Interactive Theorem Proving in Lean

Compact course
Heidelberg Graduate School
Mathematical and Computational Methods for the Sciences

Florent Schaffhauser
Heidelberg University

Outline of the lectures

• Lecture 1: An introduction to Lean
• Lecture 2: Basic tactics
• Lecture 3: Dependent types
• Lecture 4: Algebraic structures

Recap from Lecture 1

• Functional programming languages based on dependent type theory with inductive types (such as Lean 4) can be used to formalise mathematics.
• Typechecking means verifying that our code is syntactically correct.
• It is important to get acquainted with curried functions and inductive types, as they can be used in a variety of contexts and for many purposes, in particular to formalise mathematics.
• To each inductive type there is associated an induction principle. It enables us to define functions out of an inductive type by pattern matching.

Lecture 2 - Tactics for deductive reasoning (basic tactics)

1. Natural deduction
2. Basic tactics

Practice file

If you prefer to learn the basic tactics by manipulating them directly, here is a practice file:

Basic tactics

Natural deduction

• Natural deduction is a branch of logic that concerns itself with the study of inference rules.
• A famous inference rule, of constant use in mathematics, is the modus ponens:

• We can also write this as a theorem. But to prove that theorem, we first need to define implications and conjunctions.

Implications

• What does it mean to prove an implication ? The answer to this question depends on the choice of your logic.
• In the classical approach, it means , which requires defining and first.
• In the constructive approach, which is the logic underlying Lean and other modern proof assistants, proving means to take a proof of and, from it, construct a proof of . This can be pictured as follows:

Conjunctions

• What does it mean to prove the conjunction ?
• By definition, a proof of is constructed from two objects: a proof of and a proof of .
• In other words, this is an inductive definition, similar to what we saw for product types in Lecture 1. The proposition And P Q has only one constructor, called And.intro.

inductive And (P Q : Prop) : Prop
  | intro : P → Q → And P Q

So, formally, defining a proposition is no different from defining a type.

The modus ponens rule revisited

We are starting to see that propositions behave like types, with functions between those types representings implications:

• By definition, a proof of an implication can be seen as a function which sends a proof of P to a proof of Q. The arrow is then denoted simply by .
• And the proof of a conjunction is the pair constructed from a proof of and a proof of .
• So having a proof of means having a function and a proof . And having a proof of the modus ponens rule means defiining a function that sends and to a proof of . Note that .

Propositions-as-types

• With this interpretation of propositions as types, the modus ponens rule is just evaluation of a function at a point:

• More generally, Gentzen's rules of natural deduction are equivalent to the rules of the (simply-typed) -calculus, which was introduced by Church in the 1930s.
• This is known as the Brouwer-Heyting-Kolmogorov interpretation of propositional logic (BHK), or as the basic case of the Curry-Howard correspondence.

Falsity and negation

• The BHK interpretation of propositional logic is purely syntactic. There is no logical value (Boolean) attached to a proposition.
• The negation of a proposition is defined without any reference to whether has a proof or not. Instead, we have:

• Here, is the proposition defined as the inductive type with no constructor. And by definition, proving means proving that, given a proof of , we can construct a proof of , which is considered an absurdity.

inductive False : Prop

The induction principle attached to implies that .

Constructive vs. classical

• Let us now compare and . The following program provides a proof of the implication

def cons_imp_classical {P Q : Prop} : (P → Q) → ¬(P ∧ ¬Q) :=
  fun (f : P → Q) ↦ fun (And.intro (p : P) (g : Q → False)) ↦ g (f p)

• The reverse implication does actually not hold constructively. To prove it for all , you would need to use the LEM. So the constructive approach is more general (less axioms).
• In Lean, you can choose to work constructively or classically. In Mathlib, most proofs use classical logic in one form or another (, for instance).

De Morgan's rules

• A good way to manipulate these concepts is to prove the De Morgan rules, starting with the first one:

• This requires giving a definition of and of .
• In the second De Morgan rule, only one implication can be proved constructively, namely .

Disjunctions

• Disjunctions are the propositional analogues of the sum types from Lecture 1. They are defined inductively, using two constructors (Or.inl and Or.inr).

inductive Or (P Q : Prop) : Prop
  | inl : P → Or P Q
  | inr : Q → Or P Q

• To construct a proof of , we must construct either a proof of or a proof of .
• This is classically but not constructively equivalent to .

Logical equivalences

• The type of logical equivalences is also defined inductively. Its terms are pairs where and .

inductive Iff (P Q : Prop) : Prop
  | intro : (P → Q) → (Q → P) → Iff P Q

• In Lean and other modern proof assistants, most (but not all) inductive types with only one constructor are passed as structures, which are not technically part of Martin-Löf's type theory but are useful for the implementation (they are record types, declared using the keyword structure).

structure Iff (P Q : Prop) : Prop where
  intro :: (mp : P → Q) (mpr : Q → P)

Equivalent types

• More generally, we can define a notion of equivalence between types. If and are types, a function is said to be an equivalence if it has a left inverse and a right inverse.
• Saying that is a left inverse for means that . This implies that is injective. In fact, it is logically equivalent to it.
• Saying that is a right inverse for means that . This implies that is surjective (the converse would require an axiom of choice).
• Note that, for such and , we have . The notion of equivalence between types is fundamental in homotopy type theory.

Proofs as programs

• As we have seen in examples, a proof is a program. To prove a proposition, we must construct a term of the relevant type.
• To do so, we must respect the syntactic rules. So our theorem will be proved if the type-checker validates the program.
• To write Lean programs, we can get assistance from the compiler: this is done by entering Lean's tactic mode, which will show a goal (which is a type) and a proof state (which is a list of terms, of various types).
• As we introduce tactics, our proof state and goal will change, until the goal is closed via unification, which is when a term is constructed, whose type coincides the goal.

Basic tactics for deductive reasoning

The basic tactic we shall need are the following:

• exact
• apply
• intro
• revert
• constructor
• rcases (and cases)
• left and right
• rfl

All these tactics are presented in the accompanying file for this lecture.

Modus ponens, one last time

Let us use tactic mode to prove the modus ponens rule. The point is to see the proof state and the goal evolve after each use of a tactic, until the goal is closed.

theorem mp {P Q : Prop} : (P → Q) ∧ P → Q := by  -- the goal is `(P → Q) ∧ P → Q`
  intro h  
  -- introduces a term of type `(P → Q) ∧ P` in the local context (new goal: `Q`)
  rcases h with ⟨f, p⟩  -- destructs `h` into `f : P → Q` and `p : P` (goal is still `Q`)
  exact f p  -- constructs a term `f p : Q`, which closes the goal (unification)

For comparison, the term mode proof would be more or less of the same length, but in term mode the infoview does not show anything, except the absence of an error message.

theorem mp {P Q : Prop} : (P → Q) ∧ P → Q :=
  fun (And.intro (f : P → Q) (p : P)) ↦ f p 

Tautologies

A tautology is a proposition which is built up from older ones and which has a proof regardless of whether the old ones do. Proving such propositions help familiarise oneself with the basic tactics. Can you state and prove the following ones?

• , , .
• , , .
• , .
• .
• .
• , , .

Wrap-up and where to go from here

• Propositions are defined as types. We can form new propositions from old ones using , , and . The modus ponens rule corresponds to evaluating a function.
• The logic is not external to our typing system. There are no logical values or truth tables. The rules of inference are syntactic rules, not axioms.
• To prove a theorem, you write a program. If the program type-checks, the theorem is proved.
• To write proofs in Lean, you can get assistance from the compiler by entering Lean's tactic mode.
• In the next lecture, we will learn how to encode the and quantifiers, so we can state and prove more sophisticated mathematical statements.

Exercises of deductive reasoning

• Let us now see the basic tactics in action (same file as at the start of the lecture).
• I also include one more practice file, whose exercises are meant to illustrate the difference between constructive and classical logic.
• Both are designed to help you get acquainted with Lean's basic tactics.

Basic tactics Logic