
In this chapter we have surveyed the main developments that build the foundations of computer assisted formal reasoning as it is known today. We have pointed out the difference between proof discovery and presentation, as well as the importance of readability and maintainability of proofs within the interactive setting. Moreover, we presented two proof styles that are supported by current proof assistants: the procedural style, which is purely based on tactics and hides intermediate proof states, and the declarative style, which is more readable as it makes intermediate proof states explicit. Moreover, we have presented approaches that allow the generation of more abstract proofs automatically, namely proof planning, which works above the underlying calculus, and deduction modulo, supernatural deduction and superdeduction, which build theory knowledge into the calculus.

3 Assertion Level Proofs

Proofs contain mathematical knowledge and for mathematical knowledge management it is important to represent this adequately. While tactics facilitate interactive proof construction, they do not reduce the length of the proof which is to be checked by a proof checker or by a mathematician, since each tactic has to be expanded to a low level proof which makes use only of calculus level rules. Moreover, though it might be easy to guess in some situations what the result of a tactic application is, “a HOL script looks nothing like a textbook proof. Even HOL experts cannot really read a typical HOL proof without replaying it in a session.” (see [Har96b], p. 2).

Indeed, it has been noted that “a major barrier to more common use of mechanical theorem provers in both software and hardware verification, or verification of mathematical results in general, is the distance between the proof style natural for a mathematician and the proof style supported in various mechanical theorem provers” [AH97]. However, also from a practical point of view there is the need to search for the proofs at a more abstract level, as already noted in [ST89]: “it is practically impossible to prove theorems in calculus, using only basic logical rules”.

To present machine generated proofs at a more abstract level, techniques have been developed to convert (completed) resolution proofs or matrix proofs into human-oriented calculi, (see [And80, Mil84, Pfe87, Lin89, Wos90, And91, Mei00a]). However, as analyzed in [Hua99], although individual steps in natural deduction can be understood easily, the entire proof is still usually at a very low level of abstraction and contains too many steps to be adequate as input for a presentation in natural language.

To come close to the style of proofs as done by humans, Huang [Hua94b, Hua96] introduced the assertion level, where individual proof steps are justified by axioms, definitions, or theorems, or even above at the so-called proof level, such as “by analogy”. The idea of the assertion level is, for instance, that given the facts U ⊂ V and V ⊂ W we can prove U ⊂ W directly using the assertion:

⊂Trans: ∀U. ∀V. ∀W. U ⊂ V ∧ V ⊂ W ⇒ U ⊂ W

An assertion level step usually subsumes several deduction steps in a standard calculus, say the classical sequent calculus [Gen69]. Therefore, traditional theorem provers can only achieve such conclusions after a number of proof steps. To use an assertion in the classical sequent calculus, it must be present in the antecedent of the sequent and be processed by means of decomposition rules, usually leading to new branches in the derivation tree. Some of these branches are subsequently closed by means of the axiom rule, which corresponds to “using” that assertion on known facts or goals.

Huang characterizes assertions as macro steps and describes the following two ways for acquiring new assertion level rules: (i) learning by chunking-and-variablization, (ii) learning by contraposition. The former tries to find and remember repeated applications of an assertion as a new rule by inspecting proofs of a theory that have already been performed. The latter derives a new rule from a given rule by the following rule schema: If r is an existing rule of the form

$$\frac{\Gamma \vdash p_1 \quad \cdots \quad \Gamma \vdash p_n}{\Gamma \vdash q} \tag{3.1}$$

then r′ can be acquired by contraposition:

$$r' = \frac{\Gamma \vdash p_1 \quad \cdots \quad \Gamma \vdash p_{i-1} \quad \Gamma \vdash p_{i+1} \quad \cdots \quad \Gamma \vdash p_n \quad \Gamma \vdash \neg q}{\Gamma \vdash \neg p_i} \tag{3.2}$$

For instance, for the inference rule

$$\frac{\Gamma \vdash a \in U \quad \Gamma \vdash U \subset F}{\Gamma \vdash a \in F} \tag{3.3}$$

the following two other rules can be derived by contraposition:

$$\frac{\Gamma \vdash a \in U \quad \Gamma \vdash a \notin F}{\Gamma \vdash U \not\subset F} \tag{3.4}$$

$$\frac{\Gamma \vdash a \notin F \quad \Gamma \vdash U \subset F}{\Gamma \vdash a \notin U} \tag{3.5}$$

Huang followed the approach of a human-oriented proof style and developed an algorithm to abstract a given ND proof to the assertion level by finding assertion applications and replacing them by a single rule. His algorithm had to consider each proof step individually and was therefore very expensive from a computational point of view. Moreover, he noted that “the algorithm works well on neatly structured ND proofs, but performs very poorly on machine generated proofs that are mainly indirect” ([Hua99] p. 13). This is because proof steps are often twisted in machine-generated proofs and need to be reordered before a transformation becomes possible. Indeed, it has been noted in [Mei00b] (p. 52) that there is “no practically usable algorithm to abstract ’bad’ ND proofs”.

Huang was mainly concerned with using the abstract representation at the assertion level for proof presentation in natural language [Hua96, Fie01]; therefore there was no proof theoretic foundation for the assertion level. In particular, it was not possible to directly search for a proof at the assertion level. The reconstruction approach had the disadvantage that only proof parts of a specific form – corresponding to previously extracted assertions – could be abstracted. Moreover, due to the complexity of the abstraction mechanisms the abstraction had to be restricted to global assertions, i.e., definitions and theorems belonging to the theory. Local assertions such as an induction hypothesis were not considered.

It has been argued that the assertion level should serve as a basis on which knowledge based proof planning should be based: “We are convinced that it will be possible to overcome at least some of the identified limitations and problems of proof planning as discussed in [BMM+01, Bun02], in particular those that are caused by an unfortunate intertwining of the proof planning and calculus level theorem proving.” [VBA03]. However, this has not been studied so far. Therefore, in this thesis we will face this challenge and base the theorem proving process directly on the assertion level. This has the following advantages:

• Assertion level proofs come close to hand written proofs (Contribution A1, Section 1.1). Therefore, they do not only provide a correctness guarantee, but also an explanation. Consequently, they become accessible to a broader audience. In particular, they can naturally be used in the domain of proof tutoring (Evaluation E1, Section 1.1).

• Assertion level proofs can naturally be translated to declarative proof scripts (Contribution A1(vi), Section 1.1), which have become the standard means to communicate proofs in an interactive theorem prover. Therefore, (partial) proofs as well as failed proof attempts can be presented at an abstract level. Note that this is nontrivial, and not supported in state of the art interactive theorem provers, such as Isabelle or Coq: “There is currently no way to transform internal system-level representations of Isabelle proofs back to Isar text” (see [Wen99b], p. 11).

• The use of assertions naturally leads to a goal directed proof search, allowing for efficient proof search procedures that even outperform classical reasoners in specific domains (Contribution A1(iv), Section 1.1). More importantly, it generates far fewer sequents until a proof is found. In many cases, a proof can be found without any search at all by exploiting some abstract reduction properties, which get lost when normalizing the assertion.

• The problem of handling multiplicities of the quantifiers, which is the main problem in first order logic, can be handled for assertions in a natural way, as quantifiers belonging to a single assertion are grouped together.

• The assertion level allows the natural specification of heuristics which cannot easily be formulated at a lower level of abstraction (Contribution A2(i), Section 1.1).

3.1 Examples of Assertion Applications

Before presenting the technical details of the assertion level, we give several examples illustrating the difference between an assertion level justification – including deep assertion applications – and the corresponding justification in the sequent calculus. The key points which are illustrated are:

• Assertion level proofs are shorter than corresponding proofs in sequent calculus or natural deduction.

• Deep inference further shortens the proof size and makes rule application invariant under slight reformulations of the problem.

The first example shows the use of a proper definition at the assertion level, i.e., a formula ∀x. P ⇔ Q, where P is a predicate and Q is not necessarily atomic. This simple structure falls in the category which can be handled within superdeduction [BHK07a, BHK07b] and supernatural deduction [BDW07], which follows a similar motivation as the assertion level. It is important to note that the lifting of an assertion to a rule is more than just a “macro” collapsing a sequence of introductions into a single one: The formula corresponding to the assertion is replaced by a rule, while the formula itself is removed from the proof state. This results in non-trivial proof theoretical questions, such as whether the lifting of assertions is a safe operation, i.e., whether provability is preserved when lifting an assertion. From a user’s perspective, the resulting sequents get much more readable, as the size of the antecedent is reduced. Moreover, the operational representation of an assertion as inference reflects its effective use as a means to transform a proof state.

Example 3.1.1. Consider the assertion step that derives a1 ∈ V1 from U1 ⊆ V1 and a1 ∈ U1, which we assume to be contained in Γ. The corresponding sequent calculus proof is the following (root first; each line after the first lists the premises of the line above it under the rule named in front of it, and branches closed by the axiom rule are marked Ax):

Γ, ∀U, V. U ⊆ V ⇔ ∀x. x ∈ U ⇒ x ∈ V ⊢ ∆
∀L: Γ, ∀V. U1 ⊆ V ⇔ ∀x. x ∈ U1 ⇒ x ∈ V ⊢ ∆
∀L: Γ, U1 ⊆ V1 ⇔ ∀x. x ∈ U1 ⇒ x ∈ V1 ⊢ ∆
⇔L: Γ, U1 ⊆ V1 ⇒ ∀x. x ∈ U1 ⇒ x ∈ V1 ⊢ ∆
⇒L: Γ ⊢ U1 ⊆ V1, ∆ (Ax)   and   Γ, ∀x. x ∈ U1 ⇒ x ∈ V1 ⊢ ∆
∀L: Γ, a1 ∈ U1 ⇒ a1 ∈ V1 ⊢ ∆
⇒L: Γ ⊢ a1 ∈ U1, ∆ (Ax)   and   Γ, a1 ∈ V1 ⊢ ∆ (remaining open goal)

Lifting the assertion ∀A, B. A ⊂ B ⇔ ∀x. x ∈ A ⇒ x ∈ B to the inference level makes the assertion directly available as a rule and allows for the following one-step deduction:

$$\frac{\Gamma, a_1 \in U, U \subset V, a_1 \in V_1 \vdash \Delta}{\Gamma, a_1 \in U, U \subset V \vdash \Delta}\ \subset\text{-Def}$$

The second example illustrates the use of an assertion that is not an equivalence. As such, it cannot be handled by superdeduction or supernatural deduction. Moreover, it illustrates the different ways the assertion can be applied.

Example 3.1.2. Consider the assertion

(Trans) ∀A, B, C.A ⊂ B ∧ B ⊂ C ⇒ A ⊂ C

and a corresponding derivation shown below, illustrating how the assertion can be used to derive ∆ = {U ⊂ W } under the assumptions Γ = {U ⊂ V, V ⊂ W }:

Γ, ∀A, B, C. A ⊂ B ∧ B ⊂ C ⇒ A ⊂ C ⊢ U ⊂ W   (the succedent U ⊂ W is ∆)
∀L: Γ, ∀B, C. U ⊂ B ∧ B ⊂ C ⇒ U ⊂ C ⊢ ∆
∀L: Γ, ∀C. U ⊂ V ∧ V ⊂ C ⇒ U ⊂ C ⊢ ∆
∀L: Γ, U ⊂ V ∧ V ⊂ W ⇒ U ⊂ W ⊢ ∆
⇒L: Γ ⊢ U ⊂ V ∧ V ⊂ W, ∆   and   Γ, U ⊂ W ⊢ ∆ (Ax)
∧R (on the left branch): Γ ⊢ U ⊂ V, ∆ (Ax)   and   Γ ⊢ V ⊂ W, ∆ (Ax)

The crucial steps in this derivation are to use the assertion (⊂Trans) with the instantiation [U/A, V/B, W/C] to show U ⊂ W. As before, the other steps can be understood as unfolding or preparation steps, yielding several branches in the derivation tree, some of which can be closed using the axiom rule and the available facts Γ or goals ∆. In contrast, at the assertion level, the same derivation looks as follows:

$$\frac{}{U \subset V, V \subset W \vdash U \subset W}\ \subset\text{Trans}$$
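The following Python sketch is an added illustration of two points above, not code from the thesis: an assertion lifted to a rule is applied in one step by matching its premises against the facts in Γ (Example 3.1.2), and the contraposition schema (3.2) mechanically produces rules (3.4) and (3.5) from rule (3.3). The tuple encoding of atoms and the convention that names starting with '?' are the assertion's bound variables are assumptions of this example.

```python
# Added example (not from the thesis): assertions as rules applied by matching their
# premises against the facts in Γ, plus rule contraposition as in schema (3.2).
# Encoding assumed here: atoms are tuples such as ('sub', 'U', 'V') for U ⊂ V and
# ('in', 'a', 'U') for a ∈ U; ('not', atom) is negation; names starting with '?' are
# the assertion's universally quantified variables, every other name is a constant.

def neg(f):
    """Negate an atom, collapsing ¬¬p to p."""
    return f[1] if f[0] == 'not' else ('not', f)

def contrapositives(rule):
    """Schema (3.2): for each premise p_i, move ¬p_i to the conclusion and ¬q to the premises."""
    prems, concl = rule
    return [(prems[:i] + prems[i + 1:] + [neg(concl)], neg(p)) for i, p in enumerate(prems)]

def match(pat, fact, sub):
    """Extend substitution `sub` so that pattern `pat` equals the ground `fact`, or return None."""
    if isinstance(pat, str):
        if not pat.startswith('?'):
            return sub if pat == fact else None
        if pat in sub:
            return sub if sub[pat] == fact else None
        return {**sub, pat: fact}
    if not isinstance(fact, tuple) or len(pat) != len(fact):
        return None
    for p, f in zip(pat, fact):
        sub = match(p, f, sub)
        if sub is None:
            return None
    return sub

def instantiate(pat, sub):
    return sub.get(pat, pat) if isinstance(pat, str) else tuple(instantiate(p, sub) for p in pat)

def apply_rule(rule, gamma):
    """One assertion-level step: every instantiation whose premises all occur in Γ
    contributes its instantiated conclusion; no decomposition steps, no extra branches."""
    prems, concl = rule
    def search(i, sub):
        if i == len(prems):
            yield instantiate(concl, sub)
            return
        for fact in gamma:
            ext = match(prems[i], fact, sub)
            if ext is not None:
                yield from search(i + 1, ext)
    return set(search(0, {}))

# Assertion (Trans) of Example 3.1.2 and rule (3.3), written as rules.
TRANS = ([('sub', '?A', '?B'), ('sub', '?B', '?C')], ('sub', '?A', '?C'))
MEMBER = ([('in', '?a', '?U'), ('sub', '?U', '?F')], ('in', '?a', '?F'))

if __name__ == '__main__':
    print(apply_rule(TRANS, {('sub', 'U', 'V'), ('sub', 'V', 'W')}))  # {('sub', 'U', 'W')}
    for r in contrapositives(MEMBER):  # rules (3.5) and (3.4), in that order
        print(r)
```

Each returned conclusion is what a single application of the lifted rule adds to the sequent, which the sequent calculus derivation above needs three ∀L, one ⇒L and one ∧R step to obtain.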

The two examples show that the lifting of an initial assertion can be very beneficial. The next example illustrates that it is also beneficial to lift intermediate formulas, such as the induction hypothesis in an inductive proof. Note that the lifted formula is not closed.

Example 3.1.3. Consider the proof of the following simple statement about natural numbers ∀n, m. n < m ⇒ ∃u. n + u = m under the assertions

Nat: ∀x. x = 0 ∨ ∃y. x = s(y)
+s: ∀n, m. s(n) + m = s(n + m)
<s: ∀n, m. n < m ⇒ s(n) < s(m)
=<0: ∀n. n < 0 ⇒ ⊥
=s: ∀n, m. s(n) = s(m) ⇒ n = m

giving – among others – rise to the following rules:

Nat: $\dfrac{\Gamma, X = 0 \vdash \Delta \quad \Gamma, X = s(f_{[\exists y.\,X = s(y)]}(X)) \vdash \Delta}{\Gamma \vdash \Delta}$

<s: $\dfrac{\Gamma, N < M \vdash \Delta}{\Gamma, s(N) < s(M) \vdash \Delta}$

=<0: $\dfrac{}{\Gamma, N < 0 \vdash \Delta}$

In the first rule, f[∃y.X=s(y)] corresponds to the Skolem function that is introduced by using the liberalized δ++ rule [BHS93], which can be understood as follows: Standard Skolemization requires that the Skolem function f is new with respect to the whole sequent and takes as arguments all variables that occur free in the sequent. Contrary to that, the liberalized δ++ approach allows the use of the same Skolem function for all formulas that are equal modulo α-renaming. For example, the same Skolem function can be used for ∀x. P(x) and ∀y. P(y). We denote such Skolem functions by f[∀x.F], where [∀x.F] denotes the set of all formulas α-equal to ∀x.F. Secondly, the arguments to the Skolem function are only the free variables that actually occur in ∀x.F.
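As an added illustration of the δ++ naming scheme just described (not code from the thesis or from [BHS93]), the following Python snippet indexes a Skolem function by the α-equivalence class of its formula, computed as a de Bruijn-style key, and applies it only to the formula's own free variables, contrasted with a standard Skolemization step; the tuple encoding of formulas and the constant set are assumptions of this example.

```python
# Added example (not from the thesis): naming Skolem functions as the liberalized δ++ rule does,
# next to standard Skolemization. Encoding assumed here: ('exists', 'y', body) / ('forall', 'x', body)
# bind a variable; any other tuple is an atom or function term whose first element is its symbol;
# strings are variables, except the members of CONSTS.
CONSTS = {'0'}

def free_vars(f, bound=()):
    """Free variables of a formula/term, in order of first occurrence, without duplicates."""
    if isinstance(f, str):
        return [] if f in CONSTS or f in bound else [f]
    if f[0] in ('exists', 'forall'):
        return free_vars(f[2], bound + (f[1],))
    out = []
    for sub in f[1:]:
        out += [v for v in free_vars(sub, bound) if v not in out]
    return out

def alpha_key(f, bound=()):
    """Canonical name of the α-class [F]: bound variables become de Bruijn indices (#0 = innermost),
    so ∀x.P(x) and ∀y.P(y) get the same key, while free variables keep their names."""
    if isinstance(f, str):
        return f'#{bound[::-1].index(f)}' if f in bound else f
    if f[0] in ('exists', 'forall'):
        return f'{f[0]}.{alpha_key(f[2], bound + (f[1],))}'
    return f[0] + '(' + ','.join(alpha_key(sub, bound) for sub in f[1:]) + ')'

def subst(f, var, term):
    """Replace the free occurrences of `var` by `term` (the Skolem term here)."""
    if isinstance(f, str):
        return term if f == var else f
    if f[0] in ('exists', 'forall'):
        return f if f[1] == var else (f[0], f[1], subst(f[2], var, term))
    return (f[0],) + tuple(subst(sub, var, term) for sub in f[1:])

def skolemize_delta_pp(f):
    """δ++: f_[F] is indexed by the α-class of F and takes only F's own free variables.
    Returns (Skolem term, body with the bound variable replaced by it)."""
    sk = ('f[' + alpha_key(f) + ']',) + tuple(free_vars(f))
    return sk, subst(f[2], f[1], sk)

def skolemize_standard(f, sequent_free_vars, n):
    """Standard δ rule: a fresh symbol f_n per application, applied to all free variables of the sequent."""
    sk = (f'f{n}',) + tuple(sequent_free_vars)
    return sk, subst(f[2], f[1], sk)

if __name__ == '__main__':
    nat_case = ('exists', 'y', ('eq', 'X', ('s', 'y')))   # the ∃-disjunct of Nat
    renamed = ('exists', 'z', ('eq', 'X', ('s', 'z')))    # an α-variant of it
    print(skolemize_delta_pp(nat_case) == skolemize_delta_pp(renamed))  # True
    print(skolemize_standard(nat_case, ['X', 'n'], 0)[0])                # ('f0', 'X', 'n')
```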

During the proof, which is done by induction over n, many steps consist of the application of one of these assertions by decomposing and instantiating it in an appropriate way, thereby yielding several branches in the derivation tree, some of which can be closed using available facts and the axiom rule. Consider, for example, the derivation in Figure 3.1, which shows the assertion derivation of <s and the assertion level rules that can be extracted from it.

The derivation of <s (root first; each line after the first lists the premises of the line above it under the rule named in front of it):

Γ, ∀n, m. n < m ⇒ s(n) < s(m) ⊢ ∆
∀L: Γ, ∀m. u < m ⇒ s(u) < s(m) ⊢ ∆
∀L: Γ, u < v ⇒ s(u) < s(v), u < v ⊢ ∆
⇒L: ① Γ ⊢ u < v, ∆ (Ax)   and   ② Γ, s(u) < s(v) ⊢ ∆ (Ax)

Depending on which of the leaves ① and ② are closed by the axiom rule, we obtain the following possibilities:

<s①: $\dfrac{\Gamma, u < v, s(u) < s(v) \vdash \Delta}{\Gamma, u < v \vdash \Delta}$

<s②: $\dfrac{\Gamma \vdash n < m, \Delta}{\Gamma \vdash s(n) < s(m), \Delta}$

<s①②: $\dfrac{}{\Gamma, n < m \vdash s(n) < s(m), \Delta}$

Figure 3.1: Example derivation

For instance, if ∆ = {} and Γ = {u < v}, then the axiom rule is no longer applicable in ①, which becomes a new open sequent. Note that this remains a valid derivation if we add arbitrary formulas Γ′ to the antecedent or ∆′ to the succedent. We get a variety of these inferences depending on which applications of the axiom rule are enabled by filling Γ and ∆; these rules all represent one possible application of the assertion. However, if there is not at least one axiom rule application, then we do not consider this an application of the assertion (otherwise it would always be applicable); moreover, such a derivation is superfluous if none of the subformulas of the assertion is used in the proof. Skolem functions introduced by R-rules are always the same, which results from the use of the δ++ rule, where we use the same Skolem function for the same formulas. In the case of derived rules, these are always the subformulas of the assertion, which are always the same.

The induction step (root first; each line after the first lists the premises of the line above it under the rule named in front of it; the two cases of the Nat rule are listed separately):

⊢ ∀m. s(n) < m ⇒ ∃u. s(n) + u = m
∀R: ⊢ s(n) < m ⇒ ∃u. s(n) + u = m
⇒R: s(n) < m ⊢ ∃u. s(n) + u = m
Nat, first case (m = 0):
  s(n) < 0, m = 0 ⊢ ∃u. s(n) + u = m
  =s: s(n) < 0, m = 0 ⊢ ∃u. s(n) + u = 0 (closed by <0)
Nat, second case (m = s(f1(m))):
  s(n) < m, m = s(f1(m)) ⊢ ∃u. s(n) + u = m
  ∃R, =∗: s(n) < s(f1(m)), m = s(f1(m)) ⊢ s(n + U) = s(f1(m))
  <s: n < f1(m), m = s(f1(m)) ⊢ s(n + U) = s(f1(m))
  =s: n < f1(m), m = s(f1(m)) ⊢ n + U = f1(m)
  Hyp1: n < f1(m), m = s(f1(m)) ⊢ n < f1(m), n + f1(f1(m)) = f1(m) (closed by Ax)

Figure 3.2: Induction Step of the example

Figure 3.2 shows the induction step of the example statement, where the assertions {Nat, +s, <s, =<0, =s} and the induction hypothesis (which contains free variables)

∀m′. n < m′ ⇒ ∃u. n + u = m′

give rise to the new inferences Hyp1 and Hyp2:

Hyp1: $\dfrac{\Gamma \vdash n < M', n + f_1(M') = M', \Delta}{\Gamma \vdash n + f_1(M') = M', \Delta}$

Hyp2: $\dfrac{\Gamma, n < M', n + f_1(M') = M' \vdash \Delta}{\Gamma, n < M' \vdash \Delta}$

where f1 stands for the Skolem constant f[∃y.X=s(y)].