Realizability at Work: Separating Two Constructive Notions of Finiteness

LIPICS - Leibniz International Proceedings in Informatics, Oct 2018

We elaborate in detail a realizability model for Martin-Löf dependent type theory with the purpose to analyze a subtle distinction between two constructive notions of finiteness of a set A. The two notions are: (1) A is Noetherian: the empty list can be constructed from lists over A containing duplicates by a certain inductive shortening process; (2) A is streamless: every enumeration of A contains a duplicate.


Marc Bezem, Universitetet i Bergen, Institutt for informatikk, Postboks 7800, N-5020 Bergen, Norway
Thierry Coquand, Chalmers tekniska högskola, Data- och informationsteknik, Göteborg, Sweden
Keiko Nakata, SAP Innovation Center Network, Konrad-Zuse-Ring 10, 14469 Potsdam, Germany
Erik Parmann, Universitetet i Bergen, Institutt for informatikk, Postboks 7800, N-5020 Bergen, Norway

2012 ACM Subject Classification: Theory of computation → Type theory; Theory of computation → Constructive mathematics

Keywords and phrases: Type theory; realizability; constructive notions of finiteness

Acknowledgements: The research for this paper has been carried out for a large part while the first two authors were members of the Institute for Advanced Study in Princeton, as part of the program Univalent Foundations of Mathematics. We are grateful for the generous support by the IAS. The paper has benefitted much from comments by Michael Beeson on an early draft.

We will analyze in detail in type theory the following observation. Let $P$ be a unary predicate of natural numbers. Define
$$\overline{P} = \{\, n \in \mathbb{N} \mid \forall k < n.\ P\,k \vee \neg P\,k \,\}.$$
Of course, in classical mathematics $\overline{P} = \mathbb{N}$, but in constructive mathematics this is not true for all $P$. Let $D$ be a unary predicate of lists over $\overline{P}$ with $D\,\ell$ expressing that $\ell$ contains a duplicate, that is, two occurrences of the same natural number (which by definition is in $\overline{P}$).

Then one can prove constructively that $D$ is inductive in the following sense ("inductive shortening"): for every list $\ell$ over $\overline{P}$, if $D(x :: \ell)$ holds for all $x \in \overline{P}$, then $D\,\ell$ holds. The proof is as follows. Let $\ell$ be a list over $\overline{P}$ and assume $D(x :: \ell)$ for all $x \in \overline{P}$ (IH). We clearly have $D\,\ell \vee \neg D\,\ell$, so we can reason by contradiction. Assume $\neg D\,\ell$. We clearly have $\ell = \mathrm{nil} \vee \ell \neq \mathrm{nil}$, so we can reason by cases. If $\ell = \mathrm{nil}$, we use $0 \in \overline{P}$ and apply IH to get $D(0 :: \mathrm{nil})$, which is absurd. If $\ell \neq \mathrm{nil}$, then $\ell$ contains a largest natural number, say $m \in \overline{P}$. If $P\,m \vee \neg P\,m$, then $m+1 \in \overline{P}$ and we can apply IH to get $D((m+1) :: \ell)$, which per construction yields $D\,\ell$, as $m+1$ is larger than all elements of $\ell$, and therefore not duplicating some element of $\ell$. This conflicts with the assumption $\neg D\,\ell$, so we conclude $\neg(P\,m \vee \neg P\,m)$, which is also absurd, since $\neg\neg(P\,m \vee \neg P\,m)$ is a constructive tautology. This completes the proof of the inductivity of $D$.

Since $D$ is inductive in the way above, and $D\,\mathrm{nil}$ is absurd, $D$ cannot be an inductive bar in the tree of lists over $\overline{P}$. (The concept of an inductive bar making a tree of lists well-founded will be formalized by the concept of a Noetherian relation in Section 3.) This should not come as a surprise, since classically $\overline{P} = \mathbb{N}$, so the tree of lists without duplicates is classically not well-founded, since it is always possible to extend a list without introducing a duplicate. The above argument shows that we can also do this constructively with lists over $\overline{P}$, for any unary predicate $P$.

In view of the above, only a non-classical axiom can cause $\overline{P}$ to have fewer elements. Of course we cannot downright postulate $\exists n \in \mathbb{N}.\ \neg(P\,n \vee \neg P\,n)$ without running into inconsistency. But we can consistently postulate
$$\Phi = \neg \forall n \in \mathbb{N}.\ P\,n \vee \neg P\,n.$$
(The name $\Phi$ for this axiom is chosen here for readability.) From $\Phi$ we immediately infer $\neg \forall n \in \mathbb{N}.\ n \in \overline{P}$, so $\overline{P} \neq \mathbb{N}$. Since one easily (and constructively) sees that $\overline{P}$ is downward closed, $\Phi$ "somehow" achieves that $\overline{P}$ is finite. Of course the results in the previous paragraphs still stand, and $\Phi$ does not make $\overline{P}$ finite in the sense that $D$ is an inductive bar.

In order to better understand in which way $\Phi$ achieves that $\overline{P}$ is finite, assume $f : \mathbb{N} \to \overline{P}$ is an injection. Then we would be able to find arbitrarily large elements in $\overline{P}$, and hence prove $\forall n \in \mathbb{N}.\ P\,n \vee \neg P\,n$, conflicting with $\Phi$. As a consequence, no $f : \mathbb{N} \to \overline{P}$ is injective. In other words, for every $f : \mathbb{N} \to \overline{P}$ we have $\neg \forall m, n \in \mathbb{N}.\ f\,m = f\,n \to m = n$. By an appeal to Markov's Principle we get $\exists m, n \in \mathbb{N}.\ f\,m = f\,n \wedge m \neq n$, that is, there exists a prefix of $f$ which contains a duplicate. If we view lists over $\overline{P}$ not containing duplicates as a tree, then we have just proved that this tree is well-founded, which is another way of saying that $\overline{P}$ is finite. (This notion of finiteness will be made precise by the concept of a streamless relation in Section 3.)

The results in the previous two paragraphs capitalize on Markov's Principle (a weak form of classical reasoning) being consistent with $\Phi$ (a non-classical axiom). They are known to co-exist in, for example, the recursive model of type theory. In that model, $\Phi$ can be validated by the unsolvability of the halting problem. Although this model has been known for quite some time, it is an important side-goal of this paper to give a detailed account.

Our main objective is to formalize the argument above in type theory, and prove that finiteness based on equality being Noetherian is strictly stronger than finiteness based on equality being streamless. This confirms a conjecture formulated by Coquand and Spiwack in [3]. We also give a novel proof that every Noetherian relation is streamless. This proof is due to the last author [11, Chapter 4] and formalized in Coq [10].

In type theory, a subset of $\mathbb{N}$ is a type $\Sigma x{:}N.\ P\,x$ given a type family $P : N \to U$. Elements of this $\Sigma$-type (to be defined in Section 2) are pairs $(n, p)$ consisting of a natural number $n$ and a proof $p : P\,n$. It may happen that also $p' : P\,n$, with $p'$ different from $p$. This phenomenon is called proof relevance. We do not want to count $(n, p)$ and $(n, p')$ as two elements of the subset of $\mathbb{N}$ defined by $P$. Therefore we only count the first projections of objects in $\Sigma x{:}N.\ P\,x$. Another approach would be to take the type $\Sigma x{:}N.\ \|P\,x\|$, where $\|\_\|$ stands for propositional truncation, a way of making all inhabitants of $P\,x$ indistinguishable, see [15, Section 3.7].

The remainder of the paper is organized as follows. In Section 2, we define the basic type theory. We introduce Noetherian relations and streamless relations in Section 3 and prove that any Noetherian relation is streamless. The realizability model is constructed in Section 4, with realizers for Markov's Principle in Section 5 and for the unsolvability of the halting problem in Section 6. This shows that the type theory can be consistently extended with these two axioms. Then, in Section 7 we show that it cannot be proved in type theory that any streamless set is Noetherian. We conclude with a discussion of related work, in particular the Kleene Tree, in Section 8. For readers already familiar with dependent type theory and inductive bars it might be efficient to read the conclusion first.

2 Dependent Type Theory

We closely follow the approach of Coquand and Spiwack [3]. We define Martin-Löf dependent type theory as a set of typing rules defining a typing relation $\Gamma \vdash M : A$ where $M$ and $A$ are terms in an extension $\Lambda$ of the untyped lambda calculus, and $\Gamma$ is a context. (The calculus is named $\Lambda$ here for readability.) A context is a sequence $x_1 : A_1, \ldots, x_n : A_n$, where the $x_i$ are pairwise distinct variables and the $A_i$ are terms of $\Lambda$ (representing types). The approach of [3] makes the construction of a realizability model easier: all typable terms are already terms of $\Lambda$ realizing their types, and their computational behaviour can be studied in $\Lambda$. An important aspect is that the type theory is open-ended: new constants and inductive definitions can be (and will be) added. If the type theory is extended, then also $\Lambda$ is extended, and the realizability model is extended accordingly. We start by describing the main characteristics of $\Lambda$.

2.1 The Underlying Computational System

The calculus $\Lambda$ is an extension of the untyped lambda calculus with two sorts of constants, constructors and operators. Constructors typically represent types (e.g., the type of the natural numbers), type forming constructions (e.g., the sum of two types), and term forming constructions (e.g., $0$, $S$, $\mathrm{nil}$). Operators typically represent destructors (e.g., recursors), operations (e.g., the length of a list), and convenient abbreviations. The abstract syntax for terms of $\Lambda$ is
$$M, N ::= x \mid \lambda x.\ M \mid M\,N \mid c \mid o,$$
where $c$ is the syntactic category of the constructors and $o$ that of the operators. We write $\mathrm{FV}(M)$ to denote the set of free variables in $M$; we call $M$ closed if $\mathrm{FV}(M)$ is empty.

The computational behavior of the terms is determined by $\beta$-reduction plus so-called $\delta$-reduction rules. The latter are left-linear and mutually disjoint (non-overlapping), ensuring confluence of $\beta\delta$-reduction [8]. (Confluence is important to warrant the correct interpretation of elements of an inductive type as $\beta\delta$-equivalence classes of terms. For example, the normal forms $0$ and $S\,0$ are in different classes because of confluence.) All $\delta$-reduction rules are of the form
$$o\ p_1 \ldots p_k = M,$$
where $o$ is an operator and $p_1, \ldots, p_k$ are so-called constructor patterns. For any $\delta$-reduction rule we require $\mathrm{FV}(M) \subseteq \mathrm{FV}(o\ p_1 \ldots p_k)$, that is, no new variables can be introduced. Constructor patterns $p_1, \ldots, p_k$ are defined by the following abstract syntax
$$p ::= x \mid c\ p_1 \ldots p_l, \quad\text{where } c \text{ is a constructor.}$$

Figure 1: General typing rules of Martin-Löf type theory (reconstructed from the rules as they are used in Section 4.3):
- $\vdash$ (the empty context is well-formed);
- from $\Gamma \vdash A$ infer $\Gamma, x : A \vdash$;
- from $\Gamma \vdash$ infer $\Gamma \vdash U$;
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash A$;
- from $\Gamma \vdash A$ and $\Gamma, x : A \vdash B$ infer $\Gamma \vdash \Pi x{:}A.\ B$;
- from $\Gamma \vdash$ and $(x : A) \in \Gamma$ infer $\Gamma \vdash x : A$;
- from $\Gamma \vdash M : A$, $\Gamma \vdash B$ and $A =_{\beta\delta} B$ infer $\Gamma \vdash M : B$;
- from $\Gamma \vdash \Pi x{:}A.\ B$ and $\Gamma, x : A \vdash M : B$ infer $\Gamma \vdash \lambda x.\ M : \Pi x{:}A.\ B$;
- from $\Gamma \vdash M : \Pi x{:}A.\ B$ and $\Gamma \vdash N : A$ infer $\Gamma \vdash M\,N : B(N)$;
- from $\Gamma \vdash A : U$ and $\Gamma, x : A \vdash B : U$ infer $\Gamma \vdash \Pi x{:}A.\ B : U$.

Constructors, as well as operators with their $\delta$-reduction rules, will be introduced in the sequel, as need arises, always complying with the above syntax.

Notational conventions. We tacitly assume capture-free substitution and consider terms up to $\alpha$-conversion. We write $M =_{\beta\delta} N$ or just $M = N$ if $M$ and $N$ are $\beta\delta$-convertible. By $M(x/N)$ we denote the result of substituting $N$ for all the free occurrences of the variable $x$ in $M$. We may write $M(N)$ if the variable $x$ is clear from the context. For example, $(\lambda x.\ M)N = M(x/N)$ and $(\lambda x.\ M)N = M(N)$ both denote a $\beta$-step. We abbreviate $(\lambda x.\ xx)(\lambda x.\ xx)$ to $\Omega$.

2.2 General rules of the type theory

There are three forms of judgments in the type theory: $\Gamma \vdash$ and $\Gamma \vdash A$ and $\Gamma \vdash M : A$. The judgment $\Gamma \vdash$ means that $\Gamma$ is a well-typed context, $\Gamma \vdash A$ means that the type $A$ is well-formed in the context $\Gamma$, and $\Gamma \vdash M : A$ means that the term $M$ has the type $A$ in the context $\Gamma$. We (mostly) use metavariables $A, B$ for types, and $M, N$ for terms, but recall that they are all terms of $\Lambda$.

For the general rules, we have a constructor $U$ for the universe since we want type families to be first-class citizens. We add an operator $\mathrm{Pi}$ for dependent products, with $\delta$-reduction $\mathrm{Pi}\ A\ B\ x = B\,x$. For readability, we write $\Pi x{:}A.\ B$ instead of $\mathrm{Pi}\ A\ (\lambda x.\ B)$, and $A \to B$ instead of $\mathrm{Pi}\ A\ (\lambda x.\ B)$ if $x$ does not occur free in $B$. The typing rules are the standard rules for the Martin-Löf type theory, given in Figure 1. We can derive, for example, $A : U \vdash$, and so $\vdash U \to U$, and in some more steps $A : U \vdash A \to U$. The latter $A \to U$ is the type of unary predicates on a type $A$ (also called type families over $A$). The former $U \to U$ is the type of functions on the universe. Both are large types, i.e., types not in $U$. Types in $U$ are called small types.

2.3 Specific rules of the type theory

We extend the type theory by specific inductive types, which are all standard. We add constants and give typing rules, as well as $\delta$-reduction rules for the operators.

Empty type. We define the empty type with no constructors, and its elimination rule (also known as the ex falso rule):
- from $\Gamma \vdash$ infer $\Gamma \vdash N_0 : U$;
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash \mathrm{ExF} : N_0 \to A$.
We define negation as the abbreviation $\neg := \lambda A.\ A \to N_0$.

Sum. We have the sum type with its two constructors:
- from $\Gamma \vdash A : U$ and $\Gamma \vdash B : U$ infer $\Gamma \vdash (A + B) : U$;
- from $\Gamma \vdash A : U$ and $\Gamma \vdash B : U$ infer $\Gamma \vdash \mathrm{inl} : A \to A + B$;
- from $\Gamma \vdash A : U$ and $\Gamma \vdash B : U$ infer $\Gamma \vdash \mathrm{inr} : B \to A + B$;
and may perform case analysis on terms of type $A + B$:
- from $\Gamma \vdash A : U$, $\Gamma \vdash B : U$ and $\Gamma \vdash C : U$ infer $\Gamma \vdash \mathrm{case} : (A \to C) \to (B \to C) \to A + B \to C$,
where the $\delta$-reductions are given by:
$$\mathrm{case}\ M\ N\ (\mathrm{inl}\ a) = M\,a, \qquad \mathrm{case}\ M\ N\ (\mathrm{inr}\ b) = N\,b.$$
With negation and sum type used for constructive disjunction we can define the concept of decidability that will play an important role in the sequel.

Definition 1. We call a type $A : U$ decidable if $A : U \vdash M : A + \neg A$ for some $M$. The type $A + \neg A$ will often be abbreviated by $\mathrm{dec}\ A$. In such cases we also say that $\mathrm{dec}\ A$ is inhabited, without explicit reference to $\Gamma$ or $M$. Predicates are called decidable if they are pointwise decidable. For example, $P : A \to U$ is decidable if $\Pi a{:}A.\ \mathrm{dec}\ (P\,a)$ is inhabited; $R : A \to A \to U$ is decidable if $\Pi a, a'{:}A.\ \mathrm{dec}\ (R\,a\,a')$ is inhabited. The latter is an example of how we denote two $\Pi$-abstractions with the same base type $A$.

Unit type. We have the unit type with one single constructor:
- from $\Gamma \vdash$ infer $\Gamma \vdash N_1 : U$;
- from $\Gamma \vdash$ infer $\Gamma \vdash 0 : N_1$.

Booleans. We have the type for Booleans with two constructors:
- from $\Gamma \vdash$ infer $\Gamma \vdash N_2 : U$;
- from $\Gamma \vdash$ infer $\Gamma \vdash 0 : N_2$;
- from $\Gamma \vdash$ infer $\Gamma \vdash 1 : N_2$;
and a conditional expression:
- from $\Gamma \vdash C : N_2 \to U$ infer $\Gamma \vdash \mathrm{brec} : C\,0 \to C\,1 \to \Pi b{:}N_2.\ C\,b$,
with the $\delta$-reduction given by
$$\mathrm{brec}\ M\ N\ 0 = M, \qquad \mathrm{brec}\ M\ N\ 1 = N.$$
Note that $\mathrm{brec}$ does not make it possible to define a function $f : N_2 \to U$ with, e.g., $f\,i = N_i$, since that would require $C = \lambda b.\ U$, which cannot be typed. Therefore, certain useful operators have to be defined ad-hoc. Here we define a decidable equality for Booleans:
- from $\Gamma \vdash$ infer $\Gamma \vdash \mathrm{beq} : N_2 \to N_2 \to U$,
whose $\delta$-reductions are given by:
$$\mathrm{beq}\ 0\ 0 = N_1, \quad \mathrm{beq}\ 0\ 1 = N_0, \quad \mathrm{beq}\ 1\ 0 = N_0, \quad \mathrm{beq}\ 1\ 1 = N_1.$$

Natural numbers. We have the type $N$ with the two well-known constructors:
- from $\Gamma \vdash$ infer $\Gamma \vdash N : U$;
- from $\Gamma \vdash$ infer $\Gamma \vdash 0 : N$;
- from $\Gamma \vdash$ infer $\Gamma \vdash S : N \to N$.
Notice that $0$ is ad-hoc polymorphic and is a constructor of $N_1$, $N_2$ and $N$. We have the recursor (dependent eliminator) $\mathrm{rec}$:
- from $\Gamma \vdash C : N \to U$ infer $\Gamma \vdash \mathrm{rec} : C\,0 \to (\Pi n{:}N.\ C\,n \to C\,(S\,n)) \to \Pi n{:}N.\ C\,n$,
with $\delta$-reductions given by
$$\mathrm{rec}\ M\ N\ 0 = M, \qquad \mathrm{rec}\ M\ N\ (S\,n) = N\,n\,(\mathrm{rec}\ M\ N\ n).$$
We also define a decidable equality on natural numbers:
- from $\Gamma \vdash$ infer $\Gamma \vdash \mathrm{eq} : N \to N \to U$,
whose $\delta$-reductions are given by:
$$\mathrm{eq}\ 0\ 0 = N_1, \quad \mathrm{eq}\ (S\,x)\ 0 = N_0, \quad \mathrm{eq}\ 0\ (S\,x) = N_0, \quad \mathrm{eq}\ (S\,x)\ (S\,y) = \mathrm{eq}\ x\ y.$$
By double induction one can easily prove:

Lemma 2. There exist proofs $\mathrm{deq}_{N_2}$, $\mathrm{deq}_N$ such that
$$\vdash \mathrm{deq}_{N_2} : \Pi x, y{:}N_2.\ \mathrm{dec}\ (\mathrm{beq}\ x\ y), \qquad \vdash \mathrm{deq}_N : \Pi n, m{:}N.\ \mathrm{dec}\ (\mathrm{eq}\ n\ m).$$

Lists. We have the usual type of lists over $A$, denoted by $[A]$:
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash [A] : U$;
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash \mathrm{nil} : [A]$;
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash \mathrm{cons} : A \to [A] \to [A]$;
and the list recursor, writing $a :: l$ for $\mathrm{cons}\ a\ l$ here and below:
- from $\Gamma \vdash A$ and $\Gamma \vdash C : [A] \to U$ infer $\Gamma \vdash \mathrm{lrec} : C\,\mathrm{nil} \to (\Pi a{:}A.\ \Pi l{:}[A].\ C\,l \to C\,(a :: l)) \to \Pi l{:}[A].\ C\,l$,
with $\delta$-reductions given by
$$\mathrm{lrec}\ M\ N\ \mathrm{nil} = M, \qquad \mathrm{lrec}\ M\ N\ (a :: l) = N\,a\,l\,(\mathrm{lrec}\ M\ N\ l).$$

Dependent pairs. We have the $\Sigma$-type for dependent pairs:
- from $\Gamma \vdash A : U$ and $\Gamma, x : A \vdash B : U$ infer $\Gamma \vdash \Sigma x{:}A.\ B : U$;
- from $\Gamma \vdash \Sigma x{:}A.\ B : U$, $\Gamma \vdash W : A$ and $\Gamma \vdash P : B(W)$ infer $\Gamma \vdash (W, P) : \Sigma x{:}A.\ B$;
with dependent eliminator (recursor):
- from $\Gamma \vdash A : U$, $\Gamma, x : A \vdash B : U$ and $\Gamma \vdash C : (\Sigma x{:}A.\ B) \to U$ infer $\Gamma \vdash \mathrm{srec} : (\Pi x{:}A.\ \Pi p{:}B.\ C\,(x, p)) \to \Pi y{:}(\Sigma x{:}A.\ B).\ C\,y$;
with $\delta$-reduction given by:
$$\mathrm{srec}\ Q\ (w, p) = Q\,w\,p.$$
We use similar notational conventions for $\Sigma x{:}A.\ B$ as for $\Pi x{:}A.\ B$. This means that the actual syntax is $\mathrm{Sig}\ A\ (\lambda x.\ B)$. When $x$ does not appear free in $B$, we may abbreviate $\Sigma x{:}A.\ B$ as $A \times B$.

3 Noetherian relations and streamless relations

In this section we define the concepts Noetherian and streamless for relations. When applied to the equality relation on a type $A$, they yield two classically equivalent definitions of finiteness. We first extend the type theory with new constants and rules to facilitate these definitions.

3.1 Auxiliary constants and rules

Given a list $l$ of elements of a type $A$ and a predicate $P$ on $A$, we define a predicate $\mathrm{exists}\ P\ l$ to be true if $l$ contains an element that satisfies $P$. Formally, we add a typing rule for $\mathrm{exists}$
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash \mathrm{exists} : (A \to U) \to [A] \to U$,
and $\delta$-reductions given by:
$$\mathrm{exists}\ P\ \mathrm{nil} = N_0, \qquad \mathrm{exists}\ P\ (a :: l) = (P\,a) + \mathrm{exists}\ P\ l.$$
Note that $\mathrm{exists}$ is not definable by list recursion since it would require $C = \lambda l.\ U$, which cannot be typed. A similar remark holds for $\mathrm{good}$ which we define now. Given a binary relation $R$ on a type $A$ and a list $l$ over $A$, we define a predicate $\mathrm{good}\ R\ l$ to be true if $l$ contains elements that are related by $R$ in the same order in which they occur in $l$. Formally, we define a typing rule for $\mathrm{good}$ by
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash \mathrm{good} : (A \to A \to U) \to [A] \to U$,
and $\delta$-reductions by:
$$\mathrm{good}\ R\ \mathrm{nil} = N_0, \qquad \mathrm{good}\ R\ (a :: l) = \mathrm{exists}\ (R\,a)\ l + \mathrm{good}\ R\ l.$$

The following functions are actually definable by the recursors in Section 2.3. We define the length function on lists:
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash \mathrm{length} : [A] \to N$,
with $\delta$-reductions given by:
$$\mathrm{length}\ \mathrm{nil} = 0, \qquad \mathrm{length}\ (h :: t) = S(\mathrm{length}\ t).$$
Given a function $f$ from natural numbers to a type $A$, the function $\mathrm{take}\ f$ returns for every natural number $n$ the list consisting of the first $n$ values of $f$. Formally, we define a typing rule for $\mathrm{take}$ by
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash \mathrm{take} : (N \to A) \to N \to [A]$,
and, writing $\overline{f}\,n$ for $(\mathrm{take}\ f\ n)$, $\delta$-reductions:
$$\overline{f}\,0 = \mathrm{nil}, \qquad \overline{f}\,(S\,n) = (f\,n) :: (\overline{f}\,n).$$

Given a type $A$ and a predicate $P$ on $[A]$, we define by induction the predicate $\mathrm{bar}\ A\ P$ of lists over $A$ that are "barred" by $P$. The classical intuition is that a list is "barred" by $P$ if every extension eventually satisfies $P$. More precisely, by the inductive definition below, $\mathrm{bar}\ A\ P$ is the smallest predicate which contains $P$ and which is closed under inductive shortening, that is, holds of $l$ whenever it holds of $a :: l$ for all $a : A$. Since the type $A$ will be the same in this section, we will use the abbreviation $\mathrm{bAr}$ for $\mathrm{bar}\ A$, where the capital in $\mathrm{bAr}$ should remind the reader of the implicit argument $A$. We add the following typing rules for proving that the list $l$ is barred by $P$:
- from $\Gamma \vdash A : U$ infer $\Gamma \vdash \mathrm{bAr} : ([A] \to U) \to [A] \to U$;
- from $\Gamma \vdash A : U$, $\Gamma \vdash l : [A]$, $\Gamma \vdash P : [A] \to U$ and $\Gamma \vdash X : P\,l$ infer $\Gamma \vdash \mathrm{base}\ X : \mathrm{bAr}\ P\ l$;
- from $\Gamma \vdash A : U$, $\Gamma \vdash l : [A]$, $\Gamma \vdash P : [A] \to U$ and $\Gamma \vdash Y : \Pi a{:}A.\ \mathrm{bAr}\ P\ (a :: l)$ infer $\Gamma \vdash \mathrm{step}\ Y : \mathrm{bAr}\ P\ l$.
The eliminator for $\mathrm{bAr}\ P$ will be called a bar recursor, but should not be confused with Spector's bar recursor from [13]. The latter is an ingenious combinator of much greater proof theoretic strength than the one here. Our bar recursor has the following type:
- from $\Gamma \vdash A : U$, $\Gamma \vdash P : [A] \to U$ and $\Gamma \vdash C : [A] \to U$ infer $\Gamma \vdash \mathrm{barrec} : (\Pi l{:}[A].\ P\,l \to C\,l) \to (\Pi l{:}[A].\ (\Pi a{:}A.\ C\,(a :: l)) \to C\,l) \to \Pi l{:}[A].\ \mathrm{bAr}\ P\ l \to C\,l$,
and its computational behaviour is described by the following $\delta$-reductions:
$$\mathrm{barrec}\ B\ S\ l\ (\mathrm{base}\ X) = B\,l\,X, \qquad \mathrm{barrec}\ B\ S\ l\ (\mathrm{step}\ Y) = S\,l\,(\lambda a.\ \mathrm{barrec}\ B\ S\ (a :: l)\ (Y\,a)).$$

3.2 Definition of streamless and Noetherian

Streamless and Noetherian can both be defined as properties of a binary relation $R : A \to A \to U$. Informally speaking, $R$ is streamless if every stream, i.e., infinite sequence in $A$, contains two elements related by $R$ in the reversed order as they appear in the sequence. (The name streamless may well be considered a misnomer if $R$ is not an equality relation. Classically, streamless means that there is no $f$ such that $i > j \to \overline{R}\,i\,j$ for all $i, j$, with $\overline{R}$ the complement of $R$.)

Definition 3. A relation $R : A \to A \to U$ on a type $A : U$ is streamless if every function $f : N \to A$ from natural numbers to $A$ has a prefix that is $R$-good, i.e.,
$$\mathrm{streamless}\ R := \Pi f{:}N \to A.\ \Sigma n{:}N.\ \mathrm{good}\ R\ (\overline{f}\,n).$$
The equality relation on $A$ being streamless expresses that every stream contains a duplicate, i.e., is constructively non-injective. This is classically equivalent to saying that $A$ is finite.

Noetherian is not so easily explained; it is an acquired taste. We call $P$ an inductive bar in $[A]$ if $\mathrm{bAr}\ P\ \mathrm{nil}$ holds, that is, if $\mathrm{nil}$ is barred by $P$. By the inductive definition of $\mathrm{bAr}\ P$ this means that $\mathrm{nil}$ can be obtained from lists satisfying $P$ by inductive shortening. We call a relation $R$ Noetherian if $(\mathrm{good}\ R)$ is an inductive bar.

Definition 4. A relation $R : A \to A \to U$ on a type $A : U$ is Noetherian if $\mathrm{bAr}\ (\mathrm{good}\ R)\ \mathrm{nil}$ holds:
$$\mathrm{Noetherian}\ R := \mathrm{bAr}\ (\mathrm{good}\ R)\ \mathrm{nil}.$$
The equality relation on $A$ being Noetherian is also classically equivalent to $A$ being finite. However, unlike streamless, Noetherian allows us to use induction on $\mathrm{bAr}$. It is exactly this which allows us to prove that Noetherian relations are streamless. The novelty of this proof is that it does not use a relation expressing that a list $l$ is a prefix of a function $f$, and hence not an equality relation on the type $A$. Of course, adding equality would not be problematic, but it is somehow pleasing that equality is not used for proving a result that does not involve equality (the normal form of any such proof would not involve equality anyway). A nice corollary of the next theorem is that every Noetherian relation is reflexive, a fact that would otherwise require a non-trivial proof.

Theorem 5. There is a proof $M$ such that
$$A : U,\ R : A \to A \to U \vdash M : \mathrm{Noetherian}\ R \to \mathrm{streamless}\ R.$$

Proof. We prove in the context $A : U,\ R : A \to A \to U,\ f : N \to A$ that the following type is inhabited:
$$\Pi l{:}[A].\ \mathrm{bAr}\ (\mathrm{good}\ R)\ l \to \mathrm{subG}\ R\ f\ l \to \mathrm{subEx}\ R\ f\ l \to \Sigma m{:}N.\ \mathrm{good}\ R\ (\overline{f}\,m), \tag{1}$$
where $\mathrm{subG}\ R\ f\ l$ and $\mathrm{subEx}\ R\ f\ l$ are defined as the following abbreviations.
$$\mathrm{subG}\ R\ f\ l := \mathrm{good}\ R\ l \to \mathrm{good}\ R\ (\overline{f}\,(\mathrm{length}\ l))$$
$$\mathrm{subEx}\ R\ f\ l := \Pi a{:}A.\ (\mathrm{exists}\ (R\,a)\ l \to \mathrm{exists}\ (R\,a)\ (\overline{f}\,(\mathrm{length}\ l)))$$
These abbreviations express that the good/exists properties of $l$ imply those of $\overline{f}\,(\mathrm{length}\ l)$, which will suffice to show (1). Also note that they both trivially hold for $\mathrm{nil}$, so that (1) with $l = \mathrm{nil}$ implies Theorem 5. (Note that both are trivially implied by $l = \overline{f}\,(\mathrm{length}\ l)$.)

We prove (1) by induction on $\mathrm{bAr}\ (\mathrm{good}\ R)\ l$, that is, using the last rule of the previous section with the predicate $P := (\mathrm{good}\ R)$ and the predicate
$$C := \lambda l{:}[A].\ \mathrm{subG}\ R\ f\ l \to \mathrm{subEx}\ R\ f\ l \to \Sigma m{:}N.\ \mathrm{good}\ R\ (\overline{f}\,m).$$
Thus the proof of (1) will be of the form $\mathrm{barrec}\ H_b\ H_s$ with $H_b : \Pi l{:}[A].\ P\,l \to C\,l$ and $H_s : \Pi l{:}[A].\ (\Pi a{:}A.\ C(a :: l)) \to C\,l$, corresponding to the base case and the step case, respectively, elaborated below.

Base case. To construct $H_b : \Pi l{:}[A].\ P\,l \to C\,l$, assume $l : [A]$ such that $\mathrm{good}\ R\ l$, $\mathrm{subG}\ R\ f\ l$, and $\mathrm{subEx}\ R\ f\ l$. From $\mathrm{subG}\ R\ f\ l$ and $\mathrm{good}\ R\ l$ we immediately get the goal $\mathrm{good}\ R\ (\overline{f}\,(\mathrm{length}\ l))$.

Step case. To construct $H_s : \Pi l{:}[A].\ (\Pi a{:}A.\ C(a :: l)) \to C\,l$, assume $l : [A]$ such that $\Pi a{:}A.\ C(a :: l)$. We have to show $C\,l$. The latter expands to $\mathrm{subG}\ R\ f\ l \to \mathrm{subEx}\ R\ f\ l \to \Sigma m{:}N.\ \mathrm{good}\ R\ (\overline{f}\,m)$, so we assume $\mathrm{subG}\ R\ f\ l$ and $\mathrm{subEx}\ R\ f\ l$, and show $\Sigma m{:}N.\ \mathrm{good}\ R\ (\overline{f}\,m)$. Expanding the induction hypothesis $(\Pi a{:}A.\ C(a :: l))$ yields
$$\Pi a{:}A.\ \mathrm{subG}\ R\ f\ (a :: l) \to \mathrm{subEx}\ R\ f\ (a :: l) \to \Sigma m{:}N.\ \mathrm{good}\ R\ (\overline{f}\,m).$$
We apply this to $a = f\,(\mathrm{length}\ l)$, and proceed to proving the two assumptions in the following two subcases.

Subcase $\mathrm{subG}\ R\ f\ (f\,(\mathrm{length}\ l) :: l)$. Expanding the abbreviation $\mathrm{subG}$ we get
$$\mathrm{good}\ R\ (f\,(\mathrm{length}\ l) :: l) \to \mathrm{good}\ R\ (\overline{f}\,(\mathrm{length}\ (f\,(\mathrm{length}\ l) :: l))).$$
Since $(\mathrm{length}\ (f\,(\mathrm{length}\ l) :: l))$ reduces to $S(\mathrm{length}\ l)$, the conclusion of the above formula reduces to $\mathrm{good}\ R\ (f\,(\mathrm{length}\ l) :: \overline{f}\,(\mathrm{length}\ l))$. Using the definition of $\mathrm{good}$ in both the antecedent and the consequent it becomes clear that we have to prove:
$$(\mathrm{exists}\ (R\,(f\,(\mathrm{length}\ l)))\ l + \mathrm{good}\ R\ l) \to (\mathrm{exists}\ (R\,(f\,(\mathrm{length}\ l)))\ (\overline{f}\,(\mathrm{length}\ l)) + \mathrm{good}\ R\ (\overline{f}\,(\mathrm{length}\ l))).$$
The latter is easily proved by cases using the assumption $\mathrm{subEx}\ R\ f\ l$ with $a = f\,(\mathrm{length}\ l)$ for the left summand and the assumption $\mathrm{subG}\ R\ f\ l$ for the right summand.

Subcase $\mathrm{subEx}\ R\ f\ (f\,(\mathrm{length}\ l) :: l)$. Expanding the abbreviation $\mathrm{subEx}$ and reducing we get
$$\Pi a{:}A.\ \mathrm{exists}\ (R\,a)\ (f\,(\mathrm{length}\ l) :: l) \to \mathrm{exists}\ (R\,a)\ (f\,(\mathrm{length}\ l) :: \overline{f}\,(\mathrm{length}\ l)).$$
Using the definition of $\mathrm{exists}$ we get by reducing
$$\Pi a{:}A.\ ((R\,a\,(f\,(\mathrm{length}\ l))) + \mathrm{exists}\ (R\,a)\ l) \to ((R\,a\,(f\,(\mathrm{length}\ l))) + \mathrm{exists}\ (R\,a)\ (\overline{f}\,(\mathrm{length}\ l))).$$
The latter follows easily from the assumption $\mathrm{subEx}\ R\ f\ l$. This finishes the second subcase of the step case and we are done. □

4 The Model Construction

In this section, we construct the realizability model for the type theory, based on the underlying computational system $\Lambda$. Terms are interpreted by $\beta\delta$-equivalence classes of the terms of $\Lambda$. Types are interpreted by sets of such equivalence classes. Typically, if $\Gamma \vdash M : A$, then the interpretation of $M$ is an element of the interpretation of $A$ (both relative to the interpretation of $\Gamma$). We use the realizability model to show the unprovability of the converse of Theorem 5. For this result, we use (the functional version of) Markov's principle and a non-classical axiom $\neg \Pi n{:}N.\ (H\,n) + \neg(H\,n)$ for a halting predicate $H$. Both will be shown to be true in the model in later sections.

4.1 Pointed DCPOs and fixpoints

We recall Pataraia's fixpoint theorem [12], which states that every monotone endofunction (an endofunction is a function with the same domain and codomain) on a pointed directed complete partial order (DCPO) has a least fixpoint.

Definition 6. Let $(P, \leq)$ be a partial order. A subset $X$ of $P$ is directed if it is nonempty and, for every $x, y \in X$, there exists $z \in X$ such that $x \leq z$ and $y \leq z$.

Definition 7. A partial order $(P, \leq)$ is a directed complete partial order (DCPO) if every directed subset of $P$ has a least upper bound (supremum) in $P$. A DCPO $(P, \leq)$ is pointed if the empty set has a supremum, which is then the least element $\bot_P$ of $P$.

Definition 8. An endofunction $f : P \to P$ is monotone if it is order-preserving, i.e., for every $x, y \in P$, $x \leq y$ implies $f(x) \leq f(y)$.

Theorem 9. Every monotone endofunction on a pointed DCPO has a least fixpoint, which is also the least pre-fixpoint.

A short proof can be found in [6].
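Returning to Section 3: the following Python is an added example, not code from the paper or its Coq development [10]. It encodes the constants of Section 3.1 (exists, good, take, the bAr proofs base/step, and barrec) and the computational content of Theorem 5: a bar proof of good R at nil is walked along a stream f, always extending the list with f (length l) as the step case does, until a base node is reached. The bar proof for equality on a constructed finite set and the streams are assumptions of the example.

```python
# Added example, not code from the paper or its Coq formalization [10].
# Lists over A are Python tuples with the newest element at the head, so that
# (a,) + l plays the role of cons a l = a :: l.
from dataclasses import dataclass
from typing import Any, Callable, Union


def exists(P, l):
    """exists P l: some element of l satisfies P (delta-rules of Section 3.1)."""
    return any(P(a) for a in l)


def good(R, l):
    """good R l: l has an a before some later b with R a b, following
    good R nil = N0;  good R (a :: l) = exists (R a) l + good R l."""
    for i, a in enumerate(l):
        if exists(lambda b: R(a, b), l[i + 1:]):
            return True
    return False


def take(f, n):
    """take f n: the first n values of the stream f, newest first, following
    f^0 = nil;  f^(S n) = (f n) :: f^n."""
    l = ()
    for i in range(n):
        l = (f(i),) + l
    return l


# Proofs of bAr P l: base X with X : P l, or step Y with Y : Pi a:A. bAr P (a :: l).
@dataclass
class Base:
    X: Any


@dataclass
class Step:
    Y: Callable[[Any], Union["Base", "Step"]]


def barrec(B, S, l, proof):
    """The bar recursor of Section 3.1:
    barrec B S l (base X) = B l X
    barrec B S l (step Y) = S l (lambda a. barrec B S (a :: l) (Y a))."""
    if isinstance(proof, Base):
        return B(l, proof.X)
    return S(l, lambda a: barrec(B, S, (a,) + l, proof.Y(a)))


def noetherian_bar_eq(elements):
    """A lazily built proof that good (=) bars nil for the finite set `elements`
    (an assumption of this example): the step case extends the list until a
    duplicate appears, which by the pigeonhole principle happens after at most
    len(elements) + 1 elements, so the tree is finite."""
    def eq(a, b):
        return a == b

    def build(l):
        if good(eq, l):
            return Base(True)  # X : good (=) l
        # pigeonhole: a duplicate-free list over `elements` is never longer
        assert len(l) <= len(elements)

        def Y(a):
            if a not in elements:
                raise ValueError(f"{a!r} is not an element of the set")
            return build((a,) + l)
        return Step(Y)

    return build(())


def noetherian_to_streamless(bar_nil, f):
    """Computational content of Theorem 5: from a proof that good R bars nil
    and a stream f, return m with good R (take f m). The step case applies the
    induction hypothesis to a = f (length l), so the list walked is always
    take f (length l); at a base node that list is good, hence m = length l."""
    def B(l, X):
        return len(l)

    def S(l, ih):
        return ih(f(len(l)))

    return barrec(B, S, (), bar_nil)


def example_duplicate_prefix():
    """Constructed stream 1, 2, 2, 1, 2, 2, ... over the constructed set {0, 1, 2}."""
    elements = {0, 1, 2}
    f = lambda n: (n * n + 1) % 3
    m = noetherian_to_streamless(noetherian_bar_eq(elements), f)
    prefix = take(f, m)
    assert good(lambda a, b: a == b, prefix)
    return m, prefix  # (3, (2, 2, 1))


if __name__ == "__main__":
    print(example_duplicate_prefix())
```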
The standard argument, transfinite iteration of the function starting at the least element, also works. The reason is that the transfinite sequence is directed. We will use Pataraia?s Theorem with the following DCPO. Let D be a set. Elements of the DCPO are pairs (S, F ) where S ? P (D), that is, S is a subset of D, and F is a function S ? P (D), viewed as a single-valued set of pairs. We can order such pairs by (S, F ) ? (S0, F 0) if S ? S0 and F ? F 0. The latter conjunct can be rephrased by saying that F is the restriction of F 0 to S. This does not yield a complete lattice on pairs (S, F ), even though (P (D) , ?) is. For example, if D = {d, e} and S = {d} and Fd maps d to {d} and Fe maps d to {e}, then there is no F such that Fd, Fe ? F . (It is tempting but wrong to think that F mapping d to {d, e} extends Fd and Fe.) 2 An endofunction is a function with the same domain and codomain. However, if X is a directed set of pairs (S, F ), then the pair ( is the least upper bound of X. Note that, since X is directed, S(S,F )?X F is a function from S(S,F )?X S to P (D) as required. If X = ?, we get the least element (?, ?) by the same formula above. It follows that the set of pairs ordered as above is a pointed DCPO. Consequently, every monotone endofunction has a least fixpoint. We shall now define the realizability model. The domain D is the set of terms in the extended untyped lambda calculus modulo ??-equality. Hence, elements of D are equivalence classes of terms. For simplicity, however, we will often call them just terms, and write M to denote the equivalence class of M . Next, we define which elements of D represent types and how to find the subset of elements associated with each type. We shall first prepare the interpretation of the inductive types. Define Num ? D as the smallest set containing 0 and closed under the successor, i.e., S n is in Num if n is in Num. 
Formally, we define Num as the least fixpoint of the following monotone endofunction ?Num on P (D): ?Num(X) := {0} ? {S n | n ? X}. The poset (P (D) , ?) is a complete lattice, hence the least fixpoint exists by the KnasterTarski theorem, which is a special case of Pataraia?s theorem. Similarly, given a set A ? D, we define List(A) ? D as the least fixpoint of the following monotone endofunction ?List(A) on (P (D) ?): ?List(A)(X) := {nil} ? {cons a l | a ? A ? l ? X}. Informally, List(A) consists of classes that are ??-equivalent to lists over A. Note that bAr is an inductively defined function on [A] ? U. Given a set A ? D, consider the poset (List(A) ? P (D) , ?), where Q ? Q0 if Q(l) ? Q0(l) for all l in List(A)3. This poset forms a complete lattice, hence every monotone function on it has a least fixpoint. Given also a function P in List(A) ? P (D), define Bar(A, P ) as the least fixpoint of the following monotone endofunction ?Bar(A,P ) on (List(A) ? P (D) , ?): ?Bar(A,P )(Q)(l) := {base X | X ? P (l)} ? {step Y | ?a ? A. Y a ? Q (cons a l)}. Finally, we introduce the DCPO L of pairs (S, F ) with S ? D and F ? S ? P (D) as described in Section 4.1. Here S is to be viewed as a set of types, and F as a function giving the set of elements F (T ) ? D for each T ? S. We are now ready to define which terms of ? are types, and which elements each type has. We do so in two stages, first for the small types and then for all types, using monotone endofunctions ?0 and ?1 on L, respectively. An important observation is that only constructors play a role here, not operators, and that the only difference between ?0 and ?1 is that the latter includes the constructor U. 3 Abusing notation, we denote by A ? B the set of functions from the set A to the set B in the ambient naive set theory in which we develop the realizability model. ?0 on L: where We define (T0, El0) in L to be the least fixpoint of the following monotone endofunction ?0(S, F ) := (S1 ? S2 ? ? ? ? ? S9, F1 ? 
F2 ? ? ? ? ? F9) In the last line, the notation List(F (A)) 3 l0 7? F (P l0) denotes the function which maps l0 in List(F (A)) to F (P l0). The endofunction ?0 is monotone on the DCPO L, hence the least fixpoint (T0, El0) exists by Theorem 9. I Definition 10. (T0, El0) is the least fixpoint of ?0 above. Given T0, we define ?1(S, F ) := ({U} ? S1 ? S2 ? ? ? ? ? S9, {(U, T0)} ? F1 ? F2 ? ? ? ? ? F9) with Si, Fi for i = 1, . . . , 9 are as defined earlier. The endofunction ?1 is monotone. I Definition 11. (T1, El1) is the least fixpoint of ?1 above. I Remark. An important observation about the definitions of ?0 and ?1 is that F occurs negatively in some clause, namely in S7 for dependent products. This is the reason that we use DCPOs and not CPOs. Type-theoretically, the construction of the model goes by induction-recursion [5], as opposed to mutual induction. A different device, replacing negative occurrences by positive conditions on the complements, has been used in [1] and can be traced back to Scott and Feferman. I Remark. The set T1 is intended to contain all representatives of types in the type theory, both small and large, but it actually contains much more. Likewise, for A ? T1, El1(A) intends to contain all interpretations of terms of type A in the type theory, but it actually contains much more. For instance, the set El1(N ? N) contains all (total) recursive functions f := ?n. rec 0 (?m. ?x. 0) n g := ?n. rec 0 ? (f n). h := ?n. (rec N ? (f n) on Num. In particular, elements in T1 or El1(A) (with A ? T1) may not be normalizing. For instance, let and, deliberately using the term ? which is not typable, Then f always returns 0 on a numeral, i.e., f n is ??-equivalent to 0 for any n in Num, so that also gn =?? 0 for all numerals n. The term g is in El1(N ? N), but is not even weakly normalizing, since g reduces to itself by a contraction of ?. Likewise, for the term we have hn =?? N for all numerals n. Hence Pi N h is in T0, but is not weakly normalizing. 
We have f, g ∈ El0(Pi N h) = El0(N → N). While we have ⊢ f : N → N, it is neither possible to derive ⊢ g : N → N, nor ⊢ Pi N h, let alone ⊢ f : Pi N h or ⊢ g : Pi N h. The realizability model is not a term model. This is not a bug, but a feature that we will exploit: types that are inhabited in the model can be consistently added as axioms to the type theory.

The following lemma states that El0 and El1 agree on T0.

Lemma 12. (T0, El0) ⊑ (T1, El1).

Proof. The claim follows from Theorem 9, since (T1, El1) is a prefixpoint of Φ0. □

From the fact that (T1, El1) (resp. (T0, El0)) is a fixpoint of Φ1 (resp. Φ0), we obtain the following lemma.

Lemma 13. For i = 0, 1, the following conditions hold:
1) N0 ∈ Ti, and Eli(N0) = ∅;
2) N1 ∈ Ti, and Eli(N1) = {0};
3) N2 ∈ Ti, and Eli(N2) = {0, 1};
4) N ∈ Ti, and Eli(N) = Num;
5) A + B ∈ Ti if A, B ∈ Ti, and then Eli(A + B) = {inl a | a ∈ Eli(A)} ∪ {inr b | b ∈ Eli(B)};
6) [A] ∈ Ti if A ∈ T0, and then Eli([A]) = List(El0(A));
7) Πx:A. B ∈ Ti if A ∈ Ti and B(a) ∈ Ti for all a ∈ Eli(A), and then Eli(Πx:A. B) = {M | ∀a ∈ Eli(A). M a ∈ Eli(B(a))};
8) Σx:A. B ∈ Ti if A ∈ Ti and B(a) ∈ Ti for all a ∈ Eli(A), and then Eli(Σx:A. B) = {(W, P) | W ∈ Eli(A) ∧ P ∈ Eli(B(W))};
9) bAr P l ∈ Ti if A ∈ T0, l ∈ El0([A]) and P l′ ∈ T0 for all l′ ∈ El0([A]), and then Eli(bAr P l) = Bar(El0(A), El0([A]) ∋ l′ ↦ El0(P l′))(l).

4.3 Soundness

We now give the semantics of expressions and types a priori, that is, without any assumption of them being well-typed.

Definition 14. An environment is a mapping from the set of variables to the domain D. We let ρ, ρ′, ... range over environments and let Env denote the set of all environments. By ρ(x/a) we denote the environment ρ′ with ρ′(x) = a and ρ′(y) = ρ(y) for variables y ≠ x.

Definition 15. Let M be a term, i.e., either an expression or a type, and ρ an environment. The semantics ⟦M⟧ρ ∈ D of M in ρ
denotes the (βι-equivalence class of the) result of the simultaneous substitution in M of all free occurrences of variables x by ρ(x). We write ⟦M⟧ to denote ⟦M⟧ρ with ρ being the empty environment, or when M is closed. We may also write M for ⟦M⟧ρ in that case.

As usual, we need a substitution lemma.

Lemma 16. For all M, N and ρ, we have ⟦(λx. M) N⟧ρ = ⟦M(N)⟧ρ = ⟦M⟧ρ(x/⟦N⟧ρ).

Proof. By a routine induction on the structure of M. □

We have to take into account certain sanity conditions on environments with respect to typing contexts.

Definition 17. An environment ρ is Γ-correct if for all (x : A) ∈ Γ, ⟦A⟧ρ ∈ T1 and ρ(x) ∈ El1(⟦A⟧ρ).

The following lemma states that the type theory is sound with respect to the semantics.

Lemma 18. For all Γ, M, A and for any Γ-correct ρ we have the following:
1. if Γ ⊢ A, then ⟦A⟧ρ ∈ T1;
2. if Γ ⊢ M : A, then ⟦A⟧ρ ∈ T1 and ⟦M⟧ρ ∈ El1(⟦A⟧ρ).

Proof. Since the rules in Figure 1 mix (1) and (2), we prove the lemma by simultaneous induction on derivations. We start with the general typing rules in Figure 1.

Suppose Γ ⊢ U by Γ ⊢, and ρ is Γ-correct. Then the claim holds trivially, since ⟦U⟧ρ = U ∈ T1 by Lemma 13.

Suppose Γ ⊢ A by Γ ⊢ A : U, and ρ is Γ-correct. We have ⟦A⟧ρ ∈ El1(U) by the induction hypothesis, and El1(U) = T0 ⊆ T1 by Lemma 12, from which the claim follows.

Suppose Γ ⊢ Πx:A. B by Γ ⊢ A and Γ, x : A ⊢ B, and ρ is Γ-correct. We have to prove that ⟦Πx:A. B⟧ρ ∈ T1. By the induction hypothesis on Γ ⊢ A, we have ⟦A⟧ρ ∈ T1. By Lemma 13 and an appeal to the Substitution Lemma, it suffices that ⟦B⟧ρ(x/a) ∈ T1 for all a ∈ El1(⟦A⟧ρ). For this, it suffices by the induction hypothesis on Γ, x : A ⊢ B that ρ(x/a) is (Γ, x : A)-correct, which follows from a ∈ El1(⟦A⟧ρ).

Suppose Γ ⊢ x : A by (x : A) ∈ Γ. Then the claim follows from ρ being Γ-correct and ⟦x⟧ρ = ρ(x).

Suppose Γ ⊢ M : B by A =βι B, Γ ⊢ M : A and Γ ⊢ B. By the induction hypothesis on Γ ⊢ M : A, we have ⟦A⟧ρ ∈ T1 and ⟦M⟧ρ ∈ El1(⟦A⟧ρ).
By A =βι B, we have ⟦A⟧ρ = ⟦B⟧ρ, hence we get ⟦B⟧ρ ∈ T1 and ⟦M⟧ρ ∈ El1(⟦B⟧ρ).⁴

⁴ We do not use the induction hypothesis on Γ ⊢ B. In fact, we do not use the hypothesis Γ ⊢ B at all. This shows that the typing rules are more restrictive than the semantics.

Suppose Γ ⊢ λx. M : Πx:A. B by Γ ⊢ A, Γ ⊢ Πx:A. B and Γ, x : A ⊢ M : B. By the induction hypothesis, we have ⟦A⟧ρ ∈ T1 and ⟦Πx:A. B⟧ρ ∈ T1. We have to show ⟦λx. M⟧ρ ∈ El1(⟦Πx:A. B⟧ρ). By the Substitution Lemma, it suffices that ⟦λx. M⟧ρ a = ⟦M⟧ρ(x/a) ∈ El1(⟦B⟧ρ(x/a)) for all a ∈ El1(⟦A⟧ρ). This follows from the induction hypothesis on Γ, x : A ⊢ M : B, noting that ρ(x/a) is (Γ, x : A)-correct.

Suppose Γ ⊢ M N : B(N) by Γ ⊢ M : Πx:A. B and Γ ⊢ N : A. By the induction hypothesis, we have ⟦Πx:A. B⟧ρ ∈ T1, ⟦M⟧ρ ∈ El1(⟦Πx:A. B⟧ρ), and ⟦A⟧ρ ∈ T1, ⟦N⟧ρ ∈ El1(⟦A⟧ρ). By Lemma 13, it follows that ⟦M⟧ρ ⟦N⟧ρ ∈ El1(⟦B⟧ρ(⟦N⟧ρ)). Using the Substitution Lemma, we conclude

⟦M N⟧ρ = ⟦M⟧ρ ⟦N⟧ρ ∈ El1(⟦B⟧ρ(⟦N⟧ρ)) = El1(⟦B⟧ρ(x/⟦N⟧ρ)) = El1(⟦B(N)⟧ρ).

Suppose Γ ⊢ Πx:A. B : U by Γ ⊢ A : U and Γ, x : A ⊢ B : U. By the induction hypothesis on Γ ⊢ A : U and by Lemma 13, we know that ⟦U⟧ρ = U ∈ T1 and ⟦A⟧ρ ∈ El1(U) = T0. We have to show ⟦Πx:A. B⟧ρ ∈ T0. By Lemma 13 again and by the Substitution Lemma, it suffices that ⟦B⟧ρ(x/a) ∈ T0 for all a ∈ El0(⟦A⟧ρ). Recalling that El0 and El1 agree on T0 (Lemma 12), hence in particular on ⟦A⟧ρ, this follows from the induction hypothesis on Γ, x : A ⊢ B : U, since ρ(x/a) is (Γ, x : A)-correct.

We are done with the general typing rules. We move on to the specific typing rules in Section 2.3. In the following, we will often tacitly use that El1(U) = T0 ⊆ T1 and that El1 extends El0 (Lemma 12).

Regarding the empty type, we have U ∈ T1 and N0 ∈ El1(U) from Lemma 13. If Γ ⊢ ExF : N0 → A by Γ ⊢ A : U, then by the induction hypothesis we have ⟦A⟧ρ ∈ T0. It follows that N0 → ⟦A⟧ρ ∈ T0, and ExF ∈ El0(N0 → ⟦A⟧ρ) since El0(N0) is empty.
Regarding the typing rules for the unit type, we get the claim from Lemma 13. Regarding Booleans, we get the claim from Lemma 13 for the typing rules for N2, 0 and 1. Suppose Γ ⊢ brec : C 0 → C 1 → Πb:N2. C b by Γ ⊢ C : N2 → U. By the induction hypothesis, we have N2 → U ∈ T1 and ⟦C⟧ρ ∈ El1(N2 → U), so ⟦C 0⟧ρ ∈ T0, ⟦C 1⟧ρ ∈ T0, and ⟦C b⟧ρ ∈ T0 for all b ∈ El1(N2). It follows that ⟦C 0 → C 1 → Πb:N2. C b⟧ρ ∈ T1. Let M ∈ El0(⟦C 0⟧ρ) and N ∈ El0(⟦C 1⟧ρ). For every b ∈ El1(N2), we have either b = 0 or b = 1. Hence we get brec ∈ El1(⟦C 0 → C 1 → Πb:N2. C b⟧ρ) from the ι-reduction for brec. We get the claim for the typing rule for beq from Lemma 13 and the ι-reduction for beq.

Regarding natural numbers, the only non-trivial rules are those for rec and eq. Suppose Γ ⊢ rec : C 0 → (Πn:N. C n → C (S n)) → Πn:N. C n by Γ ⊢ C : N → U. By the induction hypothesis, we have N → U ∈ T1 and ⟦C⟧ρ ∈ El1(N → U). It follows that ⟦C 0⟧ρ ∈ T0, ⟦Πn:N. C n → C (S n)⟧ρ ∈ T0 and ⟦Πn:N. C n⟧ρ ∈ T0, hence ⟦C 0 → (Πn:N. C n → C (S n)) → Πn:N. C n⟧ρ ∈ T0. We have to prove that rec M N n ∈ El0(⟦C n⟧ρ) for all M ∈ El0(⟦C 0⟧ρ), N ∈ El0(⟦Πn:N. C n → C (S n)⟧ρ) and n ∈ El0(N). This is proved by induction on n ∈ El0(N) = Num, using the ι-rule for rec. It follows that rec ∈ El0(⟦C 0 → (Πn:N. C n → C (S n)) → Πn:N. C n⟧ρ). Suppose Γ ⊢ eq : N → N → U by Γ ⊢. That N → N → U ∈ T1 follows from Lemma 13. In order to show eq ∈ El1(N → N → U), we have to prove eq m n ∈ T0 for all m and n in Num. This is proved by nested induction on m and n.

Regarding lists, if Γ ⊢ [A] : U by Γ ⊢ A : U, then by the induction hypothesis we get ⟦A⟧ρ ∈ T0. It follows from Lemma 13 that ⟦[A]⟧ρ = [⟦A⟧ρ] ∈ T0. If Γ ⊢ nil : [A] by Γ ⊢ A : U, the claim follows easily from the induction hypothesis and Lemma 13. The case for Γ ⊢ cons : A → [A] → [A] by Γ ⊢ A : U is similar. Suppose Γ ⊢ lrec : C nil → (Πa:A. Πl:[A]. C l → C (a :: l)) → Πl:[A]. C l by Γ ⊢ A and Γ ⊢ C : [A] → U. By the induction hypothesis on Γ
⊢ C : [A] → U, we have ⟦[A] → U⟧ρ ∈ T1 and ⟦C⟧ρ ∈ El1(⟦[A] → U⟧ρ). From Lemma 13, it follows that ⟦C nil⟧ρ ∈ T0, ⟦Πa:A. Πl:[A]. C l → C (a :: l)⟧ρ ∈ T1 and ⟦Πl:[A]. C l⟧ρ ∈ T1, hence ⟦C nil → (Πa:A. Πl:[A]. C l → C (a :: l)) → Πl:[A]. C l⟧ρ ∈ T1. In order to show that lrec ∈ El1(⟦C nil → (Πa:A. Πl:[A]. C l → C (a :: l)) → Πl:[A]. C l⟧ρ), we have to prove, for all M ∈ El1(⟦C nil⟧ρ), N ∈ El1(⟦Πa:A. Πl:[A]. C l → C (a :: l)⟧ρ) and l ∈ El1(⟦[A]⟧ρ), that lrec M N l ∈ El1(⟦C l⟧ρ). This is proved by induction on l ∈ El1(⟦[A]⟧ρ) = List(El1(⟦A⟧ρ)), using the ι-rewrite rules for lrec.

Sum types can be dealt with in a similar (but simpler) manner as list types.

Regarding dependent pairs, if Γ ⊢ Σx:A. B : U by Γ ⊢ A : U and Γ, x : A ⊢ B : U, then we argue analogously to the case for Γ ⊢ Πx:A. B : U. Suppose Γ ⊢ (W, P) : Σx:A. B by Γ ⊢ Σx:A. B : U, Γ ⊢ W : A and Γ ⊢ P : B(W). We obtain ⟦Σx:A. B⟧ρ ∈ T1 by the induction hypothesis. To show that ⟦(W, P)⟧ρ = (⟦W⟧ρ, ⟦P⟧ρ) ∈ El1(⟦Σx:A. B⟧ρ), it suffices to prove ⟦W⟧ρ ∈ El1(⟦A⟧ρ) and ⟦P⟧ρ ∈ El1(⟦B⟧ρ(⟦W⟧ρ)) = El1(⟦B(W)⟧ρ), both of which follow from the induction hypothesis. Suppose Γ ⊢ srec : (Πx:A. Πp:B. C (x, p)) → Πy:(Σx:A. B). C y by Γ ⊢ A : U, Γ, x : A ⊢ B : U, Γ ⊢ Σx:A. B : U, and Γ ⊢ C : (Σx:A. B) → U. The induction hypotheses give us ⟦A⟧ρ ∈ T0, ⟦B⟧ρ(x/a) ∈ T0 for all a ∈ El0(⟦A⟧ρ), ⟦Σx:A. B⟧ρ ∈ T0, and ⟦C⟧ρ ∈ El1(⟦Σx:A. B⟧ρ → U). It follows that ⟦Πx:A. Πp:B. C (x, p)⟧ρ ∈ T0 and ⟦Πy:(Σx:A. B). C y⟧ρ ∈ T0, and hence ⟦(Πx:A. Πp:B. C (x, p)) → Πy:(Σx:A. B). C y⟧ρ ∈ T0. By using the ι-rule for srec and by Lemma 13, we get srec ∈ El0(⟦(Πx:A. Πp:B. C (x, p)) → Πy:(Σx:A. B). C y⟧ρ).

Regarding the constant bAr, if Γ ⊢ bAr : ([A] → U) → [A] → U by Γ ⊢ A : U, then we have ⟦([A] → U) → [A] → U⟧ρ ∈ T1 by the induction hypothesis and Lemma 13. To show that bAr ∈ El1(⟦([A] → U) → [A] → U⟧ρ) = El1((⟦[A]⟧ρ → U) → ⟦[A]⟧ρ → U), it suffices that bAr P l ∈ T0 for all P ∈ El1(⟦[A]⟧ρ →
U) and l ∈ El0(⟦[A]⟧ρ). This follows from Lemma 13, since P l′ ∈ T0 for all l′ ∈ El0(⟦[A]⟧ρ). Suppose Γ ⊢ base X : bAr P l by Γ ⊢ A : U, Γ ⊢ l : [A], Γ ⊢ P : [A] → U and Γ ⊢ X : P l. By the induction hypothesis, we have ⟦A⟧ρ ∈ T0, ⟦l⟧ρ ∈ El1(⟦[A]⟧ρ), and ⟦P⟧ρ ∈ El1(⟦[A] → U⟧ρ) = El1(⟦[A]⟧ρ → U), hence ⟦P⟧ρ l′ ∈ T0 for all l′ ∈ El1(⟦[A]⟧ρ). This proves ⟦bAr P l⟧ρ ∈ T0. The induction hypothesis on Γ ⊢ X : P l gives us ⟦X⟧ρ ∈ El1(⟦P⟧ρ ⟦l⟧ρ), which proves ⟦base X⟧ρ ∈ El1(⟦bAr P l⟧ρ) by Lemma 13. The case for Γ ⊢ step Y : bAr P l follows analogously.

We will elaborate the last and most interesting case in some detail. Suppose

Γ ⊢ barrec : (Πl:[A]. P l → C l) → (Πl:[A]. (Πa:A. C (a :: l)) → C l) → Πl:[A]. bAr P l → C l

by Γ ⊢ A : U, Γ ⊢ P : [A] → U, and Γ ⊢ C : [A] → U. By the induction hypothesis, using Lemma 13 many times, we get that the type of barrec is in T1. In order to show that barrec is an element of the corresponding set El1(⟦(Πl:[A]. P l → C l) → (Πl:[A]. (Πa:A. C (a :: l)) → C l) → Πl:[A]. bAr P l → C l⟧ρ), it suffices that

El1(bAr ⟦P⟧ρ l) ⊆ {M ∈ D | barrec B S l M ∈ El1(⟦C⟧ρ l)}

for all B ∈ El1(⟦Πl:[A]. (P l → C l)⟧ρ), S ∈ El1(⟦Πl:[A]. ((Πa:A. C (a :: l)) → C l)⟧ρ), and l ∈ El1(⟦[A]⟧ρ). We prove this by fixpoint induction, recalling that, for fixed A, El1(bAr ⟦P⟧ρ l) is defined as the fixpoint of Φ_Bar(El1(⟦A⟧ρ), El1(⟦[A]⟧ρ) ∋ l ↦ El1(⟦P⟧ρ l)). The latter operator will be abbreviated to Φ, as A and P do not change in the proof. We show that the function

Ψ : El1(⟦[A]⟧ρ) ∋ l ↦ {M ∈ D | barrec B S l M ∈ El1(⟦C⟧ρ l)}

is a prefixpoint of Φ, i.e., Φ(Ψ)(l) ⊆ Ψ(l) for all l ∈ El1(⟦[A]⟧ρ). By definition, there are two forms of elements in Φ(Ψ)(l). The first is base X with X ∈ El1(⟦P⟧ρ l). Then we have barrec B S l (base X) = B l X ∈ El1(⟦C⟧ρ l) by the assumptions on B and l. The second is step Y with, for all a ∈ El1(⟦A⟧ρ), Y a ∈ Ψ(a :: l), that is, barrec B S (a :: l) (Y a) ∈ El1(⟦C⟧ρ (a :: l)).
Then we have barrec B S l (step Y) = S l (λa. barrec B S (a :: l) (Y a)) ∈ El1(⟦C⟧ρ l) by the assumptions on S and l.

It remains to prove that the auxiliary rules are sound. These rules define the type and computational behaviour of the constants exists, good, length and take. Regarding the constant exists, if Γ ⊢ exists : (A → U) → [A] → U by Γ ⊢ A : U, then we have ⟦(A → U) → [A] → U⟧ρ ∈ T1 by the induction hypothesis and Lemma 13. To show that exists ∈ El1(⟦(A → U) → [A] → U⟧ρ) = El1((⟦A⟧ρ → U) → ⟦[A]⟧ρ → U), it suffices that exists P l ∈ T0 for all P ∈ El1(⟦A⟧ρ → U) and l ∈ List(El0(⟦A⟧ρ)). This follows by induction on l from the ι-reduction rules for exists. The argumentation for the other constants is very similar, and will hence be left to the reader. □

We obtain that if an expression M has a type A, then M realizes A.

Corollary 19. If ⊢ M : A, then A ∈ T1 and M ∈ El1(A).

5 A Realizer for Markov's Principle

Markov's Principle is the following type:

MP := Πf:N→N2. (¬¬Σn:N. beq (f n) 1) → Σn:N. beq (f n) 1.

Clearly ⊢ MP : U, so MP ∈ T1 by Corollary 19. As a proposition, MP is classically true but unprovable in Heyting Arithmetic [14]; MP is not inhabited in our type theory. However, as we will show in this section, MP can be consistently added to the type theory: El1(MP) is non-empty. In other words, MP is true in the realizability model.

The realizer RMP ∈ El1(MP) to be defined below essentially performs an unbounded search for an n such that f n = 1. This is possible since the computational system, based on untyped lambda calculus, is Turing complete. To prove that the search always finds such an n, we use Markov's Principle on the metalevel. This is possible since we are allowed to reason classically in the ambient naive set theory.

Recall that beq : N2 → N2 → U, beq 1 1 = N1 and 0 : N1. Let Y be any fixed point operator in the untyped lambda calculus, for example

Y := λf. (λx. f (x x)) (λx. f (x x)).
Then Y F = F (Y F) for any F, in particular for

F := λs f n. brec (s f (S n)) (n, 0) (f n).

Then we have, for search := Y F, that

search f n = (F search) f n = brec (search f (S n)) (n, 0) (f n).

This means that search f 0 performs the required search for the first n such that f n = 1. If n is found, (n, 0) is returned, that is, the pair consisting of the numeral n and the proof term 0 of type beq (f n) 1. We define

RMP := λf p. search f 0

and it remains to prove RMP ∈ El1(MP). Note that p does not occur in search f 0. This is typical for realizability: realizers of negative statements carry no computational content, they only witness that the statement that is negated has no realizers.

To show RMP ∈ El1(MP), let f ∈ El1(N→N2) and p ∈ El1(¬¬Σn:N. beq (f n) 1). We have to prove that search f 0 ∈ El1(Σn:N. beq (f n) 1). Towards a contradiction, assume the latter set is empty. Then any term foo is in El1(¬Σn:N. beq (f n) 1). It follows that p foo ∈ El1(N0). This is absurd, so El1(Σn:N. beq (f n) 1) is non-empty. Since it is decidable, for any numeral n, whether or not (n, 0) ∈ El1(Σn:N. beq (f n) 1), it follows by Markov's Principle that there exists a pair (n, 0) ∈ El1(Σn:N. beq (f n) 1). Hence there is also such a pair with the smallest n, that is, search f 0 ∈ El1(Σn:N. beq (f n) 1). Note the role of p in the above argument: it serves to prove termination of the search but does not influence the actual outcome.

6 A Realizer for the Undecidability of the Halting Problem

The purpose of this section is to argue that, in addition to MP, we can consistently add the undecidability of the halting problem to the type theory. Define

Ht := λn. Σk:N. beq (t n n k) 1

for t : N → N → N → N2 as described below. The intention is that Ht is a halting predicate, with t the characteristic function of Kleene's T-predicate [7, 2]. Using rec, we can define all primitive recursive functions, and actually many more.
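Two computational claims made above can be checked by actually running the terms: that g returns 0 on every numeral even though it contains the non-normalizing Ω (Section 4.2), and that search f 0 returns the pair (n, 0) for the least n with f n = 1 (Section 5). The following Python program is an added example written for this page, not code from the paper. It is a small normal-order evaluator for the untyped term language, with the ι-rules of rec and brec as given in the text. The term representation (Var, Lam, App, Con), the constant name "pair" for the pairing constructor, and the test input ge(k) (a closed term of type N → N2 with ge(k) n = 1 exactly when n ≥ k) are our own choices. The evaluator forces an argument only when an ι-rule scrutinises it, which is exactly what lets rec 0 Ω 0 return 0 without ever touching Ω.

```python
# Added example (not code from the paper): a lazy, normal-order evaluator for the
# untyped term language Λ with the ι-rules of rec and brec.  The term syntax
# (Var/Lam/App/Con) and the constant names used here are our own choice.
from dataclasses import dataclass

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: name: str; body: object
@dataclass(frozen=True)
class App: fun: object; arg: object
@dataclass(frozen=True)
class Con: name: str  # "0", "1", "S", "pair" are constructors; "rec", "brec" carry ι-rules

def app(f, *args):
    for a in args:
        f = App(f, a)
    return f

def whnf(term, env):
    """Reduce the closure (term, env) to weak head normal form.  Arguments are
    delayed as (term, env) thunks and forced only when an ι-rule scrutinises
    them, so an argument that is never inspected (such as Ω) is never reduced.
    Returns ("lam", Lam, env) or ("con", name, [argument thunks in order])."""
    stack = []  # pending argument thunks, innermost application on top
    while True:
        if isinstance(term, Var):
            term, env = env[term.name]
        elif isinstance(term, App):
            stack.append((term.arg, env))
            term = term.fun
        elif isinstance(term, Lam):
            if not stack:
                return ("lam", term, env)
            env = {**env, term.name: stack.pop()}  # β-step; the argument stays lazy
            term = term.body
        elif term.name not in ("rec", "brec") or len(stack) < 3:
            return ("con", term.name, stack[::-1])  # constructor (or under-applied rule)
        else:
            args = [stack.pop() for _ in range(3)]
            scrut = whnf(*args[2])  # only the third argument is forced
            if scrut[0] != "con":
                raise ValueError("ι-rule applied to a non-constructor")
            if term.name == "brec":  # brec M N 0 = M ; brec M N 1 = N
                term, env = args[0] if scrut[1] == "0" else args[1]
            elif scrut[1] == "0":  # rec M N 0 = M
                term, env = args[0]
            else:  # rec M N (S m) = N m (rec M N m); "$" names cannot clash with user terms
                term = app(Var("$N"), Var("$m"), app(Con("rec"), Var("$M"), Var("$N"), Var("$m")))
                env = {"$M": args[0], "$N": args[1], "$m": scrut[2][0]}

def numeral(k):
    t = Con("0")
    for _ in range(k):
        t = App(Con("S"), t)
    return t

def to_int(thunk):
    """Read back a numeral by forcing its spine S (S (... 0))."""
    n = 0
    while True:
        h = whnf(*thunk)
        if h[0] != "con" or h[1] not in ("0", "S"):
            raise ValueError("not a numeral")
        if h[1] == "0":
            return n
        n, thunk = n + 1, h[2][0]

def eval_nat(term):  # closed term denoting a numeral
    return to_int((term, {}))
def eval_bit(term):  # closed term denoting an element of N2
    return int(whnf(term, {})[1])

# The terms of Section 4.2: Ω is neither typable nor normalizing, yet g n =βι 0.
OMEGA = App(Lam("x", App(Var("x"), Var("x"))), Lam("x", App(Var("x"), Var("x"))))
F_TERM = Lam("n", app(Con("rec"), Con("0"), Lam("m", Lam("x", Con("0"))), Var("n")))  # f := λn. rec 0 (λm.λx.0) n
G_TERM = Lam("n", app(Con("rec"), Con("0"), OMEGA, App(F_TERM, Var("n"))))  # g := λn. rec 0 Ω (f n)

# The realizer of Markov's Principle (Section 5): search := Y F, RMP := λf p. search f 0.
Y = Lam("f", App(Lam("x", App(Var("f"), App(Var("x"), Var("x")))), Lam("x", App(Var("f"), App(Var("x"), Var("x"))))))
F_MP = Lam("s", Lam("f", Lam("n", app(Con("brec"),
    app(Var("s"), Var("f"), App(Con("S"), Var("n"))),  # f n = 0: keep searching from S n
    app(Con("pair"), Var("n"), Con("0")),  # f n = 1: return the pair (n, 0)
    App(Var("f"), Var("n"))))))
SEARCH = App(Y, F_MP)
R_MP = Lam("f", Lam("p", app(SEARCH, Var("f"), Con("0"))))  # the proof p is never used

def ge(k):
    """Our test input: a closed term f : N → N2 with f n = 1 iff n ≥ k, built from rec alone."""
    if k == 0:
        return Lam("n", Con("1"))
    return Lam("n", app(Con("rec"), Con("0"), Lam("m", Lam("x", App(ge(k - 1), Var("m")))), Var("n")))

def run_rmp(f_term):
    """Apply RMP to f and a dummy proof p; return the n of the pair (n, 0) it finds."""
    h = whnf(app(R_MP, f_term, Con("0")), {})
    assert h[0] == "con" and h[1] == "pair"
    return to_int(h[2][0])
```

run_rmp(ge(5)) returns 5, the least n with ge(5) n = 1, and eval_nat(App(G_TERM, numeral(7))) returns 0 although G_TERM contains Ω. A strict (call-by-value) evaluator would diverge on the latter, which is a reminder that membership in El1(N → N) is a statement about βι-equivalence classes, not about any particular reduction strategy. The dummy argument passed for p is never inspected, matching the remark above that p only serves the termination proof.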
Since Kleene's T-predicate is primitive recursive, its characteristic function t is definable in the type theory. Kleene's T-predicate, T e x w, is based on a standard encoding of partial recursive functions as natural numbers. The first argument e of T is such a code of a partial recursive function, whereas the second argument x encodes an input to this function. The third argument w encodes a (terminating) computation sparked off by the function with code e on input with code x. Hence Ht n holds if and only if the function encoded by n terminates on the input coded by n.

Let UH be the type

UH := ¬Πn:N. (Ht n + ¬Ht n).

Clearly ⊢ UH : U, so UH ∈ T1 by Corollary 19. We want to show that El1(UH) is non-empty. As UH is negative, it suffices to show that Πn:N. (Ht n + ¬Ht n) cannot be realized. Then any term realizes UH, so El1(UH) contains all terms of Λ (!). Towards a contradiction, assume f ∈ El1(Πn:N. (Ht n + ¬Ht n)). Diagonalizing over f we define

d := λn. case Ω 1 (f n),

such that in view of the definition of Ht we have, for all n : N,

d n = Ω ⟺ f n = inl (k, 0) ⟺ T(n, n, k), where (k, 0) ∈ El1(Σk:N. beq (t n n k) 1).

As a lambda term, d represents a partial recursive function with code a numeral n_d.⁵ Then we have

d n_d = Ω ⟺ T(n_d, n_d, k), where inl (k, 0) = f n_d,

a plain contradiction with the choice of T and f. Therefore f as above cannot exist, and any term realizes UH. We conclude that UH can be consistently added to the type theory.

⁵ The code n_d can in principle be constructed from d, but this is outside the scope of this paper.

7 A set that is provably streamless but not provably Noetherian

In this section we shall prove that the converse of Theorem 5 is unprovable in type theory. The argument sketched in the introduction is that the converse is false when MP and UH are assumed. The unprovability in type theory then follows from the realizability model, in which MP and UH are both valid. We start with some auxiliary definitions.
Given a predicate P on natural numbers, we define a binary relation =P to be the equality on the set of natural numbers n which satisfy P, irrespective of the proof of P n. Formally, we define a typing rule for =P by

Γ ⊢ P : N → U
————————————————————————————————————
Γ ⊢ =P : (Σn:N. P n) → (Σn:N. P n) → U

and ι-reduction, with =P written infix, given by

(n, hn) =P (m, hm) = eq n m.

Since eq is decidable, =P is decidable for any P.

Given a predicate P on natural numbers, we define a predicate P̄ (read: P bar) such that P̄ n is true if P k is decidable for all k < n. Formally, we define a typing rule for P̄ by

Γ ⊢ P : N → U
———————————————
Γ ⊢ P̄ : N → U

and ι-reductions given by

P̄ 0 = N1
P̄ (S n) = (P n + ¬P n) × P̄ n.

The realizability model can easily be extended with sound interpretations of the above.

Lemma 20. There is a proof M such that P : N → U, n : N ⊢ M : P̄ n → ¬¬P̄ (S n).

Proof. We have to prove absurdity from P̄ n and ¬P̄ (S n). Assume P n + ¬P n; then together with P̄ n we get P̄ (S n), which contradicts the assumption ¬P̄ (S n). Hence ¬(P n + ¬P n), which is absurd, as ¬¬(A + ¬A) is a constructive tautology. □

Corollary 21. There is a proof M such that P : N → U ⊢ M : Πn:N. ¬¬P̄ n.

Proof. By induction on n, using P̄ 0 and basic facts about ¬¬. □

Recall the terminology and notation on decidability from Definition 1. We have the following easy lemmas about decidability.

Lemma 22. There exist proofs M1, M2, M3, M4 such that
A : U, P : A → U ⊢ M1 : (Πx:A. dec (P x)) → Πl:[A]. dec (exists P l);
A : U, R : A → A → U ⊢ M2 : (Πx:A. Πy:A. dec (R x y)) → Πl:[A]. dec (good R l);
P : N → U ⊢ M3 : Πp1:Σn:N. P n. Πp2:Σn:N. P n. dec (p1 =P p2);
P : N → U ⊢ M4 : Πl:[Σn:N. P n]. dec (good =P l).

Proof. The first two are easily proved by induction on l, where the second uses the first. The third follows from the definition of =P and Lemma 2. The fourth follows from the second and the third. Note that the fourth typing states that it is decidable whether a list over a subset of natural numbers contains proof-irrelevant duplicates.
□

In order to prove that the converse of Theorem 5 is not provable in the type theory, we construct a set which is provably not Noetherian, but can be proved streamless using MP and UH. The following lemma is an abstract form of the argument in the introduction. In order to see this, recall that good =Q is a predicate expressing that a list contains a proof-irrelevant duplicate.

Lemma 23. Let A in bAr be the type Σn:N. Q n. There is a proof M such that

Q : N → U ⊢ M : (Πn:N. ¬¬Q n) → Πl:[Σn:N. Q n]. bAr (good =Q) l → good =Q l.

Proof. Let Q : N → U and hQ : Πn:N. ¬¬Q n. We use induction on bAr (good =Q) l. If bAr (good =Q) l holds by good =Q l, the claim holds immediately. Otherwise, assume as induction hypothesis Πx:(Σn:N. Q n). good =Q (x :: l). We have to prove good =Q l. By Lemma 22 we can reason by contradiction. Assume ¬(good =Q l). We prove this is absurd and we are done. We perform case analysis on the shape of l. In case l = nil, if h0 : Q 0, then good =Q ((0, h0) :: nil) by the induction hypothesis. This is absurd, as a one-element list contains no duplicate, so ¬Q 0, which is absurd by assumption hQ. In case l is a non-empty list, let (n, hn) be a maximum element in l, that is, for any (m, hm) such that exists (=Q (m, hm)) l, we have m ≤ n. A maximum element exists since l is non-empty. It suffices to prove ¬Q (S n), which contradicts hQ. Assume we have a proof hSn : Q (S n). By the induction hypothesis, we have good =Q ((S n, hSn) :: l). Since we assumed ¬(good =Q l), it must be that exists (=Q (S n, hSn)) l, which contradicts (n, hn) being a maximum element in l. □

Noticing that it is absurd that the empty list is good, we deduce from Lemma 23 and Corollary 21 that it is absurd that =H̄ is Noetherian.

Lemma 24. There is a proof M such that H : N → U ⊢ M : ¬(Noetherian =H̄).

On the other hand, in the presence of MP and UH, for Ht : N → U as defined in Section 6, we can prove that =H̄t is streamless.

Lemma 25. There is a proof M such that ⊢ M : MP → UH → streamless =H̄t.

Proof.
Assume MP and UH. Given f : N → Σn:N. H̄t n, we want to prove Σn:N. good =H̄t (f n). Noting that good =H̄t is decidable by Lemma 22, we can construct a function e : N → N2 such that beq (e n) 1 is true if and only if good =H̄t (f n) is true, for all n : N. Thus we may apply MP, and it then suffices to prove ¬¬Σn:N. good =H̄t (f n). Suppose ¬Σn:N. good =H̄t (f n), or equivalently, Πn:N. ¬good =H̄t (f n). Then, for any given n : N, the list f (S (S n)) gives us a proof of Ht n + ¬Ht n.⁶ This contradicts UH. □

⁶ Informally, the list f (S (S n)) contains a maximum element (m, hm) such that m ≥ n. The proof hm of H̄t m gives us Ht n + ¬Ht n.

We have now shown that, in the presence of MP and UH, there is a relation that is streamless but cannot be Noetherian. Recalling that MP and UH are consistent with the type theory we work in, we conclude that it is unprovable in the type theory that every streamless relation is Noetherian.

Theorem 26. There is no proof M such that ⊢ M : streamless =H̄t → Noetherian =H̄t.

Corollary 27. There is no proof M such that ⊢ M : ΠA:U. ΠR:A → A → U. streamless R → Noetherian R.

8 Related work and concluding remarks

We have constructed a realizability model for Martin-Löf dependent type theory, viewed as a set of typing rules typing terms of an untyped lambda-calculus Λ. Similar realizability models have been given by Martin-Löf [9] and Beeson [1]. We have paid extra attention to the details, in particular to those of the type of an inductive bar. The purpose of the model is to demonstrate a particular unprovability result. It may be illuminating to discuss this result in connection with the well-known Kleene Tree [7, 2], a primitive recursive relation P on binary sequences which defines an infinite tree without an infinite recursive branch. The Kleene Tree is the prime example that Brouwer's Fan Theorem (an intuitionistic version of König's Lemma) fails in recursive analysis.
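The provable direction of Theorem 5, Noetherian implies streamless, has computational content that the bar type of Section 4.2 makes explicit: a realizer of bAr (good =) nil is a well-founded tree of step and base nodes, and barrec walks it. The Python program below is an added example written for this page, not code from the paper. For a finite set A of numbers it builds a realizer of Bar(A, good)(nil) by the depth-first search that the least-fixpoint definition of Φ_Bar suggests (the depth bound `fuel` is our addition, since for an infinite A the search need not terminate), and then runs the two ι-rules of barrec over that realizer, once to extract a uniform length bound and once, with B l X := length l and S l k := k (f (length l)), to turn an enumeration f : N → A into an n such that f 0, ..., f (n-1) contains a duplicate. The encoding of proofs as tagged tuples and the names bar_proof, barrec, noetherian, noetherian_bound and streamless_witness are ours.

```python
# Added example (not code from the paper): a realizer of bAr P l for a finite set
# A, found by searching the least fixpoint of Φ_Bar(A, P) from Section 4.2, and
# the ι-rules of barrec run over it.  Proof trees are tagged tuples and all
# function names are ours; Python tuples grow at the front, so (a,) + l is a :: l.
from typing import Callable, Optional, Sequence

def good(l: tuple) -> bool:
    """P := good (=_P): the list contains a proof-irrelevant duplicate."""
    return len(set(l)) < len(l)

def bar_proof(A: Sequence[int], P: Callable[[tuple], bool], l: tuple = (), fuel: int = 8):
    """Return an element of Bar(A, P)(l), the least fixpoint of
         Φ(Q)(l) = {base X | X ∈ P(l)} ∪ {step Y | ∀a ∈ A. Y a ∈ Q(a :: l)},
    as ("base", X) or ("step", {a: proof at a :: l}), or None if none is found.
    For finite A and P = good a proof exists and is found given enough fuel;
    `fuel` is our depth bound so that the search also stops (with None) when
    there is no finite proof, as for an infinite A."""
    if P(l):
        return ("base", l)  # P is decidable here, so l itself can serve as the proof X
    if fuel == 0:
        return None
    Y = {}
    for a in A:
        sub = bar_proof(A, P, (a,) + l, fuel - 1)
        if sub is None:
            return None
        Y[a] = sub
    return ("step", Y)

def barrec(B, S, l: tuple, proof):
    """The two ι-rules of barrec:
         barrec B S l (base X) = B l X
         barrec B S l (step Y) = S l (λa. barrec B S (a :: l) (Y a))"""
    tag, payload = proof
    if tag == "base":
        return B(l, payload)
    return S(l, lambda a: barrec(B, S, (a,) + l, payload[a]))

def noetherian(A: Sequence[int], fuel: int = 8):
    """A is Noetherian for = iff nil ∈ Bar(A, good); return that bar proof, or None."""
    return bar_proof(A, good, (), fuel)

def noetherian_bound(A: Sequence[int]) -> Optional[int]:
    """Run barrec with B l X := length l and S l k := max_a (k a): the result is a
    length such that every list over A of that length contains a duplicate."""
    proof = noetherian(A)
    if proof is None:
        return None
    return barrec(lambda l, X: len(l), lambda l, k: max(k(a) for a in A), (), proof)

def streamless_witness(A: Sequence[int], f: Callable[[int], int]) -> Optional[int]:
    """Noetherian ⇒ streamless (the provable direction of Theorem 5), computed:
    follow the enumeration f through the bar proof, choosing at a list of
    length d the branch a = f d.  The base node reached is the list
    f (n-1) :: ... :: f 0 :: nil containing a duplicate, and that n is returned."""
    proof = noetherian(A)
    if proof is None:
        return None
    return barrec(lambda l, X: len(l), lambda l, k: k(f(len(l))), (), proof)
```

For A = {0, 1, 2}, noetherian_bound(range(3)) is 4 and streamless_witness(range(3), lambda i: i % 3) is 4: the enumeration 0, 1, 2, 0 repeats at its fourth element, and the bar proof, not the enumeration, is what guarantees that some n is reached. With A = range(100) and the default fuel of 8 the search gives up and returns None; for A = N no bar proof exists at all, which is what "not Noetherian" means, and Lemma 24 above shows a relation of that kind inside the type theory.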
In the context of this paper, Kleene's result yields that, with A = N2 and for a specific decidable P : [N2] → U, the following type is not inhabited:

(Πf:N → A. Σn:N. P (f n)) → bAr P nil.

For comparison, our result, with A = Σn:N. H̄t n and Q := good =H̄t, states that the following type is not inhabited:

(Πf:N → A. Σn:N. Q (f n)) → bAr Q nil.

The important difference between the two results is the instantiation of the type A, that is, A = N2 for Kleene and A = Σn:N. H̄t n for us. Clearly, A = N2 is the simpler of the two. On the other hand, with Q l := good =H̄t l expressing that the list l contains a duplicate, we are allowed far less expressive power than Kleene's P. This explains to some extent why we use a more complicated base type A = Σn:N. H̄t n, which is the simplest type we could find defining a subset of the natural numbers that is not finite in the sense of Noetherian, and at the same time finite in the sense of streamless in a consistent extension of the type theory. This confirms a conjecture formulated by Coquand and Spiwack in [4]. We conclude by formulating an open problem: does there exist a decidable P such that Σn:N. P n distinguishes between Noetherian and streamless?

References

T. Coquand and A. Spiwack. A proof of strong normalisation using domain theory. Logical Methods in Computer Science, 3(4), 2007.
T. Coquand and A. Spiwack. Constructively finite? In L. Lambán, A. Romero, and J. Rubio, editors, Contribuciones científicas en honor de Mirian Andrés Gómez, pages 217-230. Publicaciones de la Universidad de La Rioja, 2010. ISBN 978-84-96487-50-5.
P. Dybjer. A general formulation of simultaneous inductive-recursive definitions in type theory. Journal of Symbolic Logic, 65(2):525-549, 2000.
M. Escardó. Joins in the frame of nuclei. Applied Categorical Structures, 11:117-124, 2003.
S.C. Kleene. Recursive functions and intuitionistic mathematics. In L.M. Graves, E. Hille, P.A. Smith, and O.
Zariski, editors, Proceedings of the International Congress of Mathematicians, pages 679-685. AMS, 1952.
J.W. Klop, V. van Oostrom, and F. van Raamsdonk. Combinatory reduction systems: Introduction and survey. Theoretical Computer Science, 121(1-2):279-308, 1993.
P. Martin-Löf. An intuitionistic theory of types: predicative part. In H.E. Rose and J.C. Shepherdson, editors, Logic Colloquium '73, volume 80 of Studies in Logic and the Foundations of Mathematics, pages 73-118. North-Holland, Amsterdam, 1975.
E. Parmann. Case Studies in Constructive Mathematics. PhD thesis, University of Bergen, 2016.
D. Pataraia. A constructive proof of Tarski's fixed-point theorem for DCPOs. Presented at the 65th Peripatetic Seminar on Sheaves and Logic, November 1997.
C. Spector. Provably recursive functionals of analysis: a consistency proof of analysis by an extension of principles formulated in current intuitionistic mathematics. In J.C.E. Dekker, editor, Recursive Function Theory, Proceedings of Symposia in Pure Mathematics V, pages 1-27. AMS, 1962.
A.S. Troelstra, editor. Metamathematical Investigation of Intuitionistic Arithmetic and Analysis, volume 344 of Lecture Notes in Mathematics. Springer, 1973.
The Univalent Foundations Program. Homotopy Type Theory: Univalent Foundations of Mathematics. Institute for Advanced Study, 2013.


Marc Bezem, Thierry Coquand, Keiko Nakata, Erik Parmann. Realizability at Work: Separating Two Constructive Notions of Finiteness, LIPICS - Leibniz International Proceedings in Informatics, 2018, 6:1-6:23, DOI: 10.4230/LIPIcs.TYPES.2016.6