Realizability at Work: Separating Two Constructive Notions of Finiteness
TYPES
Marc Bezem, Universitetet i Bergen, Institutt for informatikk, Postboks 7800, N-5020 Bergen, Norway
Thierry Coquand, Chalmers tekniska högskola, Data- och informationsteknik, Göteborg, Sweden
Keiko Nakata, SAP Innovation Center Network, Konrad-Zuse-Ring 10, 14469 Potsdam, Germany
Erik Parmann, Universitetet i Bergen, Institutt for informatikk, Postboks 7800, N-5020 Bergen, Norway
Abstract
We elaborate in detail a realizability model for Martin-Löf dependent type theory with the purpose to analyze a subtle distinction between two constructive notions of finiteness of a set A. The two notions are: (1) A is Noetherian: the empty list can be constructed from lists over A containing duplicates by a certain inductive shortening process; (2) A is streamless: every enumeration of A contains a duplicate.
2012 ACM Subject Classification Theory of computation → Type theory, Theory of computation → Constructive mathematics
Keywords and phrases Type theory; realizability; constructive notions of finiteness
Acknowledgements The research for this paper has been carried out for a large part while the first two authors were members of the Institute for Advanced Study in Princeton, as part of the program Univalent Foundations of Mathematics. We are grateful for the generous support by the IAS. The paper has benefitted much from comments by Michael Beeson on an early draft.

1 Introduction
We will analyze in detail in type theory the following observation. Let P be a unary predicate of natural numbers. Define
$\overline{P} = \{\, n \in \mathbb{N} \mid \forall k < n.\ P\,k \vee \neg P\,k \,\}$
Of course, in classical mathematics P̄ = N, but in constructive mathematics this is not true for all P. Let D be a unary predicate of lists over P̄ with Dℓ expressing that ℓ contains a duplicate, that is, two occurrences of the same natural number (which by definition is in P̄). Then one can prove constructively that D is inductive in the following sense ("inductive shortening"): for every list ℓ over P̄, if D(x :: ℓ) holds for all x ∈ P̄, then Dℓ holds.
The proof is as follows. Let ℓ be a list over P̄ and assume D(x :: ℓ) for all x ∈ P̄ (IH). We clearly have Dℓ ∨ ¬Dℓ, so we can reason by contradiction. Assume ¬Dℓ. We clearly have ℓ = nil ∨ ℓ ≠ nil, so we can reason by cases. If ℓ = nil, we use 0 ∈ P̄ and apply IH to get D(0 :: nil), which is absurd. If ℓ ≠ nil, then ℓ contains a largest natural number, say m ∈ P̄. If P m ∨ ¬P m, then m + 1 ∈ P̄ and we can apply IH to get D((m + 1) :: ℓ), which per construction yields Dℓ, as m + 1 is larger than all elements of ℓ, and therefore not duplicating some element of ℓ. This conflicts with the assumption ¬Dℓ, so we conclude ¬(P m ∨ ¬P m), which is also absurd, since ¬¬(P m ∨ ¬P m) is a constructive tautology. This completes the proof of the inductivity of D.
Since D is inductive in the way above, and D nil is absurd, D cannot be an inductive bar in the tree of lists over P̄. (The concept of an inductive bar making a tree of lists well-founded will be formalized by the concept of a Noetherian relation in Section 3.) This should not come as a surprise, since classically P̄ = N, so the tree of lists without duplicates is classically not well-founded, since it is always possible to extend a list without introducing a duplicate. The above argument shows that we can also do this constructively with lists over P̄, for any unary predicate P.
In view of the above, only a non-classical axiom can cause P̄ to have fewer elements. Of course we cannot downright postulate ∃n ∈ N. ¬(P n ∨ ¬P n) without running into inconsistency. But we can consistently postulate the axiom ¬∀n ∈ N. P n ∨ ¬P n. From this axiom we immediately infer ¬∀n ∈ N. n ∈ P̄, so P̄ ≠ N. Since one easily (and constructively) sees that P̄ is downward closed, the axiom "somehow" achieves that P̄ is finite. Of course the results in the previous paragraphs still stand, and the axiom does not make P̄ finite in the sense that D is an inductive bar.
In order to better understand in which way the axiom achieves that P̄ is finite, assume f : N → P̄ is an injection. Then we would be able to find arbitrarily large elements in P̄, and hence prove ∀n ∈ N. P n ∨ ¬P n, conflicting with the axiom. As a consequence, no f : N → P̄ is injective. In other words, for every f : N → P̄ we have ¬∀m, n ∈ N. f m = f n → m = n. By an appeal to Markov's Principle we get ∃m, n ∈ N. f m = f n ∧ m ≠ n, that is, there exists a prefix of f which contains a duplicate. If we view lists over P̄ not containing duplicates as a tree, then we have just proved that this tree is well-founded, which is another way of saying that P̄ is finite. (This notion of finiteness will be made precise by the concept of a streamless relation in Section 3.)
The results in the previous two paragraphs capitalize on Markov's Principle (a weak form of classical reasoning) being consistent with the axiom above (a non-classical axiom). They are known to coexist in, for example, the recursive model of type theory. In that model, the axiom can be validated by the unsolvability of the halting problem. Although this model has been known for quite some time, it is an important side goal of this paper to give a detailed account. Our main objective is to formalize the argument above in type theory, and prove that finiteness based on equality being Noetherian is strictly stronger than finiteness based on equality being streamless. This confirms a conjecture formulated by Coquand and Spiwack in [3]. We also give a novel proof that every Noetherian relation is streamless. This proof is due to the last author [11, Chapter 4] and formalized in Coq [10].
In type theory, a subset of N is a type Σx:N. P x given a type family P : N → U. Elements of this Σ-type (to be defined in Section 2) are pairs (n, p) consisting of a natural number n and a proof p : P n. It may happen that also p' : P n, with p' different from p. This phenomenon is called proof relevance. We do not want to count (n, p) and (n, p') as two elements of the subset of N defined by P. Therefore we only count the first projections of objects in Σx:N. P x. Another approach would be to take the type Σx:N. ‖P x‖, where ‖_‖ stands for propositional truncation, a way of making all inhabitants of P x indistinguishable, see [15, Section 3.7].
The remainder of the paper is organized as follows. In Section 2, we define the basic type theory. We introduce Noetherian relations and streamless relations in Section 3 and prove that any Noetherian relation is streamless. The realizability model is constructed in Section 4, with realizers for Markov's Principle in Section 5 and for the unsolvability of the halting problem in Section 6. This shows that the type theory can be consistently extended with these two axioms. Then, in Section 7 we show that it cannot be proved in type theory that any streamless set is Noetherian. We conclude with a discussion of related work, in particular the Kleene Tree, in Section 8. For readers already familiar with dependent type theory and inductive bars it might be efficient to read the conclusion first.
2 Dependent Type Theory
We closely follow the approach of Coquand and Spiwack [3]. We define Martin-Löf dependent type theory as a set of typing rules defining a typing relation Γ ⊢ M : A where M and A are terms in an extension Λ of the untyped lambda calculus, and Γ is a context. A context is a sequence x1 : A1, …, xn : An, where the xi are pairwise distinct variables and the Ai are terms of Λ (representing types). The approach of [3] makes the construction of a realizability model easier: all typable terms are already terms of Λ realizing their types, and their computational behaviour can be studied in Λ.
An important aspect is that the type theory is open-ended: new constants and inductive definitions can be (and will be) added. If the type theory is extended, then also Λ is extended, and the realizability model is extended accordingly. We start by describing the main characteristics of Λ.
2.1 The Underlying Computational System
The calculus Λ is an extension of the untyped lambda calculus with two sorts of constants, constructors and operators. Constructors typically represent types (e.g., the type of the natural numbers), type forming constructions (e.g., the sum of two types), and term forming constructions (e.g., 0, S, nil). Operators typically represent destructors (e.g., recursors), operations (e.g., the length of a list), and convenient abbreviations.
The abstract syntax for terms of Λ is
M, N ::= x | λx. M | M N | c | o,
where c is the syntactic category of the constructors and o that of the operators. We write FV(M) to denote the set of free variables in M; we call M closed if FV(M) is empty. The computational behavior of the terms is determined by β-reduction plus so-called ι-reduction rules. The latter are left-linear and mutually disjoint (non-overlapping), ensuring confluence of βι-reduction [8]. (Confluence is important to warrant the correct interpretation of elements of an inductive type as βι-equivalence classes of terms. For example, the normal forms 0 and S 0 are in different classes because of confluence.) All ι-reduction rules are of the form
o p1 … pk = M,
where o is an operator and p1, …, pk are so-called constructor patterns. For any ι-reduction rule we require FV(M) ⊆ FV(o p1 … pk), that is, no new variables can be introduced. Constructor patterns p1, …, pk are defined by the following abstract syntax
p ::= x | c p1 … pl,
where c is a constructor.
Constructors, as well as operators with their ι-reduction rules, will be introduced in the sequel, as need arises, always complying with the above syntax.

Figure 1 The typing rules of Martin-Löf type theory (see Section 2.2).

    ⊢                                    (the empty context is well-typed)

    Γ ⊢
    -----------
    Γ ⊢ U

    Γ ⊢ A
    -----------
    Γ, x : A ⊢

    Γ ⊢ A : U
    -----------
    Γ ⊢ A

    Γ ⊢ A    Γ, x : A ⊢ B
    ---------------------
    Γ ⊢ Πx:A. B

    Γ ⊢
    -----------  (x : A ∈ Γ)
    Γ ⊢ x : A

    Γ ⊢ M : A    Γ ⊢ B    A =βι B
    -----------------------------
    Γ ⊢ M : B

    Γ ⊢ A    Γ ⊢ Πx:A. B    Γ, x : A ⊢ M : B
    ----------------------------------------
    Γ ⊢ λx. M : Πx:A. B

    Γ ⊢ M : Πx:A. B    Γ ⊢ N : A
    ----------------------------
    Γ ⊢ M N : B(N)

    Γ ⊢ A : U    Γ, x : A ⊢ B : U
    -----------------------------
    Γ ⊢ Πx:A. B : U
Notational conventions. We tacitly assume capture-free substitution and consider terms up to α-conversion. We write M =βι N or just M = N if M and N are βι-convertible. By M(x/N) we denote the result of substituting N for all the free occurrences of the variable x in M. We may write M(N) if the variable x is clear from the context. For example, (λx. M)N = M(x/N) and (λx. M)N = M(N) both denote a β-step. We abbreviate (λx. xx)(λx. xx) to Ω.
2.2 General rules of the type theory
There are three forms of judgments in the type theory:
Γ ⊢   and   Γ ⊢ A   and   Γ ⊢ M : A.
The judgment Γ ⊢ means that Γ is a well-typed context, Γ ⊢ A means that the type A is well-formed in the context Γ, and Γ ⊢ M : A means that the term M has the type A in the context Γ. We (mostly) use metavariables A, B for types, and M, N for terms, but recall that they are all terms of Λ.
For the general rules, we have a constructor U for the universe since we want type families to be first-class citizens. We add an operator Pi for dependent products, with ι-reduction Pi A B x = B x. For readability, we write Πx:A. B instead of Pi A (λx. B), and A → B instead of Pi A (λx. B) if x does not occur free in B. The typing rules are the standard rules for Martin-Löf type theory, given in Figure 1.
We can derive, for example, A : U ⊢, and so ⊢ U → U, and in some more steps A : U ⊢ A → U. The latter A → U is the type of unary predicates on a type A (also called type families over A). The former U → U is the type of functions on the universe. Both are large types, i.e., types not in U. Types in U are called small types.
2.3 Specific rules of the type theory
We extend the type theory by specific inductive types, which are all standard. We add constants and give typing rules, as well as ι-reduction rules for the operators.
Empty type
We define the empty type with no constructors:
    Γ ⊢
    ------------
    Γ ⊢ N0 : U
and its elimination rule (also known as the ex falso rule):
    Γ ⊢ A : U
    ------------------
    Γ ⊢ ExF : N0 → A
We define negation as the abbreviation ¬ := λA. A → N0.
Sum
We have the sum type with its two constructors:
    Γ ⊢ A : U    Γ ⊢ B : U
    ----------------------
    Γ ⊢ A + B : U

    Γ ⊢ A : U    Γ ⊢ A + B : U
    --------------------------
    Γ ⊢ inl : A → A + B

    Γ ⊢ B : U    Γ ⊢ A + B : U
    --------------------------
    Γ ⊢ inr : B → A + B
and may perform case analysis on terms of type A + B:
    Γ ⊢ A : U    Γ ⊢ B : U    Γ ⊢ C : U    Γ ⊢ (A + B) : U
    ------------------------------------------------------
    Γ ⊢ case : (A → C) → (B → C) → A + B → C
where the ι-reductions are given by:
case M N (inl a) = M a
case M N (inr b) = N b
With negation and sum type used for constructive disjunction we can define the concept of decidability that will play an important role in the sequel.
Definition 1. We call a type A : U decidable if A : U ⊢ M : A + ¬A for some M. The type A + ¬A will often be abbreviated by dec A. In such cases we also say that dec A is inhabited, without explicit reference to Γ or M. Predicates are called decidable if they are pointwise decidable. For example, P : A → U is decidable if Πa:A. dec (P a) is inhabited; R : A → A → U is decidable if Πa, a':A. dec (R a a') is inhabited. The latter is an example of how we denote two Π-abstractions with the same base type A.
Unit type
We have the unit type with one single constructor:
    Γ ⊢             Γ ⊢
    ------------    -----------
    Γ ⊢ N1 : U      Γ ⊢ 0 : N1
Booleans
We have the type for Booleans with two constructors:
    Γ ⊢             Γ ⊢             Γ ⊢
    ------------    -----------     -----------
    Γ ⊢ N2 : U      Γ ⊢ 0 : N2      Γ ⊢ 1 : N2
and a conditional expression:
    Γ ⊢ C : N2 → U
    ----------------------------------
    Γ ⊢ brec : C 0 → C 1 → Πb:N2. C b
with the ι-reduction given by
brec M N 0 = M
brec M N 1 = N
Note that brec does not make it possible to define a function f : N2 → U with, e.g., f i = N_i, since that would require C = λb. U, which cannot be typed. Therefore, certain useful operators have to be defined ad hoc. Here we define a decidable equality for Booleans:
    Γ ⊢
    -----------------------
    Γ ⊢ beq : N2 → N2 → U
whose ι-reductions are given by:
beq 0 0 = N1
beq 0 1 = N0
beq 1 0 = N0
beq 1 1 = N1
Natural numbers
We have the type N with the two well-known constructors:
    Γ ⊢            Γ ⊢            Γ ⊢
    -----------    ----------     --------------
    Γ ⊢ N : U      Γ ⊢ 0 : N      Γ ⊢ S : N → N
Notice that 0 is ad-hoc polymorphic and is a constructor of N1, N2 and N. We have the recursor (dependent eliminator) rec:
    Γ ⊢ C : N → U
    -------------------------------------------------
    Γ ⊢ rec : C 0 → (Πn:N. C n → C (S n)) → Πn:N. C n
with ι-reductions given by
rec M N 0 = M
rec M N (S n) = N n (rec M N n).
We also define a decidable equality on natural numbers:
    Γ ⊢
    --------------------
    Γ ⊢ eq : N → N → U
whose ι-reductions are given by:
eq 0 0 = N1
eq (S x) 0 = N0
eq 0 (S x) = N0
eq (S x) (S y) = eq x y.
By double induction one can easily prove:
Lemma 2. There exist proofs deq_N2, deq_N such that
⊢ deq_N2 : Πx, y:N2. dec (beq x y)
⊢ deq_N : Πn, m:N. dec (eq n m)
Lists
We have the usual type of lists over A, denoted by [A]:
    Γ ⊢ A : U       Γ ⊢ A : U         Γ ⊢ A : U
    -------------   ---------------   --------------------------
    Γ ⊢ [A] : U     Γ ⊢ nil : [A]     Γ ⊢ cons : A → [A] → [A]
and the list recursor, writing a :: l for cons a l here and below:
    Γ ⊢ A    Γ ⊢ C : [A] → U
    ---------------------------------------------------------------
    Γ ⊢ lrec : C nil → (Πa:A. Πl:[A]. C l → C(a :: l)) → Πl:[A]. C l
with ι-reductions given by
lrec M N nil = M
lrec M N (a :: l) = N a l (lrec M N l).
Dependent pairs
We have the Σ-type for dependent pairs:
    Γ ⊢ A : U    Γ, x : A ⊢ B : U
    -----------------------------
    Γ ⊢ Σx:A. B : U

    Γ ⊢ Σx:A. B : U    Γ ⊢ W : A    Γ ⊢ P : B(W)
    --------------------------------------------
    Γ ⊢ (W, P) : Σx:A. B
with dependent eliminator (recursor):
    Γ ⊢ A : U    Γ, x : A ⊢ B : U    Γ ⊢ Σx:A. B : U    Γ ⊢ C : (Σx:A. B) → U
    -------------------------------------------------------------------------
    Γ ⊢ srec : (Πx:A. Πp:B. C (x, p)) → Πy:(Σx:A. B). C y
with ι-reduction given by:
srec Q (w, p) = Q w p
We use similar notational conventions for Σx:A. B as for Πx:A. B. This means that the actual syntax is Sig A (λx. B). When x does not appear free in B, we may abbreviate Σx:A. B as A × B.
3 Noetherian relations and streamless relations
In this section we define the concepts Noetherian and streamless for relations. When applied to the equality relation on a type A, they yield two classically equivalent definitions of finiteness. We first extend the type theory with new constants and rules to facilitate these definitions.
3.1 Auxiliary constants and rules
Given a list l of elements of a type A and a predicate P on A, we define a predicate exists P l to be true if l contains an element that satisfies P. Formally, we add a typing rule for exists
    Γ ⊢ A : U
    ----------------------------------
    Γ ⊢ exists : (A → U) → [A] → U
and ι-reductions given by:
exists P nil = N0
exists P (a :: l) = (P a) + exists P l
Note that exists is not definable by list recursion since it would require C = λl. U, which cannot be typed. A similar remark holds for good which we define now.
Given a binary relation R on a type A and a list l over A, we define a predicate good R l to be true if l contains elements that are related by R in the same order in which they occur in l. Formally, we define a typing rule for good by
    Γ ⊢ A : U
    -------------------------------------
    Γ ⊢ good : (A → A → U) → [A] → U
and ι-reductions by:
good R nil = N0
good R (a :: l) = exists (R a) l + good R l
The following functions are actually definable by the recursors in Section 2.3. We define the length function on lists:
    Γ ⊢ A : U
    ------------------------
    Γ ⊢ length : [A] → N
with ι-reductions given by:
length nil = 0
length (h :: t) = S(length t)
Given a function f from natural numbers to a type A, the function take f returns for every natural number n the list consisting of the first n values of f. Formally, we define a typing rule for take by
    Γ ⊢ A : U
    --------------------------------
    Γ ⊢ take : (N → A) → N → [A]
and, writing f̄ n for (take f n), ι-reductions:
f̄ 0 = nil
f̄ (S n) = (f n) :: (f̄ n).
Given a type A and a predicate P on [A], we define by induction the predicate bar A P of lists over A that are "barred" by P. The classical intuition is that a list is "barred" by P if every extension eventually satisfies P. More precisely, by the inductive definition below, bar A P is the smallest predicate which contains P and which is closed under inductive shortening, that is, holds of l whenever it holds of a :: l for all a : A. Since the type A will be the same in this section, we will use the abbreviation bAr for bar A, where the capital in bAr should remind the reader of the implicit argument A. We add the following typing rules for proving that the list l is barred by P:
    Γ ⊢ A : U
    ---------------------------------
    Γ ⊢ bAr : ([A] → U) → [A] → U

    Γ ⊢ A : U    Γ ⊢ l : [A]    Γ ⊢ P : [A] → U    Γ ⊢ X : P l
    -----------------------------------------------------------
    Γ ⊢ base X : bAr P l

    Γ ⊢ A : U    Γ ⊢ l : [A]    Γ ⊢ P : [A] → U    Γ ⊢ Y : Πa:A. bAr P (a :: l)
    --------------------------------------------------------------------------
    Γ ⊢ step Y : bAr P l
The eliminator for bAr P will be called a bar recursor, but should not be confused with Spector's bar recursor from [13]. The latter is an ingenious combinator of much greater proof theoretic strength than the one here. Our bar recursor has the following type:
    Γ ⊢ A : U    Γ ⊢ P : [A] → U    Γ ⊢ C : [A] → U
    ----------------------------------------------------------------------------------------------
    Γ ⊢ barrec : (Πl:[A]. P l → C l) → (Πl:[A]. (Πa:A. C (a :: l)) → C l) → Πl:[A]. bAr P l → C l
and its computational behaviour is described by the following ι-reductions:
barrec B S l (base X) = B l X
barrec B S l (step Y) = S l (λa. barrec B S (a :: l) (Y a)).
3.2 Definition of streamless and Noetherian
Streamless and Noetherian can both be defined as properties of a binary relation R : A → A → U. Informally speaking, R is streamless if every stream, i.e., infinite sequence in A, contains two elements related by R in the reversed order as they appear in the sequence.¹
Definition 3. A relation R : A → A → U on a type A : U is streamless if every function f : N → A from natural numbers to A has a prefix that is R-good, i.e.,
streamless R := Πf:N → A. Σn:N. good R (f̄ n)
The equality relation on A being streamless expresses that every stream contains a duplicate, i.e., is constructively non-injective. This is classically equivalent to saying that A is finite.
Noetherian is not so easily explained; it is an acquired taste. We call P an inductive bar in [A] if bAr P nil holds, that is, if nil is barred by P. By the inductive definition of bAr P this means that nil can be obtained from lists satisfying P by inductive shortening. We call a relation R Noetherian if (good R) is an inductive bar.
Definition 4. A relation R : A → A → U on a type A : U is Noetherian if bAr (good R) nil holds:
Noetherian R := bAr (good R) nil
The equality relation on A being Noetherian is also classically equivalent to A being finite. However, unlike streamless, Noetherian allows us to use induction on bAr. It is exactly this which allows us to prove that Noetherian relations are streamless. The novelty of this proof is that it does not use a relation l ⊏ f of a list being a prefix of a function, and hence no equality relation on the type A. Of course, adding equality would not be problematic, but it is somehow pleasing that equality is not used for proving a result that does not involve equality (the normal form of any such proof would not involve equality anyway). A nice corollary of the next theorem is that every Noetherian relation is reflexive, a fact that would otherwise require a non-trivial proof.
Theorem 5. There is a proof M such that
A : U, R : A → A → U ⊢ M : Noetherian R → streamless R
¹ The name streamless may well be considered a misnomer if R is not an equality relation. Classically, streamless means that there is no f such that i > j → R̄ i j for all i, j (R̄ the complement of R).
Proof. We prove in the context A : U, R : A → A → U, f : N → A that the following type is inhabited:
Πl:[A]. bAr (good R) l → subG R f l → subEx R f l → Σm:N. good R (f̄ m),   (1)
where subG R f l and subEx R f l are defined as the following abbreviations.
subG R f l := good R l → good R (f̄ (length l))
subEx R f l := Πa:A. (exists (R a) l → exists (R a) (f̄ (length l)))
These abbreviations express that the good/exists properties of l imply those of f̄ (length l), which will suffice to show (1). Also note that they both trivially hold for nil, so that (1) with l = nil implies Theorem 5. (Note that both are trivially implied by l = f̄ (length l).)
We prove (1) by induction on bAr (good R) l, that is, using the last rule of the previous section with the predicate P := (good R) and the predicate
C := λl:[A]. subG R f l → subEx R f l → Σm:N. good R (f̄ m).
Thus the proof of (1) will be of the form barrec Hb Hs with Hb : Πl:[A]. P l → C l and Hs : Πl:[A]. (Πa:A. C(a :: l)) → C l, corresponding to the base case and the step case, respectively, elaborated below.
Base case. To construct Hb : Πl:[A]. P l → C l, assume l : [A] such that good R l, subG R f l, and subEx R f l. From subG R f l and good R l we immediately get the goal good R (f̄ (length l)).
Step case. To construct Hs : Πl:[A]. (Πa:A. C(a :: l)) → C l, assume l : [A] such that Πa:A. C(a :: l). We have to show C l. The latter expands to subG R f l → subEx R f l → Σm:N. good R (f̄ m), so we assume subG R f l and subEx R f l, and show Σm:N. good R (f̄ m). Expanding the induction hypothesis (Πa:A. C(a :: l)) yields
Πa:A. subG R f (a :: l) → subEx R f (a :: l) → Σm:N. good R (f̄ m).
We apply this to a = f (length l), and proceed to proving the two assumptions in the following two subcases.
Subcase subG R f (f (length l) :: l). Expanding the abbreviation subG we get
good R (f (length l) :: l) → good R (f̄ (length (f (length l) :: l))).
Since (length (f (length l) :: l)) reduces to S(length l), the conclusion of the above formula reduces to good R (f (length l) :: f̄ (length l)). Using the definition of good in both the antecedent and the consequent it becomes clear that we have to prove:
(exists (R (f (length l))) l + good R l) → (exists (R (f (length l))) (f̄ (length l)) + good R (f̄ (length l))).
The latter is easily proved by cases using the assumption subEx R f l with a = f (length l) for the left summand and the assumption subG R f l for the right summand.
Subcase subEx R f (f (length l) :: l). Expanding the abbreviation subEx and reducing we get
Πa:A. exists (R a) (f (length l) :: l) → exists (R a) (f (length l) :: f̄ (length l)).
Using the definition of exists we get by reducing
Πa:A. ((R a (f (length l))) + exists (R a) l) → ((R a (f (length l))) + exists (R a) (f̄ (length l))).
The latter follows easily from the assumption subEx R f l. This finishes the second subcase of the step case and we are done. ◻
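Definitions 3 and 4 and the computational content of the proof of Theorem 5, made executable for a finite decidable type (an added example, not code from the paper or from its Coq formalization). It assumes a finite enumeration A of the type, relations decided by Python booleans, and a search bound for the bar construction; lists are kept head-first, as in a :: l, so take(f, n) is the paper's f̄ n. Beyond the page's proof, it also builds the bar proof for nil by exhaustive inductive shortening, which is what makes the walk of Theorem 5 runnable.

```python
"""Definitions 3 and 4 and the content of Theorem 5, made executable for a
finite, decidable type.  Added example, not code from the paper or its Coq
formalization.  Lists are kept head-first, as in a :: l, so take(f, n) is the
paper's f-bar n.  The enumeration A, the streams f and the search bound are
constructed assumptions of this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

Rel = Callable[[int, int], bool]      # R : A -> A -> U, decided by a boolean


@dataclass
class Base:
    """base X : bAr (good R) l; the witness X : good R l is good(r, l) itself."""
    l: List[int]


@dataclass
class Step:
    """step Y : bAr (good R) l with Y a : bAr (good R) (a :: l) for every a in A."""
    l: List[int]
    sub: Dict[int, "Bar"]


Bar = Union[Base, Step]


def exists(p: Callable[[int], bool], l: List[int]) -> bool:
    # exists P nil = N0;  exists P (a :: l) = P a + exists P l
    return any(p(a) for a in l)


def good(r: Rel, l: List[int]) -> bool:
    # good R nil = N0;  good R (a :: l) = exists (R a) l + good R l
    for i, a in enumerate(l):
        if exists(lambda b: r(a, b), l[i + 1:]):
            return True
    return False


def take(f: Callable[[int], int], n: int) -> List[int]:
    # f-bar 0 = nil;  f-bar (S n) = f n :: f-bar n   (newest value in front)
    l: List[int] = []
    for i in range(n):
        l = [f(i)] + l
    return l


def build_bar(A: List[int], r: Rel, l: List[int], fuel: int) -> Optional[Bar]:
    """Search for a proof of bAr (good R) l by inductive shortening over the
    finite enumeration A.  None: no proof found within `fuel` cons steps."""
    if good(r, l):
        return Base(l)                      # base case: l is already R-good
    if fuel == 0:
        return None
    sub: Dict[int, Bar] = {}
    for a in A:                             # step case: every a :: l is barred
        t = build_bar(A, r, [a] + l, fuel - 1)
        if t is None:
            return None
        sub[a] = t
    return Step(l, sub)


def noetherian_proof(A: List[int], r: Rel) -> Optional[Bar]:
    """Noetherian R := bAr (good R) nil.  For R = equality, len(A) + 1 cons
    steps always suffice (pigeonhole); for other relations it is a search bound."""
    return build_bar(A, r, [], len(A) + 1)


def streamless_witness(tree: Bar, f: Callable[[int], int]) -> int:
    """Computational content of Theorem 5: walk the bar proof for nil, choosing
    a = f (length l) at every step node as the proof's step case does.  This keeps
    l = f-bar (length l), so the base node reached gives m with good R (f-bar m)."""
    while isinstance(tree, Step):
        tree = tree.sub[f(len(tree.l))]
    return len(tree.l)


def first_good_prefix(r: Rel, f: Callable[[int], int], bound: int) -> Optional[int]:
    """Direct search for the n of Definition 3 up to `bound`, used only to
    cross-check the witness extracted from the bar proof."""
    return next((n for n in range(bound + 1) if good(r, take(f, n))), None)


if __name__ == "__main__":
    A = [0, 1, 2]                                 # constructed finite type
    eq: Rel = lambda x, y: x == y
    tree = noetherian_proof(A, eq)                # equality on A is Noetherian
    f = lambda n: [2, 0, 1, 0, 2][n % 5]          # constructed stream into A
    m = streamless_witness(tree, f)
    print(m, take(f, m), good(eq, take(f, m)))    # 4 [0, 1, 0, 2] True
    print(noetherian_proof([0, 1], lambda x, y: False))   # None: never good
```

The relation that never holds illustrates the direction Theorem 5 does not need: no bar proof for nil exists within the bound, matching the remark that every Noetherian relation is reflexive.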
4 The Model Construction
In this section, we construct the realizability model for the type theory, based on the underlying computational system Λ. Terms are interpreted by βι-equivalence classes of the terms of Λ. Types are interpreted by sets of such equivalence classes. Typically, if Γ ⊢ M : A, then the interpretation of M is an element of the interpretation of A (both relative to the interpretation of Γ).
We use the realizability model to show the unprovability of the converse of Theorem 5. For this result, we use (the functional version of) Markov's principle and a non-classical axiom ¬Πn:N. (H n) + ¬(H n) for a halting predicate H. Both will be shown to be true in the model in later sections.
4.1 Pointed DCPOs and fixpoints
We recall Pataraia's fixpoint theorem [12], which states that every monotone endofunction² on a pointed directed complete partial order (DCPO) has a least fixpoint.
Definition 6. Let (P, ≤) be a partial order. A subset X of P is directed if it is nonempty and, for every x, y ∈ X, there exists z ∈ X such that x ≤ z and y ≤ z.
Definition 7. A partial order (P, ≤) is a directed complete partial order (DCPO) if every directed subset of P has a least upper bound (supremum) in P. A DCPO (P, ≤) is pointed if the empty set has a supremum, which is then the least element ⊥_P of P.
Definition 8. An endofunction f : P → P is monotone if it is order-preserving, i.e., for every x, y ∈ P, x ≤ y implies f(x) ≤ f(y).
Theorem 9. Every monotone endofunction on a pointed DCPO has a least fixpoint, which is also the least prefixpoint.
A short proof can be found in [6]. The standard argument, transfinite iteration of the function starting at the least element, also works. The reason is that the transfinite sequence is directed.
We will use Pataraia's Theorem with the following DCPO. Let D be a set. Elements of the DCPO are pairs (S, F) where S ∈ 𝒫(D), that is, S is a subset of D, and F is a function S → 𝒫(D), viewed as a single-valued set of pairs. We can order such pairs by (S, F) ≤ (S', F') if S ⊆ S' and F ⊆ F'. The latter conjunct can be rephrased by saying that F is the restriction of F' to S. This does not yield a complete lattice on pairs (S, F), even though (𝒫(D), ⊆) is. For example, if D = {d, e} and S = {d} and F_d maps d to {d} and F_e maps d to {e}, then there is no F such that F_d, F_e ≤ F. (It is tempting but wrong to think that F mapping d to {d, e} extends F_d and F_e.)
However, if X is a directed set of pairs (S, F), then the pair
$\Bigl(\ \bigcup_{(S,F)\in X} S,\ \ \bigcup_{(S,F)\in X} F\ \Bigr)$
is the least upper bound of X. Note that, since X is directed, ⋃_{(S,F)∈X} F is a function from ⋃_{(S,F)∈X} S to 𝒫(D) as required. If X = ∅, we get the least element (∅, ∅) by the same formula above. It follows that the set of pairs ordered as above is a pointed DCPO. Consequently, every monotone endofunction has a least fixpoint.
² An endofunction is a function with the same domain and codomain.
We shall now define the realizability model. The domain D is the set of terms in the extended untyped lambda calculus modulo βι-equality. Hence, elements of D are equivalence classes of terms. For simplicity, however, we will often call them just terms, and write M to denote the equivalence class of M. Next, we define which elements of D represent types and how to find the subset of elements associated with each type.
We shall first prepare the interpretation of the inductive types. Define Num ⊆ D as the smallest set containing 0 and closed under the successor, i.e., S n is in Num if n is in Num. Formally, we define Num as the least fixpoint of the following monotone endofunction Φ_Num on 𝒫(D):
$\Phi_{\mathrm{Num}}(X) := \{0\} \cup \{\, S\,n \mid n \in X \,\}.$
The poset (𝒫(D), ⊆) is a complete lattice, hence the least fixpoint exists by the Knaster-Tarski theorem, which is a special case of Pataraia's theorem.
Similarly, given a set A ⊆ D, we define List(A) ⊆ D as the least fixpoint of the following monotone endofunction Φ_List(A) on (𝒫(D), ⊆):
$\Phi_{\mathrm{List}(A)}(X) := \{\mathrm{nil}\} \cup \{\, \mathrm{cons}\ a\ l \mid a \in A \wedge l \in X \,\}.$
Informally, List(A) consists of classes that are βι-equivalent to lists over A.
Note that bAr is an inductively defined function on [A] → U. Given a set A ⊆ D, consider the poset (List(A) → 𝒫(D), ⊆), where Q ⊆ Q' if Q(l) ⊆ Q'(l) for all l in List(A).³ This poset forms a complete lattice, hence every monotone function on it has a least fixpoint. Given also a function P in List(A) → 𝒫(D), define Bar(A, P) as the least fixpoint of the following monotone endofunction Φ_Bar(A,P) on (List(A) → 𝒫(D), ⊆):
$\Phi_{\mathrm{Bar}(A,P)}(Q)(l) := \{\, \mathrm{base}\ X \mid X \in P(l) \,\} \cup \{\, \mathrm{step}\ Y \mid \forall a \in A.\ Y\,a \in Q(\mathrm{cons}\ a\ l) \,\}.$
Finally, we introduce the DCPO L of pairs (S, F) with S ⊆ D and F ∈ S → 𝒫(D) as described in Section 4.1. Here S is to be viewed as a set of types, and F as a function giving the set of elements F(T) ⊆ D for each T ∈ S. We are now ready to define which terms of Λ are types, and which elements each type has. We do so in two stages, first for the small types and then for all types, using monotone endofunctions Φ0 and Φ1 on L, respectively. An important observation is that only constructors play a role here, not operators, and that the only difference between Φ0 and Φ1 is that the latter includes the constructor U.
³ Abusing notation, we denote by A → B the set of functions from the set A to the set B in the ambient naive set theory in which we develop the realizability model.
We define (T0, El0) in L to be the least fixpoint of the following monotone endofunction Φ0 on L:
$\Phi_0(S, F) := (S_1 \cup S_2 \cup \cdots \cup S_9,\ F_1 \cup F_2 \cup \cdots \cup F_9)$
where the sets S_1, …, S_9 and F_1, …, F_9 are given by one clause per constructor. In the last clause (the one for bAr), the notation List(F(A)) ∋ l' ↦ F(P l') denotes the function which maps l' in List(F(A)) to F(P l').
The endofunction Φ0 is monotone on the DCPO L, hence the least fixpoint (T0, El0) exists by Theorem 9.
Definition 10. (T0, El0) is the least fixpoint of Φ0 above.
Given T0, we define
$\Phi_1(S, F) := (\{U\} \cup S_1 \cup S_2 \cup \cdots \cup S_9,\ \{(U, T_0)\} \cup F_1 \cup F_2 \cup \cdots \cup F_9)$
with S_i, F_i for i = 1, …, 9 as defined earlier. The endofunction Φ1 is monotone.
Definition 11. (T1, El1) is the least fixpoint of Φ1 above.
Remark. An important observation about the definitions of Φ0 and Φ1 is that F occurs negatively in some clause, namely in S_7 for dependent products. This is the reason that we use DCPOs and not CPOs. Type-theoretically, the construction of the model goes by induction-recursion [5], as opposed to mutual induction. A different device, replacing negative occurrences by positive conditions on the complements, has been used in [1] and can be traced back to Scott and Feferman.
Remark. The set T1 is intended to contain all representatives of types in the type theory, both small and large, but it actually contains much more. Likewise, for A ∈ T1, El1(A) is intended to contain all interpretations of terms of type A in the type theory, but it actually contains much more. For instance, the set El1(N → N) contains all (total) recursive functions on Num. In particular, elements in T1 or El1(A) (with A ∈ T1) may not be normalizing. For instance, let
f := λn. rec 0 (λm. λx. 0) n
and, deliberately using the term Ω which is not typable,
g := λn. rec 0 Ω (f n).
Then f always returns 0 on a numeral, i.e., f n is βι-equivalent to 0 for any n in Num, so that also g n =βι 0 for all numerals n. The term g is in El1(N → N), but is not even weakly normalizing, since g reduces to itself by a contraction of Ω. Likewise, for the term
h := λn. rec N Ω (f n)
we have h n =βι N for all numerals n. Hence Pi N h is in T0, but is not weakly normalizing. We have f, g ∈ El0(Pi N h) = El0(N → N). While we have ⊢ f : N → N, it is neither possible to derive ⊢ g : N → N, nor ⊢ Pi N h, let alone ⊢ f : Pi N h or ⊢ g : Pi N h. The realizability model is not a term model. This is not a bug, but a feature that we will exploit: types that are inhabited in the model can be consistently added as axioms to the type theory.
The following lemma states that El0 and El1 agree on T0.
Lemma 12. (T0, El0) ≤ (T1, El1).
Proof. The claim follows from Theorem 9, since (T1, El1) is a prefixpoint of Φ0. ◻
From the fact that (T1, El1) (resp. (T0, El0)) is a fixpoint of Φ1 (resp. Φ0), we obtain the following lemma.
Lemma 13. For i = 0, 1, the following conditions hold:
1) N0 ∈ T_i, and El_i(N0) = ∅;
2) N1 ∈ T_i, and El_i(N1) = {0};
3) N2 ∈ T_i, and El_i(N2) = {0, 1};
4) N ∈ T_i, and El_i(N) = Num;
5) A + B ∈ T_i if A, B ∈ T_i, and then El_i(A + B) = {inl a | a ∈ El_i(A)} ∪ {inr b | b ∈ El_i(B)};
6) [A] ∈ T_i if A ∈ T0, and then El_i([A]) = List(El0(A));
7) Πx:A. B ∈ T_i if A ∈ T_i and B(a) ∈ T_i for all a ∈ El_i(A), and then El_i(Πx:A. B) = {M | ∀a ∈ El_i(A). M a ∈ El_i(B(a))};
8) Σx:A. B ∈ T_i if A ∈ T_i and B(a) ∈ T_i for all a ∈ El_i(A), and then El_i(Σx:A. B) = {(W, P) | W ∈ El_i(A) ∧ P ∈ El_i(B(W))};
9) bAr P l ∈ T_i if A ∈ T0, l ∈ El0([A]) and P l' ∈ T0 for all l' ∈ El0([A]), and then El_i(bAr P l) = Bar(El0(A), El0([A]) ∋ l' ↦ El0(P l'))(l).
4.3 Soundness
We now give the semantics of expressions and types a priori, that is, without any assumption
of them being well-typed.
Definition 14. An environment is a mapping from the set of variables to the domain D.
We let ρ, ρ', ... range over environments and let Env denote the set of all environments. By
ρ(x/a) we denote the environment ρ' with ρ'(x) = a and ρ'(y) = ρ(y) for variables y ≠ x.
Definition 15. Let M be a term, i.e., either an expression or a type, and ρ an environment.
The semantics [[M]]ρ ∈ D of M in ρ denotes the (βη-equivalence class of the) result of the
simultaneous substitution in M of all free occurrences of variables x by ρ(x).
We write [[M]] to denote [[M]]ρ with ρ being the empty environment, or when M is closed.
We may also write M for [[M]]ρ in that case.
As usual, we need a substitution lemma.
Lemma 16. For all M, N and ρ, we have [[(λx. M) N]]ρ = [[M(N)]]ρ = [[M]]ρ(x/[[N]]ρ).
Proof. By a routine induction on the structure of M. □
We have to take into account certain sanity conditions on environments with respect to
typing contexts.
Definition 17. An environment ρ is Γ-correct if for all (x : A) ∈ Γ, [[A]]ρ ∈ T1 and
ρ(x) ∈ El1([[A]]ρ).
The following lemma states that the type theory is sound with respect to the semantics.
Lemma 18. For all Γ, M, A and for any Γ-correct ρ we have the following:
1. if Γ ⊢ A, then [[A]]ρ ∈ T1;
2. if Γ ⊢ M : A, then [[A]]ρ ∈ T1 and [[M]]ρ ∈ El1([[A]]ρ).
Proof. Since the rules in Figure 1 mix (1) and (2), we prove the lemma by simultaneous
induction on derivations. We start with the general typing rules in Figure 1.
Suppose Γ ⊢ U by Γ ⊢, and ρ is Γ-correct. Then the claim holds trivially since
[[U]]ρ = U ∈ T1 by Lemma 13.
Suppose Γ ⊢ A by Γ ⊢ A : U, and ρ is Γ-correct. We have [[A]]ρ ∈ El1(U) by induction
hypothesis and El1(U) = T0 ⊆ T1 by Lemma 12, from which the claim follows.
Suppose Γ ⊢ Πx:A. B by Γ ⊢ A and Γ, x : A ⊢ B, and ρ is Γ-correct. We have to prove
that [[Πx:A. B]]ρ ∈ T1. By induction hypothesis on Γ ⊢ A, we have [[A]]ρ ∈ T1. By Lemma 13
and an appeal to the Substitution Lemma, it suffices that [[B]]ρ(x/a) ∈ T1 for all a ∈ El1([[A]]ρ).
For this, it suffices by induction hypothesis on Γ, x : A ⊢ B that ρ(x/a) is (Γ, x : A)-correct,
which follows from a ∈ El1([[A]]ρ).
Suppose Γ ⊢ x : A by (x : A) ∈ Γ. Then the claim follows from ρ being Γ-correct and
[[x]]ρ = ρ(x).
Suppose Γ ⊢ M : B by A =βη B, Γ ⊢ M : A and Γ ⊢ B. By induction hypothesis on
Γ ⊢ M : A, we have [[A]]ρ ∈ T1 and [[M]]ρ ∈ El1([[A]]ρ). By A =βη B, we have [[A]]ρ = [[B]]ρ,
hence we get [[B]]ρ ∈ T1 and [[M]]ρ ∈ El1([[B]]ρ).⁴
Footnote 4: We do not use the induction hypothesis on Γ ⊢ B. In fact, we do not use the hypothesis Γ ⊢ B. This
manifests that the typing rules are more restrictive than the semantics.
Suppose Γ ⊢ λx. M : Πx:A. B by Γ ⊢ A, Γ ⊢ Πx:A. B and Γ, x : A ⊢ M : B.
By induction hypothesis, we have [[A]]ρ ∈ T1 and [[Πx:A. B]]ρ ∈ T1. We have to show
[[λx. M]]ρ ∈ El1([[Πx:A. B]]ρ). By the Substitution Lemma, it suffices that [[λx. M]]ρ a =
[[M]]ρ(x/a) ∈ El1([[B]]ρ(x/a)) for all a ∈ El1([[A]]ρ). This follows from induction hypothesis on
Γ, x : A ⊢ M : B, noting that ρ(x/a) is (Γ, x : A)-correct.
Suppose Γ ⊢ M N : B(N) by Γ ⊢ M : Πx:A. B and Γ ⊢ N : A. By induction hypothesis,
we have [[Πx:A. B]]ρ ∈ T1, [[M]]ρ ∈ El1([[Πx:A. B]]ρ), and [[A]]ρ ∈ T1, [[N]]ρ ∈ El1([[A]]ρ). By
Lemma 13, it follows that [[M]]ρ [[N]]ρ ∈ El1([[B]]ρ([[N]]ρ)). Using the Substitution Lemma,
we conclude [[M N]]ρ = [[M]]ρ [[N]]ρ ∈ El1([[B]]ρ([[N]]ρ)) = El1([[B]]ρ(x/[[N]]ρ)) = El1([[B(N)]]ρ).
Suppose Γ ⊢ Πx:A. B : U by Γ ⊢ A : U and Γ, x : A ⊢ B : U. By induction hypothesis
on Γ ⊢ A : U and by Lemma 13, we know that [[U]]ρ = U ∈ T1, and [[A]]ρ ∈ El1(U) = T0.
We have to show [[Πx:A. B]]ρ ∈ T0. By Lemma 13 again and by the Substitution Lemma,
it suffices that [[B]]ρ(x/a) ∈ T0 for all a ∈ El0([[A]]ρ). Recalling that El0 and El1 agree on
T0 (Lemma 12), hence in particular on [[A]]ρ, this follows from induction hypothesis on
Γ, x : A ⊢ B : U since ρ(x/a) is (Γ, x : A)-correct.
We are done with the general typing rules. We move on to the specific typing rules in
Section 2.3. In the following, we will often tacitly use that El1(U) = T0 ⊆ T1 and that El1
extends El0 (Lemma 12).
Regarding the empty type, we have U ∈ T1 and N0 ∈ El1(U) from Lemma 13. If
Γ ⊢ ExF : N0 → A by Γ ⊢ A : U, then by induction hypothesis, we have [[A]]ρ ∈ T0. It follows
that N0 → [[A]]ρ ∈ T0, and ExF ∈ El0(N0 → [[A]]ρ) since El0(N0) is empty.
Regarding the typing rules for the unit type, we get the claim from Lemma 13.
Regarding Booleans, we get the claim from Lemma 13 for the typing rules for N2, 0 and
1. Suppose Γ ⊢ brec : C 0 → C 1 → Πb:N2. C b by Γ ⊢ C : N2 → U. By induction hypothesis,
we have N2 → U ∈ T1 and [[C]]ρ ∈ El1(N2 → U), so [[C 0]]ρ ∈ T0, [[C 1]]ρ ∈ T0, and [[C b]]ρ ∈ T0
for all b ∈ El1(N2). It follows that [[C 0 → C 1 → Πb:N2. C b]]ρ ∈ T1. Let M ∈ El0([[C 0]]ρ)
and N ∈ El0([[C 1]]ρ). For every b ∈ El1(N2), we have either b = 0 or b = 1. Hence we get
brec ∈ El1([[C 0 → C 1 → Πb:N2. C b]]ρ) from the β-reduction for brec. We get the claim for
the typing rule for beq from Lemma 13 and the β-reduction for beq.
Regarding natural numbers, the only nontrivial rules are those for rec and eq. Suppose
Γ ⊢ rec : C 0 → (Πn:N. C n → C (S n)) → Πn:N. C n by Γ ⊢ C : N → U. By induction
hypothesis, we have N → U ∈ T1 and [[C]]ρ ∈ El1(N → U). It follows that [[C 0]]ρ ∈ T0,
[[Πn:N. C n → C (S n)]]ρ ∈ T0 and [[Πn:N. C n]]ρ ∈ T0, hence [[C 0 → (Πn:N. C n → C (S n)) →
Πn:N. C n]]ρ ∈ T0. We have to prove that rec M N n ∈ El0([[C n]]ρ) for all M ∈ El0([[C 0]]ρ),
N ∈ El0([[Πn:N. C n → C (S n)]]ρ) and n ∈ El0(N). This is proved by induction on n ∈
El0(N) = Num, using the β-rule for rec. It follows that rec ∈ El0([[C 0 → (Πn:N. C n → C (S n))
→ Πn:N. C n]]ρ). Suppose Γ ⊢ eq : N → N → U by Γ ⊢. That N → N → U ∈ T1 follows from
Lemma 13. In order to show eq ∈ El1(N → N → U), we have to prove eq m n ∈ T0 for all m
and n in Num. This is proved by nested induction on m and n.
Regarding lists, if Γ ⊢ [A] : U by Γ ⊢ A : U, then by induction hypothesis we get
[[A]]ρ ∈ T0. It follows from Lemma 13 that [[[A]]]ρ = [[[A]]ρ] ∈ T0. If Γ ⊢ nil : [A] by
Γ ⊢ A : U, the claim follows easily from the induction hypothesis and Lemma 13. The
case for Γ ⊢ cons : A → [A] → [A] by Γ ⊢ A : U is similar. Suppose Γ ⊢ lrec : C nil →
(Πa:A. Πl:[A]. C l → C (a :: l)) → Πl:[A]. C l by Γ ⊢ A and Γ ⊢ C : [A] → U. By induction
hypothesis on Γ ⊢ C : [A] → U, we have [[[A] → U]]ρ ∈ T1 and [[C]]ρ ∈ El1([[[A] → U]]ρ).
From Lemma 13, it follows that [[C nil]]ρ ∈ T0, [[Πa:A. Πl:[A]. C l → C (a :: l)]]ρ ∈ T1 and
[[Πl:[A]. C l]]ρ ∈ T1, hence [[C nil → (Πa:A. Πl:[A]. C l → C (a :: l)) → Πl:[A]. C l]]ρ ∈ T1. In
order to show that lrec ∈ El1([[C nil → (Πa:A. Πl:[A]. C l → C (a :: l)) → Πl:[A]. C l]]ρ), we
have to prove, for all M ∈ El1([[C nil]]ρ), N ∈ El1([[Πa:A. Πl:[A]. C l → C (a :: l)]]ρ) and l ∈
El1([[[A]]ρ]), that lrec M N l ∈ El1([[C l]]ρ). This is proved by induction on l ∈ El1([[[A]]ρ]) =
List([[A]]ρ), using the β-rewrite rules for lrec.
Sum types can be dealt with in a manner similar to, but simpler than, list types.
Regarding dependent pairs, if Γ ⊢ Σx:A. B : U by Γ ⊢ A : U and Γ, x : A ⊢ B :
U, then we argue analogously to the case for Γ ⊢ Πx:A. B : U. Suppose Γ ⊢ (W, P) :
Σx:A. B by Γ ⊢ Σx:A. B : U, Γ ⊢ W : A and Γ ⊢ P : B(W). We obtain [[Σx:A. B]]ρ ∈ T1
by induction hypothesis. To show that [[(W, P)]]ρ = ([[W]]ρ, [[P]]ρ) ∈ El1([[Σx:A. B]]ρ), it
suffices to prove [[W]]ρ ∈ El1([[A]]ρ) and [[P]]ρ ∈ El1([[B]]ρ([[W]]ρ)) = El1([[B(W)]]ρ), both
of which follow from induction hypothesis. Suppose Γ ⊢ srec : (Πx:A. Πp:B. C (x, p)) →
Πy:(Σx:A. B). C y by Γ ⊢ A : U, Γ, x : A ⊢ B : U, Γ ⊢ Σx:A. B : U, and Γ ⊢ C : (Σx:A. B) →
U. Induction hypotheses give us [[A]]ρ ∈ T0, [[B]]ρ(x/a) ∈ T0 for all a ∈ El0([[A]]ρ), [[Σx:A. B]]ρ ∈
T0, and [[C]]ρ ∈ El1([[Σx:A. B]]ρ → U). It follows that [[Πx:A. Πp:B. C (x, p)]]ρ ∈ T0 and
[[Πy:(Σx:A. B). C y]]ρ ∈ T0, and hence [[(Πx:A. Πp:B. C (x, p)) → Πy:(Σx:A. B). C y]]ρ ∈ T0.
By using the β-rule for srec and by Lemma 13, we get srec ∈ El0([[(Πx:A. Πp:B. C (x, p)) →
Πy:(Σx:A. B). C y]]ρ).
Regarding the constant bAr, if Γ ⊢ bAr : ([A] → U) → [A] → U by Γ ⊢ A : U, then
we have [[([A] → U) → [A] → U]]ρ ∈ T1 by induction hypothesis and Lemma 13. To show
that bAr ∈ El1([[([A] → U) → [A] → U]]ρ) = El1(([[[A]]]ρ → U) → [[[A]]]ρ → U), it suffices
that bAr P l ∈ T0 for all P ∈ El1([[[A]]]ρ → U) and l ∈ El0([[[A]]]ρ). This follows from
Lemma 13, since P l' ∈ T0 for all l' ∈ El0([[[A]]]ρ). Suppose Γ ⊢ base X : bAr P l by Γ ⊢ A : U,
Γ ⊢ l : [A], Γ ⊢ P : [A] → U and Γ ⊢ X : P l. By induction hypothesis, we have [[A]]ρ ∈ T0,
[[l]]ρ ∈ El1([[[A]]]ρ), and [[P]]ρ ∈ El1([[[A] → U]]ρ) = El1([[[A]]]ρ → U), hence [[P]]ρ l' ∈ T0 for
all l' ∈ El1([[[A]]]ρ). This proves bAr P l ∈ T0. The induction hypothesis on Γ ⊢ X : P l gives
us [[X]]ρ ∈ El1([[P]]ρ [[l]]ρ), which proves [[base X]]ρ ∈ El1([[bAr P l]]ρ) by Lemma 13. The case
for Γ ⊢ step Y : bAr P l follows analogously. We will elaborate the last and most interesting
case in some detail. Suppose
Γ ⊢ barrec : (Πl:[A]. P l → C l) →
(Πl:[A]. (Πa:A. C (a :: l)) → C l) → Πl:[A]. bAr P l → C l
by Γ ⊢ A : U, Γ ⊢ P : [A] → U, and Γ ⊢ C : [A] → U. By induction hypothesis, using
Lemma 13 many times, we get that the type of barrec is in T1. In order to show that barrec
is an element of the corresponding set
El1([[(Πl:[A]. P l → C l) →
(Πl:[A]. (Πa:A. C (a :: l)) → C l) → Πl:[A]. bAr P l → C l]]ρ),
it suffices that
El1(bAr [[P]]ρ l) ⊆ {M ∈ D | barrec B S l M ∈ El1([[C]]ρ l)}
for all B ∈ El1([[Πl:[A]. (P l → C l)]]ρ), S ∈ El1([[Πl:[A]. ((Πa:A. C (a :: l)) → C l)]]ρ), and
l ∈ El1([[[A]]]ρ). We prove this by fixpoint induction, recalling that, for fixed A, El1(bAr [[P]]ρ l)
is defined as the fixpoint of Φ_Bar(El1([[A]]ρ), El1([[[A]]]ρ) ∋ l ↦ El1([[P]]ρ l)). The latter operator will
be abbreviated to Φ, as A and P do not change in the proof.
We show that the function
Ψ : El1([[[A]]]ρ) ∋ l ↦ {M ∈ D | barrec B S l M ∈ El1([[C]]ρ l)}
is a prefixpoint of Φ, i.e., Φ(Ψ)(l) ⊆ Ψ(l) for all l ∈ El1([[[A]]]ρ). By definition, there are
two forms of elements in Φ(Ψ)(l). The first is base X with X ∈ El1([[P]]ρ l). Then we have
barrec B S l (base X) = B l X ∈ El1([[C]]ρ l) by the assumptions on B and l. The second
is step Y with, for all a ∈ El1([[A]]ρ), Y a ∈ Ψ(a :: l), that is, barrec B S (a :: l) (Y a) ∈
El1([[C]]ρ (a :: l)). Then we have barrec B S l (step Y) = S l (λa. barrec B S (a :: l) (Y a)) ∈
El1([[C]]ρ l) by the assumptions on S and l.
It remains to prove that the auxiliary rules are sound. These rules define the type and
computational behaviour of the constants exists, good, length, take.
Regarding the constant exists, if Γ ⊢ exists : (A → U) → [A] → U by Γ ⊢ A : U, then
we have [[(A → U) → [A] → U]]ρ ∈ T1 by induction hypothesis and Lemma 13. To show
that exists ∈ El1([[(A → U) → [A] → U]]ρ) = El1(([[A]]ρ → U) → [[[A]]]ρ → U), it suffices that
exists P l ∈ T0 for all P ∈ El1([[A]]ρ → U) and l ∈ List(El0([[A]]ρ)). This follows by induction
on l from the β-reduction rules for exists. The argumentation for the other constants is very
similar, and will hence be left to the reader. □
We obtain that if an expression M has a type A, then M realizes A.
Corollary 19. If ⊢ M : A, then A ∈ T1 and M ∈ El1(A).
5 A Realizer for Markov's Principle
Markov's Principle is the following type:
MP := Πf:N→N2. (¬¬Σn:N. beq (f n) 1) → Σn:N. beq (f n) 1
Clearly ⊢ MP : U, so MP ∈ T1 by Corollary 19. As a proposition, MP is classically true but
unprovable in Heyting Arithmetic [14]; MP is not inhabited in our type theory. However, as
we will show in this section, MP can be consistently added to the type theory: El1(MP) is
nonempty. In other words, MP is true in the realizability model.
The realizer RMP ∈ El1(MP) to be defined below essentially performs an unbounded
search for an n such that f n = 1. This is possible since the computational system, based on
untyped lambda calculus, is Turing complete. To prove that the search always finds such
an n, we use Markov's Principle on the meta-level. This is possible since we are allowed to
reason classically in the ambient naive set theory.
Recall that beq : N2 → N2 → U, beq 1 1 = N1 and 0 : N1. Let Y be any fixed point
operator in the untyped lambda calculus, for example Y := λf. (λx. f (x x)) (λx. f (x x)).
Then Y F = F (Y F) for any F, in particular for
F := λs f n. brec (s f (S n)) (n, 0) (f n)
Then we have, for search := Y F, that
search f n = (F search) f n = brec (search f (S n)) (n, 0) (f n)
This means that search f 0 performs the required search for the first n such that f n = 1. If
n is found, (n, 0) is returned, that is, the pair consisting of the numeral n and the proof term
0 of type beq (f n) 1.
We define RMP = λf p. search f 0 and it remains to prove RMP ∈ El1(MP). Note that p
does not occur in search f 0. This is typical for realizability: realizers of negative statements
carry no computational content, they only witness that the statement that is negated has no
realizers. To show RMP ∈ El1(MP), let f ∈ El1(N→N2) and p ∈ El1(¬¬Σn:N. beq (f n) 1).
We have to prove that search f 0 ∈ El1(Σn:N. beq (f n) 1). Towards a contradiction, assume
the latter set is empty. Then, any term foo is in El1(¬Σn:N. beq (f n) 1). It follows that
p foo ∈ El1(N0). This is absurd, so El1(Σn:N. beq (f n) 1) is nonempty. Since it is decidable
for any numeral n, whether or not (n, 0) ∈ El1(Σn:N. beq (f n) 1), it follows by Markov's
Principle that there exists a pair (n, 0) ∈ El1(Σn:N. beq (f n) 1). Hence there is also such a
pair with the smallest n, that is, search f 0 ∈ El1(Σn:N. beq (f n) 1). Note the role of p in
the above argument: it serves to prove termination of the search but does not influence the
actual outcome.
6 A Realizer for the Undecidability of the Halting Problem
The purpose of this section is to argue that, in addition to MP, we can consistently add the
undecidability of the halting problem to the type theory. Define
Ht := λn. Σk:N. beq (t n n k) 1
for t : N → N → N → N2 as described below. The intention is that Ht is a halting predicate,
with t the characteristic function of Kleene's T predicate [7, 2]. Using rec, we can define
all primitive recursive functions, and actually many more. Since Kleene's T predicate is
primitive recursive, its characteristic function t is definable in the type theory. Kleene's
T predicate, T e x w, is based on a standard encoding of partial recursive functions as natural
numbers. The first argument e of T is such a code of a partial recursive function, whereas
the second argument x encodes an input to this function. The third argument w encodes
a (terminating) computation sparked off by the function with code e on input with code x.
Hence, Ht n holds if and only if the function encoded by n terminates on the input coded by
n.
Let UH be the type:
UH := ¬Πn:N. (Ht n + ¬Ht n).
Clearly ⊢ UH : U, so UH ∈ T1 by Corollary 19. We want to show that El1(UH) is nonempty.
As UH is negative, it suffices to show that Πn:N. (Ht n + ¬Ht n) cannot be realized. Then any
term realizes UH, so El1(UH) contains all terms of Λ (!). Towards a contradiction, assume
f ∈ El1(Πn:N. (Ht n + ¬Ht n)). Diagonalizing over f we define:
d = λn. case Ω 1 (f n),
such that in view of the definition of Ht we have for all n : N:
d n = Ω ⟺ f n = inl(k, 0) ⟺ T(n, n, k),
where (k, 0) ∈ El1(Σk:N. beq (t n n k) 1).
As a lambda term, d represents a partial recursive function with code a numeral nd.⁵
Then we have d nd = Ω ⟺ T(nd, nd, k) where inl(k, 0) = f nd, a plain contradiction with
the choice of T and f. Therefore f as above cannot exist, and any term realizes UH. We
conclude that UH can be consistently added to the type theory.
Footnote 5: The code nd can in principle be constructed from d, but this is outside the scope of this paper.
7 A set that is provably streamless but not provably Noetherian
In this section we shall prove that the converse of Theorem 5 is unprovable in type theory.
The argument sketched in the introduction is that the converse is false when MP and UH
are assumed. The unprovability in type theory then follows from the realizability model in
which MP and UH are both valid. We start with some auxiliary definitions.
Given a predicate P on natural numbers, we define a binary relation =P to be the equality
on the set of natural numbers n which satisfy P, irrespective of the proof of P n. Formally, we
define a typing rule for =P by
Γ ⊢ P : N → U
------------------------------------------
Γ ⊢ =P : (Σn:N. P n) → (Σn:N. P n) → U
and β-reduction, with =P written infix, given by
(n, hn) =P (m, hm) = eq n m.
Since eq is decidable, =P is decidable for any P.
Given a predicate P on natural numbers, we define a predicate P̂ n to be true if P k is
decidable for all k < n. Formally, we define a typing rule for P̂ by
Γ ⊢ P : N → U
------------------
Γ ⊢ P̂ : N → U
and β-reductions given by
P̂ 0 = N1
P̂ (S n) = (P n + ¬P n) × P̂ n
The realizability model can easily be extended with sound interpretations of the above.
Lemma 20. There is a proof M such that
P : N → U, n : N ⊢ M : P̂ n → ¬¬P̂ (S n).
Proof. We have to prove absurdity from P̂ n and ¬P̂ (S n). Assume P n + ¬P n, then by P̂ n
we get P̂ (S n), which contradicts the assumption ¬P̂ (S n). Hence ¬(P n + ¬P n), which is
absurd, as ¬¬(A + ¬A) is a constructive tautology. □
Corollary 21. There is a proof M such that P : N → U ⊢ M : Πn:N. ¬¬P̂ n.
Proof. By induction on n, using P̂ 0 and basic facts about ¬¬. □
Recall the terminology and notation on decidability from Definition 1. We have the
following easy lemmas about decidability.
Lemma 22. There exist proofs M1, M2, M3, M4 such that
A : U, P : A → U ⊢ M1 : (Πx:A. dec (P x)) → Πl:[A]. dec (exists P l);
A : U, R : A → A → U ⊢ M2 : (Πx:A. Πy:A. dec (R x y)) → Πl:[A]. dec (good R l);
P : N → U ⊢ M3 : Πp1:Σn:N. P n. Πp2:Σn:N. P n. dec (p1 =P p2);
P : N → U ⊢ M4 : Πl:[Σn:N. P n]. dec (good =P l).
Proof. The first two are easily proved by induction on l, where the second uses the first.
The third follows from the definition of =P and Lemma 2. The fourth follows from the second
and the third. Note that the fourth typing states that it is decidable whether a list over a
subset of natural numbers contains proof-irrelevant duplicates. □
In order to prove that the converse of Theorem 5 is not provable in the type theory, we
construct a set which is provably not Noetherian, but can be proved streamless using MP
and UH.
The following lemma is an abstract form of the argument in the introduction. In order to
see this, recall that (good =Q) is a predicate expressing that a list contains a proof-irrelevant
duplicate.
Lemma 23. Let A in bAr be the type Σn:N. Q n. There is a proof M such that
Q : N → U ⊢ M : (Πn:N. ¬¬Q n) → Πl:[Σn:N. Q n]. bAr (good =Q) l → good =Q l.
Proof. Let Q : N → U and hQ : Πn:N. ¬¬Q n. We use induction on bAr (good =Q) l. If
bAr (good =Q) l by good =Q l, the claim holds immediately. Assume as induction hypothesis
Πx:(Σn:N. Q n). good =Q (x :: l). We have to prove good =Q l. By Lemma 22 we can reason by
contradiction. Assume ¬(good =Q l). We prove this is absurd and we are done. We perform
case analysis on the shape of l. In case l = nil, if h0 : Q 0, then good =Q ((0, h0) :: nil) by the
induction hypothesis. This is absurd, so ¬Q 0, which is absurd by assumption hQ. In case l
is a nonempty list, let (n, hn) be a maximum element in l, that is, for any (m, hm) such that
exists (=Q (m, hm)) l, we have that n ≥ m. A maximum element exists since l is nonempty.
It suffices to prove ¬Q (S n), which contradicts hQ. Assume we have a proof hSn : Q (S n).
By induction hypothesis, we have good =Q ((S n, hSn) :: l). Since we assumed ¬(good =Q l), it
must be that exists (=Q (S n, hSn)) l, which contradicts (n, hn) being a maximum element
in l. □
Noticing that it is absurd that the empty list is good, we deduce, from Lemma 23 and
Corollary 21, that it is absurd that =Ĥ is Noetherian.
Lemma 24. There is a proof M such that H : N → U ⊢ M : ¬(Noetherian =Ĥ).
On the other hand, in the presence of MP and UH, for Ht : N → U as defined in Section 6,
we can prove that =Ĥt is streamless.
Lemma 25. There is a proof M such that
⊢ M : MP → UH → streamless =Ĥt.
Proof. Assume MP and UH. Given f : N → Σn:N. Ĥt n, we want to prove Σn:N. good =Ĥt (f n).
Noting that (good =Ĥt) is decidable by Lemma 22, we can construct a function e : N → N2 such
that eq (e n) 1 is true if and only if good =Ĥt (f n) is true, for all n : N. Thus, we may apply
MP and it then suffices to prove ¬¬Σn:N. good =Ĥt (f n). Suppose ¬Σn:N. good =Ĥt (f n), or
equivalently, Πn:N. ¬good =Ĥt (f n). Then, for any given n : N, the list f (S (S n)) gives us a
proof of Ht n + ¬Ht n.⁶ This contradicts UH. □
Footnote 6: Informally, the list f (S (S n)) contains a maximum element (m, hm) such that m > n. The proof hm of
Ĥt m gives us Ht n + ¬Ht n.
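The unbounded search of Section 5 and its use in the proof of Lemma 25, as an added example that is not part of the paper: Python stands in for the untyped lambda calculus Λ, so the fixed-point operator is the call-by-value Z combinator rather than the paper's Y, the two branches of brec are passed as thunks (Python evaluates arguments eagerly, whereas a β-reduction never touches the unselected branch), and since Ĥt is not computable the enumeration is a constructed one over a small decidable subset of N, with f n read as the list of the first n enumerated elements, as the proof of Lemma 25 does when it speaks of the list f (S (S n)).

```python
"""Added example (not from the paper): the search realizer R_MP of Section 5,
run in Python, and the way Lemma 25 feeds a decidable 'good' predicate into it.
Every name below is this example's own; all sample data is constructed."""
from typing import Any, Callable, List, Tuple

# A realizer of Sigma n:N. beq (f n) 1 is a pair (n, 0): the numeral n and the
# proof term 0 of the unit type N1 = beq 1 1.
Witness = Tuple[int, int]


def brec(c0: Callable[[], Any], c1: Callable[[], Any], b: int) -> Any:
    """Boolean recursor: brec M N 0 = M and brec M N 1 = N.
    The branches are thunks so that only the selected one is evaluated,
    mirroring the rewrite rule in which the other branch never reduces."""
    return c0() if b == 0 else c1()


def Z(F):
    """Z combinator, the call-by-value variant of the Y of the paper:
    Z = \\f. (\\x. f (\\v. x x v)) (\\x. f (\\v. x x v)).  It satisfies
    Z F = F (Z F) up to eta, which is all the unfolding of search needs."""
    return (lambda x: F(lambda *a: x(x)(*a)))(lambda x: F(lambda *a: x(x)(*a)))


def F(s):
    """F := \\s f n. brec (s f (S n)) (n, 0) (f n), exactly as in Section 5."""
    return lambda f: lambda n: brec(lambda: s(f)(n + 1), lambda: (n, 0), f(n))


# search := Y F, so search f n = brec (search f (S n)) (n, 0) (f n).
search = Z(F)


def R_MP(f: Callable[[int], int], p: Any = None) -> Witness:
    """R_MP = \\f p. search f 0.  The argument p (a realizer of the double
    negation) is never used: it only guarantees that the search terminates."""
    return search(f)(0)


# ---- Lemma 25: from a decidable 'good' to an input for MP -------------------

Elem = Tuple[int, Any]  # an element of Sigma n:N. P n: (numeral, proof term)


def good_eqP(l: List[Elem]) -> bool:
    """Decides good =_P l: does l contain two elements that are equal under
    =_P, i.e. with the same numeral?  The proof components are ignored
    (proof irrelevance), so (3, h) and (3, h') count as a duplicate."""
    seen = set()
    for n, _proof in l:
        if n in seen:
            return True
        seen.add(n)
    return False


def enumeration(n: int) -> List[Elem]:
    """Constructed stand-in for an enumeration f: the first n values of a
    stream over the three-element subset {0, 1, 2}, each paired with a
    distinct dummy proof term.  The paper uses the non-computable \\hat H_t."""
    return [(k % 3, ("proof", k)) for k in range(n)]


def e_of(f: Callable[[int], List[Elem]]) -> Callable[[int], int]:
    """The function e : N -> N2 of the proof of Lemma 25: e n = 1 iff
    good =_P (f n)."""
    return lambda n: 1 if good_eqP(f(n)) else 0


def first_good_prefix(f: Callable[[int], List[Elem]]) -> Witness:
    """Apply MP to e: the search returns the least n with good =_P (f n),
    which is the witness of streamlessness that Lemma 25 asks for."""
    return R_MP(e_of(f))


if __name__ == "__main__":
    # A characteristic function that first hits 1 at n = 7.
    print(R_MP(lambda n: 1 if n == 7 else 0))   # (7, 0)
    # The prefix of length 4 is the first one with a repeated numeral.
    print(first_good_prefix(enumeration))      # (4, 0)
```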
We have now shown that, in the presence of MP and UH, there is a relation that is
streamless but cannot be Noetherian. Recalling that MP and UH are consistent with the
type theory we work in, we conclude that it is unprovable in the type theory that every
streamless relation is Noetherian.
Theorem 26. There is no proof M such that
⊢ M : streamless =Ĥt → Noetherian =Ĥt.
Corollary 27. There is no proof M such that
⊢ M : ΠA:U. ΠR:A → A → U. streamless R → Noetherian R.
8 Related work and concluding remarks
We have constructed a realizability model for Martin-Löf dependent type theory, viewed as
a set of typing rules typing terms of an untyped lambda calculus Λ. Similar realizability
models have been given by Martin-Löf [9] and Beeson [1]. We have paid extra attention to
the details, in particular to those of the type of an inductive bar.
The purpose of the model is to demonstrate a particular unprovability result. It may be
illuminating to discuss this result in connection with the well-known Kleene Tree [7, 2], a
primitive recursive relation P on binary sequences which defines an infinite tree without an
infinite recursive branch. The Kleene Tree is the prime example that Brouwer's Fan Theorem
(an intuitionistic version of König's Lemma) fails in recursive analysis. In the context of this
paper, Kleene's result yields that, with A = N2 and for a specific decidable P : [N2] → U, the
following type is not inhabited:
(Πf:N → A. Σn:N. P (f n)) → bAr P nil.
For comparison, our result, with A = Σn:N. Ĥt n and Q := good =Ĥt, states that the following
type is not inhabited:
(Πf:N → A. Σn:N. Q (f n)) → bAr Q nil.
The important difference between the two results is the instantiation of the type A, that is,
A = N2 for Kleene and A = Σn:N. Ĥt n for us. Clearly, A = N2 is the simpler of the two. On
the other hand, with Q l := good =Ĥt l expressing that the list l contains a duplicate, we are
allowed far less expressive power than Kleene's P. This explains to some extent why we
use a more complicated base type A = Σn:N. Ĥt n, which is the simplest type we could find
defining a subset of the natural numbers that is not finite in the sense of Noetherian, and at
the same time finite in the sense of streamless in a consistent extension of the type theory.
This confirms a conjecture formulated by Coquand and Spiwack in [4]. We conclude by
formulating an open problem: does there exist a decidable P such that Σn:N. P n distinguishes
between Noetherian and streamless?
[3] T. Coquand and A. Spiwack. A proof of strong normalisation using domain theory. Logical Methods in Computer Science, 3(4), 2007.
[4] T. Coquand and A. Spiwack. Constructively finite? In L. Lambán, A. Romero, and J. Rubio, editors, Contribuciones científicas en honor de Mirian Andrés Gómez, pages 217-230. Publicaciones de la Universidad de La Rioja, 2010. ISBN 9788496487505.
[5] P. Dybjer. A general formulation of simultaneous inductive-recursive definitions in type theory. Journal of Symbolic Logic, 65(2):525-549, 2000.
[6] M. Escardó. Joins in the frame of nuclei. Applied Categorical Structures, 11:117-124, 2003.
[7] S.C. Kleene. Recursive functions and intuitionistic mathematics. In L.M. Graves, E. Hille, P.A. Smith, and O. Zariski, editors, Proceedings of the International Congress of Mathematicians, pages 679-685. AMS, 1952.
[8] J.W. Klop, V. van Oostrom, and F. van Raamsdonk. Combinatory reduction systems: Introduction and survey. Theoretical Computer Science, 121(1&2):279-308, 1993.
[9] P. Martin-Löf. An intuitionistic theory of types: predicative part. In H.E. Rose and J.C. Shepherdson, editors, Logic Colloquium '73, volume 80 of Studies in Logic and the Foundations of Mathematics, pages 73-118, Amsterdam, 1975. North-Holland.
[10] E. Parmann. https://github.com/epa095/noetherianimpliesstreamless.
[11] E. Parmann. Case Studies in Constructive Mathematics. PhD thesis, University of Bergen, 2016.
[12] D. Pataraia. A constructive proof of Tarski's fixed-point theorem for DCPOs. Presented at the 65th Peripatetic Seminar on Sheaves and Logic, November 1997.
[13] C. Spector. Provably recursive functionals of analysis: a consistency proof of analysis by an extension of principles formulated in current intuitionistic mathematics. In J.C.E. Dekker, editor, Recursive function theory, Proc. Symp. in pure mathematics V, pages 1-27. AMS, 1962.
[14] A.S. Troelstra, editor. Metamathematical Investigation of Intuitionistic Arithmetic and Analysis, volume 344 of Lecture Notes in Mathematics. Springer, 1973.
[15] The Univalent Foundations Program. Homotopy Type Theory: Univalent Foundations of Mathematics. The Univalent Foundations Program, Institute for Advanced Study, 2013.