The Machine-Checked Complete Formalization of Landau’s Foundations of Analysis in Rocq

Abstract

Formal verification has achieved remarkable outcomes in both theory advancement and engineering practice, with the formalization of mathematical theories serving as its foundational cornerstone—making this process particularly critical. Axiomatic set theory underpins modern mathematics, providing the rigorous basis for constructing almost all theories. Landau’s Foundations of Analysis starts with pure logical axioms from set theory, does not rely on geometric intuition, strictly constructs number systems, and is a benchmark for axiomatic analysis in modern mathematics. In this paper, we first develop a machine proof system for axiomatic set theory rooted in the Morse–Kelley(MK) system. This system encompasses effective proof automation, scale simplification, and specialized handling of the classification axiom for ordered pairs. We then prove the Transfinite Recursion Theorem, leveraging it to further prove the Recursion Theorem for natural numbers—the key result for defining natural number operations. Finally, we detail the implementation of a machine proof system for analysis, which adopts MK as its description language and adheres to Landau’s Foundations of Analysis. This formalization realized all the contents of the book from natural numbers to complex numbers. All formalization does not need to introduce the standard library and has undergone verification by Rocq(Coq) 8.16 to ensure reliability. Implemented using the Rocq proof assistant, the formalization has undergone verification to ensure reliability. This work holds broader applicability such as the formalization of point-set topology and abstract algebra, while also serving as a valuable resource for teaching axiomatic set theory and mathematical analysis.

1. Introduction

Formal verification for mathematics aims to formalize mathematical theories through computer verification. Gödel once stated, “The development of mathematics towards greater exactness has, as is well-known, lead to formalization of large areas of it such that you can carry out proofs by following a few mechanical rules.” In recent decades, formalization technology has become an important tool in mathematical theory [1,2,3,4] and program verification [5,6]. Formal tools have rapidly developed alongside innovations in underlying theories, resulting in stronger expressive power [7,8], closer alignment with mathematical notation, better interactivity, and higher levels of automation [9,10,11]. Rocq (extension of Coq) [12,13,14], an interactive proof assistant based on constructive calculus theory [15,16,17], has made significant progress both in theoretical development [18,19,20] and engineering applications [21,22].

In our previous work, we had completed the machine proof system of axiomatic set theory and analysis in Rocq [23], which are significantly different from the work in this paper. Regarding axiomatic set theory, we have addressed the existing defects regarding classifiers, added a series of automated strategies and conclusions with independent significance to facilitate expansion, and furthermore, we have proven the key proposition Recursion Theorem for defining natural number operations. Zhang completed the formalization of set theory based on the ZF axiom system [24] and directly proved the Recursion Theorem through the methods described in set theory books [25,26]. The formalization of the Recursion Theorem based on the Transfinite Recursion Theorem is the first of its kind to our knowledge. This method has a clearer hierarchy and is easier for scholars to understand. In terms of analysis, we completed the formalization of the equivalence among completeness theorems of real numbers [27], the properties of continuous functions on closed intervals [28], and the rigor of calculus without limit theory [29]; however, all this work is based on type theory, which means that different types of numbers have different types in Rocq. All described objects are classes in this paper, and formalizations are achieved through axiomatic set theory.

In 1908, the German mathematician Zermelo first published an axiomatic system [30] for set theory [31], which was later improved and modified by mathematicians Fraenkel and Skolem, forming the well-known Zermelo–Fraenkel set theory axiom system (ZF). In 1920, Hungarian–American mathematician von Neumann proposed another axiomatic system [32], which was modified by Bernays starting in 1937 and further simplified by Gödel in 1940, resulting in the famous von Neumann–Bernays–Gödel set theory axiom system (NBG). Subsequently, other axiomatic set theory systems, such as Morse–Kelley (MK) set theory [26,33] and Tarski–Grothendieck set theory, were developed. This paper chooses MK to formalize FA in these theories. On the one hand, the MK system is relatively more concise compared to other theoretical expressions. On the other hand, Kelley pointed out that referring to FA and MK can construct the real numbers system.

The axiomatic system for natural numbers took shape based on basic properties summarized by Dedekind, with its landmark being Peano’s 1889 work Arithmetices Principia, Nova Methodo Exposita (The Principles of Arithmetic, Presented by a New Method). After numerous failures and setbacks, efforts to find a foundation for analytical mathematics [34] gradually gained clarity—the process known as the “arithmetization of analysis” in the 19th century, which generally unfolded in three stages [35,36]: (1) Establishment of the limit theory: marked primarily by the work of Cauchy and Weierstrass. (2) Establishment of the real number theory: defined mainly by the real number construction theories developed by Dedekind, Cantor, and Weierstrass, among others. (3) Completion of the arithmetization process: symbolized by the natural number theories proposed by Dedekind and Peano. This paper uses a construction approach to gradually build the entire analysis system from the underlying axiomatic set theory.

In this work, we first present the machine proof system of Morse–Kelley axiomatic set theory, which is concise yet comprehensive for analysis. This part of the content includes not only our formalization but also the optimization and vulnerability patching compared to previous work [37]. Next, we prove Transfinite Recursion Theorem, which is one of most important conclusions in MK. Moreover, through this theorem, we prove Recursion Theorem for natural numbers, which is a crucial conclusion for defining natural number operations. At last, we present the implementation details of machine proof system for analysis including natural numbers, fractions, cuts, real numbers, complex numbers which follows Landau’s Foundations of Analysis [38] and uses the MK as the foundational description language. Every proof is verified by Rocq to show rigor and correctness, and we make up for missing proof details to make it more complete.

This paper is organized in the following way. Section 2 is dedicated to related work. Section 3 states contents of the MK including axioms, notations, definitions, and properties for understanding this work. Section 4 introduces the proof details of Transfinite Recursion Theorem and Recursion Theorem for natural numbers. Section 5 presents the formalization of analysis from natural numbers to complex numbers. Finally, we draw our conclusions and discuss some potential further work in Section 6.

2. Related Work

de Bruijn designed the earliest proof checker, Automath, and his student, van Benthem Jutting, completed the formalization of Landau’s Foundations of Analysis in 1977 [39]. This work is a significant early advancement in formal mathematics, and according to the existing literature, its code is large and unreadable. This is different from the highly readable, easy to understand, and extensible formalization we have implemented. Moreover, Brown gave a particular faithful reproduction of a signature corresponding to the Automath version of Landau’s book in 2011 [40]. In Rocq’s standard library, there is already a set of real number theories based on a dozen axioms [41]. In 2016, Guidi encoded this book into the formal language ‘$\lambda \delta$’, and furthermore, presented an implemented procedure producing a representation of the Foundations of Analysis in Rocq [42]. The formalizations of both Brown and Guidi are based on type theory and focus on computer applications, Our work, though, is based on axiomatic set theory and focuses on being close to mathematical expressions.

The excellent real analysis library—Coquelicot [43]—was developed by Boldo et al. as an extension of the library. This axiomatic construction of real numbers is clearly different from our approach. In addition to the above work, Grimm has defined real numbers from set theory, and he aimed to formalize the fundamental notations of mathematics referring to Elements of Mathematic of Bourbaki in 2016 [44]. This work is based on the ZFC, which is different from our work based on the MK, and we construct a more clear progressive relationship for the number system.

3. Morse–Kelley Axiomatic Set Theory

Considering consistency, the description of the axioms, definitions, and theorems involved in the formalization correspond to one in Kelley’s General Topology. Meanwhile, we just extract the content required by the formalization for the sake of code simplicity and readability. The MK theory itself is a metalanguage, few additional elements need to be introduced, such as logical constants and quantifications, and equality in MK is consistent with the conventional meaning. Moreover, this theory is built on classical logic; hence, the law of excluded middle needs be introduced. Then, the MK system can start being built with these foundations.

We first declare a “class,” which is the type of all objects (whether they are sets or not). The formal description in Rocq is as follows:

• Parameter Class :Type.

Additionally, two mathematical constants and the concept of set need to be introduced. The first constant of these is “∈”, and “$e\in C$” is called “e is an element of C ” or “e belongs to C”. The second constant of these is “$\{..|\dots \}$”, which denotes a classifier, that is, the class composed of all classes that satisfy a certain property. Next, if “s” is a set, it indicates that “s” belongs to a certain class. Their formal descriptions in Rocq are as follows:

• Parameter In : Class -> Class -> Prop.
• Notation "x ∈ y" := (In x y) (at level 10).
• Parameter Classifier : (Class -> Prop) -> Class.
• Notation "\{ P \}" := (Classifier P) (at level 0).
• Definition Ensemble (s :Class) = ∃ C, s ∈ C.

There are a total of eight axioms and one axiomatic scheme regarding the extensionality of equality, the classifier, the judgment of whether a special class is a set, the existence of countably infinite sets, and the axiom of choice. The descriptions of these propositions and their formalizations in Rocq are as follows:

• Axiom of extent: $x=y\leftrightarrow (\forall z,z\in x\leftrightarrow z\in y).$
• Classification axiom scheme: $\beta \in \{\alpha :P(\alpha \left)\right\}\leftrightarrow \beta$ is a set and $P\left(\beta \right).$
• Axiom of subsets: x is a s set $\to \exists y$ is an s set, $(\forall z,z\subset x\to z\in y).$
• Axiom of union: Both $x,y$ are sets $\to x\cup y$ is a set.
• Axiom of substitution: The domain of function f is a set → Ran(f) is a set.
• Axiom of amalgamation: x is a set $\to \cup x$ is a set.
• Axiom of regularity: $x\ne \varnothing \to \exists y\in x,x\cap y=\varnothing .$
• Axiom of infinity: $\exists y$ is a set, $\varnothing \in y$, and $x\cup \left\{x\right\}\in y$ whenever $x\in y$.
• Axiom of choice: There is a choice function c whose domain is $\mu \sim \varnothing$.

• Axiom AxiomI : ∀ x y, x = y <-> (∀ z, z ∈ x <-> z ∈ y).
• Axiom AxiomII : ∀ b P, b ∈ \{ P \} <-> Ensemble b /\ (P b).
• Axiom AxiomIII : ∀ {x}, Ensemble x -> ∃ y, Ensemble y /\ (∀ z, z ⊂ x -> z ∈ y).
• Axiom AxiomIV : ∀ {x y}, Ensemble x -> Ensemble y -> Ensemble (x∪y).
• Axiom AxiomV : ∀ {f}, Function f -> Ensemble dom(f) -> Ensemble ran(f).
• Axiom AxiomVI : ∀ x, Ensemble x -> Ensemble (∪ x).
• Axiom AxiomVII : ∀ x, x ≠ Ø -> ∃ y, y ∈ x /\ x ∩ y = Ø.
• Axiom AxiomVIII : ∃ y, Ensemble y /\ Ø ∈ y /\ (∀ x, x ∈ y -> x∪[x] ∈ y).
• Axiom AxiomIX : ∃ c, ChoiceFunction c /\ dom(c) = μ ^~ [Ø].

Except for the details of the classification axiom scheme, all the axioms above are similar to other axiomatic set theory systems, but this one is the key that cannot be lacking. We can resolve the Russell Paradox; that is, the proper class is not a set by the classification axiom scheme. It should be noted that the axiom of choice is not introduced in the practical development of the analysis system. We listed all axioms in order to demonstrate the entire axiomatic system in MK theory.

In our early formalization for MK, we completed almost all the content; however, there are some aspects that need to be improved. Therefore, we upgrade the original system and solve the remaining problems in this work.

3.1. Optimization and Automation

In Rocq, the integration of proof tactics can be achieved through “Ltac”, which is highly necessary in the machine proof system for axiomatic set theory. This is because it can help reduce the proofs related to sets in subgoals and provide concise instructions to replace lengthy commands, thereby improving efficiency. The following codes briefly shows the handling of instructions, quantifiers, sets, and other aspects in the code.

• (∗ Simplification for existential quantifier in the hypothesis ∗)
• Ltac deHex1 :=
•   match goal with
•     H:  ∃  x, ?P
•     |- _ => destruct H as []
•   end.
• Ltac rdeHex := repeat deHex1; deand.

• (∗ Simplification for empty-class ∗)
• Ltac eqext := apply AxiomI; split; intros.

• (∗ Simplification for classification axiom-scheme ∗)
• Ltac appA2G := apply AxiomII; split; eauto.
• Ltac appA2H H := apply AxiomII in H as [].
• Ltac PP H a b := apply AxiomII in H as [? [a [b []]]]; subst.
• Ltac appoA2G := apply AxiomII’; split; eauto.
• Ltac appoA2H H := apply AxiomII’ in H as [].

• (∗ Simplification for intersection and union ∗)
• Ltac deHun :=
•   match goal with
•    | H:  ?c ∈ ?a ∪ ?b
•      |- _ => apply MKT4 in H as [] ; deHun
•    | _ => idtac
•   end.
• Ltac deGun :=
•   match goal with
•     | |-  ?c ∈ ?a∪?b => apply MKT4 ; deGun
•     | _ => idtac
•   end.
• Ltac deHin :=
•   match goal with
•    | H:  ?c ∈ ?a ∩ ?b
•      |- _ => apply MKT4’ in H as []; deHin
•    | _ => idtac
•   end.
• Ltac deGin :=
•   match goal with
•     | |- ?c ∈ ?a ∩ ?b => apply MKT4’; split; deGin
•     | _ => idtac
•   end.

• (∗ Simplification for empty-class ∗)
• Ltac emf :=
•   match goal with
•     H:  ?a ∈  ∅
•     |- _ => destruct (MKT16 H)
•   end.
• Ltac eqE := eqext; try emf; auto.
• Ltac feine z := destruct (@ MKT16 z).
• Ltac NEele H := apply NEexE in H as [].

• (∗ Simplification for ordered pair ∗)
• Ltac ope1 :=
•   match goal with
•     H: Ensemble ([?x,?y])
•     |- Ensemble ?x => eapply MKT49c1; eauto
•   end.
• Ltac ope2 :=
•   match goal with
•     H: Ensemble ([?x,?y])
•     |- Ensemble ?y => eapply MKT49c2; eauto
•   end.
• Ltac ope3 :=
•   match goal with
•     H: [?x,?y] ∈ ?z
•     |- Ensemble ?x => eapply MKT49c1; eauto
•   end.
• Ltac ope4 :=
•   match goal with
•     H: [?x,?y] ∈ ?z
•     |- Ensemble ?y => eapply MKT49c2; eauto
•   end.
• Ltac ope := try ope1; try ope2; try ope3; try ope4.
• Ltac xo :=
•   match goal with
•     |- Ensemble ([?a, ?b]) => try apply MKT49a
•   end.
• Ltac rxo := eauto; repeat xo; eauto.

• (∗ Simplification for mathematical induction ∗)
• Ltac MI x := apply Mathematical_Induction with (n:=x); auto; intros.

The above Ltac is summarized from a large number of formal practices, and the processing of the classification axiom scheme and set improves efficiency by more than 30%. Furthermore, enabling researchers to focus their proof ideas on the core part, we have extracted many propositions with general significance and added numerous inferences with wide applications. There are 40 lemmas, 16 corollaries, 50 facts, and 30 integrated proof strategies carrying out simplification work. As a result, the code scale has decreased from over 9000 lines to over 4000 lines, reducing it by more than half while also improving operational efficiency.

3.2. Classification Axiom Scheme for Ordered Pairs

When the classification axiom scheme was first proposed in MK, it took a general form, so it should naturally be applicable to various situations. However, when the elements in a class are ordered pairs (i.e., there exist two variables), they must be handled reasonably in formalization; otherwise, the kernel verification cannot be passed. In the early work, we newly defined a classifier for ordered pairs and added two axioms following the example of the classification axiom scheme. The specific details of the formalization are as follows.

• Origin code:
• Parameter Classifier_P : (Class -> Class -> Prop) -> Class.
• Notation "\{\ P \}\" := (Classifier_P P) (at level 0).
• Axiom AxiomII_P : ∀ a b P, [a, b] ∈ \{\ P \}\ <-> Ensemble [a, b] /\ (P a b).
• Axiom Property_P : ∀ z P, z ∈ \{\ P \}\ -> (∃ a b, z = [a, b]) /\ z ∈ \{\ P \}\.

It should be noted here that the statements of “Parameter” and “Axiom” are directly acknowledged without the need for proof; therefore, it is necessary to proceed with caution. Since there is a lack of an explicit mention of the need to introduce additional axioms for order pairs in the MK system, this form of treatment is inconsistent with the original book. In this work, we prove the additional three admitted propositions about the ordered pair and provide a better handling method to address the weakness. The formalization of the classification axiom scheme for ordered pairs is shown in the following code.

• Updated code:
• Notation "\{\ P \}\" := \{ λ z, ∃ x y, z = [x, y] /\ P x y \}(at level 0).
• Fact AxiomII’ : ∀ a b P, [a, b] ∈ \{\ P \}\ <-> Ensemble [a, b] /\ (P a b).

The statements of “Fact” need to be proven, which means the description is rigorous. Hence, we can obtain the additional three axioms previously added, which is rational but unnecessary. These propositions verified by Rocq ensure the non-contradiction of the entire system.

3.3. Essential Content for Analysis

The formalization of analysis does not need to introduce the content related to the axiom of choice and subsequent content concerning cardinal numbers in MK. On the one hand, an axiom of choice needs to be introduced in non-standard analysis and functional analysis, and it will only be considered for future work in this area. On the other hand, the conclusion of cardinal numbers uses the axiom of choice, so we do not consider incorporating it into the system. Meanwhile, the machine proof system of axiomatic set theory can be designed to be self-enclosed and does not require the introduction of additional content; hence, we only retained previous content of the axiom of choice but not including the axiom of choice. And we must introduce the law of excluded middle; otherwise, we prove the existence of elements in non-empty classes, which is a common proposition in classical logic.

Table 1. Definitions and meanings in MK.

Rocq Symbol	Meaning
$a\in A$	a is an element of the class A
Ensemble A	A is a set
$A\cup B$	$\left\{x\right|x\in A$ or $x\in B\}$
$A\cap B$	$\left\{x\right|x\in A$ and $x\in B\}$
$A\sim B$	$\left\{x\right|x\in A$ and $x\notin B\}$
∅	empty class
$\mu$	proper class
$A\subset B$	A is a subclass of B
$\left[a\right]$	$\left\{x\right|x=a\}$
$[a,b]$	ordered pair $(a,b)$
Function f	f is a function
dom(f)	domain of f
ran(f)	range of f
$f\left[x\right]$	value of f at a
Oridinal r	r is an ordinal
R	class of all ordinal numbers
Oridinal_Number r	r is an ordinal number
$f\left|\right(x)$	restriction of f on x
OnTo F A B	function F is from A to B
PlusOne n	successor of n
W	class of all integer numbers

lists the essential definitions and their corresponding symbols in MK to formalize FA.

For the sake of understanding, the specific content of the definitions and their respective formalizations are presented as follows.

• The empty class ∅ is a class without any elements.

• Definition Ø := \{λ x, x ≠ x \}.

• Their proper class $\mathit{\mu }$ is a class composed of all sets.

• Definition μ := \{λ x, x = x \}.

• f is a function that means it is composed of ordered pairs, and if the first coordinate of any element in f is fixed, its second coordinate is unique.

• Definition Relation r := ∀ z, z ∈ r -> ∃ x y, z = [x, y].
• Definition Function f  :=
•   Relation f /\ (∀ x y z, [x, y] ∈ f -> [x, z] ∈ f -> y = z).

• The domain of f is composed of the first coordinates of all elements in f.

• Definition Domain f := \{ λ x, ∃ y, [x,y] ∈ f \}.
• Notation "dom( f )" := (Domain f)(at level 5).

• The domain of f is composed of the second coordinates of all elements in f.

• Definition Range f := \{ λ y, ∃ x, [x,y] ∈ f \}.
• Notation "ran( f )" := (Range f)(at level 5).

• The value of f at x is the second coordinate of an ordered pair whose first coordinate is x, and f is usually a function; otherwise, it is meaningless.

• Definition Value f x := ∩ \{ λ y, [x,y] ∈ f \}.
• Notation "f [ x ]" := (Value f x)(at level 5).

• F is an ordinal that means it satisfies the following two properties.

$$Full:\forall a\in F\to a\subset F$$

$$Connect:\forall u,v\in F\to u\in v\vee v\in u\vee v=u$$

• Definition Connect r x :=
•   ∀ u v, u ∈ x -> v ∈ x -> (u ∈ v) \/ (v ∈ u) \/ (u = v).
• Definition full x  := ∀ m, m ∈ x -> m ⊂ x.
• Definition Ordinal x := Connect E x /\ full x.

• F is an ordinal number that means F is not only an ordinal but also a set.

• Definition Ordinal_Number x := x ∈ R.

• The restriction of f on x means the subclass of f whose domain is x.

• Definition Restriction f x := f ∩ (x × μ).
• Notation "f | ( x )" := (Restriction f x)(at level 30).

• Function f is from A to B that means Dom(f) is A and Ran(f) is a subclass of B.

• Definition OnTo F A B := Function F /\ dom(F) = A /\ ran(F) ⊂ B.

• Successor of n is $n\cup \left[n\right]$

• Definition PlusOne n := n ∪ [n].

So far, all the fundamental content of the machine proof system of axiomatic set theory has been completed. Next, the Recursion Theorem on natural numbers is derived through the Transfinite Recursion Theorem in MK, which completes the interface between axiomatic set theory and analysis.

4. Key Theorems

The proof of the Recursion Theorem is scattered in the various literature; however, we do not follow these conventional approaches. Rather, we want to start from some conclusions of the ordinal number in MK. We therefore use the Transfinite Recursion Theorem in MK to prove the Recursion Theorem, which enables the recursive definition of natural number operations, and then complete the formalization of the analysis. We first present an essential conclusion in MK and the formal proof details of Transfinite Recursion Theorem and Recursion Theorem on natural numbers.

4.1. Preliminary Property

There are four propositions used in the proof, and these descriptions and formalizations are as follows.

Property 1. 

If x is an ordinal E well-orders x.

Property 2. 

R is an ordinal and R is not a set.

Property 3. 

Each E-section of R is an ordinal.

Property 4. 

Let f be a function such that $Dom\left(f\right)$ is an ordinal and $f\left(u\right)=g\left(f\right|u)$ for u in $Dom\left(f\right)$. If h is also a function such that $Dom\left(h\right)$ is an ordinal and $h\left(u\right)=g\left(h\right|u)$ for u in $Dom\left(h\right)$, then $h\subset f$ or $f\subset h$.

• Property MKT107 : ∀ x, Ordinal x -> WellOrdered E x.
• Property MKT113 : Ordinal R /\ ^~ Ensemble R.
• Property MKT114 : ∀ x, Section x E R -> Ordinal x.
• Property MKT127 : ∀ {f h g},
•   Function f -> Ordinal dom(f) -> (∀ u, u ∈ dom(f) -> f[u] = g[f|(u)]) ->
•   Function h -> Ordinal dom(h) -> (∀ u, u ∈ dom(h) -> h[u] = g[h|(u)]) ->
•   h ⊂ f \/ f ⊂ h.

4.2. Transfinite Recursion Theorem

Theorem 1. 

For each g, there is a unique function f such that $Dom\left(f\right)$ is an ordinal and $f\left(x\right)=g\left(f\right|x)$ for each ordinal number.

The formalization of the theorem is expressed directly in Rocq as follows:

• Theorem TfRecursion : ∀ g, ∃! f,
•   Function f /\ Ordinal dom(f) /\ (∀ x, Ordinal_Number x -> f[x] = g[f|(x)]).

Proof. 

Uniqueness is easy to prove, and the following contents focus on existence. We first construct an ordered pair class f as follows and prove that f is exactly what is required.

$f=\left\{\right(u,v\left)\right|u\in R$, and there is a function h such that its domain is an ordinal, $h\left(z\right)=g\left(h\right|z)$ for z in the domain of h and $(u,v)\in h\}$.

Let $(u,v_1),(u,v_2)$ be the elements of f, then there exist functions $h_1,h_2$ with the domain ordinal, which satisfy $h_1\left(x\right)=g\left(h_1\right|x)$ and $h_2\left(x\right)=g\left(h_2\right|x)$ for any ordinal number x and $(u,v_1)\in h_1,(u,v_2)\in h_2$. According to Property 4, we have $h_1\subset h_2$ or $h_2\subset h_1$. For the former case $h_1\subset h_2$, we can obtain $(u,v_1)\in h_2$ then $v_1=v_2$ since $h_2$ is a function. For the latter case, the same reasoning applies, so we have $v_1=v_2$; thus, f is a function (refer to lines 6–9 in Figure A1).

According to Property 3, $Dom\left(f\right)$ is an ordinal if $Dom\left(f\right)$ is an E-section of R. As the construction of f, $Dom\left(f\right)$ is a subclass of R. We can obtain E well-orders R by Property 1 and Property 2 (refer to lines 10–17 in Figure A1).

Then we discuss ordinal number x in two cases.

Case 1 ($x\in Dom\left(f\right)$): We have $(x,f(x\left)\right)\in f$ in this case. Next, it can be inferred that $x\in R$ by the construction of f, and there is a function h, whose properties are described above. We can obtain $h\subset f$ then $h\left(x\right)=f\left(x\right)$ and $h|x=f|x$. Hence, this conclusion is proved in this case (refer to lines 18–30 in Figure A1).

Case 2 ($x\notin Dom\left(f\right)$): We have $(x,f(x\left)\right)\notin f$ in this case. This case only requires proof of $g\left(f\right)=\mu$, that is $f\notin Dom\left(g\right)$. Assume to the contrary that it is. Supposing $f\in Dom\left(g\right)$; there is an E-first member y of $RDom\left(f\right)$, and then we construct a new class $h=f\cup \{y,g(f\left)\right\}$. It is not difficult to prove that h is a function and its domain is an ordinal. In addition, we obtain $h\left(z\right)=g\left(h\right|z)$ for $z\in Dom\left(h\right)$, so $h\subset f$, which is in contradiction with $y\notin Dom\left(f\right)$ (refer to lines 34-59 in Figure A1). Therefore, this theorem is proven.    □

4.3. Recursion Theorem on Natural Numbers

Theorem 2. 

A is a set, a is the element of A, and function F is from A to A; then, there is a unique function h which is from W to A, such that $h(\varnothing )=a$ and $\forall n\in W,h(n+1)=F\left(h\right(n\left)\right)$

The formalization of the theorem is expressed directly in Rocq as follows:

• Theorem RecursionW: ∀ F A a, Ensemble A -> a ∈ A -> OnTo F A A ->
•     ∃! h, OnTo h W A /\ h[Ø] = a /\ ∀n, n ∈ W -> h[PlusOne n] = F[h[n]].

Proof. 

Uniqueness is easy to prove, and the following contents focus on existence. We first construct an ordered pair class g as follows.

$g=\left\{\right(u,v\left)\right|(u=\varnothing ,v=a)\vee$ Dom(u) is the successor of natural number z and $v=F\left(u\right(z\left)\right)\}$. Let $(u,v_1),(u,v_2)$ be the elements of g. For $u=\varnothing$, $v_1=v_2=a$, if not, then it causes the contradiction that ∅ is equal to the successor of a class. For another case, there exist integer numbers $n_1,n_2$ whose successors of the two are equal, and then $n_1=n_2$. Moreover, we have $v_1=F\left(u\left(n_1\right)\right)=F\left(u\left(n_2\right)\right)=v_2$, so g is a function (refer to lines 7–12 in Figure A2).

By the construction of g, we can obtain $Ran\left(g\right)\subset A$ (refer to lines 13–16 in Figure A2), and any function f, whose domain is an ordinal, has the following properties:

$$\forall u\in W,u\in Dom\left(f\right),f\left(u\right)\in A\to g\left(f\right|(u+1))=F(f\left(u\right))$$

According to Theorem 1, there is a function h, whose domain is an ordinal, such that $h\left(x\right)=g\left(h\right|x)$ for every ordinal number x. We can prove $\varnothing \in Dom\left(h\right)\subset W$, and further, we obtain $Dom\left(h\right)=W$ by mathematical induction (refer to lines 38–45 in Figure A2). By the properties of h, we can obtain $Ran\left(h\right)\subset A$. At last, by the construction of g we can obtain $\forall n\in W,h(n+1)=F\left(h\right(n\left)\right)$ (refer to lines 52–54 in Figure A2). Hence, h is the function desired in the theorem.    □

The formalizations of Transfinite Recursion Theorem and Recursion Theorem on natural numbers have been completed, and the specific details of formal proof can be found in the appendix.

5. Machine Proof System of Analysis

The machine proof system of analysis strictly follows Landau’s Foundations of Analysis. Starting from the Peano axioms, natural numbers (positive integers), fractions (positive), and rational numbers/integers (positive) are defined in order. The overall framework and progressive relationship are shown in Figure 1. The positive real numbers (called “Cut” in this book) are defined by Dedekind cut, and furthermore, add negative real numbers and 0 to construct all real numbers. Finally, defining complex numbers by real number pairs and then the whole number system theory is realized naturally. Overall, Foundations of Analysis defines real numbers through construction rather than a series of axioms and introduces the Dedekind fundamental theorem instead of admitting it as an axiom. The formalization of this book is sufficient as the basis in most areas of analysis.

5.1. Natural Numbers

To unify with it, we first define ’1’ and the set of positive natural numbers, which are formally described as follows.

• Definition One := PlusOne Ø.
• Definition Nat := W ^~ [Ø].

The successor function of positive natural numbers is formally described as follows:

• Definition Nsuc := \{\ λ u v, u ∈ Nat /\ v = PlusOne u \}\.
• Notation " x⁺ " := Nsuc[x](at level 0).

This further proves the mathematical induction method of positive natural numbers, which is formally described as follows:

• Theorem MathInd : ∀ P : Class -> Prop,
•     P One -> (∀ k, k ∈ Nat -> P k -> P k⁺) -> (∀ n, n ∈ Nat -> P n).

Finally, provide a formal proof of the recursion theorem for positive natural numbers, as well as a function for constructing recursive operations.

• Theorem RecursionNex :  {F A a}, Ensemble A -> a ∈ A -> OnTo F A A ->
•   ∃ h, OnTo h Nat A /\ h[One] = a /\ ∀ n, n ∈ Nat -> h[n⁺] = F[h[n]].
• Theorem RecursionNun : ∀ h1 h2 F A a,
•   OnTo h1 Nat A -> h1[One] = a -> (∀ n, n ∈ Nat -> h1[n⁺] = F[h1[n]]) ->
•   OnTo h2 Nat A -> h2[One] = a -> (∀ n, n ∈ Nat -> h2[n⁺] = F[h2[n]]) -> h1 = h2.
• Definition NArith F a :=
•   ∩ \{ λ h, OnTo h Nat Nat /\ h[One] = a /\ ∀ n, n ∈ Nat -> h[n⁺] = F[h[n]] \}.

By using the above function, one only needs to provide a function from Nat to Nat, as well as a positive natural number, to obtain the corresponding recursive function, because recursive functions are unique. From this, we can proceed to related contents of the natural number part, starting with the formal proof of the Peano axioms as follows.

• Theorem FAA1 : One ∈ Nat.
• Theorem FAA2 : ∀ x y, x ∈  Nat -> y ∈ Nat -> x = y -> x⁺ = y⁺.
• Theorem FAA3 : ∀ x, x ∈ Nat -> x⁺ <> One.
• Theorem FAA4 : ∀ x y, x ∈ Nat -> y ∈ Nat -> x⁺ = y⁺ -> x = y.
• Theorem FAA5 : ∀ M, M ⊂ Nat -> One ∈ M -> (∀ u, u ∈ M -> u⁺ ∈ M) -> M = Nat.

The formal definition of natural number addition and its correctness verification are as follows.

• Definition addN := λ m, NArith Nsuc m⁺.
• Notation " x + y " := (addN x)[y].
• Fact addnT : ∀ {n}, n ∈ Nat ->
•   OnTo (addN n) Nat Nat /\ n + One = n⁺ /\ ∀ m, m ∈ Nat -> n + m⁺ = (n + m)⁺.

Furthermore, we provide the formal definition of natural number subtraction and verify its correctness.

• Definition minN x y := ∩ \{ λ z, z ∈ Nat /\ x = y + z \}.
• Notation " x - y " := (minN x y).
• Fact MinNUn : ∀ {x y z}, x ∈ Nat -> y ∈ Nat -> z ∈ Nat -> x + y = z -> y = z - x.
• Fact MinNEx : ∀ {x y}, y > x -> x ∈ Nat -> y ∈ Nat -> x + (y - x) = y.

Finally, we provide the formal definition of natural number multiplication and verify its correctness.

• Definition mulN := λ m, NArith (addN m) m.
• Notation " x · y " := (mulN x)[y](at level 40).
• Fact mulNT : ∀ {n}, n ∈ Nat ->
•   OnTo (mulN n) Nat Nat /\ n · One = n /\ ∀ m, m ∈ Nat -> n · m⁺ = (n · m) + n.

5.2. Fractions and Rational Numbers

Fractions are composed of ordered pairs of natural numbers, that is, fractions set is the Cartesian product of the set of natural numbers with itself. Related definitions and properties of fractions are formally described as follows.

• (* Fractions set, Numerator and Denominator  *)
• Definition FC := Nat × Nat.
• Notation " p ¹ " := (First p)(at level 0) : FC_scope.
• Notation " p ² " := (Second p)(at level 0) : FC_scope.

• (* Relation(^~,>,<) *)
• Definition eqv f1 f2 := (f1¹ · f2²)%Nat = (f2¹ · f1²)%Nat.
• Notation " f1 ^~ f2 " := (eqv f1 f2): FC_scope.
• Definition gtf f1 f2 := (f1¹ · f2² > f2¹ · f1²)%Nat.
• Notation " x > y " := (gtf x y) : FC_scope.
• Definition ltf f1 f2 := (f1¹ · f2² < f2¹ · f1²)%Nat.
• Notation " x < y " := (ltf x y) : FC_scope.

• (* Operation(+,-,·,÷) *)
• Definition addF f1 f2 := [f1¹ · f2² + f2¹ · f1², f1² · f2²]%Nat.
• Notation "f1 + f2" := (addF f1 f2) : FC_scope.
• Definition minF f1 f2 := [(f1¹ · f2²) - (f2¹ · f1²), f1² · f2²]%Nat.
• Notation "f1 - f2" := (minF f1 f2) : FC_scope.
• Definition mulF f1 f2 := [f1¹ · f2¹, f1² · f2²]%Nat.
• Notation " f1 · f2 " := (mulF f1 f2)(at level 40) : FC_scope.
• Definition divF f1 f2 := f1 · ([f2², f2¹]).
• Notation "f1 / f2" := (divF f1 f2) : FC_scope.

A rational number is a class composed of all equivalent fractions of a certain fraction. Related definitions and properties of rational numbers are formally described as follows.

• (* Rational Numbers set *)
• Definition rC := \{λ S, ∃ F, F ∈ FC /\ S = \{λ f, f ∈ FC /\ f ^~ F \} \}%FC.

• (* Relation(>,<) *)
• Definition gtr r1 r2 := ∀ f1 f2, f1 ∈ r2 -> f2 ∈ r1 -> (f2 > f1)%FC.
• Notation " x > y " := (gtr x y) : rC_scope.
• Definition ltr r1 r2 := ∀ f1 f2, f1 ∈ r1 -> f2 ∈ r2 -> (f1 < f2)%FC.
• Notation " x < y " := (ltr x y) : rC_scope.

• (* Operation(+,-,·,÷) *)
• Definition addr r1 r2 :=
•   \{ λ f, f ∈ FC /\ ∃ f1 f2, f1 ∈ r1 /\ f2 ∈ r2 /\ f ^~ (f1 + f2) \}%FC.
• Notation "r1 + r2" := (addr r1 r2) : rC_scope.
• Definition minr r1 r2 :=
•   \{ λ f, f ∈ FC /\ ∃ f1 f2, f1 ∈ r1 /\ f2 ∈ r2 /\ f ^~ (f1 - f2) \}%FC.
• Notation " r1 - r2 " := (minr r1 r2) : rC_scope.
• Definition mulr r1 r2 :=
•   \{ λ f, f ∈ FC /\ ∃ f1 f2, f1 ∈ r1 /\ f2 ∈ r2 /\ f ^~ (f1 · f2) \}%FC.
• Notation " r1 · r2 " := (mulr r1 r2)(at level 40) : rC_scope.
• Definition divr r1 r2 :=
•   \{ λ f, f ∈ FC /\ ∃ f1 f2, f1 ∈ r1 /\ f2 ∈ r2 /\  f ^~ (f1 / f2) \}%FC.
• Notation " r1 / r2 " := (divr r1 r2)(at level 40) : rC_scope.

• (* Archimedes theorem for rational numbers *)
• Theorem FAT115 : ∀ r1 r2, r1 ∈ rC -> r2 ∈ rC -> ∃ n, n ∈ Nat /\ (Ntor n) · r1 > r2.

This part presents the definition of fractions and establishes a direct connection with rational numbers through the concept of equivalence classes. Additionally, we prove the Archimedean property for rational numbers.

5.3. Cuts

Landau’s definition of cuts (positive real numbers) refers to the Dedekind cut. Different from constructing real numbers through a Cauchy sequence and decimal representation, this approach starts from sets and is more in line with our original intention of implementing a number system from a set theory.

A rational number set M is a cut (positive real number) if it satisfies these properties as follows:

(1)

M is not empty and there exist rational numbers that do not belong to M;

(2)

M contains all rational numbers smaller than any element in M;

(3)

With every number it contains, M also contains a greater one.

Related definitions and properties of cuts are formally described as follows.

• (* Cuts set, Lower Number and Upper Number *)
• Definition CC := \{λ S, S ⊂ rC /\ (S <> Ø /\ ∃ r, r ∈ rC /\ ^~ r ∈ S) /\
•   (∀ r1 r2, r1 ∈ S -> r2 ∈ rC -> r2 < r1 -> r2 ∈ S) /\
•   (∀ r1, r1 ∈ S -> ∃ r2, r2 ∈ S /\ r1 < r2) \}%rC.
• Definition Num_L r c := r ∈ c.
• Definition Num_U r c := ^~ r ∈ c.

• (* Relation(>,<) *)
• Definition gtc c1 c2 := ∃ r, Num_L r c1 /\ Num_U r c2.
• Notation " x > y " := (gtc x y) : CC_scope.
• Definition ltc c1 c2 := ∃ r, Num_L r c2 /\ Num_U r c1.
• Notation " x < y " := (ltc x y) : CC_scope.

• (* Operation(+,-,·,¹,÷,✓) *)
• Definition addc c1 c2 :=
•   \{λ c, ∃ r1 r2, Num_L r1 c1 /\ Num_L r2 c2 /\ c = (r1 + r2) \}%rC.
• Notation "c1 + c2" := (addc c1 c2) : CC_scope.
• Definition minc c1 c2 := \{λ r, ∃ r1 r2,
•   Num_L r1 c1 /\ r2 ∈ rC /\ Num_U r2 c2 /\ r2 < r1 /\ r = (r1 - r2) \}%rC.
• Notation " x - y " := (minc x y) : CC_scope.
• Definition mulc c1 c2 :=
•   \{λ c, ∃ r1 r2, Num_L r1 c1 /\ Num_L r2 c2 /\ c = (r1 · r2)%rC \}.
• Notation " c1 · c2 " := (mulc c1 c2)(at level 40) : CC_scope.
• Definition recC c := \{ λ r, r ∈ rC /\
•   ∃ r0, r0 ∈ rC /\ Num_U r0 c /\ (^~ LNU r0 c) /\ r = (Ntor One) / r0) \}.
• Notation " c1 / c2 " := c1 · (recC c2).(at level 40) : CC_scope.
• Definition Sqrt_C c := \{ λ r, r ∈ rC /\ (rtoC r) · (rtoC r) < c \}.
• Notation " ✓ c " := (Sqrt_C c)(at level 0) : CC_scope.

This part presents the construction method of cuts; moreover, we prove the existence of irrational numbers($\sqrt{2}$).

5.4. Real Numbers

Every cut is a positive real number, and each positive real number corresponds to a negative real number. At the same time, we define the 0 distinct from a positive real number and a negative real number; then the specific implementation is as follows.

(1)

∅ represents 0.

(2)

$(u,0)$ represents a positive real number, where u is a cut.

(3)

$(0,u)$ represents a negative real number, where u is a cut.

Related definitions and properties of real numbers are formally described as follows.

• (* 0, positive, negative, real numbers set and value of real numbers *)
• Definition zero := Ø.
• Notation " 0 " := zero : RC_scope.
• Definition PRC := \{\ λ u v, u ∈ CC /\ v = 0 \}\.
• Definition NRC := \{\ λ u v, u = 0 /\ v ∈ CC \}\.
• Definition RC := PRC ∪ [0] ∪ NRC.
• Notation " p ¹ " := (First p)(at level 0) : RC_scope.
• Notation " p ² " := (Second p)(at level 0) : RC_scope.

• (* Relation(>,<) *)
• Definition gtR r1 r2 := (r2 ∈ PRC /\ r1 ∈ PRC /\ (r2¹ < r1¹)%CC) \/
•   (r2 = 0 /\ r1 ∈ PRC) \/ (r2 ∈ NRC /\ r1 ∈ PRC) \/
•   (r2 ∈ NRC /\ r1 = 0) \/ (r2 ∈ NRC /\ r1 ∈ NRC /\ (r1² < r2²)%CC).
• Notation " x > y " := (gtR x y) : RC_scope.
• Definition ltR r1 r2 := (r1 ∈ PRC /\ r2 ∈ PRC /\ (r1¹ < r2¹)%CC) \/
•   (r1 = 0 /\ r2 ∈ PRC) \/ (r1 ∈ NRC /\ r2 ∈ PRC) \/
•   (r1 ∈ NRC /\ r2 = 0) \/ (r1 ∈ NRC /\ r2 ∈ NRC /\ (r2² < r1²)%CC).
• Notation " x < y " := (ltR x y) : RC_scope.

• (* Operation(||,+,-,·,÷,✓) *)
• Definition AbsR := \{\ λ r z, r ∈ RC /\
•   (r ∈ NRC -> z = [r²,0]) /\ (r ∈ PRC -> z = r) /\ (r = 0 -> z = 0) \}\.
• Notation " | X | " := (AbsR[X])(at level 10) : RC_scope.
• Definition addR a :=  \{\ λ b c, b ∈ RC /\
•   (a ∈ PRC -> b ∈ PRC -> c = [a¹ + b¹,0]) /\
•   (a ∈ NRC -> b ∈ NRC -> c = [0, a² + b²]) /\ (a = 0 -> c = b) /\
•   (b = 0 -> c = a) /\ (a ∈ PRC -> b ∈ NRC -> (a¹ = b² -> c = 0) /\
•   (gtc a¹ b² -> c = [a¹ - b²,0]) /\ (ltc a¹ b² -> c = [0,b² - a¹])) /\
•   (a ∈ NRC -> b ∈ PRC -> (a² = b¹ -> c = 0) /\
•   (gtc a² b¹ -> c = [0,a² - b¹]) /\ (ltc a² b¹ -> c = [b¹ - a²,0])) \}\.
• Notation "x + y" := ((addR x) [y]) : RC_scope.
• Definition minR := \{\ λ a b, a ∈ RC /\
•   (a ∈ PRC -> b = [0,a¹]) /\ (a ∈ NRC -> b = [a²,0]) /\ (a = 0 -> b = 0) \}\.
• Notation "- x" := (minR[x]) : RC_scope.
• Definition MinR x y := x + (-y).
• Notation "x - y" := MinR x y : RC_scope.
• Definition mulR a := \{\ λ b c, b ∈ RC /\ (a ∈ PRC -> b ∈ PRC -> c = [a¹·b¹,0]) /\
•   (a ∈ NRC -> b ∈ NRC -> c = [a²·b²,0]) /\ (a ∈ PRC -> b ∈ NRC -> c = [a¹·b²,0]) /\
•   (a ∈ NRC -> b ∈ PRC -> c = [a²·b¹,0]) /\ (a = 0 -> c = 0) /\ (b = 0 -> c = 0) \}\.
• Notation " x · y " := ((mulR x) [y])(at level 40) : RC_scope.
• Definition divR a := \{\ λ b c, b ∈ RC /\ b <> 0 /\
•   (b ∈ PRC -> c = a · [(recC b¹),0]) /\ (b ∈ NRC -> c = a · [0,(recC b²)]) \}\.
• Notation " x / y " := ((divR x) [y]) : RC_scope.
• Definition Sqrt_R := \{\ λ a b, a ∈ RC /\ ^~ a ∈ NRC /\
•   (a ∈ PRC -> b = [(✓ (a¹))%CC, 0]) /\ (a = 0 -> b= 0) \}\.
• Notation " ✓ a " := (Sqrt_R [a])(at level 0): RC_scope.

This part presents how to extend from cuts to real numbers and further realize their various order relations and operations. Meanwhile, we prove the Dedekind fundamental theorem in the last section.

5.5. Complex Numbers

Complex numbers are composed of ordered pairs of real numbers, which is similar to the relationship between fractions and natural numbers. Related definitions and properties of fractions are formally described as follows.

• (* Complex numbers set, Real part and Imaginary part *)
• Definition cC := RC × RC.
• Notation " p ¹ " := (First p)(at level 0) : cC_scope_.
• Notation " p ² " := (Second p)(at level 0) : cC_scope.

• (* Operation(+,-,·,÷,^-,||) *)
• Definition addC x y := [x¹ + y¹, x² + y²]%RC.
• Notation "x + y" := (addC x y) : cC_scope.
• Definition minC x y := [x¹ - y¹, x² - y²]%RC.
• Notation " x - y " := (minC x y) : cC_scope.
• Definition mulC x y := [x¹ · y¹ - x² · y², x¹ · y² + x² · y¹]%RC.
• Notation " x · y " := (mulC x y) : cC_scope.
• Definition Out_1 x := ((x¹) / (Square_cC x))%RC.
• Definition Out_2 x := (- ((x²) / (Square_cC x)))%RC.
• Definition DivC x y:= [(y¹) / (Square_cC y), (-x²)/ (Square_cC x)] · x.
• Notation " x / y " := (DivC x y) : cC_scope.
• Definition Conj x := [x¹, (-x²)]%RC.
• Notation " x ^- " := (Conj x)(at level 0) : cC_scope.
• Definition Abs_cC x := ✓((x¹ · x¹) + (x² · x²)).
• Notation " | x | " := (Abs_cC x) : cC_scope.

• (* Imaginary unit: i and its application in the last theorem)
• Definition i := [0%RC,1%RC].
• Theorem T301 : ∀ u v, u ∈ RC -> v ∈ RC -> [u, 0%RC] + [v, 0%RC] · i = [u, v].

All content of the complex numbers part has also been fully formalized, but we will not elaborate on it in detail here because of space limitations. Researchers who are interested can refer to our source code for more information.

6. Conclusions and Future Work

We completed the formalization of the machine proof system of analysis based on Morse–Kelley axiomatic set theory. Firstly, we introduced the machine proof system of Morse–Kelley axiomatic set theory that is concise while remaining comprehensive enough for analysis. This content covers not only our formalization work but also highlights the distinctions and advantages of our approach relative to prior research. Next, we provide proof for the Transfinite Recursion Theorem key conclusion within the MK system. Furthermore, leveraging this theorem, we prove the Recursion Theorem for natural numbers, the critical result for defining operations on natural numbers. Finally, we present the implementation details of the machine proof system designed for analysis, which encompasses natural numbers, fractions, cuts, real numbers, and complex numbers. This system adheres to the framework of Landau’s Foundations of Analysis and adopts MK as its foundational descriptive language. All proofs undergo verification in Rocq to ensure rigor and correctness, and we supplement any missing proof details to enhance the formal system’s completeness.

In the future, we will complete the formalization of deeper contents of this theory, such as calculus, point-set topology approached from topological spaces and neighborhoods, and abstract algebra derived from groups, rings, and fields. Meanwhile, we will complete the extension to previous work. Furthermore, this work can be promoted to undergraduate teaching to help students better understand the specific contents of axiomatic set theory and mathematical analysis.