Internalizing Representation Independence with Univalence
11Internalizing Representation Independence with Univalence
CARLO ANGIULI,
Carnegie Mellon University, USA
EVAN CAVALLO,
Carnegie Mellon University, USA
ANDERS MÖRTBERG,
Stockholm University, Sweden
MAX ZEUNER,
Stockholm University, SwedenIn their usual form, representation independence metatheorems provide an external guarantee that twoimplementations of an abstract interface are interchangeable when they are related by an operation-preservingcorrespondence. If our programming language is dependently-typed, however, we would like to appealto such invariance results within the language itself, in order to obtain correctness theorems for compleximplementations by transferring them from simpler, related implementations. Recent work in proof assistantshas shown that Voevodsky’s univalence principle allows transferring theorems between isomorphic types, butmany instances of representation independence in programming involve non-isomorphic representations.In this paper, we develop techniques for establishing internal relational representation independenceresults in dependent type theory, by using higher inductive types to simultaneously quotient two relatedimplementation types by a heterogeneous correspondence between them. The correspondence becomes anisomorphism between the quotiented types, thereby allowing us to obtain an equality of implementations byunivalence. We illustrate our techniques by considering applications to matrices, queues, and finite multisets.Our results are all formalized in
Cubical Agda , a recent extension of
Agda which supports univalence andhigher inductive types in a computationally well-behaved way.CCS Concepts: •
Theory of computation → Type theory .Additional Key Words and Phrases: Representation Independence, Univalence, Higher Inductive Types, ProofAssistants, Cubical Type Theory
ACM Reference Format:
Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner. 2018. Internalizing Representation Indepen-dence with Univalence.
Proc. ACM Program. Lang.
1, CONF, Article 1 (January 2018), 30 pages.
There are countless representation independence results in the theory of programming languages,but common among them is the principle that two implementations of an abstract interface arecontextually equivalent provided one can exhibit an operation-preserving correspondence betweenthem [Mitchell 1986]. Early representation independence theorems were developed in the contextof System F, as “free theorems” obtained through parametricity metatheorems [Reynolds 1983;Wadler 1989]; researchers have since scaled these results to realistic module systems such as thosefound in
OCaml [Leroy 1995] and
Standard ML [Crary 2017].We consider the problem of representation independence for a programming language with full-spectrum dependent types. In this setting, metatheoretic invariance results leave much to be desired:ideally, we would like to appeal to these results within the language itself to obtain correctnesstheorems at deep discounts, by establishing a correspondence between two implementations andtransferring correctness theorems from the simpler one to the more complex one.
Authors’ addresses: Carlo Angiuli, Computer Science Department, Carnegie Mellon University, 5000 Forbes Avenue,Pittsburgh, PA, 15213, USA, [email protected]; Evan Cavallo, Computer Science Department, Carnegie Mellon University,5000 Forbes Avenue, Pittsburgh, PA, 15213, USA, [email protected]; Anders Mörtberg, Department of Mathematics,Stockholm University, Kräftriket Hus 6, Stockholm, 10691, Sweden, [email protected]; Max Zeuner, Departmentof Mathematics, Stockholm University, Kräftriket Hus 6, Stockholm, 10691, Sweden, [email protected]. 2475-1421/2018/1-ART1 $15.00https://doi.org/ Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. a r X i v : . [ c s . P L ] O c t :2 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner Proof reuse and transfer.
This problem is closely related to one studied extensively in the contextof the
Coq proof assistant [The Coq Development Team 2020], namely, the ability to transferproofs between representations of mathematical structures [Cohen et al. 2013; Magaud 2003;Magaud and Bertot 2002; Tabareau et al. 2018]. A simple motivating example is that of the unarynatural numbers, which are well-suited to proofs for their natural induction principle, but toocomputationally inefficient to dispatch large arithmetic subgoals [Chyzak et al. 2014]; binarynumbers and machine integers are much more efficient, but are difficult to reason about.In the
Coq
Effective Algebra Library (
CoqEAL ), Cohen et al. [2013] developed a framework forrewriting proof goals from proof-oriented data structures and algorithms to computation-oriented structures and algorithms. In their framework, users parameterize their development over therelevant types, prove a refinement relation between the two instantiations, and then apply a freetheorem obtained via a syntactic translation of the Calculus of Inductive Constructions (CIC)into itself. The final step uses the fact that the CIC is sufficiently expressive to define its ownparametricity model, albeit externally [Anand and Morrisett 2017; Bernardy et al. 2012; Keller andLasson 2012]. However,
CoqEAL ’s transfer framework does not support dependently-typed goals.Recently, Tabareau et al. [2018] combined techniques from
CoqEAL with Voevodsky’s univalenceaxiom, which asserts that isomorphic types are equal (and thence, interchangeable) [Voevodsky2010a]. Their univalent parametricity approach transfers theorems, including dependently-typedones, between isomorphic types without appealing to a meta-level translation. However, theirframework is limited to isomorphisms, which does not cover all cases of mathematical interest: forexample,
CoqEAL handles sparse representations of matrices, which are often not unique, and aretherefore not isomorphic to standard representations.
Isomorphisms are not enough.
Restricting our attention to isomorphisms is particularly untenablein the context of programming. Consider a standard
Queue A interface, consisting of a type Q ,an empty queue, and functions enqueue : 𝐴 → Q → Q and dequeue : Q → Maybe ( Q × 𝐴 ) . Ifwe intend to prove our code correct, we may reach for a naive implementation Q = List A , which enqueue s on the front and dequeue s from the back (writing last for the function sending [] to nothing and xs ++ [ x ] to just ( 𝑥𝑠 , 𝑥 ) ): ListQueue : ( A : Type) → Queue A ListQueue A = queue (List A ) [] _ :: _ last If we intend to run our code on serious workloads, however, we may reach instead for batchedqueues (
Q = List A × List A ), which enqueue on the front of the first list and dequeue from thefront of the second list [Okasaki 1999, Section 5.2]: BatchedQueue : ( A : Type) → Queue A BatchedQueue A =queue (List A × List A ) ([] , [])( 𝜆 x ( xs , ys ) → fastcheck ( x :: xs , ys ))( 𝜆 { (_ , []) → nothing ; ( xs , x :: ys ) → just (fastcheck ( xs , ys ) , x ) })wherefastcheck : { A : Type} → List A × List A → List A × List A fastcheck ( xs , ys ) = if isEmpty ys then ([] , reverse xs ) else ( xs , ys ) Whereas
ListQueue
𝐴 . dequeue takes linear time,
BatchedQueue
𝐴 . dequeue is amortizedconstant-time (being constant-time except when ys is empty, in which case one must reverse xs ).To understand the batched representation, we can observe that each BatchedQueue has the sameextensional behavior as exactly one
ListQueue , computed as follows:
Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:3 appendReverse : { A : Type} → BatchedQueue A .Q → ListQueue A .QappendReverse ( xs , ys ) = xs ++ reverse ys This correspondence is structure-preserving —it preserves empty and commutes with enqueue and dequeue —and therefore, by representation independence,
ListQueue s and
BatchedQueue s arecontextually equivalent. We are tantalizingly close to obtaining the same result internally by univa-lence, or rather, by the structure identity principle (SIP), a consequence of univalence which assertsthat isomorphic structured types (types equipped with operations) are equal, provided that the iso-morphism is structure-preserving [Univalent Foundations Program 2013, Section 9.8]. The gap issimple: appendReverse is not an isomorphism , as it sends both ([] , [ , ]) and ([ ] , [ ]) to [ , ] .We arrive at the core of our problem: representation independence metatheorems are unsatis-factory, because we want to leverage representation independence to prove internal correctnesstheorems; CoqEAL -style approaches do not allow us to replace
ListQueue s with
BatchedQueue s independently-typed goals; and univalence does not apply, because our types are not isomorphic.
Contribution.
In this paper, we develop techniques for establishing internal relational representa-tion independence results in dependent type theory, without appealing to parametricity translations.Taking inspiration from Homotopy Type Theory/Univalent Foundations (HoTT/UF), we use higherinductive types (HITs) to simultaneously quotient two related implementation types by a heteroge-neous correspondence between them, improving that correspondence to an isomorphism; we thenapply univalence (and in particular, the SIP) to obtain an equality of implementations. In the caseof
Queue s, our technique leaves
ListQueue s untouched while equating two
BatchedQueue s if andonly if appendReverse maps them to the same list.Our results are all formalized in
Cubical Agda [Vezzosi et al. 2019], an extension of
Agda [TheAgda Development Team 2020] which supports univalence and HITs in a computationally well-behaved way using ideas from Cubical Type Theory [Angiuli et al. 2018; Cohen et al. 2018].From the perspective of proof reuse, our work bridges the gap between
CoqEAL and univalentparametricity, because it applies to both dependently-typed goals and non-isomorphism correspon-dences. In addition, our techniques require less engineering work than these systems, because werely on built-in features of
Cubical Agda rather than typeclass instances for univalence or a
Coq plugin to generate parametricity translations. However, we stress that our theorems hold in anydependent type theory with univalence and HITs, features which can be added axiomatically to
Coq [Bauer et al. 2017] and
Lean [van Doorn et al. 2017], among other languages.
Outline.
In Section 2, we review some features of
Cubical Agda that we use in the remainderof the paper, including univalence and HITs. In Section 3, we state and prove a version of theSIP, which states that structure-preserving isomorphisms yield equal structured types; we alsodevelop reflection-based automation for automatically deriving the appropriate notion of structure-preservation for a given structure. In Section 4, we demonstrate how to use the SIP in concertwith HITs to obtain representation independence results for matrices and queues. In Section 5,we generalize these techniques by introducing the notion of a quasi–equivalence relation (QER),and present the main technical result of the paper: any structured QER can be improved to astructured isomorphism between quotients. To illustrate the technique, we apply our theorem totwo implementations of finite multisets. Finally, in Section 6, we conclude with future directionsand a discussion of related work.
In this section, we review some basic features of
Cubical Agda , a recent extension of
Agda . Allcode in this paper is formalized in
Agda
Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :4 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner our main results have been integrated into the agda/cubical library. Experts on Cubical TypeTheory or HoTT/UF can safely skim this section; readers who wish to learn more about
CubicalAgda are encouraged to consult Vezzosi et al. [2019] for a description of the system, or Cohen et al.[2018] and Coquand et al. [2018] for a detailed exposition of its core type theory.
Most languages with full-spectrum dependent types, including
Agda [The Agda Development Team2020],
Coq [The Coq Development Team 2020],
Idris [Brady 2013], and
Lean [de Moura et al.2015], have two notions of equality.
Definitional equality is a purely syntactic notion implementedin typechecking algorithms, which use computation to silently discharge many trivial obligations.Equations that cannot be discharged in this way are instead mediated by an equality type (or propositional equality) whose proofs are often provided by the user, and appeals to which aremarked explicitly in terms and types.In those languages, the equality type is defined as an inductive family Eq 𝐴 𝑥 𝑦 generatedby a reflexivity constructor refl 𝑥 : Eq 𝐴 𝑥 𝑥 , following Martin-Löf [1975]. One can easily showthat equality types satisfy many mathematical properties of equality (e.g., symmetry, transitivity,congruence) but they famously lack several others, including function extensionality : the propertythat pointwise-equal functions are equal as functions [Boulier et al. 2017].Principles such as function extensionality, univalence [Voevodsky 2010a], and excluded middlecan be added to type theory as axioms. However, axioms in type theory lack computational content,causing proofs using axioms to become “stuck,” and thus less amenable to definitional equality.More importantly, type theories with stuck terms cannot serve as programming languages becausethey lack canonicity , the property that all closed terms of natural number type compute numerals.Building on ideas from HoTT/UF, Cubical Type Theory is a computationally well-behaved exten-sion to dependent type theory whose formulation of equality types, called path types , resolve manylongstanding issues with Eq types, including the failure of function extensionality, propositionalextensionality (Section 2.2), and the inability to define quotients (Section 2.3). In Cubical TypeTheory, paths are defined as maps out of an interval type I which contains two elements i0 : I and i1 : I that are computationally distinct but logically equivalent, in the sense that no function canmap them to unequal objects. Therefore, functions f : I → 𝐴 serve as evidence that f ( i0 ) and f ( i1 ) are equal in 𝐴 , just as paths in topological spaces can be represented by continuous functions outof the real unit interval [ , ] ⊂ R . Iterated equality proofs in 𝐴 are thus functions I 𝑛 → 𝐴 whichcorrespond topologically to squares, cubes, etc. in 𝐴 , leading to the term cubical .In Cubical Agda , the interval I is a primitive type which, in addition to the elements i0 : I and i1 : I , is equipped with three operations— minimum ( _ ∧ _ : I → I → I ), maximum ( _ ∨ _ : I → I → I ), and reversal ( ∼ _ : I → I )—which satisfy the laws of a De Morgan algebra , i.e., a boundeddistributive lattice ( i0 , i1 , _ ∧ _ , _ ∨ _ ) with a De Morgan involution ∼ _ . Other formulations of CubicalType Theory requiring less structure on I are also possible [Angiuli et al. 2019, 2018]. Paths.
Path types are a special form of dependent function type ( 𝑖 : I ) → 𝐴 𝑖 that specify thebehavior of their elements on i0 and i1 : PathP : ( A : I → Type ℓ ) → A i0 → A i1 → Type ℓ Here, A : I → Type ℓ is a function from I to one of Agda ’s universes of types. (
Agda ’s universesare typically called
Set , but this paper and the agda/cubical library use
Type instead because, The current development version of
Agda is available at https://github.com/agda/agda, the agda/cubical library isavailable at https://github.com/agda/cubical, and our formalization is available at https://github.com/agda/cubical/blob/master/Cubical/Papers/RepresentationIndependence.agda.Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:5 as we will discuss in Section 2.2, the term set has a technical meaning in HoTT/UF.) Elements of
PathP are 𝜆 -abstractions 𝜆 i → 𝑡 : PathP A 𝑡 [ i0 / 𝑖 ] 𝑡 [ i1 / 𝑖 ] where 𝑡 : 𝐴 𝑖 for 𝑖 : I . We can apply apath p : PathP
A a a to r : I , obtaining p r : A r , and paths satisfy 𝛽 - and 𝜂 -rules definitionally,just like ordinary Agda functions. The only difference between p : PathP
A a a and a function 𝑓 : ( 𝑖 : I ) → 𝐴 𝑖 is that 𝑝 is subject to additional definitional equalities p i0 = a and p i1 = a .Because the two “endpoints” of a path a : A i0 and a : A i1 have different types, PathP types infact represent heterogeneous equalities, or
Path s over P aths in the terminology of HoTT/UF [UnivalentFoundations Program 2013, Sect. 6.2]. We can recover homogeneous (non-dependent) paths interms of PathP as follows: _ ≡ _ : { A : Type ℓ } → A → A → Type ℓ _ ≡ _ { A = A } x y = PathP ( 𝜆 _ → A ) x y Here, { A = 𝐴 } tells Agda to bind the implicit argument A (the first A ) to a variable (the second 𝐴 )for use on the right-hand side. Path types allow us to manipulate equality proofs using standardfunctional programming idioms. For instance, a constant path represents a reflexive equality proof. refl : { x : A } → x ≡ x refl { x = x } = 𝜆 _ → x (Note that refl is a function, rather than a constructor.) We can directly apply a function to apath in order to prove that dependent functions respect equality: cong : { B : A → Type} ( f : ( a : A ) → B a ) { x y : A } ( p : x ≡ y ) → PathP ( 𝜆 i → B ( p i )) ( f x ) ( f y )cong f p i = f ( p i ) We can in fact define cong for 𝐵 : 𝐴 → Type ℓ , but to increase readability in the remainder ofthe paper, we henceforth suppress most universe levels and arguments such as { 𝐴 : Type } thatare easily inferred by the reader. As paths are just functions it is now trivial to prove functionextensionality, the property that pointwise equal functions are equal: funExt : { f g : A → B } → (( x : A ) → f x ≡ g x ) → f ≡ g funExt p i x = p x i The proofs of function extensionality for dependent and 𝑛 -ary functions are equally direct. Since funExt is definable in Cubical Agda , it has computational content: namely, to swap the argumentsto p . Functional programmers might recognize this as a special case of the flip function. Transport and composition.
One of the key operations of equality in type theory is transport ,which sends equalities between types to coercions between those types. In
Cubical Agda , thisprinciple is a special instance of a primitive called transp : transport : A ≡ B → A → B transport p a = transp ( 𝜆 i → p i ) i0 a Consequences of transport include the substitution principle and, using the minimum operationon the interval, the usual induction principle for inductively-defined Eq types: subst : ( B : A → Type) { x y : A } → x ≡ y → B x → B y subst
B p b = transport ( 𝜆 i → B ( p i )) b J : { x : A } ( P : ∀ y → x ≡ y → Type) ( d : P x refl) { y : A } ( p : x ≡ y ) → P y p J P d p = transport ( 𝜆 i → P ( p i ) ( 𝜆 j → p ( i ∧ j ))) d Using J we can easily reproduce the standard type-theoretic proofs that ≡ is symmetric andtransitive. One can also prove these properties directly using Cubical Agda ’s primitive homogeneous
Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :6 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner composition operation hcomp , which expresses these “groupoid laws” and their higher-dimensionalanalogues. Although hcomp is used extensively in the agda/cubical library, we do not need touse it directly in this paper.
The core innovation of HoTT/UF, and the main motivation behind Cubical Type Theory, is Voevod-sky’s univalence principle [Univalent Foundations Program 2013; Voevodsky 2010a], which statesthat any equivalence of types (written ≃ , a higher-dimensional analogue of isomorphism) yields anequality of types, such that transport ing along the equality applies the equivalence [Licata 2016]: ua : { A B : Type} → A ≃ B → A ≡ B ua 𝛽 : { A B : Type} ( e : A ≃ B ) ( x : A ) → transport (ua e ) x ≡ (equivFun e ) x Here, equivFun : 𝐴 ≃ 𝐵 → 𝐴 → 𝐵 returns the function underlying an equivalence. Because transport always produces an equivalence, univalence essentially states that 𝐴 ≃ 𝐵 is not only anecessary but also a sufficient condition for the existence of an equation 𝐴 ≡ 𝐵 .In the past decade, several libraries of formalized mathematics have been developed around anaxiomatic formulation of univalence, including the UniMath library in Coq [Voevodsky et al. 2020],and the HoTT libraries in
Coq [Bauer et al. 2017],
Agda [Brunerie et al. 2018], and
Lean [van Doornet al. 2017]. In contrast, ua and ua 𝛽 are definable in Cubical Agda using the
Glue types of Cohenet al. [2018], and have computational content. In particular, many instances of ua 𝛽 hold directly bycomputation (writing not ≃ for a proof that not : Bool → Bool is an equivalence): _ : transport (ua not ≃ ) false ≡ true_ = refl Recalling that all constructions in type theory respect the equality type by fiat, the force ofunivalence is therefore that all constructions respect equivalence/isomorphism . For instance, withoutinspecting the definition of
IsMonoid : Type → Type , we can conclude that an equivalence 𝐴 ≃ 𝐵 gives rise to a path 𝐴 ≡ 𝐵 , which in turn gives rise to a path IsMonoid 𝐴 ≡ IsMonoid 𝐵 . In Section 3,we will use the structure identity principle to show that a path between two monoids is exactly amonoid isomorphism in the usual sense. Sets and propositions.
Univalence refutes uniqueness of identity proofs (UIP), or Streicher’s axiomK [Streicher 1993], because it produces equality proofs in
Type that are not equal. For example, wecan see via transport that ua not ≃ and refl are unequal proofs of Bool ≡ Bool : not (cid:46) refl : ¬ (ua not ≃ ≡ refl)not (cid:46) refl e = true (cid:46) false (transport ( 𝜆 i → transport ( e i ) true ≡ false) refl) In the presence of univalence, it is important to keep track of which types satisfy UIP or relatedprinciples expressing the complexity of a type’s equality relation. In the terminology of HoTT/UF,a type satisfying UIP is called an h-set (homotopy set, henceforth simply set ), while a type whoseelements are all equal is called an h-proposition (henceforth proposition ): isProp : Type → TypeisProp A = ( x y : A ) → x ≡ y isSet : Type → TypeisSet A = ( x y : A ) → isProp ( x ≡ y ) Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:7
The empty and unit types are propositions, and propositions are closed under many type formers.For instance, we can show that a dependent function type valued in propositions is a proposition,using a variation of function extensionality: isProp Π : { B : A → Type} ( h : ( x : A ) → isProp ( B x )) → isProp (( x : A ) → B x )isProp Π h p q i x = h x ( p x ) ( q x ) i Although all proofs of a proposition are equal, propositions cannot in general be erased—forexample, we will soon see that the property of being an equivalence is a proposition, but it impliesthe existence of an inverse function, which has computational content. We will consider a relatedprogramming application in Example 2.1.A set is a type whose equality types are propositions, and hence satisfies UIP. While CubicalType Theory has many non-sets, including
Type itself, most of the types used in this paper willbe sets. Hedberg’s theorem states that all types with decidable equality are sets [Hedberg 1998],which includes many datatypes such as
Bool , N , and Z . In addition, any proposition is a set, fromwhich it follows that isProp A and isSet A are propositions.Finally, a type is contractible if it has exactly one element: isContr : Type → TypeisContr A = Σ [ x ∈ A ] (( y : A ) → x ≡ y ) (Here, we are using the agda/cubical library’s notation for Agda ’s built-in Σ -types, which are record s with constructor _ , _ , projections fst and snd , and definitional 𝜂 .) We can characterizepropositions as types whose equality types are contractible, just as sets are types whose equalitytypes are propositions. Thus contractible types, propositions, and sets serve as the bottom threelayers of an infinite hierarchy of types introduced by Voevodsky, known as h-levels [Voevodsky2010b] or 𝑛 -types [Univalent Foundations Program 2013]. Equivalences and isomorphisms.
An equivalence A ≃ B is a function 𝐴 → 𝐵 such that thepreimage of every point in 𝐵 is contractible: preim : { A B : Type} ( f : A → B ) ( y : B ) → Typepreim { A = A } f y = Σ [ x ∈ A ] ( f x ≡ y )isEquiv : { A B : Type} ( f : A → B ) → TypeisEquiv { B = B } f = ( y : B ) → isContr (preim f y )_ ≃ _ : ( A B : Type) → Type A ≃ B = Σ [ f ∈ ( A → B ) ] (isEquiv f ) (In the HoTT/UF literature, preim is often called the homotopy fiber .) Every equivalence has aninverse which can be constructed by sending each 𝑦 : 𝐵 to the element of its preimage determinedby isContr . In practice, we often construct equivalences A ≃ B by first constructing ordinary isomorphisms Iso
A B (quadruples of a function 𝐴 → 𝐵 , its inverse 𝐵 → 𝐴 , and proofs that thesefunctions cancel in each direction), then applying the lemma isoToEquiv : Iso
𝐴 𝐵 → 𝐴 ≃ 𝐵 .One might wonder, why introduce equivalences at all? The reason is that isEquiv f is always aproposition (by isProp Π and the fact that isContr is a proposition), and thus two elements of A ≃ B are equal if and only if their underlying functions are equal (because their isEquiv proofs mustagree). In contrast, the property of a function 𝑓 : 𝐴 → 𝐵 being an isomorphism (i.e., the triple ofa function 𝐵 → 𝐴 and proofs that it is left and right inverse to 𝑓 ) is not a proposition [UnivalentFoundations Program 2013, Theorem 4.1.3]. A subtle consequence of this fact is that if one replaces ≃ in the statement of univalence with Iso , the resulting statement is actually inconsistent [Univalent
Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :8 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner
Foundations Program 2013, Exercise 4.6]! However, for the purposes of this paper, the reader cansafely imagine equivalences as isomorphisms.In dependent type theory, equality in Σ -types is notoriously difficult to manage, due to theequality of second projections being heterogeneous (usually stated with transports). In CubicalType Theory, however, the natural heterogeneity of PathP types allows us to straightforwardlycharacterize equality in Σ -types without any transports: Σ Path ≃ Path Σ : { B : A → Type} ( x y : Σ A B ) → ( Σ [ p ∈ (fst x ≡ fst y ) ] (PathP ( 𝜆 i → B ( p i )) (snd x ) (snd y ))) ≃ ( x ≡ y ) Σ Path ≃ Path Σ x y = isoToEquiv (iso ( 𝜆 { ( p , q ) i → ( p i , q i ) })( 𝜆 p → (( 𝜆 i → fst ( p i )) , ( 𝜆 i → snd ( p i ))))( 𝜆 _ → refl) ( 𝜆 _ → refl)) (Here, iso is the constructor for the Iso type.) Therefore, we can always exchange an equality proofin a Σ -type with a pair of equalities, which tends to be much easier than manipulating transports.Finally, by isoToEquiv it is easy to show that logically equivalent propositions are equivalent andthus equal by ua . This principle, propositional extensionality , is another often-assumed axiom intype theory that is provable (and hence has computational content) in Cubical Agda . prop ≃ : isProp A → isProp B → ( A → B ) → ( B → A ) → A ≃ B prop ≃ pA pB f g = isoToEquiv (iso f g ( 𝜆 _ → pB _ _) ( 𝜆 _ → pA _ _)) Finally,
Cubical Agda natively supports higher inductive types (HITs), a generalization of inductivedatatypes which allows for constructors of equality type [Cavallo and Harper 2019; Coquand et al.2018; Lumsdaine and Shulman 2019; Univalent Foundations Program 2013]. In HoTT/UF, HITsprovide analogues of topological spaces such as the circle, spheres, and torus; in this paper, we useHITs to take quotients of types by equivalence relations.
Propositional truncation.
Our first example of a HIT is propositional truncation , which quotientsa type by the total relation, yielding a proposition. It has two constructors: | _ | , which includeselements of A as elements of ∥ A ∥ , and squash , which equates any two elements of ∥ A ∥ . data ∥ _ ∥ ( A : Type) : Type where | _ | : A → ∥ A ∥ squash : ( x y : ∥ A ∥ ) → x ≡ y We write functions out of ∥ A ∥ by pattern-matching, noting that squash x y i constructs anelement of ∥ A ∥ . For example, we can define the functorial action of ∥ - ∥ on a function as follows: map : ( A → B ) → ∥ A ∥ → ∥ B ∥ map f | x | = | f x | map f (squash x y i ) = squash (map f x ) (map f y ) i In addition to checking that these clauses are well-typed,
Cubical Agda must also check thatthe clause for squash x y : x ≡ y is a path between map f x and map f y , by substituting i0 and i1 for i : I in the left- and right-hand sides of the definition.We have already seen with isEquiv that propositions can have computational content. In thefollowing example, we use propositional truncation to hide the mathematical content of a typewithout disturbing its computational content. Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:9
Example 2.1 (Cost monad).
By pairing an element of ∥ N ∥ with the output of a function, weobtain a counter that can be incremented at will but whose value is “hidden” to the equality type: Cost : ( A : Type) → TypeCost A = A × ∥ N ∥ Cost ≡ : ( x y : Cost A ) → fst x ≡ fst y → x ≡ y Cost ≡ ( x , cx ) ( y , cy ) h i = ( h i , squash cx cy i ) We then define a monad structure on this type which counts the number of binds as a simpleproxy for computation steps, by starting at and incrementing once at each bind ( _»=_ ). Using Cost ≡ , it is straightforward to prove that these definitions satisfy the monad laws. (In the definitionof _»=_ , map2 is a binary version of map .) _»=_ : Cost A → ( A → Cost B ) → Cost B ( x , m ) »= g with g x ... | ( y , n ) = ( y , map suc (map2 _+_ m n ))return : A → Cost A return x = ( x , | | ) The computational behavior of this monad is precisely the same as one in which the propositionaltruncation is omitted. For example, if we compare a naive implementation of Fibonacci to a tail-recursive one, the former requires many more recursive calls, as expected: fib : N → Cost N fib 0 = return 0fib 1 = return 1fib (suc (suc x )) = do y ← fib (suc x ) z ← fib x return ( y + z )_ : fib 20 ≡ (6765 , | | )_ = refl fibAux : N → N → N → Cost N fibAux 0 res _ = return res fibAux (suc x ) res prev = do r ← fibAux x ( res + prev ) res return r fibTail : N → Cost N fibTail 0 = return 0fibTail (suc x ) = fibAux x ≡ (6765 , | | )_ = refl However, because we have truncated the cost, we are able to prove that fib and fibTail are equal as functions using
Cost ≡ , despite having different runtime behavior: fibEq : fib ≡ fibTail . Set quotients.
The main HIT that we use in this paper is the set quotient , which quotients a typeby an arbitrary relation, yielding a set. It has three constructors: [ _ ] , which includes elements ofthe underlying type, eq / , which equates all pairs of related elements, and squash / , which ensuresthat the resulting type is a set: data _/_ ( A : Type) ( R : A → A → Type) : Type where[_] : ( a : A ) → A / R eq/ : ( a b : A ) → ( r : R a b ) → [ a ] ≡ [ b ]squash/ : isSet ( A / R ) If we omitted squash / , then the unit type quotiented by the total relation would be a HIT generated by [ tt ] and a pathfrom [ tt ] to itself. But this is the circle type S1 , which is not a set [Univalent Foundations Program 2013, Section 8.1].Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :10 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner Once again, we can write functions out of 𝐴 / 𝑅 by pattern-matching; this amounts to writinga function out of 𝐴 (the clause for [ _ ] ) which sends 𝑅 -related elements of 𝐴 to equal results (theclause for eq / ), such that the image of the function is a set (the clause for squash / ). We thereforeobtain the universal property of set quotients, which states that functions from 𝐴 / 𝑅 to a set areprecisely the functions out of 𝐴 that respect 𝑅 : setQuotUniversal : { R : A → A → Type} { B : Type} → isSet B → ( A / R → B ) ≃ ( Σ [ f ∈ ( A → B ) ] (( a b : A ) → R a b → f a ≡ f b )) If we additionally assume that R is a proposition-valued equivalence relation, then we can show(by propositional extensionality) that the set quotients are effective , in the sense that if [ 𝑎 ] ≡ [ 𝑏 ] then 𝑅 𝑎 𝑏 [Voevodsky 2015].
Example 2.2 (Rational numbers). In Cubical Agda , we can define rational numbers Q (below, left)as pairs of integers and nonzero natural numbers, set quotiented by equality of cross multiplication.Contrast this with the standard type-theoretic definition of rational numbers Q ’ (below, right) aspairs of coprime numbers [The Mathematical Components Team 2020, rat ]: _ ∼ _ : Z × N + → Z × N + → Type( a , b ) ∼ ( c , d ) = a ∗ N + d ≡ c ∗ N + b Q : Type Q = ( Z × N + ) / _ ∼ _ Q ’ : Type Q ’ = Σ [ (a , b) ∈ Z × N + ] (coprime (abs a ) b ) In essence, Q ’ represents rational numbers by choosing a normal-form representative of eachequivalence class; because these normal forms are unique, one avoids the need for quotients orsetoids. However, the tradeoff is that all operations on Q ’ must maintain the coprimality invariant—which can be prohibitively expensive in practice [Chyzak et al. 2014]—whereas operations on theset quotient Q are free to return any representative as their result.Many quotients, such as the untyped 𝜆 -calculus modulo 𝛽 -conversion, cannot be defined intype theory without HITs, as they lack a normal form representation. This can be addressed bypassing to setoids , which supplant the equality type in favor of an explicitly-given equivalencerelation for each type [Barthe et al. 2003]. Users of setoids must manually prove that operationsrespect these relations, which is laborious and can lead to subtle bugs: it was recently discoveredthat the algebraic hierarchy in Agda ’s standard library incorrectly allows a type of rings to beequipped with one setoid structure used by the addition and a different setoid structure used bythe multiplication. The structure identity principle (SIP) is the informal principle that properties of mathematicalstructures should be invariant under isomorphisms of such structures. Making this precise requirescommitting to a notion of structure; consequently, different formalizations of the SIP are possible,varying in how structures are represented as well as in their scope and generality. The definitionwe present is a slight reformulation of one given by Escardó [2019]; ours differs by phrasing thecondition in terms of dependent paths, which are particularly convenient in Cubical Type Theory.
We begin by defining what we mean by a structure; for us, structures are defined over a carriertype and are equipped with a notion of structure-preserving equivalence. Then, we single out the https://lists.chalmers.se/pipermail/agda/2020/012009.htmlProc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:11 structures (with their equivalences) that are well-behaved enough for the SIP to apply, which wecall univalent structures. The basic definitions closely follow Escardó’s account.A structure is a function 𝑆 : Type → Type . The type of 𝑆 -structures is defined as follows. TypeWithStr S = Σ [ X ∈ Type ] (
S X ) A notion of 𝑆 - structure-preserving equivalences is a term 𝜄 : StrEquiv 𝑆 , where StrEquiv S = ( A B : TypeWithStr S ) → fst A ≃ fst B → Type
Given two 𝑆 -structures 𝐴 𝐵 : TypeWithStr 𝑆 and an equivalence between the underlying types 𝑒 : fst 𝐴 ≃ fst 𝐵 , the type 𝜄 𝐴 𝐵 𝑒 is the type of proofs that 𝑒 is an 𝑆 - structure-preservingequivalence between 𝐴 and 𝐵 . The type of 𝑆 -structure-preserving equivalences (henceforth, 𝑆 - structured equivalences ) between 𝐴 and 𝐵 is then given by A ≃ [ 𝜄 ] B = Σ [ e ∈ fst A ≃ fst B ] ( 𝜄 A B e ) We say that ( 𝑆, 𝜄 ) defines a univalent structure if we have a term of the following type. UnivalentStr S 𝜄 = { A B : TypeWithStr S } ( e : fst A ≃ fst B ) → ( 𝜄 A B e ) ≃ PathP ( 𝜆 i → S (ua e i )) (snd A ) (snd B ) A univalent structure is a pair ( 𝑆, 𝜄 ) which satisfies the SIP. Our definition is equivalent toEscardó’s standard notion of structure , but interacts better with cubical machinery.Theorem 3.1 (SIP). For 𝑆 : Type → Type and 𝜄 : StrEquiv 𝑆 , we have a term SIP : UnivalentStr S 𝜄 → ( A B : TypeWithStr S ) → ( A ≃ [ 𝜄 ] B ) ≃ ( A ≡ B ) Proof. Suppose 𝜃 : UnivalentStr
𝑆 𝜄 , and let
𝐴 𝐵 : TypeWithStr 𝑆 . By applying Σ Path ≃ Path Σ on the right, we reduce the goal to the following. Σ [ 𝑒 ∈ fst 𝐴 ≃ fst 𝐵 ] ( 𝜄 𝐴 𝐵 𝑒 ) ≃ Σ [ 𝑝 ∈ fst 𝐴 ≡ fst 𝐵 ] ( PathP ( 𝜆 𝑖 → 𝑆 ( 𝑝 𝑖 )) ( snd 𝐴 ) ( snd 𝐵 )) The first components are equivalent by univalence, while the input 𝜃 is a proof that the secondcomponents are equivalent over the first equivalence. It is straightforward to check that any pair ofequivalences 𝑒 𝑋 : 𝑋 ≃ 𝑋 ′ and 𝑒 𝑌 : ( 𝑥 : 𝑋 ) → 𝑌 𝑥 ≃ 𝑌 ′ ( equivFun 𝑒 𝑋 𝑥 ) gives rise to an equivalence Σ [ 𝑥 ∈ 𝑋 ] ( 𝑌 𝑥 ) ≃ Σ [ 𝑥 ′ ∈ 𝑋 ′ ] ( 𝑌 ′ 𝑥 ′ ) ; applying this lemma concludes the proof. □ Writing the underlying map of this equivalence explicitly, we have the following. sip : A ≃ [ 𝜄 ] B → A ≡ B sip ( e , p ) i = (ua e i , equivFun ( 𝜃 e ) p i ) The
SIP itself is thus a nearly trivial consequence of the definition of univalent structure. Thework, then, is in equipping structures with useful definitions of structured equivalence that satisfy
UnivalentStr . (Note that there is always a distinctly useless definition of structured equivalence forany structure 𝑆 : 𝜄 𝐴 𝐵 𝑒 = PathP ( 𝜆 𝑖 → 𝑆 ( 𝑝 𝑖 )) ( snd 𝐴 ) ( snd 𝐵 ) , which is trivially univalent.) Inthe following, we show how this can be done systematically and with support by automation. Axioms.
A structure can typically be separated into two main components: a raw structure consisting of operations on the carrier type, and propositional axioms (often in the form of equations)governing the behavior of the raw structural components. As observed by Escardó [2019], the lattercan be ignored for the purpose of defining structured equivalences.
Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :12 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner
Definition 3.2.
Let 𝑆 : Type → Type be a structure and 𝜄 : StrEquiv 𝑆 . Suppose we have axiomson 𝑆 -structures in the form of a predicate 𝑎𝑥 : TypeWithStr 𝑆 → Type . We then define
AxiomsStr
S ax X = Σ [ s ∈ S X ] ( ax ( X , s ))AxiomsEquivStr 𝜄 ax ( X , s , _) ( Y , t , _) e = 𝜄 ( X , s ) ( Y , t ) e Lemma 3.3.
Let 𝑆 , 𝜄 , and ax be as above, and assume that ax is proposition-valued. Given some 𝜃 : UnivalentStr
𝑆 𝜄 , we have
UnivalentStr ( AxiomsStr 𝑆 ax ) ( AxiomsEquivStr 𝜄 ax ) . Proof. Let ( 𝑋 , 𝑠 , 𝑎 ) and ( 𝑌 , 𝑡 , 𝑏 ) : TypeWithStr ( AxiomsStr 𝑆 ax ) and 𝑒 : 𝑋 ≃ 𝑌 . By 𝜃 𝑒 and thedefinition of AxiomsEquivStr , AxiomsEquivStr 𝜄 ( 𝑋 , 𝑠 , 𝑎 ) (
𝑌 , 𝑡 , 𝑏 ) is equivalent to PathP ( 𝜆 𝑖 → 𝑆 ( ua 𝑒 𝑖 )) 𝑠 𝑡 . To see that this is equivalent to PathP ( 𝜆 𝑖 → AxiomsStr 𝑆 ( ua 𝑒 𝑖 )) ( 𝑠 , 𝑎 ) ( 𝑡 , 𝑏 ) , notethat by Σ Path ≃ Path Σ , the latter is equivalent to the following Σ -type: Σ [ 𝑝 ∈ PathP ( 𝜆 𝑖 → 𝑆 ( ua 𝑒 𝑖 )) 𝑠 𝑡 ] ( PathP ( 𝜆 𝑖 → ax ( ua 𝑒 𝑖 , 𝑝 𝑖 )) 𝑎 𝑏 ) Because we have assumed ax ( ua 𝑒 𝑖 , 𝑝 𝑖 ) is a proposition, the second component is contractible,and so the Σ -type is equivalent to its first component as needed. □ We can use the SIP to transport proofs of axioms between equivalent raw structures to obtainequivalent structures-with-axioms.Corollary 3.4 (Induced Structures).
Let 𝑆 , 𝜄 and ax be as above, and 𝜃 : UnivalentStr
𝑆 𝜄 .Suppose we have ( 𝑋 , 𝑠 , 𝑎 ) : TypeWithStr ( AxiomsStr 𝑆 ax ) and ( 𝑌 , 𝑡 ) : TypeWithStr 𝑆 and astructured equivalence 𝑒 : ( 𝑋 , 𝑠 ) ≃ [ 𝜄 ] ( 𝑌 , 𝑡 ) . Then there exists 𝑏 : ax ( 𝑌 , 𝑡 ) with ( 𝑋 , 𝑠 , 𝑎 ) ≡ (
𝑌 , 𝑡 , 𝑏 ) . Proof. Set 𝑏 = subst ax ( sip 𝑒 ) 𝑎 ; recall that sip 𝑒 : ( 𝑋 , 𝑠 ) ≡ (
𝑌 , 𝑡 ) , so 𝑏 has type ax ( 𝑌 , 𝑡 ) . Itfollows by definition that 𝑒 : ( 𝑋 , 𝑠 , 𝑎 ) ≃ [ AxiomsEquivStr 𝜄 ax ] ( 𝑌 , 𝑡 , 𝑏 ) , from which we get thedesired path by applying sip once more. □ Before we show how to build raw structures, we first illustrate the utility of the above lemmas.
Example 3.5 (Monoids).
We say that 𝑋 supports a raw monoid structure when it has a distin-guished neutral element 𝜀 and a binary operation _ · _: RawMonoidStructure X = X × ( X → X → X ) A raw monoid is simply a type equipped with a raw monoid structure:
RawMonoid = TypeWith-Str RawMonoidStructure . A (fully-cooked) monoid structure is a raw monoid structure whoseunderlying type is a set, and whose binary operation is unital and associative:
MonoidAxioms : RawMonoid → TypeMonoidAxioms ( X , 𝜀 , _·_ ) = (isSet X )× ( ∀ x y z → x · ( y · z ) ≡ ( x · y ) · z )× ( ∀ x → ( x · 𝜀 ≡ x ) × ( 𝜀 · x ≡ x ))MonoidStructure X = Σ [ ( 𝜀 , _·_) ∈ RawMonoidStructure X ] (MonoidAxioms ( X , 𝜀 , _·_ )) The type of monoids is thus
Monoid = TypeWithStr MonoidStructure . A structured equivalenceof monoids is a monoid isomorphism in the usual sense: an equivalence that commutes with themonoid operations.
MonoidEquiv : (
M N : Monoid) → fst M ≃ fst N → TypeMonoidEquiv (_ , ( 𝜀 𝑀 , _·_ ) , _) (_ , ( 𝜀 𝑁 , _ ∗ _ ) , _) ( 𝜑 , _) = ( 𝜑 𝜀 𝑀 ≡ 𝜀 𝑁 )× ( ∀ x y → 𝜑 ( x · y ) ≡ ( 𝜑 x ) ∗ ( 𝜑 y )) Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:13
It is now easy to see that the monoid axioms are all proposition-valued: the first axiom requiresthe carrier type to be a set, which forces the equations to be propositions. In order to apply theSIP to monoids, it remains only to check that
RawMonoidStructure is a
UnivalentStr . Proving thisby hand is not so easy, but rather than proving it directly, we will build it up from elementarycombinators in a way that preserves
UnivalentStr . Having dealt with axioms, we now define a collection of combinators from which we can build rawstructures, their structured equivalences, and proofs they are univalent. We currently support:
Structures
𝑆 𝑋,𝑇 𝑋 (cid:66) 𝑋 | 𝐴 | 𝑆 𝑋 × 𝑇 𝑋 | 𝑆 𝑋 → 𝑇 𝑋 | Maybe ( 𝑆 𝑋 ) The raw fragment of all structures considered in this paper can be built using the above grammar.(Of course,
Maybe is just one of many inductive types we could consider.)
Constant and pointed structures.
Our two base cases are the constant structure 𝜆 _ → 𝐴 andthe pointed structure 𝜆 𝑋 → 𝑋 . Given ( 𝑋 , 𝑎 ) (
𝑌 , 𝑎 ′ ) : TypeWithStr ( 𝜆 _ → 𝐴 ) , an equivalence 𝑒 : 𝑋 ≃ 𝑌 is structured when we have a path 𝑎 ≡ 𝑎 ′ ; this is trivially univalent. For ( 𝑋 , 𝑥 ) (
𝑌 , 𝑦 ) : TypeWithStr ( 𝜆 𝑋 → 𝑋 ) , 𝑒 : 𝑋 ≃ 𝑌 is structured when equivFun 𝑒 𝑥 ≡ 𝑦 , i.e., the chosen elementsare related by the equivalence. Univalence of the pointed structure is a consequence of ua 𝛽 . Product structures.
We define the product structure of two structures equipped with notions ofstructured equivalence ( 𝑆 , 𝜄 ) and ( 𝑆 , 𝜄 ) , as follows: ProductStructure S S X = S X × S X ProductEquivStr 𝜄 𝜄 ( X , s , s ) ( Y , t , t ) e = 𝜄 ( X , s ) ( Y , t ) e × 𝜄 ( X , s ) ( Y , t ) e The product of
UnivalentStr uctures is univalent: productUnivalentStr : ( 𝜄 : StrEquiv S ) ( 𝜄 : StrEquiv S ) → UnivalentStr S 𝜄 → UnivalentStr S 𝜄 → UnivalentStr (ProductStructure S S ) (ProductEquivStr 𝜄 𝜄 ) The corresponding HoTT/UF-proof of Escardó [2019] uses the type-theoretic Yoneda lemma [Rijke2012, §2.8], but the nice interplay of Σ -types and dependent path types in Cubical Agda makes itsimple to construct the desired equivalence in the conclusion directly. productUnivalentStr _ _ 𝜃 𝜃 e = compEquiv ( Σ -cong-equiv ( 𝜃 e ) ( 𝜆 _ → 𝜃 e )) Σ Path ≃ Path Σ Here, the lemma Σ -cong-equiv with a non-dependent second argument gives an equivalence ofproducts from the equivalences on the projections 𝜃 𝑒 and 𝜃 𝑒 . Function structures.
We say that two ( 𝜆 𝑋 → 𝑆 𝑋 → 𝑇 𝑋 ) -structures 𝑓 and 𝑔 are related over 𝑒 when they take related 𝑆 -structures to related 𝑇 -structures: FunctionEquivStr : StrEquiv S → StrEquiv T → StrEquiv ( 𝜆 X → S X → T X )FunctionEquivStr 𝜄 𝜄 ( X , f ) ( Y , g ) e = ∀ { s t } → 𝜄 ( X , s ) ( Y , t ) e → 𝜄 ( X , f s ) ( Y , g t ) eMaybe structures. The definition of structured equivalence for 𝜆 𝑋 → Maybe ( 𝑆 𝑋 ) proceeds bycases on the pair of structures: MaybeEquivStr : StrEquiv S → StrEquiv ( 𝜆 X → Maybe (
S X ))MaybeEquivStr 𝜄 ( X , nothing) ( Y , nothing) e = UnitMaybeEquivStr 𝜄 ( X , nothing) ( Y , just x ) e = ⊥ Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :14 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner
MaybeEquivStr 𝜄 ( X , just x ) ( Y , nothing) e = ⊥ MaybeEquivStr 𝜄 ( X , just x ) ( Y , just y ) e = 𝜄 ( X , x ) ( Y , y ) eTransport structures. Although we have given a single definition for each type former thus far,we note that there is often more than one potentially useful definition of structured equivalencefor a given 𝑆 : Type → Type . For example, structured equivalences for 𝜆 𝑋 → Maybe 𝑋 can alsobe defined using the functorial action of Maybe as follows.
MaybeEquivStr’ : StrEquiv ( 𝜆 X → Maybe X )MaybeEquivStr’ ( X , s ) ( Y , t ) e = map-Maybe (equivFun e ) s ≡ t Indeed, this alternative definition is sometimes more convenient; we will use it (in slightly gen-eralized form) in Section 4.2. It belongs to a class of structured equivalence definitions that arisefrom a functorial action on equivalences (here, map-Maybe ) and which are captured by the SIP ofCoquand and Danielsson [2013]. We call these transport structures and define them as follows.
EquivAction : ( S : Type → Type) → Type EquivAction S = { X Y : Type} → X ≃ Y → S X ≃ S Y
TransportStr : { S : Type → Type} → EquivAction S → Type TransportStr { S } 𝛼 = { X Y : Type} ( e : X ≃ Y ) ( s : S X ) → equivFun ( 𝛼 e ) s ≡ subst S (ua e ) s Rather than a type of proofs that an equivalence is structured, we have an action by the structureon equivalences; this action is “correct” when it agrees with transport . (Coquand and Danielssonrequire only that equivFun ( 𝛼 ( idEquiv 𝑋 )) 𝑠 ≡ 𝑠 , but univalence implies that this is equivalent toour definition.) Any such action gives rise to a notion of structured equivalence defined as follows. EquivAction → StrEquiv : EquivAction S → StrEquiv S EquivAction → StrEquiv 𝛼 ( X , s ) ( Y , t ) e = equivFun ( 𝛼 e ) s ≡ t When we have an element of
TransportStr 𝛼 , this notion of structured equivalence is univalent. Infact, TransportStr 𝛼 and UnivalentStr ( EquivAction → StrEquiv 𝛼 ) are equivalent conditions. Note,however, that an element of StrEquiv 𝑆 does not induce an element of EquivAction 𝑆 in any usefulway; thus our primary definition of structure is the more permissive of the two, although transportstructures are also closed under the grammar at the head of this section.Transport structures are particularly convenient when we define structures on function types. Ifwe have an action on the domain, however, we can give a more convenient definition as follows. FunctionEquivStr+ : EquivAction S → StrEquiv T → StrEquiv ( 𝜆 X → S X → T X )FunctionEquivStr+ 𝛼 𝜄 ( X , f ) ( Y , g ) e = ∀ s → 𝜄 ( X , f s ) ( Y , g (equivFun ( 𝛼 e ) s )) eExample 3.6 (Monoids revisited). By Lemma 3.3, to prove the SIP for monoids it remains onlyto show that
RawMonoidEquiv is univalent, which we are now ready to do in a systematic way.First, observe that pointed and binary operation structures 𝜆 𝑋 → 𝑋 and 𝜆 𝑋 → ( 𝑋 → 𝑋 → 𝑋 ) are univalent with their canonical notions of structured equivalence. This is immediate for pointedstructures; for binary operations, we obtain the result by applying FunctionEquivStr+ twice to thepointed structure. Finally, we take the product of these two structures to see that
RawMonoidEquiv defines a univalent structure. Putting everything together, we get the desired SIP for monoids:
MonoidPath : (
M N : Monoid) → ( M ≃ [ MonoidEquiv ] N ) ≃ ( M ≡ N )MonoidPath = SIP monoidUnivalentStr Let us now illustrate the utility of Corollary 3.4. Given 𝑀 : Monoid and 𝑁 : RawMonoid anda
RawMonoidEquiv between 𝑁 and the underlying RawMonoid of 𝑀 , Corollary 3.4 allows us Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:15 to transport the axioms from 𝑀 to 𝑁 so that we obtain an induced 𝑁 ′ : Monoid with 𝑀 ≡ 𝑁 ′ .Specialized to the case of unary and binary numbers, called N and Bin in agda/cubical [Vezzosiet al. 2019, Section 2.1], we could show that these types are equal Monoid s by proving only that ( , +) is a monoid on N , and defining + Bin such that the function underlying the N ≃ Bin equivalenceis a monoid homomorphism. By definition, N → Bin sends to bin0 , so we only have to show that ( 𝑥 𝑦 : N ) → N → Bin ( 𝑥 + 𝑦 ) ≡ ( N → Bin 𝑥 ) + Bin ( N → Bin 𝑦 ) which can be readily achieved by N -induction. Therefore, we can transport the theory of naturalnumbers from N to Bin without doing any proofs by
Bin -induction. This is similar to
CoqEAL ,in which such morphism lemmas were used to ensure that all proofs could be completed onproof-oriented types while computation-oriented types were only used for programming, therebyachieving a clear separation of concerns [Dijkstra 1974].Example 3.6 suggests that other algebraic structures can be treated similarly; indeed, the sameproof strategy applies directly to more complex structures like groups and rings. In fact, theseproofs are so uniform that we can automate them.
Automation.
Using
Agda ’s reflection mechanism, we have defined tactics for automatically gen-erating definitions of structured equivalence and proofs they are univalent. For instance, the macro
AutoEquivStr ( 𝜆 ( 𝑋 : Type ) → 𝑋 × ( 𝑋 → 𝑋 → 𝑋 )) generates a definition of structured equiva-lence for raw monoid structures, while autoUnivalentStr ( 𝜆 ( 𝑋 : Type ) → 𝑋 × ( 𝑋 → 𝑋 → 𝑋 )) produces a proof that the definition is univalent. Our tactics opt for transport structures in thedomain of a function type and univalent structures otherwise, but we allow annotations to overridethe default choice; for example, the following definition of equivalence for a queue data structurewill use the transport structure for the codomain of the final function. RawQueueEquivStr =AutoEquivStr ( 𝜆 ( X : Type) → X × ( A → X → X ) × ( X → Transp[ Maybe ( X × A ) ])) Given such a definition, the macro
AutoStructure removes annotations to produce the actualstructure definition, in this case 𝜆 ( 𝑋 : Type ) → 𝑋 × ( 𝐴 → 𝑋 → 𝑋 ) × ( 𝑋 → Maybe ( 𝑋 × 𝐴 )) . Before showing how to generalize the SIP to relational correspondences, we first show how touse the SIP to obtain representation independence results of interest to programmers. First, weconsider two representations of matrices: as functions out of a finite set of indices, which arewell-suited to proofs, and as vectors, which are well-suited to computations. Then, we revisit thequeue example from the introduction, and show how to achieve representation independencethrough a combination of set quotients and the SIP.
Matrices are a standard example in which dependent types can ensure the well-definedness ofoperations such as multiplication. We can achieve this in
Agda with length-indexed lists, or vectors: data Vec ( A : Type) : N → Type where[] : Vec A zero_ :: _ : ∀ { n } ( x : A ) ( xs : Vec A n ) → Vec A (suc n )VecMatrix : ( A : Type) ( m n : N ) → TypeVecMatrix
A m n = Vec (Vec
A n ) m Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :16 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner
We can define operations on vectors such as map , replicate , addition, and multiplication in theusual way. Unfortunately, this type is ill-suited for proofs, because one must perform inductionsthat match the structure of the functions one has written: it is quite difficult, for example, to provethat matrix addition addVecMatrix is commutative. Ideally, one would prefer to reason about matrixaddition in a pointwise fashion, in which commutativity is trivial. We therefore consider a secondimplementation better-suited to such reasoning: data Fin : N → Type wherezero : { n : N } → Fin (suc n )suc : { n : N } ( i : Fin n ) → Fin (suc n )FinMatrix : ( A : Type) ( m n : N ) → TypeFinMatrix
A m n = Fin m → Fin n → A If we now fix natural numbers m and n and assume G is an additive abelian group, it is trivial todefine matrix addition and prove it commutative by function extensionality: addFinMatrix : FinMatrix G m n → FinMatrix G m n → FinMatrix G m n addFinMatrix
M N i j = M i j + N i j addFinMatrixComm : (
M N : FinMatrix G m n ) → addFinMatrix M N ≡ addFinMatrix N M addFinMatrixComm
M N i k l = comm (
M k l ) (
N k l ) i Similarly, we can easily define the zero matrix and negation of matrices, and prove that these forman abelian group. In the absence of function extensionality, these results are typically stated usingsetoids, which complicates the proofs [Wood 2019]. Alternatively,
MathComp [The MathematicalComponents Team 2020] encodes matrices by the graphs of their indexing functions, which makesproofs simpler without relying on setoids, but requires a lot of additional theory that is trivializedby using functions directly.Although
FinMatrix is convenient for proofs, it is less natural for computations than
VecMatrix .Consider the following integer matrices:
M : FinMatrix Z i j = if i == j then 1 else 0 N : FinMatrix Z i j = if i == j then 0 else 1 Because if does not compute on variables, addFinMatrix M N ≡ ( 𝜆 _ _ → ) does not hold by refl .In a VecMatrix representation, however, the analogous equation does follow from computation(i.e., by refl ). Luckily, we can define functions between the two representations and prove that theyform an equivalence using funExt , which we can transform into a path by ua : FinMatrix ≡ VecMatrix : ( A : Type) ( m n : N ) → FinMatrix
A m n ≡ VecMatrix
A m n
FinMatrix ≡ VecMatrix
A m n = ua (FinMatrix ≃ VecMatrix
A m n ) Using this equivalence, we can easily obtain the aforementioned equation in
FinMatrix bytransferring the analogous equation in
VecMatrix : _ : addFinMatrix M N ≡ ( 𝜆 _ _ → ≃ VecMatrix Z The replaceGoal lemma takes an equivalence 𝑒 and transforms a goal of the form 𝑥 ≡ 𝑦 into 𝑒 − ( 𝑒 𝑥 ) ≡ 𝑒 − ( 𝑒 𝑦 ) , then discharges the former with a proof of the latter. Here, the latter proof is refl as addFinMatrix M N and ( 𝜆 _ _ → ) are mapped to definitionally-equal VecMatrix es.We could in fact transport the entire abelian group structure on
FinMatrix to VecMatrix alongthis equivalence, but the operations obtained this way are very naive: for example, the transported
Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:17 addition on
VecMatrix converts both arguments to
FinMatrix , adds them with addFinMatrix , thenconverts them back to
VecMatrix . What we instead want is an abelian group structure on
VecMatrix whose addition is given by addVecMatrix . We can achieve this using the SIP.Using the tactics discussed in Section 3, we can automatically obtain a univalent definition ofstructured equivalence for abelian groups. By Corollary 3.4, we must only show that the functionunderlying
FinMatrix ≃ VecMatrix sends addFinMatrix to addVecMatrix . As FinMatrix is well-suitedfor proofs this poses no difficulties, and so we obtain an induced and equal abelian group structureon
VecMatrix whose addition operation is addVecMatrix . Using the equality between abeliangroups, we can now transport both proofs and programs between the two representations.
Thus far, our examples of the SIP have involved equivalent structured types; now, we turn to ouroriginal example of two non-equivalent implementations of
Queue s. Fix a set 𝐴 . Then a raw queuestructure consists of an empty queue and enqueue / dequeue functions: RawQueueStructure : Type → TypeRawQueueStructure X = X × ( A → X → X ) × ( X → Maybe ( X × A )) We add some axioms specifying how these operations should behave: that Q is a set, that dequeue of the empty queue is nothing , and what happens if we dequeue after enqueue : dequeueEnqueueAxiom Q ( empty , enqueue , dequeue ) = ∀ a q → dequeue ( enqueue a q ) ≡ just (returnOrEnq a ( dequeue q ))wherereturnOrEnq : A → Maybe ( Q × A ) → Q × A returnOrEnq a nothing = ( empty , a )returnOrEnq a (just ( q , b )) = ( enqueue a q , b ) These axioms form a proposition because we have assumed Q is a set. As in Section 3.2, weautomate the construction of a univalent raw queue structure, then add our axioms to obtain aunivalent QueueStructure . The
ListQueue implementation from Section 1 clearly satisfies our queueaxioms and therefore admits a
QueueStructure . Then every
BatchedQueue (a pair
List 𝐴 × List 𝐴 )corresponds to a single ListQueue computed by appendReverse (the function sending ( xs , ys ) to ( xs ++ reverse ys ) ), but this function is not an isomorphism: multiple BatchedQueue s are sent tothe same
ListQueue . Worse yet,
BatchedQueue is not even an instance of
QueueStructure , as it failsto satisfy dequeueEnqueueAxiom : we have dequeue ( enqueue 𝑐 ([ 𝑏 , 𝑎 ] , [])) ≡ just (([] , [ 𝑏 , 𝑐 ]) , 𝑎 ) but just ( returnOrEnq 𝑐 ( dequeue ([ 𝑏 , 𝑎 ] , []))) ≡ just (([ 𝑐 ] , [ 𝑏 ]) , 𝑎 ) .We can resolve both of these problems by identifying any two BatchedQueue s sent to the samelist by appendReverse , which we can do either with a set quotient, or equivalently with the HIT: data BatchedQueueHIT : Type whereQ ⟨ _,_ ⟩ : List A → List A → BatchedQueueHITtilt : ∀ xs ys a → Q ⟨ xs ++ [ a ] , ys ⟩ ≡ Q ⟨ xs , ys ++ [ a ] ⟩ squash : isSet BatchedQueueHIT We equip
BatchedQueueHIT with a
QueueStructure as follows. The empty queue is Q ⟨[] , []⟩ ,and we can define enqueue and dequeue functions that respect the tilt constructor using helperfunctions similar to fastcheck . The tilt constructor allows us to shift elements between the ends ofthe two lists back and forth, thus ensuring that any two BatchedQueueHIT s corresponding to thesame
ListQueue are identified. In particular, appendReverse can then be extended to an equivalence
BatchedQueueHIT ≃ List 𝐴 which is moreover structure-preserving, giving an induced raw queue Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :18 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner structure on
BatchedQueueHIT . We may now apply the SIP to transfer the axioms satisfied by
ListQueue to the quotiented
BatchedQueue operations.
In the queue case study above, we improve a structured relation between implementations (generatedby appendReverse ) to a structured equivalence by considering a quotient of one of the implementa-tions. In this section, we prove that a generalization of this technique is always applicable as soonas we have what we call a quasi–equivalence relation (QER) . Because we will use set quotients, it is natural (and ultimately necessary) to restrict our attentionto proposition-valued relations, i.e., 𝑅 : 𝑋 → 𝑌 → Type such that each
𝑅 𝑥 𝑦 is a proposition.Lemma 5.1.
We have the following operations on prop-valued relations: • For any prop-valued 𝑅 : 𝑋 → 𝑌 → Type , the inverse relation 𝑅 − is also prop-valued. • The identity prop-valued relation on 𝑋 is the truncated path type: IdRel
𝑋 𝑥 𝑥 = ∥ 𝑥 ≡ 𝑥 ∥ . • Given two prop-valued relations 𝑅 : 𝑋 → 𝑌 → Type and 𝑆 : 𝑌 → 𝑍 → Type , we define theirprop-valued composite 𝑅 · 𝑆 using truncation: ( 𝑅 · 𝑆 ) 𝑥 𝑧 = ∥ Σ [ 𝑦 ∈ 𝑌 ] 𝑅 𝑥 𝑦 × 𝑆 𝑦 𝑧 ∥ . • If 𝑓 : 𝑋 → 𝑌 where 𝑌 is a set, then its graph, ( graph 𝑓 ) 𝑥 𝑦 = ( 𝑓 𝑥 ≡ 𝑦 ) , is a prop-valuedrelation. In particular, if 𝑒 : 𝑋 ≃ 𝑌 , we define equivGraph 𝑒 = graph ( equivFun 𝑒 ) .Definition 5.2. A prop-valued relation 𝑅 : 𝑋 → 𝑌 → Type is zigzag-complete when for any 𝑟 : 𝑅 𝑥 𝑦 , 𝑟 : 𝑅 𝑥 ′ 𝑦 , and 𝑟 : 𝑅 𝑥 ′ 𝑦 ′ , we have 𝑅 𝑥 𝑦 ′ . This property can be visualized as follows: 𝑥𝑥 ′ 𝑦𝑦 ′ Zigzag-complete relations, also known as quasi-PERs or QPERs [Krishnaswami and Dreyer 2013],are a heterogeneous analogue of partial equivalence relations (PERs). A zigzag-complete relation 𝑅 : 𝑋 → 𝑌 → Type expresses a partial correspondence between elements of 𝑋 and elements of 𝑌 ; intuitively, if 𝑥 corresponds to 𝑦 , 𝑥 ′ corresponds to 𝑦 , and 𝑥 ′ corresponds to 𝑦 ′ , then 𝑥 shouldalso correspond to 𝑦 ′ . Note that a QPER induces a PER on each of the two types: 𝑅 · 𝑅 − on 𝑋 and 𝑅 − · 𝑅 on 𝑌 . We henceforth denote these two relations 𝑅 ← and 𝑅 → respectively. In fact, 𝑅 is zigzag-complete exactly when 𝑅 ← and 𝑅 → are PERs. In our setting, we require such a partialcorrespondence to be total by additionally asking for truncated choice functions in either direction. Definition 5.3.
A zigzag-complete relation 𝑅 : 𝑋 → 𝑌 → Type is a quasi–equivalence relation(QER) when there are functions ( 𝑥 : 𝑋 ) → ∥ Σ [ 𝑦 ∈ 𝑌 ] 𝑅 𝑥 𝑦 ∥ and ( 𝑦 : 𝑌 ) → ∥ Σ [ 𝑥 ∈ 𝑋 ] 𝑅 𝑥 𝑦 ∥ .As with QPERs, 𝑅 is a QER if and only if 𝑅 ← and 𝑅 → are equivalence relations. Moreover, thetruncated choice functions induce an equivalence between the set quotients 𝑋 / 𝑅 ← and 𝑌 / 𝑅 → .Lemma 5.4. Given a QER 𝑅 , there is an equivalence 𝑒 : 𝑋 / 𝑅 ← ≃ 𝑌 / 𝑅 → such that for every 𝑥 : 𝑋 and 𝑦 : 𝑌 , we have equivFun 𝑒 [ 𝑥 ] ≡ [ 𝑦 ] if and only if 𝑅 𝑥 𝑦 . Proof. Consider first the forward map, 𝑋 / 𝑅 ← → 𝑌 / 𝑅 → . Observe that for every 𝑥 : 𝑋 , we havea map [ _ ] ◦ fst : ( Σ [ 𝑦 ∈ 𝑌 ] 𝑅 𝑥 𝑦 ) → 𝑌 / 𝑅 → . Moreover, this map is constant : given 𝑦 𝑦 ′ : 𝐴 with 𝑅 𝑥 𝑦 and
𝑅 𝑥 𝑦 ′ , we have [ 𝑦 ] ≡ [ 𝑦 ′ ] by definition of the quotient. It therefore factors throughthe propositional truncation [Kraus et al. 2017], giving 𝑓 𝑥 : ∥ Σ [ 𝑦 ∈ 𝑌 ] 𝑅 𝑥 𝑦 ∥ → 𝑌 / 𝑅 → such that 𝑓 𝑥 ◦ [ _ ] ≡ [ _ ] ◦ fst . We precompose with the provided choice function ( 𝑥 : 𝑋 ) → ∥ Σ [ 𝑦 ∈ 𝑌 ] 𝑅 𝑥 𝑦 ∥ Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:19 to get a map 𝑋 → 𝑌 / 𝑅 → . To show that this map factors through 𝑋 / 𝑅 ← , it is enough to checkthat for every 𝑥 𝑥 ′ : 𝑋 with 𝑅 ← 𝑥 𝑥 ′ and 𝑦 𝑦 ′ : 𝐴 with 𝑅 𝑥 𝑦 and
𝑅 𝑥 ′ 𝑦 ′ , we have [ 𝑦 ] ≡ [ 𝑦 ′ ] . Thisfollows by composing the relational witnesses and applying eq / , using that 𝑅 is zigzag-complete.Thus we have a map 𝑋 / 𝑅 ← → 𝑌 / 𝑅 → ; the candidate inverse is constructed in the same way.The two inverse conditions are propositions, so it suffices to check that they hold on inputs ofthe form [ 𝑥 ] and [ 𝑦 ] respectively, which is a straightforward consequence of the definitions. Thebi-implication between equivFun 𝑒 [ 𝑥 ] ≡ [ 𝑦 ] and 𝑅 𝑥 𝑦 is also a straightforward calculation; theforward direction uses effectivity of set quotients by equivalence relations [Voevodsky 2015]. □ Example 5.5 (Finite multisets).
We say that 𝑋 is a type of finite multisets (bags) over 𝐴 if it has anempty multiset 𝑋 , and functions for insertion 𝐴 → 𝑋 → 𝑋 , union 𝑋 → 𝑋 → 𝑋 , and multiplicity 𝐴 → 𝑋 → N . We can include axioms as well, but for the moment we focus on the raw structure;for simplicity, we also assume that 𝐴 has decidable equality. We consider two implementations:lists ( List 𝐴 ) and association lists ( AssocList 𝐴 = List ( 𝐴 × N ) ), where in the latter case each elementis tagged with a multiplicity. Both implementations take the empty list [] as the empty multiset;the remaining operations are defined as follows: addIfEq : ( a x : A ) → N → N → N addIfEq a x m n =if a == x then m + n else n module L whereinsert : A → List A → List A insert x xs = x :: xs union : List A → List A → List A union xs ys = xs ++ ys count : A → List A → N count a [] = 0count a ( x :: xs ) =addIfEq a x a xs ) insert* : N → A → AssocList A → AssocList A insert* m a [] = ( a , m ) :: []insert* m a (( y , n ) :: ys ) =if a == y then ( y , m + n ) :: ys else ( y , n ) :: insert* m a ys module AL whereinsert : A → AssocList A → AssocList A insert = insert* 1union : AssocList A → AssocList A → AssocList A union [] ys = ys union (( x , n ) :: xs ) ys = insert* n x (union xs ys )count : A → AssocList A → N count a [] = 0count a (( x , n ) :: ys ) = addIfEq a x n (count a ys ) Note that neither implementation satisfies many of the “extensional” laws we expect of multisets,such as insert 𝑎 ( insert 𝑎 ′ 𝑥𝑠 ) ≡ insert 𝑎 ′ ( insert 𝑎 𝑥𝑠 ) . We now define a QER between List 𝐴 and AssocList 𝐴 , identifying multisets that assign the same multiplicity to each element of 𝐴 . R : List A → AssocList A → TypeR xs ys = ( a : A ) → L.count a xs ≡ AL.count a ys
This relation is prop-valued because N is a set, and is zigzag-complete by transitivity andsymmetry of ≡ . We define functions in both directions using the implementations’ insert functions. 𝜑 : List A → AssocList A 𝜑 [] = [] 𝜑 ( x :: xs ) = AL.insert x ( 𝜑 xs ) 𝜓 : AssocList A → List A 𝜓 [] = [] 𝜓 (( x , 0) :: ys ) = 𝜓 ys 𝜓 (( x , suc n ) :: ys ) = L.insert x ( 𝜓 (( x , n ) :: ys )) Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :20 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner
Finally, proving ∀ 𝑥𝑠 → R 𝑥𝑠 ( 𝜑 𝑥𝑠 ) and ∀ 𝑦𝑠 → R ( 𝜓 𝑦𝑠 ) 𝑦𝑠 takes a bit more work, but theintuition is that these functions preserve the count of each element of 𝐴 . Note that the two derivedequivalence relations R ← and R → also wind up identifying multisets on either side precisely whenthey assign the same multiplicity to each element of 𝐴 . By Lemma 5.4, we have an equivalencebetween List 𝐴 and AssocList 𝐴 after quotienting by these relations on either side. We now generalize to structured relations and equivalences, defining a condition on notionsof structured relation such that any structured QER induces a structured equivalence betweenquotients. First, as with structured equivalences, a candidate notion of structured relation for astructure 𝑆 assigns, for each relation 𝑅 on types 𝑋 and 𝑌 and structures 𝑠 : 𝑆 𝑋 , 𝑡 : 𝑆 𝑌 , a type ofwitnesses that the relation is structured:
StrRel : ( S : Type → Type) → Type StrRel S = { X Y : Type} → ( X → Y → Type) → ( S X → S Y → Type) (For simplicity, we do not require the input relation to be prop-valued, but our correctnessconditions will only constrain behavior on prop-valued relations.) We now identify a correctnesscondition on notions of structured relations.
Definition 5.6.
A candidate 𝜌 : StrRel 𝑆 is suitable when the following hold:(1) Set- and prop-preservation: If 𝑋 is a set, then 𝑆 𝑋 is a set. If 𝑅 is a prop-valued-relation, then 𝜌 𝑅 is a prop-valued relation.(2) Symmetry:
For any prop-valued relation 𝑅 , if ( 𝜌 𝑅 ) 𝑠 𝑡 , then ( 𝜌 ( 𝑅 − )) 𝑡 𝑠 .(3) Transitivity:
For any prop-valued relations
𝑅, 𝑅 ′ , if ( 𝜌 𝑅 ) 𝑠 𝑡 and ( 𝜌 𝑅 ′ ) 𝑡 𝑢 , then ( 𝜌 𝑅 · 𝑅 ′ ) 𝑠 𝑢 .(4) Descent to quotients: If 𝑅 : 𝑋 → 𝑋 → Type is a prop-valued equivalence relation and ( 𝜌 𝑅 ) 𝑠 𝑠 for some 𝑠 : 𝑆 𝑋 , then there is a unique 𝑠 : 𝑆 ( 𝑋 / 𝑅 ) such that we have some 𝑟 : 𝜌 ( graph [ _ ]) 𝑠 𝑠 ; that is, the type Σ [ 𝑠 ∈ 𝑆 ( 𝑋 / 𝑅 ) ] ( 𝜌 ( graph [ _ ]) 𝑠 𝑠 ) is contractible.Note that the condition of being suitable is a proposition. First, we check that these conditionsare sufficient for our original motivation: obtaining structured equivalences from structured QERs.Theorem 5.7. Let 𝜌 : StrRel 𝑆 be a suitable notion of structured relation, and let structured types ( 𝑋 , 𝑠 ) : TypeWithStr 𝑆 and ( 𝑌 , 𝑡 ) : TypeWithStr 𝑆 be given. For any QER 𝑅 : 𝑋 → 𝑌 → Type structured by some 𝑟 : ( 𝜌 𝑅 ) 𝑠 𝑡 , the following exist: (1) a structure 𝑠 : 𝑆 ( 𝑋 / 𝑅 ← ) with 𝜌 ( graph [ _ ]) 𝑠 𝑠 , (2) a structure 𝑡 : 𝑆 ( 𝑌 / 𝑅 → ) with 𝜌 ( graph [ _ ]) 𝑡 𝑡 , (3) an element of 𝜌 ( equivGraph 𝑒 ) 𝑠 𝑡 , where 𝑒 : 𝑋 / 𝑅 ← ≃ 𝑌 / 𝑅 → is the equivalence obtained byapplying Lemma 5.4.In other words, we have the dotted lines in the following picture, where the inner lines indicate relationsand each outer line indicates an element of 𝜌 over the inner relation. 𝑋𝑋 / 𝑅 ← 𝑌𝑌 / 𝑅 → 𝑅 [ _ ] [ _ ] 𝑒 ≃ 𝑠𝑠 𝑡𝑡𝑟 : ( 𝜌 𝑅 ) 𝑠 𝑡 ∃ ! ∃ ! Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:21
Proof. By symmetry and transitivity applied with 𝑟 , we have an element of ( 𝜌 𝑅 ← ) 𝑠 𝑠 . Bydescent to quotients, we thus obtain 𝑠 : 𝑆 ( 𝑋 / 𝑅 ← ) as above. We obtain 𝑡 analogously. From ( 𝜌 𝑅 ) 𝑠 𝑡 , 𝜌 ( graph [ _ ]) 𝑠 𝑠 , and 𝜌 ( graph [ _ ]) 𝑡 𝑡 , we get a proof of 𝜌 ( graph [ _ ] − · 𝑅 · graph [ _ ]) 𝑠 𝑡 bysymmetry and transitivity. We arrive at the final condition by checking that the composite relation ( graph [ _ ]) − · 𝑅 · graph [ _ ] is equal to equivGraph 𝑒 . □ If the restriction of 𝜌 to equivalences is moreover a univalent notion of structured equivalence,we obtain a path between ( 𝑋 / 𝑅 ← , 𝑠 ) and ( 𝑌 / 𝑅 → , 𝑡 ) as a corollary. Definition 5.8.
A notion of structured relation 𝜌 : StrRel 𝑆 is univalent when it is suitable and itsrestriction to equivalences, ( 𝜆 ( 𝑋 , 𝑠 ) (
𝑌 , 𝑡 ) 𝑒 → 𝜌 ( equivGraph 𝑒 ) 𝑠 𝑡 ) : StrEquiv 𝑆 , is univalent.As in Section 3, we can show that the collection of suitable and univalent relational structures isclosed under various type formers with reasonable definitions of structured relation. (Notably, theconstant structure 𝜆 _ → 𝐴 is only suitable when 𝐴 is a set.) Positive structures
𝑃 𝑋, 𝑄 𝑋 (cid:66) 𝑋 | 𝐴 | 𝑃 𝑋 × 𝑄 𝑋 | Maybe ( 𝑃 𝑋 ) Structures
𝑆 𝑋,𝑇 𝑋 (cid:66)
𝑃 𝑋 | 𝑆 𝑋 × 𝑇 𝑋 | 𝑃 𝑋 → 𝑆 𝑋 | Maybe ( 𝑆 𝑋 ) One major departure from the situation in Section 3 is that the suitable relation structures are not closed under function types in general, but only in restricted cases. We can see the issue byconsidering descent to quotients for the candidate structure 𝜆 𝑋 → ( 𝑋 → 𝑋 ) → 𝑋 . Given aninstance of this structure 𝑓 : ( 𝑋 → 𝑋 ) → 𝑋 and a QER 𝑅 : 𝑋 → 𝑋 → Type , we have no way ofobtaining an induced structure 𝑓 : ( 𝑋 / 𝑅 → 𝑋 / 𝑅 ) → 𝑋 / 𝑅 : at some point, we would need toextract maps 𝑋 → 𝑋 from maps 𝑋 / 𝑅 → 𝑋 / 𝑅 . Nevertheless, the function structure 𝑆 → 𝑇 is suitable when 𝑆 belongs to the restricted class of positive relation structures, which we define intwo steps as follows. Definition 5.9.
A candidate 𝜌 : StrRel 𝑆 acts on functions when the following hold:(1) For any 𝑓 : 𝑋 → 𝑋 , we have an action 𝑆 𝑓 : 𝑆 𝑋 → 𝑆 𝑋 with 𝑆 ( 𝜆 𝑥 → 𝑥 ) ≡ ( 𝜆 𝑠 → 𝑠 ) .(2) For any 𝑓 : 𝑋 → 𝑋 , 𝑔 : 𝑌 → 𝑌 , relations 𝑅 : 𝑋 → 𝑌 → Type and 𝑅 : 𝑋 → 𝑌 → Type ,and 𝛼 : ( 𝑥 : 𝑋 ) ( 𝑦 : 𝑌 ) → 𝑅 𝑥 𝑦 → 𝑅 ( 𝑓 𝑥 ) ( 𝑔 𝑦 ) , we have a map 𝜌 𝛼 : ( 𝑠 : 𝑆 𝑋 ) ( 𝑡 : 𝑆 𝑌 ) → ( 𝜌 𝑅 ) 𝑠 𝑡 → ( 𝜌 𝑅 ) ( 𝑆 𝑓 𝑠 ) (
𝑆 𝑔 𝑡 ) .Lemma 5.10. If 𝜌 : StrRel 𝑆 is suitable and acts on functions, then any prop-valued equivalencerelation 𝑅 : 𝑋 → 𝑋 → Type induces a map ( 𝑆 𝑋 ) / ( 𝜌 𝑅 ) → 𝑆 ( 𝑋 / 𝑅 ) . Proof. We have 𝑆 [ _ ] : 𝑆 𝑋 → 𝑆 ( 𝑋 / 𝑅 ) . The codomain is a set by set-preservation, so we justneed to show that 𝑆 [ _ ] 𝑥 ≡ 𝑆 [ _ ] 𝑥 whenever ( 𝜌 𝑅 ) 𝑥 𝑥 . To show this we use the uniquenesscondition for descent to quotients: it suffices to show that both 𝑆 [ _ ] 𝑥 and 𝑆 [ _ ] 𝑥 satisfy 𝜌 ( graph [ _ ]) 𝑥 . For the first, we start by deriving ( 𝜌 𝑅 ← ) 𝑥 𝑥 from ( 𝜌 𝑅 ) 𝑥 𝑥 using symmetryand transitivity. We have maps ( 𝜆 𝑥 → 𝑥 ) : 𝑋 → 𝑋 and [ _ ] : 𝑋 → 𝑋 / 𝑅 , and know that 𝑅 ← 𝑦 𝑦 ′ implies graph [ _ ] 𝑦 [ 𝑦 ′ ] for every 𝑦, 𝑦 ′ : 𝑋 . The action of 𝜌 on functions thus tells us that 𝜌 ( graph [ _ ]) ( 𝑆 ( 𝜆 𝑥 → 𝑥 ) 𝑥 ) ( 𝑆 [ _ ] 𝑥 ) and therefore 𝜌 ( graph [ _ ]) 𝑥 ( 𝑆 [ _ ] 𝑥 ) holds. Theproof of 𝜌 ( graph [ _ ]) 𝑥 ( 𝑆 [ _ ] 𝑥 ) proceeds similarly. □ Definition 5.11.
Let 𝜌 : StrRel 𝑆 be a suitable notion of relational structure that acts on functions.We say 𝜌 is positive when the following hold.(1) Reflexivity : For any 𝑋 : Type and 𝑠 : 𝑆 𝑋 , we have ( 𝜌 ( IdRel 𝑋 )) 𝑠 𝑠 .(2) Reverse transitivity : For any prop-valued relations 𝑅 : 𝑋 → 𝑌 → Type and 𝑅 ′ : 𝑌 → 𝑍 → Type and terms 𝑠 : 𝑆 𝑋 and 𝑡 : 𝑆 𝑍 , the map ( 𝜌 𝑅 · 𝜌 𝑅 ′ ) 𝑠 𝑡 → ( 𝜌 ( 𝑅 · 𝑅 ′ )) 𝑠 𝑡 supplied bytransitivity is an equivalence. Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :22 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner (3)
Quotients : For any prop-valued equivalence relation 𝑅 , the map ( 𝑆 𝑋 ) / ( 𝜌 𝑅 ) → 𝑆 ( 𝑋 / 𝑅 ) defined in Lemma 5.10 is an equivalence.These conditions are designed to validate the following result.Theorem 5.12. If 𝜌 : StrRel 𝑆 is a positive notion of relational structure and 𝜌 : StrRel 𝑆 is asuitable notion of relational structure, then the following is a suitable notion of relational structure. FunctionRelStr : StrRel ( 𝜆 X → S X → S X )FunctionRelStr R f g = ∀ { x y } → ( 𝜌 R ) x y → ( 𝜌 R ) ( f x ) ( g y ) Proof. The (formalized) proof is rather technical; here, we give just enough detail to pointout where the conditions in Definition 5.11 are used. Reflexivity and the quotient condition areboth used in the proof that
FunctionRelStr induces quotient structures. Given an equivalencerelation 𝑅 , we must be able to turn maps 𝑓 : 𝑆 𝑋 → 𝑆 𝑋 with FunctionRelStr
𝑅 𝑓 𝑓 into maps 𝑆 ( 𝑋 / 𝑅 ) → 𝑆 ( 𝑋 / 𝑅 ) . First, we use reflexivity to construct a map 𝑆 𝑋 → 𝑆 ( 𝑋 / 𝑅 ) . Given 𝑠 : 𝑆 𝑋 , we have some 𝑟 : ( 𝜌 ( IdRel 𝑋 )) 𝑠 𝑠 by reflexivity. By the action of 𝜌 on functions andreflexivity of 𝑅 , this implies 𝑟 : ( 𝜌 𝑅 ) 𝑠 𝑠 . Then by definition of FunctionRelStr
𝑅 𝑓 𝑓 , we have ( 𝜌 𝑅 ) ( 𝑓 𝑠 ) ( 𝑓 𝑠 ) . By descent to quotients for 𝜌 , we thereby obtain an element of 𝑆 ( 𝑋 / 𝑅 ) .The uniqueness condition in descent to quotients allows us to prove that this map 𝑆 𝑋 → 𝑆 ( 𝑋 / 𝑅 ) respects 𝜌 𝑅 , and thus induces a map 𝑆 𝑋 / 𝜌 𝑅 → 𝑆 ( 𝑋 / 𝑅 ) . We then apply thequotient condition to derive a map 𝑆 ( 𝑋 / 𝑅 ) → 𝑆 ( 𝑋 / 𝑅 ) . Finally, reverse transitivity in thedomain is naturally required when we prove that FunctionRelStr is transitive. □ We note that the definitions of suitability and positivity are somewhat negotiable, and are chosento make these proofs work. For example, one may instead require suitable (not only positive)structures to be reflexive. In that case we are still able to prove the closure conditions, but wemust also impose a reverse reflexivity condition for positive structures. Our positivity restrictionaccommodates the structures currently defined in the
Cubical Agda library; the most notableomission (besides 𝜆 𝑋 → ( 𝑋 → 𝑋 ) → 𝑋 , as noted earlier) is 𝜆 𝑋 → ( N → 𝑋 ) → 𝑋 . Example 5.13.
To apply Theorem 5.7 to the multiset implementations from Example 5.5, we mustshow that the QER R is structured as a relation between multiset implementations. We generatethe notion of structured relation using a relational equivalent of the tactics described in Section 3.(In this case, an annotation is required on the constant N verifying that it is a set.) multisetShape X = X × ( A → X → X ) × ( X → X → X ) × ( A → X → Const[ N , isSet N ])module S = RelMacro (autoRelDesc multisetShape) The module S defined here packages all the definitions and results we need to work with arelational structure: S.structure : Type → Type , definitions
S.equiv : StrEquiv S.structure and
S.relation : StrRel S.structure of structured equivalences and relations respectively, and proofs thatthey are univalent. Here, showing that R is structured requires four conditions: isStructuredEmp : R [] []isStructuredCount : ∀ x { xs ys } → R xs ys → L.count x xs ≡ AL.count x ys isStructuredInsert : ∀ x { xs ys } → R xs ys → R (L.insert x xs ) (AL.insert x ys )isStructuredUnion : ∀ { xs ys } → R xs ys → ∀ { xs’ ys’ } → R xs’ ys’ → R (L.union xs xs’ ) (AL.union ys ys’ ) The first holds by calculation, while the second holds by definition of R . The third and fourth boildown to proving that for all 𝑎 : 𝐴 , AL.count 𝑎 ( AL.insert 𝑥 𝑦𝑠 ) ≡ addIfEq 𝑎 𝑥 ( AL.count 𝑎 𝑦𝑠 ) Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:23 and
AL.count 𝑎 ( AL.union 𝑦𝑠 𝑦𝑠 ′ ) ≡ AL.count 𝑎 𝑦𝑠 + AL.count 𝑎 𝑦𝑠 ′ ; both follow from a case anal-ysis on 𝑦𝑠 and the outputs of _==_ . Tupling these four proofs, we obtain an element of type S.relation R ([] , L.insert , L.union , L.count ) ([] , AL.insert , AL.union , AL.count ) .It remains only to turn the crank. Applying Theorem 5.7, we immediately obtain multiset struc-tures on List 𝐴 / R ← and AssocList 𝐴 / R → and a path between the two in TypeWithStr S.structure : L/R ← ≡ AL/R → : (List A / R ← , LMultisetStr) ≡ (AssocList A / R → , ALMultisetStr) Note that we never need to explicitly show that the multiset operations for
List 𝐴 and AssocList 𝐴 preserve R ← and R → respectively; this is a formal consequence of the proof that R is structured.As in Section 4, the path L/R ← ≡ AL/R → lets us transfer properties between our quotientedmultiset implementations. Consider the axiom that union is associative: unionAssocAxiom : TypeWithStr S.structure → TypeunionAssocAxiom ( X , emp , insert , union , count ) = ∀ xs ys zs → union ( union xs ys ) zs ≡ union xs ( union ys zs ) This axiom is immediate for
List 𝐴 / R ← because L.union (defined as _++_ ) is associative evenprior to quotienting. Then, writing
LUnionAssoc : unionAssocAxiom ( List 𝐴 / R ← , LMultisetStr ) ,associativity of union for AssocList 𝐴 / R → follows by transport ing across L/R ← ≡ AL/R → : ALUnionAssoc : unionAssocAxiom (AssocList A / R → , ALMultisetStr)ALUnionAssoc = subst unionAssocAxiom L/R ← ≡ AL/R → LUnionAssoc
We can also see our queue example from Section 4.2 as an instance of Theorem 5.7, as thegraph of appendReverse : BatchedQueue 𝐴 → ListQueue 𝐴 defines a QER. (The graph of anyfunction is zigzag-complete.) The quotient of BatchedQueue 𝐴 winds up being equivalent to ourhand-rolled BatchedQueueHIT , while the quotient of
ListQueue 𝐴 is the original type. Once wehave obtained the raw quotients, we can check that they satisfy any axioms we like; this usuallyreduces straightforwardly to showing that the axioms hold on the raw types up to 𝑅 ← or 𝑅 → . In this paper, we have shown how to combine univalence and higher inductive types to obtaininternal relational representation independence results in dependent type theory, specifically
Cubical Agda . Univalence captures internally the principle that isomorphic types are equal; thestructure identity principle lifts univalence to structured types and structured isomorphisms; andset quotients (via higher inductive types) allow us to improve structured relations to isomorphisms,in order to obtain representation independence results through the SIP, and validate axioms that aconcrete implementation may otherwise fail to satisfy.Our work lies at the intersection of formalized mathematics and programming language theory;we will navigate the related work moving from the former to the latter.
Proof reuse and transfer.
As we discuss in Section 1, an important problem in modern proofassistants is the automatic transfer of programs and proofs across related mathematical structures.In the context of
Coq , Magaud [2003]; Magaud and Bertot [2002] considered transferring proofsbetween isomorphic types by means of an external plugin, but their work did not handle dependenttypes. Cohen et al. [2013] designed a more general framework for
CoqEAL , which supported programand data refinements for arbitrary relations. Unlike our work, they support partial quotients oftypes, e.g., admitting Q as a direct refinement of Z × Z . We believe these are not particularly usefulin practice; indeed, at the time of writing, the CoqEAL library no longer uses partial quotients. Theirwork was implemented using a parametricity plugin and proof search using typeclass instances,
Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :24 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner but does not handle dependently typed goals, and therefore could only transport programs and notproofs between related structures.Tabareau et al. [2018, 2019] have recently improved this work by combining parametricity andtypeclass based proof search à la
CoqEAL with (axiomatic) univalence. This new
Coq framework,called univalent parametricity , enables the transport of programs and proofs between relatedstructures; however, unlike
CoqEAL , its scope is limited to isomorphic types due to its relianceon univalence. We emphasize that while their work relies on an axiom for univalence, it never-theless achieves code reuse in
Coq without losing computational content, by means of a carefulsetup in which the axiom does not interfere with computationally-relevant parts, and by usingtypeclass instances to mimic computation rules similar to those of Cubical Type Theory. However,their approach does not achieve all the niceties of Cubical Type Theory, including constructivequotients and functional and propositional extensionality. Ringer et al. [2019] automatically buildisomorphisms in
Coq between inductive types and transport programs and proofs across theseisomorphisms. This is accomplished using very similar techniques to those of Tabareau et al. [2018],but written as an external plugin instead of using typeclass instance search.Another major contribution of Tabareau et al. [2019] is a solution to the anticipation problem ,which concerns inferring an interface a posteriori and transporting programs and proofs across thisinferred interface. This is especially useful in dependent type theory, where concrete types enjoymany definitional equalities that abstract types do not. For example, if one parameterizes proofs byan implementation of N with + , the abstract + will not reduce on any input, whereas a concreteimplementation will reduce on . It is therefore very useful to allow users to develop librariesusing concrete types while still enjoying the benefits of automated program and data refinements.In the setting of representation independence, however, one usually considers programs that are parameterized by an interface, and that interface determines the notion of structure-preservation,making the anticipation problem less central. But even a partial solution to the anticipation problemin our setting would improve the applicability and ease of use of our framework.Similar frameworks exist for other proof assistants. The Isabelle/HOL code generator usesrefinements to make abstract code executable [Haftmann et al. 2013]; a similar refinement frame-work has been developed in
Coq by Delaware et al. [2015] to synthesize abstract datatypes andgenerate
OCaml code. There is also an external tool for
Isabelle/HOL called
Autoref which uses aparametricity-based translation to achieve
CoqEAL -style refinements [Lammich 2013].
The structure identity principle.
In the philosophy of mathematics, structuralism is an informalprinciple of representation independence: although mathematical objects may be realized in adhoc ways, reasonable mathematical arguments implicitly access these structures only throughinterfaces [Awodey 2013; Benacerraf 1965]. As the work on proof transfer illustrates, formalizedmathematics must often rely on this principle either implicitly or explicitly [Carette et al. 2014].Researchers in HoTT/UF noticed very early on that univalence captures a form of structuralism,and have subsequently formalized quite a few versions of the SIP in HoTT/UF. The first type-theoretic formalization and proof of the SIP for algebraic structures was given by Coquand andDanielsson [2013]. As discussed in Section 3.2, their notions of structure are given by maps 𝑆 : Type → Type with an action on equivalences. That action induces a notion of structured equivalence,which is then required to agree with paths.Section 9.8 of the HoTT Book [Univalent Foundations Program 2013] contains a version ofthe SIP for structured categories; Ahrens and Lumsdaine [2017] develop a variation of this SIPusing displayed categories. These principles are phrased in terms of structured functions betweenstructured types, splitting the definition of a structure into two components: what it means to equipa type with structure, and what it means for a function to preserve that structure. The SIP then
Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:25 applies to structured functions that are also equivalences. This work is limited to structures on sets,as opposed to general types, due to the difficulty of formulating higher categories in HoTT/UF, butAhrens et al. [2020] have recently developed a higher generalization.Our SIP is derived from a version proposed by Escardó [2019]; like that of Coquand and Danielsson[2013], it is phrased in terms of equivalences rather than functions, but follows the categorical SIPsby allowing an arbitrary definition of structured equivalences rather than deriving one from anaction on equivalences. Our
UnivalentStr closely resembles Escardó’s standard notion of structure ,except for being stated in terms of dependent paths; the two conditions are equivalent.Our univalent structured relations follow the pattern of the categorical SIPs, with relationssubstituted for functions: a notion of structured relations is univalent when structured relationsthat are equivalences correspond to paths. However, our suitability conditions requires that evenrelations that are merely “equivalence-like” (i.e., are QERs) have some relationship with paths. Thisincreased power comes with a more limited applicability, seen in the lack of a suitable notion ofstructured relation for general function types.
Internalizing relational parametricity.
We have shown that univalence and HITs together recovera rich notion of representation independence, a concept which in programming languages is oftenobtained through parametricity theorems. We note that there are other “free theorems” whichcannot be proven in
Cubical Agda ; a simple example is the contractibility of ( 𝑋 : Type ) → 𝑋 → 𝑋 .Just as univalence internalizes the fact that type theory respects isomorphism, one can considerdependent type theories with internalized parametricity [Abel et al. 2020; Bernardy et al. 2015;Cavallo and Harper 2020; Krishnaswami and Dreyer 2013; Nuyts and Devriese 2018; Nuyts et al.2017]. Parametricity applies to representation independence in greater generality than univalence:for example, it implies that any computation parameterized by a Queue produces the same resultsfor
List 𝐴 and AssocList 𝐴 , while we only have such a result for the quotients described in Section 5.Nevertheless, it is worth noting that internal parametricity is not stronger than univalence, butrather incomparable: an action on relations does not imply an action on equivalences.From the standpoint of formalized mathematics, one drawback of internalized parametricityis that it is more difficult to combine with classical principles than univalence. For example, itis incompatible with excluded middle for h-propositions [Cavallo and Harper 2020, Theorem10], unlike univalence [Kapulkin and Lumsdaine 2020]. Furthermore, there are not currently anylarge-scale proof assistants which implement type theories with internal parametricity. Programming in HoTT/UF.
We are not the first to consider applications of univalence and HITs toprogramming languages. Angiuli et al. [2016] model
Darcs -style patch theories as HITs;
HoTTSQL [Chu et al. 2017] uses a univalent universe to define the semantics of a query language and proveoptimizations correct; and Basold et al. [2017] discuss HITs for types often used in programming,including modular arithmetic, integers and finite sets. These examples predate implementations ofCubical Type Theory, and would likely be significantly easier to formalize in
Cubical Agda .Countless variations of finite (multi)sets have been considered in all the main proof assistantsfor HoTT/UF; we limit our comparisons to those closest to our own. The finite sets of Basold et al.[2017] have been further studied by Frumin et al. [2018], and are defined by encoding finite subsetsof 𝐴 as the free join-semilattice on 𝐴 . If one drops idempotency of the union operation, one obtainsa HIT equivalent to List 𝐴 /R ← . They also discuss a variation called listed finite sets which are almostexactly List 𝐴 / R ← , except that they have a path constructor equating lists with duplicate elements.This HIT and a listed finite multisets version have been formalized in Cubical Agda by Choudhuryand Fiore [2019]; we have proven their type equivalent to
List 𝐴 / R ← as well as to a direct HITversion of AssocList 𝐴 / R → . Gylterud [2020] defines finite multisets using set quotients of W-typesof sets. As an application, Forsberg et al. [2020] define in Cubical Agda an ordinal notation system
Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :26 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner using a variation of listed finite multisets, which is then proven equivalent to two other definitionsof ordinal notation systems, and both programs and proofs are transported between the definitions.These transports are done in an ad-hoc way that can be done more elegantly with the SIP. Prior toHoTT/UF, Danielsson [2012] formalized finite multisets as a setoid of lists modulo “bag equivalence,”which is exactly the relation R that we use to quotient lists in Example 5.5.Batched queues maintain the invariant that the first list is only empty if the queue is empty. Onecan encode this invariant in the type of the Q ⟨ _ , _ ⟩ constructor, so that enqueue and dequeue arerequired to preserve the invariant. This variation of queues is equivalent to BatchedQueueHIT andhas been formalized independently in
Cubical Agda by Gjørup and Vindum [2019].
Abstract types.
There are of course countless papers on abstract types and representation inde-pendence in programming languages, but we limit our discussion to the few most relevant. Mostrepresentation independence theorems apply to structured heterogeneous relations [Mitchell 1986],much like the ones we consider. In the context of System F, Robinson [1994] uses invariance underisomorphism to derive a simple form of representation independence for abstract types.Extended ML [Kahrs et al. 1997] is an extension of Standard ML whose signatures can includeaxioms drawn from boolean expressions extended with quantifiers and termination predicates; thetechnique of algebraic specification [Sannella and Tarlecki 1987] is a method for establishing suchaxioms by successive structure-preserving refinements, much like
CoqEAL . Miranda’s data typeswith laws extend datatype constructors with a limited ability to maintain invariants [Turner 1985];as with the normal-form representations of quotients discussed in Example 2.2, these, unlike HITs,have the drawback of incurring runtime cost to maintain normal forms.
Future work.
A natural next direction is to formalize representation independence for moresophisticated data structures, such as self-balancing binary search trees. Our methodology alreadyapplies to these and other examples, but proving the correspondences suitable would be morecomplex. We can also extend the structure tactics described in Sections 3 and 5, particularly tosupport inductive types beyond
Maybe . Note, however, that these tactics apply to the types thatappear in interfaces —not in representations—which are usually quite limited.Finally, we would like to investigate whether our techniques are practical in
Coq using axiomaticunivalence and HITs. Although we rely heavily on these features computing automatically in
Cubical Agda , Tabareau et al. [2019] overcome similar difficulties with the univalence axiom bycleverly using typeclass instances to mimic computation rules.
ACKNOWLEDGMENTS
We thank Robert Harper and Jonathan Sterling for helpful conversations about this work.The material in this paper is based upon research supported by the Air Force Office of ScientificResearch under MURI grants FA9550-15-1-0053 and FA9550-19-1-0216, and the Swedish ResearchCouncil (Vetenskapsrådet) under Grant No. 2019-04545. The views and conclusions contained inthis document are those of the authors and should not be interpreted as representing the officialpolicies, either expressed or implied, of any sponsoring institution, the U.S. government, or anyother entity.
REFERENCES
Andreas Abel, Jesper Cockx, Dominique Devriese, Amin Timany, and Philip Wadler. 2020. Leibniz equality is isomorphicto Martin-Löf identity, parametrically.
Journal of Functional Programming
30 (2020), e17. https://doi.org/10.1017/S0956796820000155Benedikt Ahrens and Peter LeFanu Lumsdaine. 2017. Displayed Categories. In ,Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:27
Dale Miller (Ed.). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 5:1–5:16. https://doi.org/10.4230/LIPIcs.FSCD.2017.5Benedikt Ahrens, Paige Randall North, Michael Shulman, and Dimitris Tsementzis. 2020. A Higher Structure IdentityPrinciple. In
Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science (Saarbrücken, Germany) (LICS ’20) . Association for Computing Machinery, New York, NY, USA, 53–66. https://doi.org/10.1145/3373718.3394755Abhishek Anand and Greg Morrisett. 2017.
Revisiting Parametricity: Inductives and Uniformity of Propositions .arXiv:1705.01163 [cs.LO] http://arxiv.org/abs/1705.01163 Preprint.Carlo Angiuli, Guillaume Brunerie, Thierry Coquand, Kuen-Bang Hou (Favonia), Robert Harper, and Daniel R. Licata. 2019.Syntax and Models of Cartesian Cubical Type Theory. (February 2019). https://github.com/dlicata335/cart-cube Preprint.Carlo Angiuli, Kuen-Bang Hou (Favonia), and Robert Harper. 2018. Cartesian Cubical Computational Type Theory:Constructive Reasoning with Paths and Equalities. In , Dan Ghica and Achim Jung (Eds.). SchlossDagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 6:1–6:17. https://doi.org/10.4230/LIPIcs.CSL.2018.6Carlo Angiuli, Edward Morehouse, Daniel R. Licata, and Robert Harper. 2016. Homotopical patch theory.
Journal ofFunctional Programming
26 (2016). https://doi.org/10.1017/S0956796816000198 Special issue dedicated to ICFP 2014.Steve Awodey. 2013. Structuralism, Invariance, and Univalence.
Philosophia Mathematica
22, 1 (10 2013), 1–11. https://doi.org/10.1093/philmat/nkt030Gilles Barthe, Venanzio Capretta, and Olivier Pons. 2003. Setoids in type theory.
Journal of Functional Programming
13, 2(2003), 261–293. https://doi.org/10.1017/S0956796802004501Henning Basold, Herman Geuvers, and Niels van der Weide. 2017. Higher Inductive Types in Programming.
Journal ofUniversal Computer Science
23, 1 (January 2017), 63–88. https://doi.org/10.3217/jucs-023-01-0063Andrej Bauer, Jason Gross, Peter LeFanu Lumsdaine, Michael Shulman, Matthieu Sozeau, and Bas Spitters. 2017. The HoTTLibrary: A Formalization of Homotopy Type Theory in Coq. In
Proceedings of the 6th ACM SIGPLAN Conference onCertified Programs and Proofs (Paris, France) (CPP 2017) . ACM, New York, NY, USA, 164–172. https://doi.org/10.1145/3018610.3018615Paul Benacerraf. 1965. What Numbers Could not Be.
The Philosophical Review
74, 1 (1965), 47–73. https://doi.org/10.2307/2183530Jean-Philippe Bernardy, Thierry Coquand, and Guilhem Moulin. 2015. A Presheaf Model of Parametric Type Theory.
Electronic Notes in Theoretical Computer Science
319 (2015), 67–82. https://doi.org/10.1016/j.entcs.2015.12.006 31stConference on the Mathematical Foundations of Programming Semantics.Jean-Philippe Bernardy, Patrik Jansson, and Ross Paterson. 2012. Proofs for Free: Parametricity for Dependent Types.
Journal of Functional Programming
22, 2 (March 2012), 107–152. https://doi.org/10.1017/S0956796812000056Simon Boulier, Pierre-Marie Pédrot, and Nicolas Tabareau. 2017. The next 700 Syntactical Models of Type Theory. In
Proceedings of the 6th ACM SIGPLAN Conference on Certified Programs and Proofs (Paris, France) (CPP 2017) . Associationfor Computing Machinery, New York, NY, USA, 182–194. https://doi.org/10.1145/3018610.3018620Edwin Brady. 2013. Idris, a general-purpose dependently typed programming language: Design and implementation.
Journalof Functional Programming
23, 5 (2013), 552–593. https://doi.org/10.1017/S095679681300018XGuillaume Brunerie, Kuen-Bang Hou (Favonia), Evan Cavallo, Tim Baumann, Eric Finster, Jesper Cockx, Christian Sattler,Chris Jeris, Michael Shulman, et al. 2018. Homotopy Type Theory in Agda. https://github.com/HoTT/HoTT-AgdaJacques Carette, William M. Farmer, and Michael Kohlhase. 2014. Realms: A Structure for Consolidating Knowledge aboutMathematical Theories. In
Intelligent Computer Mathematics , Stephen M. Watt, James H. Davenport, Alan P. Sexton, PetrSojka, and Josef Urban (Eds.). Springer International Publishing, Cham, 252–266. https://doi.org/10.1007/978-3-319-08434-3_19Evan Cavallo and Robert Harper. 2019. Higher Inductive Types in Cubical Computational Type Theory.
Proceedings of theACM on Programming Languages
3, POPL, Article 1 (January 2019), 27 pages. https://doi.org/10.1145/3290314Evan Cavallo and Robert Harper. 2020. Internal Parametricity for Cubical Type Theory. In , Maribel Fernándezand Anca Muscholl (Eds.). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 13:1–13:17. https://doi.org/10.4230/LIPIcs.CSL.2020.13Vikraman Choudhury and Marcelo Fiore. 2019. The finite-multiset construction in HoTT. https://hott.github.io/HoTT-2019/conf-slides/Choudhury.pdf Talk at the International Conference on Homotopy Type Theory (HoTT 2019).Shumo Chu, Konstantin Weitz, Alvin Cheung, and Dan Suciu. 2017. HoTTSQL: Proving Query Rewrites with Univalent SQLSemantics. In
Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation (Barcelona, Spain) (PLDI 2017) . ACM, New York, NY, USA, 510–524. https://doi.org/10.1145/3062341.3062348Frédéric Chyzak, Assia Mahboubi, Thomas Sibut-Pinote, and Enrico Tassi. 2014. A Computer-Algebra-Based Formal Proofof the Irrationality of 𝜁 (3). In Interactive Theorem Proving (Vienna, Austria) (ITP 2014) , Gerwin Klein and Ruben Gamboa(Eds.). Springer International Publishing, Cham, 160–176. https://doi.org/10.1007/978-3-319-08970-6_11Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. :28 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner
Cyril Cohen, Thierry Coquand, Simon Huber, and Anders Mörtberg. 2018. Cubical Type Theory: A Constructive Interpreta-tion of the Univalence Axiom. In , Tarmo Uustalu (Ed.). Schloss Dagstuhl–Leibniz-Zentrum fuerInformatik, Dagstuhl, Germany, 5:1–5:34. https://doi.org/10.4230/LIPIcs.TYPES.2015.5Cyril Cohen, Maxime Dénès, and Anders Mörtberg. 2013. Refinements for Free!. In
Certified Programs and Proofs (CPP 2013) ,Georges Gonthier and Michael Norrish (Eds.). Springer International Publishing, Cham, 147–162. https://doi.org/10.1007/978-3-319-03545-1_10Thierry Coquand and Nils Anders Danielsson. 2013. Isomorphism is equality.
Indagationes Mathematicae
24, 4 (2013),1105–1120. https://doi.org/10.1016/j.indag.2013.09.002 In memory of N.G. (Dick) de Bruijn (1918–2012).Thierry Coquand, Simon Huber, and Anders Mörtberg. 2018. On Higher Inductive Types in Cubical Type Theory. In
Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science (Oxford, United Kingdom) (LICS 2018) .ACM, New York, NY, USA, 255–264. https://doi.org/10.1145/3209108.3209197Karl Crary. 2017. Modules, Abstraction, and Parametric Polymorphism. In
Proceedings of the 44th ACM SIGPLAN Symposiumon Principles of Programming Languages (Paris, France) (POPL 2017) . ACM, New York, NY, USA, 100–113. https://doi.org/10.1145/3009837.3009892Nils Anders Danielsson. 2012. Bag Equivalence via a Proof-Relevant Membership Relation. In
Interactive Theorem Proving (Princeton, NJ, USA) (ITP 2012) , Lennart Beringer and Amy Felty (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg,149–165. https://doi.org/10.1007/978-3-642-32347-8_11Leonardo de Moura, Soonho Kong, Jeremy Avigad, Floris van Doorn, and Jakob von Raumer. 2015. The Lean TheoremProver (System Description). In
Automated Deduction – CADE-25 (Berlin, Germany), Amy P. Felty and Aart Middeldorp(Eds.). Springer International Publishing, Cham, 378–388. https://doi.org/10.1007/978-3-319-21401-6_26Benjamin Delaware, Clément Pit-Claudel, Jason Gross, and Adam Chlipala. 2015. Fiat: Deductive Synthesis of AbstractData Types in a Proof Assistant. In
Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principlesof Programming Languages (Mumbai, India) (POPL 2015)
Proceedings of the 9th ACM SIGPLAN International Conference on Certified Programs and Proofs (New Orleans, LA, USA) (CPP 2020) . Association for Computing Machinery, New York, NY, USA, 172–185. https://doi.org/10.1145/3372885.3373835Dan Frumin, Herman Geuvers, Léon Gondelman, and Niels van der Weide. 2018. Finite Sets in Homotopy Type Theory. In
Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs (Los Angeles, CA, USA) (CPP 2018) . Association for Computing Machinery, New York, NY, USA, 201–214. https://doi.org/10.1145/3167085Emil Gjørup and Simon Friis Vindum. 2019. Case Study: BatchedQueue. https://github.com/limemloh/CubicalAgda-BatchedQueueHåkon Robbestad Gylterud. 2020. Multisets in type theory.
Mathematical Proceedings of the Cambridge Philosophical Society
Interactive Theorem Proving (Rennes, France) (ITP 2013) , Sandrine Blazy, Christine Paulin-Mohring, and David Pichardie(Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 100–115. https://doi.org/10.1007/978-3-642-39634-2_10Michael Hedberg. 1998. A coherence theorem for Martin-Löf’s type theory.
Journal of Functional Programming
8, 4 (1998),413–436. https://doi.org/10.1017/S0956796898003153Stefan Kahrs, Donald Sannella, and Andrzej Tarlecki. 1997. The definition of Extended ML: A gentle introduction.
TheoreticalComputer Science
Theoryand Applications of Categories , Patrick Cégielskiand Arnaud Durand (Eds.). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 381–395. https://doi.org/10.4230/LIPIcs.CSL.2012.381Nicolai Kraus, Martín Escardó, Thierry Coquand, and Thorsten Altenkirch. 2017. Notions of Anonymous Existence inMartin-Löf Type Theory.
Logical Methods in Computer Science
13, 1 (2017). https://doi.org/10.23638/LMCS-13(1:15)2017Neelakantan R. Krishnaswami and Derek Dreyer. 2013. Internalizing Relational Parametricity in the Extensional Calculus ofConstructions. In
Computer Science Logic 2013 (CSL 2013) (Leibniz International Proceedings in Informatics (LIPIcs), Vol. 23) ,Simona Ronchi Della Rocca (Ed.). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 432–451.Proc. ACM Program. Lang., Vol. 1, No. CONF, Article 1. Publication date: January 2018. nternalizing Representation Independence with Univalence 1:29 https://doi.org/10.4230/LIPIcs.CSL.2013.432Peter Lammich. 2013. Automatic Data Refinement. In
Interactive Theorem Proving (Rennes, France) (ITP 2013) , SandrineBlazy, Christine Paulin-Mohring, and David Pichardie (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 84–99.https://doi.org/10.1007/978-3-642-39634-2_9Xavier Leroy. 1995. Applicative Functors and Fully Transparent Higher-Order Modules. In
Proceedings of the 22nd ACMSIGPLAN-SIGACT Symposium on Principles of Programming Languages (San Francisco, California) (POPL 1995) . ACM,New York, NY, USA, 142–153. https://doi.org/10.1145/199448.199476Dan Licata. 2016.
Weak univalence with “beta” implies full univalence . https://groups.google.com/d/msg/homotopytypetheory/j2KBIvDw53s/YTDK4D0NFQAJ Email to Homotopy Type Theory mailing list.Peter LeFanu Lumsdaine and Michael Shulman. 2019. Semantics of higher inductive types.
Mathematical Proceedings of theCambridge Philosophical Society (2019). https://doi.org/10.1017/S030500411900015XNicolas Magaud. 2003. Changing Data Representation within the Coq System. In
Theorem Proving in Higher Order Logics (Rome, Italy) (TPHOLs 2003) , David Basin and Burkhart Wolff (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg,87–102. https://doi.org/10.1007/10930755_6Nicolas Magaud and Yves Bertot. 2002. Changing Data Structures in Type Theory: A Study of Natural Numbers. In
Types forProofs and Programs (TYPES 2000) (Lecture Notes in Computer Science, Vol. 2277) , Paul Callaghan, Zhaohui Luo, JamesMcKinna, and Robert Pollack (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 181–196. https://doi.org/10.1007/3-540-45842-5_12Per Martin-Löf. 1975. An Intuitionistic Theory of Types: Predicative Part. In
Logic Colloquium ’73 , H. E. Rose and J. C.Shepherdson (Eds.). Studies in Logic and the Foundations of Mathematics, Vol. 80. North-Holland, 73–118. https://doi.org/10.1016/S0049-237X(08)71945-1John C. Mitchell. 1986. Representation Independence and Data Abstraction. In
Proceedings of the 13th ACM SIGACT-SIGPLANSymposium on Principles of Programming Languages (St. Petersburg Beach, Florida) (POPL ’86) . Association for ComputingMachinery, New York, NY, USA, 263–276. https://doi.org/10.1145/512644.512669Andreas Nuyts and Dominique Devriese. 2018. Degrees of Relatedness: A Unified Framework for Parametricity, Irrelevance,Ad Hoc Polymorphism, Intersections, Unions and Algebra in Dependent Type Theory. In
Proceedings of the 33rd AnnualACM/IEEE Symposium on Logic in Computer Science (Oxford, United Kingdom) (LICS 2018) . ACM, New York, NY, USA,779–788. https://doi.org/10.1145/3209108.3209119Andreas Nuyts, Andrea Vezzosi, and Dominique Devriese. 2017. Parametric Quantifiers for Dependent Type Theory.
Proceedings of the ACM on Programming Languages
1, ICFP, Article 32 (January 2017), 29 pages. https://doi.org/10.1145/3110276Chris Okasaki. 1999.
Purely functional data structures . Cambridge University Press. https://doi.org/10.1017/CBO9780511530104John C. Reynolds. 1983. Types, Abstraction and Parametric Polymorphism. In
Information Processing ’83: Proceedings of theIFIP 9th World Computer Congress , R. E. A. Mason (Ed.). North-Holland, 513–523.Egbert Rijke. 2012.
Homotopy Type Theory . Master’s thesis. University of Ljubljana. http://hottheory.files.wordpress.com/2012/08/hott2.pdfTalia Ringer, Nathaniel Yazdani, John Leo, and Dan Grossman. 2019. Ornaments for Proof Reuse in Coq. In ,John Harrison, John O’Leary, and Andrew Tolmach (Eds.). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl,Germany, 26:1–26:19. https://doi.org/10.4230/LIPIcs.ITP.2019.26Edmund Robinson. 1994. Parametricity as isomorphism.
Theoretical Computer Science
J. Comput. SystemSci.
34, 2 (1987), 150–178. https://doi.org/10.1016/0022-0000(87)90023-7Thomas Streicher. 1993.
Investigations Into Intensional Type Theory
Proceedings of the ACM on Programming Languages
2, ICFP (September 2018), 92:1–92:29. https://doi.org/10.1145/3236787Nicolas Tabareau, Éric Tanter, and Matthieu Sozeau. 2019.
The Marriage of Univalence and Parametricity :30 Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner
D. A. Turner. 1985. Miranda: A non-strict functional language with polymorphic types. In
Functional Programming Languagesand Computer Architecture (FPCA 1985) , Jean-Pierre Jouannaud (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg,1–16.The Univalent Foundations Program. 2013.
Homotopy Type Theory: Univalent Foundations of Mathematics . Self-published.https://homotopytypetheory.org/book/Floris van Doorn, Jakob von Raumer, and Ulrik Buchholtz. 2017. Homotopy Type Theory in Lean. In
Interactive TheoremProving (Brasília, Brazil) (ITP 2017) , Mauricio Ayala-Rincón and César A. Muñoz (Eds.). Springer, Cham, 479–495.https://doi.org/10.1007/978-3-319-66107-0_30Andrea Vezzosi, Anders Mörtberg, and Andreas Abel. 2019. Cubical Agda: A Dependently Typed Programming Languagewith Univalence and Higher Inductive Types.
Proceedings of the ACM on Programming Languages
Mathematical Structures in Computer Science
25, 5 (2015), 1278–1294. https://doi.org/10.1017/S0960129514000577Vladimir Voevodsky, Benedikt Ahrens, Daniel Grayson, et al. 2020. UniMath — a computer-checked library of univalentmathematics. https://github.com/UniMath/UniMathPhilip Wadler. 1989. Theorems for Free!. In
Proceedings of the Fourth International Conference on Functional ProgrammingLanguages and Computer Architecture (Imperial College, London, United Kingdom) (FPCA ’89)(FPCA ’89)