Deducteam investigates the design of logical frameworks, that is frameworks where various theories can be defined, and the use of such frameworks for interoperability between proof systems, cross verification of proofs, and the sustainability of proof libraries.

To achieve these goals, we develop

The development of computerized proof systems such as Coq, HOL Light, or PVS is a major step forward in the quest of mathematical rigor.
But it jeopardizes, once again, the
universality of mathematical truth: we used to have proofs of Fermat's little
theorem, we now have Coq proofs of Fermat's little theorem, HOL Light
proofs of Fermat's little theorem, PVS proofs of Fermat's little theorem, etc., as each proof system defines its own language
for mathematical statements and its own truth conditions for these statements. See, for instance, our invited talk at IJCAR 2022: From the Universality of Mathematical Truth to the Interoperability of Proof Systems.

One way to address this issue is to express the theories implemented in these systems in a common logical framework and to determine, for each proof, which axioms it depends on. This way, a proof can be used in any system that supports these axioms, independently of the system it has been developed in.

The idea that systems such as Euclidean geometry, non-Euclidean geometries, set theory, with or without the axiom of choice, etc. should be expressed in the same logical framework appeared, in 1928, with the design of the first logical framework in the history of logic: predicate logic. Later, several more powerful logical frameworks have been designed:

The logical framework that we use is a simple Dedukti.

The first implementation of Dedukti, now called Dkcheck, was developed in 2011 by Mathieu Boespflug 33. New versions of this implementation were then developed and several theories were expressed in Dedukti, making it possible to import proofs developed in Matita (with the tool Krajono), HOL Light (with the tool Holide), FoCaLiZe (with the tool Focalide), iProver, and Zenon, totalling several hundred megabytes of proofs.

We now focus on the translation of proofs from one Dedukti theory to another and on the export of proofs to other proof systems. In particular, the Matita arithmetic library has been translated to a much weaker theory, constructive simple type theory, which makes it possible to export it to Coq, Lean, PVS, HOL Light, and Isabelle/HOL. In the same way, the first book of Euclid's Elements, formalized in Coq, has been translated to predicate logic and exported to several systems, and a proof of Bertrand's theorem, originally developed in Matita, has been translated to predicative type theory, allowing its export to Agda.

This led us to develop an on-line proof repository, Nubo, and an on-line encyclopedia, Logipedia, which make it possible to share and browse this library.

We also focus on the development of new theories in Dedukti, such as simple type theory with predicate subtyping (the theory implemented in the system PVS), several formulations of homotopy type theory, various formulations of set theory, in particular those used in B and TLA+, matching logic, etc.

Finally, we develop an interactive theorem prover Lambdapi for Dedukti. This interactive theorem prover is also used as a tool in the process of translating proofs from PVS and from automated theorem provers.

A thesis, which is at the root of our research effort, is that logical systems should be expressed as theories in a logical framework. As a consequence, proof-checking systems should not be focused on one theory, such as simple type theory, Martin-Löf's type theory, or the Calculus of constructions, but should be theory-independent. In the same way, proof-search algorithms or the algorithmic interpretation of proofs should not depend on a theory, but this theory should just be a parameter. This is, for instance, expressed in the title of our invited talk at ICALP 2012: A theory independent Curry-De Bruijn-Howard correspondence 35.

Various limitations of predicate logic have led to the development of several families of logical frameworks:

Dedukti is a synthesis of the Edinburgh logical framework and of Deduction modulo theory, and subsumes them all. Our goal is to express as many theories as possible in Dedukti, to express proofs in these theories, and to translate proofs from one theory to another, and from one system to another, via Dedukti.

Using a single prover to check proofs coming from different systems, and translating these proofs from one theory to another, naturally leads us to investigate how these proofs can be used in a system different from the one in which they have been developed.

This issue is of prime importance because developments in proof systems are getting bigger and, unlike other communities in computer science, the proof-checking community has put little effort into standardization and interoperability.

A more recent trend is to use logical frameworks and proof translations for cross-checking. Checking a proof in several systems introduces redundancy and hence reduces the probability that an incorrect proof is nevertheless successfully verified because of a bug in the proof checker. This risk can also be mitigated by developing proofs in systems that rely on a small and auditable trusted base, which ensures a significantly lower probability of such undesirable events. In practice, however, this is not always possible, and our argument gets stronger when the proof has been developed in a theory that does not enjoy a small proof checker but, instead, a complex, and sometimes heterogeneous, proof-construction system. This is for instance the case of B set theory, the theory on which the B method is based: there are several powerful tools to build proofs in this theory, but no small independent proof checker. Defining such a theory in a logical framework such as Dedukti and translating the proofs built by these tools into this theory substantially increases the trust we can have in these proofs.

Finally, from a longer-term perspective, we know that some proof-checking systems are no longer maintained (this is, for instance, the case of Automath and LCF, the first two proof checkers in history). When such a system disappears, its libraries often disappear with it. We can hope that expressing the proofs in a universal format instead of a system-specific one, and preserving these proofs in a system-independent on-line repository such as Nubo or Logipedia, will increase the sustainability of these libraries.

We also investigate how the

This has led to the development of Lambdapi, which is an interactive theorem prover for the

Such an interactive theorem prover turns out to be very useful when we translate to Dedukti proofs coming from laconic systems that output a proof sketch rather than a full proof. In these cases, one first produces a proof skeleton with many gaps, which are filled, in a second step of the translation, with the help of automatic tactics.

Interoperability between interactive and automatic theorem provers can be fruitful to both systems: results coming from automatic solvers can be checked by a third-party software with an identified kernel, and interactive provers can benefit from more automation. We are pushing towards this last application by extending the SMTCoq plugin for the Coq proof assistant with new logical transformations that encode Coq goals into first-order logic, which is the input logic of the class of automatic provers called SMT solvers. We also develop tools for checking proofs in the TSTP and Alethe formats generated by automated theorem provers and SMT solvers.

Our research project has led us to focus on applications directed to the proof-checking community itself rather than to users of proof checking. Indeed, translating proofs from one system to another, or building a system-independent proof library, is more a service to the proof-checking community than to the users of formal methods.

This situation is evolving fast, along with the rise of cross-verification.

Providing a complementary small-trusted-base proof checker for B brings us into closer connection with the community using formal methods in the railway industry and, more generally, with the community modelling industrial systems.

This is embodied in the ICSPA ANR project. We also have a long-term collaboration with the air traffic control community through the PVS community.

Lambdapi is an interactive proof development system featuring dependent types as in Martin-Löf's type theory, but allowing objects and types to be defined using oriented equations, also known as rewriting rules, and reasoning modulo those equations. This makes it possible to simplify some proofs, and to formalize complex mathematical objects that are otherwise impossible or difficult to formalize in more traditional proof systems.

Lambdapi comes with Emacs and VSCode support.

Lambdapi can also read and output Dedukti files, and can thus be used as a higher-level intermediate language for translating proofs from one system to Dedukti.

Lambdapi is a logical framework and does not come with a pre-defined logic. However, it is easy to define a logic by declaring a few symbols and rules. A library of pre-defined logics is also provided.

Here are some of the features of Lambdapi:

- Emacs and VSCode plugins (based on LSP)
- support for Unicode (UTF-8) and user-defined infix operators
- symbols can be declared commutative, or associative and commutative
- some arguments can be declared as implicit: the system will try to find out their value automatically
- symbol and rule declarations are separated so that one can easily define inductive-recursive types or turn a proved equation into a rewriting rule
- support for interactive resolution of typing goals, and unification goals as well, using tactics
- a rewrite tactic similar to the one of SSReflect in Coq
- the possibility of calling external automated provers
- a command is provided for automatically generating an induction principle for (mutually defined) strictly-positive inductive types
- Lambdapi can call external provers for checking the confluence and termination of user-defined rewriting rules by translating them to the XTC and HRS formats used in the termination and confluence competitions

Dedukti is a proof checker for the LambdaPi-calculus modulo. As it can be parametrized by an arbitrary set of rewrite rules defining an equivalence relation, this calculus can express many different theories. Dedukti has been created for this purpose: to allow the interoperability of different theories.

Dedukti's core is based on the standard algorithm for type-checking semi-full pure type systems and implements a state-of-the-art reduction machine inspired from Matita's and modified to deal with rewrite rules.

Dedukti's input language features term declarations and definitions (opaque or not) and rewrite rule definitions. A basic module system allows users to organize their project in different files and compile them separately.

Dedukti features matching modulo beta for a large class of patterns called Miller patterns, which allows more rewriting rules to be implemented in Dedukti.
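To make concrete what "a theory expressed as rewrite rules in Dedukti" means, here is an added example (not taken from the Deducteam code base) of a minimal encoding of simple type theory in Dedukti v2 syntax, followed by two proof terms that only type-check because the rules unfold `prf` and `term`. Identifier names (`ty`, `term`, `prf`, `imp`, `forall`) are chosen for illustration.

```dedukti
(; Added example: a minimal encoding of simple type theory as a Dedukti theory.
   Symbol names are illustrative, not those of any published Dedukti library. ;)

(; Object-level simple types, and their interpretation as Dedukti types.
   The rule on `term` makes an object-level arrow into a framework-level arrow,
   so object-level application is just Dedukti application. ;)
ty : Type.
prop : ty.
arrow : ty -> ty -> ty.
def term : ty -> Type.
[a, b] term (arrow a b) --> term a -> term b.

(; Propositions are terms of type `prop`; `prf p` is the type of proofs of p.
   Each connective comes with one rule that gives its proofs-as-programs meaning. ;)
def prf : term prop -> Type.
imp : term prop -> term prop -> term prop.
[p, q] prf (imp p q) --> prf p -> prf q.
forall : a : ty -> (term a -> term prop) -> term prop.
[a, p] prf (forall a p) --> x : term a -> prf (p x).

(; A proof of p => p: the type `prf (imp p p)` rewrites to `prf p -> prf p`,
   so the identity function is a well-typed proof term. ;)
def imp_refl : p : term prop -> prf (imp p p)
  := p : term prop => x : prf p => x.

(; A proof of forall x. P x => P x.  Checking it needs both rules plus beta:
   prf (forall a (x => imp (P x) (P x)))  -->  x : term a -> prf (imp (P x) (P x))
                                          -->  x : term a -> prf (P x) -> prf (P x). ;)
def forall_imp_refl : a : ty -> P : (term a -> term prop) ->
    prf (forall a (x : term a => imp (P x) (P x)))
  := a : ty => P : (term a -> term prop) => x : term a => h : prf (P x) => h.
```

Swapping the two `prf` rules for different ones (say, a rule for a classical connective) changes the theory without changing the checker, which is the point of the framework.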

Logipedia is composed of two distinct parts:

1) A back-end that translates proofs expressed in a theory encoded in Dedukti to other systems such as Coq, Lean or HOL.
2) A front-end that prints these proofs in a "nice way" via a website.

Using the website, the user can search for a definition or a theorem and then download the whole proof into the desired system.

Currently, the available systems are: Coq, Matita, Lean, PVS and OpenTheory. The proofs come from a logic called STTForall.

In the long run, more systems and more logics should be added.

Lambdapi has been improved and extended in various ways. The most notable novelties are:

In a dependently typed lambda calculus, subject reduction, confluence and termination are inter-dependent, which makes it difficult to add dependently typed higher-order rewrite rules, as needed in some complex encodings. It then makes sense to check confluence in the untyped lambda calculus. The case of left-linear rewrite rules is treated in 36: confluence is preserved by adding terminating rewrite rules whose critical pairs are joinable by van Oostrom's decreasing diagrams. Unfortunately, the use of higher-order rewrite rules with non-linear left-hand sides destroys the confluence property of the untyped lambda calculus; this is the case with very simple critical-pair-free rewrite rules like F(x) -> x. In 38, it is shown that confluence is preserved on a subset of layered terms, provided "nested critical pairs" are joinable by some "layer non-increasing" van Oostrom decreasing diagram. A still open question is under which assumptions the set of layered terms contains all typable terms of interest, a property that happens to be true in some practical cases. In a yet unpublished work, we have described a way to layer even more terms by a simpler definition of layering which is at the same time more easily implementable, a first simple step towards a solution to this question.

Bidirectional typing is a discipline in which the typing judgment is decomposed explicitly into inference and checking modes, which makes it possible to control the flow of type information in typing rules and to specify algorithmically how they should be used. Bidirectional typing has been fruitfully studied and bidirectional systems have been developed for many type theories. However, the formal development of bidirectional typing has until now been kept confined to specific theories, with general guidelines remaining informal. In this work 28, we give a generic account of bidirectional typing for a general class of dependent type theories.

As a practical outcome, we obtain a theory-independent bidirectional type checker that has been implemented in a prototype and used in practice with many theories. The use of bidirectionality allows in particular the omission of many type annotations, providing a much more succinct syntax when compared with the fully-annotated presentations of type theory available in logical frameworks. As a result, we expect our implementation to provide important performance gains when compared with Dedukti. This work has been accepted at ESOP 2024.

The imax operator defined by

We are currently expressing two set-based specification formalisms used in industry, B and TLA+, and their proof tools. A translator, called pogtranslator, has been developed: it translates proof obligations generated by Atelier B, expressed in the framework of B set theory, into TPTP proof obligations expressed in first-order logic.

TLAPS, the TLA+ proof system, is a proof assistant that mechanically checks TLA+ proofs by calling automatic provers such as veriT, cvc4, cvc5, or Zenon on proof obligations. In collaboration with Stephan Merz (Loria), we are developing a checker for these proofs by reconstructing a proof term from a trace in the new Alethe proof format 34. The term produced uses the encoding of TLA+ in Dedukti as defined by Stephan Merz.

During his internship supervised by Bruno Barras, Nicolas Margulies integrated the various elements of a proof import procedure from Cubical to Dedukti. He mainly worked on two components. Firstly, he updated the encoding of Cubical Type Theory to follow the minor evolutions of this language. He also adapted the work of Luc Chabassier (translation from extensional to intensional type theory inside Dedukti) to translate Cubical proofs in their usual presentation into the encoding of Cubical Type Theory as a 2-level type theory. This adaptation turned out to be tedious, but most of it has been implemented.

In the framework of his PHC Sakura project, Frédéric Blanqui, together with Jérémy Dubut and Akihisa Yamada (AIST Tokyo, Japan), continued to improve isabelle_dedukti, the translator from Isabelle to Dedukti and Lambdapi. It is now possible to export most of the Isabelle/HOL standard library, as well as some libraries of the Archive of Formal Proofs (AFP). Frédéric Blanqui also started to work on the translation of the obtained Dedukti files to Coq.

hol2dk is a new piece of software that makes HOL Light generate proofs, simplifies them, and translates them to Dedukti and Lambdapi, and in turn to Coq using the new export feature of Lambdapi described above. To translate the proofs generated by HOL Light, which can be quite big, it is necessary to simplify them, prune useless proofs and translate them in parallel. hol2dk can currently handle the whole base library of HOL Light as well as some other libraries. Some further improvement is necessary to handle all the HOL Light libraries. For the obtained Coq theorems to be usable, it is necessary to align the definitions of the types and functions of HOL Light with those given in the Coq standard library. We did this for natural numbers and several common mathematical functions on natural numbers. The obtained Coq library is available in the Opam package coq-hol-light. Our goal is to extend this alignment up to real numbers, so as to allow Coq users to import and reuse the large library of real analysis of HOL Light.

For his PhD thesis, started in March, Rishikesh Vaishnav started to write a framework implementation for translating Lean code to Dedukti (lean2dk) that reads in Lean code, elaborates it, runs a translation function, and prints out the translated Dedukti code. He began the implementation of a Dedukti library for the encoding of Lean (generally following an interpretation of Lean as a Pure Type System). He added debugging utilities and various command line options to lean2dk to control what code is translated from the input file, and wrote code to test the translation and various aspects of the rewrite systems. He worked with Yoan on the implementation and theory of a rewrite system for deciding impredicative universe terms, and integrated this system into lean2dk. Finally, he implemented the translation of a number of features of Lean, including universe impredicativity, let expressions, inductive types and recursors.

As the development of formal proofs is a time-consuming task, it is important to devise ways of sharing the already written proofs to prevent wasting time redoing them. One of the challenges in this domain is to translate proofs written in proof assistants based on impredicative logics, such as Coq, Matita and the HOL family, to proof assistants based on predicative logics like Agda, whenever impredicativity is not used in an essential way.

In 2022, we proposed an algorithm to do such a translation between a core impredicative type system and a core predicative one allowing prenex universe polymorphism as in Agda. It was implemented in the tool Predicativize and then used to translate semi-automatically many non-trivial developments from Matita's arithmetic library to Agda, including Bertrand's Postulate and Fermat's Little Theorem, which were not yet available in Agda.

In 2023, this work was published at the conference Computer Science Logic 2023 (CSL 23) 19. An extended version of this work is currently under submission for the special issue of CSL at Logical Methods in Computer Science 37.

dkpltact is a piece of software that translates proofs from predicate logic, expressed in Dedukti, into the tactic language of Coq. It thus makes it possible to obtain proofs that are more readable and lighter than proof terms.

An encoding from Dedukti via Matching Logic using the Dedukti has been defined and implemented in the tool KaMeLo. We have contributed in particular to a paper
formalization of the translation from

The Metamath formal language for the specification of mathematical proofs comes with a proof checker. A deep and a shallow embedding of Metamath into Dedukti have been defined. With an extended version of the deep encoding, all the proofs of the Metamath standard library have been translated into Dedukti and checked by it using the tool MM2DK 23.

We have developed a new version of extensional type theory where equality reflection is restricted to certain types, so that the type theory still enjoys desirable properties like type constructor discrimination (the ability to distinguish, e.g., the type of natural numbers from a function type) and termination (although this last point remains a conjecture for now). We show that this theory is conservative over an intensional type theory, without having to rely on the usual axioms of function extensionality and uniqueness of identity proofs.

We build this restriction by considering ghost dependent types. Values in a ghost type can be safely erased for computation (for instance at extraction), but are nevertheless distinguishable. They thus sit in between propositions (whose proofs are all equal) and relevant data. In the type theory we consider, reflection is restricted to those ghost values. We have written a preprint 32 containing two translations, one from ghost extensional type theory to ghost type theory and one from ghost type theory to the usual intensional one with a universe of definitionally proof-irrelevant propositions (for instance that of Coq or Agda), showing the consistency of the two theories.

We studied 25 the possibility of transforming proofs of the Dedukti, which would allow one to get rid of the rewrite rules used for one encoding of a theory, in order to produce a proof in a different system without these rules.

In order to automate the Coq proof assistant, Valentin Blot and Louise Dubois de Prisque, with the external collaboration of Chantal Keller, develop the Sniper plugin 17 (see 6.1.17).

The plugin contains:

The use of modular and independent transformations allows incremental development. A rewriting of the orchestrator that combines them, in order to make the tactic more powerful and more efficient, is in progress.

We have started an implementation of user-defined rewrite rules in the Coq proof assistant which, although still at an experimental stage, is waiting to be integrated in an upcoming official release. This practical work was conducted in parallel with a formalisation of the meta-theory of Coq extended with rewrite rules, as part of the MetaCoq project, which contains a specification of Coq's type theory, theorems about its meta-theory and a certified implementation of a type checker. This is still work in progress, but we identified a criterion to ensure the confluence of the whole system and proceeded with its formal proof of correctness.

Valentin Blot described an interpretation of the double-negation shift (and hence of the classical axiom of countable choice and of second-order arithmetic) in the Diller-Nahm variant of the Dialectica interpretation 18. Using the Diller-Nahm variant allows in particular for non-decidable atomic formulas, and provides a naturally structured interpretation.

Alejandro Díaz-Caro and Gilles Dowek are investigating applications of proof theory to the design of quantum programming languages. More precisely, they try to understand in which way propositional logic must be extended or restricted so that its proof-term language is a quantum programming language. First, their 2021 work on the extension of propositional logic with a non-harmonious connective "sup" (for "superposition") has been published in a journal. A linear restriction of this calculus was presented in 2022. The final version of this paper has been published in a journal 13.

A new work has been started on new introduction rules for the disjunction, which allow a better elimination process for commuting cuts. The obtained calculus has some similarities with the sup-calculus. This work will be submitted for publication in 2024.

Luc Chabassier and Bruno Barras have explored the potential of using Dedukti's powerful definitional equality to work around the complexities of the use of dependent types in category theory formalisations. Indeed, the intrinsically dependent nature of category theory means that any formalisation suffers from the drawbacks of dependent types. To work around that without going to a full extensional theory, they implemented some categories in Dedukti such that the rewrite system of Dedukti perfectly captured the equality on morphisms of those categories. However, despite some success on simple categories, the approach failed to generalize to more complex categories.

Jean-Pierre Jouannaud and two external collaborators (Nachum Dershowitz, Tel Aviv University, and Fernando Orejas, Universitat Politècnica de Catalunya) have developed a new algebraic framework for rewriting term-graphs equipped with variables, seen as input ports, and roots, seen as output ports of some computation. Term-graphs are just graphs in which every vertex is labeled by a function symbol whose arity dictates the number of its outgoing edges. They describe an algorithm for unification and use it for deciding local confluence (hence confluence under a termination assumption) in 16. They have recently improved their framework and shown that it now faithfully encodes first-order term rewriting, which had been a long-standing open problem only solved in particular cases so far 26. The next, ongoing step is the generalization of this framework to arbitrary graphs equipped with variables and roots, that is, graphs in which the number of outgoing edges at a given vertex can be arbitrary.

Gilles Dowek has published a paper 14 showing a parallelism between the notion of explanation used in ethics and the notion of cut used in logic.

Valentin Blot and Chantal Keller have funding for a 4-year project (2021–2025) involving a PhD student, a research engineer (2 years) and a post-doctoral researcher (2 years). This funding is part of the Inria – Nomadic Labs partnership for the Tezos blockchain.

Gilles Dowek received a grant from Amazon to hire a post-doc working on checking proofs produced by SMT solvers. The post-doctoral researcher will start at the beginning of 2024.

Frédéric Blanqui is the chair of the COST action CA20111 EuroProofNet 2022-2025 which is a research network on proofs gathering more than 400 members from 43 different countries.

The ANR project (2022-2025) ICSPA (Interoperable and Confident Set-based Proof Assistants) has been accepted in the context of the AAPG 2021 call. It is coordinated by Catherine Dubois and has the following academic partners: Samovar, Inria Grand Est, Inria Paris-Saclay, LIRMM and IRIT, with the industrial partner Clearsy. The project started on January 1st 2022. It aims at reinforcing the confidence in proofs carried out mechanically for the set-based specification formalisms B, Event-B, and TLA+ that are used in industry. This will be done by verifying these proofs formally and independently with the proof verifier Dedukti. The project also aims at designing and implementing an exchange framework through which those three systems can share their proofs and theories, making them effectively interoperable.

The ANR PROGRAMme is an ANR project for junior researcher Liesbeth Demol (CNRS, UMR 8163 STL, University Lille 3) in which G. Dowek participates. The subject is: "What is a program? Historical and Philosophical perspectives". This project aims at developing the first coherent analysis and pluralistic understanding of "program" and its implications for theory and practice.

Frédéric Blanqui organized several Dedukti developers meetings.

Frédéric Blanqui organized with Geoff Sutcliffe the 2023 TPTP Tea Party.

Valentin Blot is the workshop chair and a member of the steering committee of the ACM/IEEE Symposium on Logic In Computer Science (LICS).

Catherine Dubois is the chair of the steering committee of the international conference Test and Proof (TAP).

Catherine Dubois was chairing with Manfred Kerber the program committee of the international conference on Intelligent Computer Mathematics, held in September 2023 (CICM 2023).

Frédéric Blanqui was a member of the program committee of the international workshop on Logical Frameworks and Meta-Languages: Theory and Practice, held in July 2023 (LFMTP 2023).

Catherine Dubois was a member of the program committee of the international Symposium on Applied Computing, Software Verification and Testing Track (SAC-SVT 2024), which will be held in April 2024.

Théo Winterhalter was a member of the program committee of the international conference on Certified Programs and Proofs (CPP 2024), held in January 2024.

Frédéric Blanqui gave an invited talk at the 16th Conference on Intelligent Computer Mathematics.

Frédéric Blanqui gave a talk at the annual meeting of the IFIP WG1.6 on rewriting.

Frédéric Blanqui is member of the IFIP WG1.6 on rewriting.

Frédéric Blanqui was elected member of the Evaluation committee of Inria until August 2023.

Frédéric Blanqui is member of the Scientific committee of Inria Saclay.

Catherine Dubois is one of the two co-chairs of Groupement de Recherche Génie de la Programmation et du Logiciel (Gdr GPL).

Gilles Dowek has been appointed at the Conseil Supérieur des Programmes, in charge of defining the curricula for K-12 education on all topics.