Computational Higher Type Theory (CHTT)

Robert Harper
Lecture Notes of Week 5 by Farzaneh Derakhshan and Di Wang

1 Setting the Scene

Thus far in the course, we have explored closed term computation and open term calculation
for the simply typed lambda calculus (STLC) augmented with inductive types, with the goal
to prove that all well-typed programs terminate as well as all well-typed terms normalize. We
also have studied closed term computation for polymorphism, i.e., the type-level quantification.
Our exploration led us to rediscover Tait’s method and Girard’s method.
From now on, we are going to study equality. Before developing behavioral equality (i.e.,
exact equality) in computational type theory, we first recall traditional structural equality
(i.e., definitional equality) in formal type theory.

2 Structural Equality

Recall the STLC augmented with an answer type ans and a natural number type nat:
A ::= ans | nat | A1 → A2
M ::= ↑ | ↓ | x | λx : A.M | M1 M2 | z | s(M ) | recA {Mz ; x.Ms }(M )

The typing judgment is defined as follows:

Γ ` ↑ : ans Γ ` ↓ : ans Γ, x : A ` x : A

Γ, x : A1 ` M : A2 Γ ` M 1 : A1 → A2 Γ ` M 2 : A1
Γ ` λx : A1 .M : A1 → A2 Γ ` M 1 M 2 : A2

Γ ` M : nat Γ ` M : nat Γ ` Mz : A Γ, x : A ` Ms : A
Γ ` z : nat Γ ` s(M ) : nat Γ ` recA {Mz ; x.Ms }(M ) : A

Structural equality for STLC, written Γ ` M ≡ M 0 : A, is the strongest congruence respecting

β-principles:

Γ`M :A Γ ` M0 ≡ M : A Γ ` M ≡ M0 : A Γ ` M 0 ≡ M 00 : A
Γ`M ≡M :A Γ ` M ≡ M0 : A Γ ` M ≡ M 00 : A

Γ, x : A1 ` M ≡ M 0 : A2 Γ ` M ≡ M 0 : A1 → A2 Γ ` N ≡ N 0 : A1
Γ ` λx : A1 .M ≡ λx : A1 .M 0 : A1 → A2 Γ ` M N ≡ M N 0 : A2
0

Γ ` M ≡ M 0 : nat Γ, x : A1 ` M : A2 Γ ` N : A1
Γ ` s(M ) ≡ s(M 0 ) : nat Γ ` (λx : A.M ) N ≡ [N/x]M : A2

Γ ` M ≡ M 0 : nat Γ ` Mz ≡ Mz0 : A Γ, x : A ` Ms ≡ Ms0 : A

Γ ` recA {Mz ; x.Ms }(M ) ≡ recA {Mz0 ; x.Ms0 }(M 0 ) : A

1
Lecture Notes Week 5 Lecture Notes Week 5

Γ ` Mz : A Γ, x : A ` Ms : A
Γ ` recA {Mz ; x.Ms }(z) ≡ Mz : A

Γ ` M : nat Γ ` Mz : A Γ, x : A ` Ms : A
Γ ` recA {Mz ; x.Ms }(s(M )) ≡ [recA {Mz ; x.Ms }(M )/x]Ms : A

Methodologically, structural equality is intended to be decidable. However, this approach

never turns out to be efficient and the decidability could be very hard to prove.

3 Behavioral Equality

Under structural equality, one will not be able to prove x : nat, y : nat ` x + y ≡ y + x : nat,
where plus is defined by recursion on one of its arguments. In other words, structural equality
is a very strong equality. Similar to the exploration of closed term computation, we want to
develop a characterization of behavioral equality in terms of program behaviors.
.
Intuitively, we want to “binarize logical relations”, written Γ  M = M 0 ∈ A, with the
following fundamental theorem:
.
Theorem 1 (FTLR). If Γ ` M ≡ M 0 : A, then Γ  M = M 0 ∈ A.
.
Similar to Γ  M ∈ A, Γ  M = M 0 ∈ A is extensional and functional. In other words,
.
suppose we have a behavioral equality relation for closed terms M = M 0 ∈ A where M, M 0
. 0 0
are programs and A is a type, if γ = γ ∈ Γ where γ, γ are closed substitution mappings (i.e.,
. .
for all x ∈ B ∈ Γ, γ(x) = γ 0 (x) ∈ B), then γ
b(M ) = γb0 (M 0 ) ∈ A. Now we develop the logical
.
relation M = M 0 ∈ A, which can be seen as a binary version of hereditary termination
relation.
.
Definition 2. M = M 0 ∈ A is defined inductively on the structure of A.
.
• M = M 0 ∈ ans iff either M ⇓ ↑ and M 0 ⇓ ↑, or M ⇓ ↓ and M 0 ⇓ ↓.
.
• M = M 0 ∈ nat iff either M ⇓ z and M 0 ⇓ z, or M ⇓ s(N ), M 0 ⇓ s(N 0 ), and
. 0
N = N ∈ nat (following the horizontal induction principle).
.
• M = M 0 ∈ A1 → A2 iff M ⇓ λx : A1 .M1 , M 0 ⇓ λx : A1 .M10 , and for all N, N 0 such
. .
that N = N 0 ∈ A1 , [N/x]M1 = [N 0 /x]M10 ∈ A2 .
.
The first property we want to establish is that M = M 0 ∈ A is symmetric and transitive.
Lemma 3. For any type A,
. .
• M = M 0 ∈ A implies M 0 = M ∈ A.
. . .
• M = M 0 ∈ A and M 0 = M 00 ∈ A imply M = M 00 ∈ A.

Proof. By induction on the structure of A:

• Case A = ans:
– Symmetry: By inversion we know that either M ⇓ ↑, M 0 ⇓ ↑, or M ⇓ ↓, M 0 ⇓ ↓.
.
In either case it is straightforward to show M 0 = M ∈ ans.
.
– Transitivity: By inversion on M = M 0 ∈ ans we know that either M ⇓ ↑, M 0 ⇓ ↑,
or M ⇓ ↓, M 0 ⇓ ↓. If M, M 0 evaluates to ↑, then by the determinism of evaluation
.
and inversion on M 0 = M 00 ∈ ans, we know that M 00 also evaluates to ↑, hence
.
by definition we know M = M 00 ∈ ans. It is similar to prove for the case where
M, M 0 evaluates to ↓.

2
Lecture Notes Week 5 Lecture Notes Week 5

• Case A = nat:
– Symmetry: By inversion and then a case analysis:
.
∗ Subcase M ⇓ z, M 0 ⇓ z: By definition we know that M 0 = M ∈ nat.
.
∗ Subcase M ⇓ s(N ), M 0 ⇓ s(N 0 ), N = N 0 ∈ nat: By induction hypothesis on
. .
N = N 0 ∈ nat we know that N 0 = N ∈ nat. Thus by definition we know that
.
M 0 = M ∈ nat.
.
– Transitivity: By inversion on M = M 0 ∈ nat and then a case analysis:
∗ Subcase M ⇓ z, M 0 ⇓ z: By the determinism of evaluation and inversion on
.
M 0 = M 00 ∈ nat, we know that M 00 also evaluates to z. By definition we have
.
M = M 00 ∈ nat.
.
∗ Subcase M ⇓ s(N ), M 0 ⇓ s(N 0 ), N = N 0 ∈ nat: By the determinism of
.
evaluation and inversion on M 0 = M 00 ∈ nat, we know that M 00 evaluates to
.
s(N 00 ) for some N 00 and N 0 = N 00 ∈ nat. Then by induction hypothesis we
. 00 .
know that N = N ∈ nat. By definition we have M = M 00 ∈ nat.
• Case A = A1 → A2 :

– Symmetry: By inversion we know that M ⇓ λx : A1 .M1 , M 0 ⇓ λx : A1 .M10 and for

. .
all N, N 0 such that N = N 0 ∈ A1 , [N/x]M1 = [N 0 /x]M10 ∈ A2 . We are supposed
. .
to show that for all N 0 , N such that N 0 = N ∈ A1 , [N 0 /x]M10 = [N/x]M1 ∈ A2 .
.
By induction hypothesis, we have N = N 0 ∈ A1 , and it suffices to show that
.
[N/x]M1 = [N 0 /x]M10 ∈ A2 . It follows directly from assumptions.
. .
– Transitivity: By inversion on M = M 0 ∈ A1 → A2 , M 0 = M 00 ∈ A1 → A2 , and
determinism of evaluation, we know that M ⇓ λx : A1 .M1 , M 0 ⇓ λx : A1 .M10 ,
. .
M 00 ⇓ λx : A1 .M100 , for all N, N 0 such that N = N 0 ∈ A1 , [N/x]M1 = [N 0 /x]M10 ∈
. .
A2 , and for all N 0 , N 00 such that N 0 = N 00 ∈ A1 , [N 0 /x]M10 = [N 00 /x]M100 ∈ A2 .
. .
We are suppose to show that for all N, N 00 such that N = N 00 ∈ A1 , [N/x]M1 =
.
[N 00 /x]M100 ∈ A2 . By assumption, we know that [N/x]M1 = [N 00 /x]M10 ∈ A2 .
.
Then it suffices to show that [N 00 /x]M10 = [N 00 /x]M100 ∈ A2 . It turns out that
. .
we need to prove N 00 = N 00 ∈ A1 . By induction hypothesis on N = N 00 ∈ A1
.
for symmetry, we know that N 00 = N ∈ A1 . Then by induction hypothesis for
.
transitivity, we have N 00 = N 00 ∈ A1 . Thus we conclude the proof.

The symmetry and transitivity can also be proved for open behavioral equality.
Lemma 4. For any typing context Γ and type A,
. .
• Γ  M = M 0 ∈ A implies Γ  M 0 = M ∈ A.
. . .
• Γ  M = M 0 ∈ A and Γ  M 0 = M 00 ∈ A imply Γ  M = M 00 ∈ A.
. .
Proof. • Suppose γ = γ 0 ∈ Γ. It suffices to show γ
b(M 0 ) = γb0 (M ) ∈ A. By symmetry
. .
we know that γ 0 = γ ∈ Γ. By assumption we know that γb0 (M ) = γ b(M 0 ) ∈ A. By
0 . b0
b(M ) = γ (M ) ∈ A.
symmetry again we conclude that γ
. .
• Suppose γ = γ 00 ∈ Γ. It suffices to show γb(M ) = γc00 (M 00 ) ∈ A. By symmetry we know
. .
that γ 00 = γ ∈ Γ. By transitivity we know that γ = γ ∈ Γ. By assumption we know
. .
that γ
b(M ) = γ b(M 0 ) ∈ A. By assumption we know that γ b(M 0 ) = γc00 (M 00 ) ∈ A. By
.
transitivity we conclude that γ b(M ) = γc00 (M 00 ) ∈ A.

3
Lecture Notes Week 5 Lecture Notes Week 5

Because behavioral equality reasons about behavioral equivalence of programs, and the
evaluation of the STLC is deterministic, the equality relation should also be closed under
reverse execution.
. .
Lemma 5 (Head expansion). If M = M 0 ∈ A, N 7→∗ M , and N 0 7→∗ M 0 , then N = N 0 ∈ A.

Proof. By induction on the structure of A:

• Case A = ans: By inversion we know that either M ⇓ ↑, M 0 ⇓ ↑, or M ⇓ ↓, M 0 ⇓ ↓.

If M, M 0 evaluates to ↑, then N 7→∗ M and N 0 7→∗ M 0 imply that N ⇓ ↑ and N 0 ⇓ ↑,
.
thus N = N 0 ∈ ans. It is similar to prove for the case where M, M 0 evaluates to ↓.
• Case A = nat: By inversion and a then a case analysis:

– Subcase M ⇓ z, M 0 ⇓ z: N 7→∗ M and N 0 7→∗ M 0 imply that N ⇓ z and N 0 ⇓ z,

.
thus N = N 0 ∈ nat.
.
– Subcase M ⇓ s(M1 ), M 0 ⇓ s(M10 ), M1 = M10 ∈ nat: N 7→∗ M and N 0 7→∗ M 0
.
imply that N ⇓ s(M1 ) and N ⇓ s(M1 ), thus by definition we have N = N 0 ∈ nat.
0 0

• Case A = A1 → A2 : By inversion we know that M ⇓ λx : A1 .M1 , M 0 ⇓ λx : A1 .M10 ,

. .
and for all M2 , M20 such that M2 = M20 ∈ A1 , [M2 /x]M1 = [M20 /x]M10 ∈ A2 . N 7→∗ M
and N 0 7→∗ M 0 imply that N ⇓ λx : A1 .M1 and N 0 ⇓ λx : A1 .M10 . By definition we
.
know that N = N 0 ∈ A1 → A2 .

Now we turn to prove the fundamental theorem to show that structural equality suffices
for behavioral equality. We start with a lemma which justifies the positive definition of
behavioral equality for function types.
. . .
Lemma 6. M = M 0 ∈ A1 → A2 and N = N 0 ∈ A1 imply M N = M 0 N 0 ∈ A2 .
.
Proof. By inversion on M = M 0 ∈ A1 → A2 we know that M ⇓ λx : A1 .M1 , M 0 ⇓ λx :
. .
A1 .M1 , and for all N, N such that N = N 0 ∈ A1 , [N/x]M1 = [N 0 /x]M10 ∈ A2 . Thus we
0 0
. 0 0 ∗
know that [N/x]M1 = [N /x]M1 ∈ A2 . Observe that M N 7→ (λx : A1 .M1 ) N 7→ [N/x]M1 ,
and M 0 N 0 7→∗ (λx : A1 .M10 ) N 0 7→ [N 0 /x]M10 . Thus by head expansion we conclude that
.
M N = M 0 N 0 ∈ A2 .

We show that well-typed terms are behaviorally equal to itself for its type.
.
Lemma 7. Γ ` M : A implies Γ  M = M ∈ A.
. .
Proof. We are supposed to show for all γ, γ 0 such that γ = γ 0 ∈ Γ, γ
b(M ) = γb0 (M ) ∈ A. The
proof proceeds by induction on the derivation of Γ ` M : A. We consider several nontrivial
cases.

Γ, x : A1 ` M : A2
•
Γ ` λx : A1 .M : A1 → A2
Observe that γ b(λx : A1 .M ) = λx : A1 .bγ (M ). By definition we are supposed to show
. .
that for all N, N 0 such that N = N 0 ∈ A1 , [N/x]b γ (M ) = [N 0 /x]γb0 (M ) ∈ A2 . Let
.
γx = γ[x 7→ N ] and γx = γ [x 7→ N ]. By assumption we know that γx = γx0 ∈ Γ, x : A1 .
0 0 0
. c0
Thus by induction hypothesis we know that γ cx (M ) = γx (M ) ∈ A2 . Observe that
γ
cx (M ) = [N/x]b cx0 (M ) = [N 0 /x]γb0 (M ). Thus we conclude this case.
γ (M ) and γ

4
Lecture Notes Week 5 Lecture Notes Week 5

Γ ` M 1 : A1 → A2 Γ ` M 2 : A1
•
Γ ` M 1 M 2 : A2
Observe that γb(M1 M2 ) = γ b(M1 ) γ b(M2 ). By induction hypothesis we know that
. b0 .
b(M1 ) = γ (M1 ) ∈ A1 → A2 and γ
γ b(M2 ) = γb0 (M2 ) ∈ A1 . By Lemma 6 we conclude
. b0
that γ b(M2 ) = γ (M10 ) γb0 (M20 ) ∈ A2 .
b(M1 ) γ
Γ ` M : nat Γ ` Mz : A Γ, x : A ` Ms : A
•
Γ ` recA {Mz ; x.Ms }(M ) : A
We are supposed to show that
.
recA {b
γ (Mz ); x.b γ (M )) = recA {γb0 (Mz ); x.γb0 (Ms )}(γb0 (M )) ∈ A.
γ (Ms )}(b
.
b(M ) = γb0 (M ) ∈ nat. By
By induction hypothesis on Γ ` M : nat we know that γ
horizontal induction on natural numbers:
b(M ) ⇓ z, γb0 (M ) ⇓ z: Observe that
– Subcase γ

recA {b
γ (Mz ); x.b
γ (Ms )}(b
γ (M )) 7→∗ γ
b(Mz )

recA {γb0 (Mz ); x.γb0 (Ms )}(γb0 (M )) 7→∗ γb0 (Mz ).

.
By induction hypothesis on Γ ` Mz : A we know that γ b(Mz ) = γb0 (Mz ) ∈ A. Thus
by head expansion we conclude this subcase.
.
b(M ) ⇓ s(N ), γb0 (M ) ⇓ s(N 0 ), N = N 0 ∈ nat assuming that
– Subcase γ
.
recA {b γ (Ms )}(N ) = recA {γb0 (Mz ); x.γb0 (Ms )}(N 0 ) ∈ A :
γ (Mz ); x.b

Observe that
recA {b
γ (Mz ); x.b γ (M )) 7→∗
γ (Ms )}(b [recA {b
γ (Mz ); x.b
γ (Ms )}(N )/x]b
γ (Ms )

recA {γb0 (Mz ); x.γb0 (Ms )}(γb0 (M )) 7→∗ [recA {γb0 (Mz ); x.γb0 (Ms )}(N 0 )/x]γb0 (Ms ).

Let
γx = γ[x 7→ recA {b
γ (Mz ); x.b
γ (Ms )}(N )], and
γx0 = γ 0 [x 7→ recA {γb0 (Mz ); x.γb0 (Ms )}(N 0 )].
.
By assumption we know that γx = γx0 ∈ Γ, x : A. Thus by induction hypothesis
. c0
on Γ, x : A ` Ms : A we know that γ cx (Ms ) = γ x (Ms ) ∈ A.
Observe that

cx (Ms ) = [recA {b
γ γ (Mz ); x.b
γ (Ms )}(N )/x]b
γ (Ms ), and

cx0 (Ms ) = [recA {γb0 (Mz ); x.γb0 (Ms )}(N 0 )/x]γb0 (Ms ).
γ
Hence by head expansion we conclude this subcase.

Now we proceed to prove the fundamental theorem.

.
Theorem 8 (FTLR). If Γ ` M ≡ M 0 : A, then Γ  M = M 0 ∈ A.

Proof. The proof proceeds by induction on the derivation of Γ ` M ≡ M 0 : A. We consider

several nontrivial cases.

5
Lecture Notes Week 5 Lecture Notes Week 5

Γ`M :A
• .
Γ`M =M :A
We conclude this case by Lemma 7.
Γ ` M0 ≡ M : A
•
Γ ` M ≡ M0 : A
We conclude this case by induction hypothesis and then Lemma 4.
Γ ` M ≡ M0 : A Γ ` M 0 ≡ M 00 : A
•
Γ ` M ≡ M 00 : A
We conclude this case by induction hypothesis and then Lemma 4.
Γ, x : A1 ` M : A2 Γ ` N : A1
•
Γ ` (λx : A1 .M ) N ≡ [N/x]M : A2
. .
Suppose γ = γ 0 ∈ Γ. It suffices to show that (λx : A1 .b b(N ) = [γb0 (N )/x]γb0 (M ) ∈
γ (M )) γ
. b0
A2 . By Lemma 7 on Γ ` N : A1 we know that γ b(N ) = γ (N ) ∈ A1 . Let γx = γ[x 7→
.
b(N )] and γx = γ [x 7→ γ (N )]. By assumption we know that γx = γx0 ∈ Γ, x : A1 .
γ 0 0 b0
. c0
By Lemma 7 on Γ, x : A1 ` M : A2 we know that γ cx (M ) = γx (M ) ∈ A2 . Thus
.
[b γ (M ) = [γb0 (N )/x]γb0 (M ) ∈ A2 . Observe that
γ (N )/x]b

(λx : A1 .b b(N ) 7→ [b
γ (M )) γ γ (N )/x]b
γ (M ).

Thus by head expansion we conclude this case.

Γ ` M ≡ M 0 : A1 → A2 Γ ` N ≡ N 0 : A1
•
Γ ` M N ≡ M 0 N 0 : A2
We conclude this case by induction hypothesis and then Lemma 6.
Γ, x : A1 ` M ≡ M 0 : A2
•
Γ ` λx : A1 .M ≡ λx : A1 .M 0 : A1 → A2
. .
Suppose γ = γ 0 ∈ Γ. It suffices to show that λx : A1 .bγ (M ) = λx : A1 .γb0 (M 0 ) ∈ A1 →
.
A2 . By definition we are supposed to show that for all N, N 0 such that N = N 0 ∈ A1 ,
.
[N/x]bγ (M ) = [N 0 /x]γb0 (M 0 ) ∈ A2 . Let γx = γ[x 7→ N ] and γx0 = γ 0 [x 7→ N 0 ].
.
By assumption we know that γx = γx0 ∈ Γ, x : A1 . Thus by induction hypothesis
. c0
we know that γ cx (M ) = γx (M 0 ) ∈ A2 . Observe that γ cx (M ) = [N/x]b γ (M ) and
cx0 (M ) = [N /x]γb0 (M 0 ). Hence we conclude this case.
γ 0 0

Γ ` M ≡ M 0 : nat Γ ` Mz ≡ Mz0 : A Γ, x : A ` Ms ≡ Ms0 : A

•
Γ ` recA {Mz ; x.Ms }(M ) ≡ recA {Mz0 ; x.Ms0 }(M 0 ) : A
.
Suppose γ = γ 0 ∈ Γ. By induction hypothesis on Γ ` M ≡ M 0 : nat we know that
. b0
b(M ) = γ (M 0 ) ∈ nat. By horizontal induction on natural numbers:
γ

b(M ) ⇓ z, γb0 (M 0 ) ⇓ z: Observe that

– Subcase γ

recA {b
γ (Mz ); x.b γ (M )) 7→∗
γ (Ms )}(b γ
b(Mz )

recA {γb0 (Mz0 ); x.γb0 (Ms0 )}(γb0 (M 0 )) 7→∗ γb0 (Mz0 ).

.
By induction hypothesis on Γ ` Mz ≡ Mz0 : A we know that γ b(Mz ) = γb0 (Mz0 ) ∈ A.
Thus by head expansion we conclude this subcase.
.
b(M ) ⇓ s(N ), γb0 (M 0 ) ⇓ s(N 0 ), N = N 0 ∈ nat assuming that
– Subcase γ
.
recA {b γ (Ms )}(N ) = recA {γb0 (Mz0 ); x.γb0 (Ms0 )}(N 0 ) ∈ A :
γ (Mz ); x.b

6
Lecture Notes Week 5 Lecture Notes Week 5

Observe that
recA {b γ (Mz ); x.bγ (Ms )}(b 7 ∗
γ (M )) → [recA {b
γ (Mz ); x.b γ (Ms )}(N )/x]b γ (Ms )
0 0 0
recA {γb0 (Mz ); x.γb0 (Ms )}(γb0 (M )) →7 ∗ [recA {γb0 (Mz0 ); x.γb0 (Ms0 )}(N 0 )/x]γb0 (Ms0 ).
Let
γx = γ[x 7→ recA {bγ (Mz ); x.b
γ (Ms )}(N )], and
γx = γ [x 7→ recA {γ (Mz ); x.γb0 (Ms0 )}(N 0 )].
0 0 b0 0

.
By assumption we know that γx = γx0 ∈ Γ, x : A. Thus by induction hy-
. c0
pothesis on Γ, x : A ` Ms ≡ Ms0 : A we know that γ cx (Ms ) = γ 0
x (Ms ) ∈
A. Observe that γ cx (Ms ) = [recA {b
γ (Mz ); x.b
γ (Ms )}(N )/x]b cx0 (Ms0 ) =
γ (Ms ) and γ
0 0 0 0 0 0 0
[recA {γ (Mz ); x.γ (Ms )}(N )/x]γ (Ms ). Hence by head expansion we conclude
b b b
this subcase.
Γ ` M : nat Γ ` Mz : A Γ, x : A ` Ms : A
•
Γ ` recA {Mz ; x.Ms }(s(M )) ≡ [recA {Mz ; x.Ms }(M )/x]Ms : A
. .
Suppose γ = γ 0 ∈ Γ. It suffices to show that recA {b γ (Mz ); x.bγ (Ms )}(s(bγ (M )) =
[recA {γb0 (Mz ); x.γb0 (Ms )}(γb0 (M ))/x]γb0 (Ms ) ∈ A. By assumption we can derive Γ `
.
recA {Mz ; x.Ms }(M ) : A. Thus by Lemma 7 we know that Γ  recA {Mz ; x.Ms }(M ) =
recA {Mz ; x.Ms }(M ) ∈ A.
.
Hence recA {b γ (Mz ); x.b γ (Ms )}(bγ (M )) = recA {γb0 (Mz ); x.γb0 (Ms )}(γb0 (M )) ∈ A. Let γx =
γ[x 7→ recA {b γ (Mz ); x.bγ (Ms )}(bγ (M )) and γx0 = γ 0 [x 7→ recA {γb0 (Mz ); x.γb0 (Ms )}(γb0 (M )).
.
By assumption we know that γx = γx0 ∈ Γ, x : A. By Lemma 7 on Γ, x : A ` Ms : A we
. c0
know that γ cx (Ms ) = γx (Ms ) ∈ A. Thus
.
[recA {b
γ (Mz ); x.bγ (Ms )}(b γ (M ))/x]bγ (Ms ) = [recA {γb0 (Mz ); x.γb0 (Ms )}(γb0 (M ))/x]γb0 (Ms ) ∈ A.
Observe that
recA {b
γ (Mz ); x.b γ (M )) 7→ [recA {b
γ (Ms )}(s(b γ (Mz ); x.b
γ (Ms )}(b
γ (M ))/x]b
γ (Ms ).
Hence by head expansion we conclude this subcase.

4 Discussion
.
Suppose we want to prove x : nat  M = M 0 ∈ A in a proof assistant such as RedPRL.
. .
In other words, we want to show that if N = N ∈ nat, then [N/x]M = [N 0 /x]M 0 ∈ A. By
horizontal induction on natural numbers, it suffices to show
.
1. If N ⇓ z, N 0 ⇓ z, then [N/x]M = [N 0 /x]M 0 ∈ A.
. . .
2. If N ⇓ s(P ), N 0 ⇓ s(P 0 ), P = P 0 ∈ nat, and [P/x]M = [P 0 /x]M 0 ∈ A, then [N/x]M =
0 0
[N /x]M ∈ A.

Intuitively, the second condition can be expressed using the following “judgment”:
. .
[P/x]M = [P 0 /x]M 0 ∈ A |=P =P
. 0 ∈nat [s(P )/x]M = [s(P 0 )/x]M 0 ∈ A
That is, we can derive a proof of equality from a proof of equality. We can even rewrite it as
follows informally:
P ∈ nat, P 0 ∈ nat, y : Eqnat (P, P 0 ), z : EqA ([P/x]M, [P 0 /x]M 0 )  · · · ∈ EqA ([s(P )/x]M, [s(P 0 )/x]M 0 )
EqA (M, M 0 ) can be seen as an “equality type” whose inhabitants are proofs for equality of
M and M 0 for type A. This fact motivates the “propositions-as-types” principle, which leads
to the exploration of dependent type theory.