Consider the following following definition definition phi :: "nat ⇒ nat" where "phi n = card {k∈{0<..n}. coprime n k}" (see also this answer)
How can I then prove a very basic fact, like phi(p)=p-1 for a prime p ? Here is one possible formalization of this lemma, though I'm not sure it's the best one:
lemma basic:
assumes "prime_elem (p::nat) = true"
shows "phi p = p-1"
(prime_elem is defined in Factorial_Ring.thy)
Using try resp. try0 doesn't lead anywhere. (A proof by hand is immediate though, since the GCD between any m less than p and p is 1. But poking around various file didn't turn out to be very helpful, I imagine I have to guess some clever lemma that I have to give auto for the proof to succeed.)
First of all, true doesn't exist. Isabelle interprets this as a free Boolean variable (as you can see by the fact that it is printed blue). You mean True. Also, writing prime_elem p = True is somewhat unidiomatic; just write prime_elem p.
Next, I would suggest using prime p. It's equivalent to prime_elem on the naturals; for other types, the difference is that prime also requires the element to be ‘canonical’, i.e. 2 :: int is prime, but -2 :: int is not.
So your lemma looks like this:
lemma basic:
assumes "prime_elem (p::nat)"
shows "phi p = p - 1"
proof -
Next, you should prove the following:
from assms have "{k∈{0<..p}. coprime p k} = {0<..<p}"
If you throw auto at this, you'll get two subgoals, and sledgehammer can solve them both, so you're done. However, the resulting proof is a bit ugly:
apply auto
apply (metis One_nat_def gcd_nat.idem le_less not_prime_1)
by (simp add: prime_nat_iff'')
You can then simply prove your overall goal with this:
thus ?thesis by (simp add: phi_def)
A more reasonable and robust way would be this Isar proof:
lemma basic:
assumes "prime (p::nat)"
shows "phi p = p - 1"
proof -
have "{k∈{0<..p}. coprime p k} = {0<..<p}"
proof safe
fix x assume "x ∈ {0<..p}" "coprime p x"
with assms show "x ∈ {0<..<p}" by (cases "x = p") auto
next
fix x assume "x ∈ {0<..<p}"
with assms show "coprime p x" by (simp add: prime_nat_iff'')
qed auto
thus ?thesis by (simp add: phi_def)
qed
By the way, I would recommend restructuring your definitions in the following way:
definition rel_primes :: "nat ⇒ nat set" where
"rel_primes n = {k ∈ {0<..n}. coprime k n}"
definition phi :: "nat ⇒ nat" where
"phi n = card (rel_primes n)"
Then you can prove nice auxiliary lemmas for rel_primes. (You'll need them for more complicated properties of the totient function)
Related
Is it possible in Isabelle to define a terminating recursive function f where
f has a single parameter of type t such that values of type t may contain maps to values of type t, and
f performs its recursive calls on all elements in the range of such a map?
For example consider the datatype trie defined in theory Trie_Fun:
datatype 'a trie = Nd bool "'a ⇒ 'a trie option"
and my attempt at a simple function height intended to compute the height of tries (with finitely many outgoing edges):
theory Scratch
imports "HOL-Data_Structures.Trie_Fun"
begin
function height :: "'a trie ⇒ nat" where
"height (Nd _ edges) = (if dom edges = Set.empty ∨ ¬ finite (dom edges)
then 0
else 1 + Max (height ` ran edges))"
by pat_completeness auto
termination (* ??? *)
end
Here lexicographic_order does not suffice to prove the function to be terminating, but so far I have also not been able to formulate any measure on trie (for termination) that does not itself require a similar recursion.
I must admit here that I am not sure whether I have understood datatypes in Isabelle/HOL correctly (i.e., whether a trie of the above definition is actually always of finite height).
Is it possible to show that height terminates?
Based to the comment by Peter Zeller, I was able to prove termination of height by adding (domintros) to the definition and then performing induction on the trie, using the fact height.domintros, resulting in the following termination proof:
function (domintros) height :: "'a trie ⇒ nat" where
"height (Nd _ edges) = (if dom edges = Set.empty ∨ ¬ finite (dom edges)
then 0
else 1 + Max (height ` ran edges))"
by pat_completeness auto
termination apply auto
proof -
fix x :: "'a trie"
show "height_dom x"
proof (induction)
case (Nd b edges)
have "(⋀x. x ∈ ran edges ⟹ height_dom x)"
proof -
fix x assume "x ∈ ran edges"
then have "∃a. edges a = Some x"
unfolding ran_def by blast
then have "∃a. Some x = edges a"
by (metis (no_types))
then have "Some x ∈ range edges"
by blast
then show "height_dom x"
using Nd by auto
qed
then show ?case
using height.domintros by blast
qed
qed
I have the following subgoals:
proof (prove)
goal (2 subgoals):
1. ⋀y. ∃x. P x ⟹ P (?x6 y)
2. ⋀y. ∃x. P x ⟹ Q (?y8 y) ⟹ Q y
I want to conclude the proof or continue trying stuff but I don't know how to introduce things into the unknowns (schematic variables) i.e variables with ?.
How does one do that?
Firstly, it is necessary to understand how schematic variables appeared in your subgoals. Normally, unless you are using schematic_goal, schematic variables appear in the subgoals after some form of rule application, whether implicit or explicit.
If the rule application was explicit (e.g. apply (rule conjunct1)), then a reasonably standard methodology for dealing with the problem that you described is to substitute the variables that you wish to 'try' directly into the rule, e.g. apply (rule conjunct1[of A]). In this case, there will be no schematic variables in your goals and, therefore, the problem implicitly disappears.
If the rule application was implicit (e.g. via one of the tools for classical reasoning), then your options depend on whether the subgoals were generated in an apply script or within the body of an Isar proof. Nonetheless, before I proceed, I would like to mention that the proofs where you have to interact with subgoals generated after the application of any 'black-box' methods are not considered to be a very good style (at least, in my opinion).
In the case of the former, there is nothing that you need to do to "try stuff". Once the variable that you wish to substitute (e.g. z) is defined, you can use show "∃x. P x ⟹ P (z y)" in the body of the Isar proof. Similarly, in an apply script, you can resolve with pre-substituted variables.
I demonstrate all these methods in the context of a simplified example below:
context
fixes A B :: bool
assumes AB: "A ∧ B"
begin
lemma A by (rule conjunct1[of _ B]) (rule AB)
lemma A
by (rule conjunct1) (rule AB)
lemma A
proof(rule conjunct1)
show "A ∧ B" by (rule AB)
qed
end
The important parts are already explained by user9716869. I just wanted to add:
You current subgoal is probably not solvable if you don't have additional information available. If you need the x from ∃x. P x to instantiate the schematic variable ?x6 then you need to obtain the value of x before the schematic variable is created.
Schematic variables are instantiated automatically by matching.
This works well if the schematic variable is not a function, so you can just continue to write your proof as if the correct value was already there.
If you want to fix the value in an apply style proof (other cases are already given in the other answer), you could use subgoal_tac followed by assumption:
lemma "⋀y. ∃x. P x ⟹ ∃x::nat. P x"
apply (rule exI)
― ‹⋀y. ∃x. P x ⟹ P (?x y)›
apply (subgoal_tac "P 42", assumption)
― ‹⋀y. ∃x. P x ⟹ P 42›
oops ― ‹Not possible to prove›
lemma "⋀y. ∃x. P x ⟹ ∃x::nat. P x"
apply (erule exE)
― ‹⋀y x. P x ⟹ ∃x. P x›
apply (rule exI)
― ‹⋀y x. P x ⟹ P (?x2 y x)›
apply (subgoal_tac "P x", assumption)
― ‹⋀y x. P x ⟹ P x›
by assumption
Imagine the following theorem:
assumes d: "distinct (map fst zs_ws)"
assumes e: "(p :: complex poly) = lagrange_interpolation_poly zs_ws"
shows "degree p ≤ (length zs_ws)-1 ∧
(∀ x y. (x,y) ∈ set zs_ws ⟶ poly p x = y)"
I would like to eliminate the second assumption, without having to substitute the value of p on each occurrence. I did this in proofs with the let command:
let ?p = lagrange_interpolation_poly zs_ws
But it doesn't work in the theorem statement. Ideas?
You can make a local definition in the lemma statement like this:
lemma l:
fixes zs_ws
defines "p == lagrange_interpolation_poly zs_ws"
assumes d: "distinct (map fst zs_ws)"
shows "degree p ≤ (length zs_ws)-1 ∧ (∀(x,y) ∈ set zs_ws. poly p x = y)"
The definition gets unfolded when the proof is finished. So when you look at thm l later, all occurrences of p have been substituted by the right-hand side. Inside the proof, p_def refers to the definining equation for p (what you call e). The defines clause is most useful when you want to control in the proof when Isabelle's proof tools just see p and when they see the expanded right-hand side.
Proving a simple theorem I came across meta-level implications in the proof. Is it OK to have them or could they be avoided? If I should handle them, is this the right way to do so?
theory Sandbox
imports Main
begin
lemma "(x::nat) > 0 ∨ x = 0"
proof (cases x)
assume "x = 0"
show "0 < x ∨ x = 0" by (auto)
next
have "x = Suc n ⟹ 0 < x" by (simp only: Nat.zero_less_Suc)
then have "x = Suc n ⟹ 0 < x ∨ x = 0" by (auto)
then show "⋀nat. x = Suc nat ⟹ 0 < x ∨ x = 0" by (auto)
qed
end
I guess this could be proved more easily but I wanted to have a structured proof.
In principle meta-implication ==> is nothing to be avoided (in fact its the "native" way to express inference rules in Isabelle). There is a canonical way that often allows us to avoid meta-implication when writing Isar proofs. E.g., for a general goal
"!!x. A ==> B"
we can write in Isar
fix x
assume "A"
...
show "B"
For your specific example, when looking at it in Isabelle/jEdit you might notice that
the n of the second case is highlighted. The reason is that it is a free variable. While this is not a problem per se, it is more canonical to fix such variables locally (like the typical statement "for an arbitrary but fixed ..." in textbooks). E.g.,
next
fix n
assume "x = Suc n"
then have "0 < x" by (simp only: Nat.zero_less_Suc)
then show "0 < x ∨ x = 0" ..
qed
Here it can again be seen how fix/assume/show in Isar corresponds to the actual goal, i.e.,
1. ⋀nat. x = Suc nat ⟹ 0 < x ∨ x = 0
When writing structured proofs, it is best to avoid meta-implication (and quantification) for the outermost structure of the subgoal. I.e. instead of talking about
⋀x. P x ⟹ Q x ⟹ R x
you should use
fix x
assume "P x" "Q x"
...
show "R x"
If P x and Q x have some structure, it is fine to use meta-implication and -quantification for these.
There is a number of reasons to prefer fix/assumes over the meta-operators in structured proofs.
Somewhat trivially, you do not have to state them again in every have and show statement.
More important, when you use fix to quantify a variable, it stays the same in the whole proof. If you use ⋀, it is freshly quantified in each have statement (and doesn't exist outside). This makes it impossible to refer to this variable directly and often complicates the search space for automated tools. Similar things hold for assume vs ⟹.
A more intricate point is the behaviour of show in the presence of meta-implications. Consider the following proof attempt:
lemma "P ⟷ Q"
proof
show "P ⟹ Q" sorry
next
show "Q ⟹ P" sorry
qed
After the proof command, there are two subgoals: P ⟹ Q and Q ⟹ P. Nevertheless, the final qed fails. How did this happen?
The first show applies the rule P ⟹ Q to the first applicable subgoal, namely P ⟹ Q. Using the usual rule resolution mechanism of Isabelle, this yields P ⟹ P (assume Pshow Q` would have removed the subgoal).
The second show applies the rule Q ⟹ P to the first applicable subgoal: This is now P ⟹ P (as Q ⟹ P is the second subgoal), yielding P ⟹ Q again.
As a result, we are still have the two subgoals P ⟹ Q and Q ⟹ P and qed cannot close the goal.
In many cases, we don't notice this behaviour of show, as trivial subgoals like P ⟹ P can be solved by qed.
A few words on the behavior of show: As we have seen above, meta-implication in show does not correspond to assume. Instead, it corresponds to assumes lesser known brother, presume. presume allows you to introduce new assumptions, but requires you to discharge them afterwards. As an example, compare
lemma "P 2 ⟹ P 0"
proof -
presume "P 1" then show "P 0" sorry
next
assume "P 2" then show "P 1" sorry
qed
and
lemma "P 2 ⟹ P 0"
proof -
show "P 1 ⟹ P 0" sorry
next
assume "P 2" then show "P 1" sorry
qed
I define an inductive relation called step_g. Here is one of the inference rules:
G_No_Op:
"∀j ∈ the (T i). ¬ (eval_bool p (the (γ ⇩t⇩s j)))
⟹ step_g a i T (γ, (Barrier, p)) (Some γ)"
I want to invoke this rule in a proof, so I type
apply (rule step_g.G_No_Op)
but the rule cannot be applied, because its conclusion must be of a particular form already (the two γ's must match). So I adapt the rule like so:
lemma G_No_Op_helper:
"⟦ ∀j ∈ the (T i). ¬ (eval_bool p (the (γ ⇩t⇩s j))) ; γ = γ' ⟧
⟹ step_g a i T (γ, (Barrier, p)) (Some γ')"
by (simp add: step_g.G_No_Op)
Now, when I invoke rule G_No_Op_helper, the requirement that "the two γ's must match" becomes a subgoal to be proven.
The transformation of G_No_Op into G_No_Op_helper looks rather mechanical. My question is: is there a way to make Isabelle do this automatically?
Edit. I came up with a "minimal working example". In the following, lemma A is equivalent to A2, but rule A doesn't help to prove the theorem, only rule A2 works.
consts foo :: "nat ⇒ nat ⇒ nat ⇒ bool"
lemma A: "x < y ⟹ foo y x x"
sorry
lemma A2: "⟦ x < y ; x = z ⟧ ⟹ foo y x z"
sorry
theorem "foo y x z"
apply (rule A)
To my knowledge, nothing exists to automate these things. One could probably implement this as an attribute, i.e.
thm A[generalised x]
to obtain something like A2. The attribute would replace every occurence of the variable it is given (i.e. x here) but the first in the conclusion of the theorem with a fresh variable x' and add the premise x' = x to the theorem.
This shouldn't be very hard to implement for someone more skilled in Isabelle/ML than me – maybe some of the advanced Isabelle/ML hackers who read this could comment on the idea.
There is a well-known principle "proof-by-definition", i.e. you write your initial specifications in a way such the the resulting rules are easy to apply. This might occasionally look unexpected to informal readers, but is normal for formalists.
I had similar problems and wrote a method named fuzzy_rule, which can be used like this:
theorem "foo y x z"
apply (fuzzy_rule A)
subgoal "x < y"
sorry
subgoal "x = z"
sorry
The code is available at https://github.com/peterzeller/isabelle_fuzzy_rule