Nominal Dependent Types as a Logical Framework

Transcription

1 ominal Dependent Types as a Logical Framework Elliot Fairweather, Maribel Fernández, ora Szasz, Alvaro Tasistro King s College London University ORT Uruguay July 20, 2011 Abstract We present a logical framework based on the nominal approach to representing syntax with binders. First we extend nominal terms, which have a built-in name-abstraction operator and a first-order notion of substitution for variables, with a capture-avoiding substitution operator for names. We then build a dependent type system for this extended syntax and show how it can be used to formalise systems with binding operators. 1 Introduction Logical frameworks and proof assistants (see for instance [28, 2, 29, 32, 35, 33, 6]) are used to specify formal systems (e.g., programming languages, mathematical structures, logics). Many formal systems involve binders, which induce a notion of α-equivalence on terms. For example, the let construct, well-known in functional languages, binds a name, and its operational semantics is usually defined in an informal way as follows. let a = in M (fun a.m) Another well-known system involving binding is the λ-calculus, where β and η-equivalences are defined by the axioms: (λx.m) = M[x/] (λx.mx) = M (x fv(m)) Logical frameworks therefore need to provide constructs to represent syntax with binders. Many logical frameworks are based on type theory - an alternative to set theory for the formalisation of mathematics. A logical framework is thus a type system, with sufficient expressive power to be used as a specification language (a meta-language) to represent formal systems. The basic ingredients in a type theory are the types, their elements (abstract syntax), and their inter-relations. Because of the need to represent syntax with binders, type theories traditionally use (some extension of) the λ-calculus: 1

2 binders are represented by λ-abstraction and substitution by application in the logical framework. This means that α-conversion is implicit in the syntax, and capture-avoiding substitution is a primitive notion. Since β-reduction is also part of the system, unification (i.e., checking whether two terms can be made equal) is undecidable in general. Moreover, the correspondence between the object-language entities and their representation in the framework is not precise (there are terms in the framework that do not represent object-entities, such as partially applied functions in the meta-language), and there may be more than one representative in the framework for a given object entity. These motivated the work on λ-free logical frameworks (see [1, 31, 39, 41] and also [40] for a recent survey). In this paper we explore the use of nominal syntax as an alternative for the definition of λ-free logical frameworks. Our aim is to define a nominal type theory (where the set of terms is defined using the nominal approach and the set of types includes types depending on terms) and use it to formalise systems with binding operators. In contrast with previous work on nominal type theories (see, e.g., Simple Type Theory [14] and ominal System T [38]), we do not use predicate logic or λ-calculus based theories. Instead, we design a system where the basic syntactical ingredients are names, variables, name-abstraction, name swapping, and substitution operators for both variables (capturing) and names (non-capturing), in addition to a user-defined signature (term and type constructors). We axiomatise the notions of α-equivalence of terms, and freshness of a name in a term, and give a dependent type system for this language, where types and terms are interdependent. We then show how to encode predicate logic or the λ-calculus in this system. These encodings are based on the idea that each formula ϕ in first-order logic can be represented as a term t ϕ of type P rop, and each proof of ϕ in a given formal system as a term of type P roof(t ϕ ). Similarly, each λ-term can be expressed as a term of type LT erm, and β-reduction can be expressed as a relation on terms of type LT erm. We prove the adequacy of the encodings. The language is user-defined: users define the type- and term-constructors of interest and give their type declarations. It is the user s responsibility to declare the types in accordance to the system to be formalised (adequacy). We do not consider equality axioms in this work; notions of equality or reduction can be represented in the system as relations. For instance, we show how β-reduction for the λ-calculus is encoded. It would interesting to consider an extension of the logical framework including a user-defined nominal equational theory, specified as a set of equality axioms or rewriting rules (see [26, 17, 21, 22]). Related work We follow the nominal approach to the specification of systems with binders [27]. ominal logic, a variant of first-order logic that axiomatises name-abstraction and α-equivalence using name-swappings, is defined in [36]. The syntax of our language can be seen as an extension of the nominal abstract syntax presented in [43], where nominal unification problems are shown to be decidable and to have unique most general unifiers when a unifier exists (see [10, 2

3 8, 30] for complexity results and implementation techniques). ominal sets have been used to give semantics to systems based on nominal abstract syntax (see, for instance, [36, 37, 24, 13]) and proof theories for nominal logic have also been considered (see, for instance, [25, 12]). ominal equational theories have been investigated in [26, 17, 21] and type system for nominal terms and equational theories, using rank 1 polymorphic types, are defined in [20, 19]. However, although proofs play an important role in all of these works, none of these systems deal explicitly with proof terms, and do not yield directly a nominal type theory. ominal type theory has been investigated by Schöpp and Stark [42], using categorical models of nominal logic. The nominal dependent type theories developed following this approach are very expressive, but it is not clear whether their computational properties make them suitable for use in a logical framework. ominal type theory as a basis for logical frameworks has been investigated by Cheney [14]. In the latter work, the author aims at identifying type-theoretic presentations of nominal logic with good computational properties, and proposes an extension of a typed λ-calculus with names, nameabstraction and concretion operators, and name-abstraction types. A system combining λ-calculus and nominal features is also investigated by Pitts [38] to define a nominal version of Gödel s System T. More recently, Westbrook [45] extends the Calculus of Inductive Constructions [34] with a name-abstraction construct in the style of [14]. Although, as in [42, 14, 38, 45], we aim at endowing nominal abstract syntax with a powerful type system that can serve as a basis for a logical framework, our approach is different. Instead of developing type-theoretic presentations of nominal logic by combining nominal syntax and the λ-calculus, we extend nominal syntax with a capture-avoiding substitution operator, and design a dependent type system for terms in this extended language. We illustrate the expressive power of the system by showing how first-order logic and the λ- calculus can be formalised in this system. One of the best known examples of logical frameworks is LF [28], based on a typed λ-calculus with dependent types: λp in Barendregt s cube [5]. Similarly, we can build term abstractions and type abstractions: the syntax for this is [a: τ]t, [a: τ]τ. However, unlike λp, there is no primitive notion of functional abstraction in our system, instead, there are function symbols in the user-defined signature: e.g. we can use S to represent successor, and declare it S : (at)at, which indicates that if t is of type at, then S(t) is a term of type at. We can also define a type constructor F un and a term constructor λ to build terms of function type, and there is a primitive notion of capture avoiding substitution that can be used to encode β-reduction. Other differences with LF include the distinction between atoms (which can be abstracted or unabstracted), variables (which cannot be abstracted but can be instantiated, with non-capture-avoiding substitutions), and the use of name swappings (or more generally, permutations), to axiomatise α-equivalence. Compared with previous approaches to the definition of λ-free logical frameworks [31, 1, 39], abstraction is a first-class ingredient in our syntax and can be used in arguments for term or type constructors (as in [31, 1, 39]), or on 3

4 its own (unlike [31, 1]) although we do not allow user-defined symbols of abstraction type. Also, as in [31, 1, 39], instantiation is a primitive notion in the system; it is used instead of the application operation used in λ-calculus based logical frameworks. A key difficulty encountered when following the approach of combining λ-calculus and nominal syntax is the interaction between name abstraction and functional abstraction (see [14] for a detailed discussion). It is therefore not surprising that in λ-free systems the interaction between captureavoiding substitution and name abstraction needs to be controlled carefully. We deal with this by using name swappings and freshness constraints for names, as is standard in nominal syntax (see for instance [43, 9, 11, 15]), instead of relying on explicit lists of arities and η-long normal forms as in [31, 1]. Variables in nominal terms may have suspended swappings and atom substitutions, and substitutions for variables may trigger atom-substitutions (similarly to the hereditary substitution mechanism of DMBEL [39]). Advantages of λ-free approaches were already discussed above. An advantage of a nominal approach for the definition of a λ-free logical framework is that from a semantical point of view, we remain within a first-order system extended with names, α-equivalence and substitution, instead of using higher-order functions to define binding and instantiation. The price to pay is that we need to include freshness as a primitive notion in the system, and reason explicitly about it (this could actually be seen as an advantage since freshness is a property that users might want to express in their formalisations any way). Compared with the approach of [14, 45], we do not assume that a name introduced by a name abstraction is different from names used outside, but we do offer syntax to declare freshness of names if freshness is needed (as in [43, 9, 15]). An alternative approach to deal with freshness assumptions consists of using global declarations, as described in [18]. 2 Background In this section we recall the basic notions of nominal syntax and type systems that we will need in the rest of the paper. 2.1 The nominal approach ominal techniques were introduced to facilitate the specification of systems with binders. In nominal syntax, there are two kinds of variables: atoms, which are names representing the variables of the object language that is being modelled, and variables or unknowns, representing meta variables. On atoms, there are operations of swapping, and more generally, permutations. ame swapping, i.e., swapping the atoms a and b in t, is denoted (a b) t. Permutations, π, π,..., are bijections on names, represented as lists of swappings. ominal terms are defined using atoms, variables, and function symbols (which are simply term constructors), and an abstraction operator, written [a]t. Permutations apply to terms in the natural way: each atom occurring in the 4

5 term is replaced by its image in the permutation, and permutations suspend on variables: π X denotes the variable X with the suspended permutation π. Terms are not defined as α-equivalence classes; instead, the α-equivalence relation on nominal terms is defined by induction using a freshness predicate. We write a#t to indicate that the atom a is fresh in the term t, in other words, a does not occur unabstracted in t. In nominal languages, there is a notion of substitution of terms for variables, which is like the usual first-order notion of substitution, except that if there is a permutation suspended on X, when a substitution θ of t for X is applied, π X is replaced by π t, that is, (π X)θ = π θ(x). In the next section we define the syntax of our language following the nominal approach and give full definitions of α-equivalence, freshness and substitution. 2.2 Dependent types Type systems have been extensively studied in the context of the λ-calculus. One of the most basic systems, the simply typed λ-calculus uses a set of types consisting of base types A, B,... and functional types τ τ. In more sophisticated type systems, the language of terms and the language of types might be interdependent. For the λ-calculus, type systems can be classified in a cube as shown by Barendregt [5] λ 2 λ ω λ P 2 λ C λ λ P The simply typed calculus (λ ) is on the bottom left corner, and the most expressive system, the Calculus of Constructions (λ C ), is on the top right. The system λ P is interesting because it permits types that depend on terms; these are usually called dependent types. In all the systems of the cube, terms inhabit types, and types inhabit, which is a kind. We refer to [5] for more details. 3 Syntax As mentioned in the introduction, the logical framework will be defined using nominal syntax. We will not use λ-terms, instead we will extend nominal terms with a primitive notion of atom substitution. 5

6 Consider denumerable and pairwise disjoint sets of atoms A, variables X (also called unknowns), and user-defined term-formers F (also called term constructors or function symbols) and type-formers C (also called type constructors). In the following, a, b,... A, X, Y,... X, f, g... F and C, D,... C. We follow a Church-style approach: we annotate atom-abstractions with types. Curry-style type systems (without type annotations) for nominal terms, using ML-style polymorphic types, are defined in [20, 19]. Here we prefer to use type annotations since we will have types that depend on terms. We do not consider polymorphism in this paper. We define first the sets of pseudoterms, pseudotypes and kinds, and then give the typing rules that will be used to select the well-formed elements in these sets, which will be the terms and types in the language. 3.1 Pseudoterms, Pseudotypes, Kinds The sets of pseudoterms and pseudotypes are defined by mutual induction. They are generated by the grammar: t ::= a (φ X)@t 1,..., t n [a: τ]t (t 1,..., t n ) f t τ ::= [a: τ]τ (τ 1,..., τ n ) C t where n 0, φ X is a pair of a variable X and a list φ of operations on atoms (swappings and atom substitutions; we give their syntax below) usually called a suspension, [a: τ]t and [a: τ]τ represent the abstraction of a in t and τ respectively, f is a term constructor and C a type constructor, denotes the destructor associated to abstraction, usually called concretion (if n = 0 we omit the concretion operator). If a#τ (read a fresh for τ ; we define freshness below) then [a: τ]τ is written as [τ]τ. If n = 0 we omit the brackets in application, and write f (resp. C) instead of f( ) (resp. C( )). There is only one kind: k ::= type We use the following syntax to denote swappings and atom substitutions: φ ::= Id (a b)φ {a t}φ If φ contains only swappings, we call it a permutation; π, π,..., range over permutations. If φ contains only atom substitutions we call it an a-substitution or just substitution if there is no ambiguity; σ, σ,..., range over a-substitutions. Permutations define bijections on atoms such that nontriv(π) = {a π(a) a} is finite. We usually omit Id in suspensions, and write simply X instead of Id X. We write π 1 for the inverse of π, and φ φ (or just φφ ) for the composition of φ and φ. A variable X stands for an unknown term. Substitutions of variables for terms (variable substitutions or v-substitutions for short) are generated by the following grammar, where we overload the notation and use again Id to denote 6

7 the identity since it will always be clear from the context whether it is an atom or a variable substitution: θ ::= Id [X t]θ Unlike a-substitutions, v-substitutions do not avoid capturing atoms. Below we define the action of permutations, a-substitutions and v-substitutions on terms. We use A(t) (resp. A(τ)) to denote the set of atoms occurring in t (resp. τ), and V (t) (resp. V (τ)) to denote the set of variables occurring in t (resp. τ). For instance, A([a: τ](b, (c b) X)) = {a, b, c} A(τ) and V ([a: τ](b, (c b) X)) = {X} V (τ). 3.2 Substitutions and permutations on terms Variable substitutions and atom substitutions act on pseudoterms and pseudotypes by instantiating their variables/atoms respectively. Swappings act on pseudoterms and pseudotypes by swapping atoms. Atom substitutions and swappings get suspended on variables. Concretions act on abstractions and suspend on variables. Definition 3.1 (Variable Substitution) A variable substitution θ is a partial function from variables to pseudoterms with finite domain. The variable substitution action tθ is defined by: aθ = a ((φ X)@t 1... t n )θ = (φθ X)@t 1 θ... t n θ (X dom(θ)) ((φ X)@t 1... t n )θ = (φθ θ(x))@t 1 θ... t n θ (X dom(θ)) ([a: τ]t)θ = [a: τθ](tθ) ([a: τ]τ )θ = [a: τθ](τ θ) (f t)θ = f (tθ) (C t)θ = C (tθ) (t 1,..., t n )θ = (t 1 θ,..., t n θ) (τ 1,..., τ n )θ = (τ 1 θ,..., τ n θ) ote that above we need to apply θ to φ because of φ may contain terms (in atom substitutions) and also to pseudotypes (because terms may be used with type constructors). The substitution θ acts on φ by instantiating the variables occurring in terms in atom-substitutions. Henceforth, if X dom(θ) then θ(x) denotes Id X. Definition 3.2 (Swapping and Atom Substitution) The action of atom operations (swappings and atom substitutions φ) on pseudoterms and pseudotypes is defined as follows: φ(a b) s = φ ((a b) s) φ{a t} s = φ ({a t} s) where the actions of an individual swapping (or more generally a permutation) 7

8 and an atom substitution are defined as follows: π a = π(a) π ((φ X)@t 1... t n ) = ((π φ) X)@π t 1... π t n π [a: τ]t = [π(a): π τ](π t) π [a: τ]τ = [π(a): π τ](π τ) π (t 1,..., t n ) = (π t 1,..., π t n ) π (τ 1,..., τ n ) = (π τ 1,..., π τ n ) π f t = f (π t) π C t = C (π t) ote that above π applies also to pseudotypes, which may contain atoms. {a t} a = t {a t} b = b {a t} ((φ X)@t 1... t n ) = ({a t} φ) X)@{a t} t 1... {a t} t n {a t} f s = f {a t} s {a t} C s = C {a t} s {a t} [a: τ]s = [a: τ]s {a t} [b: τ]s = [b: {a t}τ]{a t}s (b#t) {a t} (t 1,..., t n ) = ({a t}t 1,..., {a t}t n ) {a t} (τ 1,..., τ n ) = ({a t}τ 1,..., {a t}τ n ) {a t} [a: τ]τ = [a: τ]τ {a t} [b: τ]τ = [b: {a t}τ]{a t}τ (b#t) Above {a t} has to be applied also to pseudotypes because they may contain terms. The condition b#t (see the definition of # below) ensures that atom substitutions are non-capturing. Definition 3.3 (Concretion) The concretion operator acts only on abstractions, by destroying the abstraction and replacing the abstracted atom by a concrete term. It suspends on variables and does not affect other terms or types (since no term- or type-constructor can build an abstraction). ([a: τ]s)@t 1... t n = ({a t 1 } s)@t 2... t n ([a: τ]τ )@t 1... t n = ({a t 1 } τ )@t 2... t n a@t 1... t n = a (f s)@t 1... t n = f s (C s)@t 1... t n = C s (s 1,..., s n )@t 1... t n = (s 1,..., s n ) (τ 1,..., τ n )@t 1... t n = (τ 1,..., τ n ) Remark 3.4 The concretion operator can only occur next to a suspension (in well-typed terms, with a variable of abstraction type). Thus, it is always possible to replace the suspension by an abstraction (a sort of η-expansion ) on which the concretion operator can act. More precisely, if X is a variable of type [a 1 : τ 1 ]... [a n : τ n ]τ and we have (φ X)@t 1... t n, we can replace X with [a 1 : τ 1 ]... [a n : τ n ]X where X is a new variable and a 1,..., a n are fresh atoms. Then, we write {a 1 t 1 }... {a n t n }φ X ) instead of (φ X)@t 1... t n. We give detailed examples later. 8

9 Since the concretion operator is superfluous, we will not consider it in the rest of the paper. The following property allows us to define a canonical form for φ (it is reminiscent of the substitution lemma in the λ-calculus [4], used to compose substitutions). Property 3.5 Let M denote a ground pseudoterm s or ground pseudotype τ (i.e., no variables occur on M): (π{a t}) M = ({π(a) π t}π) M and ({a t}π) M) = (π{π 1 (a) π 1 t}) M. As a consequence, for any variable substitution θ such that θ(x) is a ground pseudoterm (i.e., a pseudoterm without variables): ((π{a t}) X)θ = (({π(a) π t}π) X)θ and (({a t}π) X)θ = ((π{π 1 (a) π 1 t}) X)θ Proof 3.6 By mutual induction on the structure of pseudoterms and pseudotypes. As a consequence, we will always assume φ to be in one of the two canonical forms πσ or σπ. 3.3 Pseudocontexts and pseudojudgements The typing judgements will have the form: Γ; t: τ Γ; τ : type where Γ and contain typing assumptions and freshness assumption, respectively. Freshness and typing assumptions are generated by the grammars below. C ::= a#x T ::= a : τ X : τ Pseudocontexts are pairs Γ; where Γ, the typing pseudocontext, is a list of typing assumptions (there may be more than one assumption for the same variable or atom; we give examples below), and, the freshness pseudocontext, is a set of freshness assumptions. Γ, a: τ (resp. Γ, X : τ) denotes the result of adding a: τ (resp. X : τ) at the end of Γ. If Γ or are empty, we omit the ;. 3.4 Pseudodeclarations We will assume that there is a declaration for each user-defined function symbol and type constructor. Declarations will have the form: Γ; t: τ; f t: τ Γ; t: τ; C t: type 9

10 Declarations can be understood intuitively as follows: If, under the assumptions in Γ and, t has type τ then f t (resp. C t) has type τ (resp. type). In other words, the declarations state the type constraints that t must satisfy so that the term (resp. type) built using f (resp. C) and t is correctly typed. 4 Freshness, α-equivalence and matching In this section we define by induction the freshness and α-equivalence relations on pseudoterms and pseudotypes. The type system introduced in the next section checks that term and type constructors are used in a way that is consistent with the declarations given by the user. For this, terms and types are matched against declarations. Thus, in addition to α-equivalence and fresheness, below we define a notion of matching, and give algorithms to check freshness, α-equivalence and matching. Definition 4.1 (Freshness) We say that the atom a is fresh for the pseudoterm t (resp. the pseudotype τ) under a set of freshness assumptions of the form a#x, written a#t (resp. a#τ), if a#t (resp. a#τ) can be derived, using the axioms and rules below, from the assumptions in. (atm) a#b π 1 (b)#im(σ supp(x) ) (π 1 (b) dom(σ) or π 1 (b)#x) (var) b#πσ X a#τ (absa) a#[a: τ]s a#s a#τ (absb) a#[b: τ]s a#s 1... a#s n (tpl) a#(s 1,..., s n ) a#s (f) a#f s a#τ (absa τ ) a#[a: τ ]τ a#τ a#τ (absb τ ) a#[b: τ ]τ a#τ 1 a#τ n (tplτ ) a#(τ 1,..., τ n ) a#t (C) a#c t The main differences with respect to standard nominal terms are the new rules for types (absa τ, absb τ, tpl τ and C), and the rule for variables (var) where take into account suspended atom substitutions as well as suspended permutations. This rule has two hypotheses, which correspond to conditions on π 1 (b) that ensure that b is fresh for πσ X. We explain them below. 1. The first one, π 1 (b)#im(σ supp(x) ), is an abbreviation for the set of freshness constraints: {π 1 (b)#σ(a) or a#x a dom(σ)} Thus, π 1 (b)#σ(a) for any a that may occur in an instance of X (i.e., any a such that we do not have a#x). In other words, we know that after X is instantiated and the substitution σ applied to the term that replaces X, the atom π 1 (b) will remain fresh. 10

11 2. The second condition is a disjunction: π 1 (b) dom(σ) or π 1 (b)#x, that is, it requires π 1 (b) in the domain of σ to ensure that it will be replaced by a term where it is fresh (due to the previous condition), otherwise, π 1 (b) must be fresh for X (so that no instance of X may contain this atom). Definition 4.2 (α-equivalence) We say that two pseudoterms t, t are α- equivalent under the set of freshness assumptions for variables, written t α t, if t α t can be derived, using the axioms and rules below, from the assumptions in. Similarly for two pseudotypes τ, τ. a α a ds(φ, φ )#X φ X α φ X s α t τ α τ [a : τ]s α [a : τ ]t a#t s α (a b) t τ α τ [a : τ]s α [b : τ ]t s 1 α t 1... s n α t n (s 1,..., s n ) α (t 1,..., t n ) s α t f s α f t τ α τ τ 1 α τ 2 a#τ [a : τ 1 ]τ α [a : τ 2 ]τ τ 1 α τ 1... τ n α τ n (τ 1,..., τ n ) α (τ 1,..., τ n) τ α (a b) τ τ 1 α τ 2 [a : τ 1 ]τ α [b : τ 2 ]τ s α t C s α C t where ds(φ, φ ) = {a φ a α φ a} is the difference set of φ, φ, that is, the set of atoms where they differ. In other words, two suspensions are α-equivalent if it is the same variable, and for any a, either φ a α φ a or a#x. For example, b#x {a c} X α {b c}(a b) X since {a c} a = c = {b c}(a b) a, {a c} c = c = {b c}(a b) c, and although {a c} b = b {b c}(a b) b = a, we have the assumption b#x. In this sense, the atom that is substituted behaves like a bound atom, but note that it does not behave like an abstraction: a#x X α {a c} X a#x X α [a: τ]x The notions of matching and unification for standard nominal terms extend in the natural way to our language. Definition 4.3 (Matching) Let l and s be a pair of pseudoterms with their corresponding freshness contexts, such that V ( l) V ( s) =. We say that l is the pattern against which the term s is matched. A solution to the matching problem is a variable substitution θ such that ( l)? ( s) θ and lθ α s and dom(θ) V ( l). 11

12 In the type system, declarations will be patterns against which terms will be matched. To avoid ambiguities, declarations should not overlap. This property can be easily checked by solving a unification problem. Definition 4.4 (Unification) A unification problem s?? t, where s, t are pseudoterms in a freshness context, has a solution if there exists a substitution θ such that sθ α tθ. 4.1 Checking freshness, α-equivalence, matching For standard nominal terms, freshness and α-equivalence are decidable [44] and can be checked efficiently [7]. ominal matching was also shown to be decidable and to have unique most general solutions (when there is a solution) in [44]. In the case when a pattern is matched against a ground term (i.e., a term without variables), as usual in functional programming, there is a linear time algorithm to find the most general solution when one exists [7]. Decidability of freshness, α-equivalence, matching and unification, for the extended language, is essential in order to build a logical framework based on this syntax. We show below that these problems are decidable. Since the definitions of freshness and α-equivalence are inductive and the rules are syntax directed, it is easy to derive recursive functions to check freshness and α-equivalence. However, note that, unlike the standard nominal syntax, where if a#t succeeds, there is a unique minimal such that a#t, here there may be several minimal freshness contexts i that allow us to derive i a#t, due to suspended atom substitutions. For instance, b#x, b#y b#{a Y } X and b#x, a#x b#{a Y } X because we can derive that b is fresh for the term {a Y } X using the assumptions b#x, b#y or b#x, a#x. Since freshness is used in the definition of α, this also means that there may be more than one minimal context such that s α t. This will not be a problem for the type system defined later on, since we will always work with a given set of type and freshness assumptions, so we will simply need an algorithm to check whether a#t or s α t is derivable from the given. We discuss the algorithms to check freshness and α-equivalence, and to solve matching problems, below Freshness Given an atom a, a pseudoterm t and a freshness pseudocontext, a function F resh? to check whether a#t can be defined recursively, following the syntax-directed rules given above. F resh?(, a, t) returns a Boolean indicating whether a#t holds or not. Base case - Axiom (atm), t A: F resh?(, a, t) = (a t) 12

13 Recursive cases: The only case that is not straightforward is the case of a variable, t = πσ X: F resh?(, a, πσ X) = if πσ Id then F reshs?(, π 1 (b), Im(σ supp(x) ) ((π 1 (b) dom(σ) F resh?(, π 1 (b), X)) else (π 1 (b)#x ) Here the function recursively checks freshness conditions on the image of the substitution and also checks a disjunction where one of the elements is a membership condition (note that π 1 (b) dom(σ) can be easily checked, and if this test fails then π 1 (b)#x should be in for the freshness check to succeed). We omit the other cases. To guarantee termination, we must show that checking freshness conditions on the image of the substitution is a smaller problem in a suitable sense. Since the substitution σ is part of the input term, this is the case (we assume that in the input term, all the atom substitutions have been simplified so that there is at most one element {a s} for each atom a and σ is idempotent; these are standard assumptions for substitutions and can be easily implemented, see for instance [3]). More generally, given just an atom a and a pseudoterm t, we can define recursively a function to check whether there exists a set of freshness assumptions for variables such that a#t holds, and output a minimal context i such that i a#t holds (if one exists). The base case corresponds to the axiom (atm): if t is an atom b different from a then the empty freshness context should be returned, otherwise, if t is a then there is no freshness context such that a#t can be derived (failure). Again we describe only the case of a variable, that is, when t is a suspension πσ X. Here the function should recursively check freshness conditions on the image of the substitution and also check a disjunction where one of the elements is a membership condition (π 1 (b) dom(σ) can be easily checked, and if this test fails then the condition π 1 (b)#x should be part of the output). Termination follows from the fact that checking freshness conditions on the image of the substitution is a smaller problem, since the substitution σ is part of the input term (again, we assume that in the input term, all the atom substitutions have been simplified so that there is at most one element {a s} for each atom a and σ is idempotent). According to the rules in Definition 4.1, the result of the function is a conjunction of disjunctions of freshness assumptions for variables, or failure. In the first case, by computing the disjunctive normal form, we obtain the set of freshness contexts i such that a#t: each conjunction in the disjunctive normal from corresponds to one of the i α-equivalence Given two pseudoterms s and t, and a freshness pseudocontext, a function to check whether s α t can be defined recursively, following the syntaxdirected rules given above. More generally, we can define recursively a function 13

14 that checks whether there exists a set of freshness assumptions for variables such that a α t holds, and outputs all the minimal i satisfying this property. As above, the only case that is not straightforward is the case where s and t are suspensions φ X, φ X. In this case, assuming without loss of generality (see Remark 3.4) φ = πσ and φ = π σ, we need to compute the difference set {a πσ a α π σ a}. This can be done recursively by going over the domains of σ and σ, checking additionally that π and π (which by definition are finite bijections of atoms) do not differ on atoms that are not in dom(σ) dom(σ ) Matching Solving matching problems in our language is more difficult than with standard nominal terms, due to the fact that variables may have suspended atom substitutions in addition to permutations, which will act when a variable substitution applies. The standard notion of matching for nominal terms enjoys uniqueness of most general solutions (modulo variable renamings). This is not the case in our language; as a counterexample, consider the problem ( {a b} X)? ( b) which has solutions {X a} and {X b}. The situation is similar for logical frameworks based on the λ-calculus. The solution there is to restrict the form of the matching problems. Inspired by LF, we will design the type system so that we will only need to match terms such that if {x t} P occurs in the pattern then Id P also occurs in the pattern, thus, the value of P is uniquely determined. ote that if an atom-substitution occurs in the matched term rather than in the pattern, then it can be treated as a constant subterm since variables in the matched term are not substituted. With this assumption, we can build an algorithm to solve a matching problem ( l)? ( s) by traversing the pattern l and checking the corresponding position in s, as in the algorithm to check α-equivalence, with the exception that when a suspension φ X is found in l and s i is the corresponding subterm in s: If φ is Id, we generate substitution {X s i } and apply it in the rest of the problem (the latter is needed because patterns may be non-linear, that is, the same variable may occur several times). If φ is not Id we generate an equation φ X? s i, and continue the traversal. The algorithm ends when all the equations have been processed or matching failure (clash) has been discovered. At this point, if there is no failure, we have computed a minimal substitution θ such that lθ α s. It remains to check that θ, which can be done using the algorithm to check freshness described above. Soundness, completeness and termination of the matching algorithm can be shown as for standard nominal matching. 14

15 Thus, even with this extended syntax, freshness and α-equivalence remain decidable. However, the notion of matching given above does not take into account equivariance. In other words, a pattern f a does not match with f b. This is natural because we have designed our matching algorithm to take into account α-renaming for abstracted atoms only; free atoms are treated like constants. Equivariant matching takes into account also renamings of free atoms in patterns; it is a more general notion of matching which, already for standard nominal terms, is known to be P-complete. To avoid the exponential cost, the solution proposed in [23, 21] is to restrict matching problems to closed patterns. In closed patterns, there are no unabstracted atoms, and for each variable X occurring in the pattern, all occurrences of X are under abstractions for the same atoms. Below we give a formal, operational definition of closedness, using freshened variants of pseudoterms. Definition 4.5 (Freshened variants) If t is a pseudoterm, we say that t is a freshened variant of t when t has the same structure as t, except that the atoms and unknowns have been replaced by fresh atoms and unknowns (so they are not in A(t) and V (t), and perhaps are also fresh with respect to some atoms and unknowns from other syntax, which we will always specify). We omit an inductive definition. Similarly, if is a freshness pseudocontext then will denote a freshened variant of (so if a#x then a #X, where a and X are chosen fresh for the atoms and unknowns of ). Example 4.6 The pair (a, b ) is a freshened variant of (a, b) and the abstraction [a : at][b : Bool]X is a freshened variant of [a: at][b: Bool]X. Also, a #X is a freshened variant of a#x. either [a : Bool][a : Bool]X nor [a : Bool][b : Bool]X are freshened variants of [a: Bool][b: Bool]X: the first, because we have wrongly identified two distinct atoms when we freshened them; the second, because we did not freshen X. Definition 4.7 (Closed pseudoterms) Let be a freshness pseudocontext and l a pseudoterm. We say that l is closed if there exists a solution for the matching problem (1) ( l )? (, A(, l )#V (, l) l). Example 4.8 Although there are no unabstracted atoms in the term f([a: Bool]X, X), it is not closed, since the atom a is abstracted in the first occurrence of X but not in the second. However, a#x f([a: Bool]X, X) is closed, since the freshness constraint ensures that a cannot occur in instances of X. For a descriptive, inductive definition of closed nominal terms, see [16]. Definition 4.7 above is given in the form of a simple test to check for closedness. Unification is also decidable (we omit the algorithm). 15

16 5 Type System 5.1 Typing Judgements Typing judgements are derived using the following axioms and rules, where we assume that we are given a valid set Σ of declarations for term and type constructors. The validity of contexts and sets of declarations is defined by mutual induction. Definition 5.1 (Declarations and Contexts) We write Σ valid to denote that Σ is a valid set of declarations and Σ Γ; to state that Γ; is a valid context with respect to the valid set of declarations Σ. Valid declarations are inductively defined as follows: valid If Σ valid, τ is not an abstraction and V (τ ) V (t, τ), (t, τ, τ ) is closed, and for any variable X, if πσ X occurs in (t, τ) with σ Id then π X also occurs in (t, τ) for some π, then: Σ Γ; Γ; Σ τ, τ : type Γ; Σ t: τ f t Σ Σ {Γ; t : τ; f t : τ } valid where f t Σ means that there is no declaration in Σ of the form f s, where s and t are unifiable. If Σ valid, (t, τ) is closed, and for any variable X, if πσ X occurs in (t, τ) with σ Id then π X also occurs in (t, τ) for some π, then: Σ Γ; Γ; Σ τ : type Γ; Σ t: τ C t Σ Σ {Γ; t : τ; C t : type}valid where C t Σ means that there is no declaration in Σ of the form C s, where s and t are unifiable. ote that the conditions on valid declarations imply that in a valid Σ, declarations do not overlap. Valid contexts, assuming Σ valid, are defined as follows: Σ ;, that is, the empty set of type assumptions is valid for any set of freshness assumptions. Σ Γ; Γ; Σ τ : type X dom(γ) Σ Γ, X : τ; Σ Γ; Γ; Σ τ : type Σ Γ, a: τ; 16

17 Below we assume a valid Σ and omit the subindex of Σ. In the rules for variables we use a property : Γ, X : τ; φ X : holds if, assuming φ = πσ: for any atom a such that σ(a) a and a#x, there exists τ such that Γ, X : τ; σ(a): τ ; for any atom a such that π(a) a and a#σ X, there exists τ such that Γ; a: τ and Γ; π(a): τ. Definition 5.2 (Typing rules) The typing judgements are derived using the following rules. Γ, a: τ; Γ, a: τ; a: τ (atm) Γ, X : τ; Γ, X : τ; φ X : (unkn) Γ, X : τ; φ X : φ τ Γ, a: τ; t: τ (abs) Γ; [a: τ]t: [a: τ]τ Γ; (tup 0 ) Γ; (): () Γ; t i : τ i (1 i n) (tup) Γ; (t 1,..., t n ): (τ 1,..., τ n ) Γ ; t : τ θθ Γ ; τθθ : type (cns) if Γ ; f t : τθθ Γ; t: τ ; f t: τ θ = ( t? t ) θ = (Γ, t :? τ θ) Γ, a: τ; τ : type (abs τ ) Γ; [a: τ]τ : type Γ; (tup τ 0) Γ; (): type Γ; τ i : type (1 i n) (tup τ ) Γ; (τ i,..., τ n ): type Γ ; t : τ θθ (cns τ ) if Γ ; C t : type Γ; t: τ; C t: type θ = ( t? t ) θ = (Γ, t :? τ θ) Γ; t: τ t α t, τ α τ (α) Γ; t : τ 17

18 We make some remarks about the rules. In the rules atm and unkn the validity of the context is needed as a premise because we do not asume Γ to be a valid context. The rules for term and type constructors use: a freshened copy of the declaration provided by the user, a substitution θ obtained using the nominal matching algorithm, and a substitution θ. Operationally, θ is computed by an auxiliary function that infers types for terms under a context, noted :?. The result of Γ, t :? τ is a substitution θ such that τθ is a type for t under Γ,. In other words, the function :? is used to infer a type for t by instantiating τ. This inference problem is decidable if the declarations provided in Σ satisfy certain conditions, described below; the type checking algorithm is given in a forthcoming paper. ote that the rule (α) is included in order to take into account the α-equivalence relation on terms and types. However, to implement the type checker, we use an equivalent syntax-directed version of the typing rules, where the α-equivalence relation is built into the rules (avoiding the use of an explicit rule α). 5.2 Full Declarations and Inference A full declaration for term constructors has the form: where Γ; t: τ, Γ; t: τ ; f t: τ Γ; τ : type, τ is not an abstraction and all the variables in τ occur in (t, τ ); (t, τ, τ ) is closed; for any variable X, if πσ X occurs in (t, τ) with σ Id then π X also occurs in (t, τ) for some π. Therefore, no term constructor can build a term of abstraction type, but abstractions can be used to build terms. We give a simple example below. Since in the typing rule for terms headed by function symbols, i.e., terms of the form ft (and similarly for terms Ct headed by type constructors) we obtain the type for ft by instantiating the type τ given in the declaration, we require all the variables in τ to occur in (t, τ ). The requirement of closedness ensures efficiency of matching, and the last condition ensures that most general matching solutions are unique. In practice, users will not need to give full declarations; it is sufficient to write Γ; f t: τ and the system will infer the full declaration (by computing the type of t). 18

19 A full declaration for type constructors has the form: Γ; t: τ; C t: type where Γ is a valid context, Γ; τ : type, (t, τ) is closed, and for any variable X, if πσ X occurs in (t, τ) with σ Id then π X also occurs in (t, τ) for some π. Again, users will only need to write Γ; C t: type and the system will infer the full declaration. Example 5.3 We may declare a term-constructor λ to build functions on natural numbers, assuming we have type constructors at representing the natural numbers and F un at representing functions from at to at: at: type F un at : type X : at [a: at]x : [a: at]at; λ[a: at]x : F un at We give more examples in Section 7. 6 Metatheory The typing rules satisfy the usual properties: Proposition 6.1 (Validity) If Γ; Σ t: τ then Σ valid, Σ Γ; and Γ; Σ τ : type. If Γ; Σ τ : type then Σ valid and Σ Γ;. Proof 6.2 By simultaneous induction on the type derivation. Proposition 6.3 (Weakening) If Γ; Σ t: τ (resp. Γ; Σ τ : type), Γ = Γ, a: τ or Γ = Γ, X : τ such that Γ ;, and a, X do not occur in t, τ, then Γ ; Σ t: τ. Proof 6.4 By simultaneous induction on the type derivation. Proposition 6.5 (Unicity of types) If Γ; Σ t : τ 1 and Γ; Σ t : τ 2 then τ 1 α τ 2. Proof 6.6 By induction on the type derivation. The only case that is not straightforward is the case in which the derivation concludes using the rule (cns). In this case, the unicity of the type is a consequence of the fact that declarations do not overlap (i.e., there is a unique declaration that matches the term considered) and matching problems have unique solutions under our assumptions for declarations (see section 5.2). 19

20 Equivariance is a sort of meta α-equivalence: An equivariant version of Σ, is a Σ where we rename atoms and variables. For example: given a declaration for the quantifier in first order logic P : P rop ([x: ]P ): P rop we can equivalently use P : P rop ([y : ]P ): P rop. The following proposition formalises this property. We give more details in section 7. Proposition 6.7 ( Σ-equivariance) If Γ; Σ t : τ and Σ equivariant to Σ then Γ; Σ t : τ Proof 6.8 Consequence of the fact that a valid Σ contains only closed declarations, the matching algorithm used in rules (cns) and (cns τ ) takes into account α-equivalence, and the type system includes the (α) rule. 7 Examples In this section we show how the nominal dependent type system can be used to specify various formal systems. 7.1 First Order Logic We start with the specification of first-order logic (FOL), a prototypical system with binding. Declarations We start with the basic types of natural numbers, propositions and proofs, and the constructors used to build numbers (0 and S) and propositions (, Imp (implication) and, other connectives could be added in a similar way). : type P rop: type P : P rop P roof (P ): type 0: X : S (X): P 1, P 2 : P rop Imp(P 1, P 2 ): P rop : P rop P : P rop ([x: ]P ): P rop We give next the declarations of the predicates used to build proofs (introduction and elimination of Imp and : Imp i, Imp e, i, e, and elimination of : e ). 20

21 P 1, P 2 : P rop, P : [x: P roof(p 1 )]P roof(p 2 ) Imp i (P ): P roof(imp(p 1, P 2 )) P 1, P 2 : P rop, Q: P roof(imp(p 1, P 2 )), Q 1 : P roof(p 1 ) Imp e (Q, Q 1 ): P roof(p 2 ) P : P rop, Q: P roof( ) e (P, Q): P roof(p ) P : P rop, Q: [n : ]P roof(p ) i Q: P roof( ([n : ]P )) P : P rop, Q : P roof( ([n : ]P )), X : e (Q, X): P roof({n X} P ) ote that in the declaration for e we need to use the variables P and Q as arguments because of the restriction that all variables in the type of e should occur in its arguments or in its types. Also note that in the declaration for i above, we use Q of type [n: ]P roof(p ), in other words, n is not free, as expected. The full declaration (which can be inferred) is: P : P rop, Q: [n: ]P roof(p ) Q : [n: ]P roof(p ); i Q: P roof ( ([n : ]P )) When this declaration is used to type terms built with i (i.e., when checking proofs of propositions that use universal quantification) we will use matching to obtain the values of Q and P (we give examples below). The declaration for e uses a non-capturing substitution. It would also be possible to give a declation for e using the context P : P rop, Q : P roof( P ), X : but then we would need to use a concretion operator: P : [n : ]P rop, Q : P roof( P ), X : e (Q, X): P As explained in Section 3, we prefer the encoding with an explicit abstraction which does not require concretion. Finally, we define the predicates GE (greater than or equal to, ) and Ev (even) for natural numbers. X, Y : GE(X, Y ): P rop X : G 0 (X): P roof(ge(x, 0)) X, Y :, P : P roof(ge(x, Y )) G s (P ): P roof(ge(s(x), S(Y ))) X : Ev(X): P rop E 0 : P roof(ev(0)) X :, P : P roof(ev(x)) E ss (P ): P roof(ev(s(s(x)))) ote that, similarly to the declaration of e, we need to use the variable X in the declaration for G 0. We could define a more general system where in a declaration Γ; t : τ ; f t: τ we permit variables in τ which are not in t, τ. For instance, these will be parameters representing meta-variables in the first-order logic example below. With this extension we could have declarations X : G 0 : P roof(ge(x, 0)), 21

22 and P : P rop, X : P roof( ) e (X) : P roof(p ) and then, prove X : G 0 : P roof(ge(x, 0)) and P : P rop, X : P roof( ) e (X) : P roof(p ). But then type inference would not be decidable. We now give examples to show how to derive proofs using the declarations given above. Example 1 We can prove that ([x: ]GE(x, 0)) is a well formed formula. Below we show the derivation of ([x: ]GE(x, 0)): P rop using the declaration for. First note that the full declaration P : P rop [x: ]P : [x: ]P rop; ([x: ]P ): P rop can be obtained from the abbreviated one by inferring the type of [x: ]P, as follows: (cnt) (cns τ ) : type (cnt) (cns τ ) x: P rop: type (cnt) x:, P : P rop Then we derive: x:, P : P rop P : P rop P : P rop [x: ]P : [x: ]P rop. (atm) (cns τ ) x: x: x: 0: tup x: (x, 0): (, ) (cns) 2 x: GE (x, 0): P rop (abs) [x: ]GE (x, 0): [x: ]P rop 1 (cns) ([x: ]GE (x, 0)): P rop where: 1. θ = {P GE (x, 0)} τ = [x: ]P rop θ = Id 2. θ = {X x, Y 0} τ = (, ) θ = Id x:, P : P rop P : (unkn) (abs) Example 2 We now show that i ([x: ]G 0 (x)) is a proof of ([x: ]GE(x, 0)). The full declaration of i can be easily inferred from the abbreviated declaration: P 1 : P rop, P 2 : [n : ]P roof(p 1 ) P 2 : [n : ]P roof(p 1 ); i P 2 : P roof ( ([n : ]P 1 )) 22

23 . (atm) x: x: (cns) 2 x: G 0 (x): P roof(ge(x, 0)) (abs) [x: ]G 0 (x): [x: ]P roof(ge(x, 0)) (α) [x: ]G 0 (x): [n: ]P roof(ge(n, 0)) (cns) 1 i ([x: ]G 0 (x)): P roof ( ([x: ]GE(x, 0))) where: 1. θ = {Q [x: ]G 0 (x)} τ = [n: ]P roof(p ) θ = {P GE(n, 0)} 2. θ = {X x} τ = θ = Id Example 3. (cns) x: G 0 (x): GE(x, 0) (abs) [x: ]G 0 (x): [x: ]GE(x, 0) (α) i ([x: ]G 0 (x)): P roof( ([x: ]GE(x, 0))) 2 (cns) i ([x: ]G 0 (x)): P roof( ([n: ]GE(n, 0))). (cns) 0: (tup) ( i ([x: ]G 0 (x)), 0): (P roof( ([n: ]GE(n, 0))), 0) 1 (cns) e ( i ([x: ]G 0 (x), 0): P roof (GE(0, 0)) where: 1. θ = {Q i ([x: ]G 0 (x)), X 0} τ = (P roof( ([n: ]P )), ) θ = {P GE(n, 0)} 2. θ = {Q [x: ]G 0 (x)} τ = [n: ](P roof(p )) θ = {P GE(n, 0)} Example 4. (cns) 0: (cns) S(0): 2 (cns) S(S(0)): (cns) 1 Ev(S(S(0))): P rop where: 1. θ = {X S(S(0))} τ = θ = Id 2. θ = {X S(0)} τ = θ = Id 23

24 Example 5 (cns) E 0 : P roof(ev(0)) (cns) 1 E SS (E 0 ): P roof(ev(s(s(0)))) where: 1. θ = {P E 0 } τ = P roof(ev(x)) θ = {X 0} Example 6 (cns) x: Ev(x): P rop. (cns) x: Ev(S(S(x))): P rop (tup) x: (Ev(x), Ev(S(S(x)))): (P rop, P rop) 2 (cns) x: Imp(Ev(x), Ev(S(S(x)))): P rop (abs) [x: ]Imp(Ev(x), Ev(S(S(x)))): [x: ]P rop 1 (cns) ([x: ]Imp(Ev(x), Ev(S(S(x))))): P rop where: 1. θ = {P Imp(Ev(x), Ev(S(S(x))))} τ = [x: ]P rop θ = Id 2. θ = {P 1 Ev(x), P 2 Ev(S(S(x)))} τ = (P rop, P rop) θ = Id Example 7. (cns) x:, z : P roof(ev(x)) E SS (z): P roof(ev(s(s(x)))) x: [z : P roof(ev(x))]e SS (z): [z : P roof(ev(x))]p roof(ev(s(s(x)))) (α) (abs) x: [z : P roof(ev(x))]e SS (z): [a: P roof(ev(x))]p roof(ev(s(s(x)))) (cns) 2 x: Imp i ([z : P roof(ev(x))]e SS (z)): P roof(imp(ev(x), Ev(S(S(x))))) (abs) [x: ]Imp i ([z : P roof(ev(x))]e SS (z)): [x: ]P roof(imp(ev(x), Ev(S(S(x))))) (α) [x: ]Imp i ([z : P roof(ev(x))]e SS (z)): [n: ]P roof(imp(ev(n), Ev(S(S(n))))) (cns) 1 i ([x: ]Imp i ([z : P roof(ev(x))]e SS (z))): P roof( ([x: ]Imp(Ev(x), Ev(S(S(x)))))) where: 1. θ = {Q [x: ]Imp i ([z : P roof(ev(x))]e SS (z))} τ = [n: ]P rop θ = {P Imp(Ev(n), Ev(S(S(n))))} 2. θ = {P [z : P roof(ev(x))]e SS (z)} τ = [a: P roof(p 1 )]P roof(p 2 ) θ = {P 1 Ev(x), P 2 Ev(S(S(x)))} 24

25 Example 8 Let Γ be the context P : P rop, Q: P roof( ([y : ] ([x: ]P ))), then:. (cnt) Γ, p: P roof( ([x: ] ([y : ]P ))) Γ, p: P roof( ([x: ] ([y : ]P ))) Q: (unkn) Γ, p: P roof( ([x: ] ([y : ]P ))) Q: P roof( ([y : ] ([x: ]P ))) (abs) Γ [p: P roof( ([x: ] ([y : ]P )))]Q: [p: ([x: ] ([y : ]P ))]P roof( ([y : ] ([x: ]P ))) (cn Γ Imp i ([p: P roof( ([x: ] ([y : ]P )))]Q): P roof(imp( ([x: ] ([y : ]P )), ([y : ] ([x: ]P )))) where: 1. θ = {P [p: P roof( ([x: ] ([y : ]P ))]Q} τ = [p: P roof(p 1 )]P roof(p 2 ) θ = {P 1 ([x: ] ([y : ]P )), P 2 ([y : ] ([x: ]P ))} 7.2 Simply Typed Lambda Calculus The λ-calculus is another well-known example of a system with binding. We can formalise the simply typed λ-calculus in our nominal type theory with the following declarations. Types: Otype denotes the types of the object language, and there is a ground type ι and function types: Otype : type ι: Otype A, B : Otype F un(a, B): Otype The λ-terms of a certain type T will be encoded as terms of type T rm(t ), where T rm is a type constructor in our system: T : Otype T rm(t ) : type We give below the representation of terms for simply typed λ-calculus. ote that we do not need a rule for variables since we use the atoms of our framework. We also use the framework s abstraction mechanism for representing abstractions in the object language: A, B : Otype, M : T rm(f un(a, B)), : T rm(a) App(M, ) : T rm(b) A, B : Otype, X : T rm(b) Lam([x : T rm(a)]x) : T rm(f un(a, B)) Beta reduction is specified as a relation between terms of the same type, with the usual reduction rule: A : Otype, X, Y : T rm(a) BRed(X, Y ) : type A, B : Otype, X : T rm(b), Y : T rm(a) Beta(App(Lam([x : T rm(a)]x), Y ), {x Y } X) : BRed(App(Lam([x : T rm(a)]x), Y ), {x Y } X) 25