## Periodic Reporting for period 4 - CoqHoTT (Coq for Homotopy Type Theory)

Reporting period: 2019-12-01 to 2021-05-31

Every year, software bugs cost hundreds of millions of euros to companies and administrations, as assessed by Intel Pentium division bug or Ariane 5 first flight failure. Hence, software quality is a notion that becomes more and more prevalent, going beyond the usual scope of embedded systems. In particular, the development of tools to construct softwares that respect a given specification is a major challenge of current and future researches in computer science. Interactive theorem provers based on type theory, such as Coq, have shown their efficiency to prove correctness of important pieces of software like the C compiler of the CompCert project. One main interest of using such theorem provers from a computer science point of view is the ability to extract the code that has been proven directly from the proof, being able to run it as any other pieces of code. Unfortunately, the democratization of theorem provers such as Coq suffers from a major drawback, the mismatch between the conception of equality in mathematics and equality in type theory. As a consequence, significant Coq developments can be done by virtuosos playing around with advanced concepts of both computer science and mathematics, but not by working computer scientists or mathematicians. A first step towards solving this issue has been performed recently by the development of homotopy type theory (HoTT). This extension of type theory with homotopical concepts is gaining traction in the community because it allows for the first time to marry many expected principles of equality inside the same theory.

The goal of the CoqHoTT project has been to provide a new generation of proof assistants with a better notion of equality and use them as a base to implement effective logical model transformation so that the power of the internal logic of the proof assistant needed to prove the correctness of a program can be decided and changed at compile time.

Conclusion of the action:

The challenges of the project have all been addressed, either by the PI and his team, or by other international teams that are working on the same area

(in particular the work on cubical type theory by Coquand et al at Chalmers University, and the work on higher inductive type in a cubical setting by harper et al at CMU).

The fact that other leading researchers have solved before us some of the challenges has enabled us to go beyond the initially planned work packages.

The goal of the CoqHoTT project has been to provide a new generation of proof assistants with a better notion of equality and use them as a base to implement effective logical model transformation so that the power of the internal logic of the proof assistant needed to prove the correctness of a program can be decided and changed at compile time.

Conclusion of the action:

The challenges of the project have all been addressed, either by the PI and his team, or by other international teams that are working on the same area

(in particular the work on cubical type theory by Coquand et al at Chalmers University, and the work on higher inductive type in a cubical setting by harper et al at CMU).

The fact that other leading researchers have solved before us some of the challenges has enabled us to go beyond the initially planned work packages.

We want to mention the creation of a workshop on homotopy type theory in 2015 at the start of the project.

The workshop happens every year since then (https://hott-uf.github.io/).

We now proceed to an overview of the main results of the project:

- Univalent parametricity.

Reasoning modulo equivalences is natural for everyone, including mathematicians. Unfortunately, in proof assistants based on type theory, which are frequently used to

mechanize mathematical results and carry out program verification efforts, equality is appallingly syntactic and, as a result, exploiting equivalences is cumbersome at best.

Parametricity and univalence are two major concepts that have been explored in the literature to transport programs and proofs across type equivalences, but they fall short

of achieving seamless, automatic transport. Our work devises a fruitful marriage between both.

The resulting concept, called univalent parametricity, is an extension of parametricity strengthened with univalence that fully realizes programming and proving modulo equivalences.

In addition to the study of the theory of univalent parametricity, we have developed a lightweight framework implemented in the Coq proof assistant

that allows the user to transparently transfer definitions and theorems for a type to an equivalent one, as if they were equal.

Published at ICFP (rank A* conference) and Journal of the ACM

Implemented using the Coq proof assistant

- SProp.

Definitional equality---or conversion---for a type theory with a decidable type checking is the simplest tool to prove that two objects are the same, letting the system decide just using computation.

Therefore, the more things are equal by conversion, the simpler it is to use a language based on type theory. Proof-irrelevance, stating that any two proofs of the same proposition are equal, i

s a possible way to extend conversion to make a type theory more powerful.

Taking inspiration from homotopy type theory, we have proposed a general way to extend a type theory with definitional

proof irrelevance, in a way that keeps type checking decidable and is compatible with univalence.

Published at POPL (the best conference of our field).

Implementation in both Coq and Agda

- Rewrite Rules.

Dependently typed programming languages and proof assistants such as Agda and Coq rely on computation to automatically simplify

expressions during type checking. To overcome the lack of certain programming primitives or logical principles in those systems, it is common to appeal to axioms

to postulate their existence. However, one can only postulate the bare existence of an axiom, not its computational behaviour.

To solve this tension, we have developed a type theory where it is possible to add computational assumptions in the

form of rewrite rules. Rewrite rules go beyond the computational capabilities of intensional type theory, but in contrast to extensional type theory,

they are applied automatically so type checking does not require input from the user.

Published at POPL (the best conference of our field).

Implementation in Agda

- Certification of Coq in MetaCoq.

Coq is built around a well-delimited kernel that perfoms typechecking for definitions in a variant of the Calculus of Inductive

Constructions (CIC). Although the metatheory of CIC is very stable and reliable, the correctness of its implementation in

Coq is less clear. Indeed, implementing an efficient type checker for CIC is a rather complex task, and many parts of the code rely

on implicit invariants which can easily be broken by further evolution of the code. Therefore, on average, one critical bug has

been found every year in Coq.

We have been able to develop the first implementation of a type checker for the kernel of Coq which is proven correct in Coq with respect to its

formal specification and axiomatisation of part of its metatheory.

Published at POPL (the best conference of our field).

Formalization in Coq

The workshop happens every year since then (https://hott-uf.github.io/).

We now proceed to an overview of the main results of the project:

- Univalent parametricity.

Reasoning modulo equivalences is natural for everyone, including mathematicians. Unfortunately, in proof assistants based on type theory, which are frequently used to

mechanize mathematical results and carry out program verification efforts, equality is appallingly syntactic and, as a result, exploiting equivalences is cumbersome at best.

Parametricity and univalence are two major concepts that have been explored in the literature to transport programs and proofs across type equivalences, but they fall short

of achieving seamless, automatic transport. Our work devises a fruitful marriage between both.

The resulting concept, called univalent parametricity, is an extension of parametricity strengthened with univalence that fully realizes programming and proving modulo equivalences.

In addition to the study of the theory of univalent parametricity, we have developed a lightweight framework implemented in the Coq proof assistant

that allows the user to transparently transfer definitions and theorems for a type to an equivalent one, as if they were equal.

Published at ICFP (rank A* conference) and Journal of the ACM

Implemented using the Coq proof assistant

- SProp.

Definitional equality---or conversion---for a type theory with a decidable type checking is the simplest tool to prove that two objects are the same, letting the system decide just using computation.

Therefore, the more things are equal by conversion, the simpler it is to use a language based on type theory. Proof-irrelevance, stating that any two proofs of the same proposition are equal, i

s a possible way to extend conversion to make a type theory more powerful.

Taking inspiration from homotopy type theory, we have proposed a general way to extend a type theory with definitional

proof irrelevance, in a way that keeps type checking decidable and is compatible with univalence.

Published at POPL (the best conference of our field).

Implementation in both Coq and Agda

- Rewrite Rules.

Dependently typed programming languages and proof assistants such as Agda and Coq rely on computation to automatically simplify

expressions during type checking. To overcome the lack of certain programming primitives or logical principles in those systems, it is common to appeal to axioms

to postulate their existence. However, one can only postulate the bare existence of an axiom, not its computational behaviour.

To solve this tension, we have developed a type theory where it is possible to add computational assumptions in the

form of rewrite rules. Rewrite rules go beyond the computational capabilities of intensional type theory, but in contrast to extensional type theory,

they are applied automatically so type checking does not require input from the user.

Published at POPL (the best conference of our field).

Implementation in Agda

- Certification of Coq in MetaCoq.

Coq is built around a well-delimited kernel that perfoms typechecking for definitions in a variant of the Calculus of Inductive

Constructions (CIC). Although the metatheory of CIC is very stable and reliable, the correctness of its implementation in

Coq is less clear. Indeed, implementing an efficient type checker for CIC is a rather complex task, and many parts of the code rely

on implicit invariants which can easily be broken by further evolution of the code. Therefore, on average, one critical bug has

been found every year in Coq.

We have been able to develop the first implementation of a type checker for the kernel of Coq which is proven correct in Coq with respect to its

formal specification and axiomatisation of part of its metatheory.

Published at POPL (the best conference of our field).

Formalization in Coq

The two main results of the project that go definitely beyond the state of the art are:

- the development of the first certified proof assistant (see Certification of Coq in MetaCoq)

- the introduction of a new universe of proof irrelevant proposition (see SProp)

- the development of the first certified proof assistant (see Certification of Coq in MetaCoq)

- the introduction of a new universe of proof irrelevant proposition (see SProp)