“Upon This Quote I Will Build My Church Thesis”

The internal Church thesis (CT) is a logical principle stating that one can associate to any function f : N → N a concrete code, in some Turing-complete language, that computes f. While the compatibility of CT with simpler systems has long been known, its compatibility with dependent type theory is still an open question. In this paper, we answer this question positively. We define MLTTϙ, a type theory extending MLTT with quote operators in which CT is derivable. We furthermore prove that MLTTϙ is consistent, strongly normalizing and enjoys canonicity, using a rather standard logical relation model. All the results in this paper have been mechanized in Coq; the development is browsable at https://github.com/ppedrot/quote-mltt-lics24.


INTRODUCTION
"Calculemus!"By these words, Leibniz famously enjoined the reader to compute.Contemporary logicians took this motto as a founding principle after the progressive discovery of the proof-as-program correspondence.This major breakthrough, also known as the Curry-Howard equivalence, is the seemingly simple observation that proofs and programs are the same object, in an essential way [11].
Although not primarily associated with the Curry-Howard school of thought, the Russian constructivists led by Markov pushed this tenet to an extreme point, postulating that all mathematical objects are indeed algorithms. Their doctrine [25] is materialized by a foundational system that can be summarily described as a neutral Bishop-style intuitionistic logic extended with two additional axioms [36]: Markov's principle (MP) and Church's thesis (CT).
Of those two axioms, Markov's principle is the simplest one, as it requires little to state:
∀f : N → N. ¬¬(∃n : N. f n = 0) → ∃n : N. f n = 0
and is equally easy to understand. Common alternative formulations include "a Turing machine that does not loop terminates" or "non-zero reals are apart from zero". Markov's principle is a sweet spot of semi-classical logic, as it can be given a computational content preserving the witness property [12].
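For concreteness, this statement can be rendered in Coq as follows; this is a minimal sketch, and the name MP is ours.

```coq
(* Markov's principle, stated over nat-valued functions. *)
Definition MP : Prop :=
  forall f : nat -> nat,
    ~ ~ (exists n, f n = 0) -> exists n, f n = 0.
```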
Church's thesis is somewhat more involved, as it requires the internal definition of a computation model in the logic itself. Assuming a logic rich enough, this is traditionally [20] achieved by defining the decidable Kleene predicate T(e, n, t) and its associated primitive recursive decoding function U : N → N. Here, e : N is assumed to be the syntactic code of some program in the chosen Turing-complete computation model, n : N some integer argument, and t : N some encoding of evaluation traces of the model. Under these assumptions, T(e, n, t) holds whenever t is the trace of the fact that e applied to n evaluates to some integer r. Furthermore, if indeed the predicate holds, then U t should return the value r.
Said otherwise, any function f definable in the theory is known to be computable by some concrete algorithm e from within the theory.
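The first-order statement can likewise be sketched in Coq; here the Kleene predicate T and the decoding function U are merely axiomatized, not built from an actual computation model.

```coq
Axiom T : nat -> nat -> nat -> Prop. (* T e n t: t traces e applied to n *)
Axiom U : nat -> nat.                (* decodes a trace into its result *)

(* Every definable function is computed by some concrete code e. *)
Definition CT : Prop :=
  forall f : nat -> nat,
    exists e, forall n,
      exists t, T e n t /\ U t = f n.
```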
Contrary to MP, which is a consequence of excluded middle, CT is a very anti-classical axiom [36]. Assuming very weak forms of choice, it contradicts excluded middle, or even LPO. Similarly, it is also incompatible with choice-like principles like double negation shift. Finally, it also makes the logic very intensional, as it contradicts function extensionality under the same kind of weak choice assumptions.
The consistency of MP and CT w.r.t. some logical system is typically proved via realizability. Quite remarkably, Kleene's seminal paper [21] already proves that CT is compatible with Heyting arithmetic. For a more expressive theory, the effective topos is a famous example of a realizability topos in which both principles hold [17].
On the other side of the iron curtain, one major offshoot of the Curry-Howard philosophical stance is Martin-Löf's type theory [26], in short MLTT, a famous foundation for constructive mathematics. It is the theoretical underpinning of several widely used proof assistants such as Agda, Coq or Lean. In these software systems, there is no formal separation between proofs and programs, as they live in the same syntax and obey the same typing and computation rules. This monistic credo turns MLTT into the quintessential intuitionistic foundation of our modern times, blending logic and computation into the very same cast.
In the wake of the Swedish tradition of neutrality, MLTT does not pick a side in the constructivist feud. It neither proves fan principles from the Brouwerian band nor mechanistic axioms from the Markovian clique. Considering the claim above that in MLTT proofs are programs, it does seem a bit surprising that it is not biased towards the latter side. Surely it ought to be easy to convert MLTT to the Markovian orthodoxy, for otherwise the Curry-Howard mantra would be but a misleading advertisement. Let us survey the current status of each Russian axiom individually in the canon of dependent type theory.
As we have just explained, it is known that MP is not derivable in MLTT [5]. Since it is a consequence of classical logic, it holds in classical models like the ZF one [38], but it is also possible to add MP to MLTT while retaining the computational properties through a form of delimited exceptions [30]. Note that, due to the minimalism of MLTT, the alternative statements of MP mentioned previously are not equivalent in this setting [4].
As for CT, we already stated that it is negated by classical models, and thus is not a consequence of MLTT. By contrast with MP, the compatibility of CT with dependent type theory is a much more contentious subject. To make things simpler, we will therefore focus on this single principle in this paper, and deliberately ignore Markov's principle. The proviso that the phrasing of the statement matters a lot is even more paramount with CT, which is the chief reason why the problem and its answers are a matter of debate. In the remainder we will prove that MLTT is indeed compatible with the strongest form of Church's thesis usually agreed upon, but for this we first need to explain what we actually mean by these sibylline words. We dedicate the next section to a thorough exegesis of this topic.

A COMPREHENSIVE CT SCAN
Contrary to more archaic systems, MLTT does not need a realizability interpretation to turn its proofs into programs. In some sense, it already is a realizability interpretation, as MLTT terms are literally bona fide programs. It should therefore be very natural to add CT to MLTT.
As a matter of fact, as long as the context is empty, quoting is admissible: any closed function ⊢ t : N → N gives rise to a closed proof ⟨t⟩ of the corresponding instance of CT, where ⟨t⟩ is some term derived from t in a systematic way. Depending on the pursued goal, this process is variously known in the type theory world as extraction [22] or quotation [34]. Obviously, a rule that is derivable for closed sequents is not necessarily internalizable in the theory, so there is a non-trivial gap to fill there. An additional issue is that dependent type theories have various notions of existence. Typically, they contrast dependent sum types Σx : A. B with existential types ∃x : A. B. The precise details depend on the exact theory considered, but the general rule is that the former corresponds to actual, constructive evidence, while the latter stands for mere existence, i.e. no computational content can be extracted from this type. Such non-computational types are called propositions, an umbrella term for mildly related concepts.
The three most common instances of propositions are captured by the realizability-driven Prop universe of CIC [29], the hProp subuniverse inspired by the univalent world [37], and the SProp universe of strict propositions [10]. Regardless of the setting, Σ-types validate choice by construction through large elimination or projections, while existential types may or may not validate choice.
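The difference is tangible in Coq: the witness of a Σ-type (sig) can be projected out, while an ∃ (ex) only eliminates into Prop. A minimal illustration:

```coq
(* The first projection is definable for sig... *)
Definition witness (P : nat -> Prop) (p : { n : nat | P n }) : nat :=
  proj1_sig p.
(* ...but no analogous function (exists n, P n) -> nat is definable. *)
```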
The arithmetic statement of CT mentions two existential quantifiers, hence we have a priori at least four possible translations into MLTT. In practice, the second one returns an enumerable proposition, so that for most notions of proposition, namely Prop with singleton elimination or hProp with unique choice, the use of ∃ or Σ results in equivalent statements. We will thus always stick to a Σ-type for this quantifier. More problematic is the first existential quantifier, the nature of which leads to radically different worlds. For conciseness, we will call CTΣ (resp. CT∃) the statement of Church's thesis with a Σ (resp. ∃) type as the first existential quantifier.
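In Coq terms, the CT sketched earlier is CT∃, with a Prop-valued head quantifier. A minimal rendering of CTΣ, reusing the axiomatized T and U from above, replaces it with a sig-type:

```coq
(* CT_Σ: the head quantifier is a computationally relevant Σ-type;
   the second quantifier stays propositional, as discussed above. *)
Definition CT_sig : Type :=
  forall f : nat -> nat,
    { e : nat | forall n, exists t, T e n t /\ U t = f n }.
```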
As mere existence does not validate choice by default, CT∃ is much closer to the traditional first-order setting. When ∃ is taken to live in the Prop universe of CIC, the relative expressivity of CT∃ has been studied extensively in the setting of synthetic computability [7, 8]. An important remark is that the lack of choice prevents building an internal quoting function (N → N) → N that associates to some function its concrete code. As already hinted at before, this means that CT∃ does not necessarily contradict function extensionality. Actually, we can even go much further: in the case where propositions are identified with hProps, CT∃ turns out to be compatible not only with MLTT but also with full-blown univalence [35]. More generally and quite counterintuitively, univalence is compatible with many principles that would make the hardcore Bishop-style intuitionist raise a suspicious eyebrow, as long as they are squashed enough and thus made computationally harmless [33, 35, 37].
Contrastingly, as Σ-types come with intuitionistic (non-)choice built in, CTΣ is the telltale of an extremely weird mathematical realm. For starters, it immediately implies the existence of a quoting function and breaks both function extensionality and classical logic. The consistency of CTΣ with MLTT is an open problem that has been lingering for a while and seems to be considered a difficult question by experts [23, 24, 35]. The best result thus far [18] is the consistency of CTΣ with a stripped-down version of MLTT without the so-called ξ rule, which derives Γ ⊢ λx : A. t ≡ λx : A. u : Πx : A. B from the premise Γ, x : A ⊢ t ≡ u : B.
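The quoting function is immediate from CTΣ: it is just the first projection, as the following sketch (reusing CT_sig above) shows.

```coq
(* From a proof of CT_Σ, extract the code of any function. *)
Definition quote_fn (ct : CT_sig) (f : nat -> nat) : nat :=
  proj1_sig (ct f).
```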
The model used to prove this fact is a variant of Kleene realizability tailored for dependent types. Briefly, in this model terms are interpreted directly as their code in Kleene's first algebra, i.e. a natural number, and the equational theory in a context is defined as the closure of code equality by ground substitutions.
This representation makes the implementation of CTΣ trivial, as it boils down to the identity. Yet, for this to work, it is critical that two functions convertible in the model have literally the same code. This is exactly where the restriction to ground substitutions comes into play, as it identifies functions with their concrete syntax. Unfortunately, the same restriction also destroys non-trivial higher-order equations and in particular invalidates the ξ rule.
Although we understand the difficulties experienced by the authors of this paper and acknowledge their distinct goals, we consider that removing this congruence from MLTT, precisely when trying to implement a principle implying the existence of a quoting function, is unarguably throwing the baby out with the bathwater. Ubiquitous conversion under λ-abstractions is a stepping stone of MLTT for program reasoning, so treating functions as black boxes is a no-go and the ξ rule a sine qua non.
Given the strong relationship between quoting functions and metaprogramming, we should also mention some attempts at making the latter a first-class citizen of dependent type theory. These systems are built with practical programming in mind rather than constructive mathematics, but the endeavours are similar enough that they are worth highlighting. There is in particular a wealth of literature on contextual types [27], a special kind of modal types [13] capturing well-typed terms in an object context. Although contextual types can coexist with dependent types [16], the ability to pattern-match on code in these settings is still a difficult problem that is only satisfyingly handled in the absence of dependent types [3, 19]. The closest thing to what we achieve in this paper is an unpublished line of work on dependently-typed quoting [14].

HIGH-LEVEL DESCRIPTION
We now give the high-level intuitions that we develop technically later on. In this paper, we define MLTTϙ, read "MLTT with quotes", a minute extension of MLTT with quoting operators that implement CTΣ in a straightforward way. As already explained, CTΣ holds externally in MLTT. If we want it as an internal rule, there are two problems to solve: first, handling terms in an arbitrary context, and second, showing that our hypothetical internalization preserves conversion.
Despite the aura of complexity surrounding this question, our solution is disappointingly simple. The first problem will be handled in the most trivial way one can think of. Namely, the primitives computing the internal version of CTΣ will simply block as long as their arguments are not closed. Since the return type of these primitives is first-order, this will not be a problem, as it will not endanger canonicity.
The second problem is solved in a similarly obvious manner. Given two terms t ≡ u : N → N, one needs to ensure that the quotations of these terms agree. In particular, the integer code returned by these operations must be the same. This sounds complicated, as in general two equivalent functions may have different codes. In Turing-complete languages, this is actually impossible to achieve in a computable way, due to Rice's theorem. But in MLTT, there is a very simple way to find a canonical representative of an equivalence class of functions: just pick the normal form! Conversion in MLTT is decidable, as it virtually amounts to comparing the normal forms of the considered terms for syntactic equality. This requires that all well-typed terms have a normal form, but this property is usually taken for granted in dependent type theories and will for sure hold true in MLTTϙ.
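As a toy illustration of this idea in Coq, two convertible functions share a normal form, hence would receive the same code:

```coq
Eval compute in (fun n : nat => 0 + n). (* = fun n : nat => n *)
Eval compute in (fun n : nat => n).     (* = fun n : nat => n *)
```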
As the astute reader may object, this is not enough in the presence of η-rules, which are included in our system. But even in this case, our normalization trick can be adapted by simply maximally η-reducing and stripping all annotations from the normal form. As a result, it is possible to associate a canonical code to equivalence classes of convertible terms even up to η-conversion, and importantly, the resulting program has the same extensional behaviour as the source term, i.e. they produce the same output numeral when applied to the same input numeral.
Despite the intuitive simplicity of the above guiding ideas, proofs about dependent type theory are very tedious and error-prone, let alone when they contain bits of computability. To keep the naysayers at bay, all proofs were mechanized in the Coq proof assistant. For easy reference, we add hyperlinks to the Coq development, signalled by a dedicated icon. Note that for readability, we use named variables in the paper, but the actual formalization relies on De Bruijn indices. This adds some impedance to the matching between the paper statements and the actual Coq code, but it should be straightforward to go back and forth.

BASIC TYPE THEORY
Let us fix some conventions. Since we will be juggling quite a bit between levels, we will use a different font style to refer to objects from the metatheory, with types in bold and type ascription written in set-theoretic style x ∈ X. Some metatheoretical types of interest are X ⇒ Y, the metafunctions from X to Y, and N, the metaintegers. We will write term for the type of MLTTϙ terms defined later on.
Our base theory will be an instance of MLTT featuring one Russell-style universe, negative Π and Σ types with definitional η-rules, together with a natural number type, an empty type and an identity type. We recall the syntax of this theory in Figure 1. The typing rules are standard and feature five kinds of judgments: context well-formedness, type well-formedness, term well-typedness, type conversion and typed term conversion. To pin down the conventions, we expose a representative excerpt of the rules in Figure 2.
We use the usual notations A → B and A × B for non-dependent product and sum respectively. We will write t = u for Id A t u when A is clear from the context. In practice, we will almost always use it with A := N. Similarly, we will sometimes drop the annotations of λ-abstractions and pairs. If n ∈ N, we write [n]_N ∈ term for the unary numeral associated to n.
We will also use some notational devices to discriminate between intended meanings. We will write Λ := N for numbers coding for programs.
Partial functions will play an important role. In type theory, there is a standard encoding [32] going through the partiality monad ℘(A) := N → option A. A term f : ℘(A) is undefined if for all n : N, f n = None. Otherwise, its associated value is the first v s.t. f n = Some v.
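A Coq sketch of this encoding; the names part, undefined and value_at are ours.

```coq
Definition part (A : Type) : Type := nat -> option A.

(* f is undefined when it never yields a value. *)
Definition undefined {A} (f : part A) : Prop :=
  forall n, f n = None.

(* v is the value of f, first reached at index k. *)
Definition value_at {A} (f : part A) (k : nat) (v : A) : Prop :=
  f k = Some v /\ forall j, j < k -> f j = None.
```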
Although we could encode it, we do not have a built-in option type in MLTT. Since we will only ever consider partial integers in this paper, we will rely on a simpler encoding.

Definition 4.1 (Partial integers). We define the type of partial integers N℘ := N → N. The intuitive meaning of a partial integer f : N℘ is the following.
• If for all n : N, f n = 0, then f is undefined.
• Otherwise, let n₀ be the smallest integer such that f n₀ = S v for some v. Then f evaluates to v.

Given the algorithmically-friendly nature of MLTT, we will pick a slightly nicer, but equivalent, phrasing of CTΣ, sketched in Coq after this paragraph. Following [8], we will merge the Kleene predicate T and its associated decoding function U into a single function run : Λ → N → N℘. Computation traces will simply be the number of steps needed to reach a value, which will be accounted for by the step-evaluation predicate.
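A Coq sketch of Definition 4.1 together with the type of run; "returns" is our name for the intended reading, and run is axiomatized here just like in the development.

```coq
Definition Npart : Type := nat -> nat.

(* f returns v: S v shows up at some step, and 0 ("still running")
   at every earlier step. *)
Definition returns (f : Npart) (v : nat) : Prop :=
  exists k, f k = S v /\ forall j, j < k -> f j = 0.

Definition Lambda : Type := nat.    (* program codes, i.e. Λ *)
Axiom run : Lambda -> nat -> Npart. (* merged Kleene T and U *)
```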

"MLTT" EXTENSIONS
We now turn to the definition of the extensions that define MLTTϙ proper.

Definition 5.1. The new term constructors of MLTTϙ are defined in Figure 3, and will be collectively referred to as the quoting primitives.
We give names exposing the intuition of the meaning of those terms. The term ϙ t is the quote of t, which is intended to return the code of the function t. The term ϛ t u is the step-count of t applied to u, i.e. it will return the number of steps needed to evaluate the quote of t on argument u. Finally, ϡ t u is the reflection of t applied to u, which produces a proof that the quote of t indeed fulfils the expected runtime behaviour.
To define the typing system alone we do not need any additional requirements on those objects, but let us give some intuition before proceeding any further.
The ⌈•⌉ function is just some arbitrary Gödel numbering of the syntax. As already explained, the run function is going to serve as a Kleene predicate expressed in a functional form. In particular, we expect run : Λ → N → N℘, where run e n computes the result of the application of the program e to the argument n if it exists. In practice, run is expected to be definable in MLTT alone, or for that matter, in a much weaker fragment corresponding to PRA. In the remainder of this paper, we assume a fixed computation model (Definition 5.2), i.e. a Gödel numbering ⌈•⌉ together with a run function as above. We now have enough to define the typing rules of the additional MLTTϙ primitives in Figure 4. We delay the description of the conversion rules of these primitives to a later point, because we still need more infrastructure.
Nonetheless, these rules are already sufficient to state the one internal property of MLTTϙ we care about.

Theorem 5.4. MLTTϙ proves CT.

To finish the specification of MLTTϙ, we now need to define the conversion rules of the theory. This requires some heavy definitions. Normal forms are, as usual, terms which cannot be simplified further. Neutral forms are a subcase of the former, intuitively capturing the notion of a term whose evaluation is blocked by a variable not bound to a value. In particular, they cannot trigger new conversions when they are substituted for a variable. Our definition is standard for the MLTT fragment, except maybe that we ignore λ and pair type annotations, just like for the clos predicate. Only the newly introduced terms of MLTTϙ are worth discussing.
The quoting primitives do not generate any new non-neutral normal forms. Indeed, their expected types are concrete datatypes, so if we want canonicity we just cannot create new constructors for those. They do generate new neutrals, though. The intuition is that these primitives only compute on closed normal forms, so if one of their arguments is not closed, they will block and thus be neutral.

Notation 5.7. We write clnf t if both clos t and dnf t.
The last non-trivial ingredient needed is erasure of MLTTϙ terms. We rely on it to quotient normal forms w.r.t. the various η-rules of our system.

Definition 5.8 (Erasure). Given t ∈ term, we define its erasure ∥t∥ ∈ term by induction on t. This operation can be understood as the composition of two finer-grained primitives: first, replace λ and pair type annotations with a dummy term, and second, perform maximal η-reduction of λ and pair nodes. We choose □ for the dummy term, but any closed normal term would do. We give the relevant operations in Figure 8; all other cases are term homomorphisms.

We now have all the necessary definitions to define the new conversion rules of MLTTϙ in Figure 9. We give some intuitions about these conversion rules by paraphrasing them. The congruence rules are self-evident. The computation rule for ϙ t simply states that quoting a closed normal term produces the Gödel number of its erasure. The two other rules reflect the behaviour of the run operator in the theory itself. They start by assuming that t is a closed normal term, so its quote is a concrete code. Assuming canonicity, for any m, k ∈ N, run ⌈∥t∥⌉ m k must be convertible to a numeral. Similarly, t [m]_N must be convertible to some numeral [v]_N.
Since we expect run to model the computation of MLTTϙ, there must be some k₀ ∈ N s.t. run ⌈∥t∥⌉ m k₀ is convertible to S [v]_N. If k₀ is the smallest such bound, then ϛ t [m]_N returns [k₀]_N, and ϡ t [m]_N must provide a closed proof of T_Ϙ [m]_N. But given the previous assumptions, T_Ϙ [m]_N is convertible to a finite sequence of products of equalities 0 = 0 with a trailing equality S [v]_N = S [v]_N. This type is trivially inhabited by the term [k₀, v]_Ϙ.
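To make the erasure of Definition 5.8 concrete, here is a toy functional reading on an untyped fragment with annotated λ-abstractions only; the syntax tm and all helper names are illustrative stand-ins, not the paper's actual definitions, and pairs are handled analogously.

```coq
Inductive tm : Type :=
| Var (n : nat)   (* de Bruijn index *)
| Lam (A b : tm)  (* λ-abstraction annotated with its domain *)
| App (t u : tm)
| Box.            (* the dummy annotation □ *)

(* Does de Bruijn index k occur in t? *)
Fixpoint occurs (k : nat) (t : tm) : bool :=
  match t with
  | Var n => Nat.eqb n k
  | Lam A b => orb (occurs k A) (occurs (S k) b)
  | App t u => orb (occurs k t) (occurs k u)
  | Box => false
  end.

(* Decrement indices above k, assuming k itself does not occur. *)
Fixpoint strengthen (k : nat) (t : tm) : tm :=
  match t with
  | Var n => if Nat.ltb k n then Var (pred n) else Var n
  | Lam A b => Lam (strengthen k A) (strengthen (S k) b)
  | App t u => App (strengthen k t) (strengthen k u)
  | Box => Box
  end.

(* Replace annotations by Box and maximally η-reduce λ nodes:
   λx. f x becomes f whenever x does not occur in f. *)
Fixpoint erase (t : tm) : tm :=
  match t with
  | Var n => Var n
  | App t u => App (erase t) (erase u)
  | Box => Box
  | Lam _ b =>
      match erase b with
      | App f (Var 0) =>
          if occurs 0 f then Lam Box (App f (Var 0))
          else strengthen 0 f
      | b' => Lam Box b'
      end
  end.
```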

COMPUTATIONAL ADEQUACY
There is still one missing piece for MLTTϙ to make sense. Indeed, in the intuitive explanation of the conversion rules for the quoting primitives we gave above, we argued that run should model the runtime behaviour of MLTTϙ. In spite of this, we have made no additional assumption on Definition 5.2 so far. We make this requirement formal as computational adequacy in this section. This first forces us to endow MLTTϙ with a notion of evaluation. We define weak-head normal (whnf) and weak-head neutral (whne) forms similarly to their deep counterparts from Figure 6, the only difference being that we do not require non-neutral subterms to be in normal form. Weak neutral forms for the quoting operators are the same as deep neutral forms from Figure 7.
Definition 6.2 (Evaluation). We mutually define in the metatheory two step-indexed evaluation relations ↓ and ⇓, respectively computing the weak-head and the deep normal form. An excerpt of the MLTT fragment is presented in Figure 10. Weak-head evaluation for the MLTTϙ extensions is defined in Figure 11, the rules for deep evaluation being the same.
Although both relations are given as inference rules, they really are step-indexed recursive functions in the metatheory, of type term ⇒ N ⇒ option term. We write t ↑_k and t ⇑_k when no derivation is possible, implicitly meaning that the corresponding function returns None. We will use the same notations without the k index to existentially quantify over this index, e.g. t ↓ u means that there exists some k ∈ N s.t. t ↓_k u.
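The following sketch shows what such a step-indexed function looks like, reusing the toy tm syntax from the erasure sketch above; lift and subst are the usual de Bruijn operations, and the real development handles the full MLTTϙ syntax.

```coq
Fixpoint lift (k : nat) (t : tm) : tm :=
  match t with
  | Var n => if Nat.leb k n then Var (S n) else Var n
  | Lam A b => Lam (lift k A) (lift (S k) b)
  | App t u => App (lift k t) (lift k u)
  | Box => Box
  end.

(* Substitute u for index k, shifting the remaining indices down. *)
Fixpoint subst (k : nat) (u t : tm) : tm :=
  match t with
  | Var n =>
      if Nat.eqb n k then u
      else if Nat.ltb k n then Var (pred n) else Var n
  | Lam A b => Lam (subst k u A) (subst (S k) (lift 0 u) b)
  | App t1 t2 => App (subst k u t1) (subst k u t2)
  | Box => Box
  end.

(* Weak-head evaluation; None means "out of fuel", as in t ↑_k. *)
Fixpoint whnf_eval (fuel : nat) (t : tm) : option tm :=
  match fuel with
  | 0 => None
  | S fuel =>
      match t with
      | App t1 t2 =>
          match whnf_eval fuel t1 with
          | Some (Lam _ b) => whnf_eval fuel (subst 0 t2 b)
          | Some t1' => Some (App t1' t2) (* neutral application *)
          | None => None
          end
      | _ => Some t (* Var, Lam, Box are already weak-head normal *)
      end
  end.
```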
The evaluation rules for the MLTT fragment are, once again, standard. The only interesting rules are the ones for the quoting primitives, as they make weak-head evaluation depend on deep evaluation. All evaluation paths for the quoting primitives start by deeply evaluating their arguments and checking whether they are quasi-closed. If not, they immediately return. Otherwise, they perform a macroscopic evaluation step. For ϙ t, that just means quoting the closed normal form into a number. For ϛ t u and ϡ t u, it corresponds to performing a guarded μ-recursion to find the smallest index such that the erasure of t applied to u evaluates to a numeral.

Definition 6.3 (Computational adequacy). We say that the computation model is adequate if it satisfies the following properties.
The last two points are essentially stating that the metatheoretical deep evaluation function coincides with the object run evaluation function. This leaves very little leeway in the potential implementation of run.

SOUNDNESS THEOREMS
In the remainder of this paper, we assume that our globally fixed computation model is adequate. Under this implicit assumption, we get our three soundness theorems: MLTTϙ is consistent, strongly normalizing, and enjoys canonicity. The rest of this paper is dedicated to sketching the proof of these three theorems, which all derive from the same property.

BASICS OF MLTT LOGICAL RELATIONS
We will prove our metatheoretical results about MLTTϙ using a logical relation model. The base model is basically the now famous inductive-recursive one from Abel et al. [1], with a handful of surprisingly minor tweaks. In this section, we briefly recall the principles of Abel-style logical relations.
From a high-level point of view, Abel-style logical relations for MLTT are just a glorified kind of realizability with a lot of bells and whistles. Notably, in the semantic world, well-formed types Γ ⊩ A are defined inductively, while well-typed terms p_A | Γ ⊩ t : A are defined recursively over a proof p_A ∈ Γ ⊩ A. In turn, well-typedness is extremely similar to, say, Kleene realizability [36], i.e. p_A | Γ ⊩ t : A essentially means that t weak-head normalizes to some value v, further satisfying some conditions depending on A. Due to conversion being an integral part of typing, one also needs to associate to a given semantic type additional predicates for type and term convertibility, but they are the expected ones.
The major departure from usual realizability in this kind of model is the proper handling of variables. All semantic predicates are actually presheaves over contexts equipped with weakenings. Furthermore, neutral terms enjoy a very specific status, see e.g. Lemma 8.6. This will turn out to be important for our goals.
The relation itself is parameterized by syntactic predicates for the various notions of typing and reduction. These predicates must satisfy a list of closure properties, which are typically weaker than the ones enjoyed by the standard typing rules of MLTT. Another way to understand this is that logical relations turn a liberal type system, called declarative, with many closure rules that is easy to work with, into a lower-level type system that is hardly usable but similar in spirit to the steps performed by a typing algorithm. Proofs in this generic system are in some sense normalized compared to the declarative system. As a matter of fact, this is a way to prove decidability of type-checking, since an algorithmic presentation of type-checking will satisfy the low-level closure properties. A notable difference with the declarative system is that generic typing requires making explicit the notion of neutral terms, through the introduction of neutral convertibility, which can be understood as the usual convertibility restricted to neutral terms.
In the remainder of this section, we assume fixed some instance of syntactic typing and reduction rules for MLTT. Due to their sheer size and the fact that they are neither surprising nor new, we will not state the closure properties here, but rather link the corresponding Coq code directly.

Definition 8.1 (Generic Typing). We define the notion of generic typing as a list of closure properties that our typing rules must satisfy.
Given generic notions of typing and reduction, one can define reducibility in the abstract. Our base logical relation is unchanged w.r.t. Abel et al. [1], so we will not give the full definition in this paper. To begin with, writing everything in full on paper would be both unreadable and uninformative, and probably riddled with typos. Rather, we recall below some representative type formers to build intuition and point to the Coq development for more details. We will also consciously ignore universe level issues. They are technical although important bookkeeping details, but we consider that they clutter the simple principles behind logical relations, and since our results are backed up by a mechanized proof, we should not have to care about such minutiae in the human-readable paper. As already explained, we gloss over the details and instead concentrate on the high-level view. We abuse implicit arguments in Figure 12 to keep things readable, and we also omit additional well-formedness conditions. At the risk of repeating ourselves, this is really just the run-of-the-mill complete presheaf model for MLTT, where presheaves have been manually encoded by means of quantifications over all weakenings of the current context. Note the lack of naturality conditions, thanks to Lemma 8.3. In our setting, typed reduction is simply untyped reduction annotated with proofs that both sides are well-typed and convertible. Similarly, well-typed neutrals are untyped neutrals together with a proof of well-typedness and self-convertibility.

Without further consideration for the low-level details, the logical relation satisfies some salient properties that we list below.

Lemma 8.3 (Reducibility irrelevance). For all proofs of type reducibility p_A, q_A ∈ Γ ⊩ A, if p_A | Γ ⊩ t : A then q_A | Γ ⊩ t : A, and similarly for the other statements.

This allows us to silently drop the proof of type formation for reducibility statements as a notational device. As long as there is one, it does not matter which one we pick.

Lemma 8.6 (Neutral reflection). Given a weakly neutral term syntactically self-convertible at some type A, it is reducible at that type.

Just like for standard realizability, we need to close reducibility by substitution to state the fundamental lemma. The relation resulting from this closure is known in the literature as validity. We link to the various notions of validity from the development for reference, but refrain from writing them in full in the paper.

Theorem 8.7 (Fundamental lemma). Well-typed MLTT terms are valid.

THE LOGICAL RELATION FOR MLTTϙ
For technical reasons, we will work with a slightly tweaked version of the additional typing rules of MLTTϙ. The rules from Figure 9 are presented for readability purposes, and will be derivable rules of the actually considered system. The differences are the following.
First, instead of a global typing axiom for run, we add it as a premise to the MLTTϙ rules that require it, i.e. those for ϛ and ϡ. This is just a cosmetic change that strengthens induction over MLTTϙ derivations.
Second, for reasons that will become clear soon, we turn the well-typedness premises of those rules into self-convertibility. For instance, the introduction rule of ϙ now derives Γ ⊢ ϙ t : Λ from the premise Γ ⊢ t ≡ t : N → N. The exact rules are defined as an inductive type in the development. By reflexivity of term conversion, it is clear that these rules imply the ones from Figure 9. Once we have proved Theorem 9.13, we will also be able to derive that self-convertibility implies well-typedness, which actually shows that the two versions are equivalent.
The model itself is defined in terms of a small-step reduction relation, so we need to define it properly for MLTTϙ, in addition to the big-step variant from Section 6.

Definition 9.1 (Reduction). We mutually define weak-head and deep reductions, respectively written t →→ u and t ⇒⇒ u, in Figure 13 for an MLTT excerpt and in Figure 14 for the quoting primitives. Once again, deep reduction for the latter is the same as weak-head reduction.
Note that deep reduction is simply iterated weak-head reduction on the subterms of weak-head normal forms. These reductions are a specific sequentialization of the corresponding evaluation functions, and their reflexive-transitive closures compute the same normal forms. Importantly, these relations are deterministic.
One major remark for our proof to go through is that in Abel-style logical relations, the closure properties of type and term conversion are compatible with the existence of a deep normal form. Said otherwise, we never perform conversion on terms potentially introducing non-termination. This can be leveraged by the following definition: deep term conversion Γ ⊢nf t ≡ u : A strengthens usual conversion by additionally requiring that both t and u deeply normalize. We define similarly deep type conversion Γ ⊢nf A ≡ B and deep neutral conversion.
When instantiating the logical relation with deep conversions, one gets access to the fact that both sides of the conversion deeply normalize, and furthermore that they have the same erasure, i.e. they are equal up to η-expansions and λ and pair annotations. This is the reason for the alternative MLTTϙ presentation where typing premises of quoting primitives are turned into self-convertibility: before proving the fundamental lemma, syntactic deep self-convertibility gives more information than mere syntactic typability.

Lemma 9.3 (Deep Typing). The typing rules where the various conversion predicates are replaced by their deep equivalents satisfy the generic typing interface.

It is somewhat insightful to remark that the requirement that we erase the normal forms before comparing them is critical for the above lemma. Indeed, the generic conversion rules for the negative Π and Σ types are given directly as η-expansions. Therefore, two convertible normal forms may differ in their annotations or up to some η-expansion. Erasing all annotations and maximally η-reducing thus ensures that the result is unique for each equivalence class.
As a result, the logical relation instantiated with deep typing is a model of MLTT. We only have to check that the additional MLTTϙ rules are also interpreted. Since semantic self-convertibility is equivalent to semantic well-typedness, it is enough to check the rules from Figure 9; the ones from Figure 4 are a consequence of the former.

Lemma 9.4 (Quote Reducibility). The conversion rules for the ϙ primitive hold in the reducibility model.
Proof. We focus on the congruence rule, since the reduction one is a subcase. Let us assume Γ ⊩ t ≡ t′ : N → N. In particular, we know by escape that Γ ⊢nf t ≡ t′ : N → N. We thus have two terms t₀ and t′₀ s.t. t ⇓ t₀, t′ ⇓ t′₀ and ∥t₀∥ = ∥t′₀∥. From this equality, either both t₀ and t′₀ are quasi-closed or both are not.
In the latter case, both ϙ t₀ and ϙ t′₀ are neutral and convertible, so by reflection they are reducibly convertible. We conclude by anti-reduction.
Otherwise, they reduce to numerals [⌈∥t₀∥⌉]_N and [⌈∥t′₀∥⌉]_N, which are equal by erased equality, and thus reducibly convertible. We conclude again by anti-reduction. □

In order to prove reducibility of the two remaining quoting primitives, we need a fair amount of rewriting theory about our quote-extended λ-calculus. The computation model is completely untyped, and we will only ever care about erased terms, so we are forced to consider variants of reduction that ignore λ and pair annotations. The following results are standard [6], except maybe for the interleaving of weak and deep reduction when reducing the quoting primitives.

Definition 9.5 (Parallel Reduction). We define parallel reduction up to λ and pair annotations for MLTTϙ in the usual way. Since the reduction rules for the quoting primitives are macroscopic, their parallel versions cause no trouble.

Lemma 9.6 (Inclusion). Parallel reduction contains deep reduction.

Lemma 9.7 (Confluence). Parallel reduction is confluent.

Definition 9.8 (Standard Reduction). We define standard reduction up to λ and pair annotations for MLTTϙ in the usual way. Standard reduction for the quoting primitives is defined through standard reduction of the subterms rather than closure by weak-head reduction.

Lemma 9.9 (Parallel inclusion). Standard reduction contains parallel reduction.

Lemma 9.10 (Standardisation). Standard reduction to a deep normal form implies deep evaluation up to λ and pair annotations.

Lemma 9.11 (Erasure Irrelevance). Standard reduction to a deep normal form is preserved by erasure.

The equivalences linking these various reductions and evaluations make it easy to switch from one view to another, depending on the kind of property one wants to show. With these tools in hand, we can tackle the remaining reducibility proofs. Note that computational adequacy is not required for any of the above properties; it is only used in the following lemma.

Lemma 9.12 (Step and Reflection Reducibility). The conversion rules for the ϛ and ϡ primitives hold in the reducibility model.

Proof. Once again we focus on the congruence rule. Since the two primitives behave computationally the same, we only treat the ϡ case, which is more involved typing-wise. Let us assume Γ ⊩ t ≡ t′ : N → N and Γ ⊩ u ≡ u′ : N. By the same argument as before, we have deeply normal terms t₀, t′₀ (resp. u₀ and u′₀) convertible to the original terms and with the same erasure, and thus with the same closedness.
If not all these terms are closed, then ϡ t₀ u₀ and ϡ t′₀ u′₀ are convertible neutral terms, and we conclude by the same argument as above.
Otherwise, they are all closed. In this case, by reducibility, u₀ = u′₀ = [m]_N for some m ∈ N. Since reducibility is closed under application, we get Γ ⊩ t u ≡ t′ u′ : N. This implies that both applications deeply evaluate to the same semantic integer, i.e. a series of successors ending either with 0 or a neutral. By confluence, we rule out the second case as t₀ u₀ is closed, so these terms reduce to some numeral [v]_N. By confluence and standardisation, t₀ [m]_N also evaluates to [v]_N. By irrelevance of erasure, ∥t₀∥ [m]_N also evaluates to [v]_N. By computational adequacy, there exists some k₀ s.t. run ⌈∥t₀∥⌉ m k₀ ⇓ S [v]_N and run ⌈∥t₀∥⌉ m k′ ⇓ 0 for all k′ < k₀. Given that t₀ and t′₀ have the same erasure, this also holds for t′₀. Hence, we can fire the ϛ and ϡ reduction rules, so that ϛ t u and ϛ t′ u′ evaluate to [k₀]_N while ϡ t u and ϡ t′ u′ evaluate to [k₀, v]_Ϙ. We are almost done; the only remaining problem is to show that this value is indeed of semantic type T_Ϙ [m]_N. But this is a trivial, albeit technically annoying, consequence of the previous normalization properties of the various terms involved. □

Finally, one also has to prove validity for these conversion rules, that is to say that they are stable under substitution. This turns out to be a trivial fact. Congruence rules are stable under substitution by construction. As for the other conversion rules, it is enough to observe that both quasi-closedness and erasure of quasi-closed terms are stable under substitution. We get the generalization below as an immediate result.

Theorem 9.13 (Fundamental Lemma for MLTTϙ). Well-typed MLTTϙ terms are valid.
The metatheoretical facts we claimed in Section 7 are direct consequences of the basic properties of the logical relation. Hence we are done.

MECHANIZATION
While the Abel et al. proof has been implemented in Agda [1], our mechanization is written in Coq and is based upon recent work by Adjedj et al. [2] that encodes away induction-recursion into standard inductive types through a technique known as small induction-recursion [15]. Apart from this, the two formalizations are globally the same. The only advantage of the Coq version, which we believe to be decisive, is the availability of tactics. The largish corpus of proofs relating the numerous untyped reductions is rendered tractable by the reliance on handcrafted automation, when such proofs would have been a nightmare to write explicitly in Agda as terms.
All theorems stated in the paper have been formalized. The only thing that we did not formally prove is the actual existence of adequate models of computation. We globally axiomatized one in the development instead. The precise list of axioms can be retrieved by applying the Print Assumptions command to the toplevel theorems.
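For readers unfamiliar with this command, Print Assumptions lists every axiom a proof transitively depends on. A toy example; in the development it is applied to the toplevel theorems instead.

```coq
Axiom computation_model_is_adequate : True.

Lemma toy : True.
Proof. exact computation_model_is_adequate. Qed.

Print Assumptions toy. (* reports: computation_model_is_adequate *)
```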
The reader may reasonably complain about the use of axioms, as they may very well be inconsistent. Yet, the existence of adequate models is at the same time an utterly trivial fact and a technically extremely challenging task. Indeed, at an intuitive level, run has already been implemented in MLTT, because we defined evaluation as a step-indexed function in our metatheory, which turns out to be a variant of MLTT. As explained before, we do not even need that much, as the fragment we use to implement it basically fits into PRA. In any paper proof, such a computability result would be immediately brushed off as obvious, barely requiring any explanation. Now, in the land of formal proofs, given the non-trivial size of our untyped language, implementing evaluation and proving anything about it in Coq was already cumbersome with transparent conversion rules, tactics and handy notations. By contrast, doing the same directly in the object theory is monstrous enough to drive any sane person into sheer madness, let alone considering that we have to work up to a Gödel encoding. Out of common decency, we will not attempt to close this unquestionable gap.

FUTURE WORK
Although we did not formally prove it out of unrepented sloth, it is quite clear that MLTTϙ enjoys decidability of type-checking. Since type interpretation is unchanged in the logical relation, the global shape of the algorithm remains the same as the one for MLTT. The only potential trouble comes from the computational behaviour of the quoting primitives. We briefly discuss why they cause no issue.
At heart, the usual algorithm applies rules eagerly for typing, and switches to another behaviour when facing conversion, in which case it recursively weak-head reduces the compared terms and compares subterms modulo η-expansion. In order to handle MLTTϙ, we thus need to ensure that weak-head evaluation to a normal form is computable on well-typed terms. But this is a consequence of the fundamental lemma, and actually, if we squint at our reducibility proofs long enough, they already contain a conversion algorithm. Also, given that our Coq proof is based on a development that proves decidability of type-checking for MLTT [2], it should be quite simple to prove it for MLTTϙ.
Another topic that may be of interest is the compatibility of MLTT with the full Russian axiomatic. We know that MLTT is compatible with MP, and after this paper we know that MLTT is compatible with CT. Hence a natural question is whether MLTT can accommodate both axioms at the same time. We are convinced not only that this is the case, but also that the model described here can be easily extended to handle MP. The reason for this confidence lies in the uncanny similarity between those two principles. Just like CT, it is true that Markov's rule, the external version of MP, is derivable in MLTT. This can be shown using a variant of Friedman's trick [9, 28, 31]. Again, like CT, the return type of this rule is a concrete data type, i.e. a Σ⁰₁ formula. It should therefore be easy to add a binary term former μ for MP, deriving Γ ⊢ μ f p : Σn : N. f n = 0 from the premises Γ ⊢ f : N → N and Γ ⊢ p : ¬¬(Σn : N. f n = 0), that blocks until both arguments are closed and returns the witness extracted by Friedman's trick when this is the case. If we do not care about decidability, we could even opt for an unbounded search. Note that one must be careful to return the same integer for convertible arguments, i.e. μ must be congruent, but this is easily obtained, as the return type can be turned into an hProp by considering instead the smallest index where f evaluates to 0.

More generally, we trust that many such axioms can be added to MLTT this way. The constraints are that these axioms should be admissible on closed terms and return Σ⁰₁ formulae. Furthermore, the external process turning closed proofs into proofs of the conclusion should produce a unique term for each equivalence class of convertible arguments. We leave the exploration of this subject for a later time.
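For reference, the Σ-valued statement that this hypothetical μ primitive would inhabit can be spelled out in Coq, unfolding negation so that the whole statement lives in Type:

```coq
Definition MP_sig : Type :=
  forall f : nat -> nat,
    (({ n : nat | f n = 0 } -> False) -> False) ->
    { n : nat | f n = 0 }.
```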

CONCLUSION
In this paper, we proved that it is possible to add CTΣ to MLTT without disrupting any of the desirable properties of the resulting system, such as consistency, strong normalization and canonicity. Against all odds, the model used for this is the most straightforward one can conceive, as it boils down to the standard logical relation for MLTT. The computational content of our variant of Church's thesis is too borderline stupid to even be considered unsurprising: it computes on closed terms, period. The only mildly non-trivial phenomenon is the need for erasure of annotations and maximal η-reduction, but that trick is hardly worthy of attention. As a result, we are still bewildered as to why this problem was believed to be hard.
The theorems have been formalized in Coq, greatly reducing the risk of an accidental error in the proof. For simplicity, the development still axiomatizes the computation model in the object theory. In all likelihood, these axioms would be deemed self-evident in a computability-theory paper proof.
Finally, we believe that the generic recipe we followed for this model can be generalized to many other admissible principles in dependent type theory.