On Lists and Other Abstract Data Types in the Calculus of Constructions∗

Jonathan P. Seldin
Department of Mathematics, Concordia University, Montreal, Quebec, Canada
[email protected]

January 29, 1999

Dedicated to Joachim Lambek on the occasion of his 75th birthday

Abstract
The representation of the inductively defined abstract data type for lists was left incomplete in [2, §9]. Here that representation is completed, and it is proved that all extra axioms needed are consistent. Among the innovations of this paper is a definition of cdr, whose definition was left for future work in [2, §9]. The results are then extended to other abstract data types, those of [1]. The method used to define cdr for lists is extended to obtain the definition of an inverse for each argument of each constructor of an abstract data type. These inverses are used to prove the injective property for the constructors. Also, Dedekind's method of defining the natural numbers is used to define a predicate associated with each abstract data type, and the use of this predicate makes it unnecessary to postulate the induction principle. The only axioms left to be proved are those asserting the disjointness of the co-domains of different constructors, and it is shown that those axioms can be proved consistent.

Key words: Calculus of constructions, abstract data types, lists

∗ This work was supported in part by grant RGP-23391-98 from the Natural Sciences and Engineering Research Council of Canada.
The discussion of the representation of the inductively defined abstract data type for lists at the end of [2, §9] was left incomplete. The aim of this paper is to complete it. The matters left unfinished in [2, §9] include the definition of cdr and the proof that three axioms corresponding to two of the Peano axioms are consistent. These are the matters finished here. In order to make this paper as self-contained as is reasonable for a paper of this size, the representation of lists is briefly reviewed in §1. This presentation includes a discussion of the induction property associated with this data type. This induction property can easily be used to define a number of list functions, but defining cdr is not so easy; it will be defined in §2. In §3, it will be shown that two of the three axioms are, in fact, provable; these are the axioms asserting the injective property of cons with respect to each of its arguments, and the proof uses car and cdr. In §4, it will be shown that the remaining axiom, which asserts that the empty list is not constructed by cons, is consistent. Finally, in §5, these methods will be extended to all of the abstract data types of [1]. In particular, the methods used to define car in §1 and cdr in §2 will be used to obtain an inverse for each constructor with respect to each argument. This will allow the proof of the injective property of constructors. A predicate associated with each abstract data type, defined by Dedekind's method of defining an inductively defined set, will be used to eliminate the need to postulate an induction axiom. This will leave only the axioms asserting that the co-domains of different constructors are disjoint, and these can be proved consistent by the method of §4. A familiarity with [2] will be assumed throughout. The version of the calculus of constructions will be assumed to be TOC0.
1 Preliminaries
Recall that the basic definitions are as follows [2, p. 86]:

    List ≡ λA : Prop . (∀u : Prop)((A → u → u) → u → u),
    nil ≡ λA : Prop . λB : Prop . λf : A → B → B . λy : B . y,
    cons ≡ λA : Prop . λx : A . λl : ListA . λB : Prop . λf : A → B → B . λy : B . f x(lBf y).
It is easy to prove the following:

    A : Prop ⊢ ListA : Prop,
    A : Prop ⊢ nilA : ListA,
    A : Prop, x : A, L : ListA ⊢ consAxL : ListA.

Now to do recursion on lists, define

    Listrec ≡ λA : Prop . λB : Prop . λh : A → B → B . λy : B . λl : ListA . lBhy.

Then given A : Prop, B : Prop, H : A → B → B, and M : B,

    ListrecABHM (nilA) =∗ nilABHM =∗ M,

and given, in addition, x : A and L : ListA,

    ListrecABHM (consAxL) =∗ consAxLBHM =∗ Hx(LBHM ) =∗ Hx(ListrecABHM L).
This allows us to define functions by recursion. For example, the function append is characterized by

    appendA(nilA)L2 =∗ L2,
    appendA(consAM L1)L2 =∗ consAM (appendAL1L2).

This can be defined by

    append ≡ λA : Prop . λl : ListA . λm : ListA . ListrecA(ListA)HM lm,

where H ≡ λx : A . λn : ListA . consAxn and M ≡ λl : ListA . l. We can also define length, which satisfies

    lengthA(nilA) =∗ 0,
    lengthA(consAxL) =∗ σ(lengthAL).
The definition is

    length ≡ λA : Prop . ListrecAN(λx : A . σ)0.

Other examples will be fairly obvious. Two important functions used with the data type list are car and cdr. The first satisfies car(consAxL) =∗ x, while the second satisfies cdr(consAxL) =∗ L. There are problems defining both of these. The problem in defining car is that its value for nilA must be an object of type A. Since we do not know, in general, if there is any term in a given type, it is best to supply the object to be assigned to nilA as an argument of car. Thus, given A : Prop, M : A, x : A, and L : ListA, we will want

    carAM (nilA) =∗ M,
    carAM (consAxL) =∗ x.
The definition is then

    car ≡ λA : Prop . λy : A . ListrecAA(λx : A . λu : A . x)y.

The definition of cdr is more complicated, and is left until the next section. To incorporate the logical properties of lists, we want a predicate L similar to the predicate N for arithmetic:

    L ≡ λA : Prop . λx : ListA . (∀y : (∀A : Prop)(ListA → Prop))
            ((∀u : A)(∀l : ListA)(yAl ⊃ yA(consAul)) ⊃ yA(nilA) ⊃ yAx).

(There is an error in the corresponding formula and in a few other formulas in connection with lists, [2, §9].) This formula is based on Dedekind's definition of the set of natural numbers, and it works whenever the logic is second order or higher order. It is then easy to prove

    ⊢ L : (∀A : Prop)(ListA → Prop),
    ⊢ M : (∀A : Prop)(LA(nilA)),
    ⊢ N : (∀A : Prop)(∀u : A)(∀l : ListA)(LAl ⊃ LA(consAul)), and
    ⊢ P : (∀B : (∀A : Prop)(ListA → Prop))(∀A : Prop)
            ((∀u : A)(∀l : ListA)(BAl ⊃ BA(consAul)) ⊃ BA(nilA) ⊃ (∀l : ListA)(LAl ⊃ BAl)),

for some closed terms M, N, and P. This gives us the desired induction property on lists. To complete our theory, we need results corresponding to Peano1 and Peano2:

    List1 ≡ (∀A : Prop)(∀x : A)(∀l : ListA)(¬consAxl =ListA nilA),
    List2 ≡ (∀A : Prop)(∀x : A)(∀y : A)(∀l : ListA)(∀m : ListA)
            (consAxl =ListA consAym ⊃ x =A y),
    List3 ≡ (∀A : Prop)(∀x : A)(∀y : A)(∀l : ListA)(∀m : ListA)
            (consAxl =ListA consAym ⊃ l =ListA m).

We shall deal with List2 and List3 in §3 and with List1 in §4.
2 Definition of cdr
There is no great problem in deciding what the value of cdr should be for nilA: just assign nilA. The problem is getting access to the argument L in Hx(ListrecABHM L). So we must proceed by indirection. The idea is similar to the idea used in defining the numerical predecessor function π: we will define a function on lists whose value is an ordered pair of lists in which the first list of the pair is the argument of the function and the second is the result of applying cdr to the first. This function is definable using Listrec:

    G ≡ λA : Prop . λu : ListA . ListrecA(ListA × ListA)HM u,

where

    H ≡ λx : A . λv : ListA × ListA . D(ListA)(ListA)(consAx(fst(ListA)(ListA)v))(fst(ListA)(ListA)v),
    M ≡ D(ListA)(ListA)(nilA)(nilA).
Theorem 1 Suppose A : Prop and L : ListA. Then GAL =∗ D(ListA)(ListA)L1L2, where L1 =∗ L and

    L2 =∗ nilA if L =∗ nilA,
    L2 =∗ L′ if L =∗ consAxL′.

Proof By a list induction on L.

Basis: L =∗ nilA. We have

    GA(nilA) =∗ ListrecA(ListA × ListA)HM (nilA) =∗ D(ListA)(ListA)(nilA)(nilA).
Here L1 =∗ L2 =∗ nilA, and so the theorem is satisfied.

Induction step: By the induction hypothesis, GAL =∗ D(ListA)(ListA)LL′, where

    L′ =∗ nilA if L =∗ nilA,
    L′ =∗ L′′ if L =∗ consAxL′′.

Then

    GA(consAxL) =∗ ListrecA(ListA × ListA)HM (consAxL)
                =∗ Hx(ListrecA(ListA × ListA)HM L)
                =∗ Hx(D(ListA)(ListA)LL′)
                =∗ D(ListA)(ListA)(consAxL)L,
as desired.

Definition 1 The term cdr is defined by

    cdr ≡ λA : Prop . λl : ListA . snd(ListA)(ListA)(GAl),

where G is the term defined above.

Corollary 1.1 If A : Prop, x : A, and L : ListA, then

    cdrA(nilA) =∗ nilA,
    cdrA(consAxL) =∗ L.
Note that the first result here does not use the induction hypothesis, whereas the second does. Thus, if we formalize the proof of this corollary, we get the following: Corollary 1.2 There are closed terms R and S such that ⊢ R : (∀A : Prop)(cdrA(nilA) =ListA nilA) and ⊢ S : (∀A : Prop)(∀x : A)(∀l : ListA)(Ll ⊃ cdr(consAxl) =ListA l).
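The following is an added example, not code from the paper: a Python model of the list encoding of §1 together with the pair-based definition of cdr from §2. Python has no dependent types, so every Prop argument (A, B, ListA × ListA, and so on) of the CC terms is erased; what remains of nil, cons, Listrec, append, length, car, D, fst, snd, G and cdr is the same λ-term with its type binders dropped. Two simplifications are this example's, not the paper's: append is written directly as the fold of cons over the first list with the second list as base, and the conversion helpers from_py and to_py, like the sample lists in the comments, are constructed only so that results can be inspected.

```python
# Added example: type-erased Python model of the Church-style list encoding
# (paper §1) and of cdr via pairs (paper §2).  Prop arguments are dropped:
# a list is a function of (f, y), and Listrec is just application.
from functools import reduce


def nil(f, y):
    # nil ≡ λA. λB. λf. λy. y, with the type binders erased
    return y


def cons(x, l):
    # cons ≡ λA. λx. λl. λB. λf. λy. f x (l B f y), erased
    return lambda f, y: f(x, l(f, y))


def listrec(h, y, l):
    # Listrec ≡ λA. λB. λh. λy. λl. l B h y: an iterator (fold), cf. Remark 2
    return l(h, y)


def append(l, m):
    # fold cons over l, with m as the base value (example's simplification)
    return listrec(lambda x, n: cons(x, n), m, l)


def length(l):
    # length ≡ Listrec A N (λx. σ) 0, with σ the successor
    return listrec(lambda x, n: n + 1, 0, l)


def car(y, l):
    # car ≡ λA. λy. Listrec A A (λx. λu. x) y: the default y is returned on nil
    return listrec(lambda x, u: x, y, l)


# Church pairs D, fst, snd with their Prop arguments erased
def D(a, b):
    return lambda k: k(a, b)


def fst(p):
    return p(lambda a, b: a)


def snd(p):
    return p(lambda a, b: b)


def G(l):
    # G ≡ λA. λu. Listrec A (ListA × ListA) H M u with
    #   H x v = D (cons x (fst v)) (fst v)   and   M = D nil nil,
    # so by Theorem 1, G l is the pair (l, cdr l): the first component is a
    # copy of the argument carried along because Listrec never exposes it.
    H = lambda x, v: D(cons(x, fst(v)), fst(v))
    M = D(nil, nil)
    return listrec(H, M, l)


def cdr(l):
    # cdr ≡ λA. λl. snd (ListA) (ListA) (G A l)   (Definition 1)
    return snd(G(l))


# Constructed helpers (not in the paper): Python list <-> Church list
def from_py(xs):
    return reduce(lambda acc, x: cons(x, acc), reversed(xs), nil)


def to_py(l):
    return listrec(lambda x, acc: [x] + acc, [], l)


if __name__ == "__main__":
    sample = from_py([5, 6, 7])          # constructed sample list
    print(to_py(cdr(sample)))            # [6, 7]
    print(to_py(fst(G(sample))))         # [5, 6, 7]: Theorem 1's first component
    print(car(0, nil), to_py(cdr(nil)))  # 0 []
```

Running this makes the difficulty discussed in §2 concrete: listrec only ever hands H the result of the recursion on the tail, never the tail itself, so G carries the tail along as the first component of a pair, and Theorem 1's invariant appears as the fact that fst(G(l)) rebuilds l.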
3 List2 and List3
As we have seen, we need List2 and List3 to hold to have the logical properties of lists. In this section, we will see that we can prove List2 and a formula which gives us the properties we need of List3. Theorem 2 There is a closed term M such that ⊢ M : List2. Proof Assume an environment Γ0 consisting of A : Prop, x : A, y : A, l : ListA, m : ListA, u : consAxl =ListA consAym. By the conversion properties of car, car(consAxl) =ListA x and car(consAym) =ListA y are both inhabited types. By the logical properties of equality, there is a term N such that Γ0 ⊢ N : x =A y, and the theorem follows. Unfortunately, we cannot prove List3 in the same way. However, we can prove a result which is just as good for our purposes.
Theorem 3 There is a closed term M such that

    ⊢ M : (∀A : Prop)(∀x : A)(∀y : A)(∀l : ListA)(∀m : ListA)
            (Ll ⊃ Lm ⊃ consAxl =ListA consAym ⊃ l =ListA m).

Proof Similar to the proof of Theorem 2. The extra antecedents Ll and Lm are necessary in order to use the second result of Corollary 1.2.
4 The consistency of List1
It does not appear possible to prove List1 or a variant of it in the way we were able to prove List2 and List3. However, it is possible to prove that adding it as a postulate to other appropriate postulates is consistent. The proof is similar to that for Peano1 in [2, §9].

Theorem 4 Let Γ be a strongly consistent environment. Then Γ, c : List1 is consistent.

Proof This will be proved by showing that it is impossible to prove

    (1)    Γ, c : List1, z : Prop ⊢ M : z

where z does not occur free in Γ. Thus, suppose it is possible. Then there is a normal deduction of (1). There is thus a shortest such deduction, call it D. Since z is an atomic type, the only inferences in the left branch of D are by (∀e) and (Eq′′). It follows that the formula at the top of that branch is not discharged. That formula cannot be in Γ because Γ is strongly consistent, and it cannot be z : Prop. Hence, it must be c : List1, and D has the following form:

                z : Prop   z : Prop   z : Prop    z : Prop
                D1(z)      D2(z)      D3(z)       D4(z)
    c : List1   A : Prop   X : A      L : ListA   M1 : B
    ----------------------------------------------------- (∀e) × 4
                      cAXLM1 : ⊥                           z : Prop
                      -------------------------------------------- (∀e)
                                   cAXLM1 z : z

where B ≡ consAXL =ListA nilA, and where

    A   B   C   D   E
    ----------------- (∀e) × 4
            F

is an abbreviation for

    A   B
    ----- (∀e)
      F1      C
      --------- (∀e)
         F2       D
         ----------- (∀e)
             F3       E
             ----------- (∀e)
                  F

for some F1, F2, F3.

Now consider D4(z). Written without abbreviations in the conclusion, it is

    z : Prop
    D4(z)
    M1 : (∀r : ListA → Prop)(r(consAXL) ⊃ r(nilA)).

Case 1. The last non-equality rule of D4(z) is (∀e). Then, as before, the top formula of the left branch is not discharged and is c : List1. Thus, D4(z) has the form

                z : Prop    z : Prop    z : Prop      z : Prop
                D5(z)       D6(z)       D7(z)         D8(z)
    c : List1   A′ : Prop   X′ : A′     L′ : ListA′   M2 : B′
    ---------------------------------------------------------- (∀e) × 4
                        cA′X′L′M2 : ⊥
                        D9
                M1 : (∀r : ListA → Prop)(r(consAXL) ⊃ r(nilA)),

where B′ ≡ consA′X′L′ =ListA′ nilA′. But then

                z : Prop    z : Prop    z : Prop      z : Prop
                D5(z)       D6(z)       D7(z)         D8(z)
    c : List1   A′ : Prop   X′ : A′     L′ : ListA′   M2 : B′
    ---------------------------------------------------------- (∀e) × 4
                        cA′X′L′M2 : ⊥                           z : Prop
                        ----------------------------------------------- (∀e)
                                      cA′X′L′M2 z : z

is a shorter proof of (1), contrary to hypothesis. Hence, this case is impossible.

Case 2. The last non-equality rule of D4(z) is (∀Ti). Then D4(z) is

    standard proof
    ListA : Prop   Prop : Type               z : Prop, [r : ListA → Prop]1
    -------------------------- (PTF − v)     D41(z, r)
    ListA → Prop : Type                      M2 : r(consAXL) ⊃ r(nilA)
    -------------------------------------------------------------------- (∀Ti − 1)
    λr : ListA → Prop . M2 : (∀r : ListA → Prop)(r(consAXL) ⊃ r(nilA)),

where M1 ≡ λr : ListA → Prop . M2. Now consider D41(z, r). By the argument of Case 1 above, the last non-equality rule is not (∀e), so it must be (∀Pi), and the left branch of D41(z, r) is

    z : Prop, r : ListA → Prop, [u : r(consAXL)]
    D411(z, r, u)
    M3 : r(nilA),

where M2 ≡ λu : r(consAXL) . M3. Now consider D411(z, r, u). By the argument of Case 1, the last rule is not (∀e), and it clearly cannot be (∀κi). Hence, it must be (Eq′′). This requires

    (2)    consAXL =∗ nilA,

but since

    consAXL =∗ λB : Prop . λf : A → B → B . λy : B . f X(LBf y)

and

    nilA =∗ λB : Prop . λf : A → B → B . λy : B . y,

the two terms on either side of (2) have distinct normal forms, and (2) is impossible. Hence, there is no proof of (1).

This proof is very much like the proof of [2, Theorem 21]. In fact, the two proofs could be combined as two cases of a proof of the following:

Corollary 4.1 If Γ is a strongly consistent environment, then Γ, c1 : Peano1, c2 : List1 is consistent.

I conjecture that similar results can be obtained for other inductively generated free algebras.
5 Generalization to abstract data types
For any closed proposition A, ListA is almost an example of the data types considered by [1, Definition 4.1]:

Definition 2 A CC-data type structure consists of

1. a closed proposition D0, called the universe of the structure;
2. a set {M1, . . . , Mn} of closed propositions called parameters of the CC-data type structure; and
3. a set {f1, . . . , fm} of closed proofs of CC (the calculus of constructions), called constructors of the CC-data type structure. Each fj has type A1,j → . . . → Anj,j → D0, where each Ai,j is either D0 or is some Mk.

Definition 3 The signature of a CC-data type structure consists of the sets of propositions {M1, . . . , Mn} (the parameters) and {F1[u], . . . , Fm[u]} ("types of constructors"), where each Fj[u] is obtained from A1,j → . . . → Anj,j → D0 by replacing D0 and all Ak,j which are not parameters by u, which has type Prop.

Definition 4 Given a signature {M1, . . . , Mn}, {F1[u], . . . , Fm[u]}, the CC-parametric data type for this signature is the one given by

1. D0 ≡ (∀u : Prop)(F1[u] → . . . → Fm[u] → u),
2. {M1, . . . , Mn},
3. fj ≡ λx1 : A1,j . . . . . λxnj : Anj,j . λu : Prop . λy1 : F1[u] . . . . . λym : Fm[u] . yj t1 . . . tnj, where

    ti ≡ xi if Ai,j is some Mk,
    ti ≡ xi u y1 . . . ym if Ai,j is D0.

Definition 5 A CC-data type is defined by induction as follows: D is a CC-data type if it is a CC-parametric data type and all of its parameters are CC-data types or are variables of type Prop.
Remark 1 Berardi limits parameters to CC-data types. This definition is generalized here to accommodate ListA, since A is such a variable. It is possible to abstract from such CC-data types with respect to these parameters, as is done in the case of lists.

Berardi also defines what he calls an iterator, which corresponds to Listrec:

Definition 6 The D-iterator is defined by

    Diter ≡ λu : Prop . λh1 : F1[u] . . . . . λhm : Fm[u] . λx : D . xuh1 . . . hm.

Remark 2 This term corresponds exactly to Listrec. Listrec should probably have been called Listiter, since it is really an iterator rather than a recursion operator. Compare with the terms Z (iterator) and R (recursion operator) for natural numbers: the former satisfies Z(σx)f =∗ f(Zxf), whereas the latter satisfies RMN(σx) =∗ Nx(RMNx). Clearly, Listrec is more like the former than the latter, and this is why defining cdr was so difficult.

The basic property of Diter is given by

Theorem 5 If B : Prop and Hj : Fj[B] for j = 1, . . . , m, then

    DiterBH1 . . . Hm(fj t1 . . . tnj) =∗ Hj T1 . . . Tnj,

where

    Ti ≡ ti if Ai,j is some Mk,
    Ti ≡ DiterBH1 . . . Hm ti if Ai,j is D0.
Proof By Definition 4,

    DiterBH1 . . . Hm(fj t1 . . . tnj) =∗ fj t1 . . . tnj BH1 . . . Hm =∗ Hj T1 . . . Tnj,

where

    Ti ≡ ti if Ai,j is some Mk,
    Ti ≡ ti BH1 . . . Hm if Ai,j is D0,
and DiterBH1 . . . Hm ti =∗ ti BH1 . . . Hm by Definition 6.

Berardi also defines propositions inductionD asserting that all elements of the domain of the data type D can be constructed by the constructors, and considers it surprising that these propositions cannot be proved. But it is not surprising that they cannot be proved: if =∗ does not include η-conversion, then the induction predicate for the natural numbers is not true. For the term λA : Prop . λx : A → A . x is a term of type N which is not convertible to any numeral (although it is η-convertible to 1 ≡ λA : Prop . λx : A → A . λy : A . xy). This is why I have used N and L to obtain induction for natural numbers and lists. If this approach is applied to CC-data types, the result is the following definition:

Definition 7 If D is a CC-data type, then the predicate Dpred is defined as follows:

    Dpred ≡ λx : D . (∀y : D → Prop)(closef1 y ⊃ . . . ⊃ closefm y ⊃ yx),

where, for each j = 1, 2, . . . , m,

    closefj y ≡ (∀x1 : A1,j) . . . (∀xnj : Anj,j)(Y1 x1 ⊃ . . . ⊃ Ynj xnj ⊃ y(fj x1 . . . xnj)),

where, for each i = 1, . . . , nj,

    Yi ≡ y if Ai,j is D0,
    Yi ≡ D′pred if Ai,j is Mk, a CC-data type whose predicate is D′pred,
    Yi ≡ λz : Mk . T if Ai,j is Mk, a variable,

and where T ≡ ⊥ ⊃ ⊥.
As in the case of N and L, we can prove the following:

Theorem 6 The term Dpred satisfies ⊢ Dpred : D → Prop, and there are closed terms Nj and P such that

    ⊢ Nj : (∀x1 : A1,j) . . . (∀xnj : Anj,j)(Dpred(fj x1 . . . xnj)),

and

    ⊢ P : (∀B : D → Prop)(closef1 B ⊃ . . . ⊃ closefm B ⊃ (∀x : D)(Dpred x ⊃ Bx)).
The last of these expresses the induction property for D, so to have this property it is sufficient to replace formulas of the form (∀x : D)M by (∀x : D)(Dpred x ⊃ M). This leaves the unicity conditions. They are that each constructor is injective and that the co-domains of the constructors are mutually disjoint. The methods used for lists here can deal with these conditions for CC-data types satisfying certain conditions.

Let us start with the disjointness of the co-domains of the constructors. This is expressed by axioms of the form

    cj,l : (∀x1 : A1,j) . . . (∀xnj : Anj,j)(∀y1 : A1,l) . . . (∀ynl : Anl,l)(¬fj x1 . . . xnj =D fl y1 . . . ynl).

Let us call these axioms ci,j : Ci,j. If we assume that different constructors have different normal forms, then these axioms can be proved consistent by the method of Theorem 4. But by Definition 4, the constructors will have distinct normal forms when no two of them have the same type (since the terms are determined by their signatures). This gives us

Theorem 7 Let D be a CC-data type in which no two constructors have the same type. Let Γ be a strongly consistent environment. Let Γ′ be an environment consisting of Γ together with all the ci,j : Ci,j. Then Γ′ is consistent.

Because of the way in which constructors are defined from their types, it is safe to assume that there are no CC-data types in which two constructors have the same type, so the restriction of this theorem is not a major one.

Now let us turn to the injective property of constructors. In the case of natural numbers and lists, this is established by the use of inverses to the constructors. What we need is an inverse for each constructor fj for each of its arguments. Let us call πi,j the predecessor for argument i of the constructor fj. The property we want for πi,j : D → Ai,j is

    πi,j M =∗ ti if M =∗ fj t1 . . . tnj,
    πi,j M =∗ N otherwise,

where N : Ai,j is any term of the right type. The definition will depend on the type Ai,j: if it is some Mk then our definition will be like that of car, whereas if it is D then the definition will be like that of cdr. For the case in which there is more than one i for which Ai,j is D, we will need n-tuples.
Definition 8 Tuples will be defined so that Dn A1 . . . An X1 . . . Xn : A1 × . . . × An, where the association for × is to the right, so that A1 × A2 × . . . × An−1 × An is A1 × (A2 × (. . . (An−1 × An) . . .)). The definition will be for n ≥ 2, and will be as follows:

    D2 ≡ D,
    Dn+1 ≡ λu : Prop . λu1 : Prop . . . . . λun : Prop . λx : u . λx1 : u1 . . . . . λxn : un . Dux(Dn u1 . . . un x1 . . . xn).

Projection functions will be defined in the form kthn for 1 ≤ k ≤ n as follows (where 1th will mean fst and 2th will mean snd):

    kth2 ≡ kth,
    fstn+1 ≡ λu : Prop . λu1 : Prop . . . . . λun : Prop . λx : u × u1 × . . . × un . fstu(u1 × . . . × un)x,

and, for k ≥ 2,

    kthn+1 ≡ λu : Prop . λu1 : Prop . . . . . λun : Prop . λx : u × u1 × . . . × un . (k − 1)thn u1 . . . un(sndux).

Definition 9 Let D be a CC-data type. The terms πi,j of type D → Ai,j will be defined as follows:

(1) if Ai,j is Mk for some k, then

    πi,j ≡ λy : Ai,j . λx : D . DiterAi,j H1 . . . Hm x,

where

    Hl ≡ λx1 : A1,j . . . . . λxnj : Anj,j . xi if l = j,
    Hl ≡ λx1 : A1,l . . . . . λxnl : Anl,l . y if l ≠ j.

(2) if Ai,j is D, then let i1, . . . , ir be the indices is for which Ais,j is D, and assume that i = is. Then

    πis,j ≡ λx : D . (s + 1)thr+1 D . . . D (Gj x),

with r + 1 copies of D, where

    Gj ≡ λx : D . Diter(D × . . . × D)H1 . . . Hm x,

the product having r + 1 factors, and

    Hl ≡ λx1 : A′1,j . . . . . λxnj : A′nj,j . Dr+1 D . . . D (fj X1 . . . Xnj) Xi1 . . . Xir if l = j,
    Hl ≡ λx1 : A1,l . . . . . λxnl : Anl,l . Dr+1 D . . . D x . . . x otherwise,

with r + 1 copies of D and, in the second case, r + 1 copies of x (the argument of Gj), and where

    A′h,j ≡ D × . . . × D (r + 1 factors) if h = is for s = 1, . . . , r,
    A′h,j ≡ Ah,j otherwise,

and

    Xh ≡ fstr+1 D . . . D xh (r + 1 copies of D) if h = is for s = 1, . . . , r,
    Xh ≡ xh otherwise.
Theorem 8 Let D be a CC-data type, and suppose i1, . . . , ir are the indices is for which Ais,j =∗ D. Suppose X : D. Then

    Gj X =∗ Dr+1 D . . . D Y Y1 . . . Yr

(with r + 1 copies of D), where Y =∗ X and

    Yl =∗ tis if X =∗ fj t1 . . . tnj and l = is,
    Yl =∗ X otherwise.
Proof By induction on X as a member of the CC-data type D.

Case 1. X =∗ fl t1 . . . tnl where l ≠ j. Then

    Gj X =∗ Diter(D × . . . × D)H1 . . . Hm X
         =∗ Hl T1 . . . Tnl
         =∗ Dr+1 D . . . D X . . . X

(r + 1 copies of D and of X), and the theorem is satisfied.

Case 2. X =∗ fj t1 . . . tnj. By the induction hypothesis,

    Gj ti =∗ Dr+1 D . . . D ti Y1 . . . Yr,

so fst(Gj ti) =∗ ti. Hence,

    Gj X =∗ Diter(D × . . . × D)H1 . . . Hm X
         =∗ Hj T1 . . . Tnj
         =∗ Dr+1 D . . . D (fj T1 . . . Tnj) Ti1 . . . Tir,

where Th =∗ th for h ≠ is and Tis = fstr+1 D . . . D (Gj tis) for s = 1, . . . , r. Hence, by the induction hypothesis,

    Gj X =∗ Dr+1 D . . . D X ti1 . . . tir,
as desired.

Corollary 8.1 For CC-data types D, if Ai,j =∗ D, then

    πi,j(fl t1 . . . tnl) =∗ ti if l = j,
    πi,j(fl t1 . . . tnl) =∗ fl t1 . . . tnl if l ≠ j.
Theorem 9 Let D be a CC-data type and suppose that Ai,j is some Mk. Suppose N : Mk. Then

    πi,j N(fl t1 . . . tnl) =∗ ti if l = j,
    πi,j N(fl t1 . . . tnl) =∗ N if l ≠ j.
Proof We have, by Definition 9 (1),

    πi,j N(fj t1 . . . tnj) =∗ DiterAi,j H1 . . . Hm(fj t1 . . . tnj)
                           =∗ Hj T1 . . . Tnj
                           =∗ Ti
                           =∗ ti,

while if l ≠ j, we have

    πi,j N(fl t1 . . . tnl) =∗ DiterAi,j H1 . . . Hm(fl t1 . . . tnl)
                           =∗ Hl T1 . . . Tnl
                           =∗ N.

Corollary 9.1 For any CC-data type D, πi,j(fj t1 . . . tnj) =∗ ti.
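As an added example, not code from the paper or from Berardi's work, the Python block below instantiates Definitions 8 and 9 and the invariant of Theorem 8 for one concrete CC-data type: binary trees with constructors leaf : M → T and node : T → T → T, so that node has r = 2 arguments of type D and the (r + 1)-tuple construction is needed. As in the list example, Prop arguments are erased. The names D_n, kth, G_node, pi_node and pi_leaf are this example's spellings of the paper's Dn, kthn, Gj and πi,j; tree_to_py and the sample tree are constructed only so that results can be inspected.

```python
# Added example: type-erased Python model of §5 for the CC-data type of
# binary trees, leaf : M -> T and node : T -> T -> T.  A value is its own
# iterator (Berardi's encoding, Definition 6, with Prop arguments erased).


def leaf(a):
    # constructor with one argument of parameter type M
    return lambda h_leaf, h_node: h_leaf(a)


def node(l, r):
    # constructor with two arguments of type D (the tree type itself)
    return lambda h_leaf, h_node: h_node(l(h_leaf, h_node), r(h_leaf, h_node))


def diter(h_leaf, h_node, x):
    # Diter h1 h2 x = x h1 h2 (Definition 6); the subtrees arrive already folded
    return x(h_leaf, h_node)


# Church pairs and Definition 8: right-nested tuples D_n and projections kth_n
def D(a, b):
    return lambda k: k(a, b)


def fst(p):
    return p(lambda a, b: a)


def snd(p):
    return p(lambda a, b: b)


def D_n(*xs):
    """D_2 = D and D_{n+1} x x1 .. xn = D x (D_n x1 .. xn)."""
    assert len(xs) >= 2
    return D(xs[0], xs[1]) if len(xs) == 2 else D(xs[0], D_n(*xs[1:]))


def kth(k, n, p):
    """kth_n for 1 <= k <= n: fst_{n+1} = fst, kth_{n+1} p = (k-1)th_n (snd p)."""
    assert 1 <= k <= n and n >= 2
    if k == 1:
        return fst(p)
    if n == 2:
        return snd(p)
    return kth(k - 1, n - 1, snd(p))


# Definition 9 (2) for j = node: r = 2, so G_node folds with triples.
def G_node(x):
    def H_leaf(a):
        # l != j: the tuple holds r + 1 copies of the rebuilt value
        v = leaf(a)
        return D_n(v, v, v)

    def H_node(X1, X2):
        # l = j: X1, X2 are the triples for the subtrees; their first
        # components are the subtrees themselves (Theorem 8), so rebuild
        # the node from them and keep the original arguments alongside.
        l, r = fst(X1), fst(X2)
        return D_n(node(l, r), l, r)

    return diter(H_leaf, H_node, x)


def pi_node(s, x):
    """pi_{i_s, node} = (s+1)th_{r+1} (G_node x) for s = 1, 2 (Corollary 8.1)."""
    return kth(s + 1, 3, G_node(x))


# Definition 9 (1) for j = leaf: the argument has parameter type M, so the
# inverse behaves like car and takes the default value N first.
def pi_leaf(N, x):
    return diter(lambda a: a, lambda _l, _r: N, x)


# Constructed helper (not in the paper): render a tree as nested tuples
def tree_to_py(t):
    return diter(lambda a: ("leaf", a), lambda l, r: ("node", l, r), t)


if __name__ == "__main__":
    t = node(leaf(1), node(leaf(2), leaf(3)))      # constructed sample tree
    print(tree_to_py(pi_node(1, t)))               # ('leaf', 1)
    print(tree_to_py(pi_node(2, t)))               # ('node', ('leaf', 2), ('leaf', 3))
    print(tree_to_py(pi_node(1, leaf(4))))         # ('leaf', 4): the "otherwise" case
    print(pi_leaf(0, leaf(9)), pi_leaf(0, t))      # 9 0
```

The two kinds of inverse differ exactly as Definition 9 says: pi_leaf needs a default value because nothing of type M is available from a node, whereas pi_node needs no default since the "otherwise" branch of Corollary 8.1 can return the argument itself, which G_node carries along in every component of its triple.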
The unicity conditions can now be proved for CC-data types as in Theorems 2 and 3. This means that the environment Σ (which the author calls a context) of [1, p. 49] can be made smaller: it will only need the axiom c : ¬0 =N σ0, which is a special case of Peano1 and is thus known to be consistent. Remark 3 It is worth pointing out that Berardi is not simply interested in whether or not his axioms are consistent in the terms we have considered here. He is interested in whether or not they are consistent with set theory. This is because he is using these axioms to verify the strong normal form theorem for Girard’s F , and he wants to show that this proof is valid in set theory. Merely proving the axioms consistent in the sense of this paper would only lead to the result that SN for the calculus of constructions implies SN for F , which is a much less interesting result.
References

[1] Stefano Berardi. Encoding of data types in pure construction calculus: a semantic justification. In Gérard Huet and Gordon Plotkin, editors, Logical Environments, pages 30–60. Cambridge University Press, 1993.

[2] Jonathan P. Seldin. On the proof theory of Coquand's calculus of constructions. Annals of Pure and Applied Logic, 83:23–101, 1997.