Verifiable certificates for predicate subtyping

. Adding predicate subtyping to higher-order logic yields a very expressive language in which type-checking is undecidable, making the deﬁnition of a system of veriﬁable certiﬁcates challenging. This work presents a solution to this issue with a minimal formalization of predicate subtyping, named PVS-Core, together with a system of veriﬁable certiﬁcates for PVS-Core, named PVS-Cert. PVS-Cert is based on the introduction of proof terms and explicit coercions. Its design is similar to that of PTSs with dependent pairs, at the exception of the deﬁnition of conversion, which is based on a speciﬁc notion of reduction → β ∗ , corresponding to β -reduction combined with the erasure of coercions . The use of this reduction instead of the more standard reduction → βσ allows to establish a simple correspondence between PVS-Core and PVS-Cert. On the other hand, a type-checking algorithm is designed for PVS-Cert, built on proofs of type preservation of → βσ and strong normalization of both → βσ and → β ∗ . Using these results, PVS-Cert judgements are used as veriﬁable certiﬁcates for predicate subtyping. In addition, the reduction → βσ is used to deﬁne a cut elimination procedure adapted to predicate subtyping. Its use to study the properties of predicate subtyping is illustrated with a proof of consistency.


Introduction
Extending higher-order logic with predicate subtyping yields a very expressive type system, used notably at the core of the proof system PVS [17].However, proof judgements and typing judgements become entangled in the presence of predicate subtyping, making type-checking undecidable.As a consequence, defining a language of verifiable proofs for predicate subtyping becomes challenging.In pure higher-order logic, complete judgement derivations are too heavy to be used in practice as certificates, but lighter certificates can be produced by removing typing rules, recording deduction rules only: as this approach requires the decidability of type-checking, it doesn't apply directly to predicate subtyping.
This paper presents a new formal language, PVS-Cert, designed to be used as a language of verifiable certificates for predicate subtyping.PVS-Cert is built starting from a minimal formalization of predicate subtyping named PVS-Core, by adding explicit proofs and coercions.PVS-Cert is also equipped with a notion of cut elimination, which can be used directly to study both PVS-Cert and PVS-Core meta-theoretical properties.
1.1 Extending higher-order logic with predicate subtyping Higher-order logic is characterized by the coexistence of types and predicates as two radically different kinds of attributes to mathematical expressions.For instance, the mathematical expression 1+1 can be assigned a type Nat expressing that it is a natural number, or a predicate Even expressing that it is divisible by two.The assignment of types remains very simple: in particular, type-checking is decidable in higher-order logic.In return, most attributes of mathematical expressions formulated as predicates cannot be formulated as types: for instance, being a natural number different from 0 is expressible as a predicate, but not as a type.
Predicate subtyping allows to recover a symmetrical situation between the expressivity of types and predicates.It is defined as the addition of new types, referred to as predicate subtypes.Given a predicate P defined on a domain A (e.g.Even, defined on the domain Nat), the predicate subtype {x : A | P (x)} is defined.An expression t can be assigned this type if and only if it can be assigned the type A and P (t) is provable.For instance, if Nonzero is a predicate of domain Nat expressing the difference of a natural number from 0, then 1 admits the type {x : Nat | Nonzero(x)} as long as Nonzero(1) is provable.
This augmented expressivity of the language of types permits to exclude many unwanted expressions from reasoning.For instance, defining the denominators domain of Euclidean division as {x : Nat | Nonzero(x)}, all divisions in which the denominator is not provably different from zero become ill-typed.
As expressions may have several types, predicate subtyping induces a form of subtyping: for instance, as any expression of type {x : Nat|Nonzero(x)} also admits the type Nat, the former can be considered as a subtype of the latter.
As previously mentioned, a major counterpart of this extension of higherorder logic is the fact that typing judgements and proof judgements become entangled.For instance, proving the equality (1/1) = 1 requires that 1 can be assigned the type {x : Nat|Nonzero(x)}, which, in turn, requires that Nonzero(1) is provable.As a direct consequence, type-checking is not decidable in the presence of predicate subtyping.

Contributions
PVS-Core Higher-order logic, as well as its extension with predicate subtyping, can be defined in various ways.The first contribution of this paper is the formalization, in Section 2, of a minimal system for predicate subtyping, denoted PVS-Core.Besides its minimality, the main design choice for this system is the use of β-equivalence as a conversion relation (or definitional equality).
PVS-Cert and its basic properties Starting from PVS-Core, the second contribution of this work is the formalization, in Section 3, of a language of verifiable proofs for PVS-Core.This new language, denoted PVS-Cert, is designed from PVS-Core with the addition of explicit proof terms, formalized as λ-terms, as well as the addition, at the level of expressions, of explicit coercions based on these proof terms.The addition of explicit proof terms follows the Curry-Howard isomorphism in the sense that PVS-Cert proofs terms are typed by their corresponding formulas.
PVS-Cert is an extension of the Pure Type System (PTS) λ-HOL (see for instance [4], where λ-HOL as well as the general notion of PTS are defined).More precisely, PVS-Cert is designed to extend λ-HOL in the same way as PVS-Core extends higher-order logic (denoted HOL in the following).This situation is illustrated in this diagram, where vertical arrows represent extensions and horizontal arrows represent the introduction of explicit proofs (and, in the case of PVS-Core and PVS-Cert, of explicit coercions).

λ-HOL
This choice of a PTS-like system is well-suited to describe reasoning modulo β: all steps of β-reduction or β-expansion are kept implicit in proof terms, which allows to keep them compact.As detailed in Section 3.3, PVS-Cert is comparable to the formalism of PTSs with dependent pairs.However, conversion in PVS-Cert is neither defined as ≡ β nor as its extension ≡ βσ (see for instance [16]) used in PTSs with dependent pairs: instead, it uses a new conversion relation ≡ β * corresponding to syntactical equality modulo β-reduction and coercion erasure (defined in Section 3.1).This distinctive definition allows to define a simple correspondence between PVS-Core and PVS-Cert -presented later in Section 9.
Basic properties of PVS-Cert are presented in Section 4, containing notably the Church-Rosser property for the reduction → β * underlying the conversion ≡ β * , as well as the uniqueness of types: contrary to the case of PVS-Core, a well-typed term admits a unique type up to ≡ β * .
As in λ-HOL, well-typed terms are organized according to a stratification, presented in Section 5, which includes a class of types, a class of expressions (containing notably propositions), and a class of proof terms.This stratification is at the core of the correspondence between PVS-Cert and PVS-Core.
Type preservation and strong normalization Instead of the case of the reduction → βσ in PTSs with dependent pairs, → β * is not a type preserving reduction in PVS-Cert.We prove however in Section 6 that → βσ is a type preserving reduction in PVS-Cert (Theorem 6).
In Section 7, we present the main ideas leading to a proof of strong normalization for both → β * and → βσ (Theorem 7) -the details of the proof can be found in the author's PhD dissertation [1].Moreover, the strong normalization of the type preserving reduction → βσ defines a cut elimination theorem (Theorem 8).This theorem is used in the following of this section to prove the consistency of PVS-Cert.This result is used in turn at the very end of this work to conclude the consistency of PVS-Core, illustrating how cut elimination in PVS-Cert can be used to study the meta-theoretical properties of predicate subtyping.
Type-checking in PVS-Cert We present in Section 8 the design of a typechecking algorithm for PVS-Cert, showing that, contrary to the case of PVS-Core, type-checking is decidable in PVS-Cert.This algorithm is based on the type preservation of → βσ as well as the strong normalization of → β * and → βσ .
Using PVS-Cert as a system of verifiable certificates for PVS-Core The connection between PVS-Core and PVS-Cert is formalized in Section 9. On the one hand, a translation from PVS-Cert to PVS-Core is defined through the erasure of coercions.On the other hand, the choice of conversion ≡ β * in PVS-Cert allows to define a very simple translation from PVS-Core derivations to PVS-Cert derivable judgements (Definition 7 and Theorem 11).
These translations are used in Section 10 together with the PVS-Cert typechecking algorithm to define how to use PVS-Cert judgements as verifiable certificates for PVS-Core (Definition 8), reaching the first purpose of this paper.Such certificates are much lighter than the PVS-Core derivations represented through them, as they only require to record one single judgement.
Last, the translations between PVS-Core and PVS-Cert are exploited to transpose the consistency property, established in PVS-Cert using cut elimination, to PVS-Core.This illustrates how the PVS-Cert cut elimination theorem can be used to study both PVS-Cert and PVS-Core meta-theoretical properties.

Related works
The most important related work is the author's PhD dissertation [1], which contains detailed versions of all proofs presented in this paper.
The introduction of predicate subtyping can be traced back to the first-order language OBJ2 [9] and its sort constraints, allowing to restrict some typing relations to the satisfaction of a predicate.This idea was later refined and combined with higher-order logic in the proof system PVS, which is the most important system based on predicate subtyping.Overviews of the PVS specification language and its use of predicate subtyping are given for instance in [17] and [20].
In the present work, the issue of the undecidability of predicate subtyping is handled with the introduction of an alternative system, PVS-Cert.An alternative approach to this issue is to weaken the definition of predicate subtyping sufficiently to obtain systems in which type-checking remains decidable.This approach has been followed in [19,13].A intermediate situation is followed in [15], in which predicate subtyping is weakened sufficiently to allow for run-time typechecking verifications.However, contrary to the case of PVS, predicate subtyping is not fully represented in these different systems.
As mentioned in the previous section, PVS-Cert is an adaptation of the formalism of Pure Type Systems (PTSs) -sometimes also referred to as Generalized Type Systems (GTSs) -, presented for instance in [4].The definition of PTSs is itself the result of several successive works, including notably [7, 24-26, 11, 3].More specifically, PVS-Cert is derived from the notion of PTSs with dependent pairs, which has its roots in the system ECC [16].A subsystem of PVS-Cert, named PVS-Cert − and presented in Section 3, corresponds directly to a fragment of ECC (PVS-Cert − is the system obtained from PVS-Cert by replacing ≡ β * by the standard conversion ≡ βσ of PTSs with dependent pairs).PVS-Cert − is also comparable to the notion of subset types in Coq [5].However, contrary to PVS-Cert, PVS-Cert − and subset types are not well-suited to reflect predicate subtyping, as conversion in these systems do not reflect conversion in PVS-Core -more precisely, Proposition 5 doesn't hold with ≡ βσ .
Another important related work is [8], in which two systems are presented: ICC Σ , a type system with implicit type constructions, and AICC Σ , a system obtained from ICC Σ by adding explicit coercions.ICC Σ contains several advanced features, including a generalization of predicate subtypes.The construction of PVS-Cert from PVS-Core follows the same idea as the construction of AICC Σ from ICC Σ : adding the missing information explicitly in the terms of the language to recover the decidability of type-checking.The main difference between the two approaches lies in the complexity of the respective languages.ICC Σ is a very rich and complex language, making its analysis difficult -in particular, strong normalization in ICC Σ is kept as a conjecture, on which the decidability of type-checking itself relies.Conversely, PVS-Core is designed as a minimal language including predicate subtyping, making its analysis simpler.
A variant of predicate subtyping was also formalized as an extension of the calculus of constructions in [22].In the same way as in the present work, this presentation contains two systems connected with each other.On the one hand, it includes one system, named Russell, which is comparable to a weakened version of PVS-Core in which a term t of type A admits the type {x : A | P } even when P [t/x] is not provable.In this variant of predicate subtyping named subset equivalence, type-checking is decidable.On the other hand, this work includes a system with explicit coercions which is comparable to PVS-Cert.Contrary to PVS-Core, Russell derivations are not intended to contain all information necessary to build complete terms with explicit coercions: instead, a translation producing incomplete terms in the system with explicit coercions is presented.This system allows to write programs and specifications together in Russell, and to prove their correctness in a second step by filling all proof holes produced through the translation, in a way which is similar to the functioning of PVS.
Contrary to the case of PVS-Core and Russell, PVS-Cert and the counterpart of Russell with explicit coercions have similar characteristics.Although its theoretical properties are not formalized, this latter system is presented as a simple extension of the proof-irrelevant type theory presented in [27].There exists indeed a tight connection between proof irrelevance and PVS-Cert: if one considers for instance the usual predicate Even on natural numbers expressing divisibility by two, the predicate subtype even = {x : Nat | Even(x)}, and two expression with explicit coercions 2, p even and 2, q even of this type with p and q two proofs of Even(2), then the hypothesis of proof irrelevance ensures that the expressions 2, p even and 2, q even are convertible, as does the choice of conversion relation ≡ β * in PVS-Cert.
This relation between proof irrelevance and predicate subtyping is explored further in [27].Besides the fact that this work is based on the calculus of constructions and besides some technical differences in the precise definition of conversion between the system presented in this paper and PVS-Cert, analyzing the strong relation between these two systems appears as a very interesting future work.In particular, it would provide a possible strategy for building a proof of strong normalization for this system from the proof of strong normalization presented in Section 7. Also following the relation between proof irrelevance and predicate subtyping, the system IITT presented in [2], which is equipped with explicit occurrences of irrelevant terms, also admits some similarities with PVS-Cert.However, it is restricted to predicative type theory, in which higher-order reasoning cannot be expressed.
Another important work carried out on predicate subtyping is the presentation of formal semantics for PVS in [18].This works defines, for some fragment of the PVS language including predicate subtyping but also other features such as parametric theories, set-theoretical interpretations of types and expressions.These interpretations are limited to standard interpretations: the interpretation of a function type is the set of all functions from the interpretation of the domain to the interpretation of the co-domain, and the interpretation of the type of propositions is a set containing exactly two elements, distinguishing true propositions from false ones.Such an approach is complementary to the presented paper, which is only focused on the distinction between provable propositions and unprovable ones.As a possible future work, it would be interesting to adapt the work presented in [18] to obtain a notion of standard model for PVS-Core.

PVS-Core: a minimal extension of HOL with predicate subtyping
This section is dedicated to the first contribution of this work: the formalization of a minimal system for predicate subtyping.This system is named PVS-Core, in reference to PVS [17].The main distinctive design choice for PVS-Core is the introduction of a conversion relation (or definitional equality), corresponding to β-equivalence.

Definitions
Variables and terms We first define a set of variables V as the disjoint union of two infinite countable sets of symbols V expressions and V types .We introduce the generic notation v or w to refer to a variable in general, as well as the following specific notations: -The notation X or Y refers to variables in V types .
-The notation x or y refers to variables in V expressions .
Then, we define a set of terms as the disjoint union of the three following sets.The last two are defined together recursively.
-The first set contains a unique symbol: T ype.
-The second set is the set of types.It is given with the following grammar: A, B := X | P rop | Πx : A.B | {x : A | P } -The last set is the set of expressions.It is given with the following grammar: t, u, P, Q := x | ∀x : There is no formal distinction between the expressions denoted t or u and the expressions denoted P or Q, as all of them refer to expressions in general.Yet, in the following, the notations P and Q will be often used to refer to expressions admitting the type P rop, also referred to as formulas or propositions.
Declarations, contexts, judgements We define: -Three kinds of declarations: We use the notation DV (Γ ) to refer to the set of variables declared in a context Γ : for instance, DV (P, x : A, X : T ype) = {x, X}.
Reduction We equip PVS-Core terms with the usual β-reduction.In the following, we use the notation β for the reduction of a β-redex, → β for the context closure of β , β for the reflexive transitive closure of β , and ≡ β for the symmetric closure of β , i.e. β-conversion.

Derivation rules
The rules of PVS-Core are the following:

A minimal system expressing of predicate subtyping
Predicate subtyping is expressed in PVS-Core with the term construction {x : A | P } and the following rules: -Subtype, the rule of formation of predicate subtypes.
-SubtypeIntro, which is a rule of introduction.-SubtypeElim1 and SubtypeElim2, which are rules of elimination.
The system obtained from PVS-Core by removing the construction {x : A | P } and these four rules is a formulation of constructive higher-order logic.In particular, the types of this subsystem correspond to the expected simple types : for any type of the form Πx : A.B in this subsystem, x cannot appear free in B, hence this type is a non-dependent function type.As a consequence, the rule TypeConversion can be safely removed from this subsystem to obtain a simpler but equivalent formulation of higher-order logic.
PVS-Core is a minimal constructive system, which can be extended with classical reasoning or extensionality principles through the addition of axioms.
The rule PropConversion, in which conversion is a side condition instead of a premise, allows to consider reasoning modulo β, which will be useful in the definition of PVS-Cert to keep proof terms compact.The rule TypeConversion is its counterpart at the level of typing, allowing to consider both types and expressions modulo β.

PVS-Cert: verifiable certificates for PVS-Core
This section is dedicated to the presentation of an alternative system, PVS-Cert, which will be used to achieve the purpose of the work: defining a language of verifiable certificates for predicate subtyping.
At first glance, there is no need to introduce any new system to design PVS-Core certificates: the language of PVS-Core derivations itself is a language of verifiable proofs for PVS-Core.However, this language is heavy as many parts of PVS-Core derivations contain unnecessary or redundant information.As a comparison, in higher-order logic, as type-checking is decidable, only the deduction rules need to be recorded.
The main idea in the definition of PVS-Cert as a language of certificates for predicate subtyping is to formalize proofs as new kinds of terms, in addition to the types and expressions which are already present in PVS-Core, and to introduce explicit coercions based on these proof terms in order to ensure the decidability of type-checking.As a consequence, a complete certificate is simply the typing judgement of some proof term with its corresponding theorem.Such certificates are much lighter than PVS-core derivations, as only one single judgement is recorded.
Moreover, PVS-Cert will be equipped (in Section 7) with a definition of cut elimination, defined as a computation rule on proof terms.

Definitions
As detailed further in Section 3.2, the definition of PVS-Cert is strongly related to the formalism of PTSs, presented for instance in [4].

Terms We define:
-Sorts S = {P rop, T ype, Kind} We use the notation s to refer to a sort.-Axioms A = {(P rop, T ype), (T ype, Kind)} -Rules R = {(P rop, P rop, P rop), (T ype, T ype, T ype), (T ype, P rop, P rop)} -Variables The set of variables V is the disjoint union of three infinite countable sets of symbols V proof s , V expressions , and V types .The sets V expressions and V types refer to their respective definitions in PVS-Core, while the set V proof s is new.We use the notation v to refer to a variable and s(v) to refer to the unique sort s such that v ∈ V s .
-Terms T is given by the following grammar: Contexts, judgements We define: Reduction The main specificity of PVS-Cert is the use of a distinctive notion of reduction and conversion.In addition to the usual β-redex reduction (λv : we introduce a new reduction relation * , defined with the following rules: We denote the union of β and * as β * .As in the definition of PVS-Core, we use the notation → β * for the context closure of β * , β * for the reflexive transitive closure of β * , and ≡ β * for the symmetric closure of β * .The new relation * , which can be interpreted as a the elimination of a coercion at the head of a term, allows the expression of predicate subtyping in PVS-Cert.More detailed motivations and justifications for this definition are given in Section 3.3.

Derivation rules
The rules of PVS-Cert are defined as follows:

An extension of λ-HOL
PVS-Cert is an extension of the PTS λ-HOL (see for instance [4]).More precisely, λ-HOL can be obtained from PVS-Cert by removing the term constructions {v : T | U }, π i (M ), and M, N T , removing the rules Subtype, Pair, Proj1, and Proj2, and replacing ≡ β * by ≡ β in the Conversion rule.
As PTS-like systems, the formalism of PVS-Cert allows to describe reasoning modulo β: all steps of β-reduction or β-expansion in reasoning are kept implicit, which allows to keep proofs terms compact, making PVS-Cert more scalable.Moreover, the choice of formalization of PVS-Cert as a PTS-like system allows to transpose some PTS properties to PVS-Cert, such as the thinning property and the substitution property mentioned in the next section.It also allows to describe this system using a small number of rules in comparison with PVS-Core, making the proof of certain expected properties of PVS-Cert lighter.
The well-typed terms of PVS-Cert are classified into the same classes as in the case λ-HOL, involving a class of types, a class of expressions, and a class of proof terms.This property is presented in Section 5, and referred to as stratification.

Expressing predicate subtyping
The expression of predicate subtyping in PVS-Cert is enlightened through the stratification: indeed, in any derivable judgement, terms of the form {v : T | U } are types, expressing predicate subtypes terms of the form M, N T of π 1 (M ) are expressions, and correspond respectively to explicit coercions going from a type to some of its predicate subtypes and back terms of the form π 2 (M ) are proofs, expressing the PVS-Core deduction rule SubtypeElim2.
As mentioned in the introduction, this formalism used to express predicate subtyping is very similar to the formalism of dependent pairs, used for instance in the type system ECC [16].More precisely, the terms {v : T | U } are comparable with types of dependent pairs (usually denoted Σv : T.U ), the terms M, N T are comparable with dependent pairs, and the terms π i (M ) are comparable with projections.
The only difference between PVS-Cert and the formalism of dependent pairs lies in the choice of conversion ≡ β * : in the case of a system with dependent pairs, ≡ β * is replaced by the more standard conversion ≡ βσ .This conversion is defined from the usual reduction π i M 1 , M 2 T σ M i .In the following, we define the relations βσ , → βσ , βσ , and ≡ βσ in the same way as done in the definition of ≡ β * in the definition of PVS-Cert.
Applied to well-typed terms, the conversion ≡ β * includes the more standard conversion ≡ βσ (this property is a direct consequence of Theorem 5 together with the Church-Rosser property of → βσ ).However, this inclusion is strict: for instance, it is not difficult to find two well-typed terms M, N 1 T and M, N 2 T which are not convertible using ≡ βσ , although they are convertible using ≡ β * .
As a direct consequence of this property, PVS-Cert is an extension of the system obtained from it by replacing ≡ β * by ≡ βσ , and this extension is strict.In this paper, this subsystem of will be referred to as PVS-Cert − .It is a PTS with dependent pairs, and corresponds more precisely to the system obtained from the PTS λ-HOL by adding the single dependent pair rule (T ype, P rop, T ype).It is strictly included in the type system ECC presented in [16].
An mentioned in the introduction, this choice of a strictly more flexible conversion allows to define a very simple translation from PVS-Core derivations to PVS-Cert derivable judgements.Indeed, using ≡ β * ensures that two PVS-Cert types (resp.expressions) are convertible as long as the corresponding types (resp.expressions) in PVS-Core are also convertible, which allows to define a very simple translation from PVS-Core derivations to PVS-Cert derivable judgements (Definition 7 and Theorem 11).
The reduction → β * underlying conversion does not preserve typing: for instance, the judgement x : P rop, h : x x, h T : T with T = {y : P rop | y} is derivable, and x, h T → β * x, but x : P rop, h : x x : T is not derivable.However, as presented in Section 6, the reduction → βσ is type preserving, and will be used both as a definition of cut elimination for PVS-Cert proofs (Section 7) and in the definition of a type checking-algorithm (Section 8).

Properties of PVS-Cert
One of the most important properties satisfied by PVS-Cert if the Church-Rosser property.
Proof.T equipped with → β * is an orthogonal combinatory reduction system (as defined in [14]), as rules are left-linear and non-overlapping.As proved in [14], such a system admits the Church-Rosser property.
In the case of PTSs, the Church-Rosser property of → β is at the core of the type preservation of → β .In the case of PVS-Cert, the situation is different, as → β * is not a type preserving reduction.However, in a first step, the Church-Rosser property of → β * will be used to establish the expected stratification theorem, presented in Section 5.In a second step, the Church-Rosser property of → β * will be used again together with the stratification theorem to establish the type preservation of an alternative reduction, → βσ , used both as a definition of cut elimination (Section 7) and at the core of the definition of a type-checking algorithm (Section 8).
Another important property of PVS-Cert used to design a type-checking algorithm is the uniqueness of types modulo conversion.As presented in Section 8, this property allows -together with the decidability of ≡ β * on well-typed terms -to reduce the problem of type-checking to a problem of type inference.This property also underlines the fact that that, even though PVS-Cert is designed to reflect predicate subtyping, it doesn't admit any subtyping itself.The proof of type uniqueness is standard, and does not involve any specific difficulty.
PVS-Cert also satisfies several other standard properties expected from PTSs and PTSs extended with dependent pairs, among which thinning and substitution, described for instance in [4]), as well as context conversion, described for instance in [21], which is based on the extension of conversion to contexts.In these three cases, the corresponding proofs are straightforwardly adapted from the case of PTS.
We end this section with the following important theorem, which also holds in λ-HOL.The proof is adapted from the case of λ-HOL and does not involve any specific difficulty.
T is derivable and T = Kind, there exists a sort s such that Γ T : s.

Stratification in PVS-Cert
The stratification of terms in PVS-Cert reveals a strong link between PVS-Cert and PVS-Core (defined in Section 9), in the same way as the stratification of terms in λ-HOL reveals its link with higher-order logic.The property of stratification holds for several other systems, such as the injective PTSs presented in [11] -in this paper, PTSs are referred to as GTSs, and this result is referred to as classification.
The main lemma used to establish such a result is the fact that, whenever the rule of conversion is used in some derivation, the two terms involved in the conversion belong to the same class of terms.The simplest way to prove this result is to choose classes of terms that are stable under reduction and to conclude using the Church-Rosser theorem.In the case of injective PTSs, these classes are specific classes of well-typed terms, and the stability under reduction follows from the type preservation of → β .
However, as mentioned in Section 3.3, type preservation does not hold for → β * in PVS-Cert.For this reason, we will choose a relaxed definition of stratified terms, where the different classes are not restricted to well-typed terms.Using this relaxed definition, it will be possible to prove, even in the absence of type preservation for → β * , that most classes of stratified terms are stable by reduction with → β * .
We first present three classes of terms: types, expressions, and proofs.The expected property of stability by reduction will only be proved for types and expressions (Proposition 1), which is not problematic as the conversion rules are never directly applied to proofs in valid derivations.

Definition 1 (Variables stratification). We introduce the notations:
-X, Y, Z for variables in V types x, y, z for variables in V expressions h for variables in V proof s Definition 2 (Stratified terms).We define stratified terms as follows.
-Types A, B := Remark 2. As in the case of PVS-Core (Remark 1), there is no formal distinction between the notations t, u, P , and Q although, in the following, the notations of expressions P, Q will be preferred for expressions of type P rop.
The most important remark on the definition of stratified terms is the fact that any pair t, M A (where t is an expression and A is a type) is accepted as a correct expression: the term M used in it can be arbitrary, and in particular it is not required to be a proof term.This choice is due to the fact that proofs are not stable by → β * : for instance, (λh : x.h)y is a proof, but y is not.Hence, compared to the alternative of restricting pairs to terms of the form t, p A , the present relaxed definition is necessary to ensure the stability of types and expressions under → β * , which is formalized in the following proposition -the proof does not involve any specific difficulty, as the definitions of types and expressions are designed to satisfy this property.Proposition 1. Whenever M → β * N and M is a type (resp.an expression), so is N .
Beyond its use in the proof of the stratification theorem (Theorem 4), this stability property is also directly useful in the proof of the strong normalization theorem for → β * and → βσ , as briefly mentioned in Section 7.
Finally, we present the expected stratification theorem, based on the following definitions.
Definition 3 (Stratified contexts, stratified judgements).We define -stratified contexts as contexts in which all declarations have the form X : T ype, x : A (for some type A), or h : P (for some expression P ).-stratified judgements as judgements of one of the following form, in which Γ is a stratified context: Γ W F Γ T ype : Kind Γ A : T ype Γ t : A Γ p : P Theorem 4 (Stratification).Any derivable judgement is stratified.
Proof.The proof is straightforward by induction the derivation.In the case of Conversion, Proposition 1 and the Church-Rosser property of → β * are used together to conclude that the two convertible terms are either both expressions, both types, both T ype, or both Kind.Basic stability properties of types and expressions under substitution are also involved in the cases Proj2 and App.They are proved directly by induction.

A type preserving reduction
Contrary to the case of PTSs (resp.PTSs with dependent pairs), in which → β (resp.→ βσ ) is a type preserving reduction, → β * is not a type preserving reduction in PVS-Cert.Instead, we present in this section the type preservation of the reduction → βσ in PVS-Cert.This reduction will be used both as a definition of cut elimination for PVS-Cert proofs (Section 7) and in the type-checking algorithm (Section 8).
The specificity of this proof of type preservation compared to similar results for PTSs lies in the fact that M → βσ N does not imply M ≡ β * N in general.However, this implication always holds if M is either a type or an expressionthe corresponding proof involves no particular difficulty.Theorem 5. Whenever M → βσ N and M is a type (resp.an expression), so is N , and M ≡ β * N .
Finally, the type preservation theorem for → βσ is the following.Theorem 6.Given a derivable judgement Γ M : T , and N such that M → βσ N , the judgement Γ N : T is derivable.
Proof.The proof is done by induction on the derivation.The situations where M βσ N and the cases where M βσ N are separated.We present here one case for each situation -the full proof can be found in the author's PhD dissertation [1].
-We illustrate the situation where M βσ N with the case of the rule Prod, which involves Theorem 5. Discarding the notations of the original statement, we describe the last inference step with the following new notations: If the reduction occurs in U , we conclude directly by induction hypothesis.If the reduction hypothesis occurs in T , we write T → βσ T .By induction hypothesis, Γ T : s 1 is derivable.By the stratification theorem, v ∈ V s1 , hence Γ, v : T W F is derivable using the Decl rule.By the stratification theorem and Theorem 5, T ≡ β * T .Hence, using the second premise and context conversion (mentioned in Section 4), Γ, v : T U : s 2 is derivable.Finally, using Prod, Γ Πv : T .U : s 3 is derivable.
-We illustrate the situation where M βσ N with the case of the rule Proj1.
As M is a first projection and M βσ N , M is a σ-redex.We replace the notation M and T of the original statement by π 1 M, N T βσ M and T .In this setting, the last inference step has the following form: We derive the expected judgement Γ M : T from the first premise of this latter derivation using conversion.For this, we need to prove T ≡ β * T and to derive Γ T : s for some s.These two requirement are proved as follows.
On the one hand, we establish T ≡ β * T from {v : T | U } ≡ β * {v : T | U } using the Church-Rosser property (Theorem 1).On the other hand, by the stratification theorem, T = Kind, hence we can use Theorem 3 on the original conclusion to establish that Γ T : s is derivable from some sort s, as expected.

Strong normalization and cut elimination
This section is dedicated to the strong normalization of both → βσ and → β * on well-typed PVS-Cert terms.These two reductions will be used separately in Section 8 to define a type-checking algorithm for PVS-Cert: more precisely, the reduction → β * is used to decide whether two well-typed terms are convertible with ≡ β * , while the type preserving reduction → βσ will be used in the typechecking of applications.Moreover, the strong normalization of → βσ combined with its type preservation property provides a cut elimination theorem, which is a powerful tool to study properties of both PVS-Cert and PVS-Core.Its use is illustrated in a proof of consistency of PVS-Cert (Theorem 9), used in turn to establish the consistency of PVS-Core (Theorem 12) at the end of this paper.

Strong normalization
A direct approach to prove the strong normalization of → βσ and → β * for welltyped terms would be to prove the strong normalization for well-typed terms of their union, referred to as → βσ * .Unfortunately, this reduction is not strongly terminating on well-typed terms, as shown in the following proposition.
Proposition 2. There exists a well-typed term admitting an infinite reduction using → βσ * .
Proof.We first define two well-typed terms M and N such that M N admits an infinite reduction.It is simple to find two such terms, using the fact that PVS-Cert is an extension of System F [12].For instance: -We take = ΠP : P rop.Πh : P.P together with M = λh : .hh and N = λh : .λh: .hh -M admits the type Πh : .and N admits the type Πh : .Πh : . .-M N admits an infinite reduction M N → βσ * N N → βσ * M N → βσ * ... Using these terms, we build the expected counter-example of normalization of → βσ * as follows: -We define N = λP : P rop.λh : P.h, T = {x : P rop | Πh : .Πh : .}, and U = {y : , N T , N U βσ * M N , hence it admits an infinite reduction.
Because of Proposition 2, we keep the expected strong normalization theorem in PVS-Cert formulated as follows.
Theorem 7 (Strong normalization).For any derivable judgement Γ M : T , M is strongly normalizing under both → βσ and → β * : any reduction sequence starting from M and using → β * terminates any reduction sequence starting from M and using → βσ terminates The proof of this theorem is left out of the scope of this paper.It is detailed in the author's PhD dissertation [1].We simply highlight here some of its specificities, which illustrate the consequences of the choice, in PVS-Cert, of a conversion relation which is not based on a type-preserving reduction.
-The proof uses Tait's approach based on saturated sets (see for instance [23]).However, only one single notion of saturated set is used: saturated sets are defined here as specific subsets of the set of terms which are both strongly normalizing under → βσ and strongly normalizing under → β * .As a consequence, compatibility properties for such saturated must be proved with respected to both reductions.-Following Tait's approach, an interpretation function is defined in order to prove that, whenever term M admits a type T , it belongs to the interpretation of T , which is the main theorem established to conclude strong normalization.The definition of this function is inspired from the definitions of Girard in [12] for the strong normalization of F ω -which corresponds to λ-HOL without type declarations -, but several ideas are also taken from [10], which presents, among other things, a proof of strong normalization of an extension of the calculus of constructions with dependent pairs.-As the interpretation function is expected to be stable under → β * , its domain cannot be restricted to well-typed terms only, as well-typed terms are not stable under → β * .For this reason, it is chosen to define this interpretation function on the classes of types and expressions, as presented in the definition of stratified terms (Definition 3): indeed, this specific definition, which uses arbitrary terms instead of proof terms in the construction t, M A , is designed to ensure the stability of types and expressions under → β * .

Cut elimination in PVS-Cert
The following cut elimination theorem is a direct corollary of the strong normalization theorem and the type preservation of → βσ .
Theorem 8 (Cut elimination).Whenever some PVS-Cert judgement of the form Γ p : P is derivable for some proposition P and some proof p, p can be reduced using the reduction → βσ to a normal form q such that the judgement Γ q : P is derivable.
Proof.By the strong normalization theorem, p can be reduced to a normal form q using the reduction → βσ .By the type preservation theorem (Theorem 6), the judgement Γ q : P is derivable.
We conclude this section showing how the cut elimination theorem can be used together with the properties of terms in normal form with respect to → βσ as a tool to analyze some meta-theoretical properties of PVS-Cert.As presented at the end of this work, this approach will also allow to use cut elimination in PVS-Cert to analyze some meta-theoretical properties of PVS-Core.This use of cut elimination is illustrated with the following proof of consistency.Theorem 9. PVS-Cert is consistent: there exists no proof term p such that p : Πx : P rop.x is derivable.
We use the following notion of elimination context in the proof : Definition 4 (Elimination contexts).
We define the set of elimination contexts E with the grammar e := • | π i (e) | e M .
For any term N we define the instantiation e[N ] by Proof (Theorem 9).We suppose that there exists a proof p such that the judgement p : Πx : P rop.x admits some derivation, and find a contradiction in the following way.Using the thinning property (mentioned in Section 4), x : P rop p : Πx : P rop.x is also derivable.Hence, applying the rule Lam followed by the rule App, λx : P rop.(px) : Πx : P rop.x is derivable.
By the cut elimination theorem 8, λx : P rop.(px) admits a normal form λx : P rop.q with respect to βσ , which is such that the judgement λx : P rop.q : Πx : P rop.x is derivable.
Considering the last rule different from Conversion used in such a derivation (which is necessarily Lam), and using the stratification theorem, there exists a derivable judgement x : P rop q : t for some expression t ≡ β * x.Hence, using Conversion, x : P rop q : x is also derivable.We consider D a possible derivation of this judgement.
As q is a proof and is in normal form with respect to βσ , we conclude from a careful case analysis that q has one of the following forms: λv : T.M or e [v].We discard the first possibility as follows.If q = λv : T.M , considering the last rule different from Conversion used in D (which is necessarily Lam), there exists some term of the form Πv : T .U such that Πv : T .U ≡ β * x.By the Church-Rosser property (Theorem 1), this conversion cannot hold.As a consequence, q has the form e[v] for some elimination context e and some variable v.
Considering the last rule different from Conversion, Proj1, Proj2, or App used in D (which is necessarily Var), some judgement of the form x : P rop v : T is derivable, and v = x.As q is a proof, e[x] = q = x.Hence, D admits some subderivation of judgement of the form x : P rop xt : T or x : P rop π i (x) : T .Considering the last rule different from Conversion in such a derivation, and using the uniqueness of types (Theorem 2), this implies that there exists a term U of the form Πv : T 1 .T 2 or {v : By the Church-Rosser property (Theorem 1), this conversion cannot hold.As a consequence, there exists no proof term p such that the judgement p : Πx : P rop.x is derivable.

Type-checking in PVS-Cert
The purpose of this section is to present the main ideas leading to the definition of a type-checking algorithm for PVS-Cert.The decidability of type-checking is one of the most important result expected for PVS-Cert.In particular, it will be used in Section 10 together with the translation from PVS-Core derivations to PVS-Cert established in Section 9 to show that PVS-Cert can be used as verifiable certificates for PVS-Core (Definition 8).
This algorithm is mainly based on the type preservation theorem 6 and the strong normalization theorem 7 presented in the previous sections.In this section, we will only focus on the main specificities of the algorithm.Its precise definition is presented in Appendix A, together with proof sketches of soundness, termination, and completeness, which don't involve any specific difficulty -a more detailed version can be found in the author's PhD dissertation [1].
The algorithm is comparable to the algorithm presented in [6] for the general case of injective PTSs (which applies to λ-HOL).Besides the fact that our algorithm is extended to handle predicate subtypes, coercions M, N T and projections π i (M ), the main difference between the two is the use of both reductions → β * and → βσ in the case of PVS-Cert, while only → β is used for injective PTSs.
On the one hand, → β * -normalization is used to check ≡ β * -conversion on well-typed terms: by the Church-Rosser property and strong normalization, two well-typed terms are ≡ β * -equivalent if and only if they admit the same normal form, which is unique.As in [6], this decision procedure for conversion on welltyped terms is used in turn together with the uniqueness of types (Theorem 2) to define type-checking from type inference, which is itself defined recursively.
Remark 3. In order to avoid redundant context well-formedness verifications in the multiple recursive calls of the type inference algorithm, we choose here to check the well-formedness of a context Γ beforehand when inferring a type for some term M in Γ .For this reason, type inference and type-checking are defined in two steps.First, we define auxiliary type inference and type-checking algorithms which are only ensured to operate soundly with well-formed contexts.Then, we use these auxiliary functions to define context well-formedness verification as well as complete type inference and type-checking algorithms, which operate soundly with any context.
On the other hand, → βσ is used in type inference to handle applications: In this situation, the recursive call on the first premise may produce a term U such that Γ M : U is derivable, but U is not ensured to have the form Πv : U 1 .U 2 -counterexamples can be easily found when M is a proof and U is a proposition.The usual solution to this issue, used e.g. in [6], is to reduce U using the reduction underlying conversion (or more specifically its restriction to weak head reduction, which is more economic): indeed, using the uniqueness of types as well as strong normalization, type preservation, and the Church-Rosser property, it can be proved that a term U will be obtained, that M admits the type U , and that U has the form Πv : U 1 .U 2 if M admits a type of this form.
However, in the case of PVS-Cert, this approach cannot be followed directly, as the reduction underlying conversion, which is → β * , is not type preserving: U is not necessary a valid type for M .For this reason, we use instead the type preserving reduction → βσ (again, we use more specifically its restriction to weak head reduction, which is more economic).Using the strong normalization theorem, this operation terminates and yields some term U .As a direct corollary of type preservation (based on Theorem 3 and Theorem 5), M admits the type U .What is left is to prove that U has the form Πv : U 1 .U 2 if M admits a type of this form, which is done as follows.If M admits a type of the form Πv : T 1 .T 2 , then U ≡ β * Πv : T 1 .T 2 by the uniqueness of types.Hence, analyzing the possible forms of the weak head normal form U and using the Church-Rosser property, we conclude that U has the form Πv : U 1 .U 2 , as expected.
Compared to [6], new cases must be added for predicate subtypes, coercions M, N T , and projections π i (M ).These cases are handled in a similar way as in the case of PTSs with dependent pairs (see for instance ECC [16]), and don't involve any specific difficulty.Instead, a more distinctive specificity of the algorithm lies in the case of λ-abstraction: Γ, v : T M : U Γ Πv : T.U : s Lam Γ λv : T.M : Πv : T.U As in the case of injective PTSs studied in [6], applying a recursive call on this second premise would be problematic.On the one hand, it would make the algorithm slower.On the other hand, it would break the simplicity of the proof of termination, based on the fact that recursive calls of type inference are done on subterms exclusively.
By the stratification theorem in PVS-Cert, all PVS-Cert derivable judgements are stratified judgements.Hence, unless they have the form Γ T ype : Kind, their erasure in PVS-Core is well-defined.We will prove in Theorem 10 that they are derivable in PVS-Core.This theorem relies in particular on the fact that conversion in PVS-Cert and PVS-Core are related through the erasure function • , established in the following proposition.The corresponding proof does not involve any specific difficulty.Proposition 3.For all terms M and N which are either expressions, types, or T ype, whenever M ≡ β * N , then M ≡ β N .
Using the two previous propositions and the stratification theorem in PVS-Cert, we conclude the following theorem, which allows to map PVS-Cert derivations to PVS-Core derivations.
Theorem 10.Every derivable PVS-Cert judgement either has the form Γ T ype : Kind or admits an image through • .In the latter case, this image is derivable in PVS-Core.
Proof.The first part of the proof is a direct consequence of the stratification theorem.The second part is proved by induction on the height of PVS-Cert derivations.All cases are straightforward, using the stratification theorem when necessary to establish a correspondence between stratified versions of PVS-Cert rules and PVS-Core rules.For instance: -Decl corresponds either to TypeDecl, EltDecl, or Assumption -Sort corresponds to Prop only (judgements of the form Γ T ype : Kind are not translated) -Prod corresponds either to Pi, Forall, or Imply

Expressing PVS-Core derivations as PVS-Cert judgements
Theorem 10 shows that a PVS-Cert derivable judgement can testify to the PVS-Core derivability of another judgement: its erasure.In this section, we show conversely that, given any PVS-Core derivation, we can build such a PVS-Cert judgement.For this purpose, we first present an algorithm Certificate, which translates a PVS-Core derivation into a PVS-Cert judgement.In a second step, we will prove that such PVS-Cert judgements are always derivable in PVS-Cert.In this definition, we use an injective function h(•) mapping natural numbers to PVS-Cert proof variables, which can be chosen arbitrarily.We present two cases: Assumption, which shows how h(•) is used, and ImplyElim.This latter case (as well as ForallElim) is more complex than others as it involves the computation of a normal form with respect to * , i.e. the erasure of coercions at the head of a term.The other cases are detailed in Appendix B.
-Γ P : P rop Assumption Γ, P W F We consider D 1 the derivation of Γ P : P rop.Certificate(D 1 ) has the form Γ 1 P 1 : P rop.We consider n the number of declarations of the form (h : Q) in Γ 1 , and we define Certificate We consider D 1 and D 2 the respective derivations of Γ P ⇒ Q and Γ P .Certificate(D 2 ) has the form Γ 2 p 2 : P 2 and Certificate(D 1 ) has the form Γ 1 p 1 : Q 1 .As Q 1 = (P ⇒ Q), its normal form with respect to * has the form Πh : As all proof terms are deleted through the erasure function, On the other hand, by induction hypothesis, Q 1 = Q, hence the erasure of this judgement is Γ Q, as expected.

Relating conversion in PVS-Core and PVS-Cert
In order to prove that the outputs of the algorithm Certificate are derivable in PVS-Cert (presented in Theorem 11), the main required lemma is the fact that is the converse of Proposition 3: for any terms M and N which are either expressions, types, or T ype and which verify M ≡ β N , then M ≡ β * N .More precisely, this property will be used in the proof Theorem 11 to handle the cases of conversion rules TypeConversion and PropConversion.
We first establish a modified version of this expected result, using equality and ≡ * instead of ≡ β and ≡ β * respectively.The proof is straightforward by induction on the two involved terms.

Soundness of the synthesis of certificates
The last proposition needed to prove the soundness of the algorithm Certificate is the following.It shows that the operation of normalization through * (which erases the coercions π 1 (•) and •, M T at the head of a term) is safely used in the definition of Certificate.
In fact, only the specific case n = 0 is used in the proof of soundness of Certificate, but this generalization is preferred as it admits a direct proof by induction on t, which does not involve any specific difficulty.
Last, we present the expected soundness property for Certificate: Theorem 11.For any PVS-Core derivation D, Certificate(D) is derivable in PVS-Cert.
Proof.The proof is done by induction on D. Most cases are proved without any specific difficulty.In particular, the cases of conversion rules TypeConversion and PropConversion are straightforward using Proposition 5.
The most complex cases correspond to the rules ImplyElim and Foral-lElim which involve, by definition of Certificate, some normalization with respect to * .In such cases, Proposition 6 is used to handle the specific difficulties related to this normalization.We present the case ImplyElim: We consider D 1 and D 2 the respective derivations of Γ P ⇒ Q and Γ P .Certificate(D 2 ) has the form Γ 2 p 2 : P 2 and Certificate(D 1 ) has the form Γ 1 p 1 : Q 1 .As Q 1 = (P ⇒ Q), its normal form with respect to * has the form Πh : P By induction hypothesis, Γ 1 p 1 : Q 1 and Γ 2 p 2 : P 2 are derivable in PVS-Cert.By Proposition 3 and the stratification theorem, Γ 1 Q 1 : P rop is derivable in PVS-Cert.Hence, by Proposition 6, Γ 1 Πh : P 1 .Q 1 : P rop is derivable as well.As Q 1 ≡ β * Πh : P 1 .Q 1 , we conclude applying the Conversion rule that Γ 1 p 1 : Πh : P 1 .Q 1 is derivable.
On the other hand, using Proposition 4, we can conclude from Γ 1 = Γ = Γ 2 that Γ 1 ≡ * Γ 2 as long as both contexts admit the list of declared proof variables, in the same order.This is the case as, by straightforward induction on PVS-Core derivations, this list is h(1), h(2), ..., h(n), where h(•) is the injective function used in the definition of Certificate and n is the number of proof variable declarations in Γ 1 and Γ 2 .Hence, Γ 1 ≡ * Γ 2 .
As Γ 1 p 1 : Πh : P 1 .Q 1 is derivable, by Theorem 3 and the stratification theorem, Γ 1 Πh : P 1 .Q 1 : P rop is derivable.Hence, considering the last rule different from Conversion used in such a derivation (which is necessarily Prod), and using the stratification theorem, Γ 1 P 1 : P rop is derivable as well.As a consequence, using context conversion (mentioned in Section 4), Γ 1 p 2 : P 1 is derivable in PVS-Cert.Hence, applying the rule App, Γ 1 p 1 p 2 : Q 1 [p 2 /h] is derivable, as expected.
10 Using PVS-Cert as a system of verifiable certificates for PVS-Core This final section shows how to use the different results presented in this paper to answer to the main question addressed in the current work: defining a system of verifiable certificates for PVS-Core.The type-checking algorithm for PVS-Cert presented in Section 8 is combined in the following way with the encoding of PVS-Core derivations into PVS-Cert presented in Section 9 to use PVS-Cert proof judgements as proof certificates for PVS-Core.

Definition 8 (PVS-Cert proof judgements as PVS-Core certificates).
A PVS-Cert judgement Γ p : P can be used as a certificate for its PVS-Core erasure Γ P (Definition 6), which is verifiable using the type-checking algorithm presented in Section 8 (whose complete definition is given in Appendix A).On the one hand, this approach is sound: whenever the type-checking algorithm succeed, Γ p : P is derivable in PVS-Cert, hence Γ P is derivable in PVS-Core by Theorem 10.
On the other hand, valid certificates can be generated for arbitrary PVS-Core theorems in the following way.Given some PVS-Core judgement ∆ Q derivable through some derivation D, the PVS-Cert judgement Certificate(D) can be used as a certificate of ∆ Q.Indeed, using the notations Γ p : P for Certificate(D), the following statements hold.
-By definition of Certificate, Γ = ∆ and P = Q, hence this judgement is a certificate for ∆ Q. -By Theorem 11, Γ p : P is derivable, hence the execution of the typechecking algorithm on this judgement succeeds: this certificate is valid.
We finally show that, through the construction of certificates, the PVS-Cert cut elimination theorem can be used to study meta-theoretical properties of PVS-Core.This possible use is illustrated with the case of consistency, proved in PVS-Cert in Theorem 9 using cut elimination.
Theorem 12.The system PVS-Core is consistent: the judgement ∀x : P rop.x is not derivable.
Proof.If the judgement ∀x : P rop.x admits a PVS-Core derivation D, we consider p : P = Certificate(D).By definition, P = ∀x : P rop.x = Πx : P rop.x .Hence, by proposition 5, P ≡ β * Πx : P rop.x.As Πx : P rop.x : P rop is derivable in PVS-Cert, we can apply the conversion rule to conclude that p : Πx : P rop.x is derivable in PVS-Cert, which is impossible by Theorem 9.
Definition 11.For any PVS-Core derivation D, we define recursively the PVS-Cert stratified judgement Certificate(D) such that Certificate(D) corresponds to the conclusion of D. This definition involves some injective function h(•) mapping natural numbers to PVS-Cert proof variables, which can be chosen arbitrarily.
In the following, we provide a proof of the fact that Certificate(D) corresponds to the conclusion of D only when it is not straightforward by induction hypothesis, i.e. in the cases corresponding to the rules App, ImplyElim, and ForallElim.The possible cases are the following.
N T : T Analyzing the derivation of the premise (and more precisely the last rule different from Conversion used in it, which is necessarily Pair), we conclude that T has the form {v : T | U } where {v : T | U } ≡ β * {v : T | U } and Γ M, N T : {v : T | U } admits a derivation ending with an inference step of the form

Definition 7 .
For any PVS-Core derivation D, we define recursively the PVS-Cert stratified judgement Certificate(D) such that Certificate(D) corresponds to the conclusion of D.

Proposition 4 .
For all terms M and N which are either expressions, types, or T ype, whenever M = N , then M ≡ * N .Then, we establish the expected converse of Proposition 3 as follows.Proposition 5.For all terms M and N which are either expressions, types, or T ype, whenever M ≡ β N , then M ≡ β * N .Proof.We present a proof based on the definition of a simple translation of PVS-Core terms as PVS-Cert expressions, types, or Type, which does not introduce any explicit coercion: for instance,-[Πx : A.B] = Πx : [A].[B] -[P ⇒ Q] = Πh : [P ].[Q] foran arbitrary proof variable hWe first show straightforwardly that the respective images through[•]  of two terms related by ≡ β are also related by ≡ β .As a consequence, [ M ] ≡ β [ N ].On the other hand, it is straightforward to show that [•] is a right inverse of the erasure function • .Hence, [ M ] = M .By Proposition 4, we conclude that [ M ] ≡ * M .Following the same reasoning, [ N ] ≡ * N .As a consequence, M ≡ β * [ M ] ≡ β * [ N ] ≡ β * N .

1 B 1 :
We define Certificate(D) = ∅ W F .-Γ W F TypeDecl X ∈ V types \DV (Γ ) Γ, X : T ype W F We consider D 1 the direct subderivation of D. Certificate(D 1 ) has the form Γ 1 W F .We define Certificate(D) = Γ 1 , X : T ype W F .-Γ A : T ype EltDecl x ∈ V expressions \DV (Γ ) Γ, x : A W F We consider D 1 the direct subderivation of D. Certificate(D 1 ) has the form Γ 1 A 1 : T ype.We define Certificate(D) = Γ 1 , x : A 1 W F .-Γ P : P rop Assumption Γ, P W F We consider D 1 the direct subderivation of D. Certificate(D 1 ) has the form Γ 1 P 1 : P rop.We consider n the number of declarations of the form (h : Q) in Γ 1 , and we define Certificate(D) = Γ 1 , h(n) : P 1 W F .-Γ W F TypeVar (X : T ype) ∈ Γ Γ X : T ype We consider D 1 the direct subderivation of D. Certificate(D 1 ) has the form Γ 1 W F .We define Certificate(D) = Γ 1 X : T ype.-Γ W F Prop Γ P rop : T ype We consider D 1 the direct subderivation of D. Certificate(D 1 ) has the form Γ 1 W F .We define Certificate(D) = Γ 1 P rop : T ype.-Γ, x : A B : T ype Pi Γ Πx : A.B : T ype We consider D 1 the direct subderivation of D. Certificate(D 1 ) has the form Γ 1 , x : A T ype.We define Certificate(D) = Γ 1Πx :