A Verified Implementation of Algebraic Numbers in Isabelle/HOL
Abstract
We formalize algebraic numbers in Isabelle/HOL. Our development serves as a verified implementation of algebraic operations on real and complex numbers. We moreover provide algorithms that can identify all the real or complex roots of rational polynomials, and two implementations to display algebraic numbers, an approximative version and an injective precise one. We obtain verified Haskell code for these operations via Isabelle’s code generator. The development combines various existing formalizations such as matrices, Sturm’s theorem, and polynomial factorization, and it includes new formalizations about bivariate polynomials, unique factorization domains, resultants and subresultants.
Keywords
Theorem proving Algebraic numbers Real algebraic geometry Resultants1 Introduction
Algebraic numbers, i.e., the numbers that are expressed as roots of nonzero integer (or equivalently rational) polynomials, are an attractive subset of the real or complex numbers. Every satisfiable polynomial constraint has solutions in the domain of algebraic numbers; in particular, algebraic numbers are closed under arithmetic operations (addition, multiplication, integer powers, and there inverses). Moreover these arithmetic operations are precisely computable, and comparisons of algebraic numbers are decidable. As a consequence, algebraic numbers are an important utility in computer algebra systems; e.g., Collin’s cylindrical algebraic decomposition algorithm for solving problems in real algebraic geometry heavily relies upon algebraic numbers [20, Sect. 8.6.5].
Our original interest in algebraic numbers stems from a certification problem about automatically generated complexity proofs, where for a given matrix \(A \in {\mathbb {Q}}^{n \times n}\) we have to compute the growth rate of \(A^n\) for increasing n [25]. To this end, all complex roots of the characteristic polynomial of A have to be identified.
Example 1
Consider a matrix A whose characteristic polynomial is \(f(x) = \frac{1}{3} \cdot (1 + 2x + 3x^4)\) and let \(\lambda _1,\dots ,\lambda _4\) be the complex roots of f. If the norm of some \(\lambda _i\) is larger than 1, then the growth rate of A is exponential; if all norms are below 1, then \(A^n\) tends to 0; and otherwise the growth rate is polynomial and its degree can be determined by further computations.
In this paper, we describe an implementation of algebraic numbers in Isabelle/HOL [21]. Up to our knowledge it is the first implementation that is both fully verified and executable on its own, i.e., without information from external tools. The implementation already became a crucial component of the automated reasoning tool CeTA for verifying complexity proofs [1, 25] that are generated during the annual termination competitions [12]. It is also used within a verified solver for linear recurrences [10].

We first introduce some basic notions of algebraic numbers and then formalize the fact that every algebraic number has a unique canonical polynomial that represents it. We argue that these canonical polynomials make a good internal representation (Sect. 2).

For each algebraic operation, we formalize how to synthesize a polynomial that represents the output using polynomials that represent the inputs. We thus show that algebraic numbers are closed under the algebraic operations (Sect. 3).

For the multiplication and addition of algebraic numbers, we refer to resultants. We implement and formalize the subresultant remainder sequence algorithm, which can efficiently compute resultants (Sect. 4).

Using the above results, we implement the algebraic operations and comparisons of real and complex algebraic numbers, and a function to uniquely convert them into strings. We develop a hierarchy of four layers to represent real algebraic numbers, formalize several bisection algorithms, and integrate optimizations to obtain efficient code (Sect. 5).

We moreover provide algorithms that identify all real and complex roots of a rational polynomial. Together with the fact that complex roots of a real polynomial come in complex conjugate pairs, we derive algorithms that completely factor rational polynomials into real or complex polynomial factors (Sect. 6).

As we made an effort for efficiency, we experimentally compare the implementation against a version described in a preliminary version [24] of this paper, and the commercial computer algebra tool Wolfram Mathematica 11 (Sect. 7).
For the Coq proof assistant, the Mathematical Components library^{1} contains various formalized results around algebraic numbers, e.g., quantifier elimination procedures for real closed fields [6]. In particular, the formalization of algebraic numbers for Coq is given by Cohen [4]. He employed Bézout’s theorem to derive desired properties of resultants, while we followed proofs by Mishra [20] and formalized various facts on resultants. Our work is orthogonal to the more recent work which avoids resultants [5]. A partial Coq formalization of subresultants also exists [19]. In contrast, our formalization is complete, and also integrates an optimization due to Ducos [8, Sect. 2].
For Isabelle, Li and Paulson [18] independently implemented algebraic numbers. They however did not formalize resultants; instead, they employed an external tool as an oracle to provide polynomials that represent desired algebraic numbers, and provided a method to validate that the polynomials from the oracle are suitable.^{2} Due to our optimization efforts, we can execute their examples [18, Fig. 3] in 0.016 seconds on our machine, where they reported 4.16 seconds.^{3}
The whole formalization is available in the archive of formal proofs (AFP), mostly in entries Algebraic Numbers and Subresultants. Additionally, on
https://doi.org/10.5281/zenodo.1411394
we link statements in the paper with the Isabelle sources and provide details on our experiments.
2 Representation of Algebraic Numbers
Our formalization is based on Isabelle/HOL, and we state theorems and definitions following Isabelle’s syntax. For instance, Open image in new window indicates that Open image in new window is a function that takes integers and returns elements of type \(\alpha \), which is of class Open image in new window . The type of polynomials over coefficients of type \(\alpha \) is denoted by Open image in new window . In Isabelle, a polynomial \(f(x) = \sum _{i=0}^m f_i x^i\) is written as Open image in new window (the leading coefficient comes last in the list), Open image in new window denotes the coefficient \(f_i\), Open image in new window the degree m, and Open image in new window the evaluation f(a) at Open image in new window .
A number a is algebraic if it is a root of a nonzero integer polynomial f. The notion is defined in Isabelle 2018 as follows.
Definition 1
Here the condition that f is an integer polynomial is expressed by enforcing the coefficients of f to be in the set \({\mathbb {Z}}\), which is of type Open image in new window . In this definition, the polynomial Open image in new window and the algebraic number Open image in new window share the same domain type \(\alpha \), which will be instantiated by Open image in new window or Open image in new window . Since our motivation is to implement functions that actually operate on algebraic numbers of type Open image in new window and Open image in new window , manipulating polynomials in type Open image in new window leads to a circular dependency. Hence we introduce the predicate Open image in new window , meaning that a nonzero integer polynomial Open image in new window has Open image in new window as a root.
Definition 2
Here, Open image in new window is an abbreviation for Open image in new window , and Open image in new window converts the type of integer polynomials.
We obtain the following alternative characterization of algebraic numbers.
Lemma 1
2.1 Unique Representation
An algebraic number can be represented by arbitrarily many polynomials; for instance \(\sqrt{2}\) is represented by \(f(x) = x^2  2\), \(g(x) = x^2 + 2\), \(h(x) = x^4 + 2x^3 4x  4\), \(k(x) = 2x^2  4\), etc. However, every algebraic number can be uniquely represented by an integer polynomial which has no nontrivial divisors and a positive leading coefficient. The degree of this unique representative polynomial is called the degree of the algebraic number. For instance, f is this unique representative of \(\sqrt{2}\), whereas g has a negative leading coefficient, and h is reducible as \(h(x) = f(x) \cdot (x^2 + 2x + 2)\).
Irreducibility of a polynomial often means that it is nonconstant and has no nonconstant divisor of smaller degree, and in the preliminary version of this work [24] we used such a definition. Isabelle 2018, however, uses the following predicate Open image in new window for arbitrary commutative rings.
Definition 3
Here Open image in new window is Isabelle’s notation for divisibility. This definition is stronger than the polynomialspecific version. In particular, Open image in new window for nonconstant integer polynomial f demands that f is contentfree, i.e., the GCD of the coefficients of f is 1; otherwise, f is “reducible” by the GCD. For instance, the integer polynomial k above is reducible since \(k(x) = (x^2  2) \cdot 2\). Note also that the definitions are equivalent on field polynomials.
We adopt this stronger definition in the current work, and formulate the uniqueness statement as follows.
Lemma 2
Typical uniqueness results found in the literature (e.g., [11, pp. 700] and [20, pp. 319]) state that there is a unique representative polynomial of the minimum degree. Our claim is more useful for computing the unique representative: if we find any irreducible polynomial representing a number, then we do not have to search for other polynomials of lower degree that represent the same number. The typical statement is easily obtained from Lemma 2; actually the irreducible representative polynomial is of the minimum degree.
Corollary 1
We also establish a connection between Open image in new window and the already existing locale Open image in new window . Thus we can derive results from Open image in new window , e.g., that irreducibility and primality are equivalent in UFDs. This yields that for an irreducible integer polynomial f with positive leading coefficient, the GCD of f and any polynomial g is either 1 or f itself:
Lemma 3
To prove Lemma 2 we further show that the GCD of two integer polynomials stays the same up to a constant factor if we embed \({\mathbb {Z}}\) into \({\mathbb {R}}\) or \({\mathbb {C}}\).
Lemma 4
Our proof of Lemma 2 then works as follows: Assume that f and g are two different, positive and irreducible integer polynomials with a common real or complex root a. That is, f and g as real or complex polynomials have a common factor \(xa\) and hence, their GCD is a nonconstant polynomial. On the other hand, the GCD of f and g as integer polynomials must be 1: it cannot be f or g itself, since \(f \ne g\).
2.2 Unique Representation or Not?
Despite the existence of a unique (and minimal) representative polynomial of an algebraic number, it is a priori questionable whether it is a good choice in an implementation to stick to the unique representative polynomials. There is a tradeoff between the cost of computing unique representatives from arbitrary representations via polynomial factorization, and the penalty of not using minimal representations in a sequence of operations.
We answer this question experimentally by computing representations of the algebraic numbers \(\sum _{i=1}^n \sqrt{i}\) for various n. In one configuration we stick to the unique representatives and perform complete polynomial factorization after each addition. In another configuration we only perform the efficient squarefree factorization that eliminates duplicate factors.
Computation time/degree of representing polynomials for \(\sum _{i=1}^n \sqrt{i}\)
Factorization  \(n = 6\)  \(n = 7\)  \(n = 8\)  \(n = 9\)  \(n = 10\) 

Squarefree  0.054s/64  0.807s/128  19.725s/256  3m19s/384  1h48m/768 
Complete  0.019s/8  0.044s/16  0.080s/16  0.080s/16  0.117s/16 
3 Synthesizing Representative Polynomials
In order to define arithmetic operations over algebraic numbers, the first task is the following: Given polynomials that represent the input numbers, compute a polynomial that represents the output number. In the sequel, we will illustrate the constructions for the various arithmetic operations in ascending difficulty.
3.1 Constants
Obviously, a rational number \(a = \frac{n}{d}\) can be represented by \(dx  n\).
Definition 4
Lemma 5
Isabelle’s implementation of the rational numbers ensures that n and d are coprime and \(d\ge 1\). Therefore the polynomial is already positive and irreducible.
Lemma 6
3.2 Negation and Inverse
Consider an algebraic number a represented as a root of \(f(x) = \sum _{i=0}^m f_i x^i\). To represent the unary minus \(a\), the polynomial Open image in new window , defined as \(f(x)\), i.e., \(\sum _{i=0}^m (1)^i f_i x^i\), does the job.
Lemma 7
For the inverse \(\frac{1}{a}\), it is also not difficult to show that the reciprocal polynomial\(\sum _{i=0}^m f_i x^{mi}\), which is defined in Isabelle 2018 as Open image in new window , has \(\frac{1}{a}\) as a root.
Lemma 8
It is beneficial to also show that Open image in new window and Open image in new window preserve irreducibility, since otherwise we would have to perform polynomial factorization to maintain the invariant of always working on irreducible polynomials. We argue as follows: Suppose that f is irreducible and represents a. Clearly Open image in new window preserves the degree and content; thus if Open image in new window is reducible, then there is a polynomial h of smaller degree that represents \(a\). Since Open image in new window represents \((a) = a\), we obtain a polynomial representing a whose degree is smaller than f. This contradicts the uniqueness of f.
The same argument works also for Open image in new window , and we formalize the following lemma that generalizes the two.
Lemma 9
By instantiating b in the lemma by \(a\), g by Open image in new window , and I by Open image in new window , we obtain the desired result for Open image in new window . Similarly we easily obtain the result for Open image in new window .
Lemma 10
Lemma 11
3.3 Multiplication and Addition with Rational Numbers
If we had chosen rational polynomials to represent algebraic numbers, it would be easy to add or multiply a rational number to an algebraic number: when f represents a, the rational polynomials \(f(x  \frac{n}{d})\) and \(f(\frac{d}{n} \cdot x)\) represent \(a + \frac{n}{d}\) and \(a \cdot \frac{n}{d}\), respectively. In our current formalization, however, we work with integer polynomials for efficiency reasons. As neither \(f(x  \frac{n}{d})\) nor \(f(\frac{d}{n} \cdot x)\) is in general an integer polynomial, we define the polynomials slightly differently.
Definition 5
We prove the desired correctness results in a straightforward way.
Lemma 12
Lemma 13
The condition \(b \ne 0\) in Lemma 13 stems from the fact that we are essentially performing division. In practice this just demands a special case for \(b = 0\), which trivially results in the rational number 0.
Unfortunately both Open image in new window and Open image in new window do not preserve irreducibility in terms of Definition 3 in general, since they do not preserve content; e.g., for \(f(x) = 2x3\), the unique representation of \(\frac{3}{2}\), Open image in new window results in the polynomial \(2x6\), which represents 3 but is not contentfree. Nevertheless, we only need to eliminate content to obtain irreducibility. We define a function Open image in new window which divides all coefficients by the content, and additionally ensures a positive leading coefficient. Note that f represents a if and only if Open image in new window represents a. Since each of the above functions preserves degree, and an inverse operation can be found, we apply Lemma 9 and derive the desired irreducibility results.
Lemma 14
Lemma 15
3.4 nth Root
For nth root of a represented by \(f(x) = \sum _{i=0}^m f_i x^i\), it is easy to see that \(f(x^n)\), i.e., \(\sum _{i=0}^m f_i x^{ni}\), represents \(\root n \of {a}\).
Definition 6
Lemma 16
We stated the result for nth roots without using Isabelle’s operations Open image in new window and Open image in new window , because they are defined only on types Open image in new window and Open image in new window , respectively, but not on a generic field. We easily derive the results for the specific types.
Lemma 17
Lemma 18
In contrast to previous sections, Open image in new window does not preserve irreducibility, even though it preserves contents. Consider, e.g., Open image in new window applied to \(x64\), the unique representative of 64. The resulting polynomial is \(x^464\), which can be factored into \((x^28)\cdot (x^2 + 8)\). Also for the polynomials obtained from addition and multiplication of two algebraic numbers, we cannot ensure irreducibility in general. We address this issue in Sect. 5.3.
3.5 Addition and Multiplication of Algebraic Numbers
To add or multiply two irrational algebraic numbers a and b, respectively represented as roots of polynomials f and g, we must compose nonzero polynomials Open image in new window and Open image in new window that have \(a + b\) and \(a \cdot b\) as a root.
We first state the desired result for addition. Here, Open image in new window is defined as the univariate polynomial \(\mathrm {Res}_{y}(f(xy),g(y))\).
Lemma 19
We perform multiplication through division by the inverse, and division as follows: Open image in new window is defined as \(\mathrm {Res}_{y}(f(x\cdot y),g(y))\) and Open image in new window ensures that g does not represent 0, so that in particular \(b \ne 0\).
Lemma 20
To prove each lemma, we need to prove two claims: the resultant has a desired root, and is a nonzero polynomial. In the next sections we prove each of the claims.
3.5.1 Resultant has Desired Roots
Lemma 21
Lemma 22
Lemma 23
Here, Open image in new window is our notation for bivariate polynomial evaluation.
Now for univariate nonzero polynomials f and g with respective roots a and b, the bivariate polynomials \(f(xy)\) and g(y) have a common root at \(x = a+b\) and \(y = b\). Hence, Lemma 23 indicates that the univariate polynomial \(\mathrm {Res}_{y}(f(xy),g(y))\) has \(x = a+b\) as a root.
Lemma 24
We need a variation of Lemma 24 in which Open image in new window and Open image in new window are of type Open image in new window while Open image in new window and Open image in new window are still of type \(\alpha \). We prove some homomorphism lemmas to obtain the following:
Lemma 25
Analogously, if \(b \ne 0\), then \(f(x\cdot y)\) and g(y) have a common root at \(x = a/b\) and \(y = b\).
Lemma 26
3.5.2 Resultant is NonZero
Now consider the second claim: Open image in new window and Open image in new window are nonzero polynomials. Note that they would otherwise have any number as a root. Somewhat surprisingly, formalizing this claim is more involved than the first one.
We first strengthen Lemma 22, so that p and q are nonzero polynomials. Here, we require an integral domain Open image in new window , i.e., there exist no zero divisors.
Lemma 27
The proof is easy for the case where \(\mathrm {Res}_{}(f,g)\) is nonzero: we obtain p and q using Lemma 22, and it is easy to see that \(p \cdot f + q \cdot g\) cannot be a constant if \(p = 0\) or \(q = 0\), using the constraints on degrees. For the case \(\mathrm {Res}_{}(f,g) = 0\), we formalize the classical result that linear equation \(A\mathbf {v} = \mathbf {0}\) on an integral domain has a nonzero solution if and only if \(\det (A) = 0\). Since resultants are the determinants of Sylvester matrices, from a nonzero solution to \(S_{f,g}\mathbf {v} = \mathbf {0}\) one can extract nonzero polynomials p and q as a solution to \(p \cdot f + q \cdot g = 0\).
If \(\mathrm {Res}_{}(f,g) = 0\), then from Lemma 27 we have \(p \cdot f =  q \cdot g\). In UFDs, this implies that f and g cannot be coprime, i.e., that f and g have a common factor, since otherwise f must divide \(q\), contradicting \(\textit{degree}(f) > \textit{degree}(q)\).
The definition of the predicate Open image in new window in Isabelle 2018 relies on the definition of Open image in new window . We generalize Open image in new window as follows in order to state the above for arbitrary UFDs:
Definition 7
Lemma 28
4 Computing the Resultant
Resultants can be computed by first building the Sylvester matrix and then computing its determinant by transformation into row echelon form. A more efficient way to compute resultants has been developed by Brown and Traub: the subresultant polynomial remainder sequence (PRS) algorithm [2, 3].
The algorithm computes \(\mathrm {Res}_{}(f,g)\) in the manner of Euclid’s algorithm. It repeatedly performs the polynomial division on the two input polynomials and replaces one input of larger degree by the remainder of the division.
We first consider all computations over the fraction field Open image in new window , where all division operations are inherently exact. We then prove that intermediate values stay of form \(\frac{a}{1}\); that is, we can use a partial division operator Open image in new window on the integral domain \(\alpha \), that satisfies Open image in new window for \(b\ne 0\), but not necessarily Open image in new window . Therefore, our final implementation works solely on the integral domain, without requiring fraction field operations.
Lemma 29
Using the following lemma, we can always assume \(\textit{degree}(f) \le \textit{degree}(g)\). In the remainder of this section, we write m for \(\textit{degree}(f)\) and n for \(\textit{degree}(g)\).
Lemma 30
Following Brown and Traub [3], we then formalize the following lemma, showing that a Euclidean algorithm can be used to compute subresultants. As in the Euclidean algorithm, we require a polynomial h such that \(h = f + b \cdot g\) for some b, where \(l = \textit{degree}(h) < n\).
Lemma 31
 1.
\(j < l \Longrightarrow \) Open image in new window
 2.
 3.
 4.
For nonfield polynomials, and in particular bivariate polynomials, polynomial division is not always possible, but pseudodivision is: we can find h such that \(h = d \cdot f + b \cdot g\) for some constant d. The following lemma allows us to use pseudodivision instead of division in subresultant computation.
Lemma 32
Iterated application of pseudodivision results in repeated multiplication with constants \(d^{nj}\), and hence the coefficients of the processed polynomials increase exponentially. One approach to keep the coefficients small is to divide the polynomials by their content in every iteration, as in Collin’s primitive PRS algorithm [3, Sect. 4]. We have implemented this approach for the preliminary version [24] of this paper.
This work additionally formalizes the more sophisticated subresultant PRS algorithm of Brown and Traub [2, 3]. Here, a constant Open image in new window —the leading coefficient of a subresultant of the input polynomials—is carried around as an extra argument. It is used to perform exact divisions on the pseudoremainder polynomials without the necessity to calculate the content in every iteration.
The core of this algorithm is formalized as follows, where Open image in new window is an Isabelle function that divides a polynomial by a constant.
Definition 8
The above function works under the invariant that \(n < m\) (so that \(\delta  1 \ge 0\) in Definition 8) and in particular the invariant that all divisions are exact. Thus as the initial step we establish these invariants, and obtain a suitable initial value for Open image in new window .
Definition 9
The invocation of Open image in new window returns a pair (h, d), where h is a scalar multiple of the GCD of Open image in new window and Open image in new window , and \(\mathrm {Res}_{}(f,g) = d\) if \(\textit{degree}(h) = 0\), and \(\mathrm {Res}_{}(f,g) = 0\) otherwise.
In addition to the definitions of Open image in new window and Open image in new window we develop an optimized implementation in the form of code equations. These optimizations include treating common cases separately, avoiding calculating the same value twice, and replacing expressions like \((1)^{\delta +1}\cdot h\) by a single negation. We also integrate the efficient calculation of Open image in new window described by Ducos as dichotomous Lazard [8, Sect. 2], but we did not integrate Ducos’ second optimization about the calculation of Open image in new window in Definition 8.
We define the final function as Open image in new window , and prove the following correctness result as a code equation:
Lemma 33
We also define a function Open image in new window that returns the GCD of two polynomials based on Open image in new window , and get a correctness result:
Lemma 34
We do not state Lemma 34 as a code equation, since on simple polynomials, e.g., of type Open image in new window , we experimentally see that the algorithm performs worse than the standard GCD implementation. The algorithm becomes beneficial for multivariate polynomials, e.g., Open image in new window .
5 Real Algebraic Numbers
In the previous two sections, we have seen how to synthesize a polynomial f representing an algebraic number a as one of its root. To unambiguously represent a, we need to specify which root of f is actually a. Moreover, we need a concrete representation of real algebraic numbers. Both of these problems are addressed in this section, resulting in a verified implementation of real algebraic numbers.
5.1 Datatypes for Real Algebraic Numbers
Layer 2 introduces the datatype Open image in new window , which takes a special treatment for rational numbers, so that computations involving only rational numbers will not experience overheads that would arise by manipulating roots of polynomials as in Layer 1. Hence, Open image in new window demands that the (f, l, r)form is used only for algebraic numbers of degree at least 2. In Open image in new window , we additionally store the index of the root, counted from the smallest to the largest.
Layer 3 introduces the type Open image in new window , which is identical to Open image in new window but now Open image in new window is enforced by the type system.
Layer 4 introduces the quotient type Open image in new window , that identifies different representations of the same number. Hence, the builtin equality of Isabelle/HOL on Open image in new window corresponds to equality on the represented real numbers. We do not have this property in other layers, since they still permit a number to be represented differently; e.g., \(\sqrt{2}\) is encoded by \((x^2  2,1,2)\), \((x^2  2, 1.4, 1.5)\), etc.
In Layer 1, Open image in new window computes the new representative polynomial Open image in new window , and takes \([r,l]\) as the new interval. To satisfy the invariant that the leading coefficient is positive, Open image in new window , which just negates the polynomial if the leading coefficient is negative, is applied. The correctness lemma states that the invariants are preserved and the desired \(a\) is represented.
In Layer 2, we perform a simple caseanalysis on whether the represented number a is rational or not. If it is, then we use the rational number \(a\), and otherwise invoke Open image in new window from Layer 1. Afterwards, Open image in new window is applied. This function converts the triple representation into Open image in new window by either extracting the rational root if f is linear, or by computing the index of the root by invoking Sturm’s method.
Lifting the algorithms and the correctness lemma from Layer 2 to Layer s 3 and 4 is then immediate using Isabelle’s lifting and transfer package [14].
5.2 Comparison and Tightening Intervals
Lemma 35
Definition 10
Using this comparison with rational numbers, we can tighten the intervals to arbitrary precision: by taking, e.g., \(q = \frac{l+r}{2}\) one can halve the interval to [l, q] or [q, r], depending on whether \(a < q\) or \(q < a\).
Being able to tighten intervals, we can implement the Open image in new window \(\left\lfloor a\right\rfloor \) and Open image in new window \(\left\lceil a\right\rceil \) operations: tighten the interval of a until it contains at most one integer point, and then use the signbased comparison to determine whether a is less or greater than the integer.
We can also compare two irrational algebraic numbers a and b by tightening intervals. The implementation of the comparison functions^{4} for the first two layers is shown in Fig. 6.
In Layer 1, if a and b have disjoint intervals, then comparison is trivial. Otherwise Open image in new window tightens the intervals of a and b until they become disjoint. The procedure is terminating only if \(a \ne b\), since intervals will never become disjoint if \(a = b\). Hence Isabelle’s partialfunction command [16], that allows defining potentially nonterminating procedures, becomes essential. In order to conveniently prove correctness, we define some wellfounded relations for inductive proofs, which are reused for various bisection algorithms. For instance, we define a relation based on a decrease in the size of the intervals by at least \(\delta \), where \(\delta \) is the separation distance, i.e., the minimal distance of two distinct roots of some polynomial.
5.3 Polynomial Factorization and Root Separation
Recall the invariant of Layer 1: the representing polynomial must be irreducible and have exactly one root in the provided interval. Hence, after synthesizing a polynomial f to represent an algebraic number a, we must further ensure irreducibility of f and provide an interval in which a is the only root of f.
For unary minus and multiplicative inverse, Lemmas 10 and 11 ensure irreducibility, and moreover the obvious intervals \([r,l]\) and \([r^{1}, l^{1}]\) work, where [l, r] is the interval for the input. For other arithmetic operations from Sect. 3, the synthesized polynomial is not generally irreducible, and obviously derived intervals may contain multiple roots.
We first establish irreducibility by a formalized polynomial factorization algorithm [7], and obtain irreducible polynomials \(f_1, \cdots , f_n\), such that exactly one of them represents the desired a. So the remaining task is to determine which \(f_i\) has a as a root, and to provide an interval in which a is the only root of \(f_i\).
We achieve the two goals in one go. Our algorithm maintains: the current interval [l, r], which contains the desired a; a list F of candidate polynomials which have at least one root in the interval; and the total number n of roots the candidates have in the interval.
The procedure returns if \(n = 1\); in this case, F contains exactly one polynomial, and this polynomial represents a. Otherwise, it tightens [l, r], and then updates n and simultaneously excludes those factors from F that have no root in [l, r]. We will explain later in this section how to count the number of real roots a polynomial f has in a given interval.
Note that this procedure terminates only if exactly one candidate polynomial has a as a root. Consequently, we again use partialfunction to define the procedure in Isabelle.
For instance, if a is the addition of b and c, represented by \((g,l_b,r_b)\) and \((h,l_c,r_c)\), then the state is a quadruple \((l_b,r_b,l_c,r_c)\), Open image in new window returns \([l_b + l_c, r_b + r_c]\), and Open image in new window tightens intervals of b and c using the bisection algorithm Open image in new window of Sect. 5.2. Multiplication \(a = b \cdot c\) is treated in the same way, except that Open image in new window returns the interval \([l_b \cdot l_c, r_b \cdot r_c]\); here, the main bisection algorithm for multiplication is only invoked on positive numbers, and a separate algorithm takes care of the signs.
Finally, for computing the nth root \(a = \root n \of {b}\) of a positive number b, the state is an interval \([l_a,r_a]\) containing a, where initially \(l_a = \left\lfloor \root n \of {l_b}\right\rfloor \) and \(r_a = \left\lceil \root n \of {r_b}\right\rceil \). In every iteration of Open image in new window , we first compute the rational number \(m = \frac{l_a + r_a}{2}\). We then compare m with a by comparing \(m^n\) with b. This detour is necessary, since the latter comparison can be computed using Open image in new window from Sect. 5.2, whereas the former comparison is problematic since a is not available. Finally, we update the interval \([l_a,r_a]\) to one of the tighter intervals \([l_a,m]\), [m, m], or \([m,r_a]\), depending on whether \(a < m\), \(a = m\), or \(m < a\).
We present the correctness statement of the generic factor selection procedure only on Layer 2 where the functions Open image in new window and Open image in new window are implicit arguments to Open image in new window , and where Open image in new window is iterated function application of Open image in new window on input Open image in new window .
Lemma 36
The actual correctness proof in Layer 1 is a rather involved inductive proof; the wellfoundedness of the induction relation depends on the convergence of the bounds towards Open image in new window , and the statement uses 12 invariants that are maintained throughout the proof.
It remains to count how many roots a polynomial f has in a given interval. We implement such a rootcounting function Open image in new window using Sturm’s method, with a special treatment for linear polynomials. We extend the existing formalization by Eberl [9], which takes a real polynomial and real bounds, so that it can be applied on rational polynomials with rational bounds; nevertheless, the number of real roots must be determined. This extension is crucial as we later implement the real numbers by the real algebraic numbers via data refinement [13]; at this point we must not yet use real number arithmetic. The correctness of this extension is shown mainly by proving that all algorithms utilized in Sturm’s method can be homomorphically extended. For instance, for Sturm sequences we formalize the following result:
Lemma 37
For efficiency, we adapt the algorithm for our specific purpose. Sturm’s method works in two phases: the first phase computes a Sturm sequence, and the second one computes the number of roots by counting the number of sign changes on this sequence for both the upper and the lower bounds of the interval. The first phase depends only on the input polynomial, but not on the interval bounds. Therefore, for each polynomial f in the candidate list F we precompute the Sturm sequence once, so that when a new interval is queried, only the second phase of Sturm’s method has to be evaluated. This can be seen in the following code equation:
Lemma 38
5.4 Implementing Real and Complex Numbers via Real Algebraic Numbers
Having the arithmetic operations on real algebraic numbers, we now provide code equations to implement the real numbers via real algebraic numbers by data refinement, where Open image in new window is converted into a constructor in the generated code.
Lemma 39
Note that in Lemma 39, the lefthand side of the equality is addition for type Open image in new window , whereas the right is addition for type Open image in new window .
As a consequence, Isabelle users now can specify algorithms using algebraic operations on type Open image in new window and will obtain executable code which uses our verified real algebraic number implementation. Similarly, one can prove a lemma over real numbers like Open image in new window by evaluation.
5.5 Displaying Algebraic Numbers
We provide two approaches to display real algebraic numbers, i.e., two functions Open image in new window of type Open image in new window . The first one displays an approximative value of an algebraic number a. Essentially, the rational number \(\frac{\lfloor 1000a \rfloor }{1000}\) is computed and displayed as a string. For instance, \(\sqrt{2}\) is displayed as “\(\sim \) 1.414”.
The second approach displays an algebraic number without approximation, canonically in form “root #n of f”. For Layer 4 we have to prove that this approach actually defines a function, i.e., f and n are uniquely defined by the represented algebraic number. This result easily follows from the invariant that we use irreducible polynomials in combination with their uniqueness, Lemma 2.
Whereas there is no soundness statement for the final Open image in new window , we prove the following result for Open image in new window .
Lemma 40
Using Open image in new window , we define a function for displaying values of type Open image in new window and then provide its executable implementation via a code equation.
Definition 11
Lemma 41
Using Open image in new window , it is trivial to display complex numbers. Here we only present a simplified definition. The actual definition produces nicer strings if the imaginary part or real part are zero. In the definition, Isabelle’s listappend operator Open image in new window is used for string concatenation.
Definition 12
6 Real and Complex Roots of Rational Polynomials
In this section, we provide executable functions which identify all real or complex roots of an integer or rational polynomial, as illustrated in Example 1. Without loss of generality we only consider integer polynomials, since every rational polynomial can be converted into an integer polynomial with the same roots, namely by multiplying with the common denominator of the coefficients.
Based on the root finding algorithms, we also provide complete real and complex polynomial factorization algorithms, that work for polynomials with rational coefficients.
6.1 Real Roots of Integer Polynomials
We cannot yet represent the roots of an arbitrary polynomial f as Open image in new window , ..., Open image in new window as in Example 1, since we have to establish the invariant that f is irreducible, and provide an interval for each root.
Example 2
The polynomial \(f = 14 + 63x + 49x^2 + 490x^3 + 469x^4 + 21x^5 + 126x^6\) has three real roots. The algorithm for computing all roots of f will result in the rational number \(\frac{1}{3}\) and the first two roots of \(g = 2 + 3x + 7x^2 + x^3 + 2x^4\), which are irrational and are the unique roots of g in the intervals \([4,2]\) and \([2,0]\).
 1.
integer polynomial factorization: \(f = 7 \cdot (1 + 3x)^2 \cdot g\) in Example 2
 2.
construction of initial bounds for roots: all roots of g are within \([8,8]\)
 3.
bisection until one finds intervals for all roots: the roots of g are the unique roots of g in the intervals \([4,2]\) and \([2,0]\)
6.1.1 Root Bounds
Instead of searching the infinite real space for roots of a polynomial, we start with a closed interval. There are some known bounds on the maximal absolute value of roots of a polynomial. Among them we choose Cauchy’s bound, as it is efficient and easy to formalize, and gives sufficient precision for our purpose.
Definition 13
Lemma 42
6.1.2 Root Separation
Now we separate the roots using a bisection algorithm. The main idea is similar to the interval tightening algorithm in Sect. 5.3. The difference is that here we keep track of all the roots. Hence the algorithm stores two lists: a work list of intervals from which roots of input f have to be found, and a result list which stores the already found intervals each containing exactly one root of f. Initially the work list is a singleton containing the interval \([B,B]\) where B is the initial bound explained above, and the result list is empty.
In every iteration the algorithm picks up an interval [l, r] from the work list, and calls the rootcounting function Open image in new window to determine the number n of real roots of f within this interval. If \(n = 0\) then the algorithm throws away this interval and carries on to the next of the work list. If \(n = 1\) then a root is identified; the representation (f, l, r) is added to the result list. Finally, if \(n > 1\) then the algorithm splits the interval into \([l,\frac{l+r}{2}]\) and \([\frac{l+r}{2},r]\) and pushes them back to the work list. The overlap of the intervals is not problematic, since the bisection algorithm is only invoked on irreducible polynomials of degree at least 2, which cannot have a rational root like \(\frac{l+r}{2}\). In particular, the algorithm will return a distinct list of roots.
The bisection algorithm is defined via Open image in new window for efficiency reasons. The root counting function Open image in new window , that is obtained after the first phase of Sturm’s method, is passed as a parameter to the main procedure, in order to avoid recomputation. If the algorithm is invoked with an unexpected function, e.g., one that always yields \(n = 2\), then it is nonterminating.
We prove that, if correct arguments are passed, then the result of the bisection algorithm is as intended. To this end, we perform wellfounded induction on the work list. Here we define \(\delta \) as in the bisection algorithm of Sect. 5.2, but now combine the sizemeasure of intervals with the multisetextension of a wellfounded order [15]. This is required, since if \(n > 1\) we replace one interval by two smaller ones.
The final correctness is stated as follows.
Lemma 43
6.2 Complex Roots of Integer Polynomial
In contrast to Sect. 5.4, where complex algebraic numbers are easily implemented via real algebraic numbers, it is not so trivial to develop a complexnumber counterpart of Open image in new window , i.e., a method to identify all complex roots of an integer polynomial f.
 Consider a complex root \(a + b{\mathrm {i}}\) of f for \(a,b \in {\mathbb {R}}\). We haveand since both \(a+b{\mathrm {i}}\) and \(ab{\mathrm {i}}\) are roots of f, 2a is a root of Open image in new window . Hence the following polynomial g has a as a root: Similarly, \(2{\mathrm {i}}\cdot b = (a+b{\mathrm {i}})  (ab{\mathrm {i}})\) is a root of Open image in new window , and as \(2{\mathrm {i}}\) is represented by polynomial \(4+x^2\), the following polynomial h has b as a root:$$\begin{aligned} 2 a = (a + b{\mathrm {i}}) + (a  b{\mathrm {i}}) \end{aligned}$$

Let C be the set of complex numbers \(a+b{\mathrm {i}}\) with Open image in new window and Open image in new window . Then C contains at least all roots of f. Return \(\{c \in C.\ f(c) = 0\}\) as the final result.
Since we have now executable complex algebraic operations, one can in principle evaluate f(c) and test whether it is 0 or not. A drawback of this approach is the demand for manipulating polynomials of high degree. For instance, when testing Open image in new window in Example 1, complex algebraic numbers like \(c^4\) occur. These result in factorization problems for integer polynomials of degree 144.

For each \(c \in C\), extract the real intervals \(I_r\) and \(I_i\) from the internal representation of the real and imaginary part, respectively. Use interval arithmetic to test whether \(0 \in f( I_r + I_i {\mathrm {i}})\). If 0 is not contained in the interval, remove c from C.

If \(C = \textit{degree}(f)\), return C.

Tighten all bounds of C so that the extracted intervals will be half of the previous size and start again.
Lemma 44
6.3 Factorization of Polynomials over \({\mathbb {C}}\) and \({\mathbb {R}}\)
With the help of the complex roots algorithm Open image in new window and the fundamental theorem of algebra, we further develop two algorithms that factor polynomials with rational coefficients over \({\mathbb {C}}\) and \({\mathbb {R}}\), respectively. Factorization over \({\mathbb {C}}\) is easy: every factor corresponds to a root. Hence, the algorithm and the proof mainly take care of the multiplicities of the roots and factors. Also for factorization over \({\mathbb {R}}\), we first determine the complex roots. Afterwards, we extract all real roots and group each pair of complex conjugate roots. Here, the main work is to prove that for each complex root c, its multiplicity is the same as the multiplicity of the complex conjugate of c.
7 Experiments

Old version refers to our verified implementation as described in the preliminary version of this paper [24].

New version refers to our current implementation of algebraic numbers as described in this paper.

Mathematica refers to Wolfram Mathematica 11. Here, we invoke the methods RootReduce and IsolatingInterval in order to obtain the representing polynomial and an interval which uniquely identifies the root, respectively.

The type of representing polynomials are now Open image in new window rather than Open image in new window .

We incorporated the verified factorization algorithm [7] while the old version uses an unverified one that does not ensure irreducibility.

We introduced the signbased comparison technique (Sect. 5.2) while the old version uses Sturm’s method. Due to this, the old version has to keep Sturm sequences in internal representations while the new version does not.

We introduced an algorithm that finds the correct factor and a valid interval in one go (Sect 5.3), while the old version performs these tasks sequentially: it first tightens intervals until undesired roots are excluded, and then applies factorization and selects the correct factor.

We formalized Brown and Traub’s subresultant PRS algorithm (Sect. 4), while the old version uses a variant of Collin’s primitive PRS algorithm.

We apply interval arithmetic for filtering the complex roots of a polynomial from a list of candidates. In contrast, the old version utilizes algebraic number arithmetic.
Total time for example computations with algebraic numbers
Experiment  Old version  New version  Mathematica  

(1)  Examples in [18, Fig. 3]  0.032s  0.016s  0.061s 
(2)  21.941s  0.207s  0.654s  
(3)  \(\sum _{i=1}^{10} \sqrt{i}\)  0.422s  0.117s  0.070s 
(4)  \(\sum _{i=1}^6 \root 3 \of {i}\)  41.779s  19.902s  0.081s 
(5)  \((\sum _{i=1}^{9} \sqrt{i})  (\sum _{i=1}^{8} \sqrt{i})\)  26.459s  2.261s  0.000s 
The results of our experiments in Table 2 illustrate that our new implementation is significantly faster than the old implementation.
The big difference in experiment (2) is due to the use of interval arithmetic instead of expensive complex algebraic number computations (Sect. 6.2). For the other experiments, the improvements are mainly due to optimizations of the bisection algorithms and the resultant computation.
In Table 3 we report on detailed profiling information on experiments (4) and (5). The improvements in tightening intervals is due to the signbased method (Sect. 5.2) and the combined algorithm which tightens intervals and selects correct factors at the same time (Sect. 5.3). In experiment (5) we also see that the subresultant PRS algorithm of Sect. 4 significantly improves the computation time of resultants. As a consequence of our optimizations, polynomial factorization is the main bottleneck of the new implementation.
Timing of individual subalgorithms in percentage of total runtime
Experiment  Algorithm  Old version (%)  New version (%) 

(4)  Tightening intervals  59.3  11.5 
(4)  Resultant  0.1  0.0 
(4)  Factorization  40.1  88.4 
(5)  Tightening intervals  13.3  1.5 
(5)  Resultant  76.1  35.9 
(5)  Factorization  10.7  62.6 
8 Conclusion
We developed verified algorithms for real and complex algebraic numbers in Isabelle/HOL. These include all the algebraic operations, algorithms to identify complex roots of rational polynomials, and to uniquely present algebraic numbers as strings. The formalization is available to every Isabelle user, and the implementation is available to every programmer as verified Haskell code.
As for future work, a formalization of an equivalent to Sturm’s method for the complex numbers would admit to represent the roots in Example 1 just as root #(1,2,3,4) of Open image in new window , without the need for highdegree polynomials for the real and imaginary part. Moreover, a more efficient verified polynomial factorization algorithm would be welcome, since this algorithm is currently the most timeconsuming part when computing algebraic numbers.
Finally, it would be useful to algorithmically prove that the complex algebraic numbers are algebraically closed, so that one is not restricted to rational coefficients in the factorization algorithms over \({\mathbb {R}}\) and \({\mathbb {C}}\).
Footnotes
 1.
 2.
The suitability test cannot simply evaluate the polynomial on the algebraic point and test whether the result is 0; evaluating at an algebraic point requires the basic arithmetic operations on algebraic numbers, which are the operations we are defining in this work.
 3.
However, we use a faster computer with 3.2 GHz instead of 2.66 GHz.
 4.
The formalization differs slightly, since the value of Open image in new window is carried around for efficiency.
Notes
Acknowledgements
Open access funding provided by Austrian Science Fund (FWF).
References
 1.Avanzini, M., Sternagel, C., Thiemann, R.: Certification of complexity proofs using CeTA. In: RTA 2015. pp. 23–39. LIPIcs 36 (2015)Google Scholar
 2.Brown, W.S.: The subresultant PRS algorithm. ACM Trans. Math. Softw. 4(3), 237–249 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
 3.Brown, W.S., Traub, J.F.: On Euclid’s algorithm and the theory of subresultants. J. ACM 18(4), 505–514 (1971)MathSciNetCrossRefzbMATHGoogle Scholar
 4.Cohen, C.: Construction of real algebraic numbers in Coq. In: ITP 2012. LNCS, vol. 7406, pp. 67–82 (2012)Google Scholar
 5.Cohen, C., Djalal, B.: Formalization of a Newton series representation of polynomials. In: CPP 2016. pp. 100–109. ACM (2016)Google Scholar
 6.Cohen, C., Mahboubi, A.: Formal proofs in real algebraic geometry: from ordered fields to quantifier elimination. Log. Methods Comput. Sci. 8(1:02), 1–40 (2012)MathSciNetzbMATHGoogle Scholar
 7.Divasón, J., Joosten, S., Thiemann, R., Yamada, A.: A formalization of the BerlekampZassenhaus factorization algorithm. In: CPP 2017, pp. 17–29 (2017)Google Scholar
 8.Ducos, L.: Optimizations of the subresultant algorithm. J. Pure Appl. Algebra 145, 149–163 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
 9.Eberl, M.: A decision procedure for univariate real polynomials in Isabelle/HOL. In: CPP 2015. pp. 75–83. ACM (2015)Google Scholar
 10.Eberl, M.: Linear recurrences. Archive of Formal Proofs (Oct 2017), http://isaafp.org/entries/Linear_Recurrences.html, Formal proof development
 11.von zur Gathen, J., Gerhard, J.: Modern computer algebra, 2nd edn. Cambridge University Press, Cambridge (2003)Google Scholar
 12.Giesl, J., Mesnard, F., Rubio, A., Thiemann, R., Waldmann, J.: Termination competition (termCOMP 2015). In: CADE 2015. LNCS, vol. 9195, pp. 105–108 (2015)Google Scholar
 13.Haftmann, F., Krauss, A., Kunčar, O., Nipkow, T.: Data refinement in Isabelle/HOL. In: ITP 2013. LNCS, vol. 7998, pp. 100–115 (2013)Google Scholar
 14.Huffman, B., Kunčar, O.: Lifting and transfer: a modular design for quotients in Isabelle/HOL. In: CPP 2013. LNCS, vol. 8307, pp. 131–146 (2013)Google Scholar
 15.Jouannaud, J.P., Lescanne, P.: On multiset orderings. Inf. Process. Lett. 15(2), 57–63 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
 16.Krauss, A.: Recursive definitions of monadic functions. In: PAR 2010. EPTCS, vol. 43, pp. 1–13 (2010)Google Scholar
 17.Li, W.: Count the number of complex roots. Archive of Formal Proofs (Oct 2017), http://isaafp.org/entries/Count_Complex_Roots.html, Formal proof development
 18.Li, W., Paulson, L.C.: A modular, efficient formalisation of real algebraic numbers. In: CPP 2016. pp. 66–75. ACM (2016)Google Scholar
 19.Mahboubi, A.: Proving formally the implementation of an efficient gcd algorithm for polynomials. In: IJCAR 2006. LNCS, vol. 4130, pp. 438–452 (2006)Google Scholar
 20.Mishra, B.: Algorithmic Algebra. Texts and Monographs in Computer Science. Springer, New York (1993)Google Scholar
 21.Nipkow, T., Paulson, L., Wenzel, M.: Isabelle/HOL—A Proof Assistant for HigherOrder Logic, LNCS, vol. 2283. Springer (2002)Google Scholar
 22.Niven, I.: Irrational Numbers. No. 11 in Carus Mathematical Monographs, Mathematical Association of America (1956)Google Scholar
 23.Prasolov, V.V.: Polynomials. Springer (2004)Google Scholar
 24.Thiemann, R., Yamada, A.: Algebraic numbers in Isabelle/HOL. In: ITP 2016. LNCS, vol. 9807, pp. 391–408 (2016)Google Scholar
 25.Thiemann, R., Yamada, A.: Formalizing Jordan normal forms in Isabelle/HOL. In: CPP 2016. pp. 88–99. ACM (2016)Google Scholar
Copyright information
OpenAccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.