Indexed Induction-Recursion

Cronfa - Swansea University Open Access Repository _____________________________________________________________ This is an author produced version of a paper published in : The Journal of Logic and Algebraic Programming Cronfa URL for this paper: http://cronfa.swan.ac.uk/Record/cronfa1732 _____________________________________________________________ Paper: Dybjer, P. & Setzer, A. (2006). Indexed induction–recursion. The Journal of Logic and Algebraic Programming, 66(1), 1 http://dx.doi.org/10.1016/j.jlap.2005.07.001 _____________________________________________________________ This article is brought to you by Swansea University. Any person downloading material is agreeing to abide by the terms of the repository licence. Authors are personally responsible for adhering to publisher restrictions or conditions. When uploading content they are required to comply with their publisher agreement and the SHERPA RoMEO database to judge whether or not it is copyright safe to add this version of the paper to this repository. http://www.swansea.ac.uk/iss/researchsupport/cronfa-support/ Indexed Induction-Recursion Peter Dybjer∗and Anton Setzer† September 24, 2001 Abstract We give two finite axiomatizations of indexed inductive-recursive definitions in intuitionistic type theory. They extend our previous finite axiomatizations of inductive-recursive definitions of sets to indexed families of sets and encompass virtually all definitions of sets which have been used in intuitionistic type theory. The more restricted of the two axiomatization arises naturally by considering indexed inductive-recursive definitions as initial algebras in slice categories, whereas the other admits a more general and convenient form of an introduction rule. The class of indexed inductive-recursive definitions properly contains the class of indexed inductive definitions (so called “inductive families”). Such definitions are ubiquitous when using intuitionistic type theory for formalizing mathematics and program correctness. A side effect of the present paper is to get compact finite axiomatizations of indexed inductive definitions in intuitionistic type theory as special cases. Proper indexed inductive-recursive definitions (those which do not correspond to indexed inductive definitions) are useful in intuitionistic metamathematics, and as an example we formalize Tait-style computability predicates for dependent types. We also show that Palmgren’s prooftheoretically strong construction of higher-order universes is an example of a proper indexed inductive-recursive definition. A third interesting example is provided by Bove and Capretta’s definition of termination predicates for functions defined by nested recursion. Our axiomatizations form a powerful foundation for generic programming with dependent types by introducing a type of codes for indexed inductive-recursive definitions and making it possible to define generic functions by recursion on this type. Keywords: Dependent type theory, Martin-Löf Type Theory, inductive definitions, inductive-recursive definitions, inductive families, initial algebras, normalization proofs, generic programming. ∗ Department of Mathematics and Computing Science, Chalmers University of Technology. Email: peterd@cs.chalmers.se, Fax: +46 31 165655. † Supported by Nuffield Foundation, grant No. NAL/00303/G; Department of Computer Science, University of Wales Swansea, Singleton Park, Swansea SA2 8PP, UK. Email: a.g.setzer@swan.ac.uk, Fax: +44 1792 295651. 1 1 Introduction In [8], the first author introduced the concept of inductive-recursive definitions, an extension of ordinary inductive definitions. By inductive-recursive definitions one can inductively define a set U while simultaneousely recursively defining a function T : U → D, where D is an arbitrary type. The prime example of an inductive-recursive definition is a universe, that is, a set U of codes for sets together with a decoding function T : U → set, which assigns to a code in U the set it denotes. As an example consider the b introducing codes for the Σ-type. We have Σ b : (a : U, b : T (a) → constructor Σ U ) → U (the reader not familiar with this notation, which will be explained in Sec. 2, might temporarily substitute Πa : U.Πb : (T (a) → U ).U for the b Note that the second argument b of Σ(a, b b) refers to T (a). This type of Σ). b b) is introduced, a : U has to be established, and makes sense since before Σ(a, when a : U is established, one can recursively define T (a). We then define b b)) = Σ(T (a), (x)T (b(x))) (or in more traditional notation recursively T (Σ(a, b T (Σ(a, b)) = Σx : T (a).T (b(x))). This is possible, since T (a) and T (b(x)) b b). Here we see the novelty of inductiveare known before we introduce Σ(a, recursive definitions relative to inductive definitions: an introduction rule for U may refer to the function T which is simultaneously defined. Note that T even can appear negatively in the type of a constructor, as in the type of b However, the constructor refers only strictly positively to elements of the Σ. inductively defined set U . In the special case where T : U → 1, where 1 is the type with only one element, so that T does not contain any information, inductive-recursive definitions specialize to inductive definitions. For a detailed explanation of the concept of inductive-recursive definitions, the reader is advised to read the aforementioned article [8]. In [8] the case of indexed inductive-recursive definitions (IIR) is also considered. In an IIR one defines a family of sets U (i), indexed over i : I, inductively, while simultaneously recursively defining a family of functions T (i) : U (i) → D[i] for some collection of types D[i] (i : I). (We have to write D[i], the result of substituting i for a fixed variable in D here, since D[i] is a type and we cannot write D : I → type.) Again constructors of U (i) can refer to T (j) applied to elements of U (j). In [9] and [10] we presented closed axiomatizations of the theory of nonindexed inductive-recursive definitions. It is the objective of this article to extend this to indexed inductive-recursive definitions. We will see that the resulting rules are not much more complicated than the rules for the non-indexed case. We will look at two alternatives: In restricted IIR (introduced by T. Coquand for use in the Half and Agda [4] systems) we can determine for each index i the set of arguments of the constructors introducing elements of the set Ui . In unrestricted IIR [8], for a constructor C with arguments ~a, the index i s.t. C(~a) : Ui depends on the arguments ~a of C. Indexed inductive definitions (IID) subsume inductively defined relations, such as the identity relation understood as the least reflexive relation. The identity relation was indeed the only example of an IID in the early versions of Martin-Löf type theory [13]. Theoretically, this is not very limiting since one can define many other families of sets (predicates) using the identity together with 2 the other set formers of type theory. But from a more practical point of view it became desirable to extend Martin-Löf type theory with a general notion of inductive definition of an indexed family of sets (often called “inductive family” for short) [6, 7]. Such a general mechanism is also a key part of the Calculus of Inductive Constructions [21], the impredicative type theory underlying the Coq system. Indexed inductive definitions are ubiquitous in formalizations carried out in the different proof systems for Martin-Löf type theory and the Calculus of Inductive Constructions. No proper IIR were part of the original versions of Martin-Löf type theory. However, when proving normalization for an early version of this theory, MartinLöf made use of an informal construction on the metalevel which has an implicit indexed inductive-recursive character. Plan. In Section 2 we introduce the logical framework of dependent types which is the basis for our theories of IIR. This section also explains the notation used in the paper. In Section 3 we begin by reviewing a few examples of IID, such as finitely branching trees, the even and odd numbers, the accessible part of a relation, the identity set, and context free grammars. Then we give some examples of proper IIR: Martin-Löf’s computability predicates for dependent types, Palmgren’s higher order universes, and Bove and Capretta’s analysis of the termination of nested recursive definitions of functional programs. We also introduce the restricted form of an inductive-recursive definition which has an easier syntax and is easier to implement. In Section 4 we first explain how the restricted version of indexed inductive-recursive definitions arises from the existence of initial algebras of strictly positive endofunctors on slice categories over the category of indexed families of types. Then we show how to formalize the general notion of an indexed inductive-recursive definition and give a uniform theory for both the general and the restricted form by giving a type of codes for IIR and then derive the formation, introduction, elimination and equality rules for a particular code. In Section 5 we show how to instantiate the general theory to some of the examples given in Section 3. 2 The Logical Framework Before giving the rules for IIR we need to introduce the basic Logical Framework of dependent types. This is essentially Martin-Löf’s Logical Framework [18] extended with rules for the types 0, 1, and 2. A more detailed presentation can be found in [10]. The Logcial Framework has the following forms of judgements: Γ context, and A : type, A = B : type, a : A, a = b : A, depending on contexts Γ (written as Γ ⇒ A : type, etc.). We have set : type and if A : set, then A : type. The collection of types is closed under the formation of dependent function types written as (x : A) → B (which is often written as Πx : A.B in the literature – we prefer to reserve Πx : A.B for the inductive-recursively defined set with constructor λ : ((x : A) → B) → (Πx : A.B)). The elements of (x : A) → B are denoted by (x : A)a (abstraction of x in a; this is often denoted by λx : A.a in the literature) and application is written in the form a(b). We have β− and η-rules. Types are also closed under the formation of dependent products written as (x : A) × B (often denoted by Σx : A.B which is here reserved for the 3 inductively defined set with introduction rule p : ((x : A) × B) → (Σx : A.B)). The elements of (x : A) × B are denoted by ha, bi, the projection functions by π0 and π1 and again we have β and η-rule (surjective pairing). There is the type 1, with unique element ⋆ : 1 and η-rule expressing that, if a : 1, then a = ⋆ : 1. Further we have the empty type 0 with elimination rule Efq (ex falsum quodlibet). Moreover, we include in our logical framework the type 2 with two elements ⋆0 : 2 and ⋆1 : 2, ordinary elimination rule C2 : (a : 2, A[⋆0 ], A[⋆1 ]) → A(a) (where x : 2 ⇒ A[x] : type) and the strong elimination rule a:2 A : type B : type Ctype (a, A, B) : type 2 with equality rules Ctype (⋆0 , A, B) = A , 2 Ctype (⋆1 , A, B) = B . 2 It is necessary to have the strong elimination rule, since we want to inductively define indexed families of sets U : I → set and functions T : (i : I) → U (i) → D[i] where D[i] depends non-trivially on i, as in the definition of Palmgren’s higher-order universe (where for instance D[0] = set, D[1] = Fam(set) → Fam(set), see 3.2 for more explanation). We will also add a level between set and type, which we call stype for small types: stype : type. (The reason for the need for stype is discussed in [8].) If a : set then a : stype. Moreover, stype is also closed under dependent function types, dependent products and includes 0, 1, 2. However, set itself will not be in stype. The logical framework does not have any rules for introducing elements of set, they will be introduced by IIR later and set will therefore consist exactly of the sets introduced by IIR. We also use some abbreviations, such as omitting the type in an abstraction, that is, writing (x)a instead of (x : A)a, and writing repeated application as a(b1 , . . . , bn ) instead of a(b1 ) · · · (bn ) and repeated abstraction as (x1 : A1 , . . . , xn : An )a instead of (x1 : A1 ) · · · (xn : An )a. In the following we will sometimes refer to a type depending on a variable x. We want to use the notation D[t] for D[x := t] for some fixed variable x and D for (x)D[x]. Note that we can’t simply introduce D : I → type, since this goes beyond the logical framework. Instead we introduce the notion of an abstracted expression, which is an expression together with one or several designated free variables. For an abstracted expression E, E[t1 , . . . , tn ] means the substitution of the variables by t1 , . . . , tn . If we take for D above an abstracted expression of the form (x)E, then D[t] denotes D[x := t] and we can write D as parameter for (x)E. More formally: Definition 1 (a) An n-times abstracted expression is an expression (x1 , . . . , xn )E where x1 , . . . , xn are distinct variables and E an expression of the language of type theory. An abstracted expression is a 1-times abstracted expression. (b) ((x1 , . . . , xn )E)[t1 , . . . , tn ] := E[x1 := t1 , . . . , xn := tn ]. (c) Whenever we write s[a1 , . . . , an ], s is to be understood as an n-times abstracted expression. (d) If U : A → B, we identify U with the abstracted expression (a)U (a). 4 3 3.1 Some Examples Indexed Inductive Definitions Trees and forests. Many IID occur as the simultaneous inductive definition of finitely many sets, each of which has a different name. One example is the set of well-founded trees Tree with finite branching degrees, which is defined together with the set Forest of finite lists of such trees. The constructors are: tree : Forest → Tree , nil : Forest , cons : Tree → Forest → Forest . If we replace Tree by Tree′ (⋆0 ) and Forest by Tree′ (⋆1 ), where x : 2 ⇒ Tree′ (x) : set, we obtain an IID with index set 2. Since for every index we know the set of constructors introducing elements of it in advance, we have an example of restricted IID. The even number predicate. Another simple example of an IID is the predicate Even : N → set. This is inductively generated by the two rules C0 : Even(0) , C1 : (n : N) → Even(n) → Even(S(S(n))) . In this form we have unrestricted IID, since in this form the constructors introducing an element of Even(n) is not given in advance. The accessible part of a relation. Let I be a set and < : I → I → set be a binary relation on it. We define the accessible part (the largest well-founded initial segment) of < as a predicate Acc : I → set by a generalized indexed inductive definition with one introduction rule: acc : (i : I) → ((x : I) → (x < i) → Acc(x)) → Acc(i) . Note that acc introduces elements of Acc(i) while referring to possibly infinitely many elements of the sets Acc(x) (for each x : I and each proof of x < i). Acc is an example of a restricted IID. The identity relation. The only example of an IID in Martin-Löf’s original formulation of type theory, which is not an ordinary inductive-recursive definition is the identity type (“identity type” is only used for historic reason – a more appropriate name would be “identity set”). Assume A : set. The identity on A is given as the least reflexive relation on A × A, and is the intensional equality type on A. We have as formation rule a : A, b : A ⇒ I(A, a, b) : set. The introduction rule expresses that it is reflexive: r : (a : A) → I(A, a, a) . The elimination rule inverts the introduction rule. Assume we have a type which is a reflexive relation on A × A and a subrelation of the identity type on A. So assume a : A, b : A, p : I(A, a, b) ⇒ C[a, b, p] : type and for every a : A we have 5 s[a] : C[a, a, r(a)] (so s is the step-function corresponding to the constructor r). Then for every a, b : A and p : I(A, a, b) we have J(a, b, p, (x)s[x]) : C[a, b, p]. The equality rule now uses the step function in case an element is introduced by a constructor: J(a, a, r(a), (x)s[x]) = s[a]. If we write I′A (ha, bi) instead of I(A, a, b), we obtain for every A : set an unrestricted IID I′A with index set A × A. Context free grammars. IID occur very frequently in applications in computer science. For example a context free grammars over a finite alphabet Σ and a finite set of nonterminals NT can be seen as an NT×Σ∗ -indexed inductive definition L, where each production corresponds to an introduction rule. As an example consider the context free grammar with Σ = {a, b}, NT = {A, B} and productions A −→ a, A −→ BB, B −→ AA, B −→ b. This corresponds to an inductive definition of an indexed family L, where L(A, α) is the set of derivation trees of the string α from the start symbol A. So α is in the language generated by the grammar with start symbol A iff L(A, α) is inhabited. L has one constructor for each production: C0 : L(A, a), C1 : L(B, α) → L(B, β) → L(A, αβ), C2 : L(A, α) → L(A, β) → L(B, αβ), C3 : L(B, b). Alternatively, we can inductively define an NT-indexed set D of “abstract syntax trees” for the grammar, and then recursively define the string d(A, p) (“concrete syntax”) corresponding to the abstract syntax tree p : D(A). In the example given before we get C0 : D(A), C1 : D(B) → D(B) → D(A), C2 : D(A) → D(A) → D(B), C3 : D(B). Further d(A, C0 ) = a, d(A, C1 (p, q)) = d(B, p) ∗ d(B, q), d(B, C2 (p, q)) = d(A, p) ∗ d(B, q), d(B, C3 ) = b. More examples. There are many more examples (eg. the set of formulas derivable in a formal system, computation rules of the operational semantics of a programming language) of similar nature. If Formula is a set of formulas of the formal system, then to be a theorem is given by a Formula-indexed inductive definition Theorem : Formula → set, where the axioms and inference rules correspond to introduction rules. An element d : Theorem(φ) is a notation for a derivation (or proof tree) with conclusion φ. Yet more examples are provided by the computation rules in the definition of the operational semantics of a programming language. Proofs by induction on the structure of an indexed inductive definition of these kinds are often called proofs by “rule induction”. Thus the general form of rule induction is captured by the elimination rule for unrestricted IIR which we will give later. 3.2 Indexed Inductive-Recursive Definitions Martin-Löf ’s computability predicates for dependent types. We shall now turn to proper IIR. As a first example we shall formalize the Tait-style computability predicates for dependent types introduced by Martin-Löf [17]. This example was crucial for the historical development of IIR, since it may be viewed as an early occurrence of the informal notion of an IIR. In [17] Martin-Löf presents an early version of his intuitionistic type theory and proves a normalization theorem using such Tait-style computability predicates. He works in an informal intuitionistic metalanguage but gives no explicit justification for the 6 meaningfulness of these computability predicates. (Later Aczel [1] has shown how to model a similar construction in classical set theory.) Since the metalanguage is informal the inductive-recursive nature of this definition is implicit. One of the objectives of the current work is indeed to formalize an extension of Martin-Löf type theory where the inductive-recursive nature of this and other definitions is formalized. In this way we hope to help clarify the reason why it is an acceptable notion from the point of view of intuitionistic meaning explanations in the sense of Martin-Löf [14, 16, 15]. First recall that for the case of the simply typed lambda calculus the Taitcomputability predicates φA are predicates on terms of type A which are defined by recursion on the structure of A. We read φA (a) as “a is a computable term of type A”. To match Martin-Löf’s definition [17] we consider here a version where the clause for function types is • If φB (b[a]) for all closed terms a such that φA (a) then φA→B (λx.b[x]). (Here b[x] denotes an expression with a possible occurrence of the free variable x and b[a] denotes the expression which is obtained by substituting x by a in b[x].) How can we generalize this to dependent types? First we must assume that we have introduced the syntax of expressions for dependent types including Πtypes, with lambda abstraction and application. Now we cannot define φA for all (type) expressions A but only for those which are “computable types”. The definition of φA has several clauses, such as the following one for Π [17, p. 161]: 4.1.1.2. Suppose that φA has been defined and that φB[a] has been defined for all closed terms a of type A such that φA (a). We then define φΠx:A.B[x] by the following three clauses. 4.1.1.2.1. If λx.b[x] is a closed term of type Πx : A.B[x] and φB[a] (b[a]) for all closed terms a of type A such that φA (a), then φΠx:A.B[x] (λx.b[x]). 4.1.1.2.2. . . . 4.1.1.2.3. . . . (We omit the cases 4.1.1.2.2 and 4.1.1.2.3, which express closure under reduction, since they are not relevant for the present discussion. Note also that the complete definition of the computability predicate also has one case for each of the other type formers of type theory.) We also note that Martin-Löf does not use the term “A is a computable type” but only states “that φA has been defined”. We can understand MartinLöf’s definition as an indexed inductive-recursive definition by introducing a predicate Φ on expressions, where Φ(A) stands for “φA is defined” or “A is a computable type”. Moreover, we add a second argument to φ so that φA (p, a) means that “a is a computable term of the computable type A, where p is a proof that A is computable. Now we observe that we define Φ inductively while we simultaneously recursively define φ. It would be possible to formalize Martin-Löf’s definition verbatim, but for simplicity we shall follow a slightly different version due to C. Coquand [5]. Assume that we have inductively defined the set Exp of expressions and have an operation Apl : Exp → Exp → Exp for the application of one expression to another. Apl is a constructor of Exp, and there will be additional reduction 7 rules for expressions, like reduction of β-redexes. We will write in the following A b for Apl(A, b). Now define an Exp-indexed IIR Ψ ψ : Exp → set , : (A : Exp) → Ψ(A) → Exp → set . So the index set is Exp, Ψ plays the rôle of U , ψ the rôle of T : (a : U ) → D[a], where D[a] = Exp → set for a : Exp. Note that ψ depends negatively on Ψ, so this is not a simultaneous inductive definition. The introduction rule for Ψ (corresponding to Martin-Löf’s 4.1.1.2) is: π : (A : Exp) → (p : Ψ(A)) → (B : Exp) → (q : (a : Exp) → ψ(A, p, a) → Ψ(B a)) → Ψ(Π(A, B)) . Note that q refers to ψ(A, p, a) which is short notation for ψ(A, p)(a), where ψ(A, p) is the result of the recursively defined function for the second argument p. The corresponding equality rule is ψ(Π(A, B), π(A, p, B, q), b) = ∀a : Exp.∀x : ψ(A, p, a).ψ(B a, q(a, x), b a) . Again, the reader should be aware that we have presented only one crucial case of the complete IIR in [5]. For instance there are clauses corresponding to closure under reductions. Palmgren’s higher-order universes [20]. This construction generalizes Palmgren’s super universe [19], that is, a universe which for any family of sets in it contains a universe containing this family. It is outside the scope of this paper to give a full explanation of higherorder universes, and the interested reader is referred to Palmgren [20]. They are included here as an example of a proof-theoretically strong construction which is subsumed by our theory of IIR: they are conjectured to reach (without elimination rules into arbitrary types) the strength of Kripke-Platek set theory with one recursive Mahlo ordinal. They also provide an example where we have decoding functions Tk : Uk → D[k] with D[k] = OPk (set) which depend non-trivially on k and, for k > 0, is a higher type which goes beyond set. The higher-order universes of level n is a family of universes Uk , Tk , indexed by k < n, where Uk is a set of codes for operators on families of sets of level k, and Tk : Uk → OPk (set) is the decoding function. The set OPk (set) of such operators is defined by introducing more generally for A : type Fam(A) := n Op (A) := (X : set) × (X → A) , Op(A) := Fam(A) → Fam(A) , Op(· · · (Op(A)) · · ·) , | {z } n times Let n : N, Ak : set , Bk : Ak → Opk (set) (k = 0, . . . , n) . In the following all sets and constructors are parameterized with respect to n, Ak , Bk , but for simplicity we omit those parameters. 8 U0 , T0 have the standard closure properties of a universe. Additionally we have for k = 0, . . . , n the two constructors (with decodings) b k : U0 , A b Bk : Ak → Uk , b k ) = Ak , T0 (A b k (a)) = Bk (a) . Tk (B Furthermore, under the additional assumptions i ∈ {0, . . . , n − 1}, f : Ui+1 , we have two more constructors (with decodings) ap0i (f ) : (u : U0 , T0 (u) → Ui ) → U0 , T0 (ap0i (f, u, v)) = π0 (Ti+1 (f )(hT0 (u), Ti ◦ vi)) , ap1i (f ) : (u : U0 , v : T0 (u) → Ui , π0 (Ti+1 (f )(hT0 (u), Ti ◦ vi))) → Ui , Ti (ap1i (f, u, v, a)) = π1 (Ti+1 (f )(hT0 (u), Ti ◦ vi))(a) . If we let I := {0, . . . , n} (which more formally should be replaced by Nn+1 ), then we observe that we have introduced U : I → set together with T : (i : I, U(i)) → Di where Di = Opi (set). For each i : I we can determine a collection of constructors, each of which refers strictly positively to U and (positively and negatively) to T applied to the arguments of U referred to. Bove and Capretta’s analysis of the termination of nested recursive definitions of functional programs. In a recent paper [3], Bove and Capretta use indexed inductive-recursive definitions in their analysis of the termination of functions defined by nested general recursion. Given such a function f the idea is to simultaneously define a predicate D(x) expressing that f (x) terminates, and a function f ′ (x, p) which returns the same value as f (x) but has as second argument a proof p : D(x) that f (x) terminates. Assume for instance the rewrite rules f (0) −→ f (f (1)), f (1) −→ 2, f (2) −→ f (1) on the domain {0, 1, 2}. We now inductive-recursively define the termination predicate D for for f . We get one constructor for each rewrite rule: C0 : (p : D(1), q : D(f ′ (1, p))) → D(0), C1 : D(1), C2 : (p : D(1)) → D(2). Furthermore, the equality rules for f ′ are f ′ (0, C0 (p, q)) = f ′ (f ′ (1, p), q), f ′ (1, C1 ) = 2, f ′ (2, C2 (p)) = f ′ (1, p). This is a proper IIR, since in the type of C0 the second argument depends on f ′ (1, p), where p is the first argument. 3.3 Restricted Indexed Inductive-Recursive Definitions There are reasons for focussing attention on IIR where we can determine for every index i the set of constructors introducing elements of Ui . More precisely this means that if C is a constructor of the IIR, and we write its type in uncurried form, then its type is of the form ((i : I) × A(i)) → Ui , so the first argument determines the index i. An example which satisfies this restriction is the accessible part of a relation. We can also determine the set of constructors for Ui , where a constructor has type B → Ui and i does not depend on B, provided the equality on I is decidable. In this case the type of C can be replaced by (i′ : I) → Ctype (i =dec 2 i′ , B, 0) → Ui′ , where =dec is the decidable equality on I, with result in 2). In this way for example finitely branching trees and forests can be seen to be captured by restricted IIR. 9 In the implementation of the Half proof system of type theory Thierry Coquand enforced this restriction, and it was kept in the Agda system [4], the successor of Half. One reason is that both the introduction and elimination rules can be specified more simply: for introducing an IIR, the constructors Ci of Uj are just listed in the form data{C1 (~a1 ) | · · · | Cn (~an )}, and one doesn’t have to include the index j in the arguments of ~ai of Ci (~ai ) – this simplifies the syntax of the system substantially. If one wants to define g(x) for x : Ui , one can write it in the form case x of {C1 (~a1 ) → f1 (~an ); ··· Cn (~an ) → fn (~a); } For defining unrestricted IIR, a more complicated syntax has to be used, especially the elimination rules have to make use of a more general form of pattern matching. See for instance the proof assistant Alf ([12], [2]), where unrestricted IIR can be implemented. Another reason for this restriction is that it is easier to construct mathematical models: below we will see that restricted IIR can be modelled as initial algebras in an I-indexed slice category. Furthermore, domain-theoretic models of restricted IIR can be given more easily. That complications arise when modelling unrestricted IIR is one of the reasons why many believe that a fully satisfactory understanding of the identity type has not yet been achieved. It is often possible to replace general IIR by restricted IIR, especially if we have a decidable equality on the index set. For example, we can define a function by recursion which tests equality of natural numbers. Using this equality we can write the introduction rules for the even number predicate in an alternative way: Even(n) holds iff n = 0 or there exists m such that n = S(S(m)) and Even(m). That is, we have two constructors: C0 (n) : (n = 0) → Even(n), and C1 (n) : (m : N) × (n = S(S(m))) × (Even(m)) → (Even(n)). (It is also worth mentioning here that alternatively, we can directly define the even numbers by primitive recursion on the natural numbers: Even(0) is true and Even(S(n)) is the negation of Even(n), using the two element universe 2 with decoding T : 2 → set.) However, it is not always possible to transform a definition into the restricted form. The prime example is that of the identity relation. In [11] we however show that if we have extensional equality, we can simulate general IIR by restricted IIR. The definitions are quite complicated though, and the resulting programs may be computationally inefficient. 4 4.1 Formalizing the Theory of Indexed InductiveRecursive Definitions The Category of Indexed Families of Types As for the non-indexed case, we shall derive a formalization of IIR by modeling them as initial algebra constructions in slice categories. Let R be a set of rules for the language of type theory (where each rule is given by a finite set of judgements as premisses and one judgement as conclusion) which includes the 10 logical framework used in this article and an equality. For such R let TT(R) be the resulting type theory. The category Type(R) is the category, the objects of which are A s.t. TT(R) proves A : type, and the morphisms from A to B of which are terms f s.t. TT(R) proves f : A → B. Objects A, A′ such that TT(R) proves A = A′ : type and functions f, f ′ s.t. TT(R) proves f = f ′ : B → C are identified. In order to model I-indexed inductive-recursive definitions, where I is an arbitrary stype, we will use the category Fam(R, I) of I-indexed families of types. An object of Fam(R, I) is an I-indexed family of types, that is, an abstracted expression A for which we can prove i : I ⇒ A[i] : type in TT(R). An arrow from A to B is a I-indexed function, that is, an abstracted expression f for which we can prove (in TT(R)) i : I ⇒ f [i] : A[i] → B[i]. Again we identify A, A′ s.t. we can prove i : I ⇒ A[i] = A′ [i] : type and f, f ′ s.t. we can can prove i : I ⇒ f [i] = f ′ [i] : B[i] → C[i]. We will usually omit the argument R in Fam(R, I). If C is a category, D an object of it, then C/D is the slice category with objects pairs (A, f ) where A is an object of C and f an arrow A → D, and as morphisms from (A, f ) to (B, g) morphisms h : A → B s.t. g ◦ h = f . Note that we write pairs with round brackets on this level. This is different from the notation ha, bi for the pair of a and b in the logical framework. General assumption 4.1.1 In the following we assume in all rules I : stype, i : I ⇒ D[i] : type (D an abstracted expression). 4.2 Coding Several Constructors by One We can code several constructors of an IIR into one as follows: let J be a finite index set for all constructors and Aj be the type of the jth constructor. Then replace all constructors by one constructor of type (j : J) → Aj , which is definable using case distinction on 2. In case of restricted IIR we can obtain one constructor in restricted form with type (i : I, j : J) → Aij → Ci , if the type of the jth constructor is i : I → Aij → Ci . In this way it will suffice to consider only IIR with one constructor in the sequel. 4.3 Restricted IIR as Initial Algebras in Slice Categories Assume we have a restricted IIR with one constructor intro : (i : I) → HU (U, T, i) → U(i) (with all arguments of intro except i in uncurried form), which introduces U : I → set and T : (i : I, U(i)) → D[i]. Here HU : (U : I → set, T : (i : I, U (i)) → D[i], I) → stype with no free occurrences of U , T and i. Let further the equality rule for T be T(i, intro(i, a)) = HT (U, T, i, a) , where HT : (U : I → set, T : (i : I, U (i)) → D[i], i : I, HU (U, T, i)) → D[i] with no free occurrences of U, T, i or a. Now one observes that the introduction rule and equality rule are captured as an I-indexed family of algebras for H in Fam(I)/D, where H(U, T ) = (HU (U, T ), HT (U, T )):1 1 To be pedantic: one has to replace H(U, T ), H U (U, T ), HT (U, T ) by uncurried variants H′ ((U, T )), H′ U ((U, T )), H′ T ((U, T )) 11 intro(i) ✲ U(i) HU (U, T, i) HT (U , T(i) T, i) ✲ ❄ D[i] Note that the situation generalizes the situation for non-indexed inductionrecursion [10], where the rules for U and T are captured as an algebra of an appropriate endofunctor F on the slice category Type/D. If D[i] = 1 and therefore H(U, T, i) does not depend on T , we have the important special case of a restricted indexed inductive definition. We show the example of the accessible part of a relation: (x : I) → (x < i) → Acc(x) acc(i) ✲ Acc(i) ! ! ✲ ❄ 1 i.e. HU (U, T, i) = (x : I) → (x < i) → U (x). 4.4 A Diagram for General IIR If a particular IIR does not have the restricted form then we do not prima facie know the set of constructors for a particular expression. On the other hand, given an argument to the constructor, we can determine the index of the constructed element. To capture this situation the categorical representation must be changed. Depending on U : I → set and T : (i : I, U (i)) → D[i] we have an stype G U (U, T ) of the arguments of the constructor intro, and, depending on a : G U (U, T ), we have G I (U, T, a) : I, which provides the i s.t. intro(a) : Ui , and G T (U, T, a) : D[G I (U, T, a)], which determines the value of T(i, intro(a)). The diagram is: intro ✲ U (G I (U, T, a)) (a : G U (U, T )) G T (U , T, T (G I (U, T, a)) a) ✲ ❄ D[G (U, T, a)] I As a first simple instance we look at the identity relation on A. It has index set I := A × A, D[i] = 1, and GU (U, T ) = A, GI (U, T, a) = ha, ai, and 12 U(ha, ai) = IA (a, a): (a : A) r✲ I(a, a) ! ! ✲ ❄ 1 As a second illustration we show how to obtain the rules for computability predicates for dependent types. (As in Section 3 we only give a definition containing one case, but the complete definition [5] can be obtained by expanding the definition corresponding to the additional constructors). G U (Ψ, ψ) = G I (Ψ, ψ, hA, p, B, qi) = G T (Ψ, ψ, hA, p, B, qi) = (A : Exp) × (p : Ψ(A)) × (B : Exp) × ((a : Exp) → ψ(A, p, a) → ψ(B a)) , Π(A, B) , (b)∀a : Exp.∀x : ψ(A, p, a).ψ(B a, q(a, x), b a) . Note that in the general case we no longer have an endofunctor Fam(I)/D → Fam(I)/D. 4.5 A Uniform Theory for Restricted and General IIR If we look at the functors arising in general IIR we observe that we have obtained one stype GU (U, T ) and two functions GI (U, T ) : GU (U, T ) → I , GT (U, T ) : (a : GU (U, T )) → D[GI (U, T, a)] . where (U, T ) is an element of Fam(I)/D, GIT (U, T ) := hGI (U, T ), GT (U, T )i an element of E := (i : I) × D[i], so (GU (U, T ), GIT (U, T )) is an element of Type/E. This can be expanded to a functor G : Fam(I)/D → Type/E . In restricted IIR we have for i : I HU (U, T, i) : stype , HT (U, T, i) : (a : HU (U, T, i)) → D[i] , which can be combined to an endofunctor (with obvious arrow part and extension to U s.t. i : I ⇒ U [i] : type) H : Fam(I)/D → Fam(I)/D . Consider the functor πi : Fam(I)/D → Type/D[i] with object part πi (U, T ) := (U [i], T [i]) and obvious arrow part. Every element (U, T ) : Fam(I)/D is uniquely determined by its projections πi (U, T ). One also notes that for every sequence of functors Hi : Fam(I)/D → 13 Type/D[i] there exists a unique functor H : Fam(I)/D → Fam(I)/D s.t. πi ◦ H = Hi . H and G will be strictly positive functors in much the same way as F in [10] . But since H is determined by πi ◦ H and both πi ◦ H and G are functors Fam(I)/D −→ Type/E, (where E = (i : I) × D[i] in the general case and E = D[i] in the restricted case), it is more economical to more generally introduce the notion of a strictly positive functor F : Fam(I)/D −→ Type/E for an arbitrary type E. From this we can derive the functors G and H. As in [10], we define for E : type the type of indices for strictly positive functors E : type , OPI,D,E : type together with, for γ : OPI,D,E (we omit I, D, E, if the parameter γ is given) FU γ : (U : I → set, T : (i : I, U (i)) → D[i]) → stype , FT γ : (U : I → set, T : (i : I, U (i)) → D[i], a : F U γ (U, T )) → E . (It is straightforward to define arrow parts of these functor and the extension to arguments (U, T ) s.t. i : I ⇒ U [i] : type.) We construct elements of OPI,D,E in a similar way as in the non-indexed case: • Base Case: This corresponds to having IIR with no arguments of the constructor and one only has to determine the result of E: ι : E → OPI,D,E , FU ι(e) (U, T ) = 1 , FT ι(e) (U, T, ⋆) = e . • Nondependent union of functors: This corresponds to the situation where the constructor has an argument A and (depending on a : A) further arguments coded as γ(a). σ : (A : stype, γ : A → OPI,D,E ) → OPI,D,E , FU (U, T ) = (a : A) × F U σ(A,γ) γ(a) (U, T ) , T FT σ(A,γ) (U, T, ha, bi) = F γ(a) (U, T, b) . • Dependent union of functors: This corresponds to the situation where the constructor has one inductive argument indexed over A. For each element a : A we have to determine an index i(a) : I, which indicates the set U (i(a)), the inductive argument is chosen from. The result of T for this argument is an element of (a : A) → D[i(a)] and the other arguments depend on this function. Let T ◦ [i, f ] := (x)T (i(x), f (x)). δ : (A : stype, i : A → I, γ : ((a : A) → D[i(a)]) → OPI,D,E ) → OPI,D,E , FU δ(A,i,γ) (U, T ) = FT δ(A,i,γ) (U, T, hf, bi) = (f : (a : A) → U (i(a))) × F U γ(T ◦[i,f ]) (U, T ) , FT γ(T ◦[i,f ]) (U, T, b) . 14 We finish this subsection by drawing a diagram which shows the relationship between the functors G and H for general and restricted IIR: G Fam(I)/D ✲ Type/(i : I) × D[i] ✻ e H πi ◦ H ✲ ❄ Type/D[i] ✛ πi Fam(I)/D where e(U, T ) = ((i : I) × U (i), (a)hπ0 (a), T (π0 (a), π1 (a))i). So the functors in the restricted case are those which factor through an endofunctor H, which itself is determined by the “fibers” πi ◦ H. The functors for the restricted case have codes of the form σ(I, (i) · · · δ(A, f, (a) · · · δ(B, g, (b) · · · σ(C, (c) · · · δ(D, (d) · · · ι(hi, ei)))))) , ie. the codes always start with σ(I, (i) . . . and the innermost parts are of the form ι(hi, ei) where i is value of the first non-inductive argument. (Note that the order of the constructors in an element of OP might depend on arguments preceding them). That a functor G has such a code corresponds exactly to the fact that it is obtained by the above diagram from strictly positive functors πi ◦ H. 4.6 Formation and Introduction Rules for Restricted IIR Restricted IIR (indicated by a superscript r) are given by strictly positive endofunctors H in the category Fam(I)/D, which can be given by their (strictly positive) projections πi ◦ H : Fam(I)/D → Type/D[i]. So the set of codes for these functors is given as a family of codes for πi ◦ H, and the type of codes is given as OPrI,D : type , OPrI,D = (i : I) → OPI,D,D[i] . Assume now γ : OPrI,D , U : I → set, T : (i : I, U (i)) → D[i], i : I. The object part of H (restricted to U : I → set) is defined as HU γ (U, T, i) := HT γ (U, T, i, a) := FU γ(i) (U, T ) : stype FT γ(i) (U, T, a) : D[i] for a : H U γ (U, T, i). We have the following formation rules for Urγ and Trγ : Urγ (i) : set , Trγ (i) : Urγ (i) → D[i] . Urγ (i) has constructor r r r introrγ (i) : H U γ (Uγ , Tγ , i) → Uγ (i) , and the equality rule for Trγ (i) is: r r Trγ (i, introrγ (i, a)) = H T γ (Uγ , Tγ , i, a) . 15 4.7 Formation and Introduction Rules for General IIR In general IIR (as indicated by superscript g) we have to consider strictly positive functors in G : Fam(I)/D → Type/(i : I) × D[i]. The type of codes is given as OPgI,D : type , OPgI,D = OPI,D,(i:I)×D[i] . Assume now γ : OPgI,D , U : I → set, T : (i : I, U (i)) → D[i]. The components of G needed in the following are GU γ (U, T ) := FU γ (U, T ) : stype G Iγ (U, T, a) := π0 (F T γ (U, T, a)) : I GT γ (U, T, a) := I π1 (F T γ (U, T, a)) : D[G γ (U, T, a)] for a : G U γ (U, T ). We have essentially the same formation rules for Ugγ and Tgγ Ugγ : I → set , Tgγ : (i : I, Ugγ (i)) → D[i] . There is one constructor for all Ugγ (i). Depending on its arguments G Iγ (Ugγ , Tgγ , a) determines the index it belongs to. So the introduction rule is: introgγ : (a : G γU (Ugγ , Tgγ )) → Ugγ (G Iγ (Ugγ , Tgγ , a)) . The equality rule for Tgγ is: g g Tg (G Iγ (Ugγ , Tgγ , a), introgγ (a)) = G T γ (Uγ , Tγ , a) . 4.8 Elimination Rules for IIR We now define the induction principle both for the restricted and the general map for γ : OPI,D,E . Assume F case. We define first more generally F IH γ and F γ is a twice abstracted expression and γ : OPI,D,E , U : I → set , T : (i : I, U (i)) → D[i] , i : I, u : U (i) ⇒ F [i, u] : type . The rules for F IH and F map are as follows: a : FU γ (U, T ) IH F γ (U, T, F, a) : type h : (i : I, a : U (i)) → F [i, u] IH F map (U, T, F, h) : (a : F U γ γ (U, T )) → F γ (U, T, F, a) F IH ι(e) (U, T, F, ⋆) = 1 , F map ι(e) (U, T, F, h, ⋆) = ⋆ , IH F IH σ(A,γ) (U, T, F, ha, bi) = F γ(a) (U, T, F, b) , map F map σ(A,γ) (U, T, F, h, ha, bi) = F γ(a) (U, T, F, h, b) , IH F IH δ(A,i,γ) (U, T, F, hf, bi) = ((a : A) → F [i(a), f (a)]) × F γ(T ◦[i,f ]) (U, T, F, b) , map F map δ(A,i,γ) (U, T, F, h, hf, bi) = hh ◦ [i, f ], F γ(T ◦[i,f ]) (U, T, F, h, b)i . 16 In the restricted case we have now under the assumptions γ : OPrI,D , i : I, a : Urγ (i) ⇒ F [i, a] : type , r r r IH r r h : (i : I, a : H U γ (Uγ , Tγ , i), F γ(i) (Uγ , Tγ , F, a)) → F [i, introγ (i, a)] , Rrγ,F (h) : (i : I, a : Urγ (i)) → F [i, a] , map Rrγ,F (h, i, introrγ (i, a)) = h(i, a, F γ(i) (Urγ , Trγ , F, Rrγ,F (h), a)) . And for the general case we have under the assumptions γ : OPgI,D , i : I, a : Ugγ (i) ⇒ F [i, a] : type , g g I g g g g g IH h : (a : G U γ (Uγ , Tγ ), F γ (Uγ , Tγ , F, a)) → F [G γ (Uγ , Tγ , a), introγ (a)] , Rgγ,F (h) : (i : I, a : Ugγ (i)) → F [i, a] , Rgγ,F (h, G Iγ (Ugγ , Tgγ , a), introgγ (a)) = h(a, F map (Ugγ , Tgγ , F, Rgγ,F (h), a)) . γ In the restricted case one can show that the above rules express that the family (Urγ (i), Trγ (i)) for i : I is (the carrier of) an initial algebra for the endofunctor H on Fam(I)/D. This generalizes a theorem in [10] about the connection between inductive-recursive definitions of a set U and a function T : U → D and initial algebras in the slice category Type/D. Definition 2 (a) The basic theory of indexed inductive recursive definitions (Bas-IIR) consists of the rules for the logical framework as introduced in this article, the formation and introduction rules for OP and the defining rules for F U , F T , F IH and F map . (b) The theory IIRr of restricted indexed inductive recursive definitions consists of Bas-IIR, the defining rules for OPr , H U , H T , and the formation/introduction/elimination/equality rules for Ur and Tr . (c) The theory IIRg of general indexed inductive recursive definitions consists of Bas-IIR, the defining rules for OPg , G U , G I , G T , and the formation/introduction/elimination/equality rules for Ug and Tg . (d) IIDr and IIDg are the restrictions of IIRr and IIRg , where in all rules in this article D[i] = 1. These are the theories of restricted and general indexed inductive definitions. 5 The Examples Revisited We first introduce the following abbreviations: γ +OP γ ′ := σ(2, (x)C2 (x, γ, γ ′ )) and γ1 +OP · · · +OP γn := (· · · ((γ1 +OP γ2 ) +OP γ3 ) +OP · · · +OP γn ) if n ≥ 3. 17 So if γ1 , . . . , γn are codes for constructors Ci then γ1 +OP · · ·+OP γn is a code for a constructor C. The first argument of C codes an element i of {1, . . . , n}. The later arguments of C are the arguments of the constructor Ci . In the following (−) stands for an abstraction (x) for a variable x, which is not used later. Let ιg⋆ (a) := ι(ha, ⋆i), ιr⋆ := ι(⋆). • The trees and forests have code γ : OPr2,(−)1 (= 2 → OP2,(−)1,1 ), where γ(⋆0 ) = δ(1, (−)⋆1 , (−)ιr⋆ ) , γ(⋆1 ) = ιr⋆ +OP δ(1, (−)⋆0 , (−)δ(1, (−)⋆1 , (−)ιr⋆ )) . Then Tree = Ur2,(−)1,γ (⋆0 ), Forest = Ur2,(−)1,γ (⋆1 ). • The even number predicate has code ιg⋆ (0) +OP σ(N, (n)δ(1, (−)n, (−)ιg⋆ (S(S(n))))): OPgN,(−)1 (= OPN,(−)1,N×1 ) . • The accessible part of a relation has code (i)δ((x : I) × (x < i), (z)π0 (z), (−)ιr⋆ ): OPrI,(−)1 (= (i : I) → OPI,(−)1,1 ) . As a general IIR it has code σ(I, (i)δ((x : I) × (x < i), (z)π0 (z), (−)ιg⋆ (i))): OPgI,(−)1 (= OPI,(−)1,I×1 ) . • The identity set has code σ(A, (a)ιg⋆ (ha, ai)) : OPgA×A,(−)1 (= OPA×A,(−)1,(A×A)×1 ) . • For the Tait-style computability predicates for dependent types we have I = Exp, D[i] = Exp → set. The rules given in Subsection 3.2 are incomplete, additional constructors have to be added by using +OP (the current definition actually defines the empty set). The code for the constructor given in Subsection 3.2 is σ(Exp, (A) δ(1, (−)A, (ψA ) σ(Exp, (B) δ((a : Exp) × ψA (⋆, a), (y)(B π0 (y)), (ψB ) ι(hΠ(A, B), (b)∀a : Exp.∀x : ψA (⋆, a).ψB (ha, xi, (b a))i))))) : OPgI,(i)D[i] (= OPI,(i)D[i],(i:I)×D[i] ) . • E. Palmgren’s higher order universe has code γ : OPr{0,...,n},(l)Opl (set) (= (k : {0, . . . , n}) → OP{0,...,n},(l)Opl (set),Opk (set) ) , where γ(0) := γ(i) := γ(n) := γUniv +OP γA b 0 +OP · · · +OP γA b n +OP γB b 0 +OP γap00 +OP γap01 +OP · · · +OP γap0n +OP γap10 , γB (i = 1, . . . , n − 1) , b i +OP γap1i γB . bn 18 and γUniv γA bk γB bk γap0i γap1i is a := := := code for all standard universe constructors, ι(Ak ) , σ(Ak , (a)ι(Bk (a))) , δ(1, (−)(i + 1), (Tf ) δ(1, (−)0, (Tu ) δ(Tu (⋆), (−)i, (Tv ) ι(π0 (Tf (⋆, hTu (⋆), Tv i)))))) , := δ(1, (−)(i + 1), (Tf ) δ(1, (−)0, (Tu ) δ(Tu (⋆), (−)i, (Tv ) σ(π0 (Tf (⋆, hTu (⋆), Tv i)), (a) ι(π1 (Tf (⋆), hTu (⋆), Tv i)(a)))))) . (To be formally correct we would have to work with Nn+1 instead of {0, . . . , n}). 6 Further Results There is an extended version [11] of this article which contains some additional topics. In particular we show the consistency of our theories by constructing a model in classical set theory where type-theoretic function spaces are interpreted as full set-theoretic function spaces, and some axioms for large cardinals are used for interpreting the type of sets closed under IIR and also to interpret the logical framework. This construction is a generalization of the model for non-indexed induction-recursion given in [9]. Furthermore, we show that the restricted and general form of an IIR are intertranslatable under certain conditions. We also show how to simulate certain forms of IIR by non-indexed inductive-recursive definitions (IR). References [1] P. Aczel. Frege Structures and the Notions of Proposition, Truth, and Set, pages 31–59. North-Holland, 1980. [2] T. Altenkirch, V. Gaspes, B. Nordström, and B. von Sydow. A user’s guide to ALF. http://www.www.cs.chalmers.se/ComputingScience/Research/ Logic/alf/guide.html, 1996. [3] A. Bove and V. Capretta. Nested general recursion and partiality in type theory. To appear in the Proceedings of TPHOL 2001. [4] C. Coquand. Agda. 2000. http://www.cs.chalmers.se/ catarina/agda/. [5] C. Coquand. A realizability interpretation of Martin-Löf’s type theory. In G. Sambin and J. Smith, editors, Twenty-Five Years of Constructive Type Theory. Oxford University Press, 1998. 19 [6] P. Dybjer. Inductive sets and families in Martin-Löf’s type theory and their set-theoretic semantics. In G. Huet and G. Plotkin, editors, Logical Frameworks, pages 280–306. Cambridge University Press, 1991. [7] P. Dybjer. Inductive families. Formal Aspects of Computing, 6:440–465, 1994. [8] P. Dybjer. A general formulation of simultaneous inductive-recursive definitions in type theory. Journal of Symbolic Logic, 65(2), June 2000. [9] P. Dybjer and A. Setzer. A finite axiomatization of inductive-recursive definitions. In J.-Y. Girard, editor, Typed Lambda Calculi and Applications, volume 1581 of Lecture Notes in Computer Science, pages 129–146. Springer, April 1999. [10] P. Dybjer and A. Setzer. Induction-recursion and initial algebras. Submitted for publication, April 2000. [11] P. Dybjer and A. Setzer. Indexed induction-recursion. To appear as a Report of Institut Mittag-Leffler, 2001. [12] L. Magnusson and B. Nordström. The ALF proof editor and its proof engine. In Types for proofs and programs, volume 806 of Lecture Notes in Computer Science, pages 213–317. Springer, 1994. [13] P. Martin-Löf. An intuitionistic theory of types: Predicative part. In H. E. Rose and J. C. Shepherdson, editors, Logic Colloquium ‘73, pages 73–118. North-Holland, 1975. [14] P. Martin-Löf. Constructive mathematics and computer programming. In Logic, Methodology and Philosophy of Science, VI, 1979, pages 153–175. North-Holland, 1982. [15] P. Martin-Löf. On the meaning of the logical constants and the justification of the logical laws, 1983. Notes from a series of lectures given in Siena. [16] P. Martin-Löf. Intuitionistic Type Theory. Bibliopolis, 1984. [17] P. Martin-Löf. An intuitionistic theory of types. In G. Sambin and J. Smith, editors, Twenty-Five Years of Constructive Type Theory. Oxford University Press, 1998. Reprinted version of an unpublished report from 1972. [18] B. Nordström, K. Petersson, and J. Smith. Programming in Martin-Löf ’s Type Theory: an Introduction. Oxford University Press, 1990. [19] E. Palmgren. On Fixed Point Operators, Inductive Definitions and Universes in Martin-Löf ’s Type Theory. PhD thesis, Uppsala University, 1991. [20] E. Palmgren. On universes in type theory. In G. Sambin and J. Smith, editors, Twenty-Five Years of Constructive Type Theory. Oxford University Press, 1998. [21] C. Paulin-Mohring. Inductive definitions in the system Coq - rules and properties. In Proceedings Typed λ-Calculus and Applications, pages 328– 245. Springer-Verlag, LNCS, March 1993. 20