A Machine Proof of the Filter-Method Construction for Real Numbers

Abstract

This paper presents a machine verification of a real number theory where real numbers are constructed using concepts related to filters. The theory encompasses a special filter, namely the non-principal arithmetical ultrafilter whose existence can be proven with the Continuum Hypothesis, to establish several non-standard number sets: *N, *Z and *Q. The set of real numbers, $\mathbf{R}$, is subsequently obtained by the equivalence classification of a specific subset of *Q. The entire theory is thoroughly formalized, with each detail verified to ensure rigor and precision. The verification is implemented using the Coq proof assistant and is grounded in the Morse–Kelley axiomatic set theory. This work contributes a new selection of foundational material for the formalization of mathematical theories.

1. Introduction

This paper is dedicated to implementing the mechanized proof (also known as formalization or formal/machine verification) of a specific real number theory, which was first mentioned by Wang in [1], then introduced in one of his monographs [2] published in 2018. This mathematical theory employs a special filter, named the “non-principal arithmetical ultrafilter” [3], to facilitate the construction of real numbers. In this paper, we refer to it as the “filter-method construction for real numbers” (FMCR). The proof is implemented in the Coq proof assistant (The Coq proof assistant was renamed “Rocq Prover” in 2025, see https://rocq-prover.org, accessed on 19 August 2025), an interactive theorem-proving tool, and is based on Morse–Kelley axiomatic set theory (MK) [4].

Mechanized theorem proving refers to the formal verification of mathematical theorems or computer software and hardware systems using computers through formal methods [5]. “The word ‘formal’ indicates the use of formal languages to write assertions, define objects, and specify constraints. It also indicates the use of formal semantics, that is, accounts of the meaning of a syntactic expression, which can be used to specify the desired behavior of a system or the properties of an object sought” [6]. Mechanized theorem proving can be divided into interactive theorem proving (ITP) and automated theorem proving (ATP). And the former is likely to be more desirable to formalize most non-trivial theorems in mathematics or computer system correctness [5,7].

ITP emerged in the 1960s [8], and interactive theorem-proving tools are also known as proof assistants. “ITP involves the use of proof assistants to construct formal proofs of mathematical claims using the axioms and rules of a formal foundation that is implemented by the system. The user of such an assistant generally has a proof in mind and works interactively with the system to transform it into a formal derivation. Proofs are presented to the system using a specialized proof language, much like a programming language. The proof assistants process the input, complains about the parts it cannot understand, keeps track of goals and proof obligations, and responds to queries, say, about definitions and theorems in the background libraries. Most importantly, every inference is checked for correctness using a small, trusted body of code, known as the kernel or trusted computing base” [6]. With the continuous advancement of computer science and technology, various theorem-proving tools such as Coq [9,10], Isabelle/HOL [11], HOL Light [12], Mizar [13], and Lean [14] have emerged. ITP has also gradually gained recognition and attention in the academic community.

The formal verification of mathematical theorems is the practice of using a rigorously structured formal language, often within proof assistants on a computer, to describe mathematical definitions and theorems. These definitions and theorems are then proven using a corresponding proof language, ultimately resulting in the establishment of a formal mathematical library that encompasses mathematical definitions, theorems and their formal proofs [6,15,16]. To date, many core theorems of mathematics have been formally verified in various proof assistants, such as the prime number theorem [17], the four color theorem [18], the Jordan curve theorem [19], Gödel’s first and second incompleteness theorems [20], the Cartan fixed-point theorems [21], and the central limit theorem [22]. In November 2008, the Notices of the American Mathematical Society devoted a special issue to the topic of interactive theorem proving, which provides an overview of the state of the field at the time [15]. In 2013, Georges Gonthier and thirteen co-authors announced the culmination of a six-year project that resulted in the verification of the Feit–Thompson odd order theorem [23]. In 2015, the formal verification of the Kepler conjecture was completed under the leadership of Thomas Hales [24]. In December 2023, the project initiated by Terence Tao to formalize the proof of the Polynomial Freiman–Rusza Conjecture also succeeded [25]. These achievements contribute to the growing influence of mechanized proving of mathematical theorems in the academic community. The renowned mathematician and computer scientist Freek Wiedijk believes that the ongoing formalization of mathematics is a mathematical revolution [26]. “With the help of computational proof assistants, formal verification could become the new standard for rigor in mathematics” [15].

As far as real number theory is concerned, in the initial stage of its formulation, methods can be broadly categorized into two approaches: the Dedekind cut method introduced by Dedekind and the Cauchy sequence method proposed by Cantor, both of which have become well established in mathematical discourse. These two enduring and classic theories continue to be widely accepted and applied in contemporary mathematical research. Nevertheless, it appears that human curiosity concerning the real numbers is not quite quenched with just these two constructions and there are still new methods of constructing real numbers proposed up to the 21th century [27]. Meanwhile, fueled by applications in automated (mechanized) theorem proving and verification, where one must represent the real numbers in a computer, nuances of the differences between various constructions of the reals become very pronounced [27]. As a result, the formal verification of these theories on real numbers represents both a profound exploration of the fundamental theories of mathematics and a significant enrichment of the foundational materials required for the formalization of mathematical theorems. This enrichment, in turn, offers a broader array of choices for future formalization efforts. Therefore, the formalization of FMCR serves as not only a comprehensive and rigorous verification of the theory itself but also a means to provide further starting points and possibilities for future formalization work.

FMCR employs a special filter, the non-principal arithmetical ultrafilter (NPAUF), to construct real numbers. Filter and ultrafilter are mathematical concepts that can be derived from topology. In [28,29], we, respectively, presented the formalization of filter-related theories and the existence of NPAUF in Coq. This paper will further introduce the Coq formalization of the entire process of constructing real numbers using NPAUF.

Compared to classical real number theories, FMCR possesses several distinctive features:

1. The construction involves the non-standard extension of number systems. With the use of NPAUF, the set of natural numbers can be extended to the non-standard natural number set *N, which is a useful non-standard model that has simple construction and superior properties [1]. *N includes some special elements at infinity that can be named infinity natural numbers. Infinity numbers are greater than all natural numbers (infinitely large) but follow the general arithmetic properties (addition, multiplication, order, etc.) of natural numbers. Following the idea of equivalence classification, *N can be further extended to the non-standard integer set *Z inclusive of infinity integers, and the non-standard rational number set *Q, which encompasses both infinity and infinitesimal numbers (numbers that are infinitely small). The structure of real numbers is then obtained by equivalently classifying a specific subset of *Q.

2. The establishment of this method requires additional set theory hypotheses as premises, for the existence of NPAUF has not been proven within general axiomatic set theories [2,30]. In [29], we implemented the Coq formalization of the proof provided by Wang in [2,30] that the Continuum Hypothesis (CH) implies the existence of NPAUF. Therefore, in order to formalize FMCR, CH actually needs to be acknowledged as a precondition or axiom. CH is consistent and compatible with the general axiomatic set theories, and can be safely employed [31,32].

3. This method could potentially be extended to establish the foundation of non-standard analysis—non-standard real numbers, also known as hyper-reals. Robinson once quoted Gödel’s statements in the preface of his masterpiece Nonstandard Analysis [33]: “There are good reasons to believe that non-standard analysis, in some version or other, will be the analysis of the future”. The majority of literature on non-standard analysis typically utilizes the ultrapower method to provide a model for hyper-reals [33,34,35]. Although FMCR does not directly construct hyper-reals, the construction process involves some non-standard number sets: *N, *Z and *Q. The underlying concepts involving NPAUF might serve as an alternative to the ultrapower method for hyper-real construction. As mentioned in [28,29], our long-term goal is to formalize the non-standard analysis.

Following the previous work in [28,29], we choose the Coq proof assistant to implement the formal verification, and the formal system of Morse–Kelley axiomatic set theory (MK) in Coq [36,37] as the basis for the work in this paper. Indeed, set theory is the foundation of modern mathematics, and axiomatic set theories, developed to address Russell’s Paradox, can undoubtedly serve as the basis for highly rigorous formal verification of mathematical theorems. Furthermore, MK recognizes a broader range of mathematical objects than just “sets”, called “classes”, making it a proper extension of Zermelo–Fraenkel axiomatic set theory (with the Axiom of Choice) (ZFC) and relatively more convenient to utilize in the formalization process [28,29,36,37].

The mathematical descriptions of definitions and theorems used in this paper are mainly taken from textbooks [2,4,30] ([4] contributes to the part of MK and [2,30] to the filters and FMCR). The entire Coq code is available at https://github.com/1DGW/formal-verification-of-the-filter-method-construction-for-real-numbers, accessed on 19 August 2025.

The paper is organized as follows: Section 2 presents the relevant preliminary knowledge required for this paper; Section 3 presents the formalization of the construction of the sets *N, *Z and *Q; Section 4 presents the formalization of real number set $\mathbf{R}$ and the verification of elementary properties of real numbers; Section 5 gives the conclusion and further perspectives.

2. Preliminary Knowledge

In this section, we outline some fundamental usages of Coq tailored to our work, and present basic formalization results required for FMCR.

2.1. About Coq

The process of formalizing a mathematical theory can be roughly divided into two parts: one is to describe definitions and theorems using a formal language, which is like a “translation process” from a natural language; and the other entails gradually discharging proof goals using formal proof tactics in an interactive environment in order to ensure the correctness of the described content. Due to significant differences in logic, syntax, and semantics between natural and formal languages, accurately translating a natural language into a logically rigorous formal language becomes the most crucial step in the formalization process.

In Coq, there are several commands that can be used to describe mathematical definitions such as “Definition”, “Inductive”, “Fixpoint”, etc. Each of them has different roles, and “Definition” is sufficient for our system.

The description of a definition is written “Definition c : A := t.” For this definition to be accepted, it is necessary that t is well typed in the current environment and context, that the type of c is A, and that c does not clash with the name of another global variable. The Coq system has a type-inference mechanism that can determine the type of t; thus, the definition sometimes can be simply written “Definition c := t.”

From the mathematical perspective, c can be regarded as the name of a definition and t the specific content of it. For example, to define the square of a natural number n, the definition is described as:

where “fun” is the key word used to write anonymous programming functions in Coq. Here, it takes a natural number n and returns its square $n·n$. To make the code concise, the definition is often written:

In this form, n can be regarded as the parameter of this definition, and the type “nat” of n can be determined by the Coq system and thus can be defaulted.

Additionally, to simplify the expressions, we can introduce notations for definitions:

The command “Declare Scope” declares the scope “scope_nat” where the notation is interpreted. All notations in scope_nat can be interpreted when the scope is open with the command “Open Scope”. “Delimit Scope” links the delimiting key “nat” to scope_nat, which helps to interpret the notations in scope_nat when the scope is close or to distinguish those identical notations but in different scopes. For example, “(3 ²)%nat” still can be interpreted as the square of the natural number 3 even if “3 ²” would represent a different definition in another scope, or scope_nat would be close.

The “Theorem” command is used to state that one wants to prove a theorem, indicating the name of this theorem and its statement. For example, to prove the logic proposition “For every proposition $P,Q,R$, $(P⟹Q)⟹\left(\right(Q⟹R)⟹(P⟹R\left)\right)$”, we can write:

where “prop_trans” represents the name of this theorem, and “->”, right-associative, can serve as “⟹”. Followed by Theorem, proofs start with the “Proof” command and end with “Qed”. Between Proof and Qed, proof tactics need to be written to discharge all proof goals and make the code able to run and pass successfully. For the example above, the complete formal verification is as follows:

The tactic “intros” is used to introduce the premises (i.e., the parameters P, Q, R and the premises (P -> Q), (Q -> R) and P) to the proof environment as hypotheses. The tactic “auto” is a built-in automated tactic in Coq, designed to solve simple proof goals.

Table 1. Fundamental proof tactics in Coq.

Tactic	Semantics
intro/intros	introduce a single premise/all premises to proof environment as hypotheses
pose proof H	introduce an existing hypothesis H or a previously established theorem
split	split the conjunction in the goal to generate two subgoals
destruct H	split disjunctions or conjunctions/instantiate existential quantifiers in hypothesis H, where H can be a proven theorem
assumption	search through all available hypotheses to find an exact match for the goal and solve it
apply H (in H1)	apply the hypothesis H to the proof goal (to the hypothesis H1), where H can be a proven theorem
unfold A (in H)	unfold definition A in the goal (in hypothesis H)
rewrite H (in H1)	perform equality substitution on the proof goal (or hypothesis H1) using equation H to replace corresponding variables
exists a	instantiate the existential quantifier in the goal with a
left/right	extract the left/right disjunct from the goal’s disjunction as a new subgoal
repeat T	repeat applying tactic T until it is no longer applicable
auto	automatically and repeatedly execute basic tactics including assumption, intros and apply

lists some fundamental tactics with their semantics. For additional tactics and detailed usage, refer to [9,10].

As previously mentioned, the critical step of the formalization process is the formal description of definitions and theorems. Therefore, this paper focuses on formal descriptions of definitions and theorems, and in Section 4.3 we present brief semantic explanations of formal proofs (tactics) through the verification of Archimedean property and completeness of real numbers. Readers can run the code we provide to verify the correctness of the descriptions and proofs.

Besides Theorem, there are many other synonymous commands, such as “Lemma”, “Corollary”, “Proposition”, “Property” and “Fact”, that can be interchangeably used as needed.

In some cases, we may need to declare a proposition that is temporarily unprovable or a mathematical object that is temporarily unconstructible, such as in the description of axioms. In such situations, the commands “Axiom” or “Parameter” are used. Their usage is similar to Theorem, but the contents declared by these two commands do not require proofs and can be invoked directly.

At this point, the understanding for Coq is sufficient to comprehend the content of the following sections. For more details on Coq usage, refer to [9,10].

2.2. About MK

Our team has finished the formalization of Morse–Kelley axiomatic set theory (MK) [36,37], and the entire code has been included in the Coq official contribution repository, indexed at https://coq.inria.fr/coq-package-index, accessed on 19 August 2025. Here, we summarize its important content as preparatory knowledge.

MK is grounded in Classical Logic [4], whereas the Coq system adopts Intuitionistic Logic [9]. Therefore, the Law of Excluded Middle needs to be assumed:

MK acknowledges “classes” (which are more numerous than sets) as fundamental objects. That is to say, every mathematical object (ordered pair, function, integer, etc.) is a class, and only those classes belonging to some other ones are defined as sets. The non-set classes are named “proper classes”. The term “class” does not appear in any axiom, it is a term that is directly recognized without definition. In Coq, the term “class” is declared as a new type “Class”, using the command “Parameter”.

There are two primitive constants in addition to the term “class”. The first is “∈”, which is read “is a member of” or “belongs to”. This means that one mathematical object (class) can be an element of another. The second is denoted “$\{··:\cdots \}$” and is read “the class of all $··$ such that ⋯”. It is the classifier and represents a class consisting of classes that satisfy a specific property. For example, “$\{x:x\notin y\}$” represents the class that consists of all members not belonging to y. The constant “∈” is described as “In” and “$\{··:\cdots \}$” as “Classifier”.

The type of “In” is actually “Class -> Class -> Prop”, indicating that it takes two classes as input and produces a proposition. For instance, given classes x and y, “x ∈ y” represents the proposition that x belongs to y.

The type of “Classifier” is slightly more intricate. In its type “(Class -> Prop) -> Class”, the first “Class” corresponds to the first placeholder in the classifier constant, intended to be filled by a variable representing a member of the classifier. The “Prop” corresponds to the second placeholder, meant for a proposition (whether correct or not). The last “Class” indicates that the classifier is indeed a class, but we do not know if there are members in it. Taken together, “(Class -> Prop)” implies that the proposition in the second placeholder takes the variable from the first as a parameter. Thus, in the notation “\{ P \}”, the type of “P”, which represents a proposition with a parameter, is precisely “Class -> Prop”.

The constants “class”, “∈” and “$\{··:\cdots \}$” form the basic structure of MK, through which all the axioms, definitions and theorems in MK can be described.

The definition of “set” is one of the most crucial definitions in MK, it constrains the concept of set to avoid Russell’s Paradox, excluding certain classes that are deemed “too large” (e.g., $\{u:u=u\}$, $\{u:u\notin u\}$) [4,36,37].

Definition 1 (Set).

x is a set if and only if for some y, $x\in y$.

MK inherits most elementary concepts and operations concerning sets (e.g., intersection, union, complement, pairs) from naive set theory and extends them to all classes. For example, $x\cap y$ in MK represents the intersection of classes x and y, either of which could be a set or not. Nevertheless, most objects discussed in this paper can be proven sets; if there are no specific instructions, we will directly use the term “set” rather than “class” to describe them.

The table presented in Appendix A lists partial definitions and mathematical meanings in MK along with their formalization in Coq, which will be frequently used in later sections. For more details about MK, refer to [4,36,37]; or access Coq-related source code of MK from https://github.com/1DGW/Formalization-of-Morse-Kelley-axiomatic-set-theory, accessed on 19 August 2025.

2.3. About Filters

The study of filters needs to be conducted within the context of set theories, so MK is an appropriate foundation to formalize the related concepts. The earliest concept related to filter is ultrafilter, which was apparently enunciated first by Frigyes Riesz in an address [38] in 1909 that unfortunately did not receive at the time the attention it deserved [39]. The concept of a filter, more concise and abstract, was introduced after the ultrafilter in [40,41] by Henri Paul Cartan in 1937 and subsequently adopted by Bourbaki in their book General Topology  [42].

The ultrafilter can be classified as principal ultrafilter and non-principal ultrafilter (also called free ultrafilter), and the former is relatively straightforward to construct and formalize.

Definition 2 (Principal Ultrafilter).

For every $a\in A$, the following set

$$\{u:u\subset A\wedge a\in u\},$$

denoted as $F_a$, is an ultrafilter over A. Each $F_a$, corresponding to the element a of A, is called a principal ultrafilter over A.

$F_a$ consists of all subsets of A that include the element a; it can be regarded as the sum of all properties of a in A. Formalizing this definition requires two steps: the first is to construct the set $F_a$, and the second is to verify that $F_a$ is indeed an ultrafilter.

The formal definition of $F_a$ requires two parameters A and a. And the formal proposition “Fa_P2_b” declared by the command “Property” indicates that when A is a set (Ensemble A) and a belongs to A (a ∈ A), $F_a$ is an ultrafilter over A.

The construction of a non-principal ultrafilter is not as succinct or direct, and proving its existence usually requires a theorem called the Filter Extension Principle (FEP) [2,30], which is a conclusion derivable from the Axiom of Choice (AC) and named the Ultrafilter Theorem in [43].

Theorem 1 (Filter Extension Principle).

Let F be a filter over A, then there exists an ultrafilter G over A such that $F\subset G$.

FEP asserts that every filter can be extended to an ultrafilter, with the use of which a non-principal ultrafilter can be extended from a specific filter called Fréchet Filter (denoted $F_{\sigma }$) [2,30]. The proof of FEP requires AC, so it is actually a non-constructive proof. In other words, a non-principal ultrafilter cannot be directly constructed but can only be formalized in the form of a proposition or theorem:

where “Ensemble A” and “∼ Finite A” represents that A is an infinite set and “∃ F0, free_ultraFilter F0 A” indicates the existence of a non-principal ultrafilter over A. The non-principal ultrafilter is also called the free ultrafilter, and “free_ultraFilter” is an invocation of its formalization.

In 1979, Daguenet-Teissier noticed a special ultrafilter in [44] with a specific property [1]. Subsequently, drawing from this research, Wang observed that non-principal ultrafilters with this property can be used to establish arithmetic models, including a real number model, with simple structures and superior properties [1]. Consequently, Wang refers to ultrafilters with this property as the “arithmetical ultrafilter (AUF)” and non-principal ones as the “non-principal arithmetical ultrafilter (NPAUF)” [3].

Definition 3 (Arithmetical Ultrafilter).

For every ultrafilter F over an infinite set A, F is an arithmetical ultrafilter if and only if:

$$\forall f,g\in A^A,f\langle F\rangle =g\langle F\rangle ⟹f{=}_{F}g.$$

Here, $f,g\in A^A$ means f and g are functions whose domain is A and range is contained in A; $f\langle F\rangle =\{u:u\subset A\wedge f^{-1}\lceil u\rfloor \in F\}$ where $f^{-1}\lceil u\rfloor =\{u:u\in domainf\wedge f\left(u\right)\in A\}$; and $f{=}_{F}g$ means $\{u:u\in A\wedge f(u)=g(u\left)\right\}\in F$, where f and g are F-equivalent or f and g are almost equal about F. The formalization of AUF is as follows:

The formal definition consists of three assumptions: “∼ Finite A” indicates that A is an infinite set, “F ∈ ($\mathrm{\beta }$ A)” indicates that F is an ultrafilter over A as “($\mathrm{\beta }$ A)” represents the set consisting of all the ultrafilters over set A, and the last assumption rules that for each function f and g, $f\langle F\rangle =g\langle F\rangle$ implies that f and g are F-equivalent, where $f\langle F\rangle$ is formally denoted as “f〈F∣A〉” because the parameter “A” cannot be omitted in code.

It is straightforward to prove that every principal ultrafilter is an AUF [2], but the existence of a non-principal AUF (NPAUF) is challenging to prove within the framework of general set theories. In one of Wang’s publications [30], he introduces various methods to prove the existence of NPAUF using different set theory hypotheses independent of ZFC. Among them, we chose the Continuum Hypothesis (CH) as the precondition to formally verify the existence of NPAUF, which ensures the safety and consistency of our formal system because CH is also consistent with MK [29,31,32].

Figure 1 presents the relationships among the filters involved in our formalization. As shown in the figure, an ultrafilter is also called a maximal filter; a non-principal ultrafilter is also called a free ultrafilter, so the principal ultrafilter is equivalent to the non-free ultrafilter. With the use of FEP, every filter can be extended to an ultrafilter and the Fréchet Filter to a non-principal ultrafilter. And every principal ultrafilter can be proven to be an AUF but the proof of the existence of NPAUF relies on CH.

Appendix B shows the fundamental definitions and mathematical meanings about filters along with their formalization in Coq. For details on filter theories, refer to [2,30,43]; for details about our formalization of filters, refer to [28,29] or review the Coq code.

3. Construction of $*\mathbf{N}$, $*\mathbf{Z}$ and $*\mathbf{Q}$

3.1. Construction of $*\mathbf{N}$

The construction of $*\mathbf{N}$ depends on the existence of an NPAUF, so first a specific NPAUF must be chosen. Since NPAUF cannot be constructed directly, we use the command “Parameter” to introduce it.

The content stated in the above code has been formally verified in [29]. The first line defines a global variable F0 of type Class, which is equivalent to acknowledging an unproven class in mathematics, since in MK, all mathematical objects are classes. The second line further specifies that $F0$ is an NPAUF over $\omega$ (the set of natural numbers in MK), where “Arithmetical_ultraFilter F0 $\mathrm{\omega }$” indicates that $F0$ is an AUF, and “∀ m, F0 <> (F $\mathrm{\omega }$ m)” indicates that $F0$ is not equal to any principal ultrafilters over $\omega$, thus making $F0$ an NPAUF.

The set $*\mathbf{N}$ is then constructed as follows:

$$*\mathbf{N}=\{u:\exists f,f\in {\omega }^{\omega }\wedge u=f\langle F0\rangle \},$$

where $f\in {\omega }^{\omega }$ indicates that f is a function whose domain is $\omega$ and range is contained in $\omega$, and $f\langle F0\rangle =\{u:u\subset \omega \wedge f^{-1}\lceil u\rfloor \in F0\}$ ($f^{-1}\lceil u\rfloor =\{u:u\in \left(domainf\right)\wedge f\left(u\right)\in \omega \}$). The Coq formalization is aligned with the mathematical description:

It can be proven that for every ultrafilter F and a function f, $f\langle F\rangle$ is still an ultrafilter, and $f\langle F\rangle$ is called a transformation of F under f [29,30]. Therefore, $*\mathbf{N}$ is the set consisting of all transformations from $F0$ and each element of $*\mathbf{N}$ is at least an ultrafilter (of course, it could also be an AUF or an NPAUF).

$*\mathbf{N}$ is a non-standard extension of $\omega$ due to the existence of a proper subset of $*\mathbf{N}$ isomorphic to $\omega$, and all elements outside this subset are infinity numbers. To present this isomorphism process, the order and operations on $*\mathbf{N}$ should be formalized first.

Definition 4 (Order on *N).

For each $f,g\in {\omega }^{\omega }$, $u,v\in *\mathbf{N}$ and $u=f\langle F0\rangle$, $v=g\langle F0\rangle$, then the order of u and v is defined as follows:

$$u<v⟺f\langle F0\rangle <g\langle F0\rangle ⟺\{n:f(n)\in g(n\left)\right\}\in F0.$$

The order on $*\mathbf{N}$ is a total order, meaning that for any $u,v,w\in *\mathbf{N}$, it satisfies:

(1) Irreflexivity: $\sim u<u$,

(2) Transitivity: $u<v\wedge v<w⟹u<w$,

(3) Trichotomy: $u<v\vee v<u\vee u=v$.

In the code, “Connect” is the formalization of the MK concept that is equivalent to the concept of trichotomy [4,36].

Definition 5 (Addition on *N).

For each $f,g\in {\omega }^{\omega }$, $u,v\in *\mathbf{N}$ and $u=f\langle F0\rangle$, $v=g\langle F0\rangle$, then the sum of u and v is defined as follows:

$$u+v=f\langle F0\rangle +g\langle F0\rangle =(f+g)\langle F0\rangle ,$$

where $f+g$ represents the addition of functions in ${\omega }^{\omega }$, $f+g=\left\{\right(u,v):u\in \omega \wedge v=f(u)+g(u\left)\right\}$.

In the formalization, the addition of u and v is defined in the form of “∩({⋯})”. This is because mathematically, if the set constructed by the classifier $\{\cdots \}$ is a singleton $\left\{a\right\}$, then $\bigcap \left\{a\right\}$ is exactly equal to the unique element a. Here, the unique element is the result of $u+v$.

The formalization of multiplication follows the same process as addition, simply by replacing the addition operation with multiplication. Furthermore, the order, addition and multiplication on $*\mathbf{N}$ satisfy the basic arithmetic properties (commutativity, associativity, distributivity, etc.) of the natural numbers, which has also been formalized.

The subset isomorphic to $\omega$ is defined as:

$${*\mathbf{N}}_{\mathbf{N}}=\{u:uisaprincipalultrafilterover\omega \},$$

so ${*\mathbf{N}}_{\mathbf{N}}$ consists of all the principal ultrafilters over $\omega$.

Here “F $\mathrm{\omega }$ n” represents the principal ultrafilter $F_n$ corresponding to n which is an element of $\omega$.

Since every element of $\omega$ corresponds to a principal ultrafilter, the elements in $\omega$ are in one-to-one correspondence with the elements in ${*\mathbf{N}}_{\mathbf{N}}$. The two sets are isomorphic.

Proposition 1 ($\mathbf{\omega }$ and ${*\mathbf{N}}_{\mathbf{N}}$ are isomorphic).

The function $\phi =\{(u,v):u\in \omega \wedge v=F_u\}$ is a 1-1 function (bijective function) whose domain is $\omega$ and range is ${*\mathbf{N}}_{\mathbf{N}}$, and for each $m,n\in \omega$, $\phi$ preserves order and operations:

(1) 

$\phi \left(0\right)=F_0\wedge \phi \left(1\right)=F_1$.

(2) 

Order Preservation: $m<n⟺\phi \left(m\right)<\phi \left(n\right)$.

(3) 

Addition Preservation: $\phi (m+n)=\phi \left(m\right)+\phi \left(n\right)$.

(4) 

Multiplication Preservation: $\phi (m·n)=\phi \left(m\right)·\phi \left(n\right)$.

where 0 and 1 are, respectively, defined by the empty set ∅ and the singleton $\{\varnothing \}$ in MK.

To formalize this proposition, the function $\phi$ should be described first:

Then, to verify the properties that $\phi$ satisfies:

In the code, “m ∈ n” indicates that m is less than n, because in MK the order on $\omega$ is exactly defined as the relation “∈”. And “(m + n)%$\mathrm{\omega }$” means that $m+n$ should be interpreted as the addition on $\omega$, and ($\mathrm{\phi }$[m] + $\mathrm{\phi }$[n])%n’ as the addition on $*\mathbf{N}$.

Now ${*\mathbf{N}}_{\mathbf{N}}$ can be deemed as a set of natural numbers as well because of the isomorphism. Moreover, it can be verified that $*\mathbf{N}$ is a non-standard extension of ${*\mathbf{N}}_{\mathbf{N}}$, namely a non-standard extension of natural number set.

From the first line, it can be observed that ${*\mathbf{N}}_{\mathbf{N}}$ is a proper subset of $*\mathbf{N}$, and the second line shows that the elements outside ${*\mathbf{N}}_{\mathbf{N}}$ are all greater than those in ${*\mathbf{N}}_{\mathbf{N}}$. The expression “t ∈ (N’ ∼ N’_N)” is the formalization of the mathematical expression $t\in *\mathbf{N}\sim {*\mathbf{N}}_{\mathbf{N}}$, which means that t belongs to $*\mathbf{N}$ but not in ${*\mathbf{N}}_{\mathbf{N}}$. The elements in $*\mathbf{N}\sim {*\mathbf{N}}_{\mathbf{N}}$ can be called “infinity natural numbers”, because they are greater than all the general natural numbers (they are infinitely large).

Therefore, $*\mathbf{N}$ is actually a non-standard natural number set and its structure can be intuitively depicted as:

$$\underset{{*\mathbf{N}}_{\mathbf{N}}}{\underbrace{0<1<2<\cdots <n<}}\cdots <\tau <(\tau +1)<\cdots$$

where $\tau$ represents an infinity natural number.

3.2. Extension from $*\mathbf{N}$ to $*\mathbf{Z}$

The extension from $*\mathbf{N}$ to $*\mathbf{Z}$ adopts the idea of equivalence classification and the relevant definitions and theorems should be formalized.

Definition 6 (Equivalence Relation).

For each set a, let R be a subset of $a\times a$; R is called an equivalence relation over a if it satisfies:

(1) Reflexivity: $\forall x\in a,xRx$.

(2) Symmetry: $\forall x,y\in a$, if $xRy$ then $yRx$.

(3) Transitivity: $\forall x,y,z\in a$, if $xRy$ and $yRz$ then $xRz$, where $a\times a=\left\{\right(u,v):u\in a\wedge v\in a\}$ (Cartesian Product) and $xRy$ stands for $(x,y)\in R$, namely $(x,y)$ satisfies R-relation.

A trivial example of equivalence relation is identity relation. Because for every a and its members x and y, it obviously satisfies $x=x$ (reflexivity), if $x=y$ then $y=x$ (symmetry), and if $x=y$ and $y=z$ then $x=z$ (transitivity). The identity relation over a can be set as $\left\{\right(u,v):u\in a\wedge v\in a\wedge u=v\}$.

Definition 7 (Equivalence Class).

Let R be an equivalence relation over a; for each x in a, the set

$$\{u:u\in a\wedge uRx\}$$

is called the equivalence class represented by x with respect to the R-relation, denoted ${\left[x\right]}_R$.

To formalize this definition, three parameters are required: the first one serves as the representation x of this equivalence class, the second the equivalence relation R and the last the set a.

Definition 8 (Quotient Set).

Let R be an equivalence relation over a, the quotient set of a is:

$$a/R=\{u:\exists x,x\in a\wedge u={\left[x\right]}_R\}.$$

A quotient set $a/R$ consists of all equivalence classes with respect to R; it is the result of equivalently classifying the elements of a.

The construction of $*\mathbf{Z}$ actually equivalently classifies the elements of $*\mathbf{N}\times *\mathbf{N}$, and a specific equivalence relation over $*\mathbf{N}\times *\mathbf{N}$ must be set first:

$$R_{*\mathbf{N}}=\{((m,n),(p,q)):m,n,p,q\in *\mathbf{N}\wedge m+q=n+p\},$$

where $m+q$ and $n+p$ indicate the addition on $*\mathbf{N}$.

The expression “N’ × N’” represents $*\mathbf{N}\times *\mathbf{N}$ ($=\{(u,v):u\in *\mathbf{N}\wedge v\in *\mathbf{N}\}$); it is the formalization of the Cartesian Product of $*\mathbf{N}$. To simplify the formalization code, we introduce the notation “\[ u \]” for the equivalence class with respect to $R_{*\mathbf{N}}$.

According to the equivalence relation, we can observe many equivalent elements in $*\mathbf{N}\times *\mathbf{N}$. For example, $(0,0)$, $(1,1)$, $(2,2)$, ⋯, $(\tau ,\tau )$, ⋯ are equivalent; $(0,1)$,$(1,2)$,$(2,3)$, "EF, $(\tau ,\tau +1)$, ⋯ are equivalent; and so are $(2,0)$,$(3,1)$,$(4,2)$, ⋯, $(\tau +2,\tau )$, ⋯, where $\tau$ represents an infinity natural number. In a planar dot array composed of elements in $*\mathbf{N}\times *\mathbf{N}$, we can connect equivalent points with straight lines and thus obtain Figure 2.

In Figure 2, every oblique line represents an equivalence class of $*\mathbf{N}\times *\mathbf{N}$, and intuitively the order of these oblique lines on the horizontal axis forms a new number “sequence” (this “sequence” is extended to infinity numbers) and the lines extended by dashed lines extend this “sequence” to a range of negative numbers. Then, the set consisting of all these oblique lines, namely the quotient set of $*\mathbf{N}\times *\mathbf{N}$ with respect to $R_{*\mathbf{N}}$, is exactly $*\mathbf{Z}$.

$$*\mathbf{Z}=(*\mathbf{N}\times *\mathbf{N})/R_{*\mathbf{N}}=\{u:\exists x,x\in *\mathbf{N}\times *\mathbf{N}\wedge u={\left[x\right]}_{R_{*\mathbf{N}}}\}.$$

The suffix “%eqr” indicates that the notation “/” should be interpreted as the quotient set operation.

In the similar ways following $*\mathbf{N}$, the order, addition and multiplication on $*\mathbf{Z}$ can be formalized:

The order and operation properties of $*\mathbf{N}$ are also shared by $*\mathbf{Z}$. In addition, $*\mathbf{Z}$ has an extra property: for every element $u\in *\mathbf{Z}$, there exists a unique element v such that $u+v=0$; namely, every element of $*\mathbf{Z}$ has a corresponding negative element.

The symbol “∃!” above represents the unique existence of v, namely for each $v^{\prime }$ that satisfies $u+v^{\prime }=0$, $v^{\prime }$ must be equal to v. And “Z’0” is the formalization of 0 (the zero element) in $*\mathbf{Z}$; it is equal to the equivalence class ${\left[(F_0,F_0)\right]}_{R_{*\mathbf{N}}}$ where $F_0$ is the principal ultrafilter corresponding to 0 ($\in \omega$).

$*\mathbf{Z}$ has an important proper subset:

$${*\mathbf{Z}}_{\mathbf{Z}}=\{u:\exists m,n\in {*\mathbf{N}}_{\mathbf{N}}\wedge u={\left[(m,n)\right]}_{R_{*\mathbf{N}}}\}$$

${*\mathbf{Z}}_{\mathbf{Z}}$ consists of the equivalence classes whose elements are all from ${*\mathbf{N}}_{\mathbf{N}}\times {*\mathbf{N}}_{\mathbf{N}}$, and ${*\mathbf{N}}_{\mathbf{N}}$ is the finite section of $*\mathbf{N}$. This implies that ${*\mathbf{Z}}_{\mathbf{Z}}$ is also the finite section of $*\mathbf{Z}$, making ${*\mathbf{Z}}_{\mathbf{Z}}$ suitable to serve as a set of general integers. And every member of $*\mathbf{Z}\sim {*\mathbf{Z}}_{\mathbf{Z}}$ is greater (for the positive ones) or smaller (for the negative ones) than all the elements in ${*\mathbf{Z}}_{\mathbf{Z}}$.

Therefore, the elements in $*\mathbf{Z}\sim {*\mathbf{Z}}_{\mathbf{Z}}$ are either positive infinity or negative infinity; they can be called the “infinity integers”. $*\mathbf{Z}$ is a non-standard extension of the integer set.

In addition, just as $\omega$ is isomorphic to ${*\mathbf{N}}_{\mathbf{N}}$, $*\mathbf{N}$ is isomorphic to the following subset of $*\mathbf{Z}$:

$${*\mathbf{Z}}_{*\mathbf{N}}=\{u:\exists m,m\in *\mathbf{N}\wedge u={\left[(m,F_0)\right]}_{R_{*\mathbf{N}}}\},$$

namely, there exists a 1-1 function between $*\mathbf{N}$ and ${*\mathbf{Z}}_{*\mathbf{N}}$ that preserves order and operations. ${*\mathbf{Z}}_{*\mathbf{N}}$ consists of the non-negative elements of $*\mathbf{Z}$.

Now the structure of $*\mathbf{Z}$ can be intuitively depicted as: where $\tau$ represents an infinity integer.

3.3. Extension from $*\mathbf{Z}$ to $*\mathbf{Q}$

Similar to the process from $*\mathbf{N}$ to $*\mathbf{Z}$, $*\mathbf{Q}$ is also obtained by equivalence classification, and the equivalence relation is defined on $*\mathbf{Z}\times (*\mathbf{Z}\sim \{*$${\mathrm{Z}}_0\left\}\right)$:

$$R_{*\mathbf{Z}}=\{((a,b),(c,d)):a,c\in *\mathbf{Z}\wedge b,d\in \left(*\mathbf{Z}\sim \{*Z_0\}\right)\wedge a·d=b·c\},$$

where *Z₀ is the 0 element in $*\mathbf{Z}$, formalized as “Z’0”.

The definition “Z’_De” in the code gives $*\mathbf{Z}\times (*\mathbf{Z}\sim \{*$${\mathrm{Z}}_0\left\}\right)$ a shorter symbol, making the formal description more convenient. The notation of the equivalence class with respect to $R_{*\mathbf{Z}}$ is the same as that with respect to $R_{*\mathbf{N}}$, but distinguished by scope.

According to the definition of $R_{*\mathbf{Z}}$, for two equivalence classes ${\left[(a,b)\right]}_{R_{*\mathbf{Z}}}$ and ${\left[(c,d)\right]}_{R_{*\mathbf{Z}}}$, ${\left[(a,b)\right]}_{R_{*\mathbf{Z}}}={\left[(c,d)\right]}_{R_{*\mathbf{Z}}}$ means $a·d=b·c$, which aligns with the general understanding of $a/b=c/d$. Thus, each equivalence class ${\left[(a,b)\right]}_{R_{*\mathbf{Z}}}$ can be interpreted as the fraction $a/b$, and $R_{*\mathbf{Z}}$ essentially generates fractions.

Figure 3 presents the classification process of $R_{*\mathbf{Z}}$.

In the planar dot array composed of elements in $*\mathbf{Z}\times (*\mathbf{Z}\sim \{*$${\mathrm{Z}}_0\left\}\right)$, every line connecting equivalent points represents an equivalence class of $*\mathbf{Z}\times (*\mathbf{Z}\sim \{*$${\mathrm{Z}}_0\left\}\right)$, and certainly the lines are dense, which means that there always exists such a line between any two and the inverse elements such as $1/2$ are contained. The set consisting of all these lines, namely the quotient set of $*\mathbf{Z}\times (*\mathbf{Z}\sim \{*$${\mathrm{Z}}_0\left\}\right)$ with respect to $R_{*\mathbf{Z}}$, is exactly $*\mathbf{Q}$.

$$*\mathbf{Q}=(*\mathbf{Z}\times (*\mathbf{Z}\sim \{*Z_0\}))/R_{*\mathbf{Z}}=\{u:\exists x,u={\left[x\right]}_{R_{*\mathbf{Z}}}\}.$$

It is possible to define the order and operations on $*\mathbf{Q}$ in the same way as the usual definitions for fractions, and it can be verified that the elements in $*\mathbf{Q}$ satisfy all the arithmetic properties of the rational numbers.

But different from the general rational numbers, $*\mathbf{Q}$ introduces not only the infinity numbers but also the infinitesimal numbers. To clarify this point, the elements of $*\mathbf{Q}$ can be divided into two categories.

Elements of one category, called finitely large elements of $*\mathbf{Q}$, constitute a crucial subset of $*\mathbf{Q}$:

$${\mathbf{Q}}_{<}=\{u:u\in *\mathbf{Q}\wedge \exists k\in {*\mathbf{Q}}_{\mathbf{N}},\left|u\right|=k\vee \left|u\right|<k\}.$$

${\mathbf{Q}}_{<}$ is called the Archimedes Subset of $*\mathbf{Q}$ because every element u satisfies the Archimedean Property:

$$\exists k\in {*\mathbf{Q}}_{\mathbf{N}},\left|u\right|=k\vee \left|u\right|<k,$$

where ${*\mathbf{Q}}_{\mathbf{N}}$ is the subset isomorphic to $\omega$ and ${*\mathbf{N}}_{\mathbf{N}}$, representing the natural number set; and $\left|u\right|$ denotes the absolute value of u.

It can be observed that the absolute value of every element in ${\mathbf{Q}}_{<}$ is always smaller than a certain natural number, which means that all elements in ${\mathbf{Q}}_{<}$ are measurable or finitely large. Thus, the elements of the other category belong to $*\mathbf{Q}\sim {\mathbf{Q}}_{<}$; they are greater than all natural numbers (infinitely large), called infinity numbers.

To implement the formalization of ${\mathbf{Q}}_{<}$, the formalization of ${*\mathbf{Q}}_{\mathbf{N}}$ and the concept of absolute value are required. The latter can be straightforwardly formalized as a function:

The formal definition “Q’_Abs” defines a function that takes an element u in $*\mathbf{Q}$ and outputs three different value dependent on the order relation of u and 0 (formalized by “Q’0”), which aligns with the usual understanding of the absolute value. The notation “| u |” then represents the expression “(Q’_Abs)[u]”, the value of u under the function.

The formalization of ${*\mathbf{Q}}_{\mathbf{N}}$ is a little more complicated, for there are no instructions provided for the specific construction of ${*\mathbf{Q}}_{\mathbf{N}}$ in [2]. Inspired by the isomorphism introduced in previous sections, one feasible method is to construct a subset isomorphic to $\omega$, and the isomorphism function is formally described as:

Here, “$\mathrm{\phi }$” is the formalization of the isomorphism function $\phi$ between $\omega$ and ${*\mathbf{N}}_{\mathbf{N}}$; namely, the domain of $\phi$ is $\omega$, the range is ${*\mathbf{N}}_{\mathbf{N}}$ and $\phi$ preserves the order and operations on $\omega$ and ${*\mathbf{N}}_{\mathbf{N}}$. “$\mathrm{\phi }$1” represents the isomorphism function between $*\mathbf{N}$ and ${*\mathbf{Z}}_{*\mathbf{N}}$, and “$\mathrm{\phi }$2” represents that between $*\mathbf{Z}$ and ${*\mathbf{Q}}_{*\mathbf{Z}}$ (the subset of $*\mathbf{Q}$ isomorphic to $*\mathbf{Z}$). Therefore, the composition of the three functions, denoted as ${\phi }_4$, can be verified to be an isomorphism function whose domain is $\omega$ and the range is contained in $*\mathbf{Q}$.

Then, ${*\mathbf{Q}}_{\mathbf{N}}$ is formally defined as the range of ${\phi }_4$, after which the set ${\mathbf{Q}}_{<}$ can also be formalized.

Another important subset of $*\mathbf{Q}$ is the set of infinitesimal numbers, denoted as $\mathbf{I}$. Intuitively, an infinitesimal number is an inverse element of an infinity number (i.e., $1/\tau$ where $\tau \in *\mathbf{Q}\sim {\mathbf{N}}_{<}$). For each non-zero natural number k, an infinitesimal number should be smaller than $1/k$.

$$\mathbf{I}=\{u:u\in *\mathbf{Q}\wedge (\forall k\in ({*\mathbf{Q}}_{\mathbf{N}}\sim {\{}^{*}{\mathrm{Q}}_0\}),\left|u\right|<(*{\mathrm{Q}}_1/k)\left)\right\},$$

where $*$Q₀ and $*$Q₁, respectively, are the zero element 0 and identity element 1 in $*\mathbf{Q}$, formalized as “Q’0” and “Q’1”.

Obviously, the zero element 0 is an infinitesimal number, but there are non-zero elements in $\mathbf{I}$, meaning that the singleton $\left\{0\right\}$ can be proven a proper subset of $\mathbf{I}$. And $\mathbf{I}$ should be a subset of ${\mathbf{Q}}_{<}$ because infinitesimal numbers are also finitely large.

Besides the sets introduced above, $*\mathbf{Q}$ also has some other important subsets: ${*\mathbf{Q}}_{*\mathbf{N}}$ that is isomorphic to $*\mathbf{N}$, ${*\mathbf{Q}}_{*\mathbf{Z}}$ that is isomorphic to $*\mathbf{Z}$, ${*\mathbf{Q}}_{\mathbf{Z}}$ that is isomorphic to ${*\mathbf{Z}}_{\mathbf{Z}}$ and can serve as a set of integers, and ${*\mathbf{Q}}_{\mathbf{Q}}$ that can serve as a set of rational numbers. And undoubtedly ${*\mathbf{Q}}_{\mathbf{N}}$, ${*\mathbf{Q}}_{\mathbf{Z}}$ and ${*\mathbf{Q}}_{\mathbf{Q}}$ are all subsets of ${\mathbf{Q}}_{<}$ because their elements are finitely large and measurable. Here, we directly present their formalization.

The formal expression “Z’0” and “Z’1”, respectively, represent the zero element 0 and the identity element 1 in $*\mathbf{Z}$, and “Q’0” represents 0 in $*\mathbf{Q}$.

Therefore, $*\mathbf{Q}$ actually has a structure much more complicated than usual the rational number set and even than the real number set. Including both infinity and infinitesimal numbers, $*\mathbf{Q}$ is a non-standard extension of the rational number set. Figure 4 shows the structures involved from $\omega$ to $*\mathbf{Q}$.

4. Real Number Set $\mathbf{R}$

4.1. From ${\mathbf{Q}}_{<}$ to $\mathbf{R}$

Now it is sufficient to perform equivalence classification on ${\mathbf{Q}}_{<}$ to obtain the real number set $\mathbf{R}$, and the equivalence relation is defined as:

$$R_{*\mathbf{Q}}=\{(u,v):u\in {\mathbf{Q}}_{<}\wedge v\in {\mathbf{Q}}_{<}\wedge u-v\in \mathbf{I}\}.$$

The formal proposition “R_Q’_is_equRelation” verifies that $R_{*\mathbf{Q}}$ is an equivalence relation on ${\mathbf{Q}}_{<}$, and the equivalence class with respect to $R_{*\mathbf{Q}}$ is also denoted by the notation “\[ u \]”.

Then, the real number set $\mathbf{R}$ is defined as the quotient set of ${\mathbf{Q}}_{<}$:

It is obvious that $\mathbf{R}$ is obtained by equivalence classification of a single set, whereas $*\mathbf{Z}$ and $*\mathbf{Q}$ are obtained by classifying the Cartesian Product of two sets. This means that the elements in $\mathbf{R}$ are all equivalence classes, each of which can be represented by a single element from ${\mathbf{Q}}_{<}$. That is to say, each $u\in \mathbf{R}$ can be denoted as ${\left[a\right]}_{R_{*\mathbf{Q}}}$ where a is the representation of u and an element in ${\mathbf{Q}}_{<}$. Thus, the order and operations on $\mathbf{R}$ can be directly defined according to those on $*\mathbf{Q}$ (${\mathbf{Q}}_{<}$ is a subset of $*\mathbf{Q}$).

In addition, since the natural number set ${*\mathbf{Q}}_{\mathbf{N}}$ is contained in ${\mathbf{Q}}_{<}$, the natural number set $\mathbf{N}$ contained in $\mathbf{R}$ can be defined as the set consisting of equivalence classes represented by members from ${*\mathbf{Q}}_{\mathbf{N}}$. And the same idea applies to the integer set $\mathbf{Z}$ and the rational number set $\mathbf{Q}$.

Clearly, ${*\mathbf{Q}}_{\mathbf{N}}$ is isomorphic to $\mathbf{N}$, and consequently $\omega$ is also isomorphic to $\mathbf{N}$ (since $\omega$ is isomorphic to ${*\mathbf{Q}}_{\mathbf{N}}$). Moreover, ${*\mathbf{Q}}_{\mathbf{Z}}$ is isomorphic to $\mathbf{Z}$, and ${*\mathbf{Q}}_{\mathbf{Q}}$ is isomorphic to $\mathbf{Q}$.

Figure 5 shows the structures from ${\mathbf{Q}}_{<}$ to $\mathbf{R}$.

4.2. What Are Real Numbers?

Although the set $\mathbf{R}$ has been constructed, it needs to be clarified how to ensure that $\mathbf{R}$ is indeed the set of real numbers required in mathematical analysis.

Firstly, concerning the order and operations, the elements in R satisfies the following properties:

(I)

Properties of Addition

(1)

$u+0=u$.

(2)

existence of negative element: $\exists !u_0,u+u_0=0$.

(3)

associative law: $(u+v)+w=u+(v+w)$.

(4)

commutative law: $u+v=v+u$.

(II)

Properties of Multiplication

(1)

$u·1=u$.

(2)

existence of inverse element: $\exists !u_1,u·u_1=1$.

(3)

associative law: $(u·v)·w=u·(v·w)$.

(4)

commutative law: $u·v=v·u$.

(I,II)

Connection between Addition and Multiplication

(1)

distributive law: $u·(v+w)=(u·v)+(u·w)$.

(III)

Properties of Order

(1)

$0<1$.

(2)

reflexivity: $u\nless u$.

(3)

transitivity: $u<v\wedge v<w⟹u<w$.

(4)

trichotomy: $u<v\vee v<u\vee u=v$.

(I,III)

Connection between Addition and Order: $u<v⟺(u+w)<(v+w)$.

(II,III)

Connection between Multiplication and Order: $u<v⟺(u·w)<(v·w)$, where $0<w$.

In the above code, “R0” and “R1”, respectively, represent the zero and identity element in the set $\mathbf{R}$.

These are all the elementary properties of real numbers familiar to us all, and a structure satisfying the above properties is called an ordered field in mathematics.

However, merely satisfying the properties of ordered fields is not sufficient to constitute the set of real numbers. In the process of FMCR, several sets can be verified ordered fields, such as $*\mathbf{Q}$, ${*\mathbf{Q}}_{\mathbf{Q}}$, $\mathbf{Q}$, $\mathbf{R}$. But only $\mathbf{R}$ can serve as the real number set because $\mathbf{R}$ possesses both of two additional properties:

• Archimedean Property: $\forall r\in \mathbf{R},\exists k\in \mathbf{N},\left|r\right|\le k.$
• Completeness (there are numerous equivalent statements of the Archimedean property and completeness [45,46], and the formulations here are quoted from [2]): A monotonically increasing and bounded sequence must possess a supremum (least upper bound).

A structure satisfying the ordered field properties, the Archimedean property and completeness constitutes a complete ordered field, and can serve as a real number set [46]. What mathematical analysis needs is exactly the complete ordered field.

4.3. Formally Proving the Archimedean Property and Completeness

Obtained from the equivalence classification of ${\mathbf{Q}}_{<}$ which is exactly defined by the Archimedean property, $\mathbf{R}$ logically satisfies the Archimedean property.

The expression “|r|” here indicates the absolute value of the real number r; it is formalized as the value of a function.

The key to proving the Archimedean property lies in addressing the case where $0<r$, since for $r<0$, one only needs to consider $-r$ (which is greater than 0). As for the case where $r=0$, the theorem can be easily verified: $\left|0\right|\le 0$.

Therefore, we use the tactic “assert” to introduce the following assertion to the proof environment as a hypothesis.

The statements asserted by this tactic need to be proven. The proof code is typically enclosed in curly braces “{” and “}”, after which the asserted content can be utilized as a hypothesis within the proof environment.

We briefly introduce the manual proof of this assertion:

Proof. 

For $0<r$, let $r={\left[q^{\prime }\right]}_{R_{*\mathbf{Q}}}$ where $q^{\prime }\in {\mathbf{Q}}_{<}$; thus, there exists an $n\in {*\mathbf{Q}}_{\mathbf{N}}$ such that $|q^{\prime }|\le n$. By the definition of the order on $\mathbf{R}$, $0<q^{\prime }$ holds, which implies $|q^{\prime }|=q^{\prime }$ and $q^{\prime }\le n$. Consequently, we have ${\left[n\right]}_{R_{*\mathbf{Q}}}\in \mathbf{N}$ and $\left|r\right|=r={\left[q^{\prime }\right]}_{R_{*\mathbf{Q}}}\le {\left[n\right]}_{R_{*\mathbf{Q}}}$.    □

Now we can present a relatively complete machine proof of the Archimedean property.

For brevity, the machine proof details of the assertion at { … } are omitted here, with corresponding manual proof presented above. The verification approach for the remaining code is as follows:

4 Introduce $r\in \mathbf{R}$ and $0\in \mathbf{R}$ as hypotheses into the proof environment.

5 Split the proof into three cases by trichotomy: $0<r$, $r<0$ and $r=0$. The case $0<r$ is already covered by the previous assertion in line 3.

6–8 (case $r<0$) Let $-r=r_0$; then, $0<r_0$ and $\left|r\right|=|r_0|$. We can rewrite $\left|r\right|$ as $|r_0|$ in the proof goal, making it align with the assertion in line 3.

9 (case $r=0$) Directly specify the constant 0 (R0 in code), which satisfies $0\in \mathbf{R}$ and $\left|0\right|\le 0$.

The Archimedean property means the measurability of numbers, and $*\mathbf{Q}$ does not satisfy this property because of the infinity numbers. Thus, $*\mathbf{Q}$ cannot serve as the real number set.

As for the completeness, the concept of sequence needs to be described first. A sequence of $\mathbf{R}$ is exactly a function whose domain is the natural number set $\mathbf{N}$ and range is contained in $\mathbf{R}$. Up to now, we have seen several sets that can serve as the natural number set: $\omega$, ${*\mathbf{N}}_{\mathbf{N}}$, ${*\mathbf{Q}}_{\mathbf{N}}$ and $\mathbf{N}$. Considering its concise set structure, we choose $\omega$ as the foundation of a formal definition of sequence.

In addition, the concepts of monotonicity and supremum also need to be formalized precisely. The monotonicity illustrates that if $m<n$ then the value of a sequence f should satisfy $f\left(m\right)\le f\left(n\right)$.

In MK, the order relation on $\omega$ is exactly the “∈” relation, so the expression “m ∈ n” exactly means that m is smaller than n. Supremum also can be called the least upper bound; it can be formalized with the use of two formal definitions.

The first definition states that r is an upper bound of f if r is equal to or greater than all values of f. And the second definition illustrates that if r is the supremum of f, r should be an upper bound of f and each number smaller than r cannot be an upper bound of f, which makes r the smallest among all the upper bounds of f.

Then, the completeness can be formally proven:

The overall approach of the machine verification is as follows (here, we also omit the proofs of assertions made by the tactic “assert”, and some details of proven conclusions such as “R_Seq_Property2”, “R_RatSeq”, etc., are not elaborated):

4–5 Introduce the premises to the proof context as hypotheses and restructure them.

6 “R_Seq_Property2” is a previously established result stating that any monotonically increasing sequence f can be divided into two cases:

(i)

f becomes constant after some term, or

(ii)

there exists a strictly increasing subsequence of f.

Here, we apply this result to split the proof into two parts: lines 7–16 for case (i), and lines 17–45 for case (ii).

7–16 (case i) Let the constant value in case (i) be $r_1$, and the term be x. Thus, for each $m>x$, we have $f\left(m\right)=r_1$. Obviously, $r_1$ is the least upper bound of sequence f, where lines 9–13 prove that $r_1$ is an upper bound of f and lines 14–16 prove that $r_1$ is the smallest one among all the upper bounds of f.

17–45 (case ii) Let the strictly increasing subsequence of f be h; then, we can construct a rational sequence k such that

$$\forall n\in \omega ,k\left(n\right)\in \mathbf{Q}\wedge h\left(n\right)<k\left(n\right)<h\left(n^{\prime }\right),$$

where $n^{\prime }$ is the successor of n. Then, it can be proven that k has a least upper bound, denoted a (the assertion in line 35). Furthermore, a can be proven the least upper bound of h (the assertion in line 36) and f (proofs in lines 38–45).

It should be noted that in the proof of case (ii), the construction of the rational sequence k is particularly crucial as it necessitates the use of the Axiom of Choice (AC), which is often overlooked in manual proofs.

In line 24, we firstly use the tactic “set” (which is used to introduce local definitions during proof construction) to define a set

$$A_n=\{u:u\in \mathbf{Q}\wedge h\left(n\right)<u<h\left(n^{\prime }\right)\},$$

denoted “A n” in code. For each $n\in \omega$, $A_n$ consists of all the (infinitely many) rational numbers between $h\left(n\right)$ and $h\left(n^{\prime }\right)$, but we only need to choose a single element of $A_n$.

Then, in line 25, we invoke AC (AxiomIX in code), which introduces a choice function c into the proof environment such that for each set x, $c\left(x\right)\in x$ holds. In other words, the choice function c can select a specific element for every set. Consequently, for every $n\in \omega$, $c\left(A_n\right)\in A_n$ holds, according to which we can define the rational number sequence

$$k=\{(u,v):u\in \omega \wedge v=c\left(A_u\right)\},$$

as formally defined in line 27.

Lines 28–33 verify that k is a strictly increasing rational sequence, and for each $n\in \omega$, $k\left(n\right)=c\left(A_n\right)$ and $h\left(n\right)<k\left(n\right)<h\left(n^{\prime }\right)$ hold.

Among the various sets ($*\mathbf{N}$, $*\mathbf{Z}$, $*\mathbf{Q}$, ${\mathbf{Q}}_{<}$, $\mathbf{R}$, etc.) constructed previously, only $\mathbf{R}$ possesses completeness, making it capable of serving as the real number set.

At last, as one of the classical examples, the real number $\sqrt{2}$ can be verified to be an irrational number.

5. Conclusions and Outlook

5.1. Non-Standard Extension of Number Systems

The process of FMCR is accomplished in several steps: extending the natural number set $\omega$ to the non-standard natural number set $*\mathbf{N}$ through an NPAUF; extending $*\mathbf{N}$ to the non-standard integer set $*\mathbf{Z}$ and the non-standard rational number set $*\mathbf{Q}$ through the idea of equivalence classification; then, classifying the Archimedean subset ${\mathbf{Q}}_{<}$ to obtain the real number set $\mathbf{R}$. Therefore, this is a method of obtaining the real numbers by performing non-standard extensions of the number systems, and the most crucial step is the extension from $\omega$ to $*\mathbf{N}$, which directly introduces the infinity numbers. Additionally, to prove the existence of NPAUF, the Continuum Hypothesis (CH) is utilized.

Inspired by the process from $\omega$ to $*\mathbf{N}$, we believe that this process can be applied to the existing real number set $\mathbf{R}$, thereby obtaining the set of non-standard real numbers $*\mathbf{R}$, also known as the hyper-real numbers [33,35]. Specifically, in the formalization of $*\mathbf{N}$:

If the expression “ran(f) ⊂ $\mathrm{\omega }$” is replaced with “ran(f) ⊂ $\mathbf{R}$”, then this set should become the hyper-real number set. Note that, as presented in Section 3.1, “F0” would still be the specific NPAUF introduced by the command “Parameter”.

Thus, we have:

$$*\mathbf{R}=\{u:\exists f,f\in {\mathbf{R}}^{\omega }\wedge u=f\langle F0\rangle \},$$

where $f\in {\mathbf{R}}^{\omega }$ indicates that f is a function whose domain is $\omega$ and range is contained in $\mathbf{R}$, and $f\langle F0\rangle =\{u:u\subset \mathbf{R}\wedge f^{-1}\lceil u\rfloor \in F0\}$ ($f^{-1}\lceil u\rfloor =\{u:u\in \left(domainf\right)\wedge f\left(u\right)\in \mathbf{R}\}$).

The order and operations on $*\mathbf{R}$ can be defined by analogy with those on $*\mathbf{N}$. For hyper-real numbers $u,v$ ∈ $*\mathbf{R}$, if $u=f\langle F0\rangle$ and $v=g\langle F0\rangle$, we can define:

$$\begin{array}{cc}\hfill & u<v⟺f\langle F0\rangle <g\langle F0\rangle ⟺\{n:f(n)<g(n\left)\right\},\hfill \\ \hfill & u+v=f\langle F0\rangle +g\langle F0\rangle =(f+g)\langle F0\rangle ,\hfill \\ \hfill & u·v=f\langle F0\rangle ·g\langle F0\rangle =(f·g)\langle F0\rangle ,\hfill \end{array}$$

Similar to the construction of $*{\mathbf{N}}_{\mathbf{N}}$, we can construct the standard part of $*\mathbf{R}$:

$$*{\mathbf{R}}_{\mathbf{R}}=\{u:\exists r,r\in \mathbf{R}\wedge u=F_r\},$$

where $F_r$ represents the principal ultrafilter corresponding to the real number r. Consisting of all the principal ultrafilters over $\mathbf{R}$, $*{\mathbf{R}}_{\mathbf{R}}$ is the standard real number set contained in $*\mathbf{R}$; it can be formally described as:

where “F $\mathrm{R}$ r” (see Definition 2 in Section 2.3) is the formalization of the principal ultrafilter $F_r$ over $\mathbf{R}$.

Given that every real number r uniquely corresponds to a principal ultrafilter $F_r$, the real number set $\mathbf{R}$ is isomorphic to $*{\mathbf{R}}_{\mathbf{R}}$, and the latter is also a concrete model of the real number set. This aligns with the isomorphism between $\omega$ and $*{\mathbf{N}}_{\mathbf{N}}$, both of which are models of the natural number set, as introduced in Section 3.1.

In $*\mathbf{R}\sim {*\mathbf{R}}_{\mathbf{R}}$, there exist positive numbers smaller than every positive real number—these are precisely the infinitesimals.

For example, let $y=\{(u,v):u\in \omega \wedge v=1/\overline{u+1}\}$, where $\overline{u+1}$ ($\in \mathbf{N}$) is the image of $u+1$ under the isomorphism between $\omega$ and $\mathbf{N}$. Thus, we have $y\in {\mathbf{R}}^{\omega }$ and $y\langle F0\rangle {\in }^{*}\mathbf{R}$. And for each $n\in \omega$, $y\left(n\right)=1/\overline{n+1}\in \mathbf{R}$ holds. Here, we introduce a manual proof demonstrating that $y\langle F0\rangle$ is an infinitesimal:

Proof. 

Firstly, we have $F_0<y\langle F0\rangle ⟺\{n:0<y\left(n\right)\}\in F0⟺\{n:0<1/\overline{n+1}\}\in F0⟺\omega \in F0$, where $F_0$ is the zero element (i.e., the principal ultrafilter corresponding to 0) in $*\mathbf{R}$ and $F0$ is the NPAUF introduced above.

Then, for each positive $r\in \mathbf{R}$, $y\langle F0\rangle <F_r⟺\{n:1/\overline{n+1}<r\}\in F0$. Since $1/\overline{n+1}$ is in fact a decreasing sequence, there exists $N\in \omega$ such that $\forall m>N,1/\overline{m+1}<r$ holds, namely $\{n:1/\overline{n+1}<r\}=\{n:n>N\}$. Because $F0$ is a non-principal ultrafilter, $\{n:n\le N\}\cup \{n:n>N\}=\omega \in F0$ holds. Then, according to the properties of non-principal ultrafilters (see Definitions 3 and 5 in [29]), we have $\{n:n>N\}\in F0$, namely $\{n:1/\overline{n+1}<r\}\in F0$ and $y\langle F0\rangle <F_r$, which implies that $y\langle F0\rangle$ is a positive infinitesimal (smaller than all positive real numbers but greater than zero).    □

In the above proof, the equivalences $F_0<y\langle F0\rangle ⟺\{n:0<y\left(n\right)\}\in F0$ and $y\langle F0\rangle <F_r⟺\{n:1/\overline{n+1}<r\}\in F0$ must be derived from the definition of the arithmetical ultrafilter. And according to this proof, we can verify the following formal theorem in Coq to demonstrate the existence of infinitesimals in $*\mathbf{R}$.

where “F $\mathrm{R}$ R0” represents the principal ultrafilter $F_0$ (i.e., the zero element in $*\mathbf{R}$).

As briefly discussed above, NPAUF enables the construction of a hyper-real number model where each element (hyper-real number) is represented by an arithmetical ultrafilter. This achieves methodological consistency with the filter-method construction of real numbers presented in this paper.

To advance further, we plan to implement the formalization of hyper-real numbers and even non-standard analysis using NPAUF. This could be a meaningful attempt and piece of research. On the one hand, from the mathematical perspective, hyper-real numbers are the foundation of non-standard analysis, which unfortunately is still not widely understood. Machine proof may become a new pathway for people to learn about this theory. On the other hand, the application of NPAUF unifies the construction of the real and hyper-real numbers, which is also of positive significance for mathematical research.

5.2. Notes on the Implementation

This work is grounded in the Coq formalization of the Morse–Kelley axiomatic set theory (MK) [4,36,37], and paves the way for the formal verification of non-standard analysis. The contribution is the Coq verification for proofs of the filter-method construction of real numbers (FMCR) introduced in [1,2].

The formalization of FMCR comprises 9 (.v)files and approximately 13,000 lines of Coq code (excluding MK and filter formalization). It is self-contained and does not rely on any official libraries of Coq. All code has been successfully executed in the Coq IDE (integrated development environment). Figure 6 shows the dependency of our Coq development, where each ellipse represents a (.v)file.

The MK part (red ellipses) and filter part (blue ellipses) are our previous works [28,29,36,37] that this paper is based on, and the part of green ellipses for FMCR is our development presented in this paper. The gray ellipses represent some required auxiliary formalization, the contents of which are not meticulously reflected in the manual proofs but necessary for the machine verification. In particular, in the file existence_of_NPAUF.v, the existence of non-principal arithmetical ultrafilters is formally verified with the use of the Continuum Hypothesis [29]. This guarantees that FMCR itself is logically sound and consistent with MK. Readers can verify the details in our Coq code.

The mechanized proof of mathematical theorems undoubtedly can strengthen the rigor of theories. To verify the correctness of a theory, people do not need to understand the tedious and complicated proofs, but only to check if the formal descriptions of relevant definitions and theorems are right. And if the code is executed successfully, the proof is correct. In addition, the formalization can also help people study and comprehend the theories, since every detail of the proofs must be verified in a computer. As the famous saying in the programming community goes: “Talk is cheap, show me the code!” It should be believed that computer-assisted verification may become a new trend in mathematical research [6,15,26,47,48].