Monotone recursive types and recursive data representations in Cedille

Guided by Tarski's fixpoint theorem in order theory, we show how to derive monotone recursive types with constant-time roll and unroll operations within Cedille, an impredicative, constructive, and logically consistent pure typed lambda calculus. This derivation takes place within the preorder on Cedille types induced by type inclusions, a notion which is expressible within the theory itself. As applications, we use monotone recursive types to generically derive two recursive representations of data in lambda calculus, the Parigot and Scott encodings. For both encodings, we prove induction and examine the computational and extensional properties of their destructor, iterator, and primitive recursor in Cedille. For our Scott encoding in particular, we translate into Cedille a construction due to Lepigre and Raffalli that equips Scott naturals with primitive recursion, then extend this construction to derive a generic induction principle. This allows us to give efficient and provably unique (up to function extensionality) solutions for the iteration and primitive recursion schemes for Scott-encoded data.


Introduction
In type theory and programming languages, recursive types μ X. T are types where the variable X bound by μ in T stands for the entire type expression again. The relationship between a recursive type and its one-step unrolling [μ X. T/X]T (the substitution of μ X. T for X in T) is the basis for the important distinction of iso- and equi-recursive types (Crary et al., 1999) (see also Pierce, 2002, Section 20.2). With iso-recursive types, the two types are related by constant-time functions unroll ∶ μ X. T → [μ X. T/X]T and roll ∶ [μ X. T/X]T → μ X. T which are mutual inverses (composition of these two in either order produces a function that is extensionally the identity function). With equi-recursive types, the recursive type and its one-step unrolling are considered definitionally equal, and unroll and roll are not needed to pass between the two.
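The iso-recursive discipline can be sketched in plain Python (a hypothetical illustration of ours, not CDLE; the names Mu, roll, and unroll are introduced here for the sketch). Both operations do a constant amount of work: one wraps a one-step unrolling, the other unwraps it.

```python
# Hypothetical sketch of iso-recursive types: Mu stands for mu X. T, and a
# value of the one-step unrolling [mu X. T/X]T is wrapped or unwrapped in
# constant time.
class Mu:
    def __init__(self, unrolled):
        self.unrolled = unrolled  # a value of the one-step unrolling

def roll(x):
    # [mu X. T/X]T -> mu X. T
    return Mu(x)

def unroll(m):
    # mu X. T -> [mu X. T/X]T
    return m.unrolled
```

Composing the two in either order is extensionally the identity: unroll(roll(x)) returns x itself, and roll(unroll(m)) is a wrapper with the same contents as m.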
Adding unrestricted recursive types to an otherwise terminating theory allows the typing of diverging terms. For example, let T be any type and let B abbreviate μ X. (X → T). Then, we see that B is equivalent to B → T, allowing us to assign type B → T to λ x. x x. From that same type equivalence, we see that we may also assign type B to this term, allowing us to assign the type T to the diverging term Ω = (λ x. x x) λ x. x x. This example shows that not only termination, but also soundness of the theory when interpreted as a logic under the Curry-Howard isomorphism (Sørensen and Urzyczyn, 2006), is lost when introducing unrestricted recursive types (T here is arbitrary, so this would imply all types are inhabited).
The usual restriction on recursive types is to require that to form (alternatively, to introduce or to eliminate) μ X. T, the variable X must occur only positively in T, where the function-type operator → preserves polarity in its codomain part and switches polarity in its domain part. For example, X occurs only positively in (X → Y) → Y, while Y occurs both positively and negatively. Since positivity is a syntactic condition, it is not compositional: if X occurs positively in T 1 and in T 2 , where T 2 also contains the free variable Y, this does not mean it will occur positively in [T 1 /Y]T 2 . For example, take T 1 to be X and T 2 to be Y → X.
In search of a compositional restriction for ensuring termination in the presence of recursive types, Matthes (1999, 2002) investigated monotone iso-recursive types in a theory that requires evidence of monotonicity equivalent to the following property of a type scheme F (where the center dot indicates application to a type): ∀ X. ∀ Y. (X → Y) → F ⋅ X → F ⋅ Y. In Matthes's work, monotone recursive types are an addition to an underlying type theory, and the resulting system must be analyzed anew for such properties as subject reduction, confluence, and normalization. In the present paper, we take a different approach by deriving monotone recursive types within an existing type theory, the Calculus of Dependent Lambda Eliminations (CDLE) (Stump, 2017; Stump and Jenkins, 2021). Given any type scheme F satisfying a form of monotonicity, we show how to define a type Rec ⋅ F together with constant-time rolling and unrolling functions that witness the isomorphism between Rec ⋅ F and F ⋅ (Rec ⋅ F). The definitions are carried out in Cedille, an implementation of CDLE. 1 The main benefit of this approach is that the existing meta-theoretic results for CDLE (confluence, logical consistency, and normalization for a class of types that includes the ones defined here) apply, since they hold globally and hence perforce for the particular derivation of monotone recursive types.

polymorphism, and we explain the computational and extensional criteria we use to characterize implementations of the iteration scheme for the Scott and Parigot encodings. Section 5 covers the Scott encoding, introducing the case distinction scheme and giving first a concrete derivation of natural numbers supporting proof by cases, then the fully generic derivation. Section 6 covers the Parigot encoding, introducing the primitive recursion scheme and giving first a concrete example for Parigot-encoded naturals with an induction principle, then the fully generic derivation.
Section 7 revisits the Scott encoding, showing concretely how to derive primitive recursion for Scott naturals, then generalizing to the derivation of the standard induction principle for generic Scott-encoded data. Section 8 gives a demonstration that our generic Scott encoding can be used for a wider class of datatypes than can our generic Parigot encoding. Finally, Section 9 discusses related work and Section 10 concludes and discusses future work.

Background: The Calculus of Dependent Lambda Eliminations
In this section, we review CDLE and its implementation in the Cedille programming language (Stump, 2017; Stump and Jenkins, 2021). CDLE is a logically consistent constructive type theory that contains as a subsystem the impredicative and extrinsically typed Calculus of Constructions (CC). It is designed to serve as a tiny kernel theory for interactive theorem provers, minimizing the trusted computing base. CDLE can be described concisely in 20 typing rules and is implemented by Cedille Core (Stump, 2018b), a type checker consisting of ∼1K lines of Haskell. For the sake of exposition, we present the less dense version of CDLE implemented by Cedille, described by Stump and Jenkins (2021) (Stump (2017) describes an earlier version); here, we have slightly simplified the typing rule for the ρ term construct.
To achieve compactness, CDLE is a pure typed lambda calculus. In particular, it has no primitive constructs for inductive datatypes. Instead, datatypes can be represented using lambda encodings. Geuvers (2001) showed that induction principles are not derivable for these in secondorder dependent type theory. Stump (2018a) showed how CDLE overcomes this fundamental difficulty by extending CC with three new typing constructs: the implicit products of Miquel (2001); the dependent intersections of Kopylov (2003); and equality over untyped terms. The formation rules for these new constructs are first shown in Figure 1, and their introduction and elimination rules are explained in Section 2.2.

Type and kind constructs
There are two sorts of classifiers in CDLE. Kinds κ classify type constructors, and types (type constructors of kind ⋆) classify terms. Figure 1 gives the inference rules for the judgment Γ ⊢ κ that kind κ is well formed under context Γ, and for the judgment Γ ⊢ T ∶ κ that type constructor T has kind κ; kinds include ⋆ and kinds for type-level functions that abstract over terms. The type constructs that CDLE inherits from CC are type variables, (impredicative) type constructor quantification ∀ X ∶ κ. T, dependent function (or product) types Π x ∶ T. T ′ , abstractions over terms λ x ∶ T. T ′ and over type constructors λ X ∶ κ. T, and applications of type constructors to terms T t and to other type constructors T 1 ⋅ T 2 .
The additional type constructs are types for dependent functions with erased arguments (or implicit product types) ∀ x ∶ T. T ′ , dependent intersection types ι x ∶ T. T ′ , and equality types {t ≃ t ′ }. Kinding for the first two of these follows the same format as kinding of dependent function types; for example, ∀ x ∶ T. T ′ has kind ⋆ if T has kind ⋆ and if T ′ has kind ⋆ under a typing context extended by the assumption x ∶ T. For equality types, the only requirement for the type {t ≃ t ′ } to be well formed is that the free variables of both t and t ′ (written FV(t t ′ )) are declared in the typing context. Thus, the equality is untyped, as neither t nor t ′ need be typable. Figure 3 gives the type inference rules for the standard term constructs of CDLE. These type inference rules, as well as those listed in Figures 5, 6, and 7, are bidirectional (c.f. Pierce and Turner, 2000): judgment Γ ⊢ t → ∈ T indicates that term t synthesizes type T under typing context Γ, and judgment Γ ⊢ t ← ∈ T indicates that t can be checked against type T. These rules are to be read bottom-up as an algorithm for type inference, with Γ and t considered inputs in both judgments and the type T an output in the synthesis judgment and an input in the checking judgment. As is common for a bidirectional system, Cedille has a mechanism allowing the user to ascribe a type annotation to a term: χ T t synthesizes type T if T is a well-formed type of kind ⋆ and t can be checked against this type. During type inference, types may be call-by-name reduced to weak head normal form in order to reveal type constructors. For brevity, we use the shorthand Γ ⊢ t ↝ * n ∈ T (defined formally near the top of Figure 3) in some premises to indicate that t synthesizes some type T ′ that reduces to T.
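The synthesis/checking discipline can be illustrated with a toy bidirectional checker for a simply typed fragment (a plain Python sketch of ours for a hypothetical mini-language, not CDLE's actual rules): variables, applications, and ascriptions synthesize; abstractions are only checkable, and checking otherwise falls back on synthesis.

```python
# Terms: ('var', x), ('app', f, a), ('lam', x, body), ('ann', ty, t).
# The last plays the role of the ascription construct.
# Types: ('base', name) and ('arrow', dom, cod).

def synth(ctx, t):
    """Synthesize a type for t under context ctx, or raise TypeError."""
    if t[0] == 'var':
        return ctx[t[1]]
    if t[0] == 'app':
        fty = synth(ctx, t[1])
        if fty[0] == 'arrow' and check(ctx, t[2], fty[1]):
            return fty[2]
        raise TypeError('ill-typed application')
    if t[0] == 'ann':  # ascription switches from checking back to synthesis
        if check(ctx, t[2], t[1]):
            return t[1]
        raise TypeError('ascription failed')
    raise TypeError('cannot synthesize')

def check(ctx, t, ty):
    """Check t against ty; lambdas are checkable but not synthesizable."""
    if t[0] == 'lam':
        return ty[0] == 'arrow' and check({**ctx, t[1]: ty[1]}, t[2], ty[2])
    return synth(ctx, t) == ty
```

For example, the unannotated identity λ x. x only checks against a given arrow type, while its ascribed form synthesizes that type.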

Term constructs
We assume the reader is familiar with the type constructs of CDLE inherited from CC. Abstraction over types in terms is written Λ X. t, and application of terms to types (polymorphic type instantiation) is written t ⋅ T. In code listings, type arguments are sometimes omitted when Cedille can infer these from the types of term arguments. Local term definitions are given with [x ◁ T 1 = t 1 ] t 2 , to be read "let x of type T 1 be t 1 in t 2 ," and global definitions are given with x ◁ T = t . (terminated with a period), where t is checked against type T.
In describing the new type constructs of CDLE, we make reference to the erasures of the corresponding annotations for terms. The full definition of the erasure function | − |, which extracts an untyped lambda calculus term from a term with type annotations, is given in Figure 4. For the term constructs of CC, type abstractions Λ X. t erase to |t| and type applications t ⋅ T erase to |t|. As a Curry-style theory, the convertibility relation of Cedille is βη-conversion for untyped lambda calculus terms; there is no notion of reduction or conversion for the type-annotated language of terms except modulo erasure.
The implicit product type ∀ x ∶ T 1 . T 2 of Miquel (2001) (Figure 5) is the type for functions which accept an erased (computationally irrelevant) input of type T 1 and produce a result of type T 2 . Implicit products are introduced with Λ x. t, and the type inference rule is the same as for ordinary function abstractions except for the side condition that x does not occur free in the erasure of the body t. Thus, the argument can play no computational role in the function and exists solely for the purposes of typing. The erasure of the introduction form is |t|. For application, if t has type ∀ x ∶ T 1 . T 2 and t ′ has type T 1 , then t -t ′ has type [t ′ /x]T 2 and erases to |t|. When x is not free in T 2 , we may write T 1 ⇒ T 2 , similarly to writing T 1 → T 2 for Π x ∶ T 1 . T 2 .
Note that the notion of computational irrelevance here is not that of a different sort of classifier for types (e.g., Prop in Coq, c.f. The Coq development team, 2018) that separates terms in the language into those which can be used for computation and those which cannot. Instead, it is similar to quantitative type theory (Atkey, 2018): relevance and irrelevance are properties of binders, indicating how a function may use an argument.
The dependent intersection type ι x ∶ T 1 . T 2 of Kopylov (2003) (Figure 6) is the type for terms t which can be assigned both type T 1 and type [t/x]T 2 . It is a dependent generalization of intersection types (c.f. Barendregt et al., 2013, Part 3) in Curry-style theories, which allow one to express the fact that an untyped lambda calculus term can be assigned two different types. In Cedille's  annotated language, the introduction form for dependent intersections is written [t 1 , t 2 ] and can be checked against type ι x ∶ T 1 . T 2 if t 1 can be checked against type T 1 , t 2 can be checked against [t 1 /x]T 2 , and t 1 and t 2 are βη-equivalent modulo erasure. For the elimination forms, if t synthesizes type ι x ∶ T 1 . T 2 then t.1 (which erases to |t|) synthesizes type T 1 , and t.2 (erasing to the same) synthesizes type [t.1/x]T 2 .
Dependent intersections can be thought of as a dependent pair type where the two components are equal. Thus, we may "forget" the second component: [t 1 , t 2 ] erases to |t 1 |. Put another way, dependent intersections are a restricted form of computationally transparent subset types where the proof that some term t inhabits the subset must be definitionally equal to t. A consequence of this restriction is that the proof may be recovered, in the form of t itself, for use in computation.
The equality type {t 1 ≃ t 2 } is the type of proofs that t 1 is propositionally equal to t 2 . The introduction form β{t ′ } proves reflexive equations between βη-equivalence classes of terms: it can be checked against the type {t 1 ≃ t 2 } if |t 1 | = βη |t 2 | and if the subexpression t ′ has no undeclared free variables. We discuss the significance of the fact that t ′ is unrelated to the terms being equated, dubbed the Kleene trick, below. In code listings, if t ′ is omitted from the introduction form, it defaults to λ x. x.
The elimination form ρ t @x.T ′t ′ for the equality type {t 1 ≃ t 2 } replaces occurrences of t 1 in the checked type with t 2 before checking t ′ . The user indicates the occurrences of t 1 to replace with x in the annotation @x.T ′ , which binds x in T ′ . The rule requires that [t 2 /x]T ′ has kind ⋆, then checks t ′ against this type and finally confirms that [t 1 /x]T ′ is convertible with the expected type T. The entire expression erases to |t ′ |.
Example 1. Assume m and n have type Nat, suc and pred have type Nat → Nat, and furthermore that |pred (suc t)| = βη |t| for all t. If e has type {suc m ≃ suc n}, then ρ e @x.{pred x ≃ pred (suc n)} -β can be checked with type {m ≃ n} as follows: we check that {pred (suc n) ≃ pred (suc n)}, obtained from substituting x in the annotation with the right-hand side of the equation of the type of e, has kind ⋆; we check β against this type; and we check that substituting x with suc m is convertible with the expected type {m ≃ n}. By assumption |pred (suc m)| = βη |m| and |pred (suc n)| = βη |n|, so {m ≃ n} ≅ {pred (suc m) ≃ pred (suc n)}.
Equality types in CDLE come with two additional axioms: a strong form of the direct computation rule of NuPRL (see Allen et al., 2006, Section 2.2) given by ϕ, and proof by contradiction given by δ. The inference rule for an expression of the form ϕ t -t ′ {t ′′ } says that the entire expression can be checked against type T if t ′ can be, if there are no undeclared free variables in t ′′ (so, t ′′ is a well-scoped but otherwise untyped term), and if t proves that t ′ and t ′′ are equal. The crucial feature of ϕ is its erasure: the expression erases to |t ′′ |, effectively enabling us to cast t ′′ to the type of t ′ .
An expression of the form δt may be checked against any type if t synthesizes a type convertible with a particular false equation, {λ x. λ y. x ≃ λ x. λ y. y}. To broaden the class of false equations to which one may apply δ, the Cedille tool implements the Böhm-out semi-decision procedure (Böhm et al., 1979) for discriminating between βη-inequivalent terms. We use δ only once in this paper as part of a final comparison between the Scott and Parigot encoding (see Section 7.3).
Finally, Cedille provides a symmetry axiom ς for equality types, with |t| the erasure of ς t. This axiom is purely a convenience; without ς , symmetry for equality types can be proven with ρ.

The Kleene trick
As mentioned earlier, the introduction form β{t ′ } for the equality type contains a subexpression t ′ that is unrelated to the equated terms. By allowing t ′ to be any closed (in context) term, we are able to define a type of all untyped lambda calculus terms.
We dub this the Kleene trick, as one may find the idea in Kleene's later definitions of numeric realizability in which any number is allowed as a realizer for a true atomic formula (Kleene, 1965).
Combined with dependent intersections, the Kleene trick also allows us to derive computationally transparent equational subset types. For example, let Nat again be the type of naturals with zero the zero value, Bool the type of Booleans with tt the truth value, and isEven ∶ Nat → Bool a function returning tt if and only if its argument is even. Then, the type Even of even naturals can be defined as ι x ∶ Nat. {isEven x ≃ tt}. Since |isEven zero| = βη |tt|, we can check [zero, β{zero}] against type Even, and the expression erases to |zero|. More generally, if n is a Nat and t is a proof that {isEven n ≃ tt}, then [n, ρ t @x.{x ≃ tt} − β{n}] can be checked against type Even: the erasure of the first and second components are equal, and within the second component ρ rewrites the expected type {isEven n ≃ tt} to {tt ≃ tt} then checks β{n} against this.

Meta-theory
It may concern the reader that, with the Kleene trick, it is possible to type nonterminating terms, leading to a failure of normalization in general in CDLE. For example, the looping term Ω = (λ x. x x) λ x. x x, annotated as β{(λ x. x x) λ x. x x}, can be checked against type Top. More subtly, the ϕ axiom allows nontermination in inconsistent contexts. Assume there is a typing context Γ and term t such that Γ ⊢ t → ∈ ∀ X ∶ ⋆. X, and let ω be the term Λ X. ϕ (t ⋅ {λ x. x ≃ λ x. x x}) -(λ x ∶ X. x) {λ x. x x}. Under Γ, ω synthesizes type ∀ X ∶ ⋆. X → X, and by the erasure rules it erases to λ x. x x. We can then type the looping term Ω as (ω ⋅ (∀ X ∶ ⋆. X → X)) ω. Unlike the situation for unrestricted recursive types discussed in Section 1, the existence of non-normalizing terms does not threaten the logical consistency of CDLE. For example, extensional Martin-Löf type theory is consistent but, due to a similar difficulty with inconsistent contexts, is non-normalizing (Dybjer and Palmgren, 2016).

Proposition 2 (Stump and Jenkins, 2021). There is no term t such that ⊢ t → ∈ ∀ X ∶ ⋆. X.
Nontermination arising from the Kleene trick, or from ϕ under inconsistent contexts, does not preclude a qualified termination guarantee: in Cedille, closed terms of a function type are call-by-name normalizing.
Lack of normalization in general does, however, mean that type inference in Cedille is formally undecidable, as there are several inference rules in which full βη-equivalence of terms is checked. In practice, this is not a significant impediment: even in implementations of strongly normalizing dependent type theories, it is possible for type inference to trigger conversion checking between terms involving astronomically slow functions, effectively causing the implementation to hang. For the recursive representations of inductive types we derive in this paper, we show that closed lambda encodings do indeed satisfy the criterion required to guarantee call-by-name normalization.
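The call-by-name guarantee can be made concrete with a small weak-head evaluator for untyped lambda terms (a Python sketch of our own, not Cedille's evaluator; it assumes bound-variable names are distinct, so substitution need not rename): because arguments are substituted unevaluated, a diverging argument that is discarded never runs.

```python
# Terms: ('var', x) | ('lam', x, body) | ('app', f, a).

def subst(t, x, s):
    # Capture-permitting substitution; adequate when bound names are distinct.
    if t[0] == 'var':
        return s if t[1] == x else t
    if t[0] == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, s))
    return ('app', subst(t[1], x, s), subst(t[2], x, s))

def whnf(t, fuel=100):
    # Call-by-name weak-head reduction: evaluate the head, substitute the
    # argument unevaluated. Fuel bounds the number of beta steps.
    while t[0] == 'app' and fuel > 0:
        fuel -= 1
        f = whnf(t[1], fuel)
        if f[0] != 'lam':
            return ('app', f, t[2])
        t = subst(f[2], f[1], t[2])
    return t

# omega diverges, but a function that discards its argument never evaluates it.
delta = ('lam', 'x', ('app', ('var', 'x'), ('var', 'x')))
omega = ('app', delta, delta)
discard = ('lam', 'a', ('lam', 'b', ('var', 'b')))
```

Here whnf(('app', discard, omega)) reaches a normal form in one step, whereas whnf(omega) would exhaust any amount of fuel.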

Deriving Recursive Types in Cedille
Having surveyed Cedille, we now turn to the derivation of recursive types within it. This is accomplished by implementing a version of Tarski's fixpoint theorem for monotone functions over a complete lattice. We first recall the simple corollary of Tarski's more general result (c.f. Lassez et al., 1982).
Definition 4. (f -closed). Let f be a monotone function on a preorder (S, ⊑). An element x ∈ S is said to be f -closed when f (x) ⊑ x.
Theorem 3 (Tarski, 1955). Suppose f is a monotone function on a complete lattice (S, ⊑, ⊓). Let R be the set of f -closed elements of S and let r = ⊓R. Then f (r) = r.
The version we implement is a strengthening of this corollary, in the sense that it has weaker assumptions than Theorem 3: rather than requiring S to be a complete lattice, we only need that S is a preorder and that R has a greatest lower bound.

Tarski's Theorem
Theorem. Suppose f is a monotone function on a preorder (S, ⊑), and that the set R of all f -closed elements has a greatest lower bound r. Then f (r) ⊑ r and r ⊑ f (r).

Proof.
(1) First prove f (r) ⊑ r. Since r is the greatest lower bound of R, it suffices to prove f (r) ⊑ x for every x ∈ R. So, let x be an arbitrary element of R. Since r is a lower bound of R, r ⊑ x. By monotonicity, we therefore obtain f (r) ⊑ f (x), and since x ∈ R we have that f (x) ⊑ x. By transitivity, we conclude that f (r) ⊑ x.
(2) Now prove r ⊑ f (r). Using (1) above and monotonicity of f , we have that f (f (r)) ⊑ f (r). This means that f (r) ∈ R, and since r is a lower bound of R, we have r ⊑ f (r).

Notice the prima facie impredicativity in this proof: we pick a fixpoint r of f by reference to a collection R which (by (1)) contains r. We will see that this impredicativity carries over to Cedille. We will instantiate the underlying set S of the preorder in Theorem 3.1 to the set of Cedille types; this is why we need to relax the assumption of Theorem 3 that S is a complete lattice. However, we must still answer several questions:
• how should the ordering ⊑ be implemented;
• how do we express the idea of a monotone function; and
• how do we obtain the greatest lower bound of R?
One possibility that is available in System F is to choose functions A → B as the ordering A ⊑ B, positive type schemes T (having a free variable X, and such that A → B implies [A/X]T → [B/X]T) as monotone functions, and universal quantification to define the greatest lower bound as ∀ X. (T → X) → X. This approach, described by Wadler (1990), is essentially a generalization of order theory to category theory, and the terms inhabiting recursive types so derived are Church encodings. However, the resulting recursive types lack the property that roll and unroll are constant-time operations.
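The cost problem can be seen concretely with Church naturals in untyped form (a plain Python sketch; to_int and pred are helper names of ours): a Church numeral is its own iterator, so the destructor (here, the predecessor) must rebuild the number by iterating over all of it.

```python
# Church naturals: n(f)(x) computes f applied n times to x.
zero = lambda f: lambda x: x
suc = lambda n: lambda f: lambda x: f(n(f)(x))

to_int = lambda n: n(lambda k: k + 1)(0)

def pred(n):
    # The standard pairing trick: iterate (prev, cur) -> (cur, cur + 1)
    # n times, then project the first component; time linear in n.
    step = lambda p: (p[1], p[1] + 1)
    return n(step)((0, 0))[0]
```

The one-step unrolling is thus computed by a full traversal, in contrast to the constant-time operations derived in this paper.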
In Cedille, another possibility is available: we can interpret the ordering relation as type inclusions, in the sense that T 1 is included into T 2 if and only if every term t of type T 1 is definitionally equal to some term of type T 2 . To show how type inclusions can be expressed as a type within Cedille (Cast, Section 3.3), we first demonstrate how to internalize the property that some untyped term t can be viewed as having type T (View, Section 3.2): type inclusions are thus a special case of internalized typing where we view λ x. x as having type T 1 → T 2 . Figure 8 summarizes the derivation of the View type family in Cedille, and Figure 9 gives its implementation. Type View ⋅ T t is the subset of type T consisting of terms provably equal to the untyped (more precisely Top-typed, see Definition 1) term t. It is defined using dependent intersection:

Views
Axiomatic summary. The introduction form intrView takes an untyped term t 1 and two computationally irrelevant arguments: a term t 2 of type T and a proof t that t 2 is equal to t 1 . The expression intrView t 1 -t 2 -t erases to (λ x. x) |t 1 |. The elimination form elimView takes an untyped term t and an erased argument v proving that t may be viewed as having type T and produces a term of type T. The crucial property of elimView is its erasure: elimView t -v also erases to (λ x. x) |t|, and so the expression is definitionally equal to t itself. Finally, eqView provides a reasoning principle for views. It states that every proof v that t may be viewed as having type T is equal to t.

Implementation. We now turn to the Cedille implementation of View and its operations in Figure 9. The definition of intrView uses the ϕ axiom (Figure 7) and the Kleene trick (Section 2.3) so that the resulting View ⋅ T t 1 erases to |t 1 | (see Figure 4 for erasure rules). Because of the Kleene trick, the requirement that a term both has type T and also proves itself equal to t 1 does not restrict the terms and types over which we may form a View. The elimination form uses ϕ to cast t to the type T of v.1 using the equality {v.1 ≃ t} given by v.2. The reasoning principle eqView uses ρ to rewrite the expected type {t ≃ v} with the equation {v.1 ≃ t} (v and v.1 are convertible terms).
The last two definitions of Figure 9, selfView and extView, are auxiliary. Since they can be derived solely from the introduction and elimination forms, they are not included in the axiomatization given in Figure 8. Definition selfView reflects the typing judgment that t has type T into the proposition that β{t} can be viewed as having type T. Definition extView provides an extrinsic typing principle for functions: if we can show of an untyped term t that for all inputs x of type S we have that t x can be viewed as having type T, then in fact t can be viewed as having type S → T.

Casts
Type inclusions, or casts, are represented by functions from S to T that are provably equal to λ x. x (see Breitner et al., 2016, and also Firsov et al., 2018, for the related notion of Curry-style "identity functions"). With types playing the role of elements of the preorder, existence of a cast from type S to type T will play the role of the ordering S ⊑ T in the proof of Theorem 3.1. We summarize the derivation of casts in Cedille axiomatically in Figure 10 and show their implementation in Figure 11.

Axiomatic summary. The introduction form, intrCast, takes two erased arguments: a function t ∶ S → T and a proof that t is extensionally the identity function for all terms of type S. In intrinsic type theories, there would not be much more to say: identity functions cannot map from S to T unless S and T are convertible types. But in an extrinsic type theory like CDLE, there are many nontrivial casts, especially in the presence of the ϕ axiom. Indeed, by enabling the definition of extView, we will see that ϕ plays a crucial role in the implementation of intrCast.
The elimination form, elimCast, takes as an erased argument a proof c of the inclusion of type S into type T. Its crucial property is its erasure: in the Cedille implementation, elimCast -c erases to a term convertible with λ x. x. The last construct listed in Figure 10 is eqCast, the reasoning principle. It states that every witness of a type inclusion is provably equal to λ x. x.

Implementation. We now turn to the implementation of Cast in Figure 11. The type Cast ⋅ S ⋅ T itself is defined to be the type of proofs that λ x. x may be viewed as having type S → T. The elimination form elimCast and reasoning principle eqCast are direct consequences of elimView and eqView, so we focus on the introduction form intrCast. Without the use of extView, we might expect the definition of intrCast to be of the form intrView (λ x. x) -t -•, where • holds the place of a proof of {t ≃ λ x. x}. However, Cedille's type theory is intensional, so from the assumption that t behaves like the identity function on terms of type S we cannot conclude that t is equal to λ x. x. Since Cedille's operational semantics and definitional equality are over untyped terms, our assumption regarding the behavior of t on terms of type S gives us no guarantees about the behavior of t on terms of other types, and thus no guarantee about the intensional structure of t.
The trick used in the definition of intrCast is rather to give an extrinsic typing of the identity function, using the typing and property of t. In the body, we use extView with an erased proof that assumes an arbitrary x ∶ S and constructs a view of x having type T using the typing of t x and the proof t ′ x that {t x ≃ x}. So rather than showing t is λ x. x, we are showing that t justifies ascribing to λ x. x the type S → T.

Casts form a preorder on types
Recall that a preorder (S, ⊑) consists of a set S and a reflexive and transitive binary relation ⊑ over S. In the proof-relevant setting of type theory, establishing that a relation on types induces a preorder requires that we also show, for all types T 1 and T 2 , that proofs of T 1 ⊑ T 2 are unique; otherwise, we might only be working in a category. We now show that Cast satisfies all three of these properties.
Theorem. Cast induces a preorder (or thin category) on Cedille types.
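At the erased level the preorder structure has a simple shadow (a Python sketch of ours; cast_refl and cast_trans are hypothetical names): a cast erases to the identity function, reflexivity is witnessed by the identity itself, and transitivity by composition, which remains extensionally the identity.

```python
# Erased casts are identity functions.
cast_refl = lambda x: x  # reflexivity: S included into S

def cast_trans(c1, c2):
    # Transitivity: compose a cast from S to T with a cast from T to U.
    # If both behave as the identity, so does the composite.
    return lambda x: c2(c1(x))
```

Uniqueness (thinness) has no computational content to sketch: it is the eqCast principle that every such witness is provably equal to λ x. x.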

Monotonicity
Monotonicity of a type scheme F ∶ ⋆ → ⋆ in this preorder is defined as a lifting, for all types S and T, of any cast from S to T to a cast from F ⋅ S to F ⋅ T. This is Mono in Figure 13. In the subsequent derivations of Scott and Parigot encodings, we shall omit the details of monotonicity proofs; once the general principle behind them is understood, these proofs are mechanical and do not provide further insight into the encoding. Although these are somewhat burdensome to write by hand, their repetitive nature makes us optimistic that such proofs can be automated for the signatures of standard datatypes.
We give an example in Figure 14 to illustrate the method. Type scheme NatF is the impredicative encoding of the signature for natural numbers. To prove that it is monotonic, we assume arbitrary types X and Y such that there is a cast c from the former to the latter and must exhibit a cast from NatF ⋅ X to NatF ⋅ Y. We do this using intrCast on a function that is definitionally equal (βη-convertible modulo erasure) to the identity function.
After assuming n ∶ NatF ⋅ X, we introduce a term of type NatF ⋅ Y by abstracting over type Z and terms z ∶ Z and s ∶ Y → Z. Instantiating the type argument of n with Z, the second term argument we provide must have type X → Z. For this, we precompose s with the assumed cast c from X to Y.

Figure 15 shows the translation of the proof of Theorem 3.1 to Cedille, deriving monotone recursive types. Cedille's module system allows us to parametrize the module shown in Figure 15 by the type scheme F, and all definitions implicitly take F as an argument. For the axiomatic presentation in Figure 17, we give F explicitly.
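At the erased level, the monotonicity proof for NatF can be mimicked with untyped terms (a plain Python sketch using hypothetical names; the real proof is the Cedille term just described): the lifted function re-abstracts over the two cases and precomposes the successor case with the cast.

```python
# NatF X, erased: a value takes a zero case z and a successor case s
# (expecting an X) and selects one.
zero_f = lambda z: lambda s: z
suc_f = lambda m: lambda z: lambda s: s(m)

def mono_natf(c):
    # Lift c : X -> Y to NatF X -> NatF Y by precomposing s with c.
    return lambda n: lambda z: lambda s: n(z)(lambda x: s(c(x)))
```

When c is extensionally the identity, mono_natf(c) is as well, which is exactly what intrCast requires of its argument.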

Translating the proof of Theorem 3.1 to Cedille
As noted in Section 3.1, it is enough to require that the set of f -closed elements (here, F-closed types) has a greatest lower bound. In Cedille's meta-theory (Stump and Jenkins, 2021), types are interpreted as sets of (βη-equivalence classes of) closed terms, and in particular the meaning of an impredicative quantification ∀ X ∶ ⋆. T is the intersection of the meanings (under different assignments of meanings to the variable X) of the body. Such an intersection functions as the greatest lower bound, as we will see.
The definition of Rec in Figure 15 expresses the intersection of the set of all F-closed types. This Rec corresponds to r in the proof of Theorem 3.1. Semantically, we are taking the intersection of all those sets X which are F-closed. So the greatest lower bound of the set of all f -closed elements in the context of a partial order is translated to the intersection of all F-closed types, where X being F-closed means there is a cast from F ⋅ X to X. We require just an erased argument of type Cast ⋅ (F ⋅ X) ⋅ X. By making the argument erased, we express the idea of taking the intersection of sets of terms satisfying a property, and not a set of functions that take a proof of the property as an argument.
Theorem. Rec is the greatest lower bound of the set of F-closed types.
Proof. In Figure 15, definition recLB establishes that Rec is a lower bound of this set and recGLB establishes that it is greater than or equal to any other lower bound; that is, for any other lower bound Y there is a cast from Y to Rec. For recLB, assume we have an F-closed type X and some x ∶ Rec. It suffices to give a term of type X that is definitionally equal to x. Instantiate the type argument of x to X and use the proof that X is F-closed as an erased argument.
For recGLB, assume we have some Y which is a lower bound of the set of all F-closed types, witnessed by u, and a term y ∶ Y. It suffices to give a term of type Rec that is definitionally equal to y. By the definition of Rec, we assume an arbitrary type X that is F-closed, witnessed by c, and must produce a term of type X. Use the assumption u and c to cast y to the type X, noting that abstraction over X and c is erased.
In Figure 15, recRoll implements part 1 of the proof of Theorem 3.1, and recUnroll implements part 2. In recRoll, we invoke the property that Rec contains any other lower bound of the set of F-closed types in order to show Rec contains F ⋅ Rec and must show that F ⋅ Rec is included into any arbitrary F-closed type X. We do so using the fact that Rec is also a lower bound of this set (recLB) and so is contained in X, monotonicity of F, and transitivity of Cast with the assumption that F ⋅ X is contained in X. In recUnroll, we use recRoll and monotonicity of F to obtain that F ⋅ Rec is F-closed, then use recLB to conclude. It is here we see the impredicativity noted earlier: in recLB, we instantiate the type argument of x ∶ Rec to the given type X; in recUnroll, the given type is F ⋅ Rec. This would not be possible in a predicative type theory.

Operational semantics for Rec
We conclude this section by giving the definitions of the constant-time roll and unroll operators for recursive types in Figure 16. The derivation of recursive types with these operators is summarized axiomatically in Figure 17.
Operations roll and unroll are implemented using the elimination form for casts on resp. recRoll and recUnroll, assuming a proof m that F is monotonic. By erasure, this means both operations are definitionally equal to λ x. x. This is shown in Figure 16 with two anonymous proofs (indicated by _) of equality types that hold by β alone. This fact makes trivial the proof that these operators for recursive types satisfy the desired laws. We remark that, given the erasures of roll and unroll, the classification of Rec as either being iso-recursive or equi-recursive is unclear. On the one hand, Rec ⋅ F and its one-step unrolling are not definitionally equal types and require explicit operations to pass between the two. On the other hand, their denotations as sets of βη-equivalence classes of untyped lambda terms are equal, and in intensional type theories with iso-recursive types it is not usual that the equation roll (unroll t) = t holds by the operational semantics (however, the equation unroll (roll t) = t should, unless one is satisfied with Church encodings). Instead, we view Rec as a synthesis of these two formulations of recursive types.

Datatypes and Recursion Schemes
Before we proceed with the application of derived recursive types to encodings of datatypes with induction in Cedille, we first elaborate on the close connection between datatypes, structured recursion schemes, and impredicative encodings. An inductive datatype D can be understood semantically as the least fixpoint of a signature functor F. Together with D comes a generic constructor, inD ∶ F ⋅ D → D, which we can understand as building a new value of D from an "F-collection" of predecessors. For example, the datatype Nat of natural numbers has the signature λ X ∶ ⋆. 1 + X, where + is the binary coproduct type constructor and 1 is the unit type. The more familiar constructors zero ∶ Nat and suc ∶ Nat → Nat can be merged together into a single constructor inNat ∶ (1 + Nat) → Nat.
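The merging of zero and suc into a single constructor over the signature 1 + X can be illustrated concretely; a Python sketch (not Cedille) in which Nat is modeled by machine integers and `inl`/`inr` tag the coproduct:

```python
# The coproduct 1 + X as a tagged value: inl is the unit summand,
# inr x injects a predecessor x.
inl = ('inl', None)
inr = lambda x: ('inr', x)

# inNat : (1 + Nat) -> Nat, merging the two familiar constructors.
def in_nat(e):
    tag, x = e
    return 0 if tag == 'inl' else x + 1

zero = in_nat(inl)               # the constructor zero
suc  = lambda n: in_nat(inr(n))  # the constructor suc
```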
What separates our derived monotone recursive types (which also construct a least fixpoint of F) and inductive datatypes is, essentially, the difference between preorder theory and category theory: proof relevance. In moving from the first setting to the second, we observe the following correspondences.
• The ordering corresponds to morphisms. Here, this means working with functions S → T, not type inclusions Cast ⋅ S ⋅ T. While there is at most one witness of an inclusion from one type to another, there of course may be multiple functions.
• Monotonicity corresponds to functoriality. Here, this means that a type scheme F comes with an operation fmap that lifts, for all types S and T, functions of type S → T to functions of type F ⋅ S → F ⋅ T. This lifting must respect identity and composition of functions. We give a formal definition in Cedille of functors later in Section 6.2.
• Where we had F-closed sets, we now have F-algebras. Here, this means a type T together with a function t ∶ F ⋅ T → T.
Carrying the correspondence further, in Section 3.4 we proved that Rec ⋅ F is a lower bound of the set of F-closed types. The related property for a datatype D with signature functor F is the existence of an iteration operator, foldD, satisfying both a typing and (because of the proof-relevant setting) a computation law. This is shown in Figure 18.
For the typing law, we read T as the type of results we wish to iteratively compute and t as a function that constructs a result from an F-collection of previous results recursively computed from predecessors. This reading is confirmed by the computation law, which states that for all T, t, and t ′ , the function foldD t acts on inD t ′ by first making recursive calls on the subdata of t ′ (accessed using fmap) then using t to compute a result from this. Instantiating F with the signature for Nat, and working through standard isomorphisms, we can specialize the typing and computation laws of the generic iteration scheme to the usual laws for iteration over Nat, shown in Figure 19.
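The specialized laws for Nat can be read directly as a recursive definition. A Python sketch (Nat again modeled by integers; `fold_nat` is our name):

```python
def fold_nat(z, s, n):
    # The specialized laws of the iteration scheme for Nat:
    #   foldNat z s zero    = z
    #   foldNat z s (suc n) = s (foldNat z s n)
    return z if n == 0 else s(fold_nat(z, s, n - 1))
```

For example, `fold_nat(0, lambda r: r + 2, n)` doubles n by iterated addition.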
Following the approach of Geuvers (2014), we present lambda encodings as solutions to structured recursion schemes over datatypes and evaluate them by how well they simulate the computation laws for these schemes. Read Figure 18 as a collection of constraints with unknowns D, foldD, and inD. From these constraints, we can calculate an encoding of D in System F ω that is a variant of the Church encoding. This is shown in Figure 20. For comparison, the figure also shows the familiar Church encoding of naturals, which we may similarly read from the iteration scheme for Nat.
For the typing law, we let D be the type of functions, polymorphic in X, that take functions of type F ⋅ X → X to a result of type X. For the iterator foldD, we provide the given a ∶ F ⋅ X → X as an argument to the encoding. Finally, we use the right-hand side of the computation law to  give a definition for constructor inD, and we can confirm that inD has type F ⋅ D → D. Thus, the Church encoding of D arises as a direct solution to the iteration scheme for D in (impredicative) polymorphic lambda calculi.
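Concretely, the Church naturals read off the iteration scheme compute as untyped lambda terms, so plain Python lambdas suffice to sketch them (names are ours):

```python
# Church naturals: a number is its own iterator.
czero = lambda z: lambda s: z
csuc  = lambda n: lambda z: lambda s: s(n(z)(s))

# The iterator simply hands its arguments to the encoding.
fold = lambda z: lambda s: lambda n: n(z)(s)

two = csuc(csuc(czero))
```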
Notice that with the definitions of inD and foldD, we simulate the computation law for iteration in a constant number of β-reduction steps. For call-by-name operational semantics, we see that foldD t (inD t ′ ) reduces to t (fmap (foldD t) t ′ ) in a constant number of steps. For call-by-value semantics, we would assume that t and t ′ are values and first reduce inD t ′ . The issue of inefficiency in computing predecessor for Church naturals has an analog for an arbitrary datatype D that only supports iteration. The destructor for datatype D is an operator outD satisfying the typing and computation law of Figure 21.
With foldD, we can define a candidate for the destructor that satisfies the desired typing as outD = foldD (fmap inD). However, this definition of outD does not efficiently simulate the computation law. By definitional equality alone, we have only outD (inD t) = fmap (λ x. inD (outD x)) t, which means we recursively destruct predecessors of t only to reconstruct them with inD. In particular, if t is a variable the recursive call becomes stuck, and we cannot reduce further to obtain a right-hand side of t.
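The cost shows up concretely for Church naturals: any predecessor defined by iteration must traverse the whole number. A Python sketch using the well-known pairing trick (a standard workaround rather than the fold of fmap inD itself; names are ours) still takes linear time:

```python
czero  = lambda z: lambda s: z
csuc   = lambda n: lambda z: lambda s: s(n(z)(s))
to_int = lambda n: n(0)(lambda k: k + 1)

# Predecessor by iteration: fold up the pair (n - 1, n), rebuilding the
# number with the constructors at every step -- linear time, not constant.
def cpred(n):
    first, _ = n((czero, czero))(lambda p: (p[1], csuc(p[1])))
    return first
```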

Characterizing datatype encodings
Throughout the remainder of this paper, we will give a thorough characterization of our Scott and Parigot encodings. Specifically, in addition to the iteration scheme and destructor discussed above, we will later introduce the case distinction and primitive recursion schemes to explain the definitions of the Scott and Parigot encodings, respectively. Then, for each combination of encoding and scheme, we consider two properties: the efficiency (under call-by-name and call-by-value semantics) with which we can simulate the computation law of the scheme with the encoding, and the provability of the extensionality law for that scheme using the derived induction principle for the encoding.
We now detail the criteria we shall use, and the corresponding Cedille definitions, for the iteration scheme and destructor. This begins with Figure 22, which takes as a module parameter a type scheme F ∶ ⋆ → ⋆ and gives type definitions for the typing law of the iteration scheme. Type family Alg gives the shape of the types of functions used in iteration, and family Iter gives the shape of the type of the combinator foldD itself.
Iteration scheme. Figure 23 lists the computation and extensionality laws for the iteration scheme. For the module parameters, read fmap as the functorial operation lifting functions over type scheme F, D as the datatype, and inD as the constructor. IterBeta expresses the computation law using the auxiliary definition AlgHom (the category-theoretic notion of an F-algebra homomorphism from inD): for all xs ∶ F ⋅ D, X, and a ∶ Alg ⋅ X, we have that foldD a (inD xs) is propositionally equal to a (fmap (foldD a) xs). For all datatype encodings and recursion schemes, we will be careful to note whether the computation law is efficiently simulated (under both call-by-name and call-by-value operational semantics) by the implementation we give for that scheme.
The extensionality law, given by IterEta, expresses the property that a candidate for the combinator foldD for iteration is a unique solution to the computation law. More precisely, if there is any other function h ∶ D → X that satisfies the computation law with respect to some a ∶ Alg ⋅ X, then foldD a and h are equal up to function extensionality. Extensionality laws are proved with induction.
Destructor. In Figure 24, Destructor gives the type of the generic data destructor, and Lambek1 and Lambek2 together state the property that candidate destructor outD is a two-sided inverse of the constructor inD. The names for these properties come from Lambek's lemma (Lambek, 1968), which states that the action of the initial algebra is an isomorphism. For all encodings of datatypes, we will be careful to note whether Lambek1 (the computation law) is efficiently simulated by our solution for the encoding's destructor under call-by-name and call-by-value operational semantics. As we noted earlier, for the generic Church encoding the solution for outD is not an efficient one. Proofs of Lambek2 (the extensionality law) will be given by induction.

Scott Encoding
The Scott encoding was first described in unpublished lecture notes by Scott (1962) and appears also in the work of Parigot (1989, 1992). Unlike Church naturals, an efficient predecessor function is definable for Scott naturals (Parigot, 1989), but it is not known how to express the type of Scott-encoded data in System F (Splawski and Urzyczyn, 1999, point toward a negative result). Furthermore, it is not obvious how to define recursive functions over Scott encodings without a general fixpoint mechanism for terms.
As a first application of monotone recursive types in Cedille -and as a warm-up for the generic derivations to come -we show how to derive Scott-encoded natural numbers with a weak form of induction. By weak, we mean that this form of induction does not provide an inductive hypothesis, only a mechanism for proof by case analysis. In Section 7, we will derive both primitive recursion and standard induction for Scott encodings.
The Scott encoding can be seen as a solution to the case distinction scheme in polymorphic lambda calculi with recursive types. We give the typing and computation laws for this scheme for Nat in Figure 25. Unlike the iteration scheme, in the successor case the case distinction scheme provides direct access to the predecessor itself but no apparent form of recursion.
Using caseNat, we can define the predecessor function pred for naturals as pred = caseNat zero (λ m. m). Function pred then computes as follows over the constructors of Nat: pred zero reduces to zero, and pred (suc n) reduces to n. Thus, we see that with an efficient simulation of caseNat, we have an efficient implementation of the predecessor function.
Using the same method as discussed in Section 4.1, from the typing and computation laws we obtain the solutions for Nat, caseNat, zero, and suc given in Figure 26. For the definition of Nat, the premises of the typing law mention Nat itself, so a direct solution requires some form of recursive types. For readability, the solution in Figure 26 uses iso-recursive types -so |unroll(roll(t))| ↝ |t| for all t. It is then a mechanical exercise to confirm that the computation laws are efficiently simulated by these definitions.
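At the term level (roll and unroll both erase to λ x. x), the solutions of Figure 26 are plain lambda terms; a Python sketch (names are ours, including a hypothetical helper `s_to_int` for reading results back):

```python
# Scott naturals: a number is its own one-step case distinction.
szero = lambda z: lambda s: z
ssuc  = lambda n: lambda z: lambda s: s(n)   # stores the predecessor itself

case_nat = lambda z: lambda s: lambda n: n(z)(s)

# Constant-time predecessor via case distinction.
pred = case_nat(szero)(lambda m: m)

# Reading back requires general recursion: Scott data carries no iterator.
def s_to_int(n):
    return n(0)(lambda m: 1 + s_to_int(m))
```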

Scott-encoded naturals, concretely
Our construction of Scott-encoded naturals supporting weak induction consists of three stages. In Figure 27, we give the definition of the noninductive datatype signature NatF with its constructors. In Figure 28, we define a predicate WkIndNatF over types N and terms n of type NatF ⋅ N that says a certain form of weak induction suffices to prove properties about n. Finally, in Figure 29, the type Nat is given using recursive types and the desired weak induction principle for Nat is derived.
Signature NatF. In Figure 27, type scheme NatF is the usual impredicative encoding of the signature functor for natural numbers. Terms zeroF and sucF are its constructors, quantifying over the parameter N; using the erasure rules (Figure 4), we can confirm that these have the erasures λ z. λ s. z and λ n. λ z. λ s. s n -these are the constructors for Scott naturals in untyped lambda calculus. The proof that NatF is monotone is omitted, indicated by <..> in the figure (we detailed the proof in Section 3.3.2).
Predicate WkIndNatF. We next define a predicate, parametrized by a type N, over terms of type NatF ⋅ N. For such a term n, WkIndNatF ⋅ N n is the property that, to prove P n for arbitrary P ∶ NatF ⋅ N → ⋆, it suffices to show certain cases for zeroF and sucF.
• In the base case, we must show that P holds for zeroF. • In the step case, we must show that for arbitrary m ∶ N that P holds for sucF m.
Next, in Figure 28, are proofs zeroWkIndNatF and sucWkIndNatF, which show resp. that zeroF satisfies the predicate WkIndNatF and sucF n satisfies this predicate for all n. Notice that zeroWkIndNatF is definitionally equal to zeroF and sucWkIndNatF is definitionally equal to sucF. We can confirm this fact by having Cedille check that β proves they are propositionally equal (_ denotes an anonymous proof). This correspondence, first observed for Church encodings by Leivant (1983), between lambda-encoded data and the proofs that elements of the datatype satisfy the datatype's induction principle, is an essential part of the recipe of Stump (2018a) for deriving inductive types in CDLE.
Nat, the type of Scott naturals. Figure 29 gives the third and final phase of the derivation of Scott naturals. The datatype signature NatFI is defined using a dependent intersection, producing the subset of those terms of type NatF ⋅ N that are definitionally equal to some proof that they satisfy the predicate WkIndNatF ⋅ N (since WkIndNatF is not an equational constraint, this restriction is not trivialized by the Kleene trick). Monotonicity of NatFI is given by monoNatFI (proof omitted).
Using the recursive type former Rec derived in Section 3, we define Nat as the least fixpoint of NatFI, and specializing the rolling and unrolling operators to NatFI we obtain rollNat and unrollNat. The operators, along with the facts that |zeroF| = βη |zeroWkIndNatF| and |sucF| = βη |sucWkIndNatF|, are then used to define the constructors zero and suc. From the fact that |rollNat| = βη λ x. x, and by the erasure of dependent intersection introductions, we see that the constructors for Nat are in fact definitionally equal to the corresponding constructors for NatF.
Weak induction for Nat. Weak induction for Nat, given by wkIndNat in Figure 29, allows us to prove P n for arbitrary n ∶ Nat and P ∶ Nat → ⋆ if we can show that P holds of zero and that for arbitrary m we can construct a proof of P (suc m). However, there is a gap between this proof principle and the proof principle WkIndNatF ⋅ Nat associated to n -the latter allows us to prove properties over terms of type NatF ⋅ Nat, not terms of type Nat! To bridge this gap, we introduce a predicate transformer LiftNat that takes properties of kind Nat → ⋆ to properties of kind NatF ⋅ Nat → ⋆. For any n ∶ NatF ⋅ Nat, the new property LiftNat ⋅ P n states that P holds for n if we have a way of viewing n at type Nat (View, Figure 8).
The key to the proof of weak induction for Nat is that by using View, the retyping operation of terms of type NatF ⋅ Nat to the type Nat is definitionally equal to λ x. x, and the fact that the constructors for NatF are definitionally equal to the constructors for Nat. We elaborate further on this point. Let z and s be resp. the assumed proofs of the base and inductive cases. From the second projection of the unrolling of n, we have a proof of WkIndNatF ⋅ Nat (unroll n).1. Instantiating the predicate argument of this with LiftNat ⋅ P gives us the following subgoals.
In the base case, assuming v ∶ View ⋅ Nat β{zeroF}, we wish to give a proof of P (elimView β{zeroF} -v). This is convertible with the type P zero of z, since |elimView β{zeroF} -v| = βη |zero|.
In the step case, assume we have an arbitrary m, and that v is a proof of View ⋅ Nat β{sucF m}. We are expected to give a proof of P (elimView β{sucF m.1} -v). The expression s m has type P (suc m), which is convertible with that expected type.
The whole expression synthesizes a type which is convertible with the expected type P n.

Computational and extensional character
As mentioned at the outset of this section, one of the crucial characteristics of Scott-encoded naturals is that they may be used to efficiently simulate the computation laws for case distinction. We now demonstrate this is the case for the Scott naturals we have derived. Additionally, we prove using weak induction that the solution we give for the combinator for case distinction satisfies the corresponding extensionality law, that is, it is the unique such solution up to function extensionality.
Computational laws. The definition of the operator caseNat for case distinction is given in Figure 30, along with predecessor pred (defined using caseNat) and proofs for both that they satisfy the desired computation laws (or β-laws) by definition. As both rollNat and unrollNat erase to λ x. x (Figure 17), our overhead in simulating case distinction is only a constant number of reductions. With an efficient operation for case distinction, we obtain an efficient predecessor pred.
To confirm the efficiency of this implementation, we consider the erasure of caseNat z s (suc n), the redex side of the computation law for case distinction in the successor case (caseNatBeta2). This reduces to s n in a constant number of steps, both call-by-name and (under the assumption that n is a value) call-by-value.
Additionally, it is satisfying to note that the computational content underlying the weak induction principle is precisely that which underlies the case distinction operator caseNat. This is proven by wkIndComp, which shows not just that they satisfy the same computation laws, but in fact that the two terms are definitionally equal.
Extensional laws. Using weak induction, we can prove the extensionality law (or η-law) of the case distinction scheme. This is caseNatEta in Figure 31. The precise statement of uniqueness is that, for every type X and terms z ∶ X and s ∶ Nat → X, if there exists a function h ∶ Nat → X satisfying the computation laws of the case distinction scheme with respect to z and s, then h is extensionally equal to caseNat z s.
From uniqueness, we can obtain the proof reflectNat that using case distinction with the constructors themselves reconstructs the given number. The name for this is taken from the reflection law (Uustalu and Vene, 1999) of the iteration scheme for datatypes. The standard formulation of the reflection law and the variation given by reflectNat both express that the only elements of a datatype are those generated by its constructors. This idea plays a crucial role in the future derivations of (full) induction for both the Parigot and Scott encodings and is elaborated on in Section 6.

Scott-encoded data, generically
For the generic Scott encoding, we begin our discussion by phrasing the case distinction scheme generically (meaning parametrically) in a signature F ∶ ⋆ → ⋆. Let D be the datatype whose signature is F and whose constructor is inD ∶ F ⋅ D → D. Datatype D satisfies the case distinction scheme if there exists an operator caseD satisfying the typing and computation laws listed in Figure 32.
We understand the computation law as saying that when acting on data constructed with inD, the case distinction scheme gives to its function argument t the revealed subdata t ′ ∶ F ⋅ D directly. Notice that unlike the iteration scheme, for case distinction we do not require that F comes together with an operation fmap as there is no recursive call to be made on the predecessors.
From these laws, we can define outD ∶ D → F ⋅ D, the generic destructor that reveals the F-collection of predecessors used to construct a term of type D, by applying caseD to the identity function: outD = caseD (λ x. x). This satisfies the expected computation law for the destructor in a number of steps that is constant with respect to t.
In System F ω extended with iso-recursive types, we can read an encoding directly from these laws, resulting in the solutions for D, caseD, and inD given in Figure 33. This is the generic Scott encoding and is the basis for the developments in Section 5.2.2.
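The term-level content of the generic Scott encoding is tiny; a Python sketch (not Cedille; the F-collection `xs` is whatever value the signature supplies, and the destructor shown is one candidate matching the destructor's laws, namely case distinction with the identity):

```python
# A Scott-encoded datum awaits a case-analysis function and applies it
# to the stored F-collection of predecessors.
inD   = lambda xs: lambda t: t(xs)
caseD = lambda t: lambda d: d(t)

# A destructor: case distinction with the identity, revealing the
# predecessors in constant time.
outD = caseD(lambda xs: xs)
```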

Characterization criteria
We formalize in Cedille the above description of the generic case distinction scheme in Figures 34  and 35. Definitions for the typing law of case distinction for datatype D are given in Figure 34, where the module is parametrized by a type scheme F that gives the datatype signature. The type family AlgCase gives the shape of the types of functions used for case distinction, and Case gives the shape of the type of operator caseD itself. In Figure 35, we take the signature F as well as the datatype D and its constructor inD as parameters. We import the definitions of Figure 22 without specifying that module's type scheme parameter, so in the type of inD, Alg ⋅ F ⋅ D, we give this explicitly as F. For a candidate caseD ∶ Case ⋅ D for the operator for case distinction, the property CaseBeta caseD states that it satisfies the desired computation law, where the shape of the computation law is given by AlgCaseHom. CaseEta caseD is the property that caseD satisfies the extensionality law, that is, any other function h ∶ D → X that satisfies the computation law with respect to a ∶ AlgCase ⋅ D ⋅ X is extensionally equal to caseD a.

Generic Scott encoding
We now detail the generic derivation of Scott-encoded data supporting weak induction. The developments in this section are parametrized by a type scheme F ∶ ⋆ → ⋆ that is monotonic (the curly braces around mono indicate that it is an erased module parameter). As we did for the concrete derivation of naturals, the construction is separated into several phases. In Figure 36, we give the unrefined signature DF for Scott-encoded data and its constructor. In Figure 37, we define the predicate WkIndDF expressing that DF terms satisfy a certain weak induction principle and show that the constructor satisfies this predicate. In Figure 38, we take the fixpoint of the refined signature, defining the datatype D, and prove weak induction for D.
Signature DF. In Figure 36, DF is the type scheme whose fixpoint is the solution to the equation for D in Figure 33. Definition inDF is the polymorphic constructor for signature DF, that is, the generic grouping together of the collection of constructors for the datatype signature (e.g., zeroF and sucF, Figure 27). Finally, monoDF is a proof that type scheme DF is monotonic (definition omitted, indicated by <..>).
Predicate WkIndDF. In Figure 37, we give the definition of WkIndDF, the property (parametrized by type D) that terms of type DF ⋅ D satisfy a certain weak induction principle. More precisely, WkIndDF ⋅ D t is the type of proofs that, for all properties P ∶ DF ⋅ D → ⋆, P holds for t if a weak inductive proof can be given for P. The type of weak inductive proofs is WkPrfAlg ⋅ D ⋅ P, to be read "weak (F, D)-proof-algebras for P." A term a of this type takes an F-collection of D values and produces a proof that P holds for the value constructed from this using inDF. In the concrete derivation of Scott naturals, the predicate WkIndNatF (Figure 28) required terms of types P zeroF and, for arbitrary m ∶ N, P (sucF m) to be given in proofs by weak induction; we can understand WkPrfAlg as combining these types together into a single type, parametrized by the signature F.
Next in the figure is inWkIndDF, which for all types D is a weak (F, D)-proof-algebra for WkIndDF ⋅ D. Put more concretely, it is a proof that every term of type DF ⋅ D constructed by inDF admits the weak induction principle given by WkIndDF ⋅ D. The corresponding definitions from Section 5.2 are zeroWkIndNatF and sucWkIndNatF.
The Scott-encoded datatype D. With the inductivity predicate WkIndDF and weak proof algebra inWkIndDF for it, we are now able to form a signature refining DF such that its fixpoint supports weak induction (proof by cases). Observe that the proof inWkIndDF in Figure 37 is definitionally equal to inDF. This effectively allows us to use dependent intersections to form, for all D, the subset of the type DF ⋅ D whose elements satisfy WkIndDF ⋅ D. This is DFI in Figure 38. Since DFI is monotonic (proof omitted), we can form the datatype D as the fixpoint of DFI using Rec, with rolling and unrolling operations rollD and unrollD that are definitionally equal to λ x. x.
The constructor inD for D takes an F-collection of D predecessors xs and constructs a value of type D using the fixpoint rolling operator, the constructor inDF, and the proof inWkIndDF. Note again that, by the erasure of dependent intersections, we have that inD and inDF are definitionally equal.
Weak induction for D. As was the case for the concrete encoding of Scott naturals, we must now bridge the gap between the desired weak induction principle, where we wish to prove properties of kind D → ⋆, and what we are given by WkIndDF (the ability to prove properties of kind DF ⋅ D → ⋆). This is achieved using the predicate transformer LiftD that maps predicates over D to predicates over DF ⋅ D by requiring an additional assumption that the given x ∶ DF ⋅ D can be viewed as having type D.
The weak induction principle wkIndD for D states that a property P holds for term x ∶ D if we can provide a function a which, when given an arbitrary F-collection of D predecessors, produces a proof that P holds for the successor of this collection constructed from inD. In the body of wkIndD, we invoke the proof principle WkIndDF ⋅ D (unroll x).1, given by (unroll x).2, on the lifting of P. For the weak proof algebra, we apply the assumption a to the revealed predecessors xs. This expression has type P (inD xs), and the expected type is P (elimView β{inDF xs} -v). These two types are convertible, since the two terms in question are definitionally equal: |elimView β{inDF xs} -v| = βη |inD xs| since in particular |inDF| = βη |inD|. The whole expression, then, has a type which is convertible with the expected type P x.

Computational and extensional character
We now analyze the properties of our generic Scott encoding. In particular, we give the normalization guarantee for terms of type D and confirm that we can give implementations of the case distinction scheme and destructor that both efficiently simulate their computation laws and provably satisfy their extensionality laws. Iteration and primitive recursion are treated in Section 7.3.1.
Normalization guarantee. Recall that Proposition 3 guarantees call-by-name normalization for closed Cedille terms whose types can be included into some function type. The proof normD of Figure 39 establishes the existence of a cast from D to AlgCase ⋅ D ⋅ D → D, meaning that closed terms of type D satisfy this criterion.
Case distinction scheme. We next bring into scope the definitions for characterizing the case distinction scheme (Figure 35). For our solution caseD in Figure 39, caseDBeta proves it satisfies the computation law and caseDEta proves it satisfies the extensionality law. As we saw for the concrete example of Scott naturals in Section 5.1.1, the proof caseDBeta of the computation law holds by definitional equality, not just propositional equality, since the propositional equality is proved by β. By inspecting the definitions of inD and caseD, and the erasures of roll and unroll (Figure 17), we can confirm that in fact caseD t (inD t ′ ) reduces to t in a number of steps that is constant with respect to t ′ under both call-by-name and call-by-value operational semantics.
For caseDEta, we proceed by weak induction and must show that h (inD xs) is propositionally equal to caseD a (inD xs). This follows from the assumption that h satisfies the computation law with respect to a ∶ AlgCase ⋅ D ⋅ X. As an expected result of uniqueness, reflectD shows that applying caseD to the constructor produces a function extensionally equal to the identity function.
Destructor. In Figure 40, we give the definition we proposed earlier for the datatype destructor outD. The proof lambek1D establishes that |outD (inD t)| is definitionally equal to |t| for all terms t ∶ F ⋅ D. As caseD is an efficient implementation of case distinction, we know that outD is an efficient destructor. The proof lambek2D establishes the other side of the isomorphism between D and F ⋅ D and follows by weak induction.

Parigot Encoding
In this section, we derive Parigot-encoded data with (non-weak) induction, illustrating with a concrete example in Section 6.1 the techniques we use before proceeding with the generic derivation in Section 6.3. The Parigot encoding was first described by Parigot (1988, 1992) for natural numbers and later for a more general class of datatypes by Geuvers (2014) (wherein it is called the Church-Scott encoding). It is a combination of the Church and Scott encodings: it directly supports recursion with access to previously computed results as well as to predecessors. For the inductive versions we derive in this section, this means that unlike the weakly inductive Scott encoding of Section 5, we have access to an inductive hypothesis. However, for the Parigot encoding, this additional power comes at a cost: the size of the encoding of natural number n is exponential in n.
The Parigot encoding can be seen as a direct solution to the primitive recursion scheme in polymorphic lambda calculi with recursive types. For natural numbers, the typing and computation laws for this scheme are given in Figure 41. The significant feature of primitive recursion is that in the successor case, the user-supplied function t 2 has access both to the predecessor n and the result recursively computed from n.
With primitive recursion, we can give the following implementation of the predecessor function: pred = recNat zero (λ m. λ r. m). The efficiency of this definition of pred depends on the operational semantics of the language. Under call-by-name semantics, we have that |pred (suc n)| reduces to n in a constant number of steps since the recursively computed result (the predecessor of n) is discarded before it can be further evaluated. This is not the case for call-by-value semantics: for closed n we would compute all predecessors of n, then discard these results.
In System F with iso-recursive types, we can obtain Parigot naturals from the typing and computation laws for primitive recursion over naturals. The solutions for Nat, recNat, zero, and suc we acquire in this way are shown in Figure 42.
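At the term level these solutions are again plain lambdas; a Python sketch (names are ours; note that Python is call-by-value, so the discarded recursive result in `pred` is still computed, matching the remark above):

```python
# Parigot naturals: the successor stores the predecessor AND the
# recursively computed result, so the term for n grows exponentially in n.
pzero = lambda z: lambda s: z
psuc  = lambda n: lambda z: lambda s: s(n)(n(z)(s))

rec_nat = lambda z: lambda s: lambda n: n(z)(s)

# Primitive-recursive predecessor: keep the stored predecessor m,
# discard the recursive result r.
pred = rec_nat(pzero)(lambda m: lambda r: m)

def p_to_int(n):
    return rec_nat(0)(lambda m: lambda r: r + 1)(n)
```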
Parigot naturals and canonicity. In addition to showing yet another application of derived recursive types in Cedille, this section serves two pedagogical purposes. First, the Parigot encoding more readily supports primitive recursion than the Scott encoding, for which the construction is rather complex (see Section 7). Second, the derivation of induction for Parigot-encoded data involves a very different approach from that used in Section 5, taking full advantage of the embedding of untyped lambda calculus in Cedille. We elaborate on this second point further: as observed by Geuvers (2014), there is a deficiency in the definition of the type of Parigot-encoded data in polymorphic type theory with recursive types. For example, the above definition of the type Nat is not precise enough: it admits the definition of a bogus constructor suc′. The difficulty is that the type Nat does not enforce that the first argument to the bound s is the same number that we use to compute the second argument. Put another way, this represents a failure to secure the extensionality law (uniqueness) for the primitive recursion scheme with this encoding.
To address this, we observe that there is a purely computational characterization of the subset of Nat that contains only the canonical Parigot naturals. This characterization is the reflection law. As we will see by proving induction, the set of canonical Parigot naturals is precisely the set of terms n of type Nat satisfying the following equality:

{recNat zero (λ m. suc) n ≃ n}

As an example, the noncanonical Parigot natural suc′ (suc zero) does not satisfy this criterion: rebuilding it with the constructors zero and suc produces suc (suc zero) (see also Ghani et al. (2012, Section 2), where it is shown that the reflection law together with dependent products guarantees induction for naturals).
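Under the same illustrative Python rendering of untyped Parigot naturals as closures (our own sketch, not the paper's Cedille code), the reflection function can be written and observed to rebuild canonical naturals:

```python
# Reflection for untyped Parigot naturals (illustrative Python sketch).
zero = lambda z: lambda s: z
suc = lambda n: lambda z: lambda s: s(n)(n(z)(s))
rec_nat = lambda z, s, n: n(z)(s)

# reflect n = recNat zero (lambda m. suc) n: rebuild n with the constructors,
# ignoring the predecessor m and applying suc to the recursive result r.
reflect = lambda n: rec_nat(zero, lambda m: lambda r: suc(r), n)

to_int = lambda n: rec_nat(0, lambda m: lambda r: 1 + r, n)
two = suc(suc(zero))
```

For a canonical natural such as two, reflect rebuilds an equivalent canonical numeral, which is the computational content of the reflection law.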
With Top and the Kleene trick (Section 2.3), we can express the property that a term satisfies the reflection law before we give a type for Parigot naturals. This is good, because we wish to use the reflection law in the definition of the type of Parigot naturals!

Parigot-encoded naturals, concretely
We split the derivation of inductive Parigot naturals into three parts. In Figure 43, we define untyped operations for Parigot naturals and prove that the untyped constructors preserve the reflection law. In Figure 44, we define the type Nat of canonical Parigot naturals and its constructors. Finally, in Figure 45, we define the subset of Parigot naturals supporting induction, then show that the type Nat is included in this subset.
Reflection law. The first definitions in Figure 43 are untyped operations for Parigot naturals. Definition recNatU is the combinator for primitive recursion, and zeroU and sucU are the constructors (compare these to the corresponding definitions in Figure 42). The term reflectNatU is the function which rebuilds Parigot naturals with their constructors, and the predicate NatC expresses the reflection law for untyped Parigot naturals.
The proofs zeroC and sucC show, respectively, that zeroU satisfies the reflection law, and that if n satisfies the reflection law then so does sucU n. In the proof for sucU, the expected type reduces to an equality type whose left-hand side is convertible with:

sucU (reflectNatU n)
We finish the proof by rewriting with the assumption that n satisfies the reflection law. Note that in addition to using the Kleene trick (Section 2.3) to have a type Top for terms of the untyped lambda calculus, we also use it so that the proofs zeroC and sucC are definitionally equal to the untyped constructors zeroU and sucU (see Figure 4 for the erasure of ρ), where _ indicates an anonymous proof. This is so that we may define Parigot naturals as an equational subset type with dependent intersection, which we will see next.
Nat, the type of Parigot naturals. In Figure 44, we first define the type scheme NatF′ whose fixpoint over-approximates the type of Parigot naturals. Using dependent intersection, we then define the type scheme NatF, mapping a type N to the subset of terms of type NatF′ ⋅ N which satisfy the reflection law. This type scheme is monotonic (monoNatF, definition omitted), so we may use the recursive type former Rec to define the type Nat, with rolling and unrolling operations rollNat and unrollNat that are definitionally equal to λ x. x (see Figure 17).

Constructors of Nat.
Definitions recNat, zero, and suc are the typed versions of the primitive recursion combinator and constructors for Parigot naturals. The definitions of the constructors are split into two parts, with zero′ and suc′ constructing terms of type NatF′ ⋅ Nat and the unprimed constructors combining their primed counterparts with the respective proofs that they satisfy the reflection law. For example, in suc, the second component of the dependent intersection proves {reflectNatU (sucU β{n}) ≃ sucU β{n}} by invoking the proof sucC with the proof that n itself satisfies the reflection law.
NatI, the type of inductive Parigot naturals. The definition of the inductive subset of Parigot naturals begins in Figure 45 with the predicate IndNat over Nat. For all n ∶ Nat, IndNat n is the type of proofs that, in order to prove that an arbitrary predicate P holds for n, it suffices to give corresponding proofs for the constructors zero and suc. We again note that in the successor case, we have access both to the predecessor m and to a proof of P m as an inductive hypothesis. The type NatI is then defined with dependent intersection as the subset of Nat for which the predicate IndNat holds. Definition recNatI brings us close to the derivation of an induction principle for Nat, but does not quite achieve it: with an inductive proof of a predicate P, we have only that P holds for the Parigot naturals in the inductive subset. It remains to show that every Parigot natural is in this subset. We begin with the proofs indZero and indSuc stating, respectively, that zero satisfies IndNat and that, for every n in the inductive subset NatI, suc n.1 satisfies IndNat. We see that |indZero| =βη |zero|, and also that |indSuc| =βη |suc| since |recNatI| =βη |recNat|. Thus, the constructors zeroI and sucI for NatI can be formed with dependent intersection introduction.

Reflection and induction.
We can now show that every term of type Nat also has type NatI, that is, every (canonical) Parigot natural is in the inductive subset. We do this by leveraging the fact that satisfaction of the reflection law is baked into the type of Parigot naturals. First, we define reflectNatI, which uses recNat to recursively rebuild a Parigot natural with the constructors zeroI and sucI of the inductive subset. Next, we observe that |reflectNatI| =βη |reflectNatU|, so we define a cast toNatI where the given proof:

(unrollNat n).2 ∶ {reflectNatU β{(unrollNat n).1} ≃ β{(unrollNat n).1}}
has a type convertible with the expected type {reflectNatI n ≃ n}. So here we are using the full power of intrCast by exhibiting a type inclusion using a function that behaves extensionally like identity but is not intensionally the identity function. The proof indNat of the induction principle for Parigot naturals follows from recNatI and the use of toNatI to convert the given n ∶ Nat to the type NatI.

Computational and extensional character
We now give a characterization of Nat. From the code listing in Figure 44, it is clear that recNat satisfies the typing law. Figure 46 shows the proofs of the computation laws (recNatBeta1 and recNatBeta2), which hold by definitional equality. By inspecting the definitions of recNat, zero, and suc, and the erasures of roll and unroll, we can confirm that the computation laws are simulated in a constant number of reduction steps under both call-by-name and call-by-value semantics. Figure 46 also includes indNatComp, which shows that the computational content underlying the induction principle is precisely the recursion scheme, and the predecessor function pred with its expected computation laws. As mentioned earlier, we must qualify that an efficient simulation of recNat does not yield an efficient solution for the predecessor function under call-by-value operational semantics. Finally, in Figure 47, we use induction to prove that for all z ∶ X and s ∶ Nat → X → X, recNat z s is the unique solution satisfying the computation laws for primitive recursion with respect to z and s. Unlike in the analogous proof for caseNat in Section 5.1.1, in the successor case we reach a subgoal where we must prove that s m (h m) is equal to s m (recNat z s m) for an arbitrary m ∶ Nat and function h ∶ Nat → X which satisfies the computation laws with respect to z and s. At that point, we use the inductive hypothesis, which is unavailable with weak induction, to conclude the proof.

Functor and Sigma
The statement of the generic primitive recursion scheme requires functors and pair types, and the induction principle additionally requires dependent pair types. As we will use this scheme to define the generic Parigot encoding, in this section we first present our formulation of functors and the functor laws, then give an axiomatic presentation of the derivation of dependent pair types with induction in Cedille.
Functors. Functors and the associated identity and composition laws for them are given in Figure 48. Analogous to monotonicity, functoriality of a type scheme F ∶ ⋆ → ⋆ means that F comes together with an operation fmap ∶ Fmap ⋅ F lifting functions S → T to functions F ⋅ S → F ⋅ T, for all types S and T. Unlike monotonicity, in working with functions we find ourselves in a proof-relevant setting, so we will require that this lifting respects identity (FmapId fmap) and composition (FmapCompose fmap).
Notice also that our definition of the identity law has an extrinsic twist: the domain and codomain of the lifted function c need not be convertible types for us to satisfy the constraint that c acts extensionally like the identity function. Phrasing the identity law in this way allows us to derive a useful lemma, monoFunctor in Figure 49, establishing that every functor is a monotone type scheme (see Figure 13 for the definition of Mono).
Figure 50 gives an axiomatic presentation of the dependent pair type Sigma (see the code repository for the full derivation). The constructor is mksigma, the first and second projections are proj1 and proj2, and the induction principle is indsigma. Below the type inference rules, we confirm that the projection functions and induction principle compute as expected over pairs formed from the constructor. In Figure 51, the type Pair is defined in terms of Sigma as the special case where the type of the second component does not depend on the first. The figure also gives the utility function fork for constructing nondependent pairs, which helps express the computation law of the primitive recursion scheme.
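As a concrete reading of these interfaces, the following Python sketch (our own rendering; fmap_natf and fork are hypothetical names) spot-checks the functor laws for a small signature functor and shows the fork utility for building nondependent pairs:

```python
# A signature functor given by its lifting operation fmap (illustrative).
# NatF X = 1 + X, rendered as None (zero case) or a value of X (successor case).
def fmap_natf(f):
    return lambda x: None if x is None else f(x)

identity = lambda x: x
compose = lambda f, g: lambda x: f(g(x))

# fork f g x pairs the two results, as used to tuple a predecessor
# with its recursively computed result in primitive recursion.
fork = lambda f, g: lambda x: (f(x), g(x))

# Sample functions for spot-checking the laws on particular inputs.
f = lambda n: n + 1
g = lambda n: n * 2
```

Of course, such spot checks only illustrate the laws on particular inputs; in Cedille, FmapId and FmapCompose are proved once and for all.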

Parigot-encoded data, generically
In this section, we derive inductive Parigot-encoded datatypes generically. The derivation is parametric in a signature functor F for the datatype, with an operation fmap ∶ Fmap ⋅ F that satisfies the functor identity and composition laws. The typing and computation laws for the generic primitive recursion scheme for a datatype D with signature F and constructor inD are given in Figure 52. From the typing rule, we see that the primitive recursion scheme allows recursive functions to be defined in terms of an F-collection of tuples containing both direct predecessors and the recursive results computed from those predecessors. This reading is affirmed by the computation law, which states that the action of recD t over values built from inD t′ (for some t′ ∶ F ⋅ D) is to apply t to the result of tupling each predecessor (accessed with fmap) with the result of recD t (here id is the polymorphic identity function). Assuming t and inD t′ are typed according to the typing law, the right-hand side of the equation has type T. With primitive recursion, we can implement the datatype destructor outD. This implementation simulates the desired computation law |outD (inD t)| =βη |t| only up to the functor identity and composition laws; with definitional equality alone, we obtain a right-hand side of fmap proj1 (fmap (fork id outD) t). Additionally, and as we saw for Parigot naturals, this is not an efficient implementation of the destructor under call-by-value operational semantics, since the predecessors of t are recursively destructed.
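The generic scheme can be sketched computationally as follows. This is an illustrative Python rendering under our own representation: values are tagged tuples, make_datatype is a hypothetical helper, and the naturals signature instantiates it.

```python
# Generic primitive recursion for a least fixed point (illustrative sketch).
# A signature functor is supplied as its fmap; values are built with in_d.
def make_datatype(fmap):
    def in_d(xs):
        return ('in', xs)

    def rec_d(t):
        def go(v):
            _, xs = v
            # tuple each predecessor p with its recursive result go(p)
            return t(fmap(lambda p: (p, go(p)))(xs))
        return go

    def out_d(v):
        # destructor via primitive recursion: keep predecessors, drop results
        return rec_d(lambda xs: fmap(lambda pr: pr[0])(xs))(v)

    return in_d, rec_d, out_d

# Instantiate with the naturals signature NatF X = 1 + X.
fmap_natf = lambda f: (lambda x: None if x is None else f(x))
in_nat, rec_nat, out_nat = make_datatype(fmap_natf)
zero = in_nat(None)
suc = lambda n: in_nat(n)
to_int = rec_nat(lambda xs: 0 if xs is None else 1 + xs[1])
two = suc(suc(zero))
```

Note that out_nat recursively traverses all predecessors under Python's call-by-value evaluation, matching the inefficiency of outD noted above.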
Using the typing and computation laws for primitive recursion to read an encoding for D, we obtain a generic supertype of canonical Parigot encodings in Figure 53. Similar to the case of the Scott encoding, we find that to give the definition of D we need some form of recursive types since D occurs in the premises of the typing law. For our derivation, we must further refine the type of D so that we only include canonical Parigot encodings (i.e., those built only from inD). We take the same approach used for Parigot naturals: Top and the Kleene trick help us express satisfaction of the reflection law for untyped terms, which is in turn used to give a refined definition of D.

Characterization criteria
We formalize in Cedille the above description of the generic primitive recursion scheme in Figures 54 and 55. Definitions for the typing law of the primitive recursion scheme are given in Figure 54: AlgRec gives the shape of the type functions used for primitive recursion, and PrimRec gives the shape of the type of the operator recD itself.
In Figure 55, we now assume that F has an operation fmap for lifting functions, and we take additional module parameters D for the datatype and inD for its constructor. We import the definitions of the modules defined in Figures 23 and 35 without specifying the type scheme module parameter, so it is given explicitly for definitions exported from these modules (e.g., Alg ⋅ F ⋅ D). AlgRecHom gives the shape of the computation law for primitive recursion with respect to a particular a ∶ AlgRec ⋅ D ⋅ X, PrimRecBeta is a predicate on candidates for the combinator for primitive recursion stating that they satisfy the computation law with respect to all such functions a, and PrimRecEta is a predicate stating that a candidate is the unique such solution up to function extensionality.  The figure also lists PrfAlgRec, a dependent version of AlgRec. Read the type PrfAlgRec ⋅ P as the type of "(F, D)-proof algebras for P." It is the type of proofs that take an F-collection of D predecessors tupled with proofs that P holds for them and produces a proof that P holds for the value constructed from these predecessors with inD. PrfAlgRec will be used in the derivations of full induction for both the generic Parigot and generic Scott encoding.
Finally, as the primitive recursion scheme can be used to simulate both the iteration and case distinction schemes, the figure lists the helper functions fromAlgCase and fromAlg. Definition fromAlgCase converts a function for use in case distinction to one for use in primitive recursion by ignoring previously computed results, and fromAlg converts a function for use in iteration by ignoring predecessors.
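In the same illustrative Python rendering used earlier (our own sketch; the generic recursor is restated inline for the naturals signature so the example is self-contained), these converters look like:

```python
# Converting case-distinction and iteration functions into primitive-recursion
# functions (illustrative Python sketch; naturals signature NatF X = 1 + X).
fmap_natf = lambda f: (lambda x: None if x is None else f(x))
in_nat = lambda xs: ('in', xs)

def rec_nat(t):
    def go(v):
        _, xs = v
        return t(fmap_natf(lambda p: (p, go(p)))(xs))
    return go

def from_alg_case(a):
    # keep predecessors, ignore recursively computed results
    return lambda xs: a(fmap_natf(lambda pr: pr[0])(xs))

def from_alg(a):
    # keep recursive results, ignore predecessors
    return lambda xs: a(fmap_natf(lambda pr: pr[1])(xs))

zero = in_nat(None)
suc = lambda n: in_nat(n)
# iteration: to_int; case distinction: is_zero
to_int = rec_nat(from_alg(lambda xs: 0 if xs is None else 1 + xs))
is_zero = rec_nat(from_alg_case(lambda xs: xs is None))
two = suc(suc(zero))
```

As in the paper, each converter introduces an extra traversal of the signature with fmap, which is the source of the efficiency caveats for the simulated schemes.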

Generic Parigot encoding
We now detail the generic derivation of inductive Parigot-encoded data. The developments of this section are parametrized by a functor F, with fmap giving the lifting of functions and fmapId and fmapCompose the proofs that this lifting respects identity and composition. The construction is separated into several phases: in Figure 56, we give the computational characterization of canonical Parigot encodings as a predicate on untyped terms, then prove that the untyped constructor preserves this predicate; in Figure 57, we define the type of Parigot encodings, its primitive recursion combinator, and its constructors; in Figure 58, we define the inductive subset of Parigot encodings and its constructor; finally, in Figure 59, we show that every Parigot encoding is already in the inductive subset and prove induction.
Figure 56 begins with reflectU, which rebuilds canonical Parigot encodings by recursively rebuilding the encoding with the constructor inU (compare to Figure 43 of Section 6.1). Predicate DC characterizes canonical Parigot encodings as those terms for which reflectU behaves extensionally like the identity function.
Even without yet having a type for Parigot-encoded data, we can still effectively reason about the behaviors of these untyped programs. This is shown in the proof of inC, which states inU xs satisfies the predicate DC if xs is an F-collection of untyped terms that satisfy DC. In the body, the expected type is convertible with the type:

{inU (fmap proj2 (fmap (fork id reflectU) xs)) ≃ inU xs}
We rewrite by the functor composition law to fuse the mapping of proj2 with that of fork id reflectU, and now the left-hand side of the resulting equation is convertible (by the computation law for proj2) with

inU (fmap reflectU xs)
Here, we can rewrite by the functor identity law using the assumption that, on the predecessors contained in xs, reflectU behaves as the identity function. Note that we use the Kleene trick, so that the proof inC is definitionally equal to the untyped constructor inU. This allows us to use dependent intersection to form the refinement needed to type only canonical Parigot encodings.
Parigot encoding D. In Figure 57, DF ′ is the type scheme whose least fixpoint is the solution to D in Figure 53, and DF is the refinement of DF ′ to those terms satisfying the reflection law. Since DF is a monotone type scheme (monoDF, proof omitted), we may define D as its fixpoint with rolling and unrolling operations rollD and unrollD. Following this is recD, the typed combinator for primitive recursion (see Figure 54 for the definition of PrimRec).
The constructor inD for D is defined in two parts. First, we define inD′ to construct a value of type DF′ ⋅ D from xs ∶ F ⋅ D, with a definition similar to the one we obtained in Figure 53. Then, with the auxiliary proof toDC that D is included into the type of untyped terms satisfying DC, we define the constructor inD for D using the rolling operation and dependent intersection introduction. The definition is accepted by virtue of definitional equalities between these typed operations and their untyped counterparts, and we can use Cedille to confirm that the typed recursion combinator and constructor are definitionally equal to the corresponding untyped operations.
Inductive Parigot encoding DI. In Figure 58, we give the definition of DI, the type for the inductive subset of Parigot-encoded data, and its constructor inDI. This definition begins by bringing PrfAlgRec into scope with an import, which is used to define the predicate IndD. For arbitrary x ∶ D, the property IndD x states that, for all P ∶ D → ⋆, to prove P x it suffices to give an (F, D)-proof algebra for P. Then, using dependent intersection, we define the inductive subset DI of Parigot encodings satisfying the predicate IndD. Definition recDI is the induction principle for terms of type D in this subset and corresponds to the definition recNatI for Parigot naturals in Figure 45. With recDI, we can obtain the desired induction scheme for D if we show that D is included into DI.
We begin the proof of this type inclusion by defining the constructor inDI for the inductive subset. This is broken into three parts. First, inDI ′ constructs a value of type D from an F-collection of DI predecessors using the inclusion of type DI into D (fromDI). Next, with indInDI ′ we prove that the values constructed from inDI ′ satisfy the inductivity predicate IndD using the functor identity and composition laws.
In the body of indInDI′, we use equational reasoning to bridge the gap between the expected type P (inDI′ xs) and the type of the expression in the final line, in which each predecessor x is tupled as mksigma x.1 (recDI a x).
The main idea is that we first use the functor composition law to fuse the two lifted operations, then observe that this results in lifting a single function of type DI → D that is definitionally equal to the identity function (by the computation law for proj1, Figure 50, and the erasure of dependent intersection projections). We then use the functor identity law, exchanging inD for inDI′ in the rewritten type (these two terms are definitionally equal). As inDI′ and indInDI′ are definitionally equal to each other (since |fork id (recD a)| =βη |λ x. mksigma x.1 (recDI a x)|), we can define the constructor inDI using the rolling operation and dependent intersection introduction.

Reflection and induction.
We can now show an inclusion of the type D into the type DI, giving us induction, by using the fact that terms of type D are canonical Parigot encodings. This is shown in Figure 59. First, we define the operation reflectDI, which recursively rebuilds Parigot-encoded data with the constructor inDI for the inductive subset, producing a value of type DI. Then, since |reflectDI| =βη |reflectU|, we can use reflectDI to witness the inclusion of D into DI, since every term x of type D is itself a proof that reflectU behaves extensionally as the identity function on x. From here, the proof indD of induction uses recDI in combination with this type inclusion.

Computational and extensional character
We now analyze the properties of our generic Parigot encoding. In particular, we wish to know the normalization guarantee for terms of type D and to confirm that recD is an efficient and unique solution to the primitive recursion scheme for D, which can in turn be used to simulate case distinction and iteration. We omit the uniqueness proofs, which make heavy use of the functor laws and rewriting (see the code repository for this paper).
Normalization guarantee. In Figure 60, normD establishes the inclusion of type D into the function type AlgRec ⋅ D ⋅ D → D. By Proposition 3, this guarantees call-by-name normalization of closed terms of type D.
Primitive recursion scheme. With the proof recDBeta, we have that our solution recD (Figure 57) satisfies the computation law by definitional equality. By inspecting the definitions of recD and inD, and the erasures of roll and unroll (Figure 17), we can confirm that the computation law is satisfied in a constant number of steps under both call-by-name and call-by-value operational semantics.
Definition recDEta establishes that this solution is unique up to function extensionality. The proof follows from induction, the functor laws, and a nonobvious use of the Kleene trick. The reflection law is usually obtained as a consequence of uniqueness, but as the generic Parigot encoding has been defined with satisfaction of this law baked in, the proof reflectD proceeds by appealing to that fact directly.
Case distinction scheme. In Figure 61, we define the candidate caseD for the operation giving case distinction for D using recD and fromAlgCase (Figure 55). This definition satisfies the computation law only up to the functor laws. With definitional equality alone, caseD a (inD xs) is joinable with a (fmap proj1 (fmap (fork id (caseD a)) xs)), meaning we have introduced another traversal over the signature with fmap. As we have seen before, under call-by-value semantics this would also cause caseD a to be needlessly computed for all predecessors. The proof of extensionality, caseDEta, follows from recDEta.
Lambek's lemma. The computation law for Lambek's lemma, lambek1D, holds only up to the functor laws and is not efficient under call-by-name semantics. The extensionality law, lambek2D, holds by induction.
Iteration. The last property we confirm is that we may use recD to give a unique solution for the typing and computation laws of the iteration scheme (Figures 22 and 23). The proposed solution is foldD, given in Figure 63. The computation law, proven with foldDBeta, holds only up to the functor laws, as there are two traversals of the signature with fmap instead of one (fromAlg, defined in Figure 55, introduces the additional traversal).

Example: Rose trees
We conclude the discussion of Parigot-encoded data by using the generic derivation to define rose trees with induction. Rose trees, also called finitely branching trees, are a datatype in which subtrees are contained within a list, meaning that nodes may have an arbitrary number of children. In Haskell, they are defined as:

data RoseTree a = Rose a [RoseTree a]
There are two motivations for this choice of example. First, while the rose tree datatype can be put into a form that reveals it is a strictly positive datatype by using containers (Abbott et al., 2003) and a nested inductive definition, we use impredicative encodings for datatypes (including lists), and so the rose tree datatype we define is not syntactically strictly positive. Second, the expected induction principle for rose trees is moderately tricky. Indeed, it is complex enough to be difficult to synthesize automatically: additional plugins (Ullrich, 2020) are required for Coq, and in the Agda standard library (The Agda Team, 2021) the induction principle can be obtained automatically by declaring rose trees as a size-indexed type (Abel, 2010).
The difficulty lies in giving users access to the inductive hypothesis for the subtrees contained within the list. To work around this, users of Coq or Agda can give a mutually inductive definition, forgoing reuse by introducing a special-purpose "list of rose trees" datatype, or prove the desired induction principle manually for the definition that uses the standard list type. In this section, we use the induction principle derived for our generic Parigot encoding to take this second approach, proving an induction principle for rose trees in the style expected of a mutual inductive definition while reusing the list datatype. The presentation of a higher-level language, based on such a generic encoding, in which this induction principle could be automatically derived is a matter for future work.
Lists. Figure 64 shows the definition of the datatype List, and the types of the list constructors (nil and cons) and induction principle (indList). These are defined using the generic derivation of inductive Parigot encodings. This derivation is brought into scope as "R", and the definitions within that module are accessed with the prefix "R.", for example, "R.D" for the datatype. Note also that code in the figure refers to List as a datatype, not List ⋅ A, since A is a parameter to the module.
For the sake of brevity, we omit the definitions of the list signature (ListF), its mapping operation (listFmap), and the proofs that this mapping satisfies the functor laws (listFmapId and listFmapCompose); see signatures/list.ced in the code repository. In the figure, these are given as module arguments to the generic derivation. We also define the primitive recursion principle recList for lists as a nondependent use of induction.
In Figure 65, we change module contexts (so we may consider lists with different element types, e.g., List ⋅ B) to define the list mapping operation listMap by recursion. We also prove with listMapId and listMapCompose that this mapping operation obeys the functor laws.
Signature TreeF. Figure 66 gives the signature TreeF for a datatype of trees whose branching factor is given by a functor F, generalizing the rose tree datatype. The proofs that the lifting operation treeFmap respects identity and composition make use of the corresponding proofs for the given F.
Rose trees. In Figure 67, we instantiate the module parameters for the signature of F-branching trees with List and listMap, then instantiate the generic derivation of inductive Parigot encodings with TreeF and treeFmap. We define the standard constructor rose for rose trees using the generic constructor R.inD and give a variant constructor rose′ which we use in the definition of the induction principle for rose trees. This variant uses treeFmap to remove the tupled proofs that an inductive hypothesis holds for subtrees, introduced in the generic induction principle. Finally, we give the induction principle for rose trees as indRoseTree in the figure. This is a mutual induction principle, with P the property one desires to show holds for all rose trees and Q the invariant maintained for collections of subtrees. We require that:
• Q holds for nil, bound as n;
• if P holds for t and Q holds for ts, then Q holds for cons t ts, bound as c; and
• P holds for rose x ts when Q holds for ts, bound as r.
In the body of indRoseTree, we use the induction principle R.indD for the generic Parigot encoding, then indsigma (Figure 50, Section 6.2), revealing x ∶ RoseTree and ts ∶ List ⋅ (Sigma ⋅ RoseTree ⋅ P). With the auxiliary function conv to convert ts to a list of rose trees, we use list induction on ts to prove that Q holds for conv ts. With this proved as pf, we conclude by using r.
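To illustrate the shape of this mutual recursion computationally, here is a hypothetical Python sketch of rose trees and a fold whose list-of-results argument plays the role of the invariant maintained for collections of subtrees:

```python
# Rose trees and a structural fold (illustrative Python sketch).
# A rose tree pairs a label with a list of subtrees.
def rose(x, ts):
    return (x, ts)

def fold_rose(r, tree):
    """Apply r to the label and the list of recursively folded subtrees.

    The list comprehension plays the role of the list-recursion step:
    it maintains the collection of results for the subtrees.
    """
    x, ts = tree
    return r(x, [fold_rose(r, t) for t in ts])

t = rose(1, [rose(2, []), rose(3, [rose(4, [])])])
total = fold_rose(lambda x, rs: x + sum(rs), t)   # sum of all labels
count = fold_rose(lambda x, rs: 1 + sum(rs), t)   # number of nodes
```

The fold gives users access to results for all subtrees in the list at once, which is exactly the access pattern the derived induction principle provides at the level of proofs.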

Lepigre-Raffalli Encoding
We now revisit the issue of programming with Scott-encoded data. Neither the case distinction scheme nor the weak induction principle we derived in Section 5 provides an obvious mechanism for recursion. In contrast, the Parigot encoding readily admits the primitive recursion scheme, as it can be viewed as a solution to that scheme. So, despite its significant space overhead, the Parigot encoding appears to have a clear advantage over the Scott encoding in total typed lambda calculi. Amazingly, in some settings this deficit of the Scott encoding is only apparent. Working in a logical framework, Parigot (1988) showed how to derive with "metareasoning" a strongly normalizing recursor for Scott naturals. More recently, Lepigre and Raffalli (2019) demonstrated a well-typed recursor for Scott naturals in a Curry-style theory featuring a sophisticated form of subtyping which utilizes "circular but well-founded" derivations. The Lepigre-Raffalli construction involves a novel impredicative encoding of datatypes, which we shall call the Lepigre-Raffalli encoding, that both supports recursion and is a supertype of the Scott encoding. In Cedille, we can similarly show an inclusion of the type of Scott encodings into the type of Lepigre-Raffalli encodings by using weak induction together with the fact that our derived recursive types are least fixpoints.
Lepigre-Raffalli recursion. We elucidate the construction of the Lepigre-Raffalli encoding by showing its relationship to the case distinction scheme. The computation laws for case distinction over natural numbers (Figure 25) do not form a recursive system of equations. However, having obtained solutions for Scott naturals and caseNat, we can introduce recursion into the computation laws by observing that for all n, |n| =βη |λ z. λ s. caseNat z s n|. Viewing the computation laws this way, we see in the suc case that t₂ is given a function which will make a recursive call on n when provided a suitable base and step case. We desire that these be the same base and step cases originally provided, that is, that these in fact be t₁ and t₂ again. To better emphasize this new interpretation, we rename caseNat to recLRNat. By congruence of βη-equivalence, the two equations above give us:

recLRNat t₁ t₂ zero ≃ t₁
recLRNat t₁ t₂ (suc n) ≃ t₂ (λ z. λ s. recLRNat z s n)

To give types to the terms involved in these equations, observe that we can use impredicative quantification to address the self-application occurring in the right-hand sides. Below, let the type T of the result we are computing be such that the type variables Z and S are fresh with respect to its free variables, and let "?" be a placeholder for a type. This gives an interpretation of t₁ as a constant function that ignores its two arguments and returns a result of type T. For t₂, "?" holds the place of the type of its first argument, λ z. λ s. recLRNat z s n. We are searching for a type that matches our intended reading that t₂ will instantiate the arguments z and s with t₁ and t₂. Now, t₂ is provided copies of t₁ and t₂ at the universally quantified types Z and S, so we make a further refinement. We can complete the type of t₂ by observing that in the system of recursive equations for the computation law, recLRNat is a function of five arguments.
Using η-expansion, we can rewrite the equation for the successor case to match this usage, where we understand that, from the perspective of t₂, instantiations of z and z′ should have the universally quantified type Z and that instantiations of s and s′ should have the universally quantified type S. We thus obtain the complete definition of the type of t₂.
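The idea can be seen operationally in a small Python sketch of Scott naturals (our own illustrative, untyped rendering): case distinction alone does not recurse, but a step function that re-applies case_nat to its argument effects the recursive call.

```python
# Scott naturals and Lepigre-Raffalli-style recursion (illustrative sketch).
# A Scott natural is its own case distinction: n(z)(s) selects a branch.
zero = lambda z: lambda s: z
suc = lambda n: lambda z: lambda s: s(n)

def case_nat(z, s, n):
    """caseNat z s n = n z s; by itself this performs no recursion."""
    return n(z)(s)

def to_int(n):
    # Recursion arises because the step function re-applies case_nat
    # to the predecessor with the same base and step cases again.
    def step(p):
        return 1 + case_nat(0, step, p)
    return case_nat(0, step, n)

def pred(n):
    """Constant-time predecessor by plain case distinction."""
    return case_nat(zero, lambda p: p, n)

three = suc(suc(suc(zero)))
```

In the typed setting, the burden is precisely to assign a type to a step function that receives such a self-applicable handle, which is what the impredicative quantification over Z and S accomplishes.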
Now we are able to construct a typing rule for our recursive combinator, shown in Figure 68. From this, we obtain the type for Lepigre-Raffalli naturals. The remainder of this section is structured as follows. In Section 7.1, we show that the type of Lepigre-Raffalli naturals is a supertype of the type of Scott naturals and derive the primitive recursion scheme for Scott naturals from the Lepigre-Raffalli recursion scheme we have just discussed. In Section 7.2, we modify the Lepigre-Raffalli encoding and derive induction for Scott naturals. Finally, in Section 7.3, we generalize this modification and derive induction for generic Scott encodings.

Primitive recursion for Scott naturals, concretely
Our derivation of primitive recursion for Scott naturals is split into three parts. In Figure 69, we define the type of Lepigre-Raffalli naturals and the combinator for Lepigre-Raffalli recursion. In Figure 70, we prove that Scott naturals are a subtype of Lepigre-Raffalli naturals, giving us Lepigre-Raffalli recursion over them. Finally, in Figure 71, we implement primitive recursion for Scott naturals using Lepigre-Raffalli recursion.
Lepigre-Raffalli naturals. In Figure 69, we give in Cedille the definition for the type of Lepigre-Raffalli encodings we previously obtained. We use a qualified import of the concrete encoding of Scott naturals (Section 5.1), so to access a definition from that development we use "S." as a prefix (not to be confused with the quantified type variable S, which appears with no period). The common shape Z → S → Z → S → X has been refactored into the type family NatRec, used in the definitions of NatS and Nat. We also give the definitions of the recursive combinator recLRNat, which we observe is definitionally equal to S.caseNat (Figure 30), and of the constructors zero and suc, whose definitions come from the computation laws we derived for recLRNat. In particular, for successor the first argument to the bound s is λ z′. λ s′. recLRNat z′ s′ n, the handle for making recursive calls on the predecessor n that awaits a suitable base and step case. Because the computation laws for recLRNat are derived from case distinction, we have that zero and suc are definitionally equal to S.zero and S.suc. Recall that in Section 5.1.1, we saw that the function which rebuilds Scott naturals with its constructors behaves extensionally as the identity function. We can leverage this fact to define rollNat, which establishes an inclusion of S.NatFI ⋅ Nat into Nat by rebuilding a term of the first type with the constructors zero and suc for Lepigre-Raffalli naturals. The proof is given not by wkIndNat, but by the even weaker pseudo-induction principle S.WkIndNatF ⋅ Nat n.1, that is, ∀ P ∶ S.NatF ⋅ Nat → ⋆. P (S.zeroF ⋅ Nat) → (Π m ∶ Nat. P (S.sucF m)) → P n.1, given by n.2. We saw in Section 5.1 that |S.zeroF| =βη |S.zero| and |S.sucF| =βη |S.suc|, so it follows that |S.zeroF| =βη |zero| and |S.sucF| =βη |suc|.
With rollNat, we have that Nat is an S.NatFI-closed type. Since S.Nat = Rec ⋅ S.NatFI is a lower bound of all such types with respect to type inclusion, using recLB (Figure 15) we have a cast from Scott naturals to Lepigre-Raffalli naturals.
Primitive recursion for Scott naturals. The last step in equipping Scott naturals with primitive recursion is to translate this scheme to Lepigre-Raffalli recursion. This is done in three parts, shown in Figure 71. One complication that must be addressed is that Lepigre-Raffalli recursion reinterprets the predecessor as a function for making recursive calls, whereas primitive recursion requires direct access to the predecessor. So that it may serve both roles, we duplicate the predecessor. This means that if T is the type of results we wish to compute with primitive recursion, then we use Lepigre-Raffalli recursion to compute a function of type S.Nat → T. If t ∶ T is the base case for primitive recursion, then recNatZ t is a constant polymorphic function that ignores its first three arguments and returns t. For the step case f ∶ S.Nat → T → T, recNatS f produces a step case for Lepigre-Raffalli recursion, introducing:
• type variables Z and S,
• r ∶ NatRec ⋅ (S.Nat → T) ⋅ Z ⋅ S, the handle for making recursive calls,
• z and s, the base and step cases at the abstracted types Z and S, and
• m ∶ S.Nat, which we intend to be a duplicate of r.
In the body of recNatS, f is given access to the predecessor m and the result recursively computed with r, where we decrement m as we pass through the recursive call. Finally, recNat gives us the primitive recursion scheme for Scott naturals by translating the base and step cases to the Lepigre-Raffalli style (and duplicating them), coercing the given Scott natural n to a Lepigre-Raffalli natural, and giving also the predecessor of n.
With recNatBeta1 and recNatBeta2, we use Cedille to confirm that the expected computation laws for the primitive recursion scheme hold by definition. To give a more complete understanding of how recNat computes, we show some intermediate steps involved for the step case for arbitrary untyped terms t 1 , t 2 , and n in Figure 72. In the figure, we omit types and erased arguments, and indeed it should be read as ordinary (full) β-reduction for untyped terms. In the last two lines of the figure, we switch the direction of reduction. Altogether, this shows that |recNat t 1 t 2 (S.suc n)| and |t 2 n (recNat t 1 t 2 n)| are joinable in a constant number of reduction steps.
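To illustrate the duplication of the predecessor, the untyped content of recNat can be sketched as follows (a hypothetical Python rendering; the helper names rz, rs, to_int, and fact are ours, not definitions from the figures):

```python
# Hypothetical Python rendering of the untyped content of recNat.
zero = lambda z: lambda s: z
suc  = lambda n: lambda z: lambda s: s(n)
pred = lambda n: n(zero)(lambda m: m)    # by case distinction; pred zero = zero

def recNat(t1, t2):
    # rz ignores the duplicated predecessor and returns the base case.
    rz = lambda m: t1
    # rs receives the predecessor twice: r as recursion handle, m as data.
    # The recursive call r(rz)(rs)(pred(m)) decrements the data copy.
    rs = lambda r: lambda m: t2(m)(r(rz)(rs)(pred(m)))
    # Lepigre-Raffalli recursion computes a function S.Nat -> T, which we
    # apply to the predecessor of n, the first data duplicate.
    return lambda n: n(rz)(rs)(pred(n))

three  = suc(suc(suc(zero)))
to_int = recNat(0, lambda m: lambda rec: 1 + rec)
fact   = recNat(1, lambda m: lambda rec: (to_int(m) + 1) * rec)
assert to_int(three) == 3 and fact(three) == 6
```

The step case here has direct access to the predecessor m (used by fact), which iteration alone cannot provide in constant time.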

Induction for Scott naturals, concretely
In this section, we describe modifications to the Lepigre-Raffalli encoding allowing us to equip Scott naturals with induction. For completeness, we show the full derivation, but as this development is similar to what preceded, we shall only highlight the differences.
In Figure 73, we begin our modification by making NatRec dependent: NatRec ⋅ P n ⋅ Z ⋅ S is the type of functions taking two arguments each of type Z and S and returning a proof that P holds for n. The next and most significant modification is to the type family NatS. We want that the handle n for invoking our inductive hypothesis will produce a proof that P holds for the predecessor -which is n itself! We can express the dual role of the predecessor as data (n) and function (λ z. λ s. recLRNat z s n) with dependent intersections, which recovers the view of the predecessor as a Scott natural. This duality is echoed in Nat, which is defined with dependent intersections as the type of Scott naturals x which, for an arbitrary predicate P, will act as a function taking two base (NatZ ⋅ P) and step (NatS ⋅ P) cases and produce a proof that P holds of x. By its definition, the type Nat of the modified Lepigre-Raffalli encoding is a subtype of Scott encodings. Using the same approach as in Section 7.1, we can show a type inclusion in the other direction. We define the constructors zero and suc, noting that the innermost intersection introduction in suc again shows the dual role of the predecessor, then show that Nat is S.NatFI closed by proving that rebuilding a term of type S.NatFI ⋅ Nat with these constructors reproduces the original term at type Nat.
Finally, we derive true induction for Scott naturals in Figure 74. Playing the same roles as recNatZ and recNatS (Figure 71), indNatZ and indNatS convert the usual base and step cases of an inductive proof into forms suitable for Lepigre-Raffalli-style induction. In particular, note that in indNatS the bound r plays the role of both predecessor (r.1) and handle for the inductive hypothesis (r.2).

Induction for Scott-encoded data, generically
In this section, we formulate a generic variant of the Lepigre-Raffalli encoding and use it to derive induction for our generic Scott encoding. To explain the generic encoding, we start by deriving a Lepigre-Raffalli recursion scheme from the observation that, for the solution caseD for the case distinction scheme given in Figure 39, |t| =βη |λ a. caseD a t| for all t. This allows us to introduce recursion into the computation law for case distinction.
Let D be the type of Scott-encoded data whose signature is F, let t ∶ AlgCase ⋅ D ⋅ T for some T, and let t′ ∶ F ⋅ D. For the sake of exposition, we will for now assume that F is a functor. Using the functor identity law, we can form the following equation from the computation law of case distinction:

|caseD t (inD t′)| =βη |t (fmap (λ x. λ a. caseD a x) t′)|

Renaming caseD to recLRD, we can read the above as a computational characterization of the generic Lepigre-Raffalli recursion scheme and use it to derive a suitable typing law. We desire that t should be a function which is able to accept itself as a second argument in order to make recursive calls on predecessors. Under this interpretation, we are able to give the following type for terms t used in generic Lepigre-Raffalli recursion to compute a value of type T:

t ∶ ∀ Y ∶ ⋆. F ⋅ (Y → Y → T) → Y → T

Compare this to Lepigre-Raffalli recursion for naturals (Figure 68).
• Quantification over Y replaces quantification over Z and S for the base and step case of naturals. Here, we intend that Y will be impredicatively instantiated with the type of t itself.
• The single handle for making a recursive call on the natural number predecessor becomes an F-collection of handles of type Y → Y → T for making recursive calls, obtained from the F-collection of D predecessors.
This leads to the typing law for recLRD listed in Figure 75. For the computation law, we desire that it be precisely the same as that for caseD, meaning that we will not need to require F to be a functor for Lepigre-Raffalli recursion (or induction) over the datatype D.
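The untyped content of the generic scheme can be sketched as follows (a hypothetical Python rendering for the list-like signature F X = 1 + A × X, with F-collections represented as None or (head, tail) pairs; in Cedille the self-application is made typeable by the impredicative quantification over Y):

```python
# Hypothetical rendering of generic case distinction and its
# Lepigre-Raffalli reading.
inD   = lambda xs: lambda a: a(xs)     # generic Scott constructor
caseD = lambda a: lambda d: d(a)

# recLRD passes the algebra to the data a second time, so that the
# algebra can receive itself (at the abstract type Y) and recurse.
recLRD = lambda t: lambda d: d(t)(t)

# Example: length.  Each predecessor xs[1] is applied to two copies of
# the handle y, yielding the recursive result (cf. the type Y -> Y -> T).
lengthAlg = lambda xs: lambda y: 0 if xs is None else 1 + xs[1](y)(y)

nil  = inD(None)
cons = lambda h: lambda t: inD((h, t))
assert recLRD(lengthAlg)(cons(7)(cons(8)(nil))) == 2
```

Note that |recLRD| differs from |caseD| only in the extra copy of the algebra, mirroring the duplication in the typing law.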
Unlike the other schemes we have considered, we are unaware of any standard criteria for characterizing Lepigre-Raffalli recursion, and the development of a categorical semantics for this scheme is beyond the scope of this paper. Instead, and under the assumption that F is a functor, we will show that from this scheme and the related induction principle we can give efficient and provably unique solutions to the iteration and primitive recursion schemes.
The derivations of this section are separated into three parts. In Figure 76, we give the type of our generic variant of the Lepigre-Raffalli encoding for a monotone signature. In Figure 77, we derive Lepigre-Raffalli induction for Scott encodings. Finally, in Figure 78, we assume the stronger condition that the datatype signature is a functor and derive a standard induction principle for Scott encodings.
Generic Lepigre-Raffalli encoding. In Figure 76, we begin by importing the generic Scott encoding, using prefix "S." to access definitions in that module. Type family DRec gives the shape of the types of handles for invoking an inductive hypothesis for a particular term x of type S.D and predicate P ∶ S.D → ⋆ (compare this to NatRec in Figure 73). Next, for all predicates P over Scott encodings S.D, PrfAlgLR ⋅ P is the type of Lepigre-Raffalli-style proof algebras for P, corresponding to NatZ ⋅ P and NatS ⋅ P together in Figure 73. A term of this type is polymorphic in a type Y (which we interpret as standing in for PrfAlgLR ⋅ P itself) and takes an F-collection xs of terms which, with the use of dependent intersection types, are each interpreted both as a predecessor and a handle for accessing the inductive hypothesis for that predecessor. The argument of type Y is the step case to be given to these handles. To state that the result should be a proof that P holds for the value constructed from these predecessors, we need a variant constructor inDRec that first casts the predecessors to the type S.D using monotonicity of F. Note that we have |inDRec| = βη |S.inD|.
Type D is our generic Lepigre-Raffalli encoding, again defined with dependent intersection as the type of Scott encodings x that also act as functions that, for all predicates P, produce a proof that P holds of x when given two Lepigre-Raffalli-style proof algebras for P. Finally, recLRD is the Lepigre-Raffalli-style induction principle restricted to those Scott encodings which have type D. To obtain true Lepigre-Raffalli induction, it remains to show that every term of type S.D has type D.

Lepigre-Raffalli induction. In Figure 77, we begin the process of demonstrating an inclusion of the type S.D into D by defining the constructor inD for the generic Lepigre-Raffalli encoding. This definition crucially uses the auxiliary function instDRec to produce the two views of a given predecessor x ∶ D: as subdata (x.1) and as a handle for the inductive hypothesis associated with that predecessor (λ a. recLRD a x) for a given predicate P; compare this to the definition of suc in Figure 73. As expected, we have that inD and S.inD (and also S.inDF) are definitionally equal.
With the constructor defined, we show with rollD that D is an S.DFI-closed type (S.DFI is defined in Figure 38) by giving a proof that rebuilding a term of type S.DFI ⋅ D with constructor inD reproduces the same term. As S.D = Rec ⋅ S.DFI is a lower bound of all such types, we thus obtain a proof toD of an inclusion of the type S.D into D using recLB ( Figure 15). With this, we have Lepigre-Raffalli-style induction as indLRD.

Standard induction for Scott encodings.
To derive the usual induction principle for Scott encodings using Lepigre-Raffalli induction, we change module contexts in Figure 78 and now assume that F is a functor (see Section 6.2 for the definitions of the functor laws). As we did for the derivation of induction for Scott naturals, our approach here is to convert a proof algebra of the form used for standard induction into one of the form used for Lepigre-Raffalli induction.
Function fromPrfAlgRec gives the conversion of proof algebras, and its body is best read bottom-up. The bound xs is an F-collection of predecessors playing dual roles as subdata and as handles for inductive hypotheses that require proof algebras at the universally quantified type Y, and the bound y ∶ Y is the "self-handle" of the Lepigre-Raffalli proof algebra we are defining, which gives us access to those inductive hypotheses. With applyDRec we separate these two roles, producing a dependent pair of type Sigma ⋅ S.D ⋅ P as expected for the usual formulation of induction.
The type of the final line of fromPrfAlgRec is P (S.inD (fmap proj1 (fmap (applyDRec y) xs))). We use the functor composition law to fuse the two mappings of proj1 and applyDRec y. Then, observing that this results in the mapping of a function that is definitionally equal to λ x. x (by the computation law of proj1, Figure 50), we use the functor identity law to remove the mapping completely. The resulting type is convertible with the expected type P (inDRec xs) (since |inDRec| =βη |S.inD|). With the conversion complete, in indD we equip Scott encodings with the standard induction principle by invoking Lepigre-Raffalli induction on two copies of the converted proof algebra.
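Spelled out, with the first step by the composition law, the second by the computation law of proj1, and the last by the identity law together with |inDRec| =βη |S.inD|, the rewriting is:

```latex
\begin{aligned}
P\;(\mathrm{S.inD}\;(\mathrm{fmap}\;\mathit{proj1}\;(\mathrm{fmap}\;(\mathit{applyDRec}\;y)\;xs)))
  \;&=\; P\;(\mathrm{S.inD}\;(\mathrm{fmap}\;(\lambda\,x.\ \mathit{proj1}\;(\mathit{applyDRec}\;y\;x))\;xs)) \\
  \;&=\; P\;(\mathrm{S.inD}\;(\mathrm{fmap}\;(\lambda\,x.\ x)\;xs)) \\
  \;&=\; P\;(\mathrm{S.inD}\;xs) \;=\; P\;(\mathrm{inDRec}\;xs)
\end{aligned}
```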

Computational and extensional character
With the standard induction principle derived for Scott encodings, we can now show that Scott-encoded datatypes enjoy the same characterization, up to propositional equality, as do Parigot-encoded datatypes. Concerning the efficiency of solutions to recursion schemes, we have already seen that Scott encodings offer a superior simulation of case distinction. We now consider primitive recursion and iteration. For the module listed in Figures 79 and 80, the generic Scott encoding is imported without qualification, and "LR." qualifies the definitions imported from the generic Lepigre-Raffalli encoding.

Primitive recursion. Figure 79 gives the solution recD for the primitive recursion scheme; its computation law holds by definitional equality for arbitrary t and t′. The extensionality law recDEta (proof omitted) follows from induction.

Iteration. While primitive recursion can be used to simulate iteration, we saw in Section 6.3.3 that this results in a definition of foldD that obeys the expected computation law only up to the functor laws. We now show in Figure 80 that with Lepigre-Raffalli recursion, we can do better and obtain a solution obeying the computation law by definitional equality alone. The first definition, lrFromAlg, converts a function of type Alg ⋅ X (used in iteration) to a function for use in Lepigre-Raffalli recursion. It maps over the F-collection of dual-role predecessors, applying each to two copies of the handle y specifying the next step of recursion. For the solution foldD for iteration, we use Lepigre-Raffalli recursion on two copies of the converted a ∶ Alg ⋅ X.
As was the case for recD, with foldD the left-hand and right-hand sides of the computation law for iteration are joinable using a constant number of full β-reductions. This means that the proof foldDBeta holds by definitional equality alone. The proof of the extensionality law, foldDEta, follows as a consequence of recDEta and a lemma that any function h ∶ D → X which satisfies the computation law for iteration with respect to some a ∶ Alg ⋅ X also satisfies the computation law for primitive recursion with respect to fromAlg a ( Figure 55).
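A sketch of the untyped content of lrFromAlg and foldD (a hypothetical Python rendering for the list-like signature F X = 1 + A × X; names follow the figures informally):

```python
# Hypothetical rendering of iteration via Lepigre-Raffalli recursion.
fmap   = lambda f: lambda xs: None if xs is None else (xs[0], f(xs[1]))
inD    = lambda xs: lambda a: a(xs)
recLRD = lambda t: lambda d: d(t)(t)

# lrFromAlg: apply each dual-role predecessor to two copies of the
# handle y, then hand the F-collection of recursive results to alg.
lrFromAlg = lambda alg: lambda xs: lambda y: alg(fmap(lambda p: p(y)(y))(xs))

# foldD: Lepigre-Raffalli recursion on the converted algebra.
def foldD(alg):
    a = lrFromAlg(alg)
    return lambda d: recLRD(a)(d)

nil  = inD(None)
cons = lambda h: lambda t: inD((h, t))
sumAlg = lambda xs: 0 if xs is None else xs[0] + xs[1]
assert foldD(sumAlg)(cons(1)(cons(2)(cons(3)(nil)))) == 6
```

Unfolding foldD on a constructor reaches the algebra in a fixed number of β-steps, which is the informal content of the claim that foldDBeta holds by definitional equality.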

Scott Encoding vs. Parigot Encoding
Satisfaction of the computation and extensionality laws of the destructor, case distinction, iteration, and primitive recursion by both the Scott and Parigot encodings establishes that both are adequate representations of inductive datatypes in Cedille. However, there are compelling reasons for preferring the Scott encoding. First, as discussed earlier, the Parigot encoding suffers from significant space overhead: Parigot naturals require space exponential in the number they represent, compared to the linear space of Scott naturals. Second, the efficiency of the destructor for Scott encodings does not depend on the choice of evaluation strategy, and the computation law for iteration is satisfied by definitional equality. Finally, not all monotone type schemes in Cedille are functors. For such a type scheme F, we cannot use F as a datatype signature for the generic Parigot encoding. However, we can use F as a signature for the generic Scott encoding, and although we cannot obtain the (generic) standard induction principle for the resulting datatype, we may still use Lepigre-Raffalli induction.
With our final example, we demonstrate that this last concern is not hypothetical: the set of monotone type schemes is a strict superset of the set of functorial type schemes. Consider a datatype of infinitely branching trees, which in Haskell would be defined as:

data ITree = Leaf | Node (Nat -> ITree)

The signature of ITree is positive. However, because the recursive occurrence of ITree in the node constructor's argument type occurs under an arrow, we cannot prove that the functor identity law as formulated in Figure 48 holds.
To see why this is the case, assume we have f ∶ Nat → S and g ∶ S → T. Lifting g over the type scheme λ X ∶ ⋆. Nat → X and applying the result to f, we obtain the expression λ x. g (f x). To prove the functor identity law, we must show that this expression is propositionally equal to f while assuming only that g behaves extensionally like the identity function on terms of type S. Since Cedille's equality is intensional, we cannot conclude from this assumption that g is itself equal to λ x. x.
In fact, in the presence of the δ axiom, we can prove that the covariant mapping for function types, and thus the mapping for the signature of infinitary trees, does not satisfy the functor laws. Recall that δ t (Figure 7) can be checked against any type if t proves an absurd equation, and that the Cedille implementation uses the Böhm-out algorithm to determine when an equation is absurd. The counterexample proceeds by picking closed instances of f and g such that g behaves extensionally as the identity function, but nonetheless f and λ x. g (f x) are Böhm-separable.
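The flavor of the counterexample can be sketched in Python (a hypothetical rendering: g rebuilds Scott naturals and so acts extensionally as the identity on them, yet a separating context distinguishes f from λ x. g (f x)):

```python
# Hypothetical rendering of the Bohm-separability argument.
zero = lambda z: lambda s: z
suc  = lambda n: lambda z: lambda s: s(n)
caseNat = lambda z: lambda s: lambda n: n(z)(s)

f = lambda x: x                        # the identity
g = lambda x: caseNat(zero)(suc)(x)    # rebuilds; extensionally the identity on naturals
mapped = lambda x: g(f(x))             # lifting g over (lam X. Nat -> X), applied to f

def to_int(n):                         # meta-level helper
    return n(0)(lambda m: 1 + to_int(m))

three = suc(suc(suc(zero)))
assert to_int(f(three)) == to_int(mapped(three)) == 3   # agree on all naturals

# A separating context: an argument that is not a natural is returned
# untouched by f, but reaches the caseNat redex inside `mapped`.
probe = lambda z: lambda s: "separated"
assert mapped(probe) == "separated" and callable(f(probe))
```

Since f and mapped are distinguished by a closed context, the corresponding lambda terms are Böhm-separable, so their propositional equality would be absurd.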
Not every monotone scheme is functorial. In Figure 81, we give an axiomatic summary of derivable sum (coproduct) types with induction in Cedille. The constructors are in1 and in2, and the induction principle indsum follows the expected computation laws. In Figure 82, we define ITreeF, the signature for infinitely branching trees, and itreeFmap, its corresponding mapping operation (here Unit is the single-element type). Following this, we prove with monoITreeF that this type scheme is monotone. The function from ITreeF ⋅ X to ITreeF ⋅ Y that realizes the type inclusion is itreeFmap (elimCast -c), and the proof that it behaves as the identity function follows by induction on Sum. Note that for the node case in particular, we know that the function we are mapping, elimCast -c, is definitionally equal to the identity function.
For the counterexample itreeFmapIdAbsurd, we consider two terms of type ITreeF ⋅ Nat: the first, t 1 , is defined using the second coproduct injection on the identity function for Nat, and the second, t 2 , is the result of mapping caseNat zero suc over t 1 . From reflectNat (Section 5.1.1), we know that caseNat zero suc behaves as the identity function on Nat. If itreeFmap satisfied the functor identity law, we would thus obtain a proof that t 1 and t 2 are propositionally equal. However, the erasures of t 1 and t 2 are closed untyped terms which are βη-inequivalent, so we use δ to derive a contradiction.
This establishes that our generic derivation of Scott-encoded data, together with Lepigre-Raffalli-style recursion and induction, allows for programming with a strictly larger set of inductive datatypes than does our generic Parigot encoding. Though the generic formulation of the standard induction principle is not derivable without assuming functoriality of the datatype signature, we observe that in some cases Lepigre-Raffalli induction can be used to give an ordinary (datatype-specific) induction principle. For example, for ITree, we can derive

indITree ◁ ∀ P ∶ ITree → ⋆. P leaf → (Π f ∶ Nat → ITree. (Π n ∶ Nat. P (f n)) → P (node f)) → Π x ∶ ITree. P x = <..>

where leaf and node are the constructors for ITree (see lepigre-raffalli/examples/itree.ced in the code repository).

Related Work
Monotone inductive types. Matthes (2002) employs Tarski's fixpoint theorem to motivate the construction of a typed lambda calculus with monotone recursive types. The gap between this order-theoretic result and type theory is bridged using category theory, with evidence that a type scheme is monotonic corresponding to the morphism-mapping rule of a functor. Matthes shows that as long as the reduction rule eliminating an unroll of a roll incorporates the monotonicity witness in a certain way, strong normalization of System F is preserved by extension with monotone iso-recursive types. Otherwise, he shows a counterexample to normalization.
In contrast, we establish that type inclusions (zero-cost casts) induce a preorder within the type theory of Cedille and carry out a modification of Tarski's order-theoretic result directly within it. Evidence of monotonicity is given by an operation lifting type inclusions, not arbitrary functions, over a type scheme. As mentioned in the introduction, deriving monotone recursive types within the type theory of Cedille has the benefit of guaranteeing that they enjoy precisely the same metatheoretic properties as Cedille itself; no additional work is required.

Impredicative encodings and datatype recursion schemes. Our use of casts in deriving recursive types guarantees that the rolling and unrolling operations take constant time, permitting the definition of efficient data accessors for inductive datatypes defined with them. However, when using recursive types to encode datatypes, one usually desires efficient solutions to datatype recursion schemes, and the derivation in Section 3.4 does not on its own provide this.
Independently, Mendler (1991) and Geuvers (1992) developed the category-theoretic notion of recursive F-algebras to give the semantics of the primitive recursion scheme for inductive datatypes, and Geuvers (1992) and Matthes (2002) use this notion in extending a typed lambda calculus with typing and computation laws for the primitive recursion scheme for datatypes. The process of using a particular recursion scheme to directly obtain an impredicative encoding is folklore knowledge (cf. Abel et al., 2005, Section 3.6). Geuvers (2014) used this process to examine the close connection between the (co)case distinction scheme and the Scott encoding, and the primitive (co)recursion scheme and the Parigot encoding, for (co)inductive types in a theory with primitive positive recursive types. Using derived monotone recursive types in Cedille, we follow the same approach but for encodings of datatypes with induction principles. This allows us to establish within Cedille that the solution to the primitive recursion scheme is unique (i.e., that we obtain initial recursive F-algebras).
Recursor for Scott-encoded data. The nondependent impredicative encoding we used to equip Scott naturals with primitive recursion in Section 7.1 is based on a result by Lepigre and Raffalli (2019). We thus dub it the Lepigre-Raffalli encoding, though they report that the encoding is in fact due to Parigot. In earlier work, Parigot (1988) demonstrated the lambda term that realizes the primitive recursion scheme for Scott naturals, but the typing of this term involved reasoning outside the logical framework being used. The type system in which Lepigre and Raffalli (2019) carry out this construction has built-in notions of least and greatest type fixpoints and a sophisticated form of subtyping that utilizes ordinals and well-founded circular typing derivations based on cyclic proof theory (Santocanale, 2002). Roughly, the correspondence between their type system and Cedille's is as follows: both theories are Curry-style, enabling a rich subtyping relation, which in Cedille is internalized as Cast; and in defining the recursor for Scott naturals, we replace the cyclic subtyping derivation with an internally realized proof of the fact that our derived recursive types are least fixpoints of type schemes.
Our twofold generalization of the Lepigre-Raffalli encoding (making it both generic and dependent) is novel. To the best of our knowledge, the observation that the Lepigre-Raffalli-style recursion scheme associated with this encoding can be understood as introducing recursion into the computation laws for the case distinction scheme is also novel. This characterization informs both our minor modification to the encoding in Section 7.1 for natural numbers (we quantify over types for both base and step cases of recursion, instead of quantifying over only the latter as done by Lepigre and Raffalli (2019)) and the generic formulation. Presently, this connection between Lepigre-Raffalli recursion and case distinction serves a mostly pedagogical role; we leave as future work the task of providing a more semantic (e.g., category-theoretic) account of Lepigre-Raffalli recursion.
Lambda encodings in Cedille. Work prior to ours describes the generic derivation of induction for lambda-encoded data in Cedille. This was first accomplished by  for the Church and Mendler encodings, which do not require recursive types as derived in this paper. The approach used for the Mendler encoding was then further refined by  to enable efficient data accessors, resulting in the first-ever example of a lambda encoding in type theory with derivable induction, constant-time destructor, and whose representation requires only linear space. To the best of our knowledge, this paper establishes that the Scott encoding is the second-ever example of a lambda encoding enjoying these same properties.  and  also provide a computational characterization for their encodings, limited to Lambek's lemma and the computation law for Mendler-style iteration. For the Parigot and Scott encodings we have presented, we have shown Lambek's lemma and both the computation and extensionality laws for the case distinction, iteration, and primitive recursion schemes.

Conclusion and Future Work
We have shown how to derive monotone recursive types with constant-time roll and unroll operations within the type theory of Cedille by applying Tarski's least fixpoint theorem to a preorder on types induced by an internalized notion of type inclusion. By deriving recursive types within a theory, rather than extending it, we do not need to rework existing meta-theoretic results to ensure logical consistency or provide a normalization guarantee. As applications, we used the derived monotone recursive types to derive two recursive representations of data in lambda calculus, the Parigot and Scott encoding, generically in a signature F. For both encodings, we derived induction and gave a thorough characterization of the solutions they admit for case distinction, iteration, and primitive recursion. In particular, we showed that with the Scott encoding, all three of these schemes can be efficiently simulated. This derivation, which builds on a result described by Lepigre and Raffalli (2019), crucially uses the fact that recursive types in Cedille provide least fixpoints of type schemes.
In the authors' opinion, we have demonstrated that lambda encodings in Cedille provide an adequate basis for programming with inductive datatypes. Building from this basis to a convenient surface language requires the generation of monotonicity witnesses from datatype declarations. Our experience coding such proofs in Cedille leads us to believe they can be readily mechanized for a large class of positive datatypes, including infinitary trees and the usual formulation of rose trees. However, more care is needed for checking monotonicity of nested datatypes (Abel et al., 2005; Bird and Meertens, 1998).
Finally, we believe our developments have raised two interesting questions for future investigation. The first of these is the development of a categorical semantics for Lepigre-Raffalli recursion, which would complete the characterization of Scott-encoded datatypes whose signatures are positive but nonfunctorial. Second, in the derivation of primitive recursion for Scott encodings, leastness of the fixpoint formed from our derived recursive type operator plays a similar role to the cyclic subtyping rules of Lepigre and Raffalli (2019). If this correspondence generalizes, some subset of their type system might be translatable to Cedille, opening the way to a surface language with a rich notion of subtyping in the presence of recursive types that is based on internalized type inclusions.