
2.2 Interactive Theorem Proving and Proof Style

2.2.1 Procedural vs Declarative Proof

State-of-the-art proof assistants provide two main approaches to formalizing proofs in a computer: the so-called procedural style of proof and the declarative style of proof.

A procedural proof consists of a sequence of tactic applications that reduce the theorem to be proved to trivial facts. While allowing for efficient execution of recorded proofs, this kind of proof is difficult to understand, because the intermediate proof states become visible only by executing the tactics step by step and observing the changes each one causes. Tactic proofs can be extremely fragile, or reliant on many hidden, assumed details, and are therefore difficult to maintain and modify (see for example [Zam99] or [Har96c] for a general discussion). As the only information available during the processing of a proof is the current proof state and the next tactic to be executed, a procedural prover has to stop checking at the first error it encounters.

The ability to define and execute tactics represents a key advance for interactive theorem provers, as tactics reduce the number of proof commands a user needs to issue to construct a proof. However, tactics do not reduce the length of the proof that has to be checked by a proof checker (or a mathematician), since each tactic has to be expanded into a low-level proof that uses only calculus-level rules. Moreover, proof languages based on tactics were mainly designed to support the interactive discovery of a proof, rather than to represent a proof in a readable format. Indeed, tactic proofs are considered difficult to read, and therefore difficult to modify and to maintain. Figure 2.1(a) shows an example of a procedural proof: a formalization of the proof of the irrationality of √2 in the Hol system. The cryptic style is not a peculiarity of the Hol system but is typical of procedural proofs, for the reasons given above. An alternative to the procedural proof, a so-called declarative proof, is shown in Figure 2.1(b). In the declarative style, a proof consists of intermediate statements that refer to each other, much like the textbook proof in Figure 2.1(c).

The roots of the declarative style of proof can be traced back to the Automath project, which addressed the problem of developing a formal language with a natural-language-like syntax that allows both the exact formalization and the easy reading and writing of mathematical documents. Whereas the original Automath language was still quite mechanical, its descendants Mathematical Vernacular [dB94], Weak Type Theory [KN04], and Mathlang [KMW04] are close to natural language. Similar to Automath, the Mizar system [TB85] pioneered the declarative approach to proof languages. In a declarative proof language, a proof step states what is proved at that step, as opposed to listing the interactions required to derive it. Declarative proofs are thus closer to informal mathematical reasoning and therefore more readable. Moreover, as a declarative proof contains explicit statements for all reasoning steps, a proof checker can recover from errors and continue checking the proof after the first error. It has been noted in [Wen99a] that a proof language can be implemented rather independently of the underlying logic and thus provides an additional abstraction layer. Disadvantages of the declarative approach are that the resulting proofs are longer, and therefore more tedious to write, and that they cannot be processed as efficiently as procedural proofs.

Due to these advantages, many interactive theorem provers nowadays support declarative proofs (see for example [Sym99, Wen99a, AF06, Cor07, Sym97]). However, designing a proof language that is both readable and supports the discovery of proofs is a non-trivial task. One shortcoming of the declarative approach is that almost all details needed for the formal verification of a proof have to be filled in by the user. Therefore, even declarative formal proofs still differ significantly from the proofs found in mathematical textbooks, where it is standard practice to omit easily inferable proof steps. In principle, however, a declarative proof can simply be a sequence of intermediate assertions, acting as islands or stepping stones between the assumptions and the conclusion (omitting the constraints that indicate how to find a justification for each step), leaving the task of closing the gaps to automation tools. Such islands are sometimes also called proof plans [DJP06] or proof sketches [Wie04]. In recent years, many systems, sometimes called proof finders or proof planners, have been developed that try to close such gaps automatically, such as Mizar, Nqthm [BM88], Spl [Zam99], Sad [VLP07], Naproche [KCKS09], Scunak [Bro06], Tutch [ACP01], or the Ωmega proof checker [DSW08].

local open realTheory transcTheory in

val SQRT_2_IRRATIONAL = Q.prove
  (`~Rational (sqrt 2r)`,
   RW_TAC std_ss [Rational_def, abs, SQRT_POS_LE, REAL_POS]
   THEN Cases_on `q = 0` THEN ASM_REWRITE_TAC []
   THEN SPOSE_NOT_THEN (MP_TAC o Q.AP_TERM `\x. x pow 2`)
   THEN RW_TAC arith_ss [SQRT_POW_2, REAL_POS, REAL_POW_DIV,
                         REAL_EQ_RDIV_EQ, REAL_LT, REAL_POW_LT]
   THEN REWRITE_TAC [REAL_OF_NUM_POW, REAL_MUL, REAL_INJ]
   THEN PROVE_TAC [lemma])

end;

(a) Procedural Proof

theorem sqrt 2 is irrational
proof
  assume sqrt 2 is rational;
  then consider i being Integer, n being Nat such that
    W1: n<>0 and
    W2: sqrt 2=i/n and
    W3: for i1 being Integer, n1 being Nat st n1<>0 & sqrt 2=i1/n1 holds n<=n1
      by RAT_1:25;
  A5: i=sqrt 2*n by W1,XCMPLX_1:88,W2;
  C: sqrt 2>=0 & n>0 by W1,NAT_1:19,SQUARE_1:93;
  then i>=0 by A5,REAL_2:121;
  then reconsider m = i as Nat by INT_1:16;
  A6: m*m = n*n*(sqrt 2*sqrt 2) by A5
    .= n*n*(sqrt 2)^2 by SQUARE_1:def 3
    .= 2*(n*n) by SQUARE_1:def 4;
  then 2 divides m*m by NAT_1:def 3;
  **** remaining 17 lines removed *****

(b) Declarative Proof

Assume √2 is rational, i.e., there exist natural numbers p, q with no common divisor such that √2 = p/q. Then q√2 = p, and thus $2q^2 = p^2$. Hence $p^2$ is even and, since odd numbers square to odds, p is even; say p = 2m. Then $2q^2 = (2m)^2 = 4m^2$, i.e. $q^2 = 2m^2$. But now $q^2$ is even too and so is q. But then both q and p are even, contradicting the fact that they do not have a common divisor.

(c) Textbook Proof

Figure 2.1: Proof of irrationality of √2 in procedural style, declarative style, and in textbook style.
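The contrast between Figure 2.1(a) and 2.1(b) can be reproduced in a single modern prover. The following is an added example, not part of the thesis and not taken from the Hol or Mizar sources it cites: the parity step of the √2 argument ("m·m = 2·(n·n) forces both m and n to be even", the point at which the Mizar excerpt above breaks off) written twice in Lean 4 with Mathlib, once as a tactic script and once with every intermediate fact stated and named. The Mathlib names it relies on (Nat.prime_two, Nat.Prime.dvd_mul, Nat.eq_of_mul_eq_mul_left) and the assumption that `import Mathlib` is available are the example's own.

```lean
import Mathlib

/-
Added example, not from the thesis. Both theorems prove the same
statement. Assumed Mathlib API: Nat.prime_two, Nat.Prime.dvd_mul,
Nat.eq_of_mul_eq_mul_left.
-/

-- Procedural style. No intermediate claim is written down: to learn
-- that the first line replaces m by 2*k, or what `nlinarith` is asked
-- to close, one has to replay the script step by step. If a later
-- Mathlib release changes what `nlinarith` can prove, the script fails
-- at that line and nothing after it is checked.
theorem both_even_tac (m n : ℕ) (h : m * m = 2 * (n * n)) :
    2 ∣ m ∧ 2 ∣ n := by
  obtain ⟨k, rfl⟩ :=
    ((Nat.Prime.dvd_mul Nat.prime_two).mp (⟨n * n, h⟩ : 2 ∣ m * m)).elim id id
  exact ⟨⟨k, rfl⟩, ((Nat.Prime.dvd_mul Nat.prime_two).mp
    (⟨k * k, by nlinarith [h]⟩ : 2 ∣ n * n)).elim id id⟩

-- Declarative style. Each step states what it proves and names the
-- facts it uses, as in the Mizar text of Figure 2.1(b). The statements
-- remain meaningful even if a justification breaks: Lean reports the
-- failing `have` and keeps checking the steps after it.
theorem both_even_decl (m n : ℕ) (h : m * m = 2 * (n * n)) :
    2 ∣ m ∧ 2 ∣ n := by
  -- 2 divides m*m, hence (2 being prime) 2 divides m.
  have hmm : 2 ∣ m * m := ⟨n * n, h⟩
  have hm : 2 ∣ m := ((Nat.Prime.dvd_mul Nat.prime_two).mp hmm).elim id id
  obtain ⟨k, hk⟩ := hm                       -- hk : m = 2 * k
  -- Substitute m = 2k into the hypothesis: 2*(2*k*k) = 2*(n*n).
  have h4 : 2 * (2 * (k * k)) = 2 * (n * n) := by
    calc 2 * (2 * (k * k)) = (2 * k) * (2 * k) := by ring
      _ = m * m := by rw [hk]
      _ = 2 * (n * n) := h
  -- Cancel the factor 2: n*n = 2*(k*k), so n*n is even.
  have hnn : n * n = 2 * (k * k) :=
    (Nat.eq_of_mul_eq_mul_left (by norm_num) h4).symm
  have hnn' : 2 ∣ n * n := ⟨k * k, hnn⟩
  -- Same primality argument again gives 2 ∣ n.
  have hn : 2 ∣ n := ((Nat.Prime.dvd_mul Nat.prime_two).mp hnn').elim id id
  exact ⟨⟨k, hk⟩, hn⟩
```

The two proofs are accepted by the same kernel and expand to comparable low-level derivations; the difference lies entirely in what a reader (or a later maintainer of a verified artifact) can recover from the text without re-executing it. The declarative version is longer, as the section notes, but each `have` can be checked, and if necessary repaired, on its own.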