Interactive Theorem Provers: Coq, Isabelle, and Beyond

Introduction

Interactive theorem provers (also called proof assistants) are software systems that help humans construct formal proofs. Unlike automated theorem provers that work independently, interactive provers require human guidance but provide powerful tools for verifying complex mathematical theorems and software systems. They have been used to verify everything from mathematical theorems to operating system kernels.

This article explores interactive theorem provers, their capabilities, and practical applications.

Historical Context

Interactive theorem provers emerged in the 1970s and 1980s. Early systems like LCF (Logic for Computable Functions) pioneered the approach of using tactics to guide proof search. Modern systems like Coq (developed since 1989) and Isabelle (developed since 1986) have become mature, powerful tools used in both mathematics and computer science. The CompCert C compiler and the seL4 microkernel are notable examples of large-scale formal verification projects.

Core Concepts

Proof Assistants

Definition: Software systems that help construct formal proofs

Components:

• Type Checker: Verifies proof correctness
• Tactic Engine: Applies proof strategies
• Library: Reusable theorems and definitions
• Interface: User interaction (IDE, REPL)

Advantages:

• Guarantees correctness (type-checked proofs)
• Supports complex mathematics
• Enables large-scale verification

Disadvantage:

• Requires significant human effort

Tactics

Definition: Proof strategies that transform goals into simpler subgoals

Examples:

• intro: Introduce assumptions
• apply: Apply a theorem
• rewrite: Rewrite using equations
• simp: Simplify using lemmas
• induction: Prove by induction

Tactic Proof:

Goal: ∀n, n + 0 = n
Proof:
  intro n
  induction n
  - simp
  - simp [IH]

Type Theory

Foundation: Many provers use type theory instead of set theory

Advantages:

• Constructive (proofs are programs)
• Computational (can extract code)
• Avoids paradoxes

Curry-Howard Correspondence: Proofs ↔ Programs

Major Proof Assistants

Coq

Language: Gallina (functional language) Logic: Calculus of Inductive Constructions (CIC) Strengths: Powerful type system, code extraction, large library Weaknesses: Steep learning curve, verbose syntax

Example:

Theorem add_comm : ∀ n m : nat, n + m = m + n.
Proof.
  intro n m.
  induction n.
  - simp.
  - simp [IHn].
Qed.

Applications:

• CompCert C compiler verification
• Mathematical proofs
• Security protocol verification

Isabelle

Language: Isar (structured proof language) Logic: Higher-order logic (HOL) Strengths: Flexible, good automation, readable proofs Weaknesses: Less computational than Coq

Example:

theorem add_comm: "n + m = m + (n :: nat)"
proof (induction n)
  case 0 show "0 + m = m + 0" by simp
next
  case (Suc n) show "Suc n + m = m + Suc n"
    by simp [Suc.IH]
qed

Applications:

• seL4 microkernel verification
• Hardware verification
• Security analysis

Lean

Language: Lean (functional language) Logic: Dependent type theory Strengths: Modern design, good automation, active community Weaknesses: Younger than Coq/Isabelle

Example:

theorem add_comm (n m : ℕ) : n + m = m + n := by
  induction n with
  | zero => simp
  | succ n ih => simp [ih]

Applications:

• Mathlib (mathematics library)
• Formal verification
• Educational use

Other Systems

HOL Light: Minimal HOL implementation PVS: Specification and verification system Agda: Dependently typed language Idris: Dependently typed language with effects

Proof Development Workflow

Step 1: Define Theorem

Theorem my_theorem : ∀ n : nat, P(n).

Step 2: Start Proof

Proof.

Step 3: Apply Tactics

  intro n.
  induction n.
  - (* base case *)
  - (* inductive case *)

Step 4: Complete Proof

Qed.

Common Tactics

Introduction Tactics

intro: Introduce assumptions

Goal: ∀ x, P x
After intro x:
Goal: P x

intros: Introduce multiple assumptions

Goal: ∀ x y z, P x y z
After intros:
Goal: P x y z

Application Tactics

apply: Apply a theorem

Goal: P x
Theorem: ∀ y, Q y → P y
After apply theorem:
Goal: Q x

exact: Provide exact proof term

Goal: P x
After exact proof_of_P_x:
Proof complete

Simplification Tactics

simp: Simplify using lemmas

Goal: (x + 0) + y = x + y
After simp:
Goal: x + y = x + y (then closes)

rewrite: Rewrite using equations

Goal: f (g x) = y
Lemma: f (g x) = h x
After rewrite lemma:
Goal: h x = y

Induction Tactics

induction: Prove by induction

Goal: ∀ n, P n
After induction n:
Goal 1: P 0 (base case)
Goal 2: ∀ n, P n → P (n+1) (inductive case)

Proof Strategies

Forward Reasoning

Strategy: Start with assumptions, derive conclusion

Advantages: Intuitive, follows logical flow Disadvantage: May explore irrelevant paths

Backward Reasoning

Strategy: Start with goal, work backward

Advantages: Focused on goal Disadvantage: Requires knowing what to assume

Mixed Strategy

Strategy: Combine forward and backward

Advantages: Efficient, flexible Disadvantage: Requires skill

Practical Example: Proving Commutativity

Theorem: Addition is commutative

Coq Proof:

Theorem add_comm : ∀ n m : nat, n + m = m + n.
Proof.
  intro n m.
  induction n as [| n' IHn'].
  - (* Base case: 0 + m = m + 0 *)
    simp.
  - (* Inductive case: S n' + m = m + S n' *)
    simp [IHn'].
Qed.

Isabelle Proof:

theorem add_comm: "n + m = m + (n :: nat)"
proof (induction n)
  case 0 show "0 + m = m + 0" by simp
next
  case (Suc n) show "Suc n + m = m + Suc n"
    by simp [Suc.IH]
qed

Large-Scale Verification Projects

CompCert C Compiler

Goal: Verify a C compiler Size: ~20,000 lines of Coq Achievement: Proved that compiled code behaves correctly Impact: Ensures compiler doesn’t introduce bugs

seL4 Microkernel

Goal: Verify operating system kernel Size: ~200,000 lines of Isabelle Achievement: Proved functional correctness Impact: Highest assurance OS kernel

Mathlib

Goal: Formalize mathematics Size: ~1 million lines of Lean Achievement: Thousands of theorems formalized Impact: Demonstrates feasibility of formal mathematics

Challenges and Limitations

Learning Curve

Challenge: Steep learning curve for new users Solution: Better documentation, tutorials, communities

Proof Size

Challenge: Proofs can be very long Solution: Better automation, tactic libraries

Performance

Challenge: Type checking can be slow Solution: Better algorithms, incremental checking

Expressiveness

Challenge: Some mathematics hard to formalize Solution: Better libraries, domain-specific tactics

Glossary

Axiom: Assumed true without proof

Lemma: A proved theorem used in other proofs

Proof Term: Explicit proof object (program)

Tactic: Proof strategy that transforms goals

Theorem: A proved statement

Type Checking: Verifying proof correctness

Unification: Finding substitution making terms equal

Practice Problems

Problem 1: Write a Coq proof that 2 + 2 = 4.

Solution:

Theorem two_plus_two : 2 + 2 = 4.
Proof.
  reflexivity.
Qed.

Problem 2: Write an Isabelle proof that n + 0 = n.

Solution:

theorem add_zero: "n + 0 = (n :: nat)"
proof (induction n)
  case 0 show "0 + 0 = 0" by simp
next
  case (Suc n) show "Suc n + 0 = Suc n"
    by simp [Suc.IH]
qed

Problem 3: Prove that if P and P → Q, then Q (modus ponens).

Solution (Coq):

Theorem modus_ponens : ∀ P Q : Prop, P → (P → Q) → Q.
Proof.
  intro P Q hp hpq.
  apply hpq.
  exact hp.
Qed.

Related Resources

• Coq: https://coq.inria.fr/
• Isabelle: https://isabelle.in.tum.de/
• Lean: https://leanprover.github.io/
• Proof Assistants: https://en.wikipedia.org/wiki/Proof_assistant
• Formal Verification: https://en.wikipedia.org/wiki/Formal_verification
• Type Theory: https://plato.stanford.edu/entries/type-theory/
• Curry-Howard: https://en.wikipedia.org/wiki/Curry–Howard_correspondence
• CompCert: http://compcert.inria.fr/
• seL4: https://sel4.systems/
• Mathlib: https://github.com/leanprover-community/mathlib
• Dependent Types: https://en.wikipedia.org/wiki/Dependent_type
• Tactics: https://en.wikipedia.org/wiki/Tactic_(proof_assistant)
• Formal Methods: https://plato.stanford.edu/entries/formal-methods/
• Software Verification: https://en.wikipedia.org/wiki/Software_verification
• Hardware Verification: https://en.wikipedia.org/wiki/Hardware_verification

Conclusion

Interactive theorem provers represent a powerful approach to formal verification, combining human insight with computational verification. By providing tactics and automation while maintaining correctness guarantees, these systems enable the verification of complex mathematical theorems and software systems.

Understanding interactive theorem provers is essential for anyone involved in formal verification, mathematical formalization, or high-assurance software development. As these tools mature and communities grow, they are becoming increasingly important for ensuring correctness in critical systems.

The success of large-scale projects like CompCert and seL4 demonstrates that formal verification is not just theoretically sound but practically feasible for real-world systems.