Deciding Univariate Polynomial Problems Using Untrusted Certificates in Isabelle/HOL
Abstract
We present a proof procedure for univariate real polynomial problems in Isabelle/HOL. The core mathematics of our procedure is based on univariate cylindrical algebraic decomposition. We follow the approach of untrusted certificates, separating solving from verifying: efficient external tools perform expensive real algebraic computations, producing evidence that is formally checked within Isabelle’s logic. This allows us to exploit highlytuned computer algebra systems like Mathematica to guide our procedure without impacting the correctness of its results. We present experiments demonstrating the efficacy of this approach, in many cases yielding orders of magnitude improvements over previous methods.
Keywords
Interactive theorem proving Isabelle/HOL Decision procedure Cylindrical algebraic decomposition1 Introduction
Nonlinear polynomial systems are ubiquitous in science and engineering. As realworld applications of formal verification continue to grow and diversify, there is an increasing need for proof assistants (e.g., ACL2, Coq, Isabelle [27], HOL Light and PVS) to provide automation for reasoning about nonlinear systems over the reals [17, 24, 25].
Cylindrical algebraic decomposition (CAD) [8] is one of the most powerful known techniques for analysing nonlinear polynomial systems. CADbased methods have been implemented in various systems such as Z3 [9], QEPCAD [3], Mathematica and Maple. However, implementing CADbased decision procedures within proof assistants has been hindered by the difficulty in formalising the mathematics justifying CAD computations.
A key feature of our procedure is its certificatebased design in which an external untrusted (but ideally highly efficient) program is used to find certificates, and those certificates are then checked by verified internal procedures. Overall, the soundness of our procedure depends solely on the soundness of Isabelle’s logic (and code generation^{2}) rather than trusted external oracles. This is much like Isabelle’s sledgehammer tactic, which sceptically incorporates various external tools.

An efficient formalised theory of Tarski queries,

An efficient approach to univariate sign determination at real algebraic points,

A practical formally verified procedure for real algebraic problems based on univariate CAD.
2 A Motivating Example
To do so, we can decompose \(\mathbb {R}\) into disjoint connected components induced by the roots of P and Q. This is illustrated in Fig. 1:
 The decomposition of \(\mathbb {R}\) into the seven regions given covered the entire real line. That is,$$\begin{aligned} (\infty ,3) \cup \{3\} \cup (3,\sqrt{2}) \cup \{\sqrt{2}\} \cup (\sqrt{2},\sqrt{2})\cup \{\sqrt{2}\} \cup (\sqrt{2},\infty ) = \mathbb {R}. \end{aligned}$$

The “signinvariance” of P and Q over each region was exploited to allow only a single sample point to be selected from each region. This property holds as by the Intermediate Value Theorem, P and Q can only change sign by passing through a root.

The signs of univariate polynomials were evaluated at irrational real algebraic points like \(\sqrt{2}\) to determine the truth values of atomic formulas.
3 A Sketch of Our CertificateBased Design
There is a rich history of certificatebased, sceptical integrations between proof assistants and external solvers. Examples include John Harrison’s sumsofsquares method [17] and the Sledgehammer [31] command in Isabelle.

External solvers are often highly tuned and run much faster than verified ones.

Verification of certificates from external solvers is usually much easier than finding them. Such verification ensures the soundness of the overall tactic.

Switching between different external solvers does not require changes in formal proofs.
Algorithm 1 sketches our idea for univariate universal formulas. In particular, in line 3, we use external programs to return real roots of polynomials (i.e., \(\mathfrak {P}\)) from the quantifierfree part of the formula (i.e., F(x)). Those roots (i.e., \( roots \)) correspond to a decomposition such that each polynomial from \(\mathfrak {P}\) has a constant sign over each component of this decomposition. Since the roots are returned by untrusted programs, in line 5, we not only check \(\forall x \in samples .\, F(x)\) as in Eq. (1) but also certify that these roots are indeed all real roots of \(\mathfrak {P}\).
With existential formulas, the situation is even simpler as illustrated in Algorithm 2, since we do not need to deal with the decomposition internally. Rather, all we need is a real algebraic witness that satisfies \(\lambda x.\, F(x)\) to certify \(\exists x.\, F(x)\). What is more interesting is that the satisfaction problem for \(\lambda x.\, F(x)\) can be not only solved by a CAD procedure, which is complete but not very fast due to its symbolic nature, but also be complemented by highly efficient incomplete numerical methods. Thus it is natural to externalize the step in line 2 in Algorithm 2.
4 Encoding Real Algebraic Numbers
External programs in either Algorithms 1 and 2 can return real algebraic numbers (e.g. \(\sqrt{2}\)). In this section, we see how to formalise such numbers in Isabelle/HOL.

A polynomial \(p \in \mathbb {Z}[x]\) s.t. \(p(r) = 0\), and

Two rationals \(a,b \in \mathbb {Q}\) s.t. r is the only root of p contained in [a, b].
 ,
 The polynomial is of different signs (and nonzero) at and ,
 The polynomial has exactly one real root within the interval .
5 Deciding the Sign of a Univariate Polynomial at Real Algebraic Points
In this section, we describe a verified procedure to decide the sign of univariate polynomials with rational coefficients at real algebraic points which uses only rational (or dyadic rational) arithmetic rather than costly algebraic arithmetic.
5.1 The Sturm–Tarski Theorem
We abbreviate \(\mathbb {R} \cup \{\infty ,\infty \}\) as \(\overline{\mathbb {R}}\), the extended real numbers.
Definition 1
The Sturm–Tarski theorem [23, Chapter 8] (or Tarski’s theorem [2, Chapter 2]) is essentially an effective way to compute Tarski queries through some remainder sequences:
Theorem 1
Note that the more famous Sturm’s theorem, which counts the number of distinct real roots (of a univariate polynomial) within an interval, is a special case of the Sturm–Tarski theorem when \(Q=1\).
5.2 A Formal Proof of the Sturm–Tarski Theorem
Our proof of the Sturm–Tarski theorem in Isabelle is based on Basu et al. [2, Chapter 2] and Cohen’s formalisation in Coq [6].
The core idea of our formal proof is built around the Cauchy index. First defined by Cauchy in 1837, the Cauchy index of a real rational function encodes deep properties of its roots and poles, and can be used as the basis of an algebraic method for computing Tarski queries.^{3}
Definition 2
5.3 Sign Determination Through the Sturm–Tarski Theorem
 checks if each coefficient of is rational,
 converts an integer polynomial into a dyadic rational one,
 clears denominators in the coefficients by multiplying each coefficient by the least common multiple (of the denominators),
 throws an exception, if either \((p, lb , ub )\) is an invalid representation of a real algebraic number or the polynomial has any nonrational coefficient.
5.4 Remark
A formal proof of the Sturm–Tarski theorem is not new among proof assistants: it has been formalised in PVS [25] and Coq [6]. However, as far as we know, we are the first to exploit this theorem to build a verified sign determination procedure of real algebraic numbers, which uses only rational or dyadic rational arithmetic.
Real algebraic numbers are essential in symbolic computing, and well studied. In general, exact real algebrac arithmetic is rarely used in modern computer algebra systems due to its extreme inefficiency. For example, consider the problem of isolating the real roots of a polynomial with real algebraic coefficients. Modern approaches usually use sophisticated techniques to soundly approximate those coefficients to a certain precision rather than carrying out exact algebraic arithmetic [5, 33, 35], relying on exact symbolic procedures as a fallback in degenerate cases.

Sophisticated interval arithmetic can be used to decide the sign before resorting to a remainder sequence, as has been done in Z3 [10]. This approach should help when the sign is nonzero.

Pseudodivision, which we are currently using for building remainder sequences, is not good for controlling coefficients growth. More sophisticated approaches, such as subresultant sequences and modular methods, can be used to optimise the calculation of remainder sequences.
6 The Formal Development of the Decision Procedure
In this section, we describe the main proof underlying our tactic.
6.1 Parsing Formulas
6.2 Existential Case
6.3 Universal Case
 is a certificate that should be instantiated by an external solver. More specifically, should be the representation of a list of real roots (in ascending order) of polynomials from the quantifierfree part of the target formula,
 constructs sample points from the representation of a list of roots,
 extracts polynomials from the quantifierfree part ,
 and together ensure that the representation of roots are valid and those roots are in ascending order,
 checks if is a representation of all real roots of the polynomials . Specifically, by Sturm’s theorem, the number of total distinct real roots of each can be computed, which can be then compared with the number of that .
7 Linking to an External Solver
Certificates for both existential and universal cases can be produced by any program performing univariate CAD. For now, we implement the program on top of Mathematica. More specifically, the universal certificates are constructed by the Mathematica command SemialgebraicComponentInstances, which gives sample points in each connected component of a semialgebraic set. The existential certificates are constructed by the command FindInstance, which incorporates powerful numerical methods to accelerate the search for real algebraic sample points.
Also, it may be worth mentioning that after a certificate has been found, our tactic will record it (as a string) so that repeating the proof no longer requires the external solver. This is much like the sumsofsquares tactic [17].
In general, the certificatebased design grants us much flexibility: We can easily switch to a more efficient external solver without modifying existing formal proofs. In fact, we were first using an implementation of univariate CAD built within MetiTarski, which turned out to be not very efficient, and we simply switched to the current one based on Mathematica. In the future, we plan to experiment with other opensource CAD implementations such as Z3 and QEPCAD to provide more options with external solvers.
8 Experiments and Related Work

Their procedure resembles Tarski’s original quantifier elimination [2, Chapter 2] and Cyril Cohen’s quantifier elimination procedure in Coq [6, Chapter 12] by making use of both the Sturm–Tarski theorem and matrices. In contrast, our tactic is based on CAD and real algebraic numbers (instead of matrices).

Their procedure is entirely built within PVS, while ours sceptically makes use of efficient external programs to generate certificates.
In general, the experiments indicate that our tactic outperforms the tarski strategy in PVS. Particularly, the advantage of our tactic becomes greater as the problems become more complex, which can be attributed to the fact that our tactic has much better worstcase computational complexity (polynomial vs. exponential in the number of polynomials).
In the case of general multivariate problems, the CAD procedure is doubly exponential while Tarski’s quantifier elimination procedure is nonelementary in the number of variables [2, Chapter 11]). When limited to univariate problems, the CAD procedure degenerates to root isolation and sign determination on a set of univariate polynomials, which is of polynomial complexity in the number of polynomials and their degree bound [2, Chapter 10]). In comparison, Tarski’s quantifier elimination procedure, even when limited to univariate problems, is still exponential in the number of polynomials [7].
In addition, it is worth noting that as the problems become more complex (e.g., ex6 and ex7 in Fig. 3), certificate checking becomes the bottleneck factor of our tactic (especially for universal problems). This indicates that, despite the fact that certificate searching is much harder than certificate checking, the Mathematica implementation is still much more efficient than our verified certificatechecking procedure. This leaves much room for future optimisations.
Our work has also been greatly inspired by Cyril Cohen’s PhD thesis [6], within which a quantifier elimination procedure has been built upon the Sturm–Tarski theorem and real algebraic numbers formalised within the Coq theorem prover. However, our goals and approaches are very different.
Cohen’s work is part of a large project that has formalised the Feit–Thompson theorem (odd order theorem) in Coq [15], and focuses more on theoretical developments than we do. For example, they proved the Sturm–Tarski theorem to construct an RCF quantifier elimination procedure in the spirit of Tarski’s original method, which has important theoretical properties but is not practical as a proof procedure. Moreover, he has formalised arithmetic on real algebraic numbers and shown that they form a real closed field via resultants. We have not formalised resultants at all. Our sign determination algorithm uses the Sturm–Tarski theorem, which is significantly more efficient in practice than using resultants. On the other hand, as it was unnecessary for our proof procedure, we have not proved in Isabelle that the real algebraic numbers form a real closed field. In general, compared to his work, ours stresses the practical side over the theoretical. Fundamentally, we want to build procedures to solve nontrivial problems in practice.
Decision procedures based on Sturm’s theorem have been implemented in Isabelle and PVS before [14, 26]. Their core idea is to count the number of real roots within a certain (bounded or unbounded) interval. Generally, they can only handle formulas involving a single polynomial, so they are not complete for firstorder formulas (unlike our tactic and the tarski strategy in PVS).
Assia Mahboubi [22] has implemented the executable part of a general CAD procedure in Coq, but as far as we know, the correctness proof for her implementation is still ongoing. This is also one of the reasons for us to choose the certificatebased approach rather than directly verifying an implementation.
There are other methods to handle nonlinear polynomial problems in theorem provers, such as sums of squares [17], which is good for multivariate universal problems but is not applicable when the existential quantifier arises, and interval arithmetic [18, 34], which is very efficient for some cases but is not complete. These methods and ours should be used in a complementary way.
9 Discussion and Applications
Applications of MetiTarski include verification problems arising in air traffic control [13] and analogue circuit designs [11]. As some of the applications are safety critical, it is natural to consider to integrate MetiTarski with an existing interactive theorem prover, whose internal logic can be used to ensure the correctness of MetiTarski’s proofs. Besides, the automation provided by MetiTarski is generally useful to interactive theorem provers.
MetiTarski has been integrated with the PVS theorem prover [28] as a trusted oracle [12]. The authors state that the automation introduced by MetiTarski for closing sequents containing realvalued functions considerably outperforms existing tactics in PVS. However, this tactic should not be used in a certification environment, where external oracles are not allowed.
Our eventual goal is to integrate MetiTarski into the Isabelle/HOL theorem prover. Isabelle can verify purely logical inferences (in fact, it contains an internal copy of the Metis theorem prover), and the third author has just formalised most of the bounds of transcendental functions used by MetiTarski [30]. The primary remaining hurdle is the RCF decision procedure, and the work presented here is the first step towards it.

The bivariate sign determination procedure based on recursive application of the Sturm–Tarski theorem described in our previous work [21] can be easily generalised to a multivariate one (i.e., a procedure to decide the sign of a multivariate polynomial at real algebraic points), which can be then used to efficiently certify purely existential multivariate formulas over reals.

Our recent formalisation of Cauchy’s residue theorem [20] can be used to certify a key theorem used in general CAD: that the complex roots of a polynomial continuously depend on its coefficients.
10 Conclusion

It is based on univariate cylindrical algebraic decomposition (CAD).

It sceptically integrates efficient external solvers in a certificatebased way, so that its soundness solely depends on Isabelle’s logic (and code generation machinery) rather than the external solvers.
Certificatebased methods can be compared on the basis of how much mathematics and computation are required both to find and check their certificates. For example, to convert a Positivstellensatz certificate into a HOLLight proof of a universal theorem, Harrison’s sumsofsquares tactic only requires simple signbased reasoning and rational arithmetic, while in our case, we need more mathematics (e.g., real algebraic numbers and the Sturm–Tarski theorem) and more computation (especially for the universal case). A good certificate design needs to balance the difficulty of the formalisation effort and verified computation required to check the certificates with the efficiency improvements offered by offloading the construction of the certificates to highperformance external tools.
Footnotes
 1.
Code is available from https://bitbucket.org/liwenda1990/src_jar_2017.
 2.
As our tactic is computationally intense, our procedure makes use of the proof by reflection technique [16].
 3.
Besides the application described in this section, the Cauchy index also plays a critical role in the Routh–Hurwitz theorem. Interested readers may consult [32, Chapter 10, 11] for historical notes.
 4.
In fact, their tactic does not handle arbitrary boolean expressions like ours, but we believe this should not be too hard to overcome.
 5.
 6.
Notes
Acknowledgements
We thank Florian Haftmann for helping with code generation for our procedure. We are also grateful to the anonymous referees for their constructive suggestions.
References
 1.Akbarpour, B., Paulson, L.: MetiTarski: an automatic theorem prover for realvalued special functions. J. Autom. Reason. 44(3), 175–205 (2010)MathSciNetCrossRefMATHGoogle Scholar
 2.Basu, S., Pollack, R., Roy, M.F.: Algorithms in Real Algebraic Geometry (Algorithms and Computation in Mathematics). Springer, New York (2006)MATHGoogle Scholar
 3.Brown, C.W.: QEPCAD B: a program for computing with semialgebraic sets using CADs. ACM SIGSAM Bull. 37(4), 97–108 (2003)CrossRefMATHGoogle Scholar
 4.Chaieb, A., et al.: Automated methods for formal proofs in simple arithmetics and algebra. Dissertation, Technische Universität, München (2008)Google Scholar
 5.Cheng, J.S., Gao, X.S., Yap, C.K.: Complete numerical isolation of real zeros in zerodimensional triangular systems. In: Proceedings of the 2007 International Symposium on Symbolic and Algebraic Computation, pp. 92–99. ACM (2007)Google Scholar
 6.Cohen, C.: Formalized algebraic numbers: construction and firstorder theory. Ph.D. thesis, École polytechnique (2012)Google Scholar
 7.Cohen, C., Mahboubi, A., et al.: Formal proofs in real algebraic geometry: from ordered fields to quantifier elimination. Log. Methods Comput. Sci. 8(1: 02), 1–40 (2012)MathSciNetMATHGoogle Scholar
 8.Collins, G.E.: Quantifier elimination for real closed fields by cylindrical algebraic decomposition: a synopsis. ACM SIGSAM Bull. 10(1), 10–12 (1976)CrossRefGoogle Scholar
 9.De Moura, L., Bjørner, N.: Z3: An efficient SMT solver. In: Tools and Algorithms for the Construction and Analysis of Systems, pp. 337–340. Springer, Berlin (2008)Google Scholar
 10.De Moura, L., Passmore, G.O.: Computation in real closed infinitesimal and transcendental extensions of the rationals. In: International Conference on Automated Deduction, pp. 178–192. Springer, Berlin (2013)Google Scholar
 11.Denman, W., Akbarpour, B., Tahar, S., Zaki, M.H., Paulson, L.C.: Formal verification of analog designs using MetiTarski. In: Formal Methods in ComputerAided Design, 2009. FMCAD 2009, pp. 93–100. IEEE (2009)Google Scholar
 12.Denman, W., Muñoz, C.: Automated real proving in PVS via MetiTarski. In: FM 2014: Formal Methods, pp. 194–199. Springer (2014)Google Scholar
 13.Denman, W., Zaki, M.H., Tahar, S., Rodrigues, L.: Towards flight control verification using automated theorem proving. In: NASA Formal Methods, pp. 89–100. Springer (2011)Google Scholar
 14.Eberl, M.: A decision procedure for univariate real polynomials in Isabelle/HOL. In: Proceedings of the 2015 Conference on Certified Programs and Proofs, CPP ’15, pp. 75–83. ACM, New York (2015). doi: 10.1145/2676724.2693166
 15.Gonthier, G., Asperti, A., Avigad, J., Bertot, Y., Cohen, C., Garillot, F., Le Roux, S., Mahboubi, A., O’Connor, R., Ould Biha, S., Pasca, I., Rideau, L., Solovyev, A., Tassi, E., Théry, L.: A machinechecked proof of the odd order theorem. In: Blazy S., PaulinMohring C., Pichardie D. (eds.) Interactive Theorem Proving: 4th International Conference, ITP 2013, Rennes, France, July 22–26. Lecture Notes in Computer Science, vol. 7998, pp. 163–179. Springer, Berlin (2013)Google Scholar
 16.Haftmann, F., Nipkow, T.: Code generation via higherorder rewrite systems. In: International Symposium on Functional and Logic Programming, pp. 103–117. Springer (2010)Google Scholar
 17.Harrison, J.: Verifying nonlinear real formulas via sums of squares. In: K. Schneider, J. Brandt (eds.) Proceedings of the 20th International Conference on Theorem Proving in Higher Order Logics, TPHOLs 2007, Lecture Notes in Computer Science, vol. 4732, pp. 102–118. Springer, Kaiserslautern (2007)Google Scholar
 18.Hölzl, J.: Proving inequalities over reals with computation in Isabelle/HOL. In: International Workshop on Programming Languages for Mechanized Mathematics Systems, pp. 38–45 (2009)Google Scholar
 19.Hurd, J.: Metis first order prover. http://gilith.com/software/metis (2007)
 20.Li, W., Paulson, L.C.: A formal proof of Cauchy’s residue theorem. In: ITP 2016: Seventh International Conference on Interactive Theorem Proving (2016, to appear)Google Scholar
 21.Li, W., Paulson, L.C.: A modular, efficient formalisation of real algebraic numbers. In: Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs, pp. 66–75. ACM (2016)Google Scholar
 22.Mahboubi, A.: Implementing the cylindrical algebraic decomposition within the Coq system. Math. Struct. Comput. Sci. 17(1), 99–127 (2007)MathSciNetCrossRefMATHGoogle Scholar
 23.Mishra, B.: Algorithmic Algebra. Springer, New York (1993)CrossRefMATHGoogle Scholar
 24.Muñoz, C., Narkawicz, A.: Formalization of Bernstein polynomials and applications to global optimization. J. Autom. Reason. 51(2), 151–196 (2013). doi: 10.1007/s1081701292563 MathSciNetCrossRefMATHGoogle Scholar
 25.Narkawicz, A., Munoz, C., Dutle, A.: Formallyverified decision procedures for univariate polynomial computation based on Sturm’s and Tarski’s theorems. J. Autom. Reason. 54(4), 285–326 (2015)MathSciNetCrossRefMATHGoogle Scholar
 26.Narkawicz, A.J., Muñoz, C.A.: A formallyverified decision procedure for univariate polynomial computation based on Sturm’s theorem. Technical Memorandum NASA/TM2014218548, NASA, Langley Research Center, Hampton VA 236812199, USA (2014)Google Scholar
 27.Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: A Proof Assistant for HigherOrder Logic. Springer, Berlin (2002)CrossRefMATHGoogle Scholar
 28.Owre, S., Rushby, J.M., Shankar, N.: PVS: a prototype verification system. In: International Conference on Automated Deduction, pp. 748–752. Springer (1992)Google Scholar
 29.Passmore, G.O., Paulson, L.C., De Moura, L.: Real algebraic strategies for MetiTarski proofs. In: International Conference on Intelligent Computer Mathematics, pp. 358–370. Springer (2012)Google Scholar
 30.Paulson, L.C.: Realvalued special functions: upper and lower bounds. Archive of Formal Proofs (2014)Google Scholar
 31.Paulson, L.C., Blanchette, J.C.: Three years of experience with Sledgehammer, a practical link between automatic and interactive theorem provers. In: IWIL2010, vol. 1 (2010)Google Scholar
 32.Rahman, Q., Schmeisser, G.: Analytic Theory of Polynomials. London Mathematical Society Monographs. Clarendon Press, Oxford (2002). https://books.google.co.uk/books?id=FzFEEVO3PXYC
 33.Sagraloff, M.: A general approach to isolating roots of a bitstream polynomial. Math. Comput. Sci. 4(4), 481–506 (2010)MathSciNetCrossRefMATHGoogle Scholar
 34.Solovyev, A., Hales, T.C.: Formal verification of nonlinear inequalities with Taylor interval approximations. In: NASA Formal Methods, pp. 383–397. Springer, Berlin (2013)Google Scholar
 35.Strzeboński, A.W.: Cylindrical algebraic decomposition using validated numerics. J. Symb. Comput. 41(9), 1021–1038 (2006)MathSciNetCrossRefMATHGoogle Scholar
 36.Thiemann, R., Yamada, A.: Algebraic numbers in Isabelle/HOL. Archive of Formal Proofs (2015). http://isaafp.org/entries/Algebraic_Numbers.shtml. Formal proof development
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.