A short and flexible proof of strong normalization for the calculus of constructions



Herman Geuvers, Faculty of Mathematics and Computer Science, Eindhoven University of Technology, The Netherlands

Introduction
In the literature there are several different proofs of Strong Normalization (SN) for the Calculus of Constructions (CC). Some of them are of a purely syntactical nature (like the ones in [Coquand 1985], [Geuvers and Nederhof 1991] and [Coquand and Gallier 1990]), while others give a proof of normalization by describing an appropriate semantics (like [Ong and Ritter 1994] and [Altenkirch 1993], who describe a denotational semantics, but also [Goguen 1994], who describes a typed operational semantics). Apart from these, proofs of SN for CC can be found in [Berardi 1988], [Luo 1990] (containing a proof of SN for the 'Extended' Calculus of Constructions), [Terlouw 1993] and [Geuvers 1993] (containing a proof of SN for CC with β and η reduction). Each of these proofs exploits the idea of interpreting types as specific sets of strongly normalizing λ-terms. The terms are then interpreted in such a way that (1) if t is of type σ, then the interpretation of t is in the set associated with σ, and (2) for any term t, if its interpretation is SN, then t itself is SN. For systems without type dependency (like the polymorphic λ-calculus), it is by now rather well-known how to give a proof of SN using so-called 'saturated sets' as interpretations for the types. These saturated sets are sets of untyped λ-terms that satisfy some specific closure conditions and that are rather easy to work with. A possible drawback of this approach is that the interpretation of the typed term t is an untyped term, so the interpretation removes all type information from t (and hence it may remove some redexes). For the polymorphic λ-calculus this is not a real problem, because the reduction that comes from type abstractions and type applications cannot be the source of an infinite reduction.
In a system with type dependency, the situation is rather more complicated, because types can contain terms as subexpressions. (So, if one removes all types, then one also removes some terms.) In the Calculus of Constructions the situation is furthermore complicated by the fact that the system is higher order, which means that there are reductions in type-constructors.
One possible approach to cope with type dependency is to look at sets of typed terms instead of untyped terms. This is done, for example, in [Berardi 1988] and [Coquand and Gallier 1990]. Another possibility is to reduce the question of SN for a system with type dependency to SN for a system without type dependency. This is done in [Geuvers and Nederhof 1991]. Both approaches lead to rather involved proofs that consist of putting several steps together. Furthermore, these proofs do not easily scale up to larger systems.
The approach that we use here is based on saturated sets. It yields a (relatively short) direct proof of SN for CC using two different interpretations, [-]_ξ and ⟦-⟧_ρ. The first gives a set or a set-theoretic function for every type, constructor, kind or universe of CC. This is done modulo a valuation function ξ, which assigns a set or a set-theoretic function to the constructor variables. (For those not familiar with CC, this terminology is explained below.) The second gives an untyped term for every object, type, constructor or kind of CC. This is done modulo a valuation function ρ, which assigns an untyped term to the constructor variables and the object variables. SN for CC then follows from the fact that (1) if ξ and ρ are valuations that 'agree with' the context Γ and Γ ⊢ M : T, then ⟦M⟧_ρ ∈ [T]_ξ, and (2) one can choose these valuations ξ and ρ in such a way that ⟦M⟧_ρ is SN if and only if M is SN.
In 3.1 we give some more technical intuition for the proof.
One nice aspect of this approach is that the proof of SN for CC is carried out in exactly the same structure as the proof of SN for Fω is usually done. This again emphasises that the proof of SN for CC is of the same proof-theoretic complexity as the proof of SN for Fω. (This has already been shown in [Berardi 1988] and [Geuvers and Nederhof 1991].) Furthermore, the proof uses only a minimal part of the meta-theory of CC. This makes it possible to extend the proof of SN for CC to larger systems (with more type operators). This will be shown in Section 4, where we prove SN for CC with Σ-types, W-types, sum types and recursive types. For each of these extensions, the proof of SN is a natural generalization of the proof of SN for CC.

The Calculus of Constructions
We now give a precise definition of the Calculus of Constructions and at the same time fix some terminology. In CC there are two specific constants, ∗ and □. The first represents the universe of types (so we say that σ is a type if σ : ∗) and the second represents the universe of kinds (so we say that A is a kind if A : □). The universe ∗ is a specific example of a kind, so it will be the case that ∗ : □. To present the derivation rules for CC we first fix the set of pseudoterms from which the derivation rules select the (typable) terms. We also adopt from the untyped λ-calculus the conventions of denoting the transitive reflexive closure of →_β by ↠_β and the transitive symmetric closure of ↠_β by =_β.
The typing of terms is done under the assumption of specific types for the free variables that occur in the term. These are listed in a context, which is a sequence of declarations. The equality in the side condition of the conversion rule (conv) is β-equality on the set of pseudoterms T.
The set of terms of CC (the typable pseudoterms) is divided into layers, because if M ∈ Term, then one of the following six situations occurs: Of course, (2) is a special case of (3) and (4) is a special case of (5), so we can restrict ourselves to four cases. It is well-known that these cases are disjoint if we are slightly more careful with the presentation of the syntax. Hence the following definition is useful. Here Γ ⊢ P : A : ∗ denotes the fact that Γ ⊢ P : A and Γ ⊢ A : ∗.
For convenience we divide the set of variables Var into two disjoint sets Var_∗ and Var_□. We use x, y and z to denote variables of the first kind, also called object variables, and we use α, β and γ to denote variables of the second kind, also called constructor variables. In the (var) and (weak) rules we now make the restriction that, if Γ ⊢ T : ∗, then the new variable has to be taken from the set Var_∗, and if Γ ⊢ T : □, then the new variable has to be taken from the set Var_□. The usefulness of this definition is due to the following lemma. (For a detailed proof see [Geuvers 1993].)

LEMMA (Classification). In CC we have
Kind ∩ Type = ∅, Constr ∩ Obj = ∅.
The Lemma implies that when we define a property for terms of CC by induction on the structure, we can distinguish cases according to whether a specific subterm is a kind or a type, respectively a constructor or an object.
3. Strong Normalization for the Calculus of Constructions

3.1. Intuition for the proof
Before giving the technical details we want to give some (technical) intuition for the proof. In order to do that we first look at the situation for Fω. In that case one defines mappings V : Kind → Set, [-]_ξ : Constr → Set and ⟦-⟧_ρ : Obj → Λ. Here ξ is a valuation of constructor variables and ρ is a valuation of object variables. These mappings are such that, if ξ, ρ form a valuation of Γ (this notion will be defined in detail later), then ⟦M⟧_ρ ∈ [T]_ξ whenever Γ ⊢ M : T. This construction only proves SN for the objects of Fω, and it requires some further tricks to show that this implies SN for all terms of Fω. For CC the situation is more complicated, because constructors and kinds can also contain objects as subterms. So, even if one had constructed mappings V, [-]_ξ and ⟦-⟧_ρ as above, it is not so easy to see how SN for the objects of CC implies SN for the full CC.
The solution that we propose here is to define the mapping ⟦-⟧_ρ for all terms of CC.
To show that the image of ⟦-⟧_ρ is a strongly normalizing term, we also have to extend the

The proof
Let in the following SN ⊆ Λ be the set of untyped λ-terms that are strongly normalizing under β-reduction. For reasons of presentation we extend the untyped λ-calculus Λ with one specific constant d, for which there are no special reduction rules. The well-known notion of 'saturated set of λ-terms' is defined in a slightly more general way than is necessary. This is done to make it easier to extend the proof of SN later. The term that is obtained from M by contracting its key redex is denoted by red_k(M).
Notice that the key redex of M, if it exists, is unique. Furthermore, every key redex is a head redex (but not the other way around).
By definition, SN is itself saturated and all saturated sets are nonempty. Furthermore, if N ∈ SN and M ∈ X ∈ SAT, then K M N ∈ X, where K is the well-known K-combinator λxy.x.
As we already pointed out, the types of CC will be interpreted as saturated sets. This requires some closure properties for the set of saturated sets, which will be proved in Lemma 3.5. The set-interpretation of the kinds of CC (by the map V) can be seen as first taking the underlying Fω-kind (which is a kind that consists of just the symbols → and ∗), and then taking the set-interpretation of kinds of Fω. Here we define the set-interpretation of CC-kinds immediately.

3.4. DEFINITION. For A ∈ Kind(CC), the set-interpretation of A, V(A), is defined inductively as follows.

The types are interpreted as saturated sets and the kinds also have a second interpretation as saturated sets. We need the following (well-known) closure properties on SAT.

$[\lambda x{:}\sigma.Q]_\xi$, $[\Pi x{:}\sigma.\tau]_\xi$, $[\Pi\alpha{:}A.\tau]_\xi$, $[P]_\xi([Q]_\xi)$ if $Q$ is a constructor.
It is easy to verify the substitution property for [-]_ξ. From it one concludes that [-]_ξ preserves equality:

3.8. FACT. Let ξ ⊨_□ Γ and let P be a constructor, t an object, and Q a constructor or a kind in Γ. Then

The following Lemma states that the interpretations of the constructors under [-]_ξ are elements of the right set.

3.9. LEMMA (Soundness for [-]_ξ). For Γ a context of CC, Q, A ∈ Term(CC) and ξ ⊨_□ Γ,
PROOF. By simultaneous induction on the structure of Q, respectively A. □

3.10. DEFINITION. For Γ a context of CC and ξ ⊨_□ Γ, an object valuation of Γ with respect to ξ is a map ρ : Var →

3.11. DEFINITION. For Γ a context of CC with ρ, ξ ⊨ Γ, the interpretation function ⟦-⟧_ρ : Γ-Term(CC) \ {□} → Λ is defined inductively as follows.
⟦∗⟧_ρ
In this definition, v is either an object variable or a constructor variable, T and U are either types or kinds, and M and N are either objects or constructors. The term K is the combinator λxy.x and d is the extra constant that has been added to Λ.
The interpretation of terms (by ⟦-⟧_ρ) does not depend on the interpretation of the constructors and kinds (by [-]_ξ). This is also expressed by the following fact.

3.12. FACT. For M a term, ρ a valuation as in the definition and $\vec{x}$ the vector of free variables in M, the interpretation ⟦M⟧_ρ can equivalently be defined by taking
where ρ($\vec{x}$) is the vector obtained by consecutively applying ρ to $\vec{x}$ and ⌜M⌝ is inductively defined by

PROOF. By induction on the structure of M we prove that if ρ, ξ ⊨ Γ, then ⟦M⟧_ρ ∈ [T]_ξ. So let ρ and ξ be valuations such that ρ, ξ ⊨ Γ. We treat six cases.
• M ≡ PQ, with P and Q constructors. Then Γ ⊢ P :
For the constructor valuation for Γ we take ξ with ξ(α) = $c_A$ if α:A ∈ Γ (and ξ(α) arbitrary otherwise), and for the object valuation for Γ with respect to this ξ we take ρ with ρ(v) = v.
Hence M is SN. □

Beyond CC
The above proof of SN for CC is very flexible and can be extended to many other cases. The main cause of this flexibility is that the proof does not rely on much (difficult) meta-theory of CC. For one thing, we don't require the set of typable terms to be closed under reduction (the so-called Subject Reduction property). The only property that is seriously used (although we did not mention it explicitly) is the fact that if two CC-terms M and N (of the same type in the same context) are convertible, then they are convertible via a path through the well-typed terms. In [Geuvers and Werner 1994] this property is called the 'soundness' of the system, because it implies the equivalence of the presentation of CC with a typed conversion rule with the presentation in Definition 2.2, in which the conversion is untyped. Soundness is a very desirable property because it conforms to our intuition about typed λ-calculi that, if two types are convertible as pseudoterms (and hence the sets of terms of these types are the same), then there should be a reduction-expansion path from one type to the other via the well-typed terms. In the proof of SN for CC the soundness has been used in the proof of Fact 3.8 (iii). For our presentation of CC above, soundness is an immediate consequence of the Church-Rosser property (for β) and Subject Reduction (for β), so we have no problem. However, a problem may arise if we want to add new type constructors with new reduction rules for which the Church-Rosser property is unknown. A simple general solution that avoids all difficulties is to replace the conversion rule by a more fine-grained one.
4.1. DEFINITION. In the following, the conversion rule (conv) will not be the one in Definition 2.2, but the following.
Here → is a one-step reduction. (In Section 3 this would be →_β.) The advantage of this slightly different conversion rule is that, in order to show the soundness of the (conv) rule in the proof of Theorem 3.14, one only needs that $Q \to P \Rightarrow [Q]_\xi = [P]_\xi$ for Q and P typable. We treat four examples of extensions of CC and show that they are SN by adapting the proof of Section 3. The extensions that we treat are the ones with W-types (for representing types of well-founded trees), sum types, recursive types and Σ-types. Before studying these examples we list some general properties of saturated sets that will be used. These properties are proved for the notion of saturated set as it has been given in the previous paragraph. For each extension of CC that is treated hereafter, the notion of saturated set is slightly adapted, but the proofs of these properties still go through.

Saturated sets
Saturated sets are sets of untyped λ-terms that contain all so-called 'base terms' and are closed under expanding a key redex. We define the notion of key reduction separately. We have already seen two constructions that can be performed on saturated sets, namely the function space construction and the intersection. There are many more of those, some of which will be defined and used later. An important trivial fact about SAT is the following.

4.4. FACT. SAT is a complete lattice. The ordering is inclusion, and suprema and infima are given by union and intersection, respectively.

4.5. REMARK. The function space construction on SAT:
So, (SAT, ∪, ∩, →) is not a Heyting algebra, and SAT (with ∩ and → representing universal quantification and implication, respectively) is not an algebraic model of second or higher order propositional logic. (See, for example, [Geuvers 1994].) Of course, SAT can be made into a Heyting algebra by taking for the arrow between X and Y the set $\bigcap\{Z \mid X \subseteq Y \to Z\}$, but for the strong normalization proof this choice is not useful.
In spite of the previous Remark, the function space construction on SAT enjoys many nice properties.

4.6. DEFINITION. A morphism from SAT to SAT is an expression Φ(X) built up from variables ranging over SAT (among which X is one), arrows and intersections.
A morphism Φ(X) is positive if X occurs only to the left of an even number of arrows. A morphism Φ(X) is negative if X occurs only to the left of an odd number of arrows.
In Definition 4.6 we allow arbitrary intersections, so if Φ_i(X) is a morphism for every i ∈ I, then $\Phi(X) = \bigcap_{i \in I} \Phi_i(X)$ is also a morphism. This morphism is positive (resp. negative) if Φ_i(X) is positive (resp. negative) for every i ∈ I.
PROOF. By induction on the structure of Φ(X). □
The following is an immediate consequence of the fact that a positive morphism is a monotone increasing function on the complete lattice of saturated sets.

4.8. COROLLARY. If Φ(X) is a positive morphism on SAT, then there is a smallest saturated set lfp(Φ) for which Φ(lfp(Φ)) = lfp(Φ).
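As an added illustration (not part of the original paper) of how Corollary 4.8 follows from Fact 4.4 together with monotonicity, the least fixed point can be written out explicitly and both inclusions checked. Let Φ be a positive morphism on SAT, hence monotone, and put

$$\mathrm{lfp}(\Phi) := \bigcap \{ X \in SAT \mid \Phi(X) \subseteq X \}.$$

The family is non-empty: Φ(SN) is a saturated set, and every saturated set is a subset of SN, so Φ(SN) ⊆ SN. The intersection is again in SAT by Fact 4.4. For every pre-fixed point X (that is, Φ(X) ⊆ X) we have lfp(Φ) ⊆ X, so by monotonicity

$$\Phi(\mathrm{lfp}(\Phi)) \subseteq \Phi(X) \subseteq X,$$

and intersecting over all such X gives Φ(lfp(Φ)) ⊆ lfp(Φ). Applying Φ once more, Φ(Φ(lfp(Φ))) ⊆ Φ(lfp(Φ)) by monotonicity, so Φ(lfp(Φ)) is itself a pre-fixed point and therefore lfp(Φ) ⊆ Φ(lfp(Φ)). Together, Φ(lfp(Φ)) = lfp(Φ), and since every fixed point is a pre-fixed point, lfp(Φ) is the smallest one. This is also why the W-type interpretation below, defined as a least fixed point, admits an equivalent definition as an intersection.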

CC with W-types
We now look at the extension of CC with Martin-Löf's W-types, a type constructor for representing types of well-founded trees. (See [Martin-Löf 1984] or [Nordström et al. 1990] for an extensive treatment of W-types and examples.) We just give the rules for W-types and the proof that the addition of these rules to CC preserves the SN property.
The definition of the set of base terms B is adapted by adding to Definition 3.1 the clause: 3. If M ∈ B and P ∈ SN, then wrec P M ∈ B. The notion of key redex is extended by adding to Definition 3.2 the clause: 3. If M has key redex N, then wrec P M has key redex N (for any P). The definition of saturated set is the same as in Definition 3.3, with the notions of 'base term' and 'key redex' replaced by the above ones. This new collection of saturated sets is ambiguously denoted by SAT (but there will be no confusion).

$$W(X,Y) := \mathrm{lfp}\Big(\lambda W.\{M \mid \forall Z\ \forall P \in X \to (Y \to W) \to (Y \to Z) \to Z\ [\mathrm{wrec}\,P\,M \in Z]\}\Big).$$
(lfp denotes the least fixed point.) That this least fixed point exists is due to the fact that the map of which W(X, Y) is the least fixed point is a monotone function on SAT. This can be seen as follows.
The set W(X, Y) can equivalently be defined as
PROOF. We use the fact that

Let ρ be a valuation that assigns terms to the free variables, as in Definition 3.10.
4.15. DEFINITION. For Γ a context of CC_W with ρ, ξ ⊨ Γ, the interpretation function ⟦-⟧_ρ : Γ-Term(CC_W) → Λ is defined by adding to Definition 3.11 the following clauses.
Again we have that
PROOF. By induction on the derivation; we verify the two relevant cases, using Lemma 4.11.
Let ρ and ξ be valuations such that ρ, ξ ⊨ Γ.

CC with Sum types and recursive types
Strong Normalization for the extension of CC with product types and sum types can be proved in the same style as we have done before for the extension with Σ-types and W-types.
Moreover, if products and sums are added only on the type level, the proof of SN follows immediately from the fact that these can already be defined inside the system: σ × τ := Other product types will be treated in the next Section, when we look at the Σ-type constructor.
For sum types we can also allow A + σ : □, σ + A : □ and A + B : □, for A, B : □ and σ : ∗. The proof of SN uses the techniques that were introduced above for CC_W. To be a bit more specific, we give the rules for a rather general form of sum types and sum kinds and show how they are interpreted as sets and as saturated sets. In the above rules, when we write U[v], we mean that the expression U may contain the variable v, and [-] marks all free occurrences of v in U. As a matter of fact, if S would be ∗ we could just have written U : T₁ + T₂ → ∗ and use the notation U v instead of U[v]. (In the (case)-rule we have omitted some subscripts in the premises for reasons of readability.) The reduction rules are The set of untyped λ-terms Λ is now extended with case, inl and inr, for which we have the reduction rules The notions of base term, key redex and saturated set are extended with cases for case, inl and inr. To be precise, if P ∈ B and M, N ∈ SN, then we let case M N P ∈ B; if P has key redex Q, then case M N P has key redex Q; and for X and Y saturated sets, X + Y is defined as Equivalently, one can define X + Y as $\bigcap\{V \mid \mathrm{case} \in \bigcap_{Z \in SAT}(X \to Z) \to (Y \to Z) \to V \to Z\}$. The closure properties for X + Y are then easily verified.
The interpretation of T + U as a set (if T + U is a kind) is now as follows.
With these definitions it is not difficult to verify the Soundness Theorem (3.14) for CC with sum types. Strong Normalization follows easily from it.
It is also possible to add recursive types to CC, and we can extend our proof method to show that this extension is SN. Of course we cannot allow solutions for all type equations, but only for equations of the form where the type variable α occurs only positively in the type expression σ(α). The solution to such a type equation is (as usual) denoted by μα.σ(α) and the interpretation in terms of saturated sets is defined by The mapping ⟦-⟧_ρ has to be extended to include a case for the μ-constructor as well. We put $\llbracket \mu\alpha{:}A.Q \rrbracket_\rho := d\,\llbracket A \rrbracket_\rho\,(\lambda\alpha.\llbracket Q \rrbracket_{\rho(\alpha:=\alpha)})$.

5. CC with Σ-types, extending the method to inductive kinds
It is well-known that one cannot extend CC with arbitrary Σ-types: Σα:A.σ : ∗ is not allowed if A : □. (If one allows this, it is possible to type non-normalizing terms.) In the proof of SN for CC with 'safe' Σ-types that we give here, it can be seen why the proof construction does not extend to the 'unsafe' Σ-types.
It is possible to prove SN for CC_Σ by a direct extension of the proof of SN for CC (as it was given in Section 3). This approach was taken in a previous version of this paper, which was distributed at the BRA-Workshop itself. A drawback of this approach is that the untyped λ-calculus has to be extended with infinitary λ-terms of the form case{M_i | i ∈ I}, where I is an infinite index set and M_i is a λ-term for every i ∈ I. These 'infinite terms' are needed to interpret terms of type Σv:T.U for the case where T is a kind. It turns out that, if one modifies the proof of Section 3 a little bit, then these infinite terms can be avoided. This modification turns out to be of more general importance, since it also allows the interpretation of inductive kinds (like a kind of natural numbers that allows the same flexibility as the inductive type of natural numbers in Coq). This modification will be discussed later.
We now first give the rules for Σ-types. The definition of saturated set is the same as in Definition 3.3, with the notions of 'base term' and 'key redex' replaced by the above ones. We ambiguously denote this new collection of saturated sets again by SAT (but there will be no confusion).
5.3. DEFINITION. For X, Y ∈ SAT, the product of X and Y, X × Y, is defined by
That SAT is closed under products and that elements of product sets behave correctly is stated in the following two lemmas. (The first is immediate.) N)) ∈ X. Similarly,
The notion of 'ξ ⊨_□ Γ' is defined analogously to Definition 3.6.
The Soundness Lemma 3.9 is also easily verified:

LEMMA (Soundness for [-]_ξ).
For Γ a context of CC_Σ', Q, A ∈ Term(CC_Σ') and ξ ⊨_□ Γ,
The interpretation of typable terms as (strongly normalizing) untyped λ-terms is again done modulo a valuation ρ that assigns terms to the free variables. So, let ρ be as in Definition 3.10.
5.9. DEFINITION. For Γ a context of CC_Σ' with ρ, ξ ⊨ Γ, the interpretation function ⟦-⟧_ρ : Γ-Term(CC_Σ') → Λ is defined by adding to Definition 3.11 the following clauses.
Again we have that
where $\vec{v}$ are the free variables in M, ρ($\vec{v}$) is obtained by consecutively applying ρ to $\vec{v}$ and ⌜M⌝ is defined in Fact 3.12. (The extension of ⌜-⌝ to include cases for (-,-), π_i and Σ is straightforward.) Strong Normalization follows immediately from the Soundness Theorem for ⟦-⟧_ρ. To prove the soundness we only have to verify the extra cases that arise from the additional derivation rules. This is straightforward.
[T]_ξ depends on the value that ξ takes for α. One would like to define a 'dependent product of saturated sets' and interpret Σα:A.T as such a dependent product. This turns out to be very complicated, and we therefore take a different approach.

5.10. THEOREM (Soundness Theorem).
Instead of interpreting kinds as saturated sets under [-]_ξ, we shall interpret kinds as saturated sets parametrized over their set-interpretation. So, if A is a kind, we define [A]_ξ as a function from V(A) to SAT. For the interpretation of types we take (as before) saturated sets. Then the statement of Soundness of the interpretation has the following form.
where σ stands for a type and A for a kind.
We now make precise how the definitions of V, [-]_ξ and ⟦-⟧_ρ have to be adapted to achieve the above. Here → denotes the set-theoretic function space construction if it is in the subscript of a ⋂; otherwise it denotes the function space on saturated sets. Furthermore, (-,-) denotes pairing and fst and snd denote projections in set theory. Remember that σ and τ stand for types, A and B stand for kinds, p and q stand for objects and P and Q stand for constructors. To understand why the Σ-type has this interpretation, one can take a look at the interpretation of the weak existential quantifier ∃α:A.T in CC. Following Definition 3.7, we have
$$[\exists\alpha{:}A.T]_\xi = SN \to \bigcap_{X \in SAT}\Big(\bigcap_{a \in V(A)} [A]_\xi \to [T]_{\xi(\alpha:=a)} \to X\Big) \to X.$$
Now, for this interpretation we do not have a second projection. (It would have to be λz.z(λxy.y), but this term is not in the right saturated set, because one cannot take [T]_{ξ(α:=a)} for X in the intersection.) Therefore we have to adapt the interpretation to get a real strong Σ-type (with projections).
It is now easy to verify the substitution property for [-]_ξ and to show that [-]_ξ preserves reduction.
PROOF. By simultaneous induction on the derivation. □
To define the interpretation ⟦-⟧_ρ, we have to say when a valuation ρ satisfies Γ with respect to ξ (notation ρ, ξ ⊨ Γ; see also Definition 3.10). This is the case when
Due to the definition of saturated sets, the valuation ρ₀ will always satisfy Γ with respect to ξ.
The notion of Γ ⊨ M : T (Γ satisfies that M is of type T) now takes the following form.

The approach to proving strong normalization can be generalised to inductive kinds. We treat the example of the natural numbers. In the following, note that our 'inductive types' are kinds, whereas in a system like Coq they are types. Having the natural numbers on the kind level conforms better with a more traditional view of logical systems, where the level of 'domains' and the level of 'formulas' are separated. We now give the syntactic rules for the kind Nat. The system CC extended with this scheme for natural numbers is denoted by CC_N. The interpretation of CC_N in the saturated sets framework is as follows.
• M ≡ S. We have to prove that $\llbracket S \rrbracket_\rho \in \bigcap_{p \in \mathbb{N}} Nat(p) \to Nat(p+1)$. Let $p \in \mathbb{N}$ and $z \in Nat(p)$. Let also $X \in \mathbb{N} \to SAT$, $x \in X(0)$ and $y \in \bigcap_{m \in \mathbb{N}} Nat(m) \to X(m) \to X(m+1)$. Then $yz \in X(p) \to X(p+1)$ and $(\lambda v.vxy)z \in X(p)$, so $yz((\lambda v.vxy)z) \in X(p+1)$. Hence $\lambda zxy.yz((\lambda v.vxy)z) \in \bigcap_{p \in \mathbb{N}} Nat(p) \to Nat(p+1)$.
• M ≡ Rec M₁ M₂. We have to prove that
The Corollary follows in a standard way from the Theorem (see the proof of Theorem 3.15) by taking for ρ the identity valuation ρ₀ and by observing that, if M → N, then ⟦M⟧_{ρ₀} reduces to ⟦N⟧_{ρ₀} in at least one step. For the latter:
$$\llbracket Rec\,M_1\,M_2\,(S\,x) \rrbracket_\rho \equiv (\lambda z.z\,\llbracket M_1 \rrbracket_\rho\,\llbracket M_2 \rrbracket_\rho)\big((\lambda zpq.qz((\lambda v.vpq)z))\,\rho(x)\big),$$
which reduces to
$$\llbracket M_2 \rrbracket_\rho\,\rho(x)\,\big((\lambda v.v\,\llbracket M_1 \rrbracket_\rho\,\llbracket M_2 \rrbracket_\rho)\,\rho(x)\big) \equiv \llbracket M_2\,x\,(Rec\,M_1\,M_2\,x) \rrbracket_\rho.$$
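The following is an added worked example, not code from the paper: a small de Bruijn-indexed untyped λ-calculus in Python that makes the notions of Section 3 (key redex, red_k, SN and the fact K M N ∈ X for N ∈ SN) and the CC_N case just treated executable. ⟦S⟧ = λzxy.yz((λv.vxy)z) and ⟦Rec M₁ M₂⟧ = λz.z⟦M₁⟧⟦M₂⟧ are read off the proof above; the remaining choices are assumptions made here and not stated on the page: ⟦0⟧ = λxy.x (so that 0 x y = x, matching x ∈ X(0) in the S-case), the key-redex clauses for plain λ-terms (taken by analogy with the wrec and case clauses of Section 4), and the concrete step function λpr.S r used to compute m + n by Rec. The SN check is an exhaustive search over reducts that decides SN only for terms whose reduction graph is finite (SN is undecidable in general); it is included to make the hypothesis N ∈ SN in 'K M N ∈ X' visible on an example, not as a general procedure.

```python
"""Untyped lambda-terms in de Bruijn notation with the key redex, red_k and
SN notions of Section 3, and the CC_N encodings of S and Rec from Section 5.
Added worked example; none of this code is from the paper."""

def V(i): return ('v', i)          # variable, de Bruijn index i
def L(b): return ('l', b)          # abstraction with body b
def A(f, *args):                   # left-nested application f a1 ... an
    for a in args:
        f = ('a', f, a)
    return f

def shift(t, d, c=0):
    """Add d to every free index >= c (the cutoff rises under binders)."""
    if t[0] == 'v': return V(t[1] + d) if t[1] >= c else t
    if t[0] == 'l': return L(shift(t[1], d, c + 1))
    return ('a', shift(t[1], d, c), shift(t[2], d, c))

def subst(t, j, s):
    """t[j := s], shifting s whenever it passes under a binder."""
    if t[0] == 'v': return s if t[1] == j else t
    if t[0] == 'l': return L(subst(t[1], j + 1, shift(s, 1)))
    return ('a', subst(t[1], j, s), subst(t[2], j, s))

def beta(lam, arg):
    """Contract the redex (lam arg), lam = ('l', body)."""
    return shift(subst(lam[1], 0, shift(arg, 1)), -1)

def key_redex(t):
    """(lambda x.P)Q is its own key redex; if M has key redex N, so has M P
    (clauses assumed here by analogy with wrec/case in Section 4). A redex
    under a lambda is a head redex but not a key redex. None if absent."""
    while t[0] == 'a':
        if t[1][0] == 'l':
            return t
        t = t[1]
    return None

def redk(t):
    """red_k(t): t with its (unique) key redex contracted."""
    if key_redex(t) is None:
        raise ValueError('no key redex')
    if t[1][0] == 'l':
        return beta(t[1], t[2])
    return ('a', redk(t[1]), t[2])

def reducts(t):
    """All one-step beta-reducts of t, leftmost-outermost first."""
    if t[0] == 'v': return []
    if t[0] == 'l': return [L(b) for b in reducts(t[1])]
    out = [beta(t[1], t[2])] if t[1][0] == 'l' else []
    out += [('a', f, t[2]) for f in reducts(t[1])]
    return out + [('a', t[1], a) for a in reducts(t[2])]

_SN_MEMO = {}
def is_sn(t, path=()):
    """Exhaustive SN check for small terms (SN is undecidable in general):
    t is SN iff all its reducts are; meeting t again on the current path
    exhibits an infinite reduction t ->+ t, so then t is not SN."""
    if t in _SN_MEMO: return _SN_MEMO[t]
    if t in path: return _SN_MEMO.setdefault(t, False)
    _SN_MEMO[t] = all(is_sn(r, path + (t,)) for r in reducts(t))
    return _SN_MEMO[t]

def nf(t, fuel=100000):
    """Normal form by normal-order reduction (finds it whenever one exists)."""
    while fuel:
        rs = reducts(t)
        if not rs: return t
        t, fuel = rs[0], fuel - 1
    raise RuntimeError('fuel exhausted')

K = L(L(V(1)))                                  # lambda x y. x (Section 3)
OMEGA = A(L(A(V(0), V(0))), L(A(V(0), V(0))))   # (lambda x.xx)(lambda x.xx), not SN
ZERO = K                  # assumption: [[0]] = lambda x y. x, so 0 x y = x
SUCC = L(L(L(A(V(0), V(2), A(L(A(V(0), V(2), V(1))), V(2))))))  # [[S]] from the proof
def REC(m1, m2):          # [[Rec M1 M2]] = lambda z. z [[M1]] [[M2]]
    return L(A(V(0), shift(m1, 1), shift(m2, 1)))
STEP = L(L(A(SUCC, V(0))))   # lambda p r. S r: assumed step function for addition

def num(n):
    """The numeral S^n 0 as an untyped term."""
    return ZERO if n == 0 else A(SUCC, num(n - 1))

def to_int(t):
    """Decode a closed numeral: nf(0) = lambda x y.x, nf(S n) = lambda x y. y n' (...)."""
    t = nf(t)
    if t == ZERO: return 0
    if t[0] != 'l' or t[1][0] != 'l' or t[1][1][0] != 'a' or t[1][1][1][0] != 'a':
        raise ValueError('not a numeral')
    return 1 + to_int(t[1][1][1][2])            # the n' in lambda x y. y n' (...)

def plus(m, n):
    """m + n by primitive recursion on m: Rec with base n and step STEP."""
    return A(REC(n, STEP), m)

def rec_on_succ_steps():
    """The reduction checked in the proof for CC_N, with M1 = 0, M2 = STEP and
    a free variable x: count the key-redex contractions that take
    [[Rec M1 M2 (S x)]] to [[M2 x (Rec M1 M2 x)]] (-1 if never reached)."""
    x = V(0)
    t = A(REC(ZERO, STEP), A(SUCC, x))
    target = A(STEP, x, A(REC(ZERO, STEP), x))
    for n in range(50):
        if t == target: return n
        if key_redex(t) is None: return -1
        t = redk(t)
    return -1

if __name__ == '__main__':
    print(redk(redk(A(K, V(0), V(1)))) == V(0), is_sn(A(K, V(0), V(1))),
          is_sn(A(K, V(0), OMEGA)), to_int(plus(num(2), num(3))), rec_on_succ_steps())
```

rec_on_succ_steps() follows the key-redex path from ⟦Rec 0 M₂ (S x)⟧ and reaches the term ⟦M₂ x (Rec 0 M₂ x)⟧ after four contractions, which is the 'at least one step' used for the Corollary; to_int(plus(num(2), num(3))) evaluates the Rec-based addition by normal-order reduction, and is_sn(A(K, V(0), OMEGA)) shows why the fact K M N ∈ X needs N ∈ SN.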

Concluding Remarks
We have given a short and flexible proof of Strong Normalization for the Calculus of Constructions. The flexibility lies in the fact that the framework of saturated sets allows many basic constructions like function types, product types, sum types and positive recursive types. A question that has not been addressed here is whether this construction can be extended to higher universes (adding a sort □₁ with □ : □₁, etcetera). We did look into the extension with inductive types: the example of the natural numbers strongly suggests a general procedure for other inductive types by (roughly) interpreting an inductive type T as the parametrized saturated set that corresponds to the elimination scheme of T. Note, however, that, differently from a system like Coq, the inductive types are in fact kinds here (also called 'large types'). This fits rather naturally with the approach that we have chosen, where the interpretation of a type does not depend on the interpretation of an object. It is not clear to us whether this approach puts a restriction in principle on the extendibility of our proof. Furthermore, it is also not clear to us whether the fact that we have inductive kinds puts a limitation on the expressibility of the system (compared with inductive types).