The Mathematical Components library
principles and design choices
Assia Mahboubi & Enrico Tassi
Mahboubi & Tassi – The Mathematical Components library
In this talk
SSReflect is not:
• a proof checker
• a new ITP
SSReflect is:
• a language for writing Coq proofs
• implemented as a Coq plugin
Main libraries developed with this proof shell extension:
• Four Colour Theorem
• Mathematical Components library
• Formal proof of the Odd Order Theorem
In this talk
1. Contents of the library
2. Mathematical Components
3. There are tricks in every trade
4. Conclusions
Material available at ssr.msr-inria.inria.fr/doc/tutorial-itp13
1. Contents of the library
Roadmap to the Odd Order Theorem
The plan
[Figure: diagram of the plan. Labels: maximal structure; Uniqueness; Sylow, Hall; primes; local analysis; Feit Thompson; Frobenius; isometry; inequalities; representations; character theory; solvable groups; linear algebra; matrices; Galois theory; polynomials]
Bookshelf for the Odd Order Theorem
Combinatorics and numbers
• Containers, basic datatypes:
  Lists, tuples, finite types, functions, sets, graphs...
• Numbers:
  Naturals, integers, modular arithmetics, rationals
• Elementary arithmetics:
  Divisibility, means, primes, binomials...
• Indexed iterated operations:
  Σ, Π, ⨁,...
Finite group theory
• Elementary concepts:
  Order, morphisms, permutations, quotient, characteristic subgroups, series, products, commutators, presentations,...
• Elementary theory:
  Lagrange, isomorphisms, Sylow, Hall, Jordan-Hölder theorems, structure of abelian groups, theory of various characteristic subgroups,...
• Representation theory of finite groups
  Schur, Maschke, Jacobson density, Clifford, Wedderburn components,...
• Character theory of finite groups
  irreducible constituents, product and norm, virtual characters, inertia groups,...
Algebra
• Abstract algebra infrastructure
  rings, integral domains, fields, modules, vector spaces, matrices, polynomials, finite fields, algebraic numbers,...
• Linear algebra
  Decomposition, (auto)morphisms, rank, resultants, Cayley-Hamilton, modules,...
• Elementary Galois theory
  Field extensions, primitive element theorem, splitting fields, Galois groups, Galois norm, Hilbert’s 90 theorem, fundamental theorem,...
Advanced group theory
In the distribution of the proof of the Odd Order Theorem.
Relative weights of the topics
Number of lines of code per topic
Relative weights of the topics
Evolution in time of the number of loc per topic
Algorithms?
Implementations of several algorithms of interest, together with
correctness proofs:
• Depth-first search
• Factorization in primes
• (pseudo-)Euclidean division(s)
• Gaussian elimination, LUP matrix decomposition
• Quantifier elimination(s)
• ...
Most of them are used for constructing abstract witnesses rather
than for performing large scale computations.
Specific issues
• No heavy computations
• No generic purpose automated reasoning was used
• No domain-specific proof search tool was needed
• No widely branching tree like structures and nested case/induction reasoning
Specific issues
non structural, syntax directed reasoning
be less tied to the syntactic structure objects
implicit content a page of math textbooks
automated inference
size of the formalized material
programming discipline
Specific issues, and their solutions
• Software engineering methods for formal proofs
  later in this talk
• Extension of the tactic language
  see the SSReflect plugin
• Automated inference of implicit content
  later in this talk + ITP’13
• Sort out the maths
  see for instance the papers ITP’11 CICM’13
2. Mathematical Components
One line of elementary algebra
Let A be a square matrix. Then:
$$\mathrm{Det}(A) = \sum_{\sigma \in S_n} \epsilon_\sigma \prod_i a_{\sigma(i),i}$$
• A is square of size n × n, hence the type of permutations S_n and the range of the index i.
• Σ denotes the iteration of a binary, commutative, associative operation with a neutral element.
• Π denotes the iteration of a binary, commutative, associative operation with a neutral element, which is distributive over the one iterated by Σ.
• Obviously, coefficients of A belong to an instance of ring: the iterated operations are the ring addition and product.
One line of elementary algebra
Let A be a square matrix. Then:
$$\mathrm{Det}(A) = \sum_{\sigma \in S_n} \epsilon_\sigma \prod_i a_{\sigma(i),i}$$
• In LaTeX:
\textsf{Det (A)} =
\sum_{\sigma \in S_n}\epsilon_{\sigma} \prod_i a_{\sigma (i),i}
• In Coq:
Definition det (R : ringType) n (A : 'M[R]_n) : R :=
  \sum_(s : 'S_n) (-1) ^+ s * \prod_i A i (s i).
Example: Wedderburn’s little theorem
What’s under the rug?
Theorem finDomain_mulrC : @commutative R R *%R.
Proof.
have fieldR := finDomain_field.
have [p p_pr charRp]: exists2 p, prime p & p \in [char R].
  have [e /prod_prime_decomp->]: {e | (e > 0)%N & e%:R == 0 :> R}.
    by exists #|[set: R]%G|; rewrite // -order_dvdn order_dvdG ?inE.
  rewrite big_seq; elim/big_rec: _ => [|[p m] /= n]; first by rewrite oner_eq0.
  case/mem_prime_decomp=> p_pr _ _ IHn.
  elim: m => [|m IHm]; rewrite ?mul1n {IHn}// expnS -mulnA natrM.
  by case/eqP/domR/orP=> //; exists p; last exact/andP.
pose Rp := PrimeCharType charRp; pose L : {vspace Rp} := fullv.
pose G := [set: {unit R}]; pose ofG : {unit R} -> Rp := val.
pose projG (E : {vspace Rp}) := [preim ofG of E].
...
(* 80 more lines follow *)
Demo
The game we play live:
• On top of the infrastructure for abstract algebra
• Define matrices, trace and matrix product
• Relate these new objects to the algebra library
• Prove some properties of matrix operations
To replay it browse ssr.msr-inria.inria.fr/doc/tutorial-itp13/
• Demo file (requires Coq 8.4 + SSReflect 1.4)
• Proviola script (re)animation (requires a browser)
Demo: the structures at work
• eqType: _ == _
• choiceType
• countType
• finType: {ffun _ -> _ }, 'I_n
• zmodType: _ + _ , 0, Σ
Demo: matrix multiplication
[Figure: row i of A (entries a_{i,1}, a_{i,2}, ...) and column k of B (entries b_{1,k}, b_{2,k}, ...) combine into the entry Σj aij*bjk at row i, column k of AB]
Demo: the structures at work
• eqType: _ == _ , eqxx
• choiceType
• countType
• finType: {ffun _ -> _ }, 'I_n
• zmodType: _ + _ , 0, Σ, subr_eq0
• ringType: _ * _ , 1, 1 != 0, mulrDr
• comRingType: mulrC
3. There are tricks in every trade
Unfortunately no single silver bullet
Many formalization tricks employed
• boolean reflection
• (un)structured reasoning
• reasoning about programs with(out) dependent types
• reasoning about groups in a modular way
Crafting your logical framework (I)
Get proofs for free: boolean programs as (decidable) predicates
Example: order relation on nat
Fixpoint le n m := match n, m with
  | 0, _ => true
  | S _, 0 => false
  | S n', S m' => le n' m' end.
Notation "a <= b" := (le a b).
Free theorems: execution is a legal form of proof in CIC
Lemma le0n n : 0 <= n.
Lemma leSS n m : (S n <= S m) = (n <= m).
Lemma lenn n : n <= n.
Proof. by elim: n. Qed.
Crafting your logical framework (II)
Also connectives are boolean programs
Example: conjunction and implication
Definition andb a b := if a then b else false.
Notation "a && b" := (andb a b).
Definition implb a b := if a then b else true.
Notation "a ==> b" := (implb a b).
Free theorems combine well with boolean connectives
n : nat
m : nat
=======================
1 <= m.+1 && (n.+1 <= 0 ==> n == m) && P

n : nat
m : nat
=======================
P
Crafting your logical framework (III)
Reasoning by cases at hand
Lemma test (n m : nat) : P n m.
case/boolP: (n <= m).
n : nat
m : nat
=======================
P n m
n : nat
m : nat
=======================
n <= m -> P n m
subgoal 2:
~~ (n <= m) -> P n m
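The three "Crafting your logical framework" slides, replayed as an added example in plain Coq without the SSReflect plugin (not code from the talk or the library). The names `ble`, `bleP` and the demo lemmas are illustrative, and `bleP` goes one step beyond the slides by linking the boolean test to the standard `<=` in `Prop`.

```coq
(* Added example: plain Coq, no SSReflect. All names are illustrative. *)
Require Import Bool Arith Lia.
Open Scope bool_scope.

(* The order relation as a boolean program *)
Fixpoint ble (n m : nat) : bool :=
  match n, m with
  | 0, _ => true
  | S _, 0 => false
  | S n', S m' => ble n' m'
  end.

(* Free theorems: both sides have the same normal form, so the
   kernel accepts them by computation alone. *)
Lemma ble0n n : ble 0 n = true.
Proof. reflexivity. Qed.

Lemma bleSS n m : ble (S n) (S m) = ble n m.
Proof. reflexivity. Qed.

(* Induction is needed, but each step is again discharged by computation. *)
Lemma blenn n : ble n n = true.
Proof. induction n as [|n IHn]; [reflexivity | exact IHn]. Qed.

(* Boolean connectives compute too: the goal of slide (II) reduces to P. *)
Lemma connectives_compute n m (P : bool) :
  ble 1 (S m) && implb (ble (S n) 0) (Nat.eqb n m) && P = P.
Proof. reflexivity. Qed.

(* Link between the boolean program and the Prop-level order. *)
Lemma bleP n m : reflect (n <= m) (ble n m).
Proof.
  revert m; induction n as [|n IHn]; intros [|m]; simpl.
  - constructor; lia.
  - constructor; lia.
  - constructor; lia.
  - destruct (IHn m); constructor; lia.
Qed.

(* Case analysis on the boolean, in the spirit of case/boolP: each branch
   replaces the test by true or false and adds the matching hypothesis. *)
Lemma ble_total n m : ble n m || ble m n = true.
Proof.
  destruct (bleP n m); [reflexivity |].
  destruct (bleP m n); [reflexivity | exfalso; lia].
Qed.
```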
Structuring the proofs (I)
Decouple: proof structure — logical connectives
Example: reason by cases on the total order on n and m
Lemma trichotomy n m : n < m \/ m < n \/ n = m
n : nat
m : nat
P : bool
=========================
n == m || n < m || P
n : nat
m : nat
P : bool
============================
n < m -> n == m || n < m || P
subgoal 2:
m < n \/ n = m -> n == m || n < m || P
Just stating trichotomy does not suffice to reason by trichotomy
Structuring the proofs (II)
Modeling trichotomy in a faithful way
n : nat
m : nat
P : bool
============================
n == m || n < m || P
n : nat
m : nat
P : bool
============================
n < m -> false || true || P
subgoal 2:
m < n -> false || false || P
subgoal 3:
n = m -> true || false || P
You need infrastructure for that.
In our case carefully crafted inductive types did it.
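An added example in plain Coq (not taken from the talk or the library) of an inductive type that models trichotomy in this way: `tri`, `triP` and the two demo lemmas are hypothetical names. The same goal is proved twice, first from the disjunctive statement and then from the indexed inductive type, where one `destruct` yields the three cases and replaces every comparison in the goal by its truth value.

```coq
(* Added example: plain Coq, no SSReflect. All names are illustrative. *)
Require Import Bool Arith Lia.
Open Scope bool_scope.

(* One constructor per case; the indices record what each boolean
   comparison evaluates to in that case. *)
Inductive tri (n m : nat) : bool -> bool -> bool -> Prop :=
  | TriLt : n < m -> tri n m true false false
  | TriGt : m < n -> tri n m false true false
  | TriEq : n = m -> tri n m false false true.

Lemma triP n m : tri n m (n <? m) (m <? n) (n =? m).
Proof.
  destruct (Nat.ltb_spec0 n m); destruct (Nat.ltb_spec0 m n);
    destruct (Nat.eqb_spec n m);
    try (exfalso; lia); constructor; lia.
Qed.

(* With the disjunction, each case only adds a hypothesis: the booleans
   in the goal must be rewritten by hand. *)
Lemma with_disjunction n m : (n =? m) || (n <? m) || (m <? n) = true.
Proof.
  destruct (Nat.lt_trichotomy n m) as [H | [H | H]].
  - apply Nat.ltb_lt in H; rewrite H, orb_true_r; reflexivity.
  - apply Nat.eqb_eq in H; rewrite H; reflexivity.
  - apply Nat.ltb_lt in H; rewrite H; apply orb_true_r.
Qed.

(* With the indexed type, the three subgoals are closed boolean
   expressions (false || true || false, and so on) that compute. *)
Lemma with_spec n m : (n =? m) || (n <? m) || (m <? n) = true.
Proof. destruct (triP n m); reflexivity. Qed.
```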
Reasoning about programs (I)
Example: list programming
Programs written using simple types
Lemma size_rev s : size (rev s) = size s.
Lemma size_map f s : size (map f s) = size s.
s : seq nat
size_s : size s = n
H : m < n
============================
m < size (rev (map (fun i => i*2) s))
by rewrite size_rev size_map size_s
What if the concept of “size” is central?
Reasoning about programs (II)
Richer types inferred
Structure n .-tuple T : Type := Tuple {val :> seq T; _ : size val == n}.
Lemma size_tuple (t : n.-tuple T) : size t = n.
Lemma rev_tupleP (t : n.-tuple T) : size (rev t) == n.
Proof. by rewrite size_rev size_tuple. Qed.
Canonical rev_tuple t := Tuple (rev t) (rev_tupleP t).
Lemma map_tupleP f (t : n.-tuple T) : size (map f t) == n.
Proof. by rewrite size_map size_tuple. Qed.
Canonical map_tuple f t := Tuple (map f t) (map_tupleP f t).
t : n.-tuple nat
H : m < n
============================
m < size (rev (map (fun i => i*2) t))
by rewrite size_tuple
Reasoning about groups (I)
Proving the “being a group” property automatically
(* in the set library *)
Definition setI (A B : {set T}) : {set T} := [set x in A | x \in B].
Notation "A :&: B" := (setI A B).
(* in the group library *)
Lemma group1 (G : {group gT}) : 1 \in G.
Lemma group_setI (G H : {group gT}) : group_set (G :&: H).
Canonical group_setI G H := group (G :&: H) (group_setI G H).
Lemma test (G H K : {group gT}) : 1 \in (G :&: H) :&: K.
Proof. exact: group1. Qed.
Reasoning about groups (II)
The benefits of modularity
(* in the bigop library: iteration of binary op(eration) *)
Notation "\bigop[op,unit]_(X | P) F" := ...
(* in the set library *)
Notation "\bigcap_(X | P) F" := \bigop[setI,setT]_(X | P) F.
(* in the group library *)
Lemma group_set_bigcap : group_set (\bigcap_(i | P i) F i).
Canonical bigcap_group := group (\bigcap_(i | P i) F i) group_set_bigcap.
Definition 'O_p( A ) := \bigcap_(G | [max G | p.-subgroup(A) G]) G.
Definition 'C( A ) := \bigcap_(x in A) normaliser [set x].
Definition << A >> := \bigcap_(G : groupT | A \subset G) G.
Lemma test (A : {set gT}) (G H : {group gT}) :
  1 \in 'O_p(G :&: 'C(H)) :&: <<A>>.
Proof. exact: group1. Qed.
4. Conclusions
Stepping stones
SSReflect
Coq
CIC
Calculus of Inductive Constructions
programmable
programming language with inductive types
execution is a legal form of proof
types can contain CIC values
inferring types = inferring content
higher order
comfortable abstraction
Coq
type checking
implements the Calculus of Inductive Constructions
type inference
programmable to take into account the constructions part of the library
user extensions
notations for more intelligible formulas
tactics to accommodate specific needs
SSReflect
principles
clear semantics
built out of compound & compact commands
support for proof steps that are not syntax-directed
explicit proof structure
tactics fail early and locally
naming policy on local objects easier enforced
refactoring the proofs is more efficient
... and a lot of discipline
Files touched by each commit
[Figure: plot; y-axis "n° files changed", ticks from 0 to 140]
What does not work (well enough)
A lot of room for improvement:
• Search is very primitive and yet too hard for newcomers;
• The user lacks “failure explanation”;
• Refactoring activity is completely unassisted;
• The size/depth of the library pushes Coq to its limits;
• No data mining/visualization tools available.
External users
building on the libraries
low level programs @ MSR Cambridge
computer algebra @ Gothenburg + Sophia-Antipolis
elliptic curves @ IMDEA,...
using the proof language extension
Inria
AIST - Japan, ...
porting the proof language to another proof assistant
SSReflect mode for HOL-Light used in Flyspeck
The Mathematical Components library
Resources:
• SSReflect & Mathematical Components library
• SSReflect user manual
• Tutorials: MAP School
• Mailing list: [email protected]
Thanks for your attention