The n-Category Café

Do you know Martin-Löf’s paper Analytic and Synthetic Judgements in Type Theory? He links synthetic judgements to the “existential form of judgement” since this requires the construction of an object, rather than merely checking by virtue of the meanings of the terms involved.

(I didn’t notice this comment from yesterday.)

I’m not an expert, but from what I can tell, “analytic” and “synthetic” are about whether the (intuitionistic) truth of a judgment is “self-evident” (analytic) or not (synthetic).

That is, we derive a judgment like A,B ⊢ A×B using the pairing operation, and so on.

Judgments like that are synthetic: it’s not self-evident when a type is inhabited.

Semantically, each judgment is a “kind of object or morphism” in some categorical structure, and each derivation of that judgment represents a particular object or morphism.

This roughly corresponds to the fact that a naive syntactic representation of a derivation could be tacked onto the judgment to make it analytic. It is self-evident when a given derivation correctly derives a given judgment.

Now those derivation trees are generally too unwieldy to work with directly, so we annotate them by variables and terms in such a way that the entire tree can be reconstructed from the term that it assigns to the root, like x:A,y:B ⊢ ⟨x,y⟩ : A×B.

Except that’s not what ETT does, since a derivation generally cannot be reasonably reconstructed from a term. In fact, you’ve just pretty much described the whole idea of ITT. In ITT, a judgment like that is analytic, as a requirement. In ETT, a judgment like that is still synthetic.

There are three a priori reasonable responses to that problem, that I know of.

1) ETT is broken, so use ITT.

2) ETT terms are not proof terms, so add proof terms to get a different analytic judgment with “secondary witnesses”.

3) ETT judgments are synthetic, so don’t rely on proof terms, use LCF-style proof.

In each case, you get a way to reconstruct a derivation of the original “termless” judgment. But of course the termless judgment is not enough, because of dependency. (2) and (3) turn out to not affect the semantics of ETT, (1) changes things quite a bit. Perhaps OTT has essentially the same semantics as ETT.

(I am not going to bite your head off for restricting attention to intrinsic semantics of type theory, but be aware that there’s more to the story.)

I guess that’s a good idea.
--------------

The “verifier” in an LCF-style system checks the validity of [derivation] steps as they are performed. In the case of Andromeda, this also involves building a [meaning] term. One might be tempted to call it a “proof term”, but that’s misleading because it’s not checked or even feasibly checkable. It’s well-typed by construction. The [derivation] steps are performed by Andromeda MetaLanguage (AML).

Formal systems that don’t use propositions-as-types make the LCF approach less subtle: [meaning] terms are typechecked [I was assuming something like HOL, with decidable typechecking.], [any form of formal proofs of propositions, which aren’t types] need not ever be built, but are known to exist because the steps were successful.

For Andromeda, it’s best to think of [derivation] as the process of establishing the existence of a derivation of a judgment. It’s judgments that get proven [sic] (because it’s impractical to systematically check them), not types. [This was an unsuccessful attempt to explain why, in ETT, the emphasis of formal proof shifts to the judgments. I don’t know how to update it, because I deliberately conflated derivations (for ETT) and proof terms (for ITT).] Types have “evidence” (their inhabitants) but [in ETT] one cannot feasibly recognize evidence without [a derivation] that it has the expected type.

In some systems, you have proof terms, so an alternative to the LCF approach is to typecheck proof terms. This is what Coq and Agda do. Don’t be fooled into thinking Coq is LCF-style because it has tactics! It’s about the design of the trusted kernel. Coq’s kernel is a trusted typechecker. Andromeda’s “nucleus” is a trusted implementation of the primitive tactics. (Invoked from AML.)

Now why might an LCF kernel be simpler than a typechecking kernel? Probably because a rather LCF-ish kernel is a part of a [sufficiently-sane] typechecker! A typechecker will traverse a proof term, performing checks as it goes. These checks are exactly the checks that would be performed by trustworthy tactics. The beauty of LCF-style is the recognition that only the steps need to be checked. How they’re “fed into” the computer is irrelevant. There’s no technical need for proof terms, which merely script the [derivation] steps in the least imaginative possible way. [Keep in mind, the derivation process also yields a meaning term.]

I oversimplify: The reason switching Coq to an LCF-style kernel would actually probably not be so simple is termination checking. [Which is not sufficiently-sane.] It’s a non-compositional check, so you cannot check the term in one pass, like you’d have to if proof terms were literally degenerate proof scripts. I see this as one bad idea chasing another. You wouldn’t need termination checking in the kernel if you could prove termination without gunking up the term. Woe is ITT. Or, if you’re happy with gunky terms, you could ask for an LCF-style system for plain ITT (without termination checking).

So to answer your question, the real reason why Coq’s kernel is larger than that of HOL Light or Andromeda is simply that Gallina is a dramatically more complicated language than HOL or extensional Type:Type. ;)

1) I don’t see any reason to store a proof representation in the sense of “saving it for later”. But for a proof assistant to be producing a proof it has to represent that proof somehow in the process of producing it.

Fair enough. I was taking it for granted that you wouldn’t produce a proof that you’re not going to use. So I have to add a question:
3) Under what conditions should a proof assistant produce a proof representation?

My answer:
3) Only when the user asks it explicitly to convert the inputted proof representation to output it in a different format. (E.g. for compatibility with other proof assistants.)

Did you think it was a technical requirement somehow to create a proof in order to check that a proof exists? Programmers aren’t that constructive! :)

The whole idea of LCF-style proof assistants is precisely that nothing like a derivation tree needs to be built. It’s as Andrej says: The (trace of the) process of proof (“argument”) checking itself contains a derivation.

2) “Sufficiently close” is a judgment call, and different people may make that call differently. I’m saying that decidability of type-checking is one reasonable, and actually fairly minimal, condition that gives some indication of “sufficient closeness”.

We’ll have to postpone discussion of this till we have an agreed-upon reason to be working with proofs in the first place.

Maybe an analogy will help: consider the relationship between spoken English and written English…

This is an interesting analogy, but it doesn’t fit tightly enough. Humans are happy to invent pronunciations for written sentences. When the pronunciation of a sentence affects its meaning, the written form is often misinterpreted.

Or, to put it even more baldly: if you are happy with semi-decidable type checking of “proof representations”, then here is a proof representation for you. Every proof is represented by the word “foo”…

Yes, for an RE formal system, brute force search is the canonical semi-decidable proof checker. I’m not happy with semi-decidable checking. I demand checking that’s feasible in practice. Neither semi-decidability nor decidability is sufficient. The point is that decidability is not necessary or even helpful. In case it doesn’t go without saying, I also demand that there exists an argument that will convince the checker if and only if a derivation exists.

…and then generates all possible arguments in some other language and checks one by one whether they are a proof of the desired statement.

Even in this deliberately absurd scenario, you have an odd assumption. The checker would not need to generate arguments in any concrete representation just to semi-decide the existence of a derivation. Only terms and judgments would need to be represented. Note that this applies even to systems where terms are not a reasonable proof representation. (E.g. ETT, HOL)

I think there is too much confusion going on because we are using “formal proof” instead of “formal derivation”. I am going to switch to “formal derivation”.

And just to be sure, let me call proof-checking a procedure which accepts a representation r of a formal derivation and outputs the conclusion c of the formal derivation represented by r, provided that there exists a formal derivation that r represents. Depending on what the procedure does with an invalid r it is:

1. decidable: if it terminates and reports failure
2. semi-decidable: if it might run forever

We shall assume that we always have at least a semi-decidble procedure. Furthermore, we shall also require:

• completeness: every formal derivation has a representation
• derivation-irrelevance: r may represent several formal derivations, and it does not matter which one is found (explicitly or implicitly) by the procedure.
• uniqueness of conclusion: all formal derivations represented by r have the same conclusion

Derivation-irrelevance means that r represents an inhabited set of formal derivations, while uniqueness of conclusion states that all formal derivations in this inhabited set have the same conclusion.

Now, to answer your question: under the stated assumptions, foo just by itself violates uniqueness of conclusion, but the pair (foo,C) where C is the conclusion is a valid reprenstation of a formal derivation.

The thing called “proof certificate” or “proof term” by Coq/Agda has the exact same status as (foo,C), except that it carries a little more useful information that increases efficiency, and also restricts the set of formal derivations represented. It does not cut down the set to a singleton because it does not specify how equalities should be derived.

In the realm of proof assistants, the game is how to communicate and verify existence of formal derivations efficiently so the only interesting questions are those of efficiency. The only reason we reject (foo,C) as the universal proof representation is that it is too inefficient in time. It’s got great space efficiency, though.

In fact, we can imagine a formal system in which (foo,C) would be the perfect representation of the existence of a formal derivation of C. For instance, if we are in possesion of a complete linear-time proof-search procedure, then there is no point in communicating proofs, because already reading them takes as long as it does to reconstruct them.

Something like:

modusPonens : forall f a:Judg,
  option {fa:Judg | exists A B:Fmla,
    Proves f (Impl A B) /\ Proves a A /\
    Proves fa B}

You’re probably going to ask, why not:

modusPonens : forall (f a:Judg) (A B:Fmla),
  Proves f (Impl A B)->Proves a A->
  {fa:Judg | Proves fa B}

Well, that would make perfect sense if the tactic language you’re actually implementing will actually know how to check that type. But most tactic languages don’t have such types, so we can only model the way tactics actually do checking.

You must take into account the fact that the meta-language on top of type theory is simply typed. Then you will be able to think of a rule application that looks correct from the simply-typed ML-level but is actually not.

For instance, impliciation elimination is a smart constructor of type imply_elim : judgment -> judgment -> judgment. If we already computed judgments j1 and j2, it can easily happen that the well-typed computation imply_elim j1 j2 will trigger an exception because j1 is not of correct form, i.e,. not an implication.

You will not be able to get around this by saying that ML itself should be dependently typed. Somebody has to implement ML in a language that is not dependently typed, and at that level the same phenomenon will happen. It cannot be dependent type theories all the way down.

What part of the italicized phrases in

it was ill-typed in the real dependently typed version

and

Can you please give an example of a fully dependently typed rule

was unclear?

I am perfectly aware that the actual implementation language is simply typed. In fact, the original paragraph you are objecting to was exactly my acknowledgment of this fact. My point is that if you write it all in a dependently typed language then there is no “failure”; but because the actual implementation language is not dependently typed there will be failed applications. I.e. exactly what you are saying.

Oh, did you mean to ask why people don’t like equality types that have reflection rules?

No.

HTS sort of permits HoTT. But it at least appears to tie the semantics more closely to model-categorical presentations in which there is a “point-set level equality” present with which to interpret the strict equality.

I’m pretty sure that’s not a consequence of ITT vs ETT. Thorsten Altenkirch, Paolo Capriotti, and Nicolai Kraus have a HoTT with Strict Equality based on ITT + K that I think has the same issue.

…it seems more likely to me that this will be possible with ITT because its judgmental equality is more controlled than HTS’s strict equality.

I don’t know. There must be a version of HoTT that we could both approve of. My problem with ITT is that it gunks up the terms with hints needed for proof checking, but that correspond to nothing in the semantics. Find a semantics that takes advantage of Book HoTT’s abstraction, then design good, gunkless meaning terms for it, and you will have the right system.

This new paper on a strongly …

I really wish people wouldn’t provide blind links directly to .PDF files, especially when the file has a web page home.

Robin Adams, Marc Bezem, Thierry Coquand: A Strongly Normalizing Computation Rule for Univalence in Higher-Order Minimal Logic, arXiv:1610.00026

See? I can tell that Coquand is an author without having to download a PDF.