A Generic and Executable Formalization of Signature-Based Gröbner Basis Algorithms
aa r X i v : . [ c s . S C ] D ec A Generic and Executable Formalization ofSignature-Based Gröbner Basis Algorithms
Alexander Maletzky Research Institute for Symbolic Computation (RISC), Johannes Kepler University Linz,Altenberger Strasse 69, A-4040 Linz, AustriaandRISC Software GmbH, Softwarepark 35, A-4232 Hagenberg im Mühlkreis, Austria
Abstract
We present a generic and executable formalization of signature-based algorithms (such asFaugère’s F ) for computing Gröbner bases, as well as their mathematical background,in the Isabelle/HOL proof assistant. Said algorithms are currently the best known al-gorithms for computing Gröbner bases in terms of computational efficiency. The formaldevelopment attempts to be as generic as possible, generalizing most known variantsof signature-based algorithms, but at the same time the implemented functions are ef-fectively executable on concrete input for efficiently computing mechanically verifiedGröbner bases. Besides correctness the formalization also proves that under certain con-ditions the algorithms a-priori detect and avoid all useless reductions to zero, and returnminimal signature Gröbner bases.To the best of our knowledge, the formalization presented here is the only formaliza-tion of signature-based Gröbner basis algorithms in existence so far. Keywords:
Gröbner bases, signature-based algorithms, interactive theorem proving,Isabelle/HOL
1. Introduction
Gröbner bases, introduced by Buchberger (1965), are a ubiquitous tool in computeralgebra and beyond, as they allow to effectively solve many problems related to multi-variate polynomial rings and ideals. Finding Gröbner bases is a computationally difficulttask, and therefore many researchers have attempted to design more and more efficientalgorithms over the years. This, finally, lead to the first signature-based algorithm , the F algorithm invented by Faugère (2002). Nowadays, F and its relatives are the most effi-cient algorithms for computing Gröbner bases, implemented in many modern computeralgebra systems. Email address: [email protected] (Alexander Maletzky) The research was funded by the Austrian Science Fund (FWF): P 29498-N31.
Preprint submitted to Elsevier ©2020. Licensed under CC-BY-NC-ND 4.0 http://creativecommons.org/licenses/by-nc-nd/4.0/ he work presented in this paper focuses on yet another implementation of signature-based algorithms, but this time not in a computer algebra system but in the proof assis-tant Isabelle/HOL (Nipkow et al. (2002)). The distinctive feature of our implementationis its formal verification by the inference kernel of Isabelle. This, of course, necessitatedformalizing also the vast theory behind signature-based algorithms, eventually leadingto an extensive , generic and executable formalization of an important topic in moderncomputer algebra. Even more, it is the—to the best of our knowledge—first-ever for-malization of this theory in any proof assistant. As such, it constitutes the ultimatecertificate that the existing informal theory is indeed correct, without even the slightestmistake or overlooked gap.In the remainder we assume familiarity with the basics of Gröbner bases theory,including polynomial reduction, S-polynomials, the definition of Gröbner bases, andBuchberger’s algorithm. Although we present the key definitions, theorems and algo-rithms of the signature-based approach to Gröbner bases in this paper, readers totallynew to the subject might also want to have a glance at the excellent survey articleby Eder and Faugère (2017), which we took as the template for our formalization. Wemust also stress that besides Faugère, many more researchers have worked on signature-based algorithms, resulting in a great variety of such algorithms. Giving an exhaustiveoverview of all variations of signature-based algorithms in existence is out of scope here,though; see again Eder and Faugère (2017) instead.The motivation and distinctive feature of signature-based algorithms is detectingand avoiding many more useless zero-reductions while computing Gröbner bases thanother algorithms—and in some cases even all useless reductions. This saves a lot ofcomputation time and thus leads to a drastic speed-up. How all this relates to signatures,and what signatures are in the first place, will be explained in Sections 3–5.The main motivation for the formalization was to verify a state-of-the-art algorithmfor computing Gröbner bases. That task could be expected to be challenging due to theinherent complexity of the underlying mathematical theory, illustrated by the fact thattermination of the original F algorithm was an open problem for a decade until it wassettled by Galkin (2012). Our formal development of the theory may also serve as thebasis for further theoretical investigations, e. g. by implementing, testing and verifyingnew improvements of the formalized algorithms, as well as for further formalizations inthe vast area of Gröbner bases.Summarizing, the key features of the work presented here are as follows:• The formalization is generic, in the sense that we consider rewrite bases and allowfor arbitrary term orders and rewrite orders (Section 5). According to Eder and Faugère(2017) this set-up covers most, if not all, existing variations of signature-based al-gorithms.• All algorithms are proved to be totally correct w. r. t. their specifications. In partic-ular, the algorithm for computing rewrite bases (Algorithm 1) is shown to terminatefor every input (Section 6.1).• Besides correctness, we also prove that under certain conditions the algorithmindeed avoids all useless zero-reductions, and that with a particular choice of therewrite order it returns minimal signature Gröbner bases (Section 7).2 All formally verified algorithms are efficiently executable on concrete input. ‘Effi-cient’ means that, for instance, the algorithms operate only on sig-poly-pairs ratherthan full module elements (Section 8).The entire formalization is freely available online (Maletzky (2018)), as an entry of Is-abelle’s Archive of Formal Proofs (AFP). The rest of the paper is organized as follows: Section 2 gives a brief overview ofIsabelle/HOL, to make the paper as self-contained as possible. Section 3 presents thepreliminaries of signature-based algorithms, Section 4 introduces s -reduction and sig-nature Gröbner bases, Section 5 defines rewrite bases and S-pairs and establishes theconnection between them, Section 6 presents the main algorithms and hints why theyare totally correct, and Section 7 contains two results concerning the ‘optimality’ of thealgorithms. Each of these sections first presents the various concepts and theorems incommon mathematical style, before showing how they are formalized in Isabelle/HOL.Section 8, then, explains how the formalized algorithms can be executed on concreteinput and provides a comparison of the running times of these algorithms to other algo-rithms implemented in Isabelle/HOL and in Mathematica . Section 9, finally, concludesthe paper by giving quantitative information on the formalization effort and listing re-lated and future work.
2. Brief Overview of Isabelle/HOL
The purpose of this section is to give a brief overview of the most important aspectsof Isabelle/HOL that are necessary for understanding the rest of the paper. Furtherinformation and documentation can be found in Paulson (1994); Nipkow et al. (2002);Wenzel (2018) and on the Isabelle homepage . Readers already familiar with Isabellecan safely skip this section.Isabelle is a generic proof assistant : it serves as a framework for implementing differ-ent object logics, such as first-order logic or higher-order logic, in one single system. Assuch, it provides the basic infrastructure needed for automated and interactive theoremproving in general: a small inference kernel based on higher-order unification, theory-and proof contexts, a document preparation interface, and many more. Isabelle/HOL isa concrete object logic implemented in Isabelle, namely classical higher-order predicatelogic. Being the most actively developed object logic of Isabelle, it comes with a library ofhundreds of useful mathematical concepts, such as numbers, sets, lists, abstract algebraicstructures, etc., which new formalizations can build upon.Formalizing a mathematical theory in Isabelle/HOL normally proceeds by definitionaltheory extensions : new concepts are defined, properties of these concepts and their rela-tion to existing concepts are proved, and so on; arbitrary axiomatizations, though possiblein principle, are usually avoided to eliminate the risk of introducing inconsistencies tothe theory. Our formalization goes without any such axiomatizations. http://isabelle.in.tum.de .1. Definitions New constants can be introduced either via explicit non-recursive definitions or asrecursive functions. A simple example of the former is the following: definition subset-eq :: α set ⇒ α set ⇒ bool ( infix ⊆ where subset-eq A B ←→ ( ∀ a ∈ A. a ∈ B) This definition introduces a new constant, subset-eq , of type α set ⇒ α set ⇒ bool . Thatmeans, it is a function taking two sets of element-type α as arguments and returning aboolean value. Greek letters like α always denote type variables ; hence, subset-eq is a polymorphic function that cannot only be applied to sets of a particular element-type,but to all sets. The type constructors set and bool are built into Isabelle/HOL. The‘infix’ clause following the type is optional and instructs Isabelle to record the shortinfix notation ⊆ for subset-eq . The actual definition of subset-eq comes after the ‘where’keyword: subset-eq holds for two arguments A and B if, and only if, every element a of A is also an element of B . Note that free variables in definitions, theorems, etc. areimplicitly universally quantified, and that ∀ and ∈ are built-in constants with the usualmeaning. Therefore, subset-eq is indeed the usual subset relation; of course, it is a built-inconstant of Isabelle/HOL, too.As can be seen, Isabelle uses Curried notation for denoting function application: inthe definition, subset-eq is applied to A and B by mere juxtaposition, without parenthe-ses. Parentheses only become necessary in nested function applications, as in f ( g x ).What can also be seen in the above definition is that single arrows are used to denoteequivalences and implications: −→ for logical implication, ←→ for equivalence. Notation 2.1.
Within enclosing informal text, we will adopt the standard mathematicalnotation for function application when writing Isabelle code. For instance, we shall write subset-eq ( A, B ) rather than subset-eq
A B , because the latter does not fit very well withinformal text. Furthermore, names of constants will be typeset in sans serif font todistinguish them from variables, which will be typeset in italics , as usual.As an example of a recursive definition, consider the following: function set :: α list ⇒ α set where set [] = {} |set (x ∪ set xs This command defines a polymorphic function set which maps lists (built-in type con-structor list ) to the set of their elements, which is achieved by structural recursion onthe shape of the argument: if it is empty, the empty set is returned; otherwise, the listconsists of a head x and a tail xs , in which case set is applied to xs recursively and x is added to the result. Recursively defined functions must always be shown to termi-nate, to avoid potential inconsistencies. In some cases, Isabelle can do the terminationproofs itself, whereas in more difficult situations the user has to construct the proofsinteractively. Theorems can be stated using the synonymous ‘lemma’, ‘theorem’ or ‘corollary’ key-words. For instance, a lemma expressing that the set of elements of the concatenationof two lists equals the union of the individual sets could be stated as follows:4 emma set-append: set (xs @ ys) = set xs ∪ set ys Here, @ is infix syntax denoting the concatenation of lists xs and ys , and recall fromabove that the two free variables xs and ys are implicitly universally quantified. Sofar, however, the lemma is only an unproved claim as far as Isabelle is concerned, sowe now have to prove it. Proving in Isabelle rests on two pillars: First, an intuitive,human-readable formal proof language, called Isar , for proving theorems interactively.That means, the user writes down the individual steps of the proof, and Isabelle checkswhether they are indeed correct. Second, a huge machinery of automatic proof methodsthat are able to prove certain goals automatically, saving the user from doing tediousbut more or less simple proofs manually. Existing automation is fairly sophisticated,incorporating even powerful state-of-art first-order reasoners.To give a rough idea of how proofs in Isabelle/HOL look like, we show a quite verboseinduction proof of the above lemma; long dashes ( − ) indicate explanatory comments: lemma set-append: set (xs @ ys) = set xs ∪ set ys proof (induction xs) − Induction base: show set ([] @ ys) = set [] ∪ set ys by simp − Prove the goal by simplification w.r.t. the definitions of ‹set› and ‹@›. next − Induction step: fix x xs − Choose fresh ‹x› and ‹xs› arbitrary, but fixed. assume set (xs @ ys) = set xs ∪ set ys − Assume the induction hypothesis. then show set ((x ∪ set ys by simp − Prove the goal again by simplification,but this time also using the induction hypothesis. qed
Since we will not present any Isabelle-proofs in the remainder of this paper, we do notsay more about proving in Isabelle here.Finally, please note that more complicated lemmas involving assumptions can bestated following the ‘fixes’/‘assumes’/‘shows’ pattern, to increase readability: lemma times-mono-int: fixes a b c :: int assumes a ≤ b and ≤ c shows a * c ≤ b * c The optional ‘fixes’ clause locally fixes variables and potentially annotates them withtypes (here int , the type of integers). The optional ‘assumes’ clause states one or moreassumptions, and the mandatory ‘shows’ clause states the ultimate conclusion.
Notation 2.2.
Within enclosing informal text, names of lemmas and theorems will betypeset in italics , like set-append . We conclude this section by listing built-in concepts we will use later on.• The usual logical connectives and quantifiers. Syntax in Isabelle/HOL closely re-sembles ordinary mathematical notation, expect that logical implication is denotedby −→ and equivalence by ←→ . 5 The usual operations from set theory, whose Isabelle-syntax resembles mathemat-ical notation, too.• f ` A , which denotes the image of set A under function f .• {0..< n } , which denotes the set { k ∈ N | ≤ k < n } of natural numbers; analo-gously, [0..< n ] denotes the list of natural numbers from 0 up to n .• set , [] and , as explained above: set ( xs ) is the set of elements of list xs , [] is theempty list, and x xs is the list whose first element is x and whose tail is xs .• length ( xs ), which is the length of list xs .• xs ! i , which is the i -th element of list xs , starting from 0.• fst and snd , which project pairs of type α × β onto their first and second entries,respectively. For instance, fst (( a, b )) = a . Remark 2.1.
Throughout the paper we will follow the common convention in papersabout Isabelle of using dashes instead of underscores, for the sake of better readability.So, subset-eq would in reality be subset_eq in the actual Isabelle sources.
3. Preliminaries
In this and the subsequent sections we present signature-based Gröbner basis algo-rithms and their formalization in Isabelle/HOL. Notation is mainly borrowed from Eder and Faugère(2017), with some small adjustments here and there to resemble the notation we use inthe formalization. In fact, since the formalization itself closely follows Sections 4–7of Eder and Faugère (2017), most of the mathematical details omitted in this expositionfor the sake of brevity can be found there instead. The informal proofs that served as thetemplates for our formal development were exclusively taken from the above-mentionedarticle and from Roune and Stillman (2012) and Eder and Roune (2013).In the remainder of this paper let K be a field and let R = K [ x , . . . , x n ] be the n -variate polynomial ring over K . Every polynomial p ∈ R can be written as a K -linearcombination of power-products , where a power-product is a product of the indetermi-nates x , . . . , x n , e. g. x x x . We will write [ X ] for the commutative monoid of power-products in x , . . . , x n and typically denote power-products by the typed variables s and t , unless stated otherwise.Now, fix a finite sequence F = ( f , . . . , f m ) of polynomials in R ; these polynomialsplay the role of the set we want to compute a Gröbner basis of. The sequence F gives riseto a module-homomorphism · : R m → R by setting e i := f i for 1 ≤ i ≤ m and canonicalbasis vectors e i of the free module R m . A module element a ∈ R m is called a syzygy of F if a = 0. Note that R m can be viewed as a K -vector space, meaning that every a ∈ R m can be written as a K -linear combination of terms , where a term is a product ofthe form t e i for some power-product t and some 1 ≤ i ≤ m . We will write T for the setof terms and typically denote terms by the typed variables u and v . For a term v = t e i , t is called the power-product of v and i is called the component of v .6or a polynomial p ∈ R , supp( p ) is the support of p , which the set of all power-products appearing in p with non-zero coefficient. Likewise, supp( a ) for a ∈ R m is theset of all terms appearing in a with non-zero coefficient. coeff( p, t ) denotes the coefficientof power-product t in p ∈ R , and analogous for coeff( a, u ) with u ∈ T and a ∈ R m .Finally we must also fix an admissible order relation (cid:22) on [ X ] and some compatibleextension (cid:22) t to a term order on T . Admissible has the usual meaning of 1 (cid:22) t and s (cid:22) s ⇒ t s (cid:22) t s for all s , s , t ∈ [ X ]. Compatible just means that s (cid:22) t ⇒ s e i (cid:22) t t e i forall s, t ∈ [ X ] and 1 ≤ i ≤ m . The most important extension of (cid:22) to a term order is the position over term (POT) extension, denoted by (cid:22) pot and defined as s e i (cid:22) pot t e j : ⇔ i < j ∨ ( i = j ∧ s (cid:22) t ) . Every p ∈ R has a leading power-product lp( p ) and a leading coefficient lc( p ): if p = 0, the leading power-product of p is the largest power-product w. r. t. (cid:22) appearing insupp( p ), and the leading coefficient is its coefficient; lp(0) is left undefined and lc(0) := 0.Likewise, every module element a ∈ R m has a leading term s ( a ) and a leading coefficientlc( a ), defined completely analogously w. r. t. (cid:22) t . The reason why the leading term of a is denoted by s ( a ) rather than lt( a ) becomes clear in the following definition: Definition 3.1 (Signature).
Let a ∈ R m . The signature of a is the leading term s ( a )of a .Therefore, the all-important signature of a module element a ∈ R m is nothing else butthe leading term of a . In the remainder, we will exclusively use the word ‘signature’instead of ‘leading term’. Note that in contrast to Eder and Faugère (2017), in our casethe signature only consists of a term without coefficient.Summarizing, every a ∈ R m has two important values associated to it: its signature s ( a ) ∈ T and the polynomial a ∈ R . For our formal development of signature-based Gröbner basis algorithms we did nothave to start completely from scratch, but could build upon on existing extensive for-malizations of multivariate polynomials and Gröbner bases. Here, we will explain themost important aspects of these formalizations that are relevant for signature-based al-gorithms; the interested reader is referred to Maletzky and Immler (2018a,b) for moredetails. The formalizations are freely available as separate entries in the Archive ofFormal Proofs (Sternagel et al. (2010); Immler and Maletzky (2016)).In Isabelle/HOL, multivariate polynomials are represented as so-called polynomialmappings , which are functions from some type α to another type β such that all butfinitely many values are mapped to 0. The meaning of such a mapping is clear: α playsthe role of the power-products or terms, and β plays the role of the coefficient-ring; thevalue a power-product or term is mapped to is its coefficient in the polynomial. Thetype of polynomial mappings from α to β is denoted by α ⇒ β . Note that polynomialmappings are sometimes also referred to as finitely supported functions .Terms are simply represented as pairs consisting of a power-product and a componentof type nat , the type of natural numbers; hence, if α is the type of power-products, thenthe type of terms is α × nat . Note that because of nat being infinite, the components ofterms can become arbitrarily large; this point deserves a bit more attention, which willbe paid below. Before, we summarize what we have so far:7 Here and henceforth, α will always denote the type of power-products. How exactlypower-products are represented is not important, since they essentially only haveto form a cancellative commutative monoid and a lattice w. r. t. divisibility. Formore details see Maletzky and Immler (2018b).• Type τ will abbreviate the type of terms, i. e., the type α × nat . In the actual for-malization, τ only needs to be isomorphic to α × nat , but this is a mere technicalitywithout any further implications.• Type β plays the role of K , the coefficient field.• The polynomial ring R hence corresponds to the type α ⇒ β , and the module R m to τ ⇒ β . Example 3.1.
Let p = 3 x − xy + y − ∈ K [ x, y ]. Then p corresponds to an objectof type α ⇒ β which maps x xy
7→ − y
1, 1
7→ −
4, and all other power-products t
0. As indicated above, how the individual power-products are representedis not important here.Likewise, let a = (cid:18) xy − x + y (cid:19) ∈ K [ x, y ] . Then a corresponds to an object of type τ ⇒ β which maps ( xy ,
2, (1 ,
7→ − x ,
1, ( y ,
1, and all other terms u
0. Note in particular that the firstcomponent is indexed by 0, the second by 1, etc.One may now ask the following legitimate question:How can R m be represented by τ ⇒ β , if R m has dimension m (and thereforeall terms appearing in its elements have components ≤ m ), but τ allows forarbitrarily large components?Indeed, strictly speaking R m and τ ⇒ β are not isomorphic. However, we can cir-cumvent the problem of components of terms being greater than m (or, in fact m − τ ⇒ β appearing anywhere in the formal development. Moreprecisely, we define the set sig-inv-set ( m ), parameterized over the natural number m , ofall module elements whose terms have components in the range [0 , . . . , m − a occurring in the theorem belong to sig-inv-set ( m ).Of course, m is not just an arbitrary natural number, but it is the length of theimplicitly fixed sequence F = ( f , . . . , f m ) of polynomials. So, in the formalization wealso fix a sequence, or more precisely a list, fs in the implicit theory context: context fixes fs :: ( α ⇒ β ) list This instruction ensures that all subsequent definitions, theorems, algorithms, etc. areimplicitly parameterized over the list fs . Consequently, we can define the set Rm of all‘valid’ module elements: definition Rm :: ( τ ⇒ β ) set where Rm = sig-inv-set (length fs) Rm is the set of module elements whose terms have components in the range[0 , . . . , length ( fs ) − R m . Remark 3.1.
In a dependently-typed system like Coq (Bertot and Castéran (2004)), Rm could be turned into a type, meaning that the additional assumptions a ∈ Rm oftheorems could be encoded implicitly in the type of a . Isabelle/HOL is only simply-typed,so this approach does not work in our case. Remark 3.2.
The definition of Rm shown above is not exactly the one of the formaliza-tion. Namely, analogous to components, we also have to take care that all indeterminatesappearing in module elements also appear in fs ; similar as for the components, this can-not be encoded (easily) in the type α . The details are technical and omitted here for thesake of simplicity.Having fs fixed in the context, we next formalize the module-homomorphism · , called poly in the formal theory, and prove its characteristic properties. We omit its slightlytechnical definition here. lemma poly-zero: poly 0 = 0 lemma poly-plus: poly (a + b) = poly a + poly b lemma poly-mult-scalar: poly (p ⊙ a) = p * poly a Here one should note that poly is defined in such a way that these identities hold un-conditionally, even if a, b / ∈ Rm . The expression p ⊙ a denotes scalar multiplication ofthe module element a by the polynomial p . Two further important lemmas about poly describe its relationship to the ideal generated by the elements of fs : lemma poly-in-ideal: poly a ∈ ideal (set fs) lemma in-idealE-poly-Rm: assumes p ∈ ideal (set fs) shows ∃ a ∈ Rm. p = poly a
The first lemma obviously expresses that poly ( a ) is always an element of the ideal gener-ated by the elements of fs , whereas the second lemma states the converse: every element p of the ideal can be written as p = poly ( a ) for some a ∈ Rm ; a being an element of Rm is of particular importance here. The expression ideal ( B ), taken from Sternagel et al.(2010), denotes the ideal generated by the set B .The only things that are still missing from Section 3.1 are the order relations (cid:22) and (cid:22) t , and the various concepts they induce (leading power-product etc.); they are, infact, contained in Sternagel et al. (2010) as well. Similar to fs , the remaining formaldevelopment shall be parameterized over these orderings, so a locale is employed to fixthem implicitly: locale qpm-inf-term =ordered-powerprod ord +linorder ord-term for ord :: α ⇒ α ⇒ bool ( infixl (cid:22) and ord-term :: τ ⇒ τ ⇒ bool ( infixl (cid:22) t
50) + assumes stimes-mono: u (cid:22) t v −→ t ⊗ u (cid:22) t t ⊗ v assumes ord-termI: fst u (cid:22) fst v −→ snd u ≤ snd v −→ u (cid:22) t v fs ,a simple context -statement was sufficient, but here we really need the capabilities of afull-fledged locale. For more information on locales see Ballarin (2010).Locale qpm-inf-term fixes the two relations (cid:22) and (cid:22) t , and assumes that (cid:22) is anadmissible order on type α (the power-products) and that (cid:22) t is a linear order on type τ (the terms). Furthermore, it assumes the two properties stimes-mono and ord-termI .Property stimes-mono expresses that (cid:22) t is monotonic w. r. t. ⊗ , where t ⊗ u denotes theterm obtained from u by multiplying its power-product by t . Property ord-termI statesthat if the power-product and the component of u are not greater than their respectivecounterparts of v , then u (cid:22) t v . Note that fst ( u ) gives the first entry of term u , i. e. itspower-product, and snd ( u ) gives the second entry of u , i. e. its component.All subsequent definitions, theorems, etc. will be stated in the context of this locale,meaning that they are implicitly parameterized over (cid:22) and (cid:22) t (just as they are param-eterized over fs ), and that furthermore all theorems are implicitly constrained by thetwo additional assumptions stimes-mono and ord-termI . Leading power-products, lead-ing terms and signatures of polynomials and module elements can be defined readily inthis setup.We conclude this section by pointing the reader to Appendix A, containing a glossaryfor translating between mathematical notions and notations occurring in this paper, andtheir counterparts in the formalization. Remark 3.3.
In the actual Isabelle sources, power-products are written additively ratherthan multiplicatively , for technical reasons. So, 0 is used instead of 1, + instead of · , and ⊕ instead of ⊗ . In this paper we decided to stick to the standard multiplicative writingfor the sake of uniformity.
4. Signature Reduction and Signature Gröbner Bases
Let us now turn to the key concept in the theory of Gröbner bases: polynomialreduction . In the ‘traditional’, non-signature approach the reduction relation is a binaryrelation on polynomials, parameterized over a set of polynomials. In the signature-basedworld, it becomes a binary relation on module elements , i. e. on R m , defined as follows: Definition 4.1 ( s -Reduction). Let a, b ∈ R m and G ⊆ R m . The module element a s -reduces to b modulo G if, and only if, there exist g ∈ G and t ∈ [ X ] such that1. g = 0,2. t lp( g ) ∈ supp( a ),3. b = a − t g , and4. t s ( g ) (cid:22) t s ( a ), which is equivalent to s ( b ) (cid:22) t s ( a ).So, if a s -reduces to b modulo G , it simply means that a reduces to b modulo G inthe usual sense of polynomial reduction, and that furthermore the signature of b is G , of course, denotes the image of G under the homomorphism · . a . In short, s -reduction is like polynomial reduction with theadditional requirement that signatures do not grow. s -reduction comes in different flavors, depending on whether t lp( g ) in Definition 4.1equals lp( a ) or not, and whether in the last condition of that definition we have t s ( g ) = s ( a ) or t s ( g ) ≺ t s ( a ). If t lp( g ) = lp( a ), we shall say that the s -reduction is a top s -reduction; otherwise, if t lp( g ) ≺ lp( a ), we call it a tail s -reduction. If t s ( g ) = s ( a ) the s -reduction is a singular s -reduction, whereas if t s ( g ) ≺ t s ( a ) it is a regular s -reduction.It is easy to see that in a regular s -reduction we always have s ( b ) = s ( a ). Notation 4.1.
Let r ∈ {(cid:22) t , ≺ t , = } and r ∈ {(cid:22) , ≺ , = } . We will use the following nota-tion: a r , r −→ G b means that a s -reduces to b modulo G , and that additionally t s ( g ) r s ( a )and t lp( g ) r lp( a ) hold, where t, g are as in Definition 4.1. As usual, r , r −→ ∗ G denotes thereflexive-transitive closure of r , r −→ G . So, (cid:22) , (cid:22) t −→ G stands for general s -reduction, ≺ t , = −→ G forregular top s -reduction, and so on. To ease notation, we will simply write −→ G insteadof (cid:22) t , (cid:22) −→ G .What has been said above about the relationship between s ( b ) and s ( a ) if b s -reducesto a is of course also true for the reflexive-transitive closure of s -reduction. In particular,if a ≺ t , r −→ ∗ G b , i. e. a regular s -reduces to b in several steps, then s ( b ) = s ( a ). This trivialobservation will play a crucial role later on.The definition of s -reduction in the formalization closely follows Definition 4.1, butin addition also incorporates Notation 4.1: definition sig-red-single :: ( τ ⇒ τ ⇒ bool) ⇒ ( α ⇒ α ⇒ bool) ⇒ ( τ ⇒ β ) ⇒ ( τ ⇒ β ) ⇒ ( τ ⇒ β ) ⇒ α ⇒ bool where sig-red-single r1 r2 a b g t ←→ (poly g = ∧ coeff (poly a) (t * lp (poly g)) = ∧ b = a - monom-mult ((coeff (poly a) (t * lp (poly g))) / lc (poly g)) t g ∧ r1 (t ⊗ s g) ( s a) ∧ r2 (t * lp (poly g)) (lp (poly a))) definition sig-red :: ( τ ⇒ τ ⇒ bool) ⇒ ( α ⇒ α ⇒ bool) ⇒ ( τ ⇒ β ) set ⇒ ( τ ⇒ β ) ⇒ ( τ ⇒ β ) ⇒ bool where sig-red r1 r2 G a b ←→ ( ∃ g ∈ G. ∃ t. sig-red-single r1 r2 a b g t) definition is-sig-red :: ( τ ⇒ τ ⇒ bool) ⇒ ( α ⇒ α ⇒ bool) ⇒ ( τ ⇒ β ) set ⇒ ( τ ⇒ β ) ⇒ bool where is-sig-red r1 r2 G a ←→ ( ∃ b. sig-red r1 r2 G a b) So, sig-red-single (r , r , a, b, g, t ) expresses that a s -reduces to b modulo the singleton { g } using the given power-product t as the multiplier. Note that monom-mult ( c, t, a )is multiplication of a by the coefficient c and power-product t . The two relations r and r have exactly the same meaning as in Notation 4.1, i. e., they specify whetherthe s -reduction is singular/regular/arbitrary and top/tail/arbitrary, respectively. Theexpression sig-red (r , r , G, a, b ) precisely corresponds to a r , r −→ G b ; the reflexive-transitiveclosure of s -reduction is thus given by sig-red (r , r , G ) ∗∗ , using Isabelle/HOL’s built-innotation r ∗∗ for denoting the reflexive-transitive closre of an arbitrary binary relation r .Finally, is-sig-red is an auxiliary notion expressing s -reducibility. Obviously lp( a ) ≺ t lp( g ) is not possible, since t lp( g ) ∈ supp( a ). s -reduction insome sense ‘refines’ polynomial reduction, we can immediately infer that s -reduction isNoetherian, too: Lemma 4.1.
For all G ⊆ R m , r , r −→ G is Noetherian, that is, there are no infinite chains a , r −→ G a , r −→ G . . . . This lemma can be translated easily into Isabelle/HOL, employing the built-in predi-cate wfP for expressing well-foundedness of the converse of s -reduction (denoted by −− ): lemma sig-red-wf-Rm: assumes G ⊆ Rm shows wfP (sig-red r1 r2 G) −− Proving this lemma is a matter of only a couple of lines, thanks to the fact thatImmler and Maletzky (2016) already proved Noetherianity of traditional polynomial re-duction in Isabelle/HOL. The assumption of G being a subset of Rm is necessary becauseof the observations made in Section 3.2.Before we define signature Gröbner bases, we introduce an auxiliary notion: Definition 4.2.
We say that a s -reduces to zero modulo G if, and only if, there exists b such that a (cid:22) t , (cid:22) −→ ∗ G b and b = 0, i. e., b is a syzygy. Just as for s -reduction, we willalso use the phrases singular and regular s -reduction to zero, if a = , (cid:22) −→ ∗ G b or a ≺ t , (cid:22) −→ ∗ G b ,respectively.Note that even though we use the word ‘zero’ in Definition 4.2 it does not mean that b it-self has to be 0, only that it must be a syzygy. This terminology is taken from Eder and Faugère(2017).In the non-signature world, a Gröbner basis is a set G ⊆ R such that every p ∈ h G i canbe reduced to 0 modulo G . This definition can be translated readily into the signature-based setting: Definition 4.3 (Signature Gröbner Basis).
Let u be a term. A set G ⊆ R m is a signature Gröbner basis in u if, and only if, every a ∈ R m with s ( a ) = u s -reduces tozero modulo G .The set G is a signature Gröbner basis up to u if it is a signature Gröbner basis inall v ≺ t u . If G is a signature Gröbner basis in all terms, we simply call it a signatureGröbner basis.Translating Definitions 4.2 and 4.3 into Isabelle/HOL is again immediate; the only realdifferences are some Rm conditions, as usual: definition sig-red-zero :: ( τ ⇒ τ ⇒ bool) ⇒ ( τ ⇒ β ) set ⇒ ( τ ⇒ β ) ⇒ bool where sig-red-zero r1 G a ←→ ( ∃ b. (sig-red r1 ( (cid:22) ) G) ∗∗ a b ∧ poly b = 0) definition is-sig-GB-in :: ( τ ⇒ β ) set ⇒ τ ⇒ bool where is-sig-GB-in G u ←→ ( ∀ a. s a = u −→ a ∈ Rm −→ sig-red-zero ( (cid:22) t ) G a) definition is-sig-GB_upt :: ( τ ⇒ β ) set ⇒ τ ⇒ bool where is-sig-GB-upt G u ←→ (G ⊆ Rm ∧ ( ∀ v. v ≺ t u −→ snd v < length fs −→ is-sig-GB-in G v)) sig-red-zero is only parameterized over the relation r for signatures,but not over r for leading power-products: there is no need to distinguish betweentop/tail/arbitrary s -reductions to zero.The connection between signature Gröbner bases and ordinary non-signature Gröbnerbases follows immediately from the definition of s -reduction: Proposition 4.1.
Let G ⊆ R m be a signature Gröbner basis. Then G is a Gröbner basisof h f , . . . , f m i . Signature-based Gröbner basis algorithms, such as F , compute rewrite bases , whichare a subclass of signature Gröbner bases (see Section 5). Proposition 4.1 tells us thatfrom a signature Gröbner basis one can easily obtain a Gröbner basis of the ideal h f , . . . , f m i under consideration by applying the module-homomorphism · to all ele-ments.The formalization of Proposition 4.1 looks as follows, where is-Groebner-basis is definedin Immler and Maletzky (2016): lemma is-sig-GB-is-Groebner-basis: assumes G ⊆ Rm and ∀ u. is-sig-GB-in G u shows is-Groebner-basis (poly ` G) The next result about signature Gröbner bases will prove very useful later on, for in-stance in Lemma 4.3. Readers interested in its proof are referred to Lemma 3 in Roune and Stillman(2012).
Lemma 4.2.
Let a, b ∈ R m \{ } , let G be a signature Gröbner basis up to s ( a ) , andassume s ( a ) = s ( b ) and lc( a ) = lc( b ) . If both a and b are regular top s -irreducible modulo G , then lp( a ) = lp( b ) and lc( a ) = lc( b ) . If both a and b are regular s -irreducible modulo G , then a = b . In the formalization this lemma is split into two lemmas: lemma sig-regular-top-reduced-lp-lc-unique: assumes is-sig-GB-upt G ( s a) and a ∈ Rm and b ∈ Rm and s a = s b and lc a = lc b and ¬ is-sig-red ( ≺ t ) (=) G a and ¬ is-sig-red ( ≺ t ) (=) G b shows lp (poly a) = lp (poly b) and lc (poly a) = lc (poly b) lemma sig-regular-reduced-unique: assumes is-sig-GB-upt G ( s a) and a ∈ Rm and b ∈ Rm and s a = s b and lc a = lc b and ¬ is-sig-red ( ≺ t ) ( (cid:22) ) G a and ¬ is-sig-red ( ≺ t ) ( (cid:22) ) G b shows poly a = poly b We conclude this section by introducing the concept of a syzygy signature and provingan important lemma about it:
Definition 4.4 (Syzygy Signature).
A term u is called a syzygy signature if thereexists a ∈ R m \{ } with s ( a ) = u and a = 0.13yzygy signatures play a key role for detecting useless zero-reductions when computingsignature Gröbner bases. Namely, by virtue of Lemma 4.2, we obtain the following resultwhose importance will become clear in Section 5: Lemma 4.3 (Syzygy Criterion) . Let a ∈ R m and let G be a signature Gröbner basis upto s ( a ) . If s ( a ) is a syzygy signature, then a regular s -reduces to zero modulo G .Moreover, if u is a syzygy signature and u | v , then v is a syzygy signature, too. Definition 4.4 and Lemma 4.3 naturally translate into Isabelle/HOL: definition is-syz-sig :: τ ⇒ bool where is-syz-sig u ←→ ( ∃ a ∈ Rm. a = ∧ s a = u ∧ poly a = 0) lemma syzygy-crit: assumes is-sig-GB-upt G ( s a) and is-syz-sig G ( s a) and a ∈ Rm shows sig-red-zero ( ≺ t ) G a lemma is-syz-sig-dvd: assumes is-syz-sig u and u dvd t v shows is-syz-sig v
5. Rewrite Bases and S-Pairs
Besides signature Gröbner bases, we need another class of sets G ⊆ R m of moduleelements, called rewrite bases . Rewrite bases play a crucial role for computing signatureGröbner bases, as will be seen in Section 6. Before, however, we must introduce someauxiliary concepts: sig-poly-pairs, rewrite orders and canonical rewriters. Definition 5.1 (Sig-Poly-Pair). A sig-poly-pair is a pair ( u, p ) ∈ T × R such thatthere exists a ∈ R m \{ } with s ( a ) = u and a = p .Our definition of rewrite orders is slightly more technical than the one given in theliterature. The reason for this deviation is that there, rewrite orders are defined formodule elements rather than sig-poly-pairs. We found it more reasonable to definerewrite orders on sig-poly-pairs, because in any case the only information concrete rewriteorders may take into account for deciding which of the two arguments is greater are thesignatures and the polynomial parts of the arguments. Definition 5.2 (Rewrite Order).
A binary relation E on sig-poly-pairs is called a rewrite order if, and only if, it is a reflexive, transitive and linear relation, additionallysatisfying1. ( u, p ) E ( v, q ) ∧ ( v, q ) E ( u, p ) = ⇒ u = v for all sig-poly-pairs ( u, p ) and ( v, q ), and2. a ∈ G \{ } ∧ b ∈ G \{ } ∧ s ( a ) | s ( b ) = ⇒ ( s ( a ) , a ) E ( s ( b ) , b ) for all a, b, G such that G is a signature Gröbner basis up to s ( b ) and b is regular top s -irreducible modulo G . u | v , for two terms u and v , means that there exists t ∈ [ X ] with v = t u . E shall refine the divisibility relation onsignatures—but only under some technical assumptions which are necessary for provingthat E rat (Definition 5.3) is indeed a rewrite order.To get some intuition about rewrite orders, we present the two ‘standard’ rewriteorders that can be found in the literature: Definition 5.3 ( E rat , E add ). The relation E rat is defined as( u, p ) E rat ( v, q ) : ⇔ lp( q ) u ≺ t lp( p ) v ∨ (lp( q ) u = lp( p ) v ∧ u (cid:22) t v ) . The relation E add is defined as( u, p ) E add ( v, q ) : ⇔ u (cid:22) t v. As explained in Remark 7.3 in Eder and Faugère (2017), the suffix ‘ rat ’ of E rat originatesfrom an alternative presentation of this relation, in which the ratios u lp( p ) and v lp( q ) arecompared.Above we claimed that E rat and E add are rewrite orders. The proof for E add is fairlystraightforward, but the proof of the last requirement of rewrite orders is a bit moreinvolved for E rat ; one essentially has to make use of Lemma 4.2 again.The definition of rewrite orders in the formalization closely resembles Definition 5.2;only note that spp-of ( a ) is a mere abbreviation for ( s ( a ) , poly ( a )): definition is-rewrite-ord :: (( τ × ( α ⇒ β )) ⇒ ( τ × ( α ⇒ β )) ⇒ bool) ⇒ bool where is-rewrite-ord ord ←→ (reflp ord ∧ transp ord ∧ ( ∀ a b. ord a b ∨ ord b a) ∧ ( ∀ a b. ord a b −→ ord b a −→ fst a = fst b) ∧ ( ∀ G a b. is-sig-GB-upt G ( s b) −→ a ∈ G −→ b ∈ G −→ a = −→ b = −→ s a dvd t s b −→¬ is-sig-red ( ≺ t ) (=) G b −→ ord (spp-of a) (spp-of b))) Since there is nothing special about the formal definitions of E rat and E add compared tothe informal ones, we omit them here.Just as we have implicitly fixed (cid:22) and (cid:22) t , let us now also fix an arbitrary rewriteorder E . The last prerequisite we need before we can define rewrite bases are canonicalrewriters : Definition 5.4 (Canonical Rewriter).
Let G ⊆ R m , a ∈ R m and u ∈ T . The moduleelement a is called a canonical rewriter in signature u w. r. t. G if, and only if, a ∈ G \{ } , s ( a ) | u , and a is maximal w. r. t. E with these properties. Definition 5.5 (Rewrite Basis).
Let G ⊆ R m and u ∈ T . The set G is said to bea rewrite basis in u if, and only if, u is a syzygy signature or there exists a canonicalrewriter g in signature u w. r. t. G such that u s ( g ) g is regular top s -irreducible modulo G . Furthermore, G is a rewrite basis up to u if it is a rewrite basis in all v ≺ t u . If G isa rewrite basis in all terms, we simply call it a rewrite basis. By abuse of notation we also compare module elements in R m w. r. t. E , in the sense that a E b ⇔ ( s ( a ) , a ) E ( s ( b ) , b ). For two terms u, v with u | v , uv denotes the unique t ∈ [ X ] with v = t u . is-sig-GB-upt and is-RB-upt : definition is-canon-rewriter :: ( τ ⇒ β ) set ⇒ τ ⇒ ( τ ⇒ β ) ⇒ bool where is-canon-rewriter G u a ←→ (a ∈ G ∧ a = ∧ s a dvd t u ∧ ( ∀ g ∈ G. g = −→ s g dvd t u −→ spp-of g E spp-of a))) definition is-RB-in :: ( τ ⇒ β ) set ⇒ τ ⇒ bool where is-RB-in G u ←→ (is-syz-sig u ∨ ( ∃ g. is-canon-rewriter G u g ∧¬ is-sig-red ( ≺ t ) (=) G (monom-mult 1 (u / s g) g))) definition is-RB-upt :: ( τ ⇒ β ) set ⇒ τ ⇒ bool where is-RB-upt G u ←→ (G ⊆ Rm ∧ ( ∀ v. v ≺ t u −→ snd v < length fs −→ is-RB-in G v)) Now that we know what rewrite bases are it is time to establish the connectionbetween rewrite bases and signature Gröbner bases, and hence to traditional Gröbnerbases by virtue of Proposition 4.1. For an informal proof of the following proposition,see Lemma 8 in Eder and Roune (2013):
Proposition 5.1. If G is a rewrite basis up to u , it is also a signature Gröbner basis upto u . We omit the obvious translation of this proposition into Isabelle/HOL. Summarizing,Propositions 4.1 and 5.1 justify computing a rewrite basis in order to find a traditionalGröbner basis of h f , . . . , f m i . Therefore, we now need a means for actually computing rewrite bases—and it turns out that the key to an effective algorithm lies in a conceptwell-known from traditional Gröbner bases theory: Definition 5.6 (S-Pair).
Let a, b ∈ R m , and let t = lcm(lp( a ) , lp( b )). Then the S-pair of a and b , written spair( a, b ), is defined asspair( a, b ) := t lc( a )lp( a ) a − t lc( b )lp( b ) b. Furthermore, a and b are said to give rise to a regular S-pair if, and only if, a, b = 0 and t lp( a ) s ( a ) = t lp( b ) s ( b ); otherwise they give rise to a singular S-pair.So, S-pairs correspond precisely to S-polynomials, but ‘lifted’ from R to R m : indeed,spair( a, b ) ∈ R m , and it is easy to see that spair( a, b ) = spoly( a, b ), where spoly( p, q ) isthe usual S-polynomial of p and q .The distinction between singular and regular S-pairs is important, because in The-orem 5.1 below we will show that only regular S-pairs are of interest. If a and b giverise to a regular S-pair, we have s (spair( a, b )) = max( t lp( a ) s ( a ) , t lp( b ) s ( b )), where t is as inDefinition 5.6.The definitions of S-pairs and regular S-pairs in the formalization look as follows:16 efinition spair :: ( τ ⇒ β ) ⇒ ( τ ⇒ β ) ⇒ ( τ ⇒ β ) where spair a b = (let t1 = lp (poly a); t2 = lp (poly b); t = lcm t1 t2 in(monom-mult (1 / lc (poly a)) (t / t1) a) -(monom-mult (1 / lc (poly b)) (t / t2) b)) definition is-regular-spair :: ( τ ⇒ β ) ⇒ ( τ ⇒ β ) ⇒ bool where is-regular-spair a b ←→ (poly a = ∧ poly b = ∧ (let t1 = lp (poly a); t2 = lp (poly b); t = lcm t1 t2 in(t / t1) ⊗ s a = (t / t2) ⊗ s b)) Now we are ready to state the central theorem in this section, which links rewrite basesto regular S-pairs just as Buchberger’s theorem links Gröbner bases to S-polynomials:
Theorem 5.1.
Let G ⊆ R m be finite and u ∈ T , assume that no two elements of G have the same signatures, and moreover assume that G is a rewrite basis in all s ( a ) ≺ t u ,where a is either a regular S-pair of elements of G or a = e i ( ≤ i ≤ m ). Then G is arewrite basis up to u . For a proof of this theorem see Lemma 10 in Eder and Roune (2013). The formalstatement of the theorem in Isabelle/HOL is as follows: lemma is-RB-upt-finite: assumes G ⊆ Rm and inj-on s G and finite G and ∀ g1 ∈ G. ∀ g2 ∈ G. is-regular-spair g1 g2 −→ s (spair g1 g2) ≺ t u −→ is-RB-in G ( s (spair g1 g2)) and ∀ i. i < length fs −→ (1, i) ≺ t u −→ is-RB-in G (1, i) shows is-RB-upt G u The second assumption of is-RB-upt-finite merely expresses that the function s is injectiveon G , that is, no two elements of G have the same signatures.Theorem 5.1 gives us some idea how to decide whether a given finite set G is arewrite basis up to u : it suffices to check the finitely many signatures of regular S-pairs and canonical basis vectors. Note, however, that there is still an issue related tosyzygy signatures: the definition of rewrite bases involves syzygy signatures, and decidingwhether a given u is a syzygy signature is a difficult problem—actually, as difficult ascomputing a Gröbner basis of the module of syzygies. Luckily, Theorem 5.1 does notonly suggest a method for (semi-)deciding whether a given set is a rewrite basis, but italso gives rise to an algorithm for computing rewrite bases which does not suffer fromthe problem with syzygy signatures just outlined. This algorithm is the subject of thenext section.
6. Algorithms
As claimed above, Theorem 5.1 gives rise to an algorithm for computing rewritebases, and in fact that algorithm bears close resemblance to Buchberger’s algorithm forcomputing Gröbner bases: it is a critical-pair/completion algorithm that successivelyiterates through all S-pairs, applies a criterion for testing whether the S-pair underconsideration must be reduced, s -reduces it to some normal form if necessary, and addsthe result to the basis computed so far unless it be zero. Algorithm 1 summarizes the17 lgorithm 1 An algorithm for computing rewrite bases.
Input: sequence ( f , . . . , f m ) of polynomials in R , admissible order (cid:22) on [ X ], compatibleextension (cid:22) t on T , rewrite order E Output: rewrite basis G function RB (( f , . . . , f m ) , (cid:22) , (cid:22) t , E ) G ← ∅ S ← { s ( f j e i − f i e j ) | ≤ i < j ≤ m } P ← { e i | ≤ i ≤ m } while P = ∅ do a ← some element of P with (cid:22) t -minimal signature P ← P \{ a } if a = e i for some i then S ← S ∪ { s ( f i g − g e i ) | g ∈ G } if ¬ sigCrit ( E , G, S, a ) then b ← result of regular s -reducing a modulo G if b = 0 then S ← S ∪ { s ( b ) } else G ← G ∪ { b } P ← P ∪ { spair( g, b ) | g ∈ G, spair( g, b ) is regular } return G method just sketched in an imperative programming style; it is a slight variation ofAlgorithm 3 in Eder and Faugère (2017).Several remarks on Algorithm 1 are in place:• The accumulator G holds the basis computed so far, and P is the set of elementsthat still have to be considered. It does not only contain regular S-pairs, but alsothe m canonical basis vectors corresponding to the input-sequence ( f , . . . , f m ).This justifies initializing G by the empty set.• The set S contains the signatures of some known syzygies. It is initialized by thesignatures of the Koszul syzygies of the input sequence, and successively enlargedin Lines 9 and 13. These syzygy-signatures are used to apply the syzygy criterion(Lemma 4.3) in function sigCrit , see Algorithm 2 below.• It is important to note that in Line 6 of Algorithm 1, an element a with minimalsignature is taken from P . This is crucial for the correctness of the algorithm, sincea different choice could lead to wrong results.• Also note that s ( b ) = s ( a ), since b is the result of regular s -reducing a , and regular s -reductions do not change signatures. This, together with the particular choice of a , implies that G is computed by increasing signatures, i. e., the signatures of theelements b added to G in Line 15 are increasing.Ignoring the sigCrit -test in Line 10 of Algorithm 1 for the moment, the algorithm ispartially correct. This follows from the fact that either b = 0, in which case s ( b ) = s ( a )18s a syzygy signature, or b is added to G , in which case it becomes the canonical rewriterin s ( b ) = s ( a ) (this follows from the definition of rewrite orders) and is by constructionregular top s -irreducible. Therefore, in either case the potentially enlarged set G is arewrite basis in s ( a ) by Definition 5.5, and upon termination of the algorithm, it is arewrite basis in all terms u thanks to Theorem 5.1.The auxiliary function sigCrit , which is implemented in Algorithm 2, tests whetheran S-pair spair( a, b ) has to be s -reduced in Algorithm 1. In a nutshell, it appliesLemma 4.3, the syzygy criterion, and moreover checks whether the constituents of theS-pair are canonical rewriters in certain terms u a and u b ; if not, the S-pair does nothave to be reduced, because either the canonical rewriters in these respective termshave been treated already, or will still be treated later on, and in either case there isnothing to be done for spair( a, b ). There is one subtle point, though: Knowing thatspair( a, b ) is regular, one of u a or u b is strictly greater than the other by definition, and s (spair( a, b )) = max( u a , u b ). W. l. o. g. assume u b ≺ t u a . So, by what has been saidabove, it should be clear that sigCrit is allowed to do the checks on u a = s (spair( a, b ))in Line 5 of Algorithm 2, but it is perhaps not clear why the same checks may also beperformed on the smaller term u b that does not contribute to s (spair( a, b )) at all. Indeed,answering this question is slightly intricate, and we confine ourselves here to pointing theinterested reader to Lemma 12 in Eder and Roune (2013) for an explanation. Algorithm 2
An algorithm for testing whether S-pairs must be regular s -reduced. Input: rewrite order E , G ⊆ R m , S ⊆ T , regular spair( a, b ) with a, b ∈ G Output: ‘False’ if spair( a, b ) has to be regular s -reduced in Algorithm 1 function sigCrit ( E , G, S, spair( a, b )) t ← lcm(lp( a ) , lp( b )) u a ← t lp( a ) s ( a ) u b ← t lp( b ) s ( b ) if ( ∃ s ∈ S. s | u a ) ∨ ( a is not canonical rewriter in u a w. r. t. G ) then return True if ( ∃ s ∈ S. s | u b ) ∨ ( b is not canonical rewriter in u b w. r. t. G ) then return True return FalseWe hope we could convince the reader about the partial correctness of Algorithms 1and 2 now; if not, a more thorough account on the whole subject can, as usual, befound in Eder and Faugère (2017). However, the algorithm is not only partially correct,but also terminates for every input; this claim will be investigated in Section 6.1. Wesummarize the result in a theorem:
Theorem 6.1 (Correctness of Algorithm 1) . For every input, Algorithm 1 terminatesand returns a rewrite basis G w. r. t. ( f , . . . , f m ) , (cid:22) , (cid:22) t and E . Furthermore, h G i = h f , . . . , f m i . Remark 6.1.
Algorithm 2 corresponds to Algorithm 4 in Eder and Faugère (2017),which, however, is presented in a slightly different way. Namely, the two disjuncts inLines 5 and 7 of Algorithm 2 are combined into one single ‘rewritability’ check in thecited article. This makes the formulation of the algorithm a bit more elegant.19lso, one has to take into account that the last argument of function sigCrit could bea canonical basis vector e i rather than an S-pair. In that case, only the syzygy criterionis applied, i. e., ∃ s ∈ S. s | e i .Let us now turn to the formalization of RB in Isabelle/HOL. There, it is natural toimplement functions as functional programs instead of imperative ones, so we define thetail-recursive function rb-aux for computing rewrite bases as follows: function rb-aux ::((( τ ⇒ β ) list × τ list × ((( τ ⇒ β ) × ( τ ⇒ β )) + nat) list) × nat) ⇒ ((( τ ⇒ β ) list × τ list × ((( τ ⇒ β ) × ( τ ⇒ β )) + nat) list) × nat) where rb-aux ((gs, ss, []), z) = ((gs, ss, []), z) |rb-aux ((gs, ss, a s b) The function takes one argument, which in turn is a tuple consisting of four entries: alist gs corresponding to the set G in Algorithm 1, a list ss corresponding to S , a list ps corresponding to P , and a natural number z counting the total number of zero-reductions.The latter is a mere technicality only needed in Section 7.1, and may thus be ignored forthe moment. The function not only returns gs , but also the other arguments, to facilitateformal reasoning about it—but of course only gs is interesting from our perspective.Please note that the list fs and the various relations ( (cid:22) , etc.) are still implicitly fixedin the theory context and therefore do not have to be passed as arguments to rb-aux explicitly.The first part of the definition corresponds to the base case, where the list ps is empty.The second part corresponds to the case where ps contains at least one element, and canhence be decomposed into its head a and tail ps ′ . Since we ensure that the list is alwayskept sorted by increasing signatures, a is known to be an element with minimal signature,just as required in Line 6 of Algorithm 1. Then, ss is enlarged by new syzygy-signaturesin the auxiliary function new-syz-sigs , and the result is stored in ss ′ ; this correspondsprecisely to Lines 8 and 9 of Algorithm 1. Afterward, the auxiliary function sig-crit isapplied to gs , ss ′ and a to check whether a has to be s -reduced or not. sig-crit is theformalization of function sigCrit , and since there is nothing special about its definition,we omit it here. Anyway, if sig-crit returns True , nothing needs to be done and rb-aux iscalled recursively on the remaining list ps ′ . Otherwise, a is regular s -reduced to b (takencare of by function sig-trd ), and depending on whether b is a syzygy or not its signature isadded to ss ′ or it is added to gs , and new S-pairs are added to ps ′ by function add-spairs .So, in short, rb-aux corresponds exactly to Lines 5–17 of Algorithm 1. The remaininglines, corresponding to the initialization of G , S and P , are covered by the way how thearguments of the initial call of rb-aux are constructed, as will be seen below.20efore, please note that the element-type of ps is a sum type , i. e., the disjoint unionof two types: once the type of pairs of module elements, ( τ ⇒ β ) × ( τ ⇒ β ), andonce the type nat of natural numbers. This is due to the fact that ps may both containS-pairs and canonical basis vectors: S-pairs are represented by the two elements theyoriginate from, because these elements themselves are needed in sig-crit , and canonicalbasis vectors are compactly represented by their component, which is of course a naturalnumber. Function poly-of-pair converts an object of this sum type into an actual moduleelement of type τ ⇒ β , by either constructing an S-pair or returning a ‘full’ basis vector.The initial argument of rb-aux corresponds to the initial values of G , S and P : gs is the empty list, ss is Koszul-syz-sigs ( fs ), which returns the signatures of the Koszulsyzygies of fs , and ps is the list map ( Inr , [0 .. < length ( fs )]), representing the canonicalbasis vectors in the sum type mentioned above.So, we can finally define function rb as follows: definition rb :: ( τ ⇒ β ) list × nat where rb = (let ((gs, _, _), z) =rb-aux (([], Koszul-syz-sigs fs, map Inr [0.. Algorithm 1 and function rb could easily be adapted to not only computea rewrite basis, and hence Gröbner basis of the ideal h f , . . . , f m i , but also a Gröbner basisof the module of syzygies of ( f , . . . , f m ). We do not consider this in the formalization,though. Termination of the original F algorithm had been an open problem for a long time,until it was eventually settled by Galkin (2012). Later, Pan et al. (2012) proved ter-mination of a more general signature-based algorithm, which happens to be equivalentto Algorithm 1. The proof we modeled our formal Isabelle-proof after can be foundin Eder and Roune (2013) (Theorem 20). Here, we present the key ideas of the proof,referring the interested reader to the cited article for more information about it.Assume ( g , g , g , . . . ) is the sequence of elements added to G by Algorithm 1, inthat order. We want to show that this sequence is finite. First, introduce the followingrelation ∼ on R m : a ∼ b : ⇔ lp( b ) s ( a ) = lp( a ) s ( b ). ∼ is an equivalence relation, andtherefore allows one to partition the sequence into subsets of equivalent elements w. r. t. ∼ . Next, one can prove that only finitely many of these subset are non-empty, usingNoetherianity of R m and further properties of the sequence that follow from its beingconstructed by Algorithm 1, e. g., no element is regular s -reducible by the others. Finally,one can prove by induction on the finitely many non-empty sets R that each of them isfinite, because every element of R corresponds to an S-pair of elements in ‘previous’ sets,which are finite by the induction hypothesis. This concludes the proof.22 emark 6.3. Readers not so familiar with signature-based algorithms might wonderwhy the well-known termination proof of Buchberger’s algorithm does not work forsignature-based algorithms. The reason is simple: a new element b added to the basis isonly regular s -irreducible, which unfortunately does not imply that b is irreducible in thetraditional sense of polynomial reduction. In particular, lp( b ) might even be divisible bylp( g ) for some g in the current basis—something which cannot happen in Buchberger’salgorithm, which in turn is what the termination proof of Buchberger’s algorithm mainlyrests upon.In the formalization, the theorem needed for establishing termination of function rb-aux is as follows: lemma rb-termination: fixes seq :: nat ⇒ ( τ ⇒ β ) assumes ∀ i j. i < j −→ s (seq i) ≺ t s (seq j) and ∀ i. ( ∃ j So, we assume that there exists an infinite sequence seq with the listed properties andderive a contradiction; hence, any such sequence must be finite. seq is modeled as afunction from the natural numbers to module elements of type τ ⇒ β , which means thatthe i -th element of seq is simply seq ( i ) and the set of all elements of seq is range ( seq ). Aclose inspection of the presumed properties of seq reveals that they essentially correspondto the first six properties of gs in the above list characterizing rb-aux-inv . The only realdifference is that the order of the elements in seq corresponds to the order in whichthey are generated by function rb-aux , which is the reversed order compared to gs . Thisexplains why, for instance, the signatures in seq must be strictly increasing, whereas in gs they must be strictly decreasing.From rb-termination we can conclude that function rb-aux terminates for all argu-ments satisfying the invariant rb-aux-inv , which in particular includes the initial argumentspecified by function rb . This finishes the proof of total correctness of rb . 7. Optimality Results The original goal of signature-based algorithms is to detect and avoid as many use-less zero-reductions as possible, and thus speed up the computation of Gröbner bases.Practical experience shows that this goal is indeed achieved (see Section 8), and theoryeven tells us that in some situations zero-reductions can be avoided altogether: Theorem 7.1. Let ( f , . . . , f m ) be a regular sequence and assume (cid:22) t = (cid:22) pot , i. e., (cid:22) t isa POT-extension of (cid:22) . Then Algorithm 1 does not s -reduce any element to zero, meaningthat the test in Line 12 of that algorithm always yields ‘False’. (cid:22) pot ,the rewrite basis is computed incrementally, i. e., first for ( f ), then for ( f , f ), and soon. The sequence ( f , . . . , f m ) being regular implies that the only syzygies a satisfying s ( a ) = t e i , for 1 ≤ i ≤ m and t ∈ [ X ], are in the module of principal syzygies of( f , . . . , f i )—a generating set of which is added to S in Line 9. However, every zero-reduction corresponds to precisely such a syzygy, and therefore is detected beforehandby the syzygy criterion implemented in function sigCrit . It should be observed thatEder and Faugère (2017) need the additional assumption that E be either E rat or E add .We do not need this assumption because of our slightly different implementation of func-tion sigCrit .The formalization of Theorem 7.1 in Isabelle/HOL begins with the definition of reg-ular sequences: definition is-regular-sequence :: ( α ⇒ β ) list ⇒ bool where is-regular-sequence fs ←→ ( ∀ j A signature Gröbner basis iscalled minimal if, and only if, none of its elements is top s -reducible modulo the otherelements.Note that minimal signature Gröbner bases have nothing to do with minimal Gröbnerbases in the usual sense: if G is a minimal signature Gröbner basis, then G is not auto-matically a minimal Gröbner basis, that is, there could exist p , p ∈ G with p = p andlp( p ) | lp( p ). Nevertheless, minimal signature Gröbner bases deserve the name, sinceevery ideal I ⊆ R m has one unique minimal signature Gröbner basis G , and moreoverany other signature Gröbner basis H of I satisfies { s ( g ) | g ∈ G } ⊆ { s ( h ) | h ∈ H } and { lp( g ) | g ∈ G } ⊆ { lp( h ) | h ∈ H } ; see Lemma 4.3 in Eder and Faugère (2017) for details.Surprisingly, when using E rat as the rewrite order, rb-aux automatically computesminimal signature Gröbner bases (recall from Proposition 5.1 that rewrite bases arealso signature Gröbner bases). The following theorem corresponds to Corollary 7.3in Eder and Faugère (2017): Theorem 7.2. Assume E = E rat . Then the rewrite basis computed by Algorithm 1 isalso a minimal signature Gröbner basis. Therefore, E rat is the optimal rewrite order in terms of the size of the resulting basisand the number of S-pairs that must be dealt with. Still, as noted in point (c) ofSection 14.3 in Eder and Faugère (2017), other rewrite orders, such as E add , can lead toa comparable overall performance of the algorithm.Again, Definition 7.1 and Theorem 7.2 translate naturally into in Isabelle/HOL, asshown below: definition is-min-sig-GB :: ( τ ⇒ β ) set ⇒ bool where is-min-sig-GB G ←→ G ⊆ Rm ∧ ( ∀ u. snd u < length fs −→ is-sig-GB-in G u) ∧ ( ∀ g ∈ G. ¬ is-sig-red ( (cid:22) t ) (=) (G - {g}) g) corollary rb-aux-is-min-sig-GB: assumes ( E ) = ( E rat ) shows is-min-sig-GB (set (fst rb)) 8. Code Generation and Computations When it comes to actually computing rewrite bases, the following two observationsare important:• Algorithm 1 and function rb operate on module elements in R m , or objects of type τ ⇒ β , respectively. Operations on such objects, such as addition, multiplication,etc., are of course m -times more expensive than on ordinary polynomials in R .• A close investigation of said algorithms and their sub-algorithms, such as regular s -reduction, reveals that in fact only the signature s ( a ) and the polynomial part a of module elements a ∈ R m must be known for executing the algorithms. There-fore, the whole computation of rewrite bases can be made more efficient by lettingthe functions operate on sig-poly-pairs (see Definition 5.1) instead of full moduleelements. 25n the formalization, we take the preceding observations into account by refining function rb and all other functions it depends on to new functions that operate on sig-poly-pairs,i. e., objects of type τ × ( α ⇒ β ). Of course, we formally prove that the refined functionsbehave precisely as the original ones and therefore inherit all their main properties.Eventually we end up with a function gb-sig that takes a list of polynomials as input,employs the refined version of rb-aux (called rb-spp-aux ) for computing a rewrite basis ofit, which is a list of sig-poly-pairs. Finally, it projects the elements of this list onto theirsecond entries to obtain again a list of polynomials which constitute a Gröbner basis ofthe input. Furthermore, gb-sig is parameterized over (cid:22) , (cid:22) t and E .Thanks to Isabelle’s code generator , the mechanically verified function gb-sig can beused to effectively compute Gröbner bases. In a nutshell, this works by translating thedefinitions of gb-sig and its sub-algorithms, which are universally quantified equalitiesin Isabelle/HOL, into operationally equivalent procedures operating on concrete datastructures in SML, OCaml, Scala or Haskell. The translation is implemented in sucha way that the generated executable programs can be trusted to inherit all correctnessproperties of the abstract Isabelle-functions. More information about code generation inIsabelle can be found in Haftmann et al. (2013); Haftmann and Bulwahn (2018).In our concrete case, multivariate polynomials are represented efficiently as ordered(w. r. t. (cid:22) ) associative lists, mapping power-products to coefficients. This formally veri-fied concrete representation, which is part of Sternagel et al. (2010), allows us to provideefficient implementations of all frequently used operations, e. g., addition, lp , etc.A typical invocation of gb-sig within Isabelle, which automatically triggers code gen-eration into SML and execution of the resulting program, could look as follows: value [code] gb-sig-pprod (POT DRLEX) rw-rat-strict-pprod[X ^ 2 * Z ^ 3 + 3 * X ^ 2 * Y, X * Y * Z + 2 * Y ^ 2] This instruction immediately returns the following 4-element Gröbner basis, computedover the field of rational numbers w. r. t. the POT extension of the degree-reverse-lexicographic ordering and rewrite order E rat : [(3 / 4) * X ^ 3 * Y ^ 2 - 2 * Y ^ 4, - 4 * Y ^ 3 * Z - 3 * X ^ 2 * Y ^ 2,X * Y * Z + 2 * Y ^ 2, X ^ 2 * Z ^ 3 + 3 * X ^ 2 * Y] The auxiliary constants X , Y and Z are introduced for conveniently writing down trivari-ate polynomials; further indeterminates can easily be added on-the-fly, without evenhaving to adapt the underlying type. More sample computations can be found in theory Signature-Examples of the formalization.Besides simple examples as the one shown above, gb-sig can also be tested on com-mon benchmark problems and compared to other implementations of Gröbner bases.Table 1 shows such a comparison to a formally verified implementation of Buchberger’salgorithm with product- and chain-criterion in Isabelle/HOL, called gb and describedin Maletzky and Immler (2018a), and to function GroebnerBasis in Mathematica E rat . We shall emphasize, however, that other order relations and rewriteorders are formalized, too, and may hence be used in computations without further ado. The suffixes ‘-pprod’ are technical artifacts that can safely be ignored here. able 1: Timings (in seconds) and total number of zero-reductions of Gröbner basis computations.‘?’ indicates that the computation was aborted after 1200 seconds. gb-sig gb Mathematica Benchmark Time Remark 8.1. The timings for Mathematica have to be read with care: Mathematica always computes a reduced Gröbner basis, whereas the results returned by gb-sig and gb are not necessarily reduced. So, the timings of Mathematica must be understood as amere reference mark for highly sophisticated, state-of-the-art computer algebra software.It is not surprising that our formally verified function gb-sig cannot compete with it inmost cases. 9. Conclusion In this paper we presented a formalization of signature-based algorithms for comput-ing Gröbner bases in Isabelle/HOL. The formalization is generic, executable, and coversnot only correctness but also optimality (no zero-reductions, minimal signature Gröbnerbases) of the implemented algorithms.The formalization effort was roughly three months of full-time work. This mightnot sound very much, but it must once again be noted that we could make heavy useof existing formalizations of multivariate polynomials and modules thereof, as well asGröbner bases theory, in Isabelle/HOL. Otherwise, it would have taken a lot longer.The total number of lines of code is ∼ Prelims (general facts about lists, relations, etc.; ∼ 960 lines), More-MPoly (general propertiesof polynomials; ∼ 440 lines), Quasi-PM-Power-Products (facts about power-products; ∼ 290 lines), Signature-Groebner (main theory; ∼ Signature-Examples (code generation and sample computations; ∼ 380 lines). Proofs are intentionally givenin a quite verbose style for better readability. Even though signature-based algorithms have, to the best of our knowledge, not beenformalized in any other proof assistant so far, formalizations of traditional Gröbner basestheory exist in various systems. 27he first formalization of Gröbner bases dates back to Théry (2001) and Persson(2001) in the Coq proof assistant (Bertot and Castéran (2004)). Later, Schwarzweller(2006) formalized the purely theoretical aspects of the theory in Mizar (Bancerek et al.(2015)). Jorge et al. (2009) and Medina-Bulo et al. (2010) implemented formally verifiedversions of Buchberger’s algorithm in OCaml and Common LISP, respectively; the formerwas verified using Coq, and the latter using ACL2 (Kaufmann et al. (2000)). And, ofcourse, the work presented in this paper heavily rests on the formalization of traditionalGröbner bases theory by Immler and Maletzky (2016) in Isabelle/HOL.Buchberger (2004) and Crăciun (2008) took a slightly different approach: they man-aged to automatically synthesize Buchberger’s algorithm from a formal description of itsspecification in the Theorema system (Buchberger et al. (2016)). In the same system,we formalized a generalization of Gröbner bases to reduction rings (Maletzky (2016)).Finally, it must also be mentioned that Gröbner bases methodology for a long timehas been, and still is, successfully applied in automated theorem proving, as a black-boxalgorithm for proving universal equalities and inequations over algebraically closed fields;see for instance Harrison (2001) and Chaieb and Wenzel (2007). The present formalization could be extended in several ways. First of all, function gb-sig could be improved by inter-reducing intermediate bases when (cid:22) pot is used as themodule term order. This idea, due to Stegers (2006); Eder and Perry (2010), has thepotential of speeding up computations, but inter-reducing intermediate bases turns outto be much more subtle in the signature-based setting than it is in the traditional setting.Another possible improvement of gb-sig consists of implementing the F -style reduc-tion, as proposed by Faugère (1999). This approach not only s -reduces one polynomialat a time, but several polynomials simultaneously by row-reducing certain matrices.Incidentally, the F algorithm and corresponding F -style reduction are part of the for-malization by Immler and Maletzky (2016) (described in Maletzky and Immler (2018a)),and therefore could be incorporated into the formalization presented here with only mod-erate effort. The main reason why we have not done so as of yet is that no increase inperformance can be expected from it in this concrete case: matrices are representeddensely as immutable arrays in Isabelle/HOL, but F -style reductions only make sense ifsparse matrices are stored efficiently , possibly even involving some sort of compression.Formalizing better representations of sparse matrices in Isabelle/HOL is left for futurework.A third potential improvement of the efficiency of the algorithms is the use of more so-phisticated data-structures, e. g. tournament trees, kd-trees, and others. Roune and Stillman(2012) review some of these data-structures and how they can reasonably be used in thecomputation of Gröbner bases by signature-based algorithms. Acknowledgments. I thank the anonymous reviewers for their valuable remarks. References Ballarin, C., 2010. Tutorial to Locales and Locale Interpretation, in: Lambán, L., Romero, A., Rubio,J. (Eds.), Contribuciones Científicas en Honor de Mirian Andrés Gómez, Servicio de Publicaciones dela Universidad de La Rioja. pp. 123–140. Part of the Isabelle documentation. ancerek, G., Byliński, C., Grabowski, A., Korniłowicz, A., Matuszewski, R., Naumowicz, A., Pąk, K.,Urban, J., 2015. Mizar: State-of-the-art and Beyond, in: Kerber, M., Carette, J., Kaliszyk, C., Rabe,F., Sorge, V. (Eds.), Intelligent Computer Mathematics (Proceedings of CICM 2015, WashingtonD.C., US, July 13–17), Springer. pp. 261–279. doi: .Bertot, Y., Castéran, P., 2004. Interactive Theorem Proving and Program Development – Coq’Art:The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. An EATCS Series,Springer. doi: .Buchberger, B., 1965. Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nacheinem nulldimensionalen Polynomideal (An Algorithm for Finding the Basis Elements in the ResidueClass Ring Modulo a Zero Dimensional Polynomial Ideal). Ph.D. thesis. Mathematical Institute,University of Innsbruck, Austria. English translation in J. Symb. Comput. .Chaieb, A., Wenzel, M., 2007. Context aware Calculation and Deduction: Ring Equalities via GröbnerBases in Isabelle, in: Kauers, M., Kerber, M., Miner, R., Windsteiger, W. (Eds.), Towards Mecha-nized Mathematical Assistants (Proceedings of Calculemus’2007, Hagenberg, Austria, June 27–30),Springer. pp. 27–39. doi: .Crăciun, A., 2008. Lazy Thinking Algorithm Synthesis in Gröbner Bases Theory. Ph.D. thesis. RISC,Johannes Kepler University Linz, Austria.Eder, C., Faugère, J.C., 2017. A Survey on Signature-Based Algorithms for Computing Gröbner Bases.J. Symb. Comput. 80, 719–784. doi: .Eder, C., Perry, J., 2010. F5C: A Variant of Faugère’s F Algorithm with Reduced Gröbner Bases. J.Symb. Comput. 45, 1442–1458. doi: .Eder, C., Roune, B.H., 2013. Signature Rewriting in Gröbner Basis Computation, in: Proceedingsof the 38th International Symposium on Symbolic and Algebraic Computation, ACM. pp. 331–338.doi: .Faugère, J.C., 1999. A New Efficient Algorithm for Computing Gröbner Bases ( F ). J. Pure and AppliedAlgebra 139, 61–88. doi: .Faugère, J.C., 2002. A New Efficient Algorithm for Computing Gröbner Bases Without Reduction to Zero( F ), in: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation,ACM. pp. 75–83. doi: .Galkin, V., 2012. Termination of Original F . arXiv:1203.2402 [math.AC].Haftmann, F., Bulwahn, L., 2018. Code Generation from Isabelle/HOL Theories. Part of the Isabelledocumentation.Haftmann, F., Krauss, A., Kun˘car, O., Nipkow, T., 2013. Data Refinement in Isabelle/HOL, in: Blazy,S., Paulin-Mohring, C., Pichardie, D. (Eds.), Interactive Theorem Proving (Proceedings of ITP’2013,Rennes, France, July 22–26), Springer. pp. 100–115. doi: .Harrison, J., 2001. Complex quantifier elimination in HOL, in: Boulton, R.J., Jackson, P.B. (Eds.),TPHOLs 2001: Supplemental Proceedings, Division of Informatics, University of Edinburgh. pp.159–174. URL: .Immler, F., Maletzky, A., 2016. Gröbner Bases Theory. Archive of Formal Proofs http://afp.sf.net/entries/Groebner_Bases.shtml , Formal proof development.Jorge, J.S., Guilas, V.M., Freire, J.L., 2009. Certifying properties of an efficient functional program forcomputing Gröbner bases. J. Symb. Comput. 44, 571–582. doi: .Kaufmann, M., Manolios, P., Moore, J.S., 2000. Computer-Aided Reasoning: An Approach. KluwerAcademic Publishers. doi: .Maletzky, A., 2016. Computer-Assisted Exploration of Gröbner Bases Theory in Theorema. Ph.D.thesis. RISC, Johannes Kepler University Linz.Maletzky, A., 2018. Signature-Based Gröbner Basis Algorithms. Archive of Formal Proofs http://isa-afp.org/entries/Signature_Groebner.html , Formal proof development.Maletzky, A., Immler, F., 2018a. Gröbner Bases of Modules and Faugère’s F Algorithm in Is-abelle/HOL, in: Rabe, F., Farmer, W., Passmore, G., Youssef, A. (Eds.), Intelligent ComputerMathematics (Proceedings of CICM 2018, Hagenberg, Austria, August 13-17), Springer. pp. 178–193. doi: . aletzky, A., Immler, F., 2018b. Gröbner Bases of Modules and Faugère’s F Algorithm in Isabelle/HOL(extended version). Technical Report. RISC, JKU Linz. ArXiv:1805.00304 [cs.LO].Medina-Bulo, I., Palomo-Lozano, F., Ruiz-Reina, J.L., 2010. A verified Common Lisp Implementationof Buchberger’s Algorithm in ACL2. J. Symb. Comput. 45, 96–123. doi: .Nipkow, T., Paulson, L.C., Wenzel, M., 2002. Isabelle/HOL—A Proof Assistant for Higher-Order Logic.volume 2283 of Lecture Notes in Computer Science . Springer. doi: .Pan, S., Hu, Y., Wang, B., 2012. The Termination of Algorithms for Computing Gröbner Bases.arXiv:1202.3524 [math.AC].Paulson, L.C., 1994. Isabelle: A Generic Theorem Prover. volume 828 of