SHARING PROOFS WITH PREDICATIVE THEORIES THROUGH UNIVERSE POLYMORPHIC ELABORATION

Abstract. As the development of formal proofs is a time-consuming task, it is important to devise ways of sharing already written proofs to avoid wasting time redoing them. One of the challenges in this domain is to translate proofs written in proof assistants based on impredicative logics into proof assistants based on predicative logics, whenever impredicativity is not used in an essential way. In this paper we present a transformation for sharing proofs with a core predicative system supporting prenex universe polymorphism (as in Agda). It consists in trying to elaborate each term into a predicative universe polymorphic term that is as general as possible. The use of universe polymorphism is justified by the fact that mapping each universe to a fixed one in the target theory is not sufficient in most cases. During the elaboration, we need to solve unification problems in the equational theory of universe levels. In order to do this, we give a complete characterization of when a single equation admits a most general unifier. This characterization is then employed in a partial algorithm which uses a constraint-postponement strategy for trying to solve unification problems. The proposed translation is of course partial, but in practice it allows one to translate many proofs that do not use impredicativity in an essential way. Indeed, it was implemented in the tool Predicativize and then used to translate semi-automatically many non-trivial developments from Matita's library to Agda, including proofs of Bertrand's Postulate and Fermat's Little Theorem, which (as far as we know) were not previously available in Agda.


Introduction
An important achievement of the research community in logic is the invention of proof assistants. Such tools allow for interactively writing proofs, which are then checked automatically and can be reused in other developments. Proof assistants not only help mathematicians make sure that their proofs are indeed correct, but are also used to verify the correctness of safety-critical software.
Interoperability of proof assistants. Unfortunately, a proof written in a proof assistant cannot be directly reused in another one, which leaves each tool isolated in its own library of proofs. This is especially the case when considering two proof assistants with incompatible logics, as then simply translating from one syntax to another would not work. Therefore, in order to share proofs between systems it is often necessary to perform logical transformations.
A naive approach to sharing proofs from a proof assistant A to a proof assistant B is to define a transformation acting directly on the syntax of A and then implement it using the codebase of A. However, this code would be highly dependent on the implementation of A and could easily become outdated as the codebase of A evolves. Moreover, if there is another proof assistant A′ whose logic is very similar to that of A, then this transformation would have to be implemented once again in order to be used with A′: the translation is implementation-dependent.
Logical Frameworks & Dedukti. A better solution is instead to first define the logics of all proof assistants in a common formalism, a logical framework. Then, proof transformations can be defined uniformly inside the logical framework. Hence, such transformations no longer depend on the implementations, but instead on the logics that are implemented.
The logical framework Dedukti [ABC+16] is a good candidate for a system in which multiple logics can be encoded, allowing for logical transformations to be defined uniformly inside Dedukti. Indeed, the framework has already been shown to be sufficiently expressive to encode the logics of many proof assistants [BDG+23]. Moreover, previous works have shown how proofs can be transformed inside Dedukti. For instance, Thiré describes in [Thi18] a transformation translating a proof of Fermat's Little Theorem from the Calculus of Inductive Constructions to Higher Order Logic (HOL), which can then be exported to multiple proof assistants such as HOL, PVS, Lean, etc. Géran also used Dedukti to export the formalization of Euclid's Elements Book 1 in Coq [BNW19] to several proof assistants [Gé].
(Im)Predicativity. One of the challenges in proof interoperability is sharing proofs coming from impredicative proof assistants (the majority of them) with predicative ones such as Agda. Indeed, impredicativity, which states that propositions can refer to entities of arbitrary sizes, is a logical principle absent from predicative systems. It is therefore clear that any proof that uses impredicativity in an essential way cannot be translated to a predicative system. Nevertheless, one can wonder whether most proofs written in impredicative systems really use impredicativity and, if not, how one could devise a way of detecting and translating them to predicative systems.
A predicativization transformation. In this paper, we tackle this problem by proposing a transformation that tries to do precisely this. Our translation works by forgetting all the universe information of the initial impredicative term, and then trying to elaborate it into a predicative universe-polymorphic term that is as general as possible. The need for universe polymorphism arises from the fact that mapping each universe to a unique one in the target theory does not work in most cases; this is explained in detail in Section 3.
Universe level unification. During the translation, we need to solve level unification problems which are generated when elaborating the impredicative term into a universe polymorphic one. We therefore develop a unification algorithm for the equational theory of universe levels. This is done by first giving a novel and complete characterization of which equations admit a most general unifier (m.g.u.), along with an explicit description of a m.g.u. when it exists. This characterization is then employed in a unification algorithm implementing a constraint-postponement strategy: at each step, we look for an equation admitting a m.g.u. and solve it while applying the obtained substitution to the other equations, in the hope of bringing new ones into the fragment admitting a m.g.u.

The implementation. Our predicativization algorithm was implemented on top of the DkCheck type-checker for Dedukti in the tool Predicativize (openly available at https://github.com/Deducteam/predicativize), allowing for the translation of proofs semi-automatically inside Dedukti. These proofs can then be exported to Agda, the main proof assistant based on predicative type theory.
Translating Matita's library. The tool has been used to translate the whole of Matita's arithmetic library to the proof assistant Agda in a semi-automatic way, making many important mathematical developments available to Agda users. In particular, this work has led to (as far as we know) the first ever proofs of Fermat's Little Theorem and Bertrand's Postulate in Agda. The proof of Bertrand's Postulate in Matita had even been the subject of a whole journal publication [AR12], evidencing its complexity and importance. Thanks to Predicativize, the same hard work did not have to be repeated to make it available in Agda, as the transformation allowed the translation of the whole proof without any need for specialist knowledge about it.
Outline. We start in Section 2 with an introduction to Dedukti, before moving to Section 3, where we present informally the problems that appear when translating proofs to predicative systems. We then introduce in Section 4 a predicative universe-polymorphic system, which is a subsystem of Agda and is used as the target of the translation. This is followed by Section 5, in which we present the elaboration algorithm. Section 6 then contributes a complete characterization of equations admitting a m.g.u., which is then used to give an algorithm for universe level unification. We then introduce the tool Predicativize in Section 7, and describe the translation of Matita's library in Section 8. Finally, Section 9 concludes and discusses related and future work.

Related version.
A preliminary version of this work [FBB23] was published in the proceedings of the 31st EACSL Annual Conference on Computer Science Logic. This journal version contains a number of improvements, among which are the following: (1) A main novelty with respect to [FBB23] is that we provide a complete characterization of when a single equation between universe levels admits a m.g.u. (most general unifier), along with an explicit description of such a m.g.u. This characterization then allows us to give a much improved algorithm for level unification, which in particular is complete for singleton problems, whereas the original algorithm is not.
(2) The confluence proof of UPP in [FBB23] relied on the ad hoc restriction that level variables could only be replaced by levels. We make this condition more precise and integrate it into the definition of Dedukti by adopting a presentation featuring confinement, a technique first proposed in [ADJL17] which makes it possible to isolate a first-order subset of terms from the higher-order part of the syntax. (3) Finally, most of the text has been rewritten in order to improve the presentation.

Dedukti
In this work we use Dedukti [ABC+16, BDG+23] as the framework in which we express the various type theories and define our proof transformation. Therefore, we start with a quick introduction to this system. For a reader familiar with Dedukti, see Remark 2.1 for a comparison of our presentation of Dedukti with more standard ones; in particular, note that we use a version with confinement [ADJL17].
The syntax of Dedukti is defined by the following grammars. Here, c ranges over a set of constants C and f ranges over a set of confined constants F. Similarly, x ranges over an infinite set of variables V, whereas i ranges over an infinite set of confined variables I, and we write α for either x or i. We assume that each confined constant f comes with an arity n ∈ ℕ. We write α.t for abstraction, (α : A) → B for the dependent function type, and whenever α does not appear free in B we write A → B instead of (α : A) → B. A substitution θ is a finite set of pairs x ↦ t or i ↦ e, and we write t[θ] or e[θ] for its application to a term or confined term, and dom(θ) for the set of variables that are assigned a term or confined term by θ.

(Terms) t, u, A, B ::= c | x | Type | Kind | t u | t e | α.t | (α : A) → B
(Confined terms) e, e′ ::= i | f(e₁, ..., eₙ) where arity(f) = n

A context Γ is a finite sequence of entries of the form α : A. A signature Σ is a finite sequence of entries of the form c : A or c : A := t or f : (i₁ : B₁ .. iₙ : Bₙ) → A, where we must have arity(f) = n. We adopt the convention of writing the names of constants of the signature in blue sans serif font.
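To make the two-layer syntax concrete, the separation between confined and ordinary terms can be mirrored by a small abstract syntax tree. The following Python sketch is purely illustrative: it is not the representation used by DkCheck, and the arity table is a hypothetical example.

```python
from dataclasses import dataclass

# Hypothetical confined signature: each confined constant has a fixed arity.
ARITY = {'zero': 0, 's': 1, 'max': 2}

@dataclass(frozen=True)
class CVar:
    """A confined variable i."""
    name: str

@dataclass(frozen=True)
class CApp:
    """A confined application f(e1, ..., en); it must respect arity(f) = n."""
    head: str
    args: tuple
    def __post_init__(self):
        assert ARITY[self.head] == len(self.args), "arity mismatch"

@dataclass(frozen=True)
class Var:
    """An ordinary variable x."""
    name: str

@dataclass(frozen=True)
class App:
    """An ordinary application t u or t e: ordinary terms may contain
    confined terms, but confined terms never contain ordinary ones."""
    fun: object
    arg: object
```

For instance, CApp('s', (CVar('i'),)) is a well-formed confined term, while CApp('max', (CVar('i'),)) is rejected by the arity check, reflecting the first-order discipline of the confined layer.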
A rewrite system R is a set of rewrite rules, which are pairs of the form c t⃗ ⟶ u or f(e⃗) ⟶ e′. Given a signature Σ, we also consider the δ-rules allowing for the unfolding of definitions: we have c ⟶ t ∈ δ for each c : A := t ∈ Σ. We then denote by ⟶_R the closure by context and substitution of R, and by ⟶_δ the closure by context of δ. Finally, we define ⟶_β as the closure by context of (x.t) u ⟶ t[u/x], and ⟶_βc as the closure by context of (i.t) e ⟶ t[e/i], and we write ⟶_ββcRδ for the union of these relations.

Rewriting allows us to define equality by computation, but not all equalities can be defined like this in a well-behaved way, e.g. the commutativity of some operator. Therefore, we also consider rewriting modulo equations [Bla03]. If E is a set of equations of the form t ≃ t′ or e ≃ e′, we write ≃_E for its congruence closure, that is, its reflexive, symmetric and transitive closure by context and substitution. Because R and E are usually kept fixed, in the following we write ⟶ for ⟶_ββcRδ, ≃ for ≃_E and ≡ for the reflexive, symmetric and transitive closure of ⟶ ∪ ≃.
One notion central to Dedukti is that of a theory, which is a triple T = (Σ, R, E) where Σ is a signature and all constants appearing in R and E are declared in Σ. Theories are used to define in Dedukti the object logics in which we work (for instance, predicate logic). Given a theory T, we define the typing rules of Dedukti as the ones of Figure 1. Note moreover that the signature Σ and the conversion relation ≡ are the ones defined by the theory T. Whenever the underlying theory is not clear from the context, we write Γ ⊢_T t : A.
A signature entry c : A or c : A := t is typechecked with respect to the theory (Σ′, R′, E′), where Σ′ is the prefix of Σ_T preceding the entry in question, and R′, E′ are the restrictions of R_T, E_T to rules and equations only containing constants in Σ′.
Remark 2.1. Compared with most presentations of Dedukti [ABC+16, BDG+23], ours features three relevant differences: (1) We consider a syntax with non-annotated abstractions. As shown in [Dow93], this leads to undecidable type checking. However, in this article we only work with adequate encodings [Fel22], in which the only terms of interest are the β-normal forms, for which type checking remains decidable and thus annotations would be redundant. (2) As mentioned previously, we consider a version with confinement. This notion, first introduced in [ADJL17], makes it possible to syntactically isolate a first-order part of the syntax from the higher-order one. In [ADJL17] it is used to provide a confluence criterion for non-left-linear rewriting, and in this work we also rely on it to show confluence of one of our theories.
(3) Like some other works [ADJL17, Gen20, Bla22], we consider a version of Dedukti with rewriting modulo. This is essential to support some equations which cannot be oriented into rewrite rules.
We recall the following basic metaproperties of Dedukti.
Substitution: If Γ, i : B, Γ′ ⊢ t : A and Γ ⊢ e : B then Γ, Γ′[e/i] ⊢ t[e/i] : A[e/i].
In the following, suppose that the underlying theory is well-formed.
Validity: If Γ ⊢ t : A then either A = Kind or Γ ⊢ A : s for some sort s.
Subject reduction for δ: If Γ ⊢ t : A and t ⟶_δ t′ then Γ ⊢ t′ : A.
We say that injectivity of dependent products holds when (x : A) → B ≡ (x : A′) → B′ implies A ≡ A′ and B ≡ B′.
Subject reduction for β and βc: If injectivity of dependent products holds, then Γ ⊢ t : A and t ⟶_ββc t′ implies Γ ⊢ t′ : A.
A rule l ⟶ r ∈ R is said to preserve typing whenever Γ ⊢ l[θ] : A implies Γ ⊢ r[θ] : A, for every θ, Γ, A.
Subject reduction for R: If every rule in R preserves typing, then Γ ⊢ t : A and t ⟶_R t′ implies Γ ⊢ t′ : A.
Proof. All proofs are by induction on the typing derivation. We refer to [Bla01, Sai15a] for detailed proofs; even though the definition of the typing system there is not exactly the same, the proofs for the variant used here are straightforward adaptations of their proofs.
2.1. Defining type theories in Dedukti. We briefly review how one can define a type theory with Russell-style universes and dependent products [Fel22]¹. Given a set S of sorts, we start by declaring for each s ∈ S a framework type of object types, and a framework family of object terms indexed by object types.
Ty s : Type for s ∈ S    Tm s : Ty s → Type for s ∈ S

Then, an object type A is represented as an element of Ty s for some sort s, and an object term t of type A is represented as an element of Tm s A, where s is the level of A. That is, we write A : Ty s to represent the object-level judgment form A type_s, and t : Tm s A to represent the object-level judgment form t :_s A. As an example, if we wanted to add natural numbers at sort s₀ ∈ S, we would add constants Nat : Ty s₀, 0 : Tm s₀ Nat, S : Tm s₀ Nat → Tm s₀ Nat, and then a constant for its elimination principle along with its corresponding rewrite rules.
We now add universes. To do this, we suppose we are given a functional relation A ⊆ S², relating a sort to its successor, and then postulate a type U s in Ty s′ for each (s, s′) ∈ A. We now want the terms of type U s to correspond to the types in Ty s. One way of achieving this is by postulating a definitional isomorphism Tm s′ (U s) ≃ Ty s, which defines Coquand-style universes [Coq18, KHS19, ABKT19]. But because in Dedukti we have type-level rewrite rules, we can replace this isomorphism with an identification given by a rewrite rule, yielding Russell-style universes. The terms of the object-level type U s thus become the same as the object-level types at sort s.
U s : Ty s′ for (s, s′) ∈ A    Tm s′ (U s) ⟶ Ty s for (s, s′) ∈ A

Let us now define dependent products. We now suppose we are given a relation R ⊆ S³, which is functional when seen as a relation S² × S. Then, for each triple (s, s′, s″) ∈ R, we postulate a constant Π s,s′ mapping a type A : Ty s and a family B : Tm s A → Ty s′ to a type in Ty s″. Then we add abstraction λ s,s′, mapping a family (x : Tm s A) → Tm s′ (B x) to an element of Tm s″ (Π s,s′ A B), and application @ s,s′, mapping terms t : Tm s″ (Π s,s′ A B) and u : Tm s A to a term in Tm s′ (B u).

Π s,s′ : (A : Ty s) → (B : Tm s A → Ty s′) → Ty s″    for (s, s′, s″) ∈ R
λ s,s′ : (A : Ty s) → (B : Tm s A → Ty s′) → ((x : Tm s A) → Tm s′ (B x)) → Tm s″ (Π s,s′ A B)    for (s, s′, s″) ∈ R
@ s,s′ : (A : Ty s) → (B : Tm s A → Ty s′) → (t : Tm s″ (Π s,s′ A B)) → (u : Tm s A) → Tm s′ (B u)    for (s, s′, s″) ∈ R

Finally, we need to state the computation rule associated with dependent products. The most natural choice would be to take the following rule.

@ s,s′ A B (λ s,s′ A B t) u ⟶ t u    for (s, s′, s″) ∈ R

However, this rule is non-left-linear, and thus the rewrite system it generates is non-confluent on raw terms [Klo63]. Instead, the standard solution is to linearize [Bla05, Sai15b, MW96] the rule, by replacing the second occurrences of the variables A, B with new fresh variables A′, B′.
Note that the left-hand side is then not well-typed anymore, but this is not a problem. Indeed, the important property we can show is that for all well-typed instances of the left-hand side, A becomes convertible to A′ and B becomes convertible to B′, which then guarantees that the right-hand side is well-typed with the same type as the left one. This concludes the definition of the theory, which is summarized in Figure 2. In the following, we adopt some conventions to make the notation lighter. First, we write Π s,s′ x : A.B for Π s,s′ A (x.B), or A ⇝ s,s′ B when x ∉ fv(B). Moreover, in order to keep examples readable it will be essential to treat some arguments as implicit: namely, we will write Tm A instead of Tm s A, Πx : A.B instead of Π s,s′ x : A.B, t @ u instead of @ s,s′ A B t u, and λx.t instead of λ s,s′ A B (x.t). Nevertheless, note that this is just an informal notation, as there is no support in Dedukti for omitting arguments; alternatively, one could work in a framework with native support for erased arguments, such as [Fel23].
Remark 2.3. In the Pure Type Systems (PTS) [Bar93] literature, the triple (S, A, R) is known as a (functional) PTS specification, and each such specification defines a PTS. The main result of [Fel22] is that the theory in Figure 2 defines an adequate encoding of the associated PTS in Dedukti.

An informal look at predicativization
In this informal section we present the problem of proof predicativization and discuss the challenges that arise, through the use of examples. Even though the examples might be unrealistic, they showcase real problems we found during our first attempt at predicativizing the Fermat's Little Theorem library in HOL [Thi18], some of them having already been noted in [Del20].
We first start by defining the predicative theory P and the impredicative theory I, which will serve respectively as the target and source of our proof transformation. They are defined by instantiating the theory of Figure 2 with the following specifications; following Remark 2.3, they can equivalently be seen as the Pure Type Systems defined by these specifications.

Ty s : Type for s ∈ S
Tm s : Ty s → Type for s ∈ S
U s : Ty s′ for (s, s′) ∈ A
Tm s′ (U s) ⟶ Ty s for (s, s′) ∈ A
Π s,s′ : (A : Ty s) → (B : Tm s A → Ty s′) → Ty s″ for (s, s′, s″) ∈ R
λ s,s′ : (A : Ty s) → (B : Tm s A → Ty s′) → ((x : Tm s A) → Tm s′ (B x)) → Tm s″ (Π s,s′ A B) for (s, s′, s″) ∈ R
@ s,s′ : (A : Ty s) → (B : Tm s A → Ty s′) → (t : Tm s″ (Π s,s′ A B)) → (u : Tm s A) → Tm s′ (B u) for (s, s′, s″) ∈ R
@ s,s′ A B (λ s,s′ A′ B′ t) u ⟶ t u for (s, s′, s″) ∈ R

Figure 2: Dedukti theory defined by specification (S, A, R)
S_I := {Ω, □}    S_P := ℕ
A_I := {(Ω, □)}    A_P := {(n, n+1) | n ∈ ℕ}
R_I := {(Ω, Ω, Ω), (□, Ω, Ω), (□, □, □)}    R_P := {(n, m, max{n, m}) | n, m ∈ ℕ}

Note that in the theory I we have (□, Ω, Ω) ∈ R_I, and thus for Γ ⊢ A : Ty □ and Γ, x : Tm A ⊢ B : Ty Ω we have Γ ⊢ Πx : A.B : Ty Ω. Therefore, the sort Ω is closed under dependent products indexed over types in □, a larger sort, so I is indeed an impredicative theory. Finally, we note that P is a subtheory of the one implemented in Agda, whereas I is a subtheory of the ones implemented in Coq, Matita, Isabelle, etc., justifying why they are of interest.
In the following, a signature Φ is said to be well-formed in a theory T when the theory (Σ′, R_T, E_T) is well-formed, where Σ′ := Σ_T, Φ. In this case, Φ is said to be a local signature, in contrast to Σ_T, which is global. We will also write names of constants in the local signature in black sans serif in order to distinguish them, whereas names in the global one are still written in blue sans serif.
Then, the problem of proof predicativization consists in defining a transformation which, given a local signature Φ well-formed in I, translates it to a local signature Φ′ well-formed in P. Stated informally, we would like to translate constant declarations c : A (which represent axioms) and constant definitions c : A := t (which also represent proofs) from I to P; confined constant declarations f : Δ → A will not be of interest here. Note in particular that such a transformation is not applied to a single term but to a sequence of declarations and definitions, which can be related by dependency; this dependency turns out to be a major issue, as we will see.

Now that our basic notions are explained, let us try to predicativize proofs. For our first step, consider a very simple development showing that for every type A in U Ω we can build a term in A ⇝ A; this is actually just the polymorphic identity function at sort Ω.
Note that we adopt an Agda-like syntax to display entries of the local signature.

id : Tm (ΠA : U Ω. A ⇝ A)
id := λA.λx.x

To translate this simple development, the first idea that comes to mind is to define a mapping on sorts: the sort Ω is mapped to 0 and the universe □ is mapped to 1. If this mapping defined a specification morphism², then this transformation would always produce a valid definition in P [Geu93, Lemma 4.2.6]. Unfortunately, it is easy to check that it does not define a specification morphism (worse, no function S_I → S_P defines a specification morphism). Nevertheless, this does not mean that it cannot produce something well-typed in P in some cases. For instance, by applying it to id we get the following entry, which is actually well-typed in P.
id : Tm (ΠA : U 0. A ⇝ A)
id := λA.λx.x

This naive approach however quickly fails when considering other cases. For instance, suppose now that one adds the following definition.

id-to-id : Tm ((ΠA : U Ω. A ⇝ A) ⇝ (ΠA : U Ω. A ⇝ A))
id-to-id := id @ (ΠA : U Ω. A ⇝ A)
If we try to perform the same syntactic translation as before, we get the following result.
id-to-id : Tm ((ΠA : U 0. A ⇝ A) ⇝ (ΠA : U 0. A ⇝ A))
id-to-id := id @ (ΠA : U 0. A ⇝ A)

However, one can verify that this term is not well-typed. Indeed, in the original term one quantifies over all types in U Ω in the term ΠA : U Ω. A ⇝ A, and because of impredicativity this term stays at U Ω. However, in P quantifying over all elements of the universe U 0 in ΠA : U 0. A ⇝ A lifts the overall type of the term to U 1. As id expects a term of type U 0, the term id @ (ΠA : U 0. A ⇝ A) is not well-typed.
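This failure is an instance of the impossibility noted above. Indeed, no sort mapping φ : S_I → S_P can be a specification morphism, because the axiom and the impredicative rule of I impose contradictory constraints on φ:

```latex
(\Omega,\square) \in \mathcal{A}_I
  \;\Longrightarrow\; \varphi(\square) = \varphi(\Omega) + 1,
\qquad
(\square,\Omega,\Omega) \in \mathcal{R}_I
  \;\Longrightarrow\; \max\{\varphi(\square),\varphi(\Omega)\} = \varphi(\Omega)
  \;\Longleftrightarrow\; \varphi(\square) \le \varphi(\Omega),
```

and no natural numbers satisfy both φ(□) = φ(Ω) + 1 and φ(□) ≤ φ(Ω).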
The takeaway lesson from this first try is that impredicativity introduces a kind of typical ambiguity, as it allows us to put in a single universe U Ω types which, in a predicative setting, would have to be stratified and placed in larger universes. Therefore, we should not naively translate every occurrence of Ω as 0 as we did, but should instead try to compute for each occurrence of Ω some natural number n such that replacing it by n produces a valid term in P. In other words, we should erase all sort information and then elaborate the result into a well-typed term in P.
Thankfully, performing this kind of transformation is exactly the goal of the tool Universo [Thi20]. To understand how it works, let us come back to the previous example. Universo starts here by replacing each sort by a fresh metavariable representing a natural number.

²That is, if (s, s′) ∈ A_I implies (φ(s), φ(s′)) ∈ A_P and (s, s′, s″) ∈ R_I implies (φ(s), φ(s′), φ(s″)) ∈ R_P, where φ : S_I → S_P is the sort mapping.
Then, in the following step, Universo tries to elaborate the term into a well-typed one in P. To do so, it first tries to typecheck it, generating constraints in the process. These constraints are then given to an SMT solver, which is used to compute for each metavariable i a natural number such that the local signature is valid in P. For instance, applying Universo to our previous example would produce the following local signature, which is indeed valid with respect to P.
By using Universo it is possible to go much further than with the naive method shown before. Still, this approach also fails when applied to real libraries. To see why, consider the following minimal example, in which one uses id twice to build another element of the same type.
If we repeat the same procedure as before, we get the following entries, which when type checked generate unsolvable constraints.
The reason is that the application id @ (ΠA : U i₃. A ⇝ A) @ id forces i₁ to be both i₃ and i₃ + 1, which is of course impossible. Therefore, the takeaway lesson from this second try is that impredicativity does not only hide the fact that types need to be stratified, but also the fact that they need to be usable at multiple levels of this stratification. Indeed, in our example we would like to use id both at type ΠA : U i₃. A ⇝ A and at type ΠA : U i₃+1. A ⇝ A. In practice, when trying to translate libraries using Universo we found that at very early stages a translated proof or object was already needed at multiple universes at the same time, causing the translation to fail.
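The behavior of this constraint-solving step can be illustrated with a toy model in Python. Here a brute-force search stands in for the SMT solver used by the real tool, and the constraint encoding is a deliberate simplification of ours, not Universo's actual format:

```python
from itertools import product

def solve(metavars, constraints, bound=8):
    """Search for an assignment of naturals < bound to the metavariables
    satisfying all constraints; return None if no such assignment exists
    within the bound. Each constraint is a predicate on the assignment."""
    for values in product(range(bound), repeat=len(metavars)):
        env = dict(zip(metavars, values))
        if all(c(env) for c in constraints):
            return env
    return None

# The first id example is solvable: quantifying over U_{i2} forces
# i1 to be the successor of i2, and any such assignment works.
print(solve(['i1', 'i2'], [lambda e: e['i1'] == e['i2'] + 1]))

# The example using id twice forces i1 to be both i3 and i3 + 1,
# so the search finds no assignment at all.
print(solve(['i1', 'i3'], [lambda e: e['i1'] == e['i3'],
                           lambda e: e['i1'] == e['i3'] + 1]))
```

The second call returning no solution is exactly the failure mode described above: with concrete universe assignments, a single entry cannot be used at two levels at once.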
Therefore, in order to properly compensate for the lack of impredicativity, we should not translate entries by fixing their universes once and for all, but should instead let them vary by using universe polymorphism [HP91, ST14]. This feature, present in some type theories (and in particular in the one of Agda [Tea]), allows defining terms containing universe variables, which can later be instantiated at various concrete universes.
Our translation will then work by first computing, for each definition or declaration, its set of constraints. However, instead of assigning concrete values to metavariables, we perform unification, which allows us to solve constraints in a symbolic way. The result will then be a universe polymorphic term, which will be usable at multiple universes when translating the next entries. In order to define this formally, we start in the next section by refining the target type theory P with universe polymorphism.
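As a preview of the constraint-postponement strategy, the overall loop can be sketched as follows. This is a Python illustration only: levels are encoded as nested tuples, and solve_single handles just the trivial case of an equation x ≈ l with x not occurring in l, whereas the characterization given later covers a much larger class of equations.

```python
# Level expressions as nested tuples:
#   ('zero',), ('var', x), ('s', l), ('max', l1, l2)

def variables(l):
    """Set of level variables occurring in a level expression."""
    tag = l[0]
    if tag == 'var':
        return {l[1]}
    if tag == 'zero':
        return set()
    if tag == 's':
        return variables(l[1])
    return variables(l[1]) | variables(l[2])  # 'max'

def substitute(l, subst):
    """Apply a substitution {name: level} to a level expression."""
    tag = l[0]
    if tag == 'var':
        return subst.get(l[1], l)
    if tag == 'zero':
        return l
    if tag == 's':
        return ('s', substitute(l[1], subst))
    return ('max', substitute(l[1], subst), substitute(l[2], subst))

def solve_single(lhs, rhs):
    """A most general unifier for one equation, in a trivial fragment only."""
    for a, b in ((lhs, rhs), (rhs, lhs)):
        if a[0] == 'var' and a[1] not in variables(b):
            return {a[1]: b}
    return None  # outside the fragment handled by this sketch

def unify(equations):
    """Constraint postponement: repeatedly solve one equation admitting a
    m.g.u., apply the substitution to the rest, and postpone the others."""
    subst, pending = {}, list(equations)
    progress = True
    while pending and progress:
        progress = False
        for k, (lhs, rhs) in enumerate(pending):
            mgu = solve_single(lhs, rhs)
            if mgu is not None:
                del pending[k]
                subst = {x: substitute(l, mgu) for x, l in subst.items()}
                subst.update(mgu)
                pending = [(substitute(a, mgu), substitute(b, mgu))
                           for a, b in pending]
                progress = True
                break
    return subst, pending  # equations left in `pending` remain unsolved
```

For instance, unifying i ≈ S j yields the substitution {i ↦ S j}, while an equation outside the trivial fragment is simply left pending by this restricted solver.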

A Universe-Polymorphic Predicative Theory
In this section we define UPP, a theory which refines P by internalizing sort annotations and allowing for prenex universe polymorphism [HP91, Gen20]. It is in particular a subsystem of the theory underlying the Agda proof assistant [Tea].
The main change with respect to P is that, instead of indexing constants externally, we index them inside the framework [Ass15]. To do this, we first introduce in Dedukti a syntax for universe levels (which is just the terminology used in the literature for predicative sorts, i.e. ℕ), using the following declarations. Note that the constants 0, S, ⊔ are declared as confined, which will be needed later to show the confluence of the theory.
Lvl : Type
0 : Lvl (confined)
S : (i : Lvl) → Lvl (confined)
⊔ : (i : Lvl, j : Lvl) → Lvl (confined)

In the following, we write ⊔ in infix notation and S in curried notation, and consider ⊔ as having a lower precedence than S; for instance, S i ⊔ S j should be parsed as ⊔(S(i), S(j)). We now call a level a confined term containing only ⊔, S or 0 as constants, and from now on we refer to levels with the letter l. Equivalently, they are generated by the following grammar.
l, l′ ::= i | 0 | S l | l ⊔ l′

The definitions of Figure 2 are then replaced by the following ones. Note that the two rewrite rules are presented in linearized form, in order for them to be left-linear.
Ty : (l : Lvl) → Type
Tm : (l : Lvl) → Ty l → Type
U : (l : Lvl) → Ty (S l)
Tm l′ (U l) ⟶ Ty l
Π : (l l′ : Lvl) → (A : Ty l) → (B : Tm l A → Ty l′) → Ty (l ⊔ l′)
λ : (l l′ : Lvl) → (A : Ty l) → (B : Tm l A → Ty l′) → ((x : Tm l A) → Tm l′ (B x)) → Tm (l ⊔ l′) (Π l l′ A B)
@ : (l l′ : Lvl) → (A : Ty l) → (B : Tm l A → Ty l′) → (t : Tm (l ⊔ l′) (Π l l′ A B)) → (u : Tm l A) → Tm l′ (B u)
@ l l′ A B (λ l₂ l₃ A′ B′ t) u ⟶ t u

In the following, we adopt a subscript notation for levels and write Ty l, Tm l, U l, Π l,l′, λ l,l′ and @ l,l′ to improve clarity. We also continue to write Π l,l′ x : A.B for Π l,l′ A (x.B), or A ⇝ l,l′ B when x ∉ fv(B). Finally, in order to keep examples readable we also reuse our convention for implicit arguments and write Tm A for Tm l A, Πx : A.B for Π l,l′ x : A.B, λx.t for λ l,l′ A B (x.t), and t @ u for @ l,l′ A B t u.
Universe polymorphism can now be represented directly with the use of the framework's function type [Ass15]. Indeed, if a definition contains free level variables, it can be made universe polymorphic by abstracting over such variables. The following example illustrates this.
Example 4.1. The universe polymorphic identity function is given by

id : (i : Lvl) → Tm (ΠA : U i. A ⇝ A)
id := i.λA.λa.a

This then allows us to use id at any universe level: for instance, we can obtain the polymorphic identity function at level 0 with the application id 0, which has type Tm (ΠA : U 0. A ⇝ A).
Remark 4.2. Note that, unlike in some other proposals [BCDE23], there is no object-level operation for universe level abstraction, which is instead handled by the framework's function type. Therefore, universe polymorphic definitions are best understood as schemes.
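To illustrate the scheme view: in our elaboration, once constraint solving finishes, the level variables still free in an entry are abstracted in prenex position, which is precisely what turns the entry into such a scheme. A toy version of this generalization step, over a hypothetical tuple encoding of levels and types, could look as follows:

```python
# Toy generalization step: abstract the residual level variables of a type
# in prenex position, (i : Lvl) -> ..., turning it into a polymorphic scheme.
# The tuple encoding of levels and types here is purely illustrative.

def level_vars(l, acc=None):
    """Level variables of a level expression, in first-occurrence order."""
    acc = [] if acc is None else acc
    tag = l[0]
    if tag == 'var':
        if l[1] not in acc:
            acc.append(l[1])
    elif tag == 's':
        level_vars(l[1], acc)
    elif tag == 'max':
        level_vars(l[1], acc)
        level_vars(l[2], acc)
    return acc

def generalize(residual_levels, ty):
    """Wrap `ty` in one (i : Lvl) -> ... binder per residual level variable."""
    seen = []
    for l in residual_levels:
        for x in level_vars(l):
            if x not in seen:
                seen.append(x)
    for x in reversed(seen):
        ty = ('pi', x, 'Lvl', ty)
    return ty
```

With a single residual variable i, a type body is wrapped as ('pi', 'i', 'Lvl', body), mirroring the shape id : (i : Lvl) → Tm (ΠA : U i. A ⇝ A) of Example 4.1.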
In order to finish the definition of the theory, we need to specify the definitional equality satisfied by levels, which is the one generated by the following equations [Tea]. This then concludes the definition of the theory UPP.
As we will see later with Proposition 6.7, the definition of ≃ ensures that two levels are convertible exactly when they are arithmetically equivalent, allowing us for instance to exchange S i ⊔ i ⊔ 0 and S i.
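This arithmetic reading suggests a simple way of deciding convertibility of levels, sketched here in Python purely for illustration (it is independent of the actual development of Proposition 6.7). Every level denotes, under a valuation of its variables in ℕ, a value of the form max(n, x₁ + k₁, ..., xₘ + kₘ); two levels are then convertible iff their canonical forms coincide.

```python
# Decide arithmetic equivalence of levels via a canonical normal form.
# Levels are nested tuples: ('zero',), ('var', x), ('s', l), ('max', l1, l2).

def normal_form(l):
    """Return (const, offsets): l denotes max(const, max_x (x + offsets[x]))."""
    tag = l[0]
    if tag == 'zero':
        return 0, {}
    if tag == 'var':
        return 0, {l[1]: 0}
    if tag == 's':
        n, offs = normal_form(l[1])
        return n + 1, {x: k + 1 for x, k in offs.items()}
    n1, o1 = normal_form(l[1])  # 'max'
    n2, o2 = normal_form(l[2])
    offs = {x: max(o1.get(x, -1), o2.get(x, -1)) for x in o1.keys() | o2.keys()}
    return max(n1, n2), offs

def convertible(l1, l2):
    """Two levels are arithmetically equivalent iff their canonical forms
    coincide: the constant is dropped when some variable offset dominates it,
    since x + k >= k >= n holds for every valuation of x."""
    def canon(l):
        n, offs = normal_form(l)
        if offs and n <= max(offs.values()):
            n = None
        return n, tuple(sorted(offs.items()))
    return canon(l1) == canon(l2)
```

For example, S i ⊔ i ⊔ 0 and S i both canonicalize to the single entry i + 1, so they are identified, whereas i and S i are kept apart.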

Metatheory of UPP.
We now look at the metatheory of UPP.
Proof. Can be easily verified manually, or automatically with Lambdapi [Ded].
Proposition 4.4. The rewrite system R_UPP is confluent together with the rules β, βc and δ.
Proof. Follows from the fact that the rewrite rules define an orthogonal combinatory reduction system [Kvv93].
The following basic property is similar to [Voe14, Lemma 4.1.6] and shows that ⟶ and ≃ interact well.

Proposition 4.5. If t ≃ u and u ⟶ u′, then t ⟶ t′ for some t′ with t′ ≃ u′; that is, ≃ is a simulation for ⟶.

Proof sketch. (1) If u ⟶ u′ with a δ-rule, then u is a constant, so u = t and t ⟶ u′. (2)-(3) If the step happens under an application, say u = w s ⟶ v s = u′ with w ⟶ v, then t = w′ s′ with w ≃ w′ and s ≃ s′, and by induction hypothesis w′ ⟶ v′ for some v′ ≃ v; therefore, t ⟶ v′ s′ ≃ v s = u′. The cases of R-rules and of the other congruence closures are similar. (4) If u = (x.v) s ⟶ v[s/x], then t = (x.v′) s′ with v ≃ v′ and s ≃ s′. Therefore, t ⟶ v′[s′/x], and v′[s′/x] ≃ v[s/x] follows by stability under substitution. (5) If u = (i.v) l ⟶ v[l/i], then t = (i.v′) l′ with v ≃ v′ and l ≃ l′. Therefore, t ⟶ v′[l′/i], and v′[l′/i] ≃ v[l/i] follows by stability under substitution.
We will need the following simple property about abstract rewriting. Recall that an abstract equational rewrite system (▶, ∼) is given by a binary relation ▶ ⊆ X² and an equivalence relation ∼ ⊆ X². Then (▶, ∼) is said to be Church-Rosser modulo if x (▶ ∪ ◀ ∪ ∼)* y implies x ▶* ∼ ◀* y, where we write juxtaposition for composition of relations, and ◀ for the inverse of ▶.
Proposition 4.6.Let p▶, "q be an abstract equational rewrite system.If ▶ is confluent and " is a simulation for ▶, then p▶, "q is Church-Rossier modulo.
Proof.If x p▶ Y ◀ Y "q ˚y , then we have x p▶ Y ◀ Y "q n y for some n.We prove the result by induction on n, the base case being trivial.For the inductive step, we have for some z.First note that by i.h.we have x ▶ ˚" ˚◀ z.We now have three possibilities: (1) z ▶ y : We have x ▶ ˚" ˚◀ ▶ y , and so by confluence we have x ▶ ˚" ▶ ˚˚◀ y .Using the fact that " is a simulation with respect to ▶, we then get x ▶ ˚" ˚◀ y .(2) z ◀ y : We have x ▶ ˚" ˚◀ ◀ y , and thus x ▶ ˚" ˚◀ y .
(3) z " y : We have x ▶ ˚" ˚◀ " y , thus using the fact that " is a simulation with respect to ▶, we get x ▶ ˚" ˚◀ y .
Proof. Direct consequence of Propositions 4.5 and 4.6.
The previous corollary has two important consequences. First, in order to check t ≡ u we do not need to employ matching modulo ≃, but only regular syntactic matching. This is important because it means that, in order to decide ≡, we do not need to design a specific matching algorithm for ≃, but only to decide ≃ (which is indeed decidable by Theorem 6.6) and to show → to be strongly normalizing for well-typed terms (a property we conjecture to be true). Second, Church-Rosser modulo easily implies injectivity of type formers, from which subject reduction follows, a property that will be essential for showing soundness of elaboration (in particular, it is used in Theorem 5.5).
Proof. From Church-Rosser modulo we get the injectivity of the framework's dependent function type, so from Proposition 2.2 we conclude subject reduction of δ, β and β_c.
By Proposition 2.2 once again, to show subject reduction for R_UPP it suffices to prove that all rewrite rules preserve typing, which easily follows from inversion of typing and Proposition 4.8. Alternatively, preservation of typing can also be verified using Lambdapi [Ded, Bla20] or DkCheck [Sai15b].
Observation 4.10. Coming back to the proof of Proposition 4.5, we remark that the use of confinement was essential there. Indeed, had ⊔, S, 0 been declared as regular constants, their associated equations would also have to be declared with regular variables, and we would have x ≃ x ⊔ x. Then, this equation could be used in cases in which x is instantiated by redexes: for instance, we could have … But then Ty 0 is the only reduct of Tm 0 U 0, yet Ty 0 ≃ Ty 0 ⊔ Tm 0 U 0 does not hold, showing that Proposition 4.5 fails in this setting.
Because Proposition 4.5 is a key lemma for showing Church-Rosser modulo, which is in turn needed to show subject reduction, it is less clear how to derive these properties in a setting without confinement. Because R_UPP is left-linear and there are no critical pairs between R_UPP and E_UPP, nor between R_UPP and itself, one possibility would be to apply [MN98, Theorem 5.11] to show the restriction of ≡ to strongly normalizing (s.n.) terms to be Church-Rosser modulo.
However, to show Church-Rosser modulo for the well-typed restriction of ≡, and then subject reduction, we would then need to show → to be s.n. for well-typed terms. The use of confinement is thus an interesting alternative to this option, as it allows us to establish the main correctness property of elaboration (Theorem 5.5) without relying on strong normalization.

Universe-polymorphic elaboration
We are now ready to define the (partial) transformation of a local signature Φ to the theory UPP. As hinted at the end of Section 3, our translation works by incrementally trying to elaborate each entry of Φ into a universe-polymorphic one in UPP, so that at the end, if no errors are produced in the process, we get a local signature Φ_UPP well-formed in UPP.
In order to explain it, we now suppose that we have already translated a local signature Φ to a local signature Φ_UPP well-formed in UPP, and try to translate a new entry, either of the form c : A or c : A := t. To understand the following steps intuitively, we will make use of a running example: we will translate step by step the second entry id₁. Note that, following our previously established convention, we keep some arguments implicit in order to improve readability.
5.1. Schematic terms. The source syntax of our elaborator will be that of UPP, but where the only allowed confined terms are unsolved confined variables i; we henceforth call such terms schematic terms. Therefore, in order to translate proofs from I, the first step is to define a translation from the syntax of I to the schematic terms of UPP, given by Figure 3. However, note that because the first step erases sort information, this actually defines a translation starting from any theory obtained by instantiating Figure 2 with a specification. Therefore, it can also be applied to theories using much more complex universe hierarchies, such as those of the proof assistants Matita or Coq.
Let us explain the translation of Figure 3. First, all of the constants in the definition of I are mapped to their counterparts in UPP, except that they are also applied to fresh level metavariables which are to be solved during elaboration. Then, constants from Φ are translated as they are, except that they are also given fresh level variables in order to fill in the number of level arguments that they expect. Note that this second step is necessary because the translation of the entries preceding the current one introduced new dependencies on level variables which were not present in I.
Example 5.2. When applying |−| to id₁ we get the following entry.
Note that the occurrences of U_Ω have been replaced by U_i (which is just a notation for U i) for some fresh i. Moreover, because the type of id in Φ_UPP is (i : Lvl) → Tm (ΠA : U i. A ⇝ A), each occurrence of id is replaced by id i for some fresh i. Finally, note that because of implicit arguments we are hiding many new metavariables that were also inserted. For instance, the subterm ΠA : U i₁. A ⇝ A is an implicit notation for Π_{i₅,i₆} A : U i₁. A ⇝_{i₇,i₈} A. However, the term (id i₂) @ (ΠA : U i₃. A ⇝ A) @ (id i₄) written without implicit arguments would not even fit into a line, so for readability reasons we will not write it fully.
5.2. Computing the constraints. Our next step is then to define a typing judgment for computing constraints. This is done by adapting the seminal work of Harper and Pollack [HP91], with the difference that our system is bidirectional.
In regular bidirectional type systems, the typing judgment Γ ⊢ t : A is split into modes infer Γ ⊢ t ⇒ A and check Γ ⊢ t ⇐ A. In mode infer we start with Γ, t and we should find a type A for t in Γ, whereas in mode check we are given Γ, t, A and we should check that t indeed has type A in Γ. Crucial in bidirectional typing is the proper bookkeeping of pre-conditions and post-conditions, which are summarized in the following table; there, we mark inputs with − and outputs with +.

Judgment | Pre-condition | Post-condition
Γ⁻ ⊢ t⁻ ⇒ A⁺ | Γ ⊢ | Γ ⊢ t : A
Γ⁻ ⊢ t⁻ ⇐ A⁻ | Γ ⊢ A : s | Γ ⊢ t : A
In order to define our typing judgment for computing constraints, we refine the bidirectional approach by adding two problems C, D, yielding judgments Γ ↑ D ⊢ t ⇒ A ↓ C for mode infer and Γ ↑ D ⊢ t ⇐ A ↓ C for mode check. In this context, a (unification) problem C is a set containing constraints of the form l ≐ l′ (referred to also as equations), and we write θ ⊨ C when l[θ] ≃ l′[θ] for all l ≐ l′ ∈ C, in which case θ is called a unifier (or solution) for C. Then, given a substitution θ, let us write Ξ_θ for a context containing j : Lvl for all j ∈ fv(i[θ]), for all level variables i inserted in the schematic terms. We then write Γ ⊢ C when, for all θ with dom(θ) ⊆ fv(C), θ ⊨ C implies Ξ_θ, Γ[θ] ⊢, and Γ ⊢_C t : A when θ ⊨ C implies Ξ_θ, Γ[θ] ⊢ t[θ] : A[θ].
Intuitively, just like the context Γ in Γ ⊢ t : A allows us to state a typing judgment t : A under typing hypotheses of the form x : B ∈ Γ, the set of constraints C in Γ ⊢_C t : A refines this with equational hypotheses of the form l ≃ l′. With this in mind, we can now explain the new typing judgments with the following table. Compared with the previous table, we now start with a set of constraints D, which guarantees that the pre-condition holds, and in the process we must also find a C ensuring that the post-condition holds.

Judgment | Pre-condition | Post-condition
Γ⁻ ↑ D⁻ ⊢ t⁻ ⇒ A⁺ ↓ C⁺ | Γ ⊢ D | Γ ⊢_{C∪D} t : A
Γ⁻ ↑ D⁻ ⊢ t⁻ ⇐ A⁻ ↓ C⁺ | Γ ⊢_D A : s | Γ ⊢_{C∪D} t : A
We now come to the definition of the bidirectional typing judgments for computing constraints, given in Figure 4. Note that it also relies on two new conversion judgments A ≡ B ↓ C and A ≡_whnf B ↓ C, used to compute a set of constraints needed for the conversion to hold. In the given rules, we write t →_wh u for the reduction of t to a weak-head normal form (whnf) u.
Example 5.3. In order to compute the constraints of the entry id₁ : Tm (ΠA : U i₁. A ⇝ A), id₁ := (id i₂) @ (ΠA : U i₃. A ⇝ A) @ (id i₄), we first compute the constraints necessary for its type to be of type Type: … Then, once we know that the type is valid under the constraints C₁, we can do the same with the term: … In the end we get the constraints …, where the hidden constraints concern level variables appearing in implicit arguments.
We can show the soundness of the new typing judgment by verifying that each rule locally preserves the invariants of the table; this is the essence of the proof of Theorem 5.5. Before showing it, we first need a lemma establishing soundness of conversion checking. … We now claim that Ξ_θ, Γ[θ], x : A[θ] ⊢ B[θ] : s. Indeed, by validity (Proposition 2.2) we have either C = Kind or Ξ_θ, Γ[θ], x : A[θ] ⊢ C[θ] : s′ for some s′. If C[θ] = Kind then we must have s = Kind, and thus the claim follows from Ξ_θ, Γ[θ], x : A[θ] ⊢ B[θ] : C[θ]. If Ξ_θ, Γ[θ], x : A[θ] ⊢ C[θ] : s′ for some s′, then by subject reduction we have Ξ_θ, Γ[θ], x : A[θ] ⊢ s : s′, in which case we must have s = Type and s′ = Kind. Then, from Ξ_θ, Γ[θ], x : A[θ] ⊢ we can show Ξ_θ, Γ[θ], x : A[θ] ⊢ Type : Kind, and thus by the conversion rule with C[θ] ≡ Type we get Ξ_θ, Γ[θ], x : A[θ] ⊢ B[θ] : Type.
Using validity and inversion of typing, we can also derive Γ ⊢_{C₁∪D} A : Type from Γ ⊢_{C₁∪D} t : (x : A) → B, and thus we can apply the i.h. once again to get Γ ⊢_{C₁∪C₂∪D} u : A.
We thus have Ξ_θ, Γ[θ] ⊢ t[θ] : (x : A[θ]) → B[θ] and Ξ_θ, Γ[θ] ⊢ u[θ] : A[θ], so by the application rule we get Ξ_θ, Γ[θ] ⊢ t[θ] u[θ] : B[θ][u[θ]/x]. Because B[θ][u[θ]/x] = (B[u/x])[θ], the result follows.
‚ Case Abs: By hypothesis we have Γ ⊢_D C : s. We claim that Γ ⊢_D (x : A) → B : s. Indeed, let θ ⊨ D. Then Ξ_θ, Γ[θ] ⊢ C[θ] : s. By subject reduction and C[θ] →* (x : A[θ]) → B[θ] we thus get Ξ_θ, Γ[θ] ⊢ (x : A[θ]) → B[θ] : s. Now let θ ⊨ C ∪ D. From Γ ⊢_D (x : A) → B : s we get Ξ_θ, Γ[θ] ⊢ (x : A[θ]) → B[θ] : s, thus by inversion we have Ξ_θ, Γ[θ] ⊢ A[θ] : Type and Ξ_θ, Γ[θ], x : A[θ] ⊢ B[θ] : s. It is easy to see that Γ ⊢_D (x : A) → B : s implies Γ, x : A ⊢_D B : s, so by the i.h. we also get Γ, x : A ⊢_{C∪D} t : B, and thus Ξ_θ, Γ[θ], x : A[θ] ⊢ t[θ] : B[θ]. We therefore conclude Ξ_θ, Γ[θ] ⊢ λx.t[θ] : (x : A[θ]) → B[θ] by the abstraction rule.
Remark 5.6. One could also wonder whether the calculation of constraints always terminates, either with a valid set of constraints or with an error indicating that the term cannot be elaborated. By supposing strong normalization for UPP, and by checking at each step of the rules in Figure 4 that the constraints are consistent, one could show termination of the algorithm using a technique similar to that of [HP91]. As we do not investigate strong normalization of UPP in this paper (and doing so would further deviate from the goals of this work), we leave this for future work. However, as we will see in Section 8, in practice we were able to translate many proofs without non-termination issues.
5.3. Solving the constraints. Once the constraints are computed, the next step is solving them. However, as explained in Section 3, we do not want a numerical assignment of level variables satisfying the constraints, but rather a general symbolic solution which allows the term to be instantiated later at different universe levels. This thus requires unification: given a set of constraints C, we need to compute a substitution θ
satisfying l[θ] ≃ l′[θ] for all l ≐ l′ ∈ C. However, because levels are not purely syntactic entities, one needs to devise a unification algorithm specific to the equational theory of universe levels. For now, let us postpone this to the next section and assume we are given a (partial) function Unify which computes a unifier θ from a set of constraints C.
Once a unifier for the constraints is found, we can just apply it to the entry and generalize over all free level variables i⃗, and get either c : (i⃗ : Lvl) → A[θ] or c : (i⃗ : Lvl) → A[θ] := λi⃗. t[θ]. However, a last optimization can be made: let us write i⃗_{A[θ]} for the free level variables occurring in A[θ], and i⃗_{t[θ]∖A[θ]} for the free level variables occurring in t[θ] but not in A[θ]. Then we can reduce the number of level arguments of the entry by setting all the i⃗_{t[θ]∖A[θ]} to 0, without changing the type of the entry: we then get c : (i⃗_{A[θ]} : Lvl) → A[θ] or c : (i⃗_{A[θ]} : Lvl) → A[θ] := λi⃗_{A[θ]}. t[θ][i⃗_{t[θ]∖A[θ]} ↦ 0].
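This final generalization step can be sketched as follows (a hypothetical Python helper, not Predicativize's actual code): variables free in the elaborated type become level binders, while variables free only in the term are mapped to 0, which does not change the entry's type.

```python
def generalize(type_level_vars, term_level_vars):
    """Split the free level variables of an elaborated entry: those occurring
    in the type A[theta] are abstracted over, while those occurring only in
    the term t[theta] are sent to 0."""
    binders = sorted(set(type_level_vars))
    zero_subst = {i: 0 for i in set(term_level_vars) - set(type_level_vars)}
    return binders, zero_subst

# Toy instance: if the type mentions only i4 while the term also mentions i2,
# then i4 is abstracted and i2 is set to 0.
assert generalize({'i4'}, {'i2', 'i4'}) == (['i4'], {'i2': 0})
```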
Example 5.7. Recall that when calculating the constraints of the entry id₁ we found … The algorithm of the next section is able to compute the unifier … We can now apply the unifier to the entry and generalize over the free level variables of the type, while mapping the other ones to 0, which gives in the end
id₁ : (i₄ : Lvl) → Tm (ΠA : U i₄. A ⇝ A)
id₁ := λi₄. (id (S i₄)) @ (ΠA : U i₄. A ⇝ A) @ (id i₄)
Note that in the resulting term, id is used at two different universes. This illustrates the importance of the use of universe polymorphism in the translation.
Let us now show the final correctness theorem for elaboration.
Theorem 5.8 (Correctness of elaboration). Let Φ_UPP be a local signature well-formed in UPP, and A, t schematic terms.
Proof. We show the first point, the second one being similar. By Theorem 5.5, we have () ⊢_{C₁∪C₂} t : A, so because θ ⊨ C₁ ∪ C₂ we get Ξ_θ ⊢ t[θ] : A[θ]. Consider a substitution mapping all level variables in Ξ_θ not in A[θ] to 0. By the substitution property, we get i⃗_{A[θ]} : Lvl ⊢ t[θ][i⃗_{t[θ]∖A[θ]} ↦ 0] : A[θ], and then by abstracting i⃗_{A[θ]} we conclude that Φ_UPP, c : (i⃗_{A[θ]} : Lvl) → A[θ] := λi⃗_{A[θ]}. t[θ][i⃗_{t[θ]∖A[θ]} ↦ 0] is well-formed in UPP.

Solving universe level unification problems
Our elaborator relies on an unspecified algorithm for universe level unification, which we now present. Before addressing this, the first natural question that comes to mind is whether one can always find a most general unifier (m.g.u.) when the unification problem is solvable.
The following result answers this negatively.
Theorem 6.1. Not all solvable problems of unification modulo ≃ over levels have a most general unifier.
Proof. Consider the equation S i₁ ≐ i₂ ⊔ i₃, which is a solvable unification problem, and suppose it had a m.g.u. θ. Consider the unifier θ₁ = i₁ ↦ 0, i₂ ↦ S 0, i₃ ↦ 0. Note that there is thus some τ such that i₃[θ][τ] ≃ 0. Therefore, there can be no occurrence of S in i₃[θ]. By taking θ₂ = i₁ ↦ 0, i₂ ↦ 0, i₃ ↦ S 0, we can show similarly that there can be no occurrence of S in i₂[θ]. But by taking the substitution θ′ = (_ ↦ 0) mapping all variables to 0, we get (i₂ ⊔ i₃)[θ][θ′] ≃ 0, which cannot be equivalent to (S i₁)[θ][θ′]. Hence, S i₁ ≐ i₂ ⊔ i₃ has no m.g.u.
Therefore, one cannot expect to be able to compute a m.g.u. for all solvable problems of universe level unification. One can then also wonder whether, by restricting to the fragment of problems generated by the elaborator, one can recover the property that all solvable problems admit a m.g.u. The following result also answers this negatively.
Theorem 6.2. There is a schematic term whose constraints computed by the elaborator are solvable but have no most general unifier.
Proof. Consider the following term (once again, we reuse our convention of keeping some arguments implicit).
If we try to elaborate it in mode infer in the empty context, we get a unification problem that can be simplified to {S i₇ ≐ i₁ ⊔ i₂}. This is because the application of R @ U i₆ : Tm (U i₆ ⇝ U i₆ ⇝ U i₄) to U i₇ and (A ⇝ B) requires the last two to be in the same universe level, which is respectively S i₇ and i₁ ⊔ i₂. This equation is solvable but, by Theorem 6.1, does not admit a most general unifier.
Remark 6.3. In the above proof, one can alternatively verify the calculation of constraints automatically in Agda by typechecking the code
test : (A : Set _) → (B : Set _) → (R : (C : Set _) → C → C → Set _) → Set _
test = λ A B R → R (Set _) (Set _) (A → B)
which returns the error
Failed to solve the following constraints: _0 ⊔ _1 (A = A) = lsuc _10
showing that Agda's elaborator also simplifies the problem down to the same constraint.
In other words, some terms may not admit a most general universe-polymorphic instance, even when they admit some well-typed instances. A possible strategy would be to look not for a m.g.u., but instead for a minimal set of incomparable unifiers, as is often done in the equational unification literature [BS94]. However, this would not only require duplicating each translated term, once for each incomparable unifier, but would also risk growing the output size exponentially. Indeed, a term using a previously translated entry that was duplicated n times would then need to be elaborated multiple times, once with each of these n variants.
Therefore, we instead insist on looking only for m.g.u.s, even if by Theorem 6.2 this approach can fail in cases in which multiple incomparable unifiers exist. To do this, we proceed as follows in this section.
Our main contribution, given in Subsection 6.2, is a complete characterization of the equations l ≐ l′ that admit a most general unifier. More precisely, our result says exactly when such an equation (1) admits a m.g.u., in which case we also have an explicit description of one, (2) does not admit any unifier, or (3) admits at least two incomparable unifiers.
Our characterization thus yields a complete algorithm for solving equations. However, because we are interested in unification problems that may contain multiple equations, in Subsection 6.3 we then apply this characterization in the design of an algorithm using a constraint-postponement strategy [ZS17, DHKP96, Ree09]: at each step, we look for an equation which admits a m.g.u. and eliminate it, while applying the obtained substitution to the other constraints. This can then bring new equations into the fragment admitting a m.g.u., allowing us to solve them next. This is similar to how most proof assistants handle higher-order unification problems, by trying to solve the equations that are in the pattern fragment, in the hope of unblocking some other ones in the process.
6.1. Properties of levels. Before presenting our main results, we first review some important properties of universe levels that will be useful in our proofs.
Notation 6.4. We adopt new notation conventions to improve the readability of large level expressions. In the following, we write n + l for the level Sⁿ l, n for the level Sⁿ 0, and we drop the blue color in ⊔. For instance, the level S 0 ⊔ S (S i ⊔ 0) will henceforth be written 1 ⊔ 1 + (1 + i ⊔ 0); note that + binds tighter than ⊔, and that the left argument of + is always a natural number, so this expression can be parsed unambiguously.
In order to be able to compare levels syntactically, it is useful to introduce a notion of canonical form. A level is said to be in canonical form [Voe14, Gen20] when it is of the form p ⊔ (n₁ + i₁) ⊔ … ⊔ (n_m + i_m) with n_k ≤ p for all k = 1..m, and each variable occurs only once. In this case we call p the constant coefficient, and n_k the coefficient of i_k. We recall the following fundamental property, which appears in [Voe14, Gen20, Bla22], and which we reprove here for completeness reasons.
Theorem 6.5. Every level is equivalent to a canonical form, which is unique modulo permutations. Moreover, the function mapping each level to its canonical form is computable.
Proof. Given a level l, we first replace each variable i by i ⊔ 0 (which are convertible levels). Then, by repeatedly applying 1 + (l ⊔ l′) ≃ 1 + l ⊔ 1 + l′, we get a level of the form l₁ ⊔ … ⊔ l_p, in which each l_k is either of the form n_k + i_k or n_k. Note that we can easily show n + i ⊔ i ≃ n + i for all n ∈ ℕ, by induction on n. Using this equation, we can merge all constant coefficients, and then all coefficients of a same variable, by always taking the maximum between them. Because in the beginning we started by replacing each variable i by i ⊔ 0, it follows that the constant coefficient of the resulting level must be greater than or equal to all variable coefficients, hence it is in canonical form.
To see that the canonical form is unique modulo permutations, it suffices to note that if two canonical forms have different coefficients for a variable i, then by applying a substitution mapping i to some n large enough and the other variables to 0 we get two levels which are not convertible, hence the canonical forms we started with could not have been convertible. Similarly, if the constant coefficients are different, it suffices to take the substitution mapping all variables to 0, which then also yields non-convertible levels.
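The canonicalization procedure underlying Theorem 6.5 can be sketched as follows (a hypothetical Python illustration with an assumed tuple encoding of levels, not the paper's implementation): a canonical form is represented as a pair of a constant coefficient and a map from variables to their coefficients.

```python
# Levels encoded as: 'i' (a variable), ('zero',), ('s', l), ('max', l1, l2).
def canon(l):
    """Canonical form (Theorem 6.5): a pair (p, {i: n_i}) standing for
    p ⊔ ⊔_i (n_i + i), maintaining the invariant p >= n_i for every i."""
    if isinstance(l, str):
        return (0, {l: 0})               # a variable i is read as i ⊔ 0
    if l[0] == 'zero':
        return (0, {})
    if l[0] == 's':                      # S distributes: 1+(a ⊔ b) ≃ 1+a ⊔ 1+b
        p, cs = canon(l[1])
        return (p + 1, {i: n + 1 for i, n in cs.items()})
    p1, cs1 = canon(l[1])                # 'max': merge the two canonical forms,
    p2, cs2 = canon(l[2])                # keeping the larger coefficient
    cs = {i: max(cs1.get(i, -1), cs2.get(i, -1))   # -1 plays the role of -∞
          for i in cs1.keys() | cs2.keys()}
    return (max(p1, p2), cs)

# S 0 ⊔ S (S i ⊔ 0) has canonical form 2 ⊔ 2+i: constant 2, coefficient 2 for i
assert canon(('max', ('s', ('zero',)), ('s', ('max', ('s', 'i'), ('zero',))))) \
       == (2, {'i': 2})
```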
In view of Theorem 6.5 and the notion of canonical form, we introduce the following notation: given a level l, we write l⟨i⟩ for the coefficient of i in its canonical form, and set it to −∞ if i ∉ fv(l). We extend this notation to l⟨0⟩, which denotes the constant coefficient of the canonical form of l. Note that from the definition of canonical forms, we always have l⟨0⟩ ≠ −∞, l⟨0⟩ ≥ l⟨i⟩ for all i, and l⟨i⟩ ≠ −∞ only for finitely many i; moreover, an assignment I ∪ {0} → ℕ ∪ {−∞} defines a valid canonical form exactly when these conditions are met.
In the following, let j₀ stand for either a variable j or the constant 0. Then Theorem 6.5 says exactly that l ≃ l′ iff for all j₀ we have l⟨j₀⟩ = l′⟨j₀⟩. This principle will be very useful when proving or disproving that two levels are equivalent.
The definition of ≃ can now be justified by the following property. Given a function ϕ mapping each confined variable to a natural number, define the interpretation ⟦l⟧ϕ of a level l by interpreting the symbols 0, S and ⊔ as zero, successor and max, and by interpreting each variable i by ϕ(i).
Proposition 6.7. We have l₁ ≃ l₂ iff ∀ϕ, ⟦l₁⟧ϕ = ⟦l₂⟧ϕ.
Proof. Note that for each l ≃ l′ ∈ E_UPP we have ⟦l⟧ϕ = ⟦l′⟧ϕ for all ϕ, and thus the direction ⇒ can be shown by an easy induction on l₁ ≃ l₂.
For the other direction, let us take the canonical forms l′₁ of l₁ and l′₂ of l₂. By the left-to-right implication, we have ⟦l₁⟧ϕ = ⟦l′₁⟧ϕ and ⟦l₂⟧ϕ = ⟦l′₂⟧ϕ for all ϕ, hence ⟦l′₁⟧ϕ = ⟦l′₂⟧ϕ for all ϕ. By varying ϕ over suitable valuations we can show that l′₁ and l′₂ have the same constant coefficients, and that each variable appearing in one also appears in the other with the same coefficient. Therefore, l′₁ and l′₂ are equal modulo permutations, and thus l₁ ≃ l₂.
In other words, ≃ allows one to simplify level expressions which are semantically the same, for instance 1 + i ⊔ i ⊔ 0 and 1 + i. This also shows that our definition of ≃, which is also used in [Tea], agrees with the one used in some other works about universe levels [Gen20, Voe14, Fer21, Bla22].
6.2. Characterizing equations that admit a m.g.u. With the preliminaries now set up, we can move to the main contribution of this section: a characterization of the equations that admit a most general unifier, along with an explicit description of a m.g.u. in these cases. Our first step is to introduce a notion of canonical form for equations.
Definition 6.8. An equation l₁ ≐ l₂ is said to be in canonical form if (1) Both l₁, l₂ are in canonical form.
(2) If i ∈ fv(l₁) ∩ fv(l₂), then l₁⟨i⟩ = l₂⟨i⟩. (3) At least one coefficient in l₁ or l₂ is equal to 0.
The main motivation for introducing this notion is the following result, stating that in our analysis it suffices to consider only equations in canonical form.
Proposition 6.9. For every equation l₁ ≐ l₂, there is an equation l′₁ ≐ l′₂ in canonical form such that for all θ, l₁[θ] ≃ l₂[θ] iff l′₁[θ] ≃ l′₂[θ].
Proof. Let l₁ ≐ l₂ be any equation. We apply transformations so that the properties (1)–(3) defining canonical forms are satisfied one by one, and we argue that they do not change the set of unifiers.
(1) We put each level l_p in canonical form l′_p. It is clear that this preserves the set of unifiers, as any level is convertible to its canonical form.
(2) If some variable i appears in l′₁ and l′₂ with different coefficients, we remove it from the side with the smaller coefficient, and we name the resulting equation l″₁ ≐ l″₂; this step is then repeated until condition (2) of the canonical form definition is met. By decomposing l′₁ ≃ l_a ⊔ n + i and l′₂ ≃ l_b ⊔ m + i with n < m (or the symmetric case), the correctness of this step follows from l′₁[θ] ≃ l′₂[θ] iff l_a[θ] ⊔ n + i[θ] ≃ l_b[θ] ⊔ m + i[θ] iff l_a[θ] ≃ l_b[θ] ⊔ m + i[θ], where the last equivalence follows from the fact that max{k_a, n + q} = max{k_b, m + q} ⟺ k_a = max{k_b, m + q} for all k_a, k_b, n, m, q ∈ ℕ with n < m, and then by Proposition 6.7.
(3) Finally, if no coefficient in l″₁ or l″₂ is equal to zero, we subtract from all coefficients the value of the current minimal coefficient, and we name the resulting equation l‴₁ ≐ l‴₂. If we call this value k, then the correctness of this step follows from the fact that l″_p ≃ k + l‴_p for p = 1, 2, and so l″₁[θ] ≃ l″₂[θ] iff k + l‴₁[θ] ≃ k + l‴₂[θ] iff l‴₁[θ] ≃ l‴₂[θ], where the last equivalence follows by applying Proposition 6.7.
It is clear that l‴₁ ≐ l‴₂ is in canonical form, and we have shown that each step of the transformation preserves the set of unifiers.
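The three steps of this proof can be sketched executably as follows (a hypothetical Python illustration, not the paper's implementation), operating on levels already in canonical form represented as pairs (constant, {var: coeff}):

```python
def canon_equation(l1, l2):
    """Put an equation between canonical-form levels into canonical form,
    following steps (2) and (3) of the proof of Proposition 6.9."""
    p1, c1 = l1[0], dict(l1[1])
    p2, c2 = l2[0], dict(l2[1])
    # Step (2): a variable occurring on both sides with different coefficients
    # is removed from the side where its coefficient is smaller.
    for i in set(c1) & set(c2):
        if c1[i] < c2[i]:
            del c1[i]
        elif c2[i] < c1[i]:
            del c2[i]
    # Step (3): subtract the minimal coefficient k from every coefficient
    # (this is a no-op when some coefficient is already 0).
    k = min([p1, p2] + list(c1.values()) + list(c2.values()))
    return ((p1 - k, {i: n - k for i, n in c1.items()}),
            (p2 - k, {i: n - k for i, n in c2.items()}))

# Example 6.10: the two sides have canonical forms 2 ⊔ 1+i ⊔ 2+j and
# 2 ⊔ 2+i ⊔ j; the result is 0 ⊔ j ≐ 0 ⊔ i.
assert canon_equation((2, {'i': 1, 'j': 2}), (2, {'i': 2, 'j': 0})) \
       == ((0, {'j': 0}), (0, {'i': 0}))
```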
Example 6.10. Consider the equation i ⊔ 1 + (i ⊔ 1 + j) ≐ j ⊔ 2 + i and let us show how it can be put in canonical form using the underlying algorithm of the above proof. First, we compute the level canonical forms of each side, yielding 2 ⊔ 1 + i ⊔ 2 + j ≐ 2 ⊔ 2 + i ⊔ j. As the variables i and j appear on both sides, we then remove from each side the occurrence with the smaller coefficient, yielding 2 ⊔ 2 + j ≐ 2 ⊔ 2 + i. Finally, as the minimum among all coefficients is 2, we subtract it from all of them, giving 0 ⊔ j ≐ 0 ⊔ i.
We are now able to state the main theorem that we are going to show. In the following, if k ∈ ℕ we write [k] for the set {1, ..., k}, and we call an equation l₁ ≐ l₂ trivial when l₁ ≃ l₂. We also call l₂ ≐ l₁ the symmetric of the equation l₁ ≐ l₂.
Theorem 6.11. A non-trivial equation has (1) a most general unifier iff its canonical form (or its symmetric) is of the form (a) n ⊔ i ≐ l with n < l⟨0⟩, in which case a m.g.u. is given by i ↦ l, or (b) 0 ⊔ i⃗₀ ⊔ i⃗₁ ≐ 0 ⊔ i⃗₀ ⊔ i⃗₂, in which case a m.g.u. is given by
θ = i₀ᵏ ↦ x_k ⊔ (⊔_{n∈[p₁]} y_{k,n}) ⊔ (⊔_{m∈[p₂]} z_{k,m}) (k ∈ [p₀])
    i₁ⁿ ↦ (⊔_{k∈[p₀]} y_{k,n}) ⊔ (⊔_{m∈[p₂]} v_{n,m}) (n ∈ [p₁])
    i₂ᵐ ↦ (⊔_{k∈[p₀]} z_{k,m}) ⊔ (⊔_{n∈[p₁]} v_{n,m}) (m ∈ [p₂])
where p₀, p₁, p₂ are the lengths of i⃗₀, i⃗₁ and i⃗₂ respectively, and where {x_k}_{k∈[p₀]}, {y_{k,n}}_{k∈[p₀],n∈[p₁]}, {z_{k,m}}_{k∈[p₀],m∈[p₂]} and {v_{n,m}}_{n∈[p₁],m∈[p₂]} are disjoint sets of variables.
(2) no unifier iff its canonical form (or its symmetric) is of the form n ≐ l with n < l⟨0⟩, and (3) two or more incomparable unifiers iff its canonical form (or its symmetric) is of none of the previous forms. Before proving the result, let us consider some examples to see how it can be used.
‚ The equation i₀ ⊔ i₁ ≐ i₀ ⊔ i₂ has the canonical form 0 ⊔ i₀ ⊔ i₁ ≐ 0 ⊔ i₀ ⊔ i₂, and therefore by point (1.b) it admits the m.g.u. i₀ ↦ x ⊔ y ⊔ z, i₁ ↦ y ⊔ v, i₂ ↦ z ⊔ v.
‚ … and therefore, by point (2), it admits no unifier.
Let us now move to the proof of Theorem 6.11. Figure 5 shows its structure: we take a non-trivial equation in canonical form and consider its possible forms. Each leaf is annotated with the lemma or proposition associated with its proof, along with 1 when a m.g.u. exists, >1 when there are at least two incomparable unifiers, or 0 when no unifier exists. Finally, we write |l₂| for the number of free variables occurring in l₂.
We now proceed with the proofs of the lemmas and propositions needed for showing Theorem 6.11.
6.2.1. Equations with m.g.u.s.
Proposition 6.13. The equation in canonical form n ⊔ i ≐ l with n < l⟨0⟩ has the m.g.u. τ = i ↦ l.
Now we can show that τ is more general than θ: we have j[τ][θ] ≃ j[θ] for all j ∈ fv(l) ∪ {i}. Indeed, the equation holds trivially for j ≠ i, and for j = i it follows from l[θ] ≃ i[θ].
Proposition 6.14. The equation 0 ⊔ i⃗₀ ⊔ i⃗₁ ≐ 0 ⊔ i⃗₀ ⊔ i⃗₂ has the m.g.u.
θ = i₀ᵏ ↦ x_k ⊔ (⊔_{n∈[p₁]} y_{k,n}) ⊔ (⊔_{m∈[p₂]} z_{k,m}) (k ∈ [p₀])
    i₁ⁿ ↦ (⊔_{k∈[p₀]} y_{k,n}) ⊔ (⊔_{m∈[p₂]} v_{n,m}) (n ∈ [p₁])
    i₂ᵐ ↦ (⊔_{k∈[p₀]} z_{k,m}) ⊔ (⊔_{n∈[p₁]} v_{n,m}) (m ∈ [p₂])
where p₀, p₁, p₂ are the lengths of i⃗₀, i⃗₁ and i⃗₂ respectively, and where {x_k}_{k∈[p₀]}, {y_{k,n}}_{k∈[p₀],n∈[p₁]}, {z_{k,m}}_{k∈[p₀],m∈[p₂]} and {v_{n,m}}_{n∈[p₁],m∈[p₂]} are disjoint sets of variables.
Proof. It is easy to see that θ is a unifier: all introduced variables appear on both sides, with coefficient 0. Given a unifier τ, define τ′ by setting, for each j₀,
x_k[τ′]⟨j₀⟩ := i₀ᵏ[τ]⟨j₀⟩
y_{k,n}[τ′]⟨j₀⟩ := min{i₀ᵏ[τ]⟨j₀⟩, i₁ⁿ[τ]⟨j₀⟩}
z_{k,m}[τ′]⟨j₀⟩ := min{i₀ᵏ[τ]⟨j₀⟩, i₂ᵐ[τ]⟨j₀⟩}
v_{n,m}[τ′]⟨j₀⟩ := min{i₁ⁿ[τ]⟨j₀⟩, i₂ᵐ[τ]⟨j₀⟩}
Note that this assignment indeed defines a canonical form i′[τ′] for each i′: the constant coefficient of i′[τ′] is never equal to −∞, it is always greater than or equal to the variable coefficients of i′[τ′], and i′[τ′]⟨j⟩ is different from −∞ only for finitely many j. Let us now show that i′[τ] ≃ i′[θ][τ′] for all i′ among i⃗₀, i⃗₁, i⃗₂.
Because i₀ᵏ[τ]⟨j₀⟩ is greater than or equal to min{i₀ᵏ[τ]⟨j₀⟩, i₁ⁿ[τ]⟨j₀⟩} and min{i₀ᵏ[τ]⟨j₀⟩, i₂ᵐ[τ]⟨j₀⟩} for all n, m, we have … for all j₀ and k ∈ [p₀]. Therefore, we get i₀ᵏ[θ][τ′] ≃ i₀ᵏ[τ] for all k ∈ [p₀]. Because τ is a unifier, we have 0 ⊔ i⃗₀[τ] ⊔ i⃗₁[τ] ≃ 0 ⊔ i⃗₀[τ] ⊔ i⃗₂[τ], from which we get max{i⃗₀[τ]⟨j₀⟩, i⃗₁[τ]⟨j₀⟩} = max{i⃗₀[τ]⟨j₀⟩, i⃗₂[τ]⟨j₀⟩}.
(1) Because τ is a m.g.u., for some θ′ we have i[τ][θ′] ≃ i[θ] = 0, so if i[τ] contained an occurrence of S then i[τ][θ′] would also contain one, and therefore would not be convertible to 0. (2) Because τ is a m.g.u., for some θ′ we have j[τ][θ′] ≃ j[θ] = m, and for p = 1..k we have i_p[τ][θ′] ≃ i_p[θ] = n_p with m > n_p. Now, if we suppose that j[τ] is flat, then the only way to have j[τ][θ′] ≃ m is if some variable i′ in j[τ] is mapped to m by θ′. Therefore, it is clear that i′ cannot appear in any of the i_p[τ].
(3) Follows from the fact that, if τ is a unifier, then the same variables that appear in l₁[τ] must also appear in l₂[τ].
Proposition 6.18 (Equations with no mgu).The following non-trivial equations in canonical form do not admit a m.g.u.: Proof.The structure of the proof is the same in all cases: we suppose the existence of a most general unifier τ which we use to obtain a contradiction.
A : Let i, j be two different variables in l 2 .By Lemma 6.17 (1), the unifiers θ , and because τ is a unifier we must then have l 1 ⟨0⟩ " l 2 ⟨0⟩, contradiction with l 1 ⟨0⟩ ą l 2 ⟨0⟩.B : First note that Þ Ñ 0 is a unifier, so by Lemma 6.17 (1), i 1 rτ s is flat for all i 1 .Because the equation is supposed to be in canonical form and non-trivial, some variable i appears in only one side.Take such a i with a minimal coefficient, which we henceforth call p.
Suppose now that p " l 1 ⟨0⟩.Because the equation is in canonical form and the constant coefficient of each side is different from 0, then some variable j must appear with coefficient 0.Moreover, because the minimal coefficient of a variable occurring in only one side is p ‰ 0, it follows that j must appear in both sides (both occurrences, of course, with coefficient 0).Because p " l 1 ⟨0⟩ ą 0, by Lemma 6.17 (2) the unifier θ 2 " i Þ Ñ 1, j Þ Ñ p `1, Þ Ñ 0 shows that some variable i 1 P fvpirτ sq does not appear in any j 1 rτ s with j 1 different from j and i.Therefore, because i 1 can only also occur in jrτ s, and because the coefficient of i is p and the coefficient of j is 0, by composing τ with i 1 Þ Ñ 1, Þ Ñ 0 we get p `1 at the side in which i occurs but p at the other side, a contradiction.C : Because we suppose the equation is in canonical form, some j different from i must occur in l with coefficient 0. By Lemma 6.17 (1), the unifier θ 1 " i Þ Ñ l⟨0⟩ ´k, Þ Ñ 0 shows that jrτ s is flat, and by Lemma 6.17 (2) the unifier θ shows that some variable in jrτ s does not occur in irτ s, given that l⟨0⟩ ´k ă l⟨0⟩.
Because $i$ is the only variable appearing on the right-hand side, this contradicts Lemma 6.17 (3).
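The proofs above manipulate levels through their coefficients $l\langle i\rangle$, viewing a level as a "max-plus" expression $\max\{c,\ n_1 + i_1,\ \ldots,\ n_k + i_k\}$. The following Python sketch makes this view concrete: the representation, helper names, canonicalization rule, and the sample equation are our own illustration (assuming levels are interpreted over the natural numbers), not the paper's formal definitions.

```python
# Illustrative "max-plus" model of universe levels: a level
# max(c, n1 + i1, ..., nk + ik) is a pair (c, {var: coeff}).
# Names and the canonicalization rule are a sketch, not the paper's.

def shift(level, n):
    """n + max(c, ...) distributes: add n to every atom."""
    c, vs = level
    return (c + n, {v: k + n for v, k in vs.items()})

def join(l1, l2):
    """Maximum of two levels, keeping the larger coefficient per variable."""
    (c1, vs1), (c2, vs2) = l1, l2
    vs = dict(vs1)
    for v, k in vs2.items():
        vs[v] = max(vs.get(v, 0), k)
    return (max(c1, c2), vs)

def subst(level, tau):
    """Apply a substitution tau : variable -> level."""
    c, vs = level
    out = (c, {})
    for v, k in vs.items():
        out = join(out, shift(tau.get(v, (0, {v: 0})), k))
    return out

def canonical(level):
    """Since n + i >= n for every natural i, a constant c <= n is
    redundant; dropping it yields a form deciding level equality."""
    c, vs = level
    if any(c <= n for n in vs.values()):
        c = 0
    return (c, tuple(sorted(vs.items())))

def level_eq(l1, l2):
    return canonical(l1) == canonical(l2)

# A sample equation 1 + i = 1 ⊔ i (our example): the two sides are not
# equal as levels, but the substitution i ↦ 0 unifies them.
lhs = (0, {'i': 1})   # 1 + i  (i.e. S i)
rhs = (1, {'i': 0})   # 1 ⊔ i
tau = {'i': (0, {})}  # i ↦ 0
```

Here `level_eq` decides convertibility of levels by comparing canonical forms, which is what makes checking a candidate unifier (apply `subst` to both sides, then compare) effective in this toy setting.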
Example 6.23. Consider the problem $\mathcal{C} := \{1 + i_0 \ldots\}$. We can check that, according to Theorem 6.11, both equations admit multiple incomparable unifiers, so neither the step (Solve) nor (Fail) applies. Nevertheless, by combining both equations we get $i_2 \sqcup 1 + i_1 \ldots$, a problem that can be solved by our algorithm, yielding a m.g.u. $\theta$.
It follows that $\mathcal{C}$ also admits $\theta$ as a m.g.u., yet our algorithm does not return any m.g.u., showing that it is not complete for problems with more than one equation. Moreover, Theorem 6.2 shows that, even if our algorithm were complete, it would still get stuck on problems which are solvable but admit no m.g.u. In practice, it is very unsatisfying for the unification to get stuck, as this means that the whole predicativization algorithm has to halt. To prevent this, our implementation extends the unification with heuristics that are applied only when none of the presented rules applies. Whenever the heuristics are applied, the computed substitution is still a unifier, but might not be a most general one. This means that the term which generated the unification problem can still be translated to a valid term in UPP, but the resulting term might not be a most general universe-polymorphic instance.
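The constraint-postponement strategy can be pictured with a minimal Python sketch. The level syntax and the single-equation solver below are deliberately simplified stand-ins (they recognize only trivial and lone-variable equations, rather than the full characterization of Theorem 6.11), so this illustrates the loop, not the paper's algorithm.

```python
# Sketch of a constraint-postponement loop: each equation is tried with a
# single-equation solver; equations with no recognized m.g.u. are postponed
# and retried after substitutions learned from other equations.

def subst(level, s):
    tag = level[0]
    if tag == 'var':
        return s.get(level[1], level)
    if tag == 'const':
        return level
    return ('max', subst(level[1], s), subst(level[2], s))

def occurs(v, level):
    if level[0] == 'var':
        return level[1] == v
    if level[0] == 'const':
        return False
    return occurs(v, level[1]) or occurs(v, level[2])

def solve_one(lhs, rhs):
    """Return a substitution when this equation alone has an obvious
    m.g.u., or None to postpone it (covering 'not yet' and 'no m.g.u.')."""
    if lhs == rhs:
        return {}
    if lhs[0] == 'var' and not occurs(lhs[1], rhs):
        return {lhs[1]: rhs}
    if rhs[0] == 'var' and not occurs(rhs[1], lhs):
        return {rhs[1]: lhs}
    return None

def unify(equations):
    total, pending, progress = {}, list(equations), True
    while pending and progress:
        progress, still = False, []
        for lhs, rhs in pending:
            s = solve_one(subst(lhs, total), subst(rhs, total))
            if s is None:
                still.append((lhs, rhs))  # postpone and retry later
            else:
                total = {**{v: subst(l, s) for v, l in total.items()}, **s}
                progress = True
        pending = still
    return total, pending  # non-empty pending: stuck, heuristics needed
```

For instance, on $\{i \sqcup 1 \simeq j \sqcup 1,\ i \simeq j\}$ the first equation is postponed, the second binds $i \mapsto j$, and the retry closes the first; when no pass makes progress, the loop stops with the remaining equations, which is exactly the point where the implementation's heuristics take over.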

Predicativize, the implementation
In this section we present Predicativize, an implementation of a variant of our algorithm, publicly available at https://github.com/Deducteam/predicativize/.
Our tool is implemented on top of DkCheck [Sai15a], a type-checker for Dedukti, and thus relies neither on the codebase of Agda nor on that of any other proof assistant. Like Universo [Thi20], our implementation instruments DkCheck's conversion checker in order to implement the constraint-computation algorithm described in Section 5.
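The instrumentation idea can be illustrated with a toy conversion checker that, instead of deciding level equality on the spot, records an equation and proceeds symbolically. The AST and the `convert` function below are our own simplification of the judgments of Section 5, not DkCheck's actual internals.

```python
# Toy illustration of an instrumented conversion checker: when two types
# meet, the checker emits a level equation instead of comparing levels.

def convert(a, b, constraints):
    if a[0] == 'Set' and b[0] == 'Set':
        # Levels are not compared now: record a constraint to unify later.
        constraints.append((a[1], b[1]))
        return True
    if a[0] == 'arrow' and b[0] == 'arrow':
        return (convert(a[1], b[1], constraints)
                and convert(a[2], b[2], constraints))
    return a == b  # other term formers: plain syntactic comparison

cs = []
ok = convert(('arrow', ('Set', 'i'), ('Set', 'j')),
             ('arrow', ('Set', 'k'), ('Set', '0')), cs)
# ok holds, and cs now contains the two level equations to be solved
```

Conversion thus never fails on a level mismatch; it is the subsequent unification of the collected constraints that decides whether the term elaborates.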
Because the currently available type-checkers for Dedukti do not implement rewriting modulo equational theories other than AC (associativity and commutativity), we used Genestier's encoding of the equational theory of universe levels [Gen20] to define the theory UPP in a DkCheck file.
To see how everything works in practice, one can run make running-example, which translates our running example and produces a Dedukti file output/running_example.dk and an Agda file agda_output/running-example.agda. To test the tool on a more realistic example, the reader can also run make test_agda, which translates a proof of Fermat's Little Theorem from the Dedukti encoding of HOL [Thi18] to UPP.
We also note that for the moment the implementation lags behind the theory in some aspects, in particular by still using the older unification algorithm proposed in [FBB23].
In the following, let us go through some important particularities of how the tool works.
User-added constraints. As we have seen, our tool tries to compute the most general type for a definition or declaration to be typable. However, the most general type is not always desirable, as shown by the example of the successor, elaborated as succ : (i j : Lvl) → Tm (Nat i) → Tm (Nat j). We would normally like to impose $i$ to be equal to $j$ in the type of succ, or even to impose Nat not to be universe polymorphic.
In order to solve this problem, we added to Predicativize the possibility for the user to add constraints, so that one can for instance impose Nat to be in $U_0$, or $i = j$ in the type of the successor. Adding constraints can also be useful to help the unification algorithm.
Rewrite rules. The algorithm that we presented and proved correct covers two types of entries: definitions and constants. This is enough for translating proofs written in higher-order logic or similar systems, in which every step either poses an axiom or makes a definition or proof.
However, when dealing with full-fledged type theories, such as those implemented by Coq or Matita, which also feature inductive types, it is customary to use rewrite rules to encode recursion and pattern matching. If we simply ignored these rules when performing the translation, we would run into problems, as entries appearing later may need those rewrite rules to typecheck.
Therefore, our implementation extends the presented algorithm and also translates rewrite rules. In order to do this, we use DkCheck's subject-reduction checker to generate constraints and proceed similarly to the algorithm. Because this feature is still work in progress, this step requires user intervention in most cases. Moreover, its correctness has yet to be formalized. Nevertheless, it has been successfully used in the translation of Matita's arithmetic library to Agda.
Agda output. Predicativize produces proofs in the theory UPP, which is a subtheory of the one implemented by the Agda proof assistant. In order to produce proofs that can be used by Agda, we also integrated into Predicativize a translator that performs a simple syntactic translation from a Dedukti file in the UPP theory to an Agda file. For instance, make test_agda_with_typecheck translates the proof of Fermat's Little Theorem from HOL to Agda and typechecks it.
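Such a syntactic pass can be pictured with a toy printer from a small UPP-like AST to Agda source. The AST constructors and the targeted Agda primitives (`lzero`, `lsuc`, `_⊔_` from `Agda.Primitive`) are assumptions about the output format for the sake of illustration, not Predicativize's actual code.

```python
# Toy printer from a small UPP-like AST to Agda source text.
# The constructors and target names are illustrative assumptions.

def to_agda(t):
    tag = t[0]
    if tag == 'var':
        return t[1]
    if tag == 'zero':
        return 'lzero'
    if tag == 'suc':
        return f'lsuc ({to_agda(t[1])})'
    if tag == 'max':
        return f'({to_agda(t[1])} ⊔ {to_agda(t[2])})'
    if tag == 'Set':
        return f'Set ({to_agda(t[1])})'
    if tag == 'pi':  # ('pi', bound name, domain, codomain)
        return f'(({t[1]} : {to_agda(t[2])}) → {to_agda(t[3])})'
    raise ValueError(f'unknown constructor {tag}')
```

For example, `to_agda(('Set', ('max', ('var', 'i'), ('suc', ('var', 'j')))))` yields `'Set ((i ⊔ lsuc (j)))'`; since UPP is a subtheory of Agda's, a purely syntactic mapping like this is enough, with no further elaboration needed on the Agda side.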

Translating Matita's arithmetic library to Agda
We now discuss how we used Predicativize to translate Matita's arithmetic library to Agda.The translation is summarized in Figure 7, where CIC stands for a Dedukti theory defining the Calculus of Inductive Constructions, the underlying type theory of the Matita proof assistant.
Matita's arithmetic library was already available in Dedukti thanks to Krajono [Ass15], a translator from Matita to the theory CIC in Dedukti.Therefore, the first step of the translation was already done for us.
Then, using Predicativize we translated the library from CIC to UPP.As the encoding of Matita's recursive functions uses rewrite rules, their translation required some user intervention to add constraints over certain constants, as mentioned in the previous section.Once this step is done, the library is known to be predicative, as it typechecks in UPP.We then used Predicativize to translate these files to Agda files.However, because the rewrite rules in the Dedukti files cannot be translated to Agda, and given that they are needed for typechecking the proofs, the library does not typecheck directly.
Therefore, to finish our translation we had to define the inductive types and recursive functions manually in Agda. This step of the translation is admittedly very tedious; however, most of the library consists of proofs, whose translation we did not need to change. Note that this manual step is not exclusive to our work, as it is also needed in [Thi18].
Defining inductive types also required us to add constraints over some constants. For instance, we saw in Example 7.1 that the successor is translated as succ : (i j : Lvl) → Tm (Nat i) → Tm (Nat j), but in order to implement this constant as a constructor of an inductive type, we need to impose $i = j$. If one then wishes to align Nat with Agda's built-in type of natural numbers, we also have to impose $i = 0$, which then allows us to replace Nat by the built-in type in the output of the translation.
The result of this translation is available at https://github.com/thiagofelicissimo/matita_lib_in_agda and, as far as we know, contains the very first proofs in Agda of Bertrand's Postulate and Fermat's Little Theorem.It also contains a variety of other interesting results such as the Binomial Law, the Chinese Remainder Theorem, and the Pigeonhole Principle.Moreover, this library typechecks with the --safe flag, attesting that it does not use any of Agda's more exotic and unsafe features.

Conclusion
We have tackled the problem of sharing proofs with predicative systems. Our implementation allowed us to translate many non-trivial proofs from Matita's arithmetic library to Agda, showing that our proposal works well in practice.
Our solution is based on universe-polymorphic elaboration. Even if elaboration algorithms are already well studied in the literature, our proposal differs from most in its use of universe level unification, which is needed in our setting to handle universe polymorphism. Other proposals for universe-polymorphic elaboration, such as [HP91] and [ST14], avoid universe level unification by allowing entries in the signature of their target languages to come with associated sets of constraints, which are then verified locally at each use. This feature is unfortunately not supported by Agda, the main target of our translation.

Figure 1: Typing rules of Dedukti.

Proposition 4.5. The relation $\simeq$ is a simulation with respect to $\longrightarrow$. Diagrammatically,

Proof. By induction on the rewrite context of $u \longrightarrow u'$. The induction steps are easy; we only show the base cases.

Figure 3: Translation from the syntax of Figure 2 to the schematic terms of UPP (each inserted level variable is assumed to be different from the previous ones).

Lemma 5.4. Suppose that $A \equiv B \downarrow \mathcal{C}$ or $A \equiv_{\mathrm{whnf}} B \downarrow \mathcal{C}$. If $\theta \models \mathcal{C}$ then $A[\theta] \equiv B[\theta]$.

Proof. By an easy mutual induction on $A \equiv B \downarrow \mathcal{C}$ and $A \equiv_{\mathrm{whnf}} B \downarrow \mathcal{C}$.

Theorem 5.5 (Soundness of typing judgment for computing constraints).

Figure 4: Bidirectional typing judgment for computing universe level constraints.