## Proof Assistants: history, ideas and future

Citations: 3 (0 self)

### BibTeX

```bibtex
@MISC{Geuvers_proofassistants:,
  author = {H. Geuvers},
  title = {Proof Assistants: history, ideas and future},
  year = {}
}
```

### Abstract

In this paper we will discuss the fundamental ideas behind proof assistants: What are they and what is a proof anyway? We give a short history of the main ideas, emphasizing the way they ensure the correctness of the mathematics formalized. We will also briefly discuss the places where proof assistants are used and how we envision their extended use in the future. While being an introduction into the world of proof assistants and the main issues behind them, this paper is also a position paper that pushes the further use of proof assistants. We believe that these systems will become the future of mathematics, where definitions, statements, computations and proofs are all available in a computerized form. An important application is and will be in computer supported modelling and verification of systems. But there is still a long road ahead, and we will indicate what we believe is needed for the further proliferation of proof assistants.

### Citations

1096 | Proof-carrying code
- Necula
- 1997
Context: ...mation over more expressive but less powerful systems. The idea of independently checkable proof objects has nevertheless also found its way into computer science in the form of ‘Proof Carrying code’ [53]. The idea is to accompany a piece of code with a proof object that proves a safety property of the program. This proof object may also include a formalization of the architecture it will be executed ...

696 | A framework for defining logics
- Harper, Honsell, et al.
- 1989
Context: ...on the type theory, this can be more or less difficult. The original Automath systems had a small kernel, so for those it is rather simple. Later developments based on the same idea are the systems LF [30], Twelf [66], Lego [46], Alf [47], Agda [2], Coq [18] and NuPrl [15], which have increasingly complicated underlying formal systems and therefore increasingly complicated kernels and type checking alg...

501 | Introduction to HOL: A Theorem Proving Environment for Higher Order Logic
- Gordon, Melham
- 1993
Context: ... predicate logic over the terms of typed λ-calculus. The first system was developed at Stanford in 1972 and later systems were developed at Edinburgh and Cambridge. The systems Isabelle [37, 69], HOL [35, 25] and HOL-light [34] are descendants from LCF, using the “LCF approach”. The first system that Milner developed in Stanford was a goal-directed system that had special tactics to break down goals into ...

441 | The formulae-as-type notion of construction
- Howard
- 1969
Context: ...guage, at the same footing as other terms, occurs for the first time. In logic, this idea is known as the Curry-Howard formulas-as-types isomorphism, for the first time written up in 1968 by Howard [36], going back to ideas of Curry who had noticed that the types of the combinators are exactly the axioms of Hilbert style deduction. De Bruijn reinvented the idea, emphasizing the proofs-as-objects aspe...

341 | Intuitionistic type theory
- Martin-Löf
- 1984
Context: ...artin-Löf has extended these ideas, developing constructive type theory as a foundation for mathematics, where inductive types and functions defined by well-founded recursion are the basic principles [48, 55]. (This goes also back to work of Scott [64], who had noticed that the Curry-Howard isomorphism could be extended to incorporate induction principles.) Martin-Löf has developed several type theories o...

264 | Computer-Aided Reasoning: An Approach
- Kaufmann, Manolios, et al.
- 2000
Context: ...prove the lemmas automatically and then tries to prove the theorem using the new lemmas. This idea has also been used in the logical framework Twelf. The system Nqthm has evolved into the system ACL2 [1, 40], which is very much based on the same ideas. 2.5.1 PVS The PVS (Prototype Verification System) [61] has been developed at SRI since 1992. It aims at combining the advantages of fully automated theore...

139 | Mechanized metatheory for the masses: The POPLmark challenge
- Aydemir, Bohannon, et al.
- 2005
Context: ...e want to mention here, because it reaches beyond the boundaries of one proof assistant, is the ‘PoplMark Challenge’ [60]. Popl is the conference ‘Principles of Programming Languages’. The authors of [9] challenge everyone to accompany a paper concerning programming languages with an appendix containing computer verified proofs of its meta-theoretic properties. A concrete challenge that is set is to ...

108 | A proof of the Kepler conjecture
- Hales
Context: ...Recently, proofs of mathematical theorems have been given that are indeed so large that they cannot simply be verified by a human. The most well-known example is Hales’ proof of the Kepler conjecture [27]. The conjecture states that the face-centered cubic packing is the optimal way of packing congruent spheres in three dimensional space. The proof, given by Hales in 1988, is 300 pages long and was su...

93 | The ALF proof editor and its proof engine
- Magnusson, Nordström
Context: ...ore or less difficult. The original Automath systems had a small kernel, so for those it is rather simple. Later developments based on the same idea are the systems LF [30], Twelf [66], Lego [46], Alf [47], Agda [2], Coq [18] and NuPrl [15], which have increasingly complicated underlying formal systems and therefore increasingly complicated kernels and type checking algorithms. (NuPrl is based on a typ...

87 | Edinburgh LCF: A Mechanised Logic
- Gordon, Milner, et al.
- 1979
Context: ...ave to store proofs in memory (but only the fact that a result had been proven), Milner developed what is now known as the LCF approach. 2.3.1 LCF approach The basic idea of Milner’s LCF approach ([26, 24]) is to have an abstract data type of theorems thm, where the only constants of this data type are the axioms and the only functions to this data type are the inference rules. Milner has developed the...

63 | A computer-checked proof of the four-colour theorem. Available at http://research.microsoft.com/~gonthier/4colproof.pdf
- Gonthier
- 2011
Context: ...in HOL light [28]. In Isabelle, the prime number theorem has been proved [8]. Another formalization of a large proof and a well-known theorem is Gonthier’s formalization of the 4-color theorem in Coq [23]. The proof of this theorem consists of the reduction of the problem to 633 cases, that then have to be verified using computer algorithms. Mathematicians sometimes feel uncomfortable with this proof,...

59 | Formal verification of a C compiler frontend
- Blazy, Dargaye, et al.
- 2008
Context: ...ive: ‘Mechanized meta-theory for the masses’. The challenge has already produced quite some discussion and research. That one can verify some serious software with a proof assistant has been shown in [13], where a C compiler has been proved correct in Coq. In industrial applications, one may often be more inclined to go for speed and automation than for total correctness, thus often preferring automat...

56 | Literate Programming. Center for the Study of Language and Information
- Knuth
- 1992
Context: ...ps to search on a high level. But it does not yet provide us with a logical “overview” of the material. This requires a kind of literate proving approach, comparable with Knuth’s literate programming [41], where the documentation and the formal proofs are developed in one system and in one file. To explain what the problem is with documentation, let me outline how the proof development in our own FTA...

48 | Proof-assistants using dependent type systems
- Barendregt, Geuvers
- 2001
Context: ...keptic user could easily write him/herself. De Bruijn’s Automath systems were the first to specifically focus on this aspect and therefore this property was coined “De Bruijn criterion” by Barendregt [11]. In De Bruijn’s systems, the proof objects are basically encodings of natural deduction derivations that can be checked by a type checking algorithm. If we look at the four mechanisms for improving...

48 | A Type Theoretical Alternative to ISWIM
- Scott
- 1969
Context: ...extracted and be used as the type checking algorithm of a new version of Coq. 2.3 LCF LCF stands for “Logic for Computable Functions”, the name Milner gave to a formal theory defined by Scott in 1969 [63] to prove properties of recursively defined functions, using methods from denotational semantics. It is a predicate logic over the terms of typed λ-calculus. The first system was developed at Stanford...

42 | Omdoc: Towards an internet standard for the administration, distribution, and teaching of mathematical knowledge
- Kohlhase
- 2001
Context: ...thML. Proof assistants can also deal with OpenMath or MathML objects, but in the case of these systems one also wants to have a format for theorems, definitions and proofs, which is provided by OMDoc [57, 42]. The OMDoc format is not yet very much used by the proof assistant community, and maybe a different format is needed, but it is clear that mechanisms for the exchange of formal content between pro...

37 | Symbolic Logic. An Introduction
- Fitch
- 1952
Context: ...of scripts above, the procedural one certainly doesn’t correspond to a proof in a logic, but the declarative one does, to some extent. The declarative script above can be seen as some form of a Fitch [20] style natural deduction. Another issue is how robust and adaptable the proof scripts are. If we change a definition, how difficult is it to adapt the proof script? In general, proof scripts are not v...

24 | A formally verified proof of the prime number theorem
- Avigad, Donnelly, et al.
- 2007
Context: ... been done in various proof assistants. In Mizar there is a proof of the Jordan Curve theorem [43], which has also been proved in HOL light [28]. In Isabelle, the prime number theorem has been proved [8]. Another formalization of a large proof and a well-known theorem is Gonthier’s formalization of the 4-color theorem in Coq [23]. The proof of this theorem consists of the reduction of the problem to ...

22 | Formal Proof Sketches
- Wiedijk
- 2004
Context: ...is may be possible by letting the user type a procedural proof script but let the system expand this into a proof script with more declarative components. Interesting ideas about this can be found in [72, 10]. 2 History In this section we will shortly describe the history of proof assistants by describing the first systems and the main ideas behind them. We will look at these systems by taking the issues ...

19 | C-CoRN: The Constructive Coq Repository at Nijmegen
- Cruz-Filipe, Geuvers, et al.
- 2004
Context: ...thout proofs, in a nicely readable way, with mathematical notations, then we have a nice overview of the lemmas, but there are very many, with hardly any structure. In case of our own CoRN repository [19], which aims at being a coherent library of constructive algebra and analysis in Coq, we have 962 definitions and 3554 lemmas on 394 pages. There are searching tools, like Whelp [7] that assist search...

19 | Isabelle/Isar—A generic framework for human-readable proof documents
- Wenzel
Context: ...yntactically correct but possibly has “holes”. The Mizar language has inspired other proof assistants to also develop a declarative proof language. Most notably, Wenzel has developed the Isar language [70] as a declarative input language for the Isabelle theorem prover, which is now used by very many Isabelle users. Also, Harrison has developed a Mizar mode for HOL-light [33] and Corbineau has devel...

18 | Formal verification of IA-64 division algorithms
- Harrison
- 2000
Context: ...istants. Some of the systems are really used for industrial verification projects: NASA [52] uses PVS to verify software for airline control and Intel uses HOL light to verify the design of new chips [31]. There are many other industrial uses of proof assistants that we will not list here, notably of PVS, ACL2, HOL, Isabelle and Coq. An interesting initiative that we want to mention here, because it r...

17 | Predicate abstractions for reachability analysis of hybrid systems
- Alur, Verimag, et al.
- 2006
Context: ...ion of the discrete controller to another). The state space is uncountable, so if we want to use automated tools, like model checkers, we first have to make a discrete abstraction of this state space [5]. Proof assistants will be useful in modelling the continuous environment and in proving properties about the discrete abstraction, making sure that the final correctness claim of our model checker re...

17 | The Isabelle framework
- Wenzel, Paulson, et al.
Context: ...ntics. It is a predicate logic over the terms of typed λ-calculus. The first system was developed at Stanford in 1972 and later systems were developed at Edinburgh and Cambridge. The systems Isabelle [37, 69], HOL [35, 25] and HOL-light [34] are descendants from LCF, using the “LCF approach”. The first system that Milner developed in Stanford was a goal-directed system that had special tactics to break do...

16 | A content based mathematical search engine: Whelp
- Asperti, Guidi, et al.
- 2006
Context: ...n CoRN repository [19], which aims at being a coherent library of constructive algebra and analysis in Coq, we have 962 definitions and 3554 lemmas on 394 pages. There are searching tools, like Whelp [7] that assist searching for lemmas of a certain structure. But we also want to search on a higher level and get a high level overview of the material, including motivations, intuitions and so forth. Ad...

16 | Computer programs for checking mathematical proofs. Recursive Function Theory
- McCarthy
- 1962
Context: ...nown as the “Boyer-Moore theorem prover” is an automated reasoning system implemented in Lisp. The first version originates from 1973 and the system was very much inspired by earlier work of McCarthy [50]. The logic of Nqthm is quantifier-free first order logic with equality, basically primitive recursive arithmetic, which makes the automation very powerful, but the expressivity limited. Interesting i...

10 | On the rules of suppositions in formal logic
- Jaśkowski
- 1934
Context: ... program that checks text files written in Mizar for mathematical correctness. The underlying system is Tarski-Grothendieck set theory with classical logic and the proofs are given in Jaśkowski style [38], which is now better known as Fitch-style [20] or flag-style natural deduction. In the beginning (see [49]) the emphasis was very much on editing and recording mathematical articles and not so much on...

10 | Web interfaces for proof assistants
- Kaliszyk
Context: ...any people can contribute in a simple and low level way: a Wikipedia for formalized mathematics. To achieve this, researchers in our research group have developed a web interface for proof assistants [39]. This way everyone with an internet connection can simply – without installing a system and letting the server take care of the file management – contribute to a joint repository of formalized mathem...

6 | From LCF to HOL: a short history. Proof, language and interaction: essays
- Gordon
- 2000
Context: ...ave to store proofs in memory (but only the fact that a result had been proven), Milner developed what is now known as the LCF approach. 2.3.1 LCF approach The basic idea of Milner’s LCF approach ([26, 24]) is to have an abstract data type of theorems thm, where the only constants of this data type are the axioms and the only functions to this data type are the inference rules. Milner has developed the...

6 | Hybrid Verification of an Air Traffic Operational Concept
- Muñoz, Dowek
- 2005
Context: ...r. The combination of a very expressive specification language and powerful techniques for proof automation makes PVS quite easy to use. It has been applied in several industrial verification studies [52]. The logic of PVS is not independently described and the system does not have a small proof kernel or independently checkable proof objects. Every now and then a bug (inconsistency) is found in the s...

6 | Estimating the cost of a standard library for a mathematical proof checker
- Wiedijk
- 2001
Context: ...o happen quickly. In this context it is interesting to make an estimate of the amount of work that is involved in creating a formalized library of mathematics. A well-motivated computation of Wiedijk [71] estimates that it requires about 140 man years to formalize the standard bachelor curriculum of mathematics. That is a lot and it exceeds the research budgets of one university by far. That doesn’t me...

5 | Towards an Interactive Mathematical Proof Language
- Barendregt
- 2003
Context: ...is may be possible by letting the user type a procedural proof script but let the system expand this into a proof script with more declarative components. Interesting ideas about this can be found in [72, 10]. 2 History In this section we will shortly describe the history of proof assistants by describing the first systems and the main ideas behind them. We will look at these systems by taking the issues ...

5 | Cooperative repositories for formal proofs
- Corbineau, Kaliszyk
- 2007
Context: ...ing formalizations through a web interface) and for creating high level pages that describe content of the repositories, with pointers to actual proof assistant files. Preliminary work is reported in [16]. Figure 2: A MathWiki mock up page A possible high level page is depicted in Figure 2: the idea is that we have Wikipedia like technology to describe a high level mathematical concept and that inside...

5 | A document-oriented Coq plugin for TeXmacs
- Mamane, Geuvers
- 2007
Context: ...or that is the TeXmacs system [65] that allows the editing of a mathematical document (in a wysiwyg LaTeX-like style) and at the same time interact with another computer program. In the system tmegg [22], this is used to write a mathematical document with a Coq-formalization underneath: special commands open an interaction with the Coq system, whose output is rendered within the TeXmacs document. A s...

5 | Constructive validity, Symposium on Automatic Demonstration
- Scott
- 1968
Context: ...onstructive type theory as a foundation for mathematics, where inductive types and functions defined by well-founded recursion are the basic principles [48, 55]. (This goes also back to work of Scott [64], who had noticed that the Curry-Howard isomorphism could be extended to incorporate induction principles.) Martin-Löf has developed several type theories over the years. The first extensional one has...

5 | Authoring verified documents by interactive proof construction and verification in text-editors
- Dietrich, Schulz, et al.
- 2008
Context: ...rneath: special commands open an interaction with the Coq system, whose output is rendered within the TeXmacs document. A similar approach, combining TeXmacs with the Omega proof tool is developed in [68]. Mathematical search is different from ordinary string based search because one also wants to search for mathematical structure and also modulo ‘mathematical equivalence’. An example is searching for...

4 | Towards self-verification of HOL
- Harrison
- 2006
Context: ...well. The LCF approach has been very influential. Also a system like Coq has been implemented in this manner. 2.3.2 Checking the Checker The system HOL light has been checked within the system itself [32]. In HOL, there is no real point in checking the system with respect to the theory, because in the LCF approach one implements the theory almost directly. So, the statement proven inside HOL light is ...

3 | A declarative proof language for the Coq proof assistant
- Corbineau
- 2007
Context: ...sabelle theorem prover, which is now used by very many Isabelle users. Also, Harrison has developed a Mizar mode for HOL-light [33] and Corbineau has developed a declarative proof language for Coq [17] (of which the proof in Section 1.3 is an example). 2.5 Nqthm Nqthm [3], also known as the “Boyer-Moore theorem prover” is an automated reasoning system implemented in Lisp. The first version originat...

3 | On Correctness of Mathematical Texts from a Logical and Practical Point of View
- Verchinine, Lyaletski, et al.
- 2008
Context: ...e project are all in Russian. The project has evolved into a system SAD (System for Automated Deduction) [45], which checks mathematical texts written in the language ForTheL (FORmal THEory Language) [67]. The latter is a declarative formal language for writing definitions, lemmas and proofs, very much in the spirit of Mizar, but developed independently from it. An interesting aspect of the ForTheL la...

2 | Automath, a language for mathematics, Department of Mathematics, Eindhoven University of Technology, TH-report 68-WSK-05
- De Bruijn
- 1968
Context: ...fathers”, some of which have been more influential than others. Before doing that, we will discuss a general issue, which is the input language of a proof assistant. 2.1 Automath The Automath project [54, 14] was initiated by De Bruijn in 1967 and had as aim to develop a system for the mechanic verification of mathematics. A related aim of the project was to develop a mathematical language in which all of...

2 | Theorem Proving and
- Lyaletski, Paskevich, et al.
- 2004
Context: ...f the 1970s, but it hasn’t become known outside of Russia and Ukraine and publications about the project are all in Russian. The project has evolved into a system SAD (System for Automated Deduction) [45], which checks mathematical texts written in the language ForTheL (FORmal THEory Language) [67]. The latter is a declarative formal language for writing definitions, lemmas and proofs, very much in th...

2 | Theorem Proving in Higher Order Logics, LNCS, Springer Verlag Berlin
- 2005

1 | An Interactive Algebra Course with Formalised Proofs and Definitions
- Asperti, Geuvers, Sacerdoti Coen, et al.
- 2006
Context: ...tants are the study of interactive mathematical documents and mathematical search. Ideally, one would like to extract a mathematical document from a formalization, but things are not that simple (see [6] for an example study). The outcome is a quite direct ‘pretty printed’ translation of the computer code, containing too many details. It is possible to suppress some of the details, so we only see the...

1 | Auto-validation d’un vérificateur de preuves avec familles inductives (Self-validation of a proof checker with inductive families)
- Barras
- 1999
Context: ...ype theory based system that includes a functional programming language, like Coq, one can program and verify the type checker within the system itself. This has been done in the “Coq in Coq” project [12]. What one verifies (inside Coq) is the following statement: Γ ⊢ M : A ⇔ TC(Γ, M) = A, where TC is the type checking algorithm that takes as input a context and a term and produces a type, if it exist...

1 | Jordan’s Proof of the Jordan Curve Theorem, in From Insight to Proof, Festschrift in Honour of Andrzej Trybulec
- Hales
- 1985
Context: ...ies Various large formalizations of mathematical proofs have been done in various proof assistants. In Mizar there is a proof of the Jordan Curve theorem [43], which has also been proved in HOL light [28]. In Isabelle, the prime number theorem has been proved [8]. Another formalization of a large proof and a well-known theorem is Gonthier’s formalization of the 4-color theorem in Coq [23]. The proof o...

1 | A Mizar Mode for HOL, Proceedings of Theorem Proving in Higher Order Logics
- Harrison
- 1996
Context: ...loped the Isar language [70] as a declarative input language for the Isabelle theorem prover, which is now used by very many Isabelle users. Also, Harrison has developed a Mizar mode for HOL-light [33] and Corbineau has developed a declarative proof language for Coq [17] (of which the proof in Section 1.3 is an example). 2.5 Nqthm Nqthm [3], also known as the “Boyer-Moore theorem prover” is an auto...

1 | Jordan curve theorem. Formalized Mathematics, 13(4):481–491, 2005
- Korniłowicz
- 2003
Context: ...ormalizing Mathematics and Mathematical Libraries Various large formalizations of mathematical proofs have been done in various proof assistants. In Mizar there is a proof of the Jordan Curve theorem [43], which has also been proved in HOL light [28]. In Isabelle, the prime number theorem has been proved [8]. Another formalization of a large proof and a well-known theorem is Gonthier’s formalization o...

1 | Mizar: the first 30 years, Mechanized mathematics and its applications
- Matuszewski, Rudnicki
- 2005
Context: ...rski-Grothendieck set theory with classical logic and the proofs are given in Jaśkowski style [38], which is now better known as Fitch-style [20] or flag-style natural deduction. In the beginning (see [49]) the emphasis was very much on editing and recording mathematical articles and not so much on proof checking. Mizar has always put a strong emphasis on creating a library of formalized mathematics, w...

1 | A Standard for Open Mathematical Documents, http://www.mathweb.org/omdoc
- OMDoc
Context: ...thML. Proof assistants can also deal with OpenMath or MathML objects, but in the case of these systems one also wants to have a format for theorems, definitions and proofs, which is provided by OMDoc [57, 42]. The OMDoc format is not yet very much used by the proof assistant community, and maybe a different format is needed, but it is clear that mechanisms for the exchange of formal content between pro...

1 | Extracting Fω’s programs from proofs
- Paulin-Mohring
- 1989
Context: ... ListN ∃y : ListN(Sorted(y) ∧ Permutation(x, y)). From this we can then extract the program sort : ListN → ListN. The proofs-as-programs paradigm is one of the key features of the proof assistant Coq [58, 44]. From proofs one can extract programs in a real functional language. But also one can program a lot of functions as programs within the proof assistant, because the system includes a (small) function...