Verifiable Certificates for Predicate Subtyping [chapter]

Frederic Gilbert
2019 Lecture Notes in Computer Science  
Adding predicate subtyping to higher-order logic yields a very expressive language in which type-checking is undecidable, making the definition of a system of verifiable certificates challenging. This work presents a solution to this issue with a minimal formalization of predicate subtyping, named PVS-Core, together with a system of verifiable certificates for PVS-Core, named PVS-Cert. PVS-Cert is based on the introduction of proof terms and explicit coercions. Its design is similar to that of PTSs with dependent pairs, with the exception of the definition of conversion, which is based on a specific notion of reduction →β*, corresponding to β-reduction combined with the erasure of coercions. The use of this reduction instead of the more standard reduction →βσ makes it possible to establish a simple correspondence between PVS-Core and PVS-Cert. On the other hand, a type-checking algorithm is designed for PVS-Cert, built on proofs of type preservation of →βσ and strong normalization of both →βσ and →β*. Combining these results, PVS-Cert judgements are used as verifiable certificates for predicate subtyping. In addition, the reduction →βσ is used to define a cut elimination procedure for predicate subtyping. This definition provides a new tool to study the properties of predicate subtyping, as illustrated with a proof of consistency.

starting from a minimal formalization of predicate subtyping named PVS-Core, by adding explicit proofs and coercions. PVS-Cert is also equipped with a notion of cut elimination, which can be used directly to study the meta-theoretical properties of both PVS-Cert and PVS-Core.

Extending Higher-Order Logic with Predicate Subtyping

Higher-order logic is characterized by the coexistence of types and predicates as two radically different kinds of attributes of mathematical expressions. For instance, the mathematical expression 1 + 1 can be assigned a type Nat expressing that it is a natural number, or a predicate Even expressing that it is divisible by two. The assignment of types remains very simple: in particular, type-checking is decidable in higher-order logic. In contrast, most attributes of mathematical expressions formulated as predicates cannot be formulated as types: for instance, being a natural number different from 0 is expressible as a predicate, but not as a type.
Predicate subtyping makes it possible to recover a symmetrical situation between the expressivity of types and predicates. It is defined as the addition of new types, referred to as predicate subtypes. Given a predicate P defined on a domain A (e.g. Even, defined on the domain Nat), the predicate subtype {x : A | P(x)} is defined. An expression t can be assigned this type if and only if it can be assigned the type A and P(t) is provable. For instance, if Nonzero is a predicate of domain Nat expressing that a natural number is different from 0, proving Nonzero(1) allows one to conclude that 1 admits the type {x : Nat | Nonzero(x)}. This augmented expressivity of the language of types makes it possible to exclude many unwanted expressions from reasoning. For instance, defining the domain of denominators of Euclidean division as {x : Nat | Nonzero(x)}, all divisions in which the denominator is not provably different from zero become ill-typed. As expressions may have several types, predicate subtyping induces a form of subtyping: for instance, as any expression of type {x : Nat | Nonzero(x)} also admits the type Nat, the former can be considered as a subtype of the latter.

As previously mentioned, a major counterpart of this extension of higher-order logic is the fact that typing judgements and proof judgements become entangled. For instance, proving the equality (1/1) = 1 requires that 1 can be assigned the type {x : Nat | Nonzero(x)}, which, in turn, requires proving Nonzero(1). As a direct consequence, type-checking is not decidable in the presence of predicate subtyping.
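As an added illustration, constructed for this page and not taken from the paper's PVS-Cert calculus, the Python below models the division example: a predicate subtype {x : Nat | Nonzero(x)}, terms carrying explicit coercions whose witness acts as a checkable certificate, a decidable type checker that accepts Div(1, <1, witness>) and rejects Div(1, 1), and coercion erasure back to the PVS-Core term. The certificate format (a witness m with n = m + 1 for Nonzero, k with n = 2k for Even), the Div constructor and all other names are assumptions of this example.

```python
from dataclasses import dataclass
# Toy PVS-Cert-style syntax, constructed for this example; it is not the paper's formal system.
# Base types are plain strings and natural-number literals are plain ints (of type "Nat").
@dataclass
class Subtype:           # predicate subtype {x : domain | pred(x)}
    domain: str
    pred: str
@dataclass
class Div:               # Euclidean division; the denominator must have type {x : Nat | Nonzero(x)}
    num: object
    den: object
@dataclass
class Coerce:            # explicit coercion <term, witness> : target; the witness is the certificate
    term: object
    target: Subtype
    witness: int
NAT, NONZERO_NAT = "Nat", Subtype("Nat", "Nonzero")
# A certificate is checked, never searched for: Nonzero(n) is certified by m with n = m + 1,
# Even(n) by k with n = 2 * k.  Finding m or k is the prover's job, not the type checker's.
CERT_CHECK = {"Nonzero": lambda n, m: n == m + 1, "Even": lambda n, k: n == 2 * k}

def erase(t):            # coercion erasure: PVS-Cert term -> the PVS-Core term it certifies
    if isinstance(t, Coerce):
        return erase(t.term)
    return Div(erase(t.num), erase(t.den)) if isinstance(t, Div) else t

def evaluate(t):         # value of the erased term (all terms here are closed)
    t = erase(t)
    return t if isinstance(t, int) else evaluate(t.num) // evaluate(t.den)

def check(t, expected):  # subsumption: a term of type {x : A | P(x)} is also accepted where A is expected
    actual = infer(t)
    if actual != expected and not (isinstance(actual, Subtype) and actual.domain == expected):
        raise TypeError(f"{erase(t)} has type {actual}, expected {expected}")

def infer(t):
    if isinstance(t, int):
        return NAT
    if isinstance(t, Div):
        check(t.num, NAT)
        check(t.den, NONZERO_NAT)   # Div(1, 1) is rejected: no certificate of Nonzero(1) is supplied
        return NAT
    check(t.term, t.target.domain)  # <t, p> : {x : A | P(x)} needs t : A and a valid certificate
    if not CERT_CHECK[t.target.pred](evaluate(t.term), t.witness):
        raise TypeError(f"witness {t.witness} does not certify {t.target.pred}({erase(t.term)})")
    return t.target
def well_typed(t):
    try:
        return infer(t) is not None
    except TypeError:
        return False
```

A coercion with an invalid witness is rejected even when the underlying statement is true, which is what makes checking a certificate cheaper than proving: the checker verifies the supplied evidence and never searches for it.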
doi:10.1007/978-3-030-17184-1_16 fatcat:elvng7y4ojbe5a7cxnzvgde3zm