From formal proofs to mathematical proofs: a safe, incremental way for building in first-order decision procedures
We investigate here a new version of the Calculus of Inductive Constructions (CIC) on which the proof assistant Coq is based: the Calculus of Congruent Inductive Constructions, which truly extends CIC by building in arbitrary first-order decision procedures: deduction remains in the charge of the CIC kernel, while computation is outsourced to dedicated first-order decision procedures that can be taken off the shelf provided they deliver a proof certificate. The soundness of the whole system becomes an incremental property following from the soundness of the certificate checkers and that of the kernel. A detailed example shows that the resulting style of proofs becomes closer to that of the working mathematician.
💡 Research Summary
The paper proposes a new extension of the Calculus of Inductive Constructions (CIC), the underlying formalism of the Coq proof assistant, called the Calculus of Congruent Inductive Constructions (CCIC). The motivation is two‑fold. First, CIC’s conversion rule only identifies terms that reduce to a common form, so it cannot identify two types whose indices are equal only up to a first‑order fact: defining certain functions on dependent data structures (e.g., reversing a length‑indexed list) requires equalities between length indices, such as n + 1 = S n or commutativity of addition, that are provable but not computationally reducible, and the user has to insert explicit casts along proof terms. Second, existing attempts to integrate first‑order decision procedures into Coq, through custom tactics, rewrite rules, or the “little proof engines” of PVS, either lack a trustworthy soundness argument or leave the easy computational steps for the user to discharge by hand.
CCIC addresses these issues by cleanly separating deduction (handled by the unchanged CIC kernel) from computation (delegated to external first‑order decision procedures). When a conversion goal is sent to a decision procedure, the procedure receives the goal together with all hypotheses currently in the context. It returns, besides the result, a proof certificate that is checked by a small, independently verified certificate checker; the procedure itself is never trusted. The overall soundness of the system then follows from the soundness of the kernel and the soundness of each certificate checker, so adding a new decision procedure only enlarges the trusted base by its (small) checker, which is the incremental safety model of the title.
The authors formalize CCIC by extending CIC’s conversion rule with an abstract congruence relation derived from a fixed first‑order theory whose entailment is decidable (e.g., Presburger arithmetic). They embed parametric multi‑sorted algebras into CIC, illustrate the approach with natural numbers, parametric lists, and dependent words, and show how to define functions such as list append and list reversal that were previously impossible to write in pure CIC without explicit casts. The use of the congruence in conversion is deliberately restricted with respect to recursive definitions so that strong normalization, confluence, coherence, and decidability of type checking are preserved; these properties were proved by reusing the strong normalization proof of the Calculus of Algebraic Constructions (CAC) and by new arguments concerning product types.
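To make the CIC limitation concrete, here is an added example written for this summary (not code from the paper or from the Coq standard library): it defines append and reverse on length‑indexed vectors in plain Coq and shows why append needs no proof term while reverse does. The names `vapp`, `vrev_naive` and `vrev` are assumptions of this example; it relies only on the standard library's `Vector.t`, `eq_rect` and `Nat.add_1_r`.

```coq
(* Added example, not code from the paper: the CIC limitation CCIC starts from.
   Length indices are natural numbers and Nat.add recurses on its first
   argument, so 0 + m and S n + m reduce by conversion, but n + 1 and S n
   do not: the kernel knows no arithmetic beyond reduction. *)
From Coq Require Vector.
From Coq Require Import Arith.

(* Append type-checks without any proof term: the nil branch must have type
   Vector.t A (0 + m), which reduces to Vector.t A m, and the cons branch must
   have type Vector.t A (S n0 + m), which reduces to Vector.t A (S (n0 + m)). *)
Fixpoint vapp {A : Type} {n m : nat} (v : Vector.t A n) (w : Vector.t A m)
  {struct v} : Vector.t A (n + m) :=
  match v in Vector.t _ n' return Vector.t A (n' + m) with
  | Vector.nil _ => w
  | Vector.cons _ x _ v' => Vector.cons _ x _ (vapp v' w)
  end.

(* Naive reverse is rejected by the kernel: the cons branch builds a
   Vector.t A (n0 + 1) but must return a Vector.t A (S n0), and n0 + 1 does
   not reduce to S n0 because n0 is a variable. `Fail` turns the expected
   type error into a successful command so the file still compiles. *)
Fail Fixpoint vrev_naive {A : Type} {n : nat} (v : Vector.t A n)
  {struct v} : Vector.t A n :=
  match v in Vector.t _ n' return Vector.t A n' with
  | Vector.nil _ => Vector.nil _
  | Vector.cons _ x _ v' =>
      vapp (vrev_naive v') (Vector.cons _ x _ (Vector.nil _))
  end.

(* What pure CIC forces on the user: transport the result along an explicit
   proof of n0 + 1 = S n0 (Nat.add_1_r from the standard library). This cast
   is the "easy computational step" that CCIC moves into conversion, where a
   Presburger decision procedure settles it and vrev_naive is accepted as is. *)
Fixpoint vrev {A : Type} {n : nat} (v : Vector.t A n)
  {struct v} : Vector.t A n :=
  match v in Vector.t _ n' return Vector.t A n' with
  | Vector.nil _ => Vector.nil _
  | Vector.cons _ x n0 v' =>
      @eq_rect nat (n0 + 1) (Vector.t A)
               (vapp (vrev v') (Vector.cons _ x _ (Vector.nil _)))
               (S n0) (Nat.add_1_r n0)
  end.

(* The cast is part of the term, so every later lemma about vrev has to
   reason about eq_rect as well. *)
Print vrev.
```

Running this file through `coqc` succeeds: the `Fail` line reports the type mismatch between `n0 + 1` and `S n0`, and `vrev` is accepted only because of the `eq_rect` cast. The cast is not just noise at definition time: any proof about `vrev` must reason about the transported term, and a cast along an opaque lemma also blocks computation on closed inputs. In CCIC the first‑order fact `n0 + 1 = S n0` is decided inside conversion, so the `vrev_naive` definition type‑checks directly, which is the paper's claim that reversal on dependent lists becomes definable without manual casts.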
Practically, the paper presents several examples demonstrating that CCIC enables a proof style closer to that of working mathematicians: complex calculations are hidden inside certified decision procedures, while the user only writes the high‑level logical steps. The framework also supports both a safe mode (certificates required and checked) and an unsafe mode (direct use of a decision procedure without a certificate, at the cost of trusting the procedure itself), and it can provide explanatory output when a decision procedure fails.
In summary, CCIC offers a modular, trustworthy way to enrich Coq with arbitrary first‑order decision procedures without compromising the kernel’s simplicity or its meta‑theoretic guarantees. The work opens avenues for further integration of richer theories, automated certificate generation, and broader compatibility with existing Coq libraries.