On the strength of proof-irrelevant type theories

We present a type theory with some proof-irrelevance built into the conversion rule. We argue that this feature is useful when type theory is used as the logical formalism underlying a theorem prover. We also show a close relation with the subset types of the theory of PVS. We show that in these theories, because of the additional extentionality, the axiom of choice implies the decidability of equality, that is, almost classical logic. Finally we describe a simple set-theoretic semantics.


Introduction
A formal proof system, or proof assistant, implements a formalism in a similar way a compiler implements a programming language.Among existing formalisms, dependent type systems are quite widespread.This can be related to various pleasant features; among them (1) Proofs are objects of the formalism.The syntax is therefore smoothly uniform, and proofs can be rechecked at will.Also, only the correctness of the type-checker, a relatively small and well-identified piece of software, is critical for the reliability of the system (the "de Bruĳn principle").(2) The objects of the formalism are programs (typed λ-terms) and are identified modulo computation (β-conversion).This makes the formalism well-adapted for problems dealing with program correctness.But also the conversion rule allows the computation steps not to appear in the proof; for instance 2 + 2 = 4 is simply proved by one reflexivity step, since this proposition is identified with 4 = 4 by conversion.In some cases this can lead to a dramatic space gain, using the result of certified computations inside a proof; spectacular recent applications include the formal proof of the four-color theorem [15] or formal primality proofs [18].(3) Finally, type theories are naturally constructive.This makes stating decidability results much easier.Furthermore, combining this remark with the two points above, one comes to program extraction: taking a proof of a proposition ∀x : A.∃y : B.P (x, y), one can erase pieces of the λ-term in order to obtain a functional program of type A → B, whose input and result are certified to be related by P .Up to now however, program extraction was more an external feature of implemented proof systems1 : programs certified by extraction are no longer objects of the formalism and cannot be used to assert facts like in the point above.Some related formalisms only build on some of the points above.For example PVS implements a theory whose objects are functional programs, but where proofs are not objects of the formalism.
An important remark about (2) is that the more terms are identified by the conversion rule, the more powerful this rule is.In order to identify more terms it thus is tempting to combine points (2) and (3) by integrating program extraction into the formalism so that the conversion rule does not require the computationally irrelevant parts of terms to be convertible.
In what follows, we present and argue in favor of a type-theory along this line.More precisely, we claim that such a feature is useful in at least two respects.For one, it gives a more comfortable type theory, especially in the way it handles equality.Furthermore it is a good starting point to build a platform for programming with dependent types, that is to use the theorem prover also as a programming environment.Finally, on a more theoretical level, we will also see that by making the theory more extensional, proof-irrelevance brings type theory closer to set-theory regarding the consequences of the axiom of choice.
The central idea of this work is certainly simple enough to be adjusted to various kinds of type theories, whether they are predicative or not, with various kinds of inductive types, more refined mechanisms to distinguish the computational parts of the proofs etc. . . .In what follows we illustrate it by using a marking of the computational content which is as simple as possible.The extraction function we use is quite close to Letouzey's [21,22], except that we discard the inclusion rule Prop ⊂ Type, which would complicate the definition of the type theory and the semantics (see [29] for the last point).
Related work Almost surprisingly, proof-irrelevant type theories do not seem to enjoy wide use yet.In the literature, they are often not studied for themselves, but as means for proving properties of other systems.This is the case for the work of Altenkirch [3] and Barthe [6].One very interesting work is Pfenning's modal type theory which involves proofirrelevance and a sophisticated way to pinpoint which definitional equality is to be used for each part of a term; in comparision we here stick to much simpler extraction mechanism.The NuPRL approach using a squash type [9] is very close to ours, but the extentional setting gives somewhat different results.Finally, let us mention recent work [5] by Barras and Bernardo who present a type theory with implicit arguments.This interesting proposal can be understood as a theory with proof-irrelevance, where the computational fragment is precisely Miquel's calculus [28].Their proposal can be understood as a theory similar to ours, but with a more sophisticated way to mark what is computational and what is not.

The Theory
2.1.The λ-terms.The core of our theory is a Pure Type System (PTS) extended with Σ-types and some inductive type definitions.In PTS's, the types of types are sorts; the set of sorts is S ≡ {Prop} ∪ {Type(i)|i ∈ N} As one can see, we keep the sort names of Coq.As usual, Prop is the impredicative sort and the sorts Type(i) give the hierarchy of predicative universes.It comes as no surprise that the system contains the usual syntactic constructs of PTSs; however it is comfortable, both for defining the conversion rule and constructing a model to tag the variables to indicate whether they correspond to a computational piece of code or not; in our case this means whether they live in the impredicative or a predicative level (i.e.whether the type of their type is Prop or a Type(i)).A similar tagging is done on the projections of Σ-types.Except for this detail, the backbone of the theory considered hereafter is essentially Luo's Extended Calculus of Constructions (ECC) [23].
The syntax of the ECC fragment is therefore We sometimes call raw terms these terms, when we want to stress that they are considered independently of typing issues.The tagging of Σ is there to indicate whether the second component of the pair is computational or not (the first component will always be).For the same technical reason, we also tag the second projection π 2 .
We will sometimes write x for x s , Σx : A.B for Σ s x : A.B or π 2 (t) for π s 2 (t) omitting the tag s when it is not relevant or can be infered from the context.
The binding of variables is as usual.We write t[x \ u] for the substitution of the free occurrences of variable x in t by u.As has become custom, we will not deal with α-conversion here, and leave open the choice between named variables and de Bruĳn indices.

Relaxed conversion.
The aim of this work is the study of a relaxed conversion rule.While the idea is to identify terms with respect to typing information, the tagging of impredicative vs. predicative variables is sufficient to define such a conversion in a simple syntactic way.A variable or a second projection π 2 (t) is computationally irrelevant when tagged with the * mark.This leads to the following definition.Definition 2.1 (Extraction).We can simply define the extraction relation ⊲ ε as the contextual closure of the following rewriting equations ε for the reflexive-transitive closure of ⊲ ε .We say that a term t is of tag * if t ⊲ * ε ε and of tag ⋄ if not.We write s(t) for the tag of t.
The restrictions on the right-hand side are there in order to ensure that the tag is preserved by reduction.Without them (λx ⋄ : Prop.x ⋄ Prop) can reduce either to ε or to Prop which would falsify the Church-Rosser property.Actually we will see that these restrictions are always satisfied on well-typed terms, but are necessary in order to assert the meta-theoretic properties below.While these restrictions are specific to our way of marking computational terms, other methods will probably yield similar technical difficulties.
The relaxed reduction ⊲ βε is the union of ⊲ β and ⊲ ε .We write = βε for the reflexive, symmetric and transitive closure of ⊲ βε and ⊲ * βε for the transitive-reflexive closure of ⊲ βε .It is a good feature to have the predicative universes to be embedded in each other.It has been observed (Pollack, McKinna, Barras. . . ) that a smooth way to present this is to define a syntactic subtyping relation which combines this with = β (or here = βε ).Note that this notion of subtyping should not be confused with, for instance, subtyping of subset types in the style of PVS.Definition 2.3 (Syntactic subtyping).The subtyping relation is defined on raw-terms as the transitive closure of the following equations

2.3.
Functional fragment typing rules.The typing rules for the kernel of our theory are given in PTS-style [4] and correspond to Luo's ECC.The differences are the use of subtyping in the conversion rule and the tagging of variables when they are "pushed" into the context.The rules are given in figure 1.In the rule Prod, max is the maximum of two sorts for the order Prop < Type(0) < Type(1) < . . .

Treatment of propositional equality.
Propositional equality is a first example whose treatment changes when switching to a proof-irrelevant type theory.The definition itself is unchanged; two objects a and b of a given type A are equal if and only if they enjoy the same properties a = A b ≡ ΠP : A → Prop.(P a) → (P b) It is well-known that reflexivity, symmetry and transitivity of equality can easily be proved.When seen as an inductive definition, the definition of "= A " is viewed as its own elimination principle.
Let us write refl for the canonical proof of reflexivity refl ≡ λA : Type(i).λx: A.λP : A → Prop.λp : (P x).pIn many cases, it is useful to extend this elimination over the computational levels There is however a peculiarity to Eq_rec: in Coq, it is defined by case analysis and therefore comes with a computation rule.The term (Eq_rec A P a b p e) of type (P b) reduces to p in the case where e is a canonical proof by reflexivity; in this case, a and b are convertible and thus coherence and normalization of the type theory are preserved.
As shown in the next section, such a reduction rule is useful, especially when programming with dependent types.In our proof-irrelevant theory however, we cannot rely on the information given by the equality proof e, since all equality proofs are treated as convertible.Furthermore, allowing, for any e, the reduction rule (Eq_rec A P a b p e) ⊲ p is too permissive, since it easily breaks the subject reduction property in incoherent contexts.
We therefore put the burden of checking convertibility between a and b on the reduction rule of Eq_rec by extending reduction with the following, conditional rule When being precise, this means that = εβ and ⊲ are actually two mutual inductive definitions.
An alternative would be the non-linear rule (Eq_rec A P a a p e) ⊲ p but this allows an encoding of Klop's counter-example [20] and thus breaks the Church-Rosser property (for untyped terms).We thus develop the metatheory for the first version.
2.5.Generalization.In Coq, computational eliminations are provided for more inductive definitions than just propositional equality.The condition is that (1) The definition has at most one constructor, (2) the arguments of this constructor are all, themselves, non-computational.
It appears that it is reasonably straightforward to extend our type theory, by generalizing the Eq_rec feature, in order to capture this Coq behavior in the case where the inductive definition is non-recursive.We briefly indicate how but without precise justification.The remainder of this paragraph is thus not considered in the meta-theoretical justifications; it is also not necessary for the rest of the article.We write Π x : A.T for Πx To understand the last condition, one should note that although the variables y are free in u, they do not interfere with the conversion since their types ensure they are all tagged by * .
2.6.Data Types.In order to be practical, the theory needs to be extended by inductive definitions in the style of Coq, Lego and others.We do not detail the typing rules and liberally use integers, booleans, usual functions and predicates ranging over them.We refer to the Coq documentation [11,14]; for a possibly more modern presentation [8] is interesting.
Let us just mention that data types live in Type.That is, for instance, nat : Type(0); thus, their elements are of tag ⋄.

Basic metatheory
We sketch the basic meta-theory of the calculus defined up to here.The proof techniques are relatively traditional, even if one has to take care of the more delicate behavior of relaxed reduction for the first lemmas (similarly to [29]).The delicate point was to choose the right formulation of the reduction rule specific to the elimination of propositional equality, as mentioned in section 2.4.

Corollary 3.4 (Uniqueness of product formation). If
Furthermore, ⊲ ε is obviously strongly normalizing.One therefore can "pre-cook" all terms by ⊲ ε when checking relaxed convertibility.Lemma 3.6 (pre-cooking of terms).Let t 1 and t 2 be raw terms.Let Proof.By straightforward induction over the structure of t.One uses the fact that, since x s(u) and u have the same syntactic sort, the terms t and t[x s(u) \ u] also have the same syntactic sort.

B. WERNER
Lemma 3.9 (Substitution).If Γ(x : A)∆ ⊢ t : T and Γ ⊢ a : A are derivable, if a and x have the same (syntactic) sort, then Γ∆ Proof.By induction over the structure of the first derivation, like in the usual proof.The condition over the syntactic sorts is necessary for the case of the conversion rule, in order to apply the previous lemma.Lemma 3.10 (Inversion or Stripping).If Γ ⊢ t : T is derivable, then so are Γ ⊢ wf and Γ ⊢ T : s for some sort s.Furthermore, the following clauses hold.
Simultaneously by induction over the derivation.

Corollary 3.11 (Principal type).
If Γ ⊢ t : T , then there exists U such that Γ ⊢ t : U and for all V , if Γ ⊢ t : V , then U ≤ V .
Proof.By induction over the structure of t, using the previous lemma and corollaries 3.4 and 3.5.
Of course, subject reduction holds only for ⊲ β -reduction, since ε is not meant to be typable.
Proof.By induction over the structure of t.Depending upon the position of the redex, one uses either the substitution or the stripping lemmas above.We only detail the case where a β-reduction occurs at the root of the term. If Thus we can apply lemma 3.9 to deduce s where s is the sort such that Γ(x s : U ) ⊢ V : s.The result then follows through one application of the conversion rule.Lemma 3.13.If Γ ⊢ t : T is derivable, then there exists a sort s such that Γ ⊢ T : s; furthermore Γ ⊢ T : Prop if and only if t is of tag * .
Proof.By induction over the structure of t.The Church-Rosser property ensures that Prop and Type(i) are not convertible.
A most important property is of course normalization.We do not claim any proof here, although we very strongly conjecture it.A smooth way to prove it is probably to build on top of the simple set-theoretical model using an interpretation of types as saturated Λ-sets as first proposed by Altenkirch [2,27].Conjecture 3.14 (Strong Normalization).If Γ ⊢ t : T is derivable, then t is strongly normalizing.
Stating strong normalization is important in the practice of proof-checking, since it entails decidability of type-checking and type-inference.Corollary 3.15.Given Γ, it is decidable whether Γ ⊢ wf.Given Γ and a raw term t, it is decidable whether there exists T such that Γ ⊢ t : T holds.
Proof.By induction over the structure of t, using the stripping lemma.Normalization ensures that the relation ≤ is decidable for well-formed types.
The other usual side-product of normalization is a syntactic assessment of constructivity.Proof.By case analysis over the normal form of t, using the stripping lemma.

Programming with dependent types
We now list some applications of the relaxed conversion rule, which all follow the slogan that proof-irrelevance makes programming with dependent types more convenient and efficient.
From now on, we will write {x : A|P } for Σ * x : A.P , that is for a Σ-type whose second component is non-computational.

Dependent equality.
Programming with dependent types means that terms occur in the type of computational objects (i.e.not only in propositions).The way equality is handled over such families of types is thus a crucial point which is often problematic in intensional type theories.
Let us take a simple example.Suppose we have defined a data-type of arrays over some type A. If n is a natural number, (tab n) is the type of arrays of size n.That is tab : nat → Type(i).Furthermore, let us assume we have a function modeling access to the array acc : Πn : nat.tab n → nat → A.
Commutativity of addition can be proved in the theory: com : Πm, p : nat.(m + p) = (p + m).Yet tab (m + p) and tab (p + m) are two distinct types with distinct inhabitants.For instance, if we have an array t : tab (m + p), we can use the operator Eq_rec described above to transform it into an array of size p + m Of course, t and t ′ should have the same inhabitants, and we would like to prove Πi : nat.acc (m + p) t i = A acc (p + m) t ′ i It is known [19,25] that in order to do so, one needs the reduction rule for Eq_rec together with a proof that equality proofs are unique.where refl stands for the canonical proof by reflexivity.
Here, since equality proofs are also irrelevant to conversion, this axiom becomes trivial.Actually, since (P e) and (P (refl a)) are convertible, this statement does not even need to be mentioned anymore, and the associated reduction rule becomes superfluous.
In general, it should be interesting to transpose work like McBride's [25] in the framework of proof-irrelevant theories.

Partial functions and equality over subset types.
In the literature of type theory, subset types come in many flavors; they designate the restriction of a type to the elements verifying a certain predicate.The type {x : A|P } can be viewed as the constructive statement "there exists an element of A verifying P ", but also as the data-type A restricted to elements verifying P .In most current intensional type theories, the latter approach is not very practical since equality is defined over it in a too narrow way.We have < a, p > = β < a ′ , p ′ > only if a = β a ′ and p = β p ′ ; the problem is that one would like to get rid of the second condition.The same is true for propositional Leibniz equality and one can establish < a, p > = {x:A|P } < a, p ′ > → p = P [x\a] p ′ In general however, one is only interested in the validity of the assertion (P a), not the way it is proved.A program awaiting an argument of type {x : A|P } will behave identically if fed with < a, p > or < a, p ′ > .Therefore, each time a construct {x : A|P } is used indeed as a data-type, one cannot use Leibniz equality in practice.Instead, one has to define a less restrictive equivalence relation ≃ A,P which simply states that the two first components of the pair are equal < a, p > ≃ A,P < a ′ , p ′ > ≡ a = A a ′ But using ≃ A,P instead of = {x:A|P } quickly becomes very tedious; typically, for every function f : {x : A|P } → B one has to prove and even more specific statements if B is itself a subset type.
In our theory, one can prove without difficulties that = {x:A|P } and ≃ A,P are equivalent, and there is indeed no need anymore for defining ≃ A,P .Furthermore, one has < a, p > = βε < a, p ′ > , so the two terms are computationally identified which is stronger than Leibniz equality, avoids the use of the deductive level and makes proofs and developments more concise.
Array bounds.The same can be observed when partial functions are curryfied.Let us take again the example of arrays, but suppose this time the access function awaits a proof that the index is within the bounds of the array.tab : nat → Type(i) acc : Πn : nat.tab n → Πi : nat.i < n → A So given an array t of size n, its corresponding access function is a ≡ acc n t : Πi : nat.i < n → A In traditional type theory, this definition is cumbersome to use, since one has to state explicitly that the values (a i p i ), where p i : i < n do not depend upon p i .The type above is therefore not sufficient to describe an array; instead one needs the additional condition T irr : Πi : nat.Πp i , p ′ i : i < n.(a i p i ) = A (a i p ′ i ) where = A stands for the propositional Leibniz equality.This is again verbose and cumbersome since T irr has to be invoked repeatedly.In our theory, not only the condition T irr becomes trivial, since for any p i and p ′ i one has (a i p i ) = βε (a i p ′ i ), but this last coercion is stronger than propositional equality: there is no need anymore to have recourse to the deductive level and prove this equality.The proof terms are therefore clearer and smaller.

On-the-fly extraction.
An important point, which we only briefly mention here is the consequence for the implementation when switching to a proof-irrelevant theory.In a proofchecker, the environment consists of a sequence of definitions or lemmas which have been type-checked.If the proof-checker implements a proof-irrelevant theory, it is reasonable to keep two versions of each constant: the full proof-term, which can be printed or re-checked, and the extracted one (that is ⊲ ε -normalized) which is used for conversion check.This would be even more natural when building on recent Coq implementations which already B. WERNER use a dual storing of constants, the second representation being non-printable compiled code precisely used for fast conversion check.
In other words, a proof-system built upon a theory as the one presented here would allow the user to efficiently exploit the computational behavior of a constructive proof in order to prove new facts.This makes the benefits of program extraction technology available inside the system and helps transforming proof-system into viable programming environments.

Relating to PVS
Subset types also form the core of PVS.In this formalism the objects of type {x : A|P } are also of type A, and objects of type A can be of type {x : A|P }.This makes type checking undecidable and is thus impossible in our setting.But we show that it is possible to build explicit coercions between the corresponding types of our theory which basically behave like the identity.
What is presented in this section is strongly related to the work of Sozeau [35], which describes a way to provide a PVS style input mode for Coq.
The following lemma states that the construction and destruction operations of our subset types can actually be omitted when checking conversion.

Lemma 5.1 (Singleton simplification). The typing relation of our theory remains unchanged if we extend the ⊲ ε reduction of our theory by
The following definition is directly transposed3 from PVS [31].We do not treat dependent types in full generality (see chapter 3 of [31]).Definition 5.2 (Maximal super-type).The maximal super-type is a partial function µ from terms to terms, recursively defined by the following equations.In all these equations, A and B are of type Type(i) in a given context.
Definition 5.3 (η-reduction).The generalized η-reduction, written ⊲ η , is the contextual closure of We can now construct the coercion function from A to µ(A).

Lemma 5.4. If
• there exists a function µ(A) which is of type A → µ(A) in Γ, • furthermore, when applying the singleton simplification S to µ(A) one obtains an ηexpansion of the identity function; to be precise, S(µ(A)) ⊲ * εβη λx : A.x. Proof.It is almost trivial to check that Γ ⊢ µ(A) : Type(i).The two other clauses are proved by induction over the structure of A.
Furthermore, since P : Prop, π 1 (x) is here simplified to x, and by induction hypothesis we know that S(µ(B)) x reduces to x.We can conclude that S(µ(A)) ⊲ * εβη λx : {x Again, the induction hypotheses assure that µ(A) ⊲ * εβη λx : B × C.x.The opposite operation, going from from µ(A) to A, can only be performed when some conditions are verified (type-checking conditions, or TCC's in PVS terminology).We can also transpose this to our theory, still keeping the simple computational behavior of the coercion function.This time however, our typing being less flexible than PVS', we have to define the coercion function and its type simultaneously; furthermore, in general, this operation is well-typed only if the type-theory supports generalized η-reduction 4 .
This unfortunate restriction is typical when defining transformations over programs with dependent types.It should however not be taken too seriously, and we believe this cosmetic imperfection can generally be tackled in practice 5 .Lemma 5.5 (subtype constraint).Given Γ ⊢ A : Type(i), if µ(A) is defined, then one can define π(A) and π(A) such that, in the theory where conversion is extended with ⊲ η , one has Proof.By straightforward induction.We only provide detail for the case where For one, in practical cases, η-does not seem necessary very often (only with some nested existentials).And even then, it should be possible to tackle the problem by proving the corresponding equality on the deductive level.

A more extensional theory
Especially during the 1970s and 1980s, there was an intense debate about the respective advantages of intensional versus extensional type theories.The latter denomination seems to cover various features like replacing conversion by propositional equality in the conversion rule or adding primitive quotient types.In general, these features provide a more comfortable construction of some mathematical concepts and are closer to set-theoretical practice.But they break other desirable properties, like decidability of type-checking and strong normalization.
The theory presented here should therefore be considered as belonging to the intentional family.However, we retrieve some features usually understood as extensional.If we use a Σ-type, we get a type which obviously inhabited, using the projections π 1 and π 2 .However, if we read the existential quantifiers of AC as defined above, we obtain a (non-computational) proposition which is not provable in type theory.
Schematically, this propositions states that if Πx : A.∃y : B.R(x, y) is provable, then the corresponding function from A to B exists "in the model".This assumption is strong and allows to encode IZF set theory into type theory (see [36]).
What is new is that our proof-irrelevant type theory is extensional enough to perform the first part of Goodman and Myhill's proof based on Diaconescu's observation.Assuming AC, we can prove the decidability of equality.Consider any type A and two objects a and b of type A. We define a type corresponding to the unordered pair Finally given such a function f , one can compare (f a ′ ) and (f b ′ ), since both are booleans over which equality is decidable.
The key point is then that, thanks to proof-irrelevance, the equivalence between a ′ = {a,b} b ′ and a = A b is provable in the theory.Therefore, if (f a ′ which is a quite classical statement.We have formalized this proof in Coq, assuming proofirrelevance as an axiom.Note of course that this "decidability" is restricted to a disjunction in Prop and that it is not possible to build an actual generic decision function.Indeed, constructivity of results in the predicative fragment of the theory are preserved, even if assuming the excluded-middle in Prop.

6.2.
Other classical non-computational axioms.At present, we have not been able to deduce the excluded middle (EM) from the statement above6 .We leave this theoretical question to future investigations but it seems quite clear that in most cases, when admitting AC one will also be willing to admit EM.In fact both axioms are validated by the simple set-theoretical model and give a setting where the Type(i)'s are inhabited by computational types (i.e. from {x : A|P } we can compute x of type A) and Prop allows classical reasoning about those programs.
Another practical statement which is validated by the set-theoretical model is the axiom that point-wise equal functions are equal (EXT) ΠA, B : Type(i).Πf, g : Note that combining this axiom with AC (and thus decidability of equality) is already enough to prove (in Prop) the existence of a function deciding whether a Turing machine halts.6.3.Quotients and normalized types.Quotient sets are a typically extensional concept whose adaptation to type theory has always been problematic.Again, one has to choose between "effective" quotients and decidability of type-checking.Searching for a possible compromise, Courtieu [13] ended up with an interesting notion of normalized type 7 Finally we write x ∈ A → t for the set-theoretical function construction and, of course, f (x) for set-theoretical function application.7.2.Construction.Over the ECC fragment of the type theory, the interpretation is constructed straightforwardly.The fact that non-computational terms are syntacticly tagged makes the definition easier.We define Definition 7.1.For any mapping I from variables to i∈N U i , we define a mapping associating a set |Γ ⊢ t| I to a term t and a context Γ.This function is defined by induction over the size of t by the following equations of figure 2; we can restrict ourselves to the case where Γ ⊢ t : T for some T .
The following extension of interpretations to contexts is the usual.• The cases of the projections, since |Γ ⊢ π i (t)| I is only defined when |Γ ⊢ t| I is a (settheoretic) pair.Note also that the definition depends upon Γ only to discriminate between the case where Πx : A.B is impredicative and is not.A more interesting technical point is the last clause: by anticipating the reduction of Eq_rec we have a total definition which is obviously invariant by reduction.Proof.By a simple induction over the structure of the derivation.
Note that in the case where t is of the form Πy : A.B, one uses the fact that typing is preserved by substitution (lemma 3.9) in order to ensure that the applied clause remains the same (Πx : A.B being of type Prop or Type(i)).Proof.By induction over the typing derivation.As pointed out in [29], the restriction on the β-reduction that ensures that the tag does not change is essential here.It is easy to check that the axioms AC, EM and EXT of the previous section are valid in this model.

Conclusion and further work
We have tried to show that a relaxed conversion rule can make type theories more practical, without necessarily giving up normalization or decidable type checking.In particular, we have shown that this approach brings closer the world of PVS and type theories of the Coq family.
We also view this as a contribution to closing the gap between proof systems like Coq and safe programming environments like Dependent ML or ATS [10,37].But this will only be assessed by practice; the first step is thus to implement such a theory.

Acknowledgements
Christine Paulin deserves special thanks, since she me gave the idea of a relaxed conversion rule long ago as well as the hint for the computation rule of paragraph 2.4.Bruno Barras was very helpful by pointing out some errors and Makoto Tatsuta by helping me to check that defining simultaneously reduction and conversion did not break Church-Rosser.A question of Russell O'Connor suggested the generalization of paragraph 2.5.This work also benefited from discussions with Bruno Barras, Hugo Herbelin and Benjamin Grégoire.Anonymous referees gave numerous useful comments and hints.

Definition 2 . 2 (
Reduction).The β-reduction ⊲ β is defined as the contextual closure of the following equations
The latter property being generally established by a variant of what Streicher calls the "K axiom" K : ΠA : Type.Πa : A.ΠP : a = A a → Prop.(P (refl a)) → Πe : a = A a.(P e)

6. 1 .
The axiom of choice.Consider the usual form of the (typed) axiom of choice (AC)(∀x : A.∃y : B.R(x, y)) ⇒ ∃f : A → B.∀x : A.R(x, f x)When we transpose it into our type theory, we can choose to translate the existential quantifier either by a Σ-type, or the existential quantifier defined in Prop ∃x : A.P ≡ ΠQ : Prop.(Πx : A.P → Q) → Q : Prop {a, b} ≡ {x : A|x = A a ∨ x = A b} Let us write a ′ (resp.b ′ ) for the element of {a, b} corresponding to a (resp.b); so π 1 (a ′ ) = βε a and π 1 (b ′ ) = βε b.It is then easy to prove that Πz : {a, b}.∃e : bool.(e= bool true ∧ π 1 (z) = A a) ∨ (e = bool false ∧ π 1 (z) = A b) and from the axiom of choice we deduce ∃f : {a, b} → bool.Πz : {a, b}.(f z = bool true ∧ π 1 ) and (f b ′ ) are different, so are a and b.On the other hand, if (f a ′ ) = bool (f b ′ ) = bool true then π 1 (b ′ ) = A a and so b = A a. In the same way, (f a ′ ) = bool (f b ′ ) = bool false entails b = A a. We thus deduce a = A b ∨ a = A b and by generalizing with respect to a, b and A we obtain ΠA : Type(i).Πa, b : A.a = A b ∨ a = A b . The idea is remarkably simple: given a function f : A → B, we can define {(f x)|x : A} which is the subtype of B corresponding to the range of f .His rules are straightforwardly translated into our theory by simply taking {f (x)|x : A} ≡ {y : B|∃x : A.y = B f x} Courtieu also gives the typing rules for functions going from A to {f (x)|x : A}, and back in the case where f is actually of type A → A. The relation with quotients being that in the case f : A → A we can understand {f (x)|x : A} as the type A quotiented by the relation x R y ⇐⇒ f x = A f y In practice this appears to be often the case, and Courtieu describes several applications.|Γ ⊢ t| I ≡ ∅ if t is of sort * In the other cases: |Γ ⊢ x ⋄ | I ≡ I(x ⋄ ) |Γ ⊢ λx : A.t| I ≡ α ∈ |Γ ⊢ A| I → |Γ(x : A) ⊢ t| I;x←α |Γ ⊢ (t u)| I ≡ |Γ ⊢ t| I (|Γ ⊢ u| I ) |Γ ⊢ Σx : A.B| I ≡ Σ α∈|Γ⊢A| I |Γ(x : A) ⊢ B| I;x←α |Γ ⊢ Πx : A.B| I ≡ α∈|Γ⊢A| I |Γ(x : A) ⊢ B| I;x←α if Γ ⊢ Πx : A.B : Prop |Γ ⊢ Πx : A.B| I ≡ Π α∈|Γ⊢A| I |Γ(x : A) ⊢ B| I;x←α in the other cases

Figure 2 :
Figure 2: Definition of the semantics

Definition 7 . 2 .
We define the condition I ∈ |Γ| by the following clauses • I ∈ |[]|, • I ∈ |Γ| ∧ I(x) ∈ |Γ ⊢ A| I ⇒ I ∈ |Γ(x : A)|.This definition should not be surprising.It is a partial definition, because of two clauses • The case of the application, since |Γ ⊢ (t u)| I is only defined when |Γ ⊢ t| I is a (settheoretic) function and its domains contains |Γ ⊢ u| I .
Thus, the same is true if t ⊲ * βε t ′ .Proof.By a straightforward case analysis of the form of t. (β-postponement).If t ⊲ * βε t ′ , then there exists t ′′ such that t ⊲ * ε t ′′ and t ′′ ⊲ * β t ′ .Proof.One first shows that if t ⊲ β t ′ ⊲ ε t ′′ , then there exists t ′′′ such that t ⊲ * ε t ′′′ and either t ′′′ = t ′′ or t ′′′ ⊲ β t ′′ .This is done by checking how the two redexes are located with respect to each other.The proof of the lemma then easily follows.(Church-Rosser).For t a raw term, if t ⊲ * βε t 1 and t ⊲ * βε t 2 , then there exists t 3 such that t 2 ⊲ * βε t 3 and t 2 ⊲ * βε t 3 .Proof.By a quite straightforward adaptation of the usual Tait and Martin-Löf method.
t ′ 1 and t ′ 2 be their respective ⊲ ε -normal forms.Then, t 1 = βε t 2 if and only if t ′ 1 = β t ′ 2 .While this property is important for implementation, its converse is also true and semantically understandable.Computationally relevant β-reductions are never blocked by not-yet-performed ε-reductions.Let t 1 be any raw term.Suppose t 1 ⊲ ε t 2 ⊲ β t 3 .Then there exists t 4 such that t 1 ⊲ β t 4 ⊲ * ε t 3 .Proof.It is easy to see that ⊲ ε cannot create new β-redexes, nor does it duplicate existing ones.If t⊲ βε t ′ , for any term u and variable x s(u) , one has t[x s