Theory

‘Upon This Quote I Will Build My Church Thesis’

In this paper, we prove that it is possible to add CTΣ to MLTT without disrupting any of the desirable properties of the resulting system such as consistency, strong normalization, and canonicity.

By Pierre-Marie Pédrot

Posted May 29 2025

Introduction
A Comprehensive CT Scan
High-Level Description
Basic Type Theory
“MLTT” Extensions
Adequacy and Soundness
A MLTT Logical Relation Primer
The “MLTT” Logical Relation
Mechanization
Future Work
Conclusion
References
Footnotes

Read the related Technical Perspective

Abstract

The internal Church thesis (𝗖𝗧) is a logical principle stating that one can associate to any function f : ℕ → ℕ a concrete code, in some Turing-complete language, that computes f. While the compatibility of 𝗖𝗧 in simpler systems has been long known, its compatibility with dependent type theory is still an open question. In this paper, we answer this question positively. We define “𝗠𝗟𝗧𝗧”, a type theory extending 𝗠𝗟𝗧𝗧 with quote operators in which 𝗖𝗧 is derivable. We furthermore prove that “𝗠𝗟𝗧𝗧” is consistent, strongly normalizing, and enjoys canonicity using a rather standard logical relation model. All the results in this paper have been mechanized in Coq.^a

1. Introduction

“Calculemus!” With this word, Leibniz famously enjoined the reader to compute. Contemporary logicians took this motto as a founding principle after the progressive discovery of the proof-as-program correspondence. This major breakthrough, also known as the Curry-Howard equivalence, is the seemingly simple observation that proofs and programs are the same object, in an essential way.

One major offshoot of the Curry-Howard philosophical stance is Martin-Löf’s type theory (MLTT), the theoretical underpinning of several widely used proof assistants such as Agda, Coq, or Lean.¹⁶ In these systems, there is no formal separation between proofs and programs, as they live in the same syntax and obey the same rules. This monistic credo turns MLTT into the quintessential intuitionistic foundation of our modern times, blending logic and computation into the very same cast. Moreover, in the wake of the Swedish tradition of neutrality, MLTT does not pick a side in the constructivist feud. It neither proves fan principles from the Brouwerian band nor mechanistic axioms from the Markovian clique, and adheres to a strict Bishopian minimalism. If set theory is the paradise of mathematics, then type theory truly is the paradise of constructive mathematics.

Meanwhile, on the other side of the iron curtain, the Russian constructivists led by Markov pushed the computability tenet to an extreme point, postulating that all mathematical objects were indeed algorithms. Their doctrine¹⁵ is materialized by a foundational system that can be summarily described as a neutral Bishop intuitionistic logic extended with two additional axioms: Markov’s principle (MP) and Church’s thesis (CT).²³

Of those two axioms, Markov’s principle is the simplest to state, as it is pretty much self-contained:

\forall f : N \to N . \neg \neg (\exists n : N . f n = 0) \to \exists n : N . f n = 0 .

Common alternative formulations include “a Turing machine that does not loop terminates” or “non-zero reals are apart from zero”. $MP$ is a sweet spot of semi-classical logic, as it can be given a computational content preserving the witness property.⁷

Church’s thesis is somewhat more involved, as it requires the internal definition of a computation model in the logic itself. Assuming a logic rich enough, this is traditionally¹³ achieved by defining the decidable Kleene predicate $T$ and its associated primitive recursive decoding function $U : N \to N$ . Assuming $p : N$ to be the syntactic code of some program in the chosen Turing-complete computation model, $n : N$ some integer argument, and $k : N$ some encoding of evaluation traces of the model, then $T (p, n, k)$ holds whenever $k$ is the trace of the fact that $p$ applied to $n$ evaluates to some integer $v$ . Furthermore, if indeed the predicate holds, then $U k$ should return the value $v$ .

Assuming we have settled this computational paraphernalia, $CT$ is simply the internal statement

\forall f : N \to N . \exists p : N . \forall n : N . \exists k : N . T (p, n, k) \land U k = f n .

Said otherwise, any function $f$ definable in the theory is known to be computable by some concrete algorithm $p$ from within the theory.

Contrarily to $MP$ , which is a consequence of excluded middle, $CT$ is a very anti-classical axiom.²³ Assuming very weak forms of choice, it contradicts lesser variants of excluded middle. Similarly, it disproves choice-like principles, such as double negation shift. Finally, it also makes the logic very intensional as it contradicts function extensionality, under the same kind of weak choice assumptions.

The consistency of $MP$ and $CT$ with regard to some logical system is typically proved via realizability, which is the intended model of the Russian dogma. Quite remarkably, Kleene’s seminal paper¹⁴ already proves that $CT$ is compatible with Heyting’s arithmetic. For a more expressive theory, the effective topos is a famous example of a realizability topos in which both principles hold.¹⁰

Considering the claim above that in $MLTT$ proofs are programs, it does seem a bit surprising that it is not biased toward the Russian school. Surely it ought to be easy to convert $MLTT$ to the Markovian orthodoxy, for otherwise the Curry-Howard mantra would be but a misleading advertisement. Let us survey the current status of each Russian axiom individually in the canon of dependent type theory.

As we already hinted at, it is known that $MP$ is not derivable in $MLTT$ .⁴ Since it is a consequence of classical logic, it holds in classical models such as the set-theoretical one,²⁵ but it is also possible to add $MP$ to $MLTT$ while retaining the computational properties through a form of delimited exceptions.¹⁹ Note that, due to the minimalism of $MLTT$ , the alternative statements of $MP$ mentioned previously are not equivalent in this setting.³

As for $CT$ , we already stated that it is negated by classical models, and thus is not a consequence of $MLTT$ . By contrast with $MP$ , the compatibility of $CT$ with dependent type theory is a much more contentious subject. To make things simpler, we will therefore focus on this single principle in this paper, and deliberately ignore Markov’s principle. The proviso about phrasing of the statement mattering a lot is even more paramount with $CT$ , which is the chief reason why the problem and its answers are a matter of debate. In the remainder we will prove that $MLTT$ is indeed compatible with the strongest form of Church’s thesis usually agreed upon, but for this we first need to explain what we actually mean by these sibylline words. We dedicate the next section to a thorough exegesis of this topic.

2. A Comprehensive $CT$ Scan

Contrarily to more archaic systems, $MLTT$ does not need a realizability interpretation to turn its proofs into programs. In some sense, it is already a realizability interpretation, as $MLTT$ terms are literally bona fide programs. It should therefore be very natural to add $CT$ to $MLTT$ .

As a matter of fact, as long as the context is empty, the following rule is admissible

\frac{⊢ M : N \to N}{⊢ 〈 M 〉 : Σ p : N . Π n : N . Σ k : N . T (p, n, k) \times U k = M n}

where $〈 M 〉$ is some term derived from $M$ in a systematic way. Depending on the pursued goal, this process is variously known in the type theory world as extraction¹⁸ or quotation.²¹ Obviously, a rule that is derivable for closed sequents is not necessarily internalizable in the theory, so there is a non-trivial gap to fill there.

An additional issue is that dependent type theories have various notions of existence. Typically, they contrast dependent sum types $Σ x : A . B$ with existential types $\exists x : A . B$ . The precise details depend on the exact theory considered, but the general rule is that the former corresponds to actual, constructive evidence, while the latter stands for mere existence—that is, no computational content can be extracted from this type. Such non-computational types are called propositions, an umbrella term for mildly related concepts. The three most common instances of propositions are captured by the realizability-driven $Prop$ universe of $CIC$ ,¹⁸ the $hProp$ subuniverse inspired by the univalent world,²⁴ and the $SProp$ universe of strict propositions.⁶ Regardless of the setting, $Σ$ -types validate choice by construction through large elimination or projections, while existential types do not, in general.

The arithmetic statement of $CT$ mentions two existential quantifiers, hence we have a priori at least four possible translations into $MLTT$ . In practice, the second one returns an enumerable proposition, so that for most notions of proposition, namely $Prop$ with singleton elimination or $hProp$ with unique choice, the use of $\exists$ or $Σ$ results in equivalent statements. We will thus always stick to a $Σ$ -type for this quantifier. More problematic is the first existential quantifier, the nature of which leads to radically different worlds. We will call ${CT}_{Σ}$ (resp. ${CT}_{\exists}$ ) the statement of Church’s thesis with a $Σ$ (resp. $\exists$ ) type as the first existential quantifier.

As mere existence does not validate choice by default, ${CT}_{\exists}$ is much closer to the traditional first-order setting. When $\exists$ is taken to live in the $Prop$ universe of $CIC$ , the relative expressivity of ${CT}_{\exists}$ has been studied extensively in the setting of synthetic computatibility.⁵ An important remark is that the lack of choice prevents building an internal quoting function $(N \to N) \to N$ that associates to some function its concrete code. As already suggested before, this means that ${CT}_{\exists}$ does not necessarily contradict function extensionality. Actually, we can even go much further: In the case where propositions are identified with $hProp$ s, ${CT}_{\exists}$ turns out to be compatible not only with $MLTT$ but also with full-blown univalence.²² More generally and quite counterintuitively, univalence is compatible with many principles that would make the hardcore Bishop-style intuitionist raise a suspicious eyebrow, as long as they are squashed enough and thus made computationally harmless.²²^,²⁴

Contrastingly, as $Σ$ -types come with intuitionistic (non)-choice built-in, ${CT}_{Σ}$ is the telltale of an extremely weird mathematical realm. For starters, it immediately implies the existence of a quoting function and breaks both function extensionality and classical logic. The consistency of ${CT}_{Σ}$ with $MLTT$ is an open problem that has been lingering for a while and seems to be considered a difficult question by experts.¹¹^,²² The best result thus far is the consistency of ${CT}_{Σ}$ with a stripped-down version of $MLTT$ without the so-called $ξ$ rule:

\frac{Γ, x : A ⊢ M \equiv N : B}{Γ ⊢ λ x : A . M \equiv λ x : A . N : Π x : A . B}

The model used to prove this fact is a variant of Kleene realizability tailored for dependent types. Briefly, in this model, terms are interpreted directly as their code in Kleene’s first algebra, that is, a natural number, and the equational theory in a context is defined as the closure of code equality by ground substitutions.

This representation makes the implementation of ${CT}_{Σ}$ trivial, as it boils down to the identity. Yet, for this to work, it is critical that two functions convertible in the model have literally the same code. This is exactly where the restriction to ground substitutions comes into play, as it will identify functions with their concrete syntax. Unfortunately, the same restriction also destroys non-trivial higher-order equations and in particular invalidates the $ξ$ rule.

Although we understand the difficulties experienced by the authors of this paper and acknowledge their distinct goals, we consider that removing this congruence from $MLTT$ when precisely trying to implement a principle implying the existence of a quoting function is unarguably throwing the baby with the bath water. Ubiquitary conversion under $λ$ -abstractions is a stepping stone of $MLTT$ for program reasoning, so treating functions as black boxes is a no-go and the $ξ$ rule a sine qua non.

Given the strong relationship between quoting functions and metaprogramming, we should also mention some attempts at making the latter a first-class citizen of dependent type theory. These systems are built with practical programming in mind rather than constructive mathematics, but the endeavours are similar enough that they are worth highlighting. There is in particular a wealth of literature on contextual types,¹⁷ a special kind of modal type⁸ capturing well-typed terms in an object context. Although contextual types can coexist with dependent types, the ability to pattern-match on code in these settings is still a difficult problem that is only satisfyingly handled in the absence of dependent types.¹²

3. High-Level Description

We now give the high-level intuitions that we develop technically later on. In this paper, we define $“ MLTT ”$ , read “ $MLTT$ with quotes”, a minute extension of $MLTT$ with quoting operators that implement ${CT}_{Σ}$ in a straightforward way. As already explained, ${CT}_{Σ}$ holds externally in $MLTT$ . If we want it as an internal rule, there are two problems to solve: first, handling terms in an arbitrary context, and second, showing that our hypothetical internalization preserves conversion.

Despite the aura of complexity surrounding this question, our solution is disappointingly simple. The first problem will be handled in the most trivial way one can think of. Namely, the primitives computing the internal version of ${CT}_{Σ}$ will simply block as long as their arguments are not closed. Since the return type of these primitives is first-order, this will not be a problem as it will not endanger canonicity.

The second problem is solved in a similarly obvious manner. Given two terms $M \equiv N : N \to N$ one needs to ensure that the quotation of these terms agree. In particular, the integer code returned by these operations must be the same. This sounds complicated, as in general two equivalent functions may have different codes. In Turing-complete languages, this is actually impossible to achieve in a computable way, due to Rice’s theorem. But in $MLTT$ , there is a very simple way to find a canonical representative of an equivalence class of functions: ust pick the normal form! Conversion in $MLTT$ is decidable, as it virtually amounts to comparing the normal forms of the considered terms for syntactic equality. This requires that all well-typed terms have a normal form, but this property is usually taken for granted in dependent type theories and will for sure hold true in $“ MLTT ”$ .

As the astute reader may complain about, this is not enough in presence of $η$ -rules, which are included in our system. But even in this case, our normalization trick can be adapted simply by maximally $η$ -reducing and stripping $λ$ and pair annotations from the normal form.

Despite the intuitive simplicity of the above guiding ideas, proofs about dependent type theory are very tedious and error-prone, let alone when they contain bits of computability. To keep the naysayer at bay, all proofs were mechanized in the Coq proof assistant.

4. Basic Type Theory

Let us fix some conventions. Since we will be juggling quite a bit between levels, we will use a different font style to refer to objects from the metatheory, with types in $bold$ and type ascription written in set-theoretic style $x \in X$ . Some metatheoretical types of interest are $X \Rightarrow Y$ , the metafunctions from $X$ to $Y$ , and $N$ the metaintegers. We will write $term$ for the type of $“ MLTT ”$ terms defined later on.

Our base theory will be an instance of $MLTT$ featuring one Russell-style universe, negative $Π$ and $Σ$ types with definitional $η$ -rules, together with a natural number type, an empty type and an identity type. We recall the syntax of this theory in Figure 1. The typing rules are standard and we let the reader refer to the mechanization for details.

Figure 1. Syntax of $MLTT.$

We use the usual notations $A \to B$ and $A \times B$ for non-dependent product and sum. We write $M = N$ for $Id A M N$ when $A$ is clear from the context. Similarly, we sometimes drop the annotations of $λ$ -abstrations and pairs. If $n \in N$ , we write ${[n]}_{N} \in term$ for the unary numeral associated to $n$ . We write $Λ : = N$ for numbers intended to code for programs.

Partial computations are usually defined through the partiality monad $℘ (A) : = N \to option A$ . Since we will only ever consider partial integers, we use a simpler encoding.

Definition 1 (Partial integers).

We define the type of partial integers $N_{℘} : = N \to N$ . The intuitive meaning of a partial integer $P : N_{℘}$ is the following.

If for all $n : N$ , $P n = 0$ , then $P$ is undefined.
Otherwise, let $n_{0}$ be the smallest integer such that $P n_{0} = S v$ for some $v$ . Then $P$ evaluates to $v$ .

This can be easily internalized in $MLTT$ .

Definition 2 (Step evaluation).

Given $M : N_{℘}$ , $V : N$ and $K : N$ , we define the step-evaluation predicate.

$M ⇝ V ∥ K : □$

read “ $M$ evaluates to $V$ in $K$ steps” by recursion on $K$ , that captures the above intuition. Most notably if $n \in N$ , $M ⇝ V ∥ {[n]}_{N}$ is convertible to

$(M 0 = 0) \times \dots \times (M {[n - 1]}_{N} = 0) \times (M {[n]}_{N} = S V) .$

Given the algorithmically friendly nature of $MLTT$ , we will pick a slightly nicer, but equivalent, phrasing of ${CT}_{Σ}$ . We will merge the Kleene predicate $T$ and its decoding function $U$ into a single function $run : Λ \to N \to N_{℘}$ .

Definition 3.

Henceforth, we will define $CT$ in $MLTT$ as

$Π f : N \to N . Σ p : Λ . Π n : N . Σ k : N . run p n ⇝ f n ∥ k$

for some $MLTT$ term $run : Λ \to N \to N_{℘}$ .

5. $“ MLTT ”$ Extensions

We now turn to the definition of the extensions that define $“ MLTT ”$ proper.

Definition 4.

The new term constructors of $“ MLTT ”$ are defined in Figure 2, and will be collectively referred to as the quoting primitives.

Figure 2. Additional syntax of

“ MLTT ”.

We give names exposing the intuition of the meaning of those terms. The term $ϙ M$ is the quote of $M$ , which is intended to return the code of the function $M$ . The term $Ϛ M N$ is the step-count of $M$ applied to $N$ —that is, it will return the number of steps needed to evaluate the quote of $M$ on argument $N$ . Finally, $ϱ M N$ is the reflection of $M$ applied to $N$ , which produces a proof that indeed the quote of $M$ fullfils the expected runtime behavior.

Definition 5.

A computation model for $“ MLTT ”$ is given by a metafunction $⌈ \cdot ⌉ \in term \Rightarrow N$ and an internal evaluation function $run \in term$ .

To define the typing system alone we do not need any additional requirements on those objects, but let us offer some intuition before proceeding any further.

The $⌈ \cdot ⌉$ function is just some arbitrary Gödel numbering of the syntax. As already explained, the $run$ function is going to serve as a Kleene predicate expressed in a functional form. In particular, we expect $run : Λ \to N \to N_{℘}$ and $run p n$ to compute the result of the application of the program $p$ to the argument $n$ if it exists. In practice, $run$ is expected to be defined in $MLTT$ alone, or for that matter, in a much weaker fragment corresponding to $PRA$ . In the remainder of this paper, we assume a fixed computation model.

Notation 6.

We write $M Ϙ N : = run (ϙ M) N ⇝ M N ∥ Ϛ M N$

for the specification of the quoting operators on $M$ and $N$ . Furthermore, given any $p, n, k \in N$ , let

$run p n k \in term : = run {[p]}_{N} {[n]}_{N} {[k]}_{N} .$

We now have enough to define the typing rules of the additional $“ MLTT ”$ primitives in Figure 3. We delay the description of the conversion rules of these primitives to a later point, because we still need more infrastructure.

Still, these rules are enough for the following theorem.

Theorem 7.

$“ MLTT ”$ proves $CT$ .

Proof.

The types are just the Skolemization of $CT$ .

To finish the specification of $“ MLTT ”$ , we need to define its conversion rules. This requires some heavy definitions.

Definition 8 (Quasi-closedness).

Given $M \in term$ and $Γ \in ctx$ , we say that $M$ is $Γ$ -quasi-closed, written ${clos}_{Γ} M$ if, ignoring $λ$ and pair annotations, all free variables of $M$ are in $Γ$ . When $Γ$ is empty, we will write $clos M$ .

Definition 9 (Deep normal and neutral forms).

We recall the inductive definition of deep normal and neutral forms of $MLTT$ terms at Figure 4 and define the additional rules for $“ MLTT ”$ at Figure 5.

Normal forms are, as usual, terms which cannot be simplified further. Neutral forms are a subcase of the former, intuitively capturing the notion of a term whose evaluation is blocked due to a variable not bound to a value. In particular, they cannot trigger new conversions when they are substituted for a variable. Our definition is standard for the $MLTT$ fragment, except maybe that we we ignore $λ$ and pair type annotations just like for the $clos$ predicate. Only worth discussing are the newly introduced terms of $“ MLTT ”$ .

The quote primitives do not generate any new non-neutral normal forms, as their types are concrete, canonical datatypes. They do generate new neutrals, though. The intuition is that these primitives only compute on closed normal forms, so if one of their argument is not closed, they will block and thus be neutral.

Notation 10.

We write $clnf M$ if both $clos M$ and $dnf M$ .

The last non-trivial ingredient that is needed is erasure of $“ MLTT ”$ terms. We rely on it to quotient normal forms with regard to the various $η$ -rules of our system.

Definition 11 (Erasure).

Given $M \in term$ , we define its erasure $∥ M ∥ \in term$ . This operation can be understood as the composition of two finer-grained primitives: first, replace $λ$ and pair type annotations with a dummy term, and second, perform maximal $η$ -reduction of $λ$ and pair nodes. We choose $□$ for the dummy term, but any closed normal term would do. We give the relevant operations in Figure 6, all other cases are term homomorphisms.

Notation 12.

If $M \in term$ , we write $⌈ ⌈ M ⌉ ⌉ \in N : = ⌈ ∥ M ∥ ⌉$ .

Definition 13.

Given $k, v \in N$ we define ${[k, v]}_{Ϙ} \in term$ by induction on $k$ as

$\begin{matrix} {[0, v]}_{Ϙ} & : = & refl N (S {[v]}_{N}) \\ {[k + 1, v]}_{Ϙ} & : = & 〈 refl N 0, {[k, v]}_{Ϙ} 〉 . \end{matrix}$

We now have all the necessary definitions to define the new conversion rules of $“ MLTT ”$ at Figure 7. We omit the obvious congruence rules, and we give some intuitions by paraphrasing the rules. The computation rule for $ϙ M$ is simply stating that quoting a closed normal term produces the Gödel number of its erasure. The two other rules reflect the behavior of the $run$ operator in the theory itself. They start by assuming that $M$ is a closed normal term, so its quote is a concrete code. Assuming canonicity, for any $n, k \in N$ , $run ⌈ ⌈ M ⌉ ⌉ n k$ must be convertible to a numeral. Similarly, $M {[n]}_{N}$ must be convertible to some numeral $v$ .

Since we expect $run$ to model the computation of $“ MLTT ”$ , there must be some smallest $k_{0} \in N$ s.t. $run ⌈ ⌈ M ⌉ ⌉ n k_{0}$ is convertible to $S v$ . Then $Ϛ M {[n]}_{N}$ returns $k_{0}$ , and $ϱ M {[n]}_{N}$ must provide a closed proof of $M Ϙ {[n]}_{N}$ . But given the previous assumptions, $M Ϙ {[n]}_{N}$ is convertible to a finite sequence of products of equalities $0 = 0$ with a trailing equality $S v = S v$ . This type is trivially inhabited by ${[k_{0}, v]}_{Ϙ}$ .

6. Adequacy and Soundness

There is still one missing piece for $“ MLTT ”$ to make sense. Indeed, in the intuitive explanation above, we argued that $run$ should model the runtime behavior of $“ MLTT ”$ . In spite of this, we have made no additional assumption on Definition 5 so far. We make this requirement formal as computational adequacy in this section. This first forces us to endow $“ MLTT ”$ with a notion of evaluation.

Definition 14 (Evaluation).

We define in the metatheory a step-indexed evaluation function $⇓$ that computes the deep normal form. We omit the standard rules for the $MLTT$ fragment, and give them for $“ MLTT ”$ extensions in Figure 8.

**Figure 8.** **Step-indexed evaluation of $“ MLTT ”$ extensions**.

Although we describe it using inference rules, evaluation really is a step-indexed recursive function in the metatheory, of type $term \Rightarrow N \Rightarrow option term$ . We write $M ⇑_{k}$ when it returns $None$ . We write $M ⇓ N$ when there exists $k \in N$ s.t. $M ⇓_{k} N$ .

We discuss briefly the evaluation rules for the quoting primitives. They start by deeply evaluating the subterms and checking whether they are quasi-closed. If not, they immediately return. Otherwise, they perform a macroscopic evaluation step. For $ϙ M$ , that just means quoting the closed normal form into a number. For $Ϛ M N$ and $ϱ M N$ , it performs a guarded $μ$ -recursion to find the smallest index such that the erasure of $M N$ evaluates to a numeral.

Definition 15 (Computational adequacy).

We say that the computation model is adequate if it satisfies the following:

We have a derivation $⊢ run : Λ \to N \to N_{℘}$ .
For all $M \in term$ and $n, k, v \in N$ ,
- if $M {[n]}_{N} ⇑_{k}$ then $run ⌈ ⌈ M ⌉ ⌉ n k ⇓ 0$ ,
- if $M {[n]}_{N} ⇓_{k} {[v]}_{N}$ then $run ⌈ ⌈ M ⌉ ⌉ n k ⇓ S {[v]}_{N}$ .

The last point is essentially stating that the metatheoretical evaluation $⇓$ and the internal evaluation $run$ coincide.

From now on, we implicitly assume that our globally fixed computational model is adequate. The remainder of the paper is dedicated to the proof of the following theorem.

Theorem 16.

$“ MLTT ”$ is consistent and strongly normalizing. Furthermore, any closed $“ MLTT ”$ term $⊢ M : N$ normalizes to a numeral.

7. A $MLTT$ Logical Relation Primer

We will prove Theorem 16 using a logical relation model. The base model is basically the now famous inductive-recursive one from Abel et al.,¹ with a handful of surprisingly minor tweaks. In this section, we briefly recall the principles of Abel-style logical relations.

From a high-level point of view, Abel-style logical relations for $MLTT$ are just a glorified kind of realizability with a lot of bells and whistles. Notably, in the semantic world, well-formed types $Γ ⊩ A$ are defined inductively, while well-typed terms $p_{A} | Γ ⊩ M : A$ are defined recursively over a proof $p_{A} \in Γ ⊩ A$ . In turn, well-typedness is extremely similar to, say, Kleene realizability,²³ that is, $p_{A} | Γ ⊩ M : A$ essentially means that $M$ weak-head normalizes to some value $V$ , further satisfying some conditions depending on $A$ . Due to conversion being an integral part of typing, one also needs to provide predicates for type and term convertibility at some semantic type.

The major departure from usual realizability in this kind of model is the proper handling of variables. All semantic predicates are actually presheaves over contexts equipped with weakenings. Furthermore neutral terms enjoy a very specific status; see, for example, Lemma 22. This will turn out to be important for our goals.

The relation itself is parameterized by syntactic predicates for the various notions of typing and reduction. These predicates must satisfy a list of closure properties, which are typically weaker than the ones enjoyed by the standard typing rules of $MLTT$ . Another way to understand this is that logical relations turn a liberal type system, called declarative, with many closure rules that is easy to work with, into a lower-level type system that is hardly usable but which is similar in spirit to the steps performed by a typing algorithm. Proofs in this generic system are in some sense normalized compared to the declarative system. As a matter of fact, this is a way to prove decidability of type-checking, since an algorithmic presentation of type-checking will satisfy the low-level closure properties. A notable difference with the declarative system is that generic typing requires making explicit the notion of neutral terms, through the introduction of neutral convertibility, which can be understood as the usual convertibility restricted to neutral terms.

In the remainder of this section we assume fixed some instance of syntactic typing and reduction rules for $MLTT$ . Due to their sheer size and the fact they are neither surprising nor new, we will not state the closure properties here, but rather refer to the corresponding Coq code.

Definition 17.

A set of typing rules is generic when it enjoys a specific list of (weak) closure properties.

Given generic notions of typing and reduction, one can define reducibility in the abstract. Our base logical relation is unchanged with regard to Abel et al.,¹ so we will not give the full definition here. To begin with, writing everything in full on paper would be both unreadable and uninformative, and probably ridden with typos. Rather, we sketch below some representative type formers to build intuition. We also ignore bookkeeping details that clutter the simplicity of logical relations, such as universe levels. Our results are backed up by a mechanized proof, so we can go for a fearless human-readable paper.

Definition 18 (Reducibility).

We give a partial but evocative definition of reducibility at Figure 9.

As already explained, we gloss over the details and instead concentrate on the high-level view. We abuse implicit arguments in Figure 9 to keep things readable, and we also omit additional well-formedness conditions. At the risk of repeating ourselves, this is really just the run-of-the-mill complete presheaf model for $MLTT$ , where presheaves have been manually encoded by means of quantifications over all weakenings of the current context. Note the lack of naturality conditions thanks to Lemma 19. In our setting, typed reduction is simply untyped reduction annotated with proofs that both sides are well-typed and convertible. Similarly, well-typed neutrals are untyped neutrals together with a proof of well-typedness and self-convertibility. Without further consideration for the low-level details, the logical relation satisfies some salient properties that we list below.

Lemma 19 (Reducibility irrelevance).

For all proofs of type reducibility $p_{A}, q_{A} \in Γ ⊩ A$ , if $p_{A} | Γ ⊩ M : A$ then $q_{A} | Γ ⊩ M : A$ and similarly for the other statements.

This allows us to silently drop the proof of type formation for reducibility statements as a notational device. As long as there is one, it does not matter which one we pick.

Lemma 20 (Escape).

If $Γ ⊩ M : A$ then $Γ ⊢ M : A$ and similarly for the other statements.

Lemma 21 (Anti-reduction).

Reducibility is closed by typed anti-weak-reduction.

Lemma 22 (Reflection).

Well-typed neutrals are reducible.

Just like for standard realizability, we need to close reducibility by substitution to state the fundamental lemma. The relation resulting from this closure is known in the literature as validity. We refer to the development for reference.

Theorem 23.

Well-typed $MLTT$ terms are valid.

8. The $“ MLTT ”$ Logical Relation

For technical reasons, we will work with a slightly tweaked version of $“ MLTT ”$ rules. Figure 7 is given for readability purposes; these rules will be derivable in the actual system. The differences are the following.

First, instead of a global typing axiom for $run$ , we add it as a premise to the $“ MLTT ”$ rules for $Ϛ$ and $ϱ$ . This is a cosmetic change to strengthen induction over $“ MLTT ”$ derivations.

Second, for reasons that will become clear soon, we turn the well-typedness premises of those rules into self-convertibility. For instance, the introduction rule of $ϙ$ becomes:

\frac{Γ ⊢ M \equiv M : N \to N}{Γ ⊢ ϙ M : Λ}

By reflexivity of term conversion, it is clear that these rules imply the ones from Figure 7. After Theorem 33, we will also be able to derive that self-convertibility implies well-typedness, which shows that the two versions are equivalent.

The model itself is defined in terms of a small-step reduction relation, so we need to define it properly for $MLTT$ , in addition to the big-step variant from Section 6.

Definition 24.

We mutually define weak-head and deep reductions, respectively written $M \to \to N$ and $M \Rightarrow \Rightarrow N$ . The $MLTT$ rules are standard, and the $“ MLTT ”$ rules are defined in Figure 10. Weak-head and deep reductions coincide for the quoting primitives.

Figure 10. Weak-head reduction of $“ MLTT ”$ extensions.

Note that deep reduction is simply iterated weak-head reduction on the subterms of weak-head normal forms. Deep reduction is a specific sequentialization of evaluation, and its reflexive-transitive closure computes the same normal forms. Importantly, both reductions are deterministic.

One major remark for our proof to go through is that in Abel-style logical relations, the closure properties of conversion preserve deep normalization. Said otherwise, we never perform conversion on terms potentially introducing non-termination. We leverage this by the following decoration.

Definition 25 (Deep Conversion).

We define deep term conversion $Γ ⊢_{nf} M \equiv N : A$ as the predicate $Γ ⊢ M \equiv N : A$ extended with the following side-conditions.

For $T \in {M, N}$ , there is some $T_{0}$ s.t. $T ⇓ T_{0}$ and $Γ ⊢ T \equiv T_{0} : A$ .
$M_{0}$ and $N_{0}$ have the same erasure, that is, $∥ M_{0} ∥ = ∥ N_{0} ∥$ .

We define similarly deep-type and neutral conversions.

When instantiating the logical relation with deep conversions, one gets access to the fact that both sides of the conversion deeply normalize to terms that have the same erasure. This is why we turn the typing premises of the quoting primitives into self-convertibility. Before the fundamental lemma, syntactic deep self-convertibility gives more information than just syntactic typability.

Lemma 26 (Deep Typing).

The typing rules where the various conversion predicates are replaced by their deep equivalent satisfy the generic typing interface.

Note that erasing normal forms before comparing them is critical for the above lemma. Indeed, generic conversion rules for negative types are given directly as $η$ -expansions. Therefore, two convertible normal forms may differ on their annotations or up to some $η$ -expansion. Erasing all annotations and maximally $η$ -reducing ensures thus that the result is unique for each equivalence class.

As a result, the logical relation instantiated with deep typing is a model of $MLTT$ . We only have to check that the additional $“ MLTT ”$ rules are also interpreted. Since semantic self-convertibility is equivalent to semantic well-typedness, it is enough to check the rules from Figure 7, the ones from Figure 3 are a consequence of the former.

Lemma 27 (Quote Reducibility).

The conversion rules for the $ϙ$ primitive hold in the reducibility model.

Proof.

We focus on the more general congruence rule. Assume $Γ ⊩ M \equiv M^{'} : N \to N$ , we now have to show that $Γ ⊩ ϙ M \equiv ϙ M^{'} : N$ . By escape, $Γ ⊢_{nf} M \equiv M^{'} : N \to N$ . We thus have two terms $M_{0}$ and $M_{0}^{'}$ s.t. $M ⇓ M_{0}$ , $M^{'} ⇓ M_{0}^{'}$ and $∥ M_{0} ∥ = ∥ M_{0}^{'} ∥$ . Either both $M_{0}$ and $M_{0}^{'}$ are quasi-closed or both are not. In the latter case, both $ϙ M_{0}$ and $ϙ M_{0}^{'}$ are neutral and convertible, so by reflection they are reducibly convertible. Otherwise, they reduce to ${[⌈ ⌈ M_{0} ⌉ ⌉]}_{N}$ and ${[⌈ ⌈ M_{0}^{'} ⌉ ⌉]}_{N}$ , which are equal numerals and thus reducibly convertible. In either case we conclude by anti-reduction.

To prove reducibility of $Ϛ$ and $ϱ$ , we need a fair amount of rewriting theory. The computation model is completely untyped, and we only care about erased terms, so we must consider reductions that ignore $λ$ and pair annotations. The following are textbook results, except for the interleaving of weak and deep reduction for the quoting primitives.

Definition 28.

We define parallel and standard reductions up to $λ$ and pair annotations for $“ MLTT ”$ in the usual way.

Lemma 29.

$Deep red. \subseteq parallel red. \subseteq standard red.$

Lemma 30.

Parallel reduction is confluent.

Lemma 31.

Standard reduction to a $dnf$ implies deep evaluation up to annotations, and is preserved by erasure.

We can now tackle the remaining reducibility proofs.

Lemma 32.

The conversion rules for the $Ϛ$ and $ϱ$ primitives hold in the reducibility model.

The conversion rules for the $Ϛ$ and $ϱ$ primitives hold in the reducibility model.

Proof.

Once again we focus on the congruence rule. Since the two primitives behave computationally the same, we only treat the $ϱ$ case which is more involved typingwise. Let us assume $Γ ⊩ M \equiv M^{'} : N \to N$ and $Γ ⊩ N \equiv N^{'} : N$ . As before, we have deeply normal terms $M_{0}$ , $M_{0}^{'}$ (resp. $N_{0}$ and $N_{0}^{'}$ ) convertible to the original terms and with the same erasure, and thus the same closedness.

If not all these terms are closed, then $ϱ M_{0} N_{0}$ and $ϱ M_{0}^{'} N_{0}^{'}$ are convertible neutral terms, we conclude as above.

Otherwise, by reducibility, $N_{0} = N_{0}^{'} = {[n]}_{N}$ for some $n \in N$ . Since reducibility is closed by application, we get $Γ ⊩ M N \equiv M^{'} N^{'} : N$ . This implies that both applications deeply evaluate to the same semantic integer, that is, a series of successors ending either with $0$ or a neutral. By confluence, we rule out the second case as $M_{0} N_{0}$ is closed, so these terms reduce to some numeral ${[v]}_{N}$ . By confluence and standardisation, $M_{0} {[n]}_{N}$ also evaluates to ${[v]}_{N}$ . By irrelevance of erasure, $∥ M_{0} ∥ {[n]}_{N}$ also evaluates to ${[v]}_{N}$ . By computational adequacy, there exists some $k_{0}$ s.t. $run ⌈ ⌈ M_{0} ⌉ ⌉ n k_{0} ⇓ S {[v]}_{N}$ and $run ⌈ ⌈ M_{0} ⌉ ⌉ n k^{'} ⇓ 0$ for all $k^{'} < k_{0}$ . Given that $M_{0}$ and $M_{0}^{'}$ have the same erasure, this also holds for $M_{0}^{'}$ . Hence, $Ϛ M N$ and $Ϛ M^{'} N^{'}$ evaluate to ${[k_{0}]}_{N}$ and $ϱ M N$ and $ϱ M^{'} N^{'}$ evaluate to ${[k_{0}, v]}_{Ϙ}$ . The only remaining problem is to show that this value is indeed of semantic type $M Ϙ {[n]}_{N}$ . But this is a trivial consequence of the normalization properties of the terms implied.

Finally, one also has to prove validity for these conversion rules, that is, that they are stable by substitution. This turns out to be obvious. Congruence rules are stable by substitution by construction. For the other rules, it is enough to observe that both quasi-closedness and erasure of quasi-closed terms are stable by substitution. We thus get the result below, of which Theorem 16 is an immediate corollary.

Theorem 33.

Well-typed $“ MLTT ”$ terms are valid.

9. Mechanization

While the Abel et al. proof has been implemented in Agda,¹ our mechanization is written in Coq and is based upon a recent work by Adjedj et al.² that relies on a small induction-recursion encoding.⁹ Apart from this, the two formalizations are globally the same. The only advantage of the Coq version, which we believe to be decisive, is the availability of tactics. The largish corpus of proofs relating the numerous untyped reductions is rendered tractable by careful automation.

All theorems stated in the paper have been formalized. The only thing that we did not formally prove was the actual existence of adequate models of computation. We globally axiomatized one in the development instead.

The reader may reasonably complain about the use of axioms, as they may very well be inconsistent. Yet, the existence of adequate models is at the same time an utterly trivial fact, and a technically extremely challenging task. Indeed, at an intuitive level $run$ has already been implemented in $MLTT$ , because we defined evaluation as a step-indexed function in our metatheory, which turns out to be a variant of $MLTT$ . As explained before, we do not even need that much, the fragment we use to implement it basically fits into $PRA$ . In any paper proof, such a computability result would be immediately brushed off as obvious, barely requiring any explanation. Now, given the non-trivial size of our untyped language, implementing evaluation and proving anything about it in Coq was already quite cumbersome. By contrast, doing the same directly in the object theory is monstruous enough to drive any sane person into sheer madness, not even mentioning that we have to work up to a Gödel encoding. Out of common decency we will not attempt to close this unquestionable gap.

10. Future Work

Although we did not formally prove it out of unrepented sloth, it is quite clear that $“ MLTT ”$ enjoys decidability of type-checking. Since type interpretation is unchanged in the logical relation, the global shape of the algorithm remains the same as the one for $MLTT$ . Handling the quoting primitives should not cause any trouble since their reduction rules enjoy the same kind of properties as in vanilla $MLTT$ . Given that our Coq proof is based on a development that proves decidability of type-checking for $MLTT$ , it should be quite simple to extend it to $“ MLTT ”$ .

Another interesting topic is the compatibility of $MLTT$ with the full Russian axiomatic. We now know that it is compatible with $MP$ and $CT$ in isolation. Hence a natural question is whether it can accommodate both axioms at the same time. We are convinced that not only this is the case, but also that the model described here can be easily extended to handle $MP$ . The reason for this confidence lies in the uncanny similarity between those two principles. Just like $CT$ , it is true that Markov’s rule, the external version of $MP$ , is derivable in $MLTT$ using Friedman’s trick.²⁰ Again, like $CT$ , the return type of this rule is a concrete data type, that is, a $Σ_{1}^{0}$ formula. It should therefore be easy to add a term

\frac{Γ ⊢ M : ℕ \to ℕ Γ ⊢ N : \neg \neg ​ (Σ n : ℕ . M n = 0)}{Γ ⊢ μ M N : Σ n : ℕ . M n = 0}

that only computes when both arguments are closed and returns the witness extracted by Friedman’s trick. One must be careful to return the same integer for convertible arguments, but this is easily obtained by returning the smallest index $k$ s.t. $M k$ is 0.

We believe that many axioms can be added to $MLTT$ this way, provided they are admissible on closed terms and return $Σ_{1}^{0}$ formulae that have sufficiently unique inhabitants. We leave the exploration of this subject to a later time.

11. Conclusion

In this paper, we proved that it was possible to add ${CT}_{Σ}$ to $MLTT$ without disrupting any of the desirable properties of the resulting system such as consistency, strong normalization, and canonicity. Against all odds, the model used for this is the most straightforward one can conceive, as it boils down to the standard logical relation for $MLTT$ . The computational content of our variant of Church’s thesis is too borderline stupid to even be considered unsurprising: it computes on closed terms, period. The only mildly non-trivial phenomenon is the need for erasure of annotations and maximal $η$ -reduction, but that trick is hardly worthy of attention. As a result, we are still bewildered about the reason for which this problem was believed to be hard.

The theorems have been formalized in Coq, greatly reducing the risk of an accidental error in the proof. For simplicity, the development still axiomatizes the computation model in the object theory. In all likelihood, these axioms would be deemed self-evident in a computability theory paper proof.

Finally, we believe that the generic recipe we followed for this model can be generalized to many other admissible principles in dependent type theory.

Submit an Article to CACM

CACM welcomes unsolicited submissions on topics of relevance and value to the computing community.

You Just Read

‘Upon This Quote I Will Build My Church Thesis’

View in the ACM Digital Library

This work is licensed under a Creative Commons Attribution International 4.0 License.

DOI

10.1145/3715707

June 2025 Issue

Vol. 68 No. 6

Pages: 75-83

Table of Contents

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Explore More

News Jun 5 2025

Robot, Teach Thyself!

Samuel Greengard

Architecture and Hardware

BLOG@CACM Jun 4 2025

GenAI-Assisted Fantasies

Berry Billingsley and Ted Selker

Artificial Intelligence and Machine Learning

woman in white dress and bare feet walking in surreal landscape of floating orbs

News Jun 4 2025

Homomorphic Technologies Could Process Still-Encrypted Data

Mark Halper

Computing Applications

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More

Abstract

1. Introduction

2. A Comprehensive CT Scan

3. High-Level Description

4. Basic Type Theory

5. “MLTT” Extensions

6. Adequacy and Soundness

7. A MLTT Logical Relation Primer

8. The “MLTT” Logical Relation

9. Mechanization

10. Future Work

11. Conclusion

‘Upon This Quote I Will Build My Church Thesis’

DOI

June 2025 Issue

Related Reading

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

Shape the Future of Computing

Communications of the ACM (CACM) is now a fully Open Access publication.

2. A Comprehensive $CT$ Scan

5. $“ MLTT ”$ Extensions

7. A $MLTT$ Logical Relation Primer

8. The $“ MLTT ”$ Logical Relation