Defining Functions on Equivalence Classes

Lawrence C. Paulson, Computer Laboratory, University of Cambridge Outline of Talk

1. Review of equivalence relations and quotients

2. General lemmas for defining quotients formally

3. Detailed development of the integers

4. Brief treatment of a quotiented datatype

2 Quotient Constructions

Identify values according to an equivalence relation

• terms that differ only by bound variable names • numbers that leave the same residue modulo p numerous applications in algebra, topology, etc.

• quotient constructions of the integers, rationals and non-standard reals; quotient groups and rings

Where are the applications in automated proof?

3 Definitions

• An equivalence relation ∼ on a set A is any relation that is reflexive (on A), symmetric and transitive.

• An equivalence class [x]∼ contains all y where y ∼ x (for x ∈ A)

• If ∼ is an equivalence relation on A, then the quotient space A/∼ is the set of all equivalence classes

• The equivalence classes form a partition of A

4 Examples

The integers: equivalence classes on ℕ×ℕ The integers can be defined• as equivalence classes on pairs of natural numbers related by The integers can be defined as equivalence classes on pairs of natural numbers related by (x, y) (x(u, ,yv) ) (u, v)x v xu vy u y ∼ ∼⇐⇒ ⇐+⇒= ++ = + ≠0 The rational numbers can beThedefined asrationals:equivalence classes equivalencon pairs of integerserelated clabysses on ℤ×ℤ The rational• numbers can be defined as equivalence classes on pairs of integers related by (x, y) (x(u, ,yv) ) (u, v)xv uyxv (uyy, v (0y), v 0) ∼ ∼⇐⇒ ⇐=⇒ = $= $= The integers can be defined using a signed magnitude representation. The rational numbers can be defined as fractions in reduced form. The integers• canλ-betdefinederms:using equivalenca signed magnitude representation.e classesThe onrational α-numbersequivalenccan be definedeas fractions in reduced form. The[x] hyisperreals:the equiv inalencefinitclasse sequency esy ofx reals • ∼ [x] is the equivalence class y y x ∼ { | ∼{ }| ∼ } The equivalence relation partitions(quotientthe set A. Theedquotient withset Arespect/ is defined to tbeothe anset ofultrageneratedfiltby er. ) The equivalence relation partitions the set A. The quotient∼ set A/ is defined to be the set of ∼generated by . Let us examine the construction of the integers. ∼ ∼ Let us examine the construction of the integers.

5 [(x, y)][(xrepresents, y)] representsthe integerthe intex gery x y − −

2 2 The integers can be defined as equivalence classes on pairs of natural numbers related by (x, y) (u, v) x v u y ∼ ⇐⇒ + = +

The rational numbers can be defined as equivalence classes on pairs of integers related by (x, y) (u, v) xv uy (y, v 0) ∼ ⇐⇒ = $=

The integers can be defined using a signed magnitude representation. The rational numbers can be defined as fractions in reduced form.

[x] is the equivalence class y y x ∼ { | ∼ } The equivalence relation partitions the set A. The quotient set A/ is defined to be the set of generated by . ∼ ∼ Let us examine the constructionConstrof the integers.ucting the Integers

[(x, y)] represents the integer x y − The integer operations on equivalence classes:

0 [(0, 0)] = [(x, y)] 2[(y, x)] − = [(x, y)] [(u, v)] [(x u, y v)] + = + + [(x, y)] [(u, v)] [(xu yv, xv vu)] × = + + Such definitions are only leFgitimateunctionif they are deindependentfinitionsof the particular mustelements preserchosen fromvethe theequiv alence classes. To prove equivalence relation. Then the choice ( z) z of representative− −does= not matter. write the integer z as [(x, y)]. ( [(x, y)]) [(y, x)] [(x, y)] − − = −6 =

The proof that addition is associative appeals to the corresponding property for the natural numbers: [(x , y )] [(x , y )] [(x , y )] [(x x x , y y y ]) 1 1 + 2 2 + 3 3 = 1 + 2 + 3 1 + 2 + 3 [(x , y )] [(x , y )] [(x , y )] ! " = 1 1 + 2 2 + 3 3

3 ! " 0 [(0, 0)] = [(x, y)] [(y, x)] − = [(x, y)] [(u, v)] [(x u, y v)] + = + + [(x, y)] [(u, v)] [(xu yv, xv vu)] × = + +

Such definitions are only legitimate if they are independent of the particular elements chosen from the equivalence classes.

To prove Sample Proof: ( z) z 0 [(0, 0)] = − − = [(x, y)] [(y, x)] write the integer z as [(x, y)]. − = [(x, y)] [(u, v)] [(x u, y v)] + = + + [(x, y)] [(u, v)] [(xu yv, xv vu)] • Replace z× by an( arbitrar=[(x,y +equivalency)]) + e cla[(ssy, x)] [(x, y)] Such definitions are only legitimate if they are independent− −of the particular0 elements[(0,chosen0)]=from the−equivalence classes. = = Rewrite using [(x, y)] [(y, x)] To prove • − = [(x, y)] [((uz,)v)] z [(x u, y v)] The proof that addition is associative appeals+− −to =the=corresponding+ + property for the natural numbers: • Proof is trivial:[(x, y)] [(u, v)] [(xu yv, xv vu)] write the integer z as [(x, y)]. × = + +

( , Such definitions) are only(le(gitimate[,(xif,theyy))are]) independent[(yof,the(x)particular] ,[(elementsx, y))chosen] from the(equivalence classes. , ) [ x1 y1 ] [−x−2 y2 ]= − [ x3= y3 ] [ x1 x2 x3 y1 y2 y3] To prove + + = + + + + The proof that addition is associative appeals to the corresponding property( forzthe) naturalz numbers: [(x1, y1)] [(x2, y2)] [(x3, y3)] ! " − − = = + + [(x ,writey )the] integer[(xz as,[(yx, )y)]]. [(x , y )] [(x x x , y y y ]) 1 1 + 2 2 + 3 3 = 1 + 2 + 3 1 + 2 + 3 ( , ) ( , ) ( , ) ! " ( [(x, y)])[ x1 y[(1y], x)][ x2[(xy32, y])] [ x3 y3 ] ! " − − = 7= − + = + 3 ! " The proof that addition is associative appeals to the corresponding property for the natural numbers: [(x , y )] [(x , y )] [(x , y )] [(x x x , y y y ]) 1 1 + 2 2 + 3 3 = 1 + 2 + 3 1 + 2 + 3 [(x , y )] [(x , y )] [(x , y )] ! " = 1 1 + 2 2 + 3 3

3 ! " 0 [(0, 0)] = [(x, y)] [(y, x)] − = [(x, y)] [(u, v)] [(x u, y v)] + = + + [(x, y)] [(u, v)] [(xu yv, xv vu)] Proof that× += is Associative+ + Such definitions are only legitimate if they are independent of the particular elements chosen from the equivalence classes.

To prove ( z) z Replace each integer −by− a pair= of natural numbers. write the integer z as [(x, y)]. ( [(x, y)]) [(y, x)] [(x, y)] Prove by associativity− − =of− + on the= naturals

The proof that addition is associative appeals to the corresponding property for the natural numbers: [(x , y )] [(x , y )] [(x , y )] [(x x x , y y y ]) 1 1 + 2 2 + 3 3 = 1 + 2 + 3 1 + 2 + 3 [(x , y )] [(x , y )] [(x , y )] ! " = 1 1 + 2 2 + 3 3

3 ! "

8 Alternatives to Quotients

• λ-terms? Use de Bruijn’s treatment of variables ✓ • Integers as signed natural numbers? Ugly, with massive case analyses ✗

• Rationals as reduced fractions? Requires serious reasoning about greatest common divisors ✗

• Hyperreals? Quotient groups? ✗✗✗

9 A Formalization of Equivalence Classes R“ x denotes y (x, y) R : the equivalence class [x] { } { | ∈ } R theorem eq equiv class iff: "[[equiv A r; x A; y A]] (r‘‘{x} = r‘‘{y})∈ =∈((x,y) r)" "⇒ ∈ The quotient set is definedFtoormalizingbe the set of equivalence classes. Quotients "A//r x A. {r‘‘{x}}" ≡ ∈ set comprehensions as unions and singleton sets Set comprehensionsA!Formalization of asEqui nestvalenceed unionsClass esof singletons

R“ x denotes y (x, y) R : the equivalence class [x]R f (x , . . . , x ){ }x A , . {. . ,|x A ∈ } . . . f (x , . . . , x ) { 1 n | 1 ∈ 1 n ∈ n} = { 1 n } theorem eq equiv classx1iff:A1 xn An "∈ "∈ " equiv A r; x A; y A Congruence-preserving property:[[ ]] (r‘‘{x} = r‘‘{y})∈ =∈((x,y) r)" congruentExampler : fthis"⇒ deyfinitionz. (y,z) of a quotientr spacf ye= f z∈ The quotient≡set∀is defined to be the set of equi∈valence classes.−→ "A//r x 4 A. {r‘‘{x}}" ≡ ∈ set comprehensions as unions and singleton sets !

The equivalencf (x , . . . , xe cla) xss [x]A , . . . , x A . . . f (x , . . . , x ) { 1 n | 1 ∈ 1 n ∈ n} = { 1 n } x A x A 1∈ 1 n∈ n 10 " " Congruence-preserving property: congruent r f y z. (y,z) r f y = f z ≡ ∀ ∈ −→

4 Typical theorem: [x] = [y]

A Formalizationif andof Equionlvalencey ifClass x es∼ y R“ x denotes y (x, y) R : the equivalence class [x] { } { | ∈ } R theorem eq equiv class iff: "[[equiv A r; x A; y A]] (r‘‘{x} = r‘‘{y})∈ =∈((x,y) r)" "⇒ ∈ The quotient set is defined to be the set of equivalence classes. "A//r x A. {r‘‘{x}}" ≡ ∈ r is anset equivalenccomprehensions as unionse and singleton sets The equivalence classes relation on A ! [x] and [y] f (x , . . . , x ) x A , . . . , x A . . . f (x , . . . , x ) { 1 n | 1 ∈ 1 n ∈ n} = { 1 n } x A x A "1∈ 1 "n∈ n Congruence-preserving property: congruent r f 11y z. (y,z) r f y = f z ≡ ∀ ∈ −→

4 Defining Functions on Equivalence Classes

• Form a set bylemma appleliminatesyinga uniontheo vceroncretthe elementseof functionan equivalence class topro vided the function is Congruence-preserving. all representativeslemma UN equiv class: "[[equiv A r; congruent r f; a A]] • If the function preserves the( equivalencx r‘‘{a}.e relation,f x) = f a"∈ "⇒ ∈ this set will beother a stufsingletf for two-aron.gument Thenfunctions get its element: ! contents x = x { } Example: Defining the Integers Formally (ComprehensionsWe begin by defining arethe equi unions,valence relation. so we collapse c"intrelonstant unions{((x,y),(u,v))) | x y u v. x+v = u+y}" ≡ Next, we introduce the type int. 12 typedef (Integ) int = "UNIV//intrel" by (auto simp add: quotient def) Now we can define the integer constants 0 and 1. "0 Abs Integ(intrel ‘‘ {(0,0)})" "1 ≡ Abs Integ(intrel ‘‘ {(1,0)})" ≡ 5 A Formalization of Equivalence Classes R“ x denotes y (x, y) R : the equivalence class [x] { } { | ∈ } R theorem eq equiv class iff: "[[equiv A r; x A; y A]] (r‘‘{x} = r‘‘{y})∈ =∈((x,y) r)" "⇒ ∈ The quotient set is defined to be the set of equivalence classes. "A//r x A. {r‘‘{x}}" ≡ ∈ set comprehensions as unions and singleton sets !

Af (x ,K. . .ey, x ) Dex fiA ,nition. . . , x A & Lemma. . . f (x , . . . , x ) { 1 n | 1 ∈ 1 n ∈ n} = { 1 n } x A x A "1∈ 1 "n∈ n Congruence-preserving function, f: Congruence-preserving property: congruent r f y z. (y,z) r f y = f z ≡ ∀ ∈ −→ Collapsing unions over equivalenc4 e classes,

lemma eliminateswherea union over fthe iselements a setof-anvaluedequivalence functionclass provided the function is Congruence-preserving. lemma UN equiv class: "[[equiv A r; congruent r f; a A]] ( x r‘‘{a}. f x) = f a"∈ "⇒ ∈ other stuff for two-argument functions If f respects !a equivalence relation, then the contents x = x union{ } over [a] is simply f (a). Example: Defining the Integers Formally We begin by defining the equivalence relation. 13 "intrel {((x,y),(u,v)) | x y u v. x+v = u+y}" ≡ Next, we introduce the type int. typedef (Integ) int = "UNIV//intrel" by (auto simp add: quotient def) Now we can define the integer constants 0 and 1. "0 Abs Integ(intrel ‘‘ {(0,0)})" "1 ≡ Abs Integ(intrel ‘‘ {(1,0)})" ≡ 5 lemma eliminates a union over the elements of an equivalence class provided the function is Congruence-preserving. lemma UN equivlemma eliminatesclass:a union over the elements of an equivalence class provided the function is Congruence-preserving. " equiv A r; congruent r f; a A [[ lemmalemmaeliminatesUNa unionequivover the elementsclass:of an equivalence class provided]] the function is Congruence-preserving. ( x r‘‘{a}. f x) = f a"∈ "⇒ lemma∈UN"[[equivequiv Aclass:r; congruent r f; a A]] other stuff for two-argument functions ∈ Constr! "[[equivucting( Axr; r‘‘{a}.congruent the Intf x)regersf;= fa a"A]] "⇒ ∈ ∈ contents xother=stufxf for two-argument( functionsx r‘‘{a}. f x) = f a" { } "⇒ ! ∈ Example: Definingothercontentsstufthef for twInteo-argumentgersxfunctionsFormall= x y The{ !equivalenc} e relation: We begin by defining thecontentsequivalence relation. x = x Example: Defining{ } the Integers Formally "intrelWe begin{((x,y),(u,v))by defining the equivalence relation. | x y u v. x+v = u+y}" Example:≡ Defining the Integers Formally Next, we introduce the typeWeint.begin by "intreldefining the equivalence relation.{((x,y),(u,v)) | x y u v. x+v = u+y}" ≡ typedef (Integ)The Netyxt,pewe"intrelintintroduce definitionthe= type"UNIV//intrel"int. (quotienting{((x,y),(u,v)) the universal| x y setu )v.: x+v = u+y}" (auto simp add: quotient≡ def) by Netypedefxt, we introduce(Integ)the type int. int = "UNIV//intrel" Now we can define the intetypedefger constantsby (auto0(Integ)and 1. simpintadd:= "UNIV//intrel"quotient def) "0 Abs NoInteg(intrelbyw we can(autodefine the intesimpger constants‘‘add:0{(0,0)})"and 1. quotient def) ≡ The constants zero and one: "1 AbsNowInteg(intrelwe"0can define theAbsinteger constantsInteg(intrel‘‘0 and{(1,0)})"1. ‘‘ {(0,0)})" ≡ ≡ "0"1 AbsAbsInteg(intrelInteg(intrel5 ‘‘‘‘{(0,0)})"{(1,0)})" ≡ "1 ≡ Abs Integ(intrel ‘‘ {(1,0)})" ≡ 5 5 14 Proving that intrel is an equivalence relation requires a one-line simplifier call. every integer is represented by a pair of natural numbers. Proving that intrel is an equivalence relation requires a one-line simplifier call. Proving that intrel is an equivalence relation requires a one-line simplifier call. z xyeveryz integer[(isxrepresented, y)] by a pair of natural numbers. every integer is represented by a pair of natural numbers. ∀ ∃ = z xy z [(x, y)] z xy z [(x, y)] ∀ ∃ = lemma∀ eq∃ Abs= Integ [cases type: int]: lemma eqDeAbs Integfining[cases Unartype:y"( Minusint]:lemmax y. eqz =AbsAbsIntegInteg(intrel‘‘{(x,y)})[cases type: int]: P) P" "( x y. z = Abs Integ(intrel‘‘{(x,y)})"( x y. zP)= AbsP"Integ(intrel‘‘{(x,y)})#⇒ P) #⇒ P" Unary!minus, A#⇒One-Ar#gument⇒ Function #⇒ #⇒ Unary!minus, AAlOne-Arl representativesgument Function of theWe cannotintegerUnarypick an !zarbitraryminus,elementA One-Arof an equivgumentalence class,Functionbut if the function is congruent, the choice of element does not matter. We cannot pick an arbitrary element of an equivalence class, but if the functionTherefore,is congruent,Wwee cannotformtheapicksetchoiceconsistingan ofarbitraryelementofelementdoesall valuesnotofmatterangeneratedequi. valenceby allclass,elementsbut if ofthethefunctionequivalenceis congruent,class. Thisthe choiceset willof simplifyelement doesto a singleton,not matter. Therefore, we form a set consisting of all values generated by all elementswhoseof the equivaluevalencewillclass.be returnedThis set willvia simplifythe equationto a singleton,contents x = x. Therefore, we form a set consisting of all values generated{ } by all elements of the equivalence class. This set will simplify to a singleton, whose value will be returned via the equation contents x = x. { } whose value will be returned via the equation contents x = x. { } "-z contents ( (x,y) Rep Integ z. "-z contents ( (x,y) Rep Integ "-z≡z. contents ( (x,y)∈ Rep Integ z. ≡ { Abs Integ(intrel‘‘{(y,x)})∈ ≡ })"{ Abs Integ(intrel‘‘{(y,x)})∈ })" " " { Abs Integ(intrel‘‘{(y,x)}) })" Here intrel ‘‘ {(y,x)} denotes the equivalence class Here intrel ‘‘ {(y,x)} denotes the equivalence "class Here intrel ‘‘ {(y,x)} denotes the equivalence class [(y, x)] [(y, x)] The argument of contents is the collectionTheof all inteequivalencgers [(y, x)] such thate cla(x, y)ssbelongs[(yto,thexequi)] valence class for z. This collection The argument of contents is the collection of all integers [(y, x)] such that (x, y) belongs to the equivalence class for z. This collection will turn out to be a singleton. The argument of contents is the collection of all integers [(y, x)] such that (x, y) belongs to the equivalence class for z. This collection prove its characteristic equation will turn outwilltoturnbe aoutsingleton.to be a singleton. [(x, y)] [(y, x)] prove its charprovacteristice its characteristicequationequation −The desired= characteristic equation: [(x, y[)(]x, y[)(]y, x[()]y, x)] − − = = 6

6 6 15 Proving the Characteristic Equation

The definition respects the equivalence relation. lemma minus: "- Abs Integ(intrel‘‘{(x,y)}) = Abs Integ(intrel ‘‘ {(y,x)})" proof - have "congruent intrel (λ(x,y). {Abs Integ (intrel‘‘{(y,x)})})" by (simp add: congruent def) thus ?thesis by (simp add: minus int def UN equiv class [OF equiv intrel]) qed

The first part of the proof concerns congruence. The second part of the proof establishes the desired equation using the definition of negation (minus int def) and our theorem about unions over equivalence classes. Given the characteristic equation, proving properties of unary negation is trivial. Consider the proof that negationRisesultself-cancelling. follows by definition, lemma "- (-simplifyingz) = z" with a general lemma. by (cases z, simp add: minus) Two-Argument Functions on Equi16valence Classes Addition: There are simply two unions instead of one. "z + w contents≡ ( (x,y) Rep Integ z. (u,v) Rep Integ w. { Abs Integ(intrel‘‘{(x+u,∈ y+v)})∈ })" ! ! 7 Reasoning About Minus

The characteristic equation lets other proofs resemble tlemmaextbookminus: ones. "- Abs Integ(intrel‘‘{(x,y)}) = Abs Integ(intrel ‘‘ {(y,x)})" proof - Step 1: uses caseshave "congruent to replacintrel e(λ (x,y).each {AbsintegerInteg (intrel‘‘{(y,x)})})"by an by (simp add: congruent def) arbitrary pairthus of?thesis natural numbers. by (simp add: minus int def UN equiv class [OF equiv intrel]) qed

Step 2: simplifyThe first part usingof the proof theconcerns equationcongruence. The second andpart of thelawsproof establishes aboutthe desired equation using the definition of negation (minus int def) and our theorem about unions over equivalence classes. the naturalGi vnumbers.en the characteristic equation, proving properties of unary negation is trivial. Consider the proof that negation is self-cancelling.

lemma "- (- z) = z" by (cases z, simp add: minus) Two-Argument Functions on Equivalence Classes Addition: There are simply two unions instead of one.

"z + w 17 contents≡ ( (x,y) Rep Integ z. (u,v) Rep Integ w. { Abs Integ(intrel‘‘{(x+u,∈ y+v)})∈ })" ! ! 7 lemma minus: "- Abs Integ(intrel‘‘{(x,y)}) = Abs Integ(intrel ‘‘ {(y,x)})" proof - have "congruent intrel (λ(x,y). {Abs Integ (intrel‘‘{(y,x)})})" by (simp add: congruent def) thus ?thesis by (simp add: minus int def UN equiv class [OF equiv intrel]) qed

The first part of the proof concerns congruence. The second part of the proof establishes the desired equation using the definition of negation (minus int def) and our theorem about unions over equivalence classes. Given the characteristic equation, proving properties of unary negation is trivial. AConsider Tthe proofwthatoneg-ationArgumentis self-cancelling. Function lemma "- (- z) = z" by (cases z, simp add: minus) z w TwAlo-Arl gumentrepresentativesFunctions on Equi of vthealence intCegerslasses and Addition: There are simply two unions instead of one. "z + w contents≡ ( (x,y) Rep Integ z. (u,v) Rep Integ w. { Abs Integ(intrel‘‘{(x+u,∈ y+v)})∈ })" ! ! 7 The desired characteristic equation:

The characteristic equation for addition [(x, y)] [(u, v)] [(x u, y v)] + = + + lemma add: "Abs Integ (intrel‘‘{(x,y)}) + Abs Integ (intrel‘‘{(u,v)}) = Abs Integ The(intrel‘‘{(x+u, obvious generalizationy+v)})" of the one-argument case unary minus distributes over addition. lemma "-(z + w) = (-z) + (-w)" by (cases z, cases w),18 simp add: minus add) the ordering ( ) ≤ "z (w::int) ≤x y u v. x+v u+y & ≡ ∃ (x,y)≤ Rep Integ z & (u,v) Rep Integ w" ∈ ∈ the characteristic equation directly [(x, y)] [u, v] x v u y ≤ ⇐⇒ + ≤ + lemma le: "(Abs Integ(intrel‘‘{(x,y)}) Abs Integ(intrel‘‘{(u,v)})) = (x+v u+y)" ≤ ≤ by (force simp add: le int def)

8 Proofs About Addition

The characteristic equation: The characteristic equation for addition [(x, y)] [(u, v)] [(x u, y v)] + = + + lemma add: "Abs Integ (intrel‘‘{(x,y)}) + Abs Integ (intrel‘‘{(u,v)}) = The characteristicAbs Integequation(intrel‘‘{(x+u,for addition [(x, y)]y+v)})"[(u, v)] [(x u, y v)] + = + + unarylemmaminusadd:distributes over addition. "Abs Integ (intrel‘‘{(x,y)}) + Abs Integ (intrel‘‘{(u,v)}) = lemmaAbs Integ"-(z(intrel‘‘{(x+u,+ w) = (-z)y+v)})"+ (-w)"

A byunarytypicalminus(casesdistrib theorem:utes oz,ver addition.cases w), simp add: minus add) the ordering ( ) lemma "-(z≤ + w) = (-z) + (-w)" "zby (cases(w::int)z, cases w), simp add: minus add) ≤ the orderingx y u( )v. x+v u+y & ≡ ∃ ≤ (x,y)≤ Rep Integ z & (u,v) Rep Integ w" Proof"z , a(w::int)s usual, by cases∈ and simplification ∈ the characteristic≤x yequationu directlyv. x+v u+y & [(≡x, y∃)] [u, v] (x,y)x ≤ v Repu Integy z & (u,v) Rep Integ w" ≤ ⇐⇒ + ∈ ≤ + ∈ lemmathe characteristicle: equation directly "(Abs Integ(intrel‘‘{(x,y)}) Abs Integ(intrel‘‘{(u,v)})) [(x=, y(x+v)] [uu+y)", v] x v ≤u y ≤ by (force≤simp add:⇐⇒le int19+def)≤ + lemma le: "(Abs Integ(intrel‘‘{(x,y)}) Abs Integ(intrel‘‘{(u,v)}))8 = (x+v u+y)" ≤ ≤ by (force simp add: le int def)

8 The characteristic equation for addition [(x, y)] [(u, v)] [(x u, y v)] + = + + lemma add: "Abs Integ (intrel‘‘{(x,y)}) + Abs Integ (intrel‘‘{(u,v)}) = The characteristic equation Absfor additionInteg[(x, y)(intrel‘‘{(x+u,] [(u, v)] [(x u, yy+v)})"v)] The characteristic equation for addition+ = + + lemma add: [(x, y)] [(u, v)] [(x u, y v)] "Abs Integunary(intrel‘‘{(x,y)})minus distributes over+ addition.Abs Integ +(intrel‘‘{(u,v)})= = + + lemmaAbs Integadd:(intrel‘‘{(x+u, y+v)})" "Abs Integ (intrel‘‘{(x,y)}) + Abs Integ (intrel‘‘{(u,v)}) = unary minus distriblemmautes over addition. "-(z + w) = (-z) + (-w)" Abs Integ (intrel‘‘{(x+u, y+v)})" lemma "-(zby (cases+ w) = (-z)z,+ (-w)"cases w), simp add: minus add) byunaryDe(casesminus distribfiz,utesningcasesover addition.w), Thesimp add: Orderingminus add) the orderingthe( ordering) ( ) lemma "-(z≤ + w)≤ = (-z) + (-w)" "zby (cases(w::int)"z z,(w::int)cases w), simp add: minus add) ≤x y u v.≤ x+v u+y & the≡ ∃ordering ((x,y)x) y≤u Repv.Integx+vz & (u,v)u+y & Rep Integ w" ≡ ∃ ≤ ∈ ≤ ∈ the characteristic equation directly (x,y) Rep Integ z & (u,v) Rep Integ w" "z (w::int) [(x, y)] [u, v] x v u y ∈ ∈ The≤ ≤desiredthe characteristic⇐⇒ charactequation+ ≤directly+eristic equation: lemma le: x y u v. x+v u+y & "(Abs≡ ∃Integ(intrel‘‘{(x,y)}) Abs≤Integ(intrel‘‘{(u,v)})) = (x+v [(xu+y)", y)] [((x,y)u, ≤v)] Repx Integv u z y& (u,v) Rep Integ w" ≤ by (force simp add: le≤int def) ⇐∈⇒ + ≤ + ∈ the characteristiclemmaequationle:directly 8 I[(tsx, proof:y)] "(Abs[u, vInteg(intrel‘‘{(x,y)})] x v u y Abs Integ(intrel‘‘{(u,v)})) = (x+v u+y)" ≤ ≤ ≤⇐⇒ + ≤ + lemma le:by (force simp add: le int def) "(Abs Integ(intrel‘‘{(x,y)}) Abs Integ(intrel‘‘{(u,v)})) ≤ = (x+v u+y)" 8 ≤ by (force simp add: le int def)

8 We are not forced to treat relations as functions.

20 How to Define a Quotiented Recursive Datatype

1. Define an ordinary datatype: a free algebra.

2. Define an equivalence relation expressing the desired equations.

3. Define the new type to be a quotient.

4. Define its abstract constructors and other operations as functions on equivalence classes.

21 Quotienting a Recursive Data type To define a datatype with equational constraints, first define an ordinary datatype (which will be a free algebra). Then,Adefine Man equivalenceessarelation expressinggethe desiredDatatyequations. Finally, quotientpethe datatype. The free datatype constructors are lifted to the new recursive datatype, using the techniques of function definition described above. To define other functionsQuotientingon the new datatype,a Recursifirst definevea concreteData vtypeersion on the free datatype and then lift it. To define a datatype with equational constraints, first define an ordinary datatype (which will be a free algebra). datatype Then, define an equivalence relation expressing the desired equations. Finally, quotient the datatype. freemsgThe free datatype=constructorsNONCEare liftednatto the new recursive datatype, using the techniques of function definition described above. To define other functions| MPAIRon the new datatype,freemsgfirst define a concretefreemsgversion on the free datatype and then lift it. datatype| CRYPT nat freemsg freemsg| DECRYPT= NONCEnat freemsgnat inductive "msgrel" | MPAIR freemsg freemsg intros | CRYPT nat freemsg CD: "CRYPT K (DECRYPT K X) X" DC: "DECRYPT K (CRYPT |K X)DECRYPT∼ X" nat freemsg CanNONCE: encr"NONCEyptionN NONCEand decrN" ∼yption to be inverses? ∼ MPAIR: "[[X X’; Y Y’]] MPAIR X Y MPAIR X’ Y’" DK (EK (X)) X and EK (DK (X)) X CRYPT: "X ∼X’ =CRYPT∼ K"⇒X CRYPT K ∼X’"= DECRYPT: "X∼ X’"⇒ DECRYPT K∼ X DECRYPT K X’" SYM: "X ∼Y "Y⇒ X" ∼ ∼ "⇒ ∼ TRANS: "[[X Y; Y Z]] X Z" ∼ ∼ "⇒ ∼ 9

22 9 The Equivalence Relation

The desired equations

inductive "msgrel" intros CD: "CRYPT K (DECRYPT K X) X" DC: "DECRYPT K (CRYPT K X) ∼ X" NONCE: "NONCE N NONCE N" ∼ ∼ MPAIR: "[[X X’; Y Y’]] MPAIR X Y MPAIR X’ Y’" CRYPT: "X ∼X’ CRYPT∼ K"⇒X CRYPT K ∼X’" DECRYPT: "X∼ X’"⇒ DECRYPT K∼ X DECRYPT K X’" SYM: "X ∼Y "Y⇒ X" ∼ ∼ "⇒ ∼ TRANS: "[[X Y; Y Z]] X Z" ∼ ∼ "⇒ ∼ "Nonce N == Abs Msg(msgrel‘‘{NONCE N})"

"MPair X Y == SymmetrAbs Msgy and( U Rep Msg X. V Rep MsgFY.ormsgrel‘‘{MPAIR the abstractU V})" transitivity ∈ ∈ constructors "Crypt K X !== Abs Msg ( U!Rep Msg X. msgrel‘‘{CRYPT K U})" ∈ "Decrypt K X == Abs Msg!( U Rep Msg X. msgrel‘‘{DECRYPT K U})" ∈ Related work ! 23 John Harrison package for HOL declares the type and operations and returns theorems about those operations. However, such a package is not essential. The necessary definitions are straightforward and the reasoning about equivalence classes poses no difficulties. Homeier: special support for quotient constructions on recursive data types.

10 inductiDeve "msgrel"fining Functions on the intros CD: "CRYPT K (DECRYPT K X) X" DC: Quotient"DECRYPT K (CRYPTedK X) Dataty∼ X" pe NONCE: "NONCE N NONCE N" ∼ ∼ MPAIR: "[[X X’; Y Y’]] MPAIR X Y MPAIR X’ Y’" CRYPT: "X ∼X’ CRYPT∼ K"⇒X CRYPT K ∼X’" • DestrDECRYPT:uct"Xors∼ : X’de"⇒fineDECRYPT first onK∼ Xthe DECRYPTfree datatyK X’"pe, SYM: "X ∼Y "Y⇒ X" ∼ respecting∼ ∼, "then⇒ ∼ transfer. TRANS: "[[X Y; Y Z]] X Z" ∼ ∼ "⇒ ∼ •"NonceConstrN ==uctAbsorsMsg(msgrel‘‘{NONCE: define like otherN})" functions on

"MPairequivalencX Y == e relations. They respect ∼ by its Abs Msg ( U Rep Msg X. V Rep Msg Y. msgrel‘‘{MPAIR U V})" definition∈. ∈ "Crypt K X !== Abs Msg ( U!Rep Msg X. msgrel‘‘{CRYPT K U})" ∈ "Decrypt K X == Abs Msg!( U Rep Msg X. msgrel‘‘{DECRYPT K U})" ∈ Related work ! John Harrison package for HOL declares the type and operations and returns theorems about those operations. However, such a package is not essential. The necessary definitions are straightforward and the reasoning about equivalence classes poses no difficulties. Homeier: special support for quotient constructions on recursive data types. 24 10 Related Work

• HOL-4 packages by Harrison and Homeier • lift concrete functions to abstract ones • Isabelle/HOL theories • Slotosch: partial equivalence relations • Wenzel: axiomatic type classes • All using Axiom of Choice (Hilbert’s ε-operator)

25 Conclusions

• Working with functions defined on quotient spaces is easy, using set comprehension.

• Any tool for set theory or HOL is suitable. (Arthan uses similar ideas with ProofPower.)

• The axiom of choice is not required. • With correct lemmas, simplification is automatic.

26