Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Combining Higher-Order Logic with Set Theory Formalizations

Combining Higher-Order Logic with Set Theory Formalizations The Isabelle Higher-order Tarski–Grothendieck object logic includes in its foundations both higher-order logic and set theory, which allows importing the libraries of Isabelle/HOL and Isabelle/Mizar. The two libraries, however, define all the basic concepts independently, which means that the results in the two are disconnected. In this paper, we align significant parts of these two libraries, by defining isomorphisms between their concepts, including the real numbers and algebraic structures. The isomorphisms allow us to transport theorems between the foundations and use the results from the libraries simultaneously. Keywords Higher-order logic · Set theory · Transport 1 Introduction Among the various foundations for formal proofs, set theory on top of higher-order logic has been tried a number of times in systems such as HOLZF [42], ProofPeer [43], Egal [10], and Isabelle/Mizar [28]. This foundation is attractive for formalization, as it offers a natural mathematical foundation combined with the automation present in HOL. The formal proof libraries of Isabelle/HOL [55] and that of Mizar [4, 16] are among the largest proof libraries in existence today. Indeed, the HOL library together with the Archive of Formal Proofs consist of more than 100,000 theorems [6], while the Mizar Mathematical Library (MML) contains 59,000 theorems. Furthermore, the results contained in the libraries are incomparable: Almost all of the Mizar library concerns itself with mathematics, while the majority of the Isabelle/AFP library are results closer to computer science [6]. For example, the Mizar library includes results about lattice theory [9], topology, and manifolds [46] not present in the Isabelle library, while the Isabelle library has many results related to algorithms not in the MML [13, 36, 37]. Cezary Kaliszyk cezary.kaliszyk@uibk.ac.at Karol Pak ˛ pakkarol@uwb.edu.pl Department of Computer Science, University of Innsbruck, Innsbruck, Austria INDRC, International Neurodegenerative Disorders Research Center, Prague, Czech Republic Institute of Computer Science, University of Białystok, Białystok, Poland 0123456789().: V,-vol 123 20 Page 2 of 23 C. Kaliszyk, K. Pąk In our previous work [7], we have presented a model of higher-order Tarski–Grothendieck, which justifies the use of higher-order logic formalizations with set theory-based ones simul- taneously. This model will allow us to combine the results present in these two major Isabelle libraries. We will specify isomorphisms between various basic types present in the libraries, such as functions and lists, leading to isomorphisms between various number structures including the real numbers, and algebraic structures. The last requires mappings between extensible soft record types and Isabelle type classes [24]. We will use the isomorphisms to transport proved theorem including the theorems of Lagrange, Bertrand, cases of Fermat’s last theorem and the Intermediate Value Theorem. We will also merge the formalizations of groups and rings in the two libraries. This paper is an extended version of our paper presented at ITP 2019 [7]. In particular the new content presented is as follows: – we specify the alignments between many more complex types in the two proof libraries including the rationals and the real numbers; – we transfer more advanced theorems between the two foundations, including the inter- mediate value theorem in the merged HOL-Set theory library, together with a large set of theorems that connect Dedekind cuts with Cauchy sequences; and – we complete the model of higher-order Tarski–Grothendieck presented in our previous work [7], by justifying that the Grothendieck-style axioms are equivalent to the Tarski style (for example used in the Mizar Mathematical Library), formalizing the relationship between them in Isabelle. The rest of the paper is structured as follows. In Sect. 2, we introduce the Isabelle HOTG foundations, which will be the basis for all the work, we describe the various axiomatizations of higher-order Tarski–Grothendieck (HOTG) and prove some of them to be equivalent. The basics of the aligned libraries are presented in Sect. 3. The subsequent Sects. 4 and 5, 6 discuss our isomorphisms between the different types concerning functions, numbers, and algebra respectively. Section 7 shows practical examples of theorems we can move using the isomorphisms. Section 8 discusses the Tarski–Grothendieck equivalence proofs. Finally, Sect. 9 discusses the related work on combining foundations and Sect. 10 presents the existing automated transfer methods in higher-order logic and discusses the limitations of the current work in this respect. 2 Isabelle and Isabelle/Mizar The Isabelle logical framework’s meta-logic Pure is a variant of simple type theory with shallow polymorphism. The framework provides functionality that makes it convenient to define object logics, namely allowing easily defining their types, objects, and inference rules as well as their notations. Isabelle/HOL is today the most developed Isabelle object logic. Further Isabelle object logics [48] include constructive type theory or untyped set theory [49]. As Isabelle/HOL is relatively well known and documented, we assume that the reader is familiar with the HOL foundations, Isabelle’s basic commands (such as definition and theorem) and the basic Isabelle objects (numbers and lists). For details, we refer the reader to the Isabelle Manual [54]. The details of Isabelle/Mizar’s design and implementation have been presented previously [28], therefore, we present only the main commands needed for understanding the current paper. Isabelle/Mizar can be loaded on top of Isabelle/FOL or Isabelle/HOL. It re-uses the type of propositions of the underlying basic logic (o of FOL or bool of HOL) and its basic 123 Combining Higher-Order Logic... Page 3 of 23 20 propositional connectives (negation, conjunction, disjunction, implication), as well as the polymorphic equality present there. However, as the intention of Isabelle/Mizar is to provide a sofly-typed set theory, the universal and existential quantifiers are actually bounded quan- tifiers that for each quantified object require the type over which it ranges (e.g., ∀xbeing Nat. …). These propositional and predicate quantifiers together with quality are sufficient for representing firest-order logic with quality and to represent Jask ´ owski [26] style natural deduction proofs present in Mizar. To introduce the soft type system, a meta logic type of soft-types ty is declared together with the an infix operator is that corresponds to the element satisfying the predicate associated with a type. Types can be combined with an intersection operator (e.g., xiseven | number) and can be negated (e.g., y is non-negative) with natural semantics to these operations. The meta-logic abstractions can be used to parametrize the types by other types or even by terms (e.g., A is m,n-matrix corresponds to m-by-n matrices). To improve automation, the user can prove properties of types, including inhabited and sethood. The first one is useful for eliminating quantifiers, whereas the latter is useful for forming compregension operators. Finally, a choice operator (denoted the on the level of types allows for getting a term of a given type). For example, given the type of sets, that is intersected with empty, it is possible to define the empty set as the empty | set. The Isabelle/Mizar object logic subsequently introduces the axioms of set theory, specif- ically, the Tarski–Grothendieck axioms. In particular, the Fraenkel axiom is sufficient to construct set comprehensions written as {F(x)where x be Element-of X: P(x)} (called Fraenkel terms)for agiven set X, function F and predicate P. In the Mizar language, it is not always possible to define such a functor for arbitrary X, F, P, to avoid inconsistency (variants of Russell’s paradox), however, with the help of sethood safe comprehension terms can be interpreted. In Isabelle/Mizar the semantics of comprehension are defined with sethood as a precondition, which means that the property is only valid for terms for which sethood has been proved. This completes the axiomatic part of the object logic, and subsequent parts are introduced as definitional extensions. In particular, the possibility for users to define all kinds types and objects, as well as syntax that allows an easier interaction with softly-typed set theory will be added in this way. Isabelle/Mizar allows four kinds of user-level definitions corresponding to the same four kinds of user-level definitions in Mizar [16]. Defining predicates is not different from the usual Isabelle definitions. We present the definition of a set theoretic functor by the example of the set theoretic union of two sets : mdef xboole-0-def-3 (infixl ∪ 65) where mlet X be set, Y be set func X ∪ Y → set means λit. ∀ x. xinit ←→ xinX ∨ xinY The mdef command starts with the handle used to refer to the definition, followed by an optional notation (union denoted by infix ∪), a typing environment in which the definition is made (mlet) and then the actual defined operator is given after the keyword func. The return type is given after the keyword →. A definition by means is supposed to correspond to a concept where the it has the desired property. The user needs to show the existence and the uniqueness as proof obligations. When the user completes these proofs, the Isabelle/Mizar The Isabelle definitions and lemmas that directly correspond to the definitions and lemmas in the Mizar Mathematical Library have been names with the same identifiers in order to ease comparison. For example the Isabelle/Mizar definition xboole-0-def-3 directly corresponds to the MML definition XBOOLE_0:def_3 (colon is not allowed in Isabelle labels). 123 20 Page 4 of 23 C. Kaliszyk, K. Pąk definition package introduces the identifier together with the theorems corresponding to the property of the object and its type for further use. Functors can also be defined by equals where the term is given directly in a given environment and with a given return type of the defined term. There, the obligation is to show that the result has the return type. Type definitions are similar. In order to make type inference and checking automatable, types are divided into modes (more primitive types that are known to be inhabited) and attributes (the types that are used to restrict other types with intersection). Consider for example the definition of the type of a finite sequences over the type D (which are the set-theoretic equivalents of polymorphic lists used are often used in formal proofs): mdef finseq-1-def-4 (FinSequence−of -) where mlet D be object mode FinSequence−of D → FinSequence means (λit. rng it ⊆ D) Again mlet introduces an environment (these are preconditions for the definitional the- orems but can be used in the proofs) and the definition can describe the desired properties that all objects of the defined type must have. After the proof obligation (non-emptiness) is proved, definitional theorems are derived and given to the user. The already mentioned attributes are also similar. They restrict a given type to a subtype. An example type intro- duced with the help of an attribute is the type of relations. First, the attribute Relation_like is introduced, which can be later used to define the type of relations as just an abbreviation, as follows. mdef relat-1-def-1 (Relation-like) where attr Relation-like for set means (λit. ∀ x. xinit −→ (∃ y, z. x = [y, z])) .. This approach allows for all definitions and operations defined for a Relation to also imme- diately be available for a Function, which is defined as a type restriction using the attribute Function_like. The type FinSequence is similarly defined by the attribute FinSequence_like as follows: mdef funct-1-def-1 (Function-like) where attr Function-like for set means (λit. ∀ x,y1,y2 being object. [x,y1] in it ∧[x,y2] in it −→ y1 = y2) .. mdef finseq-1-def-2 (FinSequence−like) where attr FinSequence−like for Relation means (λit. ∃ n be Element−of NAT . dom it = Seg n) .. abbreviation Relation ≡ Relation-like | set abbreviation Function ≡ Function-like | Relation abbreviation FinSequence ≡ FinSequence−like | Function Finally, Isabelle/Mizar introduces the mtheorem command, that is similar to the standard theorem command, but additionally allows the introduction of soft-type assumptions with the mlet keyword and hiding these from the user as long as the automated type inference can handle these. Additionally to imitate the Mizar automation the mby proof method has been included, that combines type inference with Isabelle’s auto proof method. Parallel to the system development, the Mizar community puts a significant effort into building the Mizar Mathematical Library (MML) [4]. Parts of the MML library (including 123 Combining Higher-Order Logic... Page 5 of 23 20 numbers or parts of algebra) have been translated to Isabelle/Mizar [29] and are being used in the current paper. 3 Proof Integration The Isabelle higher-order Tarski–Grothendieck foundations allow the import of results proved in higher-order logic and in set theory. This is possible both theoretically (we have previously presented a model that supports the combined foundation [7] and discussed its adequacy more in Sect. 8) and practically, that is the Isabelle logical framework allows us to import various results from the two libraries of Isabelle/HOL and Isabelle/Mizar in the same environment. Note, however, that the imported developments are initially disconnected. In this and the next sections, we will define transfer methods between these results. These will allow us to use theorems proved in one of the foundations using the term language of the other. All the definitions and theorems presented in these sections have been formalized in Isabelle and will be presented close to the Isabelle notation. The Isabelle environment will import both Isabelle/HOL [41] and Isabelle/Mizar [28] object logics along with a number of results formalized in the standard libraries of the two. Isabelle distinguishes between meta- level implication ( ⇒) and object-level implication (−→) and our notation in examples below reflects this distinction. The remaining notations will follow first-order conventions. In particular, the symbols = and = will refer to the HOL and set-theoretic equality H S operations respectively. Then, be is the Mizar infix operator for specifying the type of a set in the Mizar intersection type system [31]. In order to transfer results between the foundations, we will first define bijections between types that are isomorphic. We will next show that these bijections preserve various constants and operators. This will allow us to transfer results using higher-order rewriting, in the style of quotient packages for HOL [23, 34] and the Isabelle transfer package [21]. Note, that we are not able to use these packages directly. We discuss this in Sect. 10. In the Mizar set theory there are often two ways to express domains of objects. It is already the case for the natural numbers, where it is common to reason both about the type of the natural numbers and the members of the set of natural numbers. This is necessary since the arguments of all operations must be sets, while the reasoning engine allows more advanced reasoning steps for types [4]. We, therefore, define two operators, one that specifies a bijection between a HOL type and a set-theoretic set and one that specified a bijection between a HOL type and a set-theoretic type. The definitions are analogous and we show only the former one here. We will define an isomorphism between a type σ and a set d ∈  to be a pair ( f , g) of functions (at the type theory level) where f maps sets to objects of type σ and g maps objects of type σ to sets in such a way that objects of type σ (in the type theory) correspond uniquely to elements of d (in the set theory). Definition 3.1 Let σ be a type, d ∈  be a set and s2h ∈  and h2s ∈  be ι ι⇒σ σ ⇒ι functions. The predicate beIso h2s, s2h, d holds whenever all of the following hold: – ∀x : σ.s2h(h2s(x )) = x, – ∀x : ι.x ∈ d −→ h2s(s2h(x )) = x, – ∀x : σ.h2s(x ) ∈ d. In Isabelle the definition appears as follows: definition beIsoS(h2s,s2h,d) ←→ ((∀ y. s2h(h2s(y)) = y) ∧ L H (∀ x:Element−of d. h2s(s2h(x)) = x)∧ (∀ y. h2s(y) in d)) 123 20 Page 6 of 23 C. Kaliszyk, K. Pąk The existence of a bijection does not immediately imply the inhabitation of the type/set. However, as types need to be non-empty in both formalisms, we can derive this result as below. For space reasons we only present the statements, all the theorems are proved in our formalization. theorem beIsoS-d: beIsoS(h2s,s2h,d) ⇒ d is non empty 4 Integrating Basic Infrastructure: Functions and Lists We will denote the morphisms from set theory to HOL with the prefix s2h and the inverse ones with the prefix h2s. We will initially give the complete types for readability, omitting them later, where the types are clear. The first type, for which we build an isomorphism, is the type of functions. In order to transfer a function of the type α → β between set theory and HOL, we will require isomorphisms for the types α and for the type β. In order to transfer a set-theoretic function (set of pairs) to HOL, given transfer functions on the range, on the domain, and the function itself, we return the lambda expression, that given a HOL input to the function, transfers it, applies the function to it and transfers it back. The formal definition is as follows. definition s2hf :: (Set ⇒ b) ⇒ (a ⇒ Set) ⇒ Set ⇒ (a ⇒ b)(s2h (-,-,-)) where s2h (s2hr,h2sd,f ) = (λx. s2hr(f .(h2sd(x)))) Similarly, to build a set-theoretic function (set of pairs) given a HOL function and the transfer operations, and the domain, we directly build this set: definition h2sf :: (Set ⇒ a) ⇒ (b ⇒ Set) ⇒ Set ⇒ (a ⇒ b) ⇒ Set (h2s (-,-,-,-)) where h2s (s2hd,h2sr,d,f ) = the set−of −all [x,h2sr(f (s2hd(x)))] where x be Element−of d f S We are then able to directly show that these two functions are inverses of each other on their domains. We also show the existence of an isomorphism, and show that this isomorphism preserves the function application operation: theorem beIsoT-Function: assumes beIsoS(h2sd,s2hd,d) beIsoS(h2sr,s2hr,r) shows beIsoT (λf . h2s (s2hd,h2sr,d,f ),λf . s2h (s2hr,h2sd,f ),Function−of d,r) f f theorem HtoSappl: assumes beIsoS(h2sd,s2hd,d) and beIsoS(h2sr,s2hr,r) shows h2s (s2hd,h2sr,d,f ).h2sd(x) = h2sr(f (x)) Isabelle/HOL lists are realized as a polymorphic algebraic datatype, corresponding to functional programming language lists. MML lists (called finite sequences, FinSequence) are functions from an initial segment of the natural numbers. Higher-order lists behave like stacks, with access to the top of the stack, whereas for the set-theoretic ones the natural operations are the restriction or extension of the domain. To build a bijection between these types, we note that the Cons operator corresponds to the concatenation of a singleton list and the second argument. Since the list type is polymorphic (in the shallow polymorphism sense used in HOL), in order to build this bijection, we also need to map the actual elements of the list. Therefore the bijection on lists will be parametric on a bijection on elements: fun h2sfs :: (a ⇒ Set) ⇒ aList.list ⇒ Set (h2s (-,-))where h2s (h2s, Nil) = <∗> L S | h2s (h2s, Cons(h, t)) = ((<∗h2s(h)∗>) ˆM (h2s (h2s, t))) L S L 123 Combining Higher-Order Logic... Page 7 of 23 20 Where <∗> and ˆM represent the Mizar empty sequence and the concatenation of sequences respectively. The converse operation needs to decompose a sequence into its first element x.1 and the remainder of the sequence shifted by one /ˆM1 . We define this operation S S in Isabelle/Mizar and complete the definition. Isabelle will again require us to show the termination of the function, which can be done by induction on the length of the list/sequence: function s2hl :: (Set ⇒ a) ⇒ Set ⇒aList.list (s2h (-,-)) where ¬ x be FinSequence ⇒ s2h (s2h,x) = undefined L H | s2h (s2h,<∗>) = Nil L H | x be FinSequence ⇒ x = <∗> ⇒ s2h (s2h,x) = Cons (s2h(x.1 ),s2h (s2h,x/ˆM1 )) L H S L S For the transformation introduced above, we can show that if we have a good homomor- phism between the elements of the lists, then lists over this type are homomorphic with finite sequences. We can again show that this homomorphism preserves various basic operations, such as concatenation, the selection of n-th element, length, etc. theorem s2hL-Prop: assumes p be FinSequence and q be FinSequence and nbeNat and ninlen p shows length(s2h (s2h,p)) = s2h (len p) L IN s2h (s2h,pˆMq) = s2h (s2h,p) @ s2h (s2h,q) L H L L s2h (s2h,p) ! s2h (n) = s2h(p.(succ n)) L IN H Note, that the sequences in the Mizar library, FinSequence, are indexed starting at 1, whereas Isabelle/HOL’s nth starts from 0, which justifies the usage of a shift (succ n). Fur- thermore, since Mizar Mathematical Library uses natural numbers in the Peano sense, the expression ninlen p actually means n < len p. To actually use these in order to move the- orems between the libraries we show how the morphisms interact with the operations. For example, for reverse these are: theorem rev-Rev: assumes p be FinSequence shows rev(s2h (s2h,p)) = s2h (s2h,Rev p) L H L theorem Rev-rev: Rev(h2s (h2s,p)) = h2s (h2s,rev(p)) L L Moving a polymorphic statement from the Isabelle/HOL library to Isabelle/Mizar requires an additional assumption about the existence of an isomorphism on the parametrized type. The usual statement about the length of a reversed list, therefore becomes (of course this simple statement is already available in the Isabelle/Mizar library, and can be used by referring to finseq_5_def_3, but its simplicity is good to demonstrate moving polymorphic statements): theorem assumes p be FinSequence−of d and beIsoS(h2s,s2h,d) shows len Rev p = len p using Rev-rev[of h2s s2h (s2h, p)] len-length[of h2s s2h (s2h, p)] len-length[of h2s rev(s2h (s2h, p))] by (simp only: length-rev FLF-prop[OF assms]) 123 20 Page 8 of 23 C. Kaliszyk, K. Pąk We also show the proof here. It is still straightforward, just like the other proofs of the moved statements given the morphisms, but with polymorphism it no longer follows by higher-order rewriting. 5Numbers The way numbers are constructed in set-theory based libraries is very different from the majority of the libraries based on HOL or type-theory. In particular, in Isabelle/Mizar sub- sequently defined number types are extended (in the sense of set-theoretic subset) by new elements. This is as opposed to hard-type-based systems, in which subsequently defined number types are independent and projections or coercions which preserve the functions are necessary. In particular, Isabelle/Mizar’s real numbers are constructed as Dedekind cuts. Note, however, that the cuts corresponding to the rational numbers are replaced by the rational numbers themselves, in order to preserve the inclusion Q ⊂ R. A second, less important, distinction is the fact that in the Mizar library the non-negative ≥0 ≥0 types (N, Q , R ) are constructed first. After this, the negative reals are built as Kuratowski pairs of the singleton zero and the positive element. Finally, the rationals and integers are ≥0 ≥0 subsets of the set of all reals. In particular, the sets N, Q , R , R are already constructed with the basic operations on these sets and addition, subtraction, multiplication directly re- use the real operations. The only additional thing to prove is that the types are preserved, so for example the addition of integers returns a real that is also an integer. The inclusions, together with the order of the construction are depicted in Fig. 1.Inorder to realize this construction in Isabelle/Mizar, we first define the set of the natural numbers, as the smallest limit ordinal. The formal definition is as follows: mdef ordinal1-def-11 (omega) where func omega → set means (λit. 0 in it ∧ it be limit-ordinal ∧ it be Ordinal ∧ (∀ A:Ordinal. 0 in A ∧ A is limit-ordinal −→ it ⊆ A)) The definition introduces the constant (zero-argument functor) omega of the Mizar type set, which satisfies the condition specified after the keyword means, that is, the defined constant it is a limit ordinal with 0 as a member, and it is the smallest such set (considering set inclusion). As a reminder, the mdef command requires the formalization to specify the existence of the constant (proof is only included in the formalization), which is a consequence of the Tarski universe property and its uniqueness. On the other hand, the Isabelle natural numbers are a subtype of the type of individuals. In order to merge these two different approaches, we specified a functor that preserves zero and the successor. Note that the functor is specified only for the type of the natural numbers which in Isabelle/HOL is implicit, but in the softly-typed set theory needs to be written and checked explicitly. This is the reason for having an undefined case, which as we will see later, still gives an isomorphism. Fig. 1 The inclusions between the sets in the Mizar Mathematical Library. The arrows show the construction order between the sets in the MML and our Isabelle set formalization 123 Combining Higher-Order Logic... Page 9 of 23 20 0 if n = 0 , S H H h2s (n) = N S S (h2s (k)) if n = S (k) for some H-natural k. S N H H ⎨ 0 if n = 0 , H S S s2h (n) = S (s2h (k)) if n = S (k) for some S-natural k, N H H N S S undefined otherwise. The functor and its inverse are formally defined in Isabelle as follows fun h2sn :: nat ⇒ Set (h2s (-)) where IN h2s (0::nat) = 0 | h2s (Suc(x)) = succ h2s (x) IN S S IN S IN function s2hn :: Set ⇒ nat (s2h (-)) where IN ¬xbeNat ⇒ s2h (x) = undefined IN H | s2h (0 ) = 0 IN S H | xbeNat ⇒ s2h (succ(x)) = Suc(s2h (x)) IN IN Note that h2s is defined only on the HOL natural numbers (nat), while s2h is defined on IN IN all sets and its definition is only meaningful for arguments that are of the type Nat.The soft- type system of Mizar requires us to give this assumption explicitly here, but it can normally be hidden in the contexts where the argument type is restricted appropriately. Isabelle requires us to prove the termination of the definition, which can be done using the proper subset relation defined on natural numbers in the Peano sense. Using the induction principles for natural numbers present in both libraries, we can show the property beIsoS(h2s , s2h ,NAT ),where NAT is the set of all Nat. In particular, it gives a IN IN bijection (note the hidden type restriction to sets of type nat). We show also that the functors h2s , s2h preserve all the basic operations. IN IN theorem Nat-to-Nat: fixes x::nat and y::nat assumes nbeNat and mbeNat IN shows h2s (x + y) = h2s (x) + h2s (y) IN H S IN S IN IN s2h (n + m) = s2h (n) + s2h (m) IN S H IN H IN IN h2s (x ∗ y) = h2s (x) ∗ h2s (y) IN IN IN H S S IN s2h (n ∗ m) = s2h (n) ∗ s2h (m) IN S H IN H IN x < y ←→ h2s (x) ⊂ h2s (y) IN IN n ⊂ m ←→ s2h (n)< s2h (m) IN IN xdvd y ←→ h2s (x) divides h2s (y) IN IN n divides m ←→ s2h (n) dvd s2h (m) IN IN prime(x) ←→ h2s (x) is prime IN S nisprime ←→ prime(s2h (n)) S IN 5.1 Isabelle/Mizar Number Hierarchy After the natural numbers, MML constructs the non-negative rationals as pairs of relatively prime naturals. Additionally, to preserve the set-theoretic inclusion of the set of natural numbers, not only pairs with the denominator zero but also those with denominator one are excluded and the original natural numbers added. We follow the same construction in Isabelle/Mizar. ≥0 mdef arytm-3-def-7 (RAT ) where ≥0 func RAT → set equals ({[i,j] where i be Element−of NAT, j be Element−of NAT : i,j are−coprime & j = 0 }\ the set−of −all [k,1 ] where k be Element−of NAT ) ∪ NAT S S 123 20 Page 10 of 23 C. Kaliszyk, K. Pąk Non-negative real numbers are constructed in a similar way. To the set of non-negative rationals, we add Dedekind cuts corresponding to the positive irrational numbers. A standard definition of Dedekind cuts is used, only restricted to non-negative rationals. We assume that a proper subset A of non-negative rationals is a cut, if it is closed under smaller elements ≥0 ≥0 Q (∀r, s:Element−of RAT . rin A ∧ s ≤ r −→ sinA) and for every element in the set A ≥0 there is a larger element in the set A (∀r :Element −of R AT .rin A −→(∃s:Element −of ≥0 ≥0 Q ≥0 RAT .sin A ∧ r < s)). Note that RAT fulfills this condition, however, it is not a proper subset of non-negative rationals. In contrast, in this approach, the empty set is a ≥0 Dedekind cut, but we do not need to add it in the construction of REAL , since empty corresponds to zero. mdef arytm-2-def-1(DEDEKIND-CUTS) where ≥0 func DEDEKIND-CUTS → Subset−Family−of RAT equals ≥0 { A where A be Subset−of RAT : ≥0 ∀ r: Element−of RAT . rinA −→ ≥0 ≥0 Q (∀ s: Element−of RAT . s ≤ r −→ sinA) ∧ ≥0 ≥0 Q ≥0 (∃ s: Element−of RAT . sinA ∧ r < s)}\{RAT } In order to preserve the inclusion between the rationals and reals, again the non-negative real numbers are obtained as a union of the non-negative rationals as defined above and the Dedekind cuts corresponding to the irrational numbers, that is cuts that cannot be realized in ≥0 the form {swhere sbe Element−of RAT +: s < q} where q is rational. ≥0 mdef arytm-2-def-2 (REAL ) where ≥0 ≥0 func REAL → set equals (RAT ∪ DEDEKIND-CUTS) \ ≥0 ≥0 Q ≥0 {{s where s be Element−of RAT : s < t} where t be Element−of RAT : t = 0 } Finally, the complete reals (REAL) are constructed by adding the negative real numbers. In the Mizar set theory the negative numbers are represented by the pairs [0 ,r],where r is a positive real number. For this, we add the pairs corresponding to r,where r is a non-negative real and then remove the pair [0 ,0 ] to avoid duplicating 0. The sets of rationals and integers S S are then appropriate subsets of the set REAL. Of course, it would be possible to build these sets directly, together with their respective arithmetic operations, however, this would require the introduction of different symbols for these operations in the different datatypes. The ≥0 ≥0 Isabelle/Mizar formalization only temporarily introduces the operations Q , R which will almost never be used in the library, and the operations for the type R, which will be directly reused for Z and Q. In particular, this allows using the operations in the context of homomorphisms between integers, rationals, and reals. mdef numbers-def-1 (REAL) where func REAL → set equals ≥0 ≥0 REAL ∪[:{0 },REAL :] \ {[0 ,0 ]} S S S mdef numbers-def-3 (RAT ) where func RAT → set equals ≥0 ≥0 RAT ∪[:{0 },RAT :] \ {[0 ,0 ]} S S S mdef numbers-def-4 (INT ) where func INT → set equals NAT ∪[:{0 },NAT :] \ {[0 ,0 ]} S S S 123 Combining Higher-Order Logic... Page 11 of 23 20 5.2 Integrating Numbers Given the Isabelle/Mizar number hierarchy specified in the previous section, we can start building bridges between the types. We start with the integers. The set-theoretic definition is again different from the one used in Isabelle/HOL. There, an equivalence relation (equal modulo the difference) is defined on pairs of natural numbers, and the quotient package [34] is used to construct the new type. Still, it is straightforward to define a bijection between the two, using the constructed bijections between natural numbers. We also show that these bijections preserve all the basic operators. function h2sZ :: int ⇒ Set (h2s (-))where ZZ x ≥ 0 ⇒ h2s (x) = h2s (nat(x)) ZZ S IN IR | x < 0 ⇒ h2s (x) = − h2s (nat(− (x))) ZZ S S IN H function s2hZ :: Set ⇒ int (s2h (-))where ZZ ¬xisInteger ⇒ s2h (x) = undefined ZZ H | x is natural ⇒ s2h (x) = int(s2h (x)) ZZ H IN IR | xisInteger & not x is natural ⇒ s2h (x) = − (int(s2h (− x))) ZZ IN H H S theorem beIsoS-INT : beIsoS(h2s ,s2h ,INT ) ZZ ZZ For the rational numbers, we construct the natural bijection h2s , s2h using the bijections Q Q between the integers and the unique representation of any rational as an irreducible fraction. We again show that the operations behave well on arbitrary (including reducible) fractions. theorem s2hQI: fixes n::nat shows n = 0 −→ Fract(i,n) = s2h (h2sZ(i)/ h2sZ(n)) H H Q Q theorem s2hQM: iisInteger ∧ nisNat ∧ n ={}−→ s2h (i / n) = Fract(s2h (i),s2h (n)) Q Q ZZ ZZ The constructions of the real numbers are significantly different in the two considered proof libraries. Indeed, in Isabelle/HOL reals are quotients of Cauchy sequences whereas the MML one uses Dedekind cuts. More precisely, in the MML, Dedekind cuts are used to construct the irrational, and operations on them are defined on the cuts. To build a homomorphism between the two definitions and to use it for all the operators requires considering cases, namely whether the given argument is a rational number of a cut. The same is true for the results of the operators. To ease these constructions we first introduce two operators: DEDEKIND_CUT which transform a real number to a Dedekind cut, i.e., for positive rationals it associates to the number ≥0 ≥0 Q r the cut {swhere sbe Element−of RAT : s < r}, and for irrational numbers, which are already cuts, it is the identity. We also define the inverse operator GLUE, which transforms ≥0 ≥0 Q cuts that can be represented in the form {swhere sbe Element−of RAT :s < r} for a rational r, returns r, and is the identity otherwise. mdef arytm-2-def-3 (DEDEKIND-CUT-) where ≥0 mlet x be Element−of REAL func DEDEKIND-CUT x → Element−of DEDEKIND-CUTS means ≥0 λit. ∃ r:Element−of RAT . x = r ∧ ≥0 ≥0 Q it ={s where s be Element−of RAT : s < r} ≥0 if x in RAT otherwise λit. it = x 123 20 Page 12 of 23 C. Kaliszyk, K. Pąk mdef arytm-2-def-4 (GLUED -) where mlet x be Element−of DEDEKIND-CUTS ≥0 func GLUED x → Element−of REAL means ≥0 λit. ∃ r : Element−of RAT . it = r ∧ ≥0 ≥0 Q (∀ s : Element−of RAT . sinx ←→ s < r) ≥0 ≥0 if ∃ r : Element−of RAT . ∀ s : Element−of RAT . ≥0 sinx ←→ s < r otherwise λ it. it = x We will now construct the homomorphism between the real number representations. Con- sider a non-empty Dedekind cut A. We observe, that by multiplying all the elements of A by a positive rational q, we obtain a non-empty Dedekind cut. We denote this cut by q ∗ A.Next, we denote by max A the largest natural number in the set A. Consider the sequence of non- IN max (2 ∗ A) IN D negative rationals . It easily follows that this sequence is non-decreasing n∈IN and that for every n ≤ k it is true that n k n max (2 ∗ A) max (2 ∗ A) max (2 ∗ A) 1 IN D IN D IN D ≤ ≤ + n k n n 2 2 2 2 which shows that this sequence is a Cauchy sequence. This allows us to associate any positive real number with a Cauchy sequence of rationals: mdef Rat2C(rC - 110) where ≥0 mlet r be Element−of REAL func rC r → Function−of NAT,RAT means λit. ∀ n:Nat. it. n = (max (( 2 |ˆn) ∗ (DEDEKIND-CUT r))) / ( 2 |ˆn) IN S D Q S Using the previously defined homomorphisms between the naturals and rationals as well as between the types of functions (Sect. 4 and previous subsections of Sect. 5), we can transform this set-theoretic function to a HOL one. We show that this transformation preserves Cauchy convergence: definition s2hseq :: Set ⇒ (nat ⇒ rat)(s2hseq(-)) where s2hseq(f ) = s2hf (s2hQ,h2sn,f ) theorem MICauchy: assumes f is Function−of NAT,RAT shows f is Cauchy ←→ Real.cauchy (s2hseq(f )) Which allows us to define the final homomorphism that given a set-theoretic real trans- forms it to a HOL real. function s2hR :: Set ⇒ real (s2h (-))where IR ¬xisMReal ⇒ s2h (x) = undefined IR ≥0 | x is Element−of REAL ∧ x=0 ⇒ s2h (x) = Real.Real(s2hseq(rC x)) S IR H ≥0 | x is Element−of REAL ∧ x=0 ⇒ s2h (x) = 0 S IR H ≥0 | xisMReal ∧ x=0 ∧¬ x is Element−of REAL ⇒ IR s2h (x) = − Real.Real(s2hseq(rC(− x))) IR H H S where for non-negative real number x, we use it to produce the sequence of rational numbers rC x, which are subsequently transformed to a sequence of HOL reals s2hseq(rC x), and finally we return the abstraction of the Cauchy sequence class to which the sequence belongs. For negative real numbers, we use minus twice, analogously to the integer and rational IR constructions. − (...( − x)) H S 123 Combining Higher-Order Logic... Page 13 of 23 20 In order to build the inverse transformation, we will construct the Dedekind cut based on a real number. First, for any real number r, we start with one of the Cauchy sequence real2seqL(r) belonging to its equivalence class r. We consider the equivalence of this sequence in set theory: h2sseq(r). This sequence is non-decreasing and has non-negative values if r is non-negative. Additionally, if r is positive, this sequence h2sseq(r) is also positive starting from some index. This means that for any positive real r, the sequence ≥0 ≥0 Q {swhere sbe Element−of RAT : s < h2sseq(r).n } is non-empty (from some posi- n∈IN tion, to be precise when h2sseq(r).n =0 ) and non-decreasing and its union (seq2Dedekind)isa Dedekind cut. definition real2seqL :: real ⇒ (nat⇒rat) where real2seqL(r) = (λn::nat. Fract(r ∗ (2ˆn),2ˆn)) H H definition h2sseq :: real ⇒ Set (h2sseq(-)) where h2sseq(r) = h2sf (s2hn,h2sQ,NAT,real2seqL(r)) mdef seq2Dedekind where mlet f be Function−of NAT, RAT ≥0 func seq2Dedekind(f ) → Subset−of RAT means ≥0 IR λit. ∀ x:Element−of RAT . xinit ←→ (∃ k:Nat. x < (f .k)) The final transformation that given a HOL real number extracts its Cauchy sequence and transforms it to an Isabelle/Mizar real is: function h2sR :: real ⇒ Set (h2s (-))where IR x > 0 ⇒ h2s (x) = GLUED(seq2Dedekind(h2sseq(x))) IR | x = 0 ⇒ h2s (x) = 0 IR H S IR | x < 0 ⇒ h2s (x) =− GLUED(seq2Dedekind(h2sseq(− x))) IR S H The two defined operations s2h and h2s are not as straightforward as for the naturals or IR IR rationals. We do nonetheless prove (details are only in the formalization) that they do indeed give an isomorphism and that this isomorphism preserves the basic arithmetic operations and the standard less than order. theorem beIsoS-Real: beIsoS(h2sR,s2hR,REAL) theorem Real-to-Real: fixes x::real and y::real assumes rbeMReal and sbeMReal IR shows h2s (x + y) = h2s (x) + h2s (y) IR IR IR H S S IR s2h (r + s) = s2h (r) + s2h (s) IR IR IR S H H IR h2s (x ∗ y) = h2s (x) ∗ h2s (y) IR H S IR S IR IR s2h (r ∗ s) = s2h (r) ∗ s2h (s) IR S H IR H IR IR x ≤ y ←→ h2s (x) ≤ h2s (y) IR IR IR r ≤ s ←→ s2h (r) ≤ s2h (s) IR IR We are now ready to practically move proved theorems about numbers between HOL and Isabelle/Mizar. 6 Algebra The structure representations used in higher-order logic and set theory are usually different. This will be particularly visible when it comes to algebraic structures. In the Isabelle/HOL formalization, algebraic structures are type-classes while in set theory a common approach 123 20 Page 14 of 23 C. Kaliszyk, K. Pąk would be partial functions. We will illustrate the difference on the example of groups. A type α forms a group when we can indicate a binary function on this type that will serve as the group operation satisfying the group axioms. On the other hand, in the usual set-theoretic approach a group in set theory would consist of an explicitly given set (the carrier), and the group operation. With an intersection type system, the fact that the given set with an operation is a group is specified by intersecting the type of structures with the types that specify their individual properties (i.e., a group is a non-empty associative Group-like multMagma) There are two more differences in the particular formalizations we consider, that we will not focus on, but we will only mention them in this paragraph and consider them only in the formalization. First, the existence and uniqueness of the neutral element can be either assumed in the group specification or derived from the axioms. We will not focus on that, as this is only the choice of a group axiomatization. Second, in the Mizar library, there are two theories of groups: additive groups and multiplicative groups. Rings and fields inherit the latter, while some group-theoretic results are derived only for the former. Even if the Isabelle/HOL group includes a field for the unit, we will ignore it in the morphism, since the set-theoretic definition does not use one. The neutral element along with the other properties is, however, necessary to justify that the result of the morphism is a group in the set-theoretic sense. definition h2sg (h2s (-,-,-,-)) where h2s (s2hc,h2sc,c,g) = [# G S carrier → c; multF → h2s (s2hc,h2sc,c,mult(g)) #] BinOp definition s2hg (s2h (-,-,-)) where s2h (s2hc,h2sc,g) = Igroup( G H Collect(λx. h2sc(x) in the carrier of g), s2h (s2hc,h2sc,the multF of g), BinOp s2hc(1. )) For the dual morphism, we indicate the result of the operation selecting the neutral element (1. ) as the field needed in the construction of the type-class element. With its help, we can justify that the fields of the translated structure are translations of the fields. theorem s2hg-Prop: assumes beIsoS(h2sc,s2hc,c) and g be Group and the carrier of g = c and x ∈ carrierI(s2h (s2hc, h2sc, g)) y ∈ carrierI(s2h (s2hc, h2sc, g)) shows one(s2h (s2hc,h2sc,g)) = s2hc(1. ) G g x ⊗ y = s2hc(h2sc(x) ⊗ h2sc(y)) s2h (s2hc,h2sc,g) group (s2h (s2hc,h2sc,g)) A number of proof assistant systems based both on higher-order logic (including Isabelle/HOL) and set theory (including Mizar) support inheritance between their algebraic structures. As part of our work aligning the libraries we also want to verify that such inher- itance is supported in the combined library. For this, we align the ring structures present in the two libraries. The isomorphism between the structures is defined in a similar way to the one for groups, we refer the interested reader to our formalization. We can show that the morphisms form an isomorphism and derive some basic preservation properties. The most basic one is the fact that the isomorphism preserves being a ring. theorem s2hr-Prop: assumes beIsoS(h2sc,s2hc,c) and rbeRing and the carrier of r = c 123 Combining Higher-Order Logic... Page 15 of 23 20 and x ∈ carrierI(s2h (s2hc,h2sc,r)) y ∈ carrierI(s2h (s2hc,h2sc,r)) R R shows zero(s2h (s2hc,h2sc,r)) = s2hc(0 ) R H one(s2h (s2hc,h2sc,r)) = s2hc(1 ) R H x ⊕ y = s2hc(h2sc(x) ⊕ h2sc(y)) H r s2h (s2hc,h2sc,r) x ⊗ y = s2hc(h2sc(x) ⊗ h2sc(y)) s2h (s2hc,h2sc,r) ring (s2h (s2hc,h2sc,r)) Finally, we introduce the equivalent of the definition of the integer ring introduced in the MML in [52]. We have previously discussed the semantics of Mizar structures and the way they are represented in Isabelle/Mizar in [27]. Here, with the previously defined isomorphisms for the subfields, we can show that s2h and h2s determine an isomorphism between the R R fields of the rings developed in Isabelle/HOL and the Mizar Mathematical Library. mdef int-3-def-3 (ZZ−ring) where func ZZ−ring → strict(doubleLoopStr) equals [# carrier → INT ; addF → addint; ZeroF → 0 ; multF → multint; OneF → 1 #] theorem H-Zring-to-S-Zring: h2s (s2h , h2s ,INT,Z) = ZZ−ring R ZZ ZZ S s2h (s2h , h2s , ZZ−ring) = Z R ZZ ZZ 7 Integrated Libraries: Practical Examples We are now ready to use the existence of isomorphisms to automatically transform theorems about continuity of functions, including the Intermediate Value Theorem and the theorem that states that the image of a closed interval is a closed interval: theorem continuous-atM: fixes fa assumes f be Function−of REAL,REAL a is MReal shows isCont(s2h IR(f ),s2hR(a)) ←→ f is-continuous-in a theorem continuous-atI: fixes f ::real⇒real shows isCont(f,a) ←→ (h2s IR(f )) is-continuous-in (h2sR(a)) theorem IVTmiz: IR IR IR ∀ f :Function−of REAL,REAL. ∀ a,b,v:MReal. f . a ≤ v & v ≤ f . b & a ≤ b & f is-continuous-on [.a, b.]−→ IR IR (∃ x:MReal. a ≤ x & x ≤ b & f . x = v) theorem IVT-img: ∀ f :Function−of REAL,REAL. ∀ a,b:MReal. IR a ≤ b ∧ f is-continuous-on [.a, b.]−→ IR (∃ c,d:MReal. c ≤ d ∧ f .:[. a, b .]= [. c, d .]) We also show the projection theorem, which again states that the homomorphisms agree and do not require any projections: theorem nisNat ⇒ of-nat(s2h (n)) = of-int(s2h (n)) IN ZZ iisInteger ⇒ of-int(s2h (i)) = of-rat(s2h (i)) ZZ H Q qisRat ⇒ of-rat(s2h (q)) = s2h (q) Q H IR 123 20 Page 16 of 23 C. Kaliszyk, K. Pąk It is now possible to translate the Lagrange’s Four Squares theorem and Bertrand’s postu- late between the libraries. We can prove the Isabelle/Mizar counterpart of the Isabelle/HOL theorem only using higher-order rewriting and the above properties. theorem LagrangeFourSquares: ∀ n:Nat. ∃ a,b,c,d:Nat. IN IN IN IN IN IN IN a ∗ a + b ∗ b + c ∗ c + d ∗ d = n S S S S S S S S theorem Bertrand: ∀ n:Nat. 1 ⊂ n −→ IN (∃ p:Nat. pbeprime ∧ n ⊂ p ∧ p ⊂ (2 ∗ n)) S S S This allows translating the proved Fermat’s last theorem for powers divisible by 3 and 4 from Isabelle/HOL to Isabelle/Mizar. The original proof involved quite some computation and therefore has not been attempted in Mizar so far. However, thanks to the isomorphisms, the translated version can be proved automatically (higher-order rewriting combined with Isabelle/Mizar type automation): theorem Fermat-divides-3-4: ∀ x,y,z:Integer. ∀ n:Nat. IR (3 divides n ∨ 4 divides n) ∧ (xIˆn) + (y Iˆn) = z Iˆn S S S S IR IR −→ x ∗ y ∗ z = 0 S S S S theorem Fermat-3: ∀ x:Integer. ∀ y:Integer. ∀ z:Integer. IR IR IR (xIˆ3 ) + (y Iˆ3 ) = zIˆ3 −→ x ∗ y ∗ z = 0 S S S S S S S S theorem rev-Rev: assumes p be FinSequence shows rev(s2h (s2h,p)) = s2h (s2h,Rev p) L H L 8 Tarski’s Axiom vs. Grothendieck Universes The theoretical part of our previous work [7] formally introduced a foundation for computer verified proofs based on higher-order Tarski–Grothendieck set theory (HOTG) and prove that this theory has a model if a 2-inaccessible cardinal exists. Referring to the former as the axioms of Tarski–Grothendieck is, however, slightly misleading, as there are two not immediately equivalent families of axioms. In particular, the two axiom families are equivalent assuming the axiom of choice. Additionally, the axiom of choice is a consequence of the Tarski axioms, but it is not the case for the Grothendieck formulation. Both of these facts are now also formalized in Isabelle, and shortly discussed in this section. The formalization done in this section is done independently from Isabelle/HOL or Isabelle/Mizar as its goal is to formally justify that Tarski’s axiom A is valid in the model pro- posed in [7]. Recall, that Tarski’s axiom A is used in the Mizar library and in Isabelle/Mizar, whereas the existence of a Grothendieck universe is used for example in Egal. Tarski’s Axiom A states that every set N is a member of some Tarski universe M which is closed under subsets, powersets, and every subset of the universe is either a member of the universe or is equipotent with that universe. To state this formally, the equipotence between the sets X and Y can be defined by a set of Kuratowski pairs, which defines a bijection from X to Y using only a minimal set of definitions, as it is done for example in the MML: 123 Combining Higher-Order Logic... Page 17 of 23 20 definition Tarski-axiom-A where Tarski-axiom-A ≡∀ N . ∃ M. N ∈ M ∧ (∀ XY . X ∈ M ∧ Y ⊆ X −→ Y ∈ M)∧ (∀ X. X ∈ M −→ Pow X ∈ M)∧ (∀ X. X ⊆ M −→ (∃ b. b: bij X M) ∨ X ∈ M) In the Grothendieck approach, for an arbitrary set X, we can explicitly obtain the Grothendieck universe UnivX. The universe UnivX is transitive (Trans (Univ X)), closed under union, powerset, and replacement (ZFclosed (Univ X)) and it is the smallest set (w.r.t. set inclusion) having these properties. axiomatization Univ :: set ⇒ set where UnivIn: X ∈ Univ X and UnivTransSet: Trans (Univ X) and UnivZF: ZFclosed (Univ X) and UnivMin: X ∈ U ∧ Trans U ∧ ZFclosed U ⇒ Univ X ⊆ U To compare these two axiomatizations, we have previously shown in the higher-order logic of Egal that every Grothendieck universe, under the axiom of choice assumption, satisfies Tarski’s Axiom A (see [8]), but, not vice versa. Tarski universes, as opposed to Grothendieck universes, might not be transitive. We constructed such a Tarski universe of a set N that is a proper subset of UnivN in [47] in the first-order logic of Mizar, as well as proved that UnivN included in every Tarski universe of a set N if N is transitive. In particular, using these properties, we proved in Isabelle that assuming HOTG and the axiom of choice, Univ N is a Tarski universe, i.e., that in the model [7], Tarski’s Axiom A is valid. Rather than repeat the proofs already described in [8] we show the final statement that we proved under the axiom of choice as rendered by Isabelle: definition AC-axiom where AC-axiom ≡∀ X. {} ∈ / X −→ (∃ f .(f ∈ X → X) ∧ (∀ A. A∈ X −→ f‘ A ∈ A)) theorem AC-axiom −→ Tarski-axiom-A In order to even more closely show the adequacy of the HOTG model for importing the Isabelle/HOL proofs, one might also consider polymorphism, which is present in the foun- dations of the HOL families of provers. Andrew Pitts has provided a custom semantics to HOL that factors in polymorphism [50]. We however believe, that since the polymorphism in HOL is shallow (rank-one), it can be considered a notation for monomorphic HOL, namely all proofs can be translated to monomorphic ones and that the Grothendieck universes offer enough room for the quantification incurred by polymorphism. Extending the model to sup- port all the custom extensions present in Isabelle/HOL (such as e.g., type classes [22] or local type definitions [30]) is left as future work. 9 Related Work Since proof assistants based on plain higher-order logic lack the full expressivity of set theory, the idea of adding set theory axioms on top of HOL has been tried multiple times. Gordon [17] discusses approaches to combine the power of HOL and set theory. Obua has proposed HOLZF [42], where Zermelo-Fraenkel axioms are added on top of Isabelle/HOL. With this, he was able to show results on partisan games, that would be hard to show in 123 20 Page 18 of 23 C. Kaliszyk, K. Pąk plain higher-order logic. Later, as part of the ProofPeer project [43], the combination of HOL with ZF became the basis for an LCF system, reducing the proofs in the higher-order logic part to a minimum (again, since there was no guarantee, that combining the results is safe). Kuncar ˇ [35] attempted to import the Tarski–Grothendieck-based library into HOL Light. Here, the set-theoretic concepts were immediately mapped to their HOL counterparts, but it soon came out that without adding the axioms of set theory the system was not strong enough. Brown [10] proposed the Egal system which again combines a specification of higher-order logic with the axioms of set theory. The system uses explicit universes, which is in fact the same presentation as given in this work. This work therefore also gives a model for the Egal system. Finally, we have specified [28] and imported [29] significant parts of the Mizar library into Isabelle. In this work, we only use the specification of Mizar in Isabelle and the re-formalized parts of the MML. The idea to combine proof assistant libraries across different foundations also arose in the Flyspeck project [18] formalizing the proof of the Kepler conjecture [20]. Krauss and Schropp [33] specified and implemented a translation from Isabelle/HOL proof terms to set-theoretic proved theorems. The translation is sound and only relies on the Isabelle/ZF logic, however, it is too slow to be useful in practice, in fact, it is not possible to translate the basic Main library of Isabelle/HOL into set theory in reasonable time It is also possible to deep embed multiple libraries in a single meta-theory. Rabe [51] does this practically in the MMT framework deep embedding various proof assistant foundations and providing category-theoretic mappings between some foundations. Logical frameworks allow import- ing multiple libraries at the same time. In the Dedukti framework, Assaf and Cauderlier [1, 2] have combined properties originating from the Coq library and the HOL library. Both were imported in the same system, based on the λ calculus modulo, however, the two parts of the library relied on different rewrite rules. Most implementations of set theory in logical frameworks could implicitly use some higher-order features of the framework, as this is already used for the definition of the object logic. The definition of the Zermelo-Fraenkel object logic [49] in Isabelle uses lambda abstractions and higher-order applications for example to specify the quantifiers. This is also the case in Isabelle/TLA [38]. These object logics are normally careful to restrict the use of higher-order features to a minimum, however, the system itself does not restrict this usage. The first author together with Gauthier [15] has previously proposed heuristics for auto- matically finding alignments across proof assistant libraries. Such alignments, even without merging the libraries can be useful for conjecturing new properties [39]aswellasimproving proof assistant automation [14]. The fact that Grothendieck universes are the same as transitive Tarski classes has been formalized by Carneiro in Metamath. 10 Automated Transfer and Limitations of Current Work In this section, we discuss transfer in higher-order logic based systems, transport in intuition- istic type theory, and the limitations of the current work when it comes to automating the transfer of theorems between the foundations. As part of an ongoing project to export Isabelle proof to Dedukti and the project exporting Isabelle to MMT [32] some of the proofs in Isabelle/Main are being currently optimized. http://us.metamath.org/mpeuni/grutsk.html. 123 Combining Higher-Order Logic... Page 19 of 23 20 Automating the transfer of theorems between different types in higher-order logic has a long history. Today, higher-order rewriting-based packages for the creation of quotient types are present in the libraries of most HOL-based proof assistants. These packages can automatically translate theorems from the raw types to the quotient types. For example, HOL Light [19] includes the quot.ml package already since the nineties. This package defines two ML functions: lift_function and lift_theorem.The former automatically defines constants (often of higher-order function types) in a quotient type based on corresponding constants in a raw type. The latter ML function uses higher-order rewriting to transfer theorems that use the lifted constants to raw ones. The procedure has been further improved by Homeier [23] in HOL4. The HOL4 quotient package allows an explicit declaration of properties of functions and relations (preserves and respects properties). These allow for quotients for polymorphic types. A similar architecture has been considered in the initial quotient package for Isabelle/HOL co-developed by the first author [34]. By further considering the interplay between the transfer in the outside and inside types it is possible to automatically quotient lists into finite sets with operations such as concatenation of a list of lists automatically translated into a finite set union. The Isabelle/HOL quotient package has been modularized by Huffman and Kuncar ˇ [21]. The functionality has been separated into two packages: lifting and transfer. Lifting allows the automated translation of definitions in a source type to definitions in a target type (including quotient-based definitions). Transfer uses higher-order rewriting to move theorems between types. This modular construction allows the use of transfer also for cases of isomorphic types (including almost isomorphic ones, as was already the case for example with quotients), but where the target is actually not defined as a quotient of the source type. A further improvement to the transfer mechanism in Isabelle/HOL has been developed by Kuncar and Popescu [30] in their work on local type definitions. There, the transfer package is extended to allow relativizing type-based statements to more set-based forms in a principled way. In the context of intuitionistic type theory, translating theorems from types to their quo- tients is much more complex. This is because of the more intricate nature of equality in type theories, which in particular does not allow replacing equal things in all contexts (all above HOL packages rely not only on the axiom of choice but also on extensionality). An traditional approach to moving theorems between types that allows computation has been the use of setoids. This allows moving some theorems to quotients for example in the CoRN project [12]. More recently, foundations based on homotopy type theory [3] have been proposed. There, propositional equality between terms is interpreted as homotopy. The univalence axiom of Voevodsky [53] assumed in such foundations allows transporting properties and structures expressed over isomorphisms and equivalences. In its simplest variant, transport in HoTT/UF is an operation that takes a type family P : A → U,apath a = b in A, and returns a function Pa → Pb [40]. This allows transport between isomorphic types but does not take computation into account. This is further extended in cubical type theories [11]. There, it is possible to directly manipulate n-dimensional cubes based on an interpretation of dependent type theory in a cubical set model. Cubical type theories furthermore are specified in a way that allows Voevodsky’s axiom to be provable. Transport in cubical type theories [5] can take as input a line of types A : I → U. This more primitive transport operation can however take computation into account. We are not aware of any automated tactics/packages allowing for transport of theorems between types in the same way as it is possible in Isabelle/HOL’s transfer package. 123 20 Page 20 of 23 C. Kaliszyk, K. Pąk The work presented here, similar to the higher-order automated transfer packages, uses higher-order rewriting to translate the statements between the HOL types and the set-based representation, however, we have not been able to use the Isabelle transfer package for this. The reason for this is that on the Mizar side additional typing predicates are needed to express soft types and reasoning about these types is necessary. The Mizar soft types are additionally dependent. As such, we combine higher-order rewriting with our dedicated Isabelle/Mizar tactic for proving the Mizar type obligations (the mty tactic). As the tactic is responsible for Prolog-style type inference on the predicate level integrating its use with the existing Isabelle transfer package would be rather involved. In principle, the equivalences provided by the isomorphisms allow translating the state- ments both in the assumptions and in the conclusions, however, we cannot directly use the transfer package, since type constraints not present on the term level in HOL correspond to explicit typing judgments in the set-theoretic types. Consider the isomorphism between the Mizar finite sequences and Isabelle/HOL lists. All the proved statements require the Mizar dependently typed assumptions stating that an argument is of a finite sequence type over some Mizar domain l be FinSequence-of t as well as an additional isomorphism for the domain. We have added the necessary assumptions to the theorems, and in the automated proofs, the Isabelle/Mizar type inference (including the automated proof of Mizar type inhabitation) is necessary to fulfill these obligations. We believe, that is it possible to augment the lifting and transfer packages to add soft type constraints on the term level and fulfill them wherever possible. The details are however unclear and are left as future work. 11 Conclusion We have used Isabelle HOTG to combine results proved in TG set theory with results proved in higher-order logic. This allows us to combine large parts of two major proof assistant libraries: the Mizar Mathematical library and the Isabelle/HOL library. Supplementary to the theorems and proofs coming from both, we define a number of isomorphisms that allow us to translate theorems proved in part of one of these libraries and use them in the corresponding part of the other library. As part of the library merging, we have formally defined and proved in Isabelle the neces- sary concepts. Apart from porting proofs to Isabelle/Mizar, the isomorphism formalizations and the theorems moved using those amount to 10179 lines of proofs. The formalization is available at: http://cl-informatik.uibk.ac.at/cek/ckkp-jar2022-hotg.tgz Apart from higher-order and set-theoretic foundations, the third most commonly used foundation is dependent type theory. The most important future work direction would inves- tigate combining the results proved here with those proved in such type-theoretic foundations. So far, we have mostly moved results that have been proved in HOL to set theory. It could be also interesting to transfer the Brouwer’s theorem for n-dimensional case (the fixed point theorem [44], the topological invariance of degree, and the topological invariance of dimension [45]) that are essential to define and develop topological manifolds since the Mizar library results on manifolds are much developed than those in Isabelle/HOL [25]. Funding This work has been supported by the European Research Council (ERC) Starting Grant Number 714034 SMART, the Polish National Science Center granted by decision n DEC-2015/19/D/ST6/01473, and the COST Action CA20111 Number E-COST-GRANT-CA20111-9d20b2ad. Open access funding provided by University of Innsbruck and Medical University of Innsbruck. 123 Combining Higher-Order Logic... Page 21 of 23 20 Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/. References 1. Assaf, A., Cauderlier, R.: Mixing HOL and Coq in Dedukti. In: Kaliszyk, C., Paskevich, A. (eds.) Proof eXchange for Theorem Proving (PxTP 2015), vol. 186 of EPTCS, pp. 89–96 (2015) 2. Assaf, A.: A framework for defining computational higher-order logics. (Un cadre de définition de logiques calculatoires d’ordre supérieur). PhD thesis, École Polytechnique, Palaiseau, France (2015) 3. Awodey, S: Type theory and homotopy. In: Dybjer, P., Lindström, S., Palmgren, E., Sundholm, G. (eds.) Epistemology versus Ontology - Essays on the Philosophy and Foundations of Mathematics in Honour of Per Martin-Löf, vol. 27 of Logic, Epistemology, and the Unity of Science, pp. 183–201. Springer (2012) 4. Bancerek, G., Bylinski, ´ C., Grabowski, A., Korniłowicz, A., Matuszewski, R., Naumowicz, A., Pak, ˛ K.: The role of the Mizar Mathematical Library for interactive proof development in Mizar. J. Automat. Reason. 61, 9–32 (2017) 5. Bezem, M., Coquand, T., Huber, S.: The univalence axiom in cubical sets. J. Autom. Reason. 63(2), 159–171 (2019) 6. Blanchette, J.C., Haslbeck, M., Matichuk, D., Nipkow, T.: Mining the archive of formal proofs. In: Manfred, K., Jacques, C., Cezary, K., Florian, R., Volker, S. (eds.) Intelligent Computer Mathematics (CICM 2015), vol. 9150 of LNCS, pp. 3–17. Springer (2015) 7. Brown, C., Kaliszyk, C., Pak, ˛ K.: Higher-order Tarski Grothendieck as a foundation for formal proof. In: John, H., John O., Andrew, T. (eds.) 10th International Conference on Interactive Theorem Proving (ITP 2019), vol. 141 of LIPIcs, pp. 9:1–9:16. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2019) 8. Brown, C.E., Pak, ˛ K: A tale of two set theories. In: Kaliszyk, C., Brady, E.C., Kohlhase, A., Coen, C.S. (eds.) Intelligent Computer Mathematics-Proceedings of the of Lecture Notes in Computer Science 12th International Conference, CICM, Prague, Czech Republic, July 8–12, vol. 11617 , pp. 44–60. Springer (2019) 9. Bancerek, G., Rudnicki, P.: A compendium of continuous lattices in MIZAR. J. Autom. Reason. 29(3–4), 189–224 (2002) 10. Brown, C.E.: The Egal Manual (2014) 11. Cohen, C., Coquand, T., Huber, S., Mörtberg, A.: Cubical type theory: a constructive interpretation of the univalence axiom. FLAP 4(10), 3127–3170 (2017) 12. Cruz-Filipe, L., Geuvers, H., Wiedijk, F.: C-corn, the constructive coq repository at nijmegen. In: Asperti, A., Bancerek, G., Trybulec, A. (eds.) Mathematical Knowledge Management (MKM 2004), vol. 3119 of LNCS, pp. 88–103. Springer (2004) 13. Eberl, M., Haslbeck, M.W., Nipkow, T.: Verified analysis of random binary tree structures. J. Autom. Reason. 64(5), 879–910 (2020) 14. Gauthier, T., Kaliszyk, C.: Sharing HOL4 and HOL Light proof knowledge. In: Davis, M., Fehnker, A., McIver, A., Voronkov, A. (eds.) 20th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2015), vol. 9450 of Lecture Notes in Computer Science, pp. 372–386. Springer (2015) 15. Gauthier, T., Kaliszyk, C.: Aligning concepts across proof assistant libraries. J. Symb. Comput. 90, 89–123 (2019) 16. Grabowski, A., Korniłowicz, A., Naumowicz, A.: Four decades of Mizar. J. Automat. Reason. 55(3), 191–198 (2015) 17. Gordon, M.: Set theory, higher order logic or both? In: von Wright, J., Grundy, J., Harrison, J. (eds.) Theorem Proving in Higher Order Logics, TPHOLs’96, vol. 1125 of LNCS, pp. 191–201. Springer (1996) 18. Hales, T., Adams, M., Bauer, G., Dang, T.D., Harrison, J., Le Truong, H., Kaliszyk, C., Magron, V., McLaughlin, S., Nguyen, T.T., Nguyen, Q.T., Tran, N.T., Trieu, T.D., Urban, J., Vu, K., Zumkeller, R.: A Formal Proof of the Kepler Conjecture Forum of Mathematics, Pi, 5. Cambridge University Press, Cambridge (2017) 123 20 Page 22 of 23 C. Kaliszyk, K. Pąk 19. Harrison, J.: HOL light: an overview. In: Stefan, B., Tobias, N., Christian, U., Makarius, W. (eds.) Theorem Proving in Higher Order Logics, Proceedings of Lecture Notes in Computer Science 22nd International Conference, TPHOLs 2009, Munich, Germany, August 17–20, vol. 5674, pp. 60–66. Springer (2009) 20. Hales, T.C., Harrison, J., McLaughlin, S., Nipkow, T., Obua, S., Zumkeller, R.: A revision of the proof of the kepler conjecture. Discret. Comput. Geom. 44(1), 1–34 (2010) 21. Huffman, B., Kuncar ˇ , O.: Lifting and transfer: a modular design for quotients in Isabelle/HOL. In: Gonthier, G., Norrish, M. (eds.) Certified Programs and Proofs - Proceedings of the Third International Conference, CPP 2013, Melbourne, VIC, Australia, December 11–13, vol. 8307 of LNCS, pp. 131–146. Springer (2013) 22. Haftmann, F., Nipkow, T.: Code generation via higher-order rewrite systems. In: Blume, M., Kobayashi, N., Vidal, G. (eds.) Functional and Logic Programming, 10th International Symposium, FLOPS 2010, vol. 6009 of LNCS, pp. 103–117. Springer (2010) 23. Homeier, P.V.: A design structure for higher order quotients. In: Hurd, J., Melham, T.F. (eds.) Theorem Proving in Higher Order Logics, Proceedings of the 18th International Conference, TPHOLs 2005, Oxford, UK, August 22–25, vol. 3603 of Lecture Notes in Computer Science, pp. 130–146. Springer (2005) 24. Haftmann, F., Wenzel, M.: Constructive type classes in Isabelle. In: Altenkirch, T., McBride, C. (eds.) Types for Proofs and Programs, International Workshop, TYPES 2006, vol. 4502 of LNCS, pp. 160–174. Springer (2007) 25. Immler, F., Zhan, B.: Smooth manifolds. Archive of Formal Proofs. https://isa-afp.org/entries/Smooth_ Manifolds.html (2018) 26. Jask ´ owski, S.: On the rules of suppositions. Studia Logica, 1 (1934) 27. Kaliszyk, C., Pak, ˛ K.: Isabelle formalization of set theoretic structures and set comprehensions. In: Blamer, J., Kutsia, T., Simos, D. (eds.) Mathematical Aspects of Computer and Information Sciences, MACIS 2017, vol. 10693 of LNCS. Springer (2017) 28. Kaliszyk, C., Pak, ˛ K.: Semantics of Mizar as an Isabelle object logic. J. Automat. Reason. 63, 557–595 (2018) 29. Kaliszyk, C., Pak, ˛ K.: Declarative proof translation (short paper). In Harrison, J., O’Leary, J., Tolmach, A. (eds.) 10th International Conference on Interactive Theorem Proving (ITP 2019), vol. 141 of LIPIcs, pp. 35:1–35:7 (2019) 30. Kuncar, O., Popescu, A.: From types to sets by local type definition in higher-order logic. J. Autom. Reason. 62(2), 237–260 (2019) 31. Kaliszyk, C., Pak, ˛ K., Urban, J.: Towards a Mizar environment for Isabelle: foundations and language. In: Avigad , J., Chlipala, A. (eds.) Proceedings of the 5th Conference on Certified Programs and Proofs (CPP 2016), pp. 58–65. ACM (2016) 32. Kohlhase, M., Rabe, F., Wenzel, M.: Making isabelle content accessible in knowledge representation formats. https://corr.org/abs/2005.08884 (2020) 33. Krauss, A., Schropp, A.: A mechanized translation from higher-order logic to set theory. In: Kaufmann, M., Paulson, L.C. (eds.) Interactive Theorem Proving (ITP 2010), vol. 6172 of LNCS, pp. 323–338. Springer (2010) 34. Kaliszyk, C., Urban, C.: Quotients revisited for Isabelle/HOL. In: Chu, W.C., Wong, W.E., Palakal, M.J., Hung, C.C. (eds.) Proceedings of the 26th ACM Symposium on Applied Computing (SAC’11), pp. 1639–1644. ACM (2011) 35. Kuncar ˇ , O.: Reconstruction of the Mizar type system in the HOL Light system. In: Pavlu, J., Safrankova, J. (eds.) WDS Proceedings of Contributed Papers: Part I - Mathematics and Computer Sciences, pp. 7–12. Matfyzpress (2010) 36. Lammich, P.: Refinement to imperative HOL. J. Autom. Reason. 62(4), 481–503 (2019) 37. Lochbihler, A., Sefidgar, S.R., Basin, D.A., Maurer, U.: Formalizing constructive cryptography using crypthol. In: Proceedings of the 32nd IEEE Computer Security Foundations Symposium, CSF 2019, Hoboken, NJ, USA, June 25–28, 2019, pp. 152–166. IEEE (2019) 38. Merz, S.: Mechanizing TLA in Isabelle. In: Rodošek, R. (ed.) Workshop on Verification in New Orien- tations, pp. 54–74. Univ. of Maribor, Maribor (1995) 39. Müller, D., Gauthier, T., Kaliszyk, C., Kohlhase, M., Rabe, F.: Classification of alignments between concepts of formal mathematical systems. In: Geuvers„ H. England, M., Hasan, O., Rabe, F., Teschke, O. (eds.) 10th International Conference on Intelligent Computer Mathematics (CICM’17), vol. 10383 of LNCS, pp 83–98. Springer (2017) 40. Mörtberg, A.: Cubical methods in homotopy type theory and univalent foundations. Math. Struct. Comput. Sci. 31(10), 1147–1184 (2021) 41. Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: a proof assistant for higher-order logic, vol. 2283 of LNCS. Springer (2002) 123 Combining Higher-Order Logic... Page 23 of 23 20 42. Obua, S.: Partizan games in Isabelle/HOLZF. In: Barkaoui, K., Cavalcanti, A., Cerone, A. (eds.) Theo- retical Aspects of Computing-ICTAC 2006, vol. 4281 of LNCS, pp. 272–286. Springer (2006) 43. Obua, S., Fleuriot, J.D., Scott, P., Aspinall, D.: ProofPeer: collaborative theorem proving. http://corr.org/ abs/1404.6186 (2014) 44. Pak, ˛ K.: Brouwer fixed point theorem in the general case. Formaliz. Math. 19(3), 151–153 (2011) 45. Pak, ˛ K.: Brouwer invariance of domain theorem. Formaliz. Math. 22(1), 21–28 (2014) 46. Pak, ˛ K.: Topological manifolds. Formaliz. Math. 22(2), 179–186 (2014) 47. Pak, ˛ K.: Grothendieck universes. Formaliz. Math. 28(2), 211–215 (2020) 48. Paulson, L.C.: Isabelle: the next 700 theorem provers. Log. Comput. Sci. 1990, 361–386 (1990) 49. Paulson, L.C.: Set theory for verification: I. From foundations to functions. J. Autom. Reason. 11(3), 353–389 (1993) 50. Pitts, A.: The HOL logic. In: Gordon, M.J.C., Melham, T.F. (eds.) Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Cambridge University Press, Cambridge (1993) 51. Rabe, F.: How to identify, translate and combine logics? J. Log. Comput. 27(6), 1753–1798 (2017) 52. Schwarzweller, C.: The ring of integers, Euclidean rings and modulo integers. Formaliz. Math. 8(1), 29–34 (1999) 53. Voevodsky, V.: Univalent semantics of constructive type theories. In: Jouannaud, J.P., Shao, Z. (eds.) Certified Programs and Proofs- Proceedings of the First International Conference, CPP 2011, Kenting, Taiwan, December 7–9, vol. 7086 of Lecture Notes in Computer Science, p. 70. Springer (2011) 54. Wenzel, M.: The Isabelle/Isar Reference Manual (2021) 55. Wenzel, M., Paulson, L.C., Nipkow, T.: The Isabelle framework. In: Mohamed, O.A., Muñoz, C.A., Tahar, S. (eds.) Theorem Proving in Higher Order Logics, 21st International Conference, TPHOLs 2008, vol. 5170 of LNCS, pp. 33–38. Springer (2008) Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Journal of Automated Reasoning Springer Journals

Combining Higher-Order Logic with Set Theory Formalizations

Download PDF
23 pages

Loading next page...
 
/lp/springer-journals/combining-higher-order-logic-with-set-theory-formalizations-x9qmkdW1lS

References (96)

Publisher
Springer Journals
Copyright
Copyright © The Author(s) 2023
ISSN
0168-7433
eISSN
1573-0670
DOI
10.1007/s10817-023-09663-5
Publisher site
See Article on Publisher Site

Abstract

The Isabelle Higher-order Tarski–Grothendieck object logic includes in its foundations both higher-order logic and set theory, which allows importing the libraries of Isabelle/HOL and Isabelle/Mizar. The two libraries, however, define all the basic concepts independently, which means that the results in the two are disconnected. In this paper, we align significant parts of these two libraries, by defining isomorphisms between their concepts, including the real numbers and algebraic structures. The isomorphisms allow us to transport theorems between the foundations and use the results from the libraries simultaneously. Keywords Higher-order logic · Set theory · Transport 1 Introduction Among the various foundations for formal proofs, set theory on top of higher-order logic has been tried a number of times in systems such as HOLZF [42], ProofPeer [43], Egal [10], and Isabelle/Mizar [28]. This foundation is attractive for formalization, as it offers a natural mathematical foundation combined with the automation present in HOL. The formal proof libraries of Isabelle/HOL [55] and that of Mizar [4, 16] are among the largest proof libraries in existence today. Indeed, the HOL library together with the Archive of Formal Proofs consist of more than 100,000 theorems [6], while the Mizar Mathematical Library (MML) contains 59,000 theorems. Furthermore, the results contained in the libraries are incomparable: Almost all of the Mizar library concerns itself with mathematics, while the majority of the Isabelle/AFP library are results closer to computer science [6]. For example, the Mizar library includes results about lattice theory [9], topology, and manifolds [46] not present in the Isabelle library, while the Isabelle library has many results related to algorithms not in the MML [13, 36, 37]. Cezary Kaliszyk cezary.kaliszyk@uibk.ac.at Karol Pak ˛ pakkarol@uwb.edu.pl Department of Computer Science, University of Innsbruck, Innsbruck, Austria INDRC, International Neurodegenerative Disorders Research Center, Prague, Czech Republic Institute of Computer Science, University of Białystok, Białystok, Poland 0123456789().: V,-vol 123 20 Page 2 of 23 C. Kaliszyk, K. Pąk In our previous work [7], we have presented a model of higher-order Tarski–Grothendieck, which justifies the use of higher-order logic formalizations with set theory-based ones simul- taneously. This model will allow us to combine the results present in these two major Isabelle libraries. We will specify isomorphisms between various basic types present in the libraries, such as functions and lists, leading to isomorphisms between various number structures including the real numbers, and algebraic structures. The last requires mappings between extensible soft record types and Isabelle type classes [24]. We will use the isomorphisms to transport proved theorem including the theorems of Lagrange, Bertrand, cases of Fermat’s last theorem and the Intermediate Value Theorem. We will also merge the formalizations of groups and rings in the two libraries. This paper is an extended version of our paper presented at ITP 2019 [7]. In particular the new content presented is as follows: – we specify the alignments between many more complex types in the two proof libraries including the rationals and the real numbers; – we transfer more advanced theorems between the two foundations, including the inter- mediate value theorem in the merged HOL-Set theory library, together with a large set of theorems that connect Dedekind cuts with Cauchy sequences; and – we complete the model of higher-order Tarski–Grothendieck presented in our previous work [7], by justifying that the Grothendieck-style axioms are equivalent to the Tarski style (for example used in the Mizar Mathematical Library), formalizing the relationship between them in Isabelle. The rest of the paper is structured as follows. In Sect. 2, we introduce the Isabelle HOTG foundations, which will be the basis for all the work, we describe the various axiomatizations of higher-order Tarski–Grothendieck (HOTG) and prove some of them to be equivalent. The basics of the aligned libraries are presented in Sect. 3. The subsequent Sects. 4 and 5, 6 discuss our isomorphisms between the different types concerning functions, numbers, and algebra respectively. Section 7 shows practical examples of theorems we can move using the isomorphisms. Section 8 discusses the Tarski–Grothendieck equivalence proofs. Finally, Sect. 9 discusses the related work on combining foundations and Sect. 10 presents the existing automated transfer methods in higher-order logic and discusses the limitations of the current work in this respect. 2 Isabelle and Isabelle/Mizar The Isabelle logical framework’s meta-logic Pure is a variant of simple type theory with shallow polymorphism. The framework provides functionality that makes it convenient to define object logics, namely allowing easily defining their types, objects, and inference rules as well as their notations. Isabelle/HOL is today the most developed Isabelle object logic. Further Isabelle object logics [48] include constructive type theory or untyped set theory [49]. As Isabelle/HOL is relatively well known and documented, we assume that the reader is familiar with the HOL foundations, Isabelle’s basic commands (such as definition and theorem) and the basic Isabelle objects (numbers and lists). For details, we refer the reader to the Isabelle Manual [54]. The details of Isabelle/Mizar’s design and implementation have been presented previously [28], therefore, we present only the main commands needed for understanding the current paper. Isabelle/Mizar can be loaded on top of Isabelle/FOL or Isabelle/HOL. It re-uses the type of propositions of the underlying basic logic (o of FOL or bool of HOL) and its basic 123 Combining Higher-Order Logic... Page 3 of 23 20 propositional connectives (negation, conjunction, disjunction, implication), as well as the polymorphic equality present there. However, as the intention of Isabelle/Mizar is to provide a sofly-typed set theory, the universal and existential quantifiers are actually bounded quan- tifiers that for each quantified object require the type over which it ranges (e.g., ∀xbeing Nat. …). These propositional and predicate quantifiers together with quality are sufficient for representing firest-order logic with quality and to represent Jask ´ owski [26] style natural deduction proofs present in Mizar. To introduce the soft type system, a meta logic type of soft-types ty is declared together with the an infix operator is that corresponds to the element satisfying the predicate associated with a type. Types can be combined with an intersection operator (e.g., xiseven | number) and can be negated (e.g., y is non-negative) with natural semantics to these operations. The meta-logic abstractions can be used to parametrize the types by other types or even by terms (e.g., A is m,n-matrix corresponds to m-by-n matrices). To improve automation, the user can prove properties of types, including inhabited and sethood. The first one is useful for eliminating quantifiers, whereas the latter is useful for forming compregension operators. Finally, a choice operator (denoted the on the level of types allows for getting a term of a given type). For example, given the type of sets, that is intersected with empty, it is possible to define the empty set as the empty | set. The Isabelle/Mizar object logic subsequently introduces the axioms of set theory, specif- ically, the Tarski–Grothendieck axioms. In particular, the Fraenkel axiom is sufficient to construct set comprehensions written as {F(x)where x be Element-of X: P(x)} (called Fraenkel terms)for agiven set X, function F and predicate P. In the Mizar language, it is not always possible to define such a functor for arbitrary X, F, P, to avoid inconsistency (variants of Russell’s paradox), however, with the help of sethood safe comprehension terms can be interpreted. In Isabelle/Mizar the semantics of comprehension are defined with sethood as a precondition, which means that the property is only valid for terms for which sethood has been proved. This completes the axiomatic part of the object logic, and subsequent parts are introduced as definitional extensions. In particular, the possibility for users to define all kinds types and objects, as well as syntax that allows an easier interaction with softly-typed set theory will be added in this way. Isabelle/Mizar allows four kinds of user-level definitions corresponding to the same four kinds of user-level definitions in Mizar [16]. Defining predicates is not different from the usual Isabelle definitions. We present the definition of a set theoretic functor by the example of the set theoretic union of two sets : mdef xboole-0-def-3 (infixl ∪ 65) where mlet X be set, Y be set func X ∪ Y → set means λit. ∀ x. xinit ←→ xinX ∨ xinY The mdef command starts with the handle used to refer to the definition, followed by an optional notation (union denoted by infix ∪), a typing environment in which the definition is made (mlet) and then the actual defined operator is given after the keyword func. The return type is given after the keyword →. A definition by means is supposed to correspond to a concept where the it has the desired property. The user needs to show the existence and the uniqueness as proof obligations. When the user completes these proofs, the Isabelle/Mizar The Isabelle definitions and lemmas that directly correspond to the definitions and lemmas in the Mizar Mathematical Library have been names with the same identifiers in order to ease comparison. For example the Isabelle/Mizar definition xboole-0-def-3 directly corresponds to the MML definition XBOOLE_0:def_3 (colon is not allowed in Isabelle labels). 123 20 Page 4 of 23 C. Kaliszyk, K. Pąk definition package introduces the identifier together with the theorems corresponding to the property of the object and its type for further use. Functors can also be defined by equals where the term is given directly in a given environment and with a given return type of the defined term. There, the obligation is to show that the result has the return type. Type definitions are similar. In order to make type inference and checking automatable, types are divided into modes (more primitive types that are known to be inhabited) and attributes (the types that are used to restrict other types with intersection). Consider for example the definition of the type of a finite sequences over the type D (which are the set-theoretic equivalents of polymorphic lists used are often used in formal proofs): mdef finseq-1-def-4 (FinSequence−of -) where mlet D be object mode FinSequence−of D → FinSequence means (λit. rng it ⊆ D) Again mlet introduces an environment (these are preconditions for the definitional the- orems but can be used in the proofs) and the definition can describe the desired properties that all objects of the defined type must have. After the proof obligation (non-emptiness) is proved, definitional theorems are derived and given to the user. The already mentioned attributes are also similar. They restrict a given type to a subtype. An example type intro- duced with the help of an attribute is the type of relations. First, the attribute Relation_like is introduced, which can be later used to define the type of relations as just an abbreviation, as follows. mdef relat-1-def-1 (Relation-like) where attr Relation-like for set means (λit. ∀ x. xinit −→ (∃ y, z. x = [y, z])) .. This approach allows for all definitions and operations defined for a Relation to also imme- diately be available for a Function, which is defined as a type restriction using the attribute Function_like. The type FinSequence is similarly defined by the attribute FinSequence_like as follows: mdef funct-1-def-1 (Function-like) where attr Function-like for set means (λit. ∀ x,y1,y2 being object. [x,y1] in it ∧[x,y2] in it −→ y1 = y2) .. mdef finseq-1-def-2 (FinSequence−like) where attr FinSequence−like for Relation means (λit. ∃ n be Element−of NAT . dom it = Seg n) .. abbreviation Relation ≡ Relation-like | set abbreviation Function ≡ Function-like | Relation abbreviation FinSequence ≡ FinSequence−like | Function Finally, Isabelle/Mizar introduces the mtheorem command, that is similar to the standard theorem command, but additionally allows the introduction of soft-type assumptions with the mlet keyword and hiding these from the user as long as the automated type inference can handle these. Additionally to imitate the Mizar automation the mby proof method has been included, that combines type inference with Isabelle’s auto proof method. Parallel to the system development, the Mizar community puts a significant effort into building the Mizar Mathematical Library (MML) [4]. Parts of the MML library (including 123 Combining Higher-Order Logic... Page 5 of 23 20 numbers or parts of algebra) have been translated to Isabelle/Mizar [29] and are being used in the current paper. 3 Proof Integration The Isabelle higher-order Tarski–Grothendieck foundations allow the import of results proved in higher-order logic and in set theory. This is possible both theoretically (we have previously presented a model that supports the combined foundation [7] and discussed its adequacy more in Sect. 8) and practically, that is the Isabelle logical framework allows us to import various results from the two libraries of Isabelle/HOL and Isabelle/Mizar in the same environment. Note, however, that the imported developments are initially disconnected. In this and the next sections, we will define transfer methods between these results. These will allow us to use theorems proved in one of the foundations using the term language of the other. All the definitions and theorems presented in these sections have been formalized in Isabelle and will be presented close to the Isabelle notation. The Isabelle environment will import both Isabelle/HOL [41] and Isabelle/Mizar [28] object logics along with a number of results formalized in the standard libraries of the two. Isabelle distinguishes between meta- level implication ( ⇒) and object-level implication (−→) and our notation in examples below reflects this distinction. The remaining notations will follow first-order conventions. In particular, the symbols = and = will refer to the HOL and set-theoretic equality H S operations respectively. Then, be is the Mizar infix operator for specifying the type of a set in the Mizar intersection type system [31]. In order to transfer results between the foundations, we will first define bijections between types that are isomorphic. We will next show that these bijections preserve various constants and operators. This will allow us to transfer results using higher-order rewriting, in the style of quotient packages for HOL [23, 34] and the Isabelle transfer package [21]. Note, that we are not able to use these packages directly. We discuss this in Sect. 10. In the Mizar set theory there are often two ways to express domains of objects. It is already the case for the natural numbers, where it is common to reason both about the type of the natural numbers and the members of the set of natural numbers. This is necessary since the arguments of all operations must be sets, while the reasoning engine allows more advanced reasoning steps for types [4]. We, therefore, define two operators, one that specifies a bijection between a HOL type and a set-theoretic set and one that specified a bijection between a HOL type and a set-theoretic type. The definitions are analogous and we show only the former one here. We will define an isomorphism between a type σ and a set d ∈  to be a pair ( f , g) of functions (at the type theory level) where f maps sets to objects of type σ and g maps objects of type σ to sets in such a way that objects of type σ (in the type theory) correspond uniquely to elements of d (in the set theory). Definition 3.1 Let σ be a type, d ∈  be a set and s2h ∈  and h2s ∈  be ι ι⇒σ σ ⇒ι functions. The predicate beIso h2s, s2h, d holds whenever all of the following hold: – ∀x : σ.s2h(h2s(x )) = x, – ∀x : ι.x ∈ d −→ h2s(s2h(x )) = x, – ∀x : σ.h2s(x ) ∈ d. In Isabelle the definition appears as follows: definition beIsoS(h2s,s2h,d) ←→ ((∀ y. s2h(h2s(y)) = y) ∧ L H (∀ x:Element−of d. h2s(s2h(x)) = x)∧ (∀ y. h2s(y) in d)) 123 20 Page 6 of 23 C. Kaliszyk, K. Pąk The existence of a bijection does not immediately imply the inhabitation of the type/set. However, as types need to be non-empty in both formalisms, we can derive this result as below. For space reasons we only present the statements, all the theorems are proved in our formalization. theorem beIsoS-d: beIsoS(h2s,s2h,d) ⇒ d is non empty 4 Integrating Basic Infrastructure: Functions and Lists We will denote the morphisms from set theory to HOL with the prefix s2h and the inverse ones with the prefix h2s. We will initially give the complete types for readability, omitting them later, where the types are clear. The first type, for which we build an isomorphism, is the type of functions. In order to transfer a function of the type α → β between set theory and HOL, we will require isomorphisms for the types α and for the type β. In order to transfer a set-theoretic function (set of pairs) to HOL, given transfer functions on the range, on the domain, and the function itself, we return the lambda expression, that given a HOL input to the function, transfers it, applies the function to it and transfers it back. The formal definition is as follows. definition s2hf :: (Set ⇒ b) ⇒ (a ⇒ Set) ⇒ Set ⇒ (a ⇒ b)(s2h (-,-,-)) where s2h (s2hr,h2sd,f ) = (λx. s2hr(f .(h2sd(x)))) Similarly, to build a set-theoretic function (set of pairs) given a HOL function and the transfer operations, and the domain, we directly build this set: definition h2sf :: (Set ⇒ a) ⇒ (b ⇒ Set) ⇒ Set ⇒ (a ⇒ b) ⇒ Set (h2s (-,-,-,-)) where h2s (s2hd,h2sr,d,f ) = the set−of −all [x,h2sr(f (s2hd(x)))] where x be Element−of d f S We are then able to directly show that these two functions are inverses of each other on their domains. We also show the existence of an isomorphism, and show that this isomorphism preserves the function application operation: theorem beIsoT-Function: assumes beIsoS(h2sd,s2hd,d) beIsoS(h2sr,s2hr,r) shows beIsoT (λf . h2s (s2hd,h2sr,d,f ),λf . s2h (s2hr,h2sd,f ),Function−of d,r) f f theorem HtoSappl: assumes beIsoS(h2sd,s2hd,d) and beIsoS(h2sr,s2hr,r) shows h2s (s2hd,h2sr,d,f ).h2sd(x) = h2sr(f (x)) Isabelle/HOL lists are realized as a polymorphic algebraic datatype, corresponding to functional programming language lists. MML lists (called finite sequences, FinSequence) are functions from an initial segment of the natural numbers. Higher-order lists behave like stacks, with access to the top of the stack, whereas for the set-theoretic ones the natural operations are the restriction or extension of the domain. To build a bijection between these types, we note that the Cons operator corresponds to the concatenation of a singleton list and the second argument. Since the list type is polymorphic (in the shallow polymorphism sense used in HOL), in order to build this bijection, we also need to map the actual elements of the list. Therefore the bijection on lists will be parametric on a bijection on elements: fun h2sfs :: (a ⇒ Set) ⇒ aList.list ⇒ Set (h2s (-,-))where h2s (h2s, Nil) = <∗> L S | h2s (h2s, Cons(h, t)) = ((<∗h2s(h)∗>) ˆM (h2s (h2s, t))) L S L 123 Combining Higher-Order Logic... Page 7 of 23 20 Where <∗> and ˆM represent the Mizar empty sequence and the concatenation of sequences respectively. The converse operation needs to decompose a sequence into its first element x.1 and the remainder of the sequence shifted by one /ˆM1 . We define this operation S S in Isabelle/Mizar and complete the definition. Isabelle will again require us to show the termination of the function, which can be done by induction on the length of the list/sequence: function s2hl :: (Set ⇒ a) ⇒ Set ⇒aList.list (s2h (-,-)) where ¬ x be FinSequence ⇒ s2h (s2h,x) = undefined L H | s2h (s2h,<∗>) = Nil L H | x be FinSequence ⇒ x = <∗> ⇒ s2h (s2h,x) = Cons (s2h(x.1 ),s2h (s2h,x/ˆM1 )) L H S L S For the transformation introduced above, we can show that if we have a good homomor- phism between the elements of the lists, then lists over this type are homomorphic with finite sequences. We can again show that this homomorphism preserves various basic operations, such as concatenation, the selection of n-th element, length, etc. theorem s2hL-Prop: assumes p be FinSequence and q be FinSequence and nbeNat and ninlen p shows length(s2h (s2h,p)) = s2h (len p) L IN s2h (s2h,pˆMq) = s2h (s2h,p) @ s2h (s2h,q) L H L L s2h (s2h,p) ! s2h (n) = s2h(p.(succ n)) L IN H Note, that the sequences in the Mizar library, FinSequence, are indexed starting at 1, whereas Isabelle/HOL’s nth starts from 0, which justifies the usage of a shift (succ n). Fur- thermore, since Mizar Mathematical Library uses natural numbers in the Peano sense, the expression ninlen p actually means n < len p. To actually use these in order to move the- orems between the libraries we show how the morphisms interact with the operations. For example, for reverse these are: theorem rev-Rev: assumes p be FinSequence shows rev(s2h (s2h,p)) = s2h (s2h,Rev p) L H L theorem Rev-rev: Rev(h2s (h2s,p)) = h2s (h2s,rev(p)) L L Moving a polymorphic statement from the Isabelle/HOL library to Isabelle/Mizar requires an additional assumption about the existence of an isomorphism on the parametrized type. The usual statement about the length of a reversed list, therefore becomes (of course this simple statement is already available in the Isabelle/Mizar library, and can be used by referring to finseq_5_def_3, but its simplicity is good to demonstrate moving polymorphic statements): theorem assumes p be FinSequence−of d and beIsoS(h2s,s2h,d) shows len Rev p = len p using Rev-rev[of h2s s2h (s2h, p)] len-length[of h2s s2h (s2h, p)] len-length[of h2s rev(s2h (s2h, p))] by (simp only: length-rev FLF-prop[OF assms]) 123 20 Page 8 of 23 C. Kaliszyk, K. Pąk We also show the proof here. It is still straightforward, just like the other proofs of the moved statements given the morphisms, but with polymorphism it no longer follows by higher-order rewriting. 5Numbers The way numbers are constructed in set-theory based libraries is very different from the majority of the libraries based on HOL or type-theory. In particular, in Isabelle/Mizar sub- sequently defined number types are extended (in the sense of set-theoretic subset) by new elements. This is as opposed to hard-type-based systems, in which subsequently defined number types are independent and projections or coercions which preserve the functions are necessary. In particular, Isabelle/Mizar’s real numbers are constructed as Dedekind cuts. Note, however, that the cuts corresponding to the rational numbers are replaced by the rational numbers themselves, in order to preserve the inclusion Q ⊂ R. A second, less important, distinction is the fact that in the Mizar library the non-negative ≥0 ≥0 types (N, Q , R ) are constructed first. After this, the negative reals are built as Kuratowski pairs of the singleton zero and the positive element. Finally, the rationals and integers are ≥0 ≥0 subsets of the set of all reals. In particular, the sets N, Q , R , R are already constructed with the basic operations on these sets and addition, subtraction, multiplication directly re- use the real operations. The only additional thing to prove is that the types are preserved, so for example the addition of integers returns a real that is also an integer. The inclusions, together with the order of the construction are depicted in Fig. 1.Inorder to realize this construction in Isabelle/Mizar, we first define the set of the natural numbers, as the smallest limit ordinal. The formal definition is as follows: mdef ordinal1-def-11 (omega) where func omega → set means (λit. 0 in it ∧ it be limit-ordinal ∧ it be Ordinal ∧ (∀ A:Ordinal. 0 in A ∧ A is limit-ordinal −→ it ⊆ A)) The definition introduces the constant (zero-argument functor) omega of the Mizar type set, which satisfies the condition specified after the keyword means, that is, the defined constant it is a limit ordinal with 0 as a member, and it is the smallest such set (considering set inclusion). As a reminder, the mdef command requires the formalization to specify the existence of the constant (proof is only included in the formalization), which is a consequence of the Tarski universe property and its uniqueness. On the other hand, the Isabelle natural numbers are a subtype of the type of individuals. In order to merge these two different approaches, we specified a functor that preserves zero and the successor. Note that the functor is specified only for the type of the natural numbers which in Isabelle/HOL is implicit, but in the softly-typed set theory needs to be written and checked explicitly. This is the reason for having an undefined case, which as we will see later, still gives an isomorphism. Fig. 1 The inclusions between the sets in the Mizar Mathematical Library. The arrows show the construction order between the sets in the MML and our Isabelle set formalization 123 Combining Higher-Order Logic... Page 9 of 23 20 0 if n = 0 , S H H h2s (n) = N S S (h2s (k)) if n = S (k) for some H-natural k. S N H H ⎨ 0 if n = 0 , H S S s2h (n) = S (s2h (k)) if n = S (k) for some S-natural k, N H H N S S undefined otherwise. The functor and its inverse are formally defined in Isabelle as follows fun h2sn :: nat ⇒ Set (h2s (-)) where IN h2s (0::nat) = 0 | h2s (Suc(x)) = succ h2s (x) IN S S IN S IN function s2hn :: Set ⇒ nat (s2h (-)) where IN ¬xbeNat ⇒ s2h (x) = undefined IN H | s2h (0 ) = 0 IN S H | xbeNat ⇒ s2h (succ(x)) = Suc(s2h (x)) IN IN Note that h2s is defined only on the HOL natural numbers (nat), while s2h is defined on IN IN all sets and its definition is only meaningful for arguments that are of the type Nat.The soft- type system of Mizar requires us to give this assumption explicitly here, but it can normally be hidden in the contexts where the argument type is restricted appropriately. Isabelle requires us to prove the termination of the definition, which can be done using the proper subset relation defined on natural numbers in the Peano sense. Using the induction principles for natural numbers present in both libraries, we can show the property beIsoS(h2s , s2h ,NAT ),where NAT is the set of all Nat. In particular, it gives a IN IN bijection (note the hidden type restriction to sets of type nat). We show also that the functors h2s , s2h preserve all the basic operations. IN IN theorem Nat-to-Nat: fixes x::nat and y::nat assumes nbeNat and mbeNat IN shows h2s (x + y) = h2s (x) + h2s (y) IN H S IN S IN IN s2h (n + m) = s2h (n) + s2h (m) IN S H IN H IN IN h2s (x ∗ y) = h2s (x) ∗ h2s (y) IN IN IN H S S IN s2h (n ∗ m) = s2h (n) ∗ s2h (m) IN S H IN H IN x < y ←→ h2s (x) ⊂ h2s (y) IN IN n ⊂ m ←→ s2h (n)< s2h (m) IN IN xdvd y ←→ h2s (x) divides h2s (y) IN IN n divides m ←→ s2h (n) dvd s2h (m) IN IN prime(x) ←→ h2s (x) is prime IN S nisprime ←→ prime(s2h (n)) S IN 5.1 Isabelle/Mizar Number Hierarchy After the natural numbers, MML constructs the non-negative rationals as pairs of relatively prime naturals. Additionally, to preserve the set-theoretic inclusion of the set of natural numbers, not only pairs with the denominator zero but also those with denominator one are excluded and the original natural numbers added. We follow the same construction in Isabelle/Mizar. ≥0 mdef arytm-3-def-7 (RAT ) where ≥0 func RAT → set equals ({[i,j] where i be Element−of NAT, j be Element−of NAT : i,j are−coprime & j = 0 }\ the set−of −all [k,1 ] where k be Element−of NAT ) ∪ NAT S S 123 20 Page 10 of 23 C. Kaliszyk, K. Pąk Non-negative real numbers are constructed in a similar way. To the set of non-negative rationals, we add Dedekind cuts corresponding to the positive irrational numbers. A standard definition of Dedekind cuts is used, only restricted to non-negative rationals. We assume that a proper subset A of non-negative rationals is a cut, if it is closed under smaller elements ≥0 ≥0 Q (∀r, s:Element−of RAT . rin A ∧ s ≤ r −→ sinA) and for every element in the set A ≥0 there is a larger element in the set A (∀r :Element −of R AT .rin A −→(∃s:Element −of ≥0 ≥0 Q ≥0 RAT .sin A ∧ r < s)). Note that RAT fulfills this condition, however, it is not a proper subset of non-negative rationals. In contrast, in this approach, the empty set is a ≥0 Dedekind cut, but we do not need to add it in the construction of REAL , since empty corresponds to zero. mdef arytm-2-def-1(DEDEKIND-CUTS) where ≥0 func DEDEKIND-CUTS → Subset−Family−of RAT equals ≥0 { A where A be Subset−of RAT : ≥0 ∀ r: Element−of RAT . rinA −→ ≥0 ≥0 Q (∀ s: Element−of RAT . s ≤ r −→ sinA) ∧ ≥0 ≥0 Q ≥0 (∃ s: Element−of RAT . sinA ∧ r < s)}\{RAT } In order to preserve the inclusion between the rationals and reals, again the non-negative real numbers are obtained as a union of the non-negative rationals as defined above and the Dedekind cuts corresponding to the irrational numbers, that is cuts that cannot be realized in ≥0 the form {swhere sbe Element−of RAT +: s < q} where q is rational. ≥0 mdef arytm-2-def-2 (REAL ) where ≥0 ≥0 func REAL → set equals (RAT ∪ DEDEKIND-CUTS) \ ≥0 ≥0 Q ≥0 {{s where s be Element−of RAT : s < t} where t be Element−of RAT : t = 0 } Finally, the complete reals (REAL) are constructed by adding the negative real numbers. In the Mizar set theory the negative numbers are represented by the pairs [0 ,r],where r is a positive real number. For this, we add the pairs corresponding to r,where r is a non-negative real and then remove the pair [0 ,0 ] to avoid duplicating 0. The sets of rationals and integers S S are then appropriate subsets of the set REAL. Of course, it would be possible to build these sets directly, together with their respective arithmetic operations, however, this would require the introduction of different symbols for these operations in the different datatypes. The ≥0 ≥0 Isabelle/Mizar formalization only temporarily introduces the operations Q , R which will almost never be used in the library, and the operations for the type R, which will be directly reused for Z and Q. In particular, this allows using the operations in the context of homomorphisms between integers, rationals, and reals. mdef numbers-def-1 (REAL) where func REAL → set equals ≥0 ≥0 REAL ∪[:{0 },REAL :] \ {[0 ,0 ]} S S S mdef numbers-def-3 (RAT ) where func RAT → set equals ≥0 ≥0 RAT ∪[:{0 },RAT :] \ {[0 ,0 ]} S S S mdef numbers-def-4 (INT ) where func INT → set equals NAT ∪[:{0 },NAT :] \ {[0 ,0 ]} S S S 123 Combining Higher-Order Logic... Page 11 of 23 20 5.2 Integrating Numbers Given the Isabelle/Mizar number hierarchy specified in the previous section, we can start building bridges between the types. We start with the integers. The set-theoretic definition is again different from the one used in Isabelle/HOL. There, an equivalence relation (equal modulo the difference) is defined on pairs of natural numbers, and the quotient package [34] is used to construct the new type. Still, it is straightforward to define a bijection between the two, using the constructed bijections between natural numbers. We also show that these bijections preserve all the basic operators. function h2sZ :: int ⇒ Set (h2s (-))where ZZ x ≥ 0 ⇒ h2s (x) = h2s (nat(x)) ZZ S IN IR | x < 0 ⇒ h2s (x) = − h2s (nat(− (x))) ZZ S S IN H function s2hZ :: Set ⇒ int (s2h (-))where ZZ ¬xisInteger ⇒ s2h (x) = undefined ZZ H | x is natural ⇒ s2h (x) = int(s2h (x)) ZZ H IN IR | xisInteger & not x is natural ⇒ s2h (x) = − (int(s2h (− x))) ZZ IN H H S theorem beIsoS-INT : beIsoS(h2s ,s2h ,INT ) ZZ ZZ For the rational numbers, we construct the natural bijection h2s , s2h using the bijections Q Q between the integers and the unique representation of any rational as an irreducible fraction. We again show that the operations behave well on arbitrary (including reducible) fractions. theorem s2hQI: fixes n::nat shows n = 0 −→ Fract(i,n) = s2h (h2sZ(i)/ h2sZ(n)) H H Q Q theorem s2hQM: iisInteger ∧ nisNat ∧ n ={}−→ s2h (i / n) = Fract(s2h (i),s2h (n)) Q Q ZZ ZZ The constructions of the real numbers are significantly different in the two considered proof libraries. Indeed, in Isabelle/HOL reals are quotients of Cauchy sequences whereas the MML one uses Dedekind cuts. More precisely, in the MML, Dedekind cuts are used to construct the irrational, and operations on them are defined on the cuts. To build a homomorphism between the two definitions and to use it for all the operators requires considering cases, namely whether the given argument is a rational number of a cut. The same is true for the results of the operators. To ease these constructions we first introduce two operators: DEDEKIND_CUT which transform a real number to a Dedekind cut, i.e., for positive rationals it associates to the number ≥0 ≥0 Q r the cut {swhere sbe Element−of RAT : s < r}, and for irrational numbers, which are already cuts, it is the identity. We also define the inverse operator GLUE, which transforms ≥0 ≥0 Q cuts that can be represented in the form {swhere sbe Element−of RAT :s < r} for a rational r, returns r, and is the identity otherwise. mdef arytm-2-def-3 (DEDEKIND-CUT-) where ≥0 mlet x be Element−of REAL func DEDEKIND-CUT x → Element−of DEDEKIND-CUTS means ≥0 λit. ∃ r:Element−of RAT . x = r ∧ ≥0 ≥0 Q it ={s where s be Element−of RAT : s < r} ≥0 if x in RAT otherwise λit. it = x 123 20 Page 12 of 23 C. Kaliszyk, K. Pąk mdef arytm-2-def-4 (GLUED -) where mlet x be Element−of DEDEKIND-CUTS ≥0 func GLUED x → Element−of REAL means ≥0 λit. ∃ r : Element−of RAT . it = r ∧ ≥0 ≥0 Q (∀ s : Element−of RAT . sinx ←→ s < r) ≥0 ≥0 if ∃ r : Element−of RAT . ∀ s : Element−of RAT . ≥0 sinx ←→ s < r otherwise λ it. it = x We will now construct the homomorphism between the real number representations. Con- sider a non-empty Dedekind cut A. We observe, that by multiplying all the elements of A by a positive rational q, we obtain a non-empty Dedekind cut. We denote this cut by q ∗ A.Next, we denote by max A the largest natural number in the set A. Consider the sequence of non- IN max (2 ∗ A) IN D negative rationals . It easily follows that this sequence is non-decreasing n∈IN and that for every n ≤ k it is true that n k n max (2 ∗ A) max (2 ∗ A) max (2 ∗ A) 1 IN D IN D IN D ≤ ≤ + n k n n 2 2 2 2 which shows that this sequence is a Cauchy sequence. This allows us to associate any positive real number with a Cauchy sequence of rationals: mdef Rat2C(rC - 110) where ≥0 mlet r be Element−of REAL func rC r → Function−of NAT,RAT means λit. ∀ n:Nat. it. n = (max (( 2 |ˆn) ∗ (DEDEKIND-CUT r))) / ( 2 |ˆn) IN S D Q S Using the previously defined homomorphisms between the naturals and rationals as well as between the types of functions (Sect. 4 and previous subsections of Sect. 5), we can transform this set-theoretic function to a HOL one. We show that this transformation preserves Cauchy convergence: definition s2hseq :: Set ⇒ (nat ⇒ rat)(s2hseq(-)) where s2hseq(f ) = s2hf (s2hQ,h2sn,f ) theorem MICauchy: assumes f is Function−of NAT,RAT shows f is Cauchy ←→ Real.cauchy (s2hseq(f )) Which allows us to define the final homomorphism that given a set-theoretic real trans- forms it to a HOL real. function s2hR :: Set ⇒ real (s2h (-))where IR ¬xisMReal ⇒ s2h (x) = undefined IR ≥0 | x is Element−of REAL ∧ x=0 ⇒ s2h (x) = Real.Real(s2hseq(rC x)) S IR H ≥0 | x is Element−of REAL ∧ x=0 ⇒ s2h (x) = 0 S IR H ≥0 | xisMReal ∧ x=0 ∧¬ x is Element−of REAL ⇒ IR s2h (x) = − Real.Real(s2hseq(rC(− x))) IR H H S where for non-negative real number x, we use it to produce the sequence of rational numbers rC x, which are subsequently transformed to a sequence of HOL reals s2hseq(rC x), and finally we return the abstraction of the Cauchy sequence class to which the sequence belongs. For negative real numbers, we use minus twice, analogously to the integer and rational IR constructions. − (...( − x)) H S 123 Combining Higher-Order Logic... Page 13 of 23 20 In order to build the inverse transformation, we will construct the Dedekind cut based on a real number. First, for any real number r, we start with one of the Cauchy sequence real2seqL(r) belonging to its equivalence class r. We consider the equivalence of this sequence in set theory: h2sseq(r). This sequence is non-decreasing and has non-negative values if r is non-negative. Additionally, if r is positive, this sequence h2sseq(r) is also positive starting from some index. This means that for any positive real r, the sequence ≥0 ≥0 Q {swhere sbe Element−of RAT : s < h2sseq(r).n } is non-empty (from some posi- n∈IN tion, to be precise when h2sseq(r).n =0 ) and non-decreasing and its union (seq2Dedekind)isa Dedekind cut. definition real2seqL :: real ⇒ (nat⇒rat) where real2seqL(r) = (λn::nat. Fract(r ∗ (2ˆn),2ˆn)) H H definition h2sseq :: real ⇒ Set (h2sseq(-)) where h2sseq(r) = h2sf (s2hn,h2sQ,NAT,real2seqL(r)) mdef seq2Dedekind where mlet f be Function−of NAT, RAT ≥0 func seq2Dedekind(f ) → Subset−of RAT means ≥0 IR λit. ∀ x:Element−of RAT . xinit ←→ (∃ k:Nat. x < (f .k)) The final transformation that given a HOL real number extracts its Cauchy sequence and transforms it to an Isabelle/Mizar real is: function h2sR :: real ⇒ Set (h2s (-))where IR x > 0 ⇒ h2s (x) = GLUED(seq2Dedekind(h2sseq(x))) IR | x = 0 ⇒ h2s (x) = 0 IR H S IR | x < 0 ⇒ h2s (x) =− GLUED(seq2Dedekind(h2sseq(− x))) IR S H The two defined operations s2h and h2s are not as straightforward as for the naturals or IR IR rationals. We do nonetheless prove (details are only in the formalization) that they do indeed give an isomorphism and that this isomorphism preserves the basic arithmetic operations and the standard less than order. theorem beIsoS-Real: beIsoS(h2sR,s2hR,REAL) theorem Real-to-Real: fixes x::real and y::real assumes rbeMReal and sbeMReal IR shows h2s (x + y) = h2s (x) + h2s (y) IR IR IR H S S IR s2h (r + s) = s2h (r) + s2h (s) IR IR IR S H H IR h2s (x ∗ y) = h2s (x) ∗ h2s (y) IR H S IR S IR IR s2h (r ∗ s) = s2h (r) ∗ s2h (s) IR S H IR H IR IR x ≤ y ←→ h2s (x) ≤ h2s (y) IR IR IR r ≤ s ←→ s2h (r) ≤ s2h (s) IR IR We are now ready to practically move proved theorems about numbers between HOL and Isabelle/Mizar. 6 Algebra The structure representations used in higher-order logic and set theory are usually different. This will be particularly visible when it comes to algebraic structures. In the Isabelle/HOL formalization, algebraic structures are type-classes while in set theory a common approach 123 20 Page 14 of 23 C. Kaliszyk, K. Pąk would be partial functions. We will illustrate the difference on the example of groups. A type α forms a group when we can indicate a binary function on this type that will serve as the group operation satisfying the group axioms. On the other hand, in the usual set-theoretic approach a group in set theory would consist of an explicitly given set (the carrier), and the group operation. With an intersection type system, the fact that the given set with an operation is a group is specified by intersecting the type of structures with the types that specify their individual properties (i.e., a group is a non-empty associative Group-like multMagma) There are two more differences in the particular formalizations we consider, that we will not focus on, but we will only mention them in this paragraph and consider them only in the formalization. First, the existence and uniqueness of the neutral element can be either assumed in the group specification or derived from the axioms. We will not focus on that, as this is only the choice of a group axiomatization. Second, in the Mizar library, there are two theories of groups: additive groups and multiplicative groups. Rings and fields inherit the latter, while some group-theoretic results are derived only for the former. Even if the Isabelle/HOL group includes a field for the unit, we will ignore it in the morphism, since the set-theoretic definition does not use one. The neutral element along with the other properties is, however, necessary to justify that the result of the morphism is a group in the set-theoretic sense. definition h2sg (h2s (-,-,-,-)) where h2s (s2hc,h2sc,c,g) = [# G S carrier → c; multF → h2s (s2hc,h2sc,c,mult(g)) #] BinOp definition s2hg (s2h (-,-,-)) where s2h (s2hc,h2sc,g) = Igroup( G H Collect(λx. h2sc(x) in the carrier of g), s2h (s2hc,h2sc,the multF of g), BinOp s2hc(1. )) For the dual morphism, we indicate the result of the operation selecting the neutral element (1. ) as the field needed in the construction of the type-class element. With its help, we can justify that the fields of the translated structure are translations of the fields. theorem s2hg-Prop: assumes beIsoS(h2sc,s2hc,c) and g be Group and the carrier of g = c and x ∈ carrierI(s2h (s2hc, h2sc, g)) y ∈ carrierI(s2h (s2hc, h2sc, g)) shows one(s2h (s2hc,h2sc,g)) = s2hc(1. ) G g x ⊗ y = s2hc(h2sc(x) ⊗ h2sc(y)) s2h (s2hc,h2sc,g) group (s2h (s2hc,h2sc,g)) A number of proof assistant systems based both on higher-order logic (including Isabelle/HOL) and set theory (including Mizar) support inheritance between their algebraic structures. As part of our work aligning the libraries we also want to verify that such inher- itance is supported in the combined library. For this, we align the ring structures present in the two libraries. The isomorphism between the structures is defined in a similar way to the one for groups, we refer the interested reader to our formalization. We can show that the morphisms form an isomorphism and derive some basic preservation properties. The most basic one is the fact that the isomorphism preserves being a ring. theorem s2hr-Prop: assumes beIsoS(h2sc,s2hc,c) and rbeRing and the carrier of r = c 123 Combining Higher-Order Logic... Page 15 of 23 20 and x ∈ carrierI(s2h (s2hc,h2sc,r)) y ∈ carrierI(s2h (s2hc,h2sc,r)) R R shows zero(s2h (s2hc,h2sc,r)) = s2hc(0 ) R H one(s2h (s2hc,h2sc,r)) = s2hc(1 ) R H x ⊕ y = s2hc(h2sc(x) ⊕ h2sc(y)) H r s2h (s2hc,h2sc,r) x ⊗ y = s2hc(h2sc(x) ⊗ h2sc(y)) s2h (s2hc,h2sc,r) ring (s2h (s2hc,h2sc,r)) Finally, we introduce the equivalent of the definition of the integer ring introduced in the MML in [52]. We have previously discussed the semantics of Mizar structures and the way they are represented in Isabelle/Mizar in [27]. Here, with the previously defined isomorphisms for the subfields, we can show that s2h and h2s determine an isomorphism between the R R fields of the rings developed in Isabelle/HOL and the Mizar Mathematical Library. mdef int-3-def-3 (ZZ−ring) where func ZZ−ring → strict(doubleLoopStr) equals [# carrier → INT ; addF → addint; ZeroF → 0 ; multF → multint; OneF → 1 #] theorem H-Zring-to-S-Zring: h2s (s2h , h2s ,INT,Z) = ZZ−ring R ZZ ZZ S s2h (s2h , h2s , ZZ−ring) = Z R ZZ ZZ 7 Integrated Libraries: Practical Examples We are now ready to use the existence of isomorphisms to automatically transform theorems about continuity of functions, including the Intermediate Value Theorem and the theorem that states that the image of a closed interval is a closed interval: theorem continuous-atM: fixes fa assumes f be Function−of REAL,REAL a is MReal shows isCont(s2h IR(f ),s2hR(a)) ←→ f is-continuous-in a theorem continuous-atI: fixes f ::real⇒real shows isCont(f,a) ←→ (h2s IR(f )) is-continuous-in (h2sR(a)) theorem IVTmiz: IR IR IR ∀ f :Function−of REAL,REAL. ∀ a,b,v:MReal. f . a ≤ v & v ≤ f . b & a ≤ b & f is-continuous-on [.a, b.]−→ IR IR (∃ x:MReal. a ≤ x & x ≤ b & f . x = v) theorem IVT-img: ∀ f :Function−of REAL,REAL. ∀ a,b:MReal. IR a ≤ b ∧ f is-continuous-on [.a, b.]−→ IR (∃ c,d:MReal. c ≤ d ∧ f .:[. a, b .]= [. c, d .]) We also show the projection theorem, which again states that the homomorphisms agree and do not require any projections: theorem nisNat ⇒ of-nat(s2h (n)) = of-int(s2h (n)) IN ZZ iisInteger ⇒ of-int(s2h (i)) = of-rat(s2h (i)) ZZ H Q qisRat ⇒ of-rat(s2h (q)) = s2h (q) Q H IR 123 20 Page 16 of 23 C. Kaliszyk, K. Pąk It is now possible to translate the Lagrange’s Four Squares theorem and Bertrand’s postu- late between the libraries. We can prove the Isabelle/Mizar counterpart of the Isabelle/HOL theorem only using higher-order rewriting and the above properties. theorem LagrangeFourSquares: ∀ n:Nat. ∃ a,b,c,d:Nat. IN IN IN IN IN IN IN a ∗ a + b ∗ b + c ∗ c + d ∗ d = n S S S S S S S S theorem Bertrand: ∀ n:Nat. 1 ⊂ n −→ IN (∃ p:Nat. pbeprime ∧ n ⊂ p ∧ p ⊂ (2 ∗ n)) S S S This allows translating the proved Fermat’s last theorem for powers divisible by 3 and 4 from Isabelle/HOL to Isabelle/Mizar. The original proof involved quite some computation and therefore has not been attempted in Mizar so far. However, thanks to the isomorphisms, the translated version can be proved automatically (higher-order rewriting combined with Isabelle/Mizar type automation): theorem Fermat-divides-3-4: ∀ x,y,z:Integer. ∀ n:Nat. IR (3 divides n ∨ 4 divides n) ∧ (xIˆn) + (y Iˆn) = z Iˆn S S S S IR IR −→ x ∗ y ∗ z = 0 S S S S theorem Fermat-3: ∀ x:Integer. ∀ y:Integer. ∀ z:Integer. IR IR IR (xIˆ3 ) + (y Iˆ3 ) = zIˆ3 −→ x ∗ y ∗ z = 0 S S S S S S S S theorem rev-Rev: assumes p be FinSequence shows rev(s2h (s2h,p)) = s2h (s2h,Rev p) L H L 8 Tarski’s Axiom vs. Grothendieck Universes The theoretical part of our previous work [7] formally introduced a foundation for computer verified proofs based on higher-order Tarski–Grothendieck set theory (HOTG) and prove that this theory has a model if a 2-inaccessible cardinal exists. Referring to the former as the axioms of Tarski–Grothendieck is, however, slightly misleading, as there are two not immediately equivalent families of axioms. In particular, the two axiom families are equivalent assuming the axiom of choice. Additionally, the axiom of choice is a consequence of the Tarski axioms, but it is not the case for the Grothendieck formulation. Both of these facts are now also formalized in Isabelle, and shortly discussed in this section. The formalization done in this section is done independently from Isabelle/HOL or Isabelle/Mizar as its goal is to formally justify that Tarski’s axiom A is valid in the model pro- posed in [7]. Recall, that Tarski’s axiom A is used in the Mizar library and in Isabelle/Mizar, whereas the existence of a Grothendieck universe is used for example in Egal. Tarski’s Axiom A states that every set N is a member of some Tarski universe M which is closed under subsets, powersets, and every subset of the universe is either a member of the universe or is equipotent with that universe. To state this formally, the equipotence between the sets X and Y can be defined by a set of Kuratowski pairs, which defines a bijection from X to Y using only a minimal set of definitions, as it is done for example in the MML: 123 Combining Higher-Order Logic... Page 17 of 23 20 definition Tarski-axiom-A where Tarski-axiom-A ≡∀ N . ∃ M. N ∈ M ∧ (∀ XY . X ∈ M ∧ Y ⊆ X −→ Y ∈ M)∧ (∀ X. X ∈ M −→ Pow X ∈ M)∧ (∀ X. X ⊆ M −→ (∃ b. b: bij X M) ∨ X ∈ M) In the Grothendieck approach, for an arbitrary set X, we can explicitly obtain the Grothendieck universe UnivX. The universe UnivX is transitive (Trans (Univ X)), closed under union, powerset, and replacement (ZFclosed (Univ X)) and it is the smallest set (w.r.t. set inclusion) having these properties. axiomatization Univ :: set ⇒ set where UnivIn: X ∈ Univ X and UnivTransSet: Trans (Univ X) and UnivZF: ZFclosed (Univ X) and UnivMin: X ∈ U ∧ Trans U ∧ ZFclosed U ⇒ Univ X ⊆ U To compare these two axiomatizations, we have previously shown in the higher-order logic of Egal that every Grothendieck universe, under the axiom of choice assumption, satisfies Tarski’s Axiom A (see [8]), but, not vice versa. Tarski universes, as opposed to Grothendieck universes, might not be transitive. We constructed such a Tarski universe of a set N that is a proper subset of UnivN in [47] in the first-order logic of Mizar, as well as proved that UnivN included in every Tarski universe of a set N if N is transitive. In particular, using these properties, we proved in Isabelle that assuming HOTG and the axiom of choice, Univ N is a Tarski universe, i.e., that in the model [7], Tarski’s Axiom A is valid. Rather than repeat the proofs already described in [8] we show the final statement that we proved under the axiom of choice as rendered by Isabelle: definition AC-axiom where AC-axiom ≡∀ X. {} ∈ / X −→ (∃ f .(f ∈ X → X) ∧ (∀ A. A∈ X −→ f‘ A ∈ A)) theorem AC-axiom −→ Tarski-axiom-A In order to even more closely show the adequacy of the HOTG model for importing the Isabelle/HOL proofs, one might also consider polymorphism, which is present in the foun- dations of the HOL families of provers. Andrew Pitts has provided a custom semantics to HOL that factors in polymorphism [50]. We however believe, that since the polymorphism in HOL is shallow (rank-one), it can be considered a notation for monomorphic HOL, namely all proofs can be translated to monomorphic ones and that the Grothendieck universes offer enough room for the quantification incurred by polymorphism. Extending the model to sup- port all the custom extensions present in Isabelle/HOL (such as e.g., type classes [22] or local type definitions [30]) is left as future work. 9 Related Work Since proof assistants based on plain higher-order logic lack the full expressivity of set theory, the idea of adding set theory axioms on top of HOL has been tried multiple times. Gordon [17] discusses approaches to combine the power of HOL and set theory. Obua has proposed HOLZF [42], where Zermelo-Fraenkel axioms are added on top of Isabelle/HOL. With this, he was able to show results on partisan games, that would be hard to show in 123 20 Page 18 of 23 C. Kaliszyk, K. Pąk plain higher-order logic. Later, as part of the ProofPeer project [43], the combination of HOL with ZF became the basis for an LCF system, reducing the proofs in the higher-order logic part to a minimum (again, since there was no guarantee, that combining the results is safe). Kuncar ˇ [35] attempted to import the Tarski–Grothendieck-based library into HOL Light. Here, the set-theoretic concepts were immediately mapped to their HOL counterparts, but it soon came out that without adding the axioms of set theory the system was not strong enough. Brown [10] proposed the Egal system which again combines a specification of higher-order logic with the axioms of set theory. The system uses explicit universes, which is in fact the same presentation as given in this work. This work therefore also gives a model for the Egal system. Finally, we have specified [28] and imported [29] significant parts of the Mizar library into Isabelle. In this work, we only use the specification of Mizar in Isabelle and the re-formalized parts of the MML. The idea to combine proof assistant libraries across different foundations also arose in the Flyspeck project [18] formalizing the proof of the Kepler conjecture [20]. Krauss and Schropp [33] specified and implemented a translation from Isabelle/HOL proof terms to set-theoretic proved theorems. The translation is sound and only relies on the Isabelle/ZF logic, however, it is too slow to be useful in practice, in fact, it is not possible to translate the basic Main library of Isabelle/HOL into set theory in reasonable time It is also possible to deep embed multiple libraries in a single meta-theory. Rabe [51] does this practically in the MMT framework deep embedding various proof assistant foundations and providing category-theoretic mappings between some foundations. Logical frameworks allow import- ing multiple libraries at the same time. In the Dedukti framework, Assaf and Cauderlier [1, 2] have combined properties originating from the Coq library and the HOL library. Both were imported in the same system, based on the λ calculus modulo, however, the two parts of the library relied on different rewrite rules. Most implementations of set theory in logical frameworks could implicitly use some higher-order features of the framework, as this is already used for the definition of the object logic. The definition of the Zermelo-Fraenkel object logic [49] in Isabelle uses lambda abstractions and higher-order applications for example to specify the quantifiers. This is also the case in Isabelle/TLA [38]. These object logics are normally careful to restrict the use of higher-order features to a minimum, however, the system itself does not restrict this usage. The first author together with Gauthier [15] has previously proposed heuristics for auto- matically finding alignments across proof assistant libraries. Such alignments, even without merging the libraries can be useful for conjecturing new properties [39]aswellasimproving proof assistant automation [14]. The fact that Grothendieck universes are the same as transitive Tarski classes has been formalized by Carneiro in Metamath. 10 Automated Transfer and Limitations of Current Work In this section, we discuss transfer in higher-order logic based systems, transport in intuition- istic type theory, and the limitations of the current work when it comes to automating the transfer of theorems between the foundations. As part of an ongoing project to export Isabelle proof to Dedukti and the project exporting Isabelle to MMT [32] some of the proofs in Isabelle/Main are being currently optimized. http://us.metamath.org/mpeuni/grutsk.html. 123 Combining Higher-Order Logic... Page 19 of 23 20 Automating the transfer of theorems between different types in higher-order logic has a long history. Today, higher-order rewriting-based packages for the creation of quotient types are present in the libraries of most HOL-based proof assistants. These packages can automatically translate theorems from the raw types to the quotient types. For example, HOL Light [19] includes the quot.ml package already since the nineties. This package defines two ML functions: lift_function and lift_theorem.The former automatically defines constants (often of higher-order function types) in a quotient type based on corresponding constants in a raw type. The latter ML function uses higher-order rewriting to transfer theorems that use the lifted constants to raw ones. The procedure has been further improved by Homeier [23] in HOL4. The HOL4 quotient package allows an explicit declaration of properties of functions and relations (preserves and respects properties). These allow for quotients for polymorphic types. A similar architecture has been considered in the initial quotient package for Isabelle/HOL co-developed by the first author [34]. By further considering the interplay between the transfer in the outside and inside types it is possible to automatically quotient lists into finite sets with operations such as concatenation of a list of lists automatically translated into a finite set union. The Isabelle/HOL quotient package has been modularized by Huffman and Kuncar ˇ [21]. The functionality has been separated into two packages: lifting and transfer. Lifting allows the automated translation of definitions in a source type to definitions in a target type (including quotient-based definitions). Transfer uses higher-order rewriting to move theorems between types. This modular construction allows the use of transfer also for cases of isomorphic types (including almost isomorphic ones, as was already the case for example with quotients), but where the target is actually not defined as a quotient of the source type. A further improvement to the transfer mechanism in Isabelle/HOL has been developed by Kuncar and Popescu [30] in their work on local type definitions. There, the transfer package is extended to allow relativizing type-based statements to more set-based forms in a principled way. In the context of intuitionistic type theory, translating theorems from types to their quo- tients is much more complex. This is because of the more intricate nature of equality in type theories, which in particular does not allow replacing equal things in all contexts (all above HOL packages rely not only on the axiom of choice but also on extensionality). An traditional approach to moving theorems between types that allows computation has been the use of setoids. This allows moving some theorems to quotients for example in the CoRN project [12]. More recently, foundations based on homotopy type theory [3] have been proposed. There, propositional equality between terms is interpreted as homotopy. The univalence axiom of Voevodsky [53] assumed in such foundations allows transporting properties and structures expressed over isomorphisms and equivalences. In its simplest variant, transport in HoTT/UF is an operation that takes a type family P : A → U,apath a = b in A, and returns a function Pa → Pb [40]. This allows transport between isomorphic types but does not take computation into account. This is further extended in cubical type theories [11]. There, it is possible to directly manipulate n-dimensional cubes based on an interpretation of dependent type theory in a cubical set model. Cubical type theories furthermore are specified in a way that allows Voevodsky’s axiom to be provable. Transport in cubical type theories [5] can take as input a line of types A : I → U. This more primitive transport operation can however take computation into account. We are not aware of any automated tactics/packages allowing for transport of theorems between types in the same way as it is possible in Isabelle/HOL’s transfer package. 123 20 Page 20 of 23 C. Kaliszyk, K. Pąk The work presented here, similar to the higher-order automated transfer packages, uses higher-order rewriting to translate the statements between the HOL types and the set-based representation, however, we have not been able to use the Isabelle transfer package for this. The reason for this is that on the Mizar side additional typing predicates are needed to express soft types and reasoning about these types is necessary. The Mizar soft types are additionally dependent. As such, we combine higher-order rewriting with our dedicated Isabelle/Mizar tactic for proving the Mizar type obligations (the mty tactic). As the tactic is responsible for Prolog-style type inference on the predicate level integrating its use with the existing Isabelle transfer package would be rather involved. In principle, the equivalences provided by the isomorphisms allow translating the state- ments both in the assumptions and in the conclusions, however, we cannot directly use the transfer package, since type constraints not present on the term level in HOL correspond to explicit typing judgments in the set-theoretic types. Consider the isomorphism between the Mizar finite sequences and Isabelle/HOL lists. All the proved statements require the Mizar dependently typed assumptions stating that an argument is of a finite sequence type over some Mizar domain l be FinSequence-of t as well as an additional isomorphism for the domain. We have added the necessary assumptions to the theorems, and in the automated proofs, the Isabelle/Mizar type inference (including the automated proof of Mizar type inhabitation) is necessary to fulfill these obligations. We believe, that is it possible to augment the lifting and transfer packages to add soft type constraints on the term level and fulfill them wherever possible. The details are however unclear and are left as future work. 11 Conclusion We have used Isabelle HOTG to combine results proved in TG set theory with results proved in higher-order logic. This allows us to combine large parts of two major proof assistant libraries: the Mizar Mathematical library and the Isabelle/HOL library. Supplementary to the theorems and proofs coming from both, we define a number of isomorphisms that allow us to translate theorems proved in part of one of these libraries and use them in the corresponding part of the other library. As part of the library merging, we have formally defined and proved in Isabelle the neces- sary concepts. Apart from porting proofs to Isabelle/Mizar, the isomorphism formalizations and the theorems moved using those amount to 10179 lines of proofs. The formalization is available at: http://cl-informatik.uibk.ac.at/cek/ckkp-jar2022-hotg.tgz Apart from higher-order and set-theoretic foundations, the third most commonly used foundation is dependent type theory. The most important future work direction would inves- tigate combining the results proved here with those proved in such type-theoretic foundations. So far, we have mostly moved results that have been proved in HOL to set theory. It could be also interesting to transfer the Brouwer’s theorem for n-dimensional case (the fixed point theorem [44], the topological invariance of degree, and the topological invariance of dimension [45]) that are essential to define and develop topological manifolds since the Mizar library results on manifolds are much developed than those in Isabelle/HOL [25]. Funding This work has been supported by the European Research Council (ERC) Starting Grant Number 714034 SMART, the Polish National Science Center granted by decision n DEC-2015/19/D/ST6/01473, and the COST Action CA20111 Number E-COST-GRANT-CA20111-9d20b2ad. Open access funding provided by University of Innsbruck and Medical University of Innsbruck. 123 Combining Higher-Order Logic... Page 21 of 23 20 Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/. References 1. Assaf, A., Cauderlier, R.: Mixing HOL and Coq in Dedukti. In: Kaliszyk, C., Paskevich, A. (eds.) Proof eXchange for Theorem Proving (PxTP 2015), vol. 186 of EPTCS, pp. 89–96 (2015) 2. Assaf, A.: A framework for defining computational higher-order logics. (Un cadre de définition de logiques calculatoires d’ordre supérieur). PhD thesis, École Polytechnique, Palaiseau, France (2015) 3. Awodey, S: Type theory and homotopy. In: Dybjer, P., Lindström, S., Palmgren, E., Sundholm, G. (eds.) Epistemology versus Ontology - Essays on the Philosophy and Foundations of Mathematics in Honour of Per Martin-Löf, vol. 27 of Logic, Epistemology, and the Unity of Science, pp. 183–201. Springer (2012) 4. Bancerek, G., Bylinski, ´ C., Grabowski, A., Korniłowicz, A., Matuszewski, R., Naumowicz, A., Pak, ˛ K.: The role of the Mizar Mathematical Library for interactive proof development in Mizar. J. Automat. Reason. 61, 9–32 (2017) 5. Bezem, M., Coquand, T., Huber, S.: The univalence axiom in cubical sets. J. Autom. Reason. 63(2), 159–171 (2019) 6. Blanchette, J.C., Haslbeck, M., Matichuk, D., Nipkow, T.: Mining the archive of formal proofs. In: Manfred, K., Jacques, C., Cezary, K., Florian, R., Volker, S. (eds.) Intelligent Computer Mathematics (CICM 2015), vol. 9150 of LNCS, pp. 3–17. Springer (2015) 7. Brown, C., Kaliszyk, C., Pak, ˛ K.: Higher-order Tarski Grothendieck as a foundation for formal proof. In: John, H., John O., Andrew, T. (eds.) 10th International Conference on Interactive Theorem Proving (ITP 2019), vol. 141 of LIPIcs, pp. 9:1–9:16. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2019) 8. Brown, C.E., Pak, ˛ K: A tale of two set theories. In: Kaliszyk, C., Brady, E.C., Kohlhase, A., Coen, C.S. (eds.) Intelligent Computer Mathematics-Proceedings of the of Lecture Notes in Computer Science 12th International Conference, CICM, Prague, Czech Republic, July 8–12, vol. 11617 , pp. 44–60. Springer (2019) 9. Bancerek, G., Rudnicki, P.: A compendium of continuous lattices in MIZAR. J. Autom. Reason. 29(3–4), 189–224 (2002) 10. Brown, C.E.: The Egal Manual (2014) 11. Cohen, C., Coquand, T., Huber, S., Mörtberg, A.: Cubical type theory: a constructive interpretation of the univalence axiom. FLAP 4(10), 3127–3170 (2017) 12. Cruz-Filipe, L., Geuvers, H., Wiedijk, F.: C-corn, the constructive coq repository at nijmegen. In: Asperti, A., Bancerek, G., Trybulec, A. (eds.) Mathematical Knowledge Management (MKM 2004), vol. 3119 of LNCS, pp. 88–103. Springer (2004) 13. Eberl, M., Haslbeck, M.W., Nipkow, T.: Verified analysis of random binary tree structures. J. Autom. Reason. 64(5), 879–910 (2020) 14. Gauthier, T., Kaliszyk, C.: Sharing HOL4 and HOL Light proof knowledge. In: Davis, M., Fehnker, A., McIver, A., Voronkov, A. (eds.) 20th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2015), vol. 9450 of Lecture Notes in Computer Science, pp. 372–386. Springer (2015) 15. Gauthier, T., Kaliszyk, C.: Aligning concepts across proof assistant libraries. J. Symb. Comput. 90, 89–123 (2019) 16. Grabowski, A., Korniłowicz, A., Naumowicz, A.: Four decades of Mizar. J. Automat. Reason. 55(3), 191–198 (2015) 17. Gordon, M.: Set theory, higher order logic or both? In: von Wright, J., Grundy, J., Harrison, J. (eds.) Theorem Proving in Higher Order Logics, TPHOLs’96, vol. 1125 of LNCS, pp. 191–201. Springer (1996) 18. Hales, T., Adams, M., Bauer, G., Dang, T.D., Harrison, J., Le Truong, H., Kaliszyk, C., Magron, V., McLaughlin, S., Nguyen, T.T., Nguyen, Q.T., Tran, N.T., Trieu, T.D., Urban, J., Vu, K., Zumkeller, R.: A Formal Proof of the Kepler Conjecture Forum of Mathematics, Pi, 5. Cambridge University Press, Cambridge (2017) 123 20 Page 22 of 23 C. Kaliszyk, K. Pąk 19. Harrison, J.: HOL light: an overview. In: Stefan, B., Tobias, N., Christian, U., Makarius, W. (eds.) Theorem Proving in Higher Order Logics, Proceedings of Lecture Notes in Computer Science 22nd International Conference, TPHOLs 2009, Munich, Germany, August 17–20, vol. 5674, pp. 60–66. Springer (2009) 20. Hales, T.C., Harrison, J., McLaughlin, S., Nipkow, T., Obua, S., Zumkeller, R.: A revision of the proof of the kepler conjecture. Discret. Comput. Geom. 44(1), 1–34 (2010) 21. Huffman, B., Kuncar ˇ , O.: Lifting and transfer: a modular design for quotients in Isabelle/HOL. In: Gonthier, G., Norrish, M. (eds.) Certified Programs and Proofs - Proceedings of the Third International Conference, CPP 2013, Melbourne, VIC, Australia, December 11–13, vol. 8307 of LNCS, pp. 131–146. Springer (2013) 22. Haftmann, F., Nipkow, T.: Code generation via higher-order rewrite systems. In: Blume, M., Kobayashi, N., Vidal, G. (eds.) Functional and Logic Programming, 10th International Symposium, FLOPS 2010, vol. 6009 of LNCS, pp. 103–117. Springer (2010) 23. Homeier, P.V.: A design structure for higher order quotients. In: Hurd, J., Melham, T.F. (eds.) Theorem Proving in Higher Order Logics, Proceedings of the 18th International Conference, TPHOLs 2005, Oxford, UK, August 22–25, vol. 3603 of Lecture Notes in Computer Science, pp. 130–146. Springer (2005) 24. Haftmann, F., Wenzel, M.: Constructive type classes in Isabelle. In: Altenkirch, T., McBride, C. (eds.) Types for Proofs and Programs, International Workshop, TYPES 2006, vol. 4502 of LNCS, pp. 160–174. Springer (2007) 25. Immler, F., Zhan, B.: Smooth manifolds. Archive of Formal Proofs. https://isa-afp.org/entries/Smooth_ Manifolds.html (2018) 26. Jask ´ owski, S.: On the rules of suppositions. Studia Logica, 1 (1934) 27. Kaliszyk, C., Pak, ˛ K.: Isabelle formalization of set theoretic structures and set comprehensions. In: Blamer, J., Kutsia, T., Simos, D. (eds.) Mathematical Aspects of Computer and Information Sciences, MACIS 2017, vol. 10693 of LNCS. Springer (2017) 28. Kaliszyk, C., Pak, ˛ K.: Semantics of Mizar as an Isabelle object logic. J. Automat. Reason. 63, 557–595 (2018) 29. Kaliszyk, C., Pak, ˛ K.: Declarative proof translation (short paper). In Harrison, J., O’Leary, J., Tolmach, A. (eds.) 10th International Conference on Interactive Theorem Proving (ITP 2019), vol. 141 of LIPIcs, pp. 35:1–35:7 (2019) 30. Kuncar, O., Popescu, A.: From types to sets by local type definition in higher-order logic. J. Autom. Reason. 62(2), 237–260 (2019) 31. Kaliszyk, C., Pak, ˛ K., Urban, J.: Towards a Mizar environment for Isabelle: foundations and language. In: Avigad , J., Chlipala, A. (eds.) Proceedings of the 5th Conference on Certified Programs and Proofs (CPP 2016), pp. 58–65. ACM (2016) 32. Kohlhase, M., Rabe, F., Wenzel, M.: Making isabelle content accessible in knowledge representation formats. https://corr.org/abs/2005.08884 (2020) 33. Krauss, A., Schropp, A.: A mechanized translation from higher-order logic to set theory. In: Kaufmann, M., Paulson, L.C. (eds.) Interactive Theorem Proving (ITP 2010), vol. 6172 of LNCS, pp. 323–338. Springer (2010) 34. Kaliszyk, C., Urban, C.: Quotients revisited for Isabelle/HOL. In: Chu, W.C., Wong, W.E., Palakal, M.J., Hung, C.C. (eds.) Proceedings of the 26th ACM Symposium on Applied Computing (SAC’11), pp. 1639–1644. ACM (2011) 35. Kuncar ˇ , O.: Reconstruction of the Mizar type system in the HOL Light system. In: Pavlu, J., Safrankova, J. (eds.) WDS Proceedings of Contributed Papers: Part I - Mathematics and Computer Sciences, pp. 7–12. Matfyzpress (2010) 36. Lammich, P.: Refinement to imperative HOL. J. Autom. Reason. 62(4), 481–503 (2019) 37. Lochbihler, A., Sefidgar, S.R., Basin, D.A., Maurer, U.: Formalizing constructive cryptography using crypthol. In: Proceedings of the 32nd IEEE Computer Security Foundations Symposium, CSF 2019, Hoboken, NJ, USA, June 25–28, 2019, pp. 152–166. IEEE (2019) 38. Merz, S.: Mechanizing TLA in Isabelle. In: Rodošek, R. (ed.) Workshop on Verification in New Orien- tations, pp. 54–74. Univ. of Maribor, Maribor (1995) 39. Müller, D., Gauthier, T., Kaliszyk, C., Kohlhase, M., Rabe, F.: Classification of alignments between concepts of formal mathematical systems. In: Geuvers„ H. England, M., Hasan, O., Rabe, F., Teschke, O. (eds.) 10th International Conference on Intelligent Computer Mathematics (CICM’17), vol. 10383 of LNCS, pp 83–98. Springer (2017) 40. Mörtberg, A.: Cubical methods in homotopy type theory and univalent foundations. Math. Struct. Comput. Sci. 31(10), 1147–1184 (2021) 41. Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: a proof assistant for higher-order logic, vol. 2283 of LNCS. Springer (2002) 123 Combining Higher-Order Logic... Page 23 of 23 20 42. Obua, S.: Partizan games in Isabelle/HOLZF. In: Barkaoui, K., Cavalcanti, A., Cerone, A. (eds.) Theo- retical Aspects of Computing-ICTAC 2006, vol. 4281 of LNCS, pp. 272–286. Springer (2006) 43. Obua, S., Fleuriot, J.D., Scott, P., Aspinall, D.: ProofPeer: collaborative theorem proving. http://corr.org/ abs/1404.6186 (2014) 44. Pak, ˛ K.: Brouwer fixed point theorem in the general case. Formaliz. Math. 19(3), 151–153 (2011) 45. Pak, ˛ K.: Brouwer invariance of domain theorem. Formaliz. Math. 22(1), 21–28 (2014) 46. Pak, ˛ K.: Topological manifolds. Formaliz. Math. 22(2), 179–186 (2014) 47. Pak, ˛ K.: Grothendieck universes. Formaliz. Math. 28(2), 211–215 (2020) 48. Paulson, L.C.: Isabelle: the next 700 theorem provers. Log. Comput. Sci. 1990, 361–386 (1990) 49. Paulson, L.C.: Set theory for verification: I. From foundations to functions. J. Autom. Reason. 11(3), 353–389 (1993) 50. Pitts, A.: The HOL logic. In: Gordon, M.J.C., Melham, T.F. (eds.) Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Cambridge University Press, Cambridge (1993) 51. Rabe, F.: How to identify, translate and combine logics? J. Log. Comput. 27(6), 1753–1798 (2017) 52. Schwarzweller, C.: The ring of integers, Euclidean rings and modulo integers. Formaliz. Math. 8(1), 29–34 (1999) 53. Voevodsky, V.: Univalent semantics of constructive type theories. In: Jouannaud, J.P., Shao, Z. (eds.) Certified Programs and Proofs- Proceedings of the First International Conference, CPP 2011, Kenting, Taiwan, December 7–9, vol. 7086 of Lecture Notes in Computer Science, p. 70. Springer (2011) 54. Wenzel, M.: The Isabelle/Isar Reference Manual (2021) 55. Wenzel, M., Paulson, L.C., Nipkow, T.: The Isabelle framework. In: Mohamed, O.A., Muñoz, C.A., Tahar, S. (eds.) Theorem Proving in Higher Order Logics, 21st International Conference, TPHOLs 2008, vol. 5170 of LNCS, pp. 33–38. Springer (2008) Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Journal

Journal of Automated ReasoningSpringer Journals

Published: Jun 1, 2023

Keywords: Higher-order logic; Set theory; Transport

There are no references for this article.