1. Introduction
Due to their numerous advantages, formal proofs and proof assistants, such as Coq, are becoming increasingly popular. However, one disadvantage of using proof assistants is that the resulting proofs can sometimes be hard to read and understand, particularly for lessexperienced users. In an attempt to address this issue, Coscoy et al. (Coscoy et al., 1995) developed in 1995 an algorithm capable of generating natural language proofs from Coq proofterms (i.e., calculus of inductive construction terms) and implemented their approach in two development environments: CtCoq (et al., 1997; Bertot, 1999) and its successor Pcoq (et al., 2003; Amerkad et al., 2001). Unfortunately, these development environments are no longer available or maintained; Pcoq’s last version dates from 2003 and requires Coq 7.4.
In order to bring this useful feature to modern development environments, we have implemented our own rewriting algorithm: Coqatoo.
2. Overview of Coqatoo
Much like Nuprl’s text generation algorithm
(HollandMinkley et al., 1999), Coqatoo generates natural language proofs from highlevel proof scripts instead of the lowlevel proofterms used by Coscoy et al. By doing so, we can avoid the verbosity that comes from using lowlevel proofterms (Coscoy, 1996) and avoid losing valuable information such as the tactics that are used, the user’s comments and the variable names.Coqatoo’s rewriting algorithm can be decomposed in three steps: information extraction, proof tree construction and tacticbased rewriting.
Step 1: Information extraction
Using an instance of the coqtop process and the proof script given as input, Coqatoo executes the tactics one by one and captures the intermediary proof states.
For example, Listing 1 represents the initial state of Listing 3’s proof and Listing 2 represents the state after executing the first intros tactic.
These intermediary states, which contain the current assumptions and remaining goals, allow us to identify the changes caused by a tactic’s execution (e.g., added/removed variables, hypotheses or subgoals).
Step 2: Proof tree construction
We then build a tree representating the proof’s structure (e.g., Figure 1). This is a necessary step for our rewriting algorithm as it allows it to determine where bullets should be inserted and when lines should be indented.
Step 3: Tacticbased rewriting
Finally, we generate the actual final natural language version of the proof using simple rewriting rules. Each supported tactic has its own set of rules. For example, for the intros tactic we first determine the types of the objects that are introduced. If they are variables, then we produce a sentence of the form "Assume that ... are arbitrary objects of type ...". If they are hypotheses, then we instead produce a sentence of the form "Suppose that ... are true". Finally, we insert a sentence indicating what is left to prove: "Let us show that ...".
Note that the sentences that we use to produce natural language versions are kept in files that are separate from the code. This allows Coqatoo to support multiple languages and proof styles. For the moment, it can output proofs in English or French, in plain text or in annotation mode (see Listing
4 for example). In annotation mode, each tactic is accompanied with an informal explanation. We believe that this format will be particularly useful for new Coq users.2.1. Example
2.2. Comparison
Compared to Coscoy et al., our approach presents a few disadvantages and advantages.
Disadvantages

It only works on proofs whose tactics are supported (see Section 3), while the approach of Coscoy et al. worked on any proof.

It may require additional verifications to ensure that unecessary information (e.g., an assertion which isn’t used) is not included in the generated proof.
Advantages

It enables us to more easily control the size and verbosity of the generated proof (one or two sentences per tactic by default).

It maintains the order and structure of the user’s original proof script; this is not necessarily the case in Coscoy et al.
3. Future Work
Coqatoo is only a proofofconcept for the moment. As such, there remains much to be done before it can be of real use.
Increase the number of supported tactics
The number of tactics that it supports is limited to only a handful (see Coqatoo’s GitHub repository (Bedford, 2017) for more details). We expect that, with the help of the community, we will be able to support enough tactics to generate natural language versions of most proofs in Software Foundations (Pierce et al., 2010).
Add partial support for automation
In regards to automation, Coqatoo only supports the auto tactic: if the auto tactic is present within the script, it is replaced with info_auto in order to obtain the sequence of tactics that is used by auto. We plan on adding partial support for automation in the future, starting with the chaining operator ";". To support this operator we will use our tree representation of proofs to "distribute" tactics on branches.
Integration with development environments
Once it is sufficiently developed, we plan on integrating our utility in modern Coq development environments such as CoqIDE and ProofGeneral.
Add a LaTeX output mode
We plan on adding a LaTeX output mode so that the generated proofs can be easily inserted into LaTeX documents.
Acknowledgements.
We would like to thank Josée Desharnais, Nadia Tawbi, Souad El Hatib and the reviewers for their comments. We would also like to thank the Coq community for the large number of resources and tutorials that are available online.References
 (1)
 Amerkad et al. (2001) Ahmed Amerkad, Yves Bertot, Loïc Pottier, and Laurence Rideau. 2001. Mathematics and proof presentation in Pcoq. Ph.D. Dissertation. INRIA.
 Bedford (2017) Andrew Bedford. 2017. Coqatoo’s Repository. https://github.com/andrewbedford/coqatoo. (2017).
 Bertot (1999) Yves Bertot. 1999. The CtCoq system: Design and architecture. Formal aspects of Computing 11, 3 (1999), 225–243.
 Coscoy (1996) Yann Coscoy. 1996. A Natural Language Explanation for Formal Proofs. In Logical Aspects of Computational Linguistics, First International Conference, LACL ’96, Nancy, France, September 2325, 1996, Selected Papers. 149–167. https://doi.org/10.1007/BFb0052156
 Coscoy et al. (1995) Yann Coscoy, Gilles Kahn, and Laurent Théry. 1995. Extracting Text from Proofs. In Typed Lambda Calculi and Applications, Second International Conference on Typed Lambda Calculi and Applications, TLCA ’95, Edinburgh, UK, April 1012, 1995, Proceedings. 109–123. https://doi.org/10.1007/BFb0014048
 et al. (1997) Yves Bertot et al. 1997. CtCoq. https://wwwsop.inria.fr/croap/ctcoq/ctcoqeng.html. (1997).
 et al. (2003) Yves Bertot et al. 2003. Pcoq. http://wwwsop.inria.fr/lemme/pcoq/. (2003).

HollandMinkley et al. (1999)
Amanda M. HollandMinkley,
Regina Barzilay, and Robert L.
Constable. 1999.
Verbalization of HighLevel Formal Proofs. In
Proceedings of the Sixteenth National Conference on Artificial Intelligence and Eleventh Conference on Innovative Applications of Artificial Intelligence, July 1822, 1999, Orlando, Florida, USA.
277–284. http://www.aaai.org/Library/AAAI/1999/aaai99041.php  Pierce et al. (2010) Benjamin C Pierce, Chris Casinghino, Marco Gaboardi, Michael Greenberg, Cătălin Hriţcu, Vilhelm Sjöberg, and Brent Yorgey. 2010. Software foundations. http://www.cis.upenn.edu/bcpierce/sf/current/index.html.