A Type-Free Formalization of Mathematics where Proofs are Objects
Author: Gilles Dowek
Abstract
We present a first order untyped axiomatization of mathematics where proofs are objects in the sense of the Heyting-Kolmogorov functional interpretation. The consistency of this theory is open.

Key-words: formalization of mathematics, set theory, functional interpretation of proofs, reflection, Gödel's theorem, Tarski's theorem

Contact: [email protected]
Unité de recherche INRIA Rocquencourt, Domaine de Voluceau, Rocquencourt, BP 105, 78153 LE CHESNAY Cedex (France). Téléphone : (33 1) 39 63 55 11, Télécopie : (33 1) 39 63 53 30

Une formalisation des mathématiques non typée dans laquelle les démonstrations sont des objets

Résumé (French abstract, translated): We present an axiomatization of mathematics in untyped first order logic in which proofs are objects in the sense of the functional interpretation of Heyting and Kolmogorov. The consistency of this theory is open.

Mots-clé (translated): formalization of mathematics, set theory, functional interpretation of proofs, reflection, Gödel's theorem, Tarski's theorem

Introduction

As mathematical truth is not decidable, mathematical statements need to be proved. In the usual formalizations of the language of mathematics, proofs are sequences of propositions produced by some deduction rules. Such proofs are not terms of the language, i.e. not elements of the universe of discourse. Without going back to the ancient Greeks, for whom the universe of mathematical discourse contained only natural numbers, this situation can be compared to that of functions, which were used but not considered as objects before the seventeenth century, or of sets, which were not considered as objects before the nineteenth century. In contrast, in natural languages, the truth of a proposition can be justified by a complement.
For example, the truth of the proposition "there are natural numbers such that $x^2 + y^2 = z^2$" can be justified by adding a complement: "there are natural numbers such that $x^2 + y^2 = z^2$, e.g. $3, 4, 5$". In contrast, the truth of this second proposition must be decided by some algorithm, to avoid an endless chain of justifications of justifications. It must also be decided by an algorithm that the first proposition is true whenever the second is.

To do the same thing in a formal way, we want to define a language with a symbol $pr$ such that if $P$ is a provable proposition, then there is a term $t$ such that $t \in pr(P)$ is also a provable proposition, and moreover the truth of this proposition can be established by a proof-checking algorithm. We do not need every provable proposition of the form $t \in pr(P)$ to be established by the algorithm, but we need that for each provable proposition $P$ there is at least one term $t$ such that the proposition $t \in pr(P)$ is established by the algorithm. Such a term $t$ is called a checkable proof-term.

Having such proof-terms can be useful. For instance, if we skolemize the proposition
$$\forall x\ \forall y\ ((y \neq 0) \Rightarrow \exists z\ x = y \cdot z)$$
we introduce a binary function symbol $/$ and the proposition
$$\forall x\ \forall y\ ((y \neq 0) \Rightarrow x = y \cdot (x/y))$$
Although we cannot prove the proposition $1 = 0 \cdot (1/0)$, we can form the term $1/0$. This term is usually considered as meaningless. But the meaningfulness of such a term may be difficult to establish, in particular as we cannot decide whether a real number is $0$ or not. If, in contrast, we skolemize the proposition
$$\forall x\ \forall y\ \forall p\ ((p \in pr(y \neq 0)) \Rightarrow \exists z\ x = y \cdot z)$$
then we get a ternary function symbol $/$ and the proposition
$$\forall x\ \forall y\ \forall p\ ((p \in pr(y \neq 0)) \Rightarrow x = y \cdot /(x, y, p))$$
Again, we can form the meaningless term $/(1, 0, t)$, but now we can easily check that $t$ is not a checkable proof of $0 \neq 0$, and thus that this term is meaningless [18]. Deciding whether a term $/(x, y, p)$ is meaningful or not permits us to decide whether we get back $x$ or not when we multiply it by $y$.
The same holds when we want to define a function on a quotient set. If $f$ is a function from a set $A$ to a set $B$ and $R$ is an equivalence relation on $A$, we can define a function $g = Quo(f, A, B, R)$ from $A/R$ to $B$ if the proposition
$$\forall x \in A\ \forall y \in A\ (R(x, y) \Rightarrow f(x) = f(y))$$
is provable. Again, this term is meaningless when this proposition is not provable. Meaningfulness is decidable if we include the proof of this proposition in the term $g$, i.e. $g = Quo(f, A, B, R, p)$.

A last example is the choice operator (resp. the description operator). The term $C(A)$ is meaningful only when $A$ is a non-empty set (resp. a singleton). Providing a proof that $A$ is non-empty (resp. a singleton), $C(A, p)$, permits us to decide whether such an expression is meaningful. Giving such an existence proof also permits us to define this choice operator. A proof of the existence of an object in $A$ is a pair consisting of an object and a proof that this object is in $A$. Thus the chosen object $C(A, \langle a, p \rangle)$ can be $a$. This way, the choice operator can be defined as the function projecting a pair on its first component. Thus, there is no need to extend the language with a new operator, because the choice operator can be defined in the language [22].

Having a choice operator taking a proof as argument is needed to program computers in the language of mathematics [21, 19, 24]. In this case, we want to have, as usual, the possibility to define a function using the choice operator. For instance, as we know that there exists a function $f$ such that
$$(f\ 0\ m) = m \qquad (f\ (S\ n)\ m) = (S\ (f\ n\ m))$$
we want to express it by the term
$$+ = C(\{f \in N \to N \to N \mid \forall m \in N\ (f\ 0\ m) = m \wedge \forall n \in N\ \forall m \in N\ (f\ (S\ n)\ m) = (S\ (f\ n\ m))\})$$
But we also want to be able to execute this program, i.e. for instance to compute the term $(S\ (S\ (S\ 0)))$ from the term $(+\ (S\ (S\ 0))\ (S\ 0))$.
This computation cannot be done when the choice operator takes only a set as argument, but it can when this operator also takes a (constructive) proof of the existence of an element in this set.

Such proof-terms are also useful in automated theorem proving. Trying to prove the proposition $P$ can be reduced to searching for a term $t$ such that $t \in pr(P)$ is decided by the algorithm.

Having proofs as objects is also a natural way to construct truth predicates (see, for instance, [13]), taking $\exists y\ (y \in pr(x))$ for $T(x)$, and thus to formalize indirect arguments through reflection. For instance we may want to state an axiom expressing that an undecided statement asserting the existence of some natural number verifying some decidable property is false. At last, we could hope that some metamathematical results, like Gödel's incompleteness theorem, showing the existence of a true but unprovable proposition, would be theorems in such a theory:
$$\exists P\ (P \wedge \neg \exists x\ (x \in pr(P)))$$
(however, this is still not the case in the simple approach suggested below; see the discussion in section 3.5.2).

1 State of the art

This idea of having proofs as genuine mathematical objects has already been developed in several ways.

1.1 Proof theory

An early occurrence of proofs considered as mathematical objects is the notion of proof as defined in Frege-Hilbert systems, and then in natural deduction and sequent calculus. Since Gentzen's work, such proofs have been extensively studied in proof theory. However, the goal of proof theory is to study the proofs of some theories in the usual language of mathematics, not to extend the language of mathematics by internalizing the proofs of the language itself. Thus the goals are different, but tools can be shared.

1.2 Reflection

Another approach to proofs as objects comes from the proof of Gödel's incompleteness theorems.
These proofs require the construction of a proposition $Proof$ in arithmetic such that $Proof(n, p)$ expresses that $n$ is the Gödel number of a proposition $A$ and $p$ the Gödel number of a proof of $A$. Gödel numbers may be avoided if one considers a theory of trees instead of a theory of natural numbers [12]. But in both cases the proof terms (numbers or trees) depend on the way proofs are written. Two proofs differing by a renaming of bound variables are different objects, two proofs differing by the permutation of two steps are different objects and two proofs differing by cut elimination are different objects. A proof $t$ of a proposition $P$ containing a free variable $x$ is a closed term, thus to construct a proof of $P[x \leftarrow u]$ we cannot substitute $u$ for $x$ in $t$, but must apply a function mimicking substitution at the level of the encoding. The same holds if the proof uses a hypothesis. Thus, although this encoding meets its goal and permits one to prove the incompleteness theorems, it does not respect proof structure and it does not provide a simple and direct expression of proofs.

1.3 Proofs according to Heyting and Kolmogorov

Such a simple and direct expression can be provided by the Heyting-Kolmogorov interpretation. As opposed to formal proof trees or Gödel numbers of proof trees, this interpretation of proofs as mathematical objects respects proof structure: two proofs differing by a renaming of bound variables are equal objects, two proofs differing by the permutation of two steps are equal objects and two proofs differing by cut elimination are equal objects. A proof of a proposition $P$ containing a free variable $x$ is expressed by a term $t$ also containing this variable $x$, and $t[x \leftarrow u]$ is a proof of $P[x \leftarrow u]$. A proof $t$ using a hypothesis is expressed by a term containing a free variable $x$ standing for a proof of this hypothesis, and if $u$ is a proof of this hypothesis, then $t[x \leftarrow u]$ is also a proof of $P$.
The Heyting-Kolmogorov interpretation is only defined for intuitionistic proofs. This is not as much of a restriction as it could seem, because classical mathematics can be built within intuitionistic mathematics, for instance by taking the excluded middle as an axiom or by defining the classical connectives by double negation.

Definition (Heyting-Kolmogorov interpretation)
- A proof of a proposition of the form $A \Rightarrow B$ is a function mapping any proof of $A$ to a proof of $B$.
- A proof of a proposition of the form $\forall x\ A$ is a function mapping any object $a$ to a proof of $A[x \leftarrow a]$.
- A proof of a proposition of the form $A \wedge B$ is a pair formed with a proof of $A$ and a proof of $B$.
- A proof of a proposition of the form $\exists x\ A$ is a pair formed with an object $a$ and a proof of $A[x \leftarrow a]$.
- A proof of a proposition of the form $A \vee B$ is either a proof of $A$ or a proof of $B$.
- There is no proof of $\bot$.

The proposition $\neg A$ is an alternative notation for $A \Rightarrow \bot$, the proposition $A \Leftrightarrow B$ for $(A \Rightarrow B) \wedge (B \Rightarrow A)$ and the proposition $\top$ for $\bot \Rightarrow \bot$.

This interpretation has been used in proof theory to express proofs of various logical systems in typed lambda-calculi (Curry [9], Tait [26], Howard [17], Girard [14], Krivine and Parigot [19], etc.). It has also been used to formalize mathematics with proofs as objects (de Bruijn [4], Martin-Löf [22], Coquand and Huet [8], Paulin [23], etc.). In proof theory, proofs are encoded in a language of functions independent of the logical formalism (even if this formalism provides a language for functions), while in the formalization of mathematics proofs are encoded in the language of functions of the logical formalism itself.

1.4 Propositions as types vs. propositions as sets

From the Heyting-Kolmogorov interpretation, a proof of a proposition $A \Rightarrow B$ is a function mapping proofs of $A$ to proofs of $B$. Thus it is an element of the set of functions from the set of proofs of $A$ to the set of proofs of $B$.
In proof theory, where proofs are encoded in typed lambda-calculi or in typed combinatory languages, but with no sets available, this has often been stated as the fact that proofs of $A \Rightarrow B$ have type $A' \to B'$, where $A'$ (resp. $B'$) is the type of proofs of $A$ (resp. $B$). Thus propositions and types (i.e. propositions of the logical formalism and types of the lambda-calculus) have isomorphic structures. In the formalization of mathematics with proofs as objects, propositions and types (i.e. propositions and types of the logical formalism) also have isomorphic structures. This isomorphism is used to ensure the decidability of proof-checking: the decidability of type-checking implies that of proof-checking.

In the formalization of mathematics with proofs as objects, this propositions-as-types choice has however some drawbacks. In typed formalizations of mathematics (Whitehead and Russell [27], Church [5], etc.) types are syntactical devices used to restrict the formation of terms and propositions. Because types play this double game, the relation between a proposition and one of its proofs cannot be expressed in the language. Indeed, if we had a symbol $pr$ in such a language, the proposition $p \in pr(A)$ would either be well typed and true when $p$ is a proof of $A$, or ill-typed when it is not; thus we cannot express in the language a well-typed proposition expressing that some term is not a proof of a proposition. In such formalisms, the statement $p \in pr(P)$, usually written $p : P$, is expressed in a language different from that of propositions. Moreover, using a typed formalization of mathematics introduces a distinction between the notions of type and set that one may want to avoid [11].

To be able to express such a proposition, we propose in this paper an untyped formalization of mathematics where proofs are objects. Thus, the decidability of proof-checking will not be a property built into the language, but a fact proved a posteriori.
Although the language proposed here is untyped, and permits the expression of a symbol $pr$, it takes a lot from the typed languages proposed by de Bruijn [4], Martin-Löf [22], Coquand and Huet [8] and Paulin [23]. More precisely, this language can be seen as an untyped formulation of the Calculus of Constructions [8].

1.5 Beeson's theory C

Another source of inspiration for this language is Beeson's theory C [2], which also uses the Heyting-Kolmogorov interpretation of proofs in an untyped setting. This theory introduces a modal operator $proof$ such that $proof(p, P)$ expresses that $p$ is a proof of the proposition $P$. A minor difference is that, in the language proposed here, propositions are objects, thus we do not need to introduce a modal operator: a predicate symbol or a function symbol is enough. Another minor difference is that the theory C uses a formalization of mathematics based on a partial combinatory language, i.e. functions have no explicit domain of definition and self-application paradoxes are avoided by using a predicate $\#$ for denoting terms, while we use the more common notion of a function explicitly given with a domain of definition. The theory C also permits quantification over the whole universe, while our quantifiers are bounded. A more important difference is that we provide a proof-checking algorithm recognizing the truth of some propositions of the form $t \in pr(P)$, and we show that whenever a proposition $P$ is provable there is a term $t$ such that the proposition $t \in pr(P)$ is recognized by the algorithm (although not all true propositions of the form $t \in pr(P)$ are). As a consequence we can drop the usual proof rules and use proof-terms to justify, in practice, the truth of propositions. At last, while in the theory C a proof of the proposition $A \Rightarrow B$ is a function $f$ from proofs of $A$ to proofs of $B$ together with a proof that $f$ is a function from proofs of $A$ to proofs of $B$, here a proof of $A \Rightarrow B$ is merely a function $f$ from proofs of $A$ to proofs of $B$.
For checkable proof-terms, the fact that $t$ expresses a function from proofs of $A$ to proofs of $B$ must be recognized by the algorithm. If we want to justify the truth of a proposition $P$ by a non-checkable proof-term $t$, justifying the proposition $t \in pr(P)$ by a checkable proof-term $u$, then we have to use the axiom $\forall x \in pr(P)\ P$. Calling $c$ the proof of this axiom, the term $(c\ t\ u)$ is a checkable proof-term of the proposition $P$. Thus we can still use indirect arguments by proving that some object is a proof of some proposition, but the use of this axiom forces us to take into account that the justification of justifications must come to an end, where the soundness of the justification must be recognized by an algorithm.

2 A variant of set theory

We want to extend the language of mathematics to include a symbol $pr$ such that $pr(A)$ is the set of proofs of $A$. The first candidate for such an extension is the most common formalization of mathematics, i.e. set theory formalized with Zermelo's axioms or the Zermelo-Fraenkel axioms. However, extending set theory with a notion of explicit proofs requires a few minor modifications of set theory itself. This section is devoted to the presentation of these modifications. The language developed here is rather close to the untyped formulation of type theory developed in [11].

2.1 Set theory

Set theory is a first order theory in a language containing two binary predicate symbols $=$ and $\in$. The deduction rules can be any formulation of deduction; we use a formulation of natural deduction. We start with the equality axioms: the identity axiom
$$x = x \qquad (1)$$
and the Leibniz scheme
$$a = b \Rightarrow P[z \leftarrow a] \Rightarrow P[z \leftarrow b] \qquad (2)$$
Then come axioms expressing the existence of some sets. For instance, the power set axiom states that for each set $x$ there is a set $X$ whose elements are the subsets of $x$:
$$\forall x\ \exists X\ \forall y\ ((y \in X) \Leftrightarrow \forall z\ ((z \in y) \Rightarrow (z \in x)))$$
The union axiom and the pairing axiom are formulated in a similar way.
The subset scheme (restricted comprehension scheme) expresses that for each set $x$ we can build the subset of $x$ containing the elements verifying the property $P$. Thus for each proposition $P$ such that $z_1, \ldots, z_n$ are the free variables of $P$ other than $x$, we have the axiom
$$\forall z_1 \ldots \forall z_n\ \forall a\ \exists y\ \forall x\ ((x \in y) \Leftrightarrow ((x \in a) \wedge P))$$
Using this scheme we can, for instance, deduce the existence of the empty set:
$$\exists y\ \forall x\ \neg(x \in y)$$

2.2 Existential axioms vs. algebraic axioms

This scheme does not provide any notation for the empty set. This is not a very good choice when we want to use set theory as a practical language to formalize mathematics. Indeed, we cannot express the proposition $\emptyset = \emptyset$, but only a proposition $\exists x\ ((x = x) \wedge (E\ x))$ where $E$ is a characteristic property of the empty set. Moreover, as we want to express proofs as objects, for instance a proof of the proposition $A \Rightarrow A$ as the identity function over proofs of $A$, we want a term $id$ for this object, to be able to express the proposition $id \in pr(A \Rightarrow A)$ and not merely $\exists y\ (y \in pr(A \Rightarrow A))$. Indeed, to ensure the decidability of proof-checking we want to use the information carried by the term $id$.

An explicit presentation of set theory is obtained by skolemizing the axioms. For instance, skolemizing the power set axiom introduces a function symbol $\mathcal{P}$ and an axiom
$$\forall x\ \forall y\ ((y \in \mathcal{P}(x)) \Leftrightarrow \forall z\ ((z \in y) \Rightarrow (z \in x)))$$
In this language, the power set of some set $x$ is now written $\mathcal{P}(x)$. Skolemizing the union axiom introduces a function symbol $\bigcup$ and a notation $\bigcup(a)$ for the union of the elements of $a$. Skolemizing the pairing axiom introduces a function symbol $\{\,,\,\}$ and a notation $\{a, b\}$ for the pair containing the object $a$ and the object $b$. Skolemizing the subset scheme introduces an infinite number of function symbols $h_{x, z_1, \ldots, z_n, P}$ and the axioms
$$\forall z_1 \ldots \forall z_n\ \forall a\ \forall x\ ((x \in h_{x, z_1, \ldots, z_n, P}(z_1, \ldots, z_n, a)) \Leftrightarrow ((x \in a) \wedge P))$$
We write $\{x \in a \mid P\}$ for the term $h_{x, z_1, \ldots, z_n, P}(z_1, \ldots, z_n, a)$. Notice that the free variables of $\{x \in a \mid P\}$ are those of $P$ other than $x$, together with those of $a$.
In this language we can form the term $\{x \in a \mid P\}$ only when $P$ contains no Skolem symbols. Nested abstractions can be built by applying the symbol $h_{x, z_1, \ldots, z_n, P}$ to terms $b_1, \ldots, b_n$ containing Skolem symbols, but the variables free in these terms cannot be bound in $P$. This language is however equivalent to one with the full power of nested abstraction (see, for instance, [10]).

2.3 Functions as primitive objects

The next point concerns functions. In set theory, functions are defined as functional relations, and relations as sets of ordered pairs. Thus to express a function, for instance the function square, we need to express first the set of pairs, i.e.
$$G = \{\langle x, y \rangle \in N \times N \mid x \times x = y\}$$
and then a proof of the proposition
$$\forall x \in N\ \exists! y \in N\ \langle x, y \rangle \in G$$
Thus a function is expressed by a set and a proof. If, following the Heyting-Kolmogorov interpretation, we want to express a proof of $A \Rightarrow A$ as a function mapping proofs of $A$ to proofs of $A$, we express this proof as a function, i.e. as a set
$$G = \{\langle x, y \rangle \in pr(A) \times pr(A) \mid x = y\}$$
and a proof of the proposition
$$\forall x \in pr(A)\ \exists! y \in pr(A)\ \langle x, y \rangle \in G$$
Thus we get a circular definition: a proof is expressed by a set and a proof. This circularity could be avoided if the proof-checking algorithm could establish by itself the functionality of $G$, but this seems to be rather difficult in the general case. In contrast, if we express the function above by the term $x \mapsto x$, or rather $x \in pr(A) \mapsto x$, then to establish that this term expresses a function in $pr(A) \to pr(A)$ we only need to prove the proposition $\forall x \in pr(A)\ x \in pr(A)$, and this proposition can be established by the proof-checking algorithm (see section 4 below). Here, we take a formalization of mathematics where functions are primitive objects, i.e. we axiomatize and do not define what functions are. But the important point is not that $\{\langle x, y \rangle \in pr(A) \times pr(A) \mid x = y\}$ and $x \in pr(A) \mapsto x$ are different objects; it is that we also need the notation $x \in pr(A) \mapsto x$ for this object.
We first introduce a new function symbol $\alpha$ (for "apply"). We write $(f\ a)$ for $\alpha(f, a)$ and $(f\ a_1 \ldots a_n)$ for $(\ldots(f\ a_1) \ldots a_n)$. There is a notational difference between the application of a function symbol $f$ to a term $a$, written $f(a)$, and the "application" of a term $a$ to a term $b$, written $(a\ b)$, which is an alternative notation for $\alpha(a, b)$. Then we take a functional comprehension scheme
$$\exists f\ \forall x_1 \in a_1 \ldots \forall x_n \in a_n\ (f\ x_1 \ldots x_n) = t$$
Notice that to build a function we need to give its domains $a_1, \ldots, a_n$, but we do not need to give its codomain. In set theory the codomain of such a function can always be constructed with the replacement scheme. When we skolemize this axiom scheme we introduce function symbols $f_{(a_1, \ldots, a_n), (z_1, \ldots, z_p), (x_1, \ldots, x_n), t}$, where $z_1, \ldots, z_p$ are the free variables of $t$ other than $x_1, \ldots, x_n$, and an axiom
$$\forall x_1 \in a_1 \ldots \forall x_n \in a_n\ (f_{(a_1, \ldots, a_n), (z_1, \ldots, z_p), (x_1, \ldots, x_n), t}(a_1, \ldots, a_n, z_1, \ldots, z_p)\ x_1 \ldots x_n) = t$$
We write $x_1 \in a_1, \ldots, x_n \in a_n \mapsto t$ for the term $f_{(a_1, \ldots, a_n), (z_1, \ldots, z_p), (x_1, \ldots, x_n), t}(a_1, \ldots, a_n, z_1, \ldots, z_p)$.

Then we need to axiomatize the notion of function space. We introduce a new function symbol $\to$ to construct such function spaces. We write $a \to b$ for $\to(a, b)$ and $a_1 \to \ldots \to a_{n-1} \to a_n$ for $a_1 \to (\ldots \to (a_{n-1} \to a_n) \ldots)$. We take the axioms
$$(f \in A \to B) \Rightarrow (a \in A) \Rightarrow (\alpha(f, a) \in B)$$
$$(\forall x_1 \in a_1 \ldots \forall x_n \in a_n\ t \in b) \Rightarrow f_{(a_1, \ldots, a_n), (z_1, \ldots, z_p), (x_1, \ldots, x_n), t}(a_1, \ldots, a_n, z_1, \ldots, z_p) \in a_1 \to \ldots \to a_n \to b$$

Remark. As shown in [10], we cannot iterate the definition of functions of one argument to build functions of $n$ arguments.

Remark. Let $B$ be the function from $N$ to $\mathcal{P}(N)$ mapping a natural number $x$ to the singleton $\{x\}$, and let $f$ be the function $x \in N \mapsto x$. We have $\forall x \in N\ (f\ x) \in N$. From this proposition we can deduce $f \in N \to N$. But we also have $\forall x \in N\ (f\ x) \in (B\ x)$, and we do not have any notation for the set of functions verifying this property.
To express proofs, we want to give a name and a notation to this set. Thus, we extend the function symbol $\to$ to a function symbol $\Pi$ and we take the axiom
$$f \in \Pi(A, B) \Rightarrow a \in A \Rightarrow (f\ a) \in (B\ a) \qquad (3)$$
and the functional comprehension scheme
$$\exists f\ \forall x_1 \in a_1 \ldots \forall x_n \in (a_n\ x_1 \ldots x_{n-1})\ (f\ x_1 \ldots x_n) = t$$
When we skolemize this scheme, we introduce function symbols $f_{(a_1, \ldots, a_n), (z_1, \ldots, z_p), (x_1, \ldots, x_n), t}$ and an axiom
$$\forall x_1 \in a_1 \ldots \forall x_n \in (a_n\ x_1 \ldots x_{n-1})\ (f_{(a_1, \ldots, a_n), (z_1, \ldots, z_p), (x_1, \ldots, x_n), t}(a_1, \ldots, a_n, z_1, \ldots, z_p)\ x_1 \ldots x_n) = t \qquad (4)$$
We also take the axiom
$$(\forall x_1 \in a_1 \ldots \forall x_n \in (a_n\ x_1 \ldots x_{n-1})\ t \in (b\ x_1 \ldots x_n)) \Rightarrow f_{(a_1, \ldots, a_n), (z_1, \ldots, z_p), (x_1, \ldots, x_n), t}(a_1, \ldots, a_n, z_1, \ldots, z_p) \in \Pi(a_1, \ldots, \Pi(a_n, b)) \qquad (5)$$
At last we take a functional extensionality axiom
$$\forall f \in \Pi(A, B)\ \forall g \in \Pi(A, B)\ (\forall x \in A\ (f\ x) = (g\ x)) \Rightarrow f = g \qquad (6)$$
Now the symbol $\to$ is not needed anymore: the term $A \to B$ is an alternative notation for $\Pi(A, x \in A \mapsto B)$, where $x$ is a variable not occurring in $B$.

Remark (Lambda-calculus as an abuse of notation). In this language we can form the term $x \in A \mapsto t$ only when $t$ contains no Skolem symbols. Nested abstractions can be built by considering a term $t$ applying the symbol $f_{(a_1, \ldots, a_n), (z_1, \ldots, z_p), (x_1, \ldots, x_n), t}$ to terms $u_1, \ldots, u_p$ containing Skolem symbols, but the variables free in these terms cannot be bound in $t$ [10]. This language is however equivalent to one with the full power of nested abstraction. Each time we want to build the function $x \in A \mapsto t$, we first replace every abstraction $y_1 \in B_1, \ldots, y_n \in B_n \mapsto u$ in $t$ by the term $((x \in A, y_1 \in B_1, \ldots, y_n \in B_n \mapsto u)\ x)$, obtaining a term $t'$. This way $x$ is not free in the abstraction subterms of $t'$, and the function $x \in A \mapsto t'$ can be constructed with the scheme above.

2.4 Propositions as objects

To form a term $pr(P)$ we need the statement $P$ to be a term. Statements must be both terms and propositions of the language. Thus instead of taking $\in$ and $=$ to be predicate symbols, we take them to be function symbols. This permits us to have atomic propositions as objects.
The case of propositions formed with connectives and quantifiers is studied below. The expression $0 = 0$ is now a term and not a proposition. This term can be seen as the content (lexis) of the proposition. We also introduce an individual symbol $O$ for a set containing the contents of propositions. Then we need a unary predicate symbol $\varepsilon$ to assert a proposition-term, i.e. to express that the proposition is indeed true. We take an extensionality axiom expressing that two equivalent propositions have the same content:
$$(\varepsilon(x) \Leftrightarrow \varepsilon(y)) \Rightarrow \varepsilon(x = y) \qquad (7)$$
Now, in the notation $\{z \in A \mid P\}$, $P$ is also a term.

2.5 Sets as functions

When functions are primitive objects, sets can in turn be defined as their characteristic functions, i.e. sets need not be primitive objects anymore. Thus, the term $a \in B$ is now an alternative notation for $(B\ a)$, and $\{x \in A \mid P\}$ for $x \in A \mapsto P$.

Remark. As functions are defined with a domain of definition, when we define a set $A$ by its characteristic function $f \in B \to O$, we cannot say anything about $(f\ x)$ if $x$ is outside of $B$. Thus we need a special axiom to state that elements outside of $B$ are not in $A$ (i.e. all the elements of $A$ are in $B$):
$$(\varepsilon(a \in (B \to O)) \wedge \varepsilon(b \in a)) \Rightarrow \varepsilon(b \in B) \qquad (8)$$

Remark. Now the term $\mathcal{P}(A)$ is an alternative notation for $A \to O$. Notice that if $A$ is an element of $B \to O$ and $A \neq B$, then $A \notin \mathcal{P}(A)$. Indeed, $A$ cannot have both the domain $A$ and the domain $B$. But the set $|A| = x \in A \mapsto \top$ belongs to $\mathcal{P}(A)$, and with the axiom above we have $(x \in A) \Leftrightarrow (x \in |A|)$.

2.6 Connectives and quantifiers

Taking $=$ and $\in$ as function symbols permits us to have atomic propositions as objects. To have all propositions as objects we take new individual symbols for the connectives. To avoid confusion, from now on we write $\dot\wedge$, $\dot\vee$, $\dot\Rightarrow$, $\dot\bot$, $\dot\forall$ and $\dot\exists$ for these function symbols (which build contents of propositions) and $\wedge$, $\vee$, $\Rightarrow$, $\bot$, $\forall$ and $\exists$ for the true connectives and quantifiers of the language. Then we take the axioms
$$\varepsilon(\dot\wedge \in (O \to O \to O)) \qquad (9)$$
$$\varepsilon(\dot\vee \in (O \to O \to O)) \qquad (10)$$
$$\varepsilon(\dot\Rightarrow \in (O \to O \to O)) \qquad (11)$$
$$\varepsilon(\dot\bot \in O) \qquad (12)$$
$$\varepsilon(\dot\wedge\ A\ B) \Leftrightarrow (\varepsilon(A) \wedge \varepsilon(B)) \qquad (a)$$
$$\varepsilon(\dot\vee\ A\ B) \Leftrightarrow (\varepsilon(A) \vee \varepsilon(B)) \qquad (b)$$
$$\varepsilon(\dot\Rightarrow\ A\ B) \Leftrightarrow (\varepsilon(A) \Rightarrow \varepsilon(B)) \qquad (c)$$
$$\varepsilon(\dot\bot) \Leftrightarrow \bot \qquad (d)$$
Then we want to take some symbols allowing us to build the contents of propositions built by quantification. In the language of propositions, quantifiers are unbounded, i.e. we can quantify over all the objects of the universe. But the Heyting-Kolmogorov interpretation of proofs restricts the use of quantifiers to bounded ones. Indeed, a proof of the unboundedly quantified proposition $\forall x\ P$ would need to be a function mapping any object of the universe to a proof. The domain of this function would need to be the set of all objects, and postulating the existence of such a set leads to known paradoxes. Thus, it seems that if we want to express proofs with the Heyting-Kolmogorov interpretation, we have to banish the use of unbounded quantification. So we introduce a unary function symbol $\dot\forall$ and the axioms
$$\varepsilon(\dot\forall(A) \in ((A \to O) \to O)) \qquad (13)$$
$$\varepsilon(\dot\forall(A)\ f) \Leftrightarrow \forall x\ (\varepsilon(x \in A) \Rightarrow \varepsilon(f\ x)) \qquad (e)$$
Now the proposition $\forall x \in A\ P$ is an alternative notation for $(\dot\forall(A)\ (x \in A \mapsto P))$. In the same way, we introduce a unary function symbol $\dot\exists$ and the axioms
$$\varepsilon(\dot\exists(A) \in ((A \to O) \to O)) \qquad (14)$$
$$\varepsilon(\dot\exists(A)\ f) \Leftrightarrow \exists x\ (\varepsilon(x \in A) \wedge \varepsilon(f\ x)) \qquad (f)$$
and the proposition $\exists x \in A\ P$ is an alternative notation for $(\dot\exists(A)\ (x \in A \mapsto P))$. The proposition $\exists x \in A$ is an alternative notation for $\exists x \in A\ \top$.

Remark. Not all propositions have contents, because the language of propositions uses unbounded quantifiers, while that of contents of propositions uses bounded ones.

Remark. According to the Heyting-Kolmogorov interpretation, a proof of a proposition of the form $(\dot\forall(A)\ B)$ would be a function $f$ mapping any object $a$ of $A$ to a proof of $(B\ a)$. But if $a$ is a term, to know whether $(f\ a)$ is a proof of $(B\ a)$ we have to decide whether $a$ is in $A$ or not. Thus a better choice is to take as proofs of $(\dot\forall(A)\ B)$ functions mapping any object $a$ and any proof $b$ of $a \in A$ to a proof of $(B\ a)$. This choice is close to that of the naive Heyting-Kolmogorov interpretation.
In such an interpretation, a proof of $(\dot\forall(A)\ B)$ is a proof of $\forall x\ ((x \in A) \Rightarrow (B\ x))$, and thus a function mapping any object $a$ and any proof $b$ of the proposition $a \in A$ to a proof of $(B\ a)$. The only difference is that we use the fact that quantification is bounded to give a domain to this function. In the same way, a proof of a proposition of the form $(\dot\exists(A)\ B)$ is a triple $\langle a, b, c \rangle$ where $a$ is an element of $A$, $b$ a proof of the proposition $a \in A$ and $c$ a proof of the proposition $(B\ a)$.

Remark. The connectives and quantifiers in the axioms (1) to (6) can be read as function symbols, thus we only need to add an $\varepsilon$ predicate symbol in front of these propositions. Axioms (7) and (8) can be rewritten
$$\varepsilon((x \Leftrightarrow y) \Rightarrow (x = y)) \qquad (7)$$
$$\varepsilon(((a \in (B \to O)) \wedge (b \in a)) \Rightarrow (b \in B)) \qquad (8)$$

Remark. The axioms above and below contain free variables. What is meant is the universal closure of these propositions with the unbounded universal quantifier (not the function symbol). Axioms seem to be the only place where unbounded quantification is required.

2.7 Pairing, ordered pairs, disjoint unions and numbers

In this theory, if we have a set $A$, we can build its definable subsets, its power set $(A \to O)$, and, if $A$ is a set of sets (i.e. if it belongs to $(B \to O) \to O$ for some set $B$), we can define the union of its elements as a subset of $B$, i.e. as an element of $B \to O$. If we compare this with Zermelo's set theory, only one construction is missing: the possibility to construct pairs $\{A, B\}$ from any two elements. Of course, if $A$ and $B$ already belong to a common set $C$ then we can construct the subset of $C$ of objects equal to $A$ or $B$, but we cannot, for instance, construct the set $\{A, \{A\}\}$. In the construction of mathematical objects, pairs are used at several places: first they are used to build ordered pairs $\langle a, b \rangle = \{\{a\}, \{a, b\}\}$. Then they are used to form unions of any two sets $A \cup B = \bigcup \{A, B\}$, and thus disjoint unions $A \oplus B = (\{0\} \times A) \cup (\{1\} \times B)$. At last they are used to form numbers $0 = \emptyset$, $1 = \{0\}$, $2 = \{0, 1\}$, etc.
Instead of taking this pairing construct, we rather take ordered pairing and disjoint unions as primitive, i.e. we take function symbols $\Sigma$, $pair$, $\pi$, $\oplus$, $i$, $j$ and $\delta$, and the axioms expressing the meaning of these symbols. In fact, as for the dependent function space, we want dependent cartesian products. An element of $\Sigma(A, B)$ is a pair $pair(A, B, a, b)$ such that $a$ is an element of $A$ and $b$ is an element of $(B\ a)$. The term $\langle a, b \rangle_{A, B}$ is an alternative notation for $pair(A, B, a, b)$. The term $A \times B$ is an alternative notation for $\Sigma(A, x \in A \mapsto B)$.
$$\varepsilon(\forall x \in A\ \forall y \in (B\ x)\ (\langle x, y \rangle_{A, B} \in \Sigma(A, B))) \qquad (15)$$
$$\varepsilon((f \in \Pi x \in A\ ((B\ x) \to C)) \Rightarrow \pi(A, B, C, \langle x, y \rangle_{A, B}, f) = (f\ x\ y)) \qquad (16)$$
$$\varepsilon((x \in A) \Rightarrow (i(A, B, x) \in (A \oplus B))) \qquad (17)$$
$$\varepsilon((y \in B) \Rightarrow (j(A, B, y) \in (A \oplus B))) \qquad (18)$$
$$\varepsilon(\delta(A, B, C, i(A, B, x), f, g) = (f\ x)) \qquad (19)$$
$$\varepsilon(\delta(A, B, C, j(A, B, x), f, g) = (g\ x)) \qquad (20)$$

Remark. The condition $f \in \Pi x \in A\ ((B\ x) \to C)$ in axiom (16) above defines the so-called weak dependent cartesian product. Indeed, we can build the function mapping an element of $\Sigma(A, B)$ to its first component by defining $f = x \in A, y \in (B\ x) \mapsto x$, proving $f \in \Pi x \in A\ ((B\ x) \to A)$ and defining the function $\pi_1 = a \in \Sigma(A, B) \mapsto \pi(A, x \in A \mapsto B, A, a, f)$. But we cannot construct the function mapping an element of $\Sigma(A, B)$ to its second component, because $g = x \in A, y \in (B\ x) \mapsto y$ fails to be in a set $\Pi x \in A\ ((B\ x) \to C)$. In contrast, we can build the function mapping an element of $A \times B$ to its second component by defining $g = x \in A, y \in B \mapsto y$, proving $g \in A \to B \to B$ and defining the function $\pi_2 = a \in A \times B \mapsto \pi(A, x \in A \mapsto B, B, a, g)$.

Remark. The term $\pi_1(A, B, a)$ is an alternative notation for $a \in \Sigma(A, B) \mapsto \pi(A, (x \in A \mapsto B), A, a, (x \in A, y \in (B\ x) \mapsto x))$.

Remark. The term $\langle a, b, c \rangle_{A, B, C}$ is an alternative notation for
$$\langle a, \langle b, c \rangle_{(B\ a),\ y \in (B\ a) \mapsto (C\ a\ y)} \rangle_{A,\ x \in A \mapsto \Sigma((B\ x),\ y \in (B\ x) \mapsto (C\ x\ y))}$$
and the term $\pi'(A, B, C, D, e, f)$ for
$$\pi(A,\ x \in A \mapsto \Sigma((B\ x), y \in (B\ x) \mapsto (C\ x\ y)),\ D,\ e,\ (x \in A, z \in \Sigma((B\ x), y \in (B\ x) \mapsto (C\ x\ y)) \mapsto \pi((B\ x),\ y \in (B\ x) \mapsto (C\ x\ y),\ D,\ z,\ (f\ x))))$$
We have
$$f \in \Pi x \in A\ \Pi y \in (B\ x)\ ((C\ x\ y) \to D) \Rightarrow \pi'(A, B, C, D, \langle a, b, c \rangle, f) = (f\ a\ b\ c)$$

Remark. To construct natural numbers, we consider an infinite set $I$ of atoms, i.e. a set having a non-surjective injection:
$$\varepsilon(\exists z \in I\ \exists s \in I \to I\ ((\forall x \in I\ \neg((s\ x) = z)) \wedge \forall x \in I\ \forall y \in I\ (((s\ x) = (s\ y)) \Rightarrow (x = y))))$$
When we skolemize this axiom we get
$$\varepsilon(\forall x \in I\ \neg((s\ x) = z)) \qquad (21)$$
$$\varepsilon(\forall x \in I\ \forall y \in I\ (((s\ x) = (s\ y)) \Rightarrow (x = y))) \qquad (22)$$
We can then either construct natural numbers as finite cardinals in $(I \to O) \to O$, or take numbers as atoms, defining $n$ as the object $(s \ldots (s\ z) \ldots)$ and thus the set of numbers as the smallest set containing $z$ and closed under $s$.

2.8 A first order theory

The axioms (1)-(22) and (a)-(f) above define a first order theory in the language containing the only predicate symbol $\varepsilon$ and the function symbols $=$, $\in$, $O$, $\dot\wedge$, $\dot\vee$, $\dot\Rightarrow$, $\dot\bot$, $\dot\forall$, $\dot\exists$, $\alpha$, $\Pi$, $f_{(a_1, \ldots, a_n), (z_1, \ldots, z_p), (x_1, \ldots, x_n), t}$, $\Sigma$, $pair$, $\pi$, $\oplus$, $i$, $j$, $\delta$, $I$, $z$, $s$. As usual, when functions are primitive and not defined as sets of pairs, the comprehension scheme alone does not provide enough functions to formalize mathematics; the description axiom (or the axiom of choice) needs to be added (see section 3.4).

2.9 Consistency

The relative consistency of the axioms above with respect to Zermelo-Fraenkel set theory seems easy to establish, interpreting the set $O$ by $\{0, 1\}$ and following the usual definitions of function spaces, cartesian products, disjoint unions and numbers in set theory. The differences between this theory and Zermelo-Fraenkel set theory concern three points:
- the axioms are skolemized;
- the predicate symbols $=$ and $\in$ are decomposed into two function symbols $=$ and $\in$ and a predicate symbol $\varepsilon$; consequently a set $O$ is introduced and the connectives and quantifiers are replicated as function symbols;
- function spaces, cartesian products, disjoint unions and numbers are axiomatized and not defined; thus we can drop the pairing axiom and the replacement scheme, and have a slightly weaker union axiom.
The third point is in some sense optional. We could take the Zermelo-Fraenkel axioms instead and define these notions as usual in set theory, provided we extend the language to allow writing $x \in N \mapsto x \times x$ and not only $\{\langle x, y\rangle \in N \times N \mid y = x \times x\}$ (it is well known that there is little difference between defining some notions and axiomatizing them first and then proving consistency by constructing a model). However, this permits to formalize mathematics with weaker axioms than those of Zermelo-Fraenkel and, as we shall see, to avoid some paradoxes when we add proofs as objects.

3 Proofs as objects

3.1 The symbol pr

We add a function symbol $pr$ that maps the contents of propositions to the sets of their proofs. We extend the comprehension scheme to instances containing the symbol $pr$. We take the axioms:

$\varepsilon(pr(P \Rightarrow Q) = pr(P) \to pr(Q))$ (23)
$\varepsilon(pr(P \wedge Q) = pr(P) \times pr(Q))$ (24)
$\varepsilon(pr(P \vee Q) = pr(P) + pr(Q))$ (25)
$\varepsilon(pr(\bot) = \emptyset_I)$ (26)
$\varepsilon(pr(\forall(A)\ f) = \Pi x \in A\ \Pi y \in pr(x \in A)\ pr(f\ x))$ (27)
$\varepsilon(pr(\exists(A)\ f) = \Sigma x \in A\ \Sigma y \in pr(x \in A)\ pr(f\ x))$ (28)

Example. $(x \in O, y \in pr(x) \mapsto y) \in pr(\forall X \in O\ (X \Rightarrow X))$.

3.2 Leibniz scheme, equality of denotations and equality of meanings

In contrast with the comprehension scheme, we do not extend the Leibniz scheme to instances containing the symbol $pr$. Indeed, even if we can prove $a = b$, we do not want $p \in pr(P\ a)$ and $p \in pr(P\ b)$ to be equivalent propositions. We do not want every proof of $(P\ a)$ to be a proof of $(P\ b)$, because we want the proof of $(P\ b)$ to be built from the proof of $(P\ a)$ and the proof of $a = b$. This behaviour of equality can be compared with the behaviour of equality in some modal logics, where from "the murderer = Professor Moriarty" and "Sherlock Holmes knows (the murderer = the murderer)" we cannot deduce "Sherlock Holmes knows (the murderer = Professor Moriarty)". This relation between modal logic and the provability operator has already been noticed in many ways [15, 2, 3].
A consequence is that equality cannot be interpreted as equality in a model: even if $a$ and $b$ are two provably equal terms, they are not always interpreted as the same object in the model. Equality is just an ordinary binary predicate symbol. We may now introduce another symbol $\equiv$ for genuine equality, and the axioms

$\varepsilon(x \equiv x)$ (29)
$\varepsilon((a \equiv b) \Rightarrow P[z \leftarrow a] \Rightarrow P[z \leftarrow b])$ (30)

where $P$ can be any proposition, i.e. may contain the symbol $pr$. The proposition $a = b$ expresses that the terms $a$ and $b$ have the same denotation, while the proposition $a \equiv b$ expresses that they have the same meaning. Indeed, if $a \equiv b$ then any proof of $(P\ a)$ is a proof of $(P\ b)$. In other words, two propositions $A$ and $B$ have the same meaning if what needs to be done to prove $A$ is what needs to be done to prove $B$, and two terms $a$ and $b$ have the same meaning if $P[x \leftarrow a]$ and $P[x \leftarrow b]$ always have the same meaning.

If we only have the two axioms above, we can prove propositions of the form $a \equiv b$ only when $a$ and $b$ are the same term. But if $R$ is a decidable equivalence relation on terms such that $a\ R\ b$ implies that $a = b$ is a provable proposition, then we can extend the equality of meanings by an axiom scheme $a \equiv b$ for each pair of $R$-equivalent terms, keeping proof-checking decidable (compare with the opposition between internal and external equality in Martin-Löf type theory [22], with the two equalities of the Calculus of Constructions [8], and with the Plotkin-Andrews program in automated theorem proving [25, 1]). Consequently, the extensionality axioms do not jeopardize the intensional aspects of terms. The axiom $\varepsilon((x \Leftrightarrow y) \Rightarrow (x = y))$ only states that if $x$ and $y$ are equivalent propositions they have the same denotation, not that they have the same meaning.

3.3 Truth as provability

Now we wish to be able to prove a proposition by constructing an object that is a proof of this proposition. We also wish to prove an implication $A \Rightarrow B$ by proving $B$ using not only the truth, but also the proof, of $A$.
Thus we take the axiom "truth = proof", i.e.

$\varepsilon(P \Leftrightarrow \exists x \in pr(P))$

This axiom can be decomposed into two axioms: the conecessitation axiom

$\varepsilon(\forall x \in pr(P)\ P)$ (31)

and the necessitation axiom

$\varepsilon(P \Rightarrow (\exists x \in pr(P)))$

When we skolemize this axiom we introduce a new function symbol $c$ and the axiom becomes

$\varepsilon(P \Rightarrow (c(P) \in pr(P)))$ (32)

Remark. When proofs are encoded as Gödel numbers, if $P$ is an unprovable proposition valid in the standard model of arithmetic, then the proposition $P \Rightarrow \exists x\ \mathit{proof}(x, \ulcorner P \urcorner)$ is false in the standard model. Thus the standard model is not a model of the necessitation axiom. In other words, the necessitation axiom implies the existence of non-standard numbers serving as proofs of true but unprovable propositions (McGee [20] shows that even very weak conditions on a truth predicate imply $\omega$-inconsistency and thus the loss of the standard model of arithmetic). Here it only implies the existence of non-standard functions, i.e. of more functions than can be proved to exist with the usual axioms.

Remark. The use of dummy proofs $c(P)$ can jeopardize constructivity, i.e. the possibility to compute a value from any term. Thus, from a constructive point of view, we might want to drop this axiom.

3.4 The axiom of choice

The functional comprehension scheme permits to prove the existence of explicitly definable functions. Usually the description axiom or the axiom of choice is added to be able to define, for instance, addition. When proofs are objects, the choice operator can take as argument a proof of the existence of an element in $A$, and this operator can be the first projection. But we still need an axiom to state that $\pi_1(p)$ has the right property:

$\forall p \in pr(\exists(A)\ P)\ ((\pi_1(A, x \in A \mapsto pr(x \in A) \times pr(P\ x), p)) \in A \wedge (P\ (\pi_1(A, x \in A \mapsto pr(x \in A) \times pr(P\ x), p))))$ (33)

To prove this proposition we would need the second projection [22], i.e. the function $p \in pr(\exists(A)\ P) \mapsto \langle \pi_1\ \pi_2\ p, \pi_2\ \pi_2\ p\rangle$.
3.5 Paradoxes

The consistency of this theory is open and can be doubted. Two kinds of paradoxes could jeopardize it. First, the proofs-as-objects principle permits to construct too large sets, or functions with too large domains, allowing one to reproduce variants of Russell's or Burali-Forti's paradox. Then, Gödel's incompleteness theorems and Tarski's undefinability theorem could be turned into paradoxes when we take the axiom "truth = proof".

3.5.1 Russell-like paradoxes

Remark. The language presented in this paper is not polymorphic, because we cannot build, for instance, the polymorphic identity taking as arguments a set $A$ and an element $x$ of $A$ and giving back $x$:

$id = A \in\ ?,\ x \in A \mapsto x$

We can build a function taking as arguments a proposition $A$ and a proof $x$ of $A$ and giving it back,

$id = A \in O,\ x \in pr(A) \mapsto x$

but sets of the form $pr(A)$ are not all the sets; in particular, the set $O$ is not one of them. This prevents a naive encoding of the (inconsistent) polymorphic higher order logic [7].

Like in set theory, we can define $\mathit{Refl}(A, R)$ as an alternative notation for the proposition $\forall x \in A\ (R\ x\ x)$, and we can define the set of reflexive relations over a given set, $\{R \in A \to A \to O \mid \forall x \in A\ (R\ x\ x)\}$, but there is no set of all reflexive relations. Like in set theory, we can introduce an axiom stating the existence of a set $C_0$ containing $I$ and $O$ and closed under the usual operations, then a set $C_1$ containing $I$, $O$, $C_0$, etc., very close to the predicative polymorphism universe hierarchy of [6].

Remark. Above, we have given a presentation where function spaces, cartesian products, disjoint unions and numbers are axiomatized and not defined. We may wonder what could happen if we had kept the Zermelo-Fraenkel axioms and defined such notions. In that case, extending the replacement scheme with instances containing occurrences of the symbol $pr$ permits to construct the set $\{pr(x) \mid x \in O\}$ of all sets of proofs. Then the union axiom permits to form the set of all proofs; write $U$ for this set $\bigcup\{pr(x) \mid x \in O\}$.
If $a$ is any object of the universe, $p$ a proof of $a \in A$ and $t$ a proof of $\top$, then the set $U$ contains an encapsulation $\langle a, p, t\rangle$ of $a$ as a proof of $\exists x \in A\ \top$, and this is enough to express Russell's paradox:

$R = \{x \in U \mid x \notin \pi_1(x)\}$

We have $R \in \mathcal{P}(U)$; let $p$ be a proof of this proposition. We have $\langle R, p, t\rangle \in pr(\exists y \in \mathcal{P}(U)\ \top) \in \{pr(x) \mid x \in O\}$, thus $\langle R, p, t\rangle \in \bigcup\{pr(x) \mid x \in O\} = U$, thus

$\langle R, p, t\rangle \in R \Leftrightarrow \langle R, p, t\rangle \notin \pi_1(\langle R, p, t\rangle)$
$\langle R, p, t\rangle \in R \Leftrightarrow \langle R, p, t\rangle \notin R$

This justifies the need to weaken Zermelo-Fraenkel set theory, as we did above.

Remark. In the language above we have no way to construct the second projection mapping any ordered pair to its second element. If we could, we would get an inconsistent system, because we could express Coquand's strong dependent cartesian product paradox [6]. Indeed, consider the proposition

$A_0 = \exists x \in O\ \exists R \in pr(x) \to pr(x) \to O\ \top$

A proof of this proposition is a tuple formed of a proposition $P$, a proof that $P$ is a proposition, a binary relation $R$ on the proofs of $P$, a proof that $R$ is a binary relation on the proofs of $P$, and a proof of the proposition $\top$. Any binary relation over the proofs of any proposition can therefore be encapsulated into a proof of $A_0$, and with the second projection, from such a proof we can get back the proposition and the relation. This is enough to express Girard's paradox [14, 6]. Even if we weaken set theory as we did in section 2, the set of proofs of the proposition $\exists x \in O\ \exists R \in pr(x) \to pr(x) \to O\ \top$ is large enough to express Coquand's strong dependent cartesian product paradox. There are two ways to avoid this paradox. Either, as in the Calculus of Constructions [8] and in this paper, we weaken the cartesian product to avoid the second projection, but this forces us to take the axiom of choice as an axiom; or, as in Martin-Löf type theory [22], we avoid quantification over sets and relations. A less radical position might be to avoid quantification over sets of proofs, but not over all sets.
3.5.2 Gödel-like paradoxes

Gödel's first incompleteness theorem is often read as "there is a true proposition that is not provable". Thus we may try to reproduce the proof of Gödel's theorem within this theory to prove the inconsistency of the axiom "truth = proof". We would construct a predicate $G$ such that $(G\ P\ x) = \exists y \in pr(P\ x)$, then construct $H$ such that $(H\ x) = \neg(G\ x\ x)$ and $A = (H\ H)$, yielding

$A = (H\ H) = \neg(G\ H\ H) = \neg\exists y \in pr(H\ H) = \neg\exists y \in pr(A)$

hence, with the axiom "truth = proof", $A \Leftrightarrow \neg A$, which is contradictory.

This contradiction can also be seen as a consequence of Tarski's theorem that there is no predicate $T$ such that $P \Leftrightarrow T(P)$. Again, we would construct a predicate $G$ such that $(G\ P\ x) = T(P\ x)$, then construct $H$ such that $(H\ x) = \neg(G\ x\ x)$ and $A = (H\ H)$, yielding

$A = (H\ H) = \neg(G\ H\ H) = \neg T(H\ H) = \neg T(A)$

hence $A \Leftrightarrow \neg A$, which is contradictory.

In fact, these proofs do not go through, as in the definition of $G$ we need to give it a domain. If we take, for instance, $G = P \in E \to O, x \in E \mapsto \exists y \in pr(P\ x)$ and $H = x \in E \mapsto \neg(G\ x\ x)$, applying $H$ to $H$ we get $((x \in E \mapsto \neg(G\ x\ x))\ (x \in E \mapsto \neg(G\ x\ x)))$, but to reduce this term to $\neg\exists y \in pr(H\ H)$ we first need to prove that $H \in E$, and this cannot be done. Gödel's and Tarski's proofs rely on the existence of a proposition $\mathit{Subst}$ such that $\mathit{Subst}(\ulcorner P \urcorner, \ulcorner x \urcorner, \ulcorner t \urcorner, \ulcorner Q \urcorner)$ is provable if and only if $Q = P[x \leftarrow t]$; thus the "function" $\mathit{Subst}$ permits to apply the "function" $P$ to (the Gödel number of) any object. It is well known that postulating the existence of functions defined on the whole universe leads to paradoxes. In Gödel's and Tarski's proofs such a function can be defined because all the objects, predicates and propositions are replicated as numbers. Thus the problem is not with the axiom "truth = proof" but with the fact that internalization replicates anything as a number and permits to speak about all the expressions (i.e. all the objects) at the same time.
Here, internalization is much weaker. First, objects are not replicated (we do not have one term for the number $0$ and another for the Gödel number of the term "$0$"). Then, propositions are replicated as objects in the set $O$. Thus we have no way to construct a "function" $\mathit{Subst}$ applying any function to any object. This seems to permit stating the axiom "truth = proof" without contradiction. It seems also that there is no contradiction between Gödel's second incompleteness theorem and the fact that, from the conecessitation axiom, we have $\exists y \in pr(\bot) \Rightarrow \bot$, and hence that the theory seems to prove its own consistency.

4 Judgements

Now we want to prove that each time a proposition $\varepsilon(P)$ is provable, there is a term $t$ such that $t \in pr(P)$ is provable, and moreover we want to build a proof-checking algorithm recognizing that the proposition $t \in pr(P)$ is provable.

Definition. Let $T$ be the set of axioms containing the universal closures of the propositions (1) to (33) and (a) to (f) above (the universal quantifier being the unbounded quantifier of the language, not the function symbol), and $T'$ the set of axioms containing the universal closures of the propositions (1) to (33).

4.1 Natural deduction on contents

First, we replace the axioms (a) to (f) by new deduction rules replicating the natural deduction rules at the level of contents, e.g.

from $\Gamma \vdash \varepsilon(A \wedge B)$ infer $\Gamma \vdash \varepsilon(A)$

obviously keeping an equivalent theory. These rules are called internal rules. The true natural deduction rules are called external rules.

Proposition (External cut elimination). In the system using external rules and internal rules, the elimination of external cuts terminates.

Proof. We first define a translation on propositions: if $P$ is a proposition, $P'$ is the proposition obtained from $P$ by replacing every atomic proposition $\varepsilon(a)$ by the propositional constant $E$. If $\Gamma$ is a set of propositions, $\Gamma'$ is obtained by translating every proposition of $\Gamma$ and adding the proposition $E$ to the result.
We translate every proof, in the system using external and internal rules, of $\Gamma \vdash P$ into a proof, in the system using external rules only, of $\Gamma' \vdash P'$, by induction over the structure of the proof of $\Gamma \vdash P$.

If the last rule of this proof is an external rule, for instance a $\wedge$-elimination from $p$ proving $\Gamma \vdash A \wedge B$ to $\Gamma \vdash A$, we translate it into the $\wedge$-elimination from $p'$ proving $\Gamma' \vdash A' \wedge B'$ to $\Gamma' \vdash A'$.

If the last rule is a unary internal rule, for instance from $p$ proving $\Gamma \cup \{\varepsilon(A)\} \vdash \varepsilon(B)$ to $\Gamma \vdash \varepsilon(A \Rightarrow B)$, then by induction hypothesis $p'$ is a proof of $\Gamma' \cup \{E\} \vdash E$. But $\Gamma' \cup \{E\} = \Gamma'$, thus $p'$ is a proof of $\Gamma' \vdash E$, i.e. of $\Gamma' \vdash \varepsilon(A \Rightarrow B)'$, and we translate this proof into $p'$.

If the last rule is a binary (or ternary) internal rule, for instance from $p_1$ proving $\Gamma \vdash \varepsilon(A \Rightarrow B)$ and $p_2$ proving $\Gamma \vdash \varepsilon(A)$ to $\Gamma \vdash \varepsilon(B)$, then we translate it into the proof that applies $\wedge$-introduction to $p_1'$ proving $\Gamma' \vdash E$ and $p_2'$ proving $\Gamma' \vdash E$, obtaining $\Gamma' \vdash E \wedge E$, and then $\wedge$-elimination, obtaining $\Gamma' \vdash E$.

By induction over the structure of the proof $p$, if $q$ is obtained by the elimination of some external cut in $p$ then $q'$ is obtained by the elimination of some external cut in $p'$. Thus, as by cut elimination for first order logic there is no infinite sequence of reductions starting from $p'$, there is no infinite sequence of reductions starting from $p$, and the elimination of external cuts terminates.

Proposition. Let $\Gamma$ be a set of propositions that are either atomic propositions $\varepsilon(P)$ or universal closures of such atomic propositions. If the sequent $\Gamma \vdash \varepsilon(Q)$ has a proof free of external cuts whose last rule is external, then $\varepsilon(Q)$ is an instance of some axiom $\forall x_1 \ldots \forall x_n\ \varepsilon(P)$.

Proof. As the proved proposition is atomic, the last rule cannot be an external introduction rule. It is not an internal rule, thus it is either an axiom rule or an external elimination rule. If it is an axiom rule, then the proposition $\varepsilon(Q)$ is an axiom.
If it is an external elimination rule, then the lowest rule that is not an external elimination rule cannot be an introduction rule (the proof contains no external cuts), and it cannot be an internal rule (the proposition it proves is not atomic); thus it is an axiom rule. Hence all the elimination rules below it are eliminations of the universal quantifier, and $\varepsilon(Q)$ is an instance of some axiom $\forall x_1 \ldots \forall x_n\ \varepsilon(P)$.

Corollary. For sequents of the form $T \vdash \varepsilon(A)$, the system is equivalent to the system with internal rules only and the axiom rule

$\Gamma \cup \{\forall x_1 \ldots \forall x_n\ \varepsilon(P)\} \vdash \varepsilon(P[x_1 \leftarrow t_1, \ldots, x_n \leftarrow t_n])$

4.2 An algorithm

Call $S$ the set of propositions $A$ such that $T \vdash \varepsilon(A)$. In this section we define a subset $S'$ of $S$ such that $S'$ is decidable and, whenever a proposition $A$ is in $S$, there is a term $t$ such that the proposition $t \in pr(A)$ is in $S'$.

Definition. The judgement $\Gamma \triangleright t \in pr(A)$ is defined by the following rules.

- Axiom: $\Gamma \cup \{\forall x_1 \ldots \forall x_n\ \varepsilon(t \in pr(A))\} \triangleright (t \in pr(A))[x_1 \leftarrow t_1, \ldots, x_n \leftarrow t_n]$.
- $\Rightarrow$-introduction: from $\Gamma \cup \{x \in pr(A)\} \triangleright t \in pr(B)$ infer $\Gamma \triangleright (x \in pr(A) \mapsto t) \in pr(A \Rightarrow B)$.
- $\Rightarrow$-elimination: from $\Gamma \triangleright f \in pr(A \Rightarrow B)$ and $\Gamma \triangleright a \in pr(A)$ infer $\Gamma \triangleright (f\ a) \in pr(B)$.
- $\forall$-introduction: from $\Gamma \cup \{x' \in pr(x \in A)\} \triangleright t \in pr(B\ x)$, with $x$ and $x'$ fresh, infer $\Gamma \triangleright (x \in A, x' \in pr(x \in A) \mapsto t) \in pr(\forall(A)\ B)$.
- $\forall$-elimination: from $\Gamma \triangleright f \in pr(\forall(A)\ B)$ and $\Gamma \triangleright p \in pr(a \in A)$ infer $\Gamma \triangleright (f\ a\ p) \in pr(B\ a)$.
- $\wedge$-introduction: from $\Gamma \triangleright a \in pr(A)$ and $\Gamma \triangleright b \in pr(B)$ infer $\Gamma \triangleright \langle a, b\rangle_{pr(A),\ x \in pr(A) \mapsto pr(B)} \in pr(A \wedge B)$.
- $\wedge$-elimination: from $\Gamma \triangleright t \in pr(A \wedge B)$ infer $\Gamma \triangleright \mathit{split}(pr(A), x \in pr(A) \mapsto pr(B), pr(A), t, (x \in pr(A), y \in pr(B) \mapsto x)) \in pr(A)$, and likewise $\Gamma \triangleright \mathit{split}(pr(A), x \in pr(A) \mapsto pr(B), pr(B), t, (x \in pr(A), y \in pr(B) \mapsto y)) \in pr(B)$.
- $\exists$-introduction: from $\Gamma \triangleright p \in pr(a \in A)$ and $\Gamma \triangleright b \in pr(B\ a)$ infer $\Gamma \triangleright \langle a, p, b\rangle_{A,\ x \in A \mapsto pr(x \in A),\ x \in A, q \in pr(x \in A) \mapsto pr(B\ x)} \in pr(\exists(A)\ B)$.
- $\exists$-elimination: from $\Gamma \triangleright t \in pr(\exists(A)\ B)$ and $\Gamma \triangleright f \in pr(\forall(A)\ (x \in A \mapsto ((B\ x) \Rightarrow C)))$ infer $\Gamma \triangleright \mathit{split}'(A, x \in A \mapsto pr(x \in A), x \in A, y \in pr(x \in A) \mapsto pr(B\ x), pr(C), t, f) \in pr(C)$.
- $\vee$-introduction: from $\Gamma \triangleright t \in pr(A)$ infer $\Gamma \triangleright i(A, B, t) \in pr(A \vee B)$, and from $\Gamma \triangleright t \in pr(B)$ infer $\Gamma \triangleright j(A, B, t) \in pr(A \vee B)$.
- $\vee$-elimination: from $\Gamma \triangleright t \in pr(A \vee B)$, $\Gamma \cup \{x \in pr(A)\} \triangleright u \in pr(C)$ and $\Gamma \cup \{y \in pr(B)\} \triangleright v \in pr(C)$ infer $\Gamma \triangleright \mathit{case}(pr(A), pr(B), pr(C), t, x \in pr(A) \mapsto u, y \in pr(B) \mapsto v) \in pr(C)$.

Definition. Let $\mathcal{A}$ be the set containing, for each proposition $\forall x_1 \ldots \forall x_n\ \varepsilon(P)$ of $T$, the proposition $\forall x_1 \ldots \forall x_n\ \varepsilon(c(P) \in pr(P))$. A proposition $P$ is said to be provable in the system above if $\mathcal{A} \triangleright P$.

Proposition. If $P$ is provable in the system above (i.e. if $\mathcal{A} \triangleright P$) then $\varepsilon(P)$ is provable in the theory $T$ (i.e. $T \vdash \varepsilon(P)$).

Remark. Some propositions are provable in $T$ but not in this system.

Proposition. The set of sequents provable with the system above is decidable.

Proof. By induction over the structure of $t$ we compute the finite set of terms $A$ such that $\Gamma \triangleright t \in pr(A)$ is derivable.

4.3 From proofs to terms

Definition. Let $\Gamma$ be a set of atomic propositions; we let $\Gamma^+$ be the set containing, for each proposition $\varepsilon(P)$ of $\Gamma$, the proposition $x \in pr(P)$ where $x$ is a new variable.

Proposition. If $T \vdash \varepsilon(P)$ is intuitionistically provable then there is a term $t$ such that $\mathcal{A} \triangleright t \in pr(P)$.

Proof. If $T \vdash \varepsilon(P)$ is provable then there is a proof of $T \vdash \varepsilon(P)$ in natural deduction with internal rules only. By induction over the structure of this proof we prove that if $T \cup \Gamma \vdash \varepsilon(P)$ is provable in natural deduction using internal rules only, then there is a term $t$ such that $\mathcal{A} \cup \Gamma^+ \triangleright t \in pr(P)$.

If the proof is an axiom rule concluding $T \cup \Gamma \vdash \varepsilon(A)$, then either $\varepsilon(A)$ is an instance of some axiom of $T$ of the form $\forall x_1 \ldots \forall x_n\ \varepsilon(P)$, i.e. $A = P[x_1 \leftarrow t_1, \ldots, x_n \leftarrow t_n]$, and there is in $\mathcal{A}$ an axiom $\forall x_1 \ldots \forall x_n\ \varepsilon(c(P) \in pr(P))$, thus $\mathcal{A} \cup \Gamma^+ \triangleright c(P[x_1 \leftarrow t_1, \ldots, x_n \leftarrow t_n]) \in pr(A)$; or $\varepsilon(A)$ is a proposition of $\Gamma$, there is a proposition $x \in pr(A)$ in $\Gamma^+$, and thus $\mathcal{A} \cup \Gamma^+ \triangleright x \in pr(A)$. In both cases there is some term $t$ such that $\mathcal{A} \cup \Gamma^+ \triangleright t \in pr(A)$.

If the proof ends with an $\Rightarrow$-elimination, from $p_1$ proving $T \cup \Gamma \vdash \varepsilon(A \Rightarrow B)$ and $p_2$ proving $T \cup \Gamma \vdash \varepsilon(A)$ to $T \cup \Gamma \vdash \varepsilon(B)$, then by induction hypothesis there are terms $t_1$ and $t_2$ such that $\mathcal{A} \cup \Gamma^+ \triangleright t_1 \in pr(A \Rightarrow B)$ and $\mathcal{A} \cup \Gamma^+ \triangleright t_2 \in pr(A)$.
Then, by the $\Rightarrow$-elimination rule of the system, we have $\mathcal{A} \cup \Gamma^+ \triangleright (t_1\ t_2) \in pr(B)$.

If the proof ends with an $\Rightarrow$-introduction, from $p$ proving $T \cup \Gamma \cup \{\varepsilon(A)\} \vdash \varepsilon(B)$ to $T \cup \Gamma \vdash \varepsilon(A \Rightarrow B)$, then by induction hypothesis there is a term $t$ such that $\mathcal{A} \cup (\Gamma \cup \{\varepsilon(A)\})^+ \triangleright t \in pr(B)$, i.e. $\mathcal{A} \cup \Gamma^+ \cup \{x \in pr(A)\} \triangleright t \in pr(B)$, and we build the derivation $\mathcal{A} \cup \Gamma^+ \triangleright (x \in pr(A) \mapsto t) \in pr(A \Rightarrow B)$. The other rules are treated in the same way.

Remark. It is not the case that each time a proposition of the form $t \in pr(P)$ is provable, it is decided by the algorithm above (for instance, a proposition of the form $c(P) \in pr(P)$ is almost never decided by this algorithm). But for each provable proposition $P$, there is a term $t$ such that the proposition $t \in pr(P)$ is decided by this algorithm.

Definition. Let $S'$ be the decidable set of propositions $\varepsilon(P)$ such that $\mathcal{A} \triangleright P$.

Theorem. A proposition $\varepsilon(P)$ is intuitionistically provable in the theory $T$ if and only if it is provable in the system having all the propositions of $S'$ as axioms and the single deduction rule

from $\varepsilon(t \in pr(P))$ infer $\varepsilon(P)$

Conclusion

We have developed a first order theory that formalizes mathematics in such a way that proofs are objects, as are numbers, functions and sets. In this system, proving a proposition can be replaced by providing a proof-term.

Having proofs as objects does not require formalizing mathematics in a typed language. But it seems to require formalizing mathematics with weaker axioms than those of Zermelo-Fraenkel set theory, which, together with the proofs-as-objects axioms, permit to form too large sets and to encode paradoxes. Even with a weaker theory, like the one presented in section 2, paradoxes may be encoded when we have both the possibility to quantify over any set and the strong cartesian product. Thus we have to drop one or the other.

The truth of a proposition $P$ and of a proposition $t \in pr(P)$ are defined differently, as the latter needs to be decided by an algorithm and the former cannot.
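The decidability argument of section 4.2 (compute, by induction over the term $t$, the proposition $A$ with $\Gamma \triangleright t \in pr(A)$) is easy to run. The following Python program is an added example and not code from the paper: it checks proof-terms for the propositional fragment of the rules of section 4.2 ($\Rightarrow$, $\wedge$, $\vee$ and the dummy proofs $c(P)$), leaving out the dependent rules for $\forall$ and $\exists$. The constructor names ('lam', 'app', 'pair', 'fst', 'snd', 'inl', 'inr', 'case', 'ax'), the functions infer and check, and the sample terms are this example's own choices; the set annotations the paper puts on pairs and projections are dropped because, for these connectives, the term alone already determines the proposition.

```python
"""Proof-term checker for the propositional fragment of the judgement
system of section 4.2 (implication, conjunction, disjunction and the
dummy proofs c(P)).  Added example; not code from the paper.

Propositions are nested tuples:
    ('var', 'A')                 an atomic proposition
    ('imp', P, Q)                P => Q
    ('and', P, Q)                P /\\ Q
    ('or',  P, Q)                P \\/ Q
Proof-terms are nested tuples (constructor names are this example's own;
the paper writes them as abstraction, application, pair, pi_1, pi_2,
i, j, the +-eliminator and c(P)):
    ('var', x)                   proof variable
    ('lam', x, P, t)             x in pr(P) |-> t
    ('app', f, a)                (f a)
    ('pair', a, b)               <a, b>
    ('fst', t), ('snd', t)       projections of a proof of a conjunction
    ('inl', t, Q), ('inr', P, t) injections i(P, Q, t), j(P, Q, t)
    ('case', t, x, u, y, v)      case analysis on a proof of a disjunction
    ('ax', P)                    the dummy proof c(P), accepted only when
                                 P is in the axiom set given to the checker
"""


class CheckError(Exception):
    """Raised when a term is not a checkable proof-term."""


def infer(term, ctx, axioms):
    """Return the unique proposition P with  ctx |> term in pr(P),
    or raise CheckError.  ctx maps proof variables to propositions."""
    tag = term[0]
    if tag == 'var':
        if term[1] not in ctx:
            raise CheckError(f"unbound proof variable {term[1]}")
        return ctx[term[1]]
    if tag == 'ax':                       # c(P) in pr(P), only for axioms P
        if term[1] not in axioms:
            raise CheckError("c(P) applied to a non-axiom")
        return term[1]
    if tag == 'lam':                      # => introduction
        _, x, P, body = term
        return ('imp', P, infer(body, {**ctx, x: P}, axioms))
    if tag == 'app':                      # => elimination
        _, f, a = term
        fp = infer(f, ctx, axioms)
        if fp[0] != 'imp':
            raise CheckError("application of a proof that is not an implication")
        if infer(a, ctx, axioms) != fp[1]:
            raise CheckError("argument proves the wrong proposition")
        return fp[2]
    if tag == 'pair':                     # /\ introduction
        _, a, b = term
        return ('and', infer(a, ctx, axioms), infer(b, ctx, axioms))
    if tag in ('fst', 'snd'):             # /\ elimination
        cp = infer(term[1], ctx, axioms)
        if cp[0] != 'and':
            raise CheckError("projection of a proof that is not a conjunction")
        return cp[1] if tag == 'fst' else cp[2]
    if tag == 'inl':                      # \/ introduction, left
        _, t, Q = term
        return ('or', infer(t, ctx, axioms), Q)
    if tag == 'inr':                      # \/ introduction, right
        _, P, t = term
        return ('or', P, infer(t, ctx, axioms))
    if tag == 'case':                     # \/ elimination: both branches must prove C
        _, t, x, u, y, v = term
        dp = infer(t, ctx, axioms)
        if dp[0] != 'or':
            raise CheckError("case analysis on a proof that is not a disjunction")
        c1 = infer(u, {**ctx, x: dp[1]}, axioms)
        c2 = infer(v, {**ctx, y: dp[2]}, axioms)
        if c1 != c2:
            raise CheckError("the two branches prove different propositions")
        return c1
    raise CheckError(f"unknown constructor {tag}")


def check(term, prop, axioms=frozenset()):
    """Decide the judgement  A |> term in pr(prop)  for a closed term."""
    try:
        return infer(term, {}, axioms) == prop
    except CheckError:
        return False


# Constructed sample terms (not taken from the paper).
A, B = ('var', 'A'), ('var', 'B')
IDENTITY = ('lam', 'x', A, ('var', 'x'))                             # pr(A => A)
AND_SWAP = ('lam', 'p', ('and', A, B),
            ('pair', ('snd', ('var', 'p')), ('fst', ('var', 'p'))))  # pr(A/\B => B/\A)
OR_SWAP = ('lam', 'p', ('or', A, B),
           ('case', ('var', 'p'),
            'x', ('inr', B, ('var', 'x')),
            'y', ('inl', ('var', 'y'), A)))                           # pr(A\/B => B\/A)

if __name__ == '__main__':
    print(check(IDENTITY, ('imp', A, A)))                            # True
    print(check(AND_SWAP, ('imp', ('and', A, B), ('and', B, A))))     # True
    print(check(OR_SWAP, ('imp', ('or', A, B), ('or', B, A))))        # True
    print(check(('ax', A), A))                                        # False: A is not an axiom
    print(check(('ax', A), A, frozenset([A])))                        # True
```

check returns False both for ill-formed terms and for $c(P)$ applied to a proposition outside the axiom set, which is the behaviour the remark above describes: $c(P) \in pr(P)$ is accepted only when $P$ is listed among the axioms handed to the checker, so a bare $c(P)$ is "almost never decided" even when $\varepsilon(P)$ is provable.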
But these propositions are expressed in the same universal language, and the two notions of truth are compatible: if $t \in pr(P)$ is true for the second definition of truth, then it is also true for the first.

When proofs are objects, equality splits into two symbols: equality of denotation and equality of meaning, the latter being the true equality and the former verifying a restricted Leibniz scheme.

In an extension of the theory presented here, we can add a rewriting system and extend equality of meaning with the relation defined by this system. Proofs are then shorter, because some equational reasoning is erased from them. If this reduction eliminates cuts when applied to proof-terms, proving its termination may be a way to prove the consistency of the theory.

Waiting for a model, a normalization proof or a paradox, the consistency of this theory is open.

References

[1] P.B. Andrews, Resolution in type theory, The Journal of Symbolic Logic, 36, 3 (1971) pp. 414-432.
[2] M.J. Beeson, Foundations of Constructive Mathematics, Springer-Verlag (1985).
[3] G. Boolos, The logic of provability, Cambridge University Press (1993).
[4] N.G. de Bruijn, A survey of the project Automath, in To H.B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, J.R. Hindley, J.P. Seldin (Eds.), Academic Press (1980).
[5] A. Church, A formulation of the simple theory of types, The Journal of Symbolic Logic, 5 (1940) pp. 56-68.
[6] Th. Coquand, An analysis of Girard's paradox, Rapport de Recherche 531, Institut National de Recherche en Informatique et en Automatique (1986).
[7] Th. Coquand, A new paradox in type theory, in Logic, Methodology and Philosophy of Science IX, D. Prawitz, B. Skyrms and D. Westerståhl (Eds.), Elsevier (1994) pp. 555-570.
[8] Th. Coquand, G. Huet, The calculus of constructions, Information and Computation, 76 (1988) pp. 95-120.
[9] H.B. Curry, R. Feys, Combinatory logic, Vol. 1, North Holland, Amsterdam (1958).
[10] G. Dowek, Lambda-calculus, combinators and the comprehension scheme, in Typed Lambda Calculi and Applications, Lecture Notes in Computer Science 902 (1995) pp. 154-170. Rapport de Recherche 2565, Institut National de Recherche en Informatique et en Automatique (1995).
[11] G. Dowek, Collections, sets and types (abstract), Logic, Methodology and Philosophy of Science X (1995). Rapport de Recherche 2708, Institut National de Recherche en Informatique et en Automatique (1995).
[12] S. Feferman, Finitary inductively presented logics, in Logic Colloquium '88, R. Ferro, C. Bonotto, S. Valentini and A. Zanardo (Eds.), North Holland (1989).
[13] S. Feferman, Reflecting on incompleteness, The Journal of Symbolic Logic, 56, 1 (1991) pp. 1-49.
[14] J.Y. Girard, Interprétation fonctionnelle et élimination des coupures dans l'arithmétique d'ordre supérieur, Thèse de Doctorat d'État, Université de Paris 7 (1972).
[15] K. Gödel, An interpretation of the intuitionistic propositional calculus (1933), in K. Gödel, Collected Works, S. Feferman, J.W. Dawson Jr., S.C. Kleene, G.H. Moore, R.M. Solovay, J. van Heijenoort (Eds.), Oxford University Press (1986).
[16] V. Halbach, A system of complete and consistent truth, Notre Dame Journal of Formal Logic, 35, 3 (1994) pp. 311-327.
[17] W.A. Howard, The formulae-as-types notion of construction (1969), in To H.B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, J.R. Hindley, J.P. Seldin (Eds.), Academic Press (1980).
[18] G. Huet, personal communication.
[19] J.L. Krivine, M. Parigot, Programming with proofs, J. Inf. Process. Cybern. EIK 26 (1990) pp. 149-167.
[20] V. McGee, How truthlike can a predicate be? A negative result, Journal of Philosophical Logic 14 (1985) pp. 399-410.
[21] P. Martin-Löf, Constructive mathematics and computer programming, in Logic, Methodology and Philosophy of Science VI (1979), L.J. Cohen, J. Łoś, H. Pfeiffer, K.-P. Podewski (Eds.), North-Holland (1982) pp. 153-175.
[22] P. Martin-Löf, Intuitionistic type theory, Bibliopolis, Napoli (1984).
[23] Ch. Paulin-Mohring, Inductive definitions in the system Coq: rules and properties, in Typed Lambda Calculi and Applications, Lecture Notes in Computer Science 664 (1993) pp. 328-345.
[24] Ch. Paulin-Mohring, B. Werner, Synthesis of ML programs in the system Coq, Journal of Symbolic Computation, 15, 5-6 (1993) pp. 607-640.
[25] G. Plotkin, Building-in equational theories, Machine Intelligence, 7 (1972) pp. 73-90.
[26] W.W. Tait, Infinitely long terms of transfinite type, in Formal Systems and Recursive Functions, J.N. Crossley, M. Dummett (Eds.), North-Holland (1965).
[27] A.N. Whitehead, B. Russell, Principia Mathematica, Cambridge University Press (1910-1913, 1925-1927).