From formal proofs to mathematical proofs: a safe, incremental way for building in first-order decision procedures
We investigate here a new version of the Calculus of Inductive Constructions (CIC) on which the proof assistant Coq is based: the Calculus of Congruent Inductive Constructions, which truly extends CIC by building in arbitrary first-order decision pro…
Authors: Frederic Blanqui (INRIA Lorraine - LORIA), Jean-Pierre Jouannaud (LIX, INRIA Saclay Ile de France)
Frédéric Blanqui, Jean-Pierre Jouannaud and Pierre-Yves Strub

Abstract

We investigate here a new version of the Calculus of Inductive Constructions (CIC) on which the proof assistant Coq is based: the Calculus of Congruent Inductive Constructions, which truly extends CIC by building in arbitrary first-order decision procedures: deduction is still in charge of the CIC kernel, while computation is outsourced to dedicated first-order decision procedures that can be taken from the shelves provided they deliver a proof certificate. The soundness of the whole system becomes an incremental property following from the soundness of the certificate checkers and that of the kernel. A detailed example shows that the resulting style of proofs becomes closer to that of the working mathematician.

1 Introduction

Proof assistants based on the Curry-Howard isomorphism such as Coq [9] allow one to build the proof of a given proposition by applying appropriate proof tactics available from existing libraries, or that can otherwise be developed for achieving a specific task. These tactics generate a proof term that can be checked with respect to the rules of logic. The proof-checker, also called the kernel of the proof assistant, implements the deduction rules of the logic on top of a term manipulation layer. In this model, the mathematical correctness of a proof development relies entirely on the kernel. Trusting the kernel is therefore vital.

The (intuitionist) logic on which Coq is based is the Calculus of Constructions (CC) of Coquand and Huet [10], an impredicative type theory incorporating polymorphism, dependent types and type constructors.
Unlike logics without dependent types, CC enjoys a powerful type-checking rule, called conversion, which incorporates computations within deductions, making decidability of type-checking a non-trivial property of the calculus. In CC, computation reduces to (pure) functional evaluation in the underlying lambda calculus. The notion of computation is richer in the Calculus of Inductive Constructions of Coquand and Paulin (CIC), obtained from CC by adding inductive types and the corresponding rules for higher-order primitive recursion [11]. The recent versions of Coq are based on a slight generalization of this calculus [15]. Still, such a simple function as reverse of a dependent list cannot be defined in CIC as one would expect, because (reverse l :: l′) and (reverse l′) :: (reverse l), assuming :: is list concatenation, have non-convertible types list(n + m) and list(m + n), assuming (reverse l) has for type the type of its argument l. This is so because the usual definition of + by induction on one of its arguments does not reduce the proof of m + n = n + m to a computation. We do believe that scaling up the proof development process requires being able to mimic the mathematician when replacing the proof of a proposition P by the proof of an equivalent proposition P′ obtained from P thanks to possibly complex calculations in which easy steps are hidden away. It is our program to make this view a reality.

Author affiliations: Frédéric Blanqui, INRIA & LORIA, Campus Scientifique, BP 239, 54506 Vandoeuvre-lès-Nancy Cedex, France, e-mail: blanqui@loria.fr. Jean-Pierre Jouannaud and Pierre-Yves Strub, LIX, UMR 7161, Project INRIA TypiCal, École Polytechnique, 91128 Palaiseau, France, e-mail: jouannaud, strub@lix.polytechnique.fr.
A way to incorporate decision procedures into Coq is by developing a tactic and then using a reflexion technique to omit checking the proof term being built, by proving the decision procedure itself. But the soundness of the entire mechanism cannot be guaranteed in general [12]. Further, this does not answer the question of hiding easy steps away.

A first attempt towards our goal is the Calculus of Algebraic Constructions (CAC), obtained by adding to CC user-defined computations as rewrite rules [5, 3]. Although conceptually quite powerful since CAC captures CIC [4], this paradigm does not yet fulfill all needs. In particular, the user needs to hide away the easy steps by himself, that is by giving the necessary rewrite rules and by verifying that they satisfy the assumptions of the general schema [5, 3].

The proof assistant PVS uses a potentially stronger paradigm than Coq by combining its deduction mechanism with a notion of computation based on the powerful Shostak's method for combining decision procedures [20], a framework dubbed little proof engines by Shankar [19]. Indeed, the little engines of proof hide away the easy computational steps, without any user assistance. Unfortunately, proof-checking is not decidable in PVS. Further, since the little engines of proofs involve complex coding, as well as Shostak's algorithm itself, one can only believe a PVS proof, while one can check and trust a Coq proof.

Two steps in the direction of integrating decision procedures into CC are Stehr's Open Calculus of Constructions (OCC) [21] and Oury's Extensional Calculus of Constructions (ECC) [17]. Implemented in Maude, OCC allows for the use of an arbitrary equational theory in conversion.
ECC can be seen as a particular case of OCC in which all provable equalities can be used in conversion, which can also be achieved by adding the extensionality and Streicher's axioms to CC [22], hence the name of this calculus. Unfortunately, strong normalization and decidability of type checking are then lost, which shows that we should seek more restrictive extensions.

In a preliminary work, we designed a new, quite restrictive framework, the Calculus of Congruent Constructions (CCC), which incorporates the congruence closure algorithm in CC's conversion [7], while preserving the good properties of CC, including the decidability of type checking. In [6], we have described CC_N, in which the decision procedure was Presburger arithmetic and strong elimination ruled out. The present work is a continuation of the latter.

Theoretical contribution. Our main theoretical contribution is the definition and the meta-theoretical investigation of the Calculus of Congruent Inductive Constructions (CCIC), which incorporates arbitrary first-order theories for which entailment is decidable into deductions via an abstract conversion rule of the calculus. A major technical innovation of this work lies in the computation mechanism: goals are sent to the decision procedure together with the set of user hypotheses available from the current context. Our main result shows that this extension of CIC does not compromise its properties: confluence, strong normalization, coherence and decidability of proof-checking are all preserved.

Unlike previous calculi, the difficulty with CCIC is not strong normalization, for which we have reused the strong normalization proof of CAC [3]. A major difficulty was a traditional step towards subject-reduction: compatibility of conversion with products.
Decidability of type checking required restricting conversions below recursors [23].

Practical contribution. We give several examples showing the usefulness of this new calculus, in particular for using dependent types such as dependent lists, which has been an important weakness of Coq until now. Further studies are needed to explore other potential applications, to match inductive definition-by-case modulo theories of constructors-destructors, another very different weakness of Coq. A detailed example shows that the resulting style of proofs becomes closer to that of the working mathematician.

Methodological contribution. The safety of proof assistants is based on their kernel. In the early days of Coq, the safety of its kernel relied on its small size and its clear structure reflecting the inference rules of the intuitionist type theory, CC, on which it was based. The slogan was that of a readable kernel. Moving later to CIC eased the specification tasks, making the system very popular among proof developers, but resulted in a more complex kernel that can now hardly be read except by a few specialists. The slogan changed to a provable kernel, and indeed one version of it was once proved with an earlier version (using strong normalization as an assumption), and a new safe kernel extracted from that proof. Of course, there have been many changes in the kernel since then, and its correctness proof was not maintained. This is a first weakness of the readable kernel paradigm: it does not resist changes. There is a second which relates directly to CCIC: there is no guarantee that a decision procedure taken from the shelf implements correctly the complex mathematical theorem on which it is based, since carrying out such a proof may require an entire PhD work. Therefore, these procedures cannot be part of the kernel.
Our solution to these problems is a new shift of paradigm to that of an incremental kernel. The calculus on which a proof assistant is based should come in two parts: a stable calculus implementing deduction, CIC in our case, which should satisfy the readable or provable kernel paradigm; and a collection of independent decision procedures implementing computations, that produce checkable proof certificates. The certificate checker should of course itself satisfy the readable or provable code paradigm. Note that a Coq proof is a particular case of a checkable certificate.

This paradigm has many advantages. First, it allows for a modular, cooperative development of the system, by separating the development of the kernel from that of the decision procedures. Second, it allows for an unsafe mode in case a decision procedure is used that does not have a certificate generator yet. Third, it allows errors to be traced better in case the system rejects a proof, by using decision procedures that output explanations when they fail. Last, it allows the user to use any decision procedure she needs by simply hooking it to the system, possibly in unsafe mode.

This incremental schema is quite flexible, assuming that decision procedures come one by one. However, even so, they are not independent: they must be combined. Combining first-order decision procedures is not a new problem; it was considered in the early 80's by Nelson and Oppen on the one hand, by Shostak on the other hand, and has generated much work since then. There are several possibilities to build in this mechanism: in the kernel, via a certificate generator and checker again, or by reflection. This design decision has not been made yet.
2 Congruent Inductive Constructions

The Calculus of Congruent Inductive Constructions (CCIC) is an extension of CIC which embeds in its conversion rule the validity entailment of a fixed first order theory. First, we recall the basics of CIC before introducing parametric multi-sorted algebras and then embedding these first-order algebras into CIC. We are then able to define our calculus relative to a specific congruence that is defined last. For simplicity, we will only consider here the particular case of parametric lists and that of the natural numbers equipped with Presburger arithmetic. This simple case allows us to build lists of natural numbers, as well as lists of lists of natural numbers, and so on. It indeed has the complexity of the whole calculus, which is not at all the case when natural numbers only are considered as in [6].

2.1 Calculus of Inductive Constructions

Terms. We start our presentation by first describing the terms of CIC. CIC uses the sorts ⋆ (or Prop, or object level universe), □ (or Type, or predicate level universe) and △. We denote {⋆, □, △}, the set of CIC sorts, by S. Following the presentation of Pure Type Systems (PTS) [14], we use two classes of variables: X_⋆ and X_□ are countably infinite sets of term variables and predicate variables such that X_⋆ and X_□ are disjoint. We write X for X_⋆ ∪ X_□. We shall use u⃗ for a list (u_1, ..., u_n), s for a sort in S, x, y, ... for variables in X_⋆, and X, Y, ... for variables in X_□.

Definition 1 (Pseudo-terms). The algebra L of pseudo-terms of CIC is defined by:

$$t, u, T, U, \ldots ::= s \in S \mid x \in X \mid \forall(x:T).t \mid \lambda[x:T].t \mid t\,u \mid \mathrm{Ind}(X:t)\{T_i\} \mid t[n] \mid \mathrm{Elim}(t : T[u_i] \to U)\{w_j\}$$

The notion of free variables is as usual, the binders being λ, ∀ and Ind (in Ind(X : t){T_i}, X is bound in the T_i's).
We write FV(t) for the set of free variables of t. We say that t is closed if FV(t) = ∅. A variable x freely occurs in t if x ∈ FV(t).

Inductive types. The novelty of CIC was to introduce inductive types, denoted by I = Ind(X : T){C_i} where the C_i's describe the types of the constructors of I, and T the type (or arity) of I, which must be of the form ∀(x_i : T_i).⋆. The k-th constructor of the inductive type I, of type C_k{X ↦ I}, will be denoted by I[k].

As an easy first example, we define natural numbers: nat := Ind(X : ⋆){X, X → X}. We shall use 0 and S as constructors for natural numbers, of respective types nat and nat → nat, obtained by replacing X by nat in the above two expressions X and X → X. Elimination rules for nat are as follows:

$$\mathrm{Elim}_N(0, Q)\{v_0, v_S\} \to_\iota v_0 \qquad \mathrm{Elim}_N(S\,x, Q)\{v_0, v_S\} \to_\iota v_S\; x\; (\mathrm{Elim}_N(x, Q)\{v_0, v_S\})$$

with Q : nat → s, s ∈ S.

Similarly, we now define parametric lists: list := λ[T : ⋆].Ind(X : ⋆){X, T → X → X}. We shall use nil and cons as constructors for parametrized lists, of respective types ∀(T : ⋆).list(T) and ∀(T : ⋆).T → list(T) → list(T). Elimination rules for list are:

$$\mathrm{Elim}_L(\mathrm{nil}, Q)\{v_{nil}, v_{cons}\} \to_\iota v_{nil} \qquad \mathrm{Elim}_L(\mathrm{cons}\;x\;l, Q)\{v_{nil}, v_{cons}\} \to_\iota v_{cons}\; x\; l\; (\mathrm{Elim}_L(l, Q)\{v_{nil}, v_{cons}\})$$

Finally, we define dependent words over an alphabet A:

$$\mathrm{word} = \mathrm{Ind}(X : \mathrm{nat} \to \star)\{X\,0,\; A \to X\,(S\,0),\; \forall(y, z : \mathrm{nat}).\,X\,y \to X\,z \to X\,(y + z)\}$$

We shall use ε, char and app for its three constructors, of respective types word 0, A → word(S 0), and ∀(n, m : nat).word n → word m → word(n + m), obtained as previously by replacing X by word in the three expressions X 0, A → X(S 0), and ∀(y, z : nat).X y → X z → X(y + z).
Elimination rules for dependent words are:

$$\mathrm{Elim}_W(\varepsilon, Q)\{v_\varepsilon, v_{char}, v_{app}\} \to_\iota v_\varepsilon$$
$$\mathrm{Elim}_W(\mathrm{char}\;x, Q)\{v_\varepsilon, v_{char}, v_{app}\} \to_\iota v_{char}\; x$$
$$\mathrm{Elim}_W(\mathrm{app}\;n\;m\;l\;l', Q)\{v_\varepsilon, v_{char}, v_{app}\} \to_\iota v_{app}\; n\; m\; l\; l'\; (\mathrm{Elim}_W(l, Q)\{v_\varepsilon, v_{char}, v_{app}\})\; (\mathrm{Elim}_W(l', Q)\{v_\varepsilon, v_{char}, v_{app}\})$$

Definitions by induction. We can now define functions by induction over natural numbers, lists or words. Since using the CIC syntax is a bit painful, we give only a quite simple example defining append (written @) for lists of natural numbers, of type ∀(T : ⋆).list(T) → list(T) → list(T):

$$@ := \lambda[l : \mathrm{list}\;\mathrm{nat}][l' : \mathrm{list}\;\mathrm{nat}].\;\mathrm{Elim}_L(l, Q)\{\,l',\;\; \lambda[x : \mathrm{nat}][l'' : \mathrm{list}\;\mathrm{nat}].\,\lambda[l_1 : \mathrm{list}\;\mathrm{nat}][l_2 : \mathrm{list}\;\mathrm{nat}].\,\lambda[L : Q\;l_1\;l_2].\,\mathrm{cons}\;x\;L\,\}$$

Strong and weak reductions. CIC distinguishes strong ι-elimination, when the type Q of terms constructed by induction is at predicate level, from weak ι-elimination, when Q is at object level. Strong elimination is restricted to small inductive types to ensure logical consistency [24].

Typing judgments. A typing environment Γ is a sequence of pairs x_i : T_i made of a variable x_i and a term T_i (we say that Γ binds x_i to the type T_i), such that Γ does not bind a variable twice. The typing judgments are classically written Γ ⊢ t : T, meaning that the well formed term t is a proof of the proposition T (has type T) under the well formed environment Γ. x_Γ will denote the type associated to x in Γ, and we write dom(Γ) for the domain of Γ as well. The typing rules of CIC given in Figure 1 are made of the typing rules for CC and the typing rules for inductive types, given for the particular case of nat and list.

$$[\mathrm{AX\text{-}1}]\;\; \vdash \star : \square \qquad\qquad [\mathrm{AX\text{-}2}]\;\; \vdash \square : \triangle$$
$$[\mathrm{PROD}]\;\; \frac{\Gamma \vdash T : s_T \qquad \Gamma,[x:T] \vdash U : s_U}{\Gamma \vdash \forall(x:T).U : s_U}$$
$$[\mathrm{ABS}]\;\; \frac{\Gamma \vdash \forall(x:T).U : s \qquad \Gamma,[x:T] \vdash u : U}{\Gamma \vdash \lambda[x:T].u : \forall(x:T).U}$$
$$[\mathrm{APP}]\;\; \frac{\Gamma \vdash t : \forall(x:U).V \qquad \Gamma \vdash u : U}{\Gamma \vdash t\,u : V\{x \mapsto u\}}$$
$$[\mathrm{WEAK}]\;\; \frac{\Gamma \vdash V : s \qquad \Gamma \vdash t : T \qquad s \in \{\star, \square\} \qquad x \in X_s - \mathrm{dom}(\Gamma)}{\Gamma,[x:V] \vdash t : T}$$
$$[\mathrm{VAR}]\;\; \frac{x \in \mathrm{dom}(\Gamma) \cap X_{s_x} \qquad \Gamma \vdash x_\Gamma : s_x}{\Gamma \vdash x : x_\Gamma}$$
$$[\mathrm{CONV}]\;\; \frac{\Gamma \vdash t : T \qquad \Gamma \vdash T' : s' \qquad T \leftrightarrow^*_{\beta\iota} T'}{\Gamma \vdash t : T'}$$
$$[\mathrm{SYMB}]\;\; \frac{\vdash \tau_f : s \in \{\star, \square\}}{\vdash f : \tau_f}$$
$$[\mathrm{ELIM}]\;\; \frac{\Gamma \vdash Q : \mathrm{nat} \to s \in \{\star, \square\} \qquad \Gamma \vdash n : \mathrm{nat} \qquad \Gamma \vdash v_0 : Q\,0 \qquad \Gamma \vdash v_S : \forall(p : \mathrm{nat}).\,Q\,p \to Q\,(S\,p)}{\Gamma \vdash \mathrm{Elim}_N(n, Q)\{v_0, v_S\} : Q\,n}$$
$$[\mathrm{ELIM}]\;\; \frac{\Gamma \vdash T : \star \quad \Gamma \vdash p : \mathrm{nat} \quad \Gamma \vdash l : \mathrm{list}\,T\,p \quad \Gamma \vdash Q : \forall(n : \mathrm{nat}).\,\mathrm{list}\,T\,n \to s \in \{\star, \square\} \quad \Gamma \vdash v_{nil} : Q\,0\,(\mathrm{nil}\,T) \quad \Gamma \vdash v_{cons} : \forall(x : T)(n : \mathrm{nat})(l : \mathrm{list}\,T\,n).\,Q\,n\,l \to Q\,(S\,n)\,(\mathrm{cons}\,T\,x\,n\,l)}{\Gamma \vdash \mathrm{Elim}_L(l, Q)\{v_{nil}, v_{cons}\} : Q\,p\,l}$$

Fig. 1 CIC typing rules for nat and list

We did not give the general typing elimination rule for arbitrary inductive types, which is quite complicated. Instead, we gave the elimination rules obtained for our three inductive types nat, list and word. We refer to [18, 24] for the general case, and for the precise typing rule of Elim_W.

2.2 Parametric sorted algebras

Parametric sorted signature. Order-sorted algebras were introduced as a formal framework for the OBJ language in [13], before being generalized as membership equational logic in [8]. We use here a polymorphic version of a restriction of the latter, by assuming given a signature (Λ, Σ), Λ for the sort constructors, and Σ for the function symbols, made of a set of constructors for each sort constructor and of a set of defined symbols. We shall use the notation f : ∀α⃗.σ_1 × ··· × σ_n → τ for symbol declarations. As an example, we describe natural numbers and parametric (non-dependent) lists using an OBJ-like syntax. We rule out here partiality, as introduced in practice by destructor symbols, for the sake of clarity.
We shall use V = {α, β, ...} for the set of sort variables, and T(Σ, V) = {σ, τ, ...} for the set of sort expressions.

sort nat : ∗
sort list : ∗ → ∗
svar α : ∗
cons 0 : nat
cons S : nat → nat
fun +̇ : nat × nat → nat
cons nil : list(α)
cons cons : α × list(α) → list(α)
fun @ : list(α) × list(α) → list(α)

Definition 2 (Terms). For any sort σ, let X_σ be a countably infinite set of variables of sort σ, s.t. all the X_σ's are pairwise disjoint. Let X = ⋃_σ X_σ. For any x ∈ X, we say that x has sort σ if x ∈ X_σ. For any sort σ, the set T_σ(Σ, X) of terms of sort σ with variables X is the smallest set s.t.:
1. if x ∈ X_τ, then x ∈ T_τ(Σ, X),
2. if (t_1, ..., t_n) ∈ T_{σ_1ξ}(Σ, X) × ··· × T_{σ_nξ}(Σ, X), where f : ∀α⃗.σ_1 × ··· × σ_n → τ and ξ is a sort substitution, then f(t_1, ..., t_n) ∈ T_{τξ}(Σ, X).
Let T(Σ, X) = ⋃_σ T_σ(Σ, X). A term t has sort σ if t ∈ T_σ(Σ, X). Note that the sets X_σ play the role of a typing context.

Example 1. Assuming that x is a variable of sort nat, then 0 and 0 + x are of sort nat, while nil is of sort list(α), list(nat), list(list(nat)), etc.

Definition 3 (Equations). Equations t =_σ u are pairs of terms of the same sort σ.

Example 2. Assuming x of sort nat and l of sort list(list(nat)), x + 0 =_nat x is an equation of sort nat and cons(x, nil) =_{list(nat)} car(l) is an equation of sort list(nat).

We can therefore as usual build parametrized algebras for list and algebras for nat, and therefore get algebras for nat, list(nat), etc. Satisfaction of an equation in these algebras is defined as usual. In practice, sort subscripts may be omitted when they can be inferred from the context.

2.3 Embedding parametric algebras in CIC

Our purpose here is to embed parametric multi-sorted algebras into CIC.
As a result, two different, but related, kinds of symbols will coexist, in CIC and in the embedded algebraic sub-world. We shall distinguish them by underlining symbols in CIC.

The first step of the translation maps, respectively, sort constructors and constructor symbols to CIC inductive types and constructors. We start with natural numbers and their sort constructor nat. Constructor symbols of nat are simply all the constructor symbols whose codomain is nat, i.e. here 0 and S. We thus define nat (the CIC inductive type attached to the sort nat) as an inductive type with two constructor types (one for 0, and one for S): nat := Ind(X : ⋆){C_1(X), C_2(X)}. The constructor types of nat are simply the arities of 0 and S where nat is replaced with the constructor type variable: C_1(X) = X and C_2(X) = X → X. As expected, we obtain here the standard inductive definition of natural numbers given in Section 2.1: Ind(X : ⋆){X, X → X}. The translation of 0 (resp. of S) is then simply nat[1] (resp. nat[2]).

Translating list is not very different. Being of arity 1, with two associated constructor symbols (nil and cons), list is mapped to the already seen parametrized inductive type list = λ[A : ⋆].Ind(X : ⋆){X, A → X → X}. Translation of constructors is done the same way. We just need to take care of currying the symbols, and to replace sort variables with CIC type variables. Finally, defined symbols are mapped to CIC defined symbols, after translating their types appropriately.

2.4 Building in a first-order theory

We now start describing our new calculus CCIC.

Terms. CCIC uses the same set of sorts S = {⋆, □, △} and sets of variables X = X_⋆ ∪ X_□ as CIC. For any sort σ ∈ Λ, let X_σ ⊆ X_⋆ be an infinite set of variables of sort σ s.t. {X_σ}_σ is a family of pairwise disjoint sets.
We also assume that X − ⋃_σ X_σ is infinite. Let A = {r, u} be a set of two constants, called annotations, totally ordered by u ≺_A r, where r stands for restricted and u for unrestricted. We use a for an arbitrary annotation. The role of annotations will be explained later.

Definition 4 (Pseudo-terms of CCIC). Given a parametric sorted signature (Λ, Σ), the algebra L of pseudo-terms of CCIC is defined as:

$$t, u, T, U, \ldots ::= s \in S \mid x \in X \mid \forall(x :_a T).t \mid \lambda[x :_a T].t \mid t\,u \mid f \in \Sigma \mid \sigma \in \Lambda \mid \dot{=} \mid \mathrm{Eq}_T(t) \mid \mathrm{Ind}(X:t)\{T_i\} \mid t[n] \mid \mathrm{Elim}(t : T[u_i] \to U)\{w_j\}$$

In order to make definitions more convenient, we assume in the following that Λ contains the symbols =̇, nat and list, and that Σ contains the symbols 0, S and Eq. Compared with CIC, the differences are:
• the internalization of the first-order symbols,
• the internalization of the equality predicate:
  - t =̇_T u denotes the equality of the two terms (of type T) t and u,
  - Eq_T(t) represents the reflexivity proof of t =̇_T t,
• annotations in products and abstractions are used to control the formation of applications, as can be seen from the new [APP] rule given in Figure 2.

Notation 2.1. When x is not free in t, ∀(x :_a T).t is written T →_a t. The default annotation, when not specified in a product or abstraction, is the unrestricted one.

As usual, there is a layered set of syntactic classes for L:

Definition 5 (Syntactic classes). The pairwise disjoint syntactic classes of CCIC called objects (O), predicates (P), kinds (K), kind predicates (M), and △ are defined as usual:

$$\mathcal{O} ::= X_\star \mid f \in \Sigma \mid \mathcal{O}\,\mathcal{O} \mid \mathcal{O}\,\mathcal{P} \mid \lambda[x^\star :_a \mathcal{P}].\mathcal{O} \mid \lambda[x^\square :_a \mathcal{K}].\mathcal{O} \mid \mathrm{Elim}(\mathcal{O} : \mathcal{P}[\mathcal{O}] \to \mathcal{O})\{\mathcal{O}\}$$
$$\mathcal{P} ::= X_\square \mid \sigma \in \Lambda \mid \mathcal{P}\,\mathcal{O} \mid \mathcal{P}\,\mathcal{P} \mid \lambda[x^\star :_a \mathcal{P}].\mathcal{P} \mid \lambda[x^\square :_a \mathcal{K}].\mathcal{P} \mid \mathrm{Elim}(\mathcal{O} : \mathcal{P}[\mathcal{O}] \to \mathcal{P})\{\mathcal{P}\} \mid \forall(x^\star :_a \mathcal{P}).\mathcal{P} \mid \forall(x^\square :_a \mathcal{K}).\mathcal{P}$$
$$\mathcal{K} ::= \star \mid \mathcal{K}\,\mathcal{O} \mid \mathcal{K}\,\mathcal{P} \mid \lambda[x^\star :_a \mathcal{P}].\mathcal{K} \mid \lambda[x^\square :_a \mathcal{K}].\mathcal{K} \mid \forall(x^\star :_a \mathcal{P}).\mathcal{K} \mid \forall(x^\square :_a \mathcal{K}).\mathcal{K}$$
$$\mathcal{M} ::= \square \mid \forall(x^\star :_a \mathcal{P}).\mathcal{M} \mid \forall(x^\square :_a \mathcal{K}).\mathcal{M}$$
$$\triangle ::= \triangle$$

This enumeration defines a successor function +1 on classes (O + 1 = P, P + 1 = K, K + 1 = M, M + 1 = △). We also define Class(t) = D if t ∈ D and D ∈ {O, P, K, M, △}. From now on, we only consider well-constructed terms (i.e. terms whose class is not ⊥) and well-constructed substitutions (i.e. substitutions θ s.t. Class(x) = Class(xθ) for any x in their domain). It is easy to check that if t is a well-constructed term and θ a well-constructed substitution, then Class(t) = Class(tθ). It is also well-known that βι-reduction preserves term classes.

Definition 6 (Pseudo-contexts of CCIC). The typing environments of CCIC are defined as Γ, ∆ ::= [] | Γ, [x :_a T] s.t. a variable cannot be declared twice. We use dom(Γ) for the domain of Γ and x_Γ for the type associated to x in Γ.

The rules defining the CCIC typing judgment Γ ⊢ t : T are the same as for CIC, except the rules for application and conversion given in Figure 2.

$$[\mathrm{APP}]\;\; \frac{\Gamma \vdash t : \forall(x :_a U).V \qquad \Gamma \vdash u : U \qquad \text{if } a = r \text{ and } U \to^*_\beta t_1 \mathrel{\dot{=}}_T t_2 \text{ with } t_1, t_2 \in \mathcal{O} \text{ then } t_1 \sim_\Gamma t_2 \text{ must hold}}{\Gamma \vdash t\,u : V\{x \mapsto u\}}$$
$$[\mathrm{CONV}]\;\; \frac{\Gamma \vdash t : T \qquad \Gamma \vdash T' : s' \qquad T \sim_\Gamma T'}{\Gamma \vdash t : T'}$$

Fig. 2 CCIC modified typing rules

2.5 Conversion

We are now left with defining the conversion relation ∼_Γ, whose definition needs some preparation, since:
• conversion is defined on CCIC terms, but the first-order decision procedures operate on algebraic terms. We therefore need to translate CCIC terms into algebraic terms, a process we call algebraisation;
• conversion will operate on weak terms only, a notion introduced in Section 2.5. Non-weak terms will be converted with βι-reduction only, to forbid lifting up inconsistencies from the object level to the type level.
This is crucial to avoid breaking strong normalization, and therefore decidability of type-checking, in the presence of inconsistent user assumptions.

Algebraisation. Our calculus has a complex notion of computation reflecting its rich structure made of three ingredients: the typed lambda calculus, the inductive types with their recursors, and the integration of the first order theory T in its conversion. To achieve this integration, goals are sent to the first order theory T together with a set of proof hypotheses extracted from the current context. Algebraisation is the first step of this extraction: it allows transforming a CCIC term into its first-order counterpart. We illustrate this with an example, T being Presburger's arithmetic.

We begin with the simplest case, directly taken from CC_N: the extraction of pure algebraic, non parametric, equations. Suppose that the proof environment contains equations of the form c =̇ 1 + d and d =̇ 2, with c and d variables of sort nat. What is expected is that the set of hypotheses sent to the theory T contains the two well formed T-formulas c = 1 + d and d = 2. This leads to a first definition of equation extraction:
1. a term is algebraic if it is of the form 0, or S t, or t + u, or x ∈ X_N. The algebraisation A(t) of an algebraic term is then defined by induction: A(0) = 0, A(S t) = S(A(t)), A(t + u) = A(t) + A(u) and A(x_N) = x_N;
2. a term is an extractable equation if it is of the form t =̇ u with t and u algebraic terms. The extracted equation is then A(t) = A(u).

The definition becomes harder for parametric signatures. The theory of lists gives us a paradigmatic example. From the definition of the embedding of a polymorphic multi-sorted algebra into CIC, we know that the symbol @ has ∀(T : ⋆).list T → list T → list T for type.
Thus, a fully applied, well formed term having the symbol @ at head position must be of the form (@ T l_1 l_2), T being the type of the elements of the lists l_1 and l_2. Algebraisation of such a term will erase all type parameters: in our example, A(@ T l_1 l_2) = @(A(l_1), A(l_2)).

Algebraisation of non-pure algebraic terms is done by abstracting non-algebraic subterms with fresh variables. For example, algebraisation of 1 + t with t non-algebraic will lead to 1 + x_nat, where x_nat is an abstraction variable of sort nat for t. Of course, if the proof context contains two equations of the form c =̇ 1 + t and d =̇ 1 + u with t and u βι-convertible, t and u should be abstracted by a unique variable so that c = d can be deduced in T from c = 1 + y_nat and d = 1 + y_nat. The problem is harder for:
• parametric symbols: in (cons T t (nil U)) with t non algebraic, should t be abstracted by a variable of sort nat or list(nat)?
• ill-formed terms: should (cons T 0 (cons T (nil U) (nil T))) be abstracted as a list of natural numbers or as a list of lists?

Our solution is to postpone decisions: A(t) will be a function from Λ to the terms of T s.t. A(t)(σ) is the algebraisation of t under the condition that t is a CCIC representation of a first order term of sort σ.

We now give the formal definition of A(·). We assume:
- a Λ-sorted family {Y_σ}_σ of pairwise disjoint countably infinite sets of variables of sort σ. Let Y = ⋃_σ Y_σ;
- for any equivalence relation R and sort σ ∈ Λ, a function π^σ_R : CCIC(X) → Y_σ s.t. π^σ_R(t) = π^σ_R(u) if and only if t R u (i.e. π^σ_R(t) is the element of Y_σ representing the class of t modulo R).

Definition 7 (Well applied term). A term is well applied if it is of the form f [T_α]_{α ∈ α⃗} t_1 ··· t_n with f : ∀α⃗.σ_1 × ··· × σ_n → σ.

Example 3.
Examples of well applied terms are 0, S t, or cons T x l, T being the type parameter here. Note that we do not require the term to be well formed. In the case of partial symbols, such as car for lists, this definition must be changed slightly by adding a new argument, the proof that the input satisfies the appropriate guard, here that it is not nil.

Definition 8 (Algebraisation). The algebraisation of t ∈ CCIC modulo an equivalence relation R is the function A_R(t) : Λ → T(X_⋆ ∪ Y) defined by:

$$\mathcal{A}_R(x_\sigma)(\sigma) = x_\sigma$$
$$\mathcal{A}_R(f\,T\,[u_i]_{i \in n})(\tau\xi) = f(\mathcal{A}_R(u_1)(\sigma_1\xi), \ldots, \mathcal{A}_R(u_n)(\sigma_n\xi))$$
$$\mathcal{A}_R(t)(\tau) = \pi^\tau_R(t) \quad \text{otherwise}$$

where f : ∀α⃗.σ_1 × ··· × σ_n → τ, f T [u_i]_{i∈n} is well applied, and ξ is a Λ-substitution.

For any relation R, A_R is defined as A_{R̄}, where R̄ is the smallest equivalence relation containing R. We call σ-alien (or alien when the context is clear) a subterm of t abstracted by a variable in Y_σ, and say that t is algebraic w.r.t. σ if it contains no σ-alien. We denote by Alg_σ the set of algebraic terms w.r.t. σ, and by Alg = ⋃_{σ∈Λ} Alg_σ the set of algebraic terms.

Example 4. Let t ≡ cons T 0 (cons U (nil V) (nil U)), R be a relation on CCIC terms, σ = list(nat), and x_nat, y_list, z_nat, x_α and y_α be abstraction variables. Then:

$$\begin{aligned}
\mathcal{A}_R(t)(\sigma) &= \mathrm{cons}(\mathcal{A}_R(0)(\mathrm{nat}),\; \mathcal{A}_R(\mathrm{cons}\;U\;(\mathrm{nil}\;V)\;(\mathrm{nil}\;U))(\sigma)) \\
&= \mathrm{cons}(0,\; \mathrm{cons}(\mathcal{A}_R(\mathrm{nil}\;V)(\mathrm{nat}),\; \mathcal{A}_R(\mathrm{nil}\;U)(\sigma))) \\
&= \mathrm{cons}(0,\; \mathrm{cons}(x_{nat},\; \mathrm{nil})) \\
\mathcal{A}_R(t)(\mathrm{list}(\sigma)) &= \mathrm{cons}(\mathcal{A}_R(0)(\sigma),\; \mathcal{A}_R(\mathrm{cons}\;U\;(\mathrm{nil}\;V)\;(\mathrm{nil}\;U))(\mathrm{list}(\sigma))) \\
&= \mathrm{cons}(y_{list},\; \mathrm{cons}(\mathcal{A}_R(\mathrm{nil}\;V)(\sigma),\; \mathcal{A}_R(\mathrm{nil}\;U)(\mathrm{list}(\sigma)))) \\
&= \mathrm{cons}(y_{list},\; \mathrm{cons}(\mathrm{nil},\; \mathrm{nil})) \\
\mathcal{A}_R(t)(\mathrm{list}(\alpha)) &= \mathrm{cons}(x_\alpha,\; \mathrm{cons}(y_\alpha,\; \mathrm{nil})) \\
\mathcal{A}_R(t)(\mathrm{nat}) &= z_{nat}
\end{aligned}$$
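The algebraisation of Definition 8, together with the Presburger hypothesis extraction of the previous paragraphs (c =̇ 1 + t, d =̇ 1 + u with t and u convertible), as an added Python example that is not code from the paper: it encodes the nat/list signature of Section 2.2, matches the declared result sort of a well applied symbol against the expected sort, and abstracts σ-aliens by one variable per R-class. The term encoding, the `Alien` normal-form labels and the generated names y1:σ, y2:σ are constructed here and stand in for the paper's x_nat, y_list, z_nat, x_α and y_α.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

# Sorts of the parametric signature of Section 2.2 (constructed encoding): 'nat' is a sort
# constant, ('list', s) a sort constructor application, ('var', 'a') a sort variable.
Sort = Union[str, tuple]
A = ('var', 'a')


def sort_str(s: Sort) -> str:
    if isinstance(s, str):
        return s
    return s[1] if s[0] == 'var' else f"{s[0]}({sort_str(s[1])})"


# symbol -> (argument sorts, result sort); sort variables are implicitly quantified,
# e.g. cons : forall a. a x list(a) -> list(a)
SIG: Dict[str, Tuple[List[Sort], Sort]] = {
    '0': ([], 'nat'), 'S': (['nat'], 'nat'), '+': (['nat', 'nat'], 'nat'),
    'nil': ([], ('list', A)), 'cons': ([A, ('list', A)], ('list', A)),
    '@': ([('list', A), ('list', A)], ('list', A)),
}


def match(pat: Sort, target: Sort, xi: Dict[str, Sort]) -> bool:
    """Match a declared sort against the expected sort, binding the declaration's sort
    variables in xi. Variables of the expected sort are rigid, so 0 is an alien at sort a."""
    if isinstance(pat, tuple) and pat[0] == 'var':
        return xi.setdefault(pat[1], target) == target
    if isinstance(pat, str) or isinstance(target, str) or target[0] == 'var':
        return pat == target
    return pat[0] == target[0] and match(pat[1], target[1], xi)


def subst(s: Sort, xi: Dict[str, Sort]) -> Sort:
    if isinstance(s, str):
        return s
    return xi.get(s[1], s) if s[0] == 'var' else (s[0], subst(s[1], xi))


@dataclass(frozen=True)
class Var:    # x_sigma: a CCIC variable of first-order sort sigma (an element of X_sigma)
    name: str
    sort: Sort


@dataclass(frozen=True)
class App:    # well applied symbol f [T_alpha] u_1 ... u_n, type parameters already erased
    f: str
    args: Tuple['Term', ...] = ()


@dataclass(frozen=True)
class Alien:  # any non-algebraic CCIC term; `nf` stands in for its beta-iota normal form
    label: str
    nf: str


Term = Union[Var, App, Alien]


class Algebraiser:
    """A_R(t)(sigma) of Definition 8. R is given as a key function (t R u iff key(t) == key(u));
    the default, syntactic identity, is the smallest equivalence relation."""

    def __init__(self, key: Callable[[Term], object] = lambda t: t):
        self.key = key
        self.pi: Dict[Tuple[str, object], str] = {}  # pi^sigma_R: (sigma, R-class) -> Y_sigma

    def abstract(self, t: Term, sigma: Sort) -> str:
        k = (sort_str(sigma), self.key(t))
        return self.pi.setdefault(k, f"y{len(self.pi) + 1}:{sort_str(sigma)}")

    def alg(self, t: Term, sigma: Sort) -> str:
        if isinstance(t, Var) and t.sort == sigma:
            return t.name
        if isinstance(t, App):
            arg_sorts, res = SIG[t.f]
            xi: Dict[str, Sort] = {}
            if len(t.args) == len(arg_sorts) and match(res, sigma, xi):
                args = [self.alg(u, subst(s, xi)) for u, s in zip(t.args, arg_sorts)]
                return f"{t.f}({', '.join(args)})" if args else t.f
        return self.abstract(t, sigma)  # t is a sigma-alien: one variable per R-class and sort


def example4() -> Dict[str, str]:
    """Example 4: t = cons T 0 (cons U (nil V) (nil U)) algebraised at four expected sorts."""
    nil = App('nil')
    t = App('cons', (App('0'), App('cons', (nil, nil))))
    sorts = (('list', 'nat'), ('list', ('list', 'nat')), ('list', A), 'nat')
    return {sort_str(s): Algebraiser().alg(t, s) for s in sorts}


def presburger_hypotheses(convertible: bool = True) -> List[str]:
    """Hypotheses sent to Presburger arithmetic from the constructed context c = 1 + t,
    d = 1 + u, d = 2, where t and u are non-algebraic. With R = beta-iota convertibility and
    t, u convertible, both aliens get the same variable, so the theory can derive c = d."""
    c, d = Var('c', 'nat'), Var('d', 'nat')
    one = App('S', (App('0'),))
    t, u = Alien('t', nf='nf0'), Alien('u', nf='nf0' if convertible else 'nf1')
    conv = Algebraiser(key=lambda x: x.nf if isinstance(x, Alien) else x)
    ctx = [(c, App('+', (one, t))), (d, App('+', (one, u))), (d, App('S', (one,)))]
    return [f"{conv.alg(l, 'nat')} = {conv.alg(r, 'nat')}" for l, r in ctx]


if __name__ == '__main__':
    for sort, result in example4().items():
        print(f"A_R(t)({sort}) = {result}")
    print(presburger_hypotheses())
```

First-order terms are printed in prefix form, so the paper's 1 + y_nat appears as `+(S(0), y1:nat)`.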
It is clear from the above example that the algebraisation of a term depends on the expected sort of the result: when abstracting the (heterogeneous and ill-formed) list $0 :: nil :: nil$ as a list of lists, $0$ is seen as an alien which must be abstracted. When this list is abstracted as a list of natural numbers or as a polymorphic list, $0$ is considered algebraic and the first occurrence of $nil$ as an alien to be abstracted. Finally, if the list is algebraised as a natural number, it is abstracted by a variable.

Weak terms. We first distinguish a class of terms called weak. These terms will play an important role in the following, as they restrict the interaction between conversion at object level and strong $\iota$-reduction. An example of a non-weak term is

$t = \lambda[x : nat].\ Elim_S(x : nat\ [] \to Q)\{nat,\ \lambda[x : nat][T : Q\ x].\ nat \to nat\}$

Such a term is problematic in the sense that, when applied to convertible terms, it can $\beta\iota$-reduce to type-level terms that are not $\beta\iota$-convertible. Suppose that the conversion relation is canonically extended to CCIC. Assume a typing environment $\Gamma$ such that $0 \sim_\Gamma S\ 0$, and hence, by congruence, $t\ 0 \sim_\Gamma t\ (S\ 0)$. Now, it is easy to check that $t\ 0 \to^*_{\beta\iota} nat$ and $t\ (S\ 0) \to^*_{\beta\iota} (nat \to nat)$. Strong normalization of $\beta$-reduction is then broken by encoding the term $\omega = \lambda[x : nat].\ x\ x$. In contrast, weak terms lift no inconsistencies from object level to a higher level:

Definition 9 (Weak terms). A term is weak if it contains no i) applied type-level variable, and ii) term of the form $Elim(t : I[u] \to Q)\{f\}$ with $t$ open.

Extractable terms. From now on, let $\mathcal{O}^+$ be an arbitrary set of CCIC terms. This set will be used in the conversion definition to restrict the set of extractable equations of a given environment: only equations of the form $t \doteq u$ with $t$ and $u$ in $\mathcal{O}^+$ will be considered.
At the moment, we only require $\mathcal{O}^+$ to be a subset of $\mathcal{O}$. Note that taking $\mathcal{O}^+ = \mathcal{O}$ does not compromise the standard calculus properties (subject reduction, type unicity, strong normalization of $\beta\iota$-reduction, ...), but it does compromise decidability. E.g., if $\mathcal{T}$ is Presburger arithmetic, allowing the extraction of $\lambda[x :_a nat].\ f\ x \doteq \lambda[x :_a nat].\ f\ (x \dot{+} 2)$ would require, for checking conversion, deciding any statement of the form $\mathcal{T} \vdash (\forall x.\ f(x) = f(x + 2)) \to t = u$, which is well known to be impossible.

Conversion relation. We now have all the necessary ingredients to define our conversion relation $\sim_\Gamma$:

Definition 10 (Conversion relation). The rules of Figure 3 define a family $\{\sim_\Gamma\}$ of CCIC binary relations indexed by a (not necessarily well-formed) context $\Gamma$.

Note that the rule [DED], performing deductions in the first-order theory, here Presburger arithmetic, outputs a certificate $[\Gamma, t, u]$ made of the environment and the two terms to be proved equivalent under this environment, each time it is called. While this certificate must depend on these three data, it may of course carry additional information depending on the considered first-order theory.

The main differences with the calculus CC$_N$ defined in [6] are the following:
• The [APP] rule has been split into two rules: [APP S] and [APP W]. Conversion for strong terms is restricted to $\beta\iota$-conversion.
• Conversion for the first argument of an Elim is restricted to $\beta\iota$-conversion.
• The rules for transitivity and symmetry have been removed, which eases the proofs, notably that the deduction part of the conversion relation works at object level only. We prove later that the conversion relation is transitive and symmetric on well-formed terms, thus recovering type unicity.
• The rules for $\beta\iota$-conversion perform one reduction step only, which also eases proofs. Therefore $u \leftrightarrow^*_{\beta\iota} v$ should be understood as $\exists w$ such that $u \to_{\beta\iota} w$ and $v \to_{\beta\iota} w$.

Fig. 3 CCIC conversion relation (each rule is written as premises ⟹ conclusion):

[REFL] $t \sim_\Gamma t$
[EQ] $[x :_r T] \in \Gamma$, $T \to^*_{\beta\iota} t \doteq u$, $t, u \in \mathcal{O}^+$ ⟹ $t \sim_\Gamma u$
[LAM] $T \sim_\Gamma U$, $t \sim_{\Gamma, [x :_a T]} u$ ⟹ $\lambda[x :_a T].\ t \sim_\Gamma \lambda[x :_a U].\ u$
[PROD] $T \sim_\Gamma U$, $t \sim_{\Gamma, [x :_a T]} u$ ⟹ $\forall(x :_a T).\ t \sim_\Gamma \forall(x :_a U).\ u$
[βι-LEFT] $t \to_{\beta\iota} t'$, $t' \sim_\Gamma u$ ⟹ $t \sim_\Gamma u$
[βι-RIGHT] $u \to_{\beta\iota} u'$, $t \sim_\Gamma u'$ ⟹ $t \sim_\Gamma u$
$t, t', f, f'$ are weak, $t \leftrightarrow^*_{\beta\iota} t'$, $I \sim_\Gamma I'$, $Q \sim_\Gamma Q'$, $v \sim_\Gamma v'$, $f \sim_\Gamma f'$ ⟹ $Elim(t : I[v] \to Q)\{f\} \sim_\Gamma Elim(t' : I'[v'] \to Q')\{f'\}$
[APP W] $t_1 \sim_\Gamma u_1$, $t_2 \sim_\Gamma u_2$, $t_i, u_i$ are weak ⟹ $t_1\ t_2 \sim_\Gamma u_1\ u_2$
[DED] $t, u \in \mathcal{O}^+$, $E \vdash_{\mathcal{T}} \mathcal{A}_{\sim_\Gamma}(t)(\tau) = \mathcal{A}_{\sim_\Gamma}(u)(\tau)$ where $E = \{\mathcal{A}_{\sim_\Gamma}(w_1)(\sigma) = \mathcal{A}_{\sim_\Gamma}(w_2)(\sigma) \mid w_1 \sim_\Gamma w_2,\ \sigma \in \Lambda,\ w_1, w_2 \in \mathcal{O}^+\}$ ⟹ $t \sim_\Gamma u$, emitting the certificate $[\Gamma, t, u]$

2.6 Decidability of type-checking

CCIC enjoys all needed meta-theoretical properties (strong normalization, confluence, subject reduction), and therefore consistency follows:

Theorem 1. There is no proof of $\forall(x : \star).\ x$ in the empty environment.

All proofs are similar to those made for PTSs, with the same succession of meta-theoretical lemmas, but need more preparation. This is in particular the case with the substitution lemma, which is much harder than usual.

As said, type-checking in a dependent type theory is non-trivial, since the rule [CONV] is not syntax-oriented. The classical solution to this problem is to eliminate [CONV] and replace [APP] by the following rule; the proof is not difficult.

[APP] $\Gamma \vdash t : \forall(x :_a U).\ V$, $\Gamma \vdash u : U'$, $U \sim_\Gamma U'$, and if $a = r$ and $U \to^*_\beta t_1 \doteq_T t_2$ with $t_1, t_2 \in \mathcal{O}$ then $t_1 \sim_\Gamma t_2$ must hold ⟹ $\Gamma \vdash t\ u : V\{x \mapsto u\}$

Decidability of type-checking in CCIC therefore reduces to decidability of $\sim_\Gamma$, the environment $\Gamma$ being arbitrary, possibly containing ill-formed terms or even being inconsistent.
To show that $\sim_\Gamma$ is decidable, we proceed as previously, by modifying the definition in order to make it syntax-oriented: we show that two arbitrary terms are convertible iff their $\beta\iota$-normal forms are convertible by the syntax-oriented weak convertibility relation $\approx_\Gamma$ given in Figure 4, in which, to any environment $\Gamma$, we associate the set $Eq(\Gamma) = \{t = u \mid [x :_u T] \in \Gamma,\ T \to^*_\Gamma t \doteq u,\ t, u \in Alg\}$.

Lemma 1. Given an environment $\Gamma$ and two terms $t, u$, $t \sim_\Gamma u$ iff $t{\downarrow_{\beta\iota}} \approx_\Gamma u{\downarrow_{\beta\iota}}$.

This is the main technical result of the decidability proof, which proceeds by induction on the definition of $\sim_\Gamma$. Note that the numerous conditions of the form $\mathcal{T}, Eq(\Gamma) \nvdash 0 = 1$ in the rules defining $\approx_\Gamma$ are required to make them mutually exclusive.

Fig. 4 CCIC syntax-oriented conversion (each rule is written as premises ⟹ conclusion):

[REFL-⋆] $\star \approx_\Gamma \star$
[REFL-□] $\square \approx_\Gamma \square$
[REFL-X] $x \in \mathcal{X}$, ($\mathcal{T}, Eq(\Gamma) \nvdash 0 = 1$ or $x \notin \mathcal{X}^\star$) ⟹ $x \approx_\Gamma x$
[UNSAT] $t, u \in \mathcal{O}$, $\mathcal{T}, Eq(\Gamma) \vdash 0 = 1$ ⟹ $t \approx_\Gamma u$
[LAM] $T \approx_\Gamma U$, $t \approx_{\Gamma, [x :_a T]} u$, ($\mathcal{T}, Eq(\Gamma) \nvdash 0 = 1$ or $\lambda[x :_a T].\ t$ and $\lambda[x :_a U].\ u$ not in $\mathcal{O}$) ⟹ $\lambda[x :_a T].\ t \approx_\Gamma \lambda[x :_a U].\ u$
[PROD] $T \approx_\Gamma U$, $t \approx_{\Gamma, [x :_a T]} u$ ⟹ $\forall(x :_a T).\ t \approx_\Gamma \forall(x :_a U).\ u$
[W] $t = t'$, $I \approx_\Gamma I'$, $Q \approx_\Gamma Q'$, $v \approx_\Gamma v'$, $f \approx_\Gamma f'$, $t, t', f, f'$ are weak, ($\mathcal{T}, Eq(\Gamma) \nvdash 0 = 1$ or $Elim(t, \ldots)\{\ldots\}$ and $Elim(t', \ldots)\{\ldots\}$ not in $\mathcal{O}$) ⟹ $Elim(t : I[v] \to Q)\{f\} \approx_\Gamma Elim(t' : I'[v'] \to Q')\{f'\}$
[APP S] $t_1 \equiv u_1$, $t_2 \equiv u_2$, ($\mathcal{T}, Eq(\Gamma) \nvdash 0 = 1$ or $t_1\ t_2$ and $u_1\ u_2$ not in $\mathcal{O}$), $t_1\ t_2$ or/and $u_1\ u_2$ is not weak ⟹ $t_1\ t_2 \approx_\Gamma u_1\ u_2$
[APP W] $t_1 \approx_\Gamma u_1$, $t_2 \approx_\Gamma u_2$, $t_i, u_i$ weak, ($\mathcal{T}, Eq(\Gamma) \nvdash 0 = 1$ or $t_1\ t_2$ and $u_1\ u_2$ not in $\mathcal{O}$) ⟹ $t_1\ t_2 \approx_\Gamma u_1\ u_2$
[DED] $\mathcal{T}, Eq(\Gamma) \nvdash 0 = 1$, $t = C_t[a_1, \ldots, a_k]$, $u = C_u[a_{k+1}, \ldots, a_{k+l}]$, $C_t$ or $C_u$ is a non-empty algebraic context, all the $a_i$'s have empty algebraic caps, the $c_i$'s are fresh constants such that $c_i = c_j$ iff $a_i \approx_\Gamma a_j$, $\mathcal{T}, Eq(\Gamma) \vdash C_t[c_1, \ldots, c_k] = C_u[c_{k+1}, \ldots, c_{k+l}]$ ⟹ $t \approx_\Gamma u$

Example 5. Let $\Gamma = [c : nat], [p :_r (\lambda[x : nat].\ x)\ 0 \doteq c]$. Then $(\lambda[x : nat].\ x + x)\ 0 \sim_\Gamma c$ and $(\lambda[x : nat].\ x + x)\ 0 \approx_\Gamma c$, using congruence and deduction of $\sim_\Gamma$ and $\approx_\Gamma$. In contrast, $\beta$-reducing $(\lambda[x : nat].\ x + x)\ 0$ yields $0 \dot{+} 0 \sim_\Gamma c$, but not $0 \dot{+} 0 \approx_\Gamma c$. Indeed, $(\lambda[x : nat].\ x \dot{+} x)\ 0$ and $0 \dot{+} 0$ are no longer $\approx_\Gamma$-convertible, a direct consequence of removing $\beta\iota$-reduction from $\sim_\Gamma$: the equation $(\lambda[x : nat].\ x)\ 0 \doteq c$ cannot be used anymore, since $0 \dot{+} 0$ is not $\approx_\Gamma$-convertible to $(\lambda[x : nat].\ x)\ 0$. Now, normalizing all terms as well as the environment $\Gamma$, we recover convertibility for $\approx$: $0 \dot{+} 0 \approx_{\Gamma\downarrow_{\beta\iota}} c$, the extractable equation of $\Gamma\downarrow_{\beta\iota}$ being now $0 \doteq c$. As a consequence, we obtain:

Theorem 2. $\sim_\Gamma$ is decidable for any environment $\Gamma$ when taking for $\mathcal{O}^+$ the set of terms that are reducible to an algebraic term.

and therefore our main result follows:

Theorem 3. The type-checking relationship $\Gamma \vdash t : T$ is decidable in CCIC.

3 Using CCIC

We give here a detailed example illustrating the advantages of CCIC, based on the inductive type of words introduced in Section 2.1.

In Coq. First, we give a development in Coq, therefore based on CIC.

    (* Type indices are inferred at use sites, as the applications below assume. *)
    Set Implicit Arguments.

    Variable T : Set.
    Inductive word : nat -> Set :=
    | epsilon : word 0
    | char : T -> word 1
    | append : forall n p, word n -> word p -> word (n+p).

    (* Transparent (Defined) arithmetic lemmas, so that rewriting with them
       in a Definition keeps the resulting terms reducible. *)
    Lemma plus_n_0_transparent : forall n, n+0=n.
    Proof.
      induction n as [| n IHn]; simpl; [idtac | rewrite -> IHn]; trivial.
    Defined.

    Lemma plus_n_Sm_transparent : forall n m, n+(S m)=S(n+m).
    Proof.
      intros n m; induction n as [| n IHn]; simpl; [idtac | rewrite -> IHn]; trivial.
    Defined.

    Lemma plus_assoc_transparent : forall n p q, (n+p)+q=n+(p+q).
    Proof.
      intros n p q; elim n; [trivial | intros k].
      simpl; intros H; rewrite -> H; trivial.
    Defined.

    (* reverse_acc wn wk reverses wn and appends the accumulator wk; each
       case has to rewrite the length index by hand. *)
    Definition reverse_acc : forall n, word n -> forall p, word p -> word (p+n).
    Proof.
      intros n wn; induction wn as [| c | n p wn IHwn wp IHwp]; intros k wk.
      rewrite plus_n_0_transparent; exact wk.
      rewrite plus_n_Sm_transparent; rewrite plus_n_0_transparent; exact (append (char c) wk).
      rewrite <- plus_assoc_transparent; exact (IHwp _ (IHwn _ wk)).
    Defined.

    Fixpoint reverse n (w : word n) {struct w} : word n :=
      match w in word k return word k with
      | epsilon => epsilon
      | char c => char c
      (* reverse w1 as well, so that append w1 w2 reverses to (reverse w2) ++ (reverse w1) *)
      | append n1 n2 w1 w2 => reverse_acc w2 (reverse w1)
      end.

The example of palindromes, as words satisfying the property word_eq m (reverse m), is carried out in Strub's thesis (see his website). It yields a much more complex Coq development than the above, since it involves the equality over (quotients of) words.

In CCIC. We now make the similar development in CCIC, using a self-explanatory syntax. The definition of reverse then reduces to:

    Fixpoint reverse n (w : word n) {struct w} : word n :=
      match w with
      | epsilon => epsilon
      | char c => char c
      | append _ _ w1 w2 => append (reverse w2) (reverse w1)
      end.

Typing of the third clause of reverse will use here Presburger arithmetic, since append n1 n2 w1 w2 has type word (n1 + n2), while append n2 n1 w2 w1 has type word (n2 + n1), two types that are not convertible in CIC but which become convertible in CCIC. We can easily see with this example the immense benefit brought by internalizing Presburger arithmetic. Note that a single certificate is generated for this conversion:

    [n1 : nat, n2 : nat, w1 : word n1, w2 : word n2, n1 + n2, n2 + n1]

4 Conclusion

CCIC is an extension of CIC by arbitrary first-order decision procedures for equality.
We have shown here, with a detailed example using Presburger arithmetic, the benefit of the approach with respect to the current implementation of Coq based on CIC: more terms can be typed, especially in presence of types such as dependent lists, which become easy to use; many proofs get automated, making the life of the user easier (developing the example of reverse for dependent lists in the currently distributed version of Coq took us a day of work, and we don't believe this can be shrunk to one hour); and proofs are much smaller, some seemingly complex proofs becoming simple reflexivity proofs. We believe that the resulting style of proofs becomes much closer to that of the working mathematician. We have also explained the advantage of the approach insofar as it allows to clearly separate computation from deduction, therefore allowing for an incremental development of the kernel of the system.

So far, we have considered only decidable equality theories. However, thanks to the decidability assumption, a decidable non-equality theory can always be transformed into a decidable equality theory over the type Bool of truth values equipped with its usual operations.

There are still many directions to be investigated. A first is to embed membership equational logic in CIC along the lines of the simpler embedding described here. A second is to consider the case of dependent algebras instead of the simpler parametric algebras. This is a much more difficult question, which requires using a stronger notion of conversion in the main argument of an elimination, but would further help us address other weaknesses of Coq. Finally, we strongly believe that the use of decision procedures outputting certificates when they succeed and explanations when they fail will change our way of making formal proofs, and enlarge the audience of proof assistants.

Acknowledgement.
We thank the Coq group for many useful discussions and suggestions, and the referees for their useful remarks.

References

1. H. Barendregt. Lambda calculi with types. In S. Abramsky, D. Gabbay, and T. Maibaum, editors, Handbook of Logic in Computer Science, volume 2. Oxford University Press, 1992.
2. B. Barras. Auto-validation d'un système de preuves avec familles inductives. PhD thesis, University of Paris VII, 1999.
3. F. Blanqui. Definitions by rewriting in the calculus of constructions. Mathematical Structures in Computer Science, 15(1):37–92, 2005. Journal version of LICS'01.
4. F. Blanqui. Inductive types in the calculus of algebraic constructions. Fundamenta Informaticae, 65(1-2):61–86, 2005. Journal version of TLCA'03.
5. F. Blanqui, J.-P. Jouannaud, and M. Okada. The Calculus of Algebraic Constructions. In RTA, Lecture Notes in Computer Science 1631:301–316. Springer-Verlag, 1999.
6. F. Blanqui, J.-P. Jouannaud, and P.-Y. Strub. Building decision procedures in the calculus of inductive constructions. In Proceedings 16th CSL 2007, LNCS 4646, 2007.
7. F. Blanqui, J.-P. Jouannaud, and P.-Y. Strub. A Calculus of Congruent Constructions. Unpublished draft, 2005.
8. A. Bouhoula, J.-P. Jouannaud, and J. Meseguer. Specification and proof in membership equational logic. Theoretical Computer Science, 236:35–132, 2000.
9. Coq Development Team. The Coq Proof Assistant Reference Manual - Version 8.0. INRIA, INRIA Rocquencourt, France, 2004. http://coq.inria.fr/.
10. T. Coquand and G. Huet. The Calculus of Constructions. Information and Computation, 76(2-3):95–120, 1988.
11. T. Coquand and C. Paulin-Mohring. Inductively defined types. Colog'88, International Conference on Computer Logic, volume 417 of LNCS, pages 50–66. Springer-Verlag, 1990.
12. P. Corbineau. Démonstration automatique en Théorie des Types. PhD thesis, University of Paris IX, 2005.
13. K. Futatsugi, J. Goguen, J.-P. Jouannaud, and J. Meseguer. Principles of OBJ2. Proceedings of 12th ACM Conference on Principles of Programming Languages, 1985.
14. J. H. Geuvers and M. Nederhof. A modular proof of strong normalization for the calculus of constructions. J. of Functional Programming, 1(2):155–189, 1991.
15. E. Giménez. Structural recursive definitions in type theory. In Proceedings of ICALP'98, volume 1443 of LNCS, pages 397–408, July 1998.
16. G. Gonthier. The four color theorem in Coq. In TYPES 2004 International Workshop, 2004.
17. N. Oury. Extensionality in the calculus of constructions. In Proceedings 18th TPHOL, Oxford, UK. LNCS 3603, 2005.
18. C. Paulin-Mohring. Inductive definitions in the system COQ. In Typed Lambda Calculi and Applications, pages 328–345. Springer-Verlag, 1993. LNCS 664.
19. N. Shankar. Little engines of proof. In G. Plotkin, editor, Proceedings of the Seventeenth Annual IEEE Symp. on Logic in Computer Science. IEEE Computer Society Press, 2002.
20. R. E. Shostak. An efficient decision procedure for arithmetic with function symbols. J. of the Association for Computing Machinery, 26(2):351–360, 1979.
21. M. Stehr. The Open Calculus of Constructions: An equational type theory with dependent types for programming, specification, and interactive theorem proving (part I and II). Fundamenta Informaticae 68(1-2), p. 131–174, 2005.
22. T. Streicher. Investigations into intensional type theory. Habilitation, Munich University, 1993.
23. P.-Y. Strub. The Calculus of Congruent Inductive Constructions. PhD thesis, École Polytechnique, 2008.
24. B. Werner. Une Théorie des Constructions Inductives. PhD thesis, University Paris VII, 1994.