Deducteam investigates the design of logical frameworks, that is frameworks where various theories can be defined, and the use of such frameworks for interoperability between proof systems, cross verification of proofs, and the sustainability of proof libraries.

To achieve these goals, we develop

The development of computerized proof systems such as Coq, HOL Light, or PVS is a major step forward in the quest of mathematical rigor.
But it jeopardizes, once again, the
universality of mathematical truth: we used to have proofs of Fermat’s little
theorem, we now have Coq proofs of Fermat’s little theorem, HOL Light
proofs of Fermat’s little theorem, PVS proofs of Fermat’s little theorem, etc., as each proof system defines its own language
for mathematical statements and its own truth conditions for these statements. See, for instance, our invited talk at IJCAR this year 18: From the Universality of Mathematical Truth to the Interoperability of Proof Systems.

One way to address this issue is to express the theories implemented in these systems in a common logical framework and to determine, for each proof, which axioms it depends on. This way, a proof can be used in any system that supports these axioms, independently of the system it has been developed in.

The idea that systems such as Euclidean geometry, non-Euclidean geometries, set theory, with or without the axiom of choice, etc. should be expressed in the same logical framework appeared, in 1928, with the design of the first logical framework in the history of logic: predicate logic. Later, several more powerful logical frameworks have been designed:

The logical framework that we use is a simple Dedukti.

The first implementation of Dedukti, now called Dkcheck, was developed in 2011 by Mathieu Boespflug 30. Then, new versions of this implementation were developed and several theories were expressed in Dedukti, allowing to import proofs developed in Matita (with the tool Krajono), HOL Light (with the tool Holide), FoCaLiZe (with the tool Focalide), iProver, and Zenon, totalizing several hundred of megabytes of proofs.

We now focus on the translation of proofs from one Dedukti theory to another and on the exporting of proofs to other proof systems. In particular the Matita arithmetic library has been translated to a much weaker theory: constructive simple type theory, allowing to export it to Coq, Lean, PVS, HOL Light, and Isabelle/HOL. In the same way, the first book of Euclids elements, formalized in Coq, has been translated to predicate logic and exported to several systems, and a proof of Bertrand's theorem, originally developed in Matita, has been translated to predicative type theory, allowing its export to Agda.

This led us to develop an on-line proof repository Nubo and an on-line encyclopedia Logipedia, allowing to share and browse this library.

We also focus on the development of new theories in Dedukti, such as Simple type theory with predicate subtyping, implemented in the system PVS, several formulations of homotopy type theory, various formulations of set theory, in particular those used in B and TLA+, matching logic, etc.

Finally, we develop an interactive theorem prover Lambdapi for Dedukti. This interactive theorem prover is also used as a tool in the process of translating proofs from PVS and from automated theorem provers.

A thesis, which is at the root of our research effort, is that
logical systems should be expressed as theories in a logical framework. As a consequence, proof-checking systems should not be focused on one theory, such as Simple type theory, Martin-Löf's type theory, or the Calculus of constructions, but should be theory-independent.
In the same way, proof-search algorithms or the algorithmic interpretation of proofs should not depend on a theory, but this theory should just be a parameter. This is, for instance, expressed in the title of our
invited talk at ICALP 2012: A theory independent Curry-De
Bruijn-Howard correspondence31.

Various limits of Predicate logic have led to the development of various families of logical frameworks:

The Dedukti and that is a synthesis of the Edinburgh logical framework and of Deduction modulo theory, subsumes them all.
Our goal is to express as many theories as possible in Dedukti, express proofs in these theories and translate proofs from one theory to another.

Using a single prover to check proofs coming from different systems and translating these proofs from one theory to another naturally leads to investigating how these proofs can be used in a system different from the one they have been developed in.

This issue is of prime importance because developments in proof systems are getting bigger and, unlike other communities in computer science, the proof-checking community has put little effort in the direction of standardization and interoperability.

A more recent trend is to use logical frameworks and proof translations for cross-checking. Checking a proof in several systems introduces some redundancy and hence reduces the probability that an incorrect proof is nevertheless successfully verified because of a bug in the proof-checker. This problem can be mitigated by developing proofs in systems that rely on a small and auditable trust base, that ensure a significantly lower probability for such undesirable events. In practice, however, this is not always possible, and our argument gets stronger when the proof has been developed in a theory that does not enjoy a small proof checker, but, instead, a complex, and sometimes heterogeneous, proof-construction system. This is for instance the case of B set theory, the theory on which the B method is based. There are several powerful tools to build proofs in this theory, but no small independent proof checker. Defining such a theory in a logical framework such as Dedukti and translating the proofs built by these tools into this theory permits to increase in a substantial way the trust we can have in these proofs.

Finally, on a more long-term perspective, we know that some proof-checking systems are not maintained anymore (this is, for instance the case of Automath and LCF, the two first proof checkers in history). When such a system disappears, its libraries often disappear with it. We can hope that expressing the proofs in a universal format in place of a system-specific one and preserving these proofs into a system-independent on-line repository such as Nubo or Logipedia will increase the sustainability of these libraries.

We also investigate how the

This has led to the development of Lambdapi, which is an interactive theorem prover for the

Such an interactive theorem prover happens to be very useful when we translate to Dedukti proofs coming from laconic systems that output a proof sketch rather than a full proof. In these cases, one first produces a proof skeleton with many gaps, that are filled, in a second step of the translation, with the help of automatic tactics.

Interoperability between interactive and automatic theorem provers can be fruitful to both systems: results coming from automatic solvers can be checked by a third-party software with an identified kernel, and interactive provers can benefit from more automation. We are pushing towards this last application by extending the SMTCoq plugin for the Coq proof assistant with new logical transformations that encode Coq goals into first-order logic, which is the input logic of the class of automatic provers called SMT solvers.

Our research project has lead us to focus on applications directed to the proof-checking community itself rather than to users of proof-checking. Indeed, translating proofs from one system to another, or building a system-independent proof library is more a service to the proof-checking community than to the users of formal methods.

This situation is evolving fast, along with the rise of cross-verification.

Providing a complementary small-trust-base proof checker for B leads us to be in closer connection with the community using formal methods in the railways industry and more generally to the modelization of industrial system community.

This is materialized with the ICSPA ANR project. We also have a long-term collaboration with the air traffic control community through the PVS community.

Lambdapi is an interactive proof development system featuring dependent types like in Martin-Lőf’s type theory, but allowing to define objects and types using oriented equations, aka rewriting rules, and reason modulo those equations. This allows to simplify some proofs, and formalize complex mathematical objects that are otherwise impossible or difficult to formalize in more traditional proof systems.

Lambdapi comes with Emacs and VSCode support.

Lambdapi can also read and output Dedukti files, and can thus be used as an higher-level intermediate language for translating proofs from one system to Dedukti.

Lambdapi is a logical framework and does not come with a pre-defined logic. However, it is easy to define a logic by declaring a few symbols and rules. A library of pre-defined logic is also provided.

Here are some of the features of Lambdapi: - Emacs and VSCode plugins (based on LSP) - support for unicode (UTF-8) and user-defined infix operators - symbols can be declared commutative, or associative and commutative - some arguments can be declared as implicit: the system will try to find out their value automatically - symbol and rule declarations are separated so that one can easily define inductive-recursive types or turn a proved equation into a rewriting rule - support for interactive resolution of typing goals, and unification goals as well, using tactics - a rewrite tactic similar to the one of SSReflect in Coq - the possibility of calling external automated provers - a command is provided for automatically generating an induction principle for (mutually defined) strictly-positive inductive types - Lambdapi can call external provers for checking the confluence and termination of user-defined rewriting rules by translating them to the XTC and HRS formats used in the termination and confluence competitions

Dedukti is a proof-checker for the LambdaPi-calculus modulo. As it can be parametrized by an arbitrary set of rewrite rules, defining an equivalence relation, this calculus can express many different theories. Dedukti has been created for this purpose: to allow the interoperability of different theories.

Dedukti's core is based on the standard algorithm for type-checking semi-full pure type systems and implements a state-of-the-art reduction machine inspired from Matita's and modified to deal with rewrite rules.

Dedukti's input language features term declarations and definitions (opaque or not) and rewrite rule definitions. A basic module system allows the user to organize his project in different files and compile them separately.

Dedukti features matching modulo beta for a large class of patterns called Miller's patterns, allowing for more rewriting rules to be implemented in Dedukti.

Logipedia is composed of two distinct parts: 1) A back-end that translates proofs expressed in a theory encoded in Dedukti to other systems such as Coq, Lean or HOL 2) A front-end that prints these proofs in a "nice way" via a website. Using the website, the user can search for a definition or a theorem then, download the whole proof into the wanted system.

Currently, the available systems are: Coq, Matita, Lean, PVS and OpenTheory. The proofs comes from a logic called STTForall.

In the long run, more systems and more logic should be added.

A termination-checker for higher-order rewriting with dependent types.

Took part in the Termination Competition 2018 ( http://termination-portal.org/wiki/Termination_Competition_2018 ) in the "Higher-Order Rewriting (union Beta)" category.

Many improvements have been made on Lambdapi in 2022: replacement of the type-checking algorithm by a refinement algorithm, extension of the why3 tactic to handle quantifiers, incremental local confluence checking, postfix operators, addition of a coercion mechanism based on rewrite rules, and export to Coq. Moreover, an open Opam repository for Lambdapi developments has been created.

Lambdapi standard library has been extended. Quentin Buzet (Télécom Paris intern) formalized many functions and properties on natural numbers and polymorphic lists inspired of the SSreflect library in Coq. Quentin Garchery's (EPI Toccata) formalization of binary integers has been integrated by Frédéric Blanqui who simplified the used logic from the calculus of constructions to first-order logic.

Lambdapi has also new users. Stephan Merz (Inria Nancy) formalized the set theory on which the TLA proof system is based, Claude Stolze started to formalize the B set theory, Jean-Paul Bodeveix (Toulouse) used it to formalize proofs coming from Rodin, Artur Kornilowicz (Poland) started to use it to translate the proofs of the Mizar proof checker.

Bruno Barras has improved the efficiency of a call-by-need abstract machine that implements

The theory

For this theory, the fragment theory shows the modularity of the sub-theories of the theory

Émilie Grienenberger has provided a sufficient condition for a fragment to be well-typed if the theory from which it has been extracted is. This condition is inspired by well-typedness criteria studied by R. Saillard 33. She has proved that every fragment of a strongly well-formed theory is well typed.

She has then proved that if Saillard's algorithm establishing that a theory is weakly well-formed succeeds for one theory, then all its fragments are well typed.

This work based on the results of R. Saillard 33, has moreover led to a transformation of some of Saillard's proof that happened not to be fully correct.

Confluence and termination of rewrite
rules including beta-reduction in the
presence of dependent types, depend on each
other. In the general case, we must
therefore prove the confluence of untyped computations, a problem that we have completely solved in the case of left linear rules 12. In the left non-linear case, the confluence not being generally satisfied, we proposed a solution which proves the confluence of the only terms

In his last year of his programme recherche supervised by Bruno Barras, Loris Cros has finished the implementation of a completion algorithm in lambdapi. The main issue was to adapt an algorithm found in the literature to rewrite rules where the left handside is expressed as a pattern. When the algorithm terminates, it produces a confluent rewrite system which equational theory is the same as the system given as input. It remains to evaluate the cases where this algorithm produces a result. The main motivating example for this work is the de Morgan algebras.

Gabriel Hondet defended his PhD on expressing predicate subtyping in computational logical frameworks 26.
Safe programming as well as most proof
systems rely on typing. The more a type system
is expressive, the more these types can be used
to encode invariants which are therefore verified
mechanically through type checking procedures.
Predicate subtyping extends simple type theory
by allowing terms to be defined by predicates.
A predicate subtype Dedukti: a logical
framework with computation rules. We begin by
encoding explicit predicate subtyping for which
terms of type A are syntactically different from
terms of type PVS, a proof
assistant using extensively predicate subtyping, to
Dedukti.

Thiago Felicissimo worked on the theory of Dedukti encodings. Conservativity is an important property that ensures that every proof that is checked correct in Dedukti corresponds to a correct proof in the encoded system. But proving the conservativity of encodings is generally hard, and because of this many encodings used in practice lack a conservativity result. In 20, he proposes a different encoding of Pure Type Systems in Dedukti which do not only allow for simple conservativity proofs, but also provides an adequacy theorem — i.e., a one-to-one syntactic correspondence between the (quotiented) framework syntax and the syntax of the encoded system. Unlike most conservativity proofs, his proof does not rely on the normalization of the rewrite rules of the encoding, a property that is known to be hard to show. Given that Pure Type Systems are the basis of many other type systems, his approach should be in general applicable to most encodings.

Universes are a feature of several type theories, such as those implemented in Agda and Coq. These two theories have however different universe systems: the one of Agda is predicative and the one of Coq impredicative. In the past, the predicative case has been studied by Thiago Felicissimo and the impredicative one by Gaspard Férey. In this last case, however the confluence of the theory was left as a conjecture.

Yoan Géran has given a new definition of impredicative universes, simplifying Férey's and proved termination and confluence.

Most definitions of universes in Dedukti use a unary successor symbol and a binary max symbol. To decide the word problem in this max-successor algebra, all the proposed definitions use rewriting with matching modulo associativity and commutativity (AC), which is of high complexity and difficult to add in standard algorithms for β-reduction and type-checking. Frédéric Blanqui has shown that it is possible to get rid of matching modulo AC by enforcing terms to be in some special canonical form with respect to AC, and by using rewriting rules taking advantage of this canonical form. This work has been presented at the 7th International Conference on Formal Structures for Computation and Deduction (FSCD) 14.

Thomas Traversié, during his internship supervised by Valentin Blot and Gilles Dowek, implemented set theory in Lambdapi, using an encoding of sets with a structure of pointed graphs 25. This work has been presented in Haïfa, at the workshop LFMTP.

Claude Stolze started a post-doc in October 2022 on expressing in Dedukti the B set theory used by Atelier B. He is also working on a translator from proof obligations generated by Atelier B into Lambdapi. The translator can be found at B-pog-translator repository on github.

In his internship supervised by Bruno Barras, Émile Oléon has translated by hand a proof expressed in Cubical Agda in the Dedukti encoding of Two Layers Type Theory instantiated with the primitives of Cubical Type Theory. He translated the proof that the loop space of the circle is

Amélie Ledein defined a partial shallow embedding of Matching Logic. This embedding is partial because the positive occurrence criteria isn't check by the embedding itself, and it is difficult to find Matching Logic proofs using some rules of the Matching Logic proof system. This initial work began with the study of the formalization of Matching Logic in Metamath, and continues with the objective of better understanding Matching Logic. This is also the objective of other researchers doing similar work in Coq and Lean, with whom Amélie Ledein is collaborating, as well as the K team itself.

In the framework of his PHC Sakura project, Frédéric Blanqui, together with Jérémy Dubut and Akihisa Yamada (AIST Tokyo, Japan) improved the translator from Isabelle to Dedukti and Lambdapi. It is now possible to export most of the Isabelle/HOL standard library.

Gabriel Hondet developed a tool, Personoj, to translate the terms and statements of PVS to Lambdapi.

Thiago Felicissimo, Frédéric Blanqui and Ashish Kumar Barnawal (former intern from India) worked on the translation of proofs in impredicative type systems to predicative ones using universe polymorphism 28. As the development of formal proofs is a time-consuming task, it is important to devise ways of sharing the already written proofs to prevent wasting time redoing them. One of the challenges in this domain is to translate proofs written in proof assistants based on impredicative logics, such as Coq, Matita and the HOL family, to proof assistants based on predicative logics like Agda, whenever impredicativity is not used in an essential way. They developed an algorithm to do such a translation between a core impredicative type system and a core predicative one allowing prenex universe polymorphism like in Agda. It consists in trying to turn a potentially impredicative term into a universe polymorphic term as general as possible. The use of universe polymorphism is justified by the fact that mapping an impredicative universe to a fixed predicative one is not sufficient in most cases. During the algorithm, one needs to solve unification problems modulo the max-successor algebra on universe levels. But, in this algebra, there are solvable problems having no most general solution. They however provide an incomplete algorithm whose solutions, when it succeeds, are most general ones. The proposed translation is of course partial, but in practice allows one to translate many proofs that do not use impredicativity in an essential way. Indeed, it was implemented in the tool Predicativize and then used to translate semi-automatically many non-trivial developments from Matita’s arithmetic library to Agda, including Bertrand’s Postulate and Fermat’s Little Theorem, which were not available in Agda yet.

Yoan Géran worked on an encoding of the Coq universes in order to improve the translation from Coq to Dedukti. These universes are expressed with the functions max and successor, the natural numbers and variables together with another symbol

Yoan Géran has implemented a tool to translate proofs from a Dedukti expression of Predicate logic to the tactic language of Coq.
As an example, he translated the proofs of the first book of Euclid Elements: dktactgeo on github.

These proofs were obtained in three steps. The original developement is a Coq library
(GeoCoq/Elements/OriginalProofs on github). This library has been translated, by Gaspard Férey in a Dedukti expression of the type theory of Coq (GeoCoqInE-Euclid on github).

Yoan Géran then showed that these proofs can be expressed in Simple type theory with polymorphsm (which led to translations to Coq, HOL Light, Matita, Lean, Open Theory, and PVS using Logipedia (sttfa-geocoq-euclid on github) and to Predicate Logic (plth-geocoq-euclid on github).

The proofs obtained are then more readable than the one obtained using Logipedia, and translators from the encoding of the Predicate Logic to other proof system could be written in the same way, leading to the export of proofs in a readable format using Dedukti.

Amélie Ledein defined an encoding from K to Dedukti via Matching Logic, in order to execute programs within Dedukti. This work has been presented at JFLA2022 23.

This work was then extended by a pen-and-paper formalization of the translation performed internally by K. This extension has been submitted to TYPES2022 post-proceedings 29.

Amélie Ledein defined a partial shallow embedding of Matching Logic. To validate it, Amélie Ledein checked the proof objects generated by K's automatic prover in the particular case of program execution. Ongoing work consists in isolating a simpler fragment of Matching Logic that is sufficient for expressing this kind of proofs.

Metamath is an american logical framework from the 90's. Matching Logic (the theoretical foundation of K) was formalized within this framework. Moreover, 74 out of the 100 theorems of Freek Wiedijk's list were formalized in metamath.

Amélie Ledein defined both a deep and a shallow emdbeddings of Metamath into Dedukti24. During his M1 internship, Elliot Butte contributed to the implementation of the shallow embedding.

One future challenge consists in trying to determine the encoded features (subtyping, overloading, etc.) before translating them. Another challenge would be to define an interpretation, within Dedukti, from a deep embedding into a shallow one.

In order to automatize the Coq proof assistant, tactics which send a first-order goal to SMT solvers are available in the SMTCoq plugin.

Valentin Blot, Louise Dubois de Prisque and Pierre Vial, with the external collaboration of Denis Cousineau, Enzo Crance, Chantal Keller and Assia Mahboubi, developed a new Coq automatic tactic 16 which generates and proves first-order statements about Coq terms (datatypes and functions). This enriches the semantics of information transmitted to SMTCoq and increases automation in the Coq proof assistant.

This tactic snipe is modular and combines independent transformations, which allows incremental development.

Yann Leray has been working on an extension of the Coq proof assistant with user-defined rewrite rules: both on the practical level (as a fork of the Coq repository for now) and on the theoretical level. This latter point is performed as part of the MetaCoq project aiming to specify and verify Coq as well as studying its meta-theory. In other words, the idea is to both be able to enjoy and test new features while figuring out the proper restrictions needed to make sure good properties of the system (such as confluence or type safety) are preserved.

Théo Winterhalter has been working on pushing this idea of rewrite rules even further by considering local computation instead. More precisely, a type theory can be extended with a local binder for new computational theories, the same way new hypotheses can currently be introduced. This would allow a user to locally rely on rewrite rules to perform a proof, without polluting the global theory, or the base of assumptions of the whole system.

Valentin Blot defined a bar recursive computational interpretation of second-order arithmetic presented as a second-order theory with quantification on predicates 15, rather than a first-order theory equipped with the axiom scheme of comprehension. This brings closer together the two existing interpretations of second-order arithmetic: polymorphic

Gilles Dowek and Alejandro Díaz-Caro have extended linear logic with two rules for addtion and multiplication and shown a purely syntactic linearity theorem for this logic: the closed proof-terms of a linear implication commute with addition and multiplication by a scalar. Together with the supperposition connective introduced in a previous work, the proof-terms of this logic form a complete quantum programming language. This work has been presented at FSCD 2022 17.

In his PhD supervised by Bruno Barras, Luc Chabassier has carried out experiments to figure out how the difficulty of categoretical proof could be reduced in standard proof assistants, more specifically on Coq. He started developing a decision procedure for problems that were usually solved with diagrammatic reasoning, in an attempt to circumvent the difficulty of embedding diagrammatic reasoning in Coq. However, as this problem is undecidable. he designed a pretty good but incomplete algorithm for this problem, and he implemented it as a Coq plugin, released on opam. At that point it turned out to be too simple for real use-cases, but further work may extend it to cover more cases, making it more usable.

Another way to face the undecidability of the above problem is to create an interactive way to work with diagrams in proof assistants, that would use the previously created procedure as an helper. Luc Chabassier has started the design and implementation of such an idea. However it is not yet ready for release.

Valentin Blot and Chantal Keller have funding for a 4-year project (2021–2025) involving a PhD student, a research engineer (2 years) and a post-doctoral researcher (2 years). This funding is part of the Inria - Nomadic labs partnership for Tezos blockchain.

Frédéric Blanqui and Thiago Felicissimo both visited for 2 weeks Akihisa Yamada and Jérémy Dubut, AIST Tokyo, Japan, and Makoto Hamana, Gunma University, Kiryu, Japan (PHC Sakura project).

Amélie Ledein visited for 2 weeks the K Framework team in Iasi and Bucarest (Romania).

The ANR project (2022-2025) ICSPA (Interoperable and Confident Set-based Proof Assistants) has been accepted in the context of the AAPG 2021 call. It is coordinated by Catherine Dubois and has the following academic partners Samovar – Inria Grand Est – Inria Paris-Saclay – LIRMM – IRIT with the industrial partner Clearsy. The project starts on January 1st 2022. This project aims at reinforcing the confidence in proofs carried out mechanically for the set-based specification formalisms B, Event-B, and TLA+ that are used in industry.This will be done by verifying these proofs formally and independently with the proof verifier Dedukti. The project also aims at designing and implementing an exchange framework, through which those three systems can share their proofs and theories, making them effectively interoperable.

The ANR PROGRAMme is an ANR for junior researcher Liesbeth Demol (CNRS, UMR 8163 STL, University Lille 3) to which G. Dowek participates. The subject is: “What is a program? Historical and Philosophical perspectives”. This project aims at developing the first coherent analysis and pluralistic understanding of “program” and its implications to theory and practice.

Gilles Dowek is a member of the Conseil ational du numérique.

Gilles Dowek is a member of the Conseil National Pilote d'Éthique du numérique.

Gilles Dowek is a member of the Scientific board of the Société informatique de France.