Hilbert's Tenth Problem in Coq (Extended Version)

We formalise the undecidability of solvability of Diophantine equations, i.e. polynomial equations over natural numbers, in Coq's constructive type theory. To do so, we give the first full mechanisation of the Davis-Putnam-Robinson-Matiyasevich theorem, stating that every recursively enumerable problem -- in our case by a Minsky machine -- is Diophantine. We obtain an elegant and comprehensible proof by using a synthetic approach to computability and by introducing Conway's FRACTRAN language as intermediate layer. Additionally, we prove the reverse direction and show that every Diophantine relation is recognisable by $\mu$-recursive functions and give a certified compiler from $\mu$-recursive functions to Minsky machines.


Introduction
Hilbert's tenth problem (H10) was posed by David Hilbert in 1900 as part of his famous 23 problems [Hil02] and asked for the "determination of the solvability of a Diophantine equation. " A Diophantine equation 1 is a polynomial equation over natural numbers (or, equivalently, integers) with constant exponents, e.g. x 2 + 3z = yz + 2. When Hilbert asked for "determination, " he meant, in modern terms, a decision procedure, but computability theory was yet several decades short of being developed.
The first undecidable problems found by Church, Post and Turing were either native to mathematical logic or dependent on a fixed model of computation. H10, to the contrary, can be stated to every mathematician and its formulation is independent from a model of computation. Emil Post stated in 1944 that H10 "begs for an unsolvability proof" [Pos44]. From a computational perspective, it is clear that H10 is recursively enumerable (or recognisable), meaning there is an algorithm that halts on a Diophantine equation iff it is solvable.
Post's student Martin Davis conjectured that even the converse is true, i.e. that every recognisable set is also Diophantine. More precisely, he conjectured that if A ⊆ N k is PCP: Post correspondence problem, see e.g. [FL19]. (matching) MM: Given n : N, a Minsky machine P : L I n with n registers, and v : N n , does (1, P ) terminate from input state ( where Fig. 1 lists high-level descriptions of these problems. Furthermore, we prove that H10 H10 Z via Lagrange's theorem. In the present paper, we focus on explaining this factorisation of the proof and give some details for the different stages. While we contribute Coq mechanisations of Matiyasevich's theorem and the elimination of bounded universal quantification, we treat them mainly as black-boxes and only elaborate on their challenging formalisation rather than the proofs themselves (see Section 2.3).
To the best of our knowledge, we are the first to give a full verification of the DPRM theorem and the undecidability of Hilbert's tenth problem in a proof assistant. We base the notion of recognisability in the DPRM theorem on Minsky machines.
When giving undecidability proofs via many-one reductions, it is critical to show that all reduction functions are actually computable. We could in theory verify the computability of all functions involved using an explicit model of computation. In pen-and-paper proofs, this approach is however almost never used, because implementing high-level mathematical transformations as provably correct low-level programs is a daunting task. Instead, we rely on a synthetic approach [FHS18,FKS19,FL19] based on the computability of all functions definable in Coq's constructive type theory, which is closer to the practice of pen-and-paper proofs. In this approach, a problem P is considered undecidable if there is a reduction from an obviously undecidable problem, e.g. Halt P .
The axiom-free Coq formalisation of all the results in this paper is available online [FLWD + 21] and the main lemmas and theorems in the pdf version of the paper are hyper-linked with the html version of the source code at Starting from our already existing library which included most of the Minsky machine code [FL19], the additional code for proving the undecidability of H10 and the DPRM theorem consists of about 8k loc including 3k loc for Matiyasevich's results alone, together with a 4k loc addition to our shared libraries; see Appendix A for more details. The paper itself can be read without in-depth knowledge of Coq or type theory.
1.1. Contribution. This paper is an extended journal version of a conference paper [LWF19] which, besides a full mechanisation of the DPRM theorem, contributed a novel refactoring of the proof via FRACTRAN improving the explainability of the DPRM theorem. Compared to the conference version, we contribute mechanised proofs showing that • H10 reduces to solvability of Diophantine equations over integers, reduction obtained via a low-level implementation of Lagrange's theorem (Section 9); • Diophantine relations are recognisable by µ-recursive algorithms (Section 10); • µ-recursively recognisable relations are MM-recognisable (Section 10), thereby proving that all considered problems are in the same many-one reduction class; • µ-recursive algorithms can be simulated in the weak call-by-value λ-calculus (Section 11), thereby proving that all considered problems are in the same many-one reduction class as most problems in the Coq library of undecidable problems [FLWD + 20].
Apart from the new results, we have simplified the account of Diophantine logic considerably and expanded various explanations of proofs.

Preliminaries.
For the text, while we cannot completely avoid it, we will try to minimize reliance on type theoretic language and notations. We write P for the (impredicative) type of propositions and Type for the (predicative hierachy of) types of Coq. When X and Y are types, we write X → Y for functions from X to Y . 3 We write x × y or x · y for multiplication of natural numbers x, y : N and we will leave out the symbol where convenient. We write L X for the type of lists over X and l + + l for the concatenation of two lists. We write X n for vectors v over type X with length n, and F n for the finite type with exactly n elements. For p : F n , we write v p for the p-th component of v : X n . Notations for lists are overloaded for vectors.
We write O X for the type of options over X with elements x where x : X and ∅. We write X + Y for the type-theoretic sum of types X and Y , consisting of inl x for x : X and inr y for y : Y . For a list l : L X, l n : O X denotes the n-th value in l if it exists.
If P : X → P is a predicate (on X) and Q : Y → P is a predicate, we write P Q if there is a function f : X → Y s.t. ∀x : X, P x ↔ Q(f x), i.e. a many-one reduction from P to Q. In the synthetic approach [FHS18,FKS19,FL19], the computability of the reduction f is automatically ensured because f is typeable in Coq without relying on any axiom.

Diophantine Relations
Diophantine relations are composed of polynomials over natural numbers. There are several equivalent approaches to characterise these relations and oftentimes, the precise definition is omitted from papers. Basically, one can form equations between polynomial expressions and then combine these with conjunctions, disjunctions, and existential quantification. 4 For instance, these operations are assumed as Diophantine producing operators in e.g. [JM84,Mat70,Mat97,Mat00]. Sometimes Diophantine relations are restricted to a single polynomial equation. Sometimes the exponentiation function x, y → x y is assumed as Diophantine [JM84]. To complicate the picture, Diophantine relations might equivalently range over Z (instead of N) but expressions like x y implicitly assume that y never gets a negative value.
Although seemingly diverging, these approaches are not contradictory because in the end, they characterise the same class of relations on natural numbers. However, mechanisation does not allow for such implicit assumptions. To give some mechanisable structure to some of these approaches, we propose three increasingly restricted characterisations of Diophantine relations: Diophantine logic, elementary Diophantine constraints and single Diophantine equations, between which we provide computable transformations in Sections 3 and 4. In Section 9, we also elaborate on the case of polynomials over Z, i.e. we give an undecidability proof for Hilbert tenth problem over integers. But before turning to formal definitions, we motivate our approach for the automated analysis and recognition of Diophantine shapes.
2.1. Diophantine Shapes. We introduce the meta-level notion of Diophantine shape. On purpose, this notion does not have a precise formal definition because it is a dynamically evolving property of meta-level expressions that upgrades itself as more and more closure results are proved about those shapes.
Of course, we cannot rely on some blurry notion to formally prove theorems about Diophantine relations. So at some point, we have to choose one (or several) formal representation(s) of Diophantine relations. Irrelevant to the actual syntax we finally pick up for the formal description of Diophantine relations, we call them object-level representations.
The problem we face is the following: how can we minimize the work we have to do to actually build an object-level witness corresponding to a given meta-level expression representing a Diophantine relation. Directly manipulating object-level syntax is far from the ideal way to proceed for a lazy Coq programmer, 5 and indeed, this empirical lesson can be learned the painful way.
Let us illustrate this on the following complex example of meta-level expression . After a quick analysis of its structure, it appears that before being able to actually establish that this is a Diophantine relation, we would probably have to show that polynomials, identities, arithmetic congruences, the exponential function, binomial coefficients, conjunction, existential quantification and bounded universal quantification are all Diophantine admissible, hence to give procedures to derive object-level representations for all these meta-level constructions. This already amounts to significant work. But once this is done, we want to avoid both the hand-building of the object-level witness for the above expression, and the 35:6

HILBERT'S TENTH PROBLEM IN COQ (EXTENDED VERSION)
Vol. 18:1 proofs that it correctly reflects its semantics. We essentially require our framework to be able to automatically combine those procedures and build a provably correct witness for us. To summarise, we aspire at the formal definition of an object-level representation and at the same time, at avoiding its direct manipulation. This is where the dynamic notion of Diophantine shape plays a central role. At first, there are very few basic Diophantine shapes, typically constants, variables, addition, multiplication, equality. But at some point, we would e.g. have a result stating that if the expressions f and g have a Diophantine shape, then so does the expression f g , that is the Diophantine admissibility of the exponential function, nowadays called Matiyasevich's theorem. Critically, shapes can be added dynamically as they are proved admissible as opposed to be carved in the stone of a given object-level syntax. We now describe how to do this in a successful way using some of the automation provided by Coq.
2.2. Diophantine Logic. We define the type D form of Diophantine formulae for the abstract syntax of Diophantine logic. An atomic Diophantine logic formula is just expressing basic atomic identities between variables like x i= x j+ x k or x i= x j× x k and we combine those with binary disjunction, binary conjunction, and existential quantification.
The letters A, B range over formulae and n : N represents constant ranging over natural numbers. We use standard De Bruijn syntax with variables x 0 , x 1 , . . . of type V := N for better readability. If we have x i : V, we write x 1+i for the next variable in V. As an example, the meta-level formula ∃y, (y = 0 ∧ ∃z, y = z + k) would be represented as e.g. ∃ x 0= 0∧∃(x 1= x 0+ x 2 ) , i.e. the variable x i refers to the i-th binder in the context. Notice that there is no type or syntactic distinction between variables and parameters in Diophantine logic. However some variables are bound in their context and others are free.
We provide a semantics for Diophantine logic. Given a valuation for variables ν : V → N, we define the interpretation x i= . . . ν : P of atomic formulae by and A ν : P for a compound formula A : D form by the following recursive equations: where n·ν : V → N is the standard De Bruijn extension 6 of a valuation ν by n, defined by n·ν (x 0 ) := n and n·ν (x 1+i ) := ν x i . We give a first object-level representation of Diophantine relations as members of type (V → N) → P mapping valuations of variables to propositions. Moreover, they must be identical to λν. A ν for some Diophantine formula A, up to propositional extensionality. We give an informative content to this sub-type of (V → N) → P to be able to do some computations with the witness A : D form of Diophantineness, typically when moving to another formal representation like elementary Diophantine constraints in Section 3.
Definition 2.1. The class of Diophantine relations D rel : (V → N) → P → Type is the informative sub-type defined for R : (V → N) → P by D rel R := A : D form , ∀ν, A ν ↔ R ν . 6 The notation n·ν emphasizes that the value n is pushed ahead of the infinite sequence ν x0; ν x1; ν x2; . . . Note that denotes type-theoretic dependent pairs. Hence an inhabitant w of D rel R is a (dependent) pair (A, H A ) where A = π 1 (w) is a Diophantine formula and H A = π 2 (w) a proof that A (·) and R are extensionally equivalent. 7 The informal notion of Diophantine shape will correspond to the dynamically growing collection of established closure properties of the class D rel of Diophantine relations. Definition 2.1 of the sub-type D rel already entails that D rel is closed under conjunction, disjunction, existential quantification and renaming.
Proposition 2.2. Let R, S : (V → N) → P be relations, T : N → (V → N) → P be a relation with a singled out variable, and ρ : V → V be a renaming function. We have the maps: Understood as Diophantine shapes, maps number 1-3 recognise the logical connectives of conjunction, disjunction and existential quantification as newly allowed shapes. Map number 5 allows renaming (free) variables hence Diophantine shapes are closed under renaming. 8 Map number 4 provides a way to replace the goal D rel S with D rel R once a proof that they are logically equivalent is established. Hence, if S cannot be analysed because it does not currently have a Diophantine shape, it can still be replaced by an equivalent relation R, hopefully better behaved; see e.g. the proof of Proposition 2.4.
Working with Diophantine relations already gives a satisfying implementation of Diophantine shapes but it is sometimes more convenient to manipulate Diophantine functions instead of relations so we define the following specialization. We extend Diophantine shapes with polynomials expressions and equations between them. To illustrate the mechanics behind Diophantine shape recognition, for once we give a detailed account of the steps that are usually performed automatically in this framework.
Proposition 2.4. Let x i : V, n : N, ρ : V → V and f, g : (V → N) → N. We have the maps: Proof. Items 1, 2 and map 3 are for projections, constants and renaming functions respectively. The non-trivial cases are for +, × and =. We cover the cases of + and then = in details to illustrate how the representations of Diophantine relations/functions behave in proof scripts.
In particular, we prove the results reasoning backwards (as is usually done in Coq), applying established theorems to convert a given proof goal into (hopefully) simpler proof goals. For the goal D fun (λν.f ν + g ν), unfolding the assumptions D fun f and D fun g we have and we want to establish D fun (λν.f ν + g ν), i.e.
For the efficiency of computations, we usually hide the purely logical part HA into an opaque proof term. 8 ν • ρ : V → N denotes the composition λxi.ν xρ i of the valuation ν : V → N with the renaming ρ : V → V.
and we then apply map 3 of Proposition 2.2 twice to get the goal We now apply twice map 1 of Proposition 2.2 and we get the three following sub-goals: (1) For the first sub-goal, we use the formula x 2= x 1+ x 0 : D form as object-level witness; (2) for the second sub-goal, we consider the renaming function ρ 1 : V → V defined by ρ 1 (x 0 ) := x 1 and ρ 1 (x 1+i ) := x 3+i and derive D rel λν.ν x 1 = f (λx i .ν x 3+i ) by applying map 5 of Proposition 2.2 to the hypothesis D rel λν.ν x 0 = f (λx i .ν x 1+i ) in Eqs. (2.1); (3) the third and last sub-goal D rel λν.ν x 0 = g (λx i .ν x 3+i ) is solved similarly with the renaming function ρ 0 : V → V defined by ρ 0 (x 0 ) := x 0 and ρ 0 (x 1+i ) := x 3+i .
We now deal with map 6, hence with the goal D rel (λν.f ν = g ν) under the same previous assumptions D fun f and D fun g, i.e. Eqs. (2.1). We proceed in a somewhat less detailed explanation. We replace the goal by D rel (λν.∃a∃b, a = b ∧ a = f ν ∧ b = g ν) which is equivalent and then, after applying the maps of Proposition 2.2, we get three sub-goals D rel (λν.ν x 1 = ν x 0 ), D rel λν.ν x 1 = f (λx i .ν x 2+i ) and D rel λν.ν x 0 = g (λx i .ν x 2+i ) . In turn, the first sub-goal corresponds to the witness x 1= x 0 : D form , while the second and third sub-goals follow from Eqs. (2.1) respectively using straightforward renaming functions.
On paper these proofs look somehow complicated by the need to infer the renaming functions but from a mechanisation point of view, Coq's unification algorithm automatically solves such goals. Provided we populate the hint database with enough admissible shapes, we can automate the analysis of the meta-level syntax to establish Diophatineness and reflect a meta-level expression of Diophantine shape into the corresponding object-level witness of type D form together with the proof that it is an appropriate witness, hence packed into the types D rel R for relational expressions or D fun f for functional expressions.
With Propositions 2.2 and 2.4, we populate the hint database for relations with the shapes conjunction, disjunction, existential quantification, renaming and identity between two functional expressions, and for functions, we add the shapes of projections, constants, addition, multiplication and renaming. In our implementation, the analysis of Diophantine shapes is performed by the automatic dio auto tactic. With such an automated approach, the remaining (and sometimes difficult) work occurs when we apply map 4 of Proposition 2.2, that is, we have to find an equivalent expression of Diophantine shape, like in Eq. (2.3) and to prove it is indeed equivalent to Eq. (2.2), which, unlike that specific example, might be non-trivial; see e.g. the discussion in Section 5.
Vol Proof. For e.g. D rel (λν. f ν < g ν), we shift to the equivalent D rel (λν.∃a, 1 + a + f ν = g ν) using map 4 of Proposition 2.2 and finish the proof calling dio auto. 9 Again, we populate the hint database with the new shapes of Proposition 2.5. We follow up with the slightly more complex example of the "does not divide" relation defined by u v := ¬(∃k, v = k × u). At this point, this expression cannot be recognized as a Diophantine shape because it contains a negation.
Proposition 2.6. ∀f g : Proof. However, using Euclidean division, we (easily) prove the equivalence and this new expression can now be recognised as a Diophantine shape. Using this equivalence in combination with map 4 of Proposition 2.2, we replace the goal D rel (λν.f ν g ν) with and then let the magic of dio auto unfold.
Again, once established, we can add the map D fun f → D fun g → D rel (λν.f ν g ν) in the Diophantine hint database so that later encountered proof goals D rel (λν.f ν g ν) can be immediately solved by dio auto.
In this above described approach, the recovery of the object-level witness A of Definition 2.1 from meta-level syntax is automatic and hidden by the use of the dio auto tactic associated with the ever growing hint database. This allows us to proceed as in e.g. Matiyasevich papers where he usually transforms a relation into an equivalent Diophantine shape, accumulating more and more Diophantine shapes on the way. Instead of having to manipulate object-level witnesses by hand, obfuscating sometimes simple to understand proofs, we use Diophantine shapes as the cornerstone of the faithful implementation of existing pen and paper scripts.

Exponentiation and Bounded Universal Quantification.
For now, we introduce the elimination of the exponential relation and then of bounded universal quantification as black boxes expressed in the framework of Diophantine shapes, i.e. new closure properties of the classes D fun /D rel .
While we do contribute implementations for both of these hard results, on purpose, we choose to avoid the detailed presentation of these mechanised proofs for several reasons: • first of all, there are already fully detailed pen and paper accounts of these results and we implemented two of these somewhat faithfully; • then, in our modular approach, the proof of these admissibility results can be ignored without hindering the understanding of the overall structure of the main results, e.g. H10; • finally, already the above cited pen and paper proofs assume some not so standard results in arithmetic like e.g. Lucas's theorem, and we favoured giving accounts of those assumed theorems instead of simply reproducing the rest of the existing arguments. Hence, for the moment, we postpone remarks and discussions about the Diophantineness of the exponential function and the Diophantine admissibility of bounded universal quantification to Section 5. 9 Notice that the actual implemented proofs might differ slightly because we sometimes optimize the shape of expressions for smaller witnesses, especially for these basic shapes which pop up over and over again.

HILBERT'S TENTH PROBLEM IN COQ (EXTENDED VERSION)
Vol. 18:1 To prove it, one needs a meta-level Diophantine shape for the exponential relation, the proof of which is nothing short of extraordinary. This landmark result is due to Matiyasevich [Mat70], but we have implemented the shorter and more up-to-date proof of [Mat00].
This map can be compared with map 3 of Proposition 2.2 and allows to recognise bounded universal quantification as a legitimate Diophantine shape. We have implemented the direct proof of Matiyasevich [Mat97] which does not involve a detour through a model of computation. Notice that the bound f ν in ∀u, u < f ν → . . . is not assumed constant otherwise the elimination of the quantifier would proceed as a simple reduction to a finitary conjunction.
2.4. Reflexive-Transitive Closure is Diophantine. With these tools -elimination of the exponential relation and of bounded universal quantification -we can show that the reflexive and transitive closure of a Diophantine binary relation is itself Diophantine. We assume a binary relation R : N → N → P over natural numbers. The Diophantineness of R can be formalised by assuming that e.g. λν.
Lemma 2.9. For any binary relation R : Proof. Using Euclidean division, we define the is digit c q n d predicate stating that d is the n-th digit of the base q development of number c, as a Diophantine sentence: The Diophantineness of this follows from previous Diophantine shapes, including the exponential (Theorem 2.7). Then we define the is seq R c q i predicate stating that the first i + 1 digits of c in base q form an R-chain, again with a Diophantine shape, established using hypothesis D rel λν.R (ν x 1 ) (ν x 0 ) and the Diophantine admissibility of bounded universal quantification (Theorem 2.8): Then we encode R i u v by stating that there exists a (large enough) q and a number c such that the first i + 1 digits of c in base q form an R-chain starting at u and ending at v: and this expression is accepted as a Diophantine shape by dio auto. Then assuming Diophantineness of f , g and h, we easily derive that λν.R h ν (f ν) (g ν) is Diophantine.
We fill in Lemma 2.9 in the Diophantine hint database and we derive the Diophantineness of the reflexive-transitive closure as a direct consequence of the equivalence R * u v ↔ ∃i, R i u v.
Theorem 2.10 (RT-closure). For any binary relation R : N → N → P, we have the map

Elementary Diophantine Constraints
We now shift to another, seemingly less expressive, object-level representation of Diophantine relations. Elementary Diophantine constraints are very simple equations where only one instance of either+ or× is allowed. Schematically, starting from Diophantine logic, we remove disjunction and existential quantification and encode conjunctions into the structure of a list. We give a direct proof that any Diophantine logic formula is semantically equivalent to the simultaneous satisfiability of a list of elementary Diophantine constraints. Starting from two copies of N, one called U with u, v, w ranging over U for existentially quantified variables, and another one V = {x 0 , x 1 , . . .} for parameters, we define the type of elementary Diophantine constraints by: 10 where n : N Notice that these constraints do not have a "real" inductive structure, they are flat and of size (number of symbols) either 3 or 5. Given two interpretations, ϕ : U → N for variables and ν : V → N for parameters, it is trivial to define the semantics c ϕ ν : P of a single constraint c of type D cstr : Given a list l : L D cstr of constraints, we write l ϕ ν when all the constraints in l are simultaneously satisfied, i.e. l ϕ ν := ∀c, c ∈ l → c ϕ ν . We show the following result: Theorem 3.1. For any Diophantine formula A : D form one can compute a list of elementary Diophantine constraints l : L D cstr such that ∀ν : V → N, A ν ↔ ∃ϕ : U → N, l ϕ ν . Put in other terms, for any given interpretation ν of parameters, A ν holds if and only if the constraints in l are simultaneously satisfiable. Any Diophantine logic formula is equivalent to the satisfiability of the conjunction of finitely many elementary Diophantine constraints. The proof of Theorem 3.1 spans the rest of this section. We will strengthen the result a bit to be able to get an easy argument by induction on A.
Definition 3.2. Given a relation R : (V → N) → P and an interval [u a , u a+n [ ⊆ U, an elementary representation of R in [u a , u a+n [ is given by: (1) a list E : L D cstr of constraints and a reference variable r : U; (2) proofs that r and the (existentially quantified) variables of E belong to [u a , u a+n [; (3) a proof that the constraints in E are always (simultaneously) satisfiable, i.e. ∀ν∃ϕ E ϕ ν ; (4) a proof that the list (r= 0) :: E is equivalent to R, i.e. ∀ν, R ν ↔ ∃ϕ, ϕ r = 0 ∧ E ϕ ν . It is obvious that an elementary representation of λν. A ν in any interval [u a , u a+n [ is enough to prove Theorem 3.1 because of item 4 of Definition 3.2. But actually, computing such a representation is simpler than proving Theorem 3.1 directly. 11 Below, the size of a Diophantine formula A, denoted |A|, is defined as the number of nodes of its syntactic tree. The equation u= v is redundant because it could be replaced with z= 0∧ u= z+ v, for some fresh z.
However we keep u= v in the syntax because this simplifies arguments when parameters xi are mapped to existential variables v in the proof of Lemma 3.3, the type Dcstr being thus closed under this transformation. 11 Proving Theorem 3.1 directly involves renamings of existential variables and might produce exponential blow-up in the number of constraints when handled naively. Proof. We show the result by structural induction on A.
• If A is e.g.
x i= x j× x k , we get the representation with n := 8 and the pair (E, r) with Property (2) is obviously satisfied. Property (3), i.e. the satisfiability of E whatever the values of x i , x j and x k , is simple to establish: indeed, the values of u a+2 = x i , u a+3 = x j , u a+4 = x k and u a+5 = x j x k are uniquely determined. Pick u a := x j x k and u a+1 := x i and then again u a+6 = u a+7 = x i + x j x k are both uniquely determined. This assignment of variables satisfies all the constraints in E.
For property (4), let us now add the extra constraint u a+7= 0 and consider a valuation satisfying the constraints in (u a+7= 0) :: E. We must have u a+7 = u a + u a+1 = 0, hence Conversely, parameter values satisfying x i= x j× x k can be extended to a valuation of variables satisfying (u a+7= 0) :: E in a unique way with u a+7 , u a , u a+1 := 0, u a+6 , u a+5 , u a+2 := x i , u a+3 := x j and u a+4 := x k ; • We proceed similarly for the other atomic cases Let σ be the substitution mapping parameters in V and defined by σ(x 0 ) := u a+n B and σ(x 1+i ) := x i ; existential variables in U are left unmodified by this substitution. Then This concludes the recursive construction of a representation of λν. A ν .

Single Diophantine Equations
We now give our last and most naive object-level representation of Diophantine relations as a single polynomial equation. In this section, we show how a list of elementary Diophantine constraints can be simulated by a single identity between two Diophantine polynomials. We use the following well known convexity identity to achieve the reduction.
There are many possible justifications for this equivalence which, if ranging over Z, would more conventionally be written as i (p i − q i ) 2 = 0 ↔ ∀i, p i = q i . This form does not hold 12 Since the intervals [ua, ua+n B [ and [ua+n B , ua+n B  Similarly to elementary Diophantine constraints, we define Diophantine polynomials distinguishing the types of U of bound variables and V of parameters (or free variables) but the types U and V are not fixed copies of N anymore, but type parameters of arbitrary value.
Definition 4.2. The type of Diophantine polynomials D poly (U, V) and the type of single Diophantine equations D single (U, V) are defined by: For ϕ : U → N and ν : V → N we define the semantic interpretations of polynomials p ϕ ν : N and single Diophantine equations p= q ϕ ν : P in the obvious way.
. . . ; p n= q n ] and then use Proposition 4.1. In the code, we moreover show that the size of E is linear in the length of l. If needed, one could also show that the degree of the polynomial is less than 4.
Proof. Direct combination of Definition 2.1 and Theorems 3.1 and 4.3. In the formalisation, we also show that the size of the obtained single Diophantine equation is linearly bounded by the size of the witness formula contained in the proof of D rel R.
We have shown that the automation we designed to recognise relations of Diophantine shape entail that these relations are also definable by satisfiability of a single equation between Diophantine polynomials, so these tools are sound w.r.t. a formally restrictive characterisation of Diophantineness. One could argue that the above existential quantifier ∃ϕ encodes infinitely many existential quantifiers but it can easily be replaced by finitely many existential quantifiers over the bound variables that actually occur in p or q.
We pick n greater that the number of bound variables which occur in either p or q. This subset of N can be faithfully embedded into the finite type F n and we use such a renaming to compute (p , q ). Remark that the size of (p , q ) is the same as that of (p, q).
By Corollary 4.4 and Proposition 4.5, we see that a Diophantine logic formula A : D form potentially containing inner existential quantifiers and representing the Diophantine relation λν. A ν can effectively be reduced to a single Diophantine equation Because F n is the finite type of n elements, the (higher order) existential quantifier ∃ϕ simply encodes n successive (first order) existential quantifiers. The existential quantifiers that occur deep inside A are not erased by the reduction, they are moved at the outer level and to be ultimately understood as solvability for some polynomial equation of which the parameters match the free variables of A.

Remarks on the Implementation of Matiyasevich's Theorems
Matiyasevich's theorem stating that there is a Diophantine description of the exponential relation x = y z is a masterpiece which concluded the line of work by Davis, Putnam and Robinson, starting at Davis's conjecture in 1953. Already in 1952, Julia Robinson discovered that in order to show the exponential relation Diophantine, it suffices to find a single binary Diophantine relation exhibiting exponential growth [Rob52], a so-called Robinson predicate, i.e. a predicate J(u, v) in two variables s.t. J(u, v) implies v < u u and for every k there are u, v with J(u, v) and v > u k . Robinson's insight meant the only thing missing to prove what is nowadays called the DPRM theorem, was a single polynomial equation capturing any freely chosen Robinson predicate. Similar to other famous hard problems of mathematics, the question is easy to state, but from the start of the study of Diophantine equations to the late 60s, no such relation was known, rendering the problem one of the most baffling questions for mathematicians and computer scientists alike.
In 1970, Yuri Matiyasevich [Mat70] discovered that v = fib 2u is both a Robinson predicate and Diophantine. Here (fib n ) n∈N is the well known Fibonacci sequence defined by the second order recurrence relation fib 0 = 0, fib 1 = 1 and fib n+2 = fib n+1 + fib n . Combined with previous results, this concluded the multi-decades effort to establish the Diophantineness of all recursively enumerable predicates, implying a negative solution to Hilbert's tenth problem. That proof which included the original proof of Matiyasevich [Mat70] was later simplified. For instance, exploiting similar ideas but in the easier context of the solutions of another second order equation -namely Pell's equations x 2 − (a 2 − 1)y 2 = 1 with parameter a > 1, -Martin Davis [Dav73] gave a standalone proof of the DPRM-theorem where recursively enumerable predicates are characterised by a variant of µ-recursive functions. In that paper, Davis also provided a proof of the admissibility of bounded universal quantification using the Chinese remainder theorem to encode finite sequences of numbers. There exists more recent and simpler proofs of this admissibility result as well, see e.g. [Mat97].
Before we discuss the mechanisation of the Diophantineness of both the exponential relation and of bounded universal quantification, we want to remark on the difficulty of mechanising the former proof. Both on its own and as a stepping stone towards the negative solution to Hilbert's tenth problem, it is clear that Matiyasevich's theorem was an extremely difficult question which required superior intellectual resources to be solved. The mechanisation of a modernised form of the proof, although not trivial, cannot be compared to the difficulty of finding a solution. In particular, the modern proof relies on very mature background theories, lowering the number of possible design choices for the mechanisation. Moreover, very detailed pen and paper accounts of the proof are available, which can be followed closely.
An aspect that is more challenging in mechanisation than on paper are proofs regarding the computability of certain functions. Since paper proofs oftentimes rely on a vague notion of algorithm, most of the reasoning about these algorithms is hand-waved away by computer scientists, relying on the implicit understanding of what is an algorithm. By using a synthetic approach to computability [FHS18,FKS19,FL19], we make the notion of an algorithm precise and thus enable mechanisation, at the same time circumventing the verification of low-level programs. (Theorem 2.7). For our mechanised proof, we rely on a more recent account of Matiyasevich's theorem from [Mat00], which, among the many options we considered, seemed the shortest. The proof employs the equation x 2 −bxy +y 2 = 1 for b ≥ 2, also called Pell's equation in [Dav73]. We use the second order recurrence relation α b (−1) = −1, α b (0) = 0 and α b (n + 2) = bα b (n + 1) − α b (n) to describe the set of solutions of Pell's equation by (α b (n), α b (n + 1)) | n ∈ N . The recurrence can be characterised by the following square 2 × 2 matrix equation:

Exponential is Diophantine
Then, studying the properties of the sequence n → α b (n) in N or Z, one can show that α 2 (n) = n for all n and n → α b (n) grows exponentially for b ≥ 3. Studying the properties of the same sequence in Z/pZ (for varying values of the modulus p), one can for instance show that n = α 2 (n) ≡ α b (n) [b − 2], which relates n and α b (n) modulo (b − 2). With various intricate but elementary results, 14 such as e.g.
has a Diophantine representation. In our formalisation, we get a Diophantine logic formula of size 1445 as a witness (see dio rel alpha size).
Once α b (n) is proven Diophantine, one can recover the exponential relation x, y, z → x = y z using the eigenvalue λ of the matrix B b which satisfies λ 2 − bλ − 1 = 0. By wisely choosing m := bq − q 2 − 1, one gets λ ≡ q [m] and thus, using the corresponding eigenvector, . For a large enough value of m, hence a large enough value 15 of b, this gives a Diophantine representation of q n . In our code, we get a Diophantine logic formula of size 4903 as a witness (see dio fun expo example size).
The main libraries which are needed to solve Pell's equation and characterise its solutions are linear algebra (or at least square 2 × 2 matrices) over commutative rings such as Z and Z/pZ, a good library for modular algebra (Z/pZ), and the binomial theorem over rings. Without the help of the Coq ring tactic, such a development would be extremely painful. These libraries are then used again to derive the Diophantine encoding of the exponential. 5.2. Admissibility of Bounded Universal Quantification (Theorem 2.8). As hinted earlier, we provide an implementation of the algorithm for the elimination of bounded universal quantification described in [Mat97]. It does not involve the use of a model of computation, hence does not create a chicken-and-egg problem when used for the proof of the DPRM theorem. The technique of [Mat97] uses the exponential function and thus Theorem 2.7 (a lot), and a combination of arithmetic and bitwise operations over N through base 2 and base 2 q representations of natural numbers.
The Diophantine admissibility of bitwise operations over N is based on the relation stating that every bit of a is lower or equal than the corresponding bit in b and denoted a b. The equation a b ↔ C a b is odd 16 gives a Diophantine representation for a b and then bitwise operators are derived from in combination with regular addition +, in particular, the digit by digit AND operation called "projection. " To obtain that a b holds if and only if C a b ≡ 1 [2], we prove Lucas's theorem [Luc78] which allows for the computation of the 14 by elementary we certainly do not mean either simple or obvious, but we mean that they only involve standard tools from modular and linear algebra. 15 the largeness of which is secured using α itself again, but with other input values. But this works only in the case where n > 0 and q > 0. The cases where n = 0 (and hence q n = 1) or q = 0 and n > 0 (and hence q n = 0) are trivial and treated separately. 16 where C a b denotes the binomial coefficient with the usual convention that C a b = 0 when a > b.

HILBERT'S TENTH PROBLEM IN COQ (EXTENDED VERSION)
Vol. 18:1 binomial coefficient in base p. It states that C a b ≡ C an bn × · · · × C a 0 b 0 [p] holds when p is prime and a = a n p n + · · · + a 0 and b = b n p n + · · · + b 0 are the respective base p representations of a and b; see Appendix B for an elementary combinatorial proof of Lucas's theorem.
A Diophantine representation of the binomial coefficient can be obtained via e.g. the binomial theorem: C k n is the k-th digit of the development of (1 + q) n = n i=0 C i n q i in base q = 2 n+1 . This gives a Diophantine representation using the is digit relation of Lemma 2.9.
The rest of the admissibility proof for bounded universal quantification ∀i, i < n → A is a very nice encoding of vectors of natural numbers of type N n into natural numbers N such that regular addition + (resp. multiplication ×) somehow performs parallel/simultaneous additions (resp. multiplications) on the encoded vectors. More precisely, a vector (a 1 , . . . , a n ) ∈ [0, 2 q − 1] n of natural numbers is encoded as the "cipher" a 1 r 2 + a 2 r 4 + a 3 r 8 + · · · + a n r 2 n with r = 2 4q . In these sparse ciphers, only the digits occurring at r 2 i are non-zero. We remark that none of the parameters, including n or q, are constant in the encoding.
Besides the low-level inductive proof of Lucas's theorem presented in Appendix B, the essential library for the removal of bounded universal quantification consists of tools to manipulate the type N simultaneously and smoothly both as (a) usual natural numbers and (b) sparse base r = 2 4q encodings of vectors of natural numbers in [0, 2 q − 1]. Notice that r is defined as r = 2 2q in [Mat97] but we favour the alternative choice r = 2 4q which allows for an easier soundness proof for vector multiplication because there is no need to manage for digit overflows (see Appendix C). A significant step in the Diophantine encoding of + and × on N n is the Diophantine encoding of u = n i=1 r 2 i and u = n+1 i=2 r 2 i as the ciphers of the constant vectors [1; . . . ; 1] ∈ N n and [0; 1; . . . ; 1] ∈ N n+1 respectively, obtained by masking u 2 with w = 2 n+1 i=0 r i and 2w. Finally, it should be noted that prior to the elimination of the quantifier in ∀i, i < n → A, the Diophantine formula A is first normalised into a conjunction of elementary constraints using Theorem 3.1, and then the elimination is performed on that list of elementary constraints, encoding e.g. v 0= v 1+ v 2 and v 0= v 1× v 2 with their respective sparse cipher counterparts.

Minsky Machines Reduce to FRACTRAN
In previous work, we have reduced the halting problem for Turing machines to PCP [FHS18] and on to a specialised halting problem for Minsky machines [FL19] in Coq. The specialised halting problem asked whether a machine on a given input halts in a configuration with all registers containing zeros. In order to define Minsky machine recognisability, we consider a general halting problem which allows any final configuration, final meaning that computation cannot further proceed. The adaptation of the formal proofs reducing PCP via binary stack machines to Minsky machines is quite straightforward and reuses the certified compiler for low-level languages defined in [FL19].
We first show that one can remove self loops from Minsky machines, i.e. instructions which jump to their own location, using the compositional reasoning techniques developed in [FL19]. We then formalise the FRACTRAN language [Con87] and show how the halting problem for Minsky machines can be encoded into the halting problem for FRACTRAN programs. While the verification of Minsky machines can be complex and needs preliminary thoughts on compositional reasoning, the translation from Minsky machines to FRACTRAN is elementary and needs no heavy machinery. DEC α p decreases the value of register α by one if that is possible and increases the PC, or, if the register is already 0, jumps to PC value p. Given a Minsky machine (s, P ), we write (s, P ) // M (i 1 , v 1 ) k (i 2 , v 2 ) when (s, P ) transforms state (i 1 , v 1 ) into (i 2 , v 2 ) in k steps of computation. For (s, P ) to do a step in state (i, v) the instruction at label i in (s, P ) is considered. We define out i (s, P ) := i < s ∨ |P | + s ≤ i to characterize when label i is outside of the code of (s, P ). In that case (and only that case), no computation step can occur. We define the halting problem for Minsky Machines as meaning that the machine (1, P ) has a terminating computation starting at state (1, v), the value of the final state being irrelevant. Notice that since MM(n, P, v) considers only Minsky machines starting at PC value 1, the PC value 0 is always outside of their code (i.e. out 0 (1, P ) holds), hence computations can be halted by jumping there. We refer to [FL19] for a more in-depth formal description of those counter machines. Note that the halting problem defined there as MM 0 n : N, P : L I n , v : N n := (1, P ) // M (1, v) (0, 0) is more specific than the problem MM above defined but both are proved undecidable in our library.
We say that a machine has a self loop if it contains an instruction of the form i : DEC α i, i.e. jumps to itself in case the register α has value 0, leading necessarily to non-termination (in case the PC reaches value i). For every machine P with self loops, we can construct an equivalent machine Q using one additional register α 0 with constant value 0, which has the same behaviour but no self loops. Since the effect of a self loop i : DEC α i is either decrement and move to the next instruction at i + 1 if α > 0 or else enter in a forever loop at i, it is easily simulated by a jump to a length-2 cycle, i.e. replacing i : DEC α i with i : DEC α j and adding j : DEC α 0 (j + 1); j + 1 : DEC α 0 j somewhere near the end of the program.
Theorem 6.1. Given a Minsky machine P with n registers one can compute a machine Q with 1 + n registers and no self loops s.t. for any v, Proof. We explain how any Minsky machine (1, P ) with n registers can be transformed into an equivalent one that uses an extra 0 valued spare register α 0 = 0 ∈ F 1+n and avoids self loops. Let k be the length of P and let P be the Minsky machine with 1 + n registers defined by performing a 1-1 replacement of instructions of (1, P ): • instructions of the form i : INC α are replaced by i : INC (1 + α); • self loops i : DEC α i are replaced by i : DEC (1 + α) (2 + k); • proper inside jumps i : DEC α j for i = j and 1 ≤ j ≤ k are replaced by i : DEC (1 + α) j; • and outside jumps i : DEC α j for j = 0 ∨ k < j are replaced by i : DEC (1 + α) 0. Then we define Q := P + + [DEC α 0 0; DEC α 0 (3 + k); DEC α 0 (2 + k)]. Notice that P is immediately followed DEC α 0 0, i.e. by an unconditional jump to 0 (because α 0 has value 0), and that (1, Q) ends with the length-2 cycle composed of 2 + k : DEC α 0 (3 + k); 3 + k :

HILBERT'S TENTH PROBLEM IN COQ (EXTENDED VERSION)
Vol. 18:1 DEC α 0 (2 + k). We show that (1, Q) is a program without self loops (obvious) that satisfies the required simulation equivalence. Indeed, self loops are replaced by jumps to the length-2 cycle that uses the unmodified register α 0 to loop forever. One should just be careful that the outside jumps of (1, P ) do not accidentally fall into that cycle and this is why we redirect them all to PC value 0, which halts the computation because out 0 (1, Q) holds.
A predicate R : N n → P is MM-recognisable if there exist m : N and a Minsky machine P : L I n+m of (n+m) registers such that for any v : The last m registers serve as spare registers during the computation. Notice that not allowing for spare registers would make e.g. the empty predicate un-recognisable. 17 It is possible to limit the number of (spare) registers but that question is not essential in our development.
6.2. The FRACTRAN language. We formalise the language FRACTRAN, introduced as a universal programming language for arithmetic by Conway [Con87]. A FRACTRAN program Q consists of a list of positive fractions [p 1 /q 1 ; . . . ; p n /q n ]. The current state of a FRACTRAN program is just a natural number s. The first fraction p i /q i in Q such that s · (p i /q i ) is still integral determines the successor state, which then is s · (p i /q i ). If there is no such fraction in Q, the program terminates.
We make this precise inductively for Q being a list of fractions p/q : N × N: q · y = p · x (p/q :: Q) // F x y q p · x Q // F x y (p/q :: Q) // F x y i.e. at state x the first fraction p/q in Q where q divides p · x is used, and x is multiplied by p and divided by q. For instance, the FRACTRAN program [5/7; 2/1] runs forever when starting from state 7, producing the sequence 5 = 7 · (5/7), 10 = 5 · (2/1), 20 = 10 · (2/1) ... 18 We say that a FRACTRAN program Q = [p 1 /q 1 ; . . . ; p n /q n ] is regular if none of its denominators is 0, i.e. if q 1 = 0, . . . , q n = 0. For a FRACTRAN program Q : L (N × N) and s : N, we define the decision problem as the question "does Q halt when starting from s": Following [Con87], we now show how (regular) FRACTRAN halting can be used to simulate Minsky machines halting. The idea is to use a simple Gödel encoding of the states of a Minsky machine. We first fix two infinite sequences of prime numbers p 0 , p 1 , . . . and q 0 , q 1 , . . . all distinct from each other. We define the encoding of n-register Minsky machine states as (i, v) : . , x n−1 ]: • To simulate the step semantics of Minsky machines for i : INC α, we divide the encoded state by p i and multiply by p i+1 for the change in PC value, and increment the register α by multiplying with q α , hence we add the fraction p i+1 q α /p i ; • To simulate i : DEC α j when v α = 1 + n we divide by p i , multiply by p i+1 and decrease register α by dividing by q α , hence we add the fraction p i+1 /p i q α ; • To simulate i : DEC α j when v α = 0 we divide by p i and multiply by p j . To make sure that this is only executed when the previous rule does not apply, we add the fraction p j /p i after the fraction p i+1 /p i q α .
17 For any Minsky machine (1, P ), if it starts on large enough register values, for instance if they are all greater than the length of P , then no jump can occur and the machine terminates after its last instruction executes. Such unfortunate behavior can be circumvented with a 0-valued spare register. 18 No FRACTRAN program can ever stop when it contains a fraction having an integer value like 2/1. In short, we define the encoding of labelled instructions and then programs as Notice that we only produce regular programs and that a self loop like i : DEC α i, jumping on itself when v α = 0, will generate the fraction p i /p i potentially capturing any state (j, v) even when j = i. So this encoding does not work on Minsky machines containing self loops because the corresponding FRACTRAN program would never terminate, even when the PC never reaches self loops.
Lemma 6.2. If (1, P ) has no self loops then (1, Proof. Let (i, P ) be a Minsky machine with no self loops. We show that the simulation of (i, P ) by (i, P ) is 1-1, i.e. each step is simulated by one step. We first show the forward simulation, i.e. that (i, . Backward simulation involves the totality of MM one step semantics and the determinism of regular FRACTRAN one step semantics combined with the forward simulation. Using these two simulation results, the desired equivalence follows by induction on the length of terminating computations. 1 · · · q xn n ↓ holds for any x 1 , . . . , x n . Proof. Using Theorem 6.1, we first compute a Minsky machine (1, P 1 ) equivalent to (1, P ) but with one extra 0-valued spare register and no self loops. Then we apply Lemma 6.2 to (1, P 1 ) and let Q := (1, P 1 ). The program Q is obviously regular and given v = [x 1 ; . . . ; x n ], the encoding of the starting state (1, 0 :: v) for (1, P 1 ) is p 1 q 0 0 q x 1 1 · · · q xn n hence the result. This gives us a formal constructive proof that (regular) FRACTRAN is Turing complete as a model of computation and is consequently undecidable.
Proof. Theorem 6.3 gives us a reduction from MM to FRACTRAN which can be combined with the reduction of Halt to PCP from [FHS18] and a slight modification of PCP to MM from [FL19].

Diophantine Encoding of FRACTRAN
We show that a single step of FRACTRAN computation is a Diophantine relation. Proof. The map is built by induction on Q. If Q = [ ], then we show [ ] // F f ν g ν ↔ False, and thus D rel (λν.Q // F f ν g ν) by map 4 of Proposition 2.2 followed by dio auto. If Q is a composed list Q = p/q :: Q , then we show the equivalence p/q :: Q // F f ν g ν ↔ q · (g ν) = p · (f ν) ∨ q p · (f ν) ∧ Q // F f ν g ν 35:20

HILBERT'S TENTH PROBLEM IN COQ (EXTENDED VERSION)
Vol. 18:1 and we derive D rel (λν.Q // F f ν g ν) by map 4 of Proposition 2.2 followed by dio auto, the induction hypothesis being used locally as a hint for the tactic.
In addition, the "Q has terminated at x" predicate is Diophantine for any FRACTRAN program Q. The proof is similar to the previous one: Proof. The map ∀f, D fun f → D rel (λν.∀y, ¬ Q // F f ν y) is built by induction on Q. If Q = [ ], then we show (∀y, ¬ [ ] // F f ν y) ↔ True, and thus D rel (λν.∀y, ¬ Q // F f ν y) by map 4 of Proposition 2.2 followed by dio auto. If Q = p/q :: Q , then we show the equivalence ∀y, ¬ Q // F f ν y ↔ q p · (f ν) ∧ ∀y, ¬ Q // F f ν y and we get D rel (λν.∀y, ¬ Q // F f ν y) by map 4 of Proposition 2.2 followed by dio auto, the induction hypothesis being used as a hint again.
We can now deduce a core result of the paper which states that FRACTRAN programs have Diophantine termination predicates.
Proof. By definition we have Q // F f ν ↓ ↔ ∃x (Q // F f ν * x ∧ ∀y, ¬ Q // F x y) and hence we obtain the claim using Theorem 2.10 together with Lemma 7.1 and Lemma 7.2.
We conclude with the undecidability of Hilbert's tenth problem by a reduction chain starting from the Halting problem for single tape Turing machines: Theorem 7.4 (Hilbert's tenth problem). We have the following reduction chain

Halt PCP MM FRACTRAN DIO FORM DIO ELEM DIO SINGLE H10
and as a consequence, H10 is undecidable.
Proof. The proof combines previous results as Theorems 6.3 and 7.3 and Corollary 4.4.

The Davis-Putnam-Robinson-Matiyasevich Theorem
We give a proof of an instance of the DPRM theorem stating that recursively enumerable predicates are Diophantine. 19 Here we assume that the informal notion of "recursive enumerability" (justified by Church's thesis) can be characterised by Minsky machines recognisability as defined in Section 6.1.
Proof. By induction on n : N using Proposition 2.4 and Theorem 2.7. Notice that the q i 's are hard-coded in the Diophantine representation, which means we do not need to encode the algorithm that actually computes them, which would otherwise be very painful.
19 By instance, we mean that the DPRM is an open theorem bound to be extended for any newly proposed Turing complete model of computation. Lemma 8.2. For any FRACTRAN program Q we have D rel λν. Q // F p 1 q ν x 0 1 · · · q ν x n−1 n ↓ .
Proof. By Theorem 7.3, we only have to show D fun f for f ν := p 1 q ν x 0 1 · · · q ν x n−1 n . This follows from Propositions 2.4 and 8.1.
To simplify the notation p w v below, we abusively identify the vector v : N n (resp. w : N m ) with the valuation λ(i : F n ). v i (resp. λ(j : F m ). w j ) that accesses the components of the vector v (resp. w). 1 · · · q vn n q w 1 n+1 · · · q wm n+m ↓. Hence we deduce R [v 1 ; . . . ; v n ] ↔ Q // F p 1 q v 1 1 · · · q vn n ↓. As a consequence, the relation λν.R [ν x 0 ; . . . ; ν x n−1 ] is Diophantine by Lemma 8.2. By Corollary 4.4, there is a Diophantine equation p= q : D single (N, V) such that R [ν x 0 ; . . . ; ν x n−1 ] ↔ ∃ϕ, p ϕ ν = q ϕ ν . Notice that the value ν x i of any parameter of p= q greater than x n does not influence its solvability. Now let m be an upper bound of the number of (existentially quantified) variables in p= q. We injectively map those variables in F m and we project the parameters of p= q onto F n by replacing every parameter greater than x n with the 0 constant. We get a Diophantine equation p = q : D single (F m , F n ) of which the solvability at v is equivalent to R v.

Hilbert's Tenth Problem Over Integers
In our formalisation, polynomials are defined over natural numbers, that is both constants and solutions come from N. The standard way to extend the undecidability of H10 to a formalisation based on integers is via Lagrange's theorem, stating that an integer is positive if and only if it is the sum of four squares.
Similar to Definition 4.2, we define define polynomials over integers: Definition 9.1. The type of Diophantine polynomials D Z poly (U, V) over Z is defined by: The interpretation of a polynomial p : D Z poly (U, V) in Z given ϕ : U → Z, ν : V → Z and denoted p ϕ ν , is defined in the obvious way. Again, if p : D Z poly (F m , F n ) we abusively write p w v when v : N n and w : N m . We can then define H10 Z n, p : D Z poly (F n , F 0 ) := ∃ w : N n , p w [ ] = 0 that is "does the polynomial equation p(x 1 , . . . , x n ) = 0 in (at most) n variables have a solution in Z. " We first outline a proof of Lagrange's theorem and then reduce H10 to H10 Z .

HILBERT'S TENTH PROBLEM IN COQ (EXTENDED VERSION)
Vol. 18:1 9.1. Lagrange's theorem. The proof we have implemented roughly follows the "classical proof" in Wikipedia's account of the theorem. Their use of the "classical" qualifier should be understood as typical/standard, and certainly not as opposed to constructive/intuitionistic. The below proof perfectly fits in our constructive setting.
Proof. This holds in any commutative ring and the proof just calls the ring tactic.
Because of Proposition 9.2, "being the sum of four squares" is a multiplicative property. Hence to show that it holds for every natural number, it is enough to establish it for primes.
Theorem 9.3 (Prime induction). Let P : N → P be a predicate. To establish ∀n : N, P n, it is enough to prove these four induction steps: Proof. This is one possible form of the fundamental theorem of arithmetic. For the proof, first show by strong induction on n : N that one can discriminate whether n < 2 or compute a prime factor of n, including the possibility that n itself is prime. Then, to prove the prime induction principle, proceed by strong induction again.
Proof. Let us first rule out the case p = 2 which has an obvious solution. So let us write p = 2m + 1 because all the other primes are odd. In the field Z/pZ, let us study the modular equation a 2 ≡ −(1 + b 2 ) [p]. Because Z/pZ has no zero divisor, the map a → a 2 from [0, m] → Z/pZ is injective. As a consequence, so is the map b → −(1+b 2 ) from [0, m] → Z/pZ. Hence none of the two lists a 2 : Z/pZ | a ∈ [0, m] and −(1 + b 2 ) : Z/pZ | b ∈ [0, m] contain a duplicate. Since they have a combined length of 2(m + 1) > 2m + 1 and their concatenation is contained in a list of length p = 2m + 1 enumerating Z/pZ, by the pigeon hole principle, they must intersect and this gives a, b ∈ [0, m] such that a 2 ≡ −(1 + b 2 ) [p]. This in turn gives n : N such that np = 1 + a 2 + b 2 . Given that 2a < p and 2b < p, we deduce 0 < n < p.
Lagrange's theorem gives a Diophantine characterisation of those relative integers which are positive as the sum of four squares.
Theorem 9.5 (Lagrange, 1770). For any relative integer z : Z, z is positive if and only if there exists a, b, c, d : Z such that z = a 2 + b 2 + c 2 + d 2 .
Proof. It is enough to show that any natural number n : N is the sum of four squares, i.e. there exists a, b, c, d : Z such that n = a 2 + b 2 + c 2 + d 2 . By Euler's four-square identity (see Proposition 9.2) and the principle of prime induction (see Theorem 9.3), we only need to show the property for prime numbers.
We fix a prime number p and define the predicate "mp is the sum of four squares" as P (m : N) := ∃a b c d : Z, mp = a 2 + b 2 + c 2 + d 2 . We want to show that P 1 holds. By Lemma 9.4, we know that P n holds for some 0 < n < p.
The function f can now be used to define the reduction from H10 to H10 Z : Corollary 9.6. H10 H10 Z .

µ-Recursive Algorithms
In order to show that MM, FRACTRAN, and H10 are in the same many-one reduction class (i.e. interreducible via many-one reductions), we introduce µ-recursive algorithms as intermediate layer. Programming in this well-known model of computation resembles functional programming (in a first-order language) and we will use it first for a reduction H10 µ-rec. Afterwards, we explain a compiler to Minsky machines, yielding a reduction from µ-rec to MM. The next section will then connect µ-recursive algorithms to the weak call-by-value λ-calculus.
10.1. µ-Recursive Recognisability. We define a type A k of µ-recursive algorithms representing µ-recursive partial functions in N k − N.
We represent these µ-recursive partial functions using the standard relational semantics f : N k → N → P of the µ-recursive algorithm f : A k , formalised in Figure 2 as a fixpoint definition. Intuitively, cst n represents the constant n of arity 0, zero is the constant 0-function of arity 1, succ the successor function of arity 1, projection prj p returns the p-th argument, comp f g where g is a k-vector of functions of arity i first applies each element of g to the i inputs and then f to the resulting k numbers. rec f g is performing primitive recursion on the first argument. If the argument is 0, f is used. If the argument is 1 + n, g is applied to n, the recursive call and the rest of the arguments. Finally, minimisation µf performs unbounded search returning the smallest number x s.t. f on x returns 0 and f terminates on a non-zero value for every y < x.
Following [Lar17], in Fig. 3 we also formalise a cost aware big-step evaluation predicate x : N, and where c : N denotes the cost of a computation, the cost being tailored toward the naive step-indexed evaluator to be defined in the next section. 20 We can directly relate the relational semantics with the big-step semantics: 20 In the Coq code, the predicate has one additional auxiliary argument to ease the correctness proof for the step-indexed interpreter which is only internal to the proof and thus omitted here.  With these characterizations of the semantics of µ-recursive algorithms, we can define µ-recursive halting as follows: Definition 10.2. We call a relation k-ary relation R over natural numbers µ-recursively recognisable if there is a µ-recursive algorithm f : A k s.t. for any v : N k the equivalence R v ↔ ∃x, f v x holds.

10.2.
Compiling µ-recursive algorithms into Minsky machines. We describe how to compile a µ-recursive algorithm f : A k into a Minsky machine. To avoid solving complicated inequality constraints over the bounded numbers in F m , 21 we here work with Minsky machines where registers are indexed with N instead of F m . Hence the number of registers is not bounded a priori but of course, for a given Minsky machine, the number of register that actually occur in the code is bounded. And indeed, in the end of the process in Theorem 10.5, we project to Minsky machines with registers in F m (for some m) after the µ-recursive algorithm has been fully compiled. We will not enter into the details on how particular µ-recursive operators are implemented but instead focus on the global invariant of the compiler.
For a µ-recursive algorithm f : A k with k inputs and one output, we produce a Minsky machine P : I N with the following structure for registers, described by the four extra parameters i, p, o and m, all of type N: i : is the PC-index of the first instruction of P ; p : the k inputs for f are to be read in the k registers {p, . . . , p + k − 1} of P ; o : the output of f is to be written in the register o of P ; 21 Unlike N or Z, the inductive type Fm representing the numbers bounded by m is not equipped with powerful linear constraints solving tactics such as lia or omega. Working with bounded numbers here would require from us to manipulate embeddings of e.g. the disjoint sum Fi + Fj into F k (for some large enough k), which would also impact types that depend on i, j and k. For those who experienced it, this should instantly trigger the bad memory of setoid hell. Using the above mentioned tools, it is much simpler to work with intervals of N instead.

HILBERT'S TENTH PROBLEM IN COQ (EXTENDED VERSION)
Vol. 18:1 m : P can use spare registers above m and assume their initial value is 0. Moreover, we require that all registers except the output register o are returned to their initial value when the computation is terminated. In particular, spare registers return to their initial value 0.
Definition 10.3. We say that P properly compiles f under the constraints i, p, o, m and we write ra compiled k (f : A k ) (i p o m : N) (P : I N ) if for any v : N k and ρ : N → N such that (1) ∀u ≥ m, ρ u = 0 and (2) ∀q : F k , ρ q+p = v q , we have soundness: ∀x : In these N-indexed register machines, the state of a machine cannot be described by a finite vector v : N k but is instead represented by an environment ρ : N → N mapping register indices (in N) to the values they contain (in N also, but with a different meaning). The two conditions (1) and (2) state that ρ is null above register m and ρ contains v starting at register p. And under these conditions, (i, P ) should simulate a terminating computation of f on v outputting x (soundness), while conversely, whenever (i, P ) terminates starting from (i, ρ), this entails that f terminates on v (completeness).
We can now construct a certified compiler from µ-recursive algorithms to N-indexed Minsky machines. Literally, Theorem 10.4 below states that whenever the output register o does not belong to the input registers {p, . . . , p + k − 1} or the spare registers {m, m + 1, . . .} and that spare registers have indices above input registers, then one can properly compile f at PC value i.
Theorem 10.4. Given a µ-recursive algorithm f : A k , we can build a term: The proof proceeds by structural induction on f : A k . The details are quite involved and not exposed in here: we just wanted to state the above invariant, which is closed under each µ-recursive constructor. The sub-Minsky machines are built and composed using the compositional techniques already presented in [FL19]. Notice that the statement of ra compiled takes the output value x in f v x into account while in the below Theorem 10.5, we only care about termination. Because the termination of e.g. the µ-recursive composition comp f g depends not just on the termination of g p (for all p : F k ) but on the actual output values w p of g p v w p , it is necessary to be more precise in the stated invariant used in the inductive construction of the compiler.
Theorem 10.5. Given a µ-recursive algorithm f : A k , one can compute n : N and a list of Minsky machine instructions P : I F k+1+n such that for any v : N k , Proof. By Theorem 10.4, we compile f into P : I N under the constraints i := 1, p := 0, o := k and m := 1 + k. Then we compute n such that k + 1 + n is a strict upper bound of all the register indices that occur in P . Now we can map P : I N to P : I F k+1+n while preserving its semantics. Notice that contrary to Theorem 10.4, the resulting output value of f or (1, P ) can now be disregarded since we only care about termination.
Corollary 10.6. µ-rec MM. 10.3. Diophantine relations are µ-recursively recognisable. We encode n-ary Diophantine relations using µ-recursive algorithms. Following the DPRM Theorem 8.3, we consider a n-ary relation R : N n → P to be Diophantine if there is a single Diophantine equation p= q : D single (F m , F n ) with n parameters and m (existential) variables such that Again we abusively confuse vectors with maps using the equivalence X n F n → X. We will prove that every Diophantine relation in this sense is µ-recursively recognisable (see Definition 10.2). The proof idea is relatively straightforward. First, we implement eval : D poly (F m , F n ) → A m+n evaluating any polynomial: Lemma 10.7. Given any Diophantine polynomial p : D poly (F m , F n ), one can compute a µ-recursive algorithm eval p : Proof. The implementation relies on implementations of addition and multiplication on natural numbers, which are relatively straightforward for µ-recursive algorithms.
Secondly, we implement a bijection between N and N m for any m: Thirdly, given an equation p= q, we compute a test algorithm test p,q : A 1+n , always terminating and returning 0 iff p= q is satisfied when decoding the first argument as a vector w using pr m : Lemma 10.9. Given any p= q : D single (F m , F n ), one can compute a µ-recursive algorithm test p,q : A 1+n s.t. test p,q (x :: v) 0 ↔ p w v = q w v where w := pr m (x). Furthermore, test p,q is primitive recursive hence total.
To finish, given a vector v : N n describing the values of parameters, we use minimisation µ to search for a number x such that w := pr m (x) is a solution for p= q: Theorem 10.10. Given p= q : D single (F m , F n ), one can compute a µ-recursive algorithm find p,q : A n s.t. for any v : N n , we have the equivalence Notice that while find p,q cannot be primitive recursive (it does not terminate when the equation p= q is unsolvable), it is however implemented as a single unbounded minimization applied to an otherwise primitive recursive algorithm.

HILBERT'S TENTH PROBLEM IN COQ (EXTENDED VERSION)
Vol. 18:1 11. The Weak Call-by-Value λ-Calculus L Until now, we have shown that the problems MM, FRACTRAN, H10, and µ-rec are all interreducible w.r.t. many-one reductions. We contribute our proofs to the Coq library of undecidability proofs [FLWD + 20], which contains several other well-known reduction proofs. Amongst them is a chain of reductions published in related work and discussed in Section 12, establishing that the halting problem of Turing machines reduces to MM and thus to all other problems we consider. It is also possible to prove that all considered problems are in fact interreducible to the halting problem of Turing machines. We demonstrate one technique to do so, based on the weak call-by-value λ-calculus L, which is already shown interreducible with the halting problem of Turing machines in [FKSW21].
We briefly introduce L in this section and then reduce µ-rec to halting in L. Syntactically, L is just the untyped λ-calculus, De Bruijn style: The halting problem for L can then be defined as WCBV(s : L) := ∃t, s t.
It is possible to encode natural numbers, vectors over natural numbers, and other data types into L using Scott's encoding. We will denote with · such encoding functions. For further details on encodings and L we refer to [FS17], since they do not actually matter to understand the reduction.
In general, a predicate reduces to the L-halting problem WCBV if it is L-recognisable: Definition 11.1. We say that a function f : X 1 → · · · → X n → Y is L-computable if there exists a closed term t s.t. ∀x 1 : X 1 . . . . ∀x n : X n . t x 1 . . . x n f x 1 . . . x n . Given a type X encodable in L and a predicate P over X we say that P is L-recognisable if there is an L-computable function f : X → N → B s.t. P x ↔ ∃n, f x n = true.
Theorem 11.2. Let X be encodable in L. For a predicate P over X we have that P WCBV if and only if P is L-recognisable.
To instantiate the theorem to µ-rec one would like to give a step-indexed evaluation function for µ-recursive algorithms, i.e. for f : A k a function f : x and then show that it is computable in L. The second step, i.e. proving that this function is L-computable, is in principle fully automatic using the certifying extraction framework from Forster and Kunze [FK19], which is implemented using tools from the MetaCoq projet [SAB + 20]. The framework supports extracting nondependent, non-mutual, non-nested, simply-typed Coq functions to L automatically, and also generates a proof of correctness of the extract. However, recall that the type A k of µ-recursive functions is both heavily dependent and used nested constructions: It has a type index in k, makes use of finite types F k , and has a nested use of the dependent vector type, i.e. contains subterms of type (A k ) i . Thus, a direct step-indexed interpreter will not be extractable. Instead, we use a general technique and implement a step-indexed interpreter working on the syntactic skeleton of µ-recursive functions. A syntactic skeleton for a type I mirrors the constructors of I, but without any dependent types. If I furthermore has nested applications of types N 1 , . . . , N n , the syntactic skeleton also contains the constructors of N 1 , . . . , N n . That is, if I has i constructors and N 1 , . . . , N n have m 1 , . . . , m n constructors respectively, the syntactic skeleton of I has i + m 1 + · · · + m n constructors. The syntactic skeleton A of the type A is defined as follows: Note that we re-use constructor names. In the syntactic skeleton we have j : N instead of j : F k for prj j , g : A instead of G : (A k ) i for comp f g, and the constructors cons and nil as the constructors of the vector type are added.
It is straightforward to implement mutually recursive functions erase : A k → A and erase : (A k ) i → A which are essentially the identity. We call a skeleton s : A valid if it corresponds to a µ-recursive function or a vector, i.e. if ∃k : N, (∃f : A k , s = erase f ) ∨ (∃i : N, ∃l : (A k ) i , s = erase l).
For A we can now define a step-indexed evaluation function Proof. We use Theorem 11.2 and have to provide a function F s.t. µ-rec(k : N, f : A k , v : N k ) ↔ ∃c, F c (k, f, v) = true. We define F (k : N, f : A k , v : N k ) c := true if f 0 c (v2l v) = inl n for some n and F (k, f, v) c := false otherwise. Now F is part of the Coq fragment supported by the extraction framework in [FK19], since the step-indexed evaluator · does not use any dependent, nested, mutual, or nonsimple types. Thus F is L-computable.
Furthermore we have as wanted that

Related Work
Regarding formalisations of Hilbert's tenth problem, there are various unfinished and preliminary results in different proof assistants: Carneiro [Car18] formalises Matiyasevich's theorem (Diophantineness of exponentiation) in Lean, but does not consider computational models or the DPRM theorem. Pak formalises results regarding Pell's equation [Pak17] and proves that Diophantine sets are closed under union and intersection [Pak18], both as parts of the Mizar Mathematical Library. Stock et al. [S + 18,BDP + 19] report on an unfinished formalisation of the DPRM theorem in Isabelle based on [Mat00]. They cover some parts of the proof, but acknowledge for important missing results like Lucas's or "Kummer's theorem" and a "formalisation of a register machine. " Moreover, none of the cited reports considers the computability of the reductions involved or the verification of a universal machine in the chosen model of computation yet, one of them being a necessary proof goal for an actual undecidability result in the classical meta-theories of Isabelle/HOL and Mizar.
Regarding undecidability proofs in type theory, Forster,Heiter,and Smolka [FHS18] reduce the halting problem of Turing machines to PCP. Forster and Larchey-Wendling [FL19] reduce PCP to provability in linear logic via the halting problem of Minsky machines, which we build on. Forster, Kirst and Smolka develop the notion of synthetic undecidability in Coq and prove the undecidability of various notions in first-order logic [FKS19]. Spies and Forster mechanise the undecidability proof of second-order unification by reduction from H10 [SF20] originally shown by Goldfarb [Gol81]. Forster, Kunze, and Wuttke reduce the halting problem of multi-tape Turing machines to single-tape Turing machines [FKW20]. Dudenhefner and Rehof [DR19] mechanise a recently simplified undecidability proof for System F inhabitation.
Regarding formalisations of µ-recursive functions, Larchey-Wendling [Lar17] shows that every total µ-recursive function can directly be computed in Coq and Carneiro [Car19] mechanises standard computability theory based on µ-recursive functions. Xu, Zhang, and Urban [XZU13] mechanise µ-recursive functions and Turing machines in Isabelle and prove their computational equivalence. Their proof uses Abacus machines as intermediate layer, which are similar to our Minsky machines.