Mechanising Hilbert’s Foundations of Geometry in Isabelle Phil Scott

Mechanising Hilbert’s Foundations of
Geometry in Isabelle
Phil Scott
Master of Science
Artificial Intelligence
School of Informatics
University of Edinburgh
2008
Abstract
This project continues and revises Meikle’s mechanisation of Hilbert’s Foundations
of Geometry in Isabelle/HOL, focusing on declarative-style proofs to create readable
and maintainable proof documents. In the interests of readability and conciseness,
we have investigated general-purpose abstractions for geometric reasoning, and have
shown how these can simplify existing proofs. We have revised many of the existing
definitions by introducing new types, and analysed the notion of rays and half-planes
more deeply than Hilbert had originally. Finally, we have corrected subtle mistakes in
Meikle’s mechanised axioms of Group III, forcing us to produce new corrected proofs
of the early theorems.
Acknowledgements
I cannot give enough thanks to my supervisors, Jacques Fleuriot and Laura Meikle. I
would be fortunate enough to have even one supervisor with their knowledge, dedication and passion for the subject matter.
Declaration
I declare that this thesis was composed by myself, that the work contained herein is
my own except where explicitly stated otherwise in the text, and that this work has not
been submitted for any other degree or professional qualification except as specified.
(Phil Scott)
Table of Contents
1 Background and Aims . . . . . 1
1.1 Axiomatic Geometry . . . . . 1
1.2 Aims . . . . . 4
1.3 Related Work . . . . . 5
1.4 Structure . . . . . 7
2 Mechanisation . . . . . 8
2.1 Isabelle/Isar . . . . . 8
2.2 Declarative and Procedural styles . . . . . 12
2.3 HOL . . . . . 13
2.4 Existing mechanisation . . . . . 14
2.5 Theorem 3 . . . . . 14
2.6 Mechanisation Style . . . . . 16
3 Verbosity and Abstraction . . . . . 18
3.1 Issues with Prose . . . . . 18
3.2 Issues with Proofs . . . . . 21
3.3 Collinearity and Planarity . . . . . 22
3.4 Good Abstractions . . . . . 24
3.5 Building the Abstractions . . . . . 25
3.6 Putting it to Work . . . . . 31
4 Types, Segments and Rays . . . . . 33
4.1 Motivating New Types . . . . . 33
4.2 Rays . . . . . 39
4.3 Abstraction . . . . . 42
4.4 Concluding remarks . . . . . 47
5 Revising Group III . . . . . 49
5.1 Corrections . . . . . 49
5.2 Half-planes . . . . . 54
5.3 Axiom III,4 . . . . . 57
5.4 Concluding remarks . . . . . 64
6 Conclusion and Further Work . . . . . 65
Bibliography . . . . . 68
A Meikle’s proof of Theorem 3 . . . . . 71
B Revised Proof of Theorem 3 . . . . . 75
C Theorem 12 . . . . . 77
D Group I . . . . . 79
E Group II . . . . . 82
F Group III . . . . . 86
Chapter 1
Background and Aims
1.1 Axiomatic Geometry
Our project continues a mechanisation [18] of David Hilbert’s Foundations of Geometry [13], and to motivate it, we would like to remind the reader of the significance of
this text. Some of that significance is inarguably historical, and so perhaps we should
begin with the origins of geometry itself. But those origins are probably forever lost to
us. At most, we know that by the time of the Classical Greeks, there had already been
significant study of geometry with many geometric facts known. Reasonably sophisticated geometric insights have at least been hypothesised in the stone-circle builders of
megalithic Britain, geometric problems are found in the Rhind Papyrii of the ancient
Egyptians, and Babylonian stone-tablets show impressive abstract geometric sophistication, both in descriptions of algebraic problems, and the apparent discovery of the
Pythagorean triples [26, 19, 20].
The Greeks often claimed Egypt as their mathematical heritage via Thales, but the
Rhind Papyrii do not explain the sudden emergence of the Greeks’ logical sophistication, apparent in the following report by Proclus:
They say that Thales was the first to demonstrate that the circle is bisected
by the diameter. [6]
Even to a modern educated audience, Thales’ supposed achievement can seem puzzling. We are normally oblivious to a geometric fact such as this. It is hardly the
interesting and useful result of, say, Pythagoras’ Theorem. And was anyone in doubt
that circles are bisected by their diameter? What could Thales’ proof have amounted
to? What use was the result once established?
The Greeks had become attentive to logical principles. They explicitly distinguished
what we can learn empirically from what we can learn through reason alone [4], and
they knew how efficacious the latter was for geometry. Thus, a large number of geometric facts could be systematised. That is, they could be derived by rational arguments
from other, more “basic” facts, becoming theorems. In turn, those basic facts could be
proven, and so on, until all the facts were arranged in a hierarchy. Its roots were the
axioms, truths that were so obvious they needed no further proof.
What is particularly interesting is the enormous extent to which the systematisation
can be done. Even facts which seem to be completely obvious, of which we would
think it perverse to demand proof, can be momentarily doubted until they are shown to
be consequences of more basic truths. Thus, we have cases where geometers are going
so far as to prove that circles are bisected by their diameters.
The results of these axiomatisations were compiled in at least two texts. Only one
is extant: the Elements of Euclid [12]. Euclid’s twelve-book hierarchy of geometric
theorems was rooted in just five axioms and a suite of intuitive definitions for basic
geometric concepts such as lines, planes, angles, figures and so on. This text, the
systematic scepticism on which it is based, and the systematic analysis of our ideas
into ever more basic forms has served to inspire pure mathematicians and philosophers
ever since.
However, one of Euclid’s axioms was questioned from the very outset, the Parallel
Postulate. It was felt it was not basic enough to have the status of an axiom, but
instead should be a theorem, and many mathematicians over the centuries attempted to
prove it. They failed, because in the 18th century, Beltrami exhibited a space where
the postulate failed, thereby showing it independent of the other axioms. For a number
of mathematicians, this suggested that the nature of space was an open question, to be
dealt with by the empirical sciences [24].
Within the same century, mathematicians, having given in to a more pragmatic approach to the subject – justified by the needs and successes of the new sciences – were
returning to logical principles [9]. They reconsidered the systematic scepticism of
the Greeks and the scathing attacks against Newton and Leibniz’s Calculus by Bishop
Berkeley, who until then had been largely ignored.
So by reconsidering a conceptual analysis of mathematical knowledge, Cauchy could
do away entirely with the infinities, infinitesimals and limits of the calculus, while
Dedekind and Cantor found a way to build all the other number systems from just the
counting numbers, which in turn, were reduced to just a few basic axioms [3].
These mathematicians went further than their Greek predecessors. A key insight was
that, if we have enough axioms relating a set of concepts, we can scrap explicit definitions entirely. For instance, suppose we are told
For any two distinct points, there exists one and only one line that contains
them.
We can now immediately conclude that if two distinct lines contain a point, they contain exactly one point. But importantly, we do not have to know what a point or a line
is, nor what it means for lines to contain points. The terms can be left uninterpreted.
Indeed, we could replace them with any other terms and the conclusion would still
follow as a matter of pure logic.
This is in contrast to Euclid, who gave various definitions for his basic terms, such as
1. A point is that which has no part.
2. A line is a breadthless length.
3. The extremities of a line are points. [...]
By eliminating these definitions, a self-contained treatise would be possible, one where
the basic theoretical concepts and axioms never needed to appeal outside themselves
to vague pre-theoretic notions such as “breadthless length”.
Furthermore, it had become clear that, just as geometric truths could be systematised
in such a way that even the very obvious was in need of a proof, so too could geometric
definitions be systematised in such a way that even the most basic ideas were in need
of a definition. And just as the analysis of geometric facts bottoms out at the axioms,
the analysis of definitions bottoms out at primitive notions. The primitives have no
definitions at all, nor do they need them, because everything one wants to deduce about them
is a consequence of the axioms alone. Hilbert is famously quoted saying it would not
matter if the primitives point, line and plane were replaced throughout his work with
beer mug, table and chair [16].
So just as Thales could ask “is a circle bisected by its diameter”, and could settle the
matter even if it was intuitively obvious, Hilbert could ask “what is an angle” and give
a definition even if the notion is intuitively clear. And by reflecting on how angles are
used in geometric reasoning, and how they relate to other geometric figures, we can
agree with Hilbert that they must be two rays emanating from a point. In turn, we can
ask “but what is a ray”, and be presented another definition, until we get down to our
primitives.
There was another reason to leave the primitives undefined. During the 19th century,
work in projective geometry was uncovering duality theorems, geometric truths which
remained true when the words “point” and “line” were interchanged. Such theorems
suggested an approach to geometry which cared less about the actual designation of
“point” and “line”, but instead merely on the abstract relations between them. Thus,
Hilbert saw his axiomatisation as defining a “schema of concepts”, the concepts being
these primitive notions [14].
And with new geometries such as hyperbolic geometry being studied, there was interest in how to classify them all. But, of course, if an axiom system defines a geometry,
then the classification of geometries becomes the classification of those systems, with
different combinations of axioms yielding different geometries. Hilbert was interested
in our geometric intuitions however, and so his first few chapters are principally concerned with just the one Euclidean geometry.
With uninterpreted axioms, Hilbert’s proofs could not smuggle in hidden assumptions,
and his definitions could not reach outside the text as Euclid’s did. His is a definitive
axiomatisation which could finally say that its theorems derive from reason alone. This
is the principle, anyhow. Unlike Euclid, Hilbert was content to leave many theorems
stated but unproven, and was happy to appeal to diagrams to explain paths of inference. This is tolerable since we would expect the full proofs to be unenlightening.
Instead then, Hilbert’s first chapter gives a sample of thirty-two interesting theorems,
key milestones that we encounter when working through elementary geometry.
1.2 Aims
We will be working with Meikle’s partial mechanisation of the Foundations of Geometry in Isabelle/HOL [27]. A complete mechanisation and verification of Hilbert’s
axiomatic system will definitively show that his theorems follow by logic alone. And
we will know that his primitives can be left truly uninterpreted, since the rules of HOL
appeal only to abstract syntax and hold over all interpretations of the terms – including
beer mugs, tables and chairs.
Not merely an exercise in verification, the work may have practical benefits too. Mechanical theorem proving has been used to verify the correctness of computer languages
and mission-critical software. If the programs deal with geometry, proofs of
their correctness will benefit from an arsenal of mechanised theory, which we eventually hope our work will become.
Furthermore, ordinary mathematical proofs can become so complicated nowadays that
it is difficult for the human review process to verify their correctness. Hales started the
Flyspeck project with the goal of mechanising enough mathematics to verify his proof
of the Kepler conjecture [10], because his proof could not be certified valid even after
five years in review. A solid grounding of mechanised geometry will instead allow the
mechanical verification of such geometric proofs.
The basic axioms and their elementary consequences only make up the first chapter
of Hilbert’s text, and this chapter is our present concern. We regard the later chapters
as equally important, however, especially as they are often concerned with crucial
metamathematical results. We leave these chapters for future work.
Meikle has mechanised the axioms of the first three groups and virtually all the theorems of the first two groups, with a number of theorems mechanised in the third. The
original aims of the present project were to complete the mechanisation of the final
two groups, but we have had to completely revise these aims. The reasons are that,
firstly, when starting the project, we moved to a new proof language which opened up
new goals. Secondly, there were significant issues with Hilbert’s prose and its mechanisation, which found us merely extending and revising groups II and III.
1.3 Related Work
Hilbert’s approach to geometry is largely unfamiliar nowadays. Since the 18th century,
when the modern analytic approach took off, geometry has been studied in Cartesian
coordinate systems. So points are just identified with numerical coordinates and geometric figures are identified with sets of coordinates. As such, geometric reasoning
appeals to arithmetic rather than geometric axioms. Hilbert’s work returns to the Greek
synthetic tradition, where geometry is the basis for mathematics and thus the foundation for arithmetic.
In the 19th century, Klein introduced the Erlanger Programm, which reinterprets geometry in terms of transformation groups and analyses the invariants. So for instance,
Euclidean geometry is characterised in terms of the group of “rigid” transformations
of space – compositions of reflections and translations – and the study of this geometry
is the study of the invariants under these transformations. Like an axiom system, this
approach allows us to classify geometries by classifying the transformation groups [7].
While this is a popular approach to geometry amenable to axiomatisation, it is still
analytic as opposed to synthetic, and relies on complex theory drawn from analysis.
Borrowing such complex theory to found geometry is, as Majer argues, exactly what
Hilbert wanted to avoid [17]. Instead, Hilbert wanted to classify geometric truths in
terms of our most basic intuitions about geometric primitives, and so his approach
differs substantially from that of the Erlanger programm.
Working later, after the development of modern formal logic, Tarski produced his own
axiomatisation of geometry, this time symbolically formalised [25]. Notably, Tarski’s
geometry takes only points as primitive, and is first-order with eliminable quantifiers.
Hence, Tarski could show there is a procedure for deciding which statements of the
theory are true. A similar result will almost certainly not hold for Hilbert’s theory.
Hilbert’s is much more powerful, mentioning natural numbers in one of the axioms,
and eventually showing how to do arithmetic in geometric terms. As such, he is likely
to run foul of Gödel’s Incompleteness Theorems, whereupon his theory will be shown
undecidable. Moreover, it will likely rely on either elementary set theory or higher-order logic. For in Group V, Hilbert proves that the notions of “point”, “line” and
“plane” are semantically complete; that is, that their domains are uniquely picked out
by the axioms.
While we are not relying heavily on automated theorem-proving in geometry for the
present work, there has been success here. One approach owes some of its success
to reasoning algebraically with full angles – angles defined as any two intersecting
lines – rather than Hilbert’s half angles [23]. However, we are interested in preserving
Hilbert’s definitions and axioms as much as possible, so will not be following up on
this idea at the present time.
Dufourd et al. have a partial mechanisation of Hilbert’s geometry in the theorem prover
Coq [1]. But they are concerned with intuitionistic proofs, and so have analysed what
additional axioms are needed to make Hilbert’s theory intuitionistic. Again, we are
concerned with mechanising Hilbert’s theory as he intended it, which is very much
classical.
1.4 Structure
The report is organised as follows:
• in Chapter 2, we review the software and formal system we shall be using for
mechanisation. We briefly discuss some of the work we are extending, and mention our stylistic decisions and how they differ from the earlier approach;
• in Chapter 3, we shall discuss verbosity in mechanised mathematics, and provide some examples of how to overcome it, so that theorems can be stated more
concisely and proofs simplified;
• in Chapter 4, we introduce new types into our theory, focusing in particular on the
notion of a “ray”, and on the imprecision surrounding this concept in Hilbert’s
text;
• in Chapter 5, we identify problems in Meikle’s mechanisation of Group III, and
recount how we overcame them. We identify more imprecision and possible
gaps in Hilbert’s exposition, and show that, by bridging these, we can produce
elegant proofs of the complex theorems early in this group;
• in Chapter 6, we give our reflections on the mechanisation process, and suggest
possibilities for future work.
The declarations, definitions, axioms and theorems for our new mechanisations
of groups I, II and III are given in appendices D, E and F respectively.
Chapter 2
Mechanisation
We will be following Meikle and using the Isabelle/Isar [29] proof-assistant and the
HOL [27] object logic for our mechanisation. But in contrast to the earlier work,
we shall be exclusively using the declarative style of proof, in an attempt to create
readable proof texts. After discussing these ideas, we shall look at mechanisation
issues in translating prose to HOL, and discuss what can be learned from difficulties in
the process with regards to Hilbert’s exposition.
For the first three sections, all uses of terms such as proof, theorem, premise are to be
understood as mechanical proofs, mechanised theorems and mechanised premises in a
formal system.
2.1 Isabelle/Isar
Isabelle [21] is a proof assistant written in ML. It allows us to incrementally build formal theories by stipulating new definitions and proving new theorems. Each theorem
in Isabelle is a metalevel implication of the form
P1 =⇒ P2 =⇒ … =⇒ Pk =⇒ Q
which asserts that the premises P1, P2, …, Pk in the object theory derive the conclusion
Q. We can assert these statements as axioms, but most of the time we give a proof.
In its most basic functionality, we carry out proofs by transforming a stack of goals
(metalevel implications like the above) which represent the proof state. Many of the
functions simply unify the top goal with some of the premises and conclusion of an
existing theorem, which are then deleted or otherwise transformed. Other functions,
called tactics, carry out larger steps of reasoning using automated theorem-proving
techniques. For instance, the simplifier, in its most basic form, interprets theorems as
rewrite-rules, which it then uses against the goal and assumptions until no more apply.
The rewrite-rules can be declared either globally or as needed. Other tactics include
auto, blast and iprover, which implement classical, tableau and intuitionistic reasoning
respectively. By applying rules and using these tactics, the goals can eventually be
transformed so that the goal stack is emptied, at which point the theorem becomes part
of the theory, and can be applied in future proofs.
Isar is a system used to describe Isabelle proofs [29]. In its most basic form, it
is interactive and procedural, a thin layer above Isabelle allowing us to incrementally
transform a goal stack as we described above. But it also allows proofs to be written
declaratively. Here, we still work with a goal stack, but the individual goals are largely
fixed. Instead, we are principally concerned with facts. At the start of a proof, our set
of facts are our assumptions and any theorems proven so far in the theory. As the proof
text progresses, new facts are deduced until we eventually prove the goal at the top of
the stack, which is then removed. Each deduction must be achievable either in a single
deduction step or by a nested Isar proof. If a single step is used, it will either be the
application of an existing theorem, or the invocation of a tactic which can complete the
deduction automatically.
We can compare the two approaches with a simple proof
theorem ⟦P −→ R; P ∧ Q⟧ =⇒ Q ∧ R
  apply (rule conjI)
  apply (erule conjunct2)
  apply (erule mp)
  apply (erule conjunct1)
  done
This is the procedural style, applying three rules of natural deduction successively to
the goal at the top of the stack. Initially, the stack consists of just the goal itself
  1. P −→ R =⇒ P ∧ Q =⇒ Q ∧ R
The first command breaks this up into two goals, giving the new stack:
  1. P −→ R =⇒ P ∧ Q =⇒ Q
  2. P −→ R =⇒ P ∧ Q =⇒ R
The first goal is eliminated by conjunct2 and the second is transformed by mp to:
  1. P ∧ Q =⇒ P
which is finally eliminated by conjunct1. Note that the rules are applied in different
ways according to the semantics of rule and erule. There is also drule and frule. The
four together determine how the goal at the top of the stack is unified with the supplied
theorem.
Next, we look at a declarative proof:
theorem
  assumes P −→ R and P ∧ Q
  shows Q ∧ R
proof -
  from conjunct2 and ‹P ∧ Q› have Q .
  from conjunct1 and ‹P ∧ Q› have P .
  from mp ‹P −→ R› and ‹P› have R .
  from conjI ‹Q› and ‹R› show Q ∧ R .
qed
The use of assumes and shows is just syntactic sugar over the metalevel implication,
so we are still proving the same theorem. The first two steps of the proof deduce the
facts Q and P from the assumptions, and then finally prove the goal. The command
have introduces intermediate facts while the command show unifies the deduced fact
with the goal so that it can be popped from the stack.
The facts stated between the commands from and have are referred to as the current
facts for that line of the proof. The period terminating each line is actually the Isar
command for a trivial proof. It unifies the assumptions of the first fact with the other
current facts in order, while the conclusion is unified with the statement following have
or show.
Isar has a substantial amount of syntax over and above what we have seen here. For
instance, it encourages the forward-chaining of facts. This is possible because after
each step in the proof, the variable this is automatically bound to the last fact proved,
and so we can use the commands hence and thus to abbreviate from this have and
from this show. We can also use
  with ‹P −→ R› have
which abbreviates
  from ‹P −→ R› and this have
Isar can also be asked to infer the most sensible natural deduction rule to use at each
step, based on the shape of the current facts and the shape of the goal. Thus, we can
often leave the natural deduction rules implicit. Putting both ideas together, we get the
slightly shorter proof:
theorem
  assumes P −→ R and P ∧ Q
  shows Q ∧ R
proof -
  from ‹P ∧ Q› have Q ..
  from ‹P ∧ Q› have P ..
  with ‹P −→ R› have R ..
  with ‹Q› show Q ∧ R ..
qed
Finally, we discuss Isar’s handling of existential reasoning. Now just as universally
quantified formulas and implications at the object level can be replaced by universally
quantified formulas and implications at the metalevel, it is possible to move existential
quantifiers to the metalevel also. To see this, we note that
  ∃x. P x
is equivalent to
  ⋀Q. (⋀x. P x =⇒ Q) =⇒ Q
where ⋀ is a metalevel quantifier and x is not free in Q. Indeed, Isar has a special
syntax for the above metalevel statement:
obtains x where P x
Thus, to reason about an object satisfying P, we just prove this metalevel fact (referred
to as a soundness statement), after which we are given the fact P x (where x is referred
to as the obtained parameter). Eventually, we must prove a fact that does not contain
this parameter, which can then be unified with Q.
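As an added illustration of the two readings of an existential (example code, not from the thesis or Meikle’s mechanisation), the following small Isabelle/HOL theory states the soundness statement explicitly, uses an obtained parameter, and shows the reverse direction; the predicates P and Q and the theory name are assumed for the example.

```isabelle
theory Obtains_Example
  imports Main
begin

(* The metalevel reading of ∃x. P x as an Isar soundness statement:
   to conclude any thesis, it suffices to conclude it from P x for a
   fresh x. The hidden thesis plays the role of Q above. *)
lemma ex_as_obtains:
  assumes "∃x. P x"
  obtains x where "P x"
  using assms by blast

(* Using the obtained parameter: x is introduced together with the
   facts about it, and the proof must end with a statement in which
   x does not occur, which is what is unified with the thesis. *)
lemma
  assumes "∃x. P x ∧ Q x"
  shows "∃x. Q x"
proof -
  from assms obtain x where "P x" and "Q x" by blast
  (* ‹P x› and ‹Q x› are now available; ∃x. Q x no longer mentions
     the obtained x, so it may be shown. *)
  from ‹Q x› show "∃x. Q x" by (rule exI)
qed

(* The other direction: the metalevel statement, taken as a hypothesis
   with Q quantified at the metalevel, yields the object-level ∃. *)
lemma obtains_as_ex:
  assumes "⋀Q. (⋀x. P x ⟹ Q) ⟹ Q"
  shows "∃x. P x"
  by (rule assms) auto

end
```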
So we have two ways to use Isabelle: we can start from a goal on a stack and supply a
sequence of transformations which eventually lead to the empty stack, or we can start
from the assumptions, showing how facts can be derived and how these eventually
entail the goal. Thus, the first method reasons backwards and procedurally, while the
second reasons forwards and declaratively.
The aim of declarative proof languages is to represent much of the structure and language of informal mathematical proofs. So we have commands such as with and from
composed in ways that resemble English sentences. However, we note that the object
language – in which facts are written – is a traditional symbolic object language, with
which the reader is expected to be familiar.
Other declarative proof tools such as Mizar [22], which inspired Isar, use natural language at the meta- and object-levels. But with Mizar, we have less choice in our object
logic. Mizar uses first-order logic and set theory exclusively, though Harrison has developed a Mizar mode for HOL [11]. For a detailed comparison of Isar and Mizar, see
Wenzel and Wiedijk [28].
2.2 Declarative and Procedural styles
We suggest it is possible for a reader familiar only with the object logic to understand
the basic structure and approach of a declarative Isar proof. Indeed, a readable informal
proof is often used as a basic skeleton, and then each inference is just refined to greater
and greater detail until we reach the resolution of a mechanised proof. Moreover, we
can readily identify the facts used to drive the proof forward at any given point. Hence,
we are free to glance over the proof to see the higher-level structure, and able to dip
in to random sections if we want to understand bits of that structure at the mechanical
level (we discuss an example of this in section 5.3).
This is in contrast to procedural proofs. In order to understand a randomly selected
block of procedural steps, the reader must know what the goal-stack looks like at that
point, which is not included with the proof text. Neither is there any guarantee that
the proofs will have any recognisable structure, since the goal stack itself is often
manipulated during the proof by reordering goals, or using tactics that attack several
goals simultaneously. The upshot is that the path from goal to the assumptions can be
unpredictable, and rarely follows even the reversed path of the natural language proof.
In the context of the present work, we should mention that the ancient geometers reflected on the use of forward proof from assumptions – synthetic reasoning – and
reasoning backward from conclusion to assumption – analysis or, as Pappus calls it,
“reverse solution.” [5]. Pappus recognised that backward reasoning often helped in the
early stages of proof, and indeed, the procedural and interactive approach to proof is
often encouraged as a first step before a declarative proof is finally produced.
2.3 HOL
The higher-order object logic [27] we shall be extending is based on the HOL system
[8] and so ultimately on Church’s theory of simple types [2]. Its language extends first-order logic with type restrictions, lambda abstractions, more powerful binders such as
∃! for unique existence, SOME to denote an object (should it exist) satisfying a supplied description, and THE to do the same for unique objects satisfying the description.
We have the familiar language for set-theory, including set-theoretic operations, and a
powerful syntax for set-comprehensions. We also have a suite of natural deduction
rules for both elementary logic and set theory, as well as tactics which can carry out
larger steps of set-theoretic and classical reasoning automatically.
In HOL, predicates are just functions whose values are booleans, and all functions are
identified and typed at the metalevel. For instance, a function f which maps objects of
type α and β to γ has the type
α⇒β⇒γ
As with ML, types may be polymorphic and functions can be implicitly curried, so that
f x denotes a function of type β ⇒ γ. Predicates are simply functions that map objects
to truth values.
HOL types terms denoting sets as α set. Objects of this type are sets whose members
are of type α. We should note then, that sets whose members have type α set must
have the type α set set. Thus, we cannot mix members of a set with members of its
power set, as we would with more traditional “untyped” set theories such as ZF and
NBG. However, we should also note that, since the universe of each set is defined by
the type, we can take comprehensions and complements arbitrarily.
We have chosen to use HOL since Hilbert freely employs sets in his treatise. For
instance, segments are defined as a set of two points and rays as a set of points on the
same side of another point. For his final axiom, Hilbert asserts that the set of all points
cannot be extended whilst preserving certain relations among them, which contains not
only a mention of sets, but the mention of relations. For the latter, we need something
at least as powerful as first-order set theory or second-order logic.
2.4 Existing mechanisation
Meikle’s existing work already includes a number of pervasive but subtle mechanisation decisions. For instance, Hilbert’s opening definition begins
Consider three distinct sets of objects. Let the objects of the first set
be called points [...]; let the objects of the second set be called lines [...];
let the objects of the third set be called planes [...].
While this statement talks immediately about sets, Meikle mechanised it by declaring
three new types: pt, line and plane, no doubt reasoning that Hilbert’s three sets could
be understood as the domains for three types. But was Hilbert ruling out the possibility
that his three sets were empty? If not, the mechanisation is inappropriate, since higher-order logic rules out types with empty domains. The upshot is that we can prove that
there is at least one point, one line and one plane before we have stated any axioms at
all, which may not have been Hilbert’s intention.
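As an added illustration of this upshot (example code, not Meikle’s mechanisation), the theory below declares the three types and proves that each is inhabited from HOL alone, with no geometric axiom in scope; the type names follow the thesis, while the relation on_line and the theory name are assumed for the example.

```isabelle
theory Nonempty_Types
  imports Main
begin

(* Hilbert's three "sets of objects" read as three HOL types. *)
typedecl pt
typedecl line
typedecl plane

(* A hypothetical incidence relation: declared but uninterpreted, and
   not yet constrained by any axiom. *)
consts on_line :: "pt ⇒ line ⇒ bool"

(* Every HOL type has a non-empty domain, so each of these is provable
   before a single axiom of Group I is stated. *)
lemma point_exists: "∃p :: pt. True"
  by simp

lemma line_exists: "∃l :: line. True"
  by simp

lemma plane_exists: "∃α :: plane. True"
  by simp

(* The same fact lets us name an arbitrary point with the SOME binder,
   again without any axiom saying that points exist. *)
definition a_point :: pt where
  "a_point = (SOME p. True)"

(* Consequently a relational statement about that point is meaningful
   even though nothing is known about on_line. *)
lemma "on_line a_point l ∨ ¬ on_line a_point l"
  by blast

end
```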
The pedantry inherent in mechanisation brings out mistakes or inconsistencies in the
text. Meikle and Fleuriot noticed that Hilbert never appeals directly to his first two
axioms [18], and realised this was because, in early editions of the text, those axioms
essentially introduced notation and so could be appealed to implicitly in the use of
that notation. But when Hilbert later revised the axioms, he left his proofs unchanged,
leading to the confusion. Aside from this, a number of other errors have been identified, including typographical errors and a confusion between obtuse and reflex angles
(page 11 of Foundations of Geometry [13]). We have freely marked and corrected all
such errors when quoting Hilbert in the present work.
2.5 Theorem 3
Meikle and Fleuriot [18] had much to say about their mechanisation of Theorem 3,
which we include in Appendix A. There, they showed that there is a substantial gap
between Hilbert’s use of what was supposedly pure logic and the elementary logic
embodied by HOL. While this is certainly interesting, is it a point against Hilbert’s
rigour? Meikle and Fleuriot suggest so, and identify several unmentioned steps which
were “non-trivial” or “difficult”. But “non-trivial” in the context of mechanical theorem proving in HOL may not be the same as “non-trivial” to a human mathematician,
and Hilbert could not have been expected to anticipate the difficulties in translation
when he was not composing his proofs at the level of individual inference rules.
More interesting are the gaps Meikle and Fleuriot identified in the purely geometric
reasoning. Again, Hilbert must rely on the first two axioms of Group I, but does not
mention them. And in their proof, Meikle and Fleuriot encountered some difficult
intermediate steps involving planes. Hilbert does not even mention planes in his proof,
or the necessary axioms to govern them – possibly another omission.
It is still difficult to criticise Hilbert on this matter, since, as we mentioned in the last
chapter, he often states theorems without any proof at all. And if Hilbert was content to
state theorems without proof, he may have been content to give proofs that left certain
applications of axioms implicit.
Now if some of the theorems lack proofs, we are left with the question of how Hilbert
selected the theorems he would explicitly mention. For instance, in Chapter 1, he says:
Of the theorems that ensue from Axioms I, 1-8 only the following two are
mentioned:
He also explains in the introduction that
This present investigation is a new attempt to establish for geometry a
complete, and as simple as possible, set of axioms and to deduce from
them the most important geometric theorems in such a way that the meaning of the various groups of axioms, as well as the significance of the
conclusions that can be drawn from the individual axioms, come to light.
(emphasis added)
This is something that mechanisation can help us evaluate. Based on the difficulties
Meikle and Fleuriot found in the proof of Theorem 3, we can argue that there are
other theorems Hilbert should have explicitly mentioned, such as theorems concerning
planes. In general, if we view Hilbert’s selected highlights as a picture of elementary
geometry, showing only the significant lemmas that move us from the axioms to the
most interesting results, then we have something mechanisation can evaluate. For if
we find places where Hilbert offers a lemma but its mechanisation is trivial, then we
have an argument that the lemma is unwarranted. Whereas if we find proofs that are
particularly difficult which could be helped by a new and generally useful lemma, then
we have an argument that the lemma should be added to Hilbert’s picture. Thus, we
hope that once the current mechanisation work is complete, we will be able to suggest
an alternative selection of theorems and lemmas as the milestones of both informal and
mechanised elementary geometry.
2.6 Mechanisation Style
We made a number of stylistic decisions at the beginning of the work. Firstly, we shall
be using the declarative style exclusively, and with the aim of eventually producing
a set of readable proof documents. Readability will not only make the details of our
work accessible to a wider audience, but should make it easier to maintain the proofs
against new versions of Isabelle.
So in the interests of readability, we have used long descriptive names for symbolic
constants, instead of short abbreviations. For example, we have changed what was
originally cong-segs to congruent-segments and have made similar changes elsewhere.
We shall be moving as many quantifiers, conjunctions and implications as possible from
the object level to the metalevel. For instance, any theorem of the form P ∧ Q −→ R can be
rewritten at the metalevel as
assumes P and Q
shows R
As we discussed above, the declarative style allows metalevel statements to be written
with natural language syntax, so moving to the metalevel improves readability. This is
typically done anyway, since theorems are often easier to use in proofs when expressed
at the meta- rather than object level.
Finally, as is typical in ML, we have replaced all functions and predicates on tuples
with curried one-argument functions. Curried versions of functions may well prove
useful, and indeed, as we show in Chapters 4 and 5, we can understand both rays
and half-planes in Hilbert’s geometry in terms of the equivalence class of a particular
curried predicate.
But for readability, conciseness is crucial, and this is a challenging issue. As much as
possible, we must keep our proof texts short and eliminate the inherent verbosity of
mechanised mathematics. We discuss this matter in detail in the next chapter, where
Theorem 3 is used as a case-study. We show how, with the right abstractions, its proof
can be substantially shortened and simplified over Meikle’s original.
Chapter 3
Verbosity and Abstraction
Compared to ordinary mathematics, mechanised mathematics is verbose. Even trivial
results can require a dozen lines of proof. To a certain extent, tactics can make leaps
of inference over many steps of pure natural deduction, but in non-trivial higher-order
proofs, they often struggle. In certain cases, not even the unification of proof rules
succeeds. In this chapter, we discuss how, with the right abstractions, we can create
more powerful inferential mechanisms, thereby reducing the length of a proof, while
providing a more concise language to state the theorems proved.
3.1 Issues with Prose
Sometimes natural language is more concise because it is much more expressive than
the language of higher-order logic. When we mechanise, we effectively translate down
from the more expressive language. We can find it difficult to preserve structure and
intent, even with works as attentive to logical rigour as Foundations of Geometry. Consider the following very simple example (page 8 [13]), stating facts about the points O,
A, A′ and B:
O lies between A and B but not between A and A′ .
We could mechanise this as:
between A O B ∧ ¬between A O A′
Now this is not a direct translation. Notice that we have had to use the term O twice.
This is because, in Hilbert’s formulation, the conjunction but governs two predicates:
“is between A and B” and “is between A and A′ ”, and combines them into a single predicate which is then applied to a single subject O. We have no operation to combine the
between relations like this, and if we try to give a single subject-predicate formulation
using lambda-abstraction, the result is unwieldy:
(λx. between A x B ∧ ¬between A x A′) O
Instead, we have opted for the first formulation, insisting that even if we have not
preserved the logical structure of the original, we have preserved its intention. In this
case, the matter is trivial, but other examples require more radical transformations and
it is less clear whether intention is preserved. Here is such an example:
Two angles that have a vertex and one side in common and whose separate
sides form a line are called supplementary angles.
There are several issues to mention here. The sides of an angle are just rays, but there
are some issues with the notion of rays “forming a line”, which we cover in Chapter 4.
There we shall understand the statement to mean the rays are distinct and lie on the
same line. But Hilbert does not even define the meaning of “the ray lies on the line”.
He just starts using such phrases. In the first group, he is more careful. After giving
Axiom I,6, he explicitly introduces the phrase “a lies on the plane α”. But after this,
his other incidence relations appear from nowhere. So on page 11 (of [13]) and in
Axiom III,4, he talks about segments and rays lying in the interiors of angles, and then
about rays lying in a plane, all without definitions.
We can be charitable. The intended meaning is obvious: segments, rays and angles
are each associated with a unique set of points. The incidence relations of the points
therefore determine the incidence relations of the new objects. Unfortunately, we
do not have automated tools which can spot this and provide these new incidence
relations automatically, suggesting we devise these tools ourselves, or otherwise revise
our representation. For now, we must explicitly introduce new predicates, and, to keep
from having to continuously unfold their definitions, we must prove geometric rules
to govern them. This is laborious, and complicates the proof-text, providing another
example of why mechanised proof leads to verbosity and why we are discouraged from
keeping to the exact structure of Hilbert’s prose.
One more point about these explicit definitions: Hilbert has several ways to talk about
incidence. While he may say “a and b contain A”, he can just as easily say “A lies
on a and b”, “A is incident with a and b”, “a and b intersect at A” or “a and b meet
at A”. Now we could mechanise each of these and still only introduce one predicate.
The other expressions can be introduced in Isabelle as mere syntax that will be automatically translated to terms involving the single predicate when encountered, but we
have chosen not to do this. Even if Hilbert is developing the foundations of geometry,
he is not developing a new vocabulary for geometry, and so he is free to make use
of common synonyms. But since we are developing a new symbolic vocabulary, one
which new readers must familiarise themselves with to understand the proofs, we must
keep it small.
Returning to the example, we look more closely at the phrase “separate sides”. Two
supplementary angles have three sides: the common side and the two separate sides.
That we are discussing angles and sides is irrelevant. The general description works
for any two Xs which have two Ys each, one of which they share. But this way of
describing the objects is not directly available to us in HOL. For a start, “sides in common” and “separate sides” cannot be analysed separately, so the conjunction and in the
original prose is not the logical conjunction of HOL. We would need some new device
in higher-order logic. And in order to capture the meaning of the natural language
device, we would need to prove numerous deduction rules to govern it. The reason we
did not, aside from the fact that such tasks require a fair amount of mechanisation that
is not directly related to mechanical geometry, is that the introduction of a new relation
would not necessarily have made the proofs any more readable: again, Hilbert is making use of an existing language that his readers are familiar with. We are inventing our
own. But at the same time, we are aiming to preserve the intention of the definitions
and axioms. The conflicting concerns make for a difficult challenge. Here, we initially
opted for
supplementary :: angle ⇒ angle ⇒ bool
supplementary hk hk′ ≡ hk ≠ hk′
  ∧ sides hk ∩ sides hk′ ≠ {}
  ∧ (∀ h ∈ sides hk. ∃ h′ ∈ sides hk′. line-of-ray h = line-of-ray h′)
(Incidentally, note the use of the explicitly defined line-of-ray function.)
This reading is again verbose. It is also confusing and we felt it deviated too far from
the prose. We have also exploited a geometric fact in the second conjunct, that the
sides of an angle lie on distinct lines, when we noted above that Hilbert’s description
should work even in non-geometric contexts. The following was a compromise:
supplementary hk hk′ ≡ hk ≠ hk′
  ∧ (∃ h. h ∈ sides hk ∧ h ∈ sides hk′
    ∧ line-of-ray (opposite-side hk h) = line-of-ray (opposite-side hk′ h))
Note that we have removed the redundant claim that the angles share a vertex – it is
enough to say they share a side. Now for this definition, we did introduce one new
device, namely the function opposite-side, which given one side of an angle, returns
the other. This is a simpler descriptive device, so we still have not captured the prose
exactly, but it may be more useful in general mechanisation, since it can be easily
generalised by a function on arbitrary pairs.
3.2 Issues with Proofs
The clearest examples of verbosity are in the geometric proofs themselves. For the rest
of this chapter, we shall return to Theorem 3 in Group II. In Hilbert’s text, this proof is
accompanied by a diagram (figure 3.1).
Figure 3.1: Diagram for Theorem 3 (diagram not reproduced; it labels the points F, E, A, D, C and G)
Diagrams accompany many of Hilbert’s proofs. Indeed, his arguments generally consist of constructing the displayed figure. The desired conclusion is then derived by
reasoning about the construction. Such geometric constructions entail large numbers
of basic facts: for instance, if we draw a square, we have facts about the four triangles
made by its diagonals, facts about opposite sides being parallel, and so on. A diagram
helps to show which of these facts are important and hide those that are not.
So in Hilbert’s diagram, we have facts indicated but not stated in the accompanying
prose. We are shown that the six points A, C, D, E, F and G lie in the same plane; that
they are mutually distinct; and we are shown all possible collinearity and betweenness
relationships. Moreover, information is conveyed in what the diagram does not show.
So no line is drawn between D and F or between E and C, indicating that such lines
are irrelevant to the proof. And the orientation and general layout of the diagram also
guides the reader towards the right set of inferences. So the most clearly emphasised
triangle in the diagram is ACF, which is the one used when appealing to the central
axiom justifying the theorem.
This last point hints at something important. When making use of a theorem with a
complex set of assumptions in Isabelle/Isar, the automated tools have trouble deciding
which of the current facts should count directly as assumptions, and which merely
derive the assumptions. Perhaps humans have the same problem with this, but in
Hilbert’s text, the diagram works well to guide the reader to the correct application.
The mechanical prover has no such diagrams, and would instead consider all facts and
derivations given what is provided. The resulting combinatorial explosion can cause
those tactics to fail. To avoid this, we must indicate which facts are to be considered
at each step explicitly and symbolically, and in many cases, manually bind schematic
variables to help the unifier identify the correct assumptions.
The proof length grows as a consequence, bloated with explicitly stated but uninteresting intermediate facts, so that we may start losing any hope of creating a readable
document. As such, we decided it was necessary to find some way to make proofs
concise, even without the diagrammatic reasoning that Meikle and Fleuriot suggest is needed.
So instead, we chose to introduce new symbolic ways of shortening geometric proofs,
by compressing large numbers of facts into just a few.
3.3 Collinearity and Planarity
It turns out that there are at least two purely geometric abstractions that we can use
for this purpose. For instance, many of the facts we need in the proof of Theorem 3,
as shown in Meikle’s original proof, merely state that points are distinct, or state individual incidence relationships between points and lines. These can be condensed, not
into statements about particular incidence relationships, but into statements about collinearity
relationships among the points themselves. Moreover, if we can make do with collinearity
statements exclusively, it would at least eliminate all terms denoting individual lines.
As an example, consider the following facts
  A ≠ B
  on-line A a
  on-line B a
  on-line C a
  ¬on-line D a
  on-line D b
  on-line E b
  on-line F b
By recasting these in terms of collinearity, we are left with just
collinear {A, B, C}
collinear {D, E, F}
¬collinear {A, B, D}
Now the collinear predicate was principally introduced by Meikle to mechanise various axioms, such as the combined Axiom I,4-5. The predicate is defined by:
constdefs
collinear :: pt set ⇒ bool
collinear S ≡ ∃ a. ∀ P∈S. on-line P a
It says there is a line that each point in the set S lies on. Using it, we can mechanise the
phrase of Axiom I,4 “For any three points A, B, C that do not lie on one and the same
line”:
¬collinear {A, B, C}
At this point, we should deal with any concerns that set-theoretic reasoning deviates
from Hilbert’s purely geometric treatise. After all, Hilbert was happy to discuss sets in
his text. So not only do we have rays defined as “totalities of points” – in other words,
sets of points – we also find sets of sets, such as polygonal segments, which cash out
as sets of segments, which in turn cash out as sets of points. As such, we feel justified
in introducing our own predicates on sets, especially since the collinear and planar
predicates will be used almost exclusively to reason with finite collections of points.
Meikle proved a number of lemmas showing how statements of collinearity relate, and
how they relate to statements involving other more primitive notions. But as lemmas,
they are mostly conveniences to move between notations. What we want to do for the
current work is to turn the collinear predicate into a powerful abstraction, not merely
a syntactic shorthand for expressing axioms and theorems more concisely.
3.4 Good Abstractions
An abstraction at the very least moves us to a new level of description, and hides
underlying details at the lower-level. In the case of collinearity, we are moved from
talking about incidence relationships to a relationship among sets, hiding any mention
of the lines they are incident with. To further clarify what we want of an abstraction,
we offer the following criteria:
1. the new concept represented (relation, function, etc.) should be intuitive;
2. it should fully encapsulate its definition: we should rarely if ever want to unfold
the definition in proofs which use it;
3. it should be governed by concise, intuitive and general deduction rules that can
be used frequently and which can be systematically combined to express complex geometric arguments;
4. use of the deduction rules should yield shorter proofs than those expressed in
terms of the unfolded representation;
5. if possible, the abstraction should be “self-contained”, allowing us to reason
directly between different instances of the abstraction without having to move to
another representation.
A paradigm example of a good abstraction is the limit notation of analysis. A limit
of a function is typically defined by the standard epsilon-delta definition. Armed with
this definition, we can prove whether a function tends to a limit at a given point and
what that limit is. But we quickly find that direct proofs from the definition are often
laborious and inelegant. They treat every function as a special case, and do not exploit
the fact that functions are often constructed systematically from simpler ones.
Now we introduce the notation
$\lim_{x \to c} f(x)$
to succinctly denote the limit (should it exist) of the function f as x tends to c. But what
turns this notation into a powerful abstraction is a set of rules for reasoning in a self-contained way about limits: combination rules (sum, product, quotient), comparison
rules, glue rules and so forth. Combined with facts about limits for basic functions,
these rules can be systematically applied to reason about limits without ever having to
return to the epsilon-delta definition. Moreover, the rules are highly intuitive, in many
cases conforming in obvious ways to existing algebraic laws, and so they represent a
new level of description in those algebraic terms.
This explanation is historically inaccurate of course. Reasoning about limits directly
preceded the introduction of the epsilon-delta definition, but this is further evidence
of the abstraction’s intuitiveness. Indeed, we typically learn to reason in this more
intuitive way at school, and only learn the rigorous definitions later.
3.5 Building the Abstractions
Reflecting on the example, we can note that the combination rules for limits just “lift”
algebraic operations on functions to algebraic operations on limits of functions. Now
collinearity is a predicate of sets, and so if we want to model it on the same principle, we need to “lift” the basic set-theoretic operations and relations to set-theoretic
operations and relations on collinear sets. The set-theoretic operations we consider are
unions, intersections, complements, differences and subsets.
The most trivial is the subset relation. Clearly, any property shared by all members of
a set is shared by all members of its subsets, so trivially, the subset of a collinear set is
also collinear:
collinear-subset:
assumes A ⊆ B
and collinear B
shows collinear A
using assms unfolding collinear-def by auto
We did not need to prove this. An automatic tactic could immediately derive the result
by definition.
With subsets out of the way, we can discharge intersections and differences. After all,
A ∩ B ⊆ A and A − B ⊆ A. So that leaves unions and complements. For unions, we
need to prove that a union of collinear sets is collinear. Obviously, this does not hold
in general, so we need additional assumptions. Now not any sort of assumption will
do. After all, this is a set-theoretic abstraction, so we want to restrict our attention to
set-theoretic assumptions. It is undesirable, and indeed trivial, to say that two collinear
sets have a collinear union when their points are incident with the same line. But we
can look at the membership relation.
Now, we know that two distinct points uniquely determine a line by Axiom I,2, so if a
collinear set contains two distinct members, then every member of the set must lie on
that line. Thus, our union rule becomes:
theorem collinear-union:
  assumes collinear S and collinear T
    and A ∈ S and A ∈ T and B ∈ S and B ∈ T
    and A ≠ B
  shows collinear (S ∪ T)
Lastly, we have complements. We did not provide a rule for these. In Hilbert’s proofs,
there are no cases where complements of collinear sets or non-collinear sets are taken,
so such theorems involving complements are not likely to be useful. Besides, it is
trivially true that the complement of a collinear set is non-collinear.
Analogous to the collinear predicate is the planar predicate. This was also introduced
in the original work to mechanise one of the Group I axioms. But the axiom is not
needed until at least Group V, and certainly not in the existing mechanisation. As such,
the predicate went unused. So continuing our goal to create useful abstractions, we
have gathered some results concerning planarity.
As with collinear, it was trivial to prove the subset rule, and the union rule is proved
in an analogous way. The collinear rule needed axioms 1 and 2 which demand that
lines are uniquely determined by two distinct points. Now axioms 4 and 5 demand
that planes are uniquely determined by three non-collinear points. So we should use a
non-collinearity property in our assumptions:
theorem planar-union:
assumes planar S planar T
¬collinear (S ∩ T)
shows planar (S ∪ T)
The fact that we have mentioned collinearity in this theorem suggests we find other
theorems relating collinearity and planarity. To that end, we have the following two
key theorems:
theorem collinear-implies-planar:
assumes collinear S
shows planar S
theorem collinear-union-is-planar:
  assumes collinear S
    and collinear T
    and S ∩ T ≠ {}
  shows planar (S ∪ T)
The first theorem is a consequence of Axiom 6 in the first group: if two points on a
line lie in a plane, then the line lies in that plane. The second theorem is entailed by
the fact that intersecting lines determine a plane.
A number of additional theorems were proven about collinearity and planarity. We
added the facts that arbitrary sets of two or fewer elements are collinear and arbitrary sets of three or fewer elements are planar. From this, it immediately follows
that three non-collinear points are distinct and four non-planar points are distinct. We
also provided theorems which allow us to move back and forth between collinearity/planarity claims and incidence claims. Finally, we proved two important results about
non-collinear sets:
theorem non-collinear-subset:
assumes ¬collinear S
obtains A B and C where {A, B, C} ⊆ S ∧ ¬collinear {A, B, C}
This theorem states that a non-collinear set has a non-collinear subset of three elements.
In other words, non-collinear points determine at least one triangle.
The other non-collinearity theorem allows us to construct a triangle from two distinct
points, something we typically want to do in the initial stages of a geometric construction:
theorem construct-triangle:
  assumes A ≠ B
  obtains C where ¬collinear {A, B, C}
proof −
  {
    fix D E and F
    assume ∀ P. collinear {A, B, P}
    hence collinear {A, B, D} collinear {A, B, E} and collinear {A, B, F} by auto
    hence collinear {D, E, F} using ‹A ≠ B›
      by (blast intro:
            collinear-union
            collinear-subset[where T = {A, B, D} ∪ {A, B, E} ∪ {A, B, F}])
  }
  with AxiomI3b show (⋀C. ¬ collinear {A, B, C} =⇒ thesis) =⇒ thesis by blast
qed
The result follows from the second part of Axiom I,3, asserting that there are three
non-collinear points. If we work from contradiction, we can assume that all points are
collinear with the given A and B and from this deduce that any three points must be
collinear. This can be done in a single step with blast and the two rules for collinear
sets.
Note, however, that we have bound our literal union to the metavariable T in the subset
rule. Without this, the tactic fails, likely because higher-order unification is undecidable in general, and Isabelle will use trivial unifiers whenever it can, which is not what
we want here. This is unfortunate, but must be done whenever these rules are used.
But since the pattern is nearly identical in each case, it should be possible to automate.
See Chapter 6 for more discussion.
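The collinear and planar predicates of this chapter, the lifted subset and union rules, and the inner step of construct-triangle can all be sanity-checked in the standard coordinate model before any proof effort is spent on them: real space satisfies Hilbert’s axioms, so a candidate rule that fails in the model cannot be a theorem, while a rule that survives a brute-force search is at least worth proving. The following Python is an added example and not code from the thesis or its Isabelle theories; the point set GRID, the function names and the convention of raising ValueError when a rule is applied outside its hypotheses are this example’s own choices.

```python
# Constructed sanity model for the collinear / planar abstraction (added
# example, not the thesis's Isabelle code).  Points are integer 3-vectors so
# every check is exact; the lifted rules are functions that verify their
# hypotheses and return their conclusion, mirroring a rule application.
from functools import lru_cache
from itertools import combinations, product


def _sub(p, q):
    return (p[0] - q[0], p[1] - q[1], p[2] - q[2])


def _cross(u, v):
    return (u[1] * v[2] - u[2] * v[1],
            u[2] * v[0] - u[0] * v[2],
            u[0] * v[1] - u[1] * v[0])


def _dot(u, v):
    return u[0] * v[0] + u[1] * v[1] + u[2] * v[2]


@lru_cache(maxsize=None)
def collinear(S):
    """collinear S: some line contains every point of the frozenset S.  For a
    finite set this holds exactly when every triple has zero cross product."""
    return all(_cross(_sub(Q, P), _sub(R, P)) == (0, 0, 0)
               for P, Q, R in combinations(sorted(S), 3))


@lru_cache(maxsize=None)
def planar(S):
    """planar S: some plane contains every point of S, i.e. every quadruple
    has zero scalar triple product."""
    return all(_dot(_cross(_sub(Q, P), _sub(R, P)), _sub(W, P)) == 0
               for P, Q, R, W in combinations(sorted(S), 4))


def collinear_union(S, T, A, B):
    """collinear-union: collinear S, collinear T, A and B in both, A != B
    ==> collinear (S ∪ T).  ValueError = rule applied outside its hypotheses."""
    if not (collinear(S) and collinear(T) and A != B
            and {A, B} <= S and {A, B} <= T):
        raise ValueError("collinear-union hypotheses not met")
    return S | T


def collinear_subset(A, B):
    """collinear-subset: A ⊆ B, collinear B ==> collinear A."""
    if not (A <= B and collinear(B)):
        raise ValueError("collinear-subset hypotheses not met")
    return A


def derive_collinear_from_common_pair(A, B, D, E, F):
    """Inner step of construct-triangle: from collinear {A,B,D}, {A,B,E},
    {A,B,F} and A != B derive collinear {D,E,F} by two unions (the literal
    union the thesis binds to T) followed by one subset step."""
    s1, s2, s3 = frozenset({A, B, D}), frozenset({A, B, E}), frozenset({A, B, F})
    big = collinear_union(collinear_union(s1, s2, A, B), s3, A, B)
    return collinear_subset(frozenset({D, E, F}), big)


def construct_triangle(A, B, candidates):
    """construct-triangle in the model: given A != B, return a C among the
    candidates with ¬collinear {A, B, C}."""
    if A == B:
        raise ValueError("construct-triangle needs A != B")
    for C in candidates:
        if not collinear(frozenset({A, B, C})):
            return C
    raise ValueError("no non-collinear point among the candidates")


def non_collinear_subset(S):
    """non-collinear-subset: a non-collinear set contains a non-collinear
    triple, i.e. it determines at least one triangle."""
    if collinear(S):
        raise ValueError("non-collinear-subset needs ¬collinear S")
    return next(frozenset(t) for t in combinations(sorted(S), 3)
                if not collinear(frozenset(t)))


# Constructed model: a 3x3 grid in the plane z = 0 plus one point above it,
# so the model has collinear triples, coplanar and non-coplanar quadruples.
GRID = [(x, y, 0) for x in range(3) for y in range(3)] + [(1, 1, 1)]


def check_union_rules(points=GRID):
    """Brute-force check of collinear-union, planar-union,
    collinear-implies-planar and collinear-union-is-planar over all pairs of
    2- to 4-element subsets of `points`.  Returns the number of pairs
    examined; a rule failing in the model raises AssertionError."""
    subsets = [frozenset(c) for k in (2, 3, 4) for c in combinations(points, k)]
    for S, T in product(subsets, repeat=2):
        if collinear(S):
            assert planar(S)                        # collinear-implies-planar
            if collinear(T) and S & T:
                assert planar(S | T)                # collinear-union-is-planar
                if len(S & T) >= 2:
                    assert collinear(S | T)         # collinear-union
        if planar(S) and planar(T) and not collinear(S & T):
            assert planar(S | T)                    # planar-union
    return len(subsets) ** 2
```

The body of derive_collinear_from_common_pair is exactly the union-then-subset pattern that the thesis observes recurs at every use of the union rule; writing it once as a function is the model-level analogue of the automation proposed for Chapter 6. check_union_rules only confirms the rules in one model and is no substitute for the Isabelle proofs, but it is a cheap filter for candidate rules before they are stated as theorems.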
We now return to our list of qualities for a good abstraction. We see that we need more
theorems if collinearity and planarity are to be self-contained. The problem is that
Hilbert’s axioms are given in terms of incidence relations, not our new abstractions, so
we need to revise these axioms accordingly. Unfortunately, we find that the revisions
take us too far from the original intent, and they are variously stronger or weaker. So
instead, we derive our revisions from the originals. It remains an interesting question
whether or not the full set of revisions likewise derive the original axioms, and thus
whether they could form an alternative axiomatisation, but it is not a question we have
explored in the current work.
Axiom 1 is dealt with by the fact that two-element sets are collinear, the first part of
Axiom 4 by the fact that three-element sets are planar. Axioms 2 and 5 are incorporated into the union rules for collinear sets and planar sets. Axiom 6 is essentially
incorporated into the fact that collinearity implies planarity. And the second part of
Axiom 3 is already given in terms of collinearity.
Only the first part of Axiom 3 and Axiom 7 need to be dealt with. The first says that
there are at least two points on a line. The second that two distinct planes sharing a
point must share some other point. We include the original mechanised axioms here
and both revisions:
ORIGINAL MECHANISATION OF AXIOM 3
AxiomI3a: ∀ a. ∃ A B. A ≠ B ∧ on-line A a ∧ on-line B a
REVISED MECHANISATION OF AXIOM 3
corollary AxiomI3a-col:
  assumes collinear S
  obtains P and Q where
    P ≠ Q
    and collinear (S ∪ {P, Q})
ORIGINAL MECHANISATION OF AXIOM 7
AxiomI7: [[ α ≠ β; in-plane A α; in-plane A β ]] =⇒
  ∃ B. A ≠ B ∧ in-plane B α ∧ in-plane B β
REVISED MECHANISATION OF AXIOM 7
corollary AxiomI7-col:
  assumes
    planar S planar T
    and S ∩ T ≠ {}
  obtains P and Q where
    P ≠ Q
    planar (S ∪ {P, Q})
    and planar (T ∪ {P, Q})
Notice that we have lifted the object-level existential quantifier to a metalevel obtains,
a strategy that we discussed in Chapter 2.
In Group II, the first three axioms concern betweenness properties. But collinearity and
planarity strictly belong to Group I, before betweenness has been introduced. So there
is nothing to be done here. However, Axiom 4 does mention incidence, and so we
can revise it. Intuitively, it says that a line entering a triangle also leaves it. We again
include the original and its revision:
AxiomII4:
[[ ¬collinear {A,B,C};
line-on-plane a (plane-of A B C);
¬on-line A a; ¬on-line B a; ¬on-line C a;
line-meets-segment a (the-segment A B) ]]
=⇒ (line-meets-segment a (the-segment A C) ∨ line-meets-segment a (the-segment B C))
corollary AxiomII4-col:
assumes
¬ collinear {A, B, C}
¬ collinear {A, B, E}
¬ collinear {C, D, E}
planar {A, B, C, D, E}
and between A D B
shows ∃ F. collinear {D, E, F} ∧ (between A F C ∨ between B F C)
Note that the original axiom mentioned lines meeting segments, while the revision only
mentions betweenness. The expressions are nevertheless equivalent, and we only prefer
the segment formulation in the original because it conforms closely to Hilbert’s prose,
and because we consider segments an important abstraction in the mechanisation. We
discuss this abstraction in Chapter 4.
3.6 Putting it to Work
Armed with revised axioms, and various rules for collinearity and planarity, we return to our case-study. Meikle’s original proof and our revised proof can be found in
appendices A and B respectively.
Every step in the proof is either an application of a revised axiom or one of our rules for
collinear and planar sets, which is consistent with several criteria from 3.4 on page 24.
Collinearity and planarity are governed by rules that allow us to express complex steps
of geometric reasoning by systematically combining the sets involved, as required by
item 3. At no point did we unfold either predicate, or move instead to talking about incidence relations, so these relations have been encapsulated to provide a new level of
description, in accordance with items 2 and 5. The notions of collinearity and planarity are also intuitive, being standard geometric concepts, in accordance with item 1.
Additionally, because the rules are based on set-theoretic properties, they allowed us
to appeal both to our geometric intuition and our intuitions of the behaviour of sets,
making it easier to discover proofs.
Incidentally, we note that every use of the union rule in our revised proof takes the
form we saw in the proof for construct-triangle, so we have more evidence that this
should be automated.
In Meikle’s original mechanisation, special-case lemmas were used to identify the
larger gaps in Hilbert’s proof. One such lemma gathers together the assumptions of
Axiom II,4. Meikle notes that one of these assumptions, that the line EG lies in the
plane AFC, is particularly difficult to prove. But on our new scheme, that EG lies in
AFC is captured simply by the assertion that all five points are planar, and that follows
in a single step from the facts that {A, E, F} and {C, F, G} are collinear sets. Another
lemma showed that the line EG does not intersect the segment FC. In our proof, it
took just four steps to prove this, again using our union and subset rules for collinear
sets. Thus, our rules greatly simplified the proof, and unlike the special-case lemmas,
they are reusable.
Indeed, we should stress that this is not an isolated example. Many of the proofs we
have now mechanised made frequent use of the collinear and planar rules, and we hope
that they have led to shorter, more readable, and more easily discoverable proofs. It
is difficult to assess these claims however. While fewer steps were used in the new
proof of Theorem 3, it may be that Meikle’s proof could have been shortened anyway
without making use of the new abstractions. Nevertheless, we feel that a number of the
original criteria have been satisfied to justify them. Certainly, in our development of the
theories, we found them more convenient than reasoning directly in terms of incidence
relations. Furthermore, we feel justified in seeking out new symbolic abstractions to
shorten proofs, perhaps even considering devices such as “common and separate sides”
mentioned earlier.
In the next chapter, we shall see more examples of abstractions and how they reduce
verbosity, this time in the context of new types.
Chapter 4
Types, Segments and Rays
In several places, Hilbert introduces a new name for an existing concept, such as segments which are identified with two element point sets. We argue that these are best
mechanised as type-definitions, especially as new relations are brought in to govern
these concepts exclusively. We show how new types can reduce verbosity in the mechanised mathematics, though we must prove numerous rules to make them useful abstractions in proofs.
We have a lot to say about one of the abstractions in particular, the notion of a “ray”.
As we shall see, Hilbert’s exposition of this notion could have been more thorough.
4.1 Motivating New Types
DEFINITION. Segments stand in a certain relation to each other and for
the description the words “congruent” or “equal” will be used.
DEFINITION: Angles stand in a certain relation to each other, and for the
description of which the word “congruent” or “equal” will be used.
We should remark that these are not, strictly-speaking, definitions. Hilbert does not
explicitly tell us what “congruent” or “equal” mean here. He just says they are used to
describe some – as yet unspecified – relation on segments and angles. So the relations
are primitive and implicitly defined by axioms, just as with the primitives points, lines
and planes. And so until these axioms are spelled out, we must put our prior interpretations of “congruent” and “equal” aside, and treat these as uninterpreted symbols.
When it comes to proofs, we will follow the axioms only.
So to mechanise the introduction of these terms, we can use Isabelle to declare rather
than define a new named predicate. This predicate can then be referred to in our mechanised axioms. We are only required to give it a type.
Now presumably, we do not want a type that will constrain the possible interpretation
of the predicate. All such constraints are supposed to be given by Hilbert’s axioms
of congruence. So we might offer the most general type possible for a relation (or
two-place predicate):
consts congruent :: 'a ⇒ 'b ⇒ bool
The problem with this type is that it allows any kind of object to be an argument.
So while it allows us to ask whether two given segments are congruent, or whether
two given angles are congruent, it also allows us to ask whether a point is congruent
to an angle, or indeed, whether a point is congruent to a line. Given that we are
working in a higher-order logic, we can even ask whether the congruence predicate
itself is congruent to, say, the betweenness predicate! How would Hilbert answer such
questions? Perhaps always with the answer no. That is, statements such as “the line a
is congruent to the point P” are always false. But we would need an axiom to ensure
this. Since Hilbert never gives one, we cannot decide these statements – instead, there
is a gap in our theory.
In the foreword of the 10th edition of Foundations of Geometry [13], Goheen suggests
a different solution. He insists that “the relation of congruence said of line segments
must be primitive and yet distinguished from the primitive relation of congruence said
of angles.” Indeed, when Hilbert wrote “segments stand in a certain relation”, he
plausibly meant that segments and only segments stand in that relation. If this was
Hilbert’s intention, then Goheen is correct that there are two distinct relations here,
even if referred to by the same word. It must then be context which picks out the
particular relation when we use the words “congruent” and “equal”.
Plausibly then, Hilbert would have regarded a statement such as “the line a is congruent
to the point P” as a category mistake, much like the mistake in the statement “a plane
lies on a point”. And enforcing against category mistakes is exactly what we can do
with appropriate type restrictions. But if we rule out all the possible category mistakes,
we cannot overload “congruent” as Hilbert has done – at least not with Isabelle’s simple
type system. Instead, we must make Goheen’s point explicit: there are two distinct
relations here, so we give two distinct Isabelle declarations, with two distinct names,
congruent-segments and congruent-angles.
Two declarations were used in the original mechanisation, but Meikle gave a broad
type. Besides which, the mechanisation did not follow Hilbert’s definition of segments
exactly.
DEFINITION. Consider two points, A and B, on a line a. The set of the
two points is called a segment and will be denoted by AB or by BA. The
points between A and B are called the points of the segment AB, or are also
said to lie inside the segment.
Unlike those for congruence, these are properly-called definitions, since they introduce
a new name for an existing concept. Meikle did not explicitly mechanise this definition,
but instead, left the notion of segments implicit in the axioms. So the axiom
If a segment A′ B′ and a segment A′′ B′′ are congruent to the same segment AB, then the segment A′ B′ is also congruent to the segment A′′ B′′ , or
briefly, if two segments are congruent to a third one they are congruent to
each other.
was mechanised as
axioms AxiomIII2:
[[ A ≠ B; A' ≠ B'; A'' ≠ B'';
congruent-segments (segment A' B') (segment A B);
congruent-segments (segment A'' B'') (segment A B)
]] =⇒ congruent-segments (segment A' B') (segment A'' B'')
On first glance, the mechanisation appears close to the original, but in fact, the object
denoted by the term segment A B is not a segment as Hilbert defined it. According
to Hilbert, the correct value should just be the set {A, B}, but instead, Meikle had it
denote the set of A and B plus all the points in between.
constdefs
segment :: [pt, pt] ⇒ pt set
segment A B ≡ {X. A ≠ B ∧ (X = A ∨ X = B ∨ between A X B)}
Despite the difference, no inconsistencies are introduced, since Hilbert’s and Meikle’s
notion of segments determine each another. And admittedly, Hilbert gets confused on
these matters himself. Consider the following remark on page 11:
If a point H lies on h and a point K lies on k then the segment HK lies
entirely in the interior [of the angle ∠(h, k)]. [13]
According to his own definition, the segment HK is just the set {H, K}, so the above
remark is just plain incorrect – the points H and K in this case are not in the angle’s
interior, since the interior of ∠(h, k) excludes the whole of h and k. Now Hilbert is
more careful elsewhere, and so this is likely an isolated error. Indeed, looking back to
the definition of segments, what he should have said is only subtly different:
If a point H lies on h and a point K lies on k then the points of the segment
HK lie entirely in the interior [of the angle ∠(h, k)].
We now return to the types. Meikle chose for the congruence relation the type
consts congruent-segments :: [pt set, pt set] ⇒ bool
This type certainly disallows category mistakes such as “the line a is congruent to the
point P”, but it admits others such as “the set of points {A, B,C} is congruent to the
set of points forming the circle C ”. But, of course, if the first is a category mistake,
then we should not arbitrarily admit the second. The only reason to do so is because
point-sets are the most specific type Isabelle can infer, but this is just a technical issue.
We decided instead to give our relations a much more specific type, disallowing any
category mistakes by insisting that only segments can be said to be congruent. Again,
we believe this was Hilbert’s intention:
consts
congruent-segments :: segment ⇒ segment ⇒ bool
congruent-angles :: angle ⇒ angle ⇒ bool
We just need to add segment and angle types to our mechanised theory. Unfortunately,
HOL does not have a specific type for two-element sets which we could use as a synonym for the segment type. Instead, we must introduce an entirely new type, and do so
conservatively. Isabelle allows us to do this by exhibiting the domain of interpretation
for the new type. That is, the set of objects which the type represents, which in this
case is the set of all two-element point-sets. We are just required to prove that this set
is non-empty – since we are using a logic of non-empty domains – and we are then
conservatively provided with not only the type segment, but a constant for the domain
of interpretation and two new functions:
typedef segment = {{A, B} :: pt set |A B. A ≠ B}
consts
segment :: pt set set
Rep-segment :: segment ⇒ pt set
Abs-segment :: pt set ⇒ segment
theorem segment-def : segment ≡ {{A, B} :: pt set |A B. A ≠ B}
theorem Rep-segment: Rep-segment s ∈ segment
theorem Rep-segment-inverse: Abs-segment (Rep-segment s) = s
theorem Abs-segment-inverse: S ∈ segment =⇒ Rep-segment (Abs-segment S) = S
The constant segment is the domain of our new type – the set of all two element
point-sets – not to be confused with the type segment. The functions Rep-segment
and Abs-segment move us back and forth between objects of the new type to the corresponding representations in the domain.
This type has not only helped us make good sense of Hilbert’s definition of congruence,
but it also allows us to simplify statements involving the relation. For instance, in the
mechanisation of Axiom III,2, we no longer need to refer directly to points. In fact, we
can just mechanise Hilbert’s concise restatement of the axiom: “if two segments are
congruent to a third one they are congruent to each other.”
axioms AxiomIII2:
[[ congruent-segments S T;
congruent-segments S ′ T
]] =⇒ congruent-segments S S ′
Isabelle’s type inferencer will ensure that S, S′ and T are all segments. There is no
need to mention their endpoints explicitly, and no need to ensure that those endpoints
are distinct as in the original mechanisation. After all, if S, S′ and T are segments, their
endpoints must be distinct by definition. So we can lose the first three assumptions
from the original mechanisation. This is a general advantage with introducing types.
Without them, segments are merely instances of more general types satisfying certain
constraints. If we want to restrict our attention to segments as opposed to objects of the
general type, we must carry around those constraints as assumptions. In the case above,
the conditions were the distinctness of two endpoints. In other cases, the conditions are
more complicated, so much so that new predicates must be introduced. For instance,
when the notion of angle was mechanised, Meikle introduced the predicate
constdefs
angle :: pt set set ⇒ bool
angle A ≡ ∃ B C D. B ≠ C ∧ B ≠ D ∧ C ≠ D ∧
A={ray B C, ray B D} ∧
¬collinear{B,C,D}
Angles were typed as sets of point-sets, and variables denoting them were typed accordingly, so if we want to ensure that we are talking about angles specifically and not
other collections of point-sets, we need assumptions ensuring that this predicate is satisfied. It is the predicate, then, which tells us what an angle is, and so it must be carried
around everywhere we want to talk about angles.
Worse, the required mechanisation can easily lose sense of the prose. Here is how
Hilbert had defined angles:
DEFINITION. Let α be a plane and h, k any two distinct rays emanating from O in α and lying on distinct lines. The pair of rays h, k is called
an angle and is denoted by ∠(h, k) or by ∠(k, h).
The rays h, k are called the sides of the angle and the point O is called
the vertex of the angle.
Now compare our type-definition for these angles with the prose and with Meikle’s
mechanisation above.
typedef angle
= {{h, k} |h k O. emanates-from h O ∧ emanates-from k O ∧ line-of-ray h ≠ line-of-ray k}
Incidentally, note that we drop the redundant assumption about planes, since distinct
rays with a common point of emanation (from here on, start-point) will always be
planar. And we can drop the assumptions about distinct points, just as we did with
Axiom III,2. Those assumptions have effectively been incorporated into the types and
hidden by the type-inferencer. What we are left with is succinct and closely resembles
the non-redundant parts of Hilbert’s definition.
To summarise, introducing new types means we can disallow category mistakes, and
moves what would otherwise be bulky checks and conditions on more general kinds of
object into the type-system.
4.2 Rays
DEFINITION. Let A, A′ , O, B be four points of the line a such that O
lies between A and B but not between A and A′ . The points A, A′ are then
said to lie on the line a on one and the same side of the point O [...] The
totality of points of the line a that lie on one and the same side of O is
called a ray emanating from O.
The conciseness of our angle definition required the introduction of another type, this
time for rays. Without it, we would need extra conditions on h and k, asserting that
they satisfy Hilbert’s definition for rays above. But even without the advantages of conciseness, a new type is justified. It means Hilbert’s definition is mechanised explicitly,
rather than being implicit in the introduction of a new predicate or function.
Meikle left them implicit. For rays, she supplied a predicate and three functions
constdefs
samesides :: [pt, pt, pt] ⇒ bool
A A' samesides X ≡ collinear {A, A', X} ∧ ¬between A X A'
ray :: [pt, pt] ⇒ pt set
ray X A ≡ {P. X ≠ A ∧ (P = A ∨ between X P A ∨ between X A P)}
ray2 :: [pt, pt] ⇒ pt set
ray2 X A ≡ {P. A P samesides X}
ray3 :: pt ⇒ pt set
ray3 X ≡ {P. ∀ A A'. A ≠ A' ∧ A ≠ X ∧ A' ≠ X ∧
A A' samesides X ∧
P = A ∨ P = A' ∨ P = X}
All three functions map points to the point-sets which are the rays themselves. That
is, the term ray X A denotes the ray emanating from X and passing through A. But
note the mechanisation of samesides. It allows degenerate cases such as X X samesides
X and A X samesides X regardless of the chosen X and A. It is not clear if this was
Hilbert’s intention. The upshot is that ray X A and ray2 X A are actually different sets.
The first excludes X while the second does not.
Lastly, we should note that the definition of ray3 is an error. Remembering that conjunction takes precedence over disjunction, the universally quantified formula in the
set description consists of three disjuncts. The first disjunct asserts that A, A′ and X
are mutually distinct, that A and A′ lie on the same side of X, and that P is the point A. The second disjunct
asserts that P and A′ are the same point, while the final disjunct asserts that P and X are
the same point. Now suppose P = X. Then the last disjunct is true, and so the whole
disjunction is true, regardless of our choice of A and A′. Otherwise, if P ≠ X, we just
pick A and A′ distinct from both P and X, such that A, A′ and X are not collinear. Then
the first two disjuncts are false, and so the whole disjunction fails. It thus follows that
ray3 X = {X}. Clearly, this is wrong.
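To see concretely how the three functions differ, here is an added example (not from the thesis or from Meikle's theory files) that transcribes them into Python and evaluates them in a constructed finite model: integer grid points with Euclidean betweenness. The grid, the helpers `collinear` and `between`, and all function names are assumptions of this example, not definitions from the mechanisation.

```python
from itertools import product

# Constructed finite model (an assumption of this example, not the thesis's
# own code): points are integer grid coordinates with Euclidean betweenness.
GRID = [(x, y) for x, y in product(range(-2, 3), repeat=2)]


def collinear(points):
    """True when all the given points lie on one line (every cross product is 0)."""
    pts = list(points)
    if len(pts) < 3:
        return True
    a = pts[0]
    return all((b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0]) == 0
               for b, c in product(pts[1:], repeat=2))


def between(a, b, c):
    """Hilbert's strict betweenness: a, b, c distinct and collinear, b inside ac."""
    if len({a, b, c}) < 3 or not collinear({a, b, c}):
        return False
    return (b[0] - a[0]) * (c[0] - b[0]) + (b[1] - a[1]) * (c[1] - b[1]) > 0


# Meikle's three candidate definitions, transcribed literally from the thesis.
def samesides(a, a2, x):
    """A A' samesides X  ==  collinear {A, A', X} and not (between A X A')."""
    return collinear({a, a2, x}) and not between(a, x, a2)


def ray(x, a):
    """ray X A  ==  {P. X ~= A and (P = A or between X P A or between X A P)}."""
    return {p for p in GRID
            if x != a and (p == a or between(x, p, a) or between(x, a, p))}


def ray2(x, a):
    """ray2 X A  ==  {P. A P samesides X}."""
    return {p for p in GRID if samesides(a, p, x)}


def ray3(x):
    """ray3 X, read with conjunction binding tighter than disjunction, so the
    quantified body is (distinct and samesides and P = A) or P = A' or P = X."""
    def body(p, a, a2):
        return ((a != a2 and a != x and a2 != x and samesides(a, a2, x) and p == a)
                or p == a2 or p == x)
    return {p for p in GRID
            if all(body(p, a, a2) for a, a2 in product(GRID, repeat=2))}


def compare_rays(x, a):
    """Summarise how the three functions behave at the start-point X (X ~= A)."""
    r1, r2, r3 = ray(x, a), ray2(x, a), ray3(x)
    return {
        "ray_contains_start": x in r1,          # rays are open under `ray` ...
        "ray2_contains_start": x in r2,         # ... but closed under `ray2`
        "ray2_is_ray_plus_start": r2 == r1 | {x},
        "ray3_is_just_start": r3 == {x},        # the thesis's ray3 X = {X}
        "degenerate_samesides": samesides(x, x, x) and samesides(a, x, x),
    }
```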
Rays are not mentioned again until Group III, where Meikle chooses the first function
to reason about them, thereby assuming that rays should not contain their start-points.
Was this Hilbert’s intention? The matter could be resolved if we knew whether the
predicate samesides should be true in those degenerate cases when the three points in
question are not mutually distinct. If we accept that whenever Hilbert introduces variables, he implicitly assumes distinctness, then we have no definite answer. However,
we are told
1. [E]very point of a line partitions it into two rays.
2. Two angles that have a vertex and one side in common and whose separate sides form a line are called supplementary angles.
If start-points are excluded, leaving rays open, then the rays which are an angle’s sides
cannot form a line, because the common start-point would be missing, contradicting
2. And for the same reason, lines would not be partitioned into rays, contradicting 1.
On the other hand, if the start-point is included, we still lack a partition in the sense of
two separate sets. On either understanding, 1 is strictly incorrect.
If there is a partitioning on account of samesides, then there must be an equivalence
relation here. So to mechanise Hilbert’s observation, we should prove this. It can be
done, but only if we allow a single degenerate case, that a point is always on the same
side as itself, and so we redefine our predicate as follows:
same-side :: pt ⇒ pt ⇒ pt ⇒ bool
same-side E A B ≡ E ≠ A ∧ E ≠ B ∧ collinear {E, A, B} ∧ ¬between A E B
Moreover, by thinking about this partitioning more abstractly, a generalisation is obvious. Hilbert defined a ray in terms of partitioned lines (minus the common start-point),
but of course, it is actually the entire space minus the common start-point that is partitioned – into an infinity of rays, each one emanating from that common point. A
proof of this partitioning breaks down into three theorems which, together, show that
the curried relation same-side E is an equivalence relation on the set of all points other
than E.
axioms
AxiomII1a: between A B C =⇒ A ≠ B ∧ A ≠ C ∧ B ≠ C
AxiomII1c: between C B A =⇒ between A B C
theorem same-side-refl [simp]:
assumes A ≠ E
shows same-side E A A
using assms and AxiomII1a unfolding same-side-def by auto
theorem same-side-sym:
assumes same-side E B A
shows same-side E A B
using AxiomII1c[of A E B] and assms unfolding same-side-def by auto
theorem same-side-trans:
assumes same-side E A B
same-side E B C
shows same-side E A C
The first two theorems were trivial, both demonstrable without an explicit proof. The
third theorem was not. It requires several case splits and some careful reasoning
concerning how the four points are ordered on a line, using theorems 4 and 5 from
Group II, as Hilbert no doubt knew since the definition follows the theorems.
Each point E will give rise to its own set of equivalence classes under the relation
same-side E. The union of all these sets is the set of all possible rays. We can succinctly
express this as
typedef ray = {{P. same-side E A P} |E A. A ≠ E}
Now while this is more general than Hilbert’s definition, it is also weaker. The above
definition does not immediately tell us, as Hilbert did, that a line is partitioned into
exactly two rays, nor does it tell us that two rays (and their common start-point) form
a line. We will deal with this omission in due course.
4.3 Abstraction
The introduction of new types requires some laborious mechanisation. For our ray
type, Isabelle initially only provides us with the theorems Abs-ray and Rep-ray to
move us back and forth between objects of the new type and their representations
as point-sets. These are inadequate for our purposes. Indeed, they just unfold the type-definition. For readability and expressive power, we want to avoid the underlying
representations whenever possible. Instead, we want to introduce a new set of rules
and theorems, which may eventually do for segments, rays and angles what Hilbert’s
axioms do for points, lines and planes.
First, we deal with the rest of Hilbert’s definitions:
DEFINITION. Consider two points, A and B, on a line a. The set of the
two points is called a segment, and will be denoted by AB or BA. The
points between A and B are called the points of the segment AB, or are
also said to lie inside the segment AB. The points A, B are called the end
points of the segment AB. All other points of the line a are said to lie
outside the segment AB.
constdefs
the-segment :: pt ⇒ pt ⇒ segment
the-segment A B ≡ Abs-segment {A, B}
endpoints :: segment ⇒ pt set
endpoints ≡ Rep-segment
inside :: segment ⇒ pt ⇒ bool
inside S P ≡ ∃ A B. endpoints S = {A, B} ∧ between A P B
outside :: segment ⇒ pt ⇒ bool
outside S P ≡ ∃ A B. endpoints S = {A, B} ∧ collinear {A, B, P} ∧ ¬between A P B
Notice that Hilbert’s notion of endpoints and his use of the notation AB, mechanised
here by endpoints and the-segment, turn out to be just thin wrappers over the segment
representation.
Before continuing, we should remark that, when mechanising the proof of a theorem
in Group IV, it became apparent that a seemingly trivial theorem was missing: that
rays have unique start-points. The proof is likewise omitted from Hilbert’s prose, and
it might be the author’s oversight.
Rays are introduced with:
The totality of points of the line a that lie on one and the same side of O is
called a ray emanating from O.
Notice that this definition does not immediately tell us that rays have just one start-point. For instance, it might be that a ray emanates from both O and O′, being a set
of points on the line a which are on the same side of both O and O′. The next time he
mentions rays, Hilbert seems to be mindful of this fact:
Let α be a plane and h, k any two distinct rays emanating from O in α
and lying on distinct lines. The pair of rays h, k is called an angle and is
denoted by 6 (h, k) or by 6 (k, h).
This definition still does not immediately entail that rays have unique start-points.
Again, while h and k must emanate from O, they could also emanate from elsewhere.
However, Hilbert continues
The rays h, k are called the sides of the angle and the point O is called the
vertex of the angle.
Suddenly, Hilbert uses the definite article “the vertex”, which implies that vertices
are unique. But, in turn, this implies that the start-points of rays are unique. This is
certainly a fact, but there is no prior mention of it. Instead, Hilbert may have carelessly
shifted from indefinite to definite descriptions when moving from talk of start-points to
talk of vertices. The move is invalid, unless we have a theorem to justify the uniqueness
of both.
Now it is not an entirely simple matter that ray start-points are unique, and it was
not proven in Meikle’s mechanisation. In Meikle’s mechanisation, it would require
showing that
ray E A = ray E' B =⇒ E = E'
We produced a proof for this, but it was complex and confusing, requiring careful
argumentation concerning various chosen points on the rays and reasoning about their
mutual betweenness. However, we have now abandoned the original definition of rays,
and instead defined them as a partition imposed by same-side E. Consequently, the
proof becomes substantially simpler, its theorem can be stated more elegantly, and it
can be given a distinguished place in our suite of rules for the abstractions. Before
giving these rules, we define the following functions and predicates:
line-meets-segment :: line ⇒ segment ⇒ bool
line-meets-segment a S ≡ ∃ P. inside S P ∧ on-line P a
on-ray :: pt ⇒ ray ⇒ bool
on-ray P h ≡ P ∈ Rep-ray h
emanates-from :: ray ⇒ pt ⇒ bool
emanates-from h E ≡ ∃ A. ∀ P. on-ray P h ←→ same-side E A P
start-point :: ray ⇒ pt
start-point h ≡ THE E. emanates-from h E
line-of-ray :: ray ⇒ line
line-of-ray h ≡ THE a. ∀ P. on-ray P h −→ on-line P a
the-ray :: pt ⇒ pt ⇒ ray
the-ray E A ≡ THE h. on-ray A h ∧ start-point h = E
Notice that the function start-point is defined using the definite description operator,
and so HOL will force us to prove the satisfiability and uniqueness of the description.
Both are given by the theorem
theorem start-points-are-unique:
shows ∃!E. emanates-from h E
The theorems which govern these functions should be taken to capture their semantics
implicitly – much as Hilbert’s axioms do for the primitive notions – while providing
useful rules for reasoning more abstractly about rays and segments. The suite of theorems has grown organically as we run through proofs and realise a particular rule
would be convenient, and we expect to find more as the mechanisation progresses.
Here is a selection:
theorem rays-are-open :
shows ¬on-ray (start-point h) h
theorem start-point-on-line:
shows on-line (start-point h) (line-of-ray h)
theorem ray-equality:
assumes ∀ P. on-ray P h ←→ on-ray P h'
shows h = h'
theorem ray-equality2:
assumes same-side E A B
shows the-ray E A = the-ray E B
theorem point-on-ray:
obtains A where on-ray A h
corollary start-point:
assumes on-ray A h
shows ∀ P. on-ray P h ←→ same-side (start-point h) A P
theorem the-ray:
assumes on-ray A h
shows h = the-ray (start-point h) A
theorem line-of-ray [simp]:
assumes A ≠ E
shows line-of-ray (the-ray E A) = line-of E A
The first two theorems remind us that rays are collinear with their start-points but do
not contain them. The next two equality theorems tell us that rays are defined entirely
by the points on them, and that points on the same side of a start-point determine the
same ray. Next, we are told there is at least one point on a ray, and then that rays can
be defined in terms of: this point, the same-side relation, and the start-point. Next, the
function the-ray is explained and the question of whether the definite description refers
to a definite object is settled. Finally, we have a means to move from the complex notation line-of-ray (the-ray E A) to the simpler notation line-of E A, for which we already
have an established suite of rules. Since the simpler notation is always preferred, this
rule can be added to the simplifier.
We would like to see as many of Hilbert’s definitions mechanised as new types, not
only for consistency, but because of the advantages we have seen in terms of abstraction, conciseness and the explicitness of introducing them. This may not generally
be possible however, since, in Isabelle, we are limited to simple types. For instance,
we might have preferred to have a distinct type for each set of rays emanating from a
distinct point, but Isabelle’s type system will not allow this. Had it been possible, Isabelle would have helped us create our new types automatically as sets of equivalence
classes, leading to a slightly more compact formulation.
There is a further advantage to abstraction, one which will be familiar to programmers:
abstractions make our representation easier to change. For instance, we originally
defined the same-side relation as
same-side :: pt ⇒ pt ⇒ pt ⇒ bool
same-side E A B ≡ E ≠ A ∧ (A = B ∨ between E A B ∨ between E B A)
Our new mechanisation is equivalent, but only in virtue of Theorem 4 and the axioms
of Group II. By the time we made the revision (to bring the mechanised version closer
to Hilbert’s prose), we already had a complete set of theory files making use of the
relation. Fortunately, we only had to update a few proofs. These were the proofs of
theorems defining the most basic semantics of the same-side relation, and it was these
only which directly unfolded the definition above. All other proofs used the basic
theorems, and so did not depend directly on the definition. When the representation
changed, abstraction had made them immune from the consequences.
Finally, we return to the question of how rays can form a line. As we remarked earlier, if rays are open, this is not strictly true. Instead, it is two collinear rays and their
common start-point that form a line. The proof is not entirely trivial, and again, requires
careful reasoning concerning betweenness. However, a more general result can
be pulled out to make life easier: given three points, collinear with, but distinct from,
a fourth, at least two of the three must lie on the same side of the fourth.
theorem same-side-trichotomy:
assumes collinear {A, B, C, E}
A ≠ E B ≠ E C ≠ E
shows same-side E A B ∨ same-side E A C ∨ same-side E B C
This hides the reasoning concerning betweenness, and is an interesting result besides.
Now our theorem that rays form lines is split into two parts. First we show that if a
point P lies on the line of two collinear rays sharing a start-point, then P either is the
start-point, or it lies on one of the two rays. That is, the points of a line are exhausted
by two rays and their common start-point. Next, we show there are at least two distinct
rays on a line. Then the fact that a line minus the start-point is partitioned into two rays
emanating from that start point is shown implicitly, by considering the additional fact
that rays partition the whole space (minus the start-point).
theorem rays-form-lines:
assumes
h ≠ k
line-of-ray h = line-of-ray k
start-point h = start-point k
on-line P (line-of-ray h)
shows P = start-point h ∨ on-ray P h ∨ on-ray P k
theorem two-rays-on-a-line:
assumes on-line E a
obtains h and k where h ≠ k line-of-ray h = line-of-ray k start-point h = E
and start-point k = E
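The revised same-side relation of Section 4.2 and the two theorems just stated can be checked in a constructed finite model; the following Python is an added example, not code from the thesis or its theory files. It confirms that same-side E is an equivalence relation on the points other than E, builds the rays as its equivalence classes, and checks that every line through E, minus E itself, is exactly two such rays. The grid, the Euclidean betweenness, the helper names and the choice of E at the origin (so that each line through E has model points on both of its sides) are assumptions of the example.

```python
from itertools import combinations, product

# Constructed finite model (an assumption of this example, not the thesis's own
# code): the integer grid -2..2 squared with Euclidean betweenness. E is fixed at
# the origin so that every line through E has model points on both of its sides.
GRID = [(x, y) for x, y in product(range(-2, 3), repeat=2)]
ORIGIN = (0, 0)


def collinear(points):
    """True when all the given points lie on one line (every cross product is 0)."""
    pts = list(points)
    if len(pts) < 3:
        return True
    a = pts[0]
    return all((b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0]) == 0
               for b, c in product(pts[1:], repeat=2))


def between(a, b, c):
    """Hilbert's strict betweenness: a, b, c distinct and collinear, b inside ac."""
    if len({a, b, c}) < 3 or not collinear({a, b, c}):
        return False
    return (b[0] - a[0]) * (c[0] - b[0]) + (b[1] - a[1]) * (c[1] - b[1]) > 0


def same_side(e, a, b):
    """The revised relation of Section 4.2:
    same-side E A B == E ~= A and E ~= B and collinear {E, A, B} and not between A E B."""
    return e != a and e != b and collinear({e, a, b}) and not between(a, e, b)


def is_equivalence_relation(e):
    """same-side-refl, -sym and -trans, checked over the model points other than E."""
    pts = [p for p in GRID if p != e]
    refl = all(same_side(e, a, a) for a in pts)
    sym = all(same_side(e, a, b) == same_side(e, b, a)
              for a, b in product(pts, repeat=2))
    trans = all(not (same_side(e, a, b) and same_side(e, b, c)) or same_side(e, a, c)
                for a, b, c in product(pts, repeat=3))
    return refl and sym and trans


def rays_from(e):
    """The equivalence classes {P. same-side E A P} for A ~= E: the rays emanating
    from E. Their union over every E is the domain of the typedef for ray."""
    return {frozenset(p for p in GRID if same_side(e, a, p)) for a in GRID if a != e}


def line_through(e, a):
    """Model points on the line E A (for E ~= A)."""
    return frozenset(p for p in GRID if collinear({e, a, p}))


def rays_form_line(e, a):
    """rays-form-lines and two-rays-on-a-line in the model: the line E A minus E is
    the disjoint union of exactly two rays emanating from E, neither containing E."""
    line = line_through(e, a)
    on_line = [h for h in rays_from(e) if h <= line]
    disjoint = all(h.isdisjoint(k) for h, k in combinations(on_line, 2))
    covers = frozenset().union(*on_line) == line - {e}
    open_rays = all(e not in h for h in on_line)          # rays-are-open
    return len(on_line) == 2 and disjoint and covers and open_rays
```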
4.4 Concluding remarks
In this chapter, we have discussed reasons for introducing new types. Firstly, they
disallow badly-typed formulas which we would recognise as category mistakes. Secondly,
the type-definitions themselves correspond exactly with Hilbert’s own definitions of objects such as segments and angles. And finally, they allow us to mechanise
various statements much more concisely. We noted, however, that new type definitions
require us to introduce new functions, predicates and rules to govern them. That way,
they can be used conveniently as abstractions.
We focused on the ray type, showing how it can be defined in terms of an equivalence
relation, generalising Hilbert’s own definition. We have evidence that Hilbert had overlooked a proof that rays have unique endpoints, and that generally, he could have given
a more thorough-going and precise analysis of the notion of rays, such as by carefully
defining what it means for “rays to form a line” and stating whether or not rays contain
their endpoints. In the next chapter, we will offer more evidence that Hilbert could
have been more thorough in his exposition.
Chapter 5
Revising Group III
Group III is the largest of the three groups, comprising a total of nineteen theorems,
most of them in turn requiring planar constructions and dealing with complex objects
such as triangles and the angles they form. At most, only the first seven theorems
had been mechanised, and this was insufficient for the original project aims. The
theorems of Group IV depend on later theorems in Group III, which likewise depend
on earlier theorems. As such, it was essential that we return to this group to continue
the mechanisation work.
We identify errors in Meikle’s mechanisation which compromise the existing mechanised theorems and we show that recovering those proofs requires a good deal of
exposition about half-planes and their relation to rays.
5.1 Corrections
It is in Group III that angles are first defined in terms of two rays emanating from the
same point. With this definition, Hilbert can give the fourth axiom:
DEFINITION. Angles stand in a certain relation to each other, and for the
description of which the word “congruent” or “equal” will be used.
III,4. Let ∠(h, k) be an angle in the plane α and a′ a line in a plane α′ and
let a definite side of a′ in α′ be given. Let h′ be a ray on the line a′ that
emanates from the point O′. Then there exists in the plane α′ one and only
one ray k′ such that the angle ∠(h, k) is congruent or equal to the angle
∠(h′, k′) and at the same time all interior points of the angle ∠(h′, k′) lie on
the given side of a′.
There are two new ideas here. Firstly, we have the notion of “a definite side of a′”. Secondly, we have “interior points” of an angle. Neither is a primitive in Hilbert’s treatise,
so they are both defined in simpler terms. The first notion is defined in Group II:
THEOREM 8. Every line a that lies in a plane α separates the points which
are not [on the line a] into two regions with the following property: Every
point A of one region determines with every point B of the other region a
segment AB on which there lies a point of the line a. However any two
points A and A′ of one and the same region determine a segment AA′ that
contains no point of a.
DEFINITION. The points A,A′ are said to lie in the plane α on one and
the same side of the line a[.]
The idea is similar to that behind our same-side relation with which we define rays. Indeed, while same-side partitioned the space into rays, Hilbert’s new relation partitions
the space into half-planes. Interestingly, Hilbert felt the partitioning into half-planes
warranted an explicit theorem, while the fact that lines are partitioned into rays was
left as a minor consequence of his definitions. Perhaps Hilbert was indicating that the
first fact is more difficult to prove.
Meikle did not have a completed proof of Theorem 8, but in Group III, she did mechanise the idea of Hilbert’s regions (more accurately half-planes):
constdefs
  region-of-plane :: [plane, line] ⇒ pt set
  region-of-plane α a ≡ SOME r. ∀ A B. A ≠ B ∧
                                       in-plane A α ∧
                                       in-plane B α ∧
                                       line-on-plane a α ∧
                                       ¬line-meets-seg a A B
                                       ⟶ A ∈ r ∧ B ∈ r
As with segments and rays, Meikle used a set of points to represent a half-plane, rather
than a new type. But then Hilbert has no relations peculiar to half-planes, so there are
no concerns over category mistakes regarding them, nor does he explicitly define the
notion. So a new type is not clearly justified based on the ideas in the last chapter, and
following Meikle, we have kept regions and half-planes as point-sets.
So to mechanise the phrase “a definite side of a” in Axiom III,4 (page 49), Meikle
used the above function. The values of this function are indeed half-planes (so long as
sensible arguments are given). There are only two arguments here: a line and a plane.
But we know that a line on a plane bounds exactly two half-planes. This is why Meikle
had to use the indefinite description operator SOME to arbitrarily pick one.
The mechanisation is almost certainly flawed. Hilbert’s phrase talks of a definite side
and so his axiom applies to both, not a single, indefinite one. Indeed, the first proof to
use Axiom III,4 most certainly uses a definite side of the line.
A similar phrase appears in Axiom III,1 where Hilbert talks of a “given side of the line
a′ ”:
III,1. If A, B are two points on the line a, and A′ is a point on the same or
another line a′ then it is always possible to find a point B′ on a given side
of the line a′ through A′ such that the segment AB is congruent or equal to
the segment A′ B′ .
Meikle mechanised this as
axioms AxiomIII1:
  [[ A ≠ B; on-line A a;
     on-line B a; on-line A ′ a ′
  ]] =⇒ ∃ B ′ C ′. on-line B ′ a ′ ∧ on-line C ′ a ′ ∧
                  between C ′ A ′ B ′ ∧
                  congruent-segments (segment A B) (the-segment A ′ B ′) ∧
                  congruent-segments (segment A B) (the-segment A ′ C ′)
This mechanised axiom asserts that, given a point A′ on a line, and a segment AB, there
are two segments sharing the endpoint A′ and congruent with AB. So for consistency,
Meikle should have had Axiom III,4 asserting the existence of two angles, one on each
half-plane bounded by a′ , not one angle on an indefinite side.
Next, we have the notion of an angle’s interior. This is defined in Group III:
Let the ray h lie on the line [h] and the ray k on the line k. The rays h and k
together with the point O partition the points of the plane into two regions.
All points that lie on the same side of [k] as those on h, and also those that
lie on the same side of h as those on k, are said to lie in the interior of the
angle ∠(h, k). All other points are said to lie in the exterior of, or outside,
the angle.
Meikle mechanised the notion of an angle’s interior with a function, this one returning
a point-set region.
constdefs
interior-angle :: pt set set ⇒ pt set
interior-angle Ang ≡ {P. ∃ h k. ∀ A B.
pt-on-ray A h ∧
pt-on-ray B k ∧
angle Ang ∧ Ang = {h,k} ∧
between A P B }
Note that this looks very different to Hilbert’s definition. Firstly, it makes no mention
of the sides of a line, perhaps because Meikle did not have a correct mechanisation of
this concept. Moreover, it is incorrect. The two universal quantifiers above should be
existential quantifiers:
constdefs
interior-angle :: pt set set ⇒ pt set
interior-angle Ang ≡ {P. ∃ h k A B.
pt-on-ray A h ∧
pt-on-ray B k ∧
angle Ang ∧ Ang = {h,k} ∧
between A P B }
Even so, while this is provably equivalent to Hilbert’s definition, it is not intensionally
equivalent. Admittedly, Hilbert effectively points out that interior points on the first
definition are interior points according to the second, but he does not explicitly claim
the converse.
I would suggest that Meikle’s error arose because she was juggling five conjuncts and
four quantifiers. Had she had an angle type, the two existential quantifiers and the
conjuncts angle Ang and Ang = {h,k} could have been omitted, making the definition
easier to mechanise. In any case, the error means that her function interior-angle
always maps to the empty set! The consequences of this become clearer when we read
the mechanisation of Axiom III,4:
constdefs
angle-in-region :: [ pt set set, pt set] ⇒ bool
angle-in-region A R ≡ ∃ h k. ∀ X∈interior-angle A.
A={h,k} ∧
angle A ∧
X∈R
axioms AxiomIII4:
[[ angle-in-plane {h,k} α ;
line-on-plane a ′ α ′;
ray-on-line h ′ a ′
]] =⇒ ∃ ! k ′. angle-in-region {h ′, k ′} (region-of-plane α ′ a ′) ∧
congruent-angles {h,k} {h ′,k ′}
The predicate angle-in-region asserts that the supplied set of point-sets A constitute an
angle – a set of two rays with common start-points lying on distinct lines – and then
asserts that all points in the set interior-angle A are points in the supplied region R.
But we now know that interior-angle A is empty, so this last matter is always trivially
settled. Furthermore, the claim that A is an angle has been placed inside the universal
quantifiers, so angle-in-region A R will always be true, whether or not A actually is an
angle. We should note here that the issue of region-of-plane failing to specify a definite
region, while still an error, is rendered irrelevant by the larger one.
The upshot is that we have mechanised Axiom III,4 without the final clause “and at the
same time all interior points of the angle ∠(h′, k′) lie on the given side of a′”. In turn,
this means we can no longer interpret congruent-angles as the angle congruence of
Euclidean geometry. This may not introduce any inconsistency however, and indeed,
we might still be able to give the axioms some interpretation. Meikle could even continue a substantial amount of further mechanisation, thereby not noticing the error. But
eventually, we will find that certain constructions and definitions will be impossible.
For instance, we cannot even define right-angles.
Worse, the existing proofs have been compromised. For instance, the proof of Theorem 12, which Meikle commented was already “incredibly difficult in Isabelle”, was
in fact much simpler than it would otherwise have been, since all the complex reasoning concerning interior angles and their relations to half-planes was made irrelevant
by incorrect definitions of both of these terms. In fact, Meikle and Fleuriot stated
that their proof was made difficult partly because it “required obtaining the fact that
∠B′A′C′ and ∠B′A′D′ lay [...] in the same region”, but with the definitions above, it is
possible to prove this fact all too trivially.
The rest of this chapter discusses the correct proof of Theorem 12 and a second critical
theorem not in Meikle’s mechanisation: the uniqueness of segment construction. Both
proofs rely on a tricky argument that we could extract as a lemma. Using this lemma,
the proofs of uniqueness of segment construction and Theorem 12 become remarkably
short. But even to get this far, we needed to prove a large number of important facts
concerning half-planes and angle interiors:
5.2 Half-planes
We mechanised the relation which gives rise to half-planes as
constdefs
same-half-plane :: line ⇒ pt ⇒ pt ⇒ bool
same-half-plane a A B ≡ ¬on-line A a ∧ ¬on-line B a
∧ (A = B ∨ (∃ α. line-on-plane a α ∧ in-plane A α ∧ in-plane B α)
∧ ¬line-meets-segment a (the-segment A B))
The complex set of clauses in this definition ensures that a, A and B are planar, but that
A and B do not lie on a. These are required for the relation to hold. The most important
clause requires that a does not meet the segment AB, as per Hilbert’s definition. But
notice we have an additional clause explicitly allowing A and B to be equal. While this
is not part of Hilbert’s definition, it ensures a derived relation is reflexive, as we had
with same-side E in the last chapter. It would be nice if we had abstractions to make
this read more concisely, but alas, we could not even appeal to our planar predicate:
this predicate is not defined for sets of both points and lines.
Hilbert says the relation separates the plane into regions (half-planes). Again, we can
generalise, and say that the relation separates the whole space minus the line into an
infinity of half-planes in space bounded by that line. Half-planes are then just two-dimensional analogues of rays. To demonstrate this, we must prove that the (curried)
relation same-half-plane a is an equivalence relation on the whole space minus a.
theorem same-half-plane-refl [simp]:
assumes ¬on-line A a
shows same-half-plane a A A
using assms unfolding same-half-plane-def by simp
theorem same-half-plane-sym:
assumes same-half-plane a B A
shows same-half-plane a A B
using assms and segment-symmetry unfolding same-half-plane-def by auto
theorem same-half-plane-trans:
assumes same-half-plane a A B
and same-half-plane a B C
shows same-half-plane a A C
As we can see, reflexivity and symmetry are trivial. We did not even need an explicit
proof, just the automatic tactics. But as with rays, transitivity was more challenging.
Here is what we must prove: suppose we have three points A, B and C planar with but
not on the line a. Then, if a does not pass through AB or BC then it cannot pass through
AC. We prove this by proving the equivalent statement: if a passes through AC, then it
must pass through either AB or BC.
There is an interesting case-split here. Suppose A, B and C form a triangle. According
to Axiom II,4, if a line enters a triangle, it must leave it. So if the line a enters at AC it
must leave either at AB or BC. So this is easily dealt with. If, on the other hand, A, B
and C are collinear, then we cannot appeal to this axiom, but must instead reason about
segments on a line. And to do this, we found we needed the following lemmas:
lemma segment-add:
assumes between A ′ B ′ C ′
and between A ′ P B ′ ∨ between B ′ P C ′
shows between A ′ P C ′
lemma segment-add-converse:
assumes between A ′ B ′ C ′
and between A ′ P C ′
shows B ′ = P ∨ between A ′ P B ′ ∨ between B ′ P C ′
Though we have not expressed this directly in terms of betweenness, we can say the
common assumption here is that the segments A′ B′ and B′C′ lie on a line and are
joined at the common point B′ . The first says that if a point lies inside either of A′ B′ or
B′C′ , then it lies inside A′C′ . The second says that if a point lies inside A′C′ , then it lies
inside A′ B′ or B′C′ or is the point B′ itself. Hence, the points of A′ B′ and B′C′ together
with B′ are exactly the points of the segment A′C′ . In other words, the segments A′ B′
and B′C′ add to make the segment A′C′ .
So to prove that a meeting AC implies that it meets either AB or BC, we have three
cases to consider. Which of A, B and C lies between the other two? Then we just
use an appropriate lemma from the above. Here is a cut-down extract from the proof,
showing the case-split
have between B A C =⇒ between B P C using segment-add[of B A C P] by blast
moreover have between A C B =⇒ between A P B using segment-add[of A C B P] by blast
moreover have between A B C =⇒ B = P ∨ between A P B ∨ between B P C using
segment-add-converse by simp
Interestingly, Hilbert makes no mention of what is needed to justify Theorem 8. It
seems he was probably aware of the required assumptions, since the theorem follows
his major results on betweenness. But elsewhere, he at least mentions the key axioms
or results that justify his theorems. He could have at least mentioned transitivity, and
that Axiom III,4 specifically is needed to prove this property. It is somewhat inconsistent that he did not. In Group III, for instance, he explicitly mentions that segment
congruence is reflexive, and explicitly uses “symmetry” and “transitivity”, and even
expresses the facts symbolically. But the proofs are entirely trivial, far more so than
the one above, so we cannot explain the omission by saying Hilbert thought it too
“obvious”.
We would argue instead that a consistent exposition should give due attention, as we
have, to the fact that same-half-plane is an equivalence relation. And at the very least,
it should clarify that a point A can always be said to lie on the same half plane as itself,
else we cannot guarantee reflexivity. We had the same problem with the definition of
rays.
We should note that our generalisation in the statement of Theorem 8 has weakened
it again. We have not proven that our relation partitions the plane minus the line into
exactly two half-planes. While we need these facts to complete Group II, we did
not have time to prove them. Besides, they are not required for our current goals in
Group III, which is the focus of this chapter.
The question now is whether we introduce a half-plane type in terms of the equivalence
classes, just as we did for the ray type. If we look again at Axiom III,4, we notice the
phrase “a definite side of a′ ”. This definite side is a half-plane. So we could introduce
a half-plane type as we did for rays, and thus have our definite side of a′ expressed as
a term of this type.
But Hilbert explicitly introduces rays, and as we saw in the last chapter, they are very
important objects, needed to define and reason about angles. It is not clear that half-planes would be so useful as objects in their own right, so rather than complicate our
theory with a possibly unneeded type and the requisite rules to govern it, we decided
instead to identify half-planes with any given point on them. That is, instead of talking
about the half-plane that is the equivalence class [P], we just talk directly about P. In
a sense, we use P to point to the half-plane we are interested in.
5.3 Axiom III,4
We can now mechanise Hilbert’s axiom
axioms AxiomIII4a:
  ¬on-line A (line-of-ray h ′) =⇒ ∃ !k ′. rays-form-an-angle h ′ k ′
    ∧ congruent-angles hk (with-sides h ′ k ′)
    ∧ (∀ P. interior (with-sides h ′ k ′) P ⟶ same-half-plane (line-of-ray h ′) A P)
Note that we have dropped a number of redundant assumptions from Hilbert’s original.
In particular, we have not mentioned the planes α and α′ . This is because the angle
hk uniquely determines α, and the point A and the ray h′ uniquely determine α′ . Furthermore, we have removed any mention of a′ . Rays lie on exactly one line, so when
Hilbert asserts that the ray h′ lies on a′ , we can express this as line-of-ray h ′ = a ′ and
just refer to the line using the left-hand side of the equality.
Our idea of using a point to pick out a half-plane allowed us to revise the mechanisation
of Axiom III,1. Recall Hilbert’s phrase “a given side of the line a′ ”, which Meikle
avoided by having the axiom assert the existence of two segments rather than one. We,
on the other hand, keep to the singular of Hilbert’s prose:
III,1. If A, B are two points on the line a, and A′ is a point on the same or
another line a′ then it is always possible to find a point B′ on a given side
of the line a′ through A′ such that the segment AB congruent or equal to
the segment A′ B′ .
axioms
  AxiomIII1: A ≠ C =⇒ ∃ B. same-side A B C ∧ congruent-segments S (the-segment A B)
We have identified the given side of the line using the same-side relation and a point,
C, just as we identified the given half-plane in Axiom III,4 using the same-half-plane
relation and another point.
Incidentally, we could again remove substantial redundancy: we do not need any mention of the lines a and a′ , nor the points A and B, and our use of the segment type has
enabled us to drop one of Meikle’s assumptions.
There are a few new predicates and functions introduced in our mechanisation of Axiom III,4, the definitions of which we now give:
constdefs
  rays-form-an-angle :: ray ⇒ ray ⇒ bool
  rays-form-an-angle h k ≡ line-of-ray h ≠ line-of-ray k ∧ start-point h = start-point k

  sides :: angle ⇒ ray set
  sides hk ≡ Rep-angle hk

  with-sides :: ray ⇒ ray ⇒ angle
  with-sides h k ≡ THE hk. sides hk = {h, k}

  the-angle :: pt ⇒ pt ⇒ pt ⇒ angle
  the-angle A B C ≡ THE hk. sides hk = {the-ray B A, the-ray B C}

  interior :: angle ⇒ pt ⇒ bool
  interior hk P ≡ ∃ h k. sides hk = {h, k}
                  ∧ (∀ Q. on-ray Q h ⟶ same-half-plane (line-of-ray k) P Q)
                  ∧ (∀ Q. on-ray Q k ⟶ same-half-plane (line-of-ray h) P Q)
An angle is just an (unordered) pair of rays, which are the angle’s sides. So the sides
function is just a synonym for an angle’s representation.
The predicate rays-form-an-angle matches Hilbert’s definition of angles and our definition of the
angle type, and so guarantees that with-sides will refer to a definite object. We have
also provided the-angle A B C to mechanise the notation ∠ABC. Finally, we have the
crucial definition of an angle’s interior, correctly mechanised in terms of half-planes
rather than segments, and structurally very similar to Hilbert’s prose.
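As an added example that is not part of the thesis or its Isabelle theory, the following Python script instantiates the same-half-plane relation of section 5.2 and the angle definitions just given in the ordinary coordinate model of the Euclidean plane, and checks on constructed sample points the properties the chapter proves axiomatically: that same-half-plane a is an equivalence relation off the line a, that a ray emanating from a point of a stays inside one half-plane bounded by a (theorem same-side-same-half-plane), that interior points lie in the half-plane of the other side (theorem interior-side), and that Hilbert's half-plane definition of the interior agrees with the corrected betweenness definition of section 5.1. The integer-coordinate representation, the function names and the sample angle are this example's own assumptions; it is a model-level sanity check of the definitions, not a proof from Hilbert's axioms.

```python
"""Coordinate model of the thesis's half-plane and angle-interior definitions.

Constructed example, not the thesis's Isabelle text: points are integer pairs
in the Euclidean plane, a line is a pair of distinct points, and all arithmetic
is exact, so each check below is decisive on the sample points it runs over.
"""
from itertools import product

Point = tuple[int, int]
Line = tuple[Point, Point]

def cross(u: Point, v: Point) -> int:
    return u[0] * v[1] - u[1] * v[0]

def dot(u: Point, v: Point) -> int:
    return u[0] * v[0] + u[1] * v[1]

def sub(p: Point, q: Point) -> Point:
    return (p[0] - q[0], p[1] - q[1])

def on_line(P: Point, a: Line) -> bool:
    Q, R = a
    return cross(sub(P, Q), sub(R, Q)) == 0

def between(A: Point, P: Point, B: Point) -> bool:
    """Hilbert's betweenness: P lies strictly inside the segment AB."""
    return cross(sub(P, A), sub(B, A)) == 0 and dot(sub(P, A), sub(B, P)) > 0

def side(P: Point, a: Line) -> int:
    """-1, 0 or +1: which side of a the point P lies on (0 means on a)."""
    Q, R = a
    s = cross(sub(R, Q), sub(P, Q))
    return (s > 0) - (s < 0)

def line_meets_segment(a: Line, A: Point, B: Point) -> bool:
    """Some point of a lies strictly between A and B (A != B assumed)."""
    sA, sB = side(A, a), side(B, a)
    return sA * sB < 0 or (sA == 0 and sB == 0)

def same_half_plane(a: Line, A: Point, B: Point) -> bool:
    """same-half-plane of section 5.2 with the planarity clause dropped (this
    model is two-dimensional) and the explicit A = B clause kept."""
    return (not on_line(A, a) and not on_line(B, a)
            and (A == B or not line_meets_segment(a, A, B)))

def same_side(A: Point, B: Point, C: Point) -> bool:
    """B and C lie on the same ray emanating from A (chapter 4's same-side)."""
    return (A != B and A != C and cross(sub(B, A), sub(C, A)) == 0
            and not between(B, A, C))

def interior_by_half_planes(O: Point, H: Point, K: Point, P: Point) -> bool:
    """The thesis's `interior` for the angle with vertex O and sides through H
    and K: P is on the same side of line OK as H and of line OH as K. Testing
    one point per ray suffices because a ray lies within one half-plane."""
    return same_half_plane((O, K), P, H) and same_half_plane((O, H), P, K)

def interior_by_betweenness(O: Point, H: Point, K: Point, P: Point) -> bool:
    """The corrected (existential) Meikle definition: some A on ray OH and B on
    ray OK have P strictly between them. Writing P - O = s(H - O) + t(K - O),
    such A, B exist exactly when s > 0 and t > 0 (take A = O + 2s(H - O) and
    B = O + 2t(K - O); P is then their midpoint)."""
    u, v, p = sub(H, O), sub(K, O), sub(P, O)
    D = cross(u, v)
    assert D != 0, "the rays must lie on distinct lines to form an angle"
    return cross(p, v) * D > 0 and cross(u, p) * D > 0   # signs of s and t

def grid(r: int) -> list[Point]:
    """Constructed sample: all integer points with both coordinates in [-r, r]."""
    return [(x, y) for x, y in product(range(-r, r + 1), repeat=2)]

def check_equivalence_relation(a: Line, pts: list[Point]) -> bool:
    """same-half-plane a is reflexive, symmetric and transitive off the line a."""
    off = [P for P in pts if not on_line(P, a)]
    refl = all(same_half_plane(a, P, P) for P in off)
    sym = all(same_half_plane(a, A, B) == same_half_plane(a, B, A)
              for A in off for B in off)
    trans = all(same_half_plane(a, A, C) for A in off for B in off for C in off
                if same_half_plane(a, A, B) and same_half_plane(a, B, C))
    return refl and sym and trans

def check_interior_definitions_agree(O: Point, H: Point, K: Point,
                                     pts: list[Point]) -> bool:
    """Hilbert's half-plane interior and the corrected betweenness interior coincide."""
    return all(interior_by_half_planes(O, H, K, P) == interior_by_betweenness(O, H, K, P)
               for P in pts)

def check_same_side_same_half_plane(a: Line, pts: list[Point]) -> bool:
    """Theorem same-side-same-half-plane, with A the first point defining a."""
    A = a[0]
    return all(same_half_plane(a, C, C2) for C in pts for C2 in pts
               if not on_line(C, a) and same_side(A, C, C2))

def check_interior_side(O: Point, H: Point, K: Point, pts: list[Point]) -> bool:
    """Theorem interior-side: interior points share K's half-plane bounded by line OH."""
    return all(same_half_plane((O, H), K, P)
               for P in pts if interior_by_half_planes(O, H, K, P))

if __name__ == "__main__":
    O, H, K = (0, 0), (3, 1), (1, 3)          # constructed angle with vertex O
    pts = grid(3)
    print("equivalence relation :", check_equivalence_relation((O, H), pts))
    print("interior defs agree  :", check_interior_definitions_agree(O, H, K, pts))
    print("ray within half-plane:", check_same_side_same_half_plane((O, H), pts))
    print("interior-side        :", check_interior_side(O, H, K, pts))
```

A check of this kind inspects finitely many points of a single model, so it cannot stand in for the Isar proofs; its value is that it exposes a definition that fails in the intended model before any proof effort is spent on it, which is exactly the kind of slip section 5.1 found in the earlier mechanisation.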
Now we discuss why this axiom is important. Axiom III,1 tells us that, from a point
A, we can always find another point B in a given direction such that AB is congruent
to a given segment. Thus, it is an axiom of segment construction. However, the axiom
does not tell us that the segment constructed is unique, a fact which follows from the
remaining axioms and crucially Axiom III,4. That axiom is applied to the following
figure:
Figure 5.1: Applying Axiom III,4 (diagram of the points B, A, C and C′; image not reproduced here)
In this diagram, ∠ABC and ∠ABC′ are assumed congruent, and it is our goal to show
that AC and AC′ coincide. Now the interiors of both angles lie on the same half plane
bounded by the line AB, and hence, by Axiom III,4, the rays BC and BC′ are identical.
Consequently, C and C′ must be the same point, and hence the segments AC and AC′
are identical.
Essentially the same reasoning is used again in Theorem 12. In neither case does
Hilbert go into the above detail. Instead, he says (with differently labelled triangles)
∠A′C′B′ ≡ ∠A′C′B′′, in contradiction to the uniqueness of angle construction required by Axiom III,4.
[...]
Then ∠BAC would be congruent to ∠B′A′D′ as well as to ∠B′A′C′. This is
impossible, as by Axiom III,4 every angle can be constructed on a given
side of a given ray in a plane in only one way.
Incidentally, proofs-by-contradiction are unnecessary here. The direct proofs are clearer
and this is what we have used in the mechanisation.
It is interesting that Hilbert took the application of Axiom III,4 to be so straightforward, when it was the most complex to mechanise and rested on a number of auxiliary
theorems. This might be evidence that Hilbert is letting his geometric intuition dictate
what is and is not a trivial step in the proof, something which we cannot do in the
mechanisation.
As complex as the reasoning step is, and given that it is used in two theorems, it had to
be extracted as a lemma:
lemma unique-segment-opposite-angle:
assumes
¬collinear {A, B, C}
same-side B C C ′
congruent-angles S (the-angle B A C)
and congruent-angles S (the-angle B A C ′)
shows C = C ′
The first two assumptions define the construction, the last two the angle congruence.
It is an interesting fact about Hilbert’s geometry that we could not replace the last two
with congruent-angles (the-angle B A C) (the-angle B A C ′). This latter form is the
one used in proving the uniqueness of segment construction, but not in the proof of
Theorem 12. The single assumption entails the two if we have reflexivity of angle
congruence – guaranteed in a second part to Axiom III,4. But the two assumptions
only entail the one if we have transitivity of angle congruence, which depends for its
proof on Theorem 12. Hence, the lemma needs to use the two assumptions if it is to be
of use in a proof of Theorem 12.
The lemma is difficult to prove, because we need to establish a complex clause in the
conclusion of Axiom III,4, namely that the interiors of the angles ABC and ABC′ lie
on the same half-plane bounded by AB. However, we do not have any assumptions
concerning half-planes, only same-side. In slightly different terms, we are only told
that C and C′ lie on the same ray emanating from B, not the same half-plane. So we
need a theorem to move us from one fact to the other:
theorem same-side-same-half-plane:
assumes
on-line A a
¬on-line C a
and same-side A C C ′
shows same-half-plane a C C ′
Though we have formulated this in terms of same-side, we can equivalently talk in
terms of rays. The theorem tells us that a ray not on a line a, but emanating from it,
lies entirely in a half-plane bounded by a. Hence, it gives us a useful relation between
rays and half-planes, one which is not mentioned by Hilbert.
Hence, looking back to our original diagram, we can easily deduce that C and C′ must
lie in the same half-plane bounded by the line AB. Of course, this does not immediately
tell us anything about the interiors of the angles, which is what we are interested in. A
theorem concerning angle interiors and half-planes would therefore be useful.
theorem interior-side:
assumes
sides Ang = {h, k}
on-ray A k
shows ∀ P. interior Ang P −→ same-half-plane (line-of-ray h) A P
This tells us that all interior points of ∠(h, k) lie in the same half-plane bounded by
the line of h as any given point in k. This is exactly what we need for our lemma. It
tells us that all points in the interiors of ABC and ABC′ lie in the same half-plane as C
and C′ respectively. Since these two points also lie in the same half-plane, it follows
by symmetry and transitivity of same-half-plane AB that the interiors lie in the same
half-plane as C. This is exactly the clause we require in Axiom III,4!
After applying the axiom, we can show that the rays BC and BC′ are identical, but this
does not immediately tell us that C and C′ are identical. In the final step, we note that
the lines AC and BC = BC′ must intersect at a unique point, and that point must be
C = C′ .
With the lemma now proven, it is interesting to look at the final mechanised proofs
of the uniqueness of segment construction and Theorem 12 (segment-uniqueness and
twelve respectively). (We reproduce the first here, the second is left to Appendix C).
The comments, printed here in SMALL CAPS, explain the reasoning at each block of
steps.
theorem segment-uniqueness:
  assumes A ≠ C
  shows ∃ !B. same-side A B C ∧ congruent-segments S (the-segment A B)
proof −
  {
    ASSUME THAT WE HAVE CONSTRUCTED SEGMENTS AB AND AB′ CONGRUENT TO S ON THE SAME SIDE OF THE LINE.
    fix B and B ′
    assume same-side A B C and congruent-segments S (the-segment A B)
    assume same-side A B ′ C and congruent-segments S (the-segment A B ′)
    THE SEGMENTS AB AND AB′ ARE THEN CONGRUENT BY AXIOM III,2.
    from ‹congruent-segments S (the-segment A B)›
      and ‹congruent-segments S (the-segment A B ′)›
    have congruent-segments (the-segment A B) (the-segment A B ′)
      using AxiomIII2 by (blast intro: congruent-segment-sym)
    WE CONSTRUCT A TRIANGLE ABD
    from ‹same-side A B C› have A ≠ B using same-side-distinct by auto
    from this obtain D where ¬collinear {A, B, D} by (rule construct-triangle)
    WHICH GIVES US A SECOND TRIANGLE AB′D
    from ‹same-side A B C› and ‹same-side A B ′ C› have same-side A B B ′
      by (blast intro: same-side-sym same-side-trans)
    hence collinear {A, B, B ′} and A ≠ B ′
      using same-side-distinct[of A B B ′] and same-side-collinear[of A B B ′] by auto
    with ‹¬collinear {A, B, D}› have ¬collinear {A, B ′, D}
      by (blast intro: collinear-union collinear-subset[where T = {A, B ′, D} ∪ {A, B, B ′}])
    THUS, ∠BAD AND ∠B′AD ARE CONGRUENT.
    from ‹same-side A B B ′› have the-ray A B = the-ray A B ′ by (rule ray-equality2)
    hence the-angle B A D = the-angle B ′ A D using angle-equality[of A B B ′ D D] by simp
    hence congruent-angles (the-angle B A D) (the-angle B ′ A D) by simp
    AND BY AXIOM III,5, THIS MEANS THAT ∠ADB AND ∠ADB′ ARE CONGRUENT
    with ‹¬collinear {A, B, D}› ‹¬collinear {A, B ′, D}›
      and ‹congruent-segments (the-segment A B) (the-segment A B ′)›
    have congruent-angles (the-angle A D B) (the-angle A D B ′)
      using AxiomIII5 by simp
    WE APPLY AXIOM III,4 VIA OUR LEMMA, DEDUCING THAT B = B′.
    with unique-segment-opposite-angle[of D A B B ′ the-angle A D B] have B = B ′
      using ‹¬collinear {A, B, D}› and ‹same-side A B B ′› by simp
  }
  with AxiomIII1 show ?thesis using ‹A ≠ C› by auto
qed
Interestingly, by revising Axiom III,1 so that it asserts the existence of a single segment rather than two (section 5.3), we avoided a case-split that Meikle and Fleuriot
mentioned in their own mechanisation [18]. They had suggested the case-split was
hidden implicitly in Hilbert’s diagram, but we have shown this was not the case, and
that it was merely an artifact of a mechanisation decision. When we revise the axiom
to bring it more in line with Hilbert’s prose, the case-split disappears.
We also notice how short this proof is, and how closely each sequence of steps corresponds to the steps of Hilbert’s proof (page 13 of [13]). It is only in the application
of Axiom III,4 that we have had to defer to a complex lemma. When all but this step
was easy to mechanise, we have more evidence that Hilbert over-trivialised the application of Axiom III,4. Indeed, we would argue that this oversight is due to Hilbert both
missing subtleties in defining half-planes, which we considered at the beginning of the
chapter, and in reasoning about them.
The structural similarity between the Isar proof and the informal proof is very much
an advantage of the declarative style. Indeed, Hilbert’s natural language arguments
immediately give us the basic structure of the mechanised proofs. In many cases,
all we need to do is fill in “boilerplate” inferences. Each segment of “boilerplate”
is marked by a natural language comment which captures the macro-scale inference.
With these comments, one can identify the general approach of the proof, and read the
associated block of mechanised text if more detail is needed. It is often possible to
read an Isar proof like this, dipping into arbitrary sequences of proof text, because the
goal and facts available at any given point are easily identified.
5.4 Concluding remarks
In this chapter, we have discussed errors in Meikle’s work in Group III. We hope these
errors have now been eliminated, but acknowledge this was only after Meikle and
Fleuriot spotted a number of mistakes in our own early revisions. Generally, we would
stress that mechanising mathematics is inherently tricky. Errors in mechanisation can
be very subtle and go unnoticed, even as they compromise large numbers of proofs.
In order to correct the errors, we found we needed to wrestle again with imprecision in
Hilbert’s prose, this time concerning half-planes. We found we needed new theorems
to govern these objects before we could think about proving even the first two theorems
of the group.
Moreover, we showed that Hilbert’s appeal to Axiom III,4 cashes out in a lemma with a
lengthy mechanised proof. Hilbert’s casual treatment of this step might suggest he was
appealing to geometric intuition rather than pure logic, and that our lemma should be
included in the exposition for Group III. However, we must be wary of such arguments,
for, as is the case with Meikle and Fleuriot’s proof of the theorem, purported gaps in a
proof or appeals to a diagram may be mere artifacts of the chosen representation.
Chapter 6
Conclusion and Further Work
In this work, we have revised and advanced a mechanisation of Hilbert’s Foundations
of Geometry in the declarative style of Isabelle/Isar, particularly with a focus on readability. To that end, we considered the verbosity often present in mechanised mathematics, which we sought to alleviate by introducing powerful abstractions, both logical
and geometric, that can be relied on to simplify proofs.
We analysed two such abstractions dealing with collinearity and planarity of points,
and showed how a proof of Theorem 3 is possible in terms of these abstractions alone.
By comparing the proof to Meikle’s, we have evidence that the abstractions help to
simplify and shorten proofs, in this case, without having to break the theorem down
into auxiliary lemmas. We also remarked that, by introducing set-theoretic reasoning
into geometric arguments, the abstractions make proofs easier to discover. Thus, they
have benefits above readability.
We noted that some of the tactics struggled to use our abstractions appropriately and
we had to manually bind schematic variables in our rules. However, in each case,
the form of the inference is always the same, and so should be possible to automate.
Indeed, we can define new tactics in Isabelle, and so as we continue the work in the
future, we intend to add functions to simplify these common reasoning steps, deducing
the required binding automatically before handing the work to the blast tactic.
Given the overall success of our two abstractions, we shall try to identify others, and
try to revise many of the theorems in terms of them. It remains an interesting question
how useful it would be to reaxiomatise elementary geometry structurally in terms of
two collections of sets, one of which is identified as the collinear sets, and one of which
is identified as the planar sets.
We have seen numerous advantages in adding new types into our theory. Firstly, they
allow us to rule out category mistakes in using various predicates and relations. Secondly, they give us a clear mechanisation of Hilbert’s definitions. And finally, they
allow us to discharge constraints in the statement of a theorem, moving them into the
type-checker.
We saw some examples of ambiguity in Hilbert’s claims about rays and half-planes.
Given this is a modern axiomatic foundation for geometry, it seems these notions
should have been analysed and reasoned about more thoroughly. Certainly, we must be
more thorough when mechanising, and in doing so, we found a sensible generalisation
over Hilbert’s original definitions, providing a number of new theorems governing the
two kinds of object.
While revising Meikle’s mechanised axioms, definitions and theorems, we noted that a
number of Hilbert’s originals contained redundant clauses, which we removed. Through
further revisions, we showed how mechanisation decisions can have subtle effects on
our mechanised proofs. Indeed, Meikle and Fleuriot’s mechanisation of Axiom III,1
led to a case-split which they believed was implicit in Hilbert’s own proof, but in fact
was peculiar to their mechanisation.
By identifying subtle errors in the previous work, we have shown that getting the right
representation for axioms is often difficult, and that mistakes can compromise large
amounts of proof-text. Concerned that our revisions still contain errors, we realise it is
now imperative that we obtain a soundness proof for our theory.
Finally, we have produced what we believe is a correct proof of Theorem 12. We
showed how the complex reasoning in this theorem depends on two significant results:
one theorem showing that same-half-plane is an equivalence relation, and another theorem to relate rays and half-planes. We suggest that both of these theorems are interesting and non-trivial geometric results, and that since they support key steps in
the proofs of Theorem 12 and the uniqueness of segment construction, they deserve a
mention in Hilbert’s exposition.
In general, we expect to find more gaps as we work through the Foundations of Geometry. When mechanising, we survey geometry at a much more fine-grained conceptual
level than Hilbert would have, and so it is not surprising that we find interesting geometric concepts and theorems that he missed.
In the future, we would like to replace our axioms with assumptions in Isar’s locales
[15]. With locales, the axioms of geometry will be rendered as schemes asserting that
any system of relations and objects satisfying the axioms will also satisfy the theorems.
With locales, semantic results such as soundness and completeness proofs are likely
to be much easier. Finally, locales can be arranged into hierarchies, so that we can
structure the five groups according to how they classify various kinds of geometry, just
as Hilbert does in later chapters.
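To make the locale idea concrete, here is an added illustration, not the thesis's own theory text: a fragment of Group I (three of the axioms listed in Appendix D) stated as a locale over abstract point, line and plane types, with Theorem 1 and second-point-on-line reproved inside it. The theory and locale names, and the underscore spelling of the constants, are my own.

```isabelle
theory Incidence_Locale
imports Main
begin

text ‹Added example (not the thesis's theory): a fragment of Group I as a locale.
  Points, lines and planes are type parameters, so any structure that satisfies
  the assumptions inherits every theorem proved in the locale.›

locale incidence =
  fixes on_line :: "'pt ⇒ 'line ⇒ bool"
    and in_plane :: "'pt ⇒ 'plane ⇒ bool"
  assumes AxiomI12: "A ≠ B ⟹ ∃!a. on_line A a ∧ on_line B a"
    and AxiomI3a: "∃A B. A ≠ B ∧ on_line A a ∧ on_line B a"
    and AxiomI4b: "∃A. in_plane A α"

text ‹Theorem 1 of Group I: two distinct lines share at most one point.›
theorem (in incidence) one:
  assumes "a ≠ b" and "on_line A a" and "on_line B a"
    and "on_line A b" and "on_line B b"
  shows "A = B"
proof (rule ccontr)
  assume "A ≠ B"
  hence "∃!l. on_line A l ∧ on_line B l" by (rule AxiomI12)
  (* the unique line l through A and B *)
  then obtain l where uniq: "∀y. on_line A y ∧ on_line B y ⟶ y = l" by blast
  from uniq assms(2,3) have "a = l" by blast
  moreover from uniq assms(4,5) have "b = l" by blast
  ultimately have "a = b" by simp
  with ‹a ≠ b› show False by simp
qed

text ‹Every line carries a point other than a given one. The assumption
  on_line A a is kept to match the thesis statement; the proof does not use it.›
lemma (in incidence) second_point_on_line:
  assumes "on_line A a"
  obtains B where "B ≠ A" and "on_line B a"
proof -
  from AxiomI3a[of a] obtain P Q
    where PQ: "P ≠ Q" and P: "on_line P a" and Q: "on_line Q a" by blast
  show thesis
  proof (cases "P = A")
    case True
    (* P coincides with A, so the other point Q must differ from A *)
    with PQ have "Q ≠ A" by auto
    from this Q show thesis by (rule that)
  next
    case False
    from False P show thesis by (rule that)
  qed
qed

end
```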
Reflecting, we notice that much of this project was spent revising existing work. We
believe this is a consequence of our stylistic goals: instead of merely trying to verify
Hilbert’s conclusions, we have been concerned with readable proof documents. Representation and abstraction are therefore paramount. But these are challenging concerns.
We can generally only evaluate the quality of a representation in hindsight, when we
have seen it condense or otherwise simplify a significant number of later theorems and
their proofs. Inevitably, there will be cases where what initially seemed like a good
representation turns out to have little use as we develop our theory, and so we have to
go back and revise it.
As such, the development of our theory does not take place in a linear fashion as it
could in Meikle’s work. Our work in Group I is never finished, since we may find
that as we progress through to the later groups, we need to revise or extend some of
its definitions and theorems. We also remarked how the theorems governing the ray
abstraction, for instance, grew organically in Chapter 4. Thus, instead of mechanising
by progressing straightforwardly through Hilbert’s text, we see ourselves building a
theory which is improved continually and iteratively. In turn, this means it is crucial
that our proofs are easy to maintain over time.
The procedural style makes this difficult. If proofs are to be maintainable over time,
they must be easy to understand when we come to revise them. But when reading a
procedural proof, the goal stack is always hidden; it is not clear from the source text
what each proof step achieves; and there is no clearly identifiable structure. This is
another reason to prefer the declarative style, with emphasis on readability.
We would eventually like to see the entirety of Hilbert’s Foundations of Geometry
mechanised. We would at least like to mechanise the remaining two groups from his
Chapter 1, the metatheoretical results of Chapter 2, and the development of arithmetic
and Cartesian geometry in terms of proportion and plane area. Thus, we shall not only
have mechanised the foundations of geometry, but shown how geometry can be made
a foundation for mathematics itself, just as the ancients had it.
Bibliography
[1] Christophe Dehlinger, Jean-François Dufourd, and Pascal Schreck. Higher-Order Intuitionistic Formalization and Proofs in Hilbert’s Elementary Geometry. In Third International Workshop on Automated Deduction in Geometry, pages 306–324, 2003.
[2] Alonzo Church. A Formulation of the Simple Theory of Types. Association for Symbolic Logic, pages 56–68, 1940.
[3] Richard Dedekind. Essays on the Theory of Numbers. Dover Publications, 1963.
[4] John Fauvel and Jeremy Gray. The History of Mathematics, A Reader. Macmillan Press Ltd, 1987.
[5] John Fauvel and Jeremy Gray. The History of Mathematics, A Reader. Macmillan Press Ltd, 1987.
[6] Colin R. Fletcher. Thales: Our Founder? The Mathematical Gazette, 66:266–272, 1982.
[7] Cyril W. L. Garner. Klein’s ‘Erlanger Program’ and the Geometry of an Infinitesimal Region. The American Mathematical Monthly, pages 367–368, 1977.
[8] M. J. Gordon. HOL: A Proof Generating System for Higher-Order Logic. In G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, 1988.
[9] Judith V. Grabiner. Who Gave You the Epsilon? Cauchy and the Origins of Rigorous Calculus. The American Mathematical Monthly, 90:185–194, 1983.
[10] Thomas Hales. Introduction to the Flyspeck Project. http://drops.dagstuhl.de/opus/volltexte/2006/432/pdf/05021.HalesThomas.Paper.432.pdf.
[11] John Harrison. A Mizar Mode for HOL. In TPHOLs, pages 203–220, 1996.
[12] Thomas L. Heath. Euclid: The Thirteen Books of The Elements. Dover Publications, 1956.
[13] David Hilbert. Foundations of Geometry. Open Court Classics, 1971.
[14] David Hilbert. In Michael Hallett and Ulrich Majer, editors, David Hilbert’s Lectures on the Foundations of Geometry. Springer, 2004.
[15] Florian Kammüller and Markus Wenzel. Locales: A Sectioning Concept for Isabelle. In Theorem Proving in Higher Order Logics (TPHOLs 99), LNCS 1690, pages 149–165. Springer, 1999.
[16] H. C. Kennedy. Origins of Modern Axiomatics: Pasch to Peano. The American Mathematical Monthly, 79:133–136, 1972.
[17] Ulrich Majer. The Relation of Logic and Intuition in Kant’s Philosophy of Science, Particularly Geometry. In Emily Carson and Renate Huber, editors, Intuition and the Axiomatic Method. Springer, 2006.
[18] Laura I. Meikle and Jacques D. Fleuriot. Formalizing Hilbert’s Grundlagen in Isabelle/Isar. In TPHOLs, pages 319–334, 2003.
[19] G. A. Miller. A Few Theorems Relating to the Rhind Mathematical Papyrus. The American Mathematical Monthly, 38:194–197, 1931.
[20] O. Neugebauer. The Survival of Babylonian Methods in the Exact Sciences of Antiquity and Middle Ages. Proceedings of the American Philosophical Society, 107:528–555, 1963.
[21] Lawrence C. Paulson. Isabelle: A Generic Theorem Prover. Journal of Automated Reasoning, 5, 1994.
[22] Piotr Rudnicki. An Overview of the MIZAR Project. In University of Technology, Bastad, pages 311–332, 1992.
[23] Shang-Ching Chou, X.-S. Gao, and J.-Z. Zhang. Machine Proofs in Geometry. World Scientific Publishing, 1994.
[24] Abe Shenitzer. How Hyperbolic Geometry Became Respectable. The American Mathematical Monthly, 101:464–470, 1994.
[25] Alfred Tarski and Steven Givant. Tarski’s System of Geometry. Bulletin of Symbolic Logic, 5:175–214, 1999.
[26] Alexander Thom. Megalithic Sites in Britain. Oxford University Press, 1967.
[27] Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. Isabelle’s Logics: HOL. isabelle.in.tum.de/doc/logics-HOL.pdf, 2008.
[28] Markus Wenzel and Freek Wiedijk. A Comparison of Mizar and Isar. Journal of Automated Reasoning, 29:389–411, 2002.
[29] Markus M. Wenzel. Isabelle/Isar – A Versatile Environment for Human-Readable Formal Proof Documents. PhD thesis, Institut für Informatik, Technische Universität München, 2002.
Appendix A
Meikle’s proof of Theorem 3

constdefs
  pts-in-plane S z ≡ ∀ X∈S. in-plane X z
  plane-of A B C ≡ (SOME z. A≠B ∧ B≠C ∧ A≠C ∧ ¬collinear {A,B,C} ∧
                            pts-in-plane {A,B,C} z)
  inside-seg A B ≡ {X. A≠B ∧ between A X B}
  line-meets-seg a A B ≡ (∃ C∈inside-seg A B. on-line C a)

axioms
  AxiomII1: (between A B C) ⟹ A≠B ∧ A≠C ∧ B≠C ∧ collinear{A,B,C} ∧ (between C B A)
  AxiomI3b: ∃ A B C. A≠B ∧ B≠C ∧ A≠C ∧ ¬collinear {A,B,C}
  AxiomII4: ⟦ ¬collinear {A,B,C}; line-on-plane a (plane-of A B C);
              ¬on-line A a; ¬on-line B a; ¬on-line C a;
              line-meets-seg a A B ⟧
            ⟹ (line-meets-seg a A C ∨ line-meets-seg a B C)

lemma line-intersects-seg:
  ⟦ on-line A a; between C A D ⟧ ⟹ line-meets-seg a C D

lemma line-not-meet-seg-altered:
  ⟦ ¬collinear {Ca, B, C};
    on-line Ca (line-of Ca Ba); on-line Ba (line-of Ca Ba); on-line Ba (line-of B C);
    ¬between C Ba B ⟧ ⟹ ¬line-meets-seg (line-of Ca Ba) B C

lemma pts-are-diff:
  ¬collinear{A,B,C} ⟹ A≠B ∧ A≠C ∧ B≠C

lemma line-of2:
  ⟦ A≠B; on-line A l; on-line B l ⟧ ⟹ l = line-of A B

lemma line-of3:
  A≠B ⟹ ∃! X. X = line-of A B ∧ on-line A X ∧ on-line B X

lemma on-line4:
  ⟦ collinear{B,A,C}; B≠C ⟧ ⟹ on-line A (line-of B C)

lemma on-line5:
  ⟦ collinear{B,C,A}; B≠C ⟧ ⟹ on-line A (line-of B C)

lemma noncollinear:
  ⟦ A≠C; ¬on-line E (line-of A C) ⟧ ⟹ ¬collinear{A,C,E}

lemma not-collinear3:
  ⟦ B≠C; collinear{B,A,C}; ¬collinear{B,D,A} ⟧ ⟹ ¬collinear{B,C,D}

lemma not-collinear4:
  ⟦ B≠C; collinear{A,B,C}; ¬collinear{A,D,B} ⟧ ⟹ ¬collinear{B,C,D}

lemma different-pts3:
  ⟦ collinear {A,B,C}; ¬collinear{D,A,B} ⟧ ⟹ D≠C

lemma different-pts4:
  ⟦ collinear {A,B,C}; ¬collinear{A,D,B} ⟧ ⟹ C≠D

lemma intro-pt-not-on-line3:
  ⟦ A≠B; D≠E ∧ E≠F ∧ D≠F ∧ ¬collinear{D,E,F} ⟧
  ⟹ ∃ C. A≠C ∧ B≠C ∧ ¬on-line C (line-of A B) ∧ on-line A (line-of A B) ∧
          on-line B (line-of A B)

lemma Points-not-on-line:
  ⟦ collinear{A,E,F}; ¬collinear{A,C,E}; collinear{F,C,G}; F≠G; collinear{F,C,G}; ¬collinear{A,F,C};
    A≠E; ¬collinear{E,F,C}; C≠G ⟧
  ⟹ ¬on-line A (line-of E G) ∧ ¬on-line F (line-of E G) ∧ ¬on-line C (line-of E G)

lemma line-on-plane:
  ⟦ B≠C; on-line B (line-of A C); on-line E (line-of C D); ¬collinear{A,C,D} ⟧
  ⟹ line-on-plane (line-of B E) (plane-of A C D)

lemma pts-different:
  assumes E-not-F: E≠F and AEF-coll: collinear{A,E,F}
    and not-coll-ACE: ¬collinear{A,C,E} and FCG-coll: collinear{F,C,G}
  shows E≠G

lemma on-line:
  assumes E-not-F: E≠F and
    AEF-coll: collinear{A,E,F} and
    not-coll-ACE: ¬collinear{A,C,E} and
    FCG-coll: collinear{F,C,G}
  shows on-line E (line-of E G) ∧ on-line G (line-of E G)

lemma line-intersects-seg2:
  assumes E-not-F: E≠F and
    AEF-coll: collinear{A,E,F} and
    not-coll-ACE: ¬collinear{A,C,E} and
    FCG-coll: collinear{F,C,G} and
    AEF: between A E F
  shows line-meets-seg (line-of E G) A F
proof -
  from E-not-F and AEF-coll and not-coll-ACE and FCG-coll and on-line
  have on-line E (line-of E G) by auto
  from this and AEF and line-intersects-seg show ?thesis by blast
qed

lemma assumptions-needed:
  assumes A-not-E: A≠E and A-not-F: A≠F and E-not-F: E≠F
    and AEF: between A E F and AEF-coll: collinear{A,E,F}
    and not-coll-ACE: ¬collinear{A,C,E} and F-not-C: F≠C and
    FCG: between F C G
  shows ¬collinear {A,F,C} ∧ ¬on-line A (line-of E G) ∧
        ¬on-line F (line-of E G) ∧ ¬on-line C (line-of E G) ∧
        line-meets-seg (line-of E G) A F ∧
        line-on-plane (line-of E G) (plane-of A F C)
proof -
  from FCG and AxiomII1 have
    F≠C ∧ F≠G ∧ C≠G ∧ collinear{F,C,G} ∧ between G C F by blast
  then have F-not-G: F≠G and C-not-G: C≠G and
    FCG-coll: collinear{F,C,G} and GCF: between G C F by auto
  from A-not-F and AEF-coll and not-coll-ACE and not-collinear3 have
    not-coll-AFC: ¬collinear {A,F,C} by blast
  from E-not-F and AEF-coll and not-coll-ACE and not-collinear4 have
    not-coll-EFC: ¬collinear{E,F,C} by blast
  from AEF-coll and not-coll-ACE and FCG-coll and
    F-not-G and FCG-coll and not-coll-AFC and A-not-E and
    not-coll-EFC and C-not-G and Points-not-on-line[of A E F C G] have
    A-not-on-EG: ¬on-line A (line-of E G) and
    F-not-on-EG: ¬on-line F (line-of E G) and
    C-not-on-EG: ¬on-line C (line-of E G) by auto
  from E-not-F and AEF-coll and not-coll-ACE and FCG-coll and
    AEF and line-intersects-seg2 have
    EG-meets-AF: line-meets-seg (line-of E G) A F by blast
  from AEF-coll and A-not-F and on-line4 have
    E-on-AF: on-line E (line-of A F) by blast
  from FCG-coll and F-not-C and on-line5 have
    G-on-FC: on-line G (line-of F C) by blast
  from E-not-F and E-on-AF and
    G-on-FC and not-coll-AFC and line-on-plane
  have EG-on-planeAFC: line-on-plane (line-of E G) (plane-of A F C)
    by blast
  from not-coll-AFC and A-not-on-EG and F-not-on-EG and C-not-on-EG
    and EG-meets-AF and EG-on-planeAFC show ?thesis by blast
qed

lemma line-not-meet-seg2:
  assumes AEF-coll: collinear{A,E,F} and
    not-coll-ACE: ¬collinear{A,C,E} and
    FCG-coll: collinear{F,C,G} and
    not-coll-EFC: ¬collinear{E,F,C} and
    G-on-FC: on-line G (line-of F C) and
    not-CGF: ¬between C G F
  shows ¬line-meets-seg (line-of E G) F C
proof -
  from not-coll-EFC and pts-are-diff have E-not-F: E≠F and F-not-C: F≠C by auto
  from E-not-F and AEF-coll and not-coll-ACE and FCG-coll and on-line
  have E-on-EG: on-line E (line-of E G) and
    G-on-EG: on-line G (line-of E G) by auto
  from not-coll-EFC and F-not-C and E-on-EG and G-on-EG and G-on-FC and not-CGF
    and line-not-meet-seg-altered show ?thesis by blast
qed

lemma line-not-meet-seg3:
  assumes E-not-F: E≠F and AEF-coll: collinear{A,E,F} and not-coll-ACE: ¬collinear{A,C,E}
    and F-not-C: F≠C and FCG: between F C G and AEF-coll: collinear{A,E,F}
    and not-coll-ACE: ¬collinear{A,C,E} and not-CGF: ¬between C G F
  shows ¬line-meets-seg (line-of E G) F C
proof -
  from FCG and AxiomII1 have
    F≠C ∧ F≠G ∧ C≠G ∧ collinear{F,C,G} ∧ between G C F by blast
  then have FCG-coll: collinear{F,C,G} by auto
  from E-not-F and AEF-coll and not-coll-ACE and not-collinear4 have
    not-coll-EFC: ¬collinear{E,F,C} by blast
  from FCG-coll and F-not-C and on-line5 have
    G-on-FC: on-line G (line-of F C) by blast
  from E-not-F and AEF-coll and not-coll-ACE and FCG-coll and not-coll-EFC
    and F-not-C and G-on-FC and not-CGF and line-not-meet-seg2[of A E F C G]
  show ?thesis by auto
qed

theorem three:
  assumes A-not-C: A≠C
  shows ∃ D. between A D C
proof -
  from A-not-C and AxiomI3b and intro-pt-not-on-line3 obtain E where
    A-not-E: A≠E and E-not-on-AC: ¬on-line E (line-of A C)
    by blast
  from A-not-E and AxiomII2 obtain F where AEF: between A E F by blast
  from this and AxiomII1 have
    A≠E ∧ A≠F ∧ E≠F ∧ collinear{A,E,F} ∧ between F E A by blast
  then have
    A-not-F: A≠F and E-not-F: E≠F and AEF-coll: collinear{A,E,F}
    by auto
  from A-not-C and E-not-on-AC and noncollinear have
    not-coll-ACE: ¬collinear{A,C,E} by blast
  from this and AEF-coll and different-pts4 have
    F-not-C: F≠C by blast
  from this and AxiomII2 obtain G where FCG: between F C G by blast
  from this and AxiomII1 have between G C F by auto
  from this and AxiomII3 have not-CGF: ¬between C G F by blast
  from FCG and A-not-E and A-not-F and E-not-F and
    AEF and AEF-coll and not-coll-ACE and F-not-C and
    assumptions-needed[of A E F C G] have
    not-coll-AFC: ¬collinear{A,F,C} and
    A-not-on-EG: ¬on-line A (line-of E G) and
    F-not-on-EG: ¬on-line F (line-of E G) and
    C-not-on-EG: ¬on-line C (line-of E G) and
    EG-meets-AF: line-meets-seg (line-of E G) A F and
    EG-on-planeAFC: line-on-plane (line-of E G) (plane-of A F C)
    by auto
  from not-coll-AFC and EG-on-planeAFC and A-not-on-EG and F-not-on-EG and
    C-not-on-EG and EG-meets-AF and AxiomII4
  have EG-meets-AC-or-FC: line-meets-seg (line-of E G) A C ∨
    line-meets-seg (line-of E G) F C by blast
  from E-not-F and AEF-coll and not-coll-ACE and F-not-C and
    FCG and E-not-F and AEF-coll and not-coll-ACE and not-CGF and
    line-not-meet-seg3 have
    ¬line-meets-seg (line-of E G) F C by blast
  from this and EG-meets-AC-or-FC and line-meets-seg-def and
    inside-seg-def obtain X where between A X C by blast
  thus ?thesis ..
qed
Appendix B
Revised Proof of Theorem 3

theorem three:
  assumes A ≠ C
  shows ∃ D. between A D C
proof -
  -- {* We first construct a triangle ACE. *}
  from construct-triangle obtain E where ¬collinear {A, C, E} using assms .
  -- {* Next, we obtain a point F such that E is between A and F. *}
  hence A ≠ E by auto
  with AxiomII2 obtain F where between A E F by blast
  -- {* It follows that A, C and F are not collinear. *}
  hence collinear {A, E, F} and A ≠ F using AxiomII1a and AxiomII1b by auto
  with ‹¬collinear {A, C, E}› have assm1: ¬collinear {A, C, F}
    by (blast intro: collinear-subset[where T = {A, E, F} ∪ {A, C, F}] collinear-union)
  -- {* Thus, C and F are distinct, and so we can obtain a point G such that F is between C and G. *}
  hence C ≠ F by auto
  with AxiomII2 obtain G where between C F G by auto
  -- {* We aim to apply Axiom II,4, but we need to prove its assumptions. First, we
        show that all points constructed so far are planar. *}
  hence collinear {C, F, G} using AxiomII1b by simp
  with ‹collinear {A, E, F}› have assm4: planar {A, F, C, E, G}
    by (blast intro: planar-subset[where T = {A, E, F} ∪ {C, F, G}] collinear-union-is-planar)
  -- {* Next we show that A, F and G are non-collinear. *}
  from ‹between C F G› have F ≠ G using AxiomII1a by simp
  with ‹collinear {C, F, G}› and ‹¬collinear {A, C, F}› have assm2: ¬collinear {A, F, G}
    by (blast intro: collinear-subset[where T = {A, F, G} ∪ {C, F, G}] collinear-union)
  -- {* Similarly for C, E and G. *}
  from ‹between A E F› and ‹between C F G› have E ≠ F and C ≠ G using AxiomII1a by auto
  from ‹E ≠ F› ‹¬collinear {A, C, E}› ‹collinear {A, E, F}› have ¬collinear {C, E, F, G}
    by (blast intro: collinear-union collinear-subset[where T = {A, E, F} ∪ {C, E, F, G}])
  with ‹C ≠ G› and ‹collinear {C, F, G}› have assm3: ¬collinear {C, E, G}
    by (blast intro: collinear-subset[where T = {C, E, G} ∪ {C, F, G}] collinear-union)
  -- {* We now apply the axiom. *}
  from assm1 assm2 assm3 assm4 and ‹between A E F› obtain D where collinear {D, E, G}
    ∧ (between A D C ∨ between F D C) using AxiomII4-col[of A F C G E] by auto
  -- {* It follows from Axiom II,3 that D must lie between A and C, since G is the
        unique point of intersection of the lines EG, CF while G does not lie between
        F and C. *}
  moreover
  {
    fix D
    assume collinear {D, E, G}
    assume collinear {C, D, F}
    with ‹C ≠ F› have collinear {C, D, F, G} using ‹collinear {C, F, G}› by (blast intro:
      collinear-subset[where T = {C, D, F} ∪ {C, F, G}] collinear-union)
    with ‹collinear {D, E, G}› and ‹¬collinear {C, E, G}› have D = G
      by (blast intro: collinear-union collinear-subset[where T = {D, E, G} ∪ {C, D, F, G}])
    with ‹between C F G› have ¬between F D C using AxiomII3 and AxiomII1c by blast
  }
  ultimately have between A D C using AxiomII1b[of F D C] by auto
  thus ?thesis ..
qed
Appendix C
Theorem 12

theorem twelve:
  assumes ¬collinear {A, B, C}
    ¬collinear {A′, B′, C′}
    congruent-segments (the-segment A B) (the-segment A′ B′)
    congruent-segments (the-segment A C) (the-segment A′ C′)
    and congruent-angles (the-angle B A C) (the-angle B′ A′ C′)
  shows congruent-triangles (the-triangle A B C) (the-triangle A′ B′ C′)
proof -
  -- {* As Hilbert notes, Axiom III,5 gives us the missing angle congruences. *}
  from AxiomIII5 have one: congruent-angles (the-angle A B C) (the-angle A′ B′ C′) using assms by
    simp
  from AxiomIII5 have two: congruent-angles (the-angle A C B) (the-angle A′ C′ B′) using
    assms by simp
  -- {* Only the congruence of BC and B′C′ remains. We first obtain D′ on the same
        side of B′ as C′. *}
  from ‹¬collinear {A′, B′, C′}› have B′ ≠ C′ by auto
  with AxiomIII1[of B′ C′] obtain D′ where same-side B′ D′ C′ and congruent-segments
    (the-segment B C) (the-segment B′ D′) by auto
  hence collinear {B′, C′, D′} and B′ ≠ D′ using same-side-collinear[of B′ D′ C′] and same-side-distinct
    by auto
  hence ¬collinear {A′, B′, D′} using ‹¬collinear {A′, B′, C′}›
    by (blast intro: collinear-subset[where T = {B′, C′, D′} ∪ {A′, B′, D′}] collinear-union)
  -- {* ∠ABC and ∠A′B′D′ are identical and therefore congruent. *}
  from ‹same-side B′ D′ C′› have the-ray B′ D′ = the-ray B′ C′ by (rule ray-equality2)
  hence the-angle A′ B′ C′ = the-angle A′ B′ D′ using angle-equality[of B′ A′ A′ C′ D′] by simp
  with ‹congruent-angles (the-angle A B C) (the-angle A′ B′ C′)› have congruent-angles (the-angle
    A B C) (the-angle A′ B′ D′) by simp
  -- {* Hence, by Axiom III,5, ∠BAC and ∠B′A′D′ are congruent. *}
  with AxiomIII5[of B A C B′ A′ D′] ‹congruent-segments (the-segment B C) (the-segment B′ D′)›
    ‹¬collinear {A′, B′, D′}› and assms
  have congruent-angles (the-angle B A C) (the-angle B′ A′ D′) using segment-symmetry by
    auto
  -- {* Applying Axiom III,4 via our lemma tells us that C′ and D′ are identical. *}
  with unique-segment-opposite-angle[of A′ B′ C′ D′ the-angle B A C] ‹¬collinear {A′, B′, C′}›
    ‹same-side B′ D′ C′› ‹congruent-angles (the-angle B A C) (the-angle B′ A′ C′)› have C′ = D′
    by (auto intro: same-side-sym)
  -- {* Giving us our final segment congruence. *}
  hence the-segment B′ C′ = the-segment B′ D′ by simp
  with ‹congruent-segments (the-segment B C) (the-segment B′ D′)› have congruent-segments
    (the-segment B C) (the-segment B′ C′) by simp
  with one two and assms show ?thesis unfolding congruent-triangles-def the-triangle-def by
    blast
qed
Appendix D
Group I

typedecl pt
typedecl line
typedecl plane

consts
  on-line :: pt ⇒ line ⇒ bool
  in-plane :: pt ⇒ plane ⇒ bool

constdefs
  collinear S ≡ ∃ a. ∀ P∈S. on-line P a
  planar S ≡ ∃ α. ∀ P∈S. in-plane P α
  line-of A B ≡ SOME a. on-line A a ∧ on-line B a
  plane-of A B C ≡ SOME α. in-plane A α ∧ in-plane B α ∧ in-plane C α
  line-on-plane a α ≡ ∀ P. on-line P a ⟶ in-plane P α

axioms
  AxiomI12: A≠B ⟹ ∃!a. on-line A a ∧ on-line B a
  AxiomI3a: ∀ a. ∃ A B. A≠B ∧ on-line A a ∧ on-line B a
  AxiomI3b: ∃ A B C. ¬collinear {A,B,C}
  AxiomI4b: ∀ α. ∃ A. in-plane A α
  AxiomI45: ¬collinear {A,B,C} ⟹ ∃!α. in-plane A α ∧ in-plane B α ∧ in-plane C α
  AxiomI6: ⟦ A≠B; in-plane A α; in-plane B α ⟧ ⟹ line-on-plane (line-of A B) α
  AxiomI7: ⟦ α≠β; in-plane A α; in-plane A β ⟧ ⟹ ∃ B. A≠B ∧ in-plane B α ∧ in-plane B β
  AxiomI8: ∃ A B C D. ¬planar {A,B,C,D}

theorem one:
  assumes a ≠ b on-line A a on-line B a on-line A b and on-line B b
  shows A = B

theorem one-rev:
  assumes A ≠ B on-line A a on-line B a
  shows a = line-of A B

theorem AxiomI3a-obtain:
  obtains A::pt and B::pt where A ≠ B and a = line-of A B

lemma second-point-on-line:
  assumes on-line A a
  obtains B where B ≠ A and on-line B a

lemma second-point:
  obtains P::pt where A ≠ P

theorem on-line-of: on-line A (line-of A B) ∧ on-line B (line-of A B)

lemma line-of-commutes [simp]:
  shows line-of B A = line-of A B

lemma plane-of-swap [simp]:
  shows plane-of A C B = plane-of A B C

lemma plane-of-rotate [simp]:
  shows plane-of B C A = plane-of A B C

lemma collinear-set-swap [simp]:
  shows collinear {A, C, B} = collinear {A, B, C}

lemma collinear-set-rotate [simp]:
  shows collinear {C, A, B} = collinear {A, B, C}

lemma collinear-empty [simp]:
  shows collinear {}

lemma collinear-pair [simp]:
  shows collinear {P, Q}

lemma collinear-singleton [simp]:
  shows collinear {P}

corollary AxiomI3a-col:
  assumes collinear S
  obtains P and Q where P ≠ Q and collinear (S ∪ {P, Q})

lemma line-of-collinear-points:
  assumes collinear S
    A ∈ S B ∈ S A ≠ B
  shows ∀ P∈S. on-line P (line-of A B)

theorem collinear-union:
  assumes collinear S collinear T
    A ∈ S A ∈ T B ∈ S B ∈ T and A ≠ B
  shows collinear (S ∪ T)

theorem collinear-subset:
  assumes S ⊆ T and collinear T
  shows collinear S

lemma collinear-from-on-line:
  assumes on-line A (line-of B C)
  shows collinear {A, B, C}

lemma on-line-from-collinear:
  assumes collinear {A, B, C} and B ≠ C
  shows on-line A (line-of B C)

theorem construct-triangle:
  assumes A ≠ B
  obtains C where ¬collinear {A, B, C}

theorem identify-plane-of:
  assumes ¬collinear {A, B, C}
    in-plane A α in-plane B α and in-plane C α
  shows α = plane-of A B C

theorem non-collinear-subset:
  assumes ¬collinear S
  obtains A B and C where {A, B, C} ⊆ S ∧ ¬collinear {A, B, C}

lemma planar-empty [simp]:
  shows planar {}

lemma plane-of-planar-points:
  assumes planar S
    A ∈ S B ∈ S C ∈ S
    and ¬collinear {A, B, C}
  shows ∀ P∈S. in-plane P (plane-of A B C)

theorem planar-subset:
  assumes S ⊆ T and planar T
  shows planar S

theorem collinear-implies-planar:
  assumes collinear S
  shows planar S

lemma planar-triple [simp]:
  shows planar {A, B, C}

lemma planar-pair [simp]:
  shows planar {A, B}

lemma planar-singleton [simp]:
  shows planar {A}

theorem in-plane-of:
  shows in-plane A (plane-of A B C) ∧ in-plane B (plane-of A B C) ∧ in-plane C (plane-of A B C)

corollary in-plane-of1 [simp]:
  shows in-plane A (plane-of A B C)

corollary in-plane-of2 [simp]:
  shows in-plane B (plane-of A B C)

corollary in-plane-of3 [simp]:
  shows in-plane C (plane-of A B C)

corollary AxiomI6-col:
  assumes collinear S
    A ∈ S B ∈ S and A ≠ B
  shows ∀ P∈S. in-plane P (plane-of A B C)

theorem planar-union:
  assumes planar S planar T
    ¬collinear (S ∩ T)
  shows planar (S ∪ T)

theorem collinear-union-is-planar:
  assumes collinear S collinear T and S ∩ T ≠ {}
  shows planar (S ∪ T)

theorem plane-of-point-and-line:
  assumes ¬on-line A a
  shows ∃!α. in-plane A α ∧ line-on-plane a α

corollary AxiomI4b-col:
  assumes planar S
  obtains P where planar (S ∪ {P})

corollary AxiomI7-col:
  assumes planar S planar T and S ∩ T ≠ {}
  obtains P and Q where P ≠ Q
    planar (S ∪ {P, Q})
    and planar (T ∪ {P, Q})
Appendix E
Group II

typedef segment = {{A, B} :: pt set | A B. A ≠ B}

consts between :: pt ⇒ pt ⇒ pt ⇒ bool

constdefs
  same-side E A B ≡ E ≠ A ∧ E ≠ B ∧ collinear {E, A, B} ∧ ¬between A E B
  endpoints ≡ Rep-segment
  inside AB P ≡ ∃ A B. endpoints AB = {A, B} ∧ between A P B
  outside AB P ≡ ∃ A B. endpoints AB = {A, B} ∧ collinear {A, B, P} ∧ ¬between A P B
  line-meets-segment a AB ≡ ∃ P. inside AB P ∧ on-line P a
  the-segment A B ≡ Abs-segment {A, B}
  same-half-plane a A B ≡ ¬on-line A a ∧ ¬on-line B a
    ∧ (A = B ∨ (∃ α. line-on-plane a α ∧ in-plane A α ∧ in-plane B α)
    ∧ ¬line-meets-segment a (the-segment A B))

axioms
  AxiomII1a: (between A B C) ⟹
    A≠B ∧ A≠C ∧ B≠C
  AxiomII1b: between A B C ⟹ collinear {A, B, C}
  AxiomII1c: between C B A ⟹ between A B C
  AxiomII2: A≠C ⟹ ∃ B. between A C B
  AxiomII3: between A B C ⟹ ¬between B A C
  AxiomII4: ⟦ ¬collinear {A,B,C};
              line-on-plane a (plane-of A B C);
              ¬on-line A a; ¬on-line B a; ¬on-line C a;
              line-meets-segment a (the-segment A B) ⟧
            ⟹ (line-meets-segment a (the-segment A C) ∨ line-meets-segment a (the-segment B C))

theorem the-segment:
  assumes A ≠ B
  shows endpoints (the-segment A B) = {A, B}

theorem segment-symmetry:
  shows the-segment A B = the-segment B A

theorem inside-between:
  assumes A ≠ B and inside (the-segment A B) P
  shows between A P B

theorem between-inside:
  assumes between A P B
  shows inside (the-segment A B) P

corollary AxiomII4-col:
  assumes ¬collinear {A, B, C}
    ¬collinear {A, B, E}
    ¬collinear {C, D, E}
    planar {A, B, C, D, E}
    and between A D B
  shows ∃ F. collinear {D, E, F} ∧ (between A F C ∨ between B F C)

theorem three:
  assumes A ≠ C
  shows ∃ D. between A D C

theorem between-implies-same-side:
  assumes between E A B ∨ between E B A
  shows same-side E A B

theorem same-side-distinct:
  assumes same-side E A B
  shows A ≠ E ∧ B ≠ E

theorem same-side-collinear:
  assumes same-side E A B
  shows collinear {A, B, E}

theorem point-on-same-side:
  assumes E ≠ A
  obtains B where A ≠ B and same-side E A B

theorem same-side-refl [simp]:
  assumes A ≠ E
  shows same-side E A A

theorem same-side-sym:
  assumes same-side E B A
  shows same-side E A B

theorem same-side-trans:
  assumes same-side E A B and same-side E B C
  shows same-side E A C

theorem segment-add:
  assumes between A B C and between A P B ∨ between B P C
  shows between A P C

theorem segment-add-converse:
  assumes between A B C and between A P C
  shows B = P ∨ between A P B ∨ between B P C

lemma collinear-same-side:
  assumes collinear {A, B, C} and A ≠ B
  shows same-side A B C ∨ same-side B A C

theorem same-half-plane-refl [simp]:
  assumes ¬on-line A a
  shows same-half-plane a A A

theorem same-half-plane-sym:
  assumes same-half-plane a B A
  shows same-half-plane a A B

theorem same-half-plane-trans:
  assumes same-half-plane a A B and same-half-plane a B C
  shows same-half-plane a A C

theorem same-side-trichotomy:
  assumes collinear {A, B, C, E} and A ≠ E B ≠ E C ≠ E
  shows same-side E A B ∨ same-side E A C ∨ same-side E B C

typedef ray = {{P. same-side E A P} | E A. A ≠ E}

constdefs
  on-ray P h ≡ P ∈ Rep-ray h
  emanates-from h E ≡ ∃ A. ∀ P. on-ray P h ⟷ same-side E A P
  start-point h ≡ THE E. emanates-from h E
  line-of-ray h ≡ THE a. ∀ P. on-ray P h ⟶ on-line P a
  the-ray E A ≡ THE h. on-ray A h ∧ start-point h = E

lemma ray-def-lemma:
  assumes emanates-from h E and on-ray A h
  shows ∀ P. on-ray P h ⟷ same-side E A P

lemma rays-are-open-lemma:
  assumes emanates-from h E
  shows ¬on-ray E h

theorem start-points-are-unique:
  shows ∃!E. emanates-from h E

corollary start-point-emanates:
  shows emanates-from h (start-point h)

theorem rays-are-open [simp]:
  shows ¬on-ray (start-point h) h

corollary start-point:
  assumes on-ray A h
  shows ∀ P. on-ray P h ⟷ same-side (start-point h) A P

theorem ray-on-line:
  assumes on-ray P h
  shows on-line P (line-of-ray h)

theorem start-point-on-line [simp]:
  shows on-line (start-point h) (line-of-ray h)

theorem ray-equality:
  assumes ∀ P. on-ray P h ⟷ on-ray P h′
  shows h = h′

theorem unique-ray:
  assumes A ≠ E
  shows ∃!h. on-ray A h ∧ start-point h = E

theorem the-ray:
  assumes A ≠ E
  shows on-ray A (the-ray E A) ∧ start-point (the-ray E A) = E

theorem the-ray2:
  assumes on-ray A h
  shows h = the-ray (start-point h) A

theorem ray-equality2:
  assumes same-side E A B
  shows the-ray E A = the-ray E B

corollary the-ray1 [simp]:
  assumes A ≠ E
  shows on-ray A (the-ray E A)

theorem line-of-ray [simp]:
  assumes A ≠ E
  shows line-of-ray (the-ray E A) = line-of E A

corollary collinear-ray:
  assumes B ≠ C and on-ray A (the-ray B C)
  shows collinear {A, B, C}

theorem same-side-same-half-plane:
  assumes on-line A a ¬on-line B a and same-side A B C
  shows same-half-plane a B C

theorem rays-form-lines:
  assumes h ≠ k
    line-of-ray h = line-of-ray k
    start-point h = start-point k
    on-line P (line-of-ray h)
  shows P = start-point h ∨ on-ray P h ∨ on-ray P k
Appendix F
Group III

typedef angle = {{h, k} | h k. line-of-ray h ≠ line-of-ray k ∧ start-point h = start-point k}

constdefs
  sides hk ≡ Rep-angle hk
  vertex hk ≡ THE P. ∀ h ∈ sides hk. start-point h = P
  rays-form-an-angle h k ≡ line-of-ray h ≠ line-of-ray k ∧ start-point h = start-point k
  opposite-side hk h ≡ THE k. sides hk = {h, k}
  plane-of :: angle ⇒ plane
  plane-of hk ≡ THE α. ∀ h ∈ sides hk. ∀ P. on-ray P h ⟶ in-plane P α
  interior hk P ≡ ∃ h k. sides hk = {h, k}
    ∧ (∀ Q. on-ray Q h ⟶ same-half-plane (line-of-ray k) P Q)
    ∧ (∀ Q. on-ray Q k ⟶ same-half-plane (line-of-ray h) P Q)
  exterior hk P ≡ in-plane P (plane-of hk) ∧ ¬interior hk P
  supplementary hk hk′ ≡ hk ≠ hk′
    ∧ (∃ h. h ∈ sides hk ∧ h ∈ sides hk′
    ∧ line-of-ray (opposite-side hk h) = line-of-ray (opposite-side hk′ h))
  the-angle A B C ≡ THE hk. sides hk = {the-ray B A, the-ray B C}
  with-sides h k ≡ THE hk. sides hk = {h, k}

theorem angle-vertex:
  shows ∀ h ∈ sides hk. start-point h = (vertex hk)

theorem sides:
  assumes rays-form-an-angle h k
  shows sides (with-sides h k) = {h, k}

theorem non-collinear-points-form-an-angle:
  assumes ¬collinear {A, B, C}
  shows rays-form-an-angle (the-ray A B) (the-ray A C)

theorem sides2:
  assumes ¬collinear {A, B, C}
  shows sides (with-sides (the-ray A B) (the-ray A C)) = {the-ray A B, the-ray A C}

theorem the-angle-with-sides:
  shows the-angle A B C = with-sides (the-ray B A) (the-ray B C)

theorem angle-equality:
  assumes the-ray B A = the-ray B A′ and the-ray B C = the-ray B C′
  shows the-angle A B C = the-angle A′ B C′

theorem angle-sym [simp]:
  shows the-angle C B A = the-angle A B C

theorem interior-side:
  assumes sides Ang = {h, k} and on-ray A k
  shows ∀ P. interior Ang P ⟶ same-half-plane (line-of-ray h) A P

consts congruent-segments :: segment ⇒ segment ⇒ bool
consts congruent-angles :: angle ⇒ angle ⇒ bool

constdefs the-triangle :: pt ⇒ pt ⇒ pt ⇒ pt set
  the-triangle A B C ≡ {A, B, C}

constdefs congruent-triangles :: pt set ⇒ pt set ⇒ bool
  congruent-triangles T1 T2 ≡ ∃ A B C A′ B′ C′.
    T1 = {A, B, C} ∧ T2 = {A′, B′, C′}
    ∧ ¬collinear T1 ∧ ¬collinear T2
    ∧ congruent-segments (the-segment A B) (the-segment A′ B′)
    ∧ congruent-segments (the-segment B C) (the-segment B′ C′)
    ∧ congruent-segments (the-segment A C) (the-segment A′ C′)
    ∧ congruent-angles (the-angle A B C) (the-angle A′ B′ C′)
    ∧ congruent-angles (the-angle B A C) (the-angle B′ A′ C′)
    ∧ congruent-angles (the-angle A C B) (the-angle A′ C′ B′)

axioms
  AxiomIII1: A ≠ C ⟹ ∃ B. same-side A B C ∧ congruent-segments S (the-segment A B)
  AxiomIII2: ⟦ congruent-segments S T;
               congruent-segments S′ T
             ⟧ ⟹ congruent-segments S S′
  AxiomIII3: ⟦ between A B C;
               between A′ B′ C′;
               congruent-segments (the-segment A B) (the-segment A′ B′);
               congruent-segments (the-segment B C) (the-segment B′ C′)
             ⟧ ⟹ cong-segs (the-segment A C) (the-segment A′ C′)
  AxiomIII4a: ¬on-line A (line-of-ray h) ⟹ ∃!k. rays-form-an-angle h k
    ∧ congruent-angles h′k′ (with-sides h k)
    ∧ (∀ P. interior (with-sides h k) P ⟶ same-half-plane (line-of-ray h) A P)
  AxiomIII4b [simp]: congruent-angles hk hk
  AxiomIII5: ⟦ ¬collinear{A, B, C}; ¬collinear{A′, B′, C′};
               congruent-segments (the-segment A B) (the-segment A′ B′);
               congruent-segments (the-segment A C) (the-segment A′ C′);
               congruent-angles (the-angle B A C) (the-angle B′ A′ C′)
             ⟧ ⟹ congruent-angles (the-angle A B C) (the-angle A′ B′ C′)

theorem congruent-segment-refl [simp]:
  shows congruent-segments S S

theorem congruent-segment-sym:
  assumes congruent-segments S T
  shows congruent-segments T S

theorem congruent-segment-trans:
  assumes congruent-segments S T and congruent-segments T U
  shows congruent-segments S U

lemma unique-segment-opposite-angle:
  assumes ¬collinear {A, B, C} and same-side B C C′
    congruent-angles S (the-angle B A C)
    and congruent-angles S (the-angle B A C′)
  shows C = C′

theorem segment-uniqueness:
  assumes A ≠ C
  shows ∃!B. same-side A B C ∧ congruent-segments S (the-segment A B)

theorem twelve:
  assumes ¬collinear {A, B, C}
    ¬collinear {A′, B′, C′}
    congruent-segments (the-segment A B) (the-segment A′ B′)
    congruent-segments (the-segment A C) (the-segment A′ C′)
    and congruent-angles (the-angle B A C) (the-angle B′ A′ C′)
  shows congruent-triangles (the-triangle A B C) (the-triangle A′ B′ C′)