A Formal Proof of the Independence of the Continuum Hypothesis

Jesse Michael Han, Department of Mathematics, University of Pittsburgh, Pittsburgh, PA, USA, [email protected]
Floris van Doorn, Department of Mathematics, University of Pittsburgh, Pittsburgh, PA, USA, [email protected]

Abstract
We describe a formal proof of the independence of the continuum hypothesis (CH) in the Lean theorem prover. We use Boolean-valued models to give forcing arguments for both directions, using Cohen forcing for the consistency of ¬CH and a σ-closed forcing for the consistency of CH.

CCS Concepts • Theory of computation → Logic and verification; Type theory.

Keywords Interactive theorem proving, formal verification, continuum hypothesis, forcing, Lean, set theory, ZFC, Boolean-valued models

ACM Reference Format:
Jesse Michael Han and Floris van Doorn. 2020. A Formal Proof of the Independence of the Continuum Hypothesis. In Proceedings of the 9th ACM SIGPLAN International Conference on Certified Programs and Proofs (CPP '20), January 20–21, 2020, New Orleans, LA, USA. ACM, New York, NY, USA, 14 pages. https://doi.org/10.1145/3372885.3373826

CPP '20, January 20–21, 2020, New Orleans, LA, USA. © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-7097-4/20/01...$15.00. https://doi.org/10.1145/3372885.3373826
arXiv:2102.02901v1 [math.LO] 4 Feb 2021

1 Introduction
The continuum hypothesis (CH) states that there is no cardinality between ω, the smallest infinite cardinal, and 𝔠, the cardinality of the continuum. It was posed by Cantor [6] in 1878 and was the first problem on Hilbert's list of twenty-three unsolved problems in mathematics. Gödel [14] proved in 1938 that CH was consistent with Zermelo-Fraenkel set theory with the axiom of choice (ZFC). He conjectured that CH was independent, i.e. neither provable nor disprovable, from ZFC. This remained an open problem until 1963, when Cohen developed forcing [8, 9] and used it to prove the consistency of ¬CH with ZFC, completing the independence proof. This work started modern set theory, and for his invention of forcing, Cohen was awarded a Fields medal.

The independence of CH has also been an open formalization problem. Since 2005, Freek Wiedijk has maintained a list (Formalizing 100 theorems [47]) of one hundred problems for formalized mathematics, with the independence of CH as the 24th. As of 2019, it was one of the six remaining problems.

In this paper we describe the successful completion of the Flypitch project¹ (Formally proving the independence of the continuum hypothesis). We formalize forcing with Boolean-valued models. We use Cohen forcing to construct a Boolean-valued model of ZFC where CH is false, and a σ-closed forcing to construct a Boolean-valued model of ZFC where CH is true. We then combine this with a deep embedding of first-order logic, including a proof system and the axioms of ZFC, to verify that CH is neither provable nor disprovable from ZFC.²

Our formalization uses the Lean 3 theorem prover, building on top of mathlib [29]. Lean is an interactive proof assistant under active development at Microsoft Research [10, 44]. It has a similar metatheory to Coq, adding definitional proof irrelevance, quotient types, and a noncomputable choice principle. Our formalization makes as much use of the expressiveness of Lean's dependent type theory as possible, using constructions which are impossible or unwieldy to encode in HOL, let alone ZF. The types of cardinals and ordinals in mathlib, which are defined as proper equivalence classes of (well-ordered) types, live one universe level higher than the types used to construct them, and our models of set theory require as input an entire universe of types. Our encoding of first-order logic also uses parameterized inductive types which ensure that type-correctness implies well-formedness, eliminating the need for separate well-formedness proofs.

The method of forcing with Boolean-valued models was developed by Solovay and Scott [38, 40] as a simplification of Cohen's method. Some of these simplifications were incorporated by Shoenfield [43] into a general theory of forcing using partial orders, and it is in this form that forcing is usually practiced. While both approaches have essentially the same mathematical content (see e.g. [25, 26, 30]), there are several reasons why we chose to use Boolean-valued models. The main reason is the directness of forcing with Boolean-valued models, which bypasses the need for the Löwenheim-Skolem theorems, Mostowski collapse, countable transitive models, or genericity considerations for filters. The theory of forcing with Boolean-valued models also cleanly splits into several parts, allowing us to formalize different components in parallel (e.g. a general theory of Boolean-valued semantics, a library for calculations in complete Boolean algebras, a construction of Boolean-valued models of set theory) and later recombine them. In particular, our library for Boolean-valued semantics for first-order logic is completely general and can be reused for other formalization projects. Finally, our Boolean-valued models of set theory are inductive types generalizing the Aczel encoding of set theory into dependent type theory; consequently, the automatically-generated induction principle is ∈-induction, leading to cleaner proofs.

¹ https://flypitch.github.io
² https://github.com/flypitch/flypitch

1.1 Proof Outline
The usual method to show that a statement is unprovable is to construct a model where the statement is false, and apply the soundness theorem; our method is similar, except that we use Boolean-valued semantics and a Boolean-valued soundness theorem (see Section 3). The difference between Boolean-valued models and ordinary models is that the truth values in a Boolean-valued model M live in a complete Boolean algebra (B, ⊓, ⊔, ⨅, ⨆, ⊥, ⊤). If we can construct two Boolean-valued models of ZFC, one where CH is true (⊤), and one where CH is false (⊥), then by the Boolean-valued soundness theorem, CH is independent from ZFC.

For any complete Boolean algebra B we implement the set-theoretic universe V^B of B-valued sets by generalizing the Aczel encoding of set theory (called pSet, see Section 4), obtaining a type bSet B of B-valued sets. The fundamental theorem of forcing for Boolean-valued models [17], translated to our situation, then states that bSet B is a B-valued model of ZFC.

To show the independence of CH, it remains to construct two appropriate complete Boolean algebras. The properties of bSet B can vary wildly depending on the choice of the complete Boolean algebra B. There is always a map check : pSet → bSet B, x ↦ x̌, but in general, x̌ might have different properties than x. Making a good choice of B and controlling the behavior of the check-names is precisely the task of forcing (Section 5).

Traditional presentations of forcing, even with Boolean-valued models (e.g. [4], [25]), are careful to stay within the foundations of ZFC, emphasizing that all arguments may be performed internal to a model of ZFC, etc. In order to formalize these set-theoretic arguments in a type-theoretic metatheory, it is important to separate their mathematical content from their metamathematical content. It is not immediately clear what parts of these arguments use their set-theoretic foundation in an essential way and require modification in the passage to type theory. Our formalization clarifies some of these questions.

We use custom domain-specific tactics and various forms of automation throughout our formalization, notably a tactic library for simulating natural deduction proofs inside a complete Boolean algebra (Section 6). This reveals another advantage of working in a proof assistant: the bookkeeping of Boolean truth-values, sometimes regarded as a tedious aspect of the Boolean-valued approach to forcing, can be automated away.

Contributions An earlier paper [18] describes a formalization of Cohen forcing and the unprovability of CH. In order to keep our presentation self-contained, we reproduce some of that material here, incorporating it into our discussions of our deep embedding of first-order logic/Boolean-valued semantics, usage of metaprogramming, and the Cohen forcing argument. Our main novel contribution is a formalization of collapse forcing and the unprovability of ¬CH, thereby providing the first formalization of the independence of CH in a single theorem prover. For reasons we will see in Section 5, the forcing argument for CH requires far more set theory and is harder to formalize than the forcing argument for ¬CH. Moreover, we elaborate on parts of the formalization which were omitted from [18], including expanded discussions of our implementation of the ZFC axioms and our formalization of the Δ-system lemma.

Sources Our strategy for forcing ¬CH is a synthesis of the proofs in the textbooks of Bell ([4], Chapter 2) and Manin ([27], Chapter 8). For the Δ-system lemma, which we use to verify that Cohen forcing is CCC, we follow Kunen ([26], Chapters 1 and 5). We were unable to find a reference for a purely Boolean-valued account of forcing CH. We loosely followed the conventional arguments given by Weaver ([45], Chapter 12) and Moore ([30]), and base our construction of B_collapse on the collapse algebras defined by Bell ([4], Exercise 2.18).

Related Work Set theory and first-order logic are both common targets for formalization. Shankar [41] used a deep embedding of first-order logic for incompleteness theorems. Harrison gives a deeply-embedded implementation of first-order logic in HOL Light [19] and a proof-search style account of the completeness theorem in [20]. Other formalizations of first-order logic can be found in Isabelle/HOL ([36], [37], [5]) and Coq ([24], [31]). A large body of formalized set theory has been completed in Isabelle/ZF, led by Paulson and his collaborators [32, 33, 35], including the relative consistency of AC with ZF [34]. Building on this, Gunther, Pagano, and Terraf have taken some first steps towards formalizing forcing [15, 16], by way of generic extensions of countable transitive models.

2 First-Order Logic
The starting point for first-order logic is a language of relation and function symbols. We represent a language as a pair of ℕ-indexed families of types, each of which is to be thought of as the collection of relation (resp. function) symbols stratified by arity:

    structure Language : Type (u+1) :=
    (functions : ℕ → Type u)
    (relations : ℕ → Type u)

2.1 Terms, Formulas and Proofs
The main novelty of our implementation of first-order logic is the use of partially applied terms and formulas, encoded in a parameterized inductive type where the ℕ parameter measures the difference between the arity and the number of applications. The benefit of this is that it is impossible to produce an ill-formed term or formula, because type-correctness is equivalent to well-formedness. This eliminates the need for separate well-formedness proofs.

Fix a language L. We define the type of preterms as follows:

    inductive preterm (L : Language.{u}) : ℕ → Type u
    | var : ℕ → preterm 0                               -- notation &
    | func {l : ℕ} : L.functions l → preterm l
    | app {l : ℕ} : preterm (l+1) → preterm 0 → preterm l

A member of preterm n is a partially applied term. If applied to n terms, it becomes a term. We define the type of well-formed terms term L to be preterm L 0.

The type of preformulas is defined similarly:

    inductive preformula (L : Language.{u}) : ℕ → Type u
    | falsum : preformula 0                             -- notation ⊥
    | equal : term L → term L → preformula 0            -- notation ≃
    | rel {l : ℕ} : L.relations l → preformula l
    | apprel {l : ℕ} : preformula (l+1) → term L → preformula l
    | imp : preformula 0 → preformula 0 → preformula 0  -- notation ⟹
    | all : preformula 0 → preformula 0                 -- notation ∀'

We choose this definition of preformula to mimic preterm. A member of preformula n is a partially applied formula, and if applied to n terms, it becomes a formula. The type of well-formed formulas formula L is defined to be preformula L 0. Implication is the only primitive binary connective and universal quantification is the only primitive quantifier. Since we use classical logic, we can define the other connectives and quantifiers from these. Note that implication and the universal quantifier cannot be applied to preformulas that are not fully applied.

It is also possible to define well-typed terms and formulas using vectors of terms and nested inductive types. However, we avoided these kinds of definitions because Lean has limited support for nested inductive types. In the case of formulas, this would not even result in a nested inductive type, but we found it more convenient to adapt operations and proofs from preterm to preformula using our definition.

We use de Bruijn indices to avoid variable shadowing. This means that the variable &m under k quantifiers is bound if m < k and otherwise represents the (m − k)-th free variable. We define the usual operations of lifting and substitution for terms and formulas, needed when using de Bruijn variables. The notation t ↑' n # m means the preterm or preformula t where all variables which are at least m are increased by n. The lift t ↑' n # 0 is abbreviated to t ↑ n. The substitution t[s // n] is defined to be the term or formula t where all variables that represent the n-th free variable are replaced by s. More specifically, if an occurrence of a variable &(n+k) is under k quantifiers, then it is replaced by s ↑ (n+k). Variables &m for m > n + k are replaced by &(m-1).

Our proof system is a natural deduction calculus, and all rules are motivated to work well with backwards-reasoning. The type of proof trees is given by the following inductive family of types:

    inductive prf : set (formula L) → formula L → Type u
    | axm Γ A : A ∈ Γ → prf Γ A
    | impI Γ A B : prf (insert A Γ) B → prf Γ (A ⟹ B)
    | impE Γ A B : prf Γ (A ⟹ B) → prf Γ A → prf Γ B
    | falsumE Γ A : prf (insert ∼A Γ) ⊥ → prf Γ A
    | allI Γ A : prf ((λ f, f ↑ 1) '' Γ) A → prf Γ (∀' A)
    | allE₂ Γ A t : prf Γ (∀' A) → prf Γ (A[t // 0])
    | ref Γ t : prf Γ (t ≃ t)
    | subst₂ Γ s t f : prf Γ (s ≃ t) → prf Γ (f[s // 0]) → prf Γ (f[t // 0])

In allI the notation (λ f, f ↑ 1) '' Γ means lifting all free variables in Γ by one. A term of type prf Γ A, denoted Γ ⊢ A, is a proof tree encoding a derivation of A from Γ. We also define provability as the proposition stating that a proof tree exists.

    def provable (Γ : set (formula L)) (f : formula L) : Prop := nonempty (prf Γ f)

Our current formalization does not use the data of proof trees in an essential way, but we defined them so that we can define manipulations on proof trees (like detour elimination) in future projects. Besides Boolean-valued semantics (Section 3), we also formalize ordinary first-order semantics, and our work includes a formalization of the completeness (and compactness) theorems using Henkin term models.

2.2 ZFC
Usually, the language of set theory has one binary relation symbol and no function symbols. To make the language easier to work with, and to concisely formulate the continuum hypothesis, we conservatively extend ZFC with the following function symbols: the empty set ∅, ordered pairing (−, −), the natural numbers ω, power set P(−) and union ⋃(−). This gives a conservative extension of the regular theory of ZFC, because these function symbols are all definable.

In Figure 1 we have listed all the axioms of ZFC written using named variables (the formalization uses de Bruijn variables). We also include the definition of ordinal, which is used in the axiom of infinity. Note that epsilon_wellfounded follows for every set from the axiom of regularity, but we add it for the sake of completeness. The only axiom scheme is axiom_of_collection, which ranges over all formulas φ(x, y, p) with (at most) n+2 free variables, where p is a vector of length n.

Now CH is defined to be the sentence

    CH := ∀x, Ord(x) ⇒ x ≤ ω ∨ P(ω) ≤ x,

where x ≤ y means that there is a surjection from a subset of y to x. In code, we have:

    def CH_formula : formula L_ZFC :=
    ∀' (is_ordinal ⟹ leq_f[omega_t // 1] ⊔ leq_f[Powerset_t omega_t // 0])

The substitutions ensure that the formulas are applied to the correct arguments, and ⊔ is notation for disjunction.

3 Boolean-Valued Semantics
A complete Boolean algebra is a Boolean algebra B with additional operations infimum (⨅) and supremum (⨆) of any subset of B. We use ⊓, ⊔, ⟹, ⊤, and ⊥ to denote meet, join, material implication, top, and bottom. For more details on complete Boolean algebras, we refer the reader to the textbook of Halmos-Givant [13].

Definition 3.1. Fix a language L and a complete Boolean algebra B. A B-valued structure (or bStructure L B) is a type M equipped with the following.
• for every n-ary function symbol a map M^n → M;
• for every n-ary relation symbol a map M^n → B;
• a function ≈ : M → M → B that is a Boolean-valued congruence relation. This means that e.g. (x ≈ y) ⊓ (y ≈ z) ≤ (x ≈ z) and that ⨅_i (x_i ≈ y_i) ≤ (f(x⃗) ≈ f(y⃗)). There are similar conditions for reflexivity, symmetry and congruence for relation symbols.

Given a preterm t in the language, we can realize it in any B-valued structure M. For this, we need to know the free variables in t. To do this conveniently with de Bruijn variables, we say that a (pre)term t is bounded by l if all free variables are less than l (i.e. all variables under k quantifiers are less than k+l). Given t : preterm n which is bounded by l, and a realization v : vector M l of the free variables, we define the realization ⟦t⟧_M^v : M^n → M by structural recursion on t.

For a formula φ we do the same: we define bounded (pre)formulas, and define a realization ⟦φ⟧_M^v : M^n → B by structural recursion. If φ is a sentence, the realization in a structure is just an element of the Boolean algebra: ⟦φ⟧_M : B.

Since the truth values in a Boolean-valued model live inside the Boolean algebra B instead of just being true or false, we have to take a little care when stating the soundness theorem for Boolean-valued models. Usually, a soundness theorem states something like "if φ is provable from hypotheses in C then in every model where C holds, φ also holds." With Boolean truth-values, this is instead stated as an inequality of truth values.

Definition 3.2. For Γ : B and a B-valued structure M we say that Γ forces a sentence φ in M, written Γ ⊩_M φ, if Γ ≤ ⟦φ⟧_M. We say that a set of sentences C models φ, written C ⊨_B φ, if for all non-empty B-valued structures M we have (⨅_{ψ ∈ C} ⟦ψ⟧_M) ⊩_M φ.

Using this definition, we can now state the Boolean-valued soundness theorem:

    theorem boolean_soundness {Γ : set (sentence L)} {φ : sentence L} :
      Γ ⊢ φ → Γ ⊨[B] φ

The proof is a straightforward structural induction.

4 Boolean-Valued Models of Set Theory
4.1 The Aczel Encoding
Our starting point is the Aczel encoding of ZFC ([1–3]) into dependent type theory. This was implemented in Coq by Werner [46], and in Lean's mathlib by Carneiro [7]. The idea is to take a type universe Type u and imitate the cumulative hierarchy construction with an inductive type:

    inductive pSet : Type (u+1)
    | mk (α : Type u) (A : α → pSet) : pSet

For an element x = ⟨α, A⟩ : pSet, the function A points to the elements of x. We can define the empty set as ∅ := ⟨empty, empty.elim⟩ : pSet. Note that pSet does not satisfy the axiom of extensionality. In order to obtain a model where the axiom of extensionality holds, we must quotient pSet by extensional equivalence:

    def equiv : pSet → pSet → Prop
    | ⟨α, A⟩ ⟨β, B⟩ := (∀a, ∃b, equiv (A a) (B b)) ∧ (∀b, ∃a, equiv (A a) (B b))
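The de Bruijn lifting and substitution of Section 2.1 together with the realization ⟦φ⟧ of Section 3, worked through as an added Python example (not the Flypitch code). It assumes a language with one unary function symbol f and one binary relation symbol R, fully applied terms and formulas, and a finite Boolean algebra B of bit-vectors; the B-valued structure is the Boolean power of ({0,1}, ≤, ¬), in which equality and R take genuinely intermediate truth values.

```python
"""De Bruijn-indexed first-order syntax and its Boolean-valued realization.

Added example, not Flypitch code: a Python model of the lift/substitution of
Section 2.1 and the realization [[phi]]^v_M of Section 3. Terms and formulas
are fully applied (the ℕ-indexed partial application is dropped). B is the
complete Boolean algebra of subsets of {0..K-1} as K-bit ints: meet &, join |,
top = all bits. The assumed B-valued structure is the Boolean power of
({0,1}, <=, not): its carrier is B itself, x ≈ y holds in exactly the
coordinates where x and y agree, R(x, y) means coordinatewise x <= y, and
the function symbol f is coordinatewise negation.
"""
from functools import reduce

K = 2
TOP, BOT = (1 << K) - 1, 0

def imp_b(a, b):                      # material implication a ⟹ b in B
    return (TOP & ~a) | b

def inf_b(xs):                        # ⨅ of a finite family (⊤ if empty)
    return reduce(lambda a, b: a & b, xs, TOP)

# Terms:    ("var", m) is &m;  ("f", t) is f applied to t.
# Formulas: ("bot",), ("eq", s, t), ("R", s, t), ("imp", a, b), ("all", a).

def lift_t(t, n, m=0):
    """t ↑' n # m: every variable with index >= m is increased by n."""
    if t[0] == "var":
        return ("var", t[1] + n) if t[1] >= m else t
    return ("f", lift_t(t[1], n, m))

def subst_t(t, s, n):
    """t[s // n]: &n becomes s ↑ n, &m with m > n becomes &(m-1)."""
    if t[0] == "var":
        m = t[1]
        if m == n:
            return lift_t(s, n)
        return ("var", m - 1) if m > n else t
    return ("f", subst_t(t[1], s, n))

def subst_f(phi, s, n):
    """phi[s // n]; entering a quantifier bumps n, so an occurrence of
    &(n+k) under k binders is replaced by s ↑ (n+k), as in the paper."""
    tag = phi[0]
    if tag == "bot":
        return phi
    if tag in ("eq", "R"):
        return (tag, subst_t(phi[1], s, n), subst_t(phi[2], s, n))
    if tag == "imp":
        return (tag, subst_f(phi[1], s, n), subst_f(phi[2], s, n))
    return ("all", subst_f(phi[1], s, n + 1))

# The assumed B-valued structure M (see module docstring).
CARRIER = range(TOP + 1)

def m_eq(x, y):  return TOP & ~(x ^ y)   # x ≈ y: coordinates where x = y
def m_rel(x, y): return (TOP & ~x) | y   # R(x, y): coordinates where x <= y
def m_fun(x):    return TOP & ~x         # f(x): coordinatewise negation

def realize_t(t, v):
    """[[t]]^v, where v[m] is the value of the free variable &m."""
    return v[t[1]] if t[0] == "var" else m_fun(realize_t(t[1], v))

def realize_f(phi, v):
    """[[phi]]^v in B. A quantifier prepends the bound value to v, so &0
    always refers to the innermost binder."""
    tag = phi[0]
    if tag == "bot":
        return BOT
    if tag == "eq":
        return m_eq(realize_t(phi[1], v), realize_t(phi[2], v))
    if tag == "R":
        return m_rel(realize_t(phi[1], v), realize_t(phi[2], v))
    if tag == "imp":
        return imp_b(realize_f(phi[1], v), realize_f(phi[2], v))
    return inf_b(realize_f(phi[1], [a] + v) for a in CARRIER)

# Sample formulas, constructed for the example.
X0, X1 = ("var", 0), ("var", 1)
REFL = ("all", ("R", X0, X0))          # ∀x, R(x, x)        -- realizes to ⊤
ANTI = ("all", ("R", ("f", X0), X0))   # ∀x, R(f x, x)      -- realizes to ⊥
PHI  = ("all", ("R", X0, X1))          # ∀y, R(y, x), with x = &0 free
S    = ("f", X0)                       # the term f x

def substitution_lemma_holds(phi, s, v):
    """[[phi[s // 0]]]^v == [[phi]]^([[s]]^v :: v) on this structure."""
    return realize_f(subst_f(phi, s, 0), v) == realize_f(phi, [realize_t(s, v)] + v)

def all_elim_sound(phi, t, v):
    """allE₂ as an inequality of truth values: [[∀' phi]]^v ≤ [[phi[t // 0]]]^v."""
    lhs = realize_f(("all", phi), v)
    return lhs & realize_f(subst_f(phi, t, 0), v) == lhs
```

With v = [x], PHI[S // 0] realizes to the complement of x: the coordinates in which every y lies below f x are exactly those where x is 0, which is what the substitution lemma predicts for ⟦∀y, R(y, f x)⟧.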

    axiom_of_emptyset := ∀ x, x ∉ ∅
    axiom_of_ordered_pairs := ∀ x y z w, (x,y) = (z,w) ↔ x = z ∧ y = w
    axiom_of_extensionality := ∀ x y, (∀ z, (z ∈ x ↔ z ∈ y)) → x = y
    axiom_of_union := ∀ u x, x ∈ ⋃u ↔ ∃ y ∈ u, x ∈ y
    axiom_of_powerset := ∀ z y, y ∈ P(z) ↔ ∀ x ∈ y, x ∈ z
    axiom_of_infinity := ∅ ∈ ω ∧ (∀ x ∈ ω, ∃ y ∈ ω, x ∈ y) ∧ (∃ α, Ord(α) ∧ ω = α) ∧
        ∀ α, Ord(α) → (∅ ∈ α ∧ ∀ x ∈ α, ∃ y ∈ α, x ∈ y) → ω ⊆ α
    axiom_of_regularity := ∀ x, x ≠ ∅ → ∃ y ∈ x, ∀ z ∈ x, z ∉ y
    zorns_lemma := ∀ z, z ≠ ∅ → (∀ y, (y ⊆ z ∧ ∀ x1 x2 ∈ y, x1 ⊆ x2 ∨ x2 ⊆ x1) → (⋃y) ∈ z) →
        ∃ m ∈ z, ∀ x ∈ z, m ⊆ x → m = x
    axiom_of_collection(φ) := ∀ p ∀ A, (∀ x ∈ A, ∃ y, φ(x,y,p)) →
        (∃ B, (∀ x ∈ A, ∃ y ∈ B, φ(x,y,p)) ∧ ∀ y ∈ B, ∃ x ∈ A, φ(x,y,p))

    epsilon_transitive(z) := ∀ x, x ∈ z ⟹ x ⊆ z
    epsilon_trichotomy(z) := ∀ x y ∈ z, x = y ∨ x ∈ y ∨ y ∈ x
    epsilon_wellfounded(z) := ∀ x, x ⊆ z ⟹ x ≠ ∅ → ∃ y ∈ x, ∀ w ∈ x, w ∉ y
    Ord(z) := epsilon_trichotomy(z) ∧ epsilon_wellfounded(z) ∧ epsilon_transitive(z)

Figure 1. Our formulation of ZFC.

One can then define membership from equivalence and check that modulo extensional equivalence, pSet is a model of ZFC.

4.2 Boolean-Valued Sets
We now want to generalize pSet to a Boolean-valued model of ZFC. We must give a B-valued predicate interpreting the membership symbol ∈. We will encode this information by extending each ⟨α, A⟩ : pSet with an additional function B : α → B, which has the effect of attaching a Boolean truth-value to every element of ⟨α, A⟩:

    inductive bSet (B : Type u) [complete_boolean_algebra B] : Type (u+1)
    | mk (α : Type u) (A : α → bSet) (B : α → B) : bSet

The B-valued predicate expresses that A a ∈ ⟨α, A, B⟩ has truth value (at least) B a. For convenience, if x : bSet B and x := ⟨α, A, B⟩, we put x.type := α, x.func := A, x.bval := B.

One can also be led to this construction by considering the recursive name-construction from forcing, a key ingredient to building forcing extensions. Let P be a poset. From e.g. (Kunen [26], Definition IV.2.5):

Definition 4.1. A set τ is a P-name iff τ is a relation and for all ⟨σ, p⟩ ∈ τ we have that σ is a P-name and p ∈ P.

In particular, if P is the singleton poset, then a P-name is merely a set of P-names, in the same way that a term of type pSet is a type-indexed collection of terms of type pSet. Reversing this observation, we can replace P with a complete Boolean algebra B and generalize the definition of pSet.mk with a third field, so that as in the case of P-names, every element of a set is assigned an element (a "Boolean truth-value") of B, again giving us bSet B. Thus, bSet B should be thought of as the type of B-names.

Boolean-Valued Equality and Membership We can define Boolean-valued equality and membership analogously to the definitions in pSet. To do this, we translate quantifiers and connectives into operations on B:

    def bv_eq : bSet B → bSet B → B
    | ⟨α, A, B⟩ ⟨α', A', B'⟩ :=
        (⨅ a, B a ⟹ ⨆ a', B' a' ⊓ bv_eq (A a) (A' a')) ⊓
        (⨅ a', B' a' ⟹ ⨆ a, B a ⊓ bv_eq (A a) (A' a'))

We abbreviate bv_eq with the infix operator =ᴮ. It is now easy to define B-valued membership, which we denote by ∈ᴮ.

    def mem : bSet B → bSet B → B
    | x ⟨α, A, B⟩ := ⨆ a, B a ⊓ x =ᴮ A a

While standard treatments of Boolean-valued models of ZFC mutually define equivalence and membership so that the axiom of extensionality follows definitionally ([4], [17]), the induction principle given by the non-mutual definition is easier to work with in our formalization.

4.3 The Fundamental Theorem of Forcing
The fundamental theorem of forcing for Boolean-valued models [17] states that for any complete Boolean algebra B, the type bSet B forms a Boolean-valued model of ZFC. We mostly follow Bell [4] for the verification of the ZFC axioms in bSet B. Although most of the argument is routine, we describe some aspects of bSet B which are revealed by this verification.
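Sections 4.1 and 4.2 (pSet, equiv, bSet, bv_eq, mem), together with the check-names of Definition 4.3 and the powerset of Definition 4.2, computed in a finite setting as an added Python example (not the Flypitch code). It assumes B is the algebra of subsets of a two-element set, encoded as 2-bit integers, and represents the index type α of a set as list positions.

```python
"""pSet, bSet and Boolean-valued equality and membership, finitised.

Added example, not Flypitch code: Python versions of Section 4's pSet and
equiv, bSet, bv_eq, mem, check (Definition 4.3) and the powerset of
Definition 4.2. B is the complete Boolean algebra of subsets of {0..K-1}
as K-bit ints (meet &, join |). The index type α of ⟨α, A, B⟩ is a list
position, so a bSet is stored as parallel tuples of elements and values.
"""
from functools import reduce
from itertools import product

K = 2
TOP, BOT = (1 << K) - 1, 0

def imp_b(a, b): return (TOP & ~a) | b                          # a ⟹ b
def inf_b(xs):   return reduce(lambda a, b: a & b, xs, TOP)     # ⨅ (⊤ if empty)
def sup_b(xs):   return reduce(lambda a, b: a | b, xs, BOT)     # ⨆ (⊥ if empty)

class PSet:
    """Aczel encoding (Section 4.1): a set is an indexed family of sets."""
    def __init__(self, elems=()):
        self.elems = tuple(elems)

def equiv(x, y):
    """Extensional equivalence: each element of x matches one of y and vice versa."""
    return (all(any(equiv(a, b) for b in y.elems) for a in x.elems) and
            all(any(equiv(a, b) for a in x.elems) for b in y.elems))

class BSet:
    """⟨α, A, B⟩ (Section 4.2): x.func a ∈ x has truth value at least x.bval a."""
    def __init__(self, func=(), bval=()):
        assert len(func) == len(bval)
        self.func, self.bval = tuple(func), tuple(bval)

def bv_eq(x, y):
    """x =ᴮ y: every element of each side is matched by the other side, in B."""
    left = inf_b(imp_b(bx, sup_b(by & bv_eq(a, b) for b, by in zip(y.func, y.bval)))
                 for a, bx in zip(x.func, x.bval))
    right = inf_b(imp_b(by, sup_b(bx & bv_eq(a, b) for a, bx in zip(x.func, x.bval)))
                  for b, by in zip(y.func, y.bval))
    return left & right

def mem(x, y):
    """x ∈ᴮ y := ⨆ a, y.bval a ⊓ x =ᴮ y.func a."""
    return sup_b(by & bv_eq(x, a) for a, by in zip(y.func, y.bval))

def subset_b(x, y):
    """x ⊆ᴮ y := ⨅ a, x.bval a ⟹ x.func a ∈ᴮ y."""
    return inf_b(imp_b(bx, mem(a, y)) for a, bx in zip(x.func, x.bval))

def check(x):
    """Definition 4.3: the check-name x̌, every element attached with ⊤."""
    return BSet([check(a) for a in x.elems], [TOP] * len(x.elems))

def set_of_indicator(x):
    """Definition 4.2: P(x) := ⟨α → B, (λ χ, χ̃), (λ χ, χ̃ ⊆ᴮ x)⟩, where
    χ̃ := ⟨α, A, χ⟩ and χ ranges over all indicator functions α → B."""
    subs = [BSet(x.func, chi) for chi in product(range(TOP + 1), repeat=len(x.func))]
    return BSet(subs, [subset_b(s, x) for s in subs])

# Constructed samples: von Neumann 0, 1, 2; a copy of 2 with a duplicated
# element (extensionally equal); and a genuinely Boolean-valued set Y.
ZERO, ONE = PSet(), PSet([PSet()])
TWO = PSet([ZERO, ONE])
TWO_DUP = PSet([ONE, ZERO, PSet([PSet()])])
Y = BSet([check(ZERO)], [1])          # ∅ belongs to Y with truth value {0}
```

Y is a mixture in the sense of Section 4.3: bv_eq(Y, check(ZERO)) is {1} and bv_eq(Y, check(ONE)) is {0}, so Y is "∅ on one coordinate and {∅} on the other" and the two truth values partition ⊤.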


Notably, we can define subsets of a set x : bSet B by just modifying x.bval. This gives a nice definition of powerset:

Definition 4.2. Fix a B-valued set x = ⟨α, A, b⟩ and let χ : α → B be a function. We define the B-valued set χ̃ as ⟨α, A, χ⟩. The powerset P(x) of x is defined to be the B-valued set

    set_of_indicator := ⟨α → B, (λ χ, χ̃), (λ χ, χ̃ ⊆ᴮ x)⟩.

In particular, this gives an easy implementation of the axiom of comprehension (not just for interpretations of formulas, but for any B-valued predicate on bSet B satisfying an appropriate B-valued congruence lemma):

    lemma bSet_axiom_of_comprehension (φ : bSet B → B) (x : bSet B)
      (H_congr : B_ext φ) {Γ : B} :
      Γ ≤ ⨆ y, y ⊆ᴮ x ⊓ ⨅ z, z ∈ᴮ y ⇔ (z ∈ᴮ x ⊓ φ z)

Following Bell, we verify Zorn's lemma in bSet B. As is the case with pSet, establishing Zorn's lemma requires the use of a choice principle from the metatheory. This was the hardest part of our verification of the fundamental theorem of forcing, and relies on the technical tool of mixtures, which allow sequences of B-valued sets to be "averaged" into new ones. Using mixtures, one derives the maximum principle, which allows existentially quantified statements to be instantiated without changing their truth-value (so it is essentially the axiom of choice):

    lemma maximum_principle (φ : bSet B → B) (h_congr : B_ext φ) :
      ∃ u, (⨆ (x : bSet B), φ x) = φ u

For example, if x : bSet B and φ is a B-valued predicate, and we have that ⊤ ≤ ⨆ j : x.type, φ x, there may not actually be some j : x.type which attains that supremum. However, the maximum principle ensures that a witness can be constructed via mixtures.

After we verify the (shall) statements of all the axioms in bSet B, the last step is to construct a B-valued L_ZFC-structure, called V^B, on bSet B, and check that the interpretations of the axioms are ⊤. This amounts to proving that the deeply embedded statements correspond to the shallowly embedded statements. This is trivial for the axioms, since it is true by reflexivity, but takes more work for the axiom scheme of collection. This proves the following theorem.

    theorem fundamental_theorem_of_forcing : ⊤ ⊩[V B] ZFC

4.4 Ordinals
Definition 4.3. We define the canonical map check : pSet → bSet B by

    def check : pSet → bSet B
    | ⟨α, A⟩ := ⟨α, check ∘ A, (λ a, ⊤)⟩

We write x̌ for check x, and call it a check-name. These are also known as canonical names, as they are the canonical representation of standard two-valued sets inside a Boolean-valued model of set theory.³

In general, x̌ might have different properties than x, but Δ₀ properties (i.e. those definable with only bounded quantification) are always preserved. Importantly, bSet B thinks ω̌ is ω. Notably, ω : pSet is defined separately from ordinal.mk omega (see below) as the finite von Neumann ordinals indexed by ℕ, so the underlying types of ω and ω̌ are exactly ℕ.

The treatment of ordinals in mathlib associates a class of ordinals to every type universe, defined as isomorphism classes of well-ordered types. Lean's ordinals may be represented inside pSet by defining a map ordinal.mk : ordinal → pSet via transfinite recursion (indexing the von Neumann construction of ordinals). In pseudocode,

    def ordinal.mk : ordinal → pSet
    | 0 := ∅
    | succ ξ := pSet.succ (ordinal.mk ξ)      -- i.e. (mk ξ ∪ {mk ξ})
    | is_limit ξ := ⋃ η < ξ, (ordinal.mk η)

Working internally to any model M of ZFC, we can define the class Ord(M) as the collection of transitive sets which are well-ordered by their membership relation. While ordinal.mk actually induces an order-isomorphism of pSet's ordinals with Lean's ordinals, the map check ∘ ordinal.mk : ordinal → bSet B generally fails to surject onto bSet B's ordinals (in general, these are mixtures of checked ordinals).

We summarize the relationship between the three "large" types currently in play:

    pSet  --check-->  bSet B
      ^
      | ordinal.mk
    ordinal.{u}

We adopt the convention to spell out the name of Lean ordinals and cardinals, and use (checked) Hebrew letters for their (Boolean-valued) set-theoretic counterparts, e.g.

    check (ordinal.mk (aleph 1)) = check (ℵ₁) = ℵ₁ˇ

We will freely conflate pSet ordinals with their underlying types, so e.g. ν : ℵ₂ means ν : ℵ₂.type. (It is always true that the cardinality of (ordinal.mk κ).type is κ.) Since in general, ℵ₁ˇ is not what bSet B thinks is ℵ₁, we will use a superscript, e.g. ℵ_k^B, to denote the internal alephs of bSet B.

³ We were pleased to discover Lean's support for custom notation allowed us to declare the Unicode modifier character U+030C (ˇ) as a postfix operator for check.

5 Forcing
Our point of departure from conventional accounts of forcing with a poset P over a countable transitive model [25, 26], which use a generic filter to "evaluate" the P-names to produce an ordinary model of ZFC, is to force with Boolean-valued models of ZFC instead. As first observed by Scott and Solovay [40], this obviates the need for countable transitive models, generic filters, or the truth and definability lemmas, and allows us to work only with the B-names.

The cost of taking the B-names at face value is that the calculus of the forcing relation [43], a key technical tool in usual forcing arguments, is replaced by the calculation of Boolean truth-values in B. From the Boolean-valued perspective, forcing a sentence Φ in the language of ZFC means constructing some Boolean algebra B and a B-valued model M of ZFC such that the truth value ⟦Φ⟧_M of Φ is ⊤. We will always force over a type universe Type u, and our Boolean-valued models of ZFC are always of the form bSet B for some B : Type u. That B belongs to the "ground model" Type u is crucial for forcing, as specific choices of B will affect the structure of bSet B (and hence the truth-value of Φ).

In this section, we describe two forcing arguments, one for ¬CH and another for CH. Both follow roughly the same pattern. In both cases, we require the existence of a function; for ¬CH, an injection ℵ₂ ↪ P(ω), and for CH, a surjection ℵ₁ ↠ P(ω). We will construct a Boolean algebra B which encodes the construction (in Type u) of such a function F. Then B induces in bSet B an approximation F̃ to such a function, which a priori is only between check-names. To finish the forcing argument, we must show that it suffices to work with F̃. This requires a careful study of how truth-values are calculated in bSet B, and ultimately reduces to an analysis of how truth-values of ∀-∃ statements in bSet B can be reflected back to Type u, and a verification of a combinatorial condition on B.

5.1 Regular Open Algebras
Definition 5.1. Let X be a topological space, and for any open set U, let U^⊥ denote the complement of the closure of U. The regular open algebra of a topological space X, written RO(X), is the collection of all open sets U such that U = (U^⊥)^⊥, or equivalently such that U is equal to the interior of the closure of U. RO(X) is equipped with the structure of a complete Boolean algebra, with x ⊓ y := x ∩ y, x ⊔ y := ((x ∪ y)^⊥)^⊥, ¬x := x^⊥ and ⨆ x_i := ((⋃ x_i)^⊥)^⊥.

While forcing conditions usually present themselves as a poset instead of a complete Boolean algebra, any forcing poset can be represented as the dense suborder of a regular open algebra [30].

Definition 5.2. A dense suborder of B is a subset P ⊆ B satisfying the following conditions: (1) for all p ∈ P, ⊥ < p; (2) for all ⊥ < b ∈ B, there exists a p ∈ P such that p ≤ b.

We will use the following combinatorial conditions on B in our forcing arguments:

Definition 5.3. We say that B has the countable chain condition (CCC) if every antichain A : I → B (i.e. an indexed collection of elements A = {a_i}_i such that whenever i ≠ j, a_i ⊓ a_j = ⊥) has a countable image.

Definition 5.4. We say that B is σ-closed if there exists a dense suborder P of B such that every ω-indexed downwards chain p₀ ≥ ··· ≥ p_n ≥ ··· in P has a lower bound p_ω in P.

5.2 Cohen Forcing
As we have already seen in Definition 4.2, we construct the powerset of a B-valued set u : bSet B using B-valued indicator functions χ : u.type → B. The basic strategy of Cohen forcing is to choose B such that for every ν : ℵ₂, there is a canonical indicator function (a "Cohen real") χ_ν : ℕ → B. This is an external function (a member of a function type of Type u) which descends to an injective function ℵ₂ˇ ↪ P(ω) in bSet B.

To show that the injection ℵ₂ˇ ↪ P(ω) suffices to negate CH, we will show that if B has the CCC, then ω ≺ ℵ₁ˇ ≺ ℵ₂ˇ, where x ≺ y means that there is no surjection from a subset of x to y. We then ensure that B has this property by applying a powerful combinatorial argument called the Δ-system lemma.

Definition 5.5. The Cohen poset for adding ℵ₂-many Cohen reals is the collection of all finite partial functions ℵ₂ × ℕ → 2, ordered by reverse inclusion.

In the formalization, the Cohen poset is represented as a structure with three fields:

    structure P_cohen : Type :=
    (ins : finset (ℵ₂.type × ℕ))
    (out : finset (ℵ₂.type × ℕ))
    (H : ins ∩ out = ∅)

That is, we identify a finite partial function f with the triple ⟨f.ins, f.out, f.H⟩, where f.ins is the preimage of {1}, f.out is the preimage of {0}, and f.H ensures that f is well-defined. While the members of the Cohen poset are usually defined as finite partial functions, we found that in practice f is only needed to give a finite partial specification of a subset of ℵ₂ × ℕ (i.e. a finite set f.ins which must be in the subset, and a finite set f.out which must not be in the subset). We chose this representation to make that information immediately accessible.

The Boolean algebra which we use for forcing ¬CH is

    B_cohen := RO(2^(ℵ₂ × ℕ))

where we equip 2^(ℵ₂ × ℕ) with the usual product space topology.

Definition 5.6. We define the canonical embedding of the Cohen poset into B_cohen as follows:

    def ι : P_cohen → B_cohen :=
    λ p, {S | p.ins ⊆ S ∧ p.out ⊆ -S}

That is, we send each c : P_cohen to all subsets satisfying the specification given by c. This is clopen, hence regular. Crucially, the image of this embedding is a dense suborder of B_cohen. This is essentially because the image of ι : P_cohen → B_cohen is the standard basis for the product topology. Our chosen encoding of the Cohen poset also made it easier to perform this identification.

Definition 5.7. Let ν : ℵ₂. For any n : ℕ, the collection of all subsets of ℵ₂ × ℕ which contain (ν, n) is a regular open of 2^(ℵ₂ × ℕ), denoted P_(ν,n). Thus, we associate to ν the B-valued indicator function χ_ν : ℕ → B defined by χ_ν(n) := P_(ν,n).

Because each A_η has as a conjunct the knowledge that f is a function, for η₁ ≠ η₂, A_η₁ and A_η₂ are incompatible, i.e. A_η₁ ⊓ A_η₂ = ⊥. Since the lemma guarantees that each A_η is nonzero, the A_η form an uncountable antichain. Therefore, if B has the CCC, there is a contradiction. By Lemma 5.3, ¬CH is forced true in bSet B_cohen.

In our formalization, we actually prove a more general version of this argument, replacing ℵ₁ and ℵ₂ with any two infinite regular cardinals κ₁ < κ₂.

CCC and the Δ-system lemma To show that B_cohen has the CCC, we formalize and then apply a general result in transfinite combinatorics called the Δ-system lemma. Though only briefly mentioned in [18], this was one of the most involved parts of our formalization of Cohen forcing, as it

By Definitionb 4.2, each 휒휈 induces a new B-valued subset was a technical result in infinitary combinatorics. The details 휒 휒

f휈 ⊆ N. We call f휈 a Cohen real. of the full argument are too technical to give here, so we c omit the proofs in this section. Definition 5.7 gives us an ℵ2-indexed family of Cohen A family (퐴푖 )푖 of sets is called a Δ-system if there is a reals. Converting this data into an injective function from ℵ2 set 푟, called the root such that whenever 푖 ≠ 푗 we have P( ) bSet B <휅 휌 to N inside requires some care. One must check 퐴푖 ∩ 퐴푗 = 푟. We write 푐 for the supremum of 푐 for 휌 < 휅. 휈 휒 that ↦→ f휈 is externally injective, and this is where the characterization of the Cohen poset as a dense subset of B Lemma 5.1 (Δ-system lemma (Theorem 1.6, [26])). Let 휅 be

(and moving back and forth between this representation and an infinite cardinal and let 휃 > 휅 be regular, such that for all

c <휅

the definition as finite partial functions) comes in. 훼 < 휃 we have 훼 < 휃. For any family {퐴푖 }푖 ∈퐼 such that

c c

b |퐼 | ≥ 휃 and for all 푖, |퐴푖 | < 휅, there is a subfamily of size 휃

To finish negating CH, it suffices to show that 휔 ≺ ℵ1 ≺

c c which forms a Δ-system. ℵ2, i.e. that there is no surjection 휔 ↠ ℵ1 and no surjection ℵ1 ↠ ℵ2. We describe how we proved the latter claim; an The formalization closely follows the proof given in Kunen

identical argument can be used to show the former. [26, Chapter 2, Theorem 1.6]. The proof involves tricky rea-

c The strategyc of the proof is to assume that there is a sur- soning steps involving ordinals, which are common in infini- jection ℵ ↠ ℵ . This surjectivity assumption is a Boolean- tary combinatorics. It starts by assuming that without loss 1 2 Ð 퐴 휃 퐴 valued ∀-∃ statement about check-names, and we will reflect of generality 푖 푖 ⊆ , so that all the 푖 are well-ordered, 퐴 it into the metatheory, producing a ∀-∃ statement about and by assuming that all 푖 have the same order-type. These the non-checked counterparts in pSet. We will then use the simplifying assumptions are harder to formalize, because that involves actually proving the general case from the spe- CCC, a combinatorial condition on Bcohen, to show that the reflected ∀-∃ statement implies a contradiction. cial case. It also involves defining a sequence by transfinite Specifically, we use the following lemma, which is true recursion, while simultaneously proving that the sequence 휃 for general B: has certain properties (lies below ). In the formalization, the fact that the type of ordinals is a lemma AE_of_check_larger_than_check{xy: pSet} large type, i.e. lives one universe level higher than the types (f: bSet B){Γ : B}(H_nonzero: ⊥ < Γ) it is built from, causes difficulties. (These difficulties were (H: Γ ≤ is_surj_ontox ˇ yˇ f)(Hy: ∃ z,z ∈ y): also present earlier, because whenever we use e.g. “ℵ2.type”, ∀ i:y.type, ∃ j:x.type,

B we are actually referring to a nonconstructively chosen wit- c

⊥ < is_funcf ⊓ pair(x.funcj)cˇ (y.funci) ˇ ∈ f ness for the order type of all the ordinals less than aleph2 .)

c c The reason is that the original proof heavily uses sets of Suppose that there is a surjection ℵ1 ↠ ℵ2. Applying this ordinals, and taking their order types, but in Lean this would lemma to 푥 := ℵ , 푦 := ℵ , we obtain a ∀-∃ statement in the 1 2 involve calculating in both ordinal.{u} and ordinal.{u+1}. metatheory to which we can apply Lean’s axiom of choice Instead, we frequently work with well-orders of a given or- to produce a function 푔 : ℵ → ℵ . Since externally, we 2 1 der type, instead sets of ordinals, to do all computations in know that ℵ ≺ ℵ , it follows from the infinite pigeonhole 1 2 ordinal.{u}. principle that 푔 must have an uncountable fiber over some Lastly, one must take care to formulate the Δ-system so 휈 < ℵ . For every 휂 ∈ 푔−1 ({휈}), let 퐴 be the element of 1 휂 that {퐴 } is an indexed family, instead of a collections of B given by the lemma, i.e. 푖 푖 cohen sets. Theorem 5.1 below does not follow conveniently from B (is_funcf) ⊓ (pair( ℵ1.func 휈)ˇ (ℵ2.func 휂)ˇ ∈ f). the Δ-system lemma if it is formulated with a collection of A Formal Proof of the Independence of the Continuum Hypothesis CPP ’20, January 20–21, 2020, New Orleans, LA, USA sets; [26] is somewhat ambiguous about which version is Lemma 5.4. Bcollapse is 휎-closed. used. Proof. We show that the collection of principal open sets Setting 휅 = 휔 and 휃 = ℵ1 in Lemma 5.1 yields: D := {퐷푝 }푝 forms a dense subset of Bcollapse such that every Lemma 5.2. Any uncountable family of finite sets has an 휔-indexed downwards chain in D has a lower bound in D. uncountable subfamily forming a Δ-system. Since D generates the topology, it is clearly a dense suborder. 휔 We say that a topological space has the CCC if every family For an arbitrary -indexed downwards chain of pairwise disjoint open sets is countable. The proof of the 퐷 퐷 퐷 , 푝0 ⊇ 푝1 ⊇ · · · ⊇ 푝푛 ⊇ · · · following can be found in [18]. it follows from the definition of the principal open sets that (푋 ) Ð Theorem 5.1. 
For any family 푖 푖 ∈퐼 of topological spaces, 푝0 ⊆ 푝1 ⊆ · · · ⊆ 푝푛 ⊆ · · · . Then put 푝휔 := 푝푖 . Since the Î 푋 퐽 퐼 푖 푖 ∈퐼 푖 has the CCC if for every finite ⊆ , the product union of countable partial functions is a countable partial Î ∈ 푋푖 has the CCC. 퐷 퐷 푖 퐽 function, 푝휔 is a lower bound of { 푝푖 }푖 . □ 퐽 From Theorem 5.1 and the observation that 2 has the Remark 5.1. As an implementation detail, in the formal- CCC if 퐽 is finite, the result follows. ization we define Pcollapse to be the countable partial functions Lemma 5.3. Bcohen has the CCC. (in Typeu ) between (ordinal.mk(aleph one): pSet).type

and (powerset omega: pSet).type , so that 5.3 Collapse Forcing c Bcollapse-valued indicator functions on

Whereas Cohen forcing creates a new injection ℵ2 ↩→ P(휔), ordinal.mk(aleph one): pSet).type × 퐹 we can use collapse forcing to create a new surjection : (powerset omega: pSet).type

ℵB ↠ P(휔). Similarly to Cohen forcing, the strategy is š 1 c to pick B such that there is a canonical B-valued indicator are definitionally equal to Bcollapse-valued indicator functions

on the underlying types of check(ordinal.mk(aleph one))

function on ℵ1 ×P(휔) representing the graph of a surjection š and check(powerset omega)c.

퐹e. To show that 퐹esuffices to force CH, we must verify that

š 휎 c our choice of B is -closed. To specify the surjection ℵ1 ↠ P(휔), we specify a subset

The formalization of collapse forcing is actually much

(the graph of the function) of the powerset P(ℵ1 × P(휔)).

š more involved than the formalization of Cohen forcing. In c In bSet Bcollapse, we can do this by specifying the indicator Cohen forcing, we have to do relatively little work inside of 휒 휋 ℵ → P(휔) bSet B itself besides proving basic properties of functions. function 휋 of the graph of a function : 1 as 휂 ℵ 푆 ⊆ P(휔) The difficulty is concentrated in proving and applying the follows: to an < 1 and a subset (in pSet), we CCC, which mostly happens in the metatheory. Moreover, attach the principal open (comprising functions extending {(휂, 푆)} constructing the new function (and the rest of the argument) the singleton countable partial function ): required no density arguments at all. This is because in order 휒휋 (휂, 푆) := 퐷 {(휂,푆)} = {푔 : ℵ1 → P(휔) | 푔(휂) = 푆}.

to force ¬CH, we only had to ensure there was some infi-

c More generally, we formalize conditions over generic x,

b nite cardinality between 휔 and P(휔) (we did not determine b y: pSet and B for when a function af:x.type → y.type exactly which internal aleph number ℵ1 was in bSet B). → B induces a surjection 푥 → 푦 in bSet B. By definition, However, to force CH, the quantifiers are flipped and now such a function always induces a relation on the product (in

we must exclude all cardinalities between 휔 and P(휔). From à š c bSet B) of x and y. Surjectivity is equivalent to d j,(

cleverly choosing B, the best we can do is to construct a i, afij)= ⊤, totality is equivalent to i,(à j, af š c d surjection 휋 : ℵ1 ↠ P(휔), and we are forced to prove that ij)= ⊤, and well-definedness follows from conditions: ℵ = ℵB and P(휔) = P(휔). This means we must define and 1 1 (∀ i, ∀ j1 j2,j 1 ≠ j2 → afij 1 ⊓ afij 2 ≤ ⊥) construct ℵB, entailing, for example, the development of the B 1 (∀ i1 i2, ⊥ <(funcxi 1)= (funcxi 2) → i1 =i 2) theory of ordinals internal to bSet B. For comparison, our 휒 library on set theory in bSet B totalled 2723 LOC when we Both surjectivity and totality of 휋 require density arguments, à 푥 ¬ where the definition of indexed supremum ( 푖 ) in the forced CH, and grew to 7020 LOC after forcing CH. Ð ⊥ ⊥ regular open algebra as the regularization (( 푥푖 ) ) of Definition 5.8. We define Pcollapse to be the poset of count- the set-theoretic union plays a key role: the union of the 휔 able partial functions ℵ1 → P( ). The principal open sets truth values is not the entire space, but is only a dense open 퐷푝 := {푔 : ℵ1 → P(휔) | 푔 extends 푝}, 푝 ∈ Pcollapse whose regularization is the entire space. In particular, the 휏 density argument for surjectivity crucially uses that ℵ1 is form the basis of a topology (finer than the product topol- 휔

ℵ1 uncountable while is countable. c ogy) on the function set P(휔) . We put š To finish demonstrating that CH is true in bSet B ,   collapse ℵ1 Bcollapse := RO P(휔) , 휏 . 휔 휔 B it remains to check that P( ) = P( ) and ℵ1 = ℵ1 . There CPP ’20, January 20–21, 2020, New Orleans, LA, USA Jesse Michael Han and Floris van Doorn are two major obstacles. The first is that to even formally to select witnesses. We remark that our construction does B 휔 state the latter equality, we must construct ℵ1 in bSet B. not use specific properties of and easily generalizes to While the operation bv_powerset (Definition 4.2) gives a con- construct the successor cardinal of any infinite set. Instead struction of the internal powerset of any x: bSet B (using of using membership (<), we could have used subset (≤) B ′ B-valued indicator functions, for any B), ℵ1 is only specified instead, which would avoid the intermediate a1 , but this as the least ordinal greater than 휔, and does not admit as would have made other parts of the proof more complex. B direct of a construction. We describe our construction of ℵ1

(as the Hartogs number of 휔) in Section 5.4. 5.5 Function Reflection Now we must ensure that no new countable ordinals are Suppose given y: pSet and f: bSetb B such that bSet B

added to ℵ1 and that no new subsets of 휔 are added to P(휔) models that f is a function from 휔 to 푦. We say that bSet B in the passage via check from pSet to bSet B. We show this reflects f if there exists a g: pSet such that bg is a function in Section 5.5 by proving that we can reflect functions with from 휔 to y in pSet, and bSet B models that 푔 = 푓 . We say domain 휔 from bSet B to pSet. that bSet B reflects countable functions if it reflects all

such f. 5.4 Construction of ℵ š

1 Lemma 5.5. Let B be a complete Boolean algebra, and sup-

B Instead of using the specification of ℵ as the least ordinal c 1 pose that bSet B reflects countable functions. Then P(휔) = larger than 휔 with Cantor’s theorem and using the well-

B

P(휔) and ℵ1 = ℵ c. foundedness of the ordinals to construct ℵ1, we opt for a 1

c direct construction of ℵ1, based on the well-known construc- B b Proof. To see that ℵ1 ⊆ ℵ , let 푥 be an arbitrary element of tion of ℵ as the Hartogs number of 휔 [21]. 1 1 ℵ 푥 휂 휂 ℵ We lay out the basic strategy. Recall that a term of type 1. By definition is equal to for some < 1 in pSet. pSet bSet B comprises three pieces of information: an indexing Since the ordinals and cardinals of are isomorphic to

훼 Lean’s ordinals and cardinals for Typeu , 휂 injects into 휔 (in type , an indexing function A: 훼 → bSet B, and a truth- b pSet value function B: 훼 → B. , and also at the level of indexing types). Since being

an injective function is Δ0, it is absolute for check, so 푥 = 휂 훼 B c 1. We define the underlying type for ℵ1 to be P(휔 × 휔 B 푥 B 4 injects into . Then, by definition of ℵ1 we have ∈ ℵ1 . 휔).type. B

To see that ℵ ⊆ ℵ1, suppose towards a contradiction 2. We define the truth-value function B: 훼 → B to as- 1c

sign to any 푅 ⊆ 휔 ×휔 the (truth-value of) the sentence, that this is not true; since the ordinals are well-ordered, ℵ cℵB ℵB “there exists an ordinal 휂 and an injection 푓 : 휂 ↩→ 휔 this means that 1 < 1 , so by definition of 1 , there is a such that 푅 is the image of the membership relation surjection 푓 : 휔 → ℵ1. By assumption, this surjection can of 휂 under 푓 .” be lifted to a function 푔 : 휔 → ℵ1 in pSet, which can again

3. Using the maximum principle (which is essentially AC), be checked to be surjective, a contradiction.

š 퐴 B b we define the indexing function for ℵ1 by choosing, Similarly, it is true for general B and any x: pSet that 푅 훼 휂 푅 for every : , a witness 푅 such that is the image of P(푥) ⊆ P(푥), because indicator functions into bool natu-

휂 under an injection into 휔. That 퐴 surjects onto count- rally induce indicator functions to B (by composing with

š b able ordinals reduces to the fact that order-isomorphic the canonical inclusion bool → B). Conversely,b to show that

ordinals must be equal. 휔 c b P(휔) ⊆ P(휔), useb the isomorphism P(휔) ≃ 2 to reduce

휔 b Implementation details In the formalization, this strat- b this to showing that 2 ⊆ 2휔 , and then apply the assumption egy is implemented in three stages. First, the axiom of com- 휔 prehension (Section 4.3) is applied to P(휔 × 휔) to produce to an arbitrary element of 2 . □ 푅 (what bSet B thinks is) the collection of all relations on It remains to show that B fulfills the assumptions 휔 퐵(푅) collapse such that holds. This combines steps 1 and 2 and of Lemma 5.5. produces a set a1′_aux. Then we modify the indexing func- tion a1′_aux.func (by using the maximum principle) to point Lemma 5.6. bSet Bcollapse reflects countable functions. ′ from 푅 to a chosen witness 휂푅 for 푅, producing a1 . Finally, Proof. Fix 푦 and 푓 . It suffices to show that since the ordinals 0 and 1 both have empty membership re- f ∈B functions 휔 yˇ a1′ lations, it is unprovable in Lean whether contains one or ≤ Ã (g: bSet B), the other, so we add both manually, producing ℵB.

1 g ∈B (functions omegay) ˇ ⊓ g= B f Our implementation differs from the usual construction b of Hartogs numbers by starting with the sub-well-orders and by a density argument, it suffices to show that for every 퐷 퐷 퐷 푓 B 휔 푦 of 휔, rather than taking the class of countable ordinals and principal open 푝 , for := 푝 ∩ ∈ functions , later showing it is a set. In this way we avoid performing a 4Note that this did not use our assumption, and holds for general B. For a smallness argument, at the cost of using the axiom of choice conventional proof in a set-theoretic metatheory, see e.g. [4] A Formal Proof of the Independence of the Continuum Hypothesis CPP ’20, January 20–21, 2020, New Orleans, LA, USA

    ⊥ < (⨆ g, D ⊓ g ∈ᴮ (functions omega y)ˇ ⊓ g =ᴮ f)

It suffices to construct a single function $g : \omega \to y$ such that $\bot < D \sqcap \check{g} = f$. As with Cohen forcing, we will reflect a Boolean-valued ∀-∃ statement into the metatheory, and then use a combinatorial property of $\mathbb{B}_{\mathrm{collapse}}$ to strengthen it. The following lemma is true for general $\mathbb{B}$:

    lemma AE_of_check_func_check (x y : pSet)
      {f : bSet B} {Γ : B}
      (H : Γ ≤ is_func' xˇ yˇ f) (H_nonzero : ⊥ < Γ) :
      ∀ (i : x.type), ∃ (j : y.type) (Γ' : B)
        (H_nonzero' : ⊥ < Γ') (H_le : Γ' ≤ Γ),
        Γ' ≤ (is_func' xˇ yˇ f) ∧ Γ' ≤ (pair (x.func i)ˇ (y.func j)ˇ) ∈ᴮ f

Recursively applying this lemma, we obtain $g_0, \ldots, g_n, \ldots$ such that

$$D \sqcap \check{(0, g_0)} \in^{\mathbb{B}} f \;>\; \cdots \;>\; D \sqcap \bigsqcap_{k \le n} \big(\check{(k, g_k)} \in^{\mathbb{B}} f\big) \;>\; \cdots \;>\; \bot.$$

The lower bound of this chain implies that the required lift of $f$ is $g := \{(k, g_k)\}_{k \in \omega}$. For general $\mathbb{B}$, this lower bound might be $\bot$, but because $\mathbb{B}_{\mathrm{collapse}}$ is σ-closed, we can shrink each term of the above chain into a dense suborder $\mathcal{D}$ such that all downward ω-indexed chains in $\mathcal{D}$ have nonzero intersection, so the intersection of the chain is indeed nonzero. □

Implementing this argument was one of the most technical parts of our formalization. At each step of the construction of the downwards chain, we must recursively apply a ∀-∃ statement and use the axiom of choice to select two witnesses (with four side conditions), which are then used to simultaneously construct the downwards chain and the function g : pSet. This was implemented as a monolithic recursive function defined using Lean's equ­ation compiler, with the required parts separated afterwards.

5.6 The Independence of CH

In Section 4.3 we showed that bSet $\mathbb{B}$ is a model of ZFC, which means that we can interpret the deeply-embedded statement of CH_formula into bSet $\mathbb{B}$. It is easy to verify that the deeply-embedded interpretation of CH_formula coincides with the shallow interpretation of CH.

As we have already observed, an easy consequence of Boolean-valued soundness is that a formula is unprovable if its negation has a model. Thus, we have:

    lemma unprovable_of_model_neg {C : Theory L}
      {f : sentence L} (S : bStructure L B)
      (H_model : ⊤ ⊩[S] C) [H_nonempty : nonempty S]
      {Γ : B} (H_nonzero : (⊥ : B) < Γ)
      (H : Γ ⊩[S] ∼f) : ¬ (C ⊢' f)

    lemma V_B_cohen_models_neg_CH :
      ⊤ ⊩[V B_cohen] ∼CH_formula

    lemma V_B_collapse_models_CH :
      ⊤ ⊩[V B_collapse] CH_formula

Combining these results yields

    theorem CH_unprv : ¬ (ZFC ⊢' CH_formula)

    theorem neg_CH_unprv : ¬ (ZFC ⊢' ∼CH_formula)

and the independence of CH follows.

    def independent (T : Theory L) (f : sentence L) :=
      ¬ T ⊢' f ∧ ¬ T ⊢' ∼f

    theorem independence_of_CH : independent ZFC CH_f :=
      by finish [independent, CH_unprv, neg_CH_unprv]

6 Automation and Metaprogramming

A key feature of Lean is that it is its own metalanguage [12], allowing for seamless in-line definitions of custom tactics (and modifications of existing ones). This was an invaluable asset, allowing us to rapidly develop a custom tactic library for simulating natural-deduction style proofs in complete Boolean algebras (Section 6.1) and automating equality reasoning in those proofs (Section 6.2).

6.1 Simulating Natural Deduction Proofs in Complete Boolean Algebras

As stressed by Scott [39], "A main point ... is that the well-known algebraic characterizations of [complete Heyting algebras] and [complete Boolean algebras] exactly mimic the rules of deduction in the respective logics." Indeed, that is really why the Boolean-valued soundness theorem (see Section 3) is true: one can just replay natural deduction proofs in arbitrary complete Boolean algebras, not just Prop. We use Lean's metaprogramming to expose natural deduction-style tactics to the user for the purpose of proving inequalities in complete Boolean algebras. (One thinks of the ≤ symbol in an inequality of Boolean truth-values as a turnstile in a proof state.) An immediate challenge which arises is being able to reason about assumptions (to the left of the turnstile) modulo associativity and commutativity. For example, the natural-deduction version of this statement should simply be "by assumption":

    ∀ a b c d e f g : B,
      (d ⊓ e) ⊓ (f ⊓ g ⊓ ((b ⊓ a) ⊓ c)) ≤ a

but with a naive approach, one must manually unwrap and permute the arguments of the nested ⊓s. Our solution is to piggyback on the tactic monad's AC-invariant handling of hypotheses in the tactic state, by applying the Yoneda lemma for posets:

    lemma poset_yoneda {β} [partial_order β] {a b : β}
      (H : ∀ Γ : β, Γ ≤ a → Γ ≤ b) : a ≤ b

With a little custom automation, our first example nearly becomes "by assumption":

    example {a b c d e f g : B} :
      (d ⊓ e) ⊓ (f ⊓ g ⊓ ((b ⊓ a) ⊓ c)) ≤ a :=
    by { tidy_context, assumption }
    /- Goal state before `assumption`:
    [...]
    H_right_right_left_left : Γ ≤ b,
    H_right_right_left_right : Γ ≤ a
    ⊢ Γ ≤ a -/

In this example, tidy_context combines an application of poset_yoneda with a call to the simplifier to split hypotheses of the form Γ ≤ a₁ ⊓ a₂ ⊓ ... ⊓ aₙ into Γ ≤ a₁, Γ ≤ a₂, ..., Γ ≤ aₙ.

With more sophisticated tricks, such as coercing assumptions of the form (Γ ≤ a ⟹ b) to functions Γ ≤ a → Γ ≤ b, automated propagation of change-of-variables ("context-specialization", see [18] for more details), and automatically casing on disjunctions Γ ≤ a ⊔ b, it is even possible to write a Boolean-valued tableaux prover bv_tauto:

    example {a b c : B} :
      (a ⟹ b) ⊓ (b ⟹ c) ≤ a ⟹ c :=
    by { tidy_context, bv_tauto }

Compare this with a more conventional proof, where we even have the deduction theorem and modus ponens available as lemmas:

    example {β : Type*} [complete_boolean_algebra β]
      {a b c : β} :
      (a ⟹ b) ⊓ (b ⟹ c) ≤ a ⟹ c :=
    begin
      rw [← deduction, inf_comm, ← inf_assoc],
      transitivity b ⊓ (b ⟹ c),
      { refine le_inf _ _,
        { apply inf_le_left_of_le, rw inf_comm,
          apply mp },
        { apply inf_le_right_of_le, refl }},
      { rw inf_comm, apply mp }
    end

It would have been possible to go further and even write a custom tactic state, as was done for temporal logic in UnitB [22] or for Lean's SMT-mode framework, such that the machinery for handling the ambient context Γ is completely hidden. However, we judged the benefits of this to be mostly cosmetic, and we leave more sophisticated implementations for future work.

6.2 Boolean-valued Equality Reasoning

Congruence Closure on Quotient Types. Another benefit of applying poset_yoneda and using context variables Γ throughout the formalization is that this approach exposes a canonical poset of setoids on bSet $\mathbb{B}$ induced by $\mathbb{B}$-valued equality: for every Γ : B the relation λ x y, Γ ≤ x =ᴮ y is an equivalence relation on bSet $\mathbb{B}$. Since Lean natively supports quotient types, as soon as the only task remaining is to perform equality reasoning, we can quotient by the appropriate setoid and simply call cc; this is easy to automate with a custom tactic bv_cc. We can add support for any predicate satisfying an appropriate $\mathbb{B}$-valued congruence lemma, although we currently add support for individual predicates by hand:

    example {x₁ y₁ x₂ y₂ : bSet B} {Γ}
      (H₁ : Γ ≤ x₁ ∈ᴮ y₁) (H₂ : Γ ≤ x₁ =ᴮ x₂)
      (H₃ : Γ ≤ y₁ =ᴮ y₂) : Γ ≤ x₂ ∈ᴮ y₂ := by bv_cc

Discharging Congruence Lemmas. Rewriting along a $\mathbb{B}$-valued equality is the same as rewriting in the appropriate setoid parametrized by the current context Γ, so that the motive must satisfy an appropriate congruence lemma h_congr with respect to the equivalence relation:

    lemma bv_rw {x y : bSet B} {Γ : B}
      (H : Γ ≤ x =ᴮ y) {φ : bSet B → B}
      {h_congr : ∀ x y, x =ᴮ y ⊓ φ x ≤ φ y}
      {H_new : Γ ≤ φ y} : Γ ≤ φ x

We alias the type of h_congr, and add a database of @[simp] lemmas expressing that congruence lemmas are preserved by first-order logical operations:

    def B_ext (φ : bSet B → B) : Prop :=
      ∀ x y, x =ᴮ y ⊓ φ x ≤ φ y

    @[simp] lemma B_ext_infi {ι} {φ : ι → (bSet B → B)}
      {h : ∀ i, B_ext (φ i)} : B_ext (λ x, ⨅ i, φ i x)

Furthermore, simp is able to handle recursive applications of these lemmas on its own, allowing most congruence lemma proof obligations to be automatically discharged:

    example {w : bSet B} :
      (let φ := λ x, ⨅ z, z ∈ᴮ w ⊓ z ⊆ᴮ x ⊓ x ⊆ᴮ z
       in B_ext φ) := by simp

7 Conclusions and Future Work

Interestingly, we never used transfinite recursion for developing elementary set theory in pSet and bSet $\mathbb{B}$. Indeed, the prevalence of transfinite recursion in traditional presentations of set theory is only a consequence of the use of transfinite recursion in the traditional definitions of $V$ and $V^{\mathbb{B}}$. By instead encoding $V$ and $V^{\mathbb{B}}$ as inductive types which expose ∈-induction as their native induction principle, we completely eliminate transfinite induction from this part of our formalization.

Our consistency proof of CH is very different from the traditional proof, due to Gödel, which shows that the constructible universe $L$ satisfies GCH. An obvious path to constructing $L$ is to define the definable powerset operation with an inductive predicate on pSet whose constructors encode the nine Gödel operations, and to then build the constructible hierarchy by transfinite recursion. It is interesting to consider whether there is a definition of $L$ in the same spirit as pSet which completely avoids transfinite induction.

We also want to formalize the conservativity of ZFC over the usual presentation in the language {∈}, by proving more generally that extending a language with definable function symbols is conservative. Furthermore, while formulas with de Bruijn indices enjoy pleasant theoretical properties, they are difficult to write and debug by hand. It should be possible with Lean's metaprogramming to write a custom parser from formulas with named variables.

Although our custom automation saved a considerable amount of work, much of it is only an approximation to a more principled approach by reflection. The natural deduction and equality reasoning tactics in Section 6.1 and Section 6.2 make it easier to manually replay a first-order proof of a theorem of ZFC in bSet $\mathbb{B}$, but the Boolean-valued soundness theorem automatically performs this replay for a deeply-embedded first-order proof tree. Ideally, automation would reify a $\mathbb{B}$-valued goal to the corresponding first-order statement, discharge it by an ATP, encode the solution in our deeply-embedded proof system, then apply soundness. Alternately, one could perform proof transfer via the completeness theorem, proving a first-order goal in an arbitrary ordinary model of ZFC first, then applying $\mathbb{B}$-valued soundness to the proof tree gotten by completeness. The advantage of this approach is that a proof would only be computed once, then reused in any model, ordinary or $\mathbb{B}$-valued, whereas in our formalization, we occasionally had to prove the same statement separately in pSet and bSet $\mathbb{B}$.

Besides the construction of $L$, the consistency of GCH can also be shown by an iterated forcing argument. Our current implementation of forcing should extend without too much difficulty to iterated forcing with Boolean-valued models. There are also many generalizations of the consistency of ¬CH. An interesting challenge could be Easton's theorem, which states that on regular cardinals the function $\kappa \mapsto 2^\kappa$ can be any monotone function not contradicting König's Theorem ($\kappa < \mathrm{cf}(2^\kappa)$) [11].

Our work only marks the beginning of an integration of formal methods with modern set theory. Since Cohen, increasingly sophisticated forcing arguments have been used to produce a vast hierarchy of independence and relative consistency results. The challenge to proof engineers is to develop libraries and automation that can uniformly handle them, so that the manipulation of forcing notions and forcing extensions in a proof assistant becomes as routine as manipulating objects in an algebraic hierarchy is today. One place to start would be to develop a good interface for forcing with posets, and for transferring arguments along the equivalence to Boolean-valued models. One could develop a typeclass hierarchy of combinatorial conditions on forcing notions, and similarly for the relative consistency strengths of extensions to ZFC. As the next challenge to formalizers, we propose the classical result of Shelah [42] on the independence of Whitehead's problem, the proof of which combines the consistency of ZFC + (V = L) with the consistency of Martin's axiom [28] over ZFC + ¬CH to resolve a conjecture in abstract algebra.

Acknowledgments

We thank the members of the CMU-Pitt Lean group, particularly Simon Hudon, Jeremy Avigad, Mario Carneiro, Reid Barton, and Tom Hales for their feedback and suggestions; we are also grateful to Dana Scott and John Bell for their advice and correspondence.

The authors gratefully acknowledge the support by the Alfred P. Sloan Foundation, Grant No. G-2018-10067.

References

[1] Peter Aczel. 1978. The type theoretic interpretation of constructive set theory. In Logic Colloquium, Vol. 77. 55–66.
[2] Peter Aczel. 1982. The type theoretic interpretation of constructive set theory: choice principles. In Studies in Logic and the Foundations of Mathematics, Vol. 110. Elsevier, 1–40.
[3] Peter Aczel. 1986. The type theoretic interpretation of constructive set theory: inductive definitions. In Studies in Logic and the Foundations of Mathematics, Vol. 114. Elsevier, 17–49.
[4] John L. Bell. 2011. Set theory: Boolean-valued models and independence proofs. Vol. 47. Oxford University Press.
[5] Stefan Berghofer. 2007. First-Order Logic According to Fitting. Archive of Formal Proofs (Aug. 2007). http://isa-afp.org/entries/FOL-Fitting.html, Formal proof development.
[6] Georg Cantor. 1878. Ein Beitrag zur Mannigfaltigkeitslehre. Journal für die reine und angewandte Mathematik 84 (1878), 242–258.
[7] Mario Carneiro. 2019. The type theory of Lean. (2019). In preparation (https://github.com/digama0/lean-type-theory/releases).
[8] Paul J. Cohen. 1964. The independence of the continuum hypothesis. Proceedings of the National Academy of Sciences 50, 6 (1964), 1143–1148.
[9] Paul J. Cohen. 1964. The independence of the continuum hypothesis, II. Proceedings of the National Academy of Sciences 51, 1 (1964), 105.
[10] Leonardo de Moura, Soonho Kong, Jeremy Avigad, Floris van Doorn, and Jakob von Raumer. 2015. The Lean Theorem Prover (System Description). In Automated Deduction - CADE-25 - 25th International Conference on Automated Deduction, Berlin, Germany, August 1-7, 2015, Proceedings (Lecture Notes in Computer Science), Amy P. Felty and Aart Middeldorp (Eds.), Vol. 9195. Springer, 378–388. https://doi.org/10.1007/978-3-319-21401-6_26
[11] William B. Easton. 1970. Powers of regular cardinals. Annals of Mathematical Logic 1, 2 (1970), 139–178.
[12] Gabriel Ebner, Sebastian Ullrich, Jared Roesch, Jeremy Avigad, and Leonardo de Moura. 2017. A Metaprogramming Framework for Formal Verification. Proc. ACM Program. Lang. 1, ICFP, Article 34 (Aug. 2017), 29 pages. https://doi.org/10.1145/3110278
[13] Steven Givant and Paul Halmos. 2008. Introduction to Boolean algebras. Springer Science & Business Media.
[14] Kurt Gödel. 1938. The consistency of the axiom of choice and of the generalized continuum-hypothesis. Proceedings of the National Academy of Sciences 24, 12 (1938), 556–557.
[15] Emmanuel Gunther, Miguel Pagano, and Pedro Sánchez Terraf. 2018. First steps towards a formalization of Forcing. CoRR abs/1807.05174 (2018). arXiv:1807.05174 http://arxiv.org/abs/1807.05174
[16] Emmanuel Gunther, Miguel Pagano, and Pedro Sánchez Terraf. 2019. Mechanization of Separation in Generic Extensions. CoRR

abs/1901.03313 (2019). arXiv:1901.03313 http://arxiv.org/abs/1901. https://doi.org/10.1007/BF00881873 03313 [33] Lawrence C. Paulson. 2002. The Reflection Theorem: A Study in Meta- [17] Joel David Hamkins and Daniel Evan Seabold. 2012. Well-founded theoretic Reasoning. In Automated Deduction - CADE-18, 18th Interna- Boolean ultrapowers as large cardinal embeddings. arXiv preprint tional Conference on Automated Deduction, Copenhagen, Denmark, July arXiv:1206.6075 (2012). 27-30, 2002, Proceedings (Lecture Notes in Computer Science), Andrei [18] Jesse Michael Han and Floris van Doorn. 2019. A Formalization Voronkov (Ed.), Vol. 2392. Springer, 377–391. https://doi.org/10.1007/3- of Forcing and the Unprovability of the Continuum Hypothesis. In 540-45620-1_31 10th International Conference on Interactive Theorem Proving, ITP [34] Lawrence C. Paulson. 2008. The Relative Consistency of the Axiom of 2019, September 9-12, 2019, Portland, OR, USA. 19:1–19:19. https: Choice - Mechanized Using Isabelle/ZF. In Logic and Theory of Algo- //doi.org/10.4230/LIPIcs.ITP.2019.19 rithms, 4th Conference on Computability in Europe, CiE 2008, Athens, [19] John Harrison. 1998. Formalizing Basic First Order . Greece, June 15-20, 2008, Proceedings (Lecture Notes in Computer Sci- In Theorem Proving in Higher Order Logics, 11th International Con- ence), Arnold Beckmann, Costas Dimitracopoulos, and Benedikt Löwe ference, TPHOLs’98, Canberra, Australia, September 27 - October 1, (Eds.), Vol. 5028. Springer, 486–490. https://doi.org/10.1007/978-3-540- 1998, Proceedings (Lecture Notes in Computer Science), Jim Grundy 69407-6_52 and Malcolm C. Newey (Eds.), Vol. 1479. Springer, 153–170. https: [35] Lawrence C. Paulson and Krzysztof Grabczewski. 1996. Mechanizing //doi.org/10.1007/BFb0055135 Set Theory. J. Autom. Reasoning 17, 3 (1996), 291–323. https://doi.org/ [20] John Harrison. 2009. Handbook of Practical Logic and Automated 10.1007/BF00283132 Reasoning. Cambridge University Press. 
[36] Tom Ridge and James Margetson. 2005. A Mechanically Verified, Sound [21] Friedrich Hartogs. 1915. Über das Problem der Wohlordnung. Math. and Complete Theorem Prover for First Order Logic, See [23], 294–309. Ann. 76, 4 (1915), 438–443. https://doi.org/10.1007/11541868_19 [22] Simon Hudon, Thai Son Hoang, and Jonathan S. Ostroff. 2015. The [37] Anders Schlichtkrull. 2018. Formalization of logic in the Isabelle proof Unit-B method: refinement guided by progress concerns. Software & assistant. Ph.D. Dissertation. Technical University of Denmark. Systems Modeling 15 (2015), 1091–1116. [38] Dana Scott. 1967. A Proof of the Independence of the Continuum [23] Joe Hurd and Thomas F. Melham (Eds.). 2005. Theorem Proving in Hypothesis. Theory of Computing Systems 1, 2 (1967), 89–111. Higher Order Logics, 18th International Conference, TPHOLs 2005, Ox- [39] Dana Scott. 2008. The Algebraic Intepretation of Quantifiers: intu- ford, UK, August 22-25, 2005, Proceedings. Lecture Notes in Computer itionistic and classical. Andrzej Mostowski and Foundational Studies Science, Vol. 3603. Springer. https://doi.org/10.1007/11541868 (2008), 289–312. [24] Danko Ilik. 2010. Constructive completeness proofs and delimited control. [40] Dana Scott and Robert Solovay. 1967. Boolean algebras and forcing. Ph.D. Dissertation. Ecole Polytechnique X. (1967). Unpublished manuscript. [25] Thomas Jech. 2013. Set theory. Springer Science & Business Media. [41] Natarajan Shankar. 1997. Metamathematics, machines and Gödel’s [26] Kenneth Kunen. 1980. Set theory. Studies in Logic and the Foundations proof. Vol. 38. Cambridge University Press. of Mathematics, Vol. 102. North-Holland Publishing Co., Amsterdam- [42] Saharon Shelah. 1974. Infinite abelian groups, Whitehead problem New York. xvi+313 pages. and some constructions. Israel Journal of Mathematics 18, 3 (1974), [27] Yu I Manin. 2009. A course in mathematical logic for mathematicians. 243–256. Vol. 53. Springer Science & Business Media. 
[43] Joseph R Shoenfield. 1971. Unramified forcing. In Axiomatic set theory, [28] Donald A Martin and Robert M Solovay. 1970. Internal Cohen exten- Vol. 13. AMS Providence, RI, 357–381. sions. Annals of Mathematical Logic 2, 2 (1970), 143–178. [44] Sebastian Ullrich and Leonardo de Moura. 2019. Counting Immutable [29] The mathlib Community. 2019. The Lean mathematical library. arXiv Beans: Reference Counting Optimized for Purely Functional Program- e-prints, Article arXiv:1910.09336 (Oct 2019), arXiv:1910.09336 pages. ming. arXiv:cs.PL/1908.05647 arXiv:cs.LO/1910.09336 [45] Nik Weaver. 2014. Forcing for mathematicians. World Scientific. [30] Justin Tatch Moore. 2019. The method of forcing. arXiv preprint [46] Benjamin Werner. 1997. Sets in types, types in sets. In International arXiv:1902.03235 (2019). Symposium on Theoretical Aspects of Computer Software. Springer, 530– [31] Russell O’Connor. 2005. Essential Incompleteness of Arithmetic Veri- 546. fied by Coq, See [23], 245–260. https://doi.org/10.1007/11541868_16 [47] Freek Wiedijk. [n. d.]. Formalizing 100 theorems. http://www.cs.ru. [32] Lawrence C. Paulson. 1993. Set Theory for Verification: I. From nl/~freek/100/ Foundations to Functions. J. Autom. Reasoning 11, 3 (1993), 353–389.