Interactive Theorem Proving in Lean

Lecture 2: Basic tactics.

Florent Schaffhauser
Heidelberg University

Outline of the lectures

• Lecture 1: An introduction to Lean.
• Lecture 2: Basic tactics.
• Lecture 3: Dependent types.
• Lecture 4: Algebraic structures.

Recap from Lecture 1

• Statically-typed functional programming languages with type inference capabilities such as Lean 4 can be used to formalise mathematics.
• Type-checking means verifying that our code is syntactically correct.- Curried functions and inductive types are used in a variety of contexts and for many purposes, in particular to formalise mathematics.
• To each inductive type there is associated an induction principle. In practice, we can define functions out of an inductive type by pattern matching on the constructors of an inductive type.

Lecture 2 - Tactics for deductive reasoning (basic tactics)

1. Natural deduction.
2. Basic tactics.

Practice file

If you prefer to learn the basic tactics by manipulating them directly, here is a practice file:

Basic tactics.

Natural deduction

• Natural deduction is a branch of logic that concerns itself with the study of inference rules.
• A famous inference rule, of constant use in mathematics, is the modus ponens:

• We can also write this as a theorem. But to prove that theorem, we first need to define implications and conjunctions.

Implications

• What does it mean to prove an implication ? The answer to this question depends on the choice of your logic.
• In the classical approach, it is usually defined as , which requires first defining and . Equivalently, it can (from the classical viewpoint) be defined as , which requires first defining and .
• In the constructive approach, which is the logic underlying Lean and other modern proof assistants, proving means to take a proof of and, from it, construct a proof of . This means constructing a function from to and can be pictured as follows:

Conjunctions

• What does it mean to prove the conjunction ?
• By definition, a proof of is constructed from two objects: a proof of and a proof of .
• In other words, this is an inductive definition, similar to what we saw for product types in Lecture 1. The proposition And P Q has only one constructor, called And.intro.

inductive And (P Q : Prop) : Prop
| intro : P → Q → And P Q

So, formally, defining a proposition is no different from defining a type.

The modus ponens rule revisited

We are starting to see that propositions behave like types, with functions between those types representings implications:

• By definition, a proof of an implication can be seen as a function which sends a proof of P to a proof of Q. The arrow is then denoted simply by .
• And the proof of a conjunction is the pair constructed from a proof of and a proof of .
• So having a proof of means having a function and a proof . And having a proof of the modus ponens rule means defiining a function that sends and to a proof of . Note that .

Propositions-as-types

• With this interpretation of propositions as types, the modus ponens rule is just evaluation of a function at a point:

• More generally, Gentzen's rules of natural deduction are equivalent to the rules of the (simply-typed) -calculus, which was introduced by Church in the 1930s.
• This is known as the Brouwer-Heyting-Kolmogorov interpretation of propositional logic (BHK), or as the basic case of the Curry-Howard correspondence.

Falsity and negation

• The BHK interpretation of propositional logic is purely syntactic. There is no logical value (Boolean) attached to a proposition.
• The negation of a proposition is defined without any reference to whether has a proof or not. Instead, we have:

• Here, is the proposition defined as the inductive type with no constructor. And by definition, proving means proving that, given a proof of , we can construct a proof of , which is considered an absurdity.

inductive False : Prop

The induction principle attached to implies that .

Constructive vs. classical

• Let us now compare and . The following program provides a proof of the implication

def cons_imp_classical {P Q : Prop} : (P → Q) → ¬(P ∧ ¬Q) :=
fun (f : P → Q) ↦ fun (And.intro (p : P) (g : Q → False)) ↦ g (f p)

• The reverse implication actually does not hold constructively. To prove it for all , you would need to use the LEM (or double negation). Note that the constructive approach is more general (less axioms).
• In Lean, you can choose to work constructively or classically. In Mathlib, most proofs use classical logic in one form or another (, for instance).

Disjunctions

• Disjunctions are the propositional analogues of the sum types from Lecture 1. They are defined inductively, using two constructors (Or.inl and Or.inr).

inductive Or (P Q : Prop) : Prop
| inl : P → Or P Q
| inr : Q → Or P Q

• To construct a proof of , we must construct either a proof of or a proof of .
• This is classically but not constructively equivalent to .

Truth tables

• In classical logic, a proposition is assumed to have an associated logical value (true or false, of type Bool) that completely characterises . And is defined as the proposition that is true if is false and false if is true.
• One can then define the propositions and via their so-called truth tables.

Implications in classical logic

• In classical logic, the proposition is defined as the proposition with the same truth tables as , or equivalently .

• That table contains the fact that, when is false, the proposition is true regardless of the logical value of .
• As we have seen, this approach to implication is very different from the constructive approach. Constructively, the following implications hold, but their converses do not.

De Morgan's rules

• A good way to manipulate these concepts is to prove the De Morgan rules, starting with the first one:

• This requires giving a definition of and of .
• In the second De Morgan rule, only one implication can be proved constructively, namely .

Logical equivalences

• The type of logical equivalences is also defined inductively. Its terms are pairs where and .

inductive Iff (P Q : Prop) : Prop
| intro : (P → Q) → (Q → P) → Iff P Q

• In Lean and other modern proof assistants, most (but not all) inductive types with only one constructor are passed as structures, which are not technically part of Martin-Löf's type theory but are useful for the implementation (they are record types, declared using the keyword structure).

structure Iff (P Q : Prop) : Prop where
intro :: (mp : P → Q) (mpr : Q → P)

Equivalent types

• More generally, we can define a notion of equivalence between types. If and are types, a function is said to be an equivalence if it has a left inverse and a right inverse.
• Saying that is a left inverse for means that . This implies that is injective. Saying that is a right inverse for means that . This implies that is surjective.
• Note that, for such and , we have which, by function extensionality, implies that .
• If is a function between sets that is both injective and surjective, we should be able to construct an inverse for it. The notion of equivalence between types is fundamental in homotopy type theory.

Proofs as programs

• As we have seen in examples, a proof is a program. To prove a proposition, we must construct a term of the relevant type.
• To do so, we must follow the syntactic rules. Our theorem will be proved if the type-checker validates the program.
• To write Lean programs, we can get assistance from the kernel: this is done by entering Lean's tactic mode, which will show a goal (which is a type) and a context (which is a list of terms, of various types). Goal and context put together constitute the \textit{proof state}.
• As we introduce tactics, our context and goal will change, until the goal is closed via unification, which occurs when a term is constructed, whose type coincides with the goal.

Basic tactics for deductive reasoning

The basic tactics we shall need are the following:

• exact and apply.
• intro and revert.
• constructor.
• rcases and cases.
• left and right.
• rfl.
• exact? and apply?.
• refine.

All these tactics are presented in the accompanying file for this lecture.

Modus ponens, one last time

Let us use tactic mode to prove the modus ponens rule. The point is to see the proof state and the goal evolve after each use of a tactic, until the goal is closed.

theorem mp {P Q : Prop} : (P → Q) ∧ P → Q :=
by {                    -- shows the goal to be `(P → Q) ∧ P → Q`
  intro t               -- introduces a term `t` of type `(P → Q) ∧ P` in the local context (the goal is now `Q`)
  rcases t with ⟨f, p⟩  -- destructs the term `t` into `f : P → Q` and `p : P` (goal is still `Q`)
  exact f p             -- constructs a term `f p : Q`, which closes the goal (unification)
}

For comparison, the term mode proof would be of a similar length and structure. The type ascriptions are optional and the program can even be shortened to fun ⟨f, p⟩ ↦ f p.

theorem mp {P Q : Prop} : (P → Q) ∧ P → Q :=
fun t ↦ match (t :(P → Q) ∧ P) with | And.intro (f : P → Q) (p : P) => f p

Tautologies

A tautology is a proposition which is built up from older ones and which has a proof regardless of whether the old ones do. Proving such propositions help familiarise oneself with the basic tactics. Can you state and prove the following ones?

• , , .
• , , .
• , .
• .
• .
• , , .

Wrap-up and where to go from here

• Propositions are defined as types. We can form new propositions from old ones using , , and . The modus ponens rule corresponds to evaluating a function.
• The logic is not external to our typing system. There are no logical values or truth tables. The rules of inference are syntactic rules, not axioms.
• To prove a theorem, you write a program. If the program type-checks, the theorem is proved.
• To write proofs in Lean, you can get assistance from the kernel by entering Lean's tactic mode.
• In the next lecture, we will learn how to encode the and quantifiers, so we can state and prove more sophisticated mathematical statements.

Exercises of deductive reasoning

• Let us now see the basic tactics in action (same file as at the start of the lecture).
• I also include one more practice file, whose exercises are meant to illustrate the difference between constructive and classical logic.
• Both are designed to help you get acquainted with Lean's basic tactics.

Basic tactics. Logic.