A Focused Sequent Calculus Framework for Proof Search in Pure Type Systems

Basic proof-search tactics in logic and type theory can be seen as the root-first applications of rules in an appropriate sequent calculus, preferably without the redundancies generated by permutation of rules. This paper addresses the issues of defining such sequent calculi for Pure Type Systems (PTS, which were originally presented in natural deduction style) and then organizing their rules for effective proof-search. We introduce the idea of Pure Type Sequent Calculus with meta-variables (PTSCalpha), by enriching the syntax of a permutation-free sequent calculus for propositional logic due to Herbelin, which is strongly related to natural deduction and already well adapted to proof-search. The operational semantics is adapted from Herbelin's and is defined by a system of local rewrite rules as in cut-elimination, using explicit substitutions. We prove confluence for this system. Restricting our attention to PTSC, a type system for the ground terms of this system, we obtain the Subject Reduction property and show that each PTSC is logically equivalent to its corresponding PTS, and the former is strongly normalising iff the latter is. We show how to make the logical rules of PTSC into a syntax-directed system PS for proof-search, by incorporating the conversion rules as in syntax-directed presentations of the PTS rules for type-checking. Finally, we consider how to use the explicitly scoped meta-variables of PTSCalpha to represent partial proof-terms, and use them to analyse interactive proof construction. This sets up a framework PE in which we are able to study proof-search strategies, type inhabitant enumeration and (higher-order) unification.


Introduction
Pure Type Systems (PTS) [Bar92] form a convenient framework for representing a range of different extensions of the simply-typed λ-calculus, such as those comprising the Barendregt Cube. System F, System Fω [Gir72], System λΠ [Daa80, HHP87], and the Calculus of Constructions (CoC) [CH88] are examples of such systems, on which several major proof assistants are based (e.g. Coq [Coq], Lego [LP92], and the Edinburgh Logical Framework [HHP87]; Higher-Order Logic can also be presented as a PTS, but this is not the basis of its principal implementation [HOL]).
With typed λ-calculus as their basis, such systems are traditionally presented in natural deduction style, with rules introducing and eliminating logical constants (aka type constructors). Dowek [Dow93] and Muñoz [Muñ01] show how to perform proof search in this style, enumerating type inhabitants in such systems.
This however misses out on the advantages of sequent calculus [Gen35] for proof search. As suggested by Plotkin [Plo87], a Gentzen-style sequent calculus (with left and right introduction rules) can be used as a basis for proof search in the case of λΠ [PW91,Pym95] (later extended to any PTS [GR03]). However, the permutations of inference steps available in a Gentzen-style calculus (such as G3 [Kle52]) introduce some extra non-determinism in proof search.
Herbelin [Her94,Her95] introduced a permutation-free calculus LJT for intuitionistic logic, exploiting the focusing ideas of Andreoli [And92], Danos et al. [DJS95] and (ultimately) ideas from Girard's linear logic [Gir87]. Such calculi have been considered as a basis for proof search in intuitionistic logic [DP99b], generalising the uniform proof approach to logic programming (see [MNPS91] for hereditary Harrop logic). A version with cut rules and proof-terms forms an explicit substitution calculus λ̄ [Her94, DU03] with a strong connection to (call-by-name) β-reduction and abstract machines such as that of Krivine [Kri].
This forms a sequent calculus counterpart to the Curry-Howard correspondence, on the basis of which type theory can be reformulated with a view to formalising proof search. This paper (detailing and extending [LDM06]; see also [Len06]) completes this programme, reformulating PTSs as Pure Type Sequent Calculi (PTSC). It follows the earlier work in [PD98] that relates λ̄ to proof search in the λΠ-calculus [PW91,Pym95].
This gives a secure but simple theoretical basis for the implementation of PTS-based systems such as Coq [Coq] and Lego [LP92]; these proof assistants feature interactive proof construction methods using proof search tactics. As noticed by [McK97], the primitive tactics are in an inexact correspondence with the inference rules of the underlying natural deduction formalism: while the tactic intro does correspond to the right-introduction rule for Π-types (whether in natural deduction or in sequent calculus), the tactics apply in Coq and Refine in Lego are much closer (in spirit) to the left-introduction rule for Π-types in the focused sequent calculus LJT than to the Π-elimination rule in natural deduction. However, the aforementioned tactics are also able to postpone the investigation of the first premiss and start investigating the second, which leads to incomplete proof-terms and unification constraints to be solved. This paper integrates these features into PTSC using explicitly scoped meta-variables (whereas [McK97] investigated the use of Lego's local definition mechanism [LP92]). This sets up a framework, called PTSCα, for the analysis and definition of interactive proof construction tactics (as in Coq and Lego), as well as type inhabitant enumeration (see [Dow93,Muñ01]).
Of course, formalising proof-search mechanisms has been investigated before, if only to design tactic languages such as Delahaye's Ltac and Lpdt [Del01]. Also noteworthy here are McBride's and Jojgov's PhD theses [McB00,GJ02], which consider extensions of type theory to admit partial proof objects. Using meta-variables similar to ours, Jojgov shows how to manage explicitly their progressive instantiation via a definitional mechanism, and compares this with Delahaye's Ltac and Lpdt.
While formalising the connections with this line of research remains future work, the novelty of our approach here is to use the sequent calculus to bridge the usual gap (particularly wide for PTS and their implementations) between the rules defining a logic and the rules describing proof search steps. A by-product of this bridge is ensuring the correctness of proof-search, whose output thus need not be type-checked (as it currently is, in most proof assistants).
One reason why this is possible in our framework is that it can decompose (and thus account for) some mechanisms that are usually externalised and whose outputs usually need to be type-checked, like unification (including higher-order unification [Hue76]). Indeed, it integrates the fact, first exposed in [Dow93], that proof-search and unification merge in type theory into a single process.
While the rules of our framework may not be deterministic enough to be considered as specifying an algorithm, they are atomic enough to provide an operational semantics in which algorithms such as those above can be specified. They thus provide a semantics not only for type inhabitation algorithms, but also, more generally, for tactic languages and, more originally, for unification algorithms.
It is convenient to summarise the relationship between our work and that of our predecessors as follows:

[Table relating System PE to the systems of previous work omitted.]
As an example, we consider the commutativity of conjunction expressed in (the PTSCα corresponding to) System F, presented in [LDM06] with no meta-variables. We show here how meta-variables improve the formalisation of proof-search.
The paper's structure is as follows: Section 1 presents the syntax of PTSCα and gives the rewrite rules for normalisation. Section 2 connects the syntax with that of λ-calculus and derives from this connection the confluence of the PTSCα-calculus. Section 3 presents a parametric typing system PTSC for ground terms (i.e. terms with no meta-variables), and states and proves properties such as Subject Reduction. Section 4 establishes the correspondence between a PTSC and the PTS with the same parameters; we show type preservation and the strong normalisation result. Section 5 discusses proof-search in a PTSC. Section 6 introduces the inference system PTSCα, i.e. with meta-variables, as a way to formalise incomplete proofs and operationalise proof-search. Section 7 shows the aforementioned example. These are followed by a conclusion and a discussion of directions for further work.
Some ideas and results of this paper (namely Sections 2, 3 and 4, which were already in [LDM06]) have been formalised and proved in Coq [Sil09]. This was done using a De Bruijn index representation, as provided by e.g. [Len06].
1 Syntax and operational semantics of PTSCα

1.1 Syntax

We consider an extension (with type annotations) of the proof-term syntax λ̄ of Herbelin's focused sequent calculus LJT [Her95]. As in λ̄, Pure Type Sequent Calculi feature two syntactic categories: that of terms and that of lists. The syntax of PTSCα depends on a given set S of sorts, written s, s′, . . ., a denumerable set X of variables, written x, y, z, . . ., and two denumerable sets of meta-variables: those for terms, written α, α′, . . ., and those for lists, written β, β′, . . .. These meta-variables come with an intrinsic notion of arity.
Definition 1 (Terms) The set T of terms (denoted M, N, P, . . . , A, B, . . .) and the set L of lists (denoted l, l′, . . .) are inductively defined by

M, N, P, A, B ::= s | Πx A .M | λx A .M | x l | M l | ⟨M/x⟩N | α(M 1 , . . . , M n )
l ::= [] | M ·l | l@l′ | ⟨M/x⟩l | β(M 1 , . . . , M n )

where n is the arity of α and β. Πx A .M , λx A .M , and ⟨N/x⟩M bind x in M , and ⟨M/x⟩l binds x in l, thus defining the free variables of a term M (resp. a list l), denoted FV(M ) (resp. FV(l)), as well as α-conversion, issues of which are treated in the usual way. Note that FV(α(M 1 , . . . , M n )) = FV(β(M 1 , . . . , M n )) = FV(M 1 ) ∪ · · · ∪ FV(M n ); see the discussion on meta-variables below.
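For readers who prefer code, the two syntactic categories and the free-variable computation of Definition 1 can be sketched as follows. This is a minimal illustration in Python, not part of the paper's formal development; all constructor names are our own.

```python
# Sketch (not from the paper) of the two syntactic categories of PTSCalpha,
# with the free-variable computation of Definition 1.
from dataclasses import dataclass
from typing import List as PyList

class Term: pass
class Lst: pass

@dataclass
class Sort(Term):   name: str                      # s
@dataclass
class Pi(Term):     x: str; A: Term; M: Term       # Pi x^A . M   (binds x in M)
@dataclass
class Lam(Term):    x: str; A: Term; M: Term       # lambda x^A . M
@dataclass
class AppVar(Term): x: str; l: Lst                 # x l
@dataclass
class Cut(Term):    M: Term; l: Lst                # M l
@dataclass
class Subst(Term):  N: Term; x: str; M: Term       # <N/x> M      (binds x in M)
@dataclass
class MetaT(Term):  name: str; args: PyList[Term]  # alpha(M1, ..., Mn)

@dataclass
class Nil(Lst):    pass                            # []
@dataclass
class Cons(Lst):   M: Term; l: Lst                 # M . l
@dataclass
class Concat(Lst): l1: Lst; l2: Lst                # l1 @ l2
@dataclass
class SubstL(Lst): M: Term; x: str; l: Lst         # <M/x> l      (binds x in l)
@dataclass
class MetaL(Lst):  name: str; args: PyList[Term]   # beta(M1, ..., Mn)

def fv(t):
    """Free variables; for meta-variables, FV(alpha(M1..Mn)) = union of FV(Mi)."""
    if isinstance(t, Sort): return set()
    if isinstance(t, (Pi, Lam)): return fv(t.A) | (fv(t.M) - {t.x})
    if isinstance(t, Subst): return fv(t.N) | (fv(t.M) - {t.x})
    if isinstance(t, SubstL): return fv(t.M) | (fv(t.l) - {t.x})
    if isinstance(t, AppVar): return {t.x} | fv(t.l)
    if isinstance(t, Cut): return fv(t.M) | fv(t.l)
    if isinstance(t, (MetaT, MetaL)):
        return set().union(*[fv(a) for a in t.args]) if t.args else set()
    if isinstance(t, Nil): return set()
    if isinstance(t, Cons): return fv(t.M) | fv(t.l)
    if isinstance(t, Concat): return fv(t.l1) | fv(t.l2)
    raise TypeError(t)
```

For instance, `fv` applied to λx *.x (y []·[]) returns {y}, since x is bound.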
Let A→B denote Πx A .B when x ∉ FV(B). Terms and lists without meta-variables are called ground terms and ground lists, respectively. (Previously, these were just called terms and lists in [LDM06].)
A term M is closed if FV(M ) = ∅.
Lists are used to represent sequences of arguments of a function, with the term x l (resp. M l) representing the application of x (resp. M ) to the list of arguments l. Note that a variable alone is not a term; it has to be applied to a list, possibly the empty list, denoted []. The list with head M and tail l is denoted M ·l, with a typing rule corresponding to the left-introduction of Π-types (cf. Section 3). (A figure showing the generic structure of a λ-term and its representation in λ̄ is omitted here.) Successive applications give rise to the concatenation of lists, denoted l@l′, and ⟨M/x⟩N and ⟨M/x⟩l are explicit substitutions, on terms and lists, respectively. They will be used in two ways: first, to instantiate a universally quantified variable, and second, to describe explicitly the interaction between the constructors in the normalisation process (given in section 1.2).
Among the features that we add to the syntax of λ̄, our meta-variables can be seen as higher-order variables. This is quite similar to CRS [Klo80], in that unknown terms are represented by (meta/higher-order) variables applied to the series of (term-)variables that could occur freely in those terms, e.g. α(x, y) (or more formally α(x [], y [])) to represent an unknown term M in which x and y could occur free. These arguments can later be subject to substitutions, so that α(N, P ) will represent ⟨N, P/x, y⟩M . In other words, a meta-variable on its own stands for something closed, e.g. x.y.M with FV(M ) ⊆ {x, y}. This allows us to consider a simple notion of α-conversion, with λx s .α(x []) α-convertible to λy s .α(y []). This kind of meta-variable differs from that in [Muñ01], which is rather in the style of ERS [Kha90], where the variables that could occur freely in the unknown term are not specified explicitly. The drawback of our approach is that we have to know in advance the variables that might occur free in the unknown term, but in a typed setting such as proof search these are actually the variables declared in the typing environment. Moreover, although specifying explicitly the variables that could occur free in an unknown term might seem heavy, it actually avoids the usual (non-)confluence problems that arise when terms contain meta-variables in the style of ERS. The solution in [Muñ01] has the drawback of not simulating β-reduction (although the reductions reach the expected normal forms).

1.2 Operational semantics
The operational semantics of PTSCα is given by a reduction system presented in Fig 1, extending (with rules A2, Cα and Dβ) that in [LDM06], and comprising subsystems B, x′, xsubst′ and combinations thereof. Side-conditions to avoid variable capture can be inferred from the reduction rules. Confluence of the system is proved in section 2. We denote by −→G the contextual closure of the reduction relation defined by any system G of rewrite rules (such as B, xsubst′, x′). The transitive closure of −→G is denoted by −→+G, its reflexive and transitive closure is denoted by −→*G, and its symmetric reflexive and transitive closure is denoted by ←→*G. The set of strongly normalising elements (those from which no infinite −→G-reduction sequence starts) is SNG. When not specified, G is assumed to be the system B, x′ from Fig. 1.

Note that there is no binding mechanism for meta-variables in the syntax of PTSCα, but at the meta-level there is a natural notion of instantiation, which we present only in section 6. We thus emphasise the fact that instantiation of meta-variables never occurs during computation; in that respect, meta-variables really behave like constants or term constructors. See the discussion at the end of section 2.

We now show that system x′ is terminating. If we add rule B, then the system fails to be terminating unless we only consider terms that are typed in a normalising typing system.
We can encode terms and lists into a first-order syntax given by a suitable signature, which we may then equip with a well-founded precedence relation. The lexicographic path ordering (lpo) induced on the first-order terms is then also well-founded (definitions and results can be found in [KL80]). The aforementioned encoding is given in Fig 2.

Theorem 1 System x′ is terminating.
Proof: By simultaneous induction on M, l.
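To make the termination argument concrete, the following sketch (our own; the symbols and precedence are simplified stand-ins for the signature of Fig 2) implements the standard lexicographic path ordering on first-order terms:

```python
# Sketch (our own code) of the lexicographic path ordering (lpo) used in the
# termination argument.  First-order terms are (symbol, subterm, ...) tuples;
# the precedence is a map from symbol to an integer rank (higher = bigger).
# Both the symbols and the ranks here are hypothetical.
PREC = {"cut": 3, "sub": 2, "app": 1, "nil": 0}

def lpo_gt(s, t):
    """s >_lpo t, following the standard definition."""
    f, ss = s[0], s[1:]
    g, ts = t[0], t[1:]
    # case 1: some immediate subterm of s is >= t
    if any(si == t or lpo_gt(si, t) for si in ss):
        return True
    # case 2: f > g in the precedence, and s dominates every subterm of t
    if PREC[f] > PREC[g]:
        return all(lpo_gt(s, tj) for tj in ts)
    # case 3: f = g, compare subterm lists lexicographically,
    # with s dominating the remaining subterms of t
    if f == g:
        for si, ti in zip(ss, ts):
            if si == ti:
                continue
            return lpo_gt(si, ti) and all(lpo_gt(s, tj) for tj in ts)
        return False
    return False
```

With this precedence, a cut-headed term dominates the corresponding sub-headed term, which is the shape of decrease the encoding of Fig 2 is designed to exhibit.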

λ-terms and Confluence
In this section we define encodings between the syntax of PTSCα and that of Pure Type Systems (PTS), i.e. a variant of λ-terms. Since, in the latter, the only reduction rule (namely β) is confluent, we infer from the encodings the confluence of PTSCα.
The difficulty lies in the encoding of meta-variables.
We briefly recall the syntax and operational semantics of PTS. The terms (denoted t, u, v, T, U, V, . . .) have the following syntax:

t, u ::= s | x | Πx T .t | λx T .t | t u

which is equipped with the β-reduction rule (λx v .t) u −→β {u/x}t, in which the substitution is implicit, i.e. is a meta-operation.
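The β-rule with implicit (meta-level) substitution can be sketched as follows, using a de Bruijn representation to avoid α-conversion issues. This is our own illustration; the term encodings are hypothetical.

```python
# Sketch (ours) of PTS beta-reduction with *implicit* substitution, using
# de Bruijn indices.  Terms:
#   ("var", n) | ("sort", s) | ("lam", T, t) | ("pi", T, t) | ("app", t, u)
def shift(t, d, c=0):
    """Add d to every variable index >= cutoff c."""
    tag = t[0]
    if tag == "var":
        return ("var", t[1] + d) if t[1] >= c else t
    if tag == "sort":
        return t
    if tag in ("lam", "pi"):
        return (tag, shift(t[1], d, c), shift(t[2], d, c + 1))
    return ("app", shift(t[1], d, c), shift(t[2], d, c))

def subst(t, u, j=0):
    """{u/j}t, the meta-level substitution of the beta rule."""
    tag = t[0]
    if tag == "var":
        if t[1] == j:
            return shift(u, j)               # u adjusted for binders crossed
        return ("var", t[1] - 1) if t[1] > j else t
    if tag == "sort":
        return t
    if tag in ("lam", "pi"):
        return (tag, subst(t[1], u, j), subst(t[2], u, j + 1))
    return ("app", subst(t[1], u, j), subst(t[2], u, j))

def beta_step(t):
    """One leftmost-outermost beta step; None if t is beta-normal."""
    if t[0] == "app" and t[1][0] == "lam":
        return subst(t[1][2], t[2])          # (lam T. b) u  -->  {u/0}b
    for i in range(1, len(t)):
        if isinstance(t[i], tuple):
            r = beta_step(t[i])
            if r is not None:
                return t[:i] + (r,) + t[i + 1:]
    return None
```

A de Bruijn representation is also the one used in the Coq formalisation mentioned above [Sil09, Len06].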
In order to interpret the meta-variables of PTSCα, we need to reserve some of the traditional variables of PTS for the specific purpose of encoding meta-variables.
More specifically, for each meta-variable α (resp. β) of arity k, we reserve a λ-calculus variable which we write α k (resp. β k ). Fig. 3 shows the encoding of the syntax of PTSCα into that of PTS. Meta-variables for terms are encoded naturally, although note that we make their arity explicit in the encoding. The case of meta-variables for lists is more subtle, since the translation of lists is parameterised by the future head variable. How can we relate such a variable to a list of terms that is (as yet) unknown? We simply give it as an extra argument (the first, in fact) of the encoded meta-variable.
The key properties of this encoding are proved by simultaneous induction on the derivation step and case analysis.

Fig. 4 shows the encoding of the syntax of PTS into that of PTSCα. It is simply the adaptation to the higher-order case of Prawitz's translation from natural deduction to sequent calculus [Pra65]: the encoding of an application relies on a parameterised version of the translation.
Note how we spot the situations which arose from encoded meta-variables, using the explicitly displayed arity to identify the arguments. Note that the case n < k never arises from the encoding of a PTSCα-term, but by only requiring n ≤ k (rather than n = k) we obtain a total (rather than partial) translation.
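The parameterised translation can be sketched as follows on an untyped fragment (our own illustration, with hypothetical constructor names): an application spine t u1 . . . un is flattened into a head applied to an explicit list of translated arguments.

```python
# Sketch (ours) of the Prawitz-style translation from natural-deduction
# application spines to sequent-calculus form: a lambda-term  x u1 ... un
# becomes the head variable x applied to the explicit argument list
# [B(u1), ..., B(un)].  Terms: ("var", x) | ("app", t, u) | ("lam", x, t).
def B(t):
    if t[0] == "var":
        return ("headvar", t[1], [])           # x []
    if t[0] == "lam":
        return ("lam", t[1], B(t[2]))
    if t[0] == "app":
        return Bl(t[1], [B(t[2])])             # parameterised version
    raise ValueError(t)

def Bl(t, l):
    """Translate t applied to the (already translated) argument list l."""
    if t[0] == "app":
        return Bl(t[1], [B(t[2])] + l)         # accumulate the spine
    if t[0] == "var":
        return ("headvar", t[1], l)            # x l
    return ("cut", B(t), l)                    # general cut  M l
```

For instance, the λ-term x y z translates to x applied to the two-element list [y [], z []], matching the head-plus-list shape of λ̄ described in Section 1.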
In order to prove confluence, we first need a few auxiliary results (Lemma 4). Proof: Each of the points of the lemma is obtained by straightforward inductions on t. Note that in order to prove point 4 we need rules A1 and A2. These were not needed (for simulation of β-reduction and for confluence) when only ground terms were concerned.
Theorem 5 (Simulation of PTS) The simulation statements are proved by induction on the derivation step, using Lemma 4, point 4 for the base case and Lemma 4, point 3.

Now we study the composition of the two encodings:
Lemma 6 Suppose M and l are x′-normal forms.
Proof: By simultaneous induction on l and M . Again, rules A1 and A2 (as well as Cα and Dβ) are needed for this lemma to capture the notion of normal form corresponding to the PTS-terms when meta-variables are present.
For Theorem 7, we can apply the induction hypothesis on N and, by Theorem 3, we have the result.
Proof: We use the technique of simulation, as for instance in [KL05]: consider two reduction sequences starting from a term of a PTSCα. They can be simulated through B by β-reductions, and since a PTS is confluent, we can close the diagram. The lower part of the diagram can then be simulated through A back into the PTSCα, which closes the diagram there as well, as shown in Fig. 5 for Bx′. Notice that the proof of confluence has nothing to do with typing and does not rely on any result in section 3 (in fact, we use confluence in the proof of Subject Reduction in the Appendix).
Considering meta-variables in the style of CRS [Klo80] avoids the usual problem of non-confluence coming from the critical pair between B and C2, which generates the two terms ⟨N/x⟩⟨P/y⟩M and ⟨⟨N/x⟩P/y⟩⟨N/x⟩M . Indeed, with ERS-style meta-variables these two terms need not reduce to a common term, but with the CRS approach they now can (using the rules Cα and Dβ). Again, note how the critical pair between B1 and itself (or B) needs rule A1 in order to be closed, while it was only there for convenience when all terms were ground.

The typing system PTSC

• Environments are lists of pairs from X × T denoted (x : A).
• We define the domain of an environment and the application of a substitution to an environment in the obvious way.
• It is useful (see Section 6) to define Dom(Γ) as a list (rather than a set).
• We define an inclusion relation ⊑ between environments.

The inference rules in Fig. 6 inductively define the derivability of three kinds of statements: 1. context well-formedness, Γ wf; 2. typing of a term, Γ ⊢ M : A; 3. typing of a list, Γ; B ⊢ l : A, where B is the type in the stoup. We use the abbreviation ∆ ⊑ Γ wf for ∆ ⊑ Γ and Γ wf. We freely abuse the notation in the customary way, by not distinguishing between a statement and its derivability according to the rules of Fig. 6.
There are three conversion rules conv R , conv′ R , and conv L in order to deal with the two kinds of typing statements and, for one of them, to convert the type in the stoup. Since the substitution of a variable in an environment affects the rest of the environment (which could depend on the variable), the two rules for explicit substitutions (Cut 2 and Cut 4 ) must have a particular shape that manipulates the environment, if the PTSC is to satisfy basic required properties like those of a PTS. The lemmas of this section, through Corollary 10 (Properties of well-formed environments), are proved by induction on typing derivations. Using all of the results above, Subject Reduction can be proved (see the Appendix).
Theorem 13 (Subject Reduction in a PTSC)

Type preservation

There is a logical correspondence between a PTSC given by the sets S, A and R and the PTS given by the same sets.
We prove this by showing that (when restricted to ground terms) the encodings preserve typing. 1. If Γ ⊢PTS t : u and Γ ⊑ ∆ wf then ∆ ⊢PTS t : u (where the relation ⊑ is defined similarly to that of PTSC, but with β-equivalence).

We now extend the encodings to environments. Note that the simulations in section 2 imply that the encodings preserve conversion. Preservation of typing is then proved by induction on the typing derivations: Theorem 16 (Preservation of typing 1)

Equivalence of Strong Normalisation
Theorem 18 A PTSC given by the sets S, A, and R is strongly normalising if and only if the PTS given by the same sets is.

Proof: Assume that the PTSC is strongly normalising, and let us consider a well-typed term t of the corresponding PTS, i.e. Γ ⊢PTS t : T for some Γ, T . By Theorem 16, A(t) is typable in the PTSC, and hence strongly normalising. Now by Theorem 5, any reduction sequence starting from t maps to a reduction sequence of at least the same length starting from A(t), but those are finite. Now assume that the PTS is strongly normalising and that Γ ⊢ M : A in the corresponding PTSC. By subject reduction, any N such that M −→* N satisfies Γ ⊢ N : A, and any sub-term P (resp. sub-list l) of any such N is also typable. By Theorem 17, for any such P (resp. l), B(P ) (resp. B y (l)) is typable in the PTS, so it is strongly normalising by assumption.
We now refine the first-order encoding of any such P and l (as defined in section 1), emulating the technique of Bloo and Geuvers [BG99].
Accordingly, we refine the first-order signature from section 1 by labelling the symbols cut t (_, _) and sub t (_, _) with all strongly normalising terms t of a PTS, thus generating an infinite signature. The precedence relation is refined accordingly, but we also set sub t (_, _) ≺ cut t′ (_, _) whenever t′ −→+β t. The precedence is still well-founded, so the induced lpo is also still well-founded (definitions and results can be found in [KL80]). The refinement of the encoding is given in Fig 8. An induction on terms shows that reductions decrease the lpo.

Proof-search in a PTSC

Proof-search considers as inputs an environment Γ and a type A, and the output, if successful, will be a term M such that Γ ⊢ M : A, moreover one in normal form. When we search for a list, as in Γ; B ⊢ l : A, the type B in the stoup is also an input. Henceforth, A will be called simply a goal.
The inference rules now need to be syntax-directed, that is, determined by the shape of the goal (or of the type in the stoup), and the proof-search system (PS, for short) is then obtained by optimising appeals to the conversion rules, yielding the presentation given in Fig. 9. The incorporation of the conversion rules into the other rules is similar to that of the constructive engine in natural deduction [Hue89,vBJMP94]; however, the latter algorithm was designed for type synthesis, for which the inputs and outputs are not the same as in proof-search, as mentioned in the introduction. Note one small difference with [LDM06]: we do not, in rule ΠR, require that A be a normal form. As in [LDM06], soundness and completeness hold, but because of this difference, we get quasi-normal forms rather than normal forms. Definition 3 A term (or a list) is a quasi-normal form if all its redexes are within type annotations of λ-abstractions, e.g. A in λx A .M .
Notice that, as we are searching for (quasi-)normal forms, there are no cut-rules in PS. However, in PTSC even terms in normal form may need instances of the cut-rule in their typing derivation. This is because, in contrast to logics where well-formedness of formulae is pre-supposed (such as first-order logic, where cut is admissible), PTSC checks well-formedness of types. For instance, in rule ΠL of PTSC a type which is not normalised (⟨M/x⟩B) occurs in the stoup of the third premiss, so cuts might be needed to type it inside the derivation.
We conjecture that if we modify rule ΠL by requiring in the stoup of its third premiss a normal form to which ⟨M/x⟩B reduces, then any typable normal form can be typed with a cut-free derivation. However, this would make rule ΠL more complicated and, more importantly, we do not need such a conjecture to hold in order to perform proof-search. In contrast, system PS avoids this problem by obviating such type-checking constraints altogether, because types are the input of proof-search, and should therefore be checked before starting the search. This is the spirit of the type-checking proviso in the following soundness theorem.
PS is sound and complete in the following sense. Note that neither part of the theorem relies on the unsolved problem of expansion postponement [vBJMP94,Pol98]. Indeed, as indicated above, PS does not check types. When recovering a full derivation tree from a PS one by the soundness theorem, expansions and cuts might be introduced at any point, arising from the derivation of the type-checking proviso.
Basic proof-search can be done in PS simply by
• reducing the goal, or the type in the stoup;
• depending on its shape, trying to apply one of the inference rules bottom-up; and
• recursively calling the process on the new goals (called sub-goals) corresponding to each premiss.
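On the purely implicational propositional fragment, this loop specialises to a short depth-bounded search (our own illustration, not the system PS itself): ΠR becomes right-introduction, Select x picks a hypothesis, ΠL decomposes its type along a spine, and axiom closes the spine with the empty list.

```python
# Depth-bounded root-first search in the implicational fragment, mirroring
# the PS rules: goal an arrow  => right-introduction; otherwise pick a
# hypothesis (Select_x) and decompose its type left-to-right (Pi-L) until
# it matches the goal (axiom).  Types: atoms are strings, arrows are
# ("->", A, B).  This is a minimal sketch, with hypothetical encodings.
def search(gamma, goal, depth):
    if depth == 0:
        return None
    if isinstance(goal, tuple):                      # goal = A -> B : PiR
        x = f"x{len(gamma)}"
        body = search(gamma + [(x, goal[1])], goal[2], depth)
        return ("lam", x, body) if body else None
    for x, b in reversed(gamma):                     # Select_x (may backtrack)
        spine = spine_search(gamma, b, goal, depth)
        if spine is not None:
            return ("appvar", x, spine)
    return None

def spine_search(gamma, b, goal, depth):
    if b == goal:
        return []                                    # axiom: the empty list
    if isinstance(b, tuple):                         # b = A -> B : PiL
        arg = search(gamma, b[1], depth - 1)         # first premiss
        if arg is not None:
            rest = spine_search(gamma, b[2], goal, depth)
            if rest is not None:
                return [arg] + rest
    return None
```

For instance, the goal a→(a→b)→b yields λx0.λx1. x1 (x0·[]), while Peirce's law ((a→b)→a)→a, which is not intuitionistically provable, fails at this depth bound. Note how the eager recursive call on the first premiss of ΠL is exactly the sequentialisation criticised below.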
However, some degree of non-determinism is expected in proof search. Such non-determinism is already present in natural deduction, but the sequent calculus version conveniently identifies exactly where it occurs. There are three potential sources of such non-determinism:
• The choice of a variable x for applying rule Select x , knowing only Γ and B (this corresponds in natural deduction to the choice of the head-variable of the proof-term). Not every variable of the environment will work, since the type in the stoup will eventually have to be unified with the goal, so we still need backtracking.
• When the goal reduces to a Π-type, there is an overlap between rules ΠR and Select x ; similarly, when the type in the stoup reduces to a Π-type, there is an overlap between rules ΠL and axiom. Both overlaps disappear when Select x is restricted to the case when the goal does not reduce to a Π-type (and sequents with stoups never have a goal reducing to a Π-type). This corresponds to looking only for η-long normal forms in natural deduction.
This restriction also brings the derivations in LJT (and in our PTSC) closer to the notion of uniform proofs. Further work includes the addition of η to the notion of conversion in PTSC.
• When the goal reduces to a sort s, three rules can be applied (in contrast to the first two points, this source of non-determinism does not already appear in the propositional case).
This classification is often described as don't care non-determinism in the case of the choice to apply an invertible rule, and don't know non-determinism when the choice identifies a potential backtracking point.
Don't know non-determinism can in fact be quite constrained by the need to eventually unify the stoup with the goal, as an example in Section 7 below illustrates.
Indeed, the dependency created by a Π-type forces the searches for proofs of the two premisses of rule ΠL to be sequentialised in a way that might prove inefficient: the proof-term produced for the first premiss, selected among others at random, might well lead to the failure to solve the second premiss, leading to endless backtracking.
Hence, there is much to be gained by postponing the search for a proof of the first premiss and trying to solve the second with incomplete inputs. This might not terminate with success or failure, but will send back constraints that may be useful in helping to solve the first premiss with the correct proof-term. Helping could just mean giving some information to orient and speed up the search for the right proof-term, but it could well define it completely (saving numerous attempts with proof-terms that would lead to failure). Unsurprisingly, these constraints are produced by the axiom rule as unification constraints.
In Coq [Coq], the proof-search tactic apply x can be decomposed into the bottom-up application of Select x followed by a series of bottom-up applications of ΠL and finally axiom, but it either postpones the solution of sub-goals or automatically solves them from the unification attempt, often avoiding obvious backtracking.
In the next section we use the framework with meta-variables we have introduced to capture this behaviour in an extended sequent calculus.

Using meta-variables for proof-search
We now use the meta-variables in PTSCα to delay the solution of sub-goals created by the application of rules such as ΠL. In this way, the extension from PTSC to PTSCα supports not only an account of tactics such as apply x of Coq, but also of type inhabitant enumeration. The first main novelty is that the search-tree is made of the inference rules of sequent calculus, and its exploration is merely the root-first construction of a derivation tree; this greatly simplifies the understanding and the description of what such algorithms do.
The second main novelty is the avoidance of the complex phenomenon known as r-splitting that features in traditional inhabitation and unification algorithms (e.g. [Dow93]). In natural deduction, lists of arguments are not first-class objects; hence, when choosing a head variable in the construction of a λ-term, one also has to anticipate how many arguments it will be applied to (with polymorphism, there could be infinitely many choices). This anticipation can require a complex analysis of the sorting relations during a single search step and result in an infinitely branching search-tree whose exploration requires interleaving techniques. This is avoided by the use of meta-variables for lists of unknown length, which allow the choice of a head variable without commitment to the number of its arguments.
Goals of a goal environment are required to declare distinct meta-variables.
• A constraint is solved if it is of the form A =Γ B where A and B are ground and A ←→* B.
• A goal environment is solved if it contains no term or list goals and consists only of solved constraints.
• A substitution is a finite function that maps a meta-variable for terms (resp. lists), of arity n, to a higher-order term (resp. list) of arity n, that is to say, a term (resp. list) under a series of n bindings that capture (at least) its free variables (e.g. x.y.M with FV(M ) ⊆ {x, y}).
Such a series of bindings can be provided by a typing environment Γ.
• The application of a substitution to terms and lists is defined by induction on these. Only the base cases are interesting: if σ(α) = x 1 . . . x n .M , then σ(α(N 1 , . . . , N n )) is the x′-normal form of ⟨σ(N 1 )/x 1 ⟩ . . . ⟨σ(N n )/x n ⟩M (with the usual capture-avoiding conditions); recall that x′ is convergent even on untyped terms (see Theorem 1 and Corollary 8). Similarly, if σ(β) = x 1 . . . x n .l, then σ(β(N 1 , . . . , N n )) is the x′-normal form of ⟨σ(N 1 )/x 1 ⟩ . . . ⟨σ(N n )/x n ⟩l. The application of a substitution to an environment is the straightforward extension of the above. The reason why we x′-normalise the instantiation of meta-variables is that if M is already x′-normal, then (α → x 1 . . . x n .M )(α(y 1 [], . . . , y n [])) really is a renaming of M (and also an x′-normal form). This ensures that only normal forms are output by our system for proof-search, which we can more easily relate to PS.
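Instantiation of a meta-variable occurrence can be sketched as follows (our own illustration on a toy first-order fragment, where naive simultaneous substitution suffices and the normalisation step described above is not needed):

```python
# Sketch (ours) of instantiating a meta-variable occurrence alpha(N1..Nn)
# under sigma(alpha) = x1...xn.M: substitute the arguments for the bound
# parameters in M.  Toy term language: ("var", x) | ("app", t, u); we
# assume the free variables of M are among the xi, so the naive
# simultaneous substitution below is capture-free on this fragment.
def simsubst(m, env):
    if m[0] == "var":
        return env.get(m[1], m)
    return ("app", simsubst(m[1], env), simsubst(m[2], env))

def instantiate(sigma, meta, args):
    params, body = sigma[meta]          # sigma(alpha) = x1...xn . body
    assert len(params) == len(args), "arity must match"
    return simsubst(body, dict(zip(params, args)))
```

With σ(α) = x.y.(x y), the occurrence α(y, x) instantiates to y x: the arguments really do act as the renaming discussed above.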
We now introduce this system, called PE, for Proof Enumeration; it can be seen as an extension of PS to open terms.
Definition 5 (An inference system for proof enumeration) The inference rules for proof enumeration, presented in Fig. 10, manipulate three kinds of statement:
• The first two kinds are of the form Γ ⊢ M : A ||| Σ and Γ; B ⊢ l : A ||| Σ, where Σ is a goal environment.
• The third kind of statement is of the form Σ =⇒ σ, where Σ is a goal environment and σ is a substitution as defined above.
In the bottom part of the figure we use the notational convention that a substitution denoted σ Σ has the meta-variables of the goal environment Σ as its domain.

Derivability in PE of the three kinds of statement is denoted accordingly.
The sequents Γ ⊢ M : A ||| Σ and Γ; B ⊢ l : A ||| Σ have the same intuitive meaning as the corresponding statements in system PS, but note the extra goal environment Σ, which represents the list of sub-goals and constraints that have been produced by proof-search and remain to be solved. Thus, the inputs of proof synthesis are Γ and A (and B for the second kind of statement) and the outputs are M (or l) and Σ. Statements of PS are in fact particular cases of these statements with Σ always solved.
In contrast, in a statement of the form Σ =⇒ σ, Σ is the list of goals to solve, together with the constraints that the solutions must satisfy; it is the input of proof synthesis, and σ is meant to be its solution, i.e. the output. We now prove that PE is sound. For that we need the following notion:

Definition 6 (Solution) We define the property "σ is a solution of a goal environment Σ" by induction on the length of Σ.
• σ is a solution of [].
• If σ is a solution of Σ and . . .

For soundness we also need the following lemma:

Lemma 20 Suppose that σ(M) and σ(l) are ground.
Proof: By simultaneous induction on the derivation of the reduction step, checking all rules for the base case of root reduction.
Proof: By induction on derivations.
Proof: By induction on the derivation, using Theorem 21.
System PE is complete in the following sense: Proof: By induction on derivations; the rules of PE generalise those of PS. In fact, the completeness of the full system PE is not surprising, since it is quite general: in particular, nothing is said about when the process should decide to abandon the current goal and start working on another one. Hence we should be interested in the completeness of particular strategies dealing with that question. For instance:
• We can view the system PS as supporting the strategy of eagerly solving sub-goals as soon as they are created, never delaying them in the sub-goal environment.
• The algorithm for proof enumeration in [Dow93] would correspond here to the lazy strategy that always abandons the sub-goal generated by rule ΠL; but this in fact enables unification constraints to guide the solution of this sub-goal later, so in that case laziness is probably more efficient than eagerness.
This is probably what should be chosen for automated theorem proving.
• Mixtures of the two strategies can also be considered, and could be the basis of interactive theorem proving. Indeed, in some cases the user's input might be more efficient than the automated algorithm, and rule ΠL would be a good place to ask whether the user has any clue for solving the sub-goal (since it could help solve the rest of the unification). If he or she has none, then by default the algorithm might abandon the sub-goal and leave it for later.
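The difference between the eager and lazy strategies can be sketched as a toy scheduling model (all names below are ours, not the paper's). A goal is a pair of a name and the sub-goals its rule creates; the strategy decides where newly created sub-goals go in the list of pending goals, which plays the role of the goal environment Σ.

```python
def eager(goals):
    """Solve sub-goals as soon as they are created (depth-first),
    as system PS does."""
    order, pending = [], list(goals)
    while pending:
        name, subs = pending.pop(0)
        order.append(name)
        pending = list(subs) + pending   # new sub-goals come first
    return order

def lazy(goals):
    """Abandon each sub-goal, recording it at the end of the pending
    list to return to it later (the delaying strategy)."""
    order, pending = [], list(goals)
    while pending:
        name, subs = pending.pop(0)
        order.append(name)
        pending = pending + list(subs)   # new sub-goals come last
    return order

# one root goal creating two sub-goals, the first of which creates another
tree = [("g", [("g1", [("g11", [])]), ("g2", [])])]
```

On this tree, `eager` visits g, g1, g11, g2 whereas `lazy` visits g, g1, g2, g11; mixed strategies correspond to other insertion points in the pending list.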
In Coq, the tactic apply x does something similar: it tries to automatically solve the sub-goals that interfere with the unification constraint (leaving the other ones for later, visible to the user); but, if unification fails, it is always possible for the user to use the tactic and explicitly give the proof-term that makes it work. However, such an input is not available in proof synthesis mode, where the user really has to give the term in full, since the tactic will fail if unification fails.
In PE, the unification constraint can remain partially solved. All these behaviours can be simulated in PE, which is therefore a useful framework for the study of proof synthesis strategies in type theory and for comparison with the work of Jojgov [GJ02], McBride [McB00] and Delahaye [Del01].

Example: commutativity of conjunction

We now give an example of proof-search (first introduced in [LDM06] without the use of meta-variables).
We consider the PTSC equivalent to System F, i.e. the one given by the sets S = {⋆, □}, A = {(⋆, □)} and R = {(⋆, ⋆), (□, ⋆)}. For brevity we omit the types on λ-abstractions, we abbreviate x [] as x for any variable x, and we simplify ⟨N/x⟩P to P when x ∉ FV(P). We also write A ∧ B for ΠQ:⋆. (A→(B→Q))→Q.
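As a reminder, this is the standard second-order encoding of conjunction, which comes with a pairing construct (the notation ⟨a, b⟩ below is ours, not from the original):

```latex
\begin{aligned}
A \wedge B &\;:=\; \Pi Q{:}{\star}.\ (A \to (B \to Q)) \to Q\\
\langle a, b\rangle &\;:=\; \lambda Q{:}{\star}.\ \lambda f{:}A \to (B \to Q).\ f\ a\ b
\end{aligned}
```

so that ⟨a, b⟩ : A ∧ B whenever a : A and b : B, and the two components are recovered by applying a pair to suitable continuations.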
Proof-search in system PS would result in the derivation below. We now reconsider the above example in the light of system PE; it illustrates the need for delaying the search for a proof of the first premiss of rule ΠL. We get the PE-derivation below, in which the substitution σ_Σ is the solution to be obtained from the right premiss.
In the above derivation, we have systematically abandoned the sub-goals and recorded them for later. The only choice we made was that of the head-variable y, because it led to the production of a (solved) unification constraint. We now continue the proof-search with the right premiss, solving the two sub-goals (Γ ⊢ α_B : B) and (Γ ⊢ α_A : A) that have been delayed. For instance, we can now decide to solve (Γ ⊢ α_A : A), which will eventually produce α_A → Dom(Γ).N_A. In the above derivation, we have also abandoned the generated sub-goals. Again we made one committing choice: that of the head-variable x, which led to the unification constraint α_1(Γ) =_Γ A. Any other choice of head-variable would have led to a unification constraint with no solution. Here, this fact (and the consequent choice of x) can be mechanically noticed by a simple syntactic check.
We now continue the proof-search with the right premiss. We can decide to solve (Γ ⊢ α_B : B), (Γ ⊢ α_1 : ⋆), or (Γ′ ⊢ α′_1 : α_1(Γ)). The point at which we solve (Γ ⊢ α_B : B) has little importance (the structure is similar to that of the derivation above), but clearly we cannot solve (Γ′ ⊢ α′_1 : α_1(Γ)) before we know α_1(Γ). Hence, we need to solve (Γ ⊢ α_1 : ⋆) first, which will produce α_1 → Dom(Γ).A. In this derivation we had to inhabit ⋆. This is a fundamental step of the proof, even when expressed with ground terms (in system PS) as above. Here, having delayed the solution of sub-goals, we are now able to infer the correct inhabitant directly from the unification constraint α_1(Γ) =_Γ A generated previously. Our delaying mechanism thus avoids many situations in which the correct choice for inhabiting a type has to be guessed in advance, anticipating the implicit constraints that such a choice will have to satisfy at some point; such guessing is hardly mechanisable and thus leads to numerous backtrackings.
Finally we proceed to the right premiss by solving (Γ′ ⊢ α′_1 : A). In this derivation we had to inhabit A. Again we made one committing choice: that of the head-variable x′, which led to a solvable unification constraint; any other choice of head-variable would have led to obvious failure, a fact which can be mechanically noticed by a simple syntactic check.
We can then proceed with (Γ ⊢ α_B : B), in a way very similar to that of (Γ ⊢ α_A : A). Putting everything together, system PE has eventually produced a proof of the commutativity of conjunction. The system has mechanically inferred the relevant choices of head-variables structuring the proof-term, by finite checks, using the unification constraints generated by delaying the solution of sub-goals.
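For reference, in ordinary natural-deduction (λ-calculus) notation, a proof-term of the type ΠA:⋆.ΠB:⋆.(A∧B)→(B∧A) proved here (not necessarily syntactically identical to the term produced above) is:

```latex
\lambda A{:}{\star}.\ \lambda B{:}{\star}.\ \lambda p{:}A \wedge B.\
\lambda Q{:}{\star}.\ \lambda g{:}B \to (A \to Q).\
p\ Q\ (\lambda a{:}A.\ \lambda b{:}B.\ g\ b\ a)
```

Indeed p Q has type (A→(B→Q))→Q, and its argument λa:A. λb:B. g b a swaps the components before handing them to the continuation g.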

Conclusion and Further Work
In this paper we have developed a framework that serves as a good theoretical basis for proof-search in type theory.
Proof-search tactics in natural deduction depart from the simple bottom-up application of the typing rules, so that their readability and usage become more complex, as illustrated by proof assistants such as Coq. Just as in propositional logic [DP99a], permutation-free sequent calculi can be a useful theoretical approach for studying and designing those tactics, in the hope of improving semi-automated reasoning.
Following these ideas, we have defined a parameterised formalism that gives a sequent calculus for each PTS. It comprises a syntax, a rewrite system and typing rules. In contrast to previous work, the syntax of both types and proof-terms of a PTSC is in sequent-calculus style, thus avoiding the use of implicit or explicit conversions to natural deduction [GR03, PD98].
A strong correspondence with natural deduction has been established (regarding both logic and strong normalisation), and we have derived from it the confluence of each PTSC. These results and their proofs were formalised in Coq [Sil09]. As examples we can give the corners of Barendregt's Cube, for which we now have an elegant theoretical framework for proof-search. We have shown how to deal with conversion rules so that basic proof-search tactics are simply the root-first application of the typing rules.
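For completeness (this display is standard material, not reconstructed from the original), all corners of the Cube share S = {⋆, □} and A = {(⋆, □)}, and differ only in the set R of rules; the four generating corners and the full calculus are:

```latex
\begin{array}{ll}
\lambda{\to} & R = \{(\star,\star)\}\\
\lambda 2 & R = \{(\star,\star),\ (\Box,\star)\}\\
\lambda P & R = \{(\star,\star),\ (\star,\Box)\}\\
\lambda \underline{\omega} & R = \{(\star,\star),\ (\Box,\Box)\}\\
\lambda C & R = \{(\star,\star),\ (\Box,\star),\ (\star,\Box),\ (\Box,\Box)\}
\end{array}
```

The remaining corners are obtained by combining these rule sets.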
These ideas have then been extended, in the calculi PTSCα, by the use of meta-variables to formalise the notion of incomplete proofs, and their theory has been studied. The approach differs from [Muñ01] both in that we use sequent-calculus rules, which match proof-search tactics, and in that our system can simulate β-reduction.
We have shown that, in particular, the explicit use of meta-variables avoids the phenomenon of r-splitting and allows more flexibility in proof-search, where sub-goals can be tackled in the order that is most suitable for each situation. Such flexibility avoids some of the need for guess-work in proof-search, and formalises some mechanisms of the proof-search tactics in proof assistants. This approach has been illustrated by the example of the commutativity of conjunction.
Our system does not commit to specific proof-search strategies a priori, so it can be used as a general framework in which to investigate such strategies, as discussed at the end of Section 6. This could reflect various degrees of user interaction in proof-search.
Ongoing work includes the incorporation of some of these ideas into the redesign of the Coq proof engine [Coq]. It also includes the treatment of η-conversion, a feature currently lacking in the PTS-based system Coq. We expect that, by adding η-expansion to our system, our approach to proof-search can be related to that of uniform proofs in logic programming. Further work includes studying direct proofs of strong normalisation (such as Kikuchi's for propositional logic [Kik04]), and dealing with inductive types such as those used in Coq; their specific proof-search tactics should also appear clearly in sequent calculus. Finally, given the importance of sequent calculi for classical logic, it would be interesting to build classical Pure Type Sequent Calculi.

Proof: Straightforward induction on the typing tree.
Remark 25 The following rule is derivable, using a conversion rule:

Proving subject reduction relies on the following properties of −→*_N:

Lemma 26
• Two distinct sorts are not convertible.
• A Π-construct is not convertible to a sort.
• ⟨M/y⟩⟨N/x⟩P ←→* ⟨⟨M/y⟩N/x⟩⟨M/y⟩P (provided x ∉ FV(M)).

Proof: The first three properties are a consequence of the confluence of the rewrite system (Corollary 8). The last two rely on the fact that the subsystem of substitution-propagation rules is terminating, so that only the case where P is a normal form for that subsystem remains to be checked, which is done by structural induction.

Using all of the results above, subject reduction can be proved, by simultaneous induction on the typing tree: for every rule, if the reduction takes place within a sub-term that is typed by one of the premisses of the rule (e.g. the conversion rules), then we can apply the induction hypothesis to that premiss. In particular, this takes care of the cases where the last typing rule is a conversion rule.