction on A by

w X iff ρ(w, X)
w > holds
w ⊥ does not hold
w A∧B iff w  A and w  B
w A∨B iff w  A or w  B
w A⇒B iff, for every w0 > w, w0  A implies w0  B
w  ¬A iff, for every w0 > w, w0  A does not hold

A Kripke structure is often pictured as a graph, whose vertices correspond to

worlds, an edge from w to w0 indicating that w 6 w0 , with the variables X
such that ρ(w, X) = 1 being written next to the node w, see examples 2.8.1.4
and 2.8.1.5.
We can think of a Kripke structure as describing the evolution of a world
trough time: given two worlds such that w 6 w0 , we think of w0 as being a
possible future for w. Since the order is not necessarily total, a given world
CHAPTER 2. PROPOSITIONAL LOGIC 106

might have different possible futures. In each world, the valuation indicates
which formulas we know are true, and the monotonicity condition imposes that
our knowledge can only grow: if we know that a formula is true then we will
still know it in the future.
Lemma 2.8.1.1. Satisfaction is monotonic: given a formula A, a Kripke structure
W and a world w, if w  A then w0  A for every world w0 > w.
Proof. By induction on the formula A.
Given a context Γ = A1 , . . . , An , a formula A, and a Kripke structure W , we
write Γ W A when, for every world w ∈ W in which all the formulas Ai are
satisfied, the formula A is also satisfied. We write Γ  A when Γ W A holds
for every structure W : in this case, we say that A is valid in the context Γ.
Remark 2.8.1.2. It should be observed that the notion of Kripke structure gen-
eralizes the notion of boolean model recalled in section 2.5.6. Namely, a boolean
valuation ρ : X → B can be seen as a Kripke structure W with a single world w,
the valuation being given by ρ. The notion of validity for Kripke structures
defined above then coincides with the one for boolean models.
A following theorem ensures that Kripke semantics are sound: a provable
formula is valid.
Theorem 2.8.1.3 (Soundness). If a sequent Γ ` A is derivable in intuitionistic
logic then Γ  A.
Proof. By induction on the proof of Γ ` A.
The contraposite of this theorem says that if we can find a Kripke structure in
which there is a world where a formula A is not satisfied, then A is not intu-
itionistically provable. This thus provides an alternative to methods based on
cut-elimination (see section 2.3.5) in order to discard the provability of formulas.
Example 2.8.1.4. Consider formula expressing double negation elimination ¬¬X ⇒ X
and the Kripke structure with W = {w0 , w1 }, with w0 6 w1 , and ρ(w0 , X) = 0
and ρ(w1 , X) = 1, which can be pictured as

X
· ·
w0 w1

We have w0 2 ¬X because (there is the future world w1 in which X holds) and

w1 2 ¬X, and thus w0  ¬¬X (in fact, it can be shown that w  ¬¬X in an
arbitrary structure iff for every world w0 > w there exists a world w00 > w0 such
that w00  X). Moreover, we have w0 2 X, and thus w0 2 ¬¬X ⇒ X. This
shows that ¬¬X ⇒ X is not intuitionistically provable. In the same Kripke
structure, we have w0 2 ¬X ∨ X and thus the excluded middle ¬X ∨ X is also
not intuitionistically provable either.
Given an arbitrary formula A, by lemma 2.8.1.1, in this structure, this for-
mula is either satisfied both in w0 and w1 , or only in w1 or in no world:

A A A
· · · · · ·
w0 w1 w0 w1 w0 w1

In the two first cases, ¬¬A is satisfied and in the last one ¬A is satisfied.
Therefore, the weak excluded middle ¬¬A ∨ ¬A is always satisfied: this shows
CHAPTER 2. PROPOSITIONAL LOGIC 107

that the weak excluded middle does not imply the excluded middle. By using a
similar reasoning, it can be shown that the linearity axiom (A ⇒ B) ∨ (B ⇒ A)
does not imply the excluded middle. Both thus give rise to intermediate logics,
see section 2.5.10.
Example 2.8.1.5. The Kripke structure

X Y
· · ·

shows that the linearity formula (X ⇒ Y ) ∨ (Y ⇒ X) is not intuitionistically

provable (whereas it is classically).

2.8.2 Completeness. We now consider the converse of theorem 2.8.1.3. We

will show that if a formula is valid then it is provable intuitionistically. Or
equivalently, that if a formula is not provable, then we can always exhibit a
Kripke structure in which it does not hold.
Given a possibly infinite set Φ of formulas, we write Φ ` A whenever there
exists a finite subset Γ ⊆ Φ such that Γ ` A is intuitionistically provable. Such
a set is consistent if Φ 0 ⊥. By lemma 2.3.4.1, we have:
Lemma 2.8.2.1. A set Φ of formulas is consistent if and only if there is a for-
mula A such that Φ 0 A.
A set Φ of formulas is disjunctive if Φ ` A ∨ B implies Φ ` A or Φ ` B.
Lemma 2.8.2.2. Given set Φ of formulas and a formula A such that Φ 0 A, there
exists a disjunctive set Φ such that Φ ⊆ Φ and Φ 0 A.
Proof. Suppose fixed an enumeration of all the formulas of the form B ∨ C
occurring in Φ. We construct by recurrence a sequence Φn of sets of formulas
which are such that Φn 0 A. We set Φ0 = Φ. Suppose constructed Φn and
consider the n-th formula B ∨ C in Φ:
– if Φn , B 0 A, we define Φn+1 = Φn ∪ {B},
– if Φn , B ` A, we define Φn+1 = Φn ∪ {C}.
In the first case, it is immediate that Φn+1 0 A. In the second one, we have
Φn ` B ∨ C and Φn , B ` A, if we also had Φn , C ` A then, by (∨E ), we would
S Φn ` A, which is excluded by recurrence hypothesis. Finally, we take
also have
Φ = n∈N Φn .
A set Φ of formulas is saturated if, for every formula A, Φ ` A implies A ∈ Φ.
Lemma 2.8.2.3. Given a set Φ of formulas, the set Φ = {A | Φ ` A} is saturated.
A set is complete if it is consistent, disjunctive and saturated. Combining the
above lemmas we obtain,
Lemma 2.8.2.4. Given a set Φ of formulas and a formula A such that Φ 2 A,
there exists a complete set Φ such that Φ ⊆ Φ and A 6∈ Φ.
Proof. By lemma 2.8.2.2, there exists a disjunctive set of formulas Φ such that
Φ ⊆ Φ and Φ 0 A. This set of consistent by lemma 2.8.2.1. Moreover, by
lemma 2.8.2.3, we can suppose that this set is saturated (the construction is
easily checked to preserve consistency and disjunctiveness) and such that A 6∈ Φ.
CHAPTER 2. PROPOSITIONAL LOGIC 108

The universal Kripke structure W is defined by

W = {wΦ | Φ is complete}

with wΦ 6 wΦ0 whenever Φ ⊆ Φ0 , and ρ(wΦ , X) = 1 iff X ∈ Φ.

Lemma 2.8.2.5. Let Φ be a complete set and A a formula. Then wΦ  A iff
A ∈ Φ.
Proof. By induction on the formula A.
– If A = X is a propositional variable, we have wΦ  X iff ρ(wΦ , X) = 1 iff
X ∈ Φ.
– If A = >, we always have wΦ  > and we always have > ∈ Φ because
Φ ` > by (>I ) and Φ is saturated.
– If A = ⊥, we never have wΦ  ⊥ and we never have ⊥ ∈ Φ because Φ is
consistent.
– If A = B ∧ C.
Suppose that wΦ  B ∧ C. Then wΦ  B and wΦ  C, and therefore
Φ ` B and Φ ` C by induction hypothesis. We deduce Φ ` B ∧ C by (∧I )
and weakening and thus B ∧ C ∈ Φ by saturation.
Conversely, suppose B∧C ∈ Φ and thus Φ ` B∧C. This entails Φ ` B and
Φ ` C by (∧lE ) and (∧rE ), and thus B ∈ Φ and C ∈ Φ by saturation. By
induction hypothesis, we have wΦ  B and wΦ  C, and thus wΦ  B ∧ C.
– If A = B ∨ C.
Suppose that wΦ  B ∨ C. Then wΦ  B or wΦ  C, and therefore Φ ` B
or Φ ` C by induction hypothesis. We deduce Φ ` B ∨ C by (∨lI ) or (∨rI )
and thus B ∨ C ∈ Φ by saturation.
Conversely, suppose B ∨ C ∈ Φ. Since Φ is disjunctive, we have B ∈ Φ or
C ∈ Φ. By induction hypothesis, we have wΦ  B or wΦ  C, and thus
wΦ  B ∨ C.
– If A = B ⇒ C.
Suppose that wΦ  B ⇒ C. Our goal is to show B ⇒ C ∈ Φ. By (⇒I )
and saturation, it is enough to show Φ, B ` C. Suppose that it is not the
case. By lemma 2.8.2.4, we can construct a complete set Φ0 with Φ ⊆ Φ0 ,
B ∈ Φ0 and C 6∈ Φ0 . Since B ∈ Φ0 , by induction hypothesis we have
wΦ0  B. Therefore, since wΦ  B ⇒ C and wΦ 6 wΦ0 , we have wΦ0  C,
a contradiction.
Conversely, suppose B ⇒ C ∈ Φ. Given Φ0 such that wΦ 6 wΦ0 ,
i.e. Φ ⊆ Φ0 , if wΦ0  B we have to show wΦ0  C. By induction hy-
pothesis, we have B ∈ Φ0 . Moreover, we have Φ0 ` B ⇒ C (because
Φ ` B ⇒ C and Φ ⊆ Φ0 ) and therefore Φ0 ` C by (⇒E ). By saturation
we have C ∈ Φ0 and thus Φ0  C, by induction hypothesis.
Theorem 2.8.2.6 (Completeness). If Γ  A then Γ ` A.
Proof. Suppose Γ  A and Γ 0 A. By lemma 2.8.2.4, there exists a complete
set of formulas Φ such that Γ ⊆ Φ and Φ 0 A. All the formulas of Γ are valid in
wΦ and thus wΦ  A, because we have Γ  A. By lemma 2.8.2.5, we therefore
have A ∈ Φ, a contradiction.
CHAPTER 2. PROPOSITIONAL LOGIC 109

Remark 2.8.2.7. It can be shown that we can restrict to Kripke models which are
tree-shaped and finite without losing completeness. With further restrictions,
various completeness results have been obtained. As an extreme example, if
we restrict to models with only one world, then we obtain boolean models
(remark 2.8.1.2) which are complete for classical logic (theorem 2.5.6.5). For a
more unexpected example, Kripke models which are total orders are complete
for intuitionistic logic extended with the linearity axiom (section 2.5.10), thus
its name.
 Chapter 3

Pure λ-calculus

We now introduce the λ-calculus, which is the functional core of a programming

language: this is what you obtain when you remove everything from a functional
programming language excepting variables, functions and application. In this
language everything is thus a function. In the OCaml syntax, a typical λ-term
would thus be
fun f x -> f (f x) (fun y -> y)
Since λ-calculus was actually invented before computer existed, the traditional
notation is somewhat different from the above, and we write λx.t instead of fun
x -> t so that the above term would rather be written

λf x.f (f x)(λy.y)

Bound variables. In a function, the name of the variable is not important, it

could be replaced by any other name without changing the meaning of the
function: we should consider λx.x and λy.y as the same. In a term of the form
λx.t, we say that the abstraction λ binds the variable in the term t: the name of
the variable x in t is not really relevant, what matters is that this is the variable
which was declared by this λ. In mathematics, we are somehow used to this in
other situations than functions. For instance, in the first definition below, t is
bound by the limit operator, in the second t is bound by the dt operator coming
with the integral, and in the last one the summation sign is binding i:
Z 1 n
x X
f (x) = lim f (x) = tx dt f (x) = ix
t→∞ t 0 i=0

This means that we can replace the name of the bound variable by any other
(as above) without changing the meaning of the expression. For instance, the
first one is equivalent to
x
lim
z→∞ z
This process of changing the name of the variable is called α-conversion and
is more subtle than it seems at first: there are actually some restrictions on
the names of the variables we can use. For instance, in the above example, we
cannot rename t to x since the following reasoning is clearly not valid:
x x
0 = lim = lim = lim 1 = 1
t→∞ t x→∞ x x→∞
The problem here is that we tried to change the name of t to a variable name
which was already used somewhere else. These issues are generally glossed over
in mathematics, but in computer science we cannot simply do that: we have to
understand in details these α-conversion mechanisms when implementing func-
tional programming languages, otherwise we will incorrectly evaluate programs.
Believe it or not this simple matter is a major source of bugs and headaches.
CHAPTER 3. PURE λ-CALCULUS 111

Evaluation. Another aspect we have to make precise is the notion of evaluation

or reduction of a functional programming language. In mathematics, if f is the
doubling function f (x) = x+x, then f (3) is 3+3, i.e. 6: with our λ notation, we
have (λx.x + x)3 = 6. In computer science, we want to see the way the program
is executed and we will consider that (λx.x + x)3 reduces to 3 + 3, which will
itself reduce to 6, which is the result of our program. The general definition of
the reduction in the language is given by the β-reduction rule, which is

(λx.t)u −→β t[x/u]

It means that the function which to x associates some expression t, when applied
to an argument u reduces to t where all the occurrences of x have been replaced
by u. The properties of this reduction relation is one of our main objects of
interest here.

In this chapter. We introduce the λ-calculus in section 3.1 and the β-reduction
in section 3.2. We then study the computational power of the resulting calculus
in section 3.3 and show that reduction in confluent in section 3.4. We discuss
the various ways in which reduction can be implemented in section 3.5, and the
ways to handle α-conversion in section 3.6.

References. Should you need a more detailed presentation of λ-calculus, its prop-
erties and applications, good introductions include [Bar84, SU06, Sel08].

3.1 λ-terms
3.1.1 Definition. Suppose fixed an infinite countable set X = {x, y, z, . . .}
whose elements are called variables. The set Λ of λ-terms is generated by the
following grammar:
t, u ::= x | t u | λx.t
This means that a λ-term is either

– a variable x,
– an application t u, which is a pair of terms t and u, though of as applying
the function t to an argument u,
– an abstraction λx.t, which is a pair consisting of a variable x and a term t,
thought of as the function which to x associates t.

For instance, we have the following λ-terms

λx.x (λx.(xx))(λy.(yx)) λx.(λy.(x(λz.y)))

By convention,

– application is associative on the left, i.e.

tuv = (tu)v

and not t(uv),

CHAPTER 3. PURE λ-CALCULUS 112

– application binds more tightly than abstraction, i.e.

λx.xy = λx.(xy)

and not (λx.x)y (otherwise said, abstraction extends as far as possible on

the right),
– we sometimes group abstractions, i.e.

λxyz.xz(yz) is read as λx.λy.λz.xz(yz).

3.1.2 Bound and free variables. In a term of the form λx.t, the variable x
is said to be bound in the term t: in a sense the abstraction “declares” the
variable in the term t, and all occurrences of x in t will make reference to the
variable declared here (unless it is bound again). Thus, in the term (λx.xy)x, the
first occurrence of x refers to the variable declared by the abstraction whereas
the second does not. Intuitively, this term is the same as (λz.zy)x, but not
to (λz.zy)z; this will be made formal below through the notion of α-equivalence,
but we should keep in mind that there is always the possibility of renaming
bound variables.
A free variable in a term is a variable which is not bound in a subterm. We
define the set FV(t) of a term t is formally defined, by induction on t by

FV(x) = {x}
FV(t u) = FV(t) ∪ FV(u)
FV(λx.t) = FV(t) \ {x}

A term t is closed when it has no free variable: FV(t) = ∅.

Example 3.1.2.1. The set of free variables of the term (λx.xy)z is {y, z}. This
term is thus not closed. The term λxy.x is closed.
A variable x is fresh with respect to a term t when it does not occur in t,
i.e. x ∈ X \ FV(t). Note that the set of variables of a term t is finite and the set
of variable is infinite so that we can always find a fresh variable with respect to
any term.

3.1.3 Renaming and α-equivalence. In order to define α-equivalence, we

first define the operation of renaming a variable x to y in a term t, and write

t{y/x}

for the resulting term. There is one subtlety though, we only want to rename
free occurrences of x, since the other ones refer to the abstraction to which they
are bound. Formally, the renaming t{y/x} is defined by

x{y/x} = y
z{y/x} = z if z 6= x
(t u){y/x} = (t{y/x}) (u{y/x})
(λx.t){y/x} = λx.t
(λy.t){y/x} = λx.(t{y/x})
(λz.t){y/x} = λz.(t{y/x}) if z 6= x and z 6= y
CHAPTER 3. PURE λ-CALCULUS 113

The tree last lines handle the possible cases when renaming a variable in an
abstraction: either we are trying to rename the bound variable, or we are trying
to rename a variable into the bound variable, or the bound variable and variables
involved in the renaming are distinct.
The α-equivalence ===α (or α-conversion) is the smallest congruence on
terms which identifies terms differing only by renaming bound variables, i.e.

λx.t ===α λy.(t{y/x})

whenever y is not free in t. For instance, we have

λx.x(λx.xy) ===α λz.z(λx.xy) =6==α λy.y(λx.xy)

Formally, the fact that α-equivalence is a congruence means that it is the small-
est relation such that whenever all the relations above the bar hold, the relation
below the bar also holds:
y 6∈ FV(t)
λx.t ===α λy.(t{y/x})

t ===α t0 u ===α u0 t ===α t0

t u ===α t0 u0 λx.t ===α λx.t0

t ===α t0 t ===α t0 t0 ===α t00

t ===α t t0 ===α t t ===α t00

The equation on the first line is the one we have already seen above, those
on the second line ensure that α-equivalence is compatible with application
and abstraction, and those on the third line imposes that α-equivalence is an
equivalence relation (i.e. reflexive, symmetric and transitive).

3.1.4 Substitution. Given λ-terms t and u and a variable x, we can define a

new term
t[u/x]
which is the λ-term obtained from t by replacing free occurrences of x by u.
Again we have to properly take care of issues related to the fact that some
variables are bound:
– we only want to replace free occurrences of the variable x in t, since the
bound ones refer to the corresponding abstractions in t and might be
renamed, i.e.

(x(λxy.x))[u/x] = u(λxy.x) but not u(λxy.u),

– we do not want free variables in u to become accidentally bound by some

abstraction in t, i.e.

(λx.xy)[x/y] = (λz.zy)[x/y] = λz.zx but not λx.xx.

CHAPTER 3. PURE λ-CALCULUS 114

Formally, the substitution t[u/x] is defined by induction on t by

x[u/x] = u
y[u/x] = y if y 6= x
(t1 t2 )[u/x] = (t1 [u/x]) (t2 [u/x])
(λx.t)[u/x] = λx.t
(λy.t)[u/x] = λy.(t[u/x]) if y 6= x and y 6∈ FV(t)
0 0
(λy.t)[u/x] = λy .(t{y /y}[u/x]) if y 6= x, y ∈ FV(t)
and y 0 6∈ FV(t) ∪ FV(u).

Because of the last line, the result of the substitution is not well-defined, be-
cause it depends on an arbitrary choice of fresh variable y 0 , but one can show
that this is a well-defined operation on λ-terms up to α-equivalence. For this
reason, as soon as we want to perform substitutions, it only makes sense to
consider the set of λ-terms quotiented by the α-equivalence relation: we will
implicitly do so in the following, and implicitly ensure that all the constructions
we perform are compatible with α-equivalence. The only time where we should
take α-conversion seriously is when dealing with implementation matters, see
section 3.6.2 for instance. Adopting this convention, the three last cases can be
replaced by
(λy.t)[u/x] = λy.(t[u/x])
where we suppose that y 6∈ FV(t) ∪ {x}, which we can always do up to α-con-
version.

3.2 β-reduction
Consider a term of the form
(λx.t) u (3.1)
It intuitively consists of a function expecting an argument x and returning a
result t(x), which is given an argument u. We expect therefore the computation
to reach the term t[u/x] consisting of the term t where all the free occurrences
of x have been replaced by u. This is what the notion of β-reduction does and
we write
(λx.t) u −→β t[u/x] (3.2)
to indicate that the term on the left reduces to the term on the right. Actually,
we want to be able to also perform this kind of reduction within a term: we call
a β-redex in a term t, a subterm of the form (3.1) and the β-reduction consists
in preforming the replacement (3.2) in the term.

3.2.1 Definition. Formally, the β-reduction is defined as the smallest binary

relation −→β on terms such that

t −→β t0
(βs ) (βλ )
(λx.t)u −→β t[u/x] λx.t −→β λx.t0

t −→β t0 u −→β u0
(βl ) (βr )
tu −→β t0 u tu −→β tu0
CHAPTER 3. PURE λ-CALCULUS 115

A “proof tree” showing that t −→β u is called a derivation of it. For instance,
a derivation of λx.(λy.y)xz −→β λx.xz is

(βs )
(λy.y)x −→β x
(βl )
(λy.y)xz −→β xz
(βλ )
λx.(λy.y)xz −→β λx.xz

Such derivations are often useful to reason about β-reduction steps, by induction
on the derivation tree.

3.2.2 An example. For instance, we have the following sequence of β-reduc-

tions, were each time we have underlined the β-redex:

(λx.y)((λz.zz)(λt.t)) −→β (λx.y)((λt.t)(λt.t))

−→β (λx.y)(λt.t)
−→β y

3.2.3 Reduction and redexes. Let us now make some basic observations
about how reductions interact with redexes. Reduction can create β-redexes:

(λx.xx)(λy.y) −→β (λy.y)(λy.y)

In the initial term there was only one redex, and after reducing it a new redex
has appeared. Reductions can duplicate β-redexes:

(λx.xx)((λy.y)(λz.z)) −→β ((λy.y)(λz.z))((λy.y)(λz.z))

The β-redex (λy.y)(λz.z) occurs once in the initial term and twice in the reduced
one. Reduction can also erase β-redexes:

(λx.y)((λy.y)(λz.z)) −→β y

There were two redexes in the initial term, but there is none left after reducing
one of them.

3.2.4 Confluence. The reduction is not deterministic since some terms can
reduce in multiple ways:

λy.y β ←− (λxy.y)((λx.x)(λx.x)) −→β (λxy.y)(λx.x)

We thus have to be careful when studying properties of reduction: in particular,

we always have to specify whether those properties hold for some reduction
or every reduction. It can be noted that, although the two above reductions
differ, they end up in the same term. For instance, the term on the right
above reduces to λy.y, which is the term on the left. This property is called
“confluence”: eventually, the order in which we chose to perform β-reductions
does not matter. This will be detailed and proved in section 3.4.
CHAPTER 3. PURE λ-CALCULUS 116

3.2.5 β-reduction paths. A reduction path

t = t0 −→β t1 −→β t2 −→β . . . −→β tn−1 −→β tn = u

from t to u is a finite sequence of terms t0 , t1 , . . . , tn such that ti β-reduces to

ti+1 for every index i, with t0 = t and tn = u. The natural number n is called
the length of the reduction. We write
∗
t −→β u

when there exists a reduction path from t to u as above, and say that t reduces
∗
in multiple steps to u. The relation −→β on terms is the reflexive and transitive
closure of the relation −→β .

3.2.6 Normalization. Some terms cannot reduce, they are called normal forms:

x x(λy.λz.y) ...

Those can be though of as “values” or “results” for computations in λ-calculus.

Those terms are easily characterized:
Proposition 3.2.6.1. The λ-terms in normal form can be characterized induc-
tively as the terms of the form

λx.t or x t1 . . . tn

where the ti and t are normal forms.

Proof. We reason by induction on the size of λ-terms (the size being the number
of abstractions and applications). Suppose given a λ-term in normal form: by
definition if can be of the following forms.

– x: it is a normal form and it is a term generated of the expected form.

– λx.t: by the rule (βλ ), this term is a normal form if and only if t is, i.e. by
induction, if and only if t is itself of the expected form.
– t u: by the rules (βl ) and (βr ), if it is a normal form then both t and u are
in normal form. By induction, t must be of the form λx.t0 or x t1 . . . tn
with t0 and ti of the expected form. The first case is impossible: other-
wise, t u = (λx.t0 )u would reduce by (βs ). Therefore, t u is of the form
x t1 . . . tn u with ti and u in normal form. Conversely, any term of this
form is a normal form.
Having identified normal forms as the notion of “result” in the λ-calculus, it
is natural to study whether every term will eventually give rise to a result: we
will see that this is not the case. A term t is weakly normalizing when it can
∗
reduce to a normal form, i.e. there exists a normal form u such that t −→β u. It
is strongly normalizing when every sequence of reduction will eventually reduce
to a normal form. Otherwise said, there is no infinite sequence of reductions
starting from t:
t = t0 −→β t1 −→β t2 −→β . . .
CHAPTER 3. PURE λ-CALCULUS 117

Not every term is strongly normalizing. For instance, the term

Ω = (λx.xx)(λx.xx)

reduces to itself and thus infinitely:

(λx.xx)(λx.xx) −→β (λx.xx)(λx.xx) −→β (λx.xx)(λx.xx) −→β . . .

As a variant, the following term keeps growing during the reduction:

(λx.xx)(λy.yyy) −→β (λy.yyy)(λy.yyy)

−→β (λy.yyy)(λy.yyy)(λy.yyy) −→β . . .

Clearly, a strongly normalizing term is weakly normalizing, but the converse

does not hold. For instance, the term

(λx.y)((λx.xx)(λx.xx))

can reduce to y, which is a normal form and is thus weakly normalizing. It can
also reduce to itself and is thus not strongly normalizing.

3.2.7 β-equivalence. We write ===β for the β-equivalence, which is the small-
est equivalence relation containing −→β . It is not difficult to show that this
∗
relation can be characterized as the transitive closure of the relation −→β : we
have
t ===β u
whenever there exists terms t0 , . . . , t2n such that
∗ ∗ ∗ ∗ ∗ ∗
t = t0β ←− t1 −→β t2β ←− t3 −→β . . . β ←− t2n−1 −→β t2n = u

The notion of β-equivalence is very natural on λ-terms: it identifies two terms

whenever they give rise to the same result. Two β-equivalent terms are some-
times also said to be β-convertible.

3.2.8 η-equivalence. In OCaml, the functions sin and fun x -> sin x are
clearly “the same”: one can be used in place of another without changing any-
thing, both will compute the sine of their input. However, they are not iden-
tical: their syntax differ. In λ-calculus, the η-equivalence relation relates two
such terms: it identifies a term t (which is a function, since everything is func-
tion in λ-calculus) with the function which to x associates t x. Formally, the
η-equivalence relation ===η is the smallest congruence such that

t ===η λx.tx

for every term t.

By analogy with β-reduction, it will sometimes be useful to consider the
η-reduction relation which is the smallest congruence such that

λx.tx −→η t

for every term t. The opposite relation

t −→η λx.tx
CHAPTER 3. PURE λ-CALCULUS 118

is also useful and called η-expansion. We have that η-equivalence is the reflexive,
symmetric and transitive closure of this relation. The converse relation

t −→ λx.tx

is also useful and called η-expansion.

Finally, we write ===βη for the βη-equivalence relation, which is small-
est equivalence relation containing both ===β and ===η . In this course, we
will mostly focus on β-equivalence, although most proofs generalize to βη-
equivalence.

3.3 Computing in the λ-calculus

The λ-calculus contains only functions. Even though we have removed most of
what is usually found in a programming language, we will see that it is far from
trivial as a programming language. In order to do so, we will gradually show
that usual programming constructions can be encoded in λ-calculus.

3.3.1 Identity. A first interesting term is the identity λ-term

I = λx.x

It has the property that, for any term t, we have

I t −→β t

3.3.2 Booleans. The booleans true and false can respectively be encoded as

T = λxy.x F = λxy.y

With this encoding, the usual if-then-else conditional construction can be en-
coded as
if = λbxy.bxy
Namely, we have
∗ ∗
if T t u −→β t if F t u −→β u

For instance, the first reduction is

if T t u = (λbxy.bxy)(λxy.x)tu −→β (λxy.(λxy.x)xy)tu

−→β (λy.(λxy.x)ty)u
−→β (λxy.x)tu
−→β (λy.t)u
−→β t

and the second one is similar.

From there, the usual boolean operations of conjunction, disjunction and
negation are easily defined by

and = λxy.x y F or = λxy.x T y not = λx.x F T

CHAPTER 3. PURE λ-CALCULUS 119

For instance, one can check that we have

and T T −→β T and T F −→β F and F T −→β F and F F −→β F

Above, we have defined conjunction (and other operations) from conditionals,

which quite classical. In OCaml, we would have written
let and x y = if x then y else false
which translates in λ-calculus as
∗ ∗
and ←−η λxy.and x y = λxy.if x y F −→β λxy. x y F

and suggests the definition we made. There are of course other possible imple-
mentations, e.g.
and = λxy.xyx
In the above implementations, we only guarantee that the expected reductions
will happen when the arguments are booleans, but nothing is specified when
the arguments are arbitrary λ-terms.

3.3.3 Pairs. The encoding of pairs can be deduced from booleans. We can
namely encode the pairing operator as

pair = λxyb.if b x y

When applied to two terms t and u, it reduces to

∗
pair t u −→β λb.if b t u

which can be thought of as an encoding of the pair ht, ui. In order to recover
the components of the pair, we can simply apply it to either T or F:
∗ ∗
(pair t u) T −→β t (pair t u) F −→β u

We thus define the two projections as

fst = λp.p T snd = λp.p F

and we have, as expected

∗ ∗
fst (pair t u) −→β t snd (pair t u) −→β u

More generally, n-uples can be encoded as

uplen = λx1 . . . xn b.b x1 . . . xn

with the associated projections

projni = λx1 . . . xn .xi

and one checks that

∗
projni (uplen t1 . . . tn ) −→β ti
CHAPTER 3. PURE λ-CALCULUS 120

3.3.4 Natural numbers. Given λ-terms f and x, and a natural number n ∈ N,

we write f n x for the λ-term f (f (. . . (f x))) with n occurrences of f :

f 0x = x f n+1 x = f (f n x)

The n-th Church numeral is the λ-term

n = λf x.f n x = λf x.f (f (. . . (f x)))

Otherwise said, the λ-term n is such that, when applied to arguments f and x,
iterates n times the application of f to x. For low values of n, we have

0 = λf x.x 1 = λf x.f x 2 = λf x.f (f x) 3 = λf x.f (f (f x)) ...

Successor. The successor function can be encoded as

succ = λnf x.f (nf x)

which applies f to f n x. It behaves as expected since

succ n === (λnf x.f (nf x))(λf x.f n x)

−→β λf x.f ((λf x.f n x)f x)
−→β λf x.f ((λx.f n x)x)
−→β λf x.f (f n x)
=== λf x.f n+1 x
=== n + 1

Another natural possible definition of successor would be

succ = λnf x.nf (f x)

Arithmetic functions. The addition, multiplication and exponentiation can sim-

ilarly be as

add = λmnf x.m succ n mul = λmnf x.m (add n) 0 exp = λmn.n (mul m) 1

or, alternatively, as

add = λmnf x.mf (nf x) mul = λmnf x.m(nf )x exp = λmn.nm

It can be checked that addition is such that, for every m, n ∈ N, we have

add m n = m + n: it computes the function which to x associates f applied m
times to f applied n times to x, i.e. f m+n x. And similarly for other operations.

Comparisons. The test-to-zero function takes a natural number n as argument

and returns the boolean true or false depending on whether n is 0 or not. It
can be encoded as
iszero = λnxy.n(λz.y)x
Given n, x and y, it applies n times the function f = λz.y to x: if the function
is applied 0 times then x is returned, otherwise if the function is applied at least
once then y is returned.
CHAPTER 3. PURE λ-CALCULUS 121

The predecessor function can also be encoded although it is more difficult

(this is detailed below):

pred = λnf x.n(λgh.h(gf ))(λy.x)(λy.y)

It allows defining subtraction as

sub = λmn.n pred m

where, by convention, the result of m − n is 0 when m < n. From there, we can

define comparisons of natural numbers such as the 6 relation since m 6 n is
equivalent to m − n = 0:

leq = λmn.iszero (sub m n)

Exercise 3.3.4.1. The Ackermann function [Ack28] from pairs of natural numbers
to natural numbers is the function A defined by

A(0, n) = n + 1
A(m + 1, 0) = A(m, 1)
A(m + 1, n + 1) = A(m, A(m + 1, n))

Show that, in λ-calculus, it can be implemented as

ack = λm.m(λf. n f (f 1)) succ

Predecessor. We are now going to see how we can implement the predecessor
function mentioned above. Before going into that, let us see how we can imple-
ment the Fibonacci sequence fn defined by f0 = 0, f1 = 1 and fn+1 = fn +fn−1 .
A naive implementation would be
let rec fib n =
if n = 0 then 0
else if n = 1 then 1
else fib (n-1) + fib (n-2)
This function is highly inefficient because many computations are performed
multiple times. For instance, to compute fn , we compute both fn−1 and fn−2 ,
but the computation of fn−1 will require computing another time fn−2 , and so
on. The usual strategy to improve that consists in computing two successive
values (fn−1 , fn ) of the Fibonacci sequence at a time. Given such a pair, the
next pair is computed by

(fn , fn+1 ) = (fn , fn−1 + fn )

We thus define the function

let fib_fun (q,p) = (p,p+q)
which computes the next pair depending on the current pair. If we iterate n
times this function on the pair (f0 , f1 ) = (0, 1), we obtain the pair (fn , fn+1 )
and we can thus obtain the n-th term of the Fibonacci sequence by projecting
to the first element:
CHAPTER 3. PURE λ-CALCULUS 122

let fib n = fst (iter n fib_fun (0,1))

where the function iter applies n times a function f to some element x:

let rec iter n f x =

if n = 0 then x
else f (iter (n-1) f x)
Now, suppose that we want to implement the predecessor function on natural
numbers without using subtraction. Given n ∈ N, there is one value for which
obviously know the predecessor: the predecessor of n + 1 is n. We will use
this fact, and the above trick in order to remember the value for the previous
predecessor, which is the n − 1 we are looking for! Let us write pn for the
predecessor of n. We can compute the pair (pn , pn+1 ) of two successive values
form the previous pair (pn−1 , pn ) by

(pn , pn+1 ) = (pn , pn + 1)

We thus define the function

let pred_fun (q,p) = (p,p+1)
If we iterate this function n times starting from the pair (p0 , p1 ) = (0, 0), we
obtain the pair (pn , pn+1 ) and can thus compute pn as its first component:
let pred n = fst (iter n pred_fun (0,0))
In λ-calculus, this translates as

pred = λn.fst (n (λx.pair (snd x) (succ (snd x))) (pair 0 0)))

The formula for predecessor provided above is a variant of this one.

3.3.5 Fixpoints. In order to define more elaborate functions on natural num-

bers such as the factorial, we need to have the possibility of defining functions
recursively. This can be achieved in λ-calculus thanks to the so-called fixpoint
combinators. In mathematics, a fixpoint of a function f is a value x such that
f (x) = x. Note that such a value may or may not exist: for instance f = x 7→ x2
has 0 and 1 as fixpoints whereas f = x 7→ x + 1 has no fixpoint.
Similarly, in λ-calculus a fixpoint for a term t is a term u such that

t u ===β u

A distinguishing feature of the λ-calculus is that

1. every term t admits a fixpoint,

2. this fixpoint can be computed within λ-calculus: there is a term Y such
that Y t is a fixpoint of t:

t (Y t) ===β Y t

A term Y as above is called a fixpoint combinator.

CHAPTER 3. PURE λ-CALCULUS 123

Fixpoints in OCaml. Before giving a λ-term which is fixpoint operator, let us see
how it can be implemented in OCaml and used to program recursive functions.
In practice, we will look for a function Y such that
Y t −→β t (Y t)
Note that such a function is necessarily non-terminating since there is an infinite
sequence of reductions
Y t −→β t (Y t) −→β t t (Y t) −→β t t t (Y t) −→β . . .
but might still be useful because since there might be other possible reductions
reaching a normal form. Following the conventions, we will write fix instead of
Y. A function which behaves as proposed is easily implemented:
let rec fix f = f (fix f)
Let us see how this can be used in order to implement the factorial function
without explicitly resorting to recursion. The factorial function satisfies 0! = 1
and n! = n × (n − 1)! so that it can be implemented as
let rec fact n =
if n = 0 then 1 else n * fact (n-1)
In order to implement it without using recursion, the trick is to first transform
this function into one which takes, as first argument, a function f which is to
be the factorial itself, and replace recursive calls by calls to this function:
let fact_fun f n =
if n = 0 then 1 else n * f (n - 1)
We then expect the factorial function to be obtained as its fixpoint:
let fact = fix fact_fun
Namely, this function will reduce to fact_fun (fix fact_fun), i.e. the above
function where f was replaced by the function itself, as expected. However, if
we try to define the function fact in this way, OCaml complains:
Stack overflow during evaluation (looping recursion?).
This is because OCaml always evaluates arguments first, so that it will fall into
the infinite sequence of reductions mentioned above (the stack will grow at each
recursive call and will exceed the maximal authorized value):
fix fact_fun −→β fact_fun (fix fact_fun) −→β . . .
The trick in order to avoid that in order to avoid that is to add an argument in
the definition of fix:
let rec fix f x = f (fix f) x
and now the above definition of factorial computes as expected: this time, the
argument fix f does not evaluate further because it is a function which is
still expecting its second argument. It is interesting to remark that the two
definitions of fix (the looping one and the working one) are η-equivalent, see
section 3.2.8, so that two η-equivalent terms can act differently depending on
the properties we consider.
CHAPTER 3. PURE λ-CALCULUS 124

Fixpoints in λ-calculus. The above definition of fix does not easily translate
to λ-calculus, because there is no simple way of defining recursive functions. A
possible implementation of the fixpoint combinator can be obtained by a variant
on the looping term Ω (see section 3.2.6). The Curry fixpoint combinator is

Y = λf.(λx.f (xx))(λx.f (xx))

Namely, given a term t, we have

Y t === (λf.(λx.f (xx))(λx.f (xx))) t

−→β (λx.t(xx))(λx.t(xx))
−→β t((λx.t(xx))(λx.t(xx)))
β ←− t (Y t)

which shows that we indeed have Y t ===β t (Y t), i.e. Y t is a fixpoint of t.

Another possible fixpoint combinator is Turing’s one defined as

Θ = (λf x.x(f f x))(λf x.x(f f x))

which satisfies, for any term t,

∗
Θ t −→β t(Θ t)

(we have here a proper sequence of β-reductions, as opposed to a mere β-equivalence

for Curry’s combinator).
The OCaml definition of the factorial

let fact = fix (fun f n -> if n = 0 then 1 else n * f (n - 1))

translates into λ-calculus as

fact = Y(λf n.if (iszero n) 1 (mul n (f (pred n))))

For instance, the factorial of 2 computes as

fact 2 === (YF ) 2

===β F (YF ) 2
∗
−→β if (iszero 2) 1 (mul 2 ((YF ) (pred 2)))
∗
−→β if false 1 (mul 2 ((YF ) (pred 2)))
∗
−→β mul 2 ((YF ) (pred 2))
∗
−→β mul 2 ((YF ) 1)
..
.
∗
−→β mul 2 (mul 1 1)
∗
−→β 2

Remark 3.3.5.1. Following Church’s initial intuition when introducing the λ-cal-
culus, we can think of λ-terms as describing sets, in the sense of set theory (see
section 5.3). Namely, a set t can be thought of as a predicate, i.e. a function
CHAPTER 3. PURE λ-CALCULUS 125

which takes an element u as argument and returns true or false depending on

whether the element u belongs to t or not. Following this point of view, instead
of writing u ∈ t, we write t u. Similarly, given a predicate t, the set {x | t} is
naturally written λx.t:
set theory λ-calculus
u∈t tu
{x | t} λx.t
In this context, the paradoxical Russell set
r = {x | ¬(x ∈ x)}
of naive set theory, see section 5.3.1, is written as
r = λx.¬(xx)
This set has the property that r ∈ r iff ¬(r ∈ r), i.e.
rr = ¬(rr)
Otherwise said rr is a fixpoint for ¬. Generalizing this to any f instead of ¬,
we recover the definition of Y:
Y = λf.rr
with r = λx.f (xx). In this sense, the fixpoint combinator is the Russell paradox
in disguise!

Church’s combinator in OCaml. If we try to implement Church’s combinator in

OCaml:
let fix = fun f -> (fun x -> f (x x)) (fun x -> f (x x))
we get a typing error concerning the variable x. Namely, x is applied to some-
thing in the above expression, so it should be of type ’a -> ’b, but its argument
is x itself, which imposes that we should have ’a = ’a -> ’b. The type of x
should thus be the infinite type
... -> ’b -> ’b -> ’b -> ’b
which is not allowed by default. There are two ways around this.
The first one consists in using the -rectypes option of OCaml in order allows
such types. If we use this function to define the factorial by
let fact = fix fact_fun
we get a stack overflow, meaning that the program is looping, which can be
solved with an η-expansion (we have already seen this trick above). We can
thus define instead
let fix = fun f -> (fun x y -> f (x x) y) (fun x y -> f (x x) y)
and now the definition of factorial works as expected.
The second one, if you do not want to use some exotic flag, consists in using
a recursive type, which allow such recursions in types. Namely, we can define
the type
CHAPTER 3. PURE λ-CALCULUS 126

type 'a t = Arr of ('a t -> 'a)

with which we can define the fixpoint operators as

let fix f =
(fun x y -> f (arr x x) y) (Arr (fun x y -> f (arr x x) y))
where we use the shorthand
let arr (Arr f) = f

In the same spirit, the Turing fixpoint combinator can be implemented as

let turing =
let t f x y = x (arr f f x) y in
t (Arr t)

3.3.6 Turing completeness. The previous encodings of usual functions, should

make it more or less clear that the λ-calculus is a full-fledged programming lan-
guage. In particular, from the classical undecidability results [Tur37] we can
deduce:
Theorem 3.3.6.1 (Undecidability). The following problems are undecidable:
– whether two terms are β-equivalent,
– whether a term can β-reduce to a normal form.

In order to make this result more precise, we should encode Turing machines
into λ-terms. Instead of doing this directly, we can rather encode recursive
functions, which are already known to have the same expressiveness as Turing
machines. The class of recursive functions is the smallest class of partially
defined functions f : Nk → N for some k ∈ N, which contains the zero constant
function z, the successor function s and the projections pki , for k ∈ N and
1 6 i 6 k:

z : N0 → N s : N1 → N pki : Nk → N
() 7→ 0 (n) 7→ n + 1 (n1 , . . . , nk ) 7→ ni

and is closed under

– composition: given recursive functions

f : Nl → N and g1 , . . . , gl : Nk → N

the function
compfg1 ,...,gl : Nl → N
(n1 , . . . , nk ) 7→ f (g1 (n1 , . . . , nk ), . . . , gl (n1 , . . . , nk ))

is also recursive,
– primitive recursion: given recursive functions

f : Nk → N and g : Nk+2 → N
CHAPTER 3. PURE λ-CALCULUS 127

the function
recf,g : Nk+1 → N
(0, n1 , . . . , nk ) 7→ f (n1 , . . . , nk )
(n0 + 1, n1 , . . . , nk ) 7→ g(recf,g (n0 , n1 , . . . , nk ), n0 , n1 , . . . , nk )

is also recursive,
– minimization: given a recursive function f : Nk+1 → N the function

minf : Nk → N

which to (n1 , . . . , nk ) ∈ Nk associates the smallest n0 ∈ N such that

f (n0 , n1 , . . . , nk ) = 0 is also recursive.
The presence of minimization is the reason why we need to consider partially
defined functions.
A function f : Nn → N is definable by a λ-term t when, for every natural
numbers (n1 , . . . , nk ) ∈ Nk , we have
∗
t n1 . . . nk −→β f (n1 , . . . , nk )

where n is the Church numeral associated to n.

Theorem 3.3.6.2 (Kleene). The functions definable in λ-calculus are precisely
the recursive ones.
Proof. The terms constructed in section 3.3 easily allow to encode total recursive
functions f as λ-terms Jf K: we define

JzK = 0 = λf x.x JsK = succ = λnf x.f nf x Jpki K = λx1 . . . xk .xi

composition is given by

Jcompfg1 ,...,gl K = λx1 . . . xk .Jf K(Jg1 Kx1 . . . xk ) . . . (Jgl Kx1 . . . xk )

primitive recursion by

Jrecf,g K = Y(λrx0 x1 . . . xk .if (iszero x0 )

(Jf Kx1 . . . xk )
(JgK(r(pred x0 ))(pred x0 )x1 . . . xk ))

and minimization by

Jminf K = Y(λrx0 x1 . . . xk .if (iszero (Jf Kx0 x1 . . . xk )) x0 (r(succ x0 )x1 . . . xk )) 0

In order to handle general recursive functions, which might be partial, there is

a subtlety with composition: if g is not defined on x, then compfg (x) should
not be defined, even if f is a constant function for instance, and this is not
the case with the current encoding. This is easily overcome with the following
construction: we write
t ↓ u = u t (λx.x)
for the term which should be read as “t provided u terminates”. It can be checked
∗
that t ↓ u does not reduce to a normal form if u does not and t ↓ n −→β t. We
CHAPTER 3. PURE λ-CALCULUS 128

can now use this trick to correct the behavior of our encoding. For instance,
the projection should be encoded as

Jpki K = λx1 . . . xk .(xi ↓ x1 ↓ . . . ↓ xk )

For the converse property, i.e. the definable functions are recursive, we should
encode λ-terms and their reduction into natural numbers, sometimes called
Gödel numbers. This can be done, see [Bar84] (or if you are willing to accept
that recursive functions are Turing-equivalent to usual programming languages,
this amounts to show that we can make a program which reduces λ-terms, which
we can, see section 3.5).

3.3.7 Self-interpreting. We see that λ-calculus provides yet another model

which is equivalent to Turing machines. This means that the functions we can
compute in both model are the same, but not that they are equally simple
to implement in both models. For instance, constructing a universal Turing
machine is not an easy task: we have to decide of an encoding of the transitions
on the tape and then build a Turing machine to use this encoding and the
resulting machine is usually not small nor particularly elegant.
In λ-calculus however, this is easy. For instance, we can encode a λ-term t
as a λ-term ptq, as follows. We first pick a fresh variable i (by fresh we mean
here i 6∈ FV(t)), replace every application u v in t by i t u and prepend λi to the
resulting term. For instance, the term

t = succ 0 = (λnf x.f (nf x))(λf x.x)

is encoded as
ptq = λi.i(λnf x.if (i(i n f )x))(λf x.x)
Even though the original term t could reduce, the term ptq cannot (because of
the manipulation we have performed on applications), and can thus be consid-
ered as a decent encoding of t. We can then define an interpreter as

int = λt.t (λx.x)

This term has the property that, for every λ-term t, int ptq β-reduces to the
normal form of t. More details can be found in [Bar91, Mog92, Lyn17].

3.3.8 Adding constructors. Even though we have seen that all the usual
constructions can be encoded in the λ-calculus, it is often convenient to add
those as new explicit constructions to the calculus. For instance, products can
be added to the λ-calculus by extending the syntax of λ-terms to

t, u ::= x | t u | λx.t | ht, ui | πl | πr

The new expressions are

– ht, ui: the pair of two terms t and u,
– πl and πr : the left and right projections respectively.
CHAPTER 3. PURE λ-CALCULUS 129

The β-reduction also has to be extended in order to account for those. We add
the two new reduction rules

πl ht, ui −→β t πr ht, ui −→β u

which express the fact that the left (resp. right) projection extracts the left
(resp. right) component of a pair. Although most important properties (such as
confluence) generalize to such variants of λ-calculus, we stick here to the plain
one for simplicity. Some extensions are used and detailed in section 4.3.

3.4 Confluence of the λ-calculus

In order to be reasonably useful, the λ-calculus should be reasonably deter-
ministic, i.e. we should somehow be able to speak about “the” result of the
evaluation (by which we mean the β-reduction) of a λ-term. The first observa-
tion we already made is that, on given a term, multiple distinct reductions may
be performed. For instance,

(λxy.y)((λa.a)(λb.b))

y (λxy.y)(λb.b)

Another hope might be that if we reduce long enough a term, we will end
up on a normal form (a term that cannot be reduced further), which can be
considered as a result of the computation, and that if we perform two such
reductions on a term, we will en up on the same normal form: the intermediate
steps might not be the same, but in the end we always end up with the same
result. For instance, on natural numbers, we can speak of 10 as the result of

(1 + 2) + (3 + 4)

because it does not depend on the intermediate steps used to compute it:

(1 + 2) + (3 + 4)

3 + (3 + 4) (1 + 2) + 7

3+7

10

However, in the case of λ-calculus, this hope is vain because we have seen that
some terms might lead to infinite sequence of β-reductions, thus never reaching
a normal form.

3.4.1 Confluence. The property which turns out to be satisfied in the case of
λ-calculus is called confluence: it states that if starting from a term t reduces
CHAPTER 3. PURE λ-CALCULUS 130

in many steps to a term u1 and also to a term u2 , then there exists a term v
such that both u1 and u2 reduce in many steps to v:

t
∗ ∗

u1 u2
∗ ∗
v

In other words, computation starting from a term t might lead to different

intermediate results, but there is always a way for those results to converge to
a common term.
Note that this result would not be valid if we required to have exactly one
reduction step each time. For instance, we need two reductions to complete the
following square on the right:

(λyx.xyy)(I I)

(λyx.xyy) I λx.x(I I)(I I)

λx.x(I I)I

λx.x I I

where I = λx.x is the identity. The easiest way to prove this confluence result
first requires to introduce a variant of the β-reduction.

3.4.2 The parallel β-reduction. The parallel β-reduction − is the smallest

relation on λ-terms such that

k t − t0 u − u0 k
(βx ) (βs )
x − x (λx.t)u − t0 [u0 /x]

t − t0 u − u0 k t − t0 k
(βa ) (β )
t u − t0 u0 λx.t − λx.t0 λ
∗
As usual, we write − for the reflexive and transitive closure of the relation −.
Informally, t − u means that u is obtained from t by reducing in one step
many of the β-redexes present in t at once. For instance, we have

(λxy.I x y)(I I) − λy.Iy − λy.y

where the first step intuitively corresponds to simultaneously performing the

three β-reductions

(λxy.I x y)(I I) −→β λy.I (I I) y I x −→β x I I −→β I

As for usual β-reduction, the parallel β-reduction might create some β-redexes
which were not present in the original term, and could thus not be reduced at
CHAPTER 3. PURE λ-CALCULUS 131

first. For this reason, even though we can reduce in multiple places at once, we
cannot perform a parallel β-reduction step directly from the term on the left to
the term on the right in the above example.
In parallel β-reduction, we are allowed not to perform all the available β-
reduction steps. In particular, we may perform none:
Lemma 3.4.2.1. For every λ-term t, we have t − t.
Proof. By induction on the term t.

3.4.3 Properties of the parallel β-reduction. We now study some proper-

ties of the parallel β-reduction. Since it corresponds to performing β-reduction
∗ ∗
steps in parallel, the relations − and −→β coincide: we can simulate parallel
β-reduction with β-reduction and conversely. Moreover, we will see that paral-
lel β-reduction is easily shown to be confluent, from which we will be able to
deduce the confluence of β-reduction.
First, any β-reduction step can be simulated by a parallel reduction step:
Lemma 3.4.3.1. If t −→β u then t − u.
Proof. By induction on the derivation of t −→β u.
Conversely, any parallel β-reduction step can be simulated by multiple β-re-
duction steps:
∗
Lemma 3.4.3.2. If t − u then t −→β u.

Proof. By induction on the derivation of t − u.

From this, we immediately deduce that the reflexive and transitive closure of
the two relations coincide:
∗ ∗
Lemma 3.4.3.3. We have t − u if and only if t −→β u.
∗
Proof. If t − u, this means that we have a sequence of parallel reduction steps

t = t0 − t1 − t2 − . . . − tn = u

Therefore, by lemma 3.4.3.2,

∗ ∗ ∗ ∗
t = t0 −→β t1 −→β t2 −→β . . . −→β tn = u
∗ ∗
and thus t −→β u. Conversely, if t −→β u, this means that we have a sequence
of β-reduction steps

t = t0 −→β t1 −→β t2 −→β . . . −→β tn = u

Therefore, by lemma 3.4.3.2,

t = t0 − t1 − t2 − . . . − tn = u
∗
and thus t − u.

Next, the parallel β-reduction is compatible with substitution.

Lemma 3.4.3.4. If t − t0 and u − u0 then t[u/x] − t0 [u0 /x].
CHAPTER 3. PURE λ-CALCULUS 132

Proof. By induction on the derivation of t − t0 .

– If the last rule is
k
(βx )
y − y
then t = y = t0 and we conclude with

y[u/x] = y − y = y[u/x]

or
x[u/x] = u − u0 = x[u/x]
depending on whether y 6= x or y = x.
– If the last rule is
t1 − t01 t2 − t02 k
(βs )
(λy.t1 ) t2 − t01 [t02 /y]
with y 6= x, then, by induction hypothesis, we have

t1 [u/x] − t01 [u0 /x] t2 [u/x] − t02 [u0 /x]

k
and thus, by (βs ),

(λy.t1 [u/x]) (t2 [u/x]) − t01 [u0 /x][t02 [u0 /x]/y]

which can be rewritten as

((λy.t1 ) t2 )[u/x] − t01 [t02 /y][u0 /x]

– If the last rule is

t1 − t01 t2 − t02 k
(βa )
t1 t2 − t01 t02
then, by induction hypothesis, we have

t1 [u/x] − t01 [u0 /x] t2 [u/x] − t02 [u0 /x]

k
and thus, by (βa ),

(t1 [u/x]) (t2 [u/x]) − (t01 [u0 /x]) (t02 [u0 /x])

otherwise said
(t1 t2 )[u/x] − (t01 t02 )[u0 /x]

– If the last rule is

t1 − t01 k
(β )
λy.t1 − λy.t01 λ
the by induction hypothesis we have

t1 [u/x] − t01 [u0 /x]

k
and thus, by (βλ ),

(λy.t1 )[u/x] = λy.t1 [u/x] − λy.t01 [u0 /x] = (λy.t01 )[u0 /x]

and we are done.

CHAPTER 3. PURE λ-CALCULUS 133

We can use this lemma to show that the β-reduction satisfies a variant of the
confluence property called the diamond property, or local confluence:
Lemma 3.4.3.5 (Diamond property). Suppose that t − u and t − u0 . Then
there exists v such that u − v and u0 − v:

u u0

Proof. Suppose that t − u and t − u0 . We show the result by induction on

the derivation of t − u.
– If the last rule of the derivation of t − u is
k
(βx )
x − x

then t = x = u and, by lemma 3.4.2.1, we have u0 − u0 :

x u0

u0

– If the last rule of the derivation of t − u is

t1 − u1 t2 − u2 k
(βs )
(λx.t1 )t2 − u1 [u2 /x]

we have two possible cases depending on the derivation of t − u0 .

– If the last rule of the derivation of t − u0 is
t1 − u01 t2 − u02 k
(βs )
(λx.t1 )t2 − u01 [u02 /x]

then, by induction hypothesis, there exists a term vi such that ui − vi

and u0i − vi , for i = 1 or i = 2:

t1 t2

u1 u01 u2 u02

v1 v2

Therefore, we have both

u1 [u2 /x] − v1 [v2 /x] and u01 [u02 /x] − v1 [v2 /x]
CHAPTER 3. PURE λ-CALCULUS 134

by lemma 3.4.3.4 and we can conclude:

(λx.t1 ) t2

u1 [u2 /x] u01 [u02 /x]

v1 [v2 /x]

– If the last rule of the derivation of t − u0 is

λx.t1 − t01 t2 − u02 k
(βa )
(λx.t1 ) t2 − t01 u02

then the last rule of the derivation of λx.t1 − t01 is necessarily of

the form
t1 − u01 k
(β )
λx.t1 − λx.u01 λ
with t01 = λx.u01 . By induction hypothesis, we have the existence of
the dotted reductions

t1 t2

u1 u01 u2 u02

v1 v2

We thus have
u1 [u2 /x] − v1 [v2 /x]
by lemma 3.4.3.4 and

(λx.u01 ) u02 − v1 [v2 /x]

k
by (βs ), from which we conclude:

(λx.t1 ) t2

u1 [u2 /x] (λx.u01 ) u02

v1 [v2 /x]

– If the last rule of the derivation of t − u is

t1 − u1 t2 − u2 k
(βa )
t1 t2 − u1 u2
k k
the derivation of t − u0 ends either with (βs ) or (βa ) and both cases are
handled similarly as above.
CHAPTER 3. PURE λ-CALCULUS 135

– If the last rule of the derivation of t − u is

t1 − u1 k
(β )
λx.t1 − λx.u1 λ

we can reason similarly as above.

From this, follows easily the confluence property of the relation − in two steps:
∗
Lemma 3.4.3.6. Suppose that t − u and t − u0 . Then there exists v such
∗ ∗
that u − v and u0 − v:
t
∗

u u0
∗
v
∗
Proof. By recurrence on the length of the upper-right reduction t − u0 , using
lemma 3.4.3.5.
∗ ∗
Theorem 3.4.3.7 (Confluence). Suppose that t − u and t − u0 . Then there
∗ ∗
exists v such that u − v and u0 − v:
t
∗ ∗

u u0
∗ ∗
v
∗
Proof. By recurrence on the length of the upper-left reduction t − u, using
lemma 3.4.3.6.

3.4.4 Confluence and the Church-Rosser theorem. As a consequence of

the above lemmas, we can finally deduce the confluence property of λ-calculus,
first proved by Church and Rosser [CR36], the proof presented here being due
to Tait and Martin-Löf:
∗
Theorem 3.4.4.1 (Confluence). The β-reduction is confluent: if t −→β u1 and
∗ ∗ ∗
t −→β u2 then there exists v such that u1 −→β v and u2 −→β v:

t
∗ ∗

u u0
∗ ∗
v
∗ ∗
Proof. Suppose that t −→β u1 and t −→β u2 . By lemma 3.4.3.3, we have
∗ ∗
t − u1 and t − u2 . From theorem 3.4.3.7, we deduce the existence of v such
∗ ∗ ∗
that u1 − v and u2 − v and, by lemma 3.4.3.3 again, we have u1 −→β v
∗
and u2 −→β v.
This implies the following theorem, sometimes called the Church-Rosser property
of λ-calculus:
CHAPTER 3. PURE λ-CALCULUS 136

Theorem 3.4.4.2 (Church-Rosser). Given two terms t and u such that t ===β u,
∗ ∗
there exists a term v such that t −→β v and u −→β v:
∗
t u
∗ ∗
v

Proof. By definition of β-equivalence, see section 3.2.7, there is n ∈ N and

terms ti for 0 6 i 6 2n such that
∗ ∗ ∗ ∗ ∗ ∗
t = t0β ←− t1 −→β t2β ←− t3 −→β . . . β ←− t2n−1 −→β t2n = u

We show the result by induction on n. For n = 0, the result is immediate.

Otherwise, we can complete the diagram as follows:

t1 t3 t2n−1
∗ ∗ ∗ ∗ ∗ ∗

t = t0 (c) t2 ... t2n = u

∗ ∗
v0 (ih)
∗
∗
v

where (c) is obtained by theorem 3.4.4.1 and (ih) by induction hypothesis.

One of the most important consequences is that a λ-term cannot reduce to two
distinct normal forms: if the computation terminates then its result is uniquely
defined.
Proposition 3.4.4.3. If t and u are two β-equivalent terms in normal forms then
t = u.
∗ ∗
Proof. By theorem 3.4.4.2, there exists v such that t −→β v and u −→β v.
Since t and u are normal forms, they cannot reduce and thus t = v = u.
Another byproduct is the so-called consistency of λ-calculus which states that
the β-equivalence relation does not identify all terms:
Theorem 3.4.4.4 (Consistency). There are terms which are not β-equivalent.

Proof. The terms λxy.x and λxy.y are normal forms. If they where equivalent
they would be equal by previous proposition, which is not the case.

3.5 Implementing reduction

3.5.1 Reduction strategies. We have seen that a λ-term can reduce in many
ways, but in practice people implement a particular deterministic way of choos-
ing reductions to perform: this is called a reduction strategy. This is the case
for OCaml and is easily observed by inserting prints. For instance, the program
let p = print_endline
let _ = (p "a"; (fun x y -> p "b"; x + y)) (p "c"; 2) (p "d"; 3)
CHAPTER 3. PURE λ-CALCULUS 137

will always print dcab in the toplevel. We shall now try to look at the options
we have here, in order to chose a strategy. A first question we have to answer is:
should we reduce functions or arguments first? Namely, consider a term of the
form (λx.t)u such that u reduces to u0 , we have two possible ways of reducing
it:
t[u/x]β ←− (λx.t)u −→β (λx.t)u0
which correspond to reducing functions or arguments first, giving rise to strate-
gies which are respectively called call-by-name and call-by-value. The call-by-
value has a tendency to be more efficient: even if the argument is used multiple
times in the function, we reduce it only once beforehand, whereas the call-by-
∗
name strategy reduces it each time it is used. For instance, if u −→β û, where
û is a normal form, we have the following sequences of reductions:
∗
– in call-by-value: (λx.f xx)u −→β (λx.f xx)û −→β f ûû,
∗ ∗
– in call-by-name: (λx.f xx)u −→β f uu −→β f ûu −→β f ûû.
The function λx.f xx uses twice its argument and therefore we have to reduce u
twice in the second case compared to only once in the first (and this can make a
huge difference if the argument is used much more than twice or if the reduction
of u requires many steps). However, there is a case where the call-by-value
strategy is inefficient: when the argument is not used in the function. Namely,
we always reduce the argument, even if it is not used afterward. For instance,
we have the following sequences of reductions:
∗
– in call-by-value: (λx.y)u −→β (λx.y)û −→β y
– in call-by-name: (λx.y)u −→β y
Otherwise said, we have already observed in section 3.2.3 that β-reduction can
duplicate and erase β-redexes. The call-by-value strategy is optimized for du-
plication and the call-by-name strategy is optimized for erasure. In practice,
people often write programs where they use a result multiple times and rarely
discard the result of computations, so that call-by-value strategies are generally
implemented (this is for instance the case in OCaml). However, for theoretical
purposes call-by-value strategies can be a problem: it might happen that a term
has a normal form and that this strategy does not find it. Namely, consider the
term
(λx.y)Ω
A call-by-value strategy will first try to compute the normal form for Ω and thus
loop, whereas a call-by-name strategy will directly reduce it to y. A strategy is
called normalizing when it will reach a normal form whenever a term has one:
we have seen that call-by-value does not have this property.

Orders on redexes. In more precise terms, to define a reduction strategy, we

have to chose the order in which we will reduce the redexes. Two partial orders
can be defined on redexes:
– the imbrication order: a redex is inside another redex when it is a subterm
of it, i.e. the redexes of t or of u are inside the redex

(λx.t)u
CHAPTER 3. PURE λ-CALCULUS 138

– the horizontal order: in a subterm

tu

every redex in t is on the left of every redex in u.

Any two redexes in a term can be compared with one of those orders; a strategy
can thus be specified by which redexes it favors with respect to each of these
orders:

– a strategy is innermost (resp. outermost) when it begins with redexes

which are the most inside (resp. outside),
– a strategy is left (resp. right) when it begins with redexes which are the
most on the left (resp. right).

For instance, the above examples illustrate the fact that the call-by-value and
call-by-name strategies are respectively innermost and outermost.

Partial evaluation. Another possibility which is generally offered when defining

a reduction strategy is to allow not reducing some terms which are not in normal
form. These terms can be thought of as “incomplete” and we are waiting for
some more information (e.g. an argument or the value of a free variable) in order
to further reduce them. Two such families are mainly considered:
– a strategy is weak when it does not reduce abstractions: a term of the
form λx.t will never be reduced, even if the term t contains redexes,
– a left strategy is head when it does not reduce variables applied to terms:
a term of the form x t1 . . . tn will never be reduced, even if some term ti
contains redexes.
A strategy is full when it is neither weak nor head.
The reason for considering weak strategies is that a function is usually
thought of as describing the actions to perform once arguments are given and
it is therefore natural to delay their execution until we actually know those ar-
guments. For instance, the strategy implemented in OCaml is weak: if it was
not the case then the program

let f n =
print_endline "Incrementing!";
n+1
would always print the message exactly once, even if the function is never called,
whereas we expect that the message is printed each time the function is called
(which is the case with a weak evaluation strategy). In pure λ-calculus, there is
no printing but one thing is easily observed: non-termination. For instance, we
want to be able to define a function which loops or not depending on a boolean
as follows:
λb.if b Ω I
This function takes a boolean as argument: if it is true it will return the term Ω
whose evaluation is going to loop, otherwise it returns the identity. If we evaluate
CHAPTER 3. PURE λ-CALCULUS 139

it with a weak strategy it will behave as expected, whereas if we use a non-

weak one, we might evaluate the body of the abstraction and thus loop when
reducing Ω, even if we give false as argument to the function.
Head reductions mostly make sense for strategies like call-by-name: in a
term (λx.t)u, we reduce to t[u/x] even if u is not in normal form because we
want to delay the evaluation of u until it is actually used. Now, in a term x u,
it might be the case that the free variable x will be replaced by an abstraction
later on, and we want therefore to delay the evaluation of u until this is the
case.
A term which cannot be reduced by a weak or head strategy is not necessarily
in normal form in the usual sense. Recall from proposition 3.2.6.1 that λ-terms
in normal form can be described by the following grammar:

v ::= λx.v | x v1 . . . vn

where v and vi are normal forms. A term is

– a weak normal form when it is generated by

v ::= λx.t | x v1 . . . vn

where t is a term and the vi are weak normal forms,

– a head normal form when it is generated by

v ::= λx.v | x t1 . . . tn

where v is a head normal form and the ti are terms,

– a weak head normal form when it is generated by

v ::= λx.t | x t1 . . . tn

where t and the ti are terms.

The terms which cannot be reduced in a weak (resp. head, resp. weak head)
strategy are precisely weak (resp. head, resp. weak head) normal forms. Weak
normal forms coincide with normal forms for terms which are not abstractions
(resp. closed terms): they do the job if we are mostly interested in those terms,
which we usually are. However, there are function which are weak (resp. head)
normal forms such as λx.I I (resp. x (I I)) and are not normal forms, so that a
weak (resp. head) strategy is never normalizing.

Summary of strategies. We will detail below four reduction strategies, whose

main properties are summarized below. Those strategies are the most well-
known and used ones, but other variants could of course be considered:
left. inner. weak head norm.
AO X X
CBV X X X
NO X X
CBN X X X
The columns respectively indicate whether the strategy is leftmost (or right-
most), innermost (or outermost), weak, head and normalizing.
CHAPTER 3. PURE λ-CALCULUS 140

Implementing λ-terms. In order to illustrate implementations of reduction strate-

gies in OCaml, we will encode λ-terms using the type

type term =
| Var of var
| App of term * term
| Abs of var * term
where var is an arbitrary type for identifying variables (in practice, we would
choose int or maybe string). We will also need a substitution function, such
that subst x t u computes the term u where all occurrences of the variable x
have been replaced by the term t:
let rec subst x t = function
| Var y -> if x = y then t else Var y
| App (u, v) -> App (subst x t u, subst x t v)
| Abs (y', u) ->
let y = fresh () in
let u = subst y' (Var y) u in
Abs (y, subst x t u)
In order to avoid name captures, we always refresh the names of the abstracted
variables when substituting under an abstraction (this is correct, but quite in-
efficient): in order to do so we use a function fresh which generates a new
variable name each time it is called, e.g. using an internal counter incremented
at each call. For each of the considered strategies below, we will define a func-
tion reduce which performs multiple β-reduction steps, in the order specified
by the strategy.

Call-by-value. The call-by-value strategy (CBV) is by far the most common,

this is the one used by OCaml for instance. Its name comes from the fact that
it computes the value of the argument of a function before applying the function
to the argument. It is defined as the weak leftmost innermost strategy. This
means that, given an application t u,
1. we evaluate t until we obtain a term of the form λx.t0 (where t0 is not
necessarily a normal form),

2. we then evaluate the argument u to a normal form û,

3. we then evaluate t0 [û/x].
The reduction function associated to this strategy can be implemented as fol-
lows:

let rec reduce = function

| Var x -> Var x
| Abs (x, t) -> Abs (x, t)
| App (t, u) ->
match reduce t with
| Abs (x, t') -> subst x (reduce u) t'
| t -> App (t, reduce u)
CHAPTER 3. PURE λ-CALCULUS 141

In the case App (t, u), it can be observed that both terms t and u are always
reduced, so that taking the rightmost variant of the strategy has little influ-
ence. Since it is a weak strategy, it is not normalizing, and normal forms for
this strategy will be weak normal forms. The above function does not directly
compute the weak normal form: it has to be iterated. For instance, applying it
to (λx.xy)(λx.x) will result in (λx.x)y, which further reduces to y.

Applicative order. The applicative order strategy (AO) is the leftmost innermost
strategy, i.e. the variant of call-by-name where we are allowed to reduce under
abstractions.
let rec reduce = function
| Var x -> Var x
| Abs (x, t) -> Abs (x, reduce t)
| App (t, u) ->
match reduce t with
| Abs (x, t') -> subst x (reduce u) t'
| t -> App (t, reduce u)

Normal forms are normal forms in the usual sense. As illustrated above, by the
term (λx.y)Ω, this strategy might not terminate even though the term has a
normal form, otherwise said the strategy is not normalizing.

Call-by-name. The call-by-name strategy (CBN) is the weak head leftmost out-
ermost strategy. Here, arguments are computed at each use and not once for all
as in call-by-value strategy. An implementation of the corresponding reduction
is

let rec reduce = function

| Var x -> Var x
| Abs (x, t) -> Abs (x, t)
| App (t, u) ->
match reduce t with
| Abs (x, t') -> subst x u t'
| t -> App (t, u)
Iterating this function computes the weak head normal form for a term, which
is the appropriate notion of normal form for the strategy. This strategy being
weak and head, it is not normalizing. However, it can be shown that if a term
has a weak head normal form, this strategy will compute it.

Normal order. The normal order strategy (NO) is the leftmost outermost strat-
egy. An implementation is

let rec reduce = function

| Var x -> Var x
| Abs (x, t) -> Abs (x, reduce t)
| App (t, u) ->
match reduce_cbn t with
| Abs (x, t') -> subst x u t'
| t -> App (reduce t, reduce u)
CHAPTER 3. PURE λ-CALCULUS 142

where reduce_cbn is the above call-by-name reduction strategy. Normal forms

for this strategy are normal forms and this strategy is actually normalizing: it
can be shown that if there is a way to reduce a λ-term to a normal form then
this strategy will find it, thus its name: this is a consequence of the so-called
standardization theorem in λ-calculus [Bar84, chapters 12 and 13].

Normalization. As indicated earlier, the reduce functions perform multiple re-

duction steps, in the order specified by the strategy, so that iterating it reduces
the term to its normal form following the strategy. A term can thus be normal-
ized according to one of the strategies using the following function:
let rec normalize t =
let u = reduce t in
if t = u then t else normalize u

3.5.2 Normalization by evaluation. The implementations provided in sec-

tion 3.5.1 are not really efficient because of one small reason: the substitution
function is not efficiently implemented. Doing this efficiently, while properly
taking bound variables in account, is actually quite difficult, see section 3.6.2.
When using a functional language such as OCaml, the compiler already has
support for that and we can use the reduction of the host language in order
to implement the β-reduction and compute normal forms. This is called nor-
malization by evaluation: we implement the normalization function using the
evaluation of the language. We shall now see how to perform that in practice.

Evaluation. We begin by describing our λ-terms as usual:

type term =
| Var of string
| Abs of string * term
| App of term * term
For convenience, variables names are described by strings. For instance, we can
define the looping λ-term Ω = (λx.xx)(λx.xx) by
let omega =
let o = Abs ("x", App (Var "x", Var "x")) in
App (o, o)
We are going to evaluate those terms to normal forms, that we call here values.
We know from proposition 3.2.6.1 that those normal forms can be characterized
as the λ-terms v generated by the grammar

v ::= λx.v | x v1 . . . vn

The terms of the second form x v1 . . . vn intuitively correspond to computations

which are “stuck” because we do not know the function which is to be applied to
the arguments: we only have a variable x here and will only be able to perform
the reduction when this variable is substituted by an actual abstraction. Those
are called neutral values and can be described by the grammar

n ::= x | n v
CHAPTER 3. PURE λ-CALCULUS 143

where v is a value. With this notation, values can be described by

v ::= λx.v | n

We can thus describe values as the following datatype:

type value =
| VAbs of string * value
| VNeu of neutral
and neutral =
| NVar of string
| NApp of neutral * value
Now, remember that our idea is to use the evaluation of the language. In order
to do so, the trick consists in describing λ-term λx.t not as a pair consisting of
the variable x and the term t, but as the function

u 7→ t[u/x]

which to a term u associates the term t with occurrences of x replaced by u:

after all, the only thing we want to be able to perform with the λ-term λx.t is
β-reduction! Instead of the above type, we thus actually describe values in this
way by
type value =
| VAbs of (value -> value)
| VNeu of neutral
and neutral =
| NVar of string
| NApp of neutral * value
We can then implement a function which evaluates a term to a value as follows:
let rec eval env = function
| Var x ->
(try List.assoc x env with Not_found -> VNeu (NVar x))
| Abs (x, t) -> VAbs (fun v -> eval ((x,v)::env) t)
| App (t, u) -> vapp (eval env t) (eval env u)
and vapp v w =
match v with
| VAbs f -> f w
| VNeu n -> VNeu (NApp (n, w))
The function eval takes as second argument the term to be evaluated (i.e. nor-
malized) and, as first argument, an “environment” env which is a list of pairs
(x, v) consisting of a variable x and a value v, such a pair indicating that the
free variable x has to be replaced by the value v in the term during the evalu-
ation (initially, this environment will typically be the empty list []). We then
evaluate terms as follows:
– if the term is a variable x, we try to lookup in the environment if there
is a value for it, in which case we return it, and return the variable x
otherwise,
CHAPTER 3. PURE λ-CALCULUS 144

– if the term is an abstraction λx.t, we return the value which is the function
which to a value v associates the evaluation of t in the environment where x
is bound to v,

– if the term is an application t u, we evaluate t to a value t̂ and u to a

value û; depending on the form of t̂, we have two cases:
– if t̂ = f is a function, we simply apply it to û,
– if t̂ = x v1 . . . vn , we return x v1 . . . vn û,

this last part being taken care of by the auxiliary function vapp (which
applies a value to another).
Finally, the environment is only really used during the evaluation and we define
let eval t = eval [] t

because from now on we will only use it in the empty environment.

You should remark that abstractions are not evaluated right away: we rather
construct a function which will evaluate it when an argument is given. In this
sense, the function actually computes the weak normal form for the term. This
function will not terminate if the β-reduction of the term does not. Typically,
the evaluation of Ω will not terminate:
let _ = eval omega

Readback. We are now pleased because we have a short and efficient imple-
mentation of normalization, excepting on one point: we cannot easily print or
serialize values because they contain functions. We now explain how we can
convert a value back to a term: this procedure is called readback. We will need
an infinite countable pool of fresh variables, so that we define the function

let fresh i = "x@" ^ string_of_int i

which generates the name of the i-th fresh variable, that we call here “x@i”,
supposing that initial terms will never contain variable names of this form (say
that the user cannot use “@” in a variable name). The readback function can
be implemented as follows:

let rec readback i v =

(* Read back a neutral term. *)
let rec neutral = function
| NVar x -> Var x
| NApp (n, v) -> App (neutral n, readback i v)
in
match v with
| VAbs f ->
let x = fresh i in
Abs (x, readback (i+1) (f (VNeu (NVar x))))
| VNeu n -> neutral n

It takes as argument an integer i (the index of the first fresh variable we have
not used yet) and a value v and returns the term corresponding to the value:
CHAPTER 3. PURE λ-CALCULUS 145

– if the value is a function f , we return the term λx.t where t = f (x) for
some fresh variable x,
– otherwise it is of the form x v1 . . . vn and we return x v 1 . . . v n where v i is
the term corresponding to the value vi .
We can then define function which normalizes a term by evaluating it to a value
and reading back the result:
let normalize t = readback 0 (eval t)
For instance, we can compute the normal form of the λ-term (λxy.x)y, which
is λz.y, by
let _ =
let t = App (Abs ("x", Abs ("y", Var "x")), Var "y") in
normalize t
which gives the expected result
Abs ("x@0", Var "y")
Note that this reduction requires α-converting the abstraction on y, and this
was correctly taken care of for us here.

Equivalence. Finally, we can test for β-equivalence of two λ-terms by comparing

their normal forms (see section 4.2.4):
let eq t u = (normalize t) = (normalize u)
This is not as obvious as is seems: it also takes care of α-conversion! Namely,
the readback function does not “randomly” generates fresh variables, but incre-
menting the counter i starting from 0 when progressing into the term. Because
of this, it canonically renames the variables. For instance, one can check that
the functions λx.x and λy.y are equal
let () =
let id = Abs ("x", Var "x") in
let id' = Abs ("y", Var "y") in
assert (eq id id')
Namely, both identity function are going to be normalized into the term
Abs ("x@0", Var "x@0")
The above equality normalizes two terms in order to compare them. It is
not as efficient as it could be in the case where the two terms are not equivalent:
we might ensure that two terms are not equivalent without fully normalizing
them. In order to understand why, first observe the following:
Lemma 3.5.2.1. Given a term t, the normal form of a term
– λx.t is necessarily of the form λx.t̂,
– x t is necessarily of the form x t̂
where t̂ is the normal form of t.
CHAPTER 3. PURE λ-CALCULUS 146

Proof. This follows from the facts that the only possible way to β-reduce a term
λx.t (resp. x t) is of the form λx.t −→β λx.t0 (resp. x t −→β x t0 ) by the rule (βλ )
(resp. (βr )).

For this reason, we know that two terms of the form λx.t and x u are never
β-convertible, no matter what the terms t and u are. In such a situation,
there is thus no need to fully normalize the two terms to compare them. More
generally, a term x t1 . . . tn is never equivalent to an abstraction. Based on this
observation, we can implement the test of β-equivalence as follows:

let eq t u =
(* Equality of values *)
let rec veq i v w =
match v, w with
| VAbs f, VAbs g ->
let x = VNeu (NVar (fresh i)) in
veq (i+1) (f x) (g x)
| VNeu m, VNeu n -> neq i m n
| _, _ -> false
(* Equality of neutral terms *)
and neq i m n =
match m, n with
| NVar x, NVar y -> x = y
| NApp (m, v), NApp (n, w) -> neq i m n && veq i v w
| _, _ -> false
in
veq 0 (eval t) (eval u)

Given two terms t and u, we reduce them to their weak normal form, i.e. we
reduce them until we find abstractions:
– if they are of the form λx.t0 and x u1 . . . un (or conversely), we know that
they are not equivalent (even though we have not computed the normal
form for t),
– if they are of the form λx.t0 and λx.u0 then we compare t0 and u0 (which
requires evaluating them further)
– if they are of the form x t1 . . . tm and y u1 . . . um , where the ti and ui are
weak normal forms, then they are equivalent if and only if x = y, m = n
and ti = ui for every index i.
For instance, this procedure allows ensuring that λx.Ω is not convertible to x:
let () =
let t = Abs ("x", omega) in
assert (not (eq t (Var "x")))
whereas the former equality procedure would loop when comparing the two
terms because it tries to fully evaluate λx.Ω.
CHAPTER 3. PURE λ-CALCULUS 147

3.6 Nameless syntaxes

It might be difficult to believe at first, but a great source of bugs in software
implementing compilers, proof-assistants, proving functional programs, and so
on, comes from incorrect handling of α-conversion. For instance, a naive imple-
mentation of substitution is:

x[u/x] = u
y[u/x] = y when y 6= x
(t t0 )[u/x] = (t[u/x]) (t0 [u/x])
(λy.t)[u/x] = λy.t[u/x]

The last case is incorrect, because we do not suppose that y 6∈ FV(t): we are
substituting x by t under the abstraction λy without taking in account the fact
that y might get bound in t in this way. For instance, this implementation
would lead to the following sequence of β-reductions

(λy.yy)(λf x.f x) −→ (λf x.f x)(λf x.f x) −→ λx.(λf x.f x)x −→ λxx.xx

In the second reduction step, there is an erroneous capture of x: a correct

normal form for the above term is λxy.xy. There are multiple ways around
this, and we have already seen in section 3.5.2 that normalization by evaluation
provides a satisfactory answer to this question. However, there are cases where
this technique is not an option (e.g. the host language is not functional, or we
want to perform more subtle manipulations than simply normalizing terms, or
we want to formalize λ-calculus in a proof assistant). We present below some
alternative syntaxes for λ-calculus which allow taking care of α-conversion in
terms and implement β-reduction correctly and efficiently.

3.6.1 The Barendregt convention. A first idea in order to avoid incorrect

captures of variables is to use the so-called Barendregt convention for naming
the variables of λ-terms: all variables which are λ-abstracted should be pairwise
distinct and distinct from all free variables.
Lemma 3.6.1.1. Every term is α-equivalent to one satisfying the Barendregt
convention.
This convention sometimes simplifies things. For instance, the above naive im-
plementation of β-reduction works on terms satisfying the convention. However,
after one β-reduction step, the λ-term is not guaranteed to satisfy the Baren-
dregt convention anymore (see the above example) and it is quite expensive to
have to α-convert the whole term at each reduction step in order to enforce the
convention.

3.6.2 De Bruijn indices. A more serious solution to this problem is given by

de Bruijn indices. The idea is that, in a closed term, every variable is created
by a specific abstraction in the term, so that instead of referring to a variable
by its name, we can identify it by the abstraction which created it. Moreover,
it turns out that there is a very convenient way to refer to an abstraction: the
number of abstractions we have to step over when going up in the syntactic tree
starting from the variable in order to reach the corresponding abstraction. This
CHAPTER 3. PURE λ-CALCULUS 148

number is called the de Bruijn index of the variable. For instance, consider the
λ-term
λx.x(λy.yx)
This lambda term can be graphically represented as a tree where a node la-
beled “λx” corresponds to an abstraction and a node “@” corresponds to an
application:
λx

x λy

y x
we have also figured in dotted arrows the links between a variable and the
abstraction which created it. In the first variables x and y, the abstraction we
are referring to is the one immediately above (we have to skip 0 λ’s), whereas
in the last occurrence of x, when going up starting from x in the syntactic tree,
the corresponding abstraction is not the first one (which is λy) but the second
one (we have to skip 1 λ). The information in the λ-term can thus equivalently
be represented by
λx.0(λy.01)
where each variable has been replaced by the number of λ’s we have to skip when
going up to reach to corresponding abstraction (note that a given variable, such
as x above, can have different indices, depending on its position in the term).
Now, the names of the variables do not really matter since we are working
modulo α-conversion: we might as well drop them and simply write

λ.0(λ.01)

This is a very convenient notation because it does not mention variables any-
more. What is not entirely clear yet is that we can implement β-reduction in
this formalism. We will see that it is indeed possible, but quite subtle and
difficult to get right.

Terms with de Bruijn indices. We thus consider a variant of the λ-calculus where
terms are generated by the grammar

t, u ::= i | t u | λ.t

where i ∈ N is the de Bruijn index of a variable. Following the preceding

remarks, a conversion function of_term from closed λ-terms into terms with de
Bruijn indices is provided in figure 3.1. It takes an auxiliary argument l which
is the list of variables already declared by abstractions: the de Bruijn index of
a variable is then the index of the variable in this list.
The preceding function will raise the exception Not_found if the term con-
tains free variables. It is however possible to adapt them to represent terms with
free variables using de Bruijn indices. The idea is that we should represent a
CHAPTER 3. PURE λ-CALCULUS 149

(** Traditional λ-terms. *)

type lambda =
| LVar of string
| LApp of lambda * lambda
| LAbs of string * lambda

(** De Bruijn λ-terms. *)

type deBruijn =
| Var of int
| App of deBruijn * deBruijn
| Abs of deBruijn

(** Index of an element in a list. *)

let rec index x = function
| y::l -> if x = y then 0 else 1 + index x l
| [] -> raise Not_found

(** De Bruijn representation of a closed term. *)

let of_term t =
let rec aux l = function
| LVar x -> Var (index x l)
| LApp (t, u) -> App (aux l t, aux l u)
| LAbs (x, t) -> Abs (aux (x::l) t)
in
aux [] t

Figure 3.1: Converting λ-terms into de Bruijn representation.

CHAPTER 3. PURE λ-CALCULUS 150

term t with n free variables FV(t) = {x0 , . . . , xn−1 } as if we were computing the
de Bruijn representation of t in the term λxn−1 . . . . λx0 .t, i.e. the free variables
are implicitly abstracted. For instance

λx.xx0 x2 is represented as λ.013

In practice, it is also possible (and convenient) to “mix” the two conventions:

have names for free variables and de Bruijn indices for bound variables. This is
called the locally nameless representation of λ-terms [Cha12].

Reduction. Our goal is now to implement β-reduction in the de Bruijn repre-

sentation of terms. The rule is, as usual,

(λ.t)u −→β t[u/0]

meaning that the variable 0 has to be replaced by u in t, where the substitution

t[u/0] remains to be defined. We actually need to define the substitution of any
variable since, when going under an abstraction, the index of the variable to be
substituted is increased by one. For instance, the β-reduction

λx.(λy.λz.y) (λt.t) −→β λx.(λz.y)[λt.t/y] = λx.λz.y[λt.t/y] = λx.λz.λt.t

i.e. graphically

λx λx

@ λz

λy λt −→β λt

λz t t

should correspond to the following steps

λ.(λ.λ.1) λ.0 −→β λ.(λ.1)[λ.0/0] = λ.λ.1[λ.0/1] = λ.λ.λ.0

We are thus tempted to define substitution by

i[u/i] = u
j[u/i] = j for j 6= i
0 0
(t t )[u/i] = (t[u/i]) (t [u/i])
(λ.t)[u/i] = λ.t[u/i + 1]

But it is incorrect because, in the last case, u might contain free variables, which
refer to above abstractions, and have to be increased by 1 when going under the
abstraction. For instance,

λx.(λy.λz.y) x −→β λx.(λz.y)[x/y] = λx.λz.y[x/y] = λx.λz.x

CHAPTER 3. PURE λ-CALCULUS 151

i.e. graphically

λx λx
@ λz
λy x −→β x

λz

will give rise to

λ.(λ.λ.1) 0 −→β λ.(λ.1)[0/0] = λ.λ.1[1/1] = λ.λ.1

The morale is that the last case of substitution should actually be

(λ.t)[u/i] = λ.t[u0 /i + 1] (3.3)

where u0 is the term obtained from u by increasing by 1 all free variables (and
leaving other variables untouched), what we will write u0 = ↑0 u in the following.
The “corrected version” with (3.3) still contains a bug, which comes from the fact
that β-reduction removes an abstraction, and therefore the indices of variables
in t referring to the variables abstracted above the removed abstraction have to
be decreased by 1. For instance

λx.(λy.x) (λt.t) −→β λx.x[λt.t/y] = λx.x

i.e. graphically

λx λx

@ x
−→β
λy λt

x t

corresponds to

λ.(λ.1) (λ.0) −→β λ.1[λ.0/0] = 0

This means that we should also correct the second case of substitution in order
to decrease the index of variables which were free in the original substitution.
And now we have it right.
In order to distinguish between bound and free variables in a term, it will be
convenient to maintain an index l, called the cutoff level, such that the indices
strictly below l correspond to bound variables and those above are free variables.
We thus first define a function ↑l such that ↑l t is the term obtained from t by
CHAPTER 3. PURE λ-CALCULUS 152

increasing by one all variables with index i > l, called the lifting of t at level l.
By induction,
(
i if i < l
↑l i =
i + 1 if i > l
↑l (t u) = (↑l t) (↑l u)
↑l (λ.t) = λ.(↑l+1 t)

The right way to think about it is that ↑l t is the term obtained from t by adding
a “new variable” of index l: the variables of index i > l have to be increased
by 1 in order to make room for the new variable. Similarly, we can define a
function ↓l such that, for every term t which does not contain the variable l, ↓l t
is the term obtained by removing the variable l (the unlifting of t): all variables
of index i > l have to be decreased by one. It turns out that we will only need
it when t is a variable so that we define
(
i − 1 if i > l
↓l i =
i if i < l

(it is not defined when i = l). With those at hand, we can finally correctly
define substitution:
Definition 3.6.2.1 (Substitution). Given terms t and u and variable i, we define
the substitution of i by u in t
t[u/i]
by induction by

i[u/i] = u
j[u/i] = ↓i j for j 6= i
(t t )[u/i] = (t[u/i]) (t0 [u/i])
0

(λ.t)[u/i] = λ.t[↑0 u/i + 1]

As indicated above, β-reduction can then be implemented with the rule

(λ.t)u −→β t[u/0]

An implementation of call-by-value β-reduction (see section 3.5.1) on λ-terms

in de Bruijn representation is given in figure 3.2.

3.6.3 Combinatory logic. Combinatory logic introduced by Schönfinkel, and

further studied by Curry, is another possible representation of λ-terms which
does not need to use variable binding or α-conversion: in this syntax, there is
simply no need for variables. Introductory references on the subject are [Bar84,
chapter 7] and [Sel02].
Our starting point is the following question: is there a small number of
“basic” λ-terms such that every λ-term can be obtained (up to β-equivalence)
by applying the basic λ-terms one to the other. This would mean that all the
abstractions we need in λ-terms can somehow be generated from those contained
in the basic λ-terms. It turns out that we only need three basic λ-terms, which
somehow encode some possible manipulations of variables:
CHAPTER 3. PURE λ-CALCULUS 153

(** Lambda terms. *)

type term =
| Var of int
| App of term * term
| Abs of term

(** Lift a term at l. *)

let rec lift l = function
| Var i -> if i < l then Var i else Var (i + 1)
| App (t, u) -> App (lift l t, lift l u)
| Abs t -> Abs (lift (l+1) t)

(** Unlift a variable i at l. *)

let unlift l i =
assert (l <> i);
if i < l then i else i-1

(** Substitute variable i for u in t. *)

let rec sub i u = function
| Var j -> if j = i then u else Var (unlift i j)
| App (t, t') -> App (sub i u t, sub i u t')
| Abs t -> Abs (sub (i+1) (lift 0 u) t)

(** Call-by-value reduction. *)

let rec reduce = function
| Var i -> Var i
| Abs t -> Abs t
| App (t, u) ->
match reduce t with
| Abs t' -> sub 0 (reduce u) t'
| t -> App (t, reduce u)

Figure 3.2: Normalization of λ-term using de Bruijn indices.

CHAPTER 3. PURE λ-CALCULUS 154

– I = λx.x corresponds to using a variable,

– S = λxyz.(xz)(yz) corresponds to duplicating a variable,
– K = λxy.x corresponds to erasing a variable.
Namely, it can be observed that the last abstracted variable of those terms is
used, duplicated and erased respectively. As surprising as it seems as first, we
can actually obtain any λ-term by application of those only. For instance, the
term λxy.yy can be obtained as K ((S I) I): you can check that
∗
K ((S I) I) −→β λxy.yy
Moreover, we can give the β-reduction rules directly for the basic terms: given
any terms t, u, and v, we have
I t −→β t S t u v −→β (t u)(t v) K t u −→β t
These are the only possible reductions for terms made of basic terms, and we
have thus described β-reduction without using variables. This motivates the
study, in the following of terms constructed from those, with the above rules as
reduction.

Definition. The terms of combinatory logic are generated by variables, appli-

cation and the three above constants. Formally, they are generated by the
grammar
T, U ::= x | T U | S | K | I
where x is a variable, T and U are terms in combinatory logic and S, K and I
are constants. The reduction rules are

S T U V −→ (T V ) (U V ) K T U −→ T I T −→ T

T −→ T 0 U −→ U 0
T U −→ T 0 U T U −→ T U 0
We implicitly bracket application on the left, i.e. T U V is read as (T U ) V . As
∗
usual, we write −→ for the reflexive and transitive closure of the relation −→,
∗
and ←→ for it reflexive, symmetric and transitive closure. A normal form is
a term which does not reduce. We write FV(T ) for the set of variables of a
term T . A combinator is a term without variables.

Implementation. In OCaml, the terms of combinatory logic can be described by

the type
type term =
| Var of var
| App of term * term
| S | K | I
The leftmost outermost reduction strategy (see section 3.5.1) can be shown to
be normalizing: if a term admits a normal form then this strategy will reach it
(we will see in theorem 3.6.3.3 that this normal form is necessarily unique). In
OCaml, it can be implemented as follows:
CHAPTER 3. PURE λ-CALCULUS 155

let rec normalize t =

match t with
| Var _ | S | K | I -> t
| App (t, v) ->
match normalize t with
| I -> v
| App (K, t) -> normalize t
| App (App (S, t), u) ->
normalize (App (App (t, v), App (u, v)))
| t -> App (t, normalize v)
An alternative, more elegant and efficient, implementation of this normalization
procedure can be achieved by taking an additional argument enc, which is a list
of arguments the current term is applied to, which is sometimes called Krivine’s
trick: compared to the previous implementation, we avoid normalizing multiple
times the same term.
let rec normalize t env =
match t, env with
| App (t, u), _ -> normalize t (u::env)
| I, t::env -> normalize t env
| K, t::u::env -> normalize t env
| S, t::u::v::env -> normalize t (v::(App(u,v))::env)
| t, env -> (* apply to normalized arguments *)
List.fold_left (fun t u -> App (t, normalize u [])) t env
Example 3.6.3.1. Consider the combinator S K K. It satisfies, for any term T ,

S K K T −→ K T (K T ) −→ T

Therefore the combinatory I is superfluous in our system, since it can be imple-

mented as
I = SKK
which means that we could have restricted ourselves to the two combinators S
and K only.
Example 3.6.3.2. The term (S I I) (S I I) leads to an infinite sequence of reductions:
∗
(S I I) (S I I) −→ (S I I) (I (S I I)) −→ (S I I) (S I I) −→ · · ·
∗
Theorem 3.6.3.3. The reduction relation −→ is confluent.
Proof. This can be shown as in section 3.4, by introducing a notion of parallel
reduction and showing that it has the diamond property.

Abstraction. We can simulate abstractions in combinatory logic as follows. Given

a variable x and a term T , we define a new term Λx.T by

Λx.x = I
Λx.T = K T if x 6∈ FV(T ),
Λx.(T U ) = S (Λx.T ) (Λx.U ) otherwise.
CHAPTER 3. PURE λ-CALCULUS 156

Example 3.6.3.4. We have

Λx.Λy.x = S (K K) I

Note that the term on the right is a normal form (in particular, it does not
reduce to K).
Given terms T, U , we write T [U/x] for the term T where the variable x has been
replaced by U .
Lemma 3.6.3.5. For any terms T, U and variable x, we have
∗
(Λx.T ) U −→ T [U/x]

Proof. By induction on T .

Translation. We can now define translations between λ-terms and combinatory

terms:
– we translate a λ-term t as a combinatory term JtKcl ,

– we translate a combinatory term T as a λ-term JT Kλ .

These transformations are defined inductively as follows:

JxKcl = x JxKλ = x
Jt uKcl = JtKcl JuKcl JT U Kλ = JT Kλ JU Kλ
Jλx.tKcl = Λx.JtKcl JSKλ = λxyz.(xz)(yz)
JKKλ = λxy.x
JIKλ = λx.x

Example 3.6.3.6. For instance, we have the following translations of λ-terms:

Jλxy.xKcl = S (K K) I Jλxy.yyKcl = K (S I I)

and of combinatory term:

JS (K K) IKλ = (λxyz.(xz)(yz))((λxy.x)(λxy.x))(λx.x)
∗ ∗
Lemma 3.6.3.7. For any terms T, U , if T −→ U then JT Kλ −→β JU Kλ .
Proof. By induction on T .
The reduction of combinatory terms can be simulated in λ-calculus:
∗
Lemma 3.6.3.8. For any term T , JΛx.T Kλ −→β λx.JT Kλ .
Proof. By induction on T .
Translating a λ-term back and forth has no effect up to β-equivalence:
∗
Lemma 3.6.3.9. For any λ-term t, JJtKcl Kλ −→β t.

Proof. By induction on t, using previous lemma in the case of abstraction.

CHAPTER 3. PURE λ-CALCULUS 157

The previous theorem, together with lemma 3.6.3.7, can be seen as the fact that
combinatory logic embeds into λ-calculus (modulo β-reduction). It also implies
that the basic combinators S, K and I can be thought of as a “basis” from which
all the λ-terms can be generated:
Corollary 3.6.3.10. Every closed λ-term is β-equivalent to one obtained from S,
K and I by application.
This dictionary between λ-calculus and combinatory logic unfortunately has
a number of minor defects. First, it is not true that
∗ ∗
t −→β u implies JtKcl −→ JuKcl
For instance, we have
Jλx.(λy.y) xKcl = S (K I) I Jλx.xKcl = I (3.4)
where both combinatory terms are normal forms. If we try to go through the
induction, the problem comes from the fact that β-reduction satisfies the rule
on the left below, often called (ξ), whereas the corresponding principle on the
right is not valid in combinatory logic:
t −→β t0 T −→ T 0
(ξ)
λx.t −→β λx.t0 Λx.T −→ Λx.T 0
as the above example illustrates. Intuitively, this is due to the fact that we have
not yet provided enough arguments to the terms. Namely, if we apply both
terms of (3.4) to an arbitrary term T , we obtain the same result:
S (K I) I T −→ K I T (I T ) −→ I (I T ) −→ I T −→ T and I T −→ T
In general, it can be shown that
∗ ∗
t −→β u implies JtKcl T1 . . . Tn −→ JuKcl T1 . . . Tn
for every terms Ti , provided that n is a large enough natural number depending
on t and u. It is also not true that the translation of a combinatory term in
normal form is a normal λ-term:
JK xKcl = (λxy.x) x −→β λy. x
Again, the term K x is intuitively a normal form only because it is not applied
to enough arguments. Finally, given a term T , the terms JJT Kλ Kcl and T are
not convertible in general. For instance
JJKKλ Kcl = Jλxy.xKcl = S (K K) I 6= K
Both terms are normal forms and if they were convertible, they would reduce to
a common term by theorem 3.6.3.3. This is again due to the lack of arguments:
for every term T , we have
∗
S (K K) I T −→ K T
Two combinatory terms T and T 0 are extensionally equivalent, when for every
∗
term U , we have T U ←→ T 0 U . It can be shown that combinatory terms modulo
reduction and extensional equivalence are in bijection with λ-terms modulo β
and η, via the translations we have defined.
CHAPTER 3. PURE λ-CALCULUS 158

Iota. We have seen in example 3.6.3.1 that the combinatory I is superfluous,

so that the two combinators S and K are sufficient. Can we remove another
combinator? With S and K we cannot. We can however come up with one
combinator which subsumes both S and K: if we define the λ-term

ι = λx.x S K

we have

I = ιι K = ι (ι (ι ι)) S = ι (ι (ι (ι ι)))

We can therefore base combinatory logic on the only combinator ι, the reduction
rule being
ι T −→ T S K = T (ι (ι (ι (ι ι)))) (ι (ι (ι ι)))
In the sense described above, any λ-term can thus be encoded as a combinator
based on ι, i.e. as a term generated by the grammar

t, u ::= ι | t u

Any λ-term t can thus be encoded as a binary word [t] defined by

[ι] = 1 [t u] = 0[t][u]

so that ι (ι (ι ι)) is encoded as 0101011.

 Chapter 4

Simply typed λ-calculus

If λ-calculus introduced in chapter 3 can be seen as the functional core of a

programming language, the simply typed λ-calculus studied in this chapter is
the core of a typed programming language. It will allow us to make formal the
title of the book: we will see that a type can be seen as a formula and a typable
λ-term corresponds precisely to a proof of its type. This is the so-called Curry-
Howard correspondence which is at the heart of this course. From a historical
point of view, this calculus was introduced by Church in the 40s [Chu40], in
order to provide a foundation of logics and mathematics. Good further reading
material on the subject include [Pie02, SU06].
We introduce types for λ-calculus in section 4.1, show that typable terms are
terminating in section 4.2, extend typing to other types constructors than arrows
in section 4.3, discuss the variant where abstracted variables are not typed in
section 4.4, discuss the relationship between Hilbert calculus and combinators
in section 4.5, and finally present extensions to classical logic in section 4.6.

4.1 Typing
4.1.1 Types. A simple type is an expression made of variables and arrows.
Those are generated by the grammar

A, B ::= X | A → B

A simple type is thus either

– a type variable X,
– an arrow type A → B read as the type of functions from A to B (which
are themselves simple types).
By convention arrows are implicitly bracketed on the right: A → B → C is read
as A → (B → C).

4.1.2 Contexts. A context

Γ = x 1 : A1 , . . . , x n : An

is a list of pairs consisting of a variable xi (in the sense of λ-calculus, see sec-
tion 3.1.1) and a type Ai . A context is thus either the empty context or of
the form Γ, x : A for some context Γ, which is useful to reason by induction on
contexts. The domain dom(Γ) of the context Γ is the set of variables occurring
in it:
dom(Γ) = {x1 , . . . , xn }
Given a variable x ∈ dom(Γ), sometimes write Γ(x) for the type associated with
it. Here, we do not require that in a context all the variables xi are distinct: to
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 160

be precise Γ(x) is the rightmost pair x : A occurring in Γ, which can be defined

by induction by

(Γ, x : A)(x) = A (Γ, y : A)(x) = Γ(x)

for y 6= x.

4.1.3 λ-terms. We are going to consider a small variation of λ-terms: we sup-

pose that all λ-abstractions specify the type of the abstracted variable. The
syntax for terms is thus
t, u ::= x | t u | λxA .t
where x is a variable, t and u are terms, and A is a type. An abstraction λxA .t
should be read as a function taking an argument x of type A and returning t.

Church vs Curry style for λ-terms. The above convention, where abstractions
are typed, is called Church style λ-terms. We will see that adopting it greatly
simplifies the questions one is usually interested in for those terms (such as type
checking, see section 4.1.6), at the cost of requiring small annotations from the
user (the type of the abstractions).
A variant of the theory where abstractions are not typed can also be devel-
oped and is called Curry style, see section 4.4. This is for instance the convention
used in OCaml: one would typically write
let f = fun x -> x

although the Church style is also supported, i.e. we can also write
let f = fun (x:int) -> x

4.1.4 Typing. A sequent is a triple noted

Γ`t:A (4.1)

consisting of context Γ, a λ-term t and a type A. A term t has type A in a

context Γ when the sequent (4.1) when it is derivable using the three rules of
figure 4.1 where, in the rule (ax), we suppose x ∈ dom(Γ) satisfied as a slide
condition. Those rules can be read as follows:
– (ax): in an environment where x is of type A, we know that x is of type A,
– (→I ): if, supposing x is of type A, t is of type B, then the function λx.t
which to x associates t is of type A → B,
– (→E ): given a function t of type A → B and an argument u of type A,
the result of the application t u is of type B.
We simply say that the term t has type A if it is so in the empty context. A
derivation in this system is sometimes called a typing derivation. A term t is
typable when it has some type A in some context Γ.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 161

(ax)
Γ ` x : Γ(x)

Γ, x : A ` t : B
(→I )
Γ ` λxA .t : A → B

Γ`t:A→B Γ`u:A
(→E )
Γ ` tu : B

Figure 4.1: Typing rules of simply-typed λ-calculus

Example 4.1.4.1. The term

λf A→A .λxA .f (f x)

has type
(A → A) → A → A
Namely, we have the typing derivation

(ax) (ax)
Γ`f :A→A Γ`x:A
(ax) (→E )
Γ`f :A→A Γ ` fx : A
(→E )
f : A → A, x : A ` f (f x) : A
(→I )
f : A → A ` λxA .f (f x) : A → A
(→I )
` λf A→A .λxA .f (f x) : (A → A) → A → A

with
Γ = f : A → A, x : A
Remark 4.1.4.2. Although this will mostly remain implicit in the following, we
consider sequents up to α-conversion: this means that, in a sequent Γ ` t : A,
we can change a variable x into y both in Γ and in t at the same time, provided
that y 6∈ dom(Γ). Because of this, we can always assume that all the variables
are distinct in the contexts we consider. This assumption is sometimes useful
to reason about proofs, e.g. with this convention, the axiom rule is equivalent
to
(ax)
Γ, x : A, Γ0 ` x : A
We do however feel bad about systematically assuming this because, in practice,
implementations of logical or typing systems do not maintain this invariant.

4.1.5 Basic properties of the typing system. We state here some basic
properties of the typing system, which will be used in the sequel. First, the
following variant of the structural rules (see section 2.2.10) hold.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 162

Lemma 4.1.5.1 (Weakening rule). The weakening rule is admissible

Γ, Γ0 ` t : B
(wk)
Γ, x : A, Γ0 ` t : B

provided that x 6∈ dom(Γ).

Proof. By induction on the proof of Γ, Γ0 ` t : B. The case of axiom rules uses
the fact that we can suppose that x 6∈ dom(Γ), since we are considering sequents
up to α-conversion, see remark 4.1.4.2.

Lemma 4.1.5.2 (Exchange rule). The exchange rule is admissible

Γ, x : A, y : B, Γ0 ` t : C
(xch)
Γ, y : B, x : A, Γ0 ` t : C

provided that x 6= y.
Proof. By induction on the proof of the premise.

Lemma 4.1.5.3 (Contraction rule). The contraction rule is admissible:

Γ, x : A, y : A, Γ0 ` t : B
(contr)
Γ, x : A, Γ0 ` t[x/y] : B

Proof. By induction on the proof of the premise.

All the free variables of a typable term are bound in the context:
Lemma 4.1.5.4. Given a derivable sequent Γ ` t : A, we have FV(t) ⊆ dom(Γ).
Proof. By induction on the proof of the sequent.
In particular, a term t typable in the empty context is necessarily closed,
i.e. FV(t) = ∅. Conversely, a variable which does not occur in the term can
be removed:
Lemma 4.1.5.5. Given a derivable sequent Γ, x : A, Γ0 ` t : A with x 6∈ FV(t),
the sequent Γ, Γ0 ` t : A is also derivable.
Proof. By induction on the proof of the sequent.

4.1.6 Type checking, type inference and typability. The three most im-
portant algorithmic questions when considering a typing system are the follow-
ing ones.

– The type checking problem consists, given a context Γ, a term t and a

type A, in deciding whether t has type A in context Γ.
– The type inference problem consists, given a context Γ and a type t which
is typable in the context Γ, in finding a type A such that t has type A in
context Γ.

– The typability problem consist, given a context Γ and a term t, in deciding

whether t admits a type in this context.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 163

In simply-typed λ-calculus all those three problems are very easy: they can
be answered in linear time over the size of the term t (neglecting the size of Γ):
Theorem 4.1.6.1 (Uniqueness of typing). Given a context Γ and a term t there
is at most one type A such that t has type A in the context Γ and at most one
derivation of Γ ` t : A.
Proof. By induction on the term t. We have the following cases depending on
its shape:

– if the term is of the form x then it is typable iff x ∈ dom(Γ) and in this
case the typing derivation is
(ax)
Γ`x:A

with A = Γ(x),
– if the term is of the form t u then it is typable iff both t and u are typable
in Γ, with respective types of the form A → B and A, and in this case the
typing derivation is
.. ..
. .
Γ`t:A→B Γ`u:A
(→E )
Γ ` tu : B

– if the term is of the form λxA .t then it is typable iff t is typable in con-
text Γ, x : A with some type B, and in this case the typing derivation
is
..
.
Γ, x : A ` B
(→I )
Γ ` λxA .t : A → B

This concludes the proof.

The above theorem allows one to speak of “the” type and “the” typing derivation
of a typable term. Moreover, its proof is constructive, in the sense that it allows
to explicitly construct the type of a term when it exists (i.e. perform type
inference) and determine that the type admits no type otherwise (i.e. perform
typability), by induction on the type of the term. Since a term admits a unique
type, the type checking problem can be reduced to type inference: in a given
context, a term t admits a type A if and only if the type inferred for t is A.

Implementation. An implementation is provided in figure 4.2.

– The function infer infers the type of a given term in a given context env,
which is a list of pairs consisting of a variable and a type, encoding the
typing context Γ (in reversed order). Depending on whether the term is
a variable, an abstraction or an application, the function will recursively
look for proofs, as indicated by the rules (ax), (→I ) and (→E ) respectively.
The function raises the exception Not_found when no such type exists.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 164

– The function check performs type checking: given an environment env, a

term t and a type a, it returns () if the term admits the given type and
raises Not_found otherwise. The implementation of this function corre-
sponds to the proof of theorem 4.1.6.1.
– The function typable determines whether a terms admits a type or not
in a given environment.

4.1.7 The Curry-Howard correspondence. The presentation and naming

of the rules of section 4.1.4 is intended to make it clear the relation with logic:
if we erase the term annotations and replace → by ⇒, we obtain precisely the
rules of the implicational fragment of intuitionistic logic, see section 2.2.6. This
parallel between the typing rules (on the left) and the rules in natural deduction
(on the right) is shown in the table below:

(ax) (ax)
Γ, x : A, Γ0 ` x : A Γ, A, Γ0 ` A

Γ, x : A ` t : B Γ, A ` B
A
(→I ) (⇒I )
Γ ` λx .t : A → B Γ`A⇒B

Γ`t:A→B Γ`u:A Γ`A⇒B Γ`A

(→E ) (⇒E )
Γ ` tu : B Γ`B

If we start from a typing derivation, we thus obtain a derivation in NJ by erasing

the terms, i.e. replacing a rule on the left column above by the corresponding rule
on the right column: we call it here the term erasing procedure. Abstractions
thus correspond to introduction rules of ⇒, applications to elimination rules
of ⇒, and variables to axiom rules. In fact, the relationship between typable
terms and proofs in NJ is very tight: this is known as the Curry-Howard cor-
respondence, also called proofs-as-programs correspondence or propositions-as-
types correspondence, which originates in works from the 1960s [CF58, How69].
Theorem 4.1.7.1 (Curry-Howard correspondence). Given a context Γ and a
type A, the term erasing procedure induces a one-to-one correspondence be-
tween
(i) λ-terms of type A in the context Γ, and
(ii) proofs in the implicational fragment of NJ of Γ ` A.
Proof. Suppose given a proof π of a sequent. We construct a term t having this
proof as typing derivation by induction on the proof:
– if the proof is of the form

(ax)
Γ, A, Γ0 ` A

then necessarily the corresponding typing derivation is

(ax)
Γ, x : A, Γ0 ` x : A
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 165

type var = string

(** Types. *)
type ty =
| TVar of string
| Arr of ty * ty

(** Terms. *)
type term =
| Var of var
| App of term * term
| Abs of var * ty * term

exception Type_error

(** Type inference. *)

let rec infer env = function
| Var x ->
(try List.assoc x env with Not_found -> raise Type_error)
| Abs (x, a, t) ->
Arr (a, infer ((x,a)::env) t)
| App (t, u) ->
match infer env t with
| Arr (a, b) -> check env u a; b
| _ -> raise Type_error

(** Type checking. *)

and check env t a =
if infer env t <> a then raise Type_error

(** Typability. *)
let typable env t =
try let _ = infer env t in true
with Type_error -> false

Figure 4.2: Type checking, type inference and typability.

CHAPTER 4. SIMPLY TYPED λ-CALCULUS 166

– if the proof is of the form

π π0
Γ`A⇒B Γ`A
(⇒E )
Γ`B

then by induction hypothesis we have a terms t and u with typing deriva-

tions
.. ..
. .
Γ`t:A→B Γ`u:A
and necessarily the typing derivation is
.. ..
. .
Γ`t:A→B Γ`u:A
(→I )
Γ ` tu : B

– if the proof is of the form

π
Γ, A ` B
(⇒I )
Γ`A⇒B

then by induction hypothesis we have a typing derivation

..
.
Γ, x : A ` t : B

and necessarily the typing derivation is of the form

..
.
Γ, x : A ` t : B
(→I )
Γ ` λxA .t : A → B

Conversely, given a term of type A in the context Γ, theorem 4.1.6.1 ensures

that there is at most one type derivation for it, and erasing it provides a proof
of Γ ` A. Finally, it can be shown that both translations establish a bijective
correspondence.
In the light of previous theorem, typable λ-terms can be thought of as witnesses
for proofs.
Remark 4.1.7.2 (Contexts as sets). The two λ-terms λxA .λy A .x and λxA .λy A .y
both have the type A → A → A:
(ax) (ax)
x : A, y : A ` x : A x : A, y : A ` y : A
(→I ) (→I )
x : A ` λy A .x : A → A x : A ` λy A .y : A → A
(→I ) (→I )
` λxA .λy A .x : A → A → A ` λxA .λy A .y : A → A → A
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 167

and they are clearly different (they respectively correspond to the first and the
second projection). This sheds a new light on our remark of section 2.2.10,
stating that contexts should be lists and not sets in proof systems. If we han-
dled them as sets, we would not be able to distinguish them since both would
correspond, via the “Curry-Howard correspondence”, to the proof
(ax)
A`A
(⇒I )
A`A⇒A
(⇒I )
`A⇒A⇒A

In other words, it is important, in axiom rules, to know exactly which hypothesis

we are using in the context when there are two of the same type.
Remark 4.1.7.3 (Equivalence vs isomorphism). In the same vein as previous re-
mark, there is a difference between equivalence and isomorphism in type theory.
For instance, we have an equivalence

(A ⇒ A ⇒ B) ⇔ (A ⇒ B)

but the types A ⇒ A ⇒ B and A ⇒ B are not isomorphic. The equivalence

amounts to having terms corresponding to both implications of the equivalence:

t : (A → A → B) → (A → B) u : (A → B) → (A → A → B)

Here, we can take

t = λf A→A→B .λxA .f x x u = λf A→B .λxA .λy A .f x

Such a pair of terms is an isomorphism when both composites are (βη-equivalent

to) the identity:

λf A→B .t (u f ) ===βη λf A→B .f

λf A→A→B .u (t f ) ===βη λf A→A→B .f

In the above example, the first equality does hold, but not the second since

λf A→A→B .u (t f ) = λf A→A→B .λxA .f x x =6==βη λf A→A→B .f

4.1.8 Subject reduction. An important property, relating typing and β-re-

duction in the λ-calculus is the subject reduction property, already encountered
in theorem 1.4.3.2: typing does not change during evaluation, by which we mean
here β-reduction. We first need an auxiliary lemma:
Lemma 4.1.8.1 (Substitution lemma). Suppose that we have a typing derivation
of
Γ, x : A, Γ0 ` t : B and Γ, Γ0 ` u : A
then we have a typing derivation of Γ, Γ0 ` t[u/x] : B. Otherwise said, the rule

Γ, x : A, Γ0 ` t : B Γ, Γ0 ` u : A
0
Γ, Γ ` t[u/x] : B

is admissible.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 168

Proof. By induction on the typing derivation of Γ, x : A, Γ0 ` t : B.

– If it is of the form
(ax)
Γ, x : A, Γ0 ` x : A
then we conclude with the proof of Γ, Γ0 ` u : A in the hypothesis.
– If it is of the form
(ax)
Γ, x : A, Γ0 ` y : B
where x 6= y and y : B occurs in Γ or Γ0 , then we conclude with
(ax)
Γ, Γ0 ` y : B

– If it is of the form
π1 π2
Γ, x : A, Γ0 ` t : B ⇒ C Γ, x : A, Γ0 ` t0 : B
(⇒E )
Γ, x : A, Γ0 ` t t0 : C

then we conclude with

π10 π20
Γ, Γ0 ` t[u/x] : B ⇒ C Γ, x : A, Γ0 ` t0 [u/x] : B
(⇒E )
Γ, Γ0 ` (t[u/x]) (t0 [u/x]) : C

where π10 and π20 are respectively obtained from π1 and π2 by induction
hypothesis.
– If it is of the form
π
0
Γ, x : A, Γ , y : B ` t : C
(⇒I )
Γ, x : A, Γ0 ` λy.t : B ⇒ C

then we conclude with

π0
0
Γ, Γ , y : B ` t[u/x] : C
(⇒I )
Γ, Γ0 ` λy.t[u/x] : B ⇒ C

where π 0 is obtained from

..
.
0
π Γ, Γ ` u : A
and (wk)
Γ, x : A, Γ0 , y : B ` t : C Γ, x : A, Γ0 ` u : A

by induction hypothesis.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 169

Remark 4.1.8.2. Note that, through the Curry-Howard correspondence, the sub-
stitution lemma precisely corresponds to the “proof substitution” of proposi-
tion 2.3.2.1: the term erasure of the rule of lemma 4.1.8.1 is the cut rule
Γ, A, Γ0 ` B Γ, Γ0 ` A
(cut)
Γ, Γ0 ` B

It should not be a surprise: under the Curry-Howard correspondence, substi-

tuting proofs corresponds to substituting terms.
Theorem 4.1.8.3 (Subject reduction). Suppose given a term t of type A in a
context Γ. If t β-reduces to t0 then t0 also has type A in the context Γ.
Proof. By induction on the derivation of t −→β t0 (see section 3.2.1).
– If the derivation ends with (βs ), it is of the form

(λx.t)u −→β t[u/x]

and the typing derivation of the term on the left is of the form
..
.
..
Γ, x : A ` t : B .
(→I )
Γ ` λx.t : A → B Γ`u:B
(→E )
Γ ` (λx.t) u : B

We conclude by lemma 4.1.8.1 which ensures the existence of a derivation

of the form
..
.
Γ ` t[u/x] : B

– If the derivation ends with (βl ), it is of the form

t u −→β t0 u

with t −→β t0 , and the typing derivation of the term on the left is of the
form
π1 π2
Γ`t:A→B Γ, x : A ` u : B
(→E )
Γ ` tu : B
We conclude with the derivation
π10 π2
0
Γ`t :A→B Γ, x : A ` u : B
(→E )
Γ ` t0 u : B

where π10 is obtained by induction hypothesis.

– The cases of (βr ) and (βλ ) are similar to the previous one.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 170

Example 4.1.8.4. We have the typing derivation

(ax)
x : A, y : A ` y : A
(→I ) (ax)
x : A ` λy A .y : A → A x:A`x:A
(→E )
x : A ` (λy A .y)x : A
(→I )
` λxA .(λy A .y)x : A → A

and the reduction

λxA .(λy A .y)x −→β λxA .x
It can be checked that the reduced term does admit the same type A → A:
(ax)
x:A`x:A
(→I )
` λxA .x : A → A

The proof of the above theorem deserves some attention. It should be observed
that, by erasing the terms, the β-reduction of a typable term described in the
above proof corresponds precisely to the procedure we used in section 2.3.3 in
order to eliminate a cut in the corresponding proof:
..
.
..
Γ, A ` B .
(⇒I ) ..
Γ`A⇒B Γ`B .
(⇒E )
Γ`B Γ`B

Thus,
Theorem 4.1.8.5 (Dynamical Curry-Howard correspondence). Through the Curry-
Howard correspondence, β-reduction corresponds to eliminating cuts.
This explains the remark already made in section 2.3.3: although cut-free proofs
are “simpler” in the sense that they do not contain cuts, they can be much bigger
than the corresponding cut-free proof, in a same way that executing a program
can give rise to a much bigger result than the program itself (e.g. a program
computing the factorial of 1000). As a direct consequence of previous theorem,
we have that
Corollary 4.1.8.6. Through the Curry-Howard correspondence, typable terms
in normal form correspond to cut-free proofs.

4.1.9 η-expansion. We have seen that a β-reduction step corresponds to elim-

inating a cut, which consists in an elimination rule followed by an introduction
rule. Similarly, an η-expansion step corresponds to introducing a “co-cut” (we
are not aware of an official name for those) consisting of an introduction rule
followed by an elimination rule. For instance, supposing that in some context Γ
we can show t : A → B, the η-expansion step

t −→η λxA .t x
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 171

corresponds to the following transformation of typing derivation

..
.
Γ`t:A→B
(wk) (ax)
Γ, x : A ` t : A → B Γ, x : A ` x : A
.. (→E )
. Γ, x : A ` t x : B
(→I )
Γ`t:A→B Γ ` λxA .t x : A → B
which, after term erasure, corresponds to the following proof transformation
π
Γ`A⇒B
(wk) (ax)
Γ, A ` A ⇒ B Γ, A ` A
(⇒E )
π Γ, A ` B
(⇒I )
Γ`A→B Γ`A⇒B

4.1.10 Confluence. Recall from section 3.4 that β-reduction of λ-terms is con-
fluent. By theorem 4.1.8.3, we can immediately extend this result to typable
terms:
Theorem 4.1.10.1 (Confluence). The β-reduction is confluent on typable terms
∗
(in some fixed context): given typable terms t, u1 and u2 such that t −→β u1
∗ ∗ ∗
and t −→β u2 , there exists a typable term v such that u1 −→β v and u2 −→β v.

4.2 Strong normalization

4.2.1 A normalization strategy. We have seen in theorem 4.1.8.5 that, under
the Curry-Howard correspondence, β-reduction corresponds to cut elimination.
Since, in theorem 2.3.3.1, we have established that every proof reduces to a
cut-free proof, this means that every typable term β-reduces to a term in nor-
mal form. More precisely, the proof produces a strategy to reduce a term to a
normal form: we can reduce a β-redex (λx.t) u whenever t and u do not contain
β-redexes. In fact, the proof only depends on the hypothesis that u does not
contain β-redexes, and we have to suppose this because those redexes could be
“duplicated” during the reduction, making it unclear that it will terminate. For
instance, writing I = λx.x for the identity, with t = λy.yxx and u = I I, we have
the following reductions:

(λxy.yxx)(I I) (λxy.yxx) I

λy.y(I I)(I I) λy.y I (I I) λy.y I I

We see that the redex I I −→β I on the top line has become two redexes in the
bottom line: this is because the term λxy.yxx contains twice the variable x and
the vertical reduction will thus cause the term substituted for x to be duplicated.
Following the terminology introduced in section 3.5.1, what theorem 2.3.3.1
establishes is thus that the innermost reduction strategies, such as call-by-value,
terminate for typable λ-terms.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 172

4.2.2 Strong normalization. We would now like to show a stronger result

called strong normalization: every typable term is strongly normalizing. This
mean that, starting from a given typable term t, we will always end up on a
normal form after a finite number of steps, whichever way we chose to reduce
it, see section 3.2.6. We show below a proof based on “reducibility candidates”
which is due to Tait and later refined by Girard, see [Gir89, Chapter 6]. Before
entering the details of this subtle proof, let us first explain why the naive ideas
for a proof do not work.

Failure of the naive proof. A first attempt to show the result would consist
in showing that, for any derivable sequent Γ ` t : A, the term t is strongly
normalizing by induction on the proof of the sequent.

– For the rule (ax), this is immediate since a variable is strongly normalizing
(it is even a normal form).
– For the rule (→I ), we have to show that a term λx.t is strongly normal-
izing knowing that t is strongly normalizing. A sequence of reductions
starting from λx.t is of the form λx.t −→β λx.t1 −→β λx.t2 −→β . . . with
t −→β t1 −→β t2 −→β . . ., and is thus finite since t is strongly normalizing
by induction hypothesis.
– For the rule (→E ), we have to show that a term t u is strongly normalizing
knowing that both t and u are strongly normalizing. However, a reduction
in t u is not necessarily generated by a reduction in t or in u in the case
where t is an abstraction, and we cannot conclude.
If we try to identify the cause of the failure, we see that we do not really use the
fact that the terms are typable in the last case. We are left proving that if t and
u are normalizable then t u is normalizable, and there is a counter-example to
that, already encountered in section 3.2.6: take t = λx.xx and u = λx.xx, both
are strongly normalizable, but t u is not since it leads to an infinite sequence of
reductions. This however not a counter-example to the strong normalizability
property, because λx.xx cannot be typed, but we have no easy way of exploiting
this fact.

Reducibility candidates. Instead, we now take an “optimistic” approach and,

given a type A, we define a set RA of terms, called the reducibility candidates
at A, which are terms such that
(i) for every term t such that Γ ` t : A is derivable, we have t ∈ RA ,

(ii) a term t in RA is “obviously” strongly normalizing.

Which will allow us to immediately conclude, once we have shown those prop-
erties.
The definition is performed by induction on the type A by

– for a type variable X, RX is the set of all strongly normalizable terms t,

– for an arrow type A → B, RA→B is the set of terms t such that for every
u ∈ RA , we have t u ∈ RB .
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 173

In the first case, we have not been particularly subtle: we wanted a set of
strongly normalizable terms which contains all the terms of type X, and we
simply took all strongly normalizable terms. However, in the second case, we
have crafted our definition to avoid the previous problem: in the case of the rule
(→E ), it will be immediate to deduce that, given t ∈ RA→B and u ∈ RA that
t u ∈ RB . However, it is not immediate that every term in RA→B is strongly
normalizing and we will have to prove that. A term is said to be reducible when
it belongs to a set of reducibility candidates RA for some type A.
We begin by showing that every term t ∈ RA is strongly normalizing by
induction on the type A, but in order to do so we need to strengthen the
induction hypothesis and show together additional properties on A. A term is
neutral when it is not an abstraction; otherwise said, a neutral term is of the
form t u or x.
Proposition 4.2.2.1. Given a type A and a term t, we have

(CR1) if t ∈ RA then t is strongly normalizing,

(CR2) if t ∈ RA and t −→β t0 then t0 ∈ RA ,
(CR3) if t is neutral, and t −→β t0 implies t0 ∈ RA , then t ∈ RA .

Proof. Consider a term t. We show simultaneously the three properties by

induction on A. In the base case, the type A is a type variable X.
(CR1) If t ∈ RX then it is strongly normalizable by definition of RX .
(CR2) Suppose that t ∈ RX (i.e. t is strongly normalizing) and t −→β t0 . Every
sequence of reductions t0 −→β . . . starting from t0 can be extended as
a sequence of reductions t −→β t0 −→β . . . starting from t, and is thus
finite. Therefore t0 is strongly normalizing and thus belongs to RX .
(CR3) Suppose that t is neutral and such that for every term t0 such that
t −→β t0 we have t0 ∈ RX . A sequence of reductions t −→β t0 −→β . . .
starting from t is such that t0 ∈ RX , and is thus finite. Therefore t ∈ RX .

Consider the case of an arrow type A → B.

(CR1) Suppose that t ∈ RA→B , i.e. for every u ∈ RA we have t u ∈ RB . A
variable x is neutral and a normal form and thus belongs to RA by (CR3).
By definition of RA→B , we have t x ∈ RB . Any sequence of reductions
t −→β t0 −→β . . . induces a sequence of reductions t x −→β t0 x −→β . . .
and is thus finite by (CR1) on B. Thus t is strongly normalizing.
(CR2) Suppose that t ∈ RA→B and t −→β t0 . Given a term u ∈ RA , by
definition of RA→B , we have t u ∈ RB . Since t u −→β t0 u, by (CR2)
on B, we have t0 u ∈ RB . Therefore t0 ∈ RA→B .
(CR3) Suppose that t is neutral and such that, for every term t0 with t −→β t0 ,
we have t0 ∈ RA→B . Suppose given a term u ∈ RA . By (CR1) on A, the
term u is strongly normalizing and we can show that t u ∈ RB for every
term u ∈ RA by well-founded induction on u (theorem A.3.2.1). Since t
is neutral, the term t u can only reduce in two ways.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 174

– If t u −→β t0 u then t0 u ∈ RB because, by hypothesis, we have

t0 ∈ RA→B .
– If t u −→β t u0 with u −→β u0 then u0 ∈ RA by (CR2) on A and,
by recurrence hypothesis on u, we have t u0 ∈ RB .
Therefore, by (CR3) on B, we have t u ∈ RB . We conclude that
t ∈ RA→B .
Lemma 4.2.2.2. Suppose given a term t such that t[u/x] ∈ RB for every term u ∈ RA .
Then λxA .t ∈ RA→B .
Proof. Given u ∈ RA , we have to show (λxA .t)u ∈ RB . By (CR1), the terms t
and u are strongly normalizing. We can thus show (λxA .t)u ∈ RB by induction
on the pair (t, u). The term (λxA .t)u can either reduce to
– t[u/x], which is in RB by hypothesis,

– (λxA .t0 )u with t −→β t0 , which is in RB by induction hypothesis,

– (λxA .t)u0 with u −→β u0 , which is in RB by induction hypothesis.
In every case, the neutral term (λxA .t)u reduces to a term in RB and therefore
belongs to RB by (CR3).

Lemma 4.2.2.3. Suppose given a term t such that Γ ` t : A is derivable for some
context Γ = x1 : A1 , . . . , xn : An and type A. Then, for every terms ti ∈ RAi ,
for 1 6 i 6 n, we have t[t1 /x1 , . . . , tn /xn ] ∈ RA .
Proof. We write t[t∗ /x∗ ] for the above substitution, and show the result by
induction on t. By induction on the derivation of Γ ` t : A.
– If the last rule is
(ax)
Γ ` x i : Ai
then, for every terms ti ∈ RAi , we have t[t∗ /x∗ ] = ti ∈ RAi .

– If the last rule is

Γ`u:A→B Γ`v:A
(→E )
Γ ` uv : B

then, for every terms ti ∈ RAi , by induction hypothesis, u[t∗ /x∗ ] ∈ RA→B
and v[t∗ /x∗ ] ∈ RA and therefore t[t∗ /x∗ ] = (u[t∗ /x∗ ])(v[t∗ /x∗ ]) ∈ RB .
– If the last rule is
Γ, x : A ` u : B
(→I )
Γ ` λx.u : A → B
then, by induction hypothesis, for every terms ti ∈ RAi and for every
term v ∈ RA , we have u[t∗ /x∗ ][v/x] = u[t∗ /x∗ , v/x] ∈ RB . Therefore, by
lemma 4.2.2.2, we have t[t∗ /x∗ ] = λx.(u[t∗ /x∗ ]) ∈ RA→B .

Proposition 4.2.2.4 (Adequacy). Given a term t such that Γ ` t : A is derivable,

we have t ∈ RA .
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 175

Proof. We write Γ = x1 : A1 , . . . , xn : An . A variable being neutral and in

normal form, by (CR3), we have xi ∈ RAi for every index i. Therefore, by
lemma 4.2.2.3, t = t[x∗ /x∗ ] ∈ RA .
Theorem 4.2.2.5 (Strong normalization). Every typable term t is strongly nor-
malizing.
Proof. By proposition 4.2.2.4, the term t is reducible, and thus strongly nor-
malizing by (CR1).
One of the remarkable strengths of this approach is that is generalizes well to
usual extensions of simply typed λ-calculus, see section 4.3.7.
Remark 4.2.2.6. There are many possible variants on the definition of reducibil-
ity candidates, see [Gal89]. The version presented here has the advantage of
being simple to define and leads to simple proofs. One of its drawbacks is that
the λ-terms of RA are not necessarily of type A (for instance, when A = X any
strongly normalizable term belongs to RA by definition). We can however define
a “typed variant” of reducibility candidates, by defining sets RΓ`A , indexed by
both a context Γ and a type A, by induction on A by
– for a type variable X, RΓ`X is the set of strongly normalizable terms t
such that Γ ` t : X is derivable,
– for an arrow type A → B, RΓ`A→B is the set of terms t such that
Γ ` t : A → B is derivable and for every u ∈ RΓ`A , we have t u ∈ RΓ`B .
The expected adaptation of the above properties hold in this context, see the
formalization proposed in section 7.5.2. In particular, the variant of proposi-
tion 4.2.2.4 ensures that every term t such that Γ ` t : A is derivable belongs
to RΓ`A ; conversely, one easily shows by induction on A that every term t of
RΓ`A is such that Γ ` t : A is derivable. With this formulation, it thus turns
out that reducibility candidates are simply a complicated way of defining

RΓ`A = {t | Γ ` t : A is derivable}

However, the way the definition is formulated allows to perform the proofs by
induction!

4.2.3 First consequences. We shall now present some easy consequences of

the strong normalization theorem.

Non-typable terms. A fist consequence of the strong normalization theorem 4.2.2.5

(or rather its contraposite) is that there are terms which are not typable. For
instance, the λ-term Ω = (λx.xx)(λx.xx) is not typable because it is not termi-
nating, see section 3.2.6.

Termination of cut elimination. By theorem 4.1.8.5, cut-elimination in the im-

plicational fragment of natural deduction corresponds to β-reduction. Since
for typable terms β-reduction is always terminating (theorem 4.2.2.5), we have
shown
Theorem 4.2.3.1. The cut elimination procedure of section 2.3.3 always termi-
nates (on a cut-free proof), whichever strategy we choose to eliminate the cuts.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 176

4.2.4 Deciding convertibility. In practice, the most important consequence

of the strong normalization theorem is that it provides us with an algorithm to
decide the β-convertibility of typable λ-terms t and u. Namely, suppose that
we start reduce t:
t = t0 −→β t1 −→β t2 −→β . . .
This means that we start from t, reduce it to a term t1 , then reduce t1 to a
term t2 , and so on. Note that we do not impose anything on the way ti+1
is constructed from ti : any reduction strategy would be acceptable. By theo-
rem 4.2.2.5, such a sequence cannot be infinite, which means that this process
will eventually give rise to a term tn which cannot be reduced: tn is a normal
∗
form. This shows that there exists a term in normal form t̂ such that t −→β t̂.
Similarly, u admits a normal form û. Clearly, t and u are β-convertible if and
only if t̂ and û are β-convertible. By proposition 3.4.4.3, this is the case if and
only if t̂ and û are equal:
t ∗? u
∗ ∗

t̂ ?
û

We have thus reduced the problem of deciding whether two terms are convertible
to deciding whether two terms are equal, which is easily done. Using the func-
tions defined in section 3.5, the following function eq tests for the β-equivalence
of two λ-terms which are supposed to be typable:

let eq t u = (normalize t) = (normalize u)

Remark 4.2.4.1. In fact, even if we do not suppose that the terms t and u given
as input of the above function are typable, it is still correct in the sense that
– if it answers true then t and u are convertible, and

– if it answers false then t and u are not convertible.

However, there is now a third possibility: nothing guarantees that the normal-
ization of t or u will terminate. This means that the procedure will not provide
a result in such a case. As such it is not an algorithm, since, by convention,
those should terminate on every input.

4.2.5 Weak normalization. The strong normalization theorem is indeed strong:

it shows that, starting from a typable term, whichever way we chose to reduce a
typable term, we will eventually end up on a normal form. In practice, we care
about much less than this: when implementing reduction and normalization, we
implement a particular reduction strategy (see section 3.5.1), and all we want to
know is that this particular strategy will end up on a normal form. We suppose
fixed a deterministic reduction strategy −→, i.e. we suppose here that −→ is a
relation on λ-terms such that

– t −→ u implies t −→β u,
– if t −→ u and t −→ u0 then u = u0 ,
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 177

the last point being the determinism of the strategy. In order words, the strategy
−→ picks, for every term t, at most one way to reduce it. We can then show
that every closed typable term is terminating with respect to −→ using a much
simplified version of the above proof, see [Pie02, Chapter 12].
We define sets RA of λ-terms by induction on A by
– t ∈ RX if ` t : X is derivable and t is strongly normalizing,
– t ∈ RA→B if ` t : A → B is derivable, t is strongly normalizing and
t u ∈ RB for every u ∈ RA .

Contrarily to section 4.2.2, by lemma 4.1.5.4, the sets RA contain only closed
terms of type A.
Above, we have been using the following property of reduction when showing
the properties of reducibility candidates in proposition 4.2.2.1:
Lemma 4.2.5.1. If t −→ t0 and t is strongly normalizing then t0 is.
Proof. An infinite sequence of reductions t0 −→ . . . starting from t0 can be
extended as one t −→ t0 −→ . . . starting from t, i.e. if t0 not strongly normalizing
then t is not either. We conclude by contraposition.
The main consequence of having a deterministic reduction is that the converse
now also holds:
Lemma 4.2.5.2. If t −→ t0 and t0 is strongly normalizing then t is.
Proof. By determinism, an infinite sequence of reductions starting from t is
necessarily of the form t −→ t0 −→ . . ., and thus induces one starting from t0 .

Remark 4.2.5.3. Again, this property would not be true with the relation −→β ,
which is not deterministic. For instance, we have (λx.y)Ω −→β y, where (λx.y)Ω
is not strongly normalizing but y is.
We can now easily show variants of the properties of proposition 4.2.2.1. Note
that the proof is greatly simplified because we do not need to prove them all at
once.
Lemma 4.2.5.4 (CR1). If t ∈ RA then is strongly normalizing.
Proof. By induction on A, immediate by definition of RA .
Lemma 4.2.5.5 (CR2). If t ∈ RA and t −→ t0 then t0 ∈ RA .
Proof. By induction on the type A.

– Suppose that t ∈ RX . Then t0 ∈ RX by lemma 4.2.5.1.

– Suppose that t ∈ RA→B . Then t is strongly normalizing, and thus also t0
by lemma 4.2.5.1. Given u ∈ RA , we have t u ∈ RB by definition of RA→B
and thus t0 u ∈ RB by induction hypothesis. Thus t0 ∈ RA→B .

The last one uses lemma 4.2.5.2 and thus relies on the fact that we have a
deterministic reduction:
Lemma 4.2.5.6 (CR3). If t −→ t0 and t0 ∈ RA then t ∈ RA .
Proof. By induction on the type A.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 178

– Suppose that t0 ∈ RX . Then t ∈ RX by lemma 4.2.5.2.

– Suppose that t0 ∈ RA→B . Then t0 is strongly normalizing, and thus also t
by lemma 4.2.5.2. Given u ∈ RA , we have t0 u ∈ RB by definition of RA→B
and thus t u ∈ RB by induction hypothesis. Thus t ∈ RA→B .
Similarly, to lemma 4.2.2.3, we can then show the following.
Lemma 4.2.5.7 (Adequacy). Suppose given a term t such that Γ ` t : A is
derivable for some context Γ = x1 : A1 , . . . , xn : An and type A. Then, for
every terms ti ∈ RAi , for 1 6 i 6 n, we have t[t1 /x1 , . . . , tn /xn ] ∈ RA .
Finally, we can deduce
Theorem 4.2.5.8. Given a term t, if there is a type A such that ` t : A is
derivable then t is strongly normalizing (with respect to −→).

Proof. Suppose that ` t : A holds. By lemma 4.2.5.7, we have that t ∈ RA .

Thus t is strongly normalizing by lemma 4.2.5.4.
A formalization of these properties is provided in section 7.5.2.
A strategy is complete when it is such that, for every term t, if there is a
term u such that t −→β u then there is a term u0 such that t −→ u. In other
words, our strategy can reduce any β-reducible term. By applying the previous
theorem to such a strategy, we deduce that
Theorem 4.2.5.9 (Weak normalization). Every typable term t is weakly normal-
izing.
Of course, this theorem is also immediately implied by theorem 4.2.2.5.

4.3 Other connectives

Up to now, for simplicity, we have been limiting ourselves to types built using
arrows as only connective. The Curry-Howard correspondence would be sad if
it stopped there: it actually extends to other usual connectives. For instance,
the product of two types corresponds to taking the conjunction the two corre-
sponding formulas. Other cases of the correspondence are given in the following
table:
Typing Logic
function → ⇒ implication
product × ∧ conjunction
unit 1 > truth
coproduct + ∨ disjunction
empty 0 ⊥ falsity
In order to study this, we will now consider types generated by the following
syntax:
A, B ::= X | A → B | A × B | 1 | A + B | 0
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 179

(ax)
Γ ` x : Γ(x)

Γ`t:A→B Γ`u:A Γ, x : A ` t : B
(→E ) (→I )
Γ ` tu : B Γ ` λxA .t : A → B

Γ`t:A×B Γ`t:A×B Γ`t:A Γ`u:B

(×lE ) (×rE ) (×I )
Γ ` πl (t) : A Γ ` πr (t) : B Γ ` ht, ui : A × B

(1I )
Γ ` hi : 1

Γ`t:A+B Γ, x : A ` u : C Γ, y : B ` v : C
(+E )
Γ ` case(t, x 7→ u, y 7→ v) : C

Γ`t:A Γ`B
(+lI ) (+rI )
Γ` ιB
l (t) :A+B Γ` ιA
r (t) :A+B

Γ`t:0
(0E )
Γ ` caseA (t) : A

Figure 4.3: Typing rules for λ-calculus with products and sums.

For each of those connectives, we add a connective between types, as well as

new constructions to the λ-calculus which correspond to introduction and elim-
ination rules, and the full syntax for λ-terms will be

t, u ::= x | t u | λxA .t
| ht, ui | πl (t) | πr (t) | hi
| ιA A A
l (t) | ιr (t) | case(t, x 7→ u, y 7→ v) | case (t)

Moreover, each such connective will give rise to typing rules and the full list of
rules is given in figure 4.3. In addition, we need to add new rules for β-reduction,
which correspond to cut elimination for the new rules (see section 4.1.8), re-
sulting in the rules of figure 4.4, and η-expansion rules which correspond to
introducing “co-cuts” (see section 4.1.9). We now gradually introduce each of
those.
Most of the important theorems extend to the λ-calculus with these new
added constructors and types, although we will not detail these:
– confluence (theorem 3.4.3.7),

– subject reduction (theorem 4.1.8.3),

– strong normalization (theorem 4.2.2.5),
– Curry-Howard correspondence (theorems 4.1.7.1 and 4.1.8.5).
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 180

β-reduction rules:

(λx.t) u −→β t[u/x]

πl (ht, ui) −→β t
πr (ht, ui) −→β u
case(ιB
l (t), x 7→ u, y 7→ v) −→β u[t/x]

case(ιA
r (t), x 7→ u, y 7→ v) −→β v[t/y]

Commuting reduction rules:

caseA→B (t) u −→β caseB (t)

πl (caseA×B (t)) −→β caseA (t)
πr (caseA×B (t)) −→β caseB (t)
case(caseA+B (t), x 7→ u, y 7→ v) −→β caseC (t)
caseA (case0 (t)) −→β caseA (t)
case(t, x 7→ u, y 7→ v) w −→β case(t, x 7→ u w, y 7→ v w)
πl (case(t, x 7→ u, y 7→ v)) −→β case(t, x 7→ πl (u), y 7→ πl (v))
πr (case(t, x 7→ u, y 7→ v)) −→β case(t, x 7→ πr (u), y 7→ πr (v))
caseC (case(t, x 7→ u, y 7→ v)) −→β case(t, x 7→ caseC (u), y 7→ caseC (v))
case(case(t, x 7→ u, y 7→ v), x0 7→ u0 , y 0 7→ v 0 )
−→β
case(t, x 7→ case(u, x 7→ u0 , y 0 7→ v 0 ), y 7→ case(v, x0 7→ u0 , y 0 7→ v 0 ))
0

Figure 4.4: Reduction rules for λ-calculus with products and sums.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 181

4.3.1 Products. In order to accommodate for products, we add the construc-

tion
A×B
to the syntax of our types, denoting the product of two types A and B. We also
extend λ-terms with three new constructions:

t, u ::= . . . | ht, ui | πl (t) | πr (t)

where
– ht, ui is the pair of two λ-terms t and u,

– πl (t) takes the first component of the λ-term t,

– πr (t) takes the second component of the λ-term t.
We add three new typing rules to our system, one for each of the newly added
constructors:
Γ`t:A×B Γ`t:A×B Γ`t:A Γ`u:B
(×lE ) (×rE ) (×I )
Γ ` πl (t) : A Γ ` πr (t) : B Γ ` ht, ui : A × B

The first one states that if t is a term, which is a pair consisting of an element
of A and an element of B, then the term πl (t), obtained by taking its first
projection, has type A. The second rule is similar. The last rule establishes
that if t is of type A and u is of type B then the pair ht, ui is of type A × B.
If apply our term erasing procedure of section 4.1.7, and replace the symbols
× by ∧, we recover the rules for conjunction:

Γ`A∧B l Γ`A∧B r Γ`A Γ`B

(∧E ) (∧E ) (∧I )
Γ`A Γ`B Γ`A∧B

This means that our extension of simply typed λ-calculus is compatible with
the Curry-Howard correspondence (theorem 4.1.7.1).
Recall that the cut-elimination rules for conjunction consist in the following
two cases:
π π0
Γ`A Γ`B
(∧I )
Γ`A∧B π
(∧lE )
Γ`A Γ`A
π π0
Γ`A Γ`B
(∧I )
Γ`A∧B π0
(∧rE )
Γ`B Γ`B

By the Curry-Howard correspondence, they correspond to the following trans-

CHAPTER 4. SIMPLY TYPED λ-CALCULUS 182

formations of typing derivations:

π π0
Γ`t:A Γ`u:B
(×I )
Γ ` ht, ui : A × B π
(×lE )
Γ ` πl (ht, ui) : A Γ`t:A
π π0
Γ`t:A Γ`u:B
(×I )
Γ ` ht, ui : A × B π0
(×rE )
Γ ` πr (ht, ui) : B Γ`u:A

which indicate that the reduction rules associated to the new connectives should
be

πl (ht, ui) −→β t πr (ht, ui) −→β u

as expected: taking the first component of a pair ht, ui returns t, and similarly
for the second component.
Finally, the η-expansion rule corresponds to the following transformation of
the proof derivation:

π π
Γ`t:A×B Γ`t:A×B
(×lE ) (×rE )
π Γ ` πl (t) : A Γ ` πr (t) : B
(×I )
Γ`t:A×B Γ ` hπl (t), πr (t)i : A × B

It should thus consist in the rule

t −→η hπl (t), πr (t)i

which states some form of “extensionality” of products: a term which is a prod-

uct should be the same as the pair consisting of its components.

Alternative formulations. Alternative formulations are possible for those con-

nectives. Instead of taking the first and second projection of some term t,
i.e. πl (t) and πr (t), we could simply add to our calculus the first and second
projection operators πlA,B and πrA,B , whose associated typing rules would be

Γ ` πlA,B : A × B → A Γ ` πrA,B : A × B → B

This would correspond to an approach using combinators, also called Hilbert-

style, see section 4.5.
Another alternative, could be to add a constructor

unpair(t, xy 7→ u)

which would corresponds to OCaml’s

let (x,y) = t in u
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 183

It binds the two components of a pair t as x and y in u. The corresponding

typing rule would be

Γ`t:A×B Γ, x : A, y : B ` u : C
Γ ` unpair(t, xy 7→ u) : C

This is the flavor of rules which has to be used when working with dependent
types, see section 8.3.3. We did not use it here because, through the Curry-
Howard correspondence, it corresponds to the following variant of elimination
rule for conjunction

Γ`A∧B Γ, A, B ` C
(∧E )
Γ`C

which is not the one which is traditionally used (the main reason is that it
involves a “new” formula C, whereas the usual rules (∧lE ) and (∧rE ) only use A
and B).

Curryfication. An important property of product types in λ-calculus is that they

are closely related to arrow types through an isomorphism called curryfication,
which states that a function with two arguments is the same as a function taking
a pair of arguments. More precisely, given types A, B and C, the two types

A×B →C and A→B→C

are isomorphic, see remark 4.1.7.3, where the first type is implicitly bracketed
as (A × B) → C. In OCaml, this means that it is roughly the same to write a
function of the form
let f x y = ...
or a function of the form
let f (x, y) = ...
More precisely, the isomorphism between the two types means that we have
λ-terms which allow converting elements of on type into an element of the other
type, in both directions:

λf A×B→C .λaA .λbB .f ha, bi : (A × B → C) → (A → B → C)

λf A→B→C .λxA×B .f πl (x) πr (x) : (A → B → C) → (A × B → C)

whose composites are both identities (up to βη-equivalence). Namely, respec-

tively writing t and u for those terms, we have
∗
λf A×B→C .u (t f ) −→β λf A×B→C .λxA×B .f hπl (x), πr (x)i ===η λf A×B→C .f
∗
λf A→B→C .t (u f ) −→β λf A→B→C .λaA .λbB .f a b ===η λf A→B→C .f

In most programming languages (Java, C, etc), a function with two arguments

would be given a type of the form A × B → C. Functional programming
languages such as the OCaml tend to prefer types of the form A → B → C
because they allows partial evaluation, meaning that we can give the argument
of type A, without giving the other one.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 184

4.3.2 Unit. We can add a unit type by adding a constant type

called unit. It corresponds to the unit type of OCaml and, through the Curry-
Howard correspondence to the formula >. We add a new constant λ-term hi
which is the only element of 1 (up to β-equivalence), and corresponds to () in
OCaml. The typing rule is
(1I )
Γ ` hi : 1
which corresponds to the usual rule for truth by term erasure:
(>I )
Γ`>

There are no β- or η-reduction rules.

4.3.3 Coproducts. For coproducts, we add the construction

A+B

on types, which represents the coproduct of the two types A and B. Intuitively,
this corresponds to the set-theoretic disjoint union: an element of A+B is either
an element of type A or an element of type B. We add three new constructions
to the syntax of λ-terms:

t, u, v ::= . . . | case(t, x 7→ u, y 7→ v) | ιA A
l (t) | ιr (t)

where t, u and v are terms, x and y are variables and A is a type. Since
A + B is the disjoint union of A and B, we should be able to see a term t of
type A (resp. B) as a term of type A + B: this is precisely represented by the
term ιB A
l (t) (resp. ιr (t)), which can be thought of as the term t “cast” into an
element of type A + B. For this reason, ιA A
l and ιr are often called the canonical
injections. Conversely, any element of A + B should either be an element of A
or an element of B. This means that we should be able to construct new values
by case analysis: typically, given a term t of type A + B,
– if t is of type A then we return u(t),
– if t is of type B then we return v(t).
Above, u (resp. v) should be a λ-term with a distinguished free variable x
(resp. y) which is to be replaced by t. In formal notation, such a case analysis
is written
case(t, x 7→ u, y 7→ v)
The symbol “7→” is purely formal here (it indicates bound variables), and our
operation takes 5 arguments t, x, u, y and w. With the above intuitions, it
should be no surprise that the typing rules are
Γ`t:A+B Γ, x : A ` u : C Γ, y : B ` v : C
(+E )
Γ ` case(t, x 7→ u, y 7→ v) : C
Γ`t:A Γ`B
(+lI ) (+rI )
Γ` ιB
l (t) :A+B Γ` ιA
r (t) :A+B
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 185

From a Curry-Howard perspective, + corresponds to disjunction ∨, and term

erasure of the above typing rules do indeed allow us to recover the usual rules
for disjunction:
Γ`A∨B Γ, A ` C Γ, B ` C
(∨E )
Γ`C
Γ`A Γ`B
(∨lI ) (∨rI )
Γ`A∨B Γ`A∨B
The β-reduction rules correspond to the cut-elimination step reducing
π
Γ`t:A π0 π 00
(+lI )
Γ ` ιB
l (t) : A + B Γ, x : A ` u : C Γ, y : B ` v : C
(+E )
Γ ` case(ιB
l (t), x 7→ u, y 7→ v) : C

to
π 0 [π/x]
Γ ` u[t/x] : C
as well as the symmetric one, obtained by suitably using ιr instead of ιl . The
β-reduction rules are thus
case(ιB
l (t), x 7→ u, y 7→ v) −→β u[t/x]

case(ιA
r (t), x 7→ u, y 7→ v) −→β v[t/y]

The η-expansion rule is

t −→η case(t, x 7→ ιB A
l (t), y 7→ ιr (t))

In OCaml. We recall from section 1.3.2 that coproducts can be implemented in

OCaml as the type
type ('a, 'b) coprod =
| Left of 'a
| Right of 'b
The injections ιl and ιr respectively correspond to Left and Right, and the
eliminator case(t, x 7→ u, y 7→ v) to
match t with
| Left x -> u
| Right y -> v

Church vs Curry style. Note that if we remove the type annotations on the
injections, i.e. write ιl (t) instead of ιB
l (t), then the typing of a λ-term is not
unique anymore. Namely, the type rules become
Γ`t:A Γ`t:B
(+lI ) (+rI )
Γ ` ιl (t) : A + B Γ ` ιr (t) : A + B
and, in the first rule, there is no way of guessing the type B in the conclusion
from the premise (and similarly for the other rule). Similar issues happen if we
remove the type annotations from abstractions and are detailed in section 4.4.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 186

α-conversion and substitution. The reason why we use the symbol “7→” in terms
case(t, x 7→ u, y 7→ v) is that it indicates that x is bound in u (and similarly for
v), in then sense that our α-equivalence should include

case(t, x 7→ u, y 7→ v) ===α case(t, x0 7→ u[x0 /x], y 0 7→ v[y 0 /y])

This also means that substitution should take care not to accidentally bind
variables: the equation

(case(t, x 7→ u, y 7→ v))[w/z] = case(t[w/z], x 7→ u[w/z], y 7→ v[w/z])

is valid only when x 6∈ FV(w) and y 6∈ FV(w).

Such details can be cumbersome in practice when performing implementa-
tions, and we already have spent a great deal of time doing this correctly for
abstractions. It is possible to use an alternative formulation of the elimina-
tor which allows the use of abstractions, thus simplifying implementations by
having abstractions being the only case where we have to be careful about cap-
ture of variables: in the construction case(t, x 7→ u, y 7→ v), instead of having
u (resp. v) be a λ-term with a distinguished free variable x (resp. y), we can
directly describe it as the function λx.u (resp. λy.v). Our eliminator thus now
has the form
case(t, u, v)
taking three terms in argument, with associated typing rule

Γ`t:A+B Γ`u:A→C Γ`v:B→C

(+E )
Γ ` case(t, u, v) : C

and the β-reduction rules become

case(ιB
l (t), u, v) −→β u t case(ιA
r (t), u, v) −→β v t

4.3.4 Empty type. The empty type is usually denoted 0. We extend the
syntax of λ-terms
t ::= . . . | caseA (t)
by adding one eliminator caseA (t) which allows us to construct an element of an
arbitrary type A, provided that we have constructed an element of the empty
type 0 (which we do not expect to be possible). The typing rule is thus

Γ`t:0
(0E )
Γ ` caseA (t) : A

Through the Curry-Howard correspondence, the type 0 corresponds to the fal-

sity formula ⊥, and we recover the usual elimination rule

Γ`⊥
(⊥E )
Γ`A

There is no β-reduction rule and the η-reduction rule is

case0 (t) −→η t

CHAPTER 4. SIMPLY TYPED λ-CALCULUS 187

for t of type 0, which corresponds to the transformation

π
Γ`t:0 π
0 (0E )
Γ ` case (t) : 0 Γ`t:0

As usual, negation can be implemented ¬A = A ⇒ ⊥, i.e. we could define

the corresponding type ¬A = A → 0.

4.3.5 Commuting conversions. As explained in section 2.3.6, when consid-

ering both conjunctions and disjunctions, usual cuts are not the only situations
where we want to simplify proofs, we also want to be able to remove the com-
mutative cuts. By the Curry-Howard correspondence, this means that when
having λ-terms with both products and coproducts, we want some additional
reduction rules, called commuting conversions, which are all listed in figure 4.4.
For instance, we have the following commutative cut

π π0 π 00
Γ`A∨B Γ, A ` C ∧ D Γ, B ` C ∧ D
(∨E )
Γ`C ∧D
(∧lE )
Γ`C

which reduces to
π0 π 00
π Γ, A ` C ∧ D Γ, B ` C ∧ D
(∧lE ) (∧lE )
Γ`A∨B Γ, A ` C Γ, B ` C
(∨E )
Γ`C

By the Curry-Howard correspondence, this means that the typing derivation

π π0 π 00
Γ`t:A+B Γ, x : A ` u : C ∧ D Γ, y : B ` v : C ∧ D
(+E )
Γ ` case(t, x 7→ u, y 7→ v) : C ∧ D
(×lE )
Γ ` πl (case(t, x 7→ u, y 7→ v)) : C

should reduce to
π0 π 00
π Γ, x : A ` u : C × D Γ, y : B ` v : C × D
(×lE ) (×lE )
Γ`t:A+B Γ, x : A ` πl (u) : C Γ, y : B ` πr (v) : C
(+E )
Γ ` case(t, x 7→ πl (u), y 7→ πr (v)) : C

and thus that we should add the reduction rule

πl (case(t, x 7→ u, y 7→ v)) −→β case(t, x 7→ πl (u), y 7→ πr (v))

which states that projections can “go through” case operators. Other rules are
obtained similarly.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 188

4.3.6 Natural numbers. In order to grow λ-calculus into a more full-fledged

programming language, it is also possible to add basic types (integers, strings,
etc.) as well as constants and functions to operate on those. In order to illus-
trate this, we explain here how to extend simply typed λ-calculus with natural
numbers. The resulting system, called system T , was originally studied by
Gödel [Göd58].
The types are generated by

A ::= X | A → B | Nat

where the newly added type Nat stands for natural numbers. Terms are gener-
ated by
t, u, v ::= x | t u | λx.t | Z | S(t) | rec(t, u, xy 7→ v)
where the term Z stands for the zero constant, and S(t) for the successor of a
term t (supposed to be a natural number). The construction rec(t, u, xy 7→ v)
allows to define a function by induction:
– if t is 0, it returns u,

– if t is n + 1, it returns v where x has been replaced by n and y by the

value recursively computed for n.

In OCaml. In OCaml, using int as representation for natural numbers, Z would

correspond to 0, S(t) to t+1 and the recursor to
let rec recursor t u v =
if t = 0 then u else v (t-1) (recursor t u v)

Alternatively, we can represent natural numbers as the type

type nat = Z | S of nat
where Z corresponds to Z, S to S and the recursor to
let rec recursor t u v =
match t with
| Z -> u
| S n -> v n (recursor n u v)
Traditionally, addition can be defined by recurrence by

let rec add m n =

match m with
| Z -> n
| S m -> S (add m n)
However, it can be observed that all the recurrence power we usually need is
already contained in the recursor, so that this can equivalently be defined as
let add m n = recursor m n (fun m r -> S r)
Similarly, multiplication can be defined as
let mul m n = recursor m Z (fun m r -> add r n)
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 189

and other traditional functions (exponentiation, Ackermann, etc.) are left to

the reader.
There are however some functions that can be written using recursion in
OCaml, but cannot be encoded in recursor. For instance, all functions written
with the recursor are total and therefore the function
let rec omega n = omega n
cannot be implemented using it, since it is defined nowhere and the recursor
always produces well-defined functions.

Rules. The typing rules for the new terms are the following ones:
Γ ` t : Nat
(ZI ) (SI )
Γ ` Z : Nat Γ ` S(t) : Nat

Γ ` t : Nat Γ`u:A Γ, x : Nat, y : Nat ` v : A

(NatE )
Γ ` rec(t, u, xy 7→ v) : A
The reduction rules ensure that the recursor implement the primitive recursion
rules:
rec(Z, u, xy 7→ v) −→β u
rec(S(t), u, xy 7→ v) −→β v[t/x, rec(t, u, xy 7→ v)/y]

Properties. It can be shown, see section 4.3.7, that this system is terminating
and confluent. Moreover, the functions of type
Nat → Nat
which can be implemented in this system are precisely the recursive functions
which are provably total (in Peano Arithmetic, see section 5.2.5), i.e. recursive
functions for which there is a proof that they terminate on every input. This
class of function strictly includes the primitive recursive ones, and it strictly
included in the class of total recursive functions.

4.3.7 Strong normalization. The strong normalization proof presented in

section 4.2.2 for simply typed λ-calculus extends to the other connectives pre-
sented above. For instance, following [Gir89, chapter 7], let us briefly explain
how to adapt the proof for a λ-calculus with products, unit and natural numbers.
Types are thus generated by
A, B ::= X | A → B | A × B | 1 | Nat
and terms by
t, u, v ::= x | λxA .t | t u | ht, ui | πl (t) | πr (t) | hi | Z | S(t) | rec(t, u, xy 7→ v)
We extend the notion of reducibility candidate by
RX = R1 = RNat = {t | t is strongly normalizable}
RA→B = {t | u ∈ RB implies t u ∈ RA }
RA×B = {t | πl (t) ∈ RA and πr (t) ∈ RB }
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 190

We also extend the notion of neutral term: a term is neutral when it is not of
the following forms

λxA .t ht, ui hi Z S(t)

which correspond to the possible introduction rules in our system. With those
definitions, the proofs can be performed following the same structure as in
section 4.2.2.

4.4 Curry style typing

In this section, we investigate simply typed λ-calculus à la Curry when ab-
stractions are of the form λx.t instead of λxA .t, i.e. we do not indicate the
type of abstracted variables. A detailed presentation of this topic can be found
in [Pie02, chapter 12] and [SU06, chapter 6].

4.4.1 A typing system. Curry-style typing is closer to languages such as

OCaml, where we do not have to indicate the type of the arguments of a func-
tion. For simplicity, we consider functions only, i.e. types are defined by

A, B ::= X | A → B

and terms are defined by

t, u ::= x | λx.t | t u

similarly to the beginning of this chapter. The typing rules are

(ax)
Γ ` x : Γ(x)

Γ, x : A ` t : B
(→I )
Γ ` λx.t : A → B

Γ`t:A→B Γ`u:A
(→E )
Γ ` tu : B

This seemingly minor change of not writing types for abstractions has strong
consequences on the properties of typing. In particular, theorem 4.1.6.1 does
not hold anymore: a given λ-term might admit multiple types. For instance,
the identity λ-term admits the following types:
(ax) (ax)
x:X`x:X x:Y →Z`x:Y →Z
(→I ) (→I )
` λx.x : X → X ` λx.x : (Y → Z) → (Y → Z)

and in fact, every type of the form A → A for some type A is an admissible
type for the identity.
The reason for this is that when we derive a type containing a type variable
in this system, we can always replace this variable by any other type. Formally,
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 191

given types A and B and a type variable X, we write A[B/X] for the type
obtained from A by replacing every occurrence of X by B in A. Similarly, given
a context Γ, we write Γ[B/X] for the context where X has been replaced by B
in every type. We have
Lemma 4.4.1.1. If Γ ` t : A is derivable then Γ[B/X] ` t : A[B/X] is also
derivable for every type B and variable X.
Proof. By induction on the derivation of Γ ` t : A.
For instance, since the identity admits the type X → X, it also admits the same
type where X has been replaced by Y → Z, i.e. (Y → Z) → (Y → Z). The
first type is “more general” than the second, in the sense that the second can
be obtained by substituting type variables in the first. We will see that any
term admits a type which is “most general”, in the sense that it is more general
than any other of its types. For instance, the most general type for identity
is X → X. Again, this phenomenon is not present in Church style typing,
e.g. the two terms

λxX .x : X → X λxY →Z .x : (Y → Z) → (Y → Z)

are distinct: Curry is more spicy than Church.

4.4.2 Principal types. Recall from section 2.2.11 that a substitution σ is a

function which to type variables in X associates a type. Its domain dom(σ) is
the set of type variables

dom(σ) = {X ∈ X | σ(X) 6= X}

This set will always be finite for the substitutions we consider here, so that, in
practice, a substitution can be described by the images of the variables X in its
domain. Given a type A, we write A[σ] for the type A where every variable X
has been replaced by σ(X). Formally, it is defined by induction on the type A
by

X[σ] = σ(X)
(A → B)[σ] = A[σ] → B[σ]

We say that a type A is more general than a type B, what we write A v B,

when there is a substitution σ such that B = A[σ].
Lemma 4.4.2.1. The relation v is a partial order on types modulo α-conversion.
Given a context Γ = x1 : A1 , . . . , xn : An , we also write

Γ[σ] = x1 : A1 [σ], . . . , xn : An [σ]

In this case, we sometimes say that the context Γ[σ] is a refinement of the
context Γ. It is easily shown that if a term admits a type, it also admits a less
general type: lemma 4.4.1.1 generalizes as follows.
Lemma 4.4.2.2. Given a term t such that Γ ` t : A is derivable and a substitu-
tion σ then Γ[σ] ` t : A[σ] is also derivable.
Proof. By induction on the derivation of Γ ` t : A.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 192

Definition 4.4.2.3 (Principal type). Given a context Γ and a λ-term t, a principal

type (or most general type) for t in the context Γ consists of a substitution σ
and a type A such that

– Γ[σ] ` t : A is derivable,
– for every substitution τ such that Γ[τ ] ` t : B is derivable, there exists a
substitution τ 0 such that τ = τ 0 ◦ σ and B = A[τ 0 ].
In other words, the most general type is a type A for t in some refinement of
the context Γ such that every other type can be obtained by substitution, in
the sense of lemma 4.4.2.2.
This is often used in the case where the context Γ is empty, in which case the
substitution σ is not relevant. In this case, the principal type for t is a type A
such that ` t : A is derivable and which is minimal: given a type B, we have
` t : B derivable if and only if A v B.
Example 4.4.2.4. The principal type for t = λx.x is X → X: the types of t are
those of the form A → A for some type A.
Example 4.4.2.5. The principal types for the λ-terms

λxyz.(xz)(yz) and λxy.x

are respectively

(X → Y → Z) → (X → Y ) → X → Z and X→Y →X

4.4.3 Computing the principal type. We now give an algorithm to compute

the principal type of a λ-term. A type equation system is a finite set

E = {A1 = ? Bn }
? B1 , . . . , A n = (4.2)

consisting of pairs types Ai and Bi , written Ai =

? Bi and called type constraints.
A substitution σ is a solution of the equation system (4.2) when applying it
makes every equation of E valid, i.e. for every 1 6 i 6 n we have

Ai [σ] = Bi [σ]

Typing with constraints. The idea is that to every context Γ and λ-term t, we
are going to associate a type A and a type equation system E which are complete
in the sense that

– for every solution σ of E, we have

Γ[σ] ` t : A[σ]

– if there is a substitution σ such that

Γ[σ] ` t : B

then σ is a solution of E such that B = A[σ].

CHAPTER 4. SIMPLY TYPED λ-CALCULUS 193

In this sense, the solutions of E describe all the possible types of t in the
refinements of the context Γ. Its elements are sometimes called constraints
since they encode constraints on acceptable substitutions. We will do so by
imposing the “minimal amount of equations” to E so that t admits a type A in
the context Γ. As usual, this is performed by induction on t, distinguishing the
three possible cases:
– x: we have a type A if and only if x ∈ dom(Γ), in which case A = Γ(x),
– λx.t: the type A should be of the form B → C for where C is the type
of t. Writing At for the type inferred for t, we thus define A = X → At
for some fresh variable X,
– t u: we have a type A if and only if t is of the form B → A and u is
of type B. Writing At for the type inferred for t and Au for the type
inferred for u, we thus define A = X for some fresh variable X and add
the equation

? (Au → X)
At =

Above, the fact that X is “fresh” means that it does not occur somewhere else
(in the contexts, the types or the equation systems).

Sequent presentation. More formally, this can be presented in the form of a

“sequent” calculus, where the sequents are of the form

Γ ` t : A|E

where Γ is a context, t is a term, A is a type and E is a type equation system:

given Γ and t, a the derivation of such a sequent will be seen as producing the
type A and the equations E. The rules are

(ax) with x ∈ dom(Γ)

Γ ` x : Γ(x) |

Γ, x : X ` t : At | Et
(→I ) with X fresh
Γ ` λx.t : X → At | Et

Γ ` t : At | Et Γ ` u : Au | Eu
(→E ) with X fresh
Γ ` t u : X | Et ∪ Eu ∪ {At =
? (Au → X)}

Example 4.4.3.1. For instance, for the term λf x.f x, we have the following
derivation:
(ax) (ax)
f : Z, x : X ` f : Z | f : Z, x : X ` x : X |
(→E )
f : Z, x : X ` f x : Y | Z = X → Y
(→I )
f : Z ` λx.f x : X → Y | Z = X → Y
(→I )
` λf.λx.f x : Z → (X → Y ) | Z = X → Y

The type A and the equations E describe exactly all the possible types for t
in the context Γ in the following sense.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 194

Lemma 4.4.3.2. Suppose that Γ ` t : A | E is derivable using the above rules,

then

– for every solution σ of E the sequent Γ[σ] ` t : A[σ] is derivable (in the
sense of section 4.1.4),
– if there is a substitution σ and a type B such that Γ[σ] ` t : B is derivable
then σ is a solution of E and B = σ[A].
Proof. By induction on the derivation of Γ ` t : A | E.

It is easily seen that given a context Γ and term t there is exactly one type A
and system E such that Γ ` t : A | E is derivable (up to the choice of type
variables), we can thus speak of the type A and the system E associated to a
term t in a context Γ. Moreover, the above rules are easily translated into a
method for computing those. An implementation of the resulting algorithm is
provided in figure 4.5: the function infer generates, given a an environment
env describing the context Γ, the type A and the equation system E, encoded
as a list of pairs of terms.

Computing the principal type. What is not clear yet is

– how to compute the solutions of E,
– how to compute the most general type for t in the context Γ.

We will see in section 5.4 that if a system of equations admits a solution then
it admits a most general one: provided there is a solution, there is a solution σ
such that the solutions are exactly substitutions of the form τ ◦ σ for some
substitution τ . Moreover, we will see an algorithm to actually compute this
most general solution: this is called the unification algorithm. This finally
provides us with what we were looking for.
Theorem 4.4.3.3. Suppose given a context Γ and a term t. Consider the type A
and the system E such that Γ ` t : A | E is derivable, and write σ for the most
general solution of E. Then the substitution σ together with the type A[σ] is a
principal type for t in the environment Γ.

In place unification. In practice, people do not implement the computation of

most general types by first generating equations and then solving them, although
there are notable exceptions [PR05]: we can directly change the value of the
variables instead of deferring this using equations. Moreover, this can be done
efficiently by using references. We will see in section 5.4.5 that unification can
always be performed in this way, and only describe here the implementation
specialized to our problem.
Instead of generating equations, we can replace type variables as follows:
– when we have an equation of the form X =
? A, we can directly replace X
by A, provided that X 6∈ FV(A),
– when we have an equation of the form A =
? X, we can directly replace X
by A, provided that X 6∈ FV(A),
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 195

(** Types *)
type ty =
| TVar of int
| TArr of ty * ty

(** Generate a fresh type variable. *)

let fresh =
let n = ref (-1) in fun () -> incr n; TVar !n

(** Terms. *)
type term =
| Var of string
| Abs of string * term
| App of term * term

(** Type constraints. *)

type teq = (ty * ty) list

(** Type and equations. *)

let rec infer env : term -> ty * teq = function
| Var x -> List.assoc x env, []
| Abs (x, t) ->
let ax = fresh () in
let at, et = infer ((x,ax)::env) t in
TArr (ax, at), et
| App (t, u) ->
let at, et = infer env t in
let au, eu = infer env u in
let ax = fresh () in
ax, (at, TArr (au, ax))::(et@eu)

Figure 4.5: Typability with constraints in OCaml.

CHAPTER 4. SIMPLY TYPED λ-CALCULUS 196

– when we have an equation of the form (A → B) = ? (A0 → B 0 ), we can

0 0
replace it by the two equations A =
? A and B =
? B , and recursively act
on those.
In order to perform this efficiently, we change the representation of type variables
to the following:
(** Types *)
type ty =
| TVar of tvar ref
| TArr of ty * ty

(** Type variables. *)

and tvar =
| Link of ty (* a substituted type variable *)
| AVar of int (* a type variable *)
A variable, corresponding to the constructor TVar, is now a reference, meaning
that its value can be changed. Initially, this reference will point to a value of
the form AVar n, meaning that it is the variable with number n. However, we
can replace its contents by another type A, in which case we make the reference
point to a value of the form Link A (it is a “link” to the type A): this method
has the advantage of changing at once the contents of all the occurrences of
the variable. The type tvar thus indicates the possible values for a variable:
it is either a real variable (AVar) or a substituted variable (Link). With this
representation, a variable containing a link to a type A should be handled as
if it was the type A. To this end, we implement a function which will remove
links at toplevel of types:
let rec unlink = function
| TArr (a, b) -> TArr (a, b)
| TVar v as a ->
match !v with
| Link a -> unlink a
| AVar _ -> a
In order to check the side condition X 6∈ FV(A) above, we need to implement
a function which checks whether a variable X occurs in a type A, i.e. whether
X ∈ FV(A). This easily done by induction on A:
let rec occurs x = function
| TArr (a, b) -> occurs x a || occurs x b
| TVar v ->
match !v with
| Link a -> occurs x a
| AVar _ as y -> x = y
Next, instead of generating an equation A = ? B, we will use the following function
which will replace the type variables in A and B following the method described
above, called unification:
let rec unify a b =
match unlink a, b with
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 197

| TVar v, b -> assert (not (occurs !v b)); v := Link b

| a, TVar v -> v := Link a
| TArr (a, b), TArr (a', b') -> unify a a'; unify b b'

Finally, the type inference algorithm can be implemented as before, excepting

that we do not return the equations anymore (only the type), since type vari-
ables are changed in place: in the case of application, instead of generating the
equation At = ? (Au → X), we instead call the function unify which will replace
type variables in a minimal way, in order to make the types At and Au → X
equal:
let rec infer env = function
| Var x ->
List.assoc x env
| App (t, u) ->
let a = infer env u in
let b = fresh () in
unify (infer env t) (TArr (a,b));
b
| Abs (x, t) ->
let a = fresh () in
let b = infer ((x,a)::env) t in
TArr (a, b)
Example 4.4.3.4. The term λf x.f x can be represented as the term
Abs ("f", Abs ("x", App (Var "f", Var "x")))

If we infer its type (in the empty environment) using the above function infer,
we obtain the following result
Arr
(TVar
{contents =
Link
(TArr (TVar {contents = AVar 1}, TVar {contents = AVar 2})
},
TArr (TVar {contents = AVar 1}, TVar {contents = AVar 2}))
which is OCaml’s way of saying

(X → Y ) → (X → Y )

(in OCaml, references are implemented as records with one mutable field la-
beled contents).
Remark 4.4.3.5. In the unification function, when facing an equation X = ? A,
it is important to check that X does not occur in A. For instance, let us try
to type λx.xx, which is not expected to be typable. The inference will roughly
proceed as follows.
1. Since it is an abstraction, the type of λx.xx must be of the form X → A,
where A is the type of xx. Let’s find the type of xx assuming x of type X.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 198

2. The term xx is an application whose function is x of type X and argument

is x of type X. We must therefore have X = ? (X → Y ) and the type of xx
is Y .

With the above implementation, the algorithm will raise an error: the unification
of X and X → Y will fail because X ∈ FV(X → Y ). If we forgot to check this,
we would generate for x the type X → Y where X is (physically) the type itself.
This would intuitively correspond to allowing the infinite type

(((. . . → Y ) → Y ) → Y ) → Y

which should not be allowed.

Typability. The above algorithms can also be used to decide the typability of a
term t, i.e. answer the following question: is there a context in which t admits
a type?
Theorem 4.4.3.6. The typability problem for λ-calculus is decidable.
Proof. Suppose given a term t. We write FV(t) = {x1 , . . . , xn } for the set of free
variables and define the context Γ = x1 : X1 , . . . , xn : Xn . Using lemma 4.1.5.1,
it is not difficult to show that t admits a type if and only if it admits a type in
the context Γ, which can be decided as above.

4.4.4 Hindley-Milner type inference. In this section, we go on a small ex-

cursion and investigate polymorphic types. We have seen that a Curry-style
λ-term usually admits multiple types. However, a given term cannot be used
within a same term with two different types. In a real-world programming lan-
guage this is a problem: for instance, if we define the identity function, we
cannot apply it both to integers and strings. If we want to do so, we need
to define two identity functions, one for integers and one for strings, with the
same definition. One way to overcome this problem is to allow functions to be
polymorphic, i.e. to have multiple types. For instance, we will be able to type
the identity as
∀X.X → X
meaning that it has type X → X for any possible value of the variable X.
OCaml features such types: variables beginning by a ’ are implicitly universally
quantified, so that the identity has type ’a -> ’a.

Type schemes. Formally, a type A is defined as before, and type schemes A are
generated by the grammar
A ::= A | ∀X.A
where X is a type variable and A is a type. In other words, a type scheme is a
type with some universally quantified variables at toplevel, i.e. a formula of the
form
∀X1 . . . . ∀Xn .A
Having such a “type” for a term means that it can have any type in the set

JAK = {A[A1 /X1 , . . . , An /Xn ] | A1 , . . . , An types}

CHAPTER 4. SIMPLY TYPED λ-CALCULUS 199

i.e. any type obtained by replacing the universally quantified type variables by
some types. As usual, in a type scheme ∀X.A, the variable X is bound in A and
could be renamed. The free variables of a type scheme are

FV(∀X1 . . . . ∀Xn .A) = FV(A) \ {X1 , . . . , Xn }

Given a variable X and a type B, we write A[B/X] for the type scheme A where
the variable X has been replaced by B (as usual, one has to properly take care
of bound variables):

(∀X1 . . . . ∀Xn .A)[B/X] = ∀X1 . . . . ∀Xn .A[B/X]

whenever Xi 6∈ FV(B) whenever 1 6 i 6 n. We consider type schemes modulo

α-conversion, which can be defined by:

∀X.A = ∀Y.A[Y /X]

We write A v B when the set of types described by A is included in the set

of types of B, i.e. JAK ⊆ JBK. In this case, we say that the type scheme A is
more general than B, and that B is less general or a specialization of A.
Lemma 4.4.4.1. We have

∀X1 . . . . ∀Xn .A v ∀Y1 . . . . ∀Yn .B

if and only if there are types A1 , . . . , An such that B = A[A1 /X1 , . . . , An /Xn ]
and the Yi are variables which are not free in ∀X1 . . . . ∀Xn .A.
When we have A v B, this thus means that B was obtained from A by replacing
some universally quantified variables Xi by types Ai , but not only: we can also
universally quantify some of the fresh variables introduced by the Ai afterwards.
For instance, we have

∀X.X → X v ∀Y.(Y → Y ) → (Y → Y ) v (Z → Z) → (Z → Z)

Hindley-Milner typing system. We are now going to give a typing system for a
programming language whose terms are

t, u ::= x | λx.t | t u | let x = t in u

Compared to λ-calculus, the only new construction is let x = t in u, and means

that we should declare x to be t in the term u. From an operational point
of view, it is thus the same as (λx.u) t. The two constructions however differ
from the typing point of view: the type of a variable defined by a let will be
generalized, which means that we are going to universally quantify the type
variables we can, so that it becomes polymorphic. A variable declared by a let
can thus be used with multiple types, which is not the case for an argument of
a function. For instance, in OCaml, we can define the identity once with a let,
and use it on an integer and on a string:
let () =
let id = fun x -> x in
print_int (id 3); print_string (id "a")
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 200

This is allowed because the type inferred for id is ∀X.X → X, which is poly-
morphic. On the other hand, the following code is rejected:

let () =
(fun id ->
print_int (id 3); print_string (id "a")
) (fun x -> x)
Namely, the type inferred for the argument id of the function is X → X. During
the type inference, OCaml sees that it is applied to 3, and therefore replaces
X by int, i.e. it guesses that the type of id must be int → int and thus
raises a type error when we also apply it to a string. The identity argument is
monomorphic: it can be applied to an integer, or to a string, but not both.
We now present an algorithm, due to Hindley and Milner [Hin69, Mil78]
which infers such types. A context Γ is a list

x 1 : A1 , . . . , x n : An

consisting of pairs of variables and type schemes. The free variables of such a
context are
n
[
FV(Γ) = FV(Ai )
i=1

We will consider sequents of the form Γ ` t : A where Γ is a context, t a term

and A a type: we still infer a type (as opposed to a type scheme) for a term.
The rules for our typing system, which assigns type schemes to terms are the
following ones:

Γ(x) = A AvB Γ`t:A Γ, x : ∀Γ A ` u : B

(ax) (let)
Γ`x:B Γ ` let x = t in u : B

Γ`t:A→B Γ`u:A Γ, x : A ` t : B
(→E ) (→I )
Γ ` tu : B Γ ` λx.t : A → B

The rules (→E ) and (→I ) for elimination and introduction of functions are the
usual ones. The rule (ax) allows to specialize the type of a variable in the
context: if x has type A in the context Γ, then we can assume that it actually
has any type B with A v B: with our above example, if id has the type scheme
∀X.X → X in the context, then we can assume that it has type int → int
(or string → string) when we use it, and we can make different assumptions
at each use. Finally, the rule let states that if we can show that t has type A,
then we can assume that it has the more general type scheme

∀Γ A = ∀X1 . . . . ∀Xn .A

where FV(A) \ FV(Γ) = {X1 , . . . , Xn }, called the generalization of A with

respect to Γ. We thus universally quantify over all type variables which are not
already present in the context.
Remark 4.4.4.2. In the rule (let), it is important that ∀Γ A does not universally
quantify over all the variables in A, but only those in FV(A) \ FV(Γ). Namely,
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 201

suppose that we did not put this restriction and quantify over all the variables
of A. We would then have the derivation
(ax) (ax)
x:X`x:X x : X, y : ∀X.X ` y : Y
(let)
x : X ` let y = x in y : Y
(→I )
` λx.let y = x in y : X → Y

This is clearly incorrect since the term λx.let y = x in y is essentially the iden-
tity, and thus should have X → X as principal type.
The following proposition shows that this typing system amounts to the
simple one of section 4.4.1, where we would allow us to infer the type of an
expression each time we use it:
Proposition 4.4.4.3. The sequent Γ ` let x = t in u : A is derivable if and only
if t is typable in the context Γ and Γ ` u[t/x] : A is derivable.

Algorithm W. Formulated as above, it is not immediate to write down an algo-

rithm which would infer the most general type of a term. The problem lies in
the (ax) rule: given a variable x which has type scheme A in the context, we
have to come up with a type B which specializes A, and there is no obvious way
of doing so. Instead, we will replace all the universally quantified variables of A
by fresh variables, and will gradually compute a substitution which will fill those
in. The resulting algorithm is called algorithm W [DM82]. It is very close to
the algorithm we have seen in section 4.4.3 excepting that, instead of generating
type equations and solving them afterward in order to obtain a substitution, we
compute the substitution during the inference. We can express this algorithm
using sequents of the form
Γ ` t : A|σ
where Γ is a context, t a term, A a type and σ a substitution. The rules are the
following ones, they should be read as producing A and σ from Γ and t:

Γ(x) = A
(ax)
Γ ` x : !A | id

Γ, x : X ` t : B | σ X fresh
(→I )
Γ ` λx.t : X[σ] → B | σ

Γ ` t : C |σ Γ ` u : A | σ0 X fresh σ 00 = mgu(A → X, C)
00 00 0 (→E )
Γ ` t u : X[σ ] | σ ◦ σ ◦ σ

Γ ` t : A|σ Γ[σ], x : ∀Γ[σ] A ` u : B | σ 0

(let)
Γ ` let x = t in u : B | σ 0 ◦ σ

Those can be explained as follows.

(ax) Given the type scheme A associated to the variable x in the context, we
declare that the type for x is !A, under the identity substitution. Here, !A
is a notation for the instantiation of A, by which we mean that we have
replaced all the universally quantified variables by fresh ones (i.e. variables
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 202

which do not already occur in Γ). If the type scheme A is ∀X1 . . . . ∀Xn .A,
the type !A is thus
A[Y1 /X1 , . . . , Yn /Xn ]
where the variables Yi are fresh and distinct.
(→I ) In order to infer the type of λx.t, we have to guess a type for x and infer
the type of t in the context where x has this type. Since we have no idea of
what this type should be, we simply infer the type of t in the environment
where x has type X, a fresh type variable. This will result in a type B
and a substitution σ such that Γ[σ], x : X[σ] ` t : B and therefore we can
deduce that λx.t has type X[σ] → B.
(→E ) We first infer a type A for u, and the type C for t. In order for t u
to be typable C should be of the form A → B. We therefore use the
unification procedure described in section 5.4 in order to compute the
most general substitution σ 00 such that σ 00 (A → X) = σ(B) for some
fresh variable X, and we will have B = X[σ]; this substitution being
noted σ 00 = mgu(A → X, C) (here, “mgu” means most general unifier, see
section 5.4.2). We deduce that t u has the type B we have computed.
(let) There is no real novelty in this rule compared to earlier. In order to infer
the type of let x = t in u, we infer a type A for t and then infer a type
B for u in the environment where x has the type scheme obtained by
generalizing A with respect to Γ.
This algorithm generates a valid type according to the previous rules:
Theorem 4.4.4.4 (Correctness). If Γ ` t : A | σ is derivable then Γ[σ] ` t : A is
derivable.
Moreover, it is actually the most general one that could be inferred:
Theorem 4.4.4.5 (Principal types). Suppose that Γ ` t : A | σ is derivable.
Then, for every substitution τ and type B such that Γ[τ ] ` t : B there exists a
substitution τ 0 such that τ = τ 0 ◦ σ and B = A[τ 0 ].
Example 4.4.4.6. Here are some principal types which can be computed with
the algorithm:

λx.let y = x in y : X → X
λx.let y = λz.x in y : X → Y → X
λx.let y = λz.x z in y : (X → Y ) → (X → Y )

Implementing algorithm W. Algorithm W can be coded by suitably implement-

ing the above rules. We define the type of terms as
type term =
| Var of var
| App of term * term
| Abs of var * term
| Let of var * term * term
where var is an alias for int for clarity. Then type schemes are encoded as the
following type:
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 203

type ty =
| EVar of int (* non-quantified variable *)
| UVar of int (* universally quantified variable *)
| TArr of ty * ty
Here, instead of universally quantifying some variables, we use two constructors:
UVar n is a variable which is universally quantified, and EVar n is a variable
which is not. The generation of fresh type variables can be achieved with a
counter, as usual:
let fresh =
let n = ref (-1) in fun () -> incr n; EVar !n
Next, the instantiation of a type scheme is performed by replacing each universal
variable with a fresh existential one (we use a list tenv in order to remember
when a universal variable has already been replaced by some variable, in order
to always replace it by the same variable):
let inst =
let tenv = ref [] in
let rec inst = function
| UVar x ->
if not (List.mem_assoc x !tenv) then
tenv := (x, fresh ()) :: !tenv;
List.assoc x !tenv
| EVar x -> EVar x
| TArr (a, b) -> TArr (inst a, inst b)
in
inst
The following function checks whether a variable occurs in a type:
let rec occurs x = function
| EVar y -> x = y
| UVar _ -> false
| TArr (a, b) -> occurs x a || occurs x b
We can then generalize a type with respect to a given a context by changing
each variable EVar n which does not occur in the context into the corresponding
universal variable UVar n:
let rec gen env = function
| EVar x ->
if List.exists (fun (_,a) -> occurs x a) env
then EVar x else UVar x
| UVar x -> UVar x
| TArr (a, b) -> TArr (gen env a, gen env b)
We can finally implement the function which will infer the type of a term in a
given environment and return it together with the corresponding substitution.
The four cases of the match correspond to the four different rules above:
let rec infer env = function
| Var x ->
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 204

let a =
try List.assoc x env
with Not_found -> raise Type_error
in
inst a, Subst.id
| Abs (x, t) ->
let a = fresh () in
let b, s = infer ((x,a)::env) t in
TArr (Subst.app s a, b), s
| App (t, u) ->
let a, su = infer env u in
let b = fresh () in
let c, st = infer env t in
let s = unify (TArr (a, b)) c in
Subst.app s b, Subst.comp s (Subst.comp su st)
| Let (x, t, u) ->
let a, st = infer env t in
let b, su = infer ((x, gen (Subst.app_env st env) a)::env) u in
b, Subst.comp su st
We have implemented substitutions as functions int -> ty associating a type to
a type variable. The functions Subst.id, Subst.comp, Subst.app and Subst.app_env
respectively compute the identity substitution, the composite of substitutions
and the application of a substitution to a term and to an environment. Their
implementation is left to the reader. Finally, above, the function unify imple-
ments the unification algorithm described in section 5.4:
let rec unify l =
match l with
| (EVar x, b)::l ->
if occurs x b then raise Type_error;
Subst.comp (unify l) (Subst.make [x, b])
| (a, EVar x)::l ->
unify ((EVar x, a)::l)
| (TArr (a, b), TArr (a', b'))::l ->
unify ([a, a'; b, b']@l)
| (UVar _, _)::_ | (_, UVar _)::_ -> assert false
| [] -> Subst.id
let unify a b = unify [a, b]

Algorithm J. Previous algorithm is theoretically nice. In particular, it is well

adapted to making correctness proofs. However, it is quite inefficient: we have
to apply substitutions to many types (including to the context) and we have to
go through the context to look for type variables which have been used. As in
section 4.4.3, a solution consists in modifying type variables in place by using
references. The resulting algorithm is sometimes called algorithm J. We thus
change the implementation of types to
type ty =
| EVar of tvar ref (* non-quantified variable *)
| UVar of int (* universally quantified variable *)
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 205

| TArr of ty * ty
and tvar =
| Unbd of int (* unbound variable *)
| Link of ty (* substituted variable *)
Most functions are straightforwardly adapted. The main novelties are the uni-
fication function, which now performs the modification of types in place:
let rec unify a b =
match unlink a, unlink b with
| EVar x, _ ->
if occurs x b then raise Type_error else x := Link b
| _, EVar y -> unify b a
| TArr (a1, a2), TArr (b1, b2) -> unify a1 b1; unify a2 b2
| _ -> raise Type_error

and the type inference function which is simpler to write, because it does not
need to propagate the substitutions:
let rec infer env = function
| Var x -> (try inst (List.assoc x env)
with Not_found -> raise Type_error)
| Abs (x, t) ->
let a = fresh () in
let b = infer ((x,a)::env) t in
TArr (a, b)
| App (t, u) ->
let a = infer env u in
let b = fresh () in
let c = infer env t in
unify (TArr (a,b)) c;
b
| Let (x, t, u) ->
let a = infer env t in
infer ((x, gen env a)::env) u
The substitutions are now very efficiently performed because we do not have
to go through terms anymore, references are doing the job for us. There is
however one last source of inefficiency in this code: in the function unify, the
function occurs x b has to go through all the type b to see whether the variable
x occurs in it or not. There is a very elegant solution to this due to Rémy [Rém92]
that we learned from [Kis13]. To each type variable, we are going to assign an
integer called its level, which indicates the depth of let-declaration when it was
created. Initially, the level is 0 by convention and in an expression let x = t in u
at level n, the variables created by t will have level n + 1, whereas the variables
of u will still have level n (it is some sort of de Bruijn index). For instance, in
the term
let a = (let b = λx.x in λy.y) in λz.z
the type variables associated to x, y and z will have level 2, 1 and 0 respectively.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 206

This can be figured graphically as follows:

level 2: let a = (let b = λx.x in λy.y) in λz.z
level 1: let a = (let b = λx.x in λy.y) in λz.z
level 0: let a = (let b = λx.x in λy.y) in λz.z
One can convince himself that, in a term let x = t in u, the variables which
should be generalized in the rule (let) are those which were “locally created”
during the inference of t, i.e. those which are at a strictly higher level than
the current one. We thus modify our implementation once more. We begin by
declaring a global reference, which will record the current level when performing
the type inference, along with two functions in order to increase and decrease
the current level:
let level = ref 0
let enter_level () = incr level
let leave_level () = decr level
We also change the representation of type variables: the constructor for unbound
variables becomes
| Unbd of int * int (* unbound variable (name / level) *)
It now takes two integers as argument: the number of the variable (acting as its
name) and its level. In the generalization function, we only generalize variables
which are above current level:
let rec gen a =
match a with
| EVar x -> if tlevel x <= !level then EVar x else UVar (tname x)
| UVar x -> UVar x
| TArr (a, b) -> TArr (gen a, gen b)
where tname and tlevel respectively return the name and type of a type vari-
able. Finally, levels get update in the infer function whose only change is in
the Let case:
| Let (x, t, u) ->
enter_level ();
let a = infer env t in
leave_level ();
infer ((x, gen a)::env) u
We increase the current level when typechecking the definition and decrease it
afterward.
Example 4.4.4.7. In the function
λx.let y = λz.z in y
the type variable Z associated to z has level 1, so that it gets generalized in the
type of y, because y is declared at level 0 and 0 < 1: in the environment, y will
have the type scheme ∀Z.Z → Z. However, in the function
λx.let y = λz.x in y
the type variable X associated to x does not get generalized because it is of
level 0, so that y has the type scheme ∀Y.Y → X, and not ∀X.∀Y.Y → X.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 207

There is a catch however: it might happen that, during unification (see the
function unify above), a variable X with low level ` gets substituted with a
type A containing variables of high level. In this case, all the levels of the
variables in A should be lowered to the minimum of their level and ` before
performing the substitution: their level get “contaminated” by the one of the
variable they are unified with. However, we are smart and see that the function
occurs is already going through the type just before we substitute, and it is the
only place where it is used, so that we can use it to both check the occurrence
and update the levels. We therefore change it to
let rec occurs x a =
match unlink a with
| EVar y when x = y -> raise Type_error
| EVar y ->
let l = tlevel y in
let l = match !x with Unbd (_,l') -> min l l' | _ -> l in
y := Unbd (tname y, l)
| UVar _ -> ()
| TArr (a, b) -> occurs x a; occurs x b
which changes the level of all variables by the minimum of their old level and
the current level. Without this modification of occurs, for the term

λx.let y = λz.x z in y

we would infer the unsound type (X → Y ) → (Z → W ) instead of the expected

type (X → Y ) → (X → Y ).

4.4.5 Bidirectional type checking. We present here another approach to

type checking, which does not try to come up with new or most general types:
this means that we will fail to infer the type for terms when we are not certain
about this type (for instance, if the term can have multiple types). However, we
will try to exploit has much as possible the already know type information about
terms. This is less powerful than previous methods in the context of λ-calculus,
but has the advantage of being simple to implement and of generalizing well to
richer logics, where principal types do not exist or type inference is undecidable,
see chapter 8.
When implementing type inference, we can see that two different phases are
actually involved:
– type inference: we come up with a type for the term,
– type checking: we make sure that the term has a given type.
For instance, when performing the type inference for a term t u, we first infer
the type for t, which should be of the form A → B, and then we check that
u has type A. Of course, this checking part usually done by inferring a type
for u and comparing it with A, but in some situations we can exploit the fact
that we are checking that the term t has type A, and that this A does bring
us some information. For instance, we can check that the term λx.x has the
type X → X, but we cannot unambiguously infer a type for λx.x because it
admits multiple types (we have seen that there are canonical choices such as the
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 208

principal type, see section 4.4.2, but here we do not want to make any choice
for the user).
This suggests splitting the usual typing judgment Γ ` t : A in two:
– Γ ` t ⇒ A: we infer the type A for the term t in the context Γ,
– Γ ` t ⇐ A: we check that the term t has type A in the context Γ.
We will consider terms of the form
t, u ::= x | λx.t | t u | (t : A)
The only new construction is the last one, (t : A), which means “check that t
has type A”. It will become handy since it allows bringing type information in
terms and is already present in languages such as OCaml, where we can define
the identity function on integers by
let id = fun x -> (x : int)
The rules for type inference and checking are the following ones:

(ax)
Γ ` x ⇒ Γ(x)

Γ`t⇒A→B Γ`u⇐A Γ, x : A ` t ⇐ B
(→E ) (→I )
Γ ` tu ⇒ B Γ ` λx.t ⇐ A → B

Γ`t⇐A Γ`t⇒A
(cast) (sub)
Γ ` (t : A) ⇒ A Γ`t⇐A
They read as follows:
(ax) If we know that x has type A then we can come up with a type for x:
namely A.
(→E ) If we can infer a type A → B for t and check that u has type A then we
can infer the type B for t u.
(→I ) In order to check that λx.t has type A → B, we should check that t has
type B when x has type A.
(cast) We can infer the type A for (t : A) provided that t actually has type A.
(sub) This subsumption rule states that, as last resort, if we do not know how
to check that a term t has type A, we can go back to the old method of
inferring a type for it and ensuring that this type is A.
Note that there is no rule for inferring the type of λx.t, because there is no way
to come up with a type for x without type annotations. Again, this means that
we cannot infer a type for the identity λx.x, but we can in presence of type
annotations:
(ax)
x:A`x⇒A
(sub)
x:A`x⇐A
(→I )
` λx.x ⇐ A → A
(cast)
` (λx.x : A → A) ⇒ A → A
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 209

An implementation is provided in figure 4.6: the two modes (type inference

and checking) are implemented by two mutually recursive functions (infer and
check). There are two kind of errors that can be raised: Type_error means
that the term is ill-typed as usual, and Cannot_infer means that the algorithm
could not come up with a type, but the term might still be typable.
Example 4.4.5.1. For illustration purposes, we suppose we have access to real
(or float) numbers, of type R, with the rule

Γ`r⇒R

for every real number r. We also suppose that we have access to the usual
mathematical functions (addition, multiplication), as well as a function which
computes the mean of a function between two points, i.e. Γ contains

mean : (R → R) → R → R → R

We can then type

Γ, x : R ` x ⇒ R
Γ, x : R ` x ⇐ R
Γ ` mean ⇒ (R → R) → R → R → R Γ ` λx.x ⇐ R → R Γ`5⇒R
Γ ` mean (λx.x × x) ⇒ R → R → R Γ`5⇐R Γ`7⇒R
Γ ` mean (λx.x × x) 5 ⇒ R → R Γ`7⇐R
Γ ` mean (λx.x × x) 5 7 ⇒ R

However, we cannot infer the type for the function

λf xy.(f x + f y)/2

which would be the definition of mean. When defining a function we have to

give its type and cast it accordingly: we can type

(λf xy.(f x + f y)/2 : (R → R) → R → R → R)

This is why in a programming language such as Agda you have to declare the
type of a function when defining it:
mean : (R → R) → R → R → R
mean f x y = (x + y) / 2

Remark 4.4.5.2. If we omit the rule (cast), it is interesting to note that the
terms v such that Γ ` v ⇐ A and the terms n such that Γ ` n ⇒ A is derivable
for some context Γ and type A are respectively generated by the grammars

v ::= λx.t | n n ::= x | n v

which is precisely the traditional definition of values (also called normal forms)
and neutral terms (already encountered in section 3.5.2 for instance).
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 210

(** Types. *)
type ty =
| TVar of string
| TArr of ty * ty

type var = string

(** Terms. *)
type term =
| Var of var
| App of term * term
| Abs of var * term
| Cast of term * ty

exception Cannot_infer
exception Type_error

(** Type inference. *)

let rec infer env = function
| Var x ->
(try List.assoc x env with Not_found -> raise Type_error)
| App (t, u) ->
(
match infer env t with
| TArr (a, b) -> check env u a; b
| _ -> raise Type_error
)
| Abs (x, t) -> raise Cannot_infer
| Cast (t, a) -> check env t a; a

(** Type checking. *)

and check env t a =
match t , a with
| Abs (x, t) , TArr (a, b) -> check ((x, a)::env) t b
| _ -> if infer env t <> a then raise Type_error

Figure 4.6: Bidirectional type checking.

CHAPTER 4. SIMPLY TYPED λ-CALCULUS 211

4.5 Hilbert calculus and combinators

We have seen in section 3.6.3 that every λ-term can be expressed using ap-
plication and the two combinators S and K, respectively corresponding to the
λ-terms

S = λxyz.(xz)(yz) K = λxy.x

We have also seen in example 4.4.2.5 that the principal types of those terms are
respectively

(X → Y → Z) → (X → Y ) → X → Z and X→Y →X

which means that they respectively have the type

(A → B → C) → (A → B) → A → C and A→B→A

for every types A, B and C.

It is thus natural to consider a typed version of combinatory terms (see
section 3.6.3) expressed by rules, where types and contexts are defined as above,
and sequents are of the form
Γ`t:A
where Γ is a context, t is a combinatory term and A is a type. The rules are
(ax)
Γ ` x : Γ(x)

(S)
Γ ` S : (A → B → C) → (A → B) → A → C

(K)
Γ`K:A→B→A

Γ`t:A→B Γ`u:A
(→E )
Γ ` tu : B

where in (ax) we suppose that x ∈ dom(Γ). If we apply an analogous of the

term erasing procedure (section 4.1.7), we obtain the following logical system:
(ax)
Γ, A, Γ0 ` A

(S)
Γ ` (A ⇒ B ⇒ C) ⇒ (A ⇒ B) ⇒ A ⇒ C

(K)
Γ`A⇒B⇒A

Γ`A⇒B Γ`A
(⇒E )
Γ`B

which is precisely the Hilbert calculus described in section 2.7! In other words,
in the same way that natural deduction corresponds, via the Curry-Howard cor-
respondence, to simply typed λ-calculus, Hilbert calculus corresponds to typed
combinatory terms.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 212

Example 4.5.0.1. We have seen in example 3.6.3.1 that, in combinatory logic,

identity could be expressed as
I = SKK
Its typing derivation is
(S) (K)
` S : (A → (B → A) → A) → (A → B → A) → A → A ` K : A → (B → A) → A
(→E ) (K)
` S K : (A → B → A) → A → A `K:A→B→A
(→E )
` SKK : A → A

from which, by term erasure, we recover the proof of A ⇒ A in Hilbert calculus

given in example 2.7.1.1.

4.6 Classical logic

Since classical logic is an extension of intuitionistic logic, in the sense that we
have more rules, we can expect that the Curry-Howard correspondence can
be extended to classical logic. For various reasons, it has been thought for a
long time that classical logic had no computational contents, one being that
naively imposing A ⇔ ¬¬A makes all proofs of a given type equal, see sec-
tion 2.5.4. It was thus somehow a surprise when Parigot introduced the λµ-cal-
culus [Par92], which is an extension of the λ-calculus suitable for classical logic.
In section 2.5.9, we have analyzed the proof of ¬A ∨ A (or rather its encoding
in intuitionistic logic). The main ingredient is the ability to “rollback” to a
previous proof goal at any point in the proof: we prove ¬A and at some point
we change our mind, go back to proving ¬A ∨ A, and chose proving A instead.
In λµ-calculus, this is achieved by a sort of “exception” mechanism: instead of
going on with the computation, we might raise an exception which is going to
be catched and change the computation flow. However, in this calculus, the ex-
ceptions follow a very particular discipline, making them behaving not exactly
as in usual languages such as OCaml.

4.6.1 Felleisen’s C. Let us try to naively try to extend the Curry-Howard

correspondence to classical logic. For clarity, we write here ⊥ instead of 0 for
the type corresponding to falsity. Starting from implicative intuitionistic natural
deduction, classical logic can be obtained by adding the rule

Γ ` ¬¬A
(¬¬E )
Γ`A

corresponding to double negation elimination. This suggests that we should add

a corresponding construction, say C(t), to our term calculus together with the
typing rule
Γ ` t : ¬¬A
(¬¬E )
Γ ` C(t) : A
This calculus allows for “static” Curry-Howard correspondence in a similar sense
to theorem 4.1.7.1: there is a bijective correspondence between typing deriva-
tion of λ-terms with C and proofs in natural deduction with double negation
elimination.
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 213

In order to hopefully extend this to a dynamical correspondence, we need

to introduce a notion of reduction, which should correspond to cut elimination.
First remark that, contrarily to usually, we do not need to add an introduction
rule for double negation. Namely, recalling that ¬A = A → ⊥, we can construct
a proof of ¬¬A from a proof of A as follows:
..
.
(ax)
Γ, k : A → ⊥ ` k : A → ⊥ Γ, k : A → ⊥ ` t : A
(→E )
Γ, k : A → ⊥ ` k t : ⊥
(→I )
Γ ` λk A→⊥ .k t : (A → ⊥) → ⊥
In other words, the introduction rule for double negation should be
Γ`t:A
(¬¬I )
Γ ` λk ¬A .k t : ¬¬A
We can therefore “guess” the reduction rule associated to C by observing the
corresponding cut elimination:
π
Γ`t:A
(¬¬I )
Γ ` λk ¬A .k t : ¬¬A π
¬A
(¬¬E )
Γ ` C(λk .k t) : A Γ`t:A
The β-reduction rule should thus be
C(λk ¬A .k t) −→β t
Note that this rule only makes sense when k does not occur in t, otherwise
the bound variable k could escape its scope... This is the main reduction rule
associated to C, but it turns out that two more reduction rules are required
for C:
C(λk ¬A .k t) −→β t if k 6∈ FV(t)
¬(A→B) 0¬B A→B
C(λk .t) u −→β C(λk .t[λf .k (f u)/k])
¬A 0¬A 00¬A
C(λk .k C(λk .t)) −→β C(λk .t[k /k, k 00 /k 0 ])
00

The second rule somehow states that the application to the argument u goes
through under C: if our calculus had products or coproducts, similar rules would
have to be added in order to enforce their compatibility with C.
Let us try to understand what this could mean. Suppose given a term v
of type ¬¬A. Since ¬¬A = (A → ⊥) → ⊥, this means that v must be an
abstraction taking an argument k of type A → ⊥ and return a value of type ⊥,
i.e. v will typically reduce to a term of the form λk A→⊥ .u. Since there is
no introduction rule for ⊥ (there is no way of directly constructing a term of
type ⊥), at some point during the evaluation of u, it must apply k to some
argument t of type A in order to produce the value of type ⊥, i.e. v will reduce
to λk A→⊥ .k t. Thus, C(v) will reduce to C(λk A→⊥ .k t), which will reduce to t.
A typical reduction is thus
∗ ∗
C(v) −→β C(λk ¬A .u) −→β C(λk ¬A .k t) −→β t
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 214

This means that C(v) waits for v to apply its argument k to some term t of
type A and returns this argument t. The term k can thus be thought of as an
analogous of return in some languages such as C, or maybe also as the raise
operator of OCaml which raises exceptions (more on this later on). However,
things are more subtle here because the returned term might itself use some of
the terms computed during the evaluation of v. In order to see that in action,
let us compute the term associated to the usual proof of ¬A ∨ A:
(ax)
k : ¬(¬A ∨ A), a : A ` a : A
(∨rI )
k : ¬(¬A ∨ A), a : A ` ιr (a) : ¬A ∨ A
(¬E )
k : ¬(¬A ∨ A), a : A ` k ιr (a) : ⊥
(¬I )
k : ¬(¬A ∨ A) ` λaA .k ιr (a) : ¬A
(∨lI )
k : ¬(¬A ∨ A) ` ιl (λaA .k ιr (a)) : ¬A ∨ A
(¬E )
k : ¬(¬A ∨ A) ` k ιl (λaA .k ιr (a)) : ⊥
(¬¬I )
` λk ¬A .k ιr (λaA .k ιl (a)) : ¬¬(¬A ∨ A)
(¬¬E )
` C(λk ¬A .k ιl (λaA .k ιr (a))) : ¬A ∨ A

As indicated above, the term C(λk ¬A .k ιl (λaA .k ιr (a))) cannot reasonably reduce
to
t = ιl (λaA .k ιr (a))
because the variable k occurs in t. The additional rules make it so that it
however acts as t, i.e. it states that it is a proof of ¬A = A → ⊥, albeit being
surrounded by C(λk ¬A .k . . .). If, at some point, we use this proof and apply it
to some argument u of type A, the term will thus reduce to

C(λk ¬A .k ιr (u))

which in turn will reduce to ιr (u) by the reduction rule associated to C. It thus
fakes being a proof of ¬A until we actually use this proof and apply it to some
argument u of type A, at which point it changes its mind and declares that it
was actually a of A, namely u. This is exactly the behavior we were describing
in section 2.5.2, when explaining that classical logic allows to “resetting proofs”.

Variants of the calculus. The operator C is due to Felleisen [FH92] and the
observation that it could be typed by double negation elimination was first made
by Griffin [Gri89], see also [SU06, chapter 7]. There are many small possible
variants of the calculus. First note that we could add C (as opposed to C(t))
as a constant to the language, which corresponds to adding double negation
elimination as an axiom instead of a rule:

Γ ` C : ¬¬A → A

If we instead use Clavius’ law instead of double negation, see theorem 2.5.1.1,
then we would have defined an operator cc called callcc (for call with current
continuation):
Γ ` cc : (¬A → A) → A
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 215

This operator is implemented in languages such as Scheme and C is a general-

ization of it: we have cc(λk.t) = C(λk.k t). Finally, double negation elimination
can also be implemented by the rule
Γ, ¬A ` ⊥
Γ`A

which suggests the following variant of the calculus

Γ, x : ¬A ` t : ⊥
Γ ` µxA .t : A

This means that we now add a construction µxA .t to our terms which corre-
sponds to
µxA .t = C(λx¬A .t)
in the previous calculus. In next section, we see an alternative calculus, based
on the similar ideas though, with much nicer and intuitive reduction rules.

4.6.2 The λµ-calculus. Let us now introduce the λµ-calculus [Par92]. We

suppose fixed two sorts of variables: the term variables x, y, etc. which behave
as usual and the control variables α, β, etc. which can be thought of as variables
of negated types. The terms are generated by the grammar

t, u ::= x | t u | λx.t | µα.t | [α]t

The first constructions are the usual ones from the λ-calculus. A term of the
form µα.t should be thought of as a term catching an exception named α and a
term [α]t as raising the exception α with the value t. The reduction will make
it so that the place where it is catched is replaced by t. For instance, we will
have a reduction
∗
t (µα.u ([α]v)) −→ t v
meaning that during the evaluation of the argument of t, the exception α will
be raised with value v and will thus replace the term at the corresponding µα.
The constructor µ is considered as a binder and terms are considered modulo
α-equivalence: µα.t = µβ.(t[β/α]). Beware of the unfortunate similarity in
notation between raising and substitution.
The three reduction rules of the calculus are
– the usual β-reduction:
(λx.t)u −→β t[u/x]

– the following rule commuting applications and µ-abstractions:

(µα.t) u −→β µβ.t[[β]−u/[α]−]

where the weird notation for in the substitution means that we should
replace every subterm of t of the form [α]v by [β]vu,
– the following reduction rule for µ, stating that if we catch exceptions raised
on α and immediately re-raise on β, we might as well raise them directly
on β:
[β](µα.t) −→β t[β/α]
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 216

Additionally, we require the following η-reduction rule, stating that if we catch

on α and immediately re-raise on α, we might as well do nothing:
µα.[α]t −→η t
when α 6∈ FV(t). It is proved in [Par92] that
Theorem 4.6.2.1. The λµ-calculus is confluent.
Remark 4.6.2.2. The translation between previous calculus based on C and
λµ-calculus was already hinted at at the end of previous section: µα.t cor-
responds to C(λα.t) and [α] corresponds to applying the argument given by C.
More formally, the operators cc and C can be encoded in the λµ-calculus as
cc = λy.µα.[α](y (λx.µβ.[γ]x))
C = λy.µα.[β](y (λx.µγ.[α]x))
The intuition is thus that µα.t corresponds to some sort of OCaml construc-
tion creating an exception and catching it:
let exception Alpha of 'a in
try t with Alpha u -> u
and [α]u would correspond to raising the exception:
raise (Alpha u)
However, there are differences. First, the name of the exception is generated on
the fly instead of being hard-coded: we have an α-conversion rule for µ binders.
More importantly, the exceptions can never escape their scope in λµ-calculus,
contrarily to OCaml. For instance, consider the following program in OCaml:
let f : int -> int =
let exception Alpha of (int -> int) in
try fun n -> raise (Alpha (fun x -> n * x))
with Alpha g -> g

let () = print_int (f 3)
Although, the exception Alpha seems to be catched (the raise is surrounded by
a try / catch), executing the program results in
Fatal error: exception Alpha(_)
meaning that it was not the case: when executing f 3, f is replaced by its value
and the reduction raises the exception. The analogous of this program in λµ is
f = µα.[α](λn.[α](λx.n × x))
(we allow ourselves to use integers and multiplication). It does not suffer from
this problem, and corresponds to a function which, when applied to an argu-
ment n, turns into the function which multiplies by n. When we apply it to 3,
it thus turns to the function which multiplies its argument (which is 3) by 3 and
the result will actually be 9 as expected:
f 3 −→ µβ.[β](λn.[β](λx.n × x)3)3
−→ µβ.[β][β](λx.3 × x)3
−→ µβ.[β][β](3 × 3)
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 217

which is η-equivalent to 3 × 3 using the two η-conversion rules.

Another possible interpretation is that µα.t stores the current evaluation
context and [α]u restores the evaluation context of the corresponding µα before
executing u: it is as if the term t had never been executed. In the above example,
it is as if f had directly been defined as λx.n × x.

4.6.3 Classical logic as a typing system. In order to type the λµ-calculus,

we consider types of the form

A, B ::= X | A → B | ⊥

We also consider a Church variant of the calculus, where λ- and µ-abstracted

variables are decorated by their types. The sequents are of the form

Γ ` t : A|∆

with t a term, A a type, and Γ and ∆ contexts of the form

Γ = x1 : B1 , . . . , x m : Bm ∆ = α1 : A1 , . . . , αn : An

where the variables of Γ are regular ones, whereas those of ∆ are control vari-
ables. Namely, Γ provides the type of the free variables of t as usual, whereas ∆
gives the type of exceptions that might be raised. Finally, A is the type of the
result of t, which might never be actually given if some exception is raised. In
particular, a term of type ⊥ is called a command: we know that it will never
return a value, and thus necessarily raises some exception.
The typing rules for λµ-calculus are

(ax)
Γ, x : A, Γ0 ` x : A | ∆

Γ ` t : A → B |∆ Γ ` u : A|∆ Γ, x : A ` t : B | ∆
(→E ) (→I )
Γ ` tu : B |∆ Γ ` λxA .t : A → B | ∆

Γ ` t : ⊥ | ∆, α : A, ∆0 Γ ` t : A | ∆, α : A, ∆0
(⊥E ) (⊥I )
A
Γ ` µα .t : A | ∆, ∆ 0
Γ ` [α]t : ⊥ | ∆, α : A, ∆0

The rule (⊥E ) says that a term µαA .t of type A is a command which raises some
value of type A on α and the rule (⊥I ) says that a term [α]t is a command (of
type ⊥, not returning anything) and that the type A of the raised term t has
to match the one expected for α.
Exercise 4.6.3.1. Shows that the Pierce law

((A → B) → A) → A

is the type of the following term:

λx(A→B)→A .µαA .[α](x (λy A .µβ B .[α]y))

It can be shown that this system has the expected properties [Par92, Par97],
which were detailed above in the case of simply-typed λ-calculus:
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 218

Theorem 4.6.3.2 (Subject reduction). If Γ ` t : A | ∆ is derivable and t −→β t0

then Γ ` t0 : A | ∆ is also derivable.
Theorem 4.6.3.3 (Strong normalization). Typed λµ-terms are strongly normal-
izing.
If we erase the terms from the rules, we obtain the following presentation of
classical logic:

(ax)
Γ, A, Γ0 ` A, ∆

Γ ` A ⇒ B, ∆ Γ ` A, ∆ Γ, A ` B, ∆
(⇒E ) (⇒I )
Γ ` B, ∆ Γ ` A ⇒ B, ∆

Γ ` ⊥, ∆, A, ∆0 Γ ` A, ∆, A, ∆0
(⊥E ) (⊥I )
Γ ` A, ∆, ∆0 Γ ` ⊥, ∆, A, ∆0

All the rules are the usual ones excepting for the rule (⊥I ) which combines
weakening, contraction and exchange:
Γ ` A, ∆, A, ∆0
(xch)
Γ ` ∆, A, A, ∆0
(contr)
Γ ` ∆, A, ∆0
(wk)
Γ ` ⊥, ∆, A, ∆0

The list of formulas in ∆ (nor Γ) is not supposed to be commutative, and

introduction and elimination rules are always performed on the leftmost formula.
During proof search, we can however put another formula of ∆ on the left
using elimination and introduction rules for ⊥, as shown on the left (and the
corresponding typing derivation is figured on the right):

Γ ` B, A, ∆, B, ∆0 Γ ` t : B | α : A, ∆, β : B, ∆0
(⊥I ) (⊥I )
Γ ` ⊥, A, ∆, B, ∆ Γ ` [β]t : ⊥ | A, ∆, B, ∆
(⊥E ) (⊥E )
Γ ` A, ∆, B, ∆0 Γ ` µαA .[β]t : A | ∆, β : B, ∆0

Adding the usual rules for coproducts, we can show the excluded middle as
follows in this settings
(ax)
x : A ` x : A | α : ¬A ∨ A
(∨rI )
x : A ` ι¬A
r (x) : ¬A ∨ A | α : ¬A ∨ A
(⊥I )
x : A ` [α]ι¬A
r (x) : ⊥ | α : ¬A ∨ A
(¬I )
` λxA .[α]ι¬A
r (x) : ¬A | α : ¬A ∨ A
¬A
(∨lI )
` ιA A
l (λx .[α]ιr (x)) : A ∨ B | α : ¬A ∨ A
¬A
(⊥I )
` [α]ιA A
l (λx .[α]ιr (x)) : ⊥ | α : ¬A ∨ A
(⊥E )
` µα¬A∨A .[α]ιA A ¬A
l (λx .[α]ιr (x)) : ¬A ∨ A |

In order to give a more concrete idea of this program, let us try to implement it in
OCaml. Remember from section 1.5 that the empty type ⊥ can be implemented
as
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 219

type bot
and negation as
type 'a neg = 'a -> bot
From those, the above term proving excluded middle can roughly be translated
as
let em () : (a neg, a) sum =
let exception Alpha of (a neg, a) sum in
try Left (fun x -> raise (Alpha (Right x)))
with Alpha x -> x
As explained above, this does not behave exactly as it should in OCaml, because
exceptions are not properly scoped there...

4.6.4 A more symmetric calculus. The reduction rule for (µα.t) u in the
λµ-calculus involves a slightly awkward substitution. In order to overcome this
defect and reveal the symmetry of terms and environments, Curien and Herbelin
have introduced a variant of the λµ-calculus called the λµµ̃-calculus [CH00]. In
this calculus there are three kinds of “terms”:

terms: t ::= x | λx.t | µα.c

environments: e ::= α | t · e | µ̃α.c
commands: c ::= ht | ei

with reduction rules

hλx.t | u · ei −→ hu | µ̃x.ht | eii

hµα.c | ei −→ c[e/α]
ht | µ̃x.ci −→ c[t/x]

The typing judgments are of the three possible forms

Γ ` t : A|∆ Γ|e : A ` ∆ c : (Γ ` ∆)

and the rules are

(axL ) (axR )
Γ | α : A ` α : A, ∆ Γ, x : A ` x : A | ∆

Γ ` t : A|∆ Γ|e : B ` ∆ Γ, x : A ` t : B | ∆
(→L ) (→R )
Γ, t · e : A → B ` ∆ Γ ` λx.t, A → B | ∆

c : (Γ, x : A ` ∆) c : (Γ ` α : A, ∆)
(⊥L ) (⊥R )
Γ | µ̃x.c : A ` ∆ Γ ` µα.c : A | ∆

Γ ` t : A|∆ Γ|e : A ` ∆
ht | ei : (Γ ` ∆)

You are strongly encouraged to observe their beautiful symmetry and find out
their meaning by yourselves. In particular, Lafont’s critical pair presented in
CHAPTER 4. SIMPLY TYPED λ-CALCULUS 220

section 2.5.4 corresponds to the fact that the following term can reduce in two
different ways, showing that the calculus is not confluent (for good reasons!):

c[µ̃x.d/α] ←− hµα.c | µ̃x.di −→ d[µα.c/x]

In particular, if α is not free in c and x is not free in d, c and d are convertible...

 Chapter 5

First-order logic

First-order logic is an extension of propositional logic where propositions are

allowed depend on terms over some fixed signature, and are then called predi-
cates. For instance, equality can be encoded as a predicate t = u which depends
on two terms t and u. There are thus two worlds at stake: the world of logic,
where formulas live, and the world of data, where terms live. This logic is the
one traditionally considered in mathematics (in particular, we will see that it
can be used to formally state the axiom of set theory). Good introductions on
the subject include [CK90, CL93].
We define first-order logic in section 5.1, present some well-known first-order
theories in section 5.2, and detail the particular case of set theory in section 5.3
(including in the intuitionistic setting). Finally, the firs-order unification algo-
rithm is presented in section 5.4.

5.1 Definition
5.1.1 Signature. A signature Σ is a set of function symbols together with a
function a : Σ → N associating an arity to each symbol: f can be thought of as
a formal operation with a(f ) inputs. In particular, symbols of arity 0 are called
constants.

5.1.2 Terms. We suppose fixed an infinite countable set X of variables. Given

a signature Σ, the set TΣ of terms is the smallest set such that

– every variable is a term: X ⊆ TΣ ,

– terms are closed under operations: given f ∈ Σ with a(f ) = n and
t1 , . . . , tn ∈ TΣ , we have f (t1 , . . . , tn ) ∈ TΣ .
This can also be stated as the fact that terms are generated by the grammar

t ::= x | f (t1 , . . . , tn )

where x is a variable, f is a term of arity n and the ti are terms. We often

implicitly suppose fixed a signature and simply write T instead of TΣ .
Example 5.1.2.1. Consider the signature Σ = {+ : 2, 0 : 0}. This notation means
that it contains two functions symbols + and 0, whose arities are respectively
a(+) = 2 and a(0) = 0. Examples of terms over this signature are

+(x, 0()) + (+(x, x), +(y, 0())) + (0(), 0())

In the following, we generally omit parenthesis for constants, e.g. write 0 instead
of 0().
CHAPTER 5. FIRST-ORDER LOGIC 222

Given a term t, its set of subterms ST(t) is defined by induction on t by

ST(x) = {x}
[
ST(f (t1 , . . . , tn )) = {f (t1 , . . . , tn )} ∪ ST(ti )
16i6n

We say that u is a subterm of t when u ∈ ST(t), it is a strict subterm when it

is distinct from t.

5.1.3 Substitutions. A substitution is a function σ : X → T such that the set

{x ∈ X | σ(x) 6= x} is finite. Given a term t, we write t[σ] for the term obtained
from t by replacing every variable x by σ(x):
x[σ] = σ(x) (f (t1 , . . . , tn ))[σ] = f (t1 [σ], . . . , tn [σ])
We sometimes write σ = [t1 /x1 , . . . , tn /xn ] for the substitution such that σ(xi ) = ti
and σ(x) = x for x 6= xi for every 1 6 i 6 n. A renaming is a substitution such
that the term σ(x) is a variable, for every variable x.

5.1.4 Formulas. We suppose fixed a set P of predicates (also sometimes called

relation symbols) together with a function a : P → N associating an arity to
each predicate. A formula A is an expression generated by the grammar
A ::= P (t1 , . . . , tn ) | A ⇒ B | A ∧ B | > | A ∨ B | ⊥ | ¬A | ∀x.A | ∃x.A
where P is a predicate of arity n, the ti are terms and x ∈ X is a term variable.
The quantifications bind the less tightly, e.g. ∀x.A ∧ B is implicitly bracketed
as ∀x.(A ∧ B) and not (∀x.A) ∧ B. Note that the definition of formulas depends
both on the considered signature Σ and the considered set P of predicates: we
sometimes say a formula on (Σ, P) to make this precise, although we generally
leave it implicit.
Example 5.1.4.1. Consider the signature Σ = {× : 2, 1 : 0}, which means that
we have two function symbols “×” and “1”, with × of arity 2 and 1 of arity 0.
We also suppose that P contains a predicate = of arity 2. We have the formula
∀x.∃y.(x × y = 1 ∧ y × x = 1)
which expresses that every element admits an inverse.
Example 5.1.4.2. With a predicate D of arity one, the drinker formula is
∃x.(D(x) ⇒ (∀y.D(y)))
The name of this formula comes from the following interpretation. If we see
terms as people in a pub and consider that D(t) holds when t drinks, it can be
read as:
There is someone in the pub such that,
if he is drinking, then everyone in the pub is drinking.
We will see in example 5.1.7.1 that this formula is classically true, but it not
intuitionistically so.
First order logic is an extension of propositional logic in the following sense.
Consider the empty signature Σ = ∅ and the set P = X consisting of all proposi-
tional variables, seen as predicates of arity 0. Then a propositional formula, such
as X ∨ ¬Y , corresponds precisely to a first order formula, such as X() ∨ ¬Y ().
CHAPTER 5. FIRST-ORDER LOGIC 223

5.1.5 Bound and free variables. In a formula of the form ∀x.A or ∃x.A, the
variable x is said to be bound in A. This means that the name of the variable x
does not really matter and we could have renamed it to some other variable
name, without changing the formula. We thus implicitly consider formulas up
to proper (or capture avoiding) renaming of variables (by “proper”, we mean
here that we should take care of not renaming a variable to some already bound
variable name). For instance, we consider that the two formulas

∀x.∃y.x + y = x and ∀z.∃y.z + y = z

are the same (the second is obtained from the first by renaming x to z), but
they are different from the formula

∀x.∃x.x + x = x

obtained by an “improper” renaming of y into x which was already bound.

Such a mechanism for renaming bound variables is detailed in section 3.1, for
the λ-calculus.
A variable which is not bound is said to be free and we write FV(A) for the
set of free variables of a formula A. This is formally defined by

FV(P (t1 , . . . , tn )) = FV(t1 ) ∪ . . . ∪ FV(tn )

FV(A ⇒ B) = FV(A × B) = FV(A + B) = FV(A) ∪ FV(B)
FV(>) = FV(⊥) = ∅
FV(¬A) = FV(A)
FV(∀x.A) = FV(∃x.A) = FV(A) \ {x}

where, given a term t, we write F V (t) for the set of all the variables occurring
in t. A formula A is closed when it has no free variable, i.e. FV(A) = ∅. We
sometimes write
A(x1 , . . . , xn )
for a formula A whose free variables are among x1 , . . . , xn . In this case, we write
A(t1 , . . . , tn ) instead of A[t1 /x1 , . . . , tn /xn ].
Given a formula A and a term t, we write A[t/x] for the formula A where all
the free occurrences of x have been substituted by t avoiding captures, i.e. we
suppose that all bound variables are different from the variables of t. For in-
stance, with A being
(∃y.x + x = y) ∨ (∃x.x = y)
we have that A[z + z/x] is

(∃y.(z + z) + (z + z) = y) ∨ (∃x.x = y)

but in order to compute A[y + y/y], we have to rename the bound variable y
(say, to z) and the result will be

(∃z.(y + y) + (y + y) = z) ∨ (∃x.x = y)

and not
(∃y.(y + y) + (y + y) = y) ∨ (∃x.x = y)
CHAPTER 5. FIRST-ORDER LOGIC 224

5.1.6 Natural deduction rules. The rules for first order logic in intuitionistic
natural deduction are the usual ones (see figure 2.1) together with the following
introduction and elimination rules for universal and existential quantification:

Γ ` ∀x.A Γ`A
(∀E ) (∀I )
Γ ` A[t/x] Γ ` ∀x.A

Γ ` ∃x.A Γ, A ` B Γ ` A[t/x]
(∃E ) (∃I )
Γ`B Γ ` ∃x.A

These rules are subject to the following (important) side conditions:

– in (∀I ), we suppose x 6∈ FV(Γ),

– in (∃E ), we suppose x 6∈ FV(Γ) ∪ FV(B).

where, given a context Γ = x1 : A1 , . . . , xn : An , we have
n
[
FV(Γ) = FV(Ai )
i=1

Example 5.1.6.1. We have

(ax)
∀x.¬A, ∃x.A, A ` ∀x.¬A
(∀E ) (ax)
∀x.¬A, ∃x.A, A ` ¬A ∀x.¬A, ∃x.A, A ` A
(ax) (¬E )
∀x.¬A, ∃x.A ` ∃x.A ∀x.¬A, ∃x.A, A ` ⊥
(∃E )
∀x.¬A, ∃x.A ` ⊥
(¬I )
∀x.¬A ` ¬(∃x.A)
(⇒I )
` (∀x.¬A) ⇒ ¬(∃x.A)

Remark 5.1.6.2. The side conditions avoid clearly problematic proofs such as
(ax)
A(x) ` A(x)
(∀I )
A(x) ` ∀x.A(x)
(⇒I )
` A(x) ⇒ ∀x.A(x)
(∀I )
` ∀x.(A(x) ⇒ ∀x.A(x))
(∀E )
` A(t) ⇒ ∀x.A(x)

which can be read as: if the formula A holds for some term t then it holds for
any term. The problematic rule is the (∀I ) just after the (ax) rule: x is not
fresh.

Properties of the calculus. We do not detail this here, but the usual properties
of natural deduction generalize to first order logic. In particular, the structural
rules (contraction, exchange, weakening) are admissible, see section 2.2.7. We
will also see in section 5.1.9 that cuts can be eliminated.
CHAPTER 5. FIRST-ORDER LOGIC 225

5.1.7 Classical first order logic. Following section 2.5, classical first order
logic, is the system obtained from the above one by adding one of the following
rules
Γ ` ¬¬A Γ, ¬A ` A
(lem) (¬¬E ) (raa)
Γ ` ¬A ∨ A Γ`A Γ`A

implementing the excluded middle, the elimination of double negation or Clav-

ius’ law (we could also have added any of the axioms of theorem 2.5.1.1).
Example 5.1.7.1. A typical formula which is provable in classical logic (and not
in intuitionistic logic) is

A = ∃x.(D(x) ⇒ (∀y.D(y)))

already presented in example 5.1.4.2. A proof is the following:

(ax) (ax)
. . . , ¬D(y) ` ¬D(y) . . . , D(y) ` D(y)
(¬E )
¬A, D(x), ¬D(y), D(y) ` ⊥
(⊥E )
¬A, D(x), ¬D(y), D(y) ` ∀y.D(y)
(⇒I )
¬A, D(x), ¬D(y) ` D(y) ⇒ (∀y.D(y))
(∃I )
¬A, D(x), ¬D(y) ` ∃x.(D(x) ⇒ (∀y.D(y)))
(¬E )
¬A, D(x), ¬D(y) ` ⊥
(¬I )
¬A, D(x) ` ¬¬D(y)
(¬¬E )
¬A, D(x) ` D(y)
(∀I )
¬A, D(x) ` ∀y.D(y)
(⇒I )
¬A ` D(x) ⇒ (∀y.D(y))
(∃I )
¬A ` ∃x.(D(x) ⇒ (∀y.D(y)))
(raa)
` ∃x.(D(x) ⇒ (∀y.D(y)))

If we interpret x as ranging of the people present in a pub, and the predi-

cate D(x) as “x drinks” this formula states that there is a “universal drinker”,
i.e. somebody such that if he drinks then everybody drinks. We can imagine
why this formula cannot be proved intuitionistically: if it was so, we should
be able to come up with an explicit name for this guy, see theorem 5.1.9.3,
which seems impossible in absence of further information on the pub. We do
not actually prove that there exists x such that D(x), which would require us to
come up with an explicit witness for x, but only show that it cannot be the case
that there is no x satisfying D, which is enough to conclude by double negation
elimination.
Example 5.1.7.2. Another formula provable in classical logic is the formula

¬(∀x.¬A(x)) ⇒ ∃x.A(x)

which states that if it is not the case that every element x does not satisfy A(x),
then we can actually produce an element which satisfies A(x). It can be proved
CHAPTER 5. FIRST-ORDER LOGIC 226

as follows:
(ax)
. . . ` A(x)
(ax) (∃I )
. . . ` ¬∃x.A(x) . . . ` ∃x.A(x)
(¬E )
¬∀x.¬A(x), ¬∃x.A(x), A(x) ` ⊥
(¬I )
¬∀x.¬A(x), ¬∃x.A(x) ` ¬A(x)
(ax) (∀I )
. . . ` ¬∀x.¬A(x) ¬∀x.¬A(x), ¬∃x.A(x) ` ∀x.¬A(x)
(¬E )
¬∀x.¬A(x), ¬∃x.A(x) ` ⊥
(¬I )
¬∀x.¬A(x) ` ¬¬∃x.A(x)
(¬¬E )
¬∀x.¬A(x) ` ∃x.A(x)
(⇒I )
` ¬(∀x.¬A(x)) ⇒ ∃x.A(x)

As in example 5.1.7.1, it is enough to show that it is not the case that there is
no x satisfying A.
Exercise 5.1.7.3. Another proof for the drinker formula of example 5.1.7.1 is the
following. We have two possibilities for the pub:
– either everybody drinks: in this case, we can take anybody as the universal
drinker,
– otherwise, there is someone who does not drink: we can take him as
universal drinker.
Formalize this reasoning in natural deduction.

De Morgan laws. In addition to the equivalences already shown in section 2.5.5,

the following de Morgan laws hold in classical first-order logic:

(∀x.A) ∧ B ⇔ ∀x.(A ∧ B) B ∧ (∀x.A) ⇔ ∀x.(B ∧ A)

(∀x.A) ∨ B ⇔ ∀x.(A ∨ B)
(∀x.A) ⇒ B ⇔ ∃x.(A ⇒ B)
(∃x.A) ∧ B ⇔ ∃x.(A ∧ B)
(∃x.A) ∨ B ⇔ ∃x.(A ∨ B)
(∃x.A) ⇒ B ⇔ ∀x.(A ⇒ B)
B ∧ (∀x.A) ⇔ ∀x.(B ∨ A)
B ⇒ (∀x.A) ⇔ ∀x.(B ⇒ A)
B ∧ (∃x.A) ⇔ ∃x.(B ∧ A)
B ∧ (∃x.A) ⇔ ∃x.(B ∨ A)
B ⇒ (∃x.A) ⇔ ∃x.(B ⇒ A)

whenever x 6∈ FV(B), as well as

¬(∀x.A) ⇔ ∃x.¬A ¬(∃x.A) ⇔ ∀x.¬A

Prenex form. A formula P is in prenex form when it is of the form

P ::= ∀x.P | ∃x.P | A

where A is a formula which does not contain any first-order quantification: a

formula in prenex form thus consists in a bunch of universal and existential
quantifications over a formula without quantifications. By using the above de
Morgan laws from left to right, one can show that
Lemma 5.1.7.4. Every formula is equivalent to a formula in prenex form.
CHAPTER 5. FIRST-ORDER LOGIC 227

Example 5.1.7.5. The formula of example 5.1.7.2 can be put into prenex form
as follows:

¬(∀x.¬A(x)) ⇒ ∃x.A(x) (∃x.¬¬A(x)) ⇒ ∃x.A(x)

∀x.¬¬A(x) ⇒ ∃x.A(x)
= ∀x.¬¬A(x) ⇒ ∃y.A(y)
∀x.∃y.¬¬A(x) ⇒ A(y)

More de Morgan laws. In addition to the above equivalences, we also have

∀x.(A ∧ B) ⇔ (∀x.A) ∧ (∀x.B) ∃x.(A ∨ B) ⇔ (∃x.A) ∨ (∃x.B)

∀x.> ⇔ > ∃x.⊥ ⇔ ⊥

5.1.8 Sequent calculus rules. The rules for first-order quantifiers in classical
sequent calculus are

Γ, ∀x.A, A[t/x] ` ∆ Γ ` A, ∆
(∀L ) (∀R )
Γ, ∀x.A ` ∆ Γ ` ∀x.A, ∆

Γ, A ` ∆ Γ ` A[t/x], ∃x.A, ∆
(∃L ) (∃R )
Γ, ∃x.A ` ∆ Γ ` ∃x.A, ∆

with the side condition for (∀R ) and (∃L ) that x 6∈ FV(Γ)∪FV(∆). Intuitionistic
rules are obtained, as usual, by restricting to sequents with one formula on the
right:
Γ, ∀x.A, A[t/x] ` B Γ`A
(∀L ) (∀R )
Γ, ∀x.A ` B Γ ` ∀x.A

Γ, A ` B Γ ` A[t/x]
(∃L ) (∃R )
Γ, ∃x.A ` B Γ ` ∃x.A
with the expected side conditions for (∀R ) a,d (∃L ).
Remark 5.1.8.1. In the rules (∀R ) and (∃L ), we have been careful to keep a copy
of the hypothesis: with this formulation, contraction is admissible.
Example 5.1.8.2. The drinker formula from example 5.1.4.2 can be proved clas-
sically by

(ax)
D(x), D(y) ` D(y), ∀y.D(y), ∃x.(D(x) ⇒ (∀y.D(y)))
(⇒R )
D(x) ` D(y), D(y) ⇒ (∀y.D(y)), ∃x.(D(x) ⇒ (∀y.D(y)))
(∃R )
D(x) ` D(y), ∃x.(D(x) ⇒ (∀y.D(y)))
(∀R )
D(x) ` ∀y.D(y), ∃x.(D(x) ⇒ (∀y.D(y)))
(⇒R )
` D(x) ⇒ (∀y.D(y)), ∃x.(D(x) ⇒ (∀y.D(y)))
(∃R )
` ∃x.(D(x) ⇒ (∀y.D(y)))

As noted in previous remark, we need to use twice the proved formula, an it is

thus crucial that we keep a copy of it in the rule (∃R ) at the bottom.
CHAPTER 5. FIRST-ORDER LOGIC 228

5.1.9 Cut elimination. The properties and proof techniques developed in sec-
tion 2.3 extend to first order natural deduction, allowing to prove that it has
the cut elimination property:
Theorem 5.1.9.1. A sequent Γ ` A admits a proof if and only if it admits a cut
free proof.
In the cut elimination procedure, there are two new cases, which can be handled
as follows:
π
Γ ` A(x)
(∀I )
Γ ` ∀x.A(x) π[t/x]
(∀E )
Γ ` A(t) Γ ` A(t)
π
Γ ` A(t) π0
(∃I )
Γ ` ∃x.A(x) Γ, A(x) ` B π 0 [t/x][π/A]
(∃E )
Γ`B Γ`B

Above, π[t/x] denote the proof π where all the free occurrences of the variable x
have been replaced by the term t (details left to the reader). As in the case of
propositional logic, it can be shown that a proof of a formula in an empty context
necessarily ends with an introduction rule (proposition 2.3.3.2) and thus deduce
(as in theorem 2.3.4.2):
Theorem 5.1.9.2 (Consistency). First order (intuitionistic or classical) natural
deduction is consistent: there is no proof of ` ⊥.
Another important consequence is that that the logic has the existence property:
if we can prove that there exists a term satisfying some property, then we can
actually construct such a term:
Theorem 5.1.9.3 (Existence property). A formula of the form ∃x.A is provable
in intuitionistic first order natural deduction if and only if there exists a term t
such that A[t/x] is provable.
Proof. For the left-to-right implication, if we have a proof of ∃x.A then, by
theorem 5.1.9.1, we have a cut-free one which, by proposition 2.3.3.2, ends with
an introduction rule, i.e. is of the form

π
` A[t/x]
(∃I )
` ∃x.A

We therefore have a proof π of A[t/x] for some term t. The right-to-left impli-
cation is given by an application of the rule (∃I ).

In contrast, we do not expect this property to hold in classical logic. For in-
stance, consider the drinker formula of example 5.1.7.2. We can feel that the
proof we have given is not constructive: there is no way of determining who is
the drinker in general (i.e. without performing a reasoning specific to the bar in
which we currently are).
CHAPTER 5. FIRST-ORDER LOGIC 229

5.1.10 Eigenvariables. The logic as we have presented it (which is the way it

is traditionally presented) suffers from a defect: in a given sequent, we do not
know the first order variables which are used. This is the subtle cause of some
surprising proofs. For instance, we can prove that there always exists a term,
whereas we would expect that the empty set is a perfectly reasonable way of
interpreting logic in the case where the signature is empty for instance:
(>I )
`>
(∃I )
` ∃x.>

Note that in the premise of the (∃I ), we use the fact that > = >[x/x], i.e. we
use x as witness for the existence. A variation on the previous example is the
following proof, which expresses the fact that if a property A is satisfied for
every term x, then we can exhibit a term satisfying A. Again, we would have
expect that this is not true when there is no element in the model, and moreover,
this does not feel like very constructive:
(ax)
∀x.A ` ∀x.A
(∀E )
∀x.A ` A
(∃I )
∀x.A ` ∃x.A
(⇒I )
` (∀x.A) ⇒ ∃x.A

Here also, in the premise of the (∃I ) rule, we use the fact that A = A[x/x],
i.e. we use x as witness for the existence. We will see in section 5.2.3 that this
is the reason why models are usually supposed to be non-empty, while there is
no good reason to exclude this particular case.
In order to fix that, we should keep track of the variables which are declared
in the context, which are sometimes called eigenvariables. This can be done by
adding a new context Ξ to our sequents, which is a list of first order variables
which are declared. We thus consider sequents of the form

Ξ|Γ`A

the vertical bar being there to mark the delimitation between the context of
eigenvariables and the traditional context. The rules for logical connectives
simply “propagate” the new context Ξ, e.g. the rules for conjunction become

Ξ|Γ`A∧B l Ξ|Γ`A∧B r Ξ|Γ`A Ξ|Γ`B

(∧E ) (∧E ) (∧I )
Ξ|Γ`A Ξ|Γ`B Ξ|Γ`A∧B

More interestingly, the rules for first order quantifiers become

Ξ | Γ ` ∀x.A Ξ, x | Γ ` A
(∀E ) (∀I )
Ξ | Γ ` A[t/x] Ξ | Γ ` ∀x.A

Ξ | Γ ` ∃x.A Ξ, x | Γ, A ` B Ξ | Γ ` A[t/x]
(∃E ) (∃I )
Ξ|Γ`B Ξ | Γ ` ∃x.A

where we suppose
CHAPTER 5. FIRST-ORDER LOGIC 230

– x 6∈ Ξ in (∀I ) and (∃E ),

– FV(t) ⊆ Ξ in (∀E ) and (∃I ).
Finally, the axiom rule and the truth introduction rule become
Ξ | Γ, A, Γ0 ` Ξ|Γ`
(ax) (>I )
Ξ | Γ, A, Γ0 ` A Ξ|Γ`>

where Ξ | Γ ` is a notation to mean that we suppose FV(Γ) ⊆ Ξ. Supposing

this for this two rules (which are the only two without premise) is enough
to ensure that whenever we prove a sequent Ξ | Γ ` A, we will always have
FV(Γ) ∪ FV(A) ⊆ Ξ (it is easy to check that the inference rules preserve this
invariant).
Example 5.1.10.1. We can still prove (∀x.A) ⇒ ∀x.A in this new system:
(ax)
x | ∀x.A ` ∀x.A
(∀E )
x | ∀x.A ` A[x/x]
(∀I )
|∀x.A `⇒ ∀x.A
(⇒I )
| ` (∀x.A) ⇒ ∀x.A

Example 5.1.10.2. We cannot prove ∃x.> in this system. In particular, the proof
(>I )
| ` >[x/x]
(∃I )
| ` ∃x.>

is not valid because the side condition is not satisfied for the rule (∃I ).
Exercise 5.1.10.3. Show that the formula (∀x.⊥) ⇒ ⊥ is provable with tradi-
tional rules, but not with the rules presented in this section.

5.1.11 Curry-Howard. The Curry-Howard correspondence can be extended

to first-order logic, following the intuition that
– a proof of ∀x.A should be a function which, when applied to a term t,
returns a proof that A is valid for this term,
– a proof of ∃x.A should be a pair consisting of a term t and a proof that
A is valid for this term.

Expressions. We begin with the language for proofs introduced in chapter 4, the
simply typed λ-calculus. In this section, we call expressions its terms in order
not to confuse them with first order terms, and write e for an expression. The
syntax for expressions is thus

e, e0 ::= λxA .e | e e0 | . . .

In order to account for first order logic, we extend them with the following
constructions:

e ::= . . . | λ∀ x.e | e t | ht, ei | unpair(e, xy 7→ e0 )

The newly added constructions are

CHAPTER 5. FIRST-ORDER LOGIC 231

– λ∀ x.e: a function taking a term as argument x and returning an expres-

sion e,
– e t: the application of an expression (typically a function as above) to a
term t,
– ht, ei: a pair consisting of a term t and an expression e,
– unpair(e, xy 7→ e0 ): the extraction of the components x and y of a pair e
for use in an expression e0 , which would be written in a syntax closer to
OCaml
let hx, yi = e in e0
We insist on the fact that there are two kinds of abstractions, respectively writ-
ten λ and λ∀ , and two kind of applications, which are distinct constructions.
Similarly, for products, there are two kinds of pairings and of eliminators. Al-
though they behave similarly, they are entirely distinct constructions. However,
we will manage to unify those constructions when going to dependent types in
chapter 8: there will be one kind of abstraction (resp. pairing) which covers
both cases.

Typing rules. The associated typing rules are

Γ ` e : ∀x.A Γ`e:A
(∀E ) (∀I )
Γ ` e t : A[t/x] Γ ` λ∀ x.e : ∀x.A

Γ ` e : ∃x.A Γ, y : A ` e0 : B Γ ` e : A[t/x]
(∃E ) (∃I )
Γ ` unpair(e, xy 7→ e0 ) : B Γ ` ht, ei : ∃x.A
and can be read as follows:
– (∀I ): a proof of ∀x.A is a function which takes a term x as argument and
returns a proof of A,
– (∀E ): using a proof of ∀x.A consists in applying it to a term t,
– (∃I ): a proof of ∃x.A(x) is a pair consisting of a term t and a proof that
A(t) is satisfied,
– (∃E ): we can use a proof of ∃x.A by extracting its components.
Example 5.1.11.1. Consider again the derivation of example 5.1.6.1. It can be
decorated with terms as follows:
(ax)
f : ∀x.¬A, e : ∃x.A ` e : ∃x.A
(ax)
f : ∀x.¬A, e : ∃x.A, a : A ` f : ∀x.¬A
(∀E )
f : ∀x.¬A, e : ∃x.A, a : A ` f x : ¬A
(ax)
f : ∀x.¬A, e : ∃x.A, a : A ` a : A
(¬E )
f : ∀x.¬A, e : ∃x.A, a : A ` f x a : ⊥
(∃E )
f : ∀x.¬A, e : ∃x.A ` unpair(e, xa 7→ f x a) : ⊥
(¬I )
f : ∀x.¬A ` λe∃x.A . unpair(e, xa 7→ f x a) : ¬(∃x.A)
(⇒I )
` λf ∀x.¬A .λe∃x.A . unpair(e, xa 7→ f x a) : (∀x.¬A) ⇒ ¬(∃x.A)
CHAPTER 5. FIRST-ORDER LOGIC 232

The corresponding proof term is thus

λf ∀x.¬A .λe∃x.A . unpair(e, xa 7→ f x a)
This function takes two arguments:
– f of type ∀x.A → ⊥, and
– e of type ∃x.A
and produces a value of type ⊥ by extracting from e a term x and a proof a
of A(t), and applying f to x and a.

Reduction. As usual, the β-reduction rules correspond to cut-elimination steps:

π
Γ`e:A
(∀I )
Γ ` λ∀ x.e : ∀x.A π[t/x]
∀
(∀E )
Γ ` (λ x.e) t : A[t/x] Γ ` e[t/x] : A[t/x]

i.e.

(λ∀ x.e) t −→β e[t/x]

and
π
Γ ` e : A[t/x] π0
(∃I )
Γ ` ht, ei : ∃x.A Γ, y : A ` e0 : B π 0 [t/x][π/A]
(∃E )
Γ ` unpair(ht, ei, xy 7→ e0 ) : B Γ ` e0 [t/x, e/y] : B

i.e.

unpair(ht, ei, xy 7→ e0 ) −→β e0 [t/x, e/y]

where π[t/x] is the proof obtained from π by replacing all free occurrences
of x by t (details left to the reader). Similarly, η-reduction rules correspond to
eliminate dual of cuts:
π
Γ ` e : ∀x.A
(∀E )
Γ ` e x : A[x/x] π
∀
(∀I )
Γ ` λ x.e x : ∀x.A Γ ` e : ∀x.A

i.e.

λ∀ x.e x −→η e
and
π
(ax)
Γ ` e : ∃x.A Γ, y : A ` y : A
(∃E )
Γ ` unpair(e, xy 7→ y) : A π
(∃I )
Γ ` hx, unpair(e, xy 7→ y)i : ∃x.A Γ ` e : ∃x.A
CHAPTER 5. FIRST-ORDER LOGIC 233

i.e.

hx, unpair(e, xy 7→ y)i −→η e

5.2 Theories
A first-order theory Θ on a given signature and set of predicates is a (possibly
infinite) set of closed formulas called axioms. A formula A is provable in a
theory Θ is there is a finite subset Γ ⊆ Θ such that Γ ` A is provable. Unless
otherwise specified, the ambient fist order logic is usually taken to be classical
when considering first order theories.

5.2.1 Equality. We often consider theories with equality. This means that we
suppose that we have a predicate “=” of arity 2, together with axioms
∀x.x = x
∀x.∀y.x = y ⇒ y = x
∀x.∀y.∀z.x = y ⇒ y = z ⇒ x = z
and, for every function symbol f of arity n, we have an axiom

∀x1 .∀x01 . . . . ∀xn .∀x0n .

x1 = x01 ⇒ . . . ⇒ xn = x0n ⇒ f (x1 , . . . , xn ) = f (x01 , . . . , x0n )
and, for every predicate P of arity n, we have an axiom

∀x1 .∀x01 . . . . ∀xn .∀x0n .

x1 = x01 ⇒ . . . ⇒ xn = x0n ⇒ P (x1 , . . . , xn ) ⇒ P (x01 , . . . , x0n )
These are sometimes called the congruence axioms.
Example 5.2.1.1. The theory of groups is the theory with equality over the
signature Σ = {× : 2, 1 : 0} whose axioms are
∀x.1 × x = x ∀x.∀y.∀z.(x × y) × z = x × (y × z) ∀x.∃y.y × x = 1
∀x.x × 1 = x ∀x.∃y.x × y = 1
together with the axioms for equality
∀x.x = x
∀x.∀y.x = y ⇒ y = x
∀x.∀y.∀z.x = y ⇒ y = z ⇒ x = z
∀x.∀x0 .∀y.∀y 0 .x = x0 ⇒ y = y 0 ⇒ x × y = x0 × y 0
1=1

5.2.2 Properties of theories. A theory is

– consistent when ⊥ is not provable in the theory,
– complete when for every formula A, either A or ¬A is provable in the
theory,
– decidable when there is an algorithm which, given a formula A decides
whether A is provable in the theory or not.
CHAPTER 5. FIRST-ORDER LOGIC 234

5.2.3 Models. Theories are though of as denoting structures made of sets and
functions satisfying axioms. For instance, the theory of groups of example 5.2.1.1
can be seen as a syntax for groups in the traditional sense. These structures
are called models of the theory and we very briefly recall those here. We do
not even scratch the surface of model theory here, and the reader interested in
knowing more about those is urged read some standard textbooks about that
such as [CK90].

Structure. Suppose given a signature Σ and a set P of predicates. A structure M

consists of
– a non-empty set M called the domain of the structure,
– a function Jf K : M n → M for every function symbol f ∈ Σ,
– a relation JP K ⊆ M n for every predicate symbol P ∈ P.

Interpretation. Suppose fixed such a structure. Given k ∈ N and a term t whose

free variables are among {x1 , . . . , xk }, we define its interpretation as the function

JtKk : M k → M

defined by induction by
Jxi Kk : M k → M
is the canonical i-th projection and, for every function symbol f of arity n, and
(m1 , . . . , mk ) ∈ M k ,

Jf (t1 , . . . , tn )Kk (m1 , . . . , mk ) =

Jf K(Jt1 Kk (m1 , . . . , mk ), . . . , Jtn Kk (m1 , . . . , mk ))

where Jf K is given by the structure and Jti Kk is computed inductively for every
index i. In other words, the interpretation of terms is the only extension of the
structure which is compatible with composition. Given k ∈ N and a formula A
whose free variables are among {x1 , . . . , xk }, we define its interpretation JAKk
as the subset of M k defined inductively as follows:

J⊥Kk = ∅ J>Kk = M k
JA ∧ BKk = JAKk ∩ JBKk JA ∨ BKk = JAKk ∪ JBKk
J¬AKk = M k \ JAKk JA ⇒ BKk = J¬A ∨ BKk

together with
\
J∀xk+1 .AKk = {(m1 , . . . , mk ) ∈ M k | (m1 , . . . , mk , m) ∈ JAKk+1 }
m∈M

and
[
J∃xk+1 .AKk = {(m1 , . . . , mk ) ∈ M k | (m1 , . . . , mk , m) ∈ JAKk+1 }
m∈M

The interpretation of A is thus intuitively the set of values in M for its free
variables making it true.
CHAPTER 5. FIRST-ORDER LOGIC 235

Satisfaction for closed formulas. Given a closed formula A, its interpretation JAK0
is a subset of M 0 = {()}, which is a set with one element, conventionally de-
noted (). There are therefore two possible values for JAK0 : ∅ and {()}. In the
second case, we say that the formula A is satisfied in the structure.

Model. A structure is a model of a theory Θ when each formula in Θ is satisfied

in the structure.
Example 5.2.3.1. Consider the theory of groups (example 5.2.1.1). A structure
consists of
– a set M ,
– a function J×K : M 2 → M ,

– a constant J1K : M 0 → M ,
– a relation J=K ⊆ M × M .
We say that such a structure has strict equality when the interpretation of the
equality is the diagonal relation

J=K = {(m, m) | m ∈ M }

Such a structure M is a model of the theory of groups, i.e. is a model for all
its axioms, precisely if (M, J×K, J1K) is a group in the traditional sense, and
conversely every group gives rise to a model where equality is interpreted in
such a way: the models with strict equality of the theory of groups are precisely
groups.
Remark 5.2.3.2. As can be seen in the previous example, it is often useful to
restrict to models with strict equality. Since equality is always a congruence
(because of the axioms imposed in section 5.2.1), from any model we can con-
struct a model with strict equality by quotienting the model under the relation
interpreting equality, so that this assumption is not very restrictive.

Validity. A sequent
y1 : A1 , . . . , yn : An ` A
is satisfied in M if for every k ∈ N such that the free variables of the sequent
are in {x1 , . . . , xk }, we have

JA1 Kk ∩ . . . ∩ JAn Kk ⊆ JAKk

which is equivalent to requiring that J¬(A1 ∧ . . . ∧ An ⇒ A)Kk is empty. A

sequent is valid when it is satisfied in every model.

Correctness. We can now formally state the fact that our notion of semantics is
compatible with our logical system.
Theorem 5.2.3.3 (Correctness). Every derivable sequent is valid.

Proof. By induction on the derivation of the sequent.

The above theorem has the following important particular case:
CHAPTER 5. FIRST-ORDER LOGIC 236

Corollary 5.2.3.4. For every theory Θ and closed formula A such that Θ ` A is
derivable, every model of Θ is also a model of A.
Example 5.2.3.5. In the theory of groups, one can show

∀x.∀y.∀y 0 .x × y = 1 ⇒ y 0 × x = 1 ⇒ y = y 0

by formalizing the following sequence of implications of equalities:

x×y =1
y 0 × (x × y) = y 0 × 1
y 0 × (x × y) = y 0
(y 0 × x) × y = y 0
1 × y = y0
y = y0

By correctness, it holds in every group: a left inverse of an element coincides

with any right inverse of the same element.
The contraposite of the above theorem is also quite useful:
Corollary 5.2.3.6. For every theory Θ and closed formula A, if there exists a
model of Θ which is not a model of A then Θ ` A is not derivable.
Example 5.2.3.7. In the theory of groups, consider the formula

∀x.∀y.x × y = y × x

We know that there exist non-abelian groups, for instance the symmetric group
on 3 elements S3 . Such a non-abelian group being a model for the theory of
groups but not for the above formula, we can conclude that this formula cannot
be deduced in the theory of groups.
Finally, a major consequence of the theorem is the following. A theory is satis-
fiable when it admits a model.
Proposition 5.2.3.8. A satisfiable theory is consistent.

Proof. Suppose that Θ is a theory with a model M . If we had Θ ` ⊥ then, by

corollary 5.2.3.4, we would have that M is a model of ⊥, which it is not since
J⊥K = ∅ by definition.
Remark 5.2.3.9. As explained in section 5.1.10, the handling of first-order vari-
ables in traditional first-order logic is not entirely satisfactory: we do not keep
track of the free variables we use. This is why we have to have k (the number
of first-order variables) as a parameter for the interpretation. This is also why
we need to restrict to non-empty domains in structures. Namely, the sequent
` ∃x.> is always derivable and it would not be satisfied in the structure with
an empty domain. See section 5.1.10 for a solution to this issue.

Skolemisation. Suppose fixed a signature Σ and a set P of predicates. A formula

on (Σ, P) of the form
∀x.∃y.A(x, y)
CHAPTER 5. FIRST-ORDER LOGIC 237

states that for every element x there exists a y such that A(x, y) is satisfied.
When this formula admits a model, we can construct a function f which to
every x associates one of the associated y. Thus it implies that the formula

∀x.A(x, f (x))

on (Σ0 , P) is also satisfiable, where the signature Σ0 is Σ extended with a sym-

bol f of arity one. By a similar reasoning, one shows that the satisfiability of
the second formula implies the satisfiability of the first formula. The two for-
mulas are thus equisatisfiable: one is satisfiable if and only if the second is. This
process of “replacing existential quantifications by function symbols” is due to
Skolem: it allows to replace a theory, by another equisatisfiable theory, whose
axioms do not contain existential quantifications, see section 5.4.6.
More generally, given a formula on (Σ, P) of the form

∀x1 . . . . ∀xn .∃y.A

a skolemization of it is the formula

∀x1 . . . . ∀xn .A[f (y1 , . . . , ym )/y]

on the signature (Σ0 , P) where FV(∃y.A) = {y1 , . . . , ym } and Σ0 is Σ extended

with a fresh symbol f of arity m.
Proposition 5.2.3.10. A formula of the form ∀x1 . . . . ∀xn .∃y.A is satisfiable if
and only if its skolemization is.
Example 5.2.3.11. In the theory of groups of example 5.2.1.1, we can skolemize
the axiom ∀x.∃y.y × x = 1. This forces us to introduce a new unary function
symbol i (which will be the function which to an element associates its inverse)
and reformulate the axiom as ∀x.i(x) × x = 1.
Remark 5.2.3.12. If we allowed to perform this process for any existential quan-
tification in a formula, proposition 5.2.3.10 would not be true. For instance,
the formula ¬(∃x.g(x) = x) means is satisfiable when g has no fixpoint. If we
“skolemize” it, we obtain the formula ¬(g(f ()) = f ()) where f is a fresh nullary
function symbol: this formula is satisfiable when there is an element which is
not a fixpoint for g. The two are thus not equisatisfiable.

5.2.4 Presburger arithmetic. The Presburger arithmetic axiomatizes the ad-

dition over natural numbers. It is the theory with equality over the signature
Σ = {0 : 0, S : 1, + : 2} whose axioms are those for equality together with

∀x.0 = S(x) ⇒ ⊥
∀x.∀y.S(x) = S(y) ⇒ x = y
∀x.0 + x = x
∀x.∀y.S(x) + y = S(x + y)

together with, for every formula A(x) with one free variable x, an axiom

A(0) ⇒ (∀x.A(x) ⇒ A(S(x))) ⇒ ∀x.A(x)

such an infinite family of axioms is sometimes called an axiom scheme, it ex-

presses here the recurrence principle.
CHAPTER 5. FIRST-ORDER LOGIC 238

Example 5.2.4.1. For instance, ∀x.x + 0 = x can be proved by recurrence on x.

Namely, consider the formula A(x) being x + 0 = x. We have

– A(0): 0 + 0 = 0.
– Suppose A(x), we have A(S(x)), namely S(x) + 0 = S(x + 0) = S(x).
This theory was shown by Presburger to be consistent, complete and decid-
cn
able [Pre29]. In the worse case, any decision algorithm has a complexity O(22 )
with respect to the size n of the formula to decide [FR98], although it is useful
in practice (it is for example implemented in the tactic omega of Coq). It is also
very weak: for instance, one cannot define the multiplication function in it (if
we could, it would not be decidable, see next section).

5.2.5 Peano and Heyting arithmetic. The Peano arithmetic, often written
PA, extends Presburger arithmetic by also axiomatizing multiplication. It is
the theory with equality on the signature Σ = {0 : 0, S : 1, + : 2, × : 2} whose
axioms are those of equality, those of Presburger arithmetic, and

∀x.0 × x = 0
∀x.∀y.S(x) × y = y + (x × y)

This theory is implicitly understood with an ambient classical first order logic.
When the logic is intuitionistic, the theory is called Heyting arithmetic (or HA).
Exercise 5.2.5.1. In HA, prove ∀x.x + 0 = x.

Consistency. The second of Hilbert’s list of 23 problems posed in 1900, consisted

in showing that Peano arithmetic is consistent, i.e. cannot be used to prove ⊥, or
equivalently that 0 = S(0) cannot be proved. A natural reaction would be to use
corollary 5.2.3.4 and build a model for this theory, whose existence would imply
its consistency, and there is an obvious model: the set N of natural numbers
with usual zero, successor, addition and multiplication functions. However,
the usual construction of this set of natural numbers is itself performed inside
(models of) set theory (see section 5.3) which is a much stronger theory. All
this would prove is that if set theory is consistent then Peano arithmetic is
consistent, which is like proving that if we have a nuclear bomb then we can
kill a fly. This is why people first hoped to prove the consistency of Peano
arithmetic in theories as weak as possible and, why not, in Peano arithmetic
itself. However, in 1931, Gödel showed in his second incompleteness theorem
that Peano arithmetic cannot prove its own consistency [Göd31] (unless it is
inconsistent). The cut elimination procedure was then introduced by Gentzen
in 1936, precisely in order to show consistency of Heyting arithmetic, using
similar methods as in theorem 5.1.9.2, although the proof is more involved due
to the presence of the axioms of the theory, from which one can deduce the
consistency of Peano arithmetic using double negation translations of Peano
arithmetic into Heyting arithmetic as in section 2.5.9, see [Gen36].

Induction up to ε0 . Gentzen’s proof brings no contradiction with Gödel’s the-

orem, because this proof (or more precisely the proof that the cut-elimination
procedure terminates) requires more than the recurrence principle: we need a
CHAPTER 5. FIRST-ORDER LOGIC 239

(** Finite rooted trees. *)

type tree = T of tree list

(** Lexicographic extension of an order. *)

let rec lex le l1 l2 =
match l1, l2 with
| x::l1, y::l2 ->
if x = y then lex le l1 l2
else le x y
| [], _ -> true
| _, [] -> false

(** Order on trees. *)

let rec le t1 t2 =
match t1, t2 with
| T l1, T l2 ->
let cmp t1 t2 =
if t1 = t2 then 0
else if le t1 t2 then -1 else 1
in
let l1 = List.sort cmp l1 in
let l2 = List.sort cmp l2 in
lex le l1 l2

Figure 5.1: ε0 in OCaml.

transfinite induction up to the ordinal ε0 (which is ω to the power ω to the power

ω and so on, i.e. ε0 = ω ε0 ). Otherwise said, while recurrence only requires us
to believe that the set of natural numbers is well-founded, the transfinite induc-
tion up to ε0 now requires that the following set of trees is well-founded. By a
classical result in ordinal arithmetic (which we cannot detail here), any ordinal
α < ε0 can be uniquely written as α = ω β1 + . . . + ω βn where α > β1 > . . . > βn
are ordinals, this is called the Cantor normal form of α, each of the βi having
a similar normal form. Such an ordinal α, can thus be represented as a planar
rooted tree, with one root and n sons, which are the trees corresponding to the
3 3
βi . For instance, the ordinals ω ω +1 + 2 and ω w · 3 + 2 respectively correspond
to the trees
· · · · · · · · · · · ·

· · x · · ·
>
· y · · · · · · ·

· z ·

These trees can be compared by lexicographically comparing the sons of the

root (which are supposed to be ordered decreasingly), so that for instance, the
tree on the left above is greater than the one on the right. An implementation
of this order is provided in figure 5.1. This order can also be interpreted using
CHAPTER 5. FIRST-ORDER LOGIC 240

the following Hydra game on trees [KP82]. This game with two players starts
with a tree as above and at each turn
– the first player removes a leaf x (a node without sons) of the tree,
– the second player chooses a number n, looks for the parent y of x and the
parent z of y (it does nothing if no such parents exist), and adds n copies
of the tree with y as root as new children of z.
The game stops when the tree is reduced to its root. We now see where the
game draws its name from: the first player cuts the head of the Hydra, but in
response the Hydra grows many new heads! For instance, in the figure above,
the tree on the right is obtained from the one of the left after one round. Given
trees α and β, it can be shown that α > β if and only if β can be obtained after
some finite number rounds of the game starting from α. Believing that ε0 is
well-founded is thus equivalent to believing that every such game will necessarily
end (try it, to convince yourself that it always does!).

Undecidability. Finally, we would like to mention that Peano arithmetic is also

undecidable, which was shown by Turing [Tur37]. Namely, a sequence of con-
figurations of a Turing machine can be suitably encoded as an integer, so that
one can write a formula expressing that a given natural number encodes such
a sequence, which ends on an accepting configuration. From there, it is easy to
construct a formula expressing the fact that the machine is not halting, and such
formulas cannot be decided, otherwise we would decide the halting problem.

5.3 Set theory

Set theory is a first-order theory whose intended models are sets. Everything is
a set there, in particular the elements of sets are themselves sets. This theory
was defined at the beginning of the 20th century while looking for axiomatic
foundations of mathematics. We only briefly scrap the subject and refer to
standard textbooks [Kri98, Deh17] for more details.

5.3.1 Naive set theory. The naive set theory is the theory with a binary pred-
icate “∈” and the following axiom scheme, called unrestricted comprehension

∃y.∀x.x ∈ y ⇔ A

for every formula A with x as only free variable. Informally, this states for every
property A(x), the existence of a set

y = {x | A(x)}

of elements x satisfying the property A(x). This theory is surprisingly simple

and works surprisingly well: we can perform all the usual constructions:
– the empty set is {x | ⊥},
– the union of two sets is x ∪ y = {z | z ∈ x ∨ z ∈ y},
– the intersection of two sets is x ∩ y = {z | z ∈ x ∧ z ∈ y},
CHAPTER 5. FIRST-ORDER LOGIC 241

– the product of two sets is x × y = {(i, j) | i ∈ x ∧ j ∈ y} with the notation

(i, j) = {{i}, {i, j}},

– the inclusion of two sets is x ⊆ y = ∀z.z ∈ x ⇒ z ∈ y,

– the powerset is P(x) = {y | y ⊆ x},
and so on.

Russell’s paradox. There is only a “slight” problem with this theory: it is in-
consistent, meaning that we can in fact prove any formula, which explains why
everything was so simple. This was first formalized by Russell in 1901, using
what is known nowadays as the Russell paradox, which goes as follows. Consider
the property
A = ¬(x ∈ x)
The unrestricted comprehension scheme ensures the existence of a set y such
that
∀x.x ∈ y ⇔ ¬(x ∈ x)
In particular, for x being y, we have

y ∈ y ⇔ ¬(y ∈ y)

In classical logic, we can easily conclude to an inconsistency:

– if y ∈ y then ¬(y ∈ y) and therefore we can prove ⊥,

– if ¬(y ∈ y) then y ∈ y and therefore we can prove ⊥.

Russell’s paradox in intuitionistic logic. This proof can be thought of as rea-

soning by case analysis on whether y ∈ y is true or not and, as such it seems
that it is not intuitionistically valid because we are using the excluded middle.
However, it can also be considered as a valid intuitionistic proof: namely, the
two cases amount to
– prove ¬(y ∈ y), and

– prove ¬¬(y ∈ y),

from which we can deduce ⊥. More generally, for any formula A, one can show
intuitionistically that
(A ⇔ ¬A) ⇒ ⊥
Namely, the equivalent formula

(A ⇒ ¬A) ⇒ (¬A ⇒ A) ⇒ ⊥

can be proved by
(ax) (ax) (ax) (ax)
Γ, ¬A ` ¬A ⇒ A Γ, ¬A ` ¬A Γ, A ` A ⇒ ¬A Γ, A ` A
(ax) (⇒E ) (⇒E ) (ax)
Γ, ¬A ` ¬A Γ, ¬A ` A Γ, A ` ¬A Γ, A ` A
(¬E ) (⇒E )
Γ, ¬A ` ⊥ Γ, A ` ⊥
(¬I ) (¬I )
Γ ` ¬¬A Γ ` ¬A
(¬E )
Γ`⊥
(⇒I )
` (A ⇒ ¬A) ⇒ (¬A ⇒ A) ⇒ ⊥
CHAPTER 5. FIRST-ORDER LOGIC 242

with Γ = A ⇒ ¬A, ¬A ⇒ A, whose corresponding proof-term is

λf A⇒¬A .λg ¬A⇒A .(λx¬A .x (g x))(λaA .f a a)

Another, more symmetrical proof term for the same formula is

λf A⇒¬A .λg ¬A⇒A .f (g (λaA .f a a)) (g (λaA .f a a))

In both cases, note that we recover the looping term Ω = (λx.xx)(λx.xx) if we

apply it to the identity twice.
The so-called Curry paradox is the following slight generalization of the
above formula
(A ⇔ (A ⇒ B)) ⇒ B
and can be shown using the same λ-terms.

Size issues. The problem with naive set theory is due to size: the collection of
all sets is “too big” to actually form a set. Once this issue identified, subsequent
attempts at formalizing set theory have struggled to take this issue in account.
We should not be able to consider this as a set and therefore we cannot consider
the set of all sets which satisfy a property, such as not belonging to itself...

Other paradoxes. Other paradoxes can be used to show the inconsistency of

naive set theory. For instance, an argument based on Cantor’s theorem is the
following one. Suppose that there exists a set u of all sets. Every subset x of u is
a set, and thus an element of u. In this way, we can construct an injection from
the powerset of u to u, which is excluded by Cantor’s diagonal argument, see
appendix A.4. Another classical paradox is the one of Burali-Forti, presented
in section 8.2.3.

5.3.2 Zermelo-Fraenkel set theory. The above observations lead to a re-

fined axiomatic for set theory, the most popular being called Zermelo-Fraenkel
set theory, or ZF [Zer08]. We make a very brief presentation of it here, mostly
discussing the axiom of choice. This is the classical first order theory with
equality with a binary predicate ∈, whose axioms are the following.

Axiom of extensionality. This axiom states that two sets with the same elements
are equal:
∀x.∀y.((∀z.z ∈ x ⇔ z ∈ y) ⇒ x = y)
If we introduce the notation x ⊆ y for the formula ∀z.z ∈ x ⇒ z ∈ y which
expresses that the set x in included in the set y, the axiom of extensionality can
be rephrased as
∀x.∀y.(x ⊆ y ∧ y ⊆ x) ⇒ x = y
i.e. two sets are equal precisely when they have the same elements.
CHAPTER 5. FIRST-ORDER LOGIC 243

Axiom of union. This axiom states that the union of the elements of a set is
still a set:
∀x.∃y.∀i.(i ∈ y ⇔ ∃z.(i ∈ z ∧ z ∈ x))
In more usual notation, this states the existence, for every set x, of the set
[ [
y= x= z
z∈x

In particular, we can construct the union of two sets x and y as

[
x ∪ y = {x, y}

where the set {x, y} is constructed using the axiom schema of replacement, see
below.

Axiom of powerset. This axiom states that given a set x, there is a set whose
elements are precisely the subsets of x, usually called the powerset of x and
denoted P(x):
∀x.∃y.∀z.(z ∈ y ⇔ (∀i.i ∈ z ⇒ i ∈ x))
In more usual notation,

∀x.∃y.∀z.(z ∈ y ⇔ z ⊆ x)

i.e. we can construct the set

y = P(x) = {z | z ⊆ x}

Axiom of infinity. The axiom of infinity states the existence of an infinite set:

∃x.(∅ ∈ x ∧ ∀y.y ∈ x ⇒ S(y) ∈ x)

where the empty set ∅ is defined using the axiom schema of replacement below
and S(y) = y ∪ {y} is the successor of a set. A set is called inductive when
it contains the empty set and is closed under successor: the axiom states the
existence of an inductive set. In particular, the set N of natural numbers can be
constructed as the intersection of all inductive sets. Here, the natural numbers
are encoded following the von Neumann convention:

0=∅ 1 = 0 ∪ {0} = {∅} 2 = 1 ∪ {1} = {∅, {∅}} ...

and more generally n + 1 = n ∪ {n}. The definition implies immediately the

following principle of induction: every inductive subset of the natural numbers
is the set of natural numbers.

Axiom schema of replacement. This axiom states that the image of a set under
a partial function is a set:

(∀i.∀j.∀j 0 .(A ∧ A[j 0 /j] ⇒ j = j 0 )) ⇒ ∀x.∃y.∀j.(j ∈ y ⇔ ∃i.(i ∈ x ∧ A))

where A is any formula such that j 0 6∈ FV(A) (but A might contain i or j or

other free variables). This is thus an axiom schema: it is an infinite family of
axioms, one for each such formula A.
CHAPTER 5. FIRST-ORDER LOGIC 244

For simplicity, we consider the case where the formula contains only i and j
as free variables, and is thus denoted A(i, j). In this case the axiom reads as

(∀i.∀j.∀j 0 .(A(i, j) ∧ A(i, j 0 ) ⇒ j = j 0 )) ⇒

∀x.∃y.∀j.(j ∈ y ⇔ ∃i.(i ∈ x ∧ A(i, j)))
The formula A encodes a relation: a set i is in relation with a set j when A(i, j)
is true. In particular, the relation corresponds to a partial function when every
element i is in relation with at most one element j, i.e.
∀i.∀j.∀j 0 .(A(i, j) ∧ A(i, j 0 ) ⇒ j = j 0 )
Namely, such a relation corresponds to the partial function f from sets to sets
such that f (i) is the unique j such that A(i, j), should there exists one, and is
undefined otherwise. Then, our axiom states that given a set x, we can construct
the set
y = {j | ∃i ∈ x.A(i, j)}
of its images under f .
For instance, the empty set ∅ is defined as the set y obtained in this way
from any set x (and there exists one by the axiom of infinity) using the nowhere
defined function, which can be encoded as the relation A = ⊥:
∅ = {j | ∃i ∈ x.⊥}
Given two sets x and y, we can construct the set {x, y} as the image of the
partial function over the natural numbers sending 0 (i.e. ∅) to x and 1 (i.e. {∅})
to y:
{x, y} = {j | ∃i ∈ N.(i = 0 ∧ j = x) ∨ (i = 1 ∧ j = y)}
and we can similarly construct a set containing any finite given family of sets.
Given two sets x and y, we can construct their intersection as
x ∩ y = {j | ∃i ∈ x ∪ y.j = i ∧ i ∈ x ∧ i ∈ y}
Given two sets x and y, we can encode a pair of elements i1 ∈ x and i2 ∈ y as
(i1 , i2 ) = {{i1 }, {i1 , i2 }}, which is an element of P(P(x ∪ y)), and thus construct
the product of the two sets as
x × y = {j | ∃i ∈ P(P(x ∪ y)).∃i1 .∃i2 .j = i ∧ i = (i1 , i2 ) ∧ i1 ∈ x ∧ i2 ∈ y}
More generally, given a predicate B(i) and a set x, we can we can construct the
set of elements of x satisfying B as
{i ∈ x | B(i)} = {j | i = j ∧ B(i)}
This construction corresponds to what is sometimes called the axiom schema of
restricted comprehension and can formally be stated as
∀x.∃y.∀i.(i ∈ y ⇔ (i ∈ x ∧ A))
where A is a formula such that x, y 6∈ FV(A), but A might contain i or other
free variables, i.e. in usual notation, for every set x we can construct the set
y = {i ∈ x | A}
Note that compared to the unrestricted comprehension scheme, which was at the
source of Russell’s paradox, we can only construct the set of elements of some set
which satisfy A.
CHAPTER 5. FIRST-ORDER LOGIC 245

Axiom of foundation. The axiom of foundation states that every non-empty set
contains a member which is disjoint from the whole set:

∀x.(∃y.y ∈ x) ⇒ ∃y.(y ∈ x ∧ ¬∃i.(i ∈ y ∧ i ∈ x))

or, in modern notation,

∀x.x 6= ∅ ⇒ ∃y ∈ x.y ∩ x = ∅

One of the main consequences of the axiom of foundation is the following:

Lemma 5.3.2.1. There is no infinite sequence of sets (xi ) such that xi+1 ∈ xi .
Proof. Suppose the contrary. The sequence of sets can be seen as a function f
with N as domain, which to every i associates f (i) = xi . By the axiom schema
of replacement, its image x = {xi | i ∈ N} is also a set and by the axiom of
foundation there exists y ∈ x such that y ∩x 6= ∅. By definition of x, there exists
some natural number i for which y = f (i) = xi . However, we have xi+1 ∈ xi
and therefore xi+1 ∈ y ∩ x. Contradiction.
In particular, there is not set x such that x ∈ x (otherwise, the constant sequence
xi = x would contradict previous lemma).
The axiom of foundation is, in presence of the other axioms, equivalent to
the following, better looking, axiom of induction, which is a variant of transfinite
induction (sometimes called ∈-induction):

(∀x.(∀y.y ∈ x ⇒ A(y)) ⇒ A(x)) ⇒ ∀x.A(x)

for every predicate A with FV(A) ⊆ {x}.

Avoiding Russell’s paradox. Intuitively, the way ZF avoids Russell’s paradox is

by considering that the collections such as the collection of all sets are “too
big” to be sets themselves: they are sometimes called classes and a set can be
considered as a “small class”.
For instance, we have the restricted schema of replacement, but not the
unrestricted one, which would allow defining the set of all sets as {x | >}: we
can only consider the collection of elements satisfying some property within a
set, i.e. a subset of a small class is itself small. This is also the reason why, in the
axiom scheme of replacement, we require A(x, y) to be functional: otherwise,
for a given x the set {y | A(x, y)} would not guaranteed to be a set (it could be
too big). Also, we have seen that the axioms of foundation ensures that no set
contains itself, which avoids that classes, such as the collection of all sets, are
themselves sets.

The axiom of choice. The axiom of choice states that given a collection x of
non-empty sets, we can pick an element in each of the sets:
[
∀x.∅ 6∈ x ⇒ ∃(f : x → x).∀y ∈ x.f (y) ∈ y

This states that given a set x of non-empty

S sets (i.e. x does not contain ∅),
there exists a function f from x to x (the union of the elements of x, which
can be constructed with the axiom of union) which, for every set y ∈ x picks an
CHAPTER 5. FIRST-ORDER LOGIC 246

element of y (i.e. f (y) ∈ y): this is called a choice function for x. The careful
reader will notice that the existence of a function is not a formal statement of
our language but it can be encoded: the formula ∃(f : x → y).A asserting the
existence of a function f from x to y such that A, is a notation for a formula of
the form
∃f.f ⊆ x × y ∧ . . .
which would state (details left to the reader) the existence of a subset f of x × y
which, as a relation, encodes a total function such that A is satisfied.
The axiom of choice has a number of classically equivalent formulations
among which
– every relation defined everywhere contains a function,
– every surjective function admits a section,
– the product of a family of non-empty sets is non-empty,
– every set can be well-ordered,
and so on.

5.3.3 Intuitionistic set theory. Set theory, as any other theory can also
be considered within intuitionistic first order logic, in which case it is called
IZF. The reason for is the usual one: we want to be able to exhibit explicit
witnesses when constructing elements of sets. We will however see that there is
a price to pay for this, which is that things behave much differently than usual:
intuitionism is not necessarily intuitive, see [Bau17] for a very good general
introduction to the subject.

Equivalent formulations of excluded middle. Most of the proofs related to the

excluded middle in set theory are using the following simple observation. Given
a proposition A, which might contain any free variable excepting y, consider the
set
x = {y ∈ N | A}
Then, given a natural number y ∈ N, we have y ∈ x if and only if A holds:
(y ∈ x) ⇔ A (5.1)
(in practice, we often use y = 0 as arbitrary natural number). In particular,
when A = ⊥, the set x is (by definition) the empty set ∅ and we have y ∈ ∅
if and only if ⊥. By the axiom of extensionality, we thus have that x = ∅ is
equivalent to ∀y ∈ N.(y ∈ x) ⇔ (y ∈ ∅) which is equivalent to A ⇔ ⊥, which is
equivalent to A ⇒ ⊥ (since ⊥ ⇒ A always holds): we have shown
(x = ∅) ⇔ ¬A (5.2)
For instance, a typical thing we cannot do in IZF is test whether an element
belongs to a given set or not:
Lemma 5.3.3.1. In IZF, the formula
∀y.∀x.(y ∈ x) ∨ (y 6∈ x)
is satisfied if and only if the law of excluded middle is.
CHAPTER 5. FIRST-ORDER LOGIC 247

Proof. The right-to-left implication is immediate. For the left-to-right impli-

cation, given any formula A, consider the natural number y = 0 and the set
x = {y ∈ N | A}: the set x contains the element 0 if and only if A holds. We
conclude using (5.1): the above proposition would imply

(0 ∈ {x ∈ N | A}) ∨ (0 6∈ {x ∈ N | A})

which is equivalent to
A ∨ ¬A
and we conclude.
The intuition behind this result is the following one. In a constructive world,
an element of x = {y ∈ N | A} consists of as an element of N together with a
proof that A holds. Therefore, in order to decide whether 0 belongs to x or not,
we have to decide whether A holds or not.
Considering the variant of the excluded middle recalled in lemma 2.3.5.3,
similarly, we cannot test a set for emptiness either:
Lemma 5.3.3.2. In IZF, the formula

∀x.(x = ∅) ∨ (x 6= ∅)

is satisfied if and only if we can prove

¬A ∨ ¬¬A

for every formula A.

Proof. The right-to-left implication is immediate. For the left-to-right impli-
cation, given a formula A, consider the set x = {y ∈ N | A}. We conclude
using (5.2): we have x = ∅ if and only if 0 ∈ {y ∈ N | A} ⇔ 0 ∈ {y ∈ N | ⊥}, if
and only if A ⇔ ⊥, if and only if ¬A.
More generally, we do not expect to be able to decide equality either: the formula

∀x.∀y.(x = y) ∨ (x 6= y)

would imply that we can test for emptiness as a particular case. Of course, this
does not imply that we cannot decide the equality of some particular sets. For
instance, one can show that 0 = ∅ =6 {∅} = 1 (because ∅ belongs to 1 but not
to 0) and therefore, writing

B = {0, 1} = {x ∈ N | x = 0 ∨ x = 1}

for the set of booleans, we can decide the equality of booleans. By a similar
reasoning, we can decide the equality of natural numbers.
Many other “unexpected” properties of IZF (compared to the classical case)
can be proved along similar lines. For instance, the finiteness of subsets of a
finite set is equivalent to being classical. By a finite set, we mean here a set x
for which there is a natural number n and a bijection f : {0, . . . , n − 1} → x.
Lemma 5.3.3.3. In IZF, every subset of a finite set is finite if and only if the law
of excluded middle is satisfied.
CHAPTER 5. FIRST-ORDER LOGIC 248

Proof. Suppose that every finite subset of a finite set is finite. Given a prop-
erty A, consider the set x = {y ∈ B | A}, which is a subset of the finite set B of
booleans. By hypothesis, this set is finite and therefore there exists a natural
number n and a function f as above. Since we can decide equality for natural
numbers as argued above, we have either n = 0 or n 6= 0: in the first case x = ∅
and thus ¬A holds, in the second case, f (0) ∈ x and thus A holds. We therefore
have A ∨ ¬A. Conversely, in classical logic, every subset of a finite set is finite,
as everybody knows.

The axiom of choice. Seen from a constructive perspective the axiom of choice
is quite dubious: it allows the construction of an element in each set of a family
of non-empty sets, without having to provide any hint at how such an element
could be constructed. In particular, given a non-empty set x, the axiom of
choice provides a function f : {x} → x, i.e. an element of x (the image of x
under f ), and allows proving
x 6= ∅ ⇒ ∃y.y ∈ x
i.e. we can construct an element in x by only knowing that there exists one.
This is precisely the kind of behavior we invoked in section 2.5.2 in order to
motivate the fact that double negation elimination was not constructive. In
fact, we will see below that having the axiom of choice implies that the ambient
logic is classical.
Another reason why the axiom of choice can be questioned is that it al-
lows proving quite counter-intuitive results, the most famous perhaps being the
Banach-Tarski theorem recalled below. Two sets A and B of points in R3 are
congruent if one can be obtained from the other by an isometry, i.e. by using
translations, rotations and reflections.
Theorem 5.3.3.4 (Banach-Tarski). Given two bounded subsets of R3 of non-
empty interior, there are partitions
A = A1 ] . . . ] An B = B1 ] . . . ] Bn
such that Ai is congruent to Bi for 1 6 i 6 n.
Proof. Using the axiom of choice and other ingredients...
In particular, consider the case where A is a ball in R3 and B is two copies of
the ball A. The theorem states that there is a way to partition the ball A and
move the subsets of the partition using isometries only, in order to make two
balls. If you try at home, you should convince yourself that there is no easy
way to do so.
For such reasons, people started to investigate the status of the axiom of
choice with respect to ZF. In 1938, Gödel constructed a model of ZFC (i.e. a
model of ZF satisfying the axiom of choice) inside an arbitrary model of ZF,
thus showing that ZFC is consistent if ZF is [Göd38]. In 1963, Cohen showed
that the situation is similar with the negation of the axiom of choice. The
axiom of choice is thus independent of ZF: neither this axiom nor its negation
is a consequence of the axioms of ZF and one can add it or its negation without
affecting consistency.
Constructivists however will reject the axiom of choice, because it implies
the excluded middle:
CHAPTER 5. FIRST-ORDER LOGIC 249

Theorem 5.3.3.5. In IZF with the axiom of choice, the law of elimination of
double negation holds.
Proof. Fix a formula A and suppose ¬¬A holds. The set

x = {y ∈ N | A}

is not empty. Namely, we have seen in (5.2) that x = ∅ implies ¬A which,

together with the hypothesis ¬¬A, implies ⊥. By the axiom of choice, the fact
that x 6= ∅ implies the existence of an element of x because we have a choice
function for {x}, which implies A by (5.1). Therefore ¬¬A ⇒ A.
The above proof is not entirely satisfactory because is it uses the following of
the axiom of choice:
any set y, whose elements x are not empty, admits a choice function.
The issue here is that we suppose that an element x of y is not empty, i.e. it is
not the case that x does not contain an element. From a constructive point of
view, this is not equivalent to supposing contains an element (not not containing
an element does not mean that we contain an element, because we do not admit
double negation elimination) and the latter is more constructive. A better
formulation of the axiom of choice would thus be
any set y, whose elements x are contain an element, admits a choice
function.
This hints at the fact that we should be careful in IZF about what we mean by
the axiom of choice: formulations which were equivalent in classical logic are not
any more in intuitionistic logic. This second formulation of the axiom of choice
still implies the excluded middle as first noticed by Diaconescu [Dia75, GM78],
but this is much more subtle:
Theorem 5.3.3.6 (Diaconescu). In IZF with the axiom of choice, the law of
excluded middle is necessarily satisfied.
Proof. Fix an arbitrary formula A: we are going to show ¬A ∨ A. Consider the
sets

x = {z ∈ B | (z = 0) ∨ A} and y = {z ∈ B | (z = 1) ∨ A}

Those sets are not empty since 0 ∈ x and 1 ∈ y. By the axiom of choice, there
is therefore a function f : {x, y} → B such that f (x) ∈ x and f (y) ∈ y. Now,
f (x) and f (y) are booleans, where equality is decidable, so that we can reason
by case analysis on those.
– If f (x) = f (y) = 0 then 0 ∈ y thus (0 = 1) ∨ A holds, thus A holds.
– If f (x) = f (y) = 1 then 1 ∈ x thus (1 = 0) ∨ A holds, thus A holds.
– If f (x) = 0 6= 1 = f (y) then x 6= y (otherwise, f (x) = f (y) would hold),
and we have ¬A: namely, supposing A, we have x = y = A, and thus thus
⊥ since x 6= y,
– If f (x) = 1 6= 0 = f (y) then we can show both A and ¬A as above (so
that this case cannot happen).
CHAPTER 5. FIRST-ORDER LOGIC 250

Therefore, we have ¬A ∨ A.
This motivates, for the reader convinced of the interest of intuitionistic logic,
which we hope you are by now, the exploration of set theory without choice,
but the reader should be warned that this theory behave much differently than
usual. For instance, Blass has shown the following result [Bla84]:
Theorem 5.3.3.7. In ZF, the axiom of choice is equivalent to the fact that every
vector space has a basis.
In fact, we know models of ZF where there is a vector space admitting no basis,
and one admitting two basis of different cardinalities.

Synthetic differential geometry. Since classical logic is obtained by adding ax-

ioms (e.g. excluded middle) to intuitionistic logic, a proof in intuitionistic logic
is valid in classical logic (we are not using the extra axioms). Therefore, one
is tempted to think that intuitionistic logic is less powerful than classical logic,
because it can prove less. Well, this is true, but this can also be seen as a
strength: this also means that we have more models of intuitionistic theories
than their classical counterparts. We would like to give an illustration of this.
The notion of infinitesimal is notoriously difficult to define in analysis. In-
tuitively, such a quantity is so small that it should be “almost 0”; in particular,
it should be smaller that any usual strictly positive real number. Having such
a notion is quite useful. For instance, we expect the derivative of a function
f : R → R at x be defined as

f 0 (x) = (f (x + ε) − f (x))/ε

for any non-zero infinitesimal ε. Namely, f 0 (x) should be the slope of the line
tangent to the slope of f at x, i.e.

f (x + ε) = f (x) + f 0 (x)ε

More precisely, by “almost 0”, we mean here that it should capture first-order
variations, i.e. it should be so small that ε2 = 0. If we are ready to accept
the existence of such entities, we find out that computations which traditionally
involve subtle concepts such as limits, become simple algebraic manipulations.
For instance, consider the function f (x) = x2 . We have

f (x + ε) = (x + ε)2 = x2 + 2xε + ε2 = x2 + 2xε

and therefore we should have f 0 (x) = 2x, as expected.

This suggests that we define the set of infinitesimals as

D = {ε ∈ R | ε2 = 0}

and postulate the following principle of microaffineness:

Axiom 5.3.3.8. Every function f : D → R is of the form

f (ε) = a + bε

for some unique reals a and b.

CHAPTER 5. FIRST-ORDER LOGIC 251

Once this axiom postulated, we necessarily have a = f (0) and we can define
f 0 (x) to be the coefficient b. We have already given an example of such a
computation above. We can similarly, compute the derivative of a product of
two functions by

(f × g)0 (x + ε)
= f (x + ε) × g(x + ε)
= (f (x) + f 0 (x)ε) × (g(x) + g 0 (x)ε)
= (f (x) + g(x)) + (f 0 (x)g(x) + f (x)g 0 (x))ε + (f 0 (x) + g 0 (x))ε2
= (f (x) + g(x)) + (f 0 (x)g(x) + f (x)g 0 (x))ε

and therefore (f × g)0 (x) = f 0 (x)g(x) + f (x)g 0 (x) as expected. Similarly, the
derivative of the composite of two functions can be computed by

g(f (x + ε)) = g(f (x) + f 0 (x)ε) = g(f (x)) + g 0 (f (x))f 0 (x)ε

because f 0 (x)ε is easily shown to be an infinitesimal and therefore

(g ◦ f )0 (x) = g 0 (f (x))f 0 (x)

This is wonderful, excepting that our microaffineness seems to be clearly

wrong. Namely,
ε2 = 0 implies ε=0
thus D = {0}, and therefore any coefficient b would suit. However... the above
implication uses a classical reasoning. Namely: if ε 6= 0, we have

ε = ε2 /ε = 0/ε = 0

from which we can conclude that ε = 0... in classical logic! In intuitionistic

logic, all that we have proved is that

¬¬(ε = 0)

This is the sense in which ε is infinitesimal: it is not nonzero.

This shows that there is no obvious contradiction in our axiomatic if we work
in intuitionistic logic, but it does not prove that there is no contradiction. This
can however be done by constructing models. The field of synthetic differential
geometry takes this idea of working in intuitionistic logic in order to define
infinitesimals as a starting point to study differential geometry [Bel98, Koc06].

5.4 Unification
Suppose fixed a signature. Given two terms t and u, a very natural question
is: is there a way to substitute their variables in order to make them equal? In
other words, we are trying to solve the equation

t=u

One quickly finds out that there is quite often an infinite number of solutions,
and we refine the question to: is there a “smallest” way of substituting the
CHAPTER 5. FIRST-ORDER LOGIC 252

variables of t and u in order to make them equal? Occurrences of this problem

have for instance already been encountered in section 4.4. We explain here how
to properly formulate the problem, which we have already encountered in sec-
tion 4.4.2, and exhibit an algorithm in order to solve it. A detailed introduction
to the subject can be found in [BN99].

5.4.1 Equation systems. An equation is a pair of terms (t, u) often written

t=
?u

where t and u are respectively called the left and right member of the equation.
A substitution σ, see section 5.1.3, is a solution of the equation when

t[σ] = u[σ]

in which case we also say that σ is an unifier of t and u. An equation system, or

unification problem, E is a finite set of equations. A substitution σ is a solution
(or an unifier) of E when it is a solution of every equation in E. We write E[σ]
for the equation system obtained by applying a substitution σ to every member
of an equation of E: σ is thus a solution of E when all the equations of E[σ]
are of the form t =? t.
Example 5.4.1.1. Let us give some examples of unifiers. We suppose that our
signature comprises two binary function symbols f and g, and two nullary sym-
bols a and b.

– f (x, b()) =
? f (a(), y) has one unifier: [a()/x, b()/y],
– x=
? f (y, z) has many unifiers: [f (y, z)/x], [f (a(), z)/x, a()/y], etc.
– f (x, y) =
? g(x, y) has no unifier,
– x=
? f (x, y) has no unifier.

Since the solution to an equation system is not unique in general, we can wonder
whether there is a best one in some sense when there is one. We will see that it
is indeed the case.

5.4.2 Most general unifier. A preorder 6 is a reflexive and transitive rela-

tion: a partial order is an antisymmetric preorder. We can define a preorder 6
on substitutions by setting σ 6 τ whenever there exists a substitution σ 0 such
that τ = σ 0 ◦ σ.
Example 5.4.2.1. With

σ = [f (y)/x] σ 0 = [g(x, x)/y] τ = [f (g(x, x))/x, g(x, x)/y]

we have σ 0 ◦ σ = τ and thus σ 6 τ .

A renaming is a substitution which replaces variables by variables (as opposed
to general terms). The relation 6 defined above is “almost” a partial order, in
the sense that it would be so if we considered substitutions up to renaming:
Lemma 5.4.2.2. Given substitutions σ and τ , we have both σ 6 τ and τ 6 σ if
and only if there exists a renaming σ 0 such that σ 0 ◦ σ = τ .
CHAPTER 5. FIRST-ORDER LOGIC 253

Suppose fixed an equation system E. It easy to see that its set of solutions
is upward closed:
Lemma 5.4.2.3. Given substitutions σ and τ such that σ 6 τ , if σ is a solution
of E then τ is also a solution of E.
A solution σ of E is a most general unifier when it generates all the solutions
by upward closure, i.e. when τ is a solution of E if and only if σ 6 τ . We will
see in next section that when an equation systems admits an unifier, it always
admits a most general one, and we have an algorithm to efficiently compute it.
We will thus prove, in a constructive way, the following:
Theorem 5.4.2.4. An equation system E has a solution if and only if it has a
most general unifier.

5.4.3 The unification algorithm. Suppose given an equation system E, for

which we are trying to compute a most general unifier. The idea of the algorithm
is to apply a series of transformations to E, which preserve the set of solutions
of the system, in order to simplify it and compute a solution. More precisely,
our goal is put the equation system in the following form: an equation system E
is in solved form when
– if is of the form
E = {x1 = ? tn }
? t1 , . . . , xn =
i.e. all its equations have a variable as left member,
– no variable in a left member of an equation occurs in a right member:
xi 6∈ FV(tj ) for every indices i and j,
– variables in left members are distinct: xi = xj implies i = j.

To every equation system in solved form E as above, one can canonically asso-
ciate the substitution
σE = [t1 /x1 , . . . , tn /xn ]
Lemma 5.4.3.1. Given an equation system in solved form E, the substitution σE
is a most general unifier of E.
Given an equation system E, the unification algorithm, due to Herbrand [Her30]
and Robinson [Rob65], applies the transformations of figure 5.2, in an arbitrary
order, and terminates when no transformation applies. We write

E E0

to indicate that the transformation replaces E by E 0 . At some point of the

execution, the algorithm might fail, which we write

E ⊥

Example 5.4.3.2. Suppose that the signature comprises symbols a of arity 0, f

of arity 3, and g and h of arity 1. Consider the equation system

E = {f (a(), g(x), g(x)) =

? f (a(), y, g(h(z)))}
CHAPTER 5. FIRST-ORDER LOGIC 254

Decompose (we propagate equation to subterms):

{f (t1 , . . . , tn ) =
? f (u1 , . . . , un )} ∪ E {t1 = ? un } ∪ E
? u1 , . . . , tn =

Clash (different symbols cannot be unified):

{f (t1 , . . . , tn ) =
? g(u1 , . . . , um )} ⊥

Delete (we remove trivial equations):

{f (t1 , . . . , tn ) =
? f (t1 , . . . , tn )} ∪ E E

Orient (we want variables as left members):

{f (t1 , . . . , tn ) =
? x} ∪ E {x =
? f (t1 , . . . , tn )} ∪ E

Occurs-check (we eliminate cyclic equations): when x ∈ FV(t1 ) ∪ . . . ∪ FV(tn ),

{x =
? f (t1 , . . . , tn )} ⊥

Propagate (we propagate substitutions): when x 6∈ FV(t) and x ∈ FV(E),

? t} ] E 0
{x = ? t} ∪ E 0 [t/x]
{x =

Figure 5.2: The unification algorithm.

CHAPTER 5. FIRST-ORDER LOGIC 255

We have

E {a() =
? a(), g(x) =
? y, g(x) =
? g(h(z))} by Decompose,
{g(x) =
? y, g(x) =
? g(h(z))} by Delete,
{y =
? g(x), g(x) =
? g(h(z))} by Orient,
{y =
? g(x), x =
? h(z)} by Decompose,
{y =
? g(h(z)), x =
? h(z)} by Propagate.

The size |t| of a term is the number of function symbols occurring in it:
n
X
|x| = 0 |f (t1 , . . . , tn )| = 1 + |ti |
i=1

Theorem 5.4.3.3. Given any equation system E as input the unification algo-
rithm always terminates. It fails if and only if E has no solution, otherwise the
equation system E 0 at the end of the execution is in solved form and σE 0 is a
most general unifier of E.
Proof. This is detailed in [BN99, section 4.6]. Termination can be shown by
observing that the rules make the size of the equation system E decrease: here,
the size is the triple (n1 , n2 , n3 ) of natural numbers, ordered lexicographically,
where n1 is the number of unsolved variables (a variable is solved
P when it occurs
exactly once in E, as a left member of an equation), n2 = (t = ? u)∈E |t| + |u|
is the size of the equation system and n3 is the number of equations of the
form t =? x in E. The other properties result from the fact that the transforma-
tions preserve the set of unifiers (⊥ has no unifier by convention) and that the
resulting equation system is in solved form.
Example 5.4.3.4. The most general unifier of example 5.4.3.2 is

[g(h(z))/y, h(z)/x]

Remark 5.4.3.5. The side conditions of propagate are quite important (and often
forgotten by students when first implementing unification). Without those,
unification problems such as {x = ? f (x)} would lead to an infinite number of
applications of rules Propagate and Decompose, and thus fail to terminate:

{x =
? f (x)} {f (x) =
? f (f (x))} {x =
? f (x)} ...

The side condition avoids this and the rule Occurs-check makes the unification
fail: the solution would intuitively be the “infinite term”

f (f (f (. . .)))

but those are not acceptable here.

In the worse case, the algorithm is exponential in time and space: hint, consider

{x1 =
? f (x0 , x0 ), x2 =
? f (x1 , x1 ), . . . , xn =
? f (xn−1 , xn−1 )}

but it performs well in practice.

CHAPTER 5. FIRST-ORDER LOGIC 256

5.4.4 Implementation. Terms can be implemented by the type

type term =
| Var of string
| App of string * term list
and we can check whether a variable x occurs in a term t, i.e. if x ∈ FV(t), with
let rec occurs x = function
| Var y -> x = y
| App (f, tt) -> List.exists (occurs x) tt
A substitution can be described as a list of pairs consisting of a variable (here, a
string) and a term. It can be applied to a term thanks to the following function:
let rec app s = function
| Var x -> (try List.assoc x s with Not_found -> Var x)
| App (f, tt) -> App (f, List.map (app s) tt)
Unification can finally be performed by the following function, which takes as
arguments the substitution being constructed (which is initially empty), and the
equation system (a list of pairs of terms) and returns the most general unifier:

let rec unify s = function

| (App (f, tt), App (g, uu))::e ->
(* clash *)
if f <> g then raise Not_unifiable
(* decompose *)
else unify s ((List.map2 (fun t u -> t, u) tt uu)@e)
| (App (f, tt), Var x)::e ->
(* orient *)
unify s ((Var x, App (f, tt))::e)
| (Var x, Var y)::e when x = y ->
(* delete *)
unify s e
| (Var x, t)::e ->
(* occurs check *)
if occurs x t then raise Not_unifiable
(* propagate *)
else
let t = app s t in
let e = List.map (fun (t,u) -> app s t, app s u) e in
let s = List.map (fun (x,t) -> x, app s t) s in
unify ((x, t)::s) e
| [] -> s
let unify = unify []

This function raises the exception Not_unifiable when the system has no solu-
tion. The unifier of example 5.4.3.2 can then be computed with
let s =
let t =
App ("f", [
CHAPTER 5. FIRST-ORDER LOGIC 257

App ("a", []);

App ("g", [Var "x"]);
App ("g", [Var "x"])
]) in
let u =
App ("f", [
App ("a", []);
Var "y";
App ("g", [App ("h", [Var "z"])])
]) in
unify [t, u]

5.4.5 Efficient implementation. The major source of inefficiency in previous

algorithm is due to substitutions. In order to apply a substitution to a term, we
have to go through the whole term to find variables to substitute, and moreover
we have to apply a substitution to all the terms in the Propagate phase. Instead,
if we are willing to use mutable structures, we can use the trick we have already
encountered in section 4.4.3: we can have variables be references, so that we can
modify their contents, and have them point to terms when we want to substitute
those. This suggests that we should implement terms as
type term =
| Var of var ref
| App of string * term list
and var =
| AVar of string
| Link of term
A variable x is represented as Var r where r is a reference containing AVar "x".
If, later on, we want to substitute it with a term t, we can then modify the
contents of r to Link t, which means that the variable has been replaced by t.
When we do so, the contents of all the occurrences of the variable will thus be
replaced at once.
While we could implement things in this way (similarly to section 4.4.3), we
would like to explain another point and give a variant of this implementation.
When encoding variables in this way, it is important that all the occurrences
of the variable x contain the same reference, which is error prone: we have to
ensure that, for a given variable name, the pointed memory cell is always the
same. In most applications, the precise name of variables does not matter, since
we are usually considering terms up to α-conversion. We can thus consider that
the reference itself is the name of the variable, i.e. the name is the location in
memory, which avoids the previous possibility for errors. Since two variables
are now the same when their references are physically the same (i.e. when they
point to the same memory cell, as opposed to having the same contents) and
we should thus compare them using physical equality == instead of the usual
extensional equality =. We can thus rather encode terms as
type term =
| Var of term option ref
| App of string * term list
CHAPTER 5. FIRST-ORDER LOGIC 258

A variable will initially be Var r with the reference r containing None (we do not
use a string to indicate the name of the variable since the name is not relevant,
only the position in memory where the None is stored is), and substitution with
a term t will amount to replace this value by Some t. We can thus generate a
fresh variable with
let var () = Var (ref None)
and the right notion of equality between terms is given by the following function

let rec eq t u =
match t, u with
| Var {contents = Some t}, u -> eq t u
| t, Var {contents = Some u} -> eq t u
| Var x, Var y -> x == y
| App (f, tt), App (g, uu) ->
f = g && List.for_all2 eq tt uu
| _ -> false
where we use the fact that a reference is implemented in OCaml as a record
with contents as only field, which is mutable. We can check whether a variable
occurs in a term with

let rec occurs x = function

| Var y -> x == y
| App (f, tt) -> List.exists (occurs x) tt
using, as indicated above, physical equality to compare variables, and unification
can be performed with
let rec unify t u =
match t, u with
| App (f, tt), App (g, uu) ->
(* clash *)
if f <> g then raise Not_unifiable
(* decompose *)
else List.iter2 unify tt uu
(* follow links *)
| Var {contents = Some t}, u -> unify t u
| t, Var {contents = Some u} -> unify t u
(* delete *)
| Var x, Var y when x == y -> ()
| Var x, u ->
(* occurs check *)
if occurs x u then raise Not_unifiable
(* propagate *)
else x := Some u
| _, Var _ ->
(* orient *)
unify u t
The unifier of example 5.4.3.2 can then be computed with
CHAPTER 5. FIRST-ORDER LOGIC 259

let () =
let x = var () in
let y = var () in
let z = var () in
let t =
App ("f", [
App ("a", []);
App ("g", [x]);
App ("g", [x])
]) in
let u =
App ("f", [
App ("a", []);
y;
App ("g", [App ("h", [z])])
]) in
unify t u

5.4.6 Resolution. A typical use of unification is to generalize the resolution

technique of section 2.5.8 to first-order classical logic [Rob65].

Clausal form. In order to do so, we must first generalize the notion of clausal
form:
– a literal L is a formula a predicate applied to terms or its negation

L ::= P (t1 , . . . , tn ) | ¬P (t1 , . . . , tn )

where P is a predicate of arity n and the ti are terms,

– a clause C is a disjunction of literals, i.e. a formula of the form

C ::= L1 ∨ L2 ∨ . . . ∨ Lk

We recall that a theory Θ on a given signature Σ is a set of closed formulas.

Any theory can be put in clausal form in the following sense:
Proposition 5.4.6.1. Given a finite theory Θ on a signature Σ, there is a theory Θ0
on a signature Σ0 such that all the formulas in Θ0 are clauses and the two theories
Θ and Θ0 are equisatisfiable.

Proof. The process of constructing Θ0 from Θ is done in six steps.

1. By lemma 5.1.7.4, we can replace any formula in Θ by an equivalent one
in prenex form.
2. By iterated use of proposition 5.2.3.10, we can replace any formula of
Θ by an equisatisfiable one without existential quantification on a larger
signature Σ0 .
3. By proposition 2.5.5.1, we can replace any formula in Θ, which is necessar-
ily of the form ∀x1 . . . . ∀xn .A where A is an arbitrary formula which does
CHAPTER 5. FIRST-ORDER LOGIC 260

not contain any first-order quantification, by an equivalent one where A

is a conjunction of disjunctions of literals, i.e. of the form
ni
m _
^
∀x1 . . . . ∀xk . Li,j
i=1 j=1

4. By repeated use of the equivalence

∀x.(A ∧ B) ⇔ (∀x.A) ∧ (∀x.B)

we can replace every formula of Θ by a conjunction of universally quanti-

fied clauses
m
^ ni
_
∀x1 . . . . ∀xk . Li,j
i=1 j=1

5. We can then replace every conjunction of clauses by all its universally

quantified clauses
ni
_
∀x1 . . . . ∀xk . Li,j
j=1

6. Finally, we can remove the universal quantifications in formulas if we sup-

pose that all the universally quantified variables are distinct, see lemma 5.4.6.2
below.
The theory Θ0 obtained in this way is equisatisfiable with Θ.
Lemma 5.4.6.2. Given formula ∀x.A and a theory Θ, the theories Θ ∪ {∀x.A}
and Θ ∪ {A} are equisatisfiable, provided that x 6∈ FV(Θ).

The resolution rule. We can assimilate a theory Γ in clausal form with a first
order context. The resolution rule of section 2.5.8 can then be modified as
follows in order to account for first-order:
Γ ` C ∨ P (t1 , . . . , tn ) Γ ` ¬P (u1 , . . . , un ) ∨ D
(res)
Γ ` (C ∨ D)[σ]

where σ is the most general unifier of the equation system

{t1 = ? un }
? u1 , . . . , tn =

Generalizing lemma 2.5.8.1, this rule is correct:

Lemma 5.4.6.3 (Correctness). If C can be deduced from Γ using the axiom and
resolution rules then the sequent Γ ` C is derivable in classical first-order logic.
Example 5.4.6.4. The standard example is the following one. We know that

– all men are mortal, and

– Socrates is a man,
CHAPTER 5. FIRST-ORDER LOGIC 261

which can be formalized as the theory

{∀x. man(x) ⇒ mortal(x), man(Socrates)}
in the signature with a constant symbol Socrates and with two unary predicates
man and mortal. By proposition 5.4.6.1, we can put it in clausal form:
{¬ man(x) ∨ mortal(x), man(Socrates)}
We want to show that this entails that Socrates is mortal. As explained in
lemma 2.5.8.8, this can be done using resolution by showing that adding
¬ mortal(Socrates)
to the theory makes it inconsistent. And indeed, writing Γ for the resulting
theory, we have
(ax) (ax)
Γ ` ¬ man(x) ∨ m(x) Γ ` man(S)
(res) (ax)
Γ ` m(S) Γ ` ¬ m(S)
(res)
Γ`⊥
(we shortened mortal as m and Socrates as S).

The factoring rule. As is, the resolution rule is not complete (see example 5.4.6.6
below). We can however make the system complete by adding the following
factoring rule
Γ ` C ∨ P (t1 , . . . , tn ) ∨ P (u1 , . . . , un )
(fac)
Γ ` (C ∨ P (t1 , . . . , tn ))[σ]
where σ is the most general unifier of {t1 = ? un }. With this rule,
? u1 , . . . , tn =
the completeness theorem 2.5.8.7 generalizes as follows:
Theorem 5.4.6.5 (Refutation completeness). A set Γ of clauses is not satisfiable
if and only if we can show Γ ` ⊥ using axiom, resolution and factoring rules
rules only.
Example 5.4.6.6. Given a unary predicate P , consider the theory
Γ = {P (x) ∨ P (y), ¬P (x) ∨ ¬P (y)}
which is not satisfiable. The resolution rule only allows us to deduce the clauses
P (x) ∨ ¬P (x) and P (y) ∨ ¬P (y), from which we cannot deduce any other clause:
without factoring, the resolution rule is not complete. With factoring, we can
show that Γ is inconsistent by
(ax)
Γ ` P (x) ∨ P (y)
(ax) (fac) (ax)
Γ ` P (x) ∨ P (y) Γ ` P (x) Γ ` ¬P (x) ∨ ¬P (y)
(fac)
Γ ` P (x) Γ ` ¬P (y)
(res)
Γ`⊥

Instead of adding the factoring rule, in order to gain refutation completeness,

the resolution rule can also be modified in order to unify multiple literals at
once.
 Chapter 6

Agda

6.1 What is Agda?

Agda is both a programming language and a proof assistant, originally devel-
oped by Norell in 2007. On the surface, it resembles to a standard functional
programming language such as OCaml or Haskell. However, it was designed
with the Curry-Howard correspondence in mind, see chapter 4, extended to a
much richer logic than propositional or first-order logic: it uses dependent types,
which will be the object of chapter 8. This means that the types can express
pretty much any proposition as a type and a program can be considered as a
way of proving such a proposition. In this sense the language can also be con-
sidered as a proof assistant. We start by writing a type, which can be read as
a formula, and gradually construct a program of this type, which can be read
as a proof of the formula. The type checking algorithm of Agda will verify that
the type is correct for the program actually admits the given type, i.e. that our
proof is correct!
A first introduction to Agda is given in sections 6.2 and 6.3, inductive types
are presented in section 6.4 for data types and section 6.5 for logical connectives,
we discuss the formalization of equality in section 6.6, the use of Agda to prove
the correctness of programs in section 6.7 and the issues related to termination
in section 6.8.

6.1.1 Features of proof assistants. We shall first present some of the gen-
eral features that Agda has, or has not. There is no room here for a detailed
comparison with other provers, the interested reader can find details in [Wie06]
for instance. Let us simply mention some difference with the main competitor,
which is currently Coq. Other well-known proof assistants include ACL2, HOL
Light, Isabelle, Lean, Mizar, PVS, etc.

No type inference. A first difference with functional programming languages

(e.g. OCaml) is that the typing is so rich in proof assistants that there are no
principal types and typability is undecidable. There is thus no type inference
and we have to explicitly to provide a type for all functions. The most precise
the type for a function is, the longer implementing the program will take, but
the stronger the guarantees will be. For instance, a sorting algorithm can be
given the type
List A → List A
as usual, but also the type
List A → SortedList A
i.e. the type expresses the fact that the output is a sorted list (the type of sorted
lists can be defined in the language). The second type is much more precise than
CHAPTER 6. AGDA 263

the first one, and it will be more involved to define a function of the second than
of first type (although not considerably so).

Programs vs tactics. The Agda code looks pretty much like a program in a
functional programming language. For instance, the proof of A × B → A is, as
expected a program which takes a pair (a, b) and returns a:

open import Data.Product

postulate A B : Set

proj : A × B → A
proj (a , b) = a

which is easily compared with the corresponding definition in the OCaml toplevel
# let proj (a , b) = a;;
val proj : 'a * 'b -> 'a = <fun>
On the contrary, Coq uses tactics which describe how to progress into the proof.
The same proof in Coq would look like this:
Variables A B : Prop.

Theorem proj : (A * B) -> A.

Proof.
intro p.
elim p.
intro a.
intro b.
exact a.
Qed.

It is not clear at all that it is implementing a projection, but the correspon-

dence with the proof in natural deduction is immediate. The tactics precisely
correspond to the rules, when read from bottom-up: the intro commands cor-
respond to introduction of ⇒ rules, elim to a variant of the usual elimination
rule for ∧, and exact to the axiom rule:
(ax)
p : A ∧ B, a : A, b : B ` A
(⇒I )
p : A ∧ B, a : A ` B ⇒ A
(⇒I )
p:A∧B `A⇒B ⇒A
(∧E )
p:A∧B `A
(⇒I )
`A∧B ⇒A

The difference between the two is mostly a matter of taste, both are quite con-
venient to use and have the same expressive power. The reason we chose to use
Agda in this course is that it makes more clear the Curry-Howard correspon-
dence, which is one of the main objects of this course.
CHAPTER 6. AGDA 264

Automation. There is one main advantage of using tactics over programs how-
ever: it allows more easily for automation, i.e. Coq can automatically build
parts of the proofs for us. For instance, the previous example can be proved in
essentially one line, which will automatically generate all the above steps:
Variables A B : Prop.

Theorem proj : (A * B) -> A.

Proof.
tauto.
Qed.
As a more convincing example, the following formula over integers

∀m ∈ Z.∀n ∈ Z.(1 + 2 × m) 6= (n + n)

can also be proved in essentially one line:

Require Import Omega.
Open Scope Z_scope.

Theorem thm : forall m n:Z, 1 + 2 * m <> n + n.

Proof.
intros; omega.
Qed.
whereas if we had to do it by hand, we would have needed many steps, using
small intermediate lemmas expressing facts such as n + n = 2 × n, etc. Agda
has only very limited support for automation, although it has been progressing
recently using reflection.

Program extraction. A major feature of Coq is that the typing system allows to
perform what is called program extraction: once the program is proved correct,
one can extract the program (in OCaml) and forget about the parts which are
present only to prove the correctness of the program. In contrast, the support
for program extraction in Agda is less efficient and more experimental.

Correctness. It might seem obvious, but let us state this anyway: a proof assis-
tant should be correct, in the sense that when it accepts a proof then the proof
should actually be correct. Otherwise, it would be very easy to write a proof
assistant:
let () =
while true do
let _ = read_line () in
print_endline "Your proof is correct."
done

We will see that sometimes the logic implemented in proof assistants is not
consistent for very subtle reasons (for instance, in section 8.2.2): in this case, the
program allows proving ⊥ and thus any formula, and thus essentially amounts
CHAPTER 6. AGDA 265

to the above although it is not obvious at all. For modern and well-developed
proof assistants, we however have good reasons to trust that this is not the case,
see below.

Small kernel. An important design point for a theorem prover is that it should
have a small kernel, whose correctness ensures the correctness of the whole
program: this is called the de Bruijn criterion. A proof assistant is made of a
large number of lines of code (roughly 100 000 lines of Haskell for Agda and
225 000 lines of OCaml for Coq), those lines are written by humans and there is
always the possibility that there is a bug in the proof assistant. For this reason,
it is desirable that the part of the software that we really have to trust, its
“kernel”, which mainly consists in the typechecker, is as small as possible and
isolated from the rest of the software, so that all the efforts for correctness can
be focused on this part. For instance, in Coq, a tactic can produce roughly any
proof in order to automate part of the reasoning: this is not really a problem
because, in the end, the typechecker will ensure that the proof is correct, so
that we do not have to trust the tactic. In Coq, the kernel is roughly 10% of the
software; in Agda, the kernel is a bit larger, because it contains more features
(dependent pattern matching in particular), which means that programming is
easier on some aspects, but the trust that we have in the proof checker is a bit
smaller.
In order to have a small kernel, it is desirable to reuse as much as possible
existing features; this principle is followed by most proof assistants. For instance
in OCaml, there is a type bool of booleans, but those could already have been
implemented using inductive types by
type bool = False | True
This is reasonable in OCaml to have a dedicated type for performance reasons
but, in a proof assistant, this would mean more code to trust which is a bad
thing: if we can encode a feature in some already existing feature, this is good.
In Agda, booleans are actually implemented as above:
data Bool : Set where false true : Bool
as well as in Coq:

Inductive bool : Set := false : bool | true : bool.

Bootstrapping. A nice idea in order to gain confidence in the proof checker would
be to bootstrap and prove its correctness inside itself: OCaml is programmed in
OCaml, why couldn’t we prove Agda in Agda? Gödel’s second incompleteness
theorem unfortunately shows that this is impossible. However, a fair amount
can be done, and has been done in the case of Coq [BW97]: the part which
is out of reach is to show the termination of Coq programs inside Coq (we
already faced a similar situation, in the simpler case of Peano arithmetic, see
section 5.2.5).

Termination. A proof assistant should be able to decide, in finite amount of

time, whether a proof is correct or not. In order to do so, it has to be able to
check that a given function will produce a given value. For this reason, all the
CHAPTER 6. AGDA 266

functions that you can write in proof assistants such as Agda are total: they
always produce a result in a finite amount of time. In order to ensure this,
heavy restrictions are imposed on the programs which can be implemented in
proof assistants. Firstly, since all functions are total, the language is not Turing-
complete: there are some programs that you can write in usual programming
languages that you will not be able to write in a proof assistant. Fortunately,
those are “rare” and typically arise when trying to bootstrap as explained above.
Secondly, since the problem of deciding whether a function terminates or not
is undecidable, the proof assistant actually implements conditions which ensure
that accepted programs will terminate, but some terminating programs will ac-
tually get rejected for “no good reason”. These issues are detailed in section 6.8.

6.1.2 Installation. In order to use Agda you will need two pieces of software:
Agda itself and an editor which supports interacting with Agda. The advised
editor is Emacs.

Linux. On Ubuntu or Debian, installing Agda and Emacs is achieved by typing

sudo apt-get install agda emacs
Or install cabal and

cabal update
cabal install Agda
agda-mode setup

Atom. For people thinking that Emacs looks too old, a most modern-looking
editor compatible with Agda is Atom1 , which is available for most platforms.
In order to activate Agda support, you should go into the menu
Edit > Preferences > Install

search for “agda”, and install both agda-mode and language-agda. In the pref-
erences, under the Editor tab, it is also recommended to activate the Scroll
Past End checkbox. If Atom has trouble finding the standard libraries, in the
settings of the Package agda-mode, change the Agda path to something like
/usr/bin/agda -i /usr/share/agda-stdlib

macOS. If you have brew:

brew install emacs agda
agda-mode setup
Otherwise, the manual way:
– download Haskell2
– run in a terminal:
1 https://atom.io/
2 https://www.haskell.org/platform/mac.html
CHAPTER 6. AGDA 267

cabal update
cabal install Agda
agda-mode setup

– install Emacs3 or Atom (see above).

Alternatively, you can try Agda Writer4 which looks nice and simple.

Windows. Follow those steps:

– download Haskell5
– run the same commands as for macOS (without brew) in a terminal

– install Emacs6 or Atom (see above).

Alternatively, there is an installer7 : you should choose the latest version.
After that, you still need to install the standard library by hand. It can be
downloaded8 , and you should copy the contents of the src directory of the
archive to the library directory of the Agda installed by the previous installer.

6.2 Getting started with Agda

6.2.1 Getting help. The first place to get started with Agda is the online
documentation, which is quite well written:
https://agda.readthedocs.io/en/latest/

As usual you can also search on the web. In particular, there are also various
forums such as Stackoverflow:
https://stackoverflow.com/questions/tagged/agda
A very good introduction to Agda is [WK19].

6.2.2 Shortcuts. When writing a proof in Agda, we do not have to write the
whole program directly: this would be almost impossible in practice. The editor
allows us to leave “holes” in proofs (written ?) and provides us with shortcuts
which can be used in order to fill those holes and refine programs. Below we
provide the shortcuts for the most helpful ones, writing C-x for the control key
+ the x key. They might seem a bit difficult to learn at first, but you will see
that they are easy to get along, and we can live our whole Agda life with only
six shortcuts.
3 https://emacsformacosx.com/
4 http://markokoleznik.github.io/agda-writer/
5 https://www.haskell.org/platform/windows.html
6 http://ftp.gnu.org/gnu/emacs/windows/emacs-26/
7 http://homepage.divms.uiowa.edu/~astump/agda/
8 https://wiki.portal.chalmers.se/agda/pmwiki.php/Libraries/StandardLibrary
CHAPTER 6. AGDA 268

Emacs. We should first recall the main Emacs shortcuts:

C-c C-s save file
C-w cut
M-w copy
C-y paste
Atom uses more standard ones.

Agda. The main shortcuts for Agda that we will need are the following ones,
their use is explained below in section 6.2.6.
C-c C-l typecheck and highlight the current file
C-c C-, get information about the hole under the cursor
C-c C-space give a solution
C-c C-c case analysis on a variable
C-c C-r refine the hole
C-c C-a automatic fill
middle click definition of the term
A complete list can be found in the online documentation. Shortcuts which are
also sometimes useful are C-c C-. which is like C-c C-, but also shows the
inferred type for the proposed term for a hole, and C-c C-n which normalizes a
term (useful to test computations).

Symbols. Agda allows for using fancy UTF-8 symbols: those are entered using
\ (backslash) followed by the name of the symbol (many names are shared with
LaTeX). Most of them can be found in the documentation. The most useful
ones are for logic
∧ \and \top → \to ∀ \all Π \Pi λ \Gl
∨ \or \bot ¬ \neg ∃ \ex Σ \Sigma ≡ \equiv
and some other useful ones are
\bN × \times ≤ \le ∈ \in
\uplus ∷ \:: ∎ \qed
Indices and exponents such as in x ₁ and x¹ are respectively typed \_1 and \^1,
and similarly for other.

6.2.3 The standard library. The standard library defines most of the ex-
pected data types. The default path is /usr/share/agda-stdlib and you are
encouraged to have a look in there or in the online documentation. We list
below some of the most useful modules.

Data types. The modules for common data types are:

Data.Empty Empty type ( )
Data.Unit Unit type ( )
Data.Bool Booleans
Data.Nat Natural numbers ( )
Data.List Lists
Data.Vec Vectors (lists of given length)
Data.Fin Types with finite number of elements
CHAPTER 6. AGDA 269

Other useful ones are : Data.Integer (integers), Data.Float (floating point

numbers), Data.Bin (binary natural numbers), Data.Rational (rational num-
bers), Data.String (strings), Data.Maybe (option types), Data.AVL (balanced
binary search trees).

Logic. Not much is defined in the core of the Agda language and most of the
type constructors are also defined in the standard library:
Data.Sum Sum types ( , ∨)
Data.Product Product types (×, ∧, ∃, Σ)
Relation.Nullary Negation (¬)
Relation.Binary.PropositionalEquality Equality (≡)

Algebra. The standard library contains modules for useful algebraic structures
in Algebra.*: monoids, rings, groups, lattices, etc.

6.2.4 Hello world. A mandatory example is the “hello world” program, see
section 1.1.1. We can of course write it in Agda:
open import IO

main = run (putStrLn "Hello, world!")

We however only give it for fun here: you will very rarely write such a program.
A more realistic example is detailed in next section.

6.2.5 Our first proof. As a first proof, let’s show that the propositional for-
mula
A∧B ⇒B∧A
is valid. By the Curry-Howard correspondence, we want a program of the type
A×B →B×A
showing that × is commutative. In OCaml, we would have typed
# let prod_comm (a , b) = (b , a);;
val prod_comm : 'a * 'b -> 'b * 'a = <fun>
The full proof in Agda goes as follows:
open import Data.Product

-- The product is commutative

×-comm : (A B : Set) → (A × B) → (B × A)
×-comm A B (a , b) = (b , a)
We should try to explain the various things we see there.

Importing modules. The programs in Agda, including the standard library, are
organized in modules which are collections of functions dedicated to some fea-
ture. Here, we want to use the product, and therefore we have to import the
corresponding module, which is called Data.Product in the standard library. In
order to do so, we use the open import command which loads all its functions.
CHAPTER 6. AGDA 270

Comments. In Agda, comments start by -- (two minus dashes), as in the second

line.

Declaring functions. We are defining a function named ×-comm. A function

declaration always contains (at least) two lines. The first one is of the form
name : type
declaring that the function name will have the type type, and the second one is
of the form
name a1 ... an = value
declaring that the function name takes arguments ai and returns a given value.

Types. Let us detail the type

(A B : Set) → (A × B) → (B × A)
we have given to the function. As indicated above, in OCaml the type would
have been
'a * 'b -> 'b * 'a
which means that for any types ’a and ’b the function can have the above type.
In Agda, there is not such implicit universal quantification over types, which
means that we have to do that by ourselves. We can do this because
1. we have the special type Set which is “the type of types” (we have uni-
verses),
2. we have the ability to name the arguments in types and use them in further
types (we have dependent types).
The type of the function will thus read as: given arguments A and B of type Set
(i.e. given types A and B), given a third argument of type A × B, we return a
result of type B × A. The fact that the arguments A and B are grouped here is
purely a syntactic convenience, and the above type is exactly the same as
(A : Set) → (B : Set) → (A × B) → (B × A)

Function definitions. The definition of the function is then the expected one
×-comm A B (a , b) = (b , a)
We take three arguments: A, B and a pair (a , b) and return the pair (b , a).
Note that the fact that we can write (a , b) for the third argument is because
Agda allows definitions by pattern matching (just as OCaml): here, the product
has only one constructor, the pair.

Spaces. A minor point, which is sometimes annoying at first, is that spaces

for constructors are important: you have to write (a , b) and not (a, b) or
(a,b). This is because the syntax of Agda is really extensible (the notation for
pairings is not builtin for instance, it is defined in Data.Product!), which comes
with some induced limitations. A side effect of this convention is that a,b is
a perfectly legit variable name (but it is not necessarily a good idea to make
heavy use of this opportunity).
CHAPTER 6. AGDA 271

Typesetting UTF-8 symbols. Since we want our proofs to look fancy, we have
used some nice UTF-8 symbols: for instance “→” and “×”. In the editor, such
symbols are typed by commands such as \to or \times as indicated above, in
section 6.2.2. There are usually text replacements (e.g. we could have written
-> and *), but those are not used much in Agda.

6.2.6 Our first proof, step by step. The above proof is very short, so that
we could have typed it at once and then made sure that it typechecks, but
even for moderately sized proofs, it is out of question to write them in one
go. Fortunately, we can input those gradually, by leaving “holes” in the proofs
which are refined later. Let us detail how one would have done this proof step
by step, in order to introduce all the shortcuts.
We begin by giving the type of the function and its declaration as
×-comm : (A B : Set) → (A × B) → (B × A)
×-comm A B p = ?
We know that our function takes three arguments (A, B and p), which is obvious
from the type, but we did not think hard enough yet of the result so that we
have written ? instead, which can be thought of as a “hole” in the proof. We
can then typecheck the proof by typing C-c C-l. Basically, this makes sure that
Agda is aware of what is in the editor (and report errors) so that you should
use it whenever you have changed something in the file (outside a hole). Once
we do that, the file is highlighted and changed to
×-comm : (A B : Set) → (A × B) → (B × A)
×-comm A B p = { }0
The hole has been replaced by { }0, meaning that Agda is waiting for some
term here (the 0 is the number of the hole). Now, place your cursor in the hole.
We can see the variables at our disposal (i.e. the context) by typing C-c C-,:
Goal: B × A
------------------------------------------------------------
p : A × B
B : Set
A : Set
This is useful to know where we are exactly in the proof: here we want to prove
B × A with A, B and p of given types. Now, we want to reason by case analysis
on p. We therefore use the shortcut C-c C-c, Agda then asks for the variable
on which we want to reason by case on, in this case we reply p (and enter). The
file is then changed to
×-comm : (A B : Set) → (A × B) → (B × A)
×-comm A B (fst , snd) = { }0
Since the type of p is a product, p must be a pair and therefore Agda changes p
to the pattern (fst , snd). Since we do not like the default names given by
Agda to the variables, we rename fst to a and snd to b:
×-comm : (A B : Set) → (A × B) → (B × A)
×-comm A B (a , b) = { }0
CHAPTER 6. AGDA 272

We should then do C-c C-l so that Agda knows of this change (remember that
we have to do it each time we modify something outside a hole). Now, we place
our cursor into the hole. By the same reasoning, the hole has a product as a
type, so that it must be a pair. We therefore use the command C-c C-r which
“refines” the hole, i.e. introduces the constructor if there is only one possible for
the given type. The file is then changed to
×-comm : (A B : Set) → (A × B) → (B × A)
×-comm A B (a , b) = { }1 , { }2

The hole was changed in a pair of two holes. In the hole { }1, we know that
the value should be b. We can therefore write b inside it and type C-c C-space
to indicate that we have given the value to fill the hole:
×-comm : (A B : Set) → (A × B) → (B × A)
×-comm A B (a , b) = b , { }2

We could do the same for the second hole (by giving a), but we get bored: this
hole is of type A so that the only possible value for it was a anyway. Agda is
actually able to find that by typing C-c C-a which is the command for letting
the prover try to automatically fill a hole:

×-comm : (A B : Set) → (A × B) → (B × A)
×-comm A B (a , b) = b , a

6.2.7 Our first proof, again. We would like to point out that these steps ac-
tually (secretly) correspond to constructing a proof. For simplicity, we suppose
that A and B are two fixed types, this can be done by typing
postulate A B : Set
and consider the proof

×-comm : (A × B) → (B × A)
×-comm (a , b) = b , a
which is a small variant of previous one. We now explain that constructing this
proof corresponds to constructing a proof in sequent calculus. As a general rule:

– doing a case split on a variable (C-c C-c) corresponds to performing a left

rule (or an elimination rule in natural deduction),
– refining a hole (C-c C-r) corresponds to performing a right rule (or a
introduction rule in natural deduction),

– providing a variable term (C-c C-space) corresponds to performing an

axiom rule.
In figure 6.1, we have shown how the steps of our proof in Agda translate
into the construction of the proof from bottom up, in sequent calculus. Also
note that there is a perfect correspondence with respect to the Curry-Howard
CHAPTER 6. AGDA 273

Agda Shortcut Proof Rule

?
×-comm = { }0 C-c C-r (⇒R )
`A∧B ⇒B∧A
?
A∧B `B∧A
×-comm p = { }0 C-c C-c p (∧L )
`A∧B ⇒B∧A
?
A, B ` B ∧ A
A∧B `B∧A
×-comm (a , b) = { }0 C-c C-r (∧R )
`A∧B ⇒B∧A
? ?
A, B ` B A, B ` A
A, B ` B ∧ A
A∧B `B∧A
×-comm (a , b) = { }1 , { }2 b C-c C-s (ax)
`A∧B ⇒B∧A
?
A, B ` B A, B ` A
A, B ` B ∧ A
A∧B `B∧A
×-comm (a , b) = b , { }2 a C-c C-s (ax)
`A∧B ⇒B∧A
A, B ` B A, B ` A
A, B ` B ∧ A
A∧B `B∧A
×-comm (a , b) = b , a
`A∧B ⇒B∧A

Figure 6.1: Agda proofs and sequent proofs.

CHAPTER 6. AGDA 274

correspondence if we allow ourselves to put patterns instead of variables in the

context:
(ax) (ax)
a : A, b : B ` b : B a : A, b : B ` a : A
(∧R )
a : A, b : B ` (b, a) : B ∧ A
(∧L )
(a, b) : A ∧ B ` (b, a) : B ∧ A
(⇒R )
` λ(a, b).(b, a) : A ∧ B ⇒ B ∧ A

This correspondence has some defects in general [Kri09], which is why we do

not detail it further here.

6.3 Basic agda

In this section we present the main constructions which are present in the core
of Agda, with the notable exception of inductive types which are described in
sections 6.4 and 6.5.

6.3.1 The type of types. In Agda, there is by default a type named Set,
which can be thought of as the type of all types: an element of type Set is a
type.

6.3.2 Arrow types. In Agda, we have the possibility of forming function types:
given types A and B, one can form the type

A → B
of functions taking an argument of type A and returning a value of type B. For
instance, the function isEven which determines whether a natural number is
boolean will be given the type

isEven : → Bool

Type constructors. Functions in Agda can operate on types. For instance, the
type of lists, is a type constructor: it is a function which takes a type A as
argument and produces a new type List A, the type of lists whose elements are
of type A. We can thus give it the type
List : Set → Set
The type List A can also be seen as a type which is parametrized by another
type, just as in OCaml the type of lists is ’a list is parametrized by the type ’a.

Named arguments. In Agda, we can give a name to the arguments in types,

e.g. we can give the name x to A and consider the type

(x : A) → B
For instance, the even function could also have been given the type
isEven : (x : ) → Bool
CHAPTER 6. AGDA 275

However, the added power comes from the fact that the type B is also allowed
to make use of the variable x. For instance, the function which constructs a
singleton list of some type can be given the following type (see section 6.3.3 for
the full definition of this function):
singleton : (A : Set) → A → List A
Both the second argument and the result use the type A which is given as first
argument. Such a type is called a dependent type: it can depend on a value,
which is given as an argument.

Universal quantification. Another way to read the type (x : A) → B is as a uni-

versal quantification: it corresponds to what we would have previously written

∀x ∈ A.B

For instance, we can define the type of equalities between two elements of a
given type A by
eq : (A : Set) → A → A → Set
and a proof that this equality is reflexive is given the type
refl : (A : Set) → (x : A) → eq A x x
which corresponds to the usual formula

∀A.∀x ∈ A.x = x

Implicit arguments. Sometimes, some arguments can be deduced from the type
of other arguments. For instance, in the singleton function above, A is the type
of the second argument. In this case, we can make the first argument implicit,
which means that we will not have to write it and we will let Agda guess it
instead. This is done by using curly brackets in the type
singleton : {A : Set} → A → List A
This allows us to simply write
singleton 3
and Agda will be able to find out that A has to be , since this is the type of
3. In case we want to specify the implicit argument, we have to use the same
brackets:
singleton { } 3
Another way of having Agda make a guess is to use _ which a placeholder that
has to be filled automatically by Agda. For instance, we could try to let Agda
guess the type of A (which is Set) by declaring
singleton : {A : _} → A → List A
which can equivalently be written
singleton : ∀ {A} → A → List A
CHAPTER 6. AGDA 276

6.3.3 Functions. As indicated in section 6.2.5, a function definition begins

with a line specifying the type of the function, followed by the definition of the
function itself. For instance, the singleton function which takes an element x
of some arbitrary type A and returns the list with x as only element, can be
defined as
singleton : (A : Set) → A → List A
singleton A x = x ∷ []
or as

singleton : {A : Set} → A → List A

singleton x = x ∷ []
or as

singleton : {A : Set} → A → List A

singleton = λ x → x ∷ []
In the second variant, A is an implicit argument. In the third variant, we
illustrate the fact that we can use λ-abstractions to define anonymous functions.

Infix notations. In function names, underscores (_) are handled as places where
the arguments should be put, which allows to easily define infix operators. For
instance, we can define the addition with type

_+_ : → →

and then use it as

3 + 2
The prefix notation is still available though, in case it is needed:

_+_ 3 2
The priorities of binary operators can be specified by commands such as
infix 6 _+_
which states that the priority of addition is 6 (the higher the number, the
higher the priority). Operations can also be specified to be left (resp. right)
associative by replacing infix by infixl (resp. infixr). For instance, addition
and multiplications are usually given priorities
infixl 6 _+_
infixl 7 _*_

so that the expression

2 + 3 + 5 * 2
is implicitly bracketed as
(2 + 3) + (5 * 2)
CHAPTER 6. AGDA 277

Auxiliary functions. In the definition of a function, it is possible to use auxiliary

function definitions using the where keyword. For instance, we can define the
function f which computes the fourth power of a natural number, i.e. f (x) = x4 ,
by using the square function as an auxiliary function, i.e. f (x) = (x2 )2 , as
follows:
fourth : →
fourth n = square (square n)
where
square : →
square n = n * n
Here, we define the fourth function in terms of the auxiliary function square,
which is defined afterwards, preceded by the where keyword.

6.3.4 Postulates. It rarely happens that we need to assume the existence of

a term of a given type without any hope of proving it: this is typically the case
for axioms. This can be achieved by the postulate keyword. For instance, in
order to work in classical logic, we can assume the law of excluded middle with

postulate lem : (A : Set) → ¬ A A

These should be avoided as much as possible because postulates will not com-
pute: if we apply lem to an actual type A, it will not reduce to either ¬ A or A,
as we would expect for a coproduct, see section 6.5.6: how could Agda possibly
know which one is the right one?

6.3.5 Records. Records in Agda are pretty similar to those in other language
(e.g. OCaml) and will not be used much here. In order to illustrate the syntax,
we provide here an implementation of pairs using records:
record Pair (A B : Set) : Set where
field
fst : A
snd : B

make-pair : {A B : Set} → A → B → Pair A B

make-pair a b = record { fst = a ; snd = b }

proj ₁ : {A B : Set} → Pair A B → A

proj ₁ p = Pair.fst p

6.3.6 Modules. A module is a collection of functions. It can be declared by

putting

module Name where

at the beginning of the file, where Name is the name of the module and should
match the name of the file. The functions of another module can be used by
issuing the command
open import Name
CHAPTER 6. AGDA 278

which will expose all the functions of the module Name. After this command the
modifiers hiding (...) or renaming (... to ...) in order to hide or rename
some of the functions.

6.4 Inductive types: data

Inductive types are the main way of defining new types in Agda. Apart from
a few exceptions (such as → and Set mentioned above), all the usual types are
defined using this mechanism in the standard library, including usual data types
and logical connectives; we first focus on data types in this section. An inductive
type T is declared using a statement of the form
data T : A where
cons ₁ : A ₁ → ... → A ᵢ → T
...
cons ₙ : B ₁ → ... → B ⱼ → T
which declares that T is an inductive type, whose type is A, with constructors
cons ₁ , . . . , cons ₙ . For each constructor, the line begins with two blank spaces,
followed by the name of the constructor, and ended by the type of the construc-
tor. Each constructor takes an arbitrary number of arguments and has T as
return type. Since the type T we are defining is itself a type, A is usually Set,
although some more general inductive types are supported (for instance, they
can depend on some other types, see section 6.4.7).

6.4.1 Natural numbers. As a first example, the natural numbers are defined
as the inductive type in the module Data.Nat by
data : Set where
zero :
suc : →

The first constructor is zero, which does not take any argument, and the second
constructor is suc, which takes a natural number as argument. A value of type
is

zero suc zero suc (suc zero) suc (suc (suc zero))

and so on. As a commodity, the usual notation for natural numbers is also
supported and we can write 2 as a shorthand for suc (suc zero).

6.4.2 Pattern matching. The way one typically uses elements of an inductive
type is by pattern matching: it allows inspecting a value of an inductive type
and return a result depending on the constructor of the value. As explained
above, the cases are usually generated by using the C-c C-c shortcut which
instructs the editor to perform case analysis on some variable. For instance, in
order to define the predecessor function, we start with
pred : →
pred n = ?
CHAPTER 6. AGDA 279

then, by C-c C-c we indicate that we want to reason by case analysis on n,

which turns the code into
pred : →
pred zero = ?
pred (suc n) = ?
We now have to give the result of the function when the argument is zero (by
convention the predecessor of 0 is 0) and when the argument is suc n, where
n is a natural number. We can finally fill in the holes in order to define the
predecessor:
pred : →
pred zero = zero
pred (suc n) = n
Of course, pattern matching also works with multiple arguments and we can
define addition by
_+_ : → →
zero + n = n
suc m + n = suc (m + n)
This definition can be tested by defining
t = 3 + 2
and use C-c C-n to normalize t (which give 5 as answer). Subtraction can be
defined similarly by
_∸_ : → →
zero ∸ n = zero
suc m ∸ zero = suc m
suc m ∸ suc n = m ∸ n
(by convention m − n = 0 when m < n) and multiplication by
_*_ : → →
zero * n = zero
suc m * n = (m * n) + n

Matching with other values. It is sometimes useful to define a function by case

analysis on a value which is not an argument. In this case, we can use the
where keyword followed by the value we want to match on. This value can then
be matched as an extra argument, which has to be separated from the other
argument by a symbol |. For instance, the modulo function on natural numbers
can be defined by induction on the second argument by the following definition:
(
m if m < n
m mod n =
(m − n) mod n otherwise

Here, we do not want to reason directly by induction on n, which would force

us to distinguish the case where n is zero or a successor, but rather on whether
m < n holds or not. This can be achieved by matching on m <? n which will
CHAPTER 6. AGDA 280

either be yes _ or no _ depending on whether m < n or m 6< n (the argument

of those constructors is not important for the moment and will be detailed in
section 6.5.6).
We begin our definition as usual with
_mod_ : → →
m mod n = ?
Since we want to match on m <? n, we use the with construction in order to
match on it additionally to the arguments:

_mod_ : → →
m mod n with m <? n
m mod n | p = ?
and we can then reason by case analysis on p. Incidentally, we can avoid typing
again the match on the arguments of the function by simply writing “...”:
_mod_ : → →
m mod n with m <? n
... | p = ?
At this point, we reason by case analysis on p (with C-c C-c p) which will
produce two cases depending on the value of p:
_mod_ : → →
m mod n with m <? n
m mod n | yes _ = ?
m mod n | no _ = ?

We can finally, fill those two cases, as indicated by the above formula:
_mod_ : → →
m mod n with m <? n
m mod n | yes _ = m
m mod n | no _ = (m ∸ n) mod n

As a side note, if you actually try the above definition in Agda, you will see that
it gets rejected because it is not clear for Agda that it is actually terminating.
The actual definition is slightly more involved because of this, see section 6.8.

Empty pattern matching. Some inductive types do not have any element. For
instance, we can define the empty type as
data : Set where

(this is an inductive type with no element). When performing pattern matching

on elements of this type there can be no case. In order to represent this, Agda
uses the pattern (), which means that no such pattern can happen. For instance,
one can show that if we have an element of type then we have an element of
an arbitrary type A as follows:

-elim : {A : Set} → → A
-elim ()
CHAPTER 6. AGDA 281

Of course, since the type A is arbitrary, there is no way for us in the proof to
actually exhibit a term of this type. But we do not have to: the pattern ()
states that there are no cases to handle when matching on the argument of
type , so that we are done.
It might seem at first that this is not so useful, unless one insists on using
the type (which is actually done quite often since negation is defined using it
as you can expect). This is not so because there are many less obvious ways of
constructing empty inductive types in Agda. For instance, the type zero ≡ suc
zero of equalities between 0 and 1 is also an empty inductive type.

Anonymous pattern matching. Anonymous functions can be defined by pattern

matching, although the syntax is slightly different from what one would expect:
we need to put curly brackets before the arguments, and cases are separated by
semicolons:
λ { x → ... ; ... }
For instance, the predecessor can be defined as an anonymous function by

pred : →
pred = λ { zero → zero ; (suc n) → n }

6.4.3 The induction principle. We would now like to briefly mention that
pattern matching in Agda corresponds to the presence of a recurrence or induc-
tion principle. For instance, if we define a function f from natural numbers to
some type A, we will typically define it using pattern matching by
f : → A
f zero = t
f (suc n) = u'
where t and u’ are terms of type A. Here, u’ might make use of the natural
number n provided by the argument, as well as the result of the recursive call
f n: we can suppose that u’ is of the form u n (f n) for some function u of
type → A → A. Any such terms t and u will give rise to a function of type
→ A in this way. The recurrence principle expresses this as a function which
takes two arguments (of type A and → A, respectively corresponding to t and
u) and produces the resulting function:
rec : {A : Set} → A → ( → A → A) → → A
rec t u zero = t
rec t u (suc n) = u n (rec t u n)

This is precisely the recursor we have already met when adding natural numbers
to simply typed λ-calculus in section 4.3.6. Moreover, any function of type →
A defined using pattern matching can be defined using this function instead: this
recurrence function encapsulates all the expressive power of pattern matching.
For instance, the predecessor function would be defined as

pred : →
pred = rec zero (λ n _ → n)
CHAPTER 6. AGDA 282

From a logical point of view, the recurrence principle corresponds to the elimi-
nation rule: for this reason it is also sometimes also called an eliminator.
Pattern matching in Agda is more powerful than this however: it can also be
used in order to define functions where the return type depends on the argument.
This means that we now consider functions of the form
f : (n : ) → P n
f zero = t
f (suc n) = u n (f n)

where P n is a type which depends on n, or equivalently P is a predicate, of

type → Set: here, t is of type P zero and u n (f n) is of type P (suc n).
The corresponding dependent variant of the recurrence principle is called the
induction principle and is the following one:
rec : (P : → Set) → P zero →
((n : ) → P n → P (suc n)) → (n : ) → P n
rec P Pz Ps zero = Pz
rec P Pz Ps (suc n) = Ps n (rec P Pz Ps n)
Given

– a predicate P,
– an element t of P zero, and
– a function u of type → P n → P (suc n),
this function allows us to construct a function of type (n : ) → P n. If, fol-
lowing the Curry-Howard correspondence, we read the type as a logical formula
(see section 6.5), we precisely recover the usual recurrence principle over natural
numbers:
P (0) ⇒ (∀n ∈ N.P (n) ⇒ P (n + 1)) ⇒ ∀n ∈ N.P (n)
For instance, the following proof by recurrence that n + 0 = n for every natural
number n
+-zero : (n : ) → n + zero ≡ n
+-zero zero = refl
+-zero (suc n) = cong suc (+-zero n)
can be expressed as follows using the dependent induction principle:
+-zero : (n : ) → n + zero ≡ n
+-zero = rec (λ n → n + zero ≡ n) refl (λ n p → cong suc p)

6.4.4 Booleans. The type of booleans is defined in Data.Bool by

data Bool : Set where
false : Bool
true : Bool
so that, for instance, boolean negation is defined by
CHAPTER 6. AGDA 283

neg : Bool → Bool

neg false = true
neg true = false
and conjunction by
_∧_ : Bool → Bool → Bool
false ∧ _ = false
true ∧ false = false
true ∧ true = true
In Agda, even conditional branchings are defined by pattern matching:
if_then_else_ : {A : Set} → Bool → A → A → A
if false then x else y = x
if true then x else y = y
Finally, the induction principle for booleans is
Bool-rec : (P : Bool → Set) → P false → P true →
(b : Bool) → P b
Bool-rec P Pf Pt false = Pf
Bool-rec P Pf Pt true = Pt

6.4.5 Lists. Lists are defined in Data.List by

data List (A : Set) : Set where
[] : List A
_∷_ : A → List A → List A
Here, “∷” is one UTF-8 symbol (entered with \::) and not two colons. As
indicated above, the type List depends on another type A, called the parameter
of the inductive type. The resulting type is thus called parametric type or a type
constructor. The usual functions are defined as usual by induction, for instance,
we can define the function which associates its length to a list by
length : {A : Set} → List A →
length [] = 0
length (x ∷ l) = suc (length l)
the function which maps a function to every element of a list by
map : {A B : Set} → (A → B) → List A → List B
map f [] = []
map f (x ∷ l) = f x ∷ map f l
or the function which concatenates two lists by
_++_ : {A : Set} → List A → List A → List A
[] ++ l' = l'
(x ∷ l) ++ l' = x ∷ (l ++ l')
Finally, the induction principle for lists is:
List-rec : {A : Set} → (P : List A → Set) → P [] →
((x : A) → (xs : List A) → P xs → P (x ∷ xs)) →
(xs : List A) → P xs
List-rec P Pe Pc [] = Pe
List-rec P Pe Pc (x ∷ xs) = Pc x xs (List-rec P Pe Pc xs)
CHAPTER 6. AGDA 284

6.4.6 Options. Option types are defined in Data.Maybe by

data Maybe (A : Set) : Set where
just : A → Maybe A
nothing : Maybe A
A value of this type is thus either nothing or just x for some value x of type A.
The type Maybe A can thus be seen as the type A extended with one new value,
nothing (it corresponds to option types of OCaml, see section 1.3.4). It is
often useful in order to accommodate for exceptional values (where we would
use “NULL pointers” in other languages). For instance, the function returning
the head of a list is not defined when the list is empty. It can be given the
following definition:
head : {A : Set} → List A → Maybe A
head [] = nothing
head (x ∷ l) = just x
This function in a bit cumbersome to use: each time we have to test whether
the result is nothing or not (monads might be of some help here though). A
more elegant solution is provided below.

6.4.7 Vectors. A vector is a list of given length. The type of vectors is defined
in Data.Vec by
data Vec (A : Set) : → Set where
[] : Vec A zero
_∷_ : {n : } → A → Vec A n → Vec A (suc n)
An element of Vec A n can be seen as a list whose elements are of type A and
whose length is n. In this type, we thus have both a parameter A of type Set
and an index of type , corresponding to the length of the vector, indicated
by the fact that the return type is → Set. Indices are roughly the same as
parameters, excepting that they can vary with constructors, as seen above: the
constructor [] produces a vector of length zero, whereas the constructor _∷_ a
list of length suc n. It is “pure coincidence” if the names of the constructors
are the same as for lists: they have nothing to do with those and could have
named differently (however, people chose to name them in the same way because
vectors are usually used as a replacement for lists).

Dependent types. It should be observed that the type Vec A n of vectors depends
on a term n, the natural number indicating its length: this is a defining feature
of dependent types. We can also define functions such that the type of the result
depend on the argument. For instance, we have the following function, building
a vector containing n occurrences of a given value:
replicate : {A : Set} → A → (n : ) → Vec A n
replicate x zero = []
replicate x (suc n) = x ∷ replicate x n
CHAPTER 6. AGDA 285

Dependent pattern matching. Another natural function on this type is the func-
tion returning the head of the list:
head : {n : } {A : Set} → Vec A (suc n) → A
head (x ∷ xs) = x
This is a good illustration of the dependent pattern matching present in Agda.
Since the argument is a list of type Vec A (suc n), Agda automatically infers
that this function will never be applied to an empty list, because it cannot have
such a type, thus avoiding the problem we had when defining the same function
on lists in section 6.4.6.

Convertibility. Even though the type is more informative than the one of lists,
typical functions are not significantly harder to write. For instance, the con-
catenation of vectors is comparable to the one of lists:
_++_ : {m n : } {A : Set} → Vec A m → Vec A n → Vec A (m + n)
[] ++ l = l
(x ∷ l) ++ l' = x ∷ (l ++ l')
Looking closely at the first case of the pattern matching, we can note that the
result l we are providing is of type Vec A n whereas the type of the function
indicates that we should provide a result of type Vec A (zero + n). This illus-
trates the fact that Agda is able to compare types up to β-reduction on terms
(zero + n reduces to n): we can never distinguish between two β-convertible
terms.

Induction principle. The induction principle for vectors is:

Vec-rec : {A : Set} → (P : {n : } → Vec A n → Set) → P [] →
({n : } (x : A) (xs : Vec A n) → P xs → P (x ∷ xs)) →
{n : } → (xs : Vec A n) → P xs
Vec-rec P Pe Pc [] = Pe
Vec-rec P Pe Pc (x ∷ xs) = Pc x xs (Vec-rec P Pe Pc xs)

Indices instead of parameters. In definition of vectors, we could have used an

index instead of a parameter for the type A:
data Vec : Set → → Set where
[] : {A : Set} → Vec A zero
_∷_ : {A : Set} {n : } (x : A) (xs : Vec A n) → Vec A (suc n)
This is a general fact: we can always encode a parameter as an index. However,
it is recommended to use parameters whenever possible, because Agda handles
them more efficiently.
Also, with the above definition, the induction principle is slightly different:
Vec-rec : (P : {A : Set} {n : } → Vec A n → Set) →
({A : Set} → P {A} []) →
({A : Set} {n : } (x : A) (xs : Vec A n) → P xs → P (x ∷ xs)) →
{A : Set} → {n : } → (xs : Vec A n) → P xs
Vec-rec P Pe Pc [] = Pe
Vec-rec P Pe Pc (x ∷ xs) = Pc x xs (Vec-rec P Pe Pc xs)
CHAPTER 6. AGDA 286

6.4.8 Finite sets. In section 6.4.4, we have defined the set of booleans, which
contains two elements, and clearly we could have defined a set with n elements
for any fixed natural number n. For instance, the following type has four ele-
ments:
data Four : Set where
a : Four
b : Four
c : Four
d : Four
In fact, we can define, once for all, a type Fin n which depends on a natural
number n and has n elements. The definition is done in Data.Fin by
data Fin : → Set where
zero : {n : } → Fin (suc n)
suc : {n : } → Fin n → Fin (suc n)
Looking at it, we can see that Fin n is essentially the collection of natural
numbers restricted to
Fin n = {0, . . . , n − 1}
The above inductive type namely corresponds to the following inductive set-
theoretic definition:

Fin 0 = ∅
Fin (n + 1) = {0} ∪ {i + 1 | i ∈ Fin n}

As for vectors, the fact that the constructors have the same name as for natural
numbers is “pure coincidence”: the elements of Fin n are not elements of ,
although there is obviously a canonical mapping:
to : {n : } → Fin n →
to zero = zero
to (suc i) = suc (to i)
Some black magic in Agda allows it to determine, using types, whether we are
using the constructors of Fin or those of .

The lookup function. The type Fin n is typically used to index elements over
finite sets. For instance, consider the lookup function, which returns the i-th
element of a vector l of length n. Clearly, this function is only well defined when
i < n, otherwise said when i belongs to Fin n. We can define this function as
follows:
lookup : {n : } {A : Set} → Fin n → Vec A n → A
lookup zero (x ∷ l) = x
lookup (suc i) (x ∷ l) = lookup i l
The typing ensures that the index will always be such that the function is well-
defined, i.e. that we will never request an element outside the boundaries of the
vector.
Let us present other possible implementations of this functions, using natural
numbers as the type of i, in order to show that they are more involved and less
CHAPTER 6. AGDA 287

elegant. Since the function is not defined for every natural number i, a first
possibility would be to have a return value of type Maybe A, where nothing
would indicate that the function is not defined:
lookup : → {A : Set} {n : } → Vec A n → Maybe A
lookup zero [] = nothing
lookup zero (x ∷ l) = just x
lookup (suc i) [] = nothing
lookup (suc i) (x ∷ l) = lookup i l
This is quite heavy to use in practice, because we have to account for the
possibility that the function is not defined each time we use it. Another option
could be to add, as argument a proof of i < n, ensuring that the index is not
out of bounds. This is more acceptable in practice, but the definition is not as
direct as the one above:
lookup : {i n : } {A : Set} → i < n → Vec A n → A
lookup {i} {.0} () []
lookup {zero} {.(suc _)} i<n (x ∷ l) = x
lookup {suc i} {.(suc _)} i<n (x ∷ l) = lookup (≤-pred i<n) l

6.5 Inductive types: logic

We have seen that inductive types can be used in order to implement usual data
types (and more). We now explain that they can also be used to implement usual
constructions on the logical side: though the Curry-Howard correspondence,
types can be read as logical formulas (and a program of a given type as a proof
of its type). We establish the dictionary between the two in this section. In
this way, Agda provides a formal framework in which proofs can be formalized,
as hinted in section 1.5, and we will see is much richer than the simply-typed
λ-calculus presented in chapter 4.

6.5.1 Implication. The first logical connective we have at our disposal is im-
plication, which corresponds to the arrow → in types. For instance, the classical
formulas

A⇒B⇒A (A ⇒ B ⇒ C) ⇒ (A ⇒ B) ⇒ A ⇒ C

can respectively be proved by

K : {A B : Set} → A → B → A
K x y = x
and
S : {A B C : Set} → (A → B → C) → (A → B) → A → C
S g f x = g x (f x)

6.5.2 Product. Products are defined in Data.Product by

data _×_ (A B : Set) : Set where
_,_ : A → B → A × B
CHAPTER 6. AGDA 288

The first projection is defined as

proj ₁ : {A B : Set} → A × B → A
proj ₁ (a , b) = a
and the second projection is defined similarly. The projections are named proj ₁
and proj ₂ in the standard library, even though we sometimes like to rename
them as fst and snd. From a logical point of view, a product corresponds to
conjunction. For instance, a proof of the formula A ∧ B ⇒ B ∧ A, expressing the
commutativity of conjunction, was given in section 6.2.5. As another example,
curryfication (see section 4.3.1) can be shown by
×-→ : {A B C : Set} → (A × B → C) → (A → B → C)
×-→ f x y = f (x , y)
and

→-× : {A B C : Set} → (A → B → C) → (A × B → C)
→-× f (x , y) = f x y

Introduction rule. It can be observed that the constructor corresponds to the

introduction rule for conjunction:

Γ`A Γ`B
(∧I )
Γ`A∧B

This is a general fact: when defining logical connectives with inductive types,
constructors correspond to introduction rules. We see below that the elimination
rule corresponds to the associated induction principle.

Induction principle. The induction principle for products is

×-ind : {A B : Set} → (P : A × B → Set) →
((x : A) → (y : B) → P (x , y)) → (p : A × B) → P p
×-ind P Pp (x , y) = Pp x y
In the case where P does not depend on its argument, the above induction
principle implies the following simpler principle
×-rec : {A B : Set} → (P : Set) → (A → B → P) → A × B → P
×-rec P Pp (x , y) = Pp x y

which corresponds to the elimination rule for conjunction:

Γ, A, B ` P Γ`A∧B
(∧E )
Γ`P

It namely states that if the premises are true then the conclusion is also true.
The dependent induction principle corresponds to the elimination rule in de-
pendent types, as we will see in section 8.3.3.
CHAPTER 6. AGDA 289

6.5.3 Unit type. The unit type is defined in Data.Unit by

data : Set where
tt :
From a logical point of view, the type corresponds to truth and the constructor
to the introduction rule
(>I )
Γ`>
Its induction principle is
-rec : (P : → Set) → P tt → (t : ) → P t
-rec P Ptt tt = Ptt
We know from logic that there is no introduction rule associated to truth. We
can however write the rule which corresponds to this induction principle:

Γ`P Γ`>
(>E )
Γ`P

This is not very interesting from a logical point of view: if we know that P holds
and > holds then we can deduce that P holds, which we already knew.

6.5.4 Empty type. The empty type is defined in Data.Empty by

data : Set where
and corresponds to falsity. It has no constructor, thus no introduction rule. The
associated induction principle is
-elim : (P : → Set) → (x : ) → P x
-elim P ()
The non-dependent variant of this principle
-elim : (P : Set) → → P
-elim P ()
corresponds to the explosion principle, which is the associated elimination rule

Γ`⊥
(⊥E )
Γ`P

We recall from section 6.4.2 that () is the empty pattern in Agda, which in-
dicates here that there are no cases to handle when matching on a value of
type .

6.5.5 Negation. As expected, negation is defined in Relation.Nullary by

¬ : Set → Set
¬ A = A →
For instance, the formula A ⇒ ¬¬A can be proved with
nni : {A : Set} → A → ¬ (¬ A)
nni x f = f x
CHAPTER 6. AGDA 290

6.5.6 Coproduct. Coproducts (or sums) are defined in Data.Sum by

data _ _ (A : Set) (B : Set) : Set where
inj ₁ : A → A B
inj ₂ : B → A B
The constructor inj ₁ (resp. inj ₂ ) is called the injection of A (resp. B) into
A B. The notation comes from the fact that the coproduct A B corresponds
to the disjoint unions if we see the types A and B as sets. Logically, coproduct
corresponds to disjunction. As an illustration, the commutativity of disjunction
is shown by
-comm : (A B : Set) → A B → B A
-comm A B (inj ₁ x) = inj ₂ x
-comm A B (inj ₂ y) = inj ₁ y
As a more involved example, a proof of

(A ∨ ¬A) ⇒ ¬¬A ⇒ A

is, following the proof of theorem 2.5.1.1,

lem-raa : {A : Set} → A ¬ A → ¬ (¬ A) → A
lem-raa (inj ₁ a) k = a
lem-raa (inj ₂ a') k = -elim (k a')
The induction principle is
-rec : {A B : Set} → (P : A B → Set) →
((x : A) → P (inj ₁ x)) → ((y : B) → P (inj ₂ y)) →
(u : A B) → P u
-rec P P ₁ P ₂ (inj ₁ x) = P ₁ x
-rec P P ₁ P ₂ (inj ₂ y) = P ₂ y
The two constructors correspond to the two introduction rules

Γ`A Γ`B
(∨lI ) (∨rI )
Γ`A∨B Γ`A∨B

and the non-dependent variant of the induction principle to the elimination rule

Γ, A ` P Γ, B ` P Γ`A∨B
(∨E )
Γ`P

Decidable types. A type A is decidable when we know whether it is inhabited or

not, i.e. we have a proof of A ∨ ¬A. We could thus define the predicate
Dec : Set → Set
Dec A = A ¬ A
A proof of Dec A is a proof that A is decidable: by definition of the disjunction, it
is either of the form inj ₁ p, where p is a proof of A, or inj ₂ q, where q is a proof
of ¬ A. Agda people like to write yes (resp. no) instead of inj ₁ (resp. inj ₂ ),
because it answers the question: is A provable? In the standard library, the
above type is thus actually defined in the module Relation.Nullary as follows:
CHAPTER 6. AGDA 291

data Dec (A : Set) : Set where

yes : A → Dec A
no : ¬ A → Dec A
Since the logic of Agda is intuitionistic, the formula A ∨ ¬A is not provable for
any type A, and not every type is decidable. However, it can be proved that no
type is not decidable, see section 2.3.5:
nndec : (A : Set) → ¬ (¬ (Dec A))
nndec A n = n (no (λ a → n (yes a)))
This is further discussed in section 6.6.8.

6.5.7 Π-types. A defining feature of Agda is that it uses dependent types: a

type can depend on a term. As we will see, some of the connectives admit
dependent generalizations. The first one is the generalization of function types
A → B
to dependent function types
(x : A) → B
where x might occur in B. These model functions where the type B of the returned
value depends on the argument x. A typical example is the replicate function
of section 6.4.7, which takes a natural number n as argument and returns a
vector of length n. Its type is the dependent function type
replicate : {A : Set} → A → (n : ) → Vec A n
Dependent function types are also called Π-types, and often written
Π(x : A).B
instead of using the above notation. Although there is a builtin notation in
Agda, one can define an inductive type for those by
data Π {A : Set} (A : Set) (B : A → Set) : Set where
Λ : ((a : A) → B a) → Π A B
Namely, an element of the Π type Π A B is simply a dependent function
(x : A) → B x
From a logical point of view, it corresponds to a universal quantification which
is bounded (we specify the type A over which the variable ranges): the above
type corresponds to the logical formula
∀x ∈ A.B(x)
and proof of such a formula corresponds to a function which to every x in A
associates a proof of B(x). This is why Agda also allows the notation
∀ x → B x
for the above type, if one is disposed to leave A implicit.
Exercise 6.5.7.1. Show that the type
Π Bool (λ { false → A ; true → B })
is isomorphic to A × B.
CHAPTER 6. AGDA 292

6.5.8 Σ-types. Σ-types are a dependent variant of product types, whose ele-
ments are of the form a , b where a is of type A and b is of type B a: the type
of the second component depends on the first component. They are defined in
Data.Product by
data Σ (A : Set) (B : A → Set) : Set where
_,_ : (a : A) → B a → Σ A B
(for technical reasons the actual definition in Agda is done using a record, but
is equivalent to the above one). As for usual products, we can define two pro-
jections by
proj ₁ : {A : Set} {B : A → Set} → Σ A B → A
proj ₁ (a , b) = a
and
proj ₂ : {A : Set} {B : A → Set} → (s : Σ A B) → B (proj ₁ s)
proj ₂ (a , b) = b
Again, in the second projection, note that the returned type depends on the
first component.

Logical interpretation. From a logical point of view, the type

Σ A B
can be read as a bounded existential quantification and corresponds to what
one would usually write
∃x ∈ A.B(x)
A proof of such a formula is a pair consisting of an element x of A and a
proof that x satisfies B(x). In a set theoretic interpretation, it corresponds to
constructing sets by comprehension, i.e. the set of elements x of A such that
B(x) is satisfied, what we would usually write

{x ∈ A | B(x)}

For instance, in set theory, given a function f : A → B (from a set A to a set B),
its image Im(f ) is the subset of B consisting of elements in the image of f . It
is formally defined as

Im(f ) = {y ∈ B | ∃x ∈ A.f (x) = y}

This immediately translates as a definition in Agda, with two Σ types (one for
the comprehension and one for the universal quantification):
Im : {A B : Set} (f : A → B) → Set
Im {A} {B} f = Σ B (λ y → Σ A (λ x → f x ≡ y))
and one can for instance show that every function f : A → B has a right inverse
(or section) g : Im(f ) → A:
sec : {A B : Set} (f : A → B) → Im f → A
sec f (y , x , p) = x
CHAPTER 6. AGDA 293

The axiom of choice. In a similar vein, the axiom of choice states that for every
relation R ⊆ A × B satisfying

∀x ∈ A.∃y ∈ B.(x, y) ∈ R (6.1)

there is a function f : A → B such that

∀x ∈ A.(x, f (x)) ∈ R

In section 6.5.9 below, we define a type Rel A B corresponding to relations

between two types A and B, from which we can easily write a type corresponding
to the axiom of choice. What might be a surprise to you is that this axiom is
actually provable in Agda:
AC : {A B : Set} (R : Rel A B) →
((x : A) → Σ B (λ y → R x y)) →
Σ (A → B) (λ f → ∀ x → R x (f x))
AC R f = (λ x → proj ₁ (f x)) , (λ x → proj ₂ (f x))
The reason is that the argument, which corresponds to the proof of (6.1), is
constructive: it is a function which to every element x of type A associates
a pair consisting of an element y of B and a proof that (x, y) belongs to the
relation. By projecting it on the first component, we thus obtain the function f
we are looking for (associating an element of B to each element of A), and we
can use the second component to prove that it satisfies the required property.
However, what people have in mind when thinking of the axiom of choice:
they rather have a “classical” variant where we do not have access to the proof
of (6.1), but we only know its existence. A more reasonable description is thus
the following formalization of the axiom of choice, where the double negation
has killed the contents of the proof, see section 2.5.9:
postulate CAC : {A B : Set} (R : Rel A B) →
¬ ¬ ((x : A) → Σ B (λ y → R x y)) →
¬ ¬ Σ (A → B) (λ f → ∀ x → R x (f x))

This is discussed in further details in section 9.3.4.

6.5.9 Predicates. Predicates can be expressed in Agda, we discuss this now.

Truth values. In classical logic, the set B of booleans is the set of truth values,
i.e. the values in which we evaluate predicates: a predicate on a set A can either
be false or true, and can thus be modeled as a function A → B. In Agda, we
use intuitionistic logic and therefore we are not so much interested in whether a
predicate is true or not, but rather in its proofs, so that the role of truth values
is now played by Set. A predicate P on a type A can thus be seen as a term of
type
A → Set

which to every element x of A associates the type of proofs of P x.

CHAPTER 6. AGDA 294

Relations. In classical mathematics, a relation R on a set A is a subset of A × A,

see also appendix A.1. An element x of A is said to be in relation with an
element y when (x, y) ∈ R. A relation on A can also be encoded as a function

A×A→B

or, equivalently by curryfication, as a function

A→A→B

In this representation, x is in relation with y when R(x, y) = 1.

In intuitionistic type theory, we can describe the type of relations between
two types A and B as the following type Rel A, obtained by replacing the set B
of truth values with Set in the above description:
Rel : Set → Set ₁
Rel A = A → A → Set
(this definition can be found in Relation.Binary in the standard library). For
instance, the usual order relation _≤_ on natural numbers (see below) can be
given the type Rel , and equality relation _≡_ on a type A (see section 6.6) can
be given the type Rel A.

Inductive predicates. In Agda, we can define types inductively, and these types
can depend on other types (inductive types can have parameters and indices).
This means that we can define predicates by induction! For instance, the pred-
icate on natural numbers of being even can be defined by induction by
data isEven : → Set where
even-z : isEven zero
even-s : {n : } → isEven n → isEven (suc (suc n))

We inductively state that 0 is even, and that if n is even then n + 2 is even.

Otherwise said, this corresponds to the definition of the set E ⊆ N of even
numbers as the smallest set of numbers such that 0 ∈ E and n ∈ E ⇒ n+2 ∈ E.
Similarly, the order relation on natural numbers can be defined with the
following inductive type:

data _≤_ : → → Set where

z≤n : {n : } → zero ≤ n
s≤s : {m n : } (m≤n : m ≤ n) → suc m ≤ suc n
This states that it is the smallest relation on natural numbers such that 0 6 0,
and m 6 n implies m+1 6 n+1. One of the main interest of defining predicates
or relations inductively is of course that we can then reason by induction over
those. For instance, we can show that the order relation is reflexive
≤-refl : {n : } → (n ≤ n)
≤-refl {zero} = z≤n
≤-refl {suc n} = s≤s ≤-refl

and transitive
CHAPTER 6. AGDA 295

≤-trans : {m n p : } → (m ≤ n) → (n ≤ p) → (m ≤ p)
≤-trans z≤n n≤p = z≤n
≤-trans (s≤s m≤n) (s≤s n≤p) = s≤s (≤-trans m≤n n≤p)
Because of the support in Agda for reasoning by induction (and dependent
pattern matching), this is often the best choice of style for defining predicates,
leading to the simplest proofs, although there are many other possible. In order
to illustrate this, the order on natural numbers could have been defined by
_≤_ : → → Set
m ≤ n = Σ (λ m' → m + m' ≡ n)
which is base on the classical equivalence, for m, n ∈ N,

m 6 n ⇔ ∃m0 ∈ N.m + m0 = n

We could also have defined it by

le : → → Bool
le zero n = true
le (suc m) zero = false
le (suc m) (suc n) = le m n

_≤_ : → → Set
m ≤ n = le m n ≡ true
We leave as an exercise to the reader to show reflexivity and transitivity with
those formalizations.
Finally, as a more involved example, the implicational fragment of intuition-
istic natural deduction is formalized in section 7.2: here, the relation Γ ` A
between a context Γ and a type A, which is true when the sequent is provable,
is defined inductively.

6.6 Equality
Even equality is defined as an inductive type in Agda. The definition is given
in Relation.Binary.PropositionalEquality by
data _≡_ {A : Set} (x : A) : A → Set where
refl : x ≡ x
The equality is typed, in the sense that we can compare only elements of the
same type A. Moreover, there is only one way to show that two elements are
equal: it is when they are the same! Because of dependent pattern matching,
we will see that it is not as dumb as it might seem at first.

6.6.1 Equality and pattern matching. As a first proof with equality, let us
show that the successor function on natural numbers is injective. Otherwise
said, for every natural numbers m and n, we have

m+1=n+1⇒m=n

This can be formalized as follows:

CHAPTER 6. AGDA 296

suc-injective : {m n : } → suc m ≡ suc n → m ≡ n

suc-injective refl = refl
In order to understand how such a proof works, let us study this proof step by
step and reveal the implicit arguments m and n. We start with
suc-injective : {m n : } → suc m ≡ suc n → m ≡ n
suc-injective {m} {n} p = ?
By pattern matching on p (using the shortcut C-c C-c), the proof is transformed
into
suc-injective : {m n : } → suc m ≡ suc n → m ≡ n
suc-injective {m} {.m} refl = ?
In order to do this, Agda uses the fact that p can only be the constructor refl,
but it also knows that, in this case, the variable m must be equal to n. This
explains the .m for the second optional argument: it means that it is not really
an argument but something which has to be equal to m. We are thus left prov-
ing m ≡ m, and we can conclude by using refl. Most proofs involving equality
are either performed in this way or by using the main properties of equality
shown in next section.

6.6.2 Main properties. Apart from reflexivity, which is ensured by the con-
structor refl, equality can be shown to be a congruence: it is symmetric, tran-
sitive and compatible with every operation.
sym : {A : Set} {x y : A} → x ≡ y → y ≡ x
sym refl = refl

trans : {A : Set} {x y z : A} → x ≡ y → y ≡ z → x ≡ z
trans refl refl = refl

cong : {A B : Set} (f : A → B) {x y : A} → x ≡ y → f x ≡ f y
cong f refl = refl
Two other important operations on equality are substitutivity which allows to
transport the elements of a type along an equality
subst : {A : Set} (P : A → Set) → {x y : A} → x ≡ y → P x → P y
subst P refl p = p
and coercion which allow to convert an element of type to another equal type
coe : {A B : Set} → A ≡ B → A → B
coe p x = subst (λ A → A) p x
The properties of equality will be discussed again in section 9.1.

6.6.3 Half of even numbers. As an application of the above properties, let

us formalize the fact that every even number has a half, following the proof
strategy presented in section 2.3. In traditional logical notation, we have to
show
∀n ∈ N. isEven(n) ⇒ ∃m ∈ N.m + m = n
CHAPTER 6. AGDA 297

The predicate isEven, which indicates whether a natural number is even or not,
was already defined in section 6.5.9 and we can thus formalize our property as
follows

even-half : {n : } → isEven n → Σ (λ m → m + m ≡ n)
even-half even-z = zero , refl
even-half (even-s e) with even-half e
even-half (even-s e) | m , p =
suc m , cong suc (trans (+-suc m m) (cong suc p))

In the second case, we have by induction a number m such that m + m = n,

and we want to construct a half for n + 2: this half will be m + 1, and we can
show that it is a half using the following reasoning

(m + 1) + (m + 1) = (m + (m + 1)) + 1 by definition of addition,

= ((m + m) + 1) + 1 by the lemma below,
= (n + 1) + 1 since m + m = n.

This can be implemented using the transitivity of equality (trans) as well as

the fact that it is a congruence (we use cong suc to deduce m + 1 = n + 1
from m = n). We also use, as an auxiliary lemma, the fact that

m + (n + 1) = (m + n) + 1

which can be shown by induction on m as follows:

+-suc : (m n : ) → m + suc n ≡ suc (m + n)
+-suc zero n = refl
+-suc (suc m) n = cong suc (+-suc m n)

6.6.4 Reasoning. The above handling of equality can be hard to track or

read. A more natural way of presenting proofs can be achieved by using the
≡-Reasoning module, which displays equality in way closer to the usual one in
mathematics. These helper functions can be accessed with

open ≡-Reasoning
Then, one can write a proof of t ₀ ≡ t ₙ in the form
begin t ₀ ≡ P₁ t₁ ≡ P₂ ... ≡ Pₙ tₙ ∎

where P ᵢ is a proof of t ᵢ₋₁ ≡ t ᵢ . For instance, a proof of the commutativity

of addition over natural numbers using this technique is
+-comm : (m n : ) → m + n ≡ n + m
+-comm m zero = +-zero m
+-comm m (suc n) =
begin
(m + suc n) ≡ +-suc m n
suc (m + n) ≡ cong suc (+-comm m n)
suc (n + m) ∎
CHAPTER 6. AGDA 298

The second case directly mimics the usual mathematical proof

m + (n + 1) = (m + n) + 1 by +-suc,
= (n + m) + 1 by induction hypothesis.

For comparison, a direct proof of this fact, using the properties of equality of
section 6.6.2, would have been
+-comm : (m n : ) → m + n ≡ n + m
+-comm m zero = +-zero m
+-comm m (suc n) = trans (+-suc m n) (cong suc (+-comm m n))

As usual in Agda, these notations not builtin but defined in the standard library
by
begin_ : {A : Set} {x y : A} → x ≡ y → x ≡ y
begin_ x≡y = x≡y

_≡ _ _ : {A : Set} (x {y z} : A) → x ≡ y → y ≡ z → x ≡ z
_ ≡ x≡y y≡z = trans x≡y y≡z

_∎ : {A : Set} (x : A) → x ≡ x
_∎ _ = refl

6.6.5 Definitional equality. In Agda, two terms which are convertible (i.e. re-
duce to a common term) are considered to be “equal”. The equality we are
referring to here is not ≡, but the equality which is internal to Agda, sometimes
referred to as definitional equality: one cannot distinguish between two defini-
tionally equal terms. For instance, over natural numbers, the term zero + n is
definitionally equal to n, because this is the way we defined addition. Of course,
definitional equality implies equality by refl:

+-zero' : (n : ) → zero + n ≡ n
+-zero' n = refl
On the other side, the terms n + zero and n are not definitionally equal (there
is nothing in the definition of addition which immediately allows to conclude
that). The equality between these two terms can of course be proved, but
requires some more work:
+-zero : (n : ) → n + zero ≡ n
+-zero zero = refl
+-zero (suc n) = cong suc (+-zero n)
Because of this, subtle variations in the definitions, even though they axioma-
tize isomorphic structures, can have a large impact on the length of the proofs,
and one should take care of choosing the “best definition” for a concept, which
requires some practice. Typically, for properties involving multiple natural num-
bers, the choice of the one on which we perform the induction can drastically
change the size of the proof.
CHAPTER 6. AGDA 299

6.6.6 More properties with equality. Having introduced the notion of equal-
ity, we show here some more example of properties involving it, for natural
numbers and lists.

Natural numbers. We can show that zero is not the successor of any natural
number (which is one of the axioms of Presburger and Peano arithmetic, see
section 5.2.4), by a direct use of pattern matching:
zero-suc : {n : } → zero ≡ suc n →
zero-suc ()
Namely, when matching on the argument of type zero ≡ suc n, Agda knows
that there can be no proof of such a type because zero and suc n do not begin
with the same constructor. We can thus use the empty pattern () to indicate
that the pattern matching contains no case to handle. This behavior is detailed
in section 8.4.5.
We can show that addition is associative by a simple induction:
+-assoc : (m n o : ) → (m + n) + o ≡ m + (n + o)
+-assoc zero n o = refl
+-assoc (suc m) n o = cong suc (+-assoc m n o)
Showing that multiplication is associative follows the same pattern, but requires
some algebraic reasoning
*-assoc : (m n o : ) → (m * n) * o ≡ m * (n * o)
*-assoc zero n o = refl
*-assoc (suc m) n o = begin
(m * n + n) * o ≡ *-+-dist-r (m * n) n o
m * n * o + n * o ≡ cong (λ m → m + n * o) (*-assoc m n o)
m * (n * o) + n * o ∎

where we use the fact that multiplication distributes over the addition:
*-+-dist-r : (m n o : ) → (m + n) * o ≡ m * o + n * o
*-+-dist-r zero n o = refl
*-+-dist-r (suc m) n o = begin
(m + n) * o + o ≡ cong (λ n → n + o) (*-+-dist-r m n o)
(m * o + n * o) + o ≡ +-assoc (m * o) (n * o) o
m * o + (n * o + o) ≡ cong (λ n → m * o + n) (+-comm (n * o) o)
m * o + (o + n * o) ≡ sym (+-assoc (m * o) o (n * o))
m * o + o + n * o ∎

Lists. Concatenation of lists satisfies similar properties than addition of natural

numbers (after all, the type of natural numbers is isomorphic to the type List
of lists whose elements are all tt). Namely, we can show that the empty list
is a neutral element for concatenation, on the left

++-empty' : {A : Set} → (l : List A) → [] ++ l ≡ l

++-empty' l = refl
and on the right
CHAPTER 6. AGDA 300

++-empty : {A : Set} → (l : List A) → l ++ [] ≡ l

++-empty [] = refl
++-empty (x ∷ l) = cong (λ l → x ∷ l) (++-empty l)

and that concatenation is associative

++-assoc : {A : Set} → (l l' l'' : List A) →
((l ++ l') ++ l'') ≡ (l ++ (l' ++ l''))
++-assoc [] l' l'' = refl
++-assoc (x ∷ l) l' l'' = cong (λ l → x ∷ l) (++-assoc l l' l'')

However, contrarily to addition, concatenation is not commutative. Namely, if

it was then the concatenation of the lists [1] and [2] in both orders would be the
same, which would mean that the lists [1, 2] and [2, 1] would be the same, which
we know they are not. This reasoning can be formalized in Agda as follows:

++-not-comm :
¬ ({A : Set} → (l l' : List A) → (l ++ l') ≡ (l' ++ l))
++-not-comm f with f (1 ∷ []) (2 ∷ [])
++-not-comm f | ()
We can also show that the concatenation of two lists produces a list whose
length is the sum of the lengths of the original lists:
++-length : {A : Set} → (l l' : List A) →
length (l ++ l') ≡ length l + length l'
++-length [] l' = refl
++-length (x ∷ l) l' = cong suc (++-length l l')

Finally, let us present an all-time classic. We can define a function rev which
reverse the order of the elements of a list: we show that applying this function
twice to a list gets us back to the original list. We begin by introducing a
function snoc (this is cons backwards) which adds an element at the end of a
list:

snoc : {A : Set} → List A → A → List A

snoc [] x = x ∷ []
snoc (y ∷ l) x = y ∷ (snoc l x)
We can then define the reversion function by adding all the elements of a list at
the end of the empty list:

rev : {A : Set} → List A → List A

rev [] = []
rev (x ∷ l) = snoc (rev l) x
We can then show that applying this function twice does not change the list
given in argument:

rev-rev : {A : Set} → (l : List A) → rev (rev l) ≡ l

rev-rev [] = refl
rev-rev (x ∷ l) =
trans (rev-snoc (rev l) x) (cong (λ l → x ∷ l) (rev-rev l))
CHAPTER 6. AGDA 301

This proof requires to first show the following auxiliary lemma, stating that
reversing a list l with x as last element will produce a list with x as first element,
followed by the reversal of the rest of the list:
rev-snoc : {A : Set} → (l : List A) → (x : A) →
rev (snoc l x) ≡ x ∷ (rev l)
rev-snoc [] x = refl
rev-snoc (y ∷ l) x = cong (λ l → snoc l y) (rev-snoc l x)

6.6.7 The J rule. If we define equality as

data _≡_ {A : Set} : A → A → Set where
refl : {x : A} → x ≡ x
the associated induction principle is called the J rule:
J : {A : Set} {x y : A} (p : x ≡ y)
(P : (x y : A) → x ≡ y → Set)
(r : (x : A) → P x x refl)
→ P x y p
J {A} {x} {.x} refl P r = r x
It reads as follows: in order to prove a property P depending on a proof p of
equality between two elements x and y, it is enough to prove it when this proof
is refl.
In practice, we have seen in section 6.6 that the definition usually taken in
Agda is slightly different (it uses an parameter instead of an index for the first
argument of type A), so that the resulting induction principle is a variant on the
above one:
J : {A : Set} (x : A) (P : (y : A) → x ≡ y → Set)
(r : P x refl) (y : A) (p : x ≡ y) → P y p
J x P r .x refl = r

6.6.8 Decidable equality. Recall from section 6.5.6 that a type A is decidable
when either A or ¬A is provable, and we write Dec A for the type of proofs of
decidability of A: such a proof is either yes p, where p is a proof of A, or no
q, where q is a proof of ¬A. A relation on a type A is decidable when the type
R x y is decidable for every elements x and y of type A. The standard library
defines, in the module Relation.Binary, the following predicate:
Decidable : {A : Set} (R : A → A → Set) → Set
Decidable {A} R = (x y : A) → Dec (R x y)
A term of type Decidable R is a proof that the relation R is decidable.
A type A has decidable equality when the equality relation _≡_ on A is
decidable. This means that we have a function (i.e. an algorithm) which is able
to determine, given two elements of A, whether they are equal or not. To be
precise, we not only have the information of whether they are equal or not,
which would be a boolean, but actually a proof of their equality or a proof of
their inequality (see section 8.4.5 for a use of this).
Equality on any finite type is always decidable. For instance, in the case of
booleans:
CHAPTER 6. AGDA 302

_ ≟ _ : Decidable {A = Bool} _≡_

false ≟ false = yes refl
false ≟ true = no (λ ())
true ≟ false = no (λ ())
true ≟ true = yes refl
The type of natural numbers also has decidable equality:
_ ≟ _ : Decidable {A = } _≡_
zero ≟ zero = yes refl
zero ≟ suc n = no (λ ())
suc m ≟ zero = no (λ ())
suc m ≟ suc n with m ≟ n
suc m ≟ suc .m | yes refl = yes refl
suc m ≟ suc n | no ¬p = no (λ p → ¬p (suc-injective p))

However, we do not expect that the equality is decidable on the type → .

One reason is that our reasoning techniques are very limited on functions, in
particular we cannot perform pattern matching on functions, and thus cannot
perform a proof in the same spirit as above. The other reason is that, intuitively,
two functions f and g on natural numbers are equal when they f (n) ≡ g(n) for
every natural number n (this is not always true though, see section 9.1.5), and
we do not expect that there is an algorithm which will be inspect to compare
all the images of f and g on every natural number n in finite time...

6.6.9 Heterogeneous equality. We would finally like to present a variant of

equality due to McBride [McB00], called heterogeneous equality, which allows to
compare (seemingly) distinct types. In order to understand its use, let us try to
show that the concatenation of vectors is associative. Given three vectors l, l’
and l”, with elements of type A, of respective lengths m, n and o, we thus want
to show
(l ++ l’) ++ l” ≡ l ++ (l’ ++ l”)
...excepting that this expression does not make sense! Namely, the equality ≡
can only be used to compare terms of the same type and, here, this is not the
case: the left and right member respectively have type

Vec A ((m + n) + o) Vec A (m + (n + o))

which are not the same. Of course, the two types are propositionally equal: we
can namely prove
Vec A ((m + n) + o) ≡ Vec A (m + (n + o))

by
cong (Vec A) (+-assoc m n o)
But the two types are not definitionally equal, which is what is required in order
to compare terms with ≡.
CHAPTER 6. AGDA 303

Proof with standard equality. In order, to perform our comparison, we can use
coe and the above propositional equality in order to cast one of the members
to have the same type as the other one. Namely, the term
coe (cong (Vec A) (+-assoc m n o))
has type
Vec A ((m + n) + o) → Vec A (m + (n + o))
and we can use it to “cast” (l ++ l’) ++ l” in order to change its type to the
same one as l ++ (l’ ++ l”), after which we can compare the two with ≡. We
can finally prove associativity of concatenation of vectors as follows:
++-assoc : {A : Set} {m n o : } →
(l : Vec A m) → (l' : Vec A n) → (l'' : Vec A o) →
coe (cong (Vec A) (+-assoc m n o))
((l ++ l') ++ l'') ≡ l ++ (l' ++ l'')
++-assoc [] l' l'' = refl
++-assoc {_} {suc m} {n} {o} (x ∷ l) l' l'' =
∷-cong x (+-assoc m n o) (++-assoc l l' l'')
The above proof uses the following auxiliary lemma which states that if l and
l’ are propositional equal vectors, up to propositional equality of their types as
above, then x ∷ l and x ∷ l’ are also propositionally equal:
∷-cong : {A : Set} → {m n : } {l : Vec A m} {l' : Vec A n} →
(x : A) → (p : m ≡ n) → coe (cong (Vec A) p) l ≡ l' →
coe (cong (Vec A) (cong suc p)) (x ∷ l) ≡ x ∷ l'
∷-cong x refl refl = refl
As you can observe, the statement of those properties is considerably obscured
by the use of coe, which is used to coerce the type of terms so that they can be
compared to other terms, as explained above.

Proof with heterogeneous equality. In order to overcome this problem, we can use
the heterogeneous equality relation, also sometimes called John Major equality,
which is defined by
data _ _ : {A B : Set} (x : A) (y : B) → Set where
refl : {A : Set} {x : A} → x x
in the module Relation.Binary.HeterogeneousEquality. It is a variant of
propositional equality, which allows comparing two elements x and y of dis-
tinct types A and B. It is however a reasonable notion of equality because the
constructor refl only allows to construct an heterogeneous equality when A
and B are the same. This ability of comparing elements of distinct types allows
formulating and proving in a much easier way the associativity of vectors:
++-assoc : {A : Set} {m n o : }
(l : Vec A m) (l' : Vec A n) (l'' : Vec A o) →
((l ++ l') ++ l'') (l ++ (l' ++ l''))
++-assoc [] l' l'' = refl
++-assoc {_} {suc m} {n} {o} (x ∷ l) l' l'' =
∷-cong x (+-assoc m n o) (++-assoc l l' l'')
CHAPTER 6. AGDA 304

with the preliminary lemma

∷-cong : {A : Set} {m n : } {l : Vec A m} {l' : Vec A n} →
(x : A) → m ≡ n → l l' → x ∷ l x ∷ l'
∷-cong x refl refl = refl
The reader should be warned that heterogeneous equality is not entirely sat-
isfactory. Firstly, if x and y are two elements of the same type A, we cannot
formally show that x y implies x ≡ y (unless we assume axiom K, see sec-
tion 9.1.6). Secondly, being able to compare elements of any two types A and B
seems quite worrying, the only thing we really need here is to compare elements
of such types when A ≡ B: a more satisfactory definition is given in section 9.5.2.

6.7 Proving programs in practice

We shall now briefly explain and illustrate how we can prove a program is
correct. Of course, there is no universally accepted notion of what we mean by
the correctness of a program: it only means that it agrees with a specification,
which can usually be expressed as a logical formula, and whose definition is
left to the person certifying the program. We can however classify correctness
properties in three rough families.
– Absence of errors: the program always uses functions with arguments
in the domain where functions are supposed to operate correctly. For
instance, we want to avoid dividing by zero or dereferencing null pointers.
– Invariants: we show that some properties are always satisfied during the
execution of the program, e.g. the variable x will always contain a strictly
positive number.
– Functional properties: the program computes the expected output on any
given input, e.g. given a natural number n, the function square n will
produce a natural number m such that m = n2 .
We have ordered them from the less to the most precise: the first kind only
ensures that basic programming errors are avoided, the second one that our
program satisfies some good properties, and the last one that it fully behaves
as expected. Of course, these are not disjoint: absence of errors is a particular
kind of invariant, and proving functional properties usually requires showing
invariants first.

6.7.1 Extrinsic vs intrinsic proofs. There are two common approaches in

order to prove properties of programs. The extrinsic approach is the way one
traditionally proceeds [CLRS09]: we first write our program and then we prove
properties about it. The intrinsic approach is often more adapted to proving
programs in dependent type theory: it consists in changing the type of our pro-
gram, so that this type incorporates the properties we want to prove (remember
that we can see any reasonable formula as a type!). For instance, suppose that
we want to show that our sorting algorithm sorts lists of natural numbers.
– In the extrinsic approach we implement our algorithm as a function sort
whose type is
CHAPTER 6. AGDA 305

List → List

as usual and then show that this function actually sorts a list, i.e. prove
the proposition

(l : List ) → sorted (sort l)

where sorted l is a predicate stating that a list l is sorted.

– In the intrinsic approach, we directly implement our algorithm as a func-

tion sort of type

List → Sorted

where Sorted is the type of sorted lists of natural numbers.

This example is detailed in section 6.7.2 for the insertion sort algorithm. The
intrinsic approach usually results in shorter code, and is not significantly harder
than the extrinsic one, although it usually requires more thought in order to
formulate the property we want to prove in a way which will give rise to an
elegant proof.

Length and concatenation. As a simple example, suppose that we want to show

that the the length of the concatenation of two lists is the sum of their lengths. In
the extrinsic approach, we would define concatenation as usual, see section 6.4.5:

_++_ : {A : Set} → List A → List A → List A

[] ++ l' = l'
(x ∷ l) ++ l' = x ∷ (l ++ l')
and then shows that it is additive with respect to lengths, see section 6.6.6:

++-length : {A : Set} → (l l' : List A) →

length (l ++ l') ≡ length l + length l'
++-length [] l' = refl
++-length (x ∷ l) l' = cong suc (++-length l l')
In the intrinsic approach, we would consider the type of lists of a given length,
i.e. the type of vectors, and give the following type to the concatenation, see
section 6.4.7:
_++_ : {m n : } {A : Set} → Vec A m → Vec A n → Vec A (m + n)
[] ++ l = l
(x ∷ l) ++ l' = x ∷ (l ++ l')

which both defines the concatenation and shows the property we were looking
for at once.
CHAPTER 6. AGDA 306

6.7.2 Insertion sort. As a more involved example, we consider the insertion

sort algorithm to sort a list. We recall that a list l = [x1 , x2 , . . . , xn ] is sorted
when x1 6 x2 6 . . . 6 xn . For simplicity, we consider here lists of natural
numbers, which are compared according to the usual total order. Given a list l,
and an element x, we can insert the element x into l, in order to get obtain a
sorted list, by comparing x with the elements of l from left to right and inserting
it before the first element which is greater than it. Formally, we can define a
function insert(x, l) by recurrence on l by

insert(x, []) = [x]

(
x :: y :: l if x 6 y,
insert(x, y :: l) =
y :: insert(x, l) otherwise.

The insertion sort algorithm then proceeds, in order to sort a given list, by
iteratively inserting all its elements in a list which is initially the empty list. We
write sort(l) for the list obtained in this way:

sort([]) = []
sort(x :: l) = insert(x, sort(l))

If you prefer OCaml code:

let rec insert x = function
| [] -> [x]
| y::l ->
if x <= y then x::y::l
else y::(insert x l)

let rec sort = function

| [] -> []
| x::l -> insert x (sort l)
In order to prove the functional correctness of our algorithm, we have to show
that, given any list as input, the output is a sorted list. It can be shown that
– the empty list is sorted,
– given a sorted list l and any element x, the list insert(x, l) is sorted,
from which we deduce by recurrence on l that the list sort(l) is sorted for any
list l, see [CLRS09, section 2.1].

Extrinsic approach. The correctness of insertion sort using the extrinsic ap-
proach is shown in figure 6.2. We can define the function insert, to insert an
element in a list, and sort, to sort a list, by a direct translation of the above
definitions (for simplicity, we only handle the case of lists of natural numbers).
Note that the sorting function has the usual type
sort : List → List
In the definition of the insertion function, we use the predicate
_≤?_ : (m n : ) → Dec (m ≤ n)
CHAPTER 6. AGDA 307

open import Data.Product

open import Data.Unit hiding (_≤_ ; _≤?_)
open import Relation.Nullary
open import Data.Nat
open import Data.Nat.Properties
open import Data.List

insert : (x : ) → (l : List ) → List

insert x [] = x ∷ []
insert x (y ∷ l) with x ≤? y
insert x (y ∷ l) | yes _ = x ∷ y ∷ l
insert x (y ∷ l) | no _ = y ∷ insert x l

sort : List → List

sort [] = []
sort (x ∷ l) = insert x (sort l)

_≤*_ : (x : ) → (l : List ) → Set

x ≤* [] =
x ≤* (y ∷ l) = x ≤ y × x ≤* l

≤*-trans : {x y : } → (x ≤ y) → (l : List ) → y ≤* l → x ≤* l
≤*-trans x≤y [] tt = tt
≤*-trans x≤y (z ∷ l) (y≤z , y≤*l) = ≤-trans x≤y y≤z , ≤*-trans x≤y l y≤*l

≤*-insert : {x y : } → (x ≤ y) → (l : List ) →
x ≤* l → x ≤* (insert y l)
≤*-insert x≤y [] tt = x≤y , tt
≤*-insert {x} {y} x≤y (z ∷ l) x≤*zl with y ≤? z
≤*-insert x≤y (z ∷ l) x≤*zl | yes _ = x≤y , x≤*zl
≤*-insert x≤y (z ∷ l) (x≤z , x≤*l) | no _ = x≤z , ≤*-insert x≤y l x≤*l

sorted : (l : List ) → Set

sorted [] =
sorted (x ∷ l) = x ≤* l × sorted l

insert-sorting : (x : ) → (l : List ) → sorted l → sorted (insert x l)

insert-sorting x [] s = tt , tt
insert-sorting x (y ∷ l) (y≤*l , sl) with x ≤? y
insert-sorting x (y ∷ l) (y≤*l , sl) | yes x≤y =
(x≤y , (≤*-trans x≤y l y≤*l)) , (y≤*l , sl)
insert-sorting x (y ∷ l) (y≤*l , sl) | no x≰y =
(≤*-insert (≰ ≥ x≰y) l y≤*l) , insert-sorting x l sl

sorting : (l : List ) → sorted (sort l)

sorting [] = tt
sorting (x ∷ l) = insert-sorting x (sort l) (sorting l)

Figure 6.2: Correctness of insertion sort (extrinsic version).

CHAPTER 6. AGDA 308

which shows that the order on natural numbers is decidable, which is proved
similarly as for equality, see section 6.6.8.
Since lists are defined by induction, and all the reasoning about those will
be performed by induction, it is better to define the predicate of being sorted
for a list by induction. In order to do so, we first define a relation 6∗ between
natural numbers and lists such that x 6∗ l whenever x 6 y for every element y
of l, i.e. the elements of l are bounded below by x. This is defined by induction
on l by
– x 6∗ l always holds when l is the empty list,
– x 6∗ (y :: l) whenever x 6 y and x 6∗ l.
We can then define the predicate of being sorted for a list by induction on the
list by
– the empty list is always sorted,
– a list x :: l is sorted whenever x 6∗ l and l is sorted.
Finally, using two easy lemmas involving the relation 6∗ , we can show that
given any number x and list l which is sorted, the list insert(x, l) is also sorted
(this is insert-sorting), from which we can deduced that, for any list l, the
list sort(l) is sorted (this is sorting).

Intrinsic approach. We show the intrinsic approach to show correctness of in-

sertion sort in figure 6.3. Here, we give to the sorting function the type
sort : (l : List ) → Sorted
which directly specifies that it returns a sorted list, based on the insertion
function, which is now given the type
insert : (x : ) → Sorted → Sorted
Here, Sorted is the type of sorted lists of natural numbers, which can be defined
inductively as follows: a sorted list is
– either empty, or
– of the form x :: l where x 6∗ l and l is a sorted list.
Once again, you can remark that the intrinsic approach is shorter and more
satisfactory and the extrinsic one.

6.7.3 The importance of the specification. Once we have performed such

a proof, does this guarantee that our function is correct? Well... yes and no!
On the bright side, our rigorous proof does indeed guarantee that the sorting
function will always return a sorted list, whichever list we provide to it as input.
This is actually true for eternity.
However, one might be surprised to find out the following function also has
the same type:
bad : (l : List ) → Sorted
bad l = empty
CHAPTER 6. AGDA 309

open import Data.Product

open import Data.Unit hiding (_≤_ ; _≤?_)
open import Relation.Nullary
open import Data.Nat
open import Data.Nat.Properties
open import Data.List

_≤*_ : (x : ) → (l : List ) → Set

x ≤* [] =
x ≤* (y ∷ l) = x ≤ y × x ≤* l

≤*-trans : {x y : } → (x ≤ y) → (l : List ) →
y ≤* l → x ≤* l
≤*-trans x≤y [] tt = tt
≤*-trans x≤y (z ∷ l) (y≤z , y≤*l) =
≤-trans x≤y y≤z , ≤*-trans x≤y l y≤*l

data Sorted : Set where

empty : Sorted
cons : (x : ) (l : List ) → x ≤* l → Sorted

insert : (x : ) → Sorted → Sorted

insert x empty = cons x [] tt
insert x (cons y l y≤*l) with x ≤? y
insert x (cons y l y≤*l) | yes x≤y =
cons x (y ∷ l) (x≤y , ≤*-trans x≤y l y≤*l)
insert x (cons y l y≤*l) | no x≰y =
cons y (x ∷ l) (≰ ≥ x≰y , y≤*l)

sort : (l : List ) → Sorted

sort [] = empty
sort (x ∷ l) = insert x (sort l)

Figure 6.3: Correctness of insertion sort (intrinsic version).

CHAPTER 6. AGDA 310

This function always returns the empty list, whichever list is provided as input.
This will not usually be considered as a valid sorting functions, although it fills
the bill. The empty list is, after all, a sorted list. The culprit is not the proof
assistant nor the proof here, but the specification itself: what we expect from a
sorting function is not only to return a sorted list, but also that the returned
list has the same elements as the one given as argument.
Exercise 6.7.3.1. Show that the insertion sort function satisfies the strengthened
specification.

6.8 Termination
6.8.1 Termination and consistency. In order to maintain consistency, Agda
ensures that all the defined functions are terminating, by which we mean that
they will always give a result after a finite amount of time. To understand
why this is required, we can force it to accept a non-terminating function and
this what happens (spoiler: inconsistency). This can be achieved by using the
pragma {-# TERMINATING #-} before the definition of a function, which means
“trust me, this function is terminating”. For instance, the function f defined on
natural numbers by f (n) = f (n + 1) is clearly not terminating. It can be given
the type → , from which it is easy to make the system inconsistent:
{-# TERMINATING #-}
f : →
f n = f (suc n)

absurd :
absurd = f zero

0≡1 : 0 ≡ 1
0≡1 = -elim absurd
Yes, we have managed to prove 0 = 1. If we do not use the pragma, Agda
correctly detects that the function f is problematic and prevents us from defining
it:

Termination checking failed for the following functions:

f
Problematic calls:
f (suc n)

6.8.2 Structural recursion. In order to ensure that the programs are termi-
nating, Agda uses a “rough” criterion, which is simple to check and safe, in
the sense that it ensures every accepted program is terminating. This criterion
is that recursive programs must be structurally recursive, meaning that all the
recursive calls must be done on strict subterms of the argument (we say that
the argument is structurally decreasing).
For instance, the following function computes the n-th term of the Fibonacci
sequence, defined by f0 = 0, f1 = 1 and fn+2 = fn+1 + fn :
CHAPTER 6. AGDA 311

fib : →
fib zero = zero
fib (suc zero) = suc zero
fib (suc (suc n)) = fib n + fib (suc n)
In the third case, the argument is suc (suc n), whose strict subterms are suc n
and n, see section 5.1.2. Since the recursive calls are performed with those as
argument, the program is accepted. If we had instead used recursive calls of
one of the following forms then the program would be rejected

– fib (suc (suc n)): the argument suc (suc n) is a subterm of itself, but
not a strict one,
– fib (zero + n): the term zero + n is not a strict subterm of suc (suc
n), i.e. the first does not occur in the second; as you can see the no-
tion of subterm has to be taken purely syntactically here, no reduction is
performed (the fact that zero + n reduces to n is not taken in account).

Multiple arguments. In the case where the function has two arguments (and
this generalizes to multiple arguments), either the first argument must be struc-
turally decreasing (in which case there is no restriction on the second one) or it
should stay the same and the second argument must be structurally decreasing.
Pairs of arguments are thus compared using the lexicographic order, see ap-
pendix A.3.3. For instance, the following Ackermann function is also accepted:

ack : (x y : ) ->
ack zero n = suc n
ack (suc m) zero = ack m (suc zero)
ack (suc m) (suc n) = ack m (ack (suc m) n)
In the second case, the first argument m is a subterm of the first argument suc m
of the function. In the third case, one recursive call is performed with m as
first argument, which is a subterm of the first argument suc m and the second
recursive call is performed with suc n as first argument, which stays unchanged,
and n as second argument, which is a subterm of the second argument suc n.

Rejecting valid programs. The restriction to structurally recursive functions has

the advantage to be simple, but the downside is that some programs which are
not problematic are rejected by Agda, because they do not satisfy this criterion
even though they are terminating. For instance, consider the following function
which computes the quotient of two natural numbers:
div : → →
div m n with m <? suc n
div m n | yes _ = zero
div m n | no _ = suc (div (m ∸ suc n) n)

To be precise, div m n computes the quotient of m and n + 1, in order to avoid

problematic divisions by zero. Even though it is terminating, this function is
rejected. Namely, in the second case, m ∸ suc n is not a strict subterm of m:
Agda is not smart enough to notice that the recursive calls are performed with
CHAPTER 6. AGDA 312

strictly decreasing values for m and must therefore be terminating. However,

this does not mean that we cannot define division in Agda: there are other
ways to formulate division, which are only slightly more complicated than the
usual way shown above and get accepted, see section 6.8.7.

6.8.3 A bit of computability. The criterion used by Agda to determine if a

program is terminating is overly restrictive and it has to be so: it was shown by
Turing that the halting problem, which consists in deciding whether a program
terminates or not is undecidable, i.e. there is no program which given a program
as input determines whether it eventually terminates or not [Tur37]. However,
we have indicated that for a given function, even if the straightforward termi-
nating implementation is abusively rejected by Agda, there is usually a way
to reformulate it in order to obtain an implementation which is accepted. We
show here that there are however some computable functions which cannot be
implemented: the language Agda is not Turing complete.

Computable functions. Given two sets A and B, a (partial) function f from A

to B, associates to some elements x of A an image f (x) in B. We write dom(f )
for the set of elements of A which have an image under f , called the domain
of f , and say that the function f is total when dom(f ) = A. We say that a
function
f :N→N
is implemented by an OCaml function
f : int -> int
when
– for every natural number n ∈ dom(f ), the computation of f n terminates
and its result is f (n),
– for every natural number n 6∈ dom(f ), the computation of f n does not
return a result.
Of course, we can define similarly the notion of an implementation of the func-
tion f in any other programming language which canonically contains the nat-
ural numbers, such as Agda, and we could extend the notion of computable
function to other data types than natural numbers. A function which can be
implemented by some function in OCaml is said to be computable (of course,
we could have chosen any other reasonable programming language in order to
define computable functions, see section 3.3.6 for another possible definition).
For instance, the function f : N → N such that dom(f ) is the set of odd
natural numbers and f (n) = n + 1 for every n ∈ dom(f ) can be implemented
in OCaml by
let rec f n = if n mod 2 = 0 then f n else n + 1
or by
let rec f n = while n mod 2 = 0 do () done; n + (n mod 2)
and is thus computable. As illustrated above, there are generally multiple ways
to implement a given function.
CHAPTER 6. AGDA 313

Programming with total functions. The programming language Agda has one
particularity compared to usual programming languages: since every function
is terminating, all the functions which can be implemented are total. From this
follows the following property.
Theorem 6.8.3.1. In a programming language such as Agda in which all the func-
tions which can be implemented are total, there is a total computable function
which cannot be implemented.
Proof. The idea is that the if all total computable functions were implementable
in Agda then some partial function would also be implementable. Here is a de-
tailed sketch of the proof. The functions f : N → N which can be implemented
in Agda are described by a string, and are therefore countable: we can enu-
merate those and write fi for the i-th implementable function. The function
g : N × N → N such that g(i, n) = fi (n) is also implementable: given an argu-
ment (i, n) the function g enumerates all strings in order and, for each string,
tests whether it is a valid Agda definition of a function of type N → N, until it
finds the i-th such function fi , at which points it returns the evaluation of fi
on the argument n (this would require programming an evaluator of Agda func-
tions in OCaml, which can be done). Suppose that g can be implemented in
Agda (otherwise, we can conclude immediately). Then the function d : N → N
defined by d(n) = g(n, n) + 1 is clearly also implementable. Therefore, there is
an index i such that d = fi and we have

d(i) = g(i, i) + 1 = fi (i) + 1 = d(i) + 1

Contradiction.

Functions which cannot be implemented are rare. In practice, all the usual func-
tions that one manipulates can be implemented in Agda. A typical function
which cannot be implemented in Agda is an interpreter for the Agda language
itself.

6.8.4 The number of bits. We have mentioned that the restriction to struc-
turally recursive functions is quite strong and rejects perfectly terminating func-
tions. Let us study an example and see the available workarounds. We consider
the function bits which associates to every natural number n, the number of
bits necessary to write it in base 2. For instance,

bits(0) = 0 bits(1) = 1 bits(2) = 2 bits(3) = 2 bits(4) = 3 ...

This function is essentially a rounded base 2 logarithm: it can be expressed as

bits(n) = 1 + blog2 (n)c

where, by convention, log2 (0) = −1. This function satisfies the following recur-
rence relation

bits(0) = 0 bits(n + 1) = 1 + bits(bn/2c)

which allows it to be computed recursively. In OCaml, it can thus be imple-

mented as
CHAPTER 6. AGDA 314

let rec bits n =

if n = 0 then 0 else 1 + bits (n / 2)

This function is terminating because the recursive call is done on a smaller

natural number, thanks to the division by 2. In order to perform an analogous
definition in Agda, we can define division by 2 with
div2 : →
div2 zero = zero
div2 (suc zero) = zero
div2 (suc (suc n)) = suc (div2 n)
and then translate the above OCaml definition as
bits : →
bits zero = zero
bits (suc n) = suc (bits (div2 (suc n)))
This function is not accepted by Agda (without enforcing termination), because
the recursive call of bits is performed on div2 (suc n), which is not a strict
subterm of the argument suc n.

6.8.5 The fuel technique. In order to define our function, a general technique
consists in adding new arguments to it, so that the recursive calls are performed
with one of these arguments being structurally decreasing. Typically, we can
add as argument a natural number which will decrease at each call (when the
function is called with suc n, the recursive call is performed with n), provided
that we know in advance a bound on the number of recursive calls (i.e. we also
have to add a proof that this argument will be non-zero so that we can decrease
it). This is called the fuel technique because this natural number can be thought
of as some fuel which we are consuming in order to perform the recursive calls.
For instance, in order to define the bits function, we can add a natural
number fuel as argument to the function, which is to be structurally decreasing:
bits-fuel : (n : ) → (fuel : ) →
bits-fuel zero f = zero
bits-fuel (suc n) zero = ?
bits-fuel (suc n) (suc f) = suc (bits-fuel (div2 (suc n)) f)

In the case the original argument n is

– zero: we can return zero,
– suc n:

– if the fuel is of the form suc f, we can make a recursive call on

div2 (suc n) with f as fuel: the fuel argument is structurally de-
creasing (we have consumed one unit of fuel),
– if the fuel is zero however, we do not know what to do (this is the ?
above): we cannot perform a recursive call with structurally smaller
fuel because we do not have fuel anymore (there is no strict subterm
of zero).
CHAPTER 6. AGDA 315

In order to overcome the problem encountered in the last case, we have to ensure
that we never “run out of fuel”, i.e. that the fuel is strictly positive when we need
to perform a recursive call. This can be achieved by adding a second additional
argument which ensures an invariant on the fuel which will enforce this. For
instance, we can add the requirement that the fuel is always greater than the
original argument n. When performing a recursive call, we will have to show
that this invariant is preserved: under the hypothesis n + 1 6 f + 1, we have to
show (n + 1)/2 6 f , which can be done as follows:

(n + 1)/2 6 (f + 1)/2 6 f

We thus define
bits-fuel : (n : ) → (fuel : ) → (n ≤ fuel) →
bits-fuel zero f p = zero
bits-fuel (suc n) zero ()
bits-fuel (suc n) (suc f) p = suc (bits-fuel (div2 (suc n)) f n+1/2≤f)
where
n+1/2≤f : div2 (suc n) ≤ f
n+1/2≤f = begin
div2 (suc n) ≤ ≤-div2 p
div2 (suc f) ≤ ≤-div2-suc f
f ∎

This follows the same pattern as the previous definition, excepting that we know
that the problematic case where the original argument is suc n and the fuel is
zero will not happen: by the third argument, we would have suc n ≤ zero,
which is impossible. The code is longer than above because, when performing
the recursive call on div2 n with f as fuel, we have to provide a third argument,
which shows that the invariant is preserved, i.e. div2 n ≤ f holds. This is shown
in the lemma named n+1/2≤f, using two auxiliary lemmas
≤-suc : (n : ) → n ≤ suc n

and
≤-div2-suc : (n : ) → div2 (suc n) ≤ n
whose proof is left to the reader. We can finally define the bits function by
providing, as fuel, a high enough number. For instance n is suitable:

bits : →
bits n = bits-fuel n n ≤-refl

6.8.6 Well-founded induction. We now present a generalization of this tech-

nique called well-founded induction. The fundamental reason why the fuel tech-
nique is working is that we are decreasing some natural number and there is
no infinite strictly decreasing sequence of integers so that we know that the re-
cursive calls will stop at some point. The technique presented here axiomatizes
this situation and is also detailed in appendix A.3.
CHAPTER 6. AGDA 316

Well-founded induction and recursion. In mathematics, a relation R on a set A

is a subset of A × A. Given elements x and y of A such that (x, y) ∈ R, we
write x R y, and think of x as being “smaller” than y. The relation R is well-
founded when there is no infinite sequence (xi )i∈N of elements of A which is
decreasing, i.e. such that xi+1 R xi for every index i:
. . . R x3 R x2 R x1 R x0
Example 6.8.6.1. On the set N of natural numbers the following two relations
are well-founded:
– the relation ≺ such that n ≺ n + 1 for every n ∈ N,
– the usual strict order relation <.
Example 6.8.6.2. If you are looking for counter-examples, the relation < on R
or on Q is not well-founded, nor is the relation 6 on N.
Given x ∈ A, we write
↓x = {y ∈ A | y R x}
for the set of predecessors of x. The following well-founded induction principle
holds for such relations, which generalizes the usual recurrence principle on
natural numbers:
Theorem 6.8.6.3 (Well-founded induction). Suppose given a set A, a well-founded
relation R on A and a predicate P on the elements of A such that, for every
x ∈ A, if P holds on every element of ↓x then P holds on x. Then P holds for
every element of A.
Example 6.8.6.4. On N, the well-founded induction principle associated to ≺
is the usual recurrence principle: given a predicate P such that P (0) holds,
and P (n) implies P (n + 1) for every n ∈ N, we have that P (n) holds for ev-
ery n ∈ N.
Example 6.8.6.5. On N, the well-founded induction principle associated to < is
the strong recurrence principle: given a predicate P such that, for every n ∈ N,
if P (i) holds for every i < n then P (n) holds, we have that P (n) holds for
every n ∈ N. In formulas, this induction principle can be formulated as
(∀n ∈ N.(∀m ∈ N.m < n ⇒ P (m)) ⇒ P (n)) ⇒ ∀n ∈ N.P (n)
for any predicate P on natural numbers.
Given a function f : A → B and A0 ⊆ A, we write f |A0 : A0 → B for the
function f restricted to A0 . The following well-founded recursion principle can
be shown, which generalizes the definition of a function by recurrence:
Theorem 6.8.6.6 (Well-founded recursion). Suppose given sets A and B, a well-
founded relation R on A and function r which to every x ∈ A and function
↓x → B associates an element of B. Then there is a unique function f : A → B
such that, for every x ∈ A,
f (x) = r(x, f |↓x )
In the above theorem, we are defining a function f by recurrence: the function r
describes how to produce the value of f (x) from x and all the values of f (y)
for y smaller than x, i.e. such that y R x. Note that the type of the r is the
dependent type (Σ(x : A).(↓x → B)) → B.
CHAPTER 6. AGDA 317

Example 6.8.6.7. Consider the well-founded relation ≺ on N. We have

↓0 = ∅ ↓(n + 1) = {n}

for n ∈ N. The associated well-founded recursion principle thus states that,

given a number r0 ∈ N and a function r : N × N → N, there is a unique function
f : N → N such that

f (0) = r0 f (n + 1) = r(n, f (n))

for every n ∈ N. If we use the following generic notation for the image of n
under the function associated to r0 and r,

f (n) = rec(n, r0 , r)

we have

rec(0, r0 , r) = r0 rec(n + 1, r0 , r) = r(n, rec(n, r0 , r))

which are precisely the rules for the usual recursor associated to natural numbers
in λ-calculus, see section 4.3.6.

The well-founded subterm order. We now explain that the kind of recursion
which can be found in Agda is a particular case of the on given in theorem 6.8.6.6.
Suppose given a first order signature Σ and consider the set TΣ of terms it
generates, see section 5.1.2. Given a term t, we write |t| for its size, defined as
the number of operators it contains:
X
|f (t1 , . . . , tn )| = 1 + |ti | |x| = 0
i

Given two terms s and t, we write s < t when s is a strict subterm of t. Note
that s < t implies |s| < |t|.
Lemma 6.8.6.8. The relation < on terms is well-founded.
Proof. Suppose that there is an infinite sequence of terms ti such that

t0 > t1 > t2 > . . .

the we have an infinite strictly decreasing sequence of natural numbers

|t0 | > |t1 | > |t2 | > . . .

which is impossible because > is well-founded on N, see example 6.8.6.1.

The recursion principle associated to this well-founded order is essentially the
one used in Agda in order to define function: a function can be defined by
recurrence from the current value of the argument, as well as the image of strict
subterms.
CHAPTER 6. AGDA 318

Accessible elements. Suppose given a set A and a relation R on it, not supposed
to be well-founded. We can define a subset of A, written AccR (A), which is
the largest subset of A on which well-founded induction and recursion works, as
follows.
A subset B ⊆ A is R-closed when, for every x ∈ A, ↓x ⊆ B implies x ∈ B:
if an element has all its predecessors in B then it is also in B. We define the
set AccR (A) as the smallest R-closed subset of A (such a set exists since it can
be obtained as the intersection of all R-closed subsets of A). An element of A
is accessible with respect to R when it belongs to AccR (A).
Theorem 6.8.6.9. A relation R on a set A is well-founded if and only if every
element of A is accessible, i.e. A = AccR (A).
In particular, given a relation R on a set A, the restriction of R to AccR (A) is
always well-founded.
Example 6.8.6.10. In N equipped with the relation ≺ or <, every element is
accessible.
Example 6.8.6.11. On the set Z equipped with the relation <, no element is
accessible.
Example 6.8.6.12. On the set R equipped with the relation ≺ such that x ≺ x+1
for every x in R+ , the set of positive reals, we have Acc≺ (R+ ) = N.

Well-foundedness in Agda. If Agda natively implements well-founded recursion

on the subterm order only, we will see that this is enough for most applications:
we can encode general well-founded recursion (at least for most usual well-
founded orders, some will always stay out of reach by arguments of the type of
section 6.8.3).
Recall from section 6.5.9 that we can define a type Rel A of relations on a
type A, which is A → A → Set. Typically, the strict order on natural numbers is
a relation:
_<_ : Rel
m < n = suc m ≤ n
In order to define the predicate of being well-founded for a relation, the di-
rect definition of well-foundedness is difficult to implement in Agda, inelegant
and difficult to use (mainly because it is defined using a negation). A much
more satisfactory approach consists in taking the characterization given in the-
orem 6.8.6.9 as a definition.
Following the module Induction.WellFounded of the standard library, we
define the predicate of being accessible as
data Acc {A : Set} (_<_ : Rel A) (x : A) : Set where
acc : ((y : A) → y < x → Acc _<_ y) → Acc _<_ x
Given a relation R on a type A and an element x of type A, having a proof of
Acc R x means that x is accessible with respect to R. Namely, the inductive
definition states that the predicate Acc R is defined as the smallest one such
that Acc R x whenever we have Acc R y for every predecessor y of x, which
is precisely the definition of accessibility. Finally, we define a relation to be
well-founded when every element is accessible with respect to it:
WellFounded : {A : Set} → (_<_ : Rel A) → Set
WellFounded {A} _<_ = (x : A) → Acc _<_ x
CHAPTER 6. AGDA 319

Natural numbers are well-founded. As an instance of the above formalization,

let us show that the strict order < on natural numbers is well-founded. It turns
out that the usual definition of the order (see section 6.5.9) is not very well-
suited for the induction we want to perform, and it proves simpler to use the
following alternative definition of the order:
data _≤′_ (m : ) : → Set where
≤′-refl : m ≤′ m
≤′-step : {n : } → m ≤′ n → m ≤′ suc n
the associated strict order being defined by
_<′_ : → → Set
m <′ n = suc m ≤′ n
We can then show that the relation <′ is well-founded as follows:
<′-wellFounded : WellFounded _<′_
<′-wellFounded n = acc (lem n)
where
lem : (n m : ) → m <′ n → Acc _<′_ m
lem (suc n) _ ≤′-refl = <′-wellFounded n
lem (suc n) m (≤′-step m<′n) = lem n m m<′n
Of course, one is usually rather interested in the fact that the usual definition
< of the strict order is well-founded. This can either be deduced from the fact
that the relations < and <′ are equivalent, or it can be shown directly. Namely,
the following lemma can be shown on the usual definition of the partial order
≤-last : {m n : } → m ≤ n → m ≡ n m < n
≤-last {n = zero} z≤n = inj ₁ refl
≤-last {n = suc n} z≤n = inj ₂ (s≤s z≤n)
≤-last (s≤s m≤n) with ≤-last m≤n
≤-last (s≤s m≤n) | inj ₁ m≡n = inj ₁ (cong suc m≡n)
≤-last (s≤s m≤n) | inj ₂ m<n = inj ₂ (s≤s m<n)
from which the above proof can be adapted to show that < is well-founded:
<-wellFounded : WellFounded _<_
<-wellFounded n = acc (lem n)
where
lem : (n m : ) → m < n → Acc _<_ m
lem (suc n) m m<n with ≤-last m<n
lem (suc n) _ _ | inj ₁ refl = <-wellFounded n
lem (suc n) m _ | inj ₂ (s≤s m<n) = lem n m m<n

Well-founded definition of bits. As an application, we shall define our favorite

bits functions by well-founded recursion on the order < on natural numbers.
Given an argument n, in order to perform recursive calls on smaller arguments
(with respect to the < order), we add an argument of type Acc _<_ n to the
naive definition of bits, which is a proof that n is accessible, i.e. that all the
elements strictly smaller than n are also accessible. Namely, an element of this
type is of the form acc a with a of type
(m : ) → m < n → Acc _<_ m
CHAPTER 6. AGDA 320

It is used here as a witness that the function is terminating. For instance, the
function bits becomes
bits-wf : (n : ) → Acc _<_ n →
bits-wf zero _ = zero
bits-wf (suc n) (acc a) =
suc
(bits-wf
(div2 (suc n))
(a (div2 (suc n)) (s≤s (≤-div2-suc n))))
In order to perform the recursive call on div2 (suc n), we have to show that
this number is accessible, which is deduced from the fact that div2 (suc n) <
suc n holds, as explained above. Finally, the usual bits function, without the
extra argument, is defined by providing the proof that every natural number is
accessible as second argument (which is precisely the fact that the relation < is
well-founded on natural numbers):
bits : →
bits n = bits-wf n (<-wellFounded n)

Well-founded recursion without accessibility. In practice, it is quite annoying to

require that the “average Agda user” should understand the definition of the
accessibility predicate, so that the standard library defines the following function
in the module Data.Nat.Induction, which expresses well-founded recursion in a
way which does not require using arguments of type Acc. It is also nicer to read,
since it precisely correspond to the strong induction principle, as formulated in
example 6.8.6.5:
<-rec : (P : → Set) →
((n : ) → ((m : ) → m < n → P m) → P n) →
(n : ) → P n
<-rec P r n = lem n (<-wellFounded n)
where
lem : (n : ) → Acc _<_ n → P n
lem n (acc a) = r n (λ m m<n → lem m (a m m<n))
In the end, this is all you will ever need to define functions by well-founded re-
cursion on natural numbers in practice (and of course the same can be performed
for any well-founded relation).
For instance, the function computing the number of bits of a natural number
n can be implemented by first adding to the naive implementation a new argu-
ment, which is a proof that the function is already defined for strictly smaller
arguments than the current natural number: this argument will have type

(m : ) → m < n →

and provides a function to compute the recursive calls on strictly smaller argu-
ments. We thus obtain the following function:
bits-rec : (n : ) → ((m : ) → m < n → ) →
bits-rec zero r = zero
bits-rec (suc n) r = suc (r (div2 (suc n)) (s≤s (≤-div2-suc n)))
CHAPTER 6. AGDA 321

Finally, we can deduce an implementation of the expected bits function by using

it as an argument of <-rec:
bits : →
bits = <-rec (λ n → ) bits-rec

6.8.7 Division and modulo. As another classical illustration of the above

techniques, we shall implement euclidean division. It associates to each pair
of natural numbers m and n, with n > 0, a pair of natural numbers q and r,
respectively called the quotient and remainder of the division of m by n such
that
m=q×n+r and r<n (6.2)
Numbers satisfying these properties can be shown to be unique, so that this
is a proper specification for euclidean division. Their traditional notations are
respectively

q = m/n r = m mod n

and they can be computed using the following classical algorithm, here imple-
mented in OCaml:
let rec euclid m n =
if m < n then (0, m) else
let (q, r) = euclid (m - n) n in
(q + 1, r)

Well-founded definition: external approach. The direct translation of the above

algorithm is naturally performed by well-founded induction on m, and is justified
by the fact that the recursive called is performed on m - n which is strictly
smaller than m because we assume that n is strictly positive. The type of the
division operation we want to define is

(m n : ) → 0 < n → ×

taking m and n as arguments, as well as a proof of 0 < n, and returning the pair
(q , r) as result. Since we perform the induction on the first argument, we are
going to define, by well-founded recursion on m, a function of type

(n : ) → 0 < n → ×

for every natural number m. In order not to have to type this every time, we
define the notation Euclid m for this type:
Euclid : → Set
Euclid m = (n : ) → 0 < n → ×
We can then implement euclidean division by well-founded recurrence, following
the above definition: when computing the result of the division of m and n, we
first check whether m < n holds or not, and provide an answer appropriately,
which requires performing a recursive call in the case m 6< n (which requires
additional code because we now have to provide a proof that m − n < n holds).
The definition is
CHAPTER 6. AGDA 322

div : (m : ) → Euclid m
div m = <-rec Euclid rec m
where
rec : (m : ) → ((m' : ) → m' < m → Euclid m') → Euclid m
rec m f n 0<n with m <? n
rec m f n 0<n | yes m<n = zero , m
rec m f n 0<n | no m≮n with
f (m ∸ n) (m∸n<m m n (<-trans ˡ 0<n (≮ ≥ m≮n)) 0<n) n 0<n
rec m f n 0<n | no m≮n | q , r = suc q , r

and uses the following auxiliary lemma (in addition to those already present in
the standard library):
m∸n<m : (m n : ) → 0 < m → 0 < n → m ∸ n < m
m∸n<m (suc m) (suc n) _ _ = s≤s (n∸m≤n n m)

Finally, it can be shown that this implementation is correct, in the sense that
it satisfies the specification (6.2). Formally, we can show
div-correct :
(m n : ) (0<n : 0 < n) →
m ≡ proj ₁ (div m n 0<n) * n + (proj ₂ (div m n 0<n)) ×
(proj ₂ (div m n 0<n)) < n
However, the proof is not immediate, due to the use of the well-founded induc-
tion and a more satisfactory approach is detailed in next section.

Well-founded definition: intrinsic approach. We now present the intrinsic ap-

proach which, as explained in section 6.7.1, consists in enriching the type, so that
the implementation is correct by definition (as opposed to being proved correct
after being defined). We first define a type corresponding to the specification of
euclidean division:

Euclid : → Set
Euclid m = (n : ) → 0 < n →
Σ (λ q → Σ (λ r → m ≡ q * n + r × r < n))
so that euclidean division will have type

(m : ) → Euclid m

and thus consist of a function which takes as arguments

– a natural number m,

– a natural number n,
– a proof of 0 < n,
and will return a dependent 4-uple consisting of
– a natural number q (the quotient),

– a natural number r (the remainder),

CHAPTER 6. AGDA 323

– a proof of m ≡ q * n + r,
– a proof of r < n,
which is a type theoretic description of the specification (6.2). The implemen-
tation is very similar to the above one, excepting that we now have to return,
in addition to the quotient and the remainder, the two proofs indicated above
which show that those results are correct. The full code is
div : (m : ) → Euclid m
div m = <-rec Euclid rec m
where
rec : (m : ) → ((m' : ) → m' < m → Euclid m') → Euclid m
rec m f n 0<n with m <? n
rec m f n 0<n | yes m<n = zero , m , refl , m<n
rec m f n 0<n | no m≮n with
f (m ∸ n) (m∸n<m m n (<-trans ˡ 0<n (≮ ≥ m≮n)) 0<n) n 0<n
rec m f n 0<n | no m≮n | q , r , e , r<n = suc q , r , lem , r<n
where
lem : m ≡ n + q * n + r
lem = begin
m ≡ sym (m+[n∸m]≡n (≮ ≥ m≮n))
n + (m ∸ n) ≡ cong (λ x → n + x) e
n + (q * n + r) ≡ sym (+-assoc n (q * n) r)
n + q * n + r ∎
Instead of trying to read it, the reader is urged to try this by himself instead.

Inductive definition. For general culture, we shall also mention that it is also
possible to implement euclidean division by structural definition, avoiding the
use of well-founded induction. This is the approach followed in Agda’s standard
library, in Data.Nat.DivMod. The trick consists in adding two extra arguments q
and r’ to the naive function, which will keep track of the quotient and remainder
(or, more precisely, n minus the remainder). Namely, given m and n, we will
perform our definition by induction on m. Initially q is 0 and r’ is n, each time
m is decreased by one,
– if r’ is strictly positive, we decrease it by one,
– if r’ is 0, we increase q by one and reset r’ to n.
Formally, the code follows:
euclid : (m n q r' : ) → ×
euclid zero n q r' = q , n ∸ r'
euclid (suc m) n q zero = euclid m n (suc q) n
euclid (suc m) n q (suc r') = euclid m n q r'
It can be shown that, for every m and n, the result of
euclid m n zero n
computes the quotient and remainder of m by suc n (we consider here suc n in
order to ensure that the denominator is non-zero).
Exercise 6.8.7.1. Show that this function is correct.
Exercise 6.8.7.2. Give an intrinsic inductive definition of euclidean division.
 Chapter 7

Formalization of important
results

In this chapter, we sketch the formalization in Agda of important concepts

and results presented in this book: type safety (section 7.1), natural deduction
(section 7.2), λ-calculus (section 7.3), combinatory logic (section 7.4), simply-
typed λ-calculus (section 7.5).

7.1 Safety of a simple language

In section 1.4.3, we have studied a simple typed language consisting of expres-
sions manipulating booleans and integers and have shown the two fundamental
properties satisfied by this language: subject reduction and progress. We now
explain how those can be formalized in Agda. We begin by importing the re-
quired libraries, renaming and hiding symbols so that we can redefine those used
by the standard library:
open import Data.Bool hiding (if_then_else_ ; _ ≟ _ ; _<_ ; _<?_)
open import Data.Nat renaming (_+_ to _+ _ ; _<?_ to _<? _)
hiding (_<_)
open import Relation.Nullary

The language. A value in the language is either a natural number or a boolean:

data Value : Set where
VNat : → Value
VBool : Bool → Value
A program is either a value, an addition, a comparison, or a conditional branch-
ing:
data Prog : Set where
V : Value → Prog
_+_ : Prog → Prog → Prog
_<_ : Prog → Prog → Prog
if_then_else_ : Prog → Prog → Prog → Prog
and we assign priorities to these constructors, in order to ease the writing of
programs:
infix 50 _+_
infix 40 _<_
infix 30 if_then_else_
We will need to compare natural numbers with this function which answers a
boolean depending on whether the first is strictly smaller than the second or
not:
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 325

_<?_ : → → Bool
m <? n with m <? n
(m <? n) | yes _ = true
(m <? n) | no _ = false
We then define the reduction relation as an inductive binary predicate _ _, so
that, given programs p and q, a proof of p q corresponds to a derivation of
` p −→ q using the rules of figure 1.1: we add one constructor to this inductive
predicate for each inference rule.
data _ _ : Prog → Prog → Set where
-Add : (m n : ) →
V (VNat m) + V (VNat n) V (VNat (m + n))
-Add-l : {p p' : Prog} → p p' → (q : Prog) →
p + q p' + q
-Add-r : {q q' : Prog} → (p : Prog) → q q' →
p + q p + q'
-Lt : (m n : ) →
V (VNat m) < V (VNat n) V (VBool (m <? n))
-Lt-l : {p p' : Prog} → p p' → (q : Prog) →
p < q p' < q
-Lt-r : {q q' : Prog} → (p : Prog) → q q' →
p < q p < q'
-If : {p p' : Prog} → p p' → (q r : Prog) →
if p then q else r if p' then q else r
-If-t : (p q : Prog) →
if V (VBool true) then p else q p
-If-f : (p q : Prog) →
if V (VBool false) then p else q q

Typing. We now define the typing system of our language, starting with the
definition of a type which is either a natural number or a boolean:
data Type : Set where
TNat TBool : Type
We then define the typing relation as an inductive binary predicate _∷_, so
that a proof of p ∷ A for a program p and type A corresponds precisely to a
proof of ` p : A using the type inference rules given in section 1.4.3:
data _∷_ : Prog → Type → Set where
-Nat : (n : ) →
V (VNat n) ∷ TNat
-Bool : (b : Bool) →
V (VBool b) ∷ TBool
-Add : {p q : Prog} → p ∷ TNat → q ∷ TNat →
p + q ∷ TNat
-Lt : {p q : Prog} → p ∷ TNat → q ∷ TNat →
p < q ∷ TBool
-If : {p q r : Prog} {A : Type} →
p ∷ TBool → q ∷ A → r∷A →
if p then q else r ∷ A
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 326

Type uniqueness. This formalization of typing as an inductive predicate has a

very interesting byproduct, the dependent pattern matching algorithm knows,
given the constructor of a program, the possible types this program can have
(and conversely, given a type, the possible program constructors which will give
rise to this type). Thanks to this, showing type uniqueness (theorem 1.4.3.1) is
almost immediate:
tuniq : {p : Prog} {A A' : Type} → p∷A → p ∷ A' → A ≡ A'

tuniq ( -Nat n) ( -Nat .n) = refl

tuniq ( -Bool b) ( -Bool .b) = refl
tuniq ( -Add t u) ( -Add t' u') = refl
tuniq ( -Lt t u) ( -Lt t' u') = refl
tuniq ( -If t u v) ( -If t' u' v') = tuniq v v'

For instance, in the first case (the program is a natural number), Agda infers
that its type is necessarily TNat and therefore A and A’ must be equal (to TNat).

Subject reduction. The subject reduction theorem (theorem 1.4.3.2) states that
if a program p reduces to p0 and p admits the type A, then p0 also admits the
type A. The proof is most easily done by induction on the derivation of p −→ p0 :
sred : {p p' : Prog} {A : Type} → (p p') → p∷A → p' ∷ A

sred ( -Add m n) ( -Add _ _) = -Nat (m + n)

sred ( -Add-l r q) ( -Add t t') = -Add (sred r t) t'
sred ( -Add-r p r) ( -Add t t') = -Add t (sred r t')
sred ( -Lt m n) ( -Lt t t') = -Bool (m <? n)
sred ( -Lt-l r q) ( -Lt t t') = -Lt (sred r t) t'
sred ( -Lt-r p r) ( -Lt t t') = -Lt t (sred r t')
sred ( -If p q r) ( -If t t ₁ t ₂ ) = -If (sred p t) t ₁ t ₂
sred ( -If-t p q) ( -If t t ₁ t ₂ ) = t₁
sred ( -If-f p q) ( -If t t ₁ t ₂ ) = t₂

Progress. The last important property of our typed language is progress (theo-
rem 1.4.3.3) which states that a typable program is either a value or reduces to
some other program. Given a program p which admits a type A, the proof is
performed on the derivation of ` p : A:
prgs : {p : Prog} {A : Type} → p∷A →
Σ Value (λ v → p ≡ V v) Σ Prog (λ p' → p p')

prgs ( -Nat n) = inj ₁ (VNat n , refl)

prgs ( -Bool b) = inj ₁ (VBool b , refl)
prgs ( -Add t t') with prgs t
prgs ( -Add t t') | inj ₁ (v , e) with prgs t'
prgs ( -Add t t') | inj ₁ (VNat m , refl) | inj ₁ (VNat n , refl) =
inj ₂ (V (VNat (m + n)) , -Add m n)
prgs ( -Add t ()) | inj ₁ (VNat m , refl) | inj ₁ (VBool b , refl)
prgs ( -Add () t') | inj ₁ (VBool b , refl) | inj ₁ (v' , refl)
prgs ( -Add {p} {q} t t') | inj ₁ (v , e) | inj ₂ (q' , r) =
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 327

inj ₂ (p + q' , -Add-r p r)

prgs ( -Add {p} {q} t t') | inj ₂ (p' , r) =
inj ₂ ((p' + q) , -Add-l r q)
prgs ( -Lt t t') with prgs t
prgs ( -Lt t t') | inj ₁ (VNat m , refl) with prgs t'
prgs ( -Lt t t') | inj ₁ (VNat m , refl) | inj ₁ (VNat n , refl) =
inj ₂ ((V (VBool (m <? n))) , -Lt m n)
prgs ( -Lt t ()) | inj ₁ (VNat m , refl) | inj ₁ (VBool b , refl)
prgs ( -Lt {p} {q} t t') | inj ₁ (VNat m , refl) | inj ₂ (q' , r) =
inj ₂ (V (VNat m) < q' , -Lt-r (V (VNat m)) r)
prgs ( -Lt () t') | inj ₁ (VBool b , refl)
prgs ( -Lt {p} {q} t t') | inj ₂ (p' , r) =
inj ₂ (p' < q , -Lt-l r q)
prgs ( -If t t ₁ t ₂ ) with prgs t
prgs ( -If () t ₁ t ₂ ) | inj ₁ (VNat x , refl)
prgs ( -If {_} {q} {r} t t ₁ t ₂ ) | inj ₁ (VBool false , refl) =
inj ₂ (r , -If-f q r)
prgs ( -If {_} {q} {r} t t ₁ t ₂ ) | inj ₁ (VBool true , refl) =
inj ₂ (q , -If-t q r)
prgs ( -If {p} {q} {r} t t ₁ t ₂ ) | inj ₂ (p' , pr) =
inj ₂ (if p' then q else r , -If pr q r)

Exercise 7.1.0.1. Formalize type inference and show that

– it is correct: if a type is inferred for a program then the program actually
admits this type,
– it is complete: if a program is typable then type inference will return a
type.

7.2 Natural deduction

The proofs in natural deduction are presented in section 2.2, we now briefly
present how those can be formalized in Agda. For concision, we only present
here the implicative fragment.

Formulas. A formula is either a variable (whose name is given by a natural

number) or the implication of two formulas (see section 2.2.1):
data Formula : Set where
X : → Formula
_ _ : Formula → Formula → Formula

Contexts. Next, we formalize a context as being either the empty context ε or

a pair Γ , A consisting of a context Γ and a formula A:
data Context : Set where
ε : Context
_,_ : (Γ : Context) → (A : Formula) → Context
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 328

We could also have formalized contexts as lists of formulas, but the above for-
malization allows for a slightly more natural notation. We write Γ ,, Δ for the
concatenation of two contexts Γ and Δ:
_,,_ : Context → Context → Context
Γ ,, ε = Γ
Γ ,, (Δ , A) = (Γ ,, Δ) , A

Provable sequents. We can define the type Γ A of provable sequents as an

inductive predicate, with one constructor corresponding to each inference rule:
data _ _ : Context → Formula → Set where
ax : ∀ {Γ A Γ'} → Γ , A ,, Γ' A
E : ∀ {Γ A B} → Γ A B → Γ A → Γ B
I : ∀ {Γ A B} → Γ , A B → Γ A B
(the axiom rule and the elimination and introduction rules for implication). This
formalization is not very convenient because the argument of the constructor ax
uses concatenation ,, which is a function and not a type constructor, and will
prevent pattern matching from working. Namely, contrarily to a constructor,
this function does not have the property that

Γ ,, Δ = Γ' ,, Δ' implies Γ = Γ’ and Δ = Δ’

In order to overcome this problem, we chose instead to formalize provable se-

quents as
data _ _ : Context → Formula → Set where
ax : ∀ {Γ A} → Γ , A A
wk : ∀ {Γ A B} → Γ B → Γ , A B
E : ∀ {Γ A B} → Γ A B → Γ A → Γ B
I : ∀ {Γ A B} → Γ , A B → Γ A B
which consists in replacing the usual axiom rule
(ax)
Γ, A, Γ0 ` A

by the two rules

Γ`B
(ax) (wk)
Γ, A ` A Γ, A ` B

which give rise to an equivalent logical system.

Admissible rules. This can be used to show that the usual rules are admissible.
For instance, we can prove that the contraction rule

Γ, A, A, Γ0 ` B
(contr)
Γ, A, Γ0 ` B

is admissible (see section 2.2.7) by induction, both on the context Γ0 and on the
proof of the premise, by
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 329

cont : ∀ {Γ A B} → ∀ Γ' → Γ , A , A ,, Γ' B → Γ , A ,, Γ' B

cont ε ax = ax
cont ε (wk p) = p
cont ε ( E p q) = E (cont ε p) (cont ε q)
cont ε ( I p) = I (cont (ε , _) p)
cont (Γ' , A) ax = ax
cont (Γ' , A) (wk p) = wk (cont Γ' p)
cont (Γ' , A) ( E p q) = E (cont (Γ' , A) p) (cont (Γ' , A) q)
cont (Γ' , A) ( I p) = I (cont (Γ' , A , _) p)

Similarly, admissibility of the cut rule

Γ`A Γ, A, Γ0 ` B
Γ, Γ0 ` B

is shown by
cut : ∀ {Γ A B} → ∀ Γ' → Γ A → Γ , A ,, Γ' B → Γ ,, Γ' B
cut ε p ax = p
cut ε p (wk q) = q
cut ε p ( E q r) = E (cut ε p q) (cut ε p r)
cut ε p ( I q) = I (cut (ε , _) p q)
cut (Γ' , A) p ax = ax
cut (Γ' , A) p (wk q) = wk (cut Γ' p q)
cut (Γ' , A) p ( E q r) = E (cut (Γ' , A) p q) (cut (Γ' , A) p r)
cut (Γ' , A) p ( I q) = I (cut (Γ' , A , _) p q)

Exercise 7.2.0.1. Formalize the admissibility of the other rules presented in

section 2.2.7.

7.3 Pure λ-calculus

In this section, we present a formalization of λ-calculus in Agda, using de Bruijn
indices.

7.3.1 Naive approach. We can first think of directly translating the definition
of λ-terms given in section 3.1. We suppose fixed an infinite set of variables (say,
the strings),

Var : Set
Var = String
and define the syntax of λ-terms as
data Tm : Set where
var : Var → Tm
_·_ : Tm → Tm → Tm
ƛ_,_ : Var → Tm → Tm
meaning that a term is either of the form var x (the variable x), or t · u (the
application of t to u) or ƛ x , t (the function which to x associates t). The
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 330

weird choice of symbols in the last case comes from the fact that the dot (.)
and lambda (λ) are reserved in Agda.
We could proceed in this way, but one should remember that λ-terms are
not terms generated by the above syntax, but rather of the quotient under
α-equivalence (section 3.1.3). This means that we will have to define this equiv-
alence and show that all the constructions we are going to make are compatible
with it. This is rather long and painful.
Exercise 7.3.1.1. Try to properly define β-reduction with this formalization.

7.3.2 De Bruijn indices. In order to efficiently handle the α-conversion prob-

lem, we are going to use de Bruijn indices for variables, as presented in sec-
tion 3.6.2. We thus define terms as
data Tm : Set where
var : → Tm
_·_ : Tm → Tm → Tm
ƛ_ : Tm → Tm
A term can thus be in one of the following forms:
– var x: the x-th variable with x a natural number,
– t · u: the application of a term t to a term u,
– ƛ t: the abstraction of the 0-th variable in t.

Lifting. The next thing we want to do is define β-reduction, but before being
able to do this, we first need to introduce helper functions in order to explicitly
manipulate variables, following section 3.6.2.
The first one is lifting which can be thought of as creating a fresh variable
numbered x. After performing this operation, all the variable indices y which
are greater to x have to be increased by one in order to make room for x. The
new index of y after the creation of x is written ↑x y and defined by
(
y if y < x,
↑x y =
y + 1 if y > x.

In Agda, this function can be defined by

↑ : → →
↑ zero y = suc y
↑ (suc x) zero = zero
↑ (suc x) (suc y) = suc (↑ x y)
and we write ↑ x y for ↑x y.
Conversely, the unlifting operation consists in removing an unused variable x.
After the removal, all the variable indices y which are greater than x have to be
decreased by one in order to fill in the “empty space” leaved by x. Their new
index will thus be ↓x y, defined by
(
y if y < x,
↓x y =
y − 1 if y > x.
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 331

The function is not defined when y = x, because we have supposed that the
variable x is not used. In Agda, this can be defined as

↓ : (x y : ) → x ≢ y →
↓ zero zero ¬p = -elim (¬p refl)
↓ zero (suc y) ¬p = y
↓ (suc x) zero ¬p = zero
↓ (suc x) (suc y) ¬p = suc (↓ x y (λ p → ¬p (cong suc p)))
and we write ↓ x y p for ↓x y: in addition to x and y, the Agda function takes
a third argument p which is a proof that x is different from y.
The above lifting operation can be extended to λ-terms. Given a variable x
and a λ-term t, the term ↑x t obtained after creating a fresh variable x will be
written here wk x t, because it is thought of as some form for weakening for the
term t. The weakening function wk is defined here by

wk : → Tm → Tm
wk x (var y) = var (↑ x y)
wk x (t · t') = wk x t · wk x t'
wk x (ƛ t) = ƛ (wk (suc x) t)
This definition uses lifting on variables, recursively applies weakening for ap-
plications and abstractions. There is a subtlety for the last case: since the
abstraction binds the variable 0 in a term t, a variable x in λ.t corresponds to
a the variable x + 1 in t, which explains why we have to increase by one the
weakened variable when going under abstractions.

Substitution. We can then define substitution, as detailed in section 3.6.2:

_[_/_] : Tm → Tm → → Tm
var y [ u / x ] with x ≟ y
(var y [ u / _ ]) | yes _ = u
(var y [ u / x ]) | no ¬p = var (↓ x y ¬p)
(t · t') [ u / x ] = (t [ u / x ]) · (t' [ u / x ])
(ƛ t) [ u / x ] = ƛ (t [ wk 0 u / ↑ 0 x ])
The two subtle corner cases when substituting a variable x by a term u in a
term t are:

– all the variables different from x have to be renumbered using ↓ since

substitution removes all occurrences of x, which is supposed not to be free
in u,
– when going under an abstraction, the term u has to be weakened using wk
and the variable x has to be renamed using ↑ in order to account for the
fact that the variable 0 is bound by the abstraction.

The β-reduction. Once substitution defined, we can define β-reduction by fol-

lowing the usual definition, which is given in section 3.2.1: we implement it as
an inductive predicate with one constructor for each inference rule defining the
reduction.
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 332

data _ _ : Tm → Tm → Set where

β : {t u : Tm} → (ƛ t) · u t [ u / 0 ]
l : {t t' u : Tm} → t t' → t · u t' · u
r : {t u u' : Tm} → u u' → t · u t · u'
λ : {t t' : Tm} → t t' → ƛ t ƛ t'
The iterated β-reduction relation * is the reflexive and transitive closure of the
β-reduction relation . In order to define it, we can use the module
Relation.Binary.Construct.Closure.ReflexiveTransitive
of the standard library which defines the closure of any relation by
data Star {A : Set} (R : Rel A) : Rel A where
ε : {x : A} → Star R x x
_ _ : {x y z : A} → R x y → Star R y z → Star R x z
which is based on the characterization given in lemma A.1.2.1. We can therefore
define the relation * by
_ *_ : Tm → Tm → Set
_ *_ = Star _ _

Church natural numbers. As explained in section 3.3.4, we can encode a natural

number n as the term λf.xf n x. We can define a function nat' which, given
a natural number n and two variables f and x, produces the term f n x by
induction on n by
nat' : (n : ) (f x : ) → Tm
nat' 0 f x = var x
nat' (suc n) f x = var f · nat' n f x
and the Church encoding of natural numbers can then be defined as
nat : → Tm
nat n = ƛ (ƛ (nat' n 1 0))
The term computing the successor of a natural number can then be defined as
succ : Tm
succ = ƛ ƛ ƛ (var 1 · (var 2 · var 1 · var 0))
and the one computing the addition of two natural numbers as
add : Tm
add = ƛ ƛ ƛ ƛ (var 3 · var 1 · (var 2 · var 1 · var 0))
Exercise 7.3.2.1. Show that those two last term are correct, in the sense that
they actually compute the successor and addition of natural numbers, i.e. we
have
succing : (n : ) → succ · nat n * nat (suc n)
and
adding : (m n : ) → add · nat m · nat n * nat (m + n)
In order to do so, you should be prepared to prove quite a few lemmas about
substitution and lifting (see below).
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 333

7.3.3 Keeping track of free variables. As a side note, let us present a re-
finement of the above formalization. Since the implementation of λ-calculus
with de Bruijn indices is quite technical and error-prone, it is sometimes useful
to have the most precise type as possible, in order to detect errors early. One
way to do so is to keep track of the free variables used in a term. Instead of
defining the type Tm of all terms, we can define, for each natural number n,
the type Tm n of terms whose free variables x are natural numbers such that
0 6 x < n. This last constraint is conveniently described by requiring that x is
an element of type Fin n, see section 6.4.8. This refinement of the formalization
avoids unnoticingly getting the wrong names for free variables and allows for
reasoning by induction on the number of free variables of terms. We thus define
terms as
data Tm (n : ) : Set where
var : Fin n → Tm n
_·_ : Tm n → Tm n → Tm n
ƛ_ : Tm (suc n) → Tm n
In the last case, the term t should have at least one free variable, so that its
type is of the form Fin (suc n), and will have one less free variable since one
variable was bound, so that the return type is Fin n.
Most previous functions can be adapted directly to this setting, so that we
only give the refined types for those. The type now makes it clear that lifting
inserts a fresh variable
↑ : {n : } → Fin (suc n) → Fin n → Fin (suc n)
as well as does weakening

↑ : {n : } → Fin (suc n) → Fin n → Fin (suc n)

and that unlifting removes a variables
↓ : {n : } (x y : Fin (suc n)) → x ≢ y → Fin n

as well as does substitution

_[_/_] : {n : } → Tm (suc n) → Tm n → Fin (suc n) → Tm n
Finally, the type of reduction should indicate that it preserves free variables:
_ _ {n : } : Tm n → Tm n → Set

The rest of the developments can be performed in this way. We did not present
those here because they are more cumbersome to perform: in all the proofs,
we have to show that the number of free variables is correctly handled. The
formalization of section 7.5 is also quite close to this one: here, in addition to
keeping track of the number of variables, we will also keep track of their type.

7.3.4 Normalization by evaluation. As another side note, the reader having

read section 3.5.2 might think that it could be a good idea to use normalization
by evaluation in order to implement β-reduction instead of de Bruijn indices.
This suggests defining the following notions of value and neutral term:
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 334

data Value : Set

data Neutral : Set
data Value where
ƛ_ : (Value → Value) → Value
N : Neutral → Value
data Neutral where
var : Var → Neutral
_·_ : Neutral → Value → Neutral
However, this definition is not accepted by Agda, which raises the following
error:
Value is not strictly positive, because it occurs to the left of an
arrow in the type of the constructor ƛ_ in the definition of Value.
This is explained in section 8.4.4, where we show that removing the associated
restriction leads to Agda being inconsistent. We will see in section 7.5.3 that we
can however implement normalization by evaluation for simply typed λ-calculus.

7.3.5 Confluence. Based on previous definitions, we now formalize one of the

main results: the confluence of β-reduction, following the proof given in sec-
tion 3.4 (see [Hue94] for an admirable other way to prove this).

The parallel β-reduction. We first define the parallel β-reduction by

data _ _ : Tm → Tm → Set where
v : (x : ) → var x var x
β : {t t' u u' : Tm} → t t' → u u' → ƛ t · u t' [ u' / 0 ]
a : {t t' u u' : Tm} → t t' → u u' → t · u t' · u'
λ : {t t' : Tm} → t t' → ƛ t ƛ t'
which mirrors the definition of section 3.4.2.

Local confluence of the parallel β-reduction. The local confluence of parallel

β-reduction (also called diamond property) states that given terms t, u and
v such that t parallel β-reduces to both u and v, there exists a term w such that
both u and v parallel β-reduce to w. The proof can be formalized in Agda by
case analysis on the reductions of t to u and t to v, closely following the proof
presented in lemma 3.4.3.5:
-lc : {t u v : Tm} → t u → t v →
Σ Tm (λ w → u w × v w)

-lc ( v x) ( v .x) = var x , v x , v x

-lc ( β r ₁ r ₂ ) ( β s ₁ s ₂ ) with -lc r ₁ s ₁ | -lc r ₂ s ₂
-lc ( β r ₁ r ₂ ) ( β s ₁ s ₂ ) | w ₁ , r ₁ ' , s ₁ ' | w ₂ , r ₂ ' , s ₂ ' =
w ₁ [ w ₂ / 0 ] , -sub 0 r ₁ ' r ₂ ' , -sub 0 s ₁ ' s ₂ '
-lc ( β r ₁ r ₂ ) ( a ( λ s ₁ ) s ₂ ) with -lc r ₁ s ₁ | -lc r ₂ s ₂
-lc ( β r ₁ r ₂ ) ( a ( λ s ₁ ) s ₂ ) | w ₁ , r ₁ ' , s ₁ ' | w ₂ , r ₂ ' , s ₂ ' =
w ₁ [ w ₂ / 0 ] , -sub 0 r ₁ ' r ₂ ' , β s ₁ ' s ₂ '
-lc ( a ( λ r ₁ ) r ₂ ) ( β s ₁ s ₂ ) with -lc r ₁ s ₁ | -lc r ₂ s ₂
... | w ₁ , r ₁ ' , s ₁ ' | w ₂ , r ₂ ' , s ₂ ' =
w ₁ [ w ₂ / 0 ] , β r ₁ ' r ₂ ' , -sub 0 s ₁ ' s ₂ '
-lc ( a r ₁ r ₂ ) ( a s ₁ s ₂ ) with -lc r ₁ s ₁ , -lc r ₂ s ₂
... | (w ₁ , r ₁ ' , s ₁ ') , (w ₂ , r ₂ ' , s ₂ ') =
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 335

w₁ · w₂ , a r₁ ' r₂ ' , a s₁ ' s₂ '

-lc ( λ r) ( λ s) with -lc r s
-lc ( λ r) ( λ s) | w , r' , s' = ƛ w , ( λ r') , ( λ s')
Apart from recursive calls and the definition of parallel β-reduction, this proof
uses the lemma -sub which states that parallel β-reduction is compatible with
substitution: if t reduces to t0 and u to u0 then t[u/x] reduces to t0 [u0 /x]. The
proof follows the one of lemma 3.4.3.4:
-sub : {t t' u u' : Tm} (x : ) → t t' → u u' →
t [ u / x ] t' [ u' / x ]

-sub x ( v y) ru with x ≟ y
-sub x ( v y) ru | yes p = ru
-sub x ( v y) ru | no ¬p = v (↓ x y ¬p)
-sub x ( a rt ₁ rt ₂ ) ru = a ( -sub x rt ₁ ru) ( -sub x rt ₂ ru)
-sub x ( λ rt) ru = λ ( -sub (suc x) rt ( -wk 0 ru))
-sub x ( β {t} {t'} {u} {u'} rt ₁ rt ₂ ) ru =
subst ₂ _ _ refl
(sym (sub-sub t' u' _ 0 x z≤n))
( β ( -sub (suc x) rt ₁ ( -wk 0 ru)) ( -sub x rt ₂ ru))
This function itself uses two auxiliary lemmas. The first one states that reduc-
tion is compatible with weakening:
-wk : {t t' : Tm} (x : ) → t t' → wk x t wk x t'

and the second one is a form of commutation for double substitution:

sub-sub : ∀ t u v x y → x ≤ y →
t [ u / x ] [ v / y ] ≡ t [ wk x v / suc y ] [ u [ v / y ] / x ]
The latest requires considering a large number of cases depending on the relative
values of x and y, and showing quite a few lemmas which were left behind the
curtain in section 3.4.3:
– commutation of liftings: when x 6 y,

↑x ↑y z = ↑y+1 ↑x z

– commutation of unliftings: when x > y,

↓x ↓y z = ↓y ↓x+1 z

– commutation of liftings and unliftings:

(
↓y ↑x+1 z when x > y,
↑x ↓y z =
↓y+1 ↑x z when x 6 y,

– commutation of weaknings: when x 6 y,

↑x ↑y t = ↑y+1 ↑x t
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 336

– commutation of weakening and substitution:

(
(↑y+1 t)[↑y u/x] when x 6 y,
↑y (t[u/x]) =
(↑y t)[↑y u/x + 1] when x > y,
and
(↑x t)[u/x] = t
Details are left to the reader (and beware, they are of a quite combinatorial
nature).

Confluence of the parallel β-reduction. In order to deduce that the parallel

β-reduction is confluent, we first need to define the relation * as the reflex-
ive and transitive closure of the parallel β-reduction relation :
_ *_ : Tm → Tm → Set
_ *_ = Star _ _
We can formally show lemma 3.4.3.6, stating that parallel β-reduction satisfies
a property between local confluence and confluence, by
-slconfl : {t u v : Tm} →
t u → t * v → Σ Tm (λ w → u * w × v w)

-slconfl {t} {u} {v} r ε = u , ε , r

-slconfl r (s ss) with -lc r s
... | w' , s' , r' with -slconfl r' ss
... | w , ss' , r'' = w , s' ss' , r''
and deduce the confluence of the parallel β-reduction as in theorem 3.4.3.7 by
-confl : {t u v : Tm} →
t * u → t * v → Σ Tm (λ w → u * w × v * w)

-confl {t} {u} {v} ε ss = v , ss , ε

-confl {t} {u} {v} (r rr) ss with -slconfl r ss
... | w' , ss' , r' with -confl rr ss'
... | w , ss'' , rr' = w , ss'' , r' rr'

Confluence of the β-reduction. We can finally deduce the confluence of β-re-

duction, following the proof presented in sections 3.4 and 3.4.3. We first define
the relation * as the reflexive and transitive closure of the β-reduction relation
:
_ *_ : Tm → Tm → Set
_ *_ = Star _ _
We can show that if a term t β-reduces to a term u then t parallel β-reduces
to u (lemma 3.4.3.1):
→ : {t u : Tm} → t u → t u
→ β = β -refl -refl
→ ( l r) = a ( → r) -refl
→ ( r r) = a -refl ( → r)
→ ( λ r) = λ ( → r)
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 337

where the reflexivity of parallel β-reduction (lemma 3.4.2.1) is shown with

-refl : {t : Tm} → t t
-refl {var x} = v x
-refl {t · t'} = a -refl -refl
-refl {ƛ t} = λ -refl
From there, we can easily show that iterated β-reduction implies iterated parallel
β-reduction:

*→ * : {t u : Tm} → t * u → t * u
*→ * ε = ε
*→ * (r rr) = → r *→ * rr
Conversely, we can show that iterated parallel β-reduction implies iterated
β-reduction (see lemma 3.4.3.3, formal proof is left to the reader):

*→ * : {t u : Tm} → t * u → t * u
We can finally use this to deduce the confluence β-reduction (theorem 3.4.4.1)
from the one of parallel β-reduction shown above:
-confl : {t u v : Tm} →
t * u → t * v → Σ Tm (λ w → u * w × v * w)
-confl rr ss with -confl ( *→ * rr) ( *→ * ss)
... | w , ss' , rr' = w , *→ * ss' , *→ * rr'

7.4 Combinatory logic

Combinatory logic, which was presented in section 3.6.3, can be implemented
in a similar way as pure λ-calculus. We begin by describing, the type CL of
combinatory logic terms:
data CL : Set where
var : → CL
_·_ : CL → CL → CL
S K I : CL
A term is thus either a variable, an application of a term to another, or one
of the combinators S, K or I. Reduction of terms can then be formalized as a
binary inductive predicate with constructors expressing the reduction rules for
the combinators, as well as the fact that it is compatible with composition:
data _ _ : CL → CL → Set where
-S : {T U V : CL} → S · T · U · V (T · V) · (U · V)
-K : {T U : CL} → K · T · U T
-I : {T : CL} → I · T T
-l : {T T' U : CL} → T T' → T · U T' · U
-r : {T U U' : CL} → U U' → T · U T · U'
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 338

Abstraction. Following the definition given in section 3.6.3, we can define an

analogous of abstraction for combinatory logic terms, which takes as argument
a variable and a term in which the variable should be abstracted:
abs : → CL → CL
abs x (var y) with x ≟ y
abs x (var _) | yes p = I
abs x (var y) | no ¬p = K · var (↓ x y ¬p)
abs x (T · T') = S · abs x T · abs x T'
abs x S = K · S
abs x K = K · K
abs x I = K · I
Our aim is now to show that this is a reasonable notion of abstraction. In order
to do so, we first define the substitution in a term T of a variable x by a term U :
_[_=:_] : CL → CL → → CL
var y [ U =: x ] with x ≟ y
(var y [ U =: _ ]) | yes p = U
(var y [ U =: x ]) | no ¬p = var (↓ x y ¬p)
(T · T') [ U =: x ] = (T [ U =: x ]) · (T' [ U =: x ])
S [ U =: x ] = S
K [ U =: x ] = K
I [ U =: x ] = I
We also need to consider the reflexive and transitive closure * of the reduction
relation by
_ *_ : CL → CL → Set
_ *_ = Star _ _
Finally, we can formalize lemma 3.6.3.5 which states that abstraction behave as
expected: (Λx.T ) U reduces to T [U/x].
cl-β : (x : ) (T U : CL) → (abs x T) · U * T [ U =: x ]
cl-β x (var y) U with x ≟ y
cl-β x (var _) U | yes p = -I ε
cl-β x (var y) U | no ¬p = -K ε
cl-β x (T · U) V = -S *-· (cl-β x T V) (cl-β x U V)
cl-β x S U = -K ε
cl-β x K U = -K ε
cl-β x I U = -K ε
This proof uses the auxiliary lemma
*-· : {T T' U U' : CL} → T * T' → U * U' → T · U * T' · U'
which states that reduction is compatible with concatenation and whose proof
is left to the reader.
Exercise 7.4.0.1. Formalize the translations between λ-terms and combinatory
logic terms of section 3.6.3, i.e. define functions
icl : Tm → CL
icl (var x) = var x
icl (t · t') = icl t · icl t'
icl (ƛ t) = abs zero (icl t)
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 339

and
ilam : CL → Tm
ilam (var x) = var x
ilam (T · T') = ilam T · ilam T'
ilam S = ƛ ƛ ƛ (var 2 · var 0 · (var 1 · var 0))
ilam K = ƛ ƛ var (suc 0)
ilam I = ƛ (var 0)
and show the various lemmas expressing preservation of reduction such as lemma 3.6.3.7:

ilam-red : {T U : CL} → T U → ilam T * ilam U

7.5 Simply typed λ-calculus

7.5.1 Definition. We now present a formalization of simply typed λ-calculus,
introduced in chapter 4. The reader is strongly advised to try this by himself
before reading the section: what is easy to read is not necessarily easy to write!
This is inspired of the excellent course [WK19].

Types. We suppose fixed an infinite countable set of type variables, say the
natural numbers:
TVar : Set
TVar =
and the types are inductively to be defined as type variables of arrows between
types:

data Type : Set where

X : TVar → Type
_ _ : Type → Type → Type

Contexts. A context is simply a list of types. However, in order to adopt the

usual notations, instead of defining the type Ctxt of context as List Type, we
use the following definition:
data Ctxt : Set where
∅ : Ctxt
_,_ : Ctxt → Type → Ctxt
a context is thus either the empty context ∅ or of the form Γ , A for some
context Γ and type A.

Terms. The type Γ A of terms of type A in the context Γ is defined by induction

by
data _ _ : Ctxt → Type → Set where
var : ∀ {Γ A} → Γ A → Γ A
_·_ : ∀ {Γ A B} → Γ (A B) → Γ A → Γ B
ƛ_ : ∀ {Γ A B} → Γ , A B → Γ A B
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 340

where the constructors of the inductive type correspond to the typing rules of
simply typed λ-calculus given in section 4.1.4. In this formalization, we are
right in the middle of the Curry-Howard correspondence: a proof that Γ ` A is
derivable is precisely a λ-term t of type A in the context Γ. In the constructor
corresponding to variables, we use Γ A, which is the type of proofs that a type
A belongs to Γ: such a proof essentially consists of a natural number n such that
the n-th element of Γ is A. Formally, it can be defined as follows:
data _ _ : Ctxt → Type → Set where
zero : ∀ {Γ A} → (Γ , A) A
suc : ∀ {Γ B A} → Γ A → (Γ , B) A
Note that this corresponds to identifying variables by their de Bruijn index in
the context.

Weakening. In order to define substitution and β-reduction, we have to make

use of the weakening rule

Γ`t:A
(wk)
Γ, x : B ` t : A

and thus need to show that this rule is admissible. A naive approach would
consist in trying to show the following corresponding lemma:
wk : ∀ {Γ A B} → Γ A → Γ , B A
However, we cannot manage to prove it because the induction hypothesis is not
strong enough in the case of abstraction: we have to show

Γ, x : B, y : A ` t : A0
(wk)
Γ, x : B ` λy A .t : A → A0

and we cannot use the induction hypothesis on the premise because the weak-
ened variable x is not in the last position in the context. In order to overcome
this problem, we could prove the following generalization of the weakening rule:

Γ, ∆ ` t : A
(wk)
Γ, x : B, ∆ ` t : A

It will turn out equally easy and more natural to prove the following even more
general version:
Γ`t:A
(wk)
∆`t:A
whenever Γ is obtained by from ∆ by removing multiple typed variables, what
we write Γ ⊆ ∆ (this corresponds to performing at once multiple weakening
rules in the previous version). We thus define the “inclusion” relation between
contexts as
data _⊆_ : Ctxt → Ctxt → Set where
∅⊆∅ : ∅ ⊆ ∅
keep : ∀ {Γ Δ A} → Γ ⊆ Δ → Γ , A ⊆ Δ , A
drop : ∀ {Γ Δ A} → Γ ⊆ Δ → Γ ⊆ Δ , A
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 341

and prove weakening as follows

wk : ∀ {Γ Δ A} → Γ ⊆ Δ → Γ A → Δ A
wk i (var x) = var (wk-var i x)
wk i (t · t') = wk i t · wk i t'
wk i (ƛ t) = ƛ wk (keep i) t
where, in the case of variables, we use the following lemma showing that if a
type belongs to a context, it still belongs to it if we add types to this context:

wk-var : ∀ {Γ Δ A} → Γ ⊆ Δ → Γ A → Δ A
wk-var (keep i) zero = zero
wk-var (keep i) (suc x) = suc (wk-var i x)
wk-var (drop i) x = suc (wk-var i x)
Finally, we can show that the first weakening rule considered above can be
deduced as the particular cases where the inclusion is of the form Γ ⊆ Γ, A:
wk-last : ∀ {Γ A B} → Γ A → Γ , B A
wk-last t = wk (drop ⊆-refl) t
where ⊆-refl is a proof that inclusion is reflexive:

⊆-refl : ∀ {Γ} → Γ ⊆ Γ
⊆-refl {∅} = ∅⊆∅
⊆-refl {Γ , A} = keep ⊆-refl

Substitution. We can define substitution as follows. Given a term t in a con-

text Γ, a variable x in the context Γ and a term u of the right type, we want to
construct a term t[u/x] obtained by replacing all occurrences of x by u in t. It
turns out to be simpler to define a generalization of this operation, and replace
all the variables of Γ at once in t: given a function σ (a substitution) which to
a variable of Γ associates a term of appropriate type, we define the term t[σ]
obtained from t by replacing every free variable x by σ(x) as follows.
_[_] : ∀ {Γ Δ A} → Γ A → (∀ {B} → Γ B → Δ B) → Δ A
var x [ σ ] = σ x
(t · t') [ σ ] = (t [ σ ]) · (t' [ σ ])
(ƛ t) [ σ ] = ƛ (t [ (λ { zero → var zero ;
(suc x) → wk-last (σ x) }) ])
In order to define β-reduction, we will only be interested in substituting the last
variable of the context, which can of course be recovered as a particular case:
_[_/0] : ∀ {Γ A B} → Γ , B A → Γ B → Γ A
t [ u /0] = t [ (λ { zero → u ; (suc x) → var x }) ]

β-reduction. The β-reduction can then be defined as follows, similarly to the

case of untyped λ-calculus:

data _ _ {Γ : Ctxt} : {A : Type} → Γ A → Γ A → Set where

β : ∀ {A B} (t : Γ , A B) (u : Γ A) →
(ƛ t) · u t [ u /0]
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 342

l : ∀ {A B} {t t' : Γ A B} → t t' → (u : Γ A) →
t · u t' · u
r : ∀ {A B} (t : Γ A B) → {u u' : Γ A} → u u' →
t · u t · u'
λ : ∀ {A B} {t t' : Γ , A B} → t t' →
ƛ t ƛ t'
where we use substitution in the first case, as indicated above.

7.5.2 Strong normalization. In order to show the effectiveness of the im-

plementation performed in previous section, we shall prove a major theorem
of λ-calculus: the strong normalization theorem (theorem 4.2.2.5) which states
that every typable term is strongly normalizing. We follow here the proof given
in section 4.2.2 using reducibility candidates. Similar proofs in Coq can be found
in [PdAC+ 10].

Strong normalizability. We first have to define what it means for the reduction
relation to be halting, or strongly normalizing. A term t is halting when there
is no infinite reduction starting from it. It is however generally a bad idea to
define concepts by negation, because we lose constructivity, and we will not
directly adopt this definition. Instead, we will define by induction a that a
term t is halting whenever all the terms it can reduce to are themselves halting:

data halts {Γ : Ctxt} {A : Type} : Γ A → Set where

sn : {t : Γ A} → ({t' : Γ A} → t t' → halts t') → halts t
Note that we could have equivalently defined t to be halting when it is acces-
sible (see section 6.8.6) with respect to the opposite of the reduction relation:

halts : ∀ {Γ A} → Γ A → Set
halts t = Acc _ _ t
where the opposite of the reduction relation is
_ _ : ∀ {Γ A} → Γ A → Γ A → Set
u t = t u

Recurrence of the reduction. We can define the iterated reduction relation as

usual by

_ *_ : ∀ {Γ A} → Γ A → Γ A → Set
_ *_ = Star _ _
Given a halting term t, the reduction relation is terminating on terms u such
that t * u. We can thus reason by well-founded induction on it, i.e. we have
the following induction principle:

-rec : ∀ {Γ A} {t : Γ A} → halts t → (P : Γ A → Set) →

({u : Γ A} → t * u → ({v : Γ A} → u v → P v) → P u) →
{u : Γ A} → t * u → P u
whose (easy) proof is left to the reader.
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 343

Reducibility candidates. We formalize here the “typed” variant of reducibility

candidates discussed in remark 4.2.2.6. We define sets RΓ`A , indexed by con-
texts Γ and types A, consisting of terms of type A in the context Γ, by induction
on the type A by
R : {Γ : Ctxt} {A : Type} (t : Γ A) → Set
R {Γ} {X _} t = halts t
R {Γ} {A B} t = {u : Γ A} → R u → R (t · u)
The core of the proof then consists in showing the three properties of proposi-
tion 4.2.2.1 satisfied by reducibility candidates:
CR1 : ∀ {Γ A} {t : Γ A} →
R t → halts t
CR2 : ∀ {Γ A} {t t' : Γ A} →
R t → t t' → R t'
CR3 : ∀ {Γ A} {t : Γ A} →
neutral t → ({t' : Γ A} → t t' → R t') → R t
where neutral terms are characterized by the following predicate:
data neutral : ∀ {Γ A} → Γ A → Set where
nvar : ∀ {Γ A} (x : Γ A) → neutral (var x)
napp : ∀ {Γ A B} (t : Γ A B) (u : Γ A) → neutral (t · u)
As in the proof of the above proposition, we show all three properties together
and reason by induction on the type A. The formal proof is shown below:
CR1 {Γ} {X _} r = r
CR1 {Γ} {A B} {t} r =
halts-vapp t x? (CR1 (r (CR3 (nvar x?) (λ ()))))
CR2 {Γ} {X _} (sn f) b = f b
CR2 {Γ} {A B} r b {u} Ru = CR2 (r Ru) ( l b u)
CR3 {Γ} {X _} n f = sn f
CR3 {Γ} {A B} {t} n f {u} Ru = lem u ε
where
CR2* : {t t' : Γ A} → t * t' → R t → R t'
CR2* ε Rt = Rt
CR2* {t} {t'} (b bb) Rt = CR2* bb (CR2 Rt b)
lem : ∀ v → u * v → R (t · v)
lem v u *v = -rec (CR1 Ru) (λ v → R (t · v))
(λ {w} u *w ind →
CR3 (napp t w)
λ { ( l t t' u) → f t t' (CR2* u *w Ru) ;
( r t w w') → ind w w' }
) u *v
We do not detail it, because it follows closely the proof of proposition 4.2.2.1,
excepting for two points in the second case of CR1.
We recall that this part of the proof consists in showing that for every
term t ∈ RΓ`A→B , we have that t is halting and goes on as follows. Con-
sider a variable x such that Γ ` x : A is derivable: this variable is neutral and
thus in RA by (CR3), therefore t x belongs to RΓ`B is thus halting, from there
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 344

we deduce that t must also be halting. The last step is taken care of by the
lemma halts-vapp, which states that if the term t x is terminating then t is also
terminating:
halts-vapp : ∀ {Γ A B} (t : Γ A B) → (x : Γ A) →
halts (t · var x) → halts t
The (easy) proof is left to the reader. We have to confess that we have been
cheating in the above proof: there is no reason that we should have a variable x
such that Γ ` x : A, unless A belongs to Γ, which nothing guarantees here (this
was not a problem in the proof of proposition 4.2.2.1, because we were working
in an untyped setting). In our Agda proof, we have simply been postulating the
existence of such a variable:
postulate x? : ∀ {Γ A} → Γ A
Of course, this is wrong, but can be mitigated in two ways. First, if we had
a more full fledged programming language with data types (natural numbers,
booleans, strings, etc.), we could prove that every program of a type which
does not contain type variables is terminating in the same way, by using values
instead of variables, and this would cover most cases of interest. For instance,
supposing that we have a type N of natural numbers, we can show that t ∈ RN→N
because, by induction hypothesis, we have that t 5 is terminating and reason as
above. Another way to solve the problem is to change slightly the proof of
the second case of CR1. Suppose that t ∈ RΓ`A , by weakening we have that
Γ, x : A ` t : A, and now we have the variable x such that Γ, x : A ` x : A: by
induction hypothesis we have that t x is halting, therefore the weakening of t is
terminating, and therefore t is terminating. In practice, this makes the proof
much more delicate, because we have to explicitly deal with matters related to
weakening: in Agda, the weakening of t is not the same as t. Moreover, the
definition of reducibility candidates has to be slightly generalized in order to
take weakening in account and have the right induction hypothesis [Sak14]:
R : {Γ : Ctxt} {A : Type} (t : Γ A) → Set ∋
R {Γ} {X _} t = halts t
R {Γ} {A B} t = {Γ' : Ctxt} {u : Γ' A} → ∋
(i : Γ ⊆ Γ') → R u → R (wk i t · u)

Strong normalization. Finally, we can deduce that simply typed λ-terms are
strongly normalizing by following section 4.2.2. We do not detail the proofs
here. Lemma 4.2.2.2 can be formalized as
R-abs : ∀ {Γ A B} (t : Γ , A B) →
((u : Γ A) → R (t [ u /0])) → R (ƛ t)
lemma 4.2.2.3 as
R-sub : ∀ {Γ A} (t : Γ A)
(σ : ∀ {B} → Γ B → Γ B) →
(∀ {B} → (x : Γ B) → R (σ x)) → R (t [ σ ])
the adequacy proposition 4.2.2.4 as
R-all : ∀ {Γ A} (t : Γ A) → R t
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 345

and finally the strong normalization theorem 4.2.2.5 as

SN : ∀ {Γ A} (t : Γ A) → halts t
SN t = CR1 (R-all t)
Exercise 7.5.2.1. Extend the language of section 7.1 adding abstractions and
show preservation of types, progress and strong normalization.

Weak normalization. In a typical study of a programming language, one is not

usually interested in showing that every possible way of reducing programs
terminates, but only that this is the case with the particular reduction strategy
used by the language. In this case, the above proof can be somewhat simplified,
as explained in section 4.2.5, which we now illustrate by showing that the call-
by-value reduction strategy terminates for the simply typed λ-calculus.
Following section 3.5.1, we can characterize values and neutral terms by
data value : ∀ {Γ A} (t : Γ A) → Set
data neutral : ∀ {Γ A} (t : Γ A) → Set

data value where

vabs : ∀ {Γ} {A B} (t : Γ , A B) → value (ƛ t)
vneu : ∀ {Γ A} {t : Γ A} → neutral t → value t
data neutral where
nvar : ∀ {Γ A} (x : Γ A) → neutral (var x)
napp : ∀ {Γ A B} {t : Γ A B} {u : Γ A} →
neutral t → value u → neutral (t · u)
the call-by-value reduction strategy is
data _ _ : ∀ {Γ A} → Γ A → Γ A → Set where
β : ∀ {Γ A B} (t : Γ , A B) → {u : Γ A} →
value u → (ƛ t) · u (t [ u /0])
l : ∀ {Γ A B} {t t' : Γ A B} →
t t' → (u : Γ A) → t · u t' · u
r : ∀ {Γ A B} {t : Γ A B} {u u' : Γ A} →
value t → u u' → t · u t · u'
and the iterated reduction * is defined as usual. It is not hard to show that
values and neutral terms are normal forms
value-nf : ∀ {Γ A} {t t' : Γ A} → value t → ¬ (t t')
neutral-nf : ∀ {Γ A} {t t' : Γ A} → neutral t → ¬ (t t')
value-nf (vneu (napp n v)) ( l r u) = neutral-nf n r
value-nf (vneu (napp n v)) ( r t r) = value-nf v r
neutral-nf (napp n v) ( l r u) = neutral-nf n r
neutral-nf (napp n v) ( r t r) = value-nf v r
and that the reduction is deterministic
det : ∀ {Γ A} {t t ₁ t ₂ : Γ A} → t t₁ → t t₂ → t₁ ≡ t₂
det ( β t u₁ ) ( β .t u ₂ ) = refl
det ( β t u) ( r t' r) = -elim (value-nf u r)
det ( l r ₁ u) ( l r ₂ .u) = cong ₂ _·_ (det r ₁ r ₂ ) refl
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 346

det ( l r ₁ u) ( r t r ₂ ) = -elim (value-nf t r ₁ )

det ( r t r₁ ) ( β t ₁ u) = -elim (value-nf u r ₁ )
det ( r t r₁ ) ( l r ₂ u) = -elim (value-nf t r ₂ )
det ( r t r₁ ) ( r x r ₂ ) = cong ₂ _·_ refl (det r ₁ r ₂ )
The definition of the predicate halts is the same as above and one can easily
show that it is preserved under reduction:
-halts : ∀ {Γ A} {t t' : Γ A} → t t' → halts t → halts t'
-halts r (sn h) = h r
In fact this could also be shown with the general β-reduction. The novelty
brought by using call-by-value reduction is that it is deterministic, and we thus
now also have the “converse” property:
-halts : ∀ {Γ A} {t t' : Γ A} → t t' → halts t' → halts t
-halts r h = sn (λ r' → subst halts (det r r') h)
Finally, the induction principle -rec presented for β-reduction of course still
holds with call-by-value reduction.
We take the following variant of the definition of reducibility candidates
(note that we suppose that t is halting in both cases):
R : {Γ : Ctxt} {A : Type} (t : Γ A) → Set
R {Γ} {X _} t = halts t
R {Γ} {A B} t = halts t × ({u : Γ A} → R u → R (t · u))
The three properties of candidates can now be proved independently and in a
much simpler way (in particular, we do not need the x? hack that we used
above):
CR1 : ∀ {Γ A} {t : Γ A} → R t → halts t
CR1 {Γ} {X x} r = r
CR1 {Γ} {A B} {t} r = fst r

CR2 : ∀ {Γ A} {t t' : Γ A} → R t → t t' → R t'

CR2 {Γ} {X x} r b = -halts b r
CR2 {Γ} {A B} {t} r b =
-halts b (fst r) , (λ {u} Ru → CR2 (snd r Ru) ( l b u))

CR3 : ∀ {Γ A} {t t' : Γ A} → t t' → R t' → R t

CR3 {Γ} {X x} b r = -halts b r
CR3 {Γ} {A A ₁ } b r =
( -halts b (fst r)) , (λ {u} Ru → CR3 ( l b u) (snd r Ru))

7.5.3 Normalization by evaluation. We finally present a way to compute

the normal form of term in simply typed λ-calculus using normalization by
evaluation, see section 3.5.2. The idea is that we are going to interpret λ-terms
as Agda functions on normal forms, so that we can use Agda’s builtin reduction
mechanism, and then translate the result back to λ-calculus. More precisely,
given a type A, we write JAK for the set defined inductively by
– JXK = NFA : the set associated to a type variable is the set of all terms of
type A in normal form,
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 347

– JA → BK = JAK → JBK: the set associated to the arrow type A → B is

the set of all functions from JAK to JBK.
Then, we are going to interpret a term t of type A as an element JtKρ of JAK.
Since we need to properly take care of the free variables of t, our interpretation
also depends on an environment ρ, which is is a function which to every free
variable of t associates a term in normal form. The interpretation is defined by
induction on t by
JxKρ = ρ(x) Jλx.tK = u 7→ JtK(ρ,x7→u) Jt uK = JtKρ (JuKρ )
(above, (ρ, x 7→ u) is the environment which behaves as ρ, excepting that it
associates u to x). Otherwise said, we evaluate the term t in the environment ρ.
Finally, we are going to define a reification function ↓A , for every type A, which
translates every element of the set JAK to a λ-term in normal form. The defini-
tion will of course be performed by induction on the type A. In order to handle
the case where A is an arrow type, it turns out that we also need a reflection
function ↑A which allows us to see a variable of type A as an element of JAK. Ac-
tually, in order to be able to perform the definition of ↑A by induction, we need
to define it on all neutral terms and not only variables and define it together
with reification. We thus define two functions
↓A : JAK → NFA ↑A : NEA → JAK
where NFA and NEA are respectively the normal forms and neutral terms of
type A, by induction on A by:
↓X t = t ↑X t = t
↓A→B f = λx. ↓B f (↑A x) ↑A→B t = u 7→↑B (t (↓A u))
where x is supposed to be “fresh” in the lower left case. Finally, we can compute
the normal form t̂ of a λ-term t by
t̂ =↓A JtKρ0
where ρ0 is the “trivial environment” which to a variable x associates the vari-
able x.

Terms. Our actual formalization is inspired of [Arn17]. We use the same defi-
nitions as above for types, contexts, and λ-terms. Inspired of the notation for
bidirectional typechecking (section 4.4.5), we write Γ A (resp. Γ A) for the
type of normal forms (resp. neutral terms) of type A in the context Γ, defined
as the following inductive types:
data _ _ : Ctxt → Type → Set
data _ _ : Ctxt → Type → Set

data _ _ where
abs : ∀ {Γ A B} → Γ , A B → Γ A B
neu : ∀ {Γ A} → Γ A → Γ A

data _ _ where
var : ∀ {Γ A} → Γ A → Γ A
app : ∀ {Γ A B} → Γ A B → Γ A → Γ B
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 348

Note that those are not characterized here by a predicate on terms as before,
but rather implemented as a new inductive type. For this reason, we need to
implement again substitution on those types:
_ [_] : ∀ {Γ Δ A} → Γ A → Γ ⊆ Δ → Δ A
_ [_] : ∀ {Γ Δ A} → Γ A → Γ ⊆ Δ → Δ A
abs t [ σ ] = abs (t [ keep σ ])
neu t [ σ ] = neu (t [ σ ])
var x [ σ ] = var (x v[ σ ])
app t u [ σ ] = app (t [ σ ]) (u [ σ ])
where the case of variables is handled by
_v[_] : ∀ {Γ Δ A} → Γ A → Γ ⊆ Δ → Δ A
zero v[ keep σ ] = zero
suc x v[ keep σ ] = suc (x v[ σ ])
x v[ drop σ ] = suc (x v[ σ ])

Interpreting types. The interpretation of types as sets of terms is performed

following the above definition. We actually need this definition to also depend
on a context and write Γ A for the interpretation of the type A in the
context Γ, which is defined by
_ _ : Ctxt → Type → Set
Γ X i = Γ X i
Γ A B = ∀ {Δ} → Γ ⊆ Δ → Δ A → Δ B
In the second case, we need to incorporate the weakening of context in the def-
inition in order to be able to produce “fresh variables” when reifying functions.

Reflection and reification. The reflection and reification functions are defined
by mutual induction by following their definition given above. We also need to
define a function Var which is the variable corresponding to the last element of
the context in the set JΓ ` AK:
Var : ∀ {Γ A} → Γ , A A
↑ : ∀ {Γ A} → Γ A → Γ A
↓ : ∀ {Γ A} → Γ A → Γ A

Var {Γ} {X i} = var zero

Var {Γ} {A B} σ t = ↑ ((var zero) [ σ ]) ⊆-refl t

↑ {Γ} {X i} t = t
↑ {Γ} {A B} t σ u = ↑ (app (t [ σ ]) (↓ u))

↓ {Γ} {X i} t = neu t
↓ {Γ} {A B} f = abs (↓ (f (drop ⊆-refl) Var))

Interpreting terms. We finally need to define the interpretation JtKρ of terms t,

for which we first need to introduce the notion of environment, which will be
done in a typeful fashion here. Given contexts Γ and Δ, we write Δ * Γ for
type of environment which to every variable of type A in Γ associates a normal
form of type A in Δ:
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 349

_ *_ : Ctxt → Ctxt → Set

Δ * Γ = ∀ {A} (x : Γ A) → Δ A

These are the environments adapted to terms whose free variables are in Γ. We
can define the interpretation of terms following the above definition by
_ : ∀ {Γ Δ A} → Γ A → Δ * Γ → Δ A
var x ρ = ρ x
t · u ρ = ( t ρ) ⊆-refl ( u ρ)
ƛ t ρ = λ σ u → t ((λ x → wk* σ (ρ x)) ,* u)
In this definition, we have used the following auxiliary function, which extends
an environment with a new value
_,*_ : ∀ {Γ Δ A} → Δ * Γ → Δ A → Δ * (Γ , A)
(ρ ,* t) zero = t
(ρ ,* t) (suc x) = ρ x
as well as the following weakening principle for sets of normal forms:
wk* : ∀ {Γ Δ A} → Γ ⊆ Δ → Γ A → Δ A
wk* {Γ} {Δ} {X i} σ t = t [ σ ]
wk* {Γ} {Δ} {A B} σ f = λ τ t → f (⊆-trans σ τ) t

Computing normal forms. We can finally define the normalization of λ-terms

by

normalize : ∀ {Γ A} → Γ A → Γ A
normalize t = ↓ ( t id*)
where the trivial environment is
id* : ∀ {Γ} → Γ * Γ
id* x = ↑ (var x)

An example. For instance, we can define the term t = (λx.λy.x) x whose type
is x : X0 ` t : X1 ⇒ X0 by

K : ∅ , X 0 X 0 X 1 X 0
K = ƛ (ƛ var (suc zero))

V : ∅ , X 0 X 0
V = var zero

t : ∅ , X 0 X 1 X 0
t = K · V
If we ask Agda to compute (i.e. normalize) the normalized term normalize t,
we obtain

abs (neu (var (suc zero)))

which is Agda’s way of saying λy.x, as expected.
CHAPTER 7. FORMALIZATION OF IMPORTANT RESULTS 350

Handling η-conversion. The above algorithm can be used in order to test whether
two λ-terms are β-convertible: in order to know whether t and u are convert-
ible, we simply need to look whether their respective normal forms t̂ and û are
equal. However this does not work if we want to test for βη-convertibility. For
instance, the terms t = λx.λy.x y and u = λx.x, of type (X → Y ) → X → Y
are η-convertible and in normal form: we have t̂ = t 6= u = û. In order to
overcome this problem, a nice solution consists in slightly tightening the notion
of normal form we consider, and require that terms with an arrow type should
be abstractions: normal forms satisfying this are called η-long normal forms. In
the definition of normal forms, this amounts to allow considering neutral terms
as normal ones, only when they have base types (and not arrow types), i.e. the
definition of normal forms becomes
data _ _ where
abs : ∀ {Γ A B} → Γ , A B → Γ A B
neu : ∀ {Γ i} → Γ X i → Γ X i
Exercise 7.5.3.1. Modify the above normalization by evaluation algorithm in
order to compute η-long normal forms.
 Chapter 8

Dependent type theory

We now introduce the logic we have seen at work in Agda. The type theory that
we are presenting here was originally introduced by Martin-Löf in 1972 [ML75,
ML82, ML98], most of Martin-Löf’s work being freely accessible at [ML]. Its
types are said to be dependent because they can depend on values. For instance,
we can define a type Vec n of lists of length n, which depends on the natural
number n. Another major feature of this type theory is that we can manipulate
types as any other data: for instance, we can define functions which create types
from other types, etc. In order to make this possible, the distinction between
types and terms is dropped: types are simply the terms which admit a particular
type, called “Type”. Making all this work together nicely requires quite some
care.
The core of the type theory is presented in section 8.1, universes being
properly added in section 8.2, other usual type constructors in section 8.3 and
inductive types in section 8.4. The ways a dependent proof assistant can be
implement is discussed in section 8.5

8.1 Core dependent type theory

In this section, we begin with the “minimal” version of dependent type theory,
i.e. with (dependently typed) functions only. This is extended with more type
constructors in section 8.3.

8.1.1 Expressions. As indicated above, there is no distinction between terms

and types and we call them both “expressions” in order to make this clear. As
usual, we suppose fixed an infinite countable supply of variables. An expression e
is a term of the form

e, e0 ::= x | e e0 | λxe .e0 | Π(x : e).e0 | Type

In the following, we keep the old habit of writing t and A for expressions thought
of as terms and as types, even though we cannot syntactically distinguish be-
tween both. The expressions can be read as follows:
– x: a term or a type variable,
– t u: application of a term to a term (or a type),
– λxA .t: the function (the λ-term) which to an element x of type A asso-
ciates t,
– Π(x : A).B: the type of (dependent) functions from A to B,
– Type: the type of all types.
In Agda notation, Π(x : A).B is written (x : A) → B and Type is written Set.
CHAPTER 8. DEPENDENT TYPE THEORY 352

8.1.2 Free variables and substitution. In an expression of the form λxA .t

(resp. Π(x : A).B), the variable x is said to be bound in t (resp. in B), and
expressions are considered modulo renaming of bound variables, which is called
α-equivalence. A variable which is not bound is free and we write FV(e) for the
set of free variables of an expression e, which is defined by

FV(x) = {x}
FV(t u) = FV(t) ∪ FV(u)
FV(λxA .t) = FV(A) ∪ (FV(t) \ {x})
FV(Π(x : A).B) = FV(A) ∪ (FV(B) \ {x})
FV(Type) = ∅

We say that a variable x occurs in an expression A when x ∈ FV(A).

Given expressions e and u and a variable x, we define the substitution e[u/x]
of x by u in e by induction on e by

x[u/x] = u
y[u/x] = y if x 6= y
(t t0 )[u/x] = (t[u/x]) (t0 [u/x])
(λy A .t)[u/x] = λy A[u/x] .t[u/x] with y 6∈ FV(u) ∪ {x}
(Π(y : A).B)[u/x] = Π(y : A[u/x]).B[u/x] with y 6∈ FV(u) ∪ {x}
Type [u/x] = Type

8.1.3 Contexts. A context Γ is a list

Γ = x 1 : A1 , . . . , x n : An

where the xi are variables and the Ai are expressions. We sometimes write ∅
for the empty context, although we usually omit writing it. The set of free
variables of a context is defined by
n
[
FV(Γ) = FV(Ai )
i=1

and we extend the operation of substitution to contexts by setting

Γ[t/x] = x1 : A1 [t/x], . . . , xn : An [t/x]

whenever no variable xi occurs in t.

Contrarily to the case of simply-typed λ-calculus, it might happen that a
context is not well-formed, in the sense that we do not expect it to make sense.
For instance, if Vec n denotes the type of vectors of length n, we expect that
the context
n : Nat, l : Vec n
which declares that n is a natural number and l is a vector of length n, is
well-formed. However, the context

l : Vec n, n : Nat
CHAPTER 8. DEPENDENT TYPE THEORY 353

is not well-formed: we begin by declaring that l is a vector of length n, without

having declared what n should be before: the order in which variables are
declared now really matters. Similarly, the context
n : Bool, l : Vec n
is not well-formed: the type Vec n only makes sense when n is a natural number,
and not a boolean.

8.1.4 Definitional equality. In order to have a manageable type theory, we

should identify some terms. Typically, we want to identify terms which are
β-equivalent. For instance, suppose that we have a function f of type Vec(2+2) → A,
taking a vector of length 2 + 2 as argument and returning a term of type A, and
a term t of type Vec(3 + 1). We expect to be able to apply f to t even though
the types do not match precisely: the term t can be thought of as having the
type Vec(2 + 2), because we all know that 2 + 2 = 3 + 1. This means that in
types, we consider terms up to some equivalence relation, called convertibility
or definitional equality, which usually only consists in the reduction.
Although we will formalize this definitional equality as an equivalence rela-
tion, we need some more properties on it: we need to be able to decide whether
two terms are equivalent or not. In practice, this is performed by generalizing
the method described in section 4.2.4 to test the β-convertibility of λ-terms: we
orient the equivalence in a way giving rise to a convergent (i.e. terminating and
confluent) relation, so that two terms are equivalent if and only if they have the
same normal form. For instance, if our addition satisfies (n+1)+m = n+(m+1)
and 0 + m = m, we orient those relations as (n + 1) + m n + (m + 1) and
0+m m. In order to know whether two expressions involving sums of natural
numbers are equal, we can then apply those relations as much as possible, and
compare the resulting expressions for equality. For instance,
2+2 1+3 0+4 4 and 1+3 0+4 4
and therefore the two terms are equivalent because they have the same normal
form 4.

8.1.5 Sequents. In order to take all of this in account, we need to have three
different forms of judgments in the sequent calculus:
– Γ ` means that Γ is a well-formed context,
– Γ ` t : A means that t has type A in the context Γ,
– Γ ` t = u : A means that t and u are equal (i.e. convertible) terms of
type A in the context Γ.
As usual, we will give rules which allow the derivation of those judgments
through derivation trees. The derivation rules for all these three kinds of judg-
ments mutually depend on each other, so that they all have to be defined at
once.
As indicated above, there is no syntactic distinction between terms and
types: both are expressions. The logic will however allow us to distinguish
between the two. An expression A for which Γ ` A : Type is derivable for some
context Γ is called a type. An expression t for which Γ ` t : A is derivable for
some context Γ and type A is called a term.
CHAPTER 8. DEPENDENT TYPE THEORY 354

8.1.6 Rules for contexts. There are two rules for contexts:

Γ ` A : Type
∅` Γ, x : A `

The first one states that the empty context ∅ is always well-formed. The second
one states that if A is a well-formed type in a context Γ, then Γ, x : A is a well-
formed context. In the second rule, one would expect that we require that Γ is
a well-formed context as a premise, as in

Γ` Γ ` A : Type
Γ, x : A `

but we will see in section 8.1.11 that from the premise Γ ` A : Type, we
will actually be able to deduce that Γ is a well-formed context (and similar
observations could be made on subsequent rules). As indicated above, the reason
why we need to ensure that A is a well-formed type in the context Γ is to avoid
considering a context such as

n : Bool, l : Vec n

as a well-formed context. Namely, the rules will not allow to derive

n : Bool ` Vec n : Type

i.e. that Vec n is a well-formed type in a context were n is a boolean.

8.1.7 Rules for equality. We now give the rules for definitional equality.
First, we have three rules ensuring that equality is an equivalence relation,
by respectively imposing reflexivity, symmetry and transitivity:

Γ`t:A Γ`t=u:A Γ`t=u:A Γ`u=v:A

Γ`t=t:A Γ`u=t:A Γ`t=v:A

We will need that the definitional equality is not only an equivalence relation,
but a congruence: rules expressing compatibility with type constructors will be
added later on for each type constructor.
Finally, we add rules expressing the fact that a type can be substituted by
an equal one in a typing derivation:

Γ`t:A Γ ` A = B : Type Γ`t=u:A Γ ` A = B : Type

Γ`t:B Γ`t=u:B

Example 8.1.7.1. The example of section 8.1.4, where a function f expecting an

argument of type Vec(2 + 2) is applied to an argument l of type Vec(1 + 3), can
be typed using these conversion rules as follows:
..
.
..
. . . . ` 1 + 3 = 2 + 2 : Nat
(ax)
. . . ` l : Vec(1 + 3) . . . ` Vec(1 + 3) = Vec(2 + 2)
(ax)
. . . ` f : Vec(2 + 2) → A . . . ` l : Vec(2 + 2)
f : Vec(2 + 2) → A, l : Vec(1 + 3) ` f l : A
CHAPTER 8. DEPENDENT TYPE THEORY 355

8.1.8 Axiom rule. We now turn to rules allowing the typing of a term. The
axiom rule is
Γ, x : A, Γ0 `
(ax)
Γ, x : A, Γ0 ` x : A
with the following side conditions:

– x 6∈ dom(Γ0 ), and
– FV(A) ∩ dom(Γ0 ) = ∅.
We follow the convention that a variable always refers to the rightmost occur-
rence of the variable in a context. With this in mind, the side conditions avoid
clearly wrong derivations such as
(ax) (ax)
x : A, x : B ` x : A n : Nat, l : Vec n, n : Bool ` l : Vec n

Alternatively, we could use the convention that the variables declared in a con-
text are always distinct, which we can always do because we consider terms up
to α-conversion, although this is a bad habit because we do not want to spend
our time performing α-conversions when implementing a proof assistant.

8.1.9 Terms and rules for type constructors. We now give the rules for
Π-types, which are generalized function types. As for any type constructor in
this type theory, we will need to have three constructions for expressions:

– a constructor for the type,

– a constructor for the terms of this type,
– an eliminator for the terms of this type,

together with six rules with the following purpose

– formation: construct a type with the type constructor,
– introduction: construct a term of the type,
– elimination: use a term of the type,

– computation: (β-)reduce a term of the type,

– uniqueness: express a uniqueness property of the constructed terms, which
corresponds to an η-equivalence rule,
– congruence: express that definitional equality is compatible with the term
constructors.
We insist here on this structure, because it will be the same for all the subsequent
type constructors, that we are going to see in section 8.3. Let’s see that in action
for Π-types.
CHAPTER 8. DEPENDENT TYPE THEORY 356

8.1.10 Rules for Π-types. The Π-types are dependent function types: they
are like the plain old function types, excepting that the type of the result might
depend on the argument. Such a type is noted

Π(x : A).B

which corresponds to the Agda notation

(x : A) → B

and should be read as the type of functions taking an argument x of type A and
returning a value of type B. Here, the variable x might occur in the type B,
i.e. the type B can depend on x. For instance, a function taking a natural
number n as argument and returning a vector of length n will have the type

Π(n : Nat). Vec n

see section 6.4.7 actual uses of such functions. In a Π-type as above, the vari-
able x is bound in the type B, and we can rename bound variables. For instance,
the previous type is α-equivalent to Π(m : Nat). Vec m. From a logical point of
view, a type Π(x : A).B, can be read as a universal quantification

∀x ∈ A.B

If we follow the lists given in section 8.1.9, the corresponding constructors

for expressions are
– the constructor for types: Π,

– the constructor for terms: the λ-abstraction,

– the eliminator for terms: the application.
Finally, we can give the six required rules for Π-types.

Formation. The type formation rule is

Γ ` A : Type Γ, x : A ` B : Type
(ΠF )
Γ ` Π(x : A).B : Type

and allows constructing a type Π(x : A).B whenever A and B are well-formed
types.

Introduction. The introduction rule is

Γ, x : A ` t : B
(ΠI )
Γ ` λxA .t : Π(x : A).B

and states that a λ-abstraction λxA .t is a function taking an argument x of

type A and returning a term t of some type B: it should thus have the type
Π(x : A).B.
CHAPTER 8. DEPENDENT TYPE THEORY 357

Elimination. The elimination rule is

Γ ` t : Π(x : A).B Γ`u:A
(ΠE )
Γ ` t u : B[u/x]

and states that if t is a function of type Π(x : A).B and u is an argument of

type A then we can apply t to u. Again, note that the type B can depend on x,
so that the type of the result t u should be B where x has been replaced by the
actual value u of the argument.

Computation. The computation rule is

Γ, x : A ` t : B Γ`u:A
A
(ΠC )
Γ ` (λx .t) u = t[u/x] : B

this is precisely the β-reduction rule.

Uniqueness. The uniqueness rule is

Γ ` t : Π(x : A).B
(ΠU )
Γ ` t = λxA .t x : Π(x : A).B

this is precisely the η-expansion rule.

Congruence. The three congruence rules are

Γ ` A = A0 : Type Γ, x : A ` B = B 0 : Type
Γ ` Π(x : A).B = Π(x : A0 ).B 0 : Type

Γ ` A = A0 : Type Γ, x : A ` B : Type Γ, x : A ` t = t0 : B
0
Γ ` λxA .t = λxA .t0 : Π(x : A).B
and
Γ ` t = t0 : Π(x : A).B Γ ` u = u0 : A
Γ ` t u = t0 u0 : B[t/x]
They express the expected compatibility of equality with all the constructors
for expressions: Π-types, λ-abstractions, and applications. We will generally
omit the congruence rules in the following, but they should be formulated in a
similar way for every constructor.
Example 8.1.10.1. The polymorphic identity function, which takes a type A and
returns the identity function from A to A can be typed as follows:
..
.
A : Type, x : A `
(ax)
A : Type, x : A ` x : A
(ΠI )
A : Type ` λxA .x : Π(x : A).A
(ΠI )
` λAType .λxA .x : Π(A : Type).Π(x : A).A
CHAPTER 8. DEPENDENT TYPE THEORY 358

Arrow types. The traditional arrow type A → B can be recovered as the partic-
ular case of a Π-type Π(x : A).B which is not dependent, meaning that x does
not occur as a free variable in B. We thus write

A→B = Π(_ : A).B

where “_” is a variable name which is supposed to never occur in any type; in
particular, we always have B[t/_] = B. It can be checked that all the rules give
back the usual ones, up to notations. For instance, (ΠE ) allows us to recover
the elimination rule:
Γ`t:A→B Γ`u:A
(→E )
Γ ` tu : B

8.1.11 Admissible rules. Many basic properties of the logical system can be
expressed as the admissibility of some rules, some of which we now indicate. We
concentrate on typing rules, i.e. judgments of the form Γ ` t : A, but similar
admissible rules can usually be formulated for the two other kinds of judgments:
well-formation of contexts (Γ `) and convertibility (Γ ` t = u : A), details being
left to the reader. The proofs are, as usual, performed by induction on the
derivation of the judgment in the premise.
Before stating those, we first make the following simple, but useful, obser-
vation:
Lemma 8.1.11.1. For every derivable sequent Γ ` t : A, we have the inclusions
FV(t) ⊆ dom(Γ) and FV(A) ⊆ dom(Γ).

Proof. By induction on the derivation of the sequent.

Basic checks. The rules ensure that only well-formed types and contexts can be
manipulated at any point in a proof. This can be formulated as the admissibility
of the following rules:

Γ`t:A Γ`t:A
Γ` Γ ` A : Type

Γ`t=u:A Γ`t=u:A Γ`t=u:A Γ`t=u:A

Γ` Γ`t:A Γ`u:A Γ ` A : Type

To be honest the admissibility of those rules is “almost” true: this will be

discussed in section 8.2.

Weakening rule. The following weakening rule is admissible, accounting for the
fact that if some typing judgment holds in some context, it also holds with more
hypothesis in the context.

Γ ` A : Type Γ, Γ0 ` t : B
(wk)
Γ, x : A, Γ0 ` t : B

with x 6∈ FV(Γ0 ) ∪ FV(t) ∪ FV(B).

CHAPTER 8. DEPENDENT TYPE THEORY 359

Exchange rule. The exchange rule states that we can swap two entries x : A and
y : B in a context, provided that there is no dependency between them, i.e. B
does not have x as free variable:
Γ ` B : Type Γ, x : A, y : B, ∆ ` t : C
Γ, y : B, x : A, ∆ ` t : C
Here, the hypothesis Γ ` B : Type ensures that B does not depend on x by
lemma 8.1.11.1.

Cut rule. The type theory has the cut elimination property, which corresponds
to the admissibility of the following rule:
Γ`t:A Γ, x : A, ∆ ` u : B
(cut)
Γ, ∆[t/x] ` u[t/x] : B[t/x]
see sections 2.3.3 and 4.1.8.

8.2 Universes
8.2.1 The type of Type. There is one missing thing in the type theory we have
given up to now. Everything should have a type in the sequent we manipulate,
but the constant Type does not, because there is no rule allowing us to do so.
For instance, in order to type the polymorphic identity in example 8.1.10.1, we
have show that the context
A : Type, x : A ` x : A
is well-formed, which will at some point require showing
` Type : Type
which we have no rule to derive for now.
There is an obvious candidate for the rule we are lacking: we are tempted
to add the rule
Γ`
Γ ` Type : Type
which is sometimes called the type-in-type rule. This rule was in fact present
in the original Martin-Löf type system, but Girard showed that the resulting
system was inconsistent [Gir72]. A variant of this proof is presented below.

8.2.2 Russell’s paradox in type theory. We show the inconsistency with

the above rule for Type by encoding, in Agda, Russell’s paradox presented in
section 5.3.1.

Encoding finite sets in OCaml. As a starter let’s first see how to implement
finite sets in OCaml. A finite set
A = {a1 , . . . , an }
whose elements ai belong to some fixed type ’a, can be described by giving its
elements: we can encode it as an array of elements. We thus define the type of
sets of elements of ’a as
CHAPTER 8. DEPENDENT TYPE THEORY 360

type 'a finset = Finset of 'a array

which is a type, with one constructor, which takes an array of ’a as argument.
This is thus essentially, an array of ’a, and the usefulness of the constructor
shall be explained below. It should be remarked that this representation is not
faithful: two arrays differing only by the order of their elements or repetitions
of elements represent the same set. For instance, the arrays

[|3;1;2|] and [|2;1;3;1;2;2|]

both encode the set {1, 2, 3}.

We can code the function which determines whether an element x belongs
to a set a, by looking whether the element occurs in the array:
let mem (x : 'a) (Finset a : 'a finset) =
let ans = ref false in
for i = 0 to Array.length a - 1 do
if a.(i) = x then ans := true
done;
!ans
or, more elegantly, using the standard library, as
let mem (x : 'a) (Finset a : 'a finset) =
Array.exists (fun y -> x = y) a
Similarly, inclusion of sets can be coded by
let included (Finset a : 'a finset) (b : 'a finset) =
Array.for_all (fun x -> mem x b) a
Finally, the equality of two sets can be tested with
let eq (a : 'a finset) (b : 'a finset) =
included a b && included b a
This is the right function to test equality of sets, which does not distinguish
between two representations of the same set, and should always be used to
compare sets, as opposed to the standard equality =.
In order to get closer to set theory, we shall now implement finite sets whose
elements are themselves finite sets, i.e. we now consider the type
type finset = Finset of finset array
The previous functions are now mutually recursive because membership should
be tested with respect to the suitable notion of equality:
let rec mem (x : 'a) (Finset a : finset) =
Array.exists (fun y -> eq x y) a

and included (Finset a : finset) (b : finset) =

Array.for_all (fun x -> mem x b) a

and eq (a : finset) (b : finset) =

included a b && included b a
CHAPTER 8. DEPENDENT TYPE THEORY 361

Encoding set theory in type theory. We can play the same game in type theory
and define finite sets of elements in a type A in the same way. Instead of using
arrays however, it is more natural to encode a finite set as a function of type

Fin n → A

for some natural number n: such a function f encodes the set

{f (0), f (1), . . . , f (n − 1)}

(we recall that Fin n is the type whose elements are (isomorphic to) natural
numbers from 0 to n − 1). We can thus define
data finset (A : Set) : Set where
Finset : {n : } → (Fin n → A) → finset A
In order to define “sets” of elements of A, instead of finite ones, we can allow
indexing by any type instead of Fin n. Finally, we can encode sets (in the sense
of type theory) as sets of sets. This suggests the following encoding of sets
data U : Set ₁ where
set : (I : Set) → (I → U) → U
which is due to Aczel [Acz78, Wer97]: a set consists of a type I of indices and a
function which assigns a set to every element of I. In order to avoid confusion
with the notation Set of Agda, we write U for the type of our sets.
With this encoding the usual constructions can be performed. For instance,
we can define the empty set:
∅ : U
∅ = set (λ ())
the pairing of two sets:
_,_ : (A B : U) → U
A , B = set Bool (λ {false → A ; true → B})
the product of two sets:
prod : (A B : U) → U
prod (set I f) (set J g) =
set (I × J) (λ { (i , j) → f i , g j })
the equality of two sets (which implements the extensionality axiom):
_==_ : (A B : U) → Set
set I f == set J g =
((i : I) → Σ J (λ j → f i == g j)) ∧
((j : J) → Σ I (λ i → f i == g j))
the membership relation:
_∈_ : (A B : U) → Set
A ∈ set I f = Σ I (λ i → A == f i)
the union of sets (which implements the axiom of union):
CHAPTER 8. DEPENDENT TYPE THEORY 362

_ : (A : U) → U
set I f =
set (Σ I (λ i → dom (f i))) (λ { (i , j) → F (f i) j })

where the domain is given by

dom : U → Set
dom (set I _) = I
and the function is given by

F : (A : U) → dom A → U
F (set _ f) = f
the von Neumann natural numbers (which implements the axiom of infinity):
vonN : → U
vonN .zero = ∅
vonN ( .suc n) = vonN n , [ vonN n ]

Nat : U
Nat = set vonN

and so on.

The Russell paradox. Now, suppose that we accept this type-in-type rule which
tells us that Type has type Type. This behavior can be achieved in Agda by
using the flag
{-# OPTIONS --type-in-type #-}
at the beginning of the file. As before, we define sets as

data U : Set where

set : (I : Set) → (I → U) → U
(the careful reader will notice that the type of U is now Set instead of Set ₁ ),
and we consider the following notion of membership
_∈_ : (A B : U) → Set
A ∈ set I f = Σ I (λ i → f i ≡ A)
This function is “wrong” because equality is tested here using propositional
equality instead of the proper equality == between sets, but it will be enough
for the purpose of implementing paradoxes and give rise to shorter code. We
declare a set to be regular if it does not contain itself, which can be defined by

regular : U → Set
regular A = ¬ (A ∈ A)
and consider Russell’s paradoxical set R of all sets which do not contain them-
selves, see section 5.3.1:

R : U
R = set (Σ U (λ A → regular A)) proj ₁
CHAPTER 8. DEPENDENT TYPE THEORY 363

This set can be shown to be both regular

R-nonreg : ¬ (regular R)
R-nonreg reg = reg ((R , reg) , refl)
and non-regular
R-reg : regular R
R-reg ((A , reg) , p) = subst regular p reg ((A , reg) , p)
from which we can deduce the inconsistency of the system:
absurd :
absurd = R-nonreg R-reg

8.2.3 Girard’s paradox. It is always good to have a handful of paradoxes

at hand in order to test a proof assistant: depending on the logic, one or the
other might be easier to encore. For instance, the above formalization crucially
depends on the fact that we have inductive types, which is not the case of all as-
sistants. As another example, we shall present Girard’s original paradox [Gir72],
which is based on the following set-theoretic paradox which shows that there is
no ordinal of all ordinals.

The Burali-Forti paradox. A well-ordered set is traditionally defined as a set A

equipped with a total order 6 which is well-founded, i.e. there is no infinite
strictly decreasing sequence of elements, see section 6.8.6 and appendix A.3.
Alternatively – and this is better suited to formalization – a well-ordered set
can be defined as a set A equipped with a relation < which is
– transitive,
– well-founded, and
– extensional.
By extensional, we mean here that, given y, z ∈ A, if x < y is equivalent to x < z
for every x ∈ A, then y = z:
(∀x ∈ A.x < y ⇔ x < z) ⇒ y = z
Two well-ordered sets are isomorphic when they are in bijection with order-
preserving functions. An ordinal is the isomorphism class of a well-ordered set.
An embedding of an ordinal A into an ordinal B is an increasing function f from
A to B, i.e. such that x < y implies f (x) < f (y) for every x, y ∈ A. Such an
embedding is bounded when there exists an element b ∈ B such that f (x) < b
for every x ∈ A. We define a relation < on ordinals by setting A < B whenever
there exists a bounded embedding of A into B. This relation can be shown to
be transitive, well-founded and extensional.
The Burali-Forti paradox [BF97] shows that the ordinal numbers do not
form a set: they are too big to be so, in the same sense that the collection of
all sets is too big to itself be a set. Namely, suppose that there is a set Ω of all
ordinals. By the above, when equipped with the relation <, this would induce
an ordinal that we still write Ω. It can be shown that for every ordinal A, we
have A < Ω. In particular, we have Ω < Ω, which is in contradiction with the
hypothesis that < should be well-founded. Details to follow.
CHAPTER 8. DEPENDENT TYPE THEORY 364

Formalizing Girard’s paradox. The Girard paradox [Gir72] is an implementation

of the above paradox in Martin-Löf type theory with the type-in-type rule. A
nice account this paradox can also be found in the introduction of [ML98]. We
present here a formalization of this paradox.
The notion of ordinal can be formalized in Agda by a record
record Ord : Set where
field
car : Set
rel : Rel car
trans : Transitive rel
wf : WellFounded rel
It is a 4-uple consisting of a carrier type car and a relation rel on it (see
section 6.5.9), together with a proof that this relation is transitive and well-
founded. Here, the predicate of being transitive for a relation is defined by
Transitive : {A : Set} → Rel A → Set
Transitive {A} R = {x y z : A} → R x y → R y z → R x z
and well-foundedness is detailed in section 6.8.6. The above definition actually
formalizes a generalization of the notion of ordinal: in order to define traditional
ones, we should also impose that they are extensional, i.e. a proof of Extensional
rel, where the extensionality predicate is
Extensional : {A : Set} → Rel A → Set
Extensional {A} R =
(y y' : A) → ((x : A) → R x y ↔ R x y') → y ≡ y'
but this will play no role in our proof so that we omit it for simplicity (we refer
the reader to [Uni13, Section 10.3] for a detailed formalization of ordinals).
Given an ordinal A, we use the more readable notation ∥ A ∥ for its carrier:
∥_∥ : Ord → Set
∥ A ∥ = car A
Since ordinals are well-founded, we can use the following induction principle in
order to reason on those:
Ord-rec : (A : Ord) → (P : ∥ A ∥ → Set) →
((x : ∥ A ∥) → ((y : ∥ A ∥) → rel A y x → P y) → P x) →
(x : ∥ A ∥) → P x
Ord-rec A = wfRec (wf A)
An embedding of an ordinal to the other, consists of a function between the
underlying carriers, together with a proof that it is increasing, and we write Emb
A B for the type of embeddings of A into B:
record Emb (A B : Ord) : Set where
field
fun : ∥ A ∥ → ∥ B ∥
inc : ∀ {x y} → rel A x y → rel B (fun x) (fun y)
Such an embedding is bounded by b in B when the image of every element of A is
below b and we write BEmb A B b for the type of embeddings of A into B which
are bounded by b:
CHAPTER 8. DEPENDENT TYPE THEORY 365

record BEmb (A B : Ord) (b : ∥ B ∥) : Set where

field
emb : Emb A B
bnd : (x : ∥ A ∥) → rel B (fun emb x) b
Based on this, we can define the relation < on ordinals, such that A < B whenever
there is a bounded embedding of A into B.
_<_ : Ord → Ord → Set
A < B = Σ ∥ B ∥ (λ b → BEmb A B b)
This relation is easily shown to be transitive
<-trans : Transitive _<_
<-trans (y , f) (z , g) = (fun (emb g) y) , (comp f g)

and well-founded with some more work:

<-wf : WellFounded _<_
<-wf A = acc lem
where
lem : (B : Ord) → B < A → Acc _<_ B
lem B (a , f) = Ord-rec A P' lem' a B f
where
P' : ∥ A ∥ → Set
P' a = (B : Ord) → BEmb B A a → Acc _<_ B
lem' : (a : ∥ A ∥) → ((a' : ∥ A ∥) → rel A a' a → P' a') → P' a
lem' a ind B f =
acc (λ { C (b , g) →
ind (fun (emb f) b) (bnd f b) C (comp g f) })
Namely, showing that this relation is well-founded amounts to show that every
ordinal A is accessible, which by definition of accessibility amounts to show that
every ordinal B with B < A is accessible. By definition of the relation < on
ordinals, this amounts to show that for every embedding f : B → A bounded
by a ∈ A, we have that B is accessible. This last property is noted P 0 (a) and
shown by induction on a ∈ A (with respect to the order <A on the elements
of the ordinal A, which is well-founded). Supposing that the property P 0 (a0 )
hold for every a0 ∈ A with a0 <A a, we have to show P (a), that is, given an
embedding f : B → A bounded by a, that B is accessible. By definition of
accessibility, this amounts to show that C is accessible for every C < B. Given
such an ordinal C, the fact that C < B means that there exists an embedding
g : C → B which is bounded by b ∈ B. By composing f and g, we therefore
have an embedding f ◦ g : C → A which is bounded by f (b) and we conclude
that C is accessible by applying P 0 (f (b)). In the above proof, the composition
of the embedding is handled by the function

comp : {A B C : Ord} {b : ∥ B ∥} {c : ∥ C ∥}
(f : BEmb A B b) (g : BEmb B C c) →
BEmb A C (fun (emb g) b)
whose proof is left to the reader. If we suppose that we have the type-in-type
rule with
CHAPTER 8. DEPENDENT TYPE THEORY 366

{-# OPTIONS --type-in-type #-}

we can therefore define the ordinal Ω of all ordinals:
Ω : Ord
car Ω = Ord
rel Ω = _<_
trans Ω = <-trans
wf Ω = <-wf
We can now show that Ω is the maximal element of ordinals:
A<Ω : {A : Ord} → A < Ω
A<Ω {A} = A , record {
emb = record {
fun = λ x → A ↓ x ;
inc = λ {x} {y} x<y → ↓-inc A x<y } ;
bnd = λ x → x , snd (↓-< A x) }
Above, given an ordinal A, we show that we have A < Ω: we need to construct
a bounded embedding f : A → Ω. Here, we take the function which takes
an element x ∈ A to the ordinal A ↓ x defined as the restriction of A to the
elements smaller than x, i.e.
_↓_ : (A : Ord) → ∥ A ∥ → Ord
car (A ↓ a) = Σ ∥ A ∥ (λ x → rel A x a)
rel (A ↓ a) x y = rel A (fst x) (fst y)
trans (A ↓ a) x<y y<z = trans A x<y y<z
wf (A ↓ a) = ↓wf
The proof of well-foundedness ↓wf, deduced from the well-foundedness of A, is
left to the reader. The proofs that the embedding is increasing
↓-inc : (A : Ord) {a b : ∥ A ∥} → rel A a b → A ↓ a < A ↓ b
and bounded
↓-< : (A : Ord) (a : ∥ A ∥) → (A ↓ a) < A
are also left to the reader. As a particular case of the above lemma, we have
that Ω < Ω:
Ω<Ω : Ω < Ω
Ω<Ω = A<Ω
which contradicts the fact that the relation < is well-founded. Namely, any rela-
tion R with x R x will have an infinite decreasing sequence: namely x R x R x R . . .
Constructively, this is of course shown by induction:
wf-irrefl : {A : Set} (R : Rel A) → WellFounded R →
(x : A) → R x x →
wf-irrefl R wf x =
wfRec wf (λ x → R x x → ) (λ y ind Ryy → ind y Ryy Ryy) x
From which we see that accepting Ω as an ordinal leads to the system being
inconsistent:
absurd :
absurd = wf-irrefl _<_ <-wf Ω Ω<Ω
CHAPTER 8. DEPENDENT TYPE THEORY 367

Variants and other paradoxes. The Girard paradox is analyzed by Coquand

in [Coq86] and simplified by Hurkens [Hur95]. Some other paradoxes have also
been produced by Coquand [Coq92a, Coq95]. For instance, one is, as translated
by Abel [Abe17]:
{-# OPTIONS --type-in-type #-}

data U : Set where

c : ({A : Set} → A → A) → U

empty : {A : Set} → U → A
empty (c f) = empty (f (c (λ z → z)))

absurd : {A : Set} → A
absurd = empty (c (λ z → z))

8.2.4 The hierarchy of universes. How should we fix this? If we think of the
situation we already faced when considering naive set theory, the explanation
was that the collection of all sets was “too big” to be a set. Similarly, we think
of Type as being “too big” to be a type. However, we still need to give it a
type, and the natural next move is to introduce a new constructor, say TYPE,
which is the type of “big types”, together with the rule

Γ`
Γ ` Type : TYPE

stating that Type is a big type. However, we now need to give a type to TYPE,
which forces us to introduce a type of “very big types” and so on.
In the end, we introduce a hierarchy of types Typei indexed by natural
numbers i ∈ N, together with the rule

Γ`
Γ ` Typei : Typei+1

for every i ∈ N. The type Type is simply a notation for Type0 , Type1 is the
type of “big types”, Type2 is the type of “very big types”, Type3 is the type of
“very very big types”, and so on:

Type0 : Type1 : Type2 : Type3 : . . .

The types Typei are called universes and i is called the level of the universe
Typei . In order to make the theory more manageable, we also add a cumulativity
rule
Γ ` A : Typei
Γ ` A : Typei+1
which states that a “small” type can always be seen as a “bigger” type. This
allows us to see a type in a given universe as a type in a universe of higher
level, so that all constructions can be cast in to higher levels if necessary and
we do not have to precisely take care of the levels. Finally, we change all the
CHAPTER 8. DEPENDENT TYPE THEORY 368

type formation rules by adding levels to occurrences of Type. For instance, the
formation rule for Π-types becomes

Γ ` A : Typei Γ, x : A ` B : Typei
(ΠF )
Γ ` Π(x : A).B : Typei

In the following, excepting in this section, we will not be precise on the

universe levels and still allow us to use the type Type. However, it can be
checked that all the subsequent constructions can be adapted as above in order
to properly take levels in account.

Universes in Agda. In Agda, Set is a notation for Type0 , Set ₁ is a notation for
Type1 and so on. For instance, we can define the type of predicates on a type A
as
Predicate : (A : Set) → Set ₁
Predicate A = A → Set

However, if we try to define Predicate as being of type (A : Set) → Set, Agda

will complain that we are trying to fit a type in Type1 into Type0 by issuing
the following error message:
Set ₁ != Set
when checking that the expression A → Set has type Set

Cumulative universes. Systems like Coq have the cumulativity rule builtin, but
systems such as Agda chose not to, mostly for technical reasons. Since we don’t
have it, the type formation rules now have to allow constructors to have different
levels, and for instance the formation rule for Π-types has to be changed to

Γ ` A : Typei Γ, x : A ` B : Typej
(ΠF )
Γ ` Π(x : A).B : Typemax(i,j)

We thus need three operations on levels i:

– we need to have a level 0,
– for every level i we need to have a successor level i + 1 (in order to type
Typei ), and

– we need to be able to compute the maximum of two levels.

This why in Agda levels are defined in the module Level by
postulate
Level : Set
lzero : Level
lsuc : (i : Level) → Level
_ _ : (i j : Level) → Level
CHAPTER 8. DEPENDENT TYPE THEORY 369

Universe polymorphism. Up to now, we have been defining equality as

data _≡_ {A : Set} (x : A) : A → Set where
refl : x ≡ x
This means that we can use it to compare the elements of a small type (for
instance, we can use it to compare natural numbers), but we cannot use it to
compare elements of a large type, typically types. For instance, suppose that
we wan to show that the type is different from the empty type , i.e. we want
to prove:
NB : ¬ ( ≡ )
If we try to prove this with the above definition for equality, Agda complains
that
Set ₁ != Set when checking that the expression has type Set
This is because we are trying to compare the types and , which are of type
Set, which is itself of type Set ₁ , whereas equality is defined on elements of a
type A whose type is Set. To overcome this, we could define another equality ≡ ₁
which allows for comparing types:
data _≡ ₁ _ {A : Set ₁ } (x : A) : A → Set where
refl : x ≡ ₁ x
But this is quite unsatisfactory. Apart from the subscript “ ₁ ”, this definition
is essentially the same as the one for ≡, and we have to prove again for this
notion of equality all the properties we have already proved for ≡, by copying
the proofs and inserting “ ₁ ” from time to time, which means lots of duplication
of code. Moreover, we would have to do this once again if we want to compare
elements of a type whose type is Set ₂ , Set ₃ , and so on.
In order to solve this problem, Agda allows for defining functions on type
Typei for every level i: this is called universe polymorphism. This means that we
can define functions which can take universe levels as arguments. For instance,
we can define equality as
data _≡_ {i : Level} {A : Set i} (x : A) : A → Set where
refl : x ≡ x
As you can observe, the Agda notation for Typei is Set i. This definition de-
pends on a universe level i which is implicit and thus automatically inferred,
and thus allows for comparing elements of types of any level. The actual defi-
nition of equality in the standard library is this one and we can now finish our
example with
NB : ¬ ( ≡ )
NB p with coe p 0
NB p | ()

Lifting. As an other application of universe polymorphism, we can derive in

Agda the cumulativity of universes: we can construct a function Lift which
takes a element of Typei and casts it as an element of Typej with j > i, called
the lifting of the type. Since we do not have access to the order on levels, but
CHAPTER 8. DEPENDENT TYPE THEORY 370

can compute the maximum t of two levels, we actually rather give it the type
Typei → Typeitj , which also ensures that the returned level is greater than the
one given as input. The definition is performed based on the observation that
the lifted type should have the “same” elements as the original one, which can
be expressed by the following inductive type:
data Lift {i} j (A : Set i) : Set (i j) where
lift : A → Lift j A

8.3 More type constructors

In this section, we give the rules in order to add many of the usual type construc-
tors in dependent type theory. All those will be subsumed by inductive types
introduced in section 8.4: as in Agda, these constructions can be implemented
as particular inductive types.

8.3.1 Empty type. For the empty type, or falsity, we add the following two
constructions to expressions

e ::= . . . | ⊥ | bot(e, x 7→ e0 )

The type ⊥ is the type for falsity, which is empty, and the construction

bot(t, x 7→ A)

eliminates a proof t of ⊥ in order to construct an element of type A (which

might depend on t via the variable x). The arrow 7→ is only a formal notation
here, and does not denote a function: bot is a formal constructor which takes
as argument an expression t, a variable x and an expression A. However, the
variable x is bound in A, and could be renamed to any other variable name. In
Agda, it would correspond to the operation which matches a proof of ⊥ in order
to produce an A, i.e. something like
bot : (x : ) → A x
elim ()
The rules are as follows.

Formation. ⊥ is a valid type in any valid context:

Γ`
(⊥F )
Γ ` ⊥ : Type

Introduction. There is no introduction rule, because we do not expect that there

is a way to prove falsity.

Elimination. Elimination allows proving anything from falsity:

Γ`t:⊥ Γ, x : ⊥ ` A : Type
(>E )
Γ ` bot(t, x 7→ A) : A[t/x]
CHAPTER 8. DEPENDENT TYPE THEORY 371

Computation. No rule.

Elimination. No rule.

8.3.2 Unit type. For the unit type, or truth, we add the following construc-
tions to expressions:

e ::= . . . | > | ? | top(e, x 7→ e0 , e00 )

where > is the type for truth, ? is the constructor for truth and

top(t, x 7→ A, u)

eliminates a proof t of > in order to construct a proof u of A.

Formation.
Γ`
(>F )
Γ ` > : Type

Introduction.
Γ`
(>I )
Γ`?:>

Elimination.
Γ`t:> Γ, x : > ` A : Type Γ ` u : A[?/x]
(>E )
Γ ` top(t, x 7→ A, u) : A[t/x]

Computation.

Γ, x : > ` A : Type Γ ` u : A[?/x]

(>C )
Γ ` top(?, x 7→ A, u) = u : A[?/x]

Uniqueness.
Γ`t:>
(>U )
Γ`t=?:>

In OCaml. The type > corresponds to unit, the constructor ? to (), the elimi-
nator top(t, x 7→ A, u) to

match t with
| () -> u
the computation rule says that
match () with
| () -> u
evaluates to u, and uniqueness says that () is the only value of type unit.
CHAPTER 8. DEPENDENT TYPE THEORY 372

8.3.3 Products. For the product, or conjunction, of two types, we add the
following constructions to expressions:
e ::= . . . | e × e0 | he, e0 i | unpair(e, x 7→ e0 , hy, zi 7→ e00 )
The type A × B is the product of A and B (it is sometimes also written A ∧ B).
The term ht, ui is the pair of two terms t and u and
unpair(t, z 7→ A, hx, yi 7→ u)
eliminates a pair t, extracting its components x and y, in order to construct a
proof u whose type is A which might depend on t as z.

Formation.
Γ ` A : Type Γ ` B : Type
(×F )
Γ ` A × B : Type

Introduction.
Γ`t:A Γ`u:B
(×I )
Γ ` ht, ui : A × B

Elimination.
Γ`t:A×B
Γ, z : A × B ` C : Type Γ, x : A, y : B ` u : C[hx, yi/z]
(×E )
Γ ` unpair(t, z 7→ C, hx, yi 7→ u) : C[t/z]

Computation.
Γ`t:A
Γ`u:B Γ, z : A × B ` C : Type Γ, x : A, y : B ` v : C[hx, yi/z]
(×C )
Γ ` unpair(ht, ui, z 7→ C, hx, yi 7→ v) = v[t/x, u/y] : C[ht, ui/z]

Uniqueness.
Γ`t:A×B
(×U )
Γ ` unpair(t, z 7→ A × B, hx, yi 7→ hx, yi) = t : A × B

In OCaml. The type A × B corresponds to a * b, the term ht, ui to the pair

(t , u), the eliminator unpair(t, z 7→ A, hx, yi 7→ u) to
match t with
| (x , y) -> u
the computation rule says that
match (t , u) with
| (x , y) -> v x y
evaluates to v t u, and the uniqueness rule says that
match t with
| (x , y) -> (x , y)
is the same as t.
CHAPTER 8. DEPENDENT TYPE THEORY 373

8.3.4 Dependent sums. Dependent sums, or Σ-types are a generalization the

previous notion of product, where the type of the second component might
depend on the term of the first component. Such a type is written

Σ(x : A).B

and the elements of this type are the pairs (t, u) consisting of a term t of type
A and a term u of type B[t/x]. From a logical point of view, this corresponds
to an existential quantification

∃x ∈ A.B

Namely, a proof of such a proposition consists of a term t in A together with

a proof that B(t) is satisfied. Formally, we add the following constructions to
expressions:

e ::= . . . | Σ(x : A).B | he, e0 i | unpair(e, x 7→ e0 , hy, zi 7→ e00 )

Formation.
Γ ` A : Type Γ, x : A ` B : Type
(ΣF )
Γ ` Σ(x : A).B : Type

Introduction.
Γ, x : A ` B : Type Γ`t:A Γ ` u : B[t/x]
(ΣI )
Γ ` ht, ui : Σ(x : A).B

Elimination.
Γ ` t : Σ(x : A).B
Γ, z : Σ(x : A).B ` C : Type Γ, x : A, y : B ` u : C[hx, yi/z]
(ΠE )
Γ ` unpair(t, z 7→ C, hx, yi 7→ u) : C[t/z]

Computation.

Γ`t:A Γ ` u : B[t/x]
Γ, z : Σ(x : A).B ` C : Type Γ, x : A, y : B ` v : C[hx, yi/z]
(ΠC )
Γ ` unpair(ht, ui, z 7→ C, hx, yi 7→ v) = v[t/x, u/y] : C[ht, ui/z]

Uniqueness.

Γ ` t : Σ(x : A).B
(ΠU )
Γ ` unpair(t, z →
7 Σ(x : A).B, hx, yi 7→ hx, yi) = t : Σ(x : A).B

Pairs. A pairs A × B is a particular case of a Σ-type Π(x : A).B which is not

dependent, i.e. x 6∈ FV(B). In other words, by setting

A×B = Π(_ : A).B

where _ is a variable which never occurs in B, we recover the rules previously

given for products.
CHAPTER 8. DEPENDENT TYPE THEORY 374

It might be puzzling at first that a product would correspond to a sum, but

one should recall that this is actually already the case for natural numbers
m−1
X
m×n= n
i=0

Here, a dependent sum would rather correspond to summing a finite family

(ni )06i<m of natural numbers:
m−1
X
ni
i=0

and a product is a particular case of this where the family is constant (i.e. ni = n
for every index i).

8.3.5 Coproducts. For coproducts, we add the following constructions to ex-

pressions:

e ::= . . . | e + e0 | ιel (e0 ) | ιer (e0 ) | case(x, e 7→ y, e0 7→ z, e00 7→ e000 )

The type A+B is the coproduct of A and B, which logically corresponds to their
disjunction. The elements of this type are either a term t of A, written ιB
l (t), or
a term u of B, written ιAr (u), and the eliminator case(t, z 7→ C, x 7→ u, y 7→ v)
eliminates t to construct a term of type C (which might depend on t as x) by
considering whether it is of the first or the second form, in which case u or v is
returned.

Formation.
Γ ` A : Type Γ ` B : Type
(+F )
Γ ` A + B : Type

Introduction.
Γ`t:A Γ ` B : Type Γ ` A : Type Γ`t:B
(+lI ) (+rI )
Γ` ιB
l (t) :A+B Γ` ιA
r (t) :A+B

Elimination.
Γ`t:A+B Γ, z : A + B ` C : Type
Γ, x : A ` u : C[ιB
l (x)/z] Γ, y : B ` v : C[ιA
r (y)/z]
(+E )
Γ ` case(t, z 7→ C, x 7→ u, y 7→ v) : C[t/z]

Computation.

Γ`t:A Γ ` B : Type Γ, z : A ` C : Type

Γ, x : A ` u : C[ιB
l (x)/z] Γ, y : B ` v : C[ιA
r (y)/z]
(+lC )
Γ ` case(ιB B
l (t), z 7→ C, x 7→ u, y 7→ v) = u[t/x] : C[ιl (t)/z]

Γ ` A : Type Γ`t:B Γ, z : A ` C : Type

Γ, x : A ` u : C[ιB
l (x)/z] Γ, y : B ` v : C[ιA
r (y)/z]
(+rC )
Γ ` case(ιA A
r (t), z 7→ C, x 7→ u, y 7→ v) = v[t/x] : C[ιr (t)/z]
CHAPTER 8. DEPENDENT TYPE THEORY 375

Uniqueness.
Γ`t:A+B
(+U )
Γ ` case(t, z 7→ A + B, x 7→ ιB A
l (x), y 7→ ιr (y)) = t : A + B

In OCaml. The type A + B corresponds to an inductive type of the form

type ('a , 'b) coprod =
| Left of 'a
| Right of 'b

l (t) to Left t, ιr (t) to Right t and the eliminator

ιB A

case(t, z 7→ C, x 7→ u, y 7→ v)
to
match t with
| Left x -> u
| Right y -> v
The left computation rule says that
match Left t with
| Left x -> u x
| Right y -> v y
reduces to u x (and similarly for the right one) and the uniqueness rule says
that
match t with
| Left x -> Left x
| Right y -> Right y
is the same as t.

In Agda. The standard notation for + is and the notations for ιl and ιr are
respectively inj ₁ and inj ₂ , see section 6.5.6.

8.3.6 Booleans. For booleans, we add the following constructions to expres-

sions:
e ::= . . . | Bool | 1 | 0 | ite(e, x 7→ e0 , e00 , e000 )
where Bool is the type of booleans, 1 and 0 are true and false respectively and
ite(t, x 7→ A, u, v) is conditional which returns u or v depending on whether t is
true or false.

Formation.
Γ`
(BoolF )
Γ ` Bool : Type

Introduction.
Γ` Γ`
(Bool1I ) (Bool0I )
Γ ` 1 : Bool Γ ` 0 : Bool
CHAPTER 8. DEPENDENT TYPE THEORY 376

Elimination.
Γ ` t : Bool
Γ, x : Bool ` A : Type Γ ` u : A[1/x] Γ ` v : A[0/x]
(BoolE )
Γ ` ite(t, x 7→ A, u, v) : A[t/x]

Computation.
Γ, x : Bool ` A : Type Γ ` u : A[1/x] Γ ` v : A[0/x]
(Bool1C )
Γ ` ite(1, x 7→ A, u, v) = v : A[1/x]

Γ, x : Bool ` A : Type Γ ` u : A[1/x] Γ ` v : A[0/x]

(Bool0C )
Γ ` ite(0, x 7→ A, u, v) = u : A[0/x]

Uniqueness.
Γ ` t : Bool
(BoolU )
Γ ` ite(t, x 7→ Bool, 1, 0) = t : Bool

In OCaml. Bool corresponds to the type bool, 1 and 0 correspond to true and
false respectively and the eliminator ite(x, A 7→ u, v, t) corresponds to
if t then u else v
The computation rule says that
if true then u else v
reduces to u and that
if false then u else v
reduces to v, and the uniqueness rule says that
if t then true else false
is the same as t.

8.3.7 Natural numbers. For natural numbers, we add the following construc-
tions to expressions:

e ::= . . . | Nat | Z | S(e) | rec(e, x 7→ e0 , e00 , yz 7→ e000 )

where Nat is the type of natural numbers, Z is zero, S(t) is the successor of t
and rec(z, A 7→ u, x, yv 7→ t) is the induction principle on t: u is the base case
and t is the inductive case.

Formation.
Γ`
(NatF )
Γ ` Nat : Type

Introduction.
Γ` Γ ` t : Nat
(NatZI ) (NatSI )
Γ ` Z : Nat Γ ` S(t) : Nat
CHAPTER 8. DEPENDENT TYPE THEORY 377

Elimination.
Γ ` t : Nat Γ, x : Nat ` A : Type
Γ ` u : A[Z /x] Γ, x : Nat, y : A ` v : A[S(x)/x]
(NatE )
Γ ` rec(t, x 7→ A, u, xy 7→ v) : A[t/x]

Computation.

Γ, x : Nat ` A : Type
Γ ` u : A[Z /x] Γ, x : Nat, y : A ` v : A[S(x)/x]
(NatZC )
Γ ` rec(Z, x 7→ A, u, xy 7→ v) = u : A[Z /x]

Γ ` t : Nat Γ, x : Nat ` A : Type Γ ` u : A[Z /x] Γ, x : Nat, y : A ` v : A[S(x)/x]

(NatSC )
Γ ` rec(S(t), x 7→ A, u, xy 7→ v) = v[t/x, rec(t, x 7→ A, u, xy 7→ v)/y] : A[S(t)/x]

Uniqueness.

Γ ` t : Nat
(NatU )
Γ ` rec(t, x 7→ Nat, Z, xy 7→ S(y)) = t : Nat

In OCaml. The type Nat corresponds to the type

type nat =
| Z
| S of nat
where the constructors Z and S respectively correspond to Z and S, and the
eliminator rec(t, x 7→ A, u, xy 7→ v) to
let rec ind t =
match t with
| Z -> u
| S x -> let y = ind x in v
The computation rule says that
ind Z

reduces to u and
ind (S t)
reduces v where x has been replaced by t and y by ind t, and the uniqueness
rule says that

let rec ind t =

match t with
| Z -> Z
| S x -> let y = ind x in S y

is the identity function.

CHAPTER 8. DEPENDENT TYPE THEORY 378

8.3.8 Other type constructors. There are two fundamental type construc-
tions which were not given in this section: inductive types are presented in
section 8.4 and identity types are presented in section 9.1.

8.4 Inductive types

We now present how to formalize general inductive types in type theory. We
have already seen lots of examples in Agda in sections 6.4 and 6.5. For instance,
the type of booleans is
data Bool : Set where
false : Bool
true : Bool
the type of natural numbers is

data : Set where

zero :
suc : →
the type of (rooted planar) binary trees is

data BTree : Set where

leaf : BTree
node : BTree → BTree → BTree
the type of (rooted planar) trees is

data Tree : Set where

nil : Tree
node : List Tree → Tree
the type of lists is
data List (A : Set) : Set where
nil : List A
cons : A → List A → List A
the type of vectors is
data Vec (A : Set) : → Set where
nil : Vec A zero
cons : {n : } → A → Vec A n → Vec A (suc n)
the type of finite sets is
data Fin : → Set where
zero : {n : } → Fin (suc n)
suc : {n : } → Fin n → Fin (suc n)
ans so on.
CHAPTER 8. DEPENDENT TYPE THEORY 379

8.4.1 W-types. The study and formalization of inductive types is notoriously

difficult and a source of bugs and inconsistencies. For simplicity, we begin by
studying a very restricted form of inductive types A, called polynomial types or
W-types, which are defined in such a way that each constructor takes a finite
number of arguments of type A (we will see that we can also easily generalize
this to accept arguments whose type do not involve A, the most important
part of the restriction is that constructors cannot have arguments whose type
involve A in non-trivial ways, such as having an argument of type A → A). In
pseudo-Agda code, such a type would be defined as
data A : Set where
C₁ : A → ... → A → A
C₂ : A → ... → A → A
...
Cₙ : A → ... → A → A
where A is the inductive type and the C ᵢ are the constructors. For instance, the
type Bool of booleans, Nat of natural numbers and the type BTree of binary
trees are of this form. In particular, the type BTree has two constructors (leaf
and node), respectively taking 0 and 2 arguments.
Such a type is entirely characterized by
– a number n of constructors, and
– a function f : {0, . . . , n − 1} → N which to i associates the number of
arguments of the i-th constructor.
For instance,
– for booleans, we have n = 2 and f (0) = f (1) = 0,
– for natural numbers, we have n = 2, f (0) = 0 and f (1) = 1 (the 0-th and
1-st constructors are respectively zero and successor),
– for binary trees, we have n = 2, f (0) = 0 and f (1) = 2 (the 0-th and 1-st
constructors are respectively leaf and node).
The problem with this data, namely the pair (n, f ), is that it does not consist of
types, and thus does not allow for very natural formalization in terms of typing
rules. We will see below that it can however be encoded quite naturally into
types.

Finite families of types. Suppose that our type theory contains the type ⊥ with 0
element (section 8.3.1), the type > with 1 element (section 8.3.2) and coproducts
(section 8.3.5). Given a natural number n, we can build a type Finn with n
elements as
Finn = > + > + . . . + >
the sum being ⊥ in the case n = 0. For instance, the type Fin4 with 4 elements
is
Fin4 = > + (> + (> + >))
A typical element of this type is ιr (ιr (ιl (?))), but we will simplify the notations
and write 0, 1, 2 and 3 for its elements. In Agda, we have already encountered
CHAPTER 8. DEPENDENT TYPE THEORY 380

this type in section 6.4.8. It can be noted that, given a type A, defining a
function f : Finn → A precisely amounts to specifying n elements of A, those
elements being f (0), . . . , f (n − 1).

W-types. Now that we have made the previous remark, we can reformulate our
definition of inductive types using types with finite number of elements instead
of natural numbers. A polynomial type consists of
– a type A with n elements, for some natural number n,
– for every element x of type A, a type B(x) with nx elements for some
natural number nx .

In other words, it consists of a pair (A, B), with

A : Type B : A → Type

such that A = Finn for some natural number n and, for every x : A, we have
B(x) = Finnx for some natural number nx . It turns out that this restriction to
the case where A and B(x) are finite types is not very useful in the following,
so that we will drop it. Having an infinite type A (e.g. natural numbers) corre-
sponds to having an infinite number of constructors, which seems worrying at
first, but we will see that it is actually reasonable and useful.
Given a type A, and a type B which might have x has free variable, we write

W(x : A).B

for the inductive type defined by this data and call it a W-type. Again, this
should be thought of as an inductive type with a constructor for each element x
of type A, this constructor taking as many arguments as there are elements
in B(x). The constructor W is binding x in B, and α-conversion allows us to
rename it as we want.
Example 8.4.1.1. The type of binary trees can be defined by

A = Fin2 B(0) = Fin0 B(1) = Fin2

We now wonder what the terms of type W(x : A).B look like. Consider the
type of binary trees as defined in Agda above. A typical element of this type is

node (node leaf (node leaf leaf)) leaf)

which consists of a the constructor node, applied to two binary trees: the trees
node leaf (node leaf leaf) and leaf. More generally, an element of the type
W(x : A).B consists of
– a constructor, i.e. an element a of A, and
– n elements of W(x : A).B, where n is the number of elements of the type
B a, which is most naturally specified by giving a function B a → W(x : A).B.
CHAPTER 8. DEPENDENT TYPE THEORY 381

W-types in Agda. The previous reformulation directly allows us to define W -

types in Agda as follows:

data W (A : Set) (B : A → Set) : Set where

sup : (a : A) → (B a → W A B) → W A B
The only constructor sup allows constructing an element of W(x : A).B by
specifying a constructor in A and arguments in the W -type, as explained above.
For instance, the type of natural numbers has two constructors, so that we
can take A = Bool where, by convention, false corresponds to the constructor
zero and true to suc. The first constructor takes zero argument, which means
that A false should be an empty type (we can take ⊥) and A true takes one
argument so that we should take Arg true to be a type with one element (we
can take >). We can thus define:
Nat : Set
Nat = W Bool (λ { false → ; true → })
Up to some syntactical heaviness (such as having to write booleans to call the
constructors), this is precisely the usual inductive type for natural numbers. For
instance, addition can be programmed “as usual”:

_+_ : Nat → Nat → Nat

sup false _ + n = n
sup true x + n = sup true (λ { tt → x tt + n })
Similarly, the type of binary trees is
BTree : Set
BTree = W Bool (λ { false → ; true → Bool })

Encoding into W-types. The class of types which we can handle looks quite
restricted because the arguments of constructors can only be of the W-type
itself. It is actually not, thanks to the extra generality brought by the possibility
of having arbitrary type as A and B(x), and not only finite types. For instance,
the type of lists
data List (A : Set) : Set where
nil : List A
cons : A → List A → List A
is not obviously a W-type because the constructor cons takes an argument of
type A, whereas we are trying to define List A, and thus the arguments of
constructors should have this type. However, instead of thinking of cons as one
constructor, we can think of it as an infinite family of constructors cons a, one
for each element a of A, each of which is taking one argument of type List A. In
this way, it is natural to take Maybe A as the type of constructors where nothing
corresponds to the constructor nil and just a corresponds to cons a, and we
define
List : (A : Set) → Set
List A = W (Maybe A) (λ { nothing → ; (just x) → })
CHAPTER 8. DEPENDENT TYPE THEORY 382

8.4.2 Rules for W-types. In order to add support for W-types, one should
add the following constructions to expressions:

e ::= . . . | W(x : e).e0 | sup(e, e0 ) | Wrec(e, x 7→ e0 , xyz 7→ e00 )

where W(x : A).B the W-type constructor, sup(t, u) constructs an element of

a W-type with t as constructor and u as function specifying arguments, and
Wrec(t, x 7→ C, xyz 7→ u) eliminate an element t of a W-type and produce an
element of type C.

Formation.
Γ, x : A ` B : Type
(WF )
Γ ` W(x : A).B : Type

Introduction.
Γ`t:A Γ ` u : B[t/x] → W(x : A).B
(WI )
Γ ` sup(t, u) : W(x : A).B

Elimination.
Γ ` t : W(x : A).B Γ, x : W(x : A).B ` C : Type
Γ, x : A, y : B → W(x : A).B, z : Π(w : B).C[(y w)/x] ` u : C[sup(x, y)/x]
(WE )
Γ ` Wrec(t, x 7→ C, xyz 7→ u) : C[t/x]

Computation.
Γ`t:A Γ, x : W(x : A).B ` C : Type Γ ` u : B[t/x] → W(x : A).B
Γ, x : A, y : B → W(x : A).B, z : Π(w : B).C[(y w)/x] ` v : C[sup(x, y)/x]
(WC )
Γ ` Wrec(sup(t, u), x 7→ C, xyz 7→ v) = v[t/x, u/y, λw. Wrec(u w, x 7→ C, xyz 7→ v)/z] : C[sup(t, u)/x]

Uniqueness. This is not usually considered and requires function extensionality.

8.4.3 More inductive types. W-types are very fine if you want to perform a
clean and easy implementation of inductive types, or want to study metatheo-
retic properties of types. In practice, provers have more involved implementa-
tions of inductive types. One reason is user-friendliness: we want to be able to
give nice names for constructors, have a nice syntax for pattern matching, gen-
erate pattern-matching cases automatically, etc. Also, we do not want the user
to have to explicitly encode his types into W-types, and more generally we want
to implement extensions of W-types. The interested reader is advised to look
at good descriptions of actual inductive types in Agda [Nor07], in Coq [PM93]
or theory [Dyb94]. We list below some common extensions of inductive types.

Indexed W-types. A first generalization of the notion of W-type is the support

for indices. For instance, the type of finite sets is defined as

data Fin : → Set where

zero : {n : } → Fin (suc n)
suc : {n : } → Fin n → Fin (suc n)
CHAPTER 8. DEPENDENT TYPE THEORY 383

so that Fin n is a type with n elements. Here, the type takes a natural number n
as argument, and various values for this argument are needed for constructors,
e.g. suc needs an argument of type Fin n to produce a Fin (n+1).
The definition of W-types can be modified in order to account for indices as
follows. We only give here the implementation in Agda:
data W (I : Set) (A : I → Set) (B : (i : I) → A i → I → Set) : I → Set
where
sup : (i : I) (a : A i) → ((j : I) → B i a j → W I A B j) → W I A B i
In this type, I is the type for indices, A i is the type indicating the constructors
with index i, and B a j indicates the number of arguments of index j of the
constructor a.
Example 8.4.3.1. For instance, in the case of Fin,
– I is the type of natural numbers,
– A 0 is the empty type (there is no constructor for Fin 0) and, for i > 0,
A i is the type Bool with two elements (there are two constructors for
Fin i: respectively zero and suc),
– for indices i and j,
– the constructor zero of type Fin j takes zero argument of type Fin i
– the constructor suc of type Fin j takes one argument of type Fin i
when suc i is j, and zero argument otherwise,
which determines the types B i a j.
We thus define the type A as

A : → Set
A zero =
A (suc n) = Bool
the type B as
B : (n : ) → A n → → Set
B (suc n) false m =
B (suc n) true m with n ≟ m
B (suc n) true m | yes _ =
B (suc n) true m | no _ =
and finally, the type of finite sets as

Fin : → Set
Fin n = W A B n
Exercise 8.4.3.2. Define the types Vec A n of vectors of length n containing
elements of type A using indexed W-types.
CHAPTER 8. DEPENDENT TYPE THEORY 384

Mutually inductive types. One might want to define two inductive types which
mutually depend on each other. For instance, trees and forest can be defined in
a mutually inductive fashion as follows:
data Tree : Set
data Forest : Set

data Tree where

leaf : Tree
node : Forest → Tree

data Forest where

nil : Forest
cons : Tree → Forest → Forest
A tree takes a forest as argument and a forest is a list of trees (although we
do not use the inductive type for lists here and define a new one adapted to
forests).

Nested inductive types. One might want to define inductive types in which argu-
ments are other inductive types applied to the type itself. For instance, trees can
also be defined as nodes taking lists of trees as argument, lists being themselves
defined as an inductive types:
open import Data.List

data Tree : Set where

nil : Tree
node : List Tree → Tree

Inductive-inductive types. One might want to define both

– an inductive type A and
– a predicate on A (i.e. a function A → Type)
whose definitions mutually depend on each other. For instance, the type of
sorted lists can be defined along the predicate _≤*_ (where x ≤* l means that x
is below every element of the list l, see section 6.7.2) as follows. In Agda, we
first have to declare the type of the two definitions by
data SortedList : Set
data _≤*_ : → SortedList → Set
and we can then define both types by mutual induction by
data SortedList where
nil : SortedList
cons : (x : ) (l : SortedList) (le : x ≤* l) → SortedList

data _≤*_ where

≤*-empty : {x : } → x ≤* nil
≤*-cons : {x y : } {l : SortedList} →
x ≤ y → (le : y ≤* l) → x ≤* (cons y l le)
Such types are called inductive-inductive types [FS12].
CHAPTER 8. DEPENDENT TYPE THEORY 385

Coinductive types. Inductive types are defined as a smallest fixpoint, see sec-
tion 1.3.3. For instance, the type of natural numbers is the smallest type con-
taining zero and closed under successor. It is also possible to consider greatest
fixpoints, and the resulting types are called coinductive types.

8.4.4 The positivity condition. When adding more general forms of induc-
tive types, one should be very careful. Adding seemingly useful or natural
inductive types can make the system inconsistent.

Inconsistent inductive types. As an illustration, consider inductive types where

the arguments of constructors are types built from basic types, the inductive
type we are defining, and arrows. For instance, with this formalism, the type of
binary trees could be implemented in Agda as
data BTree : Set where
leaf : BTree
node : (Bool → BTree) → BTree
where the argument of the node constructor is Bool → BTree which is an arrow
from a basic type (Bool) to the inductively defined type (BTree): given a function
f of this type, f false indicates the first child and f true indicates the second
child of the node.
Such inductive types also allow for a very natural implementation of λ-terms.
Namely, since Agda already implements λ-calculus (α-conversion, β-reduction,
etc.), we would like to use this instead of explicitly redefining those. One way
to do this is to observe that the only thing we can do with an abstraction λx.t is
to β-reduce it, and therefore implement it as the function which to a λ-term u
associates the term t[u/x], this is normalization by evaluation which is detailed
in section 3.5.2. This suggests implementing λ-terms as the type
data Term : Set where
abs : (Term → Term) → Term
(we should also add a constructor for variables, which we did not do here since
it will play no role in the following explanation) and application as
app : Term → Term → Term
app (abs f) t = f t
However, remembering the course about λ-calculus in section 3.2.6, we start
feeling bad because we remember that we can define a looping λ-term as

loop : Term
loop = app ω ω
where ω is defined as
ω : Term
ω = abs (λ x → app x x)

which contradicts the postulate that all terms should be terminating in Agda.
Indeed, if we consider the small variation where we define terms
CHAPTER 8. DEPENDENT TYPE THEORY 386

data Term : Set where

abs : (Term → ) → Term
then app has type Term → Term → and loop is a proof of ⊥, i.e. our logic is
inconsistent!
The proof can further be simplified by defining
data Bad : Set where
bad : (Bad → ) → Bad
(we are simply giving another name to the new Term here), which is now thought
of as a type equivalent to its own negation, thus allowing to prove ⊥. Namely,
we can show the negation of this type by
not-Bad : Bad →
not-Bad (bad f) = f (bad f)
we construct give a proof of the type
is-Bad : Bad
is-Bad = bad not-Bad
and thus conclude to an inconsistency:
absurd :
absurd = not-Bad is-Bad

The positivity condition. In practice, when defining the type Bad in Agda, we
get an error message stating that
Bad is not strictly positive, because it occurs to the left of an
arrow in the type of the constructor bad in the definition of Bad.
This message indicates that our type is rejected, thus preventing the logic from
being inconsistent, because it does not satisfies the “strict positivity condition”
explained below. In order to test the above examples, you can however disable
this check by writing
{-# NO_POSITIVITY_CHECK #-}
just before the definition of the type.
In order to build intuition, first consider traditional functions between sets.
We write A ⇒ B for the set of all functions from a set A to a set B. Given sets
A, B and B 0 , it can be noted that

B ⊆ B0 implies (A ⇒ B) ⊆ (A ⇒ B 0 )

Namely, given a function f : A → B, the image of every element of A is an

element of B and thus of B 0 , i.e. f is a function from A to B 0 . However, on the
left of arrows, the situation is reversed: for sets A, A0 and B, we rather have

A ⊆ A0 implies (A ⇒ B) ⊇ (A0 ⇒ B)

Namely, any function defined for every element of A0 is in particular defined

for every element of A. Because of this behavior, the arrow types are said to
CHAPTER 8. DEPENDENT TYPE THEORY 387

be covariant in B and contravariant in A; we also say that A varies negatively

and B varies positively in A ⇒ B. Traditionally, inductive types are obtained by
“adding elements” to the type. For instance, natural numbers contain zero and
for every natural number n, we add a new natural number, its successor. Now,
if some constructors have negative occurrences of the inductively defined type,
when adding more elements we should also remove some elements, because the
constructor is contravariant, and the meaning of the inductively defined type is
not clear at all. In terms of the formalization described in section 1.3.3, this
means that the function induced by the description of the inductive type might
not be increasing, so that we have no guarantee that it should have a smallest
fixpoint.
The polarity (positive or negative) of a type can be defined as follows. For
simplicity, we consider types of the form

A, B ::= X | A → B

consisting either of a variable or an arrow. Given a type A, the polarity of a

type which is a subterm of A, is defined by induction on A by
– the polarity of A is positive,

– in a type B → C, the polarity of C is the same as the polarity of B → C,

– in a type B → C, the polarity of B is the opposite of the polarity
of B → C.
In other terms, the polarity at toplevel is positive, stays the same when we go to
the right of an arrow and changes when we go to the left of an arrow. An Agda
formalization of this is given in figure 8.1. A type is strictly positive when it is
positive and we did not encounter negative types when computing the polarity.
Example 8.4.4.1. For instance, in the type

A → ((B → C) → (D → E))

the types A, C and D are negative and B and E is positive. The syntactic tree
of the type can be written as follows

→+

A− →+

→− →+

B+ C− D− E+

where + or − indicate the polarity of subtrees (positive or negative). The type E

is strictly positive, but the type B is not strictly positive, because we computed
its polarity by
– A → ((B → C) → (D → E)) is positive, thus
– (B → C) → (D → E) is positive, thus
CHAPTER 8. DEPENDENT TYPE THEORY 388

-- Polarities
data Polarity : Set where
pos : Polarity
neg : Polarity

-- Opposite of a polarity
op : Polarity → Polarity
op pos = neg
op neg = pos

-- Types
data Type : Set where
var : → Type
arr : Type → Type → Type

-- Subterm relation on types

data _<_ : Type → Type → Set where
top : {A : Type} → A < A
left : {A A' B : Type} → A < A' → A < arr A' B
right : {A B B' : Type} → B < B' → B < arr A B'

-- Polarity of a type A in a type B

polarity : {A B : Type} → A < B → Polarity
polarity top = pos
polarity (left p) = op (polarity p)
polarity (right p) = polarity p

Figure 8.1: Polarities of types in Agda.

CHAPTER 8. DEPENDENT TYPE THEORY 389

– B → C is negative, thus
– B is positive,

and we encountered negative types.

Agda (and most other provers such as Coq) implement the following restric-
tion on inductive types: given a constructor of an inductive type A, if A occurs
in the argument of an inductive type, then it must do so strictly positively.
For instance, Bad above is rejected because the constructor bad takes one argu-
ment of type Bad → , where Bad occurs negatively. The above counter-example
explains why we must forbid negative occurrences. The reason why we must
further restrict to strictly positive occurrences is explained for Coq in [CP88];
its usefulness in Agda is not so clear [Coq13], which is why we did not provide
a counter-example.

8.4.5 Disjointedness and injectivity of constructors. We present here two

important properties of inductive type constructors in Agda related to equality.

Disjointedness of constructors. Constructors are disjoint, meaning that values

made using two different constructors are necessarily different. For instance,
over natural numbers, zero cannot be equal to the successor of some number:

zero-suc : {n : } → zero ≡ suc n →

zero-suc ()
Here, the empty pattern () means that Agda should check by himself that the
case where zero is equal to suc n cannot happen, which it does thanks to the
disjointedness assumption.

Injectivity of constructors. Constructors are injective, meaning that if two con-

structed values are equal then the arguments are equal. For instance:

suc-injective : {m n : } → suc m ≡ suc n → m ≡ n

suc-injective refl = refl
(this could also directly be shown as a direct use of cong).

Injectivity of type constructors. Type constructors are not injective by default.

For instance, the following does not typecheck:
list-inj : {A B : Set} → List A ≡ List B → A ≡ B
list-inj refl = refl

We can however explicitly ask Agda to make type constructors injective, by

adding the following pragma at the beginning of the file:
{-# OPTIONS --injective-type-constructors #-}
The reason why it is not enabled by default is that it makes the system incon-
sistent together with the excluded middle, thus preventing from safely working
in classical logic. A counter-example was found by Hur based on the following
observation [Hur10]. We can define an inductive data type of the form
CHAPTER 8. DEPENDENT TYPE THEORY 390

data I : (Set → Set) → Set where

(the constructors will not matter, so we might as well choose to have none). The
injectivity of the type constructor I amounts to having an injection of Set → Set
into Set, which is excluded by a diagonal argument à la Cantor, appendix A.4.
Namely, with injective type constructors, we can show
inj : {x x' : Set → Set} → I x ≡ I x' → x ≡ x'
inj refl = refl
In order to use the Cantor diagonal argument formalized in appendix A.4.2, we
have to show that Set contains two distinct types, say > and ⊥,
≢ : ¬ ( ≡ )
≢ p = subst (λ A → A) p tt
and suppose that the law of excluded middle holds
postulate lem : (A : Set ₁ ) → Dec A
We finally conclude
absurd :
absurd = Cantor.no-injection ≢ lem I inj

8.5 Implementing type theory

We now explain how to implement a typechecker in dependent type theory in a
reasonably efficient and principled way. We chose to implement a type theory
with Π-types, natural numbers and identity types in order to show most of the
principles needed in order to implement a typechecker. Identity types will be
presented in section 9.1, and you can simply ignore them if you have not yet
read this part of the book. We could have more generally implemented inductive
types (or, at least, W-types) in a similar way [CKNT09], but felt that the code
would be more readable when specialized to natural numbers and identity types.
The version given here is a variant of the description standard implementations
for dependent types [Coq96, GL02, CKNT09, LMS10, Bau12].
The basic idea is to implement a bidirectional typechecking algorithm, simi-
lar to the one we already presented for simply-typed λ-calculus in section 4.4.5:
we try to check that a term has a given type when we have a candidate for
the type, otherwise we try to infer the type of the term. The reason for this is
that we generally declare the type of functions before defining them, but do not
want to annotate each λ-abstraction with the type of the variable. This is for
instance the way things are in Agda. There is a subtlety though: when com-
paring expressions (terms or types), we should do so modulo αβ-convertibility.
As detailed in section 4.2.4, by the confluence and termination of the calculus,
we can decide whether two expressions t and u are convertible, by computing
their normal forms (i.e. β-reducing them as much as we can) and checking the
resulting terms for α-convertibility. This means that we should choose a way to
implement β-reduction among the ones presented in section 3.5. The normaliza-
tion by evaluation technique (section 3.5.2) is the most suitable for us: it is quite
easy to implement because it relies on the implementation of the β-reduction of
CHAPTER 8. DEPENDENT TYPE THEORY 391

the programming language (OCaml in our case). Moreover, it allows for an effi-
cient implementation of convertibility: instead of fully performing β-reduction,
we can compute weak head normal forms, so that we can potentially detect
when two terms are not equal without fully reducing them.

8.5.1 Expressions. We begin by formally defining expressions as

type expr =
| Var of string (** a variable *)
| Abs of string * expr (** a lambda-abstraction *)
| App of expr * expr (** an application *)
| Pi of string * expr * expr (** a Pi-type *)
| Type of int (** a universe *)
| Nat (** type of natural numbers *)
| Zero (** zero *)
| Succ of expr (** successor *)
| Rec of expr * expr * expr * expr (** recurrence *)
| Id of expr * expr * expr (** identity type *)
| Refl of expr (** reflexivity *)
| J of expr * expr * expr * expr * expr * expr (** id elim *)
An expression is thus either a variable, a λ-abstraction

λx.t written Abs(x, t)

an application of an expression to another, a Π-type

Π(x : a).b written Pi(x, a, b)

a universe of given level, the type of natural numbers, zero, the successor of a
natural number, the recurrence principle

rec(n, x 7→ A, z, mr 7→ s)

written
Rec(n, Abs(x, a), z, Abs(m, Abs(r, s)))
(note that we use abstractions as arguments of Rec in order to avoid having
to handle α-conversion here, and only take care of it for abstractions, see sec-
tion 4.3.3) and identity type

IdA (t, u) written Id(a, t, u)

a reflexivity proof
refl(t) written Refl(t)
or a J eliminator
J(e, xye 7→ A, x 7→ r)
written

J(a, Abs(x, Abs(y, Abs(e, a))), Abs(x, r), t, u, e)

CHAPTER 8. DEPENDENT TYPE THEORY 392

Values. A term will evaluate to a value which is, by definition, a term which
does not reduce anymore. The type corresponding to values is
type value =
| VAbs of (value -> value) (** a lambda-abstraction *)
| VPi of value * (value -> value) (** a Pi-type *)
| VType of int (** a universe *)
| VNat (** type of natural numbers *)
| VZero (** zero *)
| VSucc of value (** successor *)
| VId of value * value * value (** identity type *)
| VRefl of value (** reflexivity *)
| VNeutral of neutral (** a neutral value *)
which roughly corresponds to the definition of expressions, with a few notable
differences, as we now explain. For abstractions (VAbs), the body is not yet
evaluated, because we are computing weak head normal forms: instead, we have
a function which given an argument, will compute the normal form of the body
with the argument substituted as expected. Similarly, a Π-type Π(x : A).B
is stored in VPi as the type A and the function λxA .B, which provides the
type B given the argument of type A. The last case corresponds to neutral
values: those are expressions in which the computation is not fully performed,
but is stuck because we do not know the value for some variable. For instance,
given a variable x and a term t, the term x t is a value: in order to evaluate
this application, we would need to know the value for x, which should be a
λ-abstraction. Neutral values are defined by the type
and neutral =
| NVar of string
| NApp of neutral * value
| NRec of neutral * value * value * value
| NJ of value * value * value * value * value * neutral
and thus consist either of a variable, or a neutral value applied to a value
(typically, x t), or a recurrence on a neutral value (e.g. a recurrence on a variable)
or an elimination of a neutral proof of identity.

8.5.2 Evaluation. We can then easily write a function which applies a value t
to another value u. In the case t is an abstraction, we apply it to u. Otherwise,
if we assume that the terms are suitably typed, t has to be a neutral value
(e.g. we cannot apply a natural number to some other term), in which case the
result is still a neutral value:
let vapp u v =
match u with
| VAbs f -> f v
| VNeutral t -> VNeutral (NApp (t, v))
| _ -> assert false
Thanks to this helper function, we can write a function eval which evaluates
an expression t to a value. The function also take an environment env, which
is a list of pairs associating to a free variable its value, in the case it is known.
CHAPTER 8. DEPENDENT TYPE THEORY 393

let rec eval env t =

match t with
| Var x ->
(try List.assoc x env with Not_found -> VNeutral (NVar x))
| Abs (x, e) -> VAbs (fun v -> eval ((x,v)::env) e)
| App (e1, e2) -> vapp (eval env e1) (eval env e2)
| Pi (x, a, e) -> VPi (eval env a, fun v -> eval ((x,v)::env) e)
| Type i -> VType i
| Nat -> VNat
| Zero -> VZero
| Succ e -> VSucc (eval env e)
| Rec (n, a, z, s) ->
let n = eval env n in
let a = eval env a in
let z = eval env z in
let s = eval env s in
let rec f = function
| VZero -> z
| VSucc n -> vapp (vapp s n) (f n)
| VNeutral n -> VNeutral (NRec (n, a, z, s))
| _ -> assert false
in
f n
| Id (a, t, u) -> VId (eval env a, eval env t, eval env u)
| Refl t -> VRefl (eval env t)
| J (a, p, r, t, u, e) ->
(
match eval env e with
| VRefl _ -> eval env r
| VNeutral e ->
VNeutral (NJ (eval env a, eval env p, eval env r,
eval env t, eval env u, e))
| _ -> assert false
)
As explained above, when evaluating a function (Abs), we return a function
which will return the value corresponding to the body, provided the argument,
which is stored in the environment. We use the function vapp in order to evalu-
ate applications (App). For constructors corresponding to types and introduction
rules, the function simply consists in evaluating all the arguments of the con-
structor. For the constructors corresponding to elimination rules, we evaluate
the argument we are eliminating and then evaluate the construction accordingly.
For instance, for recurrence (Rec), we evaluate the natural number n on which
the recurrence is applied and compute the result of the recurrence accordingly,
depending on whether the result is zero, a successor, or a variable.

8.5.3 Convertibility. Our goal is now to decide the convertibility of expres-

sions. As explained above, this is basically performed by evaluating expressions
to values and then comparing the resulting values for equality (we call veq
the function which compares two values). However, since values may contain
CHAPTER 8. DEPENDENT TYPE THEORY 394

functions (under the VAbs constructors), we first have to implement a read-

back function which will convert a value into an expression, following the same
techniques as in section 3.5.2.

Readback. The readback function takes as arguments an natural number k (to

generate fresh variables) and a value, and produces an expression:
let rec readback k v =
let rec neutral k = function
| NVar x ->
Var x
| NApp (t, u) ->
App (neutral k t, readback k u)
| NRec (n, a, z, s) ->
Rec (neutral k n, readback k a, readback k z, readback k s)
| NJ (a, p, r, t, u, e) ->
J (readback k a, readback k p, readback k r,
readback k t, readback k u, neutral k e)
in
match v with
| VAbs f ->
let x = fresh k in
Abs (x, readback (k+1) (f (var x)))
| VPi (a, b) ->
let x = fresh k in
Pi (x, readback k a, readback (k+1) (b (var x)))
| VType i -> Type i
| VNat -> Nat
| VZero -> Zero
| VSucc n -> Succ (readback k n)
| VId (a, t, u) ->
Id (readback k a, readback k t, readback k u)
| VRefl t -> Refl (readback k t)
| VNeutral t -> neutral k t
This function essentially consists in translating the constructors of value into
the corresponding constructors of expr. The only subtlety can be found in the
case of VAbs (and VPi which is similar). In order to generate the expression
corresponding to an abstraction VAbs f, we apply f to a fresh variable, whose
name is generated thanks to the natural number k. Namely, we use the following
helper function to construct a “fresh” variable name with index k:
let fresh k = "x@"^string_of_int k
(we suppose that the user will never input a variable name containing the char-
acter @). Above, the function var is a shorthand to construct a variable with
given name:
let var x = VNeutral (NVar x)

Equality of values. Because of the way the readback function is implemented, by

canonically generating variable names when needed using an index k, two values
CHAPTER 8. DEPENDENT TYPE THEORY 395

will be α-convertible when they have the same readback. We can therefore test
the equality of two values t and u with the following function:

let veq k t u = readback k t = readback k u

More efficient equality. The above test for equality of values is not very effi-
cient: it essentially requires evaluating the whole term, which can be very costly,
whereas this is unnecessary when the two terms are not equal. For instance,
the two terms VAbs f and VZero are not equal, and there is no need to proceed
to the evaluation of f in order to determine this. The following refined test for
equality takes this into account: it combines both readback and comparison,
and amounts to compute the weak head normal forms of the two terms (see
section 3.5.1) in order to compare them, and only evaluate under abstractions
if the two weak head normal forms are abstractions.
let rec veq k t u =
let rec neq k t u =
match t, u with
| NVar x, NVar y -> x = y
| NApp (t, v), NApp (t', v') ->
neq k t t' && veq k v v'
| NRec (n, a, z, s), NRec (n', a', z', s') ->
neq k n n' && veq k a a' && veq k z z' && veq k s s'
| NJ (a, p, r, t, u, e), NJ (a', p', r', t', u', e') ->
veq k a a' && veq k p p' && veq k r r' &&
veq k t t' && veq k u u' && neq k e e'
| _, _ -> false
in
match t, u with
| VAbs f, VAbs g ->
let x = var (fresh k) in
veq (k+1) (f x) (g x)
| VPi (a, b), VPi (a', b') ->
let x = var (fresh k) in
veq k a a' && veq (k+1) (b x) (b' x)
| VType i, VType j -> i = j
| VNeutral t, VNeutral u -> neq k t u
| VNat, VNat -> true
| VZero, VZero -> true
| VSucc t, VSucc u -> veq k t u
| VId (a, t, u), VId (a', t', u') ->
veq k a a' && veq k t t' && veq k u u'
| VRefl t, VRefl u -> veq k t u
| _, _ -> false
The helper function neq compares neutral values for equality.
Exercise 8.5.3.1. Modify this function in order to compare values for η-equi-
valence. You should start by adding a new argument to the function which is
the common type of the two values. See also exercise 7.5.3.1.
CHAPTER 8. DEPENDENT TYPE THEORY 396

8.5.4 Typechecking. Finally, we can implement a type inference function

infer as follows. We follow here the principles of bidirectional typechecking
and define it at the same time (by mutual recursion) as one performing type
checking, i.e. this is quite similar to the developments of section 4.4.5. The type
inference function takes as argument an index k for generating fresh variables
as above, a typing environment tenv associating to variable names a type, an
environment env associating to variable names a value, and a term t whose type
we would like to determine. This function is essentially, a translation in OCaml
of the natural deduction rules of sections 8.1, 8.3 and 9.1.3:

let rec infer k tenv env t =

match t with
| Var x ->
(
try List.assoc x tenv
with Not_found -> raise (Unbound_variable x)
)
| App (t, u) ->
(
match infer k tenv env t with
| VPi (a, b) ->
check k tenv env u a;
b (eval env u)
| _ -> raise Type_error
)
| Pi (x, a, b) ->
let i = universe k tenv env a in
let a = eval env a in
let j = universe k ((x,a)::tenv) env b in
VType (max i j)
| Type i -> VType (i+1)
| Nat -> VType 0
| Zero -> VNat
| Succ t ->
check k tenv env t VNat;
VNat
| Rec (n, a, z, s) ->
(
check k tenv env n VNat;
match eval env a with
| VPi (VNat, a) ->
let n = eval env n in
check k tenv env z (a VZero);
check k tenv env s
(VPi (VNat, fun n -> varr (a n) (a (VSucc n))));
a n
| _ -> raise Type_error
)
| Id (a, t, u) ->
let i = universe k tenv env a in
CHAPTER 8. DEPENDENT TYPE THEORY 397

let a = eval env a in

check k tenv env t a;
check k tenv env u a;
VType i
| Refl t ->
let a = infer k tenv env t in
let t = eval env t in
VId (a, t, t)
| J (a, p, r, t, u, e) ->
let i = universe k tenv env a in
let a = eval env a in
check k tenv env p
(VPi (a, fun x ->
VPi (a, fun y -> varr (VId (a, x, y)) (VType i))));
let p = eval env p in
let p x y e = vapp (vapp (vapp p x) y) e in
check k tenv env r (VPi (a, fun x -> p x x (VRefl x)));
check k tenv env t a;
check k tenv env u a;
let t = eval env t in
let u = eval env u in
check k tenv env e (VId (a, t, u));
let e = eval env e in
p t u e
| Abs _ -> raise Type_error

This function raises an error Unbound_variable when an undeclared variable

is used and Type_error when the expression does not typecheck. It uses the
following helper function to construct an arrow type, as a non-dependent Π-
type:
let varr a b = VPi (a, fun _ -> b)

This function is defined by mutual induction with a function which checks that
an expression is a type and returns its universe level:
and universe k tenv env t =
match infer k tenv env t with
| VType i -> i
| _ -> raise Type_error
and with a function which checks that a term t has a given type a:
and check k tenv env t a : unit =
match t, a with
| Abs (x, t), VPi (a, b) ->
let y = var (fresh k) in
check (k+1) ((x,a)::tenv) ((x,y)::env) t (b y)
| Refl t, VId (_, u, v) ->
let t = eval env t in
if not (veq k t u) then raise Type_error;
if not (veq k t v) then raise Type_error
CHAPTER 8. DEPENDENT TYPE THEORY 398

| t, a ->
let a' = infer k tenv env t in
if not (veq k a a') then raise Type_error

Note that the case where the term is an abstraction λx.t (constructor Abs) and
the type is a Π-type Π(y : A).B (constructor VPi) is subtle: when checking that
the body t has type B, we do so by after replacing both x and y by a fresh
variable name.

8.5.5 Testing. In order to test our implementation, we can check that the
addition has the type A = Nat → Nat → Nat:
let () =
let a = varr VNat (varr VNat VNat) in
let t =
Abs (
"m",
Rec (
Var "m",
Pi ("_", Nat, Pi ("_", Nat, Nat)),
Abs ("n", Var "n"),
Abs ("m",
Abs ("r",
Abs ("n", Succ (App (Var "r", Var "n")))))
)
)
in
check 0 [] [] t a
Of course, it is not reasonable to proceed in this way in order to use the im-
plementation and one should implement a proper lexer and parser. We do not
describe this part here since it is out of the scope of this book.
 Chapter 9

Homotopy type theory

In the introduction of chapter 2, we have motivated the exploration of intu-

itionistic logic by changing the intuitive meaning we give to types: instead of
thinking of them as denoting booleans, it is much more satisfactory to consider
that they should be interpreted as sets, where it makes sense to consider various
elements of a type. Namely, the boolean interpretation is too limited because
when a type A is not false (i.e. empty) there is only one reason why this could
be: A is necessarily true (i.e. the set with one element) and in this case there
is only one proof of A (the only element of the set). In this sense, the boolean
interpretation does not allow for considering the possibility that a type should
admit various proofs. Now, if we try to make sense of equality in type theory,
we discover that the set-theoretic interpretation of logic somehow suffers from
the same limitations. Namely, in a set, when two elements x and y are equal
there is only one reason why this could possibly be: this is because x is the
same as y.
This suggests changing once again the semantics we give to types and inter-
pret them, not as booleans, not as sets, but as spaces. In this interpretation,
proofs of equality correspond to paths, and we can thus conceive models where
there can be various ones. Homotopy type theory is dependent type theory
seen from this point of view, and was introduced by Awodey and Voevodsky in
the 2000’s. The later discovered that an additional axiom, called univalence,
was required for the logic to match the situation in spaces, and homotopy type
theory is usually understood with this axiom.
This makes the mathematician happy because he discovers that logic is se-
cretly all about geometry. We will not dive too far in this direction because
this would require introducing too much material and this is already wonder-
fully covered in [Uni13]. This also should make the computer scientist happy,
because it allows for a clean handling of isomorphic data structures. Namely,
it often occurs that we have the choice between various isomorphic ways of
representing data, typically lists or arrays, and we would like to automatically
transfer the properties on one to the other. We will see that univalence allows
this: two isomorphic types will be equal and we will thus be able to transport
functions on one to the other.
The reader interested in learning more about the topic is urged to read the
foundational book about the topic [Uni13]. The course notes of Altenkirch [Alt19]
and Escardó [Esc19] are also very helpful.
We begin by introducing identity types in section 9.1, explain how types
can be interpreted as space in section 9.2, discuss the classification of types as
n-types in section 9.3, introduce the univalence axiom in section 9.4 and present
higher inductive types in section 9.5.
CHAPTER 9. HOMOTOPY TYPE THEORY 400

9.1 Identity types

9.1.1 Definitional and propositional equality. In type theory, we have two
notions of equality.
– The definitional equality states that some terms cannot be distinguished:
this is the “=” relation in the inference rules, which corresponds to iden-
tifying terms under β-equivalence (or generalizations of it to terms with
other constructors than λ-abstractions).

– The propositional equality or identity is a particular type expressing the

fact that we consider two terms as equal.
In Agda, there is no notation for definitional equality, because there is simply
no way to distinguish between two definitionally equal terms. On the other
hand, t ≡ u expresses propositional equality between two terms t and u: we
can provide a proof of such a fact and reason about it, but, when using u in
place of t, we should perform some explicit manipulations (e.g. with subst) in
order to explain Agda that we can replace one by the other.
For instance, consider the usual definition of addition, see section 6.4.2:
_+_ : → →
zero + n = n
suc m + n = suc (m + n)
The terms zero + n and n are definitionally equal: the second line in the above
definition explicitly states that this should be the case. For this reason, the two
can be used interchangeably and, for instance, we can give a vector of length
zero + n where a vector of length n is expected. In contrast, the terms n +
zero and n are not definitionally equal (there is no line in the definition of the
addition which explicitly states that this should be the case), but we can show
that they are propositionally equal, i.e. n + zero ≡ n, which requires reasoning
on addition (by recurrence). This is the reason why the proof of left unitality
of addition is so simple

+-zero' : (n : ) → zero + n ≡ n
+-zero' n = refl
whereas the right unitality is more involved
+-zero : (n : ) → n + zero ≡ n
+-zero zero = refl
+-zero (suc n) = cong suc (+-zero n)
In this chapter, we mostly focus on propositional equality, leaving the def-
initional one implicit as it should be, and sometimes simply say equality for
propositional equality. The propositional equality is also referred to as identity
and a type t ≡ u as an identity type.

9.1.2 Propositional equality in Agda. We have already seen in section 6.6

that the definition of propositional equality is done in Agda with the following
inductive type:
CHAPTER 9. HOMOTOPY TYPE THEORY 401

data _≡_ {A : Set} (x : A) : A → Set where

refl : x ≡ x
It has only one constructor, refl, which expresses the reflexivity of equality: a
term is equal to itself. In particular, two definitionally equal terms are proposi-
tionally so.

9.1.3 The rules. The rules for propositional equality, or identity types, follow
from the above definition of equality as an inductive type, but can also be
given directly, as for other connectives. These were first formulated by Martin-
Löf [ML75].
We extend the syntax of expressions with
e ::= . . . | Ide (e0 , e00 ) | refl(e) | J(e, xyz 7→ e0 , x0 7→ e00 )
The new constructions are the following:
– the type IdA (t, u) is called an identity type and expresses the fact that two
terms t and u of type A are equal,
– refl(t) is the reflexivity of t, and
– J is the eliminator for identities.
In the following, we will often simply write t ≡ u instead of IdA (t, u), in accor-
dance with Agda’s notation for equality types.

Formation. The formation rule states that we can consider the type of propo-
sitional equalities, or identities, between any two terms t and u of the same
type:
Γ`t:A Γ`u:A
(IdF )
Γ ` IdA (t, u) : Type

Introduction. The constructor refl allows proving the reflexivity of equality on

a given term t:
Γ`t:A
(IdI )
Γ ` refl(t) : IdA (t, t)

Elimination. The eliminator states that in order to prove a property B depend-

ing on a proof p that two terms t and u of type A equal, it is enough to give a
proof r of it in the case where p is reflexivity:
Γ ` p : IdA (t, u) Γ, x : A, y : A, z : IdA (x, y) ` B : Type
Γ, x : A ` r : B[x/x, x/y, refl(x)/z]
(IdE )
Γ ` J(p, xyz 7→ B, x 7→ r) : B[t/x, u/y, p/z]

Computation. The computation rule expresses the fact that, when we use a
proof constructed by J in the case where the considered proof of identity is
reflexivity, we recover the proof r we provided:
Γ`t:A Γ, x : A, y : A, z : IdA (x, y) ` B : Type
Γ, x : A ` r : B[x/x, x/y, refl(x)/z]
(IdC )
Γ ` J(refl(t), xyz 7→ B, x 7→ r) = r[t/x] : B[t/x, t/y, refl(t)/z]
CHAPTER 9. HOMOTOPY TYPE THEORY 402

Uniqueness. The uniqueness rule states that using J to trivially construct a

proof of identity amounts to doing nothing:

Γ ` p : IdA (t, u)
(IdU )
Γ ` J(p, xyz 7→ IdA (x, y), x 7→ refl(x)) = p : IdA (t, u)

In Agda. The eliminator J corresponds to matching a proof of equality with refl:

J : {A : Set} {x y : A} (p : x ≡ y)
(B : (x y : A) → x ≡ y → Set)
(r : (x : A) → B x x refl)
→ B x y p
J {A} {x} {.x} refl B r = r x
Note that the second line corresponds precisely to the computation rule for
identity.
In Agda, the uniqueness rule does not hold, but the variant expressed with
propositional equality instead of definitional equality does:
J-eta : {A : Set} {x y : A} (p : x ≡ y) →
J p (λ x y _ → x ≡ y) (λ x → refl) ≡ p
J-eta refl = refl

9.1.4 Leibniz equality. The definition of equality given above is not the first
one one might think of. Another definition which is perhaps easier to accept
was proposed by Leibniz [Lei86]. In this context, two things are said to be

– identitical when they are propositionally equal,

– indiscernible when a property satisfied by one is necessarily satisfied by
the other.
There are two possible implications between those notions. The implication

identical ⇒ indiscernible

is called the principle of indiscernability of identicals. This is easy to take for

granted: if two things x and y are equal then we should be able to replace an
occurrence of x by y in every property. Otherwise said, equality should be a
congruence. The other implication

indiscernible ⇒ identical

is called the principle of identity of indiscernibles: it states that two things satis-
fying the same properties are the same. This is somehow an “interactive” point
of view on the world, considering that in order for two things to be distinct, there
should be some sort of experiment which allows distinguishing between the two.
Leibniz postulate that both principles hold, i.e. the two notions are equivalent.
The reference often quoted for the second principle is the following [Lei86]:

il n’est pas vray, que deux substances se ressemblent entierement et

soyent differentes solo numero
CHAPTER 9. HOMOTOPY TYPE THEORY 403

(which goes on with assertions such as “On peut même dire que toute substance
porte en quelque façon le caractere de la sagesse infinie et de la toute puissance
de Dieu, et l’imite autant qu’elle en est susceptible.” which are less clear from a
logical point of view). If we also accept this implication, then we can in fact take
indiscernability as a definition for equality. This is sometimes called Leibnitz
equality:
Definition 9.1.4.1 (Leibniz equality). Two things are equal when there every
property satisfied by one is also satisfied by the other.
.
We write x = y when x and y are equal according to Leibniz definition, i.e. when
for every predicate P (z), with a free variable z, we have

P (x) ⇒ P (y) (9.1)

In Agda, this can be formalized in the following way:

_≐_ : {A : Set} → (x y : A) → Set ₁
_≐_ {A} x y = (P : A → Set) → (P x → P y)
This relation is clearly reflexive:
≐-refl : {A : Set} {x : A} → x ≐ x
≐-refl P p = p
It is however not immediate that it is symmetric. In fact, our first inclina-
tion would have namely be to have taken P (x) ⇔ P (y) in the definition (9.1),
i.e. an equivalence instead of an implication, so that symmetry would be obvi-
ous. However, this is not necessary, because the converse implication can always
be deduced:
. .
Lemma 9.1.4.2. If x = y then y = x.
.
Proof. Suppose that x = y, and fix a predicate P . Consider the predicate
.
Q(z) = (P (z) ⇒ P (x)). By definition of x = y, we have Q(x) implies Q(y),
i.e. P (x) ⇒ P (x) implies P (y) ⇒ P (x). But, P (x) ⇒ P (x) is obviously true,
so that we have P (y) ⇒ P (x). Since, this holds for every predicate P , we
.
have y = x.
In Agda, this can be formalized as follows:
≐-sym : {A : Set} {x y : A} → x ≐ y → y ≐ x
≐-sym {x = x} e P = e (λ z → (P z → P x)) (λ p → p)
Transitivity can be shown in a similar fashion:
≐-trans : {A : Set} {x y z : A} → x ≐ y → y ≐ z → x ≐ z
≐-trans {x = x} e e' P = e' (λ z → (P x → P z)) (e P)
.
Now, the question is how this definition of equality = compares to the propo-
sitional equality ≡ of previous section: if the two did not agree then we would
have to discuss which one is the right one, which looks like a metaphysical
debate. Fortunately, both of them can be shown to coincide. The fact that
propositional equality implies Leibniz equality follows immediately by induc-
tion, since when x ≡ y, we can restrict to the case where x and y are the same
(and the proof of x ≡ y is reflexivity):
CHAPTER 9. HOMOTOPY TYPE THEORY 404

≡-to-≐ : {A : Set} {x y : A} → x ≡ y → x ≐ y
≡-to-≐ refl = ≐-refl
.
and the converse implication can be obtained as the variant of the proof that =
is symmetric:
≐-to-≡ : {A : Set} {x y : A} → x ≐ y → x ≡ y
≐-to-≡ {x = x} e = e (λ z → x ≡ z) refl
More details can be found in [ACD+ 18].

9.1.5 Extensionality of equality. Two things are said to extensionally equal

when their constituents are equal. We expect that equality coincides with ex-
tensional equality, and it is in fact so for inductively defined types.

Extensional equality on pairs. Two pairs are extensionally equal when their
members are equal. It is easy to show that two extensionally equal pairs are
equal:
×-≡ : {A B : Set} {x x' : A} {y y' : B} →
x ≡ x' → y ≡ y' → (x , y) ≡ (x' , y')
×-≡ refl refl = refl
and conversely, two equal pairs are extensionally so:
≡-× : {A B : Set} {x x' : A} {y y' : B} →
(x , y) ≡ (x' , y') → (x ≡ x') × (y ≡ y')
≡-× refl = refl , refl

Extensional equality on lists. Similarly, two lists are extensionally equal when
they have the same (i.e. equal) elements. In Agda, this relation can be defined
inductively by
data _==_ {A : Set} : (l l' : List A) → Set where
==-[] : [] == []
==-∷ : {x x' : A} {l l' : List A} →
x ≡ x' → l == l' → (x ∷ l) == (x' ∷ l')
This relation is easily shown to be reflexive by induction
==-refl : {A : Set} (l : List A) → l == l
==-refl [] = ==-[]
==-refl (x ∷ l) = ==-∷ refl (==-refl l)
from which one can show that equality implies extensional equality:
≡-== : {A : Set} {l l' : List A} → l ≡ l' → l == l'
≡-== {l = l} refl = ==-refl l
Conversely, one can show that two lists with the same head and the same tail
are equal:
≡-∷ : {A : Set} → {x x' : A} → {l l' : List A} →
x ≡ x' → l ≡ l' → x ∷ l ≡ x' ∷ l'
≡-∷ refl refl = refl
CHAPTER 9. HOMOTOPY TYPE THEORY 405

from which one can deduce that two extensionally equal lists are equal:
==-≡ : {A : Set} {l l' : List A} → l == l' → l ≡ l'
==-≡ ==-[] = refl
==-≡ (==-∷ x e) = ≡-∷ x (==-≡ e)

Extensional equality on functions. Similarly again, we declare that two functions

f and g of type A → B are extensionally equal when, for every element x of
type A, we have f (x) = g(x). Clearly, two equal functions are extensionally so
≡-ext : {A B : Set} → {f g : A → B} →
f ≡ g → (x : A) → f x ≡ g x
≡-ext refl x = refl
(this function will be called happly in section 9.4.1), but the converse property
cannot be shown because we have no induction principle at our disposal to show
that two functions are equal. For instance, one cannot show
id-add-0 : (λ n → n + 0) ≡ (λ n → n)
Try it for yourself in order to get convinced.
This means that there is no proof of the following function extensionality
principle:
FE : Set ₁
FE = {A B : Set} {f g : A → B} → ((x : A) → f x ≡ g x) → f ≡ g
not to mention the dependent function extensionality principle, which is the
generalization adapted to dependent functions:
DFE : Set ₁
DFE = {A : Set} {B : A → Set} {f g : (x : A) → B x} →
((x : A) → f x ≡ g x) → f ≡ g
See [BPT17] for a proof of this fact.
This situation is deeply unsatisfactory: this means that we cannot really use
equality to reason on functions. We could add (dependent) function extension-
ality as an axiom with
postulate funext : DFE
but we would not get very far because we would not have any computation rule
associated to it, making proofs very hard in practice. Also, function extension-
ality seems to be contradictory with constructivity of proofs. Namely, a given
function can be implemented in various ways, with various algorithms and vari-
ous complexities (see section 2.1.1 for an example), and function extensionality
seems to simply destroy it all, since we are considering all of them as equal. In
fact, this reasoning would hold if proofs of equality did not have any content...
but we will see that it is not the case in next section: the way we prove that two
functions are equal is relevant here and cannot simply be discarded. A much
better treatment of equality is performed in homotopy type theory, which is
presented in this chapter, and function extensionality will be a consequence of
its main axiom, univalence, see section 9.4.9. It somehow resolves the tension
by considering that two equal things are not the same, but can be deformed one
into the other.
CHAPTER 9. HOMOTOPY TYPE THEORY 406

9.1.6 Uniqueness of identity proofs. At some point in the 90s, people

started to wonder: is there a proof-theoretic content in proofs of equality? Or
more prosaically: can there be more than one proof of the equality between
two given terms? This suggested investigating the provability of the following
property called uniqueness of identity proofs
UIP : Set ₁
UIP = {A : Set} {x y : A} (p q : x ≡ y) → p ≡ q
which states that two proofs of x ≡ y for some terms x and y are necessarily
equal.
In particular, in the case x = y, we know a particular proof of x ≡ x,
namely refl(x). If we are only interested in such cases, we can also considering
the following variant, which we call here uniqueness of reflexivity proofs:
URP : Set ₁
URP = {A : Set} {x : A} (p : x ≡ x) → p ≡ refl
Clearly, URP is a particular case of UIP:
UIP-URP : UIP → URP
UIP-URP UIP r = UIP r refl
Interestingly, we can also recover UIP from URP. Namely, consider two identity
proofs p, q : x ≡ y. We can picture the identities p and q as paths from x to y,
as in the figure below:
p
x y
q

This diagram makes it plausible that showing that p is the same as q (in the
sense that p ≡ q), should be equivalent to showing that the path from y to y,
obtained as the concatenation of p taken backward followed by q is the same as
the reflexivity on y. And indeed, one can show the following implication:
loop-≡ : {A : Set} {x y : A} (p q : x ≡ y) →
trans (sym p) q ≡ refl → p ≡ q
loop-≡ refl q h = sym h
from which one deduces that URP implies UIP:
URP-UIP : URP → UIP
URP-UIP URP p q = loop-≡ p q (URP (trans (sym p) q))

The axiom K. A third equivalent property is called K, and is due to Stre-

icher [Str93]. It can be thought of as the “Leibniz variant” (see section 9.1.4) of
URP: if the only proof of an equality x ≡ x is reflexivity then, in order to show
that a property P depending on such a proof is valid, it should be enough to
show it in the case of reflexivity. This property can thus be formulated as
K : Set ₁
K = {A : Set} {x : A} →
(P : (x ≡ x) → Set) → P refl → (p : x ≡ x) → P p
It is simple to show that URP implies K:
CHAPTER 9. HOMOTOPY TYPE THEORY 407

URP-K : URP → K
URP-K URP P r p = subst P (sym (URP p)) r
and that K implies URP:
K-URP : K → URP
K-URP K p = K (λ p → p ≡ refl) refl p
Note that K is a slight variant of the eliminator J, where we consider proposi-
tions depending on proofs of x ≡ x (instead of x ≡ y), thus the name. However,
K cannot be proved from J (try it!): this can be demonstrated by observing
that the non-trivial models of homotopy type theory validate the later but not
the former: the first such model was found by Hofmann and Streicher [HS98],
by interpreting types as groupoids.

Pattern matching without K. If we try to prove UIP or K in vanilla Agda, using

pattern matching as usual, something unexpected happens, as first noticed by
Coquand [Coq92b]: we succeed! Namely, we can show UIP by
UIP-proof : UIP
UIP-proof refl refl = refl
and K by
K-proof : K
K-proof P r refl = r
This means that Agda is not implementing exactly dependent type theory as
we have presented it: in fact, the default pattern matching algorithm of Agda
is simply too permissive. In order to use a saner algorithm, we should always
start our files with
{-# OPTIONS --without-K #-}
and the above proofs of UIP and K will not be accepted anymore. The reason
why the current pattern matching is enabled by default is that it simplifies
proofs, if one is prepared to lose all information about identities: it can be
shown that using this algorithm essentially amounts to adding UIP (and not
more) to the dependent type theory [McB00].

9.2 Types as spaces

9.2.1 Intuition about the model. In order to better understand what logic
looks like in the absence of uniqueness of identity proofs, one should be prepared
to accept the following change of point view: types should be interpreted not
as booleans, nor as sets, but as spaces. Similarly, the elements of a type A → B
should be interpreted not as implications, nor as functions, but as continuous
functions. This interpretation is the starting point of homotopy type theory
which was pioneered by Voevodsky and other people [Uni13]. In order to make
this clear, even in Agda, starting from now, we will write Type instead of Set
to designate the type of types, which can be done by defining
Type : (i : Level) → Set (lsuc i)
Type i = Set i
Types are not always sets!
CHAPTER 9. HOMOTOPY TYPE THEORY 408

Spaces. We will deliberately remain vague about what we mean by a space,

but one can think of those as geometric shapes, in arbitrary dimension, i.e. as
topological spaces, or as something that can be obtained by gluing segments,
surfaces and volumes in arbitrary dimension. More details can be found in
standard algebraic topology textbooks such as [Hat02]. Some examples in low
dimensions are

Most importantly, those spaces should be considered up to “deformations” which

preserve the shape: we do not distinguish between spaces which look roughly
the same.

Paths. The reason why this interpretation is useful to reason about identities is
that we now have a representation for them: they correspond to paths, as we
now explain. We write I for the interval space:

Concretely, it can be defined as the set I = [0, 1] of reals between 0 and 1 (both
included) equipped with the euclidean topology. A path in a space A from a
point x to a point y is a continuous function

p:I→A

such that p(0) = x and p(1) = y:

x p y

Such a path can also be thought of as a continuous way to go from x to y

depending on a “time” parameter t ∈ I: at time t = 0 we are at x, at time t = 1
we are at y, and at a time t in between we are at p(t).
Given a point x there is always a path from x to x, the constant path, which
is the function defined as p(t) = x for every t ∈ I. This corresponds to remaining
at x.

Interpreting types. From now on, we are going to work with the following inter-
pretation of types in mind:
– we interpret a type A as a space,

– an element x of type A will be seen as a point of A,

– an identity proof p in IdA (x, y) as a path from x to y,
– a function f : A → B as a continuous function from A to B.

For this reason, we sometimes write p : x ≡ y for a path from x to y. In

particular, a reflexivity proof refl(x) : x ≡ x will be interpreted as the constant
CHAPTER 9. HOMOTOPY TYPE THEORY 409

path from x to x. We insist on the fact that the interpretations of functions are
always continuous, even if we omit mentioning it.
Given two elements x, y : A and two identities p, q : IdA (x, y), consider an
identity α : IdIdA (x,y) (p, q) from p to q. Topologically, it will correspond to a
continuous way of deforming the path p into the path q within paths from x
to y, i.e. the endpoints are fixed. It thus corresponds to a surface:

x α y
A
q

Similarly, paths between paths between paths correspond to volumes, and so

on.
In particular, consider a type corresponding to the circle (should there be
one). Given two distinct points x and y, we have two distinct paths p and q
going from x to y:
p
x y
q

Moreover, since the circle is hollow, there can be no continuous way of deform-
ing p into q. A type theory which can account for such a type will not validate
the principle of uniqueness of identity proofs.

Homotopy equivalence. We mentioned that spaces are considered up to defor-

mation and we now want to make more precise this notion of deformation we are
using. We say that two continuous functions f, g : A → B are homotopic when
for every point x : A there is a path f (x) ≡ g(x), which varies continuously
with x. We write f ∼ g when f and g are homotopic.
Two spaces A and B are homotopy equivalent when there are two functions
f :A→B and g:B→A
such that
g ◦ f ∼ idA and f ◦ g ∼ idB
where idA : A → A denotes the identity function, defined by idA (x) = x for x
in A, and similarly for idB . This is the notion we will take when we think of
two spaces as being equivalent up to deformation: the adjective homotopy in
homotopy type theory refers to the fact that we are considering spaces up to
homotopy equivalence.
For instance, the space A reduced to a point x (on the left) is homotopy
equivalent to the disk B (on the right):
f
−→ z
x ←−
g

y
CHAPTER 9. HOMOTOPY TYPE THEORY 410

Namely, we can take the function f : A → B which takes x to some point y

of B, and the function g : B → A which takes every point of B to x. This is
a homotopy equivalence since, for the only point x of A we have g ◦ f (x) = x,
and for every point z of B there is a path from y = f ◦ g(z) to z, which depends
continuously on z (see the picture).
Consider the variant of the preceding situation, where A is still reduced to
a point x, but B is now a circle instead of a disk:

−→
f z
x ←−
g

We can still define functions f and g in the same way. Moreover, given a point z
in B there is still a path from y = f ◦ g(z) to z. However, there is no way of
choosing such a path in a continuous way: when moving z around the circle, at
some point the path has to jump from turning counterclockwise to clockwise,
or from turning once around the circle to turning twice, etc. For this reason the
point and the circle are not homotopy equivalent.
Remark 9.2.1.1. In previous example, it can be noted that the circle has a
hole whereas the point does not. It can be shown that homotopy equivalence
preserves the number of holes in any dimension [Hat02] (these are called the
Betti numbers and are closely related to homotopy groups), from which we
could have easily seen that the two spaces are not equivalent. There is actually
even a subtle converse to this property. A map f : A → B between spaces is
a weak homotopy equivalence when it induces a bijection between the holes (in
any dimension) of A and those of B (as a particular case, it should induce a
bijection between the path components of A and those of B). When A and B
are “nice” spaces, by which we mean gluing of disks (traditionally called CW-
complexes), a map f : A → B is a weak homotopy equivalence if and only if
it is a homotopy equivalence (this is Whitehead theorem). The restriction to
CW-complexes is not really a limitation here, because any space can be shown
to be weakly homotopy equivalent to a CW-complex.

Eliminating identities. The elimination principle of identity types says that in

order to show a property on a space containing a path p, it is enough to show
this property on the corresponding space where p has been made a constant
path. For instance, suppose that we want to show that the circle A satisfies
UIP, i.e. any two paths are equal:
p
x y
q

We thus begin our proof with

UIP : (x y : A) (p q : x ≡ y) → p ≡ q
UIP x y p q = ?
We begin by eliminating p, and Agda takes us to the proof
CHAPTER 9. HOMOTOPY TYPE THEORY 411

UIP : (x y : A) (p q : x ≡ y) → p ≡ q
UIP x .x refl q = ?

which corresponds to restricting to the space A0

x
q

obtained from the circle by assimilating p to a constant path. This is a perfectly

valid thing to do because the spaces A and A0 are clearly homotopy equivalent.
However, if we proceed further and eliminate q, Agda gets us to

UIP : (x y : A) (p q : x ≡ y) → p ≡ q
UIP x .x refl refl = ?
which means that we are now restricting to the space A00 reduced to a point

obtained from A0 by assimilating q to the constant path. This step should not
be valid because, as we have seen, A0 and A00 are not homotopy equivalent. In
fact, if we activate the flag --without-K of Agda, as we should always do, Agda
rejects this last step by issuing an error:
I'm not sure if there should be a case for the constructor refl,
because I get stuck when trying to solve the following unification
problems (inferred index ≟ expected index):
x₁ ≟ x₁
Possible reason why unification failed:
Cannot eliminate reflexive equation x ₁ = x ₁ of type A ₁ because K
has been disabled.
when checking that the expression ? has type refl ≡ q
which is his verbose way of saying that you are trying to do something forbidden
in the absence of axiom K.

Univalence. We will see that the type theory (without K) does not exactly
match the intuition that we have of types as spaces: some properties that we
expect to be shown cannot be proved. The reason is that, we lack some ways of
constructing equalities. For instance, we cannot construct non-trivial equalities
between functions: typically, we cannot prove function extensionality. In order
for logic and topology to match precisely, one needs to assume an axiom, called
univalence. It will be only be presented in section 9.4, but we will mention some
of the properties which it allows to prove before that, in order to motivate the
need for it (e.g. function extensionality will be a consequence of it).

9.2.2 The structure of paths. We shall now study the constructions and
operations which are available on paths. The first one, which we have seen many
times, is the construction of the constant path on a point x, which is simply
given by refl. Given two paths p : x ≡ y and q : y ≡ z such that the end of p
CHAPTER 9. HOMOTOPY TYPE THEORY 412

matches the beginning of q (both are y), we can build their concatenation p · q,
which is a path from x to z. If we see them as continuous functions p : I → A
and q : I → A, where I is the interval [0, 1], this is defined as
(
p(t) if 0 6 t 6 1/2,
(p · q)(t) =
q(t − 1/2) if 1/2 6 t 6 1.

In the following, we will generally not give such explicit constructions, and
simply provide the formalization in Agda, which is in this case

_∙_ : ∀ {i} {A : Type i} {x y z : A} →

(p : x ≡ y) → (q : y ≡ z) → x ≡ z
refl ∙ q = q
Of course, we have already seen this proof in section 6.6.2: this is simply the
transitivity of ≡. As expected, the constant path is a unit for concatenation on
the left:
∙-unit-l : ∀ {i} {A : Type i} {x y : A} →
(p : x ≡ y) → refl ∙ p ≡ p
∙-unit-l p = refl
This does not mean that, given a path p : x ≡ y, the paths refl ·p and p are the
same. In fact, they are not since the one on the left is
(
t if 0 6 t 6 1/2,
(refl ·p)(t) =
p(t − 1/2) if 1/2 6 t 6 1.

and is a different function from p: we usually don’t have (refl ·p)(t) = p(t) for
every t ∈ I. They are however homotopic, in the sense that there is a path
(i.e. a deformation) from the former to the latter (exercise: explicitly define this
path). Similarly, the constant path is also a unit on the right for concatenation:

∙-unit-r : ∀ {i} {A : Type i} {x y : A} →

(p : x ≡ y) → p ∙ refl ≡ p
∙-unit-r refl = refl
and concatenation is associative:
∙-assoc : ∀ {i} {A : Type i} {x y z w : A} →
(p : x ≡ y) → (q : y ≡ z) → (r : z ≡ w) →
(p ∙ q) ∙ r ≡ p ∙ (q ∙ r)
∙-assoc refl refl refl = refl
Next, given a path p : x ≡ y, we can define the inverse path p−1 : y ≡ x by
p−1 (t) = p(1 − t), i.e. the path p taken “backwards”. In Agda, it is noted ! p
(or sym p) and defined by
!_ : ∀ {i} {A : Type i} {x y : A} → x ≡ y → y ≡ x
! refl = refl
Again, we can show the expected properties such as the fact that it is a neutral
element on the left:
CHAPTER 9. HOMOTOPY TYPE THEORY 413

∙-inv-l : ∀ {i} {A : Type i} {x y : A} →

(p : x ≡ y) → ! p ∙ p ≡ refl
∙-inv-l refl = refl

which means that taking a path backwards and then forward is the same (up to
homotopy) as doing nothing (try it in the street). The same holds on the right:
∙-inv-r : ∀ {i} {A : Type i} {x y : A} →
(p : x ≡ y) → p ∙ ! p ≡ refl
∙-inv-r refl = refl
and taking the inverse twice does nothing:
!-! : ∀ {i} {A : Type i} {x y : A} → (p : x ≡ y) → ! (! p) ≡ p
!-! refl = refl

Groupoids. If we sum up the situation, given a type A, we have

– a set A of points,

– for every points x and y in A, we have a set x ≡ y of paths from x to y,

– for every point x, we have a path refl(x) : x ≡ x,
– for every points x, y, z and paths p : x ≡ y and q : y ≡ z, we have a
concatenation p · q : x ≡ z,

such that
– concatenation is associative and admits constant paths as neutral elements
on both sides,
– every path admits an path which is an inverse on both sides.

A groupoid is precisely this structure, if we assume that the two above axioms
hold up to equality (as opposed to up to homotopy): it consists of a set (of
points or objects), together with a set (of paths or morphisms) between any
two pair of points, equipped with a composition and identities (constant paths),
such that composition is associative, unital and admit inverses. The first model
of dependent type theory which did not validate UIP, was precisely done by
interpreting types as groupoids [HS98]. It can be seen as a “degenerate” version
of the model of spaces, in the sense that the only paths between paths are
constant paths.

9.3 n-types
Now that we have this point of view on types as spaces, we can start classify-
ing types depending on their topological properties. A particularly interesting
classification is given by n-types, which are types which contain no holes of
dimension k > n, for some natural number n.
CHAPTER 9. HOMOTOPY TYPE THEORY 414

9.3.1 Propositions. The most simple kind of types are propositions [Uni13,
Section 3.3]. We can think of a proposition as either being

– a point meaning that it is true, or

– empty, meaning that it is false.
In particular, when it is true, we only allow for one point: if there were many,
it would mean that there would be many reasons why the proposition would be
true, which is not what we have in mind for propositions. One should be aware
that the above description is slightly misleading:
– it will not be the case that we can prove that a proposition is either empty
or not, i.e. either true or false, because we live in an intuitionistic world,
where the excluded middle is not expected to hold,

– in true, we require that there is only one point, call it x0 , up to homotopy:

this means that if there is another point x, it should be equal to x0 .
In both cases (true or false), we can remark that a proposition is such that any
two points x and y are related by a path x ≡ y: this property holds by definition
when the proposition is true and is vacuously true when the proposition is empty.

Definition. The previous remark suggests defining a predicate isProp by

isProp : ∀ {i} → Type i → Type i
isProp A = (x y : A) → x ≡ y

with the intended meaning that isProp A holds when the type A is a proposition.

Examples. We can show that ⊥ is a proposition (it corresponds to the empty

space):
-isProp : isProp
-isProp ()
or > is a proposition (it corresponds to the space with one point, namely tt):

-isProp : isProp
-isProp tt tt = refl
We can also show that the type of booleans is not a proposition since it has two
points, true and false, which are not equal:

Bool-isn'tProp : ¬ (isProp Bool)

Bool-isn'tProp P with P true false
Bool-isn'tProp P | ()
We insist once more on the fact that types are handled up to homotopy, so
that a disk
CHAPTER 9. HOMOTOPY TYPE THEORY 415

is also an acceptable proposition because it is homotopy equivalent to a point.

However, there is a worrying situation with our definition: it seems that the
circle C

should also be accepted by our definition although it is not equivalent to a point:

after all, given any pair of points there is a path between them in the circle.
However, C is not a proposition and one cannot show isProp C: the reason is
that there is now way choosing such paths in a continuous way, and we are only
allowed to manipulate continuous functions. Namely, one can convince himself
that there is no way of choosing a path px,y : x ≡ y for every pair of point x and
y in C, in a way which is continuous in both x and y (the reasoning is similar to
the one we have done above to show that the circle is not homotopy equivalent
to a point).

The type of propositions. We can define the type of all propositions as

hProp : ∀ i → Type (lsuc i)
hProp i = Σ (Type i) isProp
(we call it hProp and not Prop because the latter is a reserved keyword in recent
versions of Agda). It should be remarked that even though we know that this
type should be small, because we add at most one point on hProp per type in
Type i, the general rule for handling levels in Σ-types does not allow the result
to be in Type i, because Type i is at level i+1, so that we have to assume that
if forms a large type, i.e. at level i+1 (this is further discussed in section 9.3.4,
with the propositional resizing principle).

Operations on propositions. In the following, we will use the set-theoretic nota-

tions for usual operations on types and the logical notations for the correspond-
ing operations on propositions:

on types × t → Π Σ
on propositions ∧ ∨ ⇒ ∀ ∃

(we are using here the more traditional notation t instead of the usual Agda
notation ] for coproduct). The Curry-Howard correspondence allowed us to
identify both lines, but now that we have a rich type theory, we can tear logic
and types apart again! In order for this to make sense, we should check that the
operations are well-defined on propositions, i.e. that the result is a proposition
when applied to proposition. We will see that it is actually not always the case
and that their definition have to be adapted to properly operate on propositions.
Propositions are closed under products, i.e. the product of two propositions
is itself a proposition:
×-isProp : ∀ {i j} {A : Type i} {B : Type j} →
isProp A → isProp B → isProp (A × B)
×-isProp PA PB (a , b) (a' , b') with PA a a' , PB b b'
×-isProp PA PB (a , b) (.a , .b) | refl , refl = refl
We can therefore simply define the conjunction of propositions as their product:
CHAPTER 9. HOMOTOPY TYPE THEORY 416

_∧_ : ∀ {i j} → Type i → Type j → Type (lmax i j)

A ∧ B = A × B
Similarly, we expect that propositions are closed under functions spaces, so
that we can simply define implication as function space. In order to show this,
it turns out that we have to assume function extensionality (which will become
a theorem in section 9.4.9), because we have no useful way to show equalities
between functions otherwise, see section 9.1.5. If this is assumed, one can show
that A → B is a proposition as soon as B is:
→-isProp : ∀ {i j} {A : Type i} {B : Type j} →
isProp B → isProp (A → B)
→-isProp PB f g = funext (λ x → PB (f x) (g x))
and similarly for Π-types, if we assume dependent function extensionality:
Π-isProp : ∀ {i j} {A : Type i} → {B : A → Type j} →
((x : A) → isProp (B x)) → isProp ((x : A) → (B x))
Π-isProp PB f g = funext (λ x → PB x (f x) (g x))
In particular, the negation ¬A of a type A is always a proposition since it is the
type A → ⊥ by definition, and ⊥ is a proposition:
¬-isProp : ∀ {i} {A : Type i} → isProp (¬ A)
¬-isProp = →-isProp -isProp
The situation for the coproduct A + B of two propositions is more delicate.
We have to assume that the types A and B have an “empty intersection” in
order to show that their coproduct is itself a proposition. Here, having an
empty intersection amounts to suppose that ¬(A ∧ B) holds, or equivalently
that A ⇒ B ⇒ ⊥ holds.
-isProp : ∀ {i j} {A : Type i} {B : Type j} →
isProp A → isProp B → (A → B → ) → isProp (A B)
-isProp PA PB f (inl x) (inl y) = ap inl (PA x y)
-isProp PA PB f (inl x) (inr y) = -elim (f x y)
-isProp PA PB f (inr x) (inl y) = -elim (f y x)
-isProp PA PB f (inr x) (inr y) = ap inr (PB x y)
(the operation ap above is another name for cong, see section 6.6.2). The con-
dition on intersection is really needed. For instance, the type > is a proposition
but the type > t > is not because it has two points: one could show that it is
not a proposition in the same way we were able to show that Bool was not a
proposition in section 9.3.1 (after all, the types > t > and Bool are isomorphic).
An important consequence of the above lemma is that, for every proposition A,
the type ¬A t A is also a proposition:
isDec-isProp : ∀ {i} {A : Type i} → isProp A → isProp (isDec A)
isDec-isProp PA = -isProp PA ¬-isProp (λ a a' → a' a)
Above, isDec A is a simply a notation for ¬ A A, meaning that A is decidable:
we have just shown that, for a proposition, being decidable is a proposition.
We will be able to give a proper definition of ∨ (not just disjoint propositions)
in section 9.3.4, but we dot not have the tools to do so for now. For similar
CHAPTER 9. HOMOTOPY TYPE THEORY 417

reasons as for coproduct, propositions are not closed under Σ-types and we also
defer the definition of the ∃ quantifier.
As a final remark on connectives on propositions, we mention that it would
be cleaner and more conceptual to define them directly on hProp, i.e. have them
provide the proof that they produce propositions. For instance, conjunction
could be defined as
_∧_ : ∀ {i j} → hProp i → hProp j → hProp (lmax i j)
(A , PA) ∧ (B , PB) = (A × B) , ×-isProp PA PB
We choose not to do this here in order to keep closer to bare metal and avoid
small lemmas which would obfuscate the code at first read.

Predicates and propositions. For any type A, the type isProp A is itself a propo-
sition: being a proposition is a proposition. If this was not the case, there could
be multiple reasons why a proposition could be a proposition, and the meaning
of this would be rather obscure. The proof, which is called isProp-isProp, is
deferred to section 9.3.2.
Up to now, we have formalized a predicate on a type A as a function P
whose type is A → Set, see section 6.5.9. For the same reasons as above, such a
function really deserves the name of predicate only when it is the case that P x
is a proposition for every element x of type A. We can thus formalize the fact of
being a predicate as
isPred : ∀ {i j} {A : Type i} → (A → Set j) → Set (lmax i j)
isPred {_} {_} {A} P = (x : A) → isProp (P x)
The function isProp-isProp described above shows that isProp is a predicate:
isProp-isPred : ∀ {j} → isPred {j = j} isProp
isProp-isPred A = isProp-isProp
Similarly, as expected, being a predicate is itself a predicate:
isPred-isPred : ∀ {i j} {A} → isPred (isPred {i} {j} {A})
isPred-isPred P = Π-isProp (λ x → isProp-isProp)

Propositional extensionality. On propositions, there are two sensible notions of

being the same:
– propositional equality ≡,
– logical equivalence ⇔.
In Agda, the second one is defined as usual from implication an conjunction by
_↔_ : ∀ {i} → Type i → Type i → Type i
A ↔ B = (A → B) ∧ (B → A)
We now briefly investigate the relationship between the two.
It is easy to observe that two equal propositions are equivalent, by induction
on their equality:
≡-to-↔ : ∀ {i} → {A B : Type i} → A ≡ B → A ↔ B
≡-to-↔ refl = (λ x → x) , (λ x → x)
CHAPTER 9. HOMOTOPY TYPE THEORY 418

The converse implication is called propositional equality, or PE:

(A ⇔ B) ⇒ (A ≡ B)

which can be defined in Agda by

PE : ∀ {i} → Type (lsuc i)
PE {i} = ∀ {A B : Type i} → isProp A → isProp B → A ↔ B → A ≡ B
This implication cannot be shown and could be added as an axiom if one wants
to use it (for instance, we use it in order to show Diaconescu’s theorem in
section 9.3.4). In fact, we will add univalence, which is a generalization of
propositional equality, as an axiom, and show that it implies propositional ex-
tensionality in section 9.4.10.

Propositions as > or ⊥. At the beginning of this section, we have indicated that

a proposition should be either empty or a point (up to homotopy), i.e. either ⊥
or >. But can we formalize this? A first idea would be to show, for any type A,
the implication
isProp(A) ⇒ (A ≡ ⊥) ∨ (A ≡ >)
However, we will not be able to show this for any type A, because it would allow
us to decide whether A is true or not, which we cannot because we live in an
intuitionistic world. However, if we know that A holds then it should be equal
to >:
isProp(A) ⇒ A ⇒ (A ≡ >)
and if A does not hold then it should be equal to ⊥:

isProp(A) ⇒ ¬A ⇒ (A ≡ ⊥)

We currently cannot show that, but we will see in section 9.4.6 that it can be
proved if we assume the univalence axiom.

Classical logic. If one is disposed to work with classical logic, as presented in

section 2.5, one should add the law of excluded middle
LEM : ∀ {i} → Type (lsuc i)
LEM {i} = {A : Type i} → isProp A → A ∨ ¬ A
or double negation elimination
NNE : ∀ {i} → Type (lsuc i)
NNE {i} = {A : Type i} → isProp A → ¬ (¬ A) → A
as postulates. In the above formulation, the reader should note that we are
restricting those laws to propositions: they are only intended to talk about
logic. For instance, we expect that the law of excluded middle states that a
proposition is true or not, not that we can decide whether any type is empty
or not, and construct an element of this type in the latter case. This axiom is
consistent with homotopy type theory [KL20]. However, the general form of the
law of excluded middle
LEM' : ∀ {i} → Type (lsuc i)
LEM' {i} = {A : Type i} → A ∨ ¬ A
CHAPTER 9. HOMOTOPY TYPE THEORY 419

(not restricted to propositions) is inconsistent with the axiom of univalence:

it not only implies that we can choose an element in every non-empty type,
but also that we should be able in a continuous way, which is not possible, see
section 9.4.7.

9.3.2 Sets. After having considered propositions, the next interesting kind of
types are sets [Uni13, section 3.1]. Those are types which are collections of
points (up to homotopy). A typical set is thus:

However, the circle

is not a set because it is not a collection of points. In a set, two points x and y
are either in the same connected component, in which case they are equal in a
unique way (up to homotopy), or they are in distinct components, in which case
they are not equal. Otherwise said, if they are equal, they should be uniquely
so. This suggests defining the following predicate for sets:
isSet : ∀ {i} → Type i → Type i
isSet A = (x y : A) (p q : x ≡ y) → p ≡ q

Examples of sets. For instance, booleans form a set

Bool-isSet : isSet Bool
Bool-isSet false false refl refl = refl
Bool-isSet true true refl refl = refl
Natural numbers also form a set. First observe that, since equality is a
congruence, every path q : m ≡ n induces a path p : m + 1 ≡ n + 1:
suc-≡ : {m n : } → (m ≡ n) → (suc m ≡ suc n)
suc-≡ p = ap suc p
The path p is constructed from the path q by a direct application of ap, which
is another name for cong. Now, we can show a lemma stating that every path
p : m + 1 ≡ n + 1 is of this form, i.e. there are no more paths between successors
than those induced by congruence:
suc-pred-≡ : {m n : } →
(p : suc m ≡ suc n) → p ≡ ap suc (ap pred p)
suc-pred-≡ refl = refl
From there, we can show that N is a set, i.e. that any two paths p, q : m ≡ n
between natural numbers are equal. We proceed by induction on m and n. The
base case where both are 0 is immediate, for the inductive case where both are
successors, we can use the above lemma to reduce to the case where both p and
q are obtained by congruence and we can use the induction hypothesis:
CHAPTER 9. HOMOTOPY TYPE THEORY 420

-isSet : isSet
-isSet zero zero refl refl = refl
-isSet (suc m) (suc n) p q =
p ≡ suc-pred-≡ p
ap suc (ap pred p) ≡ ap (ap suc) ( -isSet m n _ _)
ap suc (ap pred q) ≡ sym (suc-pred-≡ q)
q ∎

More generally, all the basic datatypes we usually use (natural numbers, strings,
etc.) are sets. This includes the types of previous section, since one can show
that every proposition is a set, see below. Moreover, all usual type constructors
(lists, vectors, etc.) preserve the fact of being a set.
Exercise 9.3.2.1. Show that the type List A is a set when A is a set.

Closure properties. Sets are closed under most usual operations (products, co-
products, arrows, Π-types, Σ-types), as expected from set theory. As an illus-
tration, let us show the closure under products. Recall from section 9.1.5 that,
given two types A and B, a pair of paths p : x ≡ x0 in A and q : y ≡ y 0 in
B canonically induce a path from (x, y) to (x0 , y 0 ) in A × B, that we abusively
write (p, q) : (x, y) ≡ (x0 , y 0 ) here:
×-≡ : ∀ {i j} {A : Type i} {B : Type j} {x x' : A} {y y' : B} →
x ≡ x' → y ≡ y' → (x , y) ≡ (x' , y')
×-≡ refl refl = refl
Moreover, every path in A × B is equal to a path of this form. More precisely, a
path p : (x, y) ≡ (x0 , y 0 ) in A × B induces, by congruence under the projections,
paths pA : x ≡ x0 and pB : y ≡ y 0 , and the path induced by pA and pB using
previous function is equal to p, i.e. p ≡ (pA , pB ):
×-≡-η : ∀ {i} {j} {A : Type i} {B : Type j}
{z z' : A × B} {p : z ≡ z'} →
p ≡ ×-≡ (ap fst p) (ap snd p)
×-≡-η {p = refl} = refl
Finally, we can use this to show that the product A × B of the sets A and B is
itself a set. Namely, given parallel paths p and q in A × B, we have

p ≡ (pA , pB ) ≡ (qA , qB ) ≡ q

where the first and last equalities come from the previous observation, and the
one in the middle follows from the fact that we have pA ≡ qA and pB ≡ qB
because both A and B are sets:
×-isSet : ∀ {i j} {A : Type i} {B : Type j} →
isSet A → isSet B → isSet (A × B)
×-isSet SA SB (x , y) (x' , y') p q =
p ≡ ×-≡-η
×-≡ (ap fst p) (ap snd p) ap2 ≡ ×-≡
(SA x x' (ap fst p) (ap fst q))
(SB y y' (ap snd p) (ap snd q))
×-≡ (ap fst q) (ap snd q) ≡ sym ×-≡-η
q ∎
CHAPTER 9. HOMOTOPY TYPE THEORY 421

Propositions are sets. Any proposition is a set [Uni13, Lemma 3.3.4]. This is
intuitively expected because a proposition should be either empty or a point,
and thus a particular case of a collection of points. Consider a proposition A,
and two paths p, q : x ≡ y between points x and y of A. In order to show that A
is a set, we have to show that the paths p and q are equal, which is not easily
done directly. Instead, we are going to show that both are equal to a third
“canonical” path.
p

x y
q
px py
z
Fix a point z in A. Since A is a proposition, for every point x of A, there is
path px : z ≡ x. We now have a candidate for the canonical path: let’s show
that p ≡ p−1
x · py . By induction on p, this is immediate, since when p = refl(x),
we have refl(x) ≡ p−1
x · px , see section 9.2.2:

aProp-isSet-lem : ∀ {i} {A : Type i} {x y : A} → (P : isProp A) →

(z : A) (p : x ≡ y) → p ≡ ! (P z x) ∙ (P z y)
aProp-isSet-lem {x = x} P z refl = sym (∙-inv-l (P z x))
Similarly, we can show that q ≡ p−1
x · py , and therefore deduce p ≡ q, i.e. A is a
set:
aProp-isSet : ∀ {i} {A : Type i} → isProp A → isSet A
aProp-isSet {A = A} P x y p q =
(aProp-isSet-lem P x p) ∙ (sym (aProp-isSet-lem P x q))
This result allows deducing the fact that being a proposition is itself a propo-
sition using dependent function extensionality [Uni13, Lemma 3.3.5]. Namely,
consider a type A and two proofs f, g that A is a proposition: those are functions
taking two elements x and y of A and producing a path x ≡ y. By extension-
ality, is is enough to show that we have f x y ≡ g x y for every points x, y : A,
which follows immediately from the fact that A is a proposition (by f or g).
isProp-isProp : ∀ {i} {A : Type i} → isProp (isProp A)
isProp-isProp f g =
funext2 (λ x y → aProp-isSet f x y (f x y) (g x y))
Above, funext2 is the obvious variant of funext for functions with two argu-
ments.

Hedberg’s theorem. An abstract reason why most usual types are sets is because
they have decidable equality: Hedberg’s theorem states that any type with a
decidable equality is necessarily a set [Hed98, KECA16] and [Uni13, section 7.2].
For instance, we can decide the equality of natural numbers (see section 6.6.8),
therefore they form a set (which we have already proved directly above).
We recall that a type A is said to be decidable when ¬A t A holds, i.e. we
can either show that it is empty or produce an element of it:
isDec : ∀ {i} → Type i → Type i
isDec A = ¬ A A
CHAPTER 9. HOMOTOPY TYPE THEORY 422

In particular, a type A has decidable equality when we can decide whether any
two elements of A are equal or not:

isDecEq : ∀ {i} → Type i → Type i

isDecEq A = (x y : A) → isDec (x ≡ y)
Although this is the property usually considered, it will turn out to be more
convenient here to consider a variant of this property. We say that a type A has
the property of double negation elimination if ¬¬A → A:

isNNE : ∀ {i} → Type i → Type i

isNNE A = ¬ (¬ A) → A
and we write isNNEq when its equality has this property:
isNNEq : ∀ {i} → Type i → Type i
isNNEq A = (x y : A) → isNNE (x ≡ y)
It is well known that decidability of a type implies double negation elimination:
isDec-isNNE : ∀ {i} {A : Type i} → isDec A → isNNE A
isDec-isNNE (inl a') a'' = -elim (a'' a')
isDec-isNNE (inr a) _ = a

and therefore decidability of equality implies that equality has the double nega-
tion property. In this section, by “having a decidable equality”, we will therefore
without loss of generality mean “having an equality with the double negation
elimination property”.
Suppose that the type A has decidable equality. In order to show that A
is a set, we have to show that any two paths p, q : x ≡ y are equal. The
proof strategy here is the same as above: we should show that p is equal to
a “canonical” path of type x ≡ y, the path q will similarly be equal to this
path and we will be able to conclude. The fact that A has decidable equality
provides us with a canonical path between x and y. Namely, the existence of
the path p implies that we have a proof λk.kp of ¬¬(x ≡ y) and the double
negation elimination property provides us with a path x ≡ y:
nnePath : ∀ {i} {A : Type i} → isNNEq A →
{x y : A} → (p : x ≡ y) → x ≡ y
nnePath N {x} {y} p = N x y (λ k → k p)
This path is canonical, in the sense that it does not depend on the choice of
the path p. Namely, we know from section 9.3.1 that the type ¬¬(x ≡ y) is a
proposition (any negation of a type is). In particular, given two paths p and q
of type x ≡ y, the proofs λk.kp and λk.kq of ¬¬(x ≡ y) are equal and therefore
induce equal paths of type x ≡ y by elimination of double negation:
nnePathIndep : ∀ {i} {A : Type i} (N : isNNEq A) {x y : A}
(p q : x ≡ y) → nnePath N p ≡ nnePath N q
nnePathIndep N {x} {y} p q =
ap (N x y) ((¬-isProp (λ k → k p) (λ k → k q)))
In this way, we have constructed a canonical path px,y : x ≡ y, which depends
only on x and y. Finally, we want to show that p ≡ px,y , i.e. the arbitrary path p
CHAPTER 9. HOMOTOPY TYPE THEORY 423

is equal to the canonical one. By induction on p, this would require to show

that refl(x) = px,x , and there is no reason why this should hold. So instead, we
consider a variant of the canonical path and show that p ≡ p−1 x,x · px,y . Namely,
by induction on p, we are left proving refl(x) ≡ p−1
x,x · px,x , which does hold, see
section 9.2.2:
nnePathEq : ∀ {i} {A : Type i} (N : isNNEq A) {x y : A}
(p : x ≡ y) → p ≡ ! (nnePath N refl) ∙ nnePath N p
nnePathEq N {x} {y} refl = sym (∙-inv-l (N x x (λ z → z refl)))

Finally, we can conclude that p ≡ p−1

x,x · px,y ≡ q and therefore that A is a set:

Hedberg : ∀ {i} {A : Type i} (N : isNNEq A) → isSet A

Hedberg N x y p q =
p ≡ nnePathEq N p
(! (nnePath N refl) ∙ nnePath N p)
≡ ap (λ nnp → ! (nnePath N refl) ∙ nnp) (nnePathIndep N p q)
(! (nnePath N refl) ∙ nnePath N q)
≡ sym (nnePathEq N q)
q ∎

9.3.3 n-types. We now generalize the classification of types as propositions or

sets into a full hierarchy of types.

Groupoids. It can be observed that the definition of being a set can be reformu-
lated as:
isSet : ∀ {i} → Type i → Type i
isSet A = (x y : A) → isProp (x ≡ y)

i.e. a set is a type such that every pair of points x and y, the type x ≡ y is
a proposition. This reformulation suggests the next thing to try: we define a
groupoid as a type such that for every pair of points x and y, the type x ≡ y is
a set:
isGroupoid : ∀ {i} → Type i → Type i
isGroupoid A = (x y : A) → isSet (x ≡ y)
In a groupoid, two points x and y might be equal in multiple ways, but there
should be at most one equality between two paths p, q : x ≡ y. Typically, the
circle (on the left) is a groupoid

p p

x y x y

q q

but the sphere (on the right) is not a groupoid: between the point x and y there
are two paths p and q and between those paths there are two non-homotopic
paths (the deformations though the front or the back hemisphere).
CHAPTER 9. HOMOTOPY TYPE THEORY 424

The hierarchy. Continuing in this way, we define the notion of n-type, or a type
of homotopy level n, by recurrence on n [Uni13, Chapter 7]:
– a 0-type is a set, and
– an (n+1)-type is a type such that the type x ≡ y is an n-type, for every
points x and y.
In particular, a 1-type is a groupoid.
The intuition is that an n-type is a type which is trivial in dimension higher
than n, in the sense that it does not contain any non-trivial k-sphere for k > n.
In low dimensions k, the k-spheres (or spheres in dimension k) can be pictured
as follows:

0-sphere 1-sphere 2-sphere

A 0-sphere thus consists of two points, a 1-sphere is a circle and a 2-sphere is a

traditional sphere. For instance,
– a set (a 0-type) may contain two distinct points (a 0-sphere) but not a
circle (a 1-sphere),
– a groupoid (a 1-type) may contain distinct points or circles but no 2-spheres,
and so on.

Negative types. The choice of n = 0 for sets is done in order to agree with
traditional conventions in mathematics, but it can be extended a bit to negative
numbers. We have seen that in a proposition is such that x ≡ y is a 0-type (a
set) for every pair of point x and y, so that it makes senses to define a (−1)-type
as a proposition: if we adopt this convention, a 0-type is a type in which x ≡ y
is a (−1)-type, in accordance with the above definition.
Can we also make sense of a (−2)-type? In a (−1)-type, i.e. a proposition,
for every pair of points x and y, we should have that x ≡ y is a (−2)-type. Since
in a proposition every pair of points is related by a unique path, a (−2)-type can
be defined as a contractible type, i.e. a type which is a point up to homotopy,
see below. If we go on with this reasoning, we find that a (−3)-type should still
be a contractible type, so that we stop at dimension n = −2.

Contractible types. In Agda, the predicate of being contractible for a type can
be defined as
isContr : ∀ {i} → Type i → Type i
isContr A = Σ A (λ x → (y : A) → x ≡ y)
It expresses the fact that a type is contractible when it contains a point x such
that for every point y there is a path py from x to y. Typically, the type > is
contractible since every point of it is equal to the only constructor tt:
-isContr : isContr
-isContr = tt , (λ { tt → refl })
CHAPTER 9. HOMOTOPY TYPE THEORY 425

Once again, it might seem that the circle is contractible because there is a
path between any two pair of points, but it is not so because the choice of the
path py has to be made continuously in y, which is not possible for the circle.
A contractible type is thus homotopy equivalent to a point:

contractible contractible not contractible

Apart from >, an interesting contractible type is the singleton at a point x

in a type A, which consists of all the points of A equal to x:

Singleton : ∀ {i} {A : Type i} → A → Type i

Singleton {A = A} x = Σ A (λ y → x ≡ y)
Such a type is namely always contractible:
Singleton-isContr : ∀ {i} {A : Type i} (x : A) →
isContr (Σ A (λ y → x ≡ y))
Singleton-isContr x = (x , refl) , λ { (y , refl) → refl }
Since a contractible type contains only one point up to homotopy, all its
elements are necessarily equal, i.e. a contractible type is a proposition:
Contr-isProp : ∀ {i} {A : Type i} → isContr A → isProp A
Contr-isProp (x , p) y z with p y | p z
... | refl | refl = refl
(we will generalize this below when showing the cumulativity property).

n-types in Agda. We can define a predicate hasLevel such that hasLevel (n+2)
A holds when A is an n-type (we start at n = −2 instead of n = 0) by
hasLevel : ∀ {i} → → Type i → Type i
hasLevel zero A = isContr A
hasLevel (suc n) A = (x y : A) → hasLevel n (x ≡ y)
Remark 9.3.3.1. Note that for a type A, being a (−1)-type according to the
above definition (i.e. satisfying hasLevel 1) requires slightly more than the pre-
vious definition of propositions: for every pair of points x and y, there should
be a path p : x ≡ y as before, but we should also show that for every other
path q : x ≡ y, we have p ≡ q. However, the second requirement is automatic if
we carefully chose paths so that the two definitions coincide:
isProp-is1Type : ∀ {i} → {A : Type i} → isProp A → hasLevel 1 A
isProp-is1Type p x y = ! (p x x) ∙ p x y ,
λ { refl → ∙-inv-l (p x x) }

(we are using the same trick here than for Hedberg’s theorem, see section 9.3.2).
CHAPTER 9. HOMOTOPY TYPE THEORY 426

Cumulativity. We have seen in section 9.3.2 that a proposition is a set. More

generally, following the same ideas, one can show that every n-type is an
(n + 1)-type. This entails that the hierarchy of n-types is cumulative in the
sense that an n-type is an m-type for every n 6 m. This is shown by induction
on n. For the base case, we have to show that a contractible type A (i.e. a
(−2)-type) is also a proposition (i.e. a (−1)-type). Since A is contractible there
is a point a in A and a path px : a ≡ x for every point x in A. In order to show
that A is a proposition, we have to show that, for every points x and y in A, we
have a path x ≡ y: we can simply take p−1 x · py (and every other path q : x ≡ y
is easily shown to be equal to this one by induction on q). The inductive case
is immediate. Formally,
hasLevel-cumulative : ∀ {i} {n : } {A : Type i} →
hasLevel n A → hasLevel (suc n) A
hasLevel-cumulative {_} {zero} (a , p) x y =
! (p x) ∙ p y , λ { refl → ∙-inv-l (p x) }
hasLevel-cumulative {_} {suc n} L x y = hasLevel-cumulative (L x y)

The property of being an n-type. One can show that the property of being an
n-type is a proposition: a type either is an n-type or not, but there cannot be
multiple ways in which a type is an n-type.
For the base case, one has to show that being contractible is a proposition.
Suppose given two proofs (x, p) and (y, q) that a type A is contractible, where x
(resp. y) is a point of A and p (resp. q) associates to every point z of A a
path x ≡ z (resp. y ≡ z). Showing that these two proofs are equal amounts
to show that x ≡ y, which is given by py , and that p ≡ q. Assuming function
extensionality, this last point is equivalent to showing that, for every point z
in A, the paths pz : x ≡ z and qz : x ≡ z are equal, up to some transport of
the first. Since A is contractible (we have a proof (x, p) of it), it is a 0-type
(i.e. a set) by cumulativity, and therefore any two parallel paths in it are equal,
thus pz ≡ qz :
isContr-isProp : ∀ {i} {A : Type i} → isProp (isContr A)
isContr-isProp {_} {A} (x , p) (y , q) =
Σ-≡ (p y) (funext (λ z → fst (A-isSet y z _ (q z))))
where
A-isSet : hasLevel 2 A
A-isSet = hasLevel-cumulative (hasLevel-cumulative (x , p))
The inductive case is handled immediately using function extensionality:
hasLevel-isProp : ∀ {i} {A : Type i} (n : ) → isProp (hasLevel n A)
hasLevel-isProp zero = isContr-isProp
hasLevel-isProp (suc n) f g =
funext2 (λ x y → hasLevel-isProp n (f x y) (g x y))

9.3.4 Propositional truncation. We would now like to construct an oper-

ation, called propositional truncation, which turns an arbitrary type A into a
proposition kAk, as detailed in [Uni13, section 3.7]. The intuition is that if
a term of type A is a particular proof that A holds, a term of type kAk is a
witness that there exists a proof for A, but does not contain the information
CHAPTER 9. HOMOTOPY TYPE THEORY 427

of an actual proof. Therefore, the type kAk should be a empty when A is and
a point otherwise. If A is decidable, this operation is easy to define: either A
or ¬A holds, and we respectively define kAk = > or kAk = ⊥. However, since
we do not live in a classical world, we cannot define propositional truncation in
this way. A more faithful description is that the propositional truncation starts
from the type A and adds a path between any pair of points in order to turn it
into a proposition, see section 9.5.4.

Rules. Propositional truncation is not a definable operation and has to be added

as a new construction to the logic. We extend the syntax of expressions by

e ::= . . . | kek | kekisProp | |e| | rec(e, e0 , x 7→ e00 )

where
– kAk is the propositional truncation of A,
– kAkisProp is a proof that kAk is a proposition, and

– |t| provides a proof that kAk is non-empty when there is a term t of type A,
– rec(t, B, x 7→ u) is the eliminator for truncated types.
The formation rules state that the propositional truncation kAk exists for every
type A and is a proposition:

Γ ` A : Type Γ ` A : Type
(kkF ) (kk0F )
Γ ` kAk : Type Γ ` kAkisProp : isProp(A)

The introduction rule states that the propositional truncation kAk is non-empty
when A is
Γ`t:A
(kkI )
Γ ` |t| : kAk
The elimination rule states that if we have an element of kAk, then we can
assume that we have an element of A provided that the type we are currently
proving (or “eliminating into”) is a proposition:

Γ ` t : kAk Γ, x : A ` u : B Γ ` P : isProp(B)
(kkE )
Γ ` rec(t, B, x 7→ u) : B

The computation rule states that the element of A given by the elimination rule
above is t when the witness given for kAk is |t|:

Γ`t:A Γ, x : A ` u : B Γ ` P : isProp(B)
(kkC )
Γ ` rec(|t|, B, x 7→ u) = u[t/x] : B

The uniqueness rule is

Γ ` t : kAk Γ ` P : isProp(A)
(kkU )
Γ ` | rec(t, A, x 7→ x)| = t : kAk
CHAPTER 9. HOMOTOPY TYPE THEORY 428

Remark 9.3.4.1. For simplicity, we have given the rules in the non-dependent
case, which is the most useful one in practice. For full generality, we should
allow B to depend on kAk and adapt the rules accordingly. For instance, the
elimination rule should be
Γ ` t : kAk
Γ, x : kAk ` B Γ, x : A ` u : B[|x|/x] Γ, x : kAk ` P : isProp(B)
(kkE )
Γ ` rec(t, x 7→ B, x 7→ u) : B[t/x]

Definition. This construction can be implemented in Agda, by postulating ax-

ioms corresponding to the rules. Formation is
postulate ∥_∥ : ∀ {i} → Type i → Type i
postulate ∥∥-isProp : ∀ {i} {A : Type i} → isProp ∥ A ∥
introduction is

postulate ∣_∣ : ∀ {i} {A : Type i} → A → ∥ A ∥

elimination is
postulate ∥∥-rec : ∀ {i j} {A : Type i} {B : Type j} →
isProp B → (A → B) → (∥ A ∥ → B)

computation is
postulate ∥∥-comp : ∀ {i j} {A : Type i} {B : Type j} →
(P : isProp B) (f : A → B) (x : A) →
∥∥-rec P f ∣ x ∣ ≡ f x

and uniqueness is
postulate ∥∥-eta : ∀ {i} {A : Type i} (P : isProp A) (x : ∥ A ∥) →
∣ ∥∥-rec P id x ∣ ≡ x

Logical connectives. Remember from section 9.3.1 that we had difficulties defin-
ing the disjunction of propositions because the coproduct of two propositions is
not a proposition in general (we can only show that it is a set). Now that we
have the propositional truncation at hand, we can use it on order to squash the
result of the coproduct into a proposition. We can thus define disjunction as
_∨_ : ∀ {i j} → Type i → Type j → Type (lmax i j)
A ∨ B = ∥ A B ∥
The disjunction of two propositions is now a proposition by definition. Similarly,
the existential quantification is a truncated variant of Σ-types:

∃ : ∀ {i j} → (A : Type i) → (A → Type j) → Type (lmax i j)

∃ A B = ∥ Σ A B ∥
CHAPTER 9. HOMOTOPY TYPE THEORY 429

The axiom of choice. In order to illustrate the difference between operations

and their truncated variant, let us consider the possible implementations of the
axiom of choice in type theory, see [Uni13, section 3.8]. Recall that, in set theory,
a possible formulation of this axiom states that, given a relation R ⊆ A × B
between sets A and B such that every element x of A is in relation with an
element y of B contains a function. In type theory, the naive translation of this
is the formula
CAC : ∀ {i j k} → Type (lmax (lmax (lsuc i) (lsuc j)) (lsuc k))
CAC {i} {j} {k} = {A : Type i} {B : Type j}
(R : A → B → Type k) →
(r : (x : A) → Σ B (λ y → R x y)) →
Σ (A → B) (λ f → (x : A) → R x (f x))
is called the constructive axiom of choice, or CAC, and we have seen in sec-
tion 6.5.8 that this formula is easily proved. Namely, the argument of type

(x : A) → Σ B (λ y → R x y)

witnesses the fact that every element of A is in relation with some element of B.
A term of this type is a function r which to every x ∈ A associates a pair
consisting of an element y ∈ B together with a proof that the pair (x, y) is in
the relation R. From this data it is easy to construct a function A → B (by
post-composing r with the first projection) and a proof that we have (x, r(x))
in the relation R for every x ∈ A:
cac : ∀ {i j k} → CAC {i} {j} {k}
cac R f = (λ x → fst (f x)) , (λ x → snd (f x))

In some sense this was “too easy”, because the function r directly provided us
with a way to construct a suitable element of B from an element of A.
A more faithful way of implementing the axiom of choice in type theory con-
sists, instead of supposing that we have a function r as above, in only supposing
the existence of such a function, i.e. that its propositional truncation is inhab-
ited, otherwise said we use an existential quantification instead of a Σ-type.
Similarly, as a result, we only want to show that there exists a suitable function
from A to B, without explicitly constructing it. The “right” formulation of the
axiom of choice is thus:
AC : ∀ {i j k} → Type (lmax (lmax (lsuc i) (lsuc j)) (lsuc k))
AC {i} {j} {k} = {A : Type i} {B : Type j} →
isSet A → isSet B →
(R : A → B → Type k) →
((x : A) (y : B) → isProp (R x y)) →
(r : (x : A) → ∃ B (λ y → R x y)) →
∃ (A → B) (λ f → (x : A) → R x (f x))

Note that, since we are serious about homotopy levels, we have also restricted
to the case where A and B are sets and R x y is a proposition for every element
x of A and y of B (the axiom without this restriction would be inconsistent
with univalence [Uni13, Lemma 3.8.5]). There is also a dependent variant of
this axiom (where the type B is allowed to depend on A):
CHAPTER 9. HOMOTOPY TYPE THEORY 430

DAC : ∀ {i j k} → Type (lmax (lmax (lsuc i) (lsuc j)) (lsuc k))

DAC {i} {j} {k} = {A : Type i} {B : A → Type j} →
isSet A → ((x : A) → isSet (B x)) →
(R : (x : A) → B x → Type k) →
((x : A) (y : B x) → isProp (R x y)) →
(r : (x : A) → ∃ (B x) (λ y → R x y)) →
∃ ((x : A) → B x) (λ f → (x : A) → R x (f x))
It can be shown that AC and DAC equivalent (exercise: show it). Finally, these
axioms are also equivalent to the following axiom
PAC : ∀ {i j} → Type (lmax (lsuc i) (lsuc j))
PAC {i} {j} = {A : Type i} {B : A → Type j} →
isSet A → ((x : A) → isSet (B x)) →
((x : A) → ∥ B x ∥) → ∥ ((x : A) → B x) ∥
which is close to the usual alternative formulation of the axiom of choice: a
product of non-empty sets is non-empty, see section 5.3.2.

Diaconescu. We are now in position of formally proving Diaconescu’s theorem,

which states that
the axiom of choice implies the excluded middle.
The traditional proof of this theorem was presented in section 5.3.3 and the
reader is advised to read again the proof there before going one with current sec-
tion, which we learned from [Alt19]. We suppose here that both function exten-
sionality (see section 9.1.5) and propositional extensionality (see section 9.3.1)
hold in this section, both being consequences of univalence.
We take for granted that the following formulation of the axiom of choice
holds
PAC : ∀ {i j} → Type (lmax (lsuc i) (lsuc j))
PAC {i} {j} = {A : Type i} {B : A → Type j} →
((x : A) → ∥ B x ∥) → ∥ ((x : A) → B x) ∥
It can be remarked that we are not very serious about homotopy levels, i.e. we
do not restrict to the case where A and the B x are supposed to be sets: adding
this does not does not bring any interesting difficulty, but makes the proofs
a bit longer and thus more difficult to read. We suppose fixed an arbitrary
proposition P in Type i for some level i (here also, P should be taken to be a
proposition if we were more rigorous) and our goal is to show
P ∨ ¬ P
We write U for the set of non-empty subsets of booleans:
U = Σ (Bool → Type i) (λ Q → ∃ Bool Q)
An element of U consists of a subset Q of the booleans, encoded here as a
predicate on booleans (Q b holds when a boolean b belongs to the set) together
with a proof that the set is non-empty (Q b holds for some boolean b). In
particular, this set contains two elements of interest for us: the set
F = {b ∈ Bool | b = 0 ∨ P }
which is non-empty because it contains 0, formalized as
CHAPTER 9. HOMOTOPY TYPE THEORY 431

F : U
F = (λ b → b ≡ false ∨ P) , ∣ false , ∣ inl refl ∣ ∣

and the set

T = {b ∈ Bool | b = 1 ∨ P }
which is non-empty because it contains 1, formalized as

T : U
T = ((λ b → b ≡ true ∨ P)) , ∣ true , ∣ inl refl ∣ ∣
An element Q of U consists of a subset Q0 of Bool together with a proof Q00
that Q0 is non-empty. The family consisting of all Q0 such that Q belongs to U
is thus a family of non-empty sets and, by the axiom of choice, it is non-empty:
we have a function f which to every element Q of U associates an element of Q0 .
We will prove in the function
dec : ((Q : U) → Σ Bool (fst Q)) → P ∨ ¬ P
that this entails that P ∨ ¬P holds, from which we will be able to conclude as
explained above:
Diaconescu : isProp P → PAC → P ∨ ¬ P
Diaconescu prop ac = ∥∥-rec ∥∥-isProp dec
(ac {A = U} {B = (λ Q → Σ Bool (fst Q))} (λ Q → snd Q))
The crux of this proof is thus the function dec. It proceeds by case analysis
on f F and f T :
– if f F is true then true ≡ false ∨ P holds and thus P holds,
– if f T is false then false ≡ true ∨ P holds and thus P holds,
– if f F is false and f T is true then we can show that ¬P holds.

The subtle case is the last one, when f F is false and f T is true, because this
entails that false ≡ false ∨ P and true ≡ true ∨ P hold, from which we
cannot extract information. However, we can show that ¬P holds in this case.
Namely, suppose that P holds (we write x for its proof) and let us deduce ⊥.
Since P holds, by definition of F and T we have F b ⇔ T b for every boolean b,
thus F b ≡ T b by propositional extensionality, and thus F ≡ T by function
extensionality:
F≡T : F ≡ T
F≡T =
Σ-≡
(funext
λ {
false → propext ∥∥-isProp ∥∥-isProp
((λ _ → right x) , (λ _ → right x)) ;
true → propext ∥∥-isProp ∥∥-isProp
((λ _ → right x) , (λ _ → right x))
})
(∥∥-isProp (transport (∃ Bool) _ (snd F)) (snd T))
CHAPTER 9. HOMOTOPY TYPE THEORY 432

From there, we can deduce that the boolean of f F is equal to the boolean
of f T (recall that f Q is a pair consisting of a boolean and a proof that it
belongs to Q):

fF≡fT : fst (f F) ≡ fst (f T)

fF≡fT = ap (λ Q → fst (f Q)) F≡T
However, we know that those booleans are respectively false and true, and we
can deduce that false ≡ true

absurd : P → (fst (f F) ≡ false) → (fst (f T) ≡ true) →

false ≡ true
absurd x ff ft = transport2 _≡_ ff ft fF≡fT
from which we conclude to an absurdity. The proof of dec is finally

dec : ((Q : U) → Σ Bool (fst Q)) → P ∨ ¬ P

dec f with inspect (f F) | inspect (f T)
dec f | (true , p) , _ | (true , q) , _ =
∥∥-rec ∥∥-isProp ( -elim (λ ()) (λ x → ∣ inl x ∣)) p
dec f | (true , p) , _ | (false , q) , _ =
∥∥-rec ∥∥-isProp ( -elim (λ ()) (λ x → ∣ inl x ∣)) p
dec f | (false , p) , _ | (false , q) , _ =
∥∥-rec ∥∥-isProp ( -elim (λ ()) (λ x → ∣ inl x ∣)) q
dec f | (false , p) , k | (true , q) , l =
∣ inr (λ x → case absurd x (ap fst k) (ap fst l) of λ ()) ∣
Note that we don’t directly match f F because we would loose the fact that
the result of the match is equal to f F (and similarly for f T). Instead, we use
inspect, which is defined by
inspect : ∀ {i} {A : Type i} (x : A) → Σ A (λ y → x ≡ y)
inspect x = x , refl
and allows retrieving both the result of the match and the equality with the
matched value (using the terminology from section 9.3.3, this function returns
an element of the singleton at x).

Revealing truncation. As explained above, propositional truncation erases proofs,

keeping only the existence of a proof. However, sometimes knowing the exis-
tence of a witness is enough to reconstruct this witness [Esc19]. For instance,
suppose that we are given a function f : N → N and we know that this function
admits a root (i.e. a number n such that f (n) = 0), then we can actually con-
struct root of f : we compute f (0), f (1), f (2), and so on, until we find a natural
number n such that f (n) = 0. The point is that knowing the existence of the
root ensures that this process will eventually terminate. This can be formalized
and we are going to prove

(∃(n : N).f (n) = 0) ⇒ (Σ(n : N).f (n) = 0)

or, unfolding the notations,

kΣ(n : N).f (n) = 0k ⇒ Σ(n : N).f (n) = 0

CHAPTER 9. HOMOTOPY TYPE THEORY 433

We are thus able to extract a witness from knowing its existence. Note that
the fact that N can be enumerated is crucial here: the implication kAk ⇒ A
does not hold in general, for an arbitrary type A. For instance, if f was of type
(N → N) → N, we would not expect to be able to construct a root from knowing
its existence, because the type of functions N → N is not countable.
So, suppose that we have a proof E of ∃(n : N).f (n) = 0 and we want
to prove the proposition R which is Σ(n : N).f (n) = 0. We cannot directly
provide the required natural number n (we cannot magically guess the root)
and we cannot use the hypothesis E: in order to do so, we would have to use
the eliminator for propositional truncation, which we cannot do because the
goal we are proving is not a proposition. Namely, the type R is a set, the set of
all roots of f , and not a proposition (f might admit multiple roots). However,
we can take a variant of this type in order to have a proposition: instead of
constructing any root of f , we are going to construct a particular one, say the
smallest one. Namely, the set R0 of natural numbers which is a smallest root
of f contains exactly one element (the smallest root of f ) and will thus be a
proposition. We can prove it by using elimination of propositional truncation
on E and then conclude that we have an element of R because we have the
implication R0 ⇒ R (a smallest root of f is a root).
In Agda, we are going to reason on an arbitrary predicate P on natural
numbers, our above example being the particular case where P n is f (n) = 0.
We can define a predicate isFirst such that a natural number n satisfies isFirst n
when n is the smallest natural number for which P holds:
isFirst : ∀ {i} (P : → Type i) → → Type i
isFirst P n = P n × ((m : ) → P m → n ≤ m)

Moreover, using antisymmetry of the order on natural numbers, two smallest

numbers satisfying a property are equal (otherwise said, the smallest natural
number to satisfy a property is unique, when it exists):
isFirst-≡ : ∀ {i} (P : → Type i) → {m n : } →
isFirst P m → isFirst P n → m ≡ n
isFirst-≡ P {m} {n} (Pm , Fm) (Pn , Fn) =
≤-antisym (Fm n Pn) (Fn m Pm)
Using this, and the closure of properties of propositions under conjunction and
Π-types, we can show that if P is a predicate on natural numbers, in the sense
that P n is a proposition for every natural number n, then the type of first
natural numbers to satisfy this predicate is a proposition:

first-isProp : ∀ {i} (P : → Type i) → ((n : ) → isProp (P n)) →

isProp (Σ (isFirst P))
first-isProp P prop =
Σ-isProp
(λ n → ∧-isProp
(prop n)
(Π-isProp (λ n → Π-isProp (λ Pn → ≤-isProp))))
(λ m n → isFirst-≡ P)
Next, our goal is to show that if we know an arbitrary natural number m
satisfying a predicate P then we can construct the smallest one. In order to
CHAPTER 9. HOMOTOPY TYPE THEORY 434

perform inductions, it will be useful to consider the type of the smallest natural
number greater than a fixed number k satisfying a proposition:

isFirst-from : ∀ {i} → → (P : → Type i) → → Type i

isFirst-from k P n = isFirst (λ n → k ≤ n × P n) n
We will also use the following “downward” recurrence principle, which states
that if we know that P m holds and P (n + 1) implies P n for an arbitrary
number n, then P n holds for every n 6 m. Formally, it can be expressed as

rec-down : ∀ {i} (P : → Type i) (m : ) →

P m → ((n : ) → n < m → P (suc n) → P n) →
(n : ) → n ≤ m → P n
and its proof is left as an exercise to the reader. Suppose given a decidable
predicate P (i.e. P n∨¬(P n) holds for every n), for which we know a number m
such that P m holds. By downward recurrence on k 6 m, we can construct the
smallest number greater than k satisfying P . For the inductive step, if we know
the smallest one n greater than k + 1 then the smallest one greater than k is k
if P k is satisfied or n otherwise (we need to be able to decide P k to be able to
perform this case analysis). Formally,

find-first-from : ∀ {i} (P : → Type i) →

((n : ) → isDec (P n)) →
(m : ) → P m →
(k : ) → k ≤ m → Σ (λ n → isFirst-from k P n)
find-first-from P dec m Pm k k≤m =
rec-down
(λ k → Σ (λ n → isFirst-from k P n))
m
(m , (≤-refl , Pm) , (λ { n (m≤n , Pn) → m≤n }))
ind
k k≤m
where
ind : (k : ) → k < m →
Σ (λ n → isFirst-from (suc k) P n) →
Σ (λ n → isFirst-from k P n)
ind k k<m (n , Pn) with dec k
ind k k<m _ | inl Pk =
k , (≤-refl , Pk) , λ { n (k≤n , Pn) → k≤n }
ind k k<m (n , (k+1≤n , Pn) , Fn) | inr ¬Pk =
n , (≤-trans (n≤1+n k) k+1≤n , Pn) ,
λ { i (k≤i , Pi) →
case split-≤ k≤i of λ {
(inl k≡i) → -elim (¬Pk (transport P (sym k≡i) Pi)) ;
(inr k<i) → Fn i (k<i , Pi)
}
}
where split-≤ is
split-≤ : {m n : } → m ≤ n → m ≡ n m < n
CHAPTER 9. HOMOTOPY TYPE THEORY 435

(proof left to the reader). We can thus construct the first natural number n
satisfying P , by applying previous lemma to the case k = 0:
find-first : ∀ {i} (P : → Type i) → ((n : ) → isDec (P n)) →
(m : ) → P m → Σ (λ n → isFirst P n)
find-first P dec m Pm with find-first-from P dec m Pm 0 z≤n
find-first P dec m Pm | n , (_ , Pn) , Fn =
n , (Pn , λ n Pn → Fn n (z≤n , Pn))
It is now time for application to our original problem. Given a function f : N → N
for which we have a proof E that ∃(n : N).f (n) = 0. We can use the elimination
principle for propositional truncation in order to show Σ(n : N). isFirst(f (n) = 0),
which is a proposition, and we are left with showing

(Σ(n : N).f (n) = 0) ⇒ Σ(n : N). isFirst(f (n) = 0)

i.e. knowing a root of f we have to construct the smallest one, which is precisely
the purpose of our find-first function above:
extract-first-root : (f : → ) →
∃ (λ n → f n ≡ zero) →
Σ (isFirst (λ n → f n ≡ zero))
extract-first-root f E =
∥∥-rec
(first-isProp P (λ n → -isSet (f n) 0))
(λ { (n , Pn) → find-first P (λ n → f n ≟ 0) n Pn})
E
where
P : → Type ₀
P n = f n ≡ zero
Finally, we can conclude with our root extraction procedure:
extract-root : (f : → ) →
∃ (λ n → f n ≡ zero) →
Σ (λ n → f n ≡ zero)
extract-root f E with extract-first-root f E
extract-root f E | n , Pn , _ = n , Pn

Relationship with double negation. Given a type A, the type ¬¬A is a propo-
sition (as is the negation of any type) and there is a canonical map from the
former to the later:
¬¬-trunc : ∀ {i} {A : Type i} → A → ¬ (¬ A)
¬¬-trunc x k = k x
In this sense, double negation is very similar to propositional truncation, ex-
cepting that the resulting type is “classical” in the sense that it satisfies the
law of elimination of double negation (or, equivalently, the excluded middle).
If propositional truncation kAk can be seen as a quotient of A (we identify all
proofs), and ¬¬A can be thought of as a further quotient, making the type
classical. This quotient is witnessed by the existence of a canonical function
kAk → ¬¬A, which can be constructed by
CHAPTER 9. HOMOTOPY TYPE THEORY 436

∥∥-¬¬ : ∀ {i} {A : Type i} → ∥ A ∥ → ¬ ¬ A

∥∥-¬¬ = ∥∥-rec ¬-isProp (λ x ¬x → ¬x x)
In general, there is no converse map. In particular, for a proposition A, the
existence of such a map is equivalent to the type being “classical”, i.e. satisfying
the elimination of double negation:
¬¬-∥∥ : ∀ {i} {A : Type i} → isProp A →
(¬ (¬ A) → ∥ A ∥) ↔ (¬ (¬ A) → A)
¬¬-∥∥ PA = (λ f ¬¬a → ∥∥-rec PA id (f ¬¬a)) ,
(λ nne ¬¬a → ∣ nne ¬¬a ∣)
Thus, if we assume that the logic is classical, in the sense that every proposi-
tion satisfies NNE, propositional truncation can be defined as double negation,
see [KECA16] and [Uni13, Exercise 3.14].

Impredicative definition. Instead of defining propositional truncation axiomati-

cally, we can almost encode it in the following way [Uni13, Exercise 3.15]:
∥_∥ : ∀ {i} (A : Type i) → Type i
∥_∥ {i} A = {B : Type i} → isProp B → (A → B) → B
The propositional truncation of a type A is a type kAk which, by definition, is
such that, for every proposition B, if we have a map A → B then we have a
map kAk → B, i.e. satisfies the elimination rule (kkE ) stated earlier. We say
“almost” here because the above definition is not accepted by Agda: if A is a
type at level i then the type we have defined is not at level i but at level i + 1,
i.e. we should actually have given it the type
∥_∥ : ∀ {i} (A : Type i) → Type (lsuc i)
There are two ways out of it. The easy one is to simply disable universe checking
(with the option --type-in-type), but this makes the logic inconsistent, see
section 8.2. The other one is to adopt a principle weaker than having type
in type, called propositional resizing, which roughly says that a proposition in
i-th universe can be seen as a proposition in the j-th universe for any i and j
(including i > j): after all, a proposition contains at most one element (up to
homotopy), so that it is reasonable to consider that size does not matter in this
case.
Anyhow, with this encoding, function extensionality allows proving that the
truncation is a proposition
∥∥-isProp : ∀ {i} {A : Type i} → isProp ∥ A ∥
∥∥-isProp = Π'-isProp (λ B → Π-isProp (λ p → Π-isProp (λ f → p)))
the truncation is immediate to define
∣_∣ : ∀ {i} {A : Type i} → A → ∥ A ∥
∣ x ∣ _ f = f x
the recurrence principle is simple to show
∥∥-rec : ∀ {i j} {A : Type i} {B : Type j} →
isProp B → (A → B) → ∥ A ∥ → B
∥∥-rec p f x = x p f
CHAPTER 9. HOMOTOPY TYPE THEORY 437

as well is the computation principle

∥∥-comp : ∀ {i j} {A : Type i} {B : Type j} →
(p : isProp B) (f : A → B) (x : A) →
∥∥-rec p f ∣ x ∣ ≡ f x
∥∥-comp p f x = refl
and the uniqueness principle
∥∥-eta : ∀ {i} {A : Type i} (p : isProp A) (x : ∥ A ∥) →
∣ ∥∥-rec p id x ∣ ≡ x
∥∥-eta p x = funext2 (λ a f → p (f (x p id)) (x a f))

9.4 Univalence
As indicated before, we still lack ways to prove equalities which ought to hold
in our geometric model. We now introduce the univalence axiom, due to Vo-
evodsky, which fixes this in a satisfactory way.

9.4.1 Operations with paths. In this section, we describe some operations

involving paths, which will be useful in order to formulate and study univalence.

Application. The first one, called ap, states that all functions preserve paths:
given a function f : A → B and a path p : x ≡ y in A, we can construct a path
f (x) ≡ f (y) in B, sometimes abusively written f (p), by “applying” (thus the
name) f to p:
ap : ∀ {i j} {A : Type i} {B : Type j} {x y : A} →
(f : A → B) → x ≡ y → f x ≡ f y
ap f refl = refl
It can also be seen as a witness for the fact that equality is a congruence
(and we have already met this function under the name cong in section 6.6).
This application is compatible with concatenation of paths in the sense that
f (p · q) ≡ f (p) · f (q):

∙-ap : ∀ {i j} {A : Type i} {B : Type j} {x y z : A} →

(f : A → B) → (p : x ≡ y) → (q : y ≡ z) →
ap f (p ∙ q) ≡ ap f p ∙ ap f q
∙-ap f refl q = refl

Similarly, if two functions are equal and we apply them to the same argument,
the results will also be equal:
happly : ∀ {i j} {A : Type i} {B : A → Type j}
{f g : (x : A) → B x} →
f ≡ g → (x : A) → f x ≡ g x
happly refl x = refl
CHAPTER 9. HOMOTOPY TYPE THEORY 438

Transport. Given a type A, a family of types B : A → Type can be thought

of as a family of spaces B(x), indexed by x in A, which varies continuously
in x. As an illustration, we have figured the type A below as a segment at the
bottom, and the type B(x) above each point x of A as a disk. In passing, the
space above, consisting of all the spaces B(x), thus depicts the type Σ(x : A).B.

B(x)
B(y)

a
Σ(x : A).B b

A p
x y

Since the spaces B(z) vary continuously in z, given a path p : x ≡ y in A and

a point a in B(x), if we make z evolve from x to y, the spaces B(z) will evolve
from B(x) to B(y) and the point a will induce a path from a to some point b
in B(y). We call transport the operation which to every path p : x ≡ y and
point a in B(x) associates the point b in B(y) resulting from “transporting” the
point a in B along the path p. Formally, it can be defined as
transport : ∀ {i j} {A : Type i} {x y : A} (B : A → Type j) →
x ≡ y → B x → B y
transport B refl x = x
This can also be seen as the fact that equality is substitutive, meaning that,
in a type, we can replace an element by an equal one, and we have already
encountered this function under the name subst in section 6.6.
This transport function allows us to define a coercion function as a particular
case: if two types A and B are equal (witnessed by a path p) then we can always
transform an element of type A into an element of type B by transporting an
element of A into an element of B in the family where the indexing type is Type,
with the type A above each point A of Type:

A
B

x
coe p x

Type
p
A B

Formally,
coe : ∀ {i} {A B : Type i} → (A ≡ B) → A → B
coe p x = transport (λ A → A) p x
CHAPTER 9. HOMOTOPY TYPE THEORY 439

Of course, it could also be defined directly by induction by

coe : ∀ {i} {A B : Type i} → (A ≡ B) → A → B
coe refl x = x
Finally, we can define a variant of ap in the case where f is a dependent function,
i.e. its type is of the form Π(x : A).B(x). Given such a function and a path
p : x ≡ y in A, we cannot expect to have f (x) ≡ f (y) anymore because this
type does not even make sense: f (x) belongs to B(x) and f (y) belongs to B(y),
so that we cannot compare them for equality. What we can show however is
that if we transport f (x) along p in B(y) then the resulting element of B(y) is
equal to f (y):

B(x)
B(y)

f (x) transport(B, p, f (x))

f (y)

A p
x y

The intuitive reason for this is that f has to be a continuous function from A
to B. Formally,
apd : ∀ {i j} {A : Type i} {B : A → Type j} {x y : A} →
(f : (x : A) → B x) → (p : x ≡ y) →
transport B p (f x) ≡ f y
apd f refl = refl

9.4.2 Equivalences. We consider that two spaces are equivalent when they are
“isomorphic up to homotopy”, i.e. they are homotopy equivalent, in the sense
defined in section 9.2. We now formalize this notion, see [Uni13, Chapter 4] for
details. We will see that it behaves much like the notion of isomorphism.

Quasi-invertibility and homotopy equivalences. Recall that two functions f and

g of type A → B are homotopic, what we write f ∼ g, when f (x) ≡ g(x) for
every point x of A. Formally, this can be defined as
_ _ : ∀ {i j} {A : Type i} {B : A → Type j}
(f g : (x : A) → B x) → Type (lmax i j)
_ _ f g = ∀ x → f x ≡ g x
Also recall that a function f : A → B is a homotopy equivalence when there
exists a function g : B → A such that g ◦ f ∼ idA and f ◦ g ∼ idB . This suggests
defining the predicate isQinv such that isQinv(f ) holds when f is a homotopy
equivalence in this sense:
isQinv : ∀ {i j} {A : Type i} {B : Type j} →
(A → B) → Type (lmax i j)
CHAPTER 9. HOMOTOPY TYPE THEORY 440

isQinv {A = A} {B = B} f =
Σ (B → A) (λ g → (g ∘ f) id × (f ∘ g) id)

The name comes from the fact that, a function f satisfying this property is, in
this context, said to be quasi-invertible. Above, the identity is defined as
id : ∀ {i} {A : Type i} → A → A
id x = x
and the composition by

_∘_ : ∀ {i j k} {A : Type i} {B : Type j} {C : Type k} →

(B → C) → (A → B) → A → C
(g ∘ f) x = g (f x)
Surprisingly, this definition turns out not to be a good notion because it is not a
proper predicate: isQinv(f ) is not a proposition in general (see [Uni13, Theorem
4.1.3] for a counter-example) and being a quasi-inverse is thus not a property of
a function f , it involves more data. We can come with a simple variant of this
notion which actually is a predicate: instead of requiring that the left and the
right inverse are the same, we leave the possibility for them to be different. We
say that a function f : A → B is an equivalence when there exists g : B → A
and g 0 : B → A such that g ◦ f ∼ idA and f ◦ g 0 ∼ idB . In Agda,
isEquiv : ∀ {i j} {A : Type i} {B : Type j} →
(A → B) → Type (lmax i j)
isEquiv {A = A} {B = B} f =
Σ (B → A) (λ g → (g ∘ f) id) ×
Σ (B → A) (λ g → (f ∘ g) id)

and one can show that isEquiv(f ) is a proposition for every function f [Uni13,
Theorem 4.2.13]. Note that every quasi-invertible map is canonically an equiv-
alence:
isQinv-isEquiv : ∀ {i j} {A : Type i} {B : Type j} {f : A → B} →
isQinv f → isEquiv f
isQinv-isEquiv (g , gf , fg) = (g , gf) , (g , fg)
There is also a converse map (which is not obvious to define), the subtle point
being that the resulting pair of maps does not form an equivalence. That being
said, all the equivalences we will construct in practice will be quasi-inverses.

Contractibility. The notion of equivalence can be thought of as an “up-to-

homotopy” version of the notion of bijection in set theory. We can therefore
try to mimic the usual characterization of bijections: a function f : A → B is a
bijection when every element y in B has a unique preimage under f , otherwise
said f −1 (y) is a singleton. In homotopy type theory, the analogous of the notion
of preimage is given by the fiber of f at y which is the space of points x in A
equipped with a path from f (x) to y:
fib : ∀ {i j} {A : Type i} {B : Type j} →
(A → B) → B → Type (lmax i j)
fib {A = A} f y = Σ A (λ x → f x ≡ y)
CHAPTER 9. HOMOTOPY TYPE THEORY 441

We then say that a map is contractible when all its fiber are:
isContrMap : ∀ {i j} {A : Type i} {B : Type j} →
(A → B) → Type (lmax i j)
isContrMap {B = B} f = (y : B) → isContr (fib f y)
It can be shown for a map f , the types isEquiv(f ) and isContrMap(f ) are
equivalent, so that we could use contractibility as an alternative definition for
being an equivalence.

Equivalence of types. Two types A and B are equivalent when there is an equiv-
alence from A to B, what we write A ' B:
_ _ : ∀ {i j} (A : Type i) (B : Type j) → Type (lmax i j)
A B = Σ (A → B) isEquiv
This relation is an equivalence relation. It is reflexive:
-refl : ∀ {i} {A : Type i} → A A
-refl = id , (id , (λ x → refl)) , (id , λ x → refl)
transitive:
-trans : ∀ {i j k} {A : Type i} {B : Type j} {C : Type k} →
A B → B C → A C
-trans (f , (g , gf) , (g' , fg')) (h , (i , ih) , (i' , hi')) =
(h ∘ f) ,
(((g ∘ i) , λ x → trans (ap g (ih (f x))) (gf x)) ,
((g' ∘ i') , λ x → trans (ap h (fg' (i' x))) (hi' x)))
but also symmetric, which is not immediate because the definition of equivalence
is not:
-sym : ∀ {i j} {A : Type i} {B : Type j} → A B → B A
-sym {B = B} (f , (g , gf) , (g' , fg')) =
g , (f , left) , (f , gf)
where
g-g' : (x : B) → g x ≡ g' x
g-g' x = trans (sym (ap g (fg' x))) (gf (g' x))
left : (x : B) → f (g x) ≡ x
left x = trans (ap f (g-g' x)) (fg' x)
An equivalence e consists of a map f : A → B together with two maps
g, g 0 : B → A which are respectively left and right inverse for f . We can define
a function which to such an equivalence associates the corresponding f :
-→ : ∀ {i j} {A : Type i} {B : Type j} → A B → A → B
-→ (f , _) = f
and one associating the corresponding g:
-← : ∀ {i j} {A : Type i} {B : Type j} → A B → B → A
-← (_ , ((g , _) , _)) = g
It will also be useful to have a notation for the proof that g is a left inverse
for f , i.e. x = g(f (x)) for every x in A:
CHAPTER 9. HOMOTOPY TYPE THEORY 442

-η : ∀ {i j} {A : Type i} {B : Type j}
(e : A B) (x : A) → x ≡ -← e ( -→ e x)
-η (f , (g , gl) , (h , hr)) x = sym (gl x)
We also define one providing a proof that g is a right inverse for f , i.e. we have
f (g(x)) = x for every x in A:
-ε : ∀ {i j} {A : Type i} {B : Type j}
(e : A B) (y : B) → -→ e ( -← e y) ≡ y
-ε (f , (g , gl) , (h , hr)) y =
f (g y) ≡ sym (ap (λ y → f (g y)) (hr y))
f (g (f (h y))) ≡ ap f (gl (h y))
f (h y) ≡ hr y
y ∎

Note that the proof is slightly more complicated than the previous one because
we show here that g and not g 0 is a right inverse for f .
Finally, we show a last useful theorem. In set theory, a function f : A → B
which is bijective, i.e. which admits an inverse g, is always injective. This means
that for every elements x and y of A, if f (x) = f (y) then x = y. Namely, we
have
x = g(f (x)) = g(f (y)) = y
This property also holds in our context:
-inj : ∀ {i j} {A : Type i} {B : Type j}
(e : A B) {x y : A} → -→ e x ≡ -→ e y → x ≡ y
-inj e {x} {y} p =
x ≡ -η e x
-← e ( -→ e x) ≡ ap ( -← e) p
-← e ( -→ e y) ≡ sym ( -η e y)
y ∎

9.4.3 Univalence. We can easily define a function which shows that two equal
types A and B are equivalent:
id-to-equiv' : ∀ {i} {A B : Type i} → (A ≡ B) → (A B)
id-to-equiv' refl = id , ((id , (λ _ → refl)) , id , (λ _ → refl))
Namely, by induction on the equality p : A ≡ B we can suppose that A and B
are the same, and in this case we can take the identity function as equivalence
between the two types, left and right inverses being the identity. Given a path
p : A ≡ B, note that the induced function A → B is precisely given by coe f ,
so that it is conceptually better to define this operator as
id-to-equiv : ∀ {i} {A B : Type i} → (A ≡ B) → (A B)
id-to-equiv p = coe p , coe-isEquiv p
where the proof that coercion gives rise to equivalences is
coe-isEquiv : ∀ {i} {A B : Type i} (p : A ≡ B) → isEquiv (coe p)
coe-isEquiv refl = (id , (λ x → refl)) , (id , λ x → refl)
The univalence axiom introduced by Voevodsky states that this function is
itself an equivalence [Uni13, section 2.10]:
CHAPTER 9. HOMOTOPY TYPE THEORY 443

postulate univalence : ∀ {i} {A B : Type i} →

isEquiv (id-to-equiv {i} {A} {B})

i.e. we have an equivalence

ua-equiv : ∀ {i} {A B : Type i} → (A ≡ B) (A B)
ua-equiv = id-to-equiv , univalence
One of the main consequences of this axiom is that, since the types A × B and
A ' B are equivalent, there is a map

A'B→A≡B

which allows constructing a proof of equality from an equivalence:

ua : ∀ {i} {A B : Type i} → (A B) → (A ≡ B)
ua f = -← ua-equiv f
This map can be seen as the proper introduction rule for equality, the elimination
rule being id-to-equiv. The associated computation rule is
ua-comp : ∀ {i} {A B : Type i} (e : A B) → coe (ua e) ≡ (fst e)
ua-comp {A = A} {B = B} e = ap fst ( -ε ua-equiv e)

and uniqueness rule is

ua-ext : ∀ {i} {A B : Type i} {p : A ≡ B} → p ≡ ua (id-to-equiv p)
ua-ext {p = p} = -η ua-equiv p
As a side note, remark that when A and B are types at level i, the type
A ' B is also at level i whereas A ≡ B is at level i + 1. It is therefore crucial
that we allow equivalences to hold between types of different levels, which is
why we really had to properly take care of universes levels in the developments
in this chapter.

9.4.4 Applications of univalence. The way univalence is quite often used is

the following. It may happen that we have two different descriptions A and A0
of a same data. In this case, these types can be shown to be equivalent and
thus equal by ua. Since they are equal they can be used interchangeably: by
transport, we can always convert a property on one into a property on the other.
For instance, the coproduct type A t B can alternatively defined as the type

Σ(b : Bool).δA,B b

where δA,B : Bool → Type is the function such that δA,B false = A and
δA,B true = B. This means that we can describe an element of A t B as a
pair (b, x) where b is a boolean and x is an element of A (resp. B) when A is
false (resp. true). An equivalence

(A t B) ' (Σ(b : Bool).δA,B b)

is easily constructed, from which we can deduce

(A t B) ≡ (Σ(b : Bool).δA,B b)
CHAPTER 9. HOMOTOPY TYPE THEORY 444

meaning that we can convert any property on one representation into a property
on the other representation. Similarly, the type A × B can be described as the
type
(A × B) ≡ (Π(b : Bool).δA,B b)
As a more programming-oriented example, natural numbers can either be
defined in unary or binary representation, giving rise to equivalent types. By
univalence, we can automatically transport any operation on one representation
(e.g. addition) into the other.

9.4.5 Describing identity types. Using univalence, we can describe the iden-
tity types for most type constructions.

Identity types in products. Given types A and B, we expect that a path in A×B
consists of a pair of paths in A and B respectively, i.e. given x, x0 in A and y, y 0
in B, we should have
IdA×B ((x, y), (x0 , y 0 )) ≡ IdA (x, x0 ) × IdB (y, y 0 )
By univalence, this amounts to show that the corresponding equivalence between
types
IdA×B ((x, y), (x0 , y 0 )) ' IdA (x, x0 ) × IdB (y, y 0 )
which is easily constructed:
×- : ∀ {i j} {A : Type i} {B : Type j} {x y : A × B} →
(x ≡ y) ((fst x ≡ fst y) × (snd x ≡ snd y))
×- {x = x} {y = y} =
f , (g , λ { refl → refl }) , (g , λ { (refl , refl) → refl })
where
f : x ≡ y → (fst x ≡ fst y) × (snd x ≡ snd y)
f refl = refl , refl
g : (fst x ≡ fst y) × (snd x ≡ snd y) → x ≡ y
g (refl , refl) = refl

Identity types over natural numbers. For data types, similar characterizations
can be achieved. For instance, for natural numbers, we expect that there is one
proof of equality in IdN (n, n) for any natural number n and none in IdN (m, n)
for m 6= n. Otherwise said, we expect IdN (n, n) = > and IdN (m, n) = ⊥ for
m 6= n. We can therefore code the expected type for identity types between any
two natural numbers as
code : → → Type ₀
code zero zero =
code zero (suc n) =
code (suc m) zero =
code (suc m) (suc n) = code m n
By univalence, in order to show that natural numbers have the expected identity
types, it is enough to show that there is an equivalence
IdN (m, n) ' code m n
To this aim we define an encoding function
CHAPTER 9. HOMOTOPY TYPE THEORY 445

enc : {m n : } → m ≡ n → code m n
enc {zero} {.zero} refl = tt
enc {suc n} {.(suc n)} refl = enc {n} {n} refl
and a decoding function in the other direction
dec : {m n : } → code m n → m ≡ n
dec {zero} {zero} tt = refl
dec {suc m} {suc n} c = ap suc (dec c)
and finally show that they form an equivalence:
-eq : (m n : ) → (m ≡ n) code m n
-eq m n =
enc , ((dec , dec-enc) , (dec , enc-dec {m}))
where
dec-enc : {m n : } → (p : m ≡ n) → dec (enc p) ≡ p
dec-enc {zero} {.zero} refl = refl
dec-enc {suc m} {.(suc m)} refl = ap (ap suc) (dec-enc refl)
enc-suc : {m n : } → (p : m ≡ n) → enc (ap suc p) ≡ enc p
enc-suc refl = refl
enc-dec : {m n : } → (c : code m n) → enc (dec {m} c) ≡ c
enc-dec {zero} {zero} tt = refl
enc-dec {suc m} {suc n} c =
trans (enc-suc (dec {m} {n} c)) (enc-dec {m} {n} c)

9.4.6 Describing propositions. In this section, we use univalence to show

that a proposition is either ⊥ or >. First, we expect that ⊥ is the only empty
type, i.e. that for every type A such that ¬A holds, A ≡ ⊥. By univalence, this
amounts to showing ¬A → (A ' ⊥), which is easily done: the map A → ⊥ is
given by the argument ¬A and the map ⊥ → A is given by the elimination of
⊥. In Agda,
¬- - : ∀ {i} {A : Type i} → ¬ A → A
¬- - k = k ,
( -elim , λ x → -elim (k x)) ,
( -elim , λ x → -isProp _ _)
Similarly, > is the only contractible type, in the sense that any contractible type
is equivalent to >:
Contr- - : ∀ {i} {A : Type i} → isContr A → A
Contr- - {A = A} (x , p) =
f , ((g , λ y → p y) , (g , λ { tt → refl }))
where
f : A →
f _ = tt
g : → A
g _ = x
Moreover, any non-empty proposition is contractible:
aProp-isContr : ∀ {i} {A : Type i} → isProp A → A → isContr A
aProp-isContr PA x = x , (PA x)
CHAPTER 9. HOMOTOPY TYPE THEORY 446

From there, one easily deduces that a proposition is either ⊥ when empty
Prop- - : ∀ {i} {A : Type i} → isProp A → ¬ A → A
Prop- - PA k = ¬- - k
or > when non-empty
Prop- -T : ∀ {i} {A : Type i} → isProp A → A → A
Prop- -T PA x = Contr- - (aProp-isContr PA x)

Decidable propositions. Above, since the logic is not classical, we need to be

provided with a proof of ¬A or a proof of A in order to decide whether the
proposition A is ⊥ or >. But it is not the case that every proposition is either
⊥ or >, i.e. that Prop ≡ Bool. However, this does hold for propositions which
are decidable:
dec-Prop : ∀ {i} → Σ (Type i) (λ A → isProp A ∧ isDec A) Bool
(the proof is left as an exercise to the reader). By univalence, the above equiva-
lence can be turned into an equality, thus providing a conceptually much better
definition of booleans than the type with two elements: booleans is the type of
decidable propositions!

Truncation of propositions. Finally, we mention that propositional truncation

is idempotent on propositions, meaning that kAk ≡ A when A is a proposition.
By univalence, this amounts to show kAk ' A: the map kAk → A is given by
elimination of truncation and the map A → kAk is truncation.
trunc-prop : ∀ {i} {A : Type i} → isProp A → ∥ A ∥ A
trunc-prop P =
∥∥-rec P id ,
(∣_∣ , λ _ → ∥∥-isProp _ _) ,
(∣_∣ , λ _ → P _ _)

Describing contractible types. In a similar way as we have been able to describe

all propositions as being either ⊥ or >, we can of course characterize contractible
types as being >. Namely, one can show that any contractible type is equivalent
to >:

Contr- - : ∀ {i} {A : Type i} → isContr A → A

Contr- - {A = A} (x , p) =
f , ((g , λ y → p y) , (g , λ { tt → refl }))
where
f : A →
f _ = tt
g : → A
g _ = x
from which any contractible type can be shown to be equal to > by univalence.
Otherwise said, > is the only contractible type.
CHAPTER 9. HOMOTOPY TYPE THEORY 447

9.4.7 Incompatibility with set theoretic interpretation. The axiom of

univalence enforces that types act as spaces: if we assume this axiom, then it
cannot be the case that we think of them as spaces but they are secretly sets,
some of them have to exhibit non-trivial geometric structure. In order to show
this, we shall first show that there is at least one type which is not a set: Type.
Namely, we are going to show that it contains an element, namely the type
Bool of booleans, which has a non-trivial loop (i.e. a path from Bool to Bool),
whereas every loop has to be equal to the identity path in a set.

A non-trivial path. Consider the negation operator not : Bool → Bool on

booleans, which sends false to true and vice versa. This function is easily shown
to be involutive: applying negation twice gets us back to the boolean we started
with.
not-involutive : (b : Bool) → not (not b) ≡ b
not-involutive false = refl
not-involutive true = refl
From there, we can show that negation induces an equivalence from boolean to
themselves:
not- : Bool Bool
not- = not , (not , not-involutive) , (not , not-involutive)
Of course, we have seen that equivalence is reflexive, so that we have A ' A
for every type A, including A = Bool, but the equivalence Bool ' Bool is
non-trivial, in the sense that it exchanges false and true. By univalence, this
equivalence will induce a path

p : Bool ≡ Bool

which will not be the identity path. Geometrically, we can picture the situation
as follows. The type Bool is a point in the space of all types, which contains a
loop p on it induced by negation:

Bool p

If we assume that Type is a set, then we will assimilate this path to the identity
path, which will lead to a contradiction, because it will also force us to identify
false and true, which we know is not the case:
false≢true : ¬ (false ≡ true)
false≢true ()

Namely, the function coe p : Bool → Bool transports a boolean along p, and the
computation rule for univalence tells us that it is precisely negation. Now, if we
assume that Type is a set, the path p will be equal to the path refl : Bool → Bool
and therefore, we will have coe p ≡ coe refl, otherwise said the boolean negation
function is equal to the identity. If we apply both to true (using happly), we
get that false is equal to true, hence a contradiction.
CHAPTER 9. HOMOTOPY TYPE THEORY 448

Type-isn'tSet : ¬ (isSet Type ₀ )

Type-isn'tSet S = false≢true (
false ≡ happly (ap coe (S Bool Bool refl (ua not- ))) false
coe (ua not- ) false ≡ happly (ua-comp not- ) false
true ∎
)

Incompatibility of UIP with univalence. As an immediate consequence the unique-

ness of identity proofs principle
UIP : ∀ {i} → Type (lsuc i)
UIP {i} = {A : Type i} {x y : A} → (p q : x ≡ y) → p ≡ q
is inconsistent with univalence because it forces every type to be a set:
¬UIP : (∀ {i} → UIP {i}) →
¬UIP uip = Type-isn'tSet (λ x y → uip)

Incompatibility of double negation elimination with univalence. For similar rea-

sons, we cannot suppose that, for every type A, we have
¬¬A → A
see [Uni13, Theorem 3.2.2]. Intuitively, supposing this amounts to suppose that
we have picked a particular element in every non-empty type, and this cannot
reasonably be done in a continuous way.
In more details, suppose that we have a function
nne : Π(A : Type).¬¬A → A
and write f for nne Bool : ¬¬ Bool → Bool. We can easily construct an element
u of ¬¬ Bool (this amounts to showing that Bool is non-empty), from which
we can construct an element b = f u of Bool and we can show that not b ≡ b,
from which we are of course able to derive a contradiction. In order to show
the equality not b ≡ b, the main idea is, as before, to transport f along the
non-trivial path p : Bool ≡ Bool. The resulting function when applied to u can
be shown to be both equal to f u and not (f u).
¬NNE : (∀ {i} (A : Type i) → ¬ (¬ A) → A) →
¬NNE nne = not-≢ (f u) (
not (f u)
≡ sym (happly (ua-comp not- ) (f u))
transport (λ A → A) p (f u)
≡ ap (coe p) (ap f (¬-isProp u _))
transport (λ A → A) p (nne Bool (transport (λ A → ¬ (¬ A)) (! p) u))
≡ sym (happly (transport-→ p (λ A → ¬ (¬ A)) (λ A → A) f) u)
transport (λ A → ¬ (¬ A) → A) p f u
≡ happly (apd nne p) u
f u ∎)
where
u : ¬ (¬ Bool)
u k = k false
f : ¬ (¬ Bool) → Bool
f = nne Bool
p : Bool ≡ Bool
p = ua not-
CHAPTER 9. HOMOTOPY TYPE THEORY 449

Another way to prove this consists in using Hedberg’s theorem presented

in section 9.3.2. Namely, supposing that every type has the double negation
property amounts to supposing that every type is decidable. In particular, any
type should have decidable equality and thus be a set by Hedberg’s theorem.
But we have shown above that Type is not a set, contradiction:
¬NNE : (∀ {i} (A : Type i) → ¬ (¬ A) → A) →
¬NNE nne = Type-isn'tSet (Hedberg (λ x y → nne (x ≡ y)))
The above remark does not mean that univalence is incompatible with classi-
cal logic. It simply means that double negation elimination should be restricted
to propositions if one wants to use this as an axiom, see section 9.3.1.

9.4.8 Equivalences. Univalence makes equivalences behave like equalities. We

show here two instances of this which will be useful when proving function
extensionality in section 9.4.9.
Firstly, when we have a function f : A → B and an equality x ≡ y be-
tween elements x and y of A, we have seen that we have an induced equality
f (x) ≡ f (y) by the function ap of section 9.4.1. A similar property can be
shown for equivalences:
-ap : ∀ {i j} {A B : Type i} (f : Type i → Type j) →
A B → f A f B
-ap f e = id-to-equiv (ap f (ua e))
Secondly, the J rule presented in section 9.1.3 states that in order to prove
a property P depending on a path p, it is enough to prove it only in the case
where p is refl. This constitutes the induction principle for equalities. A similar
induction principle can be shown for equivalences:
-ind : ∀ {i j} (P : {A B : Type i} → (A B) → Type j) →
({A : Type i} → P ( -refl {A = A})) →
{A B : Type i} (e : A B) → P e
-ind {i} P r {A} {B} e =
transport P ( -ε ua-equiv e) (lem (ua e))
where
lem : (p : A ≡ B) → P (id-to-equiv p)
lem refl = r

9.4.9 Function extensionality. We have already seen in section 9.4.5 that,

given types A and B, and elements x and x0 in A and y and y 0 in B, we have

IdA×B ((x, y), (x0 , y 0 )) ≡ IdA (x, y) × IdA (x0 , y 0 )

An equality in the product is thus the same as an equality in each of the com-
ponents. Now, we have seen in section 9.4.4 that a product is a particular case
of a dependent function

(A × B) ≡ (Π(b : Bool).δA,B b)

and we therefore expect that the above characterization of paths in products

generalizes to dependent functions.
CHAPTER 9. HOMOTOPY TYPE THEORY 450

More precisely, we expect that for every functions f, g : Π(x : A).B, we have

IdΠ(x:A).B (f, g) ≡ (f ∼ g)

i.e. the two functions f and g are equal when we have f x ≡ g x for every
element x of A. While we will see that this is true, the proof performed for
products above does notes generalize easily. Namely, our first hope is to prove
this identity using univalence, by showing an equivalence between the two types.
However, this is not easy. Constructing a map from left to right is not a problem:
the function happly defined in section 9.4.1 provides us with such a function

IdΠ(x:A).B (f, g) → (f ∼ g)

However, constructing a map in the other direction

(f ∼ g) → IdΠ(x:A).B (f, g)

is much more difficult. It is called function extensionality and corresponds to

the DFE axiom we have seen in section 9.1.5. Intuitively, it can be proved as
follows. The maps f and g being functions, they are thus of the form f = λx.f 0
and g = λx.g 0 . Moreover, for every x, we have a path px : f x ≡ g x, and thus
f 0 ≡ g 0 . By induction on this path, we can suppose that f 0 and g 0 are the same,
in which case we can conclude that the two functions are equal by reflexivity.
So, it seems that this could be proved using the following Agda code:
hcontr : ∀ {i j} {A : Type i} {B : A → Type j}
(f g : (x : A) → B x) → f g → f ≡ g
hcontr (λ x → f') (λ x → g') h with h x
hcontr (λ x → f') (λ x → .f') | refl = refl
Unfortunately, this code is not accepted by Agda: it does not allow pattern
matching on functions (for good reasons) and we use an “arbitrary variable” x
when matching on h x, which is not valid either.

General approach. Instead, the trick is to show the equality for all pairs of
functions f and g at once, i.e. show
Σ(f : Π(x : A).B).Σ(g : Π(x : A).B). IdΠ(x:A).B (f, g)
≡
Σ(f : Π(x : A).B).Σ(g : Π(x : A).B).f ∼ g
We are thus lead to consider the type

Path(A) = Σ(x : A).Σ(x : A). IdA (x, y)

of all paths in a type A and the type

Homotopy(A, B) = Σ(f : Π(x : A).B).Σ(g : Π(x : A).B).f ∼ g

of all homotopies between functions from a type A to a type B. A homotopy

between a function f and a function g, is a function which to every x in A
associates a path between f (x) and g(x), so that the type of all homotopies
between functions from A to B can alternatively be described as

Homotopy(A, B) = Π(x : A). Path(B(x))

CHAPTER 9. HOMOTOPY TYPE THEORY 451

We will adopt this definition since it leads to simpler developments.

For every type A, we have a function Path(A) → A which associates its
source to a path and a function A → Path(A) which constructs the constant
path on an element of A. These two can be shown to form an equivalence,
i.e. we have
Path(A) ' A
We therefore have the following sequence of equivalences

Homotopy(A, B) = Π(x : A). Path(B) ' Π(x : A).B ' Path(Π(x : A).B)

and in particular, we have a map

funext : Homotopy(A, B) → Path(Π(x : A).B)

which witnesses the extensionality of functions. At least, this is the general

plan: if we look at this proof in details, there are some problems with it.
Firstly, the map funext above associates to each homotopy h between func-
tions f and g a path funext(h), but we have not shown yet that this path
actually also is between f and g and not some other functions. Here is how
we are going to prove it. In the type Homotopy(A, B), apart from h, there is
another notable homotopy, which we write h0 here: the “constant” homotopy
between f and itself. It can be shown that funext(h0 ) = funext(h), the proof
being just reflexivity, and therefore h0 = h because funext is an equivalence,
and as such is injective. We have an equality between a homotopy f ∼ f
and a homotopy f ∼ g: by projecting on the target endpoint, we can deduce
that f = g.
Secondly, the middle equivalence

Π(x : A). Path(B) ' Π(x : A).B

is easy to prove only when B does not depend on x. Namely, we have an

equivalence Path(B) ' B: if B does not depend on x, we can simply apply
the function λB.(A → B) to it in order to obtain the desired equivalence. If B
depends on x, there is no easy way to proceed, at least if we do not suppose
function extensionality, which is precisely what we are trying to prove. The
plan will thus be to proceed in three steps:
1. show function extensionality in the non-dependent case as above,
2. use it to deduce another property called weak function extensionality,
3. use weak function extensionality to deduce dependent function extension-
ality.

Paths. Let us first define the type Path(A) of all paths in a type A, as well as
simple helper functions. This type can be formalized in Agda as

Path : ∀ {i} → (A : Type i) → Type i

Path A = Σ A (λ x → Σ A (λ y → x ≡ y))
We can define a function which to a path associates its source:
CHAPTER 9. HOMOTOPY TYPE THEORY 452

Path-src : ∀ {i} {A : Type i} → Path A → A

Path-src (x , y , p) = x

and its target:

Path-tgt : ∀ {i} {A : Type i} → Path A → A
Path-tgt (x , y , p) = y
so that each path induces an equality from its source to its target:

Path-≡ : ∀ {i} {A : Type i} → (p : Path A) →

Path-src p ≡ Path-tgt p
Path-≡ (x , y , p) = p
Every identity can be seen as a path:
Path-of : ∀ {i} {A : Type i} {x y : A} → (p : x ≡ y) → Path A
Path-of {x = x} {y = y} p = x , y , p
and we can easily construct constant paths:
Path-cst : ∀ {i} {A : Type i} → A → Path A
Path-cst x = Path-of (refl {x = x})

Since every element of Path A consists of a path x ≡ y, we can “contract” each

of its element to its source x and show the equivalence that we have already
mentioned:
Path-contract : ∀ {i} {A : Type i} → Path A A
Path-contract =
(Path-src ,
(Path-cst , λ { (_ , _ , refl) → refl }) ,
(Path-cst , λ _ → refl))

Homotopies. We now define the type Homotopy(A, B) of all homotopies be-

tween dependent functions from A to B:
Homotopy : ∀ {i j} (A : Type i) (B : A → Type j) → Type (lmax i j)
Homotopy A B = (x : A) → Path (B x)

The source function of the homotopy can be recovered by

Homotopy-src : ∀ {i j} {A : Type i} {B : A → Type j} →
Homotopy A B → (x : A) → B x
Homotopy-src h x = Path-src (h x)
and similarly for its target

Homotopy-tgt : ∀ {i j} {A : Type i} {B : A → Type j} →

Homotopy A B → (x : A) → B x
Homotopy-tgt h x = Path-tgt (h x)
so that every homotopy induces a homotopy in the previous sense between its
source and its target:
CHAPTER 9. HOMOTOPY TYPE THEORY 453

Homotopy- : ∀ {i j} {A : Type i} {B : A → Type j}

(h : Homotopy A B) → Homotopy-src h Homotopy-tgt h
Homotopy- h x = Path-≡ (h x)

We can see a homotopy between two given functions as an element of this type
Homotopy-of : ∀ {i j} {A : Type i} {B : A → Type j}
{f g : (x : A) → B x} → f g → Homotopy A B
Homotopy-of h x = Path-of (h x)

and given a function f : A → B, we can construct the constant homotopy f ∼ f :

Homotopy-cst : ∀ {i j} {A : Type i} {B : A → Type j} →
((x : A) → B x) → Homotopy A B
Homotopy-cst f = Homotopy-of (λ x → refl {x = f x})

Non-dependent function extensionality. Finally, we can show the promised equiv-

alence. As explained above, we restrict here to the non-dependent case, where B
does not depend on x:

Homotopy- -Path : ∀ {i j} {A : Type i} {B : Type j} →

Homotopy A (λ _ → B) Path (A → B)
Homotopy- -Path {i} {j} {A} {B} =
(Homotopy A (λ _ → B)) -refl
(A → Path B) -to Path-contract
(A → B) -sym Path-contract
Path (A → B) ∎

where the function -to is detailed below. From there, the non-dependent
function extensionality is easily deduced, its type being
FE {i} {j} = {A : Type i} {B : Type j} → {f g : A → B} →
((x : A) → f x ≡ g x) → f ≡ g
We can namely proceed as explained before, by considering the constant homo-
topy h0 on f and the homotopy h between f and g, showing that they have the
same image under the function -→ Homotopy- -Path (the proof is simply refl
because we have carefully defined -to, see below), deducing by injectivity that
h0 = h and deducing that f = g by projecting on the respective targets of h0
and h.
funext-nd : ∀ {i j} → FE {i} {j}
funext-nd {A = A} {B = B} {f = f} {g = g} h =
ap (λ h x → Homotopy-tgt h x) p
where
p : Homotopy-cst f ≡ Homotopy-of h
p = -inj Homotopy- -Path refl

Functions to equivalent types. The core of the series of equivalences proving

Homotopy- -Path is the function -to which allows deducing

(A → B) ' (A → B 0 )
CHAPTER 9. HOMOTOPY TYPE THEORY 454

from
B ' B0
This is actually the only place where the univalence axiom is used. Since we
have application of functions to equivalences, this is actually pretty easy to
define:
-to : ∀ {i j} → {A : Type i} → {B B' : Type j} →
B B' → (A → B) (A → B')
-to {A = A} e = -ap (λ B → A → B) e
Given a function f : B → B 0 which is an equivalence, we have “no control” over
the function (A → B) → (A → B 0 ) which is the produced equivalence, which
complicates the proofs. However, there would be a natural candidate, namely
the function
λgx.f (g x) : (A → B) → (A → B 0 )
It simplifies much the proofs if we enforce this choice. This can be done by
defining instead:
-to : ∀ {i j} → {A : Type i} → {B B' : Type j} →
B B' → (A → B) (A → B')
-to {i} {j} {A} {B} {B'} e = (λ f x → ( -→ e) (f x)) , lem e
where
lem : {B B' : Type j} (e : B B') →
isEquiv (λ (f : A → B) x → ( -→ e) (f x))
lem = -ind
(λ {B} e → isEquiv (λ (f : A → B) x → ( -→ e) (f x)))
(λ {B} → snd ( -refl {A = A → B}))

Weak function extensionality. In order to generalize function extensionality to

non-dependent types, we will first show another principle called weak function
extensionality, which states that a product of contractible types is itself con-
tractible. It can also be seen as a degenerated form of axiom of choice where
the family of types we consider consists of types containing exactly one element
(up to homotopy). Formally, it can be stated as follows:
WFE {i} {j} = {A : Type i} {B : A → Type j} →
((x : A) → isContr (B x)) → isContr ((x : A) → B x)
Let us first explain why the “obvious proof” does not work. Suppose given a
family of contractible types B(x) indexed by x in A: for each x, there is an
element bx in B(x) and a path pyx : bx ≡ y for every y in B. We are therefore
tempted to prove that Π(x : A).B can be contracted on to λx.bx . To show that
this is the case, we have to construct, for every function f in Π(x : A).B a path
f (x)
λx.bx ≡ f . Since, we have the paths px : bx ≡ f (x) we are almost there,
but we cannot conclude since this would require function extensionality, which
is precisely what we are trying to prove...
The actual proof uses (non-dependent) function extensionality. Suppose
given a family of contractible types B(x) indexed by x in A. Each B(x) being
contractible, we have B(x) ' >, and thus B(x) ≡ > by univalence. Therefore,
B ≡ λx.> by function extensionality. By transport, instead of showing that
the type Π(x : A).B is contractible we are left with showing that the type
Π(x : A).> is contractible, which is easy: it can be contracted to λx. tt.
CHAPTER 9. HOMOTOPY TYPE THEORY 455

wfunext : ∀ {i j} → WFE {i} {j}

wfunext {A = A} {B = B} c =
transport (λ B → isContr ((x : A) → B x)) (sym p) contr
where
p : B ≡ (λ _ → Lift )
p = funext-nd (λ x → ua (Contr- -Lift- (c x)))
contr : ∀ {i} → isContr ((x : A) → Lift {i} )
contr = (λ x → lift tt) , (λ f → funext-nd (λ x → refl))

Function extensionality. We can finally prove the (dependent) function exten-

sionality, whose type is
DFE {i} {j} =
{A : Type i} {B : A → Type j} → {f g : (x : A) → B x} →
((x : A) → f x ≡ g x) → f ≡ g
Suppose given two dependent functions f and g of type Π(x : A).B, which
are homotopic (i.e. we have f ∼ g). Up to some minor details, those functions
can be seen as elements of type

Π(x : A).Σ(y : B). IdB (f (x), y)

which we respectively call f 0 and g 0 , the definition of the latter using the fact
that we have a homotopy. Recall that the type Σ(y : B). IdB (f (x), y), is what
we called the singleton at f (x) and is contractible, see section 9.3.3; therefore, by
weak function extensionality, the above type is also contractible. The functions
f 0 and g 0 being elements of a contractible type, they are necessarily equal, from
which one easily deduces that f and g are equal.
funext : ∀ {i j} → DFE {i} {j}
funext {A = A} {B = B} {f = f} {g = g} p =
ap (λ f x → fst (f x)) p'
where
f' : (x : A) → Singleton (f x)
f' x = f x , refl
g' : (x : A) → Singleton (f x)
g' x = g x , p x
contr : isContr ((x : A) → Singleton (f x))
contr = wfunext (λ x → Singleton-isContr (f x))
p' : f' ≡ g'
p' = Contr-isProp contr f' g'
The above proof does not use univalence and therefore, without univalence,
WFE implies DFE. The converse also holds, as explained above,

DFE-to-WFE : ∀ {i j} → DFE {i} {j} → WFE {i} {j}

DFE-to-WFE funext c =
(λ x → fst (c x)) , λ f → funext (λ x → snd (c x) (f x))
so that WFE and DFE are equivalent, even without assuming univalence.
CHAPTER 9. HOMOTOPY TYPE THEORY 456

9.4.10 Propositional extensionality. Recall from section 9.3.1 that the propo-
sitional extensionality axiom states that two logically equivalent propositions A
and B are equal:
PE : ∀ {i} → Type (lsuc i)
PE {i} = ∀ {A B : Type i} → isProp A → isProp B → A ↔ B → A ≡ B
This is intuitively justified because, since A and B are both propositions they
are either empty or a point, and since they are equivalent they are both empty
or both non-empty. We show here that this principle follows from univalence.
Namely, two logically equivalent propositions A and B are equivalent: the log-
ical equivalence provides functions f : A → B and g : B → A and we have
g ◦ f (x) ≡ x and f ◦ g(y) ≡ y for every x in A and y in B because A and B are
propositions (and thus any two elements are equal).
↔-to- : ∀ {i} {A B : Type i} →
isProp A → isProp B → A ↔ B → A B
↔-to- PA PB (f , g) =
f ,
(g , (λ x → PA (g (f x)) x)) ,
(g , (λ x → PB (f (g x)) x))
Finally, univalence provides us with the required equality:
propext : ∀ {i} → PE {i}
propext PA PB e = ua (↔-to- PA PB e)
By transport, this means that given two equivalent propositions, one can be
substituted for the other. We have already encountered an instance of this in
lemma 2.2.9.1.

9.5 Higher inductive types

We have seen in section 9.4.7 that, if we assume the axiom of univalence, we can
exhibit a type which is non-trivial, in the sense that it is not a set. However, we
cannot easily construct a type which corresponds to a space we have in mind. In
particular, we have mentioned in section 9.3.2 that all the usual (inductive) types
are sets (e.g. natural numbers, lists of elements of a set, etc.). Higher inductive
types are a generalization of inductive types that allow for constructing useful
types, which are typically not sets. The presentation given here is very brief and
the reader is invited to read [Uni13, chapter 6] for a more detailed presentation,
as well as [CCHM16] for a technical description of the theory behind the current
implementation in Agda.

9.5.1 Rules for higher types. In order to introduce types corresponding to

spaces of interest, one way to proceed consists in adding new constructors and
rules, as in section 8.3. We present this approach here.

The interval type. As a first example consider the interval space

path
beg end
CHAPTER 9. HOMOTOPY TYPE THEORY 457

This type is of course a set (and even a contractible type), but the approach will
generalize to types which are not. The corresponding type, that we are going
to write I, can be thought of as freely generated by two points beg and end, as
well as a path path : beg ≡ end, as figured above, which suggests the following
rules. The formation rule states that I is a well-formed type in any well-formed
context
Γ`
(IF )
Γ ` I : Type
The introduction rules states that beg and end are elements of the interval and
that path is a path between them:

Γ` Γ` Γ`
(Ibeg ) (Iend
I ) (Ipath )
Γ ` beg : I I Γ ` end : I Γ ` path : IdI (beg, end) I

The elimination rule is more subtle. What do we need in order to determine a

function from I to an arbitrary type A? In the case where A does not depend
on I, this is easy: we need two elements b and e of A (the respective images
of beg and end), as well as a path p from b to e (the image of path). The
corresponding rule should thus be

Γ`t:I Γ`b:A Γ`e:A Γ ` p : IdA (b, e)

(IE )
Γ ` rec(t, x 7→ A, b, e, p) : A

where rec(t, x 7→ A, b, e, p) can be thought of as the image of an arbitrary point t

of I when the path path is sent to p. As usual, we want to formulate this
elimination rule in the more general case where A depends on I, i.e. has a free
variable x of type I. We now expect b to be of type A[beg /x] and e of type
A[end /x], and now we are facing a problem: we cannot state anymore that
the path p should go from b to e, because b and e do not live in the same
type anymore! A way to overcome this problem, and be able to compare the
two points, consisting in transporting the point b along path, see section 9.4.1,
in order to obtain a point b0 in A[end /x] and then require the path p to lie
between b0 and e.

A(beg)
A(end)

b b0 = transport(A, path, b)
p
e

beg path end

The resulting dependent elimination rule is then

Γ`t:I Γ, x : I ` A : Type
Γ ` b : A[beg /x] Γ ` e : A[end /x] Γ ` p : IdA[end /x] (b0 , e)
(IE )
Γ ` rec(t, x 7→ A, b, e, p) : A[t/x]
CHAPTER 9. HOMOTOPY TYPE THEORY 458

where b0 is a shorthand for transport(A, path, b). The computation rules state
that when we apply the elimination rule in the case where t is beg, end and
path, we recover b, e and p respectively:

Γ, x : I ` A : Type
Γ ` b : A[beg /x] Γ ` e : A[end /x] Γ ` p : IdA[end /x] (b0 , e) beg
(IC )
Γ ` rec(beg, x 7→ A, b, e, p) = b : A[beg /x]

Γ, x : I ` A : Type
Γ ` b : A[beg /x] Γ ` e : A[end /x] Γ ` p : IdA[end /x] (b0 , e) end
(IC )
Γ ` rec(end, x 7→ A, b, e, p) = e : A[end /x]
Γ, x : I ` A : Type
Γ ` b : A[beg /x] Γ ` e : A[end /x] Γ ` p : IdA[end /x] (b0 , e) path
(IC )
Γ ` apd(rec(−, x 7→ A, b, e, p), path) = p : IdA[end /x] (b0 , e)
We do not include a uniqueness rules because it can be shown to hold proposi-
tionally (this is detailed in section 9.5.3 in the case of the circle type).

The circle type. A type Circle corresponding to the circle can easily be imple-
mented, if we think of the circle as being freely generated by a point, that we
call base, and a path loop : base ≡ base:

base loop

In other words, it is the above interval type, where the beginning and end point
have been identified.
The formation rule states that Circle is a well-formed type in a well-formed
context:
Γ`
(CircleF )
Γ ` Circle : Type
The introduction rules allow typing the point base and the path loop:

Γ` Γ`
(Circlebase
I ) (Circleloop
I )
Γ ` base : Circle Γ ` loop : IdCircle (base, base)

The elimination rule states that an application from the circle Circle into an
arbitrary type A is determined by a point b of A (the image of base) and a
path p (which determines the image of loop, as explained above):

Γ ` t : Circle
Γ, x : I ` A : Type Γ ` b : A[base /x] Γ ` p : IdA[base /x] (b0 , e)
(CircleE )
Γ ` rec(t, x 7→ A, b, e, p) : A[t/x]

where b0 is a shorthand for transport(A, loop, b). The computation rules are left
to the reader. The reader should get convinced that we could write the rules
for the type corresponding to the usual low dimensional spaces in this way.
CHAPTER 9. HOMOTOPY TYPE THEORY 459

Exercise 9.5.1.1. This is not the only way of implementing the circle. For in-
stance, formalize the type corresponding to the following description of the
sphere:
p
x y
q
i.e. freely generated by two points x and y and two paths p and q.
Exercise 9.5.1.2. Write down the rules for the type corresponding to the sphere.

9.5.2 Paths over. As noted above, when writing the elimination rule of types
involving paths as constructors one needs to compare elements (say, b and e) of
distinct types (say, A[beg /x] and A[end /x]), and the way we used to proceed
consisted in transporting the first along p into b0 , so that it lies in the same type
as the second. Here, a path between b0 and e can be thought of as representing
a path between b and e, i.e. as a way of comparing two elements which do not
live in the same type. This is similar to what we have done in section 6.6.9
when defining heterogeneous equality, although here we have to be more precise
about equalities here.
Given a path p : x ≡ y in a type A, a dependent type B : A → Type,
and two elements t : B(x) and u : B(y), we write t ≡B p u for the type of paths
over p between t and u. This intuitively corresponds to the collection of paths
between t and u whose projection onto A gives the path p:

B(x)
B(y)

t u

A p
x y

As indicated above, this type can be defined using transport

PathOver : ∀ {i j} {A : Type i} (B : A → Type j) {x y : A}
(p : x ≡ y) (t : B x) (u : B y) → Type j
PathOver B p t u = (transport B p t) ≡ u
although it is maybe clearer (and closer to the definition of heterogeneous equal-
ity, see section 6.6.9) to define it by induction on the path p:
PathOver : ∀ {i j} {A : Type i} (B : A → Type j) {x y : A}
(p : x ≡ y) (t : B x) (u : B y) → Type j
PathOver B refl t u = (t ≡ u)
It is convenient to introduce the following notation
syntax PathOver B p t u = t ≡ u [ B ↓ p ]
which allows writing in Agda
CHAPTER 9. HOMOTOPY TYPE THEORY 460

t ≡ u [ B ↓ p ]
what we have been writing t ≡B p u earlier. This new definition could be used
to simplify the types of functions in various places. For instance, the function
apd, see section 9.4.1, could be defined as
apd : ∀ {i j} {A : Type i} {B : A → Type j} (f : (a : A) → B a)
{x y : A} → (p : x ≡ y) → f x ≡ f y [ B ↓ p ]
apd f refl = refl

9.5.3 Circle as a higher inductive type. As usual in Agda, instead of im-

plementing types of interest one by one, we expect that they are particular cases
of inductive types. For instance, the circle being generated by a point and a
path, we expect that it can be described by the following inductive type:
data Circle : Type ₀ where
base : Circle
loop : base ≡ base
If you try this at home, of course Agda will reject it: as we have seen in sec-
tion 8.4, all the constructors defining an inductive type A should have A as
target, but here the type of the constructor loop is base ≡ base, i.e. an equal-
ity between elements of Circle i, not an element of Circle i (contrarily to
base for instance). Higher inductive types are a generalization of inductive
types allowing constructors of equalities between elements of the type. Defining
those properly is out of scope here, we will only try to give some examples of
those. An extension of Agda, called cubical Agda, allows for trying them by
beginning our files with
{-# OPTIONS --cubical #-}
and importing the dedicated library

open import Cubical.Core.Everything

This allows in particular for the above definition to be accepted by Agda. From
there, we can show the recurrence principle associated to the circle type:
Circle-rec : ∀ {i} {A : Type i} (b : A) (p : b ≡ b) → Circle → A
Circle-rec b p base = b
Circle-rec b p (loop ι) = p ι
It corresponds to the elimination rule and, as explained before, formalizes the
fact that a map from the circle to an arbitrary type A is determined by a point b
of A (the image of base) and a path p : b ≡ b (the image of loop). As it can
be observed above, when we perform pattern matching on an element of the
circle, Agda generate two cases: this element is either the point base or a point
loop ι in the loop path. Here, the variable ι can be thought of as indexing
the position where we are in the path loop: you can think of ι as being a real
number between 0 and 1 such that loop 0 (resp. loop 1) is the start (resp. end)
of the loop, although we will not need to understand precisely what this variable
precisely means here. The induction principle, which is the dependent variant
of the above can also be proved in the same way:
CHAPTER 9. HOMOTOPY TYPE THEORY 461

Circle-ind : ∀ {i} {A : Circle → Type i} (b : A base)

(p : b ≡ b [ A ↓ loop ]) (x : Circle) → A x
Circle-ind b p base = b
Circle-ind b p (loop ι) = p ι
We have indicated that the uniqueness rule could be derived propositionally: if
two maps f and g from the circle to some type A have the same (i.e. proposi-
tionally equal) image of the base and the same image of the loops then they are
equal:
Circle-unique : ∀ {i} {A : Type i} → (f g : Circle → A) →
(p : f base ≡ g base) →
ap f loop ≡ ap g loop [ (λ x → x ≡ x) ↓ p ] →
(x : Circle) → f x ≡ g x
Circle-unique f g p q base = p
Circle-unique f g p q (loop ι) ι' = q ι' ι
Exercise 9.5.3.1. Show that a map from the circle to a type A is the same as a
loop in in A, i.e. a path p : x ≡ x for some point x of A:
Circle-path :
∀ {i} {A : Type i} → (Circle i → A) Σ A (λ x → x ≡ x)
Exercise 9.5.3.2. Define the circle as a type Circle’ freely generated by two
points and two paths between them, as explained in exercise 9.5.1.1. Show that
the types Circle and Circle’ are equivalent and thus equal by univalence.

9.5.4 Useful higher inductive types. In order to further illustrate the use
of higher inductive types, we briefly present two quite useful ones: suspension
and propositional truncation.

Suspension. The suspension ΣA of a space A is the space obtained from A by

adding two new points N and S (for “north” and “south”, these two points
being thought of as respectively lying above and below the original space A),
as well as a path going from N to S passing by x for each point x of A. For
instance, starting from the space consisting of a point and segment figured on
the left, we obtain the space on the right:
N

S
In particular, if iteratively apply this suspension operation starting from the
empty space, we obtain the spheres:
N
S
N S N ...

Σ0 ∅ Σ1 ∅ Σ2 ∅ Σ3 ∅ ...
CHAPTER 9. HOMOTOPY TYPE THEORY 462

More precisely, the n-sphere is the (n+1)-th suspension of the empty space (the
empty space could thus be considered as a good notion of (−1)-sphere). In
Agda, we can define the suspension of a type as the higher inductive type

data Susp {i} (A : Type i) : Type i where

N : Susp A
S : Susp A
p : (x : A) → N ≡ S
and the function which to a natural number n associates the n-sphere by

Sphere : → Type ₀
Sphere zero = Susp
Sphere (suc n) = Susp (Sphere n)

Propositional truncation. The propositional truncation operation introduced in

section 9.3.4 can also be defined as a higher inductive type. In order to do so, we
should recall that the propositional truncation kAk of a type A is somehow the
type obtained from A by turning it into a proposition, i.e. by formally adding
a path between any pair of points. This suggests the following definition as a
higher inductive type:
data ∥_∥ {i} (A : Type i) : Type i where
∣_∣ : A → ∥ A ∥
∥∥-isProp : (x y : ∥ A ∥) → x ≡ y

The first constructor (∣_∣) states that any point of A is a point of kAk, and
the second one (∥∥-isProp) adds all the required paths. The resulting type
is trivially a proposition by ∥∥-isProp and the associated recurrence principle,
which corresponds to the elimination rule (kkE ), can be shown as follows:
∥∥-rec : ∀ {i j} {A : Type i} {B : Type j} →
isProp B → (A → B) → ∥ A ∥ → B
∥∥-rec PB f ∣ x ∣ = f x
∥∥-rec PB f (∥∥-isProp x y ι) =
PB (∥∥-rec PB f x) (∥∥-rec PB f y) ι
It can, for instance, be used to construct the canonical map kAk → ¬¬A for an
arbitrary type A described in section 9.3.4:
∥∥-¬¬ : ∀ {i} {A : Type i} → ∥ A ∥ → ¬ (¬ A)
∥∥-¬¬ = ∥∥-rec ¬-isProp (λ x f → f x)
 Appendix A

Appendix

A.1 Relations
A.1.1 Definition. Given a set A a relation R on A is a subset R ⊆ A × A. We
sometimes write a R b when (a, b) ∈ R. It is
– reflexive if a R a for every a ∈ A,
– transitive if a R c for every a, c ∈ A such that there exists b ∈ A for which
a R b and b R c,

– symmetric if b R a for every a, b ∈ A such that a R b,

– antisymmetric if a R b and b R a implies a = b.
A preorder is a reflexive and transitive relation. A partial order is a reflexive,
transitive and antisymmetric relation. An equivalence relation is a relation
which is reflexive, transitive and symmetric.

A.1.2 Closure. We suppose fixed a relation R on A. Its reflexive (resp. tran-

sitive, resp. symmetric) closure is the smallest reflexive (resp. ...) relation con-
taining R. It always exists since it can be shown to be the intersection of all
reflexive (resp. ...) relations containing R. Concretely,
– the reflexive closure of R is

R ∪ {(a, a) | a ∈ A}

– the transitive closure of R is

R ∪ {(a0 , an ) | n > 0, (a0 , a1 ) ∈ R, (a1 , a2 ) ∈ R, . . . , (an−1 , an ) ∈ R}

– the symmetric closure of R is

R ∪ {(b, a) | (a, b) ∈ R}

The following characterization is often useful (and similar results hold for other
closure operations):
Lemma A.1.2.1. The reflexive and transitive closure R∗ of a relation R on a
set A is the smallest subset of A such that
– a R a for every a ∈ A,
– a R c for every a, c ∈ A such that there exists b ∈ A for which a R b and
b R∗ c.
APPENDIX A. APPENDIX 464

A.1.3 Quotient. An equivalence class E under R is a subset E ⊆ A such

that for every a ∈ A and b ∈ E such that (a, b) ∈ R, we have a ∈ E. The
quotient A/R of A under R is the set of equivalence classes of A.

A.1.4 Congruence. Given a function f : An → A for some n ∈ N, the relation

R is a congruence for f when, given (a1 , . . . , an ) and (b1 , . . . , bn ) such that ai Rbi
for every 1 6 i 6 n, we have f (a1 , . . . , an ) R f (b1 , . . . , bn ). In this case, f induce
a quotient function on A/R defined by

f (E1 , . . . , En ) = f (a1 , . . . , an )

for some (a1 , . . . , an ) ∈ E1 × . . . × En : this function can be shown not to depend

on the choice of (a1 , . . . , an ).

A.2 Monoids
A.2.1 Definition. A monoid (M, ·, 1) is a set M equipped with
– a function _ · _ : M × M → M called multiplication,

– an element 1 ∈ M called unit,

such that for every elements u, v, w ∈ M we have

(u · v) · w = u · (v · w) 1·u=u=u·1

Such a monoid is

– commutative when u · v = v · u for every u, v ∈ M ,

– idempotent when u · u = u for every u ∈ M .
A morphism f from a monoid (M, ·M , 1M ) to a monoid (N, ·N , 1N ) is a function
f : M → N such that

f (u ·M v) = f (u) ·N f (v) f (1M ) = f (1N )

A.2.2 Free monoids. Given a set A, we write (A∗ , ·, 1) for the monoid such
that A∗ is the set of words on A, i.e. finite sequences a1 . . . an of elements of A,
multiplication is concatenation, i.e.

(a1 . . . an ) · (b1 . . . bm ) = a1 . . . an b1 . . . bm

and unit 1 is the empty sequence. We write |a1 . . . an | = n for the length of a
word.
Proposition A.2.2.1. The monoid (A∗ , ·, 1) is the free monoid on A: given a
monoid (M, ·, 1) and a function f : A → M , there exists a unique morphism of
monoids f such that f (a) = f (a) for every a ∈ A.
Given a set A, we define in appendix A.3.5 below the set A# of all multisets
on A. It is a monoid when equipped with disjoint union ] as multiplication and
empty multiset ∅ as unit.
APPENDIX A. APPENDIX 465

Proposition A.2.2.2. The monoid (A# , ], ∅) is the free commutative monoid

on A: given a commutative monoid (M, ·, 1) and a function f : A → M , there
exists a unique morphism of monoids f such that f (a) = f (a) for every a ∈ A.
Given a set A, we write P(A) for the set of subsets of A. It is a monoid when
equipped with union ∪ as multiplication and empty set ∅ as unit.
Proposition A.2.2.3. The monoid (P(A), ∪, ∅) is the free idempotent commu-
tative monoid on A: given an idempotent commutative monoid (M, ·, 1) and a
function f : A → M , there exists a unique morphism of monoids f such that
f (a) = f (a) for every a ∈ A.

A.3 Well-founded orders

A.3.1 Partial orders. A partially ordered set or poset (A, 6) is a set A equip-
ped with a relation 6, called partial order which is reflexive, transitive and
antisymmetric (see also appendix A.1). A partial order is total when for every
a, b ∈ A we have either a 6 b or b 6 a.

A.3.2 Well-founded orders. A poset is well-founded when there is no strictly

decreasing infinite sequence

a0 > a1 > a2 > . . .

This is equivalent to requiring that every infinite weakly decreasing sequence

a0 > a1 > a2 > . . .

is eventually stationary

∃n ∈ N.∀i ∈ N.(i > n) ⇒ (ai = ai+1 )

A chain in A is a totally ordered subset of A. It is ascending when it has a

minimal element and descending when it has a maximal element. A well-founded
poset is thus a poset in which every descending chain is finite.
Well-founded orders are particularly interesting because they satisfy the fol-
lowing induction principle:
Theorem A.3.2.1 (Well-founded induction). Suppose given a property P (a) on
the elements a of a well-founded poset (A, 6). Suppose moreover that for every
element a ∈ A, if P (b) holds for every element b < a then P (a) holds. Then
P (a) holds for every element a of A.
Proof. By contradiction, suppose that there exists an element a0 ∈ A such that
P (a0 ) does not hold. By hypothesis, this means that there is an element a1 < a0
such that P (a1 ) does not hold. By the same reasoning applied to a1 , we can
construct an element a2 < a1 such that P (a2 ) does not hold. Iterating this
reasoning, we construct an infinite sequence

a0 > a1 > a2 > . . .

of elements ai such that ai > ai+1 and P (ai ) does not hold. Since (A, 6) is
well-founded, such a sequence cannot exist.
APPENDIX A. APPENDIX 466

Remark A.3.2.2. None of the above reasoning does exploit the fact that < is
reflexive, transitive nor antisymmetric, and the reasoning would hold for any
relation R in place of <. A relation R on a set A is well-founded if there is no
infinite sequence of elements ai of A such that

a0 R a1 R a2 R . . .

An induction principle similar to theorem A.3.2.1 holds for such relations.

The prototypical well-founded order is the subterm order. Suppose fixed a
signature Σ, see section 5.1.1. We define the subterm order 6 on the terms in
this signature by u 6 t whenever u is a subterm of t, see section 5.1.2.
Lemma A.3.2.3. The relation 6 is a partial order.
Theorem A.3.2.4. The relation 6 is well-founded.

Proof. We define the height ht(t) of a term t by induction on t by

_
ht(x) = 0 ht(f (t1 , . . . , tn )) = 1 + ht(ti )
16i6n

It is easily shown that u < t implies ht(u) < ht(t). Therefore, if the subterm
order was not well-founded, (N, 6) would not be well-founded either.

A.3.3 Lexicographic order. Given two posets (A, 6A ) and (B, 6B ), we de-
fine the lexicographic order 6 on A × B by (a, b) < (a0 , b0 ) whenever a < a0 , or
a = a0 and b < b0 .
Lemma A.3.3.1. The relation 6 on A × B is a partial order.
Lemma A.3.3.2. The partial order 6 is total when both 6A and 6B are.
Theorem A.3.3.3. The partial order 6 is well-founded when both 6A and 6B
are.
Proof. Suppose given an infinite sequence

(a0 , b0 ) > (a1 , b1 ) > (a2 , b2 ) > . . .

By definition of >, for every index i, we either have ai > ai+1 or bi > bi+1 . The
sets
{i ∈ N | ai > ai+1 } and {i ∈ N | bi > bi+1 }
are such that their union is N, therefore one of them must be infinite. We thus
have an infinite strictly decreasing sequence of elements of A or of elements
of B. This is impossible since both posets (A, 6A ) and (B, 6B ) are supposed
to be well-founded.

Given a well-founded poset (A, 6), the lexicographic order is a well-founded

order on A2 = A × A, and we can iterate the construction in order to obtain
a well-founded order on An , still called lexicographic and noted 6lex , for any
natural number n, using the fact that An+1 = A×An . Finally, we can construct
an order 6 on A∗ , called the deglex order, such that u 6 v when
– |u| < |v| (u is shorter than v), or
APPENDIX A. APPENDIX 467

– |u| = |v| and u 6lex v (u is lexicographically smaller than v).

Theorem A.3.3.4. Given a well-founded poset (A, 6), the associated deglex order
on A∗ is well-founded. Moreover, it is total if the order 6 is.
Remark A.3.3.5. This order is different from the usual dictionary order (we
compare the first letter of the words, then the second, and so on) which is not
well-founded: with elements a, b ∈ A such that a > b, we have the infinite
decreasing sequence

a > ba > bba > bbba > bbbba > . . .

A.3.4 Trees. A (non-planar rooted) tree is a set T equipped with a distin-

guished element x0 and a function τ : T \ {x0 } → T , satisfying

∀x ∈ T.∃n ∈ N.τ n (x) = x0

The elements of T are called the nodes of the tree and x0 is called the root node.
Given x ∈ T , τ (x) is called the parent of x, and x is a child of τ (x). A node x
such that τ −1 (x) = ∅ is called a leaf. Given a node x ∈ T , the subtree at x is
the tree
Tx = {y ∈ T | ∃n ∈ N.τ n (y) = x}
with parent function τx such that τx (y) = τ (y) for y 6= x.
Lemma A.3.4.1. The set of nodes of a tree T satisfies
[
T = {x0 } ∪ Tx
x∈τ −1 (x0 )

where x0 is the root of T .

A tree is finite when its set of nodes is finite and infinite otherwise. A tree T
is finitely branching when for every node x ∈ T its set of children τ −1 (x) is
finite. A branch of a tree is a sequence of nodes x0 , x1 , . . . (finite or not) such
that x0 is the root of the tree and for every index i > 0, τ (xi ) = xi−1 .
Lemma A.3.4.2 (Kőnig’s lemma). A finitely-branching infinite tree has an infi-
nite branch.
Proof. Suppose fixed a finitely-branching infinite tree T . We define an infinite
branch (xi )i∈N , with the property that the subtree at xi is infinite, by recurrence
on i. We set x0 to be the root of T and, supposing that xi is defined, we
define xi+1 as follows. By hypothesis, the set τ −1 (xi ) is finite and T is infinite.
From lemma A.3.4.1, we deduce that there exists xi+1 ∈ τ −1 (x) such that the
subtree at xi+1 is infinite.

A labeled tree is a tree equipped with a function which to every node asso-
ciates a label, which is an element of some fixed set.
APPENDIX A. APPENDIX 468

A.3.5 Multisets. Suppose fixed a set A. A multiset is a function

M :A→N

It can be thought of as a finite collection of elements of A where each element

a ∈ A occurs M (a) times. We thus write a ∈ M whenever M (a) > 0. The set
of multisets on A is denoted A# .
The domain dom(M ) of a multiset M is the set

dom(M ) = {a ∈ A | M (a) > 0}

A multiset M is finite when dom(M ) is finite. We write A#

fin for the set of finite
multisets over A. We write ∅ for the empty multiset, such that ∅(a) = 0 for
every a ∈ A. Given a ∈ A, we write {a} for the singleton at a, which is the
multiset such that (
1 if b = a
{a}(b) =
0 if b 6= a.
Given multisets M and N on A their union M ] N is defined, for a ∈ A, by

(M ] N )(a) = M (a) + N (a)

We write M ⊆ N whenever M (a) 6 N (a) for every a ∈ A and in this case, we

define their difference M \ N by

(M \ N )(a) = M (a) − N (a)

for a ∈ A.
Suppose that (A, 6) is a poset. We define a partial order 6# on A# , called
the multiset extension of 6, by M 6# N whenever there exists finite multisets
X, Y ∈ A# such that

M = (N \ X) ] Y and ∀y ∈ Y.∃x ∈ X.y < x

This order is such that we get a smaller multiset by removing and element and
replacing it with an arbitrary number of smaller elements: the elements get
smaller and smaller, but also more and more numerous. It can still be shown
that the resulting order is well-founded when the original one is [DM79].
fin , 6 ) is well-founded if and only if (A, 6) is
Theorem A.3.5.1. The poset (A# #

well-founded.
Proof. The left-to-right implication is easy, we show the right-to-left implication.
We define a relation C on A# by M C N when there exists a ∈ A and a finite
multiset Y such that
M = (N \ {a}) ] Y
and b < a for every a ∈ Y . The relation 6# is easily shown to be the reflexive
and transitive closure by C. Now, by contradiction, suppose that there is an
infinite decreasing sequence for 6# . This means that there exists an infinite
sequence
M 0 B M1 B M2 B . . .
where
Mi+1 = (Mi \ {xi }) ] Yi
APPENDIX A. APPENDIX 469

for every index i. We construct a growing sequence of trees Ti labeled in At{⊥}

as follows. T0 is consisting of a root and for every element of a, we add to the
root as many sons labeled by a as the multiplicity of a in M . The tree Ti+1 is
obtained from Ti by picking an element labeled by xi and adding to it as sons
the elements of Yi counted with multiplicities. In the case where Yi is empty
we add a single node labeled by ⊥. The inductive limit of this process is a tree
T∞ , which is infinite because at least one node is added at each step (thus the
special case when Yi is empty). We deduce from lemma A.3.4.2 that the tree T
admits an infinite branch: the labels of its vertices x0 , x1 , x2 , . . . form an infinite
strictly decreasing sequence of elements of A. Contradiction.

A.4 Cantor’s diagonal argument

Cantor’s diagonal argument is a general method to show that two sets are not
in bijection. For instance, suppose that we have a bijection between sequences
of elements of N and N. By the bijection, we have an enumeration of all the
sequences and we write (nji )i∈N for the j-th sequence. We can build a table
whose columns and rows respectively correspond to i and j, and cells contain
the nji :
0 1 2 3 ...
0 n00 n01 n02 n03 . . .
1 n10 n11 n12 n13 . . .
2 n20 n21 n22 n23 . . .
3 n30 n31 n32 n33 . . .
.. .. .. .. .. . .
. . . . . .
Then pick any sequence (mi ) such that, for every index i, mi is a natural number
different from nii . Since we have an enumeration of all sequences, there is an
index k such that (mi ) = (nki ). But we have mk 6= nkk . Contradiction. There is
thus no bijection between NN and N.

A.4.1 A general Cantor argument. A more general form of the Cantor

argument is the following.
Theorem A.4.1.1. Suppose given sets A and B such that B contains at least
two distinct elements y0 and y1 . Then there is no surjection from A to A → B.

Proof. Suppose given a surjection φ : A → (A → B). We consider the function

f : A → B defined by
(
y1 if φ(x)(x) = y0 ,
f (x) =
y0 otherwise.

Given an element x ∈ A, we have φ(x)(x) 6= f (x) and thus φ is not surjective.

Contradiction.
A formalization of the above proof is given below. From a constructive point of
view, it requires to be able to decide equality with y0 in B. This is of course
the case when B has decidable equality, typically B = N, see section 6.6.8.
APPENDIX A. APPENDIX 470

Theorem A.4.1.2. Given sets A and B such that B contains at least two distinct
elements y0 and y1 , there is no injection from A → B to A.
Proof. Suppose given an injection ψ : (A → B) → A. We define a function
φ : A → (A → B) by
(
x 7→ y0 if there is no f : A → B such that ψ(f ) = x,
φ(x) =
f for some f : A → B such that ψ(f ) = x, otherwise.

Given f : A → B, we have, by definition,

ψ ◦ φ ◦ ψ(f ) = ψ(f )

Thus, by injectivity of ψ,
φ(ψ(f )) = f
and φ is surjective. We conclude using theorem A.4.1.2.
Note that the above proof implicitly requires the excluded middle in order to
construct the function φ. It is apparently not possible to prove this theorem in
a constructive setting [Bau11].
Corollary A.4.1.3. Given a set A, write P(A) for its powerset. There is no
surjection A → P(A) and no injection P(A) → A. In particular, there is no
bijection between A and P(A).
Proof. Taking B = {0, 1} in the previous theorems, we have P(A) ' (A → B)
and we conclude.
Corollary A.4.1.4. There is no bijection between N → N and N.
Proof. Take A = B = N in the previous theorems.
Lemma A.4.1.5. The set P of programs (in any reasonable language) is count-
able.
Proof. A program is a finite sequence of characters: writing Σ for the finite set of
characters (e.g. the UTF-8 characters), programs are elements of Σ∗ . Otherwise
said, writing P for the set of programs, we have P ⊆ Σ∗ . The set Σ can be
totally ordered (e.g. a < b < c < . . .), thus Σ∗ is totally ordered by the deglex
order (theorem A.3.3.4) and thus P is totally ordered, as a subset of a totally
ordered set. Given a program p F ∈ P ⊆ Σ∗ , writing n for its length, the elements
below it belong to the finite set i6n Σi which is finite, as a finite union of finite
sets. We can thus associate, to every program p ∈ P, the natural number np
defined as the cardinal of the longest ascending chain in P with p as maximal
element (which is finite by the previous argument). The function P → N thus
defined is easily seen to be a bijection.
Corollary A.4.1.6. There is a function N → N which is not computable by a
program.
Proof. By absurd, suppose that this is not the case. This means that there is a
surjection φ : P → (N → N) and, by precomposing with the isomorphism N ' P
of lemma A.4.1.5, a surjection N → (N → N). We conclude by theorem A.4.1.1.
APPENDIX A. APPENDIX 471

A.4.2 Agda formalization. We now provide a formalization of the above the-

orem A.4.1.1. Given a function f : A → B and an element y of B, the fiber of f
at y, also called the preimage of y under f , is the collection of elements of A
whose image is y:
fib : ∀ {i} {A B : Set i} → (f : A → B) → (y : B) → Set i
fib {_} {A} f y = Σ A (λ x → f x ≡ y)
Such a function is surjective when every element of B admits a pre-image un-
der f , i.e. there exists an element in the fiber of any point:

surjective : ∀ {i} {A B : Set i} (f : A → B) → Set i

surjective f = ∀ y → fib f y
The formal proof of the theorem then follows directly from the above one. We
suppose given two types A and B, the former containing two distinct elements
y ₀ and y ₁ such that we can decide the equality to y ₀ , and a surjective function
φ of type A → A → B and reach an absurdity:
no-surjection : ∀ {i} {A B : Set i} {y ₀ y ₁ : B} → y ₀ ≢ y ₁ →
((y : B) → Dec (y ≡ y ₀ )) →
(φ : A → A → B) → surjective φ →
no-surjection {_} {A} {B} {y ₀ } {y ₁ } y ₀ ≢y ₁ dec φ surj =
φxx≢fx x (cong-app p x)
where
f : A → B
f x with dec (φ x x)
f x | yes _ = y ₁
f x | no _ = y ₀
φxx≢fx : (x : A) → φ x x ≢ f x
φxx≢fx x p with dec (φ x x)
φxx≢fx x p | yes refl = y ₀ ≢y ₁ p
φxx≢fx x p | no ¬p = ¬p p
x : A
x = fst (surj f)
p : φ x ≡ f
p = snd (surj f)
Note that the construction of f requires us to be able to decide equality with y ₀
which we also have to suppose given as argument. The proof of theorem A.4.1.2
can also be formalized if we assume the law of excluded middle, called lem below.
We define the predicate of being injective by
injective : ∀ {i} {A B : Set i} (f : A → B) → Set i
injective f = ∀ {x x'} → f x ≡ f x' → x ≡ x'
and then show the theorem by following the proof given above, which is based
on the previous function
no-injection : ∀ {i} {A B : Set i} {y ₀ y ₁ : B} → y ₀ ≢ y ₁ →
(lem : (A : Set i) → Dec A) →
(ψ : (A → B) → A) → injective ψ →
no-injection {_} {A} {B} {y ₀ } {y ₁ } y ₀ ≢y ₁ lem ψ inj =
APPENDIX A. APPENDIX 472

no-surjection y ₀ ≢y ₁ (λ y → lem (y ≡ y ₀ )) φ surj

where
φ : A → A → B
φ x with lem (fib ψ x)
φ x | yes (f , p) = f
φ x | no ¬p = λ _ → y ₀
ψφψ≡ψ : (f : A → B) → ψ (φ (ψ f)) ≡ ψ f
ψφψ≡ψ f with lem (fib ψ (ψ f))
ψφψ≡ψ f | yes (g , p) = p
ψφψ≡ψ f | no ¬p = -elim (¬p (f , refl))
surj : surjective φ
surj f = ψ f , inj (ψφψ≡ψ f)
 Bibliography

[Abe17] Andreas Abel. How safe is Type:Type? Mail on the Agda mailing
list, 2017. Available at https://lists.chalmers.se/pipermail/
agda/2017/009337.html.
[ACD+ 18] Andreas Abel, Jesper Cockx, Dominique Devriese, Amin Timany,
.
and Philip Wadler. ='∼ = Leibniz Equality is Isomorphic to
Martin-Löf Identity, Parametrically. Unpublished, 2018.
[Ack28] Wilhelm Ackermann. Zum Hilbertschen Aufbau der reellen
Zahlen. Mathematische Annalen, 99(1):118–133, 1928.
[Acz78] Peter Aczel. The Type Theoretic Interpretation of Constructive
Set Theory. In Studies in Logic and the Foundations of Mathe-
matics, volume 96, pages 55–66. Elsevier, 1978.
[Alt19] Thorsten Altenkirch. Naïve type theory. In Reflections on the
Foundations of Mathematics, pages 101–136. Springer, 2019.
[Arn17] Michael Arntzenius. Normalisation by evaluation for the simply-
typed lambda calculus, in Agda, 2017. Available at https:
//gist.github.com/rntz/2543cf9ef5ee4e3d990ce3485a0186e2/
revisions.
[Bae18] John Baez. Patterns That Eventually Fail. Azimuth
blog, 2018. https://johncarlosbaez.wordpress.com/2018/09/
20/patterns-that-eventually-fail/.
[Bar84] Hendrik Pieter Barendregt. The Lambda Calculus: Its Syntax and
Semantics. 1984.
[Bar91] Henk P Barendregt. Self-interpretation in lambda calculus. 1991.
[Bau11] Andrej Bauer. An injection from NN to N. Unpublished note,
2011.
[Bau12] Andrej Bauer. How to implement dependent type theory. Blog
post, 2012. Available at http://math.andrej.com/2012/11/08/
how-to-implement-dependent-type-theory-i/.
[Bau17] Andrej Bauer. Five stages of accepting constructive mathemat-
ics. Bulletin of the American Mathematical Society, 54(3):481–
498, 2017.
[BB01] David Borwein and Jonathan M Borwein. Some remarkable prop-
erties of sinc and related integrals. The Ramanujan Journal,
5(1):73–89, 2001.
[Bel98] John Lane Bell. A primer of infinitesimal analysis. Cambridge
University Press, 1998.
BIBLIOGRAPHY 474

[BF97] Cesare Burali-Forti. Una questione sui numeri transfiniti. Rendi-

conti del Circolo Matematico di Palermo (1884-1940), 11(1):154–
164, 1897.

[Bla84] Andreas Blass. Existence of bases implies the axiom of choice.

Contemporary Mathematics, 31, 1984.
[BN99] Franz Baader and Tobias Nipkow. Term rewriting and all that.
Cambridge university press, 1999.

[Boo84] George Boolos. Don’t eliminate cut. Journal of Philosophical

Logic, pages 373–378, 1984.
[BPT17] Simon Boulier, Pierre-Marie Pédrot, and Nicolas Tabareau. The
next 700 syntactical models of type theory. In Certified Programs
and Proofs (CPP 2017), pages 182–194, 2017.

[BW97] Bruno Barras and Benjamin Werner. Coq in Coq. Available at

http://www.lix.polytechnique.fr/~barras/publi/coqincoq.
pdf, 1997.
[CCHM16] Cyril Cohen, Thierry Coquand, Simon Huber, and Anders Mört-
berg. Cubical type theory: a constructive interpretation of the
univalence axiom. arXiv preprint arXiv:1611.02108, 2016.
[CF58] Haskell B Curry and Robert Feys. Combinatory logic. Studies in
Logic and the Foundations of Mathematics, 1, 1958.
[CH00] Pierre-Louis Curien and Hugo Herbelin. The duality of computa-
tion. In ACM sigplan notices, volume 35, pages 233–243. ACM,
2000.
[Cha12] Arthur Charguéraud. The Locally Nameless Representation.
Journal of automated reasoning, 49(3):363–408, 2012.
[Chu40] Alonzo Church. A formulation of the simple theory of types. The
journal of symbolic logic, 5(2):56–68, 1940.
[CK90] Chen Chung Chang and H Jerome Keisler. Model theory. Elsevier,
1990.
[CKA] Leran Cai, Ambrus Kaposi, and Thorsten Altenkirch. Formalis-
ing the Completeness Theorem of Classical Propositional Logic in
Agda (Proof Pearl).
[CKNT09] Thierry Coquand, Yoshiki Kinoshita, Bengt Nordström, and
Makoto Takeyama. A simple type-theoretic language: Mini-TT.
From Semantics to Computer Science; Essays in Honour of Gilles
Kahn, pages 139–164, 2009.
[CL93] René Cori and Daniel Lascar. Logique mathématique: cours et ex-
ercices. Calcul propositionnel, algèbres de Boole, calcul des prédi-
cats. Masson, 1993.
BIBLIOGRAPHY 475

[CLRS09] Thomas H Cormen, Charles E Leiserson, Ronald L Rivest, and

Clifford Stein. Introduction to algorithms. MIT press, 2009.

[CMP00] Emmanuel Chailloux, Pascal Manoury, and Bruno Pagano.

Développement d’applications avec Objective Caml. O’Reilly Se-
bastopol, CA, 2000.
[Coq86] Thierry Coquand. An analysis of Girard’s paradox. Technical
report, 1986.

[Coq92a] Thierry Coquand. The paradox of trees in type theory. BIT

Numerical Mathematics, 32(1):10–14, 1992.
[Coq92b] Thierry Coquand. Pattern matching with dependent types. In
Informal proceedings of Logical Frameworks, volume 92, pages 66–
79, 1992.

[Coq95] Thierry Coquand. A new paradox in type theory. In Studies

in Logic and the Foundations of Mathematics, volume 134, pages
555–570. Elsevier, 1995.
[Coq96] Thierry Coquand. An algorithm for type-checking dependent
types. Science of Computer Programming, 26(1-3):167–177, 1996.
[Coq13] Thierry Coquand. Defining coinductive types. Mail on the
Agda mailing list, December 2013. https://lists.chalmers.se/
pipermail/agda/2013/006189.html.
[CP88] Thierry Coquand and Christine Paulin. Inductively defined types.
In International Conference on Computer Logic, pages 50–66.
Springer, 1988.
[CR36] Alonzo Church and J Barkley Rosser. Some properties of con-
version. Transactions of the American Mathematical Society,
39(3):472–482, 1936.

[Deh17] Patrick Dehornoy. Théorie des ensembles: Introduction à une

théorie de l’infini et des grands cardinaux. Calvage et Mounet,
2017.
[dGdBB+ 19] Stijn de Gouw, Frank S de Boer, Richard Bubel, Reiner Hähnle,
Jurriaan Rot, and Dominic Steinhöfel. Verifying openjdk’s sort
method for generic collections. Journal of automated reasoning,
62(1):93–126, 2019.
[Dia75] Radu Diaconescu. Axiom of choice and complementation. Proceed-
ings of the American Mathematical Society, 51(1):176–178, 1975.

[Dij70] Edsger Wybe Dijkstra. Notes on Structured Programming, 1970.

[DLL62] Martin Davis, George Logemann, and Donald Loveland. A ma-
chine program for theorem-proving. Communications of the ACM,
5(7):394–397, 1962.
BIBLIOGRAPHY 476

[DM79] Nachum Dershowitz and Zohar Manna. Proving termination with

multiset orderings. Communications of the ACM, 22(8):465–476,
1979.

[DM82] Luis Damas and Robin Milner. Principal type-schemes for func-
tional programs. In Proceedings of the 9th ACM SIGPLAN-
SIGACT symposium on Principles of programming languages,
pages 207–212, 1982.

[DMJ16] Hannes Diener and Maarten McKubre-Jordens. Classifying

Material Implications over Minimal Logic. arXiv preprint
arXiv:1606.08092, 2016.
[DP60] Martin Davis and Hilary Putnam. A computing procedure for
quantification theory. Journal of the ACM (JACM), 7(3):201–
215, 1960.

[Dum59] Michael Dummett. A propositional calculus with denumerable

matrix. The Journal of Symbolic Logic, 24(2):97–106, 1959.
[Dyb94] Peter Dybjer. Inductive families. Formal aspects of computing,
6(4):440–465, 1994.

[Dyc92] Roy Dyckhoff. Contraction-free sequent calculi for intuitionistic

logic. The Journal of Symbolic Logic, 57(3):795–807, 1992.
[Esc19] Martín Hötzel Escardó. Introduction to Univalent Foundations of
Mathematics with Agda. Course notes, 2019. Available at https:
//www.cs.bham.ac.uk/~mhe/HoTT-UF-in-Agda-Lecture-Notes/.

[FH92] Matthias Felleisen and Robert Hieb. The revised report on the
syntactic theories of sequential control and state. Theoretical com-
puter science, 103(2):235–271, 1992.
[FR98] Michael J Fischer and Michael O Rabin. Super-exponential com-
plexity of Presburger arithmetic. In Quantifier Elimination and
Cylindrical Algebraic Decomposition, pages 122–135. Springer,
1998.
[Fre79] Gottlob Frege. Begriffsschrift, eine der arithmetischen nachge-
bildete Formelsprache des reinen Denkens. Nebert, 1879.

[FS12] Fredrik Nordvall Forsberg and Anton Setzer. A finite axioma-

tisation of inductive-inductive definitions. Logic, Construction,
Computation, 3:259–287, 2012.
[GAA+ 13] Georges Gonthier, Andrea Asperti, Jeremy Avigad, Yves Bertot,
Cyril Cohen, François Garillot, Stéphane Le Roux, Assia Mah-
boubi, Russell O’Connor, Sidi Ould Biha, et al. A machine-
checked proof of the odd order theorem. In International Con-
ference on Interactive Theorem Proving, pages 163–179. Springer,
2013.
[Gal89] Jean H Gallier. On Girard’s “Candidats de Reductibilité”. 1989.
BIBLIOGRAPHY 477

[Gen35] Gerhard Gentzen. Untersuchungen über das logische Schließen.

Mathematische zeitschrift, 39(1):176–210, 405–431, 1935.
[Gen36] Gerhard Gentzen. Die Widerspruchsfreiheit der reinen Zahlenthe-
orie. Mathematische Annalen, 112(1):493–565, 1936.
[Gir72] Jean-Yves Girard. Interprétation fonctionnelle et élimination des
coupures de l’arithmétique d’ordre supérieur. PhD thesis, 1972.
[Gir87] Jean-Yves Girard. Linear logic. Theoretical computer science,
50(1):1–101, 1987.
[Gir89] Jean-Yves Girard. Proofs and types, volume 7. Cambridge univer-
sity press Cambridge, 1989.
[Gir11] Jean-Yves Girard. The Blind Spot: lectures on logic. European
Mathematical Society, 2011.
[GL02] Benjamin Grégoire and Xavier Leroy. A compiled implementation
of strong reduction. In ACM SIGPLAN Notices, volume 37, pages
235–246. ACM, 2002.
[Gli29] Valery Glivenko. Sur quelques points de la logique de M. Brouwer.
Bulletins de la classe des sciences, 15(5):183–188, 1929.
[GLW99] Didier Galmiche and Dominique Larchey-Wendling. Structural
sharing and efficient proof-search in propositional intuitionistic
logic. In Annual Asian Computing Science Conference, pages 101–
112. Springer, 1999.
[GM78] Nelson Goodman and John Myhill. Choice implies excluded mid-
dle. Mathematical Logic Quarterly, 24(25-30):461–461, 1978.
[Göd31] Kurt Gödel. Über formal unentscheidbare Sätze der Principia
Mathematica und verwandter Systeme I. Monatshefte für mathe-
matik und physik, 38(1):173–198, 1931.
[God32] Kurt Godel. Zum intuitionistischen Aussagenkalkul.
Anzeiger Akademie der Wissenschaften Wien, mathematisch-
naturwissenschaftliche Klasse, 69:65–66, 1932.
[Göd38] Kurt Gödel. The consistency of the axiom of choice and of the
generalized continuum-hypothesis. Proceedings of the National
Academy of Sciences of the United States of America, 24(12):556,
1938.
[Göd58] Von Kurt Gödel. Über eine bisher noch nicht benützte Er-
weiterung des finiten Standpunktes. Dialectica, 12(3-4):280–287,
1958.
[Gon08] Georges Gonthier. Formal proof–the four-color theorem. Notices
of the AMS, 55(11):1382–1393, 2008.
[Gri89] Timothy G Griffin. A formulae-as-type notion of control. In
Proceedings of the 17th ACM SIGPLAN-SIGACT symposium on
Principles of programming languages, pages 47–58, 1989.
BIBLIOGRAPHY 478

[Har11] Robert Harper. Computational trinitarianism, 2011. See https:

//ncatlab.org/nlab/show/computational+trinitarianism.

[Hat02] Allen Hatcher. Algebraic topology. Cambridge University Press,

Cambridge, 2002.
[Hed98] Michael Hedberg. A coherence theorem for Martin-Löf’s type the-
ory. Journal of Functional Programming, 8(4):413–436, 1998.
[Her30] Jacques Herbrand. Recherches sur la théorie de la démonstration.
PhD thesis, Faculté des sciences de Paris, 1930.
[Hil22] David Hilbert. Neubegründung der Mathematik (erste Mit-
teilung). In Abhandlungen aus dem Mathematischen Seminar der
Universität Hamburg, volume 1, pages 157–177. Springer, 1922.

[Hin69] Roger Hindley. The principal type-scheme of an object in combi-

natory logic. Transactions of the american mathematical society,
146:29–60, 1969.
[How69] William A. Howard. The formulae-as-types notion of construction.
notes, 1969. Private notes.

[HS98] Martin Hofmann and Thomas Streicher. The groupoid interpreta-

tion of type theory. Twenty-five years of constructive type theory
(Venice, 1995), 36:83–111, 1998.
[Hue94] Gérard Huet. Residual theory in λ-calculus: A formal develop-
ment. Journal of Functional Programming, 4(3):371–394, 1994.

[Hur95] Antonius JC Hurkens. A simplification of Girard’s paradox. In

International Conference on Typed Lambda Calculi and Applica-
tions, pages 266–278. Springer, 1995.
[Hur10] Chung Kil Hur. Agda with excluded middle is inconsistent. E-
mail, 2010. Available at https://lists.chalmers.se/pipermail/
agda/2010/001526.html.
[Jac99] Bart Jacobs. Categorical logic and type theory. Elsevier, 1999.
[KECA16] Nicolai Kraus, Martín Escardó, Thierry Coquand, and Thorsten
Altenkirch. Notions of anonymous existence in Martin-Löf type
theory. Logical Methods in Computer Science, 2016.
[Kis13] Oleg Kiselyov. How OCaml type checker works – or what poly-
morphism and garbage collection have in common, 2013. http:
//okmij.org/ftp/ML/generalization.html.

[KL20] Chris Kapulkin and Peter LeFanu Lumsdaine. The law of excluded
middle in the simplicial model of type theory, 2020.
[Kna28] Bronisław Knaster. Un théorème sur les functions d’ensembles.
Ann. Soc. Polon. Math., 6:133–134, 1928.
BIBLIOGRAPHY 479

[Koc06] Anders Kock. Synthetic differential geometry, volume 333. Cam-

bridge University Press, 2006. Available at http://home.imf.au.
dk/kock/sdg99.pdf.
[KP57] Georg Kreisel and Hilary Putnam. Eine Unableitbarkeitsbe-
weismethode für den intuitionistischen Aussagenkalkül. Archiv
für mathematische Logik und Grundlagenforschung, 3(3-4):74–78,
1957.
[KP82] Laurie Kirby and Jeff Paris. Accessible independence results for
Peano arithmetic. Bulletin of the London Mathematical Society,
14(4):285–293, 1982.
[Kri65] Saul A Kripke. Semantical analysis of intuitionistic logic I. In
Studies in Logic and the Foundations of Mathematics, volume 40,
pages 92–130. Elsevier, 1965.
[Kri98] Jean-Louis Krivine. Théorie des ensembles. Cassini, 1998.
[Kri09] Neelakantan R Krishnaswami. Focusing on pattern matching. In
POPL, volume 9, pages 366–378, 2009.
[KV91] Mikhail M Kapranov and Vladimir A Voevodsky. ∞-groupoids
and homotopy types. Cahiers de topologie et géométrie différen-
tielle catégoriques, 32(1):29–46, 1991.
[Lei86] Gottfried Wilhelm Leibniz. Discours de métaphysique. 1686.
[LMS10] Andres Löh, Conor McBride, and Wouter Swierstra. A tutorial
implementation of a dependently typed lambda calculus. Funda-
menta informaticae, 102(2):177–207, 2010.
[LS88] Joachim Lambek and Philip J Scott. Introduction to higher-order
categorical logic, volume 7. Cambridge University Press, 1988.
[Lyn17] Ben Lynn. Lambda Calculus, 2017. https://crypto.stanford.
edu/~blynn/lambda/.
[Mac71] Saunders MacLane. Categories for the working mathematician.
Graduate texts in mathematics, 5, 1971.
[McB00] Conor McBride. Dependently typed functional programs and their
proofs. PhD thesis, University of Edinburgh, 2000.
[McC60] John McCarthy. Programs with common sense. RLE and MIT
computation center, 1960.
[Mil78] Robin Milner. A Theory of Type Polymorphism in Programming.
Journal of computer and system sciences, 17(3):348–375, 1978.
[ML] Per Martin-Löf. The collected works of Per Martin-Löf. https:
//github.com/michaelt/martin-lof.
[ML75] Per Martin-Löf. An intuitionistic theory of types: Predicative
part. In Studies in Logic and the Foundations of Mathematics,
volume 80, pages 73–118. Elsevier, 1975.
BIBLIOGRAPHY 480

[ML82] Per Martin-Löf. Constructive mathematics and computer pro-

gramming. In Studies in Logic and the Foundations of Mathemat-
ics, volume 104, pages 153–175. Elsevier, 1982.

[ML98] Per Martin-Löf. An intuitionistic theory of types. Twenty-five

years of constructive type theory, 36:127–172, 1998.
[MMH13] Yaron Minsky, Anil Madhavapeddy, and Jason Hickey. Real World
OCaml: Functional programming for the masses. O’Reilly Media,
Inc., 2013.
[Mog92] Torben Ægidius Mogensen. Efficient self-interpretation in lambda
calculus. Journal of Functional Programming, (2 (3)):345–364,
1992.
[Mun19] Randall Munroe. Differentiation and Integration, 2019. https:
//xkcd.com/2117/.
[Nor07] Ulf Norell. Towards a practical programming language based on
dependent type theory. PhD thesis, Göteborg university, 2007.
[Ore82] Vladimir P Orevkov. Lower bounds for increasing complexity of
derivations after cut elimination. Journal of Soviet Mathematics,
20(4):2337–2350, 1982.
[Par92] Michel Parigot. λµ-calculus: an algorithmic interpretation of clas-
sical natural deduction. In International Conference on Logic for
Programming Artificial Intelligence and Reasoning, pages 190–
201. Springer, 1992.

[Par97] Michel Parigot. Proofs of strong normalisation for second or-

der classical natural deduction. The Journal of Symbolic Logic,
62(4):1461–1479, 1997.
[PdAC+ 10] Benjamin C Pierce, Arthur Azevedo de Amorim, Chris Casingh-
ino, Marco Gaboardi, Michael Greenberg, Catalin Hricu, Vilhelm
Sjöberg, Andrew Tolmach, and Brent Yorgey. Software Founda-
tions 2: Programming Language Foundations, 2010. Available at
https://softwarefoundations.cis.upenn.edu/plf-current/.
[Pie02] Benjamin C Pierce. Types and programming languages. MIT press,
2002.
[PM93] Christine Paulin-Mohring. Inductive Definitions in the System
Coq Rules and Properties. In International Conference on Typed
Lambda Calculi and Applications, pages 328–345. Springer, 1993.
[PR05] François Pottier and Didier Rémy. The essence of ML type infer-
ence, 2005.
[Pre29] Mojzesz Presburger. Über die Vollstandigkeiteines gewissen Sys-
tems der Arithmetik ganzer Zahlen, in welchen die Addition als
einzige Operation hervortritt. In Comptes-Rendus du 1er Congrès
des Mathématiciens des Pays Slaves, pages 92–101, 1929.
BIBLIOGRAPHY 481

[Rém92] Didier Rémy. Extension of ML Type System with a Sorted Equa-

tional Theory on Types. Technical Report 1766, INRIA, October
1992.

[Rob65] John Alan Robinson. A Machine-Oriented Logic Based on the

Resolution Principle. Journal of the ACM (JACM), 12(1):23–41,
1965.
[Sak14] Kazuhiko Sakaguchi. Formalizing Strong Normalization Proofs. In
Theorem proving and provers for reliable theory and implementa-
tions, volume 61, pages 16–23, 2014.
[Sel02] Peter Selinger. The Lambda Calculus is Algebraic. Journal of
Functional Programming, 12(6):549–566, 2002.
[Sel08] Peter Selinger. Lecture notes on the lambda calculus. 2008.

[Sim98] Carlos Simpson. Homotopy types of strict 3-groupoids. arXiv

preprint math/9810059, 1998.
[Sta79] Richard Statman. Intuitionistic propositional logic is polynomial-
space complete. Theoretical Computer Science, 9(1):67–72, 1979.

[Str93] Thomas Streicher. Investigations into intensional type theory. Ha-

bilitiation Thesis, Ludwig Maximilian Universität, 1993.
[SU06] Morten Heine Sørensen and Pawel Urzyczyn. Lectures on the
Curry-Howard isomorphism, volume 149. Elsevier, 2006.

[Tar55] Alfred Tarski. A lattice-theoretical fixpoint theorem and its ap-

plications. Pacific journal of Mathematics, 5(2):285–309, 1955.
[Tur37] Alan Mathison Turing. On computable numbers, with an appli-
cation to the Entscheidungsproblem. Proceedings of the London
mathematical society, 2(1):230–265, 1937.

[Tur49] Alan Turing. On checking a large routine. In Report of a Con-

ference on Speed Automatic Calculating Machines, pages 67–69,
1949.
[Uni13] The Univalent Foundations Program. Homotopy Type The-
ory: Univalent Foundations of Mathematics. https://
homotopytypetheory.org/book, Institute for Advanced Study,
2013.
[Voe14] Vladimir Voevodsky. Univalent foundations, March 2014. Pre-
sentation at IAS, http://www.math.ias.edu/~vladimir/Site3/
Univalent_Foundations_files/2014_IAS.pdf.

[Wer97] Benjamin Werner. Sets in types, types in sets. In International

Symposium on Theoretical Aspects of Computer Software, pages
530–546. Springer, 1997.
[Wie06] Freek Wiedijk. The Seventeen Provers of the World, volume 3600.
Springer, 2006.
BIBLIOGRAPHY 482

[WK19] Philip Wadler and Wen Kokke. Programming language founda-

tions in Agda, 2019. Available at http://plfa.inf.ed.ac.uk/.

[WR12] Alfred North Whitehead and Bertrand Russell. Principia mathe-

matica, volume 2. University Press, 1912.
[WZ07] Frank Wolter and Michael Zakharyaschev. Modal decision prob-
lems. In Studies in Logic and Practical Reasoning, volume 3, pages
427–489. Elsevier, 2007.

[Zer08] Ernst Zermelo. Untersuchungen über die Grundlagen der Men-

genlehre. I. Mathematische Annalen, 65(2):261–281, 1908.
 Index

Ω, 116 Heyting, 238

Π-type, 291, 356 Peano, 238
Σ-type, 292 Presburger, 237
α-conversion, 110, 186 arity, 221, 222
α-equivalence, 113, 352 arrow type, 274
β- automation, 264
convertibility, 176 axiom, 46, 102, 233
equivalence, 117 choice, 245, 248, 293, 429
redex, 114 extensionality, 242
reduction, 114, 150, 331, 341 foundation, 245
confluence, 135, 171, 336 infinity, 243
length, 116 K, 406
parallel, 130, 334 powerset, 243
η-equivalence, 117, 170, 350 replacement, 243
ι, 158 union, 243
λ-calculus, 111, 329 axiom rule, 355
simply typed, 339
λ-term, 111 B (booleans), 79, 247
closed, 112 Barendregt convention, 147
neutral, 173 bidirectional type checking, 207
strongly normalizing, 116 bits, 313
λµ-calculus, 215 boolean, 21, 24, 79, 118, 282, 375
λµµ̃-calculus, 219 bootstrap, 265
ε0 , 238 bound variable, 110, 112, 199, 223, 352
Burali-Forti paradox, 363
abstraction, 111
AC, 245, 293 CAC, 429
accessibility, 318 call-by-name, 137, 141
Ackermann function, 121, 311 call-by-value, 137, 140
addition, 120, 279 callcc, 214
admissible rule, 49, 328, 358 Cantor theorem, 469
Agda, 262 cartesian logic, 49
algorithm chain, 465
insertion sort, 306 choice function, 246
J, 204 Church numeral, 120, 332
Statman, 67 Church style, 160
unification, 253 Church-Rosser property, 136
W, 201 circle, 458
anonymous function, 19 class, 245
ap, 437 classical
apd, 439 logic, 225
application, 111 classical logic, 67, 212, 418
argument clausal form, 76, 259
implicit, 275 canonical, 77
arithmetic clause, 76, 259
unitary, 82

483
INDEX 484

Clavius’ law, 69 cut, 51, 57

closed commutative, 64
formula, 223 elimination, 58, 74, 97, 359
term, 112 rule, 359
coe, 296, 438 cut elimination, 228
coercion, 296 CW-complex, 410
coinductive type, 385
combinator de Bruijn criterion, 265
fixpoint, 122 de Bruijn index, 147, 330
combinatory logic, 152, 211, 337 de Morgan laws, 75, 79, 226
commutative cut, 64, 187 decidability, 233
commuting conversion, 187 decidable, 301
completeness, 80, 108, 233 formula, 69
refutation, 87 proposition, 446
comprehension, 244 type, 290, 416, 421
unrestricted, 240 deduction theorem, 104
computable function, 312 DFE, 405
concatenation, 283, 412 definable function, 127
conclusion, 46 definable connective, 52, 76
confluence, 115, 129, 135, 171, 336 definitional equality, 298
local, 334 deglex order, 466
cong, 296 dependent type, 270
congruence, 296, 354, 464 dependent sum, 373
axioms, 233 dependent type, 275
conjunction, 39, 45, 118, 287 derivability, 47
conjunctive normal form, 76 derivation, 47
connective detachment rule, 47
definable, 52, 76 determinism, 177
consistency, 44, 61, 80, 107, 228, 233, detour, 57
236, 238 Diaconescu theorem, 249, 430
λ-calculus, 136 diamond property, 133, 334
context, 45, 159, 200, 339, 352 disjunction, 40, 45, 118
contractibility, 441 domain, 159, 234, 468
contractible type, 424 double negation, 435
contraction rule, 51, 162 introduction, 48
contraposition, 68 translation, 89
convention DPLL, 81
Barendregt, 147 drinker formula, 222, 225
convertibility, 353, 393
coproduct, 25, 40, 184, 290, 374 eigenvariable, 229
Coq, 262 elimination rule, 47
Coquand paradox, 367 eliminator, 282
correctness, 235, 260, 304 empty type, 26, 39, 186, 289, 370
counter-example, 68 equality, 233, 295, 400
cumulativity, 367, 426 decidable, 301
Curry paradox, 242 definitional, 298, 353
Curry style, 160 extensional, 404
Curry-Howard correspondence, 164 heterogeneous, 302
dynamical, 170 Leibniz, 402
curryfication, 21, 183 strict, 235
INDEX 485

equation, 252 recursive, 21, 126

system, 252 function, 24
solved form, 253 function extensionality, 405, 449
equisatisfiability, 237 weak, 454
equivalence, 53, 167, 417, 440, 441, 449 functional language, 19
evaluation, 392 funext, 405, 455
even, 294
ex falso quodlibet, 47 garbage collector, 20
exception, 29, 216 generalization, 200
exchange rule, 51, 162 Girard paradox, 363
excluded middle, 62, 68, 246, 418 Glivenko’s theorem, 90
weak, 91 group, 233
existence property, 228 groupoid, 413, 423
existential quantification, 222, 292 Gödel number, 128
explosion principle, 47
exponentiation, 120 HA, 238
expression, 230, 351, 391 halting, 342
extensional equality, 404 halting problem, 68, 312
extensionality, 242 happly, 437
Hauptsatz, 58
factorial, 21 Hedberg theorem, 421
factoring, 261 hello world, 18, 269
false, 118, 289, 414 heterogeneous equality, 302
falsity, 39, 45 Heyting arithmetic, 238
FE, 405 higher inductive type, 456, 460
Felleisen operator, 212 Hilbert calculus, 102, 211
fiber, 440 Hindley-Milner system, 198
Fibonacci sequence, 121, 310 homotopy, 409, 439
Fin, 286 equivalence, 409, 439
finite set, 286 weak, 410
first-order logic, 221 level, 424
fixpoint, 26, 122 Hydra game, 240
formula, 45, 222
clausal form, 76 identical, 402
closed, 223 identity, 118
cut, 57 identity type, 401
drinker, 222, 225 implication, 38, 45, 287
prenex, 226 implicit argument, 275
satisfiable, 81 incompleteness theorem, 238
satisfied, 79, 105 independence, 248
valid, 79, 106 indiscernible, 402
foundation, 245 induction, 281
fragment, 49 on proofs, 49
free variable, 112, 199, 223, 333, 352 on recursive types, 28
fresh variable, 112 well-founded, 315, 465
fuel technique, 314 inductive type, 278, 378
fun, 19 higher, 460
function, 21, 276 inference rule, 46
computable, 312 infinitesimal, 250
definable, 127 infinity, 243
INDEX 486

injection, 184 first-order, 221

injectivity, 389 fragment, 49
inspect, 432 implicational, 49
instantiation, 201 linear, 55
intermediate logic, 91 minimal, 49
interpretation, 234 logic classical, 225
interval, 408, 456
introduction rule, 47 match, 24
intuitionism, 42, 62 material implication, 69
inverse, 412 maybe, 284
isDec, 416, 421 microaffineness, 250
isomorphism, 167 minimal logic, 49
isProp, 414 model, 235
isSet, 419 module, 269, 277
IZF, 246 modulo, 279
modus ponens, 47, 102
J, 301, 401 modus tollens, 52
judgment, 45 monoid, 464
most general unifier, 253
K, 406 multiplication, 120
Knaster-Tarski theorem, 26 multiset, 468
Kripke structure, 105
universal, 108 n-type, 413, 424
Kőnig’s lemma, 467 naive set theory, 240
natural deduction, 46, 73, 327
Lafont critical pair, 75 first order, 224
Leibniz equality, 402 natural number, 26, 120, 188, 278, 332,
lemma 376
Kőnig’s, 467 negation, 39, 45, 118, 289
substitution, 167 negative variable, 77
length, 283 neutral term, 142, 173, 347, 392
let, 20, 199 NJ, 46, 224, 327
level, 367 NK, 68, 73
lexicographic order, 466 non-contradiction, 61
lift, 152 normal form, 116, 347
lifting, 330, 369 normalization
linear logic, 55 strong, 172, 189, 344
linearity, 92 weak, 176, 345
list, 22, 25, 283 normalization by evaluation, 142, 333,
literal, 76, 259 346
pure, 82
LJ, 98 option, 28, 284
LJT, 100
LK, 93 PA, 238
local confluence, 334 pair, 22, 119
locally nameless, 150 paradox
logic Burali-Forti, 363
cartesian, 49 Coquand, 367
classical, 67, 212, 418 Curry, 242
combinatory, 152, 211 Girard, 363
INDEX 487

Russell, 241, 359 universal, 222, 275

parallel β-reduction, 130, 334 quasi-invertibility, 439
parameter, 283 quotient, 464
partial order, 252, 463, 465
path, 408 readback, 144, 394
over, 459 record, 277
pattern matching, 24, 270, 278 recurrence, 237, 281
PE, 417 recursion
Peano arithmetic, 238 structural, 310
Pierce law, 68, 217 recursive function, 21, 126
polymorphism, 198 recursive type, 23
poset, 465 reducibility candidate, 172, 189, 343
well-founded, 465 reducible, 173
positive variable, 77 reductio ad absurdum, 68
positivity condition, 386 reduction, 32
postulate, 277 reduction strategy, 136
powerset, 26, 243 reference, 20
predecessor, 121, 278 refl, 295, 411
predicate, 222, 293, 417 reflection, 347
premise, 46 regular formula, 69
principal, 47 regular set, 362
prenex form, 226 reification, 347
preorder, 252, 463 relation, 294, 316, 463
Presburger arithmetic, 237 decidable, 301
principal premise, 47 relation symbol, 222
principal type, 31, 192, 202 renaming, 112, 222, 252
product, 22, 181, 287, 372 replacement, 243
program extraction, 264 reset, 71
progress, 36, 326 resolution, 85, 260
proof, 47 reversible rule, 65, 97
proof assistant, 262 rule
proof irrelevance, 406 admissible, 49, 328, 358
proof search, 65, 99 contraction, 51, 162
proofs-as-programs, 164 cumulativity, 367
property cut, 51, 359
Church-Rosser, 136 detachment, 47
cut elimination, 58 elimination, 47
subject reduction, 167 exchange, 51, 162
proposition, 45, 414 inference, 46
decidable, 446 introduction, 47
variable, 45 J, 301, 401
propositional extensionality, 417, 456 modus tollens, 52
propositional resizing, 436 reversible, 65, 97
propositional truncation, 426, 462 side condition, 46
propositions-as-types, 164 structural, 49, 54, 103
provability, 47, 233 truth strengthening, 51
pure literal, 82 weakening, 50, 162, 358
Russell paradox, 241, 359
quantification
existential, 222, 292 safety, 37, 324
INDEX 488

SAT, 81 suspension, 461

satisfaction, 79, 105, 235 sym, 296
satisfiability, 81, 236 symbol, 221
section, 292 synthetic differential geometry, 250
sequent, 45, 93, 160 system T, 188
sequent calculus
classical, 93, 94, 96 tactic, 263
first order, 227 term, 221, 339, 353
intuitionistic, 96, 98 termination, 310
Set, 270, 274 tertium non datur, 68
set, 419 theorem
regular, 362 Cantor, 469
set theory deduction, 104
naive, 240 Diaconescu, 249, 430
Zermelo-Fraenkel, 242 Glivenko, 90
side condition, 46 Hedberg, 421
signature, 221 Kleene, 127
simply typed λ-calculus, 339 Knaster-Tarski, 26
singleton, 425 Whitehead, 410
size, 242 theory, 233, 259
of a formula, 60 of groups, 233
skolemization, 237 total order, 465
solved form, 253 trans, 296
sort, 306 transport, 438
soundness, 79, 106 tree, 23, 467
space, 408 true, 118, 289, 414
specification, 310 truth, 39, 45
splitting, 81 truth strengthening, 51
string, 23 truth value, 293
strong normalization, 116, 172, 189, 218, typability, 160, 162
342, 344 Type, 407
structural recursion, 310 type, 160, 353
structural rule, 49, 54, 103 Π, 291, 356
structure, 234 Σ, 292
style arrow, 274
Church, 160 boolean, 24, 282, 375
Curry, 160 checking, 162, 190, 396
subformula, 45 bidirectional, 207
property, 97 coinductive, 385
subject reduction, 36, 167, 169, 218, constructor, 274, 283
326 contractible, 424
subst, 296 coproduct, 25, 184, 290, 374
substitution, 55, 114, 152, 167, 191, decidable, 290, 416, 421
222, 223, 331, 341, 352 dependent, 270, 275
proof, 57 sum, 373
substitutivity, 296 derivation, 160
subsumption rule, 208 empty, 26, 39, 186, 289, 370
subterm, 222 equivalence, 441
subtraction, 121, 279 generalization, 200
successor, 120 inductive, 278
INDEX 489

inference, 19, 162 indexed, 382

instantiation, 201 weak function extensionality, 454
list, 22, 25, 283 weak normalization, 176, 345
maybe, 284 weakening, 50, 340
natural number, 26, 188, 278, 376 weakening rule, 162, 358
option, 28, 284 well-founded
parametric, 283 induction, 315, 465
principal, 31, 192, 202 Whitehead theorem, 410
product, 22, 181, 372
record, 277 Y, 122
recursive, 23
refinement, 191 Zermelo-Fraenkel set theory, 242
safety, 37 ZF, 242
scheme, 198
simple, 159
string, 23
uniqueness, 34, 163, 326
unit, 23, 25, 184, 289, 371
vector, 284
W-, 380
type equation system, 192
typing, 19, 29, 325
UIP, 406
undecidability, 240
unification, 194, 253
unifier, 252
most general, 253
union, 243
uniqueness of identity proofs, 406
unit, 23, 25, 184, 289, 371
unitary clause, 82
univalence, 442
universal quantification, 222, 275
universe, 270, 367
polymorphism, 369
unlift, 152
unlifting, 330

validity, 79, 106, 235

valuation, 79, 105
value, 18, 31, 142, 392
variable
λ-term, 111
bound, 110, 112, 199, 223, 352
free, 112, 199, 223, 333, 352
fresh, 112
propositional, 45
vector, 284

W-type, 380