Extracting Programs from Constructive HOL Proofs via IZF Set-Theoretic Semantics

Robert L. Constable and Wojciech Moczydłowski
Department of Computer Science, Cornell University, Ithaca, NY 14853, USA
e-mail address: {rc,wojtek}@cs.cornell.edu

Logical Methods in Computer Science, Vol. 4 (3:5) 2008, pp. 1–17. www.lmcs-online.org
Submitted Jan. 31, 2007; published Sep. 9, 2008. DOI: 10.2168/LMCS-4(3:5)2008
1998 ACM Subject Classification: F.4.1.
Key words and phrases: Church's Higher-Order Logic, HOL, PVS, proof assistants, type theory, constructive set theory, program extraction, proofs-as-programs, λ-calculus.
The authors have been partly supported by NSF grants DUE-0333526 and 0430161.
© R.L. Constable and W. Moczydłowski, Creative Commons license.

Abstract. Church's Higher-Order Logic is a basis for influential proof assistants: HOL and PVS. Church's logic has a simple set-theoretic semantics, making it trustworthy and extensible. We factor HOL into a constructive core plus axioms of excluded middle and choice. We similarly factor standard set theory, ZFC, into a constructive core, IZF, and axioms of excluded middle and choice. Then we provide the standard set-theoretic semantics in such a way that the constructive core of HOL is mapped into IZF. We use the disjunction, numerical existence and term existence properties of IZF to provide a program extraction capability from proofs in the constructive core. We can implement the disjunction and numerical existence properties in two different ways: one using Rathjen's realizability for IZF and the other using a new direct weak normalization result for IZF by Moczydłowski. The latter can also be used for the term existence property.

1. Introduction

Church's Higher-Order Logic [Chu40, Lei94] has been remarkably successful at capturing the intuitive reasoning of mathematicians. It was distilled from Principia Mathematica, and is sometimes called the Simple Theory of Types based on that legacy. It incorporates the λ-calculus as its notation for functions, including propositional functions, thus interfacing well with computer science, where the λ-calculus is fundamental.

One of the reasons Higher-Order Logic is successful is that its axiomatic basis is very small, and it has a clean set-theoretic semantics at a low level of the cumulative hierarchy of sets (up to ω + ω), and can thus be formalized in a small fragment of ZFC set theory. This means it interfaces well with standard mathematics and provides a strong basis for trust. Moreover, the set-theoretic semantics is the basis for many extensions of the core logic; for example, it is straightforward to add arrays, recursive data types, and records to the logic.

Church's theory is the logical basis of two of the most successful interactive provers used in hardware and software verification, HOL [GM93] and PVS [ORS92]. This is due in part to the two characteristics mentioned above, in addition to its elegant automation based on Milner's tactic mechanism and its elegant formulation in the ML metalanguage.

Until recently, one of the few drawbacks of HOL was that its logical base did not allow a way to express a constructive subset of the logic. This issue was considered by Harrison for HOL Light [Har96], and recently Berghofer implemented a constructive version of HOL in the Isabelle implementation [Ber04, BN02], in large part to enable the extraction of programs from constructive proofs. This raises the question of finding a semantics for HOL that justifies this intuitively sound extraction.
The standard justification for program extraction is based on logics that embed extraction deeply into their semantics; this is the case for the Calculus of Inductive Constructions (CIC) [CPM90, BC04], Minlog [BBS+98], Computational Type Theory (CTT) [ABC+06, C+86] and the closely related Intuitionistic Type Theory (ITT) [ML82, NPS90]. The mechanism of extraction is built deeply into the logic and the provers based on it, e.g. Agda [ACN90] on ITT, Coq [The04] on CIC, MetaPRL [HNC+03] and Nuprl [ACE+00] on CTT.

In this paper we show that there is a way to provide a clean set-theoretic semantics for HOL and at the same time use it to semantically justify program extraction. The idea is to first factor HOL into its constructive core, say Constructive HOL, plus the axioms of excluded middle and choice. The semantics for this language can be given in ZFC set theory, and if that logic is factored into its constructive core, called IZF, plus excluded middle and choice (choice is sufficient to give excluded middle), then in the standard semantics IZF provides the semantics for Constructive HOL. Moreover, we can base program extraction on the IZF semantics.

The constructive content of IZF is not as transparent as in the constructive set theory CZF of Aczel [Acz78], as he is able to interpret CZF in Type Theory, while no such interpretation is known for IZF. However, it is not possible to express the impredicative nature of Higher-Order Logic in CZF. Also, IZF is not as expressive as Howe's ZFC [How96, How98] with inaccessible cardinals and computational primitives, but this makes IZF a more standard theory.

Our semantics is appealing not only because it factors so elegantly, but also because the computational issues and program extraction can be reduced to the standard constructive properties of IZF: the disjunction, numerical existence and term existence properties. We can implement the disjunction and numerical existence properties in two different ways: one using Rathjen's realizability for CZF [Rat05], recently extended to IZF [Rat06], and the other using a new direct weak normalization result for IZF by Moczydłowski [Moc06a, Moc06b]. The latter can also be used for the term existence property.

In this paper, we provide a set-theoretic semantics for HOL which has the following properties:
• It is as simple as the standard semantics, presented in Gordon and Melham's [GM93].
• It works in constructive set theory.
• It provides a semantical basis for program extraction.
• It can be applied to the constructive version of HOL recently implemented in Isabelle-HOL as a means of using constructive HOL proofs as programs.

This paper is organized as follows. In Section 2 we present a version of HOL. In Section 3 we define the set-theoretic semantics. Section 4 defines the constructive set theory IZF and states its main properties. We show how these properties can be used for program extraction in Section 5.

2. Higher-order logic

In this section we present higher-order logic in detail. There are two syntactic categories: terms and types.
The types are generated by the following abstract grammar:

$$\tau ::= nat \mid bool \mid prop \mid \tau \to \tau \mid \tau \times \tau$$

The distinction between $bool$ and $prop$ corresponds to the distinction between the two-element type and the type of propositions in type theory, or between the two-element object and the subobject classifier in category theory, or, as we shall see, between $2$ and the set of all subsets of $1$ in constructive set theory.

The terms of HOL are generated by the following abstract grammar:

$$t ::= x^\tau \mid c^\tau \mid (t^{\tau \to \sigma}\, u^\tau)^\sigma \mid (\lambda x^\tau.\, t^\sigma)^{\tau \to \sigma} \mid (t^\tau, s^\sigma)^{\tau \times \sigma}$$

Thus each term $t^\alpha$ in HOL is annotated with a type $\alpha$, which we call the type of $t$. We will often skip the type annotations of terms; this practice should not lead to confusion, as the implicit type system is very simple. Terms of type $prop$ are called formulas. The free variables of a term $t$ are denoted by $FV(t)$ and defined as usual. We consider α-equivalent terms equal. The notation $t[x := u]$ stands for capture-avoiding substitution and denotes the result of substituting $u$ for $x$ in the term $t$.

Our version of HOL has a set of built-in constants. To increase readability, we write $c : \tau$ instead of $c^\tau$ to provide the information about the type of $c$. If the type of a constant involves $\alpha$, it is a constant schema: there is one constant for each type $\tau$ substituted for $\alpha$. There are thus constants $=_{bool}$, $=_{nat}$ and so on.

• $\bot : prop$
• $\top : prop$
• $=_\alpha : \alpha \times \alpha \to prop$
• $\to : prop \times prop \to prop$
• $\wedge : prop \times prop \to prop$
• $\vee : prop \times prop \to prop$
• $\forall_\alpha : (\alpha \to prop) \to prop$
• $\exists_\alpha : (\alpha \to prop) \to prop$
• $\varepsilon_\alpha : (\alpha \to prop) \to \alpha$
• $0 : nat$
• $S : nat \to nat$
• $false : bool$
• $true : bool$

We present the proof rules for HOL in a sequent-based natural deduction style. A sequent is a pair $(\Gamma, t)$, where $\Gamma$ is a list of formulas and $t$ is a formula. The free variables of a context are the free variables of all its formulas.
A sequent $(\Gamma, t)$ is written as $\Gamma \vdash t$. We write binary constants (equality, implication, etc.) using infix notation. We use standard abbreviations for quantifiers: $\forall a : \tau.\, \phi$ abbreviates $\forall_\tau(\lambda a^\tau.\, \phi)$, and similarly for $\exists a : \tau.\, \phi$. The proof rules for HOL are as follows:

$$\frac{}{\Gamma \vdash t}\ (t \in \Gamma) \qquad \frac{}{\Gamma \vdash t = t} \qquad \frac{\Gamma \vdash t = s}{\Gamma \vdash \lambda x^\tau.\, t = \lambda x^\tau.\, s}\ (x^\tau \notin FV(\Gamma))$$

$$\frac{\Gamma \vdash t \quad \Gamma \vdash s}{\Gamma \vdash t \wedge s} \qquad \frac{\Gamma \vdash t \wedge s}{\Gamma \vdash t} \qquad \frac{\Gamma \vdash t \wedge s}{\Gamma \vdash s} \qquad \frac{}{\Gamma \vdash \top}$$

$$\frac{\Gamma \vdash t}{\Gamma \vdash t \vee s} \qquad \frac{\Gamma \vdash s}{\Gamma \vdash t \vee s} \qquad \frac{\Gamma \vdash t \vee s \quad \Gamma, t \vdash u \quad \Gamma, s \vdash u}{\Gamma \vdash u}$$

$$\frac{\Gamma, t \vdash s}{\Gamma \vdash t \to s} \qquad \frac{\Gamma \vdash s \to t \quad \Gamma \vdash s}{\Gamma \vdash t} \qquad \frac{\Gamma \vdash s = u \quad \Gamma \vdash t[x := u]}{\Gamma \vdash t[x := s]}$$

$$\frac{\Gamma \vdash f^{\alpha \to prop}\, t^\alpha}{\Gamma \vdash \exists_\alpha(f^{\alpha \to prop})} \qquad \frac{\Gamma \vdash \exists_\alpha(f^{\alpha \to prop}) \quad \Gamma, f^{\alpha \to prop}\, x^\alpha \vdash u}{\Gamma \vdash u}\ (x^\alpha \text{ new})$$

Finally, we list the HOL axioms.

(1) (FALSE) $\bot = \forall b : prop.\, b$.
(2) (FALSENOTTRUE) $false = true \to \bot$.
(3) (BETA) $(\lambda x^\tau.\, t^\sigma)\, s^\tau = t^\sigma[x^\tau := s^\tau]$.
(4) (ETA) $(\lambda x^\tau.\, f^{\tau \to \sigma}\, x^\tau) = f^{\tau \to \sigma}$, where $x \notin FV(f)$.
(5) (FORALL) $\forall_\alpha = \lambda P^{\alpha \to prop}.\, (P = \lambda x^\alpha.\, \top)$.
(6) (P3) $\forall n : nat.\, (0 = S(n)) \to \bot$.
(7) (P4) $\forall n, m : nat.\, S(n) = S(m) \to n = m$.
(8) (P5) $\forall P : nat \to prop.\, P(0) \wedge (\forall n : nat.\, P(n) \to P(S(n))) \to \forall n : nat.\, P(n)$.
(9) (BOOL) $\forall x : bool.\, (x = false) \vee (x = true)$.
(10) (EM) $\forall x : prop.\, (x = \bot) \vee (x = \top)$.
(11) (CHOICE) $\forall P : \alpha \to prop.\, \forall x : \alpha.\, P\, x \to P(\varepsilon^{(\alpha \to prop) \to \alpha}(P))$.

Our choice of rules and axioms is redundant. Propositional connectives, for example, could be defined in terms of quantifiers and $bool$. However, we believe that this makes the account of the semantics clearer and shows how easy it is to define a sound semantics for such a system. Our presentation is based on the core part of the theory of [GM93]. It does not include type definitions and parametric polymorphism. We believe extending it to incorporate these features should not be very difficult.

The theory CHOL (Constructive HOL) arises by taking away from HOL the axioms (CHOICE) and (EM).
We write $\vdash_H \phi$ and $\vdash_C \phi$ to denote that HOL and CHOL, respectively, prove $\phi$. We will generally use letters $P$, $Q$ to denote proof trees. The notation $P \vdash_C \phi$ means that $P$ is a proof tree in CHOL of $\phi$.

3. Semantics

3.1. Set theory. The set-theoretic semantics needs a small part of the cumulative hierarchy: $R_{\omega + \omega}$ is sufficient to carry out all the constructions. The Axiom of Choice is necessary in order to define the meaning of the $\varepsilon$ constant. For this purpose, $C$ will denote a¹ necessarily non-constructive function such that for any $X, Y \in R_{\omega + \omega}$:
• If $X$ is non-empty, then $C(X, Y) \in X$.
• If $X$ is empty and $Y$ is non-empty, then $C(X, Y) \in Y$.
• Otherwise, $C(X, Y)$ is $\emptyset$.

¹ Note that if we want to pinpoint $C$, we need to assume more than AC, as the existence of a definable choice function for $R_{\omega + \omega}$ is not provable in ZFC.

Recall that in the world of set theory, $0 = \emptyset$, $1 = \{0\}$ and $2 = \{0, 1\}$. Classically $\mathcal{P}(1)$, the set of all subsets of $1$, is equal to $2$. This is not the case constructively; there is no uniform way of transforming an arbitrary subset of $1$ into an element of $2$. In fact, it is easy to see that $\mathcal{P}(1) = 2$ entails the law of excluded middle:

Lemma 3.1. If $\mathcal{P}(1) = 2$, then for any $\phi$, $\phi$ or $\neg\phi$.

Proof. Suppose $\mathcal{P}(1) = 2$ and take a formula $\phi$. Consider $A = \{x \in 1 \mid \phi\}$ and $B = \{x \in 1 \mid \neg\phi\}$. Since $A \cup B \in \mathcal{P}(1)$, $A \cup B \in 2$, so either $A \cup B = 0$ or $A \cup B = 1$. In the former case, $0 \notin A$ and $0 \notin B$. Then we have $\neg\phi$, because from $\phi$ we obtain $0 \in A$, which is a contradiction. But we also have $\neg\neg\phi$, because from $\neg\phi$ we obtain $0 \in B$, which is also a contradiction. Thus we have refuted the assumption $A \cup B = 0$, so $A \cup B = 1$. Therefore $0 \in A \cup B$, so either $0 \in A$, in which case $\phi$, or $0 \in B$, in which case $\neg\phi$. So either $\phi$ or $\neg\phi$. □

The following helpful lemma, however, does hold in a constructive world:

Lemma 3.2. If $A \in \mathcal{P}(1)$, then $A = 1$ iff $0 \in A$.
Let us also define precisely the function application operation in set theory. We borrow the definition from [Acz99]:

$$App(f, x) = \{ z \mid \exists y.\, z \in y \wedge (x, y) \in f \}$$

The advantage of using this definition over an intuitive one ("the unique $y$ such that $(x, y) \in f$") is that it is defined for all sets $f$ and $x$. Partiality of $App$ would entail serious problems in the constructive setting. This definition is equivalent to the standard one when $f$ is a function:

Lemma 3.3. If $f$ is a function from $A$ to $B$ and $x \in A$, then $App(f, x)$ is the unique $y$ such that $(x, y) \in f$.

Proof. Let $y$ be the unique element of $B$ such that $(x, y) \in f$. If $z \in App(f, x)$ then there is $y'$ such that $z \in y'$ and $(x, y') \in f$. Since $y' = y$, $z \in y$. For the other direction, if $z \in y$, then obviously $z \in App(f, x)$. □

From now on, the notation $f(x)$ means $App(f, x)$. We will also use lambda notation in set theory to define functions: $\lambda x \in A.\, B(x)$ means $\{(x, B(x)) \mid x \in A\}$.

3.2. The definition of the semantics. We first define the meaning $[\![\tau]\!]$ of a type $\tau$ by structural induction on $\tau$.
• $[\![nat]\!] = \mathbb{N}$.
• $[\![bool]\!] = 2$.
• $[\![prop]\!] = \mathcal{P}(1)$.
• $[\![\tau \times \sigma]\!] = [\![\tau]\!] \times [\![\sigma]\!]$, where $A \times B$ denotes the cartesian product of the sets $A$ and $B$.
• $[\![\tau_1 \to \tau_2]\!] = [\![\tau_1]\!] \to [\![\tau_2]\!]$, where $A \to B$ denotes the set of all functions from $A$ to $B$.

The meaning of a constant $c^\alpha$ is denoted by $[\![c^\alpha]\!]$ and is defined as follows.
• $[\![=_\alpha]\!] = \lambda (x_1, x_2) \in [\![\alpha]\!] \times [\![\alpha]\!].\, \{x \in 1 \mid x_1 = x_2\}$.
• $[\![\to]\!] = \lambda (b_1, b_2) \in [\![prop]\!] \times [\![prop]\!].\, \{x \in 1 \mid x \in b_1 \to x \in b_2\}$.
• $[\![\vee]\!] = \lambda (b_1, b_2) \in [\![prop]\!] \times [\![prop]\!].\, b_1 \cup b_2$.
• $[\![\wedge]\!] = \lambda (b_1, b_2) \in [\![prop]\!] \times [\![prop]\!].\, b_1 \cap b_2$.
• $[\![false]\!] = [\![\bot]\!] = 0$.
• $[\![true]\!] = [\![\top]\!] = 1$.
• $[\![\forall_\alpha]\!] = \lambda f \in [\![\alpha]\!] \to [\![prop]\!].\, \bigcap_{a \in [\![\alpha]\!]} f(a)$.
• $[\![\exists_\alpha]\!] = \lambda f \in [\![\alpha]\!] \to [\![prop]\!].\, \bigcup_{a \in [\![\alpha]\!]} f(a)$.
• $[\![\varepsilon_\alpha]\!] = \lambda P \in [\![\alpha]\!] \to [\![prop]\!].\, C(P^{-1}(\{1\}), [\![\alpha]\!])$.
• $[\![0]\!] = 0$.
• $[\![S]\!] = \lambda n \in \mathbb{N}.\, n + 1$.

The standard semantics, presented for example by Gordon and Melham in [GM93], uses a truth-table approach: the implication $\phi \to \psi$ is false iff $\phi$ is true and $\psi$ is false, etc. It is easy to see that with excluded middle our semantics is equivalent to the standard one.

Lemma 3.4 (ZF). For any $A, B \in \mathcal{P}(1)$, $[\![\to]\!](A, B) = 0$ iff $A = 1$ and $B = 0$.

Proof. Suppose $[\![\to]\!](A, B) = 0$. Then $\{x \in 1 \mid x \in A \to x \in B\} = 0$, so $0 \notin \{x \in 1 \mid x \in A \to x \in B\}$, so it is not the case that $0 \in A \to 0 \in B$, so $0 \in A$ and $0 \notin B$. Thus $A = 1$ and $B = 0$. The other direction is easy. □

The definition of our semantics is not original. The meaning of the logical constants is essentially a combination of the fact that any complete lattice with pseudo-complements is a model for higher-order logic and that $\mathcal{P}(1)$ is a complete lattice with the pseudo-complement defined in the clause for $\to$ [RS63]. Similar semantics for HOL have also been provided in a category-theoretical setting [LS86]. The novelty of our approach lies in utilizing this kind of semantics for the purpose of program extraction in Section 5.

To present the rest of the semantics, we need to introduce environments. An environment is a function from HOL variables to sets such that $\rho(x^\tau) \in [\![\tau]\!]$. We will use the symbol $\rho$ exclusively for environments. The meaning $[\![t]\!]_\rho$ of a term $t$ is parameterized by an environment $\rho$ and defined by structural induction on $t$:
• $[\![c^\tau]\!]_\rho = [\![c^\tau]\!]$.
• $[\![x^\tau]\!]_\rho = \rho(x^\tau)$.
• $[\![s\, u]\!]_\rho = App([\![s]\!]_\rho, [\![u]\!]_\rho)$.
• $[\![\lambda x^\tau.\, u]\!]_\rho = \{(a, [\![u]\!]_{\rho[x^\tau := a]}) \mid a \in [\![\tau]\!]\}$.
• $[\![(s, u)]\!]_\rho = ([\![s]\!]_\rho, [\![u]\!]_\rho)$.

3.3. The properties of the semantics.
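The clauses of 3.2 and the properties established in this section are finite enough to be checked mechanically once excluded middle is assumed, so that $\mathcal{P}(1) = 2$ and every type built from $bool$, $prop$, $\times$ and $\to$ denotes a finite set. The Python program below is an added example and not code from the paper: it implements the term grammar of Section 2, the total $App$ of Section 3.1 and the semantic clauses of 3.2 over sets modelled as frozensets (ordered pairs as Python tuples, functions as their graphs), and checks Lemma 3.4 together with the axioms (BOOL) and (EM). Because it enumerates $\mathcal{P}(1)$ as $\{0, 1\}$, it is a model of the classical semantics only; by Lemma 3.1 that enumeration is itself excluded middle, which is exactly why (EM) comes out valid here while it has no constructive proof in Section 3.4. $nat$ is omitted since $\mathbb{N}$ is infinite. The function names (`ev`, `fun_space`, `axiom_bool`, …) and the tuple encoding of terms are the example's own.

```python
"""Finite classical model of the HOL set-theoretic semantics of Sections 2-3.2.
Sets are frozensets, ordered pairs are Python tuples, and a function is its graph
(a frozenset of pairs). nat is omitted: N is infinite, so only bool, prop, products
and function spaces are interpreted. Added example; not the paper's own code."""
from itertools import product

ZERO = frozenset()             # 0 = ∅
ONE = frozenset({ZERO})        # 1 = {0}
TWO = frozenset({ZERO, ONE})   # 2 = {0, 1}

def powerset(s):
    items = list(s)
    return frozenset(frozenset(x for x, keep in zip(items, bits) if keep)
                     for bits in product((False, True), repeat=len(items)))

def fun_space(A, B):
    """A -> B: the set of all functions from A to B, each represented by its graph."""
    dom = list(A)
    return frozenset(frozenset(zip(dom, vals)) for vals in product(list(B), repeat=len(dom)))

def lam(A, body):
    """λx∈A. body(x) = {(x, body(x)) | x ∈ A}."""
    return frozenset((a, body(a)) for a in A)

def app(f, x):
    """App(f, x) = ⋃{y | (x, y) ∈ f}. Total on all f and x: ∅ when no pair (x, y) is in f,
    the unique value when f is a function graph and x is in its domain (Lemma 3.3)."""
    ys = [p[1] for p in f if isinstance(p, tuple) and len(p) == 2 and p[0] == x]
    return ys[0] if len(ys) == 1 else frozenset().union(*ys)

# HOL types: 'bool', 'prop', ('*', τ, σ), ('->', τ, σ)
def ty(tau):
    """[[τ]]: the meaning of a type."""
    if tau == 'bool':
        return TWO
    if tau == 'prop':
        return powerset(ONE)       # P(1); equals 2 only because we enumerate it classically
    c, a, b = tau
    return frozenset(product(ty(a), ty(b))) if c == '*' else fun_space(ty(a), ty(b))

def const(name, alpha=None):
    """[[c^α]]: the meaning of a built-in constant; alpha is the type parameter of =, ∀, ∃."""
    P1 = ty('prop')
    if name == '=':
        A = ty(alpha)
        return lam(frozenset(product(A, A)), lambda p: frozenset(x for x in ONE if p[0] == p[1]))
    if name == '->':   # {x ∈ 1 | x ∈ b1 → x ∈ b2}: the pseudo-complement in the lattice P(1)
        return lam(frozenset(product(P1, P1)),
                   lambda p: frozenset(x for x in ONE if x not in p[0] or x in p[1]))
    if name == 'or':
        return lam(frozenset(product(P1, P1)), lambda p: p[0] | p[1])
    if name == 'and':
        return lam(frozenset(product(P1, P1)), lambda p: p[0] & p[1])
    if name in ('false', 'bot'):
        return ZERO
    if name in ('true', 'top'):
        return ONE
    if name in ('forall', 'exists'):
        A = ty(alpha)
        fs = fun_space(A, P1)
        if name == 'forall':       # ⋂_{a ∈ [[α]]} f(a)
            return lam(fs, lambda f: ONE.intersection(*(app(f, a) for a in A)))
        return lam(fs, lambda f: frozenset().union(*(app(f, a) for a in A)))   # ⋃
    raise ValueError(name)

# HOL terms: ('var', x), ('const', c[, α]), ('app', s, u), ('lam', x, τ, u), ('pair', s, u)
def ev(t, rho):
    """[[t]]_ρ by structural induction on t; rho maps variable names to sets."""
    k = t[0]
    if k == 'var':
        return rho[t[1]]
    if k == 'const':
        return const(t[1], t[2] if len(t) > 2 else None)
    if k == 'app':
        return app(ev(t[1], rho), ev(t[2], rho))
    if k == 'lam':
        _, x, tau, body = t
        return lam(ty(tau), lambda a: ev(body, {**rho, x: a}))
    return (ev(t[1], rho), ev(t[2], rho))      # 'pair'

def binop(c, s, u, alpha=None):
    """Infix application of a binary constant: c (s, u)."""
    return ('app', ('const', c, alpha) if alpha else ('const', c), ('pair', s, u))

def dichotomy(tau, lo, hi):
    """[[ ∀_τ (λx^τ. x = lo ∨ x = hi) ]] for constants lo, hi of type τ."""
    x = ('var', 'x')
    body = binop('or', binop('=', x, ('const', lo), tau), binop('=', x, ('const', hi), tau))
    return ev(('app', ('const', 'forall', tau), ('lam', 'x', tau, body)), {})

def axiom_bool():
    return dichotomy('bool', 'false', 'true')

def axiom_em():
    """Valid here only because the model enumerates P(1) as {0, 1}, i.e. classically."""
    return dichotomy('prop', 'bot', 'top')

def implication_table():
    """Lemma 3.4: [[->]](A, B) = 0 iff A = 1 and B = 0."""
    imp = const('->')
    return {(A, B): app(imp, (A, B)) for A in TWO for B in TWO}

if __name__ == '__main__':
    print('P(1) = 2 in this model:', ty('prop') == TWO)
    print('(BOOL) valid:', axiom_bool() == ONE, ' (EM) valid classically:', axiom_em() == ONE)
    for (A, B), v in sorted(implication_table().items(), key=repr):
        print(A == ONE, '->', B == ONE, '=', v == ONE)
```

Running the module prints the truth table of Lemma 3.4 and confirms both dichotomy axioms. Replacing `powerset(ONE)` by a larger lattice is not possible in this finite encoding, which is the point: the constructive semantics cannot be enumerated, only reasoned about as in the proofs that follow.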
There are several standard properties of the semantics we have defined.

Lemma 3.5 (Substitution Lemma). For any terms $t, s$ and environment $\rho$, $[\![t]\!]_{\rho[x := [\![s]\!]_\rho]} = [\![t[x := s]]\!]_\rho$.

Proof. By structural induction on $t$. Case $t$ of:
• $c$: the claim is obvious.
• $x$: then $[\![x]\!]_{\rho[x := [\![s]\!]_\rho]} = [\![s]\!]_\rho = [\![x[x := s]]\!]_\rho$.
• $u\, v$: then $[\![u\, v]\!]_{\rho[x := [\![s]\!]_\rho]} = App([\![u]\!]_{\rho[x := [\![s]\!]_\rho]}, [\![v]\!]_{\rho[x := [\![s]\!]_\rho]})$. By the inductive hypothesis, this is equal to $App([\![u[x := s]]\!]_\rho, [\![v[x := s]]\!]_\rho) = [\![u[x := s]\, v[x := s]]\!]_\rho = [\![t[x := s]]\!]_\rho$.
• $(u, v)$: similar to the previous case.
• $\lambda y^\tau.\, u$: without loss of generality we may assume that $y \notin \{x\} \cup FV(s)$. Then $[\![t]\!]_{\rho[x := [\![s]\!]_\rho]} = \{(a, [\![u]\!]_{\rho[x := [\![s]\!]_\rho][y := a]}) \mid a \in [\![\tau]\!]\}$. By the inductive hypothesis, this is equal to $\{(a, [\![u[x := s]]\!]_{\rho[y := a]}) \mid a \in [\![\tau]\!]\} = [\![\lambda y^\tau.\, u[x := s]]\!]_\rho = [\![t[x := s]]\!]_\rho$. □

Lemma 3.6. For any type $\alpha$, $\exists x.\, x \in [\![\alpha]\!]$.

Proof. Easy. □

Lemma 3.7. If $x^\sigma \notin FV(t)$, then for any $b \in [\![\sigma]\!]$, $[\![t]\!]_\rho = [\![t]\!]_{\rho[x^\sigma := b]}$.

Proof. Straightforward induction on $t$. We only show the case when $t = \lambda y^\tau.\, u$. Without loss of generality we can assume that $y \neq x$. We have $[\![t]\!]_\rho = \{(a, [\![u]\!]_{\rho[y := a]}) \mid a \in [\![\tau]\!]\}$. Since $x \notin FV(u)$, by the inductive hypothesis this is equal to $\{(a, [\![u]\!]_{\rho[y := a][x := b]}) \mid a \in [\![\tau]\!]\}$. Since $x \neq y$, this is also equal to $\{(a, [\![u]\!]_{\rho[x := b][y := a]}) \mid a \in [\![\tau]\!]\} = [\![\lambda y^\tau.\, u]\!]_{\rho[x := b]}$. □

Lemma 3.8. For any $\rho$, $[\![t^\alpha]\!]_\rho \in [\![\alpha]\!]$.

Proof. By induction on $t$. Case $t$ of:
• $x^\tau$: the claim follows by the definition of environments.
• $c^\tau$: we proceed by case analysis on $c$. We show the interesting cases.
  − $\forall_\alpha$. The type of $c$ is $(\alpha \to prop) \to prop$. We need to show that if $f$ is a function from $[\![\alpha]\!]$ to $\mathcal{P}(1)$, then $\bigcap_{a \in [\![\alpha]\!]} f(a)$ is in $\mathcal{P}(1)$. Since for any $a \in [\![\alpha]\!]$, $f(a) \in \mathcal{P}(1)$, and $\mathcal{P}(1)$ is closed under intersections, the claim follows.
  − $\exists_\alpha$. The proof is similar and follows by the fact that $\mathcal{P}(1)$ is closed under unions.
  − $\varepsilon_\alpha$. The type of $\varepsilon_\alpha$ is $(\alpha \to prop) \to \alpha$. Take any function $F$ from $[\![\alpha]\!]$ to $\mathcal{P}(1)$. Then $F^{-1}(\{1\}) \subseteq [\![\alpha]\!]$. By the definition of $C$, if $F^{-1}(\{1\}) \neq \emptyset$, then $[\![\varepsilon_\alpha]\!](F) \in [\![\alpha]\!]$. So suppose $F^{-1}(\{1\}) = \emptyset$. By Lemma 3.6, $[\![\alpha]\!]$ is not empty, so by the definition of $C$, $[\![\varepsilon_\alpha]\!](F) \in [\![\alpha]\!]$ as well. □

In particular, this implies that for any formula $t$, $[\![t]\!]_\rho \subseteq 1$. So if we want to prove that $[\![t]\!]_\rho = 1$, then by Lemma 3.2 it suffices to show that $0 \in [\![t]\!]_\rho$.

3.4. Soundness. The soundness theorem establishes the validity of the proof rules and axioms with respect to the semantics.

Definition 3.9. We write $[\![\Gamma]\!]_\rho = 1$ if $[\![t_1]\!]_\rho = 1, \ldots, [\![t_n]\!]_\rho = 1$, where $\Gamma = t_1, t_2, \ldots, t_n$.

Theorem 3.10 (Soundness). If $\Gamma \vdash t$, then for any $\rho$, if $[\![\Gamma]\!]_\rho = 1$ then $[\![t]\!]_\rho = 1$.

Proof. Straightforward induction on $\Gamma \vdash t$. We show several interesting cases.

• $\dfrac{}{\Gamma \vdash t}\ (t \in \Gamma)$. The claim is trivial.

• $\dfrac{\Gamma \vdash t = s}{\Gamma \vdash \lambda x^\tau.\, t = \lambda x^\tau.\, s}\ (x^\tau \notin FV(\Gamma))$. We need to show that $\{(a, [\![t]\!]_{\rho[x^\tau := a]}) \mid a \in [\![\tau]\!]\} = \{(a, [\![s]\!]_{\rho[x^\tau := a]}) \mid a \in [\![\tau]\!]\}$, that is, that for any $a \in [\![\tau]\!]$, $[\![t]\!]_{\rho[x^\tau := a]} = [\![s]\!]_{\rho[x^\tau := a]}$. Let $\rho' = \rho[x^\tau := a]$. Since $x^\tau \notin FV(\Gamma)$, Lemma 3.7 gives $[\![\Gamma]\!]_{\rho'} = 1$, so by the inductive hypothesis $[\![t = s]\!]_{\rho'} = 1$, i.e. $[\![t]\!]_{\rho'} = [\![s]\!]_{\rho'}$.

• $\dfrac{\Gamma, t \vdash s}{\Gamma \vdash t \to s}$. Suppose $[\![\Gamma]\!]_\rho = 1$. We need to show that $0 \in \{x \in 1 \mid x \in [\![t]\!]_\rho \to x \in [\![s]\!]_\rho\}$. Since $0 \in 1$, assume $0 \in [\![t]\!]_\rho$. Then $[\![\Gamma, t]\!]_\rho = 1$. By the inductive hypothesis $[\![s]\!]_\rho = 1$, thus also $0 \in [\![s]\!]_\rho$.

• $\dfrac{\Gamma \vdash t \to s \quad \Gamma \vdash t}{\Gamma \vdash s}$. Suppose $[\![\Gamma]\!]_\rho = 1$.
By the inductive hypothesis, $0 \in \{x \in 1 \mid x \in [\![t]\!]_\rho \to x \in [\![s]\!]_\rho\}$ and $0 \in [\![t]\!]_\rho$, so easily $0 \in [\![s]\!]_\rho$.

• $\dfrac{\Gamma \vdash s = u \quad \Gamma \vdash t[x := u]}{\Gamma \vdash t[x := s]}$. Assume $[\![\Gamma]\!]_\rho = 1$. By the inductive hypothesis, $[\![s]\!]_\rho = [\![u]\!]_\rho$ and $[\![t[x := u]]\!]_\rho = 1$. Using the Substitution Lemma we get $[\![t[x := u]]\!]_\rho = [\![t]\!]_{\rho[x := [\![u]\!]_\rho]} = [\![t]\!]_{\rho[x := [\![s]\!]_\rho]} = [\![t[x := s]]\!]_\rho$.

• $\dfrac{\Gamma \vdash f\, t^\alpha}{\Gamma \vdash \exists_\alpha(f^{\alpha \to prop})}$. Assume $[\![\Gamma]\!]_\rho = 1$. We have to show that $0 \in \bigcup_{a \in [\![\alpha]\!]} [\![f]\!]_\rho(a)$, that is, that there is $a \in [\![\alpha]\!]$ such that $0 \in [\![f]\!]_\rho(a)$. By Lemma 3.8, $[\![t^\alpha]\!]_\rho \in [\![\alpha]\!]$, so taking $a = [\![t^\alpha]\!]_\rho$ we get the claim by the inductive hypothesis.

• $\dfrac{\Gamma \vdash \exists_\alpha(f^{\alpha \to prop}) \quad \Gamma, f\, x^\alpha \vdash u}{\Gamma \vdash u}\ (x^\alpha \text{ new})$. Suppose $[\![\Gamma]\!]_\rho = 1$. By the inductive hypothesis, there is $a \in [\![\alpha]\!]$ such that $0 \in [\![f]\!]_\rho(a)$. Let $\rho' = \rho[x^\alpha := a]$. By the inductive hypothesis we get $0 \in [\![u]\!]_{\rho'}$. As $x^\alpha \notin FV(u)$, by Lemma 3.7 $[\![u]\!]_\rho = 1$. □

Having verified the soundness of the HOL proof rules, we proceed to verify the soundness of the axioms.

Theorem 3.11. For any axiom $t$ of HOL and any $\rho$ defined on $FV(t)$, $0 \in [\![t]\!]_\rho$.

Proof. We proceed axiom by axiom and sketch the respective proofs.

• (FALSE) $[\![\bot]\!]_\rho = \emptyset = \bigcap_{a \in \mathcal{P}(1)} a = [\![\forall b : prop.\, b]\!]_\rho$. The second equality follows by $0 \in \mathcal{P}(1)$.

• (BETA) We have $[\![(\lambda x^\tau.\, t^\sigma)\, s^\tau]\!]_\rho = App([\![\lambda x^\tau.\, t^\sigma]\!]_\rho, [\![s^\tau]\!]_\rho) = App(\{(a, [\![t]\!]_{\rho[x := a]}) \mid a \in [\![\tau]\!]\}, [\![s^\tau]\!]_\rho) = [\![t]\!]_{\rho[x^\tau := [\![s^\tau]\!]_\rho]} =$ (by the Substitution Lemma) $= [\![t^\sigma[x^\tau := s^\tau]]\!]_\rho$.

• (ETA) $[\![\lambda x^\tau.\, f^{\tau \to \sigma}\, x^\tau]\!]_\rho = \{(a, [\![f\, x^\tau]\!]_{\rho[x^\tau := a]}) \mid a \in [\![\tau]\!]\} = \{(a, App([\![f]\!]_{\rho[x^\tau := a]}, a)) \mid a \in [\![\tau]\!]\} =$ (since $x^\tau \notin FV(f)$) $= \{(a, [\![f]\!]_\rho(a)) \mid a \in [\![\tau]\!]\} = [\![f]\!]_\rho$, as by Lemma 3.8 $[\![f]\!]_\rho \in [\![\tau]\!] \to [\![\sigma]\!]$ and functions in set theory are represented by their graphs.

• (FORALL) We have:
$$[\![\forall_\alpha]\!]_\rho = \{(F, \bigcap_{a \in [\![\alpha]\!]} F(a)) \mid F \in [\![\alpha]\!] \to \mathcal{P}(1)\}$$
Furthermore:
$$[\![\lambda F^{\alpha \to prop}.\, F = \lambda x^\alpha.\, \top]\!]_\rho = \{(F, \{z \in 1 \mid F = \lambda x \in [\![\alpha]\!].\, 1\}) \mid F \in [\![\alpha]\!] \to \mathcal{P}(1)\}$$
So take any $F \in [\![\alpha]\!] \to \mathcal{P}(1)$. It suffices to show that $\bigcap_{a \in [\![\alpha]\!]} F(a) = \{z \in 1 \mid F = \lambda x \in [\![\alpha]\!].\, 1\}$. We have $x \in \bigcap_{a \in [\![\alpha]\!]} F(a)$ iff $x = 0$ and for all $a \in [\![\alpha]\!]$, $x \in F(a)$. By Lemma 3.2 this happens if and only if $x = 0$ and for all $a \in [\![\alpha]\!]$, $F(a) = 1$, which is equivalent to $x \in \{z \in 1 \mid F = \lambda x \in [\![\alpha]\!].\, 1\}$. The claim follows.

• The axioms P3, P4, P5 follow by the fact that the natural numbers satisfy the respective Peano axioms.

• (BOOL) We need to show that $[\![\forall_{bool}(\lambda x^{bool}.\, x = false \vee x = true)]\!]_\rho = 1$. Unwinding the definition, this is equivalent to
$$\bigcap_{x \in 2} (\{z \in 1 \mid x = 0\} \cup \{z \in 1 \mid x = 1\}) = 1,$$
and furthermore to: for all $x \in 2$ and $y$, $y \in \{z \in 1 \mid x = 0\} \cup \{z \in 1 \mid x = 1\}$ iff $y = 0$. Take any $x \in 2$ and $y$. The left-to-right direction is obvious; for the right-to-left direction, either $x = 0$ or $x = 1$. In the former case $0 \in \{z \in 1 \mid x = 0\}$, in the latter $0 \in \{z \in 1 \mid x = 1\}$.

• (EM) We need to show that $[\![\forall_{prop}(\lambda x^{prop}.\, x = \bot \vee x = \top)]\!]_\rho = 1$. Reasoning as in the case of (BOOL), we find that this is equivalent to: for all $x \in \mathcal{P}(1)$ and $y$, $y \in \{z \in 1 \mid x = 0\} \cup \{z \in 1 \mid x = 1\}$ iff $y = 0$. Suppose $x \in \mathcal{P}(1)$. At this point it is impossible to proceed further constructively: all we know is that $x$ is a subset of $1$, which does not provide enough information to decide whether $x = 0$ or $x = 1$. However, classically, using the rule of excluded middle, $\mathcal{P}(1) = 2$ and we proceed as in the previous case.

• (CHOICE) We argue classically, so in particular $\mathcal{P}(1) = 2$. We need to show that
$$[\![\forall_{\alpha \to prop}(\lambda P^{\alpha \to prop}.\, \forall_\alpha(\lambda x^\alpha.\, P\, x \to P(\varepsilon^{(\alpha \to prop) \to \alpha}(P))))]\!] = 1,$$
which is equivalent to
$$\bigcap_{P \in [\![\alpha]\!] \to 2} [\![\forall_\alpha(\lambda x^\alpha.\, P\, x \to P(\varepsilon^{(\alpha \to prop) \to \alpha}(P)))]\!] = 1,$$
which is equivalent to
$$\bigcap_{P \in [\![\alpha]\!] \to 2}\ \bigcap_{x \in [\![\alpha]\!]} [\![P\, x \to P(\varepsilon^{(\alpha \to prop) \to \alpha}(P))]\!] = 1,$$
which is equivalent to
$$\bigcap_{P \in [\![\alpha]\!] \to 2}\ \bigcap_{x \in [\![\alpha]\!]} \{a \in 1 \mid a \in P(x) \to a \in P(C(P^{-1}(\{1\}), [\![\alpha]\!]))\} = 1.$$
To show this, it suffices to show that for all $P \in [\![\alpha]\!] \to 2$ and all $x \in [\![\alpha]\!]$, if $0 \in P(x)$ then $0 \in P(C(P^{-1}(\{1\}), [\![\alpha]\!]))$. Take any $P$ and $x$. Suppose $0 \in P(x)$. Then $P(x) = 1$, so $x \in P^{-1}(\{1\})$. Therefore $C(P^{-1}(\{1\}), [\![\alpha]\!]) \in P^{-1}(\{1\})$, so $P(C(P^{-1}(\{1\}), [\![\alpha]\!])) = 1$, which shows the claim. □

Corollary 3.12. HOL is consistent: it is not the case that $\vdash_H \bot$.

Proof. Otherwise we would have $[\![\bot]\!] = [\![\top]\!]$, that is, $0 = 1$. □

4. IZF

The essential advantage of the semantics in the previous section over a standard one is that for the constructive part of HOL this semantics can be defined in the constructive set theory IZF.

An obvious approach to creating a constructive version of ZFC set theory is to replace the underlying first-order logic with intuitionistic first-order logic. As many authors have explained [Myh73, Bee85, McC86, Š85], the ZF axioms need to be reformulated so that they do not imply the law of excluded middle. In a nutshell, to get IZF from ZFC, the Axiom of Choice and Excluded Middle are taken away and Foundation is reformulated as ∈-induction. The axioms of IZF are thus Extensionality, Union, Infinity, Power Set, Separation, Replacement or Collection² and ∈-Induction. The list of axioms for the version with Replacement can be found in Figure 1. A detailed account of the theory can be found for example in Friedman [Fri73]. Beeson's book [Bee85] and Ščedrov's paper [Š85] contain a lot of information on metamathematical properties of IZF and related set theories.

² There is a difference; in particular, the version with Collection does not satisfy the Term Existence Property (TEP), defined below. A concerned reader can replace IZF with $IZF_R$ whenever TEP is used.

Figure 1: The axioms of IZF with Replacement
• Extensionality: Two sets are equal if they have the same elements.
• Empty Set: There is an empty set.
• Pairing: For any sets $a, b$, there is a set consisting of $a$ and $b$.
• Infinity: There is a set closed under the successor operation and containing the empty set.
• Union: For any set $a$, there is a set $\bigcup a$ which is the union of all elements of $a$.
• Power Set: For any set $a$, there is a set of all subsets of $a$.
• Separation: For any formula $\phi$, for any set $a$, there is a set of all elements of $a$ satisfying $\phi$.
• Replacement: For any formula $\phi(x, y, z)$, for any set $a$, if for all $x \in a$ there is exactly one $y$ such that $\phi(x, y, z)$ holds, then there is a set $b$ such that for all $x \in a$ there is $y \in b$ such that $\phi(x, y, z)$ holds.
• ∈-Induction: For any formula $\phi(a, z)$, if for all sets $b$, $(\forall x \in b.\, \phi(x, z))$ implies $\phi(b, z)$, then for all $a$, $\phi(a, z)$ holds.

For convenience, we assume that the first-order logic has built-in bounded quantifiers ($\forall x \in a.\, \phi$ and $\exists x \in a.\, \phi$), defined as abbreviations in the standard way. We also include in the signature all the set terms corresponding to the axioms of IZF: $\mathbb{N}$, $\bigcup t$, $\mathcal{P}(a)$ etc. For the full list, see [Moc07].

Myhill [Myh73] has proved several important properties of IZF:
• Disjunction Property (DP): If $IZF \vdash \phi \vee \psi$, then $IZF \vdash \phi$ or $IZF \vdash \psi$.
• Numerical Existence Property (NEP): If $IZF \vdash \exists x \in \mathbb{N}.\, \phi(x)$, then there is a natural number $n$ such that $IZF \vdash \phi(n)$, where $n = S(S(\ldots(0)))$ and $S(x) = x \cup \{x\}$.
• Term Existence Property (TEP): If $IZF \vdash \exists x.\, \phi(x)$, then for some term $t$, $IZF \vdash \phi(t)$.

Moreover, the semantics and the soundness theorem for CHOL work in IZF, as neither Choice nor Excluded Middle is necessary to carry out these developments. Note that the existence of $\mathcal{P}(1)$ is crucial for the semantics.

All the properties are constructive: there is a recursive procedure extracting a natural number, a disjunct or a term from a proof. A trivial one is to look through all the proofs for the correct one. For example, if $IZF \vdash \phi \vee \psi$, a procedure could enumerate all theorems of IZF looking for either $\phi$ or $\psi$; its termination would be ensured by DP. We discuss more efficient alternatives in Section 5.3.

5. Extraction

We will show that the semantics we have defined can serve as a basis for program extraction from proofs. All that is necessary for program extraction from constructive HOL proofs is provided by the semantics and the soundness proof. Therefore, if one wants to provide an extraction mechanism for the constructive part of the logic, it may be sufficient to carefully define a set-theoretic semantics and prove the soundness theorem; the extraction mechanism for IZF would take care of the rest. We speculate on practical uses of this approach in Section 6.

5.1. IZF Extraction. We first describe extraction from IZF proofs. To facilitate the description, we will use a very simple fragment of type theory, which we call $TT_0$. The types of $TT_0$ are generated by the following abstract grammar. They should not be confused with HOL types; the context will make it clear which types we refer to.

$$\tau ::= * \mid P_\phi \mid nat \mid bool \mid \tau \times \tau \mid \tau + \tau \mid \tau \to \tau$$

We associate with each type $\tau$ of $TT_0$ a set of its elements, which are finitistic objects. The set of elements of $\tau$ is denoted by $El(\tau)$ and defined by structural induction on $\tau$:
• $El(*) = \{*\}$.
• $El(P_\phi)$ is the set of all IZF proofs of the formula $\phi$.
• $El(nat) = \mathbb{N}$, the set of natural numbers.
• $El(bool) = \{true, false\}$.
• $El(\tau_1 \times \tau_2) = El(\tau_1) \times El(\tau_2)$.
• $M \in El(\tau_1 + \tau_2)$ iff either $M = inl(M_1)$ and $M_1 \in El(\tau_1)$, or $M = inr(M_1)$ and $M_1 \in El(\tau_2)$.
• $M \in El(\tau_1 \to \tau_2)$ iff $M$ is a method which, given any element of $El(\tau_1)$, returns an element of $El(\tau_2)$.

In the last clause we use an abstract notion of "method". It will not be necessary to formalize this notion, but for the interested reader, all "methods" we use are functions provably recursive in $ZF + Con(ZF)$, where $Con(ZF)$ denotes the consistency of ZF. The notation $M : \tau$ stands for $M \in El(\tau)$.

We call a $TT_0$ type pure if it does not contain $*$ and $P_\phi$. There is a natural mapping of pure $TT_0$ types to sets. It is so similar to the meaning of the HOL types that we will use the same notation.
• $[\![nat]\!] = \mathbb{N}$.
• $[\![bool]\!] = 2$.
• $[\![\tau \times \sigma]\!] = [\![\tau]\!] \times [\![\sigma]\!]$.
• $[\![\tau + \sigma]\!] = [\![\tau]\!] + [\![\sigma]\!]$, the disjoint union of $[\![\tau]\!]$ and $[\![\sigma]\!]$.
• $[\![\tau \to \sigma]\!] = [\![\tau]\!] \to [\![\sigma]\!]$.

If a set (and a corresponding IZF term) is in the codomain of the map above, we call it type-like. If a set $A$ is type-like, then there is a unique pure type $\tau$ such that $[\![\tau]\!] = A$. We denote this type $Type(A)$. Thus, type-like sets are those "generated" by pure $TT_0$ types via the natural semantics.
Formally, we define a recursive set $TL$ of IZF terms such that for any $t \in TL$, $t$ is type-like and we can effectively find $Type(t)$. The definition of $TL$ follows the definition above: $TL$ is the smallest set such that $\mathbb{N}, 2 \in TL$ and if $t, u \in TL$, then $t \times u$, $t + u$ and $t \to u$ are also elements of $TL$. Thus, the sentence "$A$ is type-like" stands for "$A \in TL$". Note that for any term $t \in TL$ we can find a term $t'$ such that $\mathrm{IZF} \vdash t = t'$ and $t' \notin TL$; it suffices to take $t' \equiv t \cup \emptyset$.

Before we proceed further, let us extend $TT_0$ with a new type $Q_\tau$, where $\tau$ is any pure type of $TT_0$. Intuitively, $Q_\tau$ is the provable counterpart of $[\![\tau]\!]$. Formally, the members of $El(Q_\tau)$ are pairs $(t, P)$ such that $P \vdash_{\mathrm{IZF}} t \in [\![\tau]\!]$ ($P$ is an IZF proof of $t \in [\![\tau]\!]$). Note that there is a natural mapping from closed HOL terms $M$ of type $\tau$ into $Q_\tau$: using Lemma 3.8 it is easy to construct a proof $P$ of the fact that $[\![M]\!]_\rho \in [\![\tau]\!]$, so the pair $([\![M]\!]_\rho, P) : Q_\tau$. In particular, any natural number $n$ can be injected into $Q_{nat}$. The set of pure types stays unchanged.

We are going to tailor extraction from IZF proofs to the HOL logic. For this purpose, we will specify which elements of IZF proofs/formulas carry interesting computational content for us. We will use the type $*$ to mark the parts of proofs we are not interested in. We first define a helper function $T$, which takes a pure type $\tau$ and returns another type. Intuitively, $T(\tau)$ is the type of the extract from a statement $\exists x.\ x \in [\![\tau]\!]$. The function $T$ is defined by induction on $\tau$:
• $T(bool) = bool$.
• $T(nat) = nat$.
• $T(\tau \times \sigma) = T(\tau) \times T(\sigma)$.
• $T(\tau + \sigma) = T(\tau) + T(\sigma)$.
• $T(\tau \to \sigma) = Q_\tau \to T(\sigma)$.
The rationale for this definition is that in order to utilize an IZF function from $[\![\tau]\!]$ to $[\![\sigma]\!]$ we need to supply an element of the set $[\![\tau]\!]$, which is an element of $Q_\tau$.

Furthermore, we assign to each formula $\varphi$ of IZF a $TT_0$ type $\overline{\varphi}$, which intuitively describes the computational content of an IZF proof of $\varphi$. We do it by induction on $\varphi$:
• $\overline{a \in b} = *$.
• $\overline{a = b} = *$ (atomic formulas carry no useful computational content).
• $\overline{\varphi_1 \vee \varphi_2} = \overline{\varphi_1} + \overline{\varphi_2}$.
• $\overline{\varphi_1 \wedge \varphi_2} = \overline{\varphi_1} \times \overline{\varphi_2}$.
• $\overline{\varphi_1 \to \varphi_2} = P_{\varphi_1} \to \overline{\varphi_2}$.
• $\overline{\exists a \in A.\ \varphi_1} = T(Type(A)) \times \overline{\varphi_1}$, if $A$ is type-like.
• $\overline{\exists a \in A.\ \varphi_1} = *$, if $A$ is not type-like.
• $\overline{\exists a.\ \varphi_1} = *$.
• $\overline{\forall a \in A.\ \varphi_1} = Q_{Type(A)} \to \overline{\varphi_1}$, if $A$ is type-like.
• $\overline{\forall a \in A.\ \varphi_1} = *$, if $A$ is not type-like.
• $\overline{\forall a.\ \varphi_1} = *$.

The definition is tailored for HOL logic and could be extended to allow meaningful extraction from a larger class of formulas. For example, we could extract a term from $\exists a.\ \varphi_1$ using the Term Existence Property. We present several natural examples of our translation in action:
(1) $\overline{\exists x \in \mathbb{N}.\ x = x} = nat \times *$.
(2) $\overline{\forall x \in \mathbb{N}.\ \exists y \in \mathbb{N}.\ \varphi} = Q_{nat} \to nat \times \overline{\varphi}$.
(3) $\overline{\forall f \in \mathbb{N} \to \mathbb{N}.\ \exists x \in \mathbb{N}.\ f(x) = 0} = Q_{nat \to nat} \to nat \times *$.

These types are richer than what we would intuitively expect ($nat$ in the first case, $nat \to nat$ in the second and $(nat \to nat) \to nat$ in the third), because any closed HOL term of type $nat$ or $nat \to nat$ can be injected into $Q_{nat}$ or $Q_{nat \to nat}$ via the soundness theorem. The extra $*$ can be easily discarded from types (and extracts).

Lemma 5.1. For any IZF term $t$ which is not type-like, $\overline{\varphi[a := t]} = \overline{\varphi}$.

Proof. Straightforward induction on $\varphi$.

Lemma 5.2 (IZF). $(\exists a \in 2.\ \varphi(a))$ iff $\varphi(0) \vee \varphi(1)$.

We are now ready to describe the extraction function $E$, which takes an IZF proof $P$ of a formula $\varphi$ and returns an object of $TT_0$ type $\overline{\varphi}$.
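The assignment $\varphi \mapsto \overline{\varphi}$ is decided entirely by the syntactic shape of the formula and of the bounds of its quantifiers, so it can be implemented directly. The following Python program is an added example and not code from the paper: it encodes $TT_0$ types, the fragment of IZF terms needed to decide membership in $TL$, and IZF formulas as tagged nodes, implements $Type(\cdot)$, $T$ and $\overline{\varphi}$ as defined above, and checks examples (1)–(3) together with a quantifier bounded by the term $\mathbb{N} \cup \emptyset$ from the remark on $TL$. The `strip_star` function discards the uninformative $*$ components, as the text says one can. All names (`Ty`, `Term`, `Formula`, `content`, `strip_star`, `show`) and the string encoding of atomic formulas are my own choices.

```python
# Added example (not from the paper): the TT0 type overline(phi) of an IZF formula.
# Encodings are mine: types, terms and formulas are tagged nodes; atomic formulas
# (a ∈ b, a = b) are opaque strings since they carry no computational content.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ty:            # TT0 type: tag in {"*", "nat", "bool", "x", "+", "->", "P", "Q"}
    tag: str
    args: tuple = ()

@dataclass(frozen=True)
class Term:          # IZF term, as far as TL needs: "N", "2", "x", "+", "->", "other"
    tag: str
    args: tuple = ()

@dataclass(frozen=True)
class Formula:       # tag in {"atom", "or", "and", "imp", "exists", "forall"}
    tag: str         # quantifier args: (var, domain Term or None if unbounded, body)
    args: tuple = ()

STAR, NAT, BOOL = Ty("*"), Ty("nat"), Ty("bool")
def prod(a, b): return Ty("x", (a, b))
def sum_(a, b): return Ty("+", (a, b))
def arrow(a, b): return Ty("->", (a, b))
def P(phi): return Ty("P", (phi,))      # P_phi: IZF proofs of phi
def Q(tau): return Ty("Q", (tau,))      # Q_tau: pairs (t, proof of t ∈ [[tau]])

def type_of(A: Term) -> Optional[Ty]:
    """Type(A) when A ∈ TL, else None.  TL is syntactic: N ∪ ∅ is provably
    equal to N in IZF but is not in TL, so it is rejected here."""
    if A.tag == "N":
        return NAT
    if A.tag == "2":
        return BOOL
    if A.tag in ("x", "+", "->"):
        left, right = type_of(A.args[0]), type_of(A.args[1])
        return None if left is None or right is None else Ty(A.tag, (left, right))
    return None

def T(tau: Ty) -> Ty:
    """T(tau): the type of the extract from ∃x. x ∈ [[tau]]; pure tau only."""
    if tau.tag in ("nat", "bool"):
        return tau
    if tau.tag in ("x", "+"):
        return Ty(tau.tag, (T(tau.args[0]), T(tau.args[1])))
    if tau.tag == "->":   # to use a set function [[tau]] -> [[sigma]] we must supply Q_tau
        return arrow(Q(tau.args[0]), T(tau.args[1]))
    raise ValueError(f"T is only defined on pure types, got {tau.tag}")

def content(phi: Formula) -> Ty:
    """overline(phi): the TT0 type of the computational content of a proof of phi."""
    if phi.tag == "atom":
        return STAR
    if phi.tag == "or":
        return sum_(content(phi.args[0]), content(phi.args[1]))
    if phi.tag == "and":
        return prod(content(phi.args[0]), content(phi.args[1]))
    if phi.tag == "imp":
        return arrow(P(phi.args[0]), content(phi.args[1]))
    if phi.tag in ("exists", "forall"):
        _var, dom, body = phi.args
        ty = None if dom is None else type_of(dom)
        if ty is None:                        # unbounded, or bound not type-like
            return STAR
        return prod(T(ty), content(body)) if phi.tag == "exists" else arrow(Q(ty), content(body))
    raise ValueError(f"unknown formula tag {phi.tag}")

def strip_star(tau: Ty) -> Ty:
    """Discard the uninformative * components of products, as the text allows."""
    if tau.tag == "x":
        left, right = strip_star(tau.args[0]), strip_star(tau.args[1])
        return right if left == STAR else left if right == STAR else prod(left, right)
    if tau.tag in ("+", "->"):
        return Ty(tau.tag, (strip_star(tau.args[0]), strip_star(tau.args[1])))
    return tau

def show(tau: Ty) -> str:
    """Render a TT0 type roughly as the paper writes it."""
    if tau.tag in ("*", "nat", "bool"):
        return tau.tag
    if tau.tag in ("P", "Q"):
        return "P_phi" if tau.tag == "P" else f"Q_({show(tau.args[0])})"
    return f"({show(tau.args[0])} {tau.tag} {show(tau.args[1])})"

# Constructed inputs: the paper's examples (1)-(3) and a bound that is not in TL.
N = Term("N")
def atom(s): return Formula("atom", (s,))
def exists_in(v, A, body): return Formula("exists", (v, A, body))
def forall_in(v, A, body): return Formula("forall", (v, A, body))
EX1 = exists_in("x", N, atom("x = x"))
EX2 = forall_in("x", N, exists_in("y", N, atom("phi")))       # phi: any formula
EX3 = forall_in("f", Term("->", (N, N)), exists_in("x", N, atom("f(x) = 0")))
EX4 = exists_in("x", Term("other", ("N ∪ ∅",)), atom("x = x"))

if __name__ == "__main__":
    for name, ex in (("(1)", EX1), ("(2)", EX2), ("(3)", EX3), ("N ∪ ∅", EX4)):
        print(name, show(content(ex)), " stripped:", show(strip_star(content(ex))))
```

Running the file prints the three translations from the text and, for the fourth formula, just `*`: `type_of` follows the definition of $TL$ literally, so the same set written as $\mathbb{N} \cup \emptyset$ is not recognised as type-like and the existential loses its content. That syntactic character is precisely what Lemma 5.1 exploits when it substitutes a non-type-like term without changing $\overline{\varphi}$.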
We do it by induction on $\varphi$, checking on the way that the object returned is of type $\overline{\varphi}$. Recall that DP, TEP and NEP denote the Disjunction, Term and Numerical Existence Property, respectively. Case $\varphi$ of:
• $a \in b$. Return $*$. We have $* : *$.
• $a = b$. Return $*$. We have $* : *$, too.
• $\varphi_1 \vee \varphi_2$. Apply DP to $P$ to get a proof $P_1$ of either $\varphi_1$ or $\varphi_2$. In the former case return $inl(E(P_1))$, in the latter return $inr(E(P_1))$. By the inductive hypothesis, $E(P_1) : \overline{\varphi_1}$ (or $E(P_1) : \overline{\varphi_2}$), so $E(P) : \overline{\varphi}$ follows.
• $\varphi_1 \wedge \varphi_2$. Then there are proofs $P_1$ and $P_2$ such that $P_1 \vdash \varphi_1$ and $P_2 \vdash \varphi_2$. Return the pair $(E(P_1), E(P_2))$. By the inductive hypothesis, $E(P_1) : \overline{\varphi_1}$ and $E(P_2) : \overline{\varphi_2}$, so $(E(P_1), E(P_2)) : \overline{\varphi_1 \wedge \varphi_2}$.
• $\varphi_1 \to \varphi_2$. Return a function $G$ which takes an IZF proof $Q$ of $\varphi_1$, applies $P$ to $Q$ (using the modus ponens rule of first-order logic) to get a proof $R$ of $\varphi_2$, and returns $E(R)$. By the inductive hypothesis, any such $E(R)$ is in $El(\overline{\varphi_2})$, so $G : P_{\varphi_1} \to \overline{\varphi_2}$.
• $\exists a \in A.\ \varphi_1(a)$, where $A$ is type-like. Let $T = Type(A)$. We proceed by induction on $T$. Case $T$ of:
− $bool$. By Lemma 5.2, we have $\varphi_1(0) \vee \varphi_1(1)$. Apply DP to get a proof $Q$ of either $\varphi_1(0)$ or $\varphi_1(1)$. Let $b$ be $false$ or $true$, respectively. Return the pair $(b, E(Q))$. By the inductive hypothesis, $E(Q) : \overline{\varphi_1([\![b]\!])}$. By Lemma 5.1, since $[\![b]\!]_\rho$ is not type-like, $E(Q) : \overline{\varphi_1}$, so $(b, E(Q)) : T(bool) \times \overline{\varphi_1} = \overline{\exists a \in 2.\ \varphi_1(a)}$.
− $nat$. Apply NEP to $P$ to get a natural number $n$ and a proof $Q$ of $\varphi_1(n)$. Return the pair $(n, E(Q))$. By the inductive hypothesis, $E(Q) : \overline{\varphi_1(n)}$. By Lemma 5.1, since we can assume without loss of generality that $n$ is not type-like, $E(Q) : \overline{\varphi_1}$, so $(n, E(Q)) : T(nat) \times \overline{\varphi_1}$.
− $\tau \times \sigma$. Construct a proof $Q$ of $\exists a_1 \in [\![\tau]\!].\ \exists a_2 \in [\![\sigma]\!].\ a = \langle a_1, a_2 \rangle \wedge \varphi_1$. Let $M = E(Q)$.
By the inductive hypothesis, $M$ is a pair $\langle M_1, M_2 \rangle$ such that $M_1 : T(\tau)$ and $M_2 : \overline{\exists a_2 \in [\![\sigma]\!].\ a = \langle a_1, a_2 \rangle \wedge \varphi_1}$. Therefore $M_2$ is a pair $\langle M_{21}, M_{22} \rangle$ with $M_{21} : T(\sigma)$ and $M_{22} : \overline{a = \langle a_1, a_2 \rangle \wedge \varphi_1}$. Therefore $M_{22}$ is a pair $\langle N, O \rangle$, where $O : \overline{\varphi_1}$. Therefore $\langle M_1, M_{21} \rangle : T(\tau \times \sigma)$, so $\langle \langle M_1, M_{21} \rangle, O \rangle : T(\tau \times \sigma) \times \overline{\varphi_1}$, and we are justified to return $\langle \langle M_1, M_{21} \rangle, O \rangle$.
− $\tau + \sigma$. Construct a proof $Q$ of $(\exists a \in [\![\tau]\!].\ \varphi_1) \vee (\exists a \in [\![\sigma]\!].\ \varphi_1)$. Apply DP to get a proof $Q_1$ of (without loss of generality) $\exists a \in [\![\tau]\!].\ \varphi_1$. Let $M = E(Q_1)$. By the inductive hypothesis, $M = \langle M_1, M_2 \rangle$, where $M_1 : T(\tau)$ and $M_2 : \overline{\varphi_1}$. Return $\langle inl(M_1), M_2 \rangle$, which is of type $T(\tau + \sigma) \times \overline{\varphi_1}$.
− $\tau \to \sigma$. Use TEP to get a term $f$ such that $(f \in [\![\tau]\!] \to [\![\sigma]\!]) \wedge \varphi_1(f)$. Construct proofs $Q_1$ of $\forall x \in [\![\tau]\!].\ \exists y \in [\![\sigma]\!].\ f(x) = y$ and $Q_2$ of $\varphi_1(f)$. Without loss of generality, we can assume that $f$ is not type-like. By the inductive hypothesis and Lemma 5.1, $E(Q_2) : \overline{\varphi_1}$. Let $G$ be a function which works as follows: $G$ takes a pair $(t, R)$ such that $R \vdash t \in [\![\tau]\!]$, applies $Q_1$ to $t, R$ to get a proof $R_1$ of $\exists y \in [\![\sigma]\!].\ f(t) = y$, and calls $E(R_1)$ to get a term $M$. By the inductive hypothesis, $M : \overline{\exists y \in [\![\sigma]\!].\ f(t) = y}$, so $M = \langle M_1, M_2 \rangle$, where $M_1 : T(\sigma)$. The function $G$ returns $M_1$. Our extraction procedure $E(P)$ returns $\langle G, E(Q_2) \rangle$. The type of $\langle G, E(Q_2) \rangle$ is $(Q_\tau \to T(\sigma)) \times \overline{\varphi_1}$, which is exactly $T(\tau \to \sigma) \times \overline{\varphi_1}$.
• $\exists a \in A.\ \varphi_1(a)$, where $A$ is not type-like. Return $*$.
• $\exists a.\ \varphi_1(a)$. Return $*$.
• $\forall a \in A.\ \varphi_1(a)$, where $A$ is type-like. Return a function $G$ which takes an element $(t, Q)$ of $Q_{Type(A)}$, applies $P$ to $t$ and $Q$ to get a proof $R$ of $\varphi_1(t)$, and returns $E(R)$. Without loss of generality, we can assume that $t$ is not type-like.
By the inductive hypothesis and Lemma 5.1, $E(R) : \overline{\varphi_1}$, so $G : Q_{Type(A)} \to \overline{\varphi_1} = \overline{\forall a \in A.\ \varphi_1(a)}$.
• $\forall a \in A.\ \varphi_1(a)$, where $A$ is not type-like. Return $*$.
• $\forall a.\ \varphi_1(a)$. Return $*$.

5.2. HOL extraction. As in the case of IZF, we will show how to do extraction from a subclass of CHOL proofs. The choice of the subclass is largely arbitrary; our choice illustrates the method and can be easily extended. We say that a CHOL formula is extractable if it is generated by the following abstract grammar, where $\tau$ varies over pure $TT_0$ types and $\oplus \in \{\wedge, \vee, \to\}$.

$\varphi ::= \forall x : \tau.\ \varphi \mid \exists x : \tau.\ \varphi \mid \varphi \oplus \varphi \mid \bot \mid t = t$

We will define extraction for CHOL proofs of extractable formulas. By Theorem 3.11, if $\mathrm{CHOL} \vdash \varphi$, then $\mathrm{IZF} \vdash 0 \in [\![\varphi]\!]$. We need to slightly transform this IZF proof in order to come up with a valid input to $E$ from the previous section. To this end, for any extractable $\varphi(a_1, \ldots, a_n)$ we define an IZF formula $\varphi'(b_1, \ldots, b_n)$ such that $\mathrm{IZF} \vdash 0 \in [\![\varphi(a_1, \ldots, a_n)]\!]_{\rho[a_1 := b_1, \ldots, a_n := b_n]} \leftrightarrow \varphi'$. The formula $\varphi'$ is essentially $\varphi$ with type membership information replaced by set membership information. We define $\varphi'$ by induction on $\varphi$, checking the correctness on the way. We work in IZF. Let $\rho' = \rho[a_1 := b_1, \ldots, a_n := b_n]$. Thus we want to show $\mathrm{IZF} \vdash 0 \in [\![\varphi]\!]_{\rho'} \leftrightarrow \varphi'$. Case $\varphi$ of:
• $\bot$. Take $\varphi' \equiv 0 \in [\![\bot]\!]_{\rho'}$. The correctness is trivial.
• $t = s$. Take $\varphi' \equiv 0 \in [\![t = s]\!]_{\rho'}$. The correctness is trivial.
• $\varphi_1 \vee \varphi_2$. By the inductive hypothesis we get $\varphi'_1$ and $\varphi'_2$ such that $0 \in [\![\varphi_1]\!]_{\rho'} \leftrightarrow \varphi'_1$ and $0 \in [\![\varphi_2]\!]_{\rho'} \leftrightarrow \varphi'_2$. Take $\varphi' \equiv \varphi'_1 \vee \varphi'_2$. We have $0 \in [\![\varphi_1 \vee \varphi_2]\!]_{\rho'}$ iff $0 \in [\![\varphi_1]\!]_{\rho'}$ or $0 \in [\![\varphi_2]\!]_{\rho'}$ iff $\varphi'_1 \vee \varphi'_2$, which shows the claim.
• $\varphi_1 \wedge \varphi_2$.
By the inductive hypothesis we get $\varphi'_1$ and $\varphi'_2$ such that $0 \in [\![\varphi_1]\!]_{\rho'} \leftrightarrow \varphi'_1$ and $0 \in [\![\varphi_2]\!]_{\rho'} \leftrightarrow \varphi'_2$. Set $\varphi' \equiv \varphi'_1 \wedge \varphi'_2$. The correctness follows easily.
• $\varphi_1 \to \varphi_2$. By the inductive hypothesis we get $\varphi'_1$ such that $0 \in [\![\varphi_1]\!]_{\rho'} \leftrightarrow \varphi'_1$ and $\varphi'_2$ such that $0 \in [\![\varphi_2]\!]_{\rho'} \leftrightarrow \varphi'_2$. Set $\varphi' \equiv \varphi'_1 \to \varphi'_2$. The correctness follows easily.
• $\forall a : \tau.\ \varphi_1(a, a_1, \ldots, a_n)$. By the inductive hypothesis we get $\varphi'_1(b, b_1, \ldots, b_n)$ such that for all $b, b_1, \ldots, b_n$, $0 \in [\![\varphi_1]\!]_{\rho'[a := b]} \leftrightarrow \varphi'_1$. Set $\varphi' \equiv \forall a \in [\![\tau]\!].\ \varphi'_1(a, b_1, \ldots, b_n)$. For the correctness, we have $0 \in [\![\forall a : \tau.\ \varphi_1(a, a_1, \ldots, a_n)]\!]_{\rho'}$ iff for all $A \in [\![\tau]\!]$, $0 \in [\![\varphi_1]\!]_{\rho'[a := A]}$. By the inductive hypothesis, this is equivalent to $\forall A \in [\![\tau]\!].\ \varphi'_1(A, b_1, \ldots, b_n)$, which is precisely $\varphi'$.
• $\exists a : \tau.\ \varphi_1$. By the inductive hypothesis we get $\varphi'_1(b, b_1, \ldots, b_n)$ such that for all $b, b_1, \ldots, b_n$, $0 \in [\![\varphi_1]\!]_{\rho'[a := b]} \leftrightarrow \varphi'_1$. Set $\varphi' \equiv \exists a \in [\![\tau]\!].\ \varphi'_1(a, b_1, \ldots, b_n)$. The correctness follows as in the previous case.

Now we can finally define the extraction process. Suppose $\mathrm{CHOL} \vdash \varphi$, where $\varphi$ is closed and extractable. Let $\rho$ be the empty environment. Using the soundness theorem, construct an IZF proof $P$ that $0 \in [\![\varphi]\!]_\rho$. Use the definition above to get $\varphi'$ such that $\mathrm{IZF} \vdash 0 \in [\![\varphi]\!]_\rho \leftrightarrow \varphi'$ and, using $P$, obtain a proof $R$ of $\varphi'$. Finally, apply the extraction function $E$ to $R$ to get the computational extract.

5.3. Implementation issues. The extraction process is parameterized by the implementation of NEP, DP and TEP for IZF. Obviously, searching through all IZF proofs to get a witnessing natural number, term or disjunct would not be a very effective method. We discuss two alternative approaches.

The first approach is based on realizability.
Rathjen defines a realizability relation in [Rat05] for the weaker, predicative constructive set theory CZF. For any CZF proof of a formula $\varphi$, there is a realizer $e$ such that the realizability relation between $e$ and $\varphi$ holds; moreover, this realizer can be found constructively from the proof. Realizers provide the information for DP and NEP (which of the disjuncts holds, and the witnessing number). They could be implemented using lambda terms. These results have also recently been extended to IZF [Rat06]. The approach has the drawback of not providing the proof of TEP, which would restrict the extraction process from statements of the form $\exists x \in [\![\tau]\!].\ \varphi$ to atomic types $\tau$. Moreover, the gap between the existing theoretical result and a possible implementation is quite wide.

The second, more direct approach is based on Moczydlowski's proof in [Moc06a] of weak normalization of the lambda calculus $\lambda Z$ corresponding to proofs in IZF. The normalization is used to prove NEP, DP and TEP for the theory, and the necessary information is extracted from the normal form of the lambda term corresponding to the IZF proof. Thus, in order to provide the implementation of DP, NEP and TEP for IZF, it would suffice to implement $\lambda Z$, which is specified completely in [Moc06a, Moc06b].

An alternative approach has been presented by Berghofer [Ber04]. He defines extraction for a constructive variant of HOL logic directly in the generic theorem prover Isabelle and uses realizability to justify its correctness. His approach could likely be tailored to our CHOL, so that it would yield extracts equivalent to ours. An exciting project would be to formalize IZF and both methods of extraction in Isabelle and show their equivalence and correctness.

6. Conclusion

We have presented a computational semantics for HOL via the standard interpretation in intuitionistic set theory.
The semantics is clean, simple and agrees with the standard one. The advantage of this approach is that the extraction mechanism is completely external to Constructive HOL. Using only the semantics, we can take any constructive HOL proof and extract from it computational information. No enrichment of the logic with normalizing proof terms is necessary.

The separation of the extraction mechanism from the logic makes the logic very easily extendable. For example, inductive datatypes and subtyping have clean set-theoretic semantics, so they can easily be added to HOL preserving consistency, as witnessed in PVS. As the semantics would work constructively, the extraction mechanisms from section 5 could be easily adapted to incorporate them. Similarly, one could define a set-theoretic semantics for the constructive version of HOL implemented in Isabelle ([Ber04, BN02]) in the same spirit, with the same advantages.

The modularity of our approach, and the fact that it is much easier to give set-theoretic semantics for the logic than to prove normalization, could make the development of new trustworthy provers with extraction capabilities much easier and faster.

We would like to thank the anonymous reviewers for their helpful comments.

References

[ABC+06] Stuart Allen, Mark Bickford, Robert Constable, Richard Eaton, Christoph Kreitz, Lori Lorigo, and Evan Moran. Innovations in computational type theory using Nuprl. Journal of Applied Logic, 4(4):428–469, 2006.
[ACE+00] Stuart Allen, Robert Constable, Richard Eaton, Christoph Kreitz, and Lori Lorigo. The Nuprl open logical environment. In David McAllester, editor, Proceedings of the 17th International Conference on Automated Deduction, volume 1831 of Lecture Notes in Artificial Intelligence, pages 170–176. Springer Verlag, 2000.
[ACN90] Lennart Augustsson, Thierry Coquand, and Bengt Nordström.
A short description of another logical framework. In Proceedings of the First Annual Workshop on Logical Frameworks, pages 39–42, Sophia-Antipolis, France, 1990.
[Acz78] Peter Aczel. The type theoretic interpretation of constructive set theory. In A. MacIntyre, L. Pacholski, and J. Paris, editors, Logic Colloquium '77, pages 55–66. North Holland, 1978.
[Acz99] Peter Aczel. On relating type theories and set theories. In T. Altenkirch, W. Naraschewski, and B. Reus, editors, Types for Proofs and Programs: International Workshop, TYPES '98, Kloster Irsee, Germany, March 1998, volume 1657 of LNCS, pages 1–18, 1999.
[BBS+98] H. Benl, U. Berger, H. Schwichtenberg, et al. Proof theory at work: Program development in the Minlog system. In W. Bibel and P. G. Schmitt, editors, Automated Deduction, volume II, pages 41–71. Kluwer, 1998.
[BC04] Yves Bertot and Pierre Castéran. Interactive Theorem Proving and Program Development; Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. Springer-Verlag, 2004.
[Bee85] Michael J. Beeson. Foundations of Constructive Mathematics. Springer-Verlag, 1985.
[Ber04] Stefan Berghofer. Proofs, Programs and Executable Specifications in Higher Order Logic. PhD thesis, Technische Universität München, 2004.
[BN02] Stefan Berghofer and Tobias Nipkow. Executing Higher Order Logic. In P. Callaghan, Z. Luo, J. McKinna, and R. Pollack, editors, Types for Proofs and Programs: TYPES'2000, volume 2277 of LNCS, pages 24–40. Springer-Verlag, 2002.
[C+86] Robert L. Constable et al. Implementing Mathematics with the Nuprl Proof Development System. Prentice-Hall, NJ, 1986.
[Chu40] Alonzo Church. A formulation of the simple theory of types. The Journal of Symbolic Logic, 5:55–68, 1940.
[CPM90] Thierry Coquand and Christine Paulin-Mohring. Inductively defined types, preliminary version.
In COLOG '88, International Conference on Computer Logic, volume 417 of LNCS, pages 50–66. Springer, Berlin, 1990.
[Fri73] Harvey Friedman. The consistency of classical set theory relative to a set theory with intuitionistic logic. The Journal of Symbolic Logic, pages 315–319, 1973.
[GM93] Michael Gordon and Tom Melham. Introduction to HOL: A Theorem Proving Environment for Higher-Order Logic. Cambridge University Press, Cambridge, 1993.
[Har96] John Harrison. HOL Light: A tutorial introduction. In Formal Methods in Computer-Aided Design (FMCAD'96), volume 1166 of LNCS, pages 265–269. Springer, 1996.
[HNC+03] Jason Hickey, Aleksey Nogin, Robert L. Constable, Brian E. Aydemir, Eli Barzilay, Yegor Bryukhov, Richard Eaton, Adam Granicz, Alexei Kopylov, Christoph Kreitz, Vladimir N. Krupski, Lori Lorigo, Stephan Schmitt, Carl Witty, and Xin Yu. MetaPRL — A modular logical environment. In David Basin and Burkhart Wolff, editors, Proceedings of the 16th International Conference on Theorem Proving in Higher Order Logics (TPHOLs 2003), volume 2758 of LNCS, pages 287–303. Springer-Verlag, 2003.
[How96] Douglas J. Howe. Semantic foundations for embedding HOL in Nuprl. In Martin Wirsing and Maurice Nivat, editors, Algebraic Methodology and Software Technology, volume 1101 of LNCS, pages 85–101. Springer-Verlag, Berlin, 1996.
[How98] Douglas J. Howe. Toward sharing libraries of mathematics between theorem provers. In Frontiers of Combining Systems, FroCoS'98, ILLC. Kluwer Academic Publishers, 1998.
[Lei94] Daniel Leivant. Higher order logic. In D. M. Gabbay, C. J. Hogger, and J. A. Robinson, editors, Handbook of Logic in Artificial Intelligence and Logic Programming, Volume 2: Deduction Methodologies, pages 229–321. Clarendon Press, Oxford, 1994.
[LS86] J. Lambek and P. J. Scott.
Introduction to Higher-Order Categorical Logic, volume 7 of Cambridge Studies in Advanced Mathematics, page ?. Cambridge University Press, Cambridge, UK, 1986.
[McC86] David McCarty. Realizability and recursive set theory. Journal of Pure and Applied Logic, 32:153–183, 1986.
[ML82] Per Martin-Löf. Constructive mathematics and computer programming. In Proceedings of the Sixth International Congress for Logic, Methodology, and Philosophy of Science, pages 153–175, Amsterdam, 1982. North Holland.
[Moc06a] Wojciech Moczydlowski. Normalization of IZF with Replacement. In Proc. 15th Ann. Conf. of the EACSL (CSL 2006), volume 4207 of LNCS. Springer, 2006.
[Moc06b] Wojciech Moczydlowski. A Normalizing Intuitionistic Set Theory with Inaccessible Sets. Technical Report TR2006-2051, Cornell University, 2006.
[Moc07] Wojciech Moczydlowski. A Normalizing Intuitionistic Set Theory with Inaccessible Sets. Logical Methods in Computer Science, 3, 2007.
[Myh73] John Myhill. Some properties of intuitionistic Zermelo-Fraenkel set theory. In Cambridge Summer School in Mathematical Logic, volume 29, pages 206–231. Springer, 1973.
[NPS90] Bengt Nordström, Kent Petersson, and Jan M. Smith. Programming in Martin-Löf's Type Theory. Oxford Sciences Publication, Oxford, 1990.
[ORS92] S. Owre, J. M. Rushby, and N. Shankar. PVS: A prototype verification system. In Deepak Kapur, editor, Proceedings of the 11th International Conference on Automated Deduction, volume 607 of Lecture Notes in Artificial Intelligence, pages 748–752, Saratoga, NY, June 1992. Springer-Verlag.
[Rat05] Michael Rathjen. The disjunction and related properties for constructive Zermelo-Fraenkel set theory. Journal of Symbolic Logic, 70:1233–1254, 2005.
[Rat06] Michael Rathjen. Metamathematical properties of intuitionistic set theories with choice principles. 2006.
Manuscript, available from the web page of the author.
[RS63] Helena Rasiowa and Roman Sikorski. The Mathematics of Metamathematics. Number 41 in Monografie Matematyczne. Polish Scientific Publishers, 1963.
[The04] The Coq Development Team. The Coq Proof Assistant Reference Manual, Version V8.0, April 2004.
[Š85] Andrej Ščedrov. Intuitionistic set theory. In Morley, Ščedrov, Harrington and Simpson, editors, Harvey Friedman's Research on the Foundations of Mathematics, pages 257–284. North-Holland, 1985.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.