Encoding of Predicate Subtyping with Proof Irrelevance in the λΠ-Calculus Modulo Theory

The λΠ-calculus modulo theory is a logical framework in which various logics and type systems can be encoded, thus helping the cross-verification and interoperability of proof systems based on those logics and type systems. In this paper, we show how to encode predicate subtyping and proof irrelevance, two important features of the PVS proof assistant. We prove that this encoding is correct and that encoded proofs can be mechanically checked by Dedukti, a type checker for the λΠ-calculus modulo theory using rewriting.

2012 ACM Subject Classification: Theory of computation → Type theory


Introduction
A substantial number of proof assistants can be used to develop formal proofs, but a proof developed in one assistant cannot, in general, be used in another. This impermeability generates redundancy, since theorems are likely to have one proof per proof assistant. It also hinders the adoption of formal methods by industry because of the lack of standards and the difficulty of using formal methods adequately. Logical frameworks are part of the answer: because of their expressiveness, different logics and proof systems can be stated in a common language. The λΠ-calculus modulo theory, or λΠ/≡, is such a logical framework. It is the simplest extension of the simply typed λ-calculus with dependent types and arbitrary computation rules. Fixed-length vectors are a common example of a dependent type, which can be represented in the λΠ-calculus as ∀n : N, Vec(n). The λΠ-calculus modulo theory already allows one to formulate first-order logic, higher-order logic [5], and proof systems based on Pure Type Systems [12] such as Matita [3], Coq [10] or Agda [16].
PVS [28] is a proof assistant that has successfully been used in collaboration by academics and industry to formalise and specify real-world systems [27]. More precisely, PVS is an environment comprising a specification language, a type checker and a theorem prover. One of the specificities of PVS is its ability to blend type checking with theorem proving by requiring terms to validate arbitrary predicates in order to be attributed a certain type. This ability is a consequence of predicate subtyping [30]. It facilitates the development of specifications and provides a more expressive type system, which allows more constraints to be encoded. For instance, one can define the inverse function inv : R* → R, where R* is a predicate subtype defined as the reals which are not zero.
While predicate subtyping provides a richer type system, it also makes type checking of specifications undecidable. In [17], F. Gilbert paved the way for the expression of PVS into

In [32], predicate subtyping is weakened into a language named Russell, which is then converted into CIC. This conversion amounts to the insertion of coercions and unsolved meta-variables, the latter embodying PVS type correctness conditions (TCC). The equational theory used in the CIC encoding is richer than ours, since it includes surjective pairing e = pair T U (fst T U e) (snd T U e) and η-equivalence f = λx, f x in addition to proof irrelevance.
In [36], proof irrelevance is embedded into Luo's ECC [25] and its dependent pairs. Pairs and dependent pair types come in two flavours, the proof-irrelevant one and the normal one. The flavour is noted by an annotation, and proof irrelevance is implemented by a reduction which applies only to annotated pairs. The article also presents an application to PVS.
On a slightly more practical side, the automated first-order prover ACL2 [21] reproduces the system of "guards" provided by predicate subtyping in its logic based on Common Lisp, with the concept of gold symbols. Roughly, a symbol is gold if all its TCCs have been solved. Some theories, often based on Martin-Löf's Type Theory, blend together a decidable (called definitional or intensional) equality with an undecidable (called extensional) equality. In [29], a judgement "A is provable" is introduced, to say that a proof of A exists, but no attention is paid to what it is. Similarly, [1] introduces proof irrelevance in Martin-Löf's logical framework using a function to distinguish propositions A from "proof-irrelevant propositions Prf(A)". While A can be inhabited by several normal terms, Prf(A) is inhabited by only one normal form noted ⋆, to which all terms of Prf(A) reduce. Still in Martin-Löf's type theory, [31] provides proof irrelevance for predicate subtyping (there called subset types) for two different presentations, one intensional and the other extensional. The interested reader may have a look at Nuprl [11], an implementation of Martin-Löf's Type Theory with extensional equality and subset types.
Proof irrelevance has also been added to LF to provide a new system LFI in [24], where proof irrelevance is used in the context of refinement types. In LFI, proof irrelevance is neither limited to propositions nor attached to a certain type: terms are irrelevant based on the function they are applied to. A similar system is implemented in Agda [33].
More generally, concerning proof irrelevance in proof assistants, Coq and Agda [18] each have a sort for proof-irrelevant propositions (SProp for Coq and Prop for Agda [33]). Lean [14] is proof irrelevant by design, and Matita supports proof irrelevance as well [2, Section 9.3].

Outline
Encoding predicate subtyping requires a clear definition of it, which is given in Section 2. Predicate subtyping is encoded into λΠ/≡ using the signatures provided in Section 3. This encoding is put to use in some examples as well. The encoding is proved correct in Section 4: any well-typed term of the source language can be encoded into λΠ/≡, and its type in λΠ/≡ is the encoding of its type in the source language. Finally, we show that a type checker for the λΠ-calculus modulo rewriting can be used to type check terms that have been encoded as described in Section 3.

PVS-Cert: A Minimal System With Predicate Subtyping
Because of its size, encoding the whole of PVS cannot be achieved in one step. Consequently, F. Gilbert in his PhD [17] extracted, formalised and studied a subsystem of PVS which captures the essence of predicate subtyping, named PVS-Cert. Unlike PVS, PVS-Cert contains proof terms, with the consequence that type checking is decidable in PVS-Cert while it is not in PVS. Hence PVS-Cert is a good candidate to be a logical system in which PVS proofs and specifications can be encoded to be rechecked by external tools.
In this paper, we use an equational presentation of PVS-Cert, that is, we use equations rather than reduction rules and slightly change the syntax of terms. We describe PVS-Cert as done in [17], namely as the addition of predicate subtyping over simple type theory.

Type Systems Modulo Theory
To describe PVS-Cert and λΠ/≡ in a uniform way, we use the notion of Type Systems Modulo described in [8]. Type Systems Modulo are an extension of Pure Type Systems [7] with symbols of fixed arity whose types are given by a typing signature Σ, and with an arbitrary conversion relation ≡ instead of just β-conversion ≡β.
The terms of such a system are characterised by a finite set of sorts S, a countably infinite set of variables V and a signature Σ. The set of terms T(Σ, S, V) is inductively defined in Figure 1. Contexts are noted Γ ::= ∅ | Γ, v : T and the judgements Γ ⊢ WF or Γ ⊢ M : T. The typing rules are given in Figure 2 and depend on →R. The substitution of x by N in M is noted {x → N} M. We use a vectorised notation for products (

and more generally for any construction that can be extended to a finite sequence, such as a parallel substitution, which can also be written

For all relations on terms R and S, we write RS = {(t, u) | ∃v, tRv ∧ vSu} for the composition of R and S, and R* for the reflexive and transitive closure of R.

Predicate Subtyping
Predicate subtyping has two main benefits for a specification language. The first is to provide a richer type system thanks to the entanglement of type checking and proof checking.
In consequence, any property can be encoded in the type system, which makes it easy to create "guards" such as tail : nonempty_stack → stack, where nonempty_stack is a predicate subtype defined from a predicate empty?. It is also essential in the expression of mathematics: the judgement M : T is akin to the statement M ∈ T in the usual language of mathematics when T is a set defined by comprehension such as E = {n :

With predicate subtyping, we can represent the set E by the type (psub N P), and the judgement Γ ⊢ M : psub N P is derivable if the term M contains a proof of P(n) for some n. The other benefit of predicate subtyping, which is essential in PVS developments, is that it separates the process of writing specifications from the proving phase. In PVS, this separation appears through type correctness conditions (TCC): the development of specifications creates proof obligations that may be solved at any time. This separation is also visible in usual mathematical developments, where if we want to prove that t ∈ E, we prove once that P(t) is valid, then forget the proof and simply use t.
The type system of PVS-Cert can be seen as λHOL with a non-empty signature ΣPVS defined in Figure 3.

A predicate subtype (psub T U) is defined from a supertype T and a predicate U which binds a variable of type T to a proposition. Terms inhabiting a predicate subtype (psub T U) are built with the pair construction (pair T U M N), where M is a term of the supertype T and N is a proof of (U M). While the pair construction allows a term to be coerced from any type to a predicate subtype, the converse, that is, the coercion from a type to its supertype, is done with fst, the left projection of the pair. The right projection, snd, provides a witness that the left projection of the pair validates the predicate defining the subtype. Unlike PVS-Cert, PVS does not use the coercions pair, fst and snd. In PVS, subtyping is implicit: terms do not have a unique type, and the choice of this type is left to the type checker.
▶ Remark 1. Unlike the original presentation of PVS-Cert in [17], this one annotates fst and snd, using fst T p m instead of fst m, to ease the well-definedness proof of the translation of PVS-Cert terms (Proposition 4).

Equations and Proof Irrelevant Pairs
So far, no real difference has been evinced between PVS-Cert and dependent pairs: the predicate subtype (psub T p) may be encoded as the dependent pair type Σx : T, p x [17, Definition 4.2.3]. The difference lies in the equivalence relations and in the fact that PVS-Cert implements proof irrelevance in pairs.
The equivalence of PVS-Cert is noted ≡pvs and contains Equations (5), (6), and (β), which provide proof irrelevance:

We now motivate the use of these equations in PVS-Cert. Proofs contained in terms are essential for typing purposes. On the other hand, these proofs are a burden regarding the equivalence of terms. Were these proofs taken into account (as ≡β does), too many terms would be distinguished. For example, consider two terms t = pair N Even 2 h and t′ = pair N Even 2 h′ typed as even numbers. Then t and t′ are not considered equal because they do not have the same proof (h and h′) that 2 is even. We end up with one even number 2 per proof that 2 is even.
As stated in [13], most mathematicians seek convertibility of t and t′ and care more about what h and h′ prove than about the proofs themselves. To this end, PVS-Cert has proof-irrelevant pairs: proofs attached to terms are not taken into account when checking the equivalence of two pairs. This property is embedded in the equivalence relation ≡pvs used in the conversion rule of PVS-Cert, which must satisfy Equation (5).
Equation (6) allows the left projection to compute, but because of proof irrelevance, we cannot allow the right projection to compute; otherwise, all terms of type Prop would be considered equivalent.
A proof of T ≡β U or T ≡pvs U can use untyped intermediate terms, which can be problematic when one wants to prove some property on typed terms only. In the case of ≡β, the problem is solved by using the fact that →β is confluent, that is

We now prove a similar property for ≡pvs.

▶ Lemma 2 (Properties of the PVS-Cert conversion). Let →βfst = →β ∪ →fst, where →fst is the closure by substitution and context of Equation (6) oriented from left to right, and let ↔pi be the closure by substitution and context of Equation (5) and =pi = ↔pi*. For every relation on terms R, let R^ty be the restriction of R to typable terms. Then:

we simply say that → is confluent. First note that →βfst is confluent, since it can be seen as a Combinatory Reduction System that is orthogonal (i.e. whose rules are left-linear and non-overlapping) [22].
We now prove that ↔pi steps can be postponed:

is the reflexive closure of →βfst. Assume that the ↔pi step is at position p and the →βfst step is at position q. If p and q are disjoint, this is immediate. If p is above q, we have pair and similarly in the case of a fst step.
We now prove that (3) →fst preserves typing. Assume that fst T0 P0 (pair

Next, note that (4) =pi = ⇔pi, where ⇔pi consists in applying several ↔pi steps at disjoint positions. Indeed, if t = pair T P M N1 ↔pi u = pair T P M (. . .(pair

Moreover, we have (5) ⇔pi^ty = (↔pi^ty)*. Indeed, A ⇔pi^ty B means that we can obtain B from A by replacing some subterms of A, which are typable since A is typable, by some subterms of B, which are typable since B is typable.
We can now conclude as follows. Assume that A ≡pvs^ty B. By (1), there are A′ and B′ such 3), (4) and (5),

We provide an encoding of PVS-Cert into the logical framework λΠ/≡. This encoding allows terms of PVS-Cert to be expressed in λΠ/≡. Because logical frameworks strive to remain minimal, constructions such as pair or psub are not built in: they must be expressed in the language of the logical framework through an encoding. We hence define the symbols allowing us to emulate predicate subtyping using the terms of λΠ/≡.

Encoding Simple Type Theory
The encoding of λHOL given in Figures 4 and 5 follows the method established in [12] for pure type systems.
In the following, we write the function symbols of a signature in blue and the other constructions of λΠ/≡ in black, to better distinguish them.
The general idea is to manipulate types and terms of λHOL as terms of λΠ/≡. Sorts are both objectified as type and prop and encoded as types by Kind, Type and Prop in Equations (7)-(11). Sorts as types are used to type sorts as objects, to encode the axioms in A. Terms of type Type are encoded as terms of type Type. These encoded types can be interpreted as λΠ/≡ types with the function El (12). Similarly, propositions are reified as terms of type prop and interpreted by the function Prf. For instance, given a λHOL type T and a λHOL proposition P both encoded as λΠ/≡ terms, the abstractions λx : El T, x and λh : Prf P, h are valid λΠ/≡ terms. The signature exposed in Figure 4 is noted ΣλHOL.
Equations (18)-(20) are used to map encoded products to λΠ/≡ products. Equation (17) makes sure that the objectified sort prop is the same as the sort Prop when interpreted as a type.

Encoding Predicate Subtyping
Predicate subtypes are defined in Equation (21) as encoded types (i.e. terms of type Type) built from an encoded type t and a predicate defined on t. Pairs are encoded in Equation (22), where the second argument is the predicate that defines the type of the pair. The two projections are encoded in Equations (23) and (24), and we note the signature of

Extracted signature fragments: ⊢ Type : TYPE : KIND; ⊢ Prop : TYPE : KIND; ⊢ type : Kind : TYPE; ⊢ prop : Type : TYPE; El prop = Prop (17)

with the signature ΣPC and the congruence ≡λΠ generated by Equations (5), (6), (17)-(20), and (β) where, in Equations (5) and (6), psub, pair and fst (PVS-Cert symbols in black) are replaced by psub, pair and fst (λΠ/≡ symbols in blue).

Translation of PVS-Cert Terms
Figure 6 Signature Σpsub of the encoding of predicate subtyping into λΠ/≡.

Examples of Encoded Theories
We provide here some examples that take advantage of proof irrelevance or predicate subtyping.
While these examples could have been presented in PVS-Cert, we unfold them into the encoding of PVS-Cert into λΠ/≡ to show how it can be used in practice. All examples are available as Dedukti files¹ and can be type-checked with Lambdapi². In the examples, the first two arguments of fst, pair and snd are implicit.
▶ Example 5 (Stacks with predicate subtypes). This example comes from the language reference manual of PVS [26] and illustrates the use of predicate subtyping and the generation of TCCs through a specification of stacks in Figure 10. Predicate subtyping is used to define the type of nonempty stacks, which allows the function pop to be total. The symbol pop_push is an axiom that uses Leibniz equality = on stacks. In the definition of the theorem pop2push2, the term ?0 is a meta-variable that must be instantiated with a proof that the first argument of the pair is not empty, and represents, in the encoding, the TCC generated by PVS. We can thus see that the concept of TCC of PVS has a clear and explicit representation in the encoding, allowing its benefits to be transported to λΠ/≡.

▶ Example 6 (Bounded lists and proof irrelevance). This example is inspired by sorted lists in the Agda manual [33]³. Because we have not encoded dependent types, we cannot encode the type of lists bounded by a variable. We thus declare the bound in the signature. The specification is given in Figure 11.
We first notice that the predicate subtype allows the proof head ≤ bound, passed as a standalone argument in Agda, to be encoded in the type of an argument in our encoding, providing a shorter type for bcons. In Figure 12, we define two (non-convertible) axioms p1 and p2 as proofs of zero ≤ suc bound, and two lists containing zero but proved to be bounded by suc bound, using p1 for ℓ1 and p2 for ℓ2. Type checking ℓi requires the axiom pi. These axioms are like TCCs in PVS. Assuming that one wants to prove ℓ1 = ℓ2, had we lacked proof irrelevance, we would have had to prove that p1 ≡ p2, which is not possible. In our case, the equality is simply the result of refl ℓ1.

Figure 10 fragment: : Prf(pop(pair (pop(push x (fst(push y s)))) ?0) = s) := . . .;

Correctness of the Encoding
In this section, we prove that the encoding is correct: if a PVS-Cert type is inhabited, then its translation is inhabited too. Any type checker for λΠ/≡ could thus be used to recheck PVS-Cert typings. However, to make sure that our encoding is faithful (the encoding that maps any PVS-Cert term to the same well-typed ground term is correct, but useless), completeness (also called conservativity) ought to be proved too: a PVS-Cert type is inhabited whenever its encoding is inhabited. However, as completeness is often difficult to establish (see [3, 34]), we leave it for future work.
In the following, s stands for Type, Prop or Kind; T, U designate terms of type Type; M, N, t, u designate expressions that have a type T : Type; P, Q are propositions of type Prop, or predicates of type T → Prop; h stands for a proof typed by a proposition. Typing judgements in PVS-Cert are noted with ⊢PVS, and typing judgements in λΠ/≡ are noted with ⊢λΠ/≡.
Proof. By structural induction on M. ◀

▶ Lemma 8 (Preservation of equivalence). Let M and N be two well-typed terms in Γ.
Proof. Each item is proved separately.
where R is any of the two relations applied at the head of M and N. We only detail the base cases of the inductions, the other cases being straightforward.

Preservation of Computation
There are two possible cases. Case M = ((λx, t) u) →β {x → u} t: we have, where the equivalence is given by Lemma 7. Case M = fst T1 P1 (pair T0 P0 t h) →fst t: we have the following equalities, with the last equivalence provided by Equation (6).

Preservation of Proof Irrelevance. Assume that M = pair T P t h ↔pi pair T P t h′ [pair T P t h]
where the equivalence is given by Equation (5).

2.
By Lemma 2, we know that there are H0 and [u] by induction on the number of R^ty steps, using Item 1 for the base case. Therefore,

Proof. By induction on the typing derivation of Γ ⊢PVS M : T and case distinction on the last inference rule.

prod
Γ ⊢PVS T : s1   Γ, x : T ⊢PVS U : s2   (s1, s2, s3) ∈ P   /   Γ ⊢PVS (x : T) → U : s3

We only detail the product (Type, Prop, Prop), the others being processed similarly. We have [(x :

We first observe from Figure 6 that for each f ∈ ΣPVS, we have a counterpart symbol x:T, TYPE. By induction hypothesis, for each i, we have Γ ⊢λΠ/≡ [ti]Γ : {(xj → tj)j<i} Ti Γ, which we can write, thanks to Lemma 7, as Γ ⊢λΠ/≡ [ti]Γ : (xj → [tj]Γ)j<i Ti Γ. Now, using the signature rule, we are able to conclude Γ ⊢ . Moreover, we have taken care to define the translation in Figure 8 such that f(

Mechanised Type Checking
The encoding of PVS-Cert into λΠ/≡ can be used to proof check terms of PVS-Cert using a type checker for λΠ/≡. But because of the conversion rule, type checking is decidable only if ≡ is. A decidable relation equivalent to ≡ can be obtained using the convertibility relation stemming from the rewriting relation of a convergent rewrite system, yielding the type system λΠ/R (R for rewriting). Consequently, while type checkers cannot be provided for λΠ/≡ in general, they can be for λΠ/R, as can be seen with Dedukti⁴. Such rewrite systems can be obtained through completion procedures [6]. However, completion procedures rely on a well-founded order that cannot be provided here because of Equation (5), which cannot be oriented since each side of the equation has a free variable which is not in the other side.
A possible solution would be to rewrite all proofs of a pair to a canonical proof with a rule of the form pair t p m h → pair t p m (canon t p m), where t : Type, p : El t → Prop, m : El t ⊢ canon t p m : Prf(p m) : TYPE. But this creates a rewrite rule that duplicates three variables.
Otherwise, as noted in [23], the addition of a symbol to the signature can circumvent the issue. Hence, we add a symbol for proof-irrelevant pairs, and make it equal to pairs

Prf(p ⇒ q) → (h : Prf p) → (Prf(q h)) (33)

Figure 13 Rewrite system R resulting from the completion of the equations of the encoding of PVS-Cert in λΠ/≡.

▶ Proposition 10. Let →R be the closure by context and substitution of the rewrite rules of Figure 13, and ≡R be the smallest equivalence containing →R. Then, for all M, N ∈ T

Proof. It suffices to prove that every equation of PVS-Cert is included in ≡R. This is immediate for Equations (17)-(20) and (β), since they are equal to rules (27) and (30)-(33). For Equation (5), we have pair t p m h0 →R pair† t p m ←R pair t p m h1. Finally, for Equation (6), we have fst t0 p0 (pair

Rewrite system R is confluent because it is orthogonal. Termination of R is required to obtain the decidability of ≡R. A possible approach to prove it would be to extend the termination model of λHOL described in [15]. In order to prove the completeness of the encoding, that is, the fact that a type is inhabited whenever its encoding is, it could be useful to have the reciprocal implication, that is, if M ≡R N and M, N ∈ T(ΣPC, SλΠ, V), then M ≡λΠ N. We leave this for future work too.
A priori, the introduction of pair† allows one to craft terms that cannot be proof checked in PVS-Cert. Indeed, given a predicate Even on natural numbers, the term (pair† N Even 3) is the encoding of (pair N Even 3 h), which cannot be type checked in PVS-Cert since there is no proof h that 3 is even. However, Dedukti relies on a system of modules and tags attached to symbols to define where and how symbols can be used. A symbol tagged protected cannot be used to build terms outside of the module where it is defined, but it may appear during type checking because of conversion, a trick first introduced in [35] and also used for encoding Cumulative Type Systems in λΠ/≡ [34]. In our case, one may protect pair† in the module that defines the encoding of PVS-Cert, so that users of the encoding are forced to use pair.
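To make the completion argument concrete, here is an added Python model (not the paper's code and not Dedukti) of the two rules that decide Equations (5) and (6) of Section 2.3 once pair† is added, together with the orientation check that blocks Equation (5) and the protected-symbol check on user-written terms. The shape of the fst rule on pair† is an assumption, since the page's statement of it is cut off, and the sample terms are constructed.

```python
# Constructed model of the pair-dagger completion (not the paper's code).
# Terms are nested tuples (head, arg1, ...); bare strings are object-level
# variables, and strings starting with '$' are pattern variables of rules.

def is_pvar(t):
    return isinstance(t, str) and t.startswith("$")

def match(pat, term, sub):
    """First-order matching of pattern `pat` against `term`; None on failure."""
    if is_pvar(pat):
        if pat in sub:
            return sub if sub[pat] == term else None
        sub[pat] = term
        return sub
    if isinstance(pat, str) or isinstance(term, str):
        return sub if pat == term else None
    if len(pat) != len(term) or pat[0] != term[0]:
        return None
    for p, a in zip(pat[1:], term[1:]):
        if match(p, a, sub) is None:
            return None
    return sub

def subst(t, sub):
    if is_pvar(t):
        return sub[t]
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(subst(a, sub) for a in t[1:])

# Assumed rewrite system: every pair collapses onto the proof-free pair†
# (page: pair t p m h0 ->R pair† t p m <-R pair t p m h1), and fst computes
# on pair† (assumed form). There is no rule for snd: it must stay stuck.
RULES = [
    (("pair", "$t", "$p", "$m", "$h"), ("pair†", "$t", "$p", "$m")),
    (("fst", "$t", "$p", ("pair†", "$t2", "$p2", "$m")), "$m"),
]

def step(t):
    """One leftmost-outermost rewrite step, or None if t is in normal form."""
    if isinstance(t, str):
        return None
    for lhs, rhs in RULES:
        sub = match(lhs, t, {})
        if sub is not None:
            return subst(rhs, sub)
    for i in range(1, len(t)):
        r = step(t[i])
        if r is not None:
            return t[:i] + (r,) + t[i + 1:]
    return None

def normalize(t):
    """Rewrite to normal form (R terminates on the terms built here)."""
    while (n := step(t)) is not None:
        t = n
    return t

def convertible(a, b):
    """R is orthogonal, hence confluent: a ≡R b iff normal forms coincide."""
    return normalize(a) == normalize(b)

def free_vars(t):
    """Object-level variables of a term (used for the orientation check)."""
    if isinstance(t, str):
        return set() if is_pvar(t) else {t}
    return set().union(*(free_vars(a) for a in t[1:]))

def orientable(lhs, rhs):
    """A rule l -> r is admissible only if vars(r) ⊆ vars(l) (Section 6)."""
    return free_vars(rhs) <= free_vars(lhs)

def mentions_dagger(t):
    """Check that a user-written term does not mention the protected pair†."""
    if isinstance(t, str):
        return False
    return t[0] == "pair†" or any(mentions_dagger(a) for a in t[1:])

# Constructed sample: the two even numbers t and t' of Section 2.3.
N, EVEN, TWO = ("N",), ("Even",), ("2",)
T0 = ("pair", N, EVEN, TWO, "h")      # pair N Even 2 h
T1 = ("pair", N, EVEN, TWO, "h'")     # pair N Even 2 h'
```

Running `convertible(T0, T1)` gives True while `normalize(("snd", N, EVEN, T0))` stays stuck on the pair† term, which is exactly the asymmetry between Equations (5) and (6) described in Section 2.3.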

Conclusion
This work provides an encoding of predicate subtyping with proof irrelevance into the λΠ-calculus modulo theory, λΠ/≡ [4]. We first recall PVS-Cert, an extension of higher-order logic with predicate subtyping and proof irrelevance [17]. We then provide a λΠ/≡ signature to encode terms of PVS-Cert, and prove that the encoding is correct: if a PVS-Cert type is inhabited, then its translation in λΠ/≡ is inhabited too. Finally, we show that the equational theory of our encoding is equivalent to a confluent set of rewrite rules, which enables us to use Dedukti to type check encoded specifications.
However, two important problems are left open. First, is our encoding complete, that is, is a PVS-Cert type inhabited if its translation is? Second, is the confluent rewrite system used in the encoding terminating? We believe that these two properties hold but leave their difficult study for future work.

Perspectives
The encoding of PVS-Cert in λΠ/R is the stepping stone towards an automatic translator from PVS to Dedukti. Indeed, PVS does not have proof terms in its syntax, and consequently its type checking is undecidable. The creation of PVS-Cert allows PVS terms to be converted to a syntax whose type checking is decidable. This was the work of F. Gilbert in [17]. Now we are able to express this decidable syntax in λΠ/R and hence in Dedukti. However, the type system proposed here only allows coercions from a type to its direct supertype or subtype, that is, we can go from (psub (psub ι P) Q) to psub ι P in one coercion, but we cannot coerce from (psub (psub ι P) Q) to ι, whereas PVS can. Consequently, an algorithm to elaborate the correct sequence of coercions is needed to obtain terms that can be type checked in Dedukti.
Other features of PVS can be integrated into PVS-Cert and the encoding: dependent types like (psub list (λℓ, length ℓ = n)), recursive definitions of functions, and dependent records. With those features encoded, almost all of the standard library⁵ of PVS can be translated to Dedukti.
Finally, while the previous points were concerned with the translation of specifications from PVS, we may also want to translate proofs developed in PVS. These proofs are witnesses of type correctness conditions (TCC), which are required to type check terms. Since PVS is a highly automated prover, proof terms often come from the application of complex tactics that cannot be mimicked in Dedukti. However, proof terms may either be provided by hand, emulating the interaction provided by TCCs, or we may call external solvers [19].

Figure 1 Terms of the type system characterised by S, V and Σ.

Figure 2 Typing rules of a Type System Modulo.
By inversion of the typing rules, pair T1 P1 M N is of type psub T0 P0 and T0 ≡pvs C. By inversion again, M is of type T1 and psub T0 U0 ≡pvs psub T1 P1. By (1), T0 ≡pvs T1 and P0 ≡pvs P1. Therefore, M is of type C.

Figure 5 Equations of the encoding of λHOL into λΠ/≡.
and hence sΓ is either Prop by conversion (because El prop ≡λΠ Prop), Type or Kind. If s is Kind, then T is Type. Since Γ ⊢λΠ/≡ Type : TYPE because ΣPC(Type) = (⃗0, (TYPE, KIND)), we can derive Γ, v : T ⊢λΠ/≡ WF with the declaration rule, because the encoding of the sort Type is Type. Otherwise, s is Type or Prop and T = ξ [T]Γ, where ξ is El or Prf. By the typing of El or Prf (with the signature), Γ ⊢λΠ/≡ TΓ : TYPE and finally Γ, v : T ⊢λΠ/≡ WF by application of the declaration rule.

Notations. Rewriting relations are noted →R, where R is a set of rewriting rules. →R is the closure of R by substitution and context. ≡R is the symmetric, reflexive and transitive closure

1. Taking back the notations of the proof of Lemma 2, we show that a. computational steps of →βfst^ty are preserved, b. equational steps of ↔pi^ty are preserved. These two properties are shown by induction on a context C such that M

t : Type, p : El t → Prop, m : El t ⊢ pair† t p m : El(psub t p) : TYPE
El(t ⇝ u) → (x : El t) → El(u x)