Emulating proof-by-hand with Isabelle

Julio Rubio
Departamento Matemáticas y Computación
Universidad de La Rioja (Spain)
(Based on joint work with J. Aransay & C. Ballarin)
(Remarks by a naive user)

Remark 1. Working with a computer-aided proof tool is difficult (independently of the automation degree).

Remark 2. Thus, a computer-aided version of a proof tends to be considerably more difficult than the corresponding by-hand proof.
(Remarks by a naive user)

Remark 3. In situations where the benefits of a computer-based proof are relevant (e.g. in problems related to program certification) and where the underlying mathematical problem is non-trivial, some new resources are needed.
(Remarks by a naive user)

Remark 4. Each by-hand proof has an "animating spirit". (This is why we talk about different proofs of the same theorem, beyond syntactic or presentation differences.)

Remark 5. That "vaporous spirit" cannot be captured by general strategies, heuristics or tacticals.
(Remarks by a naive user)

Remark 6. These orienting ideas can be expressed a posteriori by logical tools, but they are not easily deduced or inferred from logic (they depend on the "universe of discourse").

Remark 7. But these ideas are rarely linked to an isolated theorem; so they are open to reuse (likely in the same universe of discourse as the theorem which raised them).
(Remarks, hopes and claims by a naive user)

Remark 8. In each case, a trade-off between immediacy and genericity must be looked for.

Hope 1. This trade-off point can in many cases be found.

Claim 1 (Tentative). This is a way (the only one?) in which the mechanised reasoning tools can be usable and relevant in standard mathematics and its applications.
(Remarks, hopes and claims by a naive user)

Hope 2. These informal guidelines can be used in our problem of constructing a mechanised proof of the Basic Perturbation Lemma (BPL).

Claim 2 (Tentative). The guidelines illustrated in the previous remarks (or some variants of them) should have been used in the successful applications of computer-based proof tools.
A case-study in mechanised homological algebra

Initial problem: Kenzo, a symbolic computation system for Algebraic Topology (Sergeraert). Brand new results. BPL: the central algorithmic tool in Kenzo.

Approach: formal methods in symbolic computation to increase the reliability of systems.

Previous studies: algebraic specification of the Kenzo data structures.
Definitions (ungraded version)

A differential group (G,d) is an abelian group G together with a homomorphism d : G → G satisfying d ∘ d = 0.

A group homomorphism f between two differential groups (G1,d1) and (G2,d2) is nothing but a group homomorphism f : G1 → G2.

A differential group homomorphism f between two differential groups (G1,d1) and (G2,d2) is a group homomorphism f : G1 → G2 satisfying f ∘ d1 = d2 ∘ f.

[The homology group of a differential group (G,d) is the quotient group H(G,d) := Ker(d) / Im(d).]
Definitions (ungraded version)

A reduction between two differential groups (G1,d1) and (G2,d2) is a triple (f,g,h) where f : (G1,d1) → (G2,d2) and g : (G2,d2) → (G1,d1) are differential group homomorphisms and h : (G1,d1) → (G1,d1) is a group endomorphism satisfying some simple equations.

Those equations imply that H(G1,d1) ≅ H(G2,d2).

A perturbation of a differential group (G,d) is a group homomorphism δ : G → G such that d + δ is a new differential on G, i.e. (d + δ) ∘ (d + δ) = 0.

A group endomorphism a : G → G is locally nilpotent if for each x ∈ G there exists a natural number n such that a^n(x) = 0.
Statement of the BPL

Let (f,g,h) be a reduction from (G1,d1) to (G2,d2), and let δ : G1 → G1 be a perturbation of (G1,d1) such that (δ ∘ h) is locally nilpotent. Then a new reduction (f',g',h') from (G1,d1+δ) to (G2,d2+δ') can be explicitly defined by means of a series:

S = 1 - (δ h) + (δ h)^2 - (δ h)^3 + ...

Proof. By-hand (by Sergeraert's hand) proof with two parts:
Part I. Dealing with the series.
Part II. A quasi-equational (rather based on "formula rewriting") proof.

Part II: Seven lemmas
Lemma 1. Let (f,g,h) be a reduction from (G1,d1) to (G2,d2). Then Im(g ∘ f) and (G2,d2) are canonically isomorphic by means of F(x) := f(x) and F⁻¹(x) := g(x).

Lemma 1'. Let f : G1 → G2, g : G2 → G1 be two group homomorphisms such that f ∘ g = 1. Then Im(g ∘ f) and G2 are canonically isomorphic by means of F(x) := f(x) and F⁻¹(x) := g(x).

Isabelle proof. Ad-hoc, reasonable size (1300 code lines), no problem.

Lemma 2. Let (G,d) be a differential group, h : G → G a group endomorphism satisfying h ∘ h = 0 and hdh = h. Let's define p := dh + hd. Then (1-p, i, h) is a reduction from (G,d) to Ker(p).
2 H
40h ? ̙338!(
8
8
<PV
DLemma 2 . In the same conditions as in Lemma 2.
Then 1p : G Ker(p) and (1p)h = 0. F[ 8&C
8
<]
,$D0
8Isabelle proof . Script size explosion:
400 code lines before deploying
the complete set of hypothesis.
Worst and worst in the next lemmas.
No fundamental (in the sense of foundational )
problem.
Only a practical one.( V
8
<h
f,$D0
LWhy?
8
<
,$D0
aLow level of abstraction. T
8
<6
,$D0
NLet s look at the real byhand proof...6(( H
Lemma 2'. In the same conditions as in Lemma 2 (hh = 0, hdh = h, p = dh + hd). Then 1-p : G → Ker(p) and (1-p) h = 0.

Proof. (1-p) h = h - (dh + hd) h = h - dhh - hdh = h - 0 - h = 0
(and p (1-p) = 0, since pp = p).

So, this is very easy. Almost trivial! No "vaporous spirit". A student exercise. This really looks like an actual equational proof!

Let's take it seriously...
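The by-hand computation above can be replayed pointwise on a small differential group. The following Python script is an added example, not part of the talk; the group Z^3 with its d and h is constructed for it, and besides the hypotheses of Lemma 2 it checks the three identities the proof uses: (1-p) h = 0, pp = p and p (1-p) = 0.

```python
# Added example (not from the talk): check Lemma 2 on a concrete differential
# group: G = Z^3 with basis e1, e2, e3, d(e2) = e1, d(e1) = d(e3) = 0,
# h(e1) = e2, h(e2) = h(e3) = 0. Endomorphisms are 3x3 integer matrices
# acting on column vectors; the matrices below are constructed sample data.

def matmul(a, b):
    """Product of two square integer matrices given as lists of rows."""
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def sub(a, b):
    return [[x - y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def is_zero(a):
    return all(x == 0 for row in a for x in row)

# Constructed sample: the differential d and the contraction h on Z^3.
D = [[0, 1, 0], [0, 0, 0], [0, 0, 0]]   # column 2 is e1: d(e2) = e1
H = [[0, 0, 0], [1, 0, 0], [0, 0, 0]]   # column 1 is e2: h(e1) = e2

def hypotheses_hold(d, h):
    """dd = 0 (differential group), hh = 0 and hdh = h (Lemma 2)."""
    return (is_zero(matmul(d, d)) and is_zero(matmul(h, h))
            and matmul(h, matmul(d, h)) == h)

def projection(d, h):
    """p := dh + hd; Ker(p) is the target of the reduction (1-p, i, h)."""
    return add(matmul(d, h), matmul(h, d))

def lemma2_conclusions(d, h):
    """The identities the by-hand proof of Lemma 2' derives from p:
    (1-p)h = 0, pp = p and p(1-p) = 0 (hence Im(1-p) <= Ker(p))."""
    p = projection(d, h)
    one_minus_p = sub(identity(len(d)), p)
    return {"(1-p)h = 0": is_zero(matmul(one_minus_p, h)),
            "pp = p": matmul(p, p) == p,
            "p(1-p) = 0": is_zero(matmul(p, one_minus_p))}

if __name__ == "__main__":
    assert hypotheses_hold(D, H)
    print(lemma2_conclusions(D, H))  # all True
    print(projection(D, H))          # diag(1, 1, 0): Ker(p) is spanned by e3
```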
Lemma 2''. Let R be a ring and h,d,p ∈ R satisfying: hh = 0, hdh = h, p = dh + hd. Then (1-p) h = 0.

Isabelle proof. by algebra

Is this a proof of Lemma 2' for the BPL? by... Clemens Ballarin

In a (loose) sense, yes: there is an abstraction (or interpretation) function from Isabelle (the ring R) to Mathematics (End(G)), and then the proof is transferred!

Is this a "dirty trick"?
The representational step is always present (as in any computer-based mathematics).

Let's illustrate this point with the example of homomorphisms: f : G1 → G2 is a total map satisfying the usual equations.

Now, in Isabelle (the representation of) a group has a type α, a carrier set on α and the corresponding operations.

So, if G1 has a type α1 and G2 has a type α2, it is natural to think that (the representation of) f has in Isabelle type α1 ⇒ α2.
H
D0h ? ̙33S0H(
H~
H
<P
DBut:
1) functions in Isabelle are always total
2) f only determines the behaviour of its
representation on (carrier G1)
and no on the rest of data in a1 +A
#
l
H ,$D0
H
<9
8So, the typed nature of Isabelle leds us to a situation:99&!
H
<
RIsabelle
H
<(/
MTotal fB
H
6Dp` `
H
<Tu
UMathematics
H
<q
MTotal
H
<GA
UPartiality? l l
Hl
,$D0
H
<بl
=
7So, the abstraction function in this case is mandatory:888
H
<T
RIsabelle P
H
<
f :: a1 a2
ZB
H
s*Dd
0d
H
<ķ
UMathematics 2
H
<{
nf : G1 G2
such that f(x) := f(x),
" x (carrier G1) 8
8
H
<K4E
UAbstraction H
Obviously, this abstraction function is not injective: f1 ≠ f2 in Isabelle may have the same abstraction ("abstraction equality").

This establishes a clear link between mathematical objects and their computer counterparts. This allows us, for instance, to construct a mechanised proof in Isabelle of the following result:

Theorem. The set End(G) can be endowed with a canonical (non-Abelian) ring structure.
Abstraction is always present (even if unnoticed or in a trivial, literal costume).

Which are the constraints for an abstraction map? (Being a mathematical resource, it can be as complex as imaginable; even breaking the barriers between the computable and the non-computable.)

The answer: it depends on the user's aims.

Is the representation given for a group homomorphism OK?

It depends... No, at least if we want to reason in a fully equational way in Isabelle with it.
[Diagram, only partly recoverable: a completion of f defined by cases ("If ... ∈ carrier G ...", "If ... id ..."), giving a computable f : Uα1 → Uα2; the resulting set of endomorphisms is written Endcompl(G).]
Lemma 2'''. Let h,d,p ∈ Endcompl(G) satisfying: hh = 0, hdh = h, p = dh + hd. Then (1-p) h = 0.

Isabelle proof. by algebra

Is it enough?

Lemma 2'. In the same conditions as in Lemma 2 (hh = 0, hdh = h, p = dh + hd). Then 1-p : G → Ker(p) and (1-p) h = 0.

There are different groups involved.

The abstraction trick? No, we need computational content in the proof objects.
Lemma 2'. In the same conditions as in Lemma 2 (hh = 0, hdh = h, p = dh + hd). Then 1-p : G → Ker(p) and (1-p) h = 0.

Proof. (1-p) h = h - (dh + hd) h = h - dhh - hdh = h - 0 - h = 0
(and p (1-p) = 0, since pp = p).

So, which is the "vaporous spirit" animating this proof?

Equational reasoning + the same names representing different morphisms (with different sources and targets).
New representation for homomorphisms:

< A, B, f : G1 → G2 >

where A <= G1, Im(f) <= B and f is, as before, a completion w.r.t. G1 and G2.

The composite of two triples can be defined in a quite general way:

< C, D, g : G2 → G3 > ∘ < A, B, f : G1 → G2 >  =  < A, D, g ∘ f : G1 → G3 >

assuming that B <= C.
If A and B are fixed, {< A, B, f : G1 → G2 >} can be endowed with an Abelian group structure.

If A = B = G1 = G2, it is endowed with a ring structure.

So, this allows equational reasoning, as above. (Isabelle equality is abstraction equality.)

Note that the information in < A, G2, f : G1 → G2 > is strictly richer than in f : A → G2 because the completion on A erases more information than the completion on G1.
The essential tool for reasoning (at a very high level) with triples (let's call them "morphisms" instead of "maps" or "functions") is almost trivial from a standard mathematics point of view:

Laureano's Lemma. If < C, D, g > ∘ < A, B, f > = < A, D, h > and A' <= A, Im(f) <= B' <= C', Im(g) <= D', Im(h) <= D', then < C', D', g > ∘ < A', B', f > = < A', D', h >.

This lemma allows us to go up (for equational reasoning) and to go down to obtain the real conclusions (the part "p (1-p) = 0, since pp = p" at the end of the by-hand proof of Lemma 2').
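As an added example (not the talk's own Isabelle development), the following Python script models the triples < A, B, f > introduced above, their composite with its B <= C side condition, abstraction equality, and the "going down" step of Laureano's Lemma, on a constructed finite group (Z/2)^3 carrying the d and h of Lemma 2.

```python
# Added example (not from the talk): a finite model of the "morphisms level".
# A morphism is a triple < A, B, f : G1 -> G2 > with A <= G1, Im(f|A) <= B and
# f a total dict on G1 (its completion). Constructed sample: G1 = G2 = (Z/2)^3
# with d(e2) = e1 and h(e1) = e2, the situation of Lemma 2.
from itertools import product
G = frozenset(product((0, 1), repeat=3))   # carrier, used as source and target

def lin(cols):
    """Total map on G determined by the images cols[k] of e1, e2, e3 (mod 2)."""
    return {x: tuple(sum(x[k] * cols[k][i] for k in range(3)) % 2
                     for i in range(3)) for x in G}

class Morphism:
    def __init__(self, A, B, f):
        assert A <= G and all(f[x] in B for x in A), "not a well-formed triple"
        self.A, self.B, self.f = frozenset(A), frozenset(B), dict(f)

    def __matmul__(self, other):
        """< C, D, g > @ < A, B, f > = < A, D, g o f >, defined only if B <= C."""
        if not other.B <= self.A:
            raise ValueError("composite undefined: B is not contained in C")
        return Morphism(other.A, self.B, {x: self.f[other.f[x]] for x in G})

    def __eq__(self, other):
        # Abstraction equality: same bounds, same completion on the carrier.
        return (self.A, self.B) == (other.A, other.B) and self.f == other.f

    def restrict(self, A_new, B_new):
        """Laureano's Lemma: tighten bounds when A' <= A and Im(f|A') <= B'."""
        assert A_new <= self.A
        return Morphism(A_new, B_new, self.f)

d = lin([(0, 0, 0), (1, 0, 0), (0, 0, 0)])   # d(e1) = 0, d(e2) = e1, d(e3) = 0
h = lin([(0, 1, 0), (0, 0, 0), (0, 0, 0)])   # h(e1) = e2, h(e2) = h(e3) = 0
p = {x: tuple((d[h[x]][i] + h[d[x]][i]) % 2 for i in range(3)) for x in G}
one_minus_p = {x: tuple((x[i] - p[x][i]) % 2 for i in range(3)) for x in G}
zero = {x: (0, 0, 0) for x in G}
ker_p = frozenset(x for x in G if p[x] == (0, 0, 0))

def composite_defined(g, f):
    """Whether g o f exists as a triple (the B <= C side condition)."""
    try:
        g @ f
        return True
    except ValueError:
        return False

def lemma2_prime_at_morphism_level():
    """Go up (ring {< G, G, f >}), then go down by Laureano's Lemma to Ker(p)."""
    up = Morphism(G, G, one_minus_p) @ Morphism(G, G, h) == Morphism(G, G, zero)
    im_in_ker = all(one_minus_p[x] in ker_p for x in G)   # p(1-p) = 0
    down = (Morphism(G, G, one_minus_p).restrict(G, ker_p) @ Morphism(G, G, h)
            == Morphism(G, ker_p, zero))
    return up and im_in_ker and down
```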
Lemma 2'. In the same conditions as in Lemma 2 (hh = 0, hdh = h, p = dh + hd). Then 1-p : G → Ker(p) and (1-p) h = 0.

Proof. By equational reasoning (by algebra) on the ring {< G, G, f : G → G >}:

< G, G, 1-p > ∘ < G, G, h > = < G, G, 0 >

Now, again by algebra (using dd = 0),

< G, G, p > ∘ < G, G, p > = < G, G, p >

and

< G, G, p > ∘ < G, G, 1-p > = < G, G, 0 >

Thus, Im(1-p) <= Ker(p), and by Laureano's Lemma

< G, Ker(p), 1-p > ∘ < G, G, h > = < G, Ker(p), 0 >

In Isabelle: work in progress...
Claim 3 (Tentative). These two tools (equational reasoning + Laureano's Lemma) capture the spirit of the proof-by-hand of Lemma 2'.

Claim 3' (Tentative). These tools are enough to emulate accurately and step-by-step the proof by-hand (as presented in usual mathematical texts) of Lemma 2'.

Remark 9. Very likely the number of Isabelle code lines needed to implement these tools will be greater than the number of lines needed to prove Lemma 2' in Isabelle by means of a brute-force strategy.
Hope 3. These tools reach the right trade-off point between immediacy and genericity (i.e. they will be directly applicable to the rest of the lemmas needed for the proof of the second part of the BPL).

Remark 10. It is quite probable that these tools are not sufficient to end the proof emulating the by-hand style.

For instance, it is foreseen that another equality will be necessary:

< Ker(f), B, f : G1 → G2 > = < Ker(f), B, 0 : G1 → G2 >
Conclusions.

Abstraction is always present in automated reasoning.

Ultimate reason: the final users (and interpreters) of formalised proofs are human beings.

Different abstraction degrees can be designed and chosen.

In our concrete problem in formalised homological algebra we have detected three abstraction levels:
1) The symbolic level.
2) The pointwise level.
3) The morphisms level.
1) Symbolic level. We work in generic rings or groups.
- Very efficient.
- Too rigid, and it lacks "computational content".

2) Pointwise level. Work with functions, reasoning always with the elements of the image.
- Sufficiently flexible and complete from any point of view.
- Script size explosion.
3) Morphisms level. This is an intermediary abstraction degree between (1) and (2).
- It allows the user a "pointless" reasoning, where the same function symbol can be used in different contexts (i.e. with different domains and codomains).
- We hope this level is the right one in order to emulate in Isabelle the proof-by-hand of the BPL that we are trying to mechanise.