diff --git a/metadata/metadata b/metadata/metadata
--- a/metadata/metadata
+++ b/metadata/metadata
@@ -1,9190 +1,9378 @@
 [Arith_Prog_Rel_Primes]
 title = Arithmetic progressions and relative primes
 author = José Manuel Rodríguez Caballero <https://josephcmac.github.io/>
 topic = Mathematics/Number theory
 date = 2020-02-01
 notify = jose.manuel.rodriguez.caballero@ut.ee
 abstract =
   This article provides a formalization of the solution obtained by the
   author of the Problem “ARITHMETIC PROGRESSIONS” from the
   <a href="https://www.ocf.berkeley.edu/~wwu/riddles/putnam.shtml">
   Putnam exam problems of 2002</a>. The statement of the problem is
   as follows: For which integers <em>n</em> > 1 does the set of positive
   integers less than and relatively prime to <em>n</em> constitute an
   arithmetic progression?
 
+[Banach_Steinhaus]
+title = Banach-Steinhaus Theorem
+author = Dominique Unruh <http://kodu.ut.ee/~unruh/> <mailto:unruh@ut.ee>, Jose Manuel Rodriguez Caballero <https://josephcmac.github.io/> <mailto:jose.manuel.rodriguez.caballero@ut.ee>
+topic = Mathematics/Analysis
+date = 2020-05-02
+notify = jose.manuel.rodriguez.caballero@ut.ee, unruh@ut.ee
+abstract =
+  We formalize in Isabelle/HOL a result
+  due to S. Banach and H. Steinhaus known as
+  the Banach-Steinhaus theorem or Uniform boundedness principle: a
+  pointwise-bounded family of continuous linear operators from a Banach
+  space to a normed space is uniformly bounded. Our approach is an
+  adaptation to Isabelle/HOL of a proof due to A. Sokal.
+
 [Complex_Geometry]
 title = Complex Geometry
 author = Filip Marić <http://www.matf.bg.ac.rs/~filip>, Danijela Simić <http://poincare.matf.bg.ac.rs/~danijela>
 topic = Mathematics/Geometry
 date = 2019-12-16
 notify = danijela@matf.bg.ac.rs, filip@matf.bg.ac.rs, boutry@unistra.fr
 abstract =
   A formalization of geometry of complex numbers is presented.
   Fundamental objects that are investigated are the complex plane
   extended by a single infinite point, its objects (points, lines and
   circles), and groups of transformations that act on them (e.g.,
   inversions and Möbius transformations). Most objects are defined
   algebraically, but correspondence with classical geometric definitions
   is shown.
 
 [Poincare_Disc]
 title = Poincaré Disc Model
 author = Danijela Simić <http://poincare.matf.bg.ac.rs/~danijela>,  Filip Marić <http://www.matf.bg.ac.rs/~filip>,  Pierre Boutry <mailto:boutry@unistra.fr>
 topic = Mathematics/Geometry
 date = 2019-12-16
 notify = danijela@matf.bg.ac.rs, filip@matf.bg.ac.rs, boutry@unistra.fr
 abstract =
   We describe formalization of the Poincaré disc model of hyperbolic
   geometry within the Isabelle/HOL proof assistant. The model is defined
   within the extended complex plane (one dimensional complex projectives
   space &#8450;P1), formalized in the AFP entry “Complex Geometry”.
   Points, lines, congruence of pairs of points, betweenness of triples
   of points, circles, and isometries are defined within the model. It is
   shown that the model satisfies all Tarski's axioms except the
   Euclid's axiom. It is shown that it satisfies its negation and
   the limiting parallels axiom (which proves it to be a model of
   hyperbolic geometry).
 
 [Fourier]
 title = Fourier Series
 author = Lawrence C Paulson <https://www.cl.cam.ac.uk/~lp15/>
 topic = Mathematics/Analysis
 date = 2019-09-06
 notify = lp15@cam.ac.uk
 abstract =
   This development formalises the square integrable functions over the
   reals and the basics of Fourier series. It culminates with a proof
   that every well-behaved periodic function can be approximated by a
   Fourier series. The material is ported from HOL Light:
   https://github.com/jrh13/hol-light/blob/master/100/fourier.ml
 
 [Generic_Deriving]
 title = Deriving generic class instances for datatypes
 author = Jonas Rädle <mailto:jonas.raedle@gmail.com>, Lars Hupel <https://www21.in.tum.de/~hupel/>
 topic = Computer science/Data structures
 date = 2018-11-06
 notify = jonas.raedle@gmail.com
 abstract =
   <p>We provide a framework for automatically deriving instances for
   generic type classes. Our approach is inspired by Haskell's
   <i>generic-deriving</i> package and Scala's
   <i>shapeless</i> library.  In addition to generating the
   code for type class functions, we also attempt to automatically prove
   type class laws for these instances. As of now, however, some manual
   proofs are still required for recursive datatypes.</p>
   <p>Note: There are already articles in the AFP that provide
    automatic instantiation for a number of classes. Concretely, <a href="https://www.isa-afp.org/entries/Deriving.html">Deriving</a> allows the automatic instantiation of comparators, linear orders, equality, and hashing. <a href="https://www.isa-afp.org/entries/Show.html">Show</a> instantiates a Haskell-style <i>show</i> class.</p><p>Our approach works for arbitrary classes (with some Isabelle/HOL overhead for each class), but a smaller set of datatypes.</p>
 
 
 [Partial_Order_Reduction]
 title = Partial Order Reduction
 author = Julian Brunner <http://www21.in.tum.de/~brunnerj/>
 topic = Computer science/Automata and formal languages
 date = 2018-06-05
 notify = brunnerj@in.tum.de
 abstract =
   This entry provides a formalization of the abstract theory of ample
   set partial order reduction. The formalization includes transition
   systems with actions, trace theory, as well as basics on finite,
   infinite, and lazy sequences. We also provide a basic framework for
   static analysis on concurrent systems with respect to the ample set
   condition.
 
 [CakeML]
 title = CakeML
 author = Lars Hupel <https://www21.in.tum.de/~hupel/>, Yu Zhang <>
 contributors = Johannes Åman Pohjola <>
 topic = Computer science/Programming languages/Language definitions
 date = 2018-03-12
 notify = hupel@in.tum.de
 abstract =
   CakeML is a functional programming language with a proven-correct
   compiler and runtime system. This entry contains an unofficial version
   of the CakeML semantics that has been exported from the Lem
   specifications to Isabelle. Additionally, there are some hand-written
   theory files that adapt the exported code to Isabelle and port proofs
   from the HOL4 formalization, e.g. termination and equivalence proofs.
 
 [CakeML_Codegen]
 title = A Verified Code Generator from Isabelle/HOL to CakeML
 author = Lars Hupel <https://lars.hupel.info/>
 topic = Computer science/Programming languages/Compiling, Logic/Rewriting
 date = 2019-07-08
 notify = lars@hupel.info
 abstract =
   This entry contains the formalization that accompanies my PhD thesis
   (see https://lars.hupel.info/research/codegen/). I develop a verified
   compilation toolchain from executable specifications in Isabelle/HOL
   to CakeML abstract syntax trees. This improves over the
   state-of-the-art in Isabelle by providing a trustworthy procedure for
   code generation.
 
 [DiscretePricing]
 title = Pricing in discrete financial models
 author = Mnacho Echenim <http://lig-membres.imag.fr/mechenim/>
 topic = Mathematics/Probability theory, Mathematics/Games and economics
 date = 2018-07-16
 notify = mnacho.echenim@univ-grenoble-alpes.fr
 abstract =
   We have formalized the computation of fair prices for derivative
   products in discrete financial models. As an application, we derive a
   way to compute fair prices of derivative products in the
   Cox-Ross-Rubinstein model of a financial market, thus completing the
   work that was presented in this <a
   href="https://hal.archives-ouvertes.fr/hal-01562944">paper</a>.
 extra-history =
 	Change history:
 	[2019-05-12]:
 	Renamed discr_mkt predicate to stk_strict_subs and got rid of predicate A for a more natural definition of the type discrete_market;
     renamed basic quantity processes for coherent notation;
     renamed value_process into val_process and closing_value_process to cls_val_process;
     relaxed hypothesis of lemma CRR_market_fair_price.
     Added functions to price some basic options.
 	(revision 0b813a1a833f)<br>
 
 
 [Pell]
 title = Pell's Equation
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory
 date = 2018-06-23
 notify = eberlm@in.tum.de
 abstract =
   <p> This article gives the basic theory of Pell's equation
   <em>x</em><sup>2</sup> = 1 +
   <em>D</em>&thinsp;<em>y</em><sup>2</sup>,
   where
   <em>D</em>&thinsp;&isin;&thinsp;&#8469; is
   a parameter and <em>x</em>, <em>y</em> are
   integer variables. </p> <p> The main result that is proven
   is the following: If <em>D</em> is not a perfect square,
   then there exists a <em>fundamental solution</em>
   (<em>x</em><sub>0</sub>,
   <em>y</em><sub>0</sub>) that is not the
   trivial solution (1, 0) and which generates all other solutions
   (<em>x</em>, <em>y</em>) in the sense that
   there exists some
   <em>n</em>&thinsp;&isin;&thinsp;&#8469;
   such that |<em>x</em>| +
   |<em>y</em>|&thinsp;&radic;<span
   style="text-decoration:
   overline"><em>D</em></span> =
   (<em>x</em><sub>0</sub> +
   <em>y</em><sub>0</sub>&thinsp;&radic;<span
   style="text-decoration:
   overline"><em>D</em></span>)<sup><em>n</em></sup>.
   This also implies that the set of solutions is infinite, and it gives
   us an explicit and executable characterisation of all the solutions.
   </p> <p> Based on this, simple executable algorithms for
   computing the fundamental solution and the infinite sequence of all
   non-negative solutions are also provided. </p>
 
 [WebAssembly]
 title = WebAssembly
 author = Conrad Watt <http://www.cl.cam.ac.uk/~caw77/>
 topic = Computer science/Programming languages/Language definitions
 date = 2018-04-29
 notify = caw77@cam.ac.uk
 abstract =
   This is a mechanised specification of the WebAssembly language, drawn
   mainly from the previously published paper formalisation of Haas et
   al. Also included is a full proof of soundness of the type system,
   together with a verified type checker and interpreter. We include only
   a partial procedure for the extraction of the type checker and
   interpreter here. For more details, please see our paper in CPP 2018.
 
 [Knuth_Morris_Pratt]
 title = The string search algorithm by Knuth, Morris and Pratt
 author = Fabian Hellauer <mailto:hellauer@in.tum.de>, Peter Lammich <http://www21.in.tum.de/~lammich>
 topic = Computer science/Algorithms
 date = 2017-12-18
 notify = hellauer@in.tum.de, lammich@in.tum.de
 abstract =
   The Knuth-Morris-Pratt algorithm is often used to show that the
   problem of finding a string <i>s</i> in a text
   <i>t</i> can be solved deterministically in
   <i>O(|s| + |t|)</i> time. We use the Isabelle
   Refinement Framework to formulate and verify the algorithm. Via
   refinement, we apply some optimisations and finally use the
   <em>Sepref</em> tool to obtain executable code in
   <em>Imperative/HOL</em>.
 
 [Minkowskis_Theorem]
 title = Minkowski's Theorem
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Geometry, Mathematics/Number theory
 date = 2017-07-13
 notify = eberlm@in.tum.de
 abstract =
   <p>Minkowski's theorem relates a subset of
   &#8477;<sup>n</sup>, the Lebesgue measure, and the
   integer lattice &#8484;<sup>n</sup>: It states that
   any convex subset of &#8477;<sup>n</sup> with volume
   greater than 2<sup>n</sup> contains at least one lattice
   point from &#8484;<sup>n</sup>\{0}, i.&thinsp;e. a
   non-zero point with integer coefficients.</p>  <p>A
   related theorem which directly implies this is Blichfeldt's
   theorem, which states that any subset of
   &#8477;<sup>n</sup> with a volume greater than 1
   contains two different points whose difference vector has integer
   components.</p>  <p>The entry contains a proof of both
   theorems.</p>
 
 [Name_Carrying_Type_Inference]
 title = Verified Metatheory and Type Inference for a Name-Carrying Simply-Typed Lambda Calculus
 author = Michael Rawson <mailto:michaelrawson76@gmail.com>
 topic = Computer science/Programming languages/Type systems
 date = 2017-07-09
 notify = mr644@cam.ac.uk, michaelrawson76@gmail.com
 abstract =
   I formalise a Church-style simply-typed
   \(\lambda\)-calculus, extended with pairs, a unit value, and
   projection functions, and show some metatheory of the calculus, such
   as the subject reduction property. Particular attention is paid to the
   treatment of names in the calculus. A nominal style of binding is
   used, but I use a manual approach over Nominal Isabelle in order to
   extract an executable type inference algorithm. More information can
   be found in my <a
   href="http://www.openthesis.org/documents/Verified-Metatheory-Type-Inference-Simply-603182.html">undergraduate
   dissertation</a>.
 
 [Propositional_Proof_Systems]
 title = Propositional Proof Systems
 author = Julius Michaelis <http://liftm.de>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 topic = Logic/Proof theory
 date = 2017-06-21
 notify = maintainafpppt@liftm.de
 abstract =
   We formalize a range of proof systems for classical propositional
   logic (sequent calculus, natural deduction, Hilbert systems,
   resolution) and prove the most important meta-theoretic results about
   semantics and proofs: compactness, soundness, completeness,
   translations between proof systems, cut-elimination, interpolation and
   model existence.
 
 [Optics]
 title = Optics
 author = Simon Foster <mailto:simon.foster@york.ac.uk>, Frank Zeyda <mailto:frank.zeyda@york.ac.uk>
 topic = Computer science/Functional programming, Mathematics/Algebra
 date = 2017-05-25
 notify = simon.foster@york.ac.uk
 abstract =
   Lenses provide an abstract interface for manipulating data types
   through spatially-separated views. They are defined abstractly in
   terms of two functions, <em>get</em>, the return a value
   from the source type, and <em>put</em> that updates the
   value. We mechanise the underlying theory of lenses, in terms of an
   algebraic hierarchy of lenses, including well-behaved and very
   well-behaved lenses, each lens class being characterised by a set of
   lens laws. We also mechanise a lens algebra in Isabelle that enables
   their composition and comparison, so as to allow construction of
   complex lenses. This is accompanied by a large library of algebraic
   laws. Moreover we also show how the lens classes can be applied by
   instantiating them with a number of Isabelle data types.
 extra-history =
 	Change history:
 	[2020-03-02]:
 	Added partial bijective and symmetric lenses.
         Improved alphabet command generating additional lenses and results.
         Several additional lens relations, including observational equivalence.
         Additional theorems throughout.
         Adaptations for Isabelle 2020.
         (revision 44e2e5c)
 
 [Game_Based_Crypto]
 title = Game-based cryptography in HOL
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>, S. Reza Sefidgar <>, Bhargav Bhatt <mailto:bhargav.bhatt@inf.ethz.ch>
 topic = Computer science/Security/Cryptography
 date = 2017-05-05
 notify = mail@andreas-lochbihler.de
 abstract =
   <p>In this AFP entry, we show how to specify game-based cryptographic
   security notions and formally prove secure several cryptographic
   constructions from the literature using the CryptHOL framework. Among
   others, we formalise the notions of a random oracle, a pseudo-random
   function, an unpredictable function, and of encryption schemes that are
   indistinguishable under chosen plaintext and/or ciphertext attacks. We
   prove the random-permutation/random-function switching lemma, security
   of the Elgamal and hashed Elgamal public-key encryption scheme and
   correctness and security of several constructions with pseudo-random
   functions.
   </p><p>Our proofs follow the game-hopping style advocated by
   Shoup and Bellare and Rogaway, from which most of the examples have
   been taken. We generalise some of their results such that they can be
   reused in other proofs. Thanks to CryptHOL's integration with
   Isabelle's parametricity infrastructure, many simple hops are easily
   justified using the theory of representation independence.</p>
 extra-history =
 	Change history:
 	[2018-09-28]:
 	added the CryptHOL tutorial for game-based cryptography
 	(revision 489a395764ae)
 
 [Multi_Party_Computation]
 title = Multi-Party Computation
 author = David Aspinall <http://homepages.inf.ed.ac.uk/da/>, David Butler <mailto:dbutler@turing.ac.uk>
 topic = Computer science/Security
 date = 2019-05-09
 notify = dbutler@turing.ac.uk
 abstract =
   We use CryptHOL to consider Multi-Party Computation (MPC) protocols.
   MPC was first considered by Yao in 1983 and recent advances in
   efficiency and an increased demand mean it is now deployed in the real
   world. Security is considered using the real/ideal world paradigm. We
   first define security in the semi-honest security setting where
   parties are assumed not to deviate from the protocol transcript. In
   this setting we prove multiple Oblivious Transfer (OT) protocols
   secure and then show security for the gates of the GMW protocol. We
   then define malicious security, this is a stronger notion of security
   where parties are assumed to be fully corrupted by an adversary. In
   this setting we again consider OT, as it is a fundamental building
   block of almost all MPC protocols.
 
 [Sigma_Commit_Crypto]
 title = Sigma Protocols and Commitment Schemes
 author = David Butler <https://www.turing.ac.uk/people/doctoral-students/david-butler>, Andreas Lochbihler <http://www.andreas-lochbihler.de>
 topic = Computer science/Security/Cryptography
 date = 2019-10-07
 notify = dbutler@turing.ac.uk
 abstract =
   We use CryptHOL to formalise commitment schemes and Sigma-protocols.
   Both are widely used fundamental two party cryptographic primitives.
   Security for commitment schemes is considered using game-based
   definitions whereas the security of Sigma-protocols is considered
   using both the game-based and simulation-based security paradigms. In
   this work, we first define security for both primitives and then prove
   secure multiple case studies: the Schnorr, Chaum-Pedersen and
   Okamoto Sigma-protocols as well as a construction that allows for
   compound (AND and OR statements) Sigma-protocols and the Pedersen and
   Rivest commitment schemes. We also prove that commitment schemes can
   be constructed from Sigma-protocols. We formalise this proof at an
   abstract level, only assuming the existence of a Sigma-protocol;
   consequently, the instantiations of this result for the concrete
   Sigma-protocols we consider come for free.
 
 [CryptHOL]
 title = CryptHOL
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>
 topic = Computer science/Security/Cryptography, Computer science/Functional programming, Mathematics/Probability theory
 date = 2017-05-05
 notify = mail@andreas-lochbihler.de
 abstract =
   <p>CryptHOL provides a framework for formalising cryptographic arguments
   in Isabelle/HOL. It shallowly embeds a probabilistic functional
   programming language in higher order logic. The language features
   monadic sequencing, recursion, random sampling, failures and failure
   handling, and black-box access to oracles. Oracles are probabilistic
   functions which maintain hidden state between different invocations.
   All operators are defined in the new semantic domain of
   generative probabilistic values, a codatatype. We derive proof rules for
   the operators and establish a connection with the theory of relational
   parametricity. Thus, the resuting proofs are trustworthy and
   comprehensible, and the framework is extensible and widely applicable.
   </p><p>
   The framework is used in the accompanying AFP entry "Game-based
   Cryptography in HOL". There, we show-case our framework by formalizing
   different game-based proofs from the literature. This formalisation
   continues the work described in the author's ESOP 2016 paper.</p>
 
 [Constructive_Cryptography]
 title = Constructive Cryptography in HOL
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de/>, S. Reza Sefidgar<>
 topic = Computer science/Security/Cryptography, Mathematics/Probability theory
 date = 2018-12-17
 notify = mail@andreas-lochbihler.de, reza.sefidgar@inf.ethz.ch
 abstract =
   Inspired by Abstract Cryptography, we extend CryptHOL, a framework for
   formalizing game-based proofs, with an abstract model of Random
   Systems and provide proof rules about their composition and equality.
   This foundation facilitates the formalization of Constructive
   Cryptography proofs, where the security of a cryptographic scheme is
   realized as a special form of construction in which a complex random
   system is built from simpler ones. This is a first step towards a
   fully-featured compositional framework, similar to Universal
   Composability framework, that supports formalization of
   simulation-based proofs.
 
 [Probabilistic_While]
 title = Probabilistic while loop
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>
 topic = Computer science/Functional programming, Mathematics/Probability theory, Computer science/Algorithms
 date = 2017-05-05
 notify = mail@andreas-lochbihler.de
 abstract =
   This AFP entry defines a probabilistic while operator based on
   sub-probability mass functions and formalises zero-one laws and variant
   rules for probabilistic loop termination. As applications, we
   implement probabilistic algorithms for the Bernoulli, geometric and
   arbitrary uniform distributions that only use fair coin flips, and
   prove them correct and terminating with probability 1.
 extra-history =
 	Change history:
 	[2018-02-02]:
 	Added a proof that probabilistic conditioning can be implemented by repeated sampling.
 	(revision 305867c4e911)<br>
 
 
 [Monad_Normalisation]
 title = Monad normalisation
 author = Joshua Schneider <>, Manuel Eberl <https://www21.in.tum.de/~eberlm>, Andreas Lochbihler <http://www.andreas-lochbihler.de>
 topic = Tools, Computer science/Functional programming, Logic/Rewriting
 date = 2017-05-05
 notify = mail@andreas-lochbihler.de
 abstract =
   The usual monad laws can directly be used as rewrite rules for Isabelle’s
   simplifier to normalise monadic HOL terms and decide equivalences.
   In a commutative monad, however, the commutativity law is a
   higher-order permutative rewrite rule that makes the simplifier loop.
   This AFP entry implements a simproc that normalises monadic
   expressions in commutative monads using ordered rewriting. The
   simproc can also permute computations across control operators like if
   and case.
 
 [Monomorphic_Monad]
 title = Effect polymorphism in higher-order logic
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>
 topic = Computer science/Functional programming
 date = 2017-05-05
 notify = mail@andreas-lochbihler.de
 abstract =
   The notion of a monad cannot be expressed within higher-order logic
   (HOL) due to type system restrictions. We show that if a monad is used
   with values of only one type, this notion can be formalised in HOL.
   Based on this idea, we develop a library of effect specifications and
   implementations of monads and monad transformers. Hence, we can
   abstract over the concrete monad in HOL definitions and thus use the
   same definition for different (combinations of) effects. We illustrate
   the usefulness of effect polymorphism with a monadic interpreter for a
   simple language.
 extra-history =
 	Change history:
 	[2018-02-15]:
 	added further specifications and implementations of non-determinism;
         more examples
 	(revision bc5399eea78e)<br>
 
 
 [Constructor_Funs]
 title = Constructor Functions
 author = Lars Hupel <https://www21.in.tum.de/~hupel/>
 topic = Tools
 date = 2017-04-19
 notify = hupel@in.tum.de
 abstract =
   Isabelle's code generator performs various adaptations for target
   languages. Among others, constructor applications have to be fully
   saturated. That means that for constructor calls occuring as arguments
   to higher-order functions, synthetic lambdas have to be inserted. This
   entry provides tooling to avoid this construction altogether by
   introducing constructor functions.
 
 [Lazy_Case]
 title = Lazifying case constants
 author = Lars Hupel <https://www21.in.tum.de/~hupel/>
 topic = Tools
 date = 2017-04-18
 notify = hupel@in.tum.de
 abstract =
   Isabelle's code generator performs various adaptations for target
   languages. Among others, case statements are printed as match
   expressions. Internally, this is a sophisticated procedure, because in
   HOL, case statements are represented as nested calls to the case
   combinators as generated by the datatype package. Furthermore, the
   procedure relies on laziness of match expressions in the target
   language, i.e., that branches guarded by patterns that fail to match
   are not evaluated. Similarly, <tt>if-then-else</tt> is
   printed to the corresponding construct in the target language. This
   entry provides tooling to replace these special cases in the code
   generator by ignoring these target language features, instead printing
   case expressions and <tt>if-then-else</tt> as functions.
 
 [Dict_Construction]
 title = Dictionary Construction
 author = Lars Hupel <https://www21.in.tum.de/~hupel/>
 topic = Tools
 date = 2017-05-24
 notify = hupel@in.tum.de
 abstract =
   Isabelle's code generator natively supports type classes. For
   targets that do not have language support for classes and instances,
   it performs the well-known dictionary translation, as described by
   Haftmann and Nipkow. This translation happens outside the logic, i.e.,
   there is no guarantee that it is correct, besides the pen-and-paper
   proof. This work implements a certified dictionary translation that
   produces new class-free constants and derives equality theorems.
 
 [Higher_Order_Terms]
 title = An Algebra for Higher-Order Terms
 author = Lars Hupel <https://lars.hupel.info/>
 contributors = Yu Zhang <>
 topic = Computer science/Programming languages/Lambda calculi
 date = 2019-01-15
 notify = lars@hupel.info
 abstract =
   In this formalization, I introduce a higher-order term algebra,
   generalizing the notions of free variables, matching, and
   substitution. The need arose from the work on a <a
   href="http://dx.doi.org/10.1007/978-3-319-89884-1_35">verified
   compiler from Isabelle to CakeML</a>. Terms can be thought of as
   consisting of a generic (free variables, constants, application) and
   a specific part. As example applications, this entry provides
   instantiations for de-Bruijn terms, terms with named variables, and
   <a
   href="https://www.isa-afp.org/entries/Lambda_Free_RPOs.html">Blanchette’s
   &lambda;-free higher-order terms</a>. Furthermore, I
   implement translation functions between de-Bruijn terms and named
   terms and prove their correctness.
 
 [Subresultants]
 title = Subresultants
 author = Sebastiaan Joosten <mailto:sebastiaan.joosten@uibk.ac.at>, René Thiemann <mailto:rene.thiemann@uibk.ac.at>, Akihisa Yamada <mailto:akihisa.yamada@uibk.ac.at>
 topic = Mathematics/Algebra
 date = 2017-04-06
 notify = rene.thiemann@uibk.ac.at
 abstract =
   We formalize the theory of subresultants and the subresultant
   polynomial remainder sequence as described by Brown and Traub. As a
   result, we obtain efficient certified algorithms for computing the
   resultant and the greatest common divisor of polynomials.
 
 [Comparison_Sort_Lower_Bound]
 title = Lower bound on comparison-based sorting algorithms
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Computer science/Algorithms
 date = 2017-03-15
 notify = eberlm@in.tum.de
 abstract =
   <p>This article contains a formal proof of the well-known fact
   that number of comparisons that a comparison-based sorting algorithm
   needs to perform to sort a list of length <em>n</em> is at
   least <em>log<sub>2</sub>&nbsp;(n!)</em>
   in the worst case, i.&thinsp;e.&nbsp;<em>Ω(n log
   n)</em>.</p>  <p>For this purpose, a shallow
   embedding for comparison-based sorting algorithms is defined: a
   sorting algorithm is a recursive datatype containing either a HOL
   function or a query of a comparison oracle with a continuation
   containing the remaining computation. This makes it possible to force
   the algorithm to use only comparisons and to track the number of
   comparisons made.</p>
 
 [Quick_Sort_Cost]
 title = The number of comparisons in QuickSort
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Computer science/Algorithms
 date = 2017-03-15
 notify = eberlm@in.tum.de
 abstract =
   <p>We give a formal proof of the well-known results about the
   number of comparisons performed by two variants of QuickSort: first,
   the expected number of comparisons of randomised QuickSort
   (i.&thinsp;e.&nbsp;QuickSort with random pivot choice) is
   <em>2&thinsp;(n+1)&thinsp;H<sub>n</sub> -
   4&thinsp;n</em>, which is asymptotically equivalent to
   <em>2&thinsp;n ln n</em>; second, the number of
   comparisons performed by the classic non-randomised QuickSort has the
   same distribution in the average case as the randomised one.</p>
 
 [Random_BSTs]
 title = Expected Shape of Random Binary Search Trees
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Computer science/Data structures
 date = 2017-04-04
 notify = eberlm@in.tum.de
 abstract =
   <p>This entry contains proofs for the textbook results about the
   distributions of the height and internal path length of random binary
   search trees (BSTs), i.&thinsp;e. BSTs that are formed by taking
   an empty BST and inserting elements from a fixed set in random
   order.</p>  <p>In particular, we prove a logarithmic upper
   bound on the expected height and the <em>Θ(n log n)</em>
   closed-form solution for the expected internal path length in terms of
   the harmonic numbers. We also show how the internal path length
   relates to the average-case cost of a lookup in a BST.</p>
 
 [Randomised_BSTs]
 title = Randomised Binary Search Trees
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Computer science/Data structures
 date = 2018-10-19
 notify = eberlm@in.tum.de
 abstract =
   <p>This work is a formalisation of the Randomised Binary Search
   Trees introduced by Martínez and Roura, including definitions and
   correctness proofs.</p> <p>Like randomised treaps, they
   are a probabilistic data structure that behaves exactly as if elements
   were inserted into a non-balancing BST in random order. However,
   unlike treaps, they only use discrete probability distributions, but
   their use of randomness is more complicated.</p>
 
 [E_Transcendental]
 title = The Transcendence of e
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Analysis, Mathematics/Number theory
 date = 2017-01-12
 notify = eberlm@in.tum.de
 abstract =
   <p>This work contains a proof that Euler's number e is transcendental. The
   proof follows the standard approach of assuming that e is algebraic and
   then using a specific integer polynomial to derive two inconsistent bounds,
   leading to a contradiction.</p> <p>This kind of approach can be found in
   many different sources; this formalisation mostly follows a <a  href="http://planetmath.org/proofoflindemannweierstrasstheoremandthateandpiaretranscendental">PlanetMath article</a> by Roger Lipsett.</p>
 
 [Pi_Transcendental]
 title = The Transcendence of π
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory
 date = 2018-09-28
 notify = eberlm@in.tum.de
 abstract =
   <p>This entry shows the transcendence of &pi; based on the
   classic proof using the fundamental theorem of symmetric polynomials
   first given by von Lindemann in 1882, but the formalisation mostly
   follows the version by Niven. The proof reuses much of the machinery
   developed in the AFP entry on the transcendence of
   <em>e</em>.</p>
 
 [DFS_Framework]
 title = A Framework for Verifying Depth-First Search Algorithms
 author = Peter Lammich <http://www21.in.tum.de/~lammich>, René Neumann <mailto:neumannr@in.tum.de>
 notify = lammich@in.tum.de
 date = 2016-07-05
 topic = Computer science/Algorithms/Graph
 abstract =
 	<p>
 	This entry presents a framework for the modular verification of
 	DFS-based algorithms, which is described in our [CPP-2015] paper. It
 	provides a generic DFS algorithm framework, that can be parameterized
 	with user-defined actions on certain events (e.g. discovery of new
 	node).  It comes with an extensible library of invariants, which can
 	be used to derive invariants of a specific parameterization.  Using
 	refinement techniques, efficient implementations of the algorithms can
 	easily be derived. Here, the framework comes with templates for a
 	recursive and a tail-recursive implementation, and also with several
 	templates for implementing the data structures required by the DFS
 	algorithm.  Finally, this entry contains a set of re-usable DFS-based
 	algorithms, which illustrate the application of the framework.
 	</p><p>
 	[CPP-2015] Peter Lammich, René Neumann: A Framework for Verifying
 	Depth-First Search Algorithms. CPP 2015: 137-146</p>
 
 [Flow_Networks]
 title = Flow Networks and the Min-Cut-Max-Flow Theorem
 author = Peter Lammich <http://www21.in.tum.de/~lammich>, S. Reza Sefidgar <>
 topic = Mathematics/Graph theory
 date = 2017-06-01
 notify = lammich@in.tum.de
 abstract =
   We present a formalization of flow networks and the Min-Cut-Max-Flow
   theorem. Our formal proof closely follows a standard textbook proof,
   and is accessible even without being an expert in Isabelle/HOL, the
   interactive theorem prover used for the formalization.
 
 [Prpu_Maxflow]
 title = Formalizing Push-Relabel Algorithms
 author = Peter Lammich <http://www21.in.tum.de/~lammich>, S. Reza Sefidgar <>
 topic = Computer science/Algorithms/Graph, Mathematics/Graph theory
 date = 2017-06-01
 notify = lammich@in.tum.de
 abstract =
   We present a formalization of push-relabel algorithms for computing
   the maximum flow in a network. We start with Goldberg's et
   al.~generic push-relabel algorithm, for which we show correctness and
   the time complexity bound of O(V^2E). We then derive the
   relabel-to-front and FIFO implementation. Using stepwise refinement
   techniques, we derive an efficient verified implementation.  Our
   formal proof of the abstract algorithms closely follows a standard
   textbook proof. It is accessible even without being an expert in
   Isabelle/HOL, the interactive theorem prover used for the
   formalization.
 
 [Buildings]
 title = Chamber Complexes, Coxeter Systems, and Buildings
 author = Jeremy Sylvestre <http://ualberta.ca/~jsylvest/>
 notify = jeremy.sylvestre@ualberta.ca
 date = 2016-07-01
 topic = Mathematics/Algebra, Mathematics/Geometry
 abstract =
 	We provide a basic formal framework for the theory of chamber
 	complexes and Coxeter systems, and for buildings as thick chamber
 	complexes endowed with a system of apartments. Along the way, we
 	develop some of the general theory of abstract simplicial complexes
 	and of groups (relying on the <i>group_add</i> class for the basics),
 	including free groups and group presentations, and their universal
 	properties. The main results verified are that the deletion condition
 	is both necessary and sufficient for a group with a set of generators
 	of order two to be a Coxeter system, and that the apartments in a
 	(thick) building are all uniformly Coxeter.
 
 [Algebraic_VCs]
 title = Program Construction and Verification Components Based on Kleene Algebra
 author = Victor B. F. Gomes <mailto:victor.gomes@cl.cam.ac.uk>, Georg Struth <mailto:g.struth@sheffield.ac.uk>
 notify = victor.gomes@cl.cam.ac.uk, g.struth@sheffield.ac.uk
 date = 2016-06-18
 topic = Mathematics/Algebra
 abstract =
 	Variants of Kleene algebra support program construction and
 	verification by algebraic reasoning. This entry provides a
 	verification component for Hoare logic based on Kleene algebra with
 	tests, verification components for weakest preconditions and strongest
 	postconditions based on Kleene algebra with domain and a component for
 	step-wise refinement based on refinement Kleene algebra with tests. In
 	addition to these components for the partial correctness of while
 	programs, a verification component for total correctness based on
 	divergence Kleene algebras and one for (partial correctness) of
 	recursive programs based on domain quantales are provided. Finally we
 	have integrated memory models for programs with pointers and a program
 	trace semantics into the weakest precondition component.
 
 [C2KA_DistributedSystems]
 title = Communicating Concurrent Kleene Algebra for Distributed Systems Specification
 author = Maxime Buyse <mailto:maxime.buyse@polytechnique.edu>, Jason Jaskolka <https://carleton.ca/jaskolka/>
 topic = Computer science/Automata and formal languages, Mathematics/Algebra
 date = 2019-08-06
 notify = maxime.buyse@polytechnique.edu, jason.jaskolka@carleton.ca
 abstract =
   Communicating Concurrent Kleene Algebra (C²KA) is a mathematical
   framework for capturing the communicating and concurrent behaviour of
   agents in distributed systems. It extends Hoare et al.'s
   Concurrent Kleene Algebra (CKA) with communication actions through the
   notions of stimuli and shared environments. C²KA has applications in
   studying system-level properties of distributed systems such as
   safety, security, and reliability. In this work, we formalize results
   about C²KA and its application for distributed systems specification.
   We first formalize the stimulus structure and behaviour structure
   (CKA). Next, we combine them to formalize C²KA and its properties.
   Then, we formalize notions and properties related to the topology of
   distributed systems and the potential for communication via stimuli
   and via shared environments of agents, all within the algebraic
   setting of C²KA.
 
 [Card_Equiv_Relations]
 title = Cardinality of Equivalence Relations
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 notify = lukas.bulwahn@gmail.com
 date = 2016-05-24
 topic = Mathematics/Combinatorics
 abstract =
 	This entry provides formulae for counting the number of equivalence
 	relations and partial equivalence relations over a finite carrier set
 	with given cardinality.  To count the number of equivalence relations,
 	we provide bijections between equivalence relations and set
 	partitions, and then transfer the main results of the two AFP entries,
 	Cardinality of Set Partitions and Spivey's Generalized Recurrence for
 	Bell Numbers, to theorems on equivalence relations. To count the
 	number of partial equivalence relations, we observe that counting
 	partial equivalence relations over a set A is equivalent to counting
 	all equivalence relations over all subsets of the set A. From this
 	observation and the results on equivalence relations, we show that the
 	cardinality of partial equivalence relations over a finite set of
 	cardinality n is equal to the n+1-th Bell number.
 
 [Twelvefold_Way]
 title = The Twelvefold Way
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 topic = Mathematics/Combinatorics
 date = 2016-12-29
 notify = lukas.bulwahn@gmail.com
 abstract =
   This entry provides all cardinality theorems of the Twelvefold Way.
   The Twelvefold Way systematically classifies twelve related
   combinatorial problems concerning two finite sets, which include
   counting permutations, combinations, multisets, set partitions and
   number partitions. This development builds upon the existing formal
   developments with cardinality theorems for those structures. It
   provides twelve bijections from the various structures to different
   equivalence classes on finite functions, and hence, proves cardinality
   formulae for these equivalence classes on finite functions.
 
 [Chord_Segments]
 title = Intersecting Chords Theorem
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 notify = lukas.bulwahn@gmail.com
 date = 2016-10-11
 topic = Mathematics/Geometry
 abstract =
 	This entry provides a geometric proof of the intersecting chords
 	theorem. The theorem states that when two chords intersect each other
 	inside a circle, the products of their segments are equal.  After a
 	short review of existing proofs in the literature, I decided to use a
 	proof approach that employs reasoning about lengths of line segments,
 	the orthogonality of two lines and the Pythagoras Law. Hence, one can
 	understand the formalized proof easily with the knowledge of a few
 	general geometric facts that are commonly taught in high-school.  This
 	theorem is the 55th theorem of the Top 100 Theorems list.
 
 [Category3]
 title = Category Theory with Adjunctions and Limits
 author = Eugene W. Stark <mailto:stark@cs.stonybrook.edu>
 notify = stark@cs.stonybrook.edu
 date = 2016-06-26
 topic = Mathematics/Category theory
 abstract =
 	This article attempts to develop a usable framework for doing category
 	theory in Isabelle/HOL.  Our point of view, which to some extent
 	differs from that of the previous AFP articles on the subject, is to
 	try to explore how category theory can be done efficaciously within
 	HOL, rather than trying to match exactly the way things are done using
 	a traditional approach.  To this end, we define the notion of category
 	in an "object-free" style, in which a category is represented by a
 	single partial composition operation on arrows.  This way of defining
 	categories provides some advantages in the context of HOL, including
 	the ability to avoid the use of records and the possibility of
 	defining functors and natural transformations simply as certain
 	functions on arrows, rather than as composite objects.  We define
 	various constructions associated with the basic notions, including:
 	dual category, product category, functor category, discrete category,
 	free category, functor composition, and horizontal and vertical
 	composite of natural transformations.  A "set category" locale is
 	defined that axiomatizes the notion "category of all sets at a type
 	and all functions between them," and a fairly extensive set of
 	properties of set categories is derived from the locale assumptions.
 	The notion of a set category is used to prove the Yoneda Lemma in a
 	general setting of a category equipped with a "hom embedding," which
 	maps arrows of the category to the "universe" of the set category.  We
 	also give a treatment of adjunctions, defining adjunctions via left
 	and right adjoint functors, natural bijections between hom-sets, and
 	unit and counit natural transformations, and showing the equivalence
 	of these definitions.  We also develop the theory of limits, including
 	representations of functors, diagrams and cones, and diagonal
 	functors.  We show that right adjoint functors preserve limits, and
 	that limits can be constructed via products and equalizers.  We
 	characterize the conditions under which limits exist in a set
 	category. We also examine the case of limits in a functor category,
 	ultimately culminating in a proof that the Yoneda embedding preserves
 	limits.
 extra-history =
 	Change history:
 	[2018-05-29]:
 	Revised axioms for the category locale.  Introduced notation for composition and "in hom".
 	(revision 8318366d4575)<br>
 	[2020-02-15]:
 	Move ConcreteCategory.thy from Bicategory to Category3 and use it systematically.
 	Make other minor improvements throughout.
 	(revision a51840d36867)<br>
 
 [MonoidalCategory]
 title = Monoidal Categories
 author = Eugene W. Stark <mailto:stark@cs.stonybrook.edu>
 topic = Mathematics/Category theory
 date = 2017-05-04
 notify = stark@cs.stonybrook.edu
 abstract =
   Building on the formalization of basic category theory set out in the
   author's previous AFP article, the present article formalizes
   some basic aspects of the theory of monoidal categories. Among the
   notions defined here are monoidal category, monoidal functor, and
   equivalence of monoidal categories. The main theorems formalized are
   MacLane's coherence theorem and the constructions of the free
   monoidal category and free strict monoidal category generated by a
   given category.  The coherence theorem is proved syntactically, using
   a structurally recursive approach to reduction of terms that might
   have some novel aspects. We also give proofs of some results given by
   Etingof et al, which may prove useful in a formal setting. In
   particular, we show that the left and right unitors need not be taken
   as given data in the definition of monoidal category, nor does the
   definition of monoidal functor need to take as given a specific
   isomorphism expressing the preservation of the unit object. Our
   definitions of monoidal category and monoidal functor are stated so as
   to take advantage of the economy afforded by these facts.
 extra-history =
 	Change history:
 	[2017-05-18]:
 	Integrated material from MonoidalCategory/Category3Adapter into Category3/ and deleted adapter.
 	(revision 015543cdd069)<br>
 	[2018-05-29]:
 	Modifications required due to 'Category3' changes.  Introduced notation for "in hom".
 	(revision 8318366d4575)<br>
 	[2020-02-15]:
 	Cosmetic improvements.
 	(revision a51840d36867)<br>
 
 [Card_Multisets]
 title = Cardinality of Multisets
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 notify = lukas.bulwahn@gmail.com
 date = 2016-06-26
 topic = Mathematics/Combinatorics
 abstract =
 	<p>This entry provides three lemmas to count the number of multisets
 	of a given size and finite carrier set. The first lemma provides a
 	cardinality formula assuming that the multiset's elements are chosen
 	from the given carrier set. The latter two lemmas provide formulas
 	assuming that the multiset's elements also cover the given carrier
 	set, i.e., each element of the carrier set occurs in the multiset at
 	least once.</p>  <p>The proof of the first lemma uses the argument of
 	the recurrence relation for counting multisets. The proof of the
 	second lemma is straightforward, and the proof of the third lemma is
 	easily obtained using the first cardinality lemma. A challenge for the
 	formalization is the derivation of the required induction rule, which
 	is a special combination of the induction rules for finite sets and
 	natural numbers. The induction rule is derived by defining a suitable
 	inductive predicate and transforming the predicate's induction
 	rule.</p>
 
 [Posix-Lexing]
 title = POSIX Lexing with Derivatives of Regular Expressions
 author = Fahad Ausaf <http://kcl.academia.edu/FahadAusaf>, Roy Dyckhoff <https://rd.host.cs.st-andrews.ac.uk>, Christian Urban <http://www.inf.kcl.ac.uk/staff/urbanc/>
 notify = christian.urban@kcl.ac.uk
 date = 2016-05-24
 topic = Computer science/Automata and formal languages
 abstract =
 	Brzozowski introduced the notion of derivatives for regular
 	expressions. They can be used for a very simple regular expression
 	matching algorithm. Sulzmann and Lu cleverly extended this algorithm
 	in order to deal with POSIX matching, which is the underlying
 	disambiguation strategy for regular expressions needed in lexers. In
 	this entry we give our inductive definition of what a POSIX value is
 	and show (i) that such a value is unique (for given regular expression
 	and string being matched) and (ii) that Sulzmann and Lu's algorithm
 	always generates such a value (provided that the regular expression
 	matches the string). We also prove the correctness of an optimised
 	version of the POSIX matching algorithm.
 
 [LocalLexing]
 title = Local Lexing
 author = Steven Obua <mailto:steven@recursivemind.com>
 topic = Computer science/Automata and formal languages
 date = 2017-04-28
 notify = steven@recursivemind.com
 abstract =
   This formalisation accompanies the paper <a
   href="https://arxiv.org/abs/1702.03277">Local
   Lexing</a> which introduces a novel parsing concept of the same
   name. The paper also gives a high-level algorithm for local lexing as
   an extension of Earley's algorithm. This formalisation proves the
   algorithm to be correct with respect to its local lexing semantics. As
   a special case, this formalisation thus also contains a proof of the
   correctness of Earley's algorithm. The paper contains a short
   outline of how this formalisation is organised.
 
 [MFMC_Countable]
 title = A Formal Proof of the Max-Flow Min-Cut Theorem for Countable Networks
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>
 date = 2016-05-09
 topic = Mathematics/Graph theory
 abstract =
 	This article formalises a proof of the maximum-flow minimal-cut
 	theorem for networks with countably many edges.  A network is a
 	directed graph with non-negative real-valued edge labels and two
 	dedicated vertices, the source and the sink.  A flow in a network
 	assigns non-negative real numbers to the edges such that for all
 	vertices except for the source and the sink, the sum of values on
 	incoming edges equals the sum of values on outgoing edges.  A cut is a
 	subset of the vertices which contains the source, but not the sink.
 	Our theorem states that in every network, there is a flow and a cut
 	such that the flow saturates all the edges going out of the cut and is
 	zero on all the incoming edges.  The proof is based on the paper
 	<emph>The Max-Flow Min-Cut theorem for countable networks</emph> by
 	Aharoni et al.  Additionally, we prove a characterisation of the
 	lifting operation for relations on discrete probability distributions,
 	which leads to a concise proof of its distributivity over relation
 	composition.
 notify = mail@andreas-lochbihler.de
 extra-history =
 	Change history:
 	[2017-09-06]:
 	derive characterisation for the lifting operations on discrete distributions from finite version of the max-flow min-cut theorem
 	(revision a7a198f5bab0)<br>
 
 
 [Liouville_Numbers]
 title = Liouville numbers
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 date = 2015-12-28
 topic = Mathematics/Analysis, Mathematics/Number theory
 abstract =
 	<p>
 	Liouville numbers are a class of transcendental numbers that can be approximated
 	particularly well with rational numbers. Historically, they were the first
 	numbers whose transcendence was proven.
 	</p><p>
 	In this entry, we define the concept of Liouville numbers as well as the
 	standard construction to obtain Liouville numbers (including Liouville's
 	constant) and we prove their most important properties: irrationality and
 	transcendence.
 	</p><p>
 	The proof is very elementary and requires only standard arithmetic, the Mean
 	Value Theorem for polynomials, and the boundedness of polynomials on compact
 	intervals.
 	</p>
 notify = eberlm@in.tum.de
 
 [Triangle]
 title = Basic Geometric Properties of Triangles
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 date = 2015-12-28
 topic = Mathematics/Geometry
 abstract =
 	<p>
 	This entry contains a definition of angles between vectors and between three
 	points. Building on this, we prove basic geometric properties of triangles, such
 	as the Isosceles Triangle Theorem, the Law of Sines and the Law of Cosines, that
 	the sum of the angles of a triangle is π, and the congruence theorems for
 	triangles.
 	</p><p>
 	The definitions and proofs were developed following those by John Harrison in
 	HOL Light. However, due to Isabelle's type class system, all definitions and
 	theorems in the Isabelle formalisation hold for all real inner product spaces.
 	</p>
 notify = eberlm@in.tum.de
 
 [Prime_Harmonic_Series]
 title = The Divergence of the Prime Harmonic Series
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 date = 2015-12-28
 topic = Mathematics/Number theory
 abstract =
 	<p>
 	In this work, we prove the lower bound <span class="nobr">ln(H_n) -
 	ln(5/3)</span> for the
 	partial sum of the Prime Harmonic series and, based on this, the divergence of
 	the Prime Harmonic Series
 	<span class="nobr">∑[p&thinsp;prime]&thinsp;·&thinsp;1/p.</span>
 	</p><p>
 	The proof relies on the unique squarefree decomposition of natural numbers. This
 	is similar to Euler's original proof (which was highly informal and morally
 	questionable). Its advantage over proofs by contradiction, like the famous one
 	by Paul Erdős, is that it provides a relatively good lower bound for the partial
 	sums.
 	</p>
 notify = eberlm@in.tum.de
 
 [Descartes_Sign_Rule]
 title = Descartes' Rule of Signs
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 date = 2015-12-28
 topic = Mathematics/Analysis
 abstract =
 	<p>
 	Descartes' Rule of Signs relates the number of positive real roots of a
 	polynomial with the number of sign changes in its coefficient sequence.
 	</p><p>
 	Our proof follows the simple inductive proof given by Rob Arthan, which was also
 	used by John Harrison in his HOL Light formalisation. We proved most of the
 	lemmas for arbitrary linearly-ordered integrity domains (e.g. integers,
 	rationals, reals); the main result, however, requires the intermediate value
 	theorem and was therefore only proven for real polynomials.
 	</p>
 notify = eberlm@in.tum.de
 
 [Euler_MacLaurin]
 title = The Euler–MacLaurin Formula
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Analysis
 date = 2017-03-10
 notify = eberlm@in.tum.de
 abstract =
   <p>The Euler-MacLaurin formula relates the value of a
   discrete sum to that of the corresponding integral in terms of the
   derivatives at the borders of the summation and a remainder term.
   Since the remainder term is often very small as the summation bounds
   grow, this can be used to compute asymptotic expansions for
   sums.</p>  <p>This entry contains a proof of this formula
   for functions from the reals to an arbitrary Banach space. Two
   variants of the formula are given: the standard textbook version and a
   variant outlined in <em>Concrete Mathematics</em> that is
   more useful for deriving asymptotic estimates.</p>  <p>As
   example applications, we use that formula to derive the full
   asymptotic expansion of the harmonic numbers and the sum of inverse
   squares.</p>
 
 [Card_Partitions]
 title = Cardinality of Set Partitions
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 date = 2015-12-12
 topic = Mathematics/Combinatorics
 abstract =
 	The theory's main theorem states that the cardinality of set partitions of
 	size k on a carrier set of size n is expressed by Stirling numbers of the
 	second kind. In Isabelle, Stirling numbers of the second kind are defined
 	in the AFP entry `Discrete Summation` through their well-known recurrence
 	relation. The main theorem relates them to the alternative definition as
 	cardinality of set partitions. The proof follows the simple and short
 	explanation in Richard P. Stanley's `Enumerative Combinatorics: Volume 1`
 	and Wikipedia, and unravels the full details and implicit reasoning steps
 	of these explanations.
 notify = lukas.bulwahn@gmail.com
 
 [Card_Number_Partitions]
 title = Cardinality of Number Partitions
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 date = 2016-01-14
 topic = Mathematics/Combinatorics
 abstract =
 	This entry provides a basic library for number partitions, defines the
 	two-argument partition function through its recurrence relation and relates
 	this partition function to the cardinality of number partitions. The main
 	proof shows that the recursively-defined partition function with arguments
 	n and k equals the cardinality of number partitions of n with exactly k parts.
 	The combinatorial proof follows the proof sketch of Theorem 2.4.1 in
 	Mazur's textbook `Combinatorics: A Guided Tour`. This entry can serve as
 	starting point for various more intrinsic properties about number partitions,
 	the partition function and related recurrence relations.
 notify = lukas.bulwahn@gmail.com
 
 [Multirelations]
 title = Binary Multirelations
 author = Hitoshi Furusawa <http://www.sci.kagoshima-u.ac.jp/~furusawa/>, Georg Struth <http://www.dcs.shef.ac.uk/~georg>
 date = 2015-06-11
 topic = Mathematics/Algebra
 abstract =
 	Binary multirelations associate elements of a set with its subsets; hence
 	they are binary relations from a set to its power set. Applications include
 	alternating automata, models and logics for games, program semantics with
 	dual demonic and angelic nondeterministic choices and concurrent dynamic
 	logics. This proof document supports an arXiv article that formalises the
 	basic algebra of multirelations and proposes axiom systems for them,
 	ranging from weak bi-monoids to weak bi-quantales.
 notify =
 
 [Noninterference_Generic_Unwinding]
 title = The Generic Unwinding Theorem for CSP Noninterference Security
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 date = 2015-06-11
 topic = Computer science/Security, Computer science/Concurrency/Process calculi
 abstract =
 	<p>
 	The classical definition of noninterference security for a deterministic state
 	machine with outputs requires to consider the outputs produced by machine
 	actions after any trace, i.e. any indefinitely long sequence of actions, of the
 	machine. In order to render the verification of the security of such a machine
 	more straightforward, there is a need of some sufficient condition for security
 	such that just individual actions, rather than unbounded sequences of actions,
 	have to be considered.
 	</p><p>
 	By extending previous results applying to transitive noninterference policies,
 	Rushby has proven an unwinding theorem that provides a sufficient condition of
 	this kind in the general case of a possibly intransitive policy. This condition
 	has to be satisfied by a generic function mapping security domains into
 	equivalence relations over machine states.
 	</p><p>
 	An analogous problem arises for CSP noninterference security, whose definition
 	requires to consider any possible future, i.e. any indefinitely long sequence of
 	subsequent events and any indefinitely large set of refused events associated to
 	that sequence, for each process trace.
 	</p><p>
 	This paper provides a sufficient condition for CSP noninterference security,
 	which indeed requires to just consider individual accepted and refused events
 	and applies to the general case of a possibly intransitive policy. This
 	condition follows Rushby's one for classical noninterference security, and has
 	to be satisfied by a generic function mapping security domains into equivalence
 	relations over process traces; hence its name, Generic Unwinding Theorem.
 	Variants of this theorem applying to deterministic processes and trace set
 	processes are also proven. Finally, the sufficient condition for security
 	expressed by the theorem is shown not to be a necessary condition as well, viz.
 	there exists a secure process such that no domain-relation map satisfying the
 	condition exists.
 	</p>
 notify =
 
 [Noninterference_Ipurge_Unwinding]
 title = The Ipurge Unwinding Theorem for CSP Noninterference Security
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 date = 2015-06-11
 topic = Computer science/Security
 abstract =
 	<p>
 	The definition of noninterference security for Communicating Sequential
 	Processes requires to consider any possible future, i.e. any indefinitely long
 	sequence of subsequent events and any indefinitely large set of refused events
 	associated to that sequence, for each process trace. In order to render the
 	verification of the security of a process more straightforward, there is a need
 	of some sufficient condition for security such that just individual accepted and
 	refused events, rather than unbounded sequences and sets of events, have to be
 	considered.
 	</p><p>
 	Of course, if such a sufficient condition were necessary as well, it would be
 	even more valuable, since it would permit to prove not only that a process is
 	secure by verifying that the condition holds, but also that a process is not
 	secure by verifying that the condition fails to hold.
 	</p><p>
 	This paper provides a necessary and sufficient condition for CSP noninterference
 	security, which indeed requires to just consider individual accepted and refused
 	events and applies to the general case of a possibly intransitive policy. This
 	condition follows Rushby's output consistency for deterministic state machines
 	with outputs, and has to be satisfied by a specific function mapping security
 	domains into equivalence relations over process traces. The definition of this
 	function makes use of an intransitive purge function following Rushby's one;
 	hence the name given to the condition, Ipurge Unwinding Theorem.
 	</p><p>
 	Furthermore, in accordance with Hoare's formal definition of deterministic
 	processes, it is shown that a process is deterministic just in case it is a
 	trace set process, i.e. it may be identified by means of a trace set alone,
 	matching the set of its traces, in place of a failures-divergences pair. Then,
 	variants of the Ipurge Unwinding Theorem are proven for deterministic processes
 	and trace set processes.
 	</p>
 notify =
 
 [List_Interleaving]
 title = Reasoning about Lists via List Interleaving
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 date = 2015-06-11
 topic = Computer science/Data structures
 abstract =
 	<p>
 	Among the various mathematical tools introduced in his outstanding work on
 	Communicating Sequential Processes, Hoare has defined "interleaves" as the
 	predicate satisfied by any three lists such that the first list may be
 	split into sublists alternately extracted from the other two ones, whatever
 	is the criterion for extracting an item from either one list or the other
 	in each step.
 	</p><p>
 	This paper enriches Hoare's definition by identifying such criterion with
 	the truth value of a predicate taking as inputs the head and the tail of
 	the first list. This enhanced "interleaves" predicate turns out to permit
 	the proof of equalities between lists without the need of an induction.
 	Some rules that allow to infer "interleaves" statements without induction,
 	particularly applying to the addition or removal of a prefix to the input
 	lists, are also proven. Finally, a stronger version of the predicate, named
 	"Interleaves", is shown to fulfil further rules applying to the addition or
 	removal of a suffix to the input lists.
 	</p>
 notify =
 
 [Residuated_Lattices]
 title = Residuated Lattices
 author = Victor B. F. Gomes <mailto:vborgesferreiragomes1@sheffield.ac.uk>, Georg Struth <mailto:g.struth@sheffield.ac.uk>
 date = 2015-04-15
 topic = Mathematics/Algebra
 abstract =
 	The theory of residuated lattices, first proposed by Ward and Dilworth, is
 	formalised in Isabelle/HOL. This includes concepts of residuated functions;
 	their adjoints and conjugates. It also contains necessary and sufficient
 	conditions for the existence of these operations in an arbitrary lattice.
 	The mathematical components for residuated lattices are linked to the AFP
 	entry for relation algebra. In particular, we prove Jonsson and Tsinakis
 	conditions for a residuated boolean algebra to form a relation algebra.
 notify = g.struth@sheffield.ac.uk
 
 [ConcurrentGC]
 title = Relaxing Safely: Verified On-the-Fly Garbage Collection for x86-TSO
 author = Peter Gammie <http://peteg.org>, Tony Hosking <https://www.cs.purdue.edu/homes/hosking/>, Kai Engelhardt <>
 date = 2015-04-13
 topic = Computer science/Algorithms/Concurrent
 abstract =
 	<p>
 	We use ConcurrentIMP to model Schism, a state-of-the-art real-time
 	garbage collection scheme for weak memory, and show that it is safe
 	on x86-TSO.</p>
 	<p>
 	This development accompanies the PLDI 2015 paper of the same name.
 	</p>
 notify = peteg42@gmail.com
 
 [List_Update]
 title = Analysis of List Update Algorithms
 author = Maximilian P.L. Haslbeck <http://in.tum.de/~haslbema/>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2016-02-17
 topic = Computer science/Algorithms/Online
 abstract =
 	<p>
 	These theories formalize the quantitative analysis of a number of classical algorithms for the list update problem: 2-competitiveness of move-to-front, the lower bound of 2 for the competitiveness of deterministic list update algorithms and 1.6-competitiveness of the randomized COMB algorithm, the best randomized list update algorithm known to date.
 	The material is based on the first two chapters of <i>Online Computation
 	and Competitive Analysis</i> by Borodin and El-Yaniv.
 	</p>
 	<p>
 	For an informal description see the FSTTCS 2016 publication
 	<a href="http://www21.in.tum.de/~nipkow/pubs/fsttcs16.html">Verified Analysis of List Update Algorithms</a>
 	by Haslbeck and Nipkow.
 	</p>
 notify = nipkow@in.tum.de
 
 [ConcurrentIMP]
 title = Concurrent IMP
 author = Peter Gammie <http://peteg.org>
 date = 2015-04-13
 topic = Computer science/Programming languages/Logics
 abstract =
 	ConcurrentIMP extends the small imperative language IMP with control
 	non-determinism and constructs for synchronous message passing.
 notify = peteg42@gmail.com
 
 [TortoiseHare]
 title = The Tortoise and Hare Algorithm
 author = Peter Gammie <http://peteg.org>
 date = 2015-11-18
 topic = Computer science/Algorithms
 abstract = We formalize the Tortoise and Hare cycle-finding algorithm ascribed to Floyd by Knuth, and an improved version due to Brent.
 notify = peteg42@gmail.com
 
 [UPF]
 title = The Unified Policy Framework (UPF)
 author = Achim D. Brucker <mailto:adbrucker@0x5f.org>, Lukas Brügger <mailto:lukas.a.bruegger@gmail.com>, Burkhart Wolff <mailto:wolff@lri.fr>
 date = 2014-11-28
 topic = Computer science/Security
 abstract =
 	We present the Unified Policy Framework (UPF), a generic framework
 	for modelling security (access-control) policies. UPF emphasizes
 	the view that a policy is a policy decision function that grants or
 	denies access to resources, permissions, etc. In other words,
 	instead of modelling the relations of permitted or prohibited
 	requests directly, we model the concrete function that implements
 	the policy decision point in a system.  In more detail, UPF is
 	based on the following four principles: 1) Functional representation
 	of policies, 2) No conflicts are possible, 3) Three-valued decision
 	type (allow, deny, undefined), 4) Output type not containing the
 	decision only.
 notify = adbrucker@0x5f.org, wolff@lri.fr, lukas.a.bruegger@gmail.com
 
 [UPF_Firewall]
 title = Formal Network Models and Their Application to Firewall Policies
 author = Achim D. Brucker <https://www.brucker.ch>, Lukas Brügger<>, Burkhart Wolff <https://www.lri.fr/~wolff/>
 topic = Computer science/Security, Computer science/Networks
 date = 2017-01-08
 notify = adbrucker@0x5f.org
 abstract =
   We present a formal model of network protocols and their application
   to modeling firewall policies. The formalization is based on the
   Unified Policy Framework (UPF). The formalization was originally
   developed with for generating test cases for testing the security
   configuration actual firewall and router (middle-boxes) using
   HOL-TestGen. Our work focuses on modeling application level protocols
   on top of tcp/ip.
 
 [AODV]
 title = Loop freedom of the (untimed) AODV routing protocol
 author = Timothy Bourke <http://www.tbrk.org>, Peter Höfner <http://www.hoefner-online.de/>
 date = 2014-10-23
 topic = Computer science/Concurrency/Process calculi
 abstract =
 	<p>
 	The Ad hoc On-demand Distance Vector (AODV) routing protocol allows
 	the nodes in a Mobile Ad hoc Network (MANET) or a Wireless Mesh
 	Network (WMN) to know where to forward data packets. Such a protocol
 	is ‘loop free’ if it never leads to routing decisions that forward
 	packets in circles.
 	<p>
 	This development mechanises an existing pen-and-paper proof of loop
 	freedom of AODV. The protocol is modelled in the Algebra of
 	Wireless Networks (AWN), which is the subject of an earlier paper
 	and AFP mechanization. The proof relies on a novel compositional
 	approach for lifting invariants to networks of nodes.
 	</p><p>
 	We exploit the mechanization to analyse several variants of AODV and
 	show that Isabelle/HOL can re-establish most proof obligations
 	automatically and identify exactly the steps that are no longer valid.
 	</p>
 notify = tim@tbrk.org
 
 [Show]
 title = Haskell's Show Class in Isabelle/HOL
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 date = 2014-07-29
 topic = Computer science/Functional programming
 license = LGPL
 abstract =
 	We implemented a type class for "to-string" functions, similar to
 	Haskell's Show class. Moreover, we provide instantiations for Isabelle/HOL's
 	standard types like bool, prod, sum, nats, ints, and rats. It is further
 	possible, to automatically derive show functions for arbitrary user defined
 	datatypes similar to Haskell's "deriving Show".
 extra-history =
 	Change history:
 	[2015-03-11]: Adapted development to new-style (BNF-based) datatypes.<br>
 	[2015-04-10]: Moved development for old-style datatypes into subdirectory
 	"Old_Datatype".<br>
 notify = christian.sternagel@uibk.ac.at, rene.thiemann@uibk.ac.at
 
 [Certification_Monads]
 title = Certification Monads
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 date = 2014-10-03
 topic = Computer science/Functional programming
 abstract = This entry provides several monads intended for the development of stand-alone certifiers via code generation from Isabelle/HOL. More specifically, there are three flavors of error monads (the sum type, for the case where all monadic functions are total; an instance of the former, the so called check monad, yielding either success without any further information or an error message; as well as a variant of the sum type that accommodates partial functions by providing an explicit bottom element) and a parser monad built on top. All of this monads are heavily used in the IsaFoR/CeTA project which thus provides many examples of their usage.
 notify = c.sternagel@gmail.com, rene.thiemann@uibk.ac.at
 
 [CISC-Kernel]
 title = Formal Specification of a Generic Separation Kernel
 author = Freek Verbeek <mailto:Freek.Verbeek@ou.nl>, Sergey Tverdyshev <mailto:stv@sysgo.com>, Oto Havle <mailto:oha@sysgo.com>, Holger Blasum <mailto:holger.blasum@sysgo.com>, Bruno Langenstein <mailto:langenstein@dfki.de>, Werner Stephan <mailto:stephan@dfki.de>, Yakoub Nemouchi <mailto:nemouchi@lri.fr>, Abderrahmane Feliachi <mailto:abderrahmane.feliachi@lri.fr>, Burkhart Wolff <mailto:wolff@lri.fr>, Julien Schmaltz <mailto:Julien.Schmaltz@ou.nl>
 date = 2014-07-18
 topic = Computer science/Security
 abstract =
 	<p>Intransitive noninterference has been a widely studied topic in the last
 	few decades. Several well-established methodologies apply interactive
 	theorem proving to formulate a noninterference theorem over abstract
 	academic models. In joint work with several industrial and academic partners
 	throughout Europe, we are helping in the certification process of PikeOS, an
 	industrial separation kernel developed at SYSGO. In this process,
 	established theories could not be applied. We present a new generic model of
 	separation kernels and a new theory of intransitive noninterference. The
 	model is rich in detail, making it suitable for formal verification of
 	realistic and industrial systems such as PikeOS. Using a refinement-based
 	theorem proving approach, we ensure that proofs remain manageable.</p>
 	<p>
 	This document corresponds to the deliverable D31.1 of the EURO-MILS
 	Project <a href="http://www.euromils.eu">http://www.euromils.eu</a>.</p>
 notify =
 
 [pGCL]
 title = pGCL for Isabelle
 author = David Cock <mailto:david.cock@nicta.com.au>
 date = 2014-07-13
 topic = Computer science/Programming languages/Language definitions
 abstract =
 	<p>pGCL is both a programming language and a specification language that
 	incorporates both probabilistic and nondeterministic choice, in a unified
 	manner. Program verification is by refinement or annotation (or both), using
 	either Hoare triples, or weakest-precondition entailment, in the style of
 	GCL.</p>
 	<p> This package provides both a shallow embedding of the language
 	primitives, and an annotation and refinement framework. The generated
 	document includes a brief tutorial.</p>
 notify =
 
 [Noninterference_CSP]
 title = Noninterference Security in Communicating Sequential Processes
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 date = 2014-05-23
 topic = Computer science/Security
 abstract =
 	<p>
 	An extension of classical noninterference security for deterministic
 	state machines, as introduced by Goguen and Meseguer and elegantly
 	formalized by Rushby, to nondeterministic systems should satisfy two
 	fundamental requirements: it should be based on a mathematically precise
 	theory of nondeterminism, and should be equivalent to (or at least not
 	weaker than) the classical notion in the degenerate deterministic case.
 	</p>
 	<p>
 	This paper proposes a definition of noninterference security applying
 	to Hoare's Communicating Sequential Processes (CSP) in the general case of
 	a possibly intransitive noninterference policy, and proves the
 	equivalence of this security property to classical noninterference
 	security for processes representing deterministic state machines.
 	</p>
 	<p>
 	Furthermore, McCullough's generalized noninterference security is shown
 	to be weaker than both the proposed notion of CSP noninterference security
 	for a generic process, and classical noninterference security for processes
 	representing deterministic state machines. This renders CSP noninterference
 	security preferable as an extension of classical noninterference security
 	to nondeterministic systems.
 	</p>
 notify = pasquale.noce.lavoro@gmail.com
 
 [Floyd_Warshall]
 title = The Floyd-Warshall Algorithm for Shortest Paths
 author = Simon Wimmer <http://in.tum.de/~wimmers>, Peter Lammich <http://www21.in.tum.de/~lammich>
 topic = Computer science/Algorithms/Graph
 date = 2017-05-08
 notify = wimmers@in.tum.de
 abstract =
   The Floyd-Warshall algorithm [Flo62, Roy59, War62] is a classic
   dynamic programming algorithm to compute the length of all shortest
   paths between any two vertices in a graph (i.e. to solve the all-pairs
   shortest path problem, or APSP for short). Given a representation of
   the graph as a matrix of weights M, it computes another matrix M'
   which represents a graph with the same path lengths and contains the
   length of the shortest path between any two vertices i and j. This is
   only possible if the graph does not contain any negative cycles.
   However, in this case the Floyd-Warshall algorithm will detect the
   situation by calculating a negative diagonal entry. This entry
   includes a formalization of the algorithm and of these key properties.
   The algorithm is refined to an efficient imperative version using the
   Imperative Refinement Framework.
 
 [Roy_Floyd_Warshall]
 title = Transitive closure according to Roy-Floyd-Warshall
 author = Makarius Wenzel <>
 date = 2014-05-23
 topic = Computer science/Algorithms/Graph
 abstract = This formulation of the Roy-Floyd-Warshall algorithm for the
 	transitive closure bypasses matrices and arrays, but uses a more direct
 	mathematical model with adjacency functions for immediate predecessors and
 	successors. This can be implemented efficiently in functional programming
 	languages and is particularly adequate for sparse relations.
 notify =
 
 [GPU_Kernel_PL]
 title = Syntax and semantics of a GPU kernel programming language
 author = John Wickerson <http://www.doc.ic.ac.uk/~jpw48>
 date = 2014-04-03
 topic = Computer science/Programming languages/Language definitions
 abstract =
 	This document accompanies the article "The Design and
 	Implementation of a Verification Technique for GPU Kernels"
 	by Adam Betts, Nathan Chong, Alastair F. Donaldson, Jeroen
 	Ketema, Shaz Qadeer, Paul Thomson and John Wickerson. It
 	formalises all of the definitions provided in Sections 3
 	and 4 of the article.
 notify =
 
 [AWN]
 title = Mechanization of the Algebra for Wireless Networks (AWN)
 author = Timothy Bourke <http://www.tbrk.org>
 date = 2014-03-08
 topic = Computer science/Concurrency/Process calculi
 abstract =
 	<p>
 	AWN is a process algebra developed for modelling and analysing
 	protocols for Mobile Ad hoc Networks (MANETs) and Wireless Mesh
 	Networks (WMNs). AWN models comprise five distinct layers:
 	sequential processes, local parallel compositions, nodes, partial
 	networks, and complete networks.</p>
 	<p>
 	This development mechanises the original operational semantics of
 	AWN and introduces a variant 'open' operational semantics that
 	enables the compositional statement and proof of invariants across
 	distinct network nodes. It supports labels (for weakening
 	invariants) and (abstract) data state manipulations. A framework for
 	compositional invariant proofs is developed, including a tactic
 	(inv_cterms) for inductive invariant proofs of sequential processes,
 	lifting rules for the open versions of the higher layers, and a rule
 	for transferring lifted properties back to the standard semantics. A
 	notion of 'control terms' reduces proof obligations to the subset of
 	subterms that act directly (in contrast to operators for combining
 	terms and joining processes).</p>
 notify = tim@tbrk.org
 
 [Selection_Heap_Sort]
 title = Verification of Selection and Heap Sort Using Locales
 author = Danijela Petrovic <http://www.matf.bg.ac.rs/~danijela>
 date = 2014-02-11
 topic = Computer science/Algorithms
 abstract =
 	Stepwise program refinement techniques can be used to simplify
 	program verification. Programs are better understood since their
 	main properties are clearly stated, and verification of rather
 	complex algorithms is reduced to proving simple statements
 	connecting successive program specifications. Additionally, it is
 	easy to analyze similar algorithms and to compare their properties
 	within a single formalization. Usually, formal analysis is not done
 	in educational setting due to complexity of verification and a lack
 	of tools and procedures to make comparison easy. Verification of an
 	algorithm should not only give correctness proof, but also better
 	understanding of an algorithm. If the verification is based on small
 	step program refinement, it can become simple enough to be
 	demonstrated within the university-level computer science
 	curriculum. In this paper we demonstrate this and give a formal
 	analysis of two well known algorithms (Selection Sort and Heap Sort)
 	using proof assistant Isabelle/HOL and program refinement
 	techniques.
 notify =
 
 [Real_Impl]
 title = Implementing field extensions of the form Q[sqrt(b)]
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 date = 2014-02-06
 license = LGPL
 topic = Mathematics/Analysis
 abstract =
 	We apply data refinement to implement the real numbers, where we support all
 	numbers in the field extension Q[sqrt(b)], i.e., all numbers of the form p +
 	q * sqrt(b) for rational numbers p and q and some fixed natural number b. To
 	this end, we also developed algorithms to precisely compute roots of a
 	rational number, and to perform a factorization of natural numbers which
 	eliminates duplicate prime factors.
 	<p>
 	Our results have been used to certify termination proofs which involve
 	polynomial interpretations over the reals.
 extra-history =
 	Change history:
 	[2014-07-11]: Moved NthRoot_Impl to Sqrt-Babylonian.
 notify = rene.thiemann@uibk.ac.at
 
 [ShortestPath]
 title = An Axiomatic Characterization of the Single-Source Shortest Path Problem
 author = Christine Rizkallah <https://www.mpi-inf.mpg.de/~crizkall/>
 date = 2013-05-22
 topic = Mathematics/Graph theory
 abstract = This theory is split into two sections. In the first section, we give a formal proof that a well-known axiomatic characterization of the single-source shortest path problem is correct. Namely, we prove that in a directed graph with a non-negative cost function on the edges the single-source shortest path function is the only function that satisfies a set of four axioms. In the second section, we give a formal proof of the correctness of an axiomatic characterization of the single-source shortest path problem for directed graphs with general cost functions. The axioms here are more involved because we have to account for potential negative cycles in the graph. The axioms are summarized in three Isabelle locales.
 notify =
 
 [Launchbury]
 title = The Correctness of Launchbury's Natural Semantics for Lazy Evaluation
 author = Joachim Breitner <http://pp.ipd.kit.edu/~breitner>
 date = 2013-01-31
 topic = Computer science/Programming languages/Lambda calculi, Computer science/Semantics
 abstract = In his seminal paper "Natural Semantics for Lazy Evaluation", John Launchbury proves his semantics correct with respect to a denotational semantics, and outlines an adequacy proof. We have formalized both semantics and machine-checked the correctness proof, clarifying some details. Furthermore, we provide a new and more direct adequacy proof that does not require intermediate operational semantics.
 extra-history =
 	Change history:
 	[2014-05-24]: Added the proof of adequacy, as well as simplified and improved the existing proofs. Adjusted abstract accordingly.
 	[2015-03-16]: Booleans and if-then-else added to syntax and semantics, making this entry suitable to be used by the entry "Call_Arity".
 notify =
 
 [Call_Arity]
 title = The Safety of Call Arity
 author = Joachim Breitner <http://pp.ipd.kit.edu/~breitner>
 date = 2015-02-20
 topic = Computer science/Programming languages/Transformations
 abstract =
 	We formalize the Call Arity analysis, as implemented in GHC, and prove
 	both functional correctness and, more interestingly, safety (i.e. the
 	transformation does not increase allocation).
 	<p>
 	We use syntax and the denotational semantics from the entry
 	"Launchbury", where we formalized Launchbury's natural semantics for
 	lazy evaluation.
 	<p>
 	The functional correctness of Call Arity is proved with regard to that
 	denotational semantics. The operational properties are shown with
 	regard to a small-step semantics akin to Sestoft's mark 1 machine,
 	which we prove to be equivalent to Launchbury's semantics.
 	<p>
 	We use Christian Urban's Nominal2 package to define our terms and make
 	use of Brian Huffman's HOLCF package for the domain-theoretical
 	aspects of the development.
 extra-history =
 	Change history:
 	[2015-03-16]: This entry now builds on top of the Launchbury entry,
 	and the equivalency proof of the natural and the small-step semantics
 	was added.
 notify =
 
 [CCS]
 title = CCS in nominal logic
 author = Jesper Bengtson <http://www.itu.dk/people/jebe>
 date = 2012-05-29
 topic = Computer science/Concurrency/Process calculi
 abstract = We formalise a large portion of CCS as described in Milner's book 'Communication and Concurrency' using the nominal datatype package in Isabelle. Our results include many of the standard theorems of bisimulation equivalence and congruence, for both weak and strong versions. One main goal of this formalisation is to keep the machine-checked proofs as close to their pen-and-paper counterpart as possible.
 	<p>
 	This entry is described in detail in <a href="http://www.itu.dk/people/jebe/files/thesis.pdf">Bengtson's thesis</a>.
 notify =
 
 [Pi_Calculus]
 title = The pi-calculus in nominal logic
 author = Jesper Bengtson <http://www.itu.dk/people/jebe>
 date = 2012-05-29
 topic = Computer science/Concurrency/Process calculi
 abstract = We formalise the pi-calculus using the nominal datatype package, based on ideas from the nominal logic by Pitts et al., and demonstrate an implementation in Isabelle/HOL. The purpose is to derive powerful induction rules for the semantics in order to conduct machine checkable proofs, closely following the intuitive arguments found in manual proofs. In this way we have covered many of the standard theorems of bisimulation equivalence and congruence, both late and early, and both strong and weak in a uniform manner. We thus provide one of the most extensive formalisations of a the pi-calculus ever done inside a theorem prover.
 	<p>
 	A significant gain in our formulation is that agents are identified up to alpha-equivalence, thereby greatly reducing the arguments about bound names. This is a normal strategy for manual proofs about the pi-calculus, but that kind of hand waving has previously been difficult to incorporate smoothly in an interactive theorem prover. We show how the nominal logic formalism and its support in Isabelle accomplishes this and thus significantly reduces the tedium of conducting completely formal proofs. This improves on previous work using weak higher order abstract syntax since we do not need extra assumptions to filter out exotic terms and can keep all arguments within a familiar first-order logic.
 	<p>
 	This entry is described in detail in <a href="http://www.itu.dk/people/jebe/files/thesis.pdf">Bengtson's thesis</a>.
 notify =
 
 [Psi_Calculi]
 title = Psi-calculi in Isabelle
 author = Jesper Bengtson <http://www.itu.dk/people/jebe>
 date = 2012-05-29
 topic = Computer science/Concurrency/Process calculi
 abstract = Psi-calculi are extensions of the pi-calculus, accommodating arbitrary nominal datatypes to represent not only data but also communication channels, assertions and conditions, giving it an expressive power beyond the applied pi-calculus and the concurrent constraint pi-calculus.
 	<p>
 	We have formalised psi-calculi in the interactive theorem prover Isabelle using its nominal datatype package. One distinctive feature is that the framework needs to treat binding sequences, as opposed to single binders, in an efficient way. While different methods for formalising single binder calculi have been proposed over the last decades, representations for such binding sequences are not very well explored.
 	<p>
 	The main effort in the formalisation is to keep the machine checked proofs as close to their pen-and-paper counterparts as possible. This includes treating all binding sequences as atomic elements, and creating custom induction and inversion rules that to remove the bulk of manual alpha-conversions.
 	<p>
 	This entry is described in detail in <a href="http://www.itu.dk/people/jebe/files/thesis.pdf">Bengtson's thesis</a>.
 notify =
 
 [Encodability_Process_Calculi]
 title = Analysing and Comparing Encodability Criteria for Process Calculi
 author = Kirstin Peters <mailto:kirstin.peters@tu-berlin.de>, Rob van Glabbeek <http://theory.stanford.edu/~rvg/>
 date = 2015-08-10
 topic = Computer science/Concurrency/Process calculi
 abstract = Encodings or the proof of their absence are the main way to
 	compare process calculi. To analyse the quality of encodings and to rule out
 	trivial or meaningless encodings, they are augmented with quality
 	criteria. There exists a bunch of different criteria and different variants
 	of criteria in order to reason in different settings. This leads to
 	incomparable results. Moreover it is not always clear whether the criteria
 	used to obtain a result in a particular setting do indeed fit to this
 	setting. We show how to formally reason about and compare encodability
 	criteria by mapping them on requirements on a relation between source and
 	target terms that is induced by the encoding function. In particular we
 	analyse the common criteria full abstraction, operational correspondence,
 	divergence reflection, success sensitiveness, and respect of barbs; e.g. we
 	analyse the exact nature of the simulation relation (coupled simulation
 	versus bisimulation) that is induced by different variants of operational
 	correspondence. This way we reduce the problem of analysing or comparing
 	encodability criteria to the better understood problem of comparing
 	relations on processes.
 notify = kirstin.peters@tu-berlin.de
 
 [Circus]
 title = Isabelle/Circus
 author = Abderrahmane Feliachi <mailto:abderrahmane.feliachi@lri.fr>, Burkhart Wolff <mailto:wolff@lri.fr>, Marie-Claude Gaudel <mailto:mcg@lri.fr>
 contributors = Makarius Wenzel <mailto:Makarius.wenzel@lri.fr>
 date = 2012-05-27
 topic = Computer science/Concurrency/Process calculi, Computer science/System description languages
 abstract = The Circus specification language combines elements for complex data and behavior specifications, using an integration of Z and CSP with a refinement calculus. Its semantics is based on Hoare and He's Unifying Theories of Programming (UTP). Isabelle/Circus is a formalization of the UTP and the Circus language in Isabelle/HOL. It contains proof rules and tactic support that allows for proofs of refinement for Circus processes (involving both data and behavioral aspects).
 	<p>
 	The Isabelle/Circus environment supports a syntax for the semantic definitions which is close to textbook presentations of Circus. This article contains an extended version of corresponding VSTTE Paper together with the complete formal development of its underlying commented theories.
 extra-history =
 	Change history:
 	[2014-06-05]: More polishing, shorter proofs, added Circus syntax, added Makarius Wenzel as contributor.
 notify =
 
 [Dijkstra_Shortest_Path]
 title = Dijkstra's Shortest Path Algorithm
 author = Benedikt Nordhoff <mailto:b.n@wwu.de>, Peter Lammich <http://www21.in.tum.de/~lammich>
 topic = Computer science/Algorithms/Graph
 date = 2012-01-30
 abstract = We implement and prove correct Dijkstra's algorithm for the
 	single source shortest path problem, conceived in 1956 by E. Dijkstra.
 	The algorithm is implemented using the data refinement framework for monadic,
 	nondeterministic programs. An efficient implementation is derived using data
 	structures from the Isabelle Collection Framework.
 notify = lammich@in.tum.de
 
 [Refine_Monadic]
 title = Refinement for Monadic Programs
 author = Peter Lammich <http://www21.in.tum.de/~lammich>
 topic = Computer science/Programming languages/Logics
 date = 2012-01-30
 abstract = We provide a framework for program and data refinement in Isabelle/HOL.
 	The framework is based on a nondeterminism-monad with assertions, i.e.,
 	the monad carries a set of results or an assertion failure.
 	Recursion is expressed by fixed points. For convenience, we also provide
 	while and foreach combinators.
 	<p>
 	The framework provides tools to automatize canonical tasks, such as
 	verification condition generation, finding appropriate data refinement relations,
 	and refine an executable program to a form that is accepted by the
 	Isabelle/HOL code generator.
 	<p>
 	This submission comes with a collection of examples and a user-guide,
 	illustrating the usage of the framework.
 extra-history =
 	Change history:
 	[2012-04-23] Introduced ordered FOREACH loops<br>
 	[2012-06] New features:
 	REC_rule_arb and RECT_rule_arb allow for generalizing over variables.
 	prepare_code_thms - command extracts code equations for recursion combinators.<br>
 	[2012-07] New example: Nested DFS for emptiness check of Buchi-automata with witness.<br>
 	New feature:
 	fo_rule method to apply resolution using first-order matching. Useful for arg_conf, fun_cong.<br>
 	[2012-08] Adaptation to ICF v2.<br>
 	[2012-10-05] Adaptations to include support for Automatic Refinement Framework.<br>
 	[2013-09] This entry now depends on Automatic Refinement<br>
 	[2014-06] New feature: vc_solve method to solve verification conditions.
 	Maintenace changes: VCG-rules for nfoldli, improved setup for FOREACH-loops.<br>
 	[2014-07] Now defining recursion via flat domain. Dropped many single-valued prerequisites.
 	Changed notion of data refinement. In single-valued case, this matches the old notion.
 	In non-single valued case, the new notion allows for more convenient rules.
 	In particular, the new definitions allow for projecting away ghost variables as a refinement step.<br>
 	[2014-11] New features: le-or-fail relation (leof), modular reasoning about loop invariants.
 notify = lammich@in.tum.de
 
 [Refine_Imperative_HOL]
 title = The Imperative Refinement Framework
 author = Peter Lammich <http://www21.in.tum.de/~lammich>
 notify = lammich@in.tum.de
 date = 2016-08-08
 topic = Computer science/Programming languages/Transformations,Computer science/Data structures
 abstract =
 	We present the Imperative Refinement Framework (IRF), a tool that
 	supports a stepwise refinement based approach to imperative programs.
 	This entry is based on the material we presented in [ITP-2015,
 	CPP-2016].  It uses the Monadic Refinement Framework as a frontend for
 	the specification of the abstract programs, and Imperative/HOL as a
 	backend to generate executable imperative programs.  The IRF comes
 	with tool support to synthesize imperative programs from more
 	abstract, functional ones, using efficient imperative implementations
 	for the abstract data structures.  This entry also includes the
 	Imperative Isabelle Collection Framework (IICF), which provides a
 	library of re-usable imperative collection data structures.  Moreover,
 	this entry contains a quickstart guide and a reference manual, which
 	provide an introduction to using the IRF for Isabelle/HOL experts. It
 	also provids a collection of (partly commented) practical examples,
 	some highlights being Dijkstra's Algorithm, Nested-DFS, and a generic
 	worklist algorithm with subsumption.  Finally, this entry contains
 	benchmark scripts that compare the runtime of some examples against
 	reference implementations of the algorithms in Java and C++.
 	[ITP-2015] Peter Lammich: Refinement to Imperative/HOL. ITP 2015:
 	253--269  [CPP-2016] Peter Lammich: Refinement based verification of
 	imperative data structures. CPP 2016: 27--36
 
 [Automatic_Refinement]
 title = Automatic Data Refinement
 author = Peter Lammich <mailto:lammich@in.tum.de>
 topic = Computer science/Programming languages/Logics
 date = 2013-10-02
 abstract = We present the Autoref tool for Isabelle/HOL, which automatically
 	refines algorithms specified over abstract concepts like maps
 	and sets to algorithms over concrete implementations like red-black-trees,
 	and produces a refinement theorem. It is based on ideas borrowed from
 	relational parametricity due to Reynolds and Wadler.
 	The tool allows for rapid prototyping of verified, executable algorithms.
 	Moreover, it can be configured to fine-tune the result to the user~s needs.
 	Our tool is able to automatically instantiate generic algorithms, which
 	greatly simplifies the implementation of executable data structures.
 	<p>
 	This AFP-entry provides the basic tool, which is then used by the
 	Refinement and Collection Framework to provide automatic data refinement for
 	the nondeterminism monad and various collection datastructures.
 notify = lammich@in.tum.de
 
 [EdmondsKarp_Maxflow]
 title = Formalizing the Edmonds-Karp Algorithm
 author = Peter Lammich <mailto:lammich@in.tum.de>, S. Reza Sefidgar<>
 notify = lammich@in.tum.de
 date = 2016-08-12
 topic = Computer science/Algorithms/Graph
 abstract =
 	We present a formalization of the Ford-Fulkerson method for computing
 	the maximum flow in a network. Our formal proof closely follows a
 	standard textbook proof, and is accessible even without being an
 	expert in Isabelle/HOL--- the interactive theorem prover used for the
 	formalization. We then use stepwise refinement to obtain the
 	Edmonds-Karp algorithm, and formally prove a bound on its complexity.
 	Further refinement yields a verified implementation, whose execution
 	time compares well to an unverified reference implementation in Java.
 	This entry is based on our ITP-2016 paper with the same title.
 
 [VerifyThis2018]
 title = VerifyThis 2018 - Polished Isabelle Solutions
 author = Peter Lammich <http://www21.in.tum.de/~lammich>, Simon Wimmer <http://in.tum.de/~wimmers>
 topic = Computer science/Algorithms
 date = 2018-04-27
 notify = lammich@in.tum.de
 abstract =
   <a
   href="http://www.pm.inf.ethz.ch/research/verifythis.html">VerifyThis
   2018</a> was a program verification competition associated with
   ETAPS 2018. It was the 7th event in the VerifyThis competition series.
   In this entry, we present polished and completed versions of our
   solutions that we created during the competition.
 
 [PseudoHoops]
 title = Pseudo Hoops
 author = George Georgescu <>, Laurentiu Leustean <>, Viorel Preoteasa <http://users.abo.fi/vpreotea/>
 topic = Mathematics/Algebra
 date = 2011-09-22
 abstract = Pseudo-hoops are algebraic structures introduced by B. Bosbach under the name of complementary semigroups. In this formalization we prove some properties of pseudo-hoops and we define the basic concepts of filter and normal filter. The lattice of normal filters is isomorphic with the lattice of congruences of a pseudo-hoop. We also study some important classes of pseudo-hoops. Bounded Wajsberg pseudo-hoops are equivalent to pseudo-Wajsberg algebras and bounded basic pseudo-hoops are equivalent to pseudo-BL algebras. Some examples of pseudo-hoops are given in the last section of the formalization.
 notify = viorel.preoteasa@aalto.fi
 
 [MonoBoolTranAlgebra]
 title = Algebra of Monotonic Boolean Transformers
 author = Viorel Preoteasa <http://users.abo.fi/vpreotea/>
 topic = Computer science/Programming languages/Logics
 date = 2011-09-22
 abstract = Algebras of imperative programming languages have been successful in reasoning about programs. In general an algebra of programs is an algebraic structure with programs as elements and with program compositions (sequential composition, choice, skip) as algebra operations. Various versions of these algebras were introduced to model partial correctness, total correctness, refinement, demonic choice, and other aspects. We formalize here an algebra which can be used to model total correctness, refinement, demonic and angelic choice. The basic model of this algebra are monotonic Boolean transformers (monotonic functions from a Boolean algebra to itself).
 notify = viorel.preoteasa@aalto.fi
 
 [LatticeProperties]
 title = Lattice Properties
 author = Viorel Preoteasa <http://users.abo.fi/vpreotea/>
 topic = Mathematics/Order
 date = 2011-09-22
 abstract = This formalization introduces and collects some algebraic structures based on lattices and complete lattices for use in other developments. The structures introduced are modular, and lattice ordered groups. In addition to the results proved for the new lattices, this formalization also introduces theorems about latices and complete lattices in general.
 extra-history =
 	Change history:
 	[2012-01-05]: Removed the theory about distributive complete lattices which is in the standard library now.
 	Added a theory about well founded and transitive relations and a result about fixpoints in complete lattices and well founded relations.
 	Moved the results about conjunctive and disjunctive functions to a new theory.
 	Removed the syntactic classes for inf and sup which are in the standard library now.
 notify = viorel.preoteasa@aalto.fi
 
 [Impossible_Geometry]
 title = Proving the Impossibility of Trisecting an Angle and Doubling the Cube
 author = Ralph Romanos <mailto:ralph.romanos@student.ecp.fr>, Lawrence C. Paulson <http://www.cl.cam.ac.uk/~lp15/>
 topic = Mathematics/Algebra, Mathematics/Geometry
 date = 2012-08-05
 abstract = Squaring the circle, doubling the cube and trisecting an angle, using a compass and straightedge alone, are classic unsolved problems first posed by the ancient Greeks. All three problems were proved to be impossible in the 19th century. The following document presents the proof of the impossibility of solving the latter two problems using Isabelle/HOL, following a proof by Carrega. The proof uses elementary methods: no Galois theory or field extensions. The set of points constructible using a compass and straightedge is defined inductively. Radical expressions, which involve only square roots and arithmetic of rational numbers, are defined, and we find that all constructive points have radical coordinates. Finally, doubling the cube and trisecting certain angles requires solving certain cubic equations that can be proved to have no rational roots. The Isabelle proofs require a great many detailed calculations.
 notify = ralph.romanos@student.ecp.fr, lp15@cam.ac.uk
 
 [IP_Addresses]
 title = IP Addresses
 author = Cornelius Diekmann <http://net.in.tum.de/~diekmann>, Julius Michaelis <http://liftm.de>, Lars Hupel <https://www21.in.tum.de/~hupel/>
 notify = diekmann@net.in.tum.de
 date = 2016-06-28
 topic = Computer science/Networks
 abstract =
 	This entry contains a definition of IP addresses and a library to work
 	with them.  Generic IP addresses are modeled as machine words of
 	arbitrary length. Derived from this generic definition, IPv4 addresses
 	are 32bit machine words, IPv6 addresses are 128bit words.
 	Additionally, IPv4 addresses can be represented in dot-decimal
 	notation and IPv6 addresses in (compressed) colon-separated notation.
 	We support toString functions and parsers for both notations. Sets of
 	IP addresses can be represented with a netmask (e.g.
 	192.168.0.0/255.255.0.0) or in CIDR notation (e.g. 192.168.0.0/16). To
 	provide executable code for set operations on IP address ranges, the
 	library includes a datatype to work on arbitrary intervals of machine
 	words.
 
 [Simple_Firewall]
 title = Simple Firewall
 author = Cornelius Diekmann <http://net.in.tum.de/~diekmann>, Julius Michaelis <http://liftm.de>, Maximilian Haslbeck<http://cl-informatik.uibk.ac.at/users/mhaslbeck//>
 notify = diekmann@net.in.tum.de, max.haslbeck@gmx.de
 date = 2016-08-24
 topic = Computer science/Networks
 abstract =
 	We present a simple model of a firewall. The firewall can accept or
 	drop a packet and can match on interfaces, IP addresses, protocol, and
 	ports. It was designed to feature nice mathematical properties: The
 	type of match expressions was carefully crafted such that the
 	conjunction of two match expressions is only one match expression.
 	This model is too simplistic to mirror all aspects of the real world.
 	In the upcoming entry "Iptables Semantics", we will translate the
 	Linux firewall iptables to this model.  For a fixed service (e.g. ssh,
 	http), we provide an algorithm to compute an overview of the
 	firewall's filtering behavior. The algorithm computes minimal service
 	matrices, i.e. graphs which partition the complete IPv4 and IPv6
 	address space and visualize the allowed accesses between partitions.
 	For a detailed description, see
 	<a href="http://dl.ifip.org/db/conf/networking/networking2016/1570232858.pdf">Verified iptables Firewall
 	Analysis</a>, IFIP Networking 2016.
 
 [Iptables_Semantics]
 title = Iptables Semantics
 author = Cornelius Diekmann <http://net.in.tum.de/~diekmann>, Lars Hupel <https://www21.in.tum.de/~hupel/>
 notify = diekmann@net.in.tum.de, hupel@in.tum.de
 date = 2016-09-09
 topic = Computer science/Networks
 abstract =
 	We present a big step semantics of the filtering behavior of the
 	Linux/netfilter iptables firewall. We provide algorithms to simplify
 	complex iptables rulests to a simple firewall model (c.f. AFP entry <a
 	href="https://www.isa-afp.org/entries/Simple_Firewall.html">Simple_Firewall</a>)
 	and to verify spoofing protection of a ruleset.
 	Internally, we embed our semantics into ternary logic, ultimately
 	supporting every iptables match condition by abstracting over
 	unknowns. Using this AFP entry and all entries it depends on, we
 	created an easy-to-use, stand-alone haskell tool called <a
 	href="http://iptables.isabelle.systems">fffuu</a>. The tool does not
 	require any input &mdash;except for the <tt>iptables-save</tt> dump of
 	the analyzed firewall&mdash; and presents interesting results about
 	the user's ruleset. Real-Word firewall errors have been uncovered, and
 	the correctness of rulesets has been proved, with the help of
 	our tool.
 
 [Routing]
 title = Routing
 author = Julius Michaelis <http://liftm.de>, Cornelius Diekmann <http://net.in.tum.de/~diekmann>
 notify = afp@liftm.de
 date = 2016-08-31
 topic = Computer science/Networks
 abstract =
 	This entry contains definitions for routing with routing
 	tables/longest prefix matching.  A routing table entry is modelled as
 	a record of a prefix match, a metric, an output port, and an optional
 	next hop. A routing table is a list of entries, sorted by prefix
 	length and metric. Additionally, a parser and serializer for the
 	output of the ip-route command, a function to create a relation from
 	output port to corresponding destination IP space, and a model of a
 	Linux-style router are included.
 
 [KBPs]
 title = Knowledge-based programs
 author = Peter Gammie <http://peteg.org>
 topic = Computer science/Automata and formal languages
 date = 2011-05-17
 abstract = Knowledge-based programs (KBPs) are a formalism for directly relating agents' knowledge and behaviour. Here we present a general scheme for compiling KBPs to executable automata with a proof of correctness in Isabelle/HOL. We develop the algorithm top-down, using Isabelle's locale mechanism to structure these proofs, and show that two classic examples can be synthesised using Isabelle's code generator.
 extra-history =
 	Change history:
 	[2012-03-06]: Add some more views and revive the code generation.
 notify = kleing@cse.unsw.edu.au
 
 [Tarskis_Geometry]
 title = The independence of Tarski's Euclidean axiom
 author = T. J. M. Makarios <mailto:tjm1983@gmail.com>
 topic = Mathematics/Geometry
 date = 2012-10-30
 abstract =
 	Tarski's axioms of plane geometry are formalized and, using the standard
 	real Cartesian model, shown to be consistent. A substantial theory of
 	the projective plane is developed. Building on this theory, the
 	Klein-Beltrami model of the hyperbolic plane is defined and shown to
 	satisfy all of Tarski's axioms except his Euclidean axiom; thus Tarski's
 	Euclidean axiom is shown to be independent of his other axioms of plane
 	geometry.
 	<p>
 	An earlier version of this work was the subject of the author's
 	<a href="http://researcharchive.vuw.ac.nz/handle/10063/2315">MSc thesis</a>,
 	which contains natural-language explanations of some of the
 	more interesting proofs.
 notify = tjm1983@gmail.com
 
 [General-Triangle]
 title = The General Triangle Is Unique
 author = Joachim Breitner <mailto:mail@joachim-breitner.de>
 topic = Mathematics/Geometry
 date = 2011-04-01
 abstract = Some acute-angled triangles are special, e.g. right-angled or isoscele triangles. Some are not of this kind, but, without measuring angles, look as if they were. In that sense, there is exactly one general triangle. This well-known fact is proven here formally.
 notify = mail@joachim-breitner.de
 
 [LightweightJava]
 title = Lightweight Java
 author = Rok Strniša <http://rok.strnisa.com/lj/>, Matthew Parkinson <http://research.microsoft.com/people/mattpark/>
 topic = Computer science/Programming languages/Language definitions
 date = 2011-02-07
 abstract = A fully-formalized and extensible minimal imperative fragment of Java.
 notify = rok@strnisa.com
 
 [Lower_Semicontinuous]
 title = Lower Semicontinuous Functions
 author = Bogdan Grechuk <mailto:grechukbogdan@yandex.ru>
 topic = Mathematics/Analysis
 date = 2011-01-08
 abstract = We define the notions of lower and upper semicontinuity for functions from a metric space to the extended real line. We prove that a function is both lower and upper semicontinuous if and only if it is continuous. We also give several equivalent characterizations of lower semicontinuity. In particular, we prove that a function is lower semicontinuous if and only if its epigraph is a closed set. Also, we introduce the notion of the lower semicontinuous hull of an arbitrary function and prove its basic properties.
 notify = hoelzl@in.tum.de
 
 [RIPEMD-160-SPARK]
 title = RIPEMD-160
 author = Fabian Immler <mailto:immler@in.tum.de>
 topic = Computer science/Programming languages/Static analysis
 date = 2011-01-10
 abstract = This work presents a verification of an implementation in SPARK/ADA of the cryptographic hash-function RIPEMD-160. A functional specification of RIPEMD-160 is given in Isabelle/HOL. Proofs for the verification conditions generated by the static-analysis toolset of SPARK certify the functional correctness of the implementation.
 extra-history =
 	Change history:
 	[2015-11-09]: Entry is now obsolete, moved to Isabelle distribution.
 notify = immler@in.tum.de
 
 [Regular-Sets]
 title = Regular Sets and Expressions
 author = Alexander Krauss <http://www.in.tum.de/~krauss>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 contributors = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Computer science/Automata and formal languages
 date = 2010-05-12
 abstract = This is a library of constructions on regular expressions and languages. It provides the operations of concatenation, Kleene star and derivative on languages. Regular expressions and their meaning are defined. An executable equivalence checker for regular expressions is verified; it does not need automata but works directly on regular expressions. <i>By mapping regular expressions to binary relations, an automatic and complete proof method for (in)equalities of binary relations over union, concatenation and (reflexive) transitive closure is obtained.</i> <P> Extended regular expressions with complement and intersection are also defined and an equivalence checker is provided.
 extra-history =
 	Change history:
 	[2011-08-26]: Christian Urban added a theory about derivatives and partial derivatives of regular expressions<br>
 	[2012-05-10]: Tobias Nipkow added extended regular expressions<br>
 	[2012-05-10]: Tobias Nipkow added equivalence checking with partial derivatives
 notify = nipkow@in.tum.de, krauss@in.tum.de, christian.urban@kcl.ac.uk
 
 [Regex_Equivalence]
 title = Unified Decision Procedures for Regular Expression Equivalence
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>, Dmitriy Traytel <mailto:traytel@in.tum.de>
 topic = Computer science/Automata and formal languages
 date = 2014-01-30
 abstract =
 	We formalize a unified framework for verified decision procedures for regular
 	expression equivalence. Five recently published formalizations of such
 	decision procedures (three based on derivatives, two on marked regular
 	expressions) can be obtained as instances of the framework. We discover that
 	the two approaches based on marked regular expressions, which were previously
 	thought to be the same, are different, and one seems to produce uniformly
 	smaller automata.  The common framework makes it possible to compare the
 	performance of the different decision procedures in a meaningful way.
 	<a href="http://www21.in.tum.de/~nipkow/pubs/itp14.html">
 	The formalization is described in a paper of the same name presented at
 	Interactive Theorem Proving 2014</a>.
 notify = nipkow@in.tum.de, traytel@in.tum.de
 
 [MSO_Regex_Equivalence]
 title = Decision Procedures for MSO on Words Based on Derivatives of Regular Expressions
 author = Dmitriy Traytel <mailto:traytel@in.tum.de>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 topic = Computer science/Automata and formal languages, Logic/General logic/Decidability of theories
 date = 2014-06-12
 abstract =
 	Monadic second-order logic on finite words (MSO) is a decidable yet
 	expressive logic into which many decision problems can be encoded. Since MSO
 	formulas correspond to regular languages, equivalence of MSO formulas can be
 	reduced to the equivalence of some regular structures (e.g. automata). We
 	verify an executable decision procedure for MSO formulas that is not based
 	on automata but on regular expressions.
 	<p>
 	Decision procedures for regular expression equivalence have been formalized
 	before, usually based on Brzozowski derivatives. Yet, for a straightforward
 	embedding of MSO formulas into regular expressions an extension of regular
 	expressions with a projection operation is required. We prove total
 	correctness and completeness of an equivalence checker for regular
 	expressions extended in that way. We also define a language-preserving
 	translation of formulas into regular expressions with respect to two
 	different semantics of MSO.
 	<p>
 	The formalization is described in this <a href="http://www21.in.tum.de/~nipkow/pubs/icfp13.html">ICFP 2013 functional pearl</a>.
 notify = traytel@in.tum.de, nipkow@in.tum.de
 
 [Formula_Derivatives]
 title = Derivatives of Logical Formulas
 author = Dmitriy Traytel <http://www21.in.tum.de/~traytel>
 topic = Computer science/Automata and formal languages, Logic/General logic/Decidability of theories
 date = 2015-05-28
 abstract =
 	We formalize new decision procedures for WS1S, M2L(Str), and Presburger
 	Arithmetics. Formulas of these logics denote regular languages. Unlike
 	traditional decision procedures, we do <em>not</em> translate formulas into automata
 	(nor into regular expressions), at least not explicitly. Instead we devise
 	notions of derivatives (inspired by Brzozowski derivatives for regular
 	expressions) that operate on formulas directly and compute a syntactic
 	bisimulation using these derivatives. The treatment of Boolean connectives and
 	quantifiers is uniform for all mentioned logics and is abstracted into a
 	locale. This locale is then instantiated by different atomic formulas and their
 	derivatives (which may differ even for the same logic under different encodings
 	of interpretations as formal words).
 	<p>
 	The WS1S instance is described in the draft paper <a
 	href="https://people.inf.ethz.ch/trayteld/papers/csl15-ws1s_derivatives/index.html">A
 	Coalgebraic Decision Procedure for WS1S</a> by the author.
 notify = traytel@in.tum.de
 
 [Myhill-Nerode]
 title = The Myhill-Nerode Theorem Based on Regular Expressions
 author = Chunhan Wu <>, Xingyuan Zhang <>, Christian Urban <http://www.inf.kcl.ac.uk/staff/urbanc/>
 contributors = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Computer science/Automata and formal languages
 date = 2011-08-26
 abstract = There are many proofs of the Myhill-Nerode theorem using automata. In this library we give a proof entirely based on regular expressions, since regularity of languages can be conveniently defined using regular expressions (it is more painful in HOL to define regularity in terms of automata).  We prove the first direction of the Myhill-Nerode theorem by solving equational systems that involve regular expressions.  For the second direction we give two proofs: one using tagging-functions and another using partial derivatives. We also establish various closure properties of regular languages. Most details of the theories are described in our ITP 2011 paper.
 notify = christian.urban@kcl.ac.uk
 
 [Universal_Turing_Machine]
 title = Universal Turing Machine
 author = Jian Xu<>, Xingyuan Zhang<>, Christian Urban <https://nms.kcl.ac.uk/christian.urban/>, Sebastiaan J. C. Joosten <http://sjcjoosten.nl/>
 topic = Logic/Computability, Computer science/Automata and formal languages
 date = 2019-02-08
 notify = sjcjoosten@gmail.com, christian.urban@kcl.ac.uk
 abstract =
   We formalise results from computability theory: recursive functions,
   undecidability of the halting problem, and the existence of a
   universal Turing machine. This formalisation is the AFP entry
   corresponding to the paper Mechanising Turing Machines and Computability Theory
   in Isabelle/HOL, ITP 2013.
 
 [CYK]
 title = A formalisation of the Cocke-Younger-Kasami algorithm
 author = Maksym Bortin <mailto:Maksym.Bortin@nicta.com.au>
 date = 2016-04-27
 topic = Computer science/Algorithms, Computer science/Automata and formal languages
 abstract =
 	The theory provides a formalisation of the Cocke-Younger-Kasami
 	algorithm (CYK for short), an approach to solving the word problem
 	for context-free languages.  CYK decides if a word is in the
 	languages generated by a context-free grammar in Chomsky normal form.
 	The formalized algorithm is executable.
 notify = maksym.bortin@nicta.com.au
 
 [Boolean_Expression_Checkers]
 title = Boolean Expression Checkers
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2014-06-08
 topic = Computer science/Algorithms, Logic/General logic/Mechanization of proofs
 abstract =
 	This entry provides executable checkers for the following properties of
 	boolean expressions: satisfiability, tautology and equivalence. Internally,
 	the checkers operate on binary decision trees and are reasonably efficient
 	(for purely functional algorithms).
 extra-history =
 	Change history: [2015-09-23]: Salomon Sickert added an interface that does not require the usage of the Boolean formula datatype. Furthermore the general Mapping type is used instead of an association list.
 notify = nipkow@in.tum.de
 
 [Presburger-Automata]
 title = Formalizing the Logic-Automaton Connection
 author = Stefan Berghofer <http://www.in.tum.de/~berghofe>, Markus Reiter <>
 date = 2009-12-03
 topic = Computer science/Automata and formal languages, Logic/General logic/Decidability of theories
 abstract = This work presents a formalization of a library for automata on bit strings. It forms the basis of a reflection-based decision procedure for Presburger arithmetic, which is efficiently executable thanks to Isabelle's code generator. With this work, we therefore provide a mechanized proof of a well-known connection between logic and automata theory. The formalization is also described in a publication [TPHOLs 2009].
 notify = berghofe@in.tum.de
 
 [Functional-Automata]
 title = Functional Automata
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2004-03-30
 topic = Computer science/Automata and formal languages
 abstract = This theory defines deterministic and nondeterministic automata in a functional representation: the transition function/relation and the finality predicate are just functions. Hence the state space may be infinite. It is shown how to convert regular expressions into such automata. A scanner (generator) is implemented with the help of functional automata: the scanner chops the input up into longest recognized substrings. Finally we also show how to convert a certain subclass of functional automata (essentially the finite deterministic ones) into regular sets.
 notify = nipkow@in.tum.de
 
 [Statecharts]
 title = Formalizing Statecharts using Hierarchical Automata
 author = Steffen Helke <mailto:helke@cs.tu-berlin.de>, Florian Kammüller <mailto:flokam@cs.tu-berlin.de>
 topic = Computer science/Automata and formal languages
 date = 2010-08-08
 abstract = We formalize in Isabelle/HOL the abtract syntax and a synchronous
 	step semantics for the specification language Statecharts. The formalization
 	is based on Hierarchical Automata which allow a structural decomposition of
 	Statecharts into Sequential Automata. To support the composition of
 	Statecharts, we introduce calculating operators to construct a Hierarchical
 	Automaton in a stepwise manner. Furthermore, we present a complete semantics
 	of Statecharts including a theory of data spaces, which enables the modelling
 	of racing effects. We also adapt CTL for
 	Statecharts to build a bridge for future combinations with model
 	checking. However the main motivation of this work is to provide a sound and
 	complete basis for reasoning on Statecharts. As a central meta theorem we
 	prove that the well-formedness of a Statechart is preserved by the semantics.
 notify = nipkow@in.tum.de
 
 [Stuttering_Equivalence]
 title = Stuttering Equivalence
 author = Stephan Merz <http://www.loria.fr/~merz>
 topic = Computer science/Automata and formal languages
 date = 2012-05-07
 abstract = <p>Two omega-sequences are stuttering equivalent if they differ only by finite repetitions of elements. Stuttering equivalence is a fundamental concept in the theory of concurrent and distributed systems. Notably, Lamport argues that refinement notions for such systems should be insensitive to finite stuttering. Peled and Wilke showed that all PLTL (propositional linear-time temporal logic) properties that are insensitive to stuttering equivalence can be expressed without the next-time operator. Stuttering equivalence is also important for certain verification techniques such as partial-order reduction for model checking.</p> <p>We formalize stuttering equivalence in Isabelle/HOL. Our development relies on the notion of stuttering sampling functions that may skip blocks of identical sequence elements. We also encode PLTL and prove the theorem due to Peled and Wilke.</p>
 extra-history =
 	Change history:
 	[2013-01-31]: Added encoding of PLTL and proved Peled and Wilke's theorem. Adjusted abstract accordingly.
 notify = Stephan.Merz@loria.fr
 
 [Coinductive_Languages]
 title = A Codatatype of Formal Languages
 author = Dmitriy Traytel <mailto:traytel@in.tum.de>
 topic = Computer science/Automata and formal languages
 date = 2013-11-15
 abstract = <p>We define formal languages as a codataype of infinite trees
 	branching over the alphabet. Each node in such a tree indicates whether the
 	path to this node constitutes a word inside or outside of the language. This
 	codatatype is isormorphic to the set of lists representation of languages,
 	but caters for definitions by corecursion and proofs by coinduction.</p>
 	<p>Regular operations on languages are then defined by primitive corecursion.
 	A difficulty arises here, since the standard definitions of concatenation and
 	iteration from the coalgebraic literature are not primitively
 	corecursive-they require guardedness up-to union/concatenation.
 	Without support for up-to corecursion, these operation must be defined as a
 	composition of primitive ones (and proved being equal to the standard
 	definitions). As an exercise in coinduction we also prove the axioms of
 	Kleene algebra for the defined regular operations.</p>
 	<p>Furthermore, a language for context-free grammars given by productions in
 	Greibach normal form and an initial nonterminal is constructed by primitive
 	corecursion, yielding an executable decision procedure for the word problem
 	without further ado.</p>
 notify = traytel@in.tum.de
 
 [Tree-Automata]
 title = Tree Automata
 author = Peter Lammich <http://www21.in.tum.de/~lammich>
 date = 2009-11-25
 topic = Computer science/Automata and formal languages
 abstract = This work presents a machine-checked tree automata library for Standard-ML, OCaml and Haskell. The algorithms are efficient by using appropriate data structures like RB-trees. The available algorithms for non-deterministic automata include membership query, reduction, intersection, union, and emptiness check with computation of a witness for non-emptiness. The executable algorithms are derived from less-concrete, non-executable algorithms using data-refinement techniques. The concrete data structures are from the Isabelle Collections Framework. Moreover, this work contains a formalization of the class of tree-regular languages and its closure properties under set operations.
 notify = peter.lammich@uni-muenster.de, nipkow@in.tum.de
 
 [Depth-First-Search]
 title = Depth First Search
 author = Toshiaki Nishihara <>, Yasuhiko Minamide <>
 date = 2004-06-24
 topic = Computer science/Algorithms/Graph
 abstract = Depth-first search of a graph is formalized with recdef. It is shown that it visits all of the reachable nodes from a given list of nodes. Executable ML code of depth-first search is obtained using the code generation feature of Isabelle/HOL.
 notify = lp15@cam.ac.uk, krauss@in.tum.de
 
 [FFT]
 title = Fast Fourier Transform
 author = Clemens Ballarin <http://www21.in.tum.de/~ballarin/>
 date = 2005-10-12
 topic = Computer science/Algorithms/Mathematical
 abstract = We formalise a functional implementation of the FFT algorithm over the complex numbers, and its inverse. Both are shown equivalent to the usual definitions of these operations through Vandermonde matrices. They are also shown to be inverse to each other, more precisely, that composition of the inverse and the transformation yield the identity up to a scalar.
 notify = ballarin@in.tum.de
 
 [Gauss-Jordan-Elim-Fun]
 title = Gauss-Jordan Elimination for Matrices Represented as Functions
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2011-08-19
 topic = Computer science/Algorithms/Mathematical, Mathematics/Algebra
 abstract = This theory provides a compact formulation of Gauss-Jordan elimination for matrices represented as functions. Its distinctive feature is succinctness. It is not meant for large computations.
 notify = nipkow@in.tum.de
 
 [UpDown_Scheme]
 title = Verification of the UpDown Scheme
 author = Johannes Hölzl <mailto:hoelzl@in.tum.de>
 date = 2015-01-28
 topic = Computer science/Algorithms/Mathematical
 abstract =
 	The UpDown scheme is a recursive scheme used to compute the stiffness matrix
 	on a special form of sparse grids. Usually, when discretizing a Euclidean
 	space of dimension d we need O(n^d) points, for n points along each dimension.
 	Sparse grids are a hierarchical representation where the number of points is
 	reduced to O(n * log(n)^d). One disadvantage of such sparse grids is that the
 	algorithm now operate recursively in the dimensions and levels of the sparse grid.
 	<p>
 	The UpDown scheme allows us to compute the stiffness matrix on such a sparse
 	grid. The stiffness matrix represents the influence of each representation
 	function on the L^2 scalar product. For a detailed description see
 	Dirk Pflüger's PhD thesis. This formalization was developed as an
 	interdisciplinary project (IDP) at the Technische Universität München.
 notify = hoelzl@in.tum.de
 
 [GraphMarkingIBP]
 title = Verification of the Deutsch-Schorr-Waite Graph Marking Algorithm using Data Refinement
 author = Viorel Preoteasa <http://users.abo.fi/vpreotea/>, Ralph-Johan Back <http://users.abo.fi/Ralph-Johan.Back/>
 date = 2010-05-28
 topic = Computer science/Algorithms/Graph
 abstract = The verification of the Deutsch-Schorr-Waite graph marking algorithm is used as a benchmark in many formalizations of pointer programs. The main purpose of this mechanization is to show how data refinement of invariant based programs can be used in verifying practical algorithms. The verification starts with an abstract algorithm working on a graph given by a relation <i>next</i> on nodes. Gradually the abstract program is refined into Deutsch-Schorr-Waite graph marking algorithm where only one bit per graph node of additional memory is used for marking.
 extra-history =
 	Change history:
 	[2012-01-05]: Updated for the new definition of data refinement and the new syntax for demonic and angelic update statements
 notify = viorel.preoteasa@aalto.fi
 
 [Efficient-Mergesort]
 title = Efficient Mergesort
 topic = Computer science/Algorithms
 date = 2011-11-09
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>
 abstract = We provide a formalization of the mergesort algorithm as used in GHC's Data.List module, proving correctness and stability. Furthermore, experimental data suggests that generated (Haskell-)code for this algorithm is much faster than for previous algorithms available in the Isabelle distribution.
 extra-history =
 	Change history:
 	[2012-10-24]:
   Added reference to journal article.<br>
 	[2018-09-17]:
   Added theory Efficient_Mergesort that works exclusively with the mutual
   induction schemas generated by the function package.<br>
   [2018-09-19]:
   Added theory Mergesort_Complexity that proves an upper bound on the number of
   comparisons that are required by mergesort.<br>
   [2018-09-19]:
   Theory Efficient_Mergesort replaces theory Efficient_Sort but keeping the old
   name Efficient_Sort.
 notify = c.sternagel@gmail.com
 
 [SATSolverVerification]
 title = Formal Verification of Modern SAT Solvers
 author = Filip Marić <http://poincare.matf.bg.ac.rs/~filip/>
 date = 2008-07-23
 topic = Computer science/Algorithms
 abstract = This document contains formal correctness proofs of modern SAT solvers. Following (Krstic et al, 2007) and (Nieuwenhuis et al., 2006), solvers are described using state-transition systems. Several different SAT solver descriptions are given and their partial correctness and termination is proved. These include: <ul> <li> a solver based on classical DPLL procedure (using only a backtrack-search with unit propagation),</li> <li> a very general solver with backjumping and learning (similar to the description given in (Nieuwenhuis et al., 2006)), and</li> <li> a solver with a specific conflict analysis algorithm (similar to the description given in (Krstic et al., 2007)).</li> </ul> Within the SAT solver correctness proofs, a large number of lemmas about propositional logic and CNF formulae are proved. This theory is self-contained and could be used for further exploring of properties of CNF based SAT algorithms.
 notify =
 
 [Transitive-Closure]
 title = Executable Transitive Closures of Finite Relations
 topic = Computer science/Algorithms/Graph
 date = 2011-03-14
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 license = LGPL
 abstract = We provide a generic work-list algorithm to compute the transitive closure of finite relations where only successors of newly detected states are generated. This algorithm is then instantiated for lists over arbitrary carriers and red black trees (which are faster but require a linear order on the carrier), respectively.  Our formalization was performed as part of the IsaFoR/CeTA project where reflexive transitive closures of large tree automata have to be computed.
 extra-history =
 	Change history:
 	[2014-09-04] added example simprocs in Finite_Transitive_Closure_Simprocs
 notify = c.sternagel@gmail.com, rene.thiemann@uibk.ac.at
 
 [Transitive-Closure-II]
 title = Executable Transitive Closures
 topic = Computer science/Algorithms/Graph
 date = 2012-02-29
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 license = LGPL
 abstract =
 	<p>
 	We provide a generic work-list algorithm to compute the
 	(reflexive-)transitive closure of relations where only successors of newly
 	detected states are generated.
 	In contrast to our previous work, the relations do not have to be finite,
 	but each element must only have finitely many (indirect) successors.
 	Moreover, a subsumption relation can be used instead of pure equality.
 	An executable variant of the algorithm is available where the generic operations
 	are instantiated with list operations.
 	</p><p>
 	This formalization was performed as part of the IsaFoR/CeTA project,
 	and it has been used to certify size-change
 	termination proofs where large transitive closures have to be computed.
 	</p>
 notify = rene.thiemann@uibk.ac.at
 
 [MuchAdoAboutTwo]
 title = Much Ado About Two
 author = Sascha Böhme <http://www21.in.tum.de/~boehmes/>
 date = 2007-11-06
 topic = Computer science/Algorithms
 abstract = This article is an Isabelle formalisation of a paper with the same title. In a similar way as Knuth's 0-1-principle for sorting algorithms, that paper develops a 0-1-2-principle for parallel prefix computations.
 notify = boehmes@in.tum.de
 
 [DiskPaxos]
 title = Proving the Correctness of Disk Paxos
 date = 2005-06-22
 author = Mauro Jaskelioff <http://www.fceia.unr.edu.ar/~mauro/>, Stephan Merz <http://www.loria.fr/~merz>
 topic = Computer science/Algorithms/Distributed
 abstract = Disk Paxos is an algorithm for building arbitrary fault-tolerant distributed systems. The specification of Disk Paxos has been proved correct informally and tested using the TLC model checker, but up to now, it has never been fully formally verified. In this work we have formally verified its correctness using the Isabelle theorem prover and the HOL logic system, showing that Isabelle is a practical tool for verifying properties of TLA+ specifications.
 notify = kleing@cse.unsw.edu.au
 
 [GenClock]
 title = Formalization of a Generalized Protocol for Clock Synchronization
 author = Alwen Tiu <http://users.cecs.anu.edu.au/~tiu/>
 date = 2005-06-24
 topic = Computer science/Algorithms/Distributed
 abstract = We formalize the generalized Byzantine fault-tolerant clock synchronization protocol of Schneider. This protocol abstracts from particular algorithms or implementations for clock synchronization. This abstraction includes several assumptions on the behaviors of physical clocks and on general properties of concrete algorithms/implementations. Based on these assumptions the correctness of the protocol is proved by Schneider. His proof was later verified by Shankar using the theorem prover EHDM (precursor to PVS). Our formalization in Isabelle/HOL is based on Shankar's formalization.
 notify = kleing@cse.unsw.edu.au
 
 [ClockSynchInst]
 title = Instances of Schneider's generalized protocol of clock synchronization
 author = Damián Barsotti <http://www.cs.famaf.unc.edu.ar/~damian/>
 date = 2006-03-15
 topic = Computer science/Algorithms/Distributed
 abstract = F. B. Schneider ("Understanding protocols for Byzantine clock synchronization") generalizes a number of protocols for Byzantine fault-tolerant clock synchronization and presents a uniform proof for their correctness. In Schneider's schema, each processor maintains a local clock by periodically adjusting each value to one computed by a convergence function applied to the readings of all the clocks. Then, correctness of an algorithm, i.e. that the readings of two clocks at any time are within a fixed bound of each other, is based upon some conditions on the convergence function. To prove that a particular clock synchronization algorithm is correct it suffices to show that the convergence function used by the algorithm meets Schneider's conditions. Using the theorem prover Isabelle, we formalize the proofs that the convergence functions of two algorithms, namely, the Interactive Convergence Algorithm (ICA) of Lamport and Melliar-Smith and the Fault-tolerant Midpoint algorithm of Lundelius-Lynch, meet Schneider's conditions. Furthermore, we experiment on handling some parts of the proofs with fully automatic tools like ICS and CVC-lite. These theories are part of a joint work with Alwen Tiu and Leonor P. Nieto <a href="http://users.rsise.anu.edu.au/~tiu/clocksync.pdf">"Verification of Clock Synchronization Algorithms: Experiments on a combination of deductive tools"</a> in proceedings of AVOCS 2005. In this work the correctness of Schneider schema was also verified using Isabelle (entry <a href="GenClock.html">GenClock</a> in AFP).
 notify = kleing@cse.unsw.edu.au
 
 [Heard_Of]
 title = Verifying Fault-Tolerant Distributed Algorithms in the Heard-Of Model
 date = 2012-07-27
 author = Henri Debrat <mailto:henri.debrat@loria.fr>, Stephan Merz <http://www.loria.fr/~merz>
 topic = Computer science/Algorithms/Distributed
 abstract =
 	Distributed computing is inherently based on replication, promising
 	increased tolerance to failures of individual computing nodes or
 	communication channels. Realizing this promise, however, involves
 	quite subtle algorithmic mechanisms, and requires precise statements
 	about the kinds and numbers of faults that an algorithm tolerates (such
 	as process crashes, communication faults or corrupted values).  The
 	landmark theorem due to Fischer, Lynch, and Paterson shows that it is
 	impossible to achieve Consensus among N asynchronously communicating
 	nodes in the presence of even a single permanent failure. Existing
 	solutions must rely on assumptions of "partial synchrony".
 	<p>
 	Indeed, there have been numerous misunderstandings on what exactly a given
 	algorithm is supposed to realize in what kinds of environments. Moreover, the
 	abundance of subtly different computational models complicates comparisons
 	between different algorithms. Charron-Bost and Schiper introduced the Heard-Of
 	model for representing algorithms and failure assumptions in a uniform
 	framework, simplifying comparisons between algorithms.
 	<p>
 	In this contribution, we represent the Heard-Of model in Isabelle/HOL. We define
 	two semantics of runs of algorithms with different unit of atomicity and relate
 	these through a reduction theorem that allows us to verify algorithms in the
 	coarse-grained semantics (where proofs are easier) and infer their correctness
 	for the fine-grained one (which corresponds to actual executions). We
 	instantiate the framework by verifying six Consensus algorithms that differ in
 	the underlying algorithmic mechanisms and the kinds of faults they tolerate.
 notify = Stephan.Merz@loria.fr
 
 [Consensus_Refined]
 title = Consensus Refined
 date = 2015-03-18
 author = Ognjen Maric <>, Christoph Sprenger <mailto:sprenger@inf.ethz.ch>
 topic = Computer science/Algorithms/Distributed
 abstract =
 	Algorithms for solving the consensus problem are fundamental to
 	distributed computing. Despite their brevity, their
 	ability to operate in concurrent, asynchronous and failure-prone
 	environments comes at the cost of complex and subtle
 	behaviors. Accordingly, understanding how they work and proving
 	their correctness is a non-trivial endeavor where abstraction
 	is immensely helpful.
 	Moreover, research on consensus has yielded a large number of
 	algorithms, many of which appear to share common algorithmic
 	ideas. A natural question is whether and how these similarities can
 	be distilled and described in a precise, unified way.
 	In this work, we combine stepwise refinement and
 	lockstep models to provide an abstract and unified
 	view of a sizeable family of consensus algorithms. Our models
 	provide insights into the design choices underlying the different
 	algorithms, and classify them based on those choices.
 notify = sprenger@inf.ethz.ch
 
 [Key_Agreement_Strong_Adversaries]
 title = Refining Authenticated Key Agreement with Strong Adversaries
 author = Joseph Lallemand <mailto:joseph.lallemand@loria.fr>, Christoph Sprenger <mailto:sprenger@inf.ethz.ch>
 topic = Computer science/Security
 license = LGPL
 date = 2017-01-31
 notify = joseph.lallemand@loria.fr, sprenger@inf.ethz.ch
 abstract =
   We develop a family of key agreement protocols that are correct by
   construction. Our work substantially extends prior work on developing
   security protocols by refinement. First, we strengthen the adversary
   by allowing him to compromise different resources of protocol
   participants, such as their long-term keys or their session keys. This
   enables the systematic development of protocols that ensure strong
   properties such as perfect forward secrecy. Second, we broaden the
   class of protocols supported to include those with non-atomic keys and
   equationally defined cryptographic operators. We use these extensions
   to develop key agreement protocols including signed Diffie-Hellman and
   the core of IKEv1 and SKEME.
 
 [Security_Protocol_Refinement]
 title = Developing Security Protocols by Refinement
 author = Christoph Sprenger <mailto:sprenger@inf.ethz.ch>, Ivano Somaini<>
 topic = Computer science/Security
 license = LGPL
 date = 2017-05-24
 notify = sprenger@inf.ethz.ch
 abstract =
   We propose a development method for security protocols based on
   stepwise refinement. Our refinement strategy transforms abstract
   security goals into protocols that are secure when operating over an
   insecure channel controlled by a Dolev-Yao-style intruder. As
   intermediate levels of abstraction, we employ messageless guard
   protocols and channel protocols communicating over channels with
   security properties. These abstractions provide insights on why
   protocols are secure and foster the development of families of
   protocols sharing common structure and properties. We have implemented
   our method in Isabelle/HOL and used it to develop different entity
   authentication and key establishment protocols, including realistic
   features such as key confirmation, replay caches, and encrypted
   tickets. Our development highlights that guard protocols and channel
   protocols provide fundamental abstractions for bridging the gap
   between security properties and standard protocol descriptions based
   on cryptographic messages. It also shows that our refinement approach
   scales to protocols of nontrivial size and complexity.
 
 [Abortable_Linearizable_Modules]
 title = Abortable Linearizable Modules
 author = Rachid Guerraoui <mailto:rachid.guerraoui@epfl.ch>, Viktor Kuncak <http://lara.epfl.ch/~kuncak/>, Giuliano Losa <mailto:giuliano.losa@epfl.ch>
 date = 2012-03-01
 topic = Computer science/Algorithms/Distributed
 abstract =
 	We define the Abortable Linearizable Module automaton (ALM for short)
 	and prove its key composition property using the IOA theory of
 	HOLCF. The ALM is at the heart of the Speculative Linearizability
 	framework. This framework simplifies devising correct speculative
 	algorithms by enabling their decomposition into independent modules
 	that can be analyzed and proved correct in isolation. It is
 	particularly useful when working in a distributed environment, where
 	the need to tolerate faults and asynchrony has made current
 	monolithic protocols so intricate that it is no longer tractable to
 	check their correctness. Our theory contains a typical example of a
 	refinement proof in the I/O-automata framework of Lynch and Tuttle.
 notify = giuliano@losa.fr, nipkow@in.tum.de
 
 [Amortized_Complexity]
 title = Amortized Complexity Verified
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2014-07-07
 topic = Computer science/Data structures
 abstract =
 	A framework for the analysis of the amortized complexity of functional
 	data structures is formalized in Isabelle/HOL and applied to a number of
 	standard examples and to the folowing non-trivial ones: skew heaps,
 	splay trees, splay heaps and pairing heaps.
 	<p>
 	A preliminary version of this work (without pairing heaps) is described
 	in a <a href="http://www21.in.tum.de/~nipkow/pubs/itp15.html">paper</a>
 	published in the proceedings of the conference on Interactive
 	Theorem Proving ITP 2015. An extended version of this publication
 	is available <a href="http://www21.in.tum.de/~nipkow/pubs/jfp16.html">here</a>.
 extra-history =
 	Change history:
 	[2015-03-17]: Added pairing heaps by Hauke Brinkop.<br>
 	[2016-07-12]: Moved splay heaps from here to Splay_Tree<br>
 	[2016-07-14]: Moved pairing heaps from here to the new Pairing_Heap
 notify = nipkow@in.tum.de
 
 [Dynamic_Tables]
 title = Parameterized Dynamic Tables
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2015-06-07
 topic = Computer science/Data structures
 abstract =
 	This article formalizes the amortized analysis of dynamic tables
 	parameterized with their minimal and maximal load factors and the
 	expansion and contraction factors.
 	<P>
 	A full description is found in a
 	<a href="http://www21.in.tum.de/~nipkow/pubs">companion paper</a>.
 notify = nipkow@in.tum.de
 
 [AVL-Trees]
 title = AVL Trees
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>, Cornelia Pusch <>
 date = 2004-03-19
 topic = Computer science/Data structures
 abstract = Two formalizations of AVL trees with room for extensions. The first formalization is monolithic and shorter, the second one in two stages, longer and a bit simpler. The final implementation is the same. If you are interested in developing this further, please contact <tt>gerwin.klein@nicta.com.au</tt>.
 extra-history =
 	Change history:
 	[2011-04-11]: Ondrej Kuncar added delete function
 notify = kleing@cse.unsw.edu.au
 
 [BDD]
 title = BDD Normalisation
 author = Veronika Ortner <>, Norbert Schirmer <>
 date = 2008-02-29
 topic = Computer science/Data structures
 abstract = We present the verification of the normalisation of a binary decision diagram (BDD). The normalisation follows the original algorithm presented by Bryant in 1986 and transforms an ordered BDD in a reduced, ordered and shared BDD. The verification is based on Hoare logics.
 notify = kleing@cse.unsw.edu.au, norbert.schirmer@web.de
 
 [BinarySearchTree]
 title = Binary Search Trees
 author = Viktor Kuncak <http://lara.epfl.ch/~kuncak/>
 date = 2004-04-05
 topic = Computer science/Data structures
 abstract = The correctness is shown of binary search tree operations (lookup, insert and remove) implementing a set. Two versions are given, for both structured and linear (tactic-style) proofs. An implementation of integer-indexed maps is also verified.
 notify = lp15@cam.ac.uk
 
 [Splay_Tree]
 title = Splay Tree
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 notify = nipkow@in.tum.de
 date = 2014-08-12
 topic = Computer science/Data structures
 abstract =
 	Splay trees are self-adjusting binary search trees which were invented by Sleator and Tarjan [JACM 1985].
 	This entry provides executable and verified functional splay trees
 	as well as the related splay heaps (due to Okasaki).
 	<p>
 	The amortized complexity of splay trees and heaps is analyzed in the AFP entry
 	<a href="http://isa-afp.org/entries/Amortized_Complexity.html">Amortized Complexity</a>.
 extra-history =
 	Change history:
 	[2016-07-12]: Moved splay heaps here from Amortized_Complexity
 
 [Root_Balanced_Tree]
 title = Root-Balanced Tree
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 notify = nipkow@in.tum.de
 date = 2017-08-20
 topic = Computer science/Data structures
 abstract =
  <p>
  Andersson introduced <em>general balanced trees</em>,
  search trees based on the design principle of partial rebuilding:
  perform update operations naively until the tree becomes too
  unbalanced, at which point a whole subtree is rebalanced.  This article
  defines and analyzes a functional version of general balanced trees,
  which we call <em>root-balanced trees</em>. Using a lightweight model
  of execution time, amortized logarithmic complexity is verified in
  the theorem prover Isabelle.
  </p>
  <p>
  This is the Isabelle formalization of the material decribed in the APLAS 2017 article
  <a href="http://www21.in.tum.de/~nipkow/pubs/aplas17.html">Verified Root-Balanced Trees</a>
  by the same author, which also presents experimental results that show
  competitiveness of root-balanced with AVL and red-black trees.
  </p>
 
 [Skew_Heap]
 title = Skew Heap
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2014-08-13
 topic = Computer science/Data structures
 abstract =
 	Skew heaps are an amazingly simple and lightweight implementation of
 	priority queues. They were invented by Sleator and Tarjan [SIAM 1986]
 	and have logarithmic amortized complexity. This entry provides executable
 	and verified functional skew heaps.
 	<p>
 	The amortized complexity of skew heaps is analyzed in the AFP entry
 	<a href="http://isa-afp.org/entries/Amortized_Complexity.html">Amortized Complexity</a>.
 notify = nipkow@in.tum.de
 
 [Pairing_Heap]
 title = Pairing Heap
 author = Hauke Brinkop <mailto:hauke.brinkop@googlemail.com>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2016-07-14
 topic = Computer science/Data structures
 abstract =
 	This library defines three different versions of pairing heaps: a
 	functional version of the original design based on binary
 	trees [Fredman et al. 1986], the version by Okasaki [1998] and
 	a modified version of the latter that is free of structural invariants.
 	<p>
 	The amortized complexity of pairing heaps is analyzed in the AFP article
 	<a href="http://isa-afp.org/entries/Amortized_Complexity.html">Amortized Complexity</a>.
 extra-0 = Origin: This library was extracted from Amortized Complexity and extended.
 notify = nipkow@in.tum.de
 
 [Priority_Queue_Braun]
 title = Priority Queues Based on Braun Trees
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2014-09-04
 topic = Computer science/Data structures
 abstract =
   This entry verifies priority queues based on Braun trees. Insertion
   and deletion take logarithmic time and preserve the balanced nature
   of Braun trees. Two implementations of deletion are provided.
 notify = nipkow@in.tum.de
 extra-history =
   Change history:
 	[2019-12-16]: Added theory Priority_Queue_Braun2 with second version of del_min
 
 [Binomial-Queues]
 title = Functional Binomial Queues
 author = René Neumann <mailto:neumannr@in.tum.de>
 date = 2010-10-28
 topic = Computer science/Data structures
 abstract = Priority queues are an important data structure and efficient implementations of them are crucial. We implement a functional variant of binomial queues in Isabelle/HOL and show its functional correctness. A verification against an abstract reference specification of priority queues has also been attempted, but could not be achieved to the full extent.
 notify = florian.haftmann@informatik.tu-muenchen.de
 
 [Binomial-Heaps]
 title = Binomial Heaps and Skew Binomial Heaps
 author = Rene Meis <mailto:rene.meis@uni-muenster.de>, Finn Nielsen <mailto:finn.nielsen@uni-muenster.de>, Peter Lammich <http://www21.in.tum.de/~lammich>
 date = 2010-10-28
 topic = Computer science/Data structures
 abstract =
 	We implement and prove correct binomial heaps and skew binomial heaps.
 	Both are data-structures for priority queues.
 	While binomial heaps have logarithmic <em>findMin</em>, <em>deleteMin</em>,
 	<em>insert</em>, and <em>meld</em> operations,
 	skew binomial heaps have constant time <em>findMin</em>, <em>insert</em>,
 	and <em>meld</em> operations, and only the <em>deleteMin</em>-operation is
 	logarithmic. This is achieved by using <em>skew links</em> to avoid
 	cascading linking on <em>insert</em>-operations, and <em>data-structural
 	bootstrapping</em> to get constant-time <em>findMin</em> and <em>meld</em>
 	operations.  Our implementation follows the paper by Brodal and Okasaki.
 notify = peter.lammich@uni-muenster.de
 
 [Finger-Trees]
 title = Finger Trees
 author = Benedikt Nordhoff <mailto:b_nord01@uni-muenster.de>, Stefan Körner <mailto:s_koer03@uni-muenster.de>, Peter Lammich <http://www21.in.tum.de/~lammich>
 date = 2010-10-28
 topic = Computer science/Data structures
 abstract =
 	We implement and prove correct 2-3 finger trees.
 	Finger trees are a general purpose data structure, that can be used to
 	efficiently implement other data structures, such as priority queues.
 	Intuitively, a finger tree is an annotated sequence, where the annotations are
 	elements of a monoid. Apart from operations to access the ends of the sequence,
 	the main operation is to split the sequence at the point where a
 	<em>monotone predicate</em> over the sum of the left part of the sequence
 	becomes true for the first time.
 	The implementation follows the paper of Hinze and Paterson.
 	The code generator can be used to get efficient, verified code.
 notify = peter.lammich@uni-muenster.de
 
 [Trie]
 title = Trie
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2015-03-30
 topic = Computer science/Data structures
 abstract =
 	This article formalizes the ``trie'' data structure invented by
 	Fredkin [CACM 1960]. It also provides a specialization where the entries
 	in the trie are lists.
 extra-0 =
 	Origin: This article was extracted from existing articles by the authors.
 notify = nipkow@in.tum.de
 
 [FinFun]
 title = Code Generation for Functions as Data
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>
 date = 2009-05-06
 topic = Computer science/Data structures
 abstract = FinFuns are total functions that are constant except for a finite set of points, i.e. a generalisation of finite maps. They are formalised as a new type in Isabelle/HOL such that the code generator can handle equality tests and quantification on FinFuns. On the code output level, FinFuns are explicitly represented by constant functions and pointwise updates, similarly to associative lists. Inside the logic, they behave like ordinary functions with extensionality. Via the update/constant pattern, a recursion combinator and an induction rule for FinFuns allow for defining and reasoning about operators on FinFun that are also executable.
 extra-history =
 	Change history:
 	[2010-08-13]:
 	new concept domain of a FinFun as a FinFun
 	(revision 34b3517cbc09)<br>
 	[2010-11-04]:
 	new conversion function from FinFun to list of elements in the domain
 	(revision 0c167102e6ed)<br>
 	[2012-03-07]:
 	replace sets as FinFuns by predicates as FinFuns because the set type constructor has been reintroduced
 	(revision b7aa87989f3a)
 notify = nipkow@in.tum.de
 
 [Collections]
 title = Collections Framework
 author = Peter Lammich <http://www21.in.tum.de/~lammich>
 contributors = Andreas Lochbihler <http://www.andreas-lochbihler.de>, Thomas Tuerk <>
 date = 2009-11-25
 topic = Computer science/Data structures
 abstract = This development provides an efficient, extensible, machine checked collections framework. The library adopts the concepts of interface, implementation and generic algorithm from object-oriented programming and implements them in Isabelle/HOL. The framework features the use of data refinement techniques to refine an abstract specification (using high-level concepts like sets) to a more concrete implementation (using collection datastructures, like red-black-trees). The code-generator of Isabelle/HOL can be used to generate efficient code.
 extra-history =
 	Change history:
 	[2010-10-08]: New Interfaces: OrderedSet, OrderedMap, List.
 	Fifo now implements list-interface: Function names changed: put/get --> enqueue/dequeue.
 	New Implementations: ArrayList, ArrayHashMap, ArrayHashSet, TrieMap, TrieSet.
 	Invariant-free datastructures: Invariant implicitely hidden in typedef.
 	Record-interfaces: All operations of an interface encapsulated as record.
 	Examples moved to examples subdirectory.<br>
 	[2010-12-01]: New Interfaces: Priority Queues, Annotated Lists. Implemented by finger trees, (skew) binomial queues.<br>
 	[2011-10-10]: SetSpec: Added operations: sng, isSng, bexists, size_abort, diff, filter, iterate_rule_insertP
 	MapSpec: Added operations: sng, isSng, iterate_rule_insertP, bexists, size, size_abort, restrict,
 	map_image_filter, map_value_image_filter
 	Some maintenance changes<br>
 	[2012-04-25]: New iterator foundation by Tuerk. Various maintenance changes.<br>
 	[2012-08]: Collections V2. New features: Polymorphic iterators. Generic algorithm instantiation where required. Naming scheme changed from xx_opname to xx.opname.
 	A compatibility file CollectionsV1 tries to simplify porting of existing theories, by providing old naming scheme and the old monomorphic iterator locales.<br>
 	[2013-09]: Added Generic Collection Framework based on Autoref. The GenCF provides: Arbitrary nesting, full integration with Autoref.<br>
 	[2014-06]: Maintenace changes to GenCF: Optimized inj_image on list_set. op_set_cart (Cartesian product). big-Union operation. atLeastLessThan - operation ({a..&lt;b})<br>
 notify = lammich@in.tum.de
 
 [Containers]
 title = Light-weight Containers
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>
 contributors = René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 date = 2013-04-15
 topic = Computer science/Data structures
 abstract =
 	This development provides a framework for container types like sets and maps such that generated code implements these containers with different (efficient) data structures.
 	Thanks to type classes and refinement during code generation, this light-weight approach can seamlessly replace Isabelle's default setup for code generation.
 	Heuristics automatically pick one of the available data structures depending on the type of elements to be stored, but users can also choose on their own.
 	The extensible design permits to add more implementations at any time.
 	<p>
 	To support arbitrary nesting of sets, we define a linear order on sets based on a linear order of the elements and provide efficient implementations.
 	It even allows to compare complements with non-complements.
 extra-history =
 	Change history:
 	[2013-07-11]: add pretty printing for sets (revision 7f3f52c5f5fa)<br>
 	[2013-09-20]:
 	provide generators for canonical type class instantiations
 	(revision 159f4401f4a8 by René Thiemann)<br>
 	[2014-07-08]: add support for going from partial functions to mappings (revision 7a6fc957e8ed)<br>
         [2018-03-05]: add two application examples: depth-first search and 2SAT (revision e5e1a1da2411)
 notify = mail@andreas-lochbihler.de
 
 [FileRefinement]
 title = File Refinement
 author = Karen Zee <http://www.mit.edu/~kkz/>, Viktor Kuncak <http://lara.epfl.ch/~kuncak/>
 date = 2004-12-09
 topic = Computer science/Data structures
 abstract = These theories illustrates the verification of basic file operations (file creation, file read and file write) in the Isabelle theorem prover. We describe a file at two levels of abstraction: an abstract file represented as a resizable array, and a concrete file represented using data blocks.
 notify = kkz@mit.edu
 
 [Datatype_Order_Generator]
 title = Generating linear orders for datatypes
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 date = 2012-08-07
 topic = Computer science/Data structures
 abstract =
 	We provide a framework for registering automatic methods to derive
 	class instances of datatypes, as it is possible using Haskell's ``deriving Ord, Show, ...'' feature.
 	<p>
 	We further implemented such automatic methods to derive (linear) orders or hash-functions which are
 	required in the Isabelle Collection Framework. Moreover, for the tactic of Huffman and Krauss to show that a
 	datatype is countable, we implemented a wrapper so that this tactic becomes accessible in our framework.
 	<p>
 	Our formalization was performed as part of the <a href="http://cl-informatik.uibk.ac.at/software/ceta">IsaFoR/CeTA</a> project.
 	With our new tactic we could completely remove
 	tedious proofs for linear orders of two datatypes.
 	<p>
 	This development is aimed at datatypes generated by the "old_datatype"
 	command.
 notify = rene.thiemann@uibk.ac.at
 
 [Deriving]
 title = Deriving class instances for datatypes
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 date = 2015-03-11
 topic = Computer science/Data structures
 abstract =
 	<p>We provide a framework for registering automatic methods
 	to derive class instances of datatypes,
 	as it is possible using Haskell's ``deriving Ord, Show, ...'' feature.</p>
 	<p>We further implemented such automatic methods to derive comparators, linear orders, parametrizable equality functions,
 	and hash-functions which are required in the
 	Isabelle Collection Framework and the Container Framework.
 	Moreover, for the tactic of Blanchette to show that a datatype is countable, we implemented a
 	wrapper so that this tactic becomes accessible in our framework. All of the generators are based on
 	the infrastructure that is provided by the BNF-based datatype package.</p>
 	<p>Our formalization was performed as part of the <a href="http://cl-informatik.uibk.ac.at/software/ceta">IsaFoR/CeTA</a> project.
 	With our new tactics we could remove
 	several tedious proofs for (conditional) linear orders, and conditional equality operators
 	within IsaFoR and the Container Framework.</p>
 notify = rene.thiemann@uibk.ac.at
 
 [List-Index]
 title = List Index
 date = 2010-02-20
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 topic = Computer science/Data structures
 abstract = This theory provides functions for finding the index of an element in a list, by predicate and by value.
 notify = nipkow@in.tum.de
 
 [List-Infinite]
 title = Infinite Lists
 date = 2011-02-23
 author = David Trachtenherz <>
 topic = Computer science/Data structures
 abstract = We introduce a theory of infinite lists in HOL formalized as functions over naturals (folder ListInf, theories ListInf and ListInf_Prefix). It also provides additional results for finite lists (theory ListInf/List2), natural numbers (folder CommonArith, esp. division/modulo, naturals with infinity), sets (folder CommonSet, esp. cutting/truncating sets, traversing sets of naturals).
 notify = nipkow@in.tum.de
 
 [Matrix]
 title = Executable Matrix Operations on Matrices of Arbitrary Dimensions
 topic = Computer science/Data structures
 date = 2010-06-17
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <http://cl-informatik.uibk.ac.at/~thiemann>
 license = LGPL
 abstract =
 	We provide the operations of matrix addition, multiplication,
 	transposition, and matrix comparisons as executable functions over
 	ordered semirings. Moreover, it is proven that strongly normalizing
 	(monotone) orders can be lifted to strongly normalizing (monotone) orders
 	over matrices. We further show that the standard semirings over the
 	naturals, integers, and rationals, as well as the arctic semirings
 	satisfy the axioms that are required by our matrix theory. Our
 	formalization is part of the <a
 	href="http://cl-informatik.uibk.ac.at/software/ceta">CeTA</a> system
 	which contains several termination techniques. The provided theories have
 	been essential to formalize matrix-interpretations and arctic
 	interpretations.
 extra-history =
 	Change history:
 	[2010-09-17]: Moved theory on arbitrary (ordered) semirings to Abstract Rewriting.
 notify = rene.thiemann@uibk.ac.at, christian.sternagel@uibk.ac.at
 
 [Matrix_Tensor]
 title = Tensor Product of Matrices
 topic = Computer science/Data structures, Mathematics/Algebra
 date = 2016-01-18
 author = T.V.H. Prathamesh <mailto:prathamesh@imsc.res.in>
 abstract =
 	In this work, the Kronecker tensor product of matrices and the proofs of
 	some of its properties are formalized. Properties which have been formalized
 	include associativity of the tensor product and the mixed-product
 	property.
 notify = prathamesh@imsc.res.in
 
 [Huffman]
 title = The Textbook Proof of Huffman's Algorithm
 author = Jasmin Christian Blanchette <http://www21.in.tum.de/~blanchet>
 date = 2008-10-15
 topic = Computer science/Data structures
 abstract = Huffman's algorithm is a procedure for constructing a binary tree with minimum weighted path length. This report presents a formal proof of the correctness of Huffman's algorithm written using Isabelle/HOL. Our proof closely follows the sketches found in standard algorithms textbooks, uncovering a few snags in the process. Another distinguishing feature of our formalization is the use of custom induction rules to help Isabelle's automatic tactics, leading to very short proofs for most of the lemmas.
 notify = jasmin.blanchette@gmail.com
 
 [Partial_Function_MR]
 title = Mutually Recursive Partial Functions
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 topic = Computer science/Functional programming
 date = 2014-02-18
 license = LGPL
 abstract = We provide a wrapper around the partial-function command that supports mutual recursion.
 notify = rene.thiemann@uibk.ac.at
 
 [Lifting_Definition_Option]
 title = Lifting Definition Option
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 topic = Computer science/Functional programming
 date = 2014-10-13
 license = LGPL
 abstract =
 	We implemented a command that can be used to easily generate
 	elements of a restricted type <tt>{x :: 'a. P x}</tt>,
 	provided the definition is of the form
 	<tt>f ys = (if check ys then Some(generate ys :: 'a) else None)</tt> where
 	<tt>ys</tt> is a list of variables <tt>y1 ... yn</tt> and
 	<tt>check ys ==> P(generate ys)</tt> can be proved.
 	<p>
 	In principle, such a definition is also directly possible using the
 	<tt>lift_definition</tt> command. However, then this definition will not be
 	suitable for code-generation. To this end, we automated a more complex
 	construction of Joachim Breitner which is amenable for code-generation, and
 	where the test <tt>check ys</tt> will only be performed once.  In the
 	automation, one auxiliary type is created, and Isabelle's lifting- and
 	transfer-package is invoked several times.
 notify = rene.thiemann@uibk.ac.at
 
 [Coinductive]
 title = Coinductive
 topic = Computer science/Functional programming
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>
 contributors = Johannes Hölzl <mailto:hoelzl@in.tum.de>
 date = 2010-02-12
 abstract = This article collects formalisations of general-purpose coinductive data types and sets. Currently, it contains coinductive natural numbers, coinductive lists, i.e. lazy lists or streams, infinite streams, coinductive terminated lists, coinductive resumptions, a library of operations on coinductive lists, and a version of König's lemma as an application for coinductive lists.<br>The initial theory was contributed by Paulson and Wenzel. Extensions and other coinductive formalisations of general interest are welcome.
 extra-history =
 	Change history:
 	[2010-06-10]:
 	coinductive lists: setup for quotient package
 	(revision 015574f3bf3c)<br>
 	[2010-06-28]:
 	new codatatype terminated lazy lists
 	(revision e12de475c558)<br>
 	[2010-08-04]:
 	terminated lazy lists: setup for quotient package;
 	more lemmas
 	(revision 6ead626f1d01)<br>
 	[2010-08-17]:
 	Koenig's lemma as an example application for coinductive lists
 	(revision f81ce373fa96)<br>
 	[2011-02-01]:
 	lazy implementation of coinductive (terminated) lists for the code generator
 	(revision 6034973dce83)<br>
 	[2011-07-20]:
 	new codatatype resumption
 	(revision 811364c776c7)<br>
 	[2012-06-27]:
 	new codatatype stream with operations (with contributions by Peter Gammie)
 	(revision dd789a56473c)<br>
 	[2013-03-13]:
 	construct codatatypes with the BNF package and adjust the definitions and proofs,
 	setup for lifting and transfer packages
 	(revision f593eda5b2c0)<br>
 	[2013-09-20]:
 	stream theory uses type and operations from HOL/BNF/Examples/Stream
 	(revision 692809b2b262)<br>
 	[2014-04-03]:
 	ccpo structure on codatatypes used to define ldrop, ldropWhile, lfilter, lconcat as least fixpoint;
 	ccpo topology on coinductive lists contributed by Johannes Hölzl;
 	added examples
 	(revision 23cd8156bd42)<br>
 notify = mail@andreas-lochbihler.de
 
 [Stream-Fusion]
 title = Stream Fusion
 author = Brian Huffman <http://cs.pdx.edu/~brianh>
 topic = Computer science/Functional programming
 date = 2009-04-29
 abstract = Stream Fusion is a system for removing intermediate list structures from Haskell programs; it consists of a Haskell library along with several compiler rewrite rules. (The library is available <a href="http://hackage.haskell.org/package/stream-fusion">online</a>.)<br><br>These theories contain a formalization of much of the Stream Fusion library in HOLCF. Lazy list and stream types are defined, along with coercions between the two types, as well as an equivalence relation for streams that generate the same list. List and stream versions of map, filter, foldr, enumFromTo, append, zipWith, and concatMap are defined, and the stream versions are shown to respect stream equivalence.
 notify = brianh@cs.pdx.edu
 
 [Tycon]
 title = Type Constructor Classes and Monad Transformers
 author = Brian Huffman <mailto:huffman@in.tum.de>
 date = 2012-06-26
 topic = Computer science/Functional programming
 abstract =
 	These theories contain a formalization of first class type constructors
 	and axiomatic constructor classes for HOLCF. This work is described
 	in detail in the ICFP 2012 paper <i>Formal Verification of Monad
 	Transformers</i> by the author. The formalization is a revised and
 	updated version of earlier joint work with Matthews and White.
 	<P>
 	Based on the hierarchy of type classes in Haskell, we define classes
 	for functors, monads, monad-plus, etc. Each one includes all the
 	standard laws as axioms. We also provide a new user command,
 	tycondef, for defining new type constructors in HOLCF. Using tycondef,
 	we instantiate the type class hierarchy with various monads and monad
 	transformers.
 notify = huffman@in.tum.de
 
 [CoreC++]
 title = CoreC++
 author = Daniel Wasserrab <http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php>
 date = 2006-05-15
 topic = Computer science/Programming languages/Language definitions
 abstract = We present an operational semantics and type safety proof for multiple inheritance in C++. The semantics models the behavior of method calls, field accesses, and two forms of casts in C++ class hierarchies. For explanations see the OOPSLA 2006 paper by Wasserrab, Nipkow, Snelting and Tip.
 notify = nipkow@in.tum.de
 
 [FeatherweightJava]
 title = A Theory of Featherweight Java in Isabelle/HOL
 author = J. Nathan Foster <http://www.cs.cornell.edu/~jnfoster/>, Dimitrios Vytiniotis <http://research.microsoft.com/en-us/people/dimitris/>
 date = 2006-03-31
 topic = Computer science/Programming languages/Language definitions
 abstract = We formalize the type system, small-step operational semantics, and type soundness proof for Featherweight Java, a simple object calculus, in Isabelle/HOL.
 notify = kleing@cse.unsw.edu.au
 
 [Jinja]
 title = Jinja is not Java
 author = Gerwin Klein <http://www.cse.unsw.edu.au/~kleing/>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2005-06-01
 topic = Computer science/Programming languages/Language definitions
 abstract = We introduce Jinja, a Java-like programming language with a formal semantics designed to exhibit core features of the Java language architecture. Jinja is a compromise between realism of the language and tractability and clarity of the formal semantics. The following aspects are formalised: a big and a small step operational semantics for Jinja and a proof of their equivalence; a type system and a definite initialisation analysis; a type safety proof of the small step semantics; a virtual machine (JVM), its operational semantics and its type system; a type safety proof for the JVM; a bytecode verifier, i.e. data flow analyser for the JVM; a correctness proof of the bytecode verifier w.r.t. the type system; a compiler and a proof that it preserves semantics and well-typedness. The emphasis of this work is not on particular language features but on providing a unified model of the source language, the virtual machine and the compiler. The whole development has been carried out in the theorem prover Isabelle/HOL.
 notify = kleing@cse.unsw.edu.au, nipkow@in.tum.de
 
 [JinjaThreads]
 title = Jinja with Threads
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>
 date = 2007-12-03
 topic = Computer science/Programming languages/Language definitions
 abstract = We extend the Jinja source code semantics by Klein and Nipkow with Java-style arrays and threads. Concurrency is captured in a generic framework semantics for adding concurrency through interleaving to a sequential semantics, which features dynamic thread creation, inter-thread communication via shared memory, lock synchronisation and joins. Also, threads can suspend themselves and be notified by others. We instantiate the framework with the adapted versions of both Jinja source and byte code and show type safety for the multithreaded case. Equally, the compiler from source to byte code is extended, for which we prove weak bisimilarity between the source code small step semantics and the defensive Jinja virtual machine. On top of this, we formalise the JMM and show the DRF guarantee and consistency. For description of the different parts, see Lochbihler's papers at FOOL 2008, ESOP 2010, ITP 2011, and ESOP 2012.
 extra-history =
 	Change history:
 	[2008-04-23]:
 	added bytecode formalisation with arrays and threads, added thread joins
 	(revision f74a8be156a7)<br>
 	[2009-04-27]:
 	added verified compiler from source code to bytecode;
 	encapsulate native methods in separate semantics
 	(revision e4f26541e58a)<br>
 	[2009-11-30]:
 	extended compiler correctness proof to infinite and deadlocking computations
 	(revision e50282397435)<br>
 	[2010-06-08]:
 	added thread interruption;
 	new abstract memory model with sequential consistency as implementation
 	(revision 0cb9e8dbd78d)<br>
 	[2010-06-28]:
 	new thread interruption model
 	(revision c0440d0a1177)<br>
 	[2010-10-15]:
 	preliminary version of the Java memory model for source code
 	(revision 02fee0ef3ca2)<br>
 	[2010-12-16]:
 	improved version of the Java memory model, also for bytecode
 	executable scheduler for source code semantics
 	(revision 1f41c1842f5a)<br>
 	[2011-02-02]:
 	simplified code generator setup
 	new random scheduler
 	(revision 3059dafd013f)<br>
 	[2011-07-21]:
 	new interruption model,
 	generalized JMM proof of DRF guarantee,
 	allow class Object to declare methods and fields,
 	simplified subtyping relation,
 	corrected division and modulo implementation
 	(revision 46e4181ed142)<br>
 	[2012-02-16]:
 	added example programs
 	(revision bf0b06c8913d)<br>
 	[2012-11-21]:
 	type safety proof for the Java memory model,
 	allow spurious wake-ups
 	(revision 76063d860ae0)<br>
 	[2013-05-16]:
 	support for non-deterministic memory allocators
 	(revision cc3344a49ced)<br>
         [2017-10-20]:
         add an atomic compare-and-swap operation for volatile fields
         (revision a6189b1d6b30)<br>
 notify = mail@andreas-lochbihler.de
 
 [Locally-Nameless-Sigma]
 title = Locally Nameless Sigma Calculus
 author = Ludovic Henrio <mailto:Ludovic.Henrio@sophia.inria.fr>, Florian Kammüller <mailto:flokam@cs.tu-berlin.de>, Bianca Lutz <mailto:sowilo@cs.tu-berlin.de>, Henry Sudhof <mailto:hsudhof@cs.tu-berlin.de>
 date = 2010-04-30
 topic = Computer science/Programming languages/Language definitions
 abstract = We present a Theory of Objects based on the original functional sigma-calculus by Abadi and Cardelli but with an additional parameter to methods. We prove confluence of the operational semantics following the outline of Nipkow's proof of confluence for the lambda-calculus reusing his theory Commutation, a generic diamond lemma reduction. We furthermore formalize a simple type system for our sigma-calculus including a proof of type safety. The entire development uses the concept of Locally Nameless representation for binders. We reuse an earlier proof of confluence for a simpler sigma-calculus based on de Bruijn indices and lists to represent objects.
 notify = nipkow@in.tum.de
 
 [Attack_Trees]
 title = Attack Trees in Isabelle for GDPR compliance of IoT healthcare systems
 author = Florian Kammueller <http://www.cs.mdx.ac.uk/people/florian-kammueller/>
 topic = Computer science/Security
 date = 2020-04-27
 notify = florian.kammuller@gmail.com
 abstract =
   In this article, we present a proof theory for Attack Trees. Attack
   Trees are a well established and useful model for the construction of
   attacks on systems since they allow a stepwise exploration of high
   level attacks in application scenarios. Using the expressiveness of
   Higher Order Logic in Isabelle, we develop a generic
   theory of Attack Trees with a state-based semantics based on Kripke
   structures and CTL. The resulting framework
   allows mechanically supported logic analysis of the meta-theory of the
   proof calculus of Attack Trees and at the same time the developed
   proof theory enables application to case studies. A central
   correctness and completeness result proved in Isabelle establishes a
   connection between the notion of Attack Tree validity and CTL. The
   application is illustrated on the example of a healthcare IoT system
   and GDPR compliance verification.
 
 [AutoFocus-Stream]
 title = AutoFocus Stream Processing for Single-Clocking and Multi-Clocking Semantics
 author = David Trachtenherz <>
 date = 2011-02-23
 topic = Computer science/Programming languages/Language definitions
 abstract = We formalize the AutoFocus Semantics (a time-synchronous subset of the Focus formalism) as stream processing functions on finite and infinite message streams represented as finite/infinite lists. The formalization comprises both the conventional single-clocking semantics (uniform global clock for all components and communications channels) and its extension to multi-clocking semantics (internal execution clocking of a component may be a multiple of the external communication clocking). The semantics is defined by generic stream processing functions making it suitable for simulation/code generation in Isabelle/HOL. Furthermore, a number of AutoFocus semantics properties are formalized using definitions from the IntervalLogic theories.
 notify = nipkow@in.tum.de
 
 [FocusStreamsCaseStudies]
 title = Stream Processing Components: Isabelle/HOL Formalisation and Case Studies
 author = Maria Spichkova <mailto:maria.spichkova@rmit.edu.au>
 date = 2013-11-14
 topic = Computer science/Programming languages/Language definitions
 abstract = This set of theories presents an Isabelle/HOL formalisation of stream processing components introduced
 	in Focus,
 	a framework for formal specification and development of interactive systems.
 	This is an extended and updated version of the formalisation, which was
 	elaborated within the methodology "Focus on Isabelle".
 	In addition, we also applied the formalisation on three case studies
 	that cover different application areas: process control (Steam Boiler System),
 	data transmission (FlexRay communication protocol),
 	memory and processing components (Automotive-Gateway System).
 notify = lp15@cam.ac.uk, maria.spichkova@rmit.edu.au
 
 [Isabelle_Meta_Model]
 title = A Meta-Model for the Isabelle API
 author = Frédéric Tuong <mailto:tuong@users.gforge.inria.fr>, Burkhart Wolff <https://www.lri.fr/~wolff/>
 date = 2015-09-16
 topic = Computer science/Programming languages/Language definitions
 abstract =
 	We represent a theory <i>of</i> (a fragment of) Isabelle/HOL <i>in</i>
 	Isabelle/HOL. The purpose of this exercise is to write packages for
 	domain-specific specifications such as class models, B-machines, ...,
 	and generally speaking, any domain-specific languages whose
 	abstract syntax can be defined by a HOL "datatype". On this basis, the
 	Isabelle code-generator can then be used to generate code for global
 	context transformations as well as tactic code.
 	<p>
 	Consequently the package is geared towards
 	parsing, printing and code-generation to the Isabelle API.
 	It is at the moment not sufficiently rich for doing meta theory on
 	Isabelle itself. Extensions in this direction are possible though.
 	<p>
 	Moreover, the chosen fragment is fairly rudimentary. However it should be
 	easily adapted to one's needs if a package is written on top of it.
 	The supported API contains types, terms, transformation of
 	global context like definitions and data-type declarations as well
 	as infrastructure for Isar-setups.
 	<p>
 	This theory is drawn from the
 	<a href="http://isa-afp.org/entries/Featherweight_OCL.html">Featherweight OCL</a>
 	project where
 	it is used to construct a package for object-oriented data-type theories
 	generated from UML class diagrams. The Featherweight OCL, for example, allows for
 	both the direct execution of compiled tactic code by the Isabelle API
 	as well as the generation of ".thy"-files for debugging purposes.
 	<p>
 	Gained experience from this project shows that the compiled code is sufficiently
 	efficient for practical purposes while being based on a formal <i>model</i>
 	on which properties of the package can be proven such as termination of certain
 	transformations, correctness, etc.
 notify = tuong@users.gforge.inria.fr, wolff@lri.fr
 
 [Clean]
 title = Clean - An Abstract Imperative Programming Language and its Theory
 author = Frédéric Tuong <https://www.lri.fr/~ftuong/>, Burkhart Wolff <https://www.lri.fr/~wolff/>
 topic = Computer science/Programming languages, Computer science/Semantics
 date = 2019-10-04
 notify = wolff@lri.fr, ftuong@lri.fr
 abstract =
   Clean is based on a simple, abstract execution model for an imperative
   target language. “Abstract” is understood in contrast to “Concrete
   Semantics”; alternatively, the term “shallow-style embedding” could be
   used. It strives for a type-safe notion of program-variables, an
   incremental construction of the typed state-space, support of
   incremental verification, and open-world extensibility of new type
   definitions being intertwined with the program definitions. Clean is
   based on a “no-frills” state-exception monad with the usual
   definitions of bind and unit for the compositional glue of state-based
   computations. Clean offers conditionals and loops supporting C-like
   control-flow operators such as break and return. The state-space
   construction is based on the extensible record package. Direct
   recursion of procedures is supported. Clean’s design strives for
   extreme simplicity. It is geared towards symbolic execution and proven
   correct verification tools. The underlying libraries of this package,
   however, deliberately restrict themselves to the most elementary
   infrastructure for these tasks. The package is intended to serve as
   demonstrator semantic backend for Isabelle/C, or for the
   test-generation techniques.
 
 [PCF]
 title = Logical Relations for PCF
 author = Peter Gammie <mailto:peteg42@gmail.com>
 date = 2012-07-01
 topic = Computer science/Programming languages/Lambda calculi
 abstract = We apply Andy Pitts's methods of defining relations over domains to
 	several classical results in the literature. We show that the Y
 	combinator coincides with the domain-theoretic fixpoint operator,
 	that parallel-or and the Plotkin existential are not definable in
 	PCF, that the continuation semantics for PCF coincides with the
 	direct semantics, and that our domain-theoretic semantics for PCF is
 	adequate for reasoning about contextual equivalence in an
 	operational semantics. Our version of PCF is untyped and has both
 	strict and non-strict function abstractions. The development is
 	carried out in HOLCF.
 notify = peteg42@gmail.com
 
 [POPLmark-deBruijn]
 title = POPLmark Challenge Via de Bruijn Indices
 author = Stefan Berghofer <http://www.in.tum.de/~berghofe>
 date = 2007-08-02
 topic = Computer science/Programming languages/Lambda calculi
 abstract = We present a solution to the POPLmark challenge designed by Aydemir et al., which has as a goal the formalization of the meta-theory of System F<sub>&lt;:</sub>. The formalization is carried out in the theorem prover Isabelle/HOL using an encoding based on de Bruijn indices. We start with a relatively simple formalization covering only the basic features of System F<sub>&lt;:</sub>, and explain how it can be extended to also cover records and more advanced binding constructs.
 notify = berghofe@in.tum.de
 
 [Lam-ml-Normalization]
 title = Strong Normalization of Moggis's Computational Metalanguage
 author = Christian Doczkal <mailto:doczkal@ps.uni-saarland.de>
 date = 2010-08-29
 topic = Computer science/Programming languages/Lambda calculi
 abstract = Handling variable binding is one of the main difficulties in formal proofs. In this context, Moggi's computational metalanguage serves as an interesting case study. It features monadic types and a commuting conversion rule that rearranges the binding structure. Lindley and Stark have given an elegant proof of strong normalization for this calculus. The key construction in their proof is a notion of relational TT-lifting, using stacks of elimination contexts to obtain a Girard-Tait style logical relation. I give a formalization of their proof in Isabelle/HOL-Nominal with a particular emphasis on the treatment of bound variables.
 notify = doczkal@ps.uni-saarland.de, nipkow@in.tum.de
 
 [MiniML]
 title = Mini ML
 author = Wolfgang Naraschewski <>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2004-03-19
 topic = Computer science/Programming languages/Type systems
 abstract = This theory defines the type inference rules and the type inference algorithm <i>W</i> for MiniML (simply-typed lambda terms with <tt>let</tt>) due to Milner. It proves the soundness and completeness of <i>W</i> w.r.t. the rules.
 notify = kleing@cse.unsw.edu.au
 
 [Simpl]
 title = A Sequential Imperative Programming Language Syntax, Semantics, Hoare Logics and Verification Environment
 author = Norbert Schirmer <>
 date = 2008-02-29
 topic = Computer science/Programming languages/Language definitions, Computer science/Programming languages/Logics
 license = LGPL
 abstract = We present the theory of Simpl, a sequential imperative programming language. We introduce its syntax, its semantics (big and small-step operational semantics) and Hoare logics for both partial as well as total correctness. We prove soundness and completeness of the Hoare logic. We integrate and automate the Hoare logic in Isabelle/HOL to obtain a practically usable verification environment for imperative programs. Simpl is independent of a concrete programming language but expressive enough to cover all common language features: mutually recursive procedures, abrupt termination and exceptions, runtime faults, local and global variables, pointers and heap, expressions with side effects, pointers to procedures, partial application and closures, dynamic method invocation and also unbounded nondeterminism.
 notify = kleing@cse.unsw.edu.au, norbert.schirmer@web.de
 
 [Separation_Algebra]
 title = Separation Algebra
 author = Gerwin Klein <mailto:kleing@cse.unsw.edu.au>, Rafal Kolanski <mailto:rafal.kolanski@nicta.com.au>, Andrew Boyton <mailto:andrew.boyton@nicta.com.au>
 date = 2012-05-11
 topic = Computer science/Programming languages/Logics
 license = BSD
 abstract = We present a generic type class implementation of separation algebra for Isabelle/HOL as well as lemmas and generic tactics which can be used directly for any instantiation of the type class. <P> The ex directory contains example instantiations that include structures such as a heap or virtual memory. <P> The abstract separation algebra is based upon "Abstract Separation Logic" by Calcagno et al. These theories are also the basis of the ITP 2012 rough diamond "Mechanised Separation Algebra" by the authors. <P> The aim of this work is to support and significantly reduce the effort for future separation logic developments in Isabelle/HOL by factoring out the part of separation logic that can be treated abstractly once and for all. This includes developing typical default rule sets for reasoning as well as automated tactic support for separation logic.
 notify = kleing@cse.unsw.edu.au, rafal.kolanski@nicta.com.au
 
 [Separation_Logic_Imperative_HOL]
 title = A Separation Logic Framework for Imperative HOL
 author = Peter Lammich <http://www21.in.tum.de/~lammich>, Rene Meis <mailto:rene.meis@uni-due.de>
 date = 2012-11-14
 topic = Computer science/Programming languages/Logics
 license = BSD
 abstract =
 	We provide a framework for separation-logic based correctness proofs of
 	Imperative HOL programs. Our framework comes with a set of proof methods to
 	automate canonical tasks such as verification condition generation and
 	frame inference. Moreover, we provide a set of examples that show the
 	applicability of our framework. The examples include algorithms on lists,
 	hash-tables, and union-find trees. We also provide abstract interfaces for
 	lists, maps, and sets, that allow to develop generic imperative algorithms
 	and use data-refinement techniques.
 	<br>
 	As we target Imperative HOL, our programs can be translated to
 	efficiently executable code in various target languages, including
 	ML, OCaml, Haskell, and Scala.
 notify = lammich@in.tum.de
 
 [Inductive_Confidentiality]
 title = Inductive Study of Confidentiality
 author = Giampaolo Bella <http://www.dmi.unict.it/~giamp/>
 date = 2012-05-02
 topic = Computer science/Security
 abstract = This document contains the full theory files accompanying article <i>Inductive Study of Confidentiality --- for Everyone</i> in <i>Formal Aspects of Computing</i>. They aim at an illustrative and didactic presentation of the Inductive Method of protocol analysis, focusing on the treatment of one of the main goals of security protocols: confidentiality against a threat model. The treatment of confidentiality, which in fact forms a key aspect of all protocol analysis tools, has been found cryptic by many learners of the Inductive Method, hence the motivation for this work. The theory files in this document guide the reader step by step towards design and proof of significant confidentiality theorems. These are developed against two threat models, the standard Dolev-Yao and a more audacious one, the General Attacker, which turns out to be particularly useful also for teaching purposes.
 notify = giamp@dmi.unict.it
 
 [Possibilistic_Noninterference]
 title = Possibilistic Noninterference
 author = Andrei Popescu <mailto:uuomul@yahoo.com>, Johannes Hölzl <mailto:hoelzl@in.tum.de>
 date = 2012-09-10
 topic = Computer science/Security, Computer science/Programming languages/Type systems
 abstract = We formalize a wide variety of Volpano/Smith-style  noninterference
 	notions for a while language with parallel composition.
 	We systematize and classify these notions according to
 	compositionality w.r.t. the language constructs. Compositionality
 	yields sound syntactic criteria (a.k.a. type systems) in a uniform way.
 	<p>
 	An <a href="http://www21.in.tum.de/~nipkow/pubs/cpp12.html">article</a>
 	about these proofs is published in the proceedings
 	of the conference Certified Programs and Proofs 2012.
 notify = hoelzl@in.tum.de
 
 [SIFUM_Type_Systems]
 title = A Formalization of Assumptions and Guarantees for Compositional Noninterference
 author = Sylvia Grewe <mailto:grewe@cs.tu-darmstadt.de>, Heiko Mantel <mailto:mantel@mais.informatik.tu-darmstadt.de>, Daniel Schoepe <mailto:daniel@schoepe.org>
 date = 2014-04-23
 topic = Computer science/Security, Computer science/Programming languages/Type systems
 abstract = Research in information-flow security aims at developing methods to
 	identify undesired information leaks within programs from private
 	(high) sources to public (low) sinks. For a concurrent system, it is
 	desirable to have compositional analysis methods that allow for
 	analyzing each thread independently and that nevertheless guarantee
 	that the parallel composition of successfully analyzed threads
 	satisfies a global security guarantee. However, such a compositional
 	analysis should not be overly pessimistic about what an environment
 	might do with shared resources. Otherwise, the analysis will reject
 	many intuitively secure programs.
 	<p>
 	The paper "Assumptions and Guarantees for Compositional
 	Noninterference" by Mantel et. al. presents one solution for this problem:
 	an approach for compositionally reasoning about non-interference in
 	concurrent programs via rely-guarantee-style reasoning.  We present an
 	Isabelle/HOL formalization of the concepts and proofs of this approach.
 notify = grewe@cs.tu-darmstadt.de
 
 [Dependent_SIFUM_Type_Systems]
 title = A Dependent Security Type System for Concurrent Imperative Programs
 author = Toby Murray <http://people.eng.unimelb.edu.au/tobym/>, Robert Sison<>, Edward Pierzchalski<>, Christine Rizkallah<https://www.mpi-inf.mpg.de/~crizkall/>
 notify = toby.murray@unimelb.edu.au
 date = 2016-06-25
 topic = Computer science/Security, Computer science/Programming languages/Type systems
 abstract =
 	The paper "Compositional Verification and Refinement of Concurrent
 	Value-Dependent Noninterference" by Murray et. al. (CSF 2016) presents
 	a dependent security type system for compositionally verifying a
 	value-dependent noninterference property, defined in (Murray, PLAS
 	2015), for concurrent programs. This development formalises that
 	security definition, the type system and its soundness proof, and
 	demonstrates its application on some small examples. It was derived
 	from the SIFUM_Type_Systems AFP entry, by Sylvia Grewe, Heiko Mantel
 	and Daniel Schoepe, and whose structure it inherits.
 extra-history =
 	Change history:
 	[2016-08-19]:
 	Removed unused "stop" parameter and "stop_no_eval" assumption from the sifum_security locale.
 	(revision dbc482d36372)
 	[2016-09-27]:
 	Added security locale support for the imposition of requirements on the initial memory.
 	(revision cce4ceb74ddb)
 
 [Dependent_SIFUM_Refinement]
 title = Compositional Security-Preserving Refinement for Concurrent Imperative Programs
 author = Toby Murray <http://people.eng.unimelb.edu.au/tobym/>, Robert Sison<>, Edward Pierzchalski<>, Christine Rizkallah<https://www.mpi-inf.mpg.de/~crizkall/>
 notify = toby.murray@unimelb.edu.au
 date = 2016-06-28
 topic = Computer science/Security
 abstract =
 	The paper "Compositional Verification and Refinement of Concurrent
 	Value-Dependent Noninterference" by Murray et. al. (CSF 2016) presents
 	a compositional theory of refinement for a value-dependent
 	noninterference property, defined in (Murray, PLAS 2015), for
 	concurrent programs. This development formalises that refinement
 	theory, and demonstrates its application on some small examples.
 extra-history =
 	Change history:
 	[2016-08-19]:
 	Removed unused "stop" parameters from the sifum_refinement locale.
 	(revision dbc482d36372)
 	[2016-09-02]:
 	TobyM extended "simple" refinement theory to be usable for all bisimulations.
 	(revision 547f31c25f60)
 
 [Relational-Incorrectness-Logic]
 title = An Under-Approximate Relational Logic
 author = Toby Murray <https://people.eng.unimelb.edu.au/tobym/>
 topic = Computer science/Programming languages/Logics, Computer science/Security
 date = 2020-03-12
 notify = toby.murray@unimelb.edu.au
 abstract =
   Recently, authors have proposed under-approximate logics for reasoning
   about programs. So far, all such logics have been confined to
   reasoning about individual program behaviours. Yet there exist many
   over-approximate relational logics for reasoning about pairs of
   programs and relating their behaviours. We present the first
   under-approximate relational logic, for the simple imperative language
   IMP. We prove our logic is both sound and complete. Additionally, we
   show how reasoning in this logic can be decomposed into non-relational
   reasoning in an under-approximate Hoare logic, mirroring Beringer’s
   result for over-approximate relational logics. We illustrate the
   application of our logic on some small examples in which we provably
   demonstrate the presence of insecurity.
 
 [Strong_Security]
 title = A Formalization of Strong Security
 author = Sylvia Grewe <mailto:grewe@cs.tu-darmstadt.de>, Alexander Lux <mailto:lux@mais.informatik.tu-darmstadt.de>, Heiko Mantel <mailto:mantel@mais.informatik.tu-darmstadt.de>, Jens Sauer <mailto:sauer@mais.informatik.tu-darmstadt.de>
 date = 2014-04-23
 topic = Computer science/Security, Computer science/Programming languages/Type systems
 abstract = Research in information-flow security aims at developing methods to
 	identify undesired information leaks within programs from private
 	sources to public sinks. Noninterference captures this
 	intuition. Strong security from Sabelfeld and Sands
 	formalizes noninterference for concurrent systems.
 	<p>
 	We present an Isabelle/HOL formalization of strong security for
 	arbitrary security lattices (Sabelfeld and Sands use
 	a two-element security lattice in the original publication).
 	The formalization includes
 	compositionality proofs for strong security and a soundness proof
 	for a security type system that checks strong security for programs
 	in a simple while language with dynamic thread creation.
 	<p>
 	Our formalization of the security type system is abstract in the
 	language for expressions and in the semantic side conditions for
 	expressions. It can easily be instantiated with different syntactic
 	approximations for these side conditions. The soundness proof of
 	such an instantiation boils down to showing that these syntactic
 	approximations imply the semantic side conditions.
 notify = grewe@cs.tu-darmstadt.de
 
 [WHATandWHERE_Security]
 title = A Formalization of Declassification with WHAT-and-WHERE-Security
 author = Sylvia Grewe <mailto:grewe@cs.tu-darmstadt.de>, Alexander Lux <mailto:lux@mais.informatik.tu-darmstadt.de>, Heiko Mantel <mailto:mantel@mais.informatik.tu-darmstadt.de>, Jens Sauer <mailto:sauer@mais.informatik.tu-darmstadt.de>
 date = 2014-04-23
 topic = Computer science/Security, Computer science/Programming languages/Type systems
 abstract = Research in information-flow security aims at developing methods to
 	identify undesired information leaks within programs from private
 	sources to public sinks. Noninterference captures this intuition by
 	requiring that no information whatsoever flows from private sources
 	to public sinks. However, in practice this definition is often too
 	strict: Depending on the intuitive desired security policy, the
 	controlled declassification of certain private information (WHAT) at
 	certain points in the program (WHERE) might not result in an
 	undesired information leak.
 	<p>
 	We present an Isabelle/HOL formalization of such a security property
 	for controlled declassification, namely WHAT&WHERE-security from
 	"Scheduler-Independent Declassification" by Lux, Mantel, and Perner.
 	The formalization includes
 	compositionality proofs for and a soundness proof for a security
 	type system that checks for programs in a simple while language with
 	dynamic thread creation.
 	<p>
 	Our formalization of the security type system is abstract in the
 	language for expressions and in the semantic side conditions for
 	expressions. It can easily be instantiated with different syntactic
 	approximations for these side conditions. The soundness proof of
 	such an instantiation boils down to showing that these syntactic
 	approximations imply the semantic side conditions.
 	<p>
 	This Isabelle/HOL formalization uses theories from the entry
 	Strong Security.
 notify = grewe@cs.tu-darmstadt.de
 
 [VolpanoSmith]
 title = A Correctness Proof for the Volpano/Smith Security Typing System
 author = Gregor Snelting <http://pp.info.uni-karlsruhe.de/personhp/gregor_snelting.php>, Daniel Wasserrab <http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php>
 date = 2008-09-02
 topic = Computer science/Programming languages/Type systems, Computer science/Security
 abstract = The Volpano/Smith/Irvine security type systems requires that variables are annotated as high (secret) or low (public), and provides typing rules which guarantee that secret values cannot leak to public output ports. This property of a program is called confidentiality. For a simple while-language without threads, our proof shows that typeability in the Volpano/Smith system guarantees noninterference. Noninterference means that if two initial states for program execution are low-equivalent, then the final states are low-equivalent as well. This indeed implies that secret values cannot leak to public ports. The proof defines an abstract syntax and operational semantics for programs, formalizes noninterference, and then proceeds by rule induction on the operational semantics. The mathematically most intricate part is the treatment of implicit flows. Note that the Volpano/Smith system is not flow-sensitive and thus quite unprecise, resulting in false alarms. However, due to the correctness property, all potential breaks of confidentiality are discovered.
 notify =
 
 [Abstract-Hoare-Logics]
 title = Abstract Hoare Logics
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2006-08-08
 topic = Computer science/Programming languages/Logics
 abstract = These therories describe Hoare logics for a number of imperative language constructs, from while-loops to mutually recursive procedures. Both partial and total correctness are treated. In particular a proof system for total correctness of recursive procedures in the presence of unbounded nondeterminism is presented.
 notify = nipkow@in.tum.de
 
 [Stone_Algebras]
 title = Stone Algebras
 author = Walter Guttmann <http://www.cosc.canterbury.ac.nz/walter.guttmann/>
 notify = walter.guttmann@canterbury.ac.nz
 date = 2016-09-06
 topic = Mathematics/Order
 abstract =
 	A range of algebras between lattices and Boolean algebras generalise
 	the notion of a complement. We develop a hierarchy of these
 	pseudo-complemented algebras that includes Stone algebras.
 	Independently of this theory we study filters based on partial orders.
 	Both theories are combined to prove Chen and Grätzer's construction
 	theorem for Stone algebras. The latter involves extensive reasoning
 	about algebraic structures in addition to reasoning in algebraic
 	structures.
 
 [Kleene_Algebra]
 title = Kleene Algebra
 author = Alasdair Armstrong <>, Georg Struth <http://staffwww.dcs.shef.ac.uk/people/G.Struth/>, Tjark Weber <http://user.it.uu.se/~tjawe125/>
 date = 2013-01-15
 topic = Computer science/Programming languages/Logics, Computer science/Automata and formal languages, Mathematics/Algebra
 abstract =
 	These files contain a formalisation of variants of Kleene algebras and
 	their most important models as axiomatic type classes in Isabelle/HOL.
 	Kleene algebras are foundational structures in computing with
 	applications ranging from automata and language theory to computational
 	modeling, program construction and verification.
 	<p>
 	We start with formalising dioids, which are additively idempotent
 	semirings, and expand them by axiomatisations of the Kleene star for
 	finite iteration and an omega operation for infinite iteration. We
 	show that powersets over a given monoid, (regular) languages, sets of
 	paths in a graph, sets of computation traces, binary relations and
 	formal power series form Kleene algebras, and consider further models
 	based on lattices, max-plus semirings and min-plus semirings. We also
 	demonstrate that dioids are closed under the formation of matrices
 	(proofs for Kleene algebras remain to be completed).
 	<p>
 	On the one hand we have aimed at a reference formalisation of variants
 	of Kleene algebras that covers a wide range of variants and the core
 	theorems in a structured and modular way and provides readable proofs
 	at text book level. On the other hand, we intend to use this algebraic
 	hierarchy and its models as a generic algebraic middle-layer from which
 	programming applications can quickly be explored, implemented and verified.
 notify = g.struth@sheffield.ac.uk, tjark.weber@it.uu.se
 
 [KAT_and_DRA]
 title = Kleene Algebra with Tests and Demonic Refinement Algebras
 author = Alasdair Armstrong <>, Victor B. F. Gomes <http://www.dcs.shef.ac.uk/~victor>, Georg Struth <http://www.dcs.shef.ac.uk/~georg>
 date = 2014-01-23
 topic = Computer science/Programming languages/Logics, Computer science/Automata and formal languages, Mathematics/Algebra
 abstract =
 	We formalise Kleene algebra with tests (KAT) and demonic refinement
 	algebra (DRA) in Isabelle/HOL. KAT is relevant for program verification
 	and correctness proofs in the partial correctness setting. While DRA
 	targets similar applications in the context of total correctness. Our
 	formalisation contains the two most important models of these algebras:
 	binary relations in the case of KAT and predicate transformers in the
 	case of DRA. In addition, we derive the inference rules for Hoare logic
 	in KAT and its relational model and present a simple formally verified
 	program verification tool prototype based on the algebraic approach.
 notify = g.struth@dcs.shef.ac.uk
 
 [KAD]
 title = Kleene Algebras with Domain
 author = Victor B. F. Gomes <http://www.dcs.shef.ac.uk/~victor>, Walter Guttmann <http://www.cosc.canterbury.ac.nz/walter.guttmann/>, Peter Höfner <http://www.hoefner-online.de/>, Georg Struth <http://www.dcs.shef.ac.uk/~georg>, Tjark Weber <http://user.it.uu.se/~tjawe125/>
 date = 2016-04-12
 topic = Computer science/Programming languages/Logics, Computer science/Automata and formal languages, Mathematics/Algebra
 abstract =
 	Kleene algebras with domain are Kleene algebras endowed with an
 	operation that maps each element of the algebra to its domain of
 	definition (or its complement) in abstract fashion. They form a simple
 	algebraic basis for Hoare logics, dynamic logics or predicate
 	transformer semantics. We formalise a modular hierarchy of algebras
 	with domain and antidomain (domain complement) operations in
 	Isabelle/HOL that ranges from domain and antidomain semigroups to
 	modal Kleene algebras and divergence Kleene algebras. We link these
 	algebras with models of binary relations and program traces. We
 	include some examples from modal logics, termination and program
 	analysis.
 notify = walter.guttman@canterbury.ac.nz, g.struth@sheffield.ac.uk, tjark.weber@it.uu.se
 
 [Regular_Algebras]
 title = Regular Algebras
 author = Simon Foster <http://www-users.cs.york.ac.uk/~simonf>, Georg Struth <http://www.dcs.shef.ac.uk/~georg>
 date = 2014-05-21
 topic = Computer science/Automata and formal languages, Mathematics/Algebra
 abstract =
 	Regular algebras axiomatise the equational theory of regular expressions as induced by
 	regular language identity. We use Isabelle/HOL for a detailed systematic study of regular
 	algebras given by Boffa, Conway, Kozen and Salomaa. We investigate the relationships between
 	these classes, formalise a soundness proof for the smallest class (Salomaa's) and obtain
 	completeness of the largest one (Boffa's) relative to a deep result by Krob. In addition
 	we provide a large collection of regular identities in the general setting of Boffa's axiom.
 	Our regular algebra hierarchy is orthogonal to the Kleene algebra hierarchy in the Archive
 	of Formal Proofs; we have not aimed at an integration for pragmatic reasons.
 notify = simon.foster@york.ac.uk, g.struth@sheffield.ac.uk
 
 [BytecodeLogicJmlTypes]
 title = A Bytecode Logic for JML and Types
 author = Lennart Beringer <>, Martin Hofmann <http://www.tcs.informatik.uni-muenchen.de/~mhofmann>
 date = 2008-12-12
 topic = Computer science/Programming languages/Logics
 abstract = This document contains the Isabelle/HOL sources underlying the paper <i>A bytecode logic for JML and types</i> by Beringer and Hofmann, updated to Isabelle 2008. We present a program logic for a subset of sequential Java bytecode that is suitable for representing both, features found in high-level specification language JML as well as interpretations of high-level type systems. To this end, we introduce a fine-grained collection of assertions, including strong invariants, local annotations and VDM-reminiscent partial-correctness specifications. Thanks to a goal-oriented structure and interpretation of judgements, verification may proceed without recourse to an additional control flow analysis. The suitability for interpreting intensional type systems is illustrated by the proof-carrying-code style encoding of a type system for a first-order functional language which guarantees a constant upper bound on the number of objects allocated throughout an execution, be the execution terminating or non-terminating. Like the published paper, the formal development is restricted to a comparatively small subset of the JVML, lacking (among other features) exceptions, arrays, virtual methods, and static fields. This shortcoming has been overcome meanwhile, as our paper has formed the basis of the Mobius base logic, a program logic for the full sequential fragment of the JVML. Indeed, the present formalisation formed the basis of a subsequent formalisation of the Mobius base logic in the proof assistant Coq, which includes a proof of soundness with respect to the Bicolano operational semantics by Pichardie.
 notify =
 
 [DataRefinementIBP]
 title = Semantics and Data Refinement of Invariant Based Programs
 author = Viorel Preoteasa <http://users.abo.fi/vpreotea/>, Ralph-Johan Back <http://users.abo.fi/Ralph-Johan.Back/>
 date = 2010-05-28
 topic = Computer science/Programming languages/Logics
 abstract = The invariant based programming is a technique of constructing correct programs by first identifying the basic situations (pre- and post-conditions and invariants) that can occur during the execution of the program, and then defining the transitions and proving that they preserve the invariants. Data refinement is a technique of building correct programs working on concrete datatypes as refinements of more abstract programs. In the theories presented here we formalize the predicate transformer semantics for invariant based programs and their data refinement.
 extra-history =
 	Change history:
 	[2012-01-05]: Moved some general complete lattice properties to the AFP entry Lattice Properties.
 	Changed the definition of the data refinement relation to be more general and updated all corresponding theorems.
 	Added new syntax for demonic and angelic update statements.
 notify = viorel.preoteasa@aalto.fi
 
 [RefinementReactive]
 title = Formalization of Refinement Calculus for Reactive Systems
 author = Viorel Preoteasa <mailto:viorel.preoteasa@aalto.fi>
 date = 2014-10-08
 topic = Computer science/Programming languages/Logics
 abstract =
 	We present a formalization of refinement calculus for reactive systems.
 	Refinement calculus is based on monotonic predicate transformers
 	(monotonic functions from sets of post-states to sets of pre-states),
 	and it is a powerful formalism for reasoning about imperative programs.
 	We model reactive systems as monotonic property transformers
 	that transform sets of output infinite sequences into sets of input
 	infinite sequences. Within this semantics we can model
 	refinement of reactive systems, (unbounded) angelic and
 	demonic nondeterminism, sequential composition, and
 	other semantic properties. We can model systems that may
 	fail for some inputs, and we can model compatibility of systems.
 	We can specify systems that have liveness properties using
 	linear temporal logic, and we can refine system specifications
 	into systems based on symbolic transitions systems, suitable
 	for implementations.
 notify = viorel.preoteasa@aalto.fi
 
 [SIFPL]
 title = Secure information flow and program logics
 author = Lennart Beringer <>, Martin Hofmann <http://www.tcs.informatik.uni-muenchen.de/~mhofmann>
 date = 2008-11-10
 topic = Computer science/Programming languages/Logics, Computer science/Security
 abstract = We present interpretations of type systems for secure information flow in Hoare logic, complementing previous encodings in relational program logics. We first treat the imperative language IMP, extended by a simple procedure call mechanism. For this language we consider base-line non-interference in the style of Volpano et al. and the flow-sensitive type system by Hunt and Sands. In both cases, we show how typing derivations may be used to automatically generate proofs in the program logic that certify the absence of illicit flows. We then add instructions for object creation and manipulation, and derive appropriate proof rules for base-line non-interference. As a consequence of our work, standard verification technology may be used for verifying that a concrete program satisfies the non-interference property.<br><br>The present proof development represents an update of the formalisation underlying our paper [CSF 2007] and is intended to resolve any ambiguities that may be present in the paper.
 notify = lennart.beringer@ifi.lmu.de
 
 [TLA]
 title = A Definitional Encoding of TLA* in Isabelle/HOL
 author = Gudmund Grov <http://homepages.inf.ed.ac.uk/ggrov>, Stephan Merz <http://www.loria.fr/~merz>
 date = 2011-11-19
 topic = Computer science/Programming languages/Logics
 abstract = We mechanise the logic TLA*
 	<a href="http://www.springerlink.com/content/ax3qk557qkdyt7n6/">[Merz 1999]</a>,
 	an extension of Lamport's  Temporal Logic of Actions (TLA)
 	<a href="http://dl.acm.org/citation.cfm?doid=177492.177726">[Lamport 1994]</a>
 	for specifying and reasoning
 	about concurrent and reactive systems. Aiming at a framework for mechanising]  the verification of TLA (or TLA*) specifications, this contribution reuses
 	some elements from a previous axiomatic encoding of TLA in Isabelle/HOL
 	by the second author [Merz 1998], which has been part of the Isabelle
 	distribution. In contrast to that previous work, we give here a shallow,
 	definitional embedding, with the following highlights:
 	<ul>
 	<li>a theory of infinite sequences, including a formalisation of the concepts of stuttering invariance central to TLA and TLA*;
 	<li>a definition of the semantics of TLA*, which extends TLA by a mutually-recursive definition of formulas and pre-formulas, generalising TLA action formulas;
 	<li>a substantial set of derived proof rules, including the TLA* axioms and Lamport's proof rules for system verification;
 	<li>a set of examples illustrating the usage of Isabelle/TLA* for reasoning about systems.
 	</ul>
 	Note that this work is unrelated to the ongoing development of a proof system
 	for the specification language TLA+, which includes an encoding of TLA+ as a
 	new Isabelle object logic <a href="http://www.springerlink.com/content/354026160p14j175/">[Chaudhuri et al 2010]</a>.
 notify = ggrov@inf.ed.ac.uk
 
 [Compiling-Exceptions-Correctly]
 title = Compiling Exceptions Correctly
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2004-07-09
 topic = Computer science/Programming languages/Compiling
 abstract = An exception compilation scheme that dynamically creates and removes exception handler entries on the stack. A formalization of an article of the same name by <a href="http://www.cs.nott.ac.uk/~gmh/">Hutton</a> and Wright.
 notify = nipkow@in.tum.de
 
 [NormByEval]
 title = Normalization by Evaluation
 author = Klaus Aehlig <http://www.linta.de/~aehlig/>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2008-02-18
 topic = Computer science/Programming languages/Compiling
 abstract = This article formalizes normalization by evaluation as implemented in Isabelle. Lambda calculus plus term rewriting is compiled into a functional program with pattern matching. It is proved that the result of a successful evaluation is a) correct, i.e. equivalent to the input, and b) in normal form.
 notify = nipkow@in.tum.de
 
 [Program-Conflict-Analysis]
 title = Formalization of Conflict Analysis of Programs with Procedures, Thread Creation, and Monitors
 topic = Computer science/Programming languages/Static analysis
 author = Peter Lammich <http://www21.in.tum.de/~lammich>, Markus Müller-Olm <http://cs.uni-muenster.de/u/mmo/>
 date = 2007-12-14
 abstract = In this work we formally verify the soundness and precision of a static program analysis that detects conflicts (e. g. data races) in programs with procedures, thread creation and monitors with the Isabelle theorem prover. As common in static program analysis, our program model abstracts guarded branching by nondeterministic branching, but completely interprets the call-/return behavior of procedures, synchronization by monitors, and thread creation. The analysis is based on the observation that all conflicts already occur in a class of particularly restricted schedules. These restricted schedules are suited to constraint-system-based program analysis. The formalization is based upon a flowgraph-based program model with an operational semantics as reference point.
 notify = peter.lammich@uni-muenster.de
 
 [Shivers-CFA]
 title = Shivers' Control Flow Analysis
 topic = Computer science/Programming languages/Static analysis
 author = Joachim Breitner <mailto:mail@joachim-breitner.de>
 date = 2010-11-16
 abstract =
 	In his dissertation, Olin Shivers introduces a concept of control flow graphs
 	for functional languages, provides an algorithm to statically derive a safe
 	approximation of the control flow graph and proves this algorithm correct. In
 	this research project, Shivers' algorithms and proofs are formalized
 	in the HOLCF extension of HOL.
 notify = mail@joachim-breitner.de, nipkow@in.tum.de
 
 [Slicing]
 title = Towards Certified Slicing
 author = Daniel Wasserrab <http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php>
 date = 2008-09-16
 topic = Computer science/Programming languages/Static analysis
 abstract = Slicing is a widely-used technique with applications in e.g. compiler technology and software security. Thus verification of algorithms in these areas is often based on the correctness of slicing, which should ideally be proven independent of concrete programming languages and with the help of well-known verifying techniques such as proof assistants. As a first step in this direction, this contribution presents a framework for dynamic and static intraprocedural slicing based on control flow and program dependence graphs. Abstracting from concrete syntax we base the framework on a graph representation of the program fulfilling certain structural and well-formedness properties.<br><br>The formalization consists of the basic framework (in subdirectory Basic/), the correctness proof for dynamic slicing (in subdirectory Dynamic/), the correctness proof for static intraprocedural slicing (in subdirectory StaticIntra/) and instantiations of the framework with a simple While language (in subdirectory While/) and the sophisticated object-oriented bytecode language of Jinja (in subdirectory JinjaVM/). For more information on the framework, see the TPHOLS 2008 paper by Wasserrab and Lochbihler and the PLAS 2009 paper by Wasserrab et al.
 notify =
 
 [HRB-Slicing]
 title = Backing up Slicing: Verifying the Interprocedural Two-Phase Horwitz-Reps-Binkley Slicer
 author = Daniel Wasserrab <http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php>
 date = 2009-11-13
 topic = Computer science/Programming languages/Static analysis
 abstract = After verifying <a href="Slicing.html">dynamic and static interprocedural slicing</a>, we present a modular framework for static interprocedural slicing. To this end, we formalized the standard two-phase slicer from Horwitz, Reps and Binkley (see their TOPLAS 12(1) 1990 paper) together with summary edges as presented by Reps et al. (see FSE 1994). The framework is again modular in the programming language by using an abstract CFG, defined via structural and well-formedness properties. Using a weak simulation between the original and sliced graph, we were able to prove the correctness of static interprocedural slicing. We also instantiate our framework with a simple While language with procedures. This shows that the chosen abstractions are indeed valid.
 notify = nipkow@in.tum.de
 
 [WorkerWrapper]
 title = The Worker/Wrapper Transformation
 author = Peter Gammie <http://peteg.org>
 date = 2009-10-30
 topic = Computer science/Programming languages/Transformations
 abstract = Gill and Hutton formalise the worker/wrapper transformation, building on the work of Launchbury and Peyton-Jones who developed it as a way of changing the type at which a recursive function operates. This development establishes the soundness of the technique and several examples of its use.
 notify = peteg42@gmail.com, nipkow@in.tum.de
 
 [JiveDataStoreModel]
 title = Jive Data and Store Model
 author = Nicole Rauch <mailto:rauch@informatik.uni-kl.de>, Norbert Schirmer <>
 date = 2005-06-20
 license = LGPL
 topic = Computer science/Programming languages/Misc
 abstract = This document presents the formalization of an object-oriented data and store model in Isabelle/HOL. This model is being used in the Java Interactive Verification Environment, Jive.
 notify = kleing@cse.unsw.edu.au, schirmer@in.tum.de
 
 [HotelKeyCards]
 title = Hotel Key Card System
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2006-09-09
 topic = Computer science/Security
 abstract = Two models of an electronic hotel key card system are contrasted: a state based and a trace based one. Both are defined, verified, and proved equivalent in the theorem prover Isabelle/HOL. It is shown that if a guest follows a certain safety policy regarding her key cards, she can be sure that nobody but her can enter her room.
 notify = nipkow@in.tum.de
 
 [RSAPSS]
 title = SHA1, RSA, PSS and more
 author = Christina Lindenberg <>, Kai Wirt <>
 date = 2005-05-02
 topic = Computer science/Security/Cryptography
 abstract = Formal verification is getting more and more important in computer science. However the state of the art formal verification methods in cryptography are very rudimentary. These theories are one step to provide a tool box allowing the use of formal methods in every aspect of cryptography. Moreover we present a proof of concept for the feasibility of verification techniques to a standard signature algorithm.
 notify = nipkow@in.tum.de
 
 [InformationFlowSlicing]
 title = Information Flow Noninterference via Slicing
 author = Daniel Wasserrab <http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php>
 date = 2010-03-23
 topic = Computer science/Security
 abstract =
 	<p>
 	In this contribution, we show how correctness proofs for <a
 	href="Slicing.html">intra-</a> and <a
 	href="HRB-Slicing.html">interprocedural slicing</a> can be used to prove
 	that slicing is able to guarantee information flow noninterference.
 	Moreover, we also illustrate how to lift the control flow graphs of the
 	respective frameworks such that they fulfil the additional assumptions
 	needed in the noninterference proofs. A detailed description of the
 	intraprocedural proof and its interplay with the slicing framework can be
 	found in the PLAS'09 paper by Wasserrab et al.
 	</p>
 	<p>
 	This entry contains the part for intra-procedural slicing. See entry
 	<a href="InformationFlowSlicing_Inter.html">InformationFlowSlicing_Inter</a>
 	for the inter-procedural part.
 	</p>
 extra-history =
 	Change history:
 	[2016-06-10]: The original entry <a
 	href="InformationFlowSlicing.html">InformationFlowSlicing</a> contained both
 	the <a href="InformationFlowSlicing_Inter.html">inter-</a> and <a
 	href="InformationFlowSlicing.html">intra-procedural</a> case was split into
 	two for easier maintenance.
 notify =
 
 [InformationFlowSlicing_Inter]
 title = Inter-Procedural Information Flow Noninterference via Slicing
 author = Daniel Wasserrab <http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php>
 date = 2010-03-23
 topic = Computer science/Security
 abstract =
 	<p>
 	In this contribution, we show how correctness proofs for <a
 	href="Slicing.html">intra-</a> and <a
 	href="HRB-Slicing.html">interprocedural slicing</a> can be used to prove
 	that slicing is able to guarantee information flow noninterference.
 	Moreover, we also illustrate how to lift the control flow graphs of the
 	respective frameworks such that they fulfil the additional assumptions
 	needed in the noninterference proofs. A detailed description of the
 	intraprocedural proof and its interplay with the slicing framework can be
 	found in the PLAS'09 paper by Wasserrab et al.
 	</p>
 	<p>
 	This entry contains the part for inter-procedural slicing. See entry
 	<a href="InformationFlowSlicing.html">InformationFlowSlicing</a>
 	for the intra-procedural part.
 	</p>
 extra-history =
 	Change history:
 	[2016-06-10]: The original entry <a
 	href="InformationFlowSlicing.html">InformationFlowSlicing</a> contained both
 	the <a href="InformationFlowSlicing_Inter.html">inter-</a> and <a
 	href="InformationFlowSlicing.html">intra-procedural</a> case was split into
 	two for easier maintenance.
 notify =
 
 [ComponentDependencies]
 title = Formalisation and Analysis of Component Dependencies
 author = Maria Spichkova <mailto:maria.spichkova@rmit.edu.au>
 date = 2014-04-28
 topic = Computer science/System description languages
 abstract = This set of theories presents a formalisation in Isabelle/HOL of data dependencies between components. The approach allows to analyse system structure oriented towards efficient checking of system: it aims at elaborating for a concrete system, which parts of the system are necessary to check a given property.
 notify = maria.spichkova@rmit.edu.au
 
 [Verified-Prover]
 title = A Mechanically Verified, Efficient, Sound and Complete Theorem Prover For First Order Logic
 author = Tom Ridge <>
 date = 2004-09-28
 topic = Logic/General logic/Mechanization of proofs
 abstract = Soundness and completeness for a system of first order logic are formally proved, building on James Margetson's formalization of work by Wainer and Wallen. The completeness proofs naturally suggest an algorithm to derive proofs. This algorithm, which can be implemented tail recursively, is formalized in Isabelle/HOL. The algorithm can be executed via the rewriting tactics of Isabelle. Alternatively, the definitions can be exported to OCaml, yielding a directly executable program.
 notify = lp15@cam.ac.uk
 
 [Completeness]
 title = Completeness theorem
 author = James Margetson <>, Tom Ridge <>
 date = 2004-09-20
 topic = Logic/Proof theory
 abstract = The completeness of first-order logic is proved, following the first five pages of Wainer and Wallen's chapter of the book <i>Proof Theory</i> by Aczel et al., CUP, 1992. Their presentation of formulas allows the proofs to use symmetry arguments. Margetson formalized this theorem by early 2000. The Isar conversion is thanks to Tom Ridge. A paper describing the formalization is available <a href="Completeness-paper.pdf">[pdf]</a>.
 notify = lp15@cam.ac.uk
 
 [Ordinal]
 title = Countable Ordinals
 author = Brian Huffman <http://web.cecs.pdx.edu/~brianh/>
 date = 2005-11-11
 topic = Logic/Set theory
 abstract = This development defines a well-ordered type of countable ordinals. It includes notions of continuous and normal functions, recursively defined functions over ordinals, least fixed-points, and derivatives. Much of ordinal arithmetic is formalized, including exponentials and logarithms. The development concludes with formalizations of Cantor Normal Form and Veblen hierarchies over normal functions.
 notify = lcp@cl.cam.ac.uk
 
 [Ordinals_and_Cardinals]
 title = Ordinals and Cardinals
 author = Andrei Popescu <>
 date = 2009-09-01
 topic = Logic/Set theory
 abstract = We develop a basic theory of ordinals and cardinals in Isabelle/HOL, up to the point where some cardinality facts relevant for the ``working mathematician" become available. Unlike in set theory, here we do not have at hand canonical notions of ordinal and cardinal. Therefore, here an ordinal is merely a well-order relation and a cardinal is an ordinal minim w.r.t. order embedding on its field.
 extra-history =
 	Change history:
 	[2012-09-25]: This entry has been discontinued because it is now part of the Isabelle distribution.
 notify = uuomul@yahoo.com, nipkow@in.tum.de
 
 [FOL-Fitting]
 title = First-Order Logic According to Fitting
 author = Stefan Berghofer <http://www.in.tum.de/~berghofe>
 contributors = Asta Halkjær From <https://people.compute.dtu.dk/ahfrom/>
 date = 2007-08-02
 topic = Logic/General logic/Classical first-order logic
 abstract = We present a formalization of parts of Melvin Fitting's book "First-Order Logic and Automated Theorem Proving". The formalization covers the syntax of first-order logic, its semantics, the model existence theorem, a natural deduction proof calculus together with a proof of correctness and completeness, as well as the Löwenheim-Skolem theorem.
 extra-history =
   Change history:
   [2018-07-21]: Proved completeness theorem for open formulas. Proofs are now written in the declarative style. Enumeration of pairs and datatypes is automated using the Countable theory.
 notify = berghofe@in.tum.de
 
 [Epistemic_Logic]
 title = Epistemic Logic
 author = Asta Halkjær From <https://people.compute.dtu.dk/ahfrom/>
 topic = Logic/General logic/Logics of knowledge and belief
 date = 2018-10-29
 notify = ahfrom@dtu.dk
 abstract =
   This work is a formalization of epistemic logic with countably many
   agents. It includes proofs of soundness and completeness for the axiom
   system K. The completeness proof is based on the textbook
   "Reasoning About Knowledge" by Fagin, Halpern, Moses and
   Vardi (MIT Press 1995).
 
 [SequentInvertibility]
 title = Invertibility in Sequent Calculi
 author = Peter Chapman <>
 date = 2009-08-28
 topic = Logic/Proof theory
 license = LGPL
 abstract = The invertibility of the rules of a sequent calculus is important for guiding proof search and can be used in some formalised proofs of Cut admissibility. We present sufficient conditions for when a rule is invertible with respect to a calculus. We illustrate the conditions with examples. It must be noted we give purely syntactic criteria; no guarantees are given as to the suitability of the rules.
 notify = pc@cs.st-andrews.ac.uk, nipkow@in.tum.de
 
 [LinearQuantifierElim]
 title = Quantifier Elimination for Linear Arithmetic
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2008-01-11
 topic = Logic/General logic/Decidability of theories
 abstract = This article formalizes quantifier elimination procedures for dense linear orders, linear real arithmetic and Presburger arithmetic. In each case both a DNF-based non-elementary algorithm and one or more (doubly) exponential NNF-based algorithms are formalized, including the well-known algorithms by Ferrante and Rackoff and by Cooper. The NNF-based algorithms for dense linear orders are new but based on Ferrante and Rackoff and on an algorithm by Loos and Weisspfenning which simulates infenitesimals. All algorithms are directly executable. In particular, they yield reflective quantifier elimination procedures for HOL itself. The formalization makes heavy use of locales and is therefore highly modular.
 notify = nipkow@in.tum.de
 
 [Nat-Interval-Logic]
 title = Interval Temporal Logic on Natural Numbers
 author = David Trachtenherz <>
 date = 2011-02-23
 topic = Logic/General logic/Temporal logic
 abstract = We introduce a theory of temporal logic operators using sets of natural numbers as time domain, formalized in a shallow embedding manner. The theory comprises special natural intervals (theory IL_Interval: open and closed intervals, continuous and modulo intervals, interval traversing results), operators for shifting intervals to left/right on the number axis as well as expanding/contracting intervals by constant factors (theory IL_IntervalOperators.thy), and ultimately definitions and results for unary and binary temporal operators on arbitrary natural sets (theory IL_TemporalOperators).
 notify = nipkow@in.tum.de
 
 [Recursion-Theory-I]
 title = Recursion Theory I
 author = Michael Nedzelsky <>
 date = 2008-04-05
 topic = Logic/Computability
 abstract = This document presents the formalization of introductory material from  recursion theory --- definitions and basic properties of primitive recursive  functions, Cantor pairing function and computably enumerable sets  (including a proof of existence of a one-complete computably enumerable set  and a proof of the Rice's theorem).
 notify = MichaelNedzelsky@yandex.ru
 
 [Free-Boolean-Algebra]
 topic = Logic/General logic/Classical propositional logic
 title = Free Boolean Algebra
 author = Brian Huffman <http://web.cecs.pdx.edu/~brianh/>
 date = 2010-03-29
 abstract = This theory defines a type constructor representing the free Boolean algebra over a set of generators. Values of type (α)<i>formula</i> represent propositional formulas with uninterpreted variables from type α, ordered by implication. In addition to all the standard Boolean algebra operations, the library also provides a function for building homomorphisms to any other Boolean algebra type.
 notify = brianh@cs.pdx.edu
 
 [Sort_Encodings]
 title = Sound and Complete Sort Encodings for First-Order Logic
 author = Jasmin Christian Blanchette <http://www21.in.tum.de/~blanchet>, Andrei Popescu <http://www21.in.tum.de/~popescua>
 date = 2013-06-27
 topic = Logic/General logic/Mechanization of proofs
 abstract =
 	This is a formalization of the soundness and completeness properties
 	for various efficient encodings of sorts in unsorted first-order logic
 	used by Isabelle's Sledgehammer tool.
 	<p>
 	Essentially, the encodings proceed as follows:
 	a many-sorted problem is decorated with (as few as possible) tags or
 	guards that make the problem monotonic; then sorts can be soundly
 	erased.
 	<p>
 	The development employs a formalization of many-sorted first-order logic
 	in clausal form (clauses, structures and the basic properties
 	of the satisfaction relation), which could be of interest as the starting
 	point for other formalizations of first-order logic metatheory.
 notify = uuomul@yahoo.com
 
 [Lambda_Free_RPOs]
 title = Formalization of Recursive Path Orders for Lambda-Free Higher-Order Terms
 author = Jasmin Christian Blanchette <mailto:jasmin.blanchette@gmail.com>, Uwe Waldmann <mailto:waldmann@mpi-inf.mpg.de>, Daniel Wand <mailto:dwand@mpi-inf.mpg.de>
 date = 2016-09-23
 topic = Logic/Rewriting
 abstract = This Isabelle/HOL formalization defines recursive path orders (RPOs) for higher-order terms without lambda-abstraction and proves many useful properties about them. The main order fully coincides with the standard RPO on first-order terms also in the presence of currying, distinguishing it from previous work. An optimized variant is formalized as well. It appears promising as the basis of a higher-order superposition calculus.
 notify = jasmin.blanchette@gmail.com
 
 [Lambda_Free_KBOs]
 title = Formalization of Knuth–Bendix Orders for Lambda-Free Higher-Order Terms
 author = Heiko Becker <mailto:hbecker@mpi-sws.org>, Jasmin Christian Blanchette <mailto:jasmin.blanchette@gmail.com>, Uwe Waldmann <mailto:waldmann@mpi-inf.mpg.de>, Daniel Wand <mailto:dwand@mpi-inf.mpg.de>
 date = 2016-11-12
 topic = Logic/Rewriting
 abstract = This Isabelle/HOL formalization defines Knuth–Bendix orders for higher-order terms without lambda-abstraction and proves many useful properties about them. The main order fully coincides with the standard transfinite KBO with subterm coefficients on first-order terms. It appears promising as the basis of a higher-order superposition calculus.
 notify = jasmin.blanchette@gmail.com
 
 [Lambda_Free_EPO]
 title = Formalization of the Embedding Path Order for Lambda-Free Higher-Order Terms
 author = Alexander Bentkamp <https://www.cs.vu.nl/~abp290/>
 topic = Logic/Rewriting
 date = 2018-10-19
 notify = a.bentkamp@vu.nl
 abstract =
   This Isabelle/HOL formalization defines the Embedding Path Order (EPO)
   for higher-order terms without lambda-abstraction and proves many
   useful properties about it. In contrast to the lambda-free recursive
   path orders, it does not fully coincide with RPO on first-order terms,
   but it is compatible with arbitrary higher-order contexts.
 
 [Nested_Multisets_Ordinals]
 title = Formalization of Nested Multisets, Hereditary Multisets, and Syntactic Ordinals
 author = Jasmin Christian Blanchette <mailto:jasmin.blanchette@gmail.com>, Mathias Fleury <mailto:fleury@mpi-inf.mpg.de>, Dmitriy Traytel <mailto:traytel@inf.ethz.ch>
 date = 2016-11-12
 topic = Logic/Rewriting
 abstract = This Isabelle/HOL formalization introduces a nested multiset datatype and defines Dershowitz and Manna's nested multiset order. The order is proved well founded and linear. By removing one constructor, we transform the nested multisets into hereditary multisets. These are isomorphic to the syntactic ordinals—the ordinals can be recursively expressed in Cantor normal form. Addition, subtraction, multiplication, and linear orders are provided on this type.
 notify = jasmin.blanchette@gmail.com
 
 [Abstract-Rewriting]
 title = Abstract Rewriting
 topic = Logic/Rewriting
 date = 2010-06-14
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <http://cl-informatik.uibk.ac.at/~thiemann>
 license = LGPL
 abstract =
 	We present an Isabelle formalization of abstract rewriting (see, e.g.,
 	the book by Baader and Nipkow). First, we define standard relations like
 	<i>joinability</i>, <i>meetability</i>, <i>conversion</i>, etc. Then, we
 	formalize important properties of abstract rewrite systems, e.g.,
 	confluence and strong normalization. Our main concern is on strong
 	normalization, since this formalization is the basis of <a
 	href="http://cl-informatik.uibk.ac.at/software/ceta">CeTA</a> (which is
 	mainly about strong normalization of term rewrite systems). Hence lemmas
 	involving strong normalization constitute by far the biggest part of this
 	theory. One of those is Newman's lemma.
 extra-history =
 	Change history:
 	[2010-09-17]: Added theories defining several (ordered)
 	semirings related to strong normalization and giving some standard
 	instances. <br>
 	[2013-10-16]: Generalized delta-orders from rationals to Archimedean fields.
 notify = christian.sternagel@uibk.ac.at, rene.thiemann@uibk.ac.at
 
 [First_Order_Terms]
 title = First-Order Terms
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <http://cl-informatik.uibk.ac.at/users/thiemann/>
 topic = Logic/Rewriting, Computer science/Algorithms
 license = LGPL
 date = 2018-02-06
 notify = c.sternagel@gmail.com, rene.thiemann@uibk.ac.at
 abstract =
   We formalize basic results on first-order terms, including matching and a
   first-order unification algorithm, as well as well-foundedness of the
   subsumption order. This entry is part of the <i>Isabelle
   Formalization of Rewriting</i> <a
   href="http://cl-informatik.uibk.ac.at/isafor">IsaFoR</a>,
   where first-order terms are omni-present: the unification algorithm is
   used to certify several confluence and termination techniques, like
   critical-pair computation and dependency graph approximations; and the
   subsumption order is a crucial ingredient for completion.
 
 [Free-Groups]
 title = Free Groups
 author = Joachim Breitner <mailto:mail@joachim-breitner.de>
 date = 2010-06-24
 topic = Mathematics/Algebra
 abstract =
 	Free Groups are, in a sense, the most generic kind of group. They
 	are defined over a set of generators with no additional relations in between
 	them. They play an important role in the definition of group presentations
 	and in other fields. This theory provides the definition of Free Group as
 	the set of fully canceled words in the generators. The universal property is
 	proven, as well as some isomorphisms results about Free Groups.
 extra-history =
 	Change history:
 	[2011-12-11]: Added the Ping Pong Lemma.
 notify =
 
 [CofGroups]
 title = An Example of a Cofinitary Group in Isabelle/HOL
 author = Bart Kastermans <http://kasterma.net>
 date = 2009-08-04
 topic = Mathematics/Algebra
 abstract = We formalize the usual proof that the group generated by the function k -> k + 1 on the integers gives rise to a cofinitary group.
 notify = nipkow@in.tum.de
 
 [Group-Ring-Module]
 title = Groups, Rings and Modules
 author = Hidetsune Kobayashi <>, L. Chen <>, H. Murao <>
 date = 2004-05-18
 topic = Mathematics/Algebra
 abstract = The theory of groups, rings and modules is developed to a great depth. Group theory results include Zassenhaus's theorem and the Jordan-Hoelder theorem. The ring theory development includes ideals, quotient rings and the Chinese remainder theorem. The module development includes the Nakayama lemma, exact sequences and Tensor products.
 notify = lp15@cam.ac.uk
 
 [Robbins-Conjecture]
 title = A Complete Proof of the Robbins Conjecture
 author = Matthew Wampler-Doty <>
 date = 2010-05-22
 topic = Mathematics/Algebra
 abstract = This document gives a formalization of the proof of the Robbins conjecture, following A. Mann, <i>A Complete Proof of the Robbins Conjecture</i>, 2003.
 notify = nipkow@in.tum.de
 
 [Valuation]
 title = Fundamental Properties of Valuation Theory and Hensel's Lemma
 author = Hidetsune Kobayashi <>
 date = 2007-08-08
 topic = Mathematics/Algebra
 abstract = Convergence with respect to a valuation is discussed as convergence of a Cauchy sequence. Cauchy sequences of polynomials are defined. They are used to formalize Hensel's lemma.
 notify = lp15@cam.ac.uk
 
 [Rank_Nullity_Theorem]
 title = Rank-Nullity Theorem in Linear Algebra
 author = Jose Divasón <http://www.unirioja.es/cu/jodivaso>, Jesús Aransay <http://www.unirioja.es/cu/jearansa>
 topic = Mathematics/Algebra
 date = 2013-01-16
 abstract = In this contribution, we present some formalizations based on the HOL-Multivariate-Analysis session of Isabelle. Firstly, a generalization of several theorems of such library are presented. Secondly, some definitions and proofs involving Linear Algebra and the four fundamental subspaces of a matrix are shown. Finally, we present a proof of the result known in Linear Algebra as the ``Rank-Nullity Theorem'', which states that, given any linear map f from a finite dimensional vector space V to a vector space W, then the dimension of V is equal to the dimension of the kernel of f (which is a subspace of V) and the dimension of the range of f (which is a subspace of W). The proof presented here is based on the one given by Sheldon Axler in his book <i>Linear Algebra Done Right</i>. As a corollary of the previous theorem, and taking advantage of the relationship between linear maps and matrices, we prove that, for every matrix A (which has associated a linear map between finite dimensional vector spaces), the sum of its null space and its column space (which is equal to the range of the linear map) is equal to the number of columns of A.
 extra-history =
 	Change history:
 	[2014-07-14]: Added some generalizations that allow us to formalize the Rank-Nullity Theorem over finite dimensional vector spaces, instead of over the more particular euclidean spaces. Updated abstract.
 notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es
 
 [Affine_Arithmetic]
 title = Affine Arithmetic
 author = Fabian Immler <http://www21.in.tum.de/~immler>
 date = 2014-02-07
 topic = Mathematics/Analysis
 abstract =
 	We give a formalization of affine forms as abstract representations of zonotopes.
 	We provide affine operations as well as overapproximations of some non-affine operations like multiplication and division.
 	Expressions involving those operations can automatically be turned into (executable) functions approximating the original
 	expression in affine arithmetic.
 extra-history =
 	Change history:
 	[2015-01-31]: added algorithm for zonotope/hyperplane intersection<br>
 	[2017-09-20]: linear approximations for all symbols from the floatarith data
 	type
 notify = immler@in.tum.de
 
 [Laplace_Transform]
 title = Laplace Transform
 author = Fabian Immler <https://home.in.tum.de/~immler/>
 topic = Mathematics/Analysis
 date = 2019-08-14
 notify = fimmler@cs.cmu.edu
 abstract =
   This entry formalizes the Laplace transform and concrete Laplace
   transforms for arithmetic functions, frequency shift, integration and
   (higher) differentiation in the time domain. It proves Lerch's
   lemma and uniqueness of the Laplace transform for continuous
   functions. In order to formalize the foundational assumptions, this
   entry contains a formalization of piecewise continuous functions and
   functions of exponential order.
 
 [Cauchy]
 title = Cauchy's Mean Theorem and the Cauchy-Schwarz Inequality
 author = Benjamin Porter <>
 date = 2006-03-14
 topic = Mathematics/Analysis
 abstract = This document presents the mechanised proofs of two popular theorems attributed to Augustin Louis Cauchy - Cauchy's Mean Theorem and the Cauchy-Schwarz Inequality.
 notify = kleing@cse.unsw.edu.au
 
 [Integration]
 title = Integration theory and random variables
 author = Stefan Richter <http://www-lti.informatik.rwth-aachen.de/~richter/>
 date = 2004-11-19
 topic = Mathematics/Analysis
 abstract = Lebesgue-style integration plays a major role in advanced probability. We formalize concepts of elementary measure theory, real-valued random variables as Borel-measurable functions, and a stepwise inductive definition of the integral itself. All proofs are carried out in human readable style using the Isar language.
 extra-note = Note: This article is of historical interest only. Lebesgue-style integration and probability theory are now available as part of the Isabelle/HOL distribution (directory Probability).
 notify = richter@informatik.rwth-aachen.de, nipkow@in.tum.de, hoelzl@in.tum.de
 
 [Ordinary_Differential_Equations]
 title = Ordinary Differential Equations
 author = Fabian Immler <http://www21.in.tum.de/~immler>, Johannes Hölzl <http://in.tum.de/~hoelzl>
 topic = Mathematics/Analysis
 date = 2012-04-26
 abstract =
 	<p>Session Ordinary-Differential-Equations formalizes ordinary differential equations (ODEs) and initial value
 	problems. This work comprises proofs for local and global existence of unique solutions
 	(Picard-Lindelöf theorem). Moreover, it contains a formalization of the (continuous or even
 	differentiable) dependency of the flow on initial conditions as the <i>flow</i> of ODEs.</p>
 	<p>
 	Not in the generated document are the following sessions:
 	<ul>
 	<li> HOL-ODE-Numerics:
 	Rigorous numerical algorithms for computing enclosures of solutions based on Runge-Kutta methods
 	and affine arithmetic. Reachability analysis with splitting and reduction at hyperplanes.</li>
 	<li> HOL-ODE-Examples:
 	Applications of the numerical algorithms to concrete systems of ODEs.</li>
 	<li> Lorenz_C0, Lorenz_C1:
 	  Verified algorithms for checking C1-information according to Tucker's proof,
 	  computation of C0-information.</li>
 	</ul>
 	</p>
 extra-history =
 	Change history:
 	[2014-02-13]: added an implementation of the Euler method based on affine arithmetic<br>
 	[2016-04-14]: added flow and variational equation<br>
 	[2016-08-03]: numerical algorithms for reachability analysis (using second-order Runge-Kutta methods, splitting, and reduction) implemented using Lammich's framework for automatic refinement<br>
 	[2017-09-20]: added Poincare map and propagation of variational equation in
 	reachability analysis, verified algorithms for C1-information and computations
 	for C0-information of the Lorenz attractor.
 notify = immler@in.tum.de, hoelzl@in.tum.de
 
 [Polynomials]
 title = Executable Multivariate Polynomials
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <http://cl-informatik.uibk.ac.at/~thiemann>, Alexander Maletzky <https://risc.jku.at/m/alexander-maletzky/>, Fabian Immler <http://www21.in.tum.de/~immler>, Florian Haftmann <http://isabelle.in.tum.de/~haftmann>, Andreas Lochbihler <http://www.andreas-lochbihler.de>, Alexander Bentkamp <mailto:bentkamp@gmail.com>
 date = 2010-08-10
 topic = Mathematics/Analysis, Mathematics/Algebra, Computer science/Algorithms/Mathematical
 license = LGPL
 abstract =
 	We define multivariate polynomials over arbitrary (ordered) semirings in
 	combination with (executable) operations like addition, multiplication,
 	and substitution. We also define (weak) monotonicity of polynomials and
 	comparison of polynomials where we provide standard estimations like
 	absolute positiveness or the more recent approach of Neurauter, Zankl,
 	and Middeldorp. Moreover, it is proven that strongly normalizing
 	(monotone) orders can be lifted to strongly normalizing (monotone) orders
 	over polynomials. Our formalization was performed as part of the <a
 	href="http://cl-informatik.uibk.ac.at/software/ceta">IsaFoR/CeTA-system</a>
 	which contains several termination techniques. The provided theories have
 	been essential to  formalize polynomial interpretations.
 	<p>
 	This formalization also contains an abstract representation as coefficient functions with finite
 	support and a type of power-products. If this type is ordered by a linear (term) ordering, various
 	additional notions, such as leading power-product, leading coefficient etc., are introduced as
 	well. Furthermore, a lot of generic properties of, and functions on, multivariate polynomials are
 	formalized, including the substitution and evaluation homomorphisms, embeddings of polynomial rings
 	into larger rings (i.e. with one additional indeterminate), homogenization and dehomogenization of
 	polynomials, and the canonical isomorphism between R[X,Y] and R[X][Y].
 extra-history =
 	Change history:
 	[2010-09-17]: Moved theories on arbitrary (ordered) semirings to Abstract Rewriting.<br>
 	[2016-10-28]: Added abstract representation of polynomials and authors Maletzky/Immler.<br>
 	[2018-01-23]: Added authors Haftmann, Lochbihler after incorporating
 	their formalization of multivariate polynomials based on Polynomial mappings.
 	Moved material from Bentkamp's entry "Deep Learning".<br>
 	[2019-04-18]: Added material about polynomials whose power-products are represented themselves
 	by polynomial mappings.
 notify = rene.thiemann@uibk.ac.at, christian.sternagel@uibk.ac.at, alexander.maletzky@risc.jku.at, immler@in.tum.de
 
 [Sqrt_Babylonian]
 title = Computing N-th Roots using the Babylonian Method
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 date = 2013-01-03
 topic = Mathematics/Analysis
 license = LGPL
 abstract =
 	We implement the Babylonian method to compute n-th roots of numbers.
 	We provide precise algorithms for naturals, integers and rationals, and
 	offer an approximation algorithm for square roots over linear ordered fields. Moreover, there
 	are precise algorithms to compute the floor and the ceiling of n-th roots.
 extra-history =
 	Change history:
 	[2013-10-16]: Added algorithms to compute floor and ceiling of sqrt of integers.
 	[2014-07-11]: Moved NthRoot_Impl from Real-Impl to this entry.
 notify = rene.thiemann@uibk.ac.at
 
 [Sturm_Sequences]
 title = Sturm's Theorem
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 date = 2014-01-11
 topic = Mathematics/Analysis
 abstract = Sturm's Theorem states that polynomial sequences with certain
 	properties, so-called Sturm sequences, can be used to count the number
 	of real roots of a real polynomial. This work contains a proof of
 	Sturm's Theorem and code for constructing Sturm sequences efficiently.
 	It also provides the “sturm” proof method, which can decide certain
 	statements about the roots of real polynomials, such as “the polynomial
 	P has exactly n roots in the interval I” or “P(x) > Q(x) for all x
 	&#8712; &#8477;”.
 notify = eberlm@in.tum.de
 
 [Sturm_Tarski]
 title = The Sturm-Tarski Theorem
 author = Wenda Li <mailto:wl302@cam.ac.uk>
 date = 2014-09-19
 topic = Mathematics/Analysis
 abstract = We have formalized the Sturm-Tarski theorem (also referred as the Tarski theorem), which generalizes Sturm's theorem. Sturm's theorem is usually used as a way to count distinct real roots, while the Sturm-Tarksi theorem forms the basis for Tarski's classic quantifier elimination for real closed field.
 notify = wl302@cam.ac.uk
 
 [Markov_Models]
 title = Markov Models
 author = Johannes Hölzl <http://in.tum.de/~hoelzl>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2012-01-03
 topic = Mathematics/Probability theory, Computer science/Automata and formal languages
 abstract = This is a formalization of Markov models in Isabelle/HOL. It
 	builds on Isabelle's probability theory. The available models are
 	currently Discrete-Time Markov Chains and a extensions of them with
 	rewards.
 	<p>
 	As application of these models we formalize probabilistic model
 	checking of pCTL formulas, analysis of IPv4 address allocation in
 	ZeroConf and an analysis of the anonymity of the Crowds protocol.
 	<a href="http://arxiv.org/abs/1212.3870">See here for the corresponding paper.</a>
 notify = hoelzl@in.tum.de
 
 [Probabilistic_System_Zoo]
 title = A Zoo of Probabilistic Systems
 author = Johannes Hölzl <http://in.tum.de/~hoelzl>,
 	Andreas Lochbihler <http://www.andreas-lochbihler.de>,
 	Dmitriy Traytel <http://www21.in.tum.de/~traytel>
 date = 2015-05-27
 topic = Computer science/Automata and formal languages
 abstract =
 	Numerous models of probabilistic systems are studied in the literature.
 	Coalgebra has been used to classify them into system types and compare their
 	expressiveness.  We formalize the resulting hierarchy of probabilistic system
 	types by modeling the semantics of the different systems as codatatypes.
 	This approach yields simple and concise proofs, as bisimilarity coincides
 	with equality for codatatypes.
 	<p>
 	This work is described in detail in the ITP 2015 publication by the authors.
 notify = traytel@in.tum.de
 
 [Density_Compiler]
 title = A Verified Compiler for Probability Density Functions
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>, Johannes Hölzl <http://in.tum.de/~hoelzl>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2014-10-09
 topic = Mathematics/Probability theory, Computer science/Programming languages/Compiling
 abstract =
 	<a href="https://doi.org/10.1007/978-3-642-36742-7_35">Bhat et al. [TACAS 2013]</a> developed an inductive compiler that computes
 	density functions for probability spaces described by programs in a
 	probabilistic functional language. In this work, we implement such a
 	compiler for a modified version of this language within the theorem prover
 	Isabelle and give a formal proof of its soundness w.r.t. the semantics of
 	the source and target language.  Together with Isabelle's code generation
 	for inductive predicates, this yields a fully verified, executable density
 	compiler. The proof is done in two steps: First, an abstract compiler
 	working with abstract functions modelled directly in the theorem prover's
 	logic is defined and proved sound.  Then, this compiler is refined to a
 	concrete version that returns a target-language expression.
 	<p>
 	An article with the same title and authors is published in the proceedings
 	of ESOP 2015.
 	A detailed presentation of this work can be found in the first author's
 	master's thesis.
 notify = hoelzl@in.tum.de
 
 [CAVA_Automata]
 title = The CAVA Automata Library
 author = Peter Lammich <http://www21.in.tum.de/~lammich>
 date = 2014-05-28
 topic = Computer science/Automata and formal languages
 abstract =
 	We report on the graph and automata library that is used in the fully
 	verified LTL model checker CAVA.
 	As most components of CAVA use some type of graphs or automata, a common
 	automata library simplifies assembly of the components and reduces
 	redundancy.
 	<p>
 	The CAVA Automata Library provides a hierarchy of graph and automata
 	classes, together with some standard algorithms.
 	Its object oriented design allows for sharing of algorithms, theorems,
 	and implementations between its classes, and also simplifies extensions
 	of the library.
 	Moreover, it is integrated into the Automatic Refinement Framework,
 	supporting automatic refinement of the abstract automata types to
 	efficient data structures.
 	<p>
 	Note that the CAVA Automata Library is work in progress. Currently, it
 	is very specifically tailored towards the requirements of the CAVA model
 	checker.
 	Nevertheless, the formalization techniques presented here allow an
 	extension of the library to a wider scope. Moreover, they are not
 	limited to graph libraries, but apply to class hierarchies in general.
 	<p>
 	The CAVA Automata Library is described in the paper: Peter Lammich, The
 	CAVA Automata Library, Isabelle Workshop 2014.
 notify = lammich@in.tum.de
 
 [LTL]
 title = Linear Temporal Logic
 author = Salomon Sickert <https://www7.in.tum.de/~sickert>
 contributors = Benedikt Seidl <mailto:benedikt.seidl@tum.de>
 date = 2016-03-01
 topic = Logic/General logic/Temporal logic, Computer science/Automata and formal languages
 abstract =
 	This theory provides a formalisation of linear temporal logic (LTL)
 	and unifies previous formalisations within the AFP. This entry
 	establishes syntax and semantics for this logic and decouples it from
 	existing entries, yielding a common environment for theories reasoning
 	about LTL. Furthermore a parser written in SML and an executable
 	simplifier are provided.
 extra-history =
     Change history:
     [2019-03-12]:
         Support for additional operators, implementation of common equivalence relations,
         definition of syntactic fragments of LTL and the minimal disjunctive normal form. <br>
 notify = sickert@in.tum.de
 
 [LTL_to_GBA]
 title = Converting Linear-Time Temporal Logic to Generalized Büchi Automata
 author = Alexander Schimpf <mailto:schimpfa@informatik.uni-freiburg.de>, Peter Lammich <http://www21.in.tum.de/~lammich>
 date = 2014-05-28
 topic = Computer science/Automata and formal languages
 abstract =
 	We formalize linear-time temporal logic (LTL) and the algorithm by Gerth
 	et al. to convert LTL formulas to generalized Büchi automata.
 	We also formalize some syntactic rewrite rules that can be applied to
 	optimize the LTL formula before conversion.
 	Moreover, we integrate the Stuttering Equivalence AFP-Entry by Stefan
 	Merz, adapting the lemma that next-free LTL formula cannot distinguish
 	between stuttering equivalent runs to our setting.
 	<p>
 	We use the Isabelle Refinement and Collection framework, as well as the
 	Autoref tool, to obtain a refined version of our algorithm, from which
 	efficiently executable code can be extracted.
 notify = lammich@in.tum.de
 
 [Gabow_SCC]
 title = Verified Efficient Implementation of Gabow's Strongly Connected Components Algorithm
 author = Peter Lammich <http://www21.in.tum.de/~lammich>
 date = 2014-05-28
 topic = Computer science/Algorithms/Graph, Mathematics/Graph theory
 abstract =
 	We present an Isabelle/HOL formalization of Gabow's algorithm for
 	finding the strongly connected components of a directed graph.
 	Using data refinement techniques, we extract efficient code that
 	performs comparable to a reference implementation in Java.
 	Our style of formalization allows for re-using large parts of the proofs
 	when defining variants of the algorithm. We demonstrate this by
 	verifying an algorithm for the emptiness check of generalized Büchi
 	automata, re-using most of the existing proofs.
 notify = lammich@in.tum.de
 
 [Promela]
 title = Promela Formalization
 author = René Neumann <mailto:rene.neumann@in.tum.de>
 date = 2014-05-28
 topic = Computer science/System description languages
 abstract =
 	We present an executable formalization of the language Promela, the
 	description language for models of the model checker SPIN. This
 	formalization is part of the work for a completely verified model
 	checker (CAVA), but also serves as a useful (and executable!)
 	description of the semantics of the language itself, something that is
 	currently missing.
 	The formalization uses three steps: It takes an abstract syntax tree
 	generated from an SML parser, removes syntactic sugar and enriches it
 	with type information. This further gets translated into a transition
 	system, on which the semantic engine (read: successor function) operates.
 notify =
 
 [CAVA_LTL_Modelchecker]
 title = A Fully Verified Executable LTL Model Checker
 author = Javier Esparza <https://www7.in.tum.de/~esparza/>,
 	Peter Lammich <http://www21.in.tum.de/~lammich>,
 	René Neumann <mailto:rene.neumann@in.tum.de>,
 	Tobias Nipkow <http://www21.in.tum.de/~nipkow>,
 	Alexander Schimpf <mailto:schimpfa@informatik.uni-freiburg.de>,
 	Jan-Georg Smaus <http://www.irit.fr/~Jan-Georg.Smaus>
 date = 2014-05-28
 topic = Computer science/Automata and formal languages
 abstract =
 	We present an LTL model checker whose code has been completely verified
 	using the Isabelle theorem prover. The checker consists of over 4000
 	lines of ML code. The code is produced using the Isabelle Refinement
 	Framework, which allows us to split its correctness proof into (1) the
 	proof of an abstract version of the checker, consisting of a few hundred
 	lines of ``formalized pseudocode'', and (2) a verified refinement step
 	in which mathematical sets and other abstract structures are replaced by
 	implementations of efficient structures like red-black trees and
 	functional arrays. This leads to a checker that,
 	while still slower than unverified checkers, can already be used as a
 	trusted reference implementation against which advanced implementations
 	can be tested.
 	<p>
 	An early version of this model checker is described in the
 	<a href="http://www21.in.tum.de/~nipkow/pubs/cav13.html">CAV 2013 paper</a>
 	with the same title.
 notify = lammich@in.tum.de
 
 [Fermat3_4]
 title = Fermat's Last Theorem for Exponents 3 and 4 and the Parametrisation of Pythagorean Triples
 author = Roelof Oosterhuis <>
 date = 2007-08-12
 topic = Mathematics/Number theory
 abstract = This document presents the mechanised proofs of<ul><li>Fermat's Last Theorem for exponents 3 and 4 and</li><li>the parametrisation of Pythagorean Triples.</li></ul>
 notify = nipkow@in.tum.de, roelofoosterhuis@gmail.com
 
 [Perfect-Number-Thm]
 title = Perfect Number Theorem
 author = Mark Ijbema <mailto:ijbema@fmf.nl>
 date = 2009-11-22
 topic = Mathematics/Number theory
 abstract = These theories present the mechanised proof of the Perfect Number Theorem.
 notify = nipkow@in.tum.de
 
 [SumSquares]
 title = Sums of Two and Four Squares
 author = Roelof Oosterhuis <>
 date = 2007-08-12
 topic = Mathematics/Number theory
 abstract = This document presents the mechanised proofs of the following results:<ul><li>any prime number of the form 4m+1 can be written as the sum of two squares;</li><li>any natural number can be written as the sum of four squares</li></ul>
 notify = nipkow@in.tum.de, roelofoosterhuis@gmail.com
 
 [Lehmer]
 title = Lehmer's Theorem
 author = Simon Wimmer <mailto:simon.wimmer@tum.de>, Lars Noschinski <http://www21.in.tum.de/~noschinl/>
 date = 2013-07-22
 topic = Mathematics/Number theory
 abstract = In 1927, Lehmer presented criterions for primality, based on the converse of Fermat's litte theorem. This work formalizes the second criterion from Lehmer's paper, a necessary and sufficient condition for primality.
 	<p>
 	As a side product we formalize some properties of Euler's phi-function,
 	the notion of the order of an element of a group, and the cyclicity of the multiplicative group of a finite field.
 notify = noschinl@gmail.com, simon.wimmer@tum.de
 
 [Pratt_Certificate]
 title = Pratt's Primality Certificates
 author = Simon Wimmer <mailto:simon.wimmer@tum.de>, Lars Noschinski <http://www21.in.tum.de/~noschinl/>
 date = 2013-07-22
 topic = Mathematics/Number theory
 abstract = In 1975, Pratt introduced a proof system for certifying primes. He showed that a number <i>p</i> is prime iff a primality certificate for <i>p</i> exists. By showing a logarithmic upper bound on the length of the certificates in size of the prime number, he concluded that the decision problem for prime numbers is in NP. This work formalizes soundness and completeness of Pratt's proof system as well as an upper bound for the size of the certificate.
 notify = noschinl@gmail.com, simon.wimmer@tum.de
 
 [Monad_Memo_DP]
 title = Monadification, Memoization and Dynamic Programming
 author = Simon Wimmer <http://home.in.tum.de/~wimmers/>, Shuwei Hu <mailto:shuwei.hu@tum.de>, Tobias Nipkow <http://www21.in.tum.de/~nipkow/>
 topic = Computer science/Programming languages/Transformations, Computer science/Algorithms, Computer science/Functional programming
 date = 2018-05-22
 notify = wimmers@in.tum.de
 abstract =
   We present a lightweight framework for the automatic verified
   (functional or imperative) memoization of recursive functions. Our
   tool can turn a pure Isabelle/HOL function definition into a
   monadified version in a state monad or the Imperative HOL heap monad,
   and prove a correspondence theorem. We provide a variety of memory
   implementations for the two types of monads. A number of simple
   techniques allow us to achieve bottom-up computation and
   space-efficient memoization. The framework’s utility is demonstrated
   on a number of representative dynamic programming problems. A detailed
   description of our work can be found in the accompanying paper [2].
 
 [Probabilistic_Timed_Automata]
 title = Probabilistic Timed Automata
 author = Simon Wimmer <http://in.tum.de/~wimmers>, Johannes Hölzl <http://home.in.tum.de/~hoelzl>
 topic = Mathematics/Probability theory,  Computer science/Automata and formal languages
 date = 2018-05-24
 notify = wimmers@in.tum.de, hoelzl@in.tum.de
 abstract =
   We present a formalization of probabilistic timed automata (PTA) for
   which we try to follow the formula MDP + TA = PTA as far as possible:
   our work starts from our existing formalizations of Markov decision
   processes (MDP) and timed automata (TA) and combines them modularly.
   We prove the fundamental result for probabilistic timed automata: the
   region construction that is known from timed automata carries over to
   the probabilistic setting. In particular, this allows us to prove that
   minimum and maximum reachability probabilities can be computed via a
   reduction to MDP model checking, including the case where one wants to
   disregard unrealizable behavior. Further information can be found in
   our ITP paper [2].
 
 [Hidden_Markov_Models]
 title = Hidden Markov Models
 author = Simon Wimmer <http://in.tum.de/~wimmers>
 topic = Mathematics/Probability theory, Computer science/Algorithms
 date = 2018-05-25
 notify = wimmers@in.tum.de
 abstract =
   This entry contains a formalization of hidden Markov models [3] based
   on Johannes Hölzl's formalization of discrete time Markov chains
   [1]. The basic definitions are provided and the correctness of two
   main (dynamic programming) algorithms for hidden Markov models is
   proved: the forward algorithm for computing the likelihood of an
   observed sequence, and the Viterbi algorithm for decoding the most
   probable hidden state sequence. The Viterbi algorithm is made
   executable including memoization.  Hidden markov models have various
   applications in natural language processing. For an introduction see
   Jurafsky and Martin [2].
 
 [ArrowImpossibilityGS]
 title = Arrow and Gibbard-Satterthwaite
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2008-09-01
 topic = Mathematics/Games and economics
 abstract = This article formalizes two proofs of Arrow's impossibility theorem due to Geanakoplos and derives the Gibbard-Satterthwaite theorem as a corollary. One formalization is based on utility functions, the other one on strict partial orders.<br><br>An article about these proofs is found <a href="http://www21.in.tum.de/~nipkow/pubs/arrow.html">here</a>.
 notify = nipkow@in.tum.de
 
 [SenSocialChoice]
 title = Some classical results in Social Choice Theory
 author = Peter Gammie <http://peteg.org>
 date = 2008-11-09
 topic = Mathematics/Games and economics
 abstract = Drawing on Sen's landmark work "Collective Choice and Social Welfare" (1970), this development proves Arrow's General Possibility Theorem, Sen's Liberal Paradox and May's Theorem in a general setting. The goal was to make precise the classical statements and proofs of these results, and to provide a foundation for more recent results such as the Gibbard-Satterthwaite and Duggan-Schwartz theorems.
 notify = nipkow@in.tum.de
 
 [Vickrey_Clarke_Groves]
 title = VCG - Combinatorial Vickrey-Clarke-Groves Auctions
 author = Marco B. Caminati <>, Manfred Kerber <http://www.cs.bham.ac.uk/~mmk>, Christoph Lange<mailto:math.semantic.web@gmail.com>, Colin Rowat<mailto:c.rowat@bham.ac.uk>
 date = 2015-04-30
 topic = Mathematics/Games and economics
 abstract =
 	A VCG auction (named after their inventors Vickrey, Clarke, and
 	Groves) is a generalization of the single-good, second price Vickrey
 	auction to the case of a combinatorial auction (multiple goods, from
 	which any participant can bid on each possible combination). We
 	formalize in this entry VCG auctions, including tie-breaking and prove
 	that the functions for the allocation and the price determination are
 	well-defined. Furthermore we show that the allocation function
 	allocates goods only to participants, only goods in the auction are
 	allocated, and no good is allocated twice. We also show that the price
 	function is non-negative. These properties also hold for the
 	automatically extracted Scala code.
 notify = mnfrd.krbr@gmail.com
 
 [Topology]
 title = Topology
 author = Stefan Friedrich <>
 date = 2004-04-26
 topic = Mathematics/Topology
 abstract = This entry contains two theories. The first, <tt>Topology</tt>, develops the basic notions of general topology. The second, which can be viewed as a demonstration of the first, is called <tt>LList_Topology</tt>. It develops the topology of lazy lists.
 notify = lcp@cl.cam.ac.uk
 
 [Knot_Theory]
 title = Knot Theory
 author = T.V.H. Prathamesh <mailto:prathamesh@imsc.res.in>
 date = 2016-01-20
 topic = Mathematics/Topology
 abstract =
 	This work contains a formalization of some topics in knot theory.
 	The concepts that were formalized include definitions of tangles, links,
 	framed links and link/tangle equivalence. The formalization is based on a
 	formulation of links in terms of tangles. We further construct and prove the
 	invariance of the Bracket polynomial. Bracket polynomial is an invariant of
 	framed links closely linked to the Jones polynomial. This is perhaps the first
 	attempt to formalize any aspect of knot theory in an interactive proof assistant.
 notify = prathamesh@imsc.res.in
 
 [Graph_Theory]
 title = Graph Theory
 author = Lars Noschinski <http://www21.in.tum.de/~noschinl/>
 date = 2013-04-28
 topic = Mathematics/Graph theory
 abstract = This development provides a formalization of directed graphs, supporting (labelled) multi-edges and infinite graphs. A polymorphic edge type allows edges to be treated as pairs of vertices, if multi-edges are not required. Formalized properties are i.a. walks (and related concepts), connectedness and subgraphs and basic properties of isomorphisms.
 	<p>
 	This formalization is used to prove characterizations of Euler Trails, Shortest Paths and Kuratowski subgraphs.
 notify = noschinl@gmail.com
 
 [Planarity_Certificates]
 title = Planarity Certificates
 author = Lars Noschinski <http://www21.in.tum.de/~noschinl/>
 date = 2015-11-11
 topic = Mathematics/Graph theory
 abstract =
 	This development provides a formalization of planarity based on
 	combinatorial maps and proves that Kuratowski's theorem implies
 	combinatorial planarity.
 	Moreover, it contains verified implementations of programs checking
 	certificates for planarity (i.e., a combinatorial map) or non-planarity
 	(i.e., a Kuratowski subgraph).
 notify = noschinl@gmail.com
 
 [Max-Card-Matching]
 title = Maximum Cardinality Matching
 author = Christine Rizkallah <https://www.mpi-inf.mpg.de/~crizkall/>
 date = 2011-07-21
 topic = Mathematics/Graph theory
 abstract =
 	<p>
 	A <em>matching</em> in a graph <i>G</i> is a subset <i>M</i> of the
 	edges of <i>G</i> such that no two share an endpoint. A matching has maximum
 	cardinality if its cardinality is at least as large as that of any other
 	matching. An <em>odd-set cover</em> <i>OSC</i> of a graph <i>G</i> is a
 	labeling of the nodes of <i>G</i> with integers such that every edge of
 	<i>G</i> is either incident to a node labeled 1 or connects two nodes
 	labeled with the same number <i>i &ge; 2</i>.
 	</p><p>
 	This article proves Edmonds theorem:<br>
 	Let <i>M</i> be a matching in a graph <i>G</i> and let <i>OSC</i> be an
 	odd-set cover of <i>G</i>.
 	For any <i>i &ge; 0</i>, let <var>n(i)</var> be the number of nodes
 	labeled <i>i</i>. If <i>|M| = n(1) +
 	&sum;<sub>i &ge; 2</sub>(n(i) div 2)</i>,
 	then <i>M</i> is a maximum cardinality matching.
 	</p>
 notify = nipkow@in.tum.de
 
 [Girth_Chromatic]
 title = A Probabilistic Proof of the Girth-Chromatic Number Theorem
 author = Lars Noschinski <http://www21.in.tum.de/~noschinl/>
 date = 2012-02-06
 topic = Mathematics/Graph theory
 abstract = This works presents a formalization of the Girth-Chromatic number theorem in graph theory, stating that graphs with arbitrarily large girth and chromatic number exist. The proof uses the theory of Random Graphs to prove the existence with probabilistic arguments.
 notify = noschinl@gmail.com
 
 [Random_Graph_Subgraph_Threshold]
 title = Properties of Random Graphs -- Subgraph Containment
 author = Lars Hupel <mailto:hupel@in.tum.de>
 date = 2014-02-13
 topic = Mathematics/Graph theory, Mathematics/Probability theory
 abstract = Random graphs are graphs with a fixed number of vertices, where each edge is present with a fixed probability. We are interested in the probability that a random graph contains a certain pattern, for example a cycle or a clique. A very high edge probability gives rise to perhaps too many edges (which degrades performance for many algorithms), whereas a low edge probability might result in a disconnected graph. We prove a theorem about a threshold probability such that a higher edge probability will asymptotically almost surely produce a random graph with the desired subgraph.
 notify = hupel@in.tum.de
 
 [Flyspeck-Tame]
 title = Flyspeck I: Tame Graphs
 author = Gertrud Bauer <>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2006-05-22
 topic = Mathematics/Graph theory
 abstract =
 	These theories present the verified enumeration of <i>tame</i> plane graphs
 	as defined by Thomas C. Hales in his proof of the Kepler Conjecture in his
 	book <i>Dense Sphere Packings. A Blueprint for Formal Proofs.</i> [CUP 2012].
 	The values of the constants in the definition of tameness are identical to
 	those in the <a href="https://code.google.com/p/flyspeck/">Flyspeck project</a>.
 	The <a href="http://www21.in.tum.de/~nipkow/pubs/Flyspeck/">IJCAR 2006 paper by Nipkow, Bauer and Schultz</a> refers to the original version of Hales' proof,
 	the <a href="http://www21.in.tum.de/~nipkow/pubs/itp11.html">ITP 2011 paper by Nipkow</a> refers to the Blueprint version of the proof.
 extra-history =
 	Change history:
 	[2010-11-02]: modified theories to reflect the modified definition of tameness in Hales' revised proof.<br>
 	[2014-07-03]: modified constants in def of tameness and Archive according to the final state of the Flyspeck proof.
 notify = nipkow@in.tum.de
 
 [Well_Quasi_Orders]
 title = Well-Quasi-Orders
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>
 date = 2012-04-13
 topic = Mathematics/Combinatorics
 abstract = Based on Isabelle/HOL's type class for preorders,
 	we introduce a type class for well-quasi-orders (wqo)
 	which is characterized by the absence of "bad" sequences
 	(our proofs are along the lines of the proof of Nash-Williams,
 	from which we also borrow terminology). Our main results are
 	instantiations for the product type, the list type, and a type of finite trees,
 	which (almost) directly follow from our proofs of (1) Dickson's Lemma, (2)
 	Higman's Lemma, and (3) Kruskal's Tree Theorem. More concretely:
 	<ul>
 	<li>If the sets A and B are wqo then their Cartesian product is wqo.</li>
 	<li>If the set A is wqo then the set of finite lists over A is wqo.</li>
 	<li>If the set A is wqo then the set of finite trees over A is wqo.</li>
 	</ul>
 	The research was funded by the Austrian Science Fund (FWF): J3202.
 extra-history =
 	Change history:
 	[2012-06-11]: Added Kruskal's Tree Theorem.<br>
 	[2012-12-19]: New variant of Kruskal's tree theorem for terms (as opposed to
 	variadic terms, i.e., trees), plus finite version of the tree theorem as
 	corollary.<br>
 	[2013-05-16]: Simplified construction of minimal bad sequences.<br>
 	[2014-07-09]: Simplified proofs of Higman's lemma and Kruskal's tree theorem,
 	based on homogeneous sequences.<br>
   [2016-01-03]: An alternative proof of Higman's lemma by open induction.<br>
   [2017-06-08]: Proved (classical) equivalence to inductive definition of
   almost-full relations according to the ITP 2012 paper "Stop When You Are
   Almost-Full" by Vytiniotis, Coquand, and Wahlstedt.
 notify = c.sternagel@gmail.com
 
 [Marriage]
 title = Hall's Marriage Theorem
 author = Dongchen Jiang <mailto:dongchenjiang@googlemail.com>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2010-12-17
 topic = Mathematics/Combinatorics
 abstract = Two proofs of Hall's Marriage Theorem: one due to Halmos and Vaughan, one due to Rado.
 extra-history =
 	Change history:
 	[2011-09-09]: Added Rado's proof
 notify = nipkow@in.tum.de
 
 [Bondy]
 title = Bondy's Theorem
 author = Jeremy Avigad <http://www.andrew.cmu.edu/user/avigad/>, Stefan Hetzl <http://www.logic.at/people/hetzl/>
 date = 2012-10-27
 topic = Mathematics/Combinatorics
 abstract = A proof of Bondy's theorem following B. Bollabas, Combinatorics, 1986, Cambridge University Press.
 notify = avigad@cmu.edu, hetzl@logic.at
 
 [Ramsey-Infinite]
 title = Ramsey's theorem, infinitary version
 author = Tom Ridge <>
 date = 2004-09-20
 topic = Mathematics/Combinatorics
 abstract = This formalization of Ramsey's theorem (infinitary version) is taken from Boolos and Jeffrey, <i>Computability and Logic</i>, 3rd edition, Chapter 26. It differs slightly from the text by assuming a slightly stronger hypothesis. In particular, the induction hypothesis is stronger, holding for any infinite subset of the naturals. This avoids the rather peculiar mapping argument between kj and aikj on p.263, which is unnecessary and slightly mars this really beautiful result.
 notify = lp15@cam.ac.uk
 
 [Derangements]
 title = Derangements Formula
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 date = 2015-06-27
 topic = Mathematics/Combinatorics
 abstract =
 	The Derangements Formula describes the number of fixpoint-free permutations
 	as a closed formula. This theorem is the 88th theorem in a list of the
 	``<a href="http://www.cs.ru.nl/~freek/100/">Top 100 Mathematical Theorems</a>''.
 notify = lukas.bulwahn@gmail.com
 
 [Euler_Partition]
 title = Euler's Partition Theorem
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 date = 2015-11-19
 topic = Mathematics/Combinatorics
 abstract =
 	Euler's Partition Theorem states that the number of partitions with only
 	distinct parts is equal to the number of partitions with only odd parts.
 	The combinatorial proof follows John Harrison's HOL Light formalization.
 	This theorem is the 45th theorem of the Top 100 Theorems list.
 notify = lukas.bulwahn@gmail.com
 
 [Discrete_Summation]
 title = Discrete Summation
 author = Florian Haftmann <http://isabelle.in.tum.de/~haftmann>
 contributors = Amine Chaieb <>
 date = 2014-04-13
 topic = Mathematics/Combinatorics
 abstract = These theories introduce basic concepts and proofs about discrete summation: shifts, formal summation, falling factorials and stirling numbers. As proof of concept, a simple summation conversion is provided.
 notify = florian.haftmann@informatik.tu-muenchen.de
 
 [Open_Induction]
 title = Open Induction
 author = Mizuhito Ogawa <>, Christian Sternagel <mailto:c.sternagel@gmail.com>
 date = 2012-11-02
 topic = Mathematics/Combinatorics
 abstract =
 	A proof of the open induction schema based on J.-C. Raoult, Proving open properties by induction, <i>Information Processing Letters</i> 29, 1988, pp.19-23.
 	<p>This research was supported by the Austrian Science Fund (FWF): J3202.</p>
 notify = c.sternagel@gmail.com
 
 [Category]
 title = Category Theory to Yoneda's Lemma
 author = Greg O'Keefe <http://users.rsise.anu.edu.au/~okeefe/>
 date = 2005-04-21
 topic = Mathematics/Category theory
 license = LGPL
 abstract = This development proves Yoneda's lemma and aims to be readable by humans. It only defines what is needed for the lemma: categories, functors and natural transformations. Limits, adjunctions and other important concepts are not included.
 extra-history =
 	Change history:
 	[2010-04-23]: The definition of the constant <tt>equinumerous</tt> was slightly too weak in the original submission and has been fixed in revision <a href="https://bitbucket.org/isa-afp/afp-devel/commits/8c2b5b3c995f">8c2b5b3c995f</a>.
 notify = lcp@cl.cam.ac.uk
 
 [Category2]
 title = Category Theory
 author = Alexander Katovsky <mailto:apk32@cam.ac.uk>
 date = 2010-06-20
 topic = Mathematics/Category theory
 abstract = This article presents a development of Category Theory in Isabelle/HOL. A Category is defined using records and locales. Functors and Natural Transformations are also defined. The main result that has been formalized is that the Yoneda functor is a full and faithful embedding. We also formalize the completeness of many sorted monadic equational logic. Extensive use is made of the HOLZF theory in both cases. For an informal description see <a href="http://www.srcf.ucam.org/~apk32/Isabelle/Category/Cat.pdf">here [pdf]</a>.
 notify = alexander.katovsky@cantab.net
 
 [FunWithFunctions]
 title = Fun With Functions
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 date = 2008-08-26
 topic = Mathematics/Misc
 abstract = This is a collection of cute puzzles of the form ``Show that if a function satisfies the following constraints, it must be ...'' Please add further examples to this collection!
 notify = nipkow@in.tum.de
 
 [FunWithTilings]
 title = Fun With Tilings
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>, Lawrence C. Paulson <http://www.cl.cam.ac.uk/~lp15/>
 date = 2008-11-07
 topic = Mathematics/Misc
 abstract = Tilings are defined inductively. It is shown that one form of mutilated chess board cannot be tiled with dominoes, while another one can be tiled with L-shaped tiles. Please add further fun examples of this kind!
 notify = nipkow@in.tum.de
 
 [Lazy-Lists-II]
 title = Lazy Lists II
 author = Stefan Friedrich <>
 date = 2004-04-26
 topic = Computer science/Data structures
 abstract = This theory contains some useful extensions to the LList (lazy list) theory by <a href="http://www.cl.cam.ac.uk/~lp15/">Larry Paulson</a>, including finite, infinite, and positive llists over an alphabet, as well as the new constants take and drop and the prefix order of llists. Finally, the notions of safety and liveness in the sense of Alpern and Schneider (1985) are defined.
 notify = lcp@cl.cam.ac.uk
 
 [Ribbon_Proofs]
 title = Ribbon Proofs
 author = John Wickerson <>
 date = 2013-01-19
 topic = Computer science/Programming languages/Logics
 abstract = This document concerns the theory of ribbon proofs: a diagrammatic proof system, based on separation logic, for verifying program correctness. We include the syntax, proof rules, and soundness results for two alternative formalisations of ribbon proofs. <p> Compared to traditional proof outlines, ribbon proofs emphasise the structure of a proof, so are intelligible and pedagogical. Because they contain less redundancy than proof outlines, and allow each proof step to be checked locally, they may be more scalable. Where proof outlines are cumbersome to modify, ribbon proofs can be visually manoeuvred to yield proofs of variant programs.
 notify =
 
 [Koenigsberg_Friendship]
 title = The Königsberg Bridge Problem and the Friendship Theorem
 author = Wenda Li <mailto:wl302@cam.ac.uk>
 date = 2013-07-19
 topic = Mathematics/Graph theory
 abstract = This development provides a formalization of undirected graphs and simple graphs, which are based on Benedikt Nordhoff and Peter Lammich's simple formalization of labelled directed graphs in the archive. Then, with our formalization of graphs, we show both necessary and sufficient conditions for Eulerian trails and circuits as well as the fact that the Königsberg Bridge Problem does not have a solution. In addition, we show the Friendship Theorem in simple graphs.
 notify =
 
 [Tree_Decomposition]
 title = Tree Decomposition
 author = Christoph Dittmann <http://logic.las.tu-berlin.de/Members/Dittmann/>
 notify =
 date = 2016-05-31
 topic = Mathematics/Graph theory
 abstract =
 	We formalize tree decompositions and tree width in Isabelle/HOL,
 	proving that trees have treewidth 1.  We also show that every edge of
 	a tree decomposition is a separation of the underlying graph. As an
 	application of this theorem we prove that complete graphs of size n
 	have treewidth n-1.
 
 [Menger]
 title = Menger's Theorem
 author = Christoph Dittmann <mailto:isabelle@christoph-d.de>
 topic = Mathematics/Graph theory
 date = 2017-02-26
 notify = isabelle@christoph-d.de
 abstract =
   We present a formalization of Menger's Theorem for directed and
   undirected graphs in Isabelle/HOL.  This well-known result shows that
   if two non-adjacent distinct vertices u, v in a directed graph have no
   separator smaller than n, then there exist n internally
   vertex-disjoint paths from u to v.  The version for undirected graphs
   follows immediately because undirected graphs are a special case of
   directed graphs.
 
 [IEEE_Floating_Point]
 title = A Formal Model of IEEE Floating Point Arithmetic
 author = Lei Yu <mailto:ly271@cam.ac.uk>
 contributors =  Fabian Hellauer <mailto:hellauer@in.tum.de>, Fabian Immler <http://www21.in.tum.de/~immler>
 date = 2013-07-27
 topic = Computer science/Data structures
 abstract = This development provides a formal model of IEEE-754 floating-point arithmetic. This formalization, including formal specification of the standard and proofs of important properties of floating-point arithmetic, forms the foundation for verifying programs with floating-point computation. There is also a code generation setup for floats so that we can execute programs using this formalization in functional programming languages.
 notify = lp15@cam.ac.uk, immler@in.tum.de
 extra-history =
 	Change history:
 	[2017-09-25]: Added conversions from and to software floating point numbers
 	  (by Fabian Hellauer and Fabian Immler).<br>
   [2018-02-05]: 'Modernized' representation following the formalization in HOL4:
     former "float_format" and predicate "is_valid" is now encoded in a type "('e, 'f) float" where
     'e and 'f encode the size of exponent and fraction.
 
 [Native_Word]
 title = Native Word
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>
 contributors = Peter Lammich <http://www21.in.tum.de/~lammich>
 date = 2013-09-17
 topic = Computer science/Data structures
 abstract = This entry makes machine words and machine arithmetic available for code generation from Isabelle/HOL.  It provides a common abstraction that hides the differences between the different target languages.  The code generator maps these operations to the APIs of the target languages.  Apart from that, we extend the available bit operations on types int and integer, and map them to the operations in the target languages.
 extra-history =
 	Change history:
 	[2013-11-06]:
 	added conversion function between native words and characters
 	(revision fd23d9a7fe3a)<br>
 	[2014-03-31]:
 	added words of default size in the target language (by Peter Lammich)
 	(revision 25caf5065833)<br>
 	[2014-10-06]:
 	proper test setup with compilation and execution of tests in all target languages
 	(revision 5d7a1c9ae047)<br>
         [2017-09-02]:
         added 64-bit words (revision c89f86244e3c)<br>
         [2018-07-15]:
         added cast operators for default-size words (revision fc1f1fb8dd30)<br>
 notify = mail@andreas-lochbihler.de
 
 [XML]
 title = XML
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <mailto:rene.thiemann@uibk.ac.at>
 date = 2014-10-03
 topic = Computer science/Functional programming, Computer science/Data structures
 abstract =
 	This entry provides an XML library for Isabelle/HOL. This includes parsing
 	and pretty printing of XML trees as well as combinators for transforming XML
 	trees into arbitrary user-defined data. The main contribution of this entry is
 	an interface (fit for code generation) that allows for communication between
 	verified programs formalized in Isabelle/HOL and the outside world via XML.
 	This library was developed as part of the IsaFoR/CeTA project
 	to which we refer for examples of its usage.
 notify = c.sternagel@gmail.com, rene.thiemann@uibk.ac.at
 
 [HereditarilyFinite]
 title = The Hereditarily Finite Sets
 author = Lawrence C. Paulson <http://www.cl.cam.ac.uk/~lp15/>
 date = 2013-11-17
 topic = Logic/Set theory
 abstract = The theory of hereditarily finite sets is formalised, following
 	the <a href="http://journals.impan.gov.pl/dm/Inf/422-0-1.html">development</a> of Swierczkowski.
 	An HF set is a finite collection of other HF sets; they enjoy an induction principle
 	and satisfy all the axioms of ZF set theory apart from the axiom of infinity, which is negated.
 	All constructions that are possible in ZF set theory (Cartesian products, disjoint sums, natural numbers,
 	functions) without using infinite sets are possible here.
 	The definition of addition for the HF sets follows Kirby.
 	This development forms the foundation for the Isabelle proof of Gödel's incompleteness theorems,
 	which has been <a href="Incompleteness.html">formalised separately</a>.
 extra-history =
 	Change history:
 	[2015-02-23]: Added the theory "Finitary" defining the class of types that can be embedded in hf, including int, char, option, list, etc.
 notify = lp15@cam.ac.uk
 
 [Incompleteness]
 title = Gödel's Incompleteness Theorems
 author = Lawrence C. Paulson <http://www.cl.cam.ac.uk/~lp15/>
 date = 2013-11-17
 topic = Logic/Proof theory
 abstract = Gödel's two incompleteness theorems are formalised, following a careful  <a href="http://journals.impan.gov.pl/dm/Inf/422-0-1.html">presentation</a> by Swierczkowski, in the theory of <a href="HereditarilyFinite.html">hereditarily finite sets</a>. This represents the first ever machine-assisted proof of the second incompleteness theorem. Compared with traditional formalisations using Peano arithmetic (see e.g. Boolos), coding is simpler, with no need to formalise the notion
 	of multiplication (let alone that of a prime number)
 	in the formalised calculus upon which the theorem is based.
 	However, other technical problems had to be solved in order to complete the argument.
 notify = lp15@cam.ac.uk
 
 [Finite_Automata_HF]
 title = Finite Automata in Hereditarily Finite Set Theory
 author = Lawrence C. Paulson <http://www.cl.cam.ac.uk/~lp15/>
 date = 2015-02-05
 topic = Computer science/Automata and formal languages
 abstract = Finite Automata, both deterministic and non-deterministic, for regular languages.
 	The Myhill-Nerode Theorem. Closure under intersection, concatenation, etc.
 	Regular expressions define regular languages. Closure under reversal;
 	the powerset construction mapping NFAs to DFAs. Left and right languages; minimal DFAs.
 	Brzozowski's minimization algorithm. Uniqueness up to isomorphism of minimal DFAs.
 notify = lp15@cam.ac.uk
 
 [Decreasing-Diagrams]
 title = Decreasing Diagrams
 author = Harald Zankl <http://cl-informatik.uibk.ac.at/users/hzankl>
 license = LGPL
 date = 2013-11-01
 topic = Logic/Rewriting
 abstract = This theory contains a formalization of decreasing diagrams showing that any locally decreasing abstract rewrite system is confluent. We consider the valley (van Oostrom, TCS 1994) and the conversion version (van Oostrom, RTA 2008) and closely follow the original proofs. As an application we prove Newman's lemma.
 notify = Harald.Zankl@uibk.ac.at
 
 [Decreasing-Diagrams-II]
 title = Decreasing Diagrams II
 author = Bertram Felgenhauer <mailto:bertram.felgenhauer@uibk.ac.at>
 license = LGPL
 date = 2015-08-20
 topic = Logic/Rewriting
 abstract = This theory formalizes the commutation version of decreasing diagrams for Church-Rosser modulo. The proof follows Felgenhauer and van Oostrom (RTA 2013). The theory also provides important specializations, in particular van Oostrom’s conversion version (TCS 2008) of decreasing diagrams.
 notify = bertram.felgenhauer@uibk.ac.at
 
 [GoedelGod]
 title = Gödel's God in Isabelle/HOL
 author = Christoph Benzmüller <http://page.mi.fu-berlin.de/cbenzmueller/>, Bruno Woltzenlogel Paleo <http://www.logic.at/staff/bruno/>
 date = 2013-11-12
 topic = Logic/Philosophical aspects
 abstract = Dana Scott's version of Gödel's proof of God's existence is formalized in quantified
 	modal logic KB (QML KB).
 	QML KB is modeled as a fragment of classical higher-order logic (HOL);
 	thus, the formalization is essentially a formalization in HOL.
 notify = lp15@cam.ac.uk, c.benzmueller@fu-berlin.de
 
 [Types_Tableaus_and_Goedels_God]
 title = Types, Tableaus and Gödel’s God in Isabelle/HOL
 author = David Fuenmayor <mailto:davfuenmayor@gmail.com>, Christoph Benzmüller <http://www.christoph-benzmueller.de>
 topic = Logic/Philosophical aspects
 date = 2017-05-01
 notify = davfuenmayor@gmail.com, c.benzmueller@gmail.com
 abstract =
   A computer-formalisation of the essential parts of Fitting's
   textbook "Types, Tableaus and Gödel's God" in
   Isabelle/HOL is presented. In particular, Fitting's (and
   Anderson's) variant of the ontological argument is verified and
   confirmed. This variant avoids the modal collapse, which has been
   criticised as an undesirable side-effect of Kurt Gödel's (and
   Dana Scott's) versions of the ontological argument.
   Fitting's work is employing an intensional higher-order modal
   logic, which we shallowly embed here in classical higher-order logic.
   We then utilize the embedded logic for the formalisation of
   Fitting's argument. (See also the earlier AFP entry ``Gödel's God in Isabelle/HOL''.)
 
 [GewirthPGCProof]
 title = Formalisation and Evaluation of Alan Gewirth's Proof for the Principle of Generic Consistency in Isabelle/HOL
 author = David Fuenmayor <mailto:davfuenmayor@gmail.com>, Christoph Benzmüller <http://christoph-benzmueller.de>
 topic = Logic/Philosophical aspects
 date = 2018-10-30
 notify = davfuenmayor@gmail.com, c.benzmueller@gmail.com
 abstract =
   An ambitious ethical theory ---Alan Gewirth's "Principle of
   Generic Consistency"--- is encoded and analysed in Isabelle/HOL.
   Gewirth's theory has stirred much attention in philosophy and
   ethics and has been proposed as a potential means to bound the impact
   of artificial general intelligence.
 extra-history =
 	Change history:
 	[2019-04-09]:
 	added proof for a stronger variant of the PGC and examplary inferences
 	(revision 88182cb0a2f6)<br>
 
 [Lowe_Ontological_Argument]
 title = Computer-assisted Reconstruction and Assessment of E. J. Lowe's Modal Ontological Argument
 author = David Fuenmayor <mailto:davfuenmayor@gmail.com>, Christoph Benzmüller <http://www.christoph-benzmueller.de>
 topic = Logic/Philosophical aspects
 date = 2017-09-21
 notify = davfuenmayor@gmail.com, c.benzmueller@gmail.com
 abstract =
   Computers may help us to understand --not just verify-- philosophical
   arguments. By utilizing modern proof assistants in an iterative
   interpretive process, we can reconstruct and assess an argument by
   fully formal means. Through the mechanization of a variant of St.
   Anselm's ontological argument by E. J. Lowe, which is a
   paradigmatic example of a natural-language argument with strong ties
   to metaphysics and religion, we offer an ideal showcase for our
   computer-assisted interpretive method.
 
 [AnselmGod]
 title = Anselm's God in Isabelle/HOL
 author = Ben Blumson <https://philpapers.org/profile/805>
 topic = Logic/Philosophical aspects
 date = 2017-09-06
 notify = benblumson@gmail.com
 abstract =
   Paul Oppenheimer and Edward Zalta's formalisation of
   Anselm's ontological argument for the existence of God is
   automated by embedding a free logic for definite descriptions within
   Isabelle/HOL.
 
 [Tail_Recursive_Functions]
 title = A General Method for the Proof of Theorems on Tail-recursive Functions
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 date = 2013-12-01
 topic = Computer science/Functional programming
 abstract =
 	<p>
 	Tail-recursive function definitions are sometimes more straightforward than
 	alternatives, but proving theorems on them may be roundabout because of the
 	peculiar form of the resulting recursion induction rules.
 	</p><p>
 	This paper describes a proof method that provides a general solution to
 	this problem by means of suitable invariants over inductive sets, and
 	illustrates the application of such method by examining two case studies.
 	</p>
 notify = pasquale.noce.lavoro@gmail.com
 
 [CryptoBasedCompositionalProperties]
 title = Compositional Properties of Crypto-Based Components
 author = Maria Spichkova <mailto:maria.spichkova@rmit.edu.au>
 date = 2014-01-11
 topic = Computer science/Security
 abstract = This paper presents an Isabelle/HOL set of theories which allows the specification of crypto-based components and the verification of their composition properties wrt. cryptographic aspects. We introduce a formalisation of the security property of data secrecy, the corresponding definitions and proofs. Please note that here we import the Isabelle/HOL theory ListExtras.thy, presented in the AFP entry FocusStreamsCaseStudies-AFP.
 notify = maria.spichkova@rmit.edu.au
 
 [Featherweight_OCL]
 title = Featherweight OCL: A Proposal for a Machine-Checked Formal Semantics for OCL 2.5
 author = Achim D. Brucker <mailto:brucker@spamfence.net>, Frédéric Tuong <mailto:tuong@users.gforge.inria.fr>, Burkhart Wolff <mailto:wolff@lri.fr>
 date = 2014-01-16
 topic = Computer science/System description languages
 abstract = The Unified Modeling Language (UML) is one of the few
 	modeling languages that is widely used in industry. While
 	UML is mostly known as diagrammatic modeling language
 	(e.g., visualizing class models), it is complemented by a
 	textual language, called Object Constraint Language
 	(OCL). The current version of OCL is based on a four-valued
 	logic that turns UML into a formal language. Any type
 	comprises the elements "invalid" and "null" which are
 	propagated as strict and non-strict, respectively.
 	Unfortunately, the former semi-formal semantics of this
 	specification language, captured in the "Annex A" of the
 	OCL standard, leads to different interpretations of corner
 	cases. We formalize the core of OCL: denotational
 	definitions, a logical calculus and operational rules that
 	allow for the execution of OCL expressions by a mixture of
 	term rewriting and code compilation. Our formalization
 	reveals several inconsistencies and contradictions in the
 	current version of the OCL standard. Overall, this document
 	is intended to provide the basis for a machine-checked text
 	"Annex A" of the OCL standard targeting at tool
 	implementors.
 extra-history =
 	Change history:
 	[2015-10-13]:
 	<a href="https://bitbucket.org/isa-afp/afp-devel/commits/ea3b38fc54d68535bcfafd40357b6ff8f1092057">afp-devel@ea3b38fc54d6</a> and
 	<a href="https://projects.brucker.ch/hol-testgen/log/trunk?rev=12148">hol-testgen@12148</a><br>
 	&nbsp;&nbsp;&nbsp;Update of Featherweight OCL including a change in the abstract.<br>
 	[2014-01-16]:
 	<a href="https://bitbucket.org/isa-afp/afp-devel/commits/9091ce05cb20d4ad3dc1961c18f1846d85e87f8e">afp-devel@9091ce05cb20</a> and
 	<a href="https://projects.brucker.ch/hol-testgen/log/trunk?rev=10241">hol-testgen@10241</a><br>
 	&nbsp;&nbsp;&nbsp;New Entry: Featherweight OCL
 notify = brucker@spamfence.net, tuong@users.gforge.inria.fr, wolff@lri.fr
 
 [Relation_Algebra]
 title = Relation Algebra
 author = Alasdair Armstrong <>,
 	Simon Foster <mailto:simon.foster@york.ac.uk>,
 	Georg Struth <http://staffwww.dcs.shef.ac.uk/people/G.Struth/>,
 	Tjark Weber <http://user.it.uu.se/~tjawe125/>
 date = 2014-01-25
 topic = Mathematics/Algebra
 abstract = Tarski's algebra of binary relations is formalised along the lines of
 	the standard textbooks of Maddux and Schmidt and Ströhlein. This
 	includes relation-algebraic concepts such as subidentities, vectors and
 	a domain operation as well as various notions associated to functions.
 	Relation algebras are also expanded by a reflexive transitive closure
 	operation, and they are linked with Kleene algebras and models of binary
 	relations and Boolean matrices.
 notify = g.struth@sheffield.ac.uk, tjark.weber@it.uu.se
 
 [PSemigroupsConvolution]
 title = Partial Semigroups and Convolution Algebras
 author = Brijesh Dongol <mailto:brijesh.dongol@brunel.ac.uk>, Victor B. F. Gomes <mailto:victor.gomes@cl.cam.ac.uk>, Ian J. Hayes <mailto:ian.hayes@itee.uq.edu.au>, Georg Struth <mailto:g.struth@sheffield.ac.uk>
 topic = Mathematics/Algebra
 date = 2017-06-13
 notify = g.struth@sheffield.ac.uk, victor.gomes@cl.cam.ac.uk
 abstract =
    Partial Semigroups are relevant to the foundations of quantum
   mechanics and combinatorics as well as to interval and separation
   logics. Convolution algebras can be understood either as algebras of
   generalised binary modalities over ternary Kripke frames, in
   particular over partial semigroups, or as algebras of quantale-valued
   functions which are equipped with a convolution-style operation of
   multiplication that is parametrised by a ternary relation. Convolution
   algebras provide algebraic semantics for various substructural logics,
   including categorial, relevance and linear logics, for separation
   logic and for interval logics; they cover quantitative and qualitative
   applications. These mathematical components for partial semigroups and
   convolution algebras provide uniform foundations from which models of
   computation based on relations, program traces or pomsets, and
   verification components for separation or interval temporal logics can
   be built with little effort.
 
 [Secondary_Sylow]
 title = Secondary Sylow Theorems
 author = Jakob von Raumer <mailto:psxjv4@nottingham.ac.uk>
 date = 2014-01-28
 topic = Mathematics/Algebra
 abstract = These theories extend the existing proof of the first Sylow theorem
 	(written by Florian Kammueller and L. C. Paulson) by what are often
 	called the second, third and fourth Sylow theorems. These theorems
 	state propositions about the number of Sylow p-subgroups of a group
 	and the fact that they are conjugate to each other. The proofs make
 	use of an implementation of group actions and their properties.
 notify = psxjv4@nottingham.ac.uk
 
 [Jordan_Hoelder]
 title = The Jordan-Hölder Theorem
 author = Jakob von Raumer <mailto:psxjv4@nottingham.ac.uk>
 date = 2014-09-09
 topic = Mathematics/Algebra
 abstract = This submission contains theories that lead to a formalization of the proof of the Jordan-Hölder theorem about composition series of finite groups. The theories formalize the notions of isomorphism classes of groups, simple groups, normal series, composition series, maximal normal subgroups. Furthermore, they provide proofs of the second isomorphism theorem for groups, the characterization theorem for maximal normal subgroups as well as many useful lemmas about normal subgroups and factor groups. The proof is inspired by course notes of Stuart Rankin.
 notify = psxjv4@nottingham.ac.uk
 
 [Cayley_Hamilton]
 title = The Cayley-Hamilton Theorem
 author = Stephan Adelsberger <http://nm.wu.ac.at/nm/sadelsbe>,
 	Stefan Hetzl <http://www.logic.at/people/hetzl/>,
 	Florian Pollak <mailto:florian.pollak@gmail.com>
 date = 2014-09-15
 topic = Mathematics/Algebra
 abstract =
 	This document contains a proof of the Cayley-Hamilton theorem
 	based on the development of matrices in HOL/Multivariate Analysis.
 notify = stvienna@gmail.com
 
 [Probabilistic_Noninterference]
 title = Probabilistic Noninterference
 author = Andrei Popescu <http://www21.in.tum.de/~popescua>, Johannes Hölzl <http://in.tum.de/~hoelzl>
 date = 2014-03-11
 topic = Computer science/Security
 abstract = We formalize a probabilistic noninterference for a multi-threaded language with uniform scheduling, where probabilistic behaviour comes from both the scheduler and the individual threads. We define notions probabilistic noninterference in two variants: resumption-based and trace-based. For the resumption-based notions, we prove compositionality w.r.t. the language constructs and establish sound type-system-like syntactic criteria. This is a formalization of the mathematical development presented at CPP 2013 and CALCO 2013. It is the probabilistic variant of the Possibilistic Noninterference AFP entry.
 notify = hoelzl@in.tum.de
 
 [HyperCTL]
 title = A shallow embedding of HyperCTL*
 author = Markus N. Rabe <http://www.react.uni-saarland.de/people/rabe.html>, Peter Lammich <http://www21.in.tum.de/~lammich>, Andrei Popescu <http://www21.in.tum.de/~popescua>
 date = 2014-04-16
 topic = Computer science/Security, Logic/General logic/Temporal logic
 abstract = We formalize HyperCTL*, a temporal logic for expressing security properties. We
 	first define a shallow embedding of HyperCTL*, within which we prove inductive and coinductive
 	rules for the operators. Then we show that a HyperCTL* formula captures Goguen-Meseguer
 	noninterference, a landmark information flow property. We also define a deep embedding and
 	connect it to the shallow embedding by a denotational semantics, for which we prove sanity w.r.t.
 	dependence on the free variables. Finally, we show that under some finiteness assumptions about
 	the model, noninterference is given by a (finitary) syntactic formula.
 notify = uuomul@yahoo.com
 
 [Bounded_Deducibility_Security]
 title = Bounded-Deducibility Security
 author = Andrei Popescu <http://www21.in.tum.de/~popescua>, Peter Lammich <http://www21.in.tum.de/~lammich>
 date = 2014-04-22
 topic = Computer science/Security
 abstract = This is a formalization of bounded-deducibility security (BD
 	security), a flexible notion of information-flow security applicable
 	to arbitrary input-output automata. It generalizes Sutherland's
 	classic notion of nondeducibility by factoring in declassification
 	bounds and trigger, whereas nondeducibility states that, in a
 	system, information cannot flow between specified sources and sinks,
 	BD security indicates upper bounds for the flow and triggers under
 	which these upper bounds are no longer guaranteed.
 notify = uuomul@yahoo.com, lammich@in.tum.de
 
 [Network_Security_Policy_Verification]
 title = Network Security Policy Verification
 author = Cornelius Diekmann <http://net.in.tum.de/~diekmann>
 date = 2014-07-04
 topic = Computer science/Security
 abstract =
 	We present a unified theory for verifying network security policies.
 	A security policy is represented as directed graph.
 	To check high-level security goals, security invariants over the policy are
 	expressed. We cover monotonic security invariants, i.e. prohibiting more does not harm
 	security. We provide the following contributions for the security invariant theory.
 	<ul>
 	<li>Secure auto-completion of scenario-specific knowledge, which eases usability.</li>
 	<li>Security violations can be repaired by tightening the policy iff the
 	security invariants hold for the deny-all policy.</li>
 	<li>An algorithm to compute a security policy.</li>
 	<li>A formalization of stateful connection semantics in network security mechanisms.</li>
 	<li>An algorithm to compute a secure stateful implementation of a policy.</li>
 	<li>An executable implementation of all the theory.</li>
 	<li>Examples, ranging from an aircraft cabin data network to the analysis
 	of a large real-world firewall.</li>
 	<li>More examples: A fully automated translation of high-level security goals to both
 	firewall and SDN configurations (see Examples/Distributed_WebApp.thy).</li>
 	</ul>
 	For a detailed description, see
 	<ul>
 	<li>C. Diekmann, A. Korsten, and G. Carle.
 	<a href="http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/diekmann2015mansdnnfv.pdf">Demonstrating
 	topoS: Theorem-prover-based synthesis of secure network configurations.</a>
 	In 2nd International Workshop on Management of SDN and NFV Systems, manSDN/NFV, Barcelona, Spain, November 2015.</li>
 	<li>C. Diekmann, S.-A. Posselt, H. Niedermayer, H. Kinkelin, O. Hanka, and G. Carle.
 	<a href="http://www.net.in.tum.de/pub/diekmann/forte14.pdf">Verifying Security Policies using Host Attributes.</a>
 	In FORTE, 34th IFIP International Conference on Formal Techniques for Distributed Objects,
 	Components and Systems, Berlin, Germany, June 2014.</li>
 	<li>C. Diekmann, L. Hupel, and G. Carle. Directed Security Policies:
 	<a href="http://rvg.web.cse.unsw.edu.au/eptcs/paper.cgi?ESSS2014.3">A Stateful Network Implementation.</a>
 	In J. Pang and Y. Liu, editors, Engineering Safety and Security Systems,
 	volume 150 of Electronic Proceedings in Theoretical Computer Science,
 	pages 20-34, Singapore, May 2014. Open Publishing Association.</li>
 	</ul>
 extra-history =
 	Change history:
 	[2015-04-14]:
 	Added Distributed WebApp example and improved graphviz visualization
 	(revision 4dde08ca2ab8)<br>
 notify = diekmann@net.in.tum.de
 
 [Abstract_Completeness]
 title = Abstract Completeness
 author = Jasmin Christian Blanchette <http://www21.in.tum.de/~blanchet>, Andrei Popescu <http://www21.in.tum.de/~popescua>, Dmitriy Traytel <http://www21.in.tum.de/~traytel>
 date = 2014-04-16
 topic = Logic/Proof theory
 abstract = A formalization of an abstract property of possibly infinite derivation trees (modeled by a codatatype),  representing the core of a proof (in Beth/Hintikka style) of the first-order logic completeness theorem, independent of the concrete syntax or inference rules. This work is described in detail in the IJCAR 2014 publication by the authors.
 	The abstract proof can be instantiated for a wide range of Gentzen and tableau systems as well as various flavors of FOL---e.g., with or without predicates, equality, or sorts. Here, we give only a toy example instantiation with classical propositional logic. A more serious instance---many-sorted FOL with equality---is described elsewhere [Blanchette and Popescu, FroCoS 2013].
 notify = traytel@in.tum.de
 
 [Pop_Refinement]
 title = Pop-Refinement
 author = Alessandro Coglio <http://www.kestrel.edu/~coglio>
 date = 2014-07-03
 topic = Computer science/Programming languages/Misc
 abstract = Pop-refinement is an approach to stepwise refinement, carried out inside an interactive theorem prover by constructing a monotonically decreasing sequence of predicates over deeply embedded target programs. The sequence starts with a predicate that characterizes the possible implementations, and ends with a predicate that characterizes a unique program in explicit syntactic form. Pop-refinement enables more requirements (e.g. program-level and non-functional) to be captured in the initial specification and preserved through refinement. Security requirements expressed as hyperproperties (i.e. predicates over sets of traces) are always preserved by pop-refinement, unlike the popular notion of refinement as trace set inclusion. Two simple examples in Isabelle/HOL are presented, featuring program-level requirements, non-functional requirements, and hyperproperties.
 notify = coglio@kestrel.edu
 
 [VectorSpace]
 title = Vector Spaces
 author = Holden Lee <mailto:holdenl@princeton.edu>
 date = 2014-08-29
 topic = Mathematics/Algebra
 abstract = This formalisation of basic linear algebra is based completely on locales, building off HOL-Algebra. It includes basic definitions: linear combinations, span, linear independence; linear transformations; interpretation of function spaces as vector spaces; the direct sum of vector spaces, sum of subspaces; the replacement theorem; existence of bases in finite-dimensional; vector spaces, definition of dimension; the rank-nullity theorem. Some concepts are actually defined and proved for modules as they also apply there. Infinite-dimensional vector spaces are supported, but dimension is only supported for finite-dimensional vector spaces. The proofs are standard; the proofs of the replacement theorem and rank-nullity theorem roughly follow the presentation in Linear Algebra by Friedberg, Insel, and Spence. The rank-nullity theorem generalises the existing development in the Archive of Formal Proof (originally using type classes, now using a mix of type classes and locales).
 notify = holdenl@princeton.edu
 
 [Special_Function_Bounds]
 title = Real-Valued Special Functions: Upper and Lower Bounds
 author = Lawrence C. Paulson <http://www.cl.cam.ac.uk/~lp15/>
 date = 2014-08-29
 topic = Mathematics/Analysis
 abstract = This development proves upper and lower bounds for several familiar real-valued functions. For sin, cos, exp and sqrt, it defines and verifies infinite families of upper and lower bounds, mostly based on Taylor series expansions. For arctan, ln and exp, it verifies a finite collection of upper and lower bounds, originally obtained from the functions' continued fraction expansions using the computer algebra system Maple. A common theme in these proofs is to take the difference between a function and its approximation, which should be zero at one point, and then consider the sign of the derivative. The immediate purpose of this development is to verify axioms used by MetiTarski, an automatic theorem prover for real-valued special functions. Crucial to MetiTarski's operation is the provision of upper and lower bounds for each function of interest.
 notify = lp15@cam.ac.uk
 
 [Landau_Symbols]
 title = Landau Symbols
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 date = 2015-07-14
 topic = Mathematics/Analysis
 abstract = This entry provides Landau symbols to describe and reason about the asymptotic growth of functions for sufficiently large inputs. A number of simplification procedures are provided for additional convenience: cancelling of dominated terms in sums under a Landau symbol, cancelling of common factors in products, and a decision procedure for Landau expressions containing products of powers of functions like x, ln(x), ln(ln(x)) etc.
 notify = eberlm@in.tum.de
 
 [Error_Function]
 title = The Error Function
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Analysis
 date = 2018-02-06
 notify = eberlm@in.tum.de
 abstract =
   <p> This entry provides the definitions and basic properties of
   the complex and real error function erf and the complementary error
   function erfc. Additionally, it gives their full asymptotic
   expansions. </p>
 
 [Akra_Bazzi]
 title = The Akra-Bazzi theorem and the Master theorem
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 date = 2015-07-14
 topic = Mathematics/Analysis
 abstract = This article contains a formalisation of the Akra-Bazzi method
 	based on a proof by Leighton. It is a generalisation of the well-known
 	Master Theorem for analysing the complexity of Divide & Conquer algorithms.
 	We also include a generalised version of the Master theorem based on the
 	Akra-Bazzi theorem, which is easier to apply than the Akra-Bazzi theorem
 	itself.
 	<p>
 	Some proof methods that facilitate applying the Master theorem are also
 	included. For a more detailed explanation of the formalisation and the
 	proof methods, see the accompanying paper (publication forthcoming).
 notify = eberlm@in.tum.de
 
 [Dirichlet_Series]
 title = Dirichlet Series
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory
 date = 2017-10-12
 notify = eberlm@in.tum.de
 abstract =
   This entry is a formalisation of much of Chapters 2, 3, and 11 of
   Apostol's &ldquo;Introduction to Analytic Number
   Theory&rdquo;. This includes: <ul> <li>Definitions and
   basic properties for several number-theoretic functions (Euler's
   &phi;, M&ouml;bius &mu;, Liouville's &lambda;,
   the divisor function &sigma;, von Mangoldt's
   &Lambda;)</li> <li>Executable code for most of these
   functions, the most efficient implementations using the factoring
   algorithm by Thiemann <i>et al.</i></li>
   <li>Dirichlet products and formal Dirichlet series</li>
   <li>Analytic results connecting convergent formal Dirichlet
   series to complex functions</li> <li>Euler product
   expansions</li> <li>Asymptotic estimates of
   number-theoretic functions including the density of squarefree
   integers and the average number of divisors of a natural
   number</li> </ul> These results are useful as a basis for
   developing more number-theoretic results, such as the Prime Number
   Theorem.
 
 [Gauss_Sums]
 title = Gauss Sums and the Pólya–Vinogradov Inequality
 author = Rodrigo Raya <https://people.epfl.ch/rodrigo.raya>, Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory
 date = 2019-12-10
 notify = manuel.eberl@tum.de
 abstract =
   <p>This article provides a full formalisation of Chapter 8 of
   Apostol's <em><a
   href="https://www.springer.com/de/book/9780387901633">Introduction
   to Analytic Number Theory</a></em>. Subjects that are
   covered are:</p> <ul> <li>periodic arithmetic
   functions and their finite Fourier series</li>
   <li>(generalised) Ramanujan sums</li> <li>Gauss sums
   and separable characters</li> <li>induced moduli and
   primitive characters</li> <li>the
   Pólya&mdash;Vinogradov inequality</li> </ul>
 
 [Zeta_Function]
 title = The Hurwitz and Riemann ζ Functions
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory, Mathematics/Analysis
 date = 2017-10-12
 notify = eberlm@in.tum.de
 abstract =
   <p>This entry builds upon the results about formal and analytic Dirichlet
   series to define the Hurwitz &zeta; function &zeta;(<em>a</em>,<em>s</em>) and,
   based on that, the Riemann &zeta; function &zeta;(<em>s</em>).
   This is done by first defining them for &real;(<em>z</em>) > 1
   and then successively extending the domain to the left using the
   Euler&ndash;MacLaurin formula.</p>
   <p>Apart from the most basic facts such as analyticity, the following
   results are provided:</p>
   <ul>
   <li>the Stieltjes constants and the Laurent expansion of
     &zeta;(<em>s</em>) at <em>s</em> = 1</li>
   <li>the non-vanishing of &zeta;(<em>s</em>)
     for &real;(<em>z</em>) &ge; 1</li>
   <li>the relationship between &zeta;(<em>a</em>,<em>s</em>) and &Gamma;</li>
   <li>the special values at negative integers and positive even integers</li>
   <li>Hurwitz's formula and the reflection formula for &zeta;(<em>s</em>)</li>
   <li>the <a href="https://arxiv.org/abs/math/0405478">
     Hadjicostas&ndash;Chapman formula</a></li>
   </ul>
   <p>The entry also contains Euler's analytic proof of the infinitude of primes,
   based on the fact that &zeta;(<i>s</i>) has a pole at <i>s</i> = 1.</p>
 
 [Linear_Recurrences]
 title = Linear Recurrences
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Analysis
 date = 2017-10-12
 notify = eberlm@in.tum.de
 abstract =
   <p> Linear recurrences with constant coefficients are an
   interesting class of recurrence equations that can be solved
   explicitly. The most famous example are certainly the Fibonacci
   numbers with the equation <i>f</i>(<i>n</i>) =
   <i>f</i>(<i>n</i>-1) +
   <i>f</i>(<i>n</i> - 2) and the quite
   non-obvious closed form
   (<i>&phi;</i><sup><i>n</i></sup>
   -
   (-<i>&phi;</i>)<sup>-<i>n</i></sup>)
   / &radic;<span style="text-decoration:
   overline">5</span> where &phi; is the golden ratio.
   </p> <p> In this work, I build on existing tools in
   Isabelle &ndash; such as formal power series and polynomial
   factorisation algorithms &ndash; to develop a theory of these
   recurrences and derive a fully executable solver for them that can be
   exported to programming languages like Haskell. </p>
 
+[Lambert_W]
+title = The Lambert W Function on the Reals
+author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
+topic = Mathematics/Analysis
+date = 2020-04-24
+notify = eberlm@in.tum.de
+abstract =
+  <p>The Lambert <em>W</em> function is a multi-valued
+  function defined as the inverse function of <em>x</em>
+  &#x21A6; <em>x</em>
+  e<sup><em>x</em></sup>. Besides numerous
+  applications in combinatorics, physics, and engineering, it also
+  frequently occurs when solving equations containing both
+  e<sup><em>x</em></sup> and
+  <em>x</em>, or both <em>x</em> and log
+  <em>x</em>.</p> <p>This article provides a
+  definition of the two real-valued branches
+  <em>W</em><sub>0</sub>(<em>x</em>)
+  and
+  <em>W</em><sub>-1</sub>(<em>x</em>)
+  and proves various properties such as basic identities and
+  inequalities, monotonicity, differentiability, asymptotic expansions,
+  and the MacLaurin series of
+  <em>W</em><sub>0</sub>(<em>x</em>)
+  at <em>x</em> = 0.</p>
+
 [Cartan_FP]
 title = The Cartan Fixed Point Theorems
 author = Lawrence C. Paulson <http://www.cl.cam.ac.uk/~lp15/>
 date = 2016-03-08
 topic = Mathematics/Analysis
 abstract =
 	The Cartan fixed point theorems concern the group of holomorphic
 	automorphisms on a connected open set of C<sup>n</sup>. Ciolli et al.
 	have formalised the one-dimensional case of these theorems in HOL
 	Light. This entry contains their proofs, ported to Isabelle/HOL.  Thus
 	it addresses the authors' remark that "it would be important to write
 	a formal proof in a language that can be read by both humans and
 	machines".
 notify = lp15@cam.ac.uk
 
 [Gauss_Jordan]
 title = Gauss-Jordan Algorithm and Its Applications
 author = Jose Divasón <http://www.unirioja.es/cu/jodivaso>, Jesús Aransay <http://www.unirioja.es/cu/jearansa>
 topic = Computer science/Algorithms/Mathematical
 date = 2014-09-03
 abstract = The Gauss-Jordan algorithm states that any matrix over a field can be transformed by means of elementary row operations to a matrix in reduced row echelon form. The formalization is based on the Rank Nullity Theorem entry of the AFP and on the HOL-Multivariate-Analysis session of Isabelle, where matrices are represented as functions over finite types. We have set up the code generator to make this representation executable. In order to improve the performance, a refinement to immutable arrays has been carried out. We have formalized some of the applications of the Gauss-Jordan algorithm. Thanks to this development, the following facts can be computed over matrices whose elements belong to a field: Ranks, Determinants, Inverses, Bases and dimensions and Solutions of systems of linear equations. Code can be exported to SML and Haskell.
 notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es
 
 [Echelon_Form]
 title = Echelon Form
 author = Jose Divasón <http://www.unirioja.es/cu/jodivaso>, Jesús Aransay <http://www.unirioja.es/cu/jearansa>
 topic = Computer science/Algorithms/Mathematical, Mathematics/Algebra
 date = 2015-02-12
 abstract = We formalize an algorithm to compute the Echelon Form of a matrix. We have proved its existence over Bézout domains and made it executable over Euclidean domains, such as the integer ring and the univariate polynomials over a field. This allows us to compute determinants, inverses and characteristic polynomials of matrices. The work is based on the HOL-Multivariate Analysis library, and on both the Gauss-Jordan and Cayley-Hamilton AFP entries. As a by-product, some algebraic structures have been implemented (principal ideal domains, Bézout domains...). The algorithm has been refined to immutable arrays and code can be generated to functional languages as well.
 notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es
 
 [QR_Decomposition]
 title = QR Decomposition
 author = Jose Divasón <http://www.unirioja.es/cu/jodivaso>, Jesús Aransay <http://www.unirioja.es/cu/jearansa>
 topic = Computer science/Algorithms/Mathematical, Mathematics/Algebra
 date = 2015-02-12
 abstract = QR decomposition is an algorithm to decompose a real matrix A into the product of two other matrices Q and R, where Q is orthogonal and R is invertible and upper triangular. The algorithm is useful for the least squares problem; i.e., the computation of the best approximation of an unsolvable system of linear equations. As a side-product, the Gram-Schmidt process has also been formalized. A refinement using immutable arrays is presented as well. The development relies, among others, on the AFP entry "Implementing field extensions of the form Q[sqrt(b)]" by René Thiemann, which allows execution of the algorithm using symbolic computations. Verified code can be generated and executed using floats as well.
 extra-history =
 	Change history:
 	[2015-06-18]: The second part of the Fundamental Theorem of Linear Algebra has been generalized to more general inner product spaces.
 notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es
 
 [Hermite]
 title = Hermite Normal Form
 author = Jose Divasón <http://www.unirioja.es/cu/jodivaso>, Jesús Aransay <http://www.unirioja.es/cu/jearansa>
 topic = Computer science/Algorithms/Mathematical, Mathematics/Algebra
 date = 2015-07-07
 abstract = Hermite Normal Form is a canonical matrix analogue of Reduced Echelon Form, but involving matrices over more general rings. In this work we formalise an algorithm to compute the Hermite Normal Form of a matrix by means of elementary row operations, taking advantage of the Echelon Form AFP entry. We have proven the correctness of such an algorithm and refined it to immutable arrays. Furthermore, we have also formalised the uniqueness of the Hermite Normal Form of a matrix. Code can be exported and some examples of execution involving integer matrices and polynomial matrices are presented as well.
 notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es
 
 [Imperative_Insertion_Sort]
 title = Imperative Insertion Sort
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>
 date = 2014-09-25
 topic = Computer science/Algorithms
 abstract = The insertion sort algorithm of Cormen et al. (Introduction to Algorithms) is expressed in Imperative HOL and proved to be correct and terminating. For this purpose we also provide a theory about imperative loop constructs with accompanying induction/invariant rules for proving partial and total correctness. Furthermore, the formalized algorithm is fit for code generation.
 notify = lp15@cam.ac.uk
 
 [Stream_Fusion_Code]
 title = Stream Fusion in HOL with Code Generation
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>, Alexandra Maximova <mailto:amaximov@student.ethz.ch>
 date = 2014-10-10
 topic = Computer science/Functional programming
 abstract = Stream Fusion is a system for removing intermediate list data structures from functional programs, in particular Haskell. This entry adapts stream fusion to Isabelle/HOL and its code generator. We define stream types for finite and possibly infinite lists and stream versions for most of the fusible list functions in the theories List and Coinductive_List, and prove them correct with respect to the conversion functions between lists and streams. The Stream Fusion transformation itself is implemented as a simproc in the preprocessor of the code generator. [Brian Huffman's <a href="http://isa-afp.org/entries/Stream-Fusion.html">AFP entry</a> formalises stream fusion in HOLCF for the domain of lazy lists to prove the GHC compiler rewrite rules correct. In contrast, this work enables Isabelle's code generator to perform stream fusion itself. To that end, it covers both finite and coinductive lists from the HOL library and the Coinductive entry. The fusible list functions require specification and proof principles different from Huffman's.]
 notify = mail@andreas-lochbihler.de
 
 [Case_Labeling]
 title = Generating Cases from Labeled Subgoals
 author = Lars Noschinski <http://www21.in.tum.de/~noschinl/>
 date = 2015-07-21
 topic = Tools, Computer science/Programming languages/Misc
 abstract =
 	Isabelle/Isar provides named cases to structure proofs. This article
 	contains an implementation of a proof method <tt>casify</tt>, which can
 	be used to easily extend proof tools with support for named cases. Such
 	a proof tool must produce labeled subgoals, which are then interpreted
 	by <tt>casify</tt>.
 	<p>
 	As examples, this work contains verification condition generators
 	producing named cases for three languages: The Hoare language from
 	<tt>HOL/Library</tt>, a monadic language for computations with failure
 	(inspired by the AutoCorres tool), and a language of conditional
 	expressions. These VCGs are demonstrated by a number of example programs.
 notify = noschinl@gmail.com
 
 [DPT-SAT-Solver]
 title = A Fast SAT Solver for Isabelle in Standard ML
 topic = Tools
 author = Armin Heller <>
 date = 2009-12-09
 abstract = This contribution contains a fast SAT solver for Isabelle written in Standard ML. By loading the theory <tt>DPT_SAT_Solver</tt>, the SAT solver installs itself (under the name ``dptsat'') and certain Isabelle tools like Refute will start using it automatically. This is a port of the DPT (Decision Procedure Toolkit) SAT Solver written in OCaml.
 notify = jasmin.blanchette@gmail.com
 
 [Rep_Fin_Groups]
 title = Representations of Finite Groups
 topic = Mathematics/Algebra
 author = Jeremy Sylvestre <http://ualberta.ca/~jsylvest/>
 date = 2015-08-12
 abstract = We provide a formal framework for the theory of representations of finite groups, as modules over the group ring. Along the way, we develop the general theory of groups (relying on the group_add class for the basics), modules, and vector spaces, to the extent required for theory of group representations. We then provide formal proofs of several important introductory theorems in the subject, including Maschke's theorem, Schur's lemma, and Frobenius reciprocity. We also prove that every irreducible representation is isomorphic to a submodule of the group ring, leading to the fact that for a finite group there are only finitely many isomorphism classes of irreducible representations. In all of this, no restriction is made on the characteristic of the ring or field of scalars until the definition of a group representation, and then the only restriction made is that the characteristic must not divide the order of the group.
 notify = jsylvest@ualberta.ca
 
 [Noninterference_Inductive_Unwinding]
 title = The Inductive Unwinding Theorem for CSP Noninterference Security
 topic = Computer science/Security
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 date = 2015-08-18
 abstract =
 	<p>
 	The necessary and sufficient condition for CSP noninterference security stated by the Ipurge Unwinding Theorem is expressed in terms of a pair of event lists varying over the set of process traces. This does not render it suitable for the subsequent application of rule induction in the case of a process defined inductively, since rule induction may rather be applied to a single variable ranging over an inductively defined set.
 	</p><p>
 	Starting from the Ipurge Unwinding Theorem, this paper derives a necessary and sufficient condition for CSP noninterference security that involves a single event list varying over the set of process traces, and is thus suitable for rule induction; hence its name, Inductive Unwinding Theorem. Similarly to the Ipurge Unwinding Theorem, the new theorem only requires to consider individual accepted and refused events for each process trace, and applies to the general case of a possibly intransitive noninterference policy. Specific variants of this theorem are additionally proven for deterministic processes and trace set processes.
 	</p>
 notify = pasquale.noce.lavoro@gmail.com
 
 [Password_Authentication_Protocol]
 title = Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 topic = Computer science/Security
 date = 2017-01-03
 notify = pasquale.noce.lavoro@gmail.com
 abstract =
   This paper constructs a formal model of a Diffie-Hellman
   password-based authentication protocol between a user and a smart
   card, and proves its security. The protocol provides for the dispatch
   of the user's password to the smart card on a secure messaging
   channel established by means of Password Authenticated Connection
   Establishment (PACE), where the mapping method being used is Chip
   Authentication Mapping. By applying and suitably extending
   Paulson's Inductive Method, this paper proves that the protocol
   establishes trustworthy secure messaging channels, preserves the
   secrecy of users' passwords, and provides an effective mutual
   authentication service. What is more, these security properties turn
   out to hold independently of the secrecy of the PACE authentication
   key.
 
 [Jordan_Normal_Form]
 title = Matrices, Jordan Normal Forms, and Spectral Radius Theory
 topic = Mathematics/Algebra
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>, Akihisa Yamada <mailto:akihisa.yamada@uibk.ac.at>
 contributors = Alexander Bentkamp <mailto:bentkamp@gmail.com>
 date = 2015-08-21
 abstract =
 	<p>
 	Matrix interpretations are useful as measure functions in termination proving. In order to use these interpretations also for complexity analysis, the growth rate of matrix powers has to examined. Here, we formalized a central result of spectral radius theory, namely that the growth rate is polynomially bounded if and only if the spectral radius of a matrix is at most one.
 	</p><p>
 	To formally prove this result we first studied the growth rates of matrices in Jordan normal form, and prove the result that every complex matrix has a Jordan normal form using a constructive prove via Schur decomposition.
 	</p><p>
 	The whole development is based on a new abstract type for matrices, which is also executable by a suitable setup of the code generator. It completely subsumes our former AFP-entry on executable matrices, and its main advantage is its close connection to the HMA-representation which allowed us to easily adapt existing proofs on determinants.
 	</p><p>
 	All the results have been applied to improve CeTA, our certifier to validate termination and complexity proof certificates.
 	</p>
 extra-history =
 	Change history:
            [2016-01-07]: Added Schur-decomposition, Gram-Schmidt orthogonalization, uniqueness of Jordan normal forms<br/>
            [2018-04-17]: Integrated lemmas from deep-learning AFP-entry of Alexander Bentkamp
 notify = rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp
 
 [LTL_to_DRA]
 title = Converting Linear Temporal Logic to Deterministic (Generalized) Rabin Automata
 topic = Computer science/Automata and formal languages
 author = Salomon Sickert <mailto:sickert@in.tum.de>
 date = 2015-09-04
 abstract = Recently, Javier Esparza and Jan Kretinsky proposed a new method directly translating linear temporal logic (LTL) formulas to deterministic (generalized) Rabin automata. Compared to the existing approaches of constructing a non-deterministic Buechi-automaton in the first step and then applying a determinization procedure (e.g. some variant of Safra's construction) in a second step, this new approach preservers a relation between the formula and the states of the resulting automaton. While the old approach produced a monolithic structure, the new method is compositional. Furthermore, in some cases the resulting automata are much smaller than the automata generated by existing approaches. In order to ensure the correctness of the construction, this entry contains a complete formalisation and verification of the translation. Furthermore from this basis executable code is generated.
 extra-history =
 	Change history:
 	[2015-09-23]: Enable code export for the eager unfolding optimisation and reduce running time of the generated tool. Moreover, add support for the mlton SML compiler.<br>
 	[2016-03-24]: Make use of the LTL entry and include the simplifier.
 notify = sickert@in.tum.de
 
 [Timed_Automata]
 title = Timed Automata
 author = Simon Wimmer <http://in.tum.de/~wimmers>
 date = 2016-03-08
 topic = Computer science/Automata and formal languages
 abstract =
 	Timed automata are a widely used formalism for modeling real-time
 	systems, which is employed  in a class of successful model checkers
 	such as UPPAAL [LPY97], HyTech [HHWt97] or Kronos [Yov97].  This work
 	formalizes the theory for the subclass of diagonal-free timed
 	automata,  which is sufficient to model many interesting problems.  We
 	first define the basic concepts and semantics of diagonal-free timed
 	automata.  Based on this, we prove two types of decidability results
 	for the language emptiness problem.    The first is the classic result
 	of Alur and Dill [AD90, AD94],  which uses a finite partitioning of
 	the state space into so-called `regions`.    Our second result focuses
 	on an approach based on `Difference Bound Matrices (DBMs)`,  which is
 	practically used by model checkers.  We prove the correctness of the
 	basic forward analysis operations on DBMs.  One of these operations is
 	the Floyd-Warshall algorithm for the all-pairs shortest paths problem.
 	To obtain a finite search space, a widening operation has to be used
 	for this kind of analysis.  We use Patricia Bouyer's [Bou04] approach
 	to prove that this widening operation  is correct in the sense that
 	DBM-based forward analysis in combination with the widening operation
 	also decides language emptiness. The interesting property of this
 	proof is that the first  decidability result is reused to obtain the
 	second one.
 notify = wimmers@in.tum.de
 
 [Parity_Game]
 title = Positional Determinacy of Parity Games
 author = Christoph Dittmann <http://logic.las.tu-berlin.de/Members/Dittmann/>
 date = 2015-11-02
 topic = Mathematics/Games and economics, Mathematics/Graph theory
 abstract =
 	We present a formalization of parity games (a two-player game on
 	directed graphs) and a proof of their positional determinacy in
 	Isabelle/HOL.  This proof works for both finite and infinite games.
 notify =
 
 [Ergodic_Theory]
 title = Ergodic Theory
 author = Sebastien Gouezel <mailto:sebastien.gouezel@univ-rennes1.fr>
 date = 2015-12-01
 topic = Mathematics/Probability theory
 abstract = Ergodic theory is the branch of mathematics that studies the behaviour of measure preserving transformations, in finite or infinite measure. It interacts both with probability theory (mainly through measure theory) and with geometry as a lot of interesting examples are from geometric origin. We implement the first definitions and theorems of ergodic theory, including notably Poicaré recurrence theorem for finite measure preserving systems (together with the notion of conservativity in general), induced maps, Kac's theorem, Birkhoff theorem (arguably the most important theorem in ergodic theory), and variations around it such as conservativity of the corresponding skew product, or Atkinson lemma.
 notify = sebastien.gouezel@univ-rennes1.fr, hoelzl@in.tum.de
 
 [Latin_Square]
 title = Latin Square
 author = Alexander Bentkamp <mailto:bentkamp@gmail.com>
 date = 2015-12-02
 topic = Mathematics/Combinatorics
 abstract =
 	A Latin Square is a n x n table filled with integers from 1 to n where each number appears exactly once in each row and each column. A Latin Rectangle is a partially filled n x n table with r filled rows and n-r empty rows, such that each number appears at most once in each row and each column. The main result of this theory is that any Latin Rectangle can be completed to a Latin Square.
 notify = bentkamp@gmail.com
 
 [Deep_Learning]
 title = Expressiveness of Deep Learning
 author = Alexander Bentkamp <mailto:bentkamp@gmail.com>
 date = 2016-11-10
 topic = Computer science/Machine learning, Mathematics/Analysis
 abstract =
 	Deep learning has had a profound impact on computer science in recent years, with applications to search engines, image recognition and language processing, bioinformatics, and more. Recently, Cohen et al. provided theoretical evidence for the superiority of deep learning over shallow learning. This formalization of their work simplifies and generalizes the original proof, while working around the limitations of the Isabelle type system. To support the formalization, I developed reusable libraries of formalized mathematics, including results about the matrix rank, the Lebesgue measure, and multivariate polynomials, as well as a library for tensor analysis.
 notify = bentkamp@gmail.com
 
 [Applicative_Lifting]
 title = Applicative Lifting
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>, Joshua Schneider <>
 date = 2015-12-22
 topic = Computer science/Functional programming
 abstract = Applicative functors augment computations with effects by lifting function application to types which model the effects.  As the structure of the computation cannot depend on the effects, applicative expressions can be analysed statically.  This allows us to lift universally quantified equations to the effectful types, as observed by Hinze. Thus, equational reasoning over effectful computations can be reduced to pure types.
 	</p><p>
 	This entry provides a package for registering applicative functors and two proof methods for lifting of equations over applicative functors. The first method normalises applicative expressions according to the laws of applicative functors. This way, equations whose two sides contain the same list of variables can be lifted to every applicative functor.
 	</p><p>
 	To lift larger classes of equations, the second method exploits a number of additional properties (e.g., commutativity of effects) provided the properties have been declared for the concrete applicative functor at hand upon registration.
 	</p><p>
 	We declare several types from the Isabelle library as applicative functors and illustrate the use of the methods with two examples: the lifting of the arithmetic type class hierarchy to streams and the verification of a relabelling function on binary trees. We also formalise and verify the normalisation algorithm used by the first proof method.
 	</p>
 extra-history =
 	Change history:
 	[2016-03-03]: added formalisation of lifting with combinators<br>
 	[2016-06-10]:
 	implemented automatic derivation of lifted combinator reductions;
 	support arbitrary lifted relations using relators;
 	improved compatibility with locale interpretation
 	(revision ec336f354f37)<br>
 notify = mail@andreas-lochbihler.de
 
 [Stern_Brocot]
 title = The Stern-Brocot Tree
 author = Peter Gammie <http://peteg.org>, Andreas Lochbihler <http://www.andreas-lochbihler.de>
 date = 2015-12-22
 topic = Mathematics/Number theory
 abstract = The Stern-Brocot tree contains all rational numbers exactly once and in their lowest terms.  We formalise the Stern-Brocot tree as a coinductive tree using recursive and iterative specifications, which we have proven equivalent, and show that it indeed contains all the numbers as stated.  Following Hinze, we prove that the Stern-Brocot tree can be linearised looplessly into Stern's diatonic sequence (also known as Dijkstra's fusc function) and that it is a permutation of the Bird tree.
 	</p><p>
 	The reasoning stays at an abstract level by appealing to the uniqueness of solutions of guarded recursive equations and lifting algebraic laws point-wise to trees and streams using applicative functors.
 	</p>
 notify = mail@andreas-lochbihler.de
 
 [Algebraic_Numbers]
 title = Algebraic Numbers in Isabelle/HOL
 topic = Mathematics/Algebra
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>, Akihisa Yamada <mailto:akihisa.yamada@uibk.ac.at>, Sebastiaan Joosten <mailto:sebastiaan.joosten@uibk.ac.at>
 date = 2015-12-22
 abstract = Based on existing libraries for matrices, factorization of rational polynomials, and Sturm's theorem, we formalized algebraic numbers in Isabelle/HOL. Our development serves as an implementation for real and complex numbers, and it admits to compute roots and completely factorize real and complex polynomials, provided that all coefficients are rational numbers. Moreover, we provide two implementations to display algebraic numbers, an injective and expensive one, or a faster but approximative version.
 	</p><p>
 	To this end, we mechanized several results on resultants, which also required us to prove that polynomials over a unique factorization domain form again a unique factorization domain.
 	</p>
 extra-history =
 	Change history:
 	[2016-01-29]: Split off Polynomial Interpolation and Polynomial Factorization<br>
 	[2017-04-16]: Use certified Berlekamp-Zassenhaus factorization, use subresultant algorithm for computing resultants, improved bisection algorithm
 notify = rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp, sebastiaan.joosten@uibk.ac.at
 
 [Polynomial_Interpolation]
 title = Polynomial Interpolation
 topic = Mathematics/Algebra
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>, Akihisa Yamada <mailto:akihisa.yamada@uibk.ac.at>
 date = 2016-01-29
 abstract =
 	We formalized three algorithms for polynomial interpolation over arbitrary
 	fields: Lagrange's explicit expression, the recursive algorithm of Neville
 	and Aitken, and the Newton interpolation in combination with an efficient
 	implementation of divided differences.  Variants of these algorithms for
 	integer polynomials are also available, where sometimes the interpolation
 	can fail; e.g., there is no linear integer polynomial <i>p</i> such that
 	<i>p(0) = 0</i> and <i>p(2) = 1</i>. Moreover, for the Newton interpolation
 	for integer polynomials, we proved that all intermediate results that are
 	computed during the algorithm must be integers.  This admits an early
 	failure detection in the implementation.  Finally, we proved the uniqueness
 	of polynomial interpolation.
 	<p>
 	The development also contains improved code equations to speed up the
 	division of integers in target languages.
 notify = rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp
 
 [Polynomial_Factorization]
 title = Polynomial Factorization
 topic = Mathematics/Algebra
 author = René Thiemann <mailto:rene.thiemann@uibk.ac.at>, Akihisa Yamada <mailto:akihisa.yamada@uibk.ac.at>
 date = 2016-01-29
 abstract =
 	Based on existing libraries for polynomial interpolation and matrices,
 	we formalized several factorization algorithms for polynomials, including
 	Kronecker's algorithm for integer polynomials,
 	Yun's square-free factorization algorithm for field polynomials, and
 	Berlekamp's algorithm for polynomials over finite fields.
 	By combining the last one with Hensel's lifting,
 	we derive an efficient factorization algorithm for the integer polynomials,
 	which is then lifted for rational polynomials by mechanizing Gauss' lemma.
 	Finally, we assembled a combined factorization algorithm for rational polynomials,
 	which combines all the mentioned algorithms and additionally uses the explicit formula for roots
 	of quadratic polynomials and a rational root test.
 	<p>
 	As side products, we developed division algorithms for polynomials over integral domains,
 	as well as primality-testing and prime-factorization algorithms for integers.
 notify = rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp
 
 [Perron_Frobenius]
 title = Perron-Frobenius Theorem for Spectral Radius Analysis
 author = Jose Divasón <http://www.unirioja.es/cu/jodivaso>, Ondřej Kunčar <http://www21.in.tum.de/~kuncar/>, René Thiemann <mailto:rene.thiemann@uibk.ac.at>, Akihisa Yamada <mailto:akihisa.yamada@uibk.ac.at>
 notify = rene.thiemann@uibk.ac.at
 date = 2016-05-20
 topic = Mathematics/Algebra
 abstract =
 	<p>The spectral radius of a matrix A is the maximum norm of all
 	eigenvalues of A. In previous work we already formalized that for a
 	complex matrix A, the values in A<sup>n</sup> grow polynomially in n
 	if and only if the spectral radius is at most one. One problem with
 	the above characterization is the determination of all
 	<em>complex</em> eigenvalues. In case A contains only non-negative
 	real values, a simplification is possible with the help of the
 	Perron&ndash;Frobenius theorem, which tells us that it suffices to consider only
 	the <em>real</em> eigenvalues of A, i.e., applying Sturm's method can
 	decide the polynomial growth of A<sup>n</sup>. </p><p> We formalize
 	the Perron&ndash;Frobenius theorem based on a proof via Brouwer's fixpoint
 	theorem, which is available in the HOL multivariate analysis (HMA)
 	library. Since the results on the spectral radius is based on matrices
 	in the Jordan normal form (JNF) library, we further develop a
 	connection which allows us to easily transfer theorems between HMA and
 	JNF. With this connection we derive the combined result: if A is a
 	non-negative real matrix, and no real eigenvalue of A is strictly
 	larger than one, then A<sup>n</sup> is polynomially bounded in n. </p>
 extra-history =
         Change history:
         [2017-10-18]:
         added Perron-Frobenius theorem for irreducible matrices with generalization
         (revision bda1f1ce8a1c)<br/>
         [2018-05-17]:
         prove conjecture of CPP'18 paper: Jordan blocks of spectral radius have maximum size
         (revision ffdb3794e5d5)
 
 [Stochastic_Matrices]
 title = Stochastic Matrices and the Perron-Frobenius Theorem
 author = René Thiemann <http://cl-informatik.uibk.ac.at/~thiemann>
 topic = Mathematics/Algebra, Computer science/Automata and formal languages
 date = 2017-11-22
 notify = rene.thiemann@uibk.ac.at
 abstract =
   Stochastic matrices are a convenient way to model discrete-time and
   finite state Markov chains. The Perron&ndash;Frobenius theorem
   tells us something about the existence and uniqueness of non-negative
   eigenvectors of a stochastic matrix.  In this entry, we formalize
   stochastic matrices, link the formalization to the existing AFP-entry
   on Markov chains, and apply the Perron&ndash;Frobenius theorem to
   prove that stationary distributions always exist, and they are unique
   if the stochastic matrix is irreducible.
 
 [Formal_SSA]
 title = Verified Construction of Static Single Assignment Form
 author = Sebastian Ullrich <mailto:sebasti@nullri.ch>, Denis Lohner <http://pp.ipd.kit.edu/person.php?id=88>
 date = 2016-02-05
 topic = Computer science/Algorithms, Computer science/Programming languages/Transformations
 abstract =
 	<p>
 	We define a functional variant of the static single assignment (SSA)
 	form construction algorithm described by <a
 	href="https://doi.org/10.1007/978-3-642-37051-9_6">Braun et al.</a>,
 	which combines simplicity and efficiency. The definition is based on a
 	general, abstract control flow graph representation using Isabelle locales.
 	</p>
 	<p>
 	We prove that the algorithm's output is semantically equivalent to the
 	input according to a small-step semantics, and that it is in minimal SSA
 	form for the common special case of reducible inputs. We then show the
 	satisfiability of the locale assumptions by giving instantiations for a
 	simple While language.
 	</p>
 	<p>
 	Furthermore, we use a generic instantiation based on typedefs in order
 	to extract OCaml code and replace the unverified SSA construction
 	algorithm of the <a href="https://doi.org/10.1145/2579080">CompCertSSA
 	project</a> with it.
 	</p>
 	<p>
 	A more detailed description of the verified SSA construction can be found
 	in the paper <a href="https://doi.org/10.1145/2892208.2892211">Verified
 	Construction of Static Single Assignment Form</a>, CC 2016.
 	</p>
 notify = denis.lohner@kit.edu
 
 [Minimal_SSA]
 title = Minimal Static Single Assignment Form
 author = Max Wagner <mailto:max@trollbu.de>, Denis Lohner <http://pp.ipd.kit.edu/person.php?id=88>
 topic = Computer science/Programming languages/Transformations
 date = 2017-01-17
 notify = denis.lohner@kit.edu
 abstract =
   <p>This formalization is an extension to <a
   href="https://www.isa-afp.org/entries/Formal_SSA.html">"Verified
   Construction of Static Single Assignment Form"</a>. In
   their work, the authors have shown that <a
   href="https://doi.org/10.1007/978-3-642-37051-9_6">Braun
   et al.'s static single assignment (SSA) construction
   algorithm</a> produces minimal SSA form for input programs with
   a reducible control flow graph (CFG). However Braun et al. also
   proposed an extension to their algorithm that they claim produces
   minimal SSA form even for irreducible CFGs.<br> In this
   formalization we support that claim by giving a mechanized proof.
   </p>
   <p>As the extension of Braun et al.'s algorithm
   aims for removing so-called redundant strongly connected components of
   phi functions, we show that this suffices to guarantee minimality
   according to <a href="https://doi.org/10.1145/115372.115320">Cytron et
   al.</a>.</p>
 
 [PropResPI]
 title = Propositional Resolution and Prime Implicates Generation
 author = Nicolas Peltier <http://membres-lig.imag.fr/peltier/>
 notify = Nicolas.Peltier@imag.fr
 date = 2016-03-11
 topic = Logic/General logic/Mechanization of proofs
 abstract =
 	We provide formal proofs in Isabelle-HOL (using mostly structured Isar
 	proofs) of the soundness and completeness of the Resolution rule in
 	propositional logic.  The completeness proofs take into account the
 	usual redundancy elimination rules (tautology elimination and
 	subsumption), and several refinements of the Resolution rule are
 	considered: ordered resolution (with selection functions), positive
 	and negative resolution, semantic resolution and unit resolution (the
 	latter refinement is complete only for clause sets that are Horn-
 	renamable). We also define a concrete procedure for computing
 	saturated sets and establish its soundness and completeness. The
 	clause sets are not assumed to be finite, so that the results can be
 	applied to formulas obtained by grounding sets of first-order clauses
 	(however, a total ordering among atoms is assumed to be given).
 	Next, we show that the unrestricted Resolution rule is deductive-
 	complete, in the sense that it is able to generate all  (prime)
 	implicates of any set of propositional clauses (i.e., all entailment-
 	minimal, non-valid, clausal consequences of the considered set). The
 	generation of prime implicates is an important problem, with many
 	applications in artificial intelligence and verification (for
 	abductive reasoning, knowledge compilation, diagnosis, debugging
 	etc.). We also show that implicates can be computed in an incremental
 	way, by fixing an ordering among all the atoms in the considered sets
 	and resolving upon these atoms one by one in the considered order
 	(with no backtracking). This feature is critical for the efficient
 	computation of prime implicates. Building on these results, we provide
 	a procedure for computing such implicates and establish its soundness
 	and completeness.
 
 [SuperCalc]
 title = A Variant of the Superposition Calculus
 author = Nicolas Peltier <http://membres-lig.imag.fr/peltier/>
 notify = Nicolas.Peltier@imag.fr
 date = 2016-09-06
 topic = Logic/Proof theory
 abstract =
 	We provide a formalization of a variant of the superposition
 	calculus, together with formal proofs of soundness and refutational
 	completeness (w.r.t. the usual redundancy criteria based on clause
 	ordering). This version of the calculus uses all the standard
 	restrictions of the superposition rules, together with the following
 	refinement, inspired by the basic superposition calculus: each clause
 	is associated with a set of terms which are assumed to be in normal
 	form -- thus any application of the replacement rule on these terms is
 	blocked. The set is initially empty and terms may be added or removed
 	at each inference step. The set of terms that are assumed to be in
 	normal form includes any term introduced by previous unifiers as well
 	as any term occurring in the parent clauses at a position that is
 	smaller (according to some given ordering on positions) than a
 	previously replaced term. The standard superposition calculus
 	corresponds to the case where the set of irreducible terms is always
 	empty.
 
 [Nominal2]
 title = Nominal 2
 author = Christian Urban <http://www.inf.kcl.ac.uk/staff/urbanc/>, Stefan Berghofer <http://www.in.tum.de/~berghofe>, Cezary Kaliszyk <http://cl-informatik.uibk.ac.at/users/cek/>
 date = 2013-02-21
 topic = Tools
 abstract =
 	<p>Dealing with binders, renaming of bound variables, capture-avoiding
 	substitution, etc., is very often a major problem in formal
 	proofs, especially in proofs by structural and rule
 	induction. Nominal Isabelle is designed to make such proofs easy to
 	formalise: it provides an infrastructure for declaring nominal
 	datatypes (that is alpha-equivalence classes) and for defining
 	functions over them by structural recursion. It also provides
 	induction principles that have Barendregt’s variable convention
 	already built in.
 	</p><p>
 	This entry can be used as a more advanced replacement for
 	HOL/Nominal in the Isabelle distribution.
 	</p>
 notify = christian.urban@kcl.ac.uk
 
 [First_Welfare_Theorem]
 title = Microeconomics and the First Welfare Theorem
 author = Julian Parsert <mailto:julian.parsert@gmail.com>, Cezary Kaliszyk<http://cl-informatik.uibk.ac.at/users/cek/>
 topic = Mathematics/Games and economics
 license = LGPL
 date = 2017-09-01
 notify = julian.parsert@uibk.ac.at, cezary.kaliszyk@uibk.ac.at
 abstract =
   Economic activity has always been a fundamental part of society. Due
   to modern day politics, economic theory has gained even more influence
   on our lives. Thus we want models and theories to be as precise as
   possible. This can be achieved using certification with the help of
   formal proof technology. Hence we will use Isabelle/HOL to construct
   two economic models, that of the the pure exchange economy and a
   version of the Arrow-Debreu Model. We will prove that the
   <i>First Theorem of Welfare Economics</i> holds within
   both. The theorem is the mathematical formulation of Adam Smith's
   famous <i>invisible hand</i> and states that a group of
   self-interested and rational actors will eventually achieve an
   efficient allocation of goods and services.
 extra-history =
 	Change history:
 	[2018-06-17]: Added some lemmas and a theory file, also introduced Microeconomics folder.
 	<br>
 
 [Noninterference_Sequential_Composition]
 title = Conservation of CSP Noninterference Security under Sequential Composition
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 date = 2016-04-26
 topic = Computer science/Security, Computer science/Concurrency/Process calculi
 abstract =
 	<p>In his outstanding work on Communicating Sequential Processes, Hoare
 	has defined two fundamental binary operations allowing to compose the
 	input processes into another, typically more complex, process:
 	sequential composition and concurrent composition. Particularly, the
 	output of the former operation is a process that initially behaves
 	like the first operand, and then like the second operand once the
 	execution of the first one has terminated successfully, as long as it
 	does.</p>
 	<p>This paper formalizes Hoare's definition of sequential
 	composition and proves, in the general case of a possibly intransitive
 	policy, that CSP noninterference security is conserved under this
 	operation, provided that successful termination cannot be affected by
 	confidential events and cannot occur as an alternative to other events
 	in the traces of the first operand. Both of these assumptions are
 	shown, by means of counterexamples, to be necessary for the theorem to
 	hold.</p>
 notify = pasquale.noce.lavoro@gmail.com
 
 [Noninterference_Concurrent_Composition]
 title = Conservation of CSP Noninterference Security under Concurrent Composition
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 notify = pasquale.noce.lavoro@gmail.com
 date = 2016-06-13
 topic = Computer science/Security, Computer science/Concurrency/Process calculi
 abstract =
 	<p>In his outstanding work on Communicating Sequential Processes,
 	Hoare has defined two fundamental binary operations allowing to
 	compose the input processes into another, typically more complex,
 	process: sequential composition and concurrent composition.
 	Particularly, the output of the latter operation is a process in which
 	any event not shared by both operands can occur whenever the operand
 	that admits the event can engage in it, whereas any event shared by
 	both operands can occur just in case both can engage in it.</p>
 	<p>This paper formalizes Hoare's definition of concurrent composition
 	and proves, in the general case of a possibly intransitive policy,
 	that CSP noninterference security is conserved under this operation.
 	This result, along with the previous analogous one concerning
 	sequential composition, enables the construction of more and more
 	complex processes enforcing noninterference security by composing,
 	sequentially or concurrently, simpler secure processes, whose security
 	can in turn be proven using either the definition of security, or
 	unwinding theorems.</p>
 
 [ROBDD]
 title = Algorithms for Reduced Ordered Binary Decision Diagrams
 author = Julius Michaelis <http://liftm.de>, Maximilian Haslbeck <http://cl-informatik.uibk.ac.at/users/mhaslbeck//>, Peter Lammich <http://www21.in.tum.de/~lammich>, Lars Hupel <https://www21.in.tum.de/~hupel/>
 date = 2016-04-27
 topic = Computer science/Algorithms, Computer science/Data structures
 abstract =
 	We present a verified and executable implementation of ROBDDs in
 	Isabelle/HOL. Our implementation relates pointer-based computation in
 	the Heap monad to operations on an abstract definition of boolean
 	functions. Internally, we implemented the if-then-else combinator in a
 	recursive fashion, following the Shannon decomposition of the argument
 	functions. The implementation mixes and adapts known techniques and is
 	built with efficiency in mind.
 notify = bdd@liftm.de, haslbecm@in.tum.de
 
 [No_FTL_observers]
 title = No Faster-Than-Light Observers
 author = Mike Stannett <mailto:m.stannett@sheffield.ac.uk>, István Németi <http://www.renyi.hu/~nemeti/>
 date = 2016-04-28
 topic = Mathematics/Physics
 abstract =
 	We provide a formal proof within First Order Relativity Theory that no
 	observer can travel faster than the speed of light. Originally
 	reported in Stannett & Németi (2014) "Using Isabelle/HOL to verify
 	first-order relativity theory", Journal of Automated Reasoning 52(4),
 	pp. 361-378.
 notify = m.stannett@sheffield.ac.uk
 
 [Groebner_Bases]
 title = Gröbner Bases Theory
 author = Fabian Immler <http://www21.in.tum.de/~immler>, Alexander Maletzky <https://risc.jku.at/m/alexander-maletzky/>
 date = 2016-05-02
 topic = Mathematics/Algebra, Computer science/Algorithms/Mathematical
 abstract =
 	This formalization is concerned with the theory of Gröbner bases in
 	(commutative) multivariate polynomial rings over fields, originally
 	developed by Buchberger in his 1965 PhD thesis. Apart from the
 	statement and proof of the main theorem of the theory, the
 	formalization also implements Buchberger's algorithm for actually
 	computing Gröbner bases as a tail-recursive function, thus allowing to
 	effectively decide ideal membership in finitely generated polynomial
 	ideals. Furthermore, all functions can be executed on a concrete
 	representation of multivariate polynomials as association lists.
 extra-history =
 	Change history:
 	[2019-04-18]: Specialized Gröbner bases to less abstract representation of polynomials, where
 	power-products are represented as polynomial mappings.<br>
 notify = alexander.maletzky@risc.jku.at
 
 [Nullstellensatz]
 title = Hilbert's Nullstellensatz
 author = Alexander Maletzky <https://risc.jku.at/m/alexander-maletzky/>
 topic = Mathematics/Algebra, Mathematics/Geometry
 date = 2019-06-16
 notify = alexander.maletzky@risc-software.at
 abstract =
   This entry formalizes Hilbert's Nullstellensatz, an important
   theorem in algebraic geometry that can be viewed as the generalization
   of the Fundamental Theorem of Algebra to multivariate polynomials: If
   a set of (multivariate) polynomials over an algebraically closed field
   has no common zero, then the ideal it generates is the entire
   polynomial ring. The formalization proves several equivalent versions
   of this celebrated theorem: the weak Nullstellensatz, the strong
   Nullstellensatz (connecting algebraic varieties and radical ideals),
   and the field-theoretic Nullstellensatz. The formalization follows
   Chapter 4.1. of <a
   href="https://link.springer.com/book/10.1007/978-0-387-35651-8">Ideals,
   Varieties, and Algorithms</a> by Cox, Little and O'Shea.
 
 [Bell_Numbers_Spivey]
 title = Spivey's Generalized Recurrence for Bell Numbers
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 date = 2016-05-04
 topic = Mathematics/Combinatorics
 abstract =
 	This entry defines the Bell numbers as the cardinality of set partitions for
 	a carrier set of given size, and derives Spivey's generalized recurrence
 	relation for Bell numbers following his elegant and intuitive combinatorial
 	proof.
 	<p>
 	As the set construction for the combinatorial proof requires construction of
 	three intermediate structures, the main difficulty of the formalization is
 	handling the overall combinatorial argument in a structured way.
 	The introduced proof structure allows us to compose the combinatorial argument
 	from its subparts, and supports to keep track how the detailed proof steps are
 	related to the overall argument. To obtain this structure, this entry uses set
 	monad notation for the set construction's definition, introduces suitable
 	predicates and rules, and follows a repeating structure in its Isar proof.
 notify = lukas.bulwahn@gmail.com
 
 [Randomised_Social_Choice]
 title = Randomised Social Choice Theory
 author = Manuel Eberl <mailto:eberlm@in.tum.de>
 date = 2016-05-05
 topic = Mathematics/Games and economics
 abstract =
 	This work contains a formalisation of basic Randomised Social Choice,
 	including Stochastic Dominance and Social Decision Schemes (SDSs)
 	along with some of their most important properties (Anonymity,
 	Neutrality, ex-post- and SD-Efficiency, SD-Strategy-Proofness) and two
 	particular SDSs – Random Dictatorship and Random Serial Dictatorship
 	(with proofs of the properties that they satisfy). Many important
 	properties of these concepts are also proven – such as the two
 	equivalent characterisations of Stochastic Dominance and the fact that
 	SD-efficiency of a lottery only depends on the support.  The entry
 	also provides convenient commands to define Preference Profiles, prove
 	their well-formedness, and automatically derive restrictions that
 	sufficiently nice SDSs need to satisfy on the defined profiles.
 	Currently, the formalisation focuses on weak preferences and
 	Stochastic Dominance, but it should be easy to extend it to other
 	domains – such as strict preferences – or other lottery extensions –
 	such as Bilinear Dominance or Pairwise Comparison.
 notify = eberlm@in.tum.de
 
 [SDS_Impossibility]
 title = The Incompatibility of SD-Efficiency and SD-Strategy-Proofness
 author = Manuel Eberl <mailto:eberlm@in.tum.de>
 date = 2016-05-04
 topic = Mathematics/Games and economics
 abstract =
 	This formalisation contains the proof that there is no anonymous and
 	neutral Social Decision Scheme for at least four voters and
 	alternatives that fulfils both SD-Efficiency and SD-Strategy-
 	Proofness. The proof is a fully structured and quasi-human-redable
 	one. It was derived from the (unstructured) SMT proof of the case for
 	exactly four voters and alternatives by Brandl et al.  Their proof
 	relies on an unverified translation of the original problem to SMT,
 	and the proof that lifts the argument for exactly four voters and
 	alternatives to the general case is also not machine-checked.  In this
 	Isabelle proof, on the other hand, all of these steps are  fully
 	proven and machine-checked. This is particularly important seeing as a
 	previously published informal proof of a weaker statement contained a
 	mistake in precisely this lifting step.
 notify = eberlm@in.tum.de
 
 [Median_Of_Medians_Selection]
 title = The Median-of-Medians Selection Algorithm
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Computer science/Algorithms
 date = 2017-12-21
 notify = eberlm@in.tum.de
 abstract =
   <p>This entry provides an executable functional implementation
   of the Median-of-Medians algorithm for selecting the
   <em>k</em>-th smallest element of an unsorted list
   deterministically in linear time. The size bounds for the recursive
   call that lead to the linear upper bound on the run-time of the
   algorithm are also proven. </p>
 
 [Mason_Stothers]
 title = The Mason–Stothers Theorem
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Algebra
 date = 2017-12-21
 notify = eberlm@in.tum.de
 abstract =
   <p>This article provides a formalisation of Snyder’s simple and
   elegant proof of the Mason&ndash;Stothers theorem, which is the
   polynomial analogue of the famous abc Conjecture for integers.
   Remarkably, Snyder found this very elegant proof when he was still a
   high-school student.</p> <p>In short, the statement of the
   theorem is that three non-zero coprime polynomials
   <em>A</em>, <em>B</em>, <em>C</em>
   over a field which sum to 0 and do not all have vanishing derivatives
   fulfil max{deg(<em>A</em>), deg(<em>B</em>),
   deg(<em>C</em>)} < deg(rad(<em>ABC</em>))
   where the rad(<em>P</em>) denotes the
   <em>radical</em> of <em>P</em>,
   i.&thinsp;e. the product of all unique irreducible factors of
   <em>P</em>.</p> <p>This theorem also implies a
   kind of polynomial analogue of Fermat’s Last Theorem for polynomials:
   except for trivial cases,
   <em>A<sup>n</sup></em> +
   <em>B<sup>n</sup></em> +
   <em>C<sup>n</sup></em> = 0 implies
   n&nbsp;&le;&nbsp;2 for coprime polynomials
   <em>A</em>, <em>B</em>, <em>C</em>
   over a field.</em></p>
 
 [FLP]
 title = A Constructive Proof for FLP
 author = Benjamin Bisping <mailto:benjamin.bisping@campus.tu-berlin.de>,  Paul-David Brodmann <mailto:p.brodmann@tu-berlin.de>,  Tim Jungnickel <mailto:tim.jungnickel@tu-berlin.de>,  Christina Rickmann <mailto:c.rickmann@tu-berlin.de>,  Henning Seidler <mailto:henning.seidler@mailbox.tu-berlin.de>,  Anke Stüber <mailto:anke.stueber@campus.tu-berlin.de>, Arno Wilhelm-Weidner <mailto:arno.wilhelm-weidner@tu-berlin.de>,  Kirstin Peters <mailto:kirstin.peters@tu-berlin.de>,  Uwe Nestmann <https://www.mtv.tu-berlin.de/nestmann/>
 date = 2016-05-18
 topic = Computer science/Concurrency
 abstract =
 	The impossibility of distributed consensus with one faulty process is
 	a result with important consequences for real world distributed
 	systems e.g., commits in replicated databases. Since proofs are not
 	immune to faults and even plausible proofs with a profound formalism
 	can conclude wrong results, we validate the fundamental result named
 	FLP after Fischer, Lynch and Paterson.
 	We present a formalization of distributed systems
 	and the aforementioned consensus problem. Our proof is based on Hagen
 	Völzer's paper "A constructive proof for FLP". In addition to the
 	enhanced confidence in the validity of Völzer's proof, we contribute
 	the missing gaps to show the correctness in Isabelle/HOL. We clarify
 	the proof details and even prove fairness of the infinite execution
 	that contradicts consensus. Our Isabelle formalization can also be
 	reused for further proofs of properties of distributed systems.
 notify = henning.seidler@mailbox.tu-berlin.de
 
 [IMAP-CRDT]
 title = The IMAP CmRDT
 author = Tim Jungnickel <mailto:tim.jungnickel@tu-berlin.de>, Lennart Oldenburg <>, Matthias Loibl <>
 topic = Computer science/Algorithms/Distributed, Computer science/Data structures
 date = 2017-11-09
 notify = tim.jungnickel@tu-berlin.de
 abstract =
   We provide our Isabelle/HOL formalization of a Conflict-free
   Replicated Datatype for Internet Message Access Protocol commands.
   We show that Strong Eventual Consistency (SEC) is guaranteed
   by proving the commutativity of concurrent operations. We base our
   formalization on the recently proposed "framework for
   establishing Strong Eventual Consistency for Conflict-free Replicated
   Datatypes" (AFP.CRDT) from Gomes et al. Hence, we provide an
   additional example of how the recently proposed framework can be used
   to design and prove CRDTs.
 
 [Incredible_Proof_Machine]
 title = The meta theory of the Incredible Proof Machine
 author = Joachim Breitner <http://pp.ipd.kit.edu/~breitner>, Denis Lohner <http://pp.ipd.kit.edu/person.php?id=88>
 date = 2016-05-20
 topic = Logic/Proof theory
 abstract =
 	The <a href="http://incredible.pm">Incredible Proof Machine</a> is an
 	interactive visual theorem prover which represents proofs as port
 	graphs. We model this proof representation in Isabelle, and prove that
 	it is just as powerful as natural deduction.
 notify = mail@joachim-breitner.de
 
 [Word_Lib]
 title = Finite Machine Word Library
 author = Joel Beeren<>, Matthew Fernandez<>, Xin Gao<>, Gerwin Klein <http://www.cse.unsw.edu.au/~kleing/>, Rafal Kolanski<>, Japheth Lim<>, Corey Lewis<>, Daniel Matichuk<>, Thomas Sewell<>
 notify = kleing@unsw.edu.au
 date = 2016-06-09
 topic = Computer science/Data structures
 abstract =
 	This entry contains an extension to the Isabelle library for
 	fixed-width machine words. In particular, the entry adds quickcheck setup
 	for words, printing as hexadecimals, additional operations, reasoning
 	about alignment, signed words, enumerations of words, normalisation of
 	word numerals, and an extensive library of properties about generic
 	fixed-width words, as well as an instantiation of many of these to the
 	commonly used 32 and 64-bit bases.
 
 [Catalan_Numbers]
 title = Catalan Numbers
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 notify = eberlm@in.tum.de
 date = 2016-06-21
 topic = Mathematics/Combinatorics
 abstract =
 	<p>In this work, we define the Catalan numbers <em>C<sub>n</sub></em>
 	and prove several equivalent definitions (including some closed-form
 	formulae). We also show one of their applications (counting the number
 	of binary trees of size <em>n</em>), prove the asymptotic growth
 	approximation <em>C<sub>n</sub> &sim; 4<sup>n</sup> / (&radic;<span
 	style="text-decoration: overline">&pi;</span> &middot;
 	n<sup>1.5</sup>)</em>, and provide reasonably efficient executable
 	code to compute them.</p>  <p>The derivation of the closed-form
 	formulae uses algebraic manipulations of the ordinary generating
 	function of the Catalan numbers, and the asymptotic approximation is
 	then done using generalised binomial coefficients and the Gamma
 	function. Thanks to these highly non-elementary mathematical tools,
 	the proofs are very short and simple.</p>
 
 [Fisher_Yates]
 title = Fisher–Yates shuffle
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 notify = eberlm@in.tum.de
 date = 2016-09-30
 topic = Computer science/Algorithms
 abstract =
 	<p>This work defines and proves the correctness of the Fisher–Yates
 	algorithm for shuffling – i.e. producing a random permutation – of a
 	list. The algorithm proceeds by traversing the list and in
 	each step swapping the current element with a random element from the
 	remaining list.</p>
 
 [Bertrands_Postulate]
 title = Bertrand's postulate
 author = Julian Biendarra<>, Manuel Eberl <https://www21.in.tum.de/~eberlm>
 contributors = Lawrence C. Paulson <http://www.cl.cam.ac.uk/~lp15/>
 topic = Mathematics/Number theory
 date = 2017-01-17
 notify = eberlm@in.tum.de
 abstract =
   <p>Bertrand's postulate is an early result on the
   distribution of prime numbers: For every positive integer n, there
   exists a prime number that lies strictly between n and 2n.
   The proof is ported from John Harrison's formalisation
   in HOL Light. It proceeds by first showing that the property is true
   for all n greater than or equal to 600 and then showing that it also
   holds for all n below 600 by case distinction. </p>
 
 [Rewriting_Z]
 title = The Z Property
 author = Bertram Felgenhauer<>, Julian Nagele<>, Vincent van Oostrom<>, Christian Sternagel <mailto:c.sternagel@gmail.com>
 notify = bertram.felgenhauer@uibk.ac.at, julian.nagele@uibk.ac.at, c.sternagel@gmail.com
 date = 2016-06-30
 topic = Logic/Rewriting
 abstract =
 	We formalize the Z property introduced by Dehornoy and van Oostrom.
 	First we show that for any abstract rewrite system, Z implies
 	confluence. Then we give two examples of proofs using Z: confluence of
 	lambda-calculus with respect to beta-reduction and confluence of
 	combinatory logic.
 
 [Resolution_FOL]
 title = The Resolution Calculus for First-Order Logic
 author = Anders Schlichtkrull <https://people.compute.dtu.dk/andschl/>
 notify = andschl@dtu.dk
 date = 2016-06-30
 topic = Logic/General logic/Mechanization of proofs
 abstract =
 	This theory is a formalization of the resolution calculus for
 	first-order logic. It is proven sound and complete. The soundness
 	proof uses the substitution lemma, which shows a correspondence
 	between substitutions and updates to an environment. The completeness
 	proof uses semantic trees, i.e. trees whose paths are partial Herbrand
 	interpretations. It employs Herbrand's theorem in a formulation which
 	states that an unsatisfiable set of clauses has a finite closed
 	semantic tree. It also uses the lifting lemma which lifts resolution
 	derivation steps from the ground world up to the first-order world.
 	The theory is presented in a paper in the Journal of Automated Reasoning
 	[Sch18] which extends a paper presented at the International Conference
 	on Interactive Theorem Proving [Sch16]. An earlier version was
 	presented in an MSc thesis [Sch15]. The formalization mostly follows
 	textbooks by Ben-Ari [BA12], Chang and Lee [CL73], and Leitsch [Lei97].
 	The theory is part of the IsaFoL project [IsaFoL]. <p>
 	<a name="Sch18"></a>[Sch18] Anders Schlichtkrull. "Formalization of the
 	Resolution Calculus for First-Order Logic". Journal of Automated
 	Reasoning, 2018.<br> <a name="Sch16"></a>[Sch16] Anders
 	Schlichtkrull. "Formalization of the Resolution Calculus for First-Order
 	Logic". In: ITP 2016. Vol. 9807. LNCS. Springer, 2016.<br>
 	<a name="Sch15"></a>[Sch15] Anders Schlichtkrull. <a href="https://people.compute.dtu.dk/andschl/Thesis.pdf">
 	"Formalization of Resolution Calculus in Isabelle"</a>.
 	<a href="https://people.compute.dtu.dk/andschl/Thesis.pdf">https://people.compute.dtu.dk/andschl/Thesis.pdf</a>.
 	MSc thesis. Technical University of Denmark, 2015.<br>
 	<a name="BA12"></a>[BA12] Mordechai Ben-Ari. <i>Mathematical Logic for
 	Computer Science</i>. 3rd. Springer, 2012.<br> <a
 	name="CL73"></a>[CL73] Chin-Liang Chang and Richard Char-Tung Lee.
 	<i>Symbolic Logic and Mechanical Theorem Proving</i>. 1st. Academic
 	Press, Inc., 1973.<br> <a name="Lei97"></a>[Lei97] Alexander
 	Leitsch. <i>The Resolution Calculus</i>. Texts in theoretical computer
 	science. Springer, 1997.<br> <a name="IsaFoL"></a>[IsaFoL]
 	IsaFoL authors. <a href="https://bitbucket.org/jasmin_blanchette/isafol">
 	IsaFoL: Isabelle Formalization of Logic</a>.
 	<a href="https://bitbucket.org/jasmin_blanchette/isafol">https://bitbucket.org/jasmin_blanchette/isafol</a>.
 extra-history =
 	Change history:
 	[2018-01-24]: added several new versions of the soundness and completeness theorems as described in the paper [Sch18]. <br>
 	[2018-03-20]: added a concrete instance of the unification and completeness theorems using the First-Order Terms AFP-entry from IsaFoR as described in the papers [Sch16] and [Sch18].
 
 [Surprise_Paradox]
 title = Surprise Paradox
 author = Joachim Breitner <http://pp.ipd.kit.edu/~breitner>
 notify = mail@joachim-breitner.de
 date = 2016-07-17
 topic = Logic/Proof theory
 abstract =
 	In 1964, Fitch showed that the paradox of the surprise hanging can be
 	resolved by showing that the judge’s verdict is inconsistent. His
 	formalization builds on Gödel’s coding of provability.  In this
 	theory, we reproduce his proof in Isabelle, building on Paulson’s
 	formalisation of Gödel’s incompleteness theorems.
 
 [Ptolemys_Theorem]
 title = Ptolemy's Theorem
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 notify = lukas.bulwahn@gmail.com
 date = 2016-08-07
 topic = Mathematics/Geometry
 abstract =
 	This entry provides an analytic proof to Ptolemy's Theorem using
 	polar form transformation and trigonometric identities.
 	In this formalization, we use ideas from John Harrison's HOL Light
 	formalization and the proof sketch on the Wikipedia entry of Ptolemy's Theorem.
 	This theorem is the 95th theorem of the Top 100 Theorems list.
 
 [Falling_Factorial_Sum]
 title = The Falling Factorial of a Sum
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 topic = Mathematics/Combinatorics
 date = 2017-12-22
 notify = lukas.bulwahn@gmail.com
 abstract =
   This entry shows that the falling factorial of a sum can be computed
   with an expression using binomial coefficients and the falling
   factorial of its summands. The entry provides three different proofs:
   a combinatorial proof, an induction proof and an algebraic proof using
   the Vandermonde identity.  The three formalizations try to follow
   their informal presentations from a Mathematics Stack Exchange page as
   close as possible. The induction and algebraic formalization end up to
   be very close to their informal presentation, whereas the
   combinatorial proof first requires the introduction of list
   interleavings, and significant more detail than its informal
   presentation.
 
 [InfPathElimination]
 title = Infeasible Paths Elimination by Symbolic Execution Techniques: Proof of Correctness and Preservation of Paths
 author = Romain Aissat<>, Frederic Voisin<>, Burkhart Wolff <mailto:wolff@lri.fr>
 notify = wolff@lri.fr
 date = 2016-08-18
 topic = Computer science/Programming languages/Static analysis
 abstract =
 	TRACER is a tool for verifying safety properties of sequential C
 	programs. TRACER attempts at building a finite symbolic execution
 	graph which over-approximates the set of all concrete reachable states
 	and the set of feasible paths.  We present an abstract framework for
 	TRACER and similar CEGAR-like systems. The framework provides 1) a
 	graph- transformation based method for reducing the feasible paths in
 	control-flow graphs, 2) a model for symbolic execution, subsumption,
 	predicate abstraction and invariant generation. In this framework we
 	formally prove two key properties: correct construction of the
 	symbolic states and preservation of feasible paths. The framework
 	focuses on core operations, leaving to concrete prototypes to “fit in”
 	heuristics for combining them.  The accompanying paper (published in
 	ITP 2016) can be found at
 	https://www.lri.fr/∼wolff/papers/conf/2016-itp-InfPathsNSE.pdf.
 
 [Stirling_Formula]
 title = Stirling's formula
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 notify = eberlm@in.tum.de
 date = 2016-09-01
 topic = Mathematics/Analysis
 abstract =
-        <p>This work contains a proof of Stirling's formula both for the factorial $n! \sim \sqrt{2\pi n} (n/e)^n$ on natural numbers and the real 
+        <p>This work contains a proof of Stirling's formula both for the factorial $n! \sim \sqrt{2\pi n} (n/e)^n$ on natural numbers and the real
         Gamma function $\Gamma(x)\sim \sqrt{2\pi/x} (x/e)^x$. The proof is based on work by <a
 	href="http://www.maths.lancs.ac.uk/~jameson/stirlgamma.pdf">Graham Jameson</a>.</p>
         <p>This is then extended to the full asymptotic expansion
         $$\log\Gamma(z) = \big(z - \tfrac{1}{2}\big)\log z - z + \tfrac{1}{2}\log(2\pi) + \sum_{k=1}^{n-1} \frac{B_{k+1}}{k(k+1)} z^{-k}\\
         {} - \frac{1}{n} \int_0^\infty B_n([t])(t + z)^{-n}\,\text{d}t$$
-        uniformly for all complex $z\neq 0$ in the cone $\text{arg}(z)\leq \alpha$ for any $\alpha\in(0,\pi)$, with which the above asymptotic 
+        uniformly for all complex $z\neq 0$ in the cone $\text{arg}(z)\leq \alpha$ for any $\alpha\in(0,\pi)$, with which the above asymptotic
         relation for &Gamma; is also extended to complex arguments.</p>
 
 [Lp]
 title = Lp spaces
 author = Sebastien Gouezel <http://www.math.sciences.univ-nantes.fr/~gouezel/>
 notify = sebastien.gouezel@univ-rennes1.fr
 date = 2016-10-05
 topic = Mathematics/Analysis
 abstract =
 	Lp is the space of functions whose p-th power is integrable. It is one of the most fundamental Banach spaces that is used in analysis and probability. We develop a framework for function spaces, and then implement the Lp spaces in this framework using the existing integration theory in Isabelle/HOL. Our development contains most fundamental properties of Lp spaces, notably the Hölder and Minkowski inequalities, completeness of Lp, duality, stability under almost sure convergence, multiplication of functions in Lp and Lq, stability under conditional expectation.
 
 [Berlekamp_Zassenhaus]
 title = The Factorization Algorithm of Berlekamp and Zassenhaus
 author = Jose Divasón <http://www.unirioja.es/cu/jodivaso>, Sebastiaan Joosten <mailto:sebastiaan.joosten@uibk.ac.at>, René Thiemann <mailto:rene.thiemann@uibk.ac.at>, Akihisa Yamada <mailto:akihisa.yamada@uibk.ac.at>
 notify = rene.thiemann@uibk.ac.at
 date = 2016-10-14
 topic = Mathematics/Algebra
 abstract =
 	<p>We formalize the Berlekamp-Zassenhaus algorithm for factoring
 	square-free integer polynomials in Isabelle/HOL. We further adapt an
 	existing formalization of Yun’s square-free factorization algorithm to
 	integer polynomials, and thus provide an efficient and certified
 	factorization algorithm for arbitrary univariate polynomials.
 	</p>
 	<p>The algorithm first performs a factorization in the prime field GF(p) and
 	then performs computations in the integer ring modulo p^k, where both
 	p and k are determined at runtime. Since a natural modeling of these
 	structures via dependent types is not possible in Isabelle/HOL, we
 	formalize the whole algorithm using Isabelle’s recent addition of
 	local type definitions.
 	</p>
 	<p>Through experiments we verify that our algorithm factors polynomials of degree
 	100 within seconds.
 	</p>
 
 [Allen_Calculus]
 title = Allen's Interval Calculus
 author = Fadoua Ghourabi <>
 notify = fadouaghourabi@gmail.com
 date = 2016-09-29
 topic = Logic/General logic/Temporal logic, Mathematics/Order
 abstract =
 	Allen’s interval calculus is a qualitative temporal representation of
 	time events. Allen introduced 13 binary relations that describe all
 	the possible arrangements between two events, i.e. intervals with
 	non-zero finite length. The compositions are pertinent to
 	reasoning about knowledge of time. In particular, a consistency
 	problem of relation constraints is commonly solved with a guideline
 	from these compositions. We formalize the relations together with an
 	axiomatic system. We proof the validity of the 169 compositions of
 	these relations. We also define nests as the sets of intervals that
 	share a meeting point. We prove that nests give the ordering
 	properties of points without introducing a new datatype for points.
 	[1] J.F. Allen. Maintaining Knowledge about Temporal Intervals. In
 	Commun. ACM, volume 26, pages 832–843, 1983. [2] J. F. Allen and P. J.
 	Hayes. A Common-sense Theory of Time. In Proceedings of the 9th
 	International Joint Conference on Artificial Intelligence (IJCAI’85),
 	pages 528–531, 1985.
 
 
 [Source_Coding_Theorem]
 title = Source Coding Theorem
 author = Quentin Hibon <mailto:qh225@cl.cam.ac.uk>, Lawrence C. Paulson <mailto:lp15@cam.ac.uk>
 notify = qh225@cl.cam.ac.uk
 date = 2016-10-19
 topic = Mathematics/Probability theory
 abstract =
   This document contains a proof of the necessary condition on the code
   rate of a source code, namely that this code rate is bounded by the
   entropy of the source. This represents one half of Shannon's source
   coding theorem, which is itself an equivalence.
 
 [Buffons_Needle]
 title = Buffon's Needle Problem
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Probability theory, Mathematics/Geometry
 date = 2017-06-06
 notify = eberlm@in.tum.de
 abstract =
   In the 18th century, Georges-Louis Leclerc, Comte de Buffon posed and
   later solved the following problem, which is often called the first
   problem ever solved in geometric probability: Given a floor divided
   into vertical strips of the same width, what is the probability that a
   needle thrown onto the floor randomly will cross two strips?  This
   entry formally defines the problem in the case where the needle's
   position is chosen uniformly at random in a single strip around the
   origin (which is equivalent to larger arrangements due to symmetry).
   It then provides proofs of the simple solution in the case where the
   needle's length is no greater than the width of the strips and
   the more complicated solution in the opposite case.
 
 [SPARCv8]
 title = A formal model for the SPARCv8 ISA and a proof of non-interference for the LEON3 processor
 author = Zhe Hou <mailto:zhe.hou@ntu.edu.sg>, David Sanan <mailto:sanan@ntu.edu.sg>, Alwen Tiu <mailto:ATiu@ntu.edu.sg>, Yang Liu <mailto:yangliu@ntu.edu.sg>
 notify = zhe.hou@ntu.edu.sg, sanan@ntu.edu.sg
 date = 2016-10-19
 topic = Computer science/Security, Computer science/Hardware
 abstract =
   We formalise the SPARCv8 instruction set architecture (ISA) which is
   used in processors such as LEON3. Our formalisation can be specialised
   to any SPARCv8 CPU, here we use LEON3 as a running example. Our model
   covers the operational semantics for all the instructions in the
   integer unit of the SPARCv8 architecture and it supports Isabelle code
   export, which effectively turns the Isabelle model into a SPARCv8 CPU
   simulator. We prove the language-based non-interference property for
   the LEON3 processor.  Our model is based on deterministic monad, which
   is a modified version of the non-deterministic monad from NICTA/l4v.
 
 [Separata]
 title = Separata: Isabelle tactics for Separation Algebra
 author = Zhe Hou <mailto:zhe.hou@ntu.edu.sg>, David Sanan <mailto:sanan@ntu.edu.sg>, Alwen Tiu <mailto:ATiu@ntu.edu.sg>, Rajeev Gore <mailto:rajeev.gore@anu.edu.au>, Ranald Clouston <mailto:ranald.clouston@cs.au.dk>
 notify = zhe.hou@ntu.edu.sg
 date = 2016-11-16
 topic = Computer science/Programming languages/Logics, Tools
 abstract =
   We bring the labelled sequent calculus $LS_{PASL}$ for propositional
   abstract separation logic to Isabelle. The tactics given here are
   directly applied on an extension of the Separation Algebra in the AFP.
   In addition to the cancellative separation algebra, we further
   consider some useful properties in the heap model of separation logic,
   such as indivisible unit, disjointness, and cross-split. The tactics
   are essentially a proof search procedure for the calculus $LS_{PASL}$.
   We wrap the tactics in an Isabelle method called separata, and give a
   few examples of separation logic formulae which are provable by
   separata.
 
 [LOFT]
 title = LOFT — Verified Migration of Linux Firewalls to SDN
 author = Julius Michaelis <http://liftm.de>, Cornelius Diekmann <http://net.in.tum.de/~diekmann>
 notify = isabelleopenflow@liftm.de
 date = 2016-10-21
 topic = Computer science/Networks
 abstract =
   We present LOFT — Linux firewall OpenFlow Translator, a system that
   transforms the main routing table and FORWARD chain of iptables of a
   Linux-based firewall into a set of static OpenFlow rules. Our
   implementation is verified against a model of a simplified Linux-based
   router and we can directly show how much of the original functionality
   is preserved.
 
 [Stable_Matching]
 title = Stable Matching
 author = Peter Gammie <http://peteg.org>
 notify = peteg42@gmail.com
 date = 2016-10-24
 topic = Mathematics/Games and economics
 abstract =
   We mechanize proofs of several results from the matching with
   contracts literature, which generalize those of the classical
   two-sided matching scenarios that go by the name of stable marriage.
   Our focus is on game theoretic issues. Along the way we develop
   executable algorithms for computing optimal stable matches.
 
 [Modal_Logics_for_NTS]
 title = Modal Logics for Nominal Transition Systems
 author = Tjark Weber <mailto:tjark.weber@it.uu.se>, Lars-Henrik Eriksson <mailto:lhe@it.uu.se>, Joachim Parrow <mailto:joachim.parrow@it.uu.se>, Johannes Borgström <mailto:johannes.borgstrom@it.uu.se>, Ramunas Gutkovas <mailto:ramunas.gutkovas@it.uu.se>
 notify = tjark.weber@it.uu.se
 date = 2016-10-25
 topic = Computer science/Concurrency/Process calculi, Logic/General logic/Modal logic
 abstract =
   We formalize a uniform semantic substrate for a wide variety of
   process calculi where states and action labels can be from arbitrary
   nominal sets. A Hennessy-Milner logic for these systems is defined,
   and proved adequate for bisimulation equivalence. A main novelty is
   the construction of an infinitary nominal data type to model formulas
   with (finitely supported) infinite conjunctions and actions that may
   contain binding names. The logic is generalized to treat different
   bisimulation variants such as early, late and open in a systematic
   way.
 extra-history =
 	Change history:
         [2017-01-29]:
         Formalization of weak bisimilarity added
         (revision c87cc2057d9c)
 
 [Abs_Int_ITP2012]
 title = Abstract Interpretation of Annotated Commands
 author = Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 notify = nipkow@in.tum.de
 date = 2016-11-23
 topic = Computer science/Programming languages/Static analysis
 abstract =
   This is the Isabelle formalization of the material decribed in the
   eponymous <a href="https://doi.org/10.1007/978-3-642-32347-8_9">ITP 2012 paper</a>.
   It develops a generic abstract interpreter for a
   while-language, including widening and narrowing. The collecting
   semantics and the abstract interpreter operate on annotated commands:
   the program is represented as a syntax tree with the semantic
   information directly embedded, without auxiliary labels. The aim of
   the formalization is simplicity, not efficiency or
   precision. This is motivated by the inclusion of the material in a
   theorem prover based course on semantics. A similar (but more
   polished) development is covered in the book
   <a href="https://doi.org/10.1007/978-3-319-10542-0">Concrete Semantics</a>.
 
 [Complx]
 title = COMPLX: A Verification Framework for Concurrent Imperative Programs
 author = Sidney Amani<>, June Andronick<>, Maksym Bortin<>, Corey Lewis<>, Christine Rizkallah<>, Joseph Tuong<>
 notify = sidney.amani@data61.csiro.au, corey.lewis@data61.csiro.au
 date = 2016-11-29
 topic = Computer science/Programming languages/Logics, Computer science/Programming languages/Language definitions
 abstract =
   We propose a concurrency reasoning framework for imperative programs,
   based on the Owicki-Gries (OG) foundational shared-variable
   concurrency method. Our framework combines the approaches of
   Hoare-Parallel, a formalisation of OG in Isabelle/HOL for a simple
   while-language, and Simpl, a generic imperative language embedded in
   Isabelle/HOL, allowing formal reasoning on C programs. We define the
   Complx language, extending the syntax and semantics of Simpl with
   support for parallel composition and synchronisation. We additionally
   define an OG logic, which we prove sound w.r.t. the  semantics, and a
   verification condition generator, both supporting involved low-level
   imperative constructs such as function calls and abrupt termination.
   We illustrate our framework on an example that features exceptions,
   guards and function calls.  We aim to then target concurrent operating
   systems, such as the interruptible eChronos embedded operating system
   for which we already have a model-level OG proof using Hoare-Parallel.
 extra-history =
 	Change history:
         [2017-01-13]:
         Improve VCG for nested parallels and sequential sections
         (revision 30739dbc3dcb)
 
 [Paraconsistency]
 title = Paraconsistency
 author = Anders Schlichtkrull <https://people.compute.dtu.dk/andschl/>, Jørgen Villadsen <https://people.compute.dtu.dk/jovi/>
 topic = Logic/General logic/Paraconsistent logics
 date = 2016-12-07
 notify = andschl@dtu.dk, jovi@dtu.dk
 abstract =
   Paraconsistency is about handling inconsistency in a coherent way. In
   classical and intuitionistic logic everything follows from an
   inconsistent theory. A paraconsistent logic avoids the explosion.
   Quite a few applications in computer science and engineering are
   discussed in the Intelligent Systems Reference Library Volume 110:
   Towards Paraconsistent Engineering (Springer 2016). We formalize a
   paraconsistent many-valued logic that we motivated and described in a
   special issue on logical approaches to paraconsistency (Journal of
   Applied Non-Classical Logics 2005). We limit ourselves to the
   propositional fragment of the higher-order logic. The logic is based
   on so-called key equalities and has a countably infinite number of
   truth values. We prove theorems in the logic using the definition of
   validity. We verify truth tables and also counterexamples for
   non-theorems. We prove meta-theorems about the logic and finally we
   investigate a case study.
 
 [Proof_Strategy_Language]
 title = Proof Strategy Language
 author = Yutaka Nagashima<>
 topic = Tools
 date = 2016-12-20
 notify = Yutaka.Nagashima@data61.csiro.au
 abstract =
   Isabelle includes various automatic tools for finding proofs under
   certain conditions. However, for each conjecture, knowing which
   automation to use, and how to tweak its parameters, is currently
   labour intensive. We have developed a language, PSL, designed to
   capture high level proof strategies. PSL offloads the construction of
   human-readable fast-to-replay proof scripts to automatic search,
   making use of search-time information about each conjecture. Our
   preliminary evaluations show that PSL reduces the labour cost of
   interactive theorem proving. This submission contains the
   implementation of PSL and an example theory file, Example.thy, showing
   how to write poof strategies in PSL.
 
 [Concurrent_Ref_Alg]
 title = Concurrent Refinement Algebra and Rely Quotients
 author = Julian Fell <mailto:julian.fell@uq.net.au>, Ian J. Hayes <mailto:ian.hayes@itee.uq.edu.au>, Andrius Velykis <http://andrius.velykis.lt>
 topic = Computer science/Concurrency
 date = 2016-12-30
 notify = Ian.Hayes@itee.uq.edu.au
 abstract =
   The concurrent refinement algebra developed here is designed to
   provide a foundation for rely/guarantee reasoning about concurrent
   programs. The algebra builds on a complete lattice of commands by
   providing sequential composition, parallel composition and a novel
   weak conjunction operator. The weak conjunction operator coincides
   with the lattice supremum providing its arguments are non-aborting,
   but aborts if either of its arguments do. Weak conjunction provides an
   abstract version of a guarantee condition as a guarantee process. We
   distinguish between models that distribute sequential composition over
   non-deterministic choice from the left (referred to as being
   conjunctive in the refinement calculus literature) and those that
   don't. Least and greatest fixed points of monotone functions are
   provided to allow recursion and iteration operators to be added to the
   language. Additional iteration laws are available for conjunctive
   models. The rely quotient of processes <i>c</i> and
   <i>i</i> is the process that, if executed in parallel with
   <i>i</i> implements <i>c</i>. It represents an
   abstract version of a rely condition generalised to a process.
 
 [FOL_Harrison]
 title = First-Order Logic According to Harrison
 author = Alexander Birch Jensen <https://people.compute.dtu.dk/aleje/>, Anders Schlichtkrull <https://people.compute.dtu.dk/andschl/>, Jørgen Villadsen <https://people.compute.dtu.dk/jovi/>
 topic = Logic/General logic/Mechanization of proofs
 date = 2017-01-01
 notify = aleje@dtu.dk, andschl@dtu.dk, jovi@dtu.dk
 abstract =
   <p>We present a certified declarative first-order prover with equality
   based on John Harrison's Handbook of Practical Logic and
   Automated Reasoning, Cambridge University Press, 2009. ML code
   reflection is used such that the entire prover can be executed within
   Isabelle as a very simple interactive proof assistant. As examples we
   consider Pelletier's problems 1-46.</p>
   <p>Reference: Programming and Verifying a Declarative First-Order
   Prover in Isabelle/HOL. Alexander Birch Jensen, John Bruntse Larsen,
   Anders Schlichtkrull & Jørgen Villadsen. AI Communications 31:281-299
   2018. <a href="https://content.iospress.com/articles/ai-communications/aic764">
   https://content.iospress.com/articles/ai-communications/aic764</a></p>
   <p>See also: Students' Proof Assistant (SPA).
   <a href=https://github.com/logic-tools/spa>
   https://github.com/logic-tools/spa</a></p>
 extra-history =
   Change history:
   [2018-07-21]: Proof of Pelletier's problem 34 (Andrews's Challenge) thanks to Asta Halkjær From.
 
 [Bernoulli]
 title = Bernoulli Numbers
 author = Lukas Bulwahn<mailto:lukas.bulwahn@gmail.com>, Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Analysis, Mathematics/Number theory
 date = 2017-01-24
 notify = eberlm@in.tum.de
 abstract =
   <p>Bernoulli numbers were first discovered in the closed-form
   expansion of the sum 1<sup>m</sup> +
   2<sup>m</sup> + &hellip; + n<sup>m</sup>
   for a fixed m and appear in many other places. This entry provides
   three different definitions for them: a recursive one, an explicit
   one, and one through their exponential generating function.</p>
   <p>In addition, we prove some basic facts, e.g. their relation
   to sums of powers of integers and that all odd Bernoulli numbers
   except the first are zero, and some advanced facts like their
   relationship to the Riemann zeta function on positive even
   integers.</p>
   <p>We also prove the correctness of the
   Akiyama&ndash;Tanigawa algorithm for computing Bernoulli numbers
   with reasonable efficiency, and we define the periodic Bernoulli
   polynomials (which appear e.g. in the Euler&ndash;MacLaurin
   summation formula and the expansion of the log-Gamma function) and
   prove their basic properties.</p>
 
 [Stone_Relation_Algebras]
 title = Stone Relation Algebras
 author = Walter Guttmann <http://www.cosc.canterbury.ac.nz/walter.guttmann/>
 topic = Mathematics/Algebra
 date = 2017-02-07
 notify = walter.guttmann@canterbury.ac.nz
 abstract =
   We develop Stone relation algebras, which generalise relation algebras
   by replacing the underlying Boolean algebra structure with a Stone
   algebra. We show that finite matrices over extended real numbers form
   an instance. As a consequence, relation-algebraic concepts and methods
   can be used for reasoning about weighted graphs. We also develop a
   fixpoint calculus and apply it to compare different definitions of
   reflexive-transitive closures in semirings.
 
 [Stone_Kleene_Relation_Algebras]
 title = Stone-Kleene Relation Algebras
 author = Walter Guttmann <http://www.cosc.canterbury.ac.nz/walter.guttmann/>
 topic = Mathematics/Algebra
 date = 2017-07-06
 notify = walter.guttmann@canterbury.ac.nz
 abstract =
   We develop Stone-Kleene relation algebras, which expand Stone relation
   algebras with a Kleene star operation to describe reachability in
   weighted graphs. Many properties of the Kleene star arise as a special
   case of a more general theory of iteration based on Conway semirings
   extended by simulation axioms. This includes several theorems
   representing complex program transformations. We formally prove the
   correctness of Conway's automata-based construction of the Kleene
   star of a matrix. We prove numerous results useful for reasoning about
   weighted graphs.
 
 [Abstract_Soundness]
 title = Abstract Soundness
 author = Jasmin Christian Blanchette <mailto:jasmin.blanchette@gmail.com>, Andrei Popescu <mailto:uuomul@yahoo.com>, Dmitriy Traytel <mailto:traytel@inf.ethz.ch>
 topic = Logic/Proof theory
 date = 2017-02-10
 notify = jasmin.blanchette@gmail.com
 abstract =
   A formalized coinductive account of the abstract development of
   Brotherston, Gorogiannis, and Petersen [APLAS 2012], in a slightly
   more general form since we work with arbitrary infinite proofs, which
   may be acyclic. This work is described in detail in an article by the
   authors, published in 2017 in the <em>Journal of Automated
   Reasoning</em>. The abstract proof can be instantiated for
   various formalisms, including first-order logic with inductive
   predicates.
 
 [Differential_Dynamic_Logic]
 title = Differential Dynamic Logic
 author = Brandon Bohrer <mailto:bbohrer@cs.cmu.edu>
 topic = Logic/General logic/Modal logic, Computer science/Programming languages/Logics
 date = 2017-02-13
 notify = bbohrer@cs.cmu.edu
 abstract =
   We formalize differential dynamic logic, a logic for proving
   properties of hybrid systems. The proof calculus in this formalization
   is based on the uniform substitution principle. We show it is sound
   with respect to our denotational semantics, which provides increased
   confidence in the correctness of the KeYmaera X theorem prover based
   on this calculus. As an application, we include a proof term checker
   embedded in Isabelle/HOL with several example proofs.  Published in:
   Brandon Bohrer, Vincent Rahli, Ivana Vukotic, Marcus Völp, André
   Platzer: Formally verified differential dynamic logic. CPP 2017.
 
 [Elliptic_Curves_Group_Law]
 title = The Group Law for Elliptic Curves
 author = Stefan Berghofer <http://www.in.tum.de/~berghofe>
 topic = Computer science/Security/Cryptography
 date = 2017-02-28
 notify = berghofe@in.tum.de
 abstract =
   We prove the group law for elliptic curves in Weierstrass form over
   fields of characteristic greater than 2. In addition to affine
   coordinates, we also formalize projective coordinates, which allow for
   more efficient computations. By specializing the abstract
   formalization to prime fields, we can apply the curve operations to
   parameters used in standard security protocols.
 
 [Example-Submission]
 title = Example Submission
 author = Gerwin Klein <http://www.cse.unsw.edu.au/~kleing/>
 topic = Mathematics/Analysis, Mathematics/Number theory
 date = 2004-02-25
 notify = kleing@cse.unsw.edu.au
 abstract =
   <p>This is an example submission to the Archive of Formal Proofs. It shows
   submission requirements and explains the structure of a simple typical
   submission.</p>
   <p>Note that you can use <em>HTML tags</em> and LaTeX formulae like
   $\sum_{n=1}^\infty \frac{1}{n^2} = \frac{\pi^2}{6}$ in the abstract. Display formulae like
   $$ \int_0^1 x^{-x}\,\text{d}x = \sum_{n=1}^\infty n^{-n}$$
   are also possible. Please read the
-  <a href="../submitting.html">submission guidelines</a> before using this.</p>  
+  <a href="../submitting.html">submission guidelines</a> before using this.</p>
 extra-no-index = no-index: true
 
 [CRDT]
 title = A framework for establishing Strong Eventual Consistency for Conflict-free Replicated Datatypes
 author = Victor B. F. Gomes <mailto:vb358@cam.ac.uk>, Martin Kleppmann<mailto:martin.kleppmann@cl.cam.ac.uk>, Dominic P. Mulligan<mailto:dominic.p.mulligan@googlemail.com>, Alastair R. Beresford<mailto:arb33@cam.ac.uk>
 topic = Computer science/Algorithms/Distributed, Computer science/Data structures
 date = 2017-07-07
 notify = vb358@cam.ac.uk, dominic.p.mulligan@googlemail.com
 abstract =
   In this work, we focus on the correctness of Conflict-free Replicated
   Data Types (CRDTs), a class of algorithm that provides strong eventual
   consistency guarantees for replicated data. We develop a modular and
   reusable framework for verifying the correctness of CRDT algorithms.
   We avoid correctness issues that have dogged previous mechanised
   proofs in this area by including a network model in our formalisation,
   and proving that our theorems hold in all possible network behaviours.
   Our axiomatic network model is a standard abstraction that accurately
   reflects the behaviour of real-world computer networks. Moreover, we
   identify an abstract convergence theorem, a property of order
   relations, which provides a formal definition of strong eventual
   consistency. We then obtain the first machine-checked correctness
   theorems for three concrete CRDTs: the Replicated Growable Array, the
   Observed-Remove Set, and an Increment-Decrement Counter.
 
 [HOLCF-Prelude]
 title = HOLCF-Prelude
 author = Joachim Breitner<mailto:joachim@cis.upenn.edu>, Brian Huffman<>, Neil Mitchell<>, Christian Sternagel<mailto:c.sternagel@gmail.com>
 topic = Computer science/Functional programming
 date = 2017-07-15
 notify = c.sternagel@gmail.com, joachim@cis.upenn.edu, hupel@in.tum.de
 abstract =
   The Isabelle/HOLCF-Prelude is a formalization of a large part of
   Haskell's standard prelude in Isabelle/HOLCF. We use it to prove
   the correctness of the Eratosthenes' Sieve, in its
   self-referential implementation commonly used to showcase
   Haskell's laziness; prove correctness of GHC's
   "fold/build" rule and related rewrite rules; and certify a
   number of hints suggested by HLint.
 
 [Decl_Sem_Fun_PL]
 title = Declarative Semantics for Functional Languages
 author = Jeremy Siek <http://homes.soic.indiana.edu/jsiek/>
 topic = Computer science/Programming languages
 date = 2017-07-21
 notify = jsiek@indiana.edu
 abstract =
   We present a semantics for an applied call-by-value lambda-calculus
   that is compositional, extensional, and elementary. We present four
   different views of the semantics: 1) as a relational (big-step)
   semantics that is not operational but instead declarative, 2) as a
   denotational semantics that does not use domain theory, 3) as a
   non-deterministic interpreter, and 4) as a variant of the intersection
   type systems of the Torino group.  We prove that the semantics is
   correct by showing that it is sound and complete with respect to
   operational semantics on programs and that is sound with respect to
   contextual equivalence. We have not yet investigated whether it is
   fully abstract. We demonstrate that this approach to semantics is
   useful with three case studies. First, we use the semantics to prove
   correctness of a compiler optimization that inlines function
   application. Second, we adapt the semantics to the polymorphic
   lambda-calculus extended with general recursion and prove semantic
   type soundness.  Third, we adapt the semantics to the call-by-value
   lambda-calculus with mutable references.
   <br>
   The paper that accompanies these Isabelle theories is <a href="https://arxiv.org/abs/1707.03762">available on arXiv</a>.
 
 [DynamicArchitectures]
 title = Dynamic Architectures
 author = Diego Marmsoler <http://marmsoler.com>
 topic = Computer science/System description languages
 date = 2017-07-28
 notify = diego.marmsoler@tum.de
 abstract =
   The architecture of a system describes the system's overall
   organization into components and connections between those components.
   With the emergence of mobile computing, dynamic architectures have
   become increasingly important. In such architectures, components may
   appear or disappear, and connections may change over time. In the
   following we mechanize a theory of dynamic architectures and verify
   the soundness of a corresponding calculus. Therefore, we first
   formalize the notion of configuration traces as a model for dynamic
   architectures. Then, the behavior of single components is formalized
   in terms of behavior traces and an operator is introduced and studied
   to extract the behavior of a single component out of a given
   configuration trace. Then, behavior trace assertions are introduced as
   a temporal specification technique to specify behavior of components.
   Reasoning about component behavior in a dynamic context is formalized
   in terms of a calculus for dynamic architectures. Finally, the
   soundness of the calculus is verified by introducing an alternative
   interpretation for behavior trace assertions over configuration traces
   and proving the rules of the calculus. Since projection may lead to
   finite as well as infinite behavior traces, they are formalized in
   terms of coinductive lists. Thus, our theory is based on
   Lochbihler's formalization of coinductive lists. The theory may
   be applied to verify properties for dynamic architectures.
 extra-history =
 	Change history:
 		[2018-06-07]: adding logical operators to specify configuration traces (revision 09178f08f050)<br>
 
 [Stewart_Apollonius]
 title = Stewart's Theorem and Apollonius' Theorem
 author = Lukas Bulwahn <mailto:lukas.bulwahn@gmail.com>
 topic = Mathematics/Geometry
 date = 2017-07-31
 notify = lukas.bulwahn@gmail.com
 abstract =
   This entry formalizes the two geometric theorems, Stewart's and
   Apollonius' theorem. Stewart's Theorem relates the length of
   a triangle's cevian to the lengths of the triangle's two
   sides. Apollonius' Theorem is a specialisation of Stewart's
   theorem, restricting the cevian to be the median. The proof applies
   the law of cosines, some basic geometric facts about triangles and
   then simply transforms the terms algebraically to yield the
   conjectured relation. The formalization in Isabelle can closely follow
   the informal proofs described in the Wikipedia articles of those two
   theorems.
 
 [LambdaMu]
 title = The LambdaMu-calculus
 author = Cristina Matache <mailto:cris.matache@gmail.com>, Victor B. F. Gomes <mailto:victorborgesfg@gmail.com>, Dominic P. Mulligan <mailto:dominic.p.mulligan@googlemail.com>
 topic = Computer science/Programming languages/Lambda calculi, Logic/General logic/Lambda calculus
 date = 2017-08-16
 notify = victorborgesfg@gmail.com, dominic.p.mulligan@googlemail.com
 abstract =
   The propositions-as-types correspondence is ordinarily presented as
   linking the metatheory of typed λ-calculi and the proof theory of
   intuitionistic logic. Griffin observed that this correspondence could
   be extended to classical logic through the use of control operators.
   This observation set off a flurry of further research, leading to the
   development of Parigots λμ-calculus. In this work, we formalise λμ-
   calculus in Isabelle/HOL and prove several metatheoretical properties
   such as type preservation and progress.
 
 [Orbit_Stabiliser]
 title = Orbit-Stabiliser Theorem with Application to Rotational Symmetries
 author = Jonas Rädle <mailto:jonas.raedle@tum.de>
 topic = Mathematics/Algebra
 date = 2017-08-20
 notify = jonas.raedle@tum.de
 abstract =
   The Orbit-Stabiliser theorem is a basic result in the algebra of
   groups that factors the order of a group into the sizes of its orbits
   and stabilisers.  We formalize the notion of a group action and the
   related concepts of orbits and stabilisers. This allows us to prove
   the orbit-stabiliser theorem.  In the second part of this work, we
   formalize the tetrahedral group and use the orbit-stabiliser theorem
   to prove that there are twelve (orientation-preserving) rotations of
   the tetrahedron.
 
 [PLM]
 title = Representation and Partial Automation of the Principia Logico-Metaphysica in Isabelle/HOL
 author = Daniel Kirchner <mailto:daniel@ekpyron.org>
 topic = Logic/Philosophical aspects
 date = 2017-09-17
 notify = daniel@ekpyron.org
 abstract =
   <p> We present an embedding of the second-order fragment of the
   Theory of Abstract Objects as described in Edward Zalta's
   upcoming work <a
   href="https://mally.stanford.edu/principia.pdf">Principia
   Logico-Metaphysica (PLM)</a> in the automated reasoning
   framework Isabelle/HOL. The Theory of Abstract Objects is a
   metaphysical theory that reifies property patterns, as they for
   example occur in the abstract reasoning of mathematics, as
   <b>abstract objects</b> and provides an axiomatic
   framework that allows to reason about these objects. It thereby serves
   as a fundamental metaphysical theory that can be used to axiomatize
   and describe a wide range of philosophical objects, such as Platonic
   forms or Leibniz' concepts, and has the ambition to function as a
   foundational theory of mathematics. The target theory of our embedding
   as described in chapters 7-9 of PLM employs a modal relational type
   theory as logical foundation for which a representation in functional
   type theory is <a
   href="https://mally.stanford.edu/Papers/rtt.pdf">known to
   be challenging</a>. </p> <p> Nevertheless we arrive
   at a functioning representation of the theory in the functional logic
   of Isabelle/HOL based on a semantical representation of an Aczel-model
   of the theory. Based on this representation we construct an
   implementation of the deductive system of PLM which allows to
   automatically and interactively find and verify theorems of PLM.
   </p> <p> Our work thereby supports the concept of shallow
   semantical embeddings of logical systems in HOL as a universal tool
   for logical reasoning <a
   href="http://www.mi.fu-berlin.de/inf/groups/ag-ki/publications/Universal-Reasoning/1703_09620_pd.pdf">as
   promoted by Christoph Benzm&uuml;ller</a>. </p>
   <p> The most notable result of the presented work is the
   discovery of a previously unknown paradox in the formulation of the
   Theory of Abstract Objects. The embedding of the theory in
   Isabelle/HOL played a vital part in this discovery. Furthermore it was
   possible to immediately offer several options to modify the theory to
   guarantee its consistency. Thereby our work could provide a
   significant contribution to the development of a proper grounding for
   object theory. </p>
 
 [KD_Tree]
 title = Multidimensional Binary Search Trees
 author = Martin Rau<>
 topic = Computer science/Data structures
 date = 2019-05-30
 notify = martin.rau@tum.de, mrtnrau@googlemail.com
 abstract =
   This entry provides a formalization of multidimensional binary trees,
   also known as k-d trees. It includes a balanced build algorithm as
   well as the nearest neighbor algorithm and the range search algorithm.
   It is based on the papers <a
   href="https://dl.acm.org/citation.cfm?doid=361002.361007">Multidimensional
   binary search trees used for associative searching</a> and <a
   href="https://dl.acm.org/citation.cfm?doid=355744.355745">
   An Algorithm for Finding Best Matches in Logarithmic Expected
   Time</a>.
 extra-history =
 	Change history:
 	[2020-15-04]: Change representation of k-dimensional points from 'list' to
                 HOL-Analysis.Finite_Cartesian_Product 'vec'. Update proofs
                 to incorporate HOL-Analysis 'dist' and 'cbox' primitives.
 
 [Closest_Pair_Points]
 title = Closest Pair of Points Algorithms
 author = Martin Rau <mailto:martin.rau@tum.de>, Tobias Nipkow <http://www.in.tum.de/~nipkow>
 topic = Computer science/Algorithms/Geometry
 date = 2020-01-13
 notify = martin.rau@tum.de, nipkow@in.tum.de
 abstract =
   This entry provides two related verified divide-and-conquer algorithms
   solving the fundamental <em>Closest Pair of Points</em>
   problem in Computational Geometry. Functional correctness and the
   optimal running time of <em>O</em>(<em>n</em> log <em>n</em>) are
   proved. Executable code is generated which is empirically competitive
   with handwritten reference implementations.
 extra-history =
 	Change history:
 	[2020-14-04]: Incorporate Time_Monad of the AFP entry Root_Balanced_Tree.
 
 [Approximation_Algorithms]
 title = Verified Approximation Algorithms
 author = Robin Eßmann <mailto:robin.essmann@tum.de>, Tobias Nipkow <http://www.in.tum.de/~nipkow/>, Simon Robillard <https://simon-robillard.net/>
 topic = Computer science/Algorithms/Approximation
 date = 2020-01-16
 notify = nipkow@in.tum.de
 abstract =
   We present the first formal verification of approximation algorithms
   for NP-complete optimization problems: vertex cover, independent set,
   load balancing, and bin packing. The proofs correct incompletenesses
   in existing proofs and improve the approximation ratio in one case.
 
 [Diophantine_Eqns_Lin_Hom]
 title = Homogeneous Linear Diophantine Equations
 author = Florian Messner <mailto:florian.g.messner@uibk.ac.at>, Julian Parsert <mailto:julian.parsert@gmail.com>, Jonas Schöpf <mailto:jonas.schoepf@uibk.ac.at>,  Christian Sternagel <mailto:c.sternagel@gmail.com>
 topic = Computer science/Algorithms/Mathematical, Mathematics/Number theory, Tools
 license = LGPL
 date = 2017-10-14
 notify = c.sternagel@gmail.com, julian.parsert@gmail.com
 abstract =
   We formalize the theory of homogeneous linear diophantine equations,
   focusing on two main results: (1) an abstract characterization of
   minimal complete sets of solutions, and (2) an algorithm computing
   them. Both, the characterization and the algorithm are based on
   previous work by Huet. Our starting point is a simple but inefficient
   variant of Huet's lexicographic algorithm incorporating improved
   bounds due to Clausen and Fortenbacher. We proceed by proving its
   soundness and completeness. Finally, we employ code equations to
   obtain a reasonably efficient implementation. Thus, we provide a
   formally verified solver for homogeneous linear diophantine equations.
 
 [Winding_Number_Eval]
 title = Evaluate Winding Numbers through Cauchy Indices
 author = Wenda Li <https://www.cl.cam.ac.uk/~wl302/>
 topic = Mathematics/Analysis
 date = 2017-10-17
 notify = wl302@cam.ac.uk, liwenda1990@hotmail.com
 abstract =
   In complex analysis, the winding number measures the number of times a
   path (counterclockwise) winds around a point, while the Cauchy index
   can approximate how the path winds. This entry provides a
   formalisation of the Cauchy index, which is then shown to be related
   to the winding number. In addition, this entry also offers a tactic
   that enables users to evaluate the winding number by calculating
   Cauchy indices.
 
 [Count_Complex_Roots]
 title = Count the Number of Complex Roots
 author = Wenda Li <https://www.cl.cam.ac.uk/~wl302/>
 topic = Mathematics/Analysis
 date = 2017-10-17
 notify = wl302@cam.ac.uk, liwenda1990@hotmail.com
 abstract =
   Based on evaluating Cauchy indices through remainder sequences, this
   entry provides an effective procedure to count the number of complex
   roots (with multiplicity) of a polynomial within a rectangle box or a
   half-plane. Potential applications of this entry include certified
   complex root isolation (of a polynomial) and testing the Routh-Hurwitz
   stability criterion (i.e., to check whether all the roots of some
   characteristic polynomial have negative real parts).
 
 [Buchi_Complementation]
 title = Büchi Complementation
 author = Julian Brunner <http://www21.in.tum.de/~brunnerj/>
 topic = Computer science/Automata and formal languages
 date = 2017-10-19
 notify = brunnerj@in.tum.de
 abstract =
   This entry provides a verified implementation of rank-based Büchi
   Complementation. The verification is done in three steps: <ol>
   <li>Definition of odd rankings and proof that an automaton
   rejects a word iff there exists an odd ranking for it.</li>
   <li>Definition of the complement automaton and proof that it
   accepts exactly those words for which there is an odd
   ranking.</li> <li>Verified implementation of the
   complement automaton using the Isabelle Collections
   Framework.</li> </ol>
 
 [Transition_Systems_and_Automata]
 title = Transition Systems and Automata
 author = Julian Brunner <http://www21.in.tum.de/~brunnerj/>
 topic = Computer science/Automata and formal languages
 date = 2017-10-19
 notify = brunnerj@in.tum.de
 abstract =
   This entry provides a very abstract theory of transition systems that
   can be instantiated to express various types of automata. A transition
   system is typically instantiated by providing a set of initial states,
   a predicate for enabled transitions, and a transition execution
   function. From this, it defines the concepts of finite and infinite
   paths as well as the set of reachable states, among other things. Many
   useful theorems, from basic path manipulation rules to coinduction and
   run construction rules, are proven in this abstract transition system
   context. The library comes with instantiations for DFAs, NFAs, and
   Büchi automata.
 
 [Kuratowski_Closure_Complement]
 title = The Kuratowski Closure-Complement Theorem
 author = Peter Gammie <http://peteg.org>, Gianpaolo Gioiosa<>
 topic = Mathematics/Topology
 date = 2017-10-26
 notify = peteg42@gmail.com
 abstract =
   We discuss a topological curiosity discovered by Kuratowski (1922):
   the fact that the number of distinct operators on a topological space
   generated by compositions of closure and complement never exceeds 14,
   and is exactly 14 in the case of R. In addition, we prove a theorem
   due to Chagrov (1982) that classifies topological spaces according to
   the number of such operators they support.
 
 [Hybrid_Multi_Lane_Spatial_Logic]
 title = Hybrid Multi-Lane Spatial Logic
 author = Sven Linker <mailto:s.linker@liverpool.ac.uk>
 topic = Logic/General logic/Modal logic
 date = 2017-11-06
 notify = s.linker@liverpool.ac.uk
 abstract =
   We present a semantic embedding of a spatio-temporal multi-modal
   logic, specifically defined to reason about motorway traffic, into
   Isabelle/HOL. The semantic model is an abstraction of a motorway,
   emphasising local spatial properties, and parameterised by the types
   of sensors deployed in the vehicles. We use the logic to define
   controller constraints to ensure safety, i.e., the absence of
   collisions on the motorway. After proving safety with a restrictive
   definition of sensors, we relax these assumptions and show how to
   amend the controller constraints to still guarantee safety.
 
 [Dirichlet_L]
 title = Dirichlet L-Functions and Dirichlet's Theorem
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory, Mathematics/Algebra
 date = 2017-12-21
 notify = eberlm@in.tum.de
 abstract =
   <p>This article provides a formalisation of Dirichlet characters
   and Dirichlet <em>L</em>-functions including proofs of
   their basic properties &ndash; most notably their analyticity,
   their areas of convergence, and their non-vanishing for &Re;(s)
   &ge; 1. All of this is built in a very high-level style using
   Dirichlet series. The proof of the non-vanishing follows a very short
   and elegant proof by Newman, which we attempt to reproduce faithfully
   in a similar level of abstraction in Isabelle.</p> <p>This
   also leads to a relatively short proof of Dirichlet’s Theorem, which
   states that, if <em>h</em> and <em>n</em> are
   coprime, there are infinitely many primes <em>p</em> with
   <em>p</em> &equiv; <em>h</em> (mod
   <em>n</em>).</p>
 
 [Symmetric_Polynomials]
 title = Symmetric Polynomials
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Algebra
 date = 2018-09-25
 notify = eberlm@in.tum.de
 abstract =
   <p>A symmetric polynomial is a polynomial in variables
   <em>X</em><sub>1</sub>,&hellip;,<em>X</em><sub>n</sub>
   that does not discriminate between its variables, i.&thinsp;e. it
   is invariant under any permutation of them. These polynomials are
   important in the study of the relationship between the coefficients of
   a univariate polynomial and its roots in its algebraic
   closure.</p> <p>This article provides a definition of
   symmetric polynomials and the elementary symmetric polynomials
   e<sub>1</sub>,&hellip;,e<sub>n</sub> and
   proofs of their basic properties, including three notable
   ones:</p> <ul> <li> Vieta's formula, which
   gives an explicit expression for the <em>k</em>-th
   coefficient of a univariate monic polynomial in terms of its roots
   <em>x</em><sub>1</sub>,&hellip;,<em>x</em><sub>n</sub>,
   namely
   <em>c</em><sub><em>k</em></sub> = (-1)<sup><em>n</em>-<em>k</em></sup>&thinsp;e<sub><em>n</em>-<em>k</em></sub>(<em>x</em><sub>1</sub>,&hellip;,<em>x</em><sub>n</sub>).</li>
   <li>Second, the Fundamental Theorem of Symmetric Polynomials,
   which states that any symmetric polynomial is itself a uniquely
   determined polynomial combination of the elementary symmetric
   polynomials.</li> <li>Third, as a corollary of the
   previous two, that given a polynomial over some ring
   <em>R</em>, any symmetric polynomial combination of its
   roots is also in <em>R</em> even when the roots are not.
   </ul> <p> Both the symmetry property itself and the
   witness for the Fundamental Theorem are executable. </p>
 
 [Taylor_Models]
 title = Taylor Models
 author = Christoph Traut<>, Fabian Immler <http://www21.in.tum.de/~immler>
 topic = Computer science/Algorithms/Mathematical, Computer science/Data structures, Mathematics/Analysis, Mathematics/Algebra
 date = 2018-01-08
 notify = immler@in.tum.de
 abstract =
   We present a formally verified implementation of multivariate Taylor
   models. Taylor models are a form of rigorous polynomial approximation,
   consisting of an approximation polynomial based on Taylor expansions,
   combined with a rigorous bound on the approximation error. Taylor
   models were introduced as a tool to mitigate the dependency problem of
   interval arithmetic. Our implementation automatically computes Taylor
   models for the class of elementary functions, expressed by composition
   of arithmetic operations and basic functions like exp, sin, or square
   root.
 
 [Green]
 title = An Isabelle/HOL formalisation of Green's Theorem
 author = Mohammad Abdulaziz <mailto:mohammad.abdulaziz8@gmail.com>, Lawrence C. Paulson <http://www.cl.cam.ac.uk/~lp15/>
 topic = Mathematics/Analysis
 date = 2018-01-11
 notify = mohammad.abdulaziz8@gmail.com, lp15@cam.ac.uk
 abstract =
   We formalise a statement of Green’s theorem—the first formalisation to
   our knowledge—in Isabelle/HOL. The theorem statement that we formalise
   is enough for most applications, especially in physics and
   engineering. Our formalisation is made possible by a novel proof that
   avoids the ubiquitous line integral cancellation argument. This
   eliminates the need to formalise orientations and region boundaries
   explicitly with respect to the outwards-pointing normal vector.
   Instead we appeal to a homological argument about equivalences between
   paths.
 
 [Gromov_Hyperbolicity]
 title = Gromov Hyperbolicity
 author = Sebastien Gouezel<>
 topic = Mathematics/Geometry
 date = 2018-01-16
 notify = sebastien.gouezel@univ-rennes1.fr
 abstract =
   A geodesic metric space is Gromov hyperbolic if all its geodesic
   triangles are thin, i.e., every side is contained in a fixed
   thickening of the two other sides. While this definition looks
   innocuous, it has proved extremely important and versatile in modern
   geometry since its introduction by Gromov.  We formalize the basic
   classical properties of Gromov hyperbolic spaces, notably the Morse
   lemma asserting that quasigeodesics are close to geodesics, the
   invariance of hyperbolicity under quasi-isometries, we define and
   study the Gromov boundary and its associated distance, and prove that
   a quasi-isometry between Gromov hyperbolic spaces extends to a
   homeomorphism of the boundaries. We also prove a less classical
   theorem, by Bonk and Schramm, asserting that a Gromov hyperbolic space
   embeds isometrically in a geodesic Gromov-hyperbolic space. As the
   original proof uses a transfinite sequence of Cauchy completions, this
   is an interesting formalization exercise.  Along the way, we introduce
   basic material on isometries, quasi-isometries, Lipschitz maps,
   geodesic spaces, the Hausdorff distance, the Cauchy completion of a
   metric space, and the exponential on extended real numbers.
 
 [Ordered_Resolution_Prover]
 title = Formalization of Bachmair and Ganzinger's Ordered Resolution Prover
 author = Anders Schlichtkrull <https://people.compute.dtu.dk/andschl/>, Jasmin Christian Blanchette <mailto:j.c.blanchette@vu.nl>, Dmitriy Traytel <mailto:traytel@inf.ethz.ch>, Uwe Waldmann <mailto:uwe@mpi-inf.mpg.de>
 topic = Logic/General logic/Mechanization of proofs
 date = 2018-01-18
 notify = andschl@dtu.dk, j.c.blanchette@vu.nl
 abstract =
   This Isabelle/HOL formalization covers Sections 2 to 4 of Bachmair and
   Ganzinger's "Resolution Theorem Proving" chapter in the
   <em>Handbook of Automated Reasoning</em>. This includes
   soundness and completeness of unordered and ordered variants of ground
   resolution with and without literal selection, the standard redundancy
   criterion, a general framework for refutational theorem proving, and
   soundness and completeness of an abstract first-order prover.
 
 [BNF_Operations]
 title = Operations on Bounded Natural Functors
 author = Jasmin Christian Blanchette <mailto:jasmin.blanchette@gmail.com>, Andrei Popescu <mailto:uuomul@yahoo.com>, Dmitriy Traytel <mailto:traytel@inf.ethz.ch>
 topic = Tools
 date = 2017-12-19
 notify = jasmin.blanchette@gmail.com,uuomul@yahoo.com,traytel@inf.ethz.ch
 abstract =
   This entry formalizes the closure property of bounded natural functors
   (BNFs) under seven operations. These operations and the corresponding
   proofs constitute the core of Isabelle's (co)datatype package. To
   be close to the implemented tactics, the proofs are deliberately
   formulated as detailed apply scripts. The (co)datatypes together with
   (co)induction principles and (co)recursors are byproducts of the
   fixpoint operations LFP and GFP. Composition of BNFs is subdivided
   into four simpler operations: Compose, Kill, Lift, and Permute. The
   N2M operation provides mutual (co)induction principles and
   (co)recursors for nested (co)datatypes.
 
 [LLL_Basis_Reduction]
 title = A verified LLL algorithm
 author = Ralph Bottesch <>, Jose Divasón <http://www.unirioja.es/cu/jodivaso/>, Maximilian Haslbeck <http://cl-informatik.uibk.ac.at/users/mhaslbeck/>, Sebastiaan Joosten <http://sjcjoosten.nl/>, René Thiemann <http://cl-informatik.uibk.ac.at/users/thiemann/>, Akihisa Yamada<>
 topic = Computer science/Algorithms/Mathematical, Mathematics/Algebra
 date = 2018-02-02
 notify = ralph.bottesch@uibk.ac.at, jose.divason@unirioja.es, maximilian.haslbeck@uibk.ac.at, s.j.c.joosten@utwente.nl, rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp
 abstract =
   The Lenstra-Lenstra-Lovász basis reduction algorithm, also known as
   LLL algorithm, is an algorithm to find a basis with short, nearly
   orthogonal vectors of an integer lattice. Thereby, it can also be seen
   as an approximation to solve the shortest vector problem (SVP), which
   is an NP-hard problem, where the approximation quality solely depends
   on the dimension of the lattice, but not the lattice itself. The
   algorithm also possesses many applications in diverse fields of
   computer science, from cryptanalysis to number theory, but it is
   specially well-known since it was used to implement the first
   polynomial-time algorithm to factor polynomials. In this work we
   present the first mechanized soundness proof of the LLL algorithm to
   compute short vectors in lattices. The formalization follows a
   textbook by von zur Gathen and Gerhard.
 extra-history =
         Change history:
         [2018-04-16]: Integrated formal complexity bounds (Haslbeck, Thiemann)
         [2018-05-25]: Integrated much faster LLL implementation based on integer arithmetic (Bottesch, Haslbeck, Thiemann)
 
 [LLL_Factorization]
 title = A verified factorization algorithm for integer polynomials with polynomial complexity
 author = Jose Divasón <http://www.unirioja.es/cu/jodivaso/>, Sebastiaan Joosten <http://sjcjoosten.nl/>, René Thiemann <http://cl-informatik.uibk.ac.at/users/thiemann/>, Akihisa Yamada <mailto:ayamada@trs.cm.is.nagoya-u.ac.jp>
 topic = Mathematics/Algebra
 date = 2018-02-06
 notify = jose.divason@unirioja.es, s.j.c.joosten@utwente.nl, rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp
 abstract =
   Short vectors in lattices and factors of integer polynomials are
   related. Each factor of an integer polynomial belongs to a certain
   lattice. When factoring polynomials, the condition that we are looking
   for an irreducible polynomial means that we must look for a small
   element in a lattice, which can be done by a basis reduction
   algorithm. In this development we formalize this connection and
   thereby one main application of the LLL basis reduction algorithm: an
   algorithm to factor square-free integer polynomials which runs in
   polynomial time. The work is based on our previous
   Berlekamp–Zassenhaus development, where the exponential reconstruction
   phase has been replaced by the polynomial-time basis reduction
   algorithm. Thanks to this formalization we found a serious flaw in a
   textbook.
 
 [Treaps]
 title = Treaps
 author = Maximilian Haslbeck <http://cl-informatik.uibk.ac.at/users/mhaslbeck/>, Manuel Eberl <https://www.in.tum.de/~eberlm>, Tobias Nipkow <https://www.in.tum.de/~nipkow>
 topic = Computer science/Data structures
 date = 2018-02-06
 notify = eberlm@in.tum.de
 abstract =
   <p> A Treap is a binary tree whose nodes contain pairs
   consisting of some payload and an associated priority. It must have
   the search-tree property w.r.t. the payloads and the heap property
   w.r.t. the priorities. Treaps are an interesting data structure that
   is related to binary search trees (BSTs) in the following way: if one
   forgets all the priorities of a treap, the resulting BST is exactly
   the same as if one had inserted the elements into an empty BST in
   order of ascending priority. This means that a treap behaves like a
   BST where we can pretend the elements were inserted in a different
   order from the one in which they were actually inserted. </p>
   <p> In particular, by choosing these priorities at random upon
   insertion of an element, we can pretend that we inserted the elements
   in <em>random order</em>, so that the shape of the
   resulting tree is that of a random BST no matter in what order we
   insert the elements. This is the main result of this
   formalisation.</p>
 
 [Skip_Lists]
 title = Skip Lists
 author = Max W. Haslbeck <http://cl-informatik.uibk.ac.at/users/mhaslbeck/>, Manuel Eberl <https://www21.in.tum.de/~eberlm/>
 topic = Computer science/Data structures
 date = 2020-01-09
 notify = max.haslbeck@gmx.de
 abstract =
   <p> Skip lists are sorted linked lists enhanced with shortcuts
   and are an alternative to binary search trees. A skip lists consists
   of multiple levels of sorted linked lists where a list on level n is a
   subsequence of the list on level n − 1. In the ideal case, elements
   are skipped in such a way that a lookup in a skip lists takes O(log n)
   time. In a randomised skip list the skipped elements are choosen
   randomly. </p> <p> This entry contains formalized proofs
   of the textbook results about the expected height and the expected
   length of a search path in a randomised skip list. </p>
 
 [Mersenne_Primes]
 title = Mersenne primes and the Lucas–Lehmer test
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory
 date = 2020-01-17
 notify = eberlm@in.tum.de
 abstract =
   <p>This article provides formal proofs of basic properties of
   Mersenne numbers, i. e. numbers of the form
   2<sup><em>n</em></sup> - 1, and especially of
   Mersenne primes.</p> <p>In particular, an efficient,
   verified, and executable version of the Lucas&ndash;Lehmer test is
   developed. This test decides primality for Mersenne numbers in time
   polynomial in <em>n</em>.</p>
 
 [Hoare_Time]
 title = Hoare Logics for Time Bounds
 author = Maximilian P. L. Haslbeck <http://www.in.tum.de/~haslbema>, Tobias Nipkow <https://www.in.tum.de/~nipkow>
 topic = Computer science/Programming languages/Logics
 date = 2018-02-26
 notify = haslbema@in.tum.de
 abstract =
   We study three different Hoare logics for reasoning about time bounds
   of imperative programs and formalize them in Isabelle/HOL: a classical
   Hoare like logic due to Nielson, a logic with potentials due to
   Carbonneaux <i>et al.</i> and a <i>separation
   logic</i> following work by Atkey, Chaguérand and Pottier.
   These logics are formally shown to be sound and complete. Verification
   condition generators are developed and are shown sound and complete
   too.  We also consider variants of the systems where we abstract from
   multiplicative constants in the running time bounds, thus supporting a
   big-O style of reasoning.  Finally we compare the expressive power of
   the three systems.
 
 [Architectural_Design_Patterns]
 title = A Theory of Architectural Design Patterns
 author = Diego Marmsoler <http://marmsoler.com>
 topic = Computer science/System description languages
 date = 2018-03-01
 notify = diego.marmsoler@tum.de
 abstract =
   The following document formalizes and verifies several architectural
   design patterns. Each pattern specification is formalized in terms of
   a locale where the locale assumptions correspond to the assumptions
   which a pattern poses on an architecture. Thus, pattern specifications
   may build on top of each other by interpreting the corresponding
   locale. A pattern is verified using the framework provided by the AFP
   entry Dynamic Architectures. Currently, the document consists of
   formalizations of 4 different patterns: the singleton, the publisher
   subscriber, the blackboard pattern, and the blockchain pattern.
   Thereby, the publisher component of the publisher subscriber pattern
   is modeled as an instance of the singleton pattern and the blackboard
   pattern is modeled as an instance of the publisher subscriber pattern.
   In general, this entry provides the first steps towards an overall
   theory of architectural design patterns.
 extra-history =
 	Change history:
 		[2018-05-25]: changing the major assumption for blockchain architectures from alternative minings to relative mining frequencies (revision 5043c5c71685)<br>
 		[2019-04-08]: adapting the terminology: honest instead of trusted, dishonest instead of untrusted (revision 7af3431a22ae)
 
 [Weight_Balanced_Trees]
 title = Weight-Balanced Trees
 author = Tobias Nipkow <https://www.in.tum.de/~nipkow>, Stefan Dirix<>
 topic = Computer science/Data structures
 date = 2018-03-13
 notify = nipkow@in.tum.de
 abstract =
   This theory provides a verified implementation of weight-balanced
   trees following the work of <a
   href="https://doi.org/10.1017/S0956796811000104">Hirai
   and Yamamoto</a> who proved that all parameters in a certain
   range are valid, i.e. guarantee that insertion and deletion preserve
   weight-balance. Instead of a general theorem we provide parameterized
   proofs of preservation of the invariant that work for many (all?)
   valid parameters.
 
 [Fishburn_Impossibility]
 title = The Incompatibility of Fishburn-Strategyproofness and Pareto-Efficiency
 author = Felix Brandt <http://dss.in.tum.de/staff/brandt.html>, Manuel Eberl <https://www21.in.tum.de/~eberlm>, Christian Saile <http://dss.in.tum.de/staff/christian-saile.html>, Christian Stricker <http://dss.in.tum.de/staff/christian-stricker.html>
 topic = Mathematics/Games and economics
 date = 2018-03-22
 notify = eberlm@in.tum.de
 abstract =
   <p>This formalisation contains the proof that there is no
   anonymous Social Choice Function for at least three agents and
   alternatives that fulfils both Pareto-Efficiency and
   Fishburn-Strategyproofness. It was derived from a proof of <a
   href="http://dss.in.tum.de/files/brandt-research/stratset.pdf">Brandt
   <em>et al.</em></a>, which relies on an unverified
   translation of a fixed finite instance of the original problem to SAT.
   This Isabelle proof contains a machine-checked version of both the
   statement for exactly three agents and alternatives and the lifting to
   the general case.</p>
 
 [BNF_CC]
 title = Bounded Natural Functors with Covariance and Contravariance
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>, Joshua Schneider <mailto:joshua.schneider@inf.ethz.ch>
 topic = Computer science/Functional programming, Tools
 date = 2018-04-24
 notify = mail@andreas-lochbihler.de, joshua.schneider@inf.ethz.ch
 abstract =
   Bounded natural functors (BNFs) provide a modular framework for the
   construction of (co)datatypes in higher-order logic.  Their functorial
   operations, the mapper and relator, are restricted to a subset of the
   parameters, namely those where recursion can take place.  For certain
   applications, such as free theorems, data refinement, quotients, and
   generalised rewriting, it is desirable that these operations do not
   ignore the other parameters.  In this article, we formalise the
   generalisation BNF<sub>CC</sub> that extends the mapper
   and relator to covariant and contravariant parameters.  We show that
   <ol> <li> BNF<sub>CC</sub>s are closed under
   functor composition and least and greatest fixpoints,</li>
   <li> subtypes inherit the BNF<sub>CC</sub> structure
   under conditions that generalise those for the BNF case,
   and</li> <li> BNF<sub>CC</sub>s preserve
   quotients under mild conditions.</li> </ol> These proofs
   are carried out for abstract BNF<sub>CC</sub>s similar to
   the AFP entry BNF Operations.  In addition, we apply the
   BNF<sub>CC</sub> theory to several concrete functors.
 
 [Modular_Assembly_Kit_Security]
 title = An Isabelle/HOL Formalization of the Modular Assembly Kit for Security Properties
 author = Oliver Bračevac <mailto:bracevac@st.informatik.tu-darmstadt.de>, Richard Gay <mailto:gay@mais.informatik.tu-darmstadt.de>, Sylvia Grewe <mailto:grewe@st.informatik.tu-darmstadt.de>, Heiko Mantel <mailto:mantel@mais.informatik.tu-darmstadt.de>, Henning Sudbrock <mailto:sudbrock@mais.informatik.tu-darmstadt.de>, Markus Tasch <mailto:tasch@mais.informatik.tu-darmstadt.de>
 topic = Computer science/Security
 date = 2018-05-07
 notify = tasch@mais.informatik.tu-darmstadt.de
 abstract =
   The "Modular Assembly Kit for Security Properties" (MAKS) is
   a framework for both the definition and verification of possibilistic
   information-flow security properties at the specification-level. MAKS
   supports the uniform representation of a wide range of possibilistic
   information-flow properties and provides support for the verification
   of such properties via unwinding results and compositionality results.
   We provide a formalization of this framework in Isabelle/HOL.
 
 [AxiomaticCategoryTheory]
 title = Axiom Systems for Category Theory in Free Logic
 author = Christoph Benzmüller <http://christoph-benzmueller.de>, Dana Scott <http://www.cs.cmu.edu/~scott/>
 topic = Mathematics/Category theory
 date = 2018-05-23
 notify = c.benzmueller@gmail.com
 abstract =
   This document provides a concise overview on the core results of our
   previous work on the exploration of axioms systems for category
   theory. Extending the previous studies
   (http://arxiv.org/abs/1609.01493) we include one further axiomatic
   theory in our experiments. This additional theory has been suggested
   by Mac Lane in 1948. We show that the axioms proposed by Mac Lane are
   equivalent to the ones we studied before, which includes an axioms set
   suggested by Scott in the 1970s and another axioms set proposed by
   Freyd and Scedrov in 1990, which we slightly modified to remedy a
   minor technical issue.
 
 [OpSets]
 title = OpSets: Sequential Specifications for Replicated Datatypes
 author = Martin Kleppmann <mailto:mk428@cl.cam.ac.uk>, Victor B. F. Gomes <mailto:vb358@cl.cam.ac.uk>, Dominic P. Mulligan <mailto:Dominic.Mulligan@arm.com>, Alastair R. Beresford <mailto:arb33@cl.cam.ac.uk>
 topic = Computer science/Algorithms/Distributed, Computer science/Data structures
 date = 2018-05-10
 notify = vb358@cam.ac.uk
 abstract =
   We introduce OpSets, an executable framework for specifying and
   reasoning about the semantics of replicated datatypes that provide
   eventual consistency in a distributed system, and for mechanically
   verifying algorithms that implement these datatypes. Our approach is
   simple but expressive, allowing us to succinctly specify a variety of
   abstract datatypes, including maps, sets, lists, text, graphs, trees,
   and registers. Our datatypes are also composable, enabling the
   construction of complex data structures. To demonstrate the utility of
   OpSets for analysing replication algorithms, we highlight an important
   correctness property for collaborative text editing that has
   traditionally been overlooked; algorithms that do not satisfy this
   property can exhibit awkward interleaving of text. We use OpSets to
   specify this correctness property and prove that although one existing
   replication algorithm satisfies this property, several other published
   algorithms do not.
 
 [Irrationality_J_Hancl]
 title = Irrational Rapidly Convergent Series
 author = Angeliki Koutsoukou-Argyraki <http://www.cl.cam.ac.uk/~ak2110/>, Wenda Li <http://www.cl.cam.ac.uk/~wl302/>
 topic = Mathematics/Number theory, Mathematics/Analysis
 date = 2018-05-23
 notify = ak2110@cam.ac.uk, wl302@cam.ac.uk
 abstract =
   We formalize with Isabelle/HOL a proof of a theorem by J. Hancl asserting the
   irrationality of the sum of a series consisting of rational numbers, built up
   by sequences that fulfill certain properties. Even though the criterion is a
   number theoretic result, the proof makes use only of analytical arguments. We
   also formalize a corollary of the theorem for a specific series fulfilling the
   assumptions of the theorem.
 
 [Optimal_BST]
 title = Optimal Binary Search Trees
 author = Tobias Nipkow <https://www.in.tum.de/~nipkow>, Dániel Somogyi <>
 topic = Computer science/Algorithms, Computer science/Data structures
 date = 2018-05-27
 notify = nipkow@in.tum.de
 abstract =
   This article formalizes recursive algorithms for the construction
   of optimal binary search trees given fixed access frequencies.
   We follow Knuth (1971), Yao (1980) and Mehlhorn (1984).
   The algorithms are memoized with the help of the AFP article
   <a href="Monad_Memo_DP.html">Monadification, Memoization and Dynamic Programming</a>,
   thus yielding dynamic programming algorithms.
 
 [Projective_Geometry]
 title = Projective Geometry
 author = Anthony Bordg <https://sites.google.com/site/anthonybordg/>
 topic = Mathematics/Geometry
 date = 2018-06-14
 notify = apdb3@cam.ac.uk
 abstract =
   We formalize the basics of projective geometry. In particular, we give
   a proof of the so-called Hessenberg's theorem in projective plane
   geometry. We also provide a proof of the so-called Desargues's
   theorem based on an axiomatization of (higher) projective space
   geometry using the notion of rank of a matroid. This last approach
   allows to handle incidence relations in an homogeneous way dealing
   only with points and without the need of talking explicitly about
   lines, planes or any higher entity.
 
 [Localization_Ring]
 title = The Localization of a Commutative Ring
 author = Anthony Bordg <https://sites.google.com/site/anthonybordg/>
 topic = Mathematics/Algebra
 date = 2018-06-14
 notify = apdb3@cam.ac.uk
 abstract =
   We formalize the localization of a commutative ring R with respect to
   a multiplicative subset (i.e. a submonoid of R seen as a
   multiplicative monoid). This localization is itself a commutative ring
   and we build the natural homomorphism of rings from R to its
   localization.
 
 [Minsky_Machines]
 title = Minsky Machines
 author = Bertram Felgenhauer<>
 topic = Logic/Computability
 date = 2018-08-14
 notify = int-e@gmx.de
 abstract =
   <p> We formalize undecidablity results for Minsky machines. To
   this end, we also formalize recursive inseparability.
   </p><p> We start by proving that Minsky machines can
   compute arbitrary primitive recursive and recursive functions. We then
   show that there is a deterministic Minsky machine with one argument
   and two final states such that the set of inputs that are accepted in
   one state is recursively inseparable from the set of inputs that are
   accepted in the other state. </p><p> As a corollary, the
   set of Minsky configurations that reach the first state but not the
   second recursively inseparable from the set of Minsky configurations
   that reach the second state but not the first. In particular both
   these sets are undecidable. </p><p> We do
   <em>not</em> prove that recursive functions can simulate
   Minsky machines. </p>
 
 [Neumann_Morgenstern_Utility]
 title = Von-Neumann-Morgenstern Utility Theorem
 author = Julian Parsert<mailto:julian.parsert@gmail.com>, Cezary Kaliszyk<http://cl-informatik.uibk.ac.at/users/cek/>
 topic = Mathematics/Games and economics
 license = LGPL
 date = 2018-07-04
 notify = julian.parsert@uibk.ac.at, cezary.kaliszyk@uibk.ac.at
 abstract =
   Utility functions form an essential part of game theory and economics.
   In order to guarantee the existence of utility functions most of the
   time sufficient properties are assumed in an axiomatic manner. One
   famous and very common set of such assumptions is that of expected
   utility theory. Here, the rationality, continuity, and independence of
   preferences is assumed. The von-Neumann-Morgenstern Utility theorem
   shows that these assumptions are necessary and sufficient for an
   expected utility function to exists. This theorem was proven by
   Neumann and Morgenstern in ``Theory of Games and Economic
   Behavior'' which is regarded as one of the most influential
   works in game theory. The formalization includes formal definitions of
   the underlying concepts including continuity and independence of
   preferences.
 
 [Simplex]
 title = An Incremental Simplex Algorithm with Unsatisfiable Core Generation
 author = Filip Marić <mailto:filip@matf.bg.ac.rs>, Mirko Spasić <mailto:mirko@matf.bg.ac.rs>, René Thiemann <http://cl-informatik.uibk.ac.at/~thiemann/>
 topic = Computer science/Algorithms/Optimization
 date = 2018-08-24
 notify = rene.thiemann@uibk.ac.at
 abstract =
   We present an Isabelle/HOL formalization and total correctness proof
   for the incremental version of the Simplex algorithm which is used in
   most state-of-the-art SMT solvers. It supports extraction of
   satisfying assignments, extraction of minimal unsatisfiable cores, incremental
   assertion of constraints and backtracking. The formalization relies on
   stepwise program refinement, starting from a simple specification,
   going through a number of refinement steps, and ending up in a fully
   executable functional implementation. Symmetries present in the
   algorithm are handled with special care.
 
 [Budan_Fourier]
 title = The Budan-Fourier Theorem and Counting Real Roots with Multiplicity
 author = Wenda Li <https://www.cl.cam.ac.uk/~wl302/>
 topic = Mathematics/Analysis
 date = 2018-09-02
 notify = wl302@cam.ac.uk, liwenda1990@hotmail.com
 abstract =
   This entry is mainly about counting and approximating real roots (of a
   polynomial) with multiplicity. We have first formalised the
   Budan-Fourier theorem: given a polynomial with real coefficients, we
   can calculate sign variations on Fourier sequences to over-approximate
   the number of real roots (counting multiplicity) within an interval.
   When all roots are known to be real, the over-approximation becomes
   tight: we can utilise this theorem to count real roots exactly. It is
   also worth noting that Descartes' rule of sign is a direct
   consequence of the Budan-Fourier theorem, and has been included in
   this entry. In addition, we have extended previous formalised
   Sturm's theorem to count real roots with multiplicity, while the
   original Sturm's theorem only counts distinct real roots.
   Compared to the Budan-Fourier theorem, our extended Sturm's
   theorem always counts roots exactly but may suffer from greater
   computational cost.
 
 [Quaternions]
 title = Quaternions
 author = Lawrence C. Paulson <https://www.cl.cam.ac.uk/~lp15/>
 topic = Mathematics/Algebra, Mathematics/Geometry
 date = 2018-09-05
 notify = lp15@cam.ac.uk
 abstract =
   This theory is inspired by the HOL Light development of quaternions,
   but follows its own route. Quaternions are developed coinductively, as
   in the existing formalisation of the complex numbers. Quaternions are
   quickly shown to belong to the type classes of real normed division
   algebras and real inner product spaces. And therefore they inherit a
   great body of facts involving algebraic  laws, limits, continuity,
   etc., which must be proved explicitly in the HOL Light version.  The
   development concludes with the geometric interpretation of the product
   of imaginary quaternions.
 
 [Octonions]
 title = Octonions
 author = Angeliki Koutsoukou-Argyraki <http://www.cl.cam.ac.uk/~ak2110/>
 topic = Mathematics/Algebra, Mathematics/Geometry
 date = 2018-09-14
 notify = ak2110@cam.ac.uk
 abstract =
   We develop the basic theory of Octonions, including various identities
   and properties of the octonions and of the octonionic product, a
   description of 7D isometries and representations of orthogonal
   transformations. To this end we first develop the theory of the vector
   cross product in 7 dimensions. The development of the theory of
   Octonions is inspired by that of the theory of Quaternions by Lawrence
   Paulson. However, we do not work within the type class real_algebra_1
   because the octonionic product is not associative.
 
 [Aggregation_Algebras]
 title = Aggregation Algebras
 author = Walter Guttmann <http://www.cosc.canterbury.ac.nz/walter.guttmann/>
 topic = Mathematics/Algebra
 date = 2018-09-15
 notify = walter.guttmann@canterbury.ac.nz
 abstract =
   We develop algebras for aggregation and minimisation for weight
   matrices and for edge weights in graphs. We verify the correctness of
   Prim's and Kruskal's minimum spanning tree algorithms based
   on these algebras. We also show numerous instances of these algebras
   based on linearly ordered commutative semigroups.
 
 [Prime_Number_Theorem]
 title = The Prime Number Theorem
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>, Lawrence C. Paulson <https://www.cl.cam.ac.uk/~lp15/>
 topic = Mathematics/Number theory
 date = 2018-09-19
 notify = eberlm@in.tum.de
 abstract =
   <p>This article provides a short proof of the Prime Number
   Theorem in several equivalent forms, most notably
   &pi;(<em>x</em>) ~ <em>x</em>/ln
   <em>x</em> where &pi;(<em>x</em>) is the
   number of primes no larger than <em>x</em>. It also
   defines other basic number-theoretic functions related to primes like
   Chebyshev's functions &thetasym; and &psi; and the
   &ldquo;<em>n</em>-th prime number&rdquo; function
   p<sub><em>n</em></sub>. We also show various
   bounds and relationship between these functions are shown. Lastly, we
   derive Mertens' First and Second Theorem, i.&thinsp;e.
   &sum;<sub><em>p</em>&le;<em>x</em></sub>
   ln <em>p</em>/<em>p</em> = ln
   <em>x</em> + <em>O</em>(1) and
   &sum;<sub><em>p</em>&le;<em>x</em></sub>
   1/<em>p</em> = ln ln <em>x</em> + M +
   <em>O</em>(1/ln <em>x</em>). We also give
   explicit bounds for the remainder terms.</p> <p>The proof
   of the Prime Number Theorem builds on a library of Dirichlet series
   and analytic combinatorics. We essentially follow the presentation by
   Newman. The core part of the proof is a Tauberian theorem for
   Dirichlet series, which is proven using complex analysis and then used
   to strengthen Mertens' First Theorem to
   &sum;<sub><em>p</em>&le;<em>x</em></sub>
   ln <em>p</em>/<em>p</em> = ln
   <em>x</em> + c + <em>o</em>(1).</p>
   <p>A variant of this proof has been formalised before by
   Harrison in HOL Light, and formalisations of Selberg's elementary
   proof exist both by Avigad <em>et al.</em> in Isabelle and
   by Carneiro in Metamath. The advantage of the analytic proof is that,
   while it requires more powerful mathematical tools, it is considerably
   shorter and clearer. This article attempts to provide a short and
   clear formalisation of all components of that proof using the full
   range of mathematical machinery available in Isabelle, staying as
   close as possible to Newman's simple paper proof.</p>
 
 [Signature_Groebner]
 title = Signature-Based Gröbner Basis Algorithms
 author = Alexander Maletzky <https://risc.jku.at/m/alexander-maletzky/>
 topic = Mathematics/Algebra, Computer science/Algorithms/Mathematical
 date = 2018-09-20
 notify = alexander.maletzky@risc.jku.at
 abstract =
   <p>This article formalizes signature-based algorithms for computing
   Gr&ouml;bner bases. Such algorithms are, in general, superior to
   other algorithms in terms of efficiency, and have not been formalized
   in any proof assistant so far. The present development is both
   generic, in the sense that most known variants of signature-based
   algorithms are covered by it, and effectively executable on concrete
   input thanks to Isabelle's code generator. Sample computations of
   benchmark problems show that the verified implementation of
   signature-based algorithms indeed outperforms the existing
   implementation of Buchberger's algorithm in Isabelle/HOL.</p>
   <p>Besides total correctness of the algorithms, the article also proves
   that under certain conditions they a-priori detect and avoid all
   useless zero-reductions, and always return 'minimal' (in
   some sense) Gr&ouml;bner bases if an input parameter is chosen in
   the right way.</p><p>The formalization follows the recent survey article by
   Eder and Faug&egrave;re.</p>
 
 [Factored_Transition_System_Bounding]
 title = Upper Bounding Diameters of State Spaces of Factored Transition Systems
 author = Friedrich Kurz <>, Mohammad Abdulaziz <http://home.in.tum.de/~mansour/>
 topic = Computer science/Automata and formal languages, Mathematics/Graph theory
 date = 2018-10-12
 notify = friedrich.kurz@tum.de, mohammad.abdulaziz@in.tum.de
 abstract =
   A completeness threshold is required to guarantee the completeness of
   planning as satisfiability, and bounded model checking of safety
   properties. One valid completeness threshold is the diameter of the
   underlying transition system. The diameter is the maximum element in
   the set of lengths of all shortest paths between pairs of states. The
   diameter is not calculated exactly in our setting, where the
   transition system is succinctly described using a (propositionally)
   factored representation. Rather, an upper bound on the diameter is
   calculated compositionally, by bounding the diameters of small
   abstract subsystems, and then composing those.  We port a HOL4
   formalisation of a compositional algorithm for computing a relatively
   tight upper bound on the system diameter. This compositional algorithm
   exploits acyclicity in the state space to achieve compositionality,
   and it was introduced by Abdulaziz et. al. The formalisation that we
   port is described as a part of another paper by Abdulaziz et. al. As a
   part of this porting we developed a libray about transition systems,
   which shall be of use in future related mechanisation efforts.
 
 [Smooth_Manifolds]
 title = Smooth Manifolds
 author = Fabian Immler <http://home.in.tum.de/~immler/>, Bohua Zhan <http://lcs.ios.ac.cn/~bzhan/>
 topic = Mathematics/Analysis, Mathematics/Topology
 date = 2018-10-22
 notify = immler@in.tum.de, bzhan@ios.ac.cn
 abstract =
   We formalize the definition and basic properties of smooth manifolds
   in Isabelle/HOL. Concepts covered include partition of unity, tangent
   and cotangent spaces, and the fundamental theorem of path integrals.
   We also examine some concrete manifolds such as spheres and projective
   spaces. The formalization makes extensive use of the analysis and
   linear algebra libraries in Isabelle/HOL, in particular its
   “types-to-sets” mechanism.
 
 [Matroids]
 title = Matroids
 author = Jonas Keinholz<>
 topic = Mathematics/Combinatorics
 date = 2018-11-16
 notify = eberlm@in.tum.de
 abstract =
   <p>This article defines the combinatorial structures known as
   <em>Independence Systems</em> and
   <em>Matroids</em> and provides basic concepts and theorems
   related to them. These structures play an important role in
   combinatorial optimisation, e. g. greedy algorithms such as
   Kruskal's algorithm. The development is based on Oxley's
   <a href="http://www.math.lsu.edu/~oxley/survey4.pdf">`What
   is a Matroid?'</a>.</p>
 
 [Graph_Saturation]
 title = Graph Saturation
 author = Sebastiaan J. C. Joosten<>
 topic = Logic/Rewriting, Mathematics/Graph theory
 date = 2018-11-23
 notify = sjcjoosten@gmail.com
 abstract =
   This is an Isabelle/HOL formalisation of graph saturation, closely
   following a <a href="https://doi.org/10.1016/j.jlamp.2018.06.005">paper by the author</a> on graph saturation.
   Nine out of ten lemmas of the original paper are proven in this
   formalisation. The formalisation additionally includes two theorems
   that show the main premise of the paper: that consistency and
   entailment are decided through graph saturation. This formalisation
   does not give executable code, and it did not implement any of the
   optimisations suggested in the paper.
 
 [Functional_Ordered_Resolution_Prover]
 title = A Verified Functional Implementation of Bachmair and Ganzinger's Ordered Resolution Prover
 author = Anders Schlichtkrull <https://people.compute.dtu.dk/andschl/>, Jasmin Christian Blanchette <mailto:j.c.blanchette@vu.nl>, Dmitriy Traytel <mailto:traytel@inf.ethz.ch>
 topic = Logic/General logic/Mechanization of proofs
 date = 2018-11-23
 notify = andschl@dtu.dk,j.c.blanchette@vu.nl,traytel@inf.ethz.ch
 abstract =
   This Isabelle/HOL formalization refines the abstract ordered
   resolution prover  presented in Section 4.3 of Bachmair and
   Ganzinger's "Resolution Theorem Proving" chapter in the
   <i>Handbook of Automated Reasoning</i>. The result is a
   functional implementation of a first-order prover.
 
 [Auto2_HOL]
 title = Auto2 Prover
 author = Bohua Zhan <http://lcs.ios.ac.cn/~bzhan/>
 topic = Tools
 date = 2018-11-20
 notify = bzhan@ios.ac.cn
 abstract =
   Auto2 is a saturation-based heuristic prover for higher-order logic,
   implemented as a tactic in Isabelle.  This entry contains the
   instantiation of auto2 for Isabelle/HOL, along with two basic
   examples: solutions to some of the Pelletier’s problems, and
   elementary number theory of primes.
 
 [Order_Lattice_Props]
 title = Properties of Orderings and Lattices
 author = Georg Struth <http://staffwww.dcs.shef.ac.uk/people/G.Struth/>
 topic = Mathematics/Order
 date = 2018-12-11
 notify = g.struth@sheffield.ac.uk
 abstract =
   These components add further fundamental order and lattice-theoretic
   concepts and properties to Isabelle's libraries.  They follow by
   and large the introductory sections of the Compendium of Continuous
   Lattices,  covering directed and filtered sets, down-closed and
   up-closed sets, ideals and filters, Galois connections, closure and
   co-closure operators. Some emphasis is on duality and morphisms
   between structures, as in the Compendium.  To this end, three ad-hoc
   approaches to duality are compared.
 
 [Quantales]
 title = Quantales
 author = Georg Struth <http://staffwww.dcs.shef.ac.uk/people/G.Struth/>
 topic = Mathematics/Algebra
 date = 2018-12-11
 notify = g.struth@sheffield.ac.uk
 abstract =
   These mathematical components formalise basic properties of quantales,
   together with some important models, constructions, and concepts,
   including quantic nuclei and conuclei.
 
 [Transformer_Semantics]
 title = Transformer Semantics
 author = Georg Struth <http://staffwww.dcs.shef.ac.uk/people/G.Struth/>
 topic = Mathematics/Algebra, Computer science/Semantics
 date = 2018-12-11
 notify = g.struth@sheffield.ac.uk
 abstract =
   These mathematical components formalise predicate transformer
   semantics for programs, yet currently only for partial correctness and
   in the absence of faults.  A first part for isotone (or monotone),
   Sup-preserving and Inf-preserving transformers follows Back and von
   Wright's approach, with additional emphasis on the quantalic
   structure of algebras of transformers.  The second part develops
   Sup-preserving and Inf-preserving predicate transformers from the
   powerset monad, via its Kleisli category and Eilenberg-Moore algebras,
   with emphasis on adjunctions and dualities, as well as isomorphisms
   between relations, state transformers and predicate transformers.
 
 [Concurrent_Revisions]
 title = Formalization of Concurrent Revisions
 author = Roy Overbeek <mailto:Roy.Overbeek@cwi.nl>
 topic = Computer science/Concurrency
 date = 2018-12-25
 notify = Roy.Overbeek@cwi.nl
 abstract =
   Concurrent revisions is a concurrency control model developed by
   Microsoft Research. It has many interesting properties that
   distinguish it from other well-known models such as transactional
   memory. One of these properties is <em>determinacy</em>:
   programs written within the model always produce the same outcome,
   independent of scheduling activity. The concurrent revisions model has
   an operational semantics, with an informal proof of determinacy. This
   document contains an Isabelle/HOL formalization of this semantics and
   the proof of determinacy.
 
 [Core_DOM]
 title = A Formal Model of the Document Object Model
 author = Achim D. Brucker <https://www.brucker.ch/>, Michael Herzberg <http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg>
 topic = Computer science/Data structures
 date = 2018-12-26
 notify = adbrucker@0x5f.org
 abstract =
   In this AFP entry, we formalize the core of the Document Object Model
   (DOM).  At its core, the DOM defines a tree-like data structure for
   representing documents in general and HTML documents in particular. It
   is the heart of any modern web browser.  Formalizing the key concepts
   of the DOM is a prerequisite for the formal reasoning over client-side
   JavaScript programs and for the analysis of security concepts in
   modern web browsers.  We present a formalization of the core DOM, with
   focus on the node-tree and the operations defined on node-trees, in
   Isabelle/HOL. We use the formalization to verify the functional
   correctness of the most important functions defined in the DOM
   standard. Moreover, our formalization is 1) extensible, i.e., can be
   extended without the need of re-proving already proven properties and
   2) executable, i.e., we can generate executable code from our
   specification.
 
 [Store_Buffer_Reduction]
 title = A Reduction Theorem for Store Buffers
 author = Ernie Cohen <mailto:ecohen@amazon.com>, Norbert Schirmer <mailto:norbert.schirmer@web.de>
 topic = Computer science/Concurrency
 date = 2019-01-07
 notify = norbert.schirmer@web.de
 abstract =
   When verifying a concurrent program, it is usual to assume that memory
   is sequentially consistent.  However, most modern multiprocessors
   depend on store buffering for efficiency, and provide native
   sequential consistency only at a substantial performance penalty.  To
   regain sequential consistency, a programmer has to follow an
   appropriate programming discipline. However, na&iuml;ve disciplines,
   such as protecting all shared accesses with locks, are not flexible
   enough for building high-performance multiprocessor software.  We
   present a new discipline for concurrent programming under TSO (total
   store order, with store buffer forwarding). It does not depend on
   concurrency primitives, such as locks. Instead, threads use ghost
   operations to acquire and release ownership of memory addresses. A
   thread can write to an address only if no other thread owns it, and
   can read from an address only if it owns it or it is shared and the
   thread has flushed its store buffer since it last wrote to an address
   it did not own. This discipline covers both coarse-grained concurrency
   (where data is protected by locks) as well as fine-grained concurrency
   (where atomic operations race to memory).  We formalize this
   discipline in Isabelle/HOL, and prove that if every execution of a
   program in a system without store buffers follows the discipline, then
   every execution of the program with store buffers is sequentially
   consistent. Thus, we can show sequential consistency under TSO by
   ordinary assertional reasoning about the program, without having to
   consider store buffers at all.
 
 [IMP2]
 title = IMP2 – Simple Program Verification in Isabelle/HOL
 author = Peter Lammich <http://www21.in.tum.de/~lammich>, Simon Wimmer <http://in.tum.de/~wimmers>
 topic = Computer science/Programming languages/Logics, Computer science/Algorithms
 date = 2019-01-15
 notify = lammich@in.tum.de
 abstract =
   IMP2 is a simple imperative language together with Isabelle tooling to
   create a program verification environment in Isabelle/HOL. The tools
   include a C-like syntax, a verification condition generator, and
   Isabelle commands for the specification of programs. The framework is
   modular, i.e., it allows easy reuse of already proved programs within
   larger programs.  This entry comes with a quickstart guide and a large
   collection of examples, spanning basic algorithms with simple proofs
   to more advanced algorithms and proof techniques like data refinement.
   Some highlights from the examples are: <ul> <li>Bisection
   Square Root, </li> <li>Extended Euclid,  </li>
   <li>Exponentiation by Squaring,  </li> <li>Binary
   Search,  </li> <li>Insertion Sort,  </li>
   <li>Quicksort,  </li> <li>Depth First Search.
   </li> </ul>  The abstract syntax and semantics are very
   simple and well-documented. They are suitable to be used in a course,
   as extension to the IMP language which comes with the Isabelle
   distribution.  While this entry is limited to a simple imperative
   language, the ideas could be extended to more sophisticated languages.
 
 [Farkas]
 title = Farkas' Lemma and Motzkin's Transposition Theorem
 author = Ralph Bottesch <http://cl-informatik.uibk.ac.at/users/bottesch/>, Max W. Haslbeck <http://cl-informatik.uibk.ac.at/users/mhaslbeck/>, René Thiemann <http://cl-informatik.uibk.ac.at/~thiemann/>
 topic = Mathematics/Algebra
 date = 2019-01-17
 notify = rene.thiemann@uibk.ac.at
 abstract =
   We formalize a proof of Motzkin's transposition theorem and
   Farkas' lemma in Isabelle/HOL. Our proof is based on the
   formalization of the simplex algorithm which, given a set of linear
   constraints, either returns a satisfying assignment to the problem or
   detects unsatisfiability. By reusing facts about the simplex algorithm
   we show that a set of linear constraints is unsatisfiable if and only
   if there is a linear combination of the constraints which evaluates to
   a trivially unsatisfiable inequality.
 
 [Auto2_Imperative_HOL]
 title = Verifying Imperative Programs using Auto2
 author = Bohua Zhan <http://lcs.ios.ac.cn/~bzhan/>
 topic = Computer science/Algorithms, Computer science/Data structures
 date = 2018-12-21
 notify = bzhan@ios.ac.cn
 abstract =
   This entry contains the application of auto2 to verifying functional
   and imperative programs. Algorithms and data structures that are
   verified include linked lists, binary search trees, red-black trees,
   interval trees, priority queue, quicksort, union-find, Dijkstra's
   algorithm, and a sweep-line algorithm for detecting rectangle
   intersection. The imperative verification is based on Imperative HOL
   and its separation logic framework. A major goal of this work is to
   set up automation in order to reduce the length of proof that the user
   needs to provide, both for verifying functional programs and for
   working with separation logic.
 
 [UTP]
 title = Isabelle/UTP: Mechanised Theory Engineering for Unifying Theories of Programming
 author = Simon Foster <https://www-users.cs.york.ac.uk/~simonf/>, Frank Zeyda<>, Yakoub Nemouchi <mailto:yakoub.nemouchi@york.ac.uk>, Pedro Ribeiro<>, Burkhart Wolff<mailto:wolff@lri.fr>
 topic = Computer science/Programming languages/Logics
 date = 2019-02-01
 notify = simon.foster@york.ac.uk
 abstract =
   Isabelle/UTP is a mechanised theory engineering toolkit based on Hoare
   and He’s Unifying Theories of Programming (UTP). UTP enables the
   creation of denotational, algebraic, and operational semantics for
   different programming languages using an alphabetised relational
   calculus. We provide a semantic embedding of the alphabetised
   relational calculus in Isabelle/HOL, including new type definitions,
   relational constructors, automated proof tactics, and accompanying
   algebraic laws. Isabelle/UTP can be used to both capture laws of
   programming for different languages, and put these fundamental
   theorems to work in the creation of associated verification tools,
   using calculi like Hoare logics. This document describes the
   relational core of the UTP in Isabelle/HOL.
 
 [HOL-CSP]
 title = HOL-CSP Version 2.0
 author = Safouan Taha <mailto:safouan.taha@lri.fr>, Lina Ye <mailto:lina.ye@lri.fr>, Burkhart Wolff<mailto:wolff@lri.fr>
 topic = Computer science/Concurrency/Process calculi, Computer science/Semantics
 date = 2019-04-26
 notify = wolff@lri.fr
 abstract =
   This is a complete formalization of the work of Hoare and Roscoe on
   the denotational semantics of the Failure/Divergence Model of CSP. It
   follows essentially the presentation of CSP in Roscoe’s Book ”Theory
   and Practice of Concurrency” [8] and the semantic details in a joint
   Paper of Roscoe and Brooks ”An improved failures model for
   communicating processes".  The present work is based on a prior
   formalization attempt, called HOL-CSP 1.0, done in 1997 by H. Tej and
   B. Wolff with the Isabelle proof technology available at that time.
   This work revealed minor, but omnipresent foundational errors in key
   concepts like the process invariant. The present version HOL-CSP
   profits from substantially improved libraries (notably HOLCF),
   improved automated proof techniques, and structured proof techniques
   in Isar and is substantially shorter but more complete.
 
 [Probabilistic_Prime_Tests]
 title = Probabilistic Primality Testing
 author = Daniel Stüwe<>, Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory
 date = 2019-02-11
 notify = eberlm@in.tum.de
 abstract =
   <p>The most efficient known primality tests are
   <em>probabilistic</em> in the sense that they use
   randomness and may, with some probability, mistakenly classify a
   composite number as prime &ndash; but never a prime number as
   composite. Examples of this are the Miller&ndash;Rabin test, the
   Solovay&ndash;Strassen test, and (in most cases) Fermat's
   test.</p> <p>This entry defines these three tests and
   proves their correctness. It also develops some of the
   number-theoretic foundations, such as Carmichael numbers and the
   Jacobi symbol with an efficient executable algorithm to compute
   it.</p>
 
 [Kruskal]
 title = Kruskal's Algorithm for Minimum Spanning Forest
 author = Maximilian P.L. Haslbeck <http://in.tum.de/~haslbema/>, Peter Lammich <http://www21.in.tum.de/~lammich>, Julian Biendarra<>
 topic = Computer science/Algorithms/Graph
 date = 2019-02-14
 notify = haslbema@in.tum.de, lammich@in.tum.de
 abstract =
   This Isabelle/HOL formalization defines a greedy algorithm for finding
   a minimum weight basis on a weighted matroid and proves its
   correctness. This algorithm is an abstract version of Kruskal's
   algorithm.  We interpret the abstract algorithm for the cycle matroid
   (i.e. forests in a graph) and refine it to imperative executable code
   using an efficient union-find data structure.  Our formalization can
   be instantiated for different graph representations. We provide
   instantiations for undirected graphs and symmetric directed graphs.
 
 [List_Inversions]
 title = The Inversions of a List
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Computer science/Algorithms
 date = 2019-02-01
 notify = eberlm@in.tum.de
 abstract =
   <p>This entry defines the set of <em>inversions</em>
   of a list, i.e. the pairs of indices that violate sortedness. It also
   proves the correctness of the well-known
   <em>O</em>(<em>n log n</em>)
   divide-and-conquer algorithm to compute the number of
   inversions.</p>
 
 [Prime_Distribution_Elementary]
 title = Elementary Facts About the Distribution of Primes
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory
 date = 2019-02-21
 notify = eberlm@in.tum.de
 abstract =
   <p>This entry is a formalisation of Chapter 4 (and parts of
   Chapter 3) of Apostol's <a
   href="https://www.springer.com/de/book/9780387901633"><em>Introduction
   to Analytic Number Theory</em></a>. The main topics that
   are addressed are properties of the distribution of prime numbers that
   can be shown in an elementary way (i.&thinsp;e. without the Prime
   Number Theorem), the various equivalent forms of the PNT (which imply
   each other in elementary ways), and consequences that follow from the
   PNT in elementary ways. The latter include, most notably, asymptotic
   bounds for the number of distinct prime factors of
   <em>n</em>, the divisor function
   <em>d(n)</em>, Euler's totient function
   <em>&phi;(n)</em>, and
   lcm(1,&hellip;,<em>n</em>).</p>
 
 [Safe_OCL]
 title = Safe OCL
 author = Denis Nikiforov <>
 topic = Computer science/Programming languages/Language definitions
 license = LGPL
 date = 2019-03-09
 notify = denis.nikif@gmail.com
 abstract =
   <p>The theory is a formalization of the
   <a href="https://www.omg.org/spec/OCL/">OCL</a> type system, its abstract
   syntax and expression typing rules. The theory does not define a concrete
   syntax and a semantics. In contrast to
   <a href="https://www.isa-afp.org/entries/Featherweight_OCL.html">Featherweight OCL</a>,
   it is based on a deep embedding approach. The type system is defined from scratch,
   it is not based on the Isabelle HOL type system.</p>
   <p>The Safe OCL distincts nullable and non-nullable types. Also the theory gives a
   formal definition of <a href="http://ceur-ws.org/Vol-1512/paper07.pdf">safe
   navigation operations</a>. The Safe OCL typing rules are much stricter than rules
   given in the OCL specification. It allows one to catch more errors on a type
   checking phase.</p>
   <p>The type theory presented is four-layered: classes, basic types, generic types,
   errorable types. We introduce the following new types: non-nullable types (T[1]),
   nullable types (T[?]), OclSuper. OclSuper is a supertype of all other types (basic
   types, collections, tuples). This type allows us to define a total supremum function,
   so types form an upper semilattice. It allows us to define rich expression typing
   rules in an elegant manner.</p>
   <p>The Preliminaries Chapter of the theory defines a number of helper lemmas for
   transitive closures and tuples. It defines also a generic object model independent
   from OCL. It allows one to use the theory as a reference for formalization of analogous languages.</p>
 
 [QHLProver]
 title = Quantum Hoare Logic
 author = Junyi Liu<>, Bohua Zhan <http://lcs.ios.ac.cn/~bzhan/>, Shuling Wang<>, Shenggang Ying<>, Tao Liu<>, Yangjia Li<>, Mingsheng Ying<>, Naijun Zhan<>
 topic = Computer science/Programming languages/Logics, Computer science/Semantics
 date = 2019-03-24
 notify = bzhan@ios.ac.cn
 abstract =
   We formalize quantum Hoare logic as given in [1]. In particular, we
   specify the syntax and denotational semantics of a simple model of
   quantum programs. Then, we write down the rules of quantum Hoare logic
   for partial correctness, and show the soundness and completeness of
   the resulting proof system. As an application, we verify the
   correctness of Grover’s algorithm.
 
 [Transcendence_Series_Hancl_Rucki]
 title = The Transcendence of Certain Infinite Series
 author = Angeliki Koutsoukou-Argyraki <https://www.cl.cam.ac.uk/~ak2110/>, Wenda Li <https://www.cl.cam.ac.uk/~wl302/>
 topic = Mathematics/Analysis,  Mathematics/Number theory
 date = 2019-03-27
 notify = wl302@cam.ac.uk, ak2110@cam.ac.uk
 abstract =
   We formalize the proofs of two transcendence criteria by J. Hančl
   and P. Rucki that assert the transcendence of the sums of certain
   infinite series built up by sequences that fulfil certain properties.
   Both proofs make use of Roth's celebrated theorem on diophantine
   approximations to algebraic numbers from 1955  which we implement as
   an assumption without having formalised its proof.
 
 [Binding_Syntax_Theory]
 title = A General Theory of Syntax with Bindings
 author = Lorenzo Gheri <mailto:lor.gheri@gmail.com>, Andrei Popescu <mailto:a.popescu@mdx.ac.uk>
 topic = Computer science/Programming languages/Lambda calculi, Computer science/Functional programming, Logic/General logic/Mechanization of proofs
 date = 2019-04-06
 notify = a.popescu@mdx.ac.uk, lor.gheri@gmail.com
 abstract =
   We formalize a theory of syntax with bindings that has been developed
   and refined over the last decade to support several large
   formalization efforts. Terms are defined for an arbitrary number of
   constructors of varying numbers of inputs, quotiented to
   alpha-equivalence and sorted according to a binding signature. The
   theory includes many properties of the standard operators on terms:
   substitution, swapping and freshness. It also includes bindings-aware
   induction and recursion principles and support for semantic
   interpretation. This work has been presented in the ITP 2017 paper “A
   Formalized General Theory of Syntax with Bindings”.
 
 [LTL_Master_Theorem]
 title = A Compositional and Unified Translation of LTL into ω-Automata
 author = Benedikt Seidl <mailto:benedikt.seidl@tum.de>, Salomon Sickert <mailto:s.sickert@tum.de>
 topic = Computer science/Automata and formal languages
 date = 2019-04-16
 notify = benedikt.seidl@tum.de, s.sickert@tum.de
 abstract =
   We present a formalisation of the unified translation approach of
   linear temporal logic (LTL) into ω-automata from [1]. This approach
   decomposes LTL formulas into ``simple'' languages and allows
   a clear separation of concerns: first, we formalise the purely logical
   result yielding this decomposition; second, we instantiate this
   generic theory to obtain a construction for deterministic
   (state-based) Rabin automata (DRA). We extract from this particular
   instantiation an executable tool translating LTL to DRAs. To the best
   of our knowledge this is the first verified translation from LTL to
   DRAs that is proven to be double exponential in the worst case which
   asymptotically matches the known lower bound.
   <p>
   [1] Javier Esparza, Jan Kretínský, Salomon Sickert. One Theorem to Rule Them All:
   A Unified Translation of LTL into ω-Automata. LICS 2018
 
 [LambdaAuth]
 title = Formalization of Generic Authenticated Data Structures
 author = Matthias Brun<>, Dmitriy Traytel <http://people.inf.ethz.ch/trayteld/>
 topic = Computer science/Security, Computer science/Programming languages/Lambda calculi
 date = 2019-05-14
 notify = traytel@inf.ethz.ch
 abstract =
   Authenticated data structures are a technique for outsourcing data
   storage and maintenance to an untrusted server. The server is required
   to produce an efficiently checkable and cryptographically secure proof
   that it carried out precisely the requested computation. <a
   href="https://doi.org/10.1145/2535838.2535851">Miller et
   al.</a> introduced &lambda;&bull; (pronounced
   <i>lambda auth</i>)&mdash;a functional programming
   language with a built-in primitive authentication construct, which
   supports a wide range of user-specified authenticated data structures
   while guaranteeing certain correctness and security properties for all
   well-typed programs. We formalize &lambda;&bull; and prove its
   correctness and security properties. With Isabelle's help, we
   uncover and repair several mistakes in the informal proofs and lemma
   statements. Our findings are summarized in a <a
   href="http://people.inf.ethz.ch/trayteld/papers/lambdaauth/lambdaauth.pdf">paper
   draft</a>.
 
 [IMP2_Binary_Heap]
 title = Binary Heaps for IMP2
 author = Simon Griebel<>
 topic = Computer science/Data structures, Computer science/Algorithms
 date = 2019-06-13
 notify = s.griebel@tum.de
 abstract =
   In this submission array-based binary minimum heaps are formalized.
   The correctness of the following heap operations is proved: insert,
   get-min, delete-min and make-heap. These are then used to verify an
   in-place heapsort. The formalization is based on IMP2, an imperative
   program verification framework implemented in Isabelle/HOL. The
   verified heap functions are iterative versions of the partly recursive
   functions found in "Algorithms and Data Structures – The Basic
   Toolbox" by K. Mehlhorn and P. Sanders and "Introduction to
   Algorithms" by T. H. Cormen, C. E. Leiserson, R. L. Rivest and C.
   Stein.
 
 [Groebner_Macaulay]
 title = Gröbner Bases, Macaulay Matrices and Dubé's Degree Bounds
 author = Alexander Maletzky <https://risc.jku.at/m/alexander-maletzky/>
 topic = Mathematics/Algebra
 date = 2019-06-15
 notify = alexander.maletzky@risc.jku.at
 abstract =
   This entry formalizes the connection between Gröbner bases and
   Macaulay matrices (sometimes also referred to as `generalized
   Sylvester matrices'). In particular, it contains a method for
   computing Gröbner bases, which proceeds by first constructing some
   Macaulay matrix of the initial set of polynomials, then row-reducing
   this matrix, and finally converting the result back into a set of
   polynomials. The output is shown to be a Gröbner basis if the Macaulay
   matrix constructed in the first step is sufficiently large. In order
   to obtain concrete upper bounds on the size of the matrix (and hence
   turn the method into an effectively executable algorithm), Dubé's
   degree bounds on Gröbner bases are utilized; consequently, they are
   also part of the formalization.
 
 [Linear_Inequalities]
 title = Linear Inequalities
 author = Ralph Bottesch <http://cl-informatik.uibk.ac.at/users/bottesch/>, Alban Reynaud <>, René Thiemann <http://cl-informatik.uibk.ac.at/~thiemann/>
 topic = Mathematics/Algebra
 date = 2019-06-21
 notify = rene.thiemann@uibk.ac.at
 abstract =
   We formalize results about linear inqualities, mainly from
   Schrijver's book. The main results are the proof of the
   fundamental theorem on linear inequalities, Farkas' lemma,
   Carathéodory's theorem, the Farkas-Minkowsky-Weyl theorem, the
   decomposition theorem of polyhedra, and Meyer's result that the
   integer hull of a polyhedron is a polyhedron itself. Several theorems
   include bounds on the appearing numbers, and in particular we provide
   an a-priori bound on mixed-integer solutions of linear inequalities.
 
 [Linear_Programming]
 title = Linear Programming
 author = Julian Parsert <http://www.parsert.com/>, Cezary Kaliszyk <http://cl-informatik.uibk.ac.at/cek/>
 topic = Mathematics/Algebra
 date = 2019-08-06
 notify = julian.parsert@gmail.com, cezary.kaliszyk@uibk.ac.at
 abstract =
   We use the previous formalization of the general simplex algorithm to
   formulate an algorithm for solving linear programs. We encode the
   linear programs using only linear constraints. Solving these
   constraints also solves the original linear program. This algorithm is
   proven to be sound by applying the weak duality theorem which is also
   part of this formalization.
 
 [Differential_Game_Logic]
 title = Differential Game Logic
 author = André Platzer <http://www.cs.cmu.edu/~aplatzer/>
 topic = Computer science/Programming languages/Logics
 date = 2019-06-03
 notify = aplatzer@cs.cmu.edu
 abstract =
   This formalization provides differential game logic (dGL), a logic for
   proving properties of hybrid game. In addition to the syntax and
   semantics, it formalizes a uniform substitution calculus for dGL.
   Church's uniform substitutions substitute a term or formula for a
   function or predicate symbol everywhere. The uniform substitutions for
   dGL also substitute hybrid games for a game symbol everywhere. We
   prove soundness of one-pass uniform substitutions and the axioms of
   differential game logic with respect to their denotational semantics.
   One-pass uniform substitutions are faster by postponing
   soundness-critical admissibility checks with a linear pass homomorphic
   application and regain soundness by a variable condition at the
   replacements.  The formalization is based on prior non-mechanized
   soundness proofs for dGL.
 
 [Complete_Non_Orders]
 title = Complete Non-Orders and Fixed Points
 author = Akihisa Yamada <http://group-mmm.org/~ayamada/>, Jérémy Dubut <http://group-mmm.org/~dubut/>
 topic = Mathematics/Order
 date = 2019-06-27
 notify = akihisayamada@nii.ac.jp, dubut@nii.ac.jp
 abstract =
   We develop an Isabelle/HOL library of order-theoretic concepts, such
   as various completeness conditions and fixed-point theorems. We keep
   our formalization as general as possible: we reprove several
   well-known results about complete orders, often without any properties
   of ordering, thus complete non-orders. In particular, we generalize
   the Knaster–Tarski theorem so that we ensure the existence of a
   quasi-fixed point of monotone maps over complete non-orders, and show
   that the set of quasi-fixed points is complete under a mild
   condition—attractivity—which is implied by either antisymmetry or
   transitivity. This result generalizes and strengthens a result by
   Stauti and Maaden. Finally, we recover Kleene’s fixed-point theorem
   for omega-complete non-orders, again using attractivity to prove that
   Kleene’s fixed points are least quasi-fixed points.
 
 [Priority_Search_Trees]
 title = Priority Search Trees
 author = Peter Lammich <http://www21.in.tum.de/~lammich>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 topic = Computer science/Data structures
 date = 2019-06-25
 notify = lammich@in.tum.de
 abstract =
   We present a new, purely functional, simple and efficient data
   structure combining a search tree and a priority queue, which we call
   a <em>priority search tree</em>. The salient feature of priority search
   trees is that they offer a decrease-key operation, something that is
   missing from other simple, purely functional priority queue
   implementations. Priority search trees can be implemented on top of
   any search tree. This entry does the implementation for red-black
   trees.  This entry formalizes the first part of our ITP-2019 proof
   pearl <em>Purely Functional, Simple and Efficient Priority
   Search Trees and Applications to Prim and Dijkstra</em>.
 
 [Prim_Dijkstra_Simple]
 title = Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra
 author = Peter Lammich <http://www21.in.tum.de/~lammich>, Tobias Nipkow <http://www21.in.tum.de/~nipkow>
 topic = Computer science/Algorithms/Graph
 date = 2019-06-25
 notify = lammich@in.tum.de
 abstract =
   We verify purely functional, simple and efficient implementations of
   Prim's and Dijkstra's algorithms. This constitutes the first
   verification of an executable and even efficient version of
   Prim's algorithm. This entry formalizes the second part of our
   ITP-2019 proof pearl <em>Purely Functional, Simple and Efficient
   Priority Search Trees and Applications to Prim and Dijkstra</em>.
 
 [MFOTL_Monitor]
 title = Formalization of a Monitoring Algorithm for Metric First-Order Temporal Logic
 author = Joshua Schneider <mailto:joshua.schneider@inf.ethz.ch>, Dmitriy Traytel <http://people.inf.ethz.ch/trayteld/>
 topic = Computer science/Algorithms, Logic/General logic/Temporal logic, Computer science/Automata and formal languages
 date = 2019-07-04
 notify = joshua.schneider@inf.ethz.ch, traytel@inf.ethz.ch
 abstract =
   A monitor is a runtime verification tool that solves the following
   problem: Given a stream of time-stamped events and a policy formulated
   in a specification language, decide whether the policy is satisfied at
   every point in the stream. We verify the correctness of an executable
   monitor for specifications given as formulas in metric first-order
   temporal logic (MFOTL), an expressive extension of linear temporal
   logic with real-time constraints and first-order quantification. The
   verified monitor implements a simplified variant of the algorithm used
   in the efficient MonPoly monitoring tool. The formalization is
   presented in a forthcoming <a
   href="http://people.inf.ethz.ch/trayteld/papers/rv19-verimon/verimon.pdf">RV
   2019 paper</a>, which also compares the output of the verified
   monitor to that of other monitoring tools on randomly generated
   inputs. This case study revealed several errors in the optimized but
   unverified tools.
 
 [FOL_Seq_Calc1]
 title = A Sequent Calculus for First-Order Logic
 author = Asta Halkjær From <https://people.compute.dtu.dk/ahfrom/>
 contributors = Alexander Birch Jensen <https://people.compute.dtu.dk/aleje/>,
   Anders Schlichtkrull <https://people.compute.dtu.dk/andschl/>,
   Jørgen Villadsen <https://people.compute.dtu.dk/jovi/>
 topic = Logic/Proof theory
 date = 2019-07-18
 notify = ahfrom@dtu.dk
 abstract =
   This work formalizes soundness and completeness of a one-sided sequent
   calculus for first-order logic. The completeness is shown via a
   translation from a complete semantic tableau calculus, the proof of
   which is based on the First-Order Logic According to Fitting theory.
   The calculi and proof techniques are taken from Ben-Ari's
   Mathematical Logic for Computer Science.
 
 [Szpilrajn]
 title = Szpilrajn Extension Theorem
 author = Peter Zeller <mailto:p_zeller@cs.uni-kl.de>
 topic = Mathematics/Order
 date = 2019-07-27
 notify = p_zeller@cs.uni-kl.de
 abstract =
   We formalize the Szpilrajn extension theorem, also known as
   order-extension principal: Every strict partial order can be extended
   to a strict linear order.
 
 [TESL_Language]
 title = A Formal Development of a Polychronous Polytimed Coordination Language
 author = Hai Nguyen Van <mailto:hai.nguyenvan.phie@gmail.com>, Frédéric Boulanger <mailto:frederic.boulanger@centralesupelec.fr>, Burkhart Wolff <mailto:burkhart.wolff@lri.fr>
 topic = Computer science/System description languages, Computer science/Semantics, Computer science/Concurrency
 date = 2019-07-30
 notify = frederic.boulanger@centralesupelec.fr, burkhart.wolff@lri.fr
 abstract =
   The design of complex systems involves different formalisms for
   modeling their different parts or aspects. The global model of a
   system may therefore consist of a coordination of concurrent
   sub-models that use different paradigms.  We develop here a theory for
   a language used to specify the timed coordination of such
   heterogeneous subsystems by addressing the following issues:
   <ul><li>the
   behavior of the sub-systems is observed only at a series of discrete
   instants,</li><li>events may occur in different sub-systems at unrelated
   times, leading to polychronous systems, which do not necessarily have
   a common base clock,</li><li>coordination between subsystems involves
   causality, so the occurrence of an event may enforce the occurrence of
   other events, possibly after a certain duration has elapsed or an
   event has occurred a given number of times,</li><li>the domain of time
   (discrete, rational, continuous...) may be different in the
   subsystems, leading to polytimed systems,</li><li>the time frames of
   different sub-systems may be related (for instance, time in a GPS
   satellite and in a GPS receiver on Earth are related although they are
   not the same).</li></ul>
   Firstly, a denotational semantics of the language is
   defined. Then, in order to be able to incrementally check the behavior
   of systems, an operational semantics is given, with proofs of
   progress, soundness and completeness with regard to the denotational
   semantics. These proofs are made according to a setup that can scale
   up when new operators are added to the language. In order for
   specifications to be composed in a clean way, the language should be
   invariant by stuttering (i.e., adding observation instants at which
   nothing happens). The proof of this invariance is also given.
 
 [Stellar_Quorums]
 title = Stellar Quorum Systems
 author = Giuliano Losa <mailto:giuliano@galois.com>
 topic = Computer science/Algorithms/Distributed
 date = 2019-08-01
 notify = giuliano@galois.com
 abstract =
   We formalize the static properties of personal Byzantine quorum
   systems (PBQSs) and Stellar quorum systems, as described in the paper
   ``Stellar Consensus by Reduction'' (to appear at DISC 2019).
 
 [IMO2019]
 title = Selected Problems from the International Mathematical Olympiad 2019
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Misc
 date = 2019-08-05
 notify = eberlm@in.tum.de
 abstract =
   <p>This entry contains formalisations of the answers to three of
   the six problem of the International Mathematical Olympiad 2019,
   namely Q1, Q4, and Q5.</p> <p>The reason why these
   problems were chosen is that they are particularly amenable to
   formalisation: they can be solved with minimal use of libraries. The
   remaining three concern geometry and graph theory, which, in the
   author's opinion, are more difficult to formalise resp. require a
   more complex library.</p>
 
 [Adaptive_State_Counting]
 title = Formalisation of an Adaptive State Counting Algorithm
 author = Robert Sachtleben <mailto:rob_sac@uni-bremen.de>
 topic = Computer science/Automata and formal languages, Computer science/Algorithms
 date = 2019-08-16
 notify = rob_sac@uni-bremen.de
 abstract =
   This entry provides a formalisation of a refinement of an adaptive
   state counting algorithm, used to test for reduction between finite
   state machines. The algorithm has been originally presented by Hierons
   in the paper <a
   href="https://doi.org/10.1109/TC.2004.85">Testing from a
   Non-Deterministic Finite State Machine Using Adaptive State
   Counting</a>.  Definitions for finite state machines and
   adaptive test cases are given and many useful theorems are derived
   from these. The algorithm is formalised using mutually recursive
   functions, for which it is proven that the generated test suite is
   sufficient to test for reduction against finite state machines of a
   certain fault domain. Additionally, the algorithm is specified in a
   simple WHILE-language and its correctness is shown using Hoare-logic.
 
 [Jacobson_Basic_Algebra]
 title = A Case Study in Basic Algebra
 author = Clemens Ballarin <http://www21.in.tum.de/~ballarin/>
 topic = Mathematics/Algebra
 date = 2019-08-30
 notify = ballarin@in.tum.de
 abstract =
   The focus of this case study is re-use in abstract algebra.  It
   contains locale-based formalisations of selected parts of set, group
   and ring theory from Jacobson's <i>Basic Algebra</i>
   leading to the respective fundamental homomorphism theorems.  The
   study is not intended as a library base for abstract algebra.  It
   rather explores an approach towards abstract algebra in Isabelle.
 
 [Hybrid_Systems_VCs]
 title = Verification Components for Hybrid Systems
 author = Jonathan Julian Huerta y Munive <>
 topic = Mathematics/Algebra, Mathematics/Analysis
 date = 2019-09-10
 notify = jjhuertaymunive1@sheffield.ac.uk, jonjulian23@gmail.com
 abstract =
   These components formalise a semantic framework for the deductive
   verification of hybrid systems. They support reasoning about
   continuous evolutions of hybrid programs in the style of differential
   dynamics logic. Vector fields or flows model these evolutions, and
   their verification is done with invariants for the former or orbits
   for the latter. Laws of modal Kleene algebra or categorical predicate
   transformers implement the verification condition generation. Examples
   show the approach at work.
 
 [Generic_Join]
 title = Formalization of Multiway-Join Algorithms
 author = Thibault Dardinier<>
 topic = Computer science/Algorithms
 date = 2019-09-16
 notify = tdardini@student.ethz.ch, traytel@inf.ethz.ch
 abstract =
   Worst-case optimal multiway-join algorithms are recent seminal
   achievement of the database community. These algorithms compute the
   natural join of multiple relational databases and improve in the worst
   case over traditional query plan optimizations of nested binary joins.
   In 2014, <a
   href="https://doi.org/10.1145/2590989.2590991">Ngo, Ré,
   and Rudra</a> gave a unified presentation of different multi-way
   join algorithms. We formalized and proved correct their "Generic
   Join" algorithm and extended it to support negative joins.
 
 [Aristotles_Assertoric_Syllogistic]
 title = Aristotle's Assertoric Syllogistic
 author = Angeliki Koutsoukou-Argyraki <https://www.cl.cam.ac.uk/~ak2110/>
 topic = Logic/Philosophical aspects
 date = 2019-10-08
 notify = ak2110@cam.ac.uk
 abstract =
   We formalise with Isabelle/HOL some basic elements of Aristotle's
   assertoric syllogistic following the <a
   href="https://plato.stanford.edu/entries/aristotle-logic/">article from the Stanford Encyclopedia of Philosophy by Robin Smith.</a> To
   this end, we use a set theoretic formulation (covering both individual
   and general predication). In particular, we formalise the deductions
   in the Figures and after that we present Aristotle's
   metatheoretical observation that all deductions in the Figures can in
   fact be reduced to either Barbara or Celarent. As the formal proofs
   prove to be straightforward, the interest of this entry lies in
   illustrating the functionality of Isabelle and high efficiency of
   Sledgehammer for simple exercises in philosophy.
 
 [VerifyThis2019]
 title = VerifyThis 2019 -- Polished Isabelle Solutions
 author = Peter Lammich<>, Simon Wimmer<http://home.in.tum.de/~wimmers/>
 topic = Computer science/Algorithms
 date = 2019-10-16
 notify = lammich@in.tum.de, wimmers@in.tum.de
 abstract =
   VerifyThis 2019 (http://www.pm.inf.ethz.ch/research/verifythis.html)
   was a program verification competition associated with ETAPS 2019. It
   was the 8th event in the VerifyThis competition series. In this entry,
   we present polished and completed versions of our solutions that we
   created during the competition.
 
 [ZFC_in_HOL]
 title = Zermelo Fraenkel Set Theory in Higher-Order Logic
 author = Lawrence C. Paulson <https://www.cl.cam.ac.uk/~lp15/>
 topic = Logic/Set theory
 date = 2019-10-24
 notify = lp15@cam.ac.uk
 abstract =
   <p>This entry is a new formalisation of ZFC set theory in Isabelle/HOL. It is
   logically equivalent to Obua's HOLZF; the point is to have the closest
   possible integration with the rest of Isabelle/HOL, minimising the amount of
   new notations and exploiting type classes.</p>
   <p>There is a type <em>V</em> of sets and a function <em>elts :: V =&gt; V
   set</em> mapping a set to its elements. Classes simply have type <em>V
   set</em>, and a predicate identifies the small classes: those that correspond
   to actual sets. Type classes connected with orders and lattices are used to
   minimise the amount of new notation for concepts such as the subset relation,
   union and intersection. Basic concepts — Cartesian products, disjoint sums,
   natural numbers, functions, etc. — are formalised.</p>
   <p>More advanced set-theoretic concepts, such as transfinite induction,
   ordinals, cardinals and the transitive closure of a set, are also provided.
   The definition of addition and multiplication for general sets (not just
   ordinals) follows Kirby.</p>
   <p>The theory provides two type classes with the aim of facilitating
   developments that combine <em>V</em> with other Isabelle/HOL types:
   <em>embeddable</em>, the class of types that can be injected into <em>V</em>
   (including <em>V</em> itself as well as <em>V*V</em>, etc.), and
   <em>small</em>, the class of types that correspond to some ZF set.</p>
   extra-history =
 	Change history:
 	[2020-01-28]:  Generalisation of the "small" predicate and order types to arbitrary sets;
 	ordinal exponentiation;
 	introduction of the coercion ord_of_nat :: "nat => V";
 	numerous new lemmas. (revision 6081d5be8d08)
 
 
 [Interval_Arithmetic_Word32]
 title = Interval Arithmetic on 32-bit Words
 author = Brandon Bohrer <mailto:bbohrer@cs.cmu.edu>
 topic = Computer science/Data structures
 date = 2019-11-27
 notify = bjbohrer@gmail.com, bbohrer@cs.cmu.edu
 abstract =
   Interval_Arithmetic implements conservative interval arithmetic
   computations, then uses this interval arithmetic to implement a simple
   programming language where all terms have 32-bit signed word values,
   with explicit infinities for terms outside the representable bounds.
   Our target use case is interpreters for languages that must have a
   well-understood low-level behavior.  We include a formalization of
   bounded-length strings which are used for the identifiers of our
   language. Bounded-length identifiers are useful in some applications,
   for example the <a href="https://www.isa-afp.org/entries/Differential_Dynamic_Logic.html">Differential_Dynamic_Logic</a> article,
   where a Euclidean space indexed by identifiers demands that identifiers
   are finitely many.
 
 [Generalized_Counting_Sort]
 title = An Efficient Generalization of Counting Sort for Large, possibly Infinite Key Ranges
 author = Pasquale Noce <mailto:pasquale.noce.lavoro@gmail.com>
 topic = Computer science/Algorithms, Computer science/Functional programming
 date = 2019-12-04
 notify = pasquale.noce.lavoro@gmail.com
 abstract =
   Counting sort is a well-known algorithm that sorts objects of any kind
   mapped to integer keys, or else to keys in one-to-one correspondence
   with some subset of the integers (e.g. alphabet letters). However, it
   is suitable for direct use, viz. not just as a subroutine of another
   sorting algorithm (e.g. radix sort), only if the key range is not
   significantly larger than the number of the objects to be sorted.
   This paper describes a tail-recursive generalization of counting sort
   making use of a bounded number of counters, suitable for direct use in
   case of a large, or even infinite key range of any kind, subject to
   the only constraint of being a subset of an arbitrary linear order.
   After performing a pen-and-paper analysis of how such algorithm has to
   be designed to maximize its efficiency, this paper formalizes the
   resulting generalized counting sort (GCsort) algorithm and then
   formally proves its correctness properties, namely that (a) the
   counters' number is maximized never exceeding the fixed upper
   bound, (b) objects are conserved, (c) objects get sorted, and (d) the
   algorithm is stable.
 
 [Poincare_Bendixson]
 title = The Poincaré-Bendixson Theorem
 author = Fabian Immler <http://home.in.tum.de/~immler/>, Yong Kiam Tan <https://www.cs.cmu.edu/~yongkiat/>
 topic = Mathematics/Analysis
 date = 2019-12-18
 notify = fimmler@cs.cmu.edu, yongkiat@cs.cmu.edu
 abstract =
   The Poincaré-Bendixson theorem is a classical result in the study of
   (continuous) dynamical systems. Colloquially, it restricts the
   possible behaviors of planar dynamical systems: such systems cannot be
   chaotic. In practice, it is a useful tool for proving the existence of
   (limiting) periodic behavior in planar systems. The theorem is an
   interesting and challenging benchmark for formalized mathematics
   because proofs in the literature rely on geometric sketches and only
   hint at symmetric cases. It also requires a substantial background of
   mathematical theories, e.g., the Jordan curve theorem, real analysis,
   ordinary differential equations, and limiting (long-term) behavior of
   dynamical systems.
 
 [Isabelle_C]
 title = Isabelle/C
 author = Frédéric Tuong <https://www.lri.fr/~ftuong/>, Burkhart Wolff <https://www.lri.fr/~wolff/>
 topic = Computer science/Programming languages/Language definitions, Computer science/Semantics, Tools
 date = 2019-10-22
 notify = tuong@users.gforge.inria.fr, wolff@lri.fr
 abstract =
   We present a framework for C code in C11 syntax deeply integrated into
   the Isabelle/PIDE development environment. Our framework provides an
   abstract interface for verification back-ends to be plugged-in
   independently. Thus, various techniques such as deductive program
   verification or white-box testing can be applied to the same source,
   which is part of an integrated PIDE document model. Semantic back-ends
   are free to choose the supported C fragment and its semantics. In
   particular, they can differ on the chosen memory model or the
   specification mechanism for framing conditions. Our framework supports
   semantic annotations of C sources in the form of comments. Annotations
   serve to locally control back-end settings, and can express the term
   focus to which an annotation refers. Both the logical and the
   syntactic context are available when semantic annotations are
   evaluated. As a consequence, a formula in an annotation can refer both
   to HOL or C variables. Our approach demonstrates the degree of
   maturity and expressive power the Isabelle/PIDE sub-system has
   achieved in recent years. Our integration technique employs Lex and
   Yacc style grammars to ensure efficient deterministic parsing.  This
   is the core-module of Isabelle/C; the AFP package for Clean and
   Clean_wrapper as well as AutoCorres and AutoCorres_wrapper (available
   via git) are applications of this front-end.
 
 [Zeta_3_Irrational]
 title = The Irrationality of ζ(3)
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory
 date = 2019-12-27
 notify = manuel.eberl@tum.de
 abstract =
   <p>This article provides a formalisation of Beukers's
   straightforward analytic proof that ζ(3) is irrational. This was first
   proven by Apéry (which is why this result is also often called
   ‘Apéry's Theorem’) using a more algebraic approach. This
   formalisation follows <a
   href="http://people.math.sc.edu/filaseta/gradcourses/Math785/Math785Notes4.pdf">Filaseta's
   presentation</a> of Beukers's proof.</p>
 
 [Hybrid_Logic]
 title = Formalizing a Seligman-Style Tableau System for Hybrid Logic
 author = Asta Halkjær From <https://people.compute.dtu.dk/ahfrom/>
 topic = Logic/General logic/Modal logic
 date = 2019-12-20
 notify = ahfrom@dtu.dk
 abstract =
 	This work is a formalization of soundness and completeness proofs
 	for a Seligman-style tableau system for hybrid logic. The completeness
 	result is obtained via a synthetic approach using maximally
 	consistent sets of tableau blocks. The formalization differs from
 	the cited work in a few ways. First, to avoid the need to backtrack in
 	the construction of a tableau, the formalized system has no unnamed
 	initial segment, and therefore no Name rule. Second, I show that the
 	full Bridge rule is admissible in the system. Third, I start from rules
 	restricted to only extend the branch with new formulas, including only
 	witnessing diamonds that are not already witnessed, and show that
 	the unrestricted rules are admissible. Similarly, I start from simpler
 	versions of the @-rules and show the general ones admissible. Finally,
 	the GoTo rule is restricted using a notion of coins such that each
 	application consumes a coin and coins are earned through applications of
 	the remaining rules. I show that if a branch can be closed then it can
 	be closed starting from a single coin. These restrictions are imposed
 	to rule out some means of nontermination.
 
 [Bicategory]
 title = Bicategories
 author = Eugene W. Stark <mailto:stark@cs.stonybrook.edu>
 topic = Mathematics/Category theory
 date = 2020-01-06
 notify = stark@cs.stonybrook.edu
 abstract =
   Taking as a starting point the author's previous work on
   developing aspects of category theory in Isabelle/HOL, this article
   gives a compatible formalization of the notion of
   "bicategory" and develops a framework within which formal
   proofs of facts about bicategories can be given.  The framework
   includes a number of basic results, including the Coherence Theorem,
   the Strictness Theorem, pseudofunctors and biequivalence, and facts
   about internal equivalences and adjunctions in a bicategory.  As a
   driving application and demonstration of the utility of the framework,
   it is used to give a formal proof of a theorem, due to Carboni,
   Kasangian, and Street, that characterizes up to biequivalence the
   bicategories of spans in a category with pullbacks.  The formalization
   effort necessitated the filling-in of many details that were not
   evident from the brief presentation in the original paper, as well as
   identifying a few minor corrections along the way.
 extra-history =
 	Change history:
 	[2020-02-15]:
 	Move ConcreteCategory.thy from Bicategory to Category3 and use it systematically.
 	Make other minor improvements throughout.
 	(revision a51840d36867)<br>
 
 [Subset_Boolean_Algebras]
 title = A Hierarchy of Algebras for Boolean Subsets
 author = Walter Guttmann <http://www.cosc.canterbury.ac.nz/walter.guttmann/>, Bernhard Möller <https://www.informatik.uni-augsburg.de/en/chairs/dbis/pmi/staff/moeller/>
 topic = Mathematics/Algebra
 date = 2020-01-31
 notify = walter.guttmann@canterbury.ac.nz
 abstract =
   We present a collection of axiom systems for the construction of
   Boolean subalgebras of larger overall algebras. The subalgebras are
   defined as the range of a complement-like operation on a semilattice.
   This technique has been used, for example, with the antidomain
   operation, dynamic negation and Stone algebras. We present a common
   ground for these constructions based on a new equational
   axiomatisation of Boolean algebras.
 
 [Goodstein_Lambda]
 title = Implementing the Goodstein Function in &lambda;-Calculus
 author = Bertram Felgenhauer <mailto:int-e@gmx.de>
 topic = Logic/Rewriting
 date = 2020-02-21
 notify = int-e@gmx.de
 abstract =
   In this formalization, we develop an implementation of the Goodstein
   function G in plain &lambda;-calculus, linked to a concise, self-contained
   specification. The implementation works on a Church-encoded
   representation of countable ordinals. The initial conversion to
   hereditary base 2 is not covered, but the material is sufficient to
   compute the particular value G(16), and easily extends to other fixed
   arguments.
 
 [VeriComp]
 title = A Generic Framework for Verified Compilers
 author = Martin Desharnais <https://martin.desharnais.me>
 topic = Computer science/Programming languages/Compiling
 date = 2020-02-10
 notify = martin.desharnais@unibw.de
 abstract =
   This is a generic framework for formalizing compiler transformations.
   It leverages Isabelle/HOL’s locales to abstract over concrete
   languages and transformations. It states common definitions for
   language semantics, program behaviours, forward and backward
   simulations, and compilers. We provide generic operations, such as
   simulation and compiler composition, and prove general (partial)
   correctness theorems, resulting in reusable proof components.
 
 [Hello_World]
 title = Hello World
 author = Cornelius Diekmann <http://net.in.tum.de/~diekmann>, Lars Hupel <https://www21.in.tum.de/~hupel/>
 topic = Computer science/Functional programming
 date = 2020-03-07
 notify = diekmann@net.in.tum.de
 abstract =
   In this article, we present a formalization of the well-known
   "Hello, World!" code, including a formal framework for
   reasoning about IO. Our model is inspired by the handling of IO in
   Haskell. We start by formalizing the 🌍 and embrace the IO monad
   afterwards. Then we present a sample main :: IO (), followed by its
   proof of correctness.
 
 [WOOT_Strong_Eventual_Consistency]
 title = Strong Eventual Consistency of the Collaborative Editing Framework WOOT
 author = Emin Karayel <https://orcid.org/0000-0003-3290-5034>, Edgar Gonzàlez <mailto:edgargip@google.com>
 topic = Computer science/Algorithms/Distributed
 date = 2020-03-25
 notify = eminkarayel@google.com, edgargip@google.com, me@eminkarayel.de
 abstract =
   Commutative Replicated Data Types (CRDTs) are a promising new class of
   data structures for large-scale shared mutable content in applications
   that only require eventual consistency. The WithOut Operational
   Transforms (WOOT) framework is a CRDT for collaborative text editing
   introduced by Oster et al. (CSCW 2006) for which the eventual
   consistency property was verified only for a bounded model to date. We
   contribute a formal proof for WOOTs strong eventual consistency.
 
 [Furstenberg_Topology]
 title = Furstenberg's topology and his proof of the infinitude of primes
 author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
 topic = Mathematics/Number theory
 date = 2020-03-22
 notify = manuel.eberl@tum.de
 abstract =
   <p>This article gives a formal version of Furstenberg's
   topological proof of the infinitude of primes. He defines a topology
   on the integers based on arithmetic progressions (or, equivalently,
   residue classes). Using some fairly obvious properties of this
   topology, the infinitude of primes is then easily obtained.</p>
   <p>Apart from this, this topology is also fairly ‘nice’ in
   general: it is second countable, metrizable, and perfect. All of these
   (well-known) facts are formally proven, including an explicit metric
   for the topology given by Zulfeqarr.</p>
 
 [Saturation_Framework]
 title = A Comprehensive Framework for Saturation Theorem Proving
 author = Sophie Tourret <https://www.mpi-inf.mpg.de/departments/automation-of-logic/people/sophie-tourret/>
 topic = Logic/General logic/Mechanization of proofs
 date = 2020-04-09
 notify = stourret@mpi-inf.mpg.de
 abstract =
   This Isabelle/HOL formalization is the companion of the technical
   report “A comprehensive framework for saturation theorem proving”,
   itself companion of the eponym IJCAR 2020 paper, written by Uwe
   Waldmann, Sophie Tourret, Simon Robillard and Jasmin Blanchette. It
   verifies a framework for formal refutational completeness proofs of
   abstract provers that implement saturation calculi, such as ordered
   resolution or superposition, and allows to model entire prover
   architectures in such a way that the static refutational completeness
   of a calculus immediately implies the dynamic  refutational
   completeness of a prover implementing the calculus using a variant of
   the given clause loop.  The technical report “A comprehensive
   framework for saturation theorem proving” is available <a
   href="http://matryoshka.gforge.inria.fr/pubs/satur_report.pdf">on
   the Matryoshka website</a>. The names of the Isabelle lemmas and
   theorems corresponding to the results in the report are indicated in
   the margin of the report.
 
 [MFODL_Monitor_Optimized]
 title = Formalization of an Optimized Monitoring Algorithm for Metric First-Order Dynamic Logic with Aggregations
 author = Thibault Dardinier<>, Lukas Heimes<>, Martin Raszyk <mailto:martin.raszyk@inf.ethz.ch>, Joshua Schneider <mailto:joshua.schneider@inf.ethz.ch>, Dmitriy Traytel <http://people.inf.ethz.ch/trayteld/>
 topic = Computer science/Algorithms, Logic/General logic/Modal logic, Computer science/Automata and formal languages
 date = 2020-04-09
 notify = martin.raszyk@inf.ethz.ch, joshua.schneider@inf.ethz.ch, traytel@inf.ethz.ch
 abstract =
   A monitor is a runtime verification tool that solves the following
   problem: Given a stream of time-stamped events and a policy formulated
   in a specification language, decide whether the policy is satisfied at
   every point in the stream. We verify the correctness of an executable
   monitor for specifications given as formulas in metric first-order
   dynamic logic (MFODL), which combines the features of metric
   first-order temporal logic (MFOTL) and metric dynamic logic. Thus,
   MFODL supports real-time constraints, first-order parameters, and
   regular expressions. Additionally, the monitor supports aggregation
   operations such as count and sum. This formalization, which is
   described in a <a
   href="http://people.inf.ethz.ch/trayteld/papers/ijcar20-verimonplus/verimonplus.pdf">
   forthcoming paper at IJCAR 2020</a>, significantly extends <a
   href="https://www.isa-afp.org/entries/MFOTL_Monitor.html">previous
   work on a verified monitor</a> for MFOTL. Apart from the
   addition of regular expressions and aggregations, we implemented <a
   href="https://www.isa-afp.org/entries/Generic_Join.html">multi-way
   joins</a> and a specialized sliding window algorithm to further
   optimize the monitor.
 
 [Sliding_Window_Algorithm]
 title = Formalization of an Algorithm for Greedily Computing Associative Aggregations on Sliding Windows
 author = Lukas Heimes<>, Dmitriy Traytel <http://people.inf.ethz.ch/trayteld/>, Joshua Schneider<>
 topic = Computer science/Algorithms
 date = 2020-04-10
 notify = heimesl@student.ethz.ch, traytel@inf.ethz.ch, joshua.schneider@inf.ethz.ch
 abstract =
   Basin et al.'s <a
   href="https://doi.org/10.1016/j.ipl.2014.09.009">sliding
   window algorithm (SWA)</a> is an algorithm for combining the
   elements of subsequences of a sequence with an associative operator.
   It is greedy and minimizes the number of operator applications. We
   formalize the algorithm and verify its functional correctness. We
   extend the algorithm with additional operations and provide an
   alternative interface to the slide operation that does not require the
   entire input sequence.
 
 [Lucas_Theorem]
 title = Lucas's Theorem
 author = Chelsea Edmonds <mailto:cle47@cam.ac.uk>
 topic = Mathematics/Number theory
 date = 2020-04-07
 notify = cle47@cam.ac.uk
 abstract =
   This work presents a formalisation of a generating function proof for
   Lucas's theorem. We first outline extensions to the existing
   Formal Power Series (FPS) library, including an equivalence relation
   for coefficients modulo <em>n</em>, an alternate binomial theorem statement,
   and a formalised proof of the Freshman's dream (mod <em>p</em>) lemma.
   The second part of the work presents the formal proof of Lucas's
   Theorem. Working backwards, the formalisation first proves a well
   known corollary of the theorem which is easier to formalise, and then
   applies induction to prove the original theorem statement. The proof
   of the corollary aims to provide a good example of a formalised
   generating function equivalence proof using the FPS library. The final
   theorem statement is intended to be integrated into the formalised
   proof of Hilbert's 10th Problem.
 
 [ADS_Functor]
 title = Authenticated Data Structures As Functors
 author = Andreas Lochbihler <http://www.andreas-lochbihler.de>, Ognjen Marić <mailto:ogi.afp@mynosefroze.com>
 topic = Computer science/Data structures
 date = 2020-04-16
 notify = andreas.lochbihler@digitalasset.com, mail@andreas-lochbihler.de
 abstract =
   Authenticated data structures allow several systems to convince each
   other that they are referring to the same data structure, even if each
   of them knows only a part of the data structure. Using inclusion
   proofs, knowledgeable systems can selectively share their knowledge
   with other systems and the latter can verify the authenticity of what
   is being shared.  In this article, we show how to modularly define
   authenticated data structures, their inclusion proofs, and operations
   thereon as datatypes in Isabelle/HOL, using a shallow embedding.
   Modularity allows us to construct complicated trees from reusable
   building blocks, which we call Merkle functors. Merkle functors
   include sums, products, and function spaces and are closed under
   composition and least fixpoints.  As a practical application, we model
   the hierarchical transactions of <a
   href="https://www.canton.io">Canton</a>, a
   practical interoperability protocol for distributed ledgers, as
   authenticated data structures. This is a first step towards
   formalizing the Canton protocol and verifying its integrity and
   security guarantees.
 
+[Power_Sum_Polynomials]
+title = Power Sum Polynomials
+author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
+topic = Mathematics/Algebra
+date = 2020-04-24
+notify = eberlm@in.tum.de
+abstract =
+  <p>This article provides a formalisation of the symmetric
+  multivariate polynomials known as <em>power sum
+  polynomials</em>. These are of the form
+  p<sub>n</sub>(<em>X</em><sub>1</sub>,&hellip;,
+  <em>X</em><sub><em>k</em></sub>) =
+  <em>X</em><sub>1</sub><sup>n</sup>
+  + &hellip; +
+  X<sub><em>k</em></sub><sup>n</sup>.
+  A formal proof of the Girard–Newton Theorem is also given. This
+  theorem relates the power sum polynomials to the elementary symmetric
+  polynomials s<sub><em>k</em></sub> in the form
+  of a recurrence relation
+  (-1)<sup><em>k</em></sup>
+  <em>k</em> s<sub><em>k</em></sub>
+  =
+  &sum;<sub>i&isinv;[0,<em>k</em>)</sub>
+  (-1)<sup>i</sup> s<sub>i</sub>
+  p<sub><em>k</em>-<em>i</em></sub>&thinsp;.</p>
+  <p>As an application, this is then used to solve a generalised
+  form of a puzzle given as an exercise in Dummit and Foote's
+  <em>Abstract Algebra</em>: For <em>k</em>
+  complex unknowns <em>x</em><sub>1</sub>,
+  &hellip;,
+  <em>x</em><sub><em>k</em></sub>,
+  define p<sub><em>j</em></sub> :=
+  <em>x</em><sub>1</sub><sup><em>j</em></sup>
+  + &hellip; +
+  <em>x</em><sub><em>k</em></sub><sup><em>j</em></sup>.
+  Then for each vector <em>a</em> &isinv;
+  &#x2102;<sup><em>k</em></sup>, show that
+  there is exactly one solution to the system p<sub>1</sub>
+  = a<sub>1</sub>, &hellip;,
+  p<sub><em>k</em></sub> =
+  a<sub><em>k</em></sub> up to permutation of
+  the
+  <em>x</em><sub><em>i</em></sub>
+  and determine the value of
+  p<sub><em>i</em></sub> for
+  i&gt;k.</p>
+
+[Gaussian_Integers]
+title = Gaussian Integers
+author = Manuel Eberl <https://www21.in.tum.de/~eberlm>
+topic = Mathematics/Number theory
+date = 2020-04-24
+notify = eberlm@in.tum.de
+abstract =
+  <p>The Gaussian integers are the subring &#8484;[i] of the
+  complex numbers, i. e. the ring of all complex numbers with integral
+  real and imaginary part. This article provides a definition of this
+  ring as well as proofs of various basic properties, such as that they
+  form a Euclidean ring and a full classification of their primes. An
+  executable (albeit not very efficient) factorisation algorithm is also
+  provided.</p> <p>Lastly, this Gaussian integer
+  formalisation is used in two short applications:</p> <ol>
+  <li> The characterisation of all positive integers that can be
+  written as sums of two squares</li> <li> Euclid's
+  formula for primitive Pythagorean triples</li> </ol>
+  <p>While elementary proofs for both of these are already
+  available in the AFP, the theory of Gaussian integers provides more
+  concise proofs and a more high-level view.</p>
+
+[Forcing]
+title = Formalization of Forcing in Isabelle/ZF
+author = Emmanuel Gunther <mailto:gunther@famaf.unc.edu.ar>, Miguel Pagano <https://cs.famaf.unc.edu.ar/~mpagano/>,  Pedro Sánchez Terraf <https://cs.famaf.unc.edu.ar/~pedro/home_en>
+topic = Logic/Set theory
+date = 2020-05-06
+notify = gunther@famaf.unc.edu.ar, pagano@famaf.unc.edu.ar, sterraf@famaf.unc.edu.ar
+abstract =
+  We formalize the theory of forcing in the set theory framework of
+  Isabelle/ZF. Under the assumption of the existence of a countable
+  transitive model of ZFC, we construct a proper generic extension and
+  show that the latter also satisfies ZFC.
+
+[Recursion-Addition]
+title = Recursion Theorem in ZF
+author = Georgy Dunaev <mailto:georgedunaev@gmail.com>
+topic = Logic/Set theory
+date = 2020-05-11
+notify = georgedunaev@gmail.com
+abstract =
+  This document contains a proof of the recursion theorem. This is a
+  mechanization of the proof of the recursion theorem from the text <i>Introduction to
+  Set Theory</i>, by Karel Hrbacek and Thomas Jech. This
+  implementation may be used as the basis for a model of Peano arithmetic in
+  ZF. While recursion and the natural numbers are already available in Isabelle/ZF, this clean development
+  is much easier to follow.
+
+[LTL_Normal_Form]
+title = An Efficient Normalisation Procedure for Linear Temporal Logic: Isabelle/HOL Formalisation
+author = Salomon Sickert <mailto:s.sickert@tum.de>
+topic = Computer science/Automata and formal languages, Logic/General logic/Temporal logic
+date = 2020-05-08
+notify = s.sickert@tum.de
+abstract =
+  In the mid 80s, Lichtenstein, Pnueli, and Zuck proved a classical
+  theorem stating that every formula of Past LTL (the extension of LTL
+  with past operators) is equivalent to a formula of the form
+  $\bigwedge_{i=1}^n \mathbf{G}\mathbf{F} \varphi_i \vee
+  \mathbf{F}\mathbf{G} \psi_i$,  where $\varphi_i$ and $\psi_i$ contain
+  only past operators. Some years later, Chang, Manna, and Pnueli built
+  on this result to derive a similar normal form for LTL. Both
+  normalisation procedures have a non-elementary worst-case blow-up, and
+  follow an involved path from formulas to counter-free automata to
+  star-free regular expressions and back to formulas. We improve on both
+  points. We present an executable formalisation of a direct and purely
+  syntactic normalisation procedure for LTL yielding a normal form,
+  comparable to the one by Chang, Manna, and Pnueli, that has only a
+  single exponential blow-up.
+
+[Matrices_for_ODEs]
+title = Matrices for ODEs
+author = Jonathan Julian Huerta y Munive <mailto:jjhuertaymunive1@sheffield.ac.uk>
+topic = Mathematics/Analysis, Mathematics/Algebra
+date = 2020-04-19
+notify = jonjulian23@gmail.com
+abstract =
+  Our theories formalise various matrix properties that serve to
+  establish existence, uniqueness and characterisation of the solution
+  to affine systems of ordinary differential equations (ODEs). In
+  particular, we formalise the operator and maximum norm of matrices.
+  Then we use them to prove that square matrices form a Banach space,
+  and in this setting, we show an instance of Picard-Lindelöf’s
+  theorem for affine systems of ODEs. Finally, we use this formalisation
+  to verify three simple hybrid programs.
+
+[Irrational_Series_Erdos_Straus]
+title = Irrationality Criteria for Series by Erdős and Straus
+author = Angeliki Koutsoukou-Argyraki <https://www.cl.cam.ac.uk/~ak2110/>, Wenda Li <https://www.cl.cam.ac.uk/~wl302/>
+topic = Mathematics/Number theory, Mathematics/Analysis
+date = 2020-05-12
+notify = ak2110@cam.ac.uk, wl302@cam.ac.uk, liwenda1990@hotmail.com
+abstract =
+  We formalise certain irrationality criteria for infinite series of the form:
+  \[\sum_{n=1}^\infty \frac{b_n}{\prod_{i=1}^n a_i} \]
+  where $\{b_n\}$ is a sequence of integers and $\{a_n\}$ a sequence of positive integers
+  with $a_n >1$ for all large n. The results are due to P. Erdős and E. G. Straus
+  <a href="https://projecteuclid.org/euclid.pjm/1102911140">[1]</a>.
+  In particular, we formalise Theorem 2.1, Corollary 2.10 and Theorem 3.1.
+  The latter is an application of Theorem 2.1 involving the prime numbers.
+
 [Knuth_Bendix_Order]
 title = A Formalization of Knuth–Bendix Orders
 author = Christian Sternagel <mailto:c.sternagel@gmail.com>, René Thiemann <http://cl-informatik.uibk.ac.at/~thiemann/>
 topic = Logic/Rewriting
 date = 2020-05-13
 notify = c.sternagel@gmail.com, rene.thiemann@uibk.ac.at
-abstract = 
+abstract =
   We define a generalized version of Knuth&ndash;Bendix orders,
   including subterm coefficient functions. For these orders we formalize
   several properties such as strong normalization, the subterm property,
   closure properties under substitutions and contexts, as well as ground
   totality.
 
diff --git a/thys/Banach_Steinhaus/Banach_Steinhaus.thy b/thys/Banach_Steinhaus/Banach_Steinhaus.thy
new file mode 100644
--- /dev/null
+++ b/thys/Banach_Steinhaus/Banach_Steinhaus.thy
@@ -0,0 +1,485 @@
+(*
+  File:   Banach_Steinhaus.thy
+  Author: Dominique Unruh, University of Tartu
+  Author: Jose Manuel Rodriguez Caballero, University of Tartu
+*)
+section \<open>Banach-Steinhaus theorem\<close>
+
+theory Banach_Steinhaus
+  imports Banach_Steinhaus_Missing
+begin
+
+text \<open>
+  We formalize Banach-Steinhaus theorem as theorem @{text banach_steinhaus}. This theorem was 
+  originally proved in Banach-Steinhaus's paper~\cite{banach1927principe}. For the proof, we follow
+  Sokal's approach~\cite{sokal2011really}. Furthermore, we prove as a corollary a result about
+  pointwise convergent sequences of bounded operators whose domain is a Banach space.
+\<close>
+
+subsection \<open>Preliminaries for Sokal's proof of Banach-Steinhaus theorem\<close>
+
+lemma linear_plus_norm:
+  includes notation_norm
+  assumes \<open>linear f\<close>
+  shows \<open>\<parallel>f \<xi>\<parallel> \<le> max \<parallel>f (x + \<xi>)\<parallel> \<parallel>f (x - \<xi>)\<parallel>\<close>
+  text \<open>
+  Explanation: For arbitrary \<^term>\<open>x\<close> and a linear operator \<^term>\<open>f\<close>,
+  \<^term>\<open>norm (f \<xi>)\<close> is upper bounded by the maximum of the norms
+  of the shifts of \<^term>\<open>f\<close> (i.e., \<^term>\<open>f (x + \<xi>)\<close> and \<^term>\<open>f (x - \<xi>)\<close>).
+\<close>
+proof-
+  have \<open>norm (f \<xi>) = norm ( (inverse (of_nat 2)) *\<^sub>R (f (x + \<xi>) - f (x - \<xi>)) )\<close>
+    by (smt add_diff_cancel_left' assms diff_add_cancel diff_diff_add linear_diff midpoint_def 
+        midpoint_plus_self of_nat_1 of_nat_add one_add_one scaleR_half_double)
+  also have \<open>\<dots> = inverse (of_nat 2) * norm (f (x + \<xi>) - f (x - \<xi>))\<close>
+    using Real_Vector_Spaces.real_normed_vector_class.norm_scaleR by simp
+  also have \<open>\<dots> \<le> inverse (of_nat 2) * (norm (f (x + \<xi>)) + norm (f (x - \<xi>)))\<close>
+    by (simp add: norm_triangle_ineq4)
+  also have \<open>\<dots> \<le>  max (norm (f (x + \<xi>))) (norm (f (x - \<xi>)))\<close>
+    by auto
+  finally show ?thesis by blast
+qed
+
+lemma onorm_Sup_on_ball:
+  includes notation_norm
+  assumes \<open>r > 0\<close>
+  shows "\<parallel>f\<parallel> \<le> Sup ( (\<lambda>x. \<parallel>f *\<^sub>v x\<parallel>) ` (ball x r) ) / r"
+  text \<open>
+  Explanation: Let \<^term>\<open>f\<close> be a bounded operator and let \<^term>\<open>x\<close> be a point. For any \<^term>\<open>r > 0\<close>, 
+  the operator norm of \<^term>\<open>f\<close> is bounded above by the supremum of $f$ applied to the open ball of 
+  radius \<^term>\<open>r\<close> around \<^term>\<open>x\<close>, divided by \<^term>\<open>r\<close>.
+\<close>
+proof-
+  have bdd_above_3: \<open>bdd_above ((\<lambda>x. \<parallel>f *\<^sub>v x\<parallel>) ` (ball 0 r))\<close>
+  proof -
+    obtain M where \<open>\<And> \<xi>.  \<parallel>f *\<^sub>v \<xi>\<parallel> \<le> M * norm \<xi>\<close> and \<open>M \<ge> 0\<close>
+      using norm_blinfun norm_ge_zero by blast      
+    hence \<open>\<And> \<xi>. \<xi> \<in> ball 0 r \<Longrightarrow> \<parallel>f *\<^sub>v \<xi>\<parallel> \<le> M * r\<close>
+      using \<open>r > 0\<close> by (smt mem_ball_0 mult_left_mono) 
+    thus ?thesis by (meson bdd_aboveI2)     
+  qed
+  have bdd_above_2: \<open>bdd_above ((\<lambda> \<xi>. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` (ball 0 r))\<close>
+  proof-
+    have \<open>bdd_above ((\<lambda> \<xi>. \<parallel>f *\<^sub>v x\<parallel>) ` (ball 0 r))\<close>
+      by auto          
+    moreover have \<open>bdd_above ((\<lambda> \<xi>. \<parallel>f *\<^sub>v \<xi>\<parallel>) ` (ball 0 r))\<close>
+      using bdd_above_3 by blast
+    ultimately have \<open>bdd_above ((\<lambda> \<xi>. \<parallel>f *\<^sub>v x\<parallel> + \<parallel>f *\<^sub>v \<xi>\<parallel>) ` (ball 0 r))\<close>
+      by (rule bdd_above_plus)
+    then obtain M where \<open>\<And> \<xi>. \<xi> \<in> ball 0 r \<Longrightarrow> \<parallel>f *\<^sub>v x\<parallel> + \<parallel>f *\<^sub>v \<xi>\<parallel> \<le> M\<close>
+      unfolding bdd_above_def by (meson image_eqI)
+    moreover have \<open>\<parallel>f *\<^sub>v (x + \<xi>)\<parallel> \<le> \<parallel>f *\<^sub>v x\<parallel> + \<parallel>f *\<^sub>v \<xi>\<parallel>\<close> for \<xi>
+      by (simp add: blinfun.add_right norm_triangle_ineq)                
+    ultimately have \<open>\<And> \<xi>. \<xi> \<in> ball 0 r \<Longrightarrow> \<parallel>f *\<^sub>v (x + \<xi>)\<parallel> \<le> M\<close>
+      by (simp add: blinfun.add_right norm_triangle_le)
+    thus ?thesis by (meson bdd_aboveI2)                          
+  qed 
+  have bdd_above_4: \<open>bdd_above ((\<lambda> \<xi>. \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` (ball 0 r))\<close>
+  proof-
+    obtain K where K_def: \<open>\<And> \<xi>. \<xi> \<in> ball 0 r \<Longrightarrow> \<parallel>f *\<^sub>v (x + \<xi>)\<parallel> \<le> K\<close>
+      using  \<open>bdd_above ((\<lambda> \<xi>. norm (f (x + \<xi>))) ` (ball 0 r))\<close> unfolding bdd_above_def 
+      by (meson image_eqI)
+    have \<open>\<xi> \<in> ball (0::'a) r \<Longrightarrow> -\<xi> \<in> ball 0 r\<close> for \<xi>
+      by auto
+    thus ?thesis by (metis K_def ab_group_add_class.ab_diff_conv_add_uminus bdd_aboveI2)
+  qed
+  have bdd_above_1: \<open>bdd_above ((\<lambda> \<xi>. max \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>  \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` (ball 0 r))\<close>
+  proof-
+    have \<open>bdd_above ((\<lambda> \<xi>. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` (ball 0 r))\<close>
+      using bdd_above_2 by blast
+    moreover have \<open>bdd_above ((\<lambda> \<xi>.  \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` (ball 0 r))\<close>
+      using bdd_above_4 by blast
+    ultimately show ?thesis
+      unfolding max_def apply auto apply (meson bdd_above_Int1 bdd_above_mono image_Int_subset)
+      by (meson bdd_above_Int1 bdd_above_mono image_Int_subset)   
+  qed 
+  have bdd_above_6: \<open>bdd_above ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball x r)\<close>
+  proof-
+    have \<open>bounded (ball x r)\<close>
+      by simp            
+    hence \<open>bounded ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball x r)\<close>
+      by (metis (no_types) add.left_neutral bdd_above_2 bdd_above_norm bounded_norm_comp 
+          image_add_ball image_image)
+    thus ?thesis
+      by (simp add: bounded_imp_bdd_above)
+  qed
+  have norm_1: \<open>(\<lambda>\<xi>. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` ball 0 r = (\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball x r\<close>
+    by (metis add.right_neutral ball_translation image_image)   
+  have bdd_above_5: \<open>bdd_above ((\<lambda>\<xi>. norm (f (x + \<xi>))) ` ball 0 r)\<close>
+    by (simp add: bdd_above_2)   
+  have norm_2: \<open>\<parallel>\<xi>\<parallel> < r \<Longrightarrow> \<parallel>f *\<^sub>v (x - \<xi>)\<parallel> \<in> (\<lambda>\<xi>. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` ball 0 r\<close> for \<xi>
+  proof-
+    assume \<open>\<parallel>\<xi>\<parallel> < r\<close>
+    hence \<open>\<xi> \<in> ball (0::'a) r\<close>
+      by auto
+    hence \<open>-\<xi> \<in> ball (0::'a) r\<close>
+      by auto
+    thus ?thesis 
+      by (metis (no_types, lifting) ab_group_add_class.ab_diff_conv_add_uminus image_iff) 
+  qed
+  have norm_2': \<open>\<parallel>\<xi>\<parallel> < r \<Longrightarrow> \<parallel>f *\<^sub>v (x + \<xi>)\<parallel> \<in> (\<lambda>\<xi>. \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` ball 0 r\<close> for \<xi>
+  proof-
+    assume \<open>norm \<xi> < r\<close>
+    hence \<open>\<xi> \<in> ball (0::'a) r\<close>
+      by auto
+    hence \<open>-\<xi> \<in> ball (0::'a) r\<close>
+      by auto
+    thus ?thesis 
+      by (metis (no_types, lifting) diff_minus_eq_add image_iff)          
+  qed
+  have bdd_above_6: \<open>bdd_above ((\<lambda>\<xi>. \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` ball 0 r)\<close>
+    by (simp add: bdd_above_4)   
+  have Sup_2: \<open>(SUP \<xi>\<in>ball 0 r. max \<parallel>f *\<^sub>v (x + \<xi>)\<parallel> \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) =
+                 max (SUP \<xi>\<in>ball 0 r. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) (SUP \<xi>\<in>ball 0 r. \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>)\<close>
+  proof-
+    have \<open>ball (0::'a) r \<noteq> {}\<close>
+      using \<open>r > 0\<close> by auto
+    moreover have \<open>bdd_above ((\<lambda>\<xi>. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` ball 0 r)\<close>
+      using bdd_above_5 by blast
+    moreover have \<open>bdd_above ((\<lambda>\<xi>. \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` ball 0 r)\<close>
+      using bdd_above_6 by blast
+    ultimately show ?thesis
+      using max_Sup
+      by (metis (mono_tags, lifting) Banach_Steinhaus_Missing.pointwise_max_def image_cong) 
+  qed 
+  have Sup_3': \<open>\<parallel>\<xi>\<parallel> < r \<Longrightarrow> \<parallel>f *\<^sub>v (x + \<xi>)\<parallel> \<in> (\<lambda>\<xi>. \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` ball 0 r\<close> for \<xi>::'a
+    by (simp add: norm_2')
+  have Sup_3'': \<open>\<parallel>\<xi>\<parallel> < r \<Longrightarrow> \<parallel>f *\<^sub>v (x - \<xi>)\<parallel> \<in> (\<lambda>\<xi>. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` ball 0 r\<close> for \<xi>::'a
+    by (simp add: norm_2)  
+  have Sup_3: \<open>max (SUP \<xi>\<in>ball 0 r. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) (SUP \<xi>\<in>ball 0 r.  \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) =
+        (SUP \<xi>\<in>ball 0 r. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>)\<close>
+  proof-
+    have \<open>(\<lambda>\<xi>. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` (ball 0 r) = (\<lambda>\<xi>. \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` (ball 0 r)\<close>
+      apply auto using Sup_3' apply auto using Sup_3'' by blast
+    hence \<open>Sup ((\<lambda>\<xi>. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` (ball 0 r))=Sup ((\<lambda>\<xi>. \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` (ball 0 r))\<close>
+      by simp
+    thus ?thesis by simp
+  qed
+  have Sup_1: \<open>Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` (ball 0 r)) \<le> Sup ( (\<lambda>\<xi>. \<parallel>f *\<^sub>v \<xi>\<parallel>) ` (ball x r) )\<close> 
+  proof-
+    have \<open>(\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) \<xi> \<le> max \<parallel>f *\<^sub>v (x + \<xi>)\<parallel> \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>\<close> for \<xi>
+      apply(rule linear_plus_norm) apply (rule bounded_linear.linear)
+      by (simp add: blinfun.bounded_linear_right)
+    moreover have \<open>bdd_above ((\<lambda> \<xi>. max \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>  \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` (ball 0 r))\<close> 
+      using bdd_above_1 by blast
+    moreover have \<open>ball (0::'a) r \<noteq> {}\<close>
+      using \<open>r > 0\<close> by auto      
+    ultimately have \<open>Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` (ball 0 r)) \<le>
+                     Sup ((\<lambda>\<xi>. max \<parallel>f *\<^sub>v (x + \<xi>)\<parallel> \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` (ball 0 r))\<close>
+      using cSUP_mono by smt 
+    also have \<open>\<dots> = max (Sup ((\<lambda>\<xi>.  \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` (ball 0 r)))
+                        (Sup ((\<lambda>\<xi>. \<parallel>f *\<^sub>v (x - \<xi>)\<parallel>) ` (ball 0 r)))\<close> 
+      using Sup_2 by blast
+    also have \<open>\<dots> = Sup ((\<lambda>\<xi>. \<parallel>f *\<^sub>v (x + \<xi>)\<parallel>) ` (ball 0 r))\<close>
+      using Sup_3 by blast
+    also have \<open>\<dots> = Sup ((\<lambda>\<xi>. \<parallel>f *\<^sub>v \<xi>\<parallel>) ` (ball x r))\<close>
+      by (metis  add.right_neutral ball_translation image_image)      
+    finally show ?thesis by blast
+  qed
+  have \<open>\<parallel>f\<parallel> = (SUP x\<in>ball 0 r. \<parallel>f *\<^sub>v x\<parallel>) / r\<close>
+    using \<open>0 < r\<close> onorm_r by blast
+  moreover have \<open>Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` (ball 0 r)) / r \<le> Sup ((\<lambda>\<xi>. \<parallel>f *\<^sub>v \<xi>\<parallel>) ` (ball x r)) / r\<close>
+    using Sup_1 \<open>0 < r\<close> divide_right_mono by fastforce 
+  ultimately have \<open>\<parallel>f\<parallel> \<le> Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball x r) / r\<close>
+    by simp
+  thus ?thesis by simp    
+qed
+
+lemma onorm_Sup_on_ball':
+  includes notation_norm
+  assumes \<open>r > 0\<close> and \<open>\<tau> < 1\<close>
+  shows \<open>\<exists>\<xi>\<in>ball x r.  \<tau> * r * \<parallel>f\<parallel> \<le> \<parallel>f *\<^sub>v \<xi>\<parallel>\<close>
+  text \<open>                 
+  In the proof of Banach-Steinhaus theorem, we will use this variation of the 
+  lemma @{text onorm_Sup_on_ball}.
+
+  Explanation: Let \<^term>\<open>f\<close> be a bounded operator, let \<^term>\<open>x\<close> be a point and let \<^term>\<open>r\<close> be a 
+  positive real number. For any real number \<^term>\<open>\<tau> < 1\<close>, there is a point \<^term>\<open>\<xi>\<close> in the open ball 
+  of radius \<^term>\<open>r\<close> around \<^term>\<open>x\<close> such that \<^term>\<open>\<tau> * r * \<parallel>f\<parallel> \<le> \<parallel>f *\<^sub>v \<xi>\<parallel>\<close>.
+\<close>
+proof(cases  \<open>f = 0\<close>)
+  case True
+  thus ?thesis by (metis assms(1) centre_in_ball mult_zero_right norm_zero order_refl 
+        zero_blinfun.rep_eq) 
+next
+  case False
+  have bdd_above_1: \<open>bdd_above ((\<lambda>t. \<parallel>(*\<^sub>v) f t\<parallel>) ` ball x r)\<close> for f::\<open>'a \<Rightarrow>\<^sub>L 'b\<close>
+    using assms(1) bounded_linear_image by (simp add: bounded_linear_image 
+        blinfun.bounded_linear_right bounded_imp_bdd_above bounded_norm_comp) 
+  have  \<open>norm f > 0\<close>
+    using \<open>f \<noteq> 0\<close> by auto
+  have \<open>norm f \<le>  Sup ( (\<lambda>\<xi>.  \<parallel>(*\<^sub>v) f \<xi>\<parallel>) ` (ball x r) ) / r\<close>
+    using \<open>r > 0\<close> by (simp add: onorm_Sup_on_ball)  
+  hence \<open>r * norm f \<le>  Sup ( (\<lambda>\<xi>.  \<parallel>(*\<^sub>v) f \<xi>\<parallel>) ` (ball x r) )\<close>
+    using \<open>0 < r\<close> by (smt divide_strict_right_mono nonzero_mult_div_cancel_left) 
+  moreover have \<open>\<tau> * r * norm f < r * norm f\<close>
+    using  \<open>\<tau> < 1\<close> using \<open>0 < norm f\<close> \<open>0 < r\<close> by auto
+  ultimately have \<open>\<tau> * r * norm f < Sup ( (norm \<circ> ((*\<^sub>v) f)) ` (ball x r) )\<close>
+    by simp
+  moreover have \<open>(norm \<circ> ( (*\<^sub>v) f)) ` (ball x r) \<noteq> {}\<close>
+    using \<open>0 < r\<close> by auto    
+  moreover have \<open>bdd_above ((norm \<circ> ( (*\<^sub>v) f)) ` (ball x r))\<close>
+    using bdd_above_1 apply transfer by simp
+  ultimately have \<open>\<exists>t \<in> (norm \<circ> ( (*\<^sub>v) f)) ` (ball x r). \<tau> * r * norm f < t\<close> 
+    by (simp add: less_cSup_iff)    
+  thus ?thesis by (smt comp_def image_iff) 
+qed
+
+subsection \<open>Banach-Steinhaus theorem\<close>
+
+theorem banach_steinhaus:
+  fixes f::\<open>'c \<Rightarrow> ('a::banach \<Rightarrow>\<^sub>L 'b::real_normed_vector)\<close>
+  assumes \<open>\<And>x. bounded (range (\<lambda>n. (f n) *\<^sub>v x))\<close>
+  shows  \<open>bounded (range f)\<close>
+  text\<open>
+  This is Banach-Steinhaus Theorem.
+
+  Explanation: If a family of bounded operators on a Banach space
+  is pointwise bounded, then it is uniformly bounded.
+\<close>
+proof(rule classical)
+  assume \<open>\<not>(bounded (range f))\<close>
+  have sum_1: \<open>\<exists>K. \<forall>n. sum (\<lambda>k. inverse (real_of_nat 3^k)) {0..n} \<le> K\<close>
+  proof-
+    have \<open>summable (\<lambda>n. (inverse (real_of_nat 3))^n)\<close>
+      using Series.summable_geometric_iff [where c = "inverse (real_of_nat 3)"] by auto
+    moreover have \<open>(inverse (real_of_nat 3))^n = inverse (real_of_nat 3^n)\<close> for n::nat
+      using power_inverse by blast        
+    ultimately have \<open>summable (\<lambda>n. inverse (real_of_nat 3^n))\<close>
+      by auto
+    hence \<open>bounded (range (\<lambda>n. sum (\<lambda> k. inverse (real 3 ^ k)) {0..<n}))\<close>
+      using summable_imp_sums_bounded[where f = "(\<lambda>n. inverse (real_of_nat 3^n))"]
+        lessThan_atLeast0 by auto
+    hence \<open>\<exists>M. \<forall>h\<in>(range (\<lambda>n. sum (\<lambda> k. inverse (real 3 ^ k)) {0..<n})). norm h \<le> M\<close>
+      using bounded_iff by blast
+    then obtain M where \<open>h\<in>range (\<lambda>n. sum (\<lambda> k. inverse (real 3 ^ k)) {0..<n}) \<Longrightarrow> norm h \<le> M\<close> 
+      for h
+      by blast      
+    have sum_2: \<open>sum (\<lambda>k. inverse (real_of_nat 3^k)) {0..n} \<le> M\<close> for n
+    proof-
+      have  \<open>norm (sum (\<lambda> k. inverse (real 3 ^ k)) {0..< Suc n}) \<le> M\<close>
+        using \<open>\<And>h. h\<in>(range (\<lambda>n. sum (\<lambda> k. inverse (real 3 ^ k)) {0..<n})) \<Longrightarrow> norm h \<le> M\<close> 
+        by blast
+      hence  \<open>norm (sum (\<lambda> k. inverse (real 3 ^ k)) {0..n}) \<le> M\<close>
+        by (simp add: atLeastLessThanSuc_atLeastAtMost)        
+      hence  \<open>(sum (\<lambda> k. inverse (real 3 ^ k)) {0..n}) \<le> M\<close>
+        by auto
+      thus ?thesis  by blast
+    qed
+    have \<open>sum (\<lambda>k. inverse (real_of_nat 3^k)) {0..n} \<le> M\<close> for n 
+      using sum_2 by blast
+    thus ?thesis  by blast
+  qed
+  have \<open>of_rat 2/3 < (1::real)\<close>
+    by auto
+  hence \<open>\<forall>g::'a \<Rightarrow>\<^sub>L 'b. \<forall>x. \<forall>r. \<exists>\<xi>. g \<noteq> 0 \<and> r > 0
+               \<longrightarrow> (\<xi>\<in>ball x r \<and> (of_rat 2/3) * r * norm g \<le> norm ((*\<^sub>v) g \<xi>))\<close> 
+    using onorm_Sup_on_ball' by blast
+  hence \<open>\<exists>\<xi>. \<forall>g::'a \<Rightarrow>\<^sub>L 'b. \<forall>x. \<forall>r. g \<noteq> 0 \<and> r > 0
+           \<longrightarrow> ((\<xi> g x r)\<in>ball x r \<and> (of_rat 2/3) * r * norm g \<le> norm ((*\<^sub>v) g (\<xi> g x r)))\<close> 
+    by metis
+  then obtain \<xi> where f1: \<open>\<lbrakk>g \<noteq> 0; r > 0\<rbrakk> \<Longrightarrow> 
+        \<xi> g x r \<in> ball x r \<and>  (of_rat 2/3) * r * norm g \<le> norm ((*\<^sub>v) g (\<xi> g x r))\<close>
+    for g::\<open>'a \<Rightarrow>\<^sub>L 'b\<close> and x and r
+    by blast
+  have \<open>\<forall>n. \<exists>k. norm (f k) \<ge> 4^n\<close>
+    using \<open>\<not>(bounded (range f))\<close> by (metis (mono_tags, hide_lams) boundedI image_iff linear)
+  hence  \<open>\<exists>k. \<forall>n. norm (f (k n)) \<ge> 4^n\<close>
+    by metis
+  hence  \<open>\<exists>k. \<forall>n. norm ((f \<circ> k) n) \<ge> 4^n\<close>
+    by simp
+  then obtain k where \<open>norm ((f \<circ> k) n) \<ge> 4^n\<close> for n
+    by blast
+  define T where \<open>T = f \<circ> k\<close>
+  have \<open>T n \<in> range f\<close> for n
+    unfolding T_def by simp        
+  have \<open>norm (T n) \<ge> of_nat (4^n)\<close> for n
+    unfolding T_def using \<open>\<And> n. norm ((f \<circ> k) n) \<ge> 4^n\<close> by auto
+  hence \<open>T n \<noteq> 0\<close> for n
+    by (smt T_def \<open>\<And>n. 4 ^ n \<le> norm ((f \<circ> k) n)\<close> norm_zero power_not_zero zero_le_power)
+  have \<open>inverse (of_nat 3^n) > (0::real)\<close> for n
+    by auto
+  define y::\<open>nat \<Rightarrow> 'a\<close> where \<open>y = rec_nat 0 (\<lambda>n x. \<xi> (T n) x (inverse (of_nat 3^n)))\<close>
+  have \<open>y (Suc n) \<in> ball (y n) (inverse (of_nat 3^n))\<close> for n
+    using f1 \<open>\<And> n. T n \<noteq> 0\<close> \<open>\<And> n. inverse (of_nat 3^n) > 0\<close> unfolding y_def by auto
+  hence \<open>norm (y (Suc n) - y n) \<le> inverse (of_nat 3^n)\<close> for n
+    unfolding ball_def apply auto using dist_norm by (smt norm_minus_commute) 
+  moreover have \<open>\<exists>K. \<forall>n. sum (\<lambda>k. inverse (real_of_nat 3^k)) {0..n} \<le> K\<close>
+    using sum_1 by blast
+  moreover have \<open>Cauchy y\<close>
+    using convergent_series_Cauchy[where a = "\<lambda>n. inverse (of_nat 3^n)" and \<phi> = y] dist_norm
+    by (metis calculation(1) calculation(2))
+  hence \<open>\<exists> x. y \<longlonglongrightarrow> x\<close>
+    by (simp add: convergent_eq_Cauchy)
+  then obtain x where \<open>y \<longlonglongrightarrow> x\<close>
+    by blast
+  have norm_2: \<open>norm (x - y (Suc n)) \<le> (inverse (of_nat 2))*(inverse (of_nat 3^n))\<close> for n
+  proof-
+    have \<open>inverse (real_of_nat 3) < 1\<close>
+      by simp        
+    moreover have \<open>y 0 = 0\<close>
+      using y_def by auto
+    ultimately have \<open>norm (x - y (Suc n)) 
+    \<le> (inverse (of_nat 3)) * inverse (1 - (inverse (of_nat 3))) * ((inverse (of_nat 3)) ^ n)\<close>
+      using bound_Cauchy_to_lim[where c = "inverse (of_nat 3)" and y = y and x = x]
+        power_inverse semiring_norm(77)  \<open>y \<longlonglongrightarrow> x\<close>
+        \<open>\<And> n. norm (y (Suc n) - y n) \<le> inverse (of_nat 3^n)\<close> by (metis divide_inverse)
+    moreover have \<open>inverse (real_of_nat 3) * inverse (1 - (inverse (of_nat 3)))
+                   = inverse (of_nat 2)\<close>
+      by auto
+    ultimately show ?thesis 
+      by (metis power_inverse) 
+  qed
+  have \<open>norm (x - y (Suc n)) \<le> (inverse (of_nat 2))*(inverse (of_nat 3^n))\<close> for n
+    using norm_2 by blast
+  have \<open>\<exists> M. \<forall> n. norm ((*\<^sub>v) (T n) x) \<le> M\<close>
+    unfolding T_def apply auto
+    by (metis \<open>\<And>x. bounded (range (\<lambda>n. (*\<^sub>v) (f n) x))\<close> bounded_iff rangeI)
+  then obtain M where \<open>norm ((*\<^sub>v) (T n) x) \<le> M\<close> for n
+    by blast
+  have norm_1: \<open>norm (T n) * norm (y (Suc n) - x) + norm ((*\<^sub>v) (T n) x)
+       \<le> inverse (real 2) * inverse (real 3 ^ n) * norm (T n) + norm ((*\<^sub>v) (T n) x)\<close> for n
+  proof-   
+    have \<open>norm (y (Suc n) - x) \<le> (inverse (of_nat 2))*(inverse (of_nat 3^n))\<close>
+      using \<open>norm (x - y (Suc n)) \<le> (inverse (of_nat 2))*(inverse (of_nat 3^n))\<close> 
+      by (simp add: norm_minus_commute)
+    moreover have \<open>norm (T n) \<ge> 0\<close>
+      by auto
+    ultimately have \<open>norm (T n) * norm (y (Suc n) - x) 
+                     \<le> (inverse (of_nat 2))*(inverse (of_nat 3^n))*norm (T n)\<close>
+      by (simp add: \<open>\<And>n. T n \<noteq> 0\<close>)
+    thus ?thesis by simp      
+  qed 
+  have inverse_2: \<open>(inverse (of_nat 6)) * inverse (real 3 ^ n) * norm (T n) 
+                  \<le> norm ((*\<^sub>v) (T n) x)\<close> for n
+  proof-
+    have \<open>(of_rat 2/3)*(inverse (of_nat 3^n))*norm (T n) \<le> norm ((*\<^sub>v) (T n) (y (Suc n)))\<close> 
+      using f1 \<open>\<And> n. T n \<noteq> 0\<close> \<open>\<And> n. inverse (of_nat 3^n) > 0\<close> unfolding y_def by auto
+    also have \<open>\<dots> = norm ((*\<^sub>v) (T n) ((y (Suc n) - x) + x))\<close>
+      by auto
+    also have \<open>\<dots> = norm ((*\<^sub>v) (T n) (y (Suc n) - x) + (*\<^sub>v) (T n) x)\<close>
+      apply transfer apply auto by (metis diff_add_cancel linear_simps(1))
+    also have \<open>\<dots> \<le> norm ((*\<^sub>v) (T n) (y (Suc n) - x)) + norm ((*\<^sub>v) (T n) x)\<close>
+      by (simp add: norm_triangle_ineq)
+    also have \<open>\<dots> \<le> norm (T n) * norm (y (Suc n) - x) + norm ((*\<^sub>v) (T n) x)\<close>
+      apply transfer apply auto using onorm by auto 
+    also have \<open>\<dots> \<le> (inverse (of_nat 2))*(inverse (of_nat 3^n))*norm (T n) 
+                + norm ((*\<^sub>v) (T n) x)\<close>
+      using norm_1 by blast
+    finally have \<open>(of_rat 2/3) * inverse (real 3 ^ n) * norm (T n)
+                \<le> inverse (real 2) * inverse (real 3 ^ n) * norm (T n) 
+                + norm ((*\<^sub>v) (T n) x)\<close>
+      by blast
+    hence \<open>(of_rat 2/3) * inverse (real 3 ^ n) * norm (T n) 
+             - inverse (real 2) * inverse (real 3 ^ n) * norm (T n) \<le> norm ((*\<^sub>v) (T n) x)\<close>
+      by linarith
+    moreover have \<open>(of_rat 2/3) * inverse (real 3 ^ n) * norm (T n) 
+             - inverse (real 2) * inverse (real 3 ^ n) * norm (T n)
+             = (inverse (of_nat 6)) * inverse (real 3 ^ n) * norm (T n)\<close>
+      by fastforce
+    ultimately show \<open>(inverse (of_nat 6)) * inverse (real 3 ^ n) * norm (T n) \<le> norm ((*\<^sub>v) (T n) x)\<close>
+      by linarith      
+  qed
+  have inverse_3: \<open>(inverse (of_nat 6)) * (of_rat (4/3)^n) 
+                    \<le> (inverse (of_nat 6)) * inverse (real 3 ^ n) * norm (T n)\<close> for n
+  proof-
+    have \<open>of_rat (4/3)^n = inverse (real 3 ^ n) * (of_nat 4^n)\<close>
+      apply auto by (metis divide_inverse_commute of_rat_divide power_divide of_rat_numeral_eq) 
+    also have \<open>\<dots> \<le>  inverse (real 3 ^ n) * norm (T n)\<close>
+      using \<open>\<And>n. norm (T n) \<ge> of_nat (4^n)\<close> by simp
+    finally have \<open>of_rat (4/3)^n \<le> inverse (real 3 ^ n) * norm (T n)\<close>
+      by blast
+    moreover have \<open>inverse (of_nat 6) > (0::real)\<close>
+      by auto
+    ultimately show ?thesis by auto
+  qed
+  have inverse_1: \<open>(inverse (of_nat 6)) * (of_rat (4/3)^n) \<le> M\<close> for n
+  proof-
+    have \<open>(inverse (of_nat 6)) * (of_rat (4/3)^n) 
+          \<le> (inverse (of_nat 6)) * inverse (real 3 ^ n) * norm (T n)\<close> 
+      using inverse_3 by blast
+    also have \<open>\<dots> \<le> norm ((*\<^sub>v) (T n) x)\<close> 
+      using inverse_2 by blast
+    finally have \<open>(inverse (of_nat 6)) * (of_rat (4/3)^n) \<le> norm ((*\<^sub>v) (T n) x)\<close>
+      by auto
+    thus ?thesis using \<open>\<And> n. norm ((*\<^sub>v) (T n) x) \<le> M\<close> by smt
+  qed
+  have \<open>\<exists>n. M < (inverse (of_nat 6)) * (of_rat (4/3)^n)\<close>
+    using Real.real_arch_pow by auto
+  moreover have \<open>(inverse (of_nat 6)) * (of_rat (4/3)^n) \<le> M\<close> for n
+    using inverse_1 by blast                      
+  ultimately show ?thesis by smt
+qed
+
+subsection \<open>A consequence of Banach-Steinhaus theorem\<close>
+
+corollary bounded_linear_limit_bounded_linear:
+  fixes f::\<open>nat \<Rightarrow> ('a::banach \<Rightarrow>\<^sub>L 'b::real_normed_vector)\<close>
+  assumes \<open>\<And>x. convergent (\<lambda>n. (f n) *\<^sub>v x)\<close>
+  shows  \<open>\<exists>g. (\<lambda>n. (*\<^sub>v) (f n)) \<midarrow>pointwise\<rightarrow> (*\<^sub>v) g\<close>
+  text\<open>
+  Explanation: If a sequence of bounded operators on a Banach space converges
+  pointwise, then the limit is also a bounded operator.
+\<close>
+proof-
+  have \<open>\<exists>l. (\<lambda>n. (*\<^sub>v) (f n) x) \<longlonglongrightarrow> l\<close> for x
+    by (simp add:  \<open>\<And>x. convergent (\<lambda>n. (*\<^sub>v) (f n) x)\<close> convergentD)
+  hence \<open>\<exists>F. (\<lambda>n. (*\<^sub>v) (f n)) \<midarrow>pointwise\<rightarrow> F\<close>
+    unfolding pointwise_convergent_to_def by metis
+  obtain F where \<open>(\<lambda>n. (*\<^sub>v) (f n)) \<midarrow>pointwise\<rightarrow> F\<close>
+    using \<open>\<exists>F. (\<lambda>n. (*\<^sub>v) (f n)) \<midarrow>pointwise\<rightarrow> F\<close> by auto
+  have \<open>\<And>x. (\<lambda> n. (*\<^sub>v) (f n) x) \<longlonglongrightarrow> F x\<close>
+    using \<open>(\<lambda>n. (*\<^sub>v) (f n)) \<midarrow>pointwise\<rightarrow> F\<close> apply transfer
+    by (simp add: pointwise_convergent_to_def)
+  have \<open>bounded (range f)\<close>
+    using \<open>\<And>x. convergent (\<lambda>n. (*\<^sub>v) (f n) x)\<close> banach_steinhaus
+      \<open>\<And>x. \<exists>l. (\<lambda>n. (*\<^sub>v) (f n) x) \<longlonglongrightarrow> l\<close> convergent_imp_bounded by blast
+  have norm_f_n: \<open>\<exists> M. \<forall> n. norm (f n) \<le> M\<close>
+    unfolding bounded_def
+    by (meson UNIV_I \<open>bounded (range f)\<close> bounded_iff image_eqI)
+  have \<open>isCont (\<lambda> t::'b. norm t) y\<close> for y::'b
+    using Limits.isCont_norm by simp
+  hence \<open>(\<lambda> n. norm ((*\<^sub>v) (f n) x)) \<longlonglongrightarrow> (norm (F x))\<close> for x
+    using \<open>\<And> x::'a. (\<lambda> n. (*\<^sub>v) (f n) x) \<longlonglongrightarrow> F x\<close> by (simp add: tendsto_norm)
+  hence norm_f_n_x: \<open>\<exists> M. \<forall> n. norm ((*\<^sub>v) (f n) x) \<le> M\<close> for x
+    using Elementary_Metric_Spaces.convergent_imp_bounded
+    by (metis UNIV_I \<open>\<And> x::'a. (\<lambda> n. (*\<^sub>v) (f n) x) \<longlonglongrightarrow> F x\<close> bounded_iff image_eqI)
+  have norm_f: \<open>\<exists>K. \<forall>n. \<forall>x. norm ((*\<^sub>v) (f n) x) \<le> norm x * K\<close>
+  proof-
+    have \<open>\<exists> M. \<forall> n. norm ((*\<^sub>v) (f n) x) \<le> M\<close> for x
+      using norm_f_n_x  \<open>\<And>x. (\<lambda>n. (*\<^sub>v) (f n) x) \<longlonglongrightarrow> F x\<close> by blast
+    hence \<open>\<exists> M. \<forall> n. norm (f n) \<le> M\<close>
+      using norm_f_n by simp 
+    then obtain M::real where \<open>\<exists> M. \<forall> n. norm (f n) \<le> M\<close>
+      by blast
+    have \<open>\<forall> n. \<forall>x. norm ((*\<^sub>v) (f n) x) \<le> norm x * norm (f n)\<close>
+      apply transfer apply auto by (metis mult.commute onorm) 
+    thus  ?thesis using \<open>\<exists> M. \<forall> n. norm (f n) \<le> M\<close>
+      by (metis (no_types, hide_lams) dual_order.trans norm_eq_zero order_refl 
+          real_mult_le_cancel_iff2 vector_space_over_itself.scale_zero_left zero_less_norm_iff)
+  qed 
+  have norm_F_x: \<open>\<exists>K. \<forall>x. norm (F x) \<le> norm x * K\<close>
+  proof-
+    have "\<exists>K. \<forall>n. \<forall>x. norm ((*\<^sub>v) (f n) x) \<le> norm x * K"
+      using norm_f \<open>\<And>x. (\<lambda>n. (*\<^sub>v) (f n) x) \<longlonglongrightarrow> F x\<close> by auto
+    thus ?thesis
+      using  \<open>\<And> x::'a. (\<lambda> n. (*\<^sub>v) (f n)  x) \<longlonglongrightarrow> F x\<close> apply transfer 
+      by (metis Lim_bounded tendsto_norm)   
+  qed
+  have \<open>linear F\<close>
+  proof(rule linear_limit_linear)
+    show \<open>linear ((*\<^sub>v) (f n))\<close> for n
+      apply transfer apply auto by (simp add: bounded_linear.linear) 
+    show \<open>f \<midarrow>pointwise\<rightarrow> F\<close>
+      using \<open>(\<lambda>n. (*\<^sub>v) (f n)) \<midarrow>pointwise\<rightarrow> F\<close> by auto
+  qed
+  moreover have \<open>bounded_linear_axioms F\<close>
+    using norm_F_x by (simp add: \<open>\<And>x. (\<lambda>n. (*\<^sub>v) (f n) x) \<longlonglongrightarrow> F x\<close> bounded_linear_axioms_def) 
+  ultimately have \<open>bounded_linear F\<close> 
+    unfolding bounded_linear_def by blast
+  hence \<open>\<exists>g. (*\<^sub>v) g = F\<close>
+    using bounded_linear_Blinfun_apply by auto
+  thus ?thesis using \<open>(\<lambda>n. (*\<^sub>v) (f n)) \<midarrow>pointwise\<rightarrow> F\<close> apply transfer by auto
+qed
+
+end
diff --git a/thys/Banach_Steinhaus/Banach_Steinhaus_Missing.thy b/thys/Banach_Steinhaus/Banach_Steinhaus_Missing.thy
new file mode 100644
--- /dev/null
+++ b/thys/Banach_Steinhaus/Banach_Steinhaus_Missing.thy
@@ -0,0 +1,898 @@
+(*
+  File:   Banach_Steinhaus_Missing.thy
+  Author: Dominique Unruh, University of Tartu
+  Author: Jose Manuel Rodriguez Caballero, University of Tartu
+*)
+section \<open>Missing results for the proof of Banach-Steinhaus theorem\<close>
+
+theory Banach_Steinhaus_Missing
+  imports
+    "HOL-Analysis.Infinite_Set_Sum"
+
+begin
+subsection \<open>Results missing for the proof of Banach-Steinhaus theorem\<close>
+text \<open>
+  The results proved here are preliminaries for the proof of Banach-Steinhaus theorem using Sokal's 
+  approach, but they do not explicitly appear in Sokal's paper ~\cite{sokal2011reall}.
+\<close>
+
+text\<open>Notation for the norm\<close>
+bundle notation_norm begin
+notation norm ("\<parallel>_\<parallel>")
+end
+
+bundle no_notation_norm begin
+no_notation norm ("\<parallel>_\<parallel>")
+end
+
+unbundle notation_norm
+
+text\<open>Notation for apply bilinear function\<close>
+bundle notation_blinfun_apply begin
+notation blinfun_apply (infixr "*\<^sub>v" 70)
+end
+
+bundle no_notation_blinfun_apply begin
+no_notation blinfun_apply (infixr "*\<^sub>v" 70)
+end
+
+unbundle notation_blinfun_apply
+
+lemma bdd_above_plus:
+  fixes f::\<open>'a \<Rightarrow> real\<close>
+  assumes \<open>bdd_above (f ` S)\<close> and \<open>bdd_above (g ` S)\<close> 
+  shows \<open>bdd_above ((\<lambda> x. f x + g x) ` S)\<close>
+  text \<open>
+  Explanation: If the images of two real-valued functions \<^term>\<open>f\<close>,\<^term>\<open>g\<close> are bounded above on a 
+  set \<^term>\<open>S\<close>, then the image of their sum is bounded on \<^term>\<open>S\<close>.
+\<close>
+proof-
+  obtain M where \<open>\<And> x. x\<in>S \<Longrightarrow> f x \<le> M\<close>
+    using \<open>bdd_above (f ` S)\<close> unfolding bdd_above_def by blast
+  obtain N where \<open>\<And> x. x\<in>S \<Longrightarrow> g x \<le> N\<close>
+    using \<open>bdd_above (g ` S)\<close> unfolding bdd_above_def by blast
+  have \<open>\<And> x. x\<in>S \<Longrightarrow> f x + g x \<le> M + N\<close>
+    using \<open>\<And>x. x \<in> S \<Longrightarrow> f x \<le> M\<close> \<open>\<And>x. x \<in> S \<Longrightarrow> g x \<le> N\<close> by fastforce
+  thus ?thesis unfolding bdd_above_def by blast
+qed
+
+text\<open>The maximum of two functions\<close>
+definition pointwise_max:: "('a \<Rightarrow> 'b::ord) \<Rightarrow> ('a \<Rightarrow> 'b) \<Rightarrow> ('a \<Rightarrow> 'b)" where
+  \<open>pointwise_max f g = (\<lambda>x. max (f x) (g x))\<close>
+
+lemma max_Sup_absorb_left:
+  fixes f g::\<open>'a \<Rightarrow> real\<close>
+  assumes \<open>X \<noteq> {}\<close> and \<open>bdd_above (f ` X)\<close> and \<open>bdd_above (g ` X)\<close> and \<open>Sup (f ` X) \<ge> Sup (g ` X)\<close>
+  shows \<open>Sup ((pointwise_max f g) ` X) = Sup (f ` X)\<close>
+
+  text \<open>Explanation: For real-valued functions \<^term>\<open>f\<close> and \<^term>\<open>g\<close>, if the supremum of \<^term>\<open>f\<close> is 
+    greater-equal the supremum of \<^term>\<open>g\<close>, then the supremum of \<^term>\<open>max f g\<close> equals the supremum of
+    \<^term>\<open>f\<close>. (Under some technical conditions.)\<close>
+
+proof-
+  have y_Sup: \<open>y \<in> ((\<lambda> x. max (f x) (g x)) ` X) \<Longrightarrow> y \<le> Sup (f ` X)\<close> for y
+  proof-
+    assume \<open>y \<in> ((\<lambda> x. max (f x) (g x)) ` X)\<close>
+    then obtain x where \<open>y = max (f x) (g x)\<close> and \<open>x \<in> X\<close>
+      by blast
+    have \<open>f x \<le> Sup (f ` X)\<close>
+      by (simp add:  \<open>x \<in> X\<close> \<open>bdd_above (f ` X)\<close> cSUP_upper) 
+    moreover have  \<open>g x \<le> Sup (g ` X)\<close>
+      by (simp add:  \<open>x \<in> X\<close> \<open>bdd_above (g ` X)\<close> cSUP_upper) 
+    ultimately have \<open>max (f x) (g x) \<le> Sup (f ` X)\<close>
+      using  \<open>Sup (f ` X) \<ge> Sup (g ` X)\<close> by auto
+    thus ?thesis by (simp add: \<open>y = max (f x) (g x)\<close>) 
+  qed
+  have y_f_X: \<open>y \<in> f ` X \<Longrightarrow> y \<le> Sup ((\<lambda> x. max (f x) (g x)) ` X)\<close> for y
+  proof-
+    assume \<open>y \<in> f ` X\<close>
+    then obtain x where \<open>x \<in> X\<close> and \<open>y = f x\<close>
+      by blast
+    have  \<open>bdd_above ((\<lambda> \<xi>. max (f \<xi>) (g \<xi>)) ` X)\<close>
+      by (metis (no_types) \<open>bdd_above (f ` X)\<close> \<open>bdd_above (g ` X)\<close> bdd_above_image_sup sup_max)
+    moreover have \<open>e > 0 \<Longrightarrow> \<exists> k \<in> (\<lambda> \<xi>. max (f \<xi>) (g \<xi>)) ` X. y \<le> k + e\<close>
+      for e::real
+      using \<open>Sup (f ` X) \<ge> Sup (g ` X)\<close> by (smt \<open>x \<in> X\<close> \<open>y = f x\<close> image_eqI)        
+    ultimately show ?thesis
+      using \<open>x \<in> X\<close> \<open>y = f x\<close> cSUP_upper by fastforce
+  qed
+  have \<open>Sup ((\<lambda> x. max (f x) (g x)) ` X) \<le> Sup (f ` X)\<close>
+    using y_Sup by (simp add: \<open>X \<noteq> {}\<close> cSup_least) 
+  moreover have \<open>Sup ((\<lambda> x. max (f x) (g x)) ` X) \<ge> Sup (f ` X)\<close>
+    using y_f_X by (metis (mono_tags) cSup_least calculation empty_is_image)  
+  ultimately show ?thesis unfolding pointwise_max_def by simp
+qed
+
+lemma max_Sup_absorb_right:
+  fixes f g::\<open>'a \<Rightarrow> real\<close>
+  assumes \<open>X \<noteq> {}\<close> and \<open>bdd_above (f ` X)\<close> and \<open>bdd_above (g ` X)\<close> and \<open>Sup (f ` X) \<le> Sup (g ` X)\<close>
+  shows \<open>Sup ((pointwise_max f g) ` X) = Sup (g ` X)\<close>
+  text \<open>
+  Explanation: For real-valued functions \<^term>\<open>f\<close> and \<^term>\<open>g\<close> and a nonempty set \<^term>\<open>X\<close>, such that 
+  the \<^term>\<open>f\<close> and \<^term>\<open>g\<close> are bounded above on \<^term>\<open>X\<close>, if the supremum of \<^term>\<open>f\<close> on \<^term>\<open>X\<close> is 
+  lower-equal the supremum of \<^term>\<open>g\<close> on \<^term>\<open>X\<close>, then the supremum of \<^term>\<open>pointwise_max f g\<close> on \<^term>\<open>X\<close>
+  equals the supremum of \<^term>\<open>g\<close>. This is the right analog of @{text max_Sup_absorb_left}.
+\<close>
+proof-
+  have \<open>Sup ((pointwise_max g f) ` X) = Sup (g ` X)\<close>
+    using  assms by (simp add: max_Sup_absorb_left)     
+  moreover have \<open>pointwise_max g f = pointwise_max f g\<close>
+    unfolding pointwise_max_def  by auto
+  ultimately show ?thesis by simp
+qed
+
+lemma max_Sup:
+  fixes f g::\<open>'a \<Rightarrow> real\<close>
+  assumes \<open>X \<noteq> {}\<close> and \<open>bdd_above (f ` X)\<close> and \<open>bdd_above (g ` X)\<close>
+  shows \<open>Sup ((pointwise_max f g) ` X) = max (Sup (f ` X)) (Sup (g ` X))\<close>
+  text \<open>
+  Explanation: Let \<^term>\<open>X\<close> be a nonempty set. Two supremum over \<^term>\<open>X\<close> of the maximum of two 
+  real-value functions is equal to the maximum of their suprema over \<^term>\<open>X\<close>, provided that the
+  functions are bounded above on \<^term>\<open>X\<close>.
+\<close>
+proof(cases \<open>Sup (f ` X) \<ge> Sup (g ` X)\<close>)
+  case True thus ?thesis by (simp add: assms(1) assms(2) assms(3) max_Sup_absorb_left)
+next
+  case False 
+  have f1: "\<not> 0 \<le> Sup (f ` X) + - 1 * Sup (g ` X)"
+    using False by linarith
+  hence "Sup (Banach_Steinhaus_Missing.pointwise_max f g ` X) = Sup (g ` X)"
+    by (simp add: assms(1) assms(2) assms(3) max_Sup_absorb_right)
+  thus ?thesis
+    using f1 by linarith
+qed
+
+
+lemma identity_telescopic:
+  fixes x :: \<open>_ \<Rightarrow> 'a::real_normed_vector\<close>
+  assumes \<open>x \<longlonglongrightarrow> l\<close>
+  shows \<open>(\<lambda> N. sum (\<lambda> k. x (Suc k) - x k) {n..N}) \<longlonglongrightarrow> l - x n\<close>
+  text\<open>
+  Expression of a limit as a telescopic series.
+  Explanation: If \<^term>\<open>x\<close> converges to \<^term>\<open>l\<close> then the sum \<^term>\<open>sum (\<lambda> k. x (Suc k) - x k) {n..N}\<close>
+  converges to \<^term>\<open>l - x n\<close> as \<^term>\<open>N\<close> goes to infinity.
+\<close>
+proof-
+  have \<open>(\<lambda> p. x (p + Suc n)) \<longlonglongrightarrow> l\<close>
+    using \<open>x \<longlonglongrightarrow> l\<close> by (rule LIMSEQ_ignore_initial_segment)
+  hence \<open>(\<lambda> p. x (Suc n + p)) \<longlonglongrightarrow> l\<close>   
+    by (simp add: add.commute)
+  hence \<open>(\<lambda> p. x (Suc (n + p))) \<longlonglongrightarrow> l\<close>
+    by simp 
+  hence \<open>(\<lambda> t. (- (x n)) + (\<lambda> p.  x (Suc (n + p))) t ) \<longlonglongrightarrow> (- (x n))  + l\<close>
+    using tendsto_add_const_iff by metis 
+  hence f1: \<open>(\<lambda> p. x (Suc (n + p)) - x n)\<longlonglongrightarrow> l - x n\<close>
+    by simp
+  have \<open>sum (\<lambda> k. x (Suc k) - x k) {n..n+p} = x (Suc (n+p)) - x n\<close> for p
+    by (simp add: sum_Suc_diff)
+  moreover have \<open>(\<lambda> N. sum (\<lambda> k. x (Suc k) - x k) {n..N}) (n + t) 
+               = (\<lambda> p. sum (\<lambda> k. x (Suc k) - x k) {n..n+p}) t\<close> for t
+    by blast
+  ultimately have  \<open>(\<lambda> p. (\<lambda> N. sum (\<lambda> k. x (Suc k) - x k) {n..N}) (n + p)) \<longlonglongrightarrow> l - x n\<close>
+    using f1 by simp
+  hence \<open>(\<lambda> p. (\<lambda> N. sum (\<lambda> k. x (Suc k) - x k) {n..N}) (p + n)) \<longlonglongrightarrow> l - x n\<close>
+    by (simp add: add.commute)
+  hence  \<open>(\<lambda> p. (\<lambda> N. sum (\<lambda> k. x (Suc k) - x k) {n..N}) p) \<longlonglongrightarrow> l - x n\<close>
+    using Topological_Spaces.LIMSEQ_offset[where f = "(\<lambda> N. sum (\<lambda> k. x (Suc k) - x k) {n..N})" 
+        and a = "l - x n" and k = n] by blast
+  hence  \<open>(\<lambda> M. (\<lambda> N. sum (\<lambda> k. x (Suc k) - x k) {n..N}) M) \<longlonglongrightarrow> l - x n\<close>
+    by simp
+  thus ?thesis by blast
+qed
+
+lemma bound_Cauchy_to_lim:
+  assumes \<open>y \<longlonglongrightarrow> x\<close> and \<open>\<And>n. \<parallel>y (Suc n) - y n\<parallel> \<le> c^n\<close> and \<open>y 0 = 0\<close> and \<open>c < 1\<close>
+  shows \<open>\<parallel>x - y (Suc n)\<parallel> \<le> (c / (1 - c)) * c ^ n\<close>
+  text\<open>
+  Inequality about a sequence of approximations assuming that the sequence of differences is bounded
+  by a geometric progression.
+  Explanation: Let \<^term>\<open>y\<close> be a sequence converging to \<^term>\<open>x\<close>.
+  If \<^term>\<open>y\<close> satisfies the inequality \<open>\<parallel>y (Suc n) - y n\<parallel> \<le> c ^ n\<close> for some \<^term>\<open>c < 1\<close> and 
+  assuming \<^term>\<open>y 0 = 0\<close> then the inequality \<open>\<parallel>x - y (Suc n)\<parallel> \<le> (c / (1 - c)) * c ^ n\<close> holds.
+\<close>
+proof-
+  have \<open>c \<ge> 0\<close>
+    using \<open>\<And> n. \<parallel>y (Suc n) - y n\<parallel> \<le> c^n\<close> by (smt norm_imp_pos_and_ge power_Suc0_right)
+  have norm_1: \<open>norm (\<Sum>k = Suc n..N. y (Suc k) - y k) \<le> (c ^ Suc n)/(1 - c)\<close> for N
+  proof(cases \<open>N < Suc n\<close>)
+    case True
+    hence \<open>\<parallel>sum (\<lambda>k. y (Suc k) - y k) {Suc n .. N}\<parallel> = 0\<close>
+      by auto
+    thus ?thesis  using  \<open>c \<ge> 0\<close> \<open>c < 1\<close> by auto       
+  next
+    case False
+    hence \<open>N \<ge> Suc n\<close>
+      by auto
+    have \<open>c^(Suc N) \<ge> 0\<close>
+      using \<open>c \<ge> 0\<close> by auto
+    have \<open>1 - c > 0\<close>
+      by (simp add: \<open>c < 1\<close>)
+    hence \<open>(1 - c)/(1 - c) = 1\<close>
+      by auto
+    have \<open>\<parallel>sum (\<lambda>k. y (Suc k) - y k) {Suc n .. N}\<parallel> \<le> (sum (\<lambda>k. \<parallel>y (Suc k) - y k\<parallel>) {Suc n .. N})\<close>
+      by (simp add: sum_norm_le)
+    hence \<open>\<parallel>sum (\<lambda>k. y (Suc k) - y k) {Suc n .. N}\<parallel> \<le> (sum (power c) {Suc n .. N})\<close>
+      by (simp add: assms(2) sum_norm_le)
+    hence \<open>(1 - c) * \<parallel>sum (\<lambda>k. y (Suc k) - y k) {Suc n .. N}\<parallel>
+                   \<le> (1 - c) * (sum (power c) {Suc n .. N})\<close>
+      using \<open>0 < 1 - c\<close> real_mult_le_cancel_iff2 by blast      
+    also have \<open>\<dots> = c^(Suc n) - c^(Suc N)\<close>
+      using Set_Interval.sum_gp_multiplied \<open>Suc n \<le> N\<close> by blast
+    also have \<open>\<dots> \<le> c^(Suc n)\<close>
+      using \<open>c^(Suc N) \<ge> 0\<close> by auto
+    finally have \<open>(1 - c) * \<parallel>\<Sum>k = Suc n..N. y (Suc k) - y k\<parallel> \<le> c ^ Suc n\<close>
+      by blast
+    hence \<open>((1 - c) * \<parallel>\<Sum>k = Suc n..N. y (Suc k) - y k\<parallel>)/(1 - c)
+                   \<le> (c ^ Suc n)/(1 - c)\<close>
+      using \<open>0 < 1 - c\<close> by (smt divide_right_mono)      
+    thus \<open>\<parallel>\<Sum>k = Suc n..N. y (Suc k) - y k\<parallel> \<le> (c ^ Suc n)/(1 - c)\<close>
+      using \<open>0 < 1 - c\<close> by auto 
+  qed
+  have \<open>(\<lambda> N. (sum (\<lambda>k. y (Suc k) - y k) {Suc n .. N})) \<longlonglongrightarrow> x - y (Suc n)\<close>
+    by (metis (no_types) \<open>y \<longlonglongrightarrow> x\<close> identity_telescopic)     
+  hence \<open>(\<lambda> N. \<parallel>sum (\<lambda>k. y (Suc k) - y k) {Suc n .. N}\<parallel>) \<longlonglongrightarrow> \<parallel>x - y (Suc n)\<parallel>\<close>
+    using tendsto_norm by blast
+  hence \<open>\<parallel>x - y (Suc n)\<parallel> \<le> (c ^ Suc n)/(1 - c)\<close>
+    using norm_1 Lim_bounded by blast
+  hence  \<open>\<parallel>x - y (Suc n)\<parallel> \<le> (c ^ Suc n)/(1 - c)\<close>
+    by auto
+  moreover have \<open>(c ^ Suc n)/(1 - c) = (c / (1 - c)) * (c ^ n)\<close>
+    by (simp add: divide_inverse_commute)    
+  ultimately show \<open>\<parallel>x - y (Suc n)\<parallel> \<le> (c / (1 - c)) * (c ^ n)\<close> by linarith
+qed
+
+lemma onorm_open_ball:
+  includes notation_norm
+  shows \<open>\<parallel>f\<parallel> = Sup { \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1 }\<close>
+  text \<open>
+  Explanation: Let \<^term>\<open>f\<close> be a bounded linear operator. The operator norm of \<^term>\<open>f\<close> is the
+  supremum of \<^term>\<open>norm (f x)\<close> for \<^term>\<open>x\<close> such that \<^term>\<open>norm x < 1\<close>.
+\<close>
+proof(cases \<open>(UNIV::'a set) = 0\<close>)
+  case True
+  hence \<open>x = 0\<close> for x::'a
+    by auto
+  hence \<open>f *\<^sub>v x = 0\<close> for x
+    by (metis (full_types) blinfun.zero_right)
+  hence \<open>\<parallel>f\<parallel> = 0\<close>
+    by (simp add: blinfun_eqI zero_blinfun.rep_eq)      
+  have \<open>{ \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1} = {0}\<close>
+    by (smt Collect_cong \<open>\<And>x. f *\<^sub>v x = 0\<close> norm_zero singleton_conv)      
+  hence \<open>Sup { \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1} = 0\<close>
+    by simp    
+  thus ?thesis using \<open>\<parallel>f\<parallel> = 0\<close> by auto      
+next
+  case False
+  hence \<open>(UNIV::'a set) \<noteq> 0\<close>
+    by simp
+  have nonnegative: \<open>\<parallel>f *\<^sub>v x\<parallel> \<ge> 0\<close> for x
+    by simp
+  have \<open>\<exists> x::'a. x \<noteq> 0\<close>
+    using \<open>UNIV \<noteq> 0\<close> by auto
+  then obtain x::'a where \<open>x \<noteq> 0\<close>
+    by blast
+  hence \<open>\<parallel>x\<parallel> \<noteq> 0\<close>
+    by auto
+  define y where \<open>y = x /\<^sub>R \<parallel>x\<parallel>\<close>
+  have \<open>norm y = \<parallel> x /\<^sub>R \<parallel>x\<parallel> \<parallel>\<close>
+    unfolding y_def by auto
+  also have \<open>\<dots> = \<parallel>x\<parallel> /\<^sub>R \<parallel>x\<parallel>\<close>
+    by auto
+  also have \<open>\<dots> = 1\<close>
+    using \<open>\<parallel>x\<parallel> \<noteq> 0\<close> by auto
+  finally have \<open>\<parallel>y\<parallel> = 1\<close>
+    by blast
+  hence norm_1_non_empty: \<open>{ \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1} \<noteq> {}\<close>
+    by blast
+  have norm_1_bounded: \<open>bdd_above { \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1}\<close>
+    unfolding bdd_above_def apply auto
+    by (metis norm_blinfun)
+  have norm_less_1_non_empty: \<open>{\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1} \<noteq> {}\<close>
+    by (metis (mono_tags, lifting) Collect_empty_eq_bot bot_empty_eq empty_iff norm_zero 
+        zero_less_one)   
+  have norm_less_1_bounded: \<open>bdd_above {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1}\<close>
+  proof-
+    have \<open>\<exists>r. \<parallel>a r\<parallel> < 1 \<longrightarrow> \<parallel>f *\<^sub>v (a r)\<parallel> \<le> r\<close> for a :: "real \<Rightarrow> 'a"
+    proof-
+      obtain r :: "('a \<Rightarrow>\<^sub>L 'b) \<Rightarrow> real" where
+        "\<And>f x. 0 \<le> r f \<and> (bounded_linear f \<longrightarrow> \<parallel>f *\<^sub>v x\<parallel> \<le> \<parallel>x\<parallel> * r f)"
+        using bounded_linear.nonneg_bounded by moura
+      have \<open>\<not> \<parallel>f\<parallel> < 0\<close>
+        by simp          
+      hence "(\<exists>r. \<parallel>f\<parallel> * \<parallel>a r\<parallel> \<le> r) \<or> (\<exists>r. \<parallel>a r\<parallel> < 1 \<longrightarrow> \<parallel>f *\<^sub>v a r\<parallel> \<le> r)"
+        by (meson less_eq_real_def mult_le_cancel_left2) 
+      thus ?thesis using dual_order.trans norm_blinfun by blast
+    qed
+    hence \<open>\<exists> M. \<forall> x. \<parallel>x\<parallel> < 1 \<longrightarrow> \<parallel>f *\<^sub>v x\<parallel> \<le> M\<close>
+      by metis
+    thus ?thesis by auto 
+  qed
+  have Sup_non_neg: \<open>Sup {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<ge> 0\<close>
+    by (smt Collect_empty_eq cSup_upper mem_Collect_eq nonnegative norm_1_bounded norm_1_non_empty)      
+  have \<open>{0::real} \<noteq> {}\<close>
+    by simp
+  have \<open>bdd_above {0::real}\<close>
+    by simp
+  show \<open>\<parallel>f\<parallel> = Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1}\<close>
+  proof(cases \<open>\<forall>x. f *\<^sub>v x = 0\<close>)
+    case True
+    have \<open>\<parallel>f *\<^sub>v x\<parallel> = 0\<close> for x
+      by (simp add: True)
+    hence \<open>{\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1 } \<subseteq> {0}\<close>
+      by blast        
+    moreover have \<open>{\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1 } \<supseteq> {0}\<close>
+      using calculation norm_less_1_non_empty by fastforce                        
+    ultimately have \<open>{\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1 } = {0}\<close>  
+      by blast
+    hence Sup1: \<open>Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1 } = 0\<close> 
+      by simp
+    have \<open>\<parallel>f\<parallel> = 0\<close>
+      by (simp add: True blinfun_eqI)        
+    moreover have \<open>Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1} = 0\<close>
+      using Sup1 by blast
+    ultimately show ?thesis by simp
+  next
+    case False
+    have norm_f_eq_leq: \<open>y \<in> {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1} \<Longrightarrow> 
+                         y \<le> Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1}\<close> for y
+    proof-
+      assume \<open>y \<in> {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1}\<close>
+      hence \<open>\<exists> x. y = \<parallel>f *\<^sub>v x\<parallel> \<and> \<parallel>x\<parallel> = 1\<close>
+        by blast
+      then obtain x where \<open>y = \<parallel>f *\<^sub>v x\<parallel>\<close> and \<open>\<parallel>x\<parallel> = 1\<close>
+        by auto
+      define y' where \<open>y' n = (1 - (inverse (real (Suc n)))) *\<^sub>R y\<close> for n
+      have \<open>y' n \<in> {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1}\<close> for n
+      proof-
+        have \<open>y' n = (1 - (inverse (real (Suc n)))) *\<^sub>R \<parallel>f *\<^sub>v x\<parallel>\<close>
+          using y'_def \<open>y = \<parallel>f *\<^sub>v x\<parallel>\<close> by blast
+        also have \<open>... = \<bar>(1 - (inverse (real (Suc n))))\<bar> *\<^sub>R \<parallel>f *\<^sub>v x\<parallel>\<close>
+          by (metis (mono_tags, hide_lams) \<open>y = \<parallel>f *\<^sub>v x\<parallel>\<close> abs_1 abs_le_self_iff abs_of_nat 
+              abs_of_nonneg add_diff_cancel_left' add_eq_if cancel_comm_monoid_add_class.diff_cancel
+              diff_ge_0_iff_ge eq_iff_diff_eq_0 inverse_1 inverse_le_iff_le nat.distinct(1) of_nat_0
+              of_nat_Suc of_nat_le_0_iff zero_less_abs_iff zero_neq_one)
+        also have \<open>... = \<parallel>f *\<^sub>v ((1 - (inverse (real (Suc n)))) *\<^sub>R  x)\<parallel>\<close>
+          by (simp add: blinfun.scaleR_right)            
+        finally have y'_1: \<open>y' n = \<parallel>f *\<^sub>v ( (1 - (inverse (real (Suc n)))) *\<^sub>R x)\<parallel>\<close> 
+          by blast
+        have \<open>\<parallel>(1 - (inverse (Suc n))) *\<^sub>R x\<parallel> = (1 - (inverse (real (Suc n)))) * \<parallel>x\<parallel>\<close>
+          by (simp add: linordered_field_class.inverse_le_1_iff)                
+        hence \<open>\<parallel>(1 - (inverse (Suc n))) *\<^sub>R x\<parallel> < 1\<close>
+          by (simp add: \<open>\<parallel>x\<parallel> = 1\<close>) 
+        thus ?thesis using y'_1 by blast 
+      qed
+      have \<open>(\<lambda>n. (1 - (inverse (real (Suc n)))) ) \<longlonglongrightarrow> 1\<close>
+        using Limits.LIMSEQ_inverse_real_of_nat_add_minus by simp
+      hence \<open>(\<lambda>n. (1 - (inverse (real (Suc n)))) *\<^sub>R y) \<longlonglongrightarrow> 1 *\<^sub>R y\<close>
+        using Limits.tendsto_scaleR by blast
+      hence \<open>(\<lambda>n. (1 - (inverse (real (Suc n)))) *\<^sub>R y) \<longlonglongrightarrow> y\<close>
+        by simp
+      hence \<open>(\<lambda>n. y' n) \<longlonglongrightarrow> y\<close>
+        using y'_def by simp
+      hence \<open>y' \<longlonglongrightarrow> y\<close> 
+        by simp
+      have \<open>y' n \<le> Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1}\<close> for n
+        using cSup_upper \<open>\<And>n. y' n \<in> {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> < 1}\<close> norm_less_1_bounded by blast
+      hence \<open>y \<le> Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1}\<close>
+        using \<open>y' \<longlonglongrightarrow> y\<close> Topological_Spaces.Sup_lim by (meson LIMSEQ_le_const2)
+      thus ?thesis by blast
+    qed
+    hence \<open>Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1} \<le> Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1}\<close>
+      by (metis (lifting) cSup_least norm_1_non_empty)
+    have \<open>y \<in> {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1} \<Longrightarrow> y \<le> Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1}\<close> for y
+    proof(cases \<open>y = 0\<close>)
+      case True thus ?thesis by (simp add: Sup_non_neg) 
+    next
+      case False
+      hence \<open>y \<noteq> 0\<close> by blast
+      assume \<open>y \<in> {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1}\<close>
+      hence \<open>\<exists> x. y = \<parallel>f *\<^sub>v x\<parallel> \<and> \<parallel>x\<parallel> < 1\<close>
+        by blast
+      then obtain x where \<open>y = \<parallel>f *\<^sub>v x\<parallel>\<close> and \<open>\<parallel>x\<parallel> < 1\<close>
+        by blast
+      have \<open>(1/\<parallel>x\<parallel>) * y = (1/\<parallel>x\<parallel>) * \<parallel>f x\<parallel>\<close>
+        by (simp add: \<open>y = \<parallel>f *\<^sub>v x\<parallel>\<close>)
+      also have \<open>... = \<bar>1/\<parallel>x\<parallel>\<bar> * \<parallel>f *\<^sub>v x\<parallel>\<close>
+        by simp
+      also have \<open>... = \<parallel>(1/\<parallel>x\<parallel>) *\<^sub>R (f *\<^sub>v x)\<parallel>\<close>
+        by simp
+      also have \<open>... = \<parallel>f *\<^sub>v ((1/\<parallel>x\<parallel>) *\<^sub>R x)\<parallel>\<close>
+        by (simp add: blinfun.scaleR_right)          
+      finally have \<open>(1/\<parallel>x\<parallel>) * y  = \<parallel>f *\<^sub>v ((1/\<parallel>x\<parallel>) *\<^sub>R x)\<parallel>\<close>
+        by blast
+      have \<open>x \<noteq> 0\<close>
+        using  \<open>y \<noteq> 0\<close> \<open>y = \<parallel>f *\<^sub>v x\<parallel>\<close> blinfun.zero_right by auto 
+      have \<open>\<parallel> (1/\<parallel>x\<parallel>) *\<^sub>R x \<parallel> = \<bar> (1/\<parallel>x\<parallel>) \<bar> * \<parallel>x\<parallel>\<close>
+        by simp
+      also have \<open>... = (1/\<parallel>x\<parallel>) * \<parallel>x\<parallel>\<close>
+        by simp
+      finally have  \<open>\<parallel>(1/\<parallel>x\<parallel>) *\<^sub>R x\<parallel> = 1\<close>
+        using \<open>x \<noteq> 0\<close> by simp
+      hence \<open>(1/\<parallel>x\<parallel>) * y \<in> { \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1}\<close>
+        using \<open>1 / \<parallel>x\<parallel> * y = \<parallel>f *\<^sub>v (1 / \<parallel>x\<parallel>) *\<^sub>R x\<parallel>\<close> by blast
+      hence \<open>(1/\<parallel>x\<parallel>) * y \<le> Sup { \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1}\<close>
+        by (simp add: cSup_upper norm_1_bounded)
+      moreover have \<open>y \<le> (1/\<parallel>x\<parallel>) * y\<close>
+        by (metis \<open>\<parallel>x\<parallel> < 1\<close> \<open>y = \<parallel>f *\<^sub>v x\<parallel>\<close> mult_le_cancel_right1 norm_not_less_zero 
+            order.strict_implies_order \<open>x \<noteq> 0\<close> less_divide_eq_1_pos zero_less_norm_iff)
+      ultimately show ?thesis by linarith 
+    qed
+    hence \<open>Sup { \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1} \<le> Sup { \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1}\<close>
+      by (smt cSup_least norm_less_1_non_empty) 
+    hence \<open>Sup { \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1} = Sup { \<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1}\<close>
+      using \<open>Sup {\<parallel>f *\<^sub>v x\<parallel> |x. norm x = 1} \<le> Sup { \<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> < 1}\<close> by linarith
+    have f1: \<open>(SUP x. \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel>) = Sup { \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel> | x. True}\<close>
+      by (simp add: full_SetCompr_eq)
+    have \<open>y \<in> { \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel> |x. True} \<Longrightarrow> y \<in> { \<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {0}\<close>
+      for y
+    proof-
+      assume \<open>y \<in> { \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel> |x. True}\<close> show ?thesis
+      proof(cases \<open>y = 0\<close>)
+        case True  thus ?thesis by simp 
+      next
+        case False
+        have \<open>\<exists> x. y = \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel>\<close>
+          using \<open>y \<in> { \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel> |x. True}\<close> by auto
+        then obtain x where \<open>y = \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel>\<close>
+          by blast
+        hence \<open>y = \<bar>(1/\<parallel>x\<parallel>)\<bar> * \<parallel> f *\<^sub>v x \<parallel>\<close>
+          by simp
+        hence \<open>y = \<parallel>(1/\<parallel>x\<parallel>) *\<^sub>R (f *\<^sub>v x)\<parallel>\<close>
+          by simp
+        hence \<open>y = \<parallel>f ((1/\<parallel>x\<parallel>) *\<^sub>R x)\<parallel>\<close>
+          by (simp add: blinfun.scaleR_right)            
+        moreover have \<open>\<parallel> (1/\<parallel>x\<parallel>) *\<^sub>R x \<parallel> = 1\<close>
+          using False \<open>y = \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel>\<close> by auto
+        ultimately have \<open>y \<in> {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1}\<close>
+          by blast
+        thus ?thesis by blast
+      qed
+    qed
+    moreover have \<open>y \<in> {\<parallel>f x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {0} \<Longrightarrow> y \<in> {\<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel> |x. True}\<close>
+      for y
+    proof(cases \<open>y = 0\<close>)
+      case True thus ?thesis by auto 
+    next
+      case False
+      hence \<open>y \<notin> {0}\<close>
+        by simp
+      moreover assume \<open>y \<in> {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {0}\<close>
+      ultimately have \<open>y \<in> {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1}\<close>
+        by simp
+      then obtain x where \<open>\<parallel>x\<parallel> = 1\<close> and \<open>y = \<parallel>f *\<^sub>v x\<parallel>\<close>
+        by auto
+      have \<open>y = \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel>\<close> using  \<open>\<parallel>x\<parallel> = 1\<close>  \<open>y = \<parallel>f *\<^sub>v x\<parallel>\<close>
+        by simp 
+      thus ?thesis by auto 
+    qed
+    ultimately have \<open>{\<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel> |x. True} = {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {0}\<close>
+      by blast
+    hence \<open>Sup {\<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel> |x. True} = Sup ({\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {0})\<close>
+      by simp
+    have "\<And>r s. \<not> (r::real) \<le> s \<or> sup r s = s"
+      by (metis (lifting) sup.absorb_iff1 sup_commute)
+    hence \<open>Sup ({\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {(0::real)})
+             = max (Sup {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1}) (Sup {0::real})\<close>
+      using \<open>0 \<le> Sup {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1}\<close> \<open>bdd_above {0}\<close> \<open>{0} \<noteq> {}\<close> cSup_singleton 
+        cSup_union_distrib max.absorb_iff1 sup_commute norm_1_bounded norm_1_non_empty
+      by (metis (no_types, lifting) )
+    moreover have \<open>Sup {(0::real)} = (0::real)\<close>
+      by simp          
+    ultimately have \<open>Sup ({\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {0}) = Sup {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1}\<close>
+      using Sup_non_neg by linarith
+    moreover have \<open>Sup ( {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {0}) 
+                    = max (Sup {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1}) (Sup {0}) \<close>
+      using Sup_non_neg  \<open>Sup ({\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {0}) 
+        = max (Sup {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1}) (Sup {0})\<close> 
+      by auto           
+    ultimately have f2: \<open>Sup {\<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel> | x. True} = Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1}\<close>
+      using \<open>Sup {\<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel> |x. True} = Sup ({\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} \<union> {0})\<close> by linarith
+    have \<open>(SUP x. \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel>) = Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> = 1}\<close>
+      using f1 f2 by linarith
+    hence \<open>(SUP x. \<parallel>f *\<^sub>v x\<parallel> / \<parallel>x\<parallel>) = Sup {\<parallel>f *\<^sub>v x\<parallel> | x. \<parallel>x\<parallel> < 1 }\<close>
+      by (simp add: \<open>Sup {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> = 1} = Sup {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> < 1}\<close>)        
+    thus ?thesis apply transfer by (simp add: onorm_def) 
+  qed      
+qed
+
+lemma onorm_r:
+  includes notation_norm
+  assumes \<open>r > 0\<close>
+  shows \<open>\<parallel>f\<parallel> = Sup ((\<lambda>x. \<parallel>f *\<^sub>v x\<parallel>) ` (ball 0 r)) / r\<close>
+  text \<open>
+  Explanation: The norm of \<^term>\<open>f\<close> is \<^term>\<open>1/r\<close> of the supremum of the norm of \<^term>\<open>f *\<^sub>v x\<close> for
+  \<^term>\<open>x\<close> in the ball of radius \<^term>\<open>r\<close> centered at the origin.
+\<close>
+proof-
+  have \<open>\<parallel>f\<parallel> = Sup {\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> < 1}\<close>
+    using onorm_open_ball by blast
+  moreover have \<open>{\<parallel>f *\<^sub>v x\<parallel> |x. \<parallel>x\<parallel> < 1} = (\<lambda>x. \<parallel>f *\<^sub>v x\<parallel>) ` (ball 0 1)\<close>
+    unfolding ball_def by auto
+  ultimately have onorm_f: \<open>\<parallel>f\<parallel> = Sup ((\<lambda>x. \<parallel>f *\<^sub>v x\<parallel>) ` (ball 0 1))\<close>
+    by simp
+  have s2: \<open>x \<in> (\<lambda>t. r *\<^sub>R \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1 \<Longrightarrow> x \<le> r * Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1)\<close> for x
+  proof-
+    assume \<open>x \<in> (\<lambda>t. r *\<^sub>R \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1\<close>
+    hence \<open>\<exists> t. x = r *\<^sub>R \<parallel>f *\<^sub>v t\<parallel> \<and> \<parallel>t\<parallel> < 1\<close>
+      by auto
+    then obtain t where \<open>x = r *\<^sub>R \<parallel>f *\<^sub>v t\<parallel>\<close> and \<open>\<parallel>t\<parallel> < 1\<close>
+      by blast
+    define y where \<open>y = x /\<^sub>R r\<close>
+    have \<open>x = r * (inverse r * x)\<close>
+      using \<open>x = r *\<^sub>R norm (f t)\<close> by auto
+    hence \<open>x - (r * (inverse r * x)) \<le> 0\<close>
+      by linarith
+    hence \<open>x \<le> r * (x /\<^sub>R r)\<close>
+      by auto
+    have \<open>y \<in> (\<lambda>k. \<parallel>f *\<^sub>v k\<parallel>) ` ball 0 1\<close>
+      unfolding y_def by (smt \<open>x \<in> (\<lambda>t. r *\<^sub>R \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1\<close> assms image_iff 
+          inverse_inverse_eq pos_le_divideR_eq positive_imp_inverse_positive) 
+    moreover have \<open>x \<le> r * y\<close>          
+      using \<open>x \<le> r * (x /\<^sub>R r)\<close> y_def by blast
+    ultimately have y_norm_f: \<open>y \<in> (\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1 \<and> x \<le> r * y\<close>
+      by blast
+    have \<open>(\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1 \<noteq> {}\<close>
+      by simp        
+    moreover have \<open>bdd_above ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1)\<close>
+      by (simp add: bounded_linear_image blinfun.bounded_linear_right bounded_imp_bdd_above 
+          bounded_norm_comp) 
+    moreover have \<open>\<exists> y. y \<in> (\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1 \<and> x \<le> r * y\<close>
+      using y_norm_f by blast
+    ultimately show ?thesis
+      by (smt \<open>0 < r\<close> cSup_upper ordered_comm_semiring_class.comm_mult_left_mono) 
+  qed
+  have s3: \<open>(\<And>x. x \<in> (\<lambda>t. r * \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1 \<Longrightarrow> x \<le> y) \<Longrightarrow>
+         r * Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1) \<le> y\<close> for y
+  proof-
+    assume \<open>\<And>x. x \<in> (\<lambda>t. r * \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1 \<Longrightarrow> x \<le> y\<close> 
+    have x_leq: \<open>x \<in> (\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1 \<Longrightarrow> x \<le> y / r\<close> for x
+    proof-
+      assume \<open>x \<in> (\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1\<close>
+      then obtain t where \<open>t \<in> ball (0::'a) 1\<close> and \<open>x = \<parallel>f *\<^sub>v t\<parallel>\<close>
+        by auto
+      define x' where \<open>x' = r *\<^sub>R x\<close>
+      have \<open>x' = r * \<parallel>f *\<^sub>v t\<parallel>\<close>
+        by (simp add: \<open>x = \<parallel>f *\<^sub>v t\<parallel>\<close> x'_def)
+      hence \<open>x' \<in> (\<lambda>t. r * \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1\<close>
+        using \<open>t \<in> ball (0::'a) 1\<close> by auto
+      hence \<open>x' \<le> y\<close>
+        using \<open>\<And>x. x \<in> (\<lambda>t. r * \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1 \<Longrightarrow> x \<le> y\<close> by blast        
+      thus \<open>x \<le> y / r\<close>
+        unfolding x'_def using \<open>r > 0\<close> by (simp add: mult.commute pos_le_divide_eq) 
+    qed
+    have \<open>(\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1 \<noteq> {}\<close>
+      by simp        
+    moreover have \<open>bdd_above ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1)\<close>
+      by (simp add: bounded_linear_image blinfun.bounded_linear_right bounded_imp_bdd_above 
+          bounded_norm_comp) 
+    ultimately have \<open>Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1) \<le> y/r\<close>
+      using x_leq by (simp add: \<open>bdd_above ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 1)\<close> cSup_least) 
+    thus ?thesis using \<open>r > 0\<close>
+      by (smt divide_strict_right_mono nonzero_mult_div_cancel_left)  
+  qed
+  have norm_scaleR: \<open>norm \<circ> ((*\<^sub>R) r) = ((*\<^sub>R) \<bar>r\<bar>) \<circ> (norm::'a \<Rightarrow> real)\<close>
+    by auto
+  have f_x1: \<open>f (r *\<^sub>R x) = r *\<^sub>R f x\<close> for x
+    by (simp add: blinfun.scaleR_right)    
+  have \<open>ball (0::'a) r = ((*\<^sub>R) r) ` (ball 0 1)\<close>
+    by (smt assms ball_scale nonzero_mult_div_cancel_left right_inverse_eq scale_zero_right)
+  hence \<open>Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` (ball 0 r)) = Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` (((*\<^sub>R) r) ` (ball 0 1)))\<close>
+    by simp
+  also have \<open>\<dots> = Sup (((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) \<circ> ((*\<^sub>R) r)) ` (ball 0 1))\<close>
+    using Sup.SUP_image by auto
+  also have \<open>\<dots> = Sup ((\<lambda>t. \<parallel>f *\<^sub>v (r *\<^sub>R t)\<parallel>) ` (ball 0 1))\<close>
+    using f_x1 by (simp add: comp_assoc) 
+  also have \<open>\<dots> = Sup ((\<lambda>t. \<bar>r\<bar> *\<^sub>R \<parallel>f *\<^sub>v t\<parallel>) ` (ball 0 1))\<close>
+    using norm_scaleR f_x1 by auto 
+  also have \<open>\<dots> = Sup ((\<lambda>t. r *\<^sub>R \<parallel>f *\<^sub>v t\<parallel>) ` (ball 0 1))\<close>
+    using \<open>r > 0\<close> by auto
+  also have \<open>\<dots> = r * Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` (ball 0 1))\<close>
+    apply (rule cSup_eq_non_empty) apply simp using s2 apply auto using s3 by auto
+  also have \<open>\<dots> = r * \<parallel>f\<parallel>\<close>
+    using onorm_f by auto
+  finally have \<open>Sup ((\<lambda>t. \<parallel>f *\<^sub>v t\<parallel>) ` ball 0 r) = r * \<parallel>f\<parallel>\<close>
+    by blast    
+  thus \<open>\<parallel>f\<parallel> = Sup ((\<lambda>x. \<parallel>f *\<^sub>v x\<parallel>) ` (ball 0 r)) / r\<close> using \<open>r > 0\<close> by simp
+qed
+
+text\<open>Pointwise convergence\<close>
+definition pointwise_convergent_to :: 
+  \<open>( nat \<Rightarrow> ('a \<Rightarrow> 'b::topological_space) ) \<Rightarrow> ('a \<Rightarrow> 'b) \<Rightarrow> bool\<close> 
+  (\<open>((_)/ \<midarrow>pointwise\<rightarrow> (_))\<close> [60, 60] 60) where
+  \<open>pointwise_convergent_to x l = (\<forall> t::'a. (\<lambda> n. (x n) t) \<longlonglongrightarrow> l t)\<close>
+
+lemma linear_limit_linear:
+  fixes f :: \<open>_ \<Rightarrow> ('a::real_vector \<Rightarrow> 'b::real_normed_vector)\<close>
+  assumes  \<open>\<And>n. linear (f n)\<close> and \<open>f \<midarrow>pointwise\<rightarrow> F\<close>
+  shows \<open>linear F\<close>
+  text\<open>
+  Explanation: If a family of linear operators converges pointwise, then the limit is also a linear
+  operator.
+\<close>
+proof
+  show "F (x + y) = F x + F y" for x y
+  proof-
+    have "\<forall>a. F a = lim (\<lambda>n. f n a)"
+      using \<open>f \<midarrow>pointwise\<rightarrow> F\<close> unfolding pointwise_convergent_to_def by (metis (full_types) limI)
+    moreover have "\<forall>f b c g. (lim (\<lambda>n. g n + f n) = (b::'b) + c \<or> \<not> f \<longlonglongrightarrow> c) \<or> \<not> g \<longlonglongrightarrow> b"
+      by (metis (no_types) limI tendsto_add)
+    moreover have "\<And>a. (\<lambda>n. f n a) \<longlonglongrightarrow> F a"
+      using assms(2) pointwise_convergent_to_def by force
+    ultimately have 
+      lim_sum: \<open>lim (\<lambda> n. (f n) x + (f n) y) = lim (\<lambda> n. (f n) x) + lim (\<lambda> n. (f n) y)\<close>
+      by metis
+    have \<open>(f n) (x + y) = (f n) x + (f n) y\<close> for n
+      using \<open>\<And> n.  linear (f n)\<close> unfolding linear_def using Real_Vector_Spaces.linear_iff assms(1) 
+      by auto
+    hence \<open>lim (\<lambda> n. (f n) (x + y)) = lim (\<lambda> n. (f n) x + (f n) y)\<close>
+      by simp
+    hence \<open>lim (\<lambda> n. (f n) (x + y)) = lim (\<lambda> n. (f n) x) + lim (\<lambda> n. (f n) y)\<close>
+      using lim_sum by simp
+    moreover have \<open>(\<lambda> n. (f n) (x + y)) \<longlonglongrightarrow> F (x + y)\<close>
+      using \<open>f \<midarrow>pointwise\<rightarrow> F\<close> unfolding pointwise_convergent_to_def by blast
+    moreover have \<open>(\<lambda> n. (f n) x) \<longlonglongrightarrow> F x\<close>
+      using \<open>f \<midarrow>pointwise\<rightarrow> F\<close> unfolding pointwise_convergent_to_def by blast
+    moreover have \<open>(\<lambda> n. (f n) y) \<longlonglongrightarrow> F y\<close>
+      using \<open>f \<midarrow>pointwise\<rightarrow> F\<close> unfolding pointwise_convergent_to_def by blast
+    ultimately show ?thesis
+      by (metis limI) 
+  qed
+  show "F (r *\<^sub>R x) = r *\<^sub>R F x" for r and x
+  proof-
+    have \<open>(f n) (r *\<^sub>R x) = r *\<^sub>R (f n) x\<close> for n
+      using  \<open>\<And> n.  linear (f n)\<close> 
+      by (simp add: Real_Vector_Spaces.linear_def real_vector.linear_scale)
+    hence \<open>lim (\<lambda> n. (f n) (r *\<^sub>R x)) = lim (\<lambda> n. r *\<^sub>R (f n) x)\<close>
+      by simp
+    have \<open>convergent (\<lambda> n. (f n) x)\<close>
+      by (metis assms(2) convergentI pointwise_convergent_to_def)
+    moreover have \<open>isCont (\<lambda> t::'b. r *\<^sub>R t) tt\<close> for tt
+      by (simp add: bounded_linear_scaleR_right)
+    ultimately have \<open>lim (\<lambda> n. r *\<^sub>R ((f n) x)) =  r *\<^sub>R lim (\<lambda> n. (f n) x)\<close>
+      using \<open>f \<midarrow>pointwise\<rightarrow> F\<close> unfolding pointwise_convergent_to_def 
+      by (metis (mono_tags) isCont_tendsto_compose limI)
+    hence \<open>lim (\<lambda> n.  (f n) (r *\<^sub>R x)) = r *\<^sub>R lim (\<lambda> n. (f n) x)\<close> 
+      using \<open>lim (\<lambda> n. (f n) (r *\<^sub>R x)) = lim (\<lambda> n. r *\<^sub>R (f n) x)\<close> by simp
+    moreover have \<open>(\<lambda> n. (f n) x) \<longlonglongrightarrow> F x\<close>
+      using \<open>f \<midarrow>pointwise\<rightarrow> F\<close> unfolding pointwise_convergent_to_def by blast
+    moreover have \<open>(\<lambda> n.  (f n) (r *\<^sub>R x)) \<longlonglongrightarrow> F (r *\<^sub>R x)\<close>
+      using \<open>f \<midarrow>pointwise\<rightarrow> F\<close> unfolding pointwise_convergent_to_def by blast
+    ultimately show ?thesis
+      by (metis limI) 
+  qed
+qed
+
+
+lemma non_Cauchy_unbounded:
+  fixes a ::\<open>_ \<Rightarrow> real\<close> 
+  assumes \<open>\<And>n. a n \<ge> 0\<close> and \<open>e > 0\<close> 
+    and \<open>\<forall>M. \<exists>m. \<exists>n. m \<ge> M \<and> n \<ge> M \<and> m > n \<and> sum a {Suc n..m} \<ge> e\<close>
+  shows \<open>(\<lambda>n. (sum a  {0..n})) \<longlonglongrightarrow> \<infinity>\<close>
+  text\<open>
+  Explanation: If the sequence of partial sums of nonnegative terms is not Cauchy, then it converges
+  to infinite.
+\<close>
+proof-
+  define S::"ereal set" where \<open>S = range (\<lambda>n. sum a  {0..n})\<close>
+  have \<open>\<exists>s\<in>S.  k*e \<le> s\<close> for k::nat
+  proof(induction k)
+    case 0
+    from \<open>\<forall>M. \<exists>m. \<exists>n. m \<ge> M \<and> n \<ge> M \<and> m > n \<and> sum a {Suc n..m} \<ge> e\<close>
+    obtain m n where \<open>m \<ge> 0\<close> and \<open>n \<ge> 0\<close> and \<open>m > n\<close> and \<open>sum a {Suc n..m} \<ge> e\<close> by blast
+    have \<open>n < Suc n\<close>
+      by simp
+    hence \<open>{0..n} \<union> {Suc n..m} = {0..m}\<close>
+      using Set_Interval.ivl_disj_un(7) \<open>n < m\<close> by auto
+    moreover have \<open>finite {0..n}\<close>
+      by simp
+    moreover have \<open>finite {Suc n..m}\<close>
+      by simp
+    moreover have \<open>{0..n} \<inter> {Suc n..m} = {}\<close>
+      by simp
+    ultimately have \<open>sum a {0..n} + sum a {Suc n..m} = sum a {0..m}\<close>
+      by (metis sum.union_disjoint) 
+    moreover have \<open>sum a {Suc n..m} > 0\<close>
+      using \<open>e > 0\<close> \<open>sum a {Suc n..m} \<ge> e\<close> by linarith
+    moreover have \<open>sum a {0..n} \<ge> 0\<close>
+      by (simp add: assms(1) sum_nonneg)
+    ultimately have \<open>sum a {0..m} > 0\<close>
+      by linarith      
+    moreover have \<open>sum a {0..m} \<in> S\<close>
+      unfolding S_def by blast
+    ultimately have \<open>\<exists>s\<in>S. 0 \<le> s\<close>
+      using ereal_less_eq(5) by fastforce    
+    thus ?case
+      by (simp add: zero_ereal_def)  
+  next
+    case (Suc k)
+    assume \<open>\<exists>s\<in>S. k*e \<le> s\<close>
+    then obtain s where \<open>s\<in>S\<close> and \<open>ereal (k * e) \<le> s\<close>
+      by blast
+    have \<open>\<exists>N. s = sum a {0..N}\<close>
+      using \<open>s\<in>S\<close> unfolding S_def by blast
+    then obtain N where \<open>s = sum a {0..N}\<close>
+      by blast
+    from \<open>\<forall>M. \<exists>m. \<exists>n. m \<ge> M \<and> n \<ge> M \<and> m > n \<and> sum a {Suc n..m} \<ge> e\<close>
+    obtain m n where \<open>m \<ge> Suc N\<close> and \<open>n \<ge> Suc N\<close> and \<open>m > n\<close> and \<open>sum a {Suc n..m} \<ge> e\<close>
+      by blast
+    have \<open>finite {Suc N..n}\<close>
+      by simp
+    moreover have \<open>finite {Suc n..m}\<close>
+      by simp
+    moreover have \<open>{Suc N..n} \<union> {Suc n..m} = {Suc N..m}\<close>
+      using Set_Interval.ivl_disj_un
+      by (smt \<open>Suc N \<le> n\<close> \<open>n < m\<close> atLeastSucAtMost_greaterThanAtMost less_imp_le_nat)
+    moreover have \<open>{} = {Suc N..n} \<inter> {Suc n..m}\<close>
+      by simp
+    ultimately have \<open>sum a {Suc N..m} = sum a {Suc N..n} + sum a {Suc n..m}\<close>
+      by (metis sum.union_disjoint)
+    moreover have \<open>sum a {Suc N..n} \<ge> 0\<close>
+      using  \<open>\<And>n. a n \<ge> 0\<close> by (simp add: sum_nonneg) 
+    ultimately have \<open>sum a {Suc N..m} \<ge> e\<close>
+      using \<open>e \<le> sum a {Suc n..m}\<close> by linarith
+    have \<open>finite {0..N}\<close>
+      by simp
+    have \<open>finite {Suc N..m}\<close>
+      by simp
+    moreover have \<open>{0..N} \<union> {Suc N..m} = {0..m}\<close>
+      using Set_Interval.ivl_disj_un(7) \<open>Suc N \<le> m\<close> by auto          
+    moreover have \<open>{0..N} \<inter> {Suc N..m} = {}\<close>
+      by simp
+    ultimately have \<open>sum a {0..N} + sum a {Suc N..m} =  sum a {0..m}\<close> 
+      by (metis \<open>finite {0..N}\<close> sum.union_disjoint)    
+    hence \<open>e + k * e \<le> sum a {0..m}\<close>
+      using \<open>ereal (real k * e) \<le> s\<close> \<open>s = ereal (sum a {0..N})\<close> \<open>e \<le> sum a {Suc N..m}\<close> by auto 
+    moreover have \<open>e + k * e = (Suc k) * e\<close>
+      by (simp add: semiring_normalization_rules(3))
+    ultimately have \<open>(Suc k) * e \<le> sum a {0..m}\<close>
+      by linarith
+    hence \<open>ereal ((Suc k) * e) \<le> sum a {0..m}\<close>
+      by auto
+    moreover have \<open>sum a {0..m}\<in>S\<close>
+      unfolding S_def by blast
+    ultimately show ?case by blast
+  qed
+  hence \<open>\<exists>s\<in>S. (real n) \<le> s\<close> for n
+    by (meson assms(2) ereal_le_le ex_less_of_nat_mult less_le_not_le)
+  hence  \<open>Sup S = \<infinity>\<close>
+    using Sup_le_iff Sup_subset_mono dual_order.strict_trans1 leD less_PInf_Ex_of_nat subsetI 
+    by metis
+  hence Sup: \<open>Sup ((range (\<lambda> n. (sum a  {0..n})))::ereal set) = \<infinity>\<close> using S_def 
+    by blast
+  have \<open>incseq (\<lambda>n. (sum a  {..<n}))\<close>
+    using \<open>\<And>n. a n \<ge> 0\<close> using Extended_Real.incseq_sumI by auto
+  hence \<open>incseq (\<lambda>n. (sum a  {..< Suc n}))\<close>
+    by (meson incseq_Suc_iff)
+  hence \<open>incseq (\<lambda>n. (sum a  {0..n})::ereal)\<close>
+    using incseq_ereal by (simp add: atLeast0AtMost lessThan_Suc_atMost) 
+  hence \<open>(\<lambda>n. sum a  {0..n}) \<longlonglongrightarrow> Sup (range (\<lambda>n. (sum a  {0..n})::ereal))\<close>
+    using LIMSEQ_SUP by auto
+  thus ?thesis using Sup PInfty_neq_ereal by auto 
+qed
+
+lemma sum_Cauchy_positive:
+  fixes a ::\<open>_ \<Rightarrow> real\<close>
+  assumes \<open>\<And>n. a n \<ge> 0\<close> and \<open>\<exists>K. \<forall>n. (sum a  {0..n}) \<le> K\<close>
+  shows \<open>Cauchy (\<lambda>n. sum a {0..n})\<close>
+  text\<open>
+  Explanation: If a series of nonnegative reals is bounded, then the series is 
+  Cauchy.
+\<close>
+proof (unfold Cauchy_altdef2, rule, rule)
+  fix e::real
+  assume \<open>e>0\<close>       
+  have \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> sum a {Suc n..m} < e\<close>
+  proof(rule classical)
+    assume \<open>\<not>(\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> sum a {Suc n..m} < e)\<close>
+    hence \<open>\<forall>M. \<exists>m. \<exists>n. m \<ge> M \<and> n \<ge> M \<and> m > n \<and> \<not>(sum a {Suc n..m} < e)\<close>
+      by blast
+    hence \<open>\<forall>M. \<exists>m. \<exists>n. m \<ge> M \<and> n \<ge> M \<and> m > n \<and> sum a {Suc n..m} \<ge> e\<close>
+      by fastforce
+    hence \<open>(\<lambda>n. (sum a  {0..n}) ) \<longlonglongrightarrow> \<infinity>\<close>
+      using non_Cauchy_unbounded \<open>0 < e\<close> assms(1) by blast
+    from  \<open>\<exists>K. \<forall>n. sum a  {0..n} \<le> K\<close>
+    obtain K where  \<open>\<forall>n. sum a {0..n} \<le> K\<close>
+      by blast
+    from  \<open>(\<lambda>n. sum a {0..n})  \<longlonglongrightarrow> \<infinity>\<close>
+    have \<open>\<forall>B. \<exists>N. \<forall>n\<ge>N. (\<lambda> n. (sum a  {0..n}) ) n \<ge> B\<close>
+      using Lim_PInfty by simp
+    hence  \<open>\<exists>n. (sum a {0..n}) \<ge> K+1\<close>
+      using ereal_less_eq(3) by blast        
+    thus ?thesis using  \<open>\<forall>n. (sum a  {0..n}) \<le> K\<close> by smt       
+  qed
+  have \<open>sum a {Suc n..m} = sum a {0..m} - sum a {0..n}\<close>
+    if "m > n" for m n
+    apply (simp add: that atLeast0AtMost) using sum_up_index_split 
+    by (smt less_imp_add_positive that)
+  hence \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> sum a {0..m} - sum a {0..n} < e\<close>
+    using \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> sum a {Suc n..m} < e\<close> by smt     
+  from \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> sum a {0..m} - sum a {0..n} < e\<close>
+  obtain M where \<open>\<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> sum a {0..m} - sum a {0..n} < e\<close>
+    by blast
+  moreover have \<open>m > n \<Longrightarrow> sum a {0..m} \<ge> sum a {0..n}\<close> for m n
+    using \<open>\<And> n. a n \<ge> 0\<close> by (simp add: sum_mono2)
+  ultimately have \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> \<bar>sum a {0..m} - sum a {0..n}\<bar> < e\<close>
+    by auto
+  hence \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m \<ge> n \<longrightarrow> \<bar>sum a {0..m} - sum a {0..n}\<bar> < e\<close>
+    by (metis \<open>0 < e\<close> abs_zero cancel_comm_monoid_add_class.diff_cancel diff_is_0_eq' 
+        less_irrefl_nat linorder_neqE_nat zero_less_diff)      
+  hence \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. \<bar>sum a {0..m} - sum a {0..n}\<bar> < e\<close>
+    by (metis abs_minus_commute nat_le_linear)
+  hence \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. dist (sum a {0..m}) (sum a {0..n}) < e\<close>
+    by (simp add: dist_real_def)      
+  hence \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. dist (sum a {0..m}) (sum a {0..n}) < e\<close> by blast
+  thus \<open>\<exists>N. \<forall>n\<ge>N. dist (sum a {0..n}) (sum a {0..N}) < e\<close> by auto
+qed
+
+lemma convergent_series_Cauchy:
+  fixes a::\<open>nat \<Rightarrow> real\<close> and \<phi>::\<open>nat \<Rightarrow> 'a::metric_space\<close>
+  assumes \<open>\<exists>M. \<forall>n. sum a {0..n} \<le> M\<close> and \<open>\<And>n. dist (\<phi> (Suc n)) (\<phi> n) \<le> a n\<close>
+  shows \<open>Cauchy \<phi>\<close>
+  text\<open>
+  Explanation: Let \<^term>\<open>a\<close> be a real-valued sequence and let \<^term>\<open>\<phi>\<close> be sequence in a metric space.
+  If the partial sums of \<^term>\<open>a\<close> are uniformly bounded and the distance between consecutive terms of \<^term>\<open>\<phi>\<close>
+  are bounded by the sequence \<^term>\<open>a\<close>, then \<^term>\<open>\<phi>\<close> is Cauchy.\<close>
+proof (unfold Cauchy_altdef2, rule, rule)
+  fix e::real
+  assume \<open>e > 0\<close>
+  have \<open>\<And>k. a k \<ge> 0\<close>
+    using \<open>\<And>n. dist (\<phi> (Suc n)) (\<phi> n) \<le> a n\<close> dual_order.trans zero_le_dist by blast
+  hence \<open>Cauchy (\<lambda>k. sum a {0..k})\<close>
+    using  \<open>\<exists>M. \<forall>n. sum a {0..n} \<le> M\<close> sum_Cauchy_positive by blast
+  hence \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. dist (sum a {0..m}) (sum a {0..n}) < e\<close>
+    unfolding Cauchy_def using \<open>e > 0\<close> by blast
+  hence \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> dist (sum a {0..m}) (sum a {0..n}) < e\<close>
+    by blast
+  have \<open>dist (sum a {0..m}) (sum a {0..n}) = sum a {Suc n..m}\<close> if \<open>n<m\<close> for m n
+  proof -
+    have \<open>n < Suc n\<close>
+      by simp
+    have \<open>finite {0..n}\<close>
+      by simp
+    moreover have \<open>finite {Suc n..m}\<close>
+      by simp
+    moreover have \<open>{0..n} \<union> {Suc n..m} = {0..m}\<close>
+      using \<open>n < Suc n\<close> \<open>n < m\<close> by auto
+    moreover have  \<open>{0..n} \<inter> {Suc n..m} = {}\<close>
+      by simp
+    ultimately have sum_plus: \<open>(sum a {0..n}) + sum a {Suc n..m} = (sum a {0..m})\<close>
+      by (metis sum.union_disjoint)
+    have \<open>dist (sum a {0..m}) (sum a {0..n}) = \<bar>(sum a {0..m}) - (sum a {0..n})\<bar>\<close>
+      using dist_real_def by blast
+    moreover have \<open>(sum a {0..m}) - (sum a {0..n}) = sum a {Suc n..m}\<close>
+      using sum_plus by linarith 
+    ultimately show ?thesis
+      by (simp add: \<open>\<And>k. 0 \<le> a k\<close> sum_nonneg)
+  qed
+  hence sum_a: \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> sum a {Suc n..m} < e\<close>
+    by (metis \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. dist (sum a {0..m}) (sum a {0..n}) < e\<close>) 
+  obtain M where \<open>\<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> sum a {Suc n..m} < e\<close>
+    using sum_a \<open>e > 0\<close> by blast
+  hence  \<open>\<forall>m. \<forall>n. Suc m \<ge> Suc M \<and> Suc n \<ge> Suc M \<and> Suc m > Suc n \<longrightarrow> sum a {Suc n..Suc m - 1} < e\<close>
+    by simp
+  hence  \<open>\<forall>m\<ge>1. \<forall>n\<ge>1. m \<ge> Suc M \<and> n \<ge> Suc M \<and> m > n \<longrightarrow> sum a {n..m - 1} < e\<close>
+    by (metis Suc_le_D)
+  hence sum_a2: \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> sum a {n..m-1} < e\<close>
+    by (meson add_leE)
+  have \<open>dist (\<phi> (n+p+1)) (\<phi> n) \<le> sum a {n..n+p}\<close> for p n :: nat
+  proof(induction p)
+    case 0 thus ?case  by (simp add: assms(2))
+  next
+    case (Suc p) thus ?case
+      by (smt Suc_eq_plus1 add_Suc_right add_less_same_cancel1 assms(2) dist_self dist_triangle2 
+          gr_implies_not0 sum.cl_ivl_Suc)  
+  qed
+  hence \<open>m > n \<Longrightarrow> dist (\<phi> m) (\<phi> n) \<le> sum a {n..m-1}\<close> for m n :: nat
+    by (metis Suc_eq_plus1 Suc_le_D diff_Suc_1  gr0_implies_Suc less_eq_Suc_le less_imp_Suc_add 
+        zero_less_Suc)
+  hence \<open>\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. m > n \<longrightarrow> dist (\<phi> m) (\<phi> n) < e\<close> 
+    using sum_a2 \<open>e > 0\<close> by smt
+  thus "\<exists>N. \<forall>n\<ge>N. dist (\<phi> n) (\<phi> N) < e"
+    using \<open>0 < e\<close> by fastforce
+qed
+
+unbundle notation_blinfun_apply
+
+unbundle no_notation_norm
+
+end
diff --git a/thys/Banach_Steinhaus/ROOT b/thys/Banach_Steinhaus/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/Banach_Steinhaus/ROOT
@@ -0,0 +1,13 @@
+chapter AFP
+
+session Banach_Steinhaus (AFP) = "HOL-Analysis" +
+  options [timeout = 300]
+  sessions
+    "HOL-Types_To_Sets"
+    "HOL-ex"
+  theories
+    Banach_Steinhaus
+    Banach_Steinhaus_Missing
+  document_files
+    "root.tex"
+    "root.bib"
diff --git a/thys/Banach_Steinhaus/document/root.bib b/thys/Banach_Steinhaus/document/root.bib
new file mode 100644
--- /dev/null
+++ b/thys/Banach_Steinhaus/document/root.bib
@@ -0,0 +1,26 @@
+@article{banach1927principe,
+  title={Sur le principe de la condensation de singularit{\'e}s},
+  author={Banach, Stefan and Steinhaus, Hugo},
+  journal={Fundamenta Mathematicae},
+  volume={1},
+  number={9},
+  pages={50--61},
+  year={1927}
+}
+
+@article{sokal2011really,
+  title={A really simple elementary proof of the uniform boundedness theorem},
+  author={Sokal, Alan D},
+  journal={The American Mathematical Monthly},
+  volume={118},
+  number={5},
+  pages={450--452},
+  year={2011},
+  publisher={Taylor \& Francis}
+}
+
+@article{Weisstein_UBP,
+  title={Uniform Boundedness Principle},
+  author={Moslehian, Mohammad Sal and Weisstein, Eric W.},
+  journal={From MathWorld--A Wolfram Web Resource. http://mathworld.wolfram.com/UniformBoundednessPrinciple.html}
+}
diff --git a/thys/Banach_Steinhaus/document/root.tex b/thys/Banach_Steinhaus/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/Banach_Steinhaus/document/root.tex
@@ -0,0 +1,30 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{isabelle,isabellesym}
+\usepackage{amsmath,amssymb}
+
+%this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+\begin{document}
+
+\title{Banach-Steinhaus theorem}
+\author{Dominique Unruh \and Jos\'e Manuel Rodr\'iguez Caballero}
+\maketitle
+
+\begin{abstract}
+We formalize in Isabelle/HOL a result \cite{Weisstein_UBP} due to S. Banach and H. Steinhaus \cite{banach1927principe} known as Banach-Steinhaus theorem or Uniform boundedness principle: a pointwise-bounded family of continuous linear operators from a Banach space to a normed space is uniformly bounded. Our approach is an adaptation to Isabelle/HOL of a proof due to A. Sokal \cite{sokal2011really}.
+\end{abstract}
+
+\tableofcontents
+
+\input{session}
+
+
+\bibliographystyle{abbrv}
+\bibliography{root}
+
+\end{document}
diff --git a/thys/Forcing/Arities.thy b/thys/Forcing/Arities.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Arities.thy
@@ -0,0 +1,364 @@
+section\<open>Arities of internalized formulas\<close>
+theory Arities
+  imports FrecR
+begin
+
+lemma arity_upair_fm : "\<lbrakk>  t1\<in>nat ; t2\<in>nat ; up\<in>nat  \<rbrakk> \<Longrightarrow> 
+  arity(upair_fm(t1,t2,up)) = \<Union> {succ(t1),succ(t2),succ(up)}"
+  unfolding  upair_fm_def
+  using nat_union_abs1 nat_union_abs2 pred_Un   
+  by auto
+
+
+lemma arity_pair_fm : "\<lbrakk>  t1\<in>nat ; t2\<in>nat ; p\<in>nat  \<rbrakk> \<Longrightarrow> 
+  arity(pair_fm(t1,t2,p)) = \<Union> {succ(t1),succ(t2),succ(p)}"
+  unfolding pair_fm_def 
+  using arity_upair_fm nat_union_abs1 nat_union_abs2 pred_Un
+  by auto
+
+lemma arity_composition_fm :
+  "\<lbrakk> r\<in>nat ; s\<in>nat ; t\<in>nat \<rbrakk> \<Longrightarrow> arity(composition_fm(r,s,t)) = \<Union> {succ(r), succ(s), succ(t)}"
+  unfolding composition_fm_def    
+  using arity_pair_fm nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_domain_fm : 
+    "\<lbrakk> r\<in>nat ; z\<in>nat \<rbrakk> \<Longrightarrow> arity(domain_fm(r,z)) = succ(r) \<union> succ(z)"
+  unfolding domain_fm_def 
+  using arity_pair_fm nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_range_fm : 
+    "\<lbrakk> r\<in>nat ; z\<in>nat \<rbrakk> \<Longrightarrow> arity(range_fm(r,z)) = succ(r) \<union> succ(z)"
+  unfolding range_fm_def 
+  using arity_pair_fm nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_union_fm : 
+  "\<lbrakk> x\<in>nat ; y\<in>nat ; z\<in>nat \<rbrakk> \<Longrightarrow> arity(union_fm(x,y,z)) = \<Union> {succ(x), succ(y), succ(z)}"
+  unfolding union_fm_def
+  using  nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_image_fm : 
+  "\<lbrakk> x\<in>nat ; y\<in>nat ; z\<in>nat \<rbrakk> \<Longrightarrow> arity(image_fm(x,y,z)) = \<Union> {succ(x), succ(y), succ(z)}"
+  unfolding image_fm_def
+  using arity_pair_fm  nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_pre_image_fm : 
+  "\<lbrakk> x\<in>nat ; y\<in>nat ; z\<in>nat \<rbrakk> \<Longrightarrow> arity(pre_image_fm(x,y,z)) = \<Union> {succ(x), succ(y), succ(z)}"
+  unfolding pre_image_fm_def
+  using arity_pair_fm  nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by auto
+
+
+lemma arity_big_union_fm : 
+  "\<lbrakk> x\<in>nat ; y\<in>nat \<rbrakk> \<Longrightarrow> arity(big_union_fm(x,y)) = succ(x) \<union> succ(y)"
+  unfolding big_union_fm_def
+  using nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_fun_apply_fm : 
+  "\<lbrakk> x\<in>nat ; y\<in>nat ; f\<in>nat \<rbrakk> \<Longrightarrow> 
+    arity(fun_apply_fm(f,x,y)) =  succ(f) \<union> succ(x) \<union> succ(y)"
+  unfolding fun_apply_fm_def
+  using arity_upair_fm arity_image_fm arity_big_union_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_field_fm : 
+    "\<lbrakk> r\<in>nat ; z\<in>nat \<rbrakk> \<Longrightarrow> arity(field_fm(r,z)) = succ(r) \<union> succ(z)"
+  unfolding field_fm_def 
+  using arity_pair_fm arity_domain_fm arity_range_fm arity_union_fm 
+    nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_empty_fm : 
+    "\<lbrakk> r\<in>nat \<rbrakk> \<Longrightarrow> arity(empty_fm(r)) = succ(r)"
+  unfolding empty_fm_def 
+  using nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by simp
+
+lemma arity_succ_fm :
+  "\<lbrakk>x\<in>nat;y\<in>nat\<rbrakk> \<Longrightarrow> arity(succ_fm(x,y)) = succ(x) \<union> succ(y)"
+  unfolding succ_fm_def cons_fm_def 
+  using arity_upair_fm arity_union_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+
+lemma number1arity__fm : 
+    "\<lbrakk> r\<in>nat \<rbrakk> \<Longrightarrow> arity(number1_fm(r)) = succ(r)"
+  unfolding number1_fm_def 
+  using arity_empty_fm arity_succ_fm nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by simp
+
+
+lemma arity_function_fm : 
+    "\<lbrakk> r\<in>nat \<rbrakk> \<Longrightarrow> arity(function_fm(r)) = succ(r)"
+  unfolding function_fm_def 
+  using arity_pair_fm nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by simp
+
+lemma arity_relation_fm : 
+    "\<lbrakk> r\<in>nat \<rbrakk> \<Longrightarrow> arity(relation_fm(r)) = succ(r)"
+  unfolding relation_fm_def 
+  using arity_pair_fm nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by simp
+
+lemma arity_restriction_fm : 
+    "\<lbrakk> r\<in>nat ; z\<in>nat ; A\<in>nat \<rbrakk> \<Longrightarrow> arity(restriction_fm(A,z,r)) = succ(A) \<union> succ(r) \<union> succ(z)"
+  unfolding restriction_fm_def 
+  using arity_pair_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_typed_function_fm : 
+  "\<lbrakk> x\<in>nat ; y\<in>nat ; f\<in>nat \<rbrakk> \<Longrightarrow> 
+    arity(typed_function_fm(f,x,y)) = \<Union> {succ(f), succ(x), succ(y)}"
+  unfolding typed_function_fm_def
+  using arity_pair_fm arity_relation_fm arity_function_fm arity_domain_fm 
+    nat_union_abs2 pred_Un_distrib
+  by auto
+
+
+lemma arity_subset_fm : 
+  "\<lbrakk>x\<in>nat ; y\<in>nat\<rbrakk> \<Longrightarrow> arity(subset_fm(x,y)) = succ(x) \<union> succ(y)"
+  unfolding subset_fm_def 
+  using nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_transset_fm :
+  "\<lbrakk>x\<in>nat\<rbrakk> \<Longrightarrow> arity(transset_fm(x)) = succ(x)"
+  unfolding transset_fm_def 
+  using arity_subset_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_ordinal_fm :
+  "\<lbrakk>x\<in>nat\<rbrakk> \<Longrightarrow> arity(ordinal_fm(x)) = succ(x)"
+  unfolding ordinal_fm_def 
+  using arity_transset_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_limit_ordinal_fm :
+  "\<lbrakk>x\<in>nat\<rbrakk> \<Longrightarrow> arity(limit_ordinal_fm(x)) = succ(x)"
+  unfolding limit_ordinal_fm_def 
+  using arity_ordinal_fm arity_succ_fm arity_empty_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_finite_ordinal_fm :
+  "\<lbrakk>x\<in>nat\<rbrakk> \<Longrightarrow> arity(finite_ordinal_fm(x)) = succ(x)"
+  unfolding finite_ordinal_fm_def 
+  using arity_ordinal_fm arity_limit_ordinal_fm arity_succ_fm arity_empty_fm 
+    nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_omega_fm :
+  "\<lbrakk>x\<in>nat\<rbrakk> \<Longrightarrow> arity(omega_fm(x)) = succ(x)"
+  unfolding omega_fm_def 
+  using arity_limit_ordinal_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_cartprod_fm : 
+  "\<lbrakk> A\<in>nat ; B\<in>nat ; z\<in>nat \<rbrakk> \<Longrightarrow> arity(cartprod_fm(A,B,z)) = succ(A) \<union> succ(B) \<union> succ(z)"
+  unfolding cartprod_fm_def
+  using arity_pair_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_fst_fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(fst_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding fst_fm_def
+  using arity_pair_fm arity_empty_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_snd_fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(snd_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding snd_fm_def
+  using arity_pair_fm arity_empty_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_snd_snd_fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(snd_snd_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding snd_snd_fm_def hcomp_fm_def
+  using arity_snd_fm arity_empty_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_ftype_fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(ftype_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding ftype_fm_def
+  using arity_fst_fm 
+  by auto
+
+lemma name1arity__fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(name1_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding name1_fm_def hcomp_fm_def
+  using arity_fst_fm arity_snd_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma name2arity__fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(name2_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding name2_fm_def hcomp_fm_def
+  using arity_fst_fm arity_snd_snd_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_cond_of_fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(cond_of_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding cond_of_fm_def hcomp_fm_def
+  using arity_snd_fm arity_snd_snd_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_singleton_fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(singleton_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding singleton_fm_def cons_fm_def
+  using arity_union_fm arity_upair_fm arity_empty_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_Memrel_fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(Memrel_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding Memrel_fm_def 
+  using  arity_pair_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_quasinat_fm :
+  "\<lbrakk>x\<in>nat\<rbrakk> \<Longrightarrow> arity(quasinat_fm(x)) = succ(x)"
+  unfolding quasinat_fm_def cons_fm_def 
+  using arity_succ_fm arity_empty_fm
+    nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_is_recfun_fm :
+  "\<lbrakk>p\<in>formula ; v\<in>nat ; n\<in>nat; Z\<in>nat;i\<in>nat\<rbrakk> \<Longrightarrow>  arity(p) = i \<Longrightarrow> 
+  arity(is_recfun_fm(p,v,n,Z)) = succ(v) \<union> succ(n) \<union> succ(Z) \<union> pred(pred(pred(pred(i))))"
+  unfolding is_recfun_fm_def
+  using arity_upair_fm arity_pair_fm arity_pre_image_fm arity_restriction_fm
+    nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_is_wfrec_fm :
+  "\<lbrakk>p\<in>formula ; v\<in>nat ; n\<in>nat; Z\<in>nat ; i\<in>nat\<rbrakk> \<Longrightarrow> arity(p) = i \<Longrightarrow> 
+    arity(is_wfrec_fm(p,v,n,Z)) = succ(v) \<union> succ(n) \<union> succ(Z) \<union> pred(pred(pred(pred(pred(i)))))"
+  unfolding is_wfrec_fm_def
+  using arity_succ_fm  arity_is_recfun_fm 
+     nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_is_nat_case_fm :
+  "\<lbrakk>p\<in>formula ; v\<in>nat ; n\<in>nat; Z\<in>nat; i\<in>nat\<rbrakk> \<Longrightarrow> arity(p) = i \<Longrightarrow> 
+    arity(is_nat_case_fm(v,p,n,Z)) = succ(v) \<union> succ(n) \<union> succ(Z) \<union> pred(pred(i))"
+  unfolding is_nat_case_fm_def
+  using arity_succ_fm arity_empty_fm arity_quasinat_fm 
+    nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_iterates_MH_fm :
+  assumes "isF\<in>formula" "v\<in>nat" "n\<in>nat" "g\<in>nat" "z\<in>nat" "i\<in>nat" 
+      "arity(isF) = i"
+    shows "arity(iterates_MH_fm(isF,v,n,g,z)) = 
+           succ(v) \<union> succ(n) \<union> succ(g) \<union> succ(z) \<union> pred(pred(pred(pred(i))))"
+proof -
+  let ?\<phi> = "Exists(And(fun_apply_fm(succ(succ(succ(g))), 2, 0), Forall(Implies(Equal(0, 2), isF))))"
+  let ?ar = "succ(succ(succ(g))) \<union> pred(pred(i))"
+  from assms
+  have "arity(?\<phi>) =?ar" "?\<phi>\<in>formula" 
+    using arity_fun_apply_fm
+    nat_union_abs1 nat_union_abs2 pred_Un_distrib succ_Un_distrib Un_assoc[symmetric]
+    by simp_all
+  then
+  show ?thesis
+    unfolding iterates_MH_fm_def
+    using arity_is_nat_case_fm[OF \<open>?\<phi>\<in>_\<close> _ _ _ _ \<open>arity(?\<phi>) = _\<close>] assms pred_succ_eq pred_Un_distrib
+    by auto
+qed
+
+lemma arity_is_iterates_fm :
+  assumes "p\<in>formula" "v\<in>nat" "n\<in>nat" "Z\<in>nat" "i\<in>nat" 
+    "arity(p) = i"
+  shows "arity(is_iterates_fm(p,v,n,Z)) = succ(v) \<union> succ(n) \<union> succ(Z) \<union> 
+          pred(pred(pred(pred(pred(pred(pred(pred(pred(pred(pred(i)))))))))))"
+proof -
+  let ?\<phi> = "iterates_MH_fm(p, 7#+v, 2, 1, 0)"
+  let ?\<psi> = "is_wfrec_fm(?\<phi>, 0, succ(succ(n)),succ(succ(Z)))"
+  from \<open>v\<in>_\<close>
+  have "arity(?\<phi>) = (8#+v) \<union> pred(pred(pred(pred(i))))" "?\<phi>\<in>formula"
+    using assms arity_iterates_MH_fm nat_union_abs2
+    by simp_all
+  then
+  have "arity(?\<psi>) = succ(succ(succ(n))) \<union> succ(succ(succ(Z))) \<union> (3#+v) \<union> 
+      pred(pred(pred(pred(pred(pred(pred(pred(pred(i)))))))))"
+    using assms arity_is_wfrec_fm[OF \<open>?\<phi>\<in>_\<close> _ _ _ _ \<open>arity(?\<phi>) = _\<close>] nat_union_abs1 pred_Un_distrib
+    by auto
+  then
+  show ?thesis
+    unfolding is_iterates_fm_def 
+    using arity_Memrel_fm arity_succ_fm assms nat_union_abs1 pred_Un_distrib
+    by auto
+qed
+
+lemma arity_eclose_n_fm :
+  assumes "A\<in>nat" "x\<in>nat" "t\<in>nat" 
+  shows "arity(eclose_n_fm(A,x,t)) = succ(A) \<union> succ(x) \<union> succ(t)"
+proof -
+  let ?\<phi> = "big_union_fm(1,0)"
+  have "arity(?\<phi>) = 2" "?\<phi>\<in>formula" 
+    using arity_big_union_fm nat_union_abs2
+    by simp_all
+  with assms
+  show ?thesis
+    unfolding eclose_n_fm_def
+    using arity_is_iterates_fm[OF \<open>?\<phi>\<in>_\<close> _ _ _,of _ _ _ 2] 
+    by auto
+qed
+
+lemma arity_mem_eclose_fm :
+  assumes "x\<in>nat" "t\<in>nat"
+  shows "arity(mem_eclose_fm(x,t)) = succ(x) \<union> succ(t)"
+proof -  
+  let ?\<phi>="eclose_n_fm(x #+ 2, 1, 0)"
+  from \<open>x\<in>nat\<close>
+  have "arity(?\<phi>) = x#+3" 
+    using arity_eclose_n_fm nat_union_abs2 
+    by simp
+  with assms
+  show ?thesis
+    unfolding mem_eclose_fm_def 
+    using arity_finite_ordinal_fm nat_union_abs2 pred_Un_distrib
+    by simp
+qed
+
+lemma arity_is_eclose_fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(is_eclose_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding is_eclose_fm_def 
+  using arity_mem_eclose_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma eclose_n1arity__fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(eclose_n1_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding eclose_n1_fm_def 
+  using arity_is_eclose_fm arity_singleton_fm name1arity__fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma eclose_n2arity__fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(eclose_n2_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding eclose_n2_fm_def 
+  using arity_is_eclose_fm arity_singleton_fm name2arity__fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_ecloseN_fm :
+  "\<lbrakk>x\<in>nat ; t\<in>nat\<rbrakk> \<Longrightarrow> arity(ecloseN_fm(x,t)) = succ(x) \<union> succ(t)"
+  unfolding ecloseN_fm_def 
+  using eclose_n1arity__fm eclose_n2arity__fm arity_union_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_frecR_fm :
+  "\<lbrakk>a\<in>nat;b\<in>nat\<rbrakk> \<Longrightarrow> arity(frecR_fm(a,b)) = succ(a) \<union> succ(b)"
+  unfolding frecR_fm_def
+  using arity_ftype_fm name1arity__fm name2arity__fm arity_domain_fm 
+      number1arity__fm arity_empty_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma arity_Collect_fm :
+  assumes "x \<in> nat" "y \<in> nat" "p\<in>formula" 
+  shows "arity(Collect_fm(x,p,y)) = succ(x) \<union> succ(y) \<union> pred(arity(p))"
+  unfolding Collect_fm_def
+  using assms pred_Un_distrib
+  by auto
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Choice_Axiom.thy b/thys/Forcing/Choice_Axiom.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Choice_Axiom.thy
@@ -0,0 +1,385 @@
+section\<open>The Axiom of Choice in $M[G]$\<close>
+theory Choice_Axiom
+  imports Powerset_Axiom Pairing_Axiom Union_Axiom Extensionality_Axiom 
+          Foundation_Axiom Powerset_Axiom Separation_Axiom 
+          Replacement_Axiom Interface Infinity_Axiom
+begin
+
+definition 
+  induced_surj :: "i\<Rightarrow>i\<Rightarrow>i\<Rightarrow>i" where
+  "induced_surj(f,a,e) \<equiv> f-``(range(f)-a)\<times>{e} \<union> restrict(f,f-``a)"
+  
+lemma domain_induced_surj: "domain(induced_surj(f,a,e)) = domain(f)"
+  unfolding induced_surj_def using domain_restrict domain_of_prod by auto
+    
+lemma range_restrict_vimage: 
+  assumes "function(f)"
+  shows "range(restrict(f,f-``a)) \<subseteq> a"
+proof
+  from assms 
+  have "function(restrict(f,f-``a))" 
+    using function_restrictI by simp
+  fix y
+  assume "y \<in> range(restrict(f,f-``a))"
+  then 
+  obtain x where "\<langle>x,y\<rangle> \<in> restrict(f,f-``a)"  "x \<in> f-``a" "x\<in>domain(f)"
+    using domain_restrict domainI[of _ _ "restrict(f,f-``a)"] by auto
+  moreover 
+  note \<open>function(restrict(f,f-``a))\<close> 
+  ultimately 
+  have "y = restrict(f,f-``a)`x" 
+    using function_apply_equality by blast
+  also from \<open>x \<in> f-``a\<close> 
+  have "restrict(f,f-``a)`x = f`x" 
+    by simp
+  finally 
+  have "y=f`x" .
+  moreover from assms \<open>x\<in>domain(f)\<close> 
+  have "\<langle>x,f`x\<rangle> \<in> f" 
+    using function_apply_Pair by auto 
+  moreover 
+  note assms \<open>x \<in> f-``a\<close> 
+  ultimately 
+  show "y\<in>a"
+    using function_image_vimage[of f a] by auto
+qed
+  
+lemma induced_surj_type: 
+  assumes
+    "function(f)" (* "relation(f)" (* a function can contain nonpairs *) *)
+  shows 
+    "induced_surj(f,a,e): domain(f) \<rightarrow> {e} \<union> a"
+    and
+    "x \<in> f-``a \<Longrightarrow> induced_surj(f,a,e)`x = f`x" 
+proof -
+  let ?f1="f-``(range(f)-a) \<times> {e}" and ?f2="restrict(f, f-``a)"
+  have "domain(?f2) = domain(f) \<inter> f-``a"
+    using domain_restrict by simp
+  moreover from assms 
+  have 1: "domain(?f1) = f-``(range(f))-f-``a"
+    using domain_of_prod function_vimage_Diff by simp
+  ultimately 
+  have "domain(?f1) \<inter> domain(?f2) = 0"
+    by auto
+  moreover 
+  have "function(?f1)" "relation(?f1)" "range(?f1) \<subseteq> {e}"
+    unfolding function_def relation_def range_def by auto
+  moreover from this and assms 
+  have "?f1: domain(?f1) \<rightarrow> range(?f1)"
+    using function_imp_Pi by simp
+  moreover from assms 
+  have "?f2: domain(?f2) \<rightarrow> range(?f2)"
+    using function_imp_Pi[of "restrict(f, f -`` a)"] function_restrictI by simp
+  moreover from assms 
+  have "range(?f2) \<subseteq> a" 
+    using range_restrict_vimage by simp
+  ultimately 
+  have "induced_surj(f,a,e): domain(?f1) \<union> domain(?f2) \<rightarrow> {e} \<union> a"
+    unfolding induced_surj_def using fun_is_function fun_disjoint_Un fun_weaken_type by simp
+  moreover 
+  have "domain(?f1) \<union> domain(?f2) = domain(f)"
+    using domain_restrict domain_of_prod by auto 
+  ultimately
+  show "induced_surj(f,a,e): domain(f) \<rightarrow> {e} \<union> a"
+    by simp
+  assume "x \<in> f-``a"
+  then 
+  have "?f2`x = f`x"
+    using restrict by simp
+  moreover from \<open>x \<in> f-``a\<close> and 1 
+  have "x \<notin> domain(?f1)"
+    by simp
+  ultimately 
+  show "induced_surj(f,a,e)`x = f`x" 
+    unfolding induced_surj_def using fun_disjoint_apply2[of x ?f1 ?f2] by simp
+qed
+  
+lemma induced_surj_is_surj : 
+  assumes 
+    "e\<in>a" "function(f)" "domain(f) = \<alpha>" "\<And>y. y \<in> a \<Longrightarrow> \<exists>x\<in>\<alpha>. f ` x = y" 
+  shows
+    "induced_surj(f,a,e) \<in> surj(\<alpha>,a)"
+  unfolding surj_def
+proof (intro CollectI ballI)
+  from assms 
+  show "induced_surj(f,a,e): \<alpha> \<rightarrow> a"
+    using induced_surj_type[of f a e] cons_eq cons_absorb by simp
+  fix y
+  assume "y \<in> a"
+  with assms 
+  have "\<exists>x\<in>\<alpha>. f ` x = y" 
+    by simp
+  then
+  obtain x where "x\<in>\<alpha>" "f ` x = y" by auto
+  with \<open>y\<in>a\<close> assms
+  have "x\<in>f-``a" 
+    using vimage_iff function_apply_Pair[of f x] by auto
+  with \<open>f ` x = y\<close> assms
+  have "induced_surj(f, a, e) ` x = y"
+    using induced_surj_type by simp
+  with \<open>x\<in>\<alpha>\<close> show
+    "\<exists>x\<in>\<alpha>. induced_surj(f, a, e) ` x = y" by auto
+qed
+  
+context G_generic 
+begin
+
+definition
+  upair_name :: "i \<Rightarrow> i \<Rightarrow> i" where
+  "upair_name(\<tau>,\<rho>) \<equiv> {\<langle>\<tau>,one\<rangle>,\<langle>\<rho>,one\<rangle>}"
+
+definition
+  is_upair_name :: "[i,i,i] \<Rightarrow> o" where
+  "is_upair_name(x,y,z) \<equiv> \<exists>xo\<in>M. \<exists>yo\<in>M. pair(##M,x,one,xo) \<and> pair(##M,y,one,yo) \<and> 
+                                       upair(##M,xo,yo,z)"
+
+lemma upair_name_abs : 
+  assumes "x\<in>M" "y\<in>M" "z\<in>M" 
+  shows "is_upair_name(x,y,z) \<longleftrightarrow> z = upair_name(x,y)" 
+  unfolding is_upair_name_def upair_name_def using assms one_in_M pair_in_M_iff by simp
+
+lemma upair_name_closed :
+  "\<lbrakk> x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> upair_name(x,y)\<in>M" 
+  unfolding upair_name_def using upair_in_M_iff pair_in_M_iff one_in_M by simp
+
+definition
+  upair_name_fm :: "[i,i,i,i] \<Rightarrow> i" where
+  "upair_name_fm(x,y,o,z) \<equiv> Exists(Exists(And(pair_fm(x#+2,o#+2,1),
+                                          And(pair_fm(y#+2,o#+2,0),upair_fm(1,0,z#+2)))))" 
+
+lemma upair_name_fm_type[TC] :
+    "\<lbrakk> s\<in>nat;x\<in>nat;y\<in>nat;o\<in>nat\<rbrakk> \<Longrightarrow> upair_name_fm(s,x,y,o)\<in>formula"
+  unfolding upair_name_fm_def by simp
+
+lemma sats_upair_name_fm :
+  assumes "x\<in>nat" "y\<in>nat" "z\<in>nat" "o\<in>nat" "env\<in>list(M)""nth(o,env)=one" 
+  shows 
+    "sats(M,upair_name_fm(x,y,o,z),env) \<longleftrightarrow> is_upair_name(nth(x,env),nth(y,env),nth(z,env))"
+  unfolding upair_name_fm_def is_upair_name_def using assms by simp
+
+definition
+  opair_name :: "i \<Rightarrow> i \<Rightarrow> i" where
+  "opair_name(\<tau>,\<rho>) \<equiv> upair_name(upair_name(\<tau>,\<tau>),upair_name(\<tau>,\<rho>))"
+
+definition
+  is_opair_name :: "[i,i,i] \<Rightarrow> o" where
+  "is_opair_name(x,y,z) \<equiv> \<exists>upxx\<in>M. \<exists>upxy\<in>M. is_upair_name(x,x,upxx) \<and> is_upair_name(x,y,upxy)
+                                          \<and> is_upair_name(upxx,upxy,z)" 
+
+lemma opair_name_abs : 
+  assumes "x\<in>M" "y\<in>M" "z\<in>M" 
+  shows "is_opair_name(x,y,z) \<longleftrightarrow> z = opair_name(x,y)" 
+  unfolding is_opair_name_def opair_name_def using assms upair_name_abs upair_name_closed by simp
+
+lemma opair_name_closed :
+  "\<lbrakk> x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> opair_name(x,y)\<in>M" 
+  unfolding opair_name_def using upair_name_closed by simp
+
+definition
+  opair_name_fm :: "[i,i,i,i] \<Rightarrow> i" where
+  "opair_name_fm(x,y,o,z) \<equiv> Exists(Exists(And(upair_name_fm(x#+2,x#+2,o#+2,1),
+                    And(upair_name_fm(x#+2,y#+2,o#+2,0),upair_name_fm(1,0,o#+2,z#+2)))))" 
+
+lemma opair_name_fm_type[TC] :
+    "\<lbrakk> s\<in>nat;x\<in>nat;y\<in>nat;o\<in>nat\<rbrakk> \<Longrightarrow> opair_name_fm(s,x,y,o)\<in>formula"
+  unfolding opair_name_fm_def by simp
+
+lemma sats_opair_name_fm :
+  assumes "x\<in>nat" "y\<in>nat" "z\<in>nat" "o\<in>nat" "env\<in>list(M)""nth(o,env)=one" 
+  shows 
+    "sats(M,opair_name_fm(x,y,o,z),env) \<longleftrightarrow> is_opair_name(nth(x,env),nth(y,env),nth(z,env))"
+  unfolding opair_name_fm_def is_opair_name_def using assms sats_upair_name_fm by simp
+
+lemma val_upair_name : "val(G,upair_name(\<tau>,\<rho>)) = {val(G,\<tau>),val(G,\<rho>)}"
+  unfolding upair_name_def using val_Upair  generic one_in_G one_in_P by simp
+    
+lemma val_opair_name : "val(G,opair_name(\<tau>,\<rho>)) = \<langle>val(G,\<tau>),val(G,\<rho>)\<rangle>"
+  unfolding opair_name_def Pair_def using val_upair_name  by simp
+    
+lemma val_RepFun_one: "val(G,{\<langle>f(x),one\<rangle> . x\<in>a}) = {val(G,f(x)) . x\<in>a}"
+proof -
+  let ?A = "{f(x) . x \<in> a}"
+  let ?Q = "\<lambda>\<langle>x,p\<rangle> . p = one"
+  have "one \<in> P\<inter>G" using generic one_in_G one_in_P by simp
+  have "{\<langle>f(x),one\<rangle> . x \<in> a} = {t \<in> ?A \<times> P . ?Q(t)}" 
+    using one_in_P by force
+  then
+  have "val(G,{\<langle>f(x),one\<rangle>  . x \<in> a}) = val(G,{t \<in> ?A \<times> P . ?Q(t)})"
+    by simp
+  also
+  have "... = {val(G,t) .. t \<in> ?A , \<exists>p\<in>P\<inter>G . ?Q(\<langle>t,p\<rangle>)}"
+    using val_of_name_alt by simp
+  also
+  have "... = {val(G,t) . t \<in> ?A }"
+    using \<open>one\<in>P\<inter>G\<close> by force
+  also
+  have "... = {val(G,f(x)) . x \<in> a}"
+    by auto
+  finally show ?thesis by simp
+qed
+
+subsection\<open>$M[G]$ is a transitive model of ZF\<close>
+
+interpretation mgzf: M_ZF_trans "M[G]"
+  using Transset_MG generic pairing_in_MG Union_MG 
+    extensionality_in_MG power_in_MG foundation_in_MG  
+    strong_replacement_in_MG separation_in_MG infinity_in_MG
+  by unfold_locales simp_all
+
+(* y = opair_name(check(\<beta>),s`\<beta>) *)
+definition
+  is_opname_check :: "[i,i,i] \<Rightarrow> o" where
+  "is_opname_check(s,x,y) \<equiv> \<exists>chx\<in>M. \<exists>sx\<in>M. is_check(x,chx) \<and> fun_apply(##M,s,x,sx) \<and> 
+                             is_opair_name(chx,sx,y)" 
+
+definition
+  opname_check_fm :: "[i,i,i,i] \<Rightarrow> i" where
+  "opname_check_fm(s,x,y,o) \<equiv> Exists(Exists(And(check_fm(2#+x,2#+o,1),
+                              And(fun_apply_fm(2#+s,2#+x,0),opair_name_fm(1,0,2#+o,2#+y)))))"
+
+lemma opname_check_fm_type[TC] :
+  "\<lbrakk> s\<in>nat;x\<in>nat;y\<in>nat;o\<in>nat\<rbrakk> \<Longrightarrow> opname_check_fm(s,x,y,o)\<in>formula"
+  unfolding opname_check_fm_def by simp
+
+lemma sats_opname_check_fm:
+  assumes "x\<in>nat" "y\<in>nat" "z\<in>nat" "o\<in>nat" "env\<in>list(M)" "nth(o,env)=one" 
+          "y<length(env)"
+  shows 
+    "sats(M,opname_check_fm(x,y,z,o),env) \<longleftrightarrow> is_opname_check(nth(x,env),nth(y,env),nth(z,env))"
+  unfolding opname_check_fm_def is_opname_check_def 
+  using assms sats_check_fm sats_opair_name_fm one_in_M by simp
+
+
+lemma opname_check_abs :
+  assumes "s\<in>M" "x\<in>M" "y\<in>M" 
+  shows "is_opname_check(s,x,y) \<longleftrightarrow> y = opair_name(check(x),s`x)" 
+  unfolding is_opname_check_def  
+  using assms check_abs check_in_M opair_name_abs apply_abs apply_closed by simp
+
+lemma repl_opname_check :
+  assumes
+    "A\<in>M" "f\<in>M" 
+  shows
+   "{opair_name(check(x),f`x). x\<in>A}\<in>M"
+proof -
+  have "arity(opname_check_fm(3,0,1,2))= 4" 
+    unfolding opname_check_fm_def opair_name_fm_def upair_name_fm_def
+          check_fm_def rcheck_fm_def trans_closure_fm_def is_eclose_fm_def mem_eclose_fm_def
+         is_Hcheck_fm_def Replace_fm_def PHcheck_fm_def finite_ordinal_fm_def is_iterates_fm_def
+             is_wfrec_fm_def is_recfun_fm_def restriction_fm_def pre_image_fm_def eclose_n_fm_def
+        is_nat_case_fm_def quasinat_fm_def Memrel_fm_def singleton_fm_def fm_defs iterates_MH_fm_def
+    by (simp add:nat_simp_union)
+  moreover
+  have "x\<in>A \<Longrightarrow> opair_name(check(x), f ` x)\<in>M" for x
+    using assms opair_name_closed apply_closed transitivity check_in_M
+    by simp
+  ultimately
+  show ?thesis using assms opname_check_abs[of f] sats_opname_check_fm
+        one_in_M
+        Repl_in_M[of "opname_check_fm(3,0,1,2)" "[one,f]" "is_opname_check(f)" 
+                    "\<lambda>x. opair_name(check(x),f`x)"] 
+    by simp
+qed
+
+
+
+theorem choice_in_MG: 
+  assumes "choice_ax(##M)"
+  shows "choice_ax(##M[G])"
+proof -
+  {
+    fix a
+    assume "a\<in>M[G]"
+    then
+    obtain \<tau> where "\<tau>\<in>M" "val(G,\<tau>) = a" 
+      using GenExt_def by auto
+    with \<open>\<tau>\<in>M\<close>
+    have "domain(\<tau>)\<in>M"
+      using domain_closed by simp
+    then
+    obtain s \<alpha> where "s\<in>surj(\<alpha>,domain(\<tau>))" "Ord(\<alpha>)" "s\<in>M" "\<alpha>\<in>M"
+      using assms choice_ax_abs by auto
+    then
+    have "\<alpha>\<in>M[G]"         
+      using M_subset_MG generic one_in_G subsetD by blast
+    let ?A="domain(\<tau>)\<times>P"
+    let ?g = "{opair_name(check(\<beta>),s`\<beta>). \<beta>\<in>\<alpha>}"
+    have "?g \<in> M" using \<open>s\<in>M\<close> \<open>\<alpha>\<in>M\<close> repl_opname_check by simp
+    let ?f_dot="{\<langle>opair_name(check(\<beta>),s`\<beta>),one\<rangle>. \<beta>\<in>\<alpha>}"
+    have "?f_dot = ?g \<times> {one}" by blast
+    from one_in_M have "{one} \<in> M" using singletonM by simp
+    define f where
+      "f \<equiv> val(G,?f_dot)" 
+    from \<open>{one}\<in>M\<close> \<open>?g\<in>M\<close> \<open>?f_dot = ?g\<times>{one}\<close> 
+    have "?f_dot\<in>M" 
+      using cartprod_closed by simp
+    then
+    have "f \<in> M[G]"
+      unfolding f_def by (blast intro:GenExtI)
+    have "f = {val(G,opair_name(check(\<beta>),s`\<beta>)) . \<beta>\<in>\<alpha>}"
+      unfolding f_def using val_RepFun_one by simp
+    also
+    have "... = {\<langle>\<beta>,val(G,s`\<beta>)\<rangle> . \<beta>\<in>\<alpha>}"
+      using val_opair_name valcheck generic one_in_G one_in_P by simp
+    finally
+    have "f = {\<langle>\<beta>,val(G,s`\<beta>)\<rangle> . \<beta>\<in>\<alpha>}" .
+    then
+    have 1: "domain(f) = \<alpha>" "function(f)"
+      unfolding function_def by auto
+    have 2: "y \<in> a \<Longrightarrow> \<exists>x\<in>\<alpha>. f ` x = y" for y
+    proof -
+      fix y
+      assume
+        "y \<in> a"
+      with \<open>val(G,\<tau>) = a\<close> 
+      obtain \<sigma> where  "\<sigma>\<in>domain(\<tau>)" "val(G,\<sigma>) = y"
+        using elem_of_val[of y _ \<tau>] by blast
+      with \<open>s\<in>surj(\<alpha>,domain(\<tau>))\<close> 
+      obtain \<beta> where "\<beta>\<in>\<alpha>" "s`\<beta> = \<sigma>" 
+        unfolding surj_def by auto
+      with \<open>val(G,\<sigma>) = y\<close>
+      have "val(G,s`\<beta>) = y" 
+        by simp
+      with \<open>f = {\<langle>\<beta>,val(G,s`\<beta>)\<rangle> . \<beta>\<in>\<alpha>}\<close> \<open>\<beta>\<in>\<alpha>\<close>
+      have "\<langle>\<beta>,y\<rangle>\<in>f" 
+        by auto
+      with \<open>function(f)\<close>
+      have "f`\<beta> = y"
+        using function_apply_equality by simp
+      with \<open>\<beta>\<in>\<alpha>\<close> show
+        "\<exists>\<beta>\<in>\<alpha>. f ` \<beta> = y" 
+        by auto
+    qed
+    then
+    have "\<exists>\<alpha>\<in>(M[G]). \<exists>f'\<in>(M[G]). Ord(\<alpha>) \<and> f' \<in> surj(\<alpha>,a)"
+    proof (cases "a=0")
+      case True
+      then
+      have "0\<in>surj(0,a)" 
+        unfolding surj_def by simp
+      then
+      show ?thesis using zero_in_MG by auto
+    next
+      case False
+      with \<open>a\<in>M[G]\<close> 
+      obtain e where "e\<in>a" "e\<in>M[G]" 
+        using transitivity_MG by blast
+      with 1 and 2
+      have "induced_surj(f,a,e) \<in> surj(\<alpha>,a)"
+        using induced_surj_is_surj by simp
+      moreover from \<open>f\<in>M[G]\<close> \<open>a\<in>M[G]\<close> \<open>e\<in>M[G]\<close>
+      have "induced_surj(f,a,e) \<in> M[G]"
+        unfolding induced_surj_def 
+        by (simp flip: setclass_iff)
+      moreover note
+        \<open>\<alpha>\<in>M[G]\<close> \<open>Ord(\<alpha>)\<close>
+      ultimately show ?thesis by auto
+    qed
+  }
+  then
+  show ?thesis using mgzf.choice_ax_abs by simp
+qed
+  
+end (* G_generic_extra_repl *)
+  
+end
\ No newline at end of file
diff --git a/thys/Forcing/Extensionality_Axiom.thy b/thys/Forcing/Extensionality_Axiom.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Extensionality_Axiom.thy
@@ -0,0 +1,32 @@
+section\<open>The Axiom of Extensionality in $M[G]$\<close>
+theory Extensionality_Axiom
+imports
+  Names
+begin
+
+context forcing_data
+begin
+  
+lemma extensionality_in_MG : "extensionality(##(M[G]))"
+proof -
+  {
+    fix x y z
+    assume 
+      asms: "x\<in>M[G]" "y\<in>M[G]" "(\<forall>w\<in>M[G] . w \<in> x \<longleftrightarrow> w \<in> y)"
+    from \<open>x\<in>M[G]\<close> have
+      "z\<in>x \<longleftrightarrow> z\<in>M[G] \<and> z\<in>x"
+      using transitivity_MG by auto
+    also have
+      "... \<longleftrightarrow> z\<in>y"
+      using asms transitivity_MG by auto
+    finally have
+      "z\<in>x \<longleftrightarrow> z\<in>y" .
+  }
+  then have
+    "\<forall>x\<in>M[G] . \<forall>y\<in>M[G] . (\<forall>z\<in>M[G] . z \<in> x \<longleftrightarrow> z \<in> y) \<longrightarrow> x = y"
+    by blast
+  then show ?thesis unfolding extensionality_def by simp
+qed
+ 
+end  (* context forcing_data *)
+end
\ No newline at end of file
diff --git a/thys/Forcing/Forces_Definition.thy b/thys/Forcing/Forces_Definition.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Forces_Definition.thy
@@ -0,0 +1,1793 @@
+section\<open>The definition of \<^term>\<open>forces\<close>\<close>
+theory Forces_Definition imports Arities FrecR Synthetic_Definition begin
+
+text\<open>This is the core of our development.\<close>
+
+subsection\<open>The relation \<^term>\<open>frecrel\<close>\<close>
+
+definition
+  frecrelP :: "[i\<Rightarrow>o,i] \<Rightarrow> o" where
+  "frecrelP(M,xy) \<equiv> (\<exists>x[M]. \<exists>y[M]. pair(M,x,y,xy) \<and> is_frecR(M,x,y))"
+
+definition
+  frecrelP_fm :: "i \<Rightarrow> i" where
+  "frecrelP_fm(a) \<equiv> Exists(Exists(And(pair_fm(1,0,a#+2),frecR_fm(1,0))))"
+
+lemma arity_frecrelP_fm :
+  "a\<in>nat \<Longrightarrow> arity(frecrelP_fm(a)) = succ(a)"
+  unfolding frecrelP_fm_def
+  using arity_frecR_fm arity_pair_fm pred_Un_distrib
+  by simp
+
+lemma frecrelP_fm_type[TC] :
+  "a\<in>nat \<Longrightarrow> frecrelP_fm(a)\<in>formula"
+  unfolding frecrelP_fm_def by simp
+
+lemma sats_frecrelP_fm :
+  assumes "a\<in>nat" "env\<in>list(A)"
+  shows "sats(A,frecrelP_fm(a),env) \<longleftrightarrow> frecrelP(##A,nth(a, env))"
+  unfolding frecrelP_def frecrelP_fm_def
+  using assms by (auto simp add:frecR_fm_iff_sats[symmetric])
+
+lemma frecrelP_iff_sats:
+  assumes
+    "nth(a,env) = aa" "a\<in> nat"  "env \<in> list(A)"
+  shows
+    "frecrelP(##A,aa)  \<longleftrightarrow> sats(A, frecrelP_fm(a), env)"
+  using assms
+  by (simp add:sats_frecrelP_fm)
+
+definition
+  is_frecrel :: "[i\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_frecrel(M,A,r) \<equiv> \<exists>A2[M]. cartprod(M,A,A,A2) \<and> is_Collect(M,A2, frecrelP(M) ,r)"
+
+definition
+  frecrel_fm :: "[i,i] \<Rightarrow> i" where
+  "frecrel_fm(a,r) \<equiv> Exists(And(cartprod_fm(a#+1,a#+1,0),Collect_fm(0,frecrelP_fm(0),r#+1)))"
+
+lemma frecrel_fm_type[TC] :
+  "\<lbrakk>a\<in>nat;b\<in>nat\<rbrakk> \<Longrightarrow> frecrel_fm(a,b)\<in>formula"
+  unfolding frecrel_fm_def by simp
+
+lemma arity_frecrel_fm :
+  assumes "a\<in>nat"  "b\<in>nat"
+  shows "arity(frecrel_fm(a,b)) = succ(a) \<union> succ(b)"
+  unfolding frecrel_fm_def
+  using assms arity_Collect_fm arity_cartprod_fm arity_frecrelP_fm pred_Un_distrib
+  by auto
+
+lemma sats_frecrel_fm :
+  assumes
+    "a\<in>nat"  "r\<in>nat" "env\<in>list(A)"
+  shows
+    "sats(A,frecrel_fm(a,r),env)
+    \<longleftrightarrow> is_frecrel(##A,nth(a, env),nth(r, env))"
+  unfolding is_frecrel_def frecrel_fm_def
+  using assms
+  by (simp add:sats_Collect_fm sats_frecrelP_fm)
+
+lemma is_frecrel_iff_sats:
+  assumes
+    "nth(a,env) = aa" "nth(r,env) = rr" "a\<in> nat"  "r\<in> nat"  "env \<in> list(A)"
+  shows
+    "is_frecrel(##A, aa,rr) \<longleftrightarrow> sats(A, frecrel_fm(a,r), env)"
+  using assms
+  by (simp add:sats_frecrel_fm)
+
+definition
+  names_below :: "i \<Rightarrow> i \<Rightarrow> i" where
+  "names_below(P,x) \<equiv> 2\<times>ecloseN(x)\<times>ecloseN(x)\<times>P"
+
+lemma names_belowsD:
+  assumes "x \<in> names_below(P,z)"
+  obtains f n1 n2 p where
+    "x = \<langle>f,n1,n2,p\<rangle>" "f\<in>2" "n1\<in>ecloseN(z)" "n2\<in>ecloseN(z)" "p\<in>P"
+  using assms unfolding names_below_def by auto
+
+
+definition
+  is_names_below :: "[i\<Rightarrow>o,i,i,i] \<Rightarrow> o" where
+  "is_names_below(M,P,x,nb) \<equiv> \<exists>p1[M]. \<exists>p0[M]. \<exists>t[M]. \<exists>ec[M].
+              is_ecloseN(M,ec,x) \<and> number2(M,t) \<and> cartprod(M,ec,P,p0) \<and> cartprod(M,ec,p0,p1)
+              \<and> cartprod(M,t,p1,nb)"
+
+definition
+  number2_fm :: "i\<Rightarrow>i" where
+  "number2_fm(a) \<equiv> Exists(And(number1_fm(0), succ_fm(0,succ(a))))"
+
+lemma number2_fm_type[TC] :
+  "a\<in>nat \<Longrightarrow> number2_fm(a) \<in> formula"
+  unfolding number2_fm_def by simp
+
+lemma number2arity__fm :
+  "a\<in>nat \<Longrightarrow> arity(number2_fm(a)) = succ(a)"
+  unfolding number2_fm_def
+  using number1arity__fm arity_succ_fm nat_union_abs2 pred_Un_distrib
+  by simp
+
+lemma sats_number2_fm [simp]:
+  "\<lbrakk> x \<in> nat; env \<in> list(A) \<rbrakk>
+    \<Longrightarrow> sats(A, number2_fm(x), env) \<longleftrightarrow> number2(##A, nth(x,env))"
+  by (simp add: number2_fm_def number2_def)
+
+definition
+  is_names_below_fm :: "[i,i,i] \<Rightarrow> i" where
+  "is_names_below_fm(P,x,nb) \<equiv> Exists(Exists(Exists(Exists(
+                    And(ecloseN_fm(0,x #+ 4),And(number2_fm(1),
+                    And(cartprod_fm(0,P #+ 4,2),And(cartprod_fm(0,2,3),cartprod_fm(1,3,nb#+4)))))))))"
+
+lemma arity_is_names_below_fm :
+  "\<lbrakk>P\<in>nat;x\<in>nat;nb\<in>nat\<rbrakk> \<Longrightarrow> arity(is_names_below_fm(P,x,nb)) = succ(P) \<union> succ(x) \<union> succ(nb)"
+  unfolding is_names_below_fm_def
+  using arity_cartprod_fm number2arity__fm arity_ecloseN_fm nat_union_abs2 pred_Un_distrib
+  by auto
+
+
+lemma is_names_below_fm_type[TC]:
+  "\<lbrakk>P\<in>nat;x\<in>nat;nb\<in>nat\<rbrakk> \<Longrightarrow> is_names_below_fm(P,x,nb)\<in>formula"
+  unfolding is_names_below_fm_def by simp
+
+lemma sats_is_names_below_fm :
+  assumes
+    "P\<in>nat" "x\<in>nat" "nb\<in>nat" "env\<in>list(A)"
+  shows
+    "sats(A,is_names_below_fm(P,x,nb),env)
+    \<longleftrightarrow> is_names_below(##A,nth(P, env),nth(x, env),nth(nb, env))"
+  unfolding is_names_below_fm_def is_names_below_def using assms by simp
+
+definition
+  is_tuple :: "[i\<Rightarrow>o,i,i,i,i,i] \<Rightarrow> o" where
+  "is_tuple(M,z,t1,t2,p,t) \<equiv> \<exists>t1t2p[M]. \<exists>t2p[M]. pair(M,t2,p,t2p) \<and> pair(M,t1,t2p,t1t2p) \<and>
+                                                  pair(M,z,t1t2p,t)"
+
+
+definition
+  is_tuple_fm :: "[i,i,i,i,i] \<Rightarrow> i" where
+  "is_tuple_fm(z,t1,t2,p,tup) = Exists(Exists(And(pair_fm(t2 #+ 2,p #+ 2,0),
+                      And(pair_fm(t1 #+ 2,0,1),pair_fm(z #+ 2,1,tup #+ 2)))))"
+
+
+lemma arity_is_tuple_fm : "\<lbrakk> z\<in>nat ; t1\<in>nat ; t2\<in>nat ; p\<in>nat ; tup\<in>nat \<rbrakk> \<Longrightarrow>
+  arity(is_tuple_fm(z,t1,t2,p,tup)) = \<Union> {succ(z),succ(t1),succ(t2),succ(p),succ(tup)}"
+  unfolding is_tuple_fm_def
+  using arity_pair_fm nat_union_abs1 nat_union_abs2 pred_Un_distrib
+  by auto
+
+lemma is_tuple_fm_type[TC] :
+  "z\<in>nat \<Longrightarrow> t1\<in>nat \<Longrightarrow> t2\<in>nat \<Longrightarrow> p\<in>nat \<Longrightarrow> tup\<in>nat \<Longrightarrow> is_tuple_fm(z,t1,t2,p,tup)\<in>formula"
+  unfolding is_tuple_fm_def by simp
+
+lemma sats_is_tuple_fm :
+  assumes
+    "z\<in>nat"  "t1\<in>nat" "t2\<in>nat" "p\<in>nat" "tup\<in>nat" "env\<in>list(A)"
+  shows
+    "sats(A,is_tuple_fm(z,t1,t2,p,tup),env)
+    \<longleftrightarrow> is_tuple(##A,nth(z, env),nth(t1, env),nth(t2, env),nth(p, env),nth(tup, env))"
+  unfolding is_tuple_def is_tuple_fm_def using assms by simp
+
+lemma is_tuple_iff_sats:
+  assumes
+    "nth(a,env) = aa" "nth(b,env) = bb" "nth(c,env) = cc" "nth(d,env) = dd" "nth(e,env) = ee"
+    "a\<in>nat" "b\<in>nat" "c\<in>nat" "d\<in>nat" "e\<in>nat"  "env \<in> list(A)"
+  shows
+    "is_tuple(##A,aa,bb,cc,dd,ee)  \<longleftrightarrow> sats(A, is_tuple_fm(a,b,c,d,e), env)"
+  using assms by (simp add: sats_is_tuple_fm)
+
+subsection\<open>Definition of \<^term>\<open>forces\<close> for equality and membership\<close>
+
+(* p ||- \<tau> = \<theta> \<equiv>
+  \<forall>\<sigma>. \<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>) \<longrightarrow> (\<forall>q\<in>P. \<langle>q,p\<rangle>\<in>leq \<longrightarrow> ((q ||- \<sigma>\<in>\<tau>) \<longleftrightarrow> (q ||- \<sigma>\<in>\<theta>)) ) *)
+definition
+  eq_case :: "[i,i,i,i,i,i] \<Rightarrow> o" where
+  "eq_case(t1,t2,p,P,leq,f) \<equiv> \<forall>s. s\<in>domain(t1) \<union> domain(t2) \<longrightarrow>
+      (\<forall>q. q\<in>P \<and> \<langle>q,p\<rangle>\<in>leq \<longrightarrow> (f`\<langle>1,s,t1,q\<rangle>=1  \<longleftrightarrow> f`\<langle>1,s,t2,q\<rangle> =1))"
+
+
+definition
+  is_eq_case :: "[i\<Rightarrow>o,i,i,i,i,i,i] \<Rightarrow> o" where
+  "is_eq_case(M,t1,t2,p,P,leq,f) \<equiv>
+   \<forall>s[M]. (\<exists>d[M]. is_domain(M,t1,d) \<and> s\<in>d) \<or> (\<exists>d[M]. is_domain(M,t2,d) \<and> s\<in>d)
+       \<longrightarrow> (\<forall>q[M]. q\<in>P \<and> (\<exists>qp[M]. pair(M,q,p,qp) \<and> qp\<in>leq) \<longrightarrow>
+            (\<exists>ost1q[M]. \<exists>ost2q[M]. \<exists>o[M].  \<exists>vf1[M]. \<exists>vf2[M].
+             is_tuple(M,o,s,t1,q,ost1q) \<and>
+             is_tuple(M,o,s,t2,q,ost2q) \<and> number1(M,o) \<and>
+             fun_apply(M,f,ost1q,vf1) \<and> fun_apply(M,f,ost2q,vf2) \<and>
+             (vf1 = o \<longleftrightarrow> vf2 = o)))"
+
+(* p ||-
+   \<pi> \<in> \<tau> \<equiv> \<forall>v\<in>P. \<langle>v,p\<rangle>\<in>leq \<longrightarrow> (\<exists>q\<in>P. \<langle>q,v\<rangle>\<in>leq \<and> (\<exists>\<sigma>. \<exists>r\<in>P. \<langle>\<sigma>,r\<rangle>\<in>\<tau> \<and> \<langle>q,r\<rangle>\<in>leq \<and>  q ||- \<pi> = \<sigma>)) *)
+definition
+  mem_case :: "[i,i,i,i,i,i] \<Rightarrow> o" where
+  "mem_case(t1,t2,p,P,leq,f) \<equiv> \<forall>v\<in>P. \<langle>v,p\<rangle>\<in>leq \<longrightarrow>
+    (\<exists>q. \<exists>s. \<exists>r. r\<in>P \<and> q\<in>P \<and> \<langle>q,v\<rangle>\<in>leq \<and> \<langle>s,r\<rangle> \<in> t2 \<and> \<langle>q,r\<rangle>\<in>leq \<and>  f`\<langle>0,t1,s,q\<rangle> = 1)"
+
+definition
+  is_mem_case :: "[i\<Rightarrow>o,i,i,i,i,i,i] \<Rightarrow> o" where
+  "is_mem_case(M,t1,t2,p,P,leq,f) \<equiv> \<forall>v[M]. \<forall>vp[M]. v\<in>P \<and> pair(M,v,p,vp) \<and> vp\<in>leq \<longrightarrow>
+    (\<exists>q[M]. \<exists>s[M]. \<exists>r[M]. \<exists>qv[M]. \<exists>sr[M]. \<exists>qr[M]. \<exists>z[M]. \<exists>zt1sq[M]. \<exists>o[M].
+     r\<in> P \<and> q\<in>P \<and> pair(M,q,v,qv) \<and> pair(M,s,r,sr) \<and> pair(M,q,r,qr) \<and>
+     empty(M,z) \<and> is_tuple(M,z,t1,s,q,zt1sq) \<and>
+     number1(M,o) \<and> qv\<in>leq \<and> sr\<in>t2 \<and> qr\<in>leq \<and> fun_apply(M,f,zt1sq,o))"
+
+
+schematic_goal sats_is_mem_case_fm_auto:
+  assumes
+    "n1\<in>nat" "n2\<in>nat" "p\<in>nat" "P\<in>nat" "leq\<in>nat" "f\<in>nat" "env\<in>list(A)"
+  shows
+    "is_mem_case(##A, nth(n1, env),nth(n2, env),nth(p, env),nth(P, env), nth(leq, env),nth(f,env))
+    \<longleftrightarrow> sats(A,?imc_fm(n1,n2,p,P,leq,f),env)"
+  unfolding is_mem_case_def
+  by (insert assms ; (rule sep_rules'  is_tuple_iff_sats | simp)+)
+
+
+synthesize "mem_case_fm" from_schematic sats_is_mem_case_fm_auto
+
+lemma arity_mem_case_fm :
+  assumes
+    "n1\<in>nat" "n2\<in>nat" "p\<in>nat" "P\<in>nat" "leq\<in>nat" "f\<in>nat"
+  shows
+    "arity(mem_case_fm(n1,n2,p,P,leq,f)) =
+    succ(n1) \<union> succ(n2) \<union> succ(p) \<union> succ(P) \<union> succ(leq) \<union> succ(f)"
+  unfolding mem_case_fm_def
+  using assms arity_pair_fm arity_is_tuple_fm number1arity__fm arity_fun_apply_fm arity_empty_fm
+    pred_Un_distrib
+  by auto
+
+schematic_goal sats_is_eq_case_fm_auto:
+  assumes
+    "n1\<in>nat" "n2\<in>nat" "p\<in>nat" "P\<in>nat" "leq\<in>nat" "f\<in>nat" "env\<in>list(A)"
+  shows
+    "is_eq_case(##A, nth(n1, env),nth(n2, env),nth(p, env),nth(P, env), nth(leq, env),nth(f,env))
+    \<longleftrightarrow> sats(A,?iec_fm(n1,n2,p,P,leq,f),env)"
+  unfolding is_eq_case_def
+  by (insert assms ; (rule sep_rules'  is_tuple_iff_sats | simp)+)
+
+synthesize "eq_case_fm" from_schematic sats_is_eq_case_fm_auto
+
+lemma arity_eq_case_fm :
+  assumes
+    "n1\<in>nat" "n2\<in>nat" "p\<in>nat" "P\<in>nat" "leq\<in>nat" "f\<in>nat"
+  shows
+    "arity(eq_case_fm(n1,n2,p,P,leq,f)) =
+    succ(n1) \<union> succ(n2) \<union> succ(p) \<union> succ(P) \<union> succ(leq) \<union> succ(f)"
+  unfolding eq_case_fm_def
+  using assms arity_pair_fm arity_is_tuple_fm number1arity__fm arity_fun_apply_fm arity_empty_fm
+    arity_domain_fm pred_Un_distrib
+  by auto
+
+definition
+  Hfrc :: "[i,i,i,i] \<Rightarrow> o" where
+  "Hfrc(P,leq,fnnc,f) \<equiv> \<exists>ft. \<exists>n1. \<exists>n2. \<exists>c. c\<in>P \<and> fnnc = \<langle>ft,n1,n2,c\<rangle> \<and>
+     (  ft = 0 \<and>  eq_case(n1,n2,c,P,leq,f)
+      \<or> ft = 1 \<and> mem_case(n1,n2,c,P,leq,f))"
+
+definition
+  is_Hfrc :: "[i\<Rightarrow>o,i,i,i,i] \<Rightarrow> o" where
+  "is_Hfrc(M,P,leq,fnnc,f) \<equiv>
+     \<exists>ft[M]. \<exists>n1[M]. \<exists>n2[M]. \<exists>co[M].
+      co\<in>P \<and> is_tuple(M,ft,n1,n2,co,fnnc) \<and>
+      (  (empty(M,ft) \<and> is_eq_case(M,n1,n2,co,P,leq,f))
+       \<or> (number1(M,ft) \<and>  is_mem_case(M,n1,n2,co,P,leq,f)))"
+
+definition
+  Hfrc_fm :: "[i,i,i,i] \<Rightarrow> i" where
+  "Hfrc_fm(P,leq,fnnc,f) \<equiv>
+    Exists(Exists(Exists(Exists(
+      And(Member(0,P #+ 4),And(is_tuple_fm(3,2,1,0,fnnc #+ 4),
+      Or(And(empty_fm(3),eq_case_fm(2,1,0,P #+ 4,leq #+ 4,f #+ 4)),
+         And(number1_fm(3),mem_case_fm(2,1,0,P #+ 4,leq #+ 4,f #+ 4)))))))))"
+
+lemma Hfrc_fm_type[TC] :
+  "\<lbrakk>P\<in>nat;leq\<in>nat;fnnc\<in>nat;f\<in>nat\<rbrakk> \<Longrightarrow> Hfrc_fm(P,leq,fnnc,f)\<in>formula"
+  unfolding Hfrc_fm_def by simp
+
+lemma arity_Hfrc_fm :
+  assumes
+    "P\<in>nat" "leq\<in>nat" "fnnc\<in>nat" "f\<in>nat"
+  shows
+    "arity(Hfrc_fm(P,leq,fnnc,f)) = succ(P) \<union> succ(leq) \<union> succ(fnnc) \<union> succ(f)"
+  unfolding Hfrc_fm_def
+  using assms arity_is_tuple_fm arity_mem_case_fm arity_eq_case_fm
+    arity_empty_fm number1arity__fm pred_Un_distrib
+  by auto
+
+lemma sats_Hfrc_fm:
+  assumes
+    "P\<in>nat" "leq\<in>nat" "fnnc\<in>nat" "f\<in>nat" "env\<in>list(A)"
+  shows
+    "sats(A,Hfrc_fm(P,leq,fnnc,f),env)
+    \<longleftrightarrow> is_Hfrc(##A,nth(P, env), nth(leq, env), nth(fnnc, env),nth(f, env))"
+  unfolding is_Hfrc_def Hfrc_fm_def
+  using assms  
+  by (simp add: sats_is_tuple_fm eq_case_fm_iff_sats[symmetric] mem_case_fm_iff_sats[symmetric])
+
+lemma Hfrc_iff_sats:
+  assumes
+    "P\<in>nat" "leq\<in>nat" "fnnc\<in>nat" "f\<in>nat" "env\<in>list(A)"
+    "nth(P,env) = PP"  "nth(leq,env) = lleq" "nth(fnnc,env) = ffnnc" "nth(f,env) = ff"
+  shows
+    "is_Hfrc(##A, PP, lleq,ffnnc,ff)
+    \<longleftrightarrow> sats(A,Hfrc_fm(P,leq,fnnc,f),env)"
+  using assms
+  by (simp add:sats_Hfrc_fm)
+
+definition
+  is_Hfrc_at :: "[i\<Rightarrow>o,i,i,i,i,i] \<Rightarrow> o" where
+  "is_Hfrc_at(M,P,leq,fnnc,f,z) \<equiv>
+            (empty(M,z) \<and> \<not> is_Hfrc(M,P,leq,fnnc,f))
+          \<or> (number1(M,z) \<and> is_Hfrc(M,P,leq,fnnc,f))"
+
+definition
+  Hfrc_at_fm :: "[i,i,i,i,i] \<Rightarrow> i" where
+  "Hfrc_at_fm(P,leq,fnnc,f,z) \<equiv> Or(And(empty_fm(z),Neg(Hfrc_fm(P,leq,fnnc,f))),
+                                      And(number1_fm(z),Hfrc_fm(P,leq,fnnc,f)))"
+
+lemma arity_Hfrc_at_fm :
+  assumes
+    "P\<in>nat" "leq\<in>nat" "fnnc\<in>nat" "f\<in>nat" "z\<in>nat"
+  shows
+    "arity(Hfrc_at_fm(P,leq,fnnc,f,z)) = succ(P) \<union> succ(leq) \<union> succ(fnnc) \<union> succ(f) \<union> succ(z)"
+  unfolding Hfrc_at_fm_def
+  using assms arity_Hfrc_fm arity_empty_fm number1arity__fm pred_Un_distrib
+  by auto
+
+
+lemma Hfrc_at_fm_type[TC] :
+  "\<lbrakk>P\<in>nat;leq\<in>nat;fnnc\<in>nat;f\<in>nat;z\<in>nat\<rbrakk> \<Longrightarrow> Hfrc_at_fm(P,leq,fnnc,f,z)\<in>formula"
+  unfolding Hfrc_at_fm_def by simp
+
+lemma sats_Hfrc_at_fm:
+  assumes
+    "P\<in>nat" "leq\<in>nat" "fnnc\<in>nat" "f\<in>nat" "z\<in>nat" "env\<in>list(A)"
+  shows
+    "sats(A,Hfrc_at_fm(P,leq,fnnc,f,z),env)
+    \<longleftrightarrow> is_Hfrc_at(##A,nth(P, env), nth(leq, env), nth(fnnc, env),nth(f, env),nth(z, env))"
+  unfolding is_Hfrc_at_def Hfrc_at_fm_def using assms sats_Hfrc_fm
+  by simp
+
+lemma is_Hfrc_at_iff_sats:
+  assumes
+    "P\<in>nat" "leq\<in>nat" "fnnc\<in>nat" "f\<in>nat" "z\<in>nat" "env\<in>list(A)"
+    "nth(P,env) = PP"  "nth(leq,env) = lleq" "nth(fnnc,env) = ffnnc"
+    "nth(f,env) = ff" "nth(z,env) = zz"
+  shows
+    "is_Hfrc_at(##A, PP, lleq,ffnnc,ff,zz)
+    \<longleftrightarrow> sats(A,Hfrc_at_fm(P,leq,fnnc,f,z),env)"
+  using assms by (simp add:sats_Hfrc_at_fm)
+
+lemma arity_tran_closure_fm :
+  "\<lbrakk>x\<in>nat;f\<in>nat\<rbrakk> \<Longrightarrow> arity(trans_closure_fm(x,f)) = succ(x) \<union> succ(f)"
+  unfolding trans_closure_fm_def
+  using arity_omega_fm arity_field_fm arity_typed_function_fm arity_pair_fm arity_empty_fm arity_fun_apply_fm
+    arity_composition_fm arity_succ_fm nat_union_abs2 pred_Un_distrib 
+  by auto
+
+subsection\<open>The well-founded relation \<^term>\<open>forcerel\<close>\<close>
+definition
+  forcerel :: "i \<Rightarrow> i \<Rightarrow> i" where
+  "forcerel(P,x) \<equiv> frecrel(names_below(P,x))^+"
+
+definition
+  is_forcerel :: "[i\<Rightarrow>o,i,i,i] \<Rightarrow> o" where
+  "is_forcerel(M,P,x,z) \<equiv> \<exists>r[M]. \<exists>nb[M]. tran_closure(M,r,z) \<and>
+                        (is_names_below(M,P,x,nb) \<and> is_frecrel(M,nb,r))"
+
+definition
+  forcerel_fm :: "i\<Rightarrow> i \<Rightarrow> i \<Rightarrow> i" where
+  "forcerel_fm(p,x,z) \<equiv> Exists(Exists(And(trans_closure_fm(1, z#+2),
+                                        And(is_names_below_fm(p#+2,x#+2,0),frecrel_fm(0,1)))))"
+
+lemma arity_forcerel_fm:
+  "\<lbrakk>p\<in>nat;x\<in>nat;z\<in>nat\<rbrakk> \<Longrightarrow> arity(forcerel_fm(p,x,z)) = succ(p) \<union> succ(x) \<union> succ(z)"
+  unfolding forcerel_fm_def
+  using arity_frecrel_fm arity_tran_closure_fm arity_is_names_below_fm pred_Un_distrib
+  by auto
+
+lemma forcerel_fm_type[TC]:
+  "\<lbrakk>p\<in>nat;x\<in>nat;z\<in>nat\<rbrakk> \<Longrightarrow> forcerel_fm(p,x,z)\<in>formula"
+  unfolding forcerel_fm_def by simp
+
+
+lemma sats_forcerel_fm:
+  assumes
+    "p\<in>nat" "x\<in>nat"  "z\<in>nat" "env\<in>list(A)"
+  shows
+    "sats(A,forcerel_fm(p,x,z),env) \<longleftrightarrow> is_forcerel(##A,nth(p,env),nth(x, env),nth(z, env))"
+proof -
+  have "sats(A,trans_closure_fm(1,z #+ 2),Cons(nb,Cons(r,env))) \<longleftrightarrow>
+        tran_closure(##A, r, nth(z, env))" if "r\<in>A" "nb\<in>A" for r nb
+    using that assms trans_closure_fm_iff_sats[of 1 "[nb,r]@env" _ "z#+2",symmetric] by simp
+  moreover
+  have "sats(A, is_names_below_fm(succ(succ(p)), succ(succ(x)), 0), Cons(nb, Cons(r, env))) \<longleftrightarrow>
+        is_names_below(##A, nth(p,env), nth(x, env), nb)"
+    if "r\<in>A" "nb\<in>A" for nb r
+    using assms that sats_is_names_below_fm[of "p #+ 2" "x #+ 2" 0 "[nb,r]@env"] by simp
+  moreover
+  have "sats(A, frecrel_fm(0, 1), Cons(nb, Cons(r, env))) \<longleftrightarrow>
+        is_frecrel(##A, nb, r)"
+    if "r\<in>A" "nb\<in>A" for r nb
+    using assms that sats_frecrel_fm[of 0 1 "[nb,r]@env"] by simp
+  ultimately
+  show ?thesis using assms unfolding is_forcerel_def forcerel_fm_def by simp
+qed
+
+subsection\<open>\<^term>\<open>frc_at\<close>, forcing for atomic formulas\<close>
+definition
+  frc_at :: "[i,i,i] \<Rightarrow> i" where
+  "frc_at(P,leq,fnnc) \<equiv> wfrec(frecrel(names_below(P,fnnc)),fnnc,
+                              \<lambda>x f. bool_of_o(Hfrc(P,leq,x,f)))"
+
+definition
+  is_frc_at :: "[i\<Rightarrow>o,i,i,i,i] \<Rightarrow> o" where
+  "is_frc_at(M,P,leq,x,z) \<equiv> \<exists>r[M]. is_forcerel(M,P,x,r) \<and>
+                                    is_wfrec(M,is_Hfrc_at(M,P,leq),r,x,z)"
+
+definition
+  frc_at_fm :: "[i,i,i,i] \<Rightarrow> i" where
+  "frc_at_fm(p,l,x,z) \<equiv> Exists(And(forcerel_fm(succ(p),succ(x),0),
+          is_wfrec_fm(Hfrc_at_fm(6#+p,6#+l,2,1,0),0,succ(x),succ(z))))"
+
+lemma frc_at_fm_type [TC] :
+  "\<lbrakk>p\<in>nat;l\<in>nat;x\<in>nat;z\<in>nat\<rbrakk> \<Longrightarrow> frc_at_fm(p,l,x,z)\<in>formula"
+  unfolding frc_at_fm_def by simp
+
+lemma arity_frc_at_fm :
+  assumes "p\<in>nat" "l\<in>nat" "x\<in>nat" "z\<in>nat"
+  shows "arity(frc_at_fm(p,l,x,z)) = succ(p) \<union> succ(l) \<union> succ(x) \<union> succ(z)"
+proof -
+  let ?\<phi> = "Hfrc_at_fm(6 #+ p, 6 #+ l, 2, 1, 0)"
+  from assms
+  have  "arity(?\<phi>) = (7#+p) \<union> (7#+l)" "?\<phi> \<in> formula"
+    using arity_Hfrc_at_fm nat_simp_union
+    by auto
+  with assms
+  have W: "arity(is_wfrec_fm(?\<phi>, 0, succ(x), succ(z))) = 2#+p \<union> (2#+l) \<union> (2#+x) \<union> (2#+z)"
+    using arity_is_wfrec_fm[OF \<open>?\<phi>\<in>_\<close> _ _ _ _ \<open>arity(?\<phi>) = _\<close>] pred_Un_distrib pred_succ_eq
+      nat_union_abs1
+    by auto
+  from assms
+  have "arity(forcerel_fm(succ(p),succ(x),0)) = succ(succ(p)) \<union> succ(succ(x))"
+    using arity_forcerel_fm nat_simp_union
+    by auto
+  with W assms
+  show ?thesis
+    unfolding frc_at_fm_def
+    using arity_forcerel_fm pred_Un_distrib
+    by auto
+qed
+
+lemma sats_frc_at_fm :
+  assumes
+    "p\<in>nat" "l\<in>nat" "i\<in>nat" "j\<in>nat" "env\<in>list(A)" "i < length(env)" "j < length(env)"
+  shows
+    "sats(A,frc_at_fm(p,l,i,j),env) \<longleftrightarrow>
+     is_frc_at(##A,nth(p,env),nth(l,env),nth(i,env),nth(j,env))"
+proof -
+  {
+    fix r pp ll
+    assume "r\<in>A"
+    have 0:"is_Hfrc_at(##A,nth(p,env),nth(l,env),a2, a1, a0) \<longleftrightarrow>
+         sats(A, Hfrc_at_fm(6#+p,6#+l,2,1,0), [a0,a1,a2,a3,a4,r]@env)"
+      if "a0\<in>A" "a1\<in>A" "a2\<in>A" "a3\<in>A" "a4\<in>A" for a0 a1 a2 a3 a4
+      using  that assms \<open>r\<in>A\<close>
+        is_Hfrc_at_iff_sats[of "6#+p" "6#+l" 2 1 0 "[a0,a1,a2,a3,a4,r]@env" A]  by simp
+    have "sats(A,is_wfrec_fm(Hfrc_at_fm(6 #+ p, 6 #+ l, 2, 1, 0), 0, succ(i), succ(j)),[r]@env) \<longleftrightarrow>
+         is_wfrec(##A, is_Hfrc_at(##A, nth(p,env), nth(l,env)), r,nth(i, env), nth(j, env))"
+      using assms \<open>r\<in>A\<close>
+        sats_is_wfrec_fm[OF 0[simplified]]
+      by simp
+  }
+  moreover
+  have "sats(A, forcerel_fm(succ(p), succ(i), 0), Cons(r, env)) \<longleftrightarrow>
+        is_forcerel(##A,nth(p,env),nth(i,env),r)" if "r\<in>A" for r
+    using assms sats_forcerel_fm that by simp
+  ultimately
+  show ?thesis unfolding is_frc_at_def frc_at_fm_def
+    using assms by simp
+qed
+
+definition
+  forces_eq' :: "[i,i,i,i,i] \<Rightarrow> o" where
+  "forces_eq'(P,l,p,t1,t2) \<equiv> frc_at(P,l,\<langle>0,t1,t2,p\<rangle>) = 1"
+
+definition
+  forces_mem' :: "[i,i,i,i,i] \<Rightarrow> o" where
+  "forces_mem'(P,l,p,t1,t2) \<equiv> frc_at(P,l,\<langle>1,t1,t2,p\<rangle>) = 1"
+
+definition
+  forces_neq' :: "[i,i,i,i,i] \<Rightarrow> o" where
+  "forces_neq'(P,l,p,t1,t2) \<equiv> \<not> (\<exists>q\<in>P. \<langle>q,p\<rangle>\<in>l \<and> forces_eq'(P,l,q,t1,t2))"
+
+definition
+  forces_nmem' :: "[i,i,i,i,i] \<Rightarrow> o" where
+  "forces_nmem'(P,l,p,t1,t2) \<equiv> \<not> (\<exists>q\<in>P. \<langle>q,p\<rangle>\<in>l \<and> forces_mem'(P,l,q,t1,t2))"
+
+definition
+  is_forces_eq' :: "[i\<Rightarrow>o,i,i,i,i,i] \<Rightarrow> o" where
+  "is_forces_eq'(M,P,l,p,t1,t2) \<equiv> \<exists>o[M]. \<exists>z[M]. \<exists>t[M]. number1(M,o) \<and> empty(M,z) \<and>
+                                is_tuple(M,z,t1,t2,p,t) \<and> is_frc_at(M,P,l,t,o)"
+
+definition
+  is_forces_mem' :: "[i\<Rightarrow>o,i,i,i,i,i] \<Rightarrow> o" where
+  "is_forces_mem'(M,P,l,p,t1,t2) \<equiv> \<exists>o[M]. \<exists>t[M]. number1(M,o) \<and>
+                                is_tuple(M,o,t1,t2,p,t) \<and> is_frc_at(M,P,l,t,o)"
+
+definition
+  is_forces_neq' :: "[i\<Rightarrow>o,i,i,i,i,i] \<Rightarrow> o" where
+  "is_forces_neq'(M,P,l,p,t1,t2) \<equiv>
+      \<not> (\<exists>q[M]. q\<in>P \<and> (\<exists>qp[M]. pair(M,q,p,qp) \<and> qp\<in>l \<and> is_forces_eq'(M,P,l,q,t1,t2)))"
+
+definition
+  is_forces_nmem' :: "[i\<Rightarrow>o,i,i,i,i,i] \<Rightarrow> o" where
+  "is_forces_nmem'(M,P,l,p,t1,t2) \<equiv>
+      \<not> (\<exists>q[M]. \<exists>qp[M]. q\<in>P \<and> pair(M,q,p,qp) \<and> qp\<in>l \<and> is_forces_mem'(M,P,l,q,t1,t2))"
+
+definition
+  forces_eq_fm :: "[i,i,i,i,i] \<Rightarrow> i" where
+  "forces_eq_fm(p,l,q,t1,t2) \<equiv>
+     Exists(Exists(Exists(And(number1_fm(2),And(empty_fm(1),
+              And(is_tuple_fm(1,t1#+3,t2#+3,q#+3,0),frc_at_fm(p#+3,l#+3,0,2) ))))))"
+
+definition
+  forces_mem_fm :: "[i,i,i,i,i] \<Rightarrow> i" where
+  "forces_mem_fm(p,l,q,t1,t2) \<equiv> Exists(Exists(And(number1_fm(1),
+                          And(is_tuple_fm(1,t1#+2,t2#+2,q#+2,0),frc_at_fm(p#+2,l#+2,0,1)))))"
+
+definition
+  forces_neq_fm :: "[i,i,i,i,i] \<Rightarrow> i" where
+  "forces_neq_fm(p,l,q,t1,t2) \<equiv> Neg(Exists(Exists(And(Member(1,p#+2),
+     And(pair_fm(1,q#+2,0),And(Member(0,l#+2),forces_eq_fm(p#+2,l#+2,1,t1#+2,t2#+2)))))))"
+
+definition
+  forces_nmem_fm :: "[i,i,i,i,i] \<Rightarrow> i" where
+  "forces_nmem_fm(p,l,q,t1,t2) \<equiv> Neg(Exists(Exists(And(Member(1,p#+2),
+     And(pair_fm(1,q#+2,0),And(Member(0,l#+2),forces_mem_fm(p#+2,l#+2,1,t1#+2,t2#+2)))))))"
+
+
+lemma forces_eq_fm_type [TC]:
+  "\<lbrakk> p\<in>nat;l\<in>nat;q\<in>nat;t1\<in>nat;t2\<in>nat\<rbrakk> \<Longrightarrow> forces_eq_fm(p,l,q,t1,t2) \<in> formula"
+  unfolding forces_eq_fm_def
+  by simp
+
+lemma forces_mem_fm_type [TC]:
+  "\<lbrakk> p\<in>nat;l\<in>nat;q\<in>nat;t1\<in>nat;t2\<in>nat\<rbrakk> \<Longrightarrow> forces_mem_fm(p,l,q,t1,t2) \<in> formula"
+  unfolding forces_mem_fm_def
+  by simp
+
+lemma forces_neq_fm_type [TC]:
+  "\<lbrakk> p\<in>nat;l\<in>nat;q\<in>nat;t1\<in>nat;t2\<in>nat\<rbrakk> \<Longrightarrow> forces_neq_fm(p,l,q,t1,t2) \<in> formula"
+  unfolding forces_neq_fm_def
+  by simp
+
+lemma forces_nmem_fm_type [TC]:
+  "\<lbrakk> p\<in>nat;l\<in>nat;q\<in>nat;t1\<in>nat;t2\<in>nat\<rbrakk> \<Longrightarrow> forces_nmem_fm(p,l,q,t1,t2) \<in> formula"
+  unfolding forces_nmem_fm_def
+  by simp
+
+lemma arity_forces_eq_fm :
+  "p\<in>nat \<Longrightarrow> l\<in>nat \<Longrightarrow> q\<in>nat \<Longrightarrow> t1 \<in> nat \<Longrightarrow> t2 \<in> nat \<Longrightarrow>
+   arity(forces_eq_fm(p,l,q,t1,t2)) = succ(t1) \<union> succ(t2) \<union> succ(q) \<union> succ(p) \<union> succ(l)"
+  unfolding forces_eq_fm_def
+  using number1arity__fm arity_empty_fm arity_is_tuple_fm arity_frc_at_fm
+    pred_Un_distrib
+  by auto
+
+lemma arity_forces_mem_fm :
+  "p\<in>nat \<Longrightarrow> l\<in>nat \<Longrightarrow> q\<in>nat \<Longrightarrow> t1 \<in> nat \<Longrightarrow> t2 \<in> nat \<Longrightarrow>
+   arity(forces_mem_fm(p,l,q,t1,t2)) = succ(t1) \<union> succ(t2) \<union> succ(q) \<union> succ(p) \<union> succ(l)"
+  unfolding forces_mem_fm_def
+  using number1arity__fm arity_empty_fm arity_is_tuple_fm arity_frc_at_fm
+    pred_Un_distrib
+  by auto
+
+lemma sats_forces_eq'_fm:
+  assumes  "p\<in>nat" "l\<in>nat" "q\<in>nat" "t1\<in>nat" "t2\<in>nat"  "env\<in>list(M)"
+  shows "sats(M,forces_eq_fm(p,l,q,t1,t2),env) \<longleftrightarrow>
+         is_forces_eq'(##M,nth(p,env),nth(l,env),nth(q,env),nth(t1,env),nth(t2,env))"
+  unfolding forces_eq_fm_def is_forces_eq'_def using assms sats_is_tuple_fm  sats_frc_at_fm
+  by simp
+
+lemma sats_forces_mem'_fm:
+  assumes  "p\<in>nat" "l\<in>nat" "q\<in>nat" "t1\<in>nat" "t2\<in>nat"  "env\<in>list(M)"
+  shows "sats(M,forces_mem_fm(p,l,q,t1,t2),env) \<longleftrightarrow>
+             is_forces_mem'(##M,nth(p,env),nth(l,env),nth(q,env),nth(t1,env),nth(t2,env))"
+  unfolding forces_mem_fm_def is_forces_mem'_def using assms sats_is_tuple_fm sats_frc_at_fm
+  by simp
+
+lemma sats_forces_neq'_fm:
+  assumes  "p\<in>nat" "l\<in>nat" "q\<in>nat" "t1\<in>nat" "t2\<in>nat"  "env\<in>list(M)"
+  shows "sats(M,forces_neq_fm(p,l,q,t1,t2),env) \<longleftrightarrow>
+             is_forces_neq'(##M,nth(p,env),nth(l,env),nth(q,env),nth(t1,env),nth(t2,env))"
+  unfolding forces_neq_fm_def is_forces_neq'_def
+  using assms sats_forces_eq'_fm sats_is_tuple_fm sats_frc_at_fm
+  by simp
+
+lemma sats_forces_nmem'_fm:
+  assumes  "p\<in>nat" "l\<in>nat" "q\<in>nat" "t1\<in>nat" "t2\<in>nat"  "env\<in>list(M)"
+  shows "sats(M,forces_nmem_fm(p,l,q,t1,t2),env) \<longleftrightarrow>
+             is_forces_nmem'(##M,nth(p,env),nth(l,env),nth(q,env),nth(t1,env),nth(t2,env))"
+  unfolding forces_nmem_fm_def is_forces_nmem'_def
+  using assms sats_forces_mem'_fm sats_is_tuple_fm sats_frc_at_fm
+  by simp
+
+context forcing_data
+begin
+
+(* Absoluteness of components *)
+lemma fst_abs [simp]:
+  "\<lbrakk>x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> is_fst(##M,x,y) \<longleftrightarrow> y = fst(x)"
+  unfolding fst_def is_fst_def using pair_in_M_iff zero_in_M
+  by (auto;rule_tac the_0 the_0[symmetric],auto)
+
+lemma snd_abs [simp]:
+  "\<lbrakk>x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> is_snd(##M,x,y) \<longleftrightarrow> y = snd(x)"
+  unfolding snd_def is_snd_def using pair_in_M_iff zero_in_M
+  by (auto;rule_tac the_0 the_0[symmetric],auto)
+
+lemma ftype_abs[simp] :
+  "\<lbrakk>x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> is_ftype(##M,x,y) \<longleftrightarrow> y = ftype(x)" unfolding ftype_def  is_ftype_def by simp
+
+lemma name1_abs[simp] :
+  "\<lbrakk>x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> is_name1(##M,x,y) \<longleftrightarrow> y = name1(x)"
+  unfolding name1_def is_name1_def
+  by (rule hcomp_abs[OF fst_abs];simp_all add:fst_snd_closed)
+
+lemma snd_snd_abs:
+  "\<lbrakk>x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> is_snd_snd(##M,x,y) \<longleftrightarrow> y = snd(snd(x))"
+  unfolding is_snd_snd_def
+  by (rule hcomp_abs[OF snd_abs];simp_all add:fst_snd_closed)
+
+lemma name2_abs[simp]:
+  "\<lbrakk>x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> is_name2(##M,x,y) \<longleftrightarrow> y = name2(x)"
+  unfolding name2_def is_name2_def
+  by (rule hcomp_abs[OF fst_abs snd_snd_abs];simp_all add:fst_snd_closed)
+
+lemma cond_of_abs[simp]:
+  "\<lbrakk>x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> is_cond_of(##M,x,y) \<longleftrightarrow> y = cond_of(x)"
+  unfolding cond_of_def is_cond_of_def
+  by (rule hcomp_abs[OF snd_abs snd_snd_abs];simp_all add:fst_snd_closed)
+
+lemma tuple_abs[simp]:
+  "\<lbrakk>z\<in>M;t1\<in>M;t2\<in>M;p\<in>M;t\<in>M\<rbrakk> \<Longrightarrow>
+   is_tuple(##M,z,t1,t2,p,t) \<longleftrightarrow> t = \<langle>z,t1,t2,p\<rangle>"
+  unfolding is_tuple_def using tuples_in_M by simp
+
+lemma oneN_in_M[simp]: "1\<in>M"
+  by (simp flip: setclass_iff)
+
+lemma twoN_in_M : "2\<in>M"
+  by (simp flip: setclass_iff)
+
+lemma comp_in_M:
+  "p \<preceq> q \<Longrightarrow> p\<in>M"
+  "p \<preceq> q \<Longrightarrow> q\<in>M"
+  using leq_in_M transitivity[of _ leq] pair_in_M_iff by auto
+
+(* Absoluteness of Hfrc *)
+
+lemma eq_case_abs [simp]:
+  assumes
+    "t1\<in>M" "t2\<in>M" "p\<in>M" "f\<in>M"
+  shows
+    "is_eq_case(##M,t1,t2,p,P,leq,f) \<longleftrightarrow> eq_case(t1,t2,p,P,leq,f)"
+proof -
+  have "q \<preceq> p \<Longrightarrow> q\<in>M" for q
+    using comp_in_M by simp
+  moreover
+  have "\<langle>s,y\<rangle>\<in>t \<Longrightarrow> s\<in>domain(t)" if "t\<in>M" for s y t
+    using that unfolding domain_def by auto
+  ultimately
+  have
+    "(\<forall>s\<in>M. s \<in> domain(t1) \<or> s \<in> domain(t2) \<longrightarrow> (\<forall>q\<in>M. q\<in>P \<and> q \<preceq> p \<longrightarrow>
+                              (f ` \<langle>1, s, t1, q\<rangle> =1 \<longleftrightarrow> f ` \<langle>1, s, t2, q\<rangle>=1))) \<longleftrightarrow>
+    (\<forall>s. s \<in> domain(t1) \<or> s \<in> domain(t2) \<longrightarrow> (\<forall>q. q\<in>P \<and> q \<preceq> p \<longrightarrow>
+                                  (f ` \<langle>1, s, t1, q\<rangle> =1 \<longleftrightarrow> f ` \<langle>1, s, t2, q\<rangle>=1)))"
+    using assms domain_trans[OF trans_M,of t1]
+      domain_trans[OF trans_M,of t2] by auto
+  then show ?thesis
+    unfolding eq_case_def is_eq_case_def
+    using assms pair_in_M_iff n_in_M[of 1] domain_closed tuples_in_M
+      apply_closed leq_in_M
+    by simp
+qed
+
+lemma mem_case_abs [simp]:
+  assumes
+    "t1\<in>M" "t2\<in>M" "p\<in>M" "f\<in>M"
+  shows
+    "is_mem_case(##M,t1,t2,p,P,leq,f) \<longleftrightarrow> mem_case(t1,t2,p,P,leq,f)"
+proof
+  {
+    fix v
+    assume "v\<in>P" "v \<preceq> p" "is_mem_case(##M,t1,t2,p,P,leq,f)"
+    moreover
+    from this
+    have "v\<in>M" "\<langle>v,p\<rangle> \<in> M" "(##M)(v)"
+      using transitivity[OF _ P_in_M,of v] transitivity[OF _ leq_in_M]
+      by simp_all
+    moreover
+    from calculation assms
+    obtain q r s where
+      "r \<in> P \<and> q \<in> P \<and> \<langle>q, v\<rangle> \<in> M \<and> \<langle>s, r\<rangle> \<in> M \<and> \<langle>q, r\<rangle> \<in> M \<and> 0 \<in> M \<and>
+       \<langle>0, t1, s, q\<rangle> \<in> M \<and> q \<preceq> v \<and> \<langle>s, r\<rangle> \<in> t2 \<and> q \<preceq> r \<and> f ` \<langle>0, t1, s, q\<rangle> = 1"
+      unfolding is_mem_case_def by auto
+    then
+    have "\<exists>q s r. r \<in> P \<and> q \<in> P \<and> q \<preceq> v \<and> \<langle>s, r\<rangle> \<in> t2 \<and> q \<preceq> r \<and> f ` \<langle>0, t1, s, q\<rangle> = 1"
+      by auto
+  }
+  then
+  show "mem_case(t1, t2, p, P, leq, f)" if "is_mem_case(##M, t1, t2, p, P, leq, f)"
+    unfolding mem_case_def using that assms by auto
+next
+  { fix v
+    assume "v \<in> M" "v \<in> P" "\<langle>v, p\<rangle> \<in> M" "v \<preceq> p" "mem_case(t1, t2, p, P, leq, f)"
+    moreover
+    from this
+    obtain q s r where "r \<in> P \<and> q \<in> P \<and> q \<preceq> v \<and> \<langle>s, r\<rangle> \<in> t2 \<and> q \<preceq> r \<and> f ` \<langle>0, t1, s, q\<rangle> = 1"
+      unfolding mem_case_def by auto
+    moreover
+    from this \<open>t2\<in>M\<close>
+    have "r\<in>M" "q\<in>M" "s\<in>M" "r \<in> P \<and> q \<in> P \<and> q \<preceq> v \<and> \<langle>s, r\<rangle> \<in> t2 \<and> q \<preceq> r \<and> f ` \<langle>0, t1, s, q\<rangle> = 1"
+      using transitivity P_in_M domain_closed[of t2] by auto
+    moreover
+    note \<open>t1\<in>M\<close>
+    ultimately
+    have "\<exists>q\<in>M . \<exists>s\<in>M. \<exists>r\<in>M.
+         r \<in> P \<and> q \<in> P \<and> \<langle>q, v\<rangle> \<in> M \<and> \<langle>s, r\<rangle> \<in> M \<and> \<langle>q, r\<rangle> \<in> M \<and> 0 \<in> M \<and>
+         \<langle>0, t1, s, q\<rangle> \<in> M \<and> q \<preceq> v \<and> \<langle>s, r\<rangle> \<in> t2 \<and> q \<preceq> r \<and> f ` \<langle>0, t1, s, q\<rangle> = 1"
+      using tuples_in_M zero_in_M by auto
+  }
+  then
+  show "is_mem_case(##M, t1, t2, p, P, leq, f)" if "mem_case(t1, t2, p, P, leq, f)"
+    unfolding is_mem_case_def using assms that by auto
+qed
+
+
+lemma Hfrc_abs:
+  "\<lbrakk>fnnc\<in>M; f\<in>M\<rbrakk> \<Longrightarrow>
+   is_Hfrc(##M,P,leq,fnnc,f) \<longleftrightarrow> Hfrc(P,leq,fnnc,f)"
+  unfolding is_Hfrc_def Hfrc_def using pair_in_M_iff
+  by auto
+
+lemma Hfrc_at_abs:
+  "\<lbrakk>fnnc\<in>M; f\<in>M ; z\<in>M\<rbrakk> \<Longrightarrow>
+   is_Hfrc_at(##M,P,leq,fnnc,f,z) \<longleftrightarrow>  z = bool_of_o(Hfrc(P,leq,fnnc,f)) "
+  unfolding is_Hfrc_at_def using Hfrc_abs
+  by auto
+
+lemma components_closed :
+  "x\<in>M \<Longrightarrow> ftype(x)\<in>M"
+  "x\<in>M \<Longrightarrow> name1(x)\<in>M"
+  "x\<in>M \<Longrightarrow> name2(x)\<in>M"
+  "x\<in>M \<Longrightarrow> cond_of(x)\<in>M"
+  unfolding ftype_def name1_def name2_def cond_of_def using fst_snd_closed by simp_all
+
+lemma ecloseN_closed:
+  "(##M)(A) \<Longrightarrow> (##M)(ecloseN(A))"
+  "(##M)(A) \<Longrightarrow> (##M)(eclose_n(name1,A))"
+  "(##M)(A) \<Longrightarrow> (##M)(eclose_n(name2,A))"
+  unfolding ecloseN_def eclose_n_def
+  using components_closed eclose_closed singletonM Un_closed by auto
+
+lemma is_eclose_n_abs :
+  assumes "x\<in>M" "ec\<in>M"
+  shows "is_eclose_n(##M,is_name1,ec,x) \<longleftrightarrow> ec = eclose_n(name1,x)"
+    "is_eclose_n(##M,is_name2,ec,x) \<longleftrightarrow> ec = eclose_n(name2,x)"
+  unfolding is_eclose_n_def eclose_n_def
+  using assms name1_abs name2_abs eclose_abs singletonM components_closed
+  by auto
+
+
+lemma is_ecloseN_abs :
+  "\<lbrakk>x\<in>M;ec\<in>M\<rbrakk> \<Longrightarrow> is_ecloseN(##M,ec,x) \<longleftrightarrow> ec = ecloseN(x)"
+  unfolding is_ecloseN_def ecloseN_def
+  using is_eclose_n_abs Un_closed union_abs ecloseN_closed
+  by auto
+
+lemma frecR_abs :
+  "x\<in>M \<Longrightarrow> y\<in>M \<Longrightarrow> frecR(x,y) \<longleftrightarrow> is_frecR(##M,x,y)"
+  unfolding frecR_def is_frecR_def using components_closed domain_closed by simp
+
+lemma frecrelP_abs :
+  "z\<in>M \<Longrightarrow> frecrelP(##M,z) \<longleftrightarrow> (\<exists>x y. z = \<langle>x,y\<rangle> \<and> frecR(x,y))"
+  using pair_in_M_iff frecR_abs unfolding frecrelP_def by auto
+
+lemma frecrel_abs:
+  assumes
+    "A\<in>M" "r\<in>M"
+  shows
+    "is_frecrel(##M,A,r) \<longleftrightarrow>  r = frecrel(A)"
+proof -
+  from \<open>A\<in>M\<close>
+  have "z\<in>M" if "z\<in>A\<times>A" for z
+    using cartprod_closed transitivity that by simp
+  then
+  have "Collect(A\<times>A,frecrelP(##M)) = Collect(A\<times>A,\<lambda>z. (\<exists>x y. z = \<langle>x,y\<rangle> \<and> frecR(x,y)))"
+    using Collect_cong[of "A\<times>A" "A\<times>A" "frecrelP(##M)"] assms frecrelP_abs by simp
+  with assms
+  show ?thesis unfolding is_frecrel_def def_frecrel using cartprod_closed
+    by simp
+qed
+
+lemma frecrel_closed:
+  assumes
+    "x\<in>M"
+  shows
+    "frecrel(x)\<in>M"
+proof -
+  have "Collect(x\<times>x,\<lambda>z. (\<exists>x y. z = \<langle>x,y\<rangle> \<and> frecR(x,y)))\<in>M"
+    using Collect_in_M_0p[of "frecrelP_fm(0)"] arity_frecrelP_fm sats_frecrelP_fm
+      frecrelP_abs \<open>x\<in>M\<close> cartprod_closed by simp
+  then show ?thesis
+    unfolding frecrel_def Rrel_def frecrelP_def by simp
+qed
+
+lemma field_frecrel : "field(frecrel(names_below(P,x))) \<subseteq> names_below(P,x)"
+  unfolding frecrel_def
+  using field_Rrel by simp
+
+lemma forcerelD : "uv \<in> forcerel(P,x) \<Longrightarrow> uv\<in> names_below(P,x) \<times> names_below(P,x)"
+  unfolding forcerel_def
+  using trancl_type field_frecrel by blast
+
+lemma wf_forcerel :
+  "wf(forcerel(P,x))"
+  unfolding forcerel_def using wf_trancl wf_frecrel .
+
+lemma restrict_trancl_forcerel:
+  assumes "frecR(w,y)"
+  shows "restrict(f,frecrel(names_below(P,x))-``{y})`w
+       = restrict(f,forcerel(P,x)-``{y})`w"
+  unfolding forcerel_def frecrel_def using assms restrict_trancl_Rrel[of frecR]
+  by simp
+
+lemma names_belowI :
+  assumes "frecR(\<langle>ft,n1,n2,p\<rangle>,\<langle>a,b,c,d\<rangle>)" "p\<in>P"
+  shows "\<langle>ft,n1,n2,p\<rangle> \<in> names_below(P,\<langle>a,b,c,d\<rangle>)" (is "?x \<in> names_below(_,?y)")
+proof -
+  from assms
+  have "ft \<in> 2" "a \<in> 2"
+    unfolding frecR_def by (auto simp add:components_simp)
+  from assms
+  consider (e) "n1 \<in> domain(b) \<union> domain(c) \<and> (n2 = b \<or> n2 =c)"
+    | (m) "n1 = b \<and> n2 \<in> domain(c)"
+    unfolding frecR_def by (auto simp add:components_simp)
+  then show ?thesis
+  proof cases
+    case e
+    then
+    have "n1 \<in> eclose(b) \<or> n1 \<in> eclose(c)"
+      using Un_iff in_dom_in_eclose by auto
+    with e
+    have "n1 \<in> ecloseN(?y)" "n2 \<in> ecloseN(?y)"
+      using ecloseNI components_in_eclose by auto
+    with \<open>ft\<in>2\<close> \<open>p\<in>P\<close>
+    show ?thesis unfolding names_below_def by  auto
+  next
+    case m
+    then
+    have "n1 \<in> ecloseN(?y)" "n2 \<in> ecloseN(?y)"
+      using mem_eclose_trans  ecloseNI
+        in_dom_in_eclose components_in_eclose by auto
+    with \<open>ft\<in>2\<close> \<open>p\<in>P\<close>
+    show ?thesis unfolding names_below_def
+      by auto
+  qed
+qed
+
+lemma names_below_tr :
+  assumes "x\<in> names_below(P,y)"
+    "y\<in> names_below(P,z)"
+  shows "x\<in> names_below(P,z)"
+proof -
+  let ?A="\<lambda>y . names_below(P,y)"
+  from assms
+  obtain fx x1 x2 px where
+    "x = \<langle>fx,x1,x2,px\<rangle>" "fx\<in>2" "x1\<in>ecloseN(y)" "x2\<in>ecloseN(y)" "px\<in>P"
+    unfolding names_below_def by auto
+  from assms
+  obtain fy y1 y2 py where
+    "y = \<langle>fy,y1,y2,py\<rangle>" "fy\<in>2" "y1\<in>ecloseN(z)" "y2\<in>ecloseN(z)" "py\<in>P"
+    unfolding names_below_def by auto
+  from \<open>x1\<in>_\<close> \<open>x2\<in>_\<close> \<open>y1\<in>_\<close> \<open>y2\<in>_\<close> \<open>x=_\<close> \<open>y=_\<close>
+  have "x1\<in>ecloseN(z)" "x2\<in>ecloseN(z)"
+    using ecloseN_mono names_simp by auto
+  with \<open>fx\<in>2\<close> \<open>px\<in>P\<close> \<open>x=_\<close>
+  have "x\<in>?A(z)"
+    unfolding names_below_def by simp
+  then show ?thesis using subsetI by simp
+qed
+
+lemma arg_into_names_below2 :
+  assumes "\<langle>x,y\<rangle> \<in> frecrel(names_below(P,z))"
+  shows  "x \<in> names_below(P,y)"
+proof -
+  {
+    from assms
+    have "x\<in>names_below(P,z)" "y\<in>names_below(P,z)" "frecR(x,y)"
+      unfolding frecrel_def Rrel_def
+      by auto
+    obtain f n1 n2 p where
+      "x = \<langle>f,n1,n2,p\<rangle>" "f\<in>2" "n1\<in>ecloseN(z)" "n2\<in>ecloseN(z)" "p\<in>P"
+      using \<open>x\<in>names_below(P,z)\<close>
+      unfolding names_below_def by auto
+    moreover
+    obtain fy m1 m2 q where
+      "q\<in>P" "y = \<langle>fy,m1,m2,q\<rangle>"
+      using \<open>y\<in>names_below(P,z)\<close>
+      unfolding names_below_def by auto
+    moreover
+    note \<open>frecR(x,y)\<close>
+    ultimately
+    have "x\<in>names_below(P,y)" using names_belowI by simp
+  }
+  then show ?thesis .
+qed
+
+lemma arg_into_names_below :
+  assumes "\<langle>x,y\<rangle> \<in> frecrel(names_below(P,z))"
+  shows  "x \<in> names_below(P,x)"
+proof -
+  {
+    from assms
+    have "x\<in>names_below(P,z)"
+      unfolding frecrel_def Rrel_def
+      by auto
+    from \<open>x\<in>names_below(P,z)\<close>
+    obtain f n1 n2 p where
+      "x = \<langle>f,n1,n2,p\<rangle>" "f\<in>2" "n1\<in>ecloseN(z)" "n2\<in>ecloseN(z)" "p\<in>P"
+      unfolding names_below_def by auto
+    then
+    have "n1\<in>ecloseN(x)" "n2\<in>ecloseN(x)"
+      using components_in_eclose by simp_all
+    with \<open>f\<in>2\<close> \<open>p\<in>P\<close> \<open>x = \<langle>f,n1,n2,p\<rangle>\<close>
+    have "x\<in>names_below(P,x)"
+      unfolding names_below_def by simp
+  }
+  then show ?thesis .
+qed
+
+lemma forcerel_arg_into_names_below :
+  assumes "\<langle>x,y\<rangle> \<in> forcerel(P,z)"
+  shows  "x \<in> names_below(P,x)"
+  using assms
+  unfolding forcerel_def
+  by(rule trancl_induct;auto simp add: arg_into_names_below)
+
+lemma names_below_mono :
+  assumes "\<langle>x,y\<rangle> \<in> frecrel(names_below(P,z))"
+  shows "names_below(P,x) \<subseteq> names_below(P,y)"
+proof -
+  from assms
+  have "x\<in>names_below(P,y)"
+    using arg_into_names_below2 by simp
+  then
+  show ?thesis
+    using names_below_tr subsetI by simp
+qed
+
+lemma frecrel_mono :
+  assumes "\<langle>x,y\<rangle> \<in> frecrel(names_below(P,z))"
+  shows "frecrel(names_below(P,x)) \<subseteq> frecrel(names_below(P,y))"
+  unfolding frecrel_def
+  using Rrel_mono names_below_mono assms by simp
+
+lemma forcerel_mono2 :
+  assumes "\<langle>x,y\<rangle> \<in> frecrel(names_below(P,z))"
+  shows "forcerel(P,x) \<subseteq> forcerel(P,y)"
+  unfolding forcerel_def
+  using trancl_mono frecrel_mono assms by simp
+
+lemma forcerel_mono_aux :
+  assumes "\<langle>x,y\<rangle> \<in> frecrel(names_below(P, w))^+"
+  shows "forcerel(P,x) \<subseteq> forcerel(P,y)"
+  using assms
+  by (rule trancl_induct,simp_all add: subset_trans forcerel_mono2)
+
+lemma forcerel_mono :
+  assumes "\<langle>x,y\<rangle> \<in> forcerel(P,z)"
+  shows "forcerel(P,x) \<subseteq> forcerel(P,y)"
+  using forcerel_mono_aux assms unfolding forcerel_def by simp
+
+lemma aux: "x \<in> names_below(P, w) \<Longrightarrow> \<langle>x,y\<rangle> \<in> forcerel(P,z) \<Longrightarrow>
+  (y \<in> names_below(P, w) \<longrightarrow> \<langle>x,y\<rangle> \<in> forcerel(P,w))"
+  unfolding forcerel_def
+proof(rule_tac a=x and b=y and P="\<lambda> y . y \<in> names_below(P, w) \<longrightarrow> \<langle>x,y\<rangle> \<in> frecrel(names_below(P,w))^+" in trancl_induct,simp)
+  let ?A="\<lambda> a . names_below(P, a)"
+  let ?R="\<lambda> a . frecrel(?A(a))"
+  let ?fR="\<lambda> a .forcerel(a)"
+  show "u\<in>?A(w) \<longrightarrow> \<langle>x,u\<rangle>\<in>?R(w)^+" if "x\<in>?A(w)" "\<langle>x,y\<rangle>\<in>?R(z)^+" "\<langle>x,u\<rangle>\<in>?R(z)"  for  u
+    using that frecrelD frecrelI r_into_trancl unfolding names_below_def by simp
+  {
+    fix u v
+    assume "x \<in> ?A(w)"
+      "\<langle>x, y\<rangle> \<in> ?R(z)^+"
+      "\<langle>x, u\<rangle> \<in> ?R(z)^+"
+      "\<langle>u, v\<rangle> \<in> ?R(z)"
+      "u \<in> ?A(w) \<Longrightarrow> \<langle>x, u\<rangle> \<in> ?R(w)^+"
+    then
+    have "v \<in> ?A(w) \<Longrightarrow> \<langle>x, v\<rangle> \<in> ?R(w)^+"
+    proof -
+      assume "v \<in>?A(w)"
+      from \<open>\<langle>u,v\<rangle>\<in>_\<close>
+      have "u\<in>?A(v)"
+        using arg_into_names_below2 by simp
+      with \<open>v \<in>?A(w)\<close>
+      have "u\<in>?A(w)"
+        using names_below_tr by simp
+      with \<open>v\<in>_\<close> \<open>\<langle>u,v\<rangle>\<in>_\<close>
+      have "\<langle>u,v\<rangle>\<in> ?R(w)"
+        using frecrelD frecrelI r_into_trancl unfolding names_below_def by simp
+      with \<open>u \<in> ?A(w) \<Longrightarrow> \<langle>x, u\<rangle> \<in> ?R(w)^+\<close> \<open>u\<in>?A(w)\<close>
+      have "\<langle>x, u\<rangle> \<in> ?R(w)^+" by simp
+      with \<open>\<langle>u,v\<rangle>\<in> ?R(w)\<close>
+      show "\<langle>x,v\<rangle>\<in> ?R(w)^+" using trancl_trans r_into_trancl
+        by simp
+    qed
+  }
+  then show "v \<in> ?A(w) \<longrightarrow> \<langle>x, v\<rangle> \<in> ?R(w)^+"
+    if "x \<in> ?A(w)"
+      "\<langle>x, y\<rangle> \<in> ?R(z)^+"
+      "\<langle>x, u\<rangle> \<in> ?R(z)^+"
+      "\<langle>u, v\<rangle> \<in> ?R(z)"
+      "u \<in> ?A(w) \<longrightarrow> \<langle>x, u\<rangle> \<in> ?R(w)^+" for u v
+    using that by simp
+qed
+
+lemma forcerel_eq :
+  assumes "\<langle>z,x\<rangle> \<in> forcerel(P,x)"
+  shows "forcerel(P,z) = forcerel(P,x) \<inter> names_below(P,z)\<times>names_below(P,z)"
+  using assms aux forcerelD forcerel_mono[of z x x] subsetI
+  by auto
+
+lemma forcerel_below_aux :
+  assumes "\<langle>z,x\<rangle> \<in> forcerel(P,x)" "\<langle>u,z\<rangle> \<in> forcerel(P,x)"
+  shows "u \<in> names_below(P,z)"
+  using assms(2)
+  unfolding forcerel_def
+proof(rule trancl_induct)
+  show  "u \<in> names_below(P,y)" if " \<langle>u, y\<rangle> \<in> frecrel(names_below(P, x))" for y
+    using that vimage_singleton_iff arg_into_names_below2 by simp
+next
+  show "u \<in> names_below(P,z)"
+    if "\<langle>u, y\<rangle> \<in> frecrel(names_below(P, x))^+"
+      "\<langle>y, z\<rangle> \<in> frecrel(names_below(P, x))"
+      "u \<in> names_below(P, y)"
+    for y z
+    using that arg_into_names_below2[of y z x] names_below_tr by simp
+qed
+
+lemma forcerel_below :
+  assumes "\<langle>z,x\<rangle> \<in> forcerel(P,x)"
+  shows "forcerel(P,x) -`` {z} \<subseteq> names_below(P,z)"
+  using vimage_singleton_iff assms forcerel_below_aux by auto
+
+lemma relation_forcerel :
+  shows "relation(forcerel(P,z))" "trans(forcerel(P,z))"
+  unfolding forcerel_def using relation_trancl trans_trancl by simp_all
+
+lemma Hfrc_restrict_trancl: "bool_of_o(Hfrc(P, leq, y, restrict(f,frecrel(names_below(P,x))-``{y})))
+         = bool_of_o(Hfrc(P, leq, y, restrict(f,(frecrel(names_below(P,x))^+)-``{y})))"
+  unfolding Hfrc_def bool_of_o_def eq_case_def mem_case_def
+  using restrict_trancl_forcerel frecRI1 frecRI2 frecRI3
+  unfolding forcerel_def
+  by simp
+
+(* Recursive definition of forces for atomic formulas using a transitive relation *)
+lemma frc_at_trancl: "frc_at(P,leq,z) = wfrec(forcerel(P,z),z,\<lambda>x f. bool_of_o(Hfrc(P,leq,x,f)))"
+  unfolding frc_at_def forcerel_def using wf_eq_trancl Hfrc_restrict_trancl by simp
+
+
+lemma forcerelI1 :
+  assumes "n1 \<in> domain(b) \<or> n1 \<in> domain(c)" "p\<in>P" "d\<in>P"
+  shows "\<langle>\<langle>1, n1, b, p\<rangle>, \<langle>0,b,c,d\<rangle>\<rangle>\<in> forcerel(P,\<langle>0,b,c,d\<rangle>)"
+proof -
+  let ?x="\<langle>1, n1, b, p\<rangle>"
+  let ?y="\<langle>0,b,c,d\<rangle>"
+  from assms
+  have "frecR(?x,?y)"
+    using frecRI1 by simp
+  then
+  have "?x\<in>names_below(P,?y)"  "?y \<in> names_below(P,?y)"
+    using names_belowI  assms components_in_eclose
+    unfolding names_below_def by auto
+  with \<open>frecR(?x,?y)\<close>
+  show ?thesis
+    unfolding forcerel_def frecrel_def
+    using subsetD[OF r_subset_trancl[OF relation_Rrel]] RrelI
+    by auto
+qed
+
+lemma forcerelI2 :
+  assumes "n1 \<in> domain(b) \<or> n1 \<in> domain(c)" "p\<in>P" "d\<in>P"
+  shows "\<langle>\<langle>1, n1, c, p\<rangle>, \<langle>0,b,c,d\<rangle>\<rangle>\<in> forcerel(P,\<langle>0,b,c,d\<rangle>)"
+proof -
+  let ?x="\<langle>1, n1, c, p\<rangle>"
+  let ?y="\<langle>0,b,c,d\<rangle>"
+  from assms
+  have "frecR(?x,?y)"
+    using frecRI2 by simp
+  then
+  have "?x\<in>names_below(P,?y)"  "?y \<in> names_below(P,?y)"
+    using names_belowI  assms components_in_eclose
+    unfolding names_below_def by auto
+  with \<open>frecR(?x,?y)\<close>
+  show ?thesis
+    unfolding forcerel_def frecrel_def
+    using subsetD[OF r_subset_trancl[OF relation_Rrel]] RrelI
+    by auto
+qed
+
+lemma forcerelI3 :
+  assumes "\<langle>n2, r\<rangle> \<in> c" "p\<in>P" "d\<in>P" "r \<in> P"
+  shows "\<langle>\<langle>0, b, n2, p\<rangle>,\<langle>1, b, c, d\<rangle>\<rangle> \<in> forcerel(P,\<langle>1,b,c,d\<rangle>)"
+proof -
+  let ?x="\<langle>0, b, n2, p\<rangle>"
+  let ?y="\<langle>1, b, c, d\<rangle>"
+  from assms
+  have "frecR(?x,?y)"
+    using assms frecRI3 by simp
+  then
+  have "?x\<in>names_below(P,?y)"  "?y \<in> names_below(P,?y)"
+    using names_belowI  assms components_in_eclose
+    unfolding names_below_def by auto
+  with \<open>frecR(?x,?y)\<close>
+  show ?thesis
+    unfolding forcerel_def frecrel_def
+    using subsetD[OF r_subset_trancl[OF relation_Rrel]] RrelI
+    by auto
+qed
+
+lemmas forcerelI = forcerelI1[THEN vimage_singleton_iff[THEN iffD2]]
+  forcerelI2[THEN vimage_singleton_iff[THEN iffD2]]
+  forcerelI3[THEN vimage_singleton_iff[THEN iffD2]]
+
+lemma  aux_def_frc_at:
+  assumes "z \<in> forcerel(P,x) -`` {x}"
+  shows "wfrec(forcerel(P,x), z, H) =  wfrec(forcerel(P,z), z, H)"
+proof -
+  let ?A="names_below(P,z)"
+  from assms
+  have "\<langle>z,x\<rangle> \<in> forcerel(P,x)"
+    using vimage_singleton_iff by simp
+  then
+  have "z \<in> ?A"
+    using forcerel_arg_into_names_below by simp
+  from \<open>\<langle>z,x\<rangle> \<in> forcerel(P,x)\<close>
+  have E:"forcerel(P,z) = forcerel(P,x) \<inter> (?A\<times>?A)"
+    "forcerel(P,x) -`` {z} \<subseteq> ?A"
+    using forcerel_eq forcerel_below
+    by auto
+  with \<open>z\<in>?A\<close>
+  have "wfrec(forcerel(P,x), z, H) = wfrec[?A](forcerel(P,x), z, H)"
+    using wfrec_trans_restr[OF relation_forcerel(1) wf_forcerel relation_forcerel(2), of x z ?A]
+    by simp
+  then show ?thesis
+    using E wfrec_restr_eq by simp
+qed
+
+subsection\<open>Recursive expression of \<^term>\<open>frc_at\<close>\<close>
+
+lemma def_frc_at :
+  assumes "p\<in>P"
+  shows
+    "frc_at(P,leq,\<langle>ft,n1,n2,p\<rangle>) =
+   bool_of_o( p \<in>P \<and>
+  (  ft = 0 \<and>  (\<forall>s. s\<in>domain(n1) \<union> domain(n2) \<longrightarrow>
+        (\<forall>q. q\<in>P \<and> q \<preceq> p \<longrightarrow> (frc_at(P,leq,\<langle>1,s,n1,q\<rangle>) =1 \<longleftrightarrow> frc_at(P,leq,\<langle>1,s,n2,q\<rangle>) =1)))
+   \<or> ft = 1 \<and> ( \<forall>v\<in>P. v \<preceq> p \<longrightarrow>
+    (\<exists>q. \<exists>s. \<exists>r. r\<in>P \<and> q\<in>P \<and> q \<preceq> v \<and> \<langle>s,r\<rangle> \<in> n2 \<and> q \<preceq> r \<and>  frc_at(P,leq,\<langle>0,n1,s,q\<rangle>) = 1))))"
+proof -
+  let ?r="\<lambda>y. forcerel(P,y)" and ?Hf="\<lambda>x f. bool_of_o(Hfrc(P,leq,x,f))"
+  let ?t="\<lambda>y. ?r(y) -`` {y}"
+  let ?arg="\<langle>ft,n1,n2,p\<rangle>"
+  from wf_forcerel
+  have wfr: "\<forall>w . wf(?r(w))" ..
+  with wfrec [of "?r(?arg)" ?arg ?Hf]
+  have "frc_at(P,leq,?arg) = ?Hf( ?arg, \<lambda>x\<in>?r(?arg) -`` {?arg}. wfrec(?r(?arg), x, ?Hf))"
+    using frc_at_trancl by simp
+  also
+  have " ... = ?Hf( ?arg, \<lambda>x\<in>?r(?arg) -`` {?arg}. frc_at(P,leq,x))"
+    using aux_def_frc_at frc_at_trancl by simp
+  finally
+  show ?thesis
+    unfolding Hfrc_def mem_case_def eq_case_def
+    using forcerelI  assms
+    by auto
+qed
+
+
+subsection\<open>Absoluteness of \<^term>\<open>frc_at\<close>\<close>
+
+lemma trans_forcerel_t : "trans(forcerel(P,x))"
+  unfolding forcerel_def using trans_trancl .
+
+lemma relation_forcerel_t : "relation(forcerel(P,x))"
+  unfolding forcerel_def using relation_trancl .
+
+
+lemma forcerel_in_M :
+  assumes
+    "x\<in>M"
+  shows
+    "forcerel(P,x)\<in>M"
+  unfolding forcerel_def def_frecrel names_below_def
+proof -
+  let ?Q = "2 \<times> ecloseN(x) \<times> ecloseN(x) \<times> P"
+  have "?Q \<times> ?Q \<in> M"
+    using \<open>x\<in>M\<close> P_in_M twoN_in_M ecloseN_closed cartprod_closed by simp
+  moreover
+  have "separation(##M,\<lambda>z. \<exists>x y. z = \<langle>x, y\<rangle> \<and> frecR(x, y))"
+  proof -
+    have "arity(frecrelP_fm(0)) = 1"
+      unfolding number1_fm_def frecrelP_fm_def
+      by (simp del:FOL_sats_iff pair_abs empty_abs
+          add: fm_defs frecR_fm_def number1_fm_def components_defs nat_simp_union)
+    then
+    have "separation(##M, \<lambda>z. sats(M,frecrelP_fm(0) , [z]))"
+      using separation_ax by simp
+    moreover
+    have "frecrelP(##M,z) \<longleftrightarrow> sats(M,frecrelP_fm(0),[z])"
+      if "z\<in>M" for z
+      using that sats_frecrelP_fm[of 0 "[z]"] by simp
+    ultimately
+    have "separation(##M,frecrelP(##M))"
+      unfolding separation_def by simp
+    then
+    show ?thesis using frecrelP_abs
+        separation_cong[of "##M" "frecrelP(##M)" "\<lambda>z. \<exists>x y. z = \<langle>x, y\<rangle> \<and> frecR(x, y)"]
+      by simp
+  qed
+  ultimately
+  show "{z \<in> ?Q \<times> ?Q . \<exists>x y. z = \<langle>x, y\<rangle> \<and> frecR(x, y)}^+ \<in> M"
+    using separation_closed frecrelP_abs trancl_closed by simp
+qed
+
+lemma relation2_Hfrc_at_abs:
+  "relation2(##M,is_Hfrc_at(##M,P,leq),\<lambda>x f. bool_of_o(Hfrc(P,leq,x,f)))"
+  unfolding relation2_def using Hfrc_at_abs
+  by simp
+
+lemma Hfrc_at_closed :
+  "\<forall>x\<in>M. \<forall>g\<in>M. function(g) \<longrightarrow> bool_of_o(Hfrc(P,leq,x,g))\<in>M"
+  unfolding bool_of_o_def using zero_in_M n_in_M[of 1] by simp
+
+lemma wfrec_Hfrc_at :
+  assumes
+    "X\<in>M"
+  shows
+    "wfrec_replacement(##M,is_Hfrc_at(##M,P,leq),forcerel(P,X))"
+proof -
+  have 0:"is_Hfrc_at(##M,P,leq,a,b,c) \<longleftrightarrow>
+        sats(M,Hfrc_at_fm(8,9,2,1,0),[c,b,a,d,e,y,x,z,P,leq,forcerel(P,X)])"
+    if "a\<in>M" "b\<in>M" "c\<in>M" "d\<in>M" "e\<in>M" "y\<in>M" "x\<in>M" "z\<in>M"
+    for a b c d e y x z
+    using that P_in_M leq_in_M \<open>X\<in>M\<close> forcerel_in_M
+      is_Hfrc_at_iff_sats[of concl:M P leq a b c 8 9 2 1 0
+        "[c,b,a,d,e,y,x,z,P,leq,forcerel(P,X)]"] by simp
+  have 1:"sats(M,is_wfrec_fm(Hfrc_at_fm(8,9,2,1,0),5,1,0),[y,x,z,P,leq,forcerel(P,X)]) \<longleftrightarrow>
+                   is_wfrec(##M, is_Hfrc_at(##M,P,leq),forcerel(P,X), x, y)"
+    if "x\<in>M" "y\<in>M" "z\<in>M" for x y z
+    using  that \<open>X\<in>M\<close> forcerel_in_M P_in_M leq_in_M
+      sats_is_wfrec_fm[OF 0]
+    by simp
+  let
+    ?f="Exists(And(pair_fm(1,0,2),is_wfrec_fm(Hfrc_at_fm(8,9,2,1,0),5,1,0)))"
+  have satsf:"sats(M, ?f, [x,z,P,leq,forcerel(P,X)]) \<longleftrightarrow>
+              (\<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, is_Hfrc_at(##M,P,leq),forcerel(P,X), x, y))"
+    if "x\<in>M" "z\<in>M" for x z
+    using that 1 \<open>X\<in>M\<close> forcerel_in_M P_in_M leq_in_M by (simp del:pair_abs)
+  have artyf:"arity(?f) = 5"
+    unfolding is_wfrec_fm_def Hfrc_at_fm_def Hfrc_fm_def Replace_fm_def PHcheck_fm_def
+      pair_fm_def upair_fm_def is_recfun_fm_def fun_apply_fm_def big_union_fm_def
+      pre_image_fm_def restriction_fm_def image_fm_def fm_defs number1_fm_def
+      eq_case_fm_def mem_case_fm_def is_tuple_fm_def
+    by (simp add:nat_simp_union)
+  moreover
+  have "?f\<in>formula"
+    unfolding fm_defs Hfrc_at_fm_def by simp
+  ultimately
+  have "strong_replacement(##M,\<lambda>x z. sats(M,?f,[x,z,P,leq,forcerel(P,X)]))"
+    using replacement_ax 1 artyf \<open>X\<in>M\<close> forcerel_in_M P_in_M leq_in_M by simp
+  then
+  have "strong_replacement(##M,\<lambda>x z.
+          \<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, is_Hfrc_at(##M,P,leq),forcerel(P,X), x, y))"
+    using repl_sats[of M ?f "[P,leq,forcerel(P,X)]"] satsf by (simp del:pair_abs)
+  then
+  show ?thesis unfolding wfrec_replacement_def by simp
+qed
+
+lemma names_below_abs :
+  "\<lbrakk>Q\<in>M;x\<in>M;nb\<in>M\<rbrakk> \<Longrightarrow> is_names_below(##M,Q,x,nb) \<longleftrightarrow> nb = names_below(Q,x)"
+  unfolding is_names_below_def names_below_def
+  using succ_in_M_iff zero_in_M cartprod_closed is_ecloseN_abs ecloseN_closed
+  by auto
+
+lemma names_below_closed:
+  "\<lbrakk>Q\<in>M;x\<in>M\<rbrakk> \<Longrightarrow> names_below(Q,x) \<in> M"
+  unfolding names_below_def
+  using zero_in_M cartprod_closed ecloseN_closed succ_in_M_iff
+  by simp
+
+lemma "names_below_productE" :
+  assumes "Q \<in> M" "x \<in> M"
+    "\<And>A1 A2 A3 A4. A1 \<in> M \<Longrightarrow> A2 \<in> M \<Longrightarrow> A3 \<in> M \<Longrightarrow> A4 \<in> M \<Longrightarrow> R(A1 \<times> A2 \<times> A3 \<times> A4)"
+  shows "R(names_below(Q,x))"
+  unfolding names_below_def using assms zero_in_M ecloseN_closed[of x] twoN_in_M by auto
+
+lemma forcerel_abs :
+  "\<lbrakk>x\<in>M;z\<in>M\<rbrakk> \<Longrightarrow> is_forcerel(##M,P,x,z) \<longleftrightarrow> z = forcerel(P,x)"
+  unfolding is_forcerel_def forcerel_def
+  using frecrel_abs names_below_abs trancl_abs P_in_M twoN_in_M ecloseN_closed names_below_closed
+    names_below_productE[of concl:"\<lambda>p. is_frecrel(##M,p,_) \<longleftrightarrow>  _ = frecrel(p)"] frecrel_closed
+  by simp
+
+lemma frc_at_abs:
+  assumes "fnnc\<in>M" "z\<in>M"
+  shows "is_frc_at(##M,P,leq,fnnc,z) \<longleftrightarrow> z = frc_at(P,leq,fnnc)"
+proof -
+  from assms
+  have "(\<exists>r\<in>M. is_forcerel(##M,P,fnnc, r) \<and> is_wfrec(##M, is_Hfrc_at(##M, P, leq), r, fnnc, z))
+        \<longleftrightarrow> is_wfrec(##M, is_Hfrc_at(##M, P, leq), forcerel(P,fnnc), fnnc, z)"
+    using forcerel_abs forcerel_in_M by simp
+  then
+  show ?thesis
+    unfolding frc_at_trancl is_frc_at_def
+    using assms wfrec_Hfrc_at[of fnnc] wf_forcerel trans_forcerel_t relation_forcerel_t forcerel_in_M
+      Hfrc_at_closed relation2_Hfrc_at_abs
+      trans_wfrec_abs[of "forcerel(P,fnnc)" fnnc z "is_Hfrc_at(##M,P,leq)" "\<lambda>x f. bool_of_o(Hfrc(P,leq,x,f))"]
+    by (simp flip:setclass_iff)
+qed
+
+lemma forces_eq'_abs :
+  "\<lbrakk>p\<in>M ; t1\<in>M ; t2\<in>M\<rbrakk> \<Longrightarrow> is_forces_eq'(##M,P,leq,p,t1,t2) \<longleftrightarrow> forces_eq'(P,leq,p,t1,t2)"
+  unfolding is_forces_eq'_def forces_eq'_def
+  using frc_at_abs zero_in_M tuples_in_M by auto
+
+lemma forces_mem'_abs :
+  "\<lbrakk>p\<in>M ; t1\<in>M ; t2\<in>M\<rbrakk> \<Longrightarrow> is_forces_mem'(##M,P,leq,p,t1,t2) \<longleftrightarrow> forces_mem'(P,leq,p,t1,t2)"
+  unfolding is_forces_mem'_def forces_mem'_def
+  using frc_at_abs zero_in_M tuples_in_M by auto
+
+lemma forces_neq'_abs :
+  assumes
+    "p\<in>M" "t1\<in>M" "t2\<in>M"
+  shows
+    "is_forces_neq'(##M,P,leq,p,t1,t2) \<longleftrightarrow> forces_neq'(P,leq,p,t1,t2)"
+proof -
+  have "q\<in>M" if "q\<in>P" for q
+    using that transitivity P_in_M by simp
+  then show ?thesis
+    unfolding is_forces_neq'_def forces_neq'_def
+    using assms forces_eq'_abs pair_in_M_iff
+    by (auto,blast)
+qed
+
+
+lemma forces_nmem'_abs :
+  assumes
+    "p\<in>M" "t1\<in>M" "t2\<in>M"
+  shows
+    "is_forces_nmem'(##M,P,leq,p,t1,t2) \<longleftrightarrow> forces_nmem'(P,leq,p,t1,t2)"
+proof -
+  have "q\<in>M" if "q\<in>P" for q
+    using that transitivity P_in_M by simp
+  then show ?thesis
+    unfolding is_forces_nmem'_def forces_nmem'_def
+    using assms forces_mem'_abs pair_in_M_iff
+    by (auto,blast)
+qed
+
+end (* forcing_data *)
+
+subsection\<open>Forcing for general formulas\<close>
+
+definition
+  ren_forces_nand :: "i\<Rightarrow>i" where
+  "ren_forces_nand(\<phi>) \<equiv> Exists(And(Equal(0,1),iterates(\<lambda>p. incr_bv(p)`1 , 2, \<phi>)))"
+
+lemma ren_forces_nand_type[TC] :
+  "\<phi>\<in>formula \<Longrightarrow> ren_forces_nand(\<phi>) \<in>formula"
+  unfolding ren_forces_nand_def
+  by simp
+
+lemma arity_ren_forces_nand :
+  assumes "\<phi>\<in>formula"
+  shows "arity(ren_forces_nand(\<phi>)) \<le> succ(arity(\<phi>))"
+proof -
+  consider (lt) "1<arity(\<phi>)" | (ge) "\<not> 1 < arity(\<phi>)"
+    by auto
+  then
+  show ?thesis
+  proof cases
+    case lt
+    with \<open>\<phi>\<in>_\<close>
+    have "2 < succ(arity(\<phi>))" "2<arity(\<phi>)#+2"
+      using succ_ltI by auto
+    with \<open>\<phi>\<in>_\<close>
+    have "arity(iterates(\<lambda>p. incr_bv(p)`1,2,\<phi>)) = 2#+arity(\<phi>)"
+      using arity_incr_bv_lemma lt
+      by auto
+    with \<open>\<phi>\<in>_\<close>
+    show ?thesis
+      unfolding ren_forces_nand_def
+      using lt pred_Un_distrib nat_union_abs1 Un_assoc[symmetric] Un_le_compat
+      by simp
+  next
+    case ge
+    with \<open>\<phi>\<in>_\<close>
+    have "arity(\<phi>) \<le> 1" "pred(arity(\<phi>)) \<le> 1"
+      using not_lt_iff_le le_trans[OF le_pred]
+      by simp_all
+    with \<open>\<phi>\<in>_\<close>
+    have "arity(iterates(\<lambda>p. incr_bv(p)`1,2,\<phi>)) = (arity(\<phi>))"
+      using arity_incr_bv_lemma ge
+      by simp
+    with \<open>arity(\<phi>) \<le> 1\<close> \<open>\<phi>\<in>_\<close> \<open>pred(_) \<le> 1\<close>
+    show ?thesis
+      unfolding ren_forces_nand_def
+      using  pred_Un_distrib nat_union_abs1 Un_assoc[symmetric] nat_union_abs2
+      by simp
+  qed
+qed
+
+lemma sats_ren_forces_nand:
+  "[q,P,leq,o,p] @ env \<in> list(M) \<Longrightarrow> \<phi>\<in>formula \<Longrightarrow>
+   sats(M, ren_forces_nand(\<phi>),[q,p,P,leq,o] @ env) \<longleftrightarrow> sats(M, \<phi>,[q,P,leq,o] @ env)"
+  unfolding ren_forces_nand_def
+  using sats_incr_bv_iff [of _ _ M _ "[q]"]
+  by simp
+
+
+definition
+  ren_forces_forall :: "i\<Rightarrow>i" where
+  "ren_forces_forall(\<phi>) \<equiv>
+      Exists(Exists(Exists(Exists(Exists(
+        And(Equal(0,6),And(Equal(1,7),And(Equal(2,8),And(Equal(3,9),
+        And(Equal(4,5),iterates(\<lambda>p. incr_bv(p)`5 , 5, \<phi>)))))))))))"
+
+lemma arity_ren_forces_all :
+  assumes "\<phi>\<in>formula"
+  shows "arity(ren_forces_forall(\<phi>)) = 5 \<union> arity(\<phi>)"
+proof -
+  consider (lt) "5<arity(\<phi>)" | (ge) "\<not> 5 < arity(\<phi>)"
+    by auto
+  then
+  show ?thesis
+  proof cases
+    case lt
+    with \<open>\<phi>\<in>_\<close>
+    have "5 < succ(arity(\<phi>))" "5<arity(\<phi>)#+2"  "5<arity(\<phi>)#+3"  "5<arity(\<phi>)#+4"
+      using succ_ltI by auto
+    with \<open>\<phi>\<in>_\<close>
+    have "arity(iterates(\<lambda>p. incr_bv(p)`5,5,\<phi>)) = 5#+arity(\<phi>)"
+      using arity_incr_bv_lemma lt
+      by simp
+    with \<open>\<phi>\<in>_\<close>
+    show ?thesis
+      unfolding ren_forces_forall_def
+      using pred_Un_distrib nat_union_abs1 Un_assoc[symmetric] nat_union_abs2
+      by simp
+  next
+    case ge
+    with \<open>\<phi>\<in>_\<close>
+    have "arity(\<phi>) \<le> 5" "pred^5(arity(\<phi>)) \<le> 5"
+      using not_lt_iff_le le_trans[OF le_pred]
+      by simp_all
+    with \<open>\<phi>\<in>_\<close>
+    have "arity(iterates(\<lambda>p. incr_bv(p)`5,5,\<phi>)) = arity(\<phi>)"
+      using arity_incr_bv_lemma ge
+      by simp
+    with \<open>arity(\<phi>) \<le> 5\<close> \<open>\<phi>\<in>_\<close> \<open>pred^5(_) \<le> 5\<close>
+    show ?thesis
+      unfolding ren_forces_forall_def
+      using  pred_Un_distrib nat_union_abs1 Un_assoc[symmetric] nat_union_abs2
+      by simp
+  qed
+qed
+
+lemma ren_forces_forall_type[TC] :
+  "\<phi>\<in>formula \<Longrightarrow> ren_forces_forall(\<phi>) \<in>formula"
+  unfolding ren_forces_forall_def by simp
+
+lemma sats_ren_forces_forall :
+  "[x,P,leq,o,p] @ env \<in> list(M) \<Longrightarrow> \<phi>\<in>formula \<Longrightarrow>
+    sats(M, ren_forces_forall(\<phi>),[x,p,P,leq,o] @ env) \<longleftrightarrow> sats(M, \<phi>,[p,P,leq,o,x] @ env)"
+  unfolding ren_forces_forall_def
+  using sats_incr_bv_iff [of _ _ M _ "[p,P,leq,o,x]"]
+  by simp
+
+
+definition
+  is_leq :: "[i\<Rightarrow>o,i,i,i] \<Rightarrow> o" where
+  "is_leq(A,l,q,p) \<equiv> \<exists>qp[A]. (pair(A,q,p,qp) \<and> qp\<in>l)"
+
+lemma (in forcing_data) leq_abs[simp]:
+  "\<lbrakk> l\<in>M ; q\<in>M ; p\<in>M \<rbrakk> \<Longrightarrow> is_leq(##M,l,q,p) \<longleftrightarrow> \<langle>q,p\<rangle>\<in>l"
+  unfolding is_leq_def using pair_in_M_iff by simp
+
+
+definition
+  leq_fm :: "[i,i,i] \<Rightarrow> i" where
+  "leq_fm(leq,q,p) \<equiv> Exists(And(pair_fm(q#+1,p#+1,0),Member(0,leq#+1)))"
+
+lemma arity_leq_fm :
+  "\<lbrakk>leq\<in>nat;q\<in>nat;p\<in>nat\<rbrakk> \<Longrightarrow> arity(leq_fm(leq,q,p)) = succ(q) \<union> succ(p) \<union> succ(leq)"
+  unfolding leq_fm_def
+  using arity_pair_fm pred_Un_distrib nat_simp_union
+  by auto
+
+lemma leq_fm_type[TC] :
+  "\<lbrakk>leq\<in>nat;q\<in>nat;p\<in>nat\<rbrakk> \<Longrightarrow> leq_fm(leq,q,p)\<in>formula"
+  unfolding leq_fm_def by simp
+
+lemma sats_leq_fm :
+  "\<lbrakk> leq\<in>nat;q\<in>nat;p\<in>nat;env\<in>list(A) \<rbrakk> \<Longrightarrow>
+     sats(A,leq_fm(leq,q,p),env) \<longleftrightarrow> is_leq(##A,nth(leq,env),nth(q,env),nth(p,env))"
+  unfolding leq_fm_def is_leq_def by simp
+
+subsubsection\<open>The primitive recursion\<close>
+
+consts forces' :: "i\<Rightarrow>i"
+primrec
+  "forces'(Member(x,y)) = forces_mem_fm(1,2,0,x#+4,y#+4)"
+  "forces'(Equal(x,y))  = forces_eq_fm(1,2,0,x#+4,y#+4)"
+  "forces'(Nand(p,q))   =
+        Neg(Exists(And(Member(0,2),And(leq_fm(3,0,1),And(ren_forces_nand(forces'(p)),
+                                         ren_forces_nand(forces'(q)))))))"
+  "forces'(Forall(p))   = Forall(ren_forces_forall(forces'(p)))"
+
+
+definition
+  forces :: "i\<Rightarrow>i" where
+  "forces(\<phi>) \<equiv> And(Member(0,1),forces'(\<phi>))"
+
+lemma forces'_type [TC]:  "\<phi>\<in>formula \<Longrightarrow> forces'(\<phi>) \<in> formula"
+  by (induct \<phi> set:formula; simp)
+
+lemma forces_type[TC] : "\<phi>\<in>formula \<Longrightarrow> forces(\<phi>) \<in> formula"
+  unfolding forces_def by simp
+
+context forcing_data
+begin
+
+subsection\<open>Forcing for atomic formulas in context\<close>
+
+definition
+  forces_eq :: "[i,i,i] \<Rightarrow> o" where
+  "forces_eq \<equiv> forces_eq'(P,leq)"
+
+definition
+  forces_mem :: "[i,i,i] \<Rightarrow> o" where
+  "forces_mem \<equiv> forces_mem'(P,leq)"
+
+(* frc_at(P,leq,\<langle>0,t1,t2,p\<rangle>) = 1*)
+definition
+  is_forces_eq :: "[i,i,i] \<Rightarrow> o" where
+  "is_forces_eq \<equiv> is_forces_eq'(##M,P,leq)"
+
+(* frc_at(P,leq,\<langle>1,t1,t2,p\<rangle>) = 1*)
+definition
+  is_forces_mem :: "[i,i,i] \<Rightarrow> o" where
+  "is_forces_mem \<equiv> is_forces_mem'(##M,P,leq)"
+
+
+lemma def_forces_eq: "p\<in>P \<Longrightarrow> forces_eq(p,t1,t2) \<longleftrightarrow>
+      (\<forall>s\<in>domain(t1) \<union> domain(t2). \<forall>q. q\<in>P \<and> q \<preceq> p \<longrightarrow>
+      (forces_mem(q,s,t1) \<longleftrightarrow> forces_mem(q,s,t2)))"
+  unfolding forces_eq_def forces_mem_def forces_eq'_def forces_mem'_def
+  using def_frc_at[of p 0 t1 t2 ]  unfolding bool_of_o_def
+  by auto
+
+lemma def_forces_mem: "p\<in>P \<Longrightarrow> forces_mem(p,t1,t2) \<longleftrightarrow>
+     (\<forall>v\<in>P. v \<preceq> p \<longrightarrow>
+      (\<exists>q. \<exists>s. \<exists>r. r\<in>P \<and> q\<in>P \<and> q \<preceq> v \<and> \<langle>s,r\<rangle> \<in> t2 \<and> q \<preceq> r \<and> forces_eq(q,t1,s)))"
+  unfolding forces_eq'_def forces_mem'_def forces_eq_def forces_mem_def
+  using def_frc_at[of p 1 t1 t2]  unfolding bool_of_o_def
+  by auto
+
+lemma forces_eq_abs :
+  "\<lbrakk>p\<in>M ; t1\<in>M ; t2\<in>M\<rbrakk> \<Longrightarrow> is_forces_eq(p,t1,t2) \<longleftrightarrow> forces_eq(p,t1,t2)"
+  unfolding is_forces_eq_def forces_eq_def
+  using forces_eq'_abs by simp
+
+lemma forces_mem_abs :
+  "\<lbrakk>p\<in>M ; t1\<in>M ; t2\<in>M\<rbrakk> \<Longrightarrow> is_forces_mem(p,t1,t2) \<longleftrightarrow> forces_mem(p,t1,t2)"
+  unfolding is_forces_mem_def forces_mem_def
+  using forces_mem'_abs by simp
+
+lemma sats_forces_eq_fm:
+  assumes  "p\<in>nat" "l\<in>nat" "q\<in>nat" "t1\<in>nat" "t2\<in>nat"  "env\<in>list(M)"
+    "nth(p,env)=P" "nth(l,env)=leq"
+  shows "sats(M,forces_eq_fm(p,l,q,t1,t2),env) \<longleftrightarrow>
+         is_forces_eq(nth(q,env),nth(t1,env),nth(t2,env))"
+  unfolding forces_eq_fm_def is_forces_eq_def is_forces_eq'_def
+  using assms sats_is_tuple_fm  sats_frc_at_fm
+  by simp
+
+lemma sats_forces_mem_fm:
+  assumes  "p\<in>nat" "l\<in>nat" "q\<in>nat" "t1\<in>nat" "t2\<in>nat"  "env\<in>list(M)"
+    "nth(p,env)=P" "nth(l,env)=leq"
+  shows "sats(M,forces_mem_fm(p,l,q,t1,t2),env) \<longleftrightarrow>
+             is_forces_mem(nth(q,env),nth(t1,env),nth(t2,env))"
+  unfolding forces_mem_fm_def is_forces_mem_def is_forces_mem'_def
+  using assms sats_is_tuple_fm sats_frc_at_fm
+  by simp
+
+
+definition
+  forces_neq :: "[i,i,i] \<Rightarrow> o" where
+  "forces_neq(p,t1,t2) \<equiv> \<not> (\<exists>q\<in>P. q\<preceq>p \<and> forces_eq(q,t1,t2))"
+
+definition
+  forces_nmem :: "[i,i,i] \<Rightarrow> o" where
+  "forces_nmem(p,t1,t2) \<equiv> \<not> (\<exists>q\<in>P. q\<preceq>p \<and> forces_mem(q,t1,t2))"
+
+
+lemma forces_neq :
+  "forces_neq(p,t1,t2) \<longleftrightarrow> forces_neq'(P,leq,p,t1,t2)"
+  unfolding forces_neq_def forces_neq'_def forces_eq_def by simp
+
+lemma forces_nmem :
+  "forces_nmem(p,t1,t2) \<longleftrightarrow> forces_nmem'(P,leq,p,t1,t2)"
+  unfolding forces_nmem_def forces_nmem'_def forces_mem_def by simp
+
+
+lemma sats_forces_Member :
+  assumes  "x\<in>nat" "y\<in>nat" "env\<in>list(M)"
+    "nth(x,env)=xx" "nth(y,env)=yy" "q\<in>M"
+  shows "sats(M,forces(Member(x,y)),[q,P,leq,one]@env) \<longleftrightarrow>
+                (q\<in>P \<and> is_forces_mem(q,xx,yy))"
+  unfolding forces_def
+  using assms sats_forces_mem_fm P_in_M leq_in_M one_in_M
+  by simp
+
+lemma sats_forces_Equal :
+  assumes  "x\<in>nat" "y\<in>nat" "env\<in>list(M)"
+    "nth(x,env)=xx" "nth(y,env)=yy" "q\<in>M"
+  shows "sats(M,forces(Equal(x,y)),[q,P,leq,one]@env) \<longleftrightarrow>
+                (q\<in>P \<and> is_forces_eq(q,xx,yy))"
+  unfolding forces_def
+  using assms sats_forces_eq_fm P_in_M leq_in_M one_in_M
+  by simp
+
+lemma sats_forces_Nand :
+  assumes  "\<phi>\<in>formula" "\<psi>\<in>formula" "env\<in>list(M)" "p\<in>M"
+  shows "sats(M,forces(Nand(\<phi>,\<psi>)),[p,P,leq,one]@env) \<longleftrightarrow>
+         (p\<in>P \<and> \<not>(\<exists>q\<in>M. q\<in>P \<and> is_leq(##M,leq,q,p) \<and>
+               (sats(M,forces'(\<phi>),[q,P,leq,one]@env) \<and> sats(M,forces'(\<psi>),[q,P,leq,one]@env))))"
+  unfolding forces_def using sats_leq_fm assms sats_ren_forces_nand P_in_M leq_in_M one_in_M
+  by simp
+
+lemma sats_forces_Neg :
+  assumes  "\<phi>\<in>formula" "env\<in>list(M)" "p\<in>M"
+  shows "sats(M,forces(Neg(\<phi>)),[p,P,leq,one]@env) \<longleftrightarrow>
+         (p\<in>P \<and> \<not>(\<exists>q\<in>M. q\<in>P \<and> is_leq(##M,leq,q,p) \<and>
+               (sats(M,forces'(\<phi>),[q,P,leq,one]@env))))"
+  unfolding Neg_def using assms sats_forces_Nand
+  by simp
+
+lemma sats_forces_Forall :
+  assumes  "\<phi>\<in>formula" "env\<in>list(M)" "p\<in>M"
+  shows "sats(M,forces(Forall(\<phi>)),[p,P,leq,one]@env) \<longleftrightarrow>
+         p\<in>P \<and> (\<forall>x\<in>M. sats(M,forces'(\<phi>),[p,P,leq,one,x]@env))"
+  unfolding forces_def using assms sats_ren_forces_forall P_in_M leq_in_M one_in_M
+  by simp
+
+end (* forcing_data *)
+
+subsection\<open>The arity of \<^term>\<open>forces\<close>\<close>
+
+lemma arity_forces_at:
+  assumes  "x \<in> nat" "y \<in> nat"
+  shows "arity(forces(Member(x, y))) = (succ(x) \<union> succ(y)) #+ 4"
+    "arity(forces(Equal(x, y))) = (succ(x) \<union> succ(y)) #+ 4"
+  unfolding forces_def
+  using assms arity_forces_mem_fm arity_forces_eq_fm succ_Un_distrib nat_simp_union
+  by auto
+
+lemma arity_forces':
+  assumes "\<phi>\<in>formula"
+  shows "arity(forces'(\<phi>)) \<le> arity(\<phi>) #+ 4"
+  using assms
+proof (induct set:formula)
+  case (Member x y)
+  then
+  show ?case
+    using arity_forces_mem_fm succ_Un_distrib nat_simp_union
+    by simp
+next
+  case (Equal x y)
+  then
+  show ?case
+    using arity_forces_eq_fm succ_Un_distrib nat_simp_union
+    by simp
+next
+  case (Nand \<phi> \<psi>)
+  let ?\<phi>' = "ren_forces_nand(forces'(\<phi>))"
+  let ?\<psi>' = "ren_forces_nand(forces'(\<psi>))"
+  have "arity(leq_fm(3, 0, 1)) = 4"
+    using arity_leq_fm succ_Un_distrib nat_simp_union
+    by simp
+  have "3 \<le> (4#+arity(\<phi>)) \<union> (4#+arity(\<psi>))" (is "_ \<le> ?rhs")
+    using nat_simp_union by simp
+  from \<open>\<phi>\<in>_\<close> Nand
+  have "pred(arity(?\<phi>')) \<le> ?rhs"  "pred(arity(?\<psi>')) \<le> ?rhs"
+  proof -
+    from \<open>\<phi>\<in>_\<close> \<open>\<psi>\<in>_\<close>
+    have A:"pred(arity(?\<phi>')) \<le> arity(forces'(\<phi>))"
+      "pred(arity(?\<psi>')) \<le> arity(forces'(\<psi>))"
+      using pred_mono[OF _  arity_ren_forces_nand] pred_succ_eq
+      by simp_all
+    from Nand
+    have "3 \<union> arity(forces'(\<phi>)) \<le> arity(\<phi>) #+ 4"
+      "3 \<union> arity(forces'(\<psi>)) \<le> arity(\<psi>) #+ 4"
+      using Un_le by simp_all
+    with Nand
+    show "pred(arity(?\<phi>')) \<le> ?rhs"
+      "pred(arity(?\<psi>')) \<le> ?rhs"
+      using le_trans[OF A(1)] le_trans[OF A(2)] le_Un_iff
+      by simp_all
+  qed
+  with Nand \<open>_=4\<close>
+  show ?case
+    using pred_Un_distrib Un_assoc[symmetric] succ_Un_distrib nat_union_abs1 Un_leI3[OF \<open>3 \<le> ?rhs\<close>]
+    by simp
+next
+  case (Forall \<phi>)
+  let ?\<phi>' = "ren_forces_forall(forces'(\<phi>))"
+  show ?case
+  proof (cases "arity(\<phi>) = 0")
+    case True
+    with Forall
+    show ?thesis
+    proof -
+      from Forall True
+      have "arity(forces'(\<phi>)) \<le> 5"
+        using le_trans[of _ 4 5] by auto
+      with \<open>\<phi>\<in>_\<close>
+      have "arity(?\<phi>') \<le> 5"
+        using arity_ren_forces_all[OF forces'_type[OF \<open>\<phi>\<in>_\<close>]] nat_union_abs2
+        by auto
+      with Forall True
+      show ?thesis
+        using pred_mono[OF _ \<open>arity(?\<phi>') \<le> 5\<close>]
+        by simp
+    qed
+  next
+    case False
+    with Forall
+    show ?thesis
+    proof -
+      from Forall False
+      have "arity(?\<phi>') = 5 \<union> arity(forces'(\<phi>))"
+        "arity(forces'(\<phi>)) \<le> 5 #+ arity(\<phi>)"
+        "4 \<le> succ(succ(succ(arity(\<phi>))))"
+        using Ord_0_lt arity_ren_forces_all
+          le_trans[OF _ add_le_mono[of 4 5, OF _ le_refl]]
+        by auto
+      with \<open>\<phi>\<in>_\<close>
+      have "5 \<union> arity(forces'(\<phi>)) \<le> 5#+arity(\<phi>)"
+        using nat_simp_union by auto
+      with \<open>\<phi>\<in>_\<close> \<open>arity(?\<phi>') = 5 \<union> _\<close>
+      show ?thesis
+        using pred_Un_distrib succ_pred_eq[OF _ \<open>arity(\<phi>)\<noteq>0\<close>]
+          pred_mono[OF _ Forall(2)] Un_le[OF \<open>4\<le>succ(_)\<close>]
+        by simp
+    qed
+  qed
+qed
+
+lemma arity_forces :
+  assumes "\<phi>\<in>formula"
+  shows "arity(forces(\<phi>)) \<le> 4#+arity(\<phi>)"
+  unfolding forces_def
+  using assms arity_forces' le_trans nat_simp_union by auto
+
+lemma arity_forces_le :
+  assumes "\<phi>\<in>formula" "n\<in>nat" "arity(\<phi>) \<le> n"
+  shows "arity(forces(\<phi>)) \<le> 4#+n"
+  using assms le_trans[OF _ add_le_mono[OF le_refl[of 5] \<open>arity(\<phi>)\<le>_\<close>]] arity_forces
+  by auto
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Forcing_Data.thy b/thys/Forcing/Forcing_Data.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Forcing_Data.thy
@@ -0,0 +1,369 @@
+section\<open>Transitive set models of ZF\<close>
+text\<open>This theory defines the locale \<^term>\<open>M_ZF_trans\<close> for
+transitive models of ZF, and the associated \<^term>\<open>forcing_data\<close>
+ that adds a forcing notion\<close>
+theory Forcing_Data
+  imports  
+    Forcing_Notions 
+    Interface
+
+begin
+
+lemma Transset_M :
+  "Transset(M) \<Longrightarrow>  y\<in>x \<Longrightarrow> x \<in> M \<Longrightarrow> y \<in> M"
+  by (simp add: Transset_def,auto)  
+
+
+locale M_ZF = 
+  fixes M 
+  assumes 
+    upair_ax:         "upair_ax(##M)"
+    and Union_ax:         "Union_ax(##M)"
+    and power_ax:         "power_ax(##M)"
+    and extensionality:   "extensionality(##M)"
+    and foundation_ax:    "foundation_ax(##M)"
+    and infinity_ax:      "infinity_ax(##M)"
+    and separation_ax:    "\<phi>\<in>formula \<Longrightarrow> env\<in>list(M) \<Longrightarrow> arity(\<phi>) \<le> 1 #+ length(env) \<Longrightarrow>
+                    separation(##M,\<lambda>x. sats(M,\<phi>,[x] @ env))" 
+    and replacement_ax:   "\<phi>\<in>formula \<Longrightarrow> env\<in>list(M) \<Longrightarrow> arity(\<phi>) \<le> 2 #+ length(env) \<Longrightarrow> 
+                    strong_replacement(##M,\<lambda>x y. sats(M,\<phi>,[x,y] @ env))" 
+
+locale M_ctm = M_ZF +
+  fixes enum
+  assumes M_countable:      "enum\<in>bij(nat,M)"
+    and trans_M:          "Transset(M)"
+
+begin
+interpretation intf: M_ZF_trans "M"
+  using M_ZF_trans.intro
+    trans_M upair_ax Union_ax power_ax extensionality
+    foundation_ax infinity_ax separation_ax[simplified] 
+    replacement_ax[simplified]
+  by simp
+
+
+lemmas transitivity = Transset_intf[OF trans_M]
+
+lemma zero_in_M:  "0 \<in> M" 
+  by (rule intf.zero_in_M)
+
+lemma tuples_in_M: "A\<in>M \<Longrightarrow> B\<in>M \<Longrightarrow> \<langle>A,B\<rangle>\<in>M" 
+  by (simp flip:setclass_iff)
+
+lemma nat_in_M : "nat \<in> M"
+  by (rule intf.nat_in_M)
+
+lemma n_in_M : "n\<in>nat \<Longrightarrow> n\<in>M"
+  using nat_in_M transitivity by simp
+
+lemma mtriv: "M_trivial(##M)" 
+  by (rule intf.mtriv)
+
+lemma mtrans: "M_trans(##M)"
+  by (rule intf.mtrans)
+
+lemma mbasic: "M_basic(##M)"
+  by (rule intf.mbasic)
+
+lemma mtrancl: "M_trancl(##M)"
+  by (rule intf.mtrancl)
+
+lemma mdatatypes: "M_datatypes(##M)"
+  by (rule intf.mdatatypes)
+
+lemma meclose: "M_eclose(##M)"
+  by (rule intf.meclose)
+
+lemma meclose_pow: "M_eclose_pow(##M)"
+  by (rule intf.meclose_pow)
+
+
+
+end (* M_ctm *)
+
+(* M_ctm interface *)
+sublocale M_ctm \<subseteq> M_trivial "##M"
+  by  (rule mtriv)
+
+sublocale M_ctm \<subseteq> M_trans "##M"
+  by  (rule mtrans)
+
+sublocale M_ctm \<subseteq> M_basic "##M"
+  by  (rule mbasic)
+
+sublocale M_ctm \<subseteq> M_trancl "##M"
+  by  (rule mtrancl)
+
+sublocale M_ctm \<subseteq> M_datatypes "##M"
+  by  (rule mdatatypes)
+
+sublocale M_ctm \<subseteq> M_eclose "##M"
+  by  (rule meclose)
+
+sublocale M_ctm \<subseteq> M_eclose_pow "##M"
+  by  (rule meclose_pow)
+
+(* end interface *)
+
+context M_ctm
+begin
+
+subsection\<open>\<^term>\<open>Collects\<close> in $M$\<close>
+lemma Collect_in_M_0p :
+  assumes
+    Qfm : "Q_fm \<in> formula" and
+    Qarty : "arity(Q_fm) = 1" and
+    Qsats : "\<And>x. x\<in>M \<Longrightarrow> sats(M,Q_fm,[x]) \<longleftrightarrow> is_Q(##M,x)" and
+    Qabs  : "\<And>x. x\<in>M \<Longrightarrow> is_Q(##M,x) \<longleftrightarrow> Q(x)" and
+    "A\<in>M"
+  shows
+    "Collect(A,Q)\<in>M" 
+proof -
+  have "z\<in>A \<Longrightarrow> z\<in>M" for z
+    using \<open>A\<in>M\<close> transitivity[of z A] by simp
+  then
+  have 1:"Collect(A,is_Q(##M)) = Collect(A,Q)" 
+    using Qabs Collect_cong[of "A" "A" "is_Q(##M)" "Q"] by simp
+  have "separation(##M,is_Q(##M))"
+    using separation_ax Qsats Qarty Qfm
+      separation_cong[of "##M" "\<lambda>y. sats(M,Q_fm,[y])" "is_Q(##M)"]
+    by simp
+  then 
+  have "Collect(A,is_Q(##M))\<in>M"
+    using separation_closed \<open>A\<in>M\<close> by simp 
+  then
+  show ?thesis using 1 by simp
+qed
+
+lemma Collect_in_M_2p :
+  assumes
+    Qfm : "Q_fm \<in> formula" and
+    Qarty : "arity(Q_fm) = 3" and
+    params_M : "y\<in>M" "z\<in>M" and
+    Qsats : "\<And>x. x\<in>M \<Longrightarrow> sats(M,Q_fm,[x,y,z]) \<longleftrightarrow> is_Q(##M,x,y,z)" and
+    Qabs  : "\<And>x. x\<in>M \<Longrightarrow> is_Q(##M,x,y,z) \<longleftrightarrow> Q(x,y,z)" and
+    "A\<in>M"
+  shows
+    "Collect(A,\<lambda>x. Q(x,y,z))\<in>M" 
+proof -
+  have "z\<in>A \<Longrightarrow> z\<in>M" for z
+    using \<open>A\<in>M\<close> transitivity[of z A] by simp
+  then
+  have 1:"Collect(A,\<lambda>x. is_Q(##M,x,y,z)) = Collect(A,\<lambda>x. Q(x,y,z))" 
+    using Qabs Collect_cong[of "A" "A" "\<lambda>x. is_Q(##M,x,y,z)" "\<lambda>x. Q(x,y,z)"] by simp
+  have "separation(##M,\<lambda>x. is_Q(##M,x,y,z))"
+    using separation_ax Qsats Qarty Qfm params_M
+      separation_cong[of "##M" "\<lambda>x. sats(M,Q_fm,[x,y,z])" "\<lambda>x. is_Q(##M,x,y,z)"]
+    by simp
+  then 
+  have "Collect(A,\<lambda>x. is_Q(##M,x,y,z))\<in>M"
+    using separation_closed \<open>A\<in>M\<close> by simp 
+  then
+  show ?thesis using 1 by simp
+qed
+
+lemma Collect_in_M_4p :
+  assumes
+    Qfm : "Q_fm \<in> formula" and
+    Qarty : "arity(Q_fm) = 5" and
+    params_M : "a1\<in>M" "a2\<in>M" "a3\<in>M" "a4\<in>M" and
+    Qsats : "\<And>x. x\<in>M \<Longrightarrow> sats(M,Q_fm,[x,a1,a2,a3,a4]) \<longleftrightarrow> is_Q(##M,x,a1,a2,a3,a4)" and
+    Qabs  : "\<And>x. x\<in>M \<Longrightarrow> is_Q(##M,x,a1,a2,a3,a4) \<longleftrightarrow> Q(x,a1,a2,a3,a4)" and
+    "A\<in>M"
+  shows
+    "Collect(A,\<lambda>x. Q(x,a1,a2,a3,a4))\<in>M" 
+proof -
+  have "z\<in>A \<Longrightarrow> z\<in>M" for z
+    using \<open>A\<in>M\<close> transitivity[of z A] by simp
+  then
+  have 1:"Collect(A,\<lambda>x. is_Q(##M,x,a1,a2,a3,a4)) = Collect(A,\<lambda>x. Q(x,a1,a2,a3,a4))" 
+    using Qabs Collect_cong[of "A" "A" "\<lambda>x. is_Q(##M,x,a1,a2,a3,a4)" "\<lambda>x. Q(x,a1,a2,a3,a4)"] 
+    by simp
+  have "separation(##M,\<lambda>x. is_Q(##M,x,a1,a2,a3,a4))"
+    using separation_ax Qsats Qarty Qfm params_M
+      separation_cong[of "##M" "\<lambda>x. sats(M,Q_fm,[x,a1,a2,a3,a4])" 
+        "\<lambda>x. is_Q(##M,x,a1,a2,a3,a4)"]
+    by simp
+  then 
+  have "Collect(A,\<lambda>x. is_Q(##M,x,a1,a2,a3,a4))\<in>M"
+    using separation_closed \<open>A\<in>M\<close> by simp 
+  then
+  show ?thesis using 1 by simp
+qed
+
+lemma Repl_in_M :
+  assumes
+    f_fm:  "f_fm \<in> formula" and
+    f_ar:  "arity(f_fm)\<le> 2 #+ length(env)" and
+    fsats: "\<And>x y. x\<in>M \<Longrightarrow> y\<in>M \<Longrightarrow> sats(M,f_fm,[x,y]@env) \<longleftrightarrow> is_f(x,y)" and
+    fabs:  "\<And>x y. x\<in>M \<Longrightarrow> y\<in>M \<Longrightarrow> is_f(x,y) \<longleftrightarrow> y = f(x)" and
+    fclosed: "\<And>x. x\<in>A \<Longrightarrow> f(x) \<in> M"  and
+    "A\<in>M" "env\<in>list(M)" 
+  shows "{f(x). x\<in>A}\<in>M"
+proof -
+  have "strong_replacement(##M, \<lambda>x y. sats(M,f_fm,[x,y]@env))"
+    using replacement_ax f_fm f_ar \<open>env\<in>list(M)\<close> by simp
+  then
+  have "strong_replacement(##M, \<lambda>x y. y = f(x))"
+    using fsats fabs 
+      strong_replacement_cong[of "##M" "\<lambda>x y. sats(M,f_fm,[x,y]@env)" "\<lambda>x y. y = f(x)"]
+    by simp
+  then
+  have "{ y . x\<in>A , y = f(x) } \<in> M" 
+    using \<open>A\<in>M\<close> fclosed strong_replacement_closed by simp
+  moreover
+  have "{f(x). x\<in>A} = { y . x\<in>A , y = f(x) }"
+    by auto
+  ultimately show ?thesis by simp
+qed
+
+end (* M_ctm *)      
+
+subsection\<open>A forcing locale and generic filters\<close>
+locale forcing_data = forcing_notion + M_ctm +
+  assumes P_in_M:           "P \<in> M"
+    and leq_in_M:         "leq \<in> M"
+
+begin
+
+lemma transD : "Transset(M) \<Longrightarrow> y \<in> M \<Longrightarrow> y \<subseteq> M" 
+  by (unfold Transset_def, blast) 
+
+(* P \<subseteq> M *)
+lemmas P_sub_M = transD[OF trans_M P_in_M]
+
+definition
+  M_generic :: "i\<Rightarrow>o" where
+  "M_generic(G) \<equiv> filter(G) \<and> (\<forall>D\<in>M. D\<subseteq>P \<and> dense(D)\<longrightarrow>D\<inter>G\<noteq>0)"
+
+lemma M_genericD [dest]: "M_generic(G) \<Longrightarrow> x\<in>G \<Longrightarrow> x\<in>P"
+  unfolding M_generic_def by (blast dest:filterD)
+
+lemma M_generic_leqD [dest]: "M_generic(G) \<Longrightarrow> p\<in>G \<Longrightarrow> q\<in>P \<Longrightarrow> p\<preceq>q \<Longrightarrow> q\<in>G"
+  unfolding M_generic_def by (blast dest:filter_leqD)
+
+lemma M_generic_compatD [dest]: "M_generic(G) \<Longrightarrow> p\<in>G \<Longrightarrow> r\<in>G \<Longrightarrow> \<exists>q\<in>G. q\<preceq>p \<and> q\<preceq>r"
+  unfolding M_generic_def by (blast dest:low_bound_filter)
+
+lemma M_generic_denseD [dest]: "M_generic(G) \<Longrightarrow> dense(D) \<Longrightarrow> D\<subseteq>P \<Longrightarrow> D\<in>M \<Longrightarrow> \<exists>q\<in>G. q\<in>D"
+  unfolding M_generic_def by blast
+
+lemma G_nonempty: "M_generic(G) \<Longrightarrow> G\<noteq>0"
+proof -
+  have "P\<subseteq>P" ..
+  assume
+    "M_generic(G)"
+  with P_in_M P_dense \<open>P\<subseteq>P\<close> show
+    "G \<noteq> 0"
+    unfolding M_generic_def by auto
+qed
+
+lemma one_in_G : 
+  assumes "M_generic(G)"
+  shows  "one \<in> G" 
+proof -
+  from assms have "G\<subseteq>P" 
+    unfolding M_generic_def and filter_def by simp
+  from \<open>M_generic(G)\<close> have "increasing(G)" 
+    unfolding M_generic_def and filter_def by simp
+  with \<open>G\<subseteq>P\<close> and \<open>M_generic(G)\<close> 
+  show ?thesis 
+    using G_nonempty and one_in_P and one_max 
+    unfolding increasing_def by blast
+qed
+
+lemma G_subset_M: "M_generic(G) \<Longrightarrow> G \<subseteq> M"
+  using transitivity[OF _ P_in_M] by auto
+
+declare iff_trans [trans]
+
+lemma generic_filter_existence: 
+  "p\<in>P \<Longrightarrow> \<exists>G. p\<in>G \<and> M_generic(G)"
+proof -
+  assume "p\<in>P"
+  let ?D="\<lambda>n\<in>nat. (if (enum`n\<subseteq>P \<and> dense(enum`n))  then enum`n else P)"
+  have "\<forall>n\<in>nat. ?D`n \<in> Pow(P)"
+    by auto
+  then 
+  have "?D:nat\<rightarrow>Pow(P)"
+    using lam_type by auto
+  have Eq4: "\<forall>n\<in>nat. dense(?D`n)"
+  proof(intro ballI)
+    fix n
+    assume "n\<in>nat"
+    then
+    have "dense(?D`n) \<longleftrightarrow> dense(if enum`n \<subseteq> P \<and> dense(enum`n) then enum`n else P)"
+      by simp
+    also 
+    have "... \<longleftrightarrow>  (\<not>(enum`n \<subseteq> P \<and> dense(enum`n)) \<longrightarrow> dense(P)) "
+      using split_if by simp
+    finally
+    show "dense(?D`n)"
+      using P_dense \<open>n\<in>nat\<close> by auto
+  qed
+  from \<open>?D\<in>_\<close> and Eq4 
+  interpret cg: countable_generic P leq one ?D 
+    by (unfold_locales, auto)
+  from \<open>p\<in>P\<close> 
+  obtain G where Eq6: "p\<in>G \<and> filter(G) \<and> (\<forall>n\<in>nat.(?D`n)\<inter>G\<noteq>0)"
+    using cg.countable_rasiowa_sikorski[where M="\<lambda>_. M"]  P_sub_M
+      M_countable[THEN bij_is_fun] M_countable[THEN bij_is_surj, THEN surj_range] 
+    unfolding cg.D_generic_def by blast
+  then 
+  have Eq7: "(\<forall>D\<in>M. D\<subseteq>P \<and> dense(D)\<longrightarrow>D\<inter>G\<noteq>0)"
+  proof (intro ballI impI)
+    fix D
+    assume "D\<in>M" and Eq9: "D \<subseteq> P \<and> dense(D) " 
+    have "\<forall>y\<in>M. \<exists>x\<in>nat. enum`x= y"
+      using M_countable and  bij_is_surj unfolding surj_def by (simp)
+    with \<open>D\<in>M\<close> obtain n where Eq10: "n\<in>nat \<and> enum`n = D" 
+      by auto
+    with Eq9 and if_P
+    have "?D`n = D" by (simp)
+    with Eq6 and Eq10 
+    show "D\<inter>G\<noteq>0" by auto
+  qed
+  with Eq6 
+  show ?thesis unfolding M_generic_def by auto
+qed
+
+(* Compatibility lemmas *)
+lemma compat_in_abs :
+  assumes
+    "A\<in>M" "r\<in>M" "p\<in>M" "q\<in>M" 
+  shows
+    "is_compat_in(##M,A,r,p,q) \<longleftrightarrow> compat_in(A,r,p,q)" 
+proof -
+  have "d\<in>A \<Longrightarrow> d\<in>M" for d
+    using transitivity \<open>A\<in>M\<close> by simp
+  moreover from this
+  have "d\<in>A \<Longrightarrow> \<langle>d, t\<rangle> \<in> M" if "t\<in>M" for t d
+    using that pair_in_M_iff by simp
+  ultimately 
+  show ?thesis
+    unfolding is_compat_in_def compat_in_def 
+    using assms pair_in_M_iff transitivity by auto
+qed
+
+definition
+  compat_in_fm :: "[i,i,i,i] \<Rightarrow> i" where
+  "compat_in_fm(A,r,p,q) \<equiv> 
+    Exists(And(Member(0,succ(A)),Exists(And(pair_fm(1,p#+2,0),
+                                        And(Member(0,r#+2),
+                                 Exists(And(pair_fm(2,q#+3,0),Member(0,r#+3))))))))" 
+
+lemma compat_in_fm_type[TC] : 
+  "\<lbrakk> A\<in>nat;r\<in>nat;p\<in>nat;q\<in>nat\<rbrakk> \<Longrightarrow> compat_in_fm(A,r,p,q)\<in>formula" 
+  unfolding compat_in_fm_def by simp
+
+lemma sats_compat_in_fm:
+  assumes
+    "A\<in>nat" "r\<in>nat"  "p\<in>nat" "q\<in>nat" "env\<in>list(M)"  
+  shows
+    "sats(M,compat_in_fm(A,r,p,q),env) \<longleftrightarrow> 
+            is_compat_in(##M,nth(A, env),nth(r, env),nth(p, env),nth(q, env))"
+  unfolding compat_in_fm_def is_compat_in_def using assms by simp
+
+end (* forcing_data *)
+
+end
diff --git a/thys/Forcing/Forcing_Main.thy b/thys/Forcing/Forcing_Main.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Forcing_Main.thy
@@ -0,0 +1,227 @@
+section\<open>The main theorem\<close>
+theory Forcing_Main
+  imports 
+  Internal_ZFC_Axioms
+  Choice_Axiom
+  Ordinals_In_MG
+  Succession_Poset
+
+begin
+
+subsection\<open>The generic extension is countable\<close>
+(*
+\<comment> \<open>Useful missing lemma\<close>
+lemma surj_imp_well_ord:
+  assumes "well_ord(A,r)" "h \<in> surj(A,B)"
+  shows "\<exists>s. well_ord(B,r)" 
+*)
+
+definition
+  minimum :: "i \<Rightarrow> i \<Rightarrow> i" where
+  "minimum(r,B) \<equiv> THE b. b\<in>B \<and> (\<forall>y\<in>B. y \<noteq> b \<longrightarrow> \<langle>b, y\<rangle> \<in> r)"
+
+lemma well_ord_imp_min:
+  assumes 
+    "well_ord(A,r)" "B \<subseteq> A" "B \<noteq> 0"
+  shows 
+    "minimum(r,B) \<in> B" 
+proof -
+  from \<open>well_ord(A,r)\<close>
+  have "wf[A](r)"
+    using well_ord_is_wf[OF \<open>well_ord(A,r)\<close>] by simp
+  with \<open>B\<subseteq>A\<close>
+  have "wf[B](r)"
+    using Sigma_mono Int_mono wf_subset unfolding wf_on_def by simp
+  then
+  have "\<forall> x. x \<in> B \<longrightarrow> (\<exists>z\<in>B. \<forall>y. \<langle>y, z\<rangle> \<in> r\<inter>B\<times>B \<longrightarrow> y \<notin> B)"
+    unfolding wf_on_def using wf_eq_minimal
+    by blast
+  with \<open>B\<noteq>0\<close>
+  obtain z where
+    B: "z\<in>B \<and> (\<forall>y. \<langle>y,z\<rangle>\<in>r\<inter>B\<times>B \<longrightarrow> y\<notin>B)"
+    by blast
+  then
+  have "z\<in>B \<and> (\<forall>y\<in>B. y \<noteq> z \<longrightarrow> \<langle>z, y\<rangle> \<in> r)"
+  proof -
+    {
+      fix y
+      assume "y\<in>B" "y\<noteq>z"
+      with \<open>well_ord(A,r)\<close> B \<open>B\<subseteq>A\<close>
+      have "\<langle>z,y\<rangle>\<in>r|\<langle>y,z\<rangle>\<in>r|y=z"
+        unfolding well_ord_def tot_ord_def linear_def by auto
+      with B \<open>y\<in>B\<close> \<open>y\<noteq>z\<close>
+      have "\<langle>z,y\<rangle>\<in>r"
+        by (cases;auto)
+    }
+    with B
+    show ?thesis by blast
+  qed
+  have "v = z" if "v\<in>B \<and> (\<forall>y\<in>B. y \<noteq> v \<longrightarrow> \<langle>v, y\<rangle> \<in> r)" for v
+    using that B by auto
+  with \<open>z\<in>B \<and> (\<forall>y\<in>B. y \<noteq> z \<longrightarrow> \<langle>z, y\<rangle> \<in> r)\<close>
+  show ?thesis
+    unfolding minimum_def 
+    using the_equality2[OF ex1I[of "\<lambda>x .x\<in>B \<and> (\<forall>y\<in>B. y \<noteq> x \<longrightarrow> \<langle>x, y\<rangle> \<in> r)" z]]
+    by auto
+qed
+
+lemma well_ord_surj_imp_lepoll:
+  assumes "well_ord(A,r)" "h \<in> surj(A,B)"
+  shows "B \<lesssim> A"
+proof -
+  let ?f="\<lambda>b\<in>B. minimum(r, {a\<in>A. h`a=b})"
+  have "b \<in> B \<Longrightarrow> minimum(r, {a \<in> A . h ` a = b}) \<in> {a\<in>A. h`a=b}" for b
+  proof -
+    fix b
+    assume "b\<in>B"
+    with \<open>h \<in> surj(A,B)\<close>
+    have "\<exists>a\<in>A. h`a=b" 
+      unfolding surj_def by blast
+    then
+    have "{a\<in>A. h`a=b} \<noteq> 0"
+      by auto
+    with assms
+    show "minimum(r,{a\<in>A. h`a=b}) \<in> {a\<in>A. h`a=b}"
+      using well_ord_imp_min by blast
+  qed
+  moreover from this
+  have "?f : B \<rightarrow> A"
+      using lam_type[of B _ "\<lambda>_.A"] by simp
+  moreover 
+  have "?f ` w = ?f ` x \<Longrightarrow> w = x" if "w\<in>B" "x\<in>B" for w x
+  proof -
+    from calculation(1)[OF that(1)] calculation(1)[OF that(2)]
+    have "w = h ` minimum(r, {a \<in> A . h ` a = w})"
+         "x = h ` minimum(r, {a \<in> A . h ` a = x})"
+      by simp_all  
+    moreover
+    assume "?f ` w = ?f ` x"
+    moreover from this and that
+    have "minimum(r, {a \<in> A . h ` a = w}) = minimum(r, {a \<in> A . h ` a = x})"
+      by simp_all
+    moreover from calculation(1,2,4)
+    show "w=x" by simp
+    qed
+  ultimately
+  show ?thesis
+  unfolding lepoll_def inj_def by blast
+qed
+
+lemma (in forcing_data) surj_nat_MG :
+  "\<exists>f. f \<in> surj(nat,M[G])"
+proof -
+  let ?f="\<lambda>n\<in>nat. val(G,enum`n)"
+  have "x \<in> nat \<Longrightarrow> val(G, enum ` x)\<in> M[G]" for x
+    using GenExtD[THEN iffD2, of _ G] bij_is_fun[OF M_countable] by force
+  then
+  have "?f: nat \<rightarrow> M[G]"
+    using lam_type[of nat "\<lambda>n. val(G,enum`n)" "\<lambda>_.M[G]"] by simp
+  moreover
+  have "\<exists>n\<in>nat. ?f`n = x" if "x\<in>M[G]" for x
+    using that GenExtD[of _ G] bij_is_surj[OF M_countable] 
+    unfolding surj_def by auto
+  ultimately
+  show ?thesis
+    unfolding surj_def by blast
+qed
+
+lemma (in G_generic) MG_eqpoll_nat: "M[G] \<approx> nat"
+proof -
+  interpret MG: M_ZF_trans "M[G]"
+    using Transset_MG generic pairing_in_MG 
+      Union_MG  extensionality_in_MG power_in_MG
+      foundation_in_MG  strong_replacement_in_MG[simplified]
+      separation_in_MG[simplified] infinity_in_MG
+    by unfold_locales simp_all
+  obtain f where "f \<in> surj(nat,M[G])"
+    using surj_nat_MG by blast
+  then
+  have "M[G] \<lesssim> nat" 
+    using well_ord_surj_imp_lepoll well_ord_Memrel[of nat]
+    by simp
+  moreover
+  have "nat \<lesssim> M[G]"
+    using MG.nat_into_M subset_imp_lepoll by auto
+  ultimately
+  show ?thesis using eqpollI 
+    by simp
+qed
+
+subsection\<open>The main result\<close>
+
+theorem extensions_of_ctms:
+  assumes 
+    "M \<approx> nat" "Transset(M)" "M \<Turnstile> ZF"
+  shows 
+    "\<exists>N. 
+      M \<subseteq> N \<and> N \<approx> nat \<and> Transset(N) \<and> N \<Turnstile> ZF \<and> M\<noteq>N \<and>
+      (\<forall>\<alpha>. Ord(\<alpha>) \<longrightarrow> (\<alpha> \<in> M \<longleftrightarrow> \<alpha> \<in> N)) \<and>
+      (M, []\<Turnstile> AC \<longrightarrow> N \<Turnstile> ZFC)"
+proof -
+  from \<open>M \<approx> nat\<close>
+  obtain enum where "enum \<in> bij(nat,M)"
+    using eqpoll_sym unfolding eqpoll_def by blast
+  with assms
+  interpret M_ctm M enum
+    using M_ZF_iff_M_satT
+    by intro_locales (simp_all add:M_ctm_axioms_def)
+  interpret ctm_separative "2^<\<omega>" seqle 0 M enum
+  proof (unfold_locales)
+    fix f
+    let ?q="seq_upd(f,0)" and ?r="seq_upd(f,1)"
+    assume "f \<in> 2^<\<omega>"
+    then
+    have "?q \<preceq>s f \<and> ?r \<preceq>s f \<and> ?q \<bottom>s ?r" 
+      using upd_leI seqspace_separative by auto
+    moreover from calculation
+    have "?q \<in> 2^<\<omega>"  "?r \<in> 2^<\<omega>"
+      using seq_upd_type[of f 2] by auto
+    ultimately
+    show "\<exists>q\<in>2^<\<omega>.  \<exists>r\<in>2^<\<omega>. q \<preceq>s f \<and> r \<preceq>s f \<and> q \<bottom>s r"
+      by (rule_tac bexI)+ \<comment> \<open>why the heck auto-tools don't solve this?\<close>
+  next
+    show "2^<\<omega> \<in> M" using nat_into_M seqspace_closed by simp
+  next
+    show "seqle \<in> M" using seqle_in_M .
+  qed
+  from cohen_extension_is_proper
+  obtain G where "M_generic(G)" 
+    "M \<noteq> GenExt(G)" (is "M\<noteq>?N") 
+    by blast
+  then 
+  interpret G_generic "2^<\<omega>" seqle 0 _ enum G by unfold_locales
+  interpret MG: M_ZF "?N"
+    using generic pairing_in_MG 
+      Union_MG  extensionality_in_MG power_in_MG
+      foundation_in_MG  strong_replacement_in_MG[simplified]
+      separation_in_MG[simplified] infinity_in_MG
+    by unfold_locales simp_all
+  have "?N \<Turnstile> ZF" 
+    using M_ZF_iff_M_satT[of ?N] MG.M_ZF_axioms by simp
+  moreover 
+  have "M, []\<Turnstile> AC \<Longrightarrow> ?N \<Turnstile> ZFC"
+  proof -
+    assume "M, [] \<Turnstile> AC"
+    then
+    have "choice_ax(##M)"
+      unfolding ZF_choice_fm_def using ZF_choice_auto by simp
+    then
+    have "choice_ax(##?N)" using choice_in_MG by simp
+    with \<open>?N \<Turnstile> ZF\<close>
+    show "?N \<Turnstile> ZFC"
+      using ZF_choice_auto sats_ZFC_iff_sats_ZF_AC 
+      unfolding ZF_choice_fm_def by simp
+  qed
+  moreover
+  note \<open>M \<noteq> ?N\<close>
+  moreover
+  have "Transset(?N)" using Transset_MG .
+  moreover
+  have "M \<subseteq> ?N" using M_subset_MG[OF one_in_G] generic by simp
+  ultimately
+  show ?thesis
+    using Ord_MG_iff MG_eqpoll_nat
+    by (rule_tac x="?N" in exI, simp)
+qed
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Forcing_Notions.thy b/thys/Forcing/Forcing_Notions.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Forcing_Notions.thy
@@ -0,0 +1,464 @@
+section\<open>Forcing notions\<close>
+text\<open>This theory defines a locale for forcing notions, that is,
+ preorders with a distinguished maximum element.\<close>
+
+theory Forcing_Notions
+  imports "ZF-Constructible.Relative"
+begin
+
+subsection\<open>Basic concepts\<close>
+text\<open>We say that two elements $p,q$ are
+  \<^emph>\<open>compatible\<close> if they have a lower bound in $P$\<close>
+definition compat_in :: "i\<Rightarrow>i\<Rightarrow>i\<Rightarrow>i\<Rightarrow>o" where
+  "compat_in(A,r,p,q) \<equiv> \<exists>d\<in>A . \<langle>d,p\<rangle>\<in>r \<and> \<langle>d,q\<rangle>\<in>r"
+
+definition
+  is_compat_in :: "[i\<Rightarrow>o,i,i,i,i] \<Rightarrow> o" where
+  "is_compat_in(M,A,r,p,q) \<equiv> \<exists>d[M]. d\<in>A \<and> (\<exists>dp[M]. pair(M,d,p,dp) \<and> dp\<in>r \<and> 
+                                   (\<exists>dq[M]. pair(M,d,q,dq) \<and> dq\<in>r))"
+
+lemma compat_inI : 
+  "\<lbrakk> d\<in>A ; \<langle>d,p\<rangle>\<in>r ; \<langle>d,g\<rangle>\<in>r \<rbrakk> \<Longrightarrow> compat_in(A,r,p,g)"
+  by (auto simp add: compat_in_def)
+
+lemma refl_compat:
+  "\<lbrakk> refl(A,r) ; \<langle>p,q\<rangle> \<in> r | p=q | \<langle>q,p\<rangle> \<in> r ; p\<in>A ; q\<in>A\<rbrakk> \<Longrightarrow> compat_in(A,r,p,q)"
+  by (auto simp add: refl_def compat_inI)
+
+lemma  chain_compat:
+  "refl(A,r) \<Longrightarrow> linear(A,r) \<Longrightarrow>  (\<forall>p\<in>A.\<forall>q\<in>A. compat_in(A,r,p,q))"
+  by (simp add: refl_compat linear_def)
+
+lemma subset_fun_image: "f:N\<rightarrow>P \<Longrightarrow> f``N\<subseteq>P"
+  by (auto simp add: image_fun apply_funtype)
+
+lemma refl_monot_domain: "refl(B,r) \<Longrightarrow> A\<subseteq>B \<Longrightarrow> refl(A,r)"  
+  unfolding refl_def by blast
+
+definition
+  antichain :: "i\<Rightarrow>i\<Rightarrow>i\<Rightarrow>o" where
+  "antichain(P,leq,A) \<equiv> A\<subseteq>P \<and> (\<forall>p\<in>A.\<forall>q\<in>A.(\<not> compat_in(P,leq,p,q)))"
+
+definition 
+  ccc :: "i \<Rightarrow> i \<Rightarrow> o" where
+  "ccc(P,leq) \<equiv> \<forall>A. antichain(P,leq,A) \<longrightarrow> |A| \<le> nat"
+
+locale forcing_notion =
+  fixes P leq one
+  assumes one_in_P:         "one \<in> P"
+    and leq_preord:       "preorder_on(P,leq)"
+    and one_max:          "\<forall>p\<in>P. \<langle>p,one\<rangle>\<in>leq"
+begin
+
+abbreviation Leq :: "[i, i] \<Rightarrow> o"  (infixl "\<preceq>" 50)
+  where "x \<preceq> y \<equiv> \<langle>x,y\<rangle>\<in>leq"
+
+lemma refl_leq:
+  "r\<in>P \<Longrightarrow> r\<preceq>r"
+  using leq_preord unfolding preorder_on_def refl_def by simp
+
+text\<open>A set $D$ is \<^emph>\<open>dense\<close> if every element $p\in P$ has a lower 
+bound in $D$.\<close>
+definition 
+  dense :: "i\<Rightarrow>o" where
+  "dense(D) \<equiv> \<forall>p\<in>P. \<exists>d\<in>D . d\<preceq>p"
+
+text\<open>There is also a weaker definition which asks for 
+a lower bound in $D$ only for the elements below some fixed 
+element $q$.\<close>
+definition 
+  dense_below :: "i\<Rightarrow>i\<Rightarrow>o" where
+  "dense_below(D,q) \<equiv> \<forall>p\<in>P. p\<preceq>q \<longrightarrow> (\<exists>d\<in>D. d\<in>P \<and> d\<preceq>p)"
+
+lemma P_dense: "dense(P)"
+  by (insert leq_preord, auto simp add: preorder_on_def refl_def dense_def)
+
+definition 
+  increasing :: "i\<Rightarrow>o" where
+  "increasing(F) \<equiv> \<forall>x\<in>F. \<forall> p \<in> P . x\<preceq>p \<longrightarrow> p\<in>F"
+
+definition 
+  compat :: "i\<Rightarrow>i\<Rightarrow>o" where
+  "compat(p,q) \<equiv> compat_in(P,leq,p,q)"
+
+lemma leq_transD:  "a\<preceq>b \<Longrightarrow> b\<preceq>c \<Longrightarrow> a \<in> P\<Longrightarrow> b \<in> P\<Longrightarrow> c \<in> P\<Longrightarrow> a\<preceq>c"
+  using leq_preord trans_onD unfolding preorder_on_def by blast
+
+lemma leq_transD':  "A\<subseteq>P \<Longrightarrow> a\<preceq>b \<Longrightarrow> b\<preceq>c \<Longrightarrow> a \<in> A \<Longrightarrow> b \<in> P\<Longrightarrow> c \<in> P\<Longrightarrow> a\<preceq>c"
+  using leq_preord trans_onD subsetD unfolding preorder_on_def by blast
+
+
+lemma leq_reflI: "p\<in>P \<Longrightarrow> p\<preceq>p"
+  using leq_preord unfolding preorder_on_def refl_def by blast
+
+lemma compatD[dest!]: "compat(p,q) \<Longrightarrow> \<exists>d\<in>P. d\<preceq>p \<and> d\<preceq>q"
+  unfolding compat_def compat_in_def .
+
+abbreviation Incompatible :: "[i, i] \<Rightarrow> o"  (infixl "\<bottom>" 50)
+  where "p \<bottom> q \<equiv> \<not> compat(p,q)"
+
+lemma compatI[intro!]: "d\<in>P \<Longrightarrow> d\<preceq>p \<Longrightarrow> d\<preceq>q \<Longrightarrow> compat(p,q)"
+  unfolding compat_def compat_in_def by blast
+
+lemma denseD [dest]: "dense(D) \<Longrightarrow> p\<in>P \<Longrightarrow>  \<exists>d\<in>D. d\<preceq> p"
+  unfolding dense_def by blast
+
+lemma denseI [intro!]: "\<lbrakk> \<And>p. p\<in>P \<Longrightarrow> \<exists>d\<in>D. d\<preceq> p \<rbrakk> \<Longrightarrow> dense(D)"
+  unfolding dense_def by blast
+
+lemma dense_belowD [dest]:
+  assumes "dense_below(D,p)" "q\<in>P" "q\<preceq>p"
+  shows "\<exists>d\<in>D. d\<in>P \<and> d\<preceq>q"
+  using assms unfolding dense_below_def by simp
+    (*obtains d where "d\<in>D" "d\<in>P" "d\<preceq>q"
+  using assms unfolding dense_below_def by blast *)
+
+lemma dense_belowI [intro!]: 
+  assumes "\<And>q. q\<in>P \<Longrightarrow> q\<preceq>p \<Longrightarrow> \<exists>d\<in>D. d\<in>P \<and> d\<preceq>q" 
+  shows "dense_below(D,p)"
+  using assms unfolding dense_below_def by simp
+
+lemma dense_below_cong: "p\<in>P \<Longrightarrow> D = D' \<Longrightarrow> dense_below(D,p) \<longleftrightarrow> dense_below(D',p)"
+  by blast
+
+lemma dense_below_cong': "p\<in>P \<Longrightarrow> \<lbrakk>\<And>x. x\<in>P \<Longrightarrow> Q(x) \<longleftrightarrow> Q'(x)\<rbrakk> \<Longrightarrow> 
+           dense_below({q\<in>P. Q(q)},p) \<longleftrightarrow> dense_below({q\<in>P. Q'(q)},p)"
+  by blast
+
+lemma dense_below_mono: "p\<in>P \<Longrightarrow> D \<subseteq> D' \<Longrightarrow> dense_below(D,p) \<Longrightarrow> dense_below(D',p)"
+  by blast
+
+lemma dense_below_under:
+  assumes "dense_below(D,p)" "p\<in>P" "q\<in>P" "q\<preceq>p"
+  shows "dense_below(D,q)"
+  using assms leq_transD by blast
+
+lemma ideal_dense_below:
+  assumes "\<And>q. q\<in>P \<Longrightarrow> q\<preceq>p \<Longrightarrow> q\<in>D"
+  shows "dense_below(D,p)"
+  using assms leq_reflI by blast
+
+lemma dense_below_dense_below: 
+  assumes "dense_below({q\<in>P. dense_below(D,q)},p)" "p\<in>P" 
+  shows "dense_below(D,p)"  
+  using assms leq_transD leq_reflI  by blast
+    (* Long proof *)
+    (*  unfolding dense_below_def
+proof (intro ballI impI)
+  fix r
+  assume "r\<in>P" \<open>r\<preceq>p\<close>
+  with assms
+  obtain q where "q\<in>P" "q\<preceq>r" "dense_below(D,q)"
+    using assms by auto
+  moreover from this
+  obtain d where "d\<in>P" "d\<preceq>q" "d\<in>D"
+    using assms leq_preord unfolding preorder_on_def refl_def by blast
+  moreover
+  note \<open>r\<in>P\<close>
+  ultimately
+  show "\<exists>d\<in>D. d \<in> P \<and> d\<preceq> r"
+    using leq_preord trans_onD unfolding preorder_on_def by blast
+qed *)
+
+definition
+  antichain :: "i\<Rightarrow>o" where
+  "antichain(A) \<equiv> A\<subseteq>P \<and> (\<forall>p\<in>A.\<forall>q\<in>A.(\<not>compat(p,q)))"
+
+text\<open>A filter is an increasing set $G$ with all its elements 
+being compatible in $G$.\<close>
+definition 
+  filter :: "i\<Rightarrow>o" where
+  "filter(G) \<equiv> G\<subseteq>P \<and> increasing(G) \<and> (\<forall>p\<in>G. \<forall>q\<in>G. compat_in(G,leq,p,q))"
+
+lemma filterD : "filter(G) \<Longrightarrow> x \<in> G \<Longrightarrow> x \<in> P"
+  by (auto simp add : subsetD filter_def)
+
+lemma filter_leqD : "filter(G) \<Longrightarrow> x \<in> G \<Longrightarrow> y \<in> P \<Longrightarrow> x\<preceq>y \<Longrightarrow> y \<in> G"
+  by (simp add: filter_def increasing_def)
+
+lemma filter_imp_compat: "filter(G) \<Longrightarrow> p\<in>G \<Longrightarrow> q\<in>G \<Longrightarrow> compat(p,q)"
+  unfolding filter_def compat_in_def compat_def by blast
+
+lemma low_bound_filter: \<comment> \<open>says the compatibility is attained inside G\<close>
+  assumes "filter(G)" and "p\<in>G" and "q\<in>G"
+  shows "\<exists>r\<in>G. r\<preceq>p \<and> r\<preceq>q" 
+  using assms 
+  unfolding compat_in_def filter_def by blast
+
+text\<open>We finally introduce the upward closure of a set
+and prove that the closure of $A$ is a filter if its elements are
+compatible in $A$.\<close>
+definition  
+  upclosure :: "i\<Rightarrow>i" where
+  "upclosure(A) \<equiv> {p\<in>P.\<exists>a\<in>A. a\<preceq>p}"
+
+lemma  upclosureI [intro] : "p\<in>P \<Longrightarrow> a\<in>A \<Longrightarrow> a\<preceq>p \<Longrightarrow> p\<in>upclosure(A)"
+  by (simp add:upclosure_def, auto)
+
+lemma  upclosureE [elim] :
+  "p\<in>upclosure(A) \<Longrightarrow> (\<And>x a. x\<in>P \<Longrightarrow> a\<in>A \<Longrightarrow> a\<preceq>x \<Longrightarrow> R) \<Longrightarrow> R"
+  by (auto simp add:upclosure_def)
+
+lemma  upclosureD [dest] :
+  "p\<in>upclosure(A) \<Longrightarrow> \<exists>a\<in>A.(a\<preceq>p) \<and> p\<in>P"
+  by (simp add:upclosure_def)
+
+lemma upclosure_increasing :
+  assumes "A\<subseteq>P"
+  shows "increasing(upclosure(A))"
+  unfolding increasing_def upclosure_def
+  using leq_transD'[OF \<open>A\<subseteq>P\<close>] by auto
+
+lemma  upclosure_in_P: "A \<subseteq> P \<Longrightarrow> upclosure(A) \<subseteq> P"
+  using subsetI upclosure_def by simp
+
+lemma  A_sub_upclosure: "A \<subseteq> P \<Longrightarrow> A\<subseteq>upclosure(A)"
+  using subsetI leq_preord 
+  unfolding upclosure_def preorder_on_def refl_def by auto
+
+lemma  elem_upclosure: "A\<subseteq>P \<Longrightarrow> x\<in>A  \<Longrightarrow> x\<in>upclosure(A)"
+  by (blast dest:A_sub_upclosure)
+
+lemma  closure_compat_filter:
+  assumes "A\<subseteq>P" "(\<forall>p\<in>A.\<forall>q\<in>A. compat_in(A,leq,p,q))"
+  shows "filter(upclosure(A))"
+  unfolding filter_def
+proof(auto)
+  show "increasing(upclosure(A))"
+    using assms upclosure_increasing by simp
+next
+  let ?UA="upclosure(A)"
+  show "compat_in(upclosure(A), leq, p, q)" if "p\<in>?UA" "q\<in>?UA" for p q
+  proof -
+    from that
+    obtain a b where 1:"a\<in>A" "b\<in>A" "a\<preceq>p" "b\<preceq>q" "p\<in>P" "q\<in>P"
+      using upclosureD[OF \<open>p\<in>?UA\<close>] upclosureD[OF \<open>q\<in>?UA\<close>] by auto
+    with assms(2)
+    obtain d where "d\<in>A" "d\<preceq>a" "d\<preceq>b"
+      unfolding compat_in_def by auto
+    with 1
+    have 2:"d\<preceq>p" "d\<preceq>q" "d\<in>?UA"
+      using A_sub_upclosure[THEN subsetD] \<open>A\<subseteq>P\<close>
+        leq_transD'[of A d a] leq_transD'[of A d b] by auto
+    then
+    show ?thesis unfolding compat_in_def by auto
+  qed
+qed
+
+lemma  aux_RS1:  "f \<in> N \<rightarrow> P \<Longrightarrow> n\<in>N \<Longrightarrow> f`n \<in> upclosure(f ``N)"
+  using elem_upclosure[OF subset_fun_image] image_fun
+  by (simp, blast)
+
+lemma decr_succ_decr: 
+  assumes "f \<in> nat \<rightarrow> P" "preorder_on(P,leq)"
+    "\<forall>n\<in>nat.  \<langle>f ` succ(n), f ` n\<rangle> \<in> leq"
+    "m\<in>nat"
+  shows "n\<in>nat \<Longrightarrow> n\<le>m \<Longrightarrow> \<langle>f ` m, f ` n\<rangle> \<in> leq"
+  using \<open>m\<in>_\<close>
+proof(induct m)
+  case 0
+  then show ?case using assms leq_reflI by simp
+next
+  case (succ x)
+  then
+  have 1:"f`succ(x) \<preceq> f`x" "f`n\<in>P" "f`x\<in>P" "f`succ(x)\<in>P"
+    using assms by simp_all
+  consider (lt) "n<succ(x)" | (eq) "n=succ(x)"
+    using succ le_succ_iff by auto
+  then 
+  show ?case 
+  proof(cases)
+    case lt
+    with 1 show ?thesis using leI succ leq_transD by auto
+  next
+    case eq
+    with 1 show ?thesis using leq_reflI by simp
+  qed
+qed
+
+lemma decr_seq_linear: 
+  assumes "refl(P,leq)" "f \<in> nat \<rightarrow> P"
+    "\<forall>n\<in>nat.  \<langle>f ` succ(n), f ` n\<rangle> \<in> leq"
+    "trans[P](leq)"
+  shows "linear(f `` nat, leq)"
+proof -
+  have "preorder_on(P,leq)" 
+    unfolding preorder_on_def using assms by simp
+  {
+    fix n m
+    assume "n\<in>nat" "m\<in>nat"
+    then
+    have "f`m \<preceq> f`n \<or> f`n \<preceq> f`m"
+    proof(cases "m\<le>n")
+      case True
+      with \<open>n\<in>_\<close> \<open>m\<in>_\<close>
+      show ?thesis 
+        using decr_succ_decr[of f n m] assms leI \<open>preorder_on(P,leq)\<close> by simp
+    next
+      case False
+      with \<open>n\<in>_\<close> \<open>m\<in>_\<close>
+      show ?thesis 
+        using decr_succ_decr[of f m n] assms leI not_le_iff_lt \<open>preorder_on(P,leq)\<close> by simp
+    qed
+  }
+  then
+  show ?thesis
+    unfolding linear_def using ball_image_simp assms by auto
+qed
+
+end (* forcing_notion *)
+
+subsection\<open>Towards Rasiowa-Sikorski Lemma (RSL)\<close>
+locale countable_generic = forcing_notion +
+  fixes \<D>
+  assumes countable_subs_of_P:  "\<D> \<in> nat\<rightarrow>Pow(P)"
+    and     seq_of_denses:        "\<forall>n \<in> nat. dense(\<D>`n)"
+
+begin
+
+definition
+  D_generic :: "i\<Rightarrow>o" where
+  "D_generic(G) \<equiv> filter(G) \<and> (\<forall>n\<in>nat.(\<D>`n)\<inter>G\<noteq>0)"
+
+text\<open>The next lemma identifies a sufficient condition for obtaining
+RSL.\<close>
+lemma RS_sequence_imp_rasiowa_sikorski:
+  assumes 
+    "p\<in>P" "f : nat\<rightarrow>P" "f ` 0 = p"
+    "\<And>n. n\<in>nat \<Longrightarrow> f ` succ(n)\<preceq> f ` n \<and> f ` succ(n) \<in> \<D> ` n" 
+  shows
+    "\<exists>G. p\<in>G \<and> D_generic(G)"
+proof -
+  note assms
+  moreover from this 
+  have "f``nat  \<subseteq> P"
+    by (simp add:subset_fun_image)
+  moreover from calculation
+  have "refl(f``nat, leq) \<and> trans[P](leq)"
+    using leq_preord unfolding preorder_on_def by (blast intro:refl_monot_domain)
+  moreover from calculation 
+  have "\<forall>n\<in>nat.  f ` succ(n)\<preceq> f ` n" by (simp)
+  moreover from calculation
+  have "linear(f``nat, leq)"
+    using leq_preord and decr_seq_linear unfolding preorder_on_def by (blast)
+  moreover from calculation
+  have "(\<forall>p\<in>f``nat.\<forall>q\<in>f``nat. compat_in(f``nat,leq,p,q))"             
+    using chain_compat by (auto)
+  ultimately  
+  have "filter(upclosure(f``nat))" (is "filter(?G)")
+    using closure_compat_filter by simp
+  moreover
+  have "\<forall>n\<in>nat. \<D> ` n \<inter> ?G \<noteq> 0"
+  proof
+    fix n
+    assume "n\<in>nat"
+    with assms 
+    have "f`succ(n) \<in> ?G \<and> f`succ(n) \<in> \<D> ` n"
+      using aux_RS1 by simp
+    then 
+    show "\<D> ` n \<inter> ?G \<noteq> 0"  by blast
+  qed
+  moreover from assms 
+  have "p \<in> ?G"
+    using aux_RS1 by auto
+  ultimately 
+  show ?thesis unfolding D_generic_def by auto
+qed
+
+end (* countable_generic *)
+
+text\<open>Now, the following recursive definition will fulfill the 
+requirements of lemma \<^term>\<open>RS_sequence_imp_rasiowa_sikorski\<close> \<close>
+
+consts RS_seq :: "[i,i,i,i,i,i] \<Rightarrow> i"
+primrec
+  "RS_seq(0,P,leq,p,enum,\<D>) = p"
+  "RS_seq(succ(n),P,leq,p,enum,\<D>) = 
+    enum`(\<mu> m. \<langle>enum`m, RS_seq(n,P,leq,p,enum,\<D>)\<rangle> \<in> leq \<and> enum`m \<in> \<D> ` n)"
+
+context countable_generic
+begin
+
+lemma preimage_rangeD:
+  assumes "f\<in>Pi(A,B)" "b \<in> range(f)" 
+  shows "\<exists>a\<in>A. f`a = b"
+  using assms apply_equality[OF _ assms(1), of _ b] domain_type[OF _ assms(1)] by auto
+
+lemma countable_RS_sequence_aux:
+  fixes p enum
+  defines "f(n) \<equiv> RS_seq(n,P,leq,p,enum,\<D>)"
+    and   "Q(q,k,m) \<equiv> enum`m\<preceq> q \<and> enum`m \<in> \<D> ` k"
+  assumes "n\<in>nat" "p\<in>P" "P \<subseteq> range(enum)" "enum:nat\<rightarrow>M"
+    "\<And>x k. x\<in>P \<Longrightarrow> k\<in>nat \<Longrightarrow>  \<exists>q\<in>P. q\<preceq> x \<and> q \<in> \<D> ` k" 
+  shows 
+    "f(succ(n)) \<in> P \<and> f(succ(n))\<preceq> f(n) \<and> f(succ(n)) \<in> \<D> ` n"
+  using \<open>n\<in>nat\<close>
+proof (induct)
+  case 0
+  from assms 
+  obtain q where "q\<in>P" "q\<preceq> p" "q \<in> \<D> ` 0" by blast
+  moreover from this and \<open>P \<subseteq> range(enum)\<close>
+  obtain m where "m\<in>nat" "enum`m = q" 
+    using preimage_rangeD[OF \<open>enum:nat\<rightarrow>M\<close>] by blast
+  moreover 
+  have "\<D>`0 \<subseteq> P"
+    using apply_funtype[OF countable_subs_of_P] by simp
+  moreover note \<open>p\<in>P\<close>
+  ultimately
+  show ?case 
+    using LeastI[of "Q(p,0)" m] unfolding Q_def f_def by auto
+next
+  case (succ n)
+  with assms 
+  obtain q where "q\<in>P" "q\<preceq> f(succ(n))" "q \<in> \<D> ` succ(n)" by blast
+  moreover from this and \<open>P \<subseteq> range(enum)\<close>
+  obtain m where "m\<in>nat" "enum`m\<preceq> f(succ(n))" "enum`m \<in> \<D> ` succ(n)"
+    using preimage_rangeD[OF \<open>enum:nat\<rightarrow>M\<close>] by blast
+  moreover note succ
+  moreover from calculation
+  have "\<D>`succ(n) \<subseteq> P" 
+    using apply_funtype[OF countable_subs_of_P] by auto
+  ultimately
+  show ?case
+    using LeastI[of "Q(f(succ(n)),succ(n))" m] unfolding Q_def f_def by auto
+qed
+
+lemma countable_RS_sequence:
+  fixes p enum
+  defines "f \<equiv> \<lambda>n\<in>nat. RS_seq(n,P,leq,p,enum,\<D>)"
+    and   "Q(q,k,m) \<equiv> enum`m\<preceq> q \<and> enum`m \<in> \<D> ` k"
+  assumes "n\<in>nat" "p\<in>P" "P \<subseteq> range(enum)" "enum:nat\<rightarrow>M"
+  shows 
+    "f`0 = p" "f`succ(n)\<preceq> f`n \<and> f`succ(n) \<in> \<D> ` n" "f`succ(n) \<in> P"
+proof -
+  from assms
+  show "f`0 = p" by simp
+  {
+    fix x k
+    assume "x\<in>P" "k\<in>nat"
+    then
+    have "\<exists>q\<in>P. q\<preceq> x \<and> q \<in> \<D> ` k"
+      using seq_of_denses apply_funtype[OF countable_subs_of_P] 
+      unfolding dense_def by blast
+  }
+  with assms
+  show "f`succ(n)\<preceq> f`n \<and> f`succ(n) \<in> \<D> ` n" "f`succ(n)\<in>P"
+    unfolding f_def using countable_RS_sequence_aux by simp_all
+qed
+
+lemma RS_seq_type: 
+  assumes "n \<in> nat" "p\<in>P" "P \<subseteq> range(enum)" "enum:nat\<rightarrow>M"
+  shows "RS_seq(n,P,leq,p,enum,\<D>) \<in> P"
+  using assms countable_RS_sequence(1,3)  
+  by (induct;simp) 
+
+lemma RS_seq_funtype:
+  assumes "p\<in>P" "P \<subseteq> range(enum)" "enum:nat\<rightarrow>M"
+  shows "(\<lambda>n\<in>nat. RS_seq(n,P,leq,p,enum,\<D>)): nat \<rightarrow> P"
+  using assms lam_type RS_seq_type by auto
+
+lemmas countable_rasiowa_sikorski = 
+  RS_sequence_imp_rasiowa_sikorski[OF _ RS_seq_funtype countable_RS_sequence(1,2)]
+end (* countable_generic *)
+
+end
diff --git a/thys/Forcing/Forcing_Theorems.thy b/thys/Forcing/Forcing_Theorems.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Forcing_Theorems.thy
@@ -0,0 +1,1551 @@
+section\<open>The Forcing Theorems\<close>
+
+theory Forcing_Theorems
+  imports
+    Forces_Definition
+
+begin
+
+context forcing_data
+begin
+
+subsection\<open>The forcing relation in context\<close>
+
+abbreviation Forces :: "[i, i, i] \<Rightarrow> o"  ("_ \<tturnstile> _ _" [36,36,36] 60) where
+  "p \<tturnstile> \<phi> env   \<equiv>   M, ([p,P,leq,one] @ env) \<Turnstile> forces(\<phi>)"
+
+lemma Collect_forces :
+  assumes 
+    fty: "\<phi>\<in>formula" and
+    far: "arity(\<phi>)\<le>length(env)" and
+    envty: "env\<in>list(M)"
+  shows
+    "{p\<in>P . p \<tturnstile> \<phi> env} \<in> M"
+proof -
+  have "z\<in>P \<Longrightarrow> z\<in>M" for z
+    using P_in_M transitivity[of z P] by simp
+  moreover
+  have "separation(##M,\<lambda>p. (p \<tturnstile> \<phi> env))"
+        using separation_ax arity_forces far fty P_in_M leq_in_M one_in_M envty arity_forces_le
+    by simp
+  then 
+  have "Collect(P,\<lambda>p. (p \<tturnstile> \<phi> env))\<in>M"
+    using separation_closed P_in_M by simp
+  then show ?thesis by simp
+qed
+
+lemma forces_mem_iff_dense_below:  "p\<in>P \<Longrightarrow> forces_mem(p,t1,t2) \<longleftrightarrow> dense_below(
+    {q\<in>P. \<exists>s. \<exists>r. r\<in>P \<and> \<langle>s,r\<rangle> \<in> t2 \<and> q\<preceq>r \<and> forces_eq(q,t1,s)}
+    ,p)"
+  using def_forces_mem[of p t1 t2] by blast
+
+subsection\<open>Kunen 2013, Lemma IV.2.37(a)\<close>
+
+lemma strengthening_eq:
+  assumes "p\<in>P" "r\<in>P" "r\<preceq>p" "forces_eq(p,t1,t2)"
+  shows "forces_eq(r,t1,t2)"
+  using assms def_forces_eq[of _ t1 t2] leq_transD by blast
+(* Long proof *)
+(*
+proof -
+  {
+    fix s q
+    assume "q\<preceq> r" "q\<in>P"
+    with assms
+    have "q\<preceq>p"
+      using leq_preord unfolding preorder_on_def trans_on_def by blast
+    moreover 
+    note \<open>q\<in>P\<close> assms
+    moreover
+    assume "s\<in>domain(t1) \<union> domain(t2)" 
+    ultimately
+    have "forces_mem(q, s, t1) \<longleftrightarrow> forces_mem(q, s, t2)"
+      using def_forces_eq[of p t1 t2] by simp
+  }
+  with \<open>r\<in>P\<close>
+  show ?thesis using def_forces_eq[of r t1 t2] by blast
+qed
+*)
+
+subsection\<open>Kunen 2013, Lemma IV.2.37(a)\<close>
+lemma strengthening_mem: 
+  assumes "p\<in>P" "r\<in>P" "r\<preceq>p" "forces_mem(p,t1,t2)"
+  shows "forces_mem(r,t1,t2)"
+  using assms forces_mem_iff_dense_below dense_below_under by auto
+
+subsection\<open>Kunen 2013, Lemma IV.2.37(b)\<close>
+lemma density_mem: 
+  assumes "p\<in>P"
+  shows "forces_mem(p,t1,t2)  \<longleftrightarrow> dense_below({q\<in>P. forces_mem(q,t1,t2)},p)"
+proof
+  assume "forces_mem(p,t1,t2)"
+  with assms
+  show "dense_below({q\<in>P. forces_mem(q,t1,t2)},p)"
+    using forces_mem_iff_dense_below strengthening_mem[of p] ideal_dense_below by auto
+next
+  assume "dense_below({q \<in> P . forces_mem(q, t1, t2)}, p)"
+  with assms
+  have "dense_below({q\<in>P. 
+    dense_below({q'\<in>P. \<exists>s r. r \<in> P \<and> \<langle>s,r\<rangle>\<in>t2 \<and> q'\<preceq>r \<and> forces_eq(q',t1,s)},q)
+    },p)"
+    using forces_mem_iff_dense_below by simp
+  with assms
+  show "forces_mem(p,t1,t2)"
+    using dense_below_dense_below forces_mem_iff_dense_below[of p t1 t2] by blast
+qed
+
+lemma aux_density_eq:
+  assumes 
+    "dense_below(
+    {q'\<in>P. \<forall>q. q\<in>P \<and> q\<preceq>q' \<longrightarrow> forces_mem(q,s,t1) \<longleftrightarrow> forces_mem(q,s,t2)}
+    ,p)"
+    "forces_mem(q,s,t1)" "q\<in>P" "p\<in>P" "q\<preceq>p"
+  shows
+    "dense_below({r\<in>P. forces_mem(r,s,t2)},q)"
+proof
+  fix r
+  assume "r\<in>P" "r\<preceq>q"
+  moreover from this and \<open>p\<in>P\<close> \<open>q\<preceq>p\<close> \<open>q\<in>P\<close>
+  have "r\<preceq>p"
+    using leq_transD by simp
+  moreover
+  note \<open>forces_mem(q,s,t1)\<close> \<open>dense_below(_,p)\<close> \<open>q\<in>P\<close>
+  ultimately
+  obtain q1 where "q1\<preceq>r" "q1\<in>P" "forces_mem(q1,s,t2)"
+    using strengthening_mem[of q _ s t1] leq_reflI leq_transD[of _ r q] by blast
+  then
+  show "\<exists>d\<in>{r \<in> P . forces_mem(r, s, t2)}. d \<in> P \<and> d\<preceq> r"
+    by blast
+qed
+
+(* Kunen 2013, Lemma IV.2.37(b) *)
+lemma density_eq:
+  assumes "p\<in>P"
+  shows "forces_eq(p,t1,t2)  \<longleftrightarrow> dense_below({q\<in>P. forces_eq(q,t1,t2)},p)"
+proof
+  assume "forces_eq(p,t1,t2)"
+  with \<open>p\<in>P\<close>
+  show "dense_below({q\<in>P. forces_eq(q,t1,t2)},p)"
+    using strengthening_eq ideal_dense_below by auto
+next
+  assume "dense_below({q\<in>P. forces_eq(q,t1,t2)},p)"
+  {
+    fix s q 
+    let ?D1="{q'\<in>P. \<forall>s\<in>domain(t1) \<union> domain(t2). \<forall>q. q \<in> P \<and> q\<preceq>q' \<longrightarrow>
+           forces_mem(q,s,t1)\<longleftrightarrow>forces_mem(q,s,t2)}"
+    let ?D2="{q'\<in>P. \<forall>q. q\<in>P \<and> q\<preceq>q' \<longrightarrow> forces_mem(q,s,t1) \<longleftrightarrow> forces_mem(q,s,t2)}"
+    assume "s\<in>domain(t1) \<union> domain(t2)" 
+    then
+    have "?D1\<subseteq>?D2" by blast
+    with \<open>dense_below(_,p)\<close>
+    have "dense_below({q'\<in>P. \<forall>s\<in>domain(t1) \<union> domain(t2). \<forall>q. q \<in> P \<and> q\<preceq>q' \<longrightarrow>
+           forces_mem(q,s,t1)\<longleftrightarrow>forces_mem(q,s,t2)},p)"
+      using dense_below_cong'[OF \<open>p\<in>P\<close> def_forces_eq[of _ t1 t2]] by simp
+    with \<open>p\<in>P\<close> \<open>?D1\<subseteq>?D2\<close>
+    have "dense_below({q'\<in>P. \<forall>q. q\<in>P \<and> q\<preceq>q' \<longrightarrow> 
+            forces_mem(q,s,t1) \<longleftrightarrow> forces_mem(q,s,t2)},p)"
+      using dense_below_mono by simp
+    moreover from this (* Automatic tools can't handle this symmetry 
+                          in order to apply aux_density_eq below *)
+    have  "dense_below({q'\<in>P. \<forall>q. q\<in>P \<and> q\<preceq>q' \<longrightarrow> 
+            forces_mem(q,s,t2) \<longleftrightarrow> forces_mem(q,s,t1)},p)"
+      by blast
+    moreover
+    assume "q \<in> P" "q\<preceq>p"
+    moreover
+    note \<open>p\<in>P\<close>
+    ultimately (*We can omit the next step but it is slower *)
+    have "forces_mem(q,s,t1) \<Longrightarrow> dense_below({r\<in>P. forces_mem(r,s,t2)},q)"
+         "forces_mem(q,s,t2) \<Longrightarrow> dense_below({r\<in>P. forces_mem(r,s,t1)},q)" 
+      using aux_density_eq by simp_all
+    then
+    have "forces_mem(q, s, t1) \<longleftrightarrow> forces_mem(q, s, t2)"
+      using density_mem[OF \<open>q\<in>P\<close>] by blast
+  }
+  with \<open>p\<in>P\<close>
+  show "forces_eq(p,t1,t2)" using def_forces_eq by blast
+qed
+
+subsection\<open>Kunen 2013, Lemma IV.2.38\<close>
+lemma not_forces_neq:
+  assumes "p\<in>P"
+  shows "forces_eq(p,t1,t2) \<longleftrightarrow> \<not> (\<exists>q\<in>P. q\<preceq>p \<and> forces_neq(q,t1,t2))"
+  using assms density_eq unfolding forces_neq_def by blast
+
+
+lemma not_forces_nmem:
+  assumes "p\<in>P"
+  shows "forces_mem(p,t1,t2) \<longleftrightarrow> \<not> (\<exists>q\<in>P. q\<preceq>p \<and> forces_nmem(q,t1,t2))"
+  using assms density_mem unfolding forces_nmem_def by blast
+
+
+(* Use the newer versions in Forces_Definition! *)
+(* (and adequate the rest of the code to them)  *)
+
+lemma sats_forces_Nand':
+  assumes
+    "p\<in>P" "\<phi>\<in>formula" "\<psi>\<in>formula" "env \<in> list(M)" 
+  shows
+    "M, [p,P,leq,one] @ env \<Turnstile> forces(Nand(\<phi>,\<psi>)) \<longleftrightarrow> 
+     \<not>(\<exists>q\<in>M. q\<in>P \<and> is_leq(##M,leq,q,p) \<and> 
+           M, [q,P,leq,one] @ env \<Turnstile> forces(\<phi>) \<and> 
+           M, [q,P,leq,one] @ env \<Turnstile> forces(\<psi>))"
+  using assms sats_forces_Nand[OF assms(2-4) transitivity[OF \<open>p\<in>P\<close>]]
+  P_in_M leq_in_M one_in_M unfolding forces_def
+  by simp
+
+lemma sats_forces_Neg':
+  assumes
+    "p\<in>P" "env \<in> list(M)" "\<phi>\<in>formula"
+  shows
+    "M, [p,P,leq,one] @ env \<Turnstile> forces(Neg(\<phi>))   \<longleftrightarrow> 
+     \<not>(\<exists>q\<in>M. q\<in>P \<and> is_leq(##M,leq,q,p) \<and> 
+          M, [q,P,leq,one]@env \<Turnstile> forces(\<phi>))"
+  using assms sats_forces_Neg transitivity 
+  P_in_M leq_in_M one_in_M  unfolding forces_def
+  by (simp, blast)
+
+lemma sats_forces_Forall':
+  assumes
+    "p\<in>P" "env \<in> list(M)" "\<phi>\<in>formula"
+  shows
+    "M,[p,P,leq,one] @ env \<Turnstile> forces(Forall(\<phi>)) \<longleftrightarrow> 
+     (\<forall>x\<in>M.   M, [p,P,leq,one,x] @ env \<Turnstile> forces(\<phi>))"
+  using assms sats_forces_Forall transitivity 
+  P_in_M leq_in_M one_in_M sats_ren_forces_forall unfolding forces_def
+  by simp
+
+subsection\<open>The relation of forcing and atomic formulas\<close>
+lemma Forces_Equal:
+  assumes
+    "p\<in>P" "t1\<in>M" "t2\<in>M" "env\<in>list(M)" "nth(n,env) = t1" "nth(m,env) = t2" "n\<in>nat" "m\<in>nat" 
+  shows
+    "(p \<tturnstile> Equal(n,m) env) \<longleftrightarrow> forces_eq(p,t1,t2)"
+   using assms sats_forces_Equal forces_eq_abs transitivity P_in_M 
+  by simp
+
+lemma Forces_Member:
+  assumes
+    "p\<in>P" "t1\<in>M" "t2\<in>M" "env\<in>list(M)" "nth(n,env) = t1" "nth(m,env) = t2" "n\<in>nat" "m\<in>nat" 
+  shows
+    "(p \<tturnstile> Member(n,m) env) \<longleftrightarrow> forces_mem(p,t1,t2)"
+   using assms sats_forces_Member forces_mem_abs transitivity P_in_M
+  by simp
+
+lemma Forces_Neg:
+  assumes
+    "p\<in>P" "env \<in> list(M)" "\<phi>\<in>formula" 
+  shows
+    "(p \<tturnstile> Neg(\<phi>) env) \<longleftrightarrow> \<not>(\<exists>q\<in>M. q\<in>P \<and> q\<preceq>p \<and> (q \<tturnstile> \<phi> env))"
+    using assms sats_forces_Neg' transitivity 
+  P_in_M pair_in_M_iff leq_in_M leq_abs by simp
+ 
+subsection\<open>The relation of forcing and connectives\<close>
+
+lemma Forces_Nand:
+  assumes
+    "p\<in>P" "env \<in> list(M)" "\<phi>\<in>formula" "\<psi>\<in>formula"
+  shows
+    "(p \<tturnstile> Nand(\<phi>,\<psi>) env) \<longleftrightarrow> \<not>(\<exists>q\<in>M. q\<in>P \<and> q\<preceq>p \<and> (q \<tturnstile> \<phi> env) \<and> (q \<tturnstile> \<psi> env))"
+   using assms sats_forces_Nand' transitivity 
+  P_in_M pair_in_M_iff leq_in_M leq_abs by simp
+
+lemma Forces_And_aux:
+  assumes
+    "p\<in>P" "env \<in> list(M)" "\<phi>\<in>formula" "\<psi>\<in>formula"
+  shows
+    "p \<tturnstile> And(\<phi>,\<psi>) env   \<longleftrightarrow> 
+    (\<forall>q\<in>M. q\<in>P \<and> q\<preceq>p \<longrightarrow> (\<exists>r\<in>M. r\<in>P \<and> r\<preceq>q \<and> (r \<tturnstile> \<phi> env) \<and> (r \<tturnstile> \<psi> env)))"
+  unfolding And_def using assms Forces_Neg Forces_Nand by (auto simp only:)
+
+lemma Forces_And_iff_dense_below:
+  assumes
+    "p\<in>P" "env \<in> list(M)" "\<phi>\<in>formula" "\<psi>\<in>formula"
+  shows
+    "(p \<tturnstile> And(\<phi>,\<psi>) env) \<longleftrightarrow> dense_below({r\<in>P. (r \<tturnstile> \<phi> env) \<and> (r \<tturnstile> \<psi> env) },p)"
+  unfolding dense_below_def using Forces_And_aux assms
+    by (auto dest:transitivity[OF _ P_in_M]; rename_tac q; drule_tac x=q in bspec)+
+
+lemma Forces_Forall:
+  assumes
+    "p\<in>P" "env \<in> list(M)" "\<phi>\<in>formula"
+  shows
+    "(p \<tturnstile> Forall(\<phi>) env) \<longleftrightarrow> (\<forall>x\<in>M. (p \<tturnstile> \<phi> ([x] @ env)))"
+   using sats_forces_Forall' assms by simp
+
+(* "x\<in>val(G,\<pi>) \<Longrightarrow> \<exists>\<theta>. \<exists>p\<in>G.  \<langle>\<theta>,p\<rangle>\<in>\<pi> \<and> val(G,\<theta>) = x" *)
+bundle some_rules =  elem_of_val_pair [dest] SepReplace_iff [simp del] SepReplace_iff[iff]
+
+context 
+  includes some_rules
+begin
+
+lemma elem_of_valI: "\<exists>\<theta>. \<exists>p\<in>P. p\<in>G \<and> \<langle>\<theta>,p\<rangle>\<in>\<pi> \<and> val(G,\<theta>) = x \<Longrightarrow> x\<in>val(G,\<pi>)"
+  by (subst def_val, auto)
+
+lemma GenExtD: "x\<in>M[G] \<longleftrightarrow> (\<exists>\<tau>\<in>M. x = val(G,\<tau>))"
+  unfolding GenExt_def by simp
+
+lemma left_in_M : "tau\<in>M \<Longrightarrow> \<langle>a,b\<rangle>\<in>tau \<Longrightarrow> a\<in>M"
+  using fst_snd_closed[of "\<langle>a,b\<rangle>"] transitivity by auto
+
+
+subsection\<open>Kunen 2013, Lemma IV.2.29\<close>
+lemma generic_inter_dense_below: 
+  assumes "D\<in>M" "M_generic(G)" "dense_below(D,p)" "p\<in>G"
+  shows "D \<inter> G \<noteq> 0"
+proof -
+  let ?D="{q\<in>P. p\<bottom>q \<or> q\<in>D}"
+  have "dense(?D)"
+  proof
+    fix r
+    assume "r\<in>P"
+    show "\<exists>d\<in>{q \<in> P . p \<bottom> q \<or> q \<in> D}. d \<preceq> r"
+    proof (cases "p \<bottom> r")
+      case True
+      with \<open>r\<in>P\<close>
+        (* Automatic tools can't handle this case for some reason... *)
+      show ?thesis using leq_reflI[of r] by (intro bexI) (blast+)
+    next
+      case False
+      then
+      obtain s where "s\<in>P" "s\<preceq>p" "s\<preceq>r" by blast
+      with assms \<open>r\<in>P\<close>
+      show ?thesis
+        using dense_belowD[OF assms(3), of s] leq_transD[of _ s r]
+        by blast
+    qed
+  qed
+  have "?D\<subseteq>P" by auto
+  (* D\<in>M *)
+  let ?d_fm="Or(Neg(compat_in_fm(1,2,3,0)),Member(0,4))"
+  have 1:"p\<in>M" 
+    using \<open>M_generic(G)\<close> M_genericD transitivity[OF _ P_in_M]
+          \<open>p\<in>G\<close> by simp
+  moreover
+  have "?d_fm\<in>formula" by simp
+  moreover
+  have "arity(?d_fm) = 5" unfolding compat_in_fm_def pair_fm_def upair_fm_def
+    by (simp add: nat_union_abs1 Un_commute)
+  moreover
+  have "(M, [q,P,leq,p,D] \<Turnstile> ?d_fm) \<longleftrightarrow> (\<not> is_compat_in(##M,P,leq,p,q) \<or> q\<in>D)"
+    if "q\<in>M" for q
+    using that sats_compat_in_fm P_in_M leq_in_M 1 \<open>D\<in>M\<close> by simp
+  moreover
+  have "(\<not> is_compat_in(##M,P,leq,p,q) \<or> q\<in>D) \<longleftrightarrow> p\<bottom>q \<or> q\<in>D" if "q\<in>M" for q
+    unfolding compat_def using that compat_in_abs P_in_M leq_in_M 1 by simp
+  ultimately
+  have "?D\<in>M" using Collect_in_M_4p[of ?d_fm _ _ _ _ _"\<lambda>x y z w h. w\<bottom>x \<or> x\<in>h"] 
+                    P_in_M leq_in_M \<open>D\<in>M\<close> by simp
+  note asm = \<open>M_generic(G)\<close> \<open>dense(?D)\<close> \<open>?D\<subseteq>P\<close> \<open>?D\<in>M\<close>
+  obtain x where "x\<in>G" "x\<in>?D" using M_generic_denseD[OF asm]
+    by force (* by (erule bexE) does it, but the other automatic tools don't *)
+  moreover from this and \<open>M_generic(G)\<close>
+  have "x\<in>D"
+    using M_generic_compatD[OF _ \<open>p\<in>G\<close>, of x]
+      leq_reflI compatI[of _ p x] by force
+  ultimately
+  show ?thesis by auto
+qed
+
+subsection\<open>Auxiliary results for Lemma IV.2.40(a)\<close>
+lemma IV240a_mem_Collect:
+  assumes
+    "\<pi>\<in>M" "\<tau>\<in>M"
+  shows
+    "{q\<in>P. \<exists>\<sigma>. \<exists>r. r\<in>P \<and> \<langle>\<sigma>,r\<rangle> \<in> \<tau> \<and> q\<preceq>r \<and> forces_eq(q,\<pi>,\<sigma>)}\<in>M"
+proof -
+  let ?rel_pred= "\<lambda>M x a1 a2 a3 a4. \<exists>\<sigma>[M]. \<exists>r[M]. \<exists>\<sigma>r[M]. 
+                r\<in>a1 \<and> pair(M,\<sigma>,r,\<sigma>r) \<and> \<sigma>r\<in>a4 \<and> is_leq(M,a2,x,r) \<and> is_forces_eq'(M,a1,a2,x,a3,\<sigma>)"
+  let ?\<phi>="Exists(Exists(Exists(And(Member(1,4),And(pair_fm(2,1,0),
+          And(Member(0,7),And(leq_fm(5,3,1),forces_eq_fm(4,5,3,6,2))))))))" 
+  have "\<sigma>\<in>M \<and> r\<in>M" if "\<langle>\<sigma>, r\<rangle> \<in> \<tau>"  for \<sigma> r
+    using that \<open>\<tau>\<in>M\<close> pair_in_M_iff transitivity[of "\<langle>\<sigma>,r\<rangle>" \<tau>] by simp
+  then
+  have "?rel_pred(##M,q,P,leq,\<pi>,\<tau>) \<longleftrightarrow> (\<exists>\<sigma>. \<exists>r. r\<in>P \<and> \<langle>\<sigma>,r\<rangle> \<in> \<tau> \<and> q\<preceq>r \<and> forces_eq(q,\<pi>,\<sigma>))"
+    if "q\<in>M" for q
+    unfolding forces_eq_def using assms that P_in_M leq_in_M leq_abs forces_eq'_abs pair_in_M_iff 
+    by auto
+  moreover
+  have "(M, [q,P,leq,\<pi>,\<tau>] \<Turnstile> ?\<phi>) \<longleftrightarrow> ?rel_pred(##M,q,P,leq,\<pi>,\<tau>)" if "q\<in>M" for q
+    using assms that sats_forces_eq'_fm sats_leq_fm P_in_M leq_in_M by simp
+  moreover
+  have "?\<phi>\<in>formula" by simp
+  moreover
+  have "arity(?\<phi>)=5" 
+    unfolding leq_fm_def pair_fm_def upair_fm_def
+    using arity_forces_eq_fm by (simp add:nat_simp_union Un_commute)
+  ultimately
+  show ?thesis 
+    unfolding forces_eq_def using P_in_M leq_in_M assms 
+        Collect_in_M_4p[of ?\<phi> _ _ _ _ _ 
+            "\<lambda>q a1 a2 a3 a4. \<exists>\<sigma>. \<exists>r. r\<in>a1 \<and> \<langle>\<sigma>,r\<rangle> \<in> \<tau> \<and> q\<preceq>r \<and> forces_eq'(a1,a2,q,a3,\<sigma>)"] by simp
+qed
+
+(* Lemma IV.2.40(a), membership *)
+lemma IV240a_mem:
+  assumes
+    "M_generic(G)" "p\<in>G" "\<pi>\<in>M" "\<tau>\<in>M" "forces_mem(p,\<pi>,\<tau>)"
+    "\<And>q \<sigma>. q\<in>P \<Longrightarrow> q\<in>G \<Longrightarrow> \<sigma>\<in>domain(\<tau>) \<Longrightarrow> forces_eq(q,\<pi>,\<sigma>) \<Longrightarrow> 
+      val(G,\<pi>) = val(G,\<sigma>)" (* inductive hypothesis *)
+  shows
+    "val(G,\<pi>)\<in>val(G,\<tau>)"
+proof (intro elem_of_valI)
+  let ?D="{q\<in>P. \<exists>\<sigma>. \<exists>r. r\<in>P \<and> \<langle>\<sigma>,r\<rangle> \<in> \<tau> \<and> q\<preceq>r \<and> forces_eq(q,\<pi>,\<sigma>)}"
+  from \<open>M_generic(G)\<close> \<open>p\<in>G\<close>
+  have "p\<in>P" by blast
+  moreover
+  note \<open>\<pi>\<in>M\<close> \<open>\<tau>\<in>M\<close>
+  ultimately
+  have "?D \<in> M" using IV240a_mem_Collect by simp
+  moreover from assms \<open>p\<in>P\<close>
+  have "dense_below(?D,p)"
+    using forces_mem_iff_dense_below by simp
+  moreover
+  note \<open>M_generic(G)\<close> \<open>p\<in>G\<close>
+  ultimately
+  obtain q where "q\<in>G" "q\<in>?D" using generic_inter_dense_below by blast
+  then
+  obtain \<sigma> r where "r\<in>P" "\<langle>\<sigma>,r\<rangle> \<in> \<tau>" "q\<preceq>r" "forces_eq(q,\<pi>,\<sigma>)" by blast
+  moreover from this and \<open>q\<in>G\<close> assms
+  have "r \<in> G" "val(G,\<pi>) = val(G,\<sigma>)" by blast+
+  ultimately
+  show "\<exists> \<sigma>. \<exists>p\<in>P. p \<in> G \<and> \<langle>\<sigma>, p\<rangle> \<in> \<tau> \<and> val(G, \<sigma>) = val(G, \<pi>)" by auto
+qed
+
+(* Example IV.2.36 (next two lemmas) *)
+lemma refl_forces_eq:"p\<in>P \<Longrightarrow> forces_eq(p,x,x)"
+  using def_forces_eq by simp
+
+lemma forces_memI: "\<langle>\<sigma>,r\<rangle>\<in>\<tau> \<Longrightarrow> p\<in>P \<Longrightarrow> r\<in>P \<Longrightarrow> p\<preceq>r \<Longrightarrow> forces_mem(p,\<sigma>,\<tau>)"
+  using refl_forces_eq[of _ \<sigma>] leq_transD leq_reflI 
+  by (blast intro:forces_mem_iff_dense_below[THEN iffD2])
+
+(* Lemma IV.2.40(a), equality, first inclusion *)
+lemma IV240a_eq_1st_incl:
+  assumes
+    "M_generic(G)" "p\<in>G" "forces_eq(p,\<tau>,\<theta>)"
+    and
+    IH:"\<And>q \<sigma>. q\<in>P \<Longrightarrow> q\<in>G \<Longrightarrow> \<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>) \<Longrightarrow> 
+        (forces_mem(q,\<sigma>,\<tau>) \<longrightarrow> val(G,\<sigma>) \<in> val(G,\<tau>)) \<and>
+        (forces_mem(q,\<sigma>,\<theta>) \<longrightarrow> val(G,\<sigma>) \<in> val(G,\<theta>))"
+(* Strong enough for this case: *)
+(*  IH:"\<And>q \<sigma>. q\<in>P \<Longrightarrow> \<sigma>\<in>domain(\<tau>) \<Longrightarrow> forces_mem(q,\<sigma>,\<theta>) \<Longrightarrow> 
+      val(G,\<sigma>) \<in> val(G,\<theta>)" *)
+  shows
+    "val(G,\<tau>) \<subseteq> val(G,\<theta>)"
+proof
+  fix x
+  assume "x\<in>val(G,\<tau>)"
+  then
+  obtain \<sigma> r where "\<langle>\<sigma>,r\<rangle>\<in>\<tau>" "r\<in>G" "val(G,\<sigma>)=x" by blast
+  moreover from this and \<open>p\<in>G\<close> \<open>M_generic(G)\<close>
+  obtain q where "q\<in>G" "q\<preceq>p" "q\<preceq>r" by force
+  moreover from this and \<open>p\<in>G\<close> \<open>M_generic(G)\<close>
+  have "q\<in>P" "p\<in>P" by blast+
+  moreover from calculation and \<open>M_generic(G)\<close>
+  have "forces_mem(q,\<sigma>,\<tau>)"
+    using forces_memI by blast
+  moreover
+  note \<open>forces_eq(p,\<tau>,\<theta>)\<close>
+  ultimately
+  have "forces_mem(q,\<sigma>,\<theta>)"
+    using def_forces_eq by blast
+  with \<open>q\<in>P\<close> \<open>q\<in>G\<close> IH[of q \<sigma>] \<open>\<langle>\<sigma>,r\<rangle>\<in>\<tau>\<close> \<open>val(G,\<sigma>) = x\<close>
+  show "x\<in>val(G,\<theta>)" by (blast)
+qed
+
+(* Lemma IV.2.40(a), equality, second inclusion--- COPY-PASTE *)
+lemma IV240a_eq_2nd_incl:
+  assumes
+    "M_generic(G)" "p\<in>G" "forces_eq(p,\<tau>,\<theta>)"
+    and
+    IH:"\<And>q \<sigma>. q\<in>P \<Longrightarrow> q\<in>G \<Longrightarrow> \<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>) \<Longrightarrow> 
+        (forces_mem(q,\<sigma>,\<tau>) \<longrightarrow> val(G,\<sigma>) \<in> val(G,\<tau>)) \<and>
+        (forces_mem(q,\<sigma>,\<theta>) \<longrightarrow> val(G,\<sigma>) \<in> val(G,\<theta>))"
+  shows
+    "val(G,\<theta>) \<subseteq> val(G,\<tau>)"
+proof
+  fix x
+  assume "x\<in>val(G,\<theta>)"
+  then
+  obtain \<sigma> r where "\<langle>\<sigma>,r\<rangle>\<in>\<theta>" "r\<in>G" "val(G,\<sigma>)=x" by blast
+  moreover from this and \<open>p\<in>G\<close> \<open>M_generic(G)\<close>
+  obtain q where "q\<in>G" "q\<preceq>p" "q\<preceq>r" by force
+  moreover from this and \<open>p\<in>G\<close> \<open>M_generic(G)\<close>
+  have "q\<in>P" "p\<in>P" by blast+
+  moreover from calculation and \<open>M_generic(G)\<close>
+  have "forces_mem(q,\<sigma>,\<theta>)"
+    using forces_memI by blast
+  moreover
+  note \<open>forces_eq(p,\<tau>,\<theta>)\<close>
+  ultimately
+  have "forces_mem(q,\<sigma>,\<tau>)"
+    using def_forces_eq by blast
+  with \<open>q\<in>P\<close> \<open>q\<in>G\<close> IH[of q \<sigma>] \<open>\<langle>\<sigma>,r\<rangle>\<in>\<theta>\<close> \<open>val(G,\<sigma>) = x\<close>
+  show "x\<in>val(G,\<tau>)" by (blast)
+qed
+
+(* Lemma IV.2.40(a), equality, second inclusion--- COPY-PASTE *)
+lemma IV240a_eq:
+  assumes
+    "M_generic(G)" "p\<in>G" "forces_eq(p,\<tau>,\<theta>)"
+    and
+    IH:"\<And>q \<sigma>. q\<in>P \<Longrightarrow> q\<in>G \<Longrightarrow> \<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>) \<Longrightarrow> 
+        (forces_mem(q,\<sigma>,\<tau>) \<longrightarrow> val(G,\<sigma>) \<in> val(G,\<tau>)) \<and>
+        (forces_mem(q,\<sigma>,\<theta>) \<longrightarrow> val(G,\<sigma>) \<in> val(G,\<theta>))"
+  shows
+    "val(G,\<tau>) = val(G,\<theta>)"
+  using IV240a_eq_1st_incl[OF assms] IV240a_eq_2nd_incl[OF assms] IH by blast 
+
+subsection\<open>Induction on names\<close>
+
+lemma core_induction:
+  assumes
+    "\<And>\<tau> \<theta> p. p \<in> P \<Longrightarrow> \<lbrakk>\<And>q \<sigma>. \<lbrakk>q\<in>P ; \<sigma>\<in>domain(\<theta>)\<rbrakk> \<Longrightarrow> Q(0,\<tau>,\<sigma>,q)\<rbrakk> \<Longrightarrow> Q(1,\<tau>,\<theta>,p)"
+    "\<And>\<tau> \<theta> p. p \<in> P \<Longrightarrow> \<lbrakk>\<And>q \<sigma>. \<lbrakk>q\<in>P ; \<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>)\<rbrakk> \<Longrightarrow> Q(1,\<sigma>,\<tau>,q) \<and> Q(1,\<sigma>,\<theta>,q)\<rbrakk> \<Longrightarrow> Q(0,\<tau>,\<theta>,p)"
+    "ft \<in> 2" "p \<in> P"
+  shows
+    "Q(ft,\<tau>,\<theta>,p)"
+proof -
+  {
+    fix ft p \<tau> \<theta>
+    have "Transset(eclose({\<tau>,\<theta>}))" (is "Transset(?e)") 
+      using Transset_eclose by simp
+    have "\<tau> \<in> ?e" "\<theta> \<in> ?e" 
+      using arg_into_eclose by simp_all
+    moreover
+    assume "ft \<in> 2" "p \<in> P"
+    ultimately
+    have "\<langle>ft,\<tau>,\<theta>,p\<rangle>\<in> 2\<times>?e\<times>?e\<times>P" (is "?a\<in>2\<times>?e\<times>?e\<times>P") by simp
+    then 
+    have "Q(ftype(?a), name1(?a), name2(?a), cond_of(?a))"
+      using core_induction_aux[of ?e P Q ?a,OF \<open>Transset(?e)\<close> assms(1,2) \<open>?a\<in>_\<close>] 
+      by (clarify) (blast)
+    then have "Q(ft,\<tau>,\<theta>,p)" by (simp add:components_simp)
+  }
+  then show ?thesis using assms by simp
+qed
+
+lemma forces_induction_with_conds:
+  assumes
+    "\<And>\<tau> \<theta> p. p \<in> P \<Longrightarrow> \<lbrakk>\<And>q \<sigma>. \<lbrakk>q\<in>P ; \<sigma>\<in>domain(\<theta>)\<rbrakk> \<Longrightarrow> Q(q,\<tau>,\<sigma>)\<rbrakk> \<Longrightarrow> R(p,\<tau>,\<theta>)"
+    "\<And>\<tau> \<theta> p. p \<in> P \<Longrightarrow> \<lbrakk>\<And>q \<sigma>. \<lbrakk>q\<in>P ; \<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>)\<rbrakk> \<Longrightarrow> R(q,\<sigma>,\<tau>) \<and> R(q,\<sigma>,\<theta>)\<rbrakk> \<Longrightarrow> Q(p,\<tau>,\<theta>)"
+    "p \<in> P"
+  shows
+    "Q(p,\<tau>,\<theta>) \<and> R(p,\<tau>,\<theta>)"
+proof -
+  let ?Q="\<lambda>ft \<tau> \<theta> p. (ft = 0 \<longrightarrow> Q(p,\<tau>,\<theta>)) \<and> (ft = 1 \<longrightarrow> R(p,\<tau>,\<theta>))"
+  from assms(1)
+  have "\<And>\<tau> \<theta> p. p \<in> P \<Longrightarrow> \<lbrakk>\<And>q \<sigma>. \<lbrakk>q\<in>P ; \<sigma>\<in>domain(\<theta>)\<rbrakk> \<Longrightarrow> ?Q(0,\<tau>,\<sigma>,q)\<rbrakk> \<Longrightarrow> ?Q(1,\<tau>,\<theta>,p)"
+    by simp
+  moreover from assms(2)
+  have "\<And>\<tau> \<theta> p. p \<in> P \<Longrightarrow> \<lbrakk>\<And>q \<sigma>. \<lbrakk>q\<in>P ; \<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>)\<rbrakk> \<Longrightarrow> ?Q(1,\<sigma>,\<tau>,q) \<and> ?Q(1,\<sigma>,\<theta>,q)\<rbrakk> \<Longrightarrow> ?Q(0,\<tau>,\<theta>,p)"
+    by simp
+  moreover
+  note \<open>p\<in>P\<close>
+  ultimately
+  have "?Q(ft,\<tau>,\<theta>,p)" if "ft\<in>2" for ft
+    by (rule core_induction[OF _ _ that, of ?Q])
+  then
+  show ?thesis by auto
+qed
+
+lemma forces_induction:
+  assumes
+    "\<And>\<tau> \<theta>. \<lbrakk>\<And>\<sigma>. \<sigma>\<in>domain(\<theta>) \<Longrightarrow> Q(\<tau>,\<sigma>)\<rbrakk> \<Longrightarrow> R(\<tau>,\<theta>)"
+    "\<And>\<tau> \<theta>. \<lbrakk>\<And>\<sigma>. \<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>) \<Longrightarrow> R(\<sigma>,\<tau>) \<and> R(\<sigma>,\<theta>)\<rbrakk> \<Longrightarrow> Q(\<tau>,\<theta>)"
+  shows
+    "Q(\<tau>,\<theta>) \<and> R(\<tau>,\<theta>)"
+proof (intro forces_induction_with_conds[OF _ _ one_in_P ])
+  fix \<tau> \<theta> p 
+  assume "q \<in> P \<Longrightarrow> \<sigma> \<in> domain(\<theta>) \<Longrightarrow> Q(\<tau>, \<sigma>)" for q \<sigma>
+  with assms(1)
+  show "R(\<tau>,\<theta>)"
+    using one_in_P by simp
+next
+  fix \<tau> \<theta> p 
+    assume "q \<in> P \<Longrightarrow> \<sigma> \<in> domain(\<tau>) \<union> domain(\<theta>) \<Longrightarrow> R(\<sigma>,\<tau>) \<and> R(\<sigma>,\<theta>)" for q \<sigma>
+    with assms(2)
+    show "Q(\<tau>,\<theta>)"
+      using one_in_P by simp
+qed
+
+subsection\<open>Lemma IV.2.40(a), in full\<close>
+lemma IV240a:
+  assumes
+    "M_generic(G)"
+  shows 
+    "(\<tau>\<in>M \<longrightarrow> \<theta>\<in>M \<longrightarrow> (\<forall>p\<in>G. forces_eq(p,\<tau>,\<theta>) \<longrightarrow> val(G,\<tau>) = val(G,\<theta>))) \<and> 
+     (\<tau>\<in>M \<longrightarrow> \<theta>\<in>M \<longrightarrow> (\<forall>p\<in>G. forces_mem(p,\<tau>,\<theta>) \<longrightarrow> val(G,\<tau>) \<in> val(G,\<theta>)))"
+    (is "?Q(\<tau>,\<theta>) \<and> ?R(\<tau>,\<theta>)")
+proof (intro forces_induction[of ?Q ?R] impI)
+  fix \<tau> \<theta> 
+  assume "\<tau>\<in>M" "\<theta>\<in>M"  "\<sigma>\<in>domain(\<theta>) \<Longrightarrow> ?Q(\<tau>,\<sigma>)" for \<sigma>
+  moreover from this
+  have "\<sigma>\<in>domain(\<theta>) \<Longrightarrow> forces_eq(q, \<tau>, \<sigma>) \<Longrightarrow> val(G, \<tau>) = val(G, \<sigma>)" 
+    if "q\<in>P" "q\<in>G" for q \<sigma>
+    using that domain_closed[of \<theta>] transitivity by auto
+  moreover 
+  note assms
+  ultimately
+  show "\<forall>p\<in>G. forces_mem(p,\<tau>,\<theta>) \<longrightarrow> val(G,\<tau>) \<in> val(G,\<theta>)"
+    using IV240a_mem domain_closed transitivity by (simp)
+next
+  fix \<tau> \<theta> 
+  assume "\<tau>\<in>M" "\<theta>\<in>M" "\<sigma> \<in> domain(\<tau>) \<union> domain(\<theta>) \<Longrightarrow> ?R(\<sigma>,\<tau>) \<and> ?R(\<sigma>,\<theta>)" for \<sigma>
+  moreover from this
+  have IH':"\<sigma> \<in> domain(\<tau>) \<union> domain(\<theta>) \<Longrightarrow> q\<in>G \<Longrightarrow>
+            (forces_mem(q, \<sigma>, \<tau>) \<longrightarrow> val(G, \<sigma>) \<in> val(G, \<tau>)) \<and> 
+            (forces_mem(q, \<sigma>, \<theta>) \<longrightarrow> val(G, \<sigma>) \<in> val(G, \<theta>))" for q \<sigma> 
+    by (auto intro:  transitivity[OF _ domain_closed[simplified]])
+  ultimately
+  show "\<forall>p\<in>G. forces_eq(p,\<tau>,\<theta>) \<longrightarrow> val(G,\<tau>) = val(G,\<theta>)"
+    using IV240a_eq[OF assms(1) _ _ IH'] by (simp)
+qed
+
+subsection\<open>Lemma IV.2.40(b)\<close>
+(* Lemma IV.2.40(b), membership *)
+lemma IV240b_mem:
+  assumes
+    "M_generic(G)" "val(G,\<pi>)\<in>val(G,\<tau>)" "\<pi>\<in>M" "\<tau>\<in>M"
+    and
+    IH:"\<And>\<sigma>. \<sigma>\<in>domain(\<tau>) \<Longrightarrow> val(G,\<pi>) = val(G,\<sigma>) \<Longrightarrow> 
+      \<exists>p\<in>G. forces_eq(p,\<pi>,\<sigma>)" (* inductive hypothesis *)
+  shows
+    "\<exists>p\<in>G. forces_mem(p,\<pi>,\<tau>)"
+proof -
+  from \<open>val(G,\<pi>)\<in>val(G,\<tau>)\<close>
+  obtain \<sigma> r where "r\<in>G" "\<langle>\<sigma>,r\<rangle>\<in>\<tau>" "val(G,\<pi>) = val(G,\<sigma>)" by auto
+  moreover from this and IH
+  obtain p' where "p'\<in>G" "forces_eq(p',\<pi>,\<sigma>)" by blast
+  moreover
+  note \<open>M_generic(G)\<close>
+  ultimately
+  obtain p where "p\<preceq>r" "p\<in>G" "forces_eq(p,\<pi>,\<sigma>)" 
+    using M_generic_compatD strengthening_eq[of p'] by blast
+  moreover 
+  note \<open>M_generic(G)\<close>
+  moreover from calculation
+  have "forces_eq(q,\<pi>,\<sigma>)" if "q\<in>P" "q\<preceq>p" for q
+    using that strengthening_eq by blast
+  moreover 
+  note \<open>\<langle>\<sigma>,r\<rangle>\<in>\<tau>\<close> \<open>r\<in>G\<close>
+  ultimately
+  have "r\<in>P \<and> \<langle>\<sigma>,r\<rangle> \<in> \<tau> \<and> q\<preceq>r \<and> forces_eq(q,\<pi>,\<sigma>)" if "q\<in>P" "q\<preceq>p" for q
+    using that leq_transD[of _ p r] by blast
+  then
+  have "dense_below({q\<in>P. \<exists>s r. r\<in>P \<and> \<langle>s,r\<rangle> \<in> \<tau> \<and> q\<preceq>r \<and> forces_eq(q,\<pi>,s)},p)"
+    using leq_reflI by blast
+  moreover
+  note \<open>M_generic(G)\<close> \<open>p\<in>G\<close>
+  moreover from calculation
+  have "forces_mem(p,\<pi>,\<tau>)" 
+    using forces_mem_iff_dense_below by blast
+  ultimately
+  show ?thesis by blast
+qed
+
+end (* includes *)
+
+lemma Collect_forces_eq_in_M:
+  assumes "\<tau> \<in> M" "\<theta> \<in> M"
+  shows "{p\<in>P. forces_eq(p,\<tau>,\<theta>)} \<in> M"
+  using assms Collect_in_M_4p[of "forces_eq_fm(1,2,0,3,4)" P leq \<tau> \<theta> 
+                                  "\<lambda>A x p l t1 t2. is_forces_eq(x,t1,t2)"
+                                  "\<lambda> x p l t1 t2. forces_eq(x,t1,t2)" P] 
+        arity_forces_eq_fm P_in_M leq_in_M sats_forces_eq_fm forces_eq_abs forces_eq_fm_type 
+  by (simp add: nat_union_abs1 Un_commute)
+
+lemma IV240b_eq_Collects:
+  assumes "\<tau> \<in> M" "\<theta> \<in> M"
+  shows "{p\<in>P. \<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_mem(p,\<sigma>,\<tau>) \<and> forces_nmem(p,\<sigma>,\<theta>)}\<in>M" and
+        "{p\<in>P. \<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_nmem(p,\<sigma>,\<tau>) \<and> forces_mem(p,\<sigma>,\<theta>)}\<in>M"
+proof -
+  let ?rel_pred="\<lambda>M x a1 a2 a3 a4. 
+        \<exists>\<sigma>[M]. \<exists>u[M]. \<exists>da3[M]. \<exists>da4[M]. is_domain(M,a3,da3) \<and> is_domain(M,a4,da4) \<and> 
+          union(M,da3,da4,u) \<and> \<sigma>\<in>u \<and> is_forces_mem'(M,a1,a2,x,\<sigma>,a3) \<and> 
+          is_forces_nmem'(M,a1,a2,x,\<sigma>,a4)"
+  let ?\<phi>="Exists(Exists(Exists(Exists(And(domain_fm(7,1),And(domain_fm(8,0),
+          And(union_fm(1,0,2),And(Member(3,2),And(forces_mem_fm(5,6,4,3,7),
+                              forces_nmem_fm(5,6,4,3,8))))))))))" 
+  have 1:"\<sigma>\<in>M" if "\<langle>\<sigma>,y\<rangle>\<in>\<delta>" "\<delta>\<in>M" for \<sigma> \<delta> y
+    using that pair_in_M_iff transitivity[of "\<langle>\<sigma>,y\<rangle>" \<delta>] by simp
+  have abs1:"?rel_pred(##M,p,P,leq,\<tau>,\<theta>) \<longleftrightarrow> 
+        (\<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_mem'(P,leq,p,\<sigma>,\<tau>) \<and> forces_nmem'(P,leq,p,\<sigma>,\<theta>))" 
+        if "p\<in>M" for p
+    unfolding forces_mem_def forces_nmem_def
+    using assms that forces_mem'_abs forces_nmem'_abs P_in_M leq_in_M 
+      domain_closed Un_closed 
+    by (auto simp add:1[of _ _ \<tau>] 1[of _ _ \<theta>])
+  have abs2:"?rel_pred(##M,p,P,leq,\<theta>,\<tau>) \<longleftrightarrow> (\<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). 
+        forces_nmem'(P,leq,p,\<sigma>,\<tau>) \<and> forces_mem'(P,leq,p,\<sigma>,\<theta>))" if "p\<in>M" for p
+    unfolding forces_mem_def forces_nmem_def
+    using assms that forces_mem'_abs forces_nmem'_abs P_in_M leq_in_M 
+      domain_closed Un_closed 
+    by (auto simp add:1[of _ _ \<tau>] 1[of _ _ \<theta>])
+  have fsats1:"(M,[p,P,leq,\<tau>,\<theta>] \<Turnstile> ?\<phi>) \<longleftrightarrow> ?rel_pred(##M,p,P,leq,\<tau>,\<theta>)" if "p\<in>M" for p
+    using that assms sats_forces_mem'_fm sats_forces_nmem'_fm P_in_M leq_in_M
+      domain_closed Un_closed by simp
+  have fsats2:"(M,[p,P,leq,\<theta>,\<tau>] \<Turnstile> ?\<phi>) \<longleftrightarrow> ?rel_pred(##M,p,P,leq,\<theta>,\<tau>)" if "p\<in>M" for p
+    using that assms sats_forces_mem'_fm sats_forces_nmem'_fm P_in_M leq_in_M
+      domain_closed Un_closed by simp
+  have fty:"?\<phi>\<in>formula" by simp
+  have farit:"arity(?\<phi>)=5"
+    unfolding forces_nmem_fm_def domain_fm_def pair_fm_def upair_fm_def union_fm_def
+    using arity_forces_mem_fm by (simp add:nat_simp_union Un_commute)
+    show 
+    "{p \<in> P . \<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_mem(p, \<sigma>, \<tau>) \<and> forces_nmem(p, \<sigma>, \<theta>)} \<in> M"
+    and "{p \<in> P . \<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_nmem(p, \<sigma>, \<tau>) \<and> forces_mem(p, \<sigma>, \<theta>)} \<in> M"
+    unfolding forces_mem_def
+    using abs1 fty fsats1 farit P_in_M leq_in_M assms forces_nmem
+          Collect_in_M_4p[of ?\<phi> _ _ _ _ _ 
+          "\<lambda>x p l a1 a2. (\<exists>\<sigma>\<in>domain(a1) \<union> domain(a2). forces_mem'(p,l,x,\<sigma>,a1) \<and> 
+                                                     forces_nmem'(p,l,x,\<sigma>,a2))"]
+    using abs2 fty fsats2 farit P_in_M leq_in_M assms forces_nmem domain_closed Un_closed
+          Collect_in_M_4p[of ?\<phi> P leq \<theta> \<tau> ?rel_pred 
+          "\<lambda>x p l a2 a1. (\<exists>\<sigma>\<in>domain(a1) \<union> domain(a2). forces_nmem'(p,l,x,\<sigma>,a1) \<and> 
+                                                     forces_mem'(p,l,x,\<sigma>,a2))" P]  
+    by simp_all
+qed
+
+(* Lemma IV.2.40(b), equality *)
+lemma IV240b_eq:
+  assumes
+    "M_generic(G)" "val(G,\<tau>) = val(G,\<theta>)" "\<tau>\<in>M" "\<theta>\<in>M" 
+    and
+    IH:"\<And>\<sigma>. \<sigma>\<in>domain(\<tau>)\<union>domain(\<theta>) \<Longrightarrow> 
+      (val(G,\<sigma>)\<in>val(G,\<tau>) \<longrightarrow> (\<exists>q\<in>G. forces_mem(q,\<sigma>,\<tau>))) \<and> 
+      (val(G,\<sigma>)\<in>val(G,\<theta>) \<longrightarrow> (\<exists>q\<in>G. forces_mem(q,\<sigma>,\<theta>)))"
+    (* inductive hypothesis *)
+  shows
+    "\<exists>p\<in>G. forces_eq(p,\<tau>,\<theta>)"
+proof -
+  let ?D1="{p\<in>P. forces_eq(p,\<tau>,\<theta>)}"
+  let ?D2="{p\<in>P. \<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_mem(p,\<sigma>,\<tau>) \<and> forces_nmem(p,\<sigma>,\<theta>)}"
+  let ?D3="{p\<in>P. \<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_nmem(p,\<sigma>,\<tau>) \<and> forces_mem(p,\<sigma>,\<theta>)}"
+  let ?D="?D1 \<union> ?D2 \<union> ?D3"
+  note assms
+  moreover from this
+  have "domain(\<tau>) \<union> domain(\<theta>)\<in>M" (is "?B\<in>M") using domain_closed Un_closed by auto
+  moreover from calculation
+  have "?D2\<in>M" and "?D3\<in>M" using IV240b_eq_Collects by simp_all
+  ultimately
+  have "?D\<in>M" using Collect_forces_eq_in_M Un_closed by auto
+  moreover
+  have "dense(?D)"
+  proof
+    fix p
+    assume "p\<in>P"
+    have "\<exists>d\<in>P. (forces_eq(d, \<tau>, \<theta>) \<or>
+            (\<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_mem(d, \<sigma>, \<tau>) \<and> forces_nmem(d, \<sigma>, \<theta>)) \<or>
+            (\<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_nmem(d, \<sigma>, \<tau>) \<and> forces_mem(d, \<sigma>, \<theta>))) \<and>
+           d \<preceq> p" 
+    proof (cases "forces_eq(p, \<tau>, \<theta>)")
+      case True
+      with \<open>p\<in>P\<close> 
+      show ?thesis using leq_reflI by blast
+    next
+      case False
+      moreover note \<open>p\<in>P\<close>
+      moreover from calculation
+      obtain \<sigma> q where "\<sigma>\<in>domain(\<tau>)\<union>domain(\<theta>)" "q\<in>P" "q\<preceq>p"
+        "(forces_mem(q, \<sigma>, \<tau>) \<and> \<not> forces_mem(q, \<sigma>, \<theta>)) \<or>
+         (\<not> forces_mem(q, \<sigma>, \<tau>) \<and> forces_mem(q, \<sigma>, \<theta>))"
+        using def_forces_eq by blast
+      moreover from this
+      obtain r where "r\<preceq>q" "r\<in>P"
+        "(forces_mem(r, \<sigma>, \<tau>) \<and> forces_nmem(r, \<sigma>, \<theta>)) \<or>
+         (forces_nmem(r, \<sigma>, \<tau>) \<and> forces_mem(r, \<sigma>, \<theta>))"
+        using not_forces_nmem strengthening_mem by blast
+      ultimately
+      show ?thesis using leq_transD by blast
+    qed
+    then
+    show "\<exists>d\<in>?D1 \<union> ?D2 \<union> ?D3. d \<preceq> p" by blast
+  qed
+  moreover
+  have "?D \<subseteq> P"
+    by auto
+  moreover
+  note \<open>M_generic(G)\<close>
+  ultimately
+  obtain p where "p\<in>G" "p\<in>?D"
+    unfolding M_generic_def by blast
+  then 
+  consider 
+    (1) "forces_eq(p,\<tau>,\<theta>)" | 
+    (2) "\<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_mem(p,\<sigma>,\<tau>) \<and> forces_nmem(p,\<sigma>,\<theta>)" | 
+    (3) "\<exists>\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>). forces_nmem(p,\<sigma>,\<tau>) \<and> forces_mem(p,\<sigma>,\<theta>)"
+    by blast
+  then
+  show ?thesis
+  proof (cases)
+    case 1
+    with \<open>p\<in>G\<close> 
+    show ?thesis by blast
+  next
+    case 2
+    then 
+    obtain \<sigma> where "\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>)" "forces_mem(p,\<sigma>,\<tau>)" "forces_nmem(p,\<sigma>,\<theta>)" 
+      by blast
+    moreover from this and \<open>p\<in>G\<close> and assms
+    have "val(G,\<sigma>)\<in>val(G,\<tau>)"
+      using IV240a[of G \<sigma> \<tau>] transitivity[OF _ domain_closed[simplified]] by blast
+    moreover note IH \<open>val(G,\<tau>) = _\<close>
+    ultimately
+    obtain q where "q\<in>G" "forces_mem(q, \<sigma>, \<theta>)" by auto
+    moreover from this and \<open>p\<in>G\<close> \<open>M_generic(G)\<close>
+    obtain r where "r\<in>P" "r\<preceq>p" "r\<preceq>q"
+      by blast
+    moreover
+    note \<open>M_generic(G)\<close>
+    ultimately
+    have "forces_mem(r, \<sigma>, \<theta>)"
+      using strengthening_mem by blast
+    with \<open>r\<preceq>p\<close> \<open>forces_nmem(p,\<sigma>,\<theta>)\<close> \<open>r\<in>P\<close>
+    have "False"
+      unfolding forces_nmem_def by blast
+    then
+    show ?thesis by simp
+  next (* copy-paste from case 2 mutatis mutandis*)
+    case 3
+    then
+    obtain \<sigma> where "\<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>)" "forces_mem(p,\<sigma>,\<theta>)" "forces_nmem(p,\<sigma>,\<tau>)" 
+      by blast
+    moreover from this and \<open>p\<in>G\<close> and assms
+    have "val(G,\<sigma>)\<in>val(G,\<theta>)"
+      using IV240a[of G \<sigma> \<theta>] transitivity[OF _ domain_closed[simplified]] by blast
+    moreover note IH \<open>val(G,\<tau>) = _\<close>
+    ultimately
+    obtain q where "q\<in>G" "forces_mem(q, \<sigma>, \<tau>)" by auto
+    moreover from this and \<open>p\<in>G\<close> \<open>M_generic(G)\<close>
+    obtain r where "r\<in>P" "r\<preceq>p" "r\<preceq>q"
+      by blast
+    moreover
+    note \<open>M_generic(G)\<close>
+    ultimately
+    have "forces_mem(r, \<sigma>, \<tau>)"
+      using strengthening_mem by blast
+    with \<open>r\<preceq>p\<close> \<open>forces_nmem(p,\<sigma>,\<tau>)\<close> \<open>r\<in>P\<close>
+    have "False"
+      unfolding forces_nmem_def by blast
+    then
+    show ?thesis by simp
+  qed
+qed
+
+(* Lemma IV.2.40(b), full *)
+lemma IV240b:
+  assumes
+    "M_generic(G)"
+  shows 
+    "(\<tau>\<in>M\<longrightarrow>\<theta>\<in>M\<longrightarrow>val(G,\<tau>) = val(G,\<theta>) \<longrightarrow> (\<exists>p\<in>G. forces_eq(p,\<tau>,\<theta>))) \<and>
+     (\<tau>\<in>M\<longrightarrow>\<theta>\<in>M\<longrightarrow>val(G,\<tau>) \<in> val(G,\<theta>) \<longrightarrow> (\<exists>p\<in>G. forces_mem(p,\<tau>,\<theta>)))" 
+    (is "?Q(\<tau>,\<theta>) \<and> ?R(\<tau>,\<theta>)")
+proof (intro forces_induction)
+  fix \<tau> \<theta> p
+  assume "\<sigma>\<in>domain(\<theta>) \<Longrightarrow> ?Q(\<tau>, \<sigma>)" for \<sigma>
+  with assms
+  show "?R(\<tau>, \<theta>)"
+    using IV240b_mem domain_closed transitivity by (simp)
+next
+  fix \<tau> \<theta> p
+  assume "\<sigma> \<in> domain(\<tau>) \<union> domain(\<theta>) \<Longrightarrow> ?R(\<sigma>,\<tau>) \<and> ?R(\<sigma>,\<theta>)" for \<sigma>
+  moreover from this
+  have IH':"\<tau>\<in>M \<Longrightarrow> \<theta>\<in>M \<Longrightarrow> \<sigma> \<in> domain(\<tau>) \<union> domain(\<theta>) \<Longrightarrow>
+          (val(G, \<sigma>) \<in> val(G, \<tau>) \<longrightarrow> (\<exists>q\<in>G. forces_mem(q, \<sigma>, \<tau>))) \<and>
+          (val(G, \<sigma>) \<in> val(G, \<theta>) \<longrightarrow> (\<exists>q\<in>G. forces_mem(q, \<sigma>, \<theta>)))" for \<sigma> 
+    by (blast intro:left_in_M) 
+  ultimately
+  show "?Q(\<tau>,\<theta>)"
+    using IV240b_eq[OF assms(1)] by (auto)
+qed
+
+lemma map_val_in_MG:
+  assumes 
+    "env\<in>list(M)"
+  shows 
+    "map(val(G),env)\<in>list(M[G])"
+  unfolding GenExt_def using assms map_type2 by simp
+
+lemma truth_lemma_mem:
+  assumes 
+    "env\<in>list(M)" "M_generic(G)"
+    "n\<in>nat" "m\<in>nat" "n<length(env)" "m<length(env)"
+  shows 
+    "(\<exists>p\<in>G. p \<tturnstile> Member(n,m) env)  \<longleftrightarrow>  M[G], map(val(G),env) \<Turnstile> Member(n,m)"
+  using assms IV240a[OF assms(2), of "nth(n,env)" "nth(m,env)"] 
+    IV240b[OF assms(2), of "nth(n,env)" "nth(m,env)"] 
+    P_in_M leq_in_M one_in_M 
+    Forces_Member[of _  "nth(n,env)" "nth(m,env)" env n m] map_val_in_MG
+  by (auto)
+
+lemma truth_lemma_eq:
+  assumes 
+    "env\<in>list(M)" "M_generic(G)" 
+    "n\<in>nat" "m\<in>nat" "n<length(env)" "m<length(env)"
+  shows 
+    "(\<exists>p\<in>G. p \<tturnstile> Equal(n,m) env)  \<longleftrightarrow>  M[G], map(val(G),env) \<Turnstile> Equal(n,m)"
+  using assms IV240a(1)[OF assms(2), of "nth(n,env)" "nth(m,env)"] 
+    IV240b(1)[OF assms(2), of "nth(n,env)" "nth(m,env)"] 
+    P_in_M leq_in_M one_in_M 
+    Forces_Equal[of _  "nth(n,env)" "nth(m,env)" env n m] map_val_in_MG
+  by (auto)
+
+lemma arities_at_aux:
+  assumes
+    "n \<in> nat" "m \<in> nat" "env \<in> list(M)" "succ(n) \<union> succ(m) \<le> length(env)"
+  shows
+    "n < length(env)" "m < length(env)"
+  using assms succ_leE[OF Un_leD1, of n "succ(m)" "length(env)"] 
+   succ_leE[OF Un_leD2, of "succ(n)" m "length(env)"] by auto
+
+subsection\<open>The Strenghtening Lemma\<close>
+
+lemma strengthening_lemma:
+  assumes 
+    "p\<in>P" "\<phi>\<in>formula" "r\<in>P" "r\<preceq>p"
+  shows
+    "\<And>env. env\<in>list(M) \<Longrightarrow> arity(\<phi>)\<le>length(env) \<Longrightarrow> p \<tturnstile> \<phi> env \<Longrightarrow> r \<tturnstile> \<phi> env"
+  using assms(2)
+proof (induct)
+  case (Member n m)
+  then
+  have "n<length(env)" "m<length(env)"
+    using arities_at_aux by simp_all
+  moreover
+  assume "env\<in>list(M)"
+  moreover
+  note assms Member
+  ultimately
+  show ?case 
+    using Forces_Member[of _ "nth(n,env)" "nth(m,env)" env n m]
+      strengthening_mem[of p r "nth(n,env)" "nth(m,env)"] by simp
+next
+  case (Equal n m)
+  then
+  have "n<length(env)" "m<length(env)"
+    using arities_at_aux by simp_all
+  moreover
+  assume "env\<in>list(M)"
+  moreover
+  note assms Equal
+  ultimately
+  show ?case 
+    using Forces_Equal[of _ "nth(n,env)" "nth(m,env)" env n m]
+      strengthening_eq[of p r "nth(n,env)" "nth(m,env)"] by simp
+next
+  case (Nand \<phi> \<psi>)
+  with assms
+  show ?case 
+    using Forces_Nand transitivity[OF _ P_in_M] pair_in_M_iff 
+      transitivity[OF _ leq_in_M] leq_transD by auto
+next
+  case (Forall \<phi>)
+  with assms
+  have "p \<tturnstile> \<phi> ([x] @ env)" if "x\<in>M" for x
+    using that Forces_Forall by simp
+  with Forall 
+  have "r \<tturnstile> \<phi> ([x] @ env)" if "x\<in>M" for x
+    using that pred_le2 by (simp)
+  with assms Forall
+  show ?case 
+    using Forces_Forall by simp
+qed
+
+subsection\<open>The Density Lemma\<close>
+lemma arity_Nand_le: 
+  assumes "\<phi> \<in> formula" "\<psi> \<in> formula" "arity(Nand(\<phi>, \<psi>)) \<le> length(env)" "env\<in>list(A)"
+  shows "arity(\<phi>) \<le> length(env)" "arity(\<psi>) \<le> length(env)"
+  using assms 
+  by (rule_tac Un_leD1, rule_tac [5] Un_leD2, auto)
+
+lemma dense_below_imp_forces:
+  assumes 
+    "p\<in>P" "\<phi>\<in>formula"
+  shows
+    "\<And>env. env\<in>list(M) \<Longrightarrow> arity(\<phi>)\<le>length(env) \<Longrightarrow>
+     dense_below({q\<in>P. (q \<tturnstile> \<phi> env)},p) \<Longrightarrow> (p \<tturnstile> \<phi> env)"
+  using assms(2)
+proof (induct)
+  case (Member n m)
+  then
+  have "n<length(env)" "m<length(env)"
+    using arities_at_aux by simp_all
+  moreover
+  assume "env\<in>list(M)"
+  moreover
+  note assms Member
+  ultimately
+  show ?case 
+    using Forces_Member[of _ "nth(n,env)" "nth(m,env)" env n m]
+      density_mem[of p "nth(n,env)" "nth(m,env)"] by simp
+next
+  case (Equal n m)
+  then
+  have "n<length(env)" "m<length(env)"
+    using arities_at_aux by simp_all
+  moreover
+  assume "env\<in>list(M)"
+  moreover
+  note assms Equal
+  ultimately
+  show ?case 
+    using Forces_Equal[of _ "nth(n,env)" "nth(m,env)" env n m]
+      density_eq[of p "nth(n,env)" "nth(m,env)"] by simp
+next
+case (Nand \<phi> \<psi>)
+  {  
+    fix q
+    assume "q\<in>M" "q\<in>P" "q\<preceq> p" "q \<tturnstile> \<phi> env"
+    moreover 
+    note Nand
+    moreover from calculation
+    obtain d where "d\<in>P" "d \<tturnstile> Nand(\<phi>, \<psi>) env" "d\<preceq> q"
+      using dense_belowI by auto
+    moreover from calculation
+    have "\<not>(d\<tturnstile> \<psi> env)" if "d \<tturnstile> \<phi> env"
+      using that Forces_Nand leq_reflI transitivity[OF _ P_in_M, of d] by auto
+    moreover 
+    note arity_Nand_le[of \<phi> \<psi>]
+    moreover from calculation
+    have "d \<tturnstile> \<phi> env" 
+       using strengthening_lemma[of q \<phi> d env] Un_leD1 by auto
+    ultimately
+    have "\<not> (q \<tturnstile> \<psi> env)"
+      using strengthening_lemma[of q \<psi> d env] by auto
+  }
+  with \<open>p\<in>P\<close>
+  show ?case
+    using Forces_Nand[symmetric, OF _ Nand(5,1,3)] by blast
+next
+  case (Forall \<phi>)
+  have "dense_below({q\<in>P. q \<tturnstile> \<phi> ([a]@env)},p)" if "a\<in>M" for a
+  proof
+    fix r
+    assume "r\<in>P" "r\<preceq>p"
+    with \<open>dense_below(_,p)\<close>
+    obtain q where "q\<in>P" "q\<preceq>r" "q \<tturnstile> Forall(\<phi>) env"
+      by blast
+    moreover
+    note Forall \<open>a\<in>M\<close>
+    moreover from calculation
+    have "q \<tturnstile> \<phi> ([a]@env)"
+      using Forces_Forall by simp
+    ultimately
+    show "\<exists>d \<in> {q\<in>P. q \<tturnstile> \<phi> ([a]@env)}. d \<in> P \<and> d\<preceq>r"
+      by auto
+  qed
+  moreover 
+  note Forall(2)[of "Cons(_,env)"] Forall(1,3-5)
+  ultimately
+  have "p \<tturnstile> \<phi> ([a]@env)" if "a\<in>M" for a
+    using that pred_le2 by simp
+  with assms Forall
+  show ?case using Forces_Forall by simp
+qed
+
+lemma density_lemma:
+  assumes
+    "p\<in>P" "\<phi>\<in>formula" "env\<in>list(M)" "arity(\<phi>)\<le>length(env)"
+  shows
+    "p \<tturnstile> \<phi> env   \<longleftrightarrow>   dense_below({q\<in>P. (q \<tturnstile> \<phi> env)},p)"
+proof
+  assume "dense_below({q\<in>P. (q \<tturnstile> \<phi> env)},p)"
+  with assms
+  show  "(p \<tturnstile> \<phi> env)"
+    using dense_below_imp_forces by simp
+next
+  assume "p \<tturnstile> \<phi> env"
+  with assms
+  show "dense_below({q\<in>P. q \<tturnstile> \<phi> env},p)"
+    using strengthening_lemma leq_reflI by auto
+qed
+
+subsection\<open>The Truth Lemma\<close>
+lemma Forces_And:
+  assumes
+    "p\<in>P" "env \<in> list(M)" "\<phi>\<in>formula" "\<psi>\<in>formula" 
+    "arity(\<phi>) \<le> length(env)" "arity(\<psi>) \<le> length(env)"
+  shows
+    "p \<tturnstile> And(\<phi>,\<psi>) env   \<longleftrightarrow>  (p \<tturnstile> \<phi> env) \<and> (p \<tturnstile> \<psi> env)"
+proof
+  assume "p \<tturnstile> And(\<phi>, \<psi>) env"
+  with assms
+  have "dense_below({r \<in> P . (r \<tturnstile> \<phi> env) \<and> (r \<tturnstile> \<psi> env)}, p)"
+    using Forces_And_iff_dense_below by simp
+  then
+  have "dense_below({r \<in> P . (r \<tturnstile> \<phi> env)}, p)" "dense_below({r \<in> P . (r \<tturnstile> \<psi> env)}, p)"
+    by blast+
+  with assms
+  show "(p \<tturnstile> \<phi> env) \<and> (p \<tturnstile> \<psi> env)"
+    using density_lemma[symmetric] by simp
+next
+  assume "(p \<tturnstile> \<phi> env) \<and> (p \<tturnstile> \<psi> env)"
+  have "dense_below({r \<in> P . (r \<tturnstile> \<phi> env) \<and> (r \<tturnstile> \<psi> env)}, p)"
+  proof (intro dense_belowI bexI conjI, assumption)
+    fix q
+    assume "q\<in>P" "q\<preceq> p"
+    with assms \<open>(p \<tturnstile> \<phi> env) \<and> (p \<tturnstile> \<psi> env)\<close>
+    show "q\<in>{r \<in> P . (r \<tturnstile> \<phi> env) \<and> (r \<tturnstile> \<psi> env)}" "q\<preceq> q"
+      using strengthening_lemma leq_reflI by auto
+  qed
+  with assms
+  show "p \<tturnstile> And(\<phi>,\<psi>) env"
+    using Forces_And_iff_dense_below by simp
+qed
+
+lemma Forces_Nand_alt:
+  assumes
+    "p\<in>P" "env \<in> list(M)" "\<phi>\<in>formula" "\<psi>\<in>formula" 
+    "arity(\<phi>) \<le> length(env)" "arity(\<psi>) \<le> length(env)"
+  shows
+    "(p \<tturnstile> Nand(\<phi>,\<psi>) env) \<longleftrightarrow> (p \<tturnstile> Neg(And(\<phi>,\<psi>)) env)"
+  using assms Forces_Nand Forces_And Forces_Neg by auto
+
+lemma truth_lemma_Neg:
+  assumes 
+    "\<phi>\<in>formula" "M_generic(G)" "env\<in>list(M)" "arity(\<phi>)\<le>length(env)" and
+    IH: "(\<exists>p\<in>G. p \<tturnstile> \<phi> env) \<longleftrightarrow> M[G], map(val(G),env) \<Turnstile> \<phi>"
+  shows
+    "(\<exists>p\<in>G. p \<tturnstile> Neg(\<phi>) env)  \<longleftrightarrow>  M[G], map(val(G),env) \<Turnstile> Neg(\<phi>)"
+proof (intro iffI, elim bexE, rule ccontr) 
+  (* Direct implication by contradiction *)
+  fix p 
+  assume "p\<in>G" "p \<tturnstile> Neg(\<phi>) env" "\<not>(M[G],map(val(G),env) \<Turnstile> Neg(\<phi>))"
+  moreover 
+  note assms
+  moreover from calculation
+  have "M[G], map(val(G),env) \<Turnstile> \<phi>"
+    using map_val_in_MG by simp
+  with IH
+  obtain r where "r \<tturnstile> \<phi> env" "r\<in>G" by blast
+  moreover from this and \<open>M_generic(G)\<close> \<open>p\<in>G\<close>
+  obtain q where "q\<preceq>p" "q\<preceq>r" "q\<in>G"
+    by blast
+  moreover from calculation 
+  have "q \<tturnstile> \<phi> env"
+    using strengthening_lemma[where \<phi>=\<phi>] by blast
+  ultimately
+  show "False"
+    using Forces_Neg[where \<phi>=\<phi>] transitivity[OF _ P_in_M] by blast
+next
+  assume "M[G], map(val(G),env) \<Turnstile> Neg(\<phi>)"
+  with assms 
+  have "\<not> (M[G], map(val(G),env) \<Turnstile> \<phi>)"
+    using map_val_in_MG by simp
+  let ?D="{p\<in>P. (p \<tturnstile> \<phi> env) \<or> (p \<tturnstile> Neg(\<phi>) env)}"
+  have "separation(##M,\<lambda>p. (p \<tturnstile> \<phi> env))" 
+      using separation_ax arity_forces assms P_in_M leq_in_M one_in_M arity_forces_le
+    by simp
+  moreover
+  have "separation(##M,\<lambda>p. (p \<tturnstile> Neg(\<phi>) env))"
+      using separation_ax arity_forces assms P_in_M leq_in_M one_in_M arity_forces_le
+    by simp
+  ultimately
+  have "separation(##M,\<lambda>p. (p \<tturnstile> \<phi> env) \<or> (p \<tturnstile> Neg(\<phi>) env))" 
+    using separation_disj by simp
+  then 
+  have "?D \<in> M" 
+    using separation_closed P_in_M by simp
+  moreover
+  have "?D \<subseteq> P" by auto
+  moreover
+  have "dense(?D)"
+  proof
+    fix q
+    assume "q\<in>P"
+    show "\<exists>d\<in>{p \<in> P . (p \<tturnstile> \<phi> env) \<or> (p \<tturnstile> Neg(\<phi>) env)}. d\<preceq> q"
+    proof (cases "q \<tturnstile> Neg(\<phi>) env")
+      case True
+      with \<open>q\<in>P\<close>
+      show ?thesis using leq_reflI by blast
+    next
+      case False
+      with \<open>q\<in>P\<close> and assms
+      show ?thesis using Forces_Neg by auto
+    qed
+  qed
+  moreover
+  note \<open>M_generic(G)\<close>
+  ultimately
+  obtain p where "p\<in>G" "(p \<tturnstile> \<phi> env) \<or> (p \<tturnstile> Neg(\<phi>) env)"
+    by blast
+  then
+  consider (1) "p \<tturnstile> \<phi> env" | (2) "p \<tturnstile> Neg(\<phi>) env" by blast
+  then
+  show "\<exists>p\<in>G. (p \<tturnstile> Neg(\<phi>) env)"
+  proof (cases)
+    case 1
+    with \<open>\<not> (M[G],map(val(G),env) \<Turnstile> \<phi>)\<close> \<open>p\<in>G\<close> IH
+    show ?thesis
+      by blast
+  next
+    case 2
+    with \<open>p\<in>G\<close> 
+    show ?thesis by blast
+  qed
+qed 
+
+lemma truth_lemma_And:
+  assumes 
+    "env\<in>list(M)" "\<phi>\<in>formula" "\<psi>\<in>formula"
+    "arity(\<phi>)\<le>length(env)" "arity(\<psi>) \<le> length(env)" "M_generic(G)"
+    and
+    IH: "(\<exists>p\<in>G. p \<tturnstile> \<phi> env)  \<longleftrightarrow>   M[G], map(val(G),env) \<Turnstile> \<phi>"
+        "(\<exists>p\<in>G. p \<tturnstile> \<psi> env)  \<longleftrightarrow>   M[G], map(val(G),env) \<Turnstile> \<psi>"
+  shows
+    "(\<exists>p\<in>G. (p \<tturnstile> And(\<phi>,\<psi>) env)) \<longleftrightarrow> M[G] , map(val(G),env) \<Turnstile> And(\<phi>,\<psi>)"
+  using assms map_val_in_MG Forces_And[OF M_genericD assms(1-5)]
+proof (intro iffI, elim bexE)
+  fix p
+  assume "p\<in>G" "p \<tturnstile> And(\<phi>,\<psi>) env"
+  with assms
+  show "M[G], map(val(G),env) \<Turnstile> And(\<phi>,\<psi>)" 
+    using Forces_And[OF M_genericD, of _ _ _ \<phi> \<psi>] map_val_in_MG by auto
+next 
+  assume "M[G], map(val(G),env) \<Turnstile> And(\<phi>,\<psi>)"
+  moreover
+  note assms
+  moreover from calculation
+  obtain q r where "q \<tturnstile> \<phi> env" "r \<tturnstile> \<psi> env" "q\<in>G" "r\<in>G"
+    using map_val_in_MG Forces_And[OF M_genericD assms(1-5)] by auto
+  moreover from calculation
+  obtain p where "p\<preceq>q" "p\<preceq>r" "p\<in>G"
+    by blast
+  moreover from calculation
+  have "(p \<tturnstile> \<phi> env) \<and> (p \<tturnstile> \<psi> env)" (* can't solve as separate goals *)
+    using strengthening_lemma by (blast)
+  ultimately
+  show "\<exists>p\<in>G. (p \<tturnstile> And(\<phi>,\<psi>) env)"
+    using Forces_And[OF M_genericD assms(1-5)] by auto
+qed 
+
+definition 
+  ren_truth_lemma :: "i\<Rightarrow>i" where
+  "ren_truth_lemma(\<phi>) \<equiv> 
+    Exists(Exists(Exists(Exists(Exists(
+    And(Equal(0,5),And(Equal(1,8),And(Equal(2,9),And(Equal(3,10),And(Equal(4,6),
+    iterates(\<lambda>p. incr_bv(p)`5 , 6, \<phi>)))))))))))"
+
+lemma ren_truth_lemma_type[TC] :
+  "\<phi>\<in>formula \<Longrightarrow> ren_truth_lemma(\<phi>) \<in>formula" 
+  unfolding ren_truth_lemma_def
+  by simp
+
+lemma arity_ren_truth : 
+  assumes "\<phi>\<in>formula"
+  shows "arity(ren_truth_lemma(\<phi>)) \<le> 6 \<union> succ(arity(\<phi>))"
+proof -
+  consider (lt) "5 <arity(\<phi>)" | (ge) "\<not> 5 < arity(\<phi>)"
+    by auto
+  then
+  show ?thesis
+  proof cases
+    case lt
+    consider (a) "5<arity(\<phi>)#+5"  | (b) "arity(\<phi>)#+5 \<le> 5"
+      using not_lt_iff_le \<open>\<phi>\<in>_\<close> by force
+    then 
+    show ?thesis
+    proof cases
+      case a
+      with \<open>\<phi>\<in>_\<close> lt
+      have "5 < succ(arity(\<phi>))" "5<arity(\<phi>)#+2"  "5<arity(\<phi>)#+3"  "5<arity(\<phi>)#+4"
+        using succ_ltI by auto
+       with \<open>\<phi>\<in>_\<close> 
+      have c:"arity(iterates(\<lambda>p. incr_bv(p)`5,5,\<phi>)) = 5#+arity(\<phi>)" (is "arity(?\<phi>') = _") 
+        using arity_incr_bv_lemma lt a
+        by simp
+      with \<open>\<phi>\<in>_\<close>
+      have "arity(incr_bv(?\<phi>')`5) = 6#+arity(\<phi>)"
+        using arity_incr_bv_lemma[of ?\<phi>' 5] a by auto
+      with \<open>\<phi>\<in>_\<close>
+      show ?thesis
+        unfolding ren_truth_lemma_def
+        using pred_Un_distrib nat_union_abs1 Un_assoc[symmetric] a c nat_union_abs2
+        by simp
+    next
+      case b
+      with \<open>\<phi>\<in>_\<close> lt
+      have "5 < succ(arity(\<phi>))" "5<arity(\<phi>)#+2"  "5<arity(\<phi>)#+3"  "5<arity(\<phi>)#+4" "5<arity(\<phi>)#+5"
+        using succ_ltI by auto
+      with \<open>\<phi>\<in>_\<close> 
+      have "arity(iterates(\<lambda>p. incr_bv(p)`5,6,\<phi>)) = 6#+arity(\<phi>)" (is "arity(?\<phi>') = _") 
+        using arity_incr_bv_lemma lt 
+        by simp
+      with \<open>\<phi>\<in>_\<close>
+      show ?thesis
+        unfolding ren_truth_lemma_def
+        using pred_Un_distrib nat_union_abs1 Un_assoc[symmetric]  nat_union_abs2
+        by simp
+    qed
+  next
+    case ge
+    with \<open>\<phi>\<in>_\<close>
+    have "arity(\<phi>) \<le> 5" "pred^5(arity(\<phi>)) \<le> 5"
+      using not_lt_iff_le le_trans[OF le_pred]
+      by auto
+    with \<open>\<phi>\<in>_\<close>
+    have "arity(iterates(\<lambda>p. incr_bv(p)`5,6,\<phi>)) = arity(\<phi>)" "arity(\<phi>)\<le>6" "pred^5(arity(\<phi>)) \<le> 6"
+      using arity_incr_bv_lemma ge le_trans[OF \<open>arity(\<phi>)\<le>5\<close>] le_trans[OF \<open>pred^5(arity(\<phi>))\<le>5\<close>]
+      by auto
+    with \<open>arity(\<phi>) \<le> 5\<close> \<open>\<phi>\<in>_\<close> \<open>pred^5(_) \<le> 5\<close>
+    show ?thesis
+      unfolding ren_truth_lemma_def
+      using  pred_Un_distrib nat_union_abs1 Un_assoc[symmetric] nat_union_abs2 
+      by simp
+  qed
+qed
+
+lemma sats_ren_truth_lemma:
+  "[q,b,d,a1,a2,a3] @ env \<in> list(M) \<Longrightarrow> \<phi> \<in> formula \<Longrightarrow>
+   (M, [q,b,d,a1,a2,a3] @ env \<Turnstile> ren_truth_lemma(\<phi>) ) \<longleftrightarrow>
+   (M, [q,a1,a2,a3,b] @ env \<Turnstile> \<phi>)"
+  unfolding ren_truth_lemma_def
+  by (insert sats_incr_bv_iff [of _ _ M _ "[q,a1,a2,a3,b]"], simp)
+
+lemma truth_lemma' :
+  assumes
+    "\<phi>\<in>formula" "env\<in>list(M)" "arity(\<phi>) \<le> succ(length(env))" 
+  shows
+    "separation(##M,\<lambda>d. \<exists>b\<in>M. \<forall>q\<in>P. q\<preceq>d \<longrightarrow> \<not>(q \<tturnstile> \<phi> ([b]@env)))"
+proof -
+  let ?rel_pred="\<lambda>M x a1 a2 a3. \<exists>b\<in>M. \<forall>q\<in>M. q\<in>a1 \<and> is_leq(##M,a2,q,x) \<longrightarrow> 
+                  \<not>(M, [q,a1,a2,a3,b] @ env \<Turnstile> forces(\<phi>))" 
+  let ?\<psi>="Exists(Forall(Implies(And(Member(0,3),leq_fm(4,0,2)),
+          Neg(ren_truth_lemma(forces(\<phi>))))))"
+  have "q\<in>M" if "q\<in>P" for q using that transitivity[OF _ P_in_M] by simp
+  then
+  have 1:"\<forall>q\<in>M. q\<in>P \<and> R(q) \<longrightarrow> Q(q) \<Longrightarrow> (\<forall>q\<in>P. R(q) \<longrightarrow> Q(q))" for R Q 
+    by auto
+  then
+  have "\<lbrakk>b \<in> M; \<forall>q\<in>M. q \<in> P \<and> q \<preceq> d \<longrightarrow> \<not>(q \<tturnstile> \<phi> ([b]@env))\<rbrakk> \<Longrightarrow>
+         \<exists>c\<in>M. \<forall>q\<in>P. q \<preceq> d \<longrightarrow> \<not>(q \<tturnstile> \<phi> ([c]@env))" for b d
+    by (rule bexI,simp_all)
+  then
+  have "?rel_pred(M,d,P,leq,one) \<longleftrightarrow> (\<exists>b\<in>M. \<forall>q\<in>P. q\<preceq>d \<longrightarrow> \<not>(q \<tturnstile> \<phi> ([b]@env)))" if "d\<in>M" for d
+    using that leq_abs leq_in_M P_in_M one_in_M assms
+    by auto
+  moreover
+  have "?\<psi>\<in>formula" using assms by simp
+  moreover
+  have "(M, [d,P,leq,one]@env \<Turnstile> ?\<psi>) \<longleftrightarrow> ?rel_pred(M,d,P,leq,one)" if "d\<in>M" for d
+    using assms that P_in_M leq_in_M one_in_M sats_leq_fm sats_ren_truth_lemma
+    by simp
+  moreover
+  have "arity(?\<psi>) \<le> 4#+length(env)" 
+  proof -
+    have eq:"arity(leq_fm(4, 0, 2)) = 5"
+      using arity_leq_fm succ_Un_distrib nat_simp_union
+      by simp
+    with \<open>\<phi>\<in>_\<close>
+    have "arity(?\<psi>) = 3 \<union> (pred^2(arity(ren_truth_lemma(forces(\<phi>)))))"
+      using nat_union_abs1 pred_Un_distrib by simp
+    moreover
+    have "... \<le> 3 \<union> (pred(pred(6 \<union> succ(arity(forces(\<phi>))))))" (is "_ \<le> ?r")
+      using  \<open>\<phi>\<in>_\<close> Un_le_compat[OF le_refl[of 3]] 
+                  le_imp_subset arity_ren_truth[of "forces(\<phi>)"]
+                  pred_mono
+      by auto
+    finally
+    have "arity(?\<psi>) \<le> ?r" by simp
+    have i:"?r \<le> 4 \<union> pred(arity(forces(\<phi>)))" 
+      using pred_Un_distrib pred_succ_eq \<open>\<phi>\<in>_\<close> Un_assoc[symmetric] nat_union_abs1 by simp
+    have h:"4 \<union> pred(arity(forces(\<phi>))) \<le> 4 \<union> (4#+length(env))"
+      using  \<open>env\<in>_\<close> add_commute \<open>\<phi>\<in>_\<close>
+            Un_le_compat[of 4 4,OF _ pred_mono[OF _ arity_forces_le[OF _ _ \<open>arity(\<phi>)\<le>_\<close>]] ]
+            \<open>env\<in>_\<close> by auto
+    with \<open>\<phi>\<in>_\<close> \<open>env\<in>_\<close>
+    show ?thesis
+      using le_trans[OF  \<open>arity(?\<psi>) \<le> ?r\<close>  le_trans[OF i h]] nat_simp_union by simp
+  qed
+  ultimately
+  show ?thesis using assms P_in_M leq_in_M one_in_M 
+       separation_ax[of "?\<psi>" "[P,leq,one]@env"] 
+       separation_cong[of "##M" "\<lambda>y. (M, [y,P,leq,one]@env \<Turnstile>?\<psi>)"]
+    by simp
+qed
+
+
+lemma truth_lemma:
+  assumes 
+    "\<phi>\<in>formula" "M_generic(G)"
+  shows 
+     "\<And>env. env\<in>list(M) \<Longrightarrow> arity(\<phi>)\<le>length(env) \<Longrightarrow> 
+      (\<exists>p\<in>G. p \<tturnstile> \<phi> env)   \<longleftrightarrow>   M[G], map(val(G),env) \<Turnstile> \<phi>"
+  using assms(1)
+proof (induct)
+  case (Member x y)
+  then
+  show ?case
+    using assms truth_lemma_mem[OF \<open>env\<in>list(M)\<close> assms(2) \<open>x\<in>nat\<close> \<open>y\<in>nat\<close>] 
+      arities_at_aux by simp
+next
+  case (Equal x y)
+  then
+  show ?case
+    using assms truth_lemma_eq[OF \<open>env\<in>list(M)\<close> assms(2) \<open>x\<in>nat\<close> \<open>y\<in>nat\<close>] 
+      arities_at_aux by simp
+next
+  case (Nand \<phi> \<psi>)
+  moreover 
+  note \<open>M_generic(G)\<close>
+  ultimately
+  show ?case 
+    using truth_lemma_And truth_lemma_Neg Forces_Nand_alt 
+      M_genericD map_val_in_MG arity_Nand_le[of \<phi> \<psi>] by auto
+next
+  case (Forall \<phi>)
+  with \<open>M_generic(G)\<close>
+  show ?case
+  proof (intro iffI)
+    assume "\<exists>p\<in>G. (p \<tturnstile> Forall(\<phi>) env)"
+    with \<open>M_generic(G)\<close>
+    obtain p where "p\<in>G" "p\<in>M" "p\<in>P" "p \<tturnstile> Forall(\<phi>) env"
+      using transitivity[OF _ P_in_M] by auto
+    with \<open>env\<in>list(M)\<close> \<open>\<phi>\<in>formula\<close>
+    have "p \<tturnstile> \<phi> ([x]@env)" if "x\<in>M" for x
+      using that Forces_Forall by simp
+    with \<open>p\<in>G\<close> \<open>\<phi>\<in>formula\<close> \<open>env\<in>_\<close> \<open>arity(Forall(\<phi>)) \<le> length(env)\<close>
+      Forall(2)[of "Cons(_,env)"] 
+    show "M[G], map(val(G),env) \<Turnstile>  Forall(\<phi>)"
+      using pred_le2 map_val_in_MG
+      by (auto iff:GenExtD)
+  next
+    assume "M[G], map(val(G),env) \<Turnstile> Forall(\<phi>)"
+    let ?D1="{d\<in>P. (d \<tturnstile> Forall(\<phi>) env)}"
+    let ?D2="{d\<in>P. \<exists>b\<in>M. \<forall>q\<in>P. q\<preceq>d \<longrightarrow> \<not>(q \<tturnstile> \<phi> ([b]@env))}"
+    define D where "D \<equiv> ?D1 \<union> ?D2"
+    have ar\<phi>:"arity(\<phi>)\<le>succ(length(env))" 
+      using assms \<open>arity(Forall(\<phi>)) \<le> length(env)\<close> \<open>\<phi>\<in>formula\<close> \<open>env\<in>list(M)\<close> pred_le2 
+      by simp
+    then
+    have "arity(Forall(\<phi>)) \<le> length(env)" 
+      using pred_le \<open>\<phi>\<in>formula\<close> \<open>env\<in>list(M)\<close> by simp
+    then
+    have "?D1\<in>M" using Collect_forces ar\<phi> \<open>\<phi>\<in>formula\<close> \<open>env\<in>list(M)\<close> by simp
+    moreover
+    have "?D2\<in>M" using \<open>env\<in>list(M)\<close> \<open>\<phi>\<in>formula\<close>  truth_lemma' separation_closed ar\<phi>
+                        P_in_M
+      by simp
+    ultimately
+    have "D\<in>M" unfolding D_def using Un_closed by simp
+    moreover
+    have "D \<subseteq> P" unfolding D_def by auto
+    moreover
+    have "dense(D)" 
+    proof
+      fix p
+      assume "p\<in>P"
+      show "\<exists>d\<in>D. d\<preceq> p"
+      proof (cases "p \<tturnstile> Forall(\<phi>) env")
+        case True
+        with \<open>p\<in>P\<close> 
+        show ?thesis unfolding D_def using leq_reflI by blast
+      next
+        case False
+        with Forall \<open>p\<in>P\<close>
+        obtain b where "b\<in>M" "\<not>(p \<tturnstile> \<phi> ([b]@env))"
+          using Forces_Forall by blast
+        moreover from this \<open>p\<in>P\<close> Forall
+        have "\<not>dense_below({q\<in>P. q \<tturnstile> \<phi> ([b]@env)},p)"
+          using density_lemma pred_le2  by auto
+        moreover from this
+        obtain d where "d\<preceq>p" "\<forall>q\<in>P. q\<preceq>d \<longrightarrow> \<not>(q \<tturnstile> \<phi> ([b] @ env))"
+          "d\<in>P" by blast
+        ultimately
+        show ?thesis unfolding D_def by auto
+      qed
+    qed
+    moreover
+    note \<open>M_generic(G)\<close>
+    ultimately
+    obtain d where "d \<in> D"  "d \<in> G" by blast
+    then
+    consider (1) "d\<in>?D1" | (2) "d\<in>?D2" unfolding D_def by blast
+    then
+    show "\<exists>p\<in>G. (p \<tturnstile> Forall(\<phi>) env)"
+    proof (cases)
+      case 1
+      with \<open>d\<in>G\<close>
+      show ?thesis by blast
+    next
+      case 2
+      then
+      obtain b where "b\<in>M" "\<forall>q\<in>P. q\<preceq>d \<longrightarrow>\<not>(q \<tturnstile> \<phi> ([b] @ env))"
+        by blast
+      moreover from this(1) and  \<open>M[G], _ \<Turnstile>  Forall(\<phi>)\<close> and 
+        Forall(2)[of "Cons(b,env)"] Forall(1,3-4) \<open>M_generic(G)\<close>
+      obtain p where "p\<in>G" "p\<in>P" "p \<tturnstile> \<phi> ([b] @ env)" 
+        using pred_le2 using map_val_in_MG by (auto iff:GenExtD)
+      moreover
+      note \<open>d\<in>G\<close> \<open>M_generic(G)\<close>
+      ultimately
+      obtain q where "q\<in>G" "q\<in>P" "q\<preceq>d" "q\<preceq>p" by blast
+      moreover from this and  \<open>p \<tturnstile> \<phi> ([b] @ env)\<close> 
+        Forall  \<open>b\<in>M\<close> \<open>p\<in>P\<close>
+      have "q \<tturnstile> \<phi> ([b] @ env)"
+        using pred_le2 strengthening_lemma by simp
+      moreover 
+      note \<open>\<forall>q\<in>P. q\<preceq>d \<longrightarrow>\<not>(q \<tturnstile> \<phi> ([b] @ env))\<close>
+      ultimately
+      show ?thesis by simp
+    qed
+  qed
+qed
+subsection\<open>The ``Definition of forcing''\<close>
+lemma definition_of_forcing:
+  assumes
+    "p\<in>P" "\<phi>\<in>formula" "env\<in>list(M)" "arity(\<phi>)\<le>length(env)"
+  shows
+    "(p \<tturnstile> \<phi> env) \<longleftrightarrow>
+     (\<forall>G. M_generic(G) \<and> p\<in>G  \<longrightarrow>  M[G], map(val(G),env) \<Turnstile> \<phi>)"
+proof (intro iffI allI impI, elim conjE)
+  fix G
+  assume "(p \<tturnstile> \<phi> env)" "M_generic(G)" "p \<in> G"
+  with assms 
+  show "M[G], map(val(G),env) \<Turnstile> \<phi>"
+    using truth_lemma by blast
+next
+  assume 1: "\<forall>G.(M_generic(G)\<and> p\<in>G)\<longrightarrow> M[G] , map(val(G),env) \<Turnstile> \<phi>"
+  {
+    fix r 
+    assume 2: "r\<in>P" "r\<preceq>p"
+    then 
+    obtain G where "r\<in>G" "M_generic(G)"
+      using generic_filter_existence by auto
+    moreover from calculation 2 \<open>p\<in>P\<close> 
+    have "p\<in>G" 
+      unfolding M_generic_def using filter_leqD by simp
+    moreover note 1
+    ultimately
+    have "M[G], map(val(G),env) \<Turnstile> \<phi>"
+      by simp
+    with assms \<open>M_generic(G)\<close> 
+    obtain s where "s\<in>G" "(s \<tturnstile> \<phi> env)"
+      using truth_lemma by blast
+    moreover from this and  \<open>M_generic(G)\<close> \<open>r\<in>G\<close> 
+    obtain q where "q\<in>G" "q\<preceq>s" "q\<preceq>r"
+      by blast
+    moreover from calculation \<open>s\<in>G\<close> \<open>M_generic(G)\<close> 
+    have "s\<in>P" "q\<in>P" 
+      unfolding M_generic_def filter_def by auto
+    moreover 
+    note assms
+    ultimately 
+    have "\<exists>q\<in>P. q\<preceq>r \<and> (q \<tturnstile> \<phi> env)"
+      using strengthening_lemma by blast
+  }
+  then
+  have "dense_below({q\<in>P. (q \<tturnstile> \<phi> env)},p)"
+    unfolding dense_below_def by blast
+  with assms
+  show "(p \<tturnstile> \<phi> env)"
+    using density_lemma by blast
+qed
+
+lemmas definability = forces_type 
+end (* forcing_data *)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Foundation_Axiom.thy b/thys/Forcing/Foundation_Axiom.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Foundation_Axiom.thy
@@ -0,0 +1,35 @@
+section\<open>The Axiom of Foundation in $M[G]$\<close>
+theory Foundation_Axiom
+imports
+  Names
+begin
+
+context forcing_data
+begin
+  
+(* Slick proof essentially by Paulson (adapted from L) *)  
+lemma foundation_in_MG : "foundation_ax(##(M[G]))"
+  unfolding foundation_ax_def
+  by (rule rallI, cut_tac A=x in foundation, auto intro: transitivity_MG)
+
+(* Same theorem as above, declarative proof, 
+   without using transitivity *)
+lemma "foundation_ax(##(M[G]))"
+proof -
+  {   
+    fix x 
+    assume "x\<in>M[G]" "\<exists>y\<in>M[G] . y\<in>x"
+    then 
+    have "\<exists>y\<in>M[G] . y\<in>x\<inter>M[G]" by simp
+    then 
+    obtain y where "y\<in>x\<inter>M[G]" "\<forall>z\<in>y. z \<notin> x\<inter>M[G]" 
+      using foundation[of "x\<inter>M[G]"]  by blast
+    then 
+    have "\<exists>y\<in>M[G] . y \<in> x \<and> (\<forall>z\<in>M[G] . z \<notin> x \<or> z \<notin> y)"by auto
+  }
+  then show ?thesis
+    unfolding foundation_ax_def by auto
+qed
+    
+end  (* context forcing_data *)
+end
\ No newline at end of file
diff --git a/thys/Forcing/FrecR.thy b/thys/Forcing/FrecR.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/FrecR.thy
@@ -0,0 +1,680 @@
+section\<open>Well-founded relation on names\<close>
+theory FrecR imports Names Synthetic_Definition begin
+
+lemmas sep_rules' = nth_0 nth_ConsI FOL_iff_sats function_iff_sats
+  fun_plus_iff_sats omega_iff_sats FOL_sats_iff 
+
+text\<open>\<^term>\<open>frecR\<close> is the well-founded relation on names that allows
+us to define forcing for atomic formulas.\<close>
+
+(* MOVE THIS. absoluteness of higher-order composition *)
+definition
+  is_hcomp :: "[i\<Rightarrow>o,i\<Rightarrow>i\<Rightarrow>o,i\<Rightarrow>i\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_hcomp(M,is_f,is_g,a,w) \<equiv> \<exists>z[M]. is_g(a,z) \<and> is_f(z,w)" 
+
+lemma (in M_trivial) hcomp_abs: 
+  assumes
+    is_f_abs:"\<And>a z. M(a) \<Longrightarrow> M(z) \<Longrightarrow> is_f(a,z) \<longleftrightarrow> z = f(a)" and
+    is_g_abs:"\<And>a z. M(a) \<Longrightarrow> M(z) \<Longrightarrow> is_g(a,z) \<longleftrightarrow> z = g(a)" and
+    g_closed:"\<And>a. M(a) \<Longrightarrow> M(g(a))" 
+    "M(a)" "M(w)" 
+  shows
+    "is_hcomp(M,is_f,is_g,a,w) \<longleftrightarrow> w = f(g(a))" 
+  unfolding is_hcomp_def using assms by simp
+
+definition
+  hcomp_fm :: "[i\<Rightarrow>i\<Rightarrow>i,i\<Rightarrow>i\<Rightarrow>i,i,i] \<Rightarrow> i" where
+  "hcomp_fm(pf,pg,a,w) \<equiv> Exists(And(pg(succ(a),0),pf(0,succ(w))))"
+
+lemma sats_hcomp_fm:
+  assumes 
+    f_iff_sats:"\<And>a b z. a\<in>nat \<Longrightarrow> b\<in>nat \<Longrightarrow> z\<in>M \<Longrightarrow> 
+                 is_f(nth(a,Cons(z,env)),nth(b,Cons(z,env))) \<longleftrightarrow> sats(M,pf(a,b),Cons(z,env))"
+    and
+    g_iff_sats:"\<And>a b z. a\<in>nat \<Longrightarrow> b\<in>nat \<Longrightarrow> z\<in>M \<Longrightarrow> 
+                is_g(nth(a,Cons(z,env)),nth(b,Cons(z,env))) \<longleftrightarrow> sats(M,pg(a,b),Cons(z,env))"
+    and
+    "a\<in>nat" "w\<in>nat" "env\<in>list(M)" 
+  shows
+    "sats(M,hcomp_fm(pf,pg,a,w),env) \<longleftrightarrow> is_hcomp(##M,is_f,is_g,nth(a,env),nth(w,env))" 
+proof -
+  have "sats(M, pf(0, succ(w)), Cons(x, env)) \<longleftrightarrow> is_f(x,nth(w,env))" if "x\<in>M" "w\<in>nat" for x w
+    using f_iff_sats[of 0 "succ(w)" x] that by simp
+  moreover
+  have "sats(M, pg(succ(a), 0), Cons(x, env)) \<longleftrightarrow> is_g(nth(a,env),x)" if "x\<in>M" "a\<in>nat" for x a
+    using g_iff_sats[of "succ(a)" 0 x] that by simp
+  ultimately
+  show ?thesis unfolding hcomp_fm_def is_hcomp_def using assms by simp
+qed
+
+
+(* Preliminary *)
+definition
+  ftype :: "i\<Rightarrow>i" where
+  "ftype \<equiv> fst"
+
+definition
+  name1 :: "i\<Rightarrow>i" where
+  "name1(x) \<equiv> fst(snd(x))"
+
+definition
+  name2 :: "i\<Rightarrow>i" where
+  "name2(x) \<equiv> fst(snd(snd(x)))"
+
+definition
+  cond_of :: "i\<Rightarrow>i" where
+  "cond_of(x) \<equiv> snd(snd(snd((x))))"
+
+lemma components_simp:
+  "ftype(\<langle>f,n1,n2,c\<rangle>) = f"
+  "name1(\<langle>f,n1,n2,c\<rangle>) = n1"
+  "name2(\<langle>f,n1,n2,c\<rangle>) = n2"
+  "cond_of(\<langle>f,n1,n2,c\<rangle>) = c"
+  unfolding ftype_def name1_def name2_def cond_of_def
+  by simp_all
+
+definition eclose_n :: "[i\<Rightarrow>i,i] \<Rightarrow> i" where
+  "eclose_n(name,x) = eclose({name(x)})"
+
+definition
+  ecloseN :: "i \<Rightarrow> i" where
+  "ecloseN(x) = eclose_n(name1,x) \<union> eclose_n(name2,x)"
+
+lemma components_in_eclose :
+  "n1 \<in> ecloseN(\<langle>f,n1,n2,c\<rangle>)"
+  "n2 \<in> ecloseN(\<langle>f,n1,n2,c\<rangle>)"
+  unfolding ecloseN_def eclose_n_def
+  using components_simp arg_into_eclose by auto
+
+lemmas names_simp = components_simp(2) components_simp(3)
+
+lemma ecloseNI1 : 
+  assumes "x \<in> eclose(n1) \<or> x\<in>eclose(n2)" 
+  shows "x \<in> ecloseN(\<langle>f,n1,n2,c\<rangle>)" 
+  unfolding ecloseN_def eclose_n_def
+  using assms eclose_sing names_simp
+  by auto
+
+lemmas ecloseNI = ecloseNI1
+
+lemma ecloseN_mono :
+  assumes "u \<in> ecloseN(x)" "name1(x) \<in> ecloseN(y)" "name2(x) \<in> ecloseN(y)"
+  shows "u \<in> ecloseN(y)"
+proof -
+  from \<open>u\<in>_\<close>
+  consider (a) "u\<in>eclose({name1(x)})" | (b) "u \<in> eclose({name2(x)})"
+    unfolding ecloseN_def  eclose_n_def by auto
+  then 
+  show ?thesis
+  proof cases
+    case a
+    with \<open>name1(x) \<in> _\<close>
+    show ?thesis 
+      unfolding ecloseN_def  eclose_n_def
+      using eclose_singE[OF a] mem_eclose_trans[of u "name1(x)" ] by auto 
+  next
+    case b
+    with \<open>name2(x) \<in> _\<close>
+    show ?thesis 
+      unfolding ecloseN_def eclose_n_def
+      using eclose_singE[OF b] mem_eclose_trans[of u "name2(x)"] by auto
+  qed
+qed
+
+
+(* ftype(p) \<equiv> THE a. \<exists>b. p = \<langle>a, b\<rangle> *)
+
+definition
+  is_fst :: "(i\<Rightarrow>o)\<Rightarrow>i\<Rightarrow>i\<Rightarrow>o" where
+  "is_fst(M,x,t) \<equiv> (\<exists>z[M]. pair(M,t,z,x)) \<or> 
+                       (\<not>(\<exists>z[M]. \<exists>w[M]. pair(M,w,z,x)) \<and> empty(M,t))"
+
+definition
+  fst_fm :: "[i,i] \<Rightarrow> i" where
+  "fst_fm(x,t) \<equiv> Or(Exists(pair_fm(succ(t),0,succ(x))),
+                   And(Neg(Exists(Exists(pair_fm(0,1,2 #+ x)))),empty_fm(t)))"
+
+lemma sats_fst_fm :
+  "\<lbrakk> x \<in> nat; y \<in> nat;env \<in> list(A) \<rbrakk> 
+    \<Longrightarrow> sats(A, fst_fm(x,y), env) \<longleftrightarrow>
+        is_fst(##A, nth(x,env), nth(y,env))"
+  by (simp add: fst_fm_def is_fst_def)
+
+definition 
+  is_ftype :: "(i\<Rightarrow>o)\<Rightarrow>i\<Rightarrow>i\<Rightarrow>o" where
+  "is_ftype \<equiv> is_fst" 
+
+definition
+  ftype_fm :: "[i,i] \<Rightarrow> i" where
+  "ftype_fm \<equiv> fst_fm" 
+
+lemma sats_ftype_fm :
+  "\<lbrakk> x \<in> nat; y \<in> nat;env \<in> list(A) \<rbrakk> 
+    \<Longrightarrow> sats(A, ftype_fm(x,y), env) \<longleftrightarrow>
+        is_ftype(##A, nth(x,env), nth(y,env))"
+  unfolding ftype_fm_def is_ftype_def
+  by (simp add:sats_fst_fm)
+
+lemma is_ftype_iff_sats:
+  assumes
+    "nth(a,env) = aa" "nth(b,env) = bb" "a\<in>nat" "b\<in>nat" "env \<in> list(A)"
+  shows
+    "is_ftype(##A,aa,bb)  \<longleftrightarrow> sats(A,ftype_fm(a,b), env)"
+  using assms
+  by (simp add:sats_ftype_fm)
+
+definition
+  is_snd :: "(i\<Rightarrow>o)\<Rightarrow>i\<Rightarrow>i\<Rightarrow>o" where
+  "is_snd(M,x,t) \<equiv> (\<exists>z[M]. pair(M,z,t,x)) \<or> 
+                       (\<not>(\<exists>z[M]. \<exists>w[M]. pair(M,z,w,x)) \<and> empty(M,t))"
+
+definition
+  snd_fm :: "[i,i] \<Rightarrow> i" where
+  "snd_fm(x,t) \<equiv> Or(Exists(pair_fm(0,succ(t),succ(x))),
+                   And(Neg(Exists(Exists(pair_fm(1,0,2 #+ x)))),empty_fm(t)))"
+
+lemma sats_snd_fm :
+  "\<lbrakk> x \<in> nat; y \<in> nat;env \<in> list(A) \<rbrakk> 
+    \<Longrightarrow> sats(A, snd_fm(x,y), env) \<longleftrightarrow>
+        is_snd(##A, nth(x,env), nth(y,env))"
+  by (simp add: snd_fm_def is_snd_def)
+
+definition
+  is_name1 :: "(i\<Rightarrow>o)\<Rightarrow>i\<Rightarrow>i\<Rightarrow>o" where
+  "is_name1(M,x,t2) \<equiv> is_hcomp(M,is_fst(M),is_snd(M),x,t2)"
+
+definition
+  name1_fm :: "[i,i] \<Rightarrow> i" where
+  "name1_fm(x,t) \<equiv> hcomp_fm(fst_fm,snd_fm,x,t)" 
+
+lemma sats_name1_fm :
+  "\<lbrakk> x \<in> nat; y \<in> nat;env \<in> list(A) \<rbrakk> 
+    \<Longrightarrow> sats(A, name1_fm(x,y), env) \<longleftrightarrow>
+        is_name1(##A, nth(x,env), nth(y,env))"
+  unfolding name1_fm_def is_name1_def using sats_fst_fm sats_snd_fm 
+    sats_hcomp_fm[of A "is_fst(##A)" _ fst_fm "is_snd(##A)"] by simp
+
+lemma is_name1_iff_sats:
+  assumes
+    "nth(a,env) = aa" "nth(b,env) = bb" "a\<in>nat" "b\<in>nat" "env \<in> list(A)"
+  shows
+    "is_name1(##A,aa,bb)  \<longleftrightarrow> sats(A,name1_fm(a,b), env)"
+  using assms
+  by (simp add:sats_name1_fm)
+
+definition
+  is_snd_snd :: "(i\<Rightarrow>o)\<Rightarrow>i\<Rightarrow>i\<Rightarrow>o" where
+  "is_snd_snd(M,x,t) \<equiv> is_hcomp(M,is_snd(M),is_snd(M),x,t)"
+
+definition
+  snd_snd_fm :: "[i,i]\<Rightarrow>i" where
+  "snd_snd_fm(x,t) \<equiv> hcomp_fm(snd_fm,snd_fm,x,t)"
+
+lemma sats_snd2_fm :
+  "\<lbrakk> x \<in> nat; y \<in> nat;env \<in> list(A) \<rbrakk> 
+    \<Longrightarrow> sats(A,snd_snd_fm(x,y), env) \<longleftrightarrow>
+        is_snd_snd(##A, nth(x,env), nth(y,env))"
+  unfolding snd_snd_fm_def is_snd_snd_def using sats_snd_fm 
+    sats_hcomp_fm[of A "is_snd(##A)" _ snd_fm "is_snd(##A)"] by simp
+
+definition
+  is_name2 :: "(i\<Rightarrow>o)\<Rightarrow>i\<Rightarrow>i\<Rightarrow>o" where
+  "is_name2(M,x,t3) \<equiv> is_hcomp(M,is_fst(M),is_snd_snd(M),x,t3)"
+
+definition
+  name2_fm :: "[i,i] \<Rightarrow> i" where
+  "name2_fm(x,t3) \<equiv> hcomp_fm(fst_fm,snd_snd_fm,x,t3)"
+
+lemma sats_name2_fm :
+  "\<lbrakk> x \<in> nat; y \<in> nat;env \<in> list(A) \<rbrakk> 
+    \<Longrightarrow> sats(A,name2_fm(x,y), env) \<longleftrightarrow>
+        is_name2(##A, nth(x,env), nth(y,env))"
+  unfolding name2_fm_def is_name2_def using sats_fst_fm sats_snd2_fm
+    sats_hcomp_fm[of A "is_fst(##A)" _ fst_fm "is_snd_snd(##A)"] by simp
+
+lemma is_name2_iff_sats:
+  assumes
+    "nth(a,env) = aa" "nth(b,env) = bb" "a\<in>nat" "b\<in>nat" "env \<in> list(A)"
+  shows
+    "is_name2(##A,aa,bb)  \<longleftrightarrow> sats(A,name2_fm(a,b), env)"
+  using assms
+  by (simp add:sats_name2_fm)
+
+definition
+  is_cond_of :: "(i\<Rightarrow>o)\<Rightarrow>i\<Rightarrow>i\<Rightarrow>o" where
+  "is_cond_of(M,x,t4) \<equiv> is_hcomp(M,is_snd(M),is_snd_snd(M),x,t4)"
+
+definition
+  cond_of_fm :: "[i,i] \<Rightarrow> i" where
+  "cond_of_fm(x,t4) \<equiv> hcomp_fm(snd_fm,snd_snd_fm,x,t4)"
+
+lemma sats_cond_of_fm :
+  "\<lbrakk> x \<in> nat; y \<in> nat;env \<in> list(A) \<rbrakk> 
+    \<Longrightarrow> sats(A,cond_of_fm(x,y), env) \<longleftrightarrow>
+        is_cond_of(##A, nth(x,env), nth(y,env))"
+  unfolding cond_of_fm_def is_cond_of_def using sats_snd_fm sats_snd2_fm
+    sats_hcomp_fm[of A "is_snd(##A)" _ snd_fm "is_snd_snd(##A)"] by simp
+
+lemma is_cond_of_iff_sats:
+  assumes
+    "nth(a,env) = aa" "nth(b,env) = bb" "a\<in>nat" "b\<in>nat" "env \<in> list(A)"
+  shows
+    "is_cond_of(##A,aa,bb)  \<longleftrightarrow> sats(A,cond_of_fm(a,b), env)"
+  using assms
+  by (simp add:sats_cond_of_fm)
+
+lemma components_type[TC] :
+  assumes "a\<in>nat" "b\<in>nat"
+  shows 
+    "ftype_fm(a,b)\<in>formula" 
+    "name1_fm(a,b)\<in>formula"
+    "name2_fm(a,b)\<in>formula"
+    "cond_of_fm(a,b)\<in>formula"
+  using assms
+  unfolding ftype_fm_def fst_fm_def snd_fm_def snd_snd_fm_def name1_fm_def name2_fm_def 
+    cond_of_fm_def hcomp_fm_def
+  by simp_all
+
+lemmas sats_components_fm[simp] = sats_ftype_fm sats_name1_fm sats_name2_fm sats_cond_of_fm
+
+lemmas components_iff_sats = is_ftype_iff_sats is_name1_iff_sats is_name2_iff_sats
+  is_cond_of_iff_sats
+
+lemmas components_defs = fst_fm_def ftype_fm_def snd_fm_def snd_snd_fm_def hcomp_fm_def
+  name1_fm_def name2_fm_def cond_of_fm_def
+
+
+definition
+  is_eclose_n :: "[i\<Rightarrow>o,[i\<Rightarrow>o,i,i]\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_eclose_n(N,is_name,en,t) \<equiv> 
+        \<exists>n1[N].\<exists>s1[N]. is_name(N,t,n1) \<and> is_singleton(N,n1,s1) \<and> is_eclose(N,s1,en)"
+
+definition 
+  eclose_n1_fm :: "[i,i] \<Rightarrow> i" where
+  "eclose_n1_fm(m,t) \<equiv> Exists(Exists(And(And(name1_fm(t#+2,0),singleton_fm(0,1)),
+                                       is_eclose_fm(1,m#+2))))"
+
+definition 
+  eclose_n2_fm :: "[i,i] \<Rightarrow> i" where
+  "eclose_n2_fm(m,t) \<equiv> Exists(Exists(And(And(name2_fm(t#+2,0),singleton_fm(0,1)),
+                                       is_eclose_fm(1,m#+2))))"
+
+definition
+  is_ecloseN :: "[i\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_ecloseN(N,en,t) \<equiv> \<exists>en1[N].\<exists>en2[N].
+                is_eclose_n(N,is_name1,en1,t) \<and> is_eclose_n(N,is_name2,en2,t)\<and>
+                union(N,en1,en2,en)"
+
+definition 
+  ecloseN_fm :: "[i,i] \<Rightarrow> i" where
+  "ecloseN_fm(en,t) \<equiv> Exists(Exists(And(eclose_n1_fm(1,t#+2),
+                            And(eclose_n2_fm(0,t#+2),union_fm(1,0,en#+2)))))"
+lemma ecloseN_fm_type [TC] :
+  "\<lbrakk> en \<in> nat ; t \<in> nat \<rbrakk> \<Longrightarrow> ecloseN_fm(en,t) \<in> formula"
+  unfolding ecloseN_fm_def eclose_n1_fm_def eclose_n2_fm_def by simp
+
+lemma sats_ecloseN_fm [simp]:
+  "\<lbrakk> en \<in> nat; t \<in> nat ; env \<in> list(A) \<rbrakk>
+    \<Longrightarrow> sats(A, ecloseN_fm(en,t), env) \<longleftrightarrow> is_ecloseN(##A,nth(en,env),nth(t,env))"
+  unfolding ecloseN_fm_def is_ecloseN_def eclose_n1_fm_def eclose_n2_fm_def is_eclose_n_def
+  using  nth_0 nth_ConsI sats_name1_fm sats_name2_fm 
+    is_singleton_iff_sats[symmetric]
+  by auto
+
+(* Relation of forces *)
+definition
+  frecR :: "i \<Rightarrow> i \<Rightarrow> o" where
+  "frecR(x,y) \<equiv>
+    (ftype(x) = 1 \<and> ftype(y) = 0 
+      \<and> (name1(x) \<in> domain(name1(y)) \<union> domain(name2(y)) \<and> (name2(x) = name1(y) \<or> name2(x) = name2(y))))
+   \<or> (ftype(x) = 0 \<and> ftype(y) =  1 \<and> name1(x) = name1(y) \<and> name2(x) \<in> domain(name2(y)))"
+
+lemma frecR_ftypeD :
+  assumes "frecR(x,y)"
+  shows "(ftype(x) = 0 \<and> ftype(y) = 1) \<or> (ftype(x) = 1 \<and> ftype(y) = 0)"
+  using assms unfolding frecR_def by auto
+
+lemma frecRI1: "s \<in> domain(n1) \<or> s \<in> domain(n2) \<Longrightarrow> frecR(\<langle>1, s, n1, q\<rangle>, \<langle>0, n1, n2, q'\<rangle>)"
+  unfolding frecR_def by (simp add:components_simp)
+
+lemma frecRI1': "s \<in> domain(n1) \<union> domain(n2) \<Longrightarrow> frecR(\<langle>1, s, n1, q\<rangle>, \<langle>0, n1, n2, q'\<rangle>)"
+  unfolding frecR_def by (simp add:components_simp)
+
+lemma frecRI2: "s \<in> domain(n1) \<or> s \<in> domain(n2) \<Longrightarrow> frecR(\<langle>1, s, n2, q\<rangle>, \<langle>0, n1, n2, q'\<rangle>)"
+  unfolding frecR_def by (simp add:components_simp)
+
+lemma frecRI2': "s \<in> domain(n1) \<union> domain(n2) \<Longrightarrow> frecR(\<langle>1, s, n2, q\<rangle>, \<langle>0, n1, n2, q'\<rangle>)"
+  unfolding frecR_def by (simp add:components_simp)
+
+
+lemma frecRI3: "\<langle>s, r\<rangle> \<in> n2 \<Longrightarrow> frecR(\<langle>0, n1, s, q\<rangle>, \<langle>1, n1, n2, q'\<rangle>)"
+  unfolding frecR_def by (auto simp add:components_simp)
+
+lemma frecRI3': "s \<in> domain(n2) \<Longrightarrow> frecR(\<langle>0, n1, s, q\<rangle>, \<langle>1, n1, n2, q'\<rangle>)"
+  unfolding frecR_def by (auto simp add:components_simp)
+
+lemma frecR_iff :
+  "frecR(x,y) \<longleftrightarrow>
+    (ftype(x) = 1 \<and> ftype(y) = 0 
+      \<and> (name1(x) \<in> domain(name1(y)) \<union> domain(name2(y)) \<and> (name2(x) = name1(y) \<or> name2(x) = name2(y))))
+   \<or> (ftype(x) = 0 \<and> ftype(y) =  1 \<and> name1(x) = name1(y) \<and> name2(x) \<in> domain(name2(y)))"
+  unfolding frecR_def ..
+
+lemma frecR_D1 :
+  "frecR(x,y) \<Longrightarrow> ftype(y) = 0 \<Longrightarrow> ftype(x) = 1 \<and> 
+      (name1(x) \<in> domain(name1(y)) \<union> domain(name2(y)) \<and> (name2(x) = name1(y) \<or> name2(x) = name2(y)))"
+  using frecR_iff
+  by auto
+
+lemma frecR_D2 :
+  "frecR(x,y) \<Longrightarrow> ftype(y) = 1 \<Longrightarrow> ftype(x) = 0 \<and> 
+      ftype(x) = 0 \<and> ftype(y) =  1 \<and> name1(x) = name1(y) \<and> name2(x) \<in> domain(name2(y))"
+  using frecR_iff
+  by auto
+
+lemma frecR_DI : 
+  assumes "frecR(\<langle>a,b,c,d\<rangle>,\<langle>ftype(y),name1(y),name2(y),cond_of(y)\<rangle>)"
+  shows "frecR(\<langle>a,b,c,d\<rangle>,y)"
+  using assms unfolding frecR_def by (force simp add:components_simp)
+
+(*
+name1(x) \<in> domain(name1(y)) \<union> domain(name2(y)) \<and> 
+            (name2(x) = name1(y) \<or> name2(x) = name2(y)) 
+          \<or> name1(x) = name1(y) \<and> name2(x) \<in> domain(name2(y))*)
+definition
+  is_frecR :: "[i\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_frecR(M,x,y) \<equiv> \<exists> ftx[M]. \<exists> n1x[M]. \<exists>n2x[M]. \<exists>fty[M]. \<exists>n1y[M]. \<exists>n2y[M]. \<exists>dn1[M]. \<exists>dn2[M].
+  is_ftype(M,x,ftx) \<and> is_name1(M,x,n1x)\<and> is_name2(M,x,n2x) \<and>
+  is_ftype(M,y,fty) \<and> is_name1(M,y,n1y) \<and> is_name2(M,y,n2y)
+          \<and> is_domain(M,n1y,dn1) \<and> is_domain(M,n2y,dn2) \<and> 
+          (  (number1(M,ftx) \<and> empty(M,fty) \<and> (n1x \<in> dn1 \<or> n1x \<in> dn2) \<and> (n2x = n1y \<or> n2x = n2y))
+           \<or> (empty(M,ftx) \<and> number1(M,fty) \<and> n1x = n1y \<and> n2x \<in> dn2))"
+
+schematic_goal sats_frecR_fm_auto:
+  assumes 
+    "i\<in>nat" "j\<in>nat" "env\<in>list(A)" "nth(i,env) = a" "nth(j,env) = b"
+  shows
+    "is_frecR(##A,a,b) \<longleftrightarrow> sats(A,?fr_fm(i,j),env)"
+  unfolding  is_frecR_def is_Collect_def  
+  by (insert assms ; (rule sep_rules' cartprod_iff_sats  components_iff_sats
+        | simp del:sats_cartprod_fm)+)
+
+synthesize "frecR_fm" from_schematic sats_frecR_fm_auto
+
+(* Third item of Kunen observations about the trcl relation in p. 257. *)
+lemma eq_ftypep_not_frecrR:
+  assumes "ftype(x) = ftype(y)"
+  shows "\<not> frecR(x,y)"
+  using assms frecR_ftypeD by force
+
+
+definition
+  rank_names :: "i \<Rightarrow> i" where
+  "rank_names(x) \<equiv> max(rank(name1(x)),rank(name2(x)))"
+
+lemma rank_names_types [TC]: 
+  shows "Ord(rank_names(x))"
+  unfolding rank_names_def max_def using Ord_rank Ord_Un by auto
+
+definition
+  mtype_form :: "i \<Rightarrow> i" where
+  "mtype_form(x) \<equiv> if rank(name1(x)) < rank(name2(x)) then 0 else 2"
+
+definition
+  type_form :: "i \<Rightarrow> i" where
+  "type_form(x) \<equiv> if ftype(x) = 0 then 1 else mtype_form(x)"
+
+lemma type_form_tc [TC]: 
+  shows "type_form(x) \<in> 3"
+  unfolding type_form_def mtype_form_def by auto
+
+lemma frecR_le_rnk_names :
+  assumes  "frecR(x,y)"
+  shows "rank_names(x)\<le>rank_names(y)"
+proof -
+  obtain a b c d  where
+    H: "a = name1(x)" "b = name2(x)"
+    "c = name1(y)" "d = name2(y)"
+    "(a \<in> domain(c)\<union>domain(d) \<and> (b=c \<or> b = d)) \<or> (a = c \<and> b \<in> domain(d))"
+    using assms unfolding frecR_def by force
+  then 
+  consider
+    (m) "a \<in> domain(c) \<and> (b = c \<or> b = d) "
+    | (n) "a \<in> domain(d) \<and> (b = c \<or> b = d)" 
+    | (o) "b \<in> domain(d) \<and> a = c"
+    by auto
+  then show ?thesis proof(cases)
+    case m
+    then 
+    have "rank(a) < rank(c)" 
+      using eclose_rank_lt  in_dom_in_eclose  by simp
+    with \<open>rank(a) < rank(c)\<close> H m
+    show ?thesis unfolding rank_names_def using Ord_rank max_cong max_cong2 leI by auto
+  next
+    case n
+    then
+    have "rank(a) < rank(d)"
+      using eclose_rank_lt in_dom_in_eclose  by simp
+    with \<open>rank(a) < rank(d)\<close> H n
+    show ?thesis unfolding rank_names_def 
+      using Ord_rank max_cong2 max_cong max_commutes[of "rank(c)" "rank(d)"] leI by auto
+  next
+    case o
+    then
+    have "rank(b) < rank(d)" (is "?b < ?d") "rank(a) = rank(c)" (is "?a = _")
+      using eclose_rank_lt in_dom_in_eclose  by simp_all
+    with H
+    show ?thesis unfolding rank_names_def
+      using Ord_rank max_commutes max_cong2[OF leI[OF \<open>?b < ?d\<close>], of ?a] by simp
+  qed
+qed
+
+
+definition 
+  \<Gamma> :: "i \<Rightarrow> i" where
+  "\<Gamma>(x) = 3 ** rank_names(x) ++ type_form(x)"
+
+lemma \<Gamma>_type [TC]: 
+  shows "Ord(\<Gamma>(x))"
+  unfolding \<Gamma>_def by simp
+
+
+lemma \<Gamma>_mono : 
+  assumes "frecR(x,y)"
+  shows "\<Gamma>(x) < \<Gamma>(y)"
+proof -
+  have F: "type_form(x) < 3" "type_form(y) < 3"
+    using ltI by simp_all
+  from assms 
+  have A: "rank_names(x) \<le> rank_names(y)" (is "?x \<le> ?y")
+    using frecR_le_rnk_names by simp
+  then
+  have "Ord(?y)" unfolding rank_names_def using Ord_rank max_def by simp
+  note leE[OF \<open>?x\<le>?y\<close>] 
+  then
+  show ?thesis
+  proof(cases)
+    case 1
+    then 
+    show ?thesis unfolding \<Gamma>_def using oadd_lt_mono2 \<open>?x < ?y\<close> F by auto
+  next
+    case 2
+    consider (a) "ftype(x) = 0 \<and> ftype(y) = 1" | (b) "ftype(x) = 1 \<and> ftype(y) = 0"
+      using  frecR_ftypeD[OF \<open>frecR(x,y)\<close>] by auto
+    then show ?thesis proof(cases)
+      case b
+      then 
+      have "type_form(y) = 1" 
+        using type_form_def by simp
+      from b
+      have H: "name2(x) = name1(y) \<or> name2(x) = name2(y) " (is "?\<tau> = ?\<sigma>' \<or> ?\<tau> = ?\<tau>'")
+        "name1(x) \<in> domain(name1(y)) \<union> domain(name2(y))" 
+        (is "?\<sigma> \<in> domain(?\<sigma>') \<union> domain(?\<tau>')")
+        using assms unfolding type_form_def frecR_def by auto
+      then 
+      have E: "rank(?\<tau>) = rank(?\<sigma>') \<or> rank(?\<tau>) = rank(?\<tau>')" by auto
+      from H
+      consider (a) "rank(?\<sigma>) < rank(?\<sigma>')" |  (b) "rank(?\<sigma>) < rank(?\<tau>')"
+        using eclose_rank_lt in_dom_in_eclose by force
+      then
+      have "rank(?\<sigma>) < rank(?\<tau>)" proof (cases)
+        case a
+        with \<open>rank_names(x) = rank_names(y) \<close>
+        show ?thesis unfolding rank_names_def mtype_form_def type_form_def using max_D2[OF E a]
+            E assms Ord_rank by simp
+      next
+        case b
+        with \<open>rank_names(x) = rank_names(y) \<close>
+        show ?thesis unfolding rank_names_def mtype_form_def type_form_def 
+          using max_D2[OF _ b] max_commutes E assms Ord_rank disj_commute by auto
+      qed
+      with b
+      have "type_form(x) = 0" unfolding type_form_def mtype_form_def by simp
+      with \<open>rank_names(x) = rank_names(y) \<close> \<open>type_form(y) = 1\<close> \<open>type_form(x) = 0\<close>
+      show ?thesis 
+        unfolding \<Gamma>_def by auto
+    next
+      case a
+      then 
+      have "name1(x) = name1(y)" (is "?\<sigma> = ?\<sigma>'") 
+        "name2(x) \<in> domain(name2(y))" (is "?\<tau> \<in> domain(?\<tau>')")
+        "type_form(x) = 1"
+        using assms unfolding type_form_def frecR_def by auto
+      then
+      have "rank(?\<sigma>) = rank(?\<sigma>')" "rank(?\<tau>) < rank(?\<tau>')" 
+        using  eclose_rank_lt in_dom_in_eclose by simp_all
+      with \<open>rank_names(x) = rank_names(y) \<close> 
+      have "rank(?\<tau>') \<le> rank(?\<sigma>')" 
+        unfolding rank_names_def using Ord_rank max_D1 by simp
+      with a
+      have "type_form(y) = 2"
+        unfolding type_form_def mtype_form_def using not_lt_iff_le assms by simp
+      with \<open>rank_names(x) = rank_names(y) \<close> \<open>type_form(y) = 2\<close> \<open>type_form(x) = 1\<close>
+      show ?thesis 
+        unfolding \<Gamma>_def by auto
+    qed
+  qed
+qed
+
+definition
+  frecrel :: "i \<Rightarrow> i" where
+  "frecrel(A) \<equiv> Rrel(frecR,A)"
+
+lemma frecrelI : 
+  assumes "x \<in> A" "y\<in>A" "frecR(x,y)"
+  shows "\<langle>x,y\<rangle>\<in>frecrel(A)"
+  using assms unfolding frecrel_def Rrel_def by auto
+
+lemma frecrelD :
+  assumes "\<langle>x,y\<rangle> \<in> frecrel(A1\<times>A2\<times>A3\<times>A4)"
+  shows "ftype(x) \<in> A1" "ftype(x) \<in> A1"
+    "name1(x) \<in> A2" "name1(y) \<in> A2" "name2(x) \<in> A3" "name2(x) \<in> A3" 
+    "cond_of(x) \<in> A4" "cond_of(y) \<in> A4" 
+    "frecR(x,y)"
+  using assms unfolding frecrel_def Rrel_def ftype_def by (auto simp add:components_simp)
+
+lemma wf_frecrel : 
+  shows "wf(frecrel(A))"
+proof -
+  have "frecrel(A) \<subseteq> measure(A,\<Gamma>)"
+    unfolding frecrel_def Rrel_def measure_def
+    using \<Gamma>_mono by force
+  then show ?thesis using wf_subset wf_measure by auto
+qed
+
+lemma core_induction_aux:
+  fixes A1 A2 :: "i"
+  assumes
+    "Transset(A1)"
+    "\<And>\<tau> \<theta> p.  p \<in> A2 \<Longrightarrow> \<lbrakk>\<And>q \<sigma>. \<lbrakk> q\<in>A2 ; \<sigma>\<in>domain(\<theta>)\<rbrakk> \<Longrightarrow> Q(0,\<tau>,\<sigma>,q)\<rbrakk> \<Longrightarrow> Q(1,\<tau>,\<theta>,p)"
+    "\<And>\<tau> \<theta> p.  p \<in> A2 \<Longrightarrow> \<lbrakk>\<And>q \<sigma>. \<lbrakk> q\<in>A2 ; \<sigma>\<in>domain(\<tau>) \<union> domain(\<theta>)\<rbrakk> \<Longrightarrow> Q(1,\<sigma>,\<tau>,q) \<and> Q(1,\<sigma>,\<theta>,q)\<rbrakk> \<Longrightarrow> Q(0,\<tau>,\<theta>,p)"
+  shows "a\<in>2\<times>A1\<times>A1\<times>A2 \<Longrightarrow> Q(ftype(a),name1(a),name2(a),cond_of(a))"
+proof (induct a rule:wf_induct[OF wf_frecrel[of "2\<times>A1\<times>A1\<times>A2"]])
+  case (1 x)
+  let ?\<tau> = "name1(x)" 
+  let ?\<theta> = "name2(x)"
+  let ?D = "2\<times>A1\<times>A1\<times>A2"
+  assume "x \<in> ?D"
+  then
+  have "cond_of(x)\<in>A2" 
+    by (auto simp add:components_simp)
+  from \<open>x\<in>?D\<close>
+  consider (eq) "ftype(x)=0" | (mem) "ftype(x)=1"
+    by (auto simp add:components_simp)
+  then 
+  show ?case 
+  proof cases
+    case eq
+    then 
+    have "Q(1, \<sigma>, ?\<tau>, q) \<and> Q(1, \<sigma>, ?\<theta>, q)" if "\<sigma> \<in> domain(?\<tau>) \<union> domain(?\<theta>)" and "q\<in>A2" for q \<sigma>
+    proof -
+      from 1
+      have A: "?\<tau>\<in>A1" "?\<theta>\<in>A1" "?\<tau>\<in>eclose(A1)" "?\<theta>\<in>eclose(A1)"
+        using  arg_into_eclose by (auto simp add:components_simp)
+      with  \<open>Transset(A1)\<close> that(1)
+      have "\<sigma>\<in>eclose(?\<tau>) \<union> eclose(?\<theta>)" 
+        using in_dom_in_eclose  by auto
+      then
+      have "\<sigma>\<in>A1"
+        using mem_eclose_subset[OF \<open>?\<tau>\<in>A1\<close>] mem_eclose_subset[OF \<open>?\<theta>\<in>A1\<close>] 
+          Transset_eclose_eq_arg[OF \<open>Transset(A1)\<close>] 
+        by auto         
+      with \<open>q\<in>A2\<close> \<open>?\<theta> \<in> A1\<close> \<open>cond_of(x)\<in>A2\<close> \<open>?\<tau>\<in>A1\<close>
+      have "frecR(\<langle>1, \<sigma>, ?\<tau>, q\<rangle>, x)" (is "frecR(?T,_)")
+        "frecR(\<langle>1, \<sigma>, ?\<theta>, q\<rangle>, x)" (is "frecR(?U,_)")
+        using  frecRI1'[OF that(1)] frecR_DI  \<open>ftype(x) = 0\<close> 
+          frecRI2'[OF that(1)] 
+        by (auto simp add:components_simp)
+      with \<open>x\<in>?D\<close> \<open>\<sigma>\<in>A1\<close> \<open>q\<in>A2\<close>
+      have "\<langle>?T,x\<rangle>\<in> frecrel(?D)" "\<langle>?U,x\<rangle>\<in> frecrel(?D)" 
+        using frecrelI[of ?T ?D x]  frecrelI[of ?U ?D x] by (auto simp add:components_simp)
+      with \<open>q\<in>A2\<close> \<open>\<sigma>\<in>A1\<close> \<open>?\<tau>\<in>A1\<close> \<open>?\<theta>\<in>A1\<close>
+      have "Q(1, \<sigma>, ?\<tau>, q)" using 1 by (force simp add:components_simp)
+      moreover from \<open>q\<in>A2\<close> \<open>\<sigma>\<in>A1\<close> \<open>?\<tau>\<in>A1\<close> \<open>?\<theta>\<in>A1\<close> \<open>\<langle>?U,x\<rangle>\<in> frecrel(?D)\<close>
+      have "Q(1, \<sigma>, ?\<theta>, q)" using 1 by (force simp add:components_simp)
+      ultimately
+      show ?thesis using A by simp
+    qed
+    then show ?thesis using assms(3) \<open>ftype(x) = 0\<close> \<open>cond_of(x)\<in>A2\<close> by auto
+  next
+    case mem
+    have "Q(0, ?\<tau>,  \<sigma>, q)" if "\<sigma> \<in> domain(?\<theta>)" and "q\<in>A2" for q \<sigma>
+    proof -
+      from 1 assms
+      have "?\<tau>\<in>A1" "?\<theta>\<in>A1" "cond_of(x)\<in>A2" "?\<tau>\<in>eclose(A1)" "?\<theta>\<in>eclose(A1)"
+        using  arg_into_eclose by (auto simp add:components_simp)
+      with  \<open>Transset(A1)\<close> that(1)
+      have "\<sigma>\<in> eclose(?\<theta>)" 
+        using in_dom_in_eclose  by auto
+      then
+      have "\<sigma>\<in>A1"
+        using mem_eclose_subset[OF \<open>?\<theta>\<in>A1\<close>] Transset_eclose_eq_arg[OF \<open>Transset(A1)\<close>] 
+        by auto         
+      with \<open>q\<in>A2\<close> \<open>?\<theta> \<in> A1\<close> \<open>cond_of(x)\<in>A2\<close> \<open>?\<tau>\<in>A1\<close>
+      have "frecR(\<langle>0, ?\<tau>, \<sigma>, q\<rangle>, x)" (is "frecR(?T,_)")
+        using  frecRI3'[OF that(1)] frecR_DI  \<open>ftype(x) = 1\<close>                 
+        by (auto simp add:components_simp)
+      with \<open>x\<in>?D\<close> \<open>\<sigma>\<in>A1\<close> \<open>q\<in>A2\<close> \<open>?\<tau>\<in>A1\<close>
+      have "\<langle>?T,x\<rangle>\<in> frecrel(?D)" "?T\<in>?D"
+        using frecrelI[of ?T ?D x] by (auto simp add:components_simp)
+      with \<open>q\<in>A2\<close> \<open>\<sigma>\<in>A1\<close> \<open>?\<tau>\<in>A1\<close> \<open>?\<theta>\<in>A1\<close> 1
+      show ?thesis by (force simp add:components_simp)
+    qed
+    then show ?thesis using assms(2) \<open>ftype(x) = 1\<close> \<open>cond_of(x)\<in>A2\<close>  by auto
+  qed
+qed
+
+lemma def_frecrel : "frecrel(A) = {z\<in>A\<times>A. \<exists>x y. z = \<langle>x, y\<rangle> \<and> frecR(x,y)}"
+  unfolding frecrel_def Rrel_def ..
+
+lemma frecrel_fst_snd:
+  "frecrel(A) = {z \<in> A\<times>A . 
+            ftype(fst(z)) = 1 \<and> 
+        ftype(snd(z)) = 0 \<and> name1(fst(z)) \<in> domain(name1(snd(z))) \<union> domain(name2(snd(z))) \<and> 
+            (name2(fst(z)) = name1(snd(z)) \<or> name2(fst(z)) = name2(snd(z))) 
+          \<or> (ftype(fst(z)) = 0 \<and> 
+        ftype(snd(z)) = 1 \<and>  name1(fst(z)) = name1(snd(z)) \<and> name2(fst(z)) \<in> domain(name2(snd(z))))}"
+  unfolding def_frecrel frecR_def
+  by (intro equalityI subsetI CollectI; elim CollectE; auto)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Infinity_Axiom.thy b/thys/Forcing/Infinity_Axiom.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Infinity_Axiom.thy
@@ -0,0 +1,37 @@
+section\<open>The Axiom of Infinity in $M[G]$\<close>
+theory Infinity_Axiom
+  imports Pairing_Axiom Union_Axiom Separation_Axiom
+begin
+
+context G_generic begin
+
+interpretation mg_triv: M_trivial"##M[G]"
+  using transitivity_MG zero_in_MG generic Union_MG pairing_in_MG
+  by unfold_locales auto
+
+lemma infinity_in_MG : "infinity_ax(##M[G])"
+proof -
+  from infinity_ax obtain I where
+    Eq1: "I\<in>M" "0 \<in> I" "\<forall>y\<in>M. y \<in> I \<longrightarrow> succ(y) \<in> I"
+    unfolding infinity_ax_def  by auto
+  then
+  have "check(I) \<in> M"
+    using check_in_M by simp
+  then
+  have "I\<in> M[G]"
+    using valcheck generic one_in_G one_in_P GenExtI[of "check(I)" G] by simp
+  with \<open>0\<in>I\<close>
+  have "0\<in>M[G]" using transitivity_MG by simp
+  with \<open>I\<in>M\<close>
+  have "y \<in> M" if "y \<in> I" for y
+    using  transitivity[OF _ \<open>I\<in>M\<close>] that by simp
+  with \<open>I\<in>M[G]\<close>
+  have "succ(y) \<in> I \<inter> M[G]" if "y \<in> I" for y
+    using that Eq1 transitivity_MG by blast
+  with Eq1 \<open>I\<in>M[G]\<close> \<open>0\<in>M[G]\<close>
+  show ?thesis
+    unfolding infinity_ax_def by auto
+qed
+
+end (* G_generic' *)
+end
\ No newline at end of file
diff --git a/thys/Forcing/Interface.thy b/thys/Forcing/Interface.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Interface.thy
@@ -0,0 +1,1376 @@
+section\<open>Interface between set models and Constructibility\<close>
+
+text\<open>This theory provides an interface between Paulson's
+relativization results and set models of ZFC. In particular,
+it is used to prove that the locale \<^term>\<open>forcing_data\<close> is
+a sublocale of all relevant locales in ZF-Constructibility
+(\<^term>\<open>M_trivial\<close>, \<^term>\<open>M_basic\<close>, \<^term>\<open>M_eclose\<close>, etc).\<close>
+
+theory Interface
+  imports
+    Nat_Miscellanea
+    Relative_Univ
+    Synthetic_Definition
+begin
+
+syntax
+  "_sats"  :: "[i, i, i] \<Rightarrow> o"  ("(_, _ \<Turnstile> _)" [36,36,36] 60)
+translations
+  "(M,env \<Turnstile> \<phi>)" \<rightleftharpoons> "CONST sats(M,\<phi>,env)"
+
+abbreviation
+  dec10  :: i   ("10") where "10 \<equiv> succ(9)"
+
+abbreviation
+  dec11  :: i   ("11") where "11 \<equiv> succ(10)"
+
+abbreviation
+  dec12  :: i   ("12") where "12 \<equiv> succ(11)"
+
+abbreviation
+  dec13  :: i   ("13") where "13 \<equiv> succ(12)"
+
+abbreviation
+  dec14  :: i   ("14") where "14 \<equiv> succ(13)"
+
+
+definition
+  infinity_ax :: "(i \<Rightarrow> o) \<Rightarrow> o" where
+  "infinity_ax(M) \<equiv>
+      (\<exists>I[M]. (\<exists>z[M]. empty(M,z) \<and> z\<in>I) \<and> (\<forall>y[M]. y\<in>I \<longrightarrow> (\<exists>sy[M]. successor(M,y,sy) \<and> sy\<in>I)))"
+
+definition
+  choice_ax :: "(i\<Rightarrow>o) \<Rightarrow> o" where
+  "choice_ax(M) \<equiv> \<forall>x[M]. \<exists>a[M]. \<exists>f[M]. ordinal(M,a) \<and> surjection(M,a,x,f)"
+
+context M_basic begin
+
+lemma choice_ax_abs :
+  "choice_ax(M) \<longleftrightarrow> (\<forall>x[M]. \<exists>a[M]. \<exists>f[M]. Ord(a) \<and> f \<in> surj(a,x))"
+  unfolding choice_ax_def
+  by (simp)
+
+end (* M_basic *)
+
+definition
+  wellfounded_trancl :: "[i=>o,i,i,i] => o" where
+  "wellfounded_trancl(M,Z,r,p) \<equiv>
+      \<exists>w[M]. \<exists>wx[M]. \<exists>rp[M].
+               w \<in> Z & pair(M,w,p,wx) & tran_closure(M,r,rp) & wx \<in> rp"
+
+lemma empty_intf :
+  "infinity_ax(M) \<Longrightarrow>
+  (\<exists>z[M]. empty(M,z))"
+  by (auto simp add: empty_def infinity_ax_def)
+
+lemma Transset_intf :
+  "Transset(M) \<Longrightarrow>  y\<in>x \<Longrightarrow> x \<in> M \<Longrightarrow> y \<in> M"
+  by (simp add: Transset_def,auto)
+
+locale M_ZF_trans =
+  fixes M
+  assumes
+    upair_ax:         "upair_ax(##M)"
+    and Union_ax:         "Union_ax(##M)"
+    and power_ax:         "power_ax(##M)"
+    and extensionality:   "extensionality(##M)"
+    and foundation_ax:    "foundation_ax(##M)"
+    and infinity_ax:      "infinity_ax(##M)"
+    and separation_ax:    "\<phi>\<in>formula \<Longrightarrow> env\<in>list(M) \<Longrightarrow> arity(\<phi>) \<le> 1 #+ length(env) \<Longrightarrow>
+                    separation(##M,\<lambda>x. sats(M,\<phi>,[x] @ env))"
+    and replacement_ax:   "\<phi>\<in>formula \<Longrightarrow> env\<in>list(M) \<Longrightarrow> arity(\<phi>) \<le> 2 #+ length(env) \<Longrightarrow>
+                    strong_replacement(##M,\<lambda>x y. sats(M,\<phi>,[x,y] @ env))"
+    and trans_M:          "Transset(M)"
+begin
+
+
+lemma TranssetI :
+  "(\<And>y x. y\<in>x \<Longrightarrow> x\<in>M \<Longrightarrow> y\<in>M) \<Longrightarrow> Transset(M)"
+  by (auto simp add: Transset_def)
+
+lemma zero_in_M:  "0 \<in> M"
+proof -
+  from infinity_ax have
+    "(\<exists>z[##M]. empty(##M,z))"
+    by (rule empty_intf)
+  then obtain z where
+    zm: "empty(##M,z)"  "z\<in>M"
+    by auto
+  with trans_M have "z=0"
+    by (simp  add: empty_def, blast intro: Transset_intf )
+  with zm show ?thesis
+    by simp
+qed
+
+subsection\<open>Interface with \<^term>\<open>M_trivial\<close>\<close>
+lemma mtrans :
+  "M_trans(##M)"
+  using Transset_intf[OF trans_M] zero_in_M exI[of "\<lambda>x. x\<in>M"]
+  by unfold_locales auto
+
+
+lemma mtriv :
+  "M_trivial(##M)"
+  using trans_M M_trivial.intro mtrans M_trivial_axioms.intro upair_ax Union_ax
+  by simp
+
+end
+
+sublocale M_ZF_trans \<subseteq> M_trivial "##M"
+  by (rule mtriv)
+
+context M_ZF_trans
+begin
+
+subsection\<open>Interface with \<^term>\<open>M_basic\<close>\<close>
+
+(* Inter_separation: "M(A) \<Longrightarrow> separation(M, \<lambda>x. \<forall> y[M]. y\<in>A \<Longrightarrow> x\<in>y)" *)
+schematic_goal inter_fm_auto:
+  assumes
+    "nth(i,env) = x" "nth(j,env) = B"
+    "i \<in> nat" "j \<in> nat" "env \<in> list(A)"
+  shows
+    "(\<forall>y\<in>A . y\<in>B \<longrightarrow> x\<in>y) \<longleftrightarrow> sats(A,?ifm(i,j),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+lemma inter_sep_intf :
+  assumes
+    "A\<in>M"
+  shows
+    "separation(##M,\<lambda>x . \<forall>y\<in>M . y\<in>A \<longrightarrow> x\<in>y)"
+proof -
+  obtain ifm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow> (\<forall> y\<in>M. y\<in>(nth(1,env)) \<longrightarrow> nth(0,env)\<in>y)
+    \<longleftrightarrow> sats(M,ifm(0,1),env)"
+    and
+    "ifm(0,1) \<in> formula"
+    and
+    "arity(ifm(0,1)) = 2"
+    using \<open>A\<in>M\<close> inter_fm_auto
+    by (simp del:FOL_sats_iff add: nat_simp_union)
+  then
+  have "\<forall>a\<in>M. separation(##M, \<lambda>x. sats(M,ifm(0,1) , [x, a]))"
+    using separation_ax by simp
+  moreover
+  have "(\<forall>y\<in>M . y\<in>a \<longrightarrow> x\<in>y) \<longleftrightarrow> sats(M,ifm(0,1),[x,a])"
+    if "a\<in>M" "x\<in>M" for a x
+    using that fmsats[of "[x,a]"] by simp
+  ultimately
+  have "\<forall>a\<in>M. separation(##M, \<lambda>x . \<forall>y\<in>M . y\<in>a \<longrightarrow> x\<in>y)"
+    unfolding separation_def by simp
+  with \<open>A\<in>M\<close> show ?thesis by simp
+qed
+
+
+(* Diff_separation: "M(B) \<Longrightarrow> separation(M, \<lambda>x. x \<notin> B)" *)
+schematic_goal diff_fm_auto:
+  assumes
+    "nth(i,env) = x" "nth(j,env) = B"
+    "i \<in> nat" "j \<in> nat" "env \<in> list(A)"
+  shows
+    "x\<notin>B \<longleftrightarrow> sats(A,?dfm(i,j),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+lemma diff_sep_intf :
+  assumes
+    "B\<in>M"
+  shows
+    "separation(##M,\<lambda>x . x\<notin>B)"
+proof -
+  obtain dfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow> nth(0,env)\<notin>nth(1,env)
+    \<longleftrightarrow> sats(M,dfm(0,1),env)"
+    and
+    "dfm(0,1) \<in> formula"
+    and
+    "arity(dfm(0,1)) = 2"
+    using \<open>B\<in>M\<close> diff_fm_auto
+    by (simp del:FOL_sats_iff add: nat_simp_union)
+  then
+  have "\<forall>b\<in>M. separation(##M, \<lambda>x. sats(M,dfm(0,1) , [x, b]))"
+    using separation_ax by simp
+  moreover
+  have "x\<notin>b \<longleftrightarrow> sats(M,dfm(0,1),[x,b])"
+    if "b\<in>M" "x\<in>M" for b x
+    using that fmsats[of "[x,b]"] by simp
+  ultimately
+  have "\<forall>b\<in>M. separation(##M, \<lambda>x . x\<notin>b)"
+    unfolding separation_def by simp
+  with \<open>B\<in>M\<close> show ?thesis by simp
+qed
+
+schematic_goal cprod_fm_auto:
+  assumes
+    "nth(i,env) = z" "nth(j,env) = B" "nth(h,env) = C"
+    "i \<in> nat" "j \<in> nat" "h \<in> nat" "env \<in> list(A)"
+  shows
+    "(\<exists>x\<in>A. x\<in>B \<and> (\<exists>y\<in>A. y\<in>C \<and> pair(##A,x,y,z))) \<longleftrightarrow> sats(A,?cpfm(i,j,h),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+
+lemma cartprod_sep_intf :
+  assumes
+    "A\<in>M"
+    and
+    "B\<in>M"
+  shows
+    "separation(##M,\<lambda>z. \<exists>x\<in>M. x\<in>A \<and> (\<exists>y\<in>M. y\<in>B \<and> pair(##M,x,y,z)))"
+proof -
+  obtain cpfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (\<exists>x\<in>M. x\<in>nth(1,env) \<and> (\<exists>y\<in>M. y\<in>nth(2,env) \<and> pair(##M,x,y,nth(0,env))))
+    \<longleftrightarrow> sats(M,cpfm(0,1,2),env)"
+    and
+    "cpfm(0,1,2) \<in> formula"
+    and
+    "arity(cpfm(0,1,2)) = 3"
+    using cprod_fm_auto by (simp del:FOL_sats_iff add: fm_defs nat_simp_union)
+  then
+  have "\<forall>a\<in>M. \<forall>b\<in>M. separation(##M, \<lambda>z. sats(M,cpfm(0,1,2) , [z, a, b]))"
+    using separation_ax by simp
+  moreover
+  have "(\<exists>x\<in>M. x\<in>a \<and> (\<exists>y\<in>M. y\<in>b \<and> pair(##M,x,y,z))) \<longleftrightarrow> sats(M,cpfm(0,1,2),[z,a,b])"
+    if "a\<in>M" "b\<in>M" "z\<in>M" for a b z
+    using that fmsats[of "[z,a,b]"] by simp
+  ultimately
+  have "\<forall>a\<in>M. \<forall>b\<in>M. separation(##M, \<lambda>z . (\<exists>x\<in>M. x\<in>a \<and> (\<exists>y\<in>M. y\<in>b \<and> pair(##M,x,y,z))))"
+    unfolding separation_def by simp
+  with \<open>A\<in>M\<close> \<open>B\<in>M\<close> show ?thesis by simp
+qed
+
+schematic_goal im_fm_auto:
+  assumes
+    "nth(i,env) = y" "nth(j,env) = r" "nth(h,env) = B"
+    "i \<in> nat" "j \<in> nat" "h \<in> nat" "env \<in> list(A)"
+  shows
+    "(\<exists>p\<in>A. p\<in>r & (\<exists>x\<in>A. x\<in>B & pair(##A,x,y,p))) \<longleftrightarrow> sats(A,?imfm(i,j,h),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+lemma image_sep_intf :
+  assumes
+    "A\<in>M"
+    and
+    "r\<in>M"
+  shows
+    "separation(##M, \<lambda>y. \<exists>p\<in>M. p\<in>r & (\<exists>x\<in>M. x\<in>A & pair(##M,x,y,p)))"
+proof -
+  obtain imfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (\<exists>p\<in>M. p\<in>nth(1,env) & (\<exists>x\<in>M. x\<in>nth(2,env) & pair(##M,x,nth(0,env),p)))
+    \<longleftrightarrow> sats(M,imfm(0,1,2),env)"
+    and
+    "imfm(0,1,2) \<in> formula"
+    and
+    "arity(imfm(0,1,2)) = 3"
+    using im_fm_auto by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "\<forall>r\<in>M. \<forall>a\<in>M. separation(##M, \<lambda>y. sats(M,imfm(0,1,2) , [y,r,a]))"
+    using separation_ax by simp
+  moreover
+  have "(\<exists>p\<in>M. p\<in>k & (\<exists>x\<in>M. x\<in>a & pair(##M,x,y,p))) \<longleftrightarrow> sats(M,imfm(0,1,2),[y,k,a])"
+    if "k\<in>M" "a\<in>M" "y\<in>M" for k a y
+    using that fmsats[of "[y,k,a]"] by simp
+  ultimately
+  have "\<forall>k\<in>M. \<forall>a\<in>M. separation(##M, \<lambda>y . \<exists>p\<in>M. p\<in>k & (\<exists>x\<in>M. x\<in>a & pair(##M,x,y,p)))"
+    unfolding separation_def by simp
+  with \<open>r\<in>M\<close> \<open>A\<in>M\<close> show ?thesis by simp
+qed
+
+schematic_goal con_fm_auto:
+  assumes
+    "nth(i,env) = z" "nth(j,env) = R"
+    "i \<in> nat" "j \<in> nat" "env \<in> list(A)"
+  shows
+    "(\<exists>p\<in>A. p\<in>R & (\<exists>x\<in>A.\<exists>y\<in>A. pair(##A,x,y,p) & pair(##A,y,x,z)))
+  \<longleftrightarrow> sats(A,?cfm(i,j),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+
+lemma converse_sep_intf :
+  assumes
+    "R\<in>M"
+  shows
+    "separation(##M,\<lambda>z. \<exists>p\<in>M. p\<in>R & (\<exists>x\<in>M.\<exists>y\<in>M. pair(##M,x,y,p) & pair(##M,y,x,z)))"
+proof -
+  obtain cfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (\<exists>p\<in>M. p\<in>nth(1,env) & (\<exists>x\<in>M.\<exists>y\<in>M. pair(##M,x,y,p) & pair(##M,y,x,nth(0,env))))
+    \<longleftrightarrow> sats(M,cfm(0,1),env)"
+    and
+    "cfm(0,1) \<in> formula"
+    and
+    "arity(cfm(0,1)) = 2"
+    using con_fm_auto by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "\<forall>r\<in>M. separation(##M, \<lambda>z. sats(M,cfm(0,1) , [z,r]))"
+    using separation_ax by simp
+  moreover
+  have "(\<exists>p\<in>M. p\<in>r & (\<exists>x\<in>M.\<exists>y\<in>M. pair(##M,x,y,p) & pair(##M,y,x,z))) \<longleftrightarrow>
+          sats(M,cfm(0,1),[z,r])"
+    if "z\<in>M" "r\<in>M" for z r
+    using that fmsats[of "[z,r]"] by simp
+  ultimately
+  have "\<forall>r\<in>M. separation(##M, \<lambda>z . \<exists>p\<in>M. p\<in>r & (\<exists>x\<in>M.\<exists>y\<in>M. pair(##M,x,y,p) & pair(##M,y,x,z)))"
+    unfolding separation_def by simp
+  with \<open>R\<in>M\<close> show ?thesis by simp
+qed
+
+
+schematic_goal rest_fm_auto:
+  assumes
+    "nth(i,env) = z" "nth(j,env) = C"
+    "i \<in> nat" "j \<in> nat" "env \<in> list(A)"
+  shows
+    "(\<exists>x\<in>A. x\<in>C & (\<exists>y\<in>A. pair(##A,x,y,z)))
+  \<longleftrightarrow> sats(A,?rfm(i,j),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+
+lemma restrict_sep_intf :
+  assumes
+    "A\<in>M"
+  shows
+    "separation(##M,\<lambda>z. \<exists>x\<in>M. x\<in>A & (\<exists>y\<in>M. pair(##M,x,y,z)))"
+proof -
+  obtain rfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (\<exists>x\<in>M. x\<in>nth(1,env) & (\<exists>y\<in>M. pair(##M,x,y,nth(0,env))))
+    \<longleftrightarrow> sats(M,rfm(0,1),env)"
+    and
+    "rfm(0,1) \<in> formula"
+    and
+    "arity(rfm(0,1)) = 2"
+    using rest_fm_auto by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "\<forall>a\<in>M. separation(##M, \<lambda>z. sats(M,rfm(0,1) , [z,a]))"
+    using separation_ax by simp
+  moreover
+  have "(\<exists>x\<in>M. x\<in>a & (\<exists>y\<in>M. pair(##M,x,y,z))) \<longleftrightarrow>
+          sats(M,rfm(0,1),[z,a])"
+    if "z\<in>M" "a\<in>M" for z a
+    using that fmsats[of "[z,a]"] by simp
+  ultimately
+  have "\<forall>a\<in>M. separation(##M, \<lambda>z . \<exists>x\<in>M. x\<in>a & (\<exists>y\<in>M. pair(##M,x,y,z)))"
+    unfolding separation_def by simp
+  with \<open>A\<in>M\<close> show ?thesis by simp
+qed
+
+schematic_goal comp_fm_auto:
+  assumes
+    "nth(i,env) = xz" "nth(j,env) = S" "nth(h,env) = R"
+    "i \<in> nat" "j \<in> nat" "h \<in> nat" "env \<in> list(A)"
+  shows
+    "(\<exists>x\<in>A. \<exists>y\<in>A. \<exists>z\<in>A. \<exists>xy\<in>A. \<exists>yz\<in>A.
+              pair(##A,x,z,xz) & pair(##A,x,y,xy) & pair(##A,y,z,yz) & xy\<in>S & yz\<in>R)
+  \<longleftrightarrow> sats(A,?cfm(i,j,h),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+
+lemma comp_sep_intf :
+  assumes
+    "R\<in>M"
+    and
+    "S\<in>M"
+  shows
+    "separation(##M,\<lambda>xz. \<exists>x\<in>M. \<exists>y\<in>M. \<exists>z\<in>M. \<exists>xy\<in>M. \<exists>yz\<in>M.
+              pair(##M,x,z,xz) & pair(##M,x,y,xy) & pair(##M,y,z,yz) & xy\<in>S & yz\<in>R)"
+proof -
+  obtain cfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (\<exists>x\<in>M. \<exists>y\<in>M. \<exists>z\<in>M. \<exists>xy\<in>M. \<exists>yz\<in>M. pair(##M,x,z,nth(0,env)) &
+            pair(##M,x,y,xy) & pair(##M,y,z,yz) & xy\<in>nth(1,env) & yz\<in>nth(2,env))
+    \<longleftrightarrow> sats(M,cfm(0,1,2),env)"
+    and
+    "cfm(0,1,2) \<in> formula"
+    and
+    "arity(cfm(0,1,2)) = 3"
+    using comp_fm_auto by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "\<forall>r\<in>M. \<forall>s\<in>M. separation(##M, \<lambda>y. sats(M,cfm(0,1,2) , [y,s,r]))"
+    using separation_ax by simp
+  moreover
+  have "(\<exists>x\<in>M. \<exists>y\<in>M. \<exists>z\<in>M. \<exists>xy\<in>M. \<exists>yz\<in>M.
+              pair(##M,x,z,xz) & pair(##M,x,y,xy) & pair(##M,y,z,yz) & xy\<in>s & yz\<in>r)
+          \<longleftrightarrow> sats(M,cfm(0,1,2) , [xz,s,r])"
+    if "xz\<in>M" "s\<in>M" "r\<in>M" for xz s r
+    using that fmsats[of "[xz,s,r]"] by simp
+  ultimately
+  have "\<forall>s\<in>M. \<forall>r\<in>M. separation(##M, \<lambda>xz . \<exists>x\<in>M. \<exists>y\<in>M. \<exists>z\<in>M. \<exists>xy\<in>M. \<exists>yz\<in>M.
+              pair(##M,x,z,xz) & pair(##M,x,y,xy) & pair(##M,y,z,yz) & xy\<in>s & yz\<in>r)"
+    unfolding separation_def by simp
+  with \<open>S\<in>M\<close> \<open>R\<in>M\<close> show ?thesis by simp
+qed
+
+
+schematic_goal pred_fm_auto:
+  assumes
+    "nth(i,env) = y" "nth(j,env) = R" "nth(h,env) = X"
+    "i \<in> nat" "j \<in> nat" "h \<in> nat" "env \<in> list(A)"
+  shows
+    "(\<exists>p\<in>A. p\<in>R & pair(##A,y,X,p)) \<longleftrightarrow> sats(A,?pfm(i,j,h),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+
+lemma pred_sep_intf:
+  assumes
+    "R\<in>M"
+    and
+    "X\<in>M"
+  shows
+    "separation(##M, \<lambda>y. \<exists>p\<in>M. p\<in>R & pair(##M,y,X,p))"
+proof -
+  obtain pfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (\<exists>p\<in>M. p\<in>nth(1,env) & pair(##M,nth(0,env),nth(2,env),p)) \<longleftrightarrow> sats(M,pfm(0,1,2),env)"
+    and
+    "pfm(0,1,2) \<in> formula"
+    and
+    "arity(pfm(0,1,2)) = 3"
+    using pred_fm_auto by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "\<forall>x\<in>M. \<forall>r\<in>M. separation(##M, \<lambda>y. sats(M,pfm(0,1,2) , [y,r,x]))"
+    using separation_ax by simp
+  moreover
+  have "(\<exists>p\<in>M. p\<in>r & pair(##M,y,x,p))
+          \<longleftrightarrow> sats(M,pfm(0,1,2) , [y,r,x])"
+    if "y\<in>M" "r\<in>M" "x\<in>M" for y x r
+    using that fmsats[of "[y,r,x]"] by simp
+  ultimately
+  have "\<forall>x\<in>M. \<forall>r\<in>M. separation(##M, \<lambda> y . \<exists>p\<in>M. p\<in>r & pair(##M,y,x,p))"
+    unfolding separation_def by simp
+  with \<open>X\<in>M\<close> \<open>R\<in>M\<close> show ?thesis by simp
+qed
+
+(* Memrel_separation:
+     "separation(M, \<lambda>z. \<exists>x[M]. \<exists>y[M]. pair(M,x,y,z) & x \<in> y)"
+*)
+schematic_goal mem_fm_auto:
+  assumes
+    "nth(i,env) = z" "i \<in> nat" "env \<in> list(A)"
+  shows
+    "(\<exists>x\<in>A. \<exists>y\<in>A. pair(##A,x,y,z) & x \<in> y) \<longleftrightarrow> sats(A,?mfm(i),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+lemma memrel_sep_intf:
+  "separation(##M, \<lambda>z. \<exists>x\<in>M. \<exists>y\<in>M. pair(##M,x,y,z) & x \<in> y)"
+proof -
+  obtain mfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (\<exists>x\<in>M. \<exists>y\<in>M. pair(##M,x,y,nth(0,env)) & x \<in> y) \<longleftrightarrow> sats(M,mfm(0),env)"
+    and
+    "mfm(0) \<in> formula"
+    and
+    "arity(mfm(0)) = 1"
+    using mem_fm_auto by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "separation(##M, \<lambda>z. sats(M,mfm(0) , [z]))"
+    using separation_ax by simp
+  moreover
+  have "(\<exists>x\<in>M. \<exists>y\<in>M. pair(##M,x,y,z) & x \<in> y) \<longleftrightarrow> sats(M,mfm(0),[z])"
+    if "z\<in>M" for z
+    using that fmsats[of "[z]"] by simp
+  ultimately
+  have "separation(##M, \<lambda>z . \<exists>x\<in>M. \<exists>y\<in>M. pair(##M,x,y,z) & x \<in> y)"
+    unfolding separation_def by simp
+  then show ?thesis by simp
+qed
+
+schematic_goal recfun_fm_auto:
+  assumes
+    "nth(i1,env) = x" "nth(i2,env) = r" "nth(i3,env) = f" "nth(i4,env) = g" "nth(i5,env) = a"
+    "nth(i6,env) = b" "i1\<in>nat" "i2\<in>nat" "i3\<in>nat" "i4\<in>nat" "i5\<in>nat" "i6\<in>nat" "env \<in> list(A)"
+  shows
+    "(\<exists>xa\<in>A. \<exists>xb\<in>A. pair(##A,x,a,xa) & xa \<in> r & pair(##A,x,b,xb) & xb \<in> r &
+                  (\<exists>fx\<in>A. \<exists>gx\<in>A. fun_apply(##A,f,x,fx) & fun_apply(##A,g,x,gx) & fx \<noteq> gx))
+    \<longleftrightarrow> sats(A,?rffm(i1,i2,i3,i4,i5,i6),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+
+lemma is_recfun_sep_intf :
+  assumes
+    "r\<in>M" "f\<in>M" "g\<in>M" "a\<in>M" "b\<in>M"
+  shows
+    "separation(##M,\<lambda>x. \<exists>xa\<in>M. \<exists>xb\<in>M.
+                    pair(##M,x,a,xa) & xa \<in> r & pair(##M,x,b,xb) & xb \<in> r &
+                    (\<exists>fx\<in>M. \<exists>gx\<in>M. fun_apply(##M,f,x,fx) & fun_apply(##M,g,x,gx) &
+                                     fx \<noteq> gx))"
+proof -
+  obtain rffm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (\<exists>xa\<in>M. \<exists>xb\<in>M. pair(##M,nth(0,env),nth(4,env),xa) & xa \<in> nth(1,env) &
+    pair(##M,nth(0,env),nth(5,env),xb) & xb \<in> nth(1,env) & (\<exists>fx\<in>M. \<exists>gx\<in>M.
+    fun_apply(##M,nth(2,env),nth(0,env),fx) & fun_apply(##M,nth(3,env),nth(0,env),gx) & fx \<noteq> gx))
+    \<longleftrightarrow> sats(M,rffm(0,1,2,3,4,5),env)"
+    and
+    "rffm(0,1,2,3,4,5) \<in> formula"
+    and
+    "arity(rffm(0,1,2,3,4,5)) = 6"
+    using recfun_fm_auto by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "\<forall>a1\<in>M. \<forall>a2\<in>M. \<forall>a3\<in>M. \<forall>a4\<in>M. \<forall>a5\<in>M.
+        separation(##M, \<lambda>x. sats(M,rffm(0,1,2,3,4,5) , [x,a1,a2,a3,a4,a5]))"
+    using separation_ax by simp
+  moreover
+  have "(\<exists>xa\<in>M. \<exists>xb\<in>M. pair(##M,x,a4,xa) & xa \<in> a1 & pair(##M,x,a5,xb) & xb \<in> a1 &
+          (\<exists>fx\<in>M. \<exists>gx\<in>M. fun_apply(##M,a2,x,fx) & fun_apply(##M,a3,x,gx) & fx \<noteq> gx))
+          \<longleftrightarrow> sats(M,rffm(0,1,2,3,4,5) , [x,a1,a2,a3,a4,a5])"
+    if "x\<in>M" "a1\<in>M" "a2\<in>M" "a3\<in>M" "a4\<in>M" "a5\<in>M"  for x a1 a2 a3 a4 a5
+    using that fmsats[of "[x,a1,a2,a3,a4,a5]"] by simp
+  ultimately
+  have "\<forall>a1\<in>M. \<forall>a2\<in>M. \<forall>a3\<in>M. \<forall>a4\<in>M. \<forall>a5\<in>M. separation(##M, \<lambda> x .
+          \<exists>xa\<in>M. \<exists>xb\<in>M. pair(##M,x,a4,xa) & xa \<in> a1 & pair(##M,x,a5,xb) & xb \<in> a1 &
+          (\<exists>fx\<in>M. \<exists>gx\<in>M. fun_apply(##M,a2,x,fx) & fun_apply(##M,a3,x,gx) & fx \<noteq> gx))"
+    unfolding separation_def by simp
+  with \<open>r\<in>M\<close> \<open>f\<in>M\<close> \<open>g\<in>M\<close> \<open>a\<in>M\<close> \<open>b\<in>M\<close> show ?thesis by simp
+qed
+
+
+(* Instance of Replacement for M_basic *)
+
+schematic_goal funsp_fm_auto:
+  assumes
+    "nth(i,env) = p" "nth(j,env) = z" "nth(h,env) = n"
+    "i \<in> nat" "j \<in> nat" "h \<in> nat" "env \<in> list(A)"
+  shows
+    "(\<exists>f\<in>A. \<exists>b\<in>A. \<exists>nb\<in>A. \<exists>cnbf\<in>A. pair(##A,f,b,p) & pair(##A,n,b,nb) & is_cons(##A,nb,f,cnbf) &
+    upair(##A,cnbf,cnbf,z)) \<longleftrightarrow> sats(A,?fsfm(i,j,h),env)"
+  by (insert assms ; (rule sep_rules | simp)+)
+
+
+lemma funspace_succ_rep_intf :
+  assumes
+    "n\<in>M"
+  shows
+    "strong_replacement(##M,
+          \<lambda>p z. \<exists>f\<in>M. \<exists>b\<in>M. \<exists>nb\<in>M. \<exists>cnbf\<in>M.
+                pair(##M,f,b,p) & pair(##M,n,b,nb) & is_cons(##M,nb,f,cnbf) &
+                upair(##M,cnbf,cnbf,z))"
+proof -
+  obtain fsfm where
+    fmsats:"env\<in>list(M) \<Longrightarrow>
+    (\<exists>f\<in>M. \<exists>b\<in>M. \<exists>nb\<in>M. \<exists>cnbf\<in>M. pair(##M,f,b,nth(0,env)) & pair(##M,nth(2,env),b,nb)
+      & is_cons(##M,nb,f,cnbf) & upair(##M,cnbf,cnbf,nth(1,env)))
+    \<longleftrightarrow> sats(M,fsfm(0,1,2),env)"
+    and "fsfm(0,1,2) \<in> formula" and "arity(fsfm(0,1,2)) = 3" for env
+    using funsp_fm_auto[of concl:M] by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "\<forall>n0\<in>M. strong_replacement(##M, \<lambda>p z. sats(M,fsfm(0,1,2) , [p,z,n0]))"
+    using replacement_ax by simp
+  moreover
+  have "(\<exists>f\<in>M. \<exists>b\<in>M. \<exists>nb\<in>M. \<exists>cnbf\<in>M. pair(##M,f,b,p) & pair(##M,n0,b,nb) &
+          is_cons(##M,nb,f,cnbf) & upair(##M,cnbf,cnbf,z))
+          \<longleftrightarrow> sats(M,fsfm(0,1,2) , [p,z,n0])"
+    if "p\<in>M" "z\<in>M" "n0\<in>M" for p z n0
+    using that fmsats[of "[p,z,n0]"] by simp
+  ultimately
+  have "\<forall>n0\<in>M. strong_replacement(##M, \<lambda> p z.
+          \<exists>f\<in>M. \<exists>b\<in>M. \<exists>nb\<in>M. \<exists>cnbf\<in>M. pair(##M,f,b,p) & pair(##M,n0,b,nb) &
+          is_cons(##M,nb,f,cnbf) & upair(##M,cnbf,cnbf,z))"
+    unfolding strong_replacement_def univalent_def by simp
+  with \<open>n\<in>M\<close> show ?thesis by simp
+qed
+
+
+(* Interface with M_basic *)
+
+lemmas M_basic_sep_instances =
+  inter_sep_intf diff_sep_intf cartprod_sep_intf
+  image_sep_intf converse_sep_intf restrict_sep_intf
+  pred_sep_intf memrel_sep_intf comp_sep_intf is_recfun_sep_intf
+
+lemma mbasic : "M_basic(##M)"
+  using trans_M zero_in_M power_ax M_basic_sep_instances funspace_succ_rep_intf mtriv
+  by unfold_locales auto
+
+end
+
+sublocale M_ZF_trans \<subseteq> M_basic "##M"
+  by (rule mbasic)
+
+subsection\<open>Interface with \<^term>\<open>M_trancl\<close>\<close>
+
+(* rtran_closure_mem *)
+schematic_goal rtran_closure_mem_auto:
+  assumes
+    "nth(i,env) = p" "nth(j,env) = r"  "nth(k,env) = B"
+    "i \<in> nat" "j \<in> nat" "k \<in> nat" "env \<in> list(A)"
+  shows
+    "rtran_closure_mem(##A,B,r,p) \<longleftrightarrow> sats(A,?rcfm(i,j,k),env)"
+  unfolding rtran_closure_mem_def
+  by (insert assms ; (rule sep_rules | simp)+)
+
+
+lemma (in M_ZF_trans) rtrancl_separation_intf:
+  assumes
+    "r\<in>M"
+    and
+    "A\<in>M"
+  shows
+    "separation (##M, rtran_closure_mem(##M,A,r))"
+proof -
+  obtain rcfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (rtran_closure_mem(##M,nth(2,env),nth(1,env),nth(0,env))) \<longleftrightarrow> sats(M,rcfm(0,1,2),env)"
+    and
+    "rcfm(0,1,2) \<in> formula"
+    and
+    "arity(rcfm(0,1,2)) = 3"
+    using rtran_closure_mem_auto by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "\<forall>x\<in>M. \<forall>a\<in>M. separation(##M, \<lambda>y. sats(M,rcfm(0,1,2) , [y,x,a]))"
+    using separation_ax by simp
+  moreover
+  have "(rtran_closure_mem(##M,a,x,y))
+          \<longleftrightarrow> sats(M,rcfm(0,1,2) , [y,x,a])"
+    if "y\<in>M" "x\<in>M" "a\<in>M" for y x a
+    using that fmsats[of "[y,x,a]"] by simp
+  ultimately
+  have "\<forall>x\<in>M. \<forall>a\<in>M. separation(##M, rtran_closure_mem(##M,a,x))"
+    unfolding separation_def by simp
+  with \<open>r\<in>M\<close> \<open>A\<in>M\<close> show ?thesis by simp
+qed
+
+schematic_goal rtran_closure_fm_auto:
+  assumes
+    "nth(i,env) = r" "nth(j,env) = rp"
+    "i \<in> nat" "j \<in> nat" "env \<in> list(A)"
+  shows
+    "rtran_closure(##A,r,rp) \<longleftrightarrow> sats(A,?rtc(i,j),env)"
+  unfolding rtran_closure_def
+  by (insert assms ; (rule sep_rules rtran_closure_mem_auto | simp)+)
+
+schematic_goal trans_closure_fm_auto:
+  assumes
+    "nth(i,env) = r" "nth(j,env) = rp"
+    "i \<in> nat" "j \<in> nat" "env \<in> list(A)"
+  shows
+    "tran_closure(##A,r,rp) \<longleftrightarrow> sats(A,?tc(i,j),env)"
+  unfolding tran_closure_def
+  by (insert assms ; (rule sep_rules rtran_closure_fm_auto | simp))+
+
+synthesize "trans_closure_fm" from_schematic trans_closure_fm_auto
+
+schematic_goal wellfounded_trancl_fm_auto:
+  assumes
+    "nth(i,env) = p" "nth(j,env) = r"  "nth(k,env) = B"
+    "i \<in> nat" "j \<in> nat" "k \<in> nat" "env \<in> list(A)"
+  shows
+    "wellfounded_trancl(##A,B,r,p) \<longleftrightarrow> sats(A,?wtf(i,j,k),env)"
+  unfolding  wellfounded_trancl_def
+  by (insert assms ; (rule sep_rules trans_closure_fm_iff_sats | simp)+)
+
+lemma (in M_ZF_trans) wftrancl_separation_intf:
+  assumes
+    "r\<in>M"
+    and
+    "Z\<in>M"
+  shows
+    "separation (##M, wellfounded_trancl(##M,Z,r))"
+proof -
+  obtain rcfm where
+    fmsats:"\<And>env. env\<in>list(M) \<Longrightarrow>
+    (wellfounded_trancl(##M,nth(2,env),nth(1,env),nth(0,env))) \<longleftrightarrow> sats(M,rcfm(0,1,2),env)"
+    and
+    "rcfm(0,1,2) \<in> formula"
+    and
+    "arity(rcfm(0,1,2)) = 3"
+    using wellfounded_trancl_fm_auto[of concl:M "nth(2,_)"] unfolding fm_defs trans_closure_fm_def
+    by (simp del:FOL_sats_iff pair_abs add: fm_defs nat_simp_union)
+  then
+  have "\<forall>x\<in>M. \<forall>z\<in>M. separation(##M, \<lambda>y. sats(M,rcfm(0,1,2) , [y,x,z]))"
+    using separation_ax by simp
+  moreover
+  have "(wellfounded_trancl(##M,z,x,y))
+          \<longleftrightarrow> sats(M,rcfm(0,1,2) , [y,x,z])"
+    if "y\<in>M" "x\<in>M" "z\<in>M" for y x z
+    using that fmsats[of "[y,x,z]"] by simp
+  ultimately
+  have "\<forall>x\<in>M. \<forall>z\<in>M. separation(##M, wellfounded_trancl(##M,z,x))"
+    unfolding separation_def by simp
+  with \<open>r\<in>M\<close> \<open>Z\<in>M\<close> show ?thesis by simp
+qed
+
+(* nat \<in> M *)
+
+lemma (in M_ZF_trans) finite_sep_intf:
+  "separation(##M, \<lambda>x. x\<in>nat)"
+proof -
+  have "arity(finite_ordinal_fm(0)) = 1 "
+    unfolding finite_ordinal_fm_def limit_ordinal_fm_def empty_fm_def succ_fm_def cons_fm_def
+      union_fm_def upair_fm_def
+    by (simp add: nat_union_abs1 Un_commute)
+  with separation_ax
+  have "(\<forall>v\<in>M. separation(##M,\<lambda>x. sats(M,finite_ordinal_fm(0),[x,v])))"
+    by simp
+  then have "(\<forall>v\<in>M. separation(##M,finite_ordinal(##M)))"
+    unfolding separation_def by simp
+  then have "separation(##M,finite_ordinal(##M))"
+    using zero_in_M by auto
+  then show ?thesis unfolding separation_def by simp
+qed
+
+
+lemma (in M_ZF_trans) nat_subset_I' :
+  "\<lbrakk> I\<in>M ; 0\<in>I ; \<And>x. x\<in>I \<Longrightarrow> succ(x)\<in>I \<rbrakk> \<Longrightarrow> nat \<subseteq> I"
+  by (rule subsetI,induct_tac x,simp+)
+
+
+lemma (in M_ZF_trans) nat_subset_I :
+  "\<exists>I\<in>M. nat \<subseteq> I"
+proof -
+  have "\<exists>I\<in>M. 0\<in>I \<and> (\<forall>x\<in>M. x\<in>I \<longrightarrow> succ(x)\<in>I)"
+    using infinity_ax unfolding infinity_ax_def by auto
+  then obtain I where
+    "I\<in>M" "0\<in>I" "(\<forall>x\<in>M. x\<in>I \<longrightarrow> succ(x)\<in>I)"
+    by auto
+  then have "\<And>x. x\<in>I \<Longrightarrow> succ(x)\<in>I"
+    using Transset_intf[OF trans_M]  by simp
+  then have "nat\<subseteq>I"
+    using  \<open>I\<in>M\<close> \<open>0\<in>I\<close> nat_subset_I' by simp
+  then show ?thesis using \<open>I\<in>M\<close> by auto
+qed
+
+lemma (in M_ZF_trans) nat_in_M :
+  "nat \<in> M"
+proof -
+  have 1:"{x\<in>B . x\<in>A}=A" if "A\<subseteq>B" for A B
+    using that by auto
+  obtain I where
+    "I\<in>M" "nat\<subseteq>I"
+    using nat_subset_I by auto
+  then have "{x\<in>I . x\<in>nat} \<in> M"
+    using finite_sep_intf separation_closed[of "\<lambda>x . x\<in>nat"] by simp
+  then show ?thesis
+    using \<open>nat\<subseteq>I\<close> 1 by simp
+qed
+  (* end nat \<in> M *)
+
+
+lemma (in M_ZF_trans) mtrancl : "M_trancl(##M)"
+  using  mbasic rtrancl_separation_intf wftrancl_separation_intf nat_in_M
+    wellfounded_trancl_def
+  by unfold_locales auto
+
+sublocale M_ZF_trans \<subseteq> M_trancl "##M"
+  by (rule mtrancl)
+
+subsection\<open>Interface with \<^term>\<open>M_eclose\<close>\<close>
+
+lemma repl_sats:
+  assumes
+    sat:"\<And>x z. x\<in>M \<Longrightarrow> z\<in>M \<Longrightarrow> sats(M,\<phi>,Cons(x,Cons(z,env))) \<longleftrightarrow> P(x,z)"
+  shows
+    "strong_replacement(##M,\<lambda>x z. sats(M,\<phi>,Cons(x,Cons(z,env)))) \<longleftrightarrow>
+   strong_replacement(##M,P)"
+  by (rule strong_replacement_cong,simp add:sat)
+
+lemma (in M_ZF_trans) nat_trans_M :
+  "n\<in>M" if "n\<in>nat" for n
+  using that nat_in_M Transset_intf[OF trans_M] by simp
+
+lemma (in M_ZF_trans) list_repl1_intf:
+  assumes
+    "A\<in>M"
+  shows
+    "iterates_replacement(##M, is_list_functor(##M,A), 0)"
+proof -
+  {
+    fix n
+    assume "n\<in>nat"
+    have "succ(n)\<in>M"
+      using \<open>n\<in>nat\<close> nat_trans_M by simp
+    then have 1:"Memrel(succ(n))\<in>M"
+      using \<open>n\<in>nat\<close> Memrel_closed by simp
+    have "0\<in>M"
+      using  nat_0I nat_trans_M by simp
+    then have "is_list_functor(##M, A, a, b)
+       \<longleftrightarrow> sats(M, list_functor_fm(13,1,0), [b,a,c,d,a0,a1,a2,a3,a4,y,x,z,Memrel(succ(n)),A,0])"
+      if "a\<in>M" "b\<in>M" "c\<in>M" "d\<in>M" "a0\<in>M" "a1\<in>M" "a2\<in>M" "a3\<in>M" "a4\<in>M" "y\<in>M" "x\<in>M" "z\<in>M"
+      for a b c d a0 a1 a2 a3 a4 y x z
+      using that 1 \<open>A\<in>M\<close> list_functor_iff_sats by simp
+    then have "sats(M, iterates_MH_fm(list_functor_fm(13,1,0),10,2,1,0), [a0,a1,a2,a3,a4,y,x,z,Memrel(succ(n)),A,0])
+        \<longleftrightarrow> iterates_MH(##M,is_list_functor(##M,A),0,a2, a1, a0)"
+      if "a0\<in>M" "a1\<in>M" "a2\<in>M" "a3\<in>M" "a4\<in>M" "y\<in>M" "x\<in>M" "z\<in>M"
+      for a0 a1 a2 a3 a4 y x z
+      using that sats_iterates_MH_fm[of M "is_list_functor(##M,A)" _] 1 \<open>0\<in>M\<close> \<open>A\<in>M\<close>  by simp
+    then have 2:"sats(M, is_wfrec_fm(iterates_MH_fm(list_functor_fm(13,1,0),10,2,1,0),3,1,0),
+                            [y,x,z,Memrel(succ(n)),A,0])
+        \<longleftrightarrow>
+        is_wfrec(##M, iterates_MH(##M,is_list_functor(##M,A),0) , Memrel(succ(n)), x, y)"
+      if "y\<in>M" "x\<in>M" "z\<in>M" for y x z
+      using  that sats_is_wfrec_fm 1 \<open>0\<in>M\<close> \<open>A\<in>M\<close> by simp
+    let
+      ?f="Exists(And(pair_fm(1,0,2),
+               is_wfrec_fm(iterates_MH_fm(list_functor_fm(13,1,0),10,2,1,0),3,1,0)))"
+    have satsf:"sats(M, ?f, [x,z,Memrel(succ(n)),A,0])
+        \<longleftrightarrow>
+        (\<exists>y\<in>M. pair(##M,x,y,z) &
+        is_wfrec(##M, iterates_MH(##M,is_list_functor(##M,A),0) , Memrel(succ(n)), x, y))"
+      if "x\<in>M" "z\<in>M" for x z
+      using that 2 1 \<open>0\<in>M\<close> \<open>A\<in>M\<close> by (simp del:pair_abs)
+    have "arity(?f) = 5"
+      unfolding iterates_MH_fm_def is_wfrec_fm_def is_recfun_fm_def is_nat_case_fm_def
+        restriction_fm_def list_functor_fm_def number1_fm_def cartprod_fm_def
+        sum_fm_def quasinat_fm_def pre_image_fm_def fm_defs
+      by (simp add:nat_simp_union)
+    then
+    have "strong_replacement(##M,\<lambda>x z. sats(M,?f,[x,z,Memrel(succ(n)),A,0]))"
+      using replacement_ax 1 \<open>A\<in>M\<close> \<open>0\<in>M\<close> by simp
+    then
+    have "strong_replacement(##M,\<lambda>x z.
+          \<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, iterates_MH(##M,is_list_functor(##M,A),0) ,
+                Memrel(succ(n)), x, y))"
+      using repl_sats[of M ?f "[Memrel(succ(n)),A,0]"]  satsf by (simp del:pair_abs)
+  }
+  then
+  show ?thesis unfolding iterates_replacement_def wfrec_replacement_def by simp
+qed
+
+
+
+(* Iterates_replacement para predicados sin parámetros *)
+lemma (in M_ZF_trans) iterates_repl_intf :
+  assumes
+    "v\<in>M" and
+    isfm:"is_F_fm \<in> formula" and
+    arty:"arity(is_F_fm)=2" and
+    satsf: "\<And>a b env'. \<lbrakk> a\<in>M ; b\<in>M ; env'\<in>list(M) \<rbrakk>
+              \<Longrightarrow> is_F(a,b) \<longleftrightarrow> sats(M, is_F_fm, [b,a]@env')"
+  shows
+    "iterates_replacement(##M,is_F,v)"
+proof -
+  {
+    fix n
+    assume "n\<in>nat"
+    have "succ(n)\<in>M"
+      using \<open>n\<in>nat\<close> nat_trans_M by simp
+    then have 1:"Memrel(succ(n))\<in>M"
+      using \<open>n\<in>nat\<close> Memrel_closed by simp
+    {
+      fix a0 a1 a2 a3 a4 y x z
+      assume as:"a0\<in>M" "a1\<in>M" "a2\<in>M" "a3\<in>M" "a4\<in>M" "y\<in>M" "x\<in>M" "z\<in>M"
+      have "sats(M, is_F_fm, Cons(b,Cons(a,Cons(c,Cons(d,[a0,a1,a2,a3,a4,y,x,z,Memrel(succ(n)),v])))))
+          \<longleftrightarrow> is_F(a,b)"
+        if "a\<in>M" "b\<in>M" "c\<in>M" "d\<in>M" for a b c d
+        using as that 1 satsf[of a b "[c,d,a0,a1,a2,a3,a4,y,x,z,Memrel(succ(n)),v]"] \<open>v\<in>M\<close> by simp
+      then
+      have "sats(M, iterates_MH_fm(is_F_fm,9,2,1,0), [a0,a1,a2,a3,a4,y,x,z,Memrel(succ(n)),v])
+          \<longleftrightarrow> iterates_MH(##M,is_F,v,a2, a1, a0)"
+        using as
+          sats_iterates_MH_fm[of M "is_F" "is_F_fm"] 1 \<open>v\<in>M\<close> by simp
+    }
+    then have 2:"sats(M, is_wfrec_fm(iterates_MH_fm(is_F_fm,9,2,1,0),3,1,0),
+                            [y,x,z,Memrel(succ(n)),v])
+        \<longleftrightarrow>
+        is_wfrec(##M, iterates_MH(##M,is_F,v),Memrel(succ(n)), x, y)"
+      if "y\<in>M" "x\<in>M" "z\<in>M" for y x z
+      using  that sats_is_wfrec_fm 1 \<open>v\<in>M\<close> by simp
+    let
+      ?f="Exists(And(pair_fm(1,0,2),
+               is_wfrec_fm(iterates_MH_fm(is_F_fm,9,2,1,0),3,1,0)))"
+    have satsf:"sats(M, ?f, [x,z,Memrel(succ(n)),v])
+        \<longleftrightarrow>
+        (\<exists>y\<in>M. pair(##M,x,y,z) &
+        is_wfrec(##M, iterates_MH(##M,is_F,v) , Memrel(succ(n)), x, y))"
+      if "x\<in>M" "z\<in>M" for x z
+      using that 2 1 \<open>v\<in>M\<close> by (simp del:pair_abs)
+    have "arity(?f) = 4"
+      unfolding iterates_MH_fm_def is_wfrec_fm_def is_recfun_fm_def is_nat_case_fm_def
+        restriction_fm_def pre_image_fm_def quasinat_fm_def fm_defs
+      using arty by (simp add:nat_simp_union)
+    then
+    have "strong_replacement(##M,\<lambda>x z. sats(M,?f,[x,z,Memrel(succ(n)),v]))"
+      using replacement_ax 1 \<open>v\<in>M\<close> \<open>is_F_fm\<in>formula\<close> by simp
+    then
+    have "strong_replacement(##M,\<lambda>x z.
+          \<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, iterates_MH(##M,is_F,v) ,
+                Memrel(succ(n)), x, y))"
+      using repl_sats[of M ?f "[Memrel(succ(n)),v]"]  satsf by (simp del:pair_abs)
+  }
+  then
+  show ?thesis unfolding iterates_replacement_def wfrec_replacement_def by simp
+qed
+
+lemma (in M_ZF_trans) formula_repl1_intf :
+  "iterates_replacement(##M, is_formula_functor(##M), 0)"
+proof -
+  have "0\<in>M"
+    using  nat_0I nat_trans_M by simp
+  have 1:"arity(formula_functor_fm(1,0)) = 2"
+    unfolding formula_functor_fm_def fm_defs sum_fm_def cartprod_fm_def number1_fm_def
+    by (simp add:nat_simp_union)
+  have 2:"formula_functor_fm(1,0)\<in>formula" by simp
+  have "is_formula_functor(##M,a,b) \<longleftrightarrow>
+        sats(M, formula_functor_fm(1,0), [b,a])"
+    if "a\<in>M" "b\<in>M"  for a b
+    using that by simp
+  then show ?thesis using \<open>0\<in>M\<close> 1 2 iterates_repl_intf by simp
+qed
+
+lemma (in M_ZF_trans) nth_repl_intf:
+  assumes
+    "l \<in> M"
+  shows
+    "iterates_replacement(##M,\<lambda>l' t. is_tl(##M,l',t),l)"
+proof -
+  have 1:"arity(tl_fm(1,0)) = 2"
+    unfolding tl_fm_def fm_defs quasilist_fm_def Cons_fm_def Nil_fm_def Inr_fm_def number1_fm_def
+      Inl_fm_def by (simp add:nat_simp_union)
+  have 2:"tl_fm(1,0)\<in>formula" by simp
+  have "is_tl(##M,a,b) \<longleftrightarrow> sats(M, tl_fm(1,0), [b,a])"
+    if "a\<in>M" "b\<in>M" for a b
+    using that by simp
+  then show ?thesis using \<open>l\<in>M\<close> 1 2 iterates_repl_intf by simp
+qed
+
+
+lemma (in M_ZF_trans) eclose_repl1_intf:
+  assumes
+    "A\<in>M"
+  shows
+    "iterates_replacement(##M, big_union(##M), A)"
+proof -
+  have 1:"arity(big_union_fm(1,0)) = 2"
+    unfolding big_union_fm_def fm_defs by (simp add:nat_simp_union)
+  have 2:"big_union_fm(1,0)\<in>formula" by simp
+  have "big_union(##M,a,b) \<longleftrightarrow> sats(M, big_union_fm(1,0), [b,a])"
+    if "a\<in>M" "b\<in>M" for a b
+    using that by simp
+  then show ?thesis using \<open>A\<in>M\<close> 1 2 iterates_repl_intf by simp
+qed
+
+(*
+    and list_replacement2:
+   "M(A) \<Longrightarrow> strong_replacement(M,
+         \<lambda>n y. n\<in>nat & is_iterates(M, is_list_functor(M,A), 0, n, y))"
+
+*)
+lemma (in M_ZF_trans) list_repl2_intf:
+  assumes
+    "A\<in>M"
+  shows
+    "strong_replacement(##M,\<lambda>n y. n\<in>nat & is_iterates(##M, is_list_functor(##M,A), 0, n, y))"
+proof -
+  have "0\<in>M"
+    using  nat_0I nat_trans_M by simp
+  have "is_list_functor(##M,A,a,b) \<longleftrightarrow>
+        sats(M,list_functor_fm(13,1,0),[b,a,c,d,e,f,g,h,i,j,k,n,y,A,0,nat])"
+    if "a\<in>M" "b\<in>M" "c\<in>M" "d\<in>M" "e\<in>M" "f\<in>M""g\<in>M""h\<in>M""i\<in>M""j\<in>M" "k\<in>M" "n\<in>M" "y\<in>M"
+    for a b c d e f g h i j k n y
+    using that \<open>0\<in>M\<close> nat_in_M \<open>A\<in>M\<close> by simp
+  then
+  have 1:"sats(M, is_iterates_fm(list_functor_fm(13,1,0),3,0,1),[n,y,A,0,nat] ) \<longleftrightarrow>
+           is_iterates(##M, is_list_functor(##M,A), 0, n , y)"
+    if "n\<in>M" "y\<in>M" for n y
+    using that \<open>0\<in>M\<close> \<open>A\<in>M\<close> nat_in_M
+      sats_is_iterates_fm[of M "is_list_functor(##M,A)"] by simp
+  let ?f = "And(Member(0,4),is_iterates_fm(list_functor_fm(13,1,0),3,0,1))"
+  have satsf:"sats(M, ?f,[n,y,A,0,nat] ) \<longleftrightarrow>
+        n\<in>nat & is_iterates(##M, is_list_functor(##M,A), 0, n, y)"
+    if "n\<in>M" "y\<in>M" for n y
+    using that \<open>0\<in>M\<close> \<open>A\<in>M\<close> nat_in_M 1 by simp
+  have "arity(?f) = 5"
+    unfolding is_iterates_fm_def restriction_fm_def list_functor_fm_def number1_fm_def Memrel_fm_def
+      cartprod_fm_def sum_fm_def quasinat_fm_def pre_image_fm_def fm_defs is_wfrec_fm_def
+      is_recfun_fm_def iterates_MH_fm_def is_nat_case_fm_def
+    by (simp add:nat_simp_union)
+  then
+  have "strong_replacement(##M,\<lambda>n y. sats(M,?f,[n,y,A,0,nat]))"
+    using replacement_ax 1 nat_in_M \<open>A\<in>M\<close> \<open>0\<in>M\<close> by simp
+  then
+  show ?thesis using repl_sats[of M ?f "[A,0,nat]"]  satsf  by simp
+qed
+
+lemma (in M_ZF_trans) formula_repl2_intf:
+  "strong_replacement(##M,\<lambda>n y. n\<in>nat & is_iterates(##M, is_formula_functor(##M), 0, n, y))"
+proof -
+  have "0\<in>M"
+    using  nat_0I nat_trans_M by simp
+  have "is_formula_functor(##M,a,b) \<longleftrightarrow>
+        sats(M,formula_functor_fm(1,0),[b,a,c,d,e,f,g,h,i,j,k,n,y,0,nat])"
+    if "a\<in>M" "b\<in>M" "c\<in>M" "d\<in>M" "e\<in>M" "f\<in>M""g\<in>M""h\<in>M""i\<in>M""j\<in>M" "k\<in>M" "n\<in>M" "y\<in>M"
+    for a b c d e f g h i j k n y
+    using that \<open>0\<in>M\<close> nat_in_M by simp
+  then
+  have 1:"sats(M, is_iterates_fm(formula_functor_fm(1,0),2,0,1),[n,y,0,nat] ) \<longleftrightarrow>
+           is_iterates(##M, is_formula_functor(##M), 0, n , y)"
+    if "n\<in>M" "y\<in>M" for n y
+    using that \<open>0\<in>M\<close> nat_in_M
+      sats_is_iterates_fm[of M "is_formula_functor(##M)"] by simp
+  let ?f = "And(Member(0,3),is_iterates_fm(formula_functor_fm(1,0),2,0,1))"
+  have satsf:"sats(M, ?f,[n,y,0,nat] ) \<longleftrightarrow>
+        n\<in>nat & is_iterates(##M, is_formula_functor(##M), 0, n, y)"
+    if "n\<in>M" "y\<in>M" for n y
+    using that \<open>0\<in>M\<close> nat_in_M 1 by simp
+  have artyf:"arity(?f) = 4"
+    unfolding is_iterates_fm_def formula_functor_fm_def fm_defs sum_fm_def quasinat_fm_def
+      cartprod_fm_def number1_fm_def Memrel_fm_def ordinal_fm_def transset_fm_def
+      is_wfrec_fm_def is_recfun_fm_def iterates_MH_fm_def is_nat_case_fm_def subset_fm_def
+      pre_image_fm_def restriction_fm_def
+    by (simp add:nat_simp_union)
+  then
+  have "strong_replacement(##M,\<lambda>n y. sats(M,?f,[n,y,0,nat]))"
+    using replacement_ax 1 artyf \<open>0\<in>M\<close> nat_in_M by simp
+  then
+  show ?thesis using repl_sats[of M ?f "[0,nat]"]  satsf  by simp
+qed
+
+
+(*
+   "M(A) \<Longrightarrow> strong_replacement(M,
+         \<lambda>n y. n\<in>nat & is_iterates(M, big_union(M), A, n, y))"
+*)
+
+lemma (in M_ZF_trans) eclose_repl2_intf:
+  assumes
+    "A\<in>M"
+  shows
+    "strong_replacement(##M,\<lambda>n y. n\<in>nat & is_iterates(##M, big_union(##M), A, n, y))"
+proof -
+  have "big_union(##M,a,b) \<longleftrightarrow>
+        sats(M,big_union_fm(1,0),[b,a,c,d,e,f,g,h,i,j,k,n,y,A,nat])"
+    if "a\<in>M" "b\<in>M" "c\<in>M" "d\<in>M" "e\<in>M" "f\<in>M""g\<in>M""h\<in>M""i\<in>M""j\<in>M" "k\<in>M" "n\<in>M" "y\<in>M"
+    for a b c d e f g h i j k n y
+    using that \<open>A\<in>M\<close> nat_in_M by simp
+  then
+  have 1:"sats(M, is_iterates_fm(big_union_fm(1,0),2,0,1),[n,y,A,nat] ) \<longleftrightarrow>
+           is_iterates(##M, big_union(##M), A, n , y)"
+    if "n\<in>M" "y\<in>M" for n y
+    using that \<open>A\<in>M\<close> nat_in_M
+      sats_is_iterates_fm[of M "big_union(##M)"] by simp
+  let ?f = "And(Member(0,3),is_iterates_fm(big_union_fm(1,0),2,0,1))"
+  have satsf:"sats(M, ?f,[n,y,A,nat] ) \<longleftrightarrow>
+        n\<in>nat & is_iterates(##M, big_union(##M), A, n, y)"
+    if "n\<in>M" "y\<in>M" for n y
+    using that \<open>A\<in>M\<close> nat_in_M 1 by simp
+  have artyf:"arity(?f) = 4"
+    unfolding is_iterates_fm_def formula_functor_fm_def fm_defs sum_fm_def quasinat_fm_def
+      cartprod_fm_def number1_fm_def Memrel_fm_def ordinal_fm_def transset_fm_def
+      is_wfrec_fm_def is_recfun_fm_def iterates_MH_fm_def is_nat_case_fm_def subset_fm_def
+      pre_image_fm_def restriction_fm_def
+    by (simp add:nat_simp_union)
+  then
+  have "strong_replacement(##M,\<lambda>n y. sats(M,?f,[n,y,A,nat]))"
+    using replacement_ax 1 artyf \<open>A\<in>M\<close> nat_in_M by simp
+  then
+  show ?thesis using repl_sats[of M ?f "[A,nat]"]  satsf  by simp
+qed
+
+lemma (in M_ZF_trans) mdatatypes : "M_datatypes(##M)"
+  using  mtrancl list_repl1_intf list_repl2_intf formula_repl1_intf
+    formula_repl2_intf nth_repl_intf
+  by unfold_locales auto
+
+sublocale M_ZF_trans \<subseteq> M_datatypes "##M"
+  by (rule mdatatypes)
+
+lemma (in M_ZF_trans) meclose : "M_eclose(##M)"
+  using mdatatypes eclose_repl1_intf eclose_repl2_intf
+  by unfold_locales auto
+
+sublocale M_ZF_trans \<subseteq> M_eclose "##M"
+  by (rule meclose)
+
+(* Interface with locale M_eclose_pow *)
+
+(* "powerset(M,A,z) \<equiv> \<forall>x[M]. x \<in> z \<longleftrightarrow> subset(M,x,A)" *)
+definition
+  powerset_fm :: "[i,i] \<Rightarrow> i" where
+  "powerset_fm(A,z) \<equiv> Forall(Iff(Member(0,succ(z)),subset_fm(0,succ(A))))"
+
+lemma powerset_type [TC]:
+  "\<lbrakk> x \<in> nat; y \<in> nat \<rbrakk> \<Longrightarrow> powerset_fm(x,y) \<in> formula"
+  by (simp add:powerset_fm_def)
+
+definition
+  is_powapply_fm :: "[i,i,i] \<Rightarrow> i" where
+  "is_powapply_fm(f,y,z) \<equiv>
+      Exists(And(fun_apply_fm(succ(f), succ(y), 0),
+            Forall(Iff(Member(0, succ(succ(z))),
+            Forall(Implies(Member(0, 1), Member(0, 2)))))))"
+
+lemma is_powapply_type [TC] :
+  "\<lbrakk>f\<in>nat ; y\<in>nat; z\<in>nat\<rbrakk> \<Longrightarrow> is_powapply_fm(f,y,z)\<in>formula"
+  unfolding is_powapply_fm_def by simp
+
+lemma sats_is_powapply_fm :
+  assumes
+    "f\<in>nat" "y\<in>nat" "z\<in>nat" "env\<in>list(A)" "0\<in>A"
+  shows
+    "is_powapply(##A,nth(f, env),nth(y, env),nth(z, env))
+    \<longleftrightarrow> sats(A,is_powapply_fm(f,y,z),env)"
+  unfolding is_powapply_def is_powapply_fm_def is_Collect_def powerset_def subset_def
+  using nth_closed assms by simp
+
+
+lemma (in M_ZF_trans) powapply_repl :
+  assumes
+    "f\<in>M"
+  shows
+    "strong_replacement(##M,is_powapply(##M,f))"
+proof -
+  have "arity(is_powapply_fm(2,0,1)) = 3"
+    unfolding is_powapply_fm_def
+    by (simp add: fm_defs nat_simp_union)
+  then
+  have "\<forall>f0\<in>M. strong_replacement(##M, \<lambda>p z. sats(M,is_powapply_fm(2,0,1) , [p,z,f0]))"
+    using replacement_ax by simp
+  moreover
+  have "is_powapply(##M,f0,p,z) \<longleftrightarrow> sats(M,is_powapply_fm(2,0,1) , [p,z,f0])"
+    if "p\<in>M" "z\<in>M" "f0\<in>M" for p z f0
+    using that zero_in_M sats_is_powapply_fm[of 2 0 1 "[p,z,f0]" M] by simp
+  ultimately
+  have "\<forall>f0\<in>M. strong_replacement(##M, is_powapply(##M,f0))"
+    unfolding strong_replacement_def univalent_def by simp
+  with \<open>f\<in>M\<close> show ?thesis by simp
+qed
+
+
+(*"PHrank(M,f,y,z) \<equiv> M(z) \<and> (\<exists>fy[M]. fun_apply(M,f,y,fy) \<and> successor(M,fy,z))"*)
+definition
+  PHrank_fm :: "[i,i,i] \<Rightarrow> i" where
+  "PHrank_fm(f,y,z) \<equiv> Exists(And(fun_apply_fm(succ(f),succ(y),0)
+                                 ,succ_fm(0,succ(z))))"
+
+lemma PHrank_type [TC]:
+  "\<lbrakk> x \<in> nat; y \<in> nat; z \<in> nat \<rbrakk> \<Longrightarrow> PHrank_fm(x,y,z) \<in> formula"
+  by (simp add:PHrank_fm_def)
+
+
+lemma (in M_ZF_trans) sats_PHrank_fm [simp]:
+  "\<lbrakk> x \<in> nat; y \<in> nat; z \<in> nat;  env \<in> list(M) \<rbrakk> 
+    \<Longrightarrow> sats(M,PHrank_fm(x,y,z),env) \<longleftrightarrow>
+        PHrank(##M,nth(x,env),nth(y,env),nth(z,env))"
+  using zero_in_M Internalizations.nth_closed by (simp add: PHrank_def PHrank_fm_def)
+
+
+lemma (in M_ZF_trans) phrank_repl :
+  assumes
+    "f\<in>M"
+  shows
+    "strong_replacement(##M,PHrank(##M,f))"
+proof -
+  have "arity(PHrank_fm(2,0,1)) = 3"
+    unfolding PHrank_fm_def
+    by (simp add: fm_defs nat_simp_union)
+  then
+  have "\<forall>f0\<in>M. strong_replacement(##M, \<lambda>p z. sats(M,PHrank_fm(2,0,1) , [p,z,f0]))"
+    using replacement_ax by simp
+  then
+  have "\<forall>f0\<in>M. strong_replacement(##M, PHrank(##M,f0))"
+    unfolding strong_replacement_def univalent_def by simp
+  with \<open>f\<in>M\<close> show ?thesis by simp
+qed
+
+
+(*"is_Hrank(M,x,f,hc) \<equiv> (\<exists>R[M]. big_union(M,R,hc) \<and>is_Replace(M,x,PHrank(M,f),R)) "*)
+definition
+  is_Hrank_fm :: "[i,i,i] \<Rightarrow> i" where
+  "is_Hrank_fm(x,f,hc) \<equiv> Exists(And(big_union_fm(0,succ(hc)),
+                                Replace_fm(succ(x),PHrank_fm(succ(succ(succ(f))),0,1),0)))"
+
+lemma is_Hrank_type [TC]:
+  "\<lbrakk> x \<in> nat; y \<in> nat; z \<in> nat \<rbrakk> \<Longrightarrow> is_Hrank_fm(x,y,z) \<in> formula"
+  by (simp add:is_Hrank_fm_def)
+
+lemma (in M_ZF_trans) sats_is_Hrank_fm [simp]:
+  "\<lbrakk> x \<in> nat; y \<in> nat; z \<in> nat; env \<in> list(M)\<rbrakk>
+    \<Longrightarrow> sats(M,is_Hrank_fm(x,y,z),env) \<longleftrightarrow>
+        is_Hrank(##M,nth(x,env),nth(y,env),nth(z,env))"
+  using zero_in_M is_Hrank_def is_Hrank_fm_def sats_Replace_fm
+  by simp
+
+(* M(x) \<Longrightarrow> wfrec_replacement(M,is_Hrank(M),rrank(x)) *)
+lemma (in M_ZF_trans) wfrec_rank :
+  assumes
+    "X\<in>M"
+  shows
+    "wfrec_replacement(##M,is_Hrank(##M),rrank(X))"
+proof -
+  have
+    "is_Hrank(##M,a2, a1, a0) \<longleftrightarrow>
+             sats(M, is_Hrank_fm(2,1,0), [a0,a1,a2,a3,a4,y,x,z,rrank(X)])"
+    if "a4\<in>M" "a3\<in>M" "a2\<in>M" "a1\<in>M" "a0\<in>M" "y\<in>M" "x\<in>M" "z\<in>M" for a4 a3 a2 a1 a0 y x z
+    using that rrank_in_M \<open>X\<in>M\<close> by simp
+  then
+  have
+    1:"sats(M, is_wfrec_fm(is_Hrank_fm(2,1,0),3,1,0),[y,x,z,rrank(X)])
+  \<longleftrightarrow> is_wfrec(##M, is_Hrank(##M) ,rrank(X), x, y)"
+    if "y\<in>M" "x\<in>M" "z\<in>M" for y x z
+    using that \<open>X\<in>M\<close> rrank_in_M sats_is_wfrec_fm by simp
+  let
+    ?f="Exists(And(pair_fm(1,0,2),is_wfrec_fm(is_Hrank_fm(2,1,0),3,1,0)))"
+  have satsf:"sats(M, ?f, [x,z,rrank(X)])
+              \<longleftrightarrow> (\<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, is_Hrank(##M) , rrank(X), x, y))"
+    if "x\<in>M" "z\<in>M" for x z
+    using that 1 \<open>X\<in>M\<close> rrank_in_M by (simp del:pair_abs)
+  have "arity(?f) = 3"
+    unfolding is_wfrec_fm_def is_recfun_fm_def is_nat_case_fm_def is_Hrank_fm_def PHrank_fm_def
+      restriction_fm_def list_functor_fm_def number1_fm_def cartprod_fm_def
+      sum_fm_def quasinat_fm_def pre_image_fm_def fm_defs
+    by (simp add:nat_simp_union)
+  then
+  have "strong_replacement(##M,\<lambda>x z. sats(M,?f,[x,z,rrank(X)]))"
+    using replacement_ax 1 \<open>X\<in>M\<close> rrank_in_M by simp
+  then
+  have "strong_replacement(##M,\<lambda>x z.
+          \<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, is_Hrank(##M) , rrank(X), x, y))"
+    using repl_sats[of M ?f "[rrank(X)]"]  satsf by (simp del:pair_abs)
+  then
+  show ?thesis unfolding wfrec_replacement_def  by simp
+qed
+
+(*"is_HVfrom(M,A,x,f,h) \<equiv> \<exists>U[M]. \<exists>R[M].  union(M,A,U,h)
+        \<and> big_union(M,R,U) \<and> is_Replace(M,x,is_powapply(M,f),R)"*)
+definition
+  is_HVfrom_fm :: "[i,i,i,i] \<Rightarrow> i" where
+  "is_HVfrom_fm(A,x,f,h) \<equiv> Exists(Exists(And(union_fm(A #+ 2,1,h #+ 2),
+                            And(big_union_fm(0,1),
+                            Replace_fm(x #+ 2,is_powapply_fm(f #+ 4,0,1),0)))))"
+
+lemma is_HVfrom_type [TC]:
+  "\<lbrakk> A\<in>nat; x \<in> nat; f \<in> nat; h \<in> nat \<rbrakk> \<Longrightarrow> is_HVfrom_fm(A,x,f,h) \<in> formula"
+  by (simp add:is_HVfrom_fm_def)
+
+lemma sats_is_HVfrom_fm :
+  "\<lbrakk> a\<in>nat; x \<in> nat; f \<in> nat; h \<in> nat; env \<in> list(A); 0\<in>A\<rbrakk>
+    \<Longrightarrow> sats(A,is_HVfrom_fm(a,x,f,h),env) \<longleftrightarrow>
+        is_HVfrom(##A,nth(a,env),nth(x,env),nth(f,env),nth(h,env))"
+  using is_HVfrom_def is_HVfrom_fm_def sats_Replace_fm[OF sats_is_powapply_fm]
+  by simp
+
+lemma is_HVfrom_iff_sats:
+  assumes
+    "nth(a,env) = aa" "nth(x,env) = xx" "nth(f,env) = ff" "nth(h,env) = hh"
+    "a\<in>nat" "x\<in>nat" "f\<in>nat" "h\<in>nat" "env\<in>list(A)" "0\<in>A"
+  shows
+    "is_HVfrom(##A,aa,xx,ff,hh) \<longleftrightarrow> sats(A, is_HVfrom_fm(a,x,f,h), env)"
+  using assms sats_is_HVfrom_fm by simp
+
+(* FIX US *)
+schematic_goal sats_is_Vset_fm_auto:
+  assumes
+    "i\<in>nat" "v\<in>nat" "env\<in>list(A)" "0\<in>A"
+    "i < length(env)" "v < length(env)"
+  shows
+    "is_Vset(##A,nth(i, env),nth(v, env))
+    \<longleftrightarrow> sats(A,?ivs_fm(i,v),env)"
+  unfolding is_Vset_def is_Vfrom_def
+  by (insert assms; (rule sep_rules is_HVfrom_iff_sats is_transrec_iff_sats | simp)+)
+
+schematic_goal is_Vset_iff_sats:
+  assumes
+    "nth(i,env) = ii" "nth(v,env) = vv"
+    "i\<in>nat" "v\<in>nat" "env\<in>list(A)" "0\<in>A"
+    "i < length(env)" "v < length(env)"
+  shows
+    "is_Vset(##A,ii,vv) \<longleftrightarrow> sats(A, ?ivs_fm(i,v), env)"
+  unfolding \<open>nth(i,env) = ii\<close>[symmetric] \<open>nth(v,env) = vv\<close>[symmetric]
+  by (rule sats_is_Vset_fm_auto(1); simp add:assms)
+
+
+lemma (in M_ZF_trans) memrel_eclose_sing :
+  "a\<in>M \<Longrightarrow> \<exists>sa\<in>M. \<exists>esa\<in>M. \<exists>mesa\<in>M.
+       upair(##M,a,a,sa) & is_eclose(##M,sa,esa) & membership(##M,esa,mesa)"
+  using upair_ax eclose_closed Memrel_closed unfolding upair_ax_def
+  by (simp del:upair_abs)
+
+
+lemma (in M_ZF_trans) trans_repl_HVFrom :
+  assumes
+    "A\<in>M" "i\<in>M"
+  shows
+    "transrec_replacement(##M,is_HVfrom(##M,A),i)"
+proof -
+  { fix mesa
+    assume "mesa\<in>M"
+    have
+      0:"is_HVfrom(##M,A,a2, a1, a0) \<longleftrightarrow>
+      sats(M, is_HVfrom_fm(8,2,1,0), [a0,a1,a2,a3,a4,y,x,z,A,mesa])"
+      if "a4\<in>M" "a3\<in>M" "a2\<in>M" "a1\<in>M" "a0\<in>M" "y\<in>M" "x\<in>M" "z\<in>M" for a4 a3 a2 a1 a0 y x z
+      using that zero_in_M sats_is_HVfrom_fm \<open>mesa\<in>M\<close> \<open>A\<in>M\<close> by simp
+    have
+      1:"sats(M, is_wfrec_fm(is_HVfrom_fm(8,2,1,0),4,1,0),[y,x,z,A,mesa])
+        \<longleftrightarrow> is_wfrec(##M, is_HVfrom(##M,A),mesa, x, y)"
+      if "y\<in>M" "x\<in>M" "z\<in>M" for y x z
+      using that \<open>A\<in>M\<close> \<open>mesa\<in>M\<close> sats_is_wfrec_fm[OF 0] by simp
+    let
+      ?f="Exists(And(pair_fm(1,0,2),is_wfrec_fm(is_HVfrom_fm(8,2,1,0),4,1,0)))"
+    have satsf:"sats(M, ?f, [x,z,A,mesa])
+              \<longleftrightarrow> (\<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, is_HVfrom(##M,A) , mesa, x, y))"
+      if "x\<in>M" "z\<in>M" for x z
+      using that 1 \<open>A\<in>M\<close> \<open>mesa\<in>M\<close> by (simp del:pair_abs)
+    have "arity(?f) = 4"
+      unfolding is_HVfrom_fm_def is_wfrec_fm_def is_recfun_fm_def is_nat_case_fm_def
+        restriction_fm_def list_functor_fm_def number1_fm_def cartprod_fm_def
+        is_powapply_fm_def sum_fm_def quasinat_fm_def pre_image_fm_def fm_defs
+      by (simp add:nat_simp_union)
+    then
+    have "strong_replacement(##M,\<lambda>x z. sats(M,?f,[x,z,A,mesa]))"
+      using replacement_ax 1 \<open>A\<in>M\<close> \<open>mesa\<in>M\<close> by simp
+    then
+    have "strong_replacement(##M,\<lambda>x z.
+          \<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, is_HVfrom(##M,A) , mesa, x, y))"
+      using repl_sats[of M ?f "[A,mesa]"]  satsf by (simp del:pair_abs)
+    then
+    have "wfrec_replacement(##M,is_HVfrom(##M,A),mesa)"
+      unfolding wfrec_replacement_def  by simp
+  }
+  then show ?thesis unfolding transrec_replacement_def
+    using \<open>i\<in>M\<close> memrel_eclose_sing by simp
+qed
+
+
+lemma (in M_ZF_trans) meclose_pow : "M_eclose_pow(##M)"
+  using meclose power_ax powapply_repl phrank_repl trans_repl_HVFrom wfrec_rank
+  by unfold_locales auto
+
+sublocale M_ZF_trans \<subseteq> M_eclose_pow "##M"
+  by (rule meclose_pow)
+
+lemma (in M_ZF_trans) repl_gen :
+  assumes
+    f_abs: "\<And>x y. \<lbrakk> x\<in>M; y\<in>M \<rbrakk> \<Longrightarrow> is_F(##M,x,y) \<longleftrightarrow> y = f(x)"
+    and
+    f_sats: "\<And>x y. \<lbrakk>x\<in>M ; y\<in>M \<rbrakk> \<Longrightarrow>
+             sats(M,f_fm,Cons(x,Cons(y,env))) \<longleftrightarrow> is_F(##M,x,y)"
+    and
+    f_form: "f_fm \<in> formula"
+    and
+    f_arty: "arity(f_fm) = 2"
+    and
+    "env\<in>list(M)"
+  shows
+    "strong_replacement(##M, \<lambda>x y. y = f(x))"
+proof -
+  have "sats(M,f_fm,[x,y]@env) \<longleftrightarrow> is_F(##M,x,y)" if "x\<in>M" "y\<in>M" for x y
+    using that f_sats[of x y] by simp
+  moreover
+  from f_form f_arty
+  have "strong_replacement(##M, \<lambda>x y. sats(M,f_fm,[x,y]@env))"
+    using \<open>env\<in>list(M)\<close> replacement_ax by simp
+  ultimately
+  have "strong_replacement(##M, is_F(##M))"
+    using strong_replacement_cong[of "##M" "\<lambda>x y. sats(M,f_fm,[x,y]@env)" "is_F(##M)"] by simp
+  with f_abs show ?thesis
+    using strong_replacement_cong[of "##M" "is_F(##M)" "\<lambda>x y. y = f(x)"] by simp
+qed
+
+(* Proof Scheme for instances of separation *)
+lemma (in M_ZF_trans) sep_in_M :
+  assumes
+    "\<phi> \<in> formula" "env\<in>list(M)"
+    "arity(\<phi>) \<le> 1 #+ length(env)" "A\<in>M" and
+    satsQ: "\<And>x. x\<in>M \<Longrightarrow> sats(M,\<phi>,[x]@env) \<longleftrightarrow> Q(x)"
+  shows
+    "{y\<in>A . Q(y)}\<in>M"
+proof -
+  have "separation(##M,\<lambda>x. sats(M,\<phi>,[x] @ env))"
+    using assms separation_ax by simp
+  then show ?thesis using
+      \<open>A\<in>M\<close> satsQ trans_M
+      separation_cong[of "##M" "\<lambda>y. sats(M,\<phi>,[y]@env)" "Q"]
+      separation_closed  by simp
+qed
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Internal_ZFC_Axioms.thy b/thys/Forcing/Internal_ZFC_Axioms.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Internal_ZFC_Axioms.thy
@@ -0,0 +1,523 @@
+section\<open>The ZFC axioms, internalized\<close>
+theory Internal_ZFC_Axioms
+  imports 
+  Forcing_Data
+
+begin
+
+schematic_goal ZF_union_auto:
+    "Union_ax(##A) \<longleftrightarrow> (A, [] \<Turnstile> ?zfunion)"
+  unfolding Union_ax_def 
+  by ((rule sep_rules | simp)+)
+
+synthesize "ZF_union_fm" from_schematic ZF_union_auto
+
+schematic_goal ZF_power_auto:
+    "power_ax(##A) \<longleftrightarrow> (A, [] \<Turnstile> ?zfpow)"
+  unfolding power_ax_def powerset_def subset_def
+  by ((rule sep_rules | simp)+)
+
+synthesize "ZF_power_fm" from_schematic ZF_power_auto
+
+schematic_goal ZF_pairing_auto:
+    "upair_ax(##A) \<longleftrightarrow> (A, [] \<Turnstile> ?zfpair)"
+  unfolding upair_ax_def 
+  by ((rule sep_rules | simp)+)
+
+synthesize "ZF_pairing_fm" from_schematic ZF_pairing_auto
+
+schematic_goal ZF_foundation_auto:
+    "foundation_ax(##A) \<longleftrightarrow> (A, [] \<Turnstile> ?zfpow)"
+  unfolding foundation_ax_def 
+  by ((rule sep_rules | simp)+)
+
+synthesize "ZF_foundation_fm" from_schematic ZF_foundation_auto
+
+schematic_goal ZF_extensionality_auto:
+    "extensionality(##A) \<longleftrightarrow> (A, [] \<Turnstile> ?zfpow)"
+  unfolding extensionality_def 
+  by ((rule sep_rules | simp)+)
+
+synthesize "ZF_extensionality_fm" from_schematic ZF_extensionality_auto
+
+schematic_goal ZF_infinity_auto:
+    "infinity_ax(##A) \<longleftrightarrow> (A, [] \<Turnstile> (?\<phi>(i,j,h)))"
+  unfolding infinity_ax_def 
+  by ((rule sep_rules | simp)+)
+
+synthesize "ZF_infinity_fm" from_schematic ZF_infinity_auto
+
+schematic_goal ZF_choice_auto:
+    "choice_ax(##A) \<longleftrightarrow> (A, [] \<Turnstile> (?\<phi>(i,j,h)))"
+  unfolding choice_ax_def 
+  by ((rule sep_rules | simp)+)
+
+synthesize "ZF_choice_fm" from_schematic ZF_choice_auto
+
+syntax
+  "_choice" :: "i"  ("AC")
+translations
+  "AC" \<rightharpoonup> "CONST ZF_choice_fm"
+
+lemmas ZFC_fm_defs = ZF_extensionality_fm_def ZF_foundation_fm_def ZF_pairing_fm_def
+              ZF_union_fm_def ZF_infinity_fm_def ZF_power_fm_def ZF_choice_fm_def
+
+lemmas ZFC_fm_sats = ZF_extensionality_auto ZF_foundation_auto ZF_pairing_auto
+              ZF_union_auto ZF_infinity_auto ZF_power_auto ZF_choice_auto
+
+definition
+  ZF_fin :: "i" where
+  "ZF_fin \<equiv> { ZF_extensionality_fm, ZF_foundation_fm, ZF_pairing_fm,
+              ZF_union_fm, ZF_infinity_fm, ZF_power_fm }"
+
+definition
+  ZFC_fin :: "i" where
+  "ZFC_fin \<equiv> ZF_fin \<union> {ZF_choice_fm}"
+
+lemma ZFC_fin_type : "ZFC_fin \<subseteq> formula"
+  unfolding ZFC_fin_def ZF_fin_def ZFC_fm_defs by (auto)
+
+subsection\<open>The Axiom of Separation, internalized\<close>
+lemma iterates_Forall_type [TC]:
+      "\<lbrakk> n \<in> nat; p \<in> formula \<rbrakk> \<Longrightarrow> Forall^n(p) \<in> formula"
+  by (induct set:nat, auto)
+
+lemma last_init_eq :
+  assumes "l \<in> list(A)" "length(l) = succ(n)"
+  shows "\<exists> a\<in>A. \<exists>l'\<in>list(A). l = l'@[a]"
+proof-
+  from \<open>l\<in>_\<close> \<open>length(_) = _\<close>
+  have "rev(l) \<in> list(A)" "length(rev(l)) = succ(n)"
+    by simp_all
+  then
+  obtain a l' where "a\<in>A" "l'\<in>list(A)" "rev(l) = Cons(a,l')"
+    by (cases;simp)
+  then
+  have "l = rev(l') @ [a]" "rev(l') \<in> list(A)"
+    using rev_rev_ident[OF \<open>l\<in>_\<close>] by auto
+  with \<open>a\<in>_\<close>
+  show ?thesis by blast
+qed
+
+lemma take_drop_eq :
+  assumes "l\<in>list(M)"
+  shows "\<And> n . n < succ(length(l)) \<Longrightarrow> l = take(n,l) @ drop(n,l)"
+  using \<open>l\<in>list(M)\<close>
+proof induct
+  case Nil
+  then show ?case by auto
+next
+  case (Cons a l)
+  then show ?case
+  proof -
+    {
+      fix i
+      assume "i<succ(succ(length(l)))"
+      with \<open>l\<in>list(M)\<close>
+      consider (lt) "i = 0" | (eq) "\<exists>k\<in>nat. i = succ(k) \<and> k < succ(length(l))"
+        using \<open>l\<in>list(M)\<close>  le_natI nat_imp_quasinat
+        by (cases rule:nat_cases[of i];auto)
+      then
+      have "take(i,Cons(a,l)) @ drop(i,Cons(a,l)) = Cons(a,l)"
+        using Cons
+        by (cases;auto)
+    }
+    then show ?thesis using Cons by auto
+  qed
+qed
+
+lemma list_split :
+assumes "n \<le> succ(length(rest))" "rest \<in> list(M)"
+shows  "\<exists>re\<in>list(M). \<exists>st\<in>list(M). rest = re @ st \<and> length(re) = pred(n)"
+proof -
+  from assms
+  have "pred(n) \<le> length(rest)"
+    using pred_mono[OF _ \<open>n\<le>_\<close>] pred_succ_eq by auto
+  with \<open>rest\<in>_\<close>
+  have "pred(n)\<in>nat" "rest = take(pred(n),rest) @ drop(pred(n),rest)" (is "_ = ?re @ ?st")
+    using take_drop_eq[OF \<open>rest\<in>_\<close>] le_natI by auto
+  then
+  have "length(?re) = pred(n)" "?re\<in>list(M)" "?st\<in>list(M)"
+    using length_take[rule_format,OF _ \<open>pred(n)\<in>_\<close>] \<open>pred(n) \<le> _\<close> \<open>rest\<in>_\<close>
+    unfolding min_def
+    by auto
+  then
+  show ?thesis
+    using rev_bexI[of _ _ "\<lambda> re. \<exists>st\<in>list(M). rest = re @ st \<and> length(re) = pred(n)"]
+      \<open>length(?re) = _\<close> \<open>rest = _\<close>
+    by auto
+qed
+
+lemma sats_nForall:
+  assumes
+    "\<phi> \<in> formula"
+  shows
+    "n\<in>nat \<Longrightarrow> ms \<in> list(M) \<Longrightarrow>
+       M, ms \<Turnstile> (Forall^n(\<phi>)) \<longleftrightarrow>
+       (\<forall>rest \<in> list(M). length(rest) = n \<longrightarrow> M, rest @ ms \<Turnstile> \<phi>)"
+proof (induct n arbitrary:ms set:nat)
+  case 0
+  with assms
+  show ?case by simp
+next
+  case (succ n)
+  have "(\<forall>rest\<in>list(M). length(rest) = succ(n) \<longrightarrow> P(rest,n)) \<longleftrightarrow>
+        (\<forall>t\<in>M. \<forall>res\<in>list(M). length(res) = n \<longrightarrow> P(res @ [t],n))"
+    if "n\<in>nat" for n P
+    using that last_init_eq by force
+  from this[of _ "\<lambda>rest _. (M, rest @ ms \<Turnstile> \<phi>)"] \<open>n\<in>nat\<close>
+  have "(\<forall>rest\<in>list(M). length(rest) = succ(n) \<longrightarrow> M, rest @ ms \<Turnstile> \<phi>) \<longleftrightarrow>
+        (\<forall>t\<in>M. \<forall>res\<in>list(M). length(res) = n \<longrightarrow>  M, (res @ [t]) @ ms \<Turnstile> \<phi>)"
+    by simp
+    with assms succ(1,3) succ(2)[of "Cons(_,ms)"]
+  show ?case
+    using arity_sats_iff[of \<phi> _ M "Cons(_, ms @ _)"] app_assoc
+    by (simp)
+qed
+
+definition
+  sep_body_fm :: "i \<Rightarrow> i" where
+  "sep_body_fm(p) \<equiv> Forall(Exists(Forall(
+                           Iff(Member(0,1),And(Member(0,2),
+                                    incr_bv1^2(p))))))"
+
+lemma sep_body_fm_type [TC]: "p \<in> formula \<Longrightarrow> sep_body_fm(p) \<in> formula"
+  by (simp add: sep_body_fm_def)
+
+lemma sats_sep_body_fm: 
+  assumes
+    "\<phi> \<in> formula" "ms\<in>list(M)" "rest\<in>list(M)"
+  shows
+    "M, rest @ ms \<Turnstile> sep_body_fm(\<phi>) \<longleftrightarrow> 
+     separation(##M,\<lambda>x. M, [x] @ rest @ ms \<Turnstile> \<phi>)"
+  using assms formula_add_params1[of _ 2 _ _ "[_,_]" ]
+  unfolding sep_body_fm_def separation_def by simp
+
+definition
+  ZF_separation_fm :: "i \<Rightarrow> i" where
+  "ZF_separation_fm(p) \<equiv> Forall^(pred(arity(p)))(sep_body_fm(p))"
+
+lemma ZF_separation_fm_type [TC]: "p \<in> formula \<Longrightarrow> ZF_separation_fm(p) \<in> formula"
+  by (simp add: ZF_separation_fm_def)
+
+lemma sats_ZF_separation_fm_iff:
+  assumes
+    "\<phi>\<in>formula"
+  shows
+  "(M, [] \<Turnstile> (ZF_separation_fm(\<phi>)))
+   \<longleftrightarrow>
+   (\<forall>env\<in>list(M). arity(\<phi>) \<le> 1 #+ length(env) \<longrightarrow> 
+      separation(##M,\<lambda>x. M, [x] @ env \<Turnstile> \<phi>))"
+proof (intro iffI ballI impI)
+  let ?n="Arith.pred(arity(\<phi>))"
+  fix env
+  assume "M, [] \<Turnstile> ZF_separation_fm(\<phi>)" 
+  assume "arity(\<phi>) \<le> 1 #+ length(env)" "env\<in>list(M)"
+  moreover from this
+  have "arity(\<phi>) \<le> succ(length(env))" by simp
+  then
+  obtain some rest where "some\<in>list(M)" "rest\<in>list(M)" 
+    "env = some @ rest" "length(some) = Arith.pred(arity(\<phi>))"
+    using list_split[OF \<open>arity(\<phi>) \<le> succ(_)\<close> \<open>env\<in>_\<close>] by force
+  moreover from \<open>\<phi>\<in>_\<close>
+  have "arity(\<phi>) \<le> succ(Arith.pred(arity(\<phi>)))"
+   using succpred_leI by simp
+  moreover
+  note assms
+  moreover 
+  assume "M, [] \<Turnstile> ZF_separation_fm(\<phi>)" 
+  moreover from calculation
+  have "M, some \<Turnstile> sep_body_fm(\<phi>)"
+    using sats_nForall[of "sep_body_fm(\<phi>)" ?n]
+    unfolding ZF_separation_fm_def by simp
+  ultimately
+  show "separation(##M, \<lambda>x. M, [x] @ env \<Turnstile> \<phi>)"
+    unfolding ZF_separation_fm_def
+    using sats_sep_body_fm[of \<phi> "[]" M some]
+      arity_sats_iff[of \<phi> rest M "[_] @ some"]
+      separation_cong[of "##M" "\<lambda>x. M, Cons(x, some @ rest) \<Turnstile> \<phi>" _ ]
+    by simp
+next \<comment> \<open>almost equal to the previous implication\<close>
+  let ?n="Arith.pred(arity(\<phi>))"
+  assume asm:"\<forall>env\<in>list(M). arity(\<phi>) \<le> 1 #+ length(env) \<longrightarrow> 
+    separation(##M, \<lambda>x. M, [x] @ env \<Turnstile> \<phi>)"
+  {
+    fix some
+    assume "some\<in>list(M)" "length(some) = Arith.pred(arity(\<phi>))"
+    moreover
+    note \<open>\<phi>\<in>_\<close>
+    moreover from calculation
+    have "arity(\<phi>) \<le> 1 #+ length(some)" 
+      using le_trans[OF succpred_leI] succpred_leI by simp
+    moreover from calculation and asm
+    have "separation(##M, \<lambda>x. M, [x] @ some \<Turnstile> \<phi>)" by blast
+    ultimately
+    have "M, some \<Turnstile> sep_body_fm(\<phi>)" 
+    using sats_sep_body_fm[of \<phi> "[]" M some]
+      arity_sats_iff[of \<phi> _ M "[_,_] @ some"]
+      strong_replacement_cong[of "##M" "\<lambda>x y. M, Cons(x, Cons(y, some @ _)) \<Turnstile> \<phi>" _ ]
+    by simp
+  }
+  with \<open>\<phi>\<in>_\<close>
+  show "M, [] \<Turnstile> ZF_separation_fm(\<phi>)"
+    using sats_nForall[of "sep_body_fm(\<phi>)" ?n]
+    unfolding ZF_separation_fm_def
+    by simp
+qed
+
+subsection\<open>The Axiom of Replacement, internalized\<close>
+schematic_goal sats_univalent_fm_auto:
+  assumes 
+    (*    Q_iff_sats:"\<And>a b z env aa bb. nth(a,Cons(z,env)) = aa \<Longrightarrow> nth(b,Cons(z,env)) = bb \<Longrightarrow> z\<in>A 
+          \<Longrightarrow> aa \<in> A \<Longrightarrow> bb \<in> A \<Longrightarrow> env\<in> list(A) \<Longrightarrow> 
+                 Q(aa,bb) \<longleftrightarrow> (A, Cons(z,env) \<Turnstile> (Q_fm(a,b)))" \<comment> \<open>using only one formula\<close> *)
+    Q_iff_sats:"\<And>x y z. x \<in> A \<Longrightarrow> y \<in> A \<Longrightarrow> z\<in>A \<Longrightarrow> 
+                 Q(x,z) \<longleftrightarrow> (A,Cons(z,Cons(y,Cons(x,env))) \<Turnstile> Q1_fm)"
+       "\<And>x y z. x \<in> A \<Longrightarrow> y \<in> A \<Longrightarrow> z\<in>A \<Longrightarrow> 
+                 Q(x,y) \<longleftrightarrow> (A,Cons(z,Cons(y,Cons(x,env))) \<Turnstile> Q2_fm)"
+    and 
+    asms: "nth(i,env) = B" "i \<in> nat" "env \<in> list(A)"
+  shows
+    "univalent(##A,B,Q) \<longleftrightarrow> A,env \<Turnstile> ?ufm(i)"
+  unfolding univalent_def 
+  by (insert asms; (rule sep_rules Q_iff_sats | simp)+)
+  
+synthesize_notc "univalent_fm" from_schematic sats_univalent_fm_auto
+
+lemma univalent_fm_type [TC]: "q1\<in> formula \<Longrightarrow> q2\<in>formula \<Longrightarrow> i\<in>nat \<Longrightarrow> 
+  univalent_fm(q2,q1,i) \<in>formula"
+  by (simp add:univalent_fm_def)
+
+lemma sats_univalent_fm :
+  assumes
+    Q_iff_sats:"\<And>x y z. x \<in> A \<Longrightarrow> y \<in> A \<Longrightarrow> z\<in>A \<Longrightarrow> 
+                 Q(x,z) \<longleftrightarrow> (A,Cons(z,Cons(y,Cons(x,env))) \<Turnstile> Q1_fm)"
+       "\<And>x y z. x \<in> A \<Longrightarrow> y \<in> A \<Longrightarrow> z\<in>A \<Longrightarrow> 
+                 Q(x,y) \<longleftrightarrow> (A,Cons(z,Cons(y,Cons(x,env))) \<Turnstile> Q2_fm)"
+    and 
+    asms: "nth(i,env) = B" "i \<in> nat" "env \<in> list(A)"
+  shows
+    "A,env \<Turnstile> univalent_fm(Q1_fm,Q2_fm,i) \<longleftrightarrow> univalent(##A,B,Q)"
+  unfolding univalent_fm_def using asms sats_univalent_fm_auto[OF Q_iff_sats] by simp
+
+definition
+  swap_vars :: "i\<Rightarrow>i" where
+  "swap_vars(\<phi>) \<equiv> 
+      Exists(Exists(And(Equal(0,3),And(Equal(1,2),iterates(\<lambda>p. incr_bv(p)`2 , 2, \<phi>)))))" 
+
+lemma swap_vars_type[TC] :
+  "\<phi>\<in>formula \<Longrightarrow> swap_vars(\<phi>) \<in>formula" 
+  unfolding swap_vars_def by simp
+
+lemma sats_swap_vars :
+  "[x,y] @ env \<in> list(M) \<Longrightarrow> \<phi>\<in>formula \<Longrightarrow> 
+    M, [x,y] @ env \<Turnstile> swap_vars(\<phi>)\<longleftrightarrow> M,[y,x] @ env \<Turnstile> \<phi>"
+  unfolding swap_vars_def
+  using sats_incr_bv_iff [of _ _ M _ "[y,x]"] by simp
+
+definition
+  univalent_Q1 :: "i \<Rightarrow> i" where
+  "univalent_Q1(\<phi>) \<equiv> incr_bv1(swap_vars(\<phi>))"
+
+definition
+  univalent_Q2 :: "i \<Rightarrow> i" where
+  "univalent_Q2(\<phi>) \<equiv> incr_bv(swap_vars(\<phi>))`0"
+
+lemma univalent_Qs_type [TC]: 
+  assumes "\<phi>\<in>formula"
+  shows "univalent_Q1(\<phi>) \<in> formula" "univalent_Q2(\<phi>) \<in> formula"
+  unfolding univalent_Q1_def univalent_Q2_def using assms by simp_all
+
+lemma sats_univalent_fm_assm:
+  assumes 
+    "x \<in> A" "y \<in> A" "z\<in>A" "env\<in> list(A)" "\<phi> \<in> formula"
+  shows 
+    "(A, ([x,z] @ env) \<Turnstile> \<phi>) \<longleftrightarrow> (A, Cons(z,Cons(y,Cons(x,env))) \<Turnstile> (univalent_Q1(\<phi>)))"
+    "(A, ([x,y] @ env) \<Turnstile> \<phi>) \<longleftrightarrow> (A, Cons(z,Cons(y,Cons(x,env))) \<Turnstile> (univalent_Q2(\<phi>)))"
+  unfolding univalent_Q1_def univalent_Q2_def
+  using 
+    sats_incr_bv_iff[of _ _ A _ "[]"] \<comment> \<open>simplifies iterates of \<^term>\<open>\<lambda>x. incr_bv(x)`0\<close>\<close>
+    sats_incr_bv1_iff[of _ "Cons(x,env)" A z y] 
+    sats_swap_vars  assms 
+   by simp_all
+
+definition
+  rep_body_fm :: "i \<Rightarrow> i" where
+  "rep_body_fm(p) \<equiv> Forall(Implies(
+        univalent_fm(univalent_Q1(incr_bv(p)`2),univalent_Q2(incr_bv(p)`2),0),
+        Exists(Forall(
+          Iff(Member(0,1),Exists(And(Member(0,3),incr_bv(incr_bv(p)`2)`2)))))))"
+
+lemma rep_body_fm_type [TC]: "p \<in> formula \<Longrightarrow> rep_body_fm(p) \<in> formula"
+  by (simp add: rep_body_fm_def)
+
+lemmas ZF_replacement_simps = formula_add_params1[of \<phi> 2 _ M "[_,_]" ]
+  sats_incr_bv_iff[of _ _ M _ "[]"] \<comment> \<open>simplifies iterates of \<^term>\<open>\<lambda>x. incr_bv(x)`0\<close>\<close>
+  sats_incr_bv_iff[of _ _ M _ "[_,_]"]\<comment> \<open>simplifies \<^term>\<open>\<lambda>x. incr_bv(x)`2\<close>\<close>
+  sats_incr_bv1_iff[of _ _ M] sats_swap_vars for \<phi> M
+
+lemma sats_rep_body_fm:
+  assumes
+    "\<phi> \<in> formula" "ms\<in>list(M)" "rest\<in>list(M)"
+  shows
+    "M, rest @ ms \<Turnstile> rep_body_fm(\<phi>) \<longleftrightarrow> 
+     strong_replacement(##M,\<lambda>x y. M, [x,y] @ rest @ ms \<Turnstile> \<phi>)"
+  using assms ZF_replacement_simps 
+  unfolding rep_body_fm_def strong_replacement_def univalent_def
+  unfolding univalent_fm_def univalent_Q1_def univalent_Q2_def
+  by simp
+
+definition
+  ZF_replacement_fm :: "i \<Rightarrow> i" where
+  "ZF_replacement_fm(p) \<equiv> Forall^(pred(pred(arity(p))))(rep_body_fm(p))"
+
+lemma ZF_replacement_fm_type [TC]: "p \<in> formula \<Longrightarrow> ZF_replacement_fm(p) \<in> formula"
+  by (simp add: ZF_replacement_fm_def)
+
+lemma sats_ZF_replacement_fm_iff:
+  assumes
+    "\<phi>\<in>formula"
+  shows
+  "(M, [] \<Turnstile> (ZF_replacement_fm(\<phi>)))
+   \<longleftrightarrow>
+   (\<forall>env\<in>list(M). arity(\<phi>) \<le> 2 #+ length(env) \<longrightarrow> 
+      strong_replacement(##M,\<lambda>x y. M,[x,y] @ env \<Turnstile> \<phi>))"
+proof (intro iffI ballI impI)
+  let ?n="Arith.pred(Arith.pred(arity(\<phi>)))"
+  fix env
+  assume "M, [] \<Turnstile> ZF_replacement_fm(\<phi>)" "arity(\<phi>) \<le> 2 #+ length(env)" "env\<in>list(M)"
+  moreover from this
+  have "arity(\<phi>) \<le> succ(succ(length(env)))" by (simp)
+  moreover from calculation 
+  have "pred(arity(\<phi>)) \<le> succ(length(env))"
+    using pred_mono[OF _ \<open>arity(\<phi>)\<le>succ(_)\<close>] pred_succ_eq by simp
+  moreover from calculation
+  obtain some rest where "some\<in>list(M)" "rest\<in>list(M)" 
+    "env = some @ rest" "length(some) = Arith.pred(Arith.pred(arity(\<phi>)))" 
+    using list_split[OF \<open>pred(_) \<le> _\<close> \<open>env\<in>_\<close>] by auto
+  moreover
+  note \<open>\<phi>\<in>_\<close>
+  moreover from this
+  have "arity(\<phi>) \<le> succ(succ(Arith.pred(Arith.pred(arity(\<phi>)))))"
+    using le_trans[OF succpred_leI] succpred_leI by simp
+  moreover from calculation
+  have "M, some \<Turnstile> rep_body_fm(\<phi>)"
+    using sats_nForall[of "rep_body_fm(\<phi>)" ?n]
+    unfolding ZF_replacement_fm_def
+    by simp
+  ultimately
+  show "strong_replacement(##M, \<lambda>x y. M, [x, y] @ env \<Turnstile> \<phi>)"
+    using sats_rep_body_fm[of \<phi> "[]" M some]
+      arity_sats_iff[of \<phi> rest M "[_,_] @ some"]
+      strong_replacement_cong[of "##M" "\<lambda>x y. M, Cons(x, Cons(y, some @ rest)) \<Turnstile> \<phi>" _ ]
+    by simp
+next \<comment> \<open>almost equal to the previous implication\<close>
+  let ?n="Arith.pred(Arith.pred(arity(\<phi>)))"
+  assume asm:"\<forall>env\<in>list(M). arity(\<phi>) \<le> 2 #+ length(env) \<longrightarrow> 
+    strong_replacement(##M, \<lambda>x y. M, [x, y] @ env \<Turnstile> \<phi>)"
+  {
+    fix some
+    assume "some\<in>list(M)" "length(some) = Arith.pred(Arith.pred(arity(\<phi>)))"
+    moreover
+    note \<open>\<phi>\<in>_\<close>
+    moreover from calculation
+    have "arity(\<phi>) \<le> 2 #+ length(some)" 
+      using le_trans[OF succpred_leI] succpred_leI by simp
+    moreover from calculation and asm
+    have "strong_replacement(##M, \<lambda>x y. M, [x, y] @ some \<Turnstile> \<phi>)" by blast
+    ultimately
+    have "M, some \<Turnstile> rep_body_fm(\<phi>)" 
+    using sats_rep_body_fm[of \<phi> "[]" M some]
+      arity_sats_iff[of \<phi> _ M "[_,_] @ some"]
+      strong_replacement_cong[of "##M" "\<lambda>x y. M, Cons(x, Cons(y, some @ _)) \<Turnstile> \<phi>" _ ]
+    by simp
+  }
+  with \<open>\<phi>\<in>_\<close>
+  show "M, [] \<Turnstile> ZF_replacement_fm(\<phi>)"
+    using sats_nForall[of "rep_body_fm(\<phi>)" ?n]
+    unfolding ZF_replacement_fm_def
+    by simp
+qed
+
+definition
+  ZF_inf :: "i" where
+  "ZF_inf \<equiv> {ZF_separation_fm(p) . p \<in> formula } \<union> {ZF_replacement_fm(p) . p \<in> formula }"
+              
+lemma Un_subset_formula: "A\<subseteq>formula \<and> B\<subseteq>formula \<Longrightarrow> A\<union>B \<subseteq> formula"
+  by auto
+  
+lemma ZF_inf_subset_formula : "ZF_inf \<subseteq> formula"
+  unfolding ZF_inf_def by auto
+    
+definition
+  ZFC :: "i" where
+  "ZFC \<equiv> ZF_inf \<union> ZFC_fin"
+
+definition
+  ZF :: "i" where
+  "ZF \<equiv> ZF_inf \<union> ZF_fin"
+
+definition 
+  ZF_minus_P :: "i" where
+  "ZF_minus_P \<equiv> ZF - { ZF_power_fm }"
+
+lemma ZFC_subset_formula: "ZFC \<subseteq> formula"
+  by (simp add:ZFC_def Un_subset_formula ZF_inf_subset_formula ZFC_fin_type)
+  
+txt\<open>Satisfaction of a set of sentences\<close>
+definition
+  satT :: "[i,i] \<Rightarrow> o"  ("_ \<Turnstile> _" [36,36] 60) where
+  "A \<Turnstile> \<Phi>  \<equiv>  \<forall>\<phi>\<in>\<Phi>. (A,[] \<Turnstile> \<phi>)"
+
+lemma satTI [intro!]: 
+  assumes "\<And>\<phi>. \<phi>\<in>\<Phi> \<Longrightarrow> A,[] \<Turnstile> \<phi>"
+  shows "A \<Turnstile> \<Phi>"
+  using assms unfolding satT_def by simp
+
+lemma satTD [dest] :"A \<Turnstile> \<Phi> \<Longrightarrow>  \<phi>\<in>\<Phi> \<Longrightarrow> A,[] \<Turnstile> \<phi>"
+  unfolding satT_def by simp
+
+lemma sats_ZFC_iff_sats_ZF_AC: 
+  "(N \<Turnstile> ZFC) \<longleftrightarrow> (N \<Turnstile> ZF) \<and> (N, [] \<Turnstile> AC)"
+    unfolding ZFC_def ZFC_fin_def ZF_def by auto
+
+lemma M_ZF_iff_M_satT: "M_ZF(M) \<longleftrightarrow> (M \<Turnstile> ZF)"
+proof
+  assume "M \<Turnstile> ZF"
+  then
+  have fin: "upair_ax(##M)" "Union_ax(##M)" "power_ax(##M)"
+    "extensionality(##M)" "foundation_ax(##M)" "infinity_ax(##M)"
+    unfolding ZF_def ZF_fin_def ZFC_fm_defs satT_def
+    using ZFC_fm_sats[of M] by simp_all
+  {
+    fix \<phi> env
+    assume "\<phi> \<in> formula" "env\<in>list(M)" 
+    moreover from \<open>M \<Turnstile> ZF\<close>
+    have "\<forall>p\<in>formula. (M, [] \<Turnstile> (ZF_separation_fm(p)))" 
+         "\<forall>p\<in>formula. (M, [] \<Turnstile> (ZF_replacement_fm(p)))"
+      unfolding ZF_def ZF_inf_def by auto
+    moreover from calculation
+    have "arity(\<phi>) \<le> succ(length(env)) \<Longrightarrow> separation(##M, \<lambda>x. (M, Cons(x, env) \<Turnstile> \<phi>))"
+      "arity(\<phi>) \<le> succ(succ(length(env))) \<Longrightarrow> strong_replacement(##M,\<lambda>x y. sats(M,\<phi>,Cons(x,Cons(y, env))))"
+      using sats_ZF_separation_fm_iff sats_ZF_replacement_fm_iff by simp_all  
+  }
+  with fin
+  show "M_ZF(M)"
+    unfolding M_ZF_def by simp
+next
+  assume \<open>M_ZF(M)\<close>
+  then
+  have "M \<Turnstile> ZF_fin" 
+    unfolding M_ZF_def ZF_fin_def ZFC_fm_defs satT_def
+    using ZFC_fm_sats[of M] by blast
+  moreover from \<open>M_ZF(M)\<close>
+  have "\<forall>p\<in>formula. (M, [] \<Turnstile> (ZF_separation_fm(p)))" 
+       "\<forall>p\<in>formula. (M, [] \<Turnstile> (ZF_replacement_fm(p)))"
+    unfolding M_ZF_def using sats_ZF_separation_fm_iff 
+      sats_ZF_replacement_fm_iff by simp_all
+  ultimately
+  show "M \<Turnstile> ZF"
+    unfolding ZF_def ZF_inf_def by blast
+qed
+
+end
diff --git a/thys/Forcing/Internalizations.thy b/thys/Forcing/Internalizations.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Internalizations.thy
@@ -0,0 +1,34 @@
+section\<open>Aids to internalize formulas\<close>
+theory Internalizations
+  imports 
+    "ZF-Constructible.DPow_absolute" 
+begin
+
+text\<open>We found it useful to have slightly different versions of some 
+results in ZF-Constructible:\<close>
+lemma nth_closed :
+  assumes "0\<in>A" "env\<in>list(A)"
+  shows "nth(n,env)\<in>A" 
+  using assms(2,1) unfolding nth_def by (induct env; simp)
+
+lemmas FOL_sats_iff = sats_Nand_iff sats_Forall_iff sats_Neg_iff sats_And_iff
+  sats_Or_iff sats_Implies_iff sats_Iff_iff sats_Exists_iff 
+
+lemma nth_ConsI: "\<lbrakk>nth(n,l) = x; n \<in> nat\<rbrakk> \<Longrightarrow> nth(succ(n), Cons(a,l)) = x"
+by simp
+
+lemmas nth_rules = nth_0 nth_ConsI nat_0I nat_succI
+lemmas sep_rules = nth_0 nth_ConsI FOL_iff_sats function_iff_sats
+                   fun_plus_iff_sats successor_iff_sats
+                    omega_iff_sats FOL_sats_iff Replace_iff_sats
+
+text\<open>Also a different compilation of lemmas (term\<open>sep_rules\<close>) used in formula
+ synthesis\<close>
+lemmas fm_defs = omega_fm_def limit_ordinal_fm_def empty_fm_def typed_function_fm_def
+                 pair_fm_def upair_fm_def domain_fm_def function_fm_def succ_fm_def
+                 cons_fm_def fun_apply_fm_def image_fm_def big_union_fm_def union_fm_def
+                 relation_fm_def composition_fm_def field_fm_def ordinal_fm_def range_fm_def
+                 transset_fm_def subset_fm_def Replace_fm_def
+
+
+end
diff --git a/thys/Forcing/Least.thy b/thys/Forcing/Least.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Least.thy
@@ -0,0 +1,133 @@
+section\<open>The binder \<^term>\<open>Least\<close>\<close>
+theory Least
+  imports
+    Names
+
+begin
+
+text\<open>We have some basic results on the least ordinal satisfying
+a predicate.\<close>
+
+lemma Least_Ord: "(\<mu> \<alpha>. R(\<alpha>)) = (\<mu> \<alpha>. Ord(\<alpha>) \<and> R(\<alpha>))"
+  unfolding Least_def by (simp add:lt_Ord)
+
+lemma Ord_Least_cong: 
+  assumes "\<And>y. Ord(y) \<Longrightarrow> R(y) \<longleftrightarrow> Q(y)"
+  shows "(\<mu> \<alpha>. R(\<alpha>)) = (\<mu> \<alpha>. Q(\<alpha>))"
+proof -
+  from assms
+  have "(\<mu> \<alpha>. Ord(\<alpha>) \<and> R(\<alpha>)) = (\<mu> \<alpha>. Ord(\<alpha>) \<and> Q(\<alpha>))"
+    by simp 
+  then
+  show ?thesis using Least_Ord by simp
+qed
+
+definition
+  least :: "[i\<Rightarrow>o,i\<Rightarrow>o,i] \<Rightarrow> o" where
+  "least(M,Q,i) \<equiv> ordinal(M,i) \<and> (
+         (empty(M,i) \<and> (\<forall>b[M]. ordinal(M,b) \<longrightarrow> \<not>Q(b)))
+       \<or> (Q(i) \<and> (\<forall>b[M]. ordinal(M,b) \<and> b\<in>i\<longrightarrow> \<not>Q(b))))"
+
+definition
+  least_fm :: "[i,i] \<Rightarrow> i" where
+  "least_fm(q,i) \<equiv> And(ordinal_fm(i),
+   Or(And(empty_fm(i),Forall(Implies(ordinal_fm(0),Neg(q)))), 
+      And(Exists(And(q,Equal(0,succ(i)))),
+          Forall(Implies(And(ordinal_fm(0),Member(0,succ(i))),Neg(q))))))"
+
+lemma least_fm_type[TC] :"i \<in> nat \<Longrightarrow> q\<in>formula \<Longrightarrow> least_fm(q,i) \<in> formula"
+  unfolding least_fm_def
+  by simp
+
+(* Refactorize Formula and Relative to include the following three lemmas *)
+lemmas basic_fm_simps = sats_subset_fm' sats_transset_fm' sats_ordinal_fm'
+
+lemma sats_least_fm :
+  assumes p_iff_sats: 
+    "\<And>a. a \<in> A \<Longrightarrow> P(a) \<longleftrightarrow> sats(A, p, Cons(a, env))"
+  shows
+    "\<lbrakk>y \<in> nat; env \<in> list(A) ; 0\<in>A\<rbrakk>
+    \<Longrightarrow> sats(A, least_fm(p,y), env) \<longleftrightarrow>
+        least(##A, P, nth(y,env))"
+  using nth_closed p_iff_sats unfolding least_def least_fm_def
+  by (simp add:basic_fm_simps)
+
+lemma least_iff_sats:
+  assumes is_Q_iff_sats: 
+      "\<And>a. a \<in> A \<Longrightarrow> is_Q(a) \<longleftrightarrow> sats(A, q, Cons(a,env))"
+  shows 
+  "\<lbrakk>nth(j,env) = y; j \<in> nat; env \<in> list(A); 0\<in>A\<rbrakk>
+   \<Longrightarrow> least(##A, is_Q, y) \<longleftrightarrow> sats(A, least_fm(q,j), env)"
+  using sats_least_fm [OF is_Q_iff_sats, of j , symmetric]
+  by simp
+
+lemma least_conj: "a\<in>M \<Longrightarrow> least(##M, \<lambda>x. x\<in>M \<and> Q(x),a) \<longleftrightarrow> least(##M,Q,a)"
+  unfolding least_def by simp
+
+(* Better to have this in M_basic or similar *)
+lemma (in M_ctm) unique_least: "a\<in>M \<Longrightarrow> b\<in>M \<Longrightarrow> least(##M,Q,a) \<Longrightarrow> least(##M,Q,b) \<Longrightarrow> a=b"
+  unfolding least_def
+  by (auto, erule_tac i=a and j=b in Ord_linear_lt; (drule ltD | simp); auto intro:Ord_in_Ord)
+
+context M_trivial
+begin
+
+subsection\<open>Absoluteness and closure under \<^term>\<open>Least\<close>\<close>
+
+lemma least_abs:
+  assumes "\<And>x. Q(x) \<Longrightarrow> M(x)" "M(a)" 
+  shows "least(M,Q,a) \<longleftrightarrow> a = (\<mu> x. Q(x))"
+  unfolding least_def
+proof (cases "\<forall>b[M]. Ord(b) \<longrightarrow> \<not> Q(b)"; intro iffI; simp add:assms)
+  case True
+  with \<open>\<And>x. Q(x) \<Longrightarrow> M(x)\<close>
+  have "\<not> (\<exists>i. Ord(i) \<and> Q(i)) " by blast
+  then
+  show "0 =(\<mu> x. Q(x))" using Least_0 by simp
+  then
+  show "ordinal(M, \<mu> x. Q(x)) \<and> (empty(M, Least(Q)) \<or> Q(Least(Q)))"
+    by simp 
+next
+  assume "\<exists>b[M]. Ord(b) \<and> Q(b)"
+  then 
+  obtain i where "M(i)" "Ord(i)" "Q(i)" by blast
+  assume "a = (\<mu> x. Q(x))"
+  moreover
+  note \<open>M(a)\<close>
+  moreover from  \<open>Q(i)\<close> \<open>Ord(i)\<close>
+  have "Q(\<mu> x. Q(x))" (is ?G)
+    by (blast intro:LeastI)
+  moreover
+  have "(\<forall>b[M]. Ord(b) \<and> b \<in> (\<mu> x. Q(x)) \<longrightarrow> \<not> Q(b))" (is "?H")
+    using less_LeastE[of Q _ False]
+    by (auto, drule_tac ltI, simp, blast)
+  ultimately
+  show "ordinal(M, \<mu> x. Q(x)) \<and> (empty(M, \<mu> x. Q(x)) \<and> (\<forall>b[M]. Ord(b) \<longrightarrow> \<not> Q(b)) \<or> ?G \<and> ?H)"
+    by simp
+next
+  assume 1:"\<exists>b[M]. Ord(b) \<and> Q(b)"
+  then 
+  obtain i where "M(i)" "Ord(i)" "Q(i)" by blast
+  assume "Ord(a) \<and> (a = 0 \<and> (\<forall>b[M]. Ord(b) \<longrightarrow> \<not> Q(b)) \<or> Q(a) \<and> (\<forall>b[M]. Ord(b) \<and> b \<in> a \<longrightarrow> \<not> Q(b)))"
+  with 1
+  have "Ord(a)" "Q(a)" "\<forall>b[M]. Ord(b) \<and> b \<in> a \<longrightarrow> \<not> Q(b)"
+    by blast+
+  moreover from this and \<open>\<And>x. Q(x) \<Longrightarrow> M(x)\<close>
+  have "Ord(b) \<Longrightarrow> b \<in> a \<Longrightarrow> \<not> Q(b)" for b
+    by blast
+  moreover from this and \<open>Ord(a)\<close>
+  have "b < a \<Longrightarrow> \<not> Q(b)" for b
+    unfolding lt_def using Ord_in_Ord by blast
+  ultimately
+  show "a = (\<mu> x. Q(x))"
+    using Least_equality by simp
+qed
+
+lemma Least_closed:
+  assumes "\<And>x. Q(x) \<Longrightarrow> M(x)"
+  shows "M(\<mu> x. Q(x))"
+  using assms LeastI[of Q] Least_0 by (cases "(\<exists>i. Ord(i) \<and> Q(i))", auto)
+
+end (* M_trivial *)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Names.thy b/thys/Forcing/Names.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Names.thy
@@ -0,0 +1,1060 @@
+section\<open>Names and generic extensions\<close>
+
+theory Names
+  imports
+    Forcing_Data
+    Interface
+    Recursion_Thms
+    Synthetic_Definition
+begin
+
+definition
+  SepReplace :: "[i, i\<Rightarrow>i, i\<Rightarrow> o] \<Rightarrow> i" where
+  "SepReplace(A,b,Q) \<equiv> {y . x\<in>A, y=b(x) \<and> Q(x)}"
+
+syntax
+  "_SepReplace"  :: "[i, pttrn, i, o] \<Rightarrow> i"  ("(1{_ ../ _ \<in> _, _})")
+translations
+  "{b .. x\<in>A, Q}" => "CONST SepReplace(A, \<lambda>x. b, \<lambda>x. Q)"
+
+lemma Sep_and_Replace: "{b(x) .. x\<in>A, P(x) } = {b(x) . x\<in>{y\<in>A. P(y)}}"
+  by (auto simp add:SepReplace_def)
+
+lemma SepReplace_subset : "A\<subseteq>A'\<Longrightarrow> {b .. x\<in>A, Q}\<subseteq>{b .. x\<in>A', Q}"
+  by (auto simp add:SepReplace_def)
+
+lemma SepReplace_iff [simp]: "y\<in>{b(x) .. x\<in>A, P(x)} \<longleftrightarrow> (\<exists>x\<in>A. y=b(x) & P(x))"
+  by (auto simp add:SepReplace_def)
+
+lemma SepReplace_dom_implies :
+  "(\<And> x . x \<in>A \<Longrightarrow> b(x) = b'(x))\<Longrightarrow> {b(x) .. x\<in>A, Q(x)}={b'(x) .. x\<in>A, Q(x)}"
+  by  (simp add:SepReplace_def)
+
+lemma SepReplace_pred_implies :
+  "\<forall>x. Q(x)\<longrightarrow> b(x) = b'(x)\<Longrightarrow> {b(x) .. x\<in>A, Q(x)}={b'(x) .. x\<in>A, Q(x)}"
+  by  (force simp add:SepReplace_def)
+
+subsection\<open>The well-founded relation \<^term>\<open>ed\<close>\<close>
+
+lemma eclose_sing : "x \<in> eclose(a) \<Longrightarrow> x \<in> eclose({a})"
+  by(rule subsetD[OF mem_eclose_subset],simp+)
+
+lemma ecloseE :
+  assumes  "x \<in> eclose(A)"
+  shows  "x \<in> A \<or> (\<exists> B \<in> A . x \<in> eclose(B))"
+  using assms
+proof (induct rule:eclose_induct_down)
+  case (1 y)
+  then
+  show ?case
+    using arg_into_eclose by auto
+next
+  case (2 y z)
+  from \<open>y \<in> A \<or> (\<exists>B\<in>A. y \<in> eclose(B))\<close>
+  consider (inA) "y \<in> A" | (exB) "(\<exists>B\<in>A. y \<in> eclose(B))"
+    by auto
+  then show ?case
+  proof (cases)
+    case inA
+    then
+    show ?thesis using 2 arg_into_eclose by auto
+  next
+    case exB
+    then obtain B where "y \<in> eclose(B)" "B\<in>A"
+      by auto
+    then
+    show ?thesis using 2 ecloseD[of y B z] by auto
+  qed
+qed
+
+lemma eclose_singE : "x \<in> eclose({a}) \<Longrightarrow> x = a \<or> x \<in> eclose(a)"
+  by(blast dest: ecloseE)
+
+lemma in_eclose_sing :
+  assumes "x \<in> eclose({a})" "a \<in> eclose(z)"
+  shows "x \<in> eclose({z})"
+proof -
+  from \<open>x\<in>eclose({a})\<close>
+  consider (eq) "x=a" | (lt) "x\<in>eclose(a)"
+    using eclose_singE by auto
+  then
+  show ?thesis
+    using eclose_sing mem_eclose_trans assms
+    by (cases, auto)
+qed
+
+lemma in_dom_in_eclose :
+  assumes "x \<in> domain(z)"
+  shows "x \<in> eclose(z)"
+proof -
+  from assms
+  obtain y where "\<langle>x,y\<rangle> \<in> z"
+    unfolding domain_def by auto
+  then
+  show ?thesis
+    unfolding Pair_def
+    using ecloseD[of "{x,x}"] ecloseD[of "{{x,x},{x,y}}"] arg_into_eclose
+    by auto
+qed
+
+text\<open>term\<open>ed\<close> is the well-founded relation on which \<^term>\<open>val\<close> is defined.\<close>
+definition
+  ed :: "[i,i] \<Rightarrow> o" where
+  "ed(x,y) \<equiv> x \<in> domain(y)"
+
+definition
+  edrel :: "i \<Rightarrow> i" where
+  "edrel(A) \<equiv> Rrel(ed,A)"
+
+
+lemma edI[intro!]: "t\<in>domain(x) \<Longrightarrow> ed(t,x)"
+  unfolding ed_def .
+
+lemma edD[dest!]: "ed(t,x) \<Longrightarrow> t\<in>domain(x)"
+  unfolding ed_def .
+
+
+lemma rank_ed:
+  assumes "ed(y,x)"
+  shows "succ(rank(y)) \<le> rank(x)"
+proof
+  from assms
+  obtain p where "\<langle>y,p\<rangle>\<in>x" by auto
+  moreover
+  obtain s where "y\<in>s" "s\<in>\<langle>y,p\<rangle>" unfolding Pair_def by auto
+  ultimately
+  have "rank(y) < rank(s)" "rank(s) < rank(\<langle>y,p\<rangle>)" "rank(\<langle>y,p\<rangle>) < rank(x)"
+    using rank_lt by blast+
+  then
+  show "rank(y) < rank(x)"
+    using lt_trans by blast
+qed
+
+lemma edrel_dest [dest]: "x \<in> edrel(A) \<Longrightarrow> \<exists> a\<in> A. \<exists> b \<in> A. x =\<langle>a,b\<rangle>"
+  by(auto simp add:ed_def edrel_def Rrel_def)
+
+lemma edrelD : "x \<in> edrel(A) \<Longrightarrow> \<exists> a\<in> A. \<exists> b \<in> A. x =\<langle>a,b\<rangle> \<and> a \<in> domain(b)"
+  by(auto simp add:ed_def edrel_def Rrel_def)
+
+lemma edrelI [intro!]: "x\<in>A \<Longrightarrow> y\<in>A \<Longrightarrow> x \<in> domain(y) \<Longrightarrow> \<langle>x,y\<rangle>\<in>edrel(A)"
+  by (simp add:ed_def edrel_def Rrel_def)
+
+lemma edrel_trans: "Transset(A) \<Longrightarrow> y\<in>A \<Longrightarrow> x \<in> domain(y) \<Longrightarrow> \<langle>x,y\<rangle>\<in>edrel(A)"
+  by (rule edrelI, auto simp add:Transset_def domain_def Pair_def)
+
+lemma domain_trans: "Transset(A) \<Longrightarrow> y\<in>A \<Longrightarrow> x \<in> domain(y) \<Longrightarrow> x\<in>A"
+  by (auto simp add: Transset_def domain_def Pair_def)
+
+lemma relation_edrel : "relation(edrel(A))"
+  by(auto simp add: relation_def)
+
+lemma field_edrel : "field(edrel(A))\<subseteq>A"
+  by blast
+
+lemma edrel_sub_memrel: "edrel(A) \<subseteq> trancl(Memrel(eclose(A)))"
+proof
+  fix z
+  assume
+    "z\<in>edrel(A)"
+  then obtain x y where
+    Eq1:   "x\<in>A" "y\<in>A" "z=\<langle>x,y\<rangle>" "x\<in>domain(y)"
+    using edrelD
+    by blast
+  then obtain u v where
+    Eq2:   "x\<in>u" "u\<in>v" "v\<in>y"
+    unfolding domain_def Pair_def by auto
+  with Eq1 have
+    Eq3:   "x\<in>eclose(A)" "y\<in>eclose(A)" "u\<in>eclose(A)" "v\<in>eclose(A)"
+    by (auto, rule_tac [3-4] ecloseD, rule_tac [3] ecloseD, simp_all add:arg_into_eclose)
+  let
+    ?r="trancl(Memrel(eclose(A)))"
+  from Eq2 and Eq3 have
+    "\<langle>x,u\<rangle>\<in>?r" "\<langle>u,v\<rangle>\<in>?r" "\<langle>v,y\<rangle>\<in>?r"
+    by (auto simp add: r_into_trancl)
+  then  have
+    "\<langle>x,y\<rangle>\<in>?r"
+    by (rule_tac trancl_trans, rule_tac [2] trancl_trans, simp)
+  with Eq1 show "z\<in>?r" by simp
+qed
+
+lemma wf_edrel : "wf(edrel(A))"
+  using wf_subset [of "trancl(Memrel(eclose(A)))"] edrel_sub_memrel
+    wf_trancl wf_Memrel
+  by auto
+
+lemma ed_induction:
+  assumes "\<And>x. \<lbrakk>\<And>y.  ed(y,x) \<Longrightarrow> Q(y) \<rbrakk> \<Longrightarrow> Q(x)"
+  shows "Q(a)"
+proof(induct rule: wf_induct2[OF wf_edrel[of "eclose({a})"] ,of a "eclose({a})"])
+  case 1
+  then show ?case using arg_into_eclose by simp
+next
+  case 2
+  then show ?case using field_edrel .
+next
+  case (3 x)
+  then
+  show ?case
+    using assms[of x] edrelI domain_trans[OF Transset_eclose 3(1)] by blast
+qed
+
+lemma dom_under_edrel_eclose: "edrel(eclose({x})) -`` {x} = domain(x)"
+proof
+  show "edrel(eclose({x})) -`` {x} \<subseteq> domain(x)"
+    unfolding edrel_def Rrel_def ed_def
+    by auto
+next
+  show "domain(x) \<subseteq> edrel(eclose({x})) -`` {x}"
+    unfolding edrel_def Rrel_def
+    using in_dom_in_eclose eclose_sing arg_into_eclose
+    by blast
+qed
+
+lemma ed_eclose : "\<langle>y,z\<rangle> \<in> edrel(A) \<Longrightarrow> y \<in> eclose(z)"
+  by(drule edrelD,auto simp add:domain_def in_dom_in_eclose)
+
+lemma tr_edrel_eclose : "\<langle>y,z\<rangle> \<in> edrel(eclose({x}))^+ \<Longrightarrow> y \<in> eclose(z)"
+  by(rule trancl_induct,(simp add: ed_eclose mem_eclose_trans)+)
+
+
+lemma restrict_edrel_eq :
+  assumes "z \<in> domain(x)"
+  shows "edrel(eclose({x})) \<inter> eclose({z})\<times>eclose({z}) = edrel(eclose({z}))"
+proof(intro equalityI subsetI)
+  let ?ec="\<lambda> y . edrel(eclose({y}))"
+  let ?ez="eclose({z})"
+  let ?rr="?ec(x) \<inter> ?ez \<times> ?ez"
+  fix y
+  assume yr:"y \<in> ?rr"
+  with yr obtain a b where 1:"\<langle>a,b\<rangle> \<in> ?rr" "a \<in> ?ez" "b \<in> ?ez" "\<langle>a,b\<rangle> \<in> ?ec(x)" "y=\<langle>a,b\<rangle>"
+    by blast
+  moreover
+  from this
+  have "a \<in> domain(b)" using edrelD by blast
+  ultimately
+  show "y \<in> edrel(eclose({z}))" by blast
+next
+  let ?ec="\<lambda> y . edrel(eclose({y}))"
+  let ?ez="eclose({z})"
+  let ?rr="?ec(x) \<inter> ?ez \<times> ?ez"
+  fix y
+  assume yr:"y \<in> edrel(?ez)"
+  then obtain a b where "a \<in> ?ez" "b \<in> ?ez" "y=\<langle>a,b\<rangle>" "a \<in> domain(b)"
+    using edrelD by blast
+  moreover
+  from this assms
+  have "z \<in> eclose(x)" using in_dom_in_eclose by simp
+  moreover
+  from assms calculation
+  have "a \<in> eclose({x})" "b \<in> eclose({x})" using in_eclose_sing by simp_all
+  moreover
+  from this \<open>a\<in>domain(b)\<close>
+  have "\<langle>a,b\<rangle> \<in> edrel(eclose({x}))" by blast
+  ultimately
+  show "y \<in> ?rr" by simp
+qed
+
+lemma tr_edrel_subset :
+  assumes "z \<in> domain(x)"
+  shows   "tr_down(edrel(eclose({x})),z) \<subseteq> eclose({z})"
+proof(intro subsetI)
+  let ?r="\<lambda> x . edrel(eclose({x}))"
+  fix y
+  assume  "y \<in> tr_down(?r(x),z)"
+  then
+  have "\<langle>y,z\<rangle> \<in> ?r(x)^+" using tr_downD by simp
+  with assms
+  show "y \<in> eclose({z})" using tr_edrel_eclose eclose_sing by simp
+qed
+
+
+context M_ctm
+begin
+
+lemma upairM : "x \<in> M \<Longrightarrow> y \<in> M \<Longrightarrow> {x,y} \<in> M"
+  by (simp flip: setclass_iff)
+
+lemma singletonM : "a \<in> M \<Longrightarrow> {a} \<in> M"
+  by (simp flip: setclass_iff)
+
+lemma Rep_simp : "Replace(u,\<lambda> y z . z = f(y)) = { f(y) . y \<in> u}"
+  by(auto)
+
+end (* M_ctm *)
+
+subsection\<open>Values and check-names\<close>
+context forcing_data
+begin
+
+definition
+  Hcheck :: "[i,i] \<Rightarrow> i" where
+  "Hcheck(z,f)  \<equiv> { \<langle>f`y,one\<rangle> . y \<in> z}"
+
+definition
+  check :: "i \<Rightarrow> i" where
+  "check(x) \<equiv> transrec(x , Hcheck)"
+
+lemma checkD:
+  "check(x) =  wfrec(Memrel(eclose({x})), x, Hcheck)"
+  unfolding check_def transrec_def ..
+
+definition
+  rcheck :: "i \<Rightarrow> i" where
+  "rcheck(x) \<equiv> Memrel(eclose({x}))^+"
+
+
+lemma Hcheck_trancl:"Hcheck(y, restrict(f,Memrel(eclose({x}))-``{y}))
+                   = Hcheck(y, restrict(f,(Memrel(eclose({x}))^+)-``{y}))"
+  unfolding Hcheck_def
+  using restrict_trans_eq by simp
+
+lemma check_trancl: "check(x) = wfrec(rcheck(x), x, Hcheck)"
+  using checkD wf_eq_trancl Hcheck_trancl unfolding rcheck_def by simp
+
+(* relation of check is in M *)
+lemma rcheck_in_M :
+  "x \<in> M \<Longrightarrow> rcheck(x) \<in> M"
+  unfolding rcheck_def by (simp flip: setclass_iff)
+
+
+lemma  aux_def_check: "x \<in> y \<Longrightarrow>
+  wfrec(Memrel(eclose({y})), x, Hcheck) =
+  wfrec(Memrel(eclose({x})), x, Hcheck)"
+  by (rule wfrec_eclose_eq,auto simp add: arg_into_eclose eclose_sing)
+
+lemma def_check : "check(y) = { \<langle>check(w),one\<rangle> . w \<in> y}"
+proof -
+  let
+    ?r="\<lambda>y. Memrel(eclose({y}))"
+  have wfr:   "\<forall>w . wf(?r(w))" 
+    using wf_Memrel ..
+  then 
+  have "check(y)= Hcheck( y, \<lambda>x\<in>?r(y) -`` {y}. wfrec(?r(y), x, Hcheck))"
+    using wfrec[of "?r(y)" y "Hcheck"] checkD by simp
+  also 
+  have " ... = Hcheck( y, \<lambda>x\<in>y. wfrec(?r(y), x, Hcheck))"
+    using under_Memrel_eclose arg_into_eclose by simp
+  also 
+  have " ... = Hcheck( y, \<lambda>x\<in>y. check(x))"
+    using aux_def_check checkD by simp
+  finally show ?thesis using Hcheck_def by simp
+qed
+
+
+lemma def_checkS :
+  fixes n
+  assumes "n \<in> nat"
+  shows "check(succ(n)) = check(n) \<union> {\<langle>check(n),one\<rangle>}"
+proof -
+  have "check(succ(n)) = {\<langle>check(i),one\<rangle> . i \<in> succ(n)} "
+    using def_check by blast
+  also have "... = {\<langle>check(i),one\<rangle> . i \<in> n} \<union> {\<langle>check(n),one\<rangle>}"
+    by blast
+  also have "... = check(n) \<union> {\<langle>check(n),one\<rangle>}"
+    using def_check[of n,symmetric] by simp
+  finally show ?thesis .
+qed
+
+lemma field_Memrel2 :
+  assumes "x \<in> M"
+  shows "field(Memrel(eclose({x}))) \<subseteq> M"
+proof -
+  have "field(Memrel(eclose({x}))) \<subseteq> eclose({x})" "eclose({x}) \<subseteq> M"
+    using Ordinal.Memrel_type field_rel_subset assms eclose_least[OF trans_M] by auto
+  then
+  show ?thesis using subset_trans by simp
+qed
+
+definition
+  Hv :: "i\<Rightarrow>i\<Rightarrow>i\<Rightarrow>i" where
+  "Hv(G,x,f) \<equiv> { f`y .. y\<in> domain(x), \<exists>p\<in>P. \<langle>y,p\<rangle> \<in> x \<and> p \<in> G }"
+
+text\<open>The funcion \<^term>\<open>val\<close> interprets a name in \<^term>\<open>M\<close>
+according to a (generic) filter \<^term>\<open>G\<close>. Note the definition
+in terms of the well-founded recursor.\<close>
+
+definition
+  val :: "i\<Rightarrow>i\<Rightarrow>i" where
+  "val(G,\<tau>) \<equiv> wfrec(edrel(eclose({\<tau>})), \<tau> ,Hv(G))"
+
+lemma aux_def_val:
+  assumes "z \<in> domain(x)"
+  shows "wfrec(edrel(eclose({x})),z,Hv(G)) = wfrec(edrel(eclose({z})),z,Hv(G))"
+proof -
+  let ?r="\<lambda>x . edrel(eclose({x}))"
+  have "z\<in>eclose({z})" using arg_in_eclose_sing .
+  moreover
+  have "relation(?r(x))" using relation_edrel .
+  moreover
+  have "wf(?r(x))" using wf_edrel .
+  moreover from assms
+  have "tr_down(?r(x),z) \<subseteq> eclose({z})" using tr_edrel_subset by simp
+  ultimately
+  have "wfrec(?r(x),z,Hv(G)) = wfrec[eclose({z})](?r(x),z,Hv(G))"
+    using wfrec_restr by simp
+  also from \<open>z\<in>domain(x)\<close>
+  have "... = wfrec(?r(z),z,Hv(G))"
+    using restrict_edrel_eq wfrec_restr_eq by simp
+  finally show ?thesis .
+qed
+
+text\<open>The next lemma provides the usual recursive expresion for the definition of term\<open>val\<close>.\<close>
+
+lemma def_val:  "val(G,x) = {val(G,t) .. t\<in>domain(x) , \<exists>p\<in>P .  \<langle>t,p\<rangle>\<in>x \<and> p \<in> G }"
+proof -
+  let
+    ?r="\<lambda>\<tau> . edrel(eclose({\<tau>}))"
+  let
+    ?f="\<lambda>z\<in>?r(x)-``{x}. wfrec(?r(x),z,Hv(G))"
+  have "\<forall>\<tau>. wf(?r(\<tau>))" using wf_edrel by simp
+  with wfrec [of _ x]
+  have "val(G,x) = Hv(G,x,?f)" using val_def by simp
+  also
+  have " ... = Hv(G,x,\<lambda>z\<in>domain(x). wfrec(?r(x),z,Hv(G)))"
+    using dom_under_edrel_eclose by simp
+  also
+  have " ... = Hv(G,x,\<lambda>z\<in>domain(x). val(G,z))"
+    using aux_def_val val_def by simp
+  finally
+  show ?thesis using Hv_def SepReplace_def by simp
+qed
+
+lemma val_mono : "x\<subseteq>y \<Longrightarrow> val(G,x) \<subseteq> val(G,y)"
+  by (subst (1 2) def_val, force)
+
+text\<open>Check-names are the canonical names for elements of the
+ground model. Here we show that this is the case.\<close>
+
+lemma valcheck : "one \<in> G \<Longrightarrow>  one \<in> P \<Longrightarrow> val(G,check(y))  = y"
+proof (induct rule:eps_induct)
+  case (1 y)
+  then show ?case
+  proof -    
+    have "check(y) = { \<langle>check(w), one\<rangle> . w \<in> y}"  (is "_ = ?C") 
+      using def_check .
+    then
+    have "val(G,check(y)) = val(G, {\<langle>check(w), one\<rangle> . w \<in> y})"
+      by simp
+    also
+    have " ...  = {val(G,t) .. t\<in>domain(?C) , \<exists>p\<in>P .  \<langle>t, p\<rangle>\<in>?C \<and> p \<in> G }"
+      using def_val by blast
+    also
+    have " ... =  {val(G,t) .. t\<in>domain(?C) , \<exists>w\<in>y. t=check(w) }"
+      using 1 by simp
+    also
+    have " ... = {val(G,check(w)) . w\<in>y }"
+      by force
+    finally
+    show "val(G,check(y)) = y"
+      using 1 by simp
+  qed
+qed
+
+lemma val_of_name :
+  "val(G,{x\<in>A\<times>P. Q(x)}) = {val(G,t) .. t\<in>A , \<exists>p\<in>P .  Q(\<langle>t,p\<rangle>) \<and> p \<in> G }"
+proof -
+  let
+    ?n="{x\<in>A\<times>P. Q(x)}" and
+    ?r="\<lambda>\<tau> . edrel(eclose({\<tau>}))"
+  let
+    ?f="\<lambda>z\<in>?r(?n)-``{?n}. val(G,z)"
+  have
+    wfR : "wf(?r(\<tau>))" for \<tau>
+    by (simp add: wf_edrel)
+  have "domain(?n) \<subseteq> A" by auto
+  { fix t
+    assume H:"t \<in> domain({x \<in> A \<times> P . Q(x)})"
+    then have "?f ` t = (if t \<in> ?r(?n)-``{?n} then val(G,t) else 0)"
+      by simp
+    moreover have "... = val(G,t)"
+      using dom_under_edrel_eclose H if_P by auto
+  }
+  then
+  have Eq1: "t \<in> domain({x \<in> A \<times> P . Q(x)}) \<Longrightarrow> val(G,t) = ?f` t"  for t
+    by simp
+  have "val(G,?n) = {val(G,t) .. t\<in>domain(?n), \<exists>p \<in> P . \<langle>t,p\<rangle> \<in> ?n \<and> p \<in> G}"
+    by (subst def_val,simp)
+  also
+  have "... = {?f`t .. t\<in>domain(?n), \<exists>p\<in>P . \<langle>t,p\<rangle>\<in>?n \<and> p\<in>G}"
+    unfolding Hv_def
+    by (subst SepReplace_dom_implies,auto simp add:Eq1)
+  also
+  have  "... = { (if t\<in>?r(?n)-``{?n} then val(G,t) else 0) .. t\<in>domain(?n), \<exists>p\<in>P . \<langle>t,p\<rangle>\<in>?n \<and> p\<in>G}"
+    by (simp)
+  also
+  have Eq2:  "... = { val(G,t) .. t\<in>domain(?n), \<exists>p\<in>P . \<langle>t,p\<rangle>\<in>?n \<and> p\<in>G}"
+  proof -
+    have "domain(?n) \<subseteq> ?r(?n)-``{?n}"
+      using dom_under_edrel_eclose by simp
+    then
+    have "\<forall>t\<in>domain(?n). (if t\<in>?r(?n)-``{?n} then val(G,t) else 0) = val(G,t)"
+      by auto
+    then
+    show "{ (if t\<in>?r(?n)-``{?n} then val(G,t) else 0) .. t\<in>domain(?n), \<exists>p\<in>P . \<langle>t,p\<rangle>\<in>?n \<and> p\<in>G} =
+          { val(G,t) .. t\<in>domain(?n), \<exists>p\<in>P . \<langle>t,p\<rangle>\<in>?n \<and> p\<in>G}"
+      by auto
+  qed
+  also
+  have " ... = { val(G,t) .. t\<in>A, \<exists>p\<in>P . \<langle>t,p\<rangle>\<in>?n \<and> p\<in>G}"
+    by force
+  finally
+  show " val(G,?n)  = { val(G,t) .. t\<in>A, \<exists>p\<in>P . Q(\<langle>t,p\<rangle>) \<and> p\<in>G}"
+    by auto
+qed
+
+lemma val_of_name_alt :
+  "val(G,{x\<in>A\<times>P. Q(x)}) = {val(G,t) .. t\<in>A , \<exists>p\<in>P\<inter>G .  Q(\<langle>t,p\<rangle>) }"
+  using val_of_name by force
+
+lemma val_only_names: "val(F,\<tau>) = val(F,{x\<in>\<tau>. \<exists>t\<in>domain(\<tau>). \<exists>p\<in>P. x=\<langle>t,p\<rangle>})"
+  (is "_ = val(F,?name)")
+proof -
+  have "val(F,?name) = {val(F, t).. t\<in>domain(?name), \<exists>p\<in>P. \<langle>t, p\<rangle> \<in> ?name \<and> p \<in> F}"
+    using def_val by blast
+  also
+  have " ... = {val(F, t). t\<in>{y\<in>domain(?name). \<exists>p\<in>P. \<langle>y, p\<rangle> \<in> ?name \<and> p \<in> F}}"
+    using Sep_and_Replace by simp
+  also
+  have " ... = {val(F, t). t\<in>{y\<in>domain(\<tau>). \<exists>p\<in>P. \<langle>y, p\<rangle> \<in> \<tau> \<and> p \<in> F}}"
+    by blast
+  also
+  have " ... = {val(F, t).. t\<in>domain(\<tau>), \<exists>p\<in>P. \<langle>t, p\<rangle> \<in> \<tau> \<and> p \<in> F}"
+    using Sep_and_Replace by simp
+  also
+  have " ... = val(F, \<tau>)"
+    using def_val[symmetric] by blast
+  finally
+  show ?thesis ..
+qed
+
+lemma val_only_pairs: "val(F,\<tau>) = val(F,{x\<in>\<tau>. \<exists>t p. x=\<langle>t,p\<rangle>})"
+proof
+  have "val(F,\<tau>) = val(F,{x\<in>\<tau>. \<exists>t\<in>domain(\<tau>). \<exists>p\<in>P. x=\<langle>t,p\<rangle>})"
+    (is "_ = val(F,?name)")
+    using val_only_names .
+  also
+  have "... \<subseteq> val(F,{x\<in>\<tau>. \<exists>t p. x=\<langle>t,p\<rangle>})"
+    using val_mono[of ?name "{x\<in>\<tau>. \<exists>t p. x=\<langle>t,p\<rangle>}"] by auto
+  finally
+  show "val(F,\<tau>) \<subseteq> val(F,{x\<in>\<tau>. \<exists>t p. x=\<langle>t,p\<rangle>})" by simp
+next
+  show "val(F,{x\<in>\<tau>. \<exists>t p. x=\<langle>t,p\<rangle>}) \<subseteq> val(F,\<tau>)"
+    using val_mono[of "{x\<in>\<tau>. \<exists>t p. x=\<langle>t,p\<rangle>}"] by auto
+qed
+
+lemma val_subset_domain_times_range: "val(F,\<tau>) \<subseteq> val(F,domain(\<tau>)\<times>range(\<tau>))"
+  using val_only_pairs[THEN equalityD1]
+    val_mono[of "{x \<in> \<tau> . \<exists>t p. x = \<langle>t, p\<rangle>}" "domain(\<tau>)\<times>range(\<tau>)"] by blast
+
+lemma val_subset_domain_times_P: "val(F,\<tau>) \<subseteq> val(F,domain(\<tau>)\<times>P)"
+  using val_only_names[of F \<tau>] val_mono[of "{x\<in>\<tau>. \<exists>t\<in>domain(\<tau>). \<exists>p\<in>P. x=\<langle>t,p\<rangle>}" "domain(\<tau>)\<times>P" F]
+  by auto
+
+definition
+  GenExt :: "i\<Rightarrow>i"     ("M[_]")
+  where "GenExt(G)\<equiv> {val(G,\<tau>). \<tau> \<in> M}"
+
+
+lemma val_of_elem: "\<langle>\<theta>,p\<rangle> \<in> \<pi> \<Longrightarrow> p\<in>G \<Longrightarrow> p\<in>P \<Longrightarrow> val(G,\<theta>) \<in> val(G,\<pi>)"
+proof -
+  assume
+    "\<langle>\<theta>,p\<rangle> \<in> \<pi>"
+  then
+  have "\<theta>\<in>domain(\<pi>)" by auto
+  assume "p\<in>G" "p\<in>P"
+  with \<open>\<theta>\<in>domain(\<pi>)\<close> \<open>\<langle>\<theta>,p\<rangle> \<in> \<pi>\<close>
+  have "val(G,\<theta>) \<in> {val(G,t) .. t\<in>domain(\<pi>) , \<exists>p\<in>P .  \<langle>t, p\<rangle>\<in>\<pi> \<and> p \<in> G }"
+    by auto
+  then
+  show ?thesis by (subst def_val)
+qed
+
+lemma elem_of_val: "x\<in>val(G,\<pi>) \<Longrightarrow> \<exists>\<theta>\<in>domain(\<pi>). val(G,\<theta>) = x"
+  by (subst (asm) def_val,auto)
+
+lemma elem_of_val_pair: "x\<in>val(G,\<pi>) \<Longrightarrow> \<exists>\<theta>. \<exists>p\<in>G.  \<langle>\<theta>,p\<rangle>\<in>\<pi> \<and> val(G,\<theta>) = x"
+  by (subst (asm) def_val,auto)
+
+lemma elem_of_val_pair':
+  assumes "\<pi>\<in>M" "x\<in>val(G,\<pi>)"
+  shows "\<exists>\<theta>\<in>M. \<exists>p\<in>G.  \<langle>\<theta>,p\<rangle>\<in>\<pi> \<and> val(G,\<theta>) = x"
+proof -
+  from assms
+  obtain \<theta> p where "p\<in>G" "\<langle>\<theta>,p\<rangle>\<in>\<pi>" "val(G,\<theta>) = x"
+    using elem_of_val_pair by blast
+  moreover from this \<open>\<pi>\<in>M\<close>
+  have "\<theta>\<in>M"
+    using pair_in_M_iff[THEN iffD1, THEN conjunct1, simplified]
+      transitivity by blast
+  ultimately
+  show ?thesis by blast
+qed
+
+
+lemma GenExtD:
+  "x \<in> M[G] \<Longrightarrow> \<exists>\<tau>\<in>M. x = val(G,\<tau>)"
+  by (simp add:GenExt_def)
+
+lemma GenExtI:
+  "x \<in> M \<Longrightarrow> val(G,x) \<in> M[G]"
+  by (auto simp add: GenExt_def)
+
+lemma Transset_MG : "Transset(M[G])"
+proof -
+  { fix vc y
+    assume "vc \<in> M[G]" and "y \<in> vc"
+    then obtain c where "c\<in>M" "val(G,c)\<in>M[G]" "y \<in> val(G,c)"
+      using GenExtD by auto
+    from \<open>y \<in> val(G,c)\<close>
+    obtain \<theta> where "\<theta>\<in>domain(c)" "val(G,\<theta>) = y"
+      using elem_of_val by blast
+    with trans_M \<open>c\<in>M\<close>
+    have "y \<in> M[G]"
+      using domain_trans GenExtI by blast
+  }
+  then
+  show ?thesis using Transset_def by auto
+qed
+
+lemmas transitivity_MG = Transset_intf[OF Transset_MG]
+
+lemma check_n_M :
+  fixes n
+  assumes "n \<in> nat"
+  shows "check(n) \<in> M"
+  using \<open>n\<in>nat\<close>
+proof (induct n)
+  case 0
+  then show ?case using zero_in_M by (subst def_check,simp)
+next
+  case (succ x)
+  have "one \<in> M" using one_in_P P_sub_M subsetD by simp
+  with \<open>check(x)\<in>M\<close>
+  have "\<langle>check(x),one\<rangle> \<in> M"
+    using tuples_in_M by simp
+  then
+  have "{\<langle>check(x),one\<rangle>} \<in> M"
+    using singletonM by simp
+  with \<open>check(x)\<in>M\<close>
+  have "check(x) \<union> {\<langle>check(x),one\<rangle>} \<in> M"
+    using Un_closed by simp
+  then show ?case using \<open>x\<in>nat\<close> def_checkS by simp
+qed
+
+
+definition
+  PHcheck :: "[i,i,i,i] \<Rightarrow> o" where
+  "PHcheck(o,f,y,p) \<equiv> p\<in>M \<and> (\<exists>fy[##M]. fun_apply(##M,f,y,fy) \<and> pair(##M,fy,o,p))"
+
+definition
+  is_Hcheck :: "[i,i,i,i] \<Rightarrow> o" where
+  "is_Hcheck(o,z,f,hc)  \<equiv> is_Replace(##M,z,PHcheck(o,f),hc)"
+
+lemma one_in_M: "one \<in> M"
+  by (insert one_in_P P_in_M, simp add: transitivity)
+
+lemma def_PHcheck:
+  assumes
+    "z\<in>M" "f\<in>M"
+  shows
+    "Hcheck(z,f) = Replace(z,PHcheck(one,f))"
+proof -
+  from assms
+  have "\<langle>f`x,one\<rangle> \<in> M" "f`x\<in>M" if "x\<in>z" for x
+    using tuples_in_M one_in_M transitivity that apply_closed by simp_all
+  then
+  have "{y . x \<in> z, y = \<langle>f ` x, one\<rangle>} =  {y . x \<in> z, y = \<langle>f ` x, one\<rangle> \<and> y\<in>M \<and> f`x\<in>M}"
+    by simp
+  then
+  show ?thesis
+    using \<open>z\<in>M\<close> \<open>f\<in>M\<close> transitivity
+    unfolding Hcheck_def PHcheck_def RepFun_def
+    by auto
+qed
+
+(*
+  "PHcheck(o,f,y,p) \<equiv> \<exists>fy[##M]. fun_apply(##M,f,y,fy) \<and> pair(##M,fy,o,p)"
+*)
+definition
+  PHcheck_fm :: "[i,i,i,i] \<Rightarrow> i" where
+  "PHcheck_fm(o,f,y,p) \<equiv> Exists(And(fun_apply_fm(succ(f),succ(y),0)
+                                 ,pair_fm(0,succ(o),succ(p))))"
+
+lemma PHcheck_type [TC]:
+  "\<lbrakk> x \<in> nat; y \<in> nat; z \<in> nat; u \<in> nat \<rbrakk> \<Longrightarrow> PHcheck_fm(x,y,z,u) \<in> formula"
+  by (simp add:PHcheck_fm_def)
+
+lemma sats_PHcheck_fm [simp]:
+  "\<lbrakk> x \<in> nat; y \<in> nat; z \<in> nat; u \<in> nat ; env \<in> list(M)\<rbrakk>
+    \<Longrightarrow> sats(M,PHcheck_fm(x,y,z,u),env) \<longleftrightarrow>
+        PHcheck(nth(x,env),nth(y,env),nth(z,env),nth(u,env))"
+  using zero_in_M Internalizations.nth_closed by (simp add: PHcheck_def PHcheck_fm_def)
+
+(*
+  "is_Hcheck(o,z,f,hc)  \<equiv> is_Replace(##M,z,PHcheck(o,f),hc)"
+*)
+definition
+  is_Hcheck_fm :: "[i,i,i,i] \<Rightarrow> i" where
+  "is_Hcheck_fm(o,z,f,hc) \<equiv> Replace_fm(z,PHcheck_fm(succ(succ(o)),succ(succ(f)),0,1),hc)"
+
+lemma is_Hcheck_type [TC]:
+  "\<lbrakk> x \<in> nat; y \<in> nat; z \<in> nat; u \<in> nat \<rbrakk> \<Longrightarrow> is_Hcheck_fm(x,y,z,u) \<in> formula"
+  by (simp add:is_Hcheck_fm_def)
+
+lemma sats_is_Hcheck_fm [simp]:
+  "\<lbrakk> x \<in> nat; y \<in> nat; z \<in> nat; u \<in> nat ; env \<in> list(M)\<rbrakk>
+    \<Longrightarrow> sats(M,is_Hcheck_fm(x,y,z,u),env) \<longleftrightarrow>
+        is_Hcheck(nth(x,env),nth(y,env),nth(z,env),nth(u,env))"
+  using sats_Replace_fm unfolding is_Hcheck_def is_Hcheck_fm_def
+  by simp
+
+
+(* instance of replacement for hcheck *)
+lemma wfrec_Hcheck :
+  assumes
+    "X\<in>M"
+  shows
+    "wfrec_replacement(##M,is_Hcheck(one),rcheck(X))"
+proof -
+  have "is_Hcheck(one,a,b,c) \<longleftrightarrow>
+        sats(M,is_Hcheck_fm(8,2,1,0),[c,b,a,d,e,y,x,z,one,rcheck(x)])"
+    if "a\<in>M" "b\<in>M" "c\<in>M" "d\<in>M" "e\<in>M" "y\<in>M" "x\<in>M" "z\<in>M"
+    for a b c d e y x z
+    using that one_in_M \<open>X\<in>M\<close> rcheck_in_M by simp
+  then have 1:"sats(M,is_wfrec_fm(is_Hcheck_fm(8,2,1,0),4,1,0),
+                    [y,x,z,one,rcheck(X)]) \<longleftrightarrow>
+            is_wfrec(##M, is_Hcheck(one),rcheck(X), x, y)"
+    if "x\<in>M" "y\<in>M" "z\<in>M" for x y z
+    using  that sats_is_wfrec_fm \<open>X\<in>M\<close> rcheck_in_M one_in_M by simp
+  let
+    ?f="Exists(And(pair_fm(1,0,2),
+               is_wfrec_fm(is_Hcheck_fm(8,2,1,0),4,1,0)))"
+  have satsf:"sats(M, ?f, [x,z,one,rcheck(X)]) \<longleftrightarrow>
+              (\<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, is_Hcheck(one),rcheck(X), x, y))"
+    if "x\<in>M" "z\<in>M" for x z
+    using that 1 \<open>X\<in>M\<close> rcheck_in_M one_in_M by (simp del:pair_abs)
+  have artyf:"arity(?f) = 4"
+    unfolding is_wfrec_fm_def is_Hcheck_fm_def Replace_fm_def PHcheck_fm_def
+      pair_fm_def upair_fm_def is_recfun_fm_def fun_apply_fm_def big_union_fm_def
+      pre_image_fm_def restriction_fm_def image_fm_def
+    by (simp add:nat_simp_union)
+  then
+  have "strong_replacement(##M,\<lambda>x z. sats(M,?f,[x,z,one,rcheck(X)]))"
+    using replacement_ax 1 artyf \<open>X\<in>M\<close> rcheck_in_M one_in_M by simp
+  then
+  have "strong_replacement(##M,\<lambda>x z.
+          \<exists>y\<in>M. pair(##M,x,y,z) & is_wfrec(##M, is_Hcheck(one),rcheck(X), x, y))"
+    using repl_sats[of M ?f "[one,rcheck(X)]"] satsf by (simp del:pair_abs)
+  then
+  show ?thesis unfolding wfrec_replacement_def by simp
+qed
+
+lemma repl_PHcheck :
+  assumes
+    "f\<in>M"
+  shows
+    "strong_replacement(##M,PHcheck(one,f))"
+proof -
+  have "arity(PHcheck_fm(2,3,0,1)) = 4"
+    unfolding PHcheck_fm_def fun_apply_fm_def big_union_fm_def pair_fm_def image_fm_def
+      upair_fm_def
+    by (simp add:nat_simp_union)
+  with \<open>f\<in>M\<close>
+  have "strong_replacement(##M,\<lambda>x y. sats(M,PHcheck_fm(2,3,0,1),[x,y,one,f]))"
+    using replacement_ax one_in_M by simp
+  with \<open>f\<in>M\<close>
+  show ?thesis using one_in_M unfolding strong_replacement_def univalent_def by simp
+qed
+
+lemma univ_PHcheck : "\<lbrakk> z\<in>M ; f\<in>M \<rbrakk> \<Longrightarrow> univalent(##M,z,PHcheck(one,f))"
+  unfolding univalent_def PHcheck_def by simp
+
+lemma relation2_Hcheck :
+  "relation2(##M,is_Hcheck(one),Hcheck)"
+proof -
+  have 1:"\<lbrakk>x\<in>z; PHcheck(one,f,x,y) \<rbrakk> \<Longrightarrow> (##M)(y)"
+    if "z\<in>M" "f\<in>M" for z f x y
+    using that unfolding PHcheck_def by simp
+  have "is_Replace(##M,z,PHcheck(one,f),hc) \<longleftrightarrow> hc = Replace(z,PHcheck(one,f))"
+    if "z\<in>M" "f\<in>M" "hc\<in>M" for z f hc
+    using that Replace_abs[OF _ _ univ_PHcheck 1] by simp
+  with def_PHcheck
+  show ?thesis
+    unfolding relation2_def is_Hcheck_def Hcheck_def by simp
+qed
+
+lemma PHcheck_closed :
+  "\<lbrakk>z\<in>M ; f\<in>M ; x\<in>z; PHcheck(one,f,x,y) \<rbrakk> \<Longrightarrow> (##M)(y)"
+  unfolding PHcheck_def by simp
+
+lemma Hcheck_closed :
+  "\<forall>y\<in>M. \<forall>g\<in>M. function(g) \<longrightarrow> Hcheck(y,g)\<in>M"
+proof -
+  have "Replace(y,PHcheck(one,f))\<in>M" if "f\<in>M" "y\<in>M" for f y
+    using that repl_PHcheck  PHcheck_closed[of y f] univ_PHcheck
+      strong_replacement_closed
+    by (simp flip: setclass_iff)
+  then show ?thesis using def_PHcheck by auto
+qed
+
+lemma wf_rcheck : "x\<in>M \<Longrightarrow> wf(rcheck(x))"
+  unfolding rcheck_def using wf_trancl[OF wf_Memrel] .
+
+lemma trans_rcheck : "x\<in>M \<Longrightarrow> trans(rcheck(x))"
+  unfolding rcheck_def using trans_trancl .
+
+lemma relation_rcheck : "x\<in>M \<Longrightarrow> relation(rcheck(x))"
+  unfolding rcheck_def using relation_trancl .
+
+lemma check_in_M : "x\<in>M \<Longrightarrow> check(x) \<in> M"
+  unfolding transrec_def
+  using wfrec_Hcheck[of x] check_trancl wf_rcheck trans_rcheck relation_rcheck rcheck_in_M
+    Hcheck_closed relation2_Hcheck trans_wfrec_closed[of "rcheck(x)" x "is_Hcheck(one)" Hcheck]
+  by (simp flip: setclass_iff)
+
+end (* forcing_data *)
+
+(* check if this should go to Relative! *)
+definition
+  is_singleton :: "[i\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_singleton(A,x,z) \<equiv> \<exists>c[A]. empty(A,c) \<and> is_cons(A,x,c,z)"
+
+lemma (in M_trivial) singleton_abs[simp] : "\<lbrakk> M(x) ; M(s) \<rbrakk> \<Longrightarrow> is_singleton(M,x,s) \<longleftrightarrow> s = {x}"
+  unfolding is_singleton_def using nonempty by simp
+
+definition
+  singleton_fm :: "[i,i] \<Rightarrow> i" where
+  "singleton_fm(i,j) \<equiv> Exists(And(empty_fm(0), cons_fm(succ(i),0,succ(j))))"
+
+lemma singleton_type[TC] : "\<lbrakk> x \<in> nat; y \<in> nat \<rbrakk> \<Longrightarrow> singleton_fm(x,y) \<in> formula"
+  unfolding singleton_fm_def by simp
+
+lemma is_singleton_iff_sats:
+  "\<lbrakk> nth(i,env) = x; nth(j,env) = y;
+          i \<in> nat; j\<in>nat ; env \<in> list(A)\<rbrakk>
+       \<Longrightarrow> is_singleton(##A,x,y) \<longleftrightarrow> sats(A, singleton_fm(i,j), env)"
+  unfolding is_singleton_def singleton_fm_def by simp
+
+context forcing_data begin
+
+(* Internalization and absoluteness of rcheck *)
+definition
+  is_rcheck :: "[i,i] \<Rightarrow> o" where
+  "is_rcheck(x,z) \<equiv> \<exists>r\<in>M. tran_closure(##M,r,z) \<and> (\<exists>ec\<in>M. membership(##M,ec,r) \<and>
+                           (\<exists>s\<in>M. is_singleton(##M,x,s) \<and>  is_eclose(##M,s,ec)))"
+
+lemma rcheck_abs :
+  "\<lbrakk> x\<in>M ; r\<in>M \<rbrakk> \<Longrightarrow> is_rcheck(x,r) \<longleftrightarrow> r = rcheck(x)"
+  unfolding rcheck_def is_rcheck_def
+  using singletonM trancl_closed Memrel_closed eclose_closed by simp
+
+schematic_goal rcheck_fm_auto:
+  assumes
+    "i \<in> nat" "j \<in> nat" "env \<in> list(M)"
+  shows
+    "is_rcheck(nth(i,env),nth(j,env)) \<longleftrightarrow> sats(M,?rch(i,j),env)"
+  unfolding is_rcheck_def
+  by (insert assms ; (rule sep_rules is_singleton_iff_sats is_eclose_iff_sats
+        trans_closure_fm_iff_sats | simp)+)
+
+synthesize "rcheck_fm" from_schematic rcheck_fm_auto
+
+definition
+  is_check :: "[i,i] \<Rightarrow> o" where
+  "is_check(x,z) \<equiv> \<exists>rch\<in>M. is_rcheck(x,rch) \<and> is_wfrec(##M,is_Hcheck(one),rch,x,z)"
+
+lemma check_abs :
+  assumes
+    "x\<in>M" "z\<in>M"
+  shows
+    "is_check(x,z) \<longleftrightarrow> z = check(x)"
+proof -
+  have
+    "is_check(x,z) \<longleftrightarrow> is_wfrec(##M,is_Hcheck(one),rcheck(x),x,z)"
+    unfolding is_check_def using assms rcheck_abs rcheck_in_M
+    unfolding check_trancl is_check_def by simp
+  then show ?thesis
+    unfolding check_trancl
+    using assms wfrec_Hcheck[of x] wf_rcheck trans_rcheck relation_rcheck rcheck_in_M
+      Hcheck_closed relation2_Hcheck trans_wfrec_abs[of "rcheck(x)" x z "is_Hcheck(one)" Hcheck]
+    by (simp flip: setclass_iff)
+qed
+
+(* \<exists>rch\<in>M. is_rcheck(x,rch) \<and> is_wfrec(##M,is_Hcheck(one),rch,x,z) *)
+definition
+  check_fm :: "[i,i,i] \<Rightarrow> i" where
+  "check_fm(x,o,z) \<equiv> Exists(And(rcheck_fm(1#+x,0),
+                      is_wfrec_fm(is_Hcheck_fm(6#+o,2,1,0),0,1#+x,1#+z)))"
+
+lemma check_fm_type[TC] :
+  "\<lbrakk>x\<in>nat;o\<in>nat;z\<in>nat\<rbrakk> \<Longrightarrow> check_fm(x,o,z)\<in>formula"
+  unfolding check_fm_def by simp
+
+lemma sats_check_fm :
+  assumes
+    "nth(o,env) = one" "x\<in>nat" "z\<in>nat" "o\<in>nat" "env\<in>list(M)" "x < length(env)" "z < length(env)"
+  shows
+    "sats(M, check_fm(x,o,z), env) \<longleftrightarrow> is_check(nth(x,env),nth(z,env))"
+proof -
+  have sats_is_Hcheck_fm:
+    "\<And>a0 a1 a2 a3 a4. \<lbrakk> a0\<in>M; a1\<in>M; a2\<in>M; a3\<in>M; a4\<in>M \<rbrakk> \<Longrightarrow>
+         is_Hcheck(one,a2, a1, a0) \<longleftrightarrow>
+         sats(M, is_Hcheck_fm(6#+o,2,1,0), [a0,a1,a2,a3,a4,r]@env)" if "r\<in>M" for r
+    using that one_in_M assms  by simp
+  then
+  have "sats(M, is_wfrec_fm(is_Hcheck_fm(6#+o,2,1,0),0,1#+x,1#+z),Cons(r,env))
+        \<longleftrightarrow> is_wfrec(##M,is_Hcheck(one),r,nth(x,env),nth(z,env))" if "r\<in>M" for r
+    using that assms one_in_M sats_is_wfrec_fm by simp
+  then
+  show ?thesis unfolding is_check_def check_fm_def
+    using assms rcheck_in_M one_in_M rcheck_fm_iff_sats[symmetric] by simp
+qed
+
+
+lemma check_replacement:
+  "{check(x). x\<in>P} \<in> M"
+proof -
+  have "arity(check_fm(0,2,1)) = 3"
+    unfolding check_fm_def rcheck_fm_def trans_closure_fm_def is_eclose_fm_def mem_eclose_fm_def
+      is_Hcheck_fm_def Replace_fm_def PHcheck_fm_def finite_ordinal_fm_def is_iterates_fm_def
+      is_wfrec_fm_def is_recfun_fm_def restriction_fm_def pre_image_fm_def eclose_n_fm_def
+      is_nat_case_fm_def quasinat_fm_def Memrel_fm_def singleton_fm_def fm_defs iterates_MH_fm_def
+    by (simp add:nat_simp_union)
+  moreover
+  have "check(x)\<in>M" if "x\<in>P" for x
+    using that Transset_intf[of M x P] trans_M check_in_M P_in_M by simp
+  ultimately
+  show ?thesis using sats_check_fm check_abs P_in_M check_in_M one_in_M
+      Repl_in_M[of "check_fm(0,2,1)" "[one]" is_check check] by simp
+qed
+
+lemma pair_check : "\<lbrakk> p\<in>M ; y\<in>M \<rbrakk>  \<Longrightarrow> (\<exists>c\<in>M. is_check(p,c) \<and> pair(##M,c,p,y)) \<longleftrightarrow> y = \<langle>check(p),p\<rangle>"
+  using check_abs check_in_M tuples_in_M by simp
+
+
+lemma M_subset_MG :  "one \<in> G \<Longrightarrow> M \<subseteq> M[G]"
+  using check_in_M one_in_P GenExtI
+  by (intro subsetI, subst valcheck [of G,symmetric], auto)
+
+text\<open>The name for the generic filter\<close>
+definition
+  G_dot :: "i" where
+  "G_dot \<equiv> {\<langle>check(p),p\<rangle> . p\<in>P}"
+
+lemma G_dot_in_M :
+  "G_dot \<in> M"
+proof -
+  let ?is_pcheck = "\<lambda>x y. \<exists>ch\<in>M. is_check(x,ch) \<and> pair(##M,ch,x,y)"
+  let ?pcheck_fm = "Exists(And(check_fm(1,3,0),pair_fm(0,1,2)))"
+  have "sats(M,?pcheck_fm,[x,y,one]) \<longleftrightarrow> ?is_pcheck(x,y)" if "x\<in>M" "y\<in>M" for x y
+    using sats_check_fm that one_in_M by simp
+  moreover
+  have "?is_pcheck(x,y) \<longleftrightarrow> y = \<langle>check(x),x\<rangle>" if "x\<in>M" "y\<in>M" for x y
+    using that check_abs check_in_M by simp
+  moreover
+  have "?pcheck_fm\<in>formula" by simp
+  moreover
+  have "arity(?pcheck_fm)=3"
+    unfolding check_fm_def rcheck_fm_def trans_closure_fm_def is_eclose_fm_def mem_eclose_fm_def
+      is_Hcheck_fm_def Replace_fm_def PHcheck_fm_def finite_ordinal_fm_def is_iterates_fm_def
+      is_wfrec_fm_def is_recfun_fm_def restriction_fm_def pre_image_fm_def eclose_n_fm_def
+      is_nat_case_fm_def quasinat_fm_def Memrel_fm_def singleton_fm_def fm_defs iterates_MH_fm_def
+    by (simp add:nat_simp_union)
+  moreover
+  from P_in_M check_in_M tuples_in_M P_sub_M
+  have "\<langle>check(p),p\<rangle> \<in> M" if "p\<in>P" for p
+    using that by auto
+  ultimately
+  show ?thesis
+    unfolding G_dot_def
+    using one_in_M P_in_M Repl_in_M[of ?pcheck_fm "[one]"]
+    by simp
+qed
+
+
+lemma val_G_dot :
+  assumes "G \<subseteq> P"
+    "one \<in> G"
+  shows "val(G,G_dot) = G"
+proof (intro equalityI subsetI)
+  fix x
+  assume "x\<in>val(G,G_dot)"
+  then obtain \<theta> p where "p\<in>G" "\<langle>\<theta>,p\<rangle> \<in> G_dot" "val(G,\<theta>) = x" "\<theta> = check(p)"
+    unfolding G_dot_def using elem_of_val_pair G_dot_in_M
+    by force
+  with \<open>one\<in>G\<close> \<open>G\<subseteq>P\<close> show
+    "x \<in> G"
+    using valcheck P_sub_M by auto
+next
+  fix p
+  assume "p\<in>G"
+  have "\<langle>check(q),q\<rangle> \<in> G_dot" if "q\<in>P" for q
+    unfolding G_dot_def using that by simp
+  with \<open>p\<in>G\<close> \<open>G\<subseteq>P\<close>
+  have "val(G,check(p)) \<in> val(G,G_dot)"
+    using val_of_elem G_dot_in_M by blast
+  with \<open>p\<in>G\<close> \<open>G\<subseteq>P\<close> \<open>one\<in>G\<close>
+  show "p \<in> val(G,G_dot)"
+    using P_sub_M valcheck by auto
+qed
+
+
+lemma G_in_Gen_Ext :
+  assumes "G \<subseteq> P" and "one \<in> G"
+  shows   "G \<in> M[G]"
+  using assms val_G_dot GenExtI[of _ G] G_dot_in_M
+  by force
+
+(* Move this to M_trivial *)
+lemma fst_snd_closed: "p\<in>M \<Longrightarrow> fst(p) \<in> M \<and> snd(p)\<in> M"
+proof (cases "\<exists>a. \<exists>b. p = \<langle>a, b\<rangle>")
+  case False
+  then
+  show "fst(p) \<in> M \<and> snd(p) \<in> M" unfolding fst_def snd_def using zero_in_M by auto
+next
+  case True
+  then
+  obtain a b where "p = \<langle>a, b\<rangle>" by blast
+  with True
+  have "fst(p) = a" "snd(p) = b" unfolding fst_def snd_def by simp_all
+  moreover
+  assume "p\<in>M"
+  moreover from this
+  have "a\<in>M"
+    unfolding \<open>p = _\<close> Pair_def by (force intro:Transset_M[OF trans_M])
+  moreover from  \<open>p\<in>M\<close>
+  have "b\<in>M"
+    using Transset_M[OF trans_M, of "{a,b}" p] Transset_M[OF trans_M, of "b" "{a,b}"]
+    unfolding \<open>p = _\<close> Pair_def by (simp)
+  ultimately
+  show ?thesis by simp
+qed
+
+end (* forcing_data *)
+
+locale G_generic = forcing_data +
+  fixes G :: "i"
+  assumes generic : "M_generic(G)"
+begin
+
+lemma zero_in_MG :
+  "0 \<in> M[G]"
+proof -
+  have "0 = val(G,0)"
+    using zero_in_M elem_of_val by auto
+  also 
+  have "... \<in> M[G]"
+    using GenExtI zero_in_M by simp
+  finally show ?thesis .
+qed
+
+lemma G_nonempty: "G\<noteq>0"
+proof -
+  have "P\<subseteq>P" ..
+  with P_in_M P_dense \<open>P\<subseteq>P\<close>
+  show "G \<noteq> 0"
+    using generic unfolding M_generic_def by auto
+qed
+
+end (* context G_generic *)
+end
\ No newline at end of file
diff --git a/thys/Forcing/Nat_Miscellanea.thy b/thys/Forcing/Nat_Miscellanea.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Nat_Miscellanea.thy
@@ -0,0 +1,277 @@
+section\<open>Auxiliary results on arithmetic\<close>
+theory Nat_Miscellanea imports ZF begin
+
+text\<open>Most of these results will get used at some point for the
+calculation of arities.\<close>
+lemmas nat_succI =  Ord_succ_mem_iff [THEN iffD2,OF nat_into_Ord]
+
+lemma nat_succD : "m \<in> nat \<Longrightarrow>  succ(n) \<in> succ(m) \<Longrightarrow> n \<in> m"
+  by (drule_tac j="succ(m)" in ltI,auto elim:ltD)
+
+lemmas zero_in =  ltD [OF nat_0_le]
+
+lemma in_n_in_nat :  "m \<in> nat \<Longrightarrow> n \<in> m \<Longrightarrow> n \<in> nat"
+  by(drule ltI[of "n"],auto simp add: lt_nat_in_nat)
+
+lemma in_succ_in_nat : "m \<in> nat \<Longrightarrow> n \<in> succ(m) \<Longrightarrow> n \<in> nat"
+  by(auto simp add:in_n_in_nat)
+
+lemma ltI_neg : "x \<in> nat \<Longrightarrow> j \<le> x \<Longrightarrow> j \<noteq> x \<Longrightarrow> j < x"
+  by (simp add: le_iff)
+
+lemma succ_pred_eq  :  "m \<in> nat \<Longrightarrow> m \<noteq> 0  \<Longrightarrow> succ(pred(m)) = m"
+  by (auto elim: natE)
+
+lemma succ_ltI : "succ(j) < n \<Longrightarrow> j < n"
+  by (simp add: succ_leE[OF leI])
+
+lemma succ_In : "n \<in> nat \<Longrightarrow> succ(j) \<in> n \<Longrightarrow> j \<in> n"
+  by (rule succ_ltI[THEN ltD], auto intro: ltI)
+
+lemmas succ_leD = succ_leE[OF leI]
+
+lemma succpred_leI : "n \<in> nat \<Longrightarrow>  n \<le> succ(pred(n))"
+  by (auto elim: natE)
+
+lemma succpred_n0 : "succ(n) \<in> p \<Longrightarrow> p\<noteq>0"
+  by (auto)
+
+
+lemma funcI : "f \<in> A \<rightarrow> B \<Longrightarrow> a \<in> A \<Longrightarrow> b= f ` a \<Longrightarrow> \<langle>a, b\<rangle> \<in> f"
+  by(simp_all add: apply_Pair)
+
+lemmas natEin = natE [OF lt_nat_in_nat]
+
+lemma succ_in : "succ(x) \<le> y  \<Longrightarrow> x \<in> y"
+  by (auto dest:ltD)
+
+lemmas Un_least_lt_iffn =  Un_least_lt_iff [OF nat_into_Ord nat_into_Ord]
+
+lemma pred_le2 : "n\<in> nat \<Longrightarrow> m \<in> nat \<Longrightarrow> pred(n) \<le> m \<Longrightarrow> n \<le> succ(m)"
+  by(subgoal_tac "n\<in>nat",rule_tac n="n" in natE,auto)
+
+lemma pred_le : "n\<in> nat \<Longrightarrow> m \<in> nat \<Longrightarrow> n \<le> succ(m) \<Longrightarrow> pred(n) \<le> m"
+  by(subgoal_tac "pred(n)\<in>nat",rule_tac n="n" in natE,auto)
+
+lemma Un_leD1 : "Ord(i)\<Longrightarrow> Ord(j)\<Longrightarrow> Ord(k)\<Longrightarrow>  i \<union> j \<le> k \<Longrightarrow> i \<le> k"   
+  by (rule Un_least_lt_iff[THEN iffD1[THEN conjunct1]],simp_all)
+
+lemma Un_leD2 : "Ord(i)\<Longrightarrow> Ord(j)\<Longrightarrow> Ord(k)\<Longrightarrow>  i \<union> j \<le>k \<Longrightarrow> j \<le> k"   
+  by (rule Un_least_lt_iff[THEN iffD1[THEN conjunct2]],simp_all)
+
+lemma gt1 : "n \<in> nat \<Longrightarrow> i \<in> n \<Longrightarrow> i \<noteq> 0 \<Longrightarrow> i \<noteq> 1 \<Longrightarrow> 1<i"
+  by(rule_tac n="i" in natE,erule in_n_in_nat,auto intro: Ord_0_lt)
+
+lemma pred_mono : "m \<in> nat \<Longrightarrow> n \<le> m \<Longrightarrow> pred(n) \<le> pred(m)"
+  by(rule_tac n="n" in natE,auto simp add:le_in_nat,erule_tac n="m" in natE,auto)
+
+lemma succ_mono : "m \<in> nat \<Longrightarrow> n \<le> m \<Longrightarrow> succ(n) \<le> succ(m)"
+  by auto
+
+lemma pred2_Un: 
+  assumes "j \<in> nat" "m \<le> j" "n \<le> j" 
+  shows "pred(pred(m \<union> n)) \<le> pred(pred(j))" 
+  using assms pred_mono[of "j"] le_in_nat Un_least_lt pred_mono by simp
+
+lemma nat_union_abs1 : 
+  "\<lbrakk> Ord(i) ; Ord(j) ; i \<le> j \<rbrakk> \<Longrightarrow> i \<union> j = j"
+  by (rule Un_absorb1,erule le_imp_subset)
+
+lemma nat_union_abs2 : 
+  "\<lbrakk> Ord(i) ; Ord(j) ; i \<le> j \<rbrakk> \<Longrightarrow> j \<union> i = j"
+  by (rule Un_absorb2,erule le_imp_subset)
+
+lemma nat_un_max : "Ord(i) \<Longrightarrow> Ord(j) \<Longrightarrow> i \<union> j = max(i,j)"
+  using max_def nat_union_abs1 not_lt_iff_le leI nat_union_abs2
+  by auto
+
+lemma nat_max_ty : "Ord(i) \<Longrightarrow>Ord(j) \<Longrightarrow> Ord(max(i,j))"
+  unfolding max_def by simp
+
+lemma le_not_lt_nat : "Ord(p) \<Longrightarrow> Ord(q) \<Longrightarrow> \<not> p\<le> q \<Longrightarrow> q \<le> p" 
+  by (rule ltE,rule not_le_iff_lt[THEN iffD1],auto,drule ltI[of q p],auto,erule leI)
+
+lemmas nat_simp_union = nat_un_max nat_max_ty max_def 
+
+lemma le_succ : "x\<in>nat \<Longrightarrow> x\<le>succ(x)" by simp
+lemma le_pred : "x\<in>nat \<Longrightarrow> pred(x)\<le>x" 
+  using pred_le[OF _ _ le_succ] pred_succ_eq 
+  by simp
+
+lemma Un_le_compat : "o \<le> p \<Longrightarrow> q \<le> r \<Longrightarrow> Ord(o) \<Longrightarrow> Ord(p) \<Longrightarrow> Ord(q) \<Longrightarrow> Ord(r) \<Longrightarrow> o \<union> q \<le> p \<union> r"
+  using le_trans[of q r "p\<union>r",OF _ Un_upper2_le] le_trans[of o p "p\<union>r",OF _ Un_upper1_le]
+    nat_simp_union 
+  by auto
+
+lemma Un_le : "p \<le> r \<Longrightarrow> q \<le> r \<Longrightarrow>
+               Ord(p) \<Longrightarrow> Ord(q) \<Longrightarrow> Ord(r) \<Longrightarrow> 
+                p \<union> q \<le> r"
+  using nat_simp_union by auto
+
+lemma Un_leI3 : "o \<le> r \<Longrightarrow> p \<le> r \<Longrightarrow> q \<le> r \<Longrightarrow> 
+                Ord(o) \<Longrightarrow> Ord(p) \<Longrightarrow> Ord(q) \<Longrightarrow> Ord(r) \<Longrightarrow> 
+                o \<union> p \<union> q \<le> r"
+  using nat_simp_union by auto
+
+lemma diff_mono :
+  assumes "m \<in> nat" "n\<in>nat" "p \<in> nat" "m < n" "p\<le>m"
+  shows "m#-p < n#-p"
+proof -
+  from assms
+  have "m#-p \<in> nat" "m#-p #+p = m"
+    using add_diff_inverse2 by simp_all
+  with assms
+  show ?thesis
+    using less_diff_conv[of n p "m #- p",THEN iffD2] by simp
+qed
+
+lemma pred_Un:
+  "x \<in> nat \<Longrightarrow> y \<in> nat \<Longrightarrow> Arith.pred(succ(x) \<union> y) = x \<union> Arith.pred(y)"
+  "x \<in> nat \<Longrightarrow> y \<in> nat \<Longrightarrow> Arith.pred(x \<union> succ(y)) = Arith.pred(x) \<union> y"
+  using pred_Un_distrib pred_succ_eq by simp_all
+
+lemma le_natI : "j \<le> n \<Longrightarrow> n \<in> nat \<Longrightarrow> j\<in>nat"
+  by(drule ltD,rule in_n_in_nat,rule nat_succ_iff[THEN iffD2,of n],simp_all)
+
+lemma le_natE : "n\<in>nat \<Longrightarrow> j < n \<Longrightarrow>  j\<in>n"
+  by(rule ltE[of j n],simp+)
+
+lemma diff_cancel :
+  assumes "m \<in> nat" "n\<in>nat" "m < n"
+  shows "m#-n = 0"
+  using assms diff_is_0_lemma leI by simp
+
+lemma leD : assumes "n\<in>nat" "j \<le> n"
+  shows "j < n | j = n"
+  using leE[OF \<open>j\<le>n\<close>,of "j<n | j = n"] by auto
+
+subsection\<open>Some results in ordinal arithmetic\<close>
+text\<open>The following results are auxiliary to the proof of 
+wellfoundedness of the relation \<^term>\<open>frecR\<close>\<close>
+
+lemma max_cong :
+  assumes "x \<le> y" "Ord(y)" "Ord(z)" shows "max(x,y) \<le> max(y,z)"
+  using assms 
+proof (cases "y \<le> z")
+  case True
+  then show ?thesis 
+    unfolding max_def using assms by simp
+next
+  case False
+  then have "z \<le> y"  using assms not_le_iff_lt leI by simp
+  then show ?thesis 
+    unfolding max_def using assms by simp 
+qed
+
+lemma max_commutes : 
+  assumes "Ord(x)" "Ord(y)"
+  shows "max(x,y) = max(y,x)"
+  using assms Un_commute nat_simp_union(1) nat_simp_union(1)[symmetric] by auto
+
+lemma max_cong2 :
+  assumes "x \<le> y" "Ord(y)" "Ord(z)" "Ord(x)" 
+  shows "max(x,z) \<le> max(y,z)"
+proof -
+  from assms 
+  have " x \<union> z \<le> y \<union> z"
+    using lt_Ord Ord_Un Un_mono[OF  le_imp_subset[OF \<open>x\<le>y\<close>]]  subset_imp_le by auto
+  then show ?thesis 
+    using  nat_simp_union \<open>Ord(x)\<close> \<open>Ord(z)\<close> \<open>Ord(y)\<close> by simp
+qed
+
+lemma max_D1 :
+  assumes "x = y" "w < z"  "Ord(x)"  "Ord(w)" "Ord(z)" "max(x,w) = max(y,z)"
+  shows "z\<le>y"
+proof -
+  from assms
+  have "w <  x \<union> w" using Un_upper2_lt[OF \<open>w<z\<close>] assms nat_simp_union by simp
+  then
+  have "w < x" using assms lt_Un_iff[of x w w] lt_not_refl by auto
+  then 
+  have "y = y \<union> z" using assms max_commutes nat_simp_union assms leI by simp 
+  then 
+  show ?thesis using Un_leD2 assms by simp
+qed
+
+lemma max_D2 :
+  assumes "w = y \<or> w = z" "x < y"  "Ord(x)"  "Ord(w)" "Ord(y)" "Ord(z)" "max(x,w) = max(y,z)"
+  shows "x<w"
+proof -
+  from assms
+  have "x < z \<union> y" using Un_upper2_lt[OF \<open>x<y\<close>] by simp
+  then
+  consider (a) "x < y" | (b) "x < w"
+    using assms nat_simp_union by simp
+  then show ?thesis proof (cases)
+    case a
+    consider (c) "w = y" | (d) "w = z" 
+      using assms by auto
+    then show ?thesis proof (cases)
+      case c
+      with a show ?thesis by simp
+    next
+      case d
+      with a
+      show ?thesis 
+      proof (cases "y <w")
+        case True       
+        then show ?thesis using lt_trans[OF \<open>x<y\<close>] by simp
+      next
+        case False
+        then
+        have "w \<le> y" 
+          using not_lt_iff_le[OF assms(5) assms(4)] by simp
+        with \<open>w=z\<close>
+        have "max(z,y) = y"  unfolding max_def using assms by simp
+        with assms
+        have "... = x \<union> w" using nat_simp_union max_commutes  by simp
+        then show ?thesis using le_Un_iff assms by blast
+      qed
+    qed
+  next
+    case b
+    then show ?thesis .
+  qed
+qed
+
+lemma oadd_lt_mono2 :
+  assumes  "Ord(n)" "Ord(\<alpha>)" "Ord(\<beta>)" "\<alpha> < \<beta>" "x < n" "y < n" "0 <n"
+  shows "n ** \<alpha> ++ x < n **\<beta> ++ y"
+proof -
+  consider (0) "\<beta>=0" | (s) \<gamma> where  "Ord(\<gamma>)" "\<beta> = succ(\<gamma>)" | (l) "Limit(\<beta>)"
+    using Ord_cases[OF \<open>Ord(\<beta>)\<close>,of ?thesis] by force
+  then show ?thesis 
+  proof cases
+    case 0
+    then show ?thesis using \<open>\<alpha><\<beta>\<close> by auto
+  next
+    case s
+    then
+    have "\<alpha>\<le>\<gamma>" using \<open>\<alpha><\<beta>\<close> using leI by auto
+    then
+    have "n ** \<alpha> \<le> n ** \<gamma>" using omult_le_mono[OF _ \<open>\<alpha>\<le>\<gamma>\<close>] \<open>Ord(n)\<close> by simp
+    then
+    have "n ** \<alpha> ++ x < n ** \<gamma> ++ n" using oadd_lt_mono[OF _ \<open>x<n\<close>] by simp
+    also
+    have "... = n ** \<beta>" using \<open>\<beta>=succ(_)\<close> omult_succ \<open>Ord(\<beta>)\<close> \<open>Ord(n)\<close> by simp
+    finally
+    have "n ** \<alpha> ++ x < n ** \<beta>" by auto
+    then
+    show ?thesis using oadd_le_self \<open>Ord(\<beta>)\<close> lt_trans2 \<open>Ord(n)\<close> by auto
+  next
+    case l
+    have "Ord(x)" using \<open>x<n\<close> lt_Ord by simp
+    with l
+    have "succ(\<alpha>) < \<beta>" using Limit_has_succ \<open>\<alpha><\<beta>\<close> by simp
+    have "n ** \<alpha> ++ x < n ** \<alpha> ++ n" 
+      using oadd_lt_mono[OF le_refl[OF Ord_omult[OF _ \<open>Ord(\<alpha>)\<close>]] \<open>x<n\<close>] \<open>Ord(n)\<close> by simp
+    also
+    have "... = n ** succ(\<alpha>)" using omult_succ \<open>Ord(\<alpha>)\<close> \<open>Ord(n)\<close> by simp
+    finally
+    have "n ** \<alpha> ++ x < n ** succ(\<alpha>)" by simp 
+    with \<open>succ(\<alpha>) < \<beta>\<close>
+    have "n ** \<alpha> ++ x < n ** \<beta>" using lt_trans omult_lt_mono \<open>Ord(n)\<close> \<open>0<n\<close>  by auto      
+    then show ?thesis using oadd_le_self \<open>Ord(\<beta>)\<close> lt_trans2 \<open>Ord(n)\<close> by auto
+  qed
+qed
+end
diff --git a/thys/Forcing/Ordinals_In_MG.thy b/thys/Forcing/Ordinals_In_MG.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Ordinals_In_MG.thy
@@ -0,0 +1,55 @@
+section\<open>Ordinals in generic extensions\<close>
+theory Ordinals_In_MG
+  imports
+    Forcing_Theorems Relative_Univ
+begin
+
+context G_generic
+begin
+
+lemma rank_val: "rank(val(G,x)) \<le> rank(x)" (is "?Q(x)")
+proof (induct rule:ed_induction[of ?Q])
+  case (1 x)
+  have "val(G,x) = {val(G,u). u\<in>{t\<in>domain(x). \<exists>p\<in>P .  \<langle>t,p\<rangle>\<in>x \<and> p \<in> G }}"
+    using def_val unfolding Sep_and_Replace by blast
+  then
+  have "rank(val(G,x)) = (\<Union>u\<in>{t\<in>domain(x). \<exists>p\<in>P .  \<langle>t,p\<rangle>\<in>x \<and> p \<in> G }. succ(rank(val(G,u))))"
+    using rank[of "val(G,x)"] by simp
+  moreover
+  have "succ(rank(val(G, y))) \<le> rank(x)" if "ed(y, x)" for y 
+    using 1[OF that] rank_ed[OF that] by (auto intro:lt_trans1)
+  moreover from this
+  have "(\<Union>u\<in>{t\<in>domain(x). \<exists>p\<in>P .  \<langle>t,p\<rangle>\<in>x \<and> p \<in> G }. succ(rank(val(G,u)))) \<le> rank(x)" 
+    by (rule_tac UN_least_le) (auto)
+  ultimately
+  show ?case by simp
+qed
+
+lemma Ord_MG_iff:
+  assumes "Ord(\<alpha>)" 
+  shows "\<alpha> \<in> M \<longleftrightarrow> \<alpha> \<in> M[G]"
+proof
+  show "\<alpha> \<in> M \<Longrightarrow> \<alpha> \<in> M[G]" 
+    using generic[THEN one_in_G, THEN M_subset_MG] ..
+next
+  assume "\<alpha> \<in> M[G]"
+  then
+  obtain x where "x\<in>M" "val(G,x) = \<alpha>"
+    using GenExtD by auto
+  then
+  have "rank(\<alpha>) \<le> rank(x)" 
+    using rank_val by blast
+  with assms
+  have "\<alpha> \<le> rank(x)"
+    using rank_of_Ord by simp
+  then 
+  have "\<alpha> \<in> succ(rank(x))" using ltD by simp
+  with \<open>x\<in>M\<close>
+  show "\<alpha> \<in> M"
+    using cons_closed transitivity[of \<alpha> "succ(rank(x))"] 
+      rank_closed unfolding succ_def by simp  
+qed
+  
+end (* G_generic *)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Pairing_Axiom.thy b/thys/Forcing/Pairing_Axiom.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Pairing_Axiom.thy
@@ -0,0 +1,44 @@
+section\<open>The Axiom of Pairing in $M[G]$\<close>
+theory Pairing_Axiom imports Names begin
+
+context forcing_data
+begin
+
+lemma val_Upair :
+  "one \<in> G \<Longrightarrow> val(G,{\<langle>\<tau>,one\<rangle>,\<langle>\<rho>,one\<rangle>}) = {val(G,\<tau>),val(G,\<rho>)}"
+  by (insert one_in_P, rule trans, subst def_val,auto simp add: Sep_and_Replace)
+
+lemma pairing_in_MG : 
+  assumes "M_generic(G)"
+  shows "upair_ax(##M[G])"
+proof - 
+  {
+    fix x y
+    have "one\<in>G" using assms one_in_G by simp
+    from assms 
+    have "G\<subseteq>P" unfolding M_generic_def and filter_def by simp
+    with \<open>one\<in>G\<close>
+    have "one\<in>P" using subsetD by simp
+    then 
+    have "one\<in>M" using transitivity[OF _ P_in_M] by simp
+    assume "x \<in> M[G]" "y \<in> M[G]"
+    then 
+    obtain \<tau> \<rho> where
+      0 : "val(G,\<tau>) = x" "val(G,\<rho>) = y" "\<rho> \<in> M"  "\<tau> \<in> M"
+      using GenExtD by blast
+    with \<open>one\<in>M\<close> 
+    have "\<langle>\<tau>,one\<rangle> \<in> M" "\<langle>\<rho>,one\<rangle>\<in>M" using pair_in_M_iff by auto
+    then 
+    have 1: "{\<langle>\<tau>,one\<rangle>,\<langle>\<rho>,one\<rangle>} \<in> M" (is "?\<sigma> \<in> _") using upair_in_M_iff by simp
+    then 
+    have "val(G,?\<sigma>) \<in> M[G]" using GenExtI by simp
+    with 1 
+    have "{val(G,\<tau>),val(G,\<rho>)} \<in> M[G]" using val_Upair assms one_in_G by simp
+    with 0 
+    have "{x,y} \<in> M[G]" by simp
+  }
+  then show ?thesis unfolding upair_ax_def upair_def by auto
+qed
+
+end  (* context forcing_data *)
+end
\ No newline at end of file
diff --git a/thys/Forcing/Pointed_DC.thy b/thys/Forcing/Pointed_DC.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Pointed_DC.thy
@@ -0,0 +1,148 @@
+section\<open>A pointed version of DC\<close>
+theory Pointed_DC imports ZF.AC
+
+begin
+txt\<open>This proof of DC is from Moschovakis "Notes on Set Theory"\<close>
+
+consts dc_witness :: "i \<Rightarrow> i \<Rightarrow> i \<Rightarrow> i \<Rightarrow> i \<Rightarrow> i"
+primrec
+  wit0   : "dc_witness(0,A,a,s,R) = a"
+  witrec :"dc_witness(succ(n),A,a,s,R) = s`{x\<in>A. \<langle>dc_witness(n,A,a,s,R),x\<rangle>\<in>R }"
+
+lemma witness_into_A [TC]:
+  assumes "a\<in>A"
+    "(\<forall>X . X\<noteq>0 \<and> X\<subseteq>A \<longrightarrow> s`X\<in>X)"
+    "\<forall>y\<in>A. {x\<in>A. \<langle>y,x\<rangle>\<in>R } \<noteq> 0" "n\<in>nat"
+  shows "dc_witness(n, A, a, s, R)\<in>A"
+  using \<open>n\<in>nat\<close>
+proof(induct n)
+  case 0
+  then show ?case using \<open>a\<in>A\<close> by simp
+next
+  case (succ x)
+  then
+  show ?case using assms by auto
+qed
+
+lemma witness_related :
+  assumes "a\<in>A"
+    "(\<forall>X . X\<noteq>0 \<and> X\<subseteq>A \<longrightarrow> s`X\<in>X)"
+    "\<forall>y\<in>A. {x\<in>A. \<langle>y,x\<rangle>\<in>R } \<noteq> 0" "n\<in>nat"
+  shows "\<langle>dc_witness(n, A, a, s, R),dc_witness(succ(n), A, a, s, R)\<rangle>\<in>R"
+proof -
+  from assms
+  have "dc_witness(n, A, a, s, R)\<in>A" (is "?x \<in> A")
+    using witness_into_A[of _ _ s R n] by simp
+  with assms
+  show ?thesis by auto
+qed
+
+lemma witness_funtype:
+  assumes "a\<in>A"
+    "(\<forall>X . X\<noteq>0 \<and> X\<subseteq>A \<longrightarrow> s`X\<in>X)"
+    "\<forall>y\<in>A. {x\<in>A. \<langle>y,x\<rangle>\<in>R } \<noteq> 0"
+  shows "(\<lambda>n\<in>nat. dc_witness(n, A, a, s, R)) \<in> nat \<rightarrow> A" (is "?f \<in> _ \<rightarrow> _")
+proof -
+  have "?f \<in> nat \<rightarrow> {dc_witness(n, A, a, s, R). n\<in>nat}" (is "_ \<in> _ \<rightarrow> ?B")
+    using lam_funtype assms by simp
+  then
+  have "?B \<subseteq> A"
+    using witness_into_A assms by auto
+  with \<open>?f \<in> _\<close>
+  show ?thesis
+    using fun_weaken_type
+    by simp
+qed
+
+lemma witness_to_fun:   assumes "a\<in>A"
+  "(\<forall>X . X\<noteq>0 \<and> X\<subseteq>A \<longrightarrow> s`X\<in>X)"
+  "\<forall>y\<in>A. {x\<in>A. \<langle>y,x\<rangle>\<in>R } \<noteq> 0"
+shows "\<exists>f \<in> nat\<rightarrow>A. \<forall>n\<in>nat. f`n =dc_witness(n,A,a,s,R)"
+  using assms bexI[of _ "\<lambda>n\<in>nat. dc_witness(n,A,a,s,R)"] witness_funtype
+  by simp
+
+theorem pointed_DC  :
+  assumes "(\<forall>x\<in>A. \<exists>y\<in>A. \<langle>x,y\<rangle>\<in> R)"
+  shows "\<forall>a\<in>A. (\<exists>f \<in> nat\<rightarrow>A. f`0 = a \<and> (\<forall>n \<in> nat. \<langle>f`n,f`succ(n)\<rangle>\<in>R))"
+proof -
+  have 0:"\<forall>y\<in>A. {x \<in> A . \<langle>y, x\<rangle> \<in> R} \<noteq> 0"
+    using assms by auto
+  from AC_func_Pow[of A]
+  obtain g
+    where 1: "g \<in> Pow(A) - {0} \<rightarrow> A"
+      "\<forall>X. X \<noteq> 0 \<and> X \<subseteq> A \<longrightarrow> g ` X \<in> X"
+    by auto
+  let ?f ="\<lambda>a.\<lambda>n\<in>nat. dc_witness(n,A,a,g,R)"
+  {
+    fix a
+    assume "a\<in>A"
+    from \<open>a\<in>A\<close>
+    have f0: "?f(a)`0 = a" by simp
+    with \<open>a\<in>A\<close>
+    have "\<langle>?f(a) ` n, ?f(a) ` succ(n)\<rangle> \<in> R" if "n\<in>nat" for n
+      using witness_related[OF \<open>a\<in>A\<close> 1(2) 0] beta that by simp
+    then
+    have "\<exists>f\<in>nat \<rightarrow> A. f ` 0 = a \<and> (\<forall>n\<in>nat. \<langle>f ` n, f ` succ(n)\<rangle> \<in> R)" (is "\<exists>x\<in>_ .?P(x)")
+      using f0 witness_funtype 0 1 \<open>a\<in>_\<close> by blast
+  }
+  then show ?thesis by auto
+qed
+
+lemma aux_DC_on_AxNat2 : "\<forall>x\<in>A\<times>nat. \<exists>y\<in>A. \<langle>x,\<langle>y,succ(snd(x))\<rangle>\<rangle> \<in> R \<Longrightarrow>
+                  \<forall>x\<in>A\<times>nat. \<exists>y\<in>A\<times>nat. \<langle>x,y\<rangle> \<in> {\<langle>a,b\<rangle>\<in>R. snd(b) = succ(snd(a))}"
+  by (rule ballI, erule_tac x="x" in ballE, simp_all)
+
+lemma infer_snd : "c\<in> A\<times>B \<Longrightarrow> snd(c) = k \<Longrightarrow> c=\<langle>fst(c),k\<rangle>"
+  by auto
+
+corollary DC_on_A_x_nat :
+  assumes "(\<forall>x\<in>A\<times>nat. \<exists>y\<in>A. \<langle>x,\<langle>y,succ(snd(x))\<rangle>\<rangle> \<in> R)" "a\<in>A"
+  shows "\<exists>f \<in> nat\<rightarrow>A. f`0 = a \<and> (\<forall>n \<in> nat. \<langle>\<langle>f`n,n\<rangle>,\<langle>f`succ(n),succ(n)\<rangle>\<rangle>\<in>R)" (is "\<exists>x\<in>_.?P(x)")
+proof -
+  let ?R'="{\<langle>a,b\<rangle>\<in>R. snd(b) = succ(snd(a))}"
+  from assms(1)
+  have "\<forall>x\<in>A\<times>nat. \<exists>y\<in>A\<times>nat. \<langle>x,y\<rangle> \<in> ?R'"
+    using aux_DC_on_AxNat2 by simp
+  with \<open>a\<in>_\<close>
+  obtain f where
+    F:"f\<in>nat\<rightarrow>A\<times>nat" "f ` 0 = \<langle>a,0\<rangle>"  "\<forall>n\<in>nat. \<langle>f ` n, f ` succ(n)\<rangle> \<in> ?R'"
+    using pointed_DC[of "A\<times>nat" ?R'] by blast
+  let ?f="\<lambda>x\<in>nat. fst(f`x)"
+  from F
+  have "?f\<in>nat\<rightarrow>A" "?f ` 0 = a" by auto
+  have 1:"n\<in> nat \<Longrightarrow> f`n= \<langle>?f`n, n\<rangle>" for n
+  proof(induct n set:nat)
+    case 0
+    then show ?case using F by simp
+  next
+    case (succ x)
+    then
+    have "\<langle>f`x, f`succ(x)\<rangle> \<in> ?R'" "f`x \<in> A\<times>nat" "f`succ(x)\<in>A\<times>nat"
+      using F by simp_all
+    then
+    have "snd(f`succ(x)) = succ(snd(f`x))" by simp
+    with succ \<open>f`x\<in>_\<close>
+    show ?case using infer_snd[OF \<open>f`succ(_)\<in>_\<close>] by auto
+  qed
+  have "\<langle>\<langle>?f`n,n\<rangle>,\<langle>?f`succ(n),succ(n)\<rangle>\<rangle> \<in> R" if "n\<in>nat" for n
+    using that 1[of "succ(n)"] 1[OF \<open>n\<in>_\<close>] F(3) by simp
+  with \<open>f`0=\<langle>a,0\<rangle>\<close>
+  show ?thesis using rev_bexI[OF \<open>?f\<in>_\<close>] by simp
+qed
+
+lemma aux_sequence_DC :
+  assumes "\<forall>x\<in>A. \<forall>n\<in>nat. \<exists>y\<in>A. \<langle>x,y\<rangle> \<in> S`n"
+    "R={\<langle>\<langle>x,n\<rangle>,\<langle>y,m\<rangle>\<rangle> \<in> (A\<times>nat)\<times>(A\<times>nat). \<langle>x,y\<rangle>\<in>S`m }"
+  shows "\<forall> x\<in>A\<times>nat . \<exists>y\<in>A. \<langle>x,\<langle>y,succ(snd(x))\<rangle>\<rangle> \<in> R"
+  using assms Pair_fst_snd_eq by auto
+
+lemma aux_sequence_DC2 : "\<forall>x\<in>A. \<forall>n\<in>nat. \<exists>y\<in>A. \<langle>x,y\<rangle> \<in> S`n \<Longrightarrow>
+        \<forall>x\<in>A\<times>nat. \<exists>y\<in>A. \<langle>x,\<langle>y,succ(snd(x))\<rangle>\<rangle> \<in> {\<langle>\<langle>x,n\<rangle>,\<langle>y,m\<rangle>\<rangle>\<in>(A\<times>nat)\<times>(A\<times>nat). \<langle>x,y\<rangle>\<in>S`m }"
+  by auto
+
+lemma sequence_DC:
+  assumes "\<forall>x\<in>A. \<forall>n\<in>nat. \<exists>y\<in>A. \<langle>x,y\<rangle> \<in> S`n"
+  shows "\<forall>a\<in>A. (\<exists>f \<in> nat\<rightarrow>A. f`0 = a \<and> (\<forall>n \<in> nat. \<langle>f`n,f`succ(n)\<rangle>\<in>S`succ(n)))"
+  by (rule ballI,insert assms,drule aux_sequence_DC2, drule DC_on_A_x_nat, auto)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Powerset_Axiom.thy b/thys/Forcing/Powerset_Axiom.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Powerset_Axiom.thy
@@ -0,0 +1,303 @@
+section\<open>The Powerset Axiom in $M[G]$\<close>
+theory Powerset_Axiom
+  imports Renaming_Auto Separation_Axiom Pairing_Axiom Union_Axiom
+begin
+
+simple_rename "perm_pow" src "[ss,p,l,o,fs,\<chi>]" tgt "[fs,ss,sp,p,l,o,\<chi>]"
+
+lemma Collect_inter_Transset:
+  assumes
+    "Transset(M)" "b \<in> M"
+  shows
+    "{x\<in>b . P(x)} = {x\<in>b . P(x)} \<inter> M"
+  using assms unfolding Transset_def
+  by (auto)
+
+context G_generic  begin
+
+lemma name_components_in_M:
+  assumes "<\<sigma>,p>\<in>\<theta>" "\<theta> \<in> M"
+  shows   "\<sigma>\<in>M" "p\<in>M"
+proof -
+  from assms obtain a where
+    "\<sigma> \<in> a" "p \<in> a" "a\<in><\<sigma>,p>"
+    unfolding Pair_def by auto
+  moreover from assms
+  have "<\<sigma>,p>\<in>M"
+    using transitivity by simp
+  moreover from calculation
+  have "a\<in>M"
+    using transitivity by simp
+  ultimately
+  show "\<sigma>\<in>M" "p\<in>M"
+    using transitivity by simp_all
+qed
+
+lemma sats_fst_snd_in_M:
+  assumes
+    "A\<in>M" "B\<in>M" "\<phi> \<in> formula" "p\<in>M" "l\<in>M" "o\<in>M" "\<chi>\<in>M"
+    "arity(\<phi>) \<le> 6"
+  shows
+    "{sq \<in>A\<times>B . sats(M,\<phi>,[snd(sq),p,l,o,fst(sq),\<chi>])} \<in> M"
+    (is "?\<theta> \<in> M")
+proof -
+  have "6\<in>nat" "7\<in>nat" by simp_all
+  let ?\<phi>' = "ren(\<phi>)`6`7`perm_pow_fn"
+  from \<open>A\<in>M\<close> \<open>B\<in>M\<close> have
+    "A\<times>B \<in> M"
+    using cartprod_closed by simp
+  from \<open>arity(\<phi>) \<le> 6\<close> \<open>\<phi>\<in> formula\<close> \<open>6\<in>_\<close> \<open>7\<in>_\<close>
+  have "?\<phi>' \<in> formula" "arity(?\<phi>')\<le>7"
+    unfolding perm_pow_fn_def
+    using  perm_pow_thm  arity_ren ren_tc Nil_type
+    by auto
+  with \<open>?\<phi>' \<in> formula\<close>
+  have 1: "arity(Exists(Exists(And(pair_fm(0,1,2),?\<phi>'))))\<le>5"     (is "arity(?\<psi>)\<le>5")
+    unfolding pair_fm_def upair_fm_def
+    using nat_simp_union pred_le arity_type by auto
+  {
+    fix sp
+    note \<open>A\<times>B \<in> M\<close>
+    moreover
+    assume "sp \<in> A\<times>B"
+    moreover from calculation
+    have "fst(sp) \<in> A" "snd(sp) \<in> B"
+      using fst_type snd_type by simp_all
+    ultimately
+    have "sp \<in> M" "fst(sp) \<in> M" "snd(sp) \<in> M"
+      using  \<open>A\<in>M\<close> \<open>B\<in>M\<close> transitivity
+      by simp_all
+    note inM = \<open>A\<in>M\<close> \<open>B\<in>M\<close> \<open>p\<in>M\<close> \<open>l\<in>M\<close> \<open>o\<in>M\<close> \<open>\<chi>\<in>M\<close>
+      \<open>sp\<in>M\<close> \<open>fst(sp)\<in>M\<close> \<open>snd(sp)\<in>M\<close>
+    with 1 \<open>sp \<in> M\<close> \<open>?\<phi>' \<in> formula\<close>
+    have "M, [sp,p,l,o,\<chi>]@[p] \<Turnstile> ?\<psi> \<longleftrightarrow> M,[sp,p,l,o,\<chi>] \<Turnstile> ?\<psi>" (is "M,?env0@ _\<Turnstile>_ \<longleftrightarrow> _")
+      using arity_sats_iff[of ?\<psi> "[p]" M ?env0] by auto
+    also from inM \<open>sp \<in> A\<times>B\<close>
+    have "... \<longleftrightarrow> sats(M,?\<phi>',[fst(sp),snd(sp),sp,p,l,o,\<chi>])"
+      by auto
+    also from inM \<open>\<phi> \<in> formula\<close> \<open>arity(\<phi>) \<le> 6\<close>
+    have "... \<longleftrightarrow> sats(M,\<phi>,[snd(sp),p,l,o,fst(sp),\<chi>])"
+      (is "sats(_,_,?env1) \<longleftrightarrow> sats(_,_,?env2)")
+      using sats_iff_sats_ren[of \<phi> 6 7 ?env2 M ?env1 perm_pow_fn] perm_pow_thm
+      unfolding perm_pow_fn_def by simp
+    finally
+    have "sats(M,?\<psi>,[sp,p,l,o,\<chi>,p]) \<longleftrightarrow> sats(M,\<phi>,[snd(sp),p,l,o,fst(sp),\<chi>])"
+      by simp
+  }
+  then have
+    "?\<theta> = {sp\<in>A\<times>B . sats(M,?\<psi>,[sp,p,l,o,\<chi>,p])}"
+    by auto
+  also from assms \<open>A\<times>B\<in>M\<close> have
+    " ... \<in> M"
+  proof -
+    from 1
+    have "arity(?\<psi>) \<le> 6"
+      using leI by simp
+    moreover from \<open>?\<phi>' \<in> formula\<close>
+    have "?\<psi> \<in> formula"
+      by simp
+    moreover note assms \<open>A\<times>B\<in>M\<close>
+    ultimately 
+    show "{x \<in> A\<times>B . sats(M, ?\<psi>, [x, p, l, o, \<chi>, p])} \<in> M"
+      using separation_ax separation_iff
+      by simp
+  qed
+  finally show ?thesis .
+qed
+
+lemma Pow_inter_MG:
+  assumes
+    "a\<in>M[G]"
+  shows
+    "Pow(a) \<inter> M[G] \<in> M[G]"
+proof -
+  from assms obtain \<tau> where
+    "\<tau> \<in> M" "val(G, \<tau>) = a"
+    using GenExtD by auto
+  let ?Q="Pow(domain(\<tau>)\<times>P) \<inter> M"
+  from \<open>\<tau>\<in>M\<close> 
+  have "domain(\<tau>)\<times>P \<in> M" "domain(\<tau>) \<in> M"
+    using domain_closed cartprod_closed P_in_M
+    by simp_all
+  then 
+  have "?Q \<in> M"
+  proof -
+    from power_ax \<open>domain(\<tau>)\<times>P \<in> M\<close> obtain Q where
+      "powerset(##M,domain(\<tau>)\<times>P,Q)" "Q \<in> M"
+      unfolding power_ax_def by auto
+    moreover from calculation 
+    have "z\<in>Q \<Longrightarrow> z\<in>M" for z
+      using transitivity by blast
+    ultimately
+    have "Q = {a\<in>Pow(domain(\<tau>)\<times>P) . a\<in>M}"
+      using \<open>domain(\<tau>)\<times>P \<in> M\<close> powerset_abs[of "domain(\<tau>)\<times>P" Q]
+      by (simp flip: setclass_iff)
+    also 
+    have " ... = ?Q"
+      by auto
+    finally 
+    show ?thesis using \<open>Q\<in>M\<close> by simp
+  qed
+  let
+    ?\<pi>="?Q\<times>{one}"
+  let
+    ?b="val(G,?\<pi>)"
+  from \<open>?Q\<in>M\<close> 
+  have "?\<pi>\<in>M"
+    using one_in_P P_in_M transitivity
+    by (simp flip: setclass_iff)
+  from \<open>?\<pi>\<in>M\<close> 
+  have "?b \<in> M[G]"
+    using GenExtI by simp
+  have "Pow(a) \<inter> M[G] \<subseteq> ?b"
+  proof
+    fix c
+    assume "c \<in> Pow(a) \<inter> M[G]"
+    then obtain \<chi> where
+      "c\<in>M[G]" "\<chi> \<in> M" "val(G,\<chi>) = c"
+      using GenExtD by auto
+    let ?\<theta>="{sp \<in>domain(\<tau>)\<times>P . snd(sp) \<tturnstile> (Member(0,1)) [fst(sp),\<chi>] }"
+    have "arity(forces(Member(0,1))) = 6"
+      using arity_forces_at by auto
+    with \<open>domain(\<tau>) \<in> M\<close> \<open>\<chi> \<in> M\<close> 
+    have "?\<theta> \<in> M"
+      using P_in_M one_in_M leq_in_M sats_fst_snd_in_M
+      by simp
+    then 
+    have "?\<theta> \<in> ?Q"
+      by auto
+    then 
+    have "val(G,?\<theta>) \<in> ?b"
+      using one_in_G one_in_P generic val_of_elem [of ?\<theta> one ?\<pi> G]
+      by auto
+    have "val(G,?\<theta>) = c"
+    proof(intro equalityI subsetI)
+      fix x
+      assume "x \<in> val(G,?\<theta>)"
+      then obtain \<sigma> p where
+        1: "<\<sigma>,p>\<in>?\<theta>" "p\<in>G" "val(G,\<sigma>) =  x"
+        using elem_of_val_pair
+        by blast
+      moreover from \<open><\<sigma>,p>\<in>?\<theta>\<close> \<open>?\<theta> \<in> M\<close>
+      have "\<sigma>\<in>M"
+        using name_components_in_M[of _ _ ?\<theta>] by auto
+      moreover from 1 
+      have "(p \<tturnstile> (Member(0,1)) [\<sigma>,\<chi>])" "p\<in>P"
+        by simp_all
+      moreover 
+      note \<open>val(G,\<chi>) = c\<close>
+      ultimately 
+      have "sats(M[G],Member(0,1),[x,c])"
+        using \<open>\<chi> \<in> M\<close> generic definition_of_forcing nat_simp_union
+        by auto
+      moreover 
+      have "x\<in>M[G]"
+        using \<open>val(G,\<sigma>) =  x\<close> \<open>\<sigma>\<in>M\<close>  \<open>\<chi>\<in>M\<close> GenExtI by blast
+      ultimately 
+      show "x\<in>c"
+        using \<open>c\<in>M[G]\<close> by simp
+    next
+      fix x
+      assume "x \<in> c"
+      with \<open>c \<in> Pow(a) \<inter> M[G]\<close> 
+      have "x \<in> a" "c\<in>M[G]" "x\<in>M[G]"
+        using transitivity_MG
+        by auto
+      with \<open>val(G, \<tau>) = a\<close> 
+      obtain \<sigma> where
+        "\<sigma>\<in>domain(\<tau>)" "val(G,\<sigma>) =  x"
+        using elem_of_val
+        by blast
+      moreover note \<open>x\<in>c\<close> \<open>val(G,\<chi>) = c\<close>
+      moreover from calculation 
+      have "val(G,\<sigma>) \<in> val(G,\<chi>)"
+        by simp
+      moreover note \<open>c\<in>M[G]\<close> \<open>x\<in>M[G]\<close>
+      moreover from calculation 
+      have "sats(M[G],Member(0,1),[x,c])"
+        by simp
+      moreover 
+      have "Member(0,1)\<in>formula" by simp
+      moreover 
+      have "\<sigma>\<in>M"
+      proof -
+        from \<open>\<sigma>\<in>domain(\<tau>)\<close> 
+        obtain p where "<\<sigma>,p> \<in> \<tau>"
+          by auto
+        with \<open>\<tau>\<in>M\<close> 
+        show ?thesis
+          using name_components_in_M by blast
+      qed
+      moreover note \<open>\<chi> \<in> M\<close>
+      ultimately 
+      obtain p where "p\<in>G" "(p \<tturnstile> Member(0,1) [\<sigma>,\<chi>])"
+        using generic truth_lemma[of "Member(0,1)" "G" "[\<sigma>,\<chi>]" ] nat_simp_union
+        by auto
+      moreover from \<open>p\<in>G\<close> 
+      have "p\<in>P"
+        using generic unfolding M_generic_def filter_def by blast
+      ultimately
+      have "<\<sigma>,p>\<in>?\<theta>"
+        using \<open>\<sigma>\<in>domain(\<tau>)\<close> by simp
+      with \<open>val(G,\<sigma>) =  x\<close> \<open>p\<in>G\<close> 
+      show "x\<in>val(G,?\<theta>)"
+        using val_of_elem [of _ _ "?\<theta>"] by auto
+    qed
+    with \<open>val(G,?\<theta>) \<in> ?b\<close> 
+    show "c\<in>?b" by simp
+  qed
+  then 
+  have "Pow(a) \<inter> M[G] = {x\<in>?b . x\<subseteq>a & x\<in>M[G]}"
+    by auto
+  also from \<open>a\<in>M[G]\<close> 
+  have " ... = {x\<in>?b . sats(M[G],subset_fm(0,1),[x,a]) & x\<in>M[G]}"
+    using Transset_MG by force
+  also 
+  have " ... = {x\<in>?b . sats(M[G],subset_fm(0,1),[x,a])} \<inter> M[G]"
+    by auto
+  also from \<open>?b\<in>M[G]\<close> 
+  have " ... = {x\<in>?b . sats(M[G],subset_fm(0,1),[x,a])}"
+    using Collect_inter_Transset Transset_MG
+    by simp
+  also from \<open>?b\<in>M[G]\<close> \<open>a\<in>M[G]\<close>
+  have " ... \<in> M[G]"
+    using Collect_sats_in_MG GenExtI nat_simp_union by simp
+  finally show ?thesis .
+qed
+end (* context: G_generic *)
+
+
+context G_generic begin
+
+interpretation mgtriv: M_trivial "##M[G]"
+  using generic Union_MG pairing_in_MG zero_in_MG transitivity_MG
+  unfolding M_trivial_def M_trans_def M_trivial_axioms_def by (simp; blast)
+
+
+theorem power_in_MG : "power_ax(##(M[G]))"
+  unfolding power_ax_def
+proof (intro rallI, simp only:setclass_iff rex_setclass_is_bex)
+  (* After simplification, we have to show that for every
+     a\<in>M[G] there exists some x\<in>M[G] with powerset(##M[G],a,x)
+  *)
+  fix a
+  assume "a \<in> M[G]"
+  then
+  have "(##M[G])(a)" by simp
+  have "{x\<in>Pow(a) . x \<in> M[G]} = Pow(a) \<inter> M[G]"
+    by auto
+  also from \<open>a\<in>M[G]\<close> 
+  have " ... \<in> M[G]"
+    using Pow_inter_MG by simp
+  finally 
+  have "{x\<in>Pow(a) . x \<in> M[G]} \<in> M[G]" .
+  moreover from \<open>a\<in>M[G]\<close> \<open>{x\<in>Pow(a) . x \<in> M[G]} \<in> _\<close> 
+  have "powerset(##M[G], a, {x\<in>Pow(a) . x \<in> M[G]})"
+    using mgtriv.powerset_abs[OF \<open>(##M[G])(a)\<close>]
+    by simp
+  ultimately 
+  show "\<exists>x\<in>M[G] . powerset(##M[G], a, x)"
+    by auto
+qed
+end (* context: G_generic *)
+end
\ No newline at end of file
diff --git a/thys/Forcing/Proper_Extension.thy b/thys/Forcing/Proper_Extension.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Proper_Extension.thy
@@ -0,0 +1,72 @@
+section\<open>Separative notions and proper extensions\<close>
+theory Proper_Extension
+  imports
+    Names
+
+begin
+
+text\<open>The key ingredient to obtain a proper extension is to have
+a \<^emph>\<open>separative preorder\<close>:\<close>
+
+locale separative_notion = forcing_notion +
+  assumes separative: "p\<in>P \<Longrightarrow> \<exists>q\<in>P. \<exists>r\<in>P. q \<preceq> p \<and> r \<preceq> p \<and> q \<bottom> r"
+begin
+
+text\<open>For separative preorders, the complement of every filter is
+dense. Hence an $M$-generic filter can't belong to the ground model.\<close>
+
+lemma filter_complement_dense:
+  assumes "filter(G)" shows "dense(P - G)"
+proof
+  fix p
+  assume "p\<in>P"
+  show "\<exists>d\<in>P - G. d \<preceq> p"
+  proof (cases "p\<in>G")
+    case True
+    note \<open>p\<in>P\<close> assms
+    moreover
+    obtain q r where "q \<preceq> p" "r \<preceq> p" "q \<bottom> r" "q\<in>P" "r\<in>P" 
+      using separative[OF \<open>p\<in>P\<close>]
+      by force
+    with \<open>filter(G)\<close>
+    obtain s where "s \<preceq> p" "s \<notin> G" "s \<in> P"
+      using filter_imp_compat[of G q r]
+      by auto
+    then
+    show ?thesis by blast
+  next
+    case False
+    with \<open>p\<in>P\<close> 
+    show ?thesis using leq_reflI unfolding Diff_def by auto
+  qed
+qed
+
+end (* separative_notion *)
+
+locale ctm_separative = forcing_data + separative_notion
+begin
+
+lemma generic_not_in_M: assumes "M_generic(G)"  shows "G \<notin> M"
+proof
+  assume "G\<in>M"
+  then
+  have "P - G \<in> M" 
+    using P_in_M Diff_closed by simp
+  moreover
+  have "\<not>(\<exists>q\<in>G. q \<in> P - G)" "(P - G) \<subseteq> P"
+    unfolding Diff_def by auto
+  moreover
+  note assms
+  ultimately
+  show "False"
+    using filter_complement_dense[of G] M_generic_denseD[of G "P-G"] 
+      M_generic_def by simp \<comment> \<open>need to put generic ==> filter in claset\<close>
+qed
+
+theorem proper_extension: assumes "M_generic(G)" shows "M \<noteq> M[G]"
+  using assms G_in_Gen_Ext[of G] one_in_G[of G] generic_not_in_M
+  by force
+
+end (* ctm_separative *)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/ROOT b/thys/Forcing/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/ROOT
@@ -0,0 +1,19 @@
+chapter AFP
+
+session Forcing (AFP) =  "ZF-Constructible" +
+  description "
+    Formalization of Forcing in Isabelle/ZF
+
+    We formalize the theory of forcing in the set theory framework of
+    Isabelle/ZF. Under the assumption of the existence of a countable
+    transitive model of ZFC, we construct a proper generic extension
+    and show that the latter also satisfies ZFC.
+  "
+  options [timeout=300]
+  theories
+    "Rasiowa_Sikorski"
+    "Forcing_Main"
+  document_files
+    "root.tex"
+    "root.bib"
+    "root.bst"
diff --git a/thys/Forcing/Rasiowa_Sikorski.thy b/thys/Forcing/Rasiowa_Sikorski.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Rasiowa_Sikorski.thy
@@ -0,0 +1,52 @@
+section\<open>The general Rasiowa-Sikorski lemma\<close>
+theory Rasiowa_Sikorski imports Forcing_Notions Pointed_DC begin
+
+context countable_generic
+begin
+
+lemma RS_relation:
+  assumes "p\<in>P" "n\<in>nat"
+  shows "\<exists>y\<in>P. \<langle>p,y\<rangle> \<in> (\<lambda>m\<in>nat. {\<langle>x,y\<rangle>\<in>P\<times>P. y\<preceq>x \<and> y\<in>\<D>`(pred(m))})`n"
+proof -
+  from seq_of_denses \<open>n\<in>nat\<close>
+  have "dense(\<D> ` pred(n))" by simp
+  with \<open>p\<in>P\<close>
+  have "\<exists>d\<in>\<D> ` Arith.pred(n). d\<preceq> p"
+    unfolding dense_def by simp
+  then obtain d where 3: "d \<in> \<D> ` Arith.pred(n) \<and> d\<preceq> p"
+    by blast
+  from countable_subs_of_P \<open>n\<in>nat\<close>
+  have "\<D> ` Arith.pred(n) \<in> Pow(P)"
+    by (blast dest:apply_funtype intro:pred_type)
+  then 
+  have "\<D> ` Arith.pred(n) \<subseteq> P" 
+    by (rule PowD)
+  with 3
+  have "d \<in> P \<and> d\<preceq> p \<and> d \<in> \<D> ` Arith.pred(n)"
+    by auto
+  with \<open>p\<in>P\<close> \<open>n\<in>nat\<close> 
+  show ?thesis by auto
+qed
+
+lemma DC_imp_RS_sequence:
+  assumes "p\<in>P"
+  shows "\<exists>f. f: nat\<rightarrow>P \<and> f ` 0 = p \<and> 
+     (\<forall>n\<in>nat. f ` succ(n)\<preceq> f ` n \<and> f ` succ(n) \<in> \<D> ` n)"
+proof -
+  let ?S="(\<lambda>m\<in>nat. {\<langle>x,y\<rangle>\<in>P\<times>P. y\<preceq>x \<and> y\<in>\<D>`(pred(m))})"
+  have "\<forall>x\<in>P. \<forall>n\<in>nat. \<exists>y\<in>P. \<langle>x,y\<rangle> \<in> ?S`n" 
+    using RS_relation by (auto)
+  then
+  have "\<forall>a\<in>P. (\<exists>f \<in> nat\<rightarrow>P. f`0 = a \<and> (\<forall>n \<in> nat. \<langle>f`n,f`succ(n)\<rangle>\<in>?S`succ(n)))"
+    using sequence_DC by (blast)
+  with \<open>p\<in>P\<close>
+  show ?thesis by auto
+qed
+  
+theorem rasiowa_sikorski:
+  "p\<in>P \<Longrightarrow> \<exists>G. p\<in>G \<and> D_generic(G)"
+  using RS_sequence_imp_rasiowa_sikorski by (auto dest:DC_imp_RS_sequence)
+
+end (* countable_generic *)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Recursion_Thms.thy b/thys/Forcing/Recursion_Thms.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Recursion_Thms.thy
@@ -0,0 +1,226 @@
+section\<open>Some enhanced theorems on recursion\<close>
+
+theory Recursion_Thms imports ZF.Epsilon begin
+
+text\<open>We prove results concerning definitions by well-founded
+recursion on some relation \<^term>\<open>R\<close> and its transitive closure
+\<^term>\<open>R^*\<close>\<close>
+  (* Restrict the relation r to the field A*A *)
+
+lemma fld_restrict_eq : "a \<in> A \<Longrightarrow> (r \<inter> A\<times>A)-``{a} = (r-``{a} \<inter> A)"
+  by(force)
+
+lemma fld_restrict_mono : "relation(r) \<Longrightarrow> A \<subseteq> B \<Longrightarrow> r \<inter> A\<times>A \<subseteq> r \<inter> B\<times>B"
+  by(auto)
+
+lemma fld_restrict_dom :
+  assumes "relation(r)" "domain(r) \<subseteq> A" "range(r)\<subseteq> A"
+  shows "r\<inter> A\<times>A = r"
+proof (rule equalityI,blast,rule subsetI)
+  { fix x
+    assume xr: "x \<in> r"
+    from xr assms have "\<exists> a b . x = \<langle>a,b\<rangle>" by (simp add: relation_def)
+    then obtain a b where "\<langle>a,b\<rangle> \<in> r" "\<langle>a,b\<rangle> \<in> r\<inter>A\<times>A" "x \<in> r\<inter>A\<times>A"
+      using assms xr
+      by force
+    then have "x\<in> r \<inter> A\<times>A" by simp
+  }
+  then show "x \<in> r \<Longrightarrow> x\<in> r\<inter>A\<times>A" for x .
+qed
+
+definition tr_down :: "[i,i] \<Rightarrow> i"
+  where "tr_down(r,a) = (r^+)-``{a}"
+
+lemma tr_downD : "x \<in> tr_down(r,a) \<Longrightarrow> \<langle>x,a\<rangle> \<in> r^+"
+  by (simp add: tr_down_def vimage_singleton_iff)
+
+lemma pred_down : "relation(r) \<Longrightarrow> r-``{a} \<subseteq> tr_down(r,a)"
+  by(simp add: tr_down_def vimage_mono r_subset_trancl)
+
+lemma tr_down_mono : "relation(r) \<Longrightarrow> x \<in> r-``{a} \<Longrightarrow> tr_down(r,x) \<subseteq> tr_down(r,a)"
+  by(rule subsetI,simp add:tr_down_def,auto dest: underD,force simp add: underI r_into_trancl trancl_trans)
+
+lemma rest_eq :
+  assumes "relation(r)" and "r-``{a} \<subseteq> B" and "a \<in> B"
+  shows "r-``{a} = (r\<inter>B\<times>B)-``{a}"
+proof (intro equalityI subsetI)
+  fix x
+  assume "x \<in> r-``{a}"
+  then
+  have "x \<in> B" using assms by (simp add: subsetD)
+  from \<open>x\<in> r-``{a}\<close>
+  have "\<langle>x,a\<rangle> \<in> r" using underD by simp
+  then
+  show "x \<in> (r\<inter>B\<times>B)-``{a}" using \<open>x\<in>B\<close> \<open>a\<in>B\<close> underI by simp
+next
+  from assms
+  show "x \<in> r -`` {a}" if  "x \<in> (r \<inter> B\<times>B) -`` {a}" for x
+    using vimage_mono that by auto
+qed
+
+lemma wfrec_restr_eq : "r' = r \<inter> A\<times>A \<Longrightarrow> wfrec[A](r,a,H) = wfrec(r',a,H)"
+  by(simp add:wfrec_on_def)
+
+lemma wfrec_restr :
+  assumes rr: "relation(r)" and wfr:"wf(r)"
+  shows  "a \<in> A \<Longrightarrow> tr_down(r,a) \<subseteq> A \<Longrightarrow> wfrec(r,a,H) = wfrec[A](r,a,H)"
+proof (induct a arbitrary:A rule:wf_induct_raw[OF wfr] )
+  case (1 a)
+  have wfRa : "wf[A](r)"
+    using wf_subset wfr wf_on_def Int_lower1 by simp
+  from pred_down rr
+  have "r -`` {a} \<subseteq> tr_down(r, a)" .
+  with 1
+  have "r-``{a} \<subseteq> A" by (force simp add: subset_trans)
+  {
+    fix x
+    assume x_a : "x \<in> r-``{a}"
+    with \<open>r-``{a} \<subseteq> A\<close>
+    have "x \<in> A" ..
+    from pred_down rr
+    have b : "r -``{x} \<subseteq> tr_down(r,x)" .
+    then
+    have "tr_down(r,x) \<subseteq> tr_down(r,a)"
+      using tr_down_mono x_a rr by simp
+    with 1
+    have "tr_down(r,x) \<subseteq> A" using subset_trans by force
+    have "\<langle>x,a\<rangle> \<in> r" using x_a  underD by simp
+    with 1 \<open>tr_down(r,x) \<subseteq> A\<close> \<open>x \<in> A\<close>
+    have "wfrec(r,x,H) = wfrec[A](r,x,H)" by simp
+  }
+  then
+  have "x\<in> r-``{a} \<Longrightarrow> wfrec(r,x,H) =  wfrec[A](r,x,H)" for x  .
+  then
+  have Eq1 :"(\<lambda> x \<in> r-``{a} . wfrec(r,x,H)) = (\<lambda> x \<in> r-``{a} . wfrec[A](r,x,H))"
+    using lam_cong by simp
+
+  from assms
+  have "wfrec(r,a,H) = H(a,\<lambda> x \<in> r-``{a} . wfrec(r,x,H))" by (simp add:wfrec)
+  also
+  have "... = H(a,\<lambda> x \<in> r-``{a} . wfrec[A](r,x,H))"
+    using assms Eq1 by simp
+  also from 1 \<open>r-``{a} \<subseteq> A\<close>
+  have "... = H(a,\<lambda> x \<in> (r\<inter>A\<times>A)-``{a} . wfrec[A](r,x,H))"
+    using assms rest_eq  by simp
+  also from \<open>a\<in>A\<close>
+  have "... = H(a,\<lambda> x \<in> (r-``{a})\<inter>A . wfrec[A](r,x,H))"
+    using fld_restrict_eq by simp
+  also from \<open>a\<in>A\<close> \<open>wf[A](r)\<close>
+  have "... = wfrec[A](r,a,H)" using wfrec_on by simp
+  finally show ?case .
+qed
+
+lemmas wfrec_tr_down = wfrec_restr[OF _ _ _ subset_refl]
+
+lemma wfrec_trans_restr : "relation(r) \<Longrightarrow> wf(r) \<Longrightarrow> trans(r) \<Longrightarrow> r-``{a}\<subseteq>A \<Longrightarrow> a \<in> A \<Longrightarrow>
+  wfrec(r, a, H) = wfrec[A](r, a, H)"
+  by(subgoal_tac "tr_down(r,a) \<subseteq> A",auto simp add : wfrec_restr tr_down_def trancl_eq_r)
+
+
+lemma field_trancl : "field(r^+) = field(r)"
+  by (blast intro: r_into_trancl dest!: trancl_type [THEN subsetD])
+
+definition
+  Rrel :: "[i\<Rightarrow>i\<Rightarrow>o,i] \<Rightarrow> i" where
+  "Rrel(R,A) \<equiv> {z\<in>A\<times>A. \<exists>x y. z = \<langle>x, y\<rangle> \<and> R(x,y)}"
+
+lemma RrelI : "x \<in> A \<Longrightarrow> y \<in> A \<Longrightarrow> R(x,y) \<Longrightarrow> \<langle>x,y\<rangle> \<in> Rrel(R,A)"
+  unfolding Rrel_def by simp
+
+lemma Rrel_mem: "Rrel(mem,x) = Memrel(x)"
+  unfolding Rrel_def Memrel_def ..
+
+lemma relation_Rrel: "relation(Rrel(R,d))"
+  unfolding Rrel_def relation_def by simp
+
+lemma field_Rrel: "field(Rrel(R,d)) \<subseteq>  d"
+  unfolding Rrel_def by auto
+
+lemma Rrel_mono : "A \<subseteq> B \<Longrightarrow> Rrel(R,A) \<subseteq> Rrel(R,B)"
+  unfolding Rrel_def by blast
+
+lemma Rrel_restr_eq : "Rrel(R,A) \<inter> B\<times>B = Rrel(R,A\<inter>B)"
+  unfolding Rrel_def by blast
+
+(* now a consequence of the previous lemmas *)
+lemma field_Memrel : "field(Memrel(A)) \<subseteq> A"
+  (* unfolding field_def using Ordinal.Memrel_type by blast *)
+  using Rrel_mem field_Rrel by blast
+
+lemma restrict_trancl_Rrel:
+  assumes "R(w,y)"
+  shows "restrict(f,Rrel(R,d)-``{y})`w
+       = restrict(f,(Rrel(R,d)^+)-``{y})`w"
+proof (cases "y\<in>d")
+  let ?r="Rrel(R,d)" and ?s="(Rrel(R,d))^+"
+  case True
+  show ?thesis
+  proof (cases "w\<in>d")
+    case True
+    with \<open>y\<in>d\<close> assms
+    have "\<langle>w,y\<rangle>\<in>?r"
+      unfolding Rrel_def by blast
+    then
+    have "\<langle>w,y\<rangle>\<in>?s"
+      using r_subset_trancl[of ?r] relation_Rrel[of R d] by blast
+    with \<open>\<langle>w,y\<rangle>\<in>?r\<close>
+    have "w\<in>?r-``{y}" "w\<in>?s-``{y}"
+      using vimage_singleton_iff by simp_all
+    then
+    show ?thesis by simp
+  next
+    case False
+    then
+    have "w\<notin>domain(restrict(f,?r-``{y}))"
+      using subsetD[OF field_Rrel[of R d]] by auto
+    moreover from \<open>w\<notin>d\<close>
+    have "w\<notin>domain(restrict(f,?s-``{y}))"
+      using subsetD[OF field_Rrel[of R d], of w] field_trancl[of ?r]
+        fieldI1[of w y ?s] by auto
+    ultimately
+    have "restrict(f,?r-``{y})`w = 0" "restrict(f,?s-``{y})`w = 0"
+      unfolding apply_def by auto
+    then show ?thesis by simp
+  qed
+next
+  let ?r="Rrel(R,d)"
+  let ?s="?r^+"
+  case False
+  then
+  have "?r-``{y}=0"
+    unfolding Rrel_def by blast
+  then
+  have "w\<notin>?r-``{y}" by simp
+  with \<open>y\<notin>d\<close> assms
+  have "y\<notin>field(?s)"
+    using field_trancl subsetD[OF field_Rrel[of R d]] by force
+  then
+  have "w\<notin>?s-``{y}"
+    using vimage_singleton_iff by blast
+  with \<open>w\<notin>?r-``{y}\<close>
+  show ?thesis by simp
+qed
+
+lemma restrict_trans_eq:
+  assumes "w \<in> y"
+  shows "restrict(f,Memrel(eclose({x}))-``{y})`w
+       = restrict(f,(Memrel(eclose({x}))^+)-``{y})`w"
+  using assms restrict_trancl_Rrel[of mem ] Rrel_mem by (simp)
+
+lemma wf_eq_trancl:
+  assumes "\<And> f y . H(y,restrict(f,R-``{y})) = H(y,restrict(f,R^+-``{y}))"
+  shows  "wfrec(R, x, H) = wfrec(R^+, x, H)" (is "wfrec(?r,_,_) = wfrec(?r',_,_)")
+proof -
+  have "wfrec(R, x, H) = wftrec(?r^+, x, \<lambda>y f. H(y, restrict(f,?r-``{y})))"
+    unfolding wfrec_def ..
+  also
+  have " ... = wftrec(?r^+, x, \<lambda>y f. H(y, restrict(f,(?r^+)-``{y})))"
+    using assms by simp
+  also
+  have " ... =  wfrec(?r^+, x, H)"
+    unfolding wfrec_def using trancl_eq_r[OF relation_trancl trans_trancl] by simp
+  finally
+  show ?thesis .
+qed
+
+end
diff --git a/thys/Forcing/Relative_Univ.thy b/thys/Forcing/Relative_Univ.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Relative_Univ.thy
@@ -0,0 +1,382 @@
+section\<open>Relativization of the cumulative hierarchy\<close>
+theory Relative_Univ
+  imports
+    "ZF-Constructible.Rank"
+    Internalizations
+    Recursion_Thms
+
+begin
+
+lemma (in M_trivial) powerset_abs' [simp]: 
+  assumes
+    "M(x)" "M(y)"
+  shows
+    "powerset(M,x,y) \<longleftrightarrow> y = {a\<in>Pow(x) . M(a)}"
+  using powerset_abs assms by simp
+
+lemma Collect_inter_Transset:
+  assumes 
+    "Transset(M)" "b \<in> M"
+  shows
+    "{x\<in>b . P(x)} = {x\<in>b . P(x)} \<inter> M"
+    using assms unfolding Transset_def
+  by (auto)  
+
+lemma (in M_trivial) family_union_closed: "\<lbrakk>strong_replacement(M, \<lambda>x y. y = f(x)); M(A); \<forall>x\<in>A. M(f(x))\<rbrakk>
+      \<Longrightarrow> M(\<Union>x\<in>A. f(x))"
+  using RepFun_closed ..
+
+(* "Vfrom(A,i) \<equiv> transrec(i, %x f. A \<union> (\<Union>y\<in>x. Pow(f`y)))" *)
+(* HVfrom is *not* the recursive step for Vfrom. It is the
+   relativized version *)
+definition
+  HVfrom :: "[i\<Rightarrow>o,i,i,i] \<Rightarrow> i" where
+  "HVfrom(M,A,x,f) \<equiv> A \<union> (\<Union>y\<in>x. {a\<in>Pow(f`y). M(a)})"
+
+(* z = Pow(f`y) *)
+definition
+  is_powapply :: "[i\<Rightarrow>o,i,i,i] \<Rightarrow> o" where
+  "is_powapply(M,f,y,z) \<equiv> M(z) \<and> (\<exists>fy[M]. fun_apply(M,f,y,fy) \<and> powerset(M,fy,z))"
+
+(* Trivial lemma *)
+lemma is_powapply_closed: "is_powapply(M,f,y,z) \<Longrightarrow> M(z)"
+  unfolding is_powapply_def by simp
+
+(* is_Replace(M,A,P,z) \<equiv> \<forall>u[M]. u \<in> z \<longleftrightarrow> (\<exists>x[M]. x\<in>A & P(x,u)) *)
+definition
+  is_HVfrom :: "[i\<Rightarrow>o,i,i,i,i] \<Rightarrow> o" where
+  "is_HVfrom(M,A,x,f,h) \<equiv> \<exists>U[M]. \<exists>R[M].  union(M,A,U,h) 
+        \<and> big_union(M,R,U) \<and> is_Replace(M,x,is_powapply(M,f),R)" 
+
+
+definition
+  is_Vfrom :: "[i\<Rightarrow>o,i,i,i] \<Rightarrow> o" where
+  "is_Vfrom(M,A,i,V) \<equiv> is_transrec(M,is_HVfrom(M,A),i,V)"
+
+definition
+  is_Vset :: "[i\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_Vset(M,i,V) \<equiv> \<exists>z[M]. empty(M,z) \<and> is_Vfrom(M,z,i,V)"
+
+
+subsection\<open>Formula synthesis\<close>
+
+schematic_goal sats_is_powapply_fm_auto:
+  assumes
+    "f\<in>nat" "y\<in>nat" "z\<in>nat" "env\<in>list(A)" "0\<in>A"
+  shows
+    "is_powapply(##A,nth(f, env),nth(y, env),nth(z, env))
+    \<longleftrightarrow> sats(A,?ipa_fm(f,y,z),env)"
+  unfolding is_powapply_def is_Collect_def powerset_def subset_def
+  using nth_closed assms
+   by (simp) (rule sep_rules  | simp)+
+
+schematic_goal is_powapply_iff_sats:
+  assumes
+    "nth(f,env) = ff" "nth(y,env) = yy" "nth(z,env) = zz" "0\<in>A"
+    "f \<in> nat"  "y \<in> nat" "z \<in> nat" "env \<in> list(A)"
+  shows
+       "is_powapply(##A,ff,yy,zz) \<longleftrightarrow> sats(A, ?is_one_fm(a,r), env)"
+  unfolding \<open>nth(f,env) = ff\<close>[symmetric] \<open>nth(y,env) = yy\<close>[symmetric]
+    \<open>nth(z,env) = zz\<close>[symmetric]
+  by (rule sats_is_powapply_fm_auto(1); simp add:assms)
+
+(* rank *)
+definition
+  Hrank :: "[i,i] \<Rightarrow> i" where
+  "Hrank(x,f) = (\<Union>y\<in>x. succ(f`y))"
+
+definition
+  PHrank :: "[i\<Rightarrow>o,i,i,i] \<Rightarrow> o" where
+  "PHrank(M,f,y,z) \<equiv> M(z) \<and> (\<exists>fy[M]. fun_apply(M,f,y,fy) \<and> successor(M,fy,z))"
+
+definition
+  is_Hrank :: "[i\<Rightarrow>o,i,i,i] \<Rightarrow> o" where
+  "is_Hrank(M,x,f,hc) \<equiv> (\<exists>R[M]. big_union(M,R,hc) \<and>is_Replace(M,x,PHrank(M,f),R)) "
+
+definition
+  rrank :: "i \<Rightarrow> i" where
+  "rrank(a) \<equiv> Memrel(eclose({a}))^+" 
+
+lemma (in M_eclose) wf_rrank : "M(x) \<Longrightarrow> wf(rrank(x))" 
+  unfolding rrank_def using wf_trancl[OF wf_Memrel] .
+
+lemma (in M_eclose) trans_rrank : "M(x) \<Longrightarrow> trans(rrank(x))"
+  unfolding rrank_def using trans_trancl .
+
+lemma (in M_eclose) relation_rrank : "M(x) \<Longrightarrow> relation(rrank(x))" 
+  unfolding rrank_def using relation_trancl .
+
+lemma (in M_eclose) rrank_in_M : "M(x) \<Longrightarrow> M(rrank(x))" 
+  unfolding rrank_def by simp
+
+
+subsection\<open>Absoluteness results\<close>
+
+locale M_eclose_pow = M_eclose + 
+  assumes
+    power_ax : "power_ax(M)" and
+    powapply_replacement : "M(f) \<Longrightarrow> strong_replacement(M,is_powapply(M,f))" and
+    HVfrom_replacement : "\<lbrakk> M(i) ; M(A) \<rbrakk> \<Longrightarrow> 
+                          transrec_replacement(M,is_HVfrom(M,A),i)" and
+    PHrank_replacement : "M(f) \<Longrightarrow> strong_replacement(M,PHrank(M,f))" and
+    is_Hrank_replacement : "M(x) \<Longrightarrow> wfrec_replacement(M,is_Hrank(M),rrank(x))"
+
+begin
+
+lemma is_powapply_abs: "\<lbrakk>M(f); M(y)\<rbrakk> \<Longrightarrow> is_powapply(M,f,y,z) \<longleftrightarrow> M(z) \<and> z = {x\<in>Pow(f`y). M(x)}"
+  unfolding is_powapply_def by simp
+
+lemma "\<lbrakk>M(A); M(x); M(f); M(h) \<rbrakk> \<Longrightarrow> 
+      is_HVfrom(M,A,x,f,h) \<longleftrightarrow> 
+      (\<exists>R[M]. h = A \<union> \<Union>R \<and> is_Replace(M, x,\<lambda>x y. y = {x \<in> Pow(f ` x) . M(x)}, R))"
+  using is_powapply_abs unfolding is_HVfrom_def by auto
+
+lemma Replace_is_powapply:
+  assumes
+    "M(R)" "M(A)" "M(f)" 
+  shows
+  "is_Replace(M, A, is_powapply(M, f), R) \<longleftrightarrow> R = Replace(A,is_powapply(M,f))"
+proof -
+  have "univalent(M,A,is_powapply(M,f))" 
+    using \<open>M(A)\<close> \<open>M(f)\<close> unfolding univalent_def is_powapply_def by simp
+  moreover
+  have "\<And>x y. \<lbrakk> x\<in>A; is_powapply(M,f,x,y) \<rbrakk> \<Longrightarrow> M(y)"
+    using \<open>M(A)\<close> \<open>M(f)\<close> unfolding is_powapply_def by simp
+  ultimately
+  show ?thesis using \<open>M(A)\<close> \<open>M(R)\<close> Replace_abs by simp
+qed
+
+lemma powapply_closed:
+  "\<lbrakk> M(y) ; M(f) \<rbrakk> \<Longrightarrow> M({x \<in> Pow(f ` y) . M(x)})"
+  using apply_closed power_ax unfolding power_ax_def by simp
+
+lemma RepFun_is_powapply:
+  assumes
+    "M(R)" "M(A)" "M(f)" 
+  shows
+  "Replace(A,is_powapply(M,f)) = RepFun(A,\<lambda>y.{x\<in>Pow(f`y). M(x)})"
+proof -
+  have "{y . x \<in> A, M(y) \<and> y = {x \<in> Pow(f ` x) . M(x)}} = {y . x \<in> A, y = {x \<in> Pow(f ` x) . M(x)}}"
+    using assms powapply_closed transM[of _ A] by blast
+  also
+  have " ... = {{x \<in> Pow(f ` y) . M(x)} . y \<in> A}" by auto
+  finally 
+  show ?thesis using assms is_powapply_abs transM[of _ A] by simp
+qed
+
+lemma RepFun_powapply_closed:
+  assumes 
+    "M(f)" "M(A)"
+  shows 
+    "M(Replace(A,is_powapply(M,f)))"
+proof -
+  have "univalent(M,A,is_powapply(M,f))" 
+    using \<open>M(A)\<close> \<open>M(f)\<close> unfolding univalent_def is_powapply_def by simp
+  moreover
+  have "\<lbrakk> x\<in>A ; is_powapply(M,f,x,y) \<rbrakk> \<Longrightarrow> M(y)" for x y
+    using assms unfolding is_powapply_def by simp
+  ultimately
+  show ?thesis using assms powapply_replacement by simp
+qed
+
+lemma Union_powapply_closed:
+  assumes 
+    "M(x)" "M(f)"
+  shows 
+    "M(\<Union>y\<in>x. {a\<in>Pow(f`y). M(a)})"
+proof -
+  have "M({a\<in>Pow(f`y). M(a)})" if "y\<in>x" for y
+    using that assms transM[of _ x] powapply_closed by simp
+  then
+  have "M({{a\<in>Pow(f`y). M(a)}. y\<in>x})"
+    using assms transM[of _ x]  RepFun_powapply_closed RepFun_is_powapply by simp
+  then show ?thesis using assms by simp
+qed
+
+lemma relation2_HVfrom: "M(A) \<Longrightarrow> relation2(M,is_HVfrom(M,A),HVfrom(M,A))"
+    unfolding is_HVfrom_def HVfrom_def relation2_def
+    using Replace_is_powapply RepFun_is_powapply 
+          Union_powapply_closed RepFun_powapply_closed by auto
+
+lemma HVfrom_closed : 
+  "M(A) \<Longrightarrow> \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(HVfrom(M,A,x,g))"
+  unfolding HVfrom_def using Union_powapply_closed by simp
+
+lemma transrec_HVfrom:
+  assumes "M(A)"
+  shows "Ord(i) \<Longrightarrow> {x\<in>Vfrom(A,i). M(x)} = transrec(i,HVfrom(M,A))"
+proof (induct rule:trans_induct)
+  case (step i)
+  have "Vfrom(A,i) = A \<union> (\<Union>y\<in>i. Pow((\<lambda>x\<in>i. Vfrom(A, x)) ` y))"
+    using def_transrec[OF Vfrom_def, of A i] by simp
+  then 
+  have "Vfrom(A,i) = A \<union> (\<Union>y\<in>i. Pow(Vfrom(A, y)))"
+    by simp
+  then
+  have "{x\<in>Vfrom(A,i). M(x)} = {x\<in>A. M(x)} \<union> (\<Union>y\<in>i. {x\<in>Pow(Vfrom(A, y)). M(x)})"
+    by auto
+  with \<open>M(A)\<close>
+  have "{x\<in>Vfrom(A,i). M(x)} = A \<union> (\<Union>y\<in>i. {x\<in>Pow(Vfrom(A, y)). M(x)})" 
+    by (auto intro:transM)
+  also
+  have "... = A \<union> (\<Union>y\<in>i. {x\<in>Pow({z\<in>Vfrom(A,y). M(z)}). M(x)})" 
+  proof -
+    have "{x\<in>Pow(Vfrom(A, y)). M(x)} = {x\<in>Pow({z\<in>Vfrom(A,y). M(z)}). M(x)}"
+      if "y\<in>i" for y by (auto intro:transM)
+    then
+    show ?thesis by simp
+  qed
+  also from step 
+  have " ... = A \<union> (\<Union>y\<in>i. {x\<in>Pow(transrec(y, HVfrom(M, A))). M(x)})" by auto
+  also
+  have " ... = transrec(i, HVfrom(M, A))"
+    using def_transrec[of "\<lambda>y. transrec(y, HVfrom(M, A))" "HVfrom(M, A)" i,symmetric] 
+    unfolding HVfrom_def by simp
+  finally
+  show ?case .
+qed
+
+lemma Vfrom_abs: "\<lbrakk> M(A); M(i); M(V); Ord(i) \<rbrakk> \<Longrightarrow> is_Vfrom(M,A,i,V) \<longleftrightarrow> V = {x\<in>Vfrom(A,i). M(x)}"
+  unfolding is_Vfrom_def
+  using relation2_HVfrom HVfrom_closed HVfrom_replacement 
+    transrec_abs[of "is_HVfrom(M,A)" i "HVfrom(M,A)"] transrec_HVfrom by simp
+
+lemma Vfrom_closed: "\<lbrakk> M(A); M(i); Ord(i) \<rbrakk> \<Longrightarrow> M({x\<in>Vfrom(A,i). M(x)})"
+  unfolding is_Vfrom_def
+  using relation2_HVfrom HVfrom_closed HVfrom_replacement 
+    transrec_closed[of "is_HVfrom(M,A)" i "HVfrom(M,A)"] transrec_HVfrom by simp
+
+lemma Vset_abs: "\<lbrakk> M(i); M(V); Ord(i) \<rbrakk> \<Longrightarrow> is_Vset(M,i,V) \<longleftrightarrow> V = {x\<in>Vset(i). M(x)}"
+  using Vfrom_abs unfolding is_Vset_def by simp
+
+lemma Vset_closed: "\<lbrakk> M(i); Ord(i) \<rbrakk> \<Longrightarrow> M({x\<in>Vset(i). M(x)})"
+  using Vfrom_closed unfolding is_Vset_def by simp
+
+lemma Hrank_trancl:"Hrank(y, restrict(f,Memrel(eclose({x}))-``{y}))
+                  = Hrank(y, restrict(f,(Memrel(eclose({x}))^+)-``{y}))"
+  unfolding Hrank_def
+  using restrict_trans_eq by simp
+
+lemma rank_trancl: "rank(x) = wfrec(rrank(x), x, Hrank)"
+proof -
+  have "rank(x) =  wfrec(Memrel(eclose({x})), x, Hrank)"
+    (is "_ = wfrec(?r,_,_)")
+    unfolding rank_def transrec_def Hrank_def by simp
+  also
+  have " ... = wftrec(?r^+, x, \<lambda>y f. Hrank(y, restrict(f,?r-``{y})))"
+    unfolding wfrec_def ..
+  also
+  have " ... = wftrec(?r^+, x, \<lambda>y f. Hrank(y, restrict(f,(?r^+)-``{y})))"
+    using Hrank_trancl by simp
+  also
+  have " ... =  wfrec(?r^+, x, Hrank)"
+    unfolding wfrec_def using trancl_eq_r[OF relation_trancl trans_trancl] by simp
+  finally
+  show ?thesis unfolding rrank_def .
+qed
+
+lemma univ_PHrank : "\<lbrakk> M(z) ; M(f) \<rbrakk> \<Longrightarrow> univalent(M,z,PHrank(M,f))" 
+  unfolding univalent_def PHrank_def by simp
+
+
+lemma PHrank_abs :
+    "\<lbrakk> M(f) ; M(y) \<rbrakk> \<Longrightarrow> PHrank(M,f,y,z) \<longleftrightarrow> M(z) \<and> z = succ(f`y)"
+  unfolding PHrank_def by simp
+
+lemma PHrank_closed : "PHrank(M,f,y,z) \<Longrightarrow> M(z)" 
+  unfolding PHrank_def by simp
+
+lemma Replace_PHrank_abs:
+  assumes
+    "M(z)" "M(f)" "M(hr)" 
+  shows
+    "is_Replace(M,z,PHrank(M,f),hr) \<longleftrightarrow> hr = Replace(z,PHrank(M,f))" 
+proof -
+  have "\<And>x y. \<lbrakk>x\<in>z; PHrank(M,f,x,y) \<rbrakk> \<Longrightarrow> M(y)"
+    using \<open>M(z)\<close> \<open>M(f)\<close> unfolding PHrank_def by simp
+  then
+  show ?thesis using \<open>M(z)\<close> \<open>M(hr)\<close> \<open>M(f)\<close> univ_PHrank Replace_abs by simp
+qed
+
+lemma RepFun_PHrank:
+  assumes
+    "M(R)" "M(A)" "M(f)" 
+  shows
+  "Replace(A,PHrank(M,f)) = RepFun(A,\<lambda>y. succ(f`y))"
+proof -
+  have "{z . y \<in> A, M(z) \<and> z = succ(f`y)} = {z . y \<in> A, z = succ(f`y)}" 
+    using assms PHrank_closed transM[of _ A] by blast
+  also
+  have " ... = {succ(f`y) . y \<in> A}" by auto
+  finally 
+  show ?thesis using assms PHrank_abs transM[of _ A] by simp
+qed
+
+lemma RepFun_PHrank_closed :
+  assumes
+    "M(f)" "M(A)" 
+  shows
+    "M(Replace(A,PHrank(M,f)))"
+proof -
+  have "\<lbrakk> x\<in>A ; PHrank(M,f,x,y) \<rbrakk> \<Longrightarrow> M(y)" for x y
+    using assms unfolding PHrank_def by simp
+  with univ_PHrank
+  show ?thesis using assms PHrank_replacement by simp
+qed
+
+lemma relation2_Hrank :
+  "relation2(M,is_Hrank(M),Hrank)"
+  unfolding is_Hrank_def Hrank_def relation2_def
+  using Replace_PHrank_abs RepFun_PHrank RepFun_PHrank_closed by auto
+
+
+lemma Union_PHrank_closed:
+  assumes 
+    "M(x)" "M(f)"
+  shows 
+    "M(\<Union>y\<in>x. succ(f`y))"
+proof -
+  have "M(succ(f`y))" if "y\<in>x" for y
+    using that assms transM[of _ x] by simp
+  then
+  have "M({succ(f`y). y\<in>x})"
+    using assms transM[of _ x]  RepFun_PHrank_closed RepFun_PHrank by simp
+  then show ?thesis using assms by simp
+qed
+
+lemma is_Hrank_closed : 
+  "M(A) \<Longrightarrow> \<forall>x[M]. \<forall>g[M]. function(g) \<longrightarrow> M(Hrank(x,g))"
+  unfolding Hrank_def using RepFun_PHrank_closed Union_PHrank_closed by simp
+
+lemma rank_closed: "M(a) \<Longrightarrow> M(rank(a))"
+  unfolding rank_trancl 
+  using relation2_Hrank is_Hrank_closed is_Hrank_replacement 
+        wf_rrank relation_rrank trans_rrank rrank_in_M 
+         trans_wfrec_closed[of "rrank(a)" a "is_Hrank(M)"] by simp
+
+
+lemma M_into_Vset:
+  assumes "M(a)"
+  shows "\<exists>i[M]. \<exists>V[M]. ordinal(M,i) \<and> is_Vfrom(M,0,i,V) \<and> a\<in>V"
+proof -
+  let ?i="succ(rank(a))"
+  from assms
+  have "a\<in>{x\<in>Vfrom(0,?i). M(x)}" (is "a\<in>?V")
+    using Vset_Ord_rank_iff by simp
+  moreover from assms
+  have "M(?i)"
+    using rank_closed by simp
+  moreover 
+  note \<open>M(a)\<close>
+  moreover from calculation
+  have "M(?V)"
+    using Vfrom_closed by simp
+  moreover from calculation
+  have "ordinal(M,?i) \<and> is_Vfrom(M, 0, ?i, ?V) \<and> a \<in> ?V"
+    using Ord_rank Vfrom_abs by simp 
+  ultimately
+  show ?thesis by blast
+qed
+
+end
+end
\ No newline at end of file
diff --git a/thys/Forcing/Renaming.thy b/thys/Forcing/Renaming.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Renaming.thy
@@ -0,0 +1,584 @@
+section\<open>Renaming of variables in internalized formulas\<close>
+
+theory Renaming
+  imports
+    Nat_Miscellanea
+    "ZF-Constructible.Formula"
+begin
+
+lemma app_nm :
+  assumes "n\<in>nat" "m\<in>nat" "f\<in>n\<rightarrow>m" "x \<in> nat"
+  shows "f`x \<in> nat"
+proof(cases "x\<in>n")
+  case True
+  then show ?thesis using assms in_n_in_nat apply_type by simp
+next
+  case False
+  then show ?thesis using assms apply_0 domain_of_fun by simp
+qed
+
+subsection\<open>Renaming of free variables\<close>
+
+definition
+  union_fun :: "[i,i,i,i] \<Rightarrow> i" where
+  "union_fun(f,g,m,p) \<equiv> \<lambda>j \<in> m \<union> p  . if j\<in>m then f`j else g`j"
+
+lemma union_fun_type:
+  assumes "f \<in> m \<rightarrow> n"
+    "g \<in> p \<rightarrow> q"
+  shows "union_fun(f,g,m,p) \<in> m \<union> p \<rightarrow> n \<union> q"
+proof -
+  let ?h="union_fun(f,g,m,p)"
+  have
+    D: "?h`x \<in> n \<union> q" if "x \<in> m \<union> p" for x
+  proof (cases "x \<in> m")
+    case True
+    then have
+      "x \<in> m \<union> p" by simp
+    with \<open>x\<in>m\<close>
+    have "?h`x = f`x"
+      unfolding union_fun_def  beta by simp
+    with \<open>f \<in> m \<rightarrow> n\<close> \<open>x\<in>m\<close>
+    have "?h`x \<in> n" by simp
+    then show ?thesis ..
+  next
+    case False
+    with \<open>x \<in> m \<union> p\<close>
+    have "x \<in> p"
+      by auto
+    with \<open>x\<notin>m\<close>
+    have "?h`x = g`x"
+      unfolding union_fun_def using beta by simp
+    with \<open>g \<in> p \<rightarrow> q\<close> \<open>x\<in>p\<close>
+    have "?h`x \<in> q" by simp
+    then show ?thesis ..
+  qed
+  have A:"function(?h)" unfolding union_fun_def using function_lam by simp
+  have " x\<in> (m \<union> p) \<times> (n \<union> q)" if "x\<in> ?h" for x
+    using that lamE[of x "m \<union> p" _ "x \<in> (m \<union> p) \<times> (n \<union> q)"] D unfolding union_fun_def
+    by auto
+  then have B:"?h \<subseteq> (m \<union> p) \<times> (n \<union> q)" ..
+  have "m \<union> p \<subseteq> domain(?h)"
+    unfolding union_fun_def using domain_lam by simp
+  with A B
+  show ?thesis using  Pi_iff [THEN iffD2] by simp
+qed
+
+lemma union_fun_action :
+  assumes
+    "env \<in> list(M)"
+    "env' \<in> list(M)"
+    "length(env) = m \<union> p"
+    "\<forall> i . i \<in> m \<longrightarrow>  nth(f`i,env') = nth(i,env)"
+    "\<forall> j . j \<in> p \<longrightarrow> nth(g`j,env') = nth(j,env)"
+  shows "\<forall> i . i \<in> m \<union> p \<longrightarrow>
+          nth(i,env) = nth(union_fun(f,g,m,p)`i,env')"
+proof -
+  let ?h = "union_fun(f,g,m,p)"
+  have "nth(x, env) = nth(?h`x,env')" if "x \<in> m \<union> p" for x
+    using that
+  proof (cases "x\<in>m")
+    case True
+    with \<open>x\<in>m\<close>
+    have "?h`x = f`x"
+      unfolding union_fun_def  beta by simp
+    with assms \<open>x\<in>m\<close>
+    have "nth(x,env) = nth(?h`x,env')" by simp
+    then show ?thesis .
+  next
+    case False
+    with \<open>x \<in> m \<union> p\<close>
+    have
+      "x \<in> p" "x\<notin>m"  by auto
+    then
+    have "?h`x = g`x"
+      unfolding union_fun_def beta by simp
+    with assms \<open>x\<in>p\<close>
+    have "nth(x,env) = nth(?h`x,env')" by simp
+    then show ?thesis .
+  qed
+  then show ?thesis by simp
+qed
+
+
+lemma id_fn_type :
+  assumes "n \<in> nat"
+  shows "id(n) \<in> n \<rightarrow> n"
+  unfolding id_def using \<open>n\<in>nat\<close> by simp
+
+lemma id_fn_action:
+  assumes "n \<in> nat" "env\<in>list(M)"
+  shows "\<And> j . j < n \<Longrightarrow> nth(j,env) = nth(id(n)`j,env)"
+proof -
+  show "nth(j,env) = nth(id(n)`j,env)" if "j < n" for j using that \<open>n\<in>nat\<close> ltD by simp
+qed
+
+
+definition
+  sum :: "[i,i,i,i,i] \<Rightarrow> i" where
+  "sum(f,g,m,n,p) \<equiv> \<lambda>j \<in> m#+p  . if j<m then f`j else (g`(j#-m))#+n"
+
+lemma sum_inl:
+  assumes "m \<in> nat" "n\<in>nat"
+    "f \<in> m\<rightarrow>n" "x \<in> m"
+  shows "sum(f,g,m,n,p)`x = f`x"
+proof -
+  from \<open>m\<in>nat\<close>
+  have "m\<le>m#+p"
+    using add_le_self[of m] by simp
+  with assms
+  have "x\<in>m#+p"
+    using ltI[of x m] lt_trans2[of x m "m#+p"] ltD by simp
+  from assms
+  have "x<m"
+    using ltI by simp
+  with \<open>x\<in>m#+p\<close>
+  show ?thesis unfolding sum_def by simp
+qed
+
+lemma sum_inr:
+  assumes "m \<in> nat" "n\<in>nat" "p\<in>nat"
+    "g\<in>p\<rightarrow>q" "m \<le> x" "x < m#+p"
+  shows "sum(f,g,m,n,p)`x = g`(x#-m)#+n"
+proof -
+  from assms
+  have "x\<in>nat"
+    using in_n_in_nat[of "m#+p"] ltD
+    by simp
+  with assms
+  have "\<not> x<m"
+    using not_lt_iff_le[THEN iffD2] by simp
+  from assms
+  have "x\<in>m#+p"
+    using ltD by simp
+  with \<open>\<not> x<m\<close>
+  show ?thesis unfolding sum_def by simp
+qed
+
+
+lemma sum_action :
+  assumes "m \<in> nat" "n\<in>nat" "p\<in>nat" "q\<in>nat"
+    "f \<in> m\<rightarrow>n" "g\<in>p\<rightarrow>q"
+    "env \<in> list(M)"
+    "env' \<in> list(M)"
+    "env1 \<in> list(M)"
+    "env2 \<in> list(M)"
+    "length(env) = m"
+    "length(env1) = p"
+    "length(env') = n"
+    "\<And> i . i < m \<Longrightarrow> nth(i,env) = nth(f`i,env')"
+    "\<And> j. j < p \<Longrightarrow> nth(j,env1) = nth(g`j,env2)"
+  shows "\<forall> i . i < m#+p \<longrightarrow>
+          nth(i,env@env1) = nth(sum(f,g,m,n,p)`i,env'@env2)"
+proof -
+  let ?h = "sum(f,g,m,n,p)"
+  from \<open>m\<in>nat\<close> \<open>n\<in>nat\<close> \<open>q\<in>nat\<close>
+  have "m\<le>m#+p" "n\<le>n#+q" "q\<le>n#+q"
+    using add_le_self[of m]  add_le_self2[of n q] by simp_all
+  from \<open>p\<in>nat\<close>
+  have "p = (m#+p)#-m" using diff_add_inverse2 by simp
+  have "nth(x, env @ env1) = nth(?h`x,env'@env2)" if "x<m#+p" for x
+  proof (cases "x<m")
+    case True
+    then
+    have 2: "?h`x= f`x" "x\<in>m" "f`x \<in> n" "x\<in>nat"
+      using assms sum_inl ltD apply_type[of f m _ x] in_n_in_nat by simp_all
+    with \<open>x<m\<close> assms
+    have "f`x < n" "f`x<length(env')"  "f`x\<in>nat"
+      using ltI in_n_in_nat by simp_all
+    with 2 \<open>x<m\<close> assms
+    have "nth(x,env@env1) = nth(x,env)"
+      using nth_append[OF \<open>env\<in>list(M)\<close>] \<open>x\<in>nat\<close> by simp
+    also
+    have
+      "... = nth(f`x,env')"
+      using 2 \<open>x<m\<close> assms by simp
+    also
+    have "... = nth(f`x,env'@env2)"
+      using nth_append[OF \<open>env'\<in>list(M)\<close>] \<open>f`x<length(env')\<close> \<open>f`x \<in>nat\<close> by simp
+    also
+    have "... = nth(?h`x,env'@env2)"
+      using 2 by simp
+    finally
+    have "nth(x, env @ env1) = nth(?h`x,env'@env2)" .
+    then show ?thesis .
+  next
+    case False
+    have "x\<in>nat"
+      using that in_n_in_nat[of "m#+p" x] ltD \<open>p\<in>nat\<close> \<open>m\<in>nat\<close> by simp
+    with \<open>length(env) = m\<close>
+    have "m\<le>x" "length(env) \<le> x"
+      using not_lt_iff_le \<open>m\<in>nat\<close> \<open>\<not>x<m\<close> by simp_all
+    with \<open>\<not>x<m\<close> \<open>length(env) = m\<close>
+    have 2 : "?h`x= g`(x#-m)#+n"  "\<not> x <length(env)"
+      unfolding sum_def
+      using  sum_inr that beta ltD by simp_all
+    from assms \<open>x\<in>nat\<close> \<open>p=m#+p#-m\<close>
+    have "x#-m < p"
+      using diff_mono[OF _ _ _ \<open>x<m#+p\<close> \<open>m\<le>x\<close>] by simp
+    then have "x#-m\<in>p" using ltD by simp
+    with \<open>g\<in>p\<rightarrow>q\<close>
+    have "g`(x#-m) \<in> q"  by simp
+    with \<open>q\<in>nat\<close> \<open>length(env') = n\<close>
+    have "g`(x#-m) < q" "g`(x#-m)\<in>nat" using ltI in_n_in_nat by simp_all
+    with \<open>q\<in>nat\<close> \<open>n\<in>nat\<close>
+    have "(g`(x#-m))#+n <n#+q" "n \<le> g`(x#-m)#+n" "\<not> g`(x#-m)#+n < length(env')"
+      using add_lt_mono1[of "g`(x#-m)" _ n,OF _ \<open>q\<in>nat\<close>]
+        add_le_self2[of n] \<open>length(env') = n\<close>
+      by simp_all
+    from assms \<open>\<not> x < length(env)\<close> \<open>length(env) = m\<close>
+    have "nth(x,env @ env1) = nth(x#-m,env1)"
+      using nth_append[OF \<open>env\<in>list(M)\<close> \<open>x\<in>nat\<close>] by simp
+    also
+    have "... = nth(g`(x#-m),env2)"
+      using assms \<open>x#-m < p\<close> by simp
+    also
+    have "... = nth((g`(x#-m)#+n)#-length(env'),env2)"
+      using  \<open>length(env') = n\<close>
+        diff_add_inverse2 \<open>g`(x#-m)\<in>nat\<close>
+      by simp
+    also
+    have "... = nth((g`(x#-m)#+n),env'@env2)"
+      using  nth_append[OF \<open>env'\<in>list(M)\<close>] \<open>n\<in>nat\<close> \<open>\<not> g`(x#-m)#+n < length(env')\<close>
+      by simp
+    also
+    have "... = nth(?h`x,env'@env2)"
+      using 2 by simp
+    finally
+    have "nth(x, env @ env1) = nth(?h`x,env'@env2)" .
+    then show ?thesis .
+  qed
+  then show ?thesis by simp
+qed
+
+lemma sum_type  :
+  assumes "m \<in> nat" "n\<in>nat" "p\<in>nat" "q\<in>nat"
+    "f \<in> m\<rightarrow>n" "g\<in>p\<rightarrow>q"
+  shows "sum(f,g,m,n,p) \<in> (m#+p) \<rightarrow> (n#+q)"
+proof -
+  let ?h = "sum(f,g,m,n,p)"
+  from \<open>m\<in>nat\<close> \<open>n\<in>nat\<close> \<open>q\<in>nat\<close>
+  have "m\<le>m#+p" "n\<le>n#+q" "q\<le>n#+q"
+    using add_le_self[of m]  add_le_self2[of n q] by simp_all
+  from \<open>p\<in>nat\<close>
+  have "p = (m#+p)#-m" using diff_add_inverse2 by simp
+  {fix x
+    assume 1: "x\<in>m#+p" "x<m"
+    with 1 have "?h`x= f`x" "x\<in>m"
+      using assms sum_inl ltD by simp_all
+    with \<open>f\<in>m\<rightarrow>n\<close>
+    have "?h`x \<in> n" by simp
+    with \<open>n\<in>nat\<close> have "?h`x < n" using ltI by simp
+    with \<open>n\<le>n#+q\<close>
+    have "?h`x < n#+q" using lt_trans2 by simp
+    then
+    have "?h`x \<in> n#+q"  using ltD by simp
+  }
+  then have 1:"?h`x \<in> n#+q" if "x\<in>m#+p" "x<m" for x using that .
+  {fix x
+    assume 1: "x\<in>m#+p" "m\<le>x"
+    then have "x<m#+p" "x\<in>nat" using ltI in_n_in_nat[of "m#+p"] ltD by simp_all
+    with 1
+    have 2 : "?h`x= g`(x#-m)#+n"
+      using assms sum_inr ltD by simp_all
+    from assms \<open>x\<in>nat\<close> \<open>p=m#+p#-m\<close>
+    have "x#-m < p" using diff_mono[OF _ _ _ \<open>x<m#+p\<close> \<open>m\<le>x\<close>] by simp
+    then have "x#-m\<in>p" using ltD by simp
+    with \<open>g\<in>p\<rightarrow>q\<close>
+    have "g`(x#-m) \<in> q"  by simp
+    with \<open>q\<in>nat\<close> have "g`(x#-m) < q" using ltI by simp
+    with \<open>q\<in>nat\<close>
+    have "(g`(x#-m))#+n <n#+q" using add_lt_mono1[of "g`(x#-m)" _ n,OF _ \<open>q\<in>nat\<close>] by simp
+    with 2
+    have "?h`x \<in> n#+q"  using ltD by simp
+  }
+  then have 2:"?h`x \<in> n#+q" if "x\<in>m#+p" "m\<le>x" for x using that .
+  have
+    D: "?h`x \<in> n#+q" if "x\<in>m#+p" for x
+    using that
+  proof (cases "x<m")
+    case True
+    then show ?thesis using 1 that by simp
+  next
+    case False
+    with \<open>m\<in>nat\<close> have "m\<le>x" using not_lt_iff_le that in_n_in_nat[of "m#+p"] by simp
+    then show ?thesis using 2 that by simp
+  qed
+  have A:"function(?h)" unfolding sum_def using function_lam by simp
+  have " x\<in> (m #+ p) \<times> (n #+ q)" if "x\<in> ?h" for x
+    using that lamE[of x "m#+p" _ "x \<in> (m #+ p) \<times> (n #+ q)"] D unfolding sum_def
+    by auto
+  then have B:"?h \<subseteq> (m #+ p) \<times> (n #+ q)" ..
+  have "m #+ p \<subseteq> domain(?h)"
+    unfolding sum_def using domain_lam by simp
+  with A B
+  show ?thesis using  Pi_iff [THEN iffD2] by simp
+qed
+
+lemma sum_type_id :
+  assumes
+    "f \<in> length(env)\<rightarrow>length(env')"
+    "env \<in> list(M)"
+    "env' \<in> list(M)"
+    "env1 \<in> list(M)"
+  shows
+    "sum(f,id(length(env1)),length(env),length(env'),length(env1)) \<in>
+        (length(env)#+length(env1)) \<rightarrow> (length(env')#+length(env1))"
+  using assms length_type id_fn_type sum_type
+  by simp
+
+lemma sum_type_id_aux2 :
+  assumes
+    "f \<in> m\<rightarrow>n"
+    "m \<in> nat" "n \<in> nat"
+    "env1 \<in> list(M)"
+  shows
+    "sum(f,id(length(env1)),m,n,length(env1)) \<in>
+        (m#+length(env1)) \<rightarrow> (n#+length(env1))"
+  using assms id_fn_type sum_type
+  by auto
+
+lemma sum_action_id :
+  assumes
+    "env \<in> list(M)"
+    "env' \<in> list(M)"
+    "f \<in> length(env)\<rightarrow>length(env')"
+    "env1 \<in> list(M)"
+    "\<And> i . i < length(env) \<Longrightarrow> nth(i,env) = nth(f`i,env')"
+  shows "\<And> i . i < length(env)#+length(env1) \<Longrightarrow>
+          nth(i,env@env1) = nth(sum(f,id(length(env1)),length(env),length(env'),length(env1))`i,env'@env1)"
+proof -
+  from assms
+  have "length(env)\<in>nat" (is "?m \<in> _") by simp
+  from assms have "length(env')\<in>nat" (is "?n \<in> _") by simp
+  from assms have "length(env1)\<in>nat" (is "?p \<in> _") by simp
+  note lenv = id_fn_action[OF \<open>?p\<in>nat\<close> \<open>env1\<in>list(M)\<close>]
+  note lenv_ty = id_fn_type[OF \<open>?p\<in>nat\<close>]
+  {
+    fix i
+    assume "i < length(env)#+length(env1)"
+    have "nth(i,env@env1) = nth(sum(f,id(length(env1)),?m,?n,?p)`i,env'@env1)"
+      using sum_action[OF \<open>?m\<in>nat\<close> \<open>?n\<in>nat\<close> \<open>?p\<in>nat\<close> \<open>?p\<in>nat\<close> \<open>f\<in>?m\<rightarrow>?n\<close>
+          lenv_ty \<open>env\<in>list(M)\<close> \<open>env'\<in>list(M)\<close>
+          \<open>env1\<in>list(M)\<close> \<open>env1\<in>list(M)\<close> _
+          _ _  assms(5) lenv
+          ] \<open>i<?m#+length(env1)\<close> by simp
+  }
+  then show "\<And> i . i < ?m#+length(env1) \<Longrightarrow>
+          nth(i,env@env1) = nth(sum(f,id(?p),?m,?n,?p)`i,env'@env1)" by simp
+qed
+
+lemma sum_action_id_aux :
+  assumes
+    "f \<in> m\<rightarrow>n"
+    "env \<in> list(M)"
+    "env' \<in> list(M)"
+    "env1 \<in> list(M)"
+    "length(env) = m"
+    "length(env') = n"
+    "length(env1) = p"
+    "\<And> i . i < m \<Longrightarrow> nth(i,env) = nth(f`i,env')"
+  shows "\<And> i . i < m#+length(env1) \<Longrightarrow>
+          nth(i,env@env1) = nth(sum(f,id(length(env1)),m,n,length(env1))`i,env'@env1)"
+  using assms length_type id_fn_type sum_action_id
+  by auto
+
+
+definition
+  sum_id :: "[i,i] \<Rightarrow> i" where
+  "sum_id(m,f) \<equiv> sum(\<lambda>x\<in>1.x,f,1,1,m)"
+
+lemma sum_id0 : "m\<in>nat\<Longrightarrow>sum_id(m,f)`0 = 0"
+  by(unfold sum_id_def,subst sum_inl,auto)
+
+lemma sum_idS : "p\<in>nat \<Longrightarrow> q\<in>nat \<Longrightarrow> f\<in>p\<rightarrow>q \<Longrightarrow> x \<in> p \<Longrightarrow> sum_id(p,f)`(succ(x)) = succ(f`x)"
+  by(subgoal_tac "x\<in>nat",unfold sum_id_def,subst sum_inr,
+      simp_all add:ltI,simp_all add: app_nm in_n_in_nat)
+
+lemma sum_id_tc_aux :
+  "p \<in> nat \<Longrightarrow>  q \<in> nat \<Longrightarrow> f \<in> p \<rightarrow> q \<Longrightarrow> sum_id(p,f) \<in> 1#+p \<rightarrow> 1#+q"
+  by (unfold sum_id_def,rule sum_type,simp_all)
+
+lemma sum_id_tc :
+  "n \<in> nat \<Longrightarrow> m \<in> nat \<Longrightarrow> f \<in> n \<rightarrow> m \<Longrightarrow> sum_id(n,f) \<in> succ(n) \<rightarrow> succ(m)"
+  by(rule ssubst[of  "succ(n) \<rightarrow> succ(m)" "1#+n \<rightarrow> 1#+m"],
+      simp,rule sum_id_tc_aux,simp_all)
+
+subsection\<open>Renaming of formulas\<close>
+
+consts   ren :: "i\<Rightarrow>i"
+primrec
+  "ren(Member(x,y)) =
+      (\<lambda> n \<in> nat . \<lambda> m \<in> nat. \<lambda>f \<in> n \<rightarrow> m. Member (f`x, f`y))"
+
+"ren(Equal(x,y)) =
+      (\<lambda> n \<in> nat . \<lambda> m \<in> nat. \<lambda>f \<in> n \<rightarrow> m. Equal (f`x, f`y))"
+
+"ren(Nand(p,q)) =
+      (\<lambda> n \<in> nat . \<lambda> m \<in> nat. \<lambda>f \<in> n \<rightarrow> m. Nand (ren(p)`n`m`f, ren(q)`n`m`f))"
+
+"ren(Forall(p)) =
+      (\<lambda> n \<in> nat . \<lambda> m \<in> nat. \<lambda>f \<in> n \<rightarrow> m. Forall (ren(p)`succ(n)`succ(m)`sum_id(n,f)))"
+
+lemma arity_meml : "l \<in> nat \<Longrightarrow> Member(x,y) \<in> formula \<Longrightarrow> arity(Member(x,y)) \<le> l \<Longrightarrow> x \<in> l"
+  by(simp,rule subsetD,rule le_imp_subset,assumption,simp)
+lemma arity_memr : "l \<in> nat \<Longrightarrow> Member(x,y) \<in> formula \<Longrightarrow> arity(Member(x,y)) \<le> l \<Longrightarrow> y \<in> l"
+  by(simp,rule subsetD,rule le_imp_subset,assumption,simp)
+lemma arity_eql : "l \<in> nat \<Longrightarrow> Equal(x,y) \<in> formula \<Longrightarrow> arity(Equal(x,y)) \<le> l \<Longrightarrow> x \<in> l"
+  by(simp,rule subsetD,rule le_imp_subset,assumption,simp)
+lemma arity_eqr : "l \<in> nat \<Longrightarrow> Equal(x,y) \<in> formula \<Longrightarrow> arity(Equal(x,y)) \<le> l \<Longrightarrow> y \<in> l"
+  by(simp,rule subsetD,rule le_imp_subset,assumption,simp)
+lemma  nand_ar1 : "p \<in> formula \<Longrightarrow> q\<in>formula \<Longrightarrow>arity(p) \<le> arity(Nand(p,q))"
+  by (simp,rule Un_upper1_le,simp+)
+lemma nand_ar2 : "p \<in> formula \<Longrightarrow> q\<in>formula \<Longrightarrow>arity(q) \<le> arity(Nand(p,q))"
+  by (simp,rule Un_upper2_le,simp+)
+
+lemma nand_ar1D : "p \<in> formula \<Longrightarrow> q\<in>formula \<Longrightarrow> arity(Nand(p,q)) \<le> n \<Longrightarrow> arity(p) \<le> n"
+  by(auto simp add:  le_trans[OF Un_upper1_le[of "arity(p)" "arity(q)"]])
+lemma nand_ar2D : "p \<in> formula \<Longrightarrow> q\<in>formula \<Longrightarrow> arity(Nand(p,q)) \<le> n \<Longrightarrow> arity(q) \<le> n"
+  by(auto simp add:  le_trans[OF Un_upper2_le[of "arity(p)" "arity(q)"]])
+
+
+lemma ren_tc : "p \<in> formula \<Longrightarrow>
+  (\<And> n m f . n \<in> nat \<Longrightarrow> m \<in> nat \<Longrightarrow> f \<in> n\<rightarrow>m \<Longrightarrow>  ren(p)`n`m`f \<in> formula)"
+  by (induct set:formula,auto simp add: app_nm sum_id_tc)
+
+
+lemma arity_ren :
+  fixes "p"
+  assumes "p \<in> formula"
+  shows "\<And> n m f . n \<in> nat \<Longrightarrow> m \<in> nat \<Longrightarrow> f \<in> n\<rightarrow>m \<Longrightarrow> arity(p) \<le> n \<Longrightarrow> arity(ren(p)`n`m`f)\<le>m"
+  using assms
+proof (induct set:formula)
+  case (Member x y)
+  then have "f`x \<in> m" "f`y \<in> m"
+    using Member assms by (simp add: arity_meml apply_funtype,simp add:arity_memr apply_funtype)
+  then show ?case using Member by (simp add: Un_least_lt ltI)
+next
+  case (Equal x y)
+  then have "f`x \<in> m" "f`y \<in> m"
+    using Equal assms by (simp add: arity_eql apply_funtype,simp add:arity_eqr apply_funtype)
+  then show ?case using Equal by (simp add: Un_least_lt ltI)
+next
+  case (Nand p q)
+  then have "arity(p)\<le>arity(Nand(p,q))"
+    "arity(q)\<le>arity(Nand(p,q))"
+    by (subst  nand_ar1,simp,simp,simp,subst nand_ar2,simp+)
+  then have "arity(p)\<le>n"
+    and "arity(q)\<le>n" using Nand
+    by (rule_tac j="arity(Nand(p,q))" in le_trans,simp,simp)+
+  then have "arity(ren(p)`n`m`f) \<le> m" and  "arity(ren(q)`n`m`f) \<le> m"
+    using Nand by auto
+  then show ?case using Nand by (simp add:Un_least_lt)
+next
+  case (Forall p)
+  from Forall have "succ(n)\<in>nat"  "succ(m)\<in>nat" by auto
+  from Forall have 2: "sum_id(n,f) \<in> succ(n)\<rightarrow>succ(m)" by (simp add:sum_id_tc)
+  from Forall have 3:"arity(p) \<le> succ(n)" by (rule_tac n="arity(p)" in natE,simp+)
+  then have "arity(ren(p)`succ(n)`succ(m)`sum_id(n,f))\<le>succ(m)" using
+      Forall \<open>succ(n)\<in>nat\<close> \<open>succ(m)\<in>nat\<close> 2 by force
+  then show ?case using Forall 2 3 ren_tc arity_type pred_le by auto
+qed
+
+lemma arity_forallE : "p \<in> formula \<Longrightarrow> m \<in> nat \<Longrightarrow> arity(Forall(p)) \<le> m \<Longrightarrow> arity(p) \<le> succ(m)"
+  by(rule_tac n="arity(p)" in natE,erule arity_type,simp+)
+
+lemma env_coincidence_sum_id :
+  assumes "m \<in> nat" "n \<in> nat"
+    "\<rho> \<in> list(A)" "\<rho>' \<in> list(A)"
+    "f \<in> n \<rightarrow> m"
+    "\<And> i . i < n \<Longrightarrow> nth(i,\<rho>) = nth(f`i,\<rho>')"
+    "a \<in> A" "j \<in> succ(n)"
+  shows "nth(j,Cons(a,\<rho>)) = nth(sum_id(n,f)`j,Cons(a,\<rho>'))"
+proof -
+  let ?g="sum_id(n,f)"
+  have "succ(n) \<in> nat" using \<open>n\<in>nat\<close> by simp
+  then have "j \<in> nat" using \<open>j\<in>succ(n)\<close> in_n_in_nat by blast
+  then have "nth(j,Cons(a,\<rho>)) = nth(?g`j,Cons(a,\<rho>'))"
+  proof (cases rule:natE[OF \<open>j\<in>nat\<close>])
+    case 1
+    then show ?thesis using assms sum_id0 by simp
+  next
+    case (2 i)
+    with \<open>j\<in>succ(n)\<close> have "succ(i)\<in>succ(n)" by simp
+    with \<open>n\<in>nat\<close> have "i \<in> n" using nat_succD assms by simp
+    have "f`i\<in>m" using \<open>f\<in>n\<rightarrow>m\<close> apply_type \<open>i\<in>n\<close> by simp
+    then have "f`i \<in> nat" using in_n_in_nat \<open>m\<in>nat\<close> by simp
+    have "nth(succ(i),Cons(a,\<rho>)) = nth(i,\<rho>)" using \<open>i\<in>nat\<close> by simp
+    also have "... = nth(f`i,\<rho>')" using assms \<open>i\<in>n\<close> ltI by simp
+    also have "... = nth(succ(f`i),Cons(a,\<rho>'))" using \<open>f`i\<in>nat\<close> by simp
+    also have "... = nth(?g`succ(i),Cons(a,\<rho>'))"
+      using assms sum_idS[OF \<open>n\<in>nat\<close> \<open>m\<in>nat\<close>  \<open>f\<in>n\<rightarrow>m\<close> \<open>i \<in> n\<close>] cases by simp
+    finally have "nth(succ(i),Cons(a,\<rho>)) = nth(?g`succ(i),Cons(a,\<rho>'))" .
+    then show ?thesis using \<open>j=succ(i)\<close> by simp
+  qed
+  then show ?thesis .
+qed
+
+lemma sats_iff_sats_ren :
+  fixes "\<phi>"
+  assumes "\<phi> \<in> formula"
+  shows  "\<lbrakk>  n \<in> nat ; m \<in> nat ; \<rho> \<in> list(M) ; \<rho>' \<in> list(M) ; f \<in> n \<rightarrow> m ;
+            arity(\<phi>) \<le> n ;
+            \<And> i . i < n \<Longrightarrow> nth(i,\<rho>) = nth(f`i,\<rho>') \<rbrakk> \<Longrightarrow>
+         sats(M,\<phi>,\<rho>) \<longleftrightarrow> sats(M,ren(\<phi>)`n`m`f,\<rho>')"
+  using \<open>\<phi> \<in> formula\<close>
+proof(induct \<phi> arbitrary:n m \<rho> \<rho>' f)
+  case (Member x y)
+  have "ren(Member(x,y))`n`m`f = Member(f`x,f`y)" using Member assms arity_type by force
+  moreover
+  have "x \<in> n" using Member arity_meml by simp
+  moreover 
+  have "y \<in> n" using Member arity_memr by simp
+  ultimately
+  show ?case using Member ltI by simp
+next
+  case (Equal x y)
+  have "ren(Equal(x,y))`n`m`f = Equal(f`x,f`y)" using Equal assms arity_type by force
+  moreover
+  have "x \<in> n" using Equal arity_eql by simp
+  moreover
+  have "y \<in> n" using Equal arity_eqr by simp
+  ultimately show ?case using Equal ltI by simp
+next
+  case (Nand p q)
+  have "ren(Nand(p,q))`n`m`f = Nand(ren(p)`n`m`f,ren(q)`n`m`f)" using Nand by simp
+  moreover
+  have "arity(p) \<le> n" using Nand nand_ar1D by simp
+  moreover from this
+  have "i \<in> arity(p) \<Longrightarrow> i \<in> n" for i using subsetD[OF le_imp_subset[OF \<open>arity(p) \<le> n\<close>]] by simp
+  moreover from this
+  have "i \<in> arity(p) \<Longrightarrow> nth(i,\<rho>) = nth(f`i,\<rho>')" for i using Nand ltI by simp
+  moreover from this
+  have "sats(M,p,\<rho>) \<longleftrightarrow> sats(M,ren(p)`n`m`f,\<rho>')" using \<open>arity(p)\<le>n\<close> Nand by simp
+  have "arity(q) \<le> n" using Nand nand_ar2D by simp
+  moreover from this
+  have "i \<in> arity(q) \<Longrightarrow> i \<in> n" for i using subsetD[OF le_imp_subset[OF \<open>arity(q) \<le> n\<close>]] by simp
+  moreover from this
+  have "i \<in> arity(q) \<Longrightarrow> nth(i,\<rho>) = nth(f`i,\<rho>')" for i using Nand ltI by simp
+  moreover from this
+  have "sats(M,q,\<rho>) \<longleftrightarrow> sats(M,ren(q)`n`m`f,\<rho>')" using assms \<open>arity(q)\<le>n\<close> Nand by simp
+  ultimately
+  show ?case using Nand by simp
+next
+  case (Forall p)
+  have 0:"ren(Forall(p))`n`m`f = Forall(ren(p)`succ(n)`succ(m)`sum_id(n,f))"
+    using Forall by simp
+  have 1:"sum_id(n,f) \<in> succ(n) \<rightarrow> succ(m)" (is "?g \<in> _") using sum_id_tc Forall by simp
+  then have 2: "arity(p) \<le> succ(n)"
+    using Forall le_trans[of _ "succ(pred(arity(p)))"] succpred_leI by simp
+  have "succ(n)\<in>nat" "succ(m)\<in>nat" using Forall by auto
+  then have A:"\<And> j .j < succ(n) \<Longrightarrow> nth(j, Cons(a, \<rho>)) = nth(?g`j, Cons(a, \<rho>'))" if "a\<in>M" for a
+    using that env_coincidence_sum_id Forall ltD by force
+  have
+    "sats(M,p,Cons(a,\<rho>)) \<longleftrightarrow> sats(M,ren(p)`succ(n)`succ(m)`?g,Cons(a,\<rho>'))" if "a\<in>M" for a
+  proof -
+    have C:"Cons(a,\<rho>) \<in> list(M)" "Cons(a,\<rho>')\<in>list(M)" using Forall that by auto
+    have "sats(M,p,Cons(a,\<rho>)) \<longleftrightarrow> sats(M,ren(p)`succ(n)`succ(m)`?g,Cons(a,\<rho>'))"
+      using Forall(2)[OF \<open>succ(n)\<in>nat\<close> \<open>succ(m)\<in>nat\<close> C(1) C(2) 1 2 A[OF \<open>a\<in>M\<close>]] by simp
+    then show ?thesis .
+  qed
+  then show ?case using Forall 0 1 2 by simp
+qed
+
+end
diff --git a/thys/Forcing/Renaming_Auto.thy b/thys/Forcing/Renaming_Auto.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Renaming_Auto.thy
@@ -0,0 +1,57 @@
+theory Renaming_Auto
+  imports
+    Renaming
+    ZF.Finite
+    ZF.List
+keywords
+  "rename" :: thy_decl % "ML"
+and
+  "simple_rename" :: thy_decl % "ML"
+and
+  "src"
+and
+  "tgt"
+abbrevs
+  "simple_rename" = ""
+
+begin
+
+lemmas app_fun = apply_iff[THEN iffD1]
+lemmas nat_succI = nat_succ_iff[THEN iffD2]
+ML_file\<open>Utils.ml\<close>
+ML_file\<open>Renaming_ML.ml\<close>
+ML\<open>
+  open Renaming_ML
+
+  fun renaming_def mk_ren name from to ctxt =
+    let val to = to |> Syntax.read_term ctxt
+        val from = from |> Syntax.read_term ctxt
+        val (tc_lemma,action_lemma,fvs,r) = mk_ren from to ctxt
+        val (tc_lemma,action_lemma) = (fix_vars tc_lemma fvs ctxt , fix_vars action_lemma fvs ctxt)
+        val ren_fun_name = Binding.name (name ^ "_fn")
+        val ren_fun_def =  Binding.name (name ^ "_fn_def")
+        val ren_thm = Binding.name (name ^ "_thm")
+    in
+      Local_Theory.note   ((ren_thm, []), [tc_lemma,action_lemma]) ctxt |> snd |>
+      Local_Theory.define ((ren_fun_name, NoSyn), ((ren_fun_def, []), r)) |> snd      
+  end;
+\<close>
+
+ML\<open>
+local
+
+  val ren_parser = Parse.position (Parse.string --
+      (Parse.$$$ "src" |-- Parse.string --| Parse.$$$ "tgt" -- Parse.string));
+
+  val _ =
+   Outer_Syntax.local_theory \<^command_keyword>\<open>rename\<close> "ML setup for synthetic definitions"
+     (ren_parser >> (fn ((name,(from,to)),_) => renaming_def sum_rename name from to ))
+
+  val _ =
+   Outer_Syntax.local_theory \<^command_keyword>\<open>simple_rename\<close> "ML setup for synthetic definitions"
+     (ren_parser >> (fn ((name,(from,to)),_) => renaming_def ren_thm name from to ))
+
+in
+end
+\<close>
+end
\ No newline at end of file
diff --git a/thys/Forcing/Renaming_ML.ml b/thys/Forcing/Renaming_ML.ml
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Renaming_ML.ml
@@ -0,0 +1,178 @@
+(* Builds the finite mapping. *)
+structure Renaming_ML = struct
+open Utils
+
+fun sum_ f g m n p = @{const Renaming.sum} $ f $ g $ m $ n $ p
+
+fun mk_ren rho rho' ctxt =
+  let val rs  = to_ML_list rho
+      val rs' = to_ML_list rho'
+      val ixs = 0 upto (length rs-1)
+      fun err t = "The element " ^ Syntax.string_of_term ctxt t ^ " is missing in the target environment"
+      fun mkp i =
+          case find_index (fn x => x = nth rs i) rs' of
+            ~1 => nth rs i |> err |> error
+          |  j => mk_Pair (mk_ZFnat i) (mk_ZFnat j) 
+  in  map mkp ixs |> mk_FinSet
+  end                           
+
+fun mk_dom_lemma ren rho =
+  let val n = rho |> to_ML_list |> length |> mk_ZFnat
+  in eq_ n (@{const domain} $ ren) |> tp
+end
+
+fun ren_tc_goal fin ren rho rho' =
+  let val n = rho |> to_ML_list |> length
+      val m = rho' |> to_ML_list |> length
+      val fun_ty = if fin then @{const_name "FiniteFun"} else @{const_abbrev "function_space"}
+      val ty = Const (fun_ty,@{typ "i \<Rightarrow> i \<Rightarrow> i"}) $ mk_ZFnat n $ mk_ZFnat m
+  in  mem_ ren ty |> tp
+end
+
+fun ren_action_goal ren rho rho' ctxt =
+  let val setV = Variable.variant_frees ctxt [] [("A",@{typ i})] |> hd |> Free
+      val j = Variable.variant_frees ctxt [] [("j",@{typ i})] |> hd |> Free 
+      val vs = rho  |> to_ML_list
+      val ws = rho' |> to_ML_list |> filter isFree 
+      val h1 = subset_ (vs|> mk_FinSet) setV
+      val h2 = lt_ j (mk_ZFnat (length vs))
+      val fvs = ([j,setV ] @ ws |> filter isFree) |> map freeName
+      val lhs = nth_ j rho
+      val rhs = nth_ (app_ ren j)  rho'
+      val concl = eq_ lhs rhs
+   in (Logic.list_implies([tp h1,tp h2],tp concl),fvs)
+  end
+
+  fun sum_tc_goal f m n p = 
+    let val m_length = m |> to_ML_list |> length |> mk_ZFnat
+        val n_length = n |> to_ML_list |> length |> mk_ZFnat
+        val p_length = p |> length_
+        val id_fun = @{const id} $ p_length
+        val sum_fun = sum_ f id_fun m_length n_length p_length
+        val dom = add_ m_length p_length
+        val codom = add_ n_length p_length
+        val fun_ty = @{const_abbrev "function_space"}
+        val ty = Const (fun_ty,@{typ "i \<Rightarrow> i \<Rightarrow> i"}) $ dom $ codom
+  in  (sum_fun, mem_ sum_fun ty |> tp)
+  end
+
+fun sum_action_goal ren rho rho' ctxt =
+  let val setV = Variable.variant_frees ctxt [] [("A",@{typ i})] |> hd |> Free
+      val envV = Variable.variant_frees ctxt [] [("env",@{typ i})] |> hd |> Free
+      val j = Variable.variant_frees ctxt [] [("j",@{typ i})] |> hd |> Free 
+      val vs = rho  |> to_ML_list
+      val ws = rho' |> to_ML_list |> filter isFree 
+      val envL =  envV |> length_
+      val rhoL = vs |> length |> mk_ZFnat
+      val h1 = subset_ (append vs ws |> mk_FinSet) setV
+      val h2 = lt_ j (add_ rhoL envL)
+      val h3 = mem_ envV (list_ setV)
+      val fvs = ([j,setV,envV] @ ws |> filter isFree) |> map freeName
+      val lhs = nth_ j (concat_ rho envV)
+      val rhs = nth_ (app_ ren j) (concat_ rho' envV)
+      val concl = eq_ lhs rhs
+   in (Logic.list_implies([tp h1,tp h2,tp h3],tp concl),fvs)
+  end
+
+  (* Tactics *)
+  fun fin ctxt = 
+         REPEAT (resolve_tac ctxt [@{thm nat_succI}] 1)
+         THEN   resolve_tac ctxt [@{thm nat_0I}] 1
+
+  fun step ctxt thm = 
+    asm_full_simp_tac ctxt 1
+    THEN asm_full_simp_tac ctxt 1
+    THEN EqSubst.eqsubst_tac ctxt [1] [@{thm app_fun} OF [thm]] 1
+    THEN simp_tac ctxt 1
+    THEN simp_tac ctxt 1
+
+  fun fin_fun_tac ctxt = 
+    REPEAT (
+      resolve_tac ctxt [@{thm consI}] 1
+      THEN resolve_tac ctxt [@{thm ltD}] 1
+      THEN simp_tac ctxt 1
+      THEN resolve_tac ctxt [@{thm ltD}] 1
+      THEN simp_tac ctxt 1)
+    THEN resolve_tac ctxt [@{thm emptyI}] 1
+  THEN REPEAT (simp_tac ctxt 1)
+
+  fun ren_thm e e' ctxt = 
+   let
+    val r = mk_ren e e' ctxt
+    val fin_tc_goal = ren_tc_goal true r e e' 
+    val dom_goal =  mk_dom_lemma r e
+    val tc_goal = ren_tc_goal false r e e'
+    val (action_goal,fvs) = ren_action_goal r e e' ctxt
+    val fin_tc_lemma = Goal.prove ctxt [] [] fin_tc_goal (fn _ => fin_fun_tac ctxt)
+    val dom_lemma = Goal.prove ctxt [] [] dom_goal (fn _ => blast_tac ctxt 1) 
+    val tc_lemma =  Goal.prove ctxt [] [] tc_goal
+            (fn _ =>  EqSubst.eqsubst_tac ctxt [1] [dom_lemma] 1
+              THEN resolve_tac ctxt [@{thm FiniteFun_is_fun}] 1
+              THEN resolve_tac ctxt [fin_tc_lemma] 1)
+    val action_lemma = Goal.prove ctxt [] [] action_goal
+              (fn _ => 
+                  forward_tac ctxt [@{thm le_natI}] 1
+                  THEN fin ctxt
+                  THEN REPEAT (resolve_tac ctxt [@{thm natE}] 1
+                               THEN step ctxt tc_lemma)
+                  THEN (step ctxt tc_lemma)
+              )
+    in (action_lemma, tc_lemma, fvs, r)
+  end
+
+(* 
+Returns the sum renaming, the goal for type_checking, and the actual lemmas 
+for the left part of the sum.
+*)
+ fun sum_ren_aux e e' ctxt = 
+  let val env = Variable.variant_frees ctxt [] [("env",@{typ i})] |> hd |> Free
+      val (left_action_lemma,left_tc_lemma,_,r) = ren_thm e e' ctxt
+      val (sum_ren,sum_goal_tc) = sum_tc_goal r e e' env
+      val setV = Variable.variant_frees ctxt [] [("A",@{typ i})] |> hd |> Free      
+      fun hyp en = mem_ en (list_ setV)
+  in (sum_ren,
+      freeName env,
+      Logic.list_implies (map (fn e => e |> hyp |> tp) [env], sum_goal_tc),
+      left_tc_lemma,
+      left_action_lemma)
+end
+
+fun sum_tc_lemma rho rho' ctxt =
+  let val (sum_ren, envVar, tc_goal, left_tc_lemma, left_action_lemma) = sum_ren_aux rho rho' ctxt
+      val (goal,fvs) = sum_action_goal sum_ren rho rho' ctxt
+      val r = mk_ren rho rho' ctxt
+  in (sum_ren, goal,envVar, r,left_tc_lemma, left_action_lemma ,fvs, Goal.prove ctxt [] [] tc_goal
+               (fn _ =>
+            resolve_tac ctxt [@{thm sum_type_id_aux2}] 1
+            THEN asm_simp_tac ctxt 4
+            THEN simp_tac ctxt 1
+            THEN resolve_tac ctxt [left_tc_lemma] 1            
+            THEN (fin ctxt)
+            THEN (fin ctxt)
+  ))
+  end
+
+fun sum_rename rho rho' ctxt = 
+  let
+    val (_, goal, _, left_rename, left_tc_lemma, left_action_lemma, fvs, sum_tc_lemma) = sum_tc_lemma rho rho' ctxt
+    val action_lemma = fix_vars left_action_lemma fvs ctxt
+  in (sum_tc_lemma, Goal.prove ctxt [] [] goal
+    (fn _ => resolve_tac ctxt [@{thm sum_action_id_aux}] 1
+            THEN (simp_tac ctxt 4)
+            THEN (simp_tac ctxt 1)
+            THEN (resolve_tac ctxt [left_tc_lemma]  1)
+            THEN (asm_full_simp_tac ctxt 1) 
+            THEN (asm_full_simp_tac ctxt 1)
+            THEN (simp_tac ctxt 1)
+            THEN (simp_tac ctxt 1)
+            THEN (simp_tac ctxt 1)
+            THEN (full_simp_tac ctxt 1)
+            THEN (resolve_tac ctxt [action_lemma] 1)
+            THEN (blast_tac ctxt  1)
+            THEN (full_simp_tac ctxt  1)
+            THEN (full_simp_tac ctxt  1)
+    
+   ), fvs, left_rename
+   )
+end ;
+end
\ No newline at end of file
diff --git a/thys/Forcing/Replacement_Axiom.thy b/thys/Forcing/Replacement_Axiom.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Replacement_Axiom.thy
@@ -0,0 +1,564 @@
+section\<open>The Axiom of Replacement in $M[G]$\<close>
+theory Replacement_Axiom
+  imports
+    Least Relative_Univ Separation_Axiom Renaming_Auto
+begin
+
+rename "renrep1" src "[p,P,leq,o,\<rho>,\<tau>]" tgt "[V,\<tau>,\<rho>,p,\<alpha>,P,leq,o]"
+
+definition renrep_fn :: "i \<Rightarrow> i" where
+  "renrep_fn(env) \<equiv> sum(renrep1_fn,id(length(env)),6,8,length(env))"
+
+definition
+  renrep :: "[i,i] \<Rightarrow> i" where
+  "renrep(\<phi>,env) = ren(\<phi>)`(6#+length(env))`(8#+length(env))`renrep_fn(env)"
+
+lemma renrep_type [TC]:
+  assumes "\<phi>\<in>formula" "env \<in> list(M)"
+  shows "renrep(\<phi>,env) \<in> formula"
+  unfolding renrep_def renrep_fn_def renrep1_fn_def
+  using assms renrep1_thm(1) ren_tc
+  by simp
+
+lemma arity_renrep:
+  assumes  "\<phi>\<in>formula" "arity(\<phi>)\<le> 6#+length(env)" "env \<in> list(M)"
+  shows "arity(renrep(\<phi>,env)) \<le> 8#+length(env)"
+  unfolding  renrep_def renrep_fn_def renrep1_fn_def
+  using assms renrep1_thm(1) arity_ren
+  by simp
+
+lemma renrep_sats :
+  assumes  "arity(\<phi>) \<le> 6 #+ length(env)"
+          "[P,leq,o,p,\<rho>,\<tau>] @ env \<in> list(M)"
+    "V \<in> M" "\<alpha> \<in> M"
+    "\<phi>\<in>formula"
+  shows "sats(M, \<phi>, [p,P,leq,o,\<rho>,\<tau>] @ env) \<longleftrightarrow> sats(M, renrep(\<phi>,env), [V,\<tau>,\<rho>,p,\<alpha>,P,leq,o] @ env)"
+  unfolding  renrep_def renrep_fn_def renrep1_fn_def
+  by (rule sats_iff_sats_ren,insert assms, auto simp add:renrep1_thm(1)[of _ M,simplified]
+        renrep1_thm(2)[simplified,where p=p and \<alpha>=\<alpha>])
+
+rename "renpbdy1" src "[\<rho>,p,\<alpha>,P,leq,o]" tgt "[\<rho>,p,x,\<alpha>,P,leq,o]"
+
+definition renpbdy_fn :: "i \<Rightarrow> i" where
+  "renpbdy_fn(env) \<equiv> sum(renpbdy1_fn,id(length(env)),6,7,length(env))"
+
+definition
+  renpbdy :: "[i,i] \<Rightarrow> i" where
+  "renpbdy(\<phi>,env) = ren(\<phi>)`(6#+length(env))`(7#+length(env))`renpbdy_fn(env)"
+
+
+lemma
+  renpbdy_type [TC]: "\<phi>\<in>formula \<Longrightarrow> env\<in>list(M) \<Longrightarrow> renpbdy(\<phi>,env) \<in> formula"
+  unfolding renpbdy_def renpbdy_fn_def renpbdy1_fn_def
+  using  renpbdy1_thm(1) ren_tc
+  by simp
+
+lemma  arity_renpbdy: "\<phi>\<in>formula \<Longrightarrow> arity(\<phi>) \<le> 6 #+ length(env) \<Longrightarrow> env\<in>list(M) \<Longrightarrow> arity(renpbdy(\<phi>,env)) \<le> 7 #+ length(env)"
+  unfolding renpbdy_def renpbdy_fn_def renpbdy1_fn_def
+  using  renpbdy1_thm(1) arity_ren
+  by simp
+
+lemma
+  sats_renpbdy: "arity(\<phi>) \<le> 6 #+ length(nenv) \<Longrightarrow> [\<rho>,p,x,\<alpha>,P,leq,o,\<pi>] @ nenv \<in> list(M) \<Longrightarrow> \<phi>\<in>formula \<Longrightarrow>
+       sats(M, \<phi>, [\<rho>,p,\<alpha>,P,leq,o] @ nenv) \<longleftrightarrow> sats(M, renpbdy(\<phi>,nenv), [\<rho>,p,x,\<alpha>,P,leq,o] @ nenv)"
+  unfolding renpbdy_def renpbdy_fn_def renpbdy1_fn_def
+  by (rule sats_iff_sats_ren,auto simp add: renpbdy1_thm(1)[of _ M,simplified]
+                                            renpbdy1_thm(2)[simplified,where \<alpha>=\<alpha> and x=x])
+
+
+rename "renbody1" src "[x,\<alpha>,P,leq,o]" tgt "[\<alpha>,x,m,P,leq,o]"
+
+definition renbody_fn :: "i \<Rightarrow> i" where
+  "renbody_fn(env) \<equiv> sum(renbody1_fn,id(length(env)),5,6,length(env))"
+
+definition
+  renbody :: "[i,i] \<Rightarrow> i" where
+  "renbody(\<phi>,env) = ren(\<phi>)`(5#+length(env))`(6#+length(env))`renbody_fn(env)"
+
+lemma
+  renbody_type [TC]: "\<phi>\<in>formula \<Longrightarrow> env\<in>list(M) \<Longrightarrow> renbody(\<phi>,env) \<in> formula"
+  unfolding renbody_def renbody_fn_def renbody1_fn_def
+  using  renbody1_thm(1) ren_tc
+  by simp
+
+lemma  arity_renbody: "\<phi>\<in>formula \<Longrightarrow> arity(\<phi>) \<le> 5 #+ length(env) \<Longrightarrow> env\<in>list(M) \<Longrightarrow>
+  arity(renbody(\<phi>,env)) \<le> 6 #+ length(env)"
+  unfolding renbody_def renbody_fn_def renbody1_fn_def
+  using  renbody1_thm(1) arity_ren
+  by simp
+
+lemma
+  sats_renbody: "arity(\<phi>) \<le> 5 #+ length(nenv) \<Longrightarrow> [\<alpha>,x,m,P,leq,o] @ nenv \<in> list(M) \<Longrightarrow> \<phi>\<in>formula \<Longrightarrow>
+       sats(M, \<phi>, [x,\<alpha>,P,leq,o] @ nenv) \<longleftrightarrow> sats(M, renbody(\<phi>,nenv), [\<alpha>,x,m,P,leq,o] @ nenv)"
+  unfolding renbody_def renbody_fn_def renbody1_fn_def
+  by (rule sats_iff_sats_ren, auto simp add:renbody1_thm(1)[of _ M,simplified]
+                                            renbody1_thm(2)[where \<alpha>=\<alpha> and m=m,simplified])
+
+context G_generic
+begin
+
+lemma pow_inter_M:
+  assumes
+    "x\<in>M" "y\<in>M"
+  shows
+    "powerset(##M,x,y) \<longleftrightarrow> y = Pow(x) \<inter> M"
+  using assms by auto
+
+
+schematic_goal sats_prebody_fm_auto:
+  assumes
+    "\<phi>\<in>formula" "[P,leq,one,p,\<rho>,\<pi>] @ nenv \<in>list(M)"  "\<alpha>\<in>M" "arity(\<phi>) \<le> 2 #+ length(nenv)"
+  shows
+    "(\<exists>\<tau>\<in>M. \<exists>V\<in>M. is_Vset(##M,\<alpha>,V) \<and> \<tau>\<in>V \<and> sats(M,forces(\<phi>),[p,P,leq,one,\<rho>,\<tau>] @ nenv))
+   \<longleftrightarrow> sats(M,?prebody_fm,[\<rho>,p,\<alpha>,P,leq,one] @ nenv)"
+  apply (insert assms; (rule sep_rules is_Vset_iff_sats[OF _ _ _ _ _ nonempty[simplified]] | simp))
+   apply (rule sep_rules is_Vset_iff_sats is_Vset_iff_sats[OF _ _ _ _ _ nonempty[simplified]] | simp)+
+        apply (rule nonempty[simplified])
+       apply (simp_all)
+    apply (rule length_type[THEN nat_into_Ord], blast)+
+  apply ((rule sep_rules | simp))
+    apply ((rule sep_rules | simp))
+      apply ((rule sep_rules | simp))
+       apply ((rule sep_rules | simp))
+      apply ((rule sep_rules | simp))
+     apply ((rule sep_rules | simp))
+    apply ((rule sep_rules | simp))
+   apply (rule renrep_sats[simplified])
+       apply (insert assms)
+       apply(auto simp add: renrep_type definability)
+proof -
+  from assms
+  have "nenv\<in>list(M)" by simp
+  with \<open>arity(\<phi>)\<le>_\<close> \<open>\<phi>\<in>_\<close>
+  show "arity(forces(\<phi>)) \<le> succ(succ(succ(succ(succ(succ(length(nenv)))))))"
+    using arity_forces_le by simp
+qed
+
+(* The formula synthesized above *)
+synthesize_notc "prebody_fm" from_schematic sats_prebody_fm_auto
+
+lemma prebody_fm_type [TC]:
+  assumes "\<phi>\<in>formula"
+    "env \<in> list(M)"
+  shows "prebody_fm(\<phi>,env)\<in>formula"
+proof -
+  from \<open>\<phi>\<in>formula\<close>
+  have "forces(\<phi>)\<in>formula" by simp
+  then
+  have "renrep(forces(\<phi>),env)\<in>formula"
+    using \<open>env\<in>list(M)\<close> by simp
+  then show ?thesis unfolding prebody_fm_def by simp
+qed
+
+lemmas new_fm_defs = fm_defs is_transrec_fm_def is_eclose_fm_def mem_eclose_fm_def
+  finite_ordinal_fm_def is_wfrec_fm_def  Memrel_fm_def eclose_n_fm_def is_recfun_fm_def is_iterates_fm_def
+  iterates_MH_fm_def is_nat_case_fm_def quasinat_fm_def pre_image_fm_def restriction_fm_def
+
+lemma sats_prebody_fm:
+  assumes
+    "[P,leq,one,p,\<rho>] @ nenv \<in>list(M)" "\<phi>\<in>formula" "\<alpha>\<in>M" "arity(\<phi>) \<le> 2 #+ length(nenv)"
+  shows
+    "sats(M,prebody_fm(\<phi>,nenv),[\<rho>,p,\<alpha>,P,leq,one] @ nenv) \<longleftrightarrow>
+     (\<exists>\<tau>\<in>M. \<exists>V\<in>M. is_Vset(##M,\<alpha>,V) \<and> \<tau>\<in>V \<and> sats(M,forces(\<phi>),[p,P,leq,one,\<rho>,\<tau>] @ nenv))"
+  unfolding prebody_fm_def using assms sats_prebody_fm_auto by force
+
+
+lemma arity_prebody_fm:
+  assumes
+    "\<phi>\<in>formula" "\<alpha>\<in>M" "env \<in> list(M)" "arity(\<phi>) \<le> 2 #+ length(env)"
+  shows
+    "arity(prebody_fm(\<phi>,env))\<le>6 #+ length(env)"
+  unfolding prebody_fm_def is_HVfrom_fm_def is_powapply_fm_def
+  using assms new_fm_defs nat_simp_union
+    arity_renrep[of "forces(\<phi>)"] arity_forces_le[simplified] pred_le by auto
+
+
+definition
+  body_fm' :: "[i,i]\<Rightarrow>i" where
+  "body_fm'(\<phi>,env) \<equiv> Exists(Exists(And(pair_fm(0,1,2),renpbdy(prebody_fm(\<phi>,env),env))))"
+
+lemma body_fm'_type[TC]: "\<phi>\<in>formula \<Longrightarrow> env\<in>list(M) \<Longrightarrow> body_fm'(\<phi>,env)\<in>formula"
+  unfolding body_fm'_def using prebody_fm_type
+  by simp
+
+lemma arity_body_fm':
+  assumes
+    "\<phi>\<in>formula" "\<alpha>\<in>M" "env\<in>list(M)" "arity(\<phi>) \<le> 2 #+ length(env)"
+  shows
+    "arity(body_fm'(\<phi>,env))\<le>5  #+ length(env)"
+  unfolding body_fm'_def
+  using assms new_fm_defs nat_simp_union arity_prebody_fm pred_le  arity_renpbdy[of "prebody_fm(\<phi>,env)"]
+  by auto
+
+lemma sats_body_fm':
+  assumes
+    "\<exists>t p. x=\<langle>t,p\<rangle>" "x\<in>M" "[\<alpha>,P,leq,one,p,\<rho>] @ nenv \<in>list(M)" "\<phi>\<in>formula" "arity(\<phi>) \<le> 2 #+ length(nenv)"
+  shows
+    "sats(M,body_fm'(\<phi>,nenv),[x,\<alpha>,P,leq,one] @ nenv) \<longleftrightarrow>
+     sats(M,renpbdy(prebody_fm(\<phi>,nenv),nenv),[fst(x),snd(x),x,\<alpha>,P,leq,one] @ nenv)"
+  using assms fst_snd_closed[OF \<open>x\<in>M\<close>] unfolding body_fm'_def
+  by (auto)
+
+definition
+  body_fm :: "[i,i]\<Rightarrow>i" where
+  "body_fm(\<phi>,env) \<equiv> renbody(body_fm'(\<phi>,env),env)"
+
+lemma body_fm_type [TC]: "env\<in>list(M) \<Longrightarrow> \<phi>\<in>formula \<Longrightarrow>  body_fm(\<phi>,env)\<in>formula"
+  unfolding body_fm_def by simp
+
+lemma sats_body_fm:
+  assumes
+    "\<exists>t p. x=\<langle>t,p\<rangle>" "[\<alpha>,x,m,P,leq,one] @ nenv \<in>list(M)"
+    "\<phi>\<in>formula" "arity(\<phi>) \<le> 2 #+ length(nenv)"
+  shows
+    "sats(M,body_fm(\<phi>,nenv),[\<alpha>,x,m,P,leq,one] @ nenv) \<longleftrightarrow>
+     sats(M,renpbdy(prebody_fm(\<phi>,nenv),nenv),[fst(x),snd(x),x,\<alpha>,P,leq,one] @ nenv)"
+  using assms sats_body_fm' sats_renbody[OF _ assms(2), symmetric] arity_body_fm'
+  unfolding body_fm_def
+  by auto
+
+lemma sats_renpbdy_prebody_fm:
+  assumes
+    "\<exists>t p. x=\<langle>t,p\<rangle>" "x\<in>M" "[\<alpha>,m,P,leq,one] @ nenv \<in>list(M)"
+    "\<phi>\<in>formula" "arity(\<phi>) \<le> 2 #+ length(nenv)"
+  shows
+    "sats(M,renpbdy(prebody_fm(\<phi>,nenv),nenv),[fst(x),snd(x),x,\<alpha>,P,leq,one] @ nenv) \<longleftrightarrow>
+     sats(M,prebody_fm(\<phi>,nenv),[fst(x),snd(x),\<alpha>,P,leq,one] @ nenv)"
+  using assms fst_snd_closed[OF \<open>x\<in>M\<close>]
+    sats_renpbdy[OF arity_prebody_fm _ prebody_fm_type, of concl:M, symmetric]
+  by force
+
+lemma body_lemma:
+  assumes
+    "\<exists>t p. x=\<langle>t,p\<rangle>" "x\<in>M" "[x,\<alpha>,m,P,leq,one] @ nenv \<in>list(M)"
+    "\<phi>\<in>formula" "arity(\<phi>) \<le> 2 #+ length(nenv)"
+  shows
+    "sats(M,body_fm(\<phi>,nenv),[\<alpha>,x,m,P,leq,one] @ nenv) \<longleftrightarrow>
+  (\<exists>\<tau>\<in>M. \<exists>V\<in>M. is_Vset(\<lambda>a. (##M)(a),\<alpha>,V) \<and> \<tau> \<in> V \<and> (snd(x) \<tturnstile> \<phi> ([fst(x),\<tau>]@nenv)))"
+  using assms sats_body_fm[of x \<alpha> m nenv] sats_renpbdy_prebody_fm[of x \<alpha>]
+    sats_prebody_fm[of "snd(x)" "fst(x)"] fst_snd_closed[OF \<open>x\<in>M\<close>]
+  by (simp, simp flip: setclass_iff,simp)
+
+lemma Replace_sats_in_MG:
+  assumes
+    "c\<in>M[G]" "env \<in> list(M[G])"
+    "\<phi> \<in> formula" "arity(\<phi>) \<le> 2 #+ length(env)"
+    "univalent(##M[G], c, \<lambda>x v. (M[G] , [x,v]@env \<Turnstile> \<phi>) )"
+  shows
+    "{v. x\<in>c, v\<in>M[G] \<and> (M[G] , [x,v]@env \<Turnstile> \<phi>)} \<in> M[G]"
+proof -
+  let ?R = "\<lambda> x v . v\<in>M[G] \<and> (M[G] , [x,v]@env \<Turnstile> \<phi>)"
+  from \<open>c\<in>M[G]\<close>
+  obtain \<pi>' where "val(G, \<pi>') = c" "\<pi>' \<in> M"
+    using GenExt_def by auto
+  then
+  have "domain(\<pi>')\<times>P\<in>M" (is "?\<pi>\<in>M")
+    using cartprod_closed P_in_M domain_closed by simp
+  from \<open>val(G, \<pi>') = c\<close>
+  have "c \<subseteq> val(G,?\<pi>)"
+    using def_val[of G ?\<pi>] one_in_P one_in_G[OF generic] elem_of_val
+      domain_of_prod[OF one_in_P, of "domain(\<pi>')"] by force
+  from \<open>env \<in> _\<close>
+  obtain nenv where "nenv\<in>list(M)" "env = map(val(G),nenv)"
+    using map_val by auto
+  then
+  have "length(nenv) = length(env)" by simp
+  define f where "f(\<rho>p) \<equiv> \<mu> \<alpha>. \<alpha>\<in>M \<and> (\<exists>\<tau>\<in>M. \<tau> \<in> Vset(\<alpha>) \<and>
+        (snd(\<rho>p) \<tturnstile> \<phi> ([fst(\<rho>p),\<tau>] @ nenv)))" (is "_ \<equiv> \<mu> \<alpha>. ?P(\<rho>p,\<alpha>)") for \<rho>p
+  have "f(\<rho>p) = (\<mu> \<alpha>. \<alpha>\<in>M \<and> (\<exists>\<tau>\<in>M. \<exists>V\<in>M. is_Vset(##M,\<alpha>,V) \<and> \<tau>\<in>V \<and>
+        (snd(\<rho>p) \<tturnstile> \<phi> ([fst(\<rho>p),\<tau>] @ nenv))))" (is "_ = (\<mu> \<alpha>. \<alpha>\<in>M \<and> ?Q(\<rho>p,\<alpha>))") for \<rho>p
+    unfolding f_def using Vset_abs Vset_closed Ord_Least_cong[of "?P(\<rho>p)" "\<lambda> \<alpha>. \<alpha>\<in>M \<and> ?Q(\<rho>p,\<alpha>)"]
+    by (simp, simp del:setclass_iff)
+  moreover
+  have "f(\<rho>p) \<in> M" for \<rho>p
+    unfolding f_def using Least_closed[of "?P(\<rho>p)"] by simp
+  ultimately
+  have 1:"least(##M,\<lambda>\<alpha>. ?Q(\<rho>p,\<alpha>),f(\<rho>p))" for \<rho>p
+    using least_abs[of "\<lambda>\<alpha>. \<alpha>\<in>M \<and> ?Q(\<rho>p,\<alpha>)" "f(\<rho>p)"] least_conj
+    by (simp flip: setclass_iff)
+  have "Ord(f(\<rho>p))" for \<rho>p unfolding f_def by simp
+  define QQ where "QQ\<equiv>?Q"
+  from 1
+  have "least(##M,\<lambda>\<alpha>. QQ(\<rho>p,\<alpha>),f(\<rho>p))" for \<rho>p
+    unfolding QQ_def .
+  from \<open>arity(\<phi>) \<le> _\<close> \<open>length(nenv) = _\<close>
+  have "arity(\<phi>) \<le> 2 #+ length(nenv)"
+    by simp
+  moreover
+  note assms \<open>nenv\<in>list(M)\<close> \<open>?\<pi>\<in>M\<close>
+  moreover
+  have "\<rho>p\<in>?\<pi> \<Longrightarrow> \<exists>t p. \<rho>p=\<langle>t,p\<rangle>" for \<rho>p
+    by auto
+  ultimately
+  have body:"M , [\<alpha>,\<rho>p,m,P,leq,one] @ nenv \<Turnstile> body_fm(\<phi>,nenv) \<longleftrightarrow> ?Q(\<rho>p,\<alpha>)"
+    if "\<rho>p\<in>?\<pi>" "\<rho>p\<in>M" "m\<in>M" "\<alpha>\<in>M" for \<alpha> \<rho>p m
+    using that P_in_M leq_in_M one_in_M body_lemma[of \<rho>p \<alpha> m nenv \<phi>] by simp
+  let ?f_fm="least_fm(body_fm(\<phi>,nenv),1)"
+  {
+    fix \<rho>p m
+    assume asm: "\<rho>p\<in>M" "\<rho>p\<in>?\<pi>" "m\<in>M"
+    note inM = this P_in_M leq_in_M one_in_M \<open>nenv\<in>list(M)\<close>
+    with body
+    have body':"\<And>\<alpha>. \<alpha> \<in> M \<Longrightarrow> (\<exists>\<tau>\<in>M. \<exists>V\<in>M. is_Vset(\<lambda>a. (##M)(a), \<alpha>, V) \<and> \<tau> \<in> V \<and>
+          (snd(\<rho>p) \<tturnstile> \<phi> ([fst(\<rho>p),\<tau>] @ nenv))) \<longleftrightarrow>
+          M, Cons(\<alpha>, [\<rho>p, m, P, leq, one] @ nenv) \<Turnstile> body_fm(\<phi>,nenv)" by simp
+    from inM
+    have "M , [\<rho>p,m,P,leq,one] @ nenv \<Turnstile> ?f_fm \<longleftrightarrow> least(##M, QQ(\<rho>p), m)"
+      using sats_least_fm[OF body', of 1] unfolding QQ_def
+      by (simp, simp flip: setclass_iff)
+  }
+  then
+  have "M, [\<rho>p,m,P,leq,one] @ nenv \<Turnstile> ?f_fm \<longleftrightarrow> least(##M, QQ(\<rho>p), m)"
+    if "\<rho>p\<in>M" "\<rho>p\<in>?\<pi>" "m\<in>M" for \<rho>p m using that by simp
+  then
+  have "univalent(##M, ?\<pi>, \<lambda>\<rho>p m. M , [\<rho>p,m] @ ([P,leq,one] @ nenv) \<Turnstile> ?f_fm)"
+    unfolding univalent_def by (auto intro:unique_least)
+  moreover from \<open>length(_) = _\<close> \<open>env \<in> _\<close>
+  have "length([P,leq,one] @ nenv) = 3 #+ length(env)" by simp
+  moreover from \<open>arity(_) \<le> 2 #+ length(nenv)\<close>
+    \<open>length(_) = length(_)\<close>[symmetric] \<open>nenv\<in>_\<close> \<open>\<phi>\<in>_\<close>
+  have "arity(?f_fm) \<le> 5 #+ length(env)"
+    unfolding body_fm_def  new_fm_defs least_fm_def
+    using arity_forces arity_renrep arity_renbody arity_body_fm' nonempty
+    by (simp add: pred_Un Un_assoc, simp add: Un_assoc[symmetric] nat_union_abs1 pred_Un)
+      (auto simp add: nat_simp_union, rule pred_le, auto intro:leI)
+  moreover from \<open>\<phi>\<in>formula\<close> \<open>nenv\<in>list(M)\<close>
+  have "?f_fm\<in>formula" by simp
+  moreover
+  note inM = P_in_M leq_in_M one_in_M \<open>nenv\<in>list(M)\<close> \<open>?\<pi>\<in>M\<close>
+  ultimately
+  obtain Y where "Y\<in>M"
+    "\<forall>m\<in>M. m \<in> Y \<longleftrightarrow> (\<exists>\<rho>p\<in>M. \<rho>p \<in> ?\<pi> \<and> M, [\<rho>p,m] @ ([P,leq,one] @ nenv) \<Turnstile> ?f_fm)"
+    using replacement_ax[of ?f_fm "[P,leq,one] @ nenv"]
+    unfolding strong_replacement_def by auto
+  with \<open>least(_,QQ(_),f(_))\<close> \<open>f(_) \<in> M\<close> \<open>?\<pi>\<in>M\<close>
+    \<open>_ \<Longrightarrow> _ \<Longrightarrow> _ \<Longrightarrow> M,_ \<Turnstile> ?f_fm \<longleftrightarrow> least(_,_,_)\<close>
+  have "f(\<rho>p)\<in>Y" if "\<rho>p\<in>?\<pi>" for \<rho>p
+    using that transitivity[OF _ \<open>?\<pi>\<in>M\<close>]
+    by (clarsimp, rule_tac x="\<langle>x,y\<rangle>" in bexI, auto)
+  moreover
+  have "{y\<in>Y. Ord(y)} \<in> M"
+    using \<open>Y\<in>M\<close> separation_ax sats_ordinal_fm trans_M
+      separation_cong[of "##M" "\<lambda>y. sats(M,ordinal_fm(0),[y])" "Ord"]
+      separation_closed by simp
+  then
+  have "\<Union> {y\<in>Y. Ord(y)} \<in> M" (is "?sup \<in> M")
+    using Union_closed by simp
+  then
+  have "{x\<in>Vset(?sup). x \<in> M} \<in> M"
+    using Vset_closed by simp
+  moreover
+  have "{one} \<in> M"
+    using one_in_M singletonM by simp
+  ultimately
+  have "{x\<in>Vset(?sup). x \<in> M} \<times> {one} \<in> M" (is "?big_name \<in> M")
+    using cartprod_closed by simp
+  then
+  have "val(G,?big_name) \<in> M[G]"
+    by (blast intro:GenExtI)
+  {
+    fix v x
+    assume "x\<in>c"
+    moreover
+    note \<open>val(G,\<pi>')=c\<close> \<open>\<pi>'\<in>M\<close>
+    moreover
+    from calculation
+    obtain \<rho> p where "\<langle>\<rho>,p\<rangle>\<in>\<pi>'"  "val(G,\<rho>) = x" "p\<in>G" "\<rho>\<in>M"
+      using elem_of_val_pair'[of \<pi>' x G] by blast
+    moreover
+    assume "v\<in>M[G]"
+    then
+    obtain \<sigma> where "val(G,\<sigma>) = v" "\<sigma>\<in>M"
+      using GenExtD by auto
+    moreover
+    assume "sats(M[G], \<phi>, [x,v] @ env)"
+    moreover
+    note \<open>\<phi>\<in>_\<close> \<open>nenv\<in>_\<close> \<open>env = _\<close> \<open>arity(\<phi>)\<le> 2 #+ length(env)\<close>
+    ultimately
+    obtain q where "q\<in>G" "q \<tturnstile> \<phi> ([\<rho>,\<sigma>]@nenv)"
+      using truth_lemma[OF \<open>\<phi>\<in>_\<close> generic, symmetric, of "[\<rho>,\<sigma>] @ nenv"]
+      by auto
+    with \<open>\<langle>\<rho>,p\<rangle>\<in>\<pi>'\<close> \<open>\<langle>\<rho>,q\<rangle>\<in>?\<pi> \<Longrightarrow> f(\<langle>\<rho>,q\<rangle>)\<in>Y\<close>
+    have "f(\<langle>\<rho>,q\<rangle>)\<in>Y"
+      using generic unfolding M_generic_def filter_def by blast
+    let ?\<alpha>="succ(rank(\<sigma>))"
+    note \<open>\<sigma>\<in>M\<close>
+    moreover from this
+    have "?\<alpha> \<in> M"
+      using rank_closed cons_closed by (simp flip: setclass_iff)
+    moreover
+    have "\<sigma> \<in> Vset(?\<alpha>)"
+      using Vset_Ord_rank_iff by auto
+    moreover
+    note \<open>q \<tturnstile> \<phi> ([\<rho>,\<sigma>] @ nenv)\<close>
+    ultimately
+    have "?P(\<langle>\<rho>,q\<rangle>,?\<alpha>)" by (auto simp del: Vset_rank_iff)
+    moreover
+    have "(\<mu> \<alpha>. ?P(\<langle>\<rho>,q\<rangle>,\<alpha>)) = f(\<langle>\<rho>,q\<rangle>)"
+      unfolding f_def by simp
+    ultimately
+    obtain \<tau> where "\<tau>\<in>M" "\<tau> \<in> Vset(f(\<langle>\<rho>,q\<rangle>))" "q \<tturnstile> \<phi> ([\<rho>,\<tau>] @ nenv)"
+      using LeastI[of "\<lambda> \<alpha>. ?P(\<langle>\<rho>,q\<rangle>,\<alpha>)" ?\<alpha>] by auto
+    with \<open>q\<in>G\<close> \<open>\<rho>\<in>M\<close> \<open>nenv\<in>_\<close> \<open>arity(\<phi>)\<le> 2 #+ length(nenv)\<close>
+    have "M[G], map(val(G),[\<rho>,\<tau>] @ nenv) \<Turnstile> \<phi>"
+      using truth_lemma[OF \<open>\<phi>\<in>_\<close> generic, of "[\<rho>,\<tau>] @ nenv"] by auto
+    moreover from \<open>x\<in>c\<close> \<open>c\<in>M[G]\<close>
+    have "x\<in>M[G]" using transitivity_MG by simp
+    moreover
+    note \<open>M[G],[x,v] @ env\<Turnstile> \<phi>\<close> \<open>env = map(val(G),nenv)\<close> \<open>\<tau>\<in>M\<close> \<open>val(G,\<rho>)=x\<close>
+      \<open>univalent(##M[G],_,_)\<close> \<open>x\<in>c\<close> \<open>v\<in>M[G]\<close>
+    ultimately
+    have "v=val(G,\<tau>)"
+      using GenExtI[of \<tau> G] unfolding univalent_def by (auto)
+    from \<open>\<tau> \<in> Vset(f(\<langle>\<rho>,q\<rangle>))\<close> \<open>Ord(f(_))\<close>  \<open>f(\<langle>\<rho>,q\<rangle>)\<in>Y\<close>
+    have "\<tau> \<in> Vset(?sup)"
+      using Vset_Ord_rank_iff lt_Union_iff[of _ "rank(\<tau>)"] by auto
+    with \<open>\<tau>\<in>M\<close>
+    have "val(G,\<tau>) \<in> val(G,?big_name)"
+      using domain_of_prod[of one "{one}" "{x\<in>Vset(?sup). x \<in> M}" ] def_val[of G ?big_name]
+        one_in_G[OF generic] one_in_P  by (auto simp del: Vset_rank_iff)
+    with \<open>v=val(G,\<tau>)\<close>
+    have "v \<in> val(G,{x\<in>Vset(?sup). x \<in> M} \<times> {one})"
+      by simp
+  }
+  then
+  have "{v. x\<in>c, ?R(x,v)} \<subseteq> val(G,?big_name)" (is "?repl\<subseteq>?big")
+    by blast
+  with \<open>?big_name\<in>M\<close>
+  have "?repl = {v\<in>?big. \<exists>x\<in>c. sats(M[G], \<phi>, [x,v] @ env )}" (is "_ = ?rhs")
+  proof(intro equalityI subsetI)
+    fix v
+    assume "v\<in>?repl"
+    with \<open>?repl\<subseteq>?big\<close>
+    obtain x where "x\<in>c" "M[G], [x, v] @ env \<Turnstile> \<phi>" "v\<in>?big"
+      using subsetD by auto
+    with \<open>univalent(##M[G],_,_)\<close> \<open>c\<in>M[G]\<close>
+    show "v \<in> ?rhs"
+      unfolding univalent_def
+      using transitivity_MG ReplaceI[of "\<lambda> x v. \<exists>x\<in>c. M[G], [x, v] @ env \<Turnstile> \<phi>"] by blast
+  next
+    fix v
+    assume "v\<in>?rhs"
+    then
+    obtain x where
+      "v\<in>val(G, ?big_name)" "M[G], [x, v] @ env \<Turnstile> \<phi>" "x\<in>c"
+      by blast
+    moreover from this \<open>c\<in>M[G]\<close>
+    have "v\<in>M[G]" "x\<in>M[G]"
+      using transitivity_MG GenExtI[OF \<open>?big_name\<in>_\<close>,of G] by auto
+    moreover from calculation \<open>univalent(##M[G],_,_)\<close>
+    have "?R(x,y) \<Longrightarrow> y = v" for y
+      unfolding univalent_def by auto
+    ultimately
+    show "v\<in>?repl"
+      using ReplaceI[of ?R x v c]
+      by blast
+  qed
+  moreover
+  let ?\<psi> = "Exists(And(Member(0,2#+length(env)),\<phi>))"
+  have "v\<in>M[G] \<Longrightarrow> (\<exists>x\<in>c. M[G], [x,v] @ env \<Turnstile> \<phi>) \<longleftrightarrow> M[G], [v] @ env @ [c] \<Turnstile> ?\<psi>"
+    "arity(?\<psi>) \<le> 2 #+ length(env)" "?\<psi>\<in>formula"
+    for v
+  proof -
+    fix v
+    assume "v\<in>M[G]"
+    with \<open>c\<in>M[G]\<close>
+    have "nth(length(env)#+1,[v]@env@[c]) = c"
+      using  \<open>env\<in>_\<close>nth_concat[of v c "M[G]" env]
+      by auto
+    note inMG= \<open>nth(length(env)#+1,[v]@env@[c]) = c\<close> \<open>c\<in>M[G]\<close> \<open>v\<in>M[G]\<close> \<open>env\<in>_\<close>
+    show "(\<exists>x\<in>c. M[G], [x,v] @ env \<Turnstile> \<phi>) \<longleftrightarrow> M[G], [v] @ env @ [c] \<Turnstile> ?\<psi>"
+    proof
+      assume "\<exists>x\<in>c. M[G], [x, v] @ env \<Turnstile> \<phi>"
+      then obtain x where
+        "x\<in>c" "M[G], [x, v] @ env \<Turnstile> \<phi>" "x\<in>M[G]"
+        using transitivity_MG[OF _ \<open>c\<in>M[G]\<close>]
+        by auto
+      with \<open>\<phi>\<in>_\<close> \<open>arity(\<phi>)\<le>2#+length(env)\<close> inMG
+      show "M[G], [v] @ env @ [c] \<Turnstile> Exists(And(Member(0, 2 #+ length(env)), \<phi>))"
+        using arity_sats_iff[of \<phi> "[c]" _ "[x,v]@env"]
+        by auto
+    next
+      assume "M[G], [v] @ env @ [c] \<Turnstile> Exists(And(Member(0, 2 #+ length(env)), \<phi>))"
+      with inMG
+      obtain x where
+        "x\<in>M[G]" "x\<in>c" "M[G], [x,v]@env@[c] \<Turnstile> \<phi>"
+        by auto
+      with \<open>\<phi>\<in>_\<close> \<open>arity(\<phi>)\<le>2#+length(env)\<close> inMG
+      show "\<exists>x\<in>c. M[G], [x, v] @ env\<Turnstile> \<phi>"
+        using arity_sats_iff[of \<phi> "[c]" _ "[x,v]@env"]
+        by auto
+    qed
+  next
+    from \<open>env\<in>_\<close> \<open>\<phi>\<in>_\<close>
+    show "arity(?\<psi>)\<le>2#+length(env)"
+      using pred_mono[OF _ \<open>arity(\<phi>)\<le>2#+length(env)\<close>] lt_trans[OF _ le_refl]
+      by (auto simp add:nat_simp_union)
+  next
+    from \<open>\<phi>\<in>_\<close>
+    show "?\<psi>\<in>formula" by simp
+  qed
+  moreover from this
+  have "{v\<in>?big. \<exists>x\<in>c. M[G], [x,v] @ env \<Turnstile> \<phi>} = {v\<in>?big. M[G], [v] @ env @ [c] \<Turnstile>  ?\<psi>}"
+    using transitivity_MG[OF _ GenExtI, OF _ \<open>?big_name\<in>M\<close>]
+    by simp
+  moreover from calculation and \<open>env\<in>_\<close> \<open>c\<in>_\<close> \<open>?big\<in>M[G]\<close>
+  have "{v\<in>?big. M[G] , [v] @ env @ [c] \<Turnstile> ?\<psi>} \<in> M[G]"
+    using Collect_sats_in_MG by auto
+  ultimately
+  show ?thesis by simp
+qed
+
+theorem strong_replacement_in_MG:
+  assumes
+    "\<phi>\<in>formula" and "arity(\<phi>) \<le> 2 #+ length(env)" "env \<in> list(M[G])"
+  shows
+    "strong_replacement(##M[G],\<lambda>x v. sats(M[G],\<phi>,[x,v] @ env))"
+proof -
+  let ?R="\<lambda>x y . M[G], [x, y] @ env \<Turnstile> \<phi>"
+  {
+    fix A
+    let ?Y="{v . x \<in> A, v\<in>M[G] \<and> ?R(x,v)}"
+    assume 1: "(##M[G])(A)"
+      "\<forall>x[##M[G]]. x \<in> A \<longrightarrow> (\<forall>y[##M[G]]. \<forall>z[##M[G]]. ?R(x,y) \<and> ?R(x,z) \<longrightarrow> y = z)"
+    then
+    have "univalent(##M[G], A, ?R)" "A\<in>M[G]"
+      unfolding univalent_def by simp_all
+    with assms \<open>A\<in>_\<close>
+    have "(##M[G])(?Y)"
+      using Replace_sats_in_MG by auto
+    have "b \<in> ?Y \<longleftrightarrow> (\<exists>x[##M[G]]. x \<in> A \<and> ?R(x,b))" if "(##M[G])(b)" for b
+    proof(rule)
+      from \<open>A\<in>_\<close>
+      show "\<exists>x[##M[G]]. x \<in> A \<and> ?R(x,b)" if "b \<in> ?Y"
+        using that transitivity_MG by auto
+    next
+      show "b \<in> ?Y" if "\<exists>x[##M[G]]. x \<in> A \<and> ?R(x,b)"
+      proof -
+        from \<open>(##M[G])(b)\<close>
+        have "b\<in>M[G]" by simp
+        with that
+        obtain x where "(##M[G])(x)" "x\<in>A" "b\<in>M[G] \<and> ?R(x,b)"
+          by blast
+        moreover from this 1 \<open>(##M[G])(b)\<close>
+        have "x\<in>M[G]" "z\<in>M[G] \<and> ?R(x,z) \<Longrightarrow> b = z" for z
+          by auto
+        ultimately
+        show ?thesis
+          using ReplaceI[of "\<lambda> x y. y\<in>M[G] \<and> ?R(x,y)"] by auto
+      qed
+    qed
+    then
+    have "\<forall>b[##M[G]]. b \<in> ?Y \<longleftrightarrow> (\<exists>x[##M[G]]. x \<in> A \<and> ?R(x,b))"
+      by simp
+    with \<open>(##M[G])(?Y)\<close>
+    have " (\<exists>Y[##M[G]]. \<forall>b[##M[G]]. b \<in> Y \<longleftrightarrow> (\<exists>x[##M[G]]. x \<in> A \<and> ?R(x,b)))"
+      by auto
+  }
+  then show ?thesis unfolding strong_replacement_def univalent_def
+    by auto
+qed
+
+end (* context G_generic *)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Separation_Axiom.thy b/thys/Forcing/Separation_Axiom.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Separation_Axiom.thy
@@ -0,0 +1,400 @@
+section\<open>The Axiom of Separation in $M[G]$\<close>
+theory Separation_Axiom
+  imports Forcing_Theorems Separation_Rename
+begin
+
+context G_generic
+begin
+
+lemma map_val :
+  assumes "env\<in>list(M[G])"
+  shows "\<exists>nenv\<in>list(M). env = map(val(G),nenv)"
+  using assms
+  proof(induct env)
+    case Nil
+    have "map(val(G),Nil) = Nil" by simp
+    then show ?case by force
+  next
+    case (Cons a l)
+    then obtain a' l' where
+      "l' \<in> list(M)" "l=map(val(G),l')" "a = val(G,a')"
+      "Cons(a,l) = map(val(G),Cons(a',l'))" "Cons(a',l') \<in> list(M)"
+      using \<open>a\<in>M[G]\<close> GenExtD
+      by force
+    then show ?case by force
+qed
+
+
+lemma Collect_sats_in_MG :
+  assumes
+    "c\<in>M[G]"
+    "\<phi> \<in> formula" "env\<in>list(M[G])" "arity(\<phi>) \<le> 1 #+ length(env)"
+  shows    
+    "{x\<in>c. (M[G], [x] @ env \<Turnstile> \<phi>)}\<in> M[G]"
+proof -  
+  from \<open>c\<in>M[G]\<close>
+  obtain \<pi> where "\<pi> \<in> M" "val(G, \<pi>) = c"
+    using GenExt_def by auto
+  let ?\<chi>="And(Member(0,1 #+ length(env)),\<phi>)" and ?Pl1="[P,leq,one]"
+  let ?new_form="sep_ren(length(env),forces(?\<chi>))"
+  let ?\<psi>="Exists(Exists(And(pair_fm(0,1,2),?new_form)))"
+  note phi = \<open>\<phi>\<in>formula\<close> \<open>arity(\<phi>) \<le> 1 #+ length(env)\<close> 
+  then
+  have "?\<chi>\<in>formula" by simp
+  with \<open>env\<in>_\<close> phi
+  have "arity(?\<chi>) \<le> 2#+length(env) " 
+    using nat_simp_union leI by simp
+  with \<open>env\<in>list(_)\<close> phi
+  have "arity(forces(?\<chi>)) \<le> 6 #+ length(env)"
+    using  arity_forces_le by simp
+  then
+  have "arity(forces(?\<chi>)) \<le> 7 #+ length(env)"
+    using nat_simp_union arity_forces leI by simp
+  with \<open>arity(forces(?\<chi>)) \<le>7 #+ _\<close> \<open>env \<in> _\<close> \<open>\<phi> \<in> formula\<close>
+  have "arity(?new_form) \<le> 7 #+ length(env)" "?new_form \<in> formula"
+    using arity_rensep[OF definability[of "?\<chi>"]]  definability[of "?\<chi>"] type_rensep 
+    by auto
+  then
+  have "pred(pred(arity(?new_form))) \<le> 5 #+ length(env)" "?\<psi>\<in>formula"
+    unfolding pair_fm_def upair_fm_def 
+    using nat_simp_union length_type[OF \<open>env\<in>list(M[G])\<close>] 
+        pred_mono[OF _ pred_mono[OF _ \<open>arity(?new_form) \<le> _\<close>]]
+    by auto
+  with \<open>arity(?new_form) \<le> _\<close> \<open>?new_form \<in> formula\<close>
+  have "arity(?\<psi>) \<le> 5 #+ length(env)"
+    unfolding pair_fm_def upair_fm_def 
+    using nat_simp_union arity_forces
+    by auto
+  from \<open>\<phi>\<in>formula\<close>
+  have "forces(?\<chi>) \<in> formula"
+    using definability by simp
+  from \<open>\<pi>\<in>M\<close> P_in_M 
+  have "domain(\<pi>)\<in>M" "domain(\<pi>) \<times> P \<in> M"
+    by (simp_all flip:setclass_iff)
+  from \<open>env \<in> _\<close>
+  obtain nenv where "nenv\<in>list(M)" "env = map(val(G),nenv)" "length(nenv) = length(env)"
+    using map_val by auto
+  from \<open>arity(\<phi>) \<le> _\<close> \<open>env\<in>_\<close> \<open>\<phi>\<in>_\<close>
+  have "arity(\<phi>) \<le> 2#+ length(env)" 
+    using le_trans[OF \<open>arity(\<phi>)\<le>_\<close>] add_le_mono[of 1 2,OF _ le_refl] 
+    by auto
+  with \<open>nenv\<in>_\<close> \<open>env\<in>_\<close> \<open>\<pi>\<in>M\<close> \<open>\<phi>\<in>_\<close> \<open>length(nenv) = length(env)\<close>
+  have "arity(?\<chi>) \<le> length([\<theta>] @ nenv @ [\<pi>])" for \<theta> 
+    using nat_union_abs2[OF _ _ \<open>arity(\<phi>) \<le> 2#+ _\<close>] nat_simp_union 
+    by simp    
+  note in_M = \<open>\<pi>\<in>M\<close> \<open>domain(\<pi>) \<times> P \<in> M\<close>  P_in_M one_in_M leq_in_M
+  {
+    fix u
+    assume "u \<in> domain(\<pi>) \<times> P" "u \<in> M"
+    with in_M \<open>?new_form \<in> formula\<close> \<open>?\<psi>\<in>formula\<close> \<open>nenv \<in> _\<close>
+    have Eq1: "(M, [u] @ ?Pl1 @ [\<pi>] @ nenv \<Turnstile> ?\<psi>) \<longleftrightarrow> 
+                        (\<exists>\<theta>\<in>M. \<exists>p\<in>P. u =\<langle>\<theta>,p\<rangle> \<and> 
+                          M, [\<theta>,p,u]@?Pl1@[\<pi>] @ nenv \<Turnstile> ?new_form)"
+      by (auto simp add: transitivity)
+    have Eq3: "\<theta>\<in>M \<Longrightarrow> p\<in>P \<Longrightarrow>
+       (M, [\<theta>,p,u]@?Pl1@[\<pi>]@nenv \<Turnstile> ?new_form) \<longleftrightarrow>
+          (\<forall>F. M_generic(F) \<and> p \<in> F \<longrightarrow> (M[F],  map(val(F), [\<theta>] @ nenv@[\<pi>]) \<Turnstile>  ?\<chi>))" 
+      for \<theta> p 
+    proof -
+      fix p \<theta> 
+      assume "\<theta> \<in> M" "p\<in>P"
+      then 
+      have "p\<in>M" using P_in_M by (simp add: transitivity)
+      note in_M' = in_M \<open>\<theta> \<in> M\<close> \<open>p\<in>M\<close> \<open>u \<in> domain(\<pi>) \<times> P\<close> \<open>u \<in> M\<close> \<open>nenv\<in>_\<close>
+      then 
+      have "[\<theta>,u] \<in> list(M)" by simp
+      let ?env="[p]@?Pl1@[\<theta>] @ nenv @ [\<pi>,u]"
+      let ?new_env=" [\<theta>,p,u,P,leq,one,\<pi>] @ nenv"
+      let ?\<psi>="Exists(Exists(And(pair_fm(0,1,2),?new_form)))"
+      have "[\<theta>, p, u, \<pi>, leq, one, \<pi>] \<in> list(M)" 
+        using in_M' by simp
+      have "?\<chi> \<in> formula" "forces(?\<chi>)\<in> formula"  
+        using phi by simp_all
+      from in_M' 
+      have "?Pl1 \<in> list(M)" by simp
+      from in_M' have "?env \<in> list(M)" by simp
+      have Eq1': "?new_env \<in> list(M)" using in_M'  by simp 
+      then 
+      have "(M, [\<theta>,p,u]@?Pl1@[\<pi>] @ nenv \<Turnstile> ?new_form) \<longleftrightarrow> (M, ?new_env \<Turnstile> ?new_form)"
+        by simp
+      from in_M' \<open>env \<in> _\<close> Eq1' \<open>length(nenv) = length(env)\<close> 
+        \<open>arity(forces(?\<chi>)) \<le> 7 #+ length(env)\<close> \<open>forces(?\<chi>)\<in> formula\<close>
+        \<open>[\<theta>, p, u, \<pi>, leq, one, \<pi>] \<in> list(M)\<close> 
+      have "... \<longleftrightarrow> M, ?env \<Turnstile> forces(?\<chi>)"
+        using sepren_action[of "forces(?\<chi>)"  "nenv",OF _ _ \<open>nenv\<in>list(M)\<close>] 
+        by simp
+      also from in_M'
+      have "... \<longleftrightarrow> M,  ([p,P, leq, one,\<theta>]@nenv@ [\<pi>])@[u] \<Turnstile> forces(?\<chi>)" 
+        using app_assoc by simp
+      also 
+      from in_M' \<open>env\<in>_\<close> phi \<open>length(nenv) = length(env)\<close>
+        \<open>arity(forces(?\<chi>)) \<le> 6 #+ length(env)\<close> \<open>forces(?\<chi>)\<in>formula\<close>
+      have "... \<longleftrightarrow> M,  [p,P, leq, one,\<theta>]@ nenv @ [\<pi>] \<Turnstile> forces(?\<chi>)"        
+        by (rule_tac arity_sats_iff,auto)
+      also 
+      from \<open>arity(forces(?\<chi>)) \<le> 6 #+ length(env)\<close> \<open>forces(?\<chi>)\<in>formula\<close> in_M' phi 
+      have " ... \<longleftrightarrow> (\<forall>F. M_generic(F) \<and> p \<in> F \<longrightarrow> 
+                           M[F],  map(val(F), [\<theta>] @ nenv @ [\<pi>]) \<Turnstile>  ?\<chi>)"
+        using  definition_of_forcing 
+      proof (intro iffI)
+        assume a1: "M,  [p,P, leq, one,\<theta>] @ nenv @ [\<pi>] \<Turnstile>  forces(?\<chi>)"
+        note definition_of_forcing \<open>arity(\<phi>)\<le> 1#+_\<close>
+        with \<open>nenv\<in>_\<close> \<open>arity(?\<chi>) \<le> length([\<theta>] @ nenv @ [\<pi>])\<close> \<open>env\<in>_\<close>
+        have "p \<in> P \<Longrightarrow> ?\<chi>\<in>formula \<Longrightarrow> [\<theta>,\<pi>] \<in> list(M) \<Longrightarrow>
+                  M, [p,P, leq, one] @ [\<theta>]@ nenv@[\<pi>] \<Turnstile> forces(?\<chi>) \<Longrightarrow> 
+              \<forall>G. M_generic(G) \<and> p \<in> G \<longrightarrow> M[G],  map(val(G), [\<theta>] @ nenv @[\<pi>]) \<Turnstile>  ?\<chi>"
+          by auto
+        then
+        show "\<forall>F. M_generic(F) \<and> p \<in> F \<longrightarrow> 
+                  M[F],  map(val(F), [\<theta>] @ nenv @ [\<pi>]) \<Turnstile>  ?\<chi>"
+          using  \<open>?\<chi>\<in>formula\<close> \<open>p\<in>P\<close> a1 \<open>\<theta>\<in>M\<close> \<open>\<pi>\<in>M\<close> by simp
+      next
+        assume "\<forall>F. M_generic(F) \<and> p \<in> F \<longrightarrow> 
+                   M[F],  map(val(F), [\<theta>] @ nenv @[\<pi>]) \<Turnstile>  ?\<chi>"
+        with definition_of_forcing [THEN iffD2] \<open>arity(?\<chi>) \<le> length([\<theta>] @ nenv @ [\<pi>])\<close>
+        show "M,  [p, P, leq, one,\<theta>] @ nenv @ [\<pi>] \<Turnstile>  forces(?\<chi>)"
+          using  \<open>?\<chi>\<in>formula\<close> \<open>p\<in>P\<close> in_M' 
+          by auto
+      qed
+      finally 
+      show "(M, [\<theta>,p,u]@?Pl1@[\<pi>]@nenv \<Turnstile> ?new_form) \<longleftrightarrow> (\<forall>F. M_generic(F) \<and> p \<in> F \<longrightarrow> 
+                           M[F],  map(val(F), [\<theta>] @ nenv @ [\<pi>]) \<Turnstile>  ?\<chi>)" 
+        by simp
+    qed
+    with Eq1 
+    have "(M, [u] @ ?Pl1 @ [\<pi>] @ nenv \<Turnstile> ?\<psi>) \<longleftrightarrow> 
+         (\<exists>\<theta>\<in>M. \<exists>p\<in>P. u =\<langle>\<theta>,p\<rangle> \<and> 
+          (\<forall>F. M_generic(F) \<and> p \<in> F \<longrightarrow> M[F],  map(val(F), [\<theta>] @ nenv @ [\<pi>]) \<Turnstile>  ?\<chi>))"
+      by auto 
+  }
+  then 
+  have Equivalence: "u\<in> domain(\<pi>) \<times> P \<Longrightarrow> u \<in> M \<Longrightarrow> 
+       (M, [u] @ ?Pl1 @ [\<pi>] @ nenv \<Turnstile> ?\<psi>) \<longleftrightarrow> 
+         (\<exists>\<theta>\<in>M. \<exists>p\<in>P. u =\<langle>\<theta>,p\<rangle> \<and> 
+          (\<forall>F. M_generic(F) \<and> p \<in> F \<longrightarrow> M[F],   map(val(F), [\<theta>] @ nenv @[\<pi>]) \<Turnstile>  ?\<chi>))" 
+    for u 
+    by simp
+  moreover from \<open>env = _\<close> \<open>\<pi>\<in>M\<close> \<open>nenv\<in>list(M)\<close>
+  have map_nenv:"map(val(G), nenv@[\<pi>]) = env @ [val(G,\<pi>)]"
+    using map_app_distrib append1_eq_iff by auto
+  ultimately
+  have aux:"(\<exists>\<theta>\<in>M. \<exists>p\<in>P. u =\<langle>\<theta>,p\<rangle> \<and> (p\<in>G \<longrightarrow> M[G], [val(G,\<theta>)] @ env @ [val(G,\<pi>)] \<Turnstile> ?\<chi>))" 
+   (is "(\<exists>\<theta>\<in>M. \<exists>p\<in>P. _ ( _ \<longrightarrow> _, ?vals(\<theta>) \<Turnstile> _))")
+   if "u \<in> domain(\<pi>) \<times> P" "u \<in> M"  "M, [u]@ ?Pl1 @[\<pi>] @ nenv \<Turnstile> ?\<psi>" for u
+    using Equivalence[THEN iffD1, OF that] generic by force
+  moreover 
+  have "\<theta>\<in>M \<Longrightarrow> val(G,\<theta>)\<in>M[G]" for \<theta>
+    using GenExt_def by auto
+  moreover
+  have "\<theta>\<in> M \<Longrightarrow> [val(G, \<theta>)] @ env @ [val(G, \<pi>)] \<in> list(M[G])" for \<theta>
+  proof -
+    from \<open>\<pi>\<in>M\<close>
+    have "val(G,\<pi>)\<in> M[G]" using GenExtI by simp
+    moreover
+    assume "\<theta> \<in> M"
+    moreover
+    note \<open>env \<in> list(M[G])\<close>
+    ultimately
+    show ?thesis 
+      using GenExtI by simp
+  qed
+  ultimately 
+  have "(\<exists>\<theta>\<in>M. \<exists>p\<in>P. u=\<langle>\<theta>,p\<rangle> \<and> (p\<in>G \<longrightarrow> val(G,\<theta>)\<in>nth(1 #+ length(env),[val(G, \<theta>)] @ env @ [val(G, \<pi>)]) 
+        \<and> M[G],  ?vals(\<theta>) \<Turnstile>  \<phi>))"
+    if "u \<in> domain(\<pi>) \<times> P" "u \<in> M"  "M, [u] @ ?Pl1 @[\<pi>] @ nenv \<Turnstile> ?\<psi>" for u
+    using aux[OF that] by simp
+  moreover from \<open>env \<in> _\<close> \<open>\<pi>\<in>M\<close>
+  have nth:"nth(1 #+ length(env),[val(G, \<theta>)] @ env @ [val(G, \<pi>)]) = val(G,\<pi>)" 
+    if "\<theta>\<in>M" for \<theta>
+    using nth_concat[of "val(G,\<theta>)" "val(G,\<pi>)" "M[G]"] using that GenExtI by simp
+  ultimately
+  have "(\<exists>\<theta>\<in>M. \<exists>p\<in>P. u=\<langle>\<theta>,p\<rangle> \<and> (p\<in>G \<longrightarrow> val(G,\<theta>)\<in>val(G,\<pi>) \<and> M[G],  ?vals(\<theta>) \<Turnstile>  \<phi>))"
+    if "u \<in> domain(\<pi>) \<times> P" "u \<in> M"  "M, [u] @ ?Pl1 @[\<pi>] @ nenv \<Turnstile> ?\<psi>" for u
+    using that \<open>\<pi>\<in>M\<close> \<open>env \<in> _\<close> by simp
+  with \<open>domain(\<pi>)\<times>P\<in>M\<close>
+  have "\<forall>u\<in>domain(\<pi>)\<times>P . (M, [u] @ ?Pl1 @[\<pi>] @ nenv \<Turnstile> ?\<psi>) \<longrightarrow> (\<exists>\<theta>\<in>M. \<exists>p\<in>P. u =\<langle>\<theta>,p\<rangle> \<and>
+        (p \<in> G \<longrightarrow> val(G, \<theta>)\<in>val(G, \<pi>) \<and> M[G],  ?vals(\<theta>) \<Turnstile>  \<phi>))"
+    by (simp add:transitivity)
+  then 
+  have "{u\<in>domain(\<pi>)\<times>P . (M,[u] @ ?Pl1 @[\<pi>] @ nenv \<Turnstile> ?\<psi>) } \<subseteq>
+     {u\<in>domain(\<pi>)\<times>P . \<exists>\<theta>\<in>M. \<exists>p\<in>P. u =\<langle>\<theta>,p\<rangle> \<and> 
+       (p \<in> G \<longrightarrow> val(G, \<theta>)\<in>val(G, \<pi>) \<and> (M[G], ?vals(\<theta>) \<Turnstile> \<phi>))}"
+    (is "?n\<subseteq>?m") 
+    by auto
+  with val_mono 
+  have first_incl: "val(G,?n) \<subseteq> val(G,?m)" 
+    by simp
+  note  \<open>val(G,\<pi>) = c\<close> (* from the assumptions *)
+  with \<open>?\<psi>\<in>formula\<close>  \<open>arity(?\<psi>) \<le> _\<close> in_M \<open>nenv \<in> _\<close> \<open>env \<in> _\<close> \<open>length(nenv) = _\<close> 
+  have "?n\<in>M" 
+    using separation_ax leI separation_iff by auto 
+  from generic 
+  have "filter(G)" "G\<subseteq>P" 
+    unfolding M_generic_def filter_def by simp_all
+  from \<open>val(G,\<pi>) = c\<close> 
+  have "val(G,?m) =
+               {val(G,t) .. t\<in>domain(\<pi>) , \<exists>q\<in>P .  
+                    (\<exists>\<theta>\<in>M. \<exists>p\<in>P. \<langle>t,q\<rangle> = \<langle>\<theta>, p\<rangle> \<and> 
+            (p \<in> G \<longrightarrow> val(G, \<theta>) \<in> c \<and> (M[G],  [val(G, \<theta>)] @ env @ [c] \<Turnstile>  \<phi>)) \<and> q \<in> G)}"
+    using val_of_name by auto
+  also 
+  have "... =  {val(G,t) .. t\<in>domain(\<pi>) , \<exists>q\<in>P. 
+                   val(G, t) \<in> c \<and> (M[G],  [val(G, t)] @ env @ [c] \<Turnstile>  \<phi>) \<and> q \<in> G}" 
+  proof -
+
+    have "t\<in>M \<Longrightarrow>
+      (\<exists>q\<in>P. (\<exists>\<theta>\<in>M. \<exists>p\<in>P. \<langle>t,q\<rangle> = \<langle>\<theta>, p\<rangle> \<and> 
+              (p \<in> G \<longrightarrow> val(G, \<theta>) \<in> c \<and> (M[G],  [val(G, \<theta>)] @ env @ [c] \<Turnstile>  \<phi>)) \<and> q \<in> G)) 
+      \<longleftrightarrow> 
+      (\<exists>q\<in>P. val(G, t) \<in> c \<and> ( M[G], [val(G, t)]@env@[c]\<Turnstile> \<phi> ) \<and> q \<in> G)" for t
+      by auto
+    then show ?thesis using \<open>domain(\<pi>)\<in>M\<close> by (auto simp add:transitivity)
+  qed
+  also 
+  have "... =  {x .. x\<in>c , \<exists>q\<in>P. x \<in> c \<and> (M[G],  [x] @ env @ [c] \<Turnstile>  \<phi>) \<and> q \<in> G}"
+  proof
+
+    show "... \<subseteq> {x .. x\<in>c , \<exists>q\<in>P. x \<in> c \<and> (M[G],  [x] @ env @ [c] \<Turnstile>  \<phi>) \<and> q \<in> G}"
+      by auto
+  next 
+    (* Now we show the other inclusion:
+      {x .. x\<in>c , \<exists>q\<in>P. x \<in> c \<and> (M[G],  [x, w, c] \<Turnstile>  \<phi>) \<and> q \<in> G}
+      \<subseteq>
+      {val(G,t)..t\<in>domain(\<pi>),\<exists>q\<in>P.val(G,t)\<in>c\<and>(M[G], [val(G,t),w] \<Turnstile> \<phi>)\<and>q\<in>G}
+    *)
+    {
+      fix x
+      assume "x\<in>{x .. x\<in>c , \<exists>q\<in>P. x \<in> c \<and> (M[G],  [x] @ env @ [c] \<Turnstile>  \<phi>) \<and> q \<in> G}"
+      then 
+      have "\<exists>q\<in>P. x \<in> c \<and> (M[G],  [x] @ env @ [c] \<Turnstile>  \<phi>) \<and> q \<in> G"
+        by simp
+      with \<open>val(G,\<pi>) = c\<close>  
+      have "\<exists>q\<in>P. \<exists>t\<in>domain(\<pi>). val(G,t) =x \<and> (M[G],  [val(G,t)] @ env @ [c] \<Turnstile>  \<phi>) \<and> q \<in> G" 
+        using Sep_and_Replace elem_of_val by auto
+    }
+    then 
+    show " {x .. x\<in>c , \<exists>q\<in>P. x \<in> c \<and> (M[G],  [x] @ env @ [c] \<Turnstile>  \<phi>) \<and> q \<in> G} \<subseteq> ..."
+      using SepReplace_iff by force
+  qed
+  also 
+  have " ... = {x\<in>c. (M[G], [x] @ env @ [c] \<Turnstile> \<phi>)}"
+    using \<open>G\<subseteq>P\<close> G_nonempty by force
+  finally 
+  have val_m: "val(G,?m) = {x\<in>c. (M[G], [x] @ env @ [c] \<Turnstile> \<phi>)}" by simp
+  have "val(G,?m) \<subseteq> val(G,?n)" 
+  proof
+    fix x
+    assume "x \<in> val(G,?m)"
+    with val_m 
+    have Eq4: "x \<in> {x\<in>c. (M[G], [x] @ env @ [c] \<Turnstile> \<phi>)}" by simp
+    with \<open>val(G,\<pi>) = c\<close>
+    have "x \<in> val(G,\<pi>)" by simp
+    then 
+    have "\<exists>\<theta>. \<exists>q\<in>G. \<langle>\<theta>,q\<rangle>\<in>\<pi> \<and> val(G,\<theta>) =x" 
+      using elem_of_val_pair by auto
+    then obtain \<theta> q where
+      "\<langle>\<theta>,q\<rangle>\<in>\<pi>" "q\<in>G" "val(G,\<theta>)=x" by auto
+    from \<open>\<langle>\<theta>,q\<rangle>\<in>\<pi>\<close>
+    have "\<theta>\<in>M"
+      using domain_trans[OF trans_M \<open>\<pi>\<in>_\<close>] by auto
+    with \<open>\<pi>\<in>M\<close> \<open>nenv \<in> _\<close> \<open>env = _\<close>
+    have "[val(G,\<theta>), val(G,\<pi>)] @ env \<in>list(M[G])" 
+      using GenExt_def by auto
+    with  Eq4 \<open>val(G,\<theta>)=x\<close> \<open>val(G,\<pi>) = c\<close> \<open>x \<in> val(G,\<pi>)\<close> nth \<open>\<theta>\<in>M\<close>
+    have Eq5: "M[G],  [val(G,\<theta>)] @ env @[val(G,\<pi>)] \<Turnstile> And(Member(0,1 #+ length(env)),\<phi>)" 
+      by auto
+        (* Recall ?\<chi> = And(Member(0,1 #+ length(env)),\<phi>) *)
+    with \<open>\<theta>\<in>M\<close> \<open>\<pi>\<in>M\<close>  Eq5 \<open>M_generic(G)\<close> \<open>\<phi>\<in>formula\<close> \<open>nenv \<in> _ \<close> \<open>env = _ \<close> map_nenv 
+      \<open>arity(?\<chi>) \<le> length([\<theta>] @ nenv @ [\<pi>])\<close>
+    have "(\<exists>r\<in>G. M,  [r,P,leq,one,\<theta>] @ nenv @[\<pi>] \<Turnstile> forces(?\<chi>))"
+      using truth_lemma  
+      by auto
+    then obtain r where      (* I can't "obtain" this directly *)
+      "r\<in>G" "M,  [r,P,leq,one,\<theta>] @ nenv @ [\<pi>] \<Turnstile> forces(?\<chi>)" by auto
+    with \<open>filter(G)\<close> and \<open>q\<in>G\<close> obtain p where
+      "p\<in>G" "p\<preceq>q" "p\<preceq>r" 
+      unfolding filter_def compat_in_def by force
+    with \<open>r\<in>G\<close>  \<open>q\<in>G\<close> \<open>G\<subseteq>P\<close> 
+    have "p\<in>P" "r\<in>P" "q\<in>P" "p\<in>M"
+      using  P_in_M  by (auto simp add:transitivity)
+    with \<open>\<phi>\<in>formula\<close> \<open>\<theta>\<in>M\<close> \<open>\<pi>\<in>M\<close>  \<open>p\<preceq>r\<close> \<open>nenv \<in> _\<close> \<open>arity(?\<chi>) \<le> length([\<theta>] @ nenv @ [\<pi>])\<close>
+      \<open>M, [r,P,leq,one,\<theta>] @ nenv @ [\<pi>] \<Turnstile> forces(?\<chi>)\<close> \<open>env\<in>_\<close>
+    have "M,  [p,P,leq,one,\<theta>] @ nenv @ [\<pi>] \<Turnstile> forces(?\<chi>)"
+      using strengthening_lemma 
+      by simp
+    with \<open>p\<in>P\<close> \<open>\<phi>\<in>formula\<close> \<open>\<theta>\<in>M\<close> \<open>\<pi>\<in>M\<close> \<open>nenv \<in> _\<close> \<open>arity(?\<chi>) \<le> length([\<theta>] @ nenv @ [\<pi>])\<close>
+    have "\<forall>F. M_generic(F) \<and> p \<in> F \<longrightarrow> 
+                 M[F],   map(val(F), [\<theta>] @ nenv @[\<pi>]) \<Turnstile>  ?\<chi>"
+      using definition_of_forcing
+      by simp
+    with \<open>p\<in>P\<close> \<open>\<theta>\<in>M\<close>  
+    have Eq6: "\<exists>\<theta>'\<in>M. \<exists>p'\<in>P.  \<langle>\<theta>,p\<rangle> = <\<theta>',p'> \<and> (\<forall>F. M_generic(F) \<and> p' \<in> F \<longrightarrow> 
+                 M[F],   map(val(F), [\<theta>'] @ nenv @ [\<pi>]) \<Turnstile>  ?\<chi>)" by auto
+    from \<open>\<pi>\<in>M\<close> \<open>\<langle>\<theta>,q\<rangle>\<in>\<pi>\<close> 
+    have "\<langle>\<theta>,q\<rangle> \<in> M" by (simp add:transitivity)
+    from \<open>\<langle>\<theta>,q\<rangle>\<in>\<pi>\<close> \<open>\<theta>\<in>M\<close> \<open>p\<in>P\<close>  \<open>p\<in>M\<close> 
+    have "\<langle>\<theta>,p\<rangle>\<in>M" "\<langle>\<theta>,p\<rangle>\<in>domain(\<pi>)\<times>P" 
+      using tuples_in_M by auto
+    with \<open>\<theta>\<in>M\<close> Eq6 \<open>p\<in>P\<close>
+    have "M, [\<langle>\<theta>,p\<rangle>] @ ?Pl1 @ [\<pi>] @ nenv \<Turnstile> ?\<psi>"
+      using Equivalence  by auto
+    with \<open>\<langle>\<theta>,p\<rangle>\<in>domain(\<pi>)\<times>P\<close> 
+    have "\<langle>\<theta>,p\<rangle>\<in>?n" by simp
+    with \<open>p\<in>G\<close> \<open>p\<in>P\<close> 
+    have "val(G,\<theta>)\<in>val(G,?n)" 
+      using  val_of_elem[of \<theta> p] by simp
+    with \<open>val(G,\<theta>)=x\<close> 
+    show "x\<in>val(G,?n)" by simp
+  qed (* proof of "val(G,?m) \<subseteq> val(G,?n)" *)
+  with val_m first_incl 
+  have "val(G,?n) = {x\<in>c. (M[G], [x] @ env @ [c] \<Turnstile> \<phi>)}" by auto
+  also 
+  have " ... = {x\<in>c. (M[G], [x] @ env \<Turnstile> \<phi>)}" 
+  proof -
+    {
+      fix x
+      assume "x\<in>c"
+      moreover from assms 
+      have "c\<in>M[G]"
+        unfolding GenExt_def by auto
+      moreover from this and \<open>x\<in>c\<close> 
+      have "x\<in>M[G]"
+        using transitivity_MG
+        by simp
+      ultimately 
+      have "(M[G],  ([x] @ env) @[c] \<Turnstile>  \<phi>) \<longleftrightarrow> (M[G],  [x] @ env \<Turnstile>  \<phi>)" 
+        using phi \<open>env \<in> _\<close> by (rule_tac arity_sats_iff, simp_all)   (* Enhance this *)
+    }
+    then show ?thesis by auto
+  qed      
+  finally 
+  show "{x\<in>c. (M[G], [x] @ env \<Turnstile> \<phi>)}\<in> M[G]" 
+    using \<open>?n\<in>M\<close> GenExt_def by force
+qed
+
+theorem separation_in_MG:
+  assumes 
+    "\<phi>\<in>formula" and "arity(\<phi>) \<le> 1 #+ length(env)" and "env\<in>list(M[G])"
+  shows  
+    "separation(##M[G],\<lambda>x. (M[G], [x] @ env \<Turnstile> \<phi>))"
+proof -
+  { 
+    fix c
+    assume "c\<in>M[G]" 
+    moreover from \<open>env \<in> _\<close>
+    obtain nenv where  "nenv\<in>list(M)" 
+      "env = map(val(G),nenv)" "length(env) = length(nenv)"
+      using GenExt_def map_val[of env] by auto
+    moreover note \<open>\<phi> \<in> _\<close> \<open>arity(\<phi>) \<le> _\<close> \<open>env \<in> _\<close>
+    ultimately
+    have Eq1: "{x\<in>c. (M[G], [x] @ env \<Turnstile> \<phi>)} \<in> M[G]"
+      using Collect_sats_in_MG  by auto
+  }
+  then 
+  show ?thesis 
+    using separation_iff rev_bexI unfolding is_Collect_def by force
+qed
+
+end (* context: G_generic *)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Separation_Rename.thy b/thys/Forcing/Separation_Rename.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Separation_Rename.thy
@@ -0,0 +1,519 @@
+section\<open>Auxiliary renamings for Separation\<close>
+theory Separation_Rename
+  imports Interface Renaming
+begin
+
+lemmas apply_fun = apply_iff[THEN iffD1]
+
+lemma nth_concat : "[p,t] \<in> list(A) \<Longrightarrow> env\<in> list(A) \<Longrightarrow> nth(1 #+ length(env),[p]@ env @ [t]) = t"
+  by(auto simp add:nth_append)
+
+lemma nth_concat2 : "env\<in> list(A) \<Longrightarrow> nth(length(env),env @ [p,t]) = p"
+  by(auto simp add:nth_append)
+
+lemma nth_concat3 : "env\<in> list(A) \<Longrightarrow> u = nth(succ(length(env)), env @ [pi, u])"
+  by(auto simp add:nth_append)
+
+definition 
+  sep_var :: "i \<Rightarrow> i" where
+  "sep_var(n) \<equiv> {\<langle>0,1\<rangle>,\<langle>1,3\<rangle>,\<langle>2,4\<rangle>,\<langle>3,5\<rangle>,\<langle>4,0\<rangle>,\<langle>5#+n,6\<rangle>,\<langle>6#+n,2\<rangle>}"
+
+definition
+  sep_env :: "i \<Rightarrow> i" where
+  "sep_env(n) \<equiv> \<lambda> i \<in> (5#+n)-5 . i#+2"
+
+definition weak :: "[i, i] \<Rightarrow> i" where
+  "weak(n,m) \<equiv> {i#+m . i \<in> n}"
+
+lemma weakD : 
+  assumes "n \<in> nat" "k\<in>nat" "x \<in> weak(n,k)"
+  shows "\<exists> i \<in> n . x = i#+k"
+  using assms unfolding weak_def by blast
+
+lemma weak_equal :
+  assumes "n\<in>nat" "m\<in>nat"
+  shows "weak(n,m) = (m#+n) - m"
+proof -
+  have "weak(n,m)\<subseteq>(m#+n)-m" 
+  proof(intro subsetI)
+    fix x
+    assume "x\<in>weak(n,m)"
+    with assms 
+    obtain i where
+      "i\<in>n" "x=i#+m"
+      using weakD by blast
+    then
+    have "m\<le>i#+m" "i<n"
+      using add_le_self2[of m i] \<open>m\<in>nat\<close> \<open>n\<in>nat\<close> ltI[OF \<open>i\<in>n\<close>] by simp_all
+    then
+    have "\<not>i#+m<m"
+      using not_lt_iff_le in_n_in_nat[OF \<open>n\<in>nat\<close> \<open>i\<in>n\<close>] \<open>m\<in>nat\<close> by simp
+    with \<open>x=i#+m\<close>
+    have "x\<notin>m" 
+      using ltI \<open>m\<in>nat\<close> by auto
+    moreover
+    from assms \<open>x=i#+m\<close> \<open>i<n\<close>
+    have "x<m#+n"
+      using add_lt_mono1[OF \<open>i<n\<close> \<open>n\<in>nat\<close>] by simp
+    ultimately
+    show "x\<in>(m#+n)-m" 
+      using ltD DiffI by simp
+  qed
+  moreover
+  have "(m#+n)-m\<subseteq>weak(n,m)" 
+  proof (intro subsetI)
+    fix x 
+    assume "x\<in>(m#+n)-m"
+    then 
+    have "x\<in>m#+n" "x\<notin>m"
+      using DiffD1[of x "n#+m" m] DiffD2[of x "n#+m" m] by simp_all
+    then
+    have "x<m#+n" "x\<in>nat" 
+      using ltI in_n_in_nat[OF add_type[of m n]] by simp_all
+    then
+    obtain i where
+      "m#+n = succ(x#+i)" 
+      using less_iff_succ_add[OF \<open>x\<in>nat\<close>,of "m#+n"] add_type by auto
+    then 
+    have "x#+i<m#+n" using succ_le_iff by simp
+    with \<open>x\<notin>m\<close> 
+    have "\<not>x<m" using ltD by blast
+    with \<open>m\<in>nat\<close> \<open>x\<in>nat\<close>
+    have "m\<le>x" using not_lt_iff_le by simp 
+    with \<open>x<m#+n\<close>  \<open>n\<in>nat\<close>
+    have "x#-m<m#+n#-m" 
+      using diff_mono[OF \<open>x\<in>nat\<close> _ \<open>m\<in>nat\<close>] by simp
+    have "m#+n#-m =  n" using diff_cancel2 \<open>m\<in>nat\<close> \<open>n\<in>nat\<close> by simp   
+    with \<open>x#-m<m#+n#-m\<close> \<open>x\<in>nat\<close>
+    have "x#-m \<in> n" "x=x#-m#+m" 
+      using ltD add_diff_inverse2[OF \<open>m\<le>x\<close>] by simp_all
+    then 
+    show "x\<in>weak(n,m)" 
+      unfolding weak_def by auto
+  qed
+  ultimately
+  show ?thesis by auto
+qed
+
+lemma weak_zero:
+  shows "weak(0,n) = 0"
+  unfolding weak_def by simp
+
+lemma weakening_diff :
+  assumes "n \<in> nat"
+  shows "weak(n,7) - weak(n,5) \<subseteq> {5#+n, 6#+n}"
+  unfolding weak_def using assms
+proof(auto)
+  {
+    fix i
+    assume "i\<in>n" "succ(succ(natify(i)))\<noteq>n" "\<forall>w\<in>n. succ(succ(natify(i))) \<noteq> natify(w)"
+    then 
+    have "i<n" 
+      using ltI \<open>n\<in>nat\<close> by simp
+    from \<open>n\<in>nat\<close> \<open>i\<in>n\<close> \<open>succ(succ(natify(i)))\<noteq>n\<close>
+    have "i\<in>nat" "succ(succ(i))\<noteq>n" using in_n_in_nat by simp_all
+    from \<open>i<n\<close>
+    have "succ(i)\<le>n" using succ_leI by simp
+    with \<open>n\<in>nat\<close>
+    consider (a) "succ(i) = n" | (b) "succ(i) < n"
+      using leD by auto
+    then have "succ(i) = n" 
+    proof cases
+      case a
+      then show ?thesis .
+    next
+      case b
+      then 
+      have "succ(succ(i))\<le>n" using succ_leI by simp
+      with \<open>n\<in>nat\<close>
+      consider (a) "succ(succ(i)) = n" | (b) "succ(succ(i)) < n"
+        using leD by auto
+      then have "succ(i) = n" 
+      proof cases
+        case a
+        with \<open>succ(succ(i))\<noteq>n\<close> show ?thesis by blast
+      next
+        case b
+        then 
+        have "succ(succ(i))\<in>n" using ltD by simp
+        with \<open>i\<in>nat\<close>
+        have "succ(succ(natify(i))) \<noteq> natify(succ(succ(i)))"
+          using  \<open>\<forall>w\<in>n. succ(succ(natify(i))) \<noteq> natify(w)\<close> by auto
+        then 
+        have "False" using \<open>i\<in>nat\<close> by auto
+        then show ?thesis by blast
+      qed
+      then show ?thesis .
+    qed
+    with \<open>i\<in>nat\<close> have "succ(natify(i)) = n" by simp
+  }
+  then 
+  show "n \<in> nat \<Longrightarrow> 
+    succ(succ(natify(y))) \<noteq> n \<Longrightarrow> 
+    \<forall>x\<in>n. succ(succ(natify(y))) \<noteq> natify(x) \<Longrightarrow>
+    y \<in> n \<Longrightarrow> succ(natify(y)) = n" for y
+    by blast
+qed
+
+lemma in_add_del :
+  assumes "x\<in>j#+n" "n\<in>nat" "j\<in>nat"
+  shows "x < j \<or> x \<in> weak(n,j)" 
+proof (cases "x<j")
+  case True
+  then show ?thesis ..
+next
+  case False
+  have "x\<in>nat" "j#+n\<in>nat"
+    using in_n_in_nat[OF _ \<open>x\<in>j#+n\<close>] assms by simp_all
+  then
+  have "j \<le> x" "x < j#+n" 
+    using not_lt_iff_le False \<open>j\<in>nat\<close> \<open>n\<in>nat\<close> ltI[OF \<open>x\<in>j#+n\<close>] by auto
+  then 
+  have "x#-j < (j #+ n) #- j" "x = j #+ (x #-j)"
+    using diff_mono \<open>x\<in>nat\<close> \<open>j#+n\<in>nat\<close> \<open>j\<in>nat\<close> \<open>n\<in>nat\<close> 
+      add_diff_inverse[OF \<open>j\<le>x\<close>] by simp_all
+  then 
+  have "x#-j < n" "x = (x #-j ) #+ j"
+    using diff_add_inverse \<open>n\<in>nat\<close> add_commute by simp_all
+  then 
+  have "x#-j \<in>n" using ltD by simp
+  then 
+  have "x \<in> weak(n,j)" 
+    unfolding weak_def
+    using \<open>x= (x#-j) #+j\<close> RepFunI[OF \<open>x#-j\<in>n\<close>] add_commute by force
+  then show ?thesis  ..
+qed
+
+
+lemma sep_env_action:
+  assumes
+    "[t,p,u,P,leq,o,pi] \<in> list(M)"
+    "env \<in> list(M)"
+  shows "\<forall> i . i \<in> weak(length(env),5) \<longrightarrow> 
+      nth(sep_env(length(env))`i,[t,p,u,P,leq,o,pi]@env) = nth(i,[p,P,leq,o,t] @ env @ [pi,u])"
+proof -
+  from assms
+  have A: "5#+length(env)\<in>nat" "[p, P, leq, o, t] \<in>list(M)"
+    by simp_all
+  let ?f="sep_env(length(env))"
+  have EQ: "weak(length(env),5) = 5#+length(env) - 5"
+    using weak_equal length_type[OF \<open>env\<in>list(M)\<close>] by simp
+  let ?tgt="[t,p,u,P,leq,o,pi]@env"
+  let ?src="[p,P,leq,o,t] @ env @ [pi,u]"
+  have "nth(?f`i,[t,p,u,P,leq,o,pi]@env) = nth(i,[p,P,leq,o,t] @ env @ [pi,u])" 
+    if "i \<in> (5#+length(env)-5)" for i 
+  proof -
+    from that 
+    have 2: "i \<in> 5#+length(env)"  "i \<notin> 5" "i \<in> nat" "i#-5\<in>nat" "i#+2\<in>nat"
+      using in_n_in_nat[OF \<open>5#+length(env)\<in>nat\<close>] by simp_all
+    then 
+    have 3: "\<not> i < 5" using ltD by force
+    then
+    have "5 \<le> i" "2 \<le> 5" 
+      using  not_lt_iff_le \<open>i\<in>nat\<close> by simp_all
+    then have "2 \<le> i" using le_trans[OF \<open>2\<le>5\<close>] by simp
+    from A \<open>i \<in> 5#+length(env)\<close> 
+    have "i < 5#+length(env)" using ltI by simp
+    with \<open>i\<in>nat\<close> \<open>2\<le>i\<close> A
+    have C:"i#+2 < 7#+length(env)"  by simp
+    with that 
+    have B: "?f`i = i#+2" unfolding sep_env_def by simp
+    from 3 assms(1) \<open>i\<in>nat\<close>
+    have "\<not> i#+2 < 7" using not_lt_iff_le add_le_mono by simp
+    from \<open>i < 5#+length(env)\<close> 3 \<open>i\<in>nat\<close>
+    have "i#-5 < 5#+length(env) #- 5" 
+      using diff_mono[of i "5#+length(env)" 5,OF _ _ _ \<open>i < 5#+length(env)\<close>] 
+        not_lt_iff_le[THEN iffD1] by force
+    with assms(2)
+    have "i#-5 < length(env)" using diff_add_inverse length_type by simp
+    have "nth(i,?src) =nth(i#-5,env@[pi,u])"
+      using nth_append[OF A(2) \<open>i\<in>nat\<close>] 3 by simp
+    also 
+    have "... = nth(i#-5, env)" 
+      using nth_append[OF \<open>env \<in>list(M)\<close> \<open>i#-5\<in>nat\<close>] \<open>i#-5 < length(env)\<close> by simp
+    also 
+    have "... = nth(i#+2, ?tgt)"
+      using nth_append[OF assms(1) \<open>i#+2\<in>nat\<close>] \<open>\<not> i#+2 <7\<close> by simp
+    ultimately 
+    have "nth(i,?src) = nth(?f`i,?tgt)"
+      using B by simp 
+    then show ?thesis using that by simp
+  qed
+  then show ?thesis using EQ by force
+qed
+
+lemma sep_env_type :
+  assumes "n \<in> nat"
+  shows "sep_env(n) : (5#+n)-5 \<rightarrow> (7#+n)-7"
+proof -
+  let ?h="sep_env(n)"
+  from \<open>n\<in>nat\<close> 
+  have "(5#+n)#+2 = 7#+n" "7#+n\<in>nat" "5#+n\<in>nat" by simp_all
+  have
+    D: "sep_env(n)`x \<in> (7#+n)-7" if "x \<in> (5#+n)-5" for x
+  proof -
+    from \<open>x\<in>5#+n-5\<close>
+    have "?h`x = x#+2" "x<5#+n" "x\<in>nat"
+      unfolding sep_env_def using ltI in_n_in_nat[OF \<open>5#+n\<in>nat\<close>] by simp_all
+    then 
+    have "x#+2 < 7#+n" by simp
+    then 
+    have "x#+2 \<in> 7#+n" using ltD by simp
+    from \<open>x\<in>5#+n-5\<close>
+    have "x\<notin>5" by simp 
+    then have "\<not>x<5" using ltD by blast
+    then have "5\<le>x" using not_lt_iff_le \<open>x\<in>nat\<close> by simp
+    then have "7\<le>x#+2" using add_le_mono \<open>x\<in>nat\<close> by simp
+    then have "\<not>x#+2<7" using not_lt_iff_le \<open>x\<in>nat\<close> by simp
+    then have "x#+2 \<notin> 7" using ltI \<open>x\<in>nat\<close> by force
+    with \<open>x#+2 \<in> 7#+n\<close> show ?thesis using  \<open>?h`x = x#+2\<close> DiffI by simp
+  qed
+  then show ?thesis unfolding sep_env_def using lam_type by simp
+qed
+
+lemma sep_var_fin_type :
+  assumes "n \<in> nat"
+  shows "sep_var(n) : 7#+n  -||> 7#+n"
+  unfolding sep_var_def 
+  using consI ltD emptyI by force
+
+lemma sep_var_domain :
+  assumes "n \<in> nat"
+  shows "domain(sep_var(n)) =  7#+n - weak(n,5)"
+proof - 
+  let ?A="weak(n,5)"
+  have A:"domain(sep_var(n)) \<subseteq> (7#+n)" 
+    unfolding sep_var_def 
+    by(auto simp add: le_natE)
+  have C: "x=5#+n \<or> x=6#+n \<or> x \<le> 4" if "x\<in>domain(sep_var(n))" for x
+    using that unfolding sep_var_def by auto
+  have D : "x<n#+7" if "x\<in>7#+n" for x
+    using that \<open>n\<in>nat\<close> ltI by simp
+  have "\<not> 5#+n < 5#+n" using \<open>n\<in>nat\<close>  lt_irrefl[of _ False] by force
+  have "\<not> 6#+n < 5#+n" using \<open>n\<in>nat\<close> by force
+  have R: "x < 5#+n" if "x\<in>?A" for x
+  proof -
+    from that
+    obtain i where
+      "i<n" "x=5#+i" 
+      unfolding weak_def
+      using ltI \<open>n\<in>nat\<close> RepFun_iff by force
+    with \<open>n\<in>nat\<close>
+    have "5#+i < 5#+n" using add_lt_mono2 by simp
+    with \<open>x=5#+i\<close> 
+    show "x < 5#+n" by simp
+  qed
+  then 
+  have 1:"x\<notin>?A" if "\<not>x <5#+n" for x using that by blast
+  have "5#+n \<notin> ?A" "6#+n\<notin>?A"
+  proof -
+    show "5#+n \<notin> ?A" using 1 \<open>\<not>5#+n<5#+n\<close> by blast    
+    with 1 show "6#+n \<notin> ?A" using  \<open>\<not>6#+n<5#+n\<close> by blast
+  qed
+  then 
+  have E:"x\<notin>?A" if "x\<in>domain(sep_var(n))" for x 
+    unfolding weak_def
+    using C that by force
+  then 
+  have F: "domain(sep_var(n)) \<subseteq> 7#+n - ?A" using A by auto
+  from assms
+  have "x<7 \<or> x\<in>weak(n,7)" if "x\<in>7#+n" for x
+    using in_add_del[OF \<open>x\<in>7#+n\<close>] by simp
+  moreover
+  {
+    fix x
+    assume asm:"x\<in>7#+n"  "x\<notin>?A"  "x\<in>weak(n,7)"
+    then 
+    have "x\<in>domain(sep_var(n))" 
+    proof -
+      from \<open>n\<in>nat\<close>
+      have "weak(n,7)-weak(n,5)\<subseteq>{n#+5,n#+6}" 
+        using weakening_diff by simp
+      with  \<open>x\<notin>?A\<close> asm
+      have "x\<in>{n#+5,n#+6}" using  subsetD DiffI by blast
+      then 
+      show ?thesis unfolding sep_var_def by simp
+    qed
+  }
+  moreover
+  {
+    fix x
+    assume asm:"x\<in>7#+n"  "x\<notin>?A" "x<7"
+    then have "x\<in>domain(sep_var(n))"
+    proof (cases "2 \<le> n")
+      case True
+      moreover
+      have "0<n" using  leD[OF \<open>n\<in>nat\<close> \<open>2\<le>n\<close>] lt_imp_0_lt by auto
+      ultimately
+      have "x<5"
+        using \<open>x<7\<close> \<open>x\<notin>?A\<close> \<open>n\<in>nat\<close> in_n_in_nat
+        unfolding weak_def
+        by (clarsimp simp add:not_lt_iff_le, auto simp add:lt_def)
+      then
+      show ?thesis unfolding sep_var_def 
+        by (clarsimp simp add:not_lt_iff_le, auto simp add:lt_def)
+    next
+      case False 
+      then 
+      show ?thesis 
+      proof (cases "n=0")
+        case True
+        then show ?thesis 
+          unfolding sep_var_def using ltD asm \<open>n\<in>nat\<close> by auto
+      next
+        case False
+        then 
+        have "n < 2" using  \<open>n\<in>nat\<close> not_lt_iff_le \<open>\<not> 2 \<le> n\<close>  by force
+        then 
+        have "\<not> n <1" using \<open>n\<noteq>0\<close> by simp
+        then 
+        have "n=1" using not_lt_iff_le \<open>n<2\<close> le_iff by auto
+        then show ?thesis 
+          using \<open>x\<notin>?A\<close> 
+          unfolding weak_def sep_var_def 
+          using ltD asm \<open>n\<in>nat\<close> by force
+      qed
+    qed
+  }
+  ultimately
+  have "w\<in>domain(sep_var(n))" if "w\<in> 7#+n - ?A" for w
+    using that by blast
+  then
+  have "7#+n - ?A \<subseteq> domain(sep_var(n))" by blast
+  with F 
+  show ?thesis by auto
+qed
+
+lemma sep_var_type :
+  assumes "n \<in> nat"
+  shows "sep_var(n) : (7#+n)-weak(n,5) \<rightarrow> 7#+n"
+  using FiniteFun_is_fun[OF sep_var_fin_type[OF \<open>n\<in>nat\<close>]]
+    sep_var_domain[OF \<open>n\<in>nat\<close>] by simp
+
+lemma sep_var_action :
+  assumes 
+    "[t,p,u,P,leq,o,pi] \<in> list(M)"
+    "env \<in> list(M)"
+  shows "\<forall> i . i \<in> (7#+length(env)) - weak(length(env),5) \<longrightarrow> 
+    nth(sep_var(length(env))`i,[t,p,u,P,leq,o,pi]@env) = nth(i,[p,P,leq,o,t] @ env @ [pi,u])"
+  using assms
+proof (subst sep_var_domain[OF length_type[OF \<open>env\<in>list(M)\<close>],symmetric],auto)
+  fix i y
+  assume "\<langle>i, y\<rangle> \<in> sep_var(length(env))"
+  with assms
+  show "nth(sep_var(length(env)) ` i,
+               Cons(t, Cons(p, Cons(u, Cons(P, Cons(leq, Cons(o, Cons(pi, env)))))))) =
+           nth(i, Cons(p, Cons(P, Cons(leq, Cons(o, Cons(t, env @ [pi, u]))))))"  
+    using apply_fun[OF sep_var_type] assms
+      unfolding sep_var_def
+      using nth_concat2[OF \<open>env\<in>list(M)\<close>]  nth_concat3[OF \<open>env\<in>list(M)\<close>,symmetric]
+      by force
+  qed
+
+definition
+  rensep :: "i \<Rightarrow> i" where
+  "rensep(n) \<equiv> union_fun(sep_var(n),sep_env(n),7#+n-weak(n,5),weak(n,5))"
+
+lemma rensep_aux :
+  assumes "n\<in>nat"
+  shows "(7#+n-weak(n,5)) \<union> weak(n,5) = 7#+n" "7#+n \<union> ( 7 #+ n - 7) = 7#+n"
+proof -
+  from \<open>n\<in>nat\<close>
+  have "weak(n,5) = n#+5-5"
+    using weak_equal by simp
+  with  \<open>n\<in>nat\<close>
+  show "(7#+n-weak(n,5)) \<union> weak(n,5) = 7#+n" "7#+n \<union> ( 7 #+ n - 7) = 7#+n"
+    using Diff_partition le_imp_subset by auto
+qed
+
+lemma rensep_type :
+  assumes "n\<in>nat"
+  shows "rensep(n) \<in> 7#+n \<rightarrow> 7#+n"
+proof -
+  from \<open>n\<in>nat\<close>
+  have "rensep(n) \<in> (7#+n-weak(n,5)) \<union> weak(n,5) \<rightarrow> 7#+n \<union> (7#+n - 7)"
+    unfolding rensep_def 
+    using union_fun_type  sep_var_type \<open>n\<in>nat\<close> sep_env_type weak_equal
+    by force
+  then
+  show ?thesis using rensep_aux \<open>n\<in>nat\<close> by auto 
+qed
+
+lemma rensep_action :
+  assumes "[t,p,u,P,leq,o,pi] @ env \<in> list(M)"
+  shows "\<forall> i . i < 7#+length(env) \<longrightarrow> nth(rensep(length(env))`i,[t,p,u,P,leq,o,pi]@env) = nth(i,[p,P,leq,o,t] @ env @ [pi,u])"
+proof - 
+  let ?tgt="[t,p,u,P,leq,o,pi]@env"
+  let ?src="[p,P,leq,o,t] @ env @ [pi,u]"
+  let ?m="7 #+ length(env) - weak(length(env),5)"
+  let ?p="weak(length(env),5)"
+  let ?f="sep_var(length(env))"
+  let ?g="sep_env(length(env))"
+  let ?n="length(env)"
+  from assms
+  have 1 : "[t,p,u,P,leq,o,pi] \<in> list(M)" " env \<in> list(M)"
+    "?src \<in> list(M)" "?tgt \<in> list(M)"  
+    "7#+?n = (7#+?n-weak(?n,5)) \<union> weak(?n,5)"
+    " length(?src) = (7#+?n-weak(?n,5)) \<union> weak(?n,5)"
+    using Diff_partition le_imp_subset rensep_aux by auto
+  then
+  have "nth(i, ?src) = nth(union_fun(?f, ?g, ?m, ?p) ` i, ?tgt)" if "i < 7#+length(env)" for i
+  proof -
+    from \<open>i<7#+?n\<close>
+    have "i \<in> (7#+?n-weak(?n,5)) \<union> weak(?n,5)" 
+      using ltD by simp 
+    then show ?thesis
+      unfolding rensep_def using  
+        union_fun_action[OF \<open>?src\<in>list(M)\<close> \<open>?tgt\<in>list(M)\<close> \<open>length(?src) = (7#+?n-weak(?n,5)) \<union> weak(?n,5)\<close>
+          sep_var_action[OF \<open>[t,p,u,P,leq,o,pi] \<in> list(M)\<close> \<open>env\<in>list(M)\<close>]      
+          sep_env_action[OF \<open>[t,p,u,P,leq,o,pi] \<in> list(M)\<close> \<open>env\<in>list(M)\<close>]
+          ] that 
+      by simp
+  qed
+  then show ?thesis unfolding rensep_def by simp
+qed
+
+definition sep_ren :: "[i,i] \<Rightarrow> i" where
+  "sep_ren(n,\<phi>) \<equiv> ren(\<phi>)`(7#+n)`(7#+n)`rensep(n)"
+
+lemma arity_rensep: assumes "\<phi>\<in>formula" "env \<in> list(M)"
+  "arity(\<phi>) \<le> 7#+length(env)"
+shows "arity(sep_ren(length(env),\<phi>)) \<le> 7#+length(env)"
+  unfolding sep_ren_def
+  using arity_ren rensep_type assms
+  by simp
+
+lemma type_rensep [TC]: 
+  assumes "\<phi>\<in>formula" "env\<in>list(M)" 
+  shows "sep_ren(length(env),\<phi>) \<in> formula"
+  unfolding sep_ren_def
+  using ren_tc rensep_type assms
+  by simp
+
+lemma sepren_action: 
+  assumes "arity(\<phi>) \<le> 7 #+ length(env)"
+    "[t,p,u,P,leq,o,pi] \<in> list(M)"
+    "env\<in>list(M)"
+    "\<phi>\<in>formula"
+  shows "sats(M, sep_ren(length(env),\<phi>),[t,p,u,P,leq,o,pi] @ env) \<longleftrightarrow> sats(M, \<phi>,[p,P,leq,o,t] @ env @ [pi,u])"
+proof -
+  from assms
+  have 1: " [t, p, u, P, leq, o, pi] @ env \<in> list(M)" 
+    "[P,leq,o,p,t] \<in> list(M)"
+    "[pi,u] \<in> list(M)"    
+    by simp_all
+  then 
+  have 2: "[p,P,leq,o,t] @ env @ [pi,u] \<in> list(M)" using app_type by simp
+  show ?thesis 
+    unfolding sep_ren_def
+    using sats_iff_sats_ren[OF \<open>\<phi>\<in>formula\<close>       
+        add_type[of 7 "length(env)"]
+        add_type[of 7 "length(env)"]
+        2 1(1) 
+        rensep_type[OF length_type[OF \<open>env\<in>list(M)\<close>]] 
+        \<open>arity(\<phi>) \<le> 7 #+ length(env)\<close>]
+      rensep_action[OF 1(1),rule_format,symmetric]
+    by simp
+qed
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Succession_Poset.thy b/thys/Forcing/Succession_Poset.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Succession_Poset.thy
@@ -0,0 +1,369 @@
+section\<open>A poset of successions\<close>
+theory Succession_Poset
+  imports
+    Arities Proper_Extension Synthetic_Definition
+    Names
+begin
+
+subsection\<open>The set of finite binary sequences\<close>
+
+text\<open>We implement the poset for adding one Cohen real, the set 
+$2^{<\omega}$ of of finite binary sequences.\<close>
+
+definition
+  seqspace :: "i \<Rightarrow> i" ("_^<\<omega>" [100]100) where
+  "seqspace(B) \<equiv> \<Union>n\<in>nat. (n\<rightarrow>B)"
+
+lemma seqspaceI[intro]: "n\<in>nat \<Longrightarrow> f:n\<rightarrow>B \<Longrightarrow> f\<in>seqspace(B)"
+  unfolding seqspace_def by blast
+
+lemma seqspaceD[dest]: "f\<in>seqspace(B) \<Longrightarrow> \<exists>n\<in>nat. f:n\<rightarrow>B"
+  unfolding seqspace_def by blast
+
+lemma seqspace_type: 
+  "f \<in> B^<\<omega> \<Longrightarrow> \<exists>n\<in>nat. f:n\<rightarrow>B" 
+  unfolding seqspace_def by auto
+
+schematic_goal seqspace_fm_auto:
+  assumes 
+    "nth(i,env) = n" "nth(j,env) = z"  "nth(h,env) = B" 
+    "i \<in> nat" "j \<in> nat" "h\<in>nat" "env \<in> list(A)"
+  shows 
+    "(\<exists>om\<in>A. omega(##A,om) \<and> n \<in> om \<and> is_funspace(##A, n, B, z)) \<longleftrightarrow> (A, env \<Turnstile> (?sqsprp(i,j,h)))"
+  unfolding is_funspace_def 
+  by (insert assms ; (rule sep_rules | simp)+)
+
+synthesize "seqspace_rep_fm" from_schematic seqspace_fm_auto
+ 
+locale M_seqspace =  M_trancl +
+  assumes 
+    seqspace_replacement: "M(B) \<Longrightarrow> strong_replacement(M,\<lambda>n z. n\<in>nat \<and> is_funspace(M,n,B,z))"
+begin
+
+lemma seqspace_closed:
+  "M(B) \<Longrightarrow> M(B^<\<omega>)"
+  unfolding seqspace_def using seqspace_replacement[of B] RepFun_closed2 
+  by simp
+
+end (* M_seqspace *)
+
+
+sublocale M_ctm \<subseteq> M_seqspace "##M"
+proof (unfold_locales, simp)
+  fix B
+  have "arity(seqspace_rep_fm(0,1,2)) \<le> 3" "seqspace_rep_fm(0,1,2)\<in>formula" 
+    unfolding seqspace_rep_fm_def 
+    using arity_pair_fm arity_omega_fm arity_typed_function_fm nat_simp_union 
+    by auto
+  moreover
+  assume "B\<in>M"
+  ultimately
+  have "strong_replacement(##M, \<lambda>x y. M, [x, y, B] \<Turnstile> seqspace_rep_fm(0, 1, 2))"
+    using replacement_ax[of "seqspace_rep_fm(0,1,2)"]
+    by simp
+  moreover 
+  note \<open>B\<in>M\<close>
+  moreover from this
+  have "univalent(##M, A, \<lambda>x y. M, [x, y, B] \<Turnstile> seqspace_rep_fm(0, 1, 2))" 
+    if "A\<in>M" for A 
+    using that unfolding univalent_def seqspace_rep_fm_def  
+    by (auto, blast dest:transitivity)
+  ultimately
+  have "strong_replacement(##M, \<lambda>n z. \<exists>om[##M]. omega(##M,om) \<and> n \<in> om \<and> is_funspace(##M, n, B, z))"
+    using seqspace_fm_auto[of 0 "[_,_,B]" _ 1 _ 2 B M] unfolding seqspace_rep_fm_def strong_replacement_def
+    by simp
+  with \<open>B\<in>M\<close> 
+  show "strong_replacement(##M, \<lambda>n z. n \<in> nat \<and> is_funspace(##M, n, B, z))"
+    using M_nat by simp
+qed
+
+definition seq_upd :: "i \<Rightarrow> i \<Rightarrow> i" where
+  "seq_upd(f,a) \<equiv> \<lambda> j \<in> succ(domain(f)) . if j < domain(f) then f`j else a"
+
+lemma seq_upd_succ_type : 
+  assumes "n\<in>nat" "f\<in>n\<rightarrow>A" "a\<in>A"
+  shows "seq_upd(f,a)\<in> succ(n) \<rightarrow> A"
+proof -
+  from assms
+  have equ: "domain(f) = n" using domain_of_fun by simp
+  {
+    fix j
+    assume "j\<in>succ(domain(f))"
+    with equ \<open>n\<in>_\<close>
+    have "j\<le>n" using ltI by auto
+    with \<open>n\<in>_\<close>
+    consider (lt) "j<n" | (eq) "j=n" using leD by auto
+    then 
+    have "(if j < n then f`j else a) \<in> A"
+    proof cases
+      case lt
+      with \<open>f\<in>_\<close> 
+      show ?thesis using apply_type ltD[OF lt] by simp
+    next
+      case eq
+      with \<open>a\<in>_\<close>
+      show ?thesis by auto
+    qed
+  }
+  with equ
+  show ?thesis
+    unfolding seq_upd_def
+    using lam_type[of "succ(domain(f))"]
+    by auto
+qed
+
+lemma seq_upd_type : 
+  assumes "f\<in>A^<\<omega>" "a\<in>A"
+  shows "seq_upd(f,a) \<in> A^<\<omega>"
+proof -
+  from \<open>f\<in>_\<close>
+  obtain y where "y\<in>nat" "f\<in>y\<rightarrow>A"
+    unfolding seqspace_def by blast
+  with \<open>a\<in>A\<close>
+  have "seq_upd(f,a)\<in>succ(y)\<rightarrow>A" 
+    using seq_upd_succ_type by simp
+  with \<open>y\<in>_\<close>
+  show ?thesis
+    unfolding seqspace_def by auto
+qed
+
+lemma seq_upd_apply_domain [simp]: 
+  assumes "f:n\<rightarrow>A" "n\<in>nat"
+  shows "seq_upd(f,a)`n = a"
+  unfolding seq_upd_def using assms domain_of_fun by auto
+
+lemma zero_in_seqspace : 
+  shows "0 \<in> A^<\<omega>"
+  unfolding seqspace_def
+  by force
+
+definition
+  seqleR :: "i \<Rightarrow> i \<Rightarrow> o" where
+  "seqleR(f,g) \<equiv> g \<subseteq> f"
+
+definition
+  seqlerel :: "i \<Rightarrow> i" where
+  "seqlerel(A) \<equiv> Rrel(\<lambda>x y. y \<subseteq> x,A^<\<omega>)"
+
+definition
+  seqle :: "i" where
+  "seqle \<equiv> seqlerel(2)"
+
+lemma seqleI[intro!]: 
+  "\<langle>f,g\<rangle> \<in> 2^<\<omega>\<times>2^<\<omega> \<Longrightarrow> g \<subseteq> f  \<Longrightarrow> \<langle>f,g\<rangle> \<in> seqle"
+  unfolding  seqspace_def seqle_def seqlerel_def Rrel_def 
+  by blast
+
+lemma seqleD[dest!]: 
+  "z \<in> seqle \<Longrightarrow> \<exists>x y. \<langle>x,y\<rangle> \<in> 2^<\<omega>\<times>2^<\<omega> \<and> y \<subseteq> x \<and> z = \<langle>x,y\<rangle>"
+  unfolding seqle_def seqlerel_def Rrel_def 
+  by blast
+
+lemma upd_leI : 
+  assumes "f\<in>2^<\<omega>" "a\<in>2"
+  shows "\<langle>seq_upd(f,a),f\<rangle>\<in>seqle"  (is "\<langle>?f,_\<rangle>\<in>_")
+proof
+  show " \<langle>?f, f\<rangle> \<in> 2^<\<omega> \<times> 2^<\<omega>" 
+    using assms seq_upd_type by auto
+next
+  show  "f \<subseteq> seq_upd(f,a)" 
+  proof 
+    fix x
+    assume "x \<in> f"
+    moreover from \<open>f \<in> 2^<\<omega>\<close>
+    obtain n where  "n\<in>nat" "f : n \<rightarrow> 2"
+      using seqspace_type by blast
+    moreover from calculation
+    obtain y where "y\<in>n" "x=\<langle>y,f`y\<rangle>" using Pi_memberD[of f n "\<lambda>_ . 2"] 
+      by blast
+    moreover from \<open>f:n\<rightarrow>2\<close>
+    have "domain(f) = n" using domain_of_fun by simp
+    ultimately
+    show "x \<in> seq_upd(f,a)"
+      unfolding seq_upd_def lam_def  
+      by (auto intro:ltI)
+  qed
+qed
+
+lemma preorder_on_seqle: "preorder_on(2^<\<omega>,seqle)"
+  unfolding preorder_on_def refl_def trans_on_def by blast
+
+lemma zero_seqle_max: "x\<in>2^<\<omega> \<Longrightarrow> \<langle>x,0\<rangle> \<in> seqle"
+  using zero_in_seqspace 
+  by auto
+
+interpretation forcing_notion "2^<\<omega>" "seqle" "0"
+  using preorder_on_seqle zero_seqle_max zero_in_seqspace 
+  by unfold_locales simp_all
+
+abbreviation SEQle :: "[i, i] \<Rightarrow> o"  (infixl "\<preceq>s" 50)
+  where "x \<preceq>s y \<equiv> Leq(x,y)"
+
+abbreviation SEQIncompatible :: "[i, i] \<Rightarrow> o"  (infixl "\<bottom>s" 50)
+  where "x \<bottom>s y \<equiv> Incompatible(x,y)"
+
+lemma seqspace_separative:
+  assumes "f\<in>2^<\<omega>"
+  shows "seq_upd(f,0) \<bottom>s seq_upd(f,1)" (is "?f \<bottom>s ?g")
+proof 
+  assume "compat(?f, ?g)"
+  then 
+  obtain h where "h \<in> 2^<\<omega>" "?f \<subseteq> h" "?g \<subseteq> h"
+    by blast
+  moreover from \<open>f\<in>_\<close>
+  obtain y where "y\<in>nat" "f:y\<rightarrow>2" by blast
+  moreover from this
+  have "?f: succ(y) \<rightarrow> 2" "?g: succ(y) \<rightarrow> 2" 
+    using seq_upd_succ_type by blast+
+  moreover from this
+  have "\<langle>y,?f`y\<rangle> \<in> ?f" "\<langle>y,?g`y\<rangle> \<in> ?g" using apply_Pair by auto
+  ultimately
+  have "\<langle>y,0\<rangle> \<in> h" "\<langle>y,1\<rangle> \<in> h" by auto
+  moreover from \<open>h \<in> 2^<\<omega>\<close>
+  obtain n where "n\<in>nat" "h:n\<rightarrow>2" by blast
+  ultimately
+  show "False"
+    using fun_is_function[of h n "\<lambda>_. 2"] 
+    unfolding seqspace_def function_def by auto
+qed
+
+definition is_seqleR :: "[i\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_seqleR(Q,f,g) \<equiv> g \<subseteq> f"
+
+definition seqleR_fm :: "i \<Rightarrow> i" where
+  "seqleR_fm(fg) \<equiv> Exists(Exists(And(pair_fm(0,1,fg#+2),subset_fm(1,0))))"
+
+lemma type_seqleR_fm :
+  "fg \<in> nat \<Longrightarrow> seqleR_fm(fg) \<in> formula"
+  unfolding seqleR_fm_def 
+  by simp
+
+lemma arity_seqleR_fm :
+  "fg \<in> nat \<Longrightarrow> arity(seqleR_fm(fg)) = succ(fg)"
+  unfolding seqleR_fm_def 
+  using arity_pair_fm arity_subset_fm nat_simp_union by simp
+
+lemma (in M_basic) seqleR_abs: 
+  assumes "M(f)" "M(g)"
+  shows "seqleR(f,g) \<longleftrightarrow> is_seqleR(M,f,g)"
+  unfolding seqleR_def is_seqleR_def 
+  using assms apply_abs domain_abs domain_closed[OF \<open>M(f)\<close>]  domain_closed[OF \<open>M(g)\<close>]
+  by auto
+
+definition
+  relP :: "[i\<Rightarrow>o,[i\<Rightarrow>o,i,i]\<Rightarrow>o,i] \<Rightarrow> o" where
+  "relP(M,r,xy) \<equiv> (\<exists>x[M]. \<exists>y[M]. pair(M,x,y,xy) \<and> r(M,x,y))"
+
+lemma (in M_ctm) seqleR_fm_sats : 
+  assumes "fg\<in>nat" "env\<in>list(M)" 
+  shows "sats(M,seqleR_fm(fg),env) \<longleftrightarrow> relP(##M,is_seqleR,nth(fg, env))"
+  unfolding seqleR_fm_def is_seqleR_def relP_def
+  using assms trans_M sats_subset_fm pair_iff_sats
+  by auto
+
+
+lemma (in M_basic) is_related_abs :
+  assumes "\<And> f g . M(f) \<Longrightarrow> M(g) \<Longrightarrow> rel(f,g) \<longleftrightarrow> is_rel(M,f,g)"
+  shows "\<And>z . M(z) \<Longrightarrow> relP(M,is_rel,z) \<longleftrightarrow> (\<exists>x y. z = \<langle>x,y\<rangle> \<and> rel(x,y))"
+  unfolding relP_def using pair_in_M_iff assms by auto
+
+definition
+  is_RRel :: "[i\<Rightarrow>o,[i\<Rightarrow>o,i,i]\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_RRel(M,is_r,A,r) \<equiv> \<exists>A2[M]. cartprod(M,A,A,A2) \<and> is_Collect(M,A2, relP(M,is_r),r)"
+
+lemma (in M_basic) is_Rrel_abs :
+  assumes "M(A)"  "M(r)"
+    "\<And> f g . M(f) \<Longrightarrow> M(g) \<Longrightarrow> rel(f,g) \<longleftrightarrow> is_rel(M,f,g)"
+  shows "is_RRel(M,is_rel,A,r) \<longleftrightarrow>  r = Rrel(rel,A)"
+proof -
+  from \<open>M(A)\<close> 
+  have "M(z)" if "z\<in>A\<times>A" for z
+    using cartprod_closed transM[of z "A\<times>A"] that by simp
+  then
+  have A:"relP(M, is_rel, z) \<longleftrightarrow> (\<exists>x y. z = \<langle>x, y\<rangle> \<and> rel(x, y))" "M(z)" if "z\<in>A\<times>A" for z
+    using that is_related_abs[of rel is_rel,OF assms(3)] by auto
+  then
+  have "Collect(A\<times>A,relP(M,is_rel)) = Collect(A\<times>A,\<lambda>z. (\<exists>x y. z = \<langle>x,y\<rangle> \<and> rel(x,y)))"
+    using Collect_cong[of "A\<times>A" "A\<times>A" "relP(M,is_rel)",OF _ A(1)] assms(1) assms(2)
+    by auto
+  with assms
+  show ?thesis unfolding is_RRel_def Rrel_def using cartprod_closed
+    by auto
+qed
+
+definition
+  is_seqlerel :: "[i\<Rightarrow>o,i,i] \<Rightarrow> o" where
+  "is_seqlerel(M,A,r) \<equiv> is_RRel(M,is_seqleR,A,r)"
+
+lemma (in M_basic) seqlerel_abs :
+  assumes "M(A)"  "M(r)"
+  shows "is_seqlerel(M,A,r) \<longleftrightarrow> r = Rrel(seqleR,A)"
+  unfolding is_seqlerel_def
+  using is_Rrel_abs[OF \<open>M(A)\<close> \<open>M(r)\<close>,of seqleR is_seqleR] seqleR_abs
+  by auto
+
+definition RrelP :: "[i\<Rightarrow>i\<Rightarrow>o,i] \<Rightarrow> i" where
+  "RrelP(R,A) \<equiv> {z\<in>A\<times>A. \<exists>x y. z = \<langle>x, y\<rangle> \<and> R(x,y)}"
+  
+lemma Rrel_eq : "RrelP(R,A) = Rrel(R,A)"
+  unfolding Rrel_def RrelP_def by auto
+
+context M_ctm
+begin
+
+lemma Rrel_closed:
+  assumes "A\<in>M" 
+    "\<And> a. a \<in> nat \<Longrightarrow> rel_fm(a)\<in>formula"
+    "\<And> f g . (##M)(f) \<Longrightarrow> (##M)(g) \<Longrightarrow> rel(f,g) \<longleftrightarrow> is_rel(##M,f,g)"
+    "arity(rel_fm(0)) = 1" 
+    "\<And> a . a \<in> M \<Longrightarrow> sats(M,rel_fm(0),[a]) \<longleftrightarrow> relP(##M,is_rel,a)"
+  shows "(##M)(Rrel(rel,A))" 
+proof -
+  have "z\<in> M \<Longrightarrow> relP(##M, is_rel, z) \<longleftrightarrow> (\<exists>x y. z = \<langle>x, y\<rangle> \<and> rel(x, y))" for z
+    using assms(3) is_related_abs[of rel is_rel]
+    by auto
+  with assms
+  have "Collect(A\<times>A,\<lambda>z. (\<exists>x y. z = \<langle>x,y\<rangle> \<and> rel(x,y))) \<in> M"
+    using Collect_in_M_0p[of "rel_fm(0)" "\<lambda> A z . relP(A,is_rel,z)" "\<lambda> z.\<exists>x y. z = \<langle>x, y\<rangle> \<and> rel(x, y)" ]
+        cartprod_closed
+    by simp
+  then show ?thesis
+  unfolding Rrel_def by simp
+qed
+
+lemma seqle_in_M: "seqle \<in> M"
+  using Rrel_closed seqspace_closed 
+    transitivity[OF _ nat_in_M] type_seqleR_fm[of 0] arity_seqleR_fm[of 0]
+    seqleR_fm_sats[of 0] seqleR_abs seqlerel_abs 
+  unfolding seqle_def seqlerel_def seqleR_def
+  by auto
+
+subsection\<open>Cohen extension is proper\<close>
+
+interpretation ctm_separative "2^<\<omega>" seqle 0
+proof (unfold_locales)
+  fix f
+  let ?q="seq_upd(f,0)" and ?r="seq_upd(f,1)"
+  assume "f \<in> 2^<\<omega>"
+  then
+  have "?q \<preceq>s f \<and> ?r \<preceq>s f \<and> ?q \<bottom>s ?r" 
+    using upd_leI seqspace_separative by auto
+  moreover from calculation
+  have "?q \<in> 2^<\<omega>"  "?r \<in> 2^<\<omega>"
+    using seq_upd_type[of f 2] by auto
+  ultimately
+  show "\<exists>q\<in>2^<\<omega>. \<exists>r\<in>2^<\<omega>. q \<preceq>s f \<and> r \<preceq>s f \<and> q \<bottom>s r"
+    by (rule_tac bexI)+ \<comment> \<open>why the heck auto-tools don't solve this?\<close>
+next
+  show "2^<\<omega> \<in> M" using nat_into_M seqspace_closed by simp
+next
+  show "seqle \<in> M" using seqle_in_M .
+qed
+
+lemma cohen_extension_is_proper: "\<exists>G. M_generic(G) \<and> M \<noteq> GenExt(G)"
+  using proper_extension generic_filter_existence zero_in_seqspace
+  by force
+
+end (* M_ctm *)
+
+end
\ No newline at end of file
diff --git a/thys/Forcing/Synthetic_Definition.thy b/thys/Forcing/Synthetic_Definition.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Synthetic_Definition.thy
@@ -0,0 +1,130 @@
+section\<open>Automatic synthesis of formulas\<close>
+theory Synthetic_Definition
+  imports "ZF-Constructible.Formula"
+  keywords
+    "synthesize" :: thy_decl % "ML"
+    and
+    "synthesize_notc" :: thy_decl % "ML"
+    and
+    "from_schematic"
+
+begin
+ML_file\<open>Utils.ml\<close>
+
+ML\<open>
+val $` = curry ((op $) o swap)
+infix $`
+
+fun pair f g x = (f x, g x)
+
+fun display kind pos (thms,thy) =
+  let val _ = Proof_Display.print_results true pos thy ((kind,""),[thms])
+  in thy
+end
+
+fun prove_tc_form goal thms ctxt =
+  Goal.prove ctxt [] [] goal
+     (fn _ => rewrite_goal_tac ctxt thms 1
+              THEN TypeCheck.typecheck_tac ctxt)
+
+fun prove_sats goal thms thm_auto ctxt =
+  let val ctxt' = ctxt |> Simplifier.add_simp (thm_auto |> hd)
+  in
+  Goal.prove ctxt [] [] goal
+     (fn _ => rewrite_goal_tac ctxt thms 1
+              THEN PARALLEL_ALLGOALS (asm_simp_tac ctxt')
+              THEN TypeCheck.typecheck_tac ctxt')
+  end
+
+fun is_mem (@{const mem} $ _ $  _) = true
+  | is_mem _ = false
+
+fun synth_thm_sats def_name term lhs set env hyps vars vs pos thm_auto lthy =
+let val (_,tm,ctxt1) = Utils.thm_concl_tm lthy term
+    val (thm_refs,ctxt2) = Variable.import true [Proof_Context.get_thm lthy term] ctxt1 |>> #2
+    val vs' = map (Thm.term_of o #2) vs
+    val vars' = map (Thm.term_of o #2) vars
+    val r_tm = tm |> Utils.dest_lhs_def |> fold (op $`) vs'
+    val sats = @{const apply} $ (@{const satisfies} $ set $ r_tm) $ env
+    val rhs = @{const IFOL.eq(i)} $ sats $ (@{const succ} $ @{const zero})
+    val concl = @{const IFOL.iff} $ lhs $ rhs
+    val g_iff = Logic.list_implies(hyps, Utils.tp concl)
+    val thm = prove_sats g_iff thm_refs thm_auto ctxt2
+    val name = Binding.name (def_name ^ "_iff_sats")
+    val thm = Utils.fix_vars thm (map (#1 o dest_Free) vars') lthy
+ in
+   Local_Theory.note ((name, []), [thm]) lthy |> display "theorem" pos
+ end
+
+fun synth_thm_tc def_name term hyps vars pos lthy =
+let val (_,tm,ctxt1) = Utils.thm_concl_tm lthy term
+    val (thm_refs,ctxt2) = Variable.import true [Proof_Context.get_thm lthy term] ctxt1
+                    |>> #2
+    val vars' = map (Thm.term_of o #2) vars
+    val tc_attrib = @{attributes [TC]}
+    val r_tm = tm |> Utils.dest_lhs_def |> fold (op $`) vars'
+    val concl = @{const mem} $ r_tm $ @{const formula}
+    val g = Logic.list_implies(hyps, Utils.tp concl)
+    val thm = prove_tc_form g thm_refs ctxt2
+    val name = Binding.name (def_name ^ "_type")
+    val thm = Utils.fix_vars thm (map (#1 o dest_Free) vars') ctxt2
+ in
+   Local_Theory.note ((name, tc_attrib), [thm]) lthy |> display "theorem" pos
+ end
+
+
+fun synthetic_def def_name thmref pos tc auto thy =
+  let
+    val (thm_ref,_) = thmref |>> Facts.ref_name
+    val (((_,vars),thm_tms),_) = Variable.import true [Proof_Context.get_thm thy thm_ref] thy
+    val (tm,hyps) = thm_tms |> hd |> pair Thm.concl_of Thm.prems_of
+    val (lhs,rhs) = tm |> Utils.dest_iff_tms o Utils.dest_trueprop
+    val ((set,t),env) = rhs |> Utils.dest_sats_frm
+    fun olist t = Ord_List.make String.compare (Term.add_free_names t [])
+    fun relevant ts (@{const mem} $ t $ _) = not (Term.is_Free t) orelse
+        Ord_List.member String.compare ts (t |> Term.dest_Free |> #1)
+      | relevant _ _ = false
+    val t_vars = olist t
+    val vs = List.filter (fn (((v,_),_),_) => Utils.inList v t_vars) vars
+    val at = List.foldr (fn ((_,var),t') => lambda (Thm.term_of var) t') t vs
+    val hyps' = List.filter (relevant t_vars o Utils.dest_trueprop) hyps
+  in
+    Local_Theory.define ((Binding.name def_name, NoSyn),
+                        ((Binding.name (def_name ^ "_def"), []), at)) thy |> #2 |>
+    (if tc then synth_thm_tc def_name (def_name ^ "_def") hyps' vs pos else I) |>
+    (if auto then synth_thm_sats def_name (def_name ^ "_def") lhs set env hyps vars vs pos thm_tms else I)
+
+end
+\<close>
+ML\<open>
+
+local
+  val synth_constdecl =
+       Parse.position (Parse.string -- ((Parse.$$$ "from_schematic" |-- Parse.thm)));
+
+  val _ =
+     Outer_Syntax.local_theory \<^command_keyword>\<open>synthesize\<close> "ML setup for synthetic definitions"
+       (synth_constdecl >> (fn ((bndg,thm),p) => synthetic_def bndg thm p true true))
+
+  val _ =
+     Outer_Syntax.local_theory \<^command_keyword>\<open>synthesize_notc\<close> "ML setup for synthetic definitions"
+       (synth_constdecl >> (fn ((bndg,thm),p) => synthetic_def bndg thm p false false))
+
+in
+
+end
+\<close>
+text\<open>The \<^ML>\<open>synthetic_def\<close> function extracts definitions from
+schematic goals. A new definition is added to the context. \<close>
+
+(* example of use *)
+(*
+schematic_goal mem_formula_ex :
+  assumes "m\<in>nat" "n\<in> nat" "env \<in> list(M)"
+  shows "nth(m,env) \<in> nth(n,env) \<longleftrightarrow> sats(M,?frm,env)"
+  by (insert assms ; (rule sep_rules empty_iff_sats cartprod_iff_sats | simp del:sats_cartprod_fm)+)
+
+synthesize "\<phi>" from_schematic mem_formula_ex
+*)
+
+end
diff --git a/thys/Forcing/Union_Axiom.thy b/thys/Forcing/Union_Axiom.thy
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Union_Axiom.thy
@@ -0,0 +1,177 @@
+section\<open>The Axiom of Unions in $M[G]$\<close>
+theory Union_Axiom
+  imports Names
+begin
+
+context forcing_data
+begin
+
+
+definition Union_name_body :: "[i,i,i,i] \<Rightarrow> o" where
+  "Union_name_body(P',leq',\<tau>,\<theta>p) \<equiv> (\<exists> \<sigma>[##M].
+           \<exists> q[##M]. (q\<in> P' \<and> (\<langle>\<sigma>,q\<rangle> \<in> \<tau> \<and>
+            (\<exists> r[##M].r\<in>P' \<and> (\<langle>fst(\<theta>p),r\<rangle> \<in> \<sigma> \<and> \<langle>snd(\<theta>p),r\<rangle> \<in> leq' \<and> \<langle>snd(\<theta>p),q\<rangle> \<in> leq')))))"
+
+definition Union_name_fm :: "i" where
+  "Union_name_fm \<equiv>
+    Exists(
+    Exists(And(pair_fm(1,0,2),
+    Exists (
+    Exists (And(Member(0,7),
+      Exists (And(And(pair_fm(2,1,0),Member(0,6)),
+        Exists (And(Member(0,9),
+         Exists (And(And(pair_fm(6,1,0),Member(0,4)),
+          Exists (And(And(pair_fm(6,2,0),Member(0,10)),
+          Exists (And(pair_fm(7,5,0),Member(0,11)))))))))))))))))"
+
+lemma Union_name_fm_type [TC]:
+  "Union_name_fm \<in>formula"
+  unfolding Union_name_fm_def by simp
+
+
+lemma arity_Union_name_fm :
+  "arity(Union_name_fm) = 4"
+  unfolding Union_name_fm_def upair_fm_def pair_fm_def
+  by(auto simp add: nat_simp_union)
+
+lemma sats_Union_name_fm :
+  "\<lbrakk> a \<in> M; b \<in> M ; P' \<in> M ; p \<in> M ; \<theta> \<in> M ; \<tau> \<in> M ; leq' \<in> M \<rbrakk> \<Longrightarrow>
+     sats(M,Union_name_fm,[\<langle>\<theta>,p\<rangle>,\<tau>,leq',P']@[a,b]) \<longleftrightarrow>
+     Union_name_body(P',leq',\<tau>,\<langle>\<theta>,p\<rangle>)"
+  unfolding Union_name_fm_def Union_name_body_def tuples_in_M
+  by (subgoal_tac "\<langle>\<theta>,p\<rangle> \<in> M", auto simp add : tuples_in_M)
+
+
+lemma domD :
+  assumes "\<tau> \<in> M" "\<sigma> \<in> domain(\<tau>)"
+  shows "\<sigma> \<in> M"
+  using assms Transset_M trans_M
+  by (simp flip: setclass_iff)
+
+
+definition Union_name :: "i \<Rightarrow> i" where
+  "Union_name(\<tau>) \<equiv>
+    {u \<in> domain(\<Union>(domain(\<tau>))) \<times> P . Union_name_body(P,leq,\<tau>,u)}"
+
+lemma Union_name_M : assumes "\<tau> \<in> M"
+  shows "{u \<in> domain(\<Union>(domain(\<tau>))) \<times> P . Union_name_body(P,leq,\<tau>,u)} \<in> M"
+  unfolding Union_name_def
+proof -
+  let ?P="\<lambda> x . sats(M,Union_name_fm,[x,\<tau>,leq]@[P,\<tau>,leq])"
+  let ?Q="\<lambda> x . Union_name_body(P,leq,\<tau>,x)"
+  from \<open>\<tau>\<in>M\<close>
+  have "domain(\<Union>(domain(\<tau>)))\<in>M" (is "?d \<in> _") using domain_closed Union_closed by simp
+  then
+  have "?d \<times> P \<in> M" using cartprod_closed P_in_M by simp
+  have "arity(Union_name_fm)\<le>6" using arity_Union_name_fm by simp
+  from assms P_in_M leq_in_M  arity_Union_name_fm
+  have "[\<tau>,leq] \<in> list(M)" "[P,\<tau>,leq] \<in> list(M)" by auto
+  with assms assms P_in_M leq_in_M  \<open>arity(Union_name_fm)\<le>6\<close>
+  have "separation(##M,?P)"
+    using separation_ax by simp
+  with \<open>?d \<times> P \<in> M\<close>
+  have A:"{ u \<in> ?d \<times> P . ?P(u) } \<in> M"
+    using  separation_iff by force
+  have "?P(x)\<longleftrightarrow> ?Q(x)" if "x\<in> ?d\<times>P" for x
+  proof -
+    from \<open>x\<in> ?d\<times>P\<close>
+    have "x = \<langle>fst(x),snd(x)\<rangle>" using Pair_fst_snd_eq by simp
+    with \<open>x\<in>?d\<times>P\<close> \<open>?d\<in>M\<close>
+    have "fst(x) \<in> M" "snd(x) \<in> M"
+      using mtrans fst_type snd_type P_in_M unfolding M_trans_def by auto
+    then
+    have "?P(\<langle>fst(x),snd(x)\<rangle>) \<longleftrightarrow>  ?Q(\<langle>fst(x),snd(x)\<rangle>)"
+      using P_in_M sats_Union_name_fm P_in_M \<open>\<tau>\<in>M\<close> leq_in_M by simp
+    with \<open>x = \<langle>fst(x),snd(x)\<rangle>\<close>
+    show "?P(x) \<longleftrightarrow> ?Q(x)" using that by simp
+  qed
+  then show ?thesis using Collect_cong A by simp
+qed
+
+
+
+lemma Union_MG_Eq :
+  assumes "a \<in> M[G]" and "a = val(G,\<tau>)" and "filter(G)" and "\<tau> \<in> M"
+  shows "\<Union> a = val(G,Union_name(\<tau>))"
+proof -
+  {
+    fix x
+    assume "x \<in> \<Union> (val(G,\<tau>))"
+    then obtain i where "i \<in> val(G,\<tau>)" "x \<in> i" by blast
+    with \<open>\<tau> \<in> M\<close> obtain \<sigma> q where
+      "q \<in> G" "\<langle>\<sigma>,q\<rangle> \<in> \<tau>" "val(G,\<sigma>) = i" "\<sigma> \<in> M"
+      using elem_of_val_pair domD by blast
+    with \<open>x \<in> i\<close> obtain \<theta> r where
+      "r \<in> G" "\<langle>\<theta>,r\<rangle> \<in> \<sigma>" "val(G,\<theta>) = x" "\<theta> \<in> M"
+      using elem_of_val_pair domD by blast
+    with \<open>\<langle>\<sigma>,q\<rangle>\<in>\<tau>\<close> have "\<theta> \<in> domain(\<Union>(domain(\<tau>)))" by auto
+    with \<open>filter(G)\<close> \<open>q\<in>G\<close> \<open>r\<in>G\<close> obtain p where
+      A: "p \<in> G" "\<langle>p,r\<rangle> \<in> leq" "\<langle>p,q\<rangle> \<in> leq" "p \<in> P" "r \<in> P" "q \<in> P"
+      using low_bound_filter filterD  by blast
+    then have "p \<in> M" "q\<in>M" "r\<in>M"
+      using mtrans P_in_M unfolding M_trans_def by auto
+    with A \<open>\<langle>\<theta>,r\<rangle> \<in> \<sigma>\<close> \<open>\<langle>\<sigma>,q\<rangle> \<in> \<tau>\<close> \<open>\<theta> \<in> M\<close> \<open>\<theta> \<in> domain(\<Union>(domain(\<tau>)))\<close>  \<open>\<sigma>\<in>M\<close> have
+      "\<langle>\<theta>,p\<rangle> \<in> Union_name(\<tau>)" unfolding Union_name_def Union_name_body_def
+      by auto
+    with \<open>p\<in>P\<close> \<open>p\<in>G\<close> have "val(G,\<theta>) \<in> val(G,Union_name(\<tau>))"
+      using val_of_elem by simp
+    with \<open>val(G,\<theta>)=x\<close> have "x \<in> val(G,Union_name(\<tau>))" by simp
+  }
+  with \<open>a=val(G,\<tau>)\<close> have 1: "x \<in> \<Union> a \<Longrightarrow> x \<in> val(G,Union_name(\<tau>))" for x by simp
+  {
+    fix x
+    assume "x \<in> (val(G,Union_name(\<tau>)))"
+    then obtain \<theta> p where
+      "p \<in> G" "\<langle>\<theta>,p\<rangle> \<in> Union_name(\<tau>)" "val(G,\<theta>) = x"
+      using elem_of_val_pair by blast
+    with \<open>filter(G)\<close> have "p\<in>P" using filterD by simp
+    from \<open>\<langle>\<theta>,p\<rangle> \<in> Union_name(\<tau>)\<close> obtain \<sigma> q r where
+      "\<sigma> \<in> domain(\<tau>)"  "\<langle>\<sigma>,q\<rangle> \<in> \<tau> " "\<langle>\<theta>,r\<rangle> \<in> \<sigma>" "r\<in>P" "q\<in>P" "\<langle>p,r\<rangle> \<in> leq" "\<langle>p,q\<rangle> \<in> leq"
+      unfolding Union_name_def Union_name_body_def by force
+    with \<open>p\<in>G\<close> \<open>filter(G)\<close> have "r \<in> G" "q \<in> G"
+      using filter_leqD by auto
+    with \<open>\<langle>\<theta>,r\<rangle> \<in> \<sigma>\<close> \<open>\<langle>\<sigma>,q\<rangle>\<in>\<tau>\<close> \<open>q\<in>P\<close> \<open>r\<in>P\<close> have
+      "val(G,\<sigma>) \<in> val(G,\<tau>)" "val(G,\<theta>) \<in> val(G,\<sigma>)"
+      using val_of_elem by simp+
+    then have "val(G,\<theta>) \<in> \<Union> val(G,\<tau>)" by blast
+    with \<open>val(G,\<theta>)=x\<close> \<open>a=val(G,\<tau>)\<close> have
+      "x \<in> \<Union> a" by simp
+  }
+  with \<open>a=val(G,\<tau>)\<close>
+  have "x \<in> val(G,Union_name(\<tau>)) \<Longrightarrow> x \<in> \<Union> a" for x by blast
+  then
+  show ?thesis using 1 by blast
+qed
+
+lemma union_in_MG : assumes "filter(G)"
+  shows "Union_ax(##M[G])"
+proof -
+  { fix a
+    assume "a \<in> M[G]"
+    then
+    interpret mgtrans : M_trans "##M[G]"
+      using transitivity_MG by (unfold_locales; auto)
+    from \<open>a\<in>_\<close> obtain \<tau> where "\<tau> \<in> M" "a=val(G,\<tau>)" using GenExtD by blast
+    then
+    have "Union_name(\<tau>) \<in> M" (is "?\<pi> \<in> _") using Union_name_M unfolding Union_name_def by simp
+    then
+    have "val(G,?\<pi>) \<in> M[G]" (is "?U \<in> _") using GenExtI by simp
+    with \<open>a\<in>_\<close>
+    have "(##M[G])(a)" "(##M[G])(?U)" by auto
+    with \<open>\<tau> \<in> M\<close> \<open>filter(G)\<close> \<open>?U \<in> M[G]\<close> \<open>a=val(G,\<tau>)\<close>
+    have "big_union(##M[G],a,?U)"
+      using Union_MG_Eq Union_abs  by simp
+    with \<open>?U \<in> M[G]\<close>
+    have "\<exists>z[##M[G]]. big_union(##M[G],a,z)" by force
+  }
+  then
+  have "Union_ax(##M[G])" unfolding Union_ax_def by force
+  then
+  show ?thesis by simp
+qed
+
+theorem Union_MG : "M_generic(G) \<Longrightarrow> Union_ax(##M[G])"
+  by (simp add:M_generic_def union_in_MG)
+
+end (* forcing_data *)
+end
diff --git a/thys/Forcing/Utils.ml b/thys/Forcing/Utils.ml
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/Utils.ml
@@ -0,0 +1,126 @@
+signature Utils =
+ sig
+    val binop : term -> term -> term -> term
+    val add_: term -> term -> term
+    val app_: term -> term -> term
+    val concat_: term -> term -> term
+    val dest_apply: term -> term * term
+    val dest_iff_lhs: term -> term
+    val dest_iff_rhs: term -> term
+    val dest_iff_tms: term -> term * term
+    val dest_lhs_def: term -> term
+    val dest_rhs_def: term -> term
+    val dest_satisfies_tms: term -> term * term
+    val dest_satisfies_frm: term -> term
+    val dest_eq_tms: term -> term * term
+    val dest_sats_frm: term -> (term * term) * term
+    val dest_trueprop: term -> term
+    val eq_: term -> term -> term
+    val fix_vars: thm -> string list -> Proof.context -> thm
+    val formula_: term
+    val freeName: term -> string
+    val inList: ''a -> ''a list -> bool
+    val isFree: term -> bool
+    val length_: term -> term
+    val list_: term -> term
+    val lt_: term -> term -> term
+    val mem_: term -> term -> term
+    val mk_FinSet: term list -> term
+    val mk_Pair: term -> term -> term
+    val mk_ZFlist: ('a -> term) -> 'a list -> term
+    val mk_ZFnat: int -> term
+    val nat_: term
+    val nth_: term -> term -> term
+    val subset_: term -> term -> term
+    val thm_concl_tm :  Proof.context -> xstring -> 
+        ((indexname * typ) * cterm) list * term * Proof.context
+    val to_ML_list: term -> term list
+    val tp: term -> term
+  end
+
+structure Utils : Utils =
+struct 
+(* Smart constructors for ZF-terms *)
+
+fun inList a = exists (fn b => a = b)
+
+fun binop h t u = h $ t $ u
+val mk_Pair  = binop @{const Pair}
+
+fun mk_FinSet nil = @{const zero}
+  | mk_FinSet (e :: es) = @{const cons} $ e $ mk_FinSet es
+
+fun mk_ZFnat 0 = @{const zero}
+  | mk_ZFnat n = @{const succ} $ mk_ZFnat (n-1)
+
+fun mk_ZFlist _ nil = @{const "Nil"}
+  | mk_ZFlist f (t :: ts) = @{const "Cons"} $ f t $ mk_ZFlist f ts
+
+fun to_ML_list (@{const Nil}) = nil
+  | to_ML_list (@{const Cons} $ t $ ts) = t :: to_ML_list ts
+|   to_ML_list _ = nil
+
+fun isFree (Free (_,_)) = true
+  | isFree _ = false
+
+fun freeName (Free (n,_)) = n
+  | freeName _ = error "Not a free variable"
+
+val app_ = binop @{const apply}
+
+fun tp x = @{const Trueprop} $ x
+fun length_ env = @{const length} $ env
+val nth_ = binop @{const nth}
+val add_ = binop @{const add}
+val mem_ = binop @{const mem}
+val subset_ = binop @{const Subset}
+val lt_ = binop @{const lt}
+val concat_ = binop @{const app}
+val eq_ = binop @{const IFOL.eq(i)}
+
+(* Abbreviation for sets *)
+fun list_ set = @{const list} $ set
+val nat_ = @{const nat}
+val formula_ = @{const formula}
+
+(** Destructors of terms **)
+fun dest_eq_tms (Const (@{const_name IFOL.eq},_) $ t $ u) = (t, u)
+  | dest_eq_tms t = raise TERM ("dest_eq_tms", [t])
+
+fun dest_lhs_def (Const (@{const_name Pure.eq},_) $ x $ _) = x
+  | dest_lhs_def t = raise TERM ("dest_lhs_def", [t])
+
+fun dest_rhs_def (Const (@{const_name Pure.eq},_) $ _ $ y) = y
+  | dest_rhs_def t = raise TERM ("dest_rhs_def", [t])
+
+
+fun dest_apply (@{const apply} $ t $ u) = (t,u)
+  | dest_apply t = raise TERM ("dest_applies_op", [t])
+
+fun dest_satisfies_tms (@{const Formula.satisfies} $ A $ f) = (A,f)
+  | dest_satisfies_tms t = raise TERM ("dest_satisfies_tms", [t]);
+
+val dest_satisfies_frm = #2 o dest_satisfies_tms
+
+fun dest_sats_frm t = t |> dest_eq_tms |> #1 |> dest_apply |>> dest_satisfies_tms ;
+
+fun dest_trueprop (@{const IFOL.Trueprop} $ t) = t
+  | dest_trueprop t = t
+
+fun dest_iff_tms (@{const IFOL.iff} $ t $ u) = (t, u)
+  | dest_iff_tms t = raise TERM ("dest_iff_tms", [t])
+
+val dest_iff_lhs = #1 o dest_iff_tms
+val dest_iff_rhs = #2 o dest_iff_tms
+
+fun thm_concl_tm ctxt thm_ref =
+  let val (((_,vars),thm_tms),ctxt1) = Variable.import true [Proof_Context.get_thm ctxt thm_ref] ctxt
+  in (vars, thm_tms |> hd |> Thm.concl_of, ctxt1)
+end
+
+fun fix_vars thm vars ctxt = let
+  val (_, ctxt1) = Variable.add_fixes vars ctxt
+  in singleton (Proof_Context.export ctxt1 ctxt) thm
+end
+
+end ;
diff --git a/thys/Forcing/document/root.bib b/thys/Forcing/document/root.bib
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/document/root.bib
@@ -0,0 +1,64 @@
+@article{DBLP:journals/jar/PaulsonG96,
+  author    = {Lawrence C. Paulson and
+               Krzysztof Grabczewski},
+  title     = {Mechanizing Set Theory},
+  journal   = {J. Autom. Reasoning},
+  volume    = {17},
+  number    = {3},
+  pages     = {291--323},
+  year      = {1996},
+  xurl       = {https://doi.org/10.1007/BF00283132},
+  doi       = {10.1007/BF00283132},
+  timestamp = {Sat, 20 May 2017 00:22:31 +0200},
+  biburl    = {https://dblp.org/rec/bib/journals/jar/PaulsonG96},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@inproceedings{2018arXiv180705174G,
+       author = {Gunther, Emmanuel and Pagano, Miguel and S{\'a}nchez Terraf, Pedro},
+  title     = {First Steps Towards a Formalization of Forcing},
+  booktitle = {Proceedings of the 13th Workshop on Logical and Semantic Frameworks
+               with Applications, {LSFA} 2018, Fortaleza, Brazil, September 26-28,
+               2018},
+  pages     = {119--136},
+  year      = {2018},
+  url       = {https://doi.org/10.1016/j.entcs.2019.07.008},
+  doi       = {10.1016/j.entcs.2019.07.008},
+  timestamp = {Wed, 05 Feb 2020 13:47:23 +0100},
+  biburl    = {https://dblp.org/rec/journals/entcs/GuntherPT19.bib},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+
+@ARTICLE{2019arXiv190103313G,
+       author = {Gunther, Emmanuel and Pagano, Miguel and S{\'a}nchez Terraf, Pedro},
+        title = "{Mechanization of Separation in Generic Extensions}",
+      journal = {arXiv e-prints},
+     keywords = {Computer Science - Logic in Computer Science, Mathematics - Logic, 03B35 (Primary) 03E40, 03B70, 68T15 (Secondary), F.4.1},
+         year = 2019,
+        month = Jan,
+          eid = {arXiv:1901.03313},
+       volume = {1901.03313},
+archivePrefix = {arXiv},
+       eprint = {1901.03313},
+ primaryClass = {cs.LO},
+       adsurl = {https://ui.adsabs.harvard.edu/\#abs/2019arXiv190103313G},
+      adsnote = {Provided by the SAO/NASA Astrophysics Data System},
+     abstract = {We mechanize, in the proof assistant Isabelle, a proof of the axiom-scheme of Separation in generic extensions of models of set theory by using the fundamental theorems of forcing. We also formalize the satisfaction of the axioms of Extensionality, Foundation, Union, and Powerset. The axiom of Infinity is likewise treated, under additional assumptions on the ground model. In order to achieve these goals, we extended Paulson's library on constructibility with renaming of variables for internalized formulas, improved results on definitions by recursion on well-founded relations, and sharpened hypotheses in his development of relativization and absoluteness.}
+}
+
+@ARTICLE{2020arXiv200109715G,
+       author = {{Gunther}, Emmanuel and {Pagano}, Miguel and {S{\'a}nchez Terraf}, Pedro},
+        title = "{Formalization of Forcing in Isabelle/ZF}",
+      journal = {arXiv e-prints},
+     keywords = {Computer Science - Logic in Computer Science, Mathematics - Logic},
+         year = 2020,
+        month = jan,
+          eid = {arXiv:2001.09715},
+       volume = {2001.09715},
+archivePrefix = {arXiv},
+       eprint = {2001.09715},
+ primaryClass = {cs.LO},
+       adsurl = {https://ui.adsabs.harvard.edu/abs/2020arXiv200109715G},
+      adsnote = {Provided by the SAO/NASA Astrophysics Data System}
+}
diff --git a/thys/Forcing/document/root.bst b/thys/Forcing/document/root.bst
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/document/root.bst
@@ -0,0 +1,1440 @@
+%% 
+%% by pedro
+%% Based on file `model1b-num-names.bst'
+%% 
+%%
+%%
+ENTRY
+  { address
+    author
+    booktitle
+    chapter
+    edition
+    editor
+    howpublished
+    institution
+    journal
+    key
+    month
+    note
+    number
+    organization
+    pages
+    publisher
+    school
+    series
+    title
+    type
+    volume
+    year
+  }
+  {}
+  { label extra.label sort.label short.list }
+INTEGERS { output.state before.all mid.sentence after.sentence after.block }
+FUNCTION {init.state.consts}
+{ #0 'before.all :=
+  #1 'mid.sentence :=
+  #2 'after.sentence :=
+  #3 'after.block :=
+}
+STRINGS { s t}
+FUNCTION {output.nonnull}
+{ 's :=
+  output.state mid.sentence =
+    { ", " * write$ }
+    { output.state after.block =
+        { add.period$ write$
+          newline$
+          "\newblock " write$
+        }
+        { output.state before.all =
+            'write$
+            { add.period$ " " * write$ }
+          if$
+        }
+      if$
+      mid.sentence 'output.state :=
+    }
+  if$
+  s
+}
+FUNCTION {output}
+{ duplicate$ empty$
+    'pop$
+    'output.nonnull
+  if$
+}
+FUNCTION {output.check}
+{ 't :=
+  duplicate$ empty$
+    { pop$ "empty " t * " in " * cite$ * warning$ }
+    'output.nonnull
+  if$
+}
+FUNCTION {fin.entry}
+{ add.period$
+  write$
+  newline$
+}
+
+FUNCTION {new.block}
+{ output.state before.all =
+    'skip$
+    { after.block 'output.state := }
+  if$
+}
+FUNCTION {new.sentence}
+{ output.state after.block =
+    'skip$
+    { output.state before.all =
+        'skip$
+        { after.sentence 'output.state := }
+      if$
+    }
+  if$
+}
+FUNCTION {add.blank}
+{  " " * before.all 'output.state :=
+}
+
+FUNCTION {date.block}
+{
+  skip$
+}
+
+FUNCTION {not}
+{   { #0 }
+    { #1 }
+  if$
+}
+FUNCTION {and}
+{   'skip$
+    { pop$ #0 }
+  if$
+}
+FUNCTION {or}
+{   { pop$ #1 }
+    'skip$
+  if$
+}
+FUNCTION {new.block.checkb}
+{ empty$
+  swap$ empty$
+  and
+    'skip$
+    'new.block
+  if$
+}
+FUNCTION {field.or.null}
+{ duplicate$ empty$
+    { pop$ "" }
+    'skip$
+  if$
+}
+FUNCTION {emphasize}
+{ duplicate$ empty$
+    { pop$ "" }
+    { "\textit{" swap$ * "}" * }
+  if$
+}
+%% by pedro
+FUNCTION {slanted}
+{ duplicate$ empty$
+    { pop$ "" }
+    { "\textsl{" swap$ * "}" * }
+  if$
+}
+FUNCTION {smallcaps}
+{ duplicate$ empty$
+    { pop$ "" }
+    { "\textsc{" swap$ * "}" * }
+  if$
+}
+FUNCTION {bold}
+{ duplicate$ empty$
+    { pop$ "" }
+    { "\textbf{" swap$ * "}" * }
+  if$
+}
+
+
+FUNCTION {tie.or.space.prefix}
+{ duplicate$ text.length$ #3 <
+    { "~" }
+    { " " }
+  if$
+  swap$
+}
+
+FUNCTION {capitalize}
+{ "u" change.case$ "t" change.case$ }
+
+FUNCTION {space.word}
+{ " " swap$ * " " * }
+ % Here are the language-specific definitions for explicit words.
+ % Each function has a name bbl.xxx where xxx is the English word.
+ % The language selected here is ENGLISH
+FUNCTION {bbl.and}
+{ "and"}
+
+FUNCTION {bbl.etal}
+{ "et~al." }
+
+FUNCTION {bbl.editors}
+{ "eds." }
+
+FUNCTION {bbl.editor}
+{ "ed." }
+
+FUNCTION {bbl.edby}
+{ "edited by" }
+
+FUNCTION {bbl.edition}
+{ "edition" }
+
+FUNCTION {bbl.volume}
+{ "volume" }
+
+FUNCTION {bbl.of}
+{ "of" }
+
+FUNCTION {bbl.number}
+{ "number" }
+
+FUNCTION {bbl.nr}
+{ "no." }
+
+FUNCTION {bbl.in}
+{ "in" }
+
+FUNCTION {bbl.pages}
+{ "pp." }
+
+FUNCTION {bbl.page}
+{ "p." }
+
+FUNCTION {bbl.chapter}
+{ "chapter" }
+
+FUNCTION {bbl.techrep}
+{ "Technical Report" }
+
+FUNCTION {bbl.mthesis}
+{ "Master's thesis" }
+
+FUNCTION {bbl.phdthesis}
+{ "Ph.D. thesis" }
+
+MACRO {jan} {"January"}
+
+MACRO {feb} {"February"}
+
+MACRO {mar} {"March"}
+
+MACRO {apr} {"April"}
+
+MACRO {may} {"May"}
+
+MACRO {jun} {"June"}
+
+MACRO {jul} {"July"}
+
+MACRO {aug} {"August"}
+
+MACRO {sep} {"September"}
+
+MACRO {oct} {"October"}
+
+MACRO {nov} {"November"}
+
+MACRO {dec} {"December"}
+
+MACRO {acmcs} {"ACM Comput. Surv."}
+
+MACRO {acta} {"Acta Inf."}
+
+MACRO {cacm} {"Commun. ACM"}
+
+MACRO {ibmjrd} {"IBM J. Res. Dev."}
+
+MACRO {ibmsj} {"IBM Syst.~J."}
+
+MACRO {ieeese} {"IEEE Trans. Software Eng."}
+
+MACRO {ieeetc} {"IEEE Trans. Comput."}
+
+MACRO {ieeetcad}
+ {"IEEE Trans. Comput. Aid. Des."}
+
+MACRO {ipl} {"Inf. Process. Lett."}
+
+MACRO {jacm} {"J.~ACM"}
+
+MACRO {jcss} {"J.~Comput. Syst. Sci."}
+
+MACRO {scp} {"Sci. Comput. Program."}
+
+MACRO {sicomp} {"SIAM J. Comput."}
+
+MACRO {tocs} {"ACM Trans. Comput. Syst."}
+
+MACRO {tods} {"ACM Trans. Database Syst."}
+
+MACRO {tog} {"ACM Trans. Graphic."}
+
+MACRO {toms} {"ACM Trans. Math. Software"}
+
+MACRO {toois} {"ACM Trans. Office Inf. Syst."}
+
+MACRO {toplas} {"ACM Trans. Progr. Lang. Syst."}
+
+MACRO {tcs} {"Theor. Comput. Sci."}
+
+FUNCTION {bibinfo.check}
+{ swap$
+  duplicate$ missing$
+    {
+      pop$ pop$
+      ""
+    }
+    { duplicate$ empty$
+        {
+          swap$ pop$
+        }
+        { swap$
+          "\bibinfo{" swap$ * "}{" * swap$ * "}" *
+        }
+      if$
+    }
+  if$
+}
+FUNCTION {bibinfo.warn}
+{ swap$
+  duplicate$ missing$
+    {
+      swap$ "missing " swap$ * " in " * cite$ * warning$ pop$
+      ""
+    }
+    { duplicate$ empty$
+        {
+          swap$ "empty " swap$ * " in " * cite$ * warning$
+        }
+        { swap$
+          pop$
+        }
+      if$
+    }
+  if$
+}
+STRINGS  { bibinfo}
+INTEGERS { nameptr namesleft numnames }
+
+FUNCTION {format.names}
+{ 'bibinfo :=
+  duplicate$ empty$ 'skip$ {
+  's :=
+  "" 't :=
+  #1 'nameptr :=
+  s num.names$ 'numnames :=
+  numnames 'namesleft :=
+    { namesleft #0 > }
+    { s nameptr
+      "{f{.}.~}{vv~}{ll}{, jj}"
+      format.name$
+      bibinfo bibinfo.check
+      't :=
+      nameptr #1 >
+        {
+          namesleft #1 >
+            { ", " * t * }
+            {
+              "," *
+              s nameptr "{ll}" format.name$ duplicate$ "others" =
+                { 't := }
+                { pop$ }
+              if$
+              t "others" =
+                {
+                  " " * bbl.etal *
+                }
+                { " " * t * }
+              if$
+            }
+          if$
+        }
+        't
+      if$
+      nameptr #1 + 'nameptr :=
+      namesleft #1 - 'namesleft :=
+    }
+  while$
+  } if$
+}
+FUNCTION {format.names.ed}
+{
+  format.names
+}
+FUNCTION {format.key}
+{ empty$
+    { key field.or.null }
+    { "" }
+  if$
+}
+
+FUNCTION {format.authors}
+{ author "author" format.names smallcaps
+}
+FUNCTION {get.bbl.editor}
+{ editor num.names$ #1 > 'bbl.editors 'bbl.editor if$ }
+
+FUNCTION {format.editors}
+{ editor "editor" format.names duplicate$ empty$ 'skip$
+    {
+      " " *
+      get.bbl.editor
+      capitalize
+   "(" swap$ * ")" *
+      *
+    }
+  if$
+}
+FUNCTION {format.note}
+{
+ note empty$
+    { "" }
+    { note #1 #1 substring$
+      duplicate$ "{" =
+        'skip$
+        { output.state mid.sentence =
+          { "l" }
+          { "u" }
+        if$
+        change.case$
+        }
+      if$
+      note #2 global.max$ substring$ * "note" bibinfo.check
+    }
+  if$
+}
+
+FUNCTION {format.title}
+{ title
+  duplicate$ empty$ 'skip$
+    { "t" change.case$ }
+  if$
+  "title" bibinfo.check
+}
+FUNCTION {format.full.names}
+{'s :=
+ "" 't :=
+  #1 'nameptr :=
+  s num.names$ 'numnames :=
+  numnames 'namesleft :=
+    { namesleft #0 > }
+    { s nameptr
+      "{vv~}{ll}" format.name$
+      't :=
+      nameptr #1 >
+        {
+          namesleft #1 >
+            { ", " * t * }
+            {
+              s nameptr "{ll}" format.name$ duplicate$ "others" =
+                { 't := }
+                { pop$ }
+              if$
+              t "others" =
+                {
+                  " " * bbl.etal *
+                }
+                {
+                  bbl.and
+                  space.word * t *
+                }
+              if$
+            }
+          if$
+        }
+        't
+      if$
+      nameptr #1 + 'nameptr :=
+      namesleft #1 - 'namesleft :=
+    }
+  while$
+}
+
+FUNCTION {author.editor.key.full}
+{ author empty$
+    { editor empty$
+        { key empty$
+            { cite$ #1 #3 substring$ }
+            'key
+          if$
+        }
+        { editor format.full.names }
+      if$
+    }
+    { author format.full.names }
+  if$
+}
+
+FUNCTION {author.key.full}
+{ author empty$
+    { key empty$
+         { cite$ #1 #3 substring$ }
+          'key
+      if$
+    }
+    { author format.full.names }
+  if$
+}
+
+FUNCTION {editor.key.full}
+{ editor empty$
+    { key empty$
+         { cite$ #1 #3 substring$ }
+          'key
+      if$
+    }
+    { editor format.full.names }
+  if$
+}
+
+FUNCTION {make.full.names}
+{ type$ "book" =
+  type$ "inbook" =
+  or
+    'author.editor.key.full
+    { type$ "proceedings" =
+        'editor.key.full
+        'author.key.full
+      if$
+    }
+  if$
+}
+
+FUNCTION {output.bibitem}
+{ newline$
+  "\bibitem[{" write$
+  label write$
+  ")" make.full.names duplicate$ short.list =
+     { pop$ }
+     { * }
+   if$
+  "}]{" * write$
+  cite$ write$
+  "}" write$
+  newline$
+  ""
+  before.all 'output.state :=
+}
+
+FUNCTION {n.dashify}
+{
+  't :=
+  ""
+    { t empty$ not }
+    { t #1 #1 substring$ "-" =
+        { t #1 #2 substring$ "--" = not
+            { "--" *
+              t #2 global.max$ substring$ 't :=
+            }
+            {   { t #1 #1 substring$ "-" = }
+                { "-" *
+                  t #2 global.max$ substring$ 't :=
+                }
+              while$
+            }
+          if$
+        }
+        { t #1 #1 substring$ *
+          t #2 global.max$ substring$ 't :=
+        }
+      if$
+    }
+  while$
+}
+
+FUNCTION {word.in}
+{ bbl.in
+  ":" *
+  " " * }
+
+FUNCTION {format.date}
+{ year "year" bibinfo.check duplicate$ empty$
+    {
+      "empty year in " cite$ * "; set to ????" * warning$
+       pop$ "????"
+    }
+    'skip$
+  if$
+  %  extra.label *
+  %% by pedro
+  " (" swap$ * ")" *
+}
+FUNCTION{format.year}
+{ year "year" bibinfo.check duplicate$ empty$
+    {  "empty year in " cite$ *
+       "; set to ????" *
+       warning$
+       pop$ "????"
+    }
+    {
+    }
+  if$
+  % extra.label *
+  " (" swap$ * ")" *
+}
+FUNCTION {format.btitle}
+{ title "title" bibinfo.check
+  duplicate$ empty$ 'skip$
+    {
+    }
+  if$
+  %% by pedro
+  "``" swap$ * "''" *
+}
+FUNCTION {either.or.check}
+{ empty$
+    'pop$
+    { "can't use both " swap$ * " fields in " * cite$ * warning$ }
+  if$
+}
+FUNCTION {format.bvolume}
+{ volume empty$
+    { "" }
+    %% by pedro
+    { series "series" bibinfo.check
+      duplicate$ empty$ 'pop$
+        { %slanted
+           }
+      if$
+      "volume and number" number either.or.check
+      volume tie.or.space.prefix
+      "volume" bibinfo.check 
+      bold
+      * *
+    }
+  if$
+}
+FUNCTION {format.number.series}
+{ volume empty$
+    { number empty$
+        { series field.or.null }
+        { series empty$
+            { number "number" bibinfo.check }
+        { output.state mid.sentence =
+            { bbl.number }
+            { bbl.number capitalize }
+          if$
+          number tie.or.space.prefix "number" bibinfo.check * *
+          bbl.in space.word *
+          series "series" bibinfo.check *
+        }
+      if$
+    }
+      if$
+    }
+    { "" }
+  if$
+}
+
+FUNCTION {format.edition}
+{ edition duplicate$ empty$ 'skip$
+    {
+      output.state mid.sentence =
+        { "l" }
+        { "t" }
+      if$ change.case$
+      "edition" bibinfo.check
+      " " * bbl.edition *
+    }
+  if$
+}
+
+INTEGERS { multiresult }
+FUNCTION {multi.page.check}
+{ 't :=
+  #0 'multiresult :=
+    { multiresult not
+      t empty$ not
+      and
+    }
+    { t #1 #1 substring$
+      duplicate$ "-" =
+      swap$ duplicate$ "," =
+      swap$ "+" =
+      or or
+        { #1 'multiresult := }
+        { t #2 global.max$ substring$ 't := }
+      if$
+    }
+  while$
+  multiresult
+}
+FUNCTION {format.pages}
+{ pages duplicate$ empty$ 'skip$
+    { duplicate$ multi.page.check
+        {
+          bbl.pages swap$
+          n.dashify
+        }
+        {
+          bbl.page swap$
+        }
+      if$
+      tie.or.space.prefix
+      "pages" bibinfo.check
+      * *
+    }
+  if$
+}
+
+FUNCTION {format.pages.simple}
+{ pages duplicate$ empty$ 'skip$
+    { duplicate$ multi.page.check
+        {
+%          bbl.pages swap$
+          n.dashify
+        }
+        {
+%          bbl.page swap$
+        }
+      if$
+      tie.or.space.prefix
+      "pages" bibinfo.check
+      * 
+    }
+  if$
+}
+FUNCTION {format.journal.pages}
+{ pages duplicate$ empty$ 'pop$
+    { swap$ duplicate$ empty$
+        { pop$ pop$ format.pages }
+        {
+          ": " *
+          swap$
+          n.dashify
+          "pages" bibinfo.check
+          *
+        }
+      if$
+    }
+  if$
+}
+FUNCTION {format.vol.num.pages}
+{ volume field.or.null
+  duplicate$ empty$ 'skip$
+    {
+      "volume" bibinfo.check
+    }
+  if$
+  %% by pedro
+  bold
+  pages duplicate$ empty$ 'pop$
+  { swap$ duplicate$ empty$
+      { pop$ pop$ format.pages }
+      {
+        ": " *
+        swap$
+        n.dashify
+        "pages" bibinfo.check
+        *
+      }
+      if$
+  }
+  if$
+  format.year * 
+}
+
+FUNCTION {format.chapter.pages}
+{ chapter empty$
+    { "" }
+    { type empty$
+        { bbl.chapter }
+        { type "l" change.case$
+          "type" bibinfo.check
+        }
+      if$
+      chapter tie.or.space.prefix
+      "chapter" bibinfo.check
+      * *
+    }
+  if$
+}
+
+FUNCTION {format.booktitle}
+{
+  booktitle "booktitle" bibinfo.check
+}
+FUNCTION {format.in.ed.booktitle}
+{ format.booktitle duplicate$ empty$ 'skip$
+    {
+      editor "editor" format.names.ed duplicate$ empty$ 'pop$
+        {
+          " " *
+          get.bbl.editor
+          capitalize
+          "(" swap$ * "), " *
+          * swap$
+          * }
+      if$
+      word.in swap$ *
+    }
+  if$
+}
+FUNCTION {format.thesis.type}
+{ type duplicate$ empty$
+    'pop$
+    { swap$ pop$
+      "t" change.case$ "type" bibinfo.check
+    }
+  if$
+}
+FUNCTION {format.tr.number}
+{ number "number" bibinfo.check
+  type duplicate$ empty$
+    { pop$ bbl.techrep }
+    'skip$
+  if$
+  "type" bibinfo.check
+  swap$ duplicate$ empty$
+    { pop$ "t" change.case$ }
+    { tie.or.space.prefix * * }
+  if$
+}
+FUNCTION {format.article.crossref}
+{
+  word.in
+  " \cite{" * crossref * "}" *
+}
+FUNCTION {format.book.crossref}
+{ volume duplicate$ empty$
+    { "empty volume in " cite$ * "'s crossref of " * crossref * warning$
+      pop$ word.in
+    }
+    { bbl.volume
+      swap$ tie.or.space.prefix "volume" bibinfo.check * * bbl.of space.word *
+    }
+  if$
+  " \cite{" * crossref * "}" *
+}
+FUNCTION {format.incoll.inproc.crossref}
+{
+  word.in
+  " \cite{" * crossref * "}" *
+}
+FUNCTION {format.org.or.pub}
+{ 't :=
+  ""
+  address empty$ t empty$ and
+    'skip$
+    {
+      t empty$
+        { address "address" bibinfo.check *
+        }
+        { t *
+          address empty$
+            'skip$
+            { ", " * address "address" bibinfo.check * }
+          if$
+        }
+      if$
+    }
+  if$
+}
+FUNCTION {format.publisher.address}
+{ publisher "publisher" bibinfo.check format.org.or.pub
+}
+FUNCTION {format.publisher.address.year}
+{ publisher "publisher" bibinfo.check format.org.or.pub
+  format.journal.pages
+  format.year *
+}
+
+FUNCTION {school.address.year}
+{ school "school"  bibinfo.warn 
+  address empty$
+    'skip$
+    { ", " * address "address" bibinfo.check * }
+  if$
+ format.year * 
+}
+
+FUNCTION {format.publisher.address.pages}
+{ publisher "publisher" bibinfo.check format.org.or.pub
+  format.year *
+  
+}
+
+FUNCTION {format.organization.address}
+{ organization "organization" bibinfo.check format.org.or.pub
+}
+
+FUNCTION {format.organization.address.year}
+{ organization "organization" bibinfo.check format.org.or.pub
+  format.journal.pages
+  format.year *
+}
+
+FUNCTION {article}
+{ "%Type = Article" write$
+  output.bibitem
+  format.authors "author" output.check
+  author format.key output
+  format.title "title" output.check
+  crossref missing$
+    {
+      journal
+      "journal" bibinfo.check
+      %% by pedro
+      emphasize
+      "journal" output.check
+      add.blank
+      format.vol.num.pages output
+    }
+    { format.article.crossref output.nonnull
+    }
+  if$
+%  format.journal.pages
+  new.sentence
+  format.note output
+  fin.entry
+}
+FUNCTION {book}
+{ "%Type = Book" write$
+  output.bibitem
+  author empty$
+    { format.editors "author and editor" output.check
+      editor format.key output
+    }
+    { format.authors output.nonnull
+      crossref missing$
+        { "author and editor" editor either.or.check }
+        'skip$
+      if$
+    }
+  if$
+  format.btitle "title" output.check
+  crossref missing$
+    { %% by pedro
+      format.bvolume output
+      format.number.series output
+      % format.bvolume output
+      format.publisher.address.year output
+    }
+    {
+      format.book.crossref output.nonnull
+    }
+  if$
+  format.edition output
+  % format.date "year" output.check
+  new.sentence
+  format.note output
+  fin.entry
+}
+FUNCTION {booklet}
+{ "%Type = Booklet" write$
+  output.bibitem
+  format.authors output
+  author format.key output
+  format.title "title" output.check
+  howpublished "howpublished" bibinfo.check output
+  address "address" bibinfo.check output
+  format.date "year" output.check
+  new.sentence
+  format.note output
+  fin.entry
+}
+
+FUNCTION {inbook}
+{ "%Type = Inbook" write$
+  output.bibitem
+  author empty$
+    { format.editors "author and editor" output.check
+      editor format.key output
+    }
+    { format.authors output.nonnull
+  format.title "title" output.check
+      crossref missing$
+        { "author and editor" editor either.or.check }
+        'skip$
+      if$
+    }
+  if$
+  format.btitle "title" output.check
+  crossref missing$
+    {
+      format.bvolume output
+      format.number.series output
+      format.publisher.address output
+      format.pages "pages" output.check
+      format.edition output
+      format.date "year" output.check
+    }
+    {
+      format.book.crossref output.nonnull
+    }
+  if$
+%  format.edition output
+%  format.pages "pages" output.check
+  new.sentence
+  format.note output
+  fin.entry
+}
+
+FUNCTION {incollection}
+{ "%Type = Incollection" write$
+  output.bibitem
+  format.authors "author" output.check
+  author format.key output
+  format.title "title" output.check
+  crossref missing$
+    { format.in.ed.booktitle "booktitle" output.check
+      format.bvolume output
+      format.number.series output
+      format.pages "pages" output.check
+      % format.publisher.address output
+      % format.date "year" output.check
+      format.publisher.address.year output
+      format.edition output
+    }
+    { format.incoll.inproc.crossref output.nonnull
+    }
+  if$
+%  format.pages "pages" output.check
+  new.sentence
+  format.note output
+  fin.entry
+}
+FUNCTION {inproceedings}
+{ "%Type = Inproceedings" write$
+  output.bibitem
+  format.authors "author" output.check
+  author format.key output
+  format.title "title" output.check
+  crossref missing$
+    {
+      journal
+      "journal" bibinfo.check
+      "journal" output.check
+      format.in.ed.booktitle "booktitle" output.check
+      format.bvolume output
+      format.number.series output
+      publisher empty$
+        { %format.organization.address output 
+	  format.organization.address.year output 
+%	  format.journal.pages		  
+	}
+        { organization "organization" bibinfo.check output
+          format.publisher.address.year output
+          % format.date "year" output.check
+%	  format.journal.pages
+        }
+      if$
+    }
+    { format.incoll.inproc.crossref output.nonnull
+      format.journal.pages
+    }
+  if$
+% format.pages.simple "pages" output.check
+%%% La que sigue la muevo adentro del "if"
+% format.journal.pages
+  new.sentence
+  format.note output
+  fin.entry
+}
+FUNCTION {conference} { inproceedings }
+FUNCTION {manual}
+{ "%Type = Manual" write$
+  output.bibitem
+  format.authors output
+  author format.key output
+  format.btitle "title" output.check
+  organization "organization" bibinfo.check output
+  address "address" bibinfo.check output
+  format.edition output
+  format.date "year" output.check
+  new.sentence
+  format.note output
+  fin.entry
+}
+
+FUNCTION {mastersthesis}
+{ "%Type = Masterthesis" write$
+  output.bibitem
+  format.authors "author" output.check
+  author format.key output
+  format.btitle
+  "title" output.check
+  bbl.mthesis format.thesis.type output.nonnull
+%  school "school" bibinfo.warn output
+%  address "address" bibinfo.check output
+%  format.date "year" output.check
+  school.address.year output
+  new.sentence
+  format.note output
+  fin.entry
+}
+
+FUNCTION {misc}
+{ "%Type = Misc" write$
+  output.bibitem
+  format.authors output
+  author format.key output
+  format.title output
+  howpublished "howpublished" bibinfo.check output
+  format.date "year" output.check
+  new.sentence
+  format.note output
+  fin.entry
+}
+FUNCTION {phdthesis}
+{ "%Type = Phdthesis" write$
+  output.bibitem
+  format.authors "author" output.check
+  author format.key output
+  format.btitle
+  "title" output.check
+  bbl.phdthesis format.thesis.type output.nonnull
+%  school "school" bibinfo.warn output
+%  address "address" bibinfo.check output
+%  format.date "year" output.check
+  school.address.year output
+  new.sentence
+  format.note output
+  fin.entry
+}
+
+FUNCTION {proceedings}
+{ "%Type = Proceedings" write$
+  output.bibitem
+  format.editors output
+  editor format.key output
+  format.btitle "title" output.check
+  format.bvolume output
+  format.number.series output
+  publisher empty$
+    { format.organization.address output }
+    { organization "organization" bibinfo.check output
+      format.publisher.address output
+    }
+  if$
+  format.date "year" output.check
+  new.sentence
+  format.note output
+  fin.entry
+}
+
+FUNCTION {techreport}
+{ "%Type = Techreport" write$
+  output.bibitem
+  format.authors "author" output.check
+  author format.key output
+  format.btitle
+  "title" output.check
+  format.tr.number output.nonnull
+  institution "institution" bibinfo.warn output
+  address "address" bibinfo.check output
+  format.date "year" output.check
+  new.sentence
+  format.note output
+  fin.entry
+}
+
+FUNCTION {unpublished}
+{ "%Type = Unpublished" write$
+  output.bibitem
+  format.authors "author" output.check
+  author format.key output
+  format.title "title" output.check
+  format.date "year" output.check
+  new.sentence
+  format.note "note" output.check
+  fin.entry
+}
+
+FUNCTION {default.type} { misc }
+READ
+FUNCTION {sortify}
+{ purify$
+  "l" change.case$
+}
+INTEGERS { len }
+FUNCTION {chop.word}
+{ 's :=
+  'len :=
+  s #1 len substring$ =
+    { s len #1 + global.max$ substring$ }
+    's
+  if$
+}
+FUNCTION {format.lab.names}
+{ 's :=
+  "" 't :=
+  s #1 "{vv~}{ll}" format.name$
+  s num.names$ duplicate$
+  #2 >
+    { pop$
+      " " * bbl.etal *
+    }
+    { #2 <
+        'skip$
+        { s #2 "{ff }{vv }{ll}{ jj}" format.name$ "others" =
+            {
+              " " * bbl.etal *
+            }
+            { bbl.and space.word * s #2 "{vv~}{ll}" format.name$
+              * }
+          if$
+        }
+      if$
+    }
+  if$
+}
+
+FUNCTION {author.key.label}
+{ author empty$
+    { key empty$
+        { cite$ #1 #3 substring$ }
+        'key
+      if$
+    }
+    { author format.lab.names }
+  if$
+}
+
+FUNCTION {author.editor.key.label}
+{ author empty$
+    { editor empty$
+        { key empty$
+            { cite$ #1 #3 substring$ }
+            'key
+          if$
+        }
+        { editor format.lab.names }
+      if$
+    }
+    { author format.lab.names }
+  if$
+}
+
+FUNCTION {editor.key.label}
+{ editor empty$
+    { key empty$
+        { cite$ #1 #3 substring$ }
+        'key
+      if$
+    }
+    { editor format.lab.names }
+  if$
+}
+
+FUNCTION {calc.short.authors}
+{ type$ "book" =
+  type$ "inbook" =
+  or
+    'author.editor.key.label
+    { type$ "proceedings" =
+        'editor.key.label
+        'author.key.label
+      if$
+    }
+  if$
+  'short.list :=
+}
+
+FUNCTION {calc.label}
+{ calc.short.authors
+  short.list
+  "("
+  *
+  year duplicate$ empty$
+     { pop$ "????" }
+     { purify$ #-1 #4 substring$ }
+  if$
+  *
+  'label :=
+}
+
+FUNCTION {sort.format.names}
+{ 's :=
+  #1 'nameptr :=
+  ""
+  s num.names$ 'numnames :=
+  numnames 'namesleft :=
+    { namesleft #0 > }
+    { s nameptr
+      "{ll{ }}{  f{ }}{  jj{ }}"
+      format.name$ 't :=
+      nameptr #1 >
+        {
+          "   "  *
+          namesleft #1 = t "others" = and
+            { "zzzzz" * }
+            { t sortify * }
+          if$
+        }
+        { t sortify * }
+      if$
+      nameptr #1 + 'nameptr :=
+      namesleft #1 - 'namesleft :=
+    }
+  while$
+}
+
+FUNCTION {sort.format.title}
+{ 't :=
+  "A " #2
+    "An " #3
+      "The " #4 t chop.word
+    chop.word
+  chop.word
+  sortify
+  #1 global.max$ substring$
+}
+FUNCTION {author.sort}
+{ author empty$
+    { key empty$
+        { "to sort, need author or key in " cite$ * warning$
+          ""
+        }
+        { key sortify }
+      if$
+    }
+    { author sort.format.names }
+  if$
+}
+FUNCTION {author.editor.sort}
+{ author empty$
+    { editor empty$
+        { key empty$
+            { "to sort, need author, editor, or key in " cite$ * warning$
+              ""
+            }
+            { key sortify }
+          if$
+        }
+        { editor sort.format.names }
+      if$
+    }
+    { author sort.format.names }
+  if$
+}
+FUNCTION {editor.sort}
+{ editor empty$
+    { key empty$
+        { "to sort, need editor or key in " cite$ * warning$
+          ""
+        }
+        { key sortify }
+      if$
+    }
+    { editor sort.format.names }
+  if$
+}
+FUNCTION {presort}
+{ calc.label
+  label sortify
+  "    "
+  *
+  type$ "book" =
+  type$ "inbook" =
+  or
+    'author.editor.sort
+    { type$ "proceedings" =
+        'editor.sort
+        'author.sort
+      if$
+    }
+  if$
+  #1 entry.max$ substring$
+  'sort.label :=
+  sort.label
+  *
+  "    "
+  *
+  title field.or.null
+  sort.format.title
+  *
+  #1 entry.max$ substring$
+  'sort.key$ :=
+}
+
+ITERATE {presort}
+SORT
+STRINGS { last.label next.extra }
+INTEGERS { last.extra.num number.label }
+FUNCTION {initialize.extra.label.stuff}
+{ #0 int.to.chr$ 'last.label :=
+  "" 'next.extra :=
+  #0 'last.extra.num :=
+  #0 'number.label :=
+}
+FUNCTION {forward.pass}
+{ last.label label =
+    { last.extra.num #1 + 'last.extra.num :=
+      last.extra.num int.to.chr$ 'extra.label :=
+    }
+    { "a" chr.to.int$ 'last.extra.num :=
+      "" 'extra.label :=
+      label 'last.label :=
+    }
+  if$
+  number.label #1 + 'number.label :=
+}
+FUNCTION {reverse.pass}
+{ next.extra "b" =
+    { "a" 'extra.label := }
+    'skip$
+  if$
+  extra.label 'next.extra :=
+  extra.label
+  duplicate$ empty$
+    'skip$
+    { "{\natexlab{" swap$ * "}}" * }
+  if$
+  'extra.label :=
+  label extra.label * 'label :=
+}
+EXECUTE {initialize.extra.label.stuff}
+ITERATE {forward.pass}
+REVERSE {reverse.pass}
+FUNCTION {bib.sort.order}
+{ sort.label
+  "    "
+  *
+  year field.or.null sortify
+  *
+  "    "
+  *
+  title field.or.null
+  sort.format.title
+  *
+  #1 entry.max$ substring$
+  'sort.key$ :=
+}
+ITERATE {bib.sort.order}
+SORT
+FUNCTION {begin.bib}
+{ preamble$ empty$
+    'skip$
+    { preamble$ write$ newline$ }
+  if$
+  "\begin{small}\begin{thebibliography}{" number.label int.to.str$ * "}" *
+  write$ newline$
+  "\expandafter\ifx\csname natexlab\endcsname\relax\def\natexlab#1{#1}\fi"
+  write$ newline$
+  "\providecommand{\bibinfo}[2]{#2}"
+  write$ newline$
+	"\ifx\xfnm\relax \def\xfnm[#1]{\unskip,\space#1}\fi"
+  write$ newline$
+}
+EXECUTE {begin.bib}
+EXECUTE {init.state.consts}
+ITERATE {call.type$}
+FUNCTION {end.bib}
+{ newline$
+  "\end{thebibliography}\end{small}" write$ newline$
+}
+EXECUTE {end.bib}
diff --git a/thys/Forcing/document/root.tex b/thys/Forcing/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/Forcing/document/root.tex
@@ -0,0 +1,110 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{isabelle,isabellesym}
+\usepackage[numbers]{natbib}
+
+% further packages required for unusual symbols (see also
+% isabellesym.sty), use only when needed
+
+\usepackage{amssymb}
+  %for \<leadsto>, \<box>, \<diamond>, \<sqsupset>, \<mho>, \<Join>,
+  %\<lhd>, \<lesssim>, \<greatersim>, \<lessapprox>, \<greaterapprox>,
+  %\<triangleq>, \<yen>, \<lozenge>
+
+%\usepackage{eurosym}
+  %for \<euro>
+
+%\usepackage[only,bigsqcap]{stmaryrd}
+  %for \<Sqinter>
+
+%\usepackage{eufrak}
+  %for \<AA> ... \<ZZ>, \<aa> ... \<zz> (also included in amssymb)
+
+%\usepackage{textcomp}
+  %for \<onequarter>, \<onehalf>, \<threequarters>, \<degree>, \<cent>,
+  %\<currency>
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+% for uniform font size
+%\renewcommand{\isastyle}{\isastyleminor}
+
+\renewcommand{\isacharunderscorekeyword}{\mbox{\_}}
+\renewcommand{\isacharunderscore}{\mbox{\_}}
+\renewcommand{\isasymtturnstile}{\isamath{\Vdash}}
+\renewcommand{\isacharminus}{-}
+\newcommand{\axiomas}[1]{\mathit{#1}}
+\newcommand{\ZFC}{\axiomas{ZFC}}
+
+
+\begin{document}
+
+\title{Formalization of Forcing in Isabelle/ZF}
+\author{Emmanuel Gunther\thanks{Universidad Nacional de C\'ordoba. 
+    Facultad de Matem\'atica, Astronom\'{\i}a,  F\'{\i}sica y
+    Computaci\'on.}
+  \and
+  Miguel Pagano\footnotemark[1]
+  \and
+  Pedro S\'anchez Terraf\footnotemark[1] \thanks{Centro de Investigaci\'on y Estudios de Matem\'atica
+    (CIEM-FaMAF), Conicet. C\'ordoba. Argentina.
+    Supported by Secyt-UNC project 33620180100465CB.}
+}
+\maketitle
+
+\begin{abstract}
+  We formalize the theory of forcing in the set theory framework of
+  Isabelle/ZF. Under the assumption of the existence of a countable
+  transitive model of $\ZFC$, we construct a proper generic extension and show
+  that the latter also satisfies $\ZFC$.
+\end{abstract}
+
+
+\tableofcontents
+
+% sane default for proof documents
+\parindent 0pt\parskip 0.5ex
+
+\section{Introduction}
+We formalize the theory of forcing. We work on top of the Isabelle/ZF
+framework developed by \citet{DBLP:journals/jar/PaulsonG96}. Our
+mechanization is described in more detail in our papers
+\cite{2018arXiv180705174G} (LSFA 2018), \cite{2019arXiv190103313G},
+and \cite{2020arXiv200109715G} (IJCAR 2020).
+
+\subsection*{Release notes}
+\label{sec:release-notes}
+
+We have improved several aspects of our development before submitting
+it to the AFP:
+\begin{enumerate}
+\item Our session \isatt{Forcing} depends on the new release of
+  \isatt{ZF-Constructible}.
+\item We streamlined the commands for synthesizing renames and formulas.
+\item The command that synthesizes formulas produces the lemmas for
+  them (the synthesized term is a formula and the equivalence between
+  the satisfaction of the synthesized term and the relativized term).
+\item Consistently use of structured proofs using Isar (except for one
+  coming from a schematic goal command).
+\end{enumerate}
+
+A cross-linked HTML version of the development can be found at
+\url{https://cs.famaf.unc.edu.ar/~pedro/forcing/}.
+
+% generated text of all theories
+\input{session}
+
+% optional bibliography
+\bibliographystyle{root}
+\bibliography{root}
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
diff --git a/thys/Gaussian_Integers/Gaussian_Integers.thy b/thys/Gaussian_Integers/Gaussian_Integers.thy
new file mode 100644
--- /dev/null
+++ b/thys/Gaussian_Integers/Gaussian_Integers.thy
@@ -0,0 +1,2376 @@
+(*
+  File:    Gaussian_Integers.thy
+  Author:  Manuel Eberl, TU München
+*)
+section \<open>Gaussian Integers\<close>
+theory Gaussian_Integers
+imports
+  "HOL-Computational_Algebra.Computational_Algebra"
+  "HOL-Number_Theory.Number_Theory"
+begin
+
+subsection \<open>Auxiliary material\<close>
+
+lemma coprime_iff_prime_factors_disjoint:
+  fixes x y :: "'a :: factorial_semiring"
+  assumes "x \<noteq> 0" "y \<noteq> 0"
+  shows "coprime x y \<longleftrightarrow> prime_factors x \<inter> prime_factors y = {}"
+proof 
+  assume "coprime x y"
+  have False if "p \<in> prime_factors x" "p \<in> prime_factors y" for p
+  proof -
+    from that assms have "p dvd x" "p dvd y"
+      by (auto simp: prime_factors_dvd)
+    with \<open>coprime x y\<close> have "p dvd 1"
+      using coprime_common_divisor by auto
+    with that assms show False by (auto simp: prime_factors_dvd)
+  qed
+  thus "prime_factors x \<inter> prime_factors y = {}" by auto
+next
+  assume disjoint: "prime_factors x \<inter> prime_factors y = {}"
+  show "coprime x y"
+  proof (rule coprimeI)
+    fix d assume d: "d dvd x" "d dvd y"
+    show "is_unit d"
+    proof (rule ccontr)
+      assume "\<not>is_unit d"
+      moreover from this and d assms have "d \<noteq> 0" by auto
+      ultimately obtain p where p: "prime p" "p dvd d"
+        using prime_divisor_exists by auto
+      with d and assms have "p \<in> prime_factors x \<inter> prime_factors y"
+        by (auto simp: prime_factors_dvd)
+      with disjoint show False by auto
+    qed
+  qed
+qed
+
+lemma product_dvd_irreducibleD:
+  fixes a b x :: "'a :: algebraic_semidom"
+  assumes "irreducible x"
+  assumes "a * b dvd x"
+  shows "a dvd 1 \<or> b dvd 1"
+proof -
+  from assms obtain c where "x = a * b * c"
+    by auto
+  hence "x = a * (b * c)"
+    by (simp add: mult_ac)
+  from irreducibleD[OF assms(1) this] show "a dvd 1 \<or> b dvd 1"
+    by (auto simp: is_unit_mult_iff)
+qed
+
+lemma prime_elem_mult_dvdI:
+  assumes "prime_elem p" "p dvd c" "b dvd c" "\<not>p dvd b"
+  shows   "p * b dvd c"
+proof -
+  from assms(3) obtain a where c: "c = a * b"
+    using mult.commute by blast
+  with assms(2) have "p dvd a * b"
+    by simp
+  with assms have "p dvd a"
+    by (subst (asm) prime_elem_dvd_mult_iff) auto
+  with c show ?thesis by (auto intro: mult_dvd_mono)
+qed
+
+lemma prime_elem_power_mult_dvdI:
+  fixes p :: "'a :: algebraic_semidom"
+  assumes "prime_elem p" "p ^ n dvd c" "b dvd c" "\<not>p dvd b"
+  shows   "p ^ n * b dvd c"
+proof (cases "n = 0")
+  case False
+  from assms(3) obtain a where c: "c = a * b"
+    using mult.commute by blast
+  with assms(2) have "p ^ n dvd b * a"
+    by (simp add: mult_ac)
+  hence "p ^ n dvd a"
+    by (rule prime_power_dvd_multD[OF assms(1)]) (use assms False in auto)
+  with c show ?thesis by (auto intro: mult_dvd_mono)
+qed (use assms in auto)
+
+lemma prime_mod_4_cases:
+  fixes p :: nat
+  assumes "prime p"
+  shows   "p = 2 \<or> [p = 1] (mod 4) \<or> [p = 3] (mod 4)"
+proof (cases "p = 2")
+  case False
+  with prime_gt_1_nat[of p] assms have "p > 2" by auto
+  have "\<not>4 dvd p"
+    using assms product_dvd_irreducibleD[of p 2 2]
+    by (auto simp: prime_elem_iff_irreducible simp flip: prime_elem_nat_iff)
+  hence "p mod 4 \<noteq> 0"
+    by (auto simp: mod_eq_0_iff_dvd)
+  moreover have "p mod 4 \<noteq> 2"
+  proof
+    assume "p mod 4 = 2"
+    hence "p mod 4 mod 2 = 0"
+      by (simp add: cong_def)
+    thus False using \<open>prime p\<close> \<open>p > 2\<close> prime_odd_nat[of p]
+      by (auto simp: mod_mod_cancel)
+  qed
+  moreover have "p mod 4 \<in> {0,1,2,3}"
+    by auto
+  ultimately show ?thesis by (auto simp: cong_def)
+qed auto
+
+lemma of_nat_prod_mset: "of_nat (prod_mset A) = prod_mset (image_mset of_nat A)"
+  by (induction A) auto
+
+lemma multiplicity_0_left [simp]: "multiplicity 0 x = 0"
+  by (cases "x = 0") (auto simp: not_dvd_imp_multiplicity_0)
+
+lemma is_unit_power [intro]: "is_unit x \<Longrightarrow> is_unit (x ^ n)"
+  by (subst is_unit_power_iff) auto
+
+lemma (in factorial_semiring) pow_divides_pow_iff:
+  assumes "n > 0"
+  shows   "a ^ n dvd b ^ n \<longleftrightarrow> a dvd b"
+proof (cases "b = 0")
+  case False
+  show ?thesis
+  proof
+    assume dvd: "a ^ n dvd b ^ n"
+    with \<open>b \<noteq> 0\<close> have "a \<noteq> 0"
+      using \<open>n > 0\<close> by (auto simp: power_0_left)
+    show "a dvd b"
+    proof (rule multiplicity_le_imp_dvd)
+      fix p :: 'a assume p: "prime p"
+      from dvd \<open>b \<noteq> 0\<close> have "multiplicity p (a ^ n) \<le> multiplicity p (b ^ n)"
+        by (intro dvd_imp_multiplicity_le) auto
+      thus "multiplicity p a \<le> multiplicity p b"
+        using p \<open>a \<noteq> 0\<close> \<open>b \<noteq> 0\<close> \<open>n > 0\<close> by (simp add: prime_elem_multiplicity_power_distrib)
+    qed fact+
+  qed (auto intro: dvd_power_same)
+qed (use assms in \<open>auto simp: power_0_left\<close>)
+
+lemma multiplicity_power_power:
+  fixes p :: "'a :: {factorial_semiring, algebraic_semidom}"
+  assumes "n > 0"
+  shows   "multiplicity (p ^ n) (x ^ n) = multiplicity p x"
+proof (cases "x = 0 \<or> p = 0 \<or> is_unit p")
+  case True
+  thus ?thesis using \<open>n > 0\<close>
+    by (auto simp: power_0_left is_unit_power_iff multiplicity_unit_left)
+next
+  case False
+  show ?thesis
+  proof (intro antisym multiplicity_geI)
+    have "(p ^ multiplicity p x) ^ n dvd x ^ n"
+      by (intro dvd_power_same) (simp add: multiplicity_dvd)
+    thus "(p ^ n) ^ multiplicity p x dvd x ^ n"
+      by (simp add: mult_ac flip: power_mult)
+  next
+    have "(p ^ n) ^ multiplicity (p ^ n) (x ^ n) dvd x ^ n"
+      by (simp add: multiplicity_dvd)
+    hence "(p ^ multiplicity (p ^ n) (x ^ n)) ^ n dvd x ^ n"
+      by (simp add: mult_ac flip: power_mult)
+    thus "p ^ multiplicity (p ^ n) (x ^ n) dvd x"
+      by (subst (asm) pow_divides_pow_iff) (use assms in auto)
+  qed (use False \<open>n > 0\<close> in \<open>auto simp: is_unit_power_iff\<close>)
+qed
+
+lemma even_square_cong_4_int:
+  fixes x :: int
+  assumes "even x"
+  shows   "[x ^ 2 = 0] (mod 4)"
+proof -
+  from assms have "even \<bar>x\<bar>"
+    by simp
+  hence [simp]: "\<bar>x\<bar> mod 2 = 0"
+    by presburger
+  have "(\<bar>x\<bar> ^ 2) mod 4 = ((\<bar>x\<bar> mod 4) ^ 2) mod 4"
+    by (simp add: power_mod)
+  also from assms have "\<bar>x\<bar> mod 4 = 0 \<or> \<bar>x\<bar> mod 4 = 2"
+    using mod_double_modulus[of 2 "\<bar>x\<bar>"] by simp
+  hence "((\<bar>x\<bar> mod 4) ^ 2) mod 4 = 0"
+    by auto
+  finally show ?thesis by (simp add: cong_def)
+qed
+
+lemma even_square_cong_4_nat: "even (x::nat) \<Longrightarrow> [x ^ 2 = 0] (mod 4)"
+  using even_square_cong_4_int[of "int x"] by (auto simp flip: cong_int_iff)
+
+lemma odd_square_cong_4_int:
+  fixes x :: int
+  assumes "odd x"
+  shows   "[x ^ 2 = 1] (mod 4)"
+proof -
+  from assms have "odd \<bar>x\<bar>"
+    by simp
+  hence [simp]: "\<bar>x\<bar> mod 2 = 1"
+    by presburger
+  have "(\<bar>x\<bar> ^ 2) mod 4 = ((\<bar>x\<bar> mod 4) ^ 2) mod 4"
+    by (simp add: power_mod)
+  also from assms have "\<bar>x\<bar> mod 4 = 1 \<or> \<bar>x\<bar> mod 4 = 3"
+    using mod_double_modulus[of 2 "\<bar>x\<bar>"] by simp
+  hence "((\<bar>x\<bar> mod 4) ^ 2) mod 4 = 1"
+    by auto
+  finally show ?thesis by (simp add: cong_def)
+qed
+
+lemma odd_square_cong_4_nat: "odd (x::nat) \<Longrightarrow> [x ^ 2 = 1] (mod 4)"
+  using odd_square_cong_4_int[of "int x"] by (auto simp flip: cong_int_iff)
+
+
+text \<open>
+  Gaussian integers will require a notion of an element being a power up to a unit,
+  so we introduce this here. This should go in the library eventually.
+\<close>
+definition is_nth_power_upto_unit where
+  "is_nth_power_upto_unit n x \<longleftrightarrow> (\<exists>u. is_unit u \<and> is_nth_power n (u * x))"
+
+lemma is_nth_power_upto_unit_base: "is_nth_power n x \<Longrightarrow> is_nth_power_upto_unit n x"
+  by (auto simp: is_nth_power_upto_unit_def intro: exI[of _ 1])
+
+lemma is_nth_power_upto_unitI:
+  assumes "normalize (x ^ n) = normalize y"
+  shows   "is_nth_power_upto_unit n y"
+proof -
+  from associatedE1[OF assms] obtain u where "is_unit u" "u * y = x ^ n"
+    by metis
+  thus ?thesis
+    by (auto simp: is_nth_power_upto_unit_def intro!: exI[of _ u])
+qed
+
+lemma is_nth_power_upto_unit_conv_multiplicity: 
+  fixes x :: "'a :: factorial_semiring"
+  assumes "n > 0"
+  shows   "is_nth_power_upto_unit n x \<longleftrightarrow> (\<forall>p. prime p \<longrightarrow> n dvd multiplicity p x)"
+proof (cases "x = 0")
+  case False
+  show ?thesis
+  proof safe
+    fix p :: 'a assume p: "prime p"
+    assume "is_nth_power_upto_unit n x"
+    then obtain u y where uy: "is_unit u" "u * x = y ^ n"
+      by (auto simp: is_nth_power_upto_unit_def elim!: is_nth_powerE)
+    from p uy assms False have [simp]: "y \<noteq> 0" by (auto simp: power_0_left)
+    have "multiplicity p (u * x) = multiplicity p (y ^ n)"
+      by (subst uy(2) [symmetric]) simp
+    also have "multiplicity p (u * x) = multiplicity p x"
+      by (simp add: multiplicity_times_unit_right uy(1))
+    finally show "n dvd multiplicity p x"
+      using False and p and uy and assms
+      by (auto simp: prime_elem_multiplicity_power_distrib)
+  next
+    assume *: "\<forall>p. prime p \<longrightarrow> n dvd multiplicity p x"
+    have "multiplicity p ((\<Prod>p\<in>prime_factors x. p ^ (multiplicity p x div n)) ^ n) = 
+            multiplicity p x" if "prime p" for p
+    proof -
+      from that and * have "n dvd multiplicity p x" by blast
+      have "multiplicity p x = 0" if "p \<notin> prime_factors x"
+        using that and \<open>prime p\<close> by (simp add: prime_factors_multiplicity)
+      with that and * and assms show ?thesis unfolding prod_power_distrib power_mult [symmetric]
+        by (subst multiplicity_prod_prime_powers) (auto simp: in_prime_factors_imp_prime elim: dvdE)
+    qed
+    with assms False 
+      have "normalize ((\<Prod>p\<in>prime_factors x. p ^ (multiplicity p x div n)) ^ n) = normalize x"
+      by (intro multiplicity_eq_imp_eq) (auto simp: multiplicity_prod_prime_powers)
+    thus "is_nth_power_upto_unit n x"
+      by (auto intro: is_nth_power_upto_unitI)
+  qed
+qed (use assms in \<open>auto simp: is_nth_power_upto_unit_def\<close>)
+
+lemma is_nth_power_upto_unit_0_left [simp, intro]: "is_nth_power_upto_unit 0 x \<longleftrightarrow> is_unit x"
+proof
+  assume "is_unit x"
+  thus "is_nth_power_upto_unit 0 x"
+    unfolding is_nth_power_upto_unit_def by (intro exI[of _ "1 div x"]) auto
+next
+  assume "is_nth_power_upto_unit 0 x"
+  then obtain u where "is_unit u" "u * x = 1"
+    by (auto simp: is_nth_power_upto_unit_def)
+  thus "is_unit x"
+    by (metis dvd_triv_right)
+qed
+
+lemma is_nth_power_upto_unit_unit [simp, intro]:
+  assumes "is_unit x"
+  shows   "is_nth_power_upto_unit n x"
+  using assms by (auto simp: is_nth_power_upto_unit_def intro!: exI[of _ "1 div x"])
+
+lemma is_nth_power_upto_unit_1_left [simp, intro]: "is_nth_power_upto_unit 1 x"
+  by (auto simp: is_nth_power_upto_unit_def intro: exI[of _ 1])
+
+lemma is_nth_power_upto_unit_mult_coprimeD1:
+  fixes x y :: "'a :: factorial_semiring"
+  assumes "coprime x y" "is_nth_power_upto_unit n (x * y)"
+  shows   "is_nth_power_upto_unit n x"
+proof -
+  consider "n = 0" | "x = 0" "n > 0" | "x \<noteq> 0" "y = 0" "n > 0" | "n > 0" "x \<noteq> 0" "y \<noteq> 0"
+    by force
+  thus ?thesis
+  proof cases
+    assume [simp]: "n = 0"
+    from assms have "is_unit (x * y)"
+      by auto
+    hence "is_unit x"
+      using is_unit_mult_iff by blast
+    thus ?thesis using assms by auto
+  next
+    assume "x = 0" "n > 0"
+    thus ?thesis by (auto simp: is_nth_power_upto_unit_def)
+  next
+    assume *: "x \<noteq> 0" "y = 0" "n > 0"
+    with assms show ?thesis by auto
+  next
+    assume *: "n > 0" and [simp]: "x \<noteq> 0" "y \<noteq> 0"
+    show ?thesis
+    proof (subst is_nth_power_upto_unit_conv_multiplicity[OF \<open>n > 0\<close>]; safe)
+      fix p :: 'a assume p: "prime p"
+      show "n dvd multiplicity p x"
+      proof (cases "p dvd x")
+        case False
+        thus ?thesis
+          by (simp add: not_dvd_imp_multiplicity_0)
+      next
+        case True
+        have "n dvd multiplicity p (x * y)"
+          using assms(2) \<open>n > 0\<close> p by (auto simp: is_nth_power_upto_unit_conv_multiplicity)
+        also have "\<dots> = multiplicity p x + multiplicity p y"
+          using p by (subst prime_elem_multiplicity_mult_distrib) auto
+        also have "\<not>p dvd y"
+          using \<open>coprime x y\<close> \<open>p dvd x\<close> p not_prime_unit coprime_common_divisor by blast
+        hence "multiplicity p y = 0"
+          by (rule not_dvd_imp_multiplicity_0)
+        finally show ?thesis by simp
+      qed
+    qed
+  qed
+qed
+
+lemma is_nth_power_upto_unit_mult_coprimeD2:
+  fixes x y :: "'a :: factorial_semiring"
+  assumes "coprime x y" "is_nth_power_upto_unit n (x * y)"
+  shows   "is_nth_power_upto_unit n y"
+  using assms is_nth_power_upto_unit_mult_coprimeD1[of y x]
+  by (simp_all add: mult_ac coprime_commute)
+
+
+subsection \<open>Definition\<close>
+
+text \<open>
+  Gaussian integers are the ring $\mathbb{Z}[i]$ which is formed either by formally adjoining
+  an element $i$ with $i^2 = -1$ to $\mathbb{Z}$ or by taking all the complex numbers with
+  integer real and imaginary part.
+
+  We define them simply by giving an appropriate ring structure to $\mathbb{Z}^2$, with the first
+  component representing the real part and the second component the imaginary part:
+\<close>
+codatatype gauss_int = Gauss_Int (ReZ: int) (ImZ: int)
+
+text \<open>
+  The following is the imaginary unit $i$ in the Gaussian integers, which we will denote as
+  \<open>\<i>\<^sub>\<int>\<close>:
+\<close>
+primcorec gauss_i where
+  "ReZ gauss_i = 0"
+| "ImZ gauss_i = 1"
+
+lemma gauss_int_eq_iff: "x = y \<longleftrightarrow> ReZ x = ReZ y \<and> ImZ x = ImZ y"
+  by (cases x; cases y) auto
+
+
+(*<*)
+bundle gauss_int_notation
+begin
+
+notation gauss_i ("\<i>\<^sub>\<int>")
+
+end
+
+bundle no_gauss_int_notation
+begin
+
+no_notation (output) gauss_i ("\<i>\<^sub>\<int>")
+
+end
+
+bundle gauss_int_output_notation
+begin
+
+notation (output) gauss_i ("\<ii>")
+
+end
+
+unbundle gauss_int_notation
+(*>*)
+
+
+text \<open>
+  Next, we define the canonical injective homomorphism from the Gaussian integers into the
+  complex numbers:
+\<close>
+primcorec gauss2complex where
+  "Re (gauss2complex z) = of_int (ReZ z)"
+| "Im (gauss2complex z) = of_int (ImZ z)"
+
+declare [[coercion gauss2complex]]
+
+lemma gauss2complex_eq_iff [simp]: "gauss2complex z = gauss2complex u \<longleftrightarrow> z = u"
+  by (simp add: complex_eq_iff gauss_int_eq_iff)
+
+text \<open>
+  Gaussian integers also have conjugates, just like complex numbers:
+\<close>
+primcorec gauss_cnj where
+  "ReZ (gauss_cnj z) = ReZ z"
+| "ImZ (gauss_cnj z) = -ImZ z"
+
+
+text \<open>
+  In the remainder of this section, we prove that Gaussian integers are a commutative ring
+  of characteristic 0 and several other trivial algebraic properties.
+\<close>
+
+instantiation gauss_int :: comm_ring_1
+begin
+
+primcorec zero_gauss_int where
+  "ReZ zero_gauss_int = 0"
+| "ImZ zero_gauss_int = 0"
+
+primcorec one_gauss_int where
+  "ReZ one_gauss_int = 1"
+| "ImZ one_gauss_int = 0"
+
+primcorec uminus_gauss_int where
+  "ReZ (uminus_gauss_int x) = -ReZ x"
+| "ImZ (uminus_gauss_int x) = -ImZ x"
+
+primcorec plus_gauss_int where
+  "ReZ (plus_gauss_int x y) = ReZ x + ReZ y"
+| "ImZ (plus_gauss_int x y) = ImZ x + ImZ y"
+
+primcorec minus_gauss_int where
+  "ReZ (minus_gauss_int x y) = ReZ x - ReZ y"
+| "ImZ (minus_gauss_int x y) = ImZ x - ImZ y"
+
+primcorec times_gauss_int where
+  "ReZ (times_gauss_int x y) = ReZ x * ReZ y - ImZ x * ImZ y"
+| "ImZ (times_gauss_int x y) = ReZ x * ImZ y + ImZ x * ReZ y"
+
+instance
+  by intro_classes (auto simp: gauss_int_eq_iff algebra_simps)
+
+end
+
+lemma gauss_i_times_i [simp]: "\<i>\<^sub>\<int> * \<i>\<^sub>\<int> = (-1 :: gauss_int)"
+  and gauss_cnj_i [simp]: "gauss_cnj \<i>\<^sub>\<int> = -\<i>\<^sub>\<int>"
+  by (simp_all add: gauss_int_eq_iff)
+
+lemma gauss_cnj_eq_0_iff [simp]: "gauss_cnj z = 0 \<longleftrightarrow> z = 0"
+  by (auto simp: gauss_int_eq_iff)
+
+lemma gauss_cnj_eq_self: "Im z = 0 \<Longrightarrow> gauss_cnj z = z"
+  and gauss_cnj_eq_minus_self: "Re z = 0 \<Longrightarrow> gauss_cnj z = -z"
+  by (auto simp: gauss_int_eq_iff)
+
+lemma ReZ_of_nat [simp]: "ReZ (of_nat n) = of_nat n"
+  and ImZ_of_nat [simp]: "ImZ (of_nat n) = 0"
+  by (induction n; simp)+
+
+lemma ReZ_of_int [simp]: "ReZ (of_int n) = n"
+  and ImZ_of_int [simp]: "ImZ (of_int n) = 0"
+  by (induction n; simp)+
+
+lemma ReZ_numeral [simp]: "ReZ (numeral n) = numeral n"
+  and ImZ_numeral [simp]: "ImZ (numeral n) = 0"
+  by (subst of_nat_numeral [symmetric], subst ReZ_of_nat ImZ_of_nat, simp)+
+
+lemma gauss2complex_0 [simp]: "gauss2complex 0 = 0"
+  and gauss2complex_1 [simp]: "gauss2complex 1 = 1"
+  and gauss2complex_i [simp]: "gauss2complex \<i>\<^sub>\<int> = \<i>"
+  and gauss2complex_add [simp]: "gauss2complex (x + y) = gauss2complex x + gauss2complex y"
+  and gauss2complex_diff [simp]: "gauss2complex (x - y) = gauss2complex x - gauss2complex y"
+  and gauss2complex_mult [simp]: "gauss2complex (x * y) = gauss2complex x * gauss2complex y"
+  and gauss2complex_uminus [simp]: "gauss2complex (-x) = -gauss2complex x"
+  and gauss2complex_cnj [simp]: "gauss2complex (gauss_cnj x) = cnj (gauss2complex x)"
+  by (simp_all add: complex_eq_iff)
+
+lemma gauss2complex_of_nat [simp]: "gauss2complex (of_nat n) = of_nat n"
+  by (simp add: complex_eq_iff)
+
+lemma gauss2complex_eq_0_iff [simp]: "gauss2complex x = 0 \<longleftrightarrow> x = 0"
+  and gauss2complex_eq_1_iff [simp]: "gauss2complex x = 1 \<longleftrightarrow> x = 1"
+  and zero_eq_gauss2complex_iff [simp]: "0 = gauss2complex x \<longleftrightarrow> x = 0"
+  and one_eq_gauss2complex_iff [simp]: "1 = gauss2complex x \<longleftrightarrow> x = 1"
+  by (simp_all add: complex_eq_iff gauss_int_eq_iff)
+
+lemma gauss_i_times_gauss_i_times [simp]: "\<i>\<^sub>\<int> * (\<i>\<^sub>\<int> * x) = (-x :: gauss_int)"
+  by (subst mult.assoc [symmetric], subst gauss_i_times_i) auto
+
+lemma gauss_i_neq_0 [simp]: "\<i>\<^sub>\<int> \<noteq> 0" "0 \<noteq> \<i>\<^sub>\<int>"
+  and gauss_i_neq_1 [simp]: "\<i>\<^sub>\<int> \<noteq> 1" "1 \<noteq> \<i>\<^sub>\<int>"
+  and gauss_i_neq_of_nat [simp]: "\<i>\<^sub>\<int> \<noteq> of_nat n" "of_nat n \<noteq> \<i>\<^sub>\<int>"
+  and gauss_i_neq_of_int [simp]: "\<i>\<^sub>\<int> \<noteq> of_int n" "of_int n \<noteq> \<i>\<^sub>\<int>"
+  and gauss_i_neq_numeral [simp]: "\<i>\<^sub>\<int> \<noteq> numeral m" "numeral m \<noteq> \<i>\<^sub>\<int>"
+  by (auto simp: gauss_int_eq_iff)
+
+lemma gauss_cnj_0 [simp]: "gauss_cnj 0 = 0"
+  and gauss_cnj_1 [simp]: "gauss_cnj 1 = 1"
+  and gauss_cnj_cnj [simp]: "gauss_cnj (gauss_cnj z) = z"
+  and gauss_cnj_uminus [simp]: "gauss_cnj (-a) = -gauss_cnj a"
+  and gauss_cnj_add [simp]: "gauss_cnj (a + b) = gauss_cnj a + gauss_cnj b"
+  and gauss_cnj_diff [simp]: "gauss_cnj (a - b) = gauss_cnj a - gauss_cnj b"
+  and gauss_cnj_mult [simp]: "gauss_cnj (a * b) = gauss_cnj a * gauss_cnj b"
+  and gauss_cnj_of_nat [simp]: "gauss_cnj (of_nat n1) = of_nat n1"
+  and gauss_cnj_of_int [simp]: "gauss_cnj (of_int n2) = of_int n2"
+  and gauss_cnj_numeral [simp]: "gauss_cnj (numeral n3) = numeral n3"
+  by (simp_all add: gauss_int_eq_iff)
+
+lemma gauss_cnj_power [simp]: "gauss_cnj (a ^ n) = gauss_cnj a ^ n"
+  by (induction n) auto
+
+lemma gauss_cnj_sum [simp]: "gauss_cnj (sum f A) = (\<Sum>x\<in>A. gauss_cnj (f x))"
+  by (induction A rule: infinite_finite_induct) auto
+
+lemma gauss_cnj_prod [simp]: "gauss_cnj (prod f A) = (\<Prod>x\<in>A. gauss_cnj (f x))"
+  by (induction A rule: infinite_finite_induct) auto
+
+lemma of_nat_dvd_of_nat:
+  assumes "a dvd b"
+  shows   "of_nat a dvd (of_nat b :: 'a :: comm_semiring_1)"
+  using assms by auto
+
+lemma of_int_dvd_imp_dvd_gauss_cnj:
+  fixes z :: gauss_int
+  assumes "of_int n dvd z"
+  shows   "of_int n dvd gauss_cnj z"
+proof -
+  from assms obtain u where "z = of_int n * u" by blast
+  hence "gauss_cnj z = of_int n * gauss_cnj u"
+    by simp
+  thus ?thesis by auto
+qed
+
+lemma of_nat_dvd_imp_dvd_gauss_cnj:
+  fixes z :: gauss_int
+  assumes "of_nat n dvd z"
+  shows   "of_nat n dvd gauss_cnj z"
+  using of_int_dvd_imp_dvd_gauss_cnj[of "int n"] assms by simp
+
+lemma of_int_dvd_of_int_gauss_int_iff:
+  "(of_int m :: gauss_int) dvd of_int n \<longleftrightarrow> m dvd n"
+proof
+  assume "of_int m dvd (of_int n :: gauss_int)"
+  then obtain a :: gauss_int where "of_int n = of_int m * a"
+    by blast
+  thus "m dvd n"
+    by (auto simp: gauss_int_eq_iff)
+qed auto
+
+lemma of_nat_dvd_of_nat_gauss_int_iff:
+  "(of_nat m :: gauss_int) dvd of_nat n \<longleftrightarrow> m dvd n"
+  using of_int_dvd_of_int_gauss_int_iff[of "int m" "int n"] by simp
+
+lemma gauss_cnj_dvd:
+  assumes "a dvd b"
+  shows   "gauss_cnj a dvd gauss_cnj b"
+proof -
+  from assms obtain c where "b = a * c"
+    by blast
+  hence "gauss_cnj b = gauss_cnj a * gauss_cnj c"
+    by simp
+  thus ?thesis by auto
+qed
+
+lemma gauss_cnj_dvd_iff: "gauss_cnj a dvd gauss_cnj b \<longleftrightarrow> a dvd b"
+  using gauss_cnj_dvd[of a b] gauss_cnj_dvd[of "gauss_cnj a" "gauss_cnj b"] by auto
+
+lemma gauss_cnj_dvd_left_iff: "gauss_cnj a dvd b \<longleftrightarrow> a dvd gauss_cnj b"
+  by (subst gauss_cnj_dvd_iff [symmetric]) auto
+
+lemma gauss_cnj_dvd_right_iff: "a dvd gauss_cnj b \<longleftrightarrow> gauss_cnj a dvd b"
+  by (rule gauss_cnj_dvd_left_iff [symmetric])
+
+
+instance gauss_int :: idom
+proof
+  fix z u :: gauss_int
+  assume "z \<noteq> 0" "u \<noteq> 0"
+  hence "gauss2complex z * gauss2complex u \<noteq> 0"
+    by simp
+  also have "gauss2complex z * gauss2complex u = gauss2complex (z * u)"
+    by simp
+  finally show "z * u \<noteq> 0"
+    unfolding gauss2complex_eq_0_iff .
+qed
+
+instance gauss_int :: ring_char_0
+  by intro_classes (auto intro!: injI simp: gauss_int_eq_iff)
+
+
+subsection \<open>Pretty-printing\<close>
+
+text \<open>
+  The following lemma collection provides better pretty-printing of Gaussian integers so that
+  e.g.\ evaluation with the `value' command produces nicer results.
+\<close>
+lemma gauss_int_code_post [code_post]:
+  "Gauss_Int 0 0 = 0"
+  "Gauss_Int 0 1 = \<i>\<^sub>\<int>"
+  "Gauss_Int 0 (-1) = -\<i>\<^sub>\<int>"
+  "Gauss_Int 1 0 = 1"
+  "Gauss_Int 1 1 = 1 + \<i>\<^sub>\<int>"
+  "Gauss_Int 1 (-1) = 1 - \<i>\<^sub>\<int>"
+  "Gauss_Int (-1) 0 = -1"
+  "Gauss_Int (-1) 1 = -1 + \<i>\<^sub>\<int>"
+  "Gauss_Int (-1) (-1) = -1 - \<i>\<^sub>\<int>"  
+  "Gauss_Int (numeral b) 0 = numeral b"
+  "Gauss_Int (-numeral b) 0 = -numeral b"
+  "Gauss_Int (numeral b) 1 = numeral b + \<i>\<^sub>\<int>"
+  "Gauss_Int (-numeral b) 1 = -numeral b + \<i>\<^sub>\<int>"
+  "Gauss_Int (numeral b) (-1) = numeral b - \<i>\<^sub>\<int>"
+  "Gauss_Int (-numeral b) (-1) = -numeral b - \<i>\<^sub>\<int>"
+  "Gauss_Int 0 (numeral b) = numeral b * \<i>\<^sub>\<int>"
+  "Gauss_Int 0 (-numeral b) = -numeral b * \<i>\<^sub>\<int>"
+  "Gauss_Int 1 (numeral b) = 1 + numeral b * \<i>\<^sub>\<int>"
+  "Gauss_Int 1 (-numeral b) = 1 - numeral b * \<i>\<^sub>\<int>"
+  "Gauss_Int (-1) (numeral b) = -1 + numeral b * \<i>\<^sub>\<int>"
+  "Gauss_Int (-1) (-numeral b) = -1 - numeral b * \<i>\<^sub>\<int>"
+  "Gauss_Int (numeral a) (numeral b) = numeral a + numeral b * \<i>\<^sub>\<int>"
+  "Gauss_Int (numeral a) (-numeral b) = numeral a - numeral b * \<i>\<^sub>\<int>"
+  "Gauss_Int (-numeral a) (numeral b) = -numeral a + numeral b * \<i>\<^sub>\<int>"
+  "Gauss_Int (-numeral a) (-numeral b) = -numeral a - numeral b * \<i>\<^sub>\<int>"
+  by (simp_all add: gauss_int_eq_iff)
+
+value "\<i>\<^sub>\<int> ^ 3"
+value "2 * (3 + \<i>\<^sub>\<int>)"
+value "(2 + \<i>\<^sub>\<int>) * (2 - \<i>\<^sub>\<int>)"
+
+
+subsection \<open>Norm\<close>
+
+text \<open>
+  The square of the complex norm (or complex modulus) on the Gaussian integers gives us a norm
+  that always returns a natural number. We will later show that this is also a Euclidean norm
+  (in the sense of a Euclidean ring).
+\<close>
+definition gauss_int_norm :: "gauss_int \<Rightarrow> nat" where
+  "gauss_int_norm z = nat (ReZ z ^ 2 + ImZ z ^ 2)"
+
+lemma gauss_int_norm_0 [simp]: "gauss_int_norm 0 = 0"
+  and gauss_int_norm_1 [simp]: "gauss_int_norm 1 = 1"
+  and gauss_int_norm_i [simp]: "gauss_int_norm \<i>\<^sub>\<int> = 1"
+  and gauss_int_norm_cnj [simp]: "gauss_int_norm (gauss_cnj z) = gauss_int_norm z"
+  and gauss_int_norm_of_nat [simp]: "gauss_int_norm (of_nat n) = n ^ 2"
+  and gauss_int_norm_of_int [simp]: "gauss_int_norm (of_int m) = nat (m ^ 2)"
+  and gauss_int_norm_of_numeral [simp]: "gauss_int_norm (numeral n') = numeral (Num.sqr n')"
+  by (simp_all add: gauss_int_norm_def nat_power_eq)
+
+lemma gauss_int_norm_uminus [simp]: "gauss_int_norm (-z) = gauss_int_norm z"
+  by (simp add: gauss_int_norm_def)
+
+lemma gauss_int_norm_eq_0_iff [simp]: "gauss_int_norm z = 0 \<longleftrightarrow> z = 0"
+proof
+  assume "gauss_int_norm z = 0"
+  hence "ReZ z ^ 2 + ImZ z ^ 2 \<le> 0"
+    by (simp add: gauss_int_norm_def)
+  moreover have "ReZ z ^ 2 + ImZ z ^ 2 \<ge> 0"
+    by simp
+  ultimately have "ReZ z ^ 2 + ImZ z ^ 2 = 0"
+    by linarith
+  thus "z = 0"
+    by (auto simp: gauss_int_eq_iff)
+qed auto
+
+lemma gauss_int_norm_pos_iff [simp]: "gauss_int_norm z > 0 \<longleftrightarrow> z \<noteq> 0"
+  using gauss_int_norm_eq_0_iff[of z] by (auto intro: Nat.gr0I)
+
+lemma real_gauss_int_norm: "real (gauss_int_norm z) = norm (gauss2complex z) ^ 2"
+  by (auto simp: cmod_def gauss_int_norm_def)
+
+lemma gauss_int_norm_mult: "gauss_int_norm (z * u) = gauss_int_norm z * gauss_int_norm u"
+proof -
+  have "real (gauss_int_norm (z * u)) = real (gauss_int_norm z * gauss_int_norm u)"
+    unfolding of_nat_mult by (simp add: real_gauss_int_norm norm_power norm_mult power_mult_distrib)
+  thus ?thesis by (subst (asm) of_nat_eq_iff)
+qed
+
+lemma self_mult_gauss_cnj: "z * gauss_cnj z = of_nat (gauss_int_norm z)"
+  by (simp add: gauss_int_norm_def gauss_int_eq_iff algebra_simps power2_eq_square)
+
+lemma gauss_cnj_mult_self: "gauss_cnj z * z = of_nat (gauss_int_norm z)"
+  by (subst mult.commute, rule self_mult_gauss_cnj)
+
+lemma self_plus_gauss_cnj: "z + gauss_cnj z = of_int (2 * ReZ z)"
+  and self_minus_gauss_cnj: "z - gauss_cnj z = of_int (2 * ImZ z) * \<i>\<^sub>\<int>"
+  by (auto simp: gauss_int_eq_iff)
+
+lemma gauss_int_norm_dvd_mono:
+  assumes "a dvd b"
+  shows "gauss_int_norm a dvd gauss_int_norm b"
+proof -
+  from assms obtain c where "b = a * c" by blast
+  hence "gauss_int_norm b = gauss_int_norm (a * c)"
+    by metis
+  thus ?thesis by (simp add: gauss_int_norm_mult)
+qed
+
+text \<open>
+  A Gaussian integer is a unit iff its norm is 1, and this is the case precisely for the four
+  elements \<open>\<plusminus>1\<close> and \<open>\<plusminus>\<i>\<close>:
+\<close>
+lemma is_unit_gauss_int_iff: "x dvd 1 \<longleftrightarrow> x \<in> {1, -1, \<i>\<^sub>\<int>, -\<i>\<^sub>\<int> :: gauss_int}"
+  and is_unit_gauss_int_iff': "x dvd 1 \<longleftrightarrow> gauss_int_norm x = 1"
+proof -
+  have "x dvd 1" if "x \<in> {1, -1, \<i>\<^sub>\<int>, -\<i>\<^sub>\<int>}"
+  proof -
+    from that have *: "x * gauss_cnj x = 1"
+      by (auto simp: gauss_int_norm_def)
+    show "x dvd 1" by (subst * [symmetric]) simp
+  qed
+  moreover have "gauss_int_norm x = 1" if "x dvd 1"
+    using gauss_int_norm_dvd_mono[OF that] by simp
+  moreover have "x \<in> {1, -1, \<i>\<^sub>\<int>, -\<i>\<^sub>\<int>}" if "gauss_int_norm x = 1"
+  proof -
+    from that have *: "(ReZ x)\<^sup>2 + (ImZ x)\<^sup>2 = 1"
+      by (auto simp: gauss_int_norm_def nat_eq_iff)
+    hence "ReZ x ^ 2 \<le> 1" and "ImZ x ^ 2 \<le> 1"
+      using zero_le_power2[of "ImZ x"] zero_le_power2[of "ReZ x"] by linarith+
+    hence "\<bar>ReZ x\<bar> \<le> 1" and "\<bar>ImZ x\<bar> \<le> 1"
+      by (auto simp: abs_square_le_1)
+    hence "ReZ x \<in> {-1, 0, 1}" and "ImZ x \<in> {-1, 0, 1}"
+      by auto
+    thus "x \<in> {1, -1, \<i>\<^sub>\<int>, -\<i>\<^sub>\<int> :: gauss_int}"
+      using * by (auto simp: gauss_int_eq_iff)    
+  qed
+  ultimately show "x dvd 1 \<longleftrightarrow> x \<in> {1, -1, \<i>\<^sub>\<int>, -\<i>\<^sub>\<int> :: gauss_int}"
+              and "x dvd 1 \<longleftrightarrow> gauss_int_norm x = 1"
+    by blast+
+qed
+
+lemma is_unit_gauss_i [simp, intro]: "(gauss_i :: gauss_int) dvd 1"
+  by (simp add: is_unit_gauss_int_iff)
+
+lemma gauss_int_norm_eq_Suc_0_iff: "gauss_int_norm x = Suc 0 \<longleftrightarrow> x dvd 1"
+  by (simp add: is_unit_gauss_int_iff')
+
+lemma is_unit_gauss_cnj [intro]: "z dvd 1 \<Longrightarrow> gauss_cnj z dvd 1"
+  by (simp add: is_unit_gauss_int_iff')
+
+lemma is_unit_gauss_cnj_iff [simp]: "gauss_cnj z dvd 1 \<longleftrightarrow> z dvd 1"
+  by (simp add: is_unit_gauss_int_iff')
+
+
+subsection \<open>Division and normalisation\<close>
+
+text \<open>
+  We define a rounding operation that takes a complex number and returns a Gaussian integer
+  by rounding the real and imaginary parts separately:
+\<close>
+primcorec round_complex :: "complex \<Rightarrow> gauss_int" where
+  "ReZ (round_complex z) = round (Re z)"
+| "ImZ (round_complex z) = round (Im z)"
+
+text \<open>
+  The distance between a rounded complex number and the original one is no more than
+  $\frac{1}{2}\sqrt{2}$:
+\<close>
+lemma norm_round_complex_le: "norm (z - gauss2complex (round_complex z)) ^ 2 \<le> 1 / 2"
+proof -
+  have "(Re z - ReZ (round_complex z)) ^ 2 \<le> (1 / 2) ^ 2"
+    using of_int_round_abs_le[of "Re z"]
+    by (subst abs_le_square_iff [symmetric]) (auto simp: abs_minus_commute)
+  moreover have "(Im z - ImZ (round_complex z)) ^ 2 \<le> (1 / 2) ^ 2"
+    using of_int_round_abs_le[of "Im z"]
+    by (subst abs_le_square_iff [symmetric]) (auto simp: abs_minus_commute)
+  ultimately have "(Re z - ReZ (round_complex z)) ^ 2 + (Im z - ImZ (round_complex z)) ^ 2 \<le>
+                     (1 / 2) ^ 2 + (1 / 2) ^ 2"
+    by (rule add_mono)
+  thus "norm (z - gauss2complex (round_complex z)) ^ 2 \<le> 1 / 2"
+    by (simp add: cmod_def power2_eq_square)
+qed
+
+lemma dist_round_complex_le: "dist z (gauss2complex (round_complex z)) \<le> sqrt 2 / 2"
+proof -
+  have "dist z (gauss2complex (round_complex z)) ^ 2 =
+        norm (z - gauss2complex (round_complex z)) ^ 2"
+    by (simp add: dist_norm)
+  also have "\<dots> \<le> 1 / 2"
+    by (rule norm_round_complex_le)
+  also have "\<dots> = (sqrt 2 / 2) ^ 2"
+    by (simp add: power2_eq_square)
+  finally show ?thesis
+    by (rule power2_le_imp_le) auto
+qed
+
+
+text \<open>
+  We can now define division on Gaussian integers simply by performing the division in the
+  complex numbers and rounding the result. This also gives us a remainder operation defined
+  accordingly for which the norm of the remainder is always smaller than the norm of the divisor.
+
+  We can also define a normalisation operation that returns a canonical representative for each
+  association class. Since the four units of the Gaussian integers are \<open>\<plusminus>1\<close> and \<open>\<plusminus>\<i>\<close>, each
+  association class (other than \<open>0\<close>) has four representatives, one in each quadrant. We simply
+  define the on in the upper-right quadrant (i.e.\ the one with non-negative imaginary part
+  and positive real part) as the canonical one.
+
+  Thus, the Gaussian integers form a Euclidean ring. This gives us many things, most importantly
+  the existence of GCDs and LCMs and unique factorisation.
+\<close>
+instantiation gauss_int :: algebraic_semidom
+begin
+
+definition divide_gauss_int :: "gauss_int \<Rightarrow> gauss_int \<Rightarrow> gauss_int" where
+  "divide_gauss_int a b = round_complex (gauss2complex a / gauss2complex b)"
+
+instance proof
+  fix a :: gauss_int
+  show "a div 0 = 0"
+    by (auto simp: gauss_int_eq_iff divide_gauss_int_def)
+next
+  fix a b :: gauss_int assume "b \<noteq> 0"
+  thus "a * b div b = a"
+    by (auto simp: gauss_int_eq_iff divide_gauss_int_def)
+qed
+
+end
+
+instantiation gauss_int :: semidom_divide_unit_factor
+begin
+
+definition unit_factor_gauss_int :: "gauss_int \<Rightarrow> gauss_int" where
+  "unit_factor_gauss_int z =
+     (if z = 0 then 0 else 
+      if ImZ z \<ge> 0 \<and> ReZ z > 0 then 1
+      else if ReZ z \<le> 0 \<and> ImZ z > 0 then \<i>\<^sub>\<int>
+      else if ImZ z \<le> 0 \<and> ReZ z < 0 then -1
+      else -\<i>\<^sub>\<int>)"
+
+instance proof
+  show "unit_factor (0 :: gauss_int) = 0"
+    by (simp add: unit_factor_gauss_int_def)
+next
+  fix z :: gauss_int
+  assume "is_unit z"
+  thus "unit_factor z = z"
+    by (subst (asm) is_unit_gauss_int_iff) (auto simp: unit_factor_gauss_int_def)
+next
+  fix z :: gauss_int
+  assume z: "z \<noteq> 0"
+  thus "is_unit (unit_factor z)"
+    by (subst is_unit_gauss_int_iff) (auto simp: unit_factor_gauss_int_def)
+next
+  fix z u :: gauss_int
+  assume "is_unit z"
+  hence "z \<in> {1, -1, \<i>\<^sub>\<int>, -\<i>\<^sub>\<int>}"
+    by (subst (asm) is_unit_gauss_int_iff)
+  thus "unit_factor (z * u) = z * unit_factor u"
+    by (safe; auto simp: unit_factor_gauss_int_def gauss_int_eq_iff[of u 0])
+qed
+
+end
+
+instantiation gauss_int :: normalization_semidom
+begin
+
+definition normalize_gauss_int :: "gauss_int \<Rightarrow> gauss_int" where
+  "normalize_gauss_int z =
+     (if z = 0 then 0 else 
+      if ImZ z \<ge> 0 \<and> ReZ z > 0 then z
+      else if ReZ z \<le> 0 \<and> ImZ z > 0 then -\<i>\<^sub>\<int> * z
+      else if ImZ z \<le> 0 \<and> ReZ z < 0 then -z
+      else \<i>\<^sub>\<int> * z)"
+
+instance proof
+  show "normalize (0 :: gauss_int) = 0"
+    by (simp add: normalize_gauss_int_def)
+next
+  fix z :: gauss_int
+  show "unit_factor z * normalize z = z"
+    by (auto simp: normalize_gauss_int_def unit_factor_gauss_int_def algebra_simps)
+qed
+
+end
+
+lemma normalize_gauss_int_of_nat [simp]: "normalize (of_nat n :: gauss_int) = of_nat n"
+  and normalize_gauss_int_of_int [simp]: "normalize (of_int m :: gauss_int) = of_int \<bar>m\<bar>"
+  and normalize_gauss_int_of_numeral [simp]: "normalize (numeral n' :: gauss_int) = numeral n'"
+  by (auto simp: normalize_gauss_int_def)
+
+lemma normalize_gauss_i [simp]: "normalize \<i>\<^sub>\<int> = 1"
+  by (simp add: normalize_gauss_int_def)
+
+lemma gauss_int_norm_normalize [simp]: "gauss_int_norm (normalize x) = gauss_int_norm x"
+  by (simp add: normalize_gauss_int_def gauss_int_norm_mult)
+
+lemma normalized_gauss_int:
+  assumes "normalize z = z"
+  shows   "ReZ z \<ge> 0" "ImZ z \<ge> 0"
+  using assms
+  by (cases "ReZ z" "0 :: int" rule: linorder_cases;
+      cases "ImZ z" "0 :: int" rule: linorder_cases;
+      simp add: normalize_gauss_int_def gauss_int_eq_iff)+
+
+lemma normalized_gauss_int':
+  assumes "normalize z = z" "z \<noteq> 0"
+  shows   "ReZ z > 0" "ImZ z \<ge> 0"
+  using assms
+  by (cases "ReZ z" "0 :: int" rule: linorder_cases;
+      cases "ImZ z" "0 :: int" rule: linorder_cases;
+      simp add: normalize_gauss_int_def gauss_int_eq_iff)+
+
+lemma normalized_gauss_int_iff:
+  "normalize z = z \<longleftrightarrow> z = 0 \<or> ReZ z > 0 \<and> ImZ z \<ge> 0"
+  by (cases "ReZ z" "0 :: int" rule: linorder_cases;
+      cases "ImZ z" "0 :: int" rule: linorder_cases;
+      simp add: normalize_gauss_int_def gauss_int_eq_iff)+
+
+instantiation gauss_int :: idom_modulo
+begin
+
+definition modulo_gauss_int :: "gauss_int \<Rightarrow> gauss_int \<Rightarrow> gauss_int" where
+  "modulo_gauss_int a b = a - a div b * b"
+
+instance proof
+  fix a b :: gauss_int
+  show "a div b * b + a mod b = a"
+    by (simp add: modulo_gauss_int_def)
+qed
+
+end
+
+lemma gauss_int_norm_mod_less_aux:
+  assumes [simp]: "b \<noteq> 0"
+  shows   "2 * gauss_int_norm (a mod b) \<le> gauss_int_norm b"
+proof -
+  define a' b' where "a' = gauss2complex a" and "b' = gauss2complex b"
+  have [simp]: "b' \<noteq> 0" by (simp add: b'_def)
+  have "gauss_int_norm (a mod b) = 
+          norm (gauss2complex (a - round_complex (a' / b') * b)) ^ 2"
+    unfolding modulo_gauss_int_def
+    by (subst real_gauss_int_norm [symmetric]) (auto simp add: divide_gauss_int_def a'_def b'_def)
+  also have "gauss2complex (a - round_complex (a' / b') * b) =
+               a' - gauss2complex (round_complex (a' / b')) * b'"
+    by (simp add: a'_def b'_def)
+  also have "\<dots> = (a' / b' - gauss2complex (round_complex (a' / b'))) * b'"
+    by (simp add: field_simps)
+  also have "norm \<dots> ^ 2 = norm (a' / b' - gauss2complex (round_complex (a' / b'))) ^ 2 * norm b' ^ 2"
+    by (simp add: norm_mult power_mult_distrib)
+  also have "\<dots> \<le> 1 / 2 * norm b' ^ 2"
+    by (intro mult_right_mono norm_round_complex_le) auto
+  also have "norm b' ^ 2 = gauss_int_norm b"
+    by (simp add: b'_def real_gauss_int_norm)
+  finally show ?thesis by linarith
+qed
+
+lemma gauss_int_norm_mod_less:
+  assumes [simp]: "b \<noteq> 0"
+  shows   "gauss_int_norm (a mod b) < gauss_int_norm b"
+proof -
+  have "gauss_int_norm b > 0" by simp
+  thus "gauss_int_norm (a mod b) < gauss_int_norm b"
+    using gauss_int_norm_mod_less_aux[OF assms, of a] by presburger
+qed
+
+lemma gauss_int_norm_dvd_imp_le:
+  assumes "b \<noteq> 0"
+  shows   "gauss_int_norm a \<le> gauss_int_norm (a * b)"
+proof (cases "a = 0")
+  case False
+  thus ?thesis using assms by (intro dvd_imp_le gauss_int_norm_dvd_mono) auto
+qed auto
+
+instantiation gauss_int :: euclidean_ring
+begin
+
+definition euclidean_size_gauss_int :: "gauss_int \<Rightarrow> nat" where
+  [simp]: "euclidean_size_gauss_int = gauss_int_norm"
+
+instance proof
+  show "euclidean_size (0 :: gauss_int) = 0"
+    by simp
+next
+  fix a b :: gauss_int assume [simp]: "b \<noteq> 0"
+  show "euclidean_size (a mod b) < euclidean_size b"
+    using gauss_int_norm_mod_less[of b a] by simp
+  show "euclidean_size a \<le> euclidean_size (a * b)"
+    by (simp add: gauss_int_norm_dvd_imp_le)
+qed
+
+end
+
+instance gauss_int :: normalization_euclidean_semiring ..
+
+instantiation gauss_int :: euclidean_ring_gcd
+begin
+
+definition gcd_gauss_int :: "gauss_int \<Rightarrow> gauss_int \<Rightarrow> gauss_int" where
+  "gcd_gauss_int \<equiv> normalization_euclidean_semiring_class.gcd"
+definition lcm_gauss_int :: "gauss_int \<Rightarrow> gauss_int \<Rightarrow> gauss_int" where
+  "lcm_gauss_int \<equiv> normalization_euclidean_semiring_class.lcm"
+definition Gcd_gauss_int :: "gauss_int set \<Rightarrow> gauss_int" where
+  "Gcd_gauss_int \<equiv> normalization_euclidean_semiring_class.Gcd"
+definition Lcm_gauss_int :: "gauss_int set \<Rightarrow> gauss_int" where
+  "Lcm_gauss_int \<equiv> normalization_euclidean_semiring_class.Lcm"
+
+instance 
+  by intro_classes
+     (simp_all add: gcd_gauss_int_def lcm_gauss_int_def Gcd_gauss_int_def Lcm_gauss_int_def)
+
+end
+
+lemma multiplicity_gauss_cnj: "multiplicity (gauss_cnj a) (gauss_cnj b) = multiplicity a b"
+  unfolding multiplicity_def gauss_cnj_power [symmetric] gauss_cnj_dvd_iff ..
+    
+lemma multiplicity_gauss_int_of_nat:
+  "multiplicity (of_nat a) (of_nat b :: gauss_int) = multiplicity a b"
+  unfolding multiplicity_def of_nat_power [symmetric] of_nat_dvd_of_nat_gauss_int_iff ..
+
+lemma gauss_int_dvd_same_norm_imp_associated:
+  assumes "z1 dvd z2" "gauss_int_norm z1 = gauss_int_norm z2"
+  shows   "normalize z1 = normalize z2"
+proof (cases "z1 = 0")
+  case [simp]: False
+  from assms(1) obtain u where u: "z2 = z1 * u" by blast
+  from assms have "gauss_int_norm u = 1"
+    by (auto simp: gauss_int_norm_mult u)
+  hence "is_unit u"
+    by (simp add: is_unit_gauss_int_iff')
+  with u show ?thesis by simp
+qed (use assms in auto)
+
+lemma gcd_of_int_gauss_int: "gcd (of_int a :: gauss_int) (of_int b) = of_int (gcd a b)"
+proof (induction "nat \<bar>b\<bar>" arbitrary: a b rule: less_induct)
+  case (less b a)
+  show ?case
+  proof (cases "b = 0")
+    case False
+    have "of_int (gcd a b) = (of_int (gcd b (a mod b)) :: gauss_int)"
+      by (subst gcd_red_int) auto
+    also have "\<dots> = gcd (of_int b) (of_int (a mod b))"
+      using False by (intro less [symmetric]) (auto intro!: abs_mod_less)
+    also have "a mod b = (a - a div b * b)"
+      by (simp add: minus_div_mult_eq_mod)
+    also have "of_int \<dots> = of_int (-(a div b)) * of_int b + (of_int a :: gauss_int)"
+      by (simp add: algebra_simps)
+    also have "gcd (of_int b) \<dots> = gcd (of_int b) (of_int a)"
+      by (rule gcd_add_mult)
+    finally show ?thesis by (simp add: gcd.commute)
+  qed auto
+qed
+
+lemma coprime_of_int_gauss_int: "coprime (of_int a :: gauss_int) (of_int b) = coprime a b"
+  unfolding coprime_iff_gcd_eq_1 gcd_of_int_gauss_int by auto
+
+lemma gcd_of_nat_gauss_int: "gcd (of_nat a :: gauss_int) (of_nat b) = of_nat (gcd a b)"
+  using gcd_of_int_gauss_int[of "int a" "int b"] by simp
+
+lemma coprime_of_nat_gauss_int: "coprime (of_nat a :: gauss_int) (of_nat b) = coprime a b"
+  unfolding coprime_iff_gcd_eq_1 gcd_of_nat_gauss_int by auto
+
+lemma gauss_cnj_dvd_self_iff: "gauss_cnj z dvd z \<longleftrightarrow> ReZ z = 0 \<or> ImZ z = 0 \<or> \<bar>ReZ z\<bar> = \<bar>ImZ z\<bar>"
+proof
+  assume "gauss_cnj z dvd z"
+  hence "normalize (gauss_cnj z) = normalize z"
+    by (rule gauss_int_dvd_same_norm_imp_associated) auto
+  then obtain u :: gauss_int where "is_unit u"  and u: "gauss_cnj z = u * z"
+    using associatedE1 by blast
+  hence "u \<in> {1, -1, \<i>\<^sub>\<int>, -\<i>\<^sub>\<int>}"
+    by (simp add: is_unit_gauss_int_iff)
+  thus "ReZ z = 0 \<or> ImZ z = 0 \<or> \<bar>ReZ z\<bar> = \<bar>ImZ z\<bar>"
+  proof (elim insertE emptyE)
+    assume [simp]: "u = \<i>\<^sub>\<int>"
+    have "ReZ z = ReZ (gauss_cnj z)"
+      by simp
+    also have "gauss_cnj z = \<i>\<^sub>\<int> * z"
+      using u by simp
+    also have "ReZ \<dots> = -ImZ z"
+      by simp
+    finally show "ReZ z = 0 \<or> ImZ z = 0 \<or> \<bar>ReZ z\<bar> = \<bar>ImZ z\<bar>"
+      by auto
+  next
+    assume [simp]: "u = -\<i>\<^sub>\<int>"
+    have "ReZ z = ReZ (gauss_cnj z)"
+      by simp
+    also have "gauss_cnj z = -\<i>\<^sub>\<int> * z"
+      using u by simp
+    also have "ReZ \<dots> = ImZ z"
+      by simp
+    finally show "ReZ z = 0 \<or> ImZ z = 0 \<or> \<bar>ReZ z\<bar> = \<bar>ImZ z\<bar>"
+      by auto
+  next
+    assume [simp]: "u = 1"
+    have "ImZ z = -ImZ (gauss_cnj z)"
+      by simp
+    also have "gauss_cnj z = z"
+      using u by simp
+    finally show "ReZ z = 0 \<or> ImZ z = 0 \<or> \<bar>ReZ z\<bar> = \<bar>ImZ z\<bar>"
+      by auto
+  next
+    assume [simp]: "u = -1"
+    have "ReZ z = ReZ (gauss_cnj z)"
+      by simp
+    also have "gauss_cnj z = -z"
+      using u by simp
+    also have "ReZ \<dots> = -ReZ z"
+      by simp
+    finally show "ReZ z = 0 \<or> ImZ z = 0 \<or> \<bar>ReZ z\<bar> = \<bar>ImZ z\<bar>"
+      by auto
+  qed
+next
+  assume "ReZ z = 0 \<or> ImZ z = 0 \<or> \<bar>ReZ z\<bar> = \<bar>ImZ z\<bar>"
+  thus "gauss_cnj z dvd z"
+  proof safe
+    assume "\<bar>ReZ z\<bar> = \<bar>ImZ z\<bar>"
+    then obtain u :: int where "is_unit u" and u: "ImZ z = u * ReZ z"
+      using associatedE2[of "ReZ z" "ImZ z"] by auto
+    from \<open>is_unit u\<close> have "u \<in> {1, -1}"
+      by auto
+    hence "z = gauss_cnj z * (of_int u * \<i>\<^sub>\<int>)"
+      using u by (auto simp: gauss_int_eq_iff)
+    thus ?thesis
+      by (metis dvd_triv_left)
+  qed (auto simp: gauss_cnj_eq_self gauss_cnj_eq_minus_self)
+qed
+
+lemma self_dvd_gauss_cnj_iff: "z dvd gauss_cnj z \<longleftrightarrow> ReZ z = 0 \<or> ImZ z = 0 \<or> \<bar>ReZ z\<bar> = \<bar>ImZ z\<bar>"
+  using gauss_cnj_dvd_self_iff[of z] by (subst (asm) gauss_cnj_dvd_left_iff) auto
+
+
+subsection \<open>Prime elements\<close>
+
+text \<open>
+  Next, we analyse what the prime elements of the Gaussian integers are. First, note that
+  according to the conventions of Isabelle's computational algebra library, a prime element
+  is called a prime iff it is also normalised, i.e.\ in our case it lies in the upper right
+  quadrant.
+
+  As a first fact, we can show that a Gaussian integer whose norm is \<open>\<int>\<close>-prime must be
+  $\mathbb{Z}[i]$-prime:
+\<close>
+
+lemma prime_gauss_int_norm_imp_prime_elem:
+  assumes "prime (gauss_int_norm q)"
+  shows   "prime_elem q"
+proof -
+  have "irreducible q"
+  proof (rule irreducibleI)
+    fix a b assume "q = a * b"
+    hence "gauss_int_norm q = gauss_int_norm a * gauss_int_norm b"
+      by (simp_all add: gauss_int_norm_mult)
+    thus "is_unit a \<or> is_unit b"
+      using assms by (auto dest!: prime_product simp: gauss_int_norm_eq_Suc_0_iff)
+  qed (use assms in \<open>auto simp: is_unit_gauss_int_iff'\<close>)
+  thus "prime_elem q"
+    using irreducible_imp_prime_elem_gcd by blast
+qed
+
+text \<open>
+  Also, a conjugate is a prime element iff the original element is a prime element:
+\<close>
+lemma prime_elem_gauss_cnj [intro]: "prime_elem z \<Longrightarrow> prime_elem (gauss_cnj z)"
+  by (auto simp: prime_elem_def gauss_cnj_dvd_left_iff)
+
+lemma prime_elem_gauss_cnj_iff [simp]: "prime_elem (gauss_cnj z) \<longleftrightarrow> prime_elem z"
+  using prime_elem_gauss_cnj[of z] prime_elem_gauss_cnj[of "gauss_cnj z"] by auto
+
+
+subsubsection \<open>The factorisation of 2\<close>
+
+text \<open>
+  2 factors as $-i (1 + i)^2$ in the Gaussian integers, where $-i$ is a unit and
+  $1 + i$ is prime.
+\<close>
+
+lemma gauss_int_2_eq: "2 = -\<i>\<^sub>\<int> * (1 + \<i>\<^sub>\<int>) ^ 2"
+  by (simp add: gauss_int_eq_iff power2_eq_square)
+
+lemma prime_elem_one_plus_i_gauss_int: "prime_elem (1 + \<i>\<^sub>\<int>)"
+  by (rule prime_gauss_int_norm_imp_prime_elem) (auto simp: gauss_int_norm_def)
+
+lemma prime_one_plus_i_gauss_int: "prime (1 + \<i>\<^sub>\<int>)"
+  by (simp add: prime_def prime_elem_one_plus_i_gauss_int
+                gauss_int_eq_iff normalize_gauss_int_def)
+
+lemma prime_factorization_2_gauss_int:
+  "prime_factorization (2 :: gauss_int) = {#1 + \<i>\<^sub>\<int>, 1 + \<i>\<^sub>\<int>#}"
+proof -
+  have "prime_factorization (2 :: gauss_int) =
+        (prime_factorization (prod_mset {#1 + gauss_i, 1 + gauss_i#}))"
+    by (subst prime_factorization_unique) (auto simp: gauss_int_eq_iff normalize_gauss_int_def)
+  also have "prime_factorization (prod_mset {#1 + gauss_i, 1 + gauss_i#}) =
+               {#1 + gauss_i, 1 + gauss_i#}"
+    using prime_one_plus_i_gauss_int by (subst prime_factorization_prod_mset_primes) auto
+  finally show ?thesis .
+qed
+
+
+subsubsection \<open>Inert primes\<close>
+
+text \<open>
+  Any \<open>\<int>\<close>-prime congruent 3 modulo 4 is also a Gaussian prime. These primes are called
+  \<^emph>\<open>inert\<close>, because they do not decompose when moving from \<open>\<int>\<close> to $\mathbb{Z}[i]$.
+\<close>
+
+lemma gauss_int_norm_not_3_mod_4: "[gauss_int_norm z \<noteq> 3] (mod 4)"
+proof -
+  have A: "ReZ z mod 4 \<in> {0..3}" "ImZ z mod 4 \<in> {0..3}" by auto
+  have B: "{0..3} = {0, 1, 2, 3 :: int}" by auto
+
+  have "[ReZ z ^ 2 + ImZ z ^ 2 = (ReZ z mod 4) ^ 2 + (ImZ z mod 4) ^ 2] (mod 4)"
+    by (intro cong_add cong_pow) (auto simp: cong_def)
+  moreover have "((ReZ z mod 4) ^ 2 + (ImZ z mod 4) ^ 2) mod 4 \<noteq> 3 mod 4"
+    using A unfolding B by auto
+  ultimately have "[ReZ z ^ 2 + ImZ z ^ 2 \<noteq> 3] (mod 4)"
+    unfolding cong_def by metis
+  hence "[int (nat (ReZ z ^ 2 + ImZ z ^ 2)) \<noteq> int 3] (mod (int 4))"
+    by simp
+  thus ?thesis unfolding gauss_int_norm_def
+    by (subst (asm) cong_int_iff)
+qed
+
+lemma prime_elem_gauss_int_of_nat:
+  fixes n :: nat
+  assumes prime: "prime n" and "[n = 3] (mod 4)"
+  shows   "prime_elem (of_nat n :: gauss_int)"
+proof (intro irreducible_imp_prime_elem irreducibleI)
+  from assms show "of_nat n \<noteq> (0 :: gauss_int)"
+    by (auto simp: gauss_int_eq_iff)
+next
+  show "\<not>is_unit (of_nat n :: gauss_int)"
+    using assms by (subst is_unit_gauss_int_iff) (auto simp: gauss_int_eq_iff)
+next
+  fix a b :: gauss_int
+  assume *: "of_nat n = a * b"
+  hence "gauss_int_norm (a * b) = gauss_int_norm (of_nat n)"
+    by metis
+  hence *: "gauss_int_norm a * gauss_int_norm b = n ^ 2"
+    by (simp add: gauss_int_norm_mult power2_eq_square flip: nat_mult_distrib)
+  from prime_power_mult_nat[OF prime this] obtain i j :: nat
+    where ij: "gauss_int_norm a = n ^ i" "gauss_int_norm b = n ^ j" by blast
+  
+  have "i + j = 2"
+  proof -
+    have "n ^ (i + j) = n ^ 2"
+      using ij * by (simp add: power_add)
+    from prime_power_inj[OF prime this] show ?thesis by simp
+  qed
+  hence "i = 0 \<and> j = 2 \<or> i = 1 \<and> j = 1 \<or> i = 2 \<and> j = 0"
+    by auto
+  thus "is_unit a \<or> is_unit b"
+  proof (elim disjE)
+    assume "i = 1 \<and> j = 1"
+    with ij have "gauss_int_norm a = n"
+      by auto
+    hence "[gauss_int_norm a = n] (mod 4)"
+      by simp
+    also have "[n = 3] (mod 4)" by fact
+    finally have "[gauss_int_norm a = 3] (mod 4)" .
+    moreover have "[gauss_int_norm a \<noteq> 3] (mod 4)"
+      by (rule gauss_int_norm_not_3_mod_4)
+    ultimately show ?thesis by contradiction
+  qed (use ij in \<open>auto simp: is_unit_gauss_int_iff'\<close>)
+qed
+
+theorem prime_gauss_int_of_nat:
+  fixes n :: nat
+  assumes prime: "prime n" and "[n = 3] (mod 4)"
+  shows   "prime (of_nat n :: gauss_int)"
+  using prime_elem_gauss_int_of_nat[OF assms]
+  unfolding prime_def by simp
+
+
+subsubsection \<open>Non-inert primes\<close>
+
+text \<open>
+  Any \<open>\<int>\<close>-prime congruent 1 modulo 4 factors into two conjugate Gaussian primes.
+\<close>
+
+lemma minimal_QuadRes_neg1:
+  assumes "QuadRes n (-1)" "n > 1" "odd n"
+  obtains x :: nat where "x \<le> (n - 1) div 2" and "[x ^ 2 + 1 = 0] (mod n)"
+proof -
+  from \<open>QuadRes n (-1)\<close> obtain x where "[x ^ 2 = (-1)] (mod (int n))"
+    by (auto simp: QuadRes_def)
+  hence "[x ^ 2 + 1 = -1 + 1] (mod (int n))"
+    by (intro cong_add) auto
+  also have "x ^ 2 + 1 = int (nat \<bar>x\<bar> ^ 2 + 1)"
+    by simp
+  finally have "[int (nat \<bar>x\<bar> ^ 2 + 1) = int 0] (mod (int n))"
+    by simp
+  hence "[nat \<bar>x\<bar> ^ 2 + 1 = 0] (mod n)"
+    by (subst (asm) cong_int_iff)
+
+  define x' where
+    "x' = (if nat \<bar>x\<bar> mod n \<le> (n - 1) div 2 then nat \<bar>x\<bar> mod n else n - (nat \<bar>x\<bar> mod n))"
+  have x'_quadres: "[x' ^ 2 + 1 = 0] (mod n)"
+  proof (cases "nat \<bar>x\<bar> mod n \<le> (n - 1) div 2")
+    case True
+    hence "[x' ^ 2 + 1 = (nat \<bar>x\<bar> mod n) ^ 2 + 1] (mod n)"
+      by (simp add: x'_def)
+    also have "[(nat \<bar>x\<bar> mod n) ^ 2 + 1 = nat \<bar>x\<bar> ^ 2 + 1] (mod n)"
+      by (intro cong_add cong_pow) (auto simp: cong_def)
+    also have "[nat \<bar>x\<bar> ^ 2 + 1 = 0] (mod n)" by fact
+    finally show ?thesis .
+  next
+    case False
+    hence "[int (x' ^ 2 + 1) = (int n - int (nat \<bar>x\<bar> mod n)) ^ 2 + 1] (mod int n)"
+      using \<open>n > 1\<close> by (simp add: x'_def of_nat_diff add_ac)
+    also have "[(int n - int (nat \<bar>x\<bar> mod n)) ^ 2 + 1 =
+                (0 - int (nat \<bar>x\<bar> mod n)) ^ 2 + 1] (mod int n)"
+      by (intro cong_add cong_pow) (auto simp: cong_def)
+    also have "[(0 - int (nat \<bar>x\<bar> mod n)) ^ 2 + 1 = int ((nat \<bar>x\<bar> mod n) ^ 2 + 1)] (mod (int n))"
+      by (simp add: add_ac)
+    finally have "[x' ^ 2 + 1 = (nat \<bar>x\<bar> mod n)\<^sup>2 + 1] (mod n)"
+      by (subst (asm) cong_int_iff)
+    also have "[(nat \<bar>x\<bar> mod n)\<^sup>2 + 1 = nat \<bar>x\<bar> ^ 2 + 1] (mod n)"
+      by (intro cong_add cong_pow) (auto simp: cong_def)
+    also have "[nat \<bar>x\<bar> ^ 2 + 1 = 0] (mod n)" by fact
+    finally show ?thesis .
+  qed
+  moreover have x'_le: "x' \<le> (n - 1) div 2"
+    using \<open>odd n\<close> by (auto elim!: oddE simp: x'_def)
+  ultimately show ?thesis by (intro that[of x'])
+qed
+
+text \<open>
+  Let \<open>p\<close> be some prime number that is congruent 1 modulo 4.
+\<close>
+locale noninert_gauss_int_prime =
+  fixes p :: nat
+  assumes prime_p: "prime p" and cong_1_p: "[p = 1] (mod 4)"
+begin
+
+lemma p_gt_2: "p > 2" and odd_p: "odd p"
+proof -
+  from prime_p and cong_1_p have "p > 1" "p \<noteq> 2"
+    by (auto simp: prime_gt_Suc_0_nat cong_def)
+  thus "p > 2" by auto
+  with prime_p show "odd p"
+    using primes_dvd_imp_eq two_is_prime_nat by blast
+qed
+
+text \<open>
+  -1 is a quadratic residue modulo \<open>p\<close>, so there exists some \<open>x\<close> such that
+  $x^2 + 1$ is divisible by \<open>p\<close>. Moreover, we can choose \<open>x\<close> such that it is positive and
+  no greater than $\frac{1}{2}(p-1)$:
+\<close>
+lemma minimal_QuadRes_neg1:
+  obtains x where "x > 0" "x \<le> (p - 1) div 2" "[x ^ 2 + 1 = 0] (mod p)"
+proof -
+  have "[Legendre (-1) (int p) = (- 1) ^ ((p - 1) div 2)] (mod (int p))"
+    using prime_p p_gt_2 by (intro euler_criterion) auto
+  also have "[p - 1 = 1 - 1] (mod 4)"
+    using p_gt_2 by (intro cong_diff_nat cong_refl) (use cong_1_p in auto)
+  hence "2 * 2 dvd p - 1"
+    by (simp add: cong_0_iff)
+  hence "even ((p - 1) div 2)"
+    using dvd_mult_imp_div by blast
+  hence "(-1) ^ ((p - 1) div 2) = (1 :: int)"
+    by simp
+  finally have "Legendre (-1) (int p) mod p = 1"
+    using p_gt_2 by (auto simp: cong_def)
+  hence "Legendre (-1) (int p) = 1"
+    using p_gt_2 by (auto simp: Legendre_def cong_def zmod_minus1 split: if_splits)
+  hence "QuadRes p (-1)"
+    by (simp add: Legendre_def split: if_splits)
+  from minimal_QuadRes_neg1[OF this] p_gt_2 odd_p
+    obtain x where x: "x \<le> (p - 1) div 2" "[x ^ 2 + 1 = 0] (mod p)" by auto
+  have "x > 0"
+    using x p_gt_2 by (auto intro!: Nat.gr0I simp: cong_def)
+  from x and this show ?thesis by (intro that[of x]) auto
+qed
+
+text \<open>
+  We can show from this that \<open>p\<close> is not prime as a Gaussian integer.
+\<close>
+lemma not_prime: "\<not>prime_elem (of_nat p :: gauss_int)"
+proof
+  assume prime: "prime_elem (of_nat p :: gauss_int)"
+  obtain x where x: "x > 0" "x \<le> (p - 1) div 2" "[x ^ 2 + 1 = 0] (mod p)"
+    using  minimal_QuadRes_neg1 .
+
+  have "of_nat p dvd (of_nat (x ^ 2 + 1) :: gauss_int)"
+    using x by (intro of_nat_dvd_of_nat) (auto simp: cong_0_iff)
+  also have eq: "of_nat (x ^ 2 + 1) = ((of_nat x + \<i>\<^sub>\<int>) * (of_nat x - \<i>\<^sub>\<int>) :: gauss_int)"
+    using \<open>x > 0\<close> by (simp add: algebra_simps gauss_int_eq_iff power2_eq_square of_nat_diff)
+  finally have "of_nat p dvd ((of_nat x + \<i>\<^sub>\<int>) * (of_nat x - \<i>\<^sub>\<int>) :: gauss_int)" .
+
+  from prime and this
+    have "of_nat p dvd (of_nat x + \<i>\<^sub>\<int> :: gauss_int) \<or> of_nat p dvd (of_nat x - \<i>\<^sub>\<int> :: gauss_int)"
+    by (rule prime_elem_dvd_multD)
+  hence dvd: "of_nat p dvd (of_nat x + \<i>\<^sub>\<int> :: gauss_int)" "of_nat p dvd (of_nat x - \<i>\<^sub>\<int> :: gauss_int)"
+    by (auto dest: of_nat_dvd_imp_dvd_gauss_cnj)
+
+  have "of_nat (p ^ 2) = (of_nat p * of_nat p :: gauss_int)"
+    by (simp add: power2_eq_square)
+  also from dvd have "\<dots> dvd ((of_nat x + \<i>\<^sub>\<int>) * (of_nat x - \<i>\<^sub>\<int>))"
+    by (intro mult_dvd_mono)
+  also have "\<dots> = of_nat (x ^ 2 + 1)"
+    by (rule eq [symmetric])
+  finally have "p ^ 2 dvd (x ^ 2 + 1)"
+    by (subst (asm) of_nat_dvd_of_nat_gauss_int_iff)
+  hence "p ^ 2 \<le> x ^ 2 + 1"
+    by (intro dvd_imp_le) auto
+  moreover have "p ^ 2 > x ^ 2 + 1"
+  proof -
+    have "x ^ 2 + 1 \<le> ((p - 1) div 2) ^ 2 + 1"
+      using x by (intro add_mono power_mono) auto
+    also have "\<dots> \<le> (p - 1) ^ 2 + 1"
+      by auto
+    also have "(p - 1) * (p - 1) < (p - 1) * (p + 1)"
+      using p_gt_2 by (intro mult_strict_left_mono) auto
+    hence "(p - 1) ^ 2 + 1 < p ^ 2"
+      by (simp add: algebra_simps power2_eq_square)
+    finally show ?thesis .
+  qed
+  ultimately show False by linarith
+qed
+
+text \<open>
+  Any prime factor of \<open>p\<close> in the Gaussian integers must have norm \<open>p\<close>.
+\<close>
+lemma norm_prime_divisor:
+  fixes q :: gauss_int
+  assumes q: "prime_elem q" "q dvd of_nat p"
+  shows "gauss_int_norm q = p"
+proof -
+  from assms obtain r where r: "of_nat p = q * r"
+    by auto
+  have "p ^ 2 = gauss_int_norm (of_nat p)"
+    by simp
+  also have "\<dots> = gauss_int_norm q * gauss_int_norm r"
+    by (auto simp: r gauss_int_norm_mult)
+  finally have *: "gauss_int_norm q * gauss_int_norm r = p ^ 2"
+    by simp
+  hence "\<exists>i j. gauss_int_norm q = p ^ i \<and> gauss_int_norm r = p ^ j"
+    using prime_p by (intro prime_power_mult_nat)
+  then obtain i j where ij: "gauss_int_norm q = p ^ i" "gauss_int_norm r = p ^ j"
+    by blast
+  have ij_eq_2: "i + j = 2"
+  proof -
+    from * have "p ^ (i + j) = p ^ 2"
+      by (simp add: power_add ij)
+    thus ?thesis
+      using p_gt_2 by (subst (asm) power_inject_exp) auto
+  qed
+  hence "i = 0 \<and> j = 2 \<or> i = 1 \<and> j = 1 \<or> i = 2 \<and> j = 0" by auto
+  hence "i = 1"
+  proof (elim disjE)
+    assume "i = 2 \<and> j = 0"
+    hence "is_unit r"
+      using ij by (simp add: gauss_int_norm_eq_Suc_0_iff)
+    hence "prime_elem (of_nat p :: gauss_int)" using \<open>prime_elem q\<close>
+      by (simp add: prime_elem_mult_unit_left r mult.commute[of _ r])
+    with not_prime show "i = 1" by contradiction
+  qed (use q ij in \<open>auto simp: gauss_int_norm_eq_Suc_0_iff\<close>)
+  thus ?thesis using ij by simp
+qed
+
+text \<open>
+  We now show two lemmas that characterise the two prime factors of \<open>p\<close> in the
+  Gaussian integers: they are two conjugates $x\pm iy$ for positive integers \<open>x\<close> and \<open>y\<close> such
+  that $x^2 + y^2 = p$.
+\<close>
+lemma prime_divisor_exists:
+  obtains q where "prime q" "prime_elem (gauss_cnj q)" "ReZ q > 0" "ImZ q > 0"
+                  "of_nat p = q * gauss_cnj q" "gauss_int_norm q = p"
+proof -
+  have "\<exists>q::gauss_int. q dvd of_nat p \<and> prime q"
+    by (rule prime_divisor_exists) (use prime_p in \<open>auto simp: is_unit_gauss_int_iff'\<close>)
+  then obtain q :: gauss_int where q: "prime q" "q dvd of_nat p"
+    by blast
+  from \<open>prime q\<close> have [simp]: "q \<noteq> 0" by auto
+  have "normalize q = q"
+    using q by simp
+  hence q_signs: "ReZ q > 0" "ImZ q \<ge> 0"
+    by (subst (asm) normalized_gauss_int_iff; simp)+
+  
+  from q have "gauss_int_norm q = p"
+    using norm_prime_divisor[of q] by simp
+  moreover from this have "gauss_int_norm (gauss_cnj q) = p"
+    by simp
+  hence "prime_elem (gauss_cnj q)"
+    using prime_p by (intro prime_gauss_int_norm_imp_prime_elem) auto
+  moreover have "of_nat p = q * gauss_cnj q"
+    using \<open>gauss_int_norm q = p\<close> by (simp add: self_mult_gauss_cnj)
+  moreover have "ImZ q \<noteq> 0"
+  proof
+    assume [simp]: "ImZ q = 0"
+    define m where "m = nat (ReZ q)"
+    have [simp]: "q = of_nat m"
+      using q_signs by (auto simp: gauss_int_eq_iff m_def)
+    with q have "m dvd p"
+      by (simp add: of_nat_dvd_of_nat_gauss_int_iff)
+    with prime_p have "m = 1 \<or> m = p"
+      using prime_nat_iff by blast
+    with q show False using not_prime by auto
+  qed
+  with q_signs have "ImZ q > 0" by simp
+  ultimately show ?thesis using q q_signs by (intro that[of q])
+qed
+
+theorem prime_factorization:
+  obtains q1 q2
+  where "prime q1" "prime q2" "prime_factorization (of_nat p) = {#q1, q2#}" 
+        "gauss_int_norm q1 = p" "gauss_int_norm q2 = p" "q2 = \<i>\<^sub>\<int> * gauss_cnj q1"
+        "ReZ q1 > 0" "ImZ q1 > 0" "ReZ q1 > 0" "ImZ q2 > 0"
+proof -
+  obtain q where q: "prime q" "prime_elem (gauss_cnj q)" "ReZ q > 0" "ImZ q > 0"
+                    "of_nat p = q * gauss_cnj q" "gauss_int_norm q = p"
+    using prime_divisor_exists by metis
+  from \<open>prime q\<close> have [simp]: "q \<noteq> 0" by auto
+  define q' where "q' = normalize (gauss_cnj q)"
+  have "prime_factorization (of_nat p) = prime_factorization (prod_mset {#q, q'#})"
+    by (subst prime_factorization_unique) (auto simp: q q'_def)
+  also have "\<dots> = {#q, q'#}"
+    using q by (subst prime_factorization_prod_mset_primes) (auto simp: q'_def)
+  finally have "prime_factorization (of_nat p) = {#q, q'#}" .
+  moreover have "q' = \<i>\<^sub>\<int> * gauss_cnj q"
+    using q by (auto simp: normalize_gauss_int_def q'_def)
+  moreover have "prime q'"
+    using q by (auto simp: q'_def)
+  ultimately show ?thesis using q
+    by (intro that[of q q']) (auto simp: q'_def gauss_int_norm_mult)
+qed
+
+end
+
+text \<open>
+  In particular, a consequence of this is that any prime congruent 1 modulo 4
+  can be written as a sum of squares of positive integers.
+\<close>
+lemma prime_cong_1_mod_4_gauss_int_norm_exists:
+  fixes p :: nat
+  assumes "prime p" "[p = 1] (mod 4)"
+  shows   "\<exists>z. gauss_int_norm z = p \<and> ReZ z > 0 \<and> ImZ z > 0"
+proof -
+  from assms interpret noninert_gauss_int_prime p
+    by unfold_locales
+  from prime_divisor_exists obtain q
+    where q: "prime q" "of_nat p = q * gauss_cnj q" 
+             "ReZ q > 0" "ImZ q > 0" "gauss_int_norm q = p" by metis
+  have "p = gauss_int_norm q"
+    using q by simp
+  thus ?thesis using q by blast
+qed
+
+
+subsubsection \<open>Full classification of Gaussian primes\<close>
+
+text \<open>
+  Any prime in the ring of Gaussian integers is of the form
+
+    \<^item> \<open>1 + \<i>\<^sub>\<int>\<close>
+
+    \<^item> \<open>p\<close> where \<open>p \<in> \<nat>\<close> is prime in \<open>\<nat>\<close> and congruent 1 modulo 4
+
+    \<^item> $x + iy$ where $x,y$ are positive integers and $x^2 + y^2$ is a prime congruent 3 modulo 4
+
+  or an associated element of one of these.  
+\<close>
+theorem gauss_int_prime_classification:
+  fixes x :: gauss_int
+  assumes "prime x"
+  obtains 
+    (one_plus_i) "x = 1 + \<i>\<^sub>\<int>"
+  | (cong_3_mod_4) p where "x = of_nat p" "prime p" "[p = 3] (mod 4)"
+  | (cong_1_mod_4) "prime (gauss_int_norm x)" "[gauss_int_norm x = 1] (mod 4)"
+                   "ReZ x > 0" "ImZ x > 0" "ReZ x \<noteq> ImZ x"
+proof -
+  define N where "N = gauss_int_norm x"
+  have "x dvd x * gauss_cnj x"
+    by simp
+  also have "\<dots> = of_nat (gauss_int_norm x)"
+    by (simp add: self_mult_gauss_cnj)
+  finally have "x \<in> prime_factors (of_nat N)"
+    using assms by (auto simp: in_prime_factors_iff N_def)
+  also have "N = prod_mset (prime_factorization N)"
+    using assms unfolding N_def by (subst prod_mset_prime_factorization_nat) auto
+  also have "(of_nat \<dots> :: gauss_int) = 
+               prod_mset (image_mset of_nat (prime_factorization N))"
+    by (subst of_nat_prod_mset) auto
+  also have "prime_factors \<dots> = (\<Union>p\<in>prime_factors N. prime_factors (of_nat p))"
+    by (subst prime_factorization_prod_mset) auto
+  finally obtain p where p: "p \<in> prime_factors N" "x \<in> prime_factors (of_nat p)"
+    by auto
+
+  have "prime p"
+    using p by auto
+  hence "\<not>(2 * 2) dvd p"
+    using product_dvd_irreducibleD[of p 2 2]
+    by (auto simp flip: prime_elem_iff_irreducible)
+  hence "[p \<noteq> 0] (mod 4)"
+    using p by (auto simp: cong_0_iff in_prime_factors_iff)
+  hence "p mod 4 \<in> {1,2,3}" by (auto simp: cong_def)
+  thus ?thesis
+  proof (elim singletonE insertE)
+    assume "p mod 4 = 2"
+    hence "p mod 4 mod 2 = 0"
+      by simp
+    hence "p mod 2 = 0"
+      by (simp add: mod_mod_cancel)
+    with \<open>prime p\<close> have [simp]: "p = 2"
+      using prime_prime_factor two_is_prime_nat by blast
+    have "prime_factors (of_nat p) = {1 + \<i>\<^sub>\<int> :: gauss_int}"
+      by (simp add: prime_factorization_2_gauss_int)
+    with p show ?thesis using that(1) by auto
+  next
+    assume *: "p mod 4 = 3"
+    hence "prime_factors (of_nat p) = {of_nat p :: gauss_int}"
+      using prime_gauss_int_of_nat[of p] \<open>prime p\<close>
+      by (subst prime_factorization_prime) (auto simp: cong_def)
+    with p show ?thesis using that(2)[of p] *
+      by (auto simp: cong_def)
+  next
+    assume *: "p mod 4 = 1"
+    then interpret noninert_gauss_int_prime p
+      by unfold_locales (use \<open>prime p\<close> in \<open>auto simp: cong_def\<close>)
+    obtain q1 q2 :: gauss_int where q12:
+      "prime q1" "prime q2" "prime_factorization (of_nat p) = {#q1, q2#}"
+      "gauss_int_norm q1 = p" "gauss_int_norm q2 = p" "q2 = \<i>\<^sub>\<int> * gauss_cnj q1"
+      "ReZ q1 > 0" "ImZ q1 > 0" "ReZ q1 > 0" "ImZ q2 > 0"
+      using prime_factorization by metis
+    from p q12 have "x = q1 \<or> x = q2" by auto
+    with q12 have **: "gauss_int_norm x = p" "ReZ x > 0" "ImZ x > 0"
+      by auto
+    have "ReZ x \<noteq> ImZ x"
+    proof
+      assume "ReZ x = ImZ x"
+      hence "even (gauss_int_norm x)"
+        by (auto simp: gauss_int_norm_def nat_mult_distrib)
+      hence "even p" using \<open>gauss_int_norm x = p\<close>
+        by simp
+      with \<open>p mod 4 = 1\<close> show False
+        by presburger
+    qed
+    thus ?thesis using that(3) \<open>prime p\<close> * **
+      by (simp add: cong_def)
+  qed
+qed
+
+lemma prime_gauss_int_norm_squareD:
+  fixes z :: gauss_int
+  assumes "prime z" "gauss_int_norm z = p ^ 2"
+  shows   "prime p \<and> z = of_nat p"
+  using assms(1)
+proof (cases rule: gauss_int_prime_classification)
+  case one_plus_i
+  have "prime (2 :: nat)" by simp
+  also from one_plus_i have "2 = p ^ 2"
+    using assms(2) by (auto simp: gauss_int_norm_def)
+  finally show ?thesis by (simp add: prime_power_iff)
+next
+  case (cong_3_mod_4 p)
+  thus ?thesis using assms by auto
+next
+  case cong_1_mod_4
+  with assms show ?thesis
+    by (auto simp: prime_power_iff)
+qed
+
+lemma gauss_int_norm_eq_prime_squareD:
+  assumes "prime p" and "[p = 3] (mod 4)" and "gauss_int_norm z = p ^ 2"
+  shows   "normalize z = of_nat p" and "prime_elem z"
+proof -
+  have "\<exists>q::gauss_int. q dvd z \<and> prime q"
+    by (rule prime_divisor_exists) (use assms in \<open>auto simp: is_unit_gauss_int_iff'\<close>)
+  then obtain q :: gauss_int where q: "q dvd z" "prime q" by blast
+  have "gauss_int_norm q dvd gauss_int_norm z"
+    by (rule gauss_int_norm_dvd_mono) fact
+  also have "\<dots> = p ^ 2" by fact
+  finally obtain i where i: "i \<le> 2" "gauss_int_norm q = p ^ i"
+    by (subst (asm) divides_primepow_nat) (use assms q in auto)
+  from i assms q have "i \<noteq> 0"
+    by (auto intro!: Nat.gr0I simp: gauss_int_norm_eq_Suc_0_iff)
+  moreover from i assms q have "i \<noteq> 1"
+    using gauss_int_norm_not_3_mod_4[of q] by auto
+  ultimately have "i = 2" using i by auto
+  with i have "gauss_int_norm q = p ^ 2" by auto
+  hence [simp]: "q = of_nat p"
+    using prime_gauss_int_norm_squareD[of q p] q by auto
+  have "normalize (of_nat p) = normalize z"
+    using q assms
+    by (intro gauss_int_dvd_same_norm_imp_associated) auto
+  thus *: "normalize z = of_nat p" by simp
+
+  have "prime (normalize z)"
+    using prime_gauss_int_of_nat[of p] assms by (subst *) auto
+  thus "prime_elem z" by simp
+qed
+
+text \<open>
+  The following can be used as a primality test for Gaussian integers. It effectively
+  reduces checking the primality of a Gaussian integer to checking the primality of an
+  integer.
+
+  A Gaussian integer is prime if either its norm is either \<open>\<int>\<close>-prime or the square of
+  a \<open>\<int>\<close>-prime that is congruent 3 modulo 4.
+\<close>
+lemma prime_elem_gauss_int_iff:
+  fixes z :: gauss_int
+  defines "n \<equiv> gauss_int_norm z"
+  shows   "prime_elem z \<longleftrightarrow> prime n \<or> (\<exists>p. n = p ^ 2 \<and> prime p \<and> [p = 3] (mod 4))"
+proof
+  assume "prime n \<or> (\<exists>p. n = p ^ 2 \<and> prime p \<and> [p = 3] (mod 4))"
+  thus "prime_elem z"
+    by (auto intro: gauss_int_norm_eq_prime_squareD(2)
+                    prime_gauss_int_norm_imp_prime_elem simp: n_def)
+next
+  assume "prime_elem z"
+  hence "prime (normalize z)" by simp
+  thus "prime n \<or> (\<exists>p. n = p ^ 2 \<and> prime p \<and> [p = 3] (mod 4))"
+  proof (cases rule: gauss_int_prime_classification)
+    case one_plus_i
+    have "n = gauss_int_norm (normalize z)"
+      by (simp add: n_def)
+    also have "normalize z = 1 + \<i>\<^sub>\<int>"
+      by fact
+    also have "gauss_int_norm \<dots> = 2"
+      by (simp add: gauss_int_norm_def)
+    finally show ?thesis by simp
+  next
+    case (cong_3_mod_4 p)
+    have "n = gauss_int_norm (normalize z)"
+      by (simp add: n_def)
+    also have "normalize z = of_nat p"
+      by fact
+    also have "gauss_int_norm \<dots> = p ^ 2"
+      by simp
+    finally show ?thesis using cong_3_mod_4 by simp
+  next
+    case cong_1_mod_4
+    thus ?thesis by (simp add: n_def)
+  qed
+qed
+
+
+subsubsection \<open>Multiplicities of primes\<close>
+
+text \<open>
+  In this section, we will show some results connecting the multiplicity of a Gaussian prime \<open>p\<close>
+  in a Gaussian integer \<open>z\<close> to the \<open>\<int>\<close>-multiplicity of the norm of \<open>p\<close> in the norm of \<open>z\<close>.
+\<close>
+
+text \<open>
+  The multiplicity of the Gaussian prime \<^term>\<open>1 + \<i>\<^sub>\<int>\<close> in an integer \<open>c\<close> is simply
+  twice the \<open>\<int>\<close>-multiplicity of 2 in \<open>c\<close>:
+\<close>
+lemma multiplicity_prime_1_plus_i_aux: "multiplicity (1 + \<i>\<^sub>\<int>) (of_nat c) = 2 * multiplicity 2 c"
+proof (cases "c = 0")
+  case [simp]: False
+  have "2 * multiplicity 2 c = multiplicity 2 (c ^ 2)"
+    by (simp add: prime_elem_multiplicity_power_distrib)
+  also have "multiplicity 2 (c ^ 2) = multiplicity (of_nat 2) (of_nat c ^ 2 :: gauss_int)"
+    by (simp flip: multiplicity_gauss_int_of_nat)
+  also have "of_nat 2 = (-\<i>\<^sub>\<int>) * (1 + \<i>\<^sub>\<int>) ^ 2"
+    by (simp add: algebra_simps power2_eq_square)
+  also have "multiplicity \<dots> (of_nat c ^ 2) = multiplicity ((1 + \<i>\<^sub>\<int>) ^ 2) (of_nat c ^ 2)"
+    by (subst multiplicity_times_unit_left) auto
+  also have "\<dots> = multiplicity (1 + \<i>\<^sub>\<int>) (of_nat c)"
+    by (subst multiplicity_power_power) auto
+  finally show ?thesis ..
+qed auto
+
+text \<open>
+  Tha multiplicity of an inert Gaussian prime $q\in\mathbb{Z}$ in a Gaussian integer \<open>z\<close> is 
+  precisely half the \<open>\<int>\<close>-multiplicity of \<open>q\<close> in the norm of \<open>z\<close>.
+\<close>
+lemma multiplicity_prime_cong_3_mod_4:
+  assumes "prime (of_nat q :: gauss_int)"
+  shows   "multiplicity q (gauss_int_norm z) = 2 * multiplicity (of_nat q) z"
+proof (cases "z = 0")
+  case [simp]: False
+  have "multiplicity q (gauss_int_norm z) =
+          multiplicity (of_nat q) (of_nat (gauss_int_norm z) :: gauss_int)"
+    by (simp add: multiplicity_gauss_int_of_nat)
+  also have "\<dots> = multiplicity (of_nat q) (z * gauss_cnj z)"
+    by (simp add: self_mult_gauss_cnj)
+  also have "\<dots> = multiplicity (of_nat q) z + multiplicity (gauss_cnj (of_nat q)) (gauss_cnj z)"
+    using assms by (subst prime_elem_multiplicity_mult_distrib) auto
+  also have "multiplicity (gauss_cnj (of_nat q)) (gauss_cnj z) = multiplicity (of_nat q) z"
+    by (subst multiplicity_gauss_cnj) auto
+  also have "\<dots> + \<dots> = 2 * \<dots>"
+    by simp
+  finally show ?thesis .
+qed auto
+
+text \<open>
+  For Gaussian primes \<open>p\<close> whose norm is congruent 1 modulo 4, the $\mathbb{Z}[i]$-multiplicity
+  of \<open>p\<close> in an integer \<open>c\<close> is just the \<open>\<int>\<close>-multiplicity of their norm in \<open>c\<close>.
+\<close>
+lemma multiplicity_prime_cong_1_mod_4_aux:
+  fixes p :: gauss_int
+  assumes "prime_elem p" "ReZ p > 0" "ImZ p > 0" "ImZ p \<noteq> ReZ p"
+  shows "multiplicity p (of_nat c) = multiplicity (gauss_int_norm p) c"
+proof (cases "c = 0")
+  case [simp]: False
+  show ?thesis
+  proof (intro antisym multiplicity_geI)
+    define k where "k = multiplicity p (of_nat c)"
+    have "p ^ k dvd of_nat c"
+      by (simp add: multiplicity_dvd k_def)
+    moreover have "gauss_cnj p ^ k dvd of_nat c"
+      using multiplicity_dvd[of "gauss_cnj p" "of_nat c"]
+            multiplicity_gauss_cnj[of p "of_nat c"] by (simp add: k_def)
+    moreover have "\<not>p dvd gauss_cnj p"
+      using assms by (subst self_dvd_gauss_cnj_iff) auto
+    hence "\<not>p dvd gauss_cnj p ^ k"
+      using assms prime_elem_dvd_power by blast
+    ultimately have "p ^ k * gauss_cnj p ^ k dvd of_nat c"
+      using assms by (intro prime_elem_power_mult_dvdI) auto
+    also have "p ^ k * gauss_cnj p ^ k = of_nat (gauss_int_norm p ^ k)"
+      by (simp flip: self_mult_gauss_cnj add: power_mult_distrib)
+    finally show "gauss_int_norm p ^ k dvd c"
+      by (subst (asm) of_nat_dvd_of_nat_gauss_int_iff)
+  next
+    define k where "k = multiplicity (gauss_int_norm p) c"
+    have "p ^ k dvd (p * gauss_cnj p) ^ k"
+      by (intro dvd_power_same) auto
+    also have "\<dots> = of_nat (gauss_int_norm p ^ k)"
+      by (simp add: self_mult_gauss_cnj)
+    also have "\<dots> dvd of_nat c"
+      unfolding of_nat_dvd_of_nat_gauss_int_iff by (auto simp: k_def multiplicity_dvd)
+    finally show "p ^ k dvd of_nat c" .
+  qed (use assms in \<open>auto simp: gauss_int_norm_eq_Suc_0_iff\<close>)
+qed auto
+
+text \<open>
+  The multiplicity of a Gaussian prime with norm congruent 1 modulo 4 in some Gaussian integer \<open>z\<close>
+  and the multiplicity of its conjugate in \<open>z\<close> sum to the the \<open>\<int>\<close>-multiplicity of their norm in
+  the norm of \<open>z\<close>:
+\<close>
+lemma multiplicity_prime_cong_1_mod_4:
+  fixes p :: gauss_int
+  assumes "prime_elem p" "ReZ p > 0" "ImZ p > 0" "ImZ p \<noteq> ReZ p"
+  shows "multiplicity (gauss_int_norm p) (gauss_int_norm z) =
+           multiplicity p z + multiplicity (gauss_cnj p) z"
+proof (cases "z = 0")
+  case [simp]: False
+  have "multiplicity (gauss_int_norm p) (gauss_int_norm z) = 
+          multiplicity p (of_nat (gauss_int_norm z))"
+    using assms by (subst multiplicity_prime_cong_1_mod_4_aux) auto
+  also have "\<dots> = multiplicity p (z * gauss_cnj z)"
+    by (simp add: self_mult_gauss_cnj)
+  also have "\<dots> = multiplicity p z + multiplicity p (gauss_cnj z)"
+    using assms by (subst prime_elem_multiplicity_mult_distrib) auto
+  also have "multiplicity p (gauss_cnj z) = multiplicity (gauss_cnj p) z"
+    by (subst multiplicity_gauss_cnj [symmetric]) auto
+  finally show ?thesis .
+qed auto
+
+text \<open>
+  The multiplicity of the Gaussian prime \<^term>\<open>1 + \<i>\<^sub>\<int>\<close> in a Gaussian integer \<open>z\<close> is precisely
+  the \<open>\<int>\<close>-multiplicity of 2 in the norm of \<open>z\<close>:
+\<close>
+lemma multiplicity_prime_1_plus_i: "multiplicity (1 + \<i>\<^sub>\<int>) z = multiplicity 2 (gauss_int_norm z)"
+proof (cases "z = 0")
+  case [simp]: False
+  note [simp] = prime_elem_one_plus_i_gauss_int
+  have "2 * multiplicity 2 (gauss_int_norm z) = multiplicity (1 + \<i>\<^sub>\<int>) (of_nat (gauss_int_norm z))" 
+    by (rule multiplicity_prime_1_plus_i_aux [symmetric])
+  also have "\<dots> = multiplicity (1 + \<i>\<^sub>\<int>) (z * gauss_cnj z)"
+    by (simp add: self_mult_gauss_cnj)
+  also have "\<dots> = multiplicity (1 + \<i>\<^sub>\<int>) z + multiplicity (gauss_cnj (1 - \<i>\<^sub>\<int>)) (gauss_cnj z)"
+    by (subst prime_elem_multiplicity_mult_distrib) auto
+  also have "multiplicity (gauss_cnj (1 - \<i>\<^sub>\<int>)) (gauss_cnj z) = multiplicity (1 - \<i>\<^sub>\<int>) z"
+    by (subst multiplicity_gauss_cnj) auto
+  also have "1 - \<i>\<^sub>\<int> = (-\<i>\<^sub>\<int>) * (1 + \<i>\<^sub>\<int>)"
+    by (simp add: algebra_simps)
+  also have "multiplicity \<dots> z = multiplicity (1 + \<i>\<^sub>\<int>) z"
+    by (subst multiplicity_times_unit_left) auto
+  also have "\<dots> + \<dots> = 2 * \<dots>"
+    by simp
+  finally show ?thesis by simp
+qed auto
+
+
+subsection \<open>Coprimality of an element and its conjugate\<close>
+
+text \<open>
+  Using the classification of the primes, we now show that if the real and imaginary parts of a
+  Gaussian integer are coprime and its norm is odd, then it is coprime to its own conjugate.
+\<close>
+lemma coprime_self_gauss_cnj:
+  assumes "coprime (ReZ z) (ImZ z)" and "odd (gauss_int_norm z)"
+  shows   "coprime z (gauss_cnj z)"
+proof (rule coprimeI)
+  fix d assume "d dvd z" "d dvd gauss_cnj z"
+  have *: False if "p \<in> prime_factors z" "p \<in> prime_factors (gauss_cnj z)" for p
+  proof -
+    from that have p: "prime p" "p dvd z" "p dvd gauss_cnj z"
+      by auto
+
+    define p' where "p' = gauss_cnj p"
+    define d where "d = gauss_int_norm p"
+    have of_nat_d_eq: "of_nat d = p * p'"
+      by (simp add: p'_def self_mult_gauss_cnj d_def)
+    have "prime_elem p" "prime_elem p'" "p dvd z" "p' dvd z" "p dvd gauss_cnj z" "p' dvd gauss_cnj z"
+      using that by (auto simp: in_prime_factors_iff p'_def gauss_cnj_dvd_left_iff)
+
+    have "prime p"
+      using that by auto
+    then obtain q where q: "prime q" "of_nat q dvd z"
+    proof (cases rule: gauss_int_prime_classification)
+      case one_plus_i
+      hence "2 = gauss_int_norm p"
+        by (auto simp: gauss_int_norm_def)
+      also have "gauss_int_norm p dvd gauss_int_norm z"
+        using p by (intro gauss_int_norm_dvd_mono) auto
+      finally have "even (gauss_int_norm z)" .
+      with \<open>odd (gauss_int_norm z)\<close> show ?thesis
+        by contradiction
+    next
+      case (cong_3_mod_4 q)
+      thus ?thesis using that[of q] p by simp
+    next
+      case cong_1_mod_4
+      hence "\<not>p dvd p'"
+        unfolding p'_def by (subst self_dvd_gauss_cnj_iff) auto
+      hence "p * p' dvd z" using p
+        by (intro prime_elem_mult_dvdI) (auto simp: p'_def gauss_cnj_dvd_left_iff)
+      also have "p * p' = of_nat (gauss_int_norm p)"
+        by (simp add: p'_def self_mult_gauss_cnj)
+      finally show ?thesis using that[of "gauss_int_norm p"] cong_1_mod_4
+        by simp
+    qed
+
+    have "of_nat q dvd gcd (2 * of_int (ReZ z)) (2 * \<i>\<^sub>\<int> * of_int (ImZ z))"
+    proof (rule gcd_greatest)
+      have "of_nat q dvd (z + gauss_cnj z)"
+        using q by (auto simp: gauss_cnj_dvd_right_iff)
+      also have "\<dots> = 2 * of_int (ReZ z)"
+        by (simp add: self_plus_gauss_cnj)
+      finally show "of_nat q dvd (2 * of_int (ReZ z) :: gauss_int)" .
+    next
+      have "of_nat q dvd (z - gauss_cnj z)"
+        using q by (auto simp: gauss_cnj_dvd_right_iff)
+      also have "\<dots> = 2 * \<i>\<^sub>\<int> * of_int (ImZ z)"
+        by (simp add: self_minus_gauss_cnj)
+      finally show "of_nat q dvd (2 * \<i>\<^sub>\<int> * of_int (ImZ z))" .
+    qed
+    also have "\<dots> = 2"
+    proof -
+      have "odd (ReZ z) \<or> odd (ImZ z)"
+        using assms by (auto simp: gauss_int_norm_def even_nat_iff)
+      thus ?thesis
+      proof
+        assume "odd (ReZ z)"
+        hence "coprime (of_int (ReZ z)) (of_int 2 :: gauss_int)"
+          unfolding coprime_of_int_gauss_int coprime_right_2_iff_odd .
+        thus ?thesis
+          using assms
+          by (subst gcd_mult_left_right_cancel)
+             (auto simp: coprime_of_int_gauss_int coprime_commute is_unit_left_imp_coprime
+                         is_unit_right_imp_coprime gcd_proj1_if_dvd gcd_proj2_if_dvd)
+      next
+        assume "odd (ImZ z)"
+        hence "coprime (of_int (ImZ z)) (of_int 2 :: gauss_int)"
+          unfolding coprime_of_int_gauss_int coprime_right_2_iff_odd .
+        hence "gcd (2 * of_int (ReZ z)) (2 * \<i>\<^sub>\<int> * of_int (ImZ z)) = gcd (2 * of_int (ReZ z)) (2 * \<i>\<^sub>\<int>)"
+          using assms
+          by (subst gcd_mult_right_right_cancel)
+             (auto simp: coprime_of_int_gauss_int coprime_commute is_unit_left_imp_coprime
+                         is_unit_right_imp_coprime)
+        also have "\<dots> = normalize (2 * gcd (of_int (ReZ z)) \<i>\<^sub>\<int>)"
+          by (subst gcd_mult_left) auto
+        also have "gcd (of_int (ReZ z)) \<i>\<^sub>\<int> = 1"
+          by (subst coprime_iff_gcd_eq_1 [symmetric], rule is_unit_right_imp_coprime) auto
+        finally show ?thesis by simp
+      qed
+    qed
+    finally have "of_nat q dvd (of_nat 2 :: gauss_int)"
+      by simp
+    hence "q dvd 2"
+      by (simp only: of_nat_dvd_of_nat_gauss_int_iff)
+    with \<open>prime q\<close> have "q = 2"
+      using primes_dvd_imp_eq two_is_prime_nat by blast
+    with q have "2 dvd z"
+      by auto
+
+    have "2 dvd gauss_int_norm 2"
+      by simp
+    also have "\<dots> dvd gauss_int_norm z"
+      using \<open>2 dvd z\<close> by (intro gauss_int_norm_dvd_mono)
+    finally show False using \<open>odd (gauss_int_norm z)\<close> by contradiction
+  qed
+
+  fix d :: gauss_int
+  assume d: "d dvd z" "d dvd gauss_cnj z"
+  show "is_unit d"
+  proof (rule ccontr)
+    assume "\<not>is_unit d"
+    moreover from d assms have "d \<noteq> 0"
+      by auto
+    ultimately obtain p where p: "prime p" "p dvd d"
+      using prime_divisorE by blast
+    with d have "p \<in> prime_factors z" "p \<in> prime_factors (gauss_cnj z)"
+      using assms by (auto simp: in_prime_factors_iff)
+    with *[of p] show False by blast
+  qed
+qed
+
+
+subsection \<open>Square decompositions of prime numbers congruent 1 mod 4\<close>
+
+lemma prime_1_mod_4_sum_of_squares_unique_aux:
+  fixes p x y :: nat
+  assumes "prime p" "[p = 1] (mod 4)" "x ^ 2 + y ^ 2 = p"
+  shows   "x > 0 \<and> y > 0 \<and> x \<noteq> y"
+proof safe
+  from assms show "x > 0" "y > 0"
+    by (auto intro!: Nat.gr0I simp: prime_power_iff)
+next
+  assume "x = y"
+  with assms have "p = 2 * x ^ 2"
+    by simp
+  with \<open>prime p\<close> have "p = 2"
+    by (auto dest: prime_product)
+  with \<open>[p = 1] (mod 4)\<close> show False
+    by (simp add: cong_def)
+qed
+
+text \<open>
+  Any prime number congruent 1 modulo 4 can be written \<^emph>\<open>uniquely\<close> as a sum of two squares
+  $x^2 + y^2$ (up to commutativity of the addition). Additionally, we have shown above that
+  \<open>x\<close> and \<open>y\<close> are both positive and \<open>x \<noteq> y\<close>.
+\<close>
+lemma prime_1_mod_4_sum_of_squares_unique:
+  fixes p :: nat
+  assumes "prime p" "[p = 1] (mod 4)"
+  shows   "\<exists>!(x,y). x \<le> y \<and> x ^ 2 + y ^ 2 = p"
+proof (rule ex_ex1I)
+  obtain z where z: "gauss_int_norm z = p"
+    using prime_cong_1_mod_4_gauss_int_norm_exists[OF assms] by blast
+  show "\<exists>z. case z of (x,y) \<Rightarrow> x \<le> y \<and> x ^ 2 + y ^ 2 = p"
+  proof (cases "\<bar>ReZ z\<bar> \<le> \<bar>ImZ z\<bar>")
+    case True
+    with z show ?thesis by
+      (intro exI[of _ "(nat \<bar>ReZ z\<bar>, nat \<bar>ImZ z\<bar>)"])
+      (auto simp: gauss_int_norm_def nat_add_distrib simp flip: nat_power_eq)
+  next
+    case False
+    with z show ?thesis by
+      (intro exI[of _ "(nat \<bar>ImZ z\<bar>, nat \<bar>ReZ z\<bar>)"])
+      (auto simp: gauss_int_norm_def nat_add_distrib simp flip: nat_power_eq)
+  qed
+next
+  fix z1 z2
+  assume z1: "case z1 of (x, y) \<Rightarrow> x \<le> y \<and> x\<^sup>2 + y\<^sup>2 = p"
+  assume z2: "case z2 of (x, y) \<Rightarrow> x \<le> y \<and> x\<^sup>2 + y\<^sup>2 = p"
+  define z1' :: gauss_int where "z1' = of_nat (fst z1) + \<i>\<^sub>\<int> * of_nat (snd z1)"
+  define z2' :: gauss_int where "z2' = of_nat (fst z2) + \<i>\<^sub>\<int> * of_nat (snd z2)"
+  from assms interpret noninert_gauss_int_prime p
+    by unfold_locales auto
+  have norm_z1': "gauss_int_norm z1' = p"
+    using z1 by (simp add: z1'_def gauss_int_norm_def case_prod_unfold nat_add_distrib nat_power_eq)
+  have norm_z2': "gauss_int_norm z2' = p"
+    using z2 by (simp add: z2'_def gauss_int_norm_def case_prod_unfold nat_add_distrib nat_power_eq)
+
+  have sgns: "fst z1 > 0" "snd z1 > 0" "fst z2 > 0" "snd z2 > 0" "fst z1 \<noteq> snd z1" "fst z2 \<noteq> snd z2"
+    using prime_1_mod_4_sum_of_squares_unique_aux[OF assms, of "fst z1" "snd z1"] z1
+          prime_1_mod_4_sum_of_squares_unique_aux[OF assms, of "fst z2" "snd z2"] z2 by auto
+  have [simp]: "normalize z1' = z1'" "normalize z2' = z2'"
+    using sgns by (subst normalized_gauss_int_iff; simp add: z1'_def z2'_def)+
+  have "prime z1'" "prime z2'"
+    using norm_z1' norm_z2' assms unfolding prime_def
+    by (auto simp: prime_gauss_int_norm_imp_prime_elem)
+
+  have "of_nat p = z1' * gauss_cnj z1'"
+    by (simp add: self_mult_gauss_cnj norm_z1')
+  hence "z1' dvd of_nat p"
+    by simp
+  also have "of_nat p = z2' * gauss_cnj z2'"
+    by (simp add: self_mult_gauss_cnj norm_z2')
+  finally have "z1' dvd z2' \<or> z1' dvd gauss_cnj z2'" using assms
+    by (subst (asm) prime_elem_dvd_mult_iff)
+       (simp add: norm_z1' prime_gauss_int_norm_imp_prime_elem)
+  thus "z1 = z2"
+  proof
+    assume "z1' dvd z2'"
+    with \<open>prime z1'\<close> \<open>prime z2'\<close> have "z1' = z2'"
+      by (simp add: primes_dvd_imp_eq)
+    thus ?thesis
+      by (simp add: z1'_def z2'_def gauss_int_eq_iff prod_eq_iff)
+  next
+    assume dvd: "z1' dvd gauss_cnj z2'"
+    have "normalize (\<i>\<^sub>\<int> * gauss_cnj z2') = \<i>\<^sub>\<int> * gauss_cnj z2'"
+      using sgns by (subst normalized_gauss_int_iff) (auto simp: z2'_def)
+    moreover have "prime_elem (\<i>\<^sub>\<int> * gauss_cnj z2')"
+      by (rule prime_gauss_int_norm_imp_prime_elem)
+         (simp add: gauss_int_norm_mult norm_z2' \<open>prime p\<close>)
+    ultimately have "prime (\<i>\<^sub>\<int> * gauss_cnj z2')"
+      by (simp add: prime_def)
+    moreover from dvd have "z1' dvd \<i>\<^sub>\<int> * gauss_cnj z2'"
+      by simp
+    ultimately have "z1' = \<i>\<^sub>\<int> * gauss_cnj z2'"
+      using \<open>prime z1'\<close> by (simp add: primes_dvd_imp_eq)
+    hence False using z1 z2 sgns
+      by (auto simp: gauss_int_eq_iff z1'_def z2'_def)
+    thus ?thesis ..
+  qed
+qed
+
+lemma two_sum_of_squares_nat_iff: "(x :: nat) ^ 2 + y ^ 2 = 2 \<longleftrightarrow> x = 1 \<and> y = 1"
+proof
+  assume eq: "x ^ 2 + y ^ 2 = 2"
+  have square_neq_2: "n ^ 2 \<noteq> 2" for n :: nat
+  proof
+    assume *: "n ^ 2 = 2"
+    have "prime (2 :: nat)"
+      by simp
+    thus False by (subst (asm) * [symmetric]) (auto simp: prime_power_iff)
+  qed
+
+  from eq have "x ^ 2 < 2 ^ 2" "y ^ 2 < 2 ^ 2"
+    by simp_all
+  hence "x < 2" "y < 2"
+    using power2_less_imp_less[of x 2] power2_less_imp_less[of y 2] by auto
+  moreover have "x > 0" "y > 0"
+    using eq square_neq_2[of x] square_neq_2[of y] by (auto intro!: Nat.gr0I)
+  ultimately show "x = 1 \<and> y = 1"
+    by auto
+qed auto
+
+lemma prime_sum_of_squares_unique:
+  fixes p :: nat
+  assumes "prime p" "p = 2 \<or> [p = 1] (mod 4)"
+  shows   "\<exists>!(x,y). x \<le> y \<and> x ^ 2 + y ^ 2 = p"
+  using assms(2)
+proof
+  assume [simp]: "p = 2"
+  have **: "(\<lambda>(x,y). x \<le> y \<and> x ^ 2 + y ^ 2 = p) = (\<lambda>z. z = (1,1 :: nat))"
+    using two_sum_of_squares_nat_iff by (auto simp: fun_eq_iff)
+  thus ?thesis
+    by (subst **) auto
+qed (use prime_1_mod_4_sum_of_squares_unique[of p] assms in auto)
+
+text \<open>
+  We now give a simple and inefficient algorithm to compute the canonical decomposition
+  $x ^ 2 + y ^ 2$ with $x\leq y$.
+\<close>
+definition prime_square_sum_nat_decomp :: "nat \<Rightarrow> nat \<times> nat" where
+  "prime_square_sum_nat_decomp p =
+     (if prime p \<and> (p = 2 \<or> [p = 1] (mod 4))
+      then THE (x,y). x \<le> y \<and> x ^ 2 + y ^ 2 = p else (0, 0))"
+
+lemma prime_square_sum_nat_decomp_eqI:
+  assumes "prime p" "x ^ 2 + y ^ 2 = p" "x \<le> y"
+  shows   "prime_square_sum_nat_decomp p = (x, y)"
+proof -
+  have "[gauss_int_norm (of_nat x + \<i>\<^sub>\<int> * of_nat y) \<noteq> 3] (mod 4)"
+    by (rule gauss_int_norm_not_3_mod_4)
+  also have "gauss_int_norm (of_nat x + \<i>\<^sub>\<int> * of_nat y) = p"
+    using assms by (auto simp: gauss_int_norm_def nat_add_distrib nat_power_eq)
+  finally have "[p \<noteq> 3] (mod 4)" .
+  with prime_mod_4_cases[of p] assms have *: "p = 2 \<or> [p = 1] (mod 4)"
+    by auto
+
+  have "prime_square_sum_nat_decomp p = (THE (x,y). x \<le> y \<and> x ^ 2 + y ^ 2 = p)"
+    using * \<open>prime p\<close> by (simp add: prime_square_sum_nat_decomp_def)
+  also have "\<dots> = (x, y)"
+  proof (rule the1_equality)
+    show "\<exists>!(x,y). x \<le> y \<and> x ^ 2 + y ^ 2 = p"
+      using \<open>prime p\<close> * by (rule prime_sum_of_squares_unique)
+  qed (use assms in auto)
+  finally show ?thesis .
+qed
+
+lemma prime_square_sum_nat_decomp_correct:
+  assumes "prime p" "p = 2 \<or> [p = 1] (mod 4)"
+  defines "z \<equiv> prime_square_sum_nat_decomp p"
+  shows "fst z ^ 2 + snd z ^ 2 = p" "fst z \<le> snd z"
+proof -
+  define z' where "z' = (THE (x,y). x \<le> y \<and> x ^ 2 + y ^ 2 = p)"
+  have "z = z'"
+    unfolding z_def z'_def using assms by (simp add: prime_square_sum_nat_decomp_def)
+  also have"\<exists>!(x,y). x \<le> y \<and> x ^ 2 + y ^ 2 = p"
+    using assms by (intro prime_sum_of_squares_unique)
+  hence "case z' of (x, y) \<Rightarrow> x \<le> y \<and> x ^ 2 + y ^ 2 = p"
+    unfolding z'_def by (rule theI')
+  finally show "fst z ^ 2 + snd z ^ 2 = p" "fst z \<le> snd z"
+    by auto
+qed
+
+lemma sum_of_squares_nat_bound:
+  fixes x y n :: nat
+  assumes "x ^ 2 + y ^ 2 = n"
+  shows   "x \<le> n"
+proof (cases "x = 0")
+  case False
+  hence "x * 1 \<le> x ^ 2"
+    unfolding power2_eq_square by (intro mult_mono) auto
+  also have "\<dots> \<le> x ^ 2 + y ^ 2"
+    by simp
+  also have "\<dots> = n"
+    by fact
+  finally show ?thesis by simp
+qed auto
+
+lemma sum_of_squares_nat_bound':
+  fixes x y n :: nat
+  assumes "x ^ 2 + y ^ 2 = n"
+  shows   "y \<le> n"
+  using sum_of_squares_nat_bound[of y x] assms by (simp add: add.commute)
+
+lemma is_singleton_conv_Ex1:
+  "is_singleton A \<longleftrightarrow> (\<exists>!x. x \<in> A)"
+proof
+  assume "is_singleton A"
+  thus "\<exists>!x. x \<in> A"
+    by (auto elim!: is_singletonE)
+next
+  assume "\<exists>!x. x \<in> A"
+  thus "is_singleton A"
+    by (metis equals0D is_singletonI')
+qed
+
+lemma the_elemI:
+  assumes "is_singleton A"
+  shows   "the_elem A \<in> A"
+  using assms by (elim is_singletonE) auto
+
+lemma prime_square_sum_nat_decomp_code_aux:
+  assumes "prime p" "p = 2 \<or> [p = 1] (mod 4)"
+  defines "z \<equiv> the_elem (Set.filter (\<lambda>(x,y). x ^ 2 + y ^ 2 = p) (SIGMA x:{0..p}. {x..p}))"
+  shows "prime_square_sum_nat_decomp p = z"
+proof -
+  let ?A = "Set.filter (\<lambda>(x,y). x ^ 2 + y ^ 2 = p) (SIGMA x:{0..p}. {x..p})"
+  have eq: "?A = {(x,y). x \<le> y \<and> x ^ 2 + y ^ 2 = p}"
+    using sum_of_squares_nat_bound sum_of_squares_nat_bound' by auto
+  have z: "z \<in> Set.filter (\<lambda>(x,y). x ^ 2 + y ^ 2 = p) (SIGMA x:{0..p}. {x..p})"
+    unfolding z_def eq using prime_sum_of_squares_unique[OF assms(1,2)]
+    by (intro the_elemI) (simp add: is_singleton_conv_Ex1)
+  have "prime_square_sum_nat_decomp p = (fst z, snd z)"
+    using z by (intro prime_square_sum_nat_decomp_eqI[OF assms(1)]) auto
+  also have "\<dots> = z"
+    by simp
+  finally show ?thesis .
+qed
+
+lemma prime_square_sum_nat_decomp_code [code]:
+  "prime_square_sum_nat_decomp p =
+     (if prime p \<and> (p = 2 \<or> [p = 1] (mod 4))
+      then the_elem (Set.filter (\<lambda>(x,y). x ^ 2 + y ^ 2 = p) (SIGMA x:{0..p}. {x..p}))
+      else (0, 0))"
+  using prime_square_sum_nat_decomp_code_aux[of p]
+  by (auto simp: prime_square_sum_nat_decomp_def)
+
+
+subsection \<open>Executable factorisation of Gaussian integers\<close>
+
+text \<open>
+  Lastly, we use all of the above to give an executable (albeit not very efficient) factorisation
+  algorithm for Gaussian integers based on factorisation of regular integers. Note that we will
+  only compute the set of prime factors without multiplicity, but given that, it would be fairly
+  easy to determine the multiplicity as well.
+
+  First, we need the following function that computes the Gaussian integer factors of a 
+  \<open>\<int>\<close>-prime \<open>p\<close>:
+\<close>
+definition factor_gauss_int_prime_nat :: "nat \<Rightarrow> gauss_int list" where
+  "factor_gauss_int_prime_nat p =
+     (if p = 2 then [1 + \<i>\<^sub>\<int>]
+      else if [p = 3] (mod 4) then [of_nat p]
+      else case prime_square_sum_nat_decomp p of
+             (x, y) \<Rightarrow> [of_nat x + \<i>\<^sub>\<int> * of_nat y, of_nat y + \<i>\<^sub>\<int> * of_nat x])"
+
+lemma factor_gauss_int_prime_nat_correct:
+  assumes "prime p"
+  shows   "set (factor_gauss_int_prime_nat p) = prime_factors (of_nat p)"
+  using prime_mod_4_cases[OF assms]
+proof (elim disjE)
+  assume "p = 2"
+  thus ?thesis
+    by (auto simp: prime_factorization_2_gauss_int factor_gauss_int_prime_nat_def)
+next
+  assume *: "[p = 3] (mod 4)"
+  with assms have "prime (of_nat p :: gauss_int)"
+    by (intro prime_gauss_int_of_nat)
+  thus ?thesis using assms *
+    by (auto simp: prime_factorization_prime factor_gauss_int_prime_nat_def cong_def)
+next
+  assume *: "[p = 1] (mod 4)"
+  then interpret noninert_gauss_int_prime p
+    using \<open>prime p\<close> by unfold_locales
+  define z where "z = prime_square_sum_nat_decomp p"
+  define x y where "x = fst z" and "y = snd z"
+  have xy: "x ^ 2 + y ^ 2 = p" "x \<le> y"
+    using prime_square_sum_nat_decomp_correct[of p] * assms
+    by (auto simp: x_def y_def z_def)
+  from xy have xy_signs: "x > 0" "y > 0"
+    using prime_1_mod_4_sum_of_squares_unique_aux[of p x y] assms * by auto
+  have norms: "gauss_int_norm (of_nat x + \<i>\<^sub>\<int> * of_nat y) = p"
+              "gauss_int_norm (of_nat y + \<i>\<^sub>\<int> * of_nat x) = p"
+    using xy by (auto simp: gauss_int_norm_def nat_add_distrib nat_power_eq)
+  have prime: "prime (of_nat x + \<i>\<^sub>\<int> * of_nat y)" "prime (of_nat y + \<i>\<^sub>\<int> * of_nat x)"
+    using norms xy_signs \<open>prime p\<close> unfolding prime_def normalized_gauss_int_iff
+    by (auto intro!: prime_gauss_int_norm_imp_prime_elem)
+
+  have "normalize ((of_nat x + \<i>\<^sub>\<int> * of_nat y) * (of_nat y + \<i>\<^sub>\<int> * of_nat x)) = of_nat p"
+  proof -
+    have "(of_nat x + \<i>\<^sub>\<int> * of_nat y) * (of_nat y + \<i>\<^sub>\<int> * of_nat x) = (\<i>\<^sub>\<int> * of_nat p :: gauss_int)"
+      by (subst xy(1) [symmetric]) (auto simp: gauss_int_eq_iff power2_eq_square)
+    also have "normalize \<dots> = of_nat p"
+      by simp
+    finally show ?thesis .
+  qed
+  hence "prime_factorization (of_nat p) =
+         prime_factorization (prod_mset {#of_nat x + \<i>\<^sub>\<int> * of_nat y, of_nat y + \<i>\<^sub>\<int> * of_nat x#})"
+    using assms xy by (subst prime_factorization_unique) (auto simp: gauss_int_eq_iff)
+  also have "\<dots> = {#of_nat x + \<i>\<^sub>\<int> * of_nat y, of_nat y + \<i>\<^sub>\<int> * of_nat x#}"
+    using prime by (subst prime_factorization_prod_mset_primes) auto
+  finally have "prime_factors (of_nat p) = {of_nat x + \<i>\<^sub>\<int> * of_nat y, of_nat y + \<i>\<^sub>\<int> * of_nat x}"
+    by simp
+  also have "\<dots> = set (factor_gauss_int_prime_nat p)"
+    using * unfolding factor_gauss_int_prime_nat_def case_prod_unfold
+    by (auto simp: cong_def x_def y_def z_def)
+  finally show ?thesis ..
+qed
+
+text \<open>
+  Next, we lift this to compute the prime factorisation of any integer in the Gaussian integers:
+\<close>
+definition prime_factors_gauss_int_of_nat :: "nat \<Rightarrow> gauss_int set" where
+  "prime_factors_gauss_int_of_nat n = (if n = 0 then {} else 
+     (\<Union>p\<in>prime_factors n. set (factor_gauss_int_prime_nat p)))"
+
+lemma prime_factors_gauss_int_of_nat_correct:
+  "prime_factors_gauss_int_of_nat n = prime_factors (of_nat n)"
+proof (cases "n = 0")
+  case False
+  from False have [simp]: "n > 0" by auto
+  have "prime_factors (of_nat n :: gauss_int) =
+          prime_factors (of_nat (prod_mset (prime_factorization n)))"
+    by (subst prod_mset_prime_factorization_nat [symmetric]) auto
+  also have "\<dots> = prime_factors (prod_mset (image_mset of_nat (prime_factorization n)))"
+    by (subst of_nat_prod_mset) auto
+  also have "\<dots> = (\<Union>p\<in>prime_factors n. prime_factors (of_nat p))"
+    by (subst prime_factorization_prod_mset) auto
+  also have "\<dots> = (\<Union>p\<in>prime_factors n. set (factor_gauss_int_prime_nat p))"
+    by (intro SUP_cong refl factor_gauss_int_prime_nat_correct [symmetric]) auto
+  finally show ?thesis by (simp add: prime_factors_gauss_int_of_nat_def)
+qed (auto simp:  prime_factors_gauss_int_of_nat_def)
+
+text \<open>
+  We can now use this to factor any Gaussian integer by computing a factorisation of its
+  norm and removing all the prime divisors that do not actually divide it.
+\<close>
+definition prime_factors_gauss_int :: "gauss_int \<Rightarrow> gauss_int set" where
+  "prime_factors_gauss_int z = (if z = 0 then {} 
+     else Set.filter (\<lambda>p. p dvd z) (prime_factors_gauss_int_of_nat (gauss_int_norm z)))"
+
+lemma prime_factors_gauss_int_correct [code_unfold]: "prime_factors z = prime_factors_gauss_int z"
+proof (cases "z = 0")
+  case [simp]: False
+  define n where "n = gauss_int_norm z"
+  from False have [simp]: "n > 0" by (auto simp: n_def)
+
+  have "prime_factors_gauss_int z = Set.filter (\<lambda>p. p dvd z) (prime_factors (of_nat n))"
+    by (simp add: prime_factors_gauss_int_of_nat_correct prime_factors_gauss_int_def n_def)
+  also have "of_nat n = z * gauss_cnj z"
+    by (simp add: n_def self_mult_gauss_cnj)
+  also have "prime_factors \<dots> = prime_factors z \<union> prime_factors (gauss_cnj z)"
+    by (subst prime_factors_product) auto
+  also have "Set.filter (\<lambda>p. p dvd z) \<dots> = prime_factors z"
+    by (auto simp: in_prime_factors_iff)
+  finally show ?thesis by simp
+qed (auto simp: prime_factors_gauss_int_def)
+
+(*<*)
+unbundle no_gauss_int_notation
+(*>*)
+
+end
\ No newline at end of file
diff --git a/thys/Gaussian_Integers/Gaussian_Integers_Everything.thy b/thys/Gaussian_Integers/Gaussian_Integers_Everything.thy
new file mode 100644
--- /dev/null
+++ b/thys/Gaussian_Integers/Gaussian_Integers_Everything.thy
@@ -0,0 +1,16 @@
+(*
+  File:     Gaussian_Integers_Everything.thy
+  Author:   Manuel Eberl, TU München
+
+  Dummy theory to import everything in the session to ensure the theories are loaded in the
+  right order for the document.
+*)
+theory Gaussian_Integers_Everything
+imports
+  Gaussian_Integers
+  Gaussian_Integers_Test
+  Gaussian_Integers_Sums_Of_Two_Squares
+  Gaussian_Integers_Pythagorean_Triples
+begin
+
+end
\ No newline at end of file
diff --git a/thys/Gaussian_Integers/Gaussian_Integers_Pythagorean_Triples.thy b/thys/Gaussian_Integers/Gaussian_Integers_Pythagorean_Triples.thy
new file mode 100644
--- /dev/null
+++ b/thys/Gaussian_Integers/Gaussian_Integers_Pythagorean_Triples.thy
@@ -0,0 +1,266 @@
+(*
+  File:     Gaussian_Integers_Pythagorean_Triples.thy
+  Author:   Manuel Eberl, TU München
+
+  Application of Gaussian integers to deriving Euclid's formula for primitive Pythagorean triples
+*)
+subsection \<open>Primitive Pythagorean triples\<close>
+theory Gaussian_Integers_Pythagorean_Triples
+  imports Gaussian_Integers
+begin
+
+text \<open>
+  In this section, we derive Euclid's formula for primitive Pythagorean triples using
+  Gaussian integers, following Stillwell~\cite{stillwell}.
+\<close>
+definition prim_pyth_triple :: "nat \<Rightarrow> nat \<Rightarrow> nat \<Rightarrow> bool" where
+  "prim_pyth_triple x y z \<longleftrightarrow> x > 0 \<and> y > 0 \<and> coprime x y \<and> x\<^sup>2 + y\<^sup>2 = z\<^sup>2"
+
+lemma prim_pyth_triple_commute: "prim_pyth_triple x y z \<longleftrightarrow> prim_pyth_triple y x z"
+  by (simp add: prim_pyth_triple_def coprime_commute add_ac conj_ac)
+
+lemma prim_pyth_triple_aux:
+  fixes u v :: nat
+  assumes "v \<le> u"
+  shows "(2 * u * v) ^ 2 + (u ^ 2 - v ^ 2) ^ 2 = (u ^ 2 + v ^ 2) ^ 2"
+proof -
+  have "int ((2 * u * v) ^ 2 + (u ^ 2 - v ^ 2) ^ 2) =
+        (2 * int u * int v) ^ 2 + (int u ^ 2 - int v ^ 2) ^ 2"
+    using assms by (simp add: of_nat_diff)
+  also have "\<dots> = (int u ^ 2 + int v ^ 2) ^ 2"
+    by (simp add: power2_eq_square algebra_simps)
+  also have "\<dots> = int ((u ^ 2 + v ^ 2) ^ 2)"
+    by simp
+  finally show ?thesis
+    by (simp only: of_nat_eq_iff)
+qed
+
+lemma prim_pyth_tripleI1:
+  assumes "0 < v" "v < u" "coprime u v" "\<not>(odd u \<and> odd v)"
+  shows   "prim_pyth_triple (2 * u * v) (u\<^sup>2 - v\<^sup>2) (u\<^sup>2 + v\<^sup>2)"
+proof -
+  have "v ^ 2 < u ^ 2"
+    using assms by (intro power_strict_mono) auto
+  hence "\<not>u ^ 2 < v ^ 2" by linarith
+
+  from assms have "coprime (int u) (int v ^ 2)"
+    by auto
+  hence "coprime (int u) (int u * int u + (-(int v ^ 2)))"
+    unfolding coprime_iff_gcd_eq_1 by (subst gcd_add_mult) auto
+  also have "int u * int u + (-(int v ^ 2)) = int (u ^ 2 - v ^ 2)"
+    using \<open>v < u\<close> by (simp add: of_nat_diff flip: power2_eq_square)
+  finally have coprime1: "coprime u (u ^ 2 - v ^ 2)"
+    by auto
+
+  from assms have "coprime (int v) (int u ^ 2)"
+    by (auto simp: coprime_commute)
+  hence "coprime (int v) ((-int v) * int v + int u ^ 2)"
+    unfolding coprime_iff_gcd_eq_1 by (subst gcd_add_mult) auto
+  also have "(-int v) * int v + int u ^ 2 = int (u ^ 2 - v ^ 2)"
+    using \<open>v < u\<close> by (simp add: of_nat_diff flip: power2_eq_square)
+  finally have coprime2: "coprime v (u ^ 2 - v ^ 2)"
+    by auto
+
+  have "(2 * u * v) ^ 2 + (u ^ 2 - v ^ 2) ^ 2 = (u ^ 2 + v ^ 2) ^ 2"
+    using \<open>v < u\<close> by (intro prim_pyth_triple_aux) auto
+  moreover have "coprime (2 * u * v) (u ^ 2 - v ^ 2)"
+    using assms \<open>\<not>u ^ 2 < v ^ 2\<close> coprime1 coprime2 by auto
+  ultimately show ?thesis using assms \<open>v ^ 2 < u ^ 2\<close>
+    by (simp add: prim_pyth_triple_def)
+qed
+
+lemma prim_pyth_tripleI2:
+  assumes "0 < v" "v < u" "coprime u v" "\<not>(odd u \<and> odd v)"
+  shows   "prim_pyth_triple (u\<^sup>2 - v\<^sup>2) (2 * u * v) (u\<^sup>2 + v\<^sup>2)"
+  using prim_pyth_tripleI1[OF assms] by (simp add: prim_pyth_triple_commute)
+
+lemma primitive_pythagorean_tripleE_int:
+  assumes "z ^ 2 = x ^ 2 + y ^ 2"
+  assumes "coprime x y"
+  obtains u v :: int
+    where "coprime u v" and "\<not>(odd u \<and> odd v)"
+      and "x = 2 * u * v \<and> y = u\<^sup>2 - v\<^sup>2  \<or>  x = u\<^sup>2 - v\<^sup>2 \<and> y = 2 * u * v"
+proof -
+  have "\<not>(even x \<and> even y)"
+    using not_coprimeI[of 2 x y] \<open>coprime x y\<close> by auto
+  moreover have "\<not>(odd x \<and> odd y)"
+  proof safe
+    assume "odd x" "odd y"
+    hence "[x ^ 2 + y ^ 2 = 1 + 1] (mod 4)"
+      by (intro cong_add odd_square_cong_4_int)
+    hence "[z ^ 2 = 2] (mod 4)"
+      by (simp add: assms)
+    moreover have "[z ^ 2 = 0] (mod 4) \<or> [z ^ 2 = 1] (mod 4)"
+      using even_square_cong_4_int[of z] odd_square_cong_4_int[of z]
+      by (cases "even z") auto
+    ultimately show False
+      by (auto simp: cong_def)
+  qed
+  ultimately have "even y \<longleftrightarrow> odd x"
+    by blast
+
+  have "even z \<longleftrightarrow> even (z ^ 2)"
+    by auto
+  also have "even (z ^ 2) \<longleftrightarrow> even (x ^ 2 + y ^ 2)"
+    by (subst assms(1)) auto
+  finally have "odd z"
+    by (cases "even x") (auto simp: \<open>even y \<longleftrightarrow> \<not>even x\<close>)
+
+  define t where "t = of_int x + \<i>\<^sub>\<int> * of_int y"
+  from assms have t_mult_cnj: "t * gauss_cnj t = of_int z ^ 2"
+    by (simp add: t_def power2_eq_square algebra_simps flip: of_int_mult of_int_add)
+
+  have "gauss_int_norm t = z ^ 2"
+    by (simp add: gauss_int_norm_def t_def assms)
+  with \<open>coprime x y\<close> and \<open>odd z\<close> have "coprime t (gauss_cnj t)"
+    by (intro coprime_self_gauss_cnj)
+       (auto simp: t_def gauss_int_norm_def assms(1) [symmetric] even_nat_iff)
+  moreover have "is_square (t * gauss_cnj t)"
+    by (subst t_mult_cnj) auto
+  hence "is_nth_power_upto_unit 2 (t * gauss_cnj t)"
+    by (auto intro: is_nth_power_upto_unit_base)
+  ultimately have "is_nth_power_upto_unit 2 t"
+    by (rule is_nth_power_upto_unit_mult_coprimeD1)
+  then obtain a b where ab: "is_unit a" "a * t = b ^ 2"
+    by (auto simp: is_nth_power_upto_unit_def is_nth_power_def)
+  from ab(1) have "a \<in> {1, -1, \<i>\<^sub>\<int>, -\<i>\<^sub>\<int>}"
+    by (auto simp: is_unit_gauss_int_iff)
+  then obtain u v :: int where "ReZ t = 2 * u * v \<and> ImZ t = u ^ 2 - v ^ 2 \<or> 
+                                ImZ t = 2 * u * v \<and> ReZ t = u ^ 2 - v ^ 2"
+  proof safe
+    assume [simp]: "a = 1"
+    have "ReZ t = ReZ b ^ 2 - ImZ b ^ 2" "ImZ t = 2 * ReZ b * ImZ b" using ab(2)
+      by (auto simp: gauss_int_eq_iff power2_eq_square)
+    thus ?thesis using that by blast
+  next
+    assume [simp]: "a = -1"
+    have "ReZ t = ImZ b ^ 2 - (-ReZ b) ^ 2" "ImZ t = 2 * ImZ b * (-ReZ b)" using ab(2)
+      by (auto simp: gauss_int_eq_iff power2_eq_square algebra_simps)
+    thus ?thesis using that by blast
+  next
+    assume [simp]: "a = \<i>\<^sub>\<int>"
+    hence "ImZ t = ImZ b ^ 2 - ReZ b ^ 2" "ReZ t = 2 * ImZ b * ReZ b" using ab(2)
+      by (auto simp: gauss_int_eq_iff power2_eq_square algebra_simps)
+    thus ?thesis using that by blast
+  next
+    assume [simp]: "a = -\<i>\<^sub>\<int>"
+    hence "ImZ t = (-ReZ b) ^ 2 - ImZ b ^ 2" "ReZ t = 2 * (-ReZ b) * ImZ b" using ab(2)
+      by (auto simp: gauss_int_eq_iff power2_eq_square algebra_simps)
+    thus ?thesis using that by blast
+  qed
+  also have "ReZ t = x"
+    by (simp add: t_def)
+  also have "ImZ t = y"
+    by (simp add: t_def)
+  finally have xy: "x = 2 * u * v \<and> y = u\<^sup>2 - v\<^sup>2 \<or> x = u\<^sup>2 - v\<^sup>2 \<and> y = 2 * u * v"
+    by blast
+
+  have not_both_odd: "\<not>(odd u \<and> odd v)"
+  proof safe
+    assume "odd u" "odd v"
+    hence "even x" "even y"
+      using xy by auto
+    with \<open>coprime x y\<close> show False
+      by auto
+  qed
+
+  have "coprime u v"
+  proof (rule coprimeI)
+    fix d assume "d dvd u" "d dvd v"
+    hence "d dvd (u\<^sup>2 - v\<^sup>2)" "d dvd 2 * u * v"
+      by (auto simp: power2_eq_square)
+    with xy have "d dvd x" "d dvd y"
+      by auto
+    with \<open>coprime x y\<close> show "is_unit d"
+      using not_coprimeI by blast
+  qed
+  with xy not_both_odd show ?thesis
+    using that[of u v] by blast
+qed
+
+lemma prim_pyth_tripleE:
+  assumes "prim_pyth_triple x y z"
+  obtains u v :: nat
+  where "0 < v" and "v < u" and "coprime u v" and "\<not>(odd u \<and> odd v)" and "z = u\<^sup>2 + v\<^sup>2"
+    and "x = 2 * u * v \<and> y = u\<^sup>2 - v\<^sup>2  \<or>  x = u\<^sup>2 - v\<^sup>2 \<and> y = 2 * u * v"
+proof -
+  have *: "(int z) ^ 2 = (int x) ^ 2 + (int y) ^ 2" "coprime (int x) (int y)"
+    using assms by (auto simp flip: of_nat_power of_nat_add simp: prim_pyth_triple_def)
+  obtain u v
+    where uv: "coprime u v" "\<not>(odd u \<and> odd v)"
+              "int x = 2 * u * v \<and> int y = u\<^sup>2 - v\<^sup>2  \<or>  int x = u\<^sup>2 - v\<^sup>2 \<and> int y = 2 * u * v"
+    using primitive_pythagorean_tripleE_int[OF *] by metis
+  define u' v' where "u' = nat \<bar>u\<bar>" and "v' = nat \<bar>v\<bar>"
+
+  have **: "a = 2 * u' * v'" if "int a = 2 * u * v" for a
+  proof -
+    from that have "nat \<bar>int a\<bar> = nat \<bar>2 * u * v\<bar>"
+      by (simp only: )
+    thus "a = 2 * u' * v'"
+      by (simp add: u'_def v'_def abs_mult nat_mult_distrib)
+  qed
+  have ***: "a = u' ^ 2 - v' ^ 2" "v' \<le> u'" if "int a = u ^ 2 - v ^ 2" for a
+  proof -
+    have "v ^ 2 \<le> v ^ 2 + int a"
+      by simp
+    also have "\<dots> = u ^ 2"
+      using that by simp
+    finally have "\<bar>v\<bar> \<le> \<bar>u\<bar>"
+      using abs_le_square_iff by blast
+    thus "v' \<le> u'"
+      by (simp add: v'_def u'_def)
+
+    from that have "u ^ 2 = v ^ 2 + int a"
+      by simp
+    hence "nat \<bar>u ^ 2\<bar> = nat \<bar>v ^ 2 + int a\<bar>"
+      by (simp only: )
+    also have "nat \<bar>u ^ 2\<bar> = u' ^ 2"
+      by (simp add: u'_def flip: nat_power_eq)
+    also have "nat \<bar>v ^ 2 + int a\<bar> = v' ^ 2 + a"
+      by (simp add: nat_add_distrib v'_def flip: nat_power_eq)
+    finally show "a = u' ^ 2 - v' ^ 2"
+      by simp
+  qed
+
+  have eq: "x = 2 * u' * v' \<and> y = u'\<^sup>2 - v'\<^sup>2  \<or>  x = u'\<^sup>2 - v'\<^sup>2 \<and> y = 2 * u' * v'" and "v' \<le> u'"
+    using uv(3) **[of x] **[of y] ***[of x] ***[of y] by blast+
+  moreover have "coprime u' v'"
+    using \<open>coprime u v\<close>
+    by (auto simp: u'_def v'_def)
+  moreover have "\<not>(odd u' \<and> odd v')"
+    using uv(2) by (auto simp: u'_def v'_def)
+  moreover have "v' \<noteq> u'" "v' > 0"
+    using \<open>coprime u' v'\<close> eq assms by (auto simp: prim_pyth_triple_def)
+  moreover from this have "v' < u'"
+    using \<open>v' \<le> u'\<close> by auto
+  moreover have "z = u'\<^sup>2 + v'\<^sup>2"
+  proof -
+    from assms have "z ^ 2 = x ^ 2 + y ^ 2"
+      by (simp add: prim_pyth_triple_def)
+    also have "\<dots> = (2 * u' * v') ^ 2 + (u' ^ 2 - v' ^ 2) ^ 2"
+      using eq by (auto simp: add_ac)
+    also have "\<dots> = (u' ^ 2 + v' ^ 2) ^ 2"
+      by (intro prim_pyth_triple_aux) fact
+    finally show ?thesis by simp
+  qed
+  ultimately show ?thesis using that[of v' u'] by metis
+qed
+
+theorem prim_pyth_triple_iff:
+  "prim_pyth_triple x y z \<longleftrightarrow>
+     (\<exists>u v. 0 < v \<and> v < u \<and> coprime u v \<and> \<not>(odd u \<and> odd v) \<and>
+            (x = 2 * u * v \<and> y = u\<^sup>2 - v\<^sup>2  \<or>  x = u\<^sup>2 - v\<^sup>2 \<and> y = 2 * u * v) \<and> z = u\<^sup>2 + v\<^sup>2)"
+  (is "_ \<longleftrightarrow> ?rhs")
+proof
+  assume "prim_pyth_triple x y z"
+  from prim_pyth_tripleE[OF this] show ?rhs by metis
+next
+  assume ?rhs
+  then obtain u v where uv: "0 < v" "v < u" "coprime u v" "\<not>(odd u \<and> odd v)" "z = u\<^sup>2 + v\<^sup>2" and
+                        eq: "x = 2 * u * v \<and> y = u\<^sup>2 - v\<^sup>2  \<or>  x = u\<^sup>2 - v\<^sup>2 \<and> y = 2 * u * v"
+    by metis
+  thus "prim_pyth_triple x y z"
+    using uv prim_pyth_tripleI1[OF uv(1-4)] prim_pyth_tripleI2[OF uv(1-4)] uv(5) eq by auto
+qed
+
+end
\ No newline at end of file
diff --git a/thys/Gaussian_Integers/Gaussian_Integers_Sums_Of_Two_Squares.thy b/thys/Gaussian_Integers/Gaussian_Integers_Sums_Of_Two_Squares.thy
new file mode 100644
--- /dev/null
+++ b/thys/Gaussian_Integers/Gaussian_Integers_Sums_Of_Two_Squares.thy
@@ -0,0 +1,150 @@
+(*
+  File:     Gaussian_Integers_Sums_Of_Two_Squares.thy
+  Author:   Manuel Eberl, TU München
+
+  Application of Gaussian integers to determining which natural numbers can be written as a sum
+  of two squares
+*)
+subsection \<open>Sums of two squares\<close>
+theory Gaussian_Integers_Sums_Of_Two_Squares
+  imports Gaussian_Integers
+begin
+
+text \<open>
+  As an application, we can now easily prove that a positive natural number is the
+  sum of two squares if and only if all prime factors congruent 3 modulo 4 have even
+  multiplicity.
+\<close>
+
+inductive sum_of_2_squares_nat :: "nat \<Rightarrow> bool" where
+  "sum_of_2_squares_nat (a ^ 2 + b ^ 2)"
+
+lemma sum_of_2_squares_nat_altdef: "sum_of_2_squares_nat n \<longleftrightarrow> n \<in> range gauss_int_norm"
+proof (safe elim!: sum_of_2_squares_nat.cases)
+  fix a b :: nat
+  have "a ^ 2 + b ^ 2 = gauss_int_norm (of_nat a + \<i>\<^sub>\<int> * of_nat b)"
+    by (auto simp: gauss_int_norm_def nat_add_distrib nat_power_eq)
+  thus "a ^ 2 + b ^ 2 \<in> range gauss_int_norm" by blast
+next
+  fix z :: gauss_int
+  have "gauss_int_norm z = nat \<bar>ReZ z\<bar> ^ 2 + nat \<bar>ImZ z\<bar> ^ 2"
+    by (auto simp: gauss_int_norm_def nat_add_distrib simp flip: nat_power_eq)
+  thus "sum_of_2_squares_nat (gauss_int_norm z)"
+    by (auto intro: sum_of_2_squares_nat.intros)
+qed
+
+lemma sum_of_2_squares_nat_gauss_int_norm [intro]: "sum_of_2_squares_nat (gauss_int_norm z)"
+  by (auto simp: sum_of_2_squares_nat_altdef)
+
+lemma sum_of_2_squares_nat_0 [simp, intro]: "sum_of_2_squares_nat 0" 
+  and sum_of_2_squares_nat_1 [simp, intro]: "sum_of_2_squares_nat 1"
+  and sum_of_2_squares_nat_Suc_0 [simp, intro]: "sum_of_2_squares_nat (Suc 0)"
+  and sum_of_2_squares_nat_2 [simp, intro]: "sum_of_2_squares_nat 2"
+  using sum_of_2_squares_nat.intros[of 0 0] sum_of_2_squares_nat.intros[of 0 1]
+        sum_of_2_squares_nat.intros[of 1 1] by (simp_all add: numeral_2_eq_2)
+
+lemma sum_of_2_squares_nat_mult [intro]:
+  assumes "sum_of_2_squares_nat x" "sum_of_2_squares_nat y"
+  shows   "sum_of_2_squares_nat (x * y)"
+proof -
+  from assms obtain z1 z2 where "x = gauss_int_norm z1" "y = gauss_int_norm z2"
+    by (auto simp: sum_of_2_squares_nat_altdef)
+  hence "x * y = gauss_int_norm (z1 * z2)"
+    by (simp add: gauss_int_norm_mult)
+  thus ?thesis by auto
+qed
+
+lemma sum_of_2_squares_nat_power [intro]:
+  assumes "sum_of_2_squares_nat m"
+  shows   "sum_of_2_squares_nat (m ^ n)"
+  using assms by (induction n) auto
+
+lemma sum_of_2_squares_nat_prod [intro]:
+  assumes "\<And>x. x \<in> A \<Longrightarrow> sum_of_2_squares_nat (f x)"
+  shows   "sum_of_2_squares_nat (\<Prod>x\<in>A. f x)"
+  using assms by (induction A rule: infinite_finite_induct) auto
+
+lemma sum_of_2_squares_nat_prod_mset [intro]:
+  assumes "\<And>x. x \<in># A \<Longrightarrow> sum_of_2_squares_nat x"
+  shows   "sum_of_2_squares_nat (prod_mset A)"
+  using assms by (induction A) auto
+
+lemma sum_of_2_squares_nat_necessary:
+  assumes "sum_of_2_squares_nat n" "n > 0"
+  assumes "prime p" "[p = 3] (mod 4)"
+  shows   "even (multiplicity p n)"
+proof -
+  define k where "k = multiplicity p n"
+  from assms obtain z where z: "gauss_int_norm z = n"
+    by (auto simp: sum_of_2_squares_nat_altdef)
+  from assms and z have [simp]: "z \<noteq> 0"
+    by auto
+  have prime': "prime (of_nat p :: gauss_int)"
+    using assms prime_gauss_int_of_nat by blast
+  have [simp]: "multiplicity (of_nat p) (gauss_cnj z) = multiplicity (of_nat p) z"
+    using multiplicity_gauss_cnj[of "of_nat p" z] by simp
+  have "multiplicity (of_nat p) (of_nat n :: gauss_int) =
+        multiplicity (of_nat p) (z * gauss_cnj z)"
+    using z by (simp add: self_mult_gauss_cnj)
+  also have "\<dots> = 2 * multiplicity (of_nat p) z"
+    using prime' by (subst prime_elem_multiplicity_mult_distrib) auto
+  finally have "multiplicity p n = 2 * multiplicity (of_nat p) z"
+    by (subst (asm) multiplicity_gauss_int_of_nat)
+  thus ?thesis by auto
+qed
+
+lemma sum_of_2_squares_nat_sufficient:
+  fixes n :: nat
+  assumes "n > 0"
+  assumes "\<And>p. p \<in> prime_factors n \<Longrightarrow> [p = 3] (mod 4) \<Longrightarrow> even (multiplicity p n)"
+  shows "sum_of_2_squares_nat n"
+proof -
+  define P2 where "P2 = {p\<in>prime_factors n. [p = 1] (mod 4)}"
+  define P3 where "P3 = {p\<in>prime_factors n. [p = 3] (mod 4)}"
+  from \<open>n > 0\<close> have "n = (\<Prod>p\<in>prime_factors n. p ^ multiplicity p n)"
+    by (subst prime_factorization_nat) auto
+  also have "\<dots> = (\<Prod>p\<in>{2}\<union>P2\<union>P3. p ^ multiplicity p n)"
+    using prime_mod_4_cases
+    by (intro prod.mono_neutral_left)
+       (auto simp: P2_def P3_def in_prime_factors_iff not_dvd_imp_multiplicity_0)
+  also have "\<dots> = (\<Prod>p\<in>{2}\<union>P2. p ^ multiplicity p n) * (\<Prod>p\<in>P3. p ^ multiplicity p n)"
+    by (intro prod.union_disjoint) (auto simp: P2_def P3_def cong_def)
+  also have "(\<Prod>p\<in>{2}\<union>P2. p ^ multiplicity p n) =
+               2 ^ multiplicity 2 n * (\<Prod>p\<in>P2. p ^ multiplicity p n)"
+    by (subst prod.union_disjoint) (auto simp: P2_def cong_def)
+  also have "(\<Prod>p\<in>P3. p ^ multiplicity p n) = (\<Prod>p\<in>P3. (p ^ 2) ^ (multiplicity p n div 2))"
+  proof (intro prod.cong refl)
+    fix p :: nat assume p: "p \<in> P3"
+    have "(p ^ 2) ^ (multiplicity p n div 2) = p ^ (2 * (multiplicity p n div 2))"
+      by (simp add: power_mult)
+    also have "even (multiplicity p n)"
+      using assms p by (auto simp: P3_def)
+    hence "2 * (multiplicity p n div 2) = multiplicity p n"
+      by simp
+    finally show "p ^ multiplicity p n = (p ^ 2) ^ (multiplicity p n div 2)"
+      by simp
+  qed
+  finally have "n = 2 ^ multiplicity 2 n * (\<Prod>p\<in>P2. p ^ multiplicity p n) * 
+                      (\<Prod>p\<in>P3. p\<^sup>2 ^ (multiplicity p n div 2))" .
+
+  also have "sum_of_2_squares_nat \<dots>"
+  proof (intro sum_of_2_squares_nat_mult sum_of_2_squares_nat_prod; rule sum_of_2_squares_nat_power)
+    fix p :: nat assume p: "p \<in> P2"
+    with prime_cong_1_mod_4_gauss_int_norm_exists[of p] show "sum_of_2_squares_nat p"
+      by (auto simp: P2_def)
+  next
+    fix p :: nat assume p: "p \<in> P3"
+    have "sum_of_2_squares_nat (gauss_int_norm (of_nat p))" ..
+    also have "gauss_int_norm (of_nat p) = p ^ 2"
+      by simp
+    finally show "sum_of_2_squares_nat (p ^ 2)" .
+  qed auto
+  finally show ?thesis .
+qed
+
+theorem sum_of_2_squares_nat_iff:
+  "sum_of_2_squares_nat n \<longleftrightarrow>
+     n = 0 \<or> (\<forall>p\<in>prime_factors n. [p = 3] (mod 4) \<longrightarrow> even (multiplicity p n))"
+  using sum_of_2_squares_nat_necessary[of n] sum_of_2_squares_nat_sufficient[of n] by auto
+
+end
\ No newline at end of file
diff --git a/thys/Gaussian_Integers/Gaussian_Integers_Test.thy b/thys/Gaussian_Integers/Gaussian_Integers_Test.thy
new file mode 100644
--- /dev/null
+++ b/thys/Gaussian_Integers/Gaussian_Integers_Test.thy
@@ -0,0 +1,32 @@
+(*
+  File:     Gaussian_Integers_Test.thy
+  Author:   Manuel Eberl, TU München
+
+  Test of code generation for executable factorisation algorithm for Gaussian integers
+*)
+theory Gaussian_Integers_Test
+imports
+  Gaussian_Integers
+  "Polynomial_Factorization.Prime_Factorization"
+  "HOL-Library.Code_Target_Numeral"
+begin
+
+text \<open>
+  Lastly, we apply our factorisation algorithm to some simple examples:
+\<close>
+
+(*<*)
+context
+  includes gauss_int_notation
+begin
+(*>*)
+
+value "(1234 + 5678 * \<i>\<^sub>\<int>) mod (321 + 654 * \<i>\<^sub>\<int>)"
+value "prime_factors (1 + 3 * \<i>\<^sub>\<int>)"
+value "prime_factors (4830 + 1610 * \<i>\<^sub>\<int>)"
+
+(*<*)
+end
+(*>*)
+
+end
\ No newline at end of file
diff --git a/thys/Gaussian_Integers/ROOT b/thys/Gaussian_Integers/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/Gaussian_Integers/ROOT
@@ -0,0 +1,14 @@
+chapter AFP
+
+session Gaussian_Integers (AFP) = "HOL-Number_Theory" +
+  options [timeout = 1200]
+  sessions
+    "HOL-Computational_Algebra"
+    "HOL-Library"
+    Polynomial_Factorization
+  theories
+    Gaussian_Integers_Everything
+  document_files
+    "root.tex"
+    "root.bib"
+
diff --git a/thys/Gaussian_Integers/document/root.bib b/thys/Gaussian_Integers/document/root.bib
new file mode 100644
--- /dev/null
+++ b/thys/Gaussian_Integers/document/root.bib
@@ -0,0 +1,13 @@
+@Inbook{stillwell,
+author="Stillwell, John",
+title="The Gaussian integers",
+bookTitle="Elements of Number Theory",
+year="2003",
+publisher="Springer New York",
+address="New York, NY",
+pages="101--116",
+isbn="978-0-387-21735-2",
+doi="10.1007/978-0-387-21735-2_6",
+url="https://doi.org/10.1007/978-0-387-21735-2_6"
+}
+
diff --git a/thys/Gaussian_Integers/document/root.tex b/thys/Gaussian_Integers/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/Gaussian_Integers/document/root.tex
@@ -0,0 +1,44 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{isabelle,isabellesym}
+\usepackage{amsfonts, amsmath, amssymb}
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+\begin{document}
+
+\title{Gaussian Integers}
+\author{Manuel Eberl}
+\maketitle
+
+\begin{abstract}
+The Gaussian integers are the subring $\mathbb{Z}[i]$ of the complex numbers, i.\,e.\ the ring of all complex numbers with integral real and imaginary part. This article provides a definition of this ring as well as proofs of various basic properties, such as that they form a Euclidean ring and a full classification of their primes. An executable (albeit not very efficient) factorisation algorithm is also provided.
+
+Lastly, this Gaussian integer formalisation is used in two short applications:
+\begin{enumerate}
+\item The characterisation of all positive integers that can be written as sums of two squares
+\item Euclid's formula for primitive Pythagorean triples
+\end{enumerate}
+While elementary proofs for both of these are already available in the AFP, the theory of Gaussian integers provides more concise proofs and a more high-level view.
+\end{abstract}
+
+\newpage
+\tableofcontents
+\newpage
+\parindent 0pt\parskip 0.5ex
+
+\input{session}
+
+\bibliographystyle{abbrv}
+\bibliography{root}
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
diff --git a/thys/Irrational_Series_Erdos_Straus/Irrational_Series_Erdos_Straus.thy b/thys/Irrational_Series_Erdos_Straus/Irrational_Series_Erdos_Straus.thy
new file mode 100644
--- /dev/null
+++ b/thys/Irrational_Series_Erdos_Straus/Irrational_Series_Erdos_Straus.thy
@@ -0,0 +1,2020 @@
+(* Title:      Irrational_Series_Erdos_Straus.thy
+   Author:     Angeliki Koutsoukou-Argyraki and Wenda Li, University of Cambridge, UK.
+
+We formalise certain irrationality criteria for infinite series by P. Erdos and E.G. Straus.
+In particular, we formalise Theorem 2.1, Corollary 2.10 and Theorem 3.1 in [1]. The latter is an 
+application of Theorem 2.1 involving the prime numbers.
+
+References:
+[1]  P. Erdos and E.G. Straus, On the irrationality of certain series, Pacific Journal of 
+Mathematics, Vol. 55, No 1, 1974  https://projecteuclid.org/euclid.pjm/1102911140
+*)
+
+theory "Irrational_Series_Erdos_Straus" imports
+  Prime_Number_Theorem.Prime_Number_Theorem
+  Prime_Distribution_Elementary.PNT_Consequences
+begin
+
+section \<open>Miscellaneous\<close>
+
+lemma suminf_comparison:
+  assumes "summable f" and "\<forall>n. norm (g n) \<le> f n"
+  shows "suminf g \<le> suminf f"
+proof (rule suminf_le)
+  show "\<forall>n. g n \<le> f n" 
+    apply rule
+    subgoal for n using assms(2)[rule_format,of n] by auto
+    done
+  show "summable g" 
+    apply (rule summable_comparison_test'[OF \<open>summable f\<close>, of 0])
+    using assms(2) by auto
+  show "summable f" using assms(1) .
+qed
+
+lemma tendsto_of_int_diff_0:
+  assumes "(\<lambda>n. f n - of_int(g n)) \<longlonglongrightarrow> (0::real)" "\<forall>\<^sub>F n in sequentially. f n > 0"
+  shows "\<forall>\<^sub>F n in sequentially. 0 \<le> g n"
+proof -
+  have "\<forall>\<^sub>F n in sequentially. \<bar>f n - of_int(g n)\<bar> < 1 / 2" 
+    using assms(1)[unfolded tendsto_iff,rule_format,of "1/2"] by auto
+  then show ?thesis using assms(2)
+    apply eventually_elim
+    by linarith
+qed
+
+lemma eventually_mono_sequentially:
+  assumes "eventually P sequentially"
+  assumes "\<And>x. P (x+k) \<Longrightarrow> Q (x+k)"
+  shows "eventually Q sequentially"
+  using sequentially_offset[OF assms(1),of k]
+  apply (subst eventually_sequentially_seg[symmetric,of _ k])
+  apply (elim eventually_mono)
+  by fact
+
+lemma frequently_eventually_at_top:
+  fixes P Q::"'a::linorder \<Rightarrow> bool"
+  assumes "frequently P at_top" "eventually Q at_top"
+  shows "frequently (\<lambda>x. P x \<and> (\<forall>y\<ge>x. Q y) ) at_top"
+  using assms
+  unfolding frequently_def eventually_at_top_linorder 
+  by (metis (mono_tags, hide_lams) le_cases order_trans)
+
+lemma eventually_at_top_mono:
+  fixes P Q::"'a::linorder \<Rightarrow> bool"
+  assumes event_P:"eventually P at_top"
+  assumes PQ_imp:"\<And>x. x\<ge>z \<Longrightarrow> \<forall>y\<ge>x. P y \<Longrightarrow> Q x"
+  shows "eventually Q at_top"
+proof -
+  obtain N where N_P:"\<forall>n\<ge>N. P n"
+    using event_P[unfolded eventually_at_top_linorder] by auto
+  define N' where "N' = max N z"
+  have "Q x" when "x\<ge>N'" for x 
+    apply (rule PQ_imp)
+    using N_P that unfolding N'_def by auto
+  then show ?thesis unfolding eventually_at_top_linorder
+    by auto
+qed
+
+lemma frequently_at_top_elim:
+  fixes P Q::"'a::linorder \<Rightarrow> bool"
+  assumes "\<exists>\<^sub>Fx in at_top. P x"
+  assumes "\<And>i. P i \<Longrightarrow> \<exists>j>i. Q j"
+  shows "\<exists>\<^sub>Fx in at_top. Q x"
+  using assms unfolding frequently_def eventually_at_top_linorder 
+  by (meson leD le_cases less_le_trans)
+
+lemma less_Liminf_iff:
+  fixes X :: "_ \<Rightarrow> _ :: complete_linorder"
+  shows "Liminf F X < C \<longleftrightarrow> (\<exists>y<C. frequently (\<lambda>x. y \<ge> X x) F)"
+  apply (subst Not_eq_iff[symmetric])
+  apply (simp add:not_less not_frequently not_le le_Liminf_iff)
+  by force
+
+lemma sequentially_even_odd_imp:
+  assumes "\<forall>\<^sub>F N in sequentially. P (2*N)" "\<forall>\<^sub>F N in sequentially. P (2*N+1)"
+  shows "\<forall>\<^sub>F n in sequentially. P n"
+proof -
+  obtain N where N_P:"\<forall>x\<ge>N.  P (2 * x) \<and> P (2 * x + 1)"
+    using eventually_conj[OF assms] 
+    unfolding eventually_at_top_linorder by auto
+  define N' where "N'=2*N "
+  have "P n" when "n\<ge>2*N" for n
+  proof -
+    define n' where "n'= n div 2"
+    then have "n'\<ge>N" using that by auto
+    then have "P (2 * n') \<and> P (2 * n' + 1)"
+      using N_P by auto
+    then show ?thesis unfolding n'_def
+      apply (cases "even n")
+      by auto
+  qed
+  then show ?thesis unfolding eventually_at_top_linorder by auto
+qed
+
+
+section \<open>Theorem 2.1 and Corollary 2.10\<close>
+
+context
+  fixes a b ::"nat\<Rightarrow>int "
+  assumes a_pos:"\<forall> n. a n >0 " and a_large:"\<forall>\<^sub>F n in sequentially. a n > 1" 
+    and ab_tendsto: "(\<lambda>n. \<bar>b n\<bar> / (a (n-1)*a n)) \<longlonglongrightarrow> 0"
+begin
+
+private lemma aux_series_summable: "summable (\<lambda>n. b n / (\<Prod>k\<le>n. a k))" 
+proof -
+  have "\<forall>e>0. \<forall>\<^sub>F x in sequentially. \<bar>b x\<bar> / (a (x-1) * a x) < e"
+    using ab_tendsto[unfolded tendsto_iff] 
+    apply (simp add:of_int_abs[symmetric] abs_mult del:of_int_abs)
+    by (subst (asm) (2) abs_of_pos,use \<open>\<forall> n. a n > 0\<close> in auto)+                 
+  from this[rule_format,of 1]
+  have "\<forall>\<^sub>F x in sequentially. \<bar>real_of_int(b x)\<bar> < (a (x-1) * a x)"
+    using \<open>\<forall> n. a n >0\<close> by auto
+  moreover have "\<forall>n. (\<Prod>k\<le>n. real_of_int (a k)) > 0" 
+    using a_pos by (auto intro!:linordered_semidom_class.prod_pos)
+  ultimately have "\<forall>\<^sub>F n in sequentially. \<bar>b n\<bar> / (\<Prod>k\<le>n. a k) 
+                        < (a (n-1) * a n) / (\<Prod>k\<le>n. a k)"
+    apply (elim eventually_mono)
+    by (auto simp add:field_simps)
+  moreover have "\<bar>b n\<bar> / (\<Prod>k\<le>n. a k) = norm (b n / (\<Prod>k\<le>n. a k))" for n 
+    using \<open>\<forall>n. (\<Prod>k\<le>n. real_of_int (a k)) > 0\<close>[rule_format,of n] by auto
+  ultimately have "\<forall>\<^sub>F n in sequentially. norm (b n / (\<Prod>k\<le>n. a k)) 
+                        < (a (n-1) * a n) / (\<Prod>k\<le>n. a k)"
+    by algebra
+  moreover have "summable (\<lambda>n. (a (n-1) * a n) / (\<Prod>k\<le>n. a k))" 
+  proof -
+    obtain s where a_gt_1:"\<forall> n\<ge>s. a n >1"
+      using a_large[unfolded eventually_at_top_linorder] by auto
+    define cc where "cc= (\<Prod>k<s. a k)"
+    have "cc>0" 
+      unfolding cc_def
+      apply (rule linordered_semidom_class.prod_pos)
+      using a_pos by auto
+    have "(\<Prod>k\<le>n+s. a k) \<ge> cc * 2^n" for n
+    proof -
+      have "prod a {s..<Suc (s + n)} \<ge> 2^n"
+      proof (induct n)
+        case 0
+        then show ?case using a_gt_1 by auto
+      next
+        case (Suc n)
+        moreover have "a (s + Suc n) \<ge> 2" 
+          using a_gt_1 by (smt le_add1)
+        ultimately show ?case 
+          apply (subst prod.atLeastLessThan_Suc,simp)
+          using mult_mono'[of 2 "a (Suc (s + n))" " 2 ^ n" "prod a {s..<Suc (s + n)}",simplified] 
+          by (simp add: mult.commute)
+      qed
+      moreover have "prod a {0..(n + s)} =
+            prod a {..<s} * prod a {s..<Suc (s + n)} "
+        using prod.atLeastLessThan_concat[of 0 s "s+n+1" a,simplified]
+        apply (simp add: atLeastLessThanSuc_atLeastAtMost algebra_simps
+            atLeast0LessThan)
+        by (smt a_gt_1 le_add2 lessThan_atLeast0 mult.left_commute prod.last_plus zero_le)
+      ultimately show ?thesis
+        using \<open>cc>0\<close> unfolding cc_def by (simp add: atLeast0AtMost)
+    qed
+    then have "1/(\<Prod>k\<le>n+s. a k) \<le> 1/(cc * 2^n)" for n
+    proof -
+      assume asm:"\<And>n. cc * 2 ^ n \<le> prod a {..n + s}"
+      then have "real_of_int (cc * 2 ^ n) \<le> prod a {..n + s}" using of_int_le_iff by blast
+      moreover have "prod a {..n + s} >0" using \<open>cc>0\<close> by (simp add: a_pos prod_pos)
+      ultimately show ?thesis using \<open>cc>0\<close> 
+        by (auto simp:field_simps simp del:of_int_prod)
+    qed
+    moreover have "summable (\<lambda>n. 1/(cc * 2^n))"
+    proof -
+      have "summable (\<lambda>n. 1/(2::int)^n)"
+        using summable_geometric[of "1/(2::int)"] by (simp add:power_one_over)
+      from summable_mult[OF this,of "1/cc"] show ?thesis by auto
+    qed
+    ultimately have "summable (\<lambda>n. 1 / (\<Prod>k\<le>n+s. a k))"
+      apply (elim summable_comparison_test'[where N=0])
+      apply (unfold real_norm_def, subst abs_of_pos)
+      by (auto simp add: \<open>\<forall>n. 0 < (\<Prod>k\<le>n. real_of_int (a k))\<close>)
+    then have "summable (\<lambda>n. 1 / (\<Prod>k\<le>n. a k))"
+      apply (subst summable_iff_shift[where k=s,symmetric])
+      by simp
+    then have "summable (\<lambda>n. (a (n+1) * a (n+2)) / (\<Prod>k\<le>n+2. a k))"
+    proof -
+      assume asm:"summable (\<lambda>n. 1 / real_of_int (prod a {..n}))"
+      have "1 / real_of_int (prod a {..n}) = (a (n+1) * a (n+2)) / (\<Prod>k\<le>n+2. a k)" for n 
+      proof -
+        have "a (Suc (Suc n)) \<noteq> 0" "a (Suc n) \<noteq>0" 
+          using a_pos by (metis less_irrefl)+
+        then show ?thesis 
+          by (simp add: atLeast0_atMost_Suc atMost_atLeast0)
+      qed
+      then show ?thesis using asm by auto
+    qed
+    then show "summable (\<lambda>n. (a (n-1) * a n) / (\<Prod>k\<le>n. a k))"
+      apply (subst summable_iff_shift[symmetric,of _ 2])
+      by auto
+  qed
+  ultimately show ?thesis 
+    apply (elim summable_comparison_test_ev[rotated])
+    by (simp add: eventually_mono)
+qed
+
+private fun get_c::"(nat \<Rightarrow> int) \<Rightarrow> (nat \<Rightarrow> int) \<Rightarrow> int \<Rightarrow> nat \<Rightarrow> (nat \<Rightarrow> int)" where
+  "get_c a' b' B N 0 = round (B * b' N / a' N)"|
+  "get_c a' b' B N (Suc n) = get_c a' b' B N n * a' (n+N) - B * b' (n+N)"
+
+lemma ab_rationality_imp:
+  assumes ab_rational:"(\<Sum>n. (b n / (\<Prod>i \<le> n. a i))) \<in> \<rat>"
+  shows "\<exists> (B::int)>0. \<exists> c::nat\<Rightarrow> int.
+            (\<forall>\<^sub>F n in sequentially. B*b n = c n * a n - c(n+1) \<and> \<bar>c(n+1)\<bar><a n/2)
+            \<and> (\<lambda>n. c (Suc n) / a n) \<longlonglongrightarrow> 0"
+proof -
+  have [simp]:"a n \<noteq> 0" for n using a_pos by (metis less_numeral_extra(3))
+  obtain A::int and B::int where 
+    AB_eq:"(\<Sum>n. real_of_int (b n) / real_of_int (prod a {..n})) = A / B" and "B>0"
+  proof -
+    obtain q::rat where "(\<Sum>n. real_of_int (b n) / real_of_int (prod a {..n})) = real_of_rat q"
+      using ab_rational by (rule Rats_cases) simp
+    moreover obtain A::int and B::int where "q = Rat.Fract A B" "B > 0" "coprime A B"
+      by (rule Rat_cases) auto
+    ultimately show ?thesis by (auto intro!: that[of A B] simp:of_rat_rat)
+  qed  
+  define f where "f = (\<lambda>n.  b n / real_of_int (prod a {..n}))"
+  define R where "R = (\<lambda>N. (\<Sum>n. B*b (n+N+1) / prod a {N..n+N+1}))"
+  have all_e_ubound:"\<forall>e>0. \<forall>\<^sub>F M in sequentially. \<forall>n. \<bar>B*b (n+M+1) / prod a {M..n+M+1}\<bar> < e/4 * 1/2^n"
+  proof safe
+    fix e::real assume "e>0"
+    obtain N where N_a2: "\<forall>n \<ge> N. a n \<ge> 2" 
+      and N_ba: "\<forall>n \<ge> N. \<bar>b n\<bar> / (a (n-1) * a n)  < e/(4*B)"
+    proof -
+      have "\<forall>\<^sub>F n in sequentially. \<bar>b n\<bar> / (a (n - 1) * a n) < e/(4*B)" 
+        using order_topology_class.order_tendstoD[OF ab_tendsto,of "e/(4*B)"] \<open>B>0\<close> \<open>e>0\<close>
+        by auto
+      moreover have "\<forall>\<^sub>F n in sequentially. a n \<ge> 2"
+        using a_large by (auto elim: eventually_mono)
+      ultimately have "\<forall>\<^sub>F n in sequentially. \<bar>b n\<bar> / (a (n - 1) * a n) < e/(4*B) \<and> a n \<ge> 2" 
+        by eventually_elim auto
+      then show ?thesis unfolding eventually_at_top_linorder using that
+        by auto
+    qed
+    have geq_N_bound:"\<bar>B*b (n+M+1) / prod a {M..n+M+1}\<bar> < e/4 * 1/2^n" when "M\<ge>N" for n M   
+    proof -
+      define D where "D = B*b (n+M+1)/ (a (n+M) * a (n+M+1))"
+      have "\<bar>B*b (n+M+1) / prod a {M..n+M+1}\<bar> = \<bar>D / prod a {M..<n+M}\<bar>"
+      proof -
+        have "{M..n+M+1} = {M..<n+M} \<union> {n+M,n+M+1}" by auto
+        then have "prod a {M..n+M+1} = a (n+M) * a (n+M+1)* prod a {M..<n+M}" by simp
+        then show ?thesis unfolding D_def by (simp add:algebra_simps)
+      qed
+      also have "... <  \<bar>e/4 * (1/prod a {M..<n+M})\<bar>"
+      proof -
+        have "\<bar>D\<bar> < e/ 4" 
+          unfolding D_def using N_ba[rule_format, of "n+M+1"] \<open>B>0\<close> \<open>M \<ge> N\<close> \<open>e>0\<close> a_pos
+          by (auto simp:field_simps abs_mult abs_of_pos)
+        from mult_strict_right_mono[OF this,of "1/prod a {M..<n+M}"] a_pos \<open>e>0\<close>
+        show ?thesis 
+          apply (auto simp:abs_prod abs_mult prod_pos)
+          by (subst (2) abs_of_pos,auto)+
+      qed
+      also have "... \<le> e/4 * 1/2^n"
+      proof -
+        have "prod a {M..<n+M} \<ge> 2^n"
+        proof (induct n)
+          case 0
+          then show ?case by simp
+        next
+          case (Suc n)
+          then show ?case 
+            using \<open>M\<ge>N\<close> by (simp add: N_a2 mult.commute mult_mono' prod.atLeastLessThan_Suc)
+        qed
+        then have "real_of_int (prod a {M..<n+M}) \<ge> 2^n" 
+          using numeral_power_le_of_int_cancel_iff by blast
+        then show ?thesis using \<open>e>0\<close> by (auto simp add:divide_simps)
+      qed
+      finally show ?thesis .
+    qed
+    show "\<forall>\<^sub>F M in sequentially. \<forall>n. \<bar>real_of_int (B * b (n + M + 1)) 
+                / real_of_int (prod a {M..n + M + 1})\<bar> < e / 4 * 1 / 2 ^ n"
+      apply (rule eventually_sequentiallyI[of N])
+      using geq_N_bound by blast
+  qed
+  have R_tendsto_0:"R \<longlonglongrightarrow> 0"
+  proof (rule tendstoI)
+    fix e::real assume "e>0"
+    show "\<forall>\<^sub>F x in sequentially. dist (R x) 0 < e" using all_e_ubound[rule_format,OF \<open>e>0\<close>]
+    proof eventually_elim
+      case (elim M)
+      define g where "g = (\<lambda>n. B*b (n+M+1) / prod a {M..n+M+1})"
+      have g_lt:"\<bar>g n\<bar> < e/4 * 1/2^n" for n
+        using elim unfolding g_def by auto
+      have g_abs_summable:"summable (\<lambda>n. \<bar>g n\<bar>)"
+      proof -
+        have "summable (\<lambda>n. e/4 * 1/2^n)" 
+          using summable_geometric[of "1/2",THEN summable_mult,of "e/4",simplified]
+          by (auto simp add:algebra_simps power_divide)
+        then show ?thesis 
+          apply (elim summable_comparison_test')
+          using g_lt less_eq_real_def by auto
+      qed
+      have "\<bar>\<Sum>n. g n\<bar> \<le> (\<Sum>n. \<bar>g n\<bar>)" by (rule summable_rabs[OF g_abs_summable])
+      also have "... \<le>(\<Sum>n. e/4 * 1/2^n)"
+      proof (rule suminf_comparison)
+        show "summable (\<lambda>n. e/4 * 1/2^n)" 
+          using summable_geometric[of "1/2",THEN summable_mult,of "e/4",simplified]
+          by (auto simp add:algebra_simps power_divide)
+        show "\<forall>n. norm \<bar>g n\<bar> \<le> e / 4 * 1 / 2 ^ n" using g_lt less_eq_real_def by auto
+      qed
+      also have "... = (e/4) * (\<Sum>n. (1/2)^n)"
+        apply (subst suminf_mult[symmetric])
+        subgoal 
+          apply (rule complete_algebra_summable_geometric)
+          by simp
+        subgoal by (auto simp:algebra_simps power_divide)
+        done
+      also have "... = e/2" by (simp add:suminf_geometric[of "1/2"])
+      finally have "\<bar>\<Sum>n. g n\<bar> \<le> e / 2" .
+      then show "dist (R M) 0 < e" unfolding R_def g_def using \<open>e>0\<close> by auto
+    qed
+  qed
+
+  obtain N where R_N_bound:"\<forall>M \<ge> N. \<bar>R M\<bar> \<le>  1 / 4"
+    and N_geometric:"\<forall>M\<ge>N. \<forall>n. \<bar>real_of_int (B * b (n + M + 1)) / (prod a {M..n + M + 1})\<bar> < 1 / 2 ^ n"
+  proof -
+    obtain N1 where N1:"\<forall>M \<ge> N1. \<bar>R M\<bar> \<le>  1 / 4"
+      using metric_LIMSEQ_D[OF R_tendsto_0,of "1/4"] all_e_ubound[rule_format,of 4,unfolded eventually_sequentially]
+      by (auto simp:less_eq_real_def)
+    obtain N2 where N2:"\<forall>M\<ge>N2. \<forall>n. \<bar>real_of_int (B * b (n + M + 1)) 
+                          / (prod a {M..n + M + 1})\<bar> < 1 / 2 ^ n"
+      using all_e_ubound[rule_format,of 4,unfolded eventually_sequentially]
+      by (auto simp:less_eq_real_def)
+    define N where "N=max N1 N2"
+    show ?thesis using that[of N] N1 N2 unfolding N_def by simp
+  qed
+
+  define C where "C = B * prod a {..<N} * (\<Sum>n<N. f n)"
+  have "summable f"
+    unfolding f_def using aux_series_summable .
+  have "A * prod a {..<N} = C + B * b N / a N  + R N" 
+  proof -
+    have "A * prod a {..<N} = B * prod a {..<N} * (\<Sum>n. f n)"
+      unfolding AB_eq f_def using \<open>B>0\<close> by auto
+    also have "... = B * prod a {..<N} * ((\<Sum>n<N+1. f n) + (\<Sum>n. f (n+N+1)))"
+      using suminf_split_initial_segment[OF \<open>summable f\<close>, of "N+1"] by auto
+    also have "... = B * prod a {..<N} * ((\<Sum>n<N. f n) + f N + (\<Sum>n. f (n+N+1)))"
+      using sum.atLeast0_lessThan_Suc by simp
+    also have "... = C + B * b N / a N + (\<Sum>n. B*b (n+N+1) / prod a {N..n+N+1})"
+    proof -
+      have "B * prod a {..<N} * f N = B * b N / a N" 
+      proof -
+        have "{..N} =  {..<N} \<union> {N}" using ivl_disj_un_singleton(2) by blast
+        then show ?thesis unfolding f_def by auto
+      qed
+      moreover have "B * prod a {..<N} * (\<Sum>n. f (n+N+1)) = (\<Sum>n. B*b (n+N+1) / prod a {N..n+N+1})"
+      proof -
+        have "summable (\<lambda>n. f (n + N + 1))" 
+          using \<open>summable f\<close> summable_iff_shift[of f "N+1"] by auto
+        moreover have "prod a {..<N} * f (n + N + 1) = b (n + N + 1) / prod a {N..n + N + 1}" for n
+        proof -
+          have "{..n + N + 1} = {..<N} \<union> {N..n + N + 1}" by auto
+          then show ?thesis 
+            unfolding f_def
+            apply simp
+            apply (subst prod.union_disjoint)
+            by auto
+        qed
+        ultimately show ?thesis 
+          apply (subst suminf_mult[symmetric])
+          by (auto simp add: mult.commute mult.left_commute)
+      qed
+      ultimately show ?thesis unfolding C_def by (auto simp:algebra_simps)
+    qed
+    also have "... = C +B * b N / a N  + R N"
+      unfolding R_def by simp
+    finally show ?thesis .
+  qed
+  have R_bound:"\<bar>R M\<bar> \<le> 1 / 4" and R_Suc:"R (Suc M) = a M * R M - B * b (Suc M) / a (Suc M)" 
+    when "M \<ge> N" for M
+  proof -
+    define g where "g = (\<lambda>n. B*b (n+M+1) / prod a {M..n+M+1})"
+    have g_abs_summable:"summable (\<lambda>n. \<bar>g n\<bar>)"
+    proof -
+      have "summable (\<lambda>n.(1::real)/2^n)" 
+        using summable_geometric[of "(1::real)/2",simplified] 
+        by (auto elim!: back_subst[of "summable"] simp:field_simps)
+      moreover have "\<bar>g n\<bar> < 1/2^n" for n
+        using N_geometric[rule_format,OF that] unfolding g_def by simp
+      ultimately show ?thesis 
+        apply (elim summable_comparison_test')
+        using less_eq_real_def by auto
+    qed
+    show "\<bar>R M\<bar> \<le> 1 / 4" using R_N_bound[rule_format,OF that] .
+    have "R M = (\<Sum>n. g n)" unfolding R_def g_def by simp
+    also have "... = g 0 + (\<Sum>n. g (Suc n))"
+      apply (subst suminf_split_head)
+      using summable_rabs_cancel[OF g_abs_summable] by auto
+    also have "... = g 0 + 1/a M * (\<Sum>n. a M * g (Suc n))"
+      apply (subst suminf_mult)
+      by (auto simp add: g_abs_summable summable_Suc_iff summable_rabs_cancel)
+    also have "... = g 0 + 1/a M * R (Suc M)"
+    proof -
+      have "a M * g (Suc n) = B * b (n + M + 2) / prod a {Suc M..n + M + 2}" for n
+      proof -
+        have "{M..Suc (Suc (M + n))} = {M} \<union> {Suc M..Suc (Suc (M + n))}" by auto
+        then show ?thesis 
+          unfolding g_def using \<open>B>0\<close> by (auto simp add:algebra_simps)
+      qed
+      then have "(\<Sum>n. a M * g (Suc n)) = R (Suc M)"
+        unfolding R_def by auto
+      then show ?thesis by auto
+    qed
+    finally have "R M = g 0 + 1 / a M * R (Suc M)" .
+    then have "R (Suc M) = a M * R M - g 0 * a M" 
+      by (auto simp add:algebra_simps)
+    moreover have "{M..Suc M} = {M,Suc M}" by auto
+    ultimately show "R (Suc M) = a M * R M - B * b (Suc M) / a (Suc M)" 
+      unfolding g_def by auto
+  qed
+
+  define c where "c = (\<lambda>n. if n\<ge>N then get_c a b B N (n-N) else undefined)"
+  have c_rec:"c (n+1) = c n * a n -  B * b n" when "n \<ge> N" for n
+    unfolding c_def using that by (auto simp:Suc_diff_le)
+  have c_R:"c (Suc n) / a n = R n" when "n \<ge> N" for n
+    using that
+  proof (induct rule:nat_induct_at_least)
+    case base
+    have "\<bar> c (N+1) / a N \<bar> \<le> 1/2" 
+    proof -
+      have "c N = round (B * b N / a N)" unfolding c_def by simp
+      moreover have "c (N+1) / a N = c N - B * b N / a N"
+        using a_pos[rule_format,of N]
+        by (auto simp add:c_rec[of N,simplified] divide_simps)
+      ultimately show ?thesis using of_int_round_abs_le by auto
+    qed        
+    moreover have "\<bar>R N\<bar> \<le> 1 / 4" using R_bound[of N] by simp
+    ultimately have "\<bar>c (N+1) / a N - R N \<bar> < 1" by linarith
+    moreover have "c (N+1) / a N - R N \<in> \<int>"
+    proof -
+      have "c (N+1) / a N = c N - B * b N / a N"
+        using a_pos[rule_format,of N]
+        by (auto simp add:c_rec[of N,simplified] divide_simps)
+      moreover have " B * b N / a N + R N \<in> \<int>" 
+      proof -
+        have "C = B * (\<Sum>n<N. prod a {..<N} * (b n / prod a {..n}))"
+          unfolding C_def f_def by (simp add:sum_distrib_left algebra_simps)
+        also have "... = B * (\<Sum>n<N. prod a {n<..<N} * b n)"
+        proof -
+          have "{..<N} = {n<..<N} \<union> {..n}" if "n<N" for n 
+            by (simp add: ivl_disj_un_one(1) sup_commute that)
+          then show ?thesis
+            using \<open>B>0\<close> 
+            apply simp
+            apply (subst prod.union_disjoint)
+            by auto
+        qed
+        finally have "C = real_of_int (B * (\<Sum>n<N. prod a {n<..<N} * b n))" .
+        then have "C \<in> \<int>" using Ints_of_int by blast
+        moreover note \<open>A * prod a {..<N} = C + B * b N / a N  + R N\<close>
+        ultimately show ?thesis 
+          by (metis Ints_diff Ints_of_int add.assoc add_diff_cancel_left')
+      qed
+      ultimately show ?thesis by (simp add: diff_diff_add)
+    qed
+    ultimately have "c (N+1) / a N - R N = 0"
+      by (metis Ints_cases less_irrefl of_int_0 of_int_lessD)
+    then show ?case by simp
+  next
+    case (Suc n)
+    have "c (Suc (Suc n)) / a (Suc n) = c (Suc n) - B * b (Suc n) / a (Suc n)"
+      apply (subst c_rec[of "Suc n",simplified])
+      using \<open>N \<le> n\<close> by (auto simp add: divide_simps)
+    also have "... = a n * R n - B * b (Suc n) / a (Suc n)"  
+      using Suc by (auto simp: divide_simps)
+    also have "... = R (Suc n)"
+      using R_Suc[OF \<open>N \<le> n\<close>] by simp
+    finally  show ?case .
+  qed
+  have ca_tendsto_zero:"(\<lambda>n. c (Suc n) / a n) \<longlonglongrightarrow> 0"
+    using R_tendsto_0 
+    apply (elim filterlim_mono_eventually)
+    using c_R by (auto intro!:eventually_sequentiallyI[of N])
+  have ca_bound:"\<bar>c (n + 1)\<bar> < a n / 2" when "n \<ge> N" for n
+  proof -
+    have "\<bar>c (Suc n)\<bar> / a n  = \<bar>c (Suc n) / a n\<bar>" using a_pos[rule_format,of n] by auto
+    also have "... = \<bar>R n\<bar>" using c_R[OF that] by auto
+    also have "... < 1/2" using R_bound[OF that] by auto
+    finally have "\<bar>c (Suc n)\<bar> / a n < 1/2" .
+    then show ?thesis using a_pos[rule_format,of n] by auto
+  qed
+
+(* (* the following part corresponds to (2.7) (2.8) in the original paper, but turns out to be
+        not necessary. *)
+  have c_round:"c n = round (B * b n / a n)" when "n \<ge> N" for n
+  proof (cases "n=N")
+    case True
+    then show ?thesis unfolding c_def by simp
+  next
+    case False
+    with \<open>n\<ge>N\<close> obtain n' where n_Suc:"n=Suc n'" and "n' \<ge> N" 
+      by (metis le_eq_less_or_eq lessE less_imp_le_nat)
+    have "B * b n / a n = c n - R n"
+    proof -
+      have "R n = c n - B * b n / a n"
+        using c_R[OF \<open>n'\<ge>N\<close>,symmetric,folded n_Suc] R_Suc[OF \<open>n'\<ge>N\<close>,folded n_Suc]
+        by (auto simp:field_simps)
+      then show ?thesis by (auto simp:field_simps)
+    qed
+    then have "\<bar>B * b n / a n - c n\<bar> = \<bar>R n\<bar>" by auto
+    then have "\<bar>B * b n / a n - c n\<bar> < 1/2" using R_bound[OF \<open>n \<ge> N\<close>] by auto
+    from round_unique'[OF this] show ?thesis by auto
+  qed
+  *)
+  show "\<exists>B>0. \<exists>c. (\<forall>\<^sub>F n in sequentially. B * b n = c n * a n - c (n + 1) 
+            \<and> real_of_int \<bar>c (n + 1)\<bar> < a n / 2) \<and> (\<lambda>n. c (Suc n) / a n) \<longlonglongrightarrow> 0"
+    unfolding eventually_at_top_linorder
+    apply (rule exI[of _ B],use \<open>B>0\<close> in simp)
+    apply (intro exI[of _c] exI[of _ N])
+    using c_rec ca_bound ca_tendsto_zero 
+    by fastforce
+qed
+
+private lemma imp_ab_rational:
+  assumes "\<exists> (B::int)>0. \<exists> c::nat\<Rightarrow> int.
+              (\<forall>\<^sub>F n in sequentially. B*b n = c n * a n - c(n+1) \<and> \<bar>c(n+1)\<bar><a n/2)"
+  shows "(\<Sum>n. (b n / (\<Prod>i \<le> n. a i))) \<in> \<rat>"
+proof -
+  obtain B::int and c::"nat\<Rightarrow>int" and N::nat where "B>0" and  
+    large_n:"\<forall>n\<ge>N. B * b n = c n * a n - c (n + 1) \<and> real_of_int \<bar>c (n + 1)\<bar> < a n / 2
+                      \<and> a n\<ge>2"
+  proof -
+    obtain B c where "B>0" and event1:"\<forall>\<^sub>F n in sequentially. B * b n = c n * a n - c (n + 1) 
+              \<and> real_of_int \<bar>c (n + 1)\<bar> < real_of_int (a n) / 2"
+      using assms by auto
+    from eventually_conj[OF event1 a_large,unfolded eventually_at_top_linorder]
+    obtain N where "\<forall>n\<ge>N. (B * b n = c n * a n - c (n + 1) 
+                        \<and> real_of_int \<bar>c (n + 1)\<bar> < real_of_int (a n) / 2) \<and> 2 \<le> a n"
+      by fastforce
+    then show ?thesis using that[of B N c] \<open>B>0\<close> by auto
+  qed
+  define f where "f=(\<lambda>n. real_of_int (b n) / real_of_int (prod a {..n}))"
+  define S where "S = (\<Sum>n. f n)"
+  have "summable f"
+    unfolding f_def by (rule aux_series_summable)
+  define C where "C=B*prod a {..<N} * (\<Sum>n<N. f n)"
+  have "B*prod a {..<N} * S = C + real_of_int (c N)" 
+  proof -
+    define h1 where "h1= (\<lambda>n. (c (n+N) * a (n+N)) / prod a {N..n+N})"
+    define h2 where "h2 = (\<lambda>n. c (n+N+1) / prod a {N..n+N})"
+    have f_h12:"B*prod a {..<N}*f (n+N) = h1 n - h2 n" for n 
+    proof -
+      define g1 where "g1 = (\<lambda>n. B * b (n+N))"
+      define g2 where "g2 = (\<lambda>n. prod a {..<N} / prod a {..n + N})"
+      have "B*prod a {..<N}*f (n+N) = (g1 n * g2 n)"
+        unfolding f_def g1_def g2_def by (auto simp:algebra_simps)
+      moreover have "g1 n = c (n+N) * a (n+N) - c (n+N+1)" 
+        using large_n[rule_format,of "n+N"] unfolding g1_def by auto
+      moreover have "g2 n = (1/prod a {N..n+N})" 
+      proof -
+        have "prod a ({..<N} \<union> {N..n + N}) = prod a {..<N} * prod a {N..n + N}"
+          apply (rule prod.union_disjoint[of "{..<N}" "{N..n+N}" a])
+          by auto
+        moreover have "prod a ({..<N} \<union> {N..n + N}) = prod a {..n+N}"
+          by (simp add: ivl_disj_un_one(4))
+        ultimately show ?thesis 
+          unfolding g2_def
+          apply simp
+          using a_pos by (metis less_irrefl)
+      qed
+      ultimately have "B*prod a {..<N}*f (n+N) = (c (n+N) * a (n+N) - c (n+N+1)) / prod a {N..n+N}"
+        by auto
+      also have "... = h1 n - h2 n"
+        unfolding h1_def h2_def by (auto simp:algebra_simps diff_divide_distrib)
+      finally show ?thesis by simp
+    qed
+    have "B*prod a {..<N} * S = B*prod a {..<N} * ((\<Sum>n<N. f n) + (\<Sum>n. f (n+N)))"
+      using suminf_split_initial_segment[OF \<open>summable f\<close>,of N] 
+      unfolding S_def by (auto simp:algebra_simps)
+    also have "... = C + B*prod a {..<N}*(\<Sum>n. f (n+N))"
+      unfolding C_def by (auto simp:algebra_simps)
+    also have "... = C + (\<Sum>n. h1 n - h2 n)"
+      apply (subst suminf_mult[symmetric])
+      subgoal using \<open>summable f\<close> by (simp add: summable_iff_shift)
+      subgoal using f_h12 by auto
+      done
+    also have "... = C + h1 0"
+    proof -
+      have "(\<lambda>n. \<Sum>i\<le>n. h1 i - h2 i) \<longlonglongrightarrow> (\<Sum>i. h1 i - h2 i)"
+      proof (rule summable_LIMSEQ')
+        have "(\<lambda>i. h1 i - h2 i) = (\<lambda>i.  real_of_int (B * prod a {..<N}) * f (i + N))"
+          using f_h12 by auto
+        then show "summable (\<lambda>i. h1 i - h2 i)"
+          using \<open>summable f\<close> by (simp add: summable_iff_shift summable_mult)
+      qed
+      moreover have "(\<Sum>i\<le>n. h1 i - h2 i)  = h1 0 - h2 n" for n
+      proof (induct n)
+        case 0
+        then show ?case by simp
+      next
+        case (Suc n)
+        have "(\<Sum>i\<le>Suc n. h1 i - h2 i) = (\<Sum>i\<le>n. h1 i - h2 i) + h1 (n+1) - h2 (n+1)"
+          by auto
+        also have "... =  h1 0 - h2 n + h1 (n+1) - h2 (n+1)" using Suc by auto
+        also have "... = h1 0 - h2 (n+1)"
+        proof -
+          have "h2 n = h1 (n+1)"
+            unfolding h2_def h1_def 
+            apply (auto simp:prod.nat_ivl_Suc')
+            using a_pos by (metis less_numeral_extra(3))
+          then show ?thesis by auto
+        qed
+        finally show ?case by simp
+      qed
+      ultimately have "(\<lambda>n. h1 0 - h2 n) \<longlonglongrightarrow> (\<Sum>i. h1 i - h2 i)" by simp
+      then have "h2 \<longlonglongrightarrow> (h1 0 -  (\<Sum>i. h1 i - h2 i))"
+        apply (elim metric_tendsto_imp_tendsto)
+        by (auto intro!:eventuallyI simp add:dist_real_def)
+      moreover have "h2 \<longlonglongrightarrow> 0"
+      proof -
+        have h2_n:"\<bar>h2 n\<bar> < (1 / 2)^(n+1)" for n 
+        proof -
+          have "\<bar>h2 n\<bar> = \<bar>c (n + N + 1)\<bar> / prod a {N..n + N}"
+            unfolding h2_def abs_divide
+            using a_pos by (simp add: abs_of_pos prod_pos)
+          also have "... < (a (N+n) / 2) / prod a {N..n + N}"
+            unfolding h2_def
+            apply (rule divide_strict_right_mono)
+            subgoal using large_n[rule_format,of "N+n"] by (auto simp add:algebra_simps)
+            subgoal using a_pos by (simp add: prod_pos)
+            done
+          also have "... = 1 / (2*prod a {N..<n + N})"
+            apply (subst ivl_disj_un(6)[of N "n+N",symmetric])
+            using a_pos[rule_format,of "N+n"] by (auto simp add:algebra_simps)
+          also have "... \<le> (1/2)^(n+1)"
+          proof (induct n)
+            case 0
+            then show ?case by auto
+          next
+            case (Suc n)
+            define P where "P=1 / real_of_int (2 * prod a {N..<n + N})"
+            have "1 / real_of_int (2 * prod a {N..<Suc n + N}) = P / a (n+N)"
+              unfolding P_def by (auto simp add: prod.atLeastLessThan_Suc)
+            also have "... \<le>  ( (1 / 2) ^ (n + 1) ) / a (n+N) "
+              apply (rule divide_right_mono)
+              subgoal unfolding P_def using Suc by auto
+              subgoal by (simp add: a_pos less_imp_le)
+              done
+            also have "... \<le> ( (1 / 2) ^ (n + 1) ) / 2 "
+              apply (rule divide_left_mono)
+              using large_n[rule_format,of "n+N",simplified] by auto
+            also have "... = (1 / 2) ^ (n + 2)" by auto
+            finally show ?case by simp
+          qed
+          finally show ?thesis .
+        qed
+        have "(\<lambda>n. (1 / 2)^(n+1)) \<longlonglongrightarrow> (0::real)" 
+          using tendsto_mult_right_zero[OF LIMSEQ_abs_realpow_zero2[of "1/2",simplified],of "1/2"]
+          by auto
+        then show ?thesis 
+          apply (elim Lim_null_comparison[rotated])
+          using h2_n less_eq_real_def by (auto intro!:eventuallyI)
+      qed
+      ultimately have "(\<Sum>i. h1 i - h2 i) = h1 0"
+        using LIMSEQ_unique by fastforce
+      then show ?thesis by simp
+    qed
+    also have "... = C + c N"
+      unfolding h1_def using a_pos 
+      by auto (metis less_irrefl)
+    finally show ?thesis . 
+  qed
+  then have "S = (C + real_of_int (c N)) / (B*prod a {..<N})" 
+    by (metis \<open>0 < B\<close> a_pos less_irrefl mult.commute mult_pos_pos 
+        nonzero_mult_div_cancel_right of_int_eq_0_iff prod_pos)
+  moreover have "... \<in> \<rat>"
+    unfolding C_def f_def by (intro Rats_divide Rats_add Rats_mult Rats_of_int Rats_sum)
+  ultimately show "S \<in> \<rat>" by auto
+qed
+
+theorem theorem_2_1_Erdos_Straus :
+  "(\<Sum>n. (b n / (\<Prod>i \<le> n. a i))) \<in> \<rat> \<longleftrightarrow> (\<exists> (B::int)>0. \<exists> c::nat\<Rightarrow> int.
+            (\<forall>\<^sub>F n in sequentially. B*b n = c n * a n - c(n+1) \<and> \<bar>c(n+1)\<bar><a n/2))"
+  using ab_rationality_imp imp_ab_rational by auto
+
+text\<open>The following is a Corollary to Theorem 2.1.  \<close>
+
+corollary corollary_2_10_Erdos_Straus:
+  assumes ab_event:"\<forall>\<^sub>F n in sequentially. b n > 0 \<and> a (n+1) \<ge> a n" 
+    and ba_lim_leq:"lim (\<lambda>n. (b(n+1) - b n )/a n) \<le> 0" 
+    and ba_lim_exist:"convergent (\<lambda>n. (b(n+1) - b n )/a n)"
+    and "liminf (\<lambda>n. a n / b n) = 0 "
+  shows "(\<Sum>n. (b n / (\<Prod>i \<le> n. a i))) \<notin> \<rat>"
+proof 
+  assume "(\<Sum>n. (b n / (\<Prod>i \<le> n. a i))) \<in> \<rat>"
+  then obtain B c where "B>0" and abc_event:"\<forall>\<^sub>F n in sequentially. B * b n = c n * a n - c (n + 1) 
+          \<and> \<bar>c (n + 1)\<bar> < a n / 2" and ca_vanish: "(\<lambda>n. c (Suc n) / a n) \<longlonglongrightarrow> 0"
+    using ab_rationality_imp by auto
+
+  have bac_close:"(\<lambda>n. B * b n / a n - c n) \<longlonglongrightarrow> 0"
+  proof -
+    have "\<forall>\<^sub>F n in sequentially. B * b n - c n * a n + c (n + 1) = 0"
+      using abc_event by (auto elim!:eventually_mono)
+    then have "\<forall>\<^sub>F n in sequentially. (B * b n - c n * a n + c (n+1)) / a n = 0 "
+      apply eventually_elim
+      by auto
+    then have "\<forall>\<^sub>F n in sequentially. B * b n / a n - c n  + c (n + 1) / a n = 0"
+      apply eventually_elim
+      using a_pos by (auto simp:divide_simps) (metis less_irrefl)
+    then have "(\<lambda>n. B * b n / a n - c n  + c (n + 1) / a n) \<longlonglongrightarrow> 0"
+      by (simp add: eventually_mono tendsto_iff)
+    from tendsto_diff[OF this ca_vanish]  
+    show ?thesis by auto
+  qed
+
+  have c_pos:"\<forall>\<^sub>F n in sequentially. c n > 0" 
+  proof -
+    from bac_close have *:"\<forall>\<^sub>F n in sequentially. c n \<ge> 0"
+      apply (elim tendsto_of_int_diff_0)
+      using ab_event a_large apply (eventually_elim) 
+      using \<open>B>0\<close> by auto 
+    show ?thesis
+    proof (rule ccontr)
+      assume "\<not> (\<forall>\<^sub>F n in sequentially. c n > 0)"
+      moreover have "\<forall>\<^sub>F n in sequentially. c (Suc n) \<ge> 0 \<and> c n\<ge>0"
+        using * eventually_sequentially_Suc[of "\<lambda>n. c n\<ge>0"] 
+        by (metis (mono_tags, lifting) eventually_at_top_linorder le_Suc_eq)
+      ultimately have "\<exists>\<^sub>F n in sequentially. c n = 0 \<and> c (Suc n) \<ge> 0"
+        using eventually_elim2 frequently_def by fastforce
+      moreover have "\<forall>\<^sub>F n in sequentially. b n > 0 \<and> B * b n = c n * a n - c (n + 1)"
+        using ab_event abc_event by eventually_elim auto
+      ultimately have "\<exists>\<^sub>F n in sequentially. c n = 0 \<and> c (Suc n) \<ge> 0 \<and> b n > 0 
+                          \<and> B * b n = c n * a n - c (n + 1)"
+        using frequently_eventually_frequently by fastforce
+      from frequently_ex[OF this] 
+      obtain n where "c n = 0" "c (Suc n) \<ge> 0" "b n > 0" 
+        "B * b n = c n * a n - c (n + 1)"
+        by auto
+      then have "B * b n \<le> 0" by auto
+      then show False using \<open>b n>0\<close> \<open>B > 0\<close> using mult_pos_pos not_le by blast
+    qed
+  qed
+
+  have bc_epsilon:"\<forall>\<^sub>F n in sequentially. b (n+1) / b n >  (c (n+1) - \<epsilon>) / c n" when "\<epsilon>>0" "\<epsilon><1" for \<epsilon>::real
+  proof -
+    have "\<forall>\<^sub>F x in sequentially. \<bar>c (Suc x) / a x\<bar> < \<epsilon> / 2"
+      using ca_vanish[unfolded tendsto_iff,rule_format, of "\<epsilon>/2"] \<open>\<epsilon>>0\<close> by auto
+    moreover then have "\<forall>\<^sub>F x in sequentially. \<bar>c (x+2) / a (x+1)\<bar> < \<epsilon> / 2"
+      apply (subst (asm) eventually_sequentially_Suc[symmetric])
+      by simp
+    moreover have "\<forall>\<^sub>F n in sequentially. B * b (n+1) = c (n+1) * a (n+1) - c (n + 2)"
+      using abc_event
+      apply (subst (asm) eventually_sequentially_Suc[symmetric])
+      by (auto elim:eventually_mono)
+    moreover have "\<forall>\<^sub>F n in sequentially. c n > 0 \<and> c (n+1) > 0 \<and> c (n+2) > 0"
+    proof -
+      have "\<forall>\<^sub>F n in sequentially. 0 < c (Suc n)"
+        using c_pos by (subst eventually_sequentially_Suc) simp
+      moreover then have "\<forall>\<^sub>F n in sequentially. 0 < c (Suc (Suc n))"
+        using c_pos by (subst eventually_sequentially_Suc) simp
+      ultimately show ?thesis using c_pos by eventually_elim auto
+    qed
+    ultimately show ?thesis using ab_event abc_event 
+    proof eventually_elim
+      case (elim n)
+      define \<epsilon>\<^sub>0 \<epsilon>\<^sub>1 where "\<epsilon>\<^sub>0 = c (n+1) / a n" and "\<epsilon>\<^sub>1 = c (n+2) / a (n+1)"
+      have "\<epsilon>\<^sub>0 > 0" "\<epsilon>\<^sub>1 > 0" "\<epsilon>\<^sub>0 < \<epsilon>/2" "\<epsilon>\<^sub>1 < \<epsilon>/2" using a_pos elim by (auto simp add: \<epsilon>\<^sub>0_def \<epsilon>\<^sub>1_def)
+      have "(\<epsilon> - \<epsilon>\<^sub>1) * c n > 0"
+        apply (rule mult_pos_pos)
+        using \<open>\<epsilon>\<^sub>1 > 0\<close> \<open>\<epsilon>\<^sub>1 < \<epsilon>/2\<close> \<open>\<epsilon>>0\<close> elim by auto
+      moreover have "\<epsilon>\<^sub>0 * (c (n+1) - \<epsilon>) > 0"
+        apply (rule mult_pos_pos[OF \<open>\<epsilon>\<^sub>0 > 0\<close>])
+        using elim(4) that(2) by linarith
+      ultimately have "(\<epsilon> - \<epsilon>\<^sub>1) * c n + \<epsilon>\<^sub>0 * (c (n+1) - \<epsilon>) > 0" by auto
+      moreover have "c n - \<epsilon>\<^sub>0 > 0" using \<open>\<epsilon>\<^sub>0 < \<epsilon> / 2\<close> elim(4) that(2) by linarith
+      moreover have "c n > 0" by (simp add: elim(4))
+      ultimately have "(c (n+1) - \<epsilon>) / c n < (c (n+1) - \<epsilon>\<^sub>1) / (c n -  \<epsilon>\<^sub>0)"
+        by (auto simp add: field_simps)
+      also have "... \<le> (c (n+1) - \<epsilon>\<^sub>1) / (c n -  \<epsilon>\<^sub>0) * (a (n+1) / a n)"
+      proof -
+        have "(c (n+1) - \<epsilon>\<^sub>1) / (c n -  \<epsilon>\<^sub>0) > 0" 
+          by (smt \<open>0 < (\<epsilon> - \<epsilon>\<^sub>1) * real_of_int (c n)\<close> \<open>0 < real_of_int (c n) - \<epsilon>\<^sub>0\<close> 
+              divide_pos_pos elim(4) mult_le_0_iff of_int_less_1_iff that(2))
+        moreover have "(a (n+1) / a n) \<ge> 1" 
+          using a_pos elim(5) by auto
+        ultimately show ?thesis by (metis mult_cancel_left1 real_mult_le_cancel_iff2)
+      qed
+      also have "... = (B * b (n+1)) / (B * b n)"
+      proof -
+        have "B * b n = c n * a n - c (n + 1)"
+          using elim by auto
+        also have "... = a n * (c n - \<epsilon>\<^sub>0)"
+          using a_pos[rule_format,of n] unfolding \<epsilon>\<^sub>0_def by (auto simp:field_simps)
+        finally have "B * b n = a n * (c n - \<epsilon>\<^sub>0)" .
+        moreover have "B * b (n+1) = a (n+1) * (c (n+1) - \<epsilon>\<^sub>1)" 
+          unfolding \<epsilon>\<^sub>1_def 
+          using a_pos[rule_format,of "n+1"] 
+          apply (subst \<open>B * b (n + 1) = c (n + 1) * a (n + 1) - c (n + 2)\<close>)
+          by (auto simp:field_simps)
+        ultimately show ?thesis by (simp add: mult.commute)
+      qed
+      also have "... = b (n+1) / b n" 
+        using \<open>B>0\<close> by auto
+      finally show ?case .
+    qed
+  qed
+
+  have eq_2_11:"\<exists>\<^sub>F n in sequentially. b (n+1) > b n + (1 - \<epsilon>)^2 * a n / B" 
+    when "\<epsilon>>0" "\<epsilon><1" "\<not> (\<forall>\<^sub>F n in sequentially. c (n+1) \<le> c n)"  for \<epsilon>::real
+  proof -
+    have "\<exists>\<^sub>F x in sequentially. c x < c (Suc x) " using that(3) 
+      by (simp add:not_eventually frequently_elim1)
+    moreover have "\<forall>\<^sub>F x in sequentially. \<bar>c (Suc x) / a x\<bar> < \<epsilon>"
+      using ca_vanish[unfolded tendsto_iff,rule_format, of \<epsilon>] \<open>\<epsilon>>0\<close> by auto
+    moreover have "\<forall>\<^sub>F n in sequentially. c n > 0 \<and> c (n+1) > 0"
+    proof -
+      have "\<forall>\<^sub>F n in sequentially. 0 < c (Suc n)"
+        using c_pos by (subst eventually_sequentially_Suc) simp
+      then show ?thesis using c_pos by eventually_elim auto
+    qed
+    ultimately show ?thesis  using ab_event abc_event bc_epsilon[OF \<open>\<epsilon>>0\<close> \<open>\<epsilon><1\<close>] 
+    proof (elim frequently_rev_mp,eventually_elim)
+      case (elim n)
+      then have "c (n+1) / a n < \<epsilon>" 
+        using a_pos[rule_format,of n] by auto
+      also have "... \<le> \<epsilon> * c n" using elim(7) that(1) by auto
+      finally have "c (n+1) / a n < \<epsilon> * c n" .
+      then have "c (n+1) / c n < \<epsilon> * a n" 
+        using a_pos[rule_format,of n] elim by (auto simp:field_simps)
+      then have "(1 - \<epsilon>) * a n < a n - c (n+1) / c n"
+        by (auto simp:algebra_simps)
+      then have "(1 - \<epsilon>)^2 * a n / B < (1 - \<epsilon>) * (a n - c (n+1) / c n) / B"
+        apply (subst (asm) real_mult_less_iff1[symmetric, of "(1-\<epsilon>)/B"])
+        using \<open>\<epsilon><1\<close> \<open>B>0\<close> by (auto simp:divide_simps power2_eq_square)
+      then have "b n + (1 - \<epsilon>)^2 * a n / B < b n + (1 - \<epsilon>) * (a n - c (n+1) / c n) / B"
+        using \<open>B>0\<close> by auto
+      also have "... = b n + (1 - \<epsilon>) * ((c n *a n - c (n+1)) / c n) / B"
+        using elim by (auto simp:field_simps)
+      also have "... = b n + (1 - \<epsilon>) * (b n / c n)"
+      proof -
+        have "B * b n = c n * a n - c (n + 1)" using elim by auto
+        from this[symmetric] show ?thesis
+          using \<open>B>0\<close> by simp
+      qed
+      also have "... = (1+(1-\<epsilon>)/c n) * b n"
+        by (auto simp:algebra_simps)
+      also have "... = ((c n+1-\<epsilon>)/c n) * b n"
+        using elim by (auto simp:divide_simps)
+      also have "... \<le> ((c (n+1) -\<epsilon>)/c n) * b n"
+      proof -
+        define cp where "cp = c n+1"
+        have "c (n+1) \<ge> cp" unfolding cp_def using \<open>c n < c (Suc n)\<close> by auto
+        moreover have "c n>0" "b n>0" using elim by auto
+        ultimately show ?thesis 
+          apply (fold cp_def)
+          by (auto simp:divide_simps)
+      qed
+      also have "... < b (n+1)"
+        using elim by (auto simp:divide_simps)
+      finally show ?case .
+    qed
+  qed
+
+  have "\<forall>\<^sub>F n in sequentially. c (n+1) \<le> c n"
+  proof (rule ccontr)
+    assume "\<not> (\<forall>\<^sub>F n in sequentially. c (n + 1) \<le> c n)"
+    from eq_2_11[OF _ _ this,of "1/2"]
+    have "\<exists>\<^sub>F n in sequentially. b (n+1) > b n + 1/4 * a n / B" 
+      by (auto simp:algebra_simps power2_eq_square)
+    then have *:"\<exists>\<^sub>F n in sequentially. (b (n+1) - b n) / a n > 1 / (B * 4)" 
+      apply (elim frequently_elim1)
+      subgoal for n
+        using a_pos[rule_format,of n] by (auto simp:field_simps)
+      done
+    define f where "f = (\<lambda>n. (b (n+1) - b n) / a n)"
+    have "f \<longlonglongrightarrow> lim f"
+      using convergent_LIMSEQ_iff ba_lim_exist unfolding f_def by auto
+    from this[unfolded tendsto_iff,rule_format, of "1 / (B*4)"] 
+    have "\<forall>\<^sub>F x in sequentially. \<bar>f x - lim f\<bar> < 1 / (B * 4)"
+      using \<open>B>0\<close> by (auto simp:dist_real_def)
+    moreover have "\<exists>\<^sub>F n in sequentially. f n > 1 / (B * 4)" 
+      using * unfolding f_def by auto
+    ultimately have "\<exists>\<^sub>F n in sequentially. f n > 1 / (B * 4) \<and> \<bar>f n - lim f\<bar> < 1 / (B * 4)"
+      by (auto elim:frequently_eventually_frequently[rotated])
+    from frequently_ex[OF this] 
+    obtain n where "f n > 1 / (B * 4)" "\<bar>f n - lim f\<bar> < 1 / (B * 4)"
+      by auto
+    moreover have "lim f \<le> 0" using ba_lim_leq unfolding f_def by auto
+    ultimately show False by linarith
+  qed
+  then obtain N where N_dec:"\<forall>n\<ge>N. c (n+1) \<le> c n" by (meson eventually_at_top_linorder)
+  define max_c where "max_c = (MAX n \<in> {..N}. c n)"
+  have max_c:"c n \<le> max_c" for n
+  proof (cases "n\<le>N")
+    case True
+    then show ?thesis unfolding max_c_def by simp
+  next
+    case False
+    then have "n\<ge>N" by auto
+    then have "c n\<le>c N" 
+    proof (induct rule:nat_induct_at_least)
+      case base
+      then show ?case by simp
+    next
+      case (Suc n)
+      then have "c (n+1) \<le> c n" using N_dec by auto
+      then show ?case using \<open>c n \<le> c N\<close> by auto
+    qed
+    moreover have "c N \<le> max_c" unfolding max_c_def by auto
+    ultimately show ?thesis by auto
+  qed
+  have "max_c > 0 " 
+  proof -
+    obtain N where "\<forall>n\<ge>N. 0 < c n" 
+      using c_pos[unfolded eventually_at_top_linorder] by auto
+    then have "c N > 0" by auto
+    then show ?thesis using max_c[of N] by simp
+  qed
+  have ba_limsup_bound:"1/(B*(B+1)) \<le> limsup (\<lambda>n. b n/a n)" 
+    "limsup (\<lambda>n. b n/a n) \<le> max_c / B + 1 / (B+1)"
+  proof -
+    define f where "f = (\<lambda>n. b n/a n)"
+    from tendsto_mult_right_zero[OF bac_close,of "1/B"] 
+    have "(\<lambda>n. f n - c n / B) \<longlonglongrightarrow> 0"
+      unfolding f_def using  \<open>B>0\<close> by (auto simp:algebra_simps)
+    from this[unfolded tendsto_iff,rule_format,of "1/(B+1)"]
+    have "\<forall>\<^sub>F x in sequentially. \<bar>f x - c x / B\<bar> < 1 / (B+1)"
+      using \<open>B>0\<close> by auto
+    then have *:"\<forall>\<^sub>F n in sequentially. 1/(B*(B+1)) \<le> ereal (f n) \<and> ereal (f n) \<le> max_c / B + 1 / (B+1)" 
+      using c_pos
+    proof eventually_elim
+      case (elim n)
+      then have "f n - c n / B < 1 / (B+1)" by auto
+      then have "f n < c n / B + 1 / (B+1)" by simp
+      also have "... \<le> max_c / B + 1 / (B+1)"
+        using max_c[of n] using \<open>B>0\<close> by (auto simp:divide_simps)
+      finally have *:"f n < max_c / B + 1 / (B+1)" .
+
+      have "1/(B*(B+1)) = 1/B - 1 / (B+1)" 
+        using \<open>B>0\<close> by (auto simp:divide_simps)
+      also have "... \<le> c n/B - 1 / (B+1)" 
+        using \<open>0 < c n\<close> \<open>B>0\<close> by (auto,auto simp:divide_simps)
+      also have "... < f n" using elim by auto
+      finally have "1/(B*(B+1)) < f n" .
+      with * show ?case by simp
+    qed
+    show "limsup f \<le> max_c / B + 1 / (B+1)"
+      apply (rule Limsup_bounded)
+      using * by (auto elim:eventually_mono)
+    have "1/(B*(B+1)) \<le> liminf f"
+      apply (rule Liminf_bounded)
+      using * by (auto elim:eventually_mono)
+    also have "liminf f \<le> limsup f" by (simp add: Liminf_le_Limsup)
+    finally show "1/(B*(B+1)) \<le> limsup f" .
+  qed
+
+  have "0 < inverse (ereal (max_c / B + 1 / (B+1)))"
+    using \<open>max_c > 0\<close> \<open>B>0\<close> 
+    by (simp add: pos_add_strict)
+  also have "... \<le> inverse (limsup (\<lambda>n. b n/a n))"
+  proof (rule ereal_inverse_antimono[OF _ ba_limsup_bound(2)])
+    have "0<1/(B*(B+1))" using \<open>B>0\<close> by auto
+    also have "... \<le> limsup (\<lambda>n. b n/a n)" using ba_limsup_bound(1) .
+    finally show "0\<le>limsup (\<lambda>n. b n/a n)" using zero_ereal_def by auto
+  qed 
+  also have "... = liminf (\<lambda>n. inverse (ereal ( b n/a n)))"
+    apply (subst Liminf_inverse_ereal[symmetric])
+    using a_pos ab_event by (auto elim!:eventually_mono simp:divide_simps)
+  also have "... = liminf (\<lambda>n. ( a n/b n))"
+    apply (rule Liminf_eq)
+    using a_pos ab_event 
+    apply (auto elim!:eventually_mono) 
+    by (metis less_int_code(1))
+  finally have "liminf (\<lambda>n. ( a n/b n)) > 0" .
+  then show False using \<open>liminf (\<lambda>n. a n / b n) = 0\<close> by simp
+qed
+
+end
+
+section\<open>Some auxiliary results on the prime numbers. \<close>
+
+lemma nth_prime_nonzero[simp]:"nth_prime n \<noteq> 0"
+  by (simp add: prime_gt_0_nat prime_nth_prime)
+
+lemma nth_prime_gt_zero[simp]:"nth_prime n >0"
+  by (simp add: prime_gt_0_nat prime_nth_prime)
+
+lemma ratio_of_consecutive_primes:
+  "(\<lambda>n. nth_prime (n+1)/nth_prime n) \<longlonglongrightarrow>1"
+proof -
+  define f where "f=(\<lambda>x. real (nth_prime (Suc x)) /real (nth_prime x))"
+  define g where "g=(\<lambda>x. (real x * ln (real x)) 
+                              / (real (Suc x) * ln (real (Suc x))))"
+  have p_n:"(\<lambda>x. real (nth_prime x) / (real x * ln (real x))) \<longlonglongrightarrow> 1"
+    using nth_prime_asymptotics[unfolded asymp_equiv_def,simplified] .
+  moreover have p_sn:"(\<lambda>n. real (nth_prime (Suc n)) 
+                        / (real (Suc n) * ln (real (Suc n)))) \<longlonglongrightarrow> 1"
+    using nth_prime_asymptotics[unfolded asymp_equiv_def,simplified
+        ,THEN LIMSEQ_Suc] .
+  ultimately have "(\<lambda>x. f x * g x) \<longlonglongrightarrow> 1"
+    using tendsto_divide[OF p_sn p_n] 
+    unfolding f_def g_def by (auto simp:algebra_simps)
+  moreover have "g \<longlonglongrightarrow> 1" unfolding g_def
+    by real_asymp
+  ultimately have "(\<lambda>x. if g x = 0 then 0 else f x) \<longlonglongrightarrow> 1"
+    apply (drule_tac tendsto_divide[OF _ \<open>g \<longlonglongrightarrow> 1\<close>])
+    by auto
+  then have "f \<longlonglongrightarrow> 1"
+  proof (elim filterlim_mono_eventually)
+    have "\<forall>\<^sub>F x in sequentially. (if g (x+3) = 0 then 0 
+                else f (x+3)) = f (x+3)" 
+      unfolding g_def by auto
+    then show "\<forall>\<^sub>F x in sequentially. (if g x = 0 then 0 else f x) = f x"
+      apply (subst (asm) eventually_sequentially_seg)
+      by simp
+  qed auto
+  then show ?thesis unfolding f_def by auto
+qed
+
+lemma nth_prime_double_sqrt_less:
+  assumes "\<epsilon> > 0"
+  shows "\<forall>\<^sub>F n in sequentially. (nth_prime (2*n) - nth_prime n) 
+            / sqrt (nth_prime n) < n powr (1/2+\<epsilon>)"
+proof -
+  define pp ll where 
+    "pp=(\<lambda>n. (nth_prime (2*n) - nth_prime n) / sqrt (nth_prime n))" and
+    "ll=(\<lambda>x::nat. x * ln x)"
+  have pp_pos:"pp (n+1) > 0" for n
+    unfolding pp_def by simp
+
+  have "(\<lambda>x. nth_prime (2 * x)) \<sim>[sequentially] (\<lambda>x. (2 * x) * ln (2 * x))"
+    using nth_prime_asymptotics[THEN asymp_equiv_compose
+        ,of "(*) 2" sequentially,unfolded comp_def]
+    using mult_nat_left_at_top pos2 by blast
+  also have "... \<sim>[sequentially] (\<lambda>x. 2 *x * ln x)"
+    by real_asymp
+  finally have "(\<lambda>x. nth_prime (2 * x)) \<sim>[sequentially] (\<lambda>x. 2 *x * ln x)" .
+  from this[unfolded asymp_equiv_def, THEN tendsto_mult_left,of 2]
+  have "(\<lambda>x. nth_prime (2 * x) / (x * ln x)) \<longlonglongrightarrow> 2"
+    unfolding asymp_equiv_def by auto
+  moreover have *:"(\<lambda>x. nth_prime x / (x * ln x)) \<longlonglongrightarrow> 1"
+    using nth_prime_asymptotics unfolding asymp_equiv_def by auto
+  ultimately    
+  have "(\<lambda>x. (nth_prime (2 * x) - nth_prime x) / ll x) \<longlonglongrightarrow> 1"
+    unfolding ll_def
+    apply -
+    apply (drule (1) tendsto_diff)
+    apply (subst of_nat_diff,simp)
+    by (subst diff_divide_distrib,simp)
+  moreover have "(\<lambda>x. sqrt (nth_prime x) / sqrt (ll x)) \<longlonglongrightarrow> 1"
+    unfolding ll_def
+    using tendsto_real_sqrt[OF *] 
+    by (auto simp: real_sqrt_divide)
+  ultimately have "(\<lambda>x. pp x * (sqrt (ll x) / (ll x))) \<longlonglongrightarrow> 1"
+    apply -
+    apply (drule (1) tendsto_divide,simp)
+    by (auto simp:field_simps of_nat_diff pp_def)
+  moreover have "\<forall>\<^sub>F x in sequentially. sqrt (ll x) / ll x = 1/sqrt (ll x)"
+    apply (subst eventually_sequentially_Suc[symmetric])
+    by (auto intro!:eventuallyI simp:ll_def divide_simps)
+  ultimately have "(\<lambda>x. pp x / sqrt (ll x)) \<longlonglongrightarrow> 1"
+    apply (elim filterlim_mono_eventually)
+    by (auto elim!:eventually_mono) (metis mult.right_neutral times_divide_eq_right)
+  moreover have "(\<lambda>x. sqrt (ll x) / x powr (1/2+\<epsilon>)) \<longlonglongrightarrow> 0"
+    unfolding ll_def using \<open>\<epsilon>>0\<close> by real_asymp
+  ultimately have "(\<lambda>x. pp x / x powr (1/2+\<epsilon>) * 
+                      (sqrt (ll x) / sqrt (ll x))) \<longlonglongrightarrow> 0"
+    apply -
+    apply (drule (1) tendsto_mult)
+    by (auto elim:filterlim_mono_eventually)
+  moreover have "\<forall>\<^sub>F x in sequentially. sqrt (ll x) / sqrt (ll x) = 1"
+    apply (subst eventually_sequentially_Suc[symmetric])
+    by (auto intro!:eventuallyI simp:ll_def )
+  ultimately have "(\<lambda>x. pp x / x powr (1/2+\<epsilon>)) \<longlonglongrightarrow> 0"
+    apply (elim filterlim_mono_eventually)
+    by (auto elim:eventually_mono)
+  from tendstoD[OF this, of 1,simplified]
+  show "\<forall>\<^sub>F x in sequentially. pp x < x powr (1 / 2 + \<epsilon>)"
+    apply (elim eventually_mono_sequentially[of _ 1])
+    using pp_pos by auto
+qed
+
+
+section \<open>Theorem 3.1\<close>
+
+text\<open>Theorem 3.1 is an application of Theorem 2.1 with the sequences considered involving 
+the prime numbers.\<close>
+
+theorem theorem_3_10_Erdos_Straus:
+  fixes a::"nat \<Rightarrow> int"
+  assumes a_pos:"\<forall> n. a n >0" and "mono a"
+    and nth_1:"(\<lambda>n. nth_prime n / (a n)^2) \<longlonglongrightarrow> 0"
+    and nth_2:"liminf (\<lambda>n. a n / nth_prime n) = 0"
+  shows "(\<Sum>n. (nth_prime n / (\<Prod>i \<le> n. a i))) \<notin> \<rat>"
+proof
+  assume asm:"(\<Sum>n. (nth_prime n / (\<Prod>i \<le> n. a i))) \<in> \<rat>"
+
+  have a2_omega:"(\<lambda>n. (a n)^2) \<in> \<omega>(\<lambda>x. x * ln x)"
+  proof -
+    have "(\<lambda>n. real (nth_prime n)) \<in> o(\<lambda>n. real_of_int ((a n)\<^sup>2))"
+      apply (rule smalloI_tendsto[OF nth_1])
+      using a_pos by (metis (mono_tags, lifting) less_int_code(1) 
+          not_eventuallyD of_int_0_eq_iff zero_eq_power2)
+    moreover have "(\<lambda>x. real (nth_prime x)) \<in> \<Omega>(\<lambda>x. real x * ln (real x))"
+      using nth_prime_bigtheta
+      by blast
+    ultimately show ?thesis 
+      using landau_omega.small_big_trans smallo_imp_smallomega by blast
+  qed
+
+  have a_gt_1:"\<forall>\<^sub>F n in sequentially. 1 < a n" 
+  proof -
+    have "\<forall>\<^sub>F x in sequentially. \<bar>x * ln x\<bar> \<le> (a x)\<^sup>2"
+      using a2_omega[unfolded smallomega_def,simplified,rule_format,of 1]
+      by auto
+    then have "\<forall>\<^sub>F x in sequentially. \<bar>(x+3) * ln (x+3)\<bar> \<le> (a (x+3))\<^sup>2" 
+      apply (subst (asm) eventually_sequentially_seg[symmetric, of _ 3])
+      by simp
+    then have "\<forall>\<^sub>F n in sequentially. 1 < a ( n+3)" 
+    proof (elim eventually_mono)
+      fix x
+      assume "\<bar>real (x + 3) * ln (real (x + 3))\<bar> \<le> real_of_int ((a (x + 3))\<^sup>2)"
+      moreover have "\<bar>real (x + 3) * ln (real (x + 3))\<bar> > 3"
+      proof -
+        have "ln (real (x + 3)) > 1"
+          apply simp using ln3_gt_1 ln_gt_1 by force
+        moreover have "real(x+3) \<ge> 3" by simp
+        ultimately have "(x+3)*ln (real (x + 3)) > 3*1 "
+          apply (rule_tac mult_le_less_imp_less)
+          by auto
+        then show ?thesis by auto
+      qed
+      ultimately have "real_of_int ((a (x + 3))\<^sup>2) > 3"
+        by auto
+      then show "1 < a (x + 3)" 
+        by (smt Suc3_eq_add_3 a_pos add.commute of_int_1 one_power2)
+    qed
+    then show ?thesis 
+      apply (subst eventually_sequentially_seg[symmetric, of _ 3])
+      by auto
+  qed
+
+  obtain B::int and c where 
+    "B>0" and Bc_large:"\<forall>\<^sub>F n in sequentially. B * nth_prime n 
+                = c n * a n - c (n + 1) \<and> \<bar>c (n + 1)\<bar> <  a n / 2"
+    and ca_vanish: "(\<lambda>n. c (Suc n) / real_of_int (a n)) \<longlonglongrightarrow> 0"
+  proof -
+    note a_gt_1
+    moreover have "(\<lambda>n. real_of_int \<bar>int (nth_prime n)\<bar> 
+                    / real_of_int (a (n - 1) * a n)) \<longlonglongrightarrow> 0" 
+    proof -
+      define f where "f=(\<lambda>n. nth_prime (n+1) / (a n * a (n+1)))"
+      define g where "g=(\<lambda>n. 2*nth_prime n / (a n)^2)"
+      have "\<forall>\<^sub>F x in sequentially. norm (f x) \<le> g x"
+      proof -
+        have "\<forall>\<^sub>F n in sequentially. nth_prime (n+1) < 2*nth_prime n" 
+          using ratio_of_consecutive_primes[unfolded tendsto_iff
+              ,rule_format,of 1,simplified]
+          apply (elim eventually_mono)
+          by (auto simp :divide_simps dist_norm)
+        moreover have "\<forall>\<^sub>F n in sequentially. real_of_int (a n * a (n+1))
+                           \<ge> (a n)^2"
+          apply (rule eventuallyI)
+          using \<open>mono a\<close> by (auto simp:power2_eq_square a_pos incseq_SucD)
+        ultimately show ?thesis unfolding f_def g_def
+          apply eventually_elim
+          apply (subst norm_divide)
+          apply (rule_tac linordered_field_class.frac_le)
+          using a_pos[rule_format, THEN order.strict_implies_not_eq ]
+          by auto
+      qed
+      moreover have "g \<longlonglongrightarrow> 0 " 
+        using nth_1[THEN tendsto_mult_right_zero,of 2] unfolding g_def 
+        by auto
+      ultimately have "f \<longlonglongrightarrow> 0" 
+        using Lim_null_comparison[of f g sequentially]
+        by auto
+      then show ?thesis
+        unfolding f_def
+        by (rule_tac LIMSEQ_imp_Suc) auto
+    qed
+    moreover have "(\<Sum>n. real_of_int (int (nth_prime n)) 
+                    / real_of_int (prod a {..n})) \<in> \<rat>" 
+      using asm by simp
+    ultimately have "\<exists>B>0. \<exists>c. (\<forall>\<^sub>F n in sequentially.
+              B * int (nth_prime n) = c n * a n - c (n + 1) \<and>
+              real_of_int \<bar>c (n + 1)\<bar> < real_of_int (a n) / 2) \<and>
+          (\<lambda>n. real_of_int (c (Suc n)) / real_of_int (a n)) \<longlonglongrightarrow> 0"
+      using ab_rationality_imp[OF a_pos,of nth_prime] by fast
+    then show thesis 
+      apply clarify
+      apply (rule_tac c=c and B=B in that)
+      by auto
+  qed
+
+  have bac_close:"(\<lambda>n. B * nth_prime n / a n - c n) \<longlonglongrightarrow> 0"
+  proof -
+    have "\<forall>\<^sub>F n in sequentially. B * nth_prime n - c n * a n + c (n + 1) = 0"
+      using Bc_large by (auto elim!:eventually_mono)
+    then have "\<forall>\<^sub>F n in sequentially. (B * nth_prime n - c n * a n + c (n+1)) / a n = 0 "
+      apply eventually_elim
+      by auto
+    then have "\<forall>\<^sub>F n in sequentially. B * nth_prime n / a n - c n  + c (n + 1) / a n = 0"
+      apply eventually_elim
+      using a_pos by (auto simp:divide_simps) (metis less_irrefl)
+    then have "(\<lambda>n. B * nth_prime n / a n - c n  + c (n + 1) / a n) \<longlonglongrightarrow> 0"
+      by (simp add: eventually_mono tendsto_iff)
+    from tendsto_diff[OF this ca_vanish]  
+    show ?thesis by auto
+  qed
+
+  have c_pos:"\<forall>\<^sub>F n in sequentially. c n > 0" 
+  proof -
+    from bac_close have *:"\<forall>\<^sub>F n in sequentially. c n \<ge> 0"
+      apply (elim tendsto_of_int_diff_0)
+      using a_gt_1 apply (eventually_elim) 
+      using \<open>B>0\<close> by auto 
+    show ?thesis
+    proof (rule ccontr)
+      assume "\<not> (\<forall>\<^sub>F n in sequentially. c n > 0)"
+      moreover have "\<forall>\<^sub>F n in sequentially. c (Suc n) \<ge> 0 \<and> c n\<ge>0"
+        using * eventually_sequentially_Suc[of "\<lambda>n. c n\<ge>0"] 
+        by (metis (mono_tags, lifting) eventually_at_top_linorder le_Suc_eq)
+      ultimately have "\<exists>\<^sub>F n in sequentially. c n = 0 \<and> c (Suc n) \<ge> 0"
+        using eventually_elim2 frequently_def by fastforce
+      moreover have "\<forall>\<^sub>F n in sequentially. nth_prime n > 0 
+                        \<and> B * nth_prime n = c n * a n - c (n + 1)"
+        using Bc_large by eventually_elim auto
+      ultimately have "\<exists>\<^sub>F n in sequentially. c n = 0 \<and> c (Suc n) \<ge> 0 
+          \<and> B * nth_prime n = c n * a n - c (n + 1)"
+        using frequently_eventually_frequently by fastforce
+      from frequently_ex[OF this] 
+      obtain n where "c n = 0" "c (Suc n) \<ge> 0"
+        "B * nth_prime n = c n * a n - c (n + 1)"
+        by auto
+      then have "B * nth_prime n \<le> 0" by auto
+      then show False using \<open>B > 0\<close> 
+        by (simp add: mult_le_0_iff)
+    qed
+  qed
+
+  have B_nth_prime:"\<forall>\<^sub>F n in sequentially. nth_prime n > B" 
+  proof -
+    have "\<forall>\<^sub>F x in sequentially. B+1 \<le> nth_prime x"
+      using nth_prime_at_top[unfolded filterlim_at_top_ge[where c="nat B+1"]
+          ,rule_format,of "nat B + 1",simplified] 
+
+      apply (elim eventually_mono)
+      using \<open>B>0\<close> by auto
+    then show ?thesis 
+      apply (elim eventually_mono)
+      by auto
+  qed
+
+  have bc_epsilon:"\<forall>\<^sub>F n in sequentially. nth_prime (n+1) 
+            / nth_prime n >  (c (n+1) - \<epsilon>) / c n" when "\<epsilon>>0" "\<epsilon><1" for \<epsilon>::real
+  proof -
+    have "\<forall>\<^sub>F x in sequentially. \<bar>c (Suc x) / a x\<bar> < \<epsilon> / 2"
+      using ca_vanish[unfolded tendsto_iff,rule_format, of "\<epsilon>/2"] \<open>\<epsilon>>0\<close> by auto
+    moreover then have "\<forall>\<^sub>F x in sequentially. \<bar>c (x+2) / a (x+1)\<bar> < \<epsilon> / 2"
+      apply (subst (asm) eventually_sequentially_Suc[symmetric])
+      by simp
+    moreover have "\<forall>\<^sub>F n in sequentially. B * nth_prime (n+1) = c (n+1) * a (n+1) - c (n + 2)"
+      using Bc_large
+      apply (subst (asm) eventually_sequentially_Suc[symmetric])
+      by (auto elim:eventually_mono)
+    moreover have "\<forall>\<^sub>F n in sequentially. c n > 0 \<and> c (n+1) > 0 \<and> c (n+2) > 0"
+    proof -
+      have "\<forall>\<^sub>F n in sequentially. 0 < c (Suc n)"
+        using c_pos by (subst eventually_sequentially_Suc) simp
+      moreover then have "\<forall>\<^sub>F n in sequentially. 0 < c (Suc (Suc n))"
+        using c_pos by (subst eventually_sequentially_Suc) simp
+      ultimately show ?thesis using c_pos by eventually_elim auto
+    qed
+    ultimately show ?thesis using Bc_large
+    proof eventually_elim
+      case (elim n)
+      define \<epsilon>\<^sub>0 \<epsilon>\<^sub>1 where "\<epsilon>\<^sub>0 = c (n+1) / a n" and "\<epsilon>\<^sub>1 = c (n+2) / a (n+1)"
+      have "\<epsilon>\<^sub>0 > 0" "\<epsilon>\<^sub>1 > 0" "\<epsilon>\<^sub>0 < \<epsilon>/2" "\<epsilon>\<^sub>1 < \<epsilon>/2" 
+        using a_pos elim \<open>mono a\<close>
+        by (auto simp add: \<epsilon>\<^sub>0_def \<epsilon>\<^sub>1_def abs_of_pos)
+      have "(\<epsilon> - \<epsilon>\<^sub>1) * c n > 0"
+        apply (rule mult_pos_pos)
+        using \<open>\<epsilon>\<^sub>1 > 0\<close> \<open>\<epsilon>\<^sub>1 < \<epsilon>/2\<close> \<open>\<epsilon>>0\<close> elim by auto
+      moreover have "\<epsilon>\<^sub>0 * (c (n+1) - \<epsilon>) > 0"
+        apply (rule mult_pos_pos[OF \<open>\<epsilon>\<^sub>0 > 0\<close>])
+        using elim(4) that(2) by linarith
+      ultimately have "(\<epsilon> - \<epsilon>\<^sub>1) * c n + \<epsilon>\<^sub>0 * (c (n+1) - \<epsilon>) > 0" by auto
+      moreover have "c n - \<epsilon>\<^sub>0 > 0" using \<open>\<epsilon>\<^sub>0 < \<epsilon> / 2\<close> elim(4) that(2) by linarith
+      moreover have "c n > 0" by (simp add: elim(4))
+      ultimately have "(c (n+1) - \<epsilon>) / c n < (c (n+1) - \<epsilon>\<^sub>1) / (c n -  \<epsilon>\<^sub>0)"
+        by (auto simp add:field_simps)
+      also have "... \<le> (c (n+1) - \<epsilon>\<^sub>1) / (c n -  \<epsilon>\<^sub>0) * (a (n+1) / a n)"
+      proof -
+        have "(c (n+1) - \<epsilon>\<^sub>1) / (c n -  \<epsilon>\<^sub>0) > 0" 
+          by (smt \<open>0 < (\<epsilon> - \<epsilon>\<^sub>1) * real_of_int (c n)\<close> \<open>0 < real_of_int (c n) - \<epsilon>\<^sub>0\<close> 
+              divide_pos_pos elim(4) mult_le_0_iff of_int_less_1_iff that(2))
+        moreover have "(a (n+1) / a n) \<ge> 1" 
+          using a_pos \<open>mono a\<close> by (simp add: mono_def)
+        ultimately show ?thesis by (metis mult_cancel_left1 real_mult_le_cancel_iff2)
+      qed
+      also have "... = (B * nth_prime (n+1)) / (B * nth_prime n)"
+      proof -
+        have "B * nth_prime n = c n * a n - c (n + 1)"
+          using elim by auto
+        also have "... = a n * (c n - \<epsilon>\<^sub>0)"
+          using a_pos[rule_format,of n] unfolding \<epsilon>\<^sub>0_def by (auto simp:field_simps)
+        finally have "B * nth_prime n = a n * (c n - \<epsilon>\<^sub>0)" .
+        moreover have "B * nth_prime (n+1) = a (n+1) * (c (n+1) - \<epsilon>\<^sub>1)" 
+          unfolding \<epsilon>\<^sub>1_def 
+          using a_pos[rule_format,of "n+1"] 
+          apply (subst \<open>B * nth_prime (n + 1) = c (n + 1) * a (n + 1) - c (n + 2)\<close>)
+          by (auto simp:field_simps)
+        ultimately show ?thesis by (simp add: mult.commute)
+      qed
+      also have "... = nth_prime (n+1) / nth_prime n" 
+        using \<open>B>0\<close> by auto
+      finally show ?case .
+    qed
+  qed
+
+
+  have c_ubound:"\<forall>x. \<exists>n. c n > x"
+  proof (rule ccontr)
+    assume " \<not> (\<forall>x. \<exists>n. x < c n)"
+    then obtain ub where "\<forall>n. c n \<le> ub" "ub > 0"
+      by (meson dual_order.trans int_one_le_iff_zero_less le_cases not_le)
+    define pa where "pa = (\<lambda>n. nth_prime n / a n)"
+    have pa_pos:"\<And>n. pa n > 0" unfolding pa_def by (simp add: a_pos)
+    have "liminf (\<lambda>n. 1 / pa n) = 0"
+      using nth_2 unfolding pa_def by auto
+    then have "(\<exists>y<ereal (real_of_int B / real_of_int (ub + 1)). 
+      \<exists>\<^sub>F x in sequentially. ereal (1 / pa x) \<le> y)"
+      apply (subst less_Liminf_iff[symmetric])
+      using \<open>0 < B\<close> \<open>0 < ub\<close> by auto
+    then have "\<exists>\<^sub>F x in sequentially. 1 / pa x < B/(ub+1)"
+      by (meson frequently_mono le_less_trans less_ereal.simps(1))
+    then have "\<exists>\<^sub>F x in sequentially. B*pa x > (ub+1)"
+      apply (elim frequently_elim1)
+      by (metis \<open>0 < ub\<close> mult.left_neutral of_int_0_less_iff pa_pos pos_divide_less_eq 
+          pos_less_divide_eq times_divide_eq_left zless_add1_eq)
+    moreover have "\<forall>\<^sub>F x in sequentially. c x \<le> ub"
+      using \<open>\<forall>n. c n \<le> ub\<close> by simp
+    ultimately have "\<exists>\<^sub>F x in sequentially. B*pa x - c x > 1"
+      apply (elim frequently_rev_mp eventually_mono)
+      by linarith
+    moreover have "(\<lambda>n. B * pa n - c n) \<longlonglongrightarrow>0" 
+      unfolding pa_def using bac_close by auto
+    from tendstoD[OF this,of 1] 
+    have "\<forall>\<^sub>F n in sequentially.  \<bar>B * pa n - c n\<bar> < 1"
+      by auto
+    ultimately have "\<exists>\<^sub>F x in sequentially. B*pa x - c x > 1 \<and> \<bar>B * pa x - c x\<bar> < 1"
+      using frequently_eventually_frequently by blast
+    then show False 
+      by (simp add: frequently_def)
+  qed
+
+  have eq_2_11:"\<forall>\<^sub>F n in sequentially. c (n+1)>c n \<longrightarrow> 
+                  nth_prime (n+1) > nth_prime n + (1 - \<epsilon>)^2 * a n / B" 
+    when "\<epsilon>>0" "\<epsilon><1" for \<epsilon>::real
+  proof -
+    have "\<forall>\<^sub>F x in sequentially. \<bar>c (Suc x) / a x\<bar> < \<epsilon>"
+      using ca_vanish[unfolded tendsto_iff,rule_format, of \<epsilon>] \<open>\<epsilon>>0\<close> by auto
+    moreover have "\<forall>\<^sub>F n in sequentially. c n > 0 \<and> c (n+1) > 0"
+    proof -
+      have "\<forall>\<^sub>F n in sequentially. 0 < c (Suc n)"
+        using c_pos by (subst eventually_sequentially_Suc) simp
+      then show ?thesis using c_pos by eventually_elim auto
+    qed
+    ultimately show ?thesis  using Bc_large bc_epsilon[OF \<open>\<epsilon>>0\<close> \<open>\<epsilon><1\<close>] 
+    proof (eventually_elim, rule_tac impI)
+      case (elim n)
+      assume "c n < c (n + 1)"
+      have "c (n+1) / a n < \<epsilon>" 
+        using a_pos[rule_format,of n] using elim(1,2) by auto
+      also have "... \<le> \<epsilon> * c n" using elim(2) that(1) by auto
+      finally have "c (n+1) / a n < \<epsilon> * c n" .
+      then have "c (n+1) / c n < \<epsilon> * a n" 
+        using a_pos[rule_format,of n] elim by (auto simp:field_simps)
+      then have "(1 - \<epsilon>) * a n < a n - c (n+1) / c n"
+        by (auto simp:algebra_simps)
+      then have "(1 - \<epsilon>)^2 * a n / B < (1 - \<epsilon>) * (a n - c (n+1) / c n) / B"
+        apply (subst (asm) real_mult_less_iff1[symmetric, of "(1-\<epsilon>)/B"])
+        using \<open>\<epsilon><1\<close> \<open>B>0\<close> by (auto simp:divide_simps power2_eq_square)
+      then have "nth_prime n + (1 - \<epsilon>)^2 * a n / B < nth_prime n + (1 - \<epsilon>) * (a n - c (n+1) / c n) / B"
+        using \<open>B>0\<close> by auto
+      also have "... = nth_prime n + (1 - \<epsilon>) * ((c n *a n - c (n+1)) / c n) / B"
+        using elim by (auto simp:field_simps)
+      also have "... = nth_prime n + (1 - \<epsilon>) * (nth_prime n / c n)"
+      proof -
+        have "B * nth_prime n = c n * a n - c (n + 1)" using elim by auto
+        from this[symmetric] show ?thesis
+          using \<open>B>0\<close> by simp
+      qed
+      also have "... = (1+(1-\<epsilon>)/c n) * nth_prime n"
+        by (auto simp:algebra_simps)
+      also have "... = ((c n+1-\<epsilon>)/c n) * nth_prime n"
+        using elim by (auto simp:divide_simps)
+      also have "... \<le> ((c (n+1) -\<epsilon>)/c n) * nth_prime n"
+      proof -
+        define cp where "cp = c n+1"
+        have "c (n+1) \<ge> cp" unfolding cp_def using \<open>c n < c (n + 1)\<close> by auto
+        moreover have "c n>0" "nth_prime n>0" using elim by auto
+        ultimately show ?thesis 
+          apply (fold cp_def)
+          by (auto simp:divide_simps)
+      qed
+      also have "... < nth_prime (n+1)"
+        using elim by (auto simp:divide_simps)
+      finally show "real (nth_prime n) + (1 - \<epsilon>)\<^sup>2 * real_of_int (a n) 
+          / real_of_int B < real (nth_prime (n + 1))" .
+    qed
+  qed
+
+  have c_neq_large:"\<forall>\<^sub>F n in sequentially. c (n+1) \<noteq> c n"
+  proof (rule ccontr)
+    assume "\<not> (\<forall>\<^sub>F n in sequentially. c (n + 1) \<noteq> c n)"
+    then have that:"\<exists>\<^sub>F n in sequentially. c (n + 1) = c n"
+      unfolding frequently_def .
+    have "\<forall>\<^sub>F x in sequentially. (B * int (nth_prime x) = c x * a x - c (x + 1) 
+        \<and> \<bar>real_of_int (c (x + 1))\<bar> < real_of_int (a x) / 2) \<and> 0 < c x \<and> B < int (nth_prime x)
+        \<and> (c (x+1)>c x \<longrightarrow> nth_prime (x+1) > nth_prime x +  a x / (2* B))"
+      using Bc_large c_pos B_nth_prime eq_2_11[of "1-1/ sqrt 2",simplified]
+      by eventually_elim (auto simp:divide_simps)
+    then have "\<exists>\<^sub>F m in sequentially. nth_prime (m+1) > (1+1/(2*B))*nth_prime m"
+    proof (elim frequently_eventually_at_top[OF that, THEN frequently_at_top_elim])
+      fix n
+      assume "c (n + 1) = c n \<and>
+           (\<forall>y\<ge>n. (B * int (nth_prime y) = c y * a y - c (y + 1) \<and>
+                    \<bar>real_of_int (c (y + 1))\<bar> < real_of_int (a y) / 2) \<and>
+                   0 < c y \<and> B < int (nth_prime y) \<and> (c y < c (y + 1) \<longrightarrow>
+                   real (nth_prime y) + real_of_int (a y) / real_of_int (2 * B)
+                   < real (nth_prime (y + 1))))"
+      then have "c (n + 1) = c n" 
+        and Bc_eq:"\<forall>y\<ge>n. B * int (nth_prime y) = c y * a y - c (y + 1) \<and> 0 < c y 
+                            \<and> \<bar>real_of_int (c (y + 1))\<bar> < real_of_int (a y) / 2 
+                            \<and> B < int (nth_prime y)
+                            \<and> (c y < c (y + 1) \<longrightarrow>
+                   real (nth_prime y) + real_of_int (a y) / real_of_int (2 * B)
+                   < real (nth_prime (y + 1)))"
+        by auto
+      obtain m where "n<m" "c m \<le> c n" "c n<c (m+1)" 
+      proof -
+        have "\<exists>N. N > n \<and> c N > c n"
+          using c_ubound[rule_format, of "MAX x\<in>{..n}. c x"] 
+          by (metis Max_ge atMost_iff dual_order.trans finite_atMost finite_imageI image_eqI 
+              linorder_not_le order_refl)
+        then obtain N where "N>n" "c N>c n" by auto
+        define A m where "A={m. n<m \<and> (m+1)\<le>N \<and> c (m+1) > c n}" and "m = Min A"
+        have "finite A" unfolding A_def
+          by (metis (no_types, lifting) A_def add_leE finite_nat_set_iff_bounded_le mem_Collect_eq)
+        moreover have "N-1\<in>A" unfolding A_def 
+          using \<open>c n < c N\<close> \<open>n < N\<close> \<open>c (n + 1) = c n\<close>
+          by (smt Suc_diff_Suc Suc_eq_plus1 Suc_leI Suc_pred  add.commute 
+              add_diff_inverse_nat add_leD1 diff_is_0_eq' mem_Collect_eq nat_add_left_cancel_less
+              zero_less_one)
+        ultimately have "m\<in>A"
+          using Min_in unfolding m_def by auto
+        then have "n<m"  "c n<c (m+1)" "m>0"
+          unfolding m_def A_def by auto
+        moreover have "c m \<le> c n"
+        proof (rule ccontr)
+          assume " \<not> c m \<le> c n"
+          then have "m-1\<in>A" using \<open>m\<in>A\<close> \<open>c (n + 1) = c n\<close>
+            unfolding A_def 
+            by auto (smt One_nat_def Suc_eq_plus1 Suc_lessI less_diff_conv)
+          from  Min_le[OF \<open>finite A\<close> this,folded m_def] \<open>m>0\<close> show False by auto
+        qed
+        ultimately show ?thesis using that[of m] by auto
+      qed
+      have "(1 + 1 / (2 * B)) * nth_prime m < nth_prime m + a m / (2*B)"
+      proof -
+        have "nth_prime m < a m"
+        proof -
+          have "B * int (nth_prime m) < c m * (a m - 1)"
+            using Bc_eq[rule_format,of m] \<open>c m \<le> c n\<close> \<open>c n < c (m + 1)\<close> \<open>n < m\<close> 
+            by (auto simp:algebra_simps)
+          also have "... \<le> c n * (a m - 1)"
+            by (simp add: \<open>c m \<le> c n\<close> a_pos mult_right_mono)
+          finally have "B * int (nth_prime m) < c n * (a m - 1)" .
+          moreover have "c n\<le>B" 
+          proof -
+            have " B * int (nth_prime n) = c n * (a n - 1)" "B < int (nth_prime n)"
+              and c_a:"\<bar>real_of_int (c (n + 1))\<bar> < real_of_int (a n) / 2"
+              using Bc_eq[rule_format,of n] \<open>c (n + 1) = c n\<close> by (auto simp:algebra_simps)
+            from this(1) have " c n dvd (B * int (nth_prime n))"
+              by simp
+            moreover have "coprime (c n) (int (nth_prime n))"
+            proof -
+              have "c n < int (nth_prime n)" 
+              proof (rule ccontr)
+                assume "\<not> c n < int (nth_prime n)"
+                then have asm:"c n \<ge> int (nth_prime n)" by auto
+                then have "a n > 2 * nth_prime n"
+                  using c_a \<open>c (n + 1) = c n\<close> by auto
+                then have "a n -1 \<ge> 2 * nth_prime n"
+                  by simp
+                then have "a n - 1 > 2 * B"
+                  using \<open>B < int (nth_prime n)\<close> by auto
+                from mult_le_less_imp_less[OF asm this] \<open>B>0\<close>
+                have "int (nth_prime n) * (2 * B) < c n * (a n - 1)"
+                  by auto
+                then show False using \<open>B * int (nth_prime n) = c n * (a n - 1)\<close>
+                  by (smt \<open>0 < B\<close> \<open>B < int (nth_prime n)\<close> combine_common_factor 
+                      mult.commute mult_pos_pos)
+              qed
+              then have "\<not> nth_prime n dvd c n" 
+                by (simp add: Bc_eq zdvd_not_zless)
+              then have "coprime (int (nth_prime n)) (c n)" 
+                by (auto intro!:prime_imp_coprime_int)
+              then show ?thesis using coprime_commute by blast
+            qed
+            ultimately have "c n dvd B"
+              using coprime_dvd_mult_left_iff by auto
+            then show ?thesis using \<open>0 < B\<close> zdvd_imp_le by blast
+          qed
+          moreover have "c n > 0 " using Bc_eq by blast
+          ultimately show ?thesis
+            using \<open>B>0\<close> by (smt a_pos mult_mono)
+        qed
+        then show ?thesis using \<open>B>0\<close> by (auto simp:field_simps)
+      qed
+      also have "... < nth_prime (m+1)"
+        using Bc_eq[rule_format, of m] \<open>n<m\<close> \<open>c m \<le> c n\<close> \<open>c n < c (m+1)\<close>
+        by linarith
+      finally show "\<exists>j>n. (1 + 1 / real_of_int (2 * B)) * real (nth_prime j)
+                       < real (nth_prime (j + 1))" using \<open>m>n\<close> by auto
+    qed
+    then have "\<exists>\<^sub>F m in sequentially. nth_prime (m+1)/nth_prime m > (1+1/(2*B))"
+      by (auto elim:frequently_elim1 simp:field_simps)
+    moreover have "\<forall>\<^sub>F m in sequentially. nth_prime (m+1)/nth_prime m < (1+1/(2*B))"
+      using ratio_of_consecutive_primes[unfolded tendsto_iff,rule_format,of "1/(2*B)"]
+        \<open>B>0\<close>
+      unfolding dist_real_def
+      by (auto elim!:eventually_mono simp:algebra_simps)
+    ultimately show False by (simp add: eventually_mono frequently_def)
+  qed
+
+  have c_gt_half:"\<forall>\<^sub>F N in sequentially. card {n\<in>{N..<2*N}.  c n > c (n+1)} > N / 2"
+  proof -
+    define h where "h=(\<lambda>n. (nth_prime (2*n) - nth_prime n) 
+                              /  sqrt (nth_prime n))"
+    have "\<forall>\<^sub>F n in sequentially. h n < n / 2"
+    proof -
+      have "\<forall>\<^sub>F n in sequentially. h n < n powr (5/6)"
+        using nth_prime_double_sqrt_less[of "1/3"]
+        unfolding h_def by auto
+      moreover have "\<forall>\<^sub>F n in sequentially. n powr (5/6) < (n /2)"
+        by real_asymp
+      ultimately show ?thesis 
+        by eventually_elim auto 
+    qed
+    moreover have "\<forall>\<^sub>F n in sequentially. sqrt (nth_prime n) / a n < 1 / (2*B)"
+      using nth_1[THEN tendsto_real_sqrt,unfolded tendsto_iff
+          ,rule_format,of "1/(2*B)"] \<open>B>0\<close> a_pos
+      by (auto simp:real_sqrt_divide abs_of_pos)
+    ultimately have "\<forall>\<^sub>F x in sequentially. c (x+1) \<noteq> c x
+        \<and> sqrt (nth_prime x) / a x < 1 / (2*B)
+        \<and>  h x < x / 2
+        \<and> (c (x+1)>c x \<longrightarrow> nth_prime (x+1) > nth_prime x +  a x / (2* B))"
+      using c_neq_large B_nth_prime eq_2_11[of "1-1/ sqrt 2",simplified]
+      by eventually_elim (auto simp:divide_simps)
+    then show ?thesis
+    proof (elim eventually_at_top_mono)
+      fix N assume "N\<ge>1" and N_asm:"\<forall>y\<ge>N. c (y + 1) \<noteq> c y \<and>
+               sqrt (real (nth_prime y)) / real_of_int (a y)
+               < 1 / real_of_int (2 * B) \<and>  h y < y / 2 \<and>
+               (c y < c (y + 1) \<longrightarrow>
+                real (nth_prime y) + real_of_int (a y) / real_of_int (2 * B)
+                < real (nth_prime (y + 1)))"
+
+      define S where "S={n \<in> {N..<2 * N}. c n < c (n + 1)}"
+      define g where "g=(\<lambda>n. (nth_prime (n+1) - nth_prime n) 
+                              /  sqrt (nth_prime n))"
+      define f where "f=(\<lambda>n. nth_prime (n+1) - nth_prime n)"
+      have g_gt_1:"g n>1" when "n\<ge>N" "c n < c (n + 1)" for n
+      proof -
+        have "nth_prime n + sqrt (nth_prime n) < nth_prime (n+1)"
+        proof -
+          have "nth_prime n + sqrt (nth_prime n) < nth_prime n + a n / (2*B)"
+            using N_asm[rule_format,OF \<open>n\<ge>N\<close>] a_pos
+            by (auto simp:field_simps)
+          also have "... < nth_prime (n+1)"
+            using N_asm[rule_format,OF \<open>n\<ge>N\<close>] \<open>c n < c (n + 1)\<close> by auto
+          finally show ?thesis .
+        qed
+        then show ?thesis unfolding g_def 
+          using \<open>c n < c (n + 1)\<close> by auto
+      qed
+      have g_geq_0:"g n \<ge> 0" for n 
+        unfolding g_def  by auto
+
+      have "finite S" "\<forall>x\<in>S. x\<ge>N \<and> c x<c (x+1)"
+        unfolding S_def by auto
+      then have "card S \<le> sum g S" 
+      proof (induct S)
+        case empty
+        then show ?case by auto
+      next
+        case (insert x F)
+        moreover have "g x>1" 
+        proof -
+          have "c x < c (x+1)" "x\<ge>N" using insert(4) by auto
+          then show ?thesis using g_gt_1 by auto
+        qed
+        ultimately show ?case by simp
+      qed
+      also have "... \<le> sum g {N..<2*N}"
+        apply (rule sum_mono2)
+        unfolding S_def using g_geq_0 by auto
+      also have "... \<le> sum (\<lambda>n. f n/sqrt (nth_prime N)) {N..<2*N}"
+        apply (rule sum_mono)
+        unfolding f_def g_def by (auto intro!:divide_left_mono)
+      also have "... = sum f {N..<2*N} / sqrt (nth_prime N)"
+        unfolding sum_divide_distrib[symmetric] by auto
+      also have "... = (nth_prime (2*N) - nth_prime N) / sqrt (nth_prime N)"
+      proof -
+        have "sum f {N..<2 * N} = nth_prime (2 * N) - nth_prime N"   
+        proof (induct N)
+          case 0
+          then show ?case by simp
+        next
+          case (Suc N)
+          have ?case if "N=0"
+          proof -
+            have "sum f {Suc N..<2 * Suc N} = sum f {1}"
+              using that by (simp add: numeral_2_eq_2)
+            also have "... = nth_prime 2 - nth_prime 1"
+              unfolding f_def by (simp add:numeral_2_eq_2)
+            also have "... = nth_prime (2 * Suc N) - nth_prime (Suc N)"
+              using that by auto
+            finally show ?thesis .
+          qed
+          moreover have ?case if "N\<noteq>0"
+          proof -
+            have "sum f {Suc N..<2 * Suc N} = sum f {N..<2 * Suc N} - f N"
+              apply (subst (2) sum.atLeast_Suc_lessThan)
+              using that by auto
+            also have "... = sum f {N..<2 * N}+ f (2*N) + f(2*N+1) - f N"
+              by auto
+            also have "... = nth_prime (2 * Suc N) - nth_prime (Suc N)"
+              using Suc unfolding f_def by auto
+            finally show ?thesis .
+          qed
+          ultimately show ?case by blast
+        qed
+        then show ?thesis by auto
+      qed
+      also have "... = h N"
+        unfolding h_def by auto
+      also have "... < N/2"
+        using N_asm by auto
+      finally have "card S < N/2" .
+
+      define T where "T={n \<in> {N..<2 * N}. c n > c (n + 1)}"
+      have "T \<union> S = {N..<2 * N}" "T \<inter> S = {}" "finite T"
+        unfolding T_def S_def using N_asm by fastforce+
+
+      then have "card T + card S = card {N..<2 * N}"
+        using card_Un_disjoint \<open>finite S\<close> by metis
+      also have "... = N"
+        by simp
+      finally have "card T + card S = N" .
+      with \<open>card S < N/2\<close> 
+      show "card T > N/2" by linarith
+    qed
+  qed
+
+  text\<open>Inequality (3.5) in the original paper required a slight modification: \<close>
+
+  have a_gt_plus:"\<forall>\<^sub>F n in sequentially. c n > c (n+1) \<longrightarrow>a (n+1) > a n + (a n - c(n+1) - 1) / c (n+1)"
+  proof -
+    note a_gt_1[THEN eventually_all_ge_at_top] c_pos[THEN eventually_all_ge_at_top]
+    moreover have "\<forall>\<^sub>F n in sequentially. 
+              B * int (nth_prime (n+1)) = c (n+1) * a (n+1) - c (n + 2)"
+      using Bc_large 
+      apply (subst (asm) eventually_sequentially_Suc[symmetric])
+      by (auto elim:eventually_mono)
+    moreover have "\<forall>\<^sub>F n in sequentially. 
+                        B * int (nth_prime n) = c n * a n - c (n + 1) \<and> \<bar>c (n + 1)\<bar> <  a n / 2"
+      using Bc_large by (auto elim:eventually_mono)
+    ultimately show ?thesis 
+      apply (eventually_elim)
+    proof (rule impI)
+      fix n 
+      assume "\<forall>y\<ge>n. 1 < a y" "\<forall>y\<ge>n. 0 < c y"
+        and
+        Suc_n_eq:"B * int (nth_prime (n + 1)) = c (n + 1) * a (n + 1) - c (n + 2)" and
+        "B * int (nth_prime n) = c n * a n - c (n + 1) \<and>
+                real_of_int \<bar>c (n + 1)\<bar> < real_of_int (a n) / 2" 
+        and "c (n + 1) < c n"
+      then have n_eq:"B * int (nth_prime n) = c n * a n - c (n + 1)" and 
+        c_less_a: "real_of_int \<bar>c (n + 1)\<bar> < real_of_int (a n) / 2" 
+        by auto
+      from \<open>\<forall>y\<ge>n. 1 < a y\<close> \<open>\<forall>y\<ge>n. 0 < c y\<close> 
+      have *:"a n>1" "a (n+1) > 1" "c n > 0" 
+        "c (n+1) > 0"  "c (n+2) > 0"
+        by auto
+      then have "(1+1/c (n+1))* (a n - 1)/a (n+1) = (c (n+1)+1) * ((a n - 1) / (c (n+1) * a (n+1)))"
+        by (auto simp:field_simps)
+      also have "... \<le> c n * ((a n - 1) / (c (n+1) * a (n+1)))"
+        apply (rule mult_right_mono)
+        subgoal using \<open>c (n + 1) < c n\<close> by auto
+        subgoal by (smt \<open>0 < c (n + 1)\<close> a_pos divide_nonneg_pos mult_pos_pos of_int_0_le_iff 
+              of_int_0_less_iff)
+        done
+      also have "... = (c n * (a n - 1)) / (c (n+1) * a (n+1))" by auto
+      also have "... < (c n * (a n - 1)) / (c (n+1) * a (n+1)  - c (n+2))"
+        apply (rule divide_strict_left_mono)
+        subgoal using \<open>c (n+2) > 0\<close> by auto
+        unfolding Suc_n_eq[symmetric] using * \<open>B>0\<close> by auto
+      also have "... < (c n * a n - c (n+1)) / (c (n+1) * a (n+1)  - c (n+2))"
+        apply (rule frac_less)
+        unfolding Suc_n_eq[symmetric] using * \<open>B>0\<close> \<open>c (n + 1) < c n\<close> 
+        by (auto simp:algebra_simps)
+      also have "... = nth_prime n / nth_prime (n+1)"
+        unfolding Suc_n_eq[symmetric] n_eq[symmetric] using \<open>B>0\<close> by auto
+      also have "... < 1" by auto
+      finally have "(1 + 1 / real_of_int (c (n + 1))) * real_of_int (a n - 1) 
+        / real_of_int (a (n + 1)) < 1 " .
+      then show "a n + (a n - c (n + 1) - 1) /  (c (n + 1)) < (a (n + 1))"
+        using * by (auto simp:field_simps)
+    qed
+  qed
+  have a_gt_1:"\<forall>\<^sub>F n in sequentially. c n > c (n+1) \<longrightarrow> a (n+1) > a n + 1"
+    using Bc_large a_gt_plus c_pos[THEN eventually_all_ge_at_top]
+    apply eventually_elim
+  proof (rule impI)
+    fix n assume  
+      "c (n + 1) < c n \<longrightarrow> a n +  (a n - c (n + 1) - 1) / c (n + 1) <  a (n + 1)" 
+      "c (n + 1) < c n" and B_eq:"B * int (nth_prime n) = c n * a n - c (n + 1) \<and>
+         \<bar>real_of_int (c (n + 1))\<bar> < real_of_int (a n) / 2" and c_pos:"\<forall>y\<ge>n. 0 < c y"
+    from this(1,2) 
+    have "a n +  (a n - c (n + 1) - 1) / c (n + 1) <  a (n + 1)" by auto
+    moreover have "a n - 2 * c (n+1) > 0"
+      using B_eq c_pos[rule_format,of "n+1"] by auto
+    then have "a n - 2 * c (n+1) \<ge> 1" by simp
+    then have "(a n - c (n + 1) - 1) / c (n + 1) \<ge> 1"
+      using c_pos[rule_format,of "n+1"] by (auto simp:field_simps)
+    ultimately show "a n + 1 < a (n + 1)" by auto
+  qed
+
+  text\<open>The following corresponds to inequality (3.6) in the paper, which had to be
+        slightly corrected:  \<close>
+
+  have a_gt_sqrt:"\<forall>\<^sub>F n in sequentially. c n > c (n+1) \<longrightarrow> a (n+1) > a n + (sqrt n - 2)"
+  proof -
+    have a_2N:"\<forall>\<^sub>F N in sequentially. a (2*N) \<ge> N /2 +1" 
+      using c_gt_half a_gt_1[THEN eventually_all_ge_at_top] 
+    proof eventually_elim
+      case (elim N)
+      define S where "S={n \<in> {N..<2 * N}. c (n + 1) < c n}"
+      define f where "f = (\<lambda>n. a (Suc n) - a n)"
+
+      have f_1:"\<forall>x\<in>S. f x\<ge>1" and f_0:"\<forall>x. f x\<ge>0"
+        subgoal using elim unfolding S_def f_def by auto
+        subgoal using \<open>mono a\<close>[THEN incseq_SucD] unfolding f_def by auto
+        done
+      have "N / 2 < card S" 
+        using elim unfolding S_def by auto
+      also have "... \<le> sum f S" 
+        unfolding of_int_sum
+        apply (rule sum_bounded_below[of _ 1,simplified])
+        using f_1 by auto
+      also have "... \<le> sum f {N..<2 * N}" 
+        unfolding of_int_sum
+        apply (rule sum_mono2)
+        unfolding S_def using f_0 by auto
+      also have "... = a (2*N) - a N" 
+        unfolding of_int_sum f_def of_int_diff
+        apply (rule sum_Suc_diff')
+        by auto
+      finally have "N / 2 < a (2*N) - a N" .
+      then show ?case using a_pos[rule_format,of N] by linarith
+    qed
+
+    have a_n4:"\<forall>\<^sub>F n in sequentially. a n > n/4" 
+    proof -
+      obtain N where a_N:"\<forall>n\<ge>N. a (2*n) \<ge> n /2+1"
+        using a_2N unfolding eventually_at_top_linorder by auto
+      have "a n>n/4" when "n\<ge>2*N" for n 
+      proof -
+        define n' where "n'=n div 2"
+        have "n'\<ge>N" unfolding n'_def using that by auto
+        have "n/4 < n' /2+1"
+          unfolding n'_def by auto
+        also have "... \<le> a (2*n')"
+          using a_N \<open>n'\<ge>N\<close> by auto
+        also have "... \<le>a n" unfolding n'_def
+          apply (cases "even n")
+          subgoal by simp
+          subgoal by (simp add: assms(2) incseqD)
+          done
+        finally show ?thesis .
+      qed
+      then show ?thesis
+        unfolding eventually_at_top_linorder by auto
+    qed
+
+    have c_sqrt:"\<forall>\<^sub>F n in sequentially. c n < sqrt n / 4"
+    proof -
+      have "\<forall>\<^sub>F x in sequentially. x>1" by simp
+      moreover have "\<forall>\<^sub>F x in sequentially. real (nth_prime x) / (real x * ln (real x)) < 2"
+        using nth_prime_asymptotics[unfolded asymp_equiv_def,THEN order_tendstoD(2),of 2]
+        by simp
+      ultimately have "\<forall>\<^sub>F n in sequentially. c n < B*8 *ln n + 1" using a_n4 Bc_large
+      proof eventually_elim
+        case (elim n)
+        from this(4) have "c n=(B*nth_prime n+c (n+1))/a n"
+          using a_pos[rule_format,of n] 
+          by (auto simp:divide_simps)
+        also have "... = (B*nth_prime n)/a n+c (n+1)/a n"
+          by (auto simp:divide_simps)
+        also have "... < (B*nth_prime n)/a n + 1"
+        proof -
+          have "c (n+1)/a n < 1" using elim(4) by auto
+          then show ?thesis by auto
+        qed
+        also have "... < B*8 * ln n + 1"
+        proof -
+          have "B*nth_prime n < 2*B*n*ln n"
+            using \<open>real (nth_prime n) / (real n * ln (real n)) < 2\<close> \<open>B>0\<close> \<open> 1 < n\<close> 
+            by (auto simp:divide_simps)
+          moreover have "real n / 4 < real_of_int (a n)" by fact
+          ultimately have "(B*nth_prime n) / a n < (2*B*n*ln n) / (n/4)"
+            apply (rule_tac frac_less)
+            using \<open>B>0\<close> \<open> 1 < n\<close>  by auto
+          also have "... = B*8 * ln n"
+            using \<open> 1 < n\<close> by auto
+          finally show ?thesis by auto
+        qed
+        finally show ?case .
+      qed
+      moreover have "\<forall>\<^sub>F n in sequentially. B*8 *ln n + 1 < sqrt n / 4"
+        by real_asymp
+      ultimately show ?thesis 
+        by eventually_elim auto
+    qed
+
+    have 
+      "\<forall>\<^sub>F n in sequentially. 0 < c (n+1)"
+      "\<forall>\<^sub>F n in sequentially. c (n+1) < sqrt (n+1) / 4"
+      "\<forall>\<^sub>F n in sequentially. n > 4"
+      "\<forall>\<^sub>F n in sequentially. (n - 4) / sqrt (n + 1) + 1 > sqrt n"
+      subgoal using c_pos[THEN eventually_all_ge_at_top]    
+        by eventually_elim auto
+      subgoal using  c_sqrt[THEN eventually_all_ge_at_top] 
+        by eventually_elim (use le_add1 in blast)
+      subgoal by simp
+      subgoal 
+        by real_asymp
+      done
+    then show ?thesis using a_gt_plus a_n4
+      apply eventually_elim
+    proof (rule impI)
+      fix n assume asm:"0 < c (n + 1)" "c (n + 1) < sqrt (real (n + 1)) / 4" and
+        a_ineq:"c (n + 1) < c n \<longrightarrow> a n +  (a n - c (n + 1) - 1) /  c (n + 1) < a (n + 1)" 
+        "c (n + 1) < c n"  and "n / 4 < a n" "n > 4" 
+        and n_neq:" sqrt (real n) < real (n - 4) / sqrt (real (n + 1)) + 1"
+
+      have "(n-4) / sqrt(n+1) = (n/4 - 1)/ (sqrt (real (n + 1)) / 4)"
+        using \<open>n>4\<close> by (auto simp:divide_simps)
+      also have "... < (a n - 1) /  c (n + 1)" 
+        apply (rule frac_less)
+        using \<open>n > 4\<close> \<open>n / 4 < a n\<close> \<open>0 < c (n + 1)\<close> \<open>c (n + 1) < sqrt (real (n + 1)) / 4\<close>
+        by auto
+      also have "... - 1 = (a n - c (n + 1) - 1) /  c (n + 1)"
+        using \<open>0 < c (n + 1)\<close> by (auto simp:field_simps)
+      also have "a n + ... < a (n+1)"
+        using a_ineq by auto
+      finally have "a n + ((n - 4) / sqrt (n + 1) - 1) < a (n + 1)" by simp
+      moreover have "(n - 4) / sqrt (n + 1) - 1 > sqrt n - 2"
+        using n_neq[THEN diff_strict_right_mono,of 2] \<open>n>4\<close> 
+        by (auto simp:algebra_simps of_nat_diff) 
+      ultimately show "real_of_int (a n) + (sqrt (real n) - 2) < real_of_int (a (n + 1))"
+        by argo
+    qed
+  qed
+
+  text\<open>The following corresponds to inequality $ a_{2N} > N^{3/2}/2$ in the paper,
+ which had to be slightly corrected: \<close>
+
+  have a_2N_sqrt:"\<forall>\<^sub>F N in sequentially. a (2*N) >  real N * (sqrt (real N)/2 - 1)"
+    using c_gt_half a_gt_sqrt[THEN eventually_all_ge_at_top] eventually_gt_at_top[of 4]
+  proof eventually_elim
+    case (elim N)
+    define S where "S={n \<in> {N..<2 * N}. c (n + 1) < c n}"
+    define f where "f = (\<lambda>n. a (Suc n) - a n)"
+
+    have f_N:"\<forall>x\<in>S. f x\<ge>sqrt N - 2"
+    proof 
+      fix x assume "x\<in>S"
+      then have "sqrt (real x) - 2 < f x" "x\<ge>N"
+        using elim unfolding S_def f_def by auto
+      moreover have "sqrt x - 2 \<ge> sqrt N - 2"
+        using \<open>x\<ge>N\<close> by simp
+      ultimately show  "sqrt (real N) - 2 \<le> real_of_int (f x)" by argo
+    qed
+    have f_0:"\<forall>x. f x\<ge>0"
+      using \<open>mono a\<close>[THEN incseq_SucD] unfolding f_def by auto
+
+    have "(N / 2)  * (sqrt N - 2) < card S * (sqrt N - 2)" 
+      apply (rule mult_strict_right_mono)
+      subgoal using elim unfolding S_def by auto
+      subgoal using \<open>N>4\<close> 
+        by (metis diff_gt_0_iff_gt numeral_less_real_of_nat_iff real_sqrt_four real_sqrt_less_iff)
+      done
+    also have "...  \<le> sum f S" 
+      unfolding of_int_sum
+      apply (rule sum_bounded_below)
+      using f_N by auto
+    also have "... \<le> sum f {N..<2 * N}" 
+      unfolding of_int_sum
+      apply (rule sum_mono2)
+      unfolding S_def using f_0 by auto
+    also have "... = a (2*N) - a N" 
+      unfolding of_int_sum f_def of_int_diff
+      apply (rule sum_Suc_diff')
+      by auto
+    finally have "real N / 2 * (sqrt (real N) - 2) < real_of_int (a (2 * N) - a N)" 
+      .              
+    then have "real N / 2 * (sqrt (real N) - 2) < a (2 * N)"
+      using a_pos[rule_format,of N] by linarith
+    then show ?case by (auto simp:field_simps)
+  qed
+
+  text\<open>The following part is required to derive the final contradiction of the proof.\<close>
+
+  have a_n_sqrt:"\<forall>\<^sub>F n in sequentially. a n > (((n-1)/2) powr (3/2) - (n-1)) /2"
+  proof (rule sequentially_even_odd_imp)
+    define f where "f=(\<lambda>N. ((real (2 * N - 1) / 2) powr (3 / 2) - real (2 * N - 1)) / 2)"
+    define g where "g=(\<lambda>N. real N * (sqrt (real N) / 2 - 1))"
+    have "\<forall>\<^sub>F N in sequentially. g N > f N"
+      unfolding f_def g_def
+      by real_asymp
+    moreover have "\<forall>\<^sub>F N in sequentially. a (2 * N) > g N"
+      unfolding g_def using a_2N_sqrt .
+    ultimately show "\<forall>\<^sub>F N in sequentially. f N < a (2 * N)"
+      by eventually_elim auto
+  next
+    define f where "f=(\<lambda>N. ((real (2 * N + 1 - 1) / 2) powr (3 / 2) 
+                                  - real (2 * N + 1 - 1)) / 2)"
+    define g where "g=(\<lambda>N. real N * (sqrt (real N) / 2 - 1))"
+    have "\<forall>\<^sub>F N in sequentially. g N = f N"
+      using eventually_gt_at_top[of 0]
+      apply eventually_elim
+      unfolding f_def g_def
+      by (auto simp:algebra_simps powr_half_sqrt[symmetric] powr_mult_base)
+    moreover have "\<forall>\<^sub>F N in sequentially. a (2 * N) > g N"
+      unfolding g_def using a_2N_sqrt .
+    moreover have "\<forall>\<^sub>F N in sequentially. a (2 * N + 1) \<ge> a (2*N)"
+      apply (rule eventuallyI)
+      using \<open>mono a\<close> by (simp add: incseqD)
+    ultimately show "\<forall>\<^sub>F N in sequentially. f N < (a (2 * N + 1))"
+      apply eventually_elim
+      by auto
+  qed
+
+  have a_nth_prime_gt:"\<forall>\<^sub>F n in sequentially. a n / nth_prime n > 1"
+  proof -
+    define f where "f=(\<lambda>n::nat. (((n-1)/2) powr (3/2) - (n-1)) /2)"
+    have "\<forall>\<^sub>F x in sequentially. real (nth_prime x) / (real x * ln (real x)) < 2"
+      using nth_prime_asymptotics[unfolded asymp_equiv_def,THEN order_tendstoD(2),of 2]
+      by simp
+    from this[] eventually_gt_at_top[of 1]
+    have "\<forall>\<^sub>F n in sequentially. real (nth_prime n)   < 2*(real n * ln n)"
+      apply eventually_elim
+      by (auto simp:field_simps)
+    moreover have *:"\<forall>\<^sub>F N in sequentially. f N >0 "
+      unfolding f_def
+      by real_asymp
+    moreover have " \<forall>\<^sub>F n in sequentially. f n < a n"
+      using a_n_sqrt unfolding f_def .
+    ultimately have "\<forall>\<^sub>F n in sequentially. a n / nth_prime n 
+                    > f n / (2*(real n * ln n))"
+      apply eventually_elim
+      apply (rule frac_less2)
+      by auto
+    moreover have "\<forall>\<^sub>F n in sequentially.
+        (f n)/ (2*(real n * ln n)) > 1"
+      unfolding f_def 
+      by real_asymp
+    ultimately show ?thesis 
+      by eventually_elim argo
+  qed
+
+  have a_nth_prime_lt:"\<exists>\<^sub>F n in sequentially. a n / nth_prime n < 1"
+  proof -
+    have "liminf (\<lambda>x. a x / nth_prime x) < 1"
+      using nth_2 by auto
+    from this[unfolded less_Liminf_iff]
+    show ?thesis
+      apply (auto elim!:frequently_elim1)
+      by (meson divide_less_eq_1 ereal_less_eq(7) leD leI 
+          nth_prime_nonzero of_nat_eq_0_iff of_nat_less_0_iff order.trans)
+  qed
+
+  from a_nth_prime_gt a_nth_prime_lt show False 
+    by (simp add: eventually_mono frequently_def) 
+qed
+
+section\<open>Acknowledgements\<close>
+
+text\<open>A.K.-A. and W.L. were supported by the ERC Advanced Grant ALEXANDRIA (Project 742178)
+ funded by the European Research Council and led by Professor Lawrence Paulson
+ at the University of Cambridge, UK.\<close>
+
+end
\ No newline at end of file
diff --git a/thys/Irrational_Series_Erdos_Straus/ROOT b/thys/Irrational_Series_Erdos_Straus/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/Irrational_Series_Erdos_Straus/ROOT
@@ -0,0 +1,13 @@
+chapter AFP
+
+session Irrational_Series_Erdos_Straus (AFP) = "HOL-Analysis" +
+  options [timeout = 1200]
+  sessions
+    Prime_Number_Theorem
+    Prime_Distribution_Elementary
+  theories
+    Irrational_Series_Erdos_Straus
+  document_files
+    "root.tex"
+    "root.bib"
+
diff --git a/thys/Irrational_Series_Erdos_Straus/document/root.bib b/thys/Irrational_Series_Erdos_Straus/document/root.bib
new file mode 100644
--- /dev/null
+++ b/thys/Irrational_Series_Erdos_Straus/document/root.bib
@@ -0,0 +1,11 @@
+@article{erdHos1974irrationality,
+  title={On the irrationality of certain series},
+  author={Erd{\H{o}}s, Paul and Straus, Ernst},
+  journal={Pacific journal of mathematics},
+  volume={55},
+  number={1},
+  pages={85--92},
+  year={1974},
+  publisher={Mathematical Sciences Publishers}
+}
+
diff --git a/thys/Irrational_Series_Erdos_Straus/document/root.tex b/thys/Irrational_Series_Erdos_Straus/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/Irrational_Series_Erdos_Straus/document/root.tex
@@ -0,0 +1,40 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{isabelle,isabellesym}
+\usepackage{amsfonts, amsmath, amssymb}
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+\begin{document}
+
+\title{Irrationality Criteria for Series by Erd\H{o}s and Straus}
+\author{Angeliki Koutsoukou-Argyraki and Wenda Li}
+\maketitle
+
+\begin{abstract}
+We formalise certain irrationality criteria for infinite series of the form:
+\[
+\sum_n\frac{b_n}{\prod_{i \leq n} a_i} 
+\]
+where $b_n$, $a_i$ are integers. The result is due to P. Erd\H{o}s and E.G. Straus \cite{erdHos1974irrationality}, and in particular we formalise Theorem 2.1, Corollary 2.10 and Theorem 3.1. The latter is an application of Theorem 2.1 involving the prime numbers.
+\end{abstract}
+
+
+\tableofcontents
+
+\input{session}
+
+\nocite{apostol1976analytic}
+\bibliographystyle{abbrv}
+\bibliography{root}
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
diff --git a/thys/LTL_Normal_Form/Normal_Form.thy b/thys/LTL_Normal_Form/Normal_Form.thy
new file mode 100644
--- /dev/null
+++ b/thys/LTL_Normal_Form/Normal_Form.thy
@@ -0,0 +1,423 @@
+(*
+    Author:   Salomon Sickert
+    License:  BSD
+*)
+
+section \<open>A Normal Form for Linear Temporal Logic\<close>
+
+theory Normal_Form imports
+  LTL_Master_Theorem.Master_Theorem
+begin
+
+subsection \<open>LTL Equivalences\<close>
+
+text \<open>Several valid laws of LTL relating strong and weak operators that are useful later.\<close>
+
+lemma ltln_strong_weak_2:
+  "w \<Turnstile>\<^sub>n \<phi> U\<^sub>n \<psi> \<longleftrightarrow> w \<Turnstile>\<^sub>n (\<phi> and\<^sub>n F\<^sub>n \<psi>) W\<^sub>n \<psi>" (is "?thesis1")
+  "w \<Turnstile>\<^sub>n \<phi> M\<^sub>n \<psi> \<longleftrightarrow> w \<Turnstile>\<^sub>n \<phi> R\<^sub>n (\<psi> and\<^sub>n F\<^sub>n \<phi>)" (is "?thesis2")
+proof -
+  have "\<exists>j. suffix (i + j) w \<Turnstile>\<^sub>n \<psi>"
+    if "suffix j w \<Turnstile>\<^sub>n \<psi>" and "\<forall>j\<le>i. \<not> suffix j w \<Turnstile>\<^sub>n \<psi>" for i j
+  proof
+    from that have "j > i"
+      by (cases "j > i") auto
+    thus "suffix (i + (j - i)) w \<Turnstile>\<^sub>n \<psi>"
+      using that by auto
+  qed
+  thus ?thesis1
+    unfolding ltln_strong_weak by auto
+next 
+  have "\<exists>j. suffix (i + j) w \<Turnstile>\<^sub>n \<phi>"
+    if "suffix j w \<Turnstile>\<^sub>n \<phi>" and "\<forall>j<i. \<not> suffix j w \<Turnstile>\<^sub>n \<phi>" for i j
+  proof
+    from that have "j \<ge> i"
+      by (cases "j \<ge> i") auto
+    thus "suffix (i + (j - i)) w \<Turnstile>\<^sub>n \<phi>"
+      using that by auto
+  qed
+  thus ?thesis2
+    unfolding ltln_strong_weak by auto
+qed
+
+lemma ltln_weak_strong_2:
+  "w \<Turnstile>\<^sub>n \<phi> W\<^sub>n \<psi> \<longleftrightarrow> w \<Turnstile>\<^sub>n \<phi> U\<^sub>n (\<psi> or\<^sub>n G\<^sub>n \<phi>)" (is "?thesis1")
+  "w \<Turnstile>\<^sub>n \<phi> R\<^sub>n \<psi> \<longleftrightarrow> w \<Turnstile>\<^sub>n (\<phi> or\<^sub>n G\<^sub>n \<psi>) M\<^sub>n \<psi>" (is "?thesis2")
+proof -
+  have "suffix j w \<Turnstile>\<^sub>n \<phi>"
+    if "\<And>j. j < i \<Longrightarrow> suffix j w \<Turnstile>\<^sub>n \<phi>" and "\<And>j. suffix (i + j) w \<Turnstile>\<^sub>n \<phi>" for i j
+    using that(1)[of j] that(2)[of "j - i"] by (cases "j < i") simp_all
+  thus ?thesis1
+    unfolding ltln_weak_strong unfolding semantics_ltln.simps suffix_suffix by blast
+next
+  have "suffix j w \<Turnstile>\<^sub>n \<psi>"
+    if "\<And>j. j \<le> i \<Longrightarrow> suffix j w \<Turnstile>\<^sub>n \<psi>" and "\<And>j. suffix (i + j) w \<Turnstile>\<^sub>n \<psi>" for i j
+    using that(1)[of j] that(2)[of "j - i"] by (cases "j \<le> i") simp_all
+  thus ?thesis2
+    unfolding ltln_weak_strong unfolding semantics_ltln.simps suffix_suffix by blast
+qed
+
+subsection \<open>$\evalnu{\psi}{M}$, $\evalmu{\psi}{N}$, $\flatten{\psi}{M}$, and $\flattentwo{\psi}{N}$\<close>
+
+text \<open>The following four functions use "promise sets", named $M$ or $N$, to rewrite arbitrary 
+  formulas into formulas from the class $\Sigma_1$-, $\Sigma_2$-, $\Pi_1$-, and $\Pi_2$, 
+  respectively. In general the obtained formulas are not  equivalent, but under some conditions 
+  (as outlined below) they are.\<close>
+
+no_notation FG_advice ("_[_]\<^sub>\<mu>" [90,60] 89)
+no_notation GF_advice ("_[_]\<^sub>\<nu>" [90,60] 89)
+
+notation FG_advice ("_[_]\<^sub>\<Sigma>\<^sub>1" [90,60] 89)
+notation GF_advice ("_[_]\<^sub>\<Pi>\<^sub>1" [90,60] 89)
+
+fun flatten_sigma_2:: "'a ltln \<Rightarrow> 'a ltln set \<Rightarrow> 'a ltln" ("_[_]\<^sub>\<Sigma>\<^sub>2")
+where
+  "(\<phi> U\<^sub>n \<psi>)[M]\<^sub>\<Sigma>\<^sub>2 = (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) U\<^sub>n (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)"
+| "(\<phi> W\<^sub>n \<psi>)[M]\<^sub>\<Sigma>\<^sub>2 = (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) U\<^sub>n ((\<psi>[M]\<^sub>\<Sigma>\<^sub>2) or\<^sub>n (G\<^sub>n \<phi>[M]\<^sub>\<Pi>\<^sub>1))"
+| "(\<phi> M\<^sub>n \<psi>)[M]\<^sub>\<Sigma>\<^sub>2 = (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) M\<^sub>n (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)"
+| "(\<phi> R\<^sub>n \<psi>)[M]\<^sub>\<Sigma>\<^sub>2 = ((\<phi>[M]\<^sub>\<Sigma>\<^sub>2) or\<^sub>n (G\<^sub>n \<psi>[M]\<^sub>\<Pi>\<^sub>1)) M\<^sub>n (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)"
+| "(\<phi> and\<^sub>n \<psi>)[M]\<^sub>\<Sigma>\<^sub>2 = (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) and\<^sub>n (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)"
+| "(\<phi> or\<^sub>n \<psi>)[M]\<^sub>\<Sigma>\<^sub>2 = (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) or\<^sub>n (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)"
+| "(X\<^sub>n \<phi>)[M]\<^sub>\<Sigma>\<^sub>2 = X\<^sub>n (\<phi>[M]\<^sub>\<Sigma>\<^sub>2)"
+| "\<phi>[M]\<^sub>\<Sigma>\<^sub>2 = \<phi>"
+
+fun flatten_pi_2 :: "'a ltln \<Rightarrow> 'a ltln set \<Rightarrow> 'a ltln" ("_[_]\<^sub>\<Pi>\<^sub>2")
+where
+  "(\<phi> W\<^sub>n \<psi>)[N]\<^sub>\<Pi>\<^sub>2 = (\<phi>[N]\<^sub>\<Pi>\<^sub>2) W\<^sub>n (\<psi>[N]\<^sub>\<Pi>\<^sub>2)"
+| "(\<phi> U\<^sub>n \<psi>)[N]\<^sub>\<Pi>\<^sub>2 = (\<phi>[N]\<^sub>\<Pi>\<^sub>2 and\<^sub>n (F\<^sub>n \<psi>[N]\<^sub>\<Sigma>\<^sub>1)) W\<^sub>n (\<psi>[N]\<^sub>\<Pi>\<^sub>2)"
+| "(\<phi> R\<^sub>n \<psi>)[N]\<^sub>\<Pi>\<^sub>2 = (\<phi>[N]\<^sub>\<Pi>\<^sub>2) R\<^sub>n (\<psi>[N]\<^sub>\<Pi>\<^sub>2)"
+| "(\<phi> M\<^sub>n \<psi>)[N]\<^sub>\<Pi>\<^sub>2 = (\<phi>[N]\<^sub>\<Pi>\<^sub>2) R\<^sub>n ((\<psi>[N]\<^sub>\<Pi>\<^sub>2) and\<^sub>n (F\<^sub>n \<phi>[N]\<^sub>\<Sigma>\<^sub>1))"
+| "(\<phi> and\<^sub>n \<psi>)[N]\<^sub>\<Pi>\<^sub>2 = (\<phi>[N]\<^sub>\<Pi>\<^sub>2) and\<^sub>n (\<psi>[N]\<^sub>\<Pi>\<^sub>2)"
+| "(\<phi> or\<^sub>n \<psi>)[N]\<^sub>\<Pi>\<^sub>2 = (\<phi>[N]\<^sub>\<Pi>\<^sub>2) or\<^sub>n (\<psi>[N]\<^sub>\<Pi>\<^sub>2)"
+| "(X\<^sub>n \<phi>)[N]\<^sub>\<Pi>\<^sub>2 = X\<^sub>n (\<phi>[N]\<^sub>\<Pi>\<^sub>2)"
+| "\<phi>[N]\<^sub>\<Pi>\<^sub>2 = \<phi>"
+
+lemma GF_advice_restriction:
+  "\<phi>[\<G>\<F> (\<phi> W\<^sub>n \<psi>) w]\<^sub>\<Pi>\<^sub>1 = \<phi>[\<G>\<F> \<phi> w]\<^sub>\<Pi>\<^sub>1"
+  "\<psi>[\<G>\<F> (\<phi> R\<^sub>n \<psi>) w]\<^sub>\<Pi>\<^sub>1 = \<psi>[\<G>\<F> \<psi> w]\<^sub>\<Pi>\<^sub>1"
+  by (metis (no_types, lifting) \<G>\<F>_semantics' inf_commute inf_left_commute inf_sup_absorb subformulas\<^sub>\<mu>.simps(6) GF_advice_inter_subformulas) 
+     (metis (no_types, lifting) GF_advice_inter \<G>\<F>.simps(5) \<G>\<F>_semantics' \<G>\<F>_subformulas\<^sub>\<mu> inf.commute sup.boundedE)
+
+lemma FG_advice_restriction: 
+  "\<psi>[\<F>\<G> (\<phi> U\<^sub>n \<psi>) w]\<^sub>\<Sigma>\<^sub>1 = \<psi>[\<F>\<G> \<psi> w]\<^sub>\<Sigma>\<^sub>1"
+  "\<phi>[\<F>\<G> (\<phi> M\<^sub>n \<psi>) w]\<^sub>\<Sigma>\<^sub>1 = \<phi>[\<F>\<G> \<phi> w]\<^sub>\<Sigma>\<^sub>1"  
+  by (metis (no_types, lifting) FG_advice_inter \<F>\<G>.simps(4) \<F>\<G>_semantics' \<F>\<G>_subformulas\<^sub>\<nu> inf.commute sup.boundedE) 
+     (metis (no_types, lifting) FG_advice_inter \<F>\<G>.simps(7) \<F>\<G>_semantics' \<F>\<G>_subformulas\<^sub>\<nu> inf.right_idem inf_commute sup.cobounded1) 
+
+lemma flatten_sigma_2_intersection:
+  "M \<inter> subformulas\<^sub>\<mu> \<phi> \<subseteq> S \<Longrightarrow> \<phi>[M \<inter> S]\<^sub>\<Sigma>\<^sub>2 = \<phi>[M]\<^sub>\<Sigma>\<^sub>2"
+  by (induction \<phi>) (simp; blast intro: GF_advice_inter)+
+
+lemma flatten_sigma_2_intersection_eq:
+  "M \<inter> subformulas\<^sub>\<mu> \<phi> = M' \<Longrightarrow> \<phi>[M']\<^sub>\<Sigma>\<^sub>2 = \<phi>[M]\<^sub>\<Sigma>\<^sub>2"
+  using flatten_sigma_2_intersection by auto
+
+lemma flatten_sigma_2_monotone: 
+  "w \<Turnstile>\<^sub>n \<phi>[M]\<^sub>\<Sigma>\<^sub>2 \<Longrightarrow> M \<subseteq> M' \<Longrightarrow> w \<Turnstile>\<^sub>n \<phi>[M']\<^sub>\<Sigma>\<^sub>2"
+  by (induction \<phi> arbitrary: w)
+     (simp; blast dest: GF_advice_monotone)+
+
+lemma flatten_pi_2_intersection:
+  "N \<inter> subformulas\<^sub>\<nu> \<phi> \<subseteq> S \<Longrightarrow> \<phi>[N \<inter> S]\<^sub>\<Pi>\<^sub>2 = \<phi>[N]\<^sub>\<Pi>\<^sub>2"
+  by (induction \<phi>) (simp; blast intro: FG_advice_inter)+
+
+lemma flatten_pi_2_intersection_eq:
+  "N \<inter> subformulas\<^sub>\<nu> \<phi> = N' \<Longrightarrow> \<phi>[N']\<^sub>\<Pi>\<^sub>2 = \<phi>[N]\<^sub>\<Pi>\<^sub>2"
+  using flatten_pi_2_intersection by auto
+
+lemma flatten_pi_2_monotone: 
+  "w \<Turnstile>\<^sub>n \<phi>[N]\<^sub>\<Pi>\<^sub>2 \<Longrightarrow> N \<subseteq> N' \<Longrightarrow> w \<Turnstile>\<^sub>n \<phi>[N']\<^sub>\<Pi>\<^sub>2"
+  by (induction \<phi> arbitrary: w)
+     (simp; blast dest: FG_advice_monotone)+
+
+lemma ltln_weak_strong_stable_words_1:
+  "w \<Turnstile>\<^sub>n (\<phi> W\<^sub>n \<psi>) \<longleftrightarrow> w \<Turnstile>\<^sub>n \<phi> U\<^sub>n (\<psi> or\<^sub>n (G\<^sub>n \<phi>[\<G>\<F> \<phi> w]\<^sub>\<Pi>\<^sub>1))" (is "?lhs \<longleftrightarrow> ?rhs") 
+proof 
+  assume ?lhs
+  
+  moreover
+
+  {
+    assume assm: "w \<Turnstile>\<^sub>n G\<^sub>n \<phi>"
+    moreover
+    obtain i where "\<And>j. \<F> \<phi> (suffix i w) \<subseteq> \<G>\<F> \<phi> w"
+      by (metis MOST_nat_le \<G>\<F>_suffix \<mu>_stable_def order_refl suffix_\<mu>_stable)
+    hence "\<And>j. \<F> \<phi> (suffix i (suffix j w)) \<subseteq> \<G>\<F> \<phi> w"
+      by (metis \<F>_suffix \<G>\<F>_\<F>_subset \<G>\<F>_suffix semiring_normalization_rules(24) subset_Un_eq suffix_suffix sup.orderE)
+    ultimately
+    have "suffix i w \<Turnstile>\<^sub>n G\<^sub>n (\<phi>[\<G>\<F> \<phi> w]\<^sub>\<Pi>\<^sub>1)"
+      using GF_advice_a1[OF \<open>\<And>j. \<F> \<phi> (suffix i (suffix j w)) \<subseteq> \<G>\<F> \<phi> w\<close>]
+      by (simp add: add.commute)
+    hence "?rhs"
+      using assm by auto 
+  }
+
+  moreover
+
+  have "w \<Turnstile>\<^sub>n \<phi> U\<^sub>n \<psi> \<Longrightarrow> ?rhs"
+    by auto
+  
+  ultimately
+
+  show ?rhs
+    using ltln_weak_to_strong(1) by blast
+next
+  assume ?rhs
+  thus ?lhs
+    unfolding ltln_weak_strong_2 unfolding semantics_ltln.simps
+    by (metis \<G>\<F>_suffix order_refl GF_advice_a2)
+qed
+
+lemma ltln_weak_strong_stable_words_2:
+  "w \<Turnstile>\<^sub>n (\<phi> R\<^sub>n \<psi>) \<longleftrightarrow> w \<Turnstile>\<^sub>n (\<phi> or\<^sub>n (G\<^sub>n \<psi>[\<G>\<F> \<psi> w]\<^sub>\<Pi>\<^sub>1)) M\<^sub>n \<psi>" (is "?lhs \<longleftrightarrow> ?rhs") 
+proof 
+  assume ?lhs
+  
+  moreover
+
+  {
+    assume assm: "w \<Turnstile>\<^sub>n G\<^sub>n \<psi>"
+    moreover
+    obtain i where "\<And>j. \<F> \<psi> (suffix i w) \<subseteq> \<G>\<F> \<psi> w"
+      by (metis MOST_nat_le \<G>\<F>_suffix \<mu>_stable_def order_refl suffix_\<mu>_stable)
+    hence "\<And>j. \<F> \<psi> (suffix i (suffix j w)) \<subseteq> \<G>\<F> \<psi> w"
+      by (metis \<F>_suffix \<G>\<F>_\<F>_subset \<G>\<F>_suffix semiring_normalization_rules(24) subset_Un_eq suffix_suffix sup.orderE)
+    ultimately
+    have "suffix i w \<Turnstile>\<^sub>n G\<^sub>n (\<psi>[\<G>\<F> \<psi> w]\<^sub>\<Pi>\<^sub>1)"
+      using GF_advice_a1[OF \<open>\<And>j. \<F> \<psi> (suffix i (suffix j w)) \<subseteq> \<G>\<F> \<psi> w\<close>]
+      by (simp add: add.commute)
+    hence "?rhs"
+      using assm by auto 
+  }
+
+  moreover
+
+  have "w \<Turnstile>\<^sub>n \<phi> M\<^sub>n \<psi> \<Longrightarrow> ?rhs"
+    by auto
+  
+  ultimately
+
+  show ?rhs
+    using ltln_weak_to_strong by blast
+next
+  assume ?rhs
+  thus ?lhs
+    unfolding ltln_weak_strong_2 unfolding semantics_ltln.simps
+    by (metis GF_advice_a2 \<G>\<F>_suffix order_refl)
+qed
+
+lemma ltln_weak_strong_stable_words:
+  "w \<Turnstile>\<^sub>n (\<phi> W\<^sub>n \<psi>) \<longleftrightarrow> w \<Turnstile>\<^sub>n \<phi> U\<^sub>n (\<psi> or\<^sub>n (G\<^sub>n \<phi>[\<G>\<F> (\<phi> W\<^sub>n \<psi>) w]\<^sub>\<Pi>\<^sub>1))"
+  "w \<Turnstile>\<^sub>n (\<phi> R\<^sub>n \<psi>) \<longleftrightarrow> w \<Turnstile>\<^sub>n (\<phi> or\<^sub>n (G\<^sub>n \<psi>[\<G>\<F> (\<phi> R\<^sub>n \<psi>) w]\<^sub>\<Pi>\<^sub>1)) M\<^sub>n \<psi>"
+  unfolding ltln_weak_strong_stable_words_1 ltln_weak_strong_stable_words_2 GF_advice_restriction by simp+
+
+lemma flatten_sigma_2_IH_lifting: 
+  assumes "\<psi> \<in> subfrmlsn \<phi>"
+  assumes "suffix i w \<Turnstile>\<^sub>n \<psi>[\<G>\<F> \<psi> (suffix i w)]\<^sub>\<Sigma>\<^sub>2 = suffix i w \<Turnstile>\<^sub>n \<psi>"
+  shows "suffix i w \<Turnstile>\<^sub>n \<psi>[\<G>\<F> \<phi> w]\<^sub>\<Sigma>\<^sub>2 = suffix i w \<Turnstile>\<^sub>n \<psi>" 
+  by (metis (no_types, lifting) inf.absorb_iff2 inf_assoc inf_commute assms(2) \<G>\<F>_suffix flatten_sigma_2_intersection_eq[of "\<G>\<F> \<phi> w" \<psi> "\<G>\<F> \<psi> w"] \<G>\<F>_semantics' subformulas\<^sub>\<mu>_subset[OF assms(1)])
+  
+lemma flatten_sigma_2_correct:
+  "w \<Turnstile>\<^sub>n \<phi>[\<G>\<F> \<phi> w]\<^sub>\<Sigma>\<^sub>2 \<longleftrightarrow> w \<Turnstile>\<^sub>n \<phi>"
+proof (induction \<phi> arbitrary: w)
+  case (And_ltln \<phi>1 \<phi>2)
+  then show ?case 
+    using flatten_sigma_2_IH_lifting[of _ "\<phi>1 and\<^sub>n \<phi>2" 0] by simp
+next
+  case (Or_ltln \<phi>1 \<phi>2)
+  then show ?case 
+    using flatten_sigma_2_IH_lifting[of _ "\<phi>1 or\<^sub>n \<phi>2" 0] by simp
+next
+  case (Next_ltln \<phi>)
+  then show ?case 
+    using flatten_sigma_2_IH_lifting[of _ "X\<^sub>n \<phi>" 1] by fastforce
+next
+  case (Until_ltln \<phi>1 \<phi>2)
+  then show ?case
+    using flatten_sigma_2_IH_lifting[of _ "\<phi>1 U\<^sub>n \<phi>2"] by fastforce
+next
+  case (Release_ltln \<phi>1 \<phi>2)
+  then show ?case
+    unfolding ltln_weak_strong_stable_words
+    using flatten_sigma_2_IH_lifting[of _ "\<phi>1 R\<^sub>n \<phi>2"] by fastforce
+next
+  case (WeakUntil_ltln \<phi>1 \<phi>2)
+  then show ?case
+    unfolding ltln_weak_strong_stable_words
+    using flatten_sigma_2_IH_lifting[of _ "\<phi>1 W\<^sub>n \<phi>2"] by fastforce
+next
+case (StrongRelease_ltln \<phi>1 \<phi>2)
+  then show ?case
+    using flatten_sigma_2_IH_lifting[of _ "\<phi>1 M\<^sub>n \<phi>2"] by fastforce
+qed auto
+
+lemma ltln_strong_weak_stable_words_1:
+  "w \<Turnstile>\<^sub>n \<phi> U\<^sub>n \<psi> \<longleftrightarrow> w \<Turnstile>\<^sub>n (\<phi> and\<^sub>n (F\<^sub>n \<psi>[\<F>\<G> \<psi> w]\<^sub>\<Sigma>\<^sub>1)) W\<^sub>n \<psi>" (is "?lhs \<longleftrightarrow> ?rhs") 
+proof 
+  assume ?rhs
+
+  moreover
+
+  obtain i where "\<nu>_stable \<psi> (suffix i w)"
+    by (metis MOST_nat less_Suc_eq suffix_\<nu>_stable)
+  hence "\<forall>\<psi> \<in> \<F>\<G> \<psi> w. suffix i w \<Turnstile>\<^sub>n G\<^sub>n \<psi>"
+    using \<F>\<G>_suffix \<G>_elim \<nu>_stable_def by blast
+
+  {
+    assume assm: "w \<Turnstile>\<^sub>n G\<^sub>n (\<phi> and\<^sub>n (F\<^sub>n \<psi>[\<F>\<G> \<psi> w]\<^sub>\<Sigma>\<^sub>1))"
+    hence "suffix i w \<Turnstile>\<^sub>n (F\<^sub>n \<psi>)[\<F>\<G> \<psi> w]\<^sub>\<Sigma>\<^sub>1"
+      by simp
+    hence "suffix i w \<Turnstile>\<^sub>n F\<^sub>n \<psi>"
+      by (blast dest: FG_advice_b2_helper[OF \<open>\<forall>\<psi> \<in> \<F>\<G> \<psi> w. suffix i w \<Turnstile>\<^sub>n G\<^sub>n \<psi>\<close>])
+    hence "w \<Turnstile>\<^sub>n \<phi> U\<^sub>n \<psi>"
+      using assm by auto
+  }
+
+  ultimately
+  
+  show ?lhs
+    by (meson ltln_weak_to_strong(1) semantics_ltln.simps(5) until_and_left_distrib)
+next 
+  assume ?lhs 
+
+  moreover
+
+  have "\<And>i. suffix i w \<Turnstile>\<^sub>n \<psi> \<Longrightarrow> suffix i w \<Turnstile>\<^sub>n \<psi>[\<F>\<G> \<psi> w]\<^sub>\<Sigma>\<^sub>1"
+    using \<F>\<G>_suffix by (blast intro: FG_advice_b1)
+
+  ultimately
+
+  show "?rhs"
+    unfolding ltln_strong_weak_2 by fastforce
+qed
+
+lemma ltln_strong_weak_stable_words_2:
+  "w \<Turnstile>\<^sub>n \<phi> M\<^sub>n \<psi> \<longleftrightarrow> w \<Turnstile>\<^sub>n \<phi> R\<^sub>n (\<psi> and\<^sub>n (F\<^sub>n \<phi>[\<F>\<G> \<phi> w]\<^sub>\<Sigma>\<^sub>1))" (is "?lhs \<longleftrightarrow> ?rhs") 
+proof 
+  assume ?rhs
+
+  moreover
+
+  obtain i where "\<nu>_stable \<phi> (suffix i w)"
+    by (metis MOST_nat less_Suc_eq suffix_\<nu>_stable)
+  hence "\<forall>\<psi> \<in> \<F>\<G> \<phi> w. suffix i w \<Turnstile>\<^sub>n G\<^sub>n \<psi>"
+    using \<F>\<G>_suffix \<G>_elim \<nu>_stable_def by blast
+
+  {
+    assume assm: "w \<Turnstile>\<^sub>n G\<^sub>n (\<psi> and\<^sub>n (F\<^sub>n \<phi>[\<F>\<G> \<phi> w]\<^sub>\<Sigma>\<^sub>1))"
+    hence "suffix i w \<Turnstile>\<^sub>n (F\<^sub>n \<phi>)[\<F>\<G> \<phi> w]\<^sub>\<Sigma>\<^sub>1"
+      by simp
+    hence "suffix i w \<Turnstile>\<^sub>n F\<^sub>n \<phi>"
+      by (blast dest: FG_advice_b2_helper[OF \<open>\<forall>\<psi> \<in> \<F>\<G> \<phi> w. suffix i w \<Turnstile>\<^sub>n G\<^sub>n \<psi>\<close>])
+    hence "w \<Turnstile>\<^sub>n \<phi> M\<^sub>n \<psi>"
+      using assm by auto
+  }
+
+  ultimately
+  
+  show ?lhs
+    using ltln_weak_to_strong(3) semantics_ltln.simps(5) strong_release_and_right_distrib by blast
+next 
+  assume ?lhs 
+
+  moreover
+
+  have "\<And>i. suffix i w \<Turnstile>\<^sub>n \<phi> \<Longrightarrow> suffix i w \<Turnstile>\<^sub>n \<phi>[\<F>\<G> \<phi> w]\<^sub>\<Sigma>\<^sub>1"
+    using \<F>\<G>_suffix by (blast intro: FG_advice_b1)
+
+  ultimately
+
+  show "?rhs"
+    unfolding ltln_strong_weak_2 by fastforce
+qed
+
+lemma ltln_strong_weak_stable_words:
+  "w \<Turnstile>\<^sub>n \<phi> U\<^sub>n \<psi> \<longleftrightarrow> w \<Turnstile>\<^sub>n (\<phi> and\<^sub>n (F\<^sub>n \<psi>[\<F>\<G> (\<phi> U\<^sub>n \<psi>) w]\<^sub>\<Sigma>\<^sub>1)) W\<^sub>n \<psi>"
+  "w \<Turnstile>\<^sub>n \<phi> M\<^sub>n \<psi> \<longleftrightarrow> w \<Turnstile>\<^sub>n \<phi> R\<^sub>n (\<psi> and\<^sub>n (F\<^sub>n \<phi>[\<F>\<G> (\<phi> M\<^sub>n \<psi>) w]\<^sub>\<Sigma>\<^sub>1))"
+  unfolding ltln_strong_weak_stable_words_1 ltln_strong_weak_stable_words_2 FG_advice_restriction by simp+
+
+lemma flatten_pi_2_IH_lifting: 
+  assumes "\<psi> \<in> subfrmlsn \<phi>"
+  assumes "suffix i w \<Turnstile>\<^sub>n \<psi>[\<F>\<G> \<psi> (suffix i w)]\<^sub>\<Pi>\<^sub>2 = suffix i w \<Turnstile>\<^sub>n \<psi>"
+  shows "suffix i w \<Turnstile>\<^sub>n \<psi>[\<F>\<G> \<phi> w]\<^sub>\<Pi>\<^sub>2 = suffix i w \<Turnstile>\<^sub>n \<psi>" 
+  by (metis (no_types, lifting) inf.absorb_iff2 inf_assoc inf_commute assms(2) \<F>\<G>_suffix flatten_pi_2_intersection_eq[of "\<F>\<G> \<phi> w" \<psi> "\<F>\<G> \<psi> w"] \<F>\<G>_semantics' subformulas\<^sub>\<nu>_subset[OF assms(1)])
+
+lemma flatten_pi_2_correct:
+  "w \<Turnstile>\<^sub>n \<phi>[\<F>\<G> \<phi> w]\<^sub>\<Pi>\<^sub>2 \<longleftrightarrow> w \<Turnstile>\<^sub>n \<phi>"
+proof (induction \<phi> arbitrary: w)
+  case (And_ltln \<phi>1 \<phi>2)
+  then show ?case 
+    using flatten_pi_2_IH_lifting[of _ "\<phi>1 and\<^sub>n \<phi>2" 0] by simp
+next
+  case (Or_ltln \<phi>1 \<phi>2)
+  then show ?case 
+    using flatten_pi_2_IH_lifting[of _ "\<phi>1 or\<^sub>n \<phi>2" 0] by simp
+next
+  case (Next_ltln \<phi>)
+  then show ?case 
+    using flatten_pi_2_IH_lifting[of _ "X\<^sub>n \<phi>" 1] by fastforce
+next
+  case (Until_ltln \<phi>1 \<phi>2)
+  then show ?case
+    unfolding ltln_strong_weak_stable_words
+    using flatten_pi_2_IH_lifting[of _ "\<phi>1 U\<^sub>n \<phi>2"] by fastforce
+next
+  case (Release_ltln \<phi>1 \<phi>2)
+  then show ?case
+    using flatten_pi_2_IH_lifting[of _ "\<phi>1 R\<^sub>n \<phi>2"] by fastforce
+next
+  case (WeakUntil_ltln \<phi>1 \<phi>2)
+  then show ?case
+    using flatten_pi_2_IH_lifting[of _ "\<phi>1 W\<^sub>n \<phi>2"] by fastforce
+next
+case (StrongRelease_ltln \<phi>1 \<phi>2)
+  then show ?case
+    unfolding ltln_strong_weak_stable_words
+    using flatten_pi_2_IH_lifting[of _ "\<phi>1 M\<^sub>n \<phi>2"] by fastforce
+qed auto
+
+subsection \<open>Main Theorem\<close>
+
+text \<open>Using the four previously defined functions we obtain our normal form.\<close>
+
+theorem normal_form_with_flatten_sigma_2:
+  "w \<Turnstile>\<^sub>n \<phi> \<longleftrightarrow> 
+    (\<exists>M \<subseteq> subformulas\<^sub>\<mu> \<phi>. \<exists>N \<subseteq> subformulas\<^sub>\<nu> \<phi>.
+      w \<Turnstile>\<^sub>n \<phi>[M]\<^sub>\<Sigma>\<^sub>2 \<and> (\<forall>\<psi> \<in> M. w \<Turnstile>\<^sub>n G\<^sub>n (F\<^sub>n \<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<and> (\<forall>\<psi> \<in> N. w \<Turnstile>\<^sub>n F\<^sub>n (G\<^sub>n \<psi>[M]\<^sub>\<Pi>\<^sub>1)))" (is "?lhs \<longleftrightarrow> ?rhs")
+proof
+  assume ?lhs
+  then have "w \<Turnstile>\<^sub>n \<phi>[\<G>\<F> \<phi> w]\<^sub>\<Sigma>\<^sub>2"
+    using flatten_sigma_2_correct by blast
+  then show ?rhs
+    using \<G>\<F>_subformulas\<^sub>\<mu> \<F>\<G>_subformulas\<^sub>\<nu> \<G>\<F>_implies_GF \<F>\<G>_implies_FG by metis 
+next
+  assume ?rhs
+  then obtain M N where "w \<Turnstile>\<^sub>n \<phi>[M]\<^sub>\<Sigma>\<^sub>2" and "M \<subseteq> \<G>\<F> \<phi> w" and "N \<subseteq> \<F>\<G> \<phi> w"
+    using X_\<G>\<F>_Y_\<F>\<G> by blast
+  then have "w \<Turnstile>\<^sub>n \<phi>[\<G>\<F> \<phi> w]\<^sub>\<Sigma>\<^sub>2"
+    using flatten_sigma_2_monotone by blast
+  then show ?lhs
+    using flatten_sigma_2_correct by blast
+qed
+
+theorem normal_form_with_flatten_pi_2:
+  "w \<Turnstile>\<^sub>n \<phi> \<longleftrightarrow> 
+    (\<exists>M \<subseteq> subformulas\<^sub>\<mu> \<phi>. \<exists>N \<subseteq> subformulas\<^sub>\<nu> \<phi>.
+      w \<Turnstile>\<^sub>n \<phi>[N]\<^sub>\<Pi>\<^sub>2 \<and> (\<forall>\<psi> \<in> M. w \<Turnstile>\<^sub>n G\<^sub>n (F\<^sub>n \<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<and> (\<forall>\<psi> \<in> N. w \<Turnstile>\<^sub>n F\<^sub>n (G\<^sub>n \<psi>[M]\<^sub>\<Pi>\<^sub>1)))" (is "?lhs \<longleftrightarrow> ?rhs")
+proof
+  assume ?lhs
+  then have "w \<Turnstile>\<^sub>n \<phi>[\<F>\<G> \<phi> w]\<^sub>\<Pi>\<^sub>2"
+    using flatten_pi_2_correct by blast
+  then show ?rhs
+    using \<G>\<F>_subformulas\<^sub>\<mu> \<F>\<G>_subformulas\<^sub>\<nu> \<G>\<F>_implies_GF \<F>\<G>_implies_FG by metis 
+next
+  assume ?rhs
+  then obtain M N where "w \<Turnstile>\<^sub>n \<phi>[N]\<^sub>\<Pi>\<^sub>2" and "M \<subseteq> \<G>\<F> \<phi> w" and "N \<subseteq> \<F>\<G> \<phi> w"
+    using X_\<G>\<F>_Y_\<F>\<G> by metis
+  then have "w \<Turnstile>\<^sub>n \<phi>[\<F>\<G> \<phi> w]\<^sub>\<Pi>\<^sub>2"
+    using flatten_pi_2_monotone by metis
+  then show ?lhs
+    using flatten_pi_2_correct by blast
+qed
+
+end
\ No newline at end of file
diff --git a/thys/LTL_Normal_Form/Normal_Form_Code_Export.thy b/thys/LTL_Normal_Form/Normal_Form_Code_Export.thy
new file mode 100644
--- /dev/null
+++ b/thys/LTL_Normal_Form/Normal_Form_Code_Export.thy
@@ -0,0 +1,134 @@
+(*
+    Author:   Salomon Sickert
+    License:  BSD
+*)
+
+section \<open>Code Export\<close>
+
+theory Normal_Form_Code_Export imports
+  LTL.Code_Equations
+  LTL.Rewriting
+  LTL.Disjunctive_Normal_Form
+  HOL.String
+  Normal_Form
+begin
+
+fun flatten_pi_1_list :: "String.literal ltln \<Rightarrow> String.literal ltln list \<Rightarrow> String.literal ltln"
+  where
+  "flatten_pi_1_list (\<psi>\<^sub>1 U\<^sub>n \<psi>\<^sub>2) M = (if (\<psi>\<^sub>1 U\<^sub>n \<psi>\<^sub>2) \<in> set M then (flatten_pi_1_list \<psi>\<^sub>1 M) W\<^sub>n (flatten_pi_1_list \<psi>\<^sub>2 M) else false\<^sub>n)"
+| "flatten_pi_1_list (\<psi>\<^sub>1 W\<^sub>n \<psi>\<^sub>2) M = (flatten_pi_1_list \<psi>\<^sub>1 M) W\<^sub>n (flatten_pi_1_list \<psi>\<^sub>2 M)"
+| "flatten_pi_1_list (\<psi>\<^sub>1 M\<^sub>n \<psi>\<^sub>2) M = (if (\<psi>\<^sub>1 M\<^sub>n \<psi>\<^sub>2) \<in> set M then (flatten_pi_1_list \<psi>\<^sub>1 M) R\<^sub>n (flatten_pi_1_list \<psi>\<^sub>2 M) else false\<^sub>n)"
+| "flatten_pi_1_list (\<psi>\<^sub>1 R\<^sub>n \<psi>\<^sub>2) M = (flatten_pi_1_list \<psi>\<^sub>1 M) R\<^sub>n (flatten_pi_1_list \<psi>\<^sub>2 M)"
+| "flatten_pi_1_list (\<psi>\<^sub>1 and\<^sub>n \<psi>\<^sub>2) M = (flatten_pi_1_list \<psi>\<^sub>1 M) and\<^sub>n (flatten_pi_1_list \<psi>\<^sub>2 M)"
+| "flatten_pi_1_list (\<psi>\<^sub>1 or\<^sub>n \<psi>\<^sub>2) M = (flatten_pi_1_list \<psi>\<^sub>1 M) or\<^sub>n (flatten_pi_1_list \<psi>\<^sub>2 M)"
+| "flatten_pi_1_list (X\<^sub>n \<psi>) M = X\<^sub>n (flatten_pi_1_list \<psi> M)"
+| "flatten_pi_1_list \<phi> _ = \<phi>"
+
+fun flatten_sigma_1_list :: "String.literal ltln \<Rightarrow> String.literal ltln list \<Rightarrow> String.literal ltln"
+where
+  "flatten_sigma_1_list (\<psi>\<^sub>1 U\<^sub>n \<psi>\<^sub>2) N = (flatten_sigma_1_list \<psi>\<^sub>1 N) U\<^sub>n (flatten_sigma_1_list \<psi>\<^sub>2 N)"
+| "flatten_sigma_1_list (\<psi>\<^sub>1 W\<^sub>n \<psi>\<^sub>2) N = (if (\<psi>\<^sub>1 W\<^sub>n \<psi>\<^sub>2) \<in> set N then true\<^sub>n else (flatten_sigma_1_list \<psi>\<^sub>1 N) U\<^sub>n (flatten_sigma_1_list \<psi>\<^sub>2 N))"
+| "flatten_sigma_1_list (\<psi>\<^sub>1 M\<^sub>n \<psi>\<^sub>2) N = (flatten_sigma_1_list \<psi>\<^sub>1 N) M\<^sub>n (flatten_sigma_1_list \<psi>\<^sub>2 N)"
+| "flatten_sigma_1_list (\<psi>\<^sub>1 R\<^sub>n \<psi>\<^sub>2) N = (if (\<psi>\<^sub>1 R\<^sub>n \<psi>\<^sub>2) \<in> set N then true\<^sub>n else (flatten_sigma_1_list \<psi>\<^sub>1 N) M\<^sub>n (flatten_sigma_1_list \<psi>\<^sub>2 N))"
+| "flatten_sigma_1_list (\<psi>\<^sub>1 and\<^sub>n \<psi>\<^sub>2) N = (flatten_sigma_1_list \<psi>\<^sub>1 N) and\<^sub>n (flatten_sigma_1_list \<psi>\<^sub>2 N)"
+| "flatten_sigma_1_list (\<psi>\<^sub>1 or\<^sub>n \<psi>\<^sub>2) N = (flatten_sigma_1_list \<psi>\<^sub>1 N) or\<^sub>n (flatten_sigma_1_list \<psi>\<^sub>2 N)"
+| "flatten_sigma_1_list (X\<^sub>n \<psi>) N = X\<^sub>n (flatten_sigma_1_list \<psi> N)"
+| "flatten_sigma_1_list \<phi> _ = \<phi>"
+
+fun flatten_sigma_2_list :: "String.literal ltln \<Rightarrow> String.literal ltln list \<Rightarrow> String.literal ltln"
+where
+  "flatten_sigma_2_list (\<phi> U\<^sub>n \<psi>) M = (flatten_sigma_2_list \<phi> M) U\<^sub>n (flatten_sigma_2_list \<psi> M)"
+| "flatten_sigma_2_list (\<phi> W\<^sub>n \<psi>) M = (flatten_sigma_2_list \<phi> M) U\<^sub>n ((flatten_sigma_2_list \<psi> M) or\<^sub>n (G\<^sub>n (flatten_pi_1_list \<phi> M)))"
+| "flatten_sigma_2_list (\<phi> M\<^sub>n \<psi>) M = (flatten_sigma_2_list \<phi> M) M\<^sub>n (flatten_sigma_2_list \<psi> M)"
+| "flatten_sigma_2_list (\<phi> R\<^sub>n \<psi>) M = ((flatten_sigma_2_list \<phi> M) or\<^sub>n (G\<^sub>n (flatten_pi_1_list \<psi> M))) M\<^sub>n (flatten_sigma_2_list \<psi> M)"
+| "flatten_sigma_2_list (\<phi> and\<^sub>n \<psi>) M = (flatten_sigma_2_list \<phi> M) and\<^sub>n (flatten_sigma_2_list \<psi> M)"
+| "flatten_sigma_2_list (\<phi> or\<^sub>n \<psi>) M = (flatten_sigma_2_list \<phi> M) or\<^sub>n (flatten_sigma_2_list \<psi> M)"
+| "flatten_sigma_2_list (X\<^sub>n \<phi>) M = X\<^sub>n (flatten_sigma_2_list \<phi> M)"
+| "flatten_sigma_2_list \<phi> _ = \<phi>"
+
+lemma flatten_code_equations[simp]:
+  "\<phi>[set M]\<^sub>\<Pi>\<^sub>1 = flatten_pi_1_list \<phi> M"
+  "\<phi>[set M]\<^sub>\<Sigma>\<^sub>1 = flatten_sigma_1_list \<phi> M"
+  "\<phi>[set M]\<^sub>\<Sigma>\<^sub>2 = flatten_sigma_2_list \<phi> M"
+  by (induction \<phi>) auto
+
+abbreviation "and_list \<equiv> foldl And_ltln true\<^sub>n"
+
+abbreviation "or_list \<equiv> foldl Or_ltln false\<^sub>n"
+
+definition "normal_form_disjunct (\<phi> :: String.literal ltln) M N 
+  \<equiv> (flatten_sigma_2_list \<phi> M)
+      and\<^sub>n (and_list (map (\<lambda>\<psi>. G\<^sub>n (F\<^sub>n (flatten_sigma_1_list \<psi> N))) M) 
+      and\<^sub>n (and_list (map (\<lambda>\<psi>. F\<^sub>n (G\<^sub>n (flatten_pi_1_list    \<psi> M))) N)))"
+
+definition "normal_form (\<phi> :: String.literal ltln) 
+  \<equiv> or_list (map (\<lambda>(M, N). normal_form_disjunct \<phi> M N) (advice_sets \<phi>))" 
+
+lemma and_list_semantic: "w \<Turnstile>\<^sub>n and_list xs \<longleftrightarrow> (\<forall>x \<in> set xs. w \<Turnstile>\<^sub>n x)"
+  by (induction xs rule: rev_induct) auto 
+
+lemma or_list_semantic: "w \<Turnstile>\<^sub>n or_list xs \<longleftrightarrow> (\<exists>x \<in> set xs. w \<Turnstile>\<^sub>n x)"
+  by (induction xs rule: rev_induct) auto
+
+theorem normal_form_correct:
+  "w \<Turnstile>\<^sub>n \<phi> \<longleftrightarrow> w \<Turnstile>\<^sub>n normal_form \<phi>"
+proof 
+  assume "w \<Turnstile>\<^sub>n \<phi>"
+  then obtain M N where "M \<subseteq> subformulas\<^sub>\<mu> \<phi>" and "N \<subseteq> subformulas\<^sub>\<nu> \<phi>"
+    and c1: "w \<Turnstile>\<^sub>n \<phi>[M]\<^sub>\<Sigma>\<^sub>2" and c2: "\<forall>\<psi> \<in> M. w \<Turnstile>\<^sub>n G\<^sub>n (F\<^sub>n \<psi>[N]\<^sub>\<Sigma>\<^sub>1)" and c3: "\<forall>\<psi> \<in> N. w \<Turnstile>\<^sub>n F\<^sub>n (G\<^sub>n \<psi>[M]\<^sub>\<Pi>\<^sub>1)"
+    using normal_form_with_flatten_sigma_2 by metis
+  then obtain ms ns where "M = set ms" and "N = set ns" and ms_ns_in: "(ms, ns) \<in> set (advice_sets \<phi>)" 
+    by (meson advice_sets_subformulas)
+  then have "w \<Turnstile>\<^sub>n normal_form_disjunct \<phi> ms ns"
+    using c1 c2 c3 by (simp add: and_list_semantic normal_form_disjunct_def)
+  then show "w \<Turnstile>\<^sub>n normal_form \<phi>"
+    using normal_form_def or_list_semantic ms_ns_in by fastforce
+next
+  assume "w \<Turnstile>\<^sub>n normal_form \<phi>"
+  then obtain ms ns where "(ms, ns) \<in> set (advice_sets \<phi>)" 
+    and "w \<Turnstile>\<^sub>n normal_form_disjunct \<phi> ms ns"
+    unfolding normal_form_def or_list_semantic by force
+  then have "set ms \<subseteq> subformulas\<^sub>\<mu> \<phi>" and "set ns \<subseteq> subformulas\<^sub>\<nu> \<phi>"
+    and c1: "w \<Turnstile>\<^sub>n \<phi>[set ms]\<^sub>\<Sigma>\<^sub>2" and c2: "\<forall>\<psi> \<in> set ms. w \<Turnstile>\<^sub>n G\<^sub>n (F\<^sub>n \<psi>[set ns]\<^sub>\<Sigma>\<^sub>1)" and c3: "\<forall>\<psi> \<in> set ns. w \<Turnstile>\<^sub>n F\<^sub>n (G\<^sub>n \<psi>[set ms]\<^sub>\<Pi>\<^sub>1)"  
+    using advice_sets_element_subfrmlsn 
+    by (auto simp: and_list_semantic normal_form_disjunct_def) blast
+  then show "w \<Turnstile>\<^sub>n \<phi>"
+    using normal_form_with_flatten_sigma_2 by metis
+qed
+
+definition "normal_form_with_simplifier (\<phi> :: String.literal ltln) 
+  \<equiv> min_dnf (simplify Slow (normal_form (simplify Slow \<phi>)))" 
+
+lemma ltl_semantics_min_dnf:
+  "w \<Turnstile>\<^sub>n \<phi> \<longleftrightarrow> (\<exists>C \<in> min_dnf \<phi>. \<forall>\<psi>. \<psi> |\<in>| C \<longrightarrow> w \<Turnstile>\<^sub>n \<psi>)" (is "?lhs \<longleftrightarrow> ?rhs")
+proof 
+  let ?M = "{\<psi>. w \<Turnstile>\<^sub>n \<psi>}"
+  assume ?lhs
+  hence "?M \<Turnstile>\<^sub>P \<phi>"
+    using ltl_models_equiv_prop_entailment by blast
+  then obtain M' where "fset M' \<subseteq> ?M" and "M' \<in> min_dnf \<phi>"
+    using min_dnf_iff_prop_assignment_subset by blast
+  thus ?rhs
+    by (meson in_mono mem_Collect_eq notin_fset)
+next 
+  let ?M = "{\<psi>. w \<Turnstile>\<^sub>n \<psi>}"
+  assume ?rhs
+  then obtain M' where "fset M' \<subseteq> ?M" and "M' \<in> min_dnf \<phi>"
+    using notin_fset by fastforce
+  hence "?M \<Turnstile>\<^sub>P \<phi>"
+    using min_dnf_iff_prop_assignment_subset by blast
+  thus ?lhs
+    using ltl_models_equiv_prop_entailment by blast
+qed
+
+theorem 
+  "w \<Turnstile>\<^sub>n \<phi> \<longleftrightarrow> (\<exists>C \<in> (normal_form_with_simplifier \<phi>). \<forall>\<psi>. \<psi> |\<in>| C \<longrightarrow> w \<Turnstile>\<^sub>n \<psi>)" (is "?lhs \<longleftrightarrow> ?rhs")
+  unfolding normal_form_with_simplifier_def ltl_semantics_min_dnf[symmetric] 
+  using normal_form_correct by simp
+
+text \<open>In order to export the code run \texttt{isabelle build -D [PATH] -e}.\<close>
+
+export_code normal_form in SML
+export_code normal_form_with_simplifier in SML
+
+end
\ No newline at end of file
diff --git a/thys/LTL_Normal_Form/Normal_Form_Complexity.thy b/thys/LTL_Normal_Form/Normal_Form_Complexity.thy
new file mode 100644
--- /dev/null
+++ b/thys/LTL_Normal_Form/Normal_Form_Complexity.thy
@@ -0,0 +1,650 @@
+(*
+    Author:   Salomon Sickert
+    License:  BSD
+*)
+
+section \<open>Size Bounds\<close>
+
+text \<open>We prove an exponential upper bound for the normalisation procedure. Moreover, we show that 
+  the number of proper subformulas, which correspond to states very-weak alternating automata 
+  (A1W), is only linear for each disjunct.\<close>
+
+theory Normal_Form_Complexity imports
+  Normal_Form
+begin
+
+subsection \<open>Inequalities and Identities\<close>
+
+lemma inequality_1: 
+  "y > 0 \<Longrightarrow> y + 3 \<le> (2 :: nat) ^ (y + 1)"
+  by (induction y) (simp, fastforce)
+
+lemma inequality_2: 
+  "x > 0 \<Longrightarrow> y > 0 \<Longrightarrow> ((2 :: nat) ^ (x + 1)) + (2 ^ (y + 1)) \<le> (2 ^ (x + y + 1))"
+  by (induction x; simp; induction y; simp; fastforce)
+
+lemma size_gr_0: 
+  "size (\<phi> :: 'a ltln) > 0" 
+  by (cases \<phi>) simp_all
+
+lemma sum_associative:
+  "finite X \<Longrightarrow> (\<Sum>x \<in> X. f x + c) = (\<Sum>x \<in> X. f x) + card X * c"
+  by (induction rule: finite_induct) simp_all
+
+subsection \<open>Length\<close>
+
+text \<open>We prove that the length (size) of the resulting formula in normal form is at most exponential.\<close>
+
+lemma flatten_sigma_1_length: 
+  "size (\<phi>[N]\<^sub>\<Sigma>\<^sub>1) \<le> size \<phi>"
+  by (induction \<phi>) simp_all
+
+lemma flatten_pi_1_length: 
+  "size (\<phi>[M]\<^sub>\<Pi>\<^sub>1) \<le> size \<phi>"
+  by (induction \<phi>) simp_all
+
+lemma flatten_sigma_2_length: 
+  "size (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) \<le> 2 ^ (size \<phi> + 1)"
+proof (induction \<phi>)
+  case (And_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 and\<^sub>n \<phi>2)[M]\<^sub>\<Sigma>\<^sub>2  \<le> (2 ^ (size \<phi>1 + 1)) + (2 ^ (size \<phi>2 + 1)) + 1"
+    by simp
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + size \<phi>2 + 1) + 1 "
+    using inequality_2[OF size_gr_0 size_gr_0] by simp
+  also
+  have "\<dots> \<le> 2 ^ (size (\<phi>1 and\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (Or_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 or\<^sub>n \<phi>2)[M]\<^sub>\<Sigma>\<^sub>2  \<le> (2 ^ (size \<phi>1 + 1)) + (2 ^ (size \<phi>2 + 1)) + 1"
+    by simp
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + size \<phi>2 + 1) + 1 "
+    using inequality_2[OF size_gr_0 size_gr_0] by simp
+  also
+  have "\<dots> \<le> 2 ^ (size (\<phi>1 or\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (Next_ltln \<phi>)
+  then show ?case 
+    using le_Suc_eq by fastforce
+next
+  case (WeakUntil_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 W\<^sub>n \<phi>2)[M]\<^sub>\<Sigma>\<^sub>2 \<le> 2 ^ (size \<phi>1 + 1) + 2 ^ (size \<phi>2 + 1) + size \<phi>1 + 4"
+    by (simp, simp add: add.commute add_mono flatten_pi_1_length)
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>2 + 1) + 2 * 2 ^ (size \<phi>1 + 1) + 1"
+    using inequality_1[OF size_gr_0, of \<phi>1] by simp
+  also
+  have "\<dots> \<le> 2 * (2 ^ (size \<phi>1 + 1) + 2 ^ (size \<phi>2 + 1))"
+    by simp
+  also
+  have "\<dots> \<le> 2 * 2 ^ (size \<phi>1 + size \<phi>2 + 1)"
+    using inequality_2[OF size_gr_0 size_gr_0] mult_le_mono2 by blast 
+  also
+  have "\<dots> = 2 ^ (size (\<phi>1 W\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (StrongRelease_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 M\<^sub>n \<phi>2)[M]\<^sub>\<Sigma>\<^sub>2  \<le> (2 ^ (size \<phi>1 + 1)) + (2 ^ (size \<phi>2 + 1)) + 1"
+    by simp
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + size \<phi>2 + 1) + 1 "
+    using inequality_2[OF size_gr_0 size_gr_0] by simp
+  also
+  have "\<dots> \<le> 2 ^ (size (\<phi>1 M\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (Until_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 U\<^sub>n \<phi>2)[M]\<^sub>\<Sigma>\<^sub>2  \<le> (2 ^ (size \<phi>1 + 1)) + (2 ^ (size \<phi>2 + 1)) + 1"
+    by simp
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + size \<phi>2 + 1) + 1 "
+    using inequality_2[OF size_gr_0 size_gr_0] by simp
+  also
+  have "\<dots> \<le> 2 ^ (size (\<phi>1 U\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (Release_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 R\<^sub>n \<phi>2)[M]\<^sub>\<Sigma>\<^sub>2 \<le> 2 ^ (size \<phi>1 + 1) + 2 ^ (size \<phi>2 + 1) + size \<phi>2 + 4"
+    by (simp, simp add: add.commute add_mono flatten_pi_1_length)
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + 1) + 2 * 2 ^ (size \<phi>2 + 1) + 1"
+    using inequality_1[OF size_gr_0, of \<phi>2] by simp
+  also
+  have "\<dots> \<le> 2 * (2 ^ (size \<phi>1 + 1) + 2 ^ (size \<phi>2 + 1))"
+    by simp
+  also
+  have "\<dots> \<le> 2 * 2 ^ (size \<phi>1 + size \<phi>2 + 1)"
+    using inequality_2[OF size_gr_0 size_gr_0] mult_le_mono2 by blast 
+  also
+  have "\<dots> = 2 ^ (size (\<phi>1 R\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case .
+qed auto
+
+lemma flatten_pi_2_length: 
+  "size (\<phi>[N]\<^sub>\<Pi>\<^sub>2) \<le> 2 ^ (size \<phi> + 1)"
+proof (induction \<phi>)
+  case (And_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 and\<^sub>n \<phi>2)[N]\<^sub>\<Pi>\<^sub>2  \<le> (2 ^ (size \<phi>1 + 1)) + (2 ^ (size \<phi>2 + 1)) + 1"
+    by simp
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + size \<phi>2 + 1) + 1 "
+    using inequality_2[OF size_gr_0 size_gr_0] by simp
+  also
+  have "\<dots> \<le> 2 ^ (size (\<phi>1 and\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (Or_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 or\<^sub>n \<phi>2)[N]\<^sub>\<Pi>\<^sub>2  \<le> (2 ^ (size \<phi>1 + 1)) + (2 ^ (size \<phi>2 + 1)) + 1"
+    by simp
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + size \<phi>2 + 1) + 1 "
+    using inequality_2[OF size_gr_0 size_gr_0] by simp
+  also
+  have "\<dots> \<le> 2 ^ (size (\<phi>1 or\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (Next_ltln \<phi>)
+  then show ?case 
+    using le_Suc_eq by fastforce
+next
+  case (Until_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 U\<^sub>n \<phi>2)[N]\<^sub>\<Pi>\<^sub>2 \<le> 2 ^ (size \<phi>1 + 1) + 2 ^ (size \<phi>2 + 1) + size \<phi>2 + 4"
+    by (simp, simp add: add.commute add_mono flatten_sigma_1_length)
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + 1) + 2 * 2 ^ (size \<phi>2 + 1) + 1"
+    using inequality_1[OF size_gr_0, of \<phi>2] by simp
+  also
+  have "\<dots> \<le> 2 * (2 ^ (size \<phi>1 + 1) + 2 ^ (size \<phi>2 + 1))"
+    by simp
+  also
+  have "\<dots> \<le> 2 * 2 ^ (size \<phi>1 + size \<phi>2 + 1)"
+    using inequality_2[OF size_gr_0 size_gr_0] mult_le_mono2 by blast 
+  also
+  have "\<dots> = 2 ^ (size (\<phi>1 U\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (Release_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 R\<^sub>n \<phi>2)[N]\<^sub>\<Pi>\<^sub>2  \<le> (2 ^ (size \<phi>1 + 1)) + (2 ^ (size \<phi>2 + 1)) + 1"
+    by simp
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + size \<phi>2 + 1) + 1 "
+    using inequality_2[OF size_gr_0 size_gr_0] by simp
+  also
+  have "\<dots> \<le> 2 ^ (size (\<phi>1 R\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (WeakUntil_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 W\<^sub>n \<phi>2)[N]\<^sub>\<Pi>\<^sub>2  \<le> (2 ^ (size \<phi>1 + 1)) + (2 ^ (size \<phi>2 + 1)) + 1"
+    by simp
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>1 + size \<phi>2 + 1) + 1 "
+    using inequality_2[OF size_gr_0 size_gr_0] by simp
+  also
+  have "\<dots> \<le> 2 ^ (size (\<phi>1 W\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case.
+next
+  case (StrongRelease_ltln \<phi>1 \<phi>2)
+  hence "size (\<phi>1 M\<^sub>n \<phi>2)[N]\<^sub>\<Pi>\<^sub>2 \<le> 2 ^ (size \<phi>1 + 1) + 2 ^ (size \<phi>2 + 1) + size \<phi>1 + 4"
+    by (simp, simp add: add.commute add_mono flatten_sigma_1_length)
+  also
+  have "\<dots> \<le> 2 ^ (size \<phi>2 + 1) + 2 * 2 ^ (size \<phi>1 + 1) + 1"
+    using inequality_1[OF size_gr_0, of \<phi>1] by simp
+  also
+  have "\<dots> \<le> 2 * (2 ^ (size \<phi>1 + 1) + 2 ^ (size \<phi>2 + 1))"
+    by simp
+  also
+  have "\<dots> \<le> 2 * 2 ^ (size \<phi>1 + size \<phi>2 + 1)"
+    using inequality_2[OF size_gr_0 size_gr_0] mult_le_mono2 by blast 
+  also
+  have "\<dots> = 2 ^ (size (\<phi>1 M\<^sub>n \<phi>2) + 1)"
+    by simp
+  finally
+  show ?case .
+qed auto
+
+definition "normal_form_length_upper_bound"
+  where "normal_form_length_upper_bound \<phi>
+    \<equiv> (2 :: nat) ^ (size \<phi>) * (2 ^ (size \<phi> + 1) + 2 * (size \<phi> + 2) ^ 2)"
+
+definition "normal_form_disjunct_with_flatten_pi_2_length"
+  where "normal_form_disjunct_with_flatten_pi_2_length \<phi> M N
+    \<equiv> size (\<phi>[N]\<^sub>\<Pi>\<^sub>2) + (\<Sum>\<psi> \<in> M. size (\<psi>[N]\<^sub>\<Sigma>\<^sub>1) + 2) + (\<Sum>\<psi> \<in> N. size (\<psi>[M]\<^sub>\<Pi>\<^sub>1) + 2)" 
+
+definition "normal_form_with_flatten_pi_2_length"
+  where "normal_form_with_flatten_pi_2_length \<phi> 
+    \<equiv> \<Sum>(M, N) \<in> {(M, N) | M N. M \<subseteq> subformulas\<^sub>\<mu> \<phi> \<and> N \<subseteq> subformulas\<^sub>\<nu> \<phi>}. normal_form_disjunct_with_flatten_pi_2_length \<phi> M N"
+
+definition "normal_form_disjunct_with_flatten_sigma_2_length"
+  where "normal_form_disjunct_with_flatten_sigma_2_length \<phi> M N 
+    \<equiv> size (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) + (\<Sum>\<psi> \<in> M. size (\<psi>[N]\<^sub>\<Sigma>\<^sub>1) + 2) + (\<Sum>\<psi> \<in> N. size (\<psi>[M]\<^sub>\<Pi>\<^sub>1) + 2)" 
+
+definition "normal_form_with_flatten_sigma_2_length"
+  where "normal_form_with_flatten_sigma_2_length \<phi> 
+    \<equiv> \<Sum>(M, N) \<in> {(M, N) | M N. M \<subseteq> subformulas\<^sub>\<mu> \<phi> \<and> N \<subseteq> subformulas\<^sub>\<nu> \<phi>}. normal_form_disjunct_with_flatten_sigma_2_length \<phi> M N"
+
+lemma normal_form_disjunct_length_upper_bound:
+  assumes 
+    "M \<subseteq> subformulas\<^sub>\<mu> \<phi>" 
+    "N \<subseteq> subformulas\<^sub>\<nu> \<phi>"
+  shows 
+    "normal_form_disjunct_with_flatten_sigma_2_length \<phi> M N \<le> 2 ^ (size \<phi> + 1) + 2 * (size \<phi> + 2) ^ 2" (is "?thesis1")
+    "normal_form_disjunct_with_flatten_pi_2_length \<phi> M N \<le> 2 ^ (size \<phi> + 1) + 2 * (size \<phi> + 2) ^ 2" (is "?thesis2")
+proof -
+  let ?n = "size \<phi>"
+  let ?b = "2 ^ (?n + 1) + ?n * (?n + 2) + ?n * (?n + 2)"
+
+  have finite_M: "finite M" and card_M: "card M \<le> ?n"
+    by (metis assms(1) finite_subset subformulas\<^sub>\<mu>_finite)
+       (meson assms(1) card_mono order_trans subformulas\<^sub>\<mu>_subfrmlsn subfrmlsn_card subfrmlsn_finite) 
+
+  have finite_N: "finite N" and card_N: "card N \<le> ?n"
+    by (metis assms(2) finite_subset subformulas\<^sub>\<nu>_finite)
+       (meson assms(2) card_mono order_trans subformulas\<^sub>\<nu>_subfrmlsn subfrmlsn_card subfrmlsn_finite) 
+
+  have size_M: "\<And>\<psi>. \<psi> \<in> M \<Longrightarrow> size \<psi> \<le> size \<phi>"
+    and size_N: "\<And>\<psi>. \<psi> \<in> N \<Longrightarrow> size \<psi> \<le> size \<phi>"
+    by (metis assms(1) eq_iff in_mono less_imp_le subformulas\<^sub>\<mu>_subfrmlsn subfrmlsn_size)
+       (metis assms(2) eq_iff in_mono less_imp_le subformulas\<^sub>\<nu>_subfrmlsn subfrmlsn_size)
+
+  hence size_M': "\<And>\<psi>. \<psi> \<in> M \<Longrightarrow> size (\<psi>[N]\<^sub>\<Sigma>\<^sub>1) \<le> size \<phi>"
+    and size_N': "\<And>\<psi>. \<psi> \<in> N \<Longrightarrow> size (\<psi>[M]\<^sub>\<Pi>\<^sub>1) \<le> size \<phi>"
+    using flatten_sigma_1_length flatten_pi_1_length order_trans by blast+
+
+  have "(\<Sum>\<psi> \<in> M. size (\<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<le> ?n * ?n"
+    and "(\<Sum>\<psi> \<in> N. size (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<le> ?n * ?n"
+    using sum_bounded_above[of M, OF size_M'] sum_bounded_above[of N, OF size_N']
+    using mult_le_mono[OF card_M] mult_le_mono[OF card_N] by fastforce+
+     
+  hence "(\<Sum>\<psi> \<in> M. (size (\<psi>[N]\<^sub>\<Sigma>\<^sub>1) + 2)) \<le> ?n * (?n + 2)"
+    and "(\<Sum>\<psi> \<in> N. (size (\<psi>[M]\<^sub>\<Pi>\<^sub>1) + 2)) \<le> ?n * (?n + 2)"
+    unfolding sum_associative[OF finite_M] sum_associative[OF finite_N]
+    using card_M card_N by simp_all
+
+  hence "normal_form_disjunct_with_flatten_sigma_2_length \<phi> M N \<le> ?b"
+    and "normal_form_disjunct_with_flatten_pi_2_length \<phi> M N \<le> ?b"
+    unfolding normal_form_disjunct_with_flatten_sigma_2_length_def normal_form_disjunct_with_flatten_pi_2_length_def 
+    by (metis (no_types, lifting) flatten_sigma_2_length flatten_pi_2_length add_le_mono)+
+
+  thus ?thesis1 and ?thesis2
+    by (simp_all add: power2_eq_square)
+qed
+
+theorem normal_form_length_upper_bound:
+  "normal_form_with_flatten_sigma_2_length \<phi> \<le> normal_form_length_upper_bound \<phi>" (is "?thesis1")
+  "normal_form_with_flatten_pi_2_length \<phi> \<le> normal_form_length_upper_bound \<phi>" (is "?thesis2")
+proof -
+  let ?n = "size \<phi>"
+  let ?b = "2 ^ (size \<phi> + 1) + 2 * (size \<phi> + 2) ^ 2"
+
+  have "{(M, N) | M N. M \<subseteq> subformulas\<^sub>\<mu> \<phi> \<and> N \<subseteq> subformulas\<^sub>\<nu> \<phi>} = {M. M \<subseteq> subformulas\<^sub>\<mu> \<phi>} \<times> {N. N \<subseteq> subformulas\<^sub>\<nu> \<phi>}" (is "?choices = _")
+    by simp
+  
+  moreover
+  
+  have "card {M. M \<subseteq> subformulas\<^sub>\<mu> \<phi>} = (2 :: nat) ^ (card (subformulas\<^sub>\<mu> \<phi>))"
+    and "card {N. N \<subseteq> subformulas\<^sub>\<nu> \<phi>} = (2 :: nat) ^ (card (subformulas\<^sub>\<nu> \<phi>))"
+    using card_Pow unfolding Pow_def using subformulas\<^sub>\<mu>_finite subformulas\<^sub>\<nu>_finite by auto
+  
+  ultimately
+  
+  have "card ?choices \<le> 2 ^ (card (subfrmlsn \<phi>))" (is "?f \<le> _")
+    by (metis subformulas\<^sub>\<mu>\<^sub>\<nu>_card card_cartesian_product subformulas\<^sub>\<mu>\<^sub>\<nu>_subfrmlsn subfrmlsn_finite Suc_1 card_mono lessI power_add power_increasing_iff)
+  
+  moreover
+  
+  have "(2 :: nat) ^ (card (subfrmlsn \<phi>)) \<le> 2 ^ ?n"
+    using power_increasing[of _ _ "2 :: nat"] by (simp add: subfrmlsn_card)
+  
+  ultimately
+  
+  have bar: "of_nat (card ?choices) \<le> (2 :: nat) ^ ?n"
+    using of_nat_id by presburger
+
+  moreover
+
+  have "normal_form_with_flatten_sigma_2_length \<phi> \<le> of_nat (card ?choices) * ?b"
+    unfolding normal_form_with_flatten_sigma_2_length_def
+    by (rule sum_bounded_above) (insert normal_form_disjunct_length_upper_bound, auto)
+
+  moreover
+
+  have "normal_form_with_flatten_pi_2_length \<phi> \<le> of_nat (card ?choices) * ?b"
+    unfolding normal_form_with_flatten_pi_2_length_def
+    by (rule sum_bounded_above) (insert normal_form_disjunct_length_upper_bound, auto)
+
+  ultimately
+
+  show ?thesis1 and ?thesis2
+    unfolding normal_form_length_upper_bound_def 
+    using mult_le_mono1 order_trans by blast+
+qed
+
+subsection \<open>Proper Subformulas\<close>
+
+text \<open>We prove that the number of (proper) subformulas (sf) in a disjunct is linear and not exponential.\<close>
+
+fun sf :: "'a ltln \<Rightarrow> 'a ltln set"
+where
+  "sf (\<phi> and\<^sub>n \<psi>) = sf \<phi> \<union> sf \<psi>"
+| "sf (\<phi> or\<^sub>n \<psi>) = sf \<phi> \<union> sf \<psi>"
+| "sf (X\<^sub>n \<phi>) = {X\<^sub>n \<phi>} \<union> sf \<phi>"
+| "sf (\<phi> U\<^sub>n \<psi>) = {\<phi> U\<^sub>n \<psi>} \<union> sf \<phi> \<union> sf \<psi>"
+| "sf (\<phi> R\<^sub>n \<psi>) = {\<phi> R\<^sub>n \<psi>} \<union> sf \<phi> \<union> sf \<psi>"
+| "sf (\<phi> W\<^sub>n \<psi>) = {\<phi> W\<^sub>n \<psi>} \<union> sf \<phi> \<union> sf \<psi>"
+| "sf (\<phi> M\<^sub>n \<psi>) = {\<phi> M\<^sub>n \<psi>} \<union> sf \<phi> \<union> sf \<psi>"
+| "sf \<phi> = {}"
+
+lemma sf_finite: 
+  "finite (sf \<phi>)"
+  by (induction \<phi>) auto
+
+lemma sf_subset_subfrmlsn: 
+  "sf \<phi> \<subseteq> subfrmlsn \<phi>"
+  by (induction \<phi>) auto
+
+lemma sf_size:
+  "\<psi> \<in> sf \<phi> \<Longrightarrow> size \<psi> \<le> size \<phi>"
+  by (induction \<phi>) auto
+
+lemma sf_sf_subset: 
+  "\<psi> \<in> sf \<phi> \<Longrightarrow> sf \<psi> \<subseteq> sf \<phi>"
+  by (induction \<phi>) auto
+
+lemma subfrmlsn_sf_subset: 
+  "\<psi> \<in> subfrmlsn \<phi> \<Longrightarrow> sf \<psi> \<subseteq> sf \<phi>"
+  by (induction \<phi>) auto
+
+lemma sf_subset_insert:
+  assumes "sf \<phi> \<subseteq> insert \<phi> X"
+  assumes "\<psi> \<in> subfrmlsn \<phi>"
+  assumes "\<phi> \<noteq> \<psi>" 
+  shows "sf \<psi> \<subseteq> X" 
+proof -
+  have "sf \<psi> \<subseteq> sf \<phi> - {\<phi>}"
+    using assms(2,3) subfrmlsn_sf_subset sf_size subfrmlsn_size by fastforce
+  thus "?thesis"
+    using assms(1) by auto
+qed
+
+lemma flatten_pi_1_sf_subset: 
+  "sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1) \<subseteq> (\<Union>\<phi>\<in>sf \<phi>. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1))"
+  by (induction \<phi>) auto
+
+lemma flatten_sigma_1_sf_subset: 
+  "sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>1) \<subseteq> (\<Union>\<phi>\<in>sf \<phi>. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>1))"
+  by (induction \<phi>) auto
+
+lemma flatten_sigma_2_sf_subset: 
+  "sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) \<subseteq> (\<Union>\<psi>\<in>sf \<phi>. sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>2))"
+  by (induction \<phi>) auto
+
+lemma sf_set1: 
+  "sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1) \<subseteq> (\<Union>\<psi> \<in> (sf \<phi>). (sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>2) \<union> sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)))"
+  by (induction \<phi>) auto
+
+(* TODO: could be moved *)
+lemma ltln_not_idempotent [simp]:
+  "\<phi> and\<^sub>n \<psi> \<noteq> \<phi>" "\<psi> and\<^sub>n \<phi> \<noteq> \<phi>" "\<phi> \<noteq> \<phi> and\<^sub>n \<psi>" "\<phi> \<noteq> \<psi> and\<^sub>n \<phi>"
+  "\<phi> or\<^sub>n \<psi> \<noteq> \<phi>" "\<psi> or\<^sub>n \<phi> \<noteq> \<phi>" "\<phi> \<noteq> \<phi> or\<^sub>n \<psi>" "\<phi> \<noteq> \<psi> or\<^sub>n \<phi>"
+  "X\<^sub>n \<phi> \<noteq> \<phi>" "\<phi> \<noteq> X\<^sub>n \<phi>"
+  "\<phi> U\<^sub>n \<psi> \<noteq> \<phi>" "\<phi> \<noteq> \<phi> U\<^sub>n \<psi>" "\<psi> U\<^sub>n \<phi> \<noteq> \<phi>" "\<phi> \<noteq> \<psi> U\<^sub>n \<phi>"
+  "\<phi> R\<^sub>n \<psi> \<noteq> \<phi>" "\<phi> \<noteq> \<phi> R\<^sub>n \<psi>" "\<psi> R\<^sub>n \<phi> \<noteq> \<phi>" "\<phi> \<noteq> \<psi> R\<^sub>n \<phi>"
+  "\<phi> W\<^sub>n \<psi> \<noteq> \<phi>" "\<phi> \<noteq> \<phi> W\<^sub>n \<psi>" "\<psi> W\<^sub>n \<phi> \<noteq> \<phi>" "\<phi> \<noteq> \<psi> W\<^sub>n \<phi>"
+  "\<phi> M\<^sub>n \<psi> \<noteq> \<phi>" "\<phi> \<noteq> \<phi> M\<^sub>n \<psi>" "\<psi> M\<^sub>n \<phi> \<noteq> \<phi>" "\<phi> \<noteq> \<psi> M\<^sub>n \<phi>"
+  by (induction \<phi>; force)+
+
+lemma flatten_card_sf_induct:
+  assumes "finite X"
+  assumes "\<And>x. x \<in> X \<Longrightarrow> sf x \<subseteq> X"
+  shows "card (\<Union>\<phi>\<in>X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)) \<le> card X 
+   \<and> card (\<Union>\<phi>\<in>X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<le> card X 
+   \<and> card (\<Union>\<phi>\<in>X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<le> 3 * card X"
+  using assms(2)
+proof (induction rule: finite_ranking_induct[where f = size, OF \<open>finite X\<close>])
+  case (2 \<psi> X)
+    {
+      assume "\<psi> \<notin> X"
+      hence "\<And>\<chi>. \<chi> \<in> X \<Longrightarrow> sf \<chi> \<subseteq> X"
+        using 2(2,4) sf_subset_subfrmlsn subfrmlsn_size by fastforce
+      hence "card (\<Union>\<phi>\<in>X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)) \<le> card X"
+        and "card (\<Union>\<phi>\<in>X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<le> card X"        
+        and "card (\<Union>\<phi>\<in>X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<le> 3 * card X"
+        using 2(3) by simp+
+      
+      moreover
+
+      let ?lower1 = "\<Union>\<phi> \<in> insert \<psi> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)"
+      let ?upper1 = "(\<Union>\<phi> \<in> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)) \<union> {\<psi>[N]\<^sub>\<Sigma>\<^sub>1}"
+
+      let ?lower2 = "\<Union>\<phi> \<in> insert \<psi> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)"
+      let ?upper2 = "(\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}"
+
+      let ?lower3 = "\<Union>\<phi> \<in> insert \<psi> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)"
+      let ?upper3_cases = "{\<psi>[M]\<^sub>\<Sigma>\<^sub>2, \<psi>[M]\<^sub>\<Pi>\<^sub>1} \<union> (case \<psi> of (\<phi>1 W\<^sub>n \<phi>2) \<Rightarrow> {G\<^sub>n (\<phi>1[M]\<^sub>\<Pi>\<^sub>1)} | (\<phi>1 R\<^sub>n \<phi>2) \<Rightarrow> {G\<^sub>n (\<phi>2[M]\<^sub>\<Pi>\<^sub>1)} | _ \<Rightarrow> {})"
+      let ?upper3 = "(\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> ?upper3_cases"
+
+      have finite_upper1: "finite (?upper1)"
+        and finite_upper2: "finite (?upper2)" 
+        and finite_upper3: "finite (?upper3)" 
+        using 2(1) sf_finite by auto (cases \<psi>, auto)
+
+      have "\<And>x y. card {x, y} \<le> 3"
+        and "\<And>x y z. card {x, y, z} \<le> 3"
+        by (simp add: card_insert_if le_less)+
+      hence card_leq_3: "card (?upper3_cases) \<le> 3"
+        by (cases \<psi>) (simp_all, fast)
+
+      note card_subset_split_rule = le_trans[OF card_mono card_Un_le]
+
+      have sf_in_X: "sf \<psi> \<subseteq> insert \<psi> X"
+        using 2 by blast
+
+      have "?lower1 \<subseteq> ?upper1 \<and> ?lower2 \<subseteq> ?upper2 \<and> ?lower3 \<subseteq> ?upper3" 
+      proof (cases \<psi>)
+        case (And_ltln \<psi>\<^sub>1 \<psi>\<^sub>2)
+        have *: "sf \<psi>\<^sub>1 \<subseteq> X" "sf \<psi>\<^sub>2 \<subseteq> X" 
+          by (rule sf_subset_insert[OF sf_in_X, unfolded And_ltln]; simp)+
+
+        have "(sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2))"
+          and "(sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1))"
+          and "(sf (\<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1))"
+          subgoal
+            using flatten_sigma_2_sf_subset[of _ M] * by (force simp: And_ltln)
+          subgoal
+            using flatten_pi_1_sf_subset[of _ M] * by (force simp: And_ltln)
+          subgoal 
+            using flatten_sigma_1_sf_subset * by (force simp: And_ltln)
+          done
+        
+        thus ?thesis 
+          by blast
+      next
+        case (Or_ltln \<psi>\<^sub>1 \<psi>\<^sub>2)
+        have *: "sf \<psi>\<^sub>1 \<subseteq> X" "sf \<psi>\<^sub>2 \<subseteq> X"
+          by (rule sf_subset_insert[OF sf_in_X, unfolded Or_ltln]; simp)+
+
+        have "(sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2))"
+          and "(sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1))"
+          and "(sf (\<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1))"
+          subgoal
+            using flatten_sigma_2_sf_subset[of _ M] * by (force simp: Or_ltln)
+          subgoal
+            using flatten_pi_1_sf_subset[of _ M] * by (force simp: Or_ltln)
+          subgoal 
+            using flatten_sigma_1_sf_subset * by (force simp: Or_ltln)
+          done
+          
+        thus ?thesis 
+          by blast
+      next
+        case (Next_ltln \<psi>\<^sub>1)
+        have *: "sf \<psi>\<^sub>1 \<subseteq> X" 
+          by (rule sf_subset_insert[OF sf_in_X, unfolded Next_ltln]) simp_all
+  
+        have "(sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2)) \<union> {\<psi>[M]\<^sub>\<Sigma>\<^sub>2}"
+          and "(sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}"
+          and "(sf (\<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)) \<union> {\<psi>[N]\<^sub>\<Sigma>\<^sub>1}"
+          subgoal
+            using flatten_sigma_2_sf_subset[of _ M] * by (force simp: Next_ltln)
+          subgoal
+            using flatten_pi_1_sf_subset[of _ M] * by (force simp: Next_ltln)
+          subgoal 
+            using flatten_sigma_1_sf_subset * by (force simp: Next_ltln)
+          done
+        
+        thus ?thesis
+          by blast
+      next
+        case (Until_ltln \<psi>\<^sub>1 \<psi>\<^sub>2)
+        have *: "sf \<psi>\<^sub>1 \<subseteq> X" "sf \<psi>\<^sub>2 \<subseteq> X"
+          by (rule sf_subset_insert[OF sf_in_X, unfolded Until_ltln]; simp)+
+  
+        hence "(sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2)) \<union> {\<psi>[M]\<^sub>\<Sigma>\<^sub>2}"
+          and "(sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}"
+          and "(sf (\<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)) \<union> {\<psi>[N]\<^sub>\<Sigma>\<^sub>1}"
+          subgoal
+            using flatten_sigma_2_sf_subset[of _ M] * by (force simp: Until_ltln)
+          subgoal
+            using flatten_pi_1_sf_subset[of _ M] * by (force simp: Until_ltln)
+          subgoal 
+            using flatten_sigma_1_sf_subset * by (force simp: Until_ltln)
+          done
+  
+        thus ?thesis
+          by blast
+      next
+        case (Release_ltln \<psi>\<^sub>1 \<psi>\<^sub>2)
+        have *: "sf \<psi>\<^sub>1 \<subseteq> X" "sf \<psi>\<^sub>2 \<subseteq> X"
+          by (rule sf_subset_insert[OF sf_in_X, unfolded Release_ltln]; simp)+
+  
+        have "(sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2)) \<union> {\<psi>[M]\<^sub>\<Sigma>\<^sub>2, G\<^sub>n \<psi>\<^sub>2[M]\<^sub>\<Pi>\<^sub>1} \<union> sf (\<psi>\<^sub>2[M]\<^sub>\<Pi>\<^sub>1)"
+          and "(sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}"
+          and "(sf (\<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)) \<union> {\<psi>[N]\<^sub>\<Sigma>\<^sub>1}"
+          subgoal
+            using flatten_sigma_2_sf_subset[of _ M] * by (force simp: Release_ltln)
+          subgoal
+            using flatten_pi_1_sf_subset[of _ M] * by (force simp: Release_ltln)
+          subgoal 
+            using flatten_sigma_1_sf_subset * by (force simp: Release_ltln)
+          done
+  
+        moreover 
+        have "sf (\<psi>\<^sub>2[M]\<^sub>\<Pi>\<^sub>1) \<subseteq> (\<Union>\<phi>\<in>X. sf \<phi>[M]\<^sub>\<Sigma>\<^sub>2 \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}" 
+          using \<open>(sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}\<close> 
+          by (auto simp: Release_ltln)
+          
+        ultimately
+        show ?thesis
+          by (simp add: Release_ltln) blast 
+      next
+        case (WeakUntil_ltln \<psi>\<^sub>1 \<psi>\<^sub>2)
+        have *: "sf \<psi>\<^sub>1 \<subseteq> X" "sf \<psi>\<^sub>2 \<subseteq> X"
+          by (rule sf_subset_insert[OF sf_in_X, unfolded WeakUntil_ltln]; simp)+
+  
+        have "(sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2)) \<union> {\<psi>[M]\<^sub>\<Sigma>\<^sub>2, G\<^sub>n \<psi>\<^sub>1[M]\<^sub>\<Pi>\<^sub>1} \<union> sf (\<psi>\<^sub>1[M]\<^sub>\<Pi>\<^sub>1)"
+          and "(sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}"
+          and "(sf (\<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)) \<union> {\<psi>[N]\<^sub>\<Sigma>\<^sub>1}"
+          subgoal
+            using flatten_sigma_2_sf_subset[of _ M] * by (force simp: WeakUntil_ltln)
+          subgoal
+            using flatten_pi_1_sf_subset[of _ M] * by (force simp: WeakUntil_ltln)
+          subgoal 
+            using flatten_sigma_1_sf_subset * by (force simp: WeakUntil_ltln)
+          done
+  
+        moreover 
+        have "sf (\<psi>\<^sub>1[M]\<^sub>\<Pi>\<^sub>1) \<subseteq> (\<Union>\<phi>\<in>X. sf \<phi>[M]\<^sub>\<Sigma>\<^sub>2 \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}" 
+          using \<open>(sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}\<close> 
+          by (auto simp: WeakUntil_ltln)
+          
+        ultimately
+        show ?thesis
+          by (simp add: WeakUntil_ltln) blast 
+      next 
+        case (StrongRelease_ltln \<psi>\<^sub>1 \<psi>\<^sub>2)
+        have *: "sf \<psi>\<^sub>1 \<subseteq> X" "sf \<psi>\<^sub>2 \<subseteq> X"
+          by (rule sf_subset_insert[OF sf_in_X, unfolded StrongRelease_ltln]; simp)+
+          
+        hence "(sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>2)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2)) \<union> {\<psi>[M]\<^sub>\<Sigma>\<^sub>2}"
+          and "(sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<union> {\<psi>[M]\<^sub>\<Pi>\<^sub>1}"
+          and "(sf (\<psi>[N]\<^sub>\<Sigma>\<^sub>1)) \<subseteq> (\<Union>\<phi> \<in> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)) \<union> {\<psi>[N]\<^sub>\<Sigma>\<^sub>1}"
+          subgoal
+            using flatten_sigma_2_sf_subset[of _ M] * by (force simp: StrongRelease_ltln)
+          subgoal
+            using flatten_pi_1_sf_subset[of _ M] * by (force simp: StrongRelease_ltln)
+          subgoal 
+            using flatten_sigma_1_sf_subset * by (force simp: StrongRelease_ltln)
+          done
+          
+        thus ?thesis 
+          by blast
+      qed auto
+
+      hence "card ?lower1 \<le> card (\<Union>\<phi> \<in> X. sf (\<phi>[N]\<^sub>\<Sigma>\<^sub>1)) + 1"
+        and "card ?lower2 \<le> card (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) + 1"
+        and "card ?lower3 \<le> card (\<Union>\<phi> \<in> X. sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) + 3" 
+        using card_subset_split_rule[OF finite_upper1, of ?lower1] 
+        using card_subset_split_rule[OF finite_upper2, of ?lower2]
+        using card_subset_split_rule[OF finite_upper3, of ?lower3]
+        using card_leq_3 by simp+
+  
+      moreover
+      have "card (insert \<psi> X) = card X + 1"
+        using \<open>\<psi> \<notin> X\<close> \<open>finite X\<close> by simp
+      ultimately
+      have ?case
+        by linarith
+    }
+  moreover
+  have "\<psi> \<in> X \<Longrightarrow> ?case"
+    using 2 by (simp add: insert_absorb)
+  ultimately
+  show ?case 
+    by meson
+qed simp
+      
+theorem flatten_card_sf: 
+  "card (\<Union>\<psi> \<in> sf \<phi>. sf (\<psi>[M]\<^sub>\<Sigma>\<^sub>1)) \<le> card (sf \<phi>)" (is "?t1") 
+  "card (\<Union>\<psi> \<in> sf \<phi>. sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<le> card (sf \<phi>)" (is "?t2")
+  "card (sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2) \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<le> 3 * card (sf \<phi>)" (is "?t3")
+proof -
+  have "card (\<Union>\<psi> \<in> sf \<phi>. sf \<psi>[M]\<^sub>\<Sigma>\<^sub>2 \<union> sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1)) \<le> 3 * card (sf \<phi>)"
+    using flatten_card_sf_induct[OF sf_finite sf_sf_subset] by auto
+  moreover
+  have "card (sf \<phi>[M]\<^sub>\<Sigma>\<^sub>2 \<union> sf (\<phi>[M]\<^sub>\<Pi>\<^sub>1)) \<le> card (\<Union>\<psi> \<in> sf \<phi>. sf \<psi>[M]\<^sub>\<Sigma>\<^sub>2 \<union> sf (\<psi>[M]\<^sub>\<Pi>\<^sub>1))"
+    using card_mono[OF _ sf_set1] sf_finite by blast
+  ultimately
+  show ?t1 ?t2 ?t3
+    using flatten_card_sf_induct[OF sf_finite sf_sf_subset] by auto
+qed
+
+corollary flatten_sigma_2_card_sf: 
+  "card (sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2)) \<le> 3 * (card (sf \<phi>))"
+  by (metis sf_finite order.trans[OF _ flatten_card_sf(3), of "card (sf (\<phi>[M]\<^sub>\<Sigma>\<^sub>2))", OF card_mono] finite_UnI Un_upper1)
+
+end
\ No newline at end of file
diff --git a/thys/LTL_Normal_Form/ROOT b/thys/LTL_Normal_Form/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/LTL_Normal_Form/ROOT
@@ -0,0 +1,15 @@
+chapter AFP
+
+session LTL_Normal_Form (AFP) = "LTL" +
+  options [timeout = 600]
+  sessions
+    LTL_Master_Theorem
+  theories
+    "Normal_Form"
+    "Normal_Form_Complexity"
+    "Normal_Form_Code_Export"
+  document_files
+    "root.tex"
+    "root.bib"
+  export_files (in ".") [1]
+    "LTL_Normal_Form.Normal_Form_Code_Export:**"
diff --git a/thys/LTL_Normal_Form/document/root.bib b/thys/LTL_Normal_Form/document/root.bib
new file mode 100644
--- /dev/null
+++ b/thys/LTL_Normal_Form/document/root.bib
@@ -0,0 +1,91 @@
+@inproceedings{DBLP:conf/lop/LichtensteinPZ85,
+  author    = {Orna Lichtenstein and
+               Amir Pnueli and
+               Lenore D. Zuck},
+  editor    = {Rohit Parikh},
+  title     = {The Glory of the Past},
+  booktitle = {Logics of Programs, Conference, Brooklyn College, New York, NY, USA,
+               June 17-19, 1985, Proceedings},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {193},
+  pages     = {196--218},
+  publisher = {Springer},
+  year      = {1985},
+  _url       = {https://doi.org/10.1007/3-540-15648-8\_16},
+  doi       = {10.1007/3-540-15648-8_16},
+  timestamp = {Tue, 14 May 2019 10:00:52 +0200},
+  biburl    = {https://dblp.org/rec/bib/conf/lop/LichtensteinPZ85},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@phdthesis{XXXX:phd/Zuck86,
+  author    = {Lenore D. Zuck},
+  title     = {{Past Temporal Logic}},
+  school    = {The Weizmann Institute of Science, Israel},
+  year      = {1986},
+  month     = aug
+}
+
+@inproceedings{DBLP:conf/icalp/ChangMP92,
+  author    = {Edward Y. Chang and
+               Zohar Manna and
+               Amir Pnueli},
+  editor    = {Werner Kuich},
+  title     = {Characterization of Temporal Property Classes},
+  booktitle = {Automata, Languages and Programming, 19th International Colloquium,
+               ICALP92, Vienna, Austria, July 13-17, 1992, Proceedings},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {623},
+  pages     = {474--486},
+  publisher = {Springer},
+  year      = {1992},
+  _url       = {https://doi.org/10.1007/3-540-55719-9\_97},
+  doi       = {10.1007/3-540-55719-9_97},
+  timestamp = {Tue, 14 May 2019 10:00:44 +0200},
+  biburl    = {https://dblp.org/rec/bib/conf/icalp/ChangMP92},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@inproceedings{DBLP:conf/mfcs/CernaP03,
+  author    = {Ivana {\v{C}}ern{\'{a}} and
+               Radek Pel{\'{a}}nek},
+  editor    = {Branislav Rovan and
+               Peter Vojt{\'{a}}s},
+  title     = {Relating Hierarchy of Temporal Properties to Model Checking},
+  booktitle = {Mathematical Foundations of Computer Science 2003, 28th International
+               Symposium, {MFCS} 2003, Bratislava, Slovakia, August 25-29, 2003,
+               Proceedings},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {2747},
+  pages     = {318--327},
+  publisher = {Springer},
+  year      = {2003},
+  _url       = {https://doi.org/10.1007/978-3-540-45138-9\_26},
+  doi       = {10.1007/978-3-540-45138-9_26},
+  timestamp = {Tue, 14 May 2019 10:00:37 +0200},
+  biburl    = {https://dblp.org/rec/bib/conf/mfcs/CernaP03},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@inproceedings{XXXX:conf/lics/SickertE20,
+  author    = {Salomon Sickert and Javier Esparza},
+  title     = {An Efficient Normalisation Procedure for Linear Temporal Logic and Very Weak Alternating Automata},
+  booktitle = {Proceedings of the 35th Annual {ACM/IEEE} Symposium on Logic in Computer
+               Science, {LICS} 2020, Saarbr\"ucken, Germany, July 8-11, 2020},
+  publisher = {{ACM}},
+  year      = {2020},
+  _url       = {https://doi.org/10.1145/3373718.3394743},
+  doi       = {10.1145/3373718.3394743}
+}
+
+@article{DBLP:journals/corr/abs-2005-00472,
+  author    = {Salomon Sickert and
+               Javier Esparza},
+  title     = {An Efficient Normalisation Procedure for Linear Temporal Logic and Very Weak Alternating Automata},
+  journal   = {CoRR},
+  volume    = {abs/2005.00472},
+  year      = {2020},
+  _url       = {http://arxiv.org/abs/2005.00472},
+  archivePrefix = {arXiv},
+  eprint    = {2005.00472}
+}
diff --git a/thys/LTL_Normal_Form/document/root.tex b/thys/LTL_Normal_Form/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/LTL_Normal_Form/document/root.tex
@@ -0,0 +1,108 @@
+\documentclass[11pt,a4paper]{article}
+
+\usepackage[english]{babel}
+\usepackage[utf8]{inputenc}
+
+\usepackage{mathtools,amsthm,amssymb}
+\usepackage{isabelle,isabellesym}
+
+\usepackage[T1]{fontenc}
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+% for uniform font size
+\renewcommand{\isastyle}{\isastyleminor}
+
+% LTL Operators
+
+\newcommand{\true}{{\ensuremath{\mathbf{t\hspace{-0.5pt}t}}}}
+\newcommand{\false}{{\ensuremath{\mathbf{ff}}}}
+\newcommand{\F}{{\ensuremath{\mathbf{F}}}}
+\newcommand{\G}{{\ensuremath{\mathbf{G}}}}
+\newcommand{\X}{{\ensuremath{\mathbf{X}}}}
+\newcommand{\U}{{\ensuremath{\mathbf{U}}}}
+\newcommand{\W}{{\ensuremath{\mathbf{W}}}}
+\newcommand{\M}{{\ensuremath{\mathbf{M}}}}
+\newcommand{\R}{{\ensuremath{\mathbf{R}}}}
+
+% LTL Subformulas
+
+\newcommand{\subf}{\textit{sf}\,}
+
+\newcommand{\sfmu}{{\ensuremath{\mathbb{\mu}}}}
+\newcommand{\sfnu}{{\ensuremath{\mathbb{\nu}}}}
+\newcommand{\setmu}{\ensuremath{M}}
+\newcommand{\setnu}{\ensuremath{N}}
+\newcommand{\setF}{\ensuremath{\mathcal{F}}}
+\newcommand{\setG}{\ensuremath{\mathcal{G}}}
+\newcommand{\setFG}{\ensuremath{\mathcal{F\hspace{-0.1em}G}}}
+\newcommand{\setGF}{\ensuremath{\mathcal{G\hspace{-0.1em}F}\!}}
+
+% LTL Functions
+
+\newcommand{\evalnu}[2]{{#1[#2]^\Pi_1}}
+\newcommand{\evalmu}[2]{{#1[#2]^\Sigma_1}}
+\newcommand{\flatten}[2]{{#1[#2]^\Sigma_2}}
+\newcommand{\flattentwo}[2]{{#1[#2]^\Pi_2}}
+
+\newtheorem{theorem}{Theorem}
+\newtheorem{definition}[theorem]{Definition}
+\newtheorem{lemma}[theorem]{Lemma}
+\newtheorem{corollary}[theorem]{Corollary}
+\newtheorem{proposition}[theorem]{Proposition}
+\newtheorem{example}[theorem]{Example}
+\newtheorem{remark}[theorem]{Remark}
+
+\begin{document}
+
+\title{An Efficient Normalisation Procedure for Linear Temporal Logic: Isabelle/HOL Formalisation}
+\author{Salomon Sickert}
+
+\maketitle
+
+\begin{abstract}
+In the mid 80s, Lichtenstein, Pnueli, and Zuck proved a classical theorem stating that every formula of Past LTL (the extension of LTL with past operators) is equivalent to a formula of the form $\bigwedge_{i=1}^n \G\F \varphi_i \vee \F\G \psi_i $, where $\varphi_i$ and $\psi_i$ contain only past operators \cite{DBLP:conf/lop/LichtensteinPZ85,XXXX:phd/Zuck86}. Some years later, Chang, Manna, and Pnueli built on this result to derive a similar normal form for LTL \cite{DBLP:conf/icalp/ChangMP92}. Both normalisation procedures have a non-elementary worst-case blow-up, and follow an involved path from formulas to counter-free automata to star-free regular expressions and back to formulas. We improve on both points. We present an executable formalisation of a direct and purely syntactic normalisation procedure for LTL yielding a normal form, comparable to the one by Chang, Manna, and Pnueli, that has only a single exponential blow-up.
+\end{abstract}
+
+\tableofcontents
+
+\section{Overview}
+
+This document contains the formalisation of the central results appearing in \cite[Sections 4-6]{XXXX:conf/lics/SickertE20}. We refer the interested reader to \cite{XXXX:conf/lics/SickertE20} or to the extended version \cite{DBLP:journals/corr/abs-2005-00472} for an introduction to the topic, related work, intuitive explanations of the proofs, and an application of the normalisation procedure, namely, a translation from LTL to deterministic automata.
+
+The central result of this document is the following theorem: 
+
+\begin{theorem}
+Let $\varphi$ be an LTL formula and let $\Delta_2$, $\Sigma_1$, $\Sigma_2$, and $\Pi_1$ be the classes of LTL formulas from Definition \ref{def:future_hierarchy}. Then $\varphi$ is equivalent to the following formula from the class $\Delta_2$:
+\[
+\bigvee_{\substack{\setmu \subseteq \sfmu(\varphi)\\\setnu \subseteq \sfnu(\varphi)}} \left( \flatten{\varphi}{\setmu} \wedge \bigwedge_{\psi \in \setmu} \G\F(\evalmu{\psi}{\setnu}) \wedge \bigwedge_{\psi \in \setnu} \F\G(\evalnu{\psi}{\setmu}) \right)
+\]
+\noindent where $\flatten{\psi}{\setmu}$, $\evalmu{\psi}{\setnu}$, and $\evalnu{\psi}{\setmu}$ are functions mapping $\psi$ to a formula from $\Sigma_2$, $\Sigma_1$, and $\Pi_1$, respectively.
+\end{theorem}
+
+\begin{definition}[Adapted from \cite{DBLP:conf/mfcs/CernaP03}]
+\label{def:future_hierarchy}
+We define the following classes of LTL formulas:
+\begin{itemize}
+	\item The class $\Sigma_0 = \Pi_0 = \Delta_0$ is the least set containing all atomic propositions and their negations, and is closed under the application of conjunction and disjunction.
+	\item The class $\Sigma_{i+1}$ is the least set containing $\Pi_i$ and is closed under the application of conjunction, disjunction, and the $\X$, $\U$, and $\M$ operators.
+	\item The class $\Pi_{i+1}$ is the least set containing $\Sigma_i$ and is closed under the application of conjunction, disjunction, and the $\X$, $\R$, and $\W$ operators.
+	\item The class $\Delta_{i+1}$ is the least set containing $\Sigma_{i+1}$ and $\Pi_{i+1}$ and is closed under the application of conjunction and disjunction.
+\end{itemize}
+\end{definition}
+
+% sane default for proof documents
+\parindent 0pt\parskip 0.5ex
+
+% generated text of all theories
+\input{session}
+
+\bibliographystyle{plainurl}
+\bibliography{root}
+
+\end{document}
diff --git a/thys/Lambert_W/Lambert_W.thy b/thys/Lambert_W/Lambert_W.thy
new file mode 100644
--- /dev/null
+++ b/thys/Lambert_W/Lambert_W.thy
@@ -0,0 +1,1405 @@
+(*
+  File:    Lambert_W.thy
+  Author:  Manuel Eberl, TU München
+
+  Definition and basic properties of the two real-valued branches of the Lambert W function,
+*)
+section \<open>The Lambert $W$ Function on the reals\<close>
+theory Lambert_W
+imports
+  Complex_Main
+  "HOL-Library.FuncSet"
+  "HOL-Real_Asymp.Real_Asymp"
+begin
+
+(*<*)
+text \<open>Some lemmas about asymptotic equivalence:\<close>
+
+lemma asymp_equiv_sandwich':
+  fixes f :: "'a \<Rightarrow> real"
+  assumes "\<And>c'. c' \<in> {l<..<c} \<Longrightarrow> eventually (\<lambda>x. f x \<ge> c' * g x) F"
+  assumes "\<And>c'. c' \<in> {c<..<u} \<Longrightarrow> eventually (\<lambda>x. f x \<le> c' * g x) F"
+  assumes "l < c" "c < u" and [simp]: "c \<noteq> 0"
+  shows   "f \<sim>[F] (\<lambda>x. c * g x)"
+proof -
+  have "(\<lambda>x. f x - c * g x) \<in> o[F](g)"
+  proof (rule landau_o.smallI)
+    fix e :: real assume e: "e > 0"
+    define C1 where "C1 = min (c + e) ((c + u) / 2)"
+    have C1: "C1 \<in> {c<..<u}" "C1 - c \<le> e"
+      using e assms by (auto simp: C1_def min_def)
+    define C2 where "C2 = max (c - e) ((c + l) / 2)"
+    have C2: "C2 \<in> {l<..<c}" "c - C2 \<le> e"
+      using e assms by (auto simp: C2_def max_def field_simps)
+
+    show "eventually (\<lambda>x. norm (f x - c * g x) \<le> e * norm (g x)) F"
+      using assms(2)[OF C1(1)] assms(1)[OF C2(1)]
+    proof eventually_elim
+      case (elim x)
+      show ?case
+      proof (cases "f x \<ge> c * g x")
+        case True
+        hence "norm (f x - c * g x) = f x - c * g x"
+          by simp
+        also have "\<dots> \<le> (C1 - c) * g x"
+          using elim by (simp add: algebra_simps)
+        also have "\<dots> \<le> (C1 - c) * norm (g x)"
+          using C1 by (intro mult_left_mono) auto
+        also have "\<dots> \<le> e * norm (g x)"
+          using C1 elim by (intro mult_right_mono) auto
+        finally show ?thesis using elim by simp
+      next
+        case False
+        hence "norm (f x - c * g x) = c * g x - f x"
+          by simp
+        also have "\<dots> \<le> (c - C2) * g x"
+          using elim by (simp add: algebra_simps)
+        also have "\<dots> \<le> (c - C2) * norm (g x)"
+          using C2 by (intro mult_left_mono) auto
+        also have "\<dots> \<le> e * norm (g x)"
+          using C2 elim by (intro mult_right_mono) auto
+        finally show ?thesis using elim by simp
+      qed
+    qed
+  qed
+  also have "g \<in> O[F](\<lambda>x. c * g x)"
+    by simp
+  finally show ?thesis
+    unfolding asymp_equiv_altdef by blast
+qed
+
+lemma asymp_equiv_sandwich'':
+  fixes f :: "'a \<Rightarrow> real"
+  assumes "\<And>c'. c' \<in> {l<..<1} \<Longrightarrow> eventually (\<lambda>x. f x \<ge> c' * g x) F"
+  assumes "\<And>c'. c' \<in> {1<..<u} \<Longrightarrow> eventually (\<lambda>x. f x \<le> c' * g x) F"
+  assumes "l < 1" "1 < u"
+  shows   "f \<sim>[F] (g)"
+  using asymp_equiv_sandwich'[of l 1 g f F u] assms by simp
+(*>*)
+
+subsection \<open>Properties of the function $x\mapsto x e^{x}$\<close>
+
+lemma exp_times_self_gt:
+  assumes "x \<noteq> -1"
+  shows   "x * exp x > -exp (-1::real)"
+proof -
+  define f where "f = (\<lambda>x::real. x * exp x)"
+  define f' where "f' = (\<lambda>x::real. (x + 1) * exp x)"
+  have "(f has_field_derivative f' x) (at x)" for x
+    by (auto simp: f_def f'_def intro!: derivative_eq_intros simp: algebra_simps)
+  define l r where "l = min x (-1)" and "r = max x (-1)"
+
+  have "\<exists>z. z > l \<and> z < r \<and> f r - f l = (r - l) * f' z"
+    unfolding f_def f'_def l_def r_def using assms
+    by (intro MVT2) (auto intro!: derivative_eq_intros simp: algebra_simps)
+  then obtain z where z: "z \<in> {l<..<r}" "f r - f l = (r - l) * f' z"
+    by auto
+  from z have "f x = f (-1) + (x + 1) * f' z"
+    using assms by (cases "x \<ge> -1") (auto simp: l_def r_def max_def min_def algebra_simps)
+  moreover have "sgn ((x + 1) * f' z) = 1"
+    using z assms
+    by (cases x "(-1) :: real" rule: linorder_cases; cases z "(-1) :: real" rule: linorder_cases)
+       (auto simp: f'_def sgn_mult l_def r_def)
+  hence "(x + 1) * f' z > 0" using sgn_greater by fastforce
+  ultimately show ?thesis by (simp add: f_def)
+qed
+
+lemma exp_times_self_ge: "x * exp x \<ge> -exp (-1::real)"
+  using exp_times_self_gt[of x] by (cases "x = -1") auto
+
+lemma exp_times_self_strict_mono:
+  assumes "x \<ge> -1" "x < (y :: real)"
+  shows   "x * exp x < y * exp y"
+  using assms(2)
+proof (rule DERIV_pos_imp_increasing_open)
+  fix t assume t: "x < t" "t < y"
+  have "((\<lambda>x. x * exp x) has_real_derivative (t + 1) * exp t) (at t)"
+    by (auto intro!: derivative_eq_intros simp: algebra_simps)
+  moreover have "(t + 1) * exp t > 0"
+    using t assms by (intro mult_pos_pos) auto
+  ultimately show "\<exists>y. ((\<lambda>a. a * exp a) has_real_derivative y) (at t) \<and> 0 < y" by blast
+qed (auto intro!: continuous_intros)
+
+lemma exp_times_self_strict_antimono:
+  assumes "y \<le> -1" "x < (y :: real)"
+  shows   "x * exp x > y * exp y"
+proof -
+  have "-x * exp x < -y * exp y"
+    using assms(2)
+  proof (rule DERIV_pos_imp_increasing_open)
+    fix t assume t: "x < t" "t < y"
+    have "((\<lambda>x. -x * exp x) has_real_derivative (-(t + 1)) * exp t) (at t)"
+      by (auto intro!: derivative_eq_intros simp: algebra_simps)
+    moreover have "(-(t + 1)) * exp t > 0"
+      using t assms by (intro mult_pos_pos) auto
+    ultimately show "\<exists>y. ((\<lambda>a. -a * exp a) has_real_derivative y) (at t) \<and> 0 < y" by blast
+  qed (auto intro!: continuous_intros)
+  thus ?thesis by simp
+qed
+
+lemma exp_times_self_mono:
+  assumes "x \<ge> -1" "x \<le> (y :: real)"
+  shows   "x * exp x \<le> y * exp y"
+  using exp_times_self_strict_mono[of x y] assms by (cases "x = y") auto
+
+lemma exp_times_self_antimono:
+  assumes "y \<le> -1" "x \<le> (y :: real)"
+  shows   "x * exp x \<ge> y * exp y"
+  using exp_times_self_strict_antimono[of y x] assms by (cases "x = y") auto
+
+lemma exp_times_self_inj: "inj_on (\<lambda>x::real. x * exp x) {-1..}"
+proof
+  fix x y :: real
+  assume "x \<in> {-1..}" "y \<in> {-1..}" "x * exp x = y * exp y"
+  thus "x = y"
+    using exp_times_self_strict_mono[of x y] exp_times_self_strict_mono[of y x]
+    by (cases x y rule: linorder_cases) auto
+qed
+
+lemma exp_times_self_inj': "inj_on (\<lambda>x::real. x * exp x) {..-1}"
+proof
+  fix x y :: real
+  assume "x \<in> {..-1}" "y \<in> {..-1}" "x * exp x = y * exp y"
+  thus "x = y"
+    using exp_times_self_strict_antimono[of x y] exp_times_self_strict_antimono[of y x]
+    by (cases x y rule: linorder_cases) auto
+qed
+
+
+subsection \<open>Definition\<close>
+
+text \<open>
+  The following are the two branches $W_0(x)$ and $W_{-1}(x)$ of the Lambert $W$ function on the
+  real numbers. These are the inverse functions of the function $x\mapsto xe^x$, i.\,e.\ 
+  we have $W(x)e^{W(x)} = x$ for both branches wherever they are defined. The two branches
+  meet at the point $x = -\frac{1}{e}$.
+
+  $W_0(x)$ is the principal branch, whose domain is $[-\frac{1}{e}; \infty)$ and whose
+  range is $[-1; \infty)$.
+  $W_{-1}(x)$ has the domain $[-\frac{1}{e}; 0)$ and the range $(-\infty;-1]$.
+  Figure~\ref{fig:lambertw} shows plots of these two branches for illustration.
+\<close>
+
+text \<open>
+\definecolor{myblue}{HTML}{3869b1}
+\definecolor{myred}{HTML}{cc2428}
+\begin{figure}
+\begin{center}
+\begin{tikzpicture}
+  \begin{axis}[
+          xmin=-0.5, xmax=6.6, ymin=-3.8, ymax=1.5, axis lines=middle, ytick = {-3, -2, -1, 1}, xtick = {1,...,10}, yticklabel pos = right,
+          yticklabel style={right,xshift=1mm},
+          extra x tick style={tick label style={above,yshift=1mm}},
+          extra x ticks={-0.367879441},
+          extra x tick labels={$-\frac{1}{e}$},
+          width=\textwidth, height=0.8\textwidth,
+          xlabel={$x$}, tick style={thin,black}
+  ] 
+  \addplot [color=black, line width=0.5pt, densely dashed, mark=none,domain=-5:0,samples=200] ({-exp(-1)}, {x}); 
+  \addplot [color=myblue, line width=1pt, mark=none,domain=-1:1.5,samples=200] ({x*exp(x)}, {x}); 
+  \addplot [color=myred, line width=1pt, mark=none,domain=-5:-1,samples=200] ({x*exp(x)}, {x}); 
+  \end{axis}
+\end{tikzpicture}
+\end{center}
+\caption{The two real branches of the Lambert $W$ function: $W_0$ (blue) and $W_{-1}$ (red).}
+\label{fig:lambertw}
+\end{figure}
+\<close>
+
+definition Lambert_W :: "real \<Rightarrow> real" where
+  "Lambert_W x = (if x < -exp(-1) then -1 else (THE w. w \<ge> -1 \<and> w * exp w = x))"
+
+definition Lambert_W' :: "real \<Rightarrow> real" where
+  "Lambert_W' x = (if x \<in> {-exp(-1)..<0} then (THE w. w \<le> -1 \<and> w * exp w = x) else -1)"
+
+lemma Lambert_W_ex1:
+  assumes "(x::real) \<ge> -exp (-1)"
+  shows   "\<exists>!w. w \<ge> -1 \<and> w * exp w = x"
+proof (rule ex_ex1I)
+  have "filterlim (\<lambda>w::real. w * exp w) at_top at_top"
+    by real_asymp
+  hence "eventually (\<lambda>w. w * exp w \<ge> x) at_top"
+    by (auto simp: filterlim_at_top)
+  hence "eventually (\<lambda>w. w \<ge> 0 \<and> w * exp w \<ge> x) at_top"
+    by (intro eventually_conj eventually_ge_at_top)
+  then obtain w' where w': "w' * exp w' \<ge> x" "w' \<ge> 0"
+    by (auto simp: eventually_at_top_linorder)
+  from w' assms have "\<exists>w. -1 \<le> w \<and> w \<le> w' \<and> w * exp w = x"
+    by (intro IVT' continuous_intros) auto
+  thus "\<exists>w. w \<ge> -1 \<and> w * exp w = x" by blast
+next
+  fix w w' :: real
+  assume ww': "w \<ge> -1 \<and> w * exp w = x" "w' \<ge> -1 \<and> w' * exp w' = x"
+  hence "w * exp w = w' * exp w'" by simp
+  thus "w = w'"
+    using exp_times_self_strict_mono[of w w'] exp_times_self_strict_mono[of w' w] ww'
+    by (cases w w' rule: linorder_cases) auto
+qed
+
+lemma Lambert_W'_ex1:
+  assumes "(x::real) \<in> {-exp (-1)..<0}"
+  shows   "\<exists>!w. w \<le> -1 \<and> w * exp w = x"
+proof (rule ex_ex1I)
+  have "eventually (\<lambda>w. x \<le> w * exp w) at_bot"
+    using assms by real_asymp
+  hence "eventually (\<lambda>w. w \<le> -1 \<and> w * exp w \<ge> x) at_bot"
+    by (intro eventually_conj eventually_le_at_bot)
+  then obtain w' where w': "w' * exp w' \<ge> x" "w' \<le> -1"
+    by (auto simp: eventually_at_bot_linorder)
+
+  from w' assms have "\<exists>w. w' \<le> w \<and> w \<le> -1 \<and> w * exp w = x"
+    by (intro IVT2' continuous_intros) auto
+  thus "\<exists>w. w \<le> -1 \<and> w * exp w = x" by blast
+next
+  fix w w' :: real
+  assume ww': "w \<le> -1 \<and> w * exp w = x" "w' \<le> -1 \<and> w' * exp w' = x"
+  hence "w * exp w = w' * exp w'" by simp
+  thus "w = w'"
+    using exp_times_self_strict_antimono[of w w'] exp_times_self_strict_antimono[of w' w] ww'
+    by (cases w w' rule: linorder_cases) auto
+qed
+
+lemma Lambert_W_times_exp_self: 
+  assumes "x \<ge> -exp (-1)"
+  shows   "Lambert_W x * exp (Lambert_W x) = x"
+  using theI'[OF Lambert_W_ex1[OF assms]] assms by (auto simp: Lambert_W_def)
+
+lemma Lambert_W_times_exp_self':
+  assumes "x \<ge> -exp (-1)"
+  shows   "exp (Lambert_W x) * Lambert_W x = x"
+  using Lambert_W_times_exp_self[of x] assms by (simp add: mult_ac)
+
+lemma Lambert_W'_times_exp_self: 
+  assumes "x \<in> {-exp (-1)..<0}"
+  shows   "Lambert_W' x * exp (Lambert_W' x) = x"
+  using theI'[OF Lambert_W'_ex1[OF assms]] assms by (auto simp: Lambert_W'_def)
+
+lemma Lambert_W'_times_exp_self':
+  assumes "x \<in> {-exp (-1)..<0}"
+  shows   "exp (Lambert_W' x) * Lambert_W' x = x"
+  using Lambert_W'_times_exp_self[of x] assms by (simp add: mult_ac)
+
+lemma Lambert_W_ge: "Lambert_W x \<ge> -1"
+  using theI'[OF Lambert_W_ex1[of x]] by (auto simp: Lambert_W_def)
+
+lemma Lambert_W'_le: "Lambert_W' x \<le> -1"
+  using theI'[OF Lambert_W'_ex1[of x]] by (auto simp: Lambert_W'_def)
+
+lemma Lambert_W_eqI:
+  assumes "w \<ge> -1" "w * exp w = x"
+  shows   "Lambert_W x = w"
+proof -
+  from assms exp_times_self_ge[of w] have "x \<ge> -exp (-1)"
+    by (cases "x \<ge> -exp (-1)") auto
+  from Lambert_W_ex1[OF this] Lambert_W_times_exp_self[OF this] Lambert_W_ge[of x] assms
+    show ?thesis by metis
+  qed
+
+lemma Lambert_W'_eqI:
+  assumes "w \<le> -1" "w * exp w = x"
+  shows   "Lambert_W' x = w"
+proof -
+  from assms exp_times_self_ge[of w] have "x \<ge> -exp (-1)"
+    by (cases "x \<ge> -exp (-1)") auto
+  moreover from assms have "w * exp w < 0"
+    by (intro mult_neg_pos) auto
+  ultimately have "x \<in> {-exp (-1)..<0}"
+    using assms by auto
+
+  from Lambert_W'_ex1[OF this(1)] Lambert_W'_times_exp_self[OF this(1)] Lambert_W'_le assms
+    show ?thesis by metis
+  qed
+
+text \<open>
+  $W_0(x)$ and $W_{-1}(x)$ together fully cover all solutions of $we^w = x$:
+\<close>
+lemma exp_times_self_eqD:
+  assumes "w * exp w = x"
+  shows   "x \<ge> -exp (-1)" and "w = Lambert_W x \<or> x < 0 \<and> w = Lambert_W' x"
+proof -
+  from assms show "x \<ge> -exp (-1)"
+    using exp_times_self_ge[of w] by auto
+  show "w = Lambert_W x \<or> x < 0 \<and> w = Lambert_W' x"
+  proof (cases "w \<ge> -1")
+    case True
+    hence "Lambert_W x = w"
+      using assms by (intro Lambert_W_eqI) auto
+    thus ?thesis by auto
+  next
+    case False
+    from False have "w * exp w < 0"
+      by (intro mult_neg_pos) auto
+    from False have "Lambert_W' x = w"
+      using assms by (intro Lambert_W'_eqI) auto
+    thus ?thesis using assms \<open>w * exp w < 0\<close> by auto
+  qed
+qed
+
+theorem exp_times_self_eq_iff:
+  "w * exp w = x \<longleftrightarrow> x \<ge> -exp (-1) \<and> (w = Lambert_W x \<or> x < 0 \<and> w = Lambert_W' x)"
+  using exp_times_self_eqD[of w x]
+  by (auto simp: Lambert_W_times_exp_self Lambert_W'_times_exp_self)
+
+lemma Lambert_W_exp_times_self [simp]: "x \<ge> -1 \<Longrightarrow> Lambert_W (x * exp x) = x"
+  by (rule Lambert_W_eqI) auto
+
+lemma Lambert_W_exp_times_self' [simp]: "x \<ge> -1 \<Longrightarrow> Lambert_W (exp x * x) = x"
+  by (rule Lambert_W_eqI) auto
+
+lemma Lambert_W'_exp_times_self [simp]: "x \<le> -1 \<Longrightarrow> Lambert_W' (x * exp x) = x"
+  by (rule Lambert_W'_eqI) auto
+
+lemma Lambert_W'_exp_times_self' [simp]: "x \<le> -1 \<Longrightarrow> Lambert_W' (exp x * x) = x"
+  by (rule Lambert_W'_eqI) auto
+
+lemma Lambert_W_times_ln_self:
+  assumes "x \<ge> exp (-1)"
+  shows   "Lambert_W (x * ln x) = ln x"
+proof -
+  have "0 < exp (-1 :: real)"
+    by simp
+  also note \<open>\<dots> \<le> x\<close>
+  finally have "x > 0" .
+  from assms have "ln (exp (-1)) \<le> ln x"
+    using \<open>x > 0\<close> by (subst ln_le_cancel_iff) auto
+  hence "Lambert_W (exp (ln x) * ln x) = ln x"
+    by (subst Lambert_W_exp_times_self') auto
+  thus ?thesis using \<open>x > 0\<close> by simp
+qed
+
+lemma Lambert_W_times_ln_self':
+  assumes "x \<ge> exp (-1)"
+  shows   "Lambert_W (ln x  * x) = ln x"
+  using Lambert_W_times_ln_self[OF assms] by (simp add: mult.commute)
+
+lemma Lambert_W_eq_minus_exp_minus1 [simp]: "Lambert_W (-exp (-1)) = -1"
+  by (rule Lambert_W_eqI) auto
+
+lemma Lambert_W'_eq_minus_exp_minus1 [simp]: "Lambert_W' (-exp (-1)) = -1"
+  by (rule Lambert_W'_eqI) auto
+
+lemma Lambert_W_0 [simp]: "Lambert_W 0 = 0"
+  by (rule Lambert_W_eqI) auto
+
+
+subsection \<open>Monotonicity properties\<close>
+
+lemma Lambert_W_strict_mono:
+  assumes "x \<ge> -exp(-1)" "x < y"
+  shows   "Lambert_W x < Lambert_W y"
+proof (rule ccontr)
+  assume "\<not>(Lambert_W x < Lambert_W y)"
+  hence "Lambert_W x * exp (Lambert_W x) \<ge> Lambert_W y * exp (Lambert_W y)"
+    by (intro exp_times_self_mono) (auto simp: Lambert_W_ge)
+  hence "x \<ge> y"
+    using assms by (simp add: Lambert_W_times_exp_self)
+  with assms show False by simp
+qed
+
+lemma Lambert_W_mono:
+  assumes "x \<ge> -exp(-1)" "x \<le> y"
+  shows   "Lambert_W x \<le> Lambert_W y"
+  using Lambert_W_strict_mono[of x y] assms by (cases "x = y") auto
+
+lemma Lambert_W_eq_iff [simp]:
+  "x \<ge> -exp(-1) \<Longrightarrow> y \<ge> -exp(-1) \<Longrightarrow> Lambert_W x = Lambert_W y \<longleftrightarrow> x = y"
+  using Lambert_W_strict_mono[of x y] Lambert_W_strict_mono[of y x]
+  by (cases x y rule: linorder_cases) auto
+
+lemma Lambert_W_le_iff [simp]:
+  "x \<ge> -exp(-1) \<Longrightarrow> y \<ge> -exp(-1) \<Longrightarrow> Lambert_W x \<le> Lambert_W y \<longleftrightarrow> x \<le> y"
+  using Lambert_W_strict_mono[of x y] Lambert_W_strict_mono[of y x]
+  by (cases x y rule: linorder_cases) auto
+
+lemma Lambert_W_less_iff [simp]:
+  "x \<ge> -exp(-1) \<Longrightarrow> y \<ge> -exp(-1) \<Longrightarrow> Lambert_W x < Lambert_W y \<longleftrightarrow> x < y"
+  using Lambert_W_strict_mono[of x y] Lambert_W_strict_mono[of y x]
+  by (cases x y rule: linorder_cases) auto
+
+lemma Lambert_W_le_minus_one:
+  assumes "x \<le> -exp(-1)"
+  shows   "Lambert_W x = -1"
+proof (cases "x = -exp(-1)")
+  case False
+  thus ?thesis using assms
+    by (auto simp: Lambert_W_def)
+qed auto
+
+lemma Lambert_W_pos_iff [simp]: "Lambert_W x > 0 \<longleftrightarrow> x > 0"
+proof (cases "x \<ge> -exp (-1)")
+  case True
+  thus ?thesis
+    using Lambert_W_less_iff[of 0 x] by (simp del: Lambert_W_less_iff)
+next
+  case False
+  hence "x < - exp(-1)" by auto
+  also have "\<dots> \<le> 0" by simp
+  finally show ?thesis using False
+    by (auto simp: Lambert_W_le_minus_one)
+qed
+
+lemma Lambert_W_eq_0_iff [simp]: "Lambert_W x = 0 \<longleftrightarrow> x = 0"
+  using Lambert_W_eq_iff[of x 0]
+  by (cases "x \<ge> -exp (-1)") (auto simp: Lambert_W_le_minus_one simp del: Lambert_W_eq_iff)
+
+lemma Lambert_W_nonneg_iff [simp]: "Lambert_W x \<ge> 0 \<longleftrightarrow> x \<ge> 0"
+  using Lambert_W_pos_iff[of x]
+  by (cases "x = 0") (auto simp del: Lambert_W_pos_iff)
+
+lemma Lambert_W_neg_iff [simp]: "Lambert_W x < 0 \<longleftrightarrow> x < 0"
+  using Lambert_W_nonneg_iff[of x] by (auto simp del: Lambert_W_nonneg_iff)
+
+lemma Lambert_W_nonpos_iff [simp]: "Lambert_W x \<le> 0 \<longleftrightarrow> x \<le> 0"
+  using Lambert_W_pos_iff[of x] by (auto simp del: Lambert_W_pos_iff)
+
+lemma Lambert_W_geI:
+  assumes "y * exp y \<le> x"
+  shows   "Lambert_W x \<ge> y"
+proof (cases "y \<ge> -1")
+  case False
+  hence "y \<le> -1" by simp
+  also have "-1 \<le> Lambert_W x" by (rule Lambert_W_ge)
+  finally show ?thesis .
+next
+  case True
+  have "Lambert_W x \<ge> Lambert_W (y * exp y)"
+    using assms exp_times_self_ge[of y] by (intro Lambert_W_mono) auto
+  thus ?thesis using assms True by simp
+qed
+
+lemma Lambert_W_gtI:
+  assumes "y * exp y < x"
+  shows   "Lambert_W x > y"
+proof (cases "y \<ge> -1")
+  case False
+  hence "y < -1" by simp
+  also have "-1 \<le> Lambert_W x" by (rule Lambert_W_ge)
+  finally show ?thesis .
+next
+  case True
+  have "Lambert_W x > Lambert_W (y * exp y)"
+    using assms exp_times_self_ge[of y] by (intro Lambert_W_strict_mono) auto
+  thus ?thesis using assms True by simp
+qed
+
+lemma Lambert_W_leI:
+  assumes "y * exp y \<ge> x" "y \<ge> -1" "x \<ge> -exp (-1)"
+  shows   "Lambert_W x \<le> y"
+proof -
+  have "Lambert_W x \<le> Lambert_W (y * exp y)"
+    using assms exp_times_self_ge[of y] by (intro Lambert_W_mono) auto
+  thus ?thesis using assms by simp
+qed
+
+lemma Lambert_W_lessI:
+  assumes "y * exp y > x" "y \<ge> -1" "x \<ge> -exp (-1)"
+  shows   "Lambert_W x < y"
+proof -
+  have "Lambert_W x < Lambert_W (y * exp y)"
+    using assms exp_times_self_ge[of y] by (intro Lambert_W_strict_mono) auto
+  thus ?thesis using assms by simp
+qed
+
+
+
+lemma Lambert_W'_strict_antimono:
+  assumes "-exp (-1) \<le> x" "x < y" "y < 0"
+  shows   "Lambert_W' x > Lambert_W' y"
+proof (rule ccontr)
+  assume "\<not>(Lambert_W' x > Lambert_W' y)"
+  hence "Lambert_W' x * exp (Lambert_W' x) \<ge> Lambert_W' y * exp (Lambert_W' y)"
+    using assms by (intro exp_times_self_antimono Lambert_W'_le) auto
+  hence "x \<ge> y"
+    using assms by (simp add: Lambert_W'_times_exp_self)
+  with assms show False by simp
+qed
+
+lemma Lambert_W'_antimono:
+  assumes "x \<ge> -exp(-1)" "x \<le> y" "y < 0"
+  shows   "Lambert_W' x \<ge> Lambert_W' y"
+  using Lambert_W'_strict_antimono[of x y] assms by (cases "x = y") auto
+
+lemma Lambert_W'_eq_iff [simp]:
+  "x \<in> {-exp(-1)..<0} \<Longrightarrow> y \<in> {-exp(-1)..<0} \<Longrightarrow> Lambert_W' x = Lambert_W' y \<longleftrightarrow> x = y"
+  using Lambert_W'_strict_antimono[of x y] Lambert_W'_strict_antimono[of y x]
+  by (cases x y rule: linorder_cases) auto
+
+lemma Lambert_W'_le_iff [simp]:
+  "x \<in> {-exp(-1)..<0} \<Longrightarrow> y \<in> {-exp(-1)..<0} \<Longrightarrow> Lambert_W' x \<le> Lambert_W' y \<longleftrightarrow> x \<ge> y"
+  using Lambert_W'_strict_antimono[of x y] Lambert_W'_strict_antimono[of y x]
+  by (cases x y rule: linorder_cases) auto
+
+lemma Lambert_W'_less_iff [simp]:
+  "x \<in> {-exp(-1)..<0} \<Longrightarrow> y \<in> {-exp(-1)..<0} \<Longrightarrow> Lambert_W' x < Lambert_W' y \<longleftrightarrow> x > y"
+  using Lambert_W'_strict_antimono[of x y] Lambert_W'_strict_antimono[of y x]
+  by (cases x y rule: linorder_cases) auto
+
+lemma Lambert_W'_le_minus_one:
+  assumes "x \<le> -exp(-1)"
+  shows   "Lambert_W' x = -1"
+proof (cases "x = -exp(-1)")
+  case False
+  thus ?thesis using assms
+    by (auto simp: Lambert_W'_def)
+qed auto
+
+lemma Lambert_W'_ge_zero: "x \<ge> 0 \<Longrightarrow> Lambert_W' x = -1"
+  by (simp add: Lambert_W'_def)
+
+lemma Lambert_W'_neg: "Lambert_W' x < 0"
+  by (rule le_less_trans[OF Lambert_W'_le]) auto
+
+lemma Lambert_W'_nz [simp]: "Lambert_W' x \<noteq> 0"
+  using Lambert_W'_neg[of x] by simp
+
+lemma Lambert_W'_geI:
+  assumes "y * exp y \<ge> x" "y \<le> -1" "x \<ge> -exp(-1)"
+  shows   "Lambert_W' x \<ge> y"
+proof -
+  from assms have "y * exp y < 0"
+    by (intro mult_neg_pos) auto
+  hence "Lambert_W' x \<ge> Lambert_W' (y * exp y)"
+    using assms exp_times_self_ge[of y] by (intro Lambert_W'_antimono) auto
+  thus ?thesis using assms by simp
+qed
+
+lemma Lambert_W'_gtI:
+  assumes "y * exp y > x" "y \<le> -1" "x \<ge> -exp(-1)"
+  shows   "Lambert_W' x \<ge> y"
+proof -
+  from assms have "y * exp y < 0"
+    by (intro mult_neg_pos) auto
+  hence "Lambert_W' x > Lambert_W' (y * exp y)"
+    using assms exp_times_self_ge[of y] by (intro Lambert_W'_strict_antimono) auto
+  thus ?thesis using assms by simp
+qed
+
+lemma Lambert_W'_leI:
+  assumes "y * exp y \<le> x" "x < 0"
+  shows   "Lambert_W' x \<le> y"
+proof (cases "y \<le> -1")
+  case True
+  have "Lambert_W' x \<le> Lambert_W' (y * exp y)"
+    using assms exp_times_self_ge[of y] by (intro Lambert_W'_antimono) auto
+  thus ?thesis using assms True by simp
+next
+  case False
+  have "Lambert_W' x \<le> -1"
+    by (rule Lambert_W'_le)
+  also have "\<dots> < y"
+    using False by simp
+  finally show ?thesis by simp
+qed
+
+lemma Lambert_W'_lessI:
+  assumes "y * exp y < x" "x < 0"
+  shows   "Lambert_W' x < y"
+proof (cases "y \<le> -1")
+  case True
+  have "Lambert_W' x < Lambert_W' (y * exp y)"
+    using assms exp_times_self_ge[of y] by (intro Lambert_W'_strict_antimono) auto
+  thus ?thesis using assms True by simp
+next
+  case False
+  have "Lambert_W' x \<le> -1"
+    by (rule Lambert_W'_le)
+  also have "\<dots> < y"
+    using False by simp
+  finally show ?thesis by simp
+qed
+
+
+lemma bij_betw_exp_times_self_atLeastAtMost:
+  fixes a b :: real
+  assumes "a \<ge> -1" "a \<le> b"
+  shows   "bij_betw (\<lambda>x. x * exp x) {a..b} {a * exp a..b * exp b}"
+  unfolding bij_betw_def
+proof
+  show "inj_on (\<lambda>x. x * exp x) {a..b}"
+    by (rule inj_on_subset[OF exp_times_self_inj]) (use assms in auto)
+next
+  show "(\<lambda>x. x * exp x) ` {a..b} = {a * exp a..b * exp b}"
+  proof safe
+    fix x assume "x \<in> {a..b}"
+    thus "x * exp x \<in> {a * exp a..b * exp b}"
+      using assms by (auto intro!: exp_times_self_mono)
+  next
+    fix x assume x: "x \<in> {a * exp a..b * exp b}"
+    have "(-1) * exp (-1) \<le> a * exp a"
+      using assms by (intro exp_times_self_mono) auto
+    also have "\<dots> \<le> x" using x by simp
+    finally have "x \<ge> -exp (-1)" by simp
+
+    have "Lambert_W x \<in> {a..b}"
+      using x \<open>x \<ge> -exp (-1)\<close> assms by (auto intro!: Lambert_W_geI Lambert_W_leI)
+    moreover have "Lambert_W x * exp (Lambert_W x) = x"
+      using \<open>x \<ge> -exp (-1)\<close> by (simp add: Lambert_W_times_exp_self)
+    ultimately show "x \<in> (\<lambda>x. x * exp x) ` {a..b}"
+      unfolding image_iff by metis
+  qed
+qed
+
+lemma bij_betw_exp_times_self_atLeastAtMost':
+  fixes a b :: real
+  assumes "a \<le> b" "b \<le> -1"
+  shows   "bij_betw (\<lambda>x. x * exp x) {a..b} {b * exp b..a * exp a}"
+  unfolding bij_betw_def
+proof
+  show "inj_on (\<lambda>x. x * exp x) {a..b}"
+    by (rule inj_on_subset[OF exp_times_self_inj']) (use assms in auto)
+next
+  show "(\<lambda>x. x * exp x) ` {a..b} = {b * exp b..a * exp a}"
+  proof safe
+    fix x assume "x \<in> {a..b}"
+    thus "x * exp x \<in> {b * exp b..a * exp a}"
+      using assms by (auto intro!: exp_times_self_antimono)
+  next
+    fix x assume x: "x \<in> {b * exp b..a * exp a}"
+    from assms have "a * exp a < 0"
+      by (intro mult_neg_pos) auto
+    with x have "x < 0" by auto
+    have "(-1) * exp (-1) \<le> b * exp b"
+      using assms by (intro exp_times_self_antimono) auto
+    also have "\<dots> \<le> x" using x by simp
+    finally have "x \<ge> -exp (-1)" by simp
+
+    have "Lambert_W' x \<in> {a..b}"
+      using x \<open>x \<ge> -exp (-1)\<close> \<open>x < 0\<close> assms 
+      by (auto intro!: Lambert_W'_geI Lambert_W'_leI)
+    moreover have "Lambert_W' x * exp (Lambert_W' x) = x"
+      using \<open>x \<ge> -exp (-1)\<close> \<open>x < 0\<close> by (auto simp: Lambert_W'_times_exp_self)
+    ultimately show "x \<in> (\<lambda>x. x * exp x) ` {a..b}"
+      unfolding image_iff by metis
+  qed
+qed
+
+lemma bij_betw_exp_times_self_atLeast:
+  fixes a :: real
+  assumes "a \<ge> -1"
+  shows   "bij_betw (\<lambda>x. x * exp x) {a..} {a * exp a..}"
+  unfolding bij_betw_def
+proof
+  show "inj_on (\<lambda>x. x * exp x) {a..}"
+    by (rule inj_on_subset[OF exp_times_self_inj]) (use assms in auto)
+next
+  show "(\<lambda>x. x * exp x) ` {a..} = {a * exp a..}"
+  proof safe
+    fix x assume "x \<ge> a"
+    thus "x * exp x \<ge> a * exp a"
+      using assms by (auto intro!: exp_times_self_mono)
+  next
+    fix x assume x: "x \<ge> a * exp a"
+    have "(-1) * exp (-1) \<le> a * exp a"
+      using assms by (intro exp_times_self_mono) auto
+    also have "\<dots> \<le> x" using x by simp
+    finally have "x \<ge> -exp (-1)" by simp
+
+    have "Lambert_W x \<in> {a..}"
+      using x \<open>x \<ge> -exp (-1)\<close> assms by (auto intro!: Lambert_W_geI Lambert_W_leI)
+    moreover have "Lambert_W x * exp (Lambert_W x) = x"
+      using \<open>x \<ge> -exp (-1)\<close> by (simp add: Lambert_W_times_exp_self)
+    ultimately show "x \<in> (\<lambda>x. x * exp x) ` {a..}"
+      unfolding image_iff by metis
+  qed
+qed
+
+
+subsection \<open>Basic identities and bounds\<close>
+
+lemma Lambert_W_2_ln_2 [simp]: "Lambert_W (2 * ln 2) = ln 2"
+proof -
+  have "-1 \<le> (0 :: real)"
+    by simp
+  also have "\<dots> \<le> ln 2"
+    by simp
+  finally have "-1 \<le> (ln 2 :: real)" .
+  thus ?thesis
+    by (intro Lambert_W_eqI) auto
+qed
+
+lemma Lambert_W_exp_1 [simp]: "Lambert_W (exp 1) = 1"
+  by (rule Lambert_W_eqI) auto
+
+lemma Lambert_W_neg_ln_over_self:
+  assumes "x \<in> {exp (-1)..exp 1}"
+  shows   "Lambert_W (-ln x / x) = -ln x"
+proof -
+  have "0 < (exp (-1) :: real)"
+    by simp
+  also have "\<dots> \<le> x"
+    using assms by simp
+  finally have "x > 0" .
+  from \<open>x > 0\<close> assms have "ln x \<le> ln (exp 1)"
+    by (subst ln_le_cancel_iff) auto
+  also have "ln (exp 1) = (1 :: real)"
+    by simp
+  finally have "ln x \<le> 1" .
+  show ?thesis
+    using assms \<open>x > 0\<close> \<open>ln x \<le> 1\<close>
+    by (intro Lambert_W_eqI) (auto simp: exp_minus field_simps)
+qed
+
+lemma Lambert_W'_neg_ln_over_self:
+  assumes "x \<ge> exp 1"
+  shows   "Lambert_W' (-ln x / x) = -ln x"
+proof (rule Lambert_W'_eqI)
+  have "0 < (exp 1 :: real)"
+    by simp
+  also have "\<dots> \<le> x"
+    by fact
+  finally have "x > 0" .
+  from assms \<open>x > 0\<close> have "ln x \<ge> ln (exp 1)"
+    by (subst ln_le_cancel_iff) auto
+  thus "-ln x \<le> -1" by simp
+  show "-ln x * exp (-ln x) = -ln x / x"
+    using \<open>x > 0\<close> by (simp add: field_simps exp_minus)
+qed
+
+lemma exp_Lambert_W: "x \<ge> -exp (-1) \<Longrightarrow> x \<noteq> 0 \<Longrightarrow> exp (Lambert_W x) = x / Lambert_W x"
+  using Lambert_W_times_exp_self[of x] by (auto simp add: divide_simps mult_ac)
+
+lemma exp_Lambert_W': "x \<in> {-exp (-1)..<0} \<Longrightarrow> exp (Lambert_W' x) = x / Lambert_W' x"
+  using Lambert_W'_times_exp_self[of x] by (auto simp add: divide_simps mult_ac)
+
+lemma ln_Lambert_W:
+  assumes "x > 0"
+  shows   "ln (Lambert_W x) = ln x - Lambert_W x"
+proof -
+  have "-exp (-1) \<le> (0 :: real)"
+    by simp
+  also have "\<dots> < x" by fact
+  finally have x: "x > -exp(-1)" .
+
+  have "exp (ln (Lambert_W x)) = exp (ln x - Lambert_W x)"
+    using assms x by (subst exp_diff) (auto simp: exp_Lambert_W)
+  thus ?thesis by (subst (asm) exp_inj_iff)
+qed
+
+lemma ln_minus_Lambert_W':
+  assumes "x \<in> {-exp (-1)..<0}"
+  shows   "ln (-Lambert_W' x) = ln (-x) - Lambert_W' x"
+proof -
+  have "exp (ln (-x) - Lambert_W' x) = -Lambert_W' x"
+    using assms by (simp add: exp_diff exp_Lambert_W')
+  also have "\<dots> = exp (ln (-Lambert_W' x))"
+    using Lambert_W'_neg[of x] by simp
+  finally show ?thesis by simp
+qed
+
+lemma Lambert_W_plus_Lambert_W_eq:
+  assumes "x > 0" "y > 0"
+  shows   "Lambert_W x + Lambert_W y = Lambert_W (x * y * (1 / Lambert_W x + 1 / Lambert_W y))"
+proof (rule sym, rule Lambert_W_eqI)
+  have "x > -exp(-1)" "y > -exp (-1)"
+    by (rule less_trans[OF _ assms(1)] less_trans[OF _ assms(2)], simp)+
+  with assms show "(Lambert_W x + Lambert_W y) * exp (Lambert_W x + Lambert_W y) =
+                     x * y * (1 / Lambert_W x + 1 / Lambert_W y)"
+    by (auto simp: field_simps exp_add exp_Lambert_W)
+  have "-1 \<le> (0 :: real)"
+    by simp
+  also from assms have "\<dots> \<le> Lambert_W x + Lambert_W y"
+    by (intro add_nonneg_nonneg) auto
+  finally show "\<dots> \<ge> -1" .
+qed
+
+lemma Lambert_W'_plus_Lambert_W'_eq:
+  assumes "x \<in> {-exp(-1)..<0}" "y \<in> {-exp(-1)..<0}"
+  shows   "Lambert_W' x + Lambert_W' y = Lambert_W' (x * y * (1 / Lambert_W' x + 1 / Lambert_W' y))"
+proof (rule sym, rule Lambert_W'_eqI)
+  from assms show "(Lambert_W' x + Lambert_W' y) * exp (Lambert_W' x + Lambert_W' y) =
+                     x * y * (1 / Lambert_W' x + 1 / Lambert_W' y)"
+    by (auto simp: field_simps exp_add exp_Lambert_W')
+  have "Lambert_W' x + Lambert_W' y \<le> -1 + -1"
+    by (intro add_mono Lambert_W'_le)
+  also have "\<dots> \<le> -1" by simp
+  finally show "Lambert_W' x + Lambert_W' y \<le> -1" .
+qed
+
+lemma Lambert_W_gt_ln_minus_ln_ln:
+  assumes "x > exp 1"
+  shows   "Lambert_W x > ln x - ln (ln x)"
+proof (rule Lambert_W_gtI)
+  have "x > 1"
+    by (rule less_trans[OF _ assms]) auto
+  have "ln x > ln (exp 1)"
+    by (subst ln_less_cancel_iff) (use \<open>x > 1\<close> assms in auto)
+  thus "(ln x - ln (ln x)) * exp (ln x - ln (ln x)) < x"
+    using assms \<open>x > 1\<close> by (simp add: exp_diff field_simps)
+qed
+
+lemma Lambert_W_less_ln:
+  assumes "x > exp 1"
+  shows   "Lambert_W x < ln x"
+proof (rule Lambert_W_lessI)
+  have "x > 0"
+    by (rule less_trans[OF _ assms]) auto
+  have "ln x > ln (exp 1)"
+    by (subst ln_less_cancel_iff) (use \<open>x > 0\<close> assms in auto)
+  thus "x < ln x * exp (ln x)"
+    using \<open>x > 0\<close> by simp
+  show "ln x \<ge> -1"
+    by (rule less_imp_le[OF le_less_trans[OF _ \<open>ln x > _\<close>]]) auto
+  show "x \<ge> -exp (-1)"
+    by (rule less_imp_le[OF le_less_trans[OF _ \<open>x > 0\<close>]]) auto
+qed
+
+
+subsection \<open>Limits, continuity, and differentiability\<close>
+
+lemma filterlim_Lambert_W_at_top [tendsto_intros]: "filterlim Lambert_W at_top at_top"
+  unfolding filterlim_at_top
+proof
+  fix C :: real
+  have "eventually (\<lambda>x. x \<ge> C * exp C) at_top"
+    by (rule eventually_ge_at_top)
+  thus "eventually (\<lambda>x. Lambert_W x \<ge> C) at_top"
+  proof eventually_elim
+    case (elim x)
+    thus ?case
+      by (intro Lambert_W_geI) auto
+  qed
+qed
+
+lemma filterlim_Lambert_W_at_left_0 [tendsto_intros]:
+  "filterlim Lambert_W' at_bot (at_left 0)"
+  unfolding filterlim_at_bot
+proof
+  fix C :: real
+  define C' where "C' = min C (-1)"
+  have "C' < 0" "C' \<le> C"
+    by (simp_all add: C'_def)
+  have "C' * exp C' < 0"
+    using \<open>C' < 0\<close> by (intro mult_neg_pos) auto
+  hence "eventually (\<lambda>x. x \<ge> C' * exp C') (at_left 0)"
+    by real_asymp
+  moreover have "eventually (\<lambda>x::real. x < 0) (at_left 0)"
+    by real_asymp
+  ultimately show "eventually (\<lambda>x. Lambert_W' x \<le> C) (at_left 0)"
+  proof eventually_elim
+    case (elim x)
+    hence "Lambert_W' x \<le> C'"
+      by (intro Lambert_W'_leI) auto
+    also have "\<dots> \<le> C" by fact
+    finally show ?case .
+  qed
+qed
+
+lemma continuous_on_Lambert_W [continuous_intros]: "continuous_on {-exp (-1)..} Lambert_W"
+proof -
+  have *: "continuous_on {-exp (-1)..b * exp b} Lambert_W" if "b \<ge> 0" for b
+  proof -
+    have "continuous_on ((\<lambda>x. x * exp x) ` {-1..b}) Lambert_W"
+      by (rule continuous_on_inv) (auto intro!: continuous_intros)
+    also have "(\<lambda>x. x * exp x) ` {-1..b} = {-exp (-1)..b * exp b}"
+      using bij_betw_exp_times_self_atLeastAtMost[of "-1" b] \<open>b \<ge> 0\<close>
+      by (simp add: bij_betw_def)
+    finally show ?thesis .
+  qed
+
+  have "continuous (at x) Lambert_W" if "x \<ge> 0" for x
+  proof -
+    have x: "-exp (-1) < x"
+      by (rule less_le_trans[OF _ that]) auto
+    
+    define b where "b = Lambert_W x + 1"
+    have "b \<ge> 0"
+      using Lambert_W_ge[of x] by (simp add: b_def)
+    have "x = Lambert_W x * exp (Lambert_W x)"
+      using that x by (subst Lambert_W_times_exp_self) auto
+    also have "\<dots> < b * exp b"
+      by (intro exp_times_self_strict_mono) (auto simp: b_def Lambert_W_ge)
+    finally have "b * exp b > x" .
+    have "continuous_on {-exp(-1)<..<b * exp b} Lambert_W"
+      by (rule continuous_on_subset[OF *[of b]]) (use \<open>b \<ge> 0\<close> in auto)
+    moreover have "x \<in> {-exp(-1)<..<b * exp b}"
+      using \<open>b * exp b > x\<close> x by (auto simp: )
+    ultimately show "continuous (at x) Lambert_W"
+      by (subst (asm) continuous_on_eq_continuous_at) auto
+  qed
+  hence "continuous_on {0..} Lambert_W"
+    by (intro continuous_at_imp_continuous_on) auto
+  moreover have "continuous_on {-exp (-1)..0} Lambert_W"
+    using *[of 0] by simp
+  ultimately have "continuous_on ({-exp (-1)..0} \<union> {0..}) Lambert_W"
+    by (intro continuous_on_closed_Un) auto
+  also have "{-exp (-1)..0} \<union> {0..} = {-exp (-1::real)..}"
+    using order.trans[of "-exp (-1)::real" 0] by auto
+  finally show ?thesis .
+qed
+
+lemma continuous_on_Lambert_W_alt [continuous_intros]:
+  assumes "continuous_on A f" "\<And>x. x \<in> A \<Longrightarrow> f x \<ge> -exp (-1)"
+  shows   "continuous_on A (\<lambda>x. Lambert_W (f x))"
+  using continuous_on_compose2[OF continuous_on_Lambert_W assms(1)] assms by auto
+
+lemma continuous_on_Lambert_W' [continuous_intros]: "continuous_on {-exp (-1)..<0} Lambert_W'"
+proof -
+  have *: "continuous_on {-exp (-1)..-b * exp (-b)} Lambert_W'" if "b \<ge> 1" for b
+  proof -
+    have "continuous_on ((\<lambda>x. x * exp x) ` {-b..-1}) Lambert_W'"
+      by (intro continuous_on_inv ballI) (auto intro!: continuous_intros)
+    also have "(\<lambda>x. x * exp x) ` {-b..-1} = {-exp (-1)..-b * exp (-b)}"
+      using bij_betw_exp_times_self_atLeastAtMost'[of "-b" "-1"] that
+      by (simp add: bij_betw_def)
+    finally show ?thesis .
+  qed
+
+  have "continuous (at x) Lambert_W'" if "x > -exp (-1)" "x < 0" for x
+  proof - 
+    define b where "b = Lambert_W x + 1"
+    have "eventually (\<lambda>b. -b * exp (-b) > x) at_top"
+      using that by real_asymp
+    hence "eventually (\<lambda>b. b \<ge> 1 \<and> -b * exp (-b) > x) at_top"
+      by (intro eventually_conj eventually_ge_at_top)
+    then obtain b where b: "b \<ge> 1" "-b * exp (-b) > x"
+      by (auto simp: eventually_at_top_linorder)
+
+    have "continuous_on {-exp(-1)<..<-b * exp (-b)} Lambert_W'"
+      by (rule continuous_on_subset[OF *[of b]]) (use \<open>b \<ge> 1\<close> in auto)
+    moreover have "x \<in> {-exp(-1)<..<-b * exp (-b)}"
+      using b that by auto
+    ultimately show "continuous (at x) Lambert_W'"
+      by (subst (asm) continuous_on_eq_continuous_at) auto
+  qed
+  hence **: "continuous_on {-exp (-1)<..<0} Lambert_W'"
+    by (intro continuous_at_imp_continuous_on) auto
+
+  show ?thesis
+    unfolding continuous_on_def
+  proof
+    fix x :: real assume x: "x \<in> {-exp(-1)..<0}"
+    show "(Lambert_W' \<longlongrightarrow> Lambert_W' x) (at x within {-exp(-1)..<0})"
+    proof (cases "x = -exp(-1)")
+      case False
+      hence "isCont Lambert_W' x"
+        using x ** by (auto simp: continuous_on_eq_continuous_at)
+      thus ?thesis
+        using continuous_at filterlim_within_subset by blast
+    next
+      case True
+      define a :: real where "a = -2 * exp (-2)"
+      have a: "a > -exp (-1)"
+        using exp_times_self_strict_antimono[of "-1" "-2"] by (auto simp: a_def)
+      from True have "x \<in> {-exp (-1)..<a}"
+        using a by (auto simp: a_def)
+      have "continuous_on {-exp (-1)..<a} Lambert_W'"
+        unfolding a_def by (rule continuous_on_subset[OF *[of 2]]) auto
+      hence "(Lambert_W' \<longlongrightarrow> Lambert_W' x) (at x within {-exp (-1)..<a})"
+        using \<open>x \<in> {-exp (-1)..<a}\<close> by (auto simp: continuous_on_def)
+      also have "at x within {-exp (-1)..<a} = at_right x"
+        using a by (intro at_within_nhd[of _ "{..<a}"]) (auto simp: True)
+      also have "\<dots> = at x within {-exp (-1)..<0}"
+        using a by (intro at_within_nhd[of _ "{..<0}"]) (auto simp: True)
+      finally show ?thesis .
+    qed
+  qed
+qed
+
+lemma continuous_on_Lambert_W'_alt [continuous_intros]:
+  assumes "continuous_on A f" "\<And>x. x \<in> A \<Longrightarrow> f x \<in> {-exp (-1)..<0}"
+  shows   "continuous_on A (\<lambda>x. Lambert_W' (f x))"
+  using continuous_on_compose2[OF continuous_on_Lambert_W' assms(1)] assms
+  by (auto simp: subset_iff)
+
+
+lemma tendsto_Lambert_W_1:
+  assumes "(f \<longlongrightarrow> L) F" "eventually (\<lambda>x. f x \<ge> -exp (-1)) F"
+  shows   "((\<lambda>x. Lambert_W (f x)) \<longlongrightarrow> Lambert_W L) F"
+proof (cases "F = bot")
+  case [simp]: False
+  from tendsto_lowerbound[OF assms] have "L \<ge> -exp (-1)" by simp
+  thus ?thesis
+    using continuous_on_tendsto_compose[OF continuous_on_Lambert_W assms(1)] assms(2) by simp
+qed auto
+
+lemma tendsto_Lambert_W_2:
+  assumes "(f \<longlongrightarrow> L) F" "L > -exp (-1)"
+  shows   "((\<lambda>x. Lambert_W (f x)) \<longlongrightarrow> Lambert_W L) F"
+  using order_tendstoD(1)[OF assms] assms
+  by (intro tendsto_Lambert_W_1) (auto elim: eventually_mono)
+
+lemma tendsto_Lambert_W [tendsto_intros]:
+  assumes "(f \<longlongrightarrow> L) F" "eventually (\<lambda>x. f x \<ge> -exp (-1)) F \<or> L > -exp (-1)"
+  shows   "((\<lambda>x. Lambert_W (f x)) \<longlongrightarrow> Lambert_W L) F"
+  using assms(2)
+proof
+  assume "L > -exp (-1)"
+  from order_tendstoD(1)[OF assms(1) this] assms(1) show ?thesis
+    by (intro tendsto_Lambert_W_1) (auto elim: eventually_mono)  
+qed (use tendsto_Lambert_W_1[OF assms(1)] in auto)
+
+lemma tendsto_Lambert_W'_1:
+  assumes "(f \<longlongrightarrow> L) F" "eventually (\<lambda>x. f x \<ge> -exp (-1)) F" "L < 0"
+  shows   "((\<lambda>x. Lambert_W' (f x)) \<longlongrightarrow> Lambert_W' L) F"
+proof (cases "F = bot")
+  case [simp]: False
+  from tendsto_lowerbound[OF assms(1,2)] have L_ge: "L \<ge> -exp (-1)" by simp
+  from order_tendstoD(2)[OF assms(1,3)] have ev: "eventually (\<lambda>x. f x < 0) F"
+    by auto
+  with assms(2) have "eventually (\<lambda>x. f x \<in> {-exp (-1)..<0}) F"
+    by eventually_elim auto
+  thus ?thesis using L_ge assms(3)
+    by (intro continuous_on_tendsto_compose[OF continuous_on_Lambert_W' assms(1)]) auto
+qed auto
+
+lemma tendsto_Lambert_W'_2:
+  assumes "(f \<longlongrightarrow> L) F" "L > -exp (-1)" "L < 0"
+  shows   "((\<lambda>x. Lambert_W' (f x)) \<longlongrightarrow> Lambert_W' L) F"
+  using order_tendstoD(1)[OF assms(1,2)] assms
+  by (intro tendsto_Lambert_W'_1) (auto elim: eventually_mono)
+
+lemma tendsto_Lambert_W' [tendsto_intros]:
+  assumes "(f \<longlongrightarrow> L) F" "eventually (\<lambda>x. f x \<ge> -exp (-1)) F \<or> L > -exp (-1)" "L < 0"
+  shows   "((\<lambda>x. Lambert_W' (f x)) \<longlongrightarrow> Lambert_W' L) F"
+  using assms(2)
+proof
+  assume "L > -exp (-1)"
+  from order_tendstoD(1)[OF assms(1) this] assms(1,3) show ?thesis
+    by (intro tendsto_Lambert_W'_1) (auto elim: eventually_mono)  
+qed (use tendsto_Lambert_W'_1[OF assms(1) _ assms(3)] in auto)
+
+
+lemma continuous_Lambert_W [continuous_intros]:
+  assumes "continuous F f" "f (Lim F (\<lambda>x. x)) > -exp (-1) \<or> eventually (\<lambda>x. f x \<ge> -exp (-1)) F"
+  shows   "continuous F (\<lambda>x. Lambert_W (f x))"
+  using assms unfolding continuous_def by (intro tendsto_Lambert_W) auto
+
+lemma continuous_Lambert_W' [continuous_intros]:
+  assumes "continuous F f" "f (Lim F (\<lambda>x. x)) > -exp (-1) \<or> eventually (\<lambda>x. f x \<ge> -exp (-1)) F"
+          "f (Lim F (\<lambda>x. x)) < 0"
+  shows   "continuous F (\<lambda>x. Lambert_W' (f x))"
+  using assms unfolding continuous_def by (intro tendsto_Lambert_W') auto
+
+
+lemma has_field_derivative_Lambert_W [derivative_intros]:
+  assumes x: "x > -exp (-1)"
+  shows   "(Lambert_W has_real_derivative inverse (x + exp (Lambert_W x))) (at x within A)"
+proof -
+  write Lambert_W ("W")
+  from x have "W x > W (-exp (-1))"
+    by (subst Lambert_W_less_iff) auto
+  hence "W x > -1" by simp
+
+  note [derivative_intros] = DERIV_inverse_function[where g = Lambert_W]
+  have "((\<lambda>x. x * exp x) has_real_derivative (1 + W x) * exp (W x)) (at (W x))"
+    by (auto intro!: derivative_eq_intros simp: algebra_simps)
+  hence "(W has_real_derivative inverse ((1 + W x) * exp (W x))) (at x)"
+    by (rule DERIV_inverse_function[where a = "-exp (-1)" and b = "x + 1"])
+       (use x \<open>W x > -1\<close> in \<open>auto simp: Lambert_W_times_exp_self Lim_ident_at
+                                  intro!: continuous_intros\<close>)
+  also have "(1 + W x) * exp (W x) = x + exp (W x)"
+    using x by (simp add: algebra_simps Lambert_W_times_exp_self)
+  finally show ?thesis by (rule has_field_derivative_at_within)
+qed
+
+lemma has_field_derivative_Lambert_W_gen [derivative_intros]:
+  assumes "(f has_real_derivative f') (at x within A)" "f x > -exp (-1)"
+  shows   "((\<lambda>x. Lambert_W (f x)) has_real_derivative
+             (f' / (f x + exp (Lambert_W (f x))))) (at x within A)"
+  using DERIV_chain2[OF has_field_derivative_Lambert_W[OF assms(2)] assms(1)]
+  by (simp add: field_simps)
+
+lemma has_field_derivative_Lambert_W' [derivative_intros]:
+  assumes x: "x \<in> {-exp (-1)<..<0}"
+  shows   "(Lambert_W' has_real_derivative inverse (x + exp (Lambert_W' x))) (at x within A)"
+proof -
+  write Lambert_W' ("W")
+  from x have "W x < W (-exp (-1))"
+    by (subst Lambert_W'_less_iff) auto
+  hence "W x < -1" by simp
+
+  note [derivative_intros] = DERIV_inverse_function[where g = Lambert_W]
+  have "((\<lambda>x. x * exp x) has_real_derivative (1 + W x) * exp (W x)) (at (W x))"
+    by (auto intro!: derivative_eq_intros simp: algebra_simps)
+  hence "(W has_real_derivative inverse ((1 + W x) * exp (W x))) (at x)"
+    by (rule DERIV_inverse_function[where a = "-exp (-1)" and b = "0"])
+       (use x \<open>W x < -1\<close> in \<open>auto simp: Lambert_W'_times_exp_self Lim_ident_at
+                                        intro!: continuous_intros\<close>)
+  also have "(1 + W x) * exp (W x) = x + exp (W x)"
+    using x by (simp add: algebra_simps Lambert_W'_times_exp_self)
+  finally show ?thesis by (rule has_field_derivative_at_within)
+qed
+
+lemma has_field_derivative_Lambert_W'_gen [derivative_intros]:
+  assumes "(f has_real_derivative f') (at x within A)" "f x \<in> {-exp (-1)<..<0}"
+  shows   "((\<lambda>x. Lambert_W' (f x)) has_real_derivative
+             (f' / (f x + exp (Lambert_W' (f x))))) (at x within A)"
+  using DERIV_chain2[OF has_field_derivative_Lambert_W'[OF assms(2)] assms(1)]
+  by (simp add: field_simps)
+
+
+subsection \<open>Asymptotic expansion\<close>
+
+text \<open>
+  Lastly, we prove some more detailed asymptotic expansions of $W$ and $W'$ at their
+  singularities. First, we show that:
+  \begin{align*}
+    W(x) &= \log x - \log\log x + o(\log\log x) &&\text{for}\ x\to\infty\\
+    W'(x) &= \log (-x) - \log (-\log (-x)) + o(\log (-\log (-x))) &&\text{for}\ x\to 0^{-}
+  \end{align*}
+\<close>
+theorem Lambert_W_asymp_equiv_at_top:
+  "(\<lambda>x. Lambert_W x - ln x) \<sim>[at_top] (\<lambda>x. -ln (ln x))"
+proof -
+  have "(\<lambda>x. Lambert_W x - ln x) \<sim>[at_top] (\<lambda>x. (-1) * ln (ln x))"
+  proof (rule asymp_equiv_sandwich')
+    fix c' :: real assume c': "c' \<in> {-2<..<-1}"
+    have "eventually (\<lambda>x. (ln x + c' * ln (ln x)) * exp (ln x + c' * ln (ln x)) \<le> x) at_top"
+         "eventually (\<lambda>x. ln x + c' * ln (ln x) \<ge> -1) at_top"
+      using c' by real_asymp+
+    thus "eventually (\<lambda>x. Lambert_W x - ln x \<ge> c' * ln (ln x)) at_top"
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W x \<ge> ln x + c' * ln (ln x)"
+        by (intro Lambert_W_geI)
+      thus ?case by simp
+    qed
+  next
+    fix c' :: real assume c': "c' \<in> {-1<..<0}"
+    have "eventually (\<lambda>x. (ln x + c' * ln (ln x)) * exp (ln x + c' * ln (ln x)) \<ge> x) at_top"
+         "eventually (\<lambda>x. ln x + c' * ln (ln x) \<ge> -1) at_top"
+      using c' by real_asymp+
+    thus "eventually (\<lambda>x. Lambert_W x - ln x \<le> c' * ln (ln x)) at_top"
+      using eventually_ge_at_top[of "-exp (-1)"]
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W x \<le> ln x + c' * ln (ln x)"
+        by (intro Lambert_W_leI)
+      thus ?case by simp
+    qed
+  qed auto
+  thus ?thesis by simp
+qed
+
+lemma Lambert_W_asymp_equiv_at_top' [asymp_equiv_intros]:
+  "Lambert_W \<sim>[at_top] ln"
+proof -
+  have "(\<lambda>x. Lambert_W x - ln x) \<in> \<Theta>(\<lambda>x. -ln (ln x))"
+    by (intro asymp_equiv_imp_bigtheta Lambert_W_asymp_equiv_at_top)
+  also have "(\<lambda>x::real. -ln (ln x)) \<in> o(ln)"
+    by real_asymp
+  finally show ?thesis by (simp add: asymp_equiv_altdef)
+qed
+
+theorem Lambert_W'_asymp_equiv_at_left_0:
+  "(\<lambda>x. Lambert_W' x - ln (-x)) \<sim>[at_left 0] (\<lambda>x. -ln (-ln (-x)))"
+proof -
+  have "(\<lambda>x. Lambert_W' x - ln (-x)) \<sim>[at_left 0] (\<lambda>x. (-1) * ln (-ln (-x)))"
+  proof (rule asymp_equiv_sandwich')
+    fix c' :: real assume c': "c' \<in> {-2<..<-1}"
+    have "eventually (\<lambda>x. x \<le> (ln (-x) + c' * ln (-ln (-x))) * exp (ln (-x) + c' * ln (-ln (-x)))) (at_left 0)"
+         "eventually (\<lambda>x::real. ln (-x) + c' * ln (-ln (-x)) \<le> -1) (at_left 0)"
+         "eventually (\<lambda>x::real. -exp (-1) \<le> x) (at_left 0)"
+      using c' by real_asymp+
+    thus "eventually (\<lambda>x. Lambert_W' x - ln (-x) \<ge> c' * ln (-ln (-x))) (at_left 0)"
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W' x \<ge> ln (-x) + c' * ln (-ln (-x))"
+        by (intro Lambert_W'_geI)
+      thus ?case by simp
+    qed
+  next
+    fix c' :: real assume c': "c' \<in> {-1<..<0}"
+    have "eventually (\<lambda>x. x \<ge> (ln (-x) + c' * ln (-ln (-x))) * exp (ln (-x) + c' * ln (-ln (-x)))) (at_left 0)"
+      using c' by real_asymp
+    moreover have "eventually (\<lambda>x::real. x < 0) (at_left 0)"
+      by (auto simp: eventually_at intro: exI[of _ 1])
+    ultimately show "eventually (\<lambda>x. Lambert_W' x - ln (-x) \<le> c' * ln (-ln (-x))) (at_left 0)"
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W' x \<le> ln (-x) + c' * ln (-ln (-x))"
+        by (intro Lambert_W'_leI)
+      thus ?case by simp
+    qed
+  qed auto
+  thus ?thesis by simp
+qed
+
+lemma Lambert_W'_asymp_equiv'_at_left_0 [asymp_equiv_intros]:
+  "Lambert_W' \<sim>[at_left 0] (\<lambda>x. ln (-x))"
+proof -
+  have "(\<lambda>x. Lambert_W' x - ln (-x)) \<in> \<Theta>[at_left 0](\<lambda>x. -ln (-ln (-x)))"
+    by (intro asymp_equiv_imp_bigtheta Lambert_W'_asymp_equiv_at_left_0)
+  also have "(\<lambda>x::real. -ln (-ln (-x))) \<in> o[at_left 0](\<lambda>x. ln (-x))"
+    by real_asymp
+  finally show ?thesis by (simp add: asymp_equiv_altdef)
+qed
+
+
+text \<open>
+  Next, we look at the branching point $a := \tfrac{1}{e}$. Here, the asymptotic behaviour
+  is as follows:
+  \begin{align*}
+    W(x) &= -1 + \sqrt{2e}(x - a)^{\frac{1}{2}} - \tfrac{2}{3}e(x-a) + o(x-a) &&\text{for} x\to a^+\\
+    W'(x) &= -1 - \sqrt{2e}(x - a)^{\frac{1}{2}} - \tfrac{2}{3}e(x-a) + o(x-a) &&\text{for} x\to a^+
+  \end{align*}
+\<close>
+lemma sqrt_sqrt_mult:
+  assumes "x \<ge> (0 :: real)"
+  shows   "sqrt x * (sqrt x * y) = x * y"
+  using assms by (subst mult.assoc [symmetric]) auto
+
+theorem Lambert_W_asymp_equiv_at_right_minus_exp_minus1:
+  defines "e \<equiv> exp 1"
+  defines "a \<equiv> -exp (-1)"
+  defines "C1 \<equiv> sqrt (2 * exp 1)"
+  defines "f \<equiv> (\<lambda>x. -1 + C1 * sqrt (x - a))"
+  shows   "(\<lambda>x. Lambert_W x - f x) \<sim>[at_right a] (\<lambda>x. -2/3 * e * (x - a))"
+proof -
+  define C :: "real \<Rightarrow> real" where "C = (\<lambda>c. sqrt (2/e)/3 * (2*e+3*c))"
+  have asymp_equiv: "(\<lambda>x. (f x + c * (x - a)) * exp (f x + c * (x - a)) - x)
+                       \<sim>[at_right a] (\<lambda>x. C c * (x - a) powr (3/2))" if "c \<noteq> -2/3 * e" for c
+  proof -
+    from that have "C c \<noteq> 0"
+      by (auto simp: C_def e_def)
+    have "(\<lambda>x. (f x + c * (x - a)) * exp (f x + c * (x - a)) - x - C c * (x - a) powr (3/2))
+            \<in> o[at_right a](\<lambda>x. (x - a) powr (3/2))"
+      unfolding f_def a_def C_def C1_def e_def
+      by (real_asymp simp: field_simps real_sqrt_mult real_sqrt_divide sqrt_sqrt_mult
+                           exp_minus simp flip: sqrt_def)
+    thus ?thesis
+      using \<open>C c \<noteq> 0\<close> by (intro smallo_imp_asymp_equiv) auto
+  qed
+      
+  show ?thesis
+  proof (rule asymp_equiv_sandwich')
+    fix c' :: real assume c': "c' \<in> {-e<..<-2/3*e}"
+    hence neq: "c' \<noteq> -2/3 * e" by auto
+    from c' have neg: "C c' < 0" unfolding C_def by (auto intro!: mult_pos_neg)
+    hence "eventually (\<lambda>x. C c' * (x - a) powr (3 / 2) < 0) (at_right a)"
+      by real_asymp
+    hence "eventually (\<lambda>x. (f x + c' * (x - a)) * exp (f x + c' * (x - a)) - x < 0) (at_right a)"
+      using asymp_equiv_eventually_neg_iff[OF asymp_equiv[OF neq]]
+      by eventually_elim (use neg in auto)
+    thus "eventually (\<lambda>x. Lambert_W x - f x \<ge> c' * (x - a)) (at_right a)"
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W x \<ge> f x + c' * (x - a)"
+        by (intro Lambert_W_geI) auto
+      thus ?case by simp
+    qed
+  next
+    fix c' :: real assume c': "c' \<in> {-2/3*e<..<0}"
+    hence neq: "c' \<noteq> -2/3 * e" by auto
+    from c' have pos: "C c' > 0" unfolding C_def by auto
+    hence "eventually (\<lambda>x. C c' * (x - a) powr (3 / 2) > 0) (at_right a)"
+      by real_asymp
+    hence "eventually (\<lambda>x. (f x + c' * (x - a)) * exp (f x + c' * (x - a)) - x > 0) (at_right a)"
+      using asymp_equiv_eventually_pos_iff[OF asymp_equiv[OF neq]]
+      by eventually_elim (use pos in auto)
+    moreover have "eventually (\<lambda>x. - 1 \<le> f x + c' * (x - a)) (at_right a)"
+                  "eventually (\<lambda>x. x > a) (at_right a)"
+      unfolding a_def f_def C1_def c' by real_asymp+
+    ultimately show "eventually (\<lambda>x. Lambert_W x - f x \<le> c' * (x - a)) (at_right a)"
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W x \<le> f x + c' * (x - a)"
+        by (intro Lambert_W_leI) (auto simp: a_def)
+      thus ?case by simp
+    qed
+  qed (auto simp: e_def)
+qed
+
+theorem Lambert_W'_asymp_equiv_at_right_minus_exp_minus1:
+  defines "e \<equiv> exp 1"
+  defines "a \<equiv> -exp (-1)"
+  defines "C1 \<equiv> sqrt (2 * exp 1)"
+  defines "f \<equiv> (\<lambda>x. -1 - C1 * sqrt (x - a))"
+  shows   "(\<lambda>x. Lambert_W' x - f x) \<sim>[at_right a] (\<lambda>x. -2/3 * e * (x - a))"
+proof -
+  define C :: "real \<Rightarrow> real" where "C = (\<lambda>c. -sqrt (2/e)/3 * (2*e+3*c))"
+
+  have asymp_equiv: "(\<lambda>x. (f x + c * (x - a)) * exp (f x + c * (x - a)) - x)
+                       \<sim>[at_right a] (\<lambda>x. C c * (x - a) powr (3/2))" if "c \<noteq> -2/3 * e" for c
+  proof -
+    from that have "C c \<noteq> 0"
+      by (auto simp: C_def e_def)
+    have "(\<lambda>x. (f x + c * (x - a)) * exp (f x + c * (x - a)) - x - C c * (x - a) powr (3/2))
+            \<in> o[at_right a](\<lambda>x. (x - a) powr (3/2))"
+      unfolding f_def a_def C_def C1_def e_def
+      by (real_asymp simp: field_simps real_sqrt_mult real_sqrt_divide sqrt_sqrt_mult
+                           exp_minus simp flip: sqrt_def)
+    thus ?thesis
+      using \<open>C c \<noteq> 0\<close> by (intro smallo_imp_asymp_equiv) auto
+  qed
+      
+  show ?thesis
+  proof (rule asymp_equiv_sandwich')
+    fix c' :: real assume c': "c' \<in> {-e<..<-2/3*e}"
+    hence neq: "c' \<noteq> -2/3 * e" by auto
+    from c' have pos: "C c' > 0" unfolding C_def by (auto intro!: mult_pos_neg)
+    hence "eventually (\<lambda>x. C c' * (x - a) powr (3 / 2) > 0) (at_right a)"
+      by real_asymp
+    hence "eventually (\<lambda>x. (f x + c' * (x - a)) * exp (f x + c' * (x - a)) - x > 0) (at_right a)"
+      using asymp_equiv_eventually_pos_iff[OF asymp_equiv[OF neq]]
+      by eventually_elim (use pos in auto)
+    moreover have "eventually (\<lambda>x. x > a) (at_right a)"
+                  "eventually (\<lambda>x. f x + c' * (x - a) \<le> -1) (at_right a)"
+      unfolding a_def f_def C1_def c' by real_asymp+
+    ultimately show "eventually (\<lambda>x. Lambert_W' x - f x \<ge> c' * (x - a)) (at_right a)"
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W' x \<ge> f x + c' * (x - a)"
+        by (intro Lambert_W'_geI) (auto simp: a_def)
+      thus ?case by simp
+    qed
+  next
+    fix c' :: real assume c': "c' \<in> {-2/3*e<..<0}"
+    hence neq: "c' \<noteq> -2/3 * e" by auto
+    from c' have neg: "C c' < 0" unfolding C_def by auto
+    hence "eventually (\<lambda>x. C c' * (x - a) powr (3 / 2) < 0) (at_right a)"
+      by real_asymp
+    hence "eventually (\<lambda>x. (f x + c' * (x - a)) * exp (f x + c' * (x - a)) - x < 0) (at_right a)"
+      using asymp_equiv_eventually_neg_iff[OF asymp_equiv[OF neq]]
+      by eventually_elim (use neg in auto)
+    moreover have "eventually (\<lambda>x. x < 0) (at_right a)"
+      unfolding a_def by real_asymp
+    ultimately show "eventually (\<lambda>x. Lambert_W' x - f x \<le> c' * (x - a)) (at_right a)"
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W' x \<le> f x + c' * (x - a)"
+        by (intro Lambert_W'_leI) auto
+      thus ?case by simp
+    qed
+  qed (auto simp: e_def)
+qed
+
+
+text \<open>
+  Lastly, just for fun, we derive a slightly more accurate expansion of $W_0(x)$ for $x\to\infty$:
+\<close>
+theorem Lambert_W_asymp_equiv_at_top'':
+  "(\<lambda>x. Lambert_W x - ln x + ln (ln x)) \<sim>[at_top] (\<lambda>x. ln (ln x) / ln x)"
+proof -
+  have "(\<lambda>x. Lambert_W x - ln x + ln (ln x)) \<sim>[at_top] (\<lambda>x. 1 * (ln (ln x) / ln x))"
+  proof (rule asymp_equiv_sandwich')
+    fix c' :: real assume c': "c' \<in> {0<..<1}"
+    define a where "a = (\<lambda>x::real. ln x - ln (ln x) + c' * (ln (ln x) / ln x))"
+    have "eventually (\<lambda>x. a x * exp (a x) \<le> x) at_top"
+      using c' unfolding a_def by real_asymp+
+    thus "eventually (\<lambda>x. Lambert_W x - ln x + ln (ln x) \<ge> c' * (ln (ln x) / ln x)) at_top"
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W x \<ge> a x"
+        by (intro Lambert_W_geI)
+      thus ?case by (simp add: a_def)
+    qed
+  next
+    fix c' :: real assume c': "c' \<in> {1<..<2}"
+    define a where "a = (\<lambda>x::real. ln x - ln (ln x) + c' * (ln (ln x) / ln x))"
+    have "eventually (\<lambda>x. a x * exp (a x) \<ge> x) at_top"
+         "eventually (\<lambda>x. a x \<ge> -1) at_top"
+      using c' unfolding a_def by real_asymp+
+    thus "eventually (\<lambda>x. Lambert_W x - ln x + ln (ln x) \<le> c' * (ln (ln x) / ln x)) at_top"
+      using eventually_ge_at_top[of "-exp (-1)"]
+    proof eventually_elim
+      case (elim x)
+      hence "Lambert_W x \<le> a x"
+        by (intro Lambert_W_leI)
+      thus ?case by (simp add: a_def)
+    qed
+  qed auto
+  thus ?thesis by simp
+qed
+
+end
\ No newline at end of file
diff --git a/thys/Lambert_W/Lambert_W_MacLaurin_Series.thy b/thys/Lambert_W/Lambert_W_MacLaurin_Series.thy
new file mode 100644
--- /dev/null
+++ b/thys/Lambert_W/Lambert_W_MacLaurin_Series.thy
@@ -0,0 +1,373 @@
+(*
+  File:     Lambert_W_MacLaurin_Series
+  Author:   Manuel Eberl, TU München
+
+  The MacLaurin series of the Lambert W function at x = 0
+  This file is kept separate from the main Lambert_W file because it requires significantly
+  more library material, including HOL-Analysis.
+*)
+theory Lambert_W_MacLaurin_Series
+imports
+  "HOL-Computational_Algebra.Formal_Power_Series"
+  "Bernoulli.Bernoulli_FPS" (* TODO only for Stirling number identities; should be moved! *)
+  "Stirling_Formula.Stirling_Formula"
+  Lambert_W
+begin
+
+subsection \<open>The MacLaurin series of $W_0(x)$ at $x = 0$\<close>
+
+text \<open>
+  In this section, we derive the MacLaurin series of $W_0(x)$ as a formal power series
+  at $x = 0$ and prove that its radius of convergenge is $e^{-1}$.
+
+  We do not actually show that this series evaluates to 1 since Isabelle's library does not 
+  contain the required theorems about convergence of the composition of two power series yet.
+  If it did, however, this last remaining step would be trivial since we did all the real work
+  here.
+\<close>
+
+(* TODO Move *)
+lemma Stirling_Suc_n_n: "Stirling (Suc n) n = (Suc n choose 2)"
+  by (induction n) (auto simp: choose_two)
+
+lemma Stirling_n_n_minus_1: "n > 0 \<Longrightarrow> Stirling n (n - 1) = (n choose 2)"
+  using Stirling_Suc_n_n[of "n - 1"] by (cases n) auto
+
+text \<open>
+  The following defines the power series $W(X)$ as the formal inverse of the
+  formal power series $X e^X$:
+\<close>
+definition fps_Lambert_W :: "real fps" where
+  "fps_Lambert_W = fps_inv (fps_X * fps_exp 1)"
+
+text \<open>
+  The formal composition of $W(X)$ and $X e^X$ is, in fact, the identity (in both directions).
+\<close>
+lemma fps_compose_Lambert_W: "fps_compose fps_Lambert_W (fps_X * fps_exp 1) = fps_X"
+  unfolding fps_Lambert_W_def by (rule fps_inv) auto 
+
+lemma fps_compose_Lambert_W': "fps_compose (fps_X * fps_exp 1) fps_Lambert_W  = fps_X"
+  unfolding fps_Lambert_W_def by (rule fps_inv_right) auto
+
+text \<open>
+  We have $W(0) = 0$, which shows that $W(X)$ indeed represents the branch $W_0$.
+\<close>
+lemma fps_nth_Lambert_W_0 [simp]: "fps_nth fps_Lambert_W 0 = 0"
+  by (simp add: fps_Lambert_W_def fps_inv_def)
+
+lemma fps_nth_Lambert_W_1 [simp]: "fps_nth fps_Lambert_W 1 = 1"
+  by (simp add: fps_Lambert_W_def fps_inv_def)
+
+text \<open>
+  All the equalities that hold for the analytic Lambert $W$ function in a neighbourhood of 0
+  also hold formally for the formal power series, e.g. $W(X) = X e^{-W(X)}$:  
+\<close>
+lemma fps_Lambert_W_over_X:
+  "fps_Lambert_W = fps_X * fps_compose (fps_exp (-1)) fps_Lambert_W"
+proof -
+  have "fps_nth (fps_exp 1 oo fps_Lambert_W) 0 = 1"
+    by simp
+  hence nz: "fps_exp 1 oo fps_Lambert_W \<noteq> 0"
+    by force    
+  have "fps_Lambert_W * fps_compose (fps_exp 1) fps_Lambert_W =
+          fps_compose (fps_X * fps_exp 1) fps_Lambert_W"
+    by (simp add: fps_compose_mult_distrib)
+  also have "\<dots> = fps_X * fps_compose 1 fps_Lambert_W"
+    by (simp add: fps_compose_Lambert_W')
+  also have "1 = fps_exp (-1) * fps_exp (1 :: real)"
+    by (simp flip: fps_exp_add_mult)
+  also have "fps_X * fps_compose \<dots> fps_Lambert_W =
+               fps_X * fps_compose (fps_exp (-1)) fps_Lambert_W *
+                 fps_compose (fps_exp 1) fps_Lambert_W"
+    by (simp add: fps_compose_mult_distrib mult_ac)
+  finally show ?thesis
+    using nz by simp
+qed
+    
+text \<open>
+  We now derive the closed-form expression
+  \[W(X) = \sum_{n=1}^\infty \frac{(-n)^{n-1}}{n!} X^n\ .\]
+\<close>
+lemma fps_nth_Lambert_W: "fps_nth fps_Lambert_W n = (if n = 0 then 0 else ((-n)^(n-1) / fact n))"
+proof -
+  define F :: "real fps" where "F = fps_X * fps_exp 1"
+  have fps_nth_eq: "fps_nth F n = 1 / fact (n - 1)" if "n > 0" for n
+    using that unfolding F_def by simp
+  have F_power: "F ^ n = fps_X ^ n * fps_exp (of_nat n)" for n
+    by (simp add: F_def power_mult_distrib fps_exp_power_mult)
+
+  have "fps_nth (fps_inv F) n = (if n = 0 then 0 else ((-n)^(n-1) / fact n))" for n
+  proof (induction n rule: less_induct)
+    case (less n)
+    consider "n = 0" | "n = 1" | "n > 1" by force
+    thus ?case
+    proof cases
+      case 3
+      hence "fps_nth (fps_inv F) n = -(\<Sum>i=0..n-1. fps_nth (fps_inv F) i * fps_nth (F ^ i) n)"
+        (is "_ = -?S") by (cases n) (auto simp: fps_inv_def F_def)
+      also have "?S = (\<Sum>i=1..<n. fps_nth (fps_inv F) i * fps_nth (F ^ i) n)"
+        using less[of 1] 3 by (intro sum.mono_neutral_right) (auto simp: not_le)
+      also have "\<dots> = (-1) ^ (n+1) / fact n *
+                        (\<Sum>i=1..<n. ((-1)^(n - i) * real (n choose i) * real i ^ (n - 1)))"
+        unfolding sum_divide_distrib sum_distrib_left
+      proof (intro sum.cong, goal_cases)
+        case (2 i)
+        hence "fps_nth (fps_inv F) i * fps_nth (F ^ i) n =
+                 (-1) ^ (i - 1) * real (i ^ (i - 1) * i ^ (n - i)) *
+                 (fact n / (fact i * fact (n - i)) / fact n)"
+          using less.IH[of i] by (simp add: F_power less fps_X_power_mult_nth power_minus')
+        also have "(fact n / (fact i * fact (n - i))) = real (n choose i)"
+          using 2 by (subst binomial_fact) auto
+        also have "i ^ (i - 1) * i ^ (n - i) = i ^ (n - 1)"
+          using 2 by (subst power_add [symmetric]) auto
+        also have "(-1) ^ (i - 1) = ((-1) ^ (n+1) * (-1)^(n-i) :: real)"
+          using 2 by (subst power_add [symmetric]) (auto simp: minus_one_power_iff)
+        finally show ?case by simp
+      qed auto
+      also have "(\<Sum>i=1..<n. ((-1)^(n - i) * real (n choose i) * real i ^ (n - 1))) =
+                 (\<Sum>i\<in>{..n}-{n}. ((-1)^(n - i) * real (n choose i) * real i ^ (n - 1)))"
+        using 3 by (intro sum.mono_neutral_left) auto
+      also have "\<dots> = (\<Sum>i\<le>n. ((-1)^(n - i) * real (n choose i) * real i ^ (n - 1))) -
+                      real n ^ (n - 1)"
+        by (subst (2) sum.remove[of _ n]) auto
+      also have "(\<Sum>i\<le>n. ((-1)^(n - i) * real (n choose i) * real i ^ (n - 1))) =
+                   real (Stirling (n - 1) n) * fact n"
+        by (subst Stirling_closed_form) auto
+      also have "Stirling (n - 1) n = 0"
+        using 3 by (subst Stirling_less) auto
+      finally have "fps_nth (fps_inv F) n = -((-1) ^ n * real n ^ (n - 1) / fact n)"
+        by simp
+      also have "\<dots> = (-real n) ^ (n - 1) / fact n"
+        using 3 by (subst power_minus) (auto simp: minus_one_power_iff)
+      finally show ?thesis
+        using 3 by simp
+    qed (auto simp: fps_inv_def F_def)
+  qed
+  thus ?thesis by (simp add: F_def fps_Lambert_W_def)
+qed
+
+(* TODO: Move *)
+text \<open>
+  Next, we need a few auxiliary lemmas about summability and convergence radii that should
+  go into Isabelle's standard library at some point:
+\<close>
+lemma summable_comparison_test_bigo:
+  fixes f :: "nat \<Rightarrow> real"
+  assumes "summable (\<lambda>n. norm (g n))" "f \<in> O(g)"
+  shows   "summable f"
+proof -
+  from \<open>f \<in> O(g)\<close> obtain C where C: "eventually (\<lambda>x. norm (f x) \<le> C * norm (g x)) at_top"
+    by (auto elim: landau_o.bigE)
+  thus ?thesis
+    by (rule summable_comparison_test_ev) (insert assms, auto intro: summable_mult)
+qed
+
+lemma summable_comparison_test_bigo':
+  assumes "summable (\<lambda>n. norm (g n))"
+  assumes "(\<lambda>n. norm (f n :: 'a :: banach)) \<in> O(\<lambda>n. norm (g n))"
+  shows   "summable f"
+proof (rule summable_norm_cancel, rule summable_comparison_test_bigo)
+  show "summable (\<lambda>n. norm (norm (g n)))"
+    using assms by simp
+qed fact+
+
+lemma conv_radius_conv_Sup':
+  fixes f :: "nat \<Rightarrow> 'a :: {banach, real_normed_div_algebra}"
+  shows "conv_radius f = Sup {r. \<forall>z. ereal (norm z) < r \<longrightarrow> summable (\<lambda>n. norm (f n * z ^ n))}"
+proof (rule Sup_eqI [symmetric], goal_cases)
+  case (1 r)
+  show ?case
+  proof (rule conv_radius_geI_ex')
+    fix r' :: real assume r': "r' > 0" "ereal r' < r"
+    show "summable (\<lambda>n. f n * of_real r' ^ n)"
+      by (rule summable_norm_cancel) (use 1 r' in auto)
+  qed
+next
+  case (2 r)
+  from 2[of 0] have r: "r \<ge> 0" by auto
+  show ?case
+  proof (intro conv_radius_leI_ex' r)
+    fix R assume R: "R > 0" "ereal R > r"
+    with r obtain r' where [simp]: "r = ereal r'" by (cases r) auto
+    show "\<not>summable (\<lambda>n. f n * of_real R ^ n)"
+    proof
+      assume *: "summable (\<lambda>n. f n * of_real R ^ n)"
+      define R' where "R' = (R + r') / 2"
+      from R have R': "R' > r'" "R' < R" by (simp_all add: R'_def)
+      hence "\<forall>z. norm z < R' \<longrightarrow> summable (\<lambda>n. norm (f n * z ^ n))"
+        using powser_insidea[OF *] by auto
+      from 2[of R'] and this have "R' \<le> r'" by auto
+      with \<open>R' > r'\<close> show False by simp
+    qed
+  qed
+qed
+
+lemma bigo_imp_conv_radius_ge:
+  fixes f g :: "nat \<Rightarrow> 'a :: {banach, real_normed_field}"
+  assumes "f \<in> O(g)"
+  shows   "conv_radius f \<ge> conv_radius g"
+proof -
+  have "conv_radius g = Sup {r. \<forall>z. ereal (norm z) < r \<longrightarrow> summable (\<lambda>n. norm (g n * z ^ n))}"
+    by (simp add: conv_radius_conv_Sup')
+  also have "\<dots> \<le> Sup {r. \<forall>z. ereal (norm z) < r \<longrightarrow> summable (\<lambda>n. f n * z ^ n)}"
+  proof (rule Sup_subset_mono, safe)
+    fix r :: ereal and z :: 'a
+    assume g: "\<forall>z. ereal (norm z) < r \<longrightarrow> summable (\<lambda>n. norm (g n * z ^ n))"
+    assume z: "ereal (norm z) < r"
+    from g z have "summable (\<lambda>n. norm (g n * z ^ n))"
+      by blast
+    moreover have "(\<lambda>n. norm (f n * z ^ n)) \<in> O(\<lambda>n. norm (g n * z ^ n))"
+      unfolding landau_o.big.norm_iff by (intro landau_o.big.mult assms) auto
+    ultimately show "summable (\<lambda>n. f n * z ^ n)"
+      by (rule summable_comparison_test_bigo')
+  qed
+  also have "\<dots> = conv_radius f"
+    by (simp add: conv_radius_conv_Sup)
+  finally show ?thesis .
+qed
+
+lemma conv_radius_cong_bigtheta:
+  assumes "f \<in> \<Theta>(g)"
+  shows   "conv_radius f = conv_radius g"
+  using assms
+  by (intro antisym bigo_imp_conv_radius_ge) (auto simp: bigtheta_def bigomega_iff_bigo)
+
+lemma conv_radius_eqI_smallomega_smallo:
+  fixes f :: "nat \<Rightarrow> 'a :: {real_normed_div_algebra, banach}"
+  assumes "\<And>\<epsilon>. \<epsilon> > l \<Longrightarrow> \<epsilon> < inverse C \<Longrightarrow> (\<lambda>n. norm (f n)) \<in> \<omega>(\<lambda>n. \<epsilon> ^ n)"
+  assumes "\<And>\<epsilon>. \<epsilon> < u \<Longrightarrow> \<epsilon> > inverse C \<Longrightarrow> (\<lambda>n. norm (f n)) \<in> o(\<lambda>n. \<epsilon> ^ n)"
+  assumes C: "C > 0" and lu: "l > 0" "l < inverse C" "u > inverse C"
+  shows   "conv_radius f = ereal C"
+proof (intro antisym)
+  have "0 < inverse C"
+    using assms by (auto simp: field_simps)
+  also have "\<dots> < u"
+    by fact
+  finally have "u > 0" by simp
+  show "conv_radius f \<ge> C"
+    unfolding conv_radius_altdef le_Liminf_iff
+  proof safe
+    fix c :: ereal assume c: "c < C"
+    hence "max c (inverse u) < ereal C"
+      using lu C \<open>u > 0\<close> by (auto simp: field_simps)
+    from ereal_dense2[OF this] obtain c' where c': "c < ereal c'" "inverse u < c'" "c' < C"
+      by auto
+    have "inverse u > 0"
+      using \<open>u > 0\<close> by simp
+    also have "\<dots> < c'" by fact
+    finally have "c' > 0" .
+    
+    have "\<forall>\<^sub>F x in sequentially. norm (norm (f x)) \<le> 1/2 * norm (inverse c' ^ x)"
+      using landau_o.smallD[OF assms(2)[of "inverse c'"], of "1/2"] c' C lu \<open>c' > 0\<close> c
+      by (simp add: field_simps)
+    thus "\<forall>\<^sub>F n in sequentially. c < inverse (ereal (root n (norm (f n))))"
+      using eventually_gt_at_top[of 0]
+    proof eventually_elim
+      case (elim n)
+      have "norm (f n) \<le> 1/2 * norm (inverse c' ^ n)"
+        using c' using elim by (simp add: field_simps)
+      also have "\<dots> < norm (inverse c' ^ n)"
+        using \<open>c' > 0\<close> by simp
+      finally have "root n (norm (f n)) < root n (norm (inverse c' ^ n))"
+        using \<open>n > 0\<close> c' by (intro real_root_less_mono) auto
+      also have "root n (norm (inverse c' ^ n)) = inverse c'"
+        using \<open>n > 0\<close> \<open>c' > 0\<close> by (simp add: norm_power real_root_power)
+      finally have "ereal (root n (norm (f n))) < ereal (inverse c')"
+        by simp
+      also have "\<dots> = inverse (ereal c')"
+        using \<open>c' > 0\<close> by auto
+      finally have "inverse (inverse (ereal c')) < inverse (ereal (root n (norm (f n))))"
+        using c' \<open>n > 0\<close> by (intro ereal_inverse_antimono_strict) auto
+      also have "inverse (inverse (ereal c')) = ereal c'"
+        using c' by simp
+      finally show ?case
+        using \<open>c < c'\<close> by simp
+    qed
+  qed
+next
+  show "conv_radius f \<le> C"
+  proof (rule ccontr)
+    assume "\<not>(conv_radius f \<le> C)"
+    hence "conv_radius f > C" by auto
+    hence "min (conv_radius f) (inverse l) > ereal C"
+      using lu C \<open>l > 0\<close> by (auto simp: field_simps)
+    from ereal_dense2[OF this] obtain c where c: "C < ereal c" "inverse l > c" "c < conv_radius f"
+      by auto
+    hence "c > 0" using lu C
+      by (simp add: field_simps)
+
+    have "\<forall>\<^sub>F n in sequentially. ereal c < inverse (ereal (root n (norm (f n))))"
+      using less_LiminfD[OF c(3)[unfolded conv_radius_altdef]] by simp
+    moreover have "\<forall>\<^sub>F n in sequentially. norm (f n) \<ge> 2 * norm (inverse c ^ n)"
+      using landau_omega.smallD[OF assms(1)[of "inverse c"], of 2] c C \<open>c > 0\<close> lu
+      by (simp add: field_simps)
+    ultimately have "eventually (\<lambda>n. False) sequentially"
+      using eventually_gt_at_top[of 0]
+    proof eventually_elim
+      case (elim n)
+      have "norm (inverse c ^ n) < 2 * norm (inverse c ^ n)"
+        using c \<open>n > 0\<close> C by simp
+      also have "\<dots> \<le> norm (f n)"
+        using elim by simp
+      finally have "root n (inverse c ^ n) < root n (norm (f n))"
+        using \<open>n > 0\<close> by (intro real_root_less_mono) auto
+      also have "root n (inverse c ^ n) = inverse c"
+        using \<open>n > 0\<close> c C by (subst real_root_power) auto
+      finally have "ereal (inverse c) < ereal (root n (norm (f n)))"
+        by simp
+      also have "ereal (inverse c) = inverse (ereal c)"
+        using c C by auto
+      finally have "inverse (ereal (root n (norm (f n)))) < inverse (inverse (ereal c))"
+        using c C
+        by (intro ereal_inverse_antimono_strict) auto
+      also have "\<dots> = ereal c"
+        using c C by auto
+      also have "\<dots> < inverse (ereal (root n (norm (f n))))"
+        using elim by simp
+      finally show False .
+    qed
+    thus False by simp
+  qed
+qed
+
+text \<open>
+  Finally, we show that the radius of convergence of $W(X)$ is $e^{-1}$ by directly computing
+  \[\lim\limits_{n\to\infty} \sqrt[n]{|[X^n]\,W(X)|} = e\]
+  using Stirling's formula for $n!$:
+\<close>
+lemma fps_conv_radius_Lambert_W: "fps_conv_radius fps_Lambert_W = exp (-1)"
+proof -
+  have "conv_radius (fps_nth fps_Lambert_W) = conv_radius (\<lambda>n. exp 1 ^ n * n powr (-3/2) :: real)"
+  proof (rule conv_radius_cong_bigtheta)
+    have "fps_nth fps_Lambert_W \<in> \<Theta>(\<lambda>n. (-real n) ^ (n - 1) / fact n)"
+      by (intro bigthetaI_cong eventually_mono[OF eventually_gt_at_top[of 0]])
+         (auto simp: fps_nth_Lambert_W)
+    also have "(\<lambda>n. (-real n) ^ (n - 1) / fact n) \<in> \<Theta>(\<lambda>n. real n ^ (n - 1) / fact n)"
+      by (subst landau_theta.norm_iff [symmetric], subst norm_divide) auto
+    also have "(\<lambda>n. (real n) ^ (n - 1) / fact n) \<in>
+                 \<Theta>(\<lambda>n. (real n) ^ (n - 1) / (sqrt (2 * pi * real n) * (real n / exp 1) ^ n))"
+      by (intro asymp_equiv_imp_bigtheta asymp_equiv_intros fact_asymp_equiv)
+    also have "(\<lambda>n. (real n) ^ (n - 1) / (sqrt (2 * pi * real n) * (real n / exp 1) ^ n)) \<in>
+                 \<Theta>(\<lambda>n. exp 1 ^ n * n powr (-3/2))"
+      by (real_asymp simp: ln_inverse)
+    finally show "fps_nth fps_Lambert_W \<in> \<Theta>(\<lambda>n. exp 1 ^ n * n powr (-3/2) :: real)" .
+  qed
+  also have "\<dots> = inverse (limsup (\<lambda>n. ereal (root n (exp 1 ^ n * real n powr - (3 / 2)))))"
+    by (simp add: conv_radius_def)
+  also have "limsup (\<lambda>n. ereal (root n (exp 1 ^ n * real n powr - (3 / 2)))) = exp 1"
+  proof (intro lim_imp_Limsup tendsto_intros)
+    \<comment> \<open>real\_asymp does not support \<^const>\<open>root\<close> for a variable basis natively, so
+        we need to convert it to \<^const>\<open>powr\<close> first.\<close>
+    (* TODO add better "root" support to real_asymp *)
+    have "(\<lambda>n. (exp 1 ^ n * real n powr -(3/2)) powr (1 / real n)) \<longlonglongrightarrow> exp 1"
+      by real_asymp
+    also have "?this \<longleftrightarrow> (\<lambda>x. root x (exp 1 ^ x * real x powr - (3 / 2))) \<longlonglongrightarrow> exp 1"
+      by (intro filterlim_cong eventually_mono[OF eventually_gt_at_top[of 0]])
+         (auto simp: root_powr_inverse)
+    finally show \<dots> .
+  qed auto
+  finally show ?thesis
+    by (simp add: fps_conv_radius_def exp_minus)
+qed
+
+end
\ No newline at end of file
diff --git a/thys/Lambert_W/ROOT b/thys/Lambert_W/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/Lambert_W/ROOT
@@ -0,0 +1,16 @@
+chapter AFP
+
+session Lambert_W (AFP) = Bernoulli +
+  options [timeout = 1200]
+  sessions
+    "HOL-Library"
+    "HOL-Computational_Algebra"
+    "HOL-Real_Asymp"
+    Stirling_Formula
+  theories
+    Lambert_W
+    Lambert_W_MacLaurin_Series
+  document_files
+    "root.tex"
+    "root.bib"
+
diff --git a/thys/Lambert_W/document/root.bib b/thys/Lambert_W/document/root.bib
new file mode 100644
--- /dev/null
+++ b/thys/Lambert_W/document/root.bib
@@ -0,0 +1,13 @@
+@article{corless96,
+  doi = {10.1007/bf02124750},
+  url = {https://doi.org/10.1007/bf02124750},
+  year = {1996},
+  month = dec,
+  publisher = {Springer Science and Business Media {LLC}},
+  volume = {5},
+  number = {1},
+  pages = {329--359},
+  author = {R. M. Corless and G. H. Gonnet and D. E. G. Hare and D. J. Jeffrey and D. E. Knuth},
+  title = {On the {Lambert $W$} function},
+  journal = {Advances in Computational Mathematics}
+}
diff --git a/thys/Lambert_W/document/root.tex b/thys/Lambert_W/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/Lambert_W/document/root.tex
@@ -0,0 +1,40 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{isabelle,isabellesym}
+\usepackage{amsfonts, amsmath, amssymb}
+\usepackage{pgfplots}
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+\begin{document}
+
+\title{The Lambert $W$ Function on the Reals}
+\author{Manuel Eberl}
+\maketitle
+
+\begin{abstract}
+The Lambert $W$ function is a multi-valued function defined as the inverse function of $x \mapsto x e^x$. Besides numerous applications in combinatorics, physics, and engineering, it also frequently occurs when solving equations containing both $e^x$ and $x$, or both $x$ and $\log x$.
+
+This article provides a definition of the two real-valued branches $W_0(x)$ and $W_{-1}(x)$ and proves various properties such as basic identities and inequalities, monotonicity, differentiability, asymptotic expansions, and the MacLaurin series of $W_0(x)$ at $x = 0$.
+\end{abstract}
+
+\tableofcontents
+\newpage
+\parindent 0pt\parskip 0.5ex
+
+\input{session}
+
+\nocite{corless96}
+\bibliographystyle{abbrv}
+\bibliography{root}
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
diff --git a/thys/Matrices_for_ODEs/MTX_Examples.thy b/thys/Matrices_for_ODEs/MTX_Examples.thy
new file mode 100644
--- /dev/null
+++ b/thys/Matrices_for_ODEs/MTX_Examples.thy
@@ -0,0 +1,237 @@
+(*  Title:       Verification Examples
+    Author:      Jonathan Julián Huerta y Munive, 2020
+    Maintainer:  Jonathan Julián Huerta y Munive <jjhuertaymunive1@sheffield.ac.uk>
+*)
+
+section \<open> Verification examples \<close>
+
+
+theory MTX_Examples
+  imports MTX_Flows "Hybrid_Systems_VCs.HS_VC_Spartan"
+
+begin
+
+
+subsection \<open> Examples \<close>
+
+abbreviation hoareT :: "('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> 'a set) \<Rightarrow> ('a \<Rightarrow> bool) \<Rightarrow> bool" 
+  ("PRE_ HP _ POST _" [85,85]85) where "PRE P HP X POST Q \<equiv> (P \<le> |X]Q)"
+
+
+subsubsection \<open> Verification by uniqueness. \<close>
+
+abbreviation mtx_circ :: "2 sq_mtx" ("A")
+  where "A \<equiv> mtx  
+   ([0,  1] # 
+    [-1, 0] # [])"
+
+abbreviation mtx_circ_flow :: "real \<Rightarrow> real^2 \<Rightarrow> real^2" ("\<phi>")
+  where "\<phi> t s \<equiv> (\<chi> i. if i = 1 then s$1 * cos t + s$2 * sin t else - s$1 * sin t + s$2 * cos t)"
+
+lemma mtx_circ_flow_eq: "exp (t *\<^sub>R A) *\<^sub>V s = \<phi> t s"
+  apply(rule local_flow.eq_solution[OF local_flow_sq_mtx_linear, symmetric])
+    apply(rule ivp_solsI, simp_all add: sq_mtx_vec_mult_eq vec_eq_iff)
+  unfolding UNIV_2 using exhaust_2
+  by (force intro!: poly_derivatives simp: matrix_vector_mult_def)+
+
+lemma mtx_circ: 
+  "PRE(\<lambda>s. r\<^sup>2 = (s $ 1)\<^sup>2 + (s $ 2)\<^sup>2) 
+  HP x\<acute>=(*\<^sub>V) A & G 
+  POST (\<lambda>s. r\<^sup>2 = (s $ 1)\<^sup>2 + (s $ 2)\<^sup>2)"
+  apply(subst local_flow.fbox_g_ode[OF local_flow_sq_mtx_linear])
+  unfolding mtx_circ_flow_eq by auto
+
+no_notation mtx_circ ("A")
+        and mtx_circ_flow ("\<phi>")
+
+
+subsubsection \<open> Flow of diagonalisable matrix. \<close>
+
+abbreviation mtx_hOsc :: "real \<Rightarrow> real \<Rightarrow> 2 sq_mtx" ("A")
+  where "A a b \<equiv> mtx  
+   ([0, 1] # 
+    [a, b] # [])"
+
+abbreviation mtx_chB_hOsc :: "real \<Rightarrow> real \<Rightarrow> 2 sq_mtx" ("P")
+  where "P a b \<equiv> mtx
+   ([a, b] # 
+    [1, 1] # [])"
+
+lemma inv_mtx_chB_hOsc: 
+  "a \<noteq> b \<Longrightarrow> (P a b)\<^sup>-\<^sup>1 = (1/(a - b)) *\<^sub>R mtx 
+   ([ 1, -b] # 
+    [-1,  a] # [])"
+  apply(rule sq_mtx_inv_unique, unfold scaleR_mtx2 times_mtx2)
+  by (simp add: diff_divide_distrib[symmetric] one_mtx2)+
+
+lemma invertible_mtx_chB_hOsc: "a \<noteq> b \<Longrightarrow> mtx_invertible (P a b)"
+  apply(rule mtx_invertibleI[of _ "(P a b)\<^sup>-\<^sup>1"])
+   apply(unfold inv_mtx_chB_hOsc scaleR_mtx2 times_mtx2 one_mtx2)
+  by (subst sq_mtx_eq_iff, simp add: vector_def frac_diff_eq1)+
+
+lemma mtx_hOsc_diagonalizable:
+  fixes a b :: real
+  defines "\<iota>\<^sub>1 \<equiv> (b - sqrt (b^2+4*a))/2" and "\<iota>\<^sub>2 \<equiv> (b + sqrt (b^2+4*a))/2"
+  assumes "b\<^sup>2 + a * 4 > 0" and "a \<noteq> 0"
+  shows "A a b = P (-\<iota>\<^sub>2/a) (-\<iota>\<^sub>1/a) * (\<d>\<i>\<a>\<g> i. if i = 1 then \<iota>\<^sub>1 else \<iota>\<^sub>2) * (P (-\<iota>\<^sub>2/a) (-\<iota>\<^sub>1/a))\<^sup>-\<^sup>1"
+  unfolding assms apply(subst inv_mtx_chB_hOsc)
+  using assms(3,4) apply(simp_all add: diag2_eq[symmetric])
+  unfolding sq_mtx_times_eq sq_mtx_scaleR_eq UNIV_2 apply(subst sq_mtx_eq_iff)
+  using exhaust_2 assms by (auto simp: field_simps, auto simp: field_power_simps)
+
+lemma mtx_hOsc_solution_eq:
+  fixes a b :: real
+  defines "\<iota>\<^sub>1 \<equiv> (b - sqrt (b\<^sup>2+4*a))/2" and "\<iota>\<^sub>2 \<equiv> (b + sqrt (b\<^sup>2+4*a))/2"
+  defines "\<Phi> t \<equiv> mtx (
+   [\<iota>\<^sub>2*exp(t*\<iota>\<^sub>1) - \<iota>\<^sub>1*exp(t*\<iota>\<^sub>2),     exp(t*\<iota>\<^sub>2)-exp(t*\<iota>\<^sub>1)]#
+   [a*exp(t*\<iota>\<^sub>2) - a*exp(t*\<iota>\<^sub>1), \<iota>\<^sub>2*exp(t*\<iota>\<^sub>2)-\<iota>\<^sub>1*exp(t*\<iota>\<^sub>1)]#[])"
+  assumes "b\<^sup>2 + a * 4 > 0" and "a \<noteq> 0"
+  shows "P (-\<iota>\<^sub>2/a) (-\<iota>\<^sub>1/a) * (\<d>\<i>\<a>\<g> i. exp (t * (if i=1 then \<iota>\<^sub>1 else \<iota>\<^sub>2))) * (P (-\<iota>\<^sub>2/a) (-\<iota>\<^sub>1/a))\<^sup>-\<^sup>1 
+  = (1/sqrt (b\<^sup>2 + a * 4)) *\<^sub>R (\<Phi> t)"
+  unfolding assms apply(subst inv_mtx_chB_hOsc)
+  using assms apply(simp_all add: mtx_times_scaleR_commute, subst sq_mtx_eq_iff)
+  unfolding UNIV_2 sq_mtx_times_eq sq_mtx_scaleR_eq sq_mtx_uminus_eq apply(simp_all add: axis_def)
+  by (auto simp: field_simps, auto simp: field_power_simps)+
+ 
+lemma local_flow_mtx_hOsc:
+  fixes a b
+  defines "\<iota>\<^sub>1 \<equiv> (b - sqrt (b^2+4*a))/2" and "\<iota>\<^sub>2 \<equiv> (b + sqrt (b^2+4*a))/2"
+  defines "\<Phi> t \<equiv> mtx (
+   [\<iota>\<^sub>2*exp(t*\<iota>\<^sub>1) - \<iota>\<^sub>1*exp(t*\<iota>\<^sub>2),     exp(t*\<iota>\<^sub>2)-exp(t*\<iota>\<^sub>1)]#
+   [a*exp(t*\<iota>\<^sub>2) - a*exp(t*\<iota>\<^sub>1), \<iota>\<^sub>2*exp(t*\<iota>\<^sub>2)-\<iota>\<^sub>1*exp(t*\<iota>\<^sub>1)]#[])"
+  assumes "b\<^sup>2 + a * 4 > 0" and "a \<noteq> 0"
+  shows "local_flow ((*\<^sub>V) (A a b)) UNIV UNIV (\<lambda>t. (*\<^sub>V) ((1/sqrt (b\<^sup>2 + a * 4)) *\<^sub>R \<Phi> t))"
+  unfolding assms using local_flow_sq_mtx_linear[of "A a b"] assms
+  apply(subst (asm) exp_scaleR_diagonal2[OF invertible_mtx_chB_hOsc mtx_hOsc_diagonalizable])
+     apply(simp, simp, simp)
+  by (subst (asm) mtx_hOsc_solution_eq) simp_all
+
+lemma overdamped_door_arith:
+  assumes "b\<^sup>2 + a * 4 > 0" and "a < 0" and "b \<le> 0" and "t \<ge> 0" and "s1 > 0"
+  shows "0 \<le> ((b + sqrt (b\<^sup>2 + 4 * a)) * exp (t * (b - sqrt (b\<^sup>2 + 4 * a)) / 2) / 2 - 
+(b - sqrt (b\<^sup>2 + 4 * a)) * exp (t * (b + sqrt (b\<^sup>2 + 4 * a)) / 2) / 2) * s1 / sqrt (b\<^sup>2 + a * 4)"
+proof(subst diff_divide_distrib[symmetric], simp)
+  have f0: "s1 / (2 * sqrt (b\<^sup>2 + a * 4)) > 0"  (is "s1/?c3 > 0")
+    using assms(1,5) by simp
+  have f1: "(b - sqrt (b\<^sup>2 + 4 * a)) < (b + sqrt (b\<^sup>2 + 4 * a))" (is "?c2 < ?c1") 
+    and f2: "(b + sqrt (b\<^sup>2 + 4 * a)) < 0"
+    using sqrt_ge_absD[of b "b\<^sup>2 + 4 * a"] assms by (force, linarith)
+  hence f3: "exp (t * ?c2 / 2) \<le> exp (t * ?c1 / 2)" (is "exp ?t1 \<le> exp ?t2")
+    unfolding exp_le_cancel_iff 
+    using assms(4) by (case_tac "t=0", simp_all)
+  hence "?c2 * exp ?t2 \<le> ?c2 * exp ?t1"
+    using f1 f2 real_mult_le_cancel_iff2[of "-?c2" "exp ?t1" "exp ?t2"] by linarith 
+  also have "... < ?c1 * exp ?t1"
+    using f1 by auto
+  also have"... \<le> ?c1 * exp ?t1"
+    using f1 f2 by auto
+  ultimately show "0 \<le> (?c1 * exp ?t1 - ?c2 * exp ?t2) * s1 / ?c3"
+    using f0 f1 assms(5) by auto
+qed
+
+lemma overdamped_door:
+  assumes "b\<^sup>2 + a * 4 > 0" and "a < 0" and "b \<le> 0" and "0 \<le> t"
+  shows "PRE (\<lambda>s. s$1 = 0)
+  HP (LOOP 
+      (\<lambda>s. {s. s$1 > 0 \<and> s$2 = 0});
+      (x\<acute>=(*\<^sub>V) (A a b) & G on {0..t} UNIV @ 0) 
+     INV (\<lambda>s. 0 \<le> s$1))
+  POST (\<lambda>s. 0 \<le> s $ 1)"
+  apply(rule fbox_loopI, simp_all add: le_fun_def)
+  apply(subst local_flow.fbox_g_ode_ivl[OF local_flow_mtx_hOsc[OF assms(1)]])
+  using assms apply(simp_all add: le_fun_def fbox_def)
+  unfolding sq_mtx_scaleR_eq UNIV_2 sq_mtx_vec_mult_eq
+  by (clarsimp simp: overdamped_door_arith)
+
+
+no_notation mtx_hOsc ("A")
+        and mtx_chB_hOsc ("P")
+
+
+subsubsection \<open> Flow of non-diagonalisable matrix. \<close>
+
+abbreviation mtx_cnst_acc :: "3 sq_mtx" ("K")
+  where "K \<equiv> mtx (
+  [0,1,0] #
+  [0,0,1] # 
+  [0,0,0] # [])"
+
+lemma pow2_scaleR_mtx_cnst_acc: "(t *\<^sub>R K)\<^sup>2 = mtx (
+  [0,0,t\<^sup>2] #
+  [0,0,0] # 
+  [0,0,0] # [])"
+  unfolding power2_eq_square apply(subst sq_mtx_eq_iff)
+  unfolding sq_mtx_times_eq UNIV_3 by auto
+
+lemma powN_scaleR_mtx_cnst_acc: "n > 2 \<Longrightarrow> (t *\<^sub>R K)^n = 0"
+  apply(induct n, simp, case_tac "n \<le> 2")
+   apply(subgoal_tac "n = 2", erule ssubst)
+  unfolding power_Suc2 pow2_scaleR_mtx_cnst_acc sq_mtx_times_eq UNIV_3
+  by (auto simp: sq_mtx_eq_iff)
+
+lemma exp_mtx_cnst_acc: "exp (t *\<^sub>R K) = ((t *\<^sub>R K)\<^sup>2/\<^sub>R 2) + (t *\<^sub>R K) + 1"
+  unfolding exp_def apply(subst suminf_eq_sum[of 2])
+  using powN_scaleR_mtx_cnst_acc by (simp_all add: numeral_2_eq_2)
+ 
+lemma exp_mtx_cnst_acc_simps:
+  "exp (t *\<^sub>R K) $$ 1 $ 1 = 1" "exp (t *\<^sub>R K) $$ 1 $ 2 = t" "exp (t *\<^sub>R K) $$ 1 $ 3 = t^2/2"
+  "exp (t *\<^sub>R K) $$ 2 $ 1 = 0" "exp (t *\<^sub>R K) $$ 2 $ 2 = 1" "exp (t *\<^sub>R K) $$ 2 $ 3 = t"
+  "exp (t *\<^sub>R K) $$ 3 $ 1 = 0" "exp (t *\<^sub>R K) $$ 3 $ 2 = 0" "exp (t *\<^sub>R K) $$ 3 $ 3 = 1"
+  unfolding exp_mtx_cnst_acc one_mtx3 pow2_scaleR_mtx_cnst_acc by simp_all
+
+lemma exp_mtx_cnst_acc_vec_mult_eq: "exp (t *\<^sub>R K) *\<^sub>V s = 
+  vector [s$3 * t^2/2 + s$2 * t + s$1, s$3 * t + s$2, s$3]"
+  apply(simp add: sq_mtx_vec_mult_eq vector_def)
+  unfolding UNIV_3 apply (simp add: exp_mtx_cnst_acc_simps fun_eq_iff)
+  using exhaust_3 exp_mtx_cnst_acc_simps(7,8,9) by fastforce
+
+lemma local_flow_mtx_cnst_acc:
+  "local_flow ((*\<^sub>V) K) UNIV UNIV (\<lambda>t s. ((t *\<^sub>R K)\<^sup>2/\<^sub>R 2 + (t *\<^sub>R K) + 1) *\<^sub>V s)"
+  using local_flow_sq_mtx_linear[of K] unfolding exp_mtx_cnst_acc .  
+
+lemma docking_station_arith:
+  assumes "(d::real) > x" and "v > 0"
+  shows "(v = v\<^sup>2 * t / (2 * d - 2 * x)) \<longleftrightarrow> (v * t - v\<^sup>2 * t\<^sup>2 / (4 * d - 4 * x) + x = d)"
+proof
+  assume "v = v\<^sup>2 * t / (2 * d - 2 * x)"
+  hence "v * t = 2 * (d - x)"
+    using assms by (simp add: eq_divide_eq power2_eq_square) 
+  hence "v * t - v\<^sup>2 * t\<^sup>2 / (4 * d - 4 * x) + x = 2 * (d - x) - 4 * (d - x)\<^sup>2 / (4 * (d - x)) + x"
+    apply(subst power_mult_distrib[symmetric])
+    by (erule ssubst, subst power_mult_distrib, simp)
+  also have "... = d"
+    apply(simp only: mult_divide_mult_cancel_left_if)
+    using assms by (auto simp: power2_eq_square)
+  finally show "v * t - v\<^sup>2 * t\<^sup>2 / (4 * d - 4 * x) + x = d" .
+next
+  assume "v * t - v\<^sup>2 * t\<^sup>2 / (4 * d - 4 * x) + x = d"
+  hence "0 = v\<^sup>2 * t\<^sup>2 / (4 * (d - x)) + (d - x) - v * t"
+    by auto
+  hence "0 = (4 * (d - x)) * (v\<^sup>2 * t\<^sup>2 / (4 * (d - x)) + (d - x) - v * t)"
+    by auto
+  also have "... = v\<^sup>2 * t\<^sup>2 + 4 * (d - x)\<^sup>2  - (4 * (d - x)) * (v * t)"
+    using assms apply(simp add: distrib_left right_diff_distrib)
+    apply(subst right_diff_distrib[symmetric])+
+    by (simp add: power2_eq_square)
+  also have "... = (v * t - 2 * (d - x))\<^sup>2"
+    by (simp only: power2_diff, auto simp: field_simps power2_diff)
+  finally have "0 = (v * t - 2 * (d - x))\<^sup>2" .
+  hence "v * t = 2 * (d - x)"
+    by auto
+  thus "v = v\<^sup>2 * t / (2 * d - 2 * x)"
+    apply(subst power2_eq_square, subst mult.assoc)
+    apply(erule ssubst, subst right_diff_distrib[symmetric])
+    using assms by auto
+qed
+
+lemma docking_station:
+  assumes "d > x\<^sub>0" and "v\<^sub>0 > 0"
+  shows "PRE (\<lambda>s. s$1 = x\<^sub>0 \<and> s$2 = v\<^sub>0)
+  HP ((3 ::= (\<lambda>s. -(v\<^sub>0^2/(2*(d-x\<^sub>0))))); x\<acute>=(*\<^sub>V) K & G)
+  POST (\<lambda>s. s$2 = 0 \<longleftrightarrow> s$1 = d)"
+  apply(clarsimp simp: le_fun_def local_flow.fbox_g_ode[OF local_flow_sq_mtx_linear[of K]])
+  unfolding exp_mtx_cnst_acc_vec_mult_eq using assms by (simp add: docking_station_arith)
+
+no_notation mtx_cnst_acc ("K")
+
+end
\ No newline at end of file
diff --git a/thys/Matrices_for_ODEs/MTX_Flows.thy b/thys/Matrices_for_ODEs/MTX_Flows.thy
new file mode 100644
--- /dev/null
+++ b/thys/Matrices_for_ODEs/MTX_Flows.thy
@@ -0,0 +1,291 @@
+(*  Title:       Affine systems of ODEs
+    Author:      Jonathan Julián Huerta y Munive, 2020
+    Maintainer:  Jonathan Julián Huerta y Munive <jjhuertaymunive1@sheffield.ac.uk>
+*)
+
+section \<open> Affine systems of ODEs \<close>
+
+text \<open>Affine systems of ordinary differential equations (ODEs) are those whose vector 
+fields are linear operators. Broadly speaking, if there are functions $A$ and $B$ such that the 
+system of ODEs $X'\, t = f\, (X\, t)$ turns into $X'\, t = (A\, t)\cdot (X\, t)+(B\, t)$, then it
+is affine. The end goal of this section is to prove that every affine system of ODEs has a unique 
+solution, and to obtain a characterization of said solution. \<close>
+
+theory MTX_Flows
+  imports SQ_MTX "Hybrid_Systems_VCs.HS_ODEs"
+
+begin
+
+
+subsection \<open> Existence and uniqueness for affine systems \<close>
+
+definition matrix_continuous_on :: "real set \<Rightarrow> (real \<Rightarrow> ('a::real_normed_algebra_1)^'n^'m) \<Rightarrow> bool" 
+  where "matrix_continuous_on T A = (\<forall>t \<in> T. \<forall>\<epsilon> > 0. \<exists> \<delta> > 0. \<forall>\<tau>\<in>T. \<bar>\<tau> - t\<bar> < \<delta> \<longrightarrow> \<parallel>A \<tau> - A t\<parallel>\<^sub>o\<^sub>p \<le> \<epsilon>)"
+
+lemma continuous_on_matrix_vector_multl:
+  assumes "matrix_continuous_on T A"
+  shows "continuous_on T (\<lambda>t. A t *v s)"
+proof(rule continuous_onI, simp add: dist_norm)
+  fix e t::real assume "0 < e" and "t \<in> T"
+  let ?\<epsilon> = "e/(\<parallel>(if s = 0 then 1 else s)\<parallel>)"
+  have "?\<epsilon> > 0"
+    using \<open>0 < e\<close> by simp 
+  then obtain \<delta> where dHyp: "\<delta> > 0 \<and> (\<forall>\<tau>\<in>T. \<bar>\<tau> - t\<bar> < \<delta> \<longrightarrow> \<parallel>A \<tau> - A t\<parallel>\<^sub>o\<^sub>p \<le> ?\<epsilon>)"
+    using assms \<open>t \<in> T\<close> unfolding dist_norm matrix_continuous_on_def by fastforce
+  {fix \<tau> assume "\<tau> \<in> T" and "\<bar>\<tau> - t\<bar> < \<delta>"
+    have obs: "?\<epsilon> * (\<parallel>s\<parallel>) = (if s = 0 then 0 else e)"
+      by auto
+    have "\<parallel>A \<tau> *v s - A t *v s\<parallel> = \<parallel>(A \<tau> - A t) *v s\<parallel>"
+      by (simp add: matrix_vector_mult_diff_rdistrib)      
+    also have "... \<le> (\<parallel>A \<tau> - A t\<parallel>\<^sub>o\<^sub>p) * (\<parallel>s\<parallel>)"
+      using norm_matrix_le_mult_op_norm by blast
+    also have "... \<le> ?\<epsilon> * (\<parallel>s\<parallel>)"
+      using dHyp \<open>\<tau> \<in> T\<close> \<open>\<bar>\<tau> - t\<bar> < \<delta>\<close> mult_right_mono norm_ge_zero by blast 
+    finally have "\<parallel>A \<tau> *v s - A t *v s\<parallel> \<le> e"
+      by (subst (asm) obs) (metis (mono_tags, hide_lams) \<open>0 < e\<close> less_eq_real_def order_trans)}
+  thus "\<exists>d>0. \<forall>\<tau>\<in>T. \<bar>\<tau> - t\<bar> < d \<longrightarrow> \<parallel>A \<tau> *v s - A t *v s\<parallel> \<le> e"
+    using dHyp by blast
+qed
+
+lemma lipschitz_cond_affine:
+  fixes A :: "real \<Rightarrow> 'a::real_normed_algebra_1^'n^'m" and T::"real set"
+  defines "L \<equiv> Sup {\<parallel>A t\<parallel>\<^sub>o\<^sub>p |t. t \<in> T}"
+  assumes "t \<in> T" and "bdd_above {\<parallel>A t\<parallel>\<^sub>o\<^sub>p |t. t \<in> T}"
+  shows "\<parallel>A t *v x - A t *v y\<parallel> \<le> L * (\<parallel>x - y\<parallel>)"
+proof-
+  have obs: "\<parallel>A t\<parallel>\<^sub>o\<^sub>p \<le> Sup {\<parallel>A t\<parallel>\<^sub>o\<^sub>p |t. t \<in> T}"
+    apply(rule cSup_upper)
+    using continuous_on_subset assms by (auto simp: dist_norm)
+  have "\<parallel>A t *v x - A t *v y\<parallel> = \<parallel>A t *v (x - y)\<parallel>"
+    by (simp add: matrix_vector_mult_diff_distrib)
+  also have "... \<le> (\<parallel>A t\<parallel>\<^sub>o\<^sub>p) * (\<parallel>x - y\<parallel>)"
+    using norm_matrix_le_mult_op_norm by blast
+  also have "... \<le> Sup {\<parallel>A t\<parallel>\<^sub>o\<^sub>p |t. t \<in> T} * (\<parallel>x - y\<parallel>)"
+    using obs mult_right_mono norm_ge_zero by blast 
+  finally show "\<parallel>A t *v x - A t *v y\<parallel> \<le> L * (\<parallel>x - y\<parallel>)"
+    unfolding assms .
+qed
+
+lemma local_lipschitz_affine:
+  fixes A :: "real \<Rightarrow> 'a::real_normed_algebra_1^'n^'m"
+  assumes "open T" and "open S" 
+    and Ahyp: "\<And>\<tau> \<epsilon>. \<epsilon> > 0 \<Longrightarrow> \<tau> \<in> T \<Longrightarrow> cball \<tau> \<epsilon> \<subseteq> T \<Longrightarrow> bdd_above {\<parallel>A t\<parallel>\<^sub>o\<^sub>p |t. t \<in> cball \<tau> \<epsilon>}"
+  shows "local_lipschitz T S (\<lambda>t s. A t *v s + B t)"
+proof(unfold local_lipschitz_def lipschitz_on_def, clarsimp)
+  fix s t assume "s \<in> S" and "t \<in> T"
+  then obtain e1 e2 where "cball t e1 \<subseteq> T" and "cball s e2 \<subseteq> S" and "min e1 e2 > 0"
+    using open_cballE[OF _ \<open>open T\<close>] open_cballE[OF _ \<open>open S\<close>] by force
+  hence obs: "cball t (min e1 e2) \<subseteq> T"
+    by auto
+  let ?L = "Sup {\<parallel>A \<tau>\<parallel>\<^sub>o\<^sub>p |\<tau>. \<tau> \<in> cball t (min e1 e2)}"
+  have "\<parallel>A t\<parallel>\<^sub>o\<^sub>p \<in> {\<parallel>A \<tau>\<parallel>\<^sub>o\<^sub>p |\<tau>. \<tau> \<in> cball t (min e1 e2)}"
+    using \<open>min e1 e2 > 0\<close> by auto
+  moreover have bdd: "bdd_above {\<parallel>A \<tau>\<parallel>\<^sub>o\<^sub>p |\<tau>. \<tau> \<in> cball t (min e1 e2)}"
+    by (rule Ahyp, simp only: \<open>min e1 e2 > 0\<close>, simp_all add: \<open>t \<in> T\<close> obs)
+  moreover have "Sup {\<parallel>A \<tau>\<parallel>\<^sub>o\<^sub>p |\<tau>. \<tau> \<in> cball t (min e1 e2)} \<ge> 0"
+    apply(rule order.trans[OF op_norm_ge_0[of "A t"]])
+    by (rule cSup_upper[OF calculation])
+  moreover have "\<forall>x\<in>cball s (min e1 e2) \<inter> S. \<forall>y\<in>cball s (min e1 e2) \<inter> S. 
+    \<forall>\<tau>\<in>cball t (min e1 e2) \<inter> T. dist (A \<tau> *v x) (A \<tau> *v y) \<le> ?L * dist x y"
+    apply(clarify, simp only: dist_norm, rule lipschitz_cond_affine)
+    using \<open>min e1 e2 > 0\<close> bdd by auto
+  ultimately show "\<exists>e>0. \<exists>L. \<forall>t\<in>cball t e \<inter> T. 0 \<le> L \<and> 
+    (\<forall>x\<in>cball s e \<inter> S. \<forall>y\<in>cball s e \<inter> S. dist (A t *v x) (A t *v y) \<le> L * dist x y)"
+    using \<open>min e1 e2 > 0\<close> by blast
+qed
+
+lemma picard_lindeloef_affine:
+  fixes A :: "real \<Rightarrow> 'a::{banach,real_normed_algebra_1,heine_borel}^'n^'n"
+  assumes Ahyp: "matrix_continuous_on T A"
+      and "\<And>\<tau> \<epsilon>. \<tau> \<in> T \<Longrightarrow> \<epsilon> > 0 \<Longrightarrow> bdd_above {\<parallel>A t\<parallel>\<^sub>o\<^sub>p |t. dist \<tau> t \<le> \<epsilon>}"
+      and Bhyp: "continuous_on T B" and "open S" 
+      and "t\<^sub>0 \<in> T" and Thyp: "open T" "is_interval T" 
+    shows "picard_lindeloef (\<lambda> t s. A t *v s + B t) T S t\<^sub>0"
+  apply (unfold_locales, simp_all add: assms, clarsimp)
+   apply (rule continuous_on_add[OF continuous_on_matrix_vector_multl[OF Ahyp] Bhyp])
+  by (rule local_lipschitz_affine) (simp_all add: assms)
+
+lemma picard_lindeloef_autonomous_affine: 
+  fixes A :: "'a::{banach,real_normed_field,heine_borel}^'n^'n"
+  shows "picard_lindeloef (\<lambda> t s. A *v s + B) UNIV UNIV t\<^sub>0"
+  using picard_lindeloef_affine[of _ "\<lambda>t. A" "\<lambda>t. B"] 
+  unfolding matrix_continuous_on_def by (simp only: diff_self op_norm0, auto)
+
+lemma picard_lindeloef_autonomous_linear:
+  fixes A :: "'a::{banach,real_normed_field,heine_borel}^'n^'n"
+  shows "picard_lindeloef (\<lambda> t. (*v) A) UNIV UNIV t\<^sub>0"
+  using picard_lindeloef_autonomous_affine[of A 0] by force
+
+lemmas unique_sol_autonomous_affine = picard_lindeloef.unique_solution[OF 
+    picard_lindeloef_autonomous_affine _ _ funcset_UNIV UNIV_I _ _ funcset_UNIV UNIV_I]
+
+lemmas unique_sol_autonomous_linear = picard_lindeloef.unique_solution[OF 
+    picard_lindeloef_autonomous_linear _ _ funcset_UNIV UNIV_I _ _ funcset_UNIV UNIV_I]
+
+
+subsection \<open> Flow for affine systems \<close>
+
+
+subsubsection \<open> Derivative rules for square matrices \<close>
+
+lemma has_derivative_exp_scaleRl[derivative_intros]:
+  fixes f::"real \<Rightarrow> real" (* by Fabian Immler and Johannes Hölzl *)
+  assumes "D f \<mapsto> f' at t within T"
+  shows "D (\<lambda>t. exp (f t *\<^sub>R A)) \<mapsto> (\<lambda>h. f' h *\<^sub>R (exp (f t *\<^sub>R A) * A)) at t within T"
+proof -
+  have "bounded_linear f'" 
+    using assms by auto
+  then obtain m where obs: "f' = (\<lambda>h. h * m)"
+    using real_bounded_linear by blast
+  thus ?thesis
+    using vector_diff_chain_within[OF _ exp_scaleR_has_vector_derivative_right] 
+      assms obs by (auto simp: has_vector_derivative_def comp_def)
+qed
+
+lemma has_vderiv_on_exp_scaleRl:
+  assumes "D f = f' on T"
+  shows "D (\<lambda>x. exp (f x *\<^sub>R A)) = (\<lambda>x. f' x *\<^sub>R exp (f x *\<^sub>R A) * A) on T"
+  using assms unfolding has_vderiv_on_def has_vector_derivative_def apply clarsimp
+  by (rule has_derivative_exp_scaleRl, auto simp: fun_eq_iff)
+
+lemma vderiv_on_exp_scaleRlI[poly_derivatives]:
+  assumes "D f = f' on T" and "g' = (\<lambda>x. f' x *\<^sub>R exp (f x *\<^sub>R A) * A)"
+  shows "D (\<lambda>x. exp (f x *\<^sub>R A)) = g' on T"
+  using has_vderiv_on_exp_scaleRl assms by simp
+
+lemma has_derivative_mtx_ith[derivative_intros]:
+  fixes t::real and T :: "real set"
+  defines "t\<^sub>0 \<equiv> netlimit (at t within T)"
+  assumes "D A \<mapsto> (\<lambda>h. h *\<^sub>R A' t) at t within T"
+  shows "D (\<lambda>t. A t $$ i) \<mapsto> (\<lambda>h. h *\<^sub>R A' t $$ i) at t within T"
+  using assms unfolding has_derivative_def apply safe
+   apply(force simp: bounded_linear_def bounded_linear_axioms_def)
+  apply(rule_tac F="\<lambda>\<tau>. (A \<tau> - A t\<^sub>0 - (\<tau> - t\<^sub>0) *\<^sub>R A' t) /\<^sub>R (\<parallel>\<tau> - t\<^sub>0\<parallel>)" in tendsto_zero_norm_bound)
+  by (clarsimp, rule mult_left_mono, metis (no_types, lifting) norm_column_le_norm 
+      sq_mtx_minus_ith sq_mtx_scaleR_ith) simp_all
+
+lemmas has_derivative_mtx_vec_mult[derivative_intros] = 
+  bounded_bilinear.FDERIV[OF bounded_bilinear_sq_mtx_vec_mult]
+
+lemma vderiv_mtx_vec_mult_intro[poly_derivatives]:
+  assumes "D u = u' on T" and "D A = A' on T"
+      and "g = (\<lambda>t. A t *\<^sub>V u' t + A' t *\<^sub>V u t )"
+    shows "D (\<lambda>t. A t *\<^sub>V u t) = g on T"
+  using assms unfolding has_vderiv_on_def has_vector_derivative_def apply clarsimp
+  apply(erule_tac x=x in ballE, simp_all)+
+  apply(rule derivative_eq_intros(142))
+  by (auto simp: fun_eq_iff mtx_vec_scaleR_commute pth_6 scaleR_mtx_vec_assoc)
+
+lemmas has_vderiv_on_ivl_integral = ivl_integral_has_vderiv_on[OF vderiv_on_continuous_on]
+
+declare has_vderiv_on_ivl_integral [poly_derivatives]
+
+lemma has_derivative_mtx_vec_multl[derivative_intros]:
+  assumes "\<And> i j. D (\<lambda>t. (A t) $$ i $ j) \<mapsto> (\<lambda>\<tau>. \<tau> *\<^sub>R (A' t) $$ i $ j) (at t within T)"
+  shows "D (\<lambda>t. A t *\<^sub>V x) \<mapsto> (\<lambda>\<tau>. \<tau> *\<^sub>R (A' t) *\<^sub>V x) at t within T"
+  unfolding sq_mtx_vec_mult_sum_cols
+  apply(rule_tac f'1="\<lambda>i \<tau>. \<tau> *\<^sub>R  (x $ i *\<^sub>R \<c>\<o>\<l> i (A' t))" in derivative_eq_intros(10))
+   apply(simp_all add: scaleR_right.sum)
+  apply(rule_tac g'1="\<lambda>\<tau>. \<tau> *\<^sub>R \<c>\<o>\<l> i (A' t)" in derivative_eq_intros(4), simp_all add: mult.commute)
+  using assms unfolding sq_mtx_col_def column_def apply(transfer, simp)
+  apply(rule has_derivative_vec_lambda)
+  by (simp add: scaleR_vec_def)
+
+lemma continuous_on_mtx_vec_multr: "continuous_on S ((*\<^sub>V) A)"
+  by transfer (simp add: matrix_vector_mult_linear_continuous_on)
+
+\<comment> \<open>Automatically generated derivative rules from this subsubsection \<close>
+
+thm derivative_eq_intros(140,141,142,143)
+
+
+subsubsection \<open> Existence and uniqueness with square matrices \<close>
+
+text \<open>Finally, we can use the @{term exp} operation to characterize the general solutions for affine 
+systems of ODEs. We show that they satisfy the @{term "local_flow"} locale.\<close>
+
+lemma continuous_on_sq_mtx_vec_multl:
+  fixes A :: "real \<Rightarrow> ('n::finite) sq_mtx"
+  assumes "continuous_on T A"
+  shows "continuous_on T (\<lambda>t. A t *\<^sub>V s)"
+proof-
+  have "matrix_continuous_on T (\<lambda>t. to_vec (A t))"
+    using assms by (force simp: continuous_on_iff dist_norm norm_sq_mtx_def matrix_continuous_on_def)
+  hence "continuous_on T (\<lambda>t. to_vec (A t) *v s)"
+    by (rule continuous_on_matrix_vector_multl)
+  thus ?thesis
+    by transfer
+qed
+
+lemmas continuous_on_affine = continuous_on_add[OF continuous_on_sq_mtx_vec_multl]
+
+lemma local_lipschitz_sq_mtx_affine:
+  fixes A :: "real \<Rightarrow> ('n::finite) sq_mtx"
+  assumes "continuous_on T A" "open T" "open S"
+  shows "local_lipschitz T S (\<lambda>t s. A t *\<^sub>V s + B t)"
+proof-
+  have obs: "\<And>\<tau> \<epsilon>. 0 < \<epsilon> \<Longrightarrow>  \<tau> \<in> T \<Longrightarrow> cball \<tau> \<epsilon> \<subseteq> T \<Longrightarrow> bdd_above {\<parallel>A t\<parallel> |t. t \<in> cball \<tau> \<epsilon>}"
+    by (rule bdd_above_norm_cont_comp, rule continuous_on_subset[OF assms(1)], simp_all)
+  hence "\<And>\<tau> \<epsilon>. 0 < \<epsilon> \<Longrightarrow> \<tau> \<in> T \<Longrightarrow> cball \<tau> \<epsilon> \<subseteq> T \<Longrightarrow> bdd_above {\<parallel>to_vec (A t)\<parallel>\<^sub>o\<^sub>p |t. t \<in> cball \<tau> \<epsilon>}"
+    by (simp add: norm_sq_mtx_def)
+  hence "local_lipschitz T S (\<lambda>t s. to_vec (A t) *v s + B t)"
+    using local_lipschitz_affine[OF assms(2,3), of "\<lambda>t. to_vec (A t)"] by force
+  thus ?thesis
+    by transfer 
+qed
+
+lemma picard_lindeloef_sq_mtx_affine:
+  assumes "continuous_on T A" and "continuous_on T B" 
+    and "t\<^sub>0 \<in> T" "is_interval T" "open T" and "open S"
+  shows "picard_lindeloef (\<lambda>t s. A t *\<^sub>V s + B t) T S t\<^sub>0"
+  apply(unfold_locales, simp_all add: assms, clarsimp)
+  using continuous_on_affine assms apply blast
+  by (rule local_lipschitz_sq_mtx_affine, simp_all add: assms)
+
+lemmas sq_mtx_unique_sol_autonomous_affine = picard_lindeloef.unique_solution[OF 
+    picard_lindeloef_sq_mtx_affine[OF 
+      continuous_on_const 
+      continuous_on_const 
+      UNIV_I is_interval_univ 
+      open_UNIV open_UNIV] 
+    _ _ funcset_UNIV UNIV_I _ _ funcset_UNIV UNIV_I]
+
+lemma has_vderiv_on_sq_mtx_linear:
+  "D (\<lambda>t. exp ((t - t\<^sub>0) *\<^sub>R A) *\<^sub>V s) = (\<lambda>t. A *\<^sub>V (exp ((t - t\<^sub>0) *\<^sub>R A) *\<^sub>V s)) on {t\<^sub>0--t}"
+  by (rule poly_derivatives)+ (auto simp: exp_times_scaleR_commute sq_mtx_times_vec_assoc)
+
+lemma has_vderiv_on_sq_mtx_affine:
+  fixes t\<^sub>0::real and A :: "('a::finite) sq_mtx"
+  defines "lSol c t \<equiv> exp ((c * (t - t\<^sub>0)) *\<^sub>R A)"
+  shows "D (\<lambda>t. lSol 1 t *\<^sub>V s + lSol 1 t *\<^sub>V (\<integral>\<^sub>t\<^sub>0\<^sup>t (lSol (-1) \<tau> *\<^sub>V B) \<partial>\<tau>)) = 
+  (\<lambda>t. A *\<^sub>V (lSol 1 t *\<^sub>V s + lSol 1 t *\<^sub>V (\<integral>\<^sub>t\<^sub>0\<^sup>t (lSol (-1) \<tau> *\<^sub>V B) \<partial>\<tau>)) + B) on {t\<^sub>0--t}"
+  unfolding assms apply(simp only: mult.left_neutral mult_minus1)
+  apply(rule poly_derivatives, (force)?, (force)?, (force)?, (force)?)+
+  by (simp add: mtx_vec_mult_add_rdistl sq_mtx_times_vec_assoc[symmetric] 
+      exp_minus_inverse exp_times_scaleR_commute mult_exp_exp  scale_left_distrib[symmetric])
+
+lemma autonomous_linear_sol_is_exp:
+  assumes "D X = (\<lambda>t. A *\<^sub>V X t) on {t\<^sub>0--t}" and "X t\<^sub>0 = s" 
+  shows "X t = exp ((t - t\<^sub>0) *\<^sub>R A) *\<^sub>V s"
+  apply(rule sq_mtx_unique_sol_autonomous_affine[of X A 0, OF _ \<open>X t\<^sub>0 = s\<close>])
+  using assms has_vderiv_on_sq_mtx_linear by force+
+
+lemma autonomous_affine_sol_is_exp_plus_int:
+  assumes "D X = (\<lambda>t. A *\<^sub>V X t + B) on {t\<^sub>0--t}" and "X t\<^sub>0 = s" 
+  shows "X t = exp ((t - t\<^sub>0) *\<^sub>R A) *\<^sub>V s + exp ((t - t\<^sub>0) *\<^sub>R A) *\<^sub>V (\<integral>\<^sub>t\<^sub>0\<^sup>t(exp (- (\<tau> - t\<^sub>0) *\<^sub>R A) *\<^sub>V B)\<partial>\<tau>)"
+  apply(rule sq_mtx_unique_sol_autonomous_affine[OF assms])
+  using has_vderiv_on_sq_mtx_affine by force+
+
+lemma local_flow_sq_mtx_linear: "local_flow ((*\<^sub>V) A) UNIV UNIV (\<lambda>t s. exp (t *\<^sub>R A) *\<^sub>V s)"
+  unfolding local_flow_def local_flow_axioms_def apply safe
+  using picard_lindeloef_sq_mtx_affine[of _ "\<lambda>t. A" "\<lambda>t. 0"] apply force
+  using has_vderiv_on_sq_mtx_linear[of 0] by auto
+
+lemma local_flow_sq_mtx_affine: "local_flow (\<lambda>s. A *\<^sub>V s + B) UNIV UNIV 
+  (\<lambda>t s. exp (t *\<^sub>R A) *\<^sub>V s + exp (t *\<^sub>R A) *\<^sub>V (\<integral>\<^sub>0\<^sup>t(exp (- \<tau> *\<^sub>R A) *\<^sub>V B)\<partial>\<tau>))"
+  unfolding local_flow_def local_flow_axioms_def apply safe
+  using picard_lindeloef_sq_mtx_affine[of _ "\<lambda>t. A" "\<lambda>t. B"] apply force
+  using has_vderiv_on_sq_mtx_affine[of 0 A] by auto
+
+
+end
\ No newline at end of file
diff --git a/thys/Matrices_for_ODEs/MTX_Norms.thy b/thys/Matrices_for_ODEs/MTX_Norms.thy
new file mode 100644
--- /dev/null
+++ b/thys/Matrices_for_ODEs/MTX_Norms.thy
@@ -0,0 +1,285 @@
+(*  Title:       Matrix norms
+    Author:      Jonathan Julián Huerta y Munive, 2020
+    Maintainer:  Jonathan Julián Huerta y Munive <jjhuertaymunive1@sheffield.ac.uk>
+*)
+
+section \<open> Matrix norms \<close>
+
+text \<open> Here, we explore some properties about the operator and the maximum norms for matrices. \<close>
+
+theory MTX_Norms
+  imports MTX_Preliminaries
+
+begin
+
+
+subsection\<open> Matrix operator norm \<close>
+
+abbreviation op_norm :: "('a::real_normed_algebra_1)^'n^'m \<Rightarrow> real" ("(1\<parallel>_\<parallel>\<^sub>o\<^sub>p)" [65] 61)
+  where "\<parallel>A\<parallel>\<^sub>o\<^sub>p \<equiv> onorm (\<lambda>x. A *v x)"
+
+lemma norm_matrix_bound:
+  fixes A :: "('a::real_normed_algebra_1)^'n^'m"
+  shows "\<parallel>x\<parallel> = 1 \<Longrightarrow> \<parallel>A *v x\<parallel> \<le> \<parallel>(\<chi> i j. \<parallel>A $ i $ j\<parallel>) *v 1\<parallel>"
+proof-
+  fix x :: "('a, 'n) vec" assume "\<parallel>x\<parallel> = 1"
+  hence xi_le1:"\<And>i. \<parallel>x $ i\<parallel> \<le> 1" 
+    by (metis Finite_Cartesian_Product.norm_nth_le) 
+  {fix j::'m 
+    have "\<parallel>(\<Sum>i\<in>UNIV. A $ j $ i * x $ i)\<parallel> \<le> (\<Sum>i\<in>UNIV. \<parallel>A $ j $ i * x $ i\<parallel>)"
+      using norm_sum by blast
+    also have "... \<le> (\<Sum>i\<in>UNIV. (\<parallel>A $ j $ i\<parallel>) * (\<parallel>x $ i\<parallel>))"
+      by (simp add: norm_mult_ineq sum_mono)
+    also have "... \<le> (\<Sum>i\<in>UNIV. (\<parallel>A $ j $ i\<parallel>) * 1)"
+      using xi_le1 by (simp add: sum_mono mult_left_le)
+    finally have "\<parallel>(\<Sum>i\<in>UNIV. A $ j $ i * x $ i)\<parallel> \<le> (\<Sum>i\<in>UNIV. (\<parallel>A $ j $ i\<parallel>) * 1)" by simp}
+  hence "\<And>j. \<parallel>(A *v x) $ j\<parallel> \<le> ((\<chi> i1 i2. \<parallel>A $ i1 $ i2\<parallel>) *v 1) $ j"
+    unfolding matrix_vector_mult_def by simp
+  hence "(\<Sum>j\<in>UNIV. (\<parallel>(A *v x) $ j\<parallel>)\<^sup>2) \<le> (\<Sum>j\<in>UNIV. (\<parallel>((\<chi> i1 i2. \<parallel>A $ i1 $ i2\<parallel>) *v 1) $ j\<parallel>)\<^sup>2)"
+    by (metis (mono_tags, lifting) norm_ge_zero power2_abs power_mono real_norm_def sum_mono) 
+  thus "\<parallel>A *v x\<parallel> \<le> \<parallel>(\<chi> i j. \<parallel>A $ i $ j\<parallel>) *v 1\<parallel>"
+    unfolding norm_vec_def L2_set_def by simp
+qed
+
+lemma onorm_set_proptys:
+  fixes A :: "('a::real_normed_algebra_1)^'n^'m"
+  shows "bounded (range (\<lambda>x. (\<parallel>A *v x\<parallel>) / (\<parallel>x\<parallel>)))"
+    and "bdd_above (range (\<lambda>x. (\<parallel>A *v x\<parallel>) / (\<parallel>x\<parallel>)))"
+    and "(range (\<lambda>x. (\<parallel>A *v x\<parallel>) / (\<parallel>x\<parallel>))) \<noteq> {}"
+  unfolding bounded_def bdd_above_def image_def dist_real_def 
+    apply(rule_tac x=0 in exI)
+  by (rule_tac x="\<parallel>(\<chi> i j. \<parallel>A $ i $ j\<parallel>) *v 1\<parallel>" in exI, clarsimp,
+      subst mult_norm_matrix_sgn_eq[symmetric], clarsimp,
+      rule_tac x="sgn _" in norm_matrix_bound, simp add: norm_sgn)+ force
+
+lemma op_norm_set_proptys:
+  fixes A :: "('a::real_normed_algebra_1)^'n^'m"
+  shows "bounded {\<parallel>A *v x\<parallel> | x. \<parallel>x\<parallel> = 1}"
+    and "bdd_above {\<parallel>A *v x\<parallel> | x. \<parallel>x\<parallel> = 1}"
+    and "{\<parallel>A *v x\<parallel> | x. \<parallel>x\<parallel> = 1} \<noteq> {}"
+  unfolding bounded_def bdd_above_def apply safe
+    apply(rule_tac x=0 in exI, rule_tac x="\<parallel>(\<chi> i j. \<parallel>A $ i $ j\<parallel>) *v 1\<parallel>" in exI)
+    apply(force simp: norm_matrix_bound dist_real_def)
+   apply(rule_tac x="\<parallel>(\<chi> i j. \<parallel>A $ i $ j\<parallel>) *v 1\<parallel>" in exI, force simp: norm_matrix_bound)
+  using ex_norm_eq_1 by blast
+
+lemma op_norm_def: "\<parallel>A\<parallel>\<^sub>o\<^sub>p = Sup {\<parallel>A *v x\<parallel> | x. \<parallel>x\<parallel> = 1}"
+  apply(rule antisym[OF onorm_le cSup_least[OF op_norm_set_proptys(3)]])
+   apply(case_tac "x = 0", simp)
+   apply(subst mult_norm_matrix_sgn_eq[symmetric], simp)
+   apply(rule cSup_upper[OF _ op_norm_set_proptys(2)])
+   apply(force simp: norm_sgn)
+  unfolding onorm_def 
+  apply(rule cSup_upper[OF _ onorm_set_proptys(2)])
+  by (simp add: image_def, clarsimp) (metis div_by_1)
+
+lemma norm_matrix_le_op_norm: "\<parallel>x\<parallel> = 1 \<Longrightarrow> \<parallel>A *v x\<parallel> \<le> \<parallel>A\<parallel>\<^sub>o\<^sub>p"
+  apply(unfold onorm_def, rule cSup_upper[OF _ onorm_set_proptys(2)])
+  unfolding image_def by (clarsimp, rule_tac x=x in exI) simp
+
+lemma op_norm_ge_0: "0 \<le> \<parallel>A\<parallel>\<^sub>o\<^sub>p"
+  using ex_norm_eq_1 norm_ge_zero norm_matrix_le_op_norm basic_trans_rules(23) by blast
+
+lemma norm_sgn_le_op_norm: "\<parallel>A *v sgn x\<parallel> \<le> \<parallel>A\<parallel>\<^sub>o\<^sub>p"
+  by (cases "x=0", simp_all add: norm_sgn norm_matrix_le_op_norm op_norm_ge_0)
+
+lemma norm_matrix_le_mult_op_norm: "\<parallel>A *v x\<parallel> \<le> (\<parallel>A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>x\<parallel>)"
+proof-
+  have "\<parallel>A *v x\<parallel> = (\<parallel>A *v sgn x\<parallel>) * (\<parallel>x\<parallel>)"
+    by(simp add: mult_norm_matrix_sgn_eq)
+  also have "... \<le> (\<parallel>A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>x\<parallel>)"
+    using norm_sgn_le_op_norm[of A] by (simp add: mult_mono')
+  finally show ?thesis by simp
+qed
+
+lemma blin_matrix_vector_mult: "bounded_linear ((*v) A)" for A :: "('a::real_normed_algebra_1)^'n^'m"
+  by (unfold_locales) (auto intro: norm_matrix_le_mult_op_norm simp: 
+      mult.commute matrix_vector_right_distrib vector_scaleR_commute)
+
+lemma op_norm_eq_0: "(\<parallel>A\<parallel>\<^sub>o\<^sub>p = 0) = (A = 0)" for A :: "('a::real_normed_field)^'n^'m"
+  unfolding onorm_eq_0[OF blin_matrix_vector_mult] using matrix_axis_0[of 1 A] by fastforce
+
+lemma op_norm0: "\<parallel>(0::('a::real_normed_field)^'n^'m)\<parallel>\<^sub>o\<^sub>p = 0"
+  using op_norm_eq_0[of 0] by simp
+                  
+lemma op_norm_triangle: "\<parallel>A + B\<parallel>\<^sub>o\<^sub>p \<le> (\<parallel>A\<parallel>\<^sub>o\<^sub>p) + (\<parallel>B\<parallel>\<^sub>o\<^sub>p)" 
+  using onorm_triangle[OF blin_matrix_vector_mult[of A] blin_matrix_vector_mult[of B]]
+    matrix_vector_mult_add_rdistrib[symmetric, of A _ B] by simp
+
+lemma op_norm_scaleR: "\<parallel>c *\<^sub>R A\<parallel>\<^sub>o\<^sub>p = \<bar>c\<bar> * (\<parallel>A\<parallel>\<^sub>o\<^sub>p)"
+  unfolding onorm_scaleR[OF blin_matrix_vector_mult, symmetric] scaleR_vector_assoc ..
+
+lemma op_norm_matrix_matrix_mult_le: "\<parallel>A ** B\<parallel>\<^sub>o\<^sub>p \<le> (\<parallel>A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>B\<parallel>\<^sub>o\<^sub>p)" 
+proof(rule onorm_le)
+  have "0 \<le> (\<parallel>A\<parallel>\<^sub>o\<^sub>p)" 
+    by(rule onorm_pos_le[OF blin_matrix_vector_mult])
+  fix x have "\<parallel>A ** B *v x\<parallel> = \<parallel>A *v (B *v x)\<parallel>"
+    by (simp add: matrix_vector_mul_assoc)
+  also have "... \<le> (\<parallel>A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>B *v x\<parallel>)"
+    by (simp add: norm_matrix_le_mult_op_norm[of _ "B *v x"])
+  also have "... \<le> (\<parallel>A\<parallel>\<^sub>o\<^sub>p) * ((\<parallel>B\<parallel>\<^sub>o\<^sub>p) * (\<parallel>x\<parallel>))"
+    using norm_matrix_le_mult_op_norm[of B x] \<open>0 \<le> (\<parallel>A\<parallel>\<^sub>o\<^sub>p)\<close> mult_left_mono by blast
+  finally show "\<parallel>A ** B *v x\<parallel> \<le> (\<parallel>A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>B\<parallel>\<^sub>o\<^sub>p) * (\<parallel>x\<parallel>)" 
+    by simp
+qed
+
+lemma norm_matrix_vec_mult_le_transpose:
+  "\<parallel>x\<parallel> = 1 \<Longrightarrow> (\<parallel>A *v x\<parallel>) \<le> sqrt (\<parallel>transpose A ** A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>x\<parallel>)" for A :: "real^'n^'n"
+proof-
+  assume "\<parallel>x\<parallel> = 1"
+  have "(\<parallel>A *v x\<parallel>)\<^sup>2 = (A *v x) \<bullet> (A *v x)"
+    using dot_square_norm[of "(A *v x)"] by simp
+  also have "... = x \<bullet> (transpose A *v (A *v x))"
+    using vec_mult_inner by blast
+  also have "... \<le> (\<parallel>x\<parallel>) * (\<parallel>transpose A *v (A *v x)\<parallel>)"
+    using norm_cauchy_schwarz by blast
+  also have "... \<le> (\<parallel>transpose A ** A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>x\<parallel>)^2"
+    apply(subst matrix_vector_mul_assoc) 
+    using norm_matrix_le_mult_op_norm[of "transpose A ** A" x]
+    by (simp add: \<open>\<parallel>x\<parallel> = 1\<close>) 
+  finally have "((\<parallel>A *v x\<parallel>))^2 \<le> (\<parallel>transpose A ** A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>x\<parallel>)^2"
+    by linarith
+  thus "(\<parallel>A *v x\<parallel>) \<le> sqrt ((\<parallel>transpose A ** A\<parallel>\<^sub>o\<^sub>p)) * (\<parallel>x\<parallel>)"
+    by (simp add: \<open>\<parallel>x\<parallel> = 1\<close> real_le_rsqrt)
+qed
+
+lemma op_norm_le_sum_column: "\<parallel>A\<parallel>\<^sub>o\<^sub>p \<le> (\<Sum>i\<in>UNIV. \<parallel>column i A\<parallel>)" for A :: "real^'n^'m"  
+proof(unfold op_norm_def, rule cSup_least[OF op_norm_set_proptys(3)], clarsimp)
+  fix x :: "real^'n" assume x_def:"\<parallel>x\<parallel> = 1" 
+  hence x_hyp:"\<And>i. \<parallel>x $ i\<parallel> \<le> 1"
+    by (simp add: norm_bound_component_le_cart)
+  have "(\<parallel>A *v x\<parallel>) = \<parallel>(\<Sum>i\<in>UNIV. x $ i *s column i A)\<parallel>"
+    by(subst matrix_mult_sum[of A], simp)
+  also have "... \<le> (\<Sum>i\<in>UNIV. \<parallel>x $ i *s column i A\<parallel>)"
+    by (simp add: sum_norm_le)
+  also have "... = (\<Sum>i\<in>UNIV. (\<parallel>x $ i\<parallel>) * (\<parallel>column i A\<parallel>))"
+    by (simp add: mult_norm_matrix_sgn_eq)
+  also have "... \<le> (\<Sum>i\<in>UNIV. \<parallel>column i A\<parallel>)"
+    using x_hyp by (simp add: mult_left_le_one_le sum_mono) 
+  finally show "\<parallel>A *v x\<parallel> \<le> (\<Sum>i\<in>UNIV. \<parallel>column i A\<parallel>)" .
+qed
+
+lemma op_norm_le_transpose: "\<parallel>A\<parallel>\<^sub>o\<^sub>p \<le> \<parallel>transpose A\<parallel>\<^sub>o\<^sub>p" for A :: "real^'n^'n"  
+proof-
+  have obs:"\<forall>x. \<parallel>x\<parallel> = 1 \<longrightarrow> (\<parallel>A *v x\<parallel>) \<le> sqrt ((\<parallel>transpose A ** A\<parallel>\<^sub>o\<^sub>p)) * (\<parallel>x\<parallel>)"
+    using norm_matrix_vec_mult_le_transpose by blast
+  have "(\<parallel>A\<parallel>\<^sub>o\<^sub>p) \<le> sqrt ((\<parallel>transpose A ** A\<parallel>\<^sub>o\<^sub>p))"
+    using obs apply(unfold op_norm_def)
+    by (rule cSup_least[OF op_norm_set_proptys(3)]) clarsimp
+  hence "((\<parallel>A\<parallel>\<^sub>o\<^sub>p))\<^sup>2 \<le> (\<parallel>transpose A ** A\<parallel>\<^sub>o\<^sub>p)"
+    using power_mono[of "(\<parallel>A\<parallel>\<^sub>o\<^sub>p)" _ 2] op_norm_ge_0
+    by (metis not_le real_less_lsqrt)
+  also have "... \<le> (\<parallel>transpose A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>A\<parallel>\<^sub>o\<^sub>p)"
+    using op_norm_matrix_matrix_mult_le by blast
+  finally have "((\<parallel>A\<parallel>\<^sub>o\<^sub>p))\<^sup>2 \<le> (\<parallel>transpose A\<parallel>\<^sub>o\<^sub>p) * (\<parallel>A\<parallel>\<^sub>o\<^sub>p)"
+    by linarith
+  thus "(\<parallel>A\<parallel>\<^sub>o\<^sub>p) \<le> (\<parallel>transpose A\<parallel>\<^sub>o\<^sub>p)"
+    using sq_le_cancel[of "(\<parallel>A\<parallel>\<^sub>o\<^sub>p)"] op_norm_ge_0 by metis
+qed
+
+
+subsection\<open> Matrix maximum norm \<close>
+
+abbreviation max_norm :: "real^'n^'m \<Rightarrow> real" ("(1\<parallel>_\<parallel>\<^sub>m\<^sub>a\<^sub>x)" [65] 61)
+  where "\<parallel>A\<parallel>\<^sub>m\<^sub>a\<^sub>x \<equiv> Max (abs ` (entries A))"
+
+lemma max_norm_def: "\<parallel>A\<parallel>\<^sub>m\<^sub>a\<^sub>x = Max {\<bar>A $ i $ j\<bar>|i j. i\<in>UNIV \<and> j\<in>UNIV}"
+  by (simp add: image_def, rule arg_cong[of _ _ Max], blast)
+
+lemma max_norm_set_proptys: "finite {\<bar>A $ i $ j\<bar> |i j. i \<in> UNIV \<and> j \<in> UNIV}" (is "finite ?X")
+proof-
+  have "\<And>i. finite {\<bar>A $ i $ j\<bar> | j. j \<in> UNIV}"
+    using finite_Atleast_Atmost_nat by fastforce
+  hence "finite (\<Union>i\<in>UNIV. {\<bar>A $ i $ j\<bar> | j. j \<in> UNIV})" (is "finite ?Y")
+    using finite_class.finite_UNIV by blast
+  also have "?X \<subseteq> ?Y" 
+    by auto
+  ultimately show ?thesis 
+    using finite_subset by blast
+qed
+
+lemma max_norm_ge_0: "0 \<le> \<parallel>A\<parallel>\<^sub>m\<^sub>a\<^sub>x"
+  unfolding max_norm_def 
+  apply(rule order.trans[OF abs_ge_zero[of "A $ _ $ _"] Max_ge])
+  using max_norm_set_proptys by auto
+
+lemma op_norm_le_max_norm:
+  fixes A :: "real^('n::finite)^('m::finite)"
+  shows "\<parallel>A\<parallel>\<^sub>o\<^sub>p \<le> real CARD('m) * real CARD('n) * (\<parallel>A\<parallel>\<^sub>m\<^sub>a\<^sub>x)"
+  apply(rule onorm_le_matrix_component)
+  unfolding max_norm_def by(rule Max_ge[OF max_norm_set_proptys]) force
+
+lemma sqrt_Sup_power2_eq_Sup_abs:
+  "finite A \<Longrightarrow> A \<noteq> {} \<Longrightarrow> sqrt (Sup {(f i)\<^sup>2 |i. i \<in> A}) = Sup {\<bar>f i\<bar> |i. i \<in> A}"
+proof(rule sym)
+  assume assms: "finite A" "A \<noteq> {}"
+  then obtain i where i_def: "i \<in> A \<and> Sup {(f i)\<^sup>2|i. i \<in> A} = (f i)^2"
+    using cSup_finite_ex[of "{(f i)\<^sup>2|i. i \<in> A}"] by auto
+  hence lhs: "sqrt (Sup {(f i)\<^sup>2 |i. i \<in> A}) = \<bar>f i\<bar>"
+    by simp
+  have "finite {(f i)\<^sup>2|i. i \<in> A}"
+    using assms by simp
+  hence "\<forall>j\<in>A. (f j)\<^sup>2 \<le> (f i)\<^sup>2"
+    using i_def cSup_upper[of _ "{(f i)\<^sup>2 |i. i \<in> A}"] by force
+  hence "\<forall>j\<in>A. \<bar>f j\<bar> \<le> \<bar>f i\<bar>"
+    using abs_le_square_iff by blast
+  also have "\<bar>f i\<bar> \<in> {\<bar>f i\<bar> |i. i \<in> A}"
+    using i_def by auto
+  ultimately show "Sup {\<bar>f i\<bar> |i. i \<in> A} = sqrt (Sup {(f i)\<^sup>2 |i. i \<in> A})"
+    using cSup_mem_eq[of "\<bar>f i\<bar>" "{\<bar>f i\<bar> |i. i \<in> A}"] lhs by auto
+qed
+
+lemma sqrt_Max_power2_eq_max_abs:
+  "finite A \<Longrightarrow> A \<noteq> {} \<Longrightarrow> sqrt (Max {(f i)\<^sup>2|i. i \<in> A}) = Max {\<bar>f i\<bar> |i. i \<in> A}"
+  apply(subst cSup_eq_Max[symmetric], simp_all)+
+  using sqrt_Sup_power2_eq_Sup_abs .
+
+lemma op_norm_diag_mat_eq: "\<parallel>diag_mat f\<parallel>\<^sub>o\<^sub>p = Max {\<bar>f i\<bar> |i. i \<in> UNIV}" (is "_ = Max ?A")
+proof(unfold op_norm_def)
+  have obs: "\<And>x i. (f i)\<^sup>2 * (x $ i)\<^sup>2 \<le> Max {(f i)\<^sup>2|i. i \<in> UNIV} * (x $ i)\<^sup>2"
+    apply(rule mult_right_mono[OF _ zero_le_power2])
+    using le_max_image_of_finite[of "\<lambda>i. (f i)^2"] by simp
+  {fix r assume "r \<in> {\<parallel>diag_mat f *v x\<parallel> |x. \<parallel>x\<parallel> = 1}"
+    then obtain x where x_def: "\<parallel>diag_mat f *v x\<parallel> = r \<and> \<parallel>x\<parallel> = 1"
+      by blast
+    hence "r\<^sup>2 = (\<Sum>i\<in>UNIV. (f i)\<^sup>2 * (x $ i)\<^sup>2)"
+      unfolding norm_vec_def L2_set_def matrix_vector_mul_diag_mat 
+      apply (simp add: power_mult_distrib)
+      by (metis (no_types, lifting) x_def norm_ge_zero real_sqrt_ge_0_iff real_sqrt_pow2)
+    also have "... \<le> (Max {(f i)\<^sup>2|i. i \<in> UNIV}) * (\<Sum>i\<in>UNIV. (x $ i)\<^sup>2)"
+      using obs[of _ x] by (simp add: sum_mono sum_distrib_left)
+    also have "... = Max {(f i)\<^sup>2|i. i \<in> UNIV}"
+      using x_def by (simp add: norm_vec_def L2_set_def)
+    finally have "r \<le> sqrt (Max {(f i)\<^sup>2|i. i \<in> UNIV})"
+      using x_def real_le_rsqrt by blast 
+    hence "r \<le> Max ?A"
+      by (subst (asm) sqrt_Max_power2_eq_max_abs[of UNIV f], simp_all)}
+  hence 1: "\<forall>x\<in>{\<parallel>diag_mat f *v x\<parallel> |x. \<parallel>x\<parallel> = 1}. x \<le> Max ?A"
+    unfolding diag_mat_def by blast
+  obtain i where i_def: "Max ?A = \<parallel>diag_mat f *v \<e> i\<parallel>"
+    using cMax_finite_ex[of ?A] by force
+  hence 2: "\<exists>x\<in>{\<parallel>diag_mat f *v x\<parallel> |x. \<parallel>x\<parallel> = 1}. Max ?A \<le> x"
+    by (metis (mono_tags, lifting) abs_1 mem_Collect_eq norm_axis_eq order_refl real_norm_def)
+  show "Sup {\<parallel>diag_mat f *v x\<parallel> |x. \<parallel>x\<parallel> = 1} = Max ?A"
+    by (rule cSup_eq[OF 1 2])
+qed
+
+lemma op_max_norms_eq_at_diag: "\<parallel>diag_mat f\<parallel>\<^sub>o\<^sub>p = \<parallel>diag_mat f\<parallel>\<^sub>m\<^sub>a\<^sub>x"
+proof(rule antisym)
+  have "{\<bar>f i\<bar> |i. i \<in> UNIV} \<subseteq> {\<bar>diag_mat f $ i $ j\<bar> |i j. i \<in> UNIV \<and> j \<in> UNIV}"
+    by (smt Collect_mono diag_mat_vec_nth_simps(1))
+  thus "\<parallel>diag_mat f\<parallel>\<^sub>o\<^sub>p \<le> \<parallel>diag_mat f\<parallel>\<^sub>m\<^sub>a\<^sub>x"
+    unfolding op_norm_diag_mat_eq max_norm_def
+    by (rule Max.subset_imp) (blast, simp only: finite_image_of_finite2)
+next
+  have "Sup {\<bar>diag_mat f $ i $ j\<bar> |i j. i \<in> UNIV \<and> j \<in> UNIV} \<le> Sup {\<bar>f i\<bar> |i. i \<in> UNIV}"
+    apply(rule cSup_least, blast, clarify, case_tac "i = j", simp)
+    by (rule cSup_upper, blast, simp_all) (rule cSup_upper2, auto)
+  thus "\<parallel>diag_mat f\<parallel>\<^sub>m\<^sub>a\<^sub>x \<le> \<parallel>diag_mat f\<parallel>\<^sub>o\<^sub>p"
+    unfolding op_norm_diag_mat_eq max_norm_def
+    apply (subst cSup_eq_Max[symmetric], simp only: finite_image_of_finite2, blast)
+    by (subst cSup_eq_Max[symmetric], simp, blast)
+qed
+
+
+end
\ No newline at end of file
diff --git a/thys/Matrices_for_ODEs/MTX_Preliminaries.thy b/thys/Matrices_for_ODEs/MTX_Preliminaries.thy
new file mode 100644
--- /dev/null
+++ b/thys/Matrices_for_ODEs/MTX_Preliminaries.thy
@@ -0,0 +1,403 @@
+(*  Title:       Mathematical Preliminaries
+    Author:      Jonathan Julián Huerta y Munive, 2020
+    Maintainer:  Jonathan Julián Huerta y Munive <jjhuertaymunive1@sheffield.ac.uk>
+*)
+
+section \<open> Mathematical Preliminaries \<close>
+
+text \<open>This section adds useful syntax, abbreviations and theorems to the Isabelle distribution. \<close>
+
+theory MTX_Preliminaries
+  imports "Hybrid_Systems_VCs.HS_Preliminaries"
+
+begin
+
+
+subsection \<open> Syntax \<close>
+
+abbreviation "\<e> k \<equiv> axis k 1"
+
+syntax
+  "_ivl_integral" :: "real \<Rightarrow> real \<Rightarrow> 'a \<Rightarrow> pttrn \<Rightarrow> bool" ("(3\<integral>\<^sub>_\<^sup>_ (_)\<partial>/_)" [0, 0, 10] 10)
+
+translations
+  "\<integral>\<^sub>a\<^sup>b f \<partial>x" \<rightleftharpoons> "CONST ivl_integral a b (\<lambda>x. f)"
+
+notation matrix_inv ("_\<^sup>-\<^sup>1" [90])
+
+abbreviation "entries (A::'a^'n^'m) \<equiv> {A $ i $ j | i j. i \<in> UNIV \<and> j \<in> UNIV}"
+
+
+subsection \<open> Topology and sets \<close>
+
+lemmas compact_imp_bdd_above = compact_imp_bounded[THEN bounded_imp_bdd_above]
+
+lemma comp_cont_image_spec: "continuous_on T f \<Longrightarrow> compact T \<Longrightarrow> compact {f t |t. t \<in> T}"
+  using compact_continuous_image by (simp add: Setcompr_eq_image)
+
+lemmas bdd_above_cont_comp_spec = compact_imp_bdd_above[OF comp_cont_image_spec]
+
+lemmas bdd_above_norm_cont_comp = continuous_on_norm[THEN bdd_above_cont_comp_spec]
+
+lemma open_cballE: "t\<^sub>0 \<in> T \<Longrightarrow> open T \<Longrightarrow> \<exists>e>0. cball t\<^sub>0 e \<subseteq> T"
+  using open_contains_cball by blast
+
+lemma open_ballE: "t\<^sub>0 \<in> T \<Longrightarrow> open T \<Longrightarrow> \<exists>e>0. ball t\<^sub>0 e \<subseteq> T"
+  using open_contains_ball by blast
+
+lemma funcset_UNIV: "f \<in> A \<rightarrow> UNIV"
+  by auto
+
+lemma finite_image_of_finite[simp]:
+  fixes f::"'a::finite \<Rightarrow> 'b"
+  shows "finite {x. \<exists>i. x = f i}"
+  using finite_Atleast_Atmost_nat by force
+
+lemma finite_image_of_finite2:
+  fixes f :: "'a::finite \<Rightarrow> 'b::finite \<Rightarrow> 'c"
+  shows "finite {f x y |x y. P x y}"
+proof-
+  have "finite (\<Union>x. {f x y|y. P x y})"
+    by simp
+  moreover have "{f x y|x y. P x y} = (\<Union>x. {f x y|y. P x y})"
+    by auto
+  ultimately show ?thesis 
+    by simp
+qed
+
+
+subsection \<open> Functions \<close>
+
+lemma finite_sum_univ_singleton: "(sum g UNIV) = sum g {i::'a::finite} + sum g (UNIV - {i})"
+  by (metis add.commute finite_class.finite_UNIV sum.subset_diff top_greatest)
+
+lemma suminfI:
+  fixes f :: "nat \<Rightarrow> 'a::{t2_space,comm_monoid_add}"
+  shows "f sums k \<Longrightarrow> suminf f = k"
+  unfolding sums_iff by simp
+
+lemma suminf_eq_sum:
+  fixes f :: "nat \<Rightarrow> ('a::real_normed_vector)"
+  assumes "\<And>n. n > m \<Longrightarrow> f n = 0"
+  shows "(\<Sum>n. f n) = (\<Sum>n \<le> m. f n)"
+  using assms by (meson atMost_iff finite_atMost not_le suminf_finite)
+
+lemma suminf_multr: "summable f \<Longrightarrow> (\<Sum>n. f n * c) = (\<Sum>n. f n) * c" for c::"'a::real_normed_algebra"
+  by (rule bounded_linear.suminf [OF bounded_linear_mult_left, symmetric])
+
+lemma sum_if_then_else_simps[simp]:
+  fixes q :: "('a::semiring_0)" and i :: "'n::finite"
+  shows "(\<Sum>j\<in>UNIV. f j * (if j = i then q else 0)) = f i * q"
+    and "(\<Sum>j\<in>UNIV. f j * (if i = j then q else 0)) = f i * q"
+    and "(\<Sum>j\<in>UNIV. (if i = j then q else 0) * f j) = q * f i"
+    and "(\<Sum>j\<in>UNIV. (if j = i then q else 0) * f j) = q * f i"
+  by (auto simp: finite_sum_univ_singleton[of _ i])
+
+
+subsection \<open> Suprema \<close>
+
+lemma le_max_image_of_finite[simp]:
+  fixes f::"'a::finite \<Rightarrow> 'b::linorder"
+  shows "(f i) \<le> Max {x. \<exists>i. x = f i}"
+  by (rule Max.coboundedI, simp_all) (rule_tac x=i in exI, simp)
+
+lemma cSup_eq:
+  fixes c::"'a::conditionally_complete_lattice"
+  assumes "\<forall>x \<in> X. x \<le> c" and "\<exists>x \<in> X. c \<le> x"
+  shows "Sup X = c"
+  by (metis assms cSup_eq_maximum order_class.order.antisym)
+
+lemma cSup_mem_eq: 
+  "c \<in> X \<Longrightarrow> \<forall>x \<in> X. x \<le> c \<Longrightarrow> Sup X = c" for c::"'a::conditionally_complete_lattice"
+  by (rule cSup_eq, auto)
+
+lemma cSup_finite_ex:
+  "finite X \<Longrightarrow> X \<noteq> {} \<Longrightarrow> \<exists>x\<in>X. Sup X = x" for X::"'a::conditionally_complete_linorder set"
+  by (metis (full_types) bdd_finite(1) cSup_upper finite_Sup_less_iff order_less_le)
+
+lemma cMax_finite_ex:
+  "finite X \<Longrightarrow> X \<noteq> {} \<Longrightarrow> \<exists>x\<in>X. Max X = x" for X::"'a::conditionally_complete_linorder set"
+  apply(subst cSup_eq_Max[symmetric])
+  using cSup_finite_ex by auto
+
+lemma finite_nat_minimal_witness:
+  fixes P :: "('a::finite) \<Rightarrow> nat \<Rightarrow> bool"
+  assumes "\<forall>i. \<exists>N::nat. \<forall>n \<ge> N. P i n"
+  shows "\<exists>N. \<forall>i. \<forall>n \<ge> N. P i n" 
+proof-
+  let "?bound i" = "(LEAST N. \<forall>n \<ge> N. P i n)"
+  let ?N = "Max {?bound i |i. i \<in> UNIV}"
+  {fix n::nat and i::'a 
+    assume "n \<ge> ?N" 
+    obtain M where "\<forall>n \<ge> M. P i n" 
+      using assms by blast
+    hence obs: "\<forall> m \<ge> ?bound i. P i m"
+      using LeastI[of "\<lambda>N. \<forall>n \<ge> N. P i n"] by blast
+    have "finite {?bound i |i. i \<in> UNIV}"
+      by simp
+    hence "?N \<ge> ?bound i"
+      using Max_ge by blast
+    hence "n \<ge> ?bound i" 
+      using \<open>n \<ge> ?N\<close> by linarith
+    hence "P i n" 
+      using obs by blast}
+  thus "\<exists>N. \<forall>i n. N \<le> n \<longrightarrow> P i n" 
+    by blast
+qed
+
+
+subsection \<open> Real numbers \<close>
+
+named_theorems field_power_simps "simplification rules for powers to the nth"
+
+declare semiring_normalization_rules(18) [field_power_simps]
+    and semiring_normalization_rules(26) [field_power_simps]
+    and semiring_normalization_rules(27) [field_power_simps]
+    and semiring_normalization_rules(28) [field_power_simps]
+    and semiring_normalization_rules(29) [field_power_simps]
+
+text \<open>WARNING: Adding @{thm semiring_normalization_rules(27)} to our tactic makes 
+its combination with simp to loop infinitely in some proofs.\<close>
+
+lemma sq_le_cancel:
+  shows "(a::real) \<ge> 0 \<Longrightarrow> b \<ge> 0 \<Longrightarrow> a^2 \<le> b * a \<Longrightarrow> a \<le> b"
+  and "(a::real) \<ge> 0 \<Longrightarrow> b \<ge> 0 \<Longrightarrow> a^2 \<le> a * b \<Longrightarrow> a \<le> b"
+   apply (metis less_eq_real_def mult.commute mult_le_cancel_left semiring_normalization_rules(29))
+  by (metis less_eq_real_def mult_le_cancel_left semiring_normalization_rules(29))
+
+lemma frac_diff_eq1: "a \<noteq> b \<Longrightarrow> a / (a - b) - b / (a - b) = 1" for a::real
+  by (metis (no_types, hide_lams) ab_left_minus add.commute add_left_cancel 
+      diff_divide_distrib diff_minus_eq_add div_self)
+
+lemma exp_add: "x * y - y * x = 0 \<Longrightarrow> exp (x + y) = exp x * exp y" 
+  by (rule exp_add_commuting) (simp add: ac_simps)
+
+lemmas mult_exp_exp = exp_add[symmetric]
+
+
+subsection \<open> Vectors and matrices \<close>
+
+lemma sum_axis[simp]:
+  fixes q :: "('a::semiring_0)"
+  shows "(\<Sum>j\<in>UNIV. f j * axis i q $ j) = f i * q"
+    and "(\<Sum>j\<in>UNIV. axis i q $ j * f j) = q * f i"
+  unfolding axis_def by(auto simp: vec_eq_iff)
+
+lemma sum_scalar_nth_axis: "sum (\<lambda>i. (x $ i) *s \<e> i) UNIV = x" for x :: "('a::semiring_1)^'n"
+  unfolding vec_eq_iff axis_def by simp
+
+lemma scalar_eq_scaleR[simp]: "c *s x = c *\<^sub>R x"
+  unfolding vec_eq_iff by simp
+
+lemma matrix_add_rdistrib: "((B + C) ** A) = (B ** A) + (C ** A)"
+  by (vector matrix_matrix_mult_def sum.distrib[symmetric] field_simps)
+
+lemma vec_mult_inner: "(A *v v) \<bullet> w = v \<bullet> (transpose A *v w)" for A :: "real ^'n^'n"
+  unfolding matrix_vector_mult_def transpose_def inner_vec_def
+  apply(simp add: sum_distrib_right sum_distrib_left)
+  apply(subst sum.swap)
+  apply(subgoal_tac "\<forall>i j. A $ i $ j * v $ j * w $ i = v $ j * (A $ i $ j * w $ i)")
+  by presburger simp
+
+lemma uminus_axis_eq[simp]: "- axis i k = axis i (-k)" for k :: "'a::ring"
+  unfolding axis_def by(simp add: vec_eq_iff)
+
+lemma norm_axis_eq[simp]: "\<parallel>axis i k\<parallel> = \<parallel>k\<parallel>"
+proof(simp add: axis_def norm_vec_def L2_set_def)
+  let "?\<delta>\<^sub>K" = "\<lambda>i j k. if i = j then k else 0" 
+  have "(\<Sum>j\<in>UNIV. (\<parallel>(?\<delta>\<^sub>K j i k)\<parallel>)\<^sup>2) = (\<Sum>j\<in>{i}. (\<parallel>(?\<delta>\<^sub>K j i k)\<parallel>)\<^sup>2) + (\<Sum>j\<in>(UNIV-{i}). (\<parallel>(?\<delta>\<^sub>K j i k)\<parallel>)\<^sup>2)"
+    using finite_sum_univ_singleton by blast 
+  also have "... = (\<parallel>k\<parallel>)\<^sup>2" 
+    by simp
+  finally show "sqrt (\<Sum>j\<in>UNIV. (norm (if j = i then k else 0))\<^sup>2) = norm k" 
+    by simp
+qed
+
+lemma matrix_axis_0: 
+  fixes A :: "('a::idom)^'n^'m"
+  assumes "k \<noteq> 0 " and h:"\<forall>i. (A *v (axis i k)) = 0"
+  shows "A = 0"  
+proof-
+  {fix i::'n
+    have "0 = (\<Sum>j\<in>UNIV. (axis i k) $ j *s column j A)" 
+      using h matrix_mult_sum[of A "axis i k"] by simp
+    also have "... = k *s column i A" 
+      by (simp add: axis_def vector_scalar_mult_def column_def vec_eq_iff mult.commute)
+    finally have "k *s column i A = 0"
+      unfolding axis_def by simp
+    hence "column i A = 0" 
+      using vector_mul_eq_0 \<open>k \<noteq> 0\<close> by blast}
+  thus "A = 0" 
+    unfolding column_def vec_eq_iff by simp
+qed
+
+lemma scaleR_norm_sgn_eq: "(\<parallel>x\<parallel>) *\<^sub>R sgn x = x"
+  by (metis divideR_right norm_eq_zero scale_eq_0_iff sgn_div_norm)
+
+lemma vector_scaleR_commute: "A *v c *\<^sub>R x = c *\<^sub>R (A *v x)" for x :: "('a::real_normed_algebra_1)^'n"
+  unfolding scaleR_vec_def matrix_vector_mult_def by(auto simp: vec_eq_iff scaleR_right.sum)
+
+lemma scaleR_vector_assoc: "c *\<^sub>R (A *v x) = (c *\<^sub>R A) *v x" for x :: "('a::real_normed_algebra_1)^'n"
+  unfolding matrix_vector_mult_def by(auto simp: vec_eq_iff scaleR_right.sum)
+
+lemma mult_norm_matrix_sgn_eq:
+  fixes x :: "('a::real_normed_algebra_1)^'n"
+  shows "(\<parallel>A *v sgn x\<parallel>) * (\<parallel>x\<parallel>) = \<parallel>A *v x\<parallel>"
+proof-
+  have "\<parallel>A *v x\<parallel> = \<parallel>A *v ((\<parallel>x\<parallel>) *\<^sub>R sgn x)\<parallel>"
+    by(simp add: scaleR_norm_sgn_eq)
+  also have "... = (\<parallel>A *v sgn x\<parallel>) * (\<parallel>x\<parallel>)"
+    by(simp add: vector_scaleR_commute)
+  finally show ?thesis ..
+qed
+
+
+subsection\<open> Diagonalization \<close>
+
+lemma invertibleI: "A ** B = mat 1 \<Longrightarrow> B ** A = mat 1 \<Longrightarrow> invertible A"
+  unfolding invertible_def by auto
+
+lemma invertibleD[simp]:
+  assumes "invertible A" 
+  shows "A\<^sup>-\<^sup>1 ** A = mat 1" and "A ** A\<^sup>-\<^sup>1 = mat 1"
+  using assms unfolding matrix_inv_def invertible_def
+  by (simp_all add: verit_sko_ex')
+
+lemma matrix_inv_unique:
+  assumes "A ** B = mat 1" and "B ** A = mat 1"
+  shows "A\<^sup>-\<^sup>1 = B"
+  by (metis assms invertibleD(2) invertibleI matrix_mul_assoc matrix_mul_lid)
+
+lemma invertible_matrix_inv: "invertible A \<Longrightarrow> invertible (A\<^sup>-\<^sup>1)"
+  using invertibleD invertibleI by blast
+
+lemma matrix_inv_idempotent[simp]: "invertible A \<Longrightarrow> A\<^sup>-\<^sup>1\<^sup>-\<^sup>1 = A"
+  using invertibleD matrix_inv_unique by blast
+  
+lemma matrix_inv_matrix_mul:
+  assumes "invertible A" and "invertible B"
+  shows "(A ** B)\<^sup>-\<^sup>1 = B\<^sup>-\<^sup>1 ** A\<^sup>-\<^sup>1"
+proof(rule matrix_inv_unique)
+  have "A ** B ** (B\<^sup>-\<^sup>1 ** A\<^sup>-\<^sup>1) = A ** (B ** B\<^sup>-\<^sup>1) ** A\<^sup>-\<^sup>1"
+    by (simp add: matrix_mul_assoc)
+  also have "... = mat 1"
+    using assms by simp
+  finally show "A ** B ** (B\<^sup>-\<^sup>1 ** A\<^sup>-\<^sup>1) = mat 1" .
+next
+  have "B\<^sup>-\<^sup>1 ** A\<^sup>-\<^sup>1 ** (A ** B) = B\<^sup>-\<^sup>1 ** (A\<^sup>-\<^sup>1 ** A) ** B"
+    by (simp add: matrix_mul_assoc)
+  also have "... = mat 1"
+    using assms by simp
+  finally show "B\<^sup>-\<^sup>1 ** A\<^sup>-\<^sup>1 ** (A ** B) = mat 1" .
+qed
+
+lemma mat_inverse_simps[simp]:
+  fixes c :: "'a::division_ring"
+  assumes "c \<noteq> 0"
+  shows "mat (inverse c) ** mat c = mat 1" 
+    and "mat c ** mat (inverse c) = mat 1"
+  unfolding matrix_matrix_mult_def mat_def by (auto simp: vec_eq_iff assms)
+
+lemma matrix_inv_mat[simp]: "c \<noteq> 0 \<Longrightarrow> (mat c)\<^sup>-\<^sup>1 = mat (inverse c)" for c :: "'a::division_ring"
+  by (simp add: matrix_inv_unique)
+
+lemma invertible_mat[simp]: "c \<noteq> 0 \<Longrightarrow> invertible (mat c)" for c :: "'a::division_ring"
+  using invertibleI mat_inverse_simps(1) mat_inverse_simps(2) by blast
+
+lemma matrix_inv_mat_1: "(mat (1::'a::division_ring))\<^sup>-\<^sup>1 = mat 1"
+  by simp
+
+lemma invertible_mat_1: "invertible (mat (1::'a::division_ring))"
+  by simp
+
+definition similar_matrix :: "('a::semiring_1)^'m^'m \<Rightarrow> ('a::semiring_1)^'n^'n \<Rightarrow> bool" (infixr "\<sim>" 25)
+  where "similar_matrix A B \<longleftrightarrow> (\<exists> P. invertible P \<and> A = P\<^sup>-\<^sup>1 ** B ** P)"
+
+lemma similar_matrix_refl[simp]: "A \<sim> A" for A :: "'a::division_ring^'n^'n"
+  by (unfold similar_matrix_def, rule_tac x="mat 1" in exI, simp)
+
+lemma similar_matrix_simm: "A \<sim> B \<Longrightarrow> B \<sim> A" for A B :: "('a::semiring_1)^'n^'n"
+  apply(unfold similar_matrix_def, clarsimp)
+  apply(rule_tac x="P\<^sup>-\<^sup>1" in exI, simp add: invertible_matrix_inv)
+  by (metis invertible_def matrix_inv_unique matrix_mul_assoc matrix_mul_lid matrix_mul_rid)
+
+lemma similar_matrix_trans: "A \<sim> B \<Longrightarrow> B \<sim> C \<Longrightarrow> A \<sim> C" for A B C :: "('a::semiring_1)^'n^'n"
+proof(unfold similar_matrix_def, clarsimp)
+  fix P Q
+  assume "A = P\<^sup>-\<^sup>1 ** (Q\<^sup>-\<^sup>1 ** C ** Q) ** P" and "B = Q\<^sup>-\<^sup>1 ** C ** Q"
+  let ?R = "Q ** P"
+  assume inverts: "invertible Q" "invertible P"
+  hence "?R\<^sup>-\<^sup>1 = P\<^sup>-\<^sup>1 ** Q\<^sup>-\<^sup>1"
+    by (rule matrix_inv_matrix_mul)
+  also have "invertible ?R"
+    using inverts invertible_mult by blast 
+  ultimately show "\<exists>R. invertible R \<and> P\<^sup>-\<^sup>1 ** (Q\<^sup>-\<^sup>1 ** C ** Q) ** P = R\<^sup>-\<^sup>1 ** C ** R"
+    by (metis matrix_mul_assoc)
+qed
+
+lemma mat_vec_nth_simps[simp]:
+  "i = j \<Longrightarrow> mat c $ i $ j = c" 
+  "i \<noteq> j \<Longrightarrow> mat c $ i $ j = 0"
+  by (simp_all add: mat_def)
+
+definition "diag_mat f = (\<chi> i j. if i = j then f i else 0)"
+
+lemma diag_mat_vec_nth_simps[simp]:
+  "i = j \<Longrightarrow> diag_mat f $ i $ j = f i"
+  "i \<noteq> j \<Longrightarrow> diag_mat f $ i $ j = 0"
+  unfolding diag_mat_def by simp_all
+
+lemma diag_mat_const_eq[simp]: "diag_mat (\<lambda>i. c) = mat c"
+  unfolding mat_def diag_mat_def by simp
+
+lemma matrix_vector_mul_diag_mat: "diag_mat f *v s = (\<chi> i. f i * s$i)"
+  unfolding diag_mat_def matrix_vector_mult_def by simp
+
+lemma matrix_vector_mul_diag_axis[simp]: "diag_mat f *v (axis i k) = axis i (f i * k)"
+  by (simp add: matrix_vector_mul_diag_mat axis_def fun_eq_iff)
+
+lemma matrix_mul_diag_matl: "diag_mat f ** A = (\<chi> i j. f i * A$i$j)"
+  unfolding diag_mat_def matrix_matrix_mult_def by simp
+
+lemma matrix_matrix_mul_diag_matr: "A ** diag_mat f = (\<chi> i j. A$i$j * f j)"
+  unfolding diag_mat_def matrix_matrix_mult_def apply(clarsimp simp: fun_eq_iff)
+  subgoal for i j 
+    by (auto simp: finite_sum_univ_singleton[of _ j])
+  done
+
+lemma matrix_mul_diag_diag: "diag_mat f ** diag_mat g = diag_mat (\<lambda>i. f i * g i)"
+  unfolding diag_mat_def matrix_matrix_mult_def vec_eq_iff by simp
+
+lemma compow_matrix_mul_diag_mat_eq: "((**) (diag_mat f) ^^ n) (mat 1) = diag_mat (\<lambda>i. f i^n)"
+  apply(induct n, simp_all add: matrix_mul_diag_matl)
+  by (auto simp: vec_eq_iff diag_mat_def)
+
+lemma compow_similar_diag_mat_eq:
+  assumes "invertible P" 
+      and "A = P\<^sup>-\<^sup>1 ** (diag_mat f) ** P"
+    shows "((**) A ^^ n) (mat 1) = P\<^sup>-\<^sup>1 ** (diag_mat (\<lambda>i. f i^n)) ** P"
+proof(induct n, simp_all add: assms)
+  fix n::nat
+  have "P\<^sup>-\<^sup>1 ** diag_mat f ** P ** (P\<^sup>-\<^sup>1 ** diag_mat (\<lambda>i. f i ^ n) ** P) = 
+  P\<^sup>-\<^sup>1 ** diag_mat f ** diag_mat (\<lambda>i. f i ^ n) ** P" (is "?lhs = _")
+    by (metis (no_types, lifting) assms(1) invertibleD(2) matrix_mul_rid matrix_mul_assoc) 
+  also have "... = P\<^sup>-\<^sup>1 ** diag_mat (\<lambda>i. f i * f i ^ n) ** P" (is "_ = ?rhs")
+    by (metis (full_types) matrix_mul_assoc matrix_mul_diag_diag)
+  finally show "?lhs = ?rhs" .
+qed
+
+lemma compow_similar_diag_mat:
+  assumes "A \<sim> (diag_mat f)"
+  shows "((**) A ^^ n) (mat 1) \<sim> diag_mat (\<lambda>i. f i^n)"
+proof(unfold similar_matrix_def)
+  obtain P where "invertible P" and "A = P\<^sup>-\<^sup>1 ** (diag_mat f) ** P"
+    using assms unfolding similar_matrix_def by blast
+  thus "\<exists>P. invertible P \<and> ((**) A ^^ n) (mat 1) = P\<^sup>-\<^sup>1 ** diag_mat (\<lambda>i. f i ^ n) ** P"
+    using compow_similar_diag_mat_eq by blast
+qed
+
+no_notation matrix_inv ("_\<^sup>-\<^sup>1" [90])
+        and similar_matrix (infixr "\<sim>" 25)
+
+
+end
\ No newline at end of file
diff --git a/thys/Matrices_for_ODEs/ROOT b/thys/Matrices_for_ODEs/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/Matrices_for_ODEs/ROOT
@@ -0,0 +1,11 @@
+chapter AFP
+
+session "Matrices_for_ODEs" (AFP) = "HOL-Analysis" +
+  options [timeout = 1800]
+  sessions
+    Hybrid_Systems_VCs
+  theories
+    MTX_Examples
+  document_files
+    "root.bib"
+    "root.tex"
\ No newline at end of file
diff --git a/thys/Matrices_for_ODEs/SQ_MTX.thy b/thys/Matrices_for_ODEs/SQ_MTX.thy
new file mode 100644
--- /dev/null
+++ b/thys/Matrices_for_ODEs/SQ_MTX.thy
@@ -0,0 +1,718 @@
+(*  Title:       Square Matrices
+    Author:      Jonathan Julián Huerta y Munive, 2020
+    Maintainer:  Jonathan Julián Huerta y Munive <jjhuertaymunive1@sheffield.ac.uk>
+*)
+
+section \<open> Square Matrices \<close>
+
+text\<open> The general solution for affine systems of ODEs involves the exponential function. 
+Unfortunately, this operation is only available in Isabelle for the type class ``banach''. 
+Hence, we define a type of square matrices and prove that it is an instance of this class.\<close>
+
+theory SQ_MTX
+  imports MTX_Norms
+
+begin
+
+subsection \<open> Definition \<close>
+
+typedef 'm sq_mtx = "UNIV::(real^'m^'m) set"
+  morphisms to_vec to_mtx by simp
+
+declare to_mtx_inverse [simp]
+    and to_vec_inverse [simp]
+
+setup_lifting type_definition_sq_mtx
+
+lift_definition sq_mtx_ith :: "'m sq_mtx \<Rightarrow> 'm \<Rightarrow> (real^'m)" (infixl "$$" 90) is "($)" .
+
+lift_definition sq_mtx_vec_mult :: "'m sq_mtx \<Rightarrow> (real^'m) \<Rightarrow> (real^'m)" (infixl "*\<^sub>V" 90) is "(*v)" .
+
+lift_definition vec_sq_mtx_prod :: "(real^'m) \<Rightarrow> 'm sq_mtx \<Rightarrow> (real^'m)" is "(v*)" .
+
+lift_definition sq_mtx_diag :: "(('m::finite) \<Rightarrow> real) \<Rightarrow> ('m::finite) sq_mtx" (binder "\<d>\<i>\<a>\<g> " 10) 
+  is diag_mat .
+
+lift_definition sq_mtx_transpose :: "('m::finite) sq_mtx \<Rightarrow> 'm sq_mtx" ("_\<^sup>\<dagger>") is transpose .
+
+lift_definition sq_mtx_inv :: "('m::finite) sq_mtx \<Rightarrow> 'm sq_mtx" ("_\<^sup>-\<^sup>1" [90]) is matrix_inv .
+
+lift_definition sq_mtx_row :: "'m \<Rightarrow> ('m::finite) sq_mtx \<Rightarrow> real^'m" ("\<r>\<o>\<w>") is row .
+
+lift_definition sq_mtx_col :: "'m \<Rightarrow> ('m::finite) sq_mtx \<Rightarrow> real^'m" ("\<c>\<o>\<l>")  is column .
+
+lemma to_vec_eq_ith: "(to_vec A) $ i = A $$ i"
+  by transfer simp
+
+lemma to_mtx_ith[simp]: 
+  "(to_mtx A) $$ i1 = A $ i1"
+  "(to_mtx A) $$ i1 $ i2 = A $ i1 $ i2"
+  by (transfer, simp)+
+
+lemma to_mtx_vec_lambda_ith[simp]: "to_mtx (\<chi> i j. x i j) $$ i1 $ i2 = x i1 i2"
+  by (simp add: sq_mtx_ith_def)
+
+lemma sq_mtx_eq_iff:
+  shows "A = B = (\<forall>i j. A $$ i $ j = B $$ i $ j)"
+    and "A = B = (\<forall>i. A $$ i = B $$ i)"
+  by (transfer, simp add: vec_eq_iff)+
+
+lemma sq_mtx_diag_simps[simp]:
+  "i = j \<Longrightarrow> sq_mtx_diag f $$ i $ j = f i"
+  "i \<noteq> j \<Longrightarrow> sq_mtx_diag f $$ i $ j = 0"
+  "sq_mtx_diag f $$ i = axis i (f i)"
+  unfolding sq_mtx_diag_def by (simp_all add: axis_def vec_eq_iff)
+
+lemma sq_mtx_diag_vec_mult: "(\<d>\<i>\<a>\<g> i. f i) *\<^sub>V s = (\<chi> i. f i * s$i)"
+  by (simp add: matrix_vector_mul_diag_mat sq_mtx_diag.abs_eq sq_mtx_vec_mult.abs_eq)
+
+lemma sq_mtx_vec_mult_diag_axis: "(\<d>\<i>\<a>\<g> i. f i) *\<^sub>V (axis i k) = axis i (f i * k)"
+  unfolding sq_mtx_diag_vec_mult axis_def by auto
+
+lemma sq_mtx_vec_mult_eq: "m *\<^sub>V x = (\<chi> i. sum (\<lambda>j. (m $$ i $ j) * (x $ j)) UNIV)"
+  by (transfer, simp add: matrix_vector_mult_def)
+
+lemma sq_mtx_transpose_transpose[simp]: "(A\<^sup>\<dagger>)\<^sup>\<dagger> = A"
+  by (transfer, simp)
+
+lemma transpose_mult_vec_canon_row[simp]: "(A\<^sup>\<dagger>) *\<^sub>V (\<e> i) = \<r>\<o>\<w> i A"
+  by transfer (simp add: row_def transpose_def axis_def matrix_vector_mult_def)
+
+lemma row_ith[simp]: "\<r>\<o>\<w> i A = A $$ i"
+  by transfer (simp add: row_def)
+
+lemma mtx_vec_mult_canon: "A *\<^sub>V (\<e> i) = \<c>\<o>\<l> i A" 
+  by (transfer, simp add: matrix_vector_mult_basis)
+
+
+subsection \<open> Ring of square matrices \<close>
+
+instantiation sq_mtx :: (finite) ring 
+begin
+
+lift_definition plus_sq_mtx :: "'a sq_mtx \<Rightarrow> 'a sq_mtx \<Rightarrow> 'a sq_mtx" is "(+)" .
+
+lift_definition zero_sq_mtx :: "'a sq_mtx" is "0" .
+
+lift_definition uminus_sq_mtx :: "'a sq_mtx \<Rightarrow> 'a sq_mtx" is "uminus" .
+
+lift_definition minus_sq_mtx :: "'a sq_mtx \<Rightarrow> 'a sq_mtx \<Rightarrow> 'a sq_mtx" is "(-)" .
+
+lift_definition times_sq_mtx :: "'a sq_mtx \<Rightarrow> 'a sq_mtx \<Rightarrow> 'a sq_mtx" is "(**)" .
+
+declare plus_sq_mtx.rep_eq [simp]
+    and minus_sq_mtx.rep_eq [simp]
+
+instance apply intro_classes
+  by(transfer, simp add: algebra_simps matrix_mul_assoc matrix_add_rdistrib matrix_add_ldistrib)+
+
+end
+
+lemma sq_mtx_zero_ith[simp]: "0 $$ i = 0"
+  by (transfer, simp)
+
+lemma sq_mtx_zero_nth[simp]: "0 $$ i $ j = 0"
+  by transfer simp
+
+lemma sq_mtx_plus_eq: "A + B = to_mtx (\<chi> i j. A$$i$j + B$$i$j)"
+  by transfer (simp add: vec_eq_iff)
+
+lemma sq_mtx_plus_ith[simp]:"(A + B) $$ i = A $$ i + B $$ i"
+  unfolding sq_mtx_plus_eq by (simp add: vec_eq_iff)
+
+lemma sq_mtx_uminus_eq: "- A = to_mtx (\<chi> i j. - A$$i$j)"
+  by transfer (simp add: vec_eq_iff)
+
+lemma sq_mtx_minus_eq: "A - B = to_mtx (\<chi> i j. A$$i$j - B$$i$j)"
+  by transfer (simp add: vec_eq_iff)
+
+lemma sq_mtx_minus_ith[simp]:"(A - B) $$ i = A $$ i - B $$ i"
+  unfolding sq_mtx_minus_eq by (simp add: vec_eq_iff)
+
+lemma sq_mtx_times_eq: "A * B = to_mtx (\<chi> i j. sum (\<lambda>k. A$$i$k * B$$k$j) UNIV)"
+  by transfer (simp add: matrix_matrix_mult_def)
+
+lemma sq_mtx_plus_diag_diag[simp]: "sq_mtx_diag f + sq_mtx_diag g = (\<d>\<i>\<a>\<g> i. f i + g i)"
+  by (subst sq_mtx_eq_iff) (simp add: axis_def)
+
+lemma sq_mtx_minus_diag_diag[simp]: "sq_mtx_diag f - sq_mtx_diag g = (\<d>\<i>\<a>\<g> i. f i - g i)"
+  by (subst sq_mtx_eq_iff) (simp add: axis_def)
+
+lemma sum_sq_mtx_diag[simp]: "(\<Sum>n<m. sq_mtx_diag (g n)) = (\<d>\<i>\<a>\<g> i. \<Sum>n<m. (g n i))" for m::nat
+  by (induct m, simp, subst sq_mtx_eq_iff, simp_all)
+
+lemma sq_mtx_mult_diag_diag[simp]: "sq_mtx_diag f * sq_mtx_diag g = (\<d>\<i>\<a>\<g> i. f i * g i)"
+  by (simp add: matrix_mul_diag_diag sq_mtx_diag.abs_eq times_sq_mtx.abs_eq)
+
+lemma sq_mtx_mult_diagl: "(\<d>\<i>\<a>\<g> i. f i) * A = to_mtx (\<chi> i j. f i * A $$ i $ j)"
+  by transfer (simp add: matrix_mul_diag_matl)
+
+lemma sq_mtx_mult_diagr: "A * (\<d>\<i>\<a>\<g> i. f i) = to_mtx (\<chi> i j. A $$ i $ j * f j)"
+  by transfer (simp add: matrix_matrix_mul_diag_matr)
+
+lemma mtx_vec_mult_0l[simp]: "0 *\<^sub>V x = 0"
+  by (simp add: sq_mtx_vec_mult.abs_eq zero_sq_mtx_def)
+
+lemma mtx_vec_mult_0r[simp]: "A *\<^sub>V 0 = 0"
+  by (transfer, simp)
+
+lemma mtx_vec_mult_add_rdistr: "(A + B) *\<^sub>V x = A *\<^sub>V x + B *\<^sub>V x"
+  unfolding plus_sq_mtx_def 
+  apply(transfer)
+  by (simp add: matrix_vector_mult_add_rdistrib)
+
+lemma mtx_vec_mult_add_rdistl: "A *\<^sub>V (x + y) = A *\<^sub>V x + A *\<^sub>V y"
+  unfolding plus_sq_mtx_def 
+  apply transfer
+  by (simp add: matrix_vector_right_distrib)
+
+lemma mtx_vec_mult_minus_rdistrib: "(A - B) *\<^sub>V x = A *\<^sub>V x - B *\<^sub>V x"
+  unfolding minus_sq_mtx_def by(transfer, simp add: matrix_vector_mult_diff_rdistrib)
+
+lemma mtx_vec_mult_minus_ldistrib: "A *\<^sub>V (x - y) =  A *\<^sub>V x -  A *\<^sub>V y"
+  by (metis (no_types, lifting) add_diff_cancel diff_add_cancel 
+      matrix_vector_right_distrib sq_mtx_vec_mult.rep_eq)
+
+lemma sq_mtx_times_vec_assoc: "(A * B) *\<^sub>V x = A *\<^sub>V (B *\<^sub>V x)"
+  by (transfer, simp add: matrix_vector_mul_assoc)
+
+lemma sq_mtx_vec_mult_sum_cols: "A *\<^sub>V x = sum (\<lambda>i. x $ i *\<^sub>R \<c>\<o>\<l> i A) UNIV"
+  by(transfer) (simp add: matrix_mult_sum scalar_mult_eq_scaleR)
+
+
+subsection \<open> Real normed vector space of square matrices \<close>
+
+instantiation sq_mtx :: (finite) real_normed_vector 
+begin
+
+definition norm_sq_mtx :: "'a sq_mtx \<Rightarrow> real" where "\<parallel>A\<parallel> = \<parallel>to_vec A\<parallel>\<^sub>o\<^sub>p"
+
+lift_definition scaleR_sq_mtx :: "real \<Rightarrow> 'a sq_mtx \<Rightarrow> 'a sq_mtx" is scaleR .
+
+definition sgn_sq_mtx :: "'a sq_mtx \<Rightarrow> 'a sq_mtx" 
+  where "sgn_sq_mtx A = (inverse (\<parallel>A\<parallel>)) *\<^sub>R A"
+
+definition dist_sq_mtx :: "'a sq_mtx \<Rightarrow> 'a sq_mtx \<Rightarrow> real" 
+  where "dist_sq_mtx A B = \<parallel>A - B\<parallel>" 
+
+definition uniformity_sq_mtx :: "('a sq_mtx \<times> 'a sq_mtx) filter" 
+  where "uniformity_sq_mtx = (INF e\<in>{0<..}. principal {(x, y). dist x y < e})"
+
+definition open_sq_mtx :: "'a sq_mtx set \<Rightarrow> bool" 
+  where "open_sq_mtx U = (\<forall>x\<in>U. \<forall>\<^sub>F (x', y) in uniformity. x' = x \<longrightarrow> y \<in> U)"
+
+instance apply intro_classes 
+  unfolding sgn_sq_mtx_def open_sq_mtx_def dist_sq_mtx_def uniformity_sq_mtx_def
+            prefer 10 
+            apply(transfer, simp add: norm_sq_mtx_def op_norm_triangle)
+           prefer 9 
+           apply(simp_all add: norm_sq_mtx_def zero_sq_mtx_def op_norm_eq_0)
+  by (transfer, simp add: norm_sq_mtx_def op_norm_scaleR algebra_simps)+
+
+end
+
+lemma sq_mtx_scaleR_eq: "c *\<^sub>R A = to_mtx (\<chi> i j. c *\<^sub>R A $$ i $ j)"
+  by transfer (simp add: vec_eq_iff)
+
+lemma scaleR_to_mtx_ith[simp]: "c *\<^sub>R (to_mtx A) $$ i1 $ i2 = c * A $ i1 $ i2"
+  by transfer (simp add: scaleR_vec_def)
+
+lemma sq_mtx_scaleR_ith[simp]: "(c *\<^sub>R A) $$ i = (c  *\<^sub>R (A $$ i))"
+  by (unfold scaleR_sq_mtx_def, transfer, simp)
+
+lemma scaleR_sq_mtx_diag: "c *\<^sub>R sq_mtx_diag f = (\<d>\<i>\<a>\<g> i. c * f i)"
+  by (subst sq_mtx_eq_iff, simp add: axis_def)
+
+lemma scaleR_mtx_vec_assoc: "(c *\<^sub>R A) *\<^sub>V x = c *\<^sub>R (A *\<^sub>V x)"
+  unfolding scaleR_sq_mtx_def sq_mtx_vec_mult_def apply simp
+  by (simp add: scaleR_matrix_vector_assoc)
+
+lemma mtx_vec_scaleR_commute: "A *\<^sub>V (c *\<^sub>R x) = c *\<^sub>R (A *\<^sub>V x)"
+  unfolding scaleR_sq_mtx_def sq_mtx_vec_mult_def apply(simp, transfer)
+  by (simp add: vector_scaleR_commute)
+
+lemma mtx_times_scaleR_commute: "A * (c *\<^sub>R B) = c *\<^sub>R (A * B)" for A::"('n::finite) sq_mtx"
+  unfolding sq_mtx_scaleR_eq sq_mtx_times_eq 
+  apply(simp add: to_mtx_inject)
+  apply(simp add: vec_eq_iff fun_eq_iff)
+  by (simp add: semiring_normalization_rules(19) vector_space_over_itself.scale_sum_right)
+
+lemma le_mtx_norm: "m \<in> {\<parallel>A *\<^sub>V x\<parallel> |x. \<parallel>x\<parallel> = 1} \<Longrightarrow> m \<le> \<parallel>A\<parallel>"
+  using cSup_upper[of _ "{\<parallel>(to_vec A) *v x\<parallel> | x. \<parallel>x\<parallel> = 1}"]
+  by (simp add: op_norm_set_proptys(2) op_norm_def norm_sq_mtx_def sq_mtx_vec_mult.rep_eq)
+
+lemma norm_vec_mult_le: "\<parallel>A *\<^sub>V x\<parallel> \<le> (\<parallel>A\<parallel>) * (\<parallel>x\<parallel>)"
+  by (simp add: norm_matrix_le_mult_op_norm norm_sq_mtx_def sq_mtx_vec_mult.rep_eq)
+
+lemma bounded_bilinear_sq_mtx_vec_mult: "bounded_bilinear (\<lambda>A s. A *\<^sub>V s)"
+  apply (rule bounded_bilinear.intro, simp_all add: mtx_vec_mult_add_rdistr 
+      mtx_vec_mult_add_rdistl scaleR_mtx_vec_assoc mtx_vec_scaleR_commute)
+  by (rule_tac x=1 in exI, auto intro!: norm_vec_mult_le)
+
+lemma norm_sq_mtx_def2: "\<parallel>A\<parallel> = Sup {\<parallel>A *\<^sub>V x\<parallel> |x. \<parallel>x\<parallel> = 1}"
+  unfolding norm_sq_mtx_def op_norm_def sq_mtx_vec_mult_def by simp
+
+lemma norm_sq_mtx_def3: "\<parallel>A\<parallel> = (SUP x. (\<parallel>A *\<^sub>V x\<parallel>) / (\<parallel>x\<parallel>))"
+  unfolding norm_sq_mtx_def onorm_def sq_mtx_vec_mult_def by simp
+
+lemma norm_sq_mtx_diag: "\<parallel>sq_mtx_diag f\<parallel> = Max {\<bar>f i\<bar> |i. i \<in> UNIV}"
+  unfolding norm_sq_mtx_def apply transfer
+  by (rule op_norm_diag_mat_eq)
+
+lemma sq_mtx_norm_le_sum_col: "\<parallel>A\<parallel> \<le> (\<Sum>i\<in>UNIV. \<parallel>\<c>\<o>\<l> i A\<parallel>)"
+  using op_norm_le_sum_column[of "to_vec A"] 
+  apply(simp add: norm_sq_mtx_def)
+  by(transfer, simp add: op_norm_le_sum_column)
+
+lemma norm_le_transpose: "\<parallel>A\<parallel> \<le> \<parallel>A\<^sup>\<dagger>\<parallel>"
+  unfolding norm_sq_mtx_def by transfer (rule op_norm_le_transpose)
+
+lemma norm_eq_norm_transpose[simp]: "\<parallel>A\<^sup>\<dagger>\<parallel> = \<parallel>A\<parallel>"
+  using norm_le_transpose[of A] and norm_le_transpose[of "A\<^sup>\<dagger>"] by simp
+
+lemma norm_column_le_norm: "\<parallel>A $$ i\<parallel> \<le> \<parallel>A\<parallel>"
+  using norm_vec_mult_le[of "A\<^sup>\<dagger>" "\<e> i"] by simp
+
+
+subsection \<open> Real normed algebra of square matrices \<close>
+
+instantiation sq_mtx :: (finite) real_normed_algebra_1
+begin
+
+lift_definition one_sq_mtx :: "'a sq_mtx" is "to_mtx (mat 1)" .
+
+lemma sq_mtx_one_idty: "1 * A = A" "A * 1 = A" for A :: "'a sq_mtx"
+  by(transfer, transfer, unfold mat_def matrix_matrix_mult_def, simp add: vec_eq_iff)+
+
+lemma sq_mtx_norm_1: "\<parallel>(1::'a sq_mtx)\<parallel> = 1"
+  unfolding one_sq_mtx_def norm_sq_mtx_def 
+  apply(simp add: op_norm_def)
+  apply(subst cSup_eq[of _ 1])
+  using ex_norm_eq_1 by auto
+
+lemma sq_mtx_norm_times: "\<parallel>A * B\<parallel> \<le> (\<parallel>A\<parallel>) * (\<parallel>B\<parallel>)" for A :: "'a sq_mtx"
+  unfolding norm_sq_mtx_def times_sq_mtx_def by(simp add: op_norm_matrix_matrix_mult_le)
+
+instance 
+  apply intro_classes 
+  apply(simp_all add: sq_mtx_one_idty sq_mtx_norm_1 sq_mtx_norm_times)
+  apply(simp_all add: to_mtx_inject vec_eq_iff one_sq_mtx_def zero_sq_mtx_def mat_def)
+  by(transfer, simp add: scalar_matrix_assoc matrix_scalar_ac)+
+
+end
+
+lemma sq_mtx_one_ith_simps[simp]: "1 $$ i $ i = 1" "i \<noteq> j \<Longrightarrow> 1 $$ i $ j = 0"
+  unfolding one_sq_mtx_def mat_def by simp_all
+
+lemma of_nat_eq_sq_mtx_diag[simp]: "of_nat m = (\<d>\<i>\<a>\<g> i. m)"
+  by (induct m) (simp, subst sq_mtx_eq_iff, simp add: axis_def)+
+
+lemma mtx_vec_mult_1[simp]: "1 *\<^sub>V s = s"
+  by (auto simp: sq_mtx_vec_mult_def one_sq_mtx_def 
+      mat_def vec_eq_iff matrix_vector_mult_def)
+
+lemma sq_mtx_diag_one[simp]: "(\<d>\<i>\<a>\<g> i. 1) = 1"
+  by (subst sq_mtx_eq_iff, simp add: one_sq_mtx_def mat_def axis_def)
+
+abbreviation "mtx_invertible A \<equiv> invertible (to_vec A)"
+
+lemma mtx_invertible_def: "mtx_invertible A \<longleftrightarrow> (\<exists>A'. A' * A = 1 \<and> A * A' = 1)"
+  apply (unfold sq_mtx_inv_def times_sq_mtx_def one_sq_mtx_def invertible_def, clarsimp, safe)
+   apply(rule_tac x="to_mtx A'" in exI, simp)
+  by (rule_tac x="to_vec A'" in exI, simp add: to_mtx_inject)
+
+lemma mtx_invertibleI:
+  assumes "A * B = 1" and "B * A = 1"
+  shows "mtx_invertible A"
+  using assms unfolding mtx_invertible_def by auto
+
+lemma mtx_invertibleD[simp]:
+  assumes "mtx_invertible A" 
+  shows "A\<^sup>-\<^sup>1 * A = 1" and "A * A\<^sup>-\<^sup>1 = 1"
+  apply (unfold sq_mtx_inv_def times_sq_mtx_def one_sq_mtx_def)
+  using assms by simp_all
+
+lemma mtx_invertible_inv[simp]: "mtx_invertible A \<Longrightarrow> mtx_invertible (A\<^sup>-\<^sup>1)"
+  using mtx_invertibleD mtx_invertibleI by blast
+
+lemma mtx_invertible_one[simp]: "mtx_invertible 1"
+  by (simp add: one_sq_mtx.rep_eq)
+
+lemma sq_mtx_inv_unique:
+  assumes "A * B = 1" and "B * A = 1"
+  shows "A\<^sup>-\<^sup>1 = B"
+  by (metis (no_types, lifting) assms mtx_invertibleD(2) 
+      mtx_invertibleI mult.assoc sq_mtx_one_idty(1))
+
+lemma sq_mtx_inv_idempotent[simp]: "mtx_invertible A \<Longrightarrow> A\<^sup>-\<^sup>1\<^sup>-\<^sup>1 = A"
+  using mtx_invertibleD sq_mtx_inv_unique by blast
+
+lemma sq_mtx_inv_mult:
+  assumes "mtx_invertible A" and "mtx_invertible B"
+  shows "(A * B)\<^sup>-\<^sup>1 = B\<^sup>-\<^sup>1 * A\<^sup>-\<^sup>1"
+  by (simp add: assms matrix_inv_matrix_mul sq_mtx_inv_def times_sq_mtx_def)
+
+lemma sq_mtx_inv_one[simp]: "1\<^sup>-\<^sup>1 = 1"
+  by (simp add: sq_mtx_inv_unique)
+
+definition similar_sq_mtx :: "('n::finite) sq_mtx \<Rightarrow> 'n sq_mtx \<Rightarrow> bool" (infixr "\<sim>" 25)
+  where "(A \<sim> B) \<longleftrightarrow> (\<exists> P. mtx_invertible P \<and> A = P\<^sup>-\<^sup>1 * B * P)"
+
+lemma similar_sq_mtx_matrix: "(A \<sim> B) = similar_matrix (to_vec A) (to_vec B)"
+  apply(unfold similar_matrix_def similar_sq_mtx_def, safe)
+   apply (metis sq_mtx_inv.rep_eq times_sq_mtx.rep_eq)
+  by (metis UNIV_I sq_mtx_inv.abs_eq times_sq_mtx.abs_eq to_mtx_inverse to_vec_inverse)
+
+lemma similar_sq_mtx_refl[simp]: "A \<sim> A"
+  by (unfold similar_sq_mtx_def, rule_tac x="1" in exI, simp)
+
+lemma similar_sq_mtx_simm: "A \<sim> B \<Longrightarrow> B \<sim> A"
+  apply(unfold similar_sq_mtx_def, clarsimp)
+  apply(rule_tac x="P\<^sup>-\<^sup>1" in exI, simp add: mult.assoc)
+  by (metis mtx_invertibleD(2) mult.assoc mult.left_neutral)
+
+lemma similar_sq_mtx_trans: "A \<sim> B \<Longrightarrow> B \<sim> C \<Longrightarrow> A \<sim> C"
+  unfolding similar_sq_mtx_matrix using similar_matrix_trans by blast
+
+lemma power_sq_mtx_diag: "(sq_mtx_diag f)^n = (\<d>\<i>\<a>\<g> i. f i^n)"
+  by (induct n, simp_all)
+
+lemma power_similiar_sq_mtx_diag_eq:
+  assumes "mtx_invertible P"
+      and "A = P\<^sup>-\<^sup>1 * (sq_mtx_diag f) * P"
+    shows "A^n = P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. f i^n) * P"
+proof(induct n, simp_all add: assms)
+  fix n::nat
+  have "P\<^sup>-\<^sup>1 * sq_mtx_diag f * P * (P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. f i ^ n) * P) = 
+  P\<^sup>-\<^sup>1 * sq_mtx_diag f * (\<d>\<i>\<a>\<g> i. f i ^ n) * P"
+    by (metis (no_types, lifting) assms(1) mtx_invertibleD(2) mult.assoc mult.right_neutral)
+  also have "... = P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. f i * f i ^ n) * P"
+    by (simp add: mult.assoc) 
+  finally show "P\<^sup>-\<^sup>1 * sq_mtx_diag f * P * (P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. f i ^ n) * P) = 
+  P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. f i * f i ^ n) * P" .
+qed
+
+lemma power_similar_sq_mtx_diag:
+  assumes "A \<sim> (sq_mtx_diag f)"
+  shows "A^n \<sim> (\<d>\<i>\<a>\<g> i. f i^n)"
+  using assms power_similiar_sq_mtx_diag_eq 
+  unfolding similar_sq_mtx_def by blast
+
+
+subsection \<open> Banach space of square matrices \<close>
+
+lemma Cauchy_cols:
+  fixes X :: "nat \<Rightarrow> ('a::finite) sq_mtx" 
+  assumes "Cauchy X"
+  shows "Cauchy (\<lambda>n. \<c>\<o>\<l> i (X n))" 
+proof(unfold Cauchy_def dist_norm, clarsimp)
+  fix \<epsilon>::real assume "\<epsilon> > 0"
+  then obtain M where M_def:"\<forall>m\<ge>M. \<forall>n\<ge>M. \<parallel>X m - X n\<parallel> < \<epsilon>"
+    using \<open>Cauchy X\<close> unfolding Cauchy_def by(simp add: dist_sq_mtx_def) metis
+  {fix m n assume "m \<ge> M" and "n \<ge> M"
+    hence "\<epsilon> > \<parallel>X m - X n\<parallel>" 
+      using M_def by blast
+    moreover have "\<parallel>X m - X n\<parallel> \<ge> \<parallel>(X m - X n) *\<^sub>V \<e> i\<parallel>"
+      by(rule le_mtx_norm[of _ "X m - X n"], force)
+    moreover have "\<parallel>(X m - X n) *\<^sub>V \<e> i\<parallel> = \<parallel>X m *\<^sub>V \<e> i - X n *\<^sub>V \<e> i\<parallel>"
+      by (simp add: mtx_vec_mult_minus_rdistrib)
+    moreover have "... = \<parallel>\<c>\<o>\<l> i (X m) - \<c>\<o>\<l> i (X n)\<parallel>"
+      by (simp add: mtx_vec_mult_minus_rdistrib mtx_vec_mult_canon)
+    ultimately have "\<parallel>\<c>\<o>\<l> i (X m) - \<c>\<o>\<l> i (X n)\<parallel> < \<epsilon>" 
+      by linarith}
+  thus "\<exists>M. \<forall>m\<ge>M. \<forall>n\<ge>M. \<parallel>\<c>\<o>\<l> i (X m) - \<c>\<o>\<l> i (X n)\<parallel> < \<epsilon>" 
+    by blast
+qed
+
+lemma col_convergence:
+  assumes "\<forall>i. (\<lambda>n. \<c>\<o>\<l> i (X n)) \<longlonglongrightarrow> L $ i" 
+  shows "X \<longlonglongrightarrow> to_mtx (transpose L)"
+proof(unfold LIMSEQ_def dist_norm, clarsimp)
+  let ?L = "to_mtx (transpose L)"
+  let ?a = "CARD('a)" fix \<epsilon>::real assume "\<epsilon> > 0"
+  hence "\<epsilon> / ?a > 0" by simp
+  hence "\<forall>i. \<exists> N. \<forall>n\<ge>N. \<parallel>\<c>\<o>\<l> i (X n) - L $ i\<parallel> < \<epsilon>/?a"
+    using assms unfolding LIMSEQ_def dist_norm convergent_def by blast
+  then obtain N where "\<forall>i. \<forall>n\<ge>N. \<parallel>\<c>\<o>\<l> i (X n) - L $ i\<parallel> < \<epsilon>/?a"
+    using finite_nat_minimal_witness[of "\<lambda> i n. \<parallel>\<c>\<o>\<l> i (X n) - L $ i\<parallel> < \<epsilon>/?a"] by blast
+  also have "\<And>i n. (\<c>\<o>\<l> i (X n) - L $ i) = (\<c>\<o>\<l> i (X n - ?L))"
+    unfolding minus_sq_mtx_def by(transfer, simp add: transpose_def vec_eq_iff column_def)
+  ultimately have N_def:"\<forall>i. \<forall>n\<ge>N. \<parallel>\<c>\<o>\<l> i (X n - ?L)\<parallel> < \<epsilon>/?a" 
+    by auto
+  have "\<forall>n\<ge>N. \<parallel>X n - ?L\<parallel> < \<epsilon>"
+  proof(rule allI, rule impI)
+    fix n::nat assume "N \<le> n"
+    hence "\<forall> i. \<parallel>\<c>\<o>\<l> i (X n - ?L)\<parallel> < \<epsilon>/?a"
+      using N_def by blast
+    hence "(\<Sum>i\<in>UNIV. \<parallel>\<c>\<o>\<l> i (X n - ?L)\<parallel>) < (\<Sum>(i::'a)\<in>UNIV. \<epsilon>/?a)"
+      using sum_strict_mono[of _ "\<lambda>i. \<parallel>\<c>\<o>\<l> i (X n - ?L)\<parallel>"] by force
+    moreover have "\<parallel>X n - ?L\<parallel> \<le> (\<Sum>i\<in>UNIV. \<parallel>\<c>\<o>\<l> i (X n - ?L)\<parallel>)"
+      using sq_mtx_norm_le_sum_col by blast
+    moreover have "(\<Sum>(i::'a)\<in>UNIV. \<epsilon>/?a) = \<epsilon>" 
+      by force
+    ultimately show "\<parallel>X n - ?L\<parallel> < \<epsilon>" 
+      by linarith
+  qed
+  thus "\<exists>no. \<forall>n\<ge>no. \<parallel>X n - ?L\<parallel> < \<epsilon>" 
+    by blast
+qed
+
+instance sq_mtx :: (finite) banach
+proof(standard)
+  fix X :: "nat \<Rightarrow> 'a sq_mtx"
+  assume "Cauchy X"
+  hence "\<And>i. Cauchy (\<lambda>n. \<c>\<o>\<l> i (X n))"
+    using Cauchy_cols by blast
+  hence obs: "\<forall>i. \<exists>! L. (\<lambda>n. \<c>\<o>\<l> i (X n)) \<longlonglongrightarrow> L"
+    using Cauchy_convergent convergent_def LIMSEQ_unique by fastforce
+  define L where "L = (\<chi> i. lim (\<lambda>n. \<c>\<o>\<l> i (X n)))"
+  hence "\<forall>i. (\<lambda>n. \<c>\<o>\<l> i (X n)) \<longlonglongrightarrow> L $ i" 
+    using obs theI_unique[of "\<lambda>L. (\<lambda>n. \<c>\<o>\<l> _ (X n)) \<longlonglongrightarrow> L" "L $ _"] by (simp add: lim_def)
+  thus "convergent X"
+    using col_convergence unfolding convergent_def by blast
+qed
+
+lemma exp_similiar_sq_mtx_diag_eq:
+  assumes "mtx_invertible P"
+      and "A = P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. f i) * P"
+    shows "exp A = P\<^sup>-\<^sup>1 * exp (\<d>\<i>\<a>\<g> i. f i) * P"
+proof(unfold exp_def power_similiar_sq_mtx_diag_eq[OF assms])
+  have "(\<Sum>n. P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. f i ^ n) * P /\<^sub>R fact n) = 
+  (\<Sum>n. P\<^sup>-\<^sup>1 * ((\<d>\<i>\<a>\<g> i. f i ^ n) /\<^sub>R fact n) * P)"
+    by simp
+  also have "... = (\<Sum>n. P\<^sup>-\<^sup>1 * ((\<d>\<i>\<a>\<g> i. f i ^ n) /\<^sub>R fact n)) * P"
+    apply(subst suminf_multr[OF bounded_linear.summable[OF bounded_linear_mult_right]])
+    unfolding power_sq_mtx_diag[symmetric] by (simp_all add: summable_exp_generic)
+  also have "... = P\<^sup>-\<^sup>1 * (\<Sum>n. (\<d>\<i>\<a>\<g> i. f i ^ n) /\<^sub>R fact n) * P"
+    apply(subst suminf_mult[of _ "P\<^sup>-\<^sup>1"])
+    unfolding power_sq_mtx_diag[symmetric] 
+    by (simp_all add: summable_exp_generic)
+  finally show "(\<Sum>n. P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. f i ^ n) * P /\<^sub>R fact n) = 
+  P\<^sup>-\<^sup>1 * (\<Sum>n. sq_mtx_diag f ^ n /\<^sub>R fact n) * P"
+    unfolding power_sq_mtx_diag by simp
+qed
+
+lemma exp_similiar_sq_mtx_diag:
+  assumes "A \<sim> sq_mtx_diag f"
+  shows "exp A \<sim> exp (sq_mtx_diag f)"
+  using assms exp_similiar_sq_mtx_diag_eq 
+  unfolding similar_sq_mtx_def by blast
+
+lemma suminf_sq_mtx_diag:
+  assumes "\<forall>i. (\<lambda>n. f n i) sums (suminf (\<lambda>n. f n i))"
+  shows "(\<Sum>n. (\<d>\<i>\<a>\<g> i. f n i)) = (\<d>\<i>\<a>\<g> i. \<Sum>n. f n i)"
+proof(rule suminfI, unfold sums_def LIMSEQ_iff, clarsimp simp: norm_sq_mtx_diag)
+  let ?g = "\<lambda>n i. \<bar>(\<Sum>n<n. f n i) - (\<Sum>n. f n i)\<bar>"
+  fix r::real assume "r > 0"
+  have "\<forall>i. \<exists>no. \<forall>n\<ge>no. ?g n i < r"
+    using assms \<open>r > 0\<close> unfolding sums_def LIMSEQ_iff by clarsimp 
+  then obtain N where key: "\<forall>i. \<forall>n\<ge>N. ?g n i < r"
+    using finite_nat_minimal_witness[of "\<lambda>i n. ?g n i < r"] by blast
+  {fix n::nat
+    assume "n \<ge> N"
+    obtain i where i_def: "Max {x. \<exists>i. x = ?g n i} = ?g n i"
+      using cMax_finite_ex[of "{x. \<exists>i. x = ?g n i}"] by auto
+    hence "?g n i < r"
+      using key \<open>n \<ge> N\<close> by blast
+    hence "Max {x. \<exists>i. x = ?g n i} < r"
+      unfolding i_def[symmetric] .}
+  thus "\<exists>N. \<forall>n\<ge>N. Max {x. \<exists>i. x = ?g n i} < r"
+    by blast
+qed
+
+lemma exp_sq_mtx_diag: "exp (sq_mtx_diag f) = (\<d>\<i>\<a>\<g> i. exp (f i))"
+  apply(unfold exp_def, simp add: power_sq_mtx_diag scaleR_sq_mtx_diag)
+  apply(rule suminf_sq_mtx_diag)
+  using exp_converges[of "f _"] 
+  unfolding sums_def LIMSEQ_iff exp_def by force
+
+lemma exp_scaleR_diagonal1:
+  assumes "mtx_invertible P" and "A = P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. f i) * P"
+    shows "exp (t *\<^sub>R A) = P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. exp (t * f i)) * P"
+proof-
+  have "exp (t *\<^sub>R A) = exp (P\<^sup>-\<^sup>1 * (t *\<^sub>R sq_mtx_diag f) * P)"
+    using assms by simp
+  also have "... = P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. exp (t * f i)) * P"
+    by (metis assms(1) exp_similiar_sq_mtx_diag_eq exp_sq_mtx_diag scaleR_sq_mtx_diag)
+  finally show "exp (t *\<^sub>R A) = P\<^sup>-\<^sup>1 * (\<d>\<i>\<a>\<g> i. exp (t * f i)) * P" .
+qed
+
+lemma exp_scaleR_diagonal2:
+  assumes "mtx_invertible P" and "A = P * (\<d>\<i>\<a>\<g> i. f i) * P\<^sup>-\<^sup>1"
+    shows "exp (t *\<^sub>R A) = P * (\<d>\<i>\<a>\<g> i. exp (t * f i)) * P\<^sup>-\<^sup>1"
+  apply(subst sq_mtx_inv_idempotent[OF assms(1), symmetric])
+  apply(rule exp_scaleR_diagonal1)
+  by (simp_all add: assms)
+
+
+subsection \<open> Examples \<close>
+
+definition "mtx A = to_mtx (vector (map vector A))"
+
+lemma vector_nth_eq: "(vector A) $ i = foldr (\<lambda>x f n. (f (n + 1))(n := x)) A (\<lambda>n x. 0) 1 i"
+  unfolding vector_def by simp
+
+lemma mtx_ith_eq[simp]: "mtx A $$ i $ j = foldr (\<lambda>x f n. (f (n + 1))(n := x))
+  (map (\<lambda>l. vec_lambda (foldr (\<lambda>x f n. (f (n + 1))(n := x)) l (\<lambda>n x. 0) 1)) A) (\<lambda>n x. 0) 1 i $ j"
+  unfolding mtx_def vector_def by (simp add: vector_nth_eq)
+
+subsubsection \<open> 2x2 matrices \<close>
+
+lemma mtx2_eq_iff: "(mtx 
+  ([a1, b1] # 
+   [c1, d1] # []) :: 2 sq_mtx) = mtx 
+  ([a2, b2] # 
+   [c2, d2] # []) \<longleftrightarrow> a1 = a2 \<and> b1 = b2 \<and> c1 = c2 \<and> d1 = d2"
+  apply(simp add: sq_mtx_eq_iff, safe)
+  using exhaust_2 by force+
+
+lemma mtx2_to_mtx: "mtx 
+  ([a, b] # 
+   [c, d] # []) = 
+  to_mtx (\<chi> i j::2. if i=1 \<and> j=1 then a 
+  else (if i=1 \<and> j=2 then b 
+  else (if i=2 \<and> j=1 then c 
+  else d)))"
+  apply(subst sq_mtx_eq_iff)
+  using exhaust_2 by force
+
+abbreviation diag2 :: "real \<Rightarrow> real \<Rightarrow> 2 sq_mtx" 
+  where "diag2 \<iota>\<^sub>1 \<iota>\<^sub>2 \<equiv> mtx 
+   ([\<iota>\<^sub>1, 0] # 
+    [0, \<iota>\<^sub>2] # [])"
+
+lemma diag2_eq: "diag2 (\<iota> 1) (\<iota> 2) = (\<d>\<i>\<a>\<g> i. \<iota> i)"
+  apply(simp add: sq_mtx_eq_iff)
+  using exhaust_2 by (force simp: axis_def)
+
+lemma one_mtx2: "(1::2 sq_mtx) = diag2 1 1"
+  apply(subst sq_mtx_eq_iff)
+  using exhaust_2 by force
+
+lemma zero_mtx2: "(0::2 sq_mtx) = diag2 0 0"
+  by (simp add: sq_mtx_eq_iff)
+
+lemma scaleR_mtx2: "k *\<^sub>R mtx 
+  ([a, b] # 
+   [c, d] # []) = mtx 
+  ([k*a, k*b] # 
+   [k*c, k*d] # [])"
+  by (simp add: sq_mtx_eq_iff)
+
+lemma uminus_mtx2: "-mtx 
+  ([a, b] # 
+   [c, d] # []) = (mtx 
+  ([-a, -b] # 
+   [-c, -d] # [])::2 sq_mtx)"
+  by (simp add: sq_mtx_uminus_eq sq_mtx_eq_iff)
+
+lemma plus_mtx2: "mtx 
+  ([a1, b1] # 
+   [c1, d1] # []) + mtx 
+  ([a2, b2] # 
+   [c2, d2] # []) = ((mtx 
+  ([a1+a2, b1+b2] # 
+   [c1+c2, d1+d2] # []))::2 sq_mtx)"
+  by (simp add: sq_mtx_eq_iff)
+
+lemma minus_mtx2: "mtx 
+  ([a1, b1] # 
+   [c1, d1] # []) - mtx 
+  ([a2, b2] # 
+   [c2, d2] # []) = ((mtx 
+  ([a1-a2, b1-b2] # 
+   [c1-c2, d1-d2] # []))::2 sq_mtx)"
+  by (simp add: sq_mtx_eq_iff)
+
+lemma times_mtx2: "mtx 
+  ([a1, b1] # 
+   [c1, d1] # []) * mtx 
+  ([a2, b2] # 
+   [c2, d2] # []) = ((mtx 
+  ([a1*a2+b1*c2, a1*b2+b1*d2] # 
+   [c1*a2+d1*c2, c1*b2+d1*d2] # []))::2 sq_mtx)"
+  unfolding sq_mtx_times_eq UNIV_2
+  by (simp add: sq_mtx_eq_iff)
+
+subsubsection \<open> 3x3 matrices \<close>
+
+lemma mtx3_to_mtx: "mtx 
+  ([a\<^sub>1\<^sub>1, a\<^sub>1\<^sub>2, a\<^sub>1\<^sub>3] # 
+   [a\<^sub>2\<^sub>1, a\<^sub>2\<^sub>2, a\<^sub>2\<^sub>3] # 
+   [a\<^sub>3\<^sub>1, a\<^sub>3\<^sub>2, a\<^sub>3\<^sub>3] # []) = 
+  to_mtx (\<chi> i j::3. if i=1 \<and> j=1 then a\<^sub>1\<^sub>1
+  else (if i=1 \<and> j=2 then a\<^sub>1\<^sub>2 
+  else (if i=1 \<and> j=3 then a\<^sub>1\<^sub>3 
+  else (if i=2 \<and> j=1 then a\<^sub>2\<^sub>1
+  else (if i=2 \<and> j=2 then a\<^sub>2\<^sub>2 
+  else (if i=2 \<and> j=3 then a\<^sub>2\<^sub>3 
+  else (if i=3 \<and> j=1 then a\<^sub>3\<^sub>1 
+  else (if i=3 \<and> j=2 then a\<^sub>3\<^sub>2 
+  else a\<^sub>3\<^sub>3))))))))"
+  apply(simp add: sq_mtx_eq_iff)
+  using exhaust_3 by force
+
+abbreviation diag3 :: "real \<Rightarrow> real \<Rightarrow> real \<Rightarrow> 3 sq_mtx" 
+  where "diag3 \<iota>\<^sub>1 \<iota>\<^sub>2 \<iota>\<^sub>3 \<equiv> mtx 
+  ([\<iota>\<^sub>1, 0, 0] # 
+   [0, \<iota>\<^sub>2, 0] # 
+   [0, 0, \<iota>\<^sub>3] # [])"
+
+lemma diag3_eq: "diag3 (\<iota> 1) (\<iota> 2) (\<iota> 3) = (\<d>\<i>\<a>\<g> i. \<iota> i)"
+  apply(simp add: sq_mtx_eq_iff)
+  using exhaust_3 by (force simp: axis_def)
+
+lemma one_mtx3: "(1::3 sq_mtx) = diag3 1 1 1"
+  apply(subst sq_mtx_eq_iff)
+  using exhaust_3 by force
+
+lemma zero_mtx3: "(0::3 sq_mtx) = diag3 0 0 0"
+  by (simp add: sq_mtx_eq_iff)
+
+lemma scaleR_mtx3: "k *\<^sub>R mtx 
+  ([a\<^sub>1\<^sub>1, a\<^sub>1\<^sub>2, a\<^sub>1\<^sub>3] # 
+   [a\<^sub>2\<^sub>1, a\<^sub>2\<^sub>2, a\<^sub>2\<^sub>3] # 
+   [a\<^sub>3\<^sub>1, a\<^sub>3\<^sub>2, a\<^sub>3\<^sub>3] # []) = mtx 
+  ([k*a\<^sub>1\<^sub>1, k*a\<^sub>1\<^sub>2, k*a\<^sub>1\<^sub>3] # 
+   [k*a\<^sub>2\<^sub>1, k*a\<^sub>2\<^sub>2, k*a\<^sub>2\<^sub>3] # 
+   [k*a\<^sub>3\<^sub>1, k*a\<^sub>3\<^sub>2, k*a\<^sub>3\<^sub>3] # [])"
+  by (simp add: sq_mtx_eq_iff)
+
+lemma plus_mtx3: "mtx 
+  ([a\<^sub>1\<^sub>1, a\<^sub>1\<^sub>2, a\<^sub>1\<^sub>3] # 
+   [a\<^sub>2\<^sub>1, a\<^sub>2\<^sub>2, a\<^sub>2\<^sub>3] # 
+   [a\<^sub>3\<^sub>1, a\<^sub>3\<^sub>2, a\<^sub>3\<^sub>3] # []) + mtx 
+  ([b\<^sub>1\<^sub>1, b\<^sub>1\<^sub>2, b\<^sub>1\<^sub>3] # 
+   [b\<^sub>2\<^sub>1, b\<^sub>2\<^sub>2, b\<^sub>2\<^sub>3] # 
+   [b\<^sub>3\<^sub>1, b\<^sub>3\<^sub>2, b\<^sub>3\<^sub>3] # []) = (mtx 
+  ([a\<^sub>1\<^sub>1+b\<^sub>1\<^sub>1, a\<^sub>1\<^sub>2+b\<^sub>1\<^sub>2, a\<^sub>1\<^sub>3+b\<^sub>1\<^sub>3] # 
+   [a\<^sub>2\<^sub>1+b\<^sub>2\<^sub>1, a\<^sub>2\<^sub>2+b\<^sub>2\<^sub>2, a\<^sub>2\<^sub>3+b\<^sub>2\<^sub>3] # 
+   [a\<^sub>3\<^sub>1+b\<^sub>3\<^sub>1, a\<^sub>3\<^sub>2+b\<^sub>3\<^sub>2, a\<^sub>3\<^sub>3+b\<^sub>3\<^sub>3] # [])::3 sq_mtx)"
+  by (subst sq_mtx_eq_iff) simp
+
+lemma minus_mtx3: "mtx 
+  ([a\<^sub>1\<^sub>1, a\<^sub>1\<^sub>2, a\<^sub>1\<^sub>3] # 
+   [a\<^sub>2\<^sub>1, a\<^sub>2\<^sub>2, a\<^sub>2\<^sub>3] # 
+   [a\<^sub>3\<^sub>1, a\<^sub>3\<^sub>2, a\<^sub>3\<^sub>3] # []) - mtx 
+  ([b\<^sub>1\<^sub>1, b\<^sub>1\<^sub>2, b\<^sub>1\<^sub>3] # 
+   [b\<^sub>2\<^sub>1, b\<^sub>2\<^sub>2, b\<^sub>2\<^sub>3] # 
+   [b\<^sub>3\<^sub>1, b\<^sub>3\<^sub>2, b\<^sub>3\<^sub>3] # []) = (mtx 
+  ([a\<^sub>1\<^sub>1-b\<^sub>1\<^sub>1, a\<^sub>1\<^sub>2-b\<^sub>1\<^sub>2, a\<^sub>1\<^sub>3-b\<^sub>1\<^sub>3] # 
+   [a\<^sub>2\<^sub>1-b\<^sub>2\<^sub>1, a\<^sub>2\<^sub>2-b\<^sub>2\<^sub>2, a\<^sub>2\<^sub>3-b\<^sub>2\<^sub>3] # 
+   [a\<^sub>3\<^sub>1-b\<^sub>3\<^sub>1, a\<^sub>3\<^sub>2-b\<^sub>3\<^sub>2, a\<^sub>3\<^sub>3-b\<^sub>3\<^sub>3] # [])::3 sq_mtx)"
+  by (simp add: sq_mtx_eq_iff)
+
+lemma times_mtx3: "mtx 
+  ([a\<^sub>1\<^sub>1, a\<^sub>1\<^sub>2, a\<^sub>1\<^sub>3] # 
+   [a\<^sub>2\<^sub>1, a\<^sub>2\<^sub>2, a\<^sub>2\<^sub>3] # 
+   [a\<^sub>3\<^sub>1, a\<^sub>3\<^sub>2, a\<^sub>3\<^sub>3] # []) * mtx 
+  ([b\<^sub>1\<^sub>1, b\<^sub>1\<^sub>2, b\<^sub>1\<^sub>3] # 
+   [b\<^sub>2\<^sub>1, b\<^sub>2\<^sub>2, b\<^sub>2\<^sub>3] # 
+   [b\<^sub>3\<^sub>1, b\<^sub>3\<^sub>2, b\<^sub>3\<^sub>3] # []) = (mtx 
+  ([a\<^sub>1\<^sub>1*b\<^sub>1\<^sub>1+a\<^sub>1\<^sub>2*b\<^sub>2\<^sub>1+a\<^sub>1\<^sub>3*b\<^sub>3\<^sub>1, a\<^sub>1\<^sub>1*b\<^sub>1\<^sub>2+a\<^sub>1\<^sub>2*b\<^sub>2\<^sub>2+a\<^sub>1\<^sub>3*b\<^sub>3\<^sub>2, a\<^sub>1\<^sub>1*b\<^sub>1\<^sub>3+a\<^sub>1\<^sub>2*b\<^sub>2\<^sub>3+a\<^sub>1\<^sub>3*b\<^sub>3\<^sub>3] # 
+   [a\<^sub>2\<^sub>1*b\<^sub>1\<^sub>1+a\<^sub>2\<^sub>2*b\<^sub>2\<^sub>1+a\<^sub>2\<^sub>3*b\<^sub>3\<^sub>1, a\<^sub>2\<^sub>1*b\<^sub>1\<^sub>2+a\<^sub>2\<^sub>2*b\<^sub>2\<^sub>2+a\<^sub>2\<^sub>3*b\<^sub>3\<^sub>2, a\<^sub>2\<^sub>1*b\<^sub>1\<^sub>3+a\<^sub>2\<^sub>2*b\<^sub>2\<^sub>3+a\<^sub>2\<^sub>3*b\<^sub>3\<^sub>3] # 
+   [a\<^sub>3\<^sub>1*b\<^sub>1\<^sub>1+a\<^sub>3\<^sub>2*b\<^sub>2\<^sub>1+a\<^sub>3\<^sub>3*b\<^sub>3\<^sub>1, a\<^sub>3\<^sub>1*b\<^sub>1\<^sub>2+a\<^sub>3\<^sub>2*b\<^sub>2\<^sub>2+a\<^sub>3\<^sub>3*b\<^sub>3\<^sub>2, a\<^sub>3\<^sub>1*b\<^sub>1\<^sub>3+a\<^sub>3\<^sub>2*b\<^sub>2\<^sub>3+a\<^sub>3\<^sub>3*b\<^sub>3\<^sub>3] # [])::3 sq_mtx)"
+  unfolding sq_mtx_times_eq
+  unfolding UNIV_3 by (simp add: sq_mtx_eq_iff)
+
+end
\ No newline at end of file
diff --git a/thys/Matrices_for_ODEs/document/root.bib b/thys/Matrices_for_ODEs/document/root.bib
new file mode 100644
--- /dev/null
+++ b/thys/Matrices_for_ODEs/document/root.bib
@@ -0,0 +1,70 @@
+%% This BibTeX bibliography file was created using BibDesk.
+%% http://bibdesk.sourceforge.net/
+
+
+%% Created for Jonathan Julian Huerta y Munive at 2019-06-10 16:26:22 +0100 
+
+
+%% Saved with string encoding Unicode (UTF-8)
+
+@article{ArmstrongGS16,
+	Author = {Alasdair Armstrong and Victor B. F. Gomes and Georg Struth},
+	Journal = {Formal Aspects of Computing},
+	Number = 2,
+	Pages = {265--293},
+	Title = {Building program construction and verification tools from algebraic principles},
+	Volume = 28,
+	Year = 2016}
+
+@Unpublished{FosterMS19,
+  author    = {Simon Foster and
+               Jonathan Juli{\'{a}}n Huerta y Munive and
+               Georg Struth},
+  title     = {Differential {H}oare Logics and Refinement Calculi for Hybrid Systems
+               with {I}sabelle/{HOL}},
+  journal   = {CoRR},
+  volume    = {abs/1910.13554},
+  note = {\href{http://arxiv.org/abs/1909.05618}{arXiv:1909.05618}[cs.LO]},
+  year      = {2019}
+}
+
+@Unpublished{MuniveS19,
+  author = 	 {Huerta y Munive, Jonathan Juli\'an and Struth, G.},
+  title = 	 {Predicate Transformer Semantics for Hybrid Systems: Verification Components for {I}sabelle/{HOL}},
+    note =         {\href{https://arxiv.org/abs/arXiv:1909.05618}{arXiv:1909.05618} [cs.LO]},
+      year =         2019,
+}
+
+@article{ImmlerH12a,
+	Author = {Fabian Immler and Johannes H{\"{o}}lzl},
+	Journal = {Archive of Formal Proofs},
+	Title = {Ordinary Differential Equations},
+	Url = {https://www.isa-afp.org/entries/Ordinary_Differential_Equations.shtml},
+	Year = {2012},
+	Bdsk-Url-1 = {https://www.isa-afp.org/entries/Ordinary_Differential_Equations.shtml}}
+
+@book{Platzer10,
+	Author = {Andr\'e Platzer},
+	Publisher = {Springer},
+	Title = {Logical Analysis of Hybrid Systems},
+	Year = 2010}
+
+@article{afp:hybrid,
+	Author = {Huerta y Munive, Jonathan Juli\'an},
+	Journal = {Archive of Formal Proofs},
+	Title = {Verification Components for Hybrid Systems},
+	Year = 2019}
+
+@article{afp:transem,
+	Author = {Georg Struth},
+	Journal = {Archive of Formal Proofs},
+	Title = {Transformer Semantics},
+	Year = 2018}
+
+@article{afp:vericomp,
+	Author = {Victor B. F. Gomes and Georg Struth},
+	Journal = {Archive of Formal Proofs},
+	Title = {Program Construction and Verification Components Based on {K}leene Algebra},
+	Year = 2016}
+
+
diff --git a/thys/Matrices_for_ODEs/document/root.tex b/thys/Matrices_for_ODEs/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/Matrices_for_ODEs/document/root.tex
@@ -0,0 +1,76 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{isabelle,isabellesym}
+
+% further packages required for unusual symbols (see also
+% isabellesym.sty), use only when needed
+
+\usepackage{amssymb}
+  %for \<leadsto>, \<box>, \<diamond>, \<sqsupset>, \<mho>, \<Join>,
+  %\<lhd>, \<lesssim>, \<greatersim>, \<lessapprox>, \<greaterapprox>,
+  %\<triangleq>, \<yen>, \<lozenge>
+
+%\usepackage{eurosym}
+  %for \<euro>
+
+%\usepackage[only,bigsqcap]{stmaryrd}
+  %for \<Sqinter>
+
+%\usepackage{eufrak}
+  %for \<AA> ... \<ZZ>, \<aa> ... \<zz> (also included in amssymb)
+
+%\usepackage{textcomp}
+  %for \<onequarter>, \<onehalf>, \<threequarters>, \<degree>, \<cent>,
+  %\<currency>
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+% for uniform font size
+%\renewcommand{\isastyle}{\isastyleminor}
+
+\renewcommand{\isasymlonglonglongrightarrow}{$\longrightarrow$}
+
+
+\begin{document}
+
+\title{Matrices for ODEs}
+\author{Jonathan Juli\'an Huerta y Munive}
+\maketitle
+
+\begin{abstract}
+  Our theories formalise various matrix properties that serve to establish 
+  existence, uniqueness and characterisation of the solution to affine 
+  systems of ordinary differential equations (ODEs). In particular, we
+  formalise the operator and maximum norm of matrices. Then we use 
+  them to prove that square matrices form a Banach space, and in this 
+  setting, we show an instance of Picard-Lindel\"of's theorem for affine
+  systems of ODEs. Finally, we apply this formalisation by verifying three 
+  simple hybrid programs.
+\end{abstract}
+
+\tableofcontents
+
+% sane default for proof documents
+\parindent 0pt\parskip 0.5ex
+
+\section{Introductory Remarks}
+
+Affine systems of ordinary differential equations (ODEs) are those whose associated vector fields are linear transformations. That is, if there is a matrix-valued function $A:\mathbb{R}\to M_{n\times n}(\mathbb{R})$ and vector function $B:\mathbb{R}\to\mathbb{R}^n$ such that the system of ODEs $x'\, t=f\, (t,x\, t)$ can be rewritten as $x'\, t=A\cdot (x\, t)+B\, t$, then the system is affine. Similarly, the associated linear system of ODEs is $x'\, t=A\cdot (x\, t)$ for matrix-vector multiplication $\cdot$. Our theories formalise affine (hence linear) systems of ordinary differential equations. For this purpose, we extend the ODE libraries of~\cite{ImmlerH12a} and linear algebra in HOL-Analysis. We add to them various results about invertibility of matrices, their diagonalisation, their operator and maximum norms, and properties relating them with vectors. We also define a new type of square matrices and prove that this is a Banach space. Then we obtain results about derivatives of matrix-vector multiplication and use them to prove Picard-Lindel\"of's theorem as formalised in~\cite{afp:hybrid}. The Banach space instance allows us to characterise the general solution to affine systems of ODEs in terms of the matrix-exponential. Finally, we use the components of~\cite{afp:hybrid} to do three simple verification examples in the style of differential dynamic logic~\cite{Platzer10} as showcased in~\cite{ArmstrongGS16,FosterMS19,MuniveS19}. A paper with a detailed overview of the various contributions that this formalisation adds to the verification components will be available soon in ArXiv.
+
+% generated text of all theories
+\input{session}
+
+% optional bibliography
+\bibliographystyle{abbrv}
+\bibliography{root}
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
diff --git a/thys/Power_Sum_Polynomials/Power_Sum_Polynomials.thy b/thys/Power_Sum_Polynomials/Power_Sum_Polynomials.thy
new file mode 100644
--- /dev/null
+++ b/thys/Power_Sum_Polynomials/Power_Sum_Polynomials.thy
@@ -0,0 +1,412 @@
+section \<open>Power sum polynomials\<close>
+(*
+  File:     Power_Sum_Polynomials.thy
+  Author:   Manuel Eberl, TU München
+*)
+theory Power_Sum_Polynomials
+imports
+  "Symmetric_Polynomials.Symmetric_Polynomials"
+  "HOL-Computational_Algebra.Field_as_Ring"
+  Power_Sum_Polynomials_Library
+begin
+
+subsection \<open>Definition\<close>
+
+text \<open>
+  For $n$ indeterminates $X_1,\ldots,X_n$, we define the $k$-th power sum polynomial as
+  \[p_k(X_1, \ldots, X_n) = X_1^k + \ldots + X_n^k\ .\]
+\<close>
+lift_definition powsum_mpoly_aux :: "nat set \<Rightarrow> nat \<Rightarrow> (nat \<Rightarrow>\<^sub>0 nat) \<Rightarrow>\<^sub>0 'a :: {semiring_1,zero_neq_one}" is
+  "\<lambda>X k mon. if infinite X \<or> k = 0 \<and> mon \<noteq> 0 then 0
+             else if k = 0 \<and> mon = 0 then of_nat (card X)
+             else if finite X \<and> (\<exists>x\<in>X. mon = Poly_Mapping.single x k) then 1 else 0"
+  by auto
+
+lemma lookup_powsum_mpoly_aux:
+  "Poly_Mapping.lookup (powsum_mpoly_aux X k) mon =
+     (if infinite X \<or> k = 0 \<and> mon \<noteq> 0 then 0
+             else if k = 0 \<and> mon = 0 then of_nat (card X)
+             else if finite X \<and> (\<exists>x\<in>X. mon = Poly_Mapping.single x k) then 1 else 0)"
+  by transfer' simp
+
+lemma lookup_sym_mpoly_aux_monom_singleton [simp]:
+  assumes "finite X" "x \<in> X" "k > 0"
+  shows   "Poly_Mapping.lookup (powsum_mpoly_aux X k) (Poly_Mapping.single x k) = 1"
+  using assms by (auto simp: lookup_powsum_mpoly_aux)
+
+lemma lookup_sym_mpoly_aux_monom_singleton':
+  assumes "finite X" "k > 0"
+  shows   "Poly_Mapping.lookup (powsum_mpoly_aux X k) (Poly_Mapping.single x k) = (if x \<in> X then 1 else 0)"
+  using assms by (auto simp: lookup_powsum_mpoly_aux)
+
+lemma keys_powsum_mpoly_aux: "m \<in> keys (powsum_mpoly_aux A k) \<Longrightarrow> keys m \<subseteq> A"
+  by transfer' (auto split: if_splits simp: keys_monom_of_set)
+
+
+lift_definition powsum_mpoly :: "nat set \<Rightarrow> nat \<Rightarrow> 'a :: {semiring_1,zero_neq_one} mpoly" is
+  "powsum_mpoly_aux" .
+
+lemma vars_powsum_mpoly_subset: "vars (powsum_mpoly A k) \<subseteq> A"
+  using keys_powsum_mpoly_aux by (auto simp: vars_def powsum_mpoly.rep_eq)
+
+lemma powsum_mpoly_infinite: "\<not>finite A \<Longrightarrow> powsum_mpoly A k = 0"
+  by (transfer, transfer) auto
+
+lemma coeff_powsum_mpoly:
+  "MPoly_Type.coeff (powsum_mpoly X k) mon =
+     (if infinite X \<or> k = 0 \<and> mon \<noteq> 0 then 0
+             else if k = 0 \<and> mon = 0 then of_nat (card X)
+             else if finite X \<and> (\<exists>x\<in>X. mon = Poly_Mapping.single x k) then 1 else 0)"
+  by transfer' (simp add: lookup_powsum_mpoly_aux)
+
+lemma coeff_powsum_mpoly_0_right:
+  "MPoly_Type.coeff (powsum_mpoly X 0) mon = (if mon = 0 then of_nat (card X) else 0)"
+  by transfer' (auto simp add: lookup_powsum_mpoly_aux)
+
+lemma coeff_powsum_mpoly_singleton:
+  assumes "finite X" "k > 0"
+  shows   "MPoly_Type.coeff (powsum_mpoly X k) (Poly_Mapping.single x k) = (if x \<in> X then 1 else 0)"
+  using assms by transfer' (simp add: lookup_powsum_mpoly_aux)
+
+lemma coeff_powsum_mpoly_singleton_eq_1 [simp]:
+  assumes "finite X" "x \<in> X" "k > 0"
+  shows   "MPoly_Type.coeff (powsum_mpoly X k) (Poly_Mapping.single x k) = 1"
+  using assms by (simp add: coeff_powsum_mpoly_singleton)
+
+lemma coeff_powsum_mpoly_singleton_eq_0 [simp]:
+  assumes "finite X" "x \<notin> X" "k > 0"
+  shows   "MPoly_Type.coeff (powsum_mpoly X k) (Poly_Mapping.single x k) = 0"
+  using assms by (simp add: coeff_powsum_mpoly_singleton)
+
+lemma powsum_mpoly_0 [simp]: "powsum_mpoly X 0 = of_nat (card X)"
+  by (intro mpoly_eqI ext) (auto simp: coeff_powsum_mpoly_0_right of_nat_mpoly_eq mpoly_coeff_Const)
+
+lemma powsum_mpoly_empty [simp]: "powsum_mpoly {} k = 0"
+  by (intro mpoly_eqI) (auto simp: coeff_powsum_mpoly)
+
+lemma powsum_mpoly_altdef: "powsum_mpoly X k = (\<Sum>x\<in>X. monom (Poly_Mapping.single x k) 1)"
+proof (cases "finite X")
+  case [simp]: True
+  show ?thesis
+  proof (cases "k = 0")
+    case True
+    thus ?thesis by auto
+  next
+    case False
+    show ?thesis
+    proof (intro mpoly_eqI, goal_cases)
+      case (1 mon)
+      show ?case using False
+        by (cases "\<exists>x\<in>X. mon = Poly_Mapping.single x k")
+           (auto simp: coeff_powsum_mpoly coeff_monom when_def)
+    qed
+  qed
+qed (auto simp: powsum_mpoly_infinite)
+
+text \<open>
+  Power sum polynomials are symmetric:
+\<close>
+lemma symmetric_powsum_mpoly [intro]:
+  assumes "A \<subseteq> B"
+  shows   "symmetric_mpoly A (powsum_mpoly B k)"
+  unfolding powsum_mpoly_altdef
+proof (rule symmetric_mpoly_symmetric_sum)
+  fix x \<pi>
+  assume "x \<in> B" "\<pi> permutes A"
+  thus "mpoly_map_vars \<pi> (MPoly_Type.monom (Poly_Mapping.single x k) 1) =
+        MPoly_Type.monom (Poly_Mapping.single (\<pi> x) k) 1"
+    using assms by (auto simp: mpoly_map_vars_monom permutes_bij permutep_single
+                               bij_imp_bij_inv permutes_inv_inv)
+qed (use assms in \<open>auto simp: permutes_subset\<close>)
+
+lemma insertion_powsum_mpoly [simp]: "insertion f (powsum_mpoly X k) = (\<Sum>i\<in>X. f i ^ k)"
+  unfolding powsum_mpoly_altdef insertion_sum insertion_single by simp
+
+lemma powsum_mpoly_nz:
+  assumes "finite X" "X \<noteq> {}" "k > 0"
+  shows   "(powsum_mpoly X k :: 'a :: {semiring_1, zero_neq_one} mpoly) \<noteq> 0"
+proof -
+  from assms obtain x where "x \<in> X" by auto
+  hence "coeff (powsum_mpoly X k) (Poly_Mapping.single x k) = (1 :: 'a)"
+    using assms by (auto simp: coeff_powsum_mpoly)
+  thus ?thesis by auto
+qed
+
+lemma powsum_mpoly_eq_0_iff:
+  assumes "k > 0"
+  shows   "powsum_mpoly X k = 0 \<longleftrightarrow> infinite X \<or> X = {}"
+  using assms powsum_mpoly_nz[of X k] by (auto simp: powsum_mpoly_infinite)
+
+
+subsection \<open>The Girard--Newton Theorem\<close>
+
+text \<open>
+  The following is a nice combinatorial proof of the Girard--Newton Theorem due to
+  Doron Zeilberger~\cite{zeilberger}.
+
+  The precise statement is this:
+
+  Let $e_k$ denote the $k$-th elementary symmetric polynomial in $X_1,\ldots,X_n$.
+  This is the sum of all monomials that can be formed by taking the product of $k$ 
+  distinct variables.
+
+  Next, let $p_k = X_1^k + \ldots + X_n^k$ denote that $k$-th symmetric power sum polynomial
+  in $X_1,\ldots,X_n$.
+
+  Then the following equality holds:
+  \[(-1)^k k e_k + \sum_{i=0}^{k-1} (-1)^i e_i p_{k-i}\]
+\<close>
+theorem Girard_Newton:
+  assumes "finite X"
+  shows   "(-1) ^ k * of_nat k * sym_mpoly X k +
+           (\<Sum>i<k. (-1) ^ i * sym_mpoly X i * powsum_mpoly X (k - i)) =
+             (0 :: 'a :: comm_ring_1 mpoly)"
+  (is "?lhs = 0")
+proof -
+  write Poly_Mapping.single ("sng")
+
+  define n where "n = card X"
+  define \<A> :: "(nat set \<times> nat) set"
+    where "\<A> = {(A, j). A \<subseteq> X \<and> card A \<le> k \<and> j \<in> X \<and> (card A = k \<longrightarrow> j \<in> A)}"
+  define \<A>1 :: "(nat set \<times> nat) set"
+    where "\<A>1 = {A\<in>Pow X. card A < k} \<times> X"
+  define \<A>2 :: "(nat set \<times> nat) set"
+    where "\<A>2 = (SIGMA A:{A\<in>Pow X. card A = k}. A)"
+
+  have \<A>_split: "\<A> = \<A>1 \<union> \<A>2" "\<A>1 \<inter> \<A>2 = {}"
+    by (auto simp: \<A>_def \<A>1_def \<A>2_def)
+  have [intro]: "finite \<A>1" "finite \<A>2"
+    using assms finite_subset[of _ X] by (auto simp: \<A>1_def \<A>2_def intro!: finite_SigmaI)
+  have [intro]: "finite \<A>"
+    by (subst \<A>_split) auto
+
+  \<comment> \<open>
+    We define a `weight' function \<open>w\<close> from \<open>\<A>\<close> to the ring of polynomials as
+    \[w(A,j) = (-1)^{|A|} x_j^{k-|A|} \prod_{i\in A} x_i\ .\]
+  \<close>
+  define w :: "nat set \<times> nat \<Rightarrow> 'a mpoly"
+    where "w = (\<lambda>(A, j). monom (monom_of_set A + sng j (k - card A)) ((-1) ^ card A))"
+
+  \<comment> \<open>The sum of these weights over all of \<open>\<A>\<close> is precisely the sum that we want to show equals 0:\<close>
+  have "?lhs = (\<Sum>x\<in>\<A>. w x)"
+  proof -
+    have "(\<Sum>x\<in>\<A>. w x) = (\<Sum>x\<in>\<A>1. w x) + (\<Sum>x\<in>\<A>2. w x)"
+      by (subst \<A>_split, subst sum.union_disjoint, use \<A>_split(2) in auto)
+
+    also have "(\<Sum>x\<in>\<A>1. w x) = (\<Sum>i<k. (-1) ^ i * sym_mpoly X i * powsum_mpoly X (k - i))"
+    proof -
+      have "(\<Sum>x\<in>\<A>1. w x) = (\<Sum>A | A \<subseteq> X \<and> card A < k. \<Sum>j\<in>X. w (A, j))"
+        using assms by (subst sum.Sigma) (auto simp: \<A>1_def)
+      also have "\<dots> = (\<Sum>A | A \<subseteq> X \<and> card A < k. \<Sum>j\<in>X.
+                        monom (monom_of_set A) ((-1) ^ card A) * monom (sng j (k - card A)) 1)"
+        unfolding w_def by (intro sum.cong) (auto simp: mult_monom)
+      also have "\<dots> = (\<Sum>A | A \<subseteq> X \<and> card A < k. monom (monom_of_set A) ((-1) ^ card A) *
+                        powsum_mpoly X (k - card A))"
+        by (simp add: sum_distrib_left powsum_mpoly_altdef)
+      also have "\<dots> = (\<Sum>(i,A) \<in> (SIGMA i:{..<k}. {A. A \<subseteq> X \<and> card A = i}).
+                        monom (monom_of_set A) ((-1) ^ i) * powsum_mpoly X (k - i))"
+        by (rule sum.reindex_bij_witness[of _ snd "\<lambda>A. (card A, A)"]) auto
+      also have "\<dots> = (\<Sum>i<k. \<Sum>A | A \<subseteq> X \<and> card A = i.
+                        monom (monom_of_set A) 1 * monom 0 ((-1) ^ i) * powsum_mpoly X (k - i))"
+        using assms by (subst sum.Sigma) (auto simp: mult_monom)
+      also have "\<dots> = (\<Sum>i<k. (-1) ^ i * sym_mpoly X i * powsum_mpoly X (k - i))"
+        by (simp add: sum_distrib_left sum_distrib_right mpoly_monom_0_eq_Const 
+                      mpoly_Const_power mpoly_Const_uminus algebra_simps sym_mpoly_altdef)
+      finally show ?thesis .
+    qed
+
+    also have "(\<Sum>x\<in>\<A>2. w x) = (-1) ^ k * of_nat k * sym_mpoly X k"
+    proof -
+      have "(\<Sum>x\<in>\<A>2. w x) = (\<Sum>(A,j)\<in>\<A>2. monom (monom_of_set A) ((- 1) ^ k))"
+        by (intro sum.cong) (auto simp: \<A>2_def w_def mpoly_monom_0_eq_Const intro!: sum.cong)
+      also have "\<dots> = (\<Sum>A | A \<subseteq> X \<and> card A = k. \<Sum>j\<in>A. monom (monom_of_set A) ((- 1) ^ k))"
+        using assms finite_subset[of _ X] by (subst sum.Sigma) (auto simp: \<A>2_def)
+      also have "(\<lambda>A. monom (monom_of_set A) ((- 1) ^ k) :: 'a mpoly) =
+                   (\<lambda>A. monom 0 ((-1) ^ k) * monom (monom_of_set A) 1)"
+        by (auto simp: fun_eq_iff mult_monom)
+      also have "monom 0 ((-1) ^ k) = (-1) ^ k"
+        by (auto simp: mpoly_monom_0_eq_Const mpoly_Const_power mpoly_Const_uminus)
+      also have "(\<Sum>A | A \<subseteq> X \<and> card A = k. \<Sum>j\<in>A. (- 1) ^ k * monom (monom_of_set A) 1) =
+                   ((-1) ^ k * of_nat k * sym_mpoly X k :: 'a mpoly)"
+        by (auto simp: sum_distrib_left sum_distrib_right mult_ac sym_mpoly_altdef)
+      finally show ?thesis .
+    qed
+
+    finally show ?thesis by (simp add: algebra_simps)
+  qed
+
+  \<comment> \<open>Next, we show that the weights sum to 0:\<close>
+  also have "(\<Sum>x\<in>\<A>. w x) = 0"
+  proof -
+    \<comment> \<open>We define a function \<open>T\<close> that is a involutory permutation of \<open>\<A>\<close>.
+        To be more precise, it bijectively maps those elements \<open>(A,j)\<close> of \<open>\<A>\<close> with \<open>j \<in> A\<close>
+        to those where \<open>j \<notin> A\<close> and the other way round. `Involutory' means that \<open>T\<close> is its
+        own inverse function, i.\,e.\ $T(T(x)) = x$.\<close>
+    define T :: "nat set \<times> nat \<Rightarrow> nat set \<times> nat"
+      where "T = (\<lambda>(A, j). if j \<in> A then (A - {j}, j) else (insert j A, j))"
+    have [simp]: "T (T x) = x" for x
+      by (auto simp: T_def split: prod.splits)
+    have [simp]: "T x \<in> \<A>" if "x \<in> \<A>" for x
+    proof -
+      have [simp]: "n \<le> n - Suc 0 \<longleftrightarrow> n = 0" for n
+        by auto
+      show ?thesis using that assms finite_subset[of _ X]
+        by (auto simp: T_def \<A>_def split: prod.splits)
+    qed
+    have "snd (T x) \<in> fst (T x) \<longleftrightarrow> snd x \<notin> fst x" if "x \<in> \<A>" for x
+      by (auto simp: T_def split: prod.splits)
+    hence bij: "bij_betw T {x\<in>\<A>. snd x \<in> fst x} {x\<in>\<A>. snd x \<notin> fst x}"
+      by (intro bij_betwI[of _ _ _ T]) auto
+
+    \<comment>\<open>Crucially, we show that \<^term>\<open>T\<close> flips the weight of each element:\<close>
+    have [simp]: "w (T x) = -w x" if "x \<in> \<A>" for x
+    proof -
+      obtain A j where [simp]: "x = (A, j)" by force
+      
+      \<comment> \<open>Since \<^term>\<open>T\<close> is an involution, we can assume w.\,l.\,o.\,g.\ that \<open>j \<in> A\<close>:\<close>
+      have aux: "w (T (A, j)) = - w (A, j)" if "(A, j) \<in> \<A>" "j \<in> A" for j A
+      proof -
+        from that have [simp]: "j \<in> A" "A \<subseteq> X" and "k > 0"
+          using finite_subset[OF _ assms, of A] by (auto simp: \<A>_def intro!: Nat.gr0I)
+        have [simp]: "finite A"
+          using finite_subset[OF _ assms, of A] by auto
+        from that have "card A \<le> k"
+          by (auto simp: \<A>_def)
+
+        have card: "card A = Suc (card (A - {j}))"
+          using card.remove[of A j] by auto
+        hence card_less: "card (A - {j}) < card A" by linarith
+
+        have "w (T (A, j)) = monom (monom_of_set (A - {j}) + sng j (k - card (A - {j})))
+                         ((- 1) ^ card (A - {j}))" by (simp add: w_def T_def)
+        also have "(- 1) ^ card (A - {j}) = ((- 1) ^ Suc (Suc (card (A - {j}))) :: 'a)"
+          by simp
+        also have "Suc (card (A - {j})) = card A"
+          using card by simp
+        also have "k - card (A - {j}) = Suc (k - card A)"
+          using \<open>k > 0\<close> \<open>card A \<le> k\<close> card_less by (subst card) auto
+        also have "monom_of_set (A - {j}) + sng j (Suc (k - card A)) =
+                   monom_of_set A + sng j (k - card A)"
+          by (transfer fixing: A j k) (auto simp: fun_eq_iff)
+        also have "monom \<dots> ((-1)^ Suc (card A)) = -w (A, j)"
+          by (simp add: w_def monom_uminus)
+        finally show ?thesis .
+      qed
+
+      show ?thesis
+      proof (cases "j \<in> A")
+        case True
+        with aux[of A j] that show ?thesis by auto
+      next
+        case False
+        hence "snd (T x) \<in> fst (T x)"
+          by (auto simp: T_def split: prod.splits)
+        with aux[of "fst (T x)" "snd (T x)"] that show ?thesis by auto
+      qed
+    qed
+
+    text \<open>
+      We can now show fairly easily that the sum is equal to zero.
+    \<close>
+    have *: "\<A> = {x\<in>\<A>. snd x \<in> fst x} \<union> {x\<in>\<A>. snd x \<notin> fst x}"
+      by auto
+    have "(\<Sum>x\<in>\<A>. w x) = (\<Sum>x | x \<in> \<A> \<and> snd x \<in> fst x. w x) + (\<Sum>x | x \<in> \<A> \<and> snd x \<notin> fst x. w x)"
+      using \<open>finite \<A>\<close> by (subst *, subst sum.union_disjoint) auto
+    also have "(\<Sum>x | x \<in> \<A> \<and> snd x \<notin> fst x. w x) = (\<Sum>x | x \<in> \<A> \<and> snd x \<in> fst x. w (T x))"
+      using sum.reindex_bij_betw[OF bij, of w] by simp
+    also have "\<dots> = -(\<Sum>x | x \<in> \<A> \<and> snd x \<in> fst x. w x)"
+      by (simp add: sum_negf)
+    finally show "(\<Sum>x\<in>\<A>. w x) = 0"
+      by simp
+  qed
+
+  finally show ?thesis .
+qed
+
+text \<open>
+  The following variant of the theorem holds for \<open>k > n\<close>. Note that this is now a
+  linear recurrence relation with constant coefficients for $p_k$ in terms of
+  $e_0, \ldots, e_n$.
+\<close>
+corollary Girard_Newton':
+  assumes "finite X" and "k > card X"
+  shows   "(\<Sum>i\<le>card X. (-1) ^ i * sym_mpoly X i * powsum_mpoly X (k - i)) =
+             (0 :: 'a :: comm_ring_1 mpoly)"
+proof -
+  have "(0 :: 'a mpoly) = (\<Sum>i<k. (- 1) ^ i * sym_mpoly X i * powsum_mpoly X (k - i))"
+    using Girard_Newton[of X k] assms by simp
+  also have "\<dots> = (\<Sum>i\<le>card X. (- 1) ^ i * sym_mpoly X i * powsum_mpoly X (k - i))"
+    using assms by (intro sum.mono_neutral_right) auto
+  finally show ?thesis ..
+qed  
+
+text \<open>
+  The following variant is the Newton--Girard Theorem solved for $e_k$, giving us
+  an explicit way to determine $e_k$ from $e_0, \ldots, e_{k-1}$ and $p_1, \ldots, p_k$:
+\<close>
+corollary sym_mpoly_recurrence:
+  assumes k: "k > 0" and "finite X"
+  shows   "(sym_mpoly X k :: 'a :: field_char_0 mpoly) =
+             -smult (1 / of_nat k) (\<Sum>i=1..k. (-1) ^ i * sym_mpoly X (k - i) * powsum_mpoly X i)"
+proof -
+  define e p :: "nat \<Rightarrow> 'a mpoly" where [simp]: "e = sym_mpoly X" "p = powsum_mpoly X"
+  have *: "0 = (-1) ^ k * of_nat k * e k +
+              (\<Sum>i<k. (- 1) ^ i * e i * p (k - i) :: 'a mpoly)"
+    using Girard_Newton[of X k] assms by simp
+
+  have "0 = (-1) ^ k * smult (1 / of_nat k) (0 :: 'a mpoly)"
+    by simp
+  also have "\<dots> = smult (1 / of_nat k) (of_nat k) * e k +
+                  smult (1 / of_nat k) (\<Sum>i<k. (-1)^(k+i) * e i * p (k - i))"
+    unfolding smult_conv_mult
+    using k by (subst *) (simp add: power_add sum_distrib_left sum_distrib_right field_simps 
+                               del: div_mult_self3 div_mult_self4 div_mult_self2 div_mult_self1)
+  also have "smult (1 / of_nat k :: 'a) (of_nat k) = 1"
+    using k by (simp add: of_nat_monom smult_conv_mult mult_monom del: monom_of_nat)
+  also have "(\<Sum>i<k. (-1) ^ (k+i) * e i * p (k - i)) = (\<Sum>i=1..k. (-1) ^ i * e (k-i) * p i)"
+    by (intro sum.reindex_bij_witness[of _ "\<lambda>i. k - i" "\<lambda>i. k - i"])
+       (auto simp: minus_one_power_iff)
+  finally show ?thesis unfolding e_p_def by algebra
+qed
+
+text \<open>
+  Analogously, the following is the theorem solved for $p_k$, giving us a
+  way to determine $p_k$ from $e_0, \ldots, e_k$ and $p_1, \ldots, p_{k-1}$:
+\<close>
+corollary powsum_mpoly_recurrence:
+  assumes k: "k > 0" and X: "finite X"
+  shows   "(powsum_mpoly X k :: 'a :: comm_ring_1 mpoly) =
+             (-1) ^ (k + 1) * of_nat k * sym_mpoly X k -
+             (\<Sum>i=1..<k. (-1) ^ i * sym_mpoly X i * powsum_mpoly X (k - i))"
+proof -
+  define e p :: "nat \<Rightarrow> 'a mpoly" where [simp]: "e = sym_mpoly X" "p = powsum_mpoly X"
+  have *: "0 = (-1) ^ k * of_nat k * e k +
+                 (\<Sum>i<k. (-1) ^ i * e i * p (k - i) :: 'a mpoly)"
+    using Girard_Newton[of X k] assms by simp
+  also have "{..<k} = insert 0 {1..<k}"
+    using assms by auto
+  finally have "(-1) ^ k * of_nat k * e k + (\<Sum>i=1..<k. (-1) ^ i * e i * p (k - i)) + p k = 0"
+    using assms by (simp add: algebra_simps)
+  from add.inverse_unique[OF this] show ?thesis by simp
+qed
+
+text \<open>
+  Again, if we assume $k > n$, the above takes a much simpler form and is, in fact,
+  a linear recurrence with constant coefficients:
+\<close>
+lemma powsum_mpoly_recurrence':
+  assumes k: "k > card X" and X: "finite X"
+  shows   "(powsum_mpoly X k :: 'a :: comm_ring_1 mpoly) =
+             -(\<Sum>i=1..card X. (-1) ^ i * sym_mpoly X i * powsum_mpoly X (k - i))"
+proof -
+  define e p :: "nat \<Rightarrow> 'a mpoly" where [simp]: "e = sym_mpoly X" "p = powsum_mpoly X"
+  have "p k = (-1) ^ (k + 1) * of_nat k * e k - (\<Sum>i=1..<k. (-1) ^ i * e i * p (k - i))"
+    unfolding e_p_def using assms by (intro powsum_mpoly_recurrence) auto
+  also have "\<dots> = -(\<Sum>i=1..<k. (-1) ^ i * e i * p (k - i))"
+    using assms by simp
+  also have "(\<Sum>i=1..<k. (-1) ^ i * e i * p (k - i)) = (\<Sum>i=1..card X. (-1) ^ i * e i * p (k - i))"
+    using assms by (intro sum.mono_neutral_right) auto
+  finally show ?thesis by simp
+qed
+
+end
\ No newline at end of file
diff --git a/thys/Power_Sum_Polynomials/Power_Sum_Polynomials_Library.thy b/thys/Power_Sum_Polynomials/Power_Sum_Polynomials_Library.thy
new file mode 100644
--- /dev/null
+++ b/thys/Power_Sum_Polynomials/Power_Sum_Polynomials_Library.thy
@@ -0,0 +1,544 @@
+(*
+  File:     Power_Sum_Polynomials_Library.thy
+  Author:   Manuel Eberl, TU München
+*)
+section \<open>Auxiliary material\<close>
+theory Power_Sum_Polynomials_Library
+imports
+  "Polynomial_Factorization.Fundamental_Theorem_Algebra_Factorized"  
+  "Symmetric_Polynomials.Symmetric_Polynomials"
+  "HOL-Computational_Algebra.Computational_Algebra"
+begin
+
+subsection \<open>Miscellaneous\<close>
+
+lemma atLeastAtMost_nat_numeral:
+  "atLeastAtMost m (numeral k :: nat) =
+     (if m \<le> numeral k then insert (numeral k) (atLeastAtMost m (pred_numeral k))
+                 else {})"
+  by (simp add: numeral_eq_Suc atLeastAtMostSuc_conv)
+
+lemma sum_in_Rats [intro]: "(\<And>x. x \<in> A \<Longrightarrow> f x \<in> \<rat>) \<Longrightarrow> sum f A \<in> \<rat>"
+  by (induction A rule: infinite_finite_induct) auto
+
+(* TODO Move *)
+lemma (in monoid_mult) prod_list_distinct_conv_prod_set:
+  "distinct xs \<Longrightarrow> prod_list (map f xs) = prod f (set xs)"
+  by (induct xs) simp_all
+
+lemma (in monoid_mult) interv_prod_list_conv_prod_set_nat:
+  "prod_list (map f [m..<n]) = prod f (set [m..<n])"
+  by (simp add: prod_list_distinct_conv_prod_set)
+
+lemma (in monoid_mult) prod_list_prod_nth:
+  "prod_list xs = (\<Prod>i = 0..< length xs. xs ! i)"
+  using interv_prod_list_conv_prod_set_nat [of "(!) xs" 0 "length xs"] by (simp add: map_nth)
+
+
+lemma gcd_poly_code_aux_reduce:
+  "gcd_poly_code_aux p 0 = normalize p"
+  "q \<noteq> 0 \<Longrightarrow> gcd_poly_code_aux p q = gcd_poly_code_aux q (primitive_part (pseudo_mod p q))"
+  by (subst gcd_poly_code_aux.simps; simp)+
+
+lemma coprimeI_primes:
+  fixes a b :: "'a :: factorial_semiring"
+  assumes "a \<noteq> 0 \<or> b \<noteq> 0"
+  assumes "\<And>p. prime p \<Longrightarrow> p dvd a \<Longrightarrow> p dvd b \<Longrightarrow> False"
+  shows   "coprime a b"
+proof (rule coprimeI)
+  fix d assume d: "d dvd a" "d dvd b"
+  with assms(1) have [simp]: "d \<noteq> 0" by auto
+  show "is_unit d"
+  proof (rule ccontr)
+    assume "\<not>is_unit d"
+    then obtain p where p: "prime p" "p dvd d"
+      using prime_divisor_exists[of d] by auto
+    from assms(2)[of p] and p and d show False
+      using dvd_trans by auto
+  qed
+qed
+
+lemma coprime_pderiv_imp_squarefree:
+  assumes "coprime p (pderiv p)"
+  shows   "squarefree p"
+proof (rule squarefreeI)
+  fix d assume d: "d ^ 2 dvd p"
+  then obtain q where q: "p = d ^ 2 * q"
+    by (elim dvdE)
+  hence "d dvd p" "d dvd pderiv p"
+    by (auto simp: pderiv_mult pderiv_power_Suc numeral_2_eq_2)
+  with assms show "is_unit d"
+    using not_coprimeI by blast
+qed
+
+lemma squarefree_field_poly_iff:
+  fixes p :: "'a :: {field_char_0,euclidean_ring_gcd,semiring_gcd_mult_normalize} poly"
+  assumes [simp]: "p \<noteq> 0"
+  shows "squarefree p \<longleftrightarrow> coprime p (pderiv p)"
+proof
+  assume "squarefree p"
+  show "coprime p (pderiv p)"
+  proof (rule coprimeI_primes)
+    fix d assume d: "d dvd p" "d dvd pderiv p" "prime d"
+    from d(1) obtain q where q: "p = d * q"
+      by (elim dvdE)   
+    from d(2) and q have "d dvd q * pderiv d"
+      by (simp add: pderiv_mult dvd_add_right_iff)
+    with \<open>prime d\<close> have "d dvd q \<or> d dvd pderiv d"
+      using prime_dvd_mult_iff by blast
+    thus False
+    proof
+      assume "d dvd q"
+      hence "d ^ 2 dvd p"
+        by (auto simp: q power2_eq_square)
+      with \<open>squarefree p\<close> show False
+        using d(3) not_prime_unit squarefreeD by blast
+    next
+      assume "d dvd pderiv d"
+      hence "Polynomial.degree d = 0" by simp
+      moreover have "d \<noteq> 0" using d by auto
+      ultimately show False
+        using d(3) is_unit_iff_degree not_prime_unit by blast
+    qed
+  qed auto
+qed (use coprime_pderiv_imp_squarefree[of p] in auto)
+
+lemma coprime_pderiv_imp_rsquarefree:
+  assumes "coprime (p :: 'a :: field_char_0 poly) (pderiv p)"
+  shows   "rsquarefree p"
+  unfolding rsquarefree_roots
+proof safe
+  fix x assume "poly p x = 0" "poly (pderiv p) x = 0"
+  hence "[:-x, 1:] dvd p" "[:-x, 1:] dvd pderiv p"
+    by (auto simp: poly_eq_0_iff_dvd)
+  with assms have "is_unit [:-x, 1:]"
+    using not_coprimeI by blast
+  thus False by auto
+qed
+
+lemma poly_of_nat [simp]: "poly (of_nat n) x = of_nat n"
+  by (induction n) auto
+
+lemma poly_of_int [simp]: "poly (of_int n) x = of_int n"
+  by (cases n) auto
+
+lemma order_eq_0_iff: "p \<noteq> 0 \<Longrightarrow> order x p = 0 \<longleftrightarrow> poly p x \<noteq> 0"
+  by (auto simp: order_root)
+
+lemma order_pos_iff: "p \<noteq> 0 \<Longrightarrow> order x p > 0 \<longleftrightarrow> poly p x = 0"
+  by (auto simp: order_root)
+
+lemma order_prod:
+  assumes "\<And>x. x \<in> A \<Longrightarrow> f x \<noteq> 0"
+  shows   "order x (\<Prod>y\<in>A. f y) = (\<Sum>y\<in>A. order x (f y))"
+  using assms by (induction A rule: infinite_finite_induct) (auto simp: order_mult)
+
+lemma order_prod_mset:
+  assumes "0 \<notin># A"
+  shows   "order x (prod_mset A) = sum_mset (image_mset (order x) A)"
+  using assms by (induction A) (auto simp: order_mult)
+
+lemma order_prod_list:
+  assumes "0 \<notin> set xs"
+  shows   "order x (prod_list xs) = sum_list (map (order x) xs)"
+  using assms by (induction xs) (auto simp: order_mult)
+
+lemma order_power: "p \<noteq> 0 \<Longrightarrow> order x (p ^ n) = n * order x p"
+  by (induction n) (auto simp: order_mult)
+
+
+lemma smult_0_right [simp]: "MPoly_Type.smult p 0 = 0"
+  by (transfer, transfer) auto
+
+lemma mult_smult_right [simp]: 
+  fixes c :: "'a :: comm_semiring_0"
+  shows "p * MPoly_Type.smult c q = MPoly_Type.smult c (p * q)"
+  by (simp add: smult_conv_mult mult_ac)
+
+lemma mapping_single_eq_iff [simp]:
+  "Poly_Mapping.single a b = Poly_Mapping.single c d \<longleftrightarrow> b = 0 \<and> d = 0 \<or> a = c \<and> b = d"
+  by transfer (unfold fun_eq_iff when_def, metis)
+
+lemma monom_of_set_plus_monom_of_set:
+  assumes "A \<inter> B = {}" "finite A" "finite B"
+  shows   "monom_of_set A + monom_of_set B = monom_of_set (A \<union> B)"
+  using assms by transfer (auto simp: fun_eq_iff)
+  
+lemma mpoly_monom_0_eq_Const: "monom 0 c = Const c"
+  by (intro mpoly_eqI) (auto simp: coeff_monom when_def mpoly_coeff_Const)
+
+lemma mpoly_Const_0 [simp]: "Const 0 = 0"
+  by (intro mpoly_eqI) (auto simp: mpoly_coeff_Const mpoly_coeff_0)
+
+lemma mpoly_Const_1 [simp]: "Const 1 = 1"
+  by (intro mpoly_eqI) (auto simp: mpoly_coeff_Const mpoly_coeff_1)
+
+lemma mpoly_Const_uminus: "Const (-a) = -Const a"
+  by (intro mpoly_eqI) (auto simp: mpoly_coeff_Const)
+
+lemma mpoly_Const_add: "Const (a + b) = Const a + Const b"
+  by (intro mpoly_eqI) (auto simp: mpoly_coeff_Const)
+
+lemma mpoly_Const_mult: "Const (a * b) = Const a * Const b"
+  unfolding mpoly_monom_0_eq_Const [symmetric] mult_monom by simp
+
+lemma mpoly_Const_power: "Const (a ^ n) = Const a ^ n"
+  by (induction n) (auto simp: mpoly_Const_mult)
+
+lemma of_nat_mpoly_eq: "of_nat n = Const (of_nat n)"
+proof (induction n)
+  case 0
+  have "0 = (Const 0 :: 'a mpoly)"
+    by (intro mpoly_eqI) (auto simp: mpoly_coeff_Const)
+  thus ?case
+    by simp
+next
+  case (Suc n)
+  have "1 + Const (of_nat n) = Const (1 + of_nat n)"
+    by (intro mpoly_eqI) (auto simp: mpoly_coeff_Const mpoly_coeff_1)
+  thus ?case
+    using Suc by auto
+qed
+
+lemma insertion_of_nat [simp]: "insertion f (of_nat n) = of_nat n"
+  by (simp add: of_nat_mpoly_eq)
+  
+lemma insertion_monom_of_set [simp]:
+  "insertion f (monom (monom_of_set X) c) = c * (\<Prod>i\<in>X. f i)"
+proof (cases "finite X")
+  case [simp]: True
+  have "insertion f (monom (monom_of_set X) c) = c * (\<Prod>a. f a ^ (if a \<in> X then 1 else 0))"
+    by (auto simp: lookup_monom_of_set)
+  also have "(\<Prod>a. f a ^ (if a \<in> X then 1 else 0)) = (\<Prod>i\<in>X. f i ^ (if i \<in> X then 1 else 0))"
+    by (intro Prod_any.expand_superset) auto
+  also have "\<dots> = (\<Prod>i\<in>X. f i)"
+    by (intro prod.cong) auto
+  finally show ?thesis .
+qed (auto simp: lookup_monom_of_set)
+
+
+(* TODO: Move! Version in AFP is too weak! *)
+lemma symmetric_mpoly_symmetric_sum:
+  assumes "\<And>\<pi>. \<pi> permutes A \<Longrightarrow> g \<pi> permutes X"
+  assumes "\<And>x \<pi>. x \<in> X \<Longrightarrow> \<pi> permutes A \<Longrightarrow> mpoly_map_vars \<pi> (f x) = f (g \<pi> x)"
+  shows "symmetric_mpoly A (\<Sum>x\<in>X. f x)"
+  unfolding symmetric_mpoly_def
+proof safe
+  fix \<pi> assume \<pi>: "\<pi> permutes A"
+  have "mpoly_map_vars \<pi> (sum f X) = (\<Sum>x\<in>X. mpoly_map_vars \<pi> (f x))"
+    by simp
+  also have "\<dots> = (\<Sum>x\<in>X. f (g \<pi> x))"
+    by (intro sum.cong assms \<pi> refl)
+  also have "\<dots> = (\<Sum>x\<in>g \<pi>`X. f x)"
+    using assms(1)[OF \<pi>] by (subst sum.reindex) (auto simp: permutes_inj_on)
+  also have "g \<pi> ` X = X"
+    using assms(1)[OF \<pi>] by (simp add: permutes_image)
+  finally show "mpoly_map_vars \<pi> (sum f X) = sum f X" .
+qed
+
+lemma sym_mpoly_0 [simp]:
+  assumes "finite A"
+  shows   "sym_mpoly A 0 = 1"
+  using assms by (transfer, transfer) (auto simp: fun_eq_iff when_def)
+
+lemma sym_mpoly_eq_0 [simp]:
+  assumes "k > card A"
+  shows   "sym_mpoly A k = 0"
+proof (transfer fixing: A k, transfer fixing: A k, intro ext)
+  fix mon
+  have "\<not>(finite A \<and> (\<exists>Y\<subseteq>A. card Y = k \<and> mon = monom_of_set Y))"
+  proof safe
+    fix Y assume Y: "finite A" "Y \<subseteq> A" "k = card Y" "mon = monom_of_set Y"
+    hence "card Y \<le> card A" by (intro card_mono) auto
+    with Y and assms show False by simp
+  qed
+  thus "(if finite A \<and> (\<exists>Y\<subseteq>A. card Y = k \<and> mon = monom_of_set Y) then 1 else 0) = 0"
+    by auto
+qed
+
+lemma coeff_sym_mpoly_monom_of_set_eq_0:
+  assumes "finite X" "Y \<subseteq> X" "card Y \<noteq> k"
+  shows   "MPoly_Type.coeff (sym_mpoly X k) (monom_of_set Y) = 0"
+  using assms finite_subset[of _ X] by (auto simp: coeff_sym_mpoly)
+
+lemma coeff_sym_mpoly_monom_of_set_eq_0':
+  assumes "finite X" "\<not>Y \<subseteq> X" "finite Y"
+  shows   "MPoly_Type.coeff (sym_mpoly X k) (monom_of_set Y) = 0"
+  using assms finite_subset[of _ X] by (auto simp: coeff_sym_mpoly)
+
+
+subsection \<open>The set of roots of a univariate polynomial\<close>
+
+lift_definition poly_roots :: "'a :: idom poly \<Rightarrow> 'a multiset" is
+  "\<lambda>p x. if p = 0 then 0 else order x p"
+proof -
+  fix p :: "'a poly"
+  show "(\<lambda>x. if p = 0 then 0 else order x p) \<in> multiset"
+    by (cases "p = 0") (auto simp: multiset_def order_pos_iff poly_roots_finite)
+qed
+
+lemma poly_roots_0 [simp]: "poly_roots 0 = {#}"
+  by transfer auto
+
+lemma poly_roots_1 [simp]: "poly_roots 1 = {#}"
+  by transfer auto
+
+lemma count_poly_roots [simp]:
+  assumes "p \<noteq> 0"
+  shows   "count (poly_roots p) x = order x p"
+  using assms by transfer auto
+
+lemma in_poly_roots_iff [simp]: "p \<noteq> 0 \<Longrightarrow> x \<in># poly_roots p \<longleftrightarrow> poly p x = 0"
+  by (subst count_greater_zero_iff [symmetric], subst count_poly_roots) (auto simp: order_pos_iff)
+
+lemma set_mset_poly_roots: "p \<noteq> 0 \<Longrightarrow> set_mset (poly_roots p) = {x. poly p x = 0}"
+  using in_poly_roots_iff[of p] by blast
+
+lemma count_poly_roots': "count (poly_roots p) x = (if p = 0 then 0 else order x p)"
+  by transfer' auto
+
+lemma poly_roots_const [simp]: "poly_roots [:c:] = {#}"
+  by (intro multiset_eqI) (auto simp: count_poly_roots' order_eq_0_iff)
+
+lemma poly_roots_linear [simp]: "poly_roots [:-x, 1:] = {#x#}"
+  by (intro multiset_eqI) (auto simp: count_poly_roots' order_eq_0_iff)
+
+lemma poly_roots_monom [simp]: "c \<noteq> 0 \<Longrightarrow> poly_roots (Polynomial.monom c n) = replicate_mset n 0"
+  by (intro multiset_eqI) (auto simp: count_poly_roots' order_eq_0_iff poly_monom)
+
+lemma poly_roots_smult [simp]: "c \<noteq> 0 \<Longrightarrow> poly_roots (Polynomial.smult c p) = poly_roots p"
+  by (intro multiset_eqI) (auto simp: count_poly_roots' order_smult)
+
+lemma poly_roots_mult: "p \<noteq> 0 \<Longrightarrow> q \<noteq> 0 \<Longrightarrow> poly_roots (p * q) = poly_roots p + poly_roots q"
+  by (intro multiset_eqI) (auto simp: count_poly_roots' order_mult)
+
+lemma poly_roots_prod:
+  assumes "\<And>x. x \<in> A \<Longrightarrow> f x \<noteq> 0"
+  shows   "poly_roots (prod f A) = (\<Sum>x\<in>A. poly_roots (f x))"
+  using assms by (induction A rule: infinite_finite_induct) (auto simp: poly_roots_mult)
+
+lemma poly_roots_prod_mset:
+  assumes "0 \<notin># A"
+  shows   "poly_roots (prod_mset A) = sum_mset (image_mset poly_roots A)"
+  using assms by (induction A) (auto simp: poly_roots_mult)
+
+lemma poly_roots_prod_list:
+  assumes "0 \<notin> set xs"
+  shows   "poly_roots (prod_list xs) = sum_list (map poly_roots xs)"
+  using assms by (induction xs) (auto simp: poly_roots_mult)
+
+lemma poly_roots_power: "p \<noteq> 0 \<Longrightarrow> poly_roots (p ^ n) = repeat_mset n (poly_roots p)"
+  by (induction n) (auto simp: poly_roots_mult)
+
+lemma rsquarefree_poly_roots_eq:
+  assumes "rsquarefree p"
+  shows   "poly_roots p = mset_set {x. poly p x = 0}"
+proof (rule multiset_eqI)
+  fix x :: 'a
+  from assms show "count (poly_roots p) x = count (mset_set {x. poly p x = 0}) x"
+    by (cases "poly p x = 0") (auto simp: poly_roots_finite order_eq_0_iff rsquarefree_def)
+qed
+
+lemma rsquarefree_imp_distinct_roots:
+  assumes "rsquarefree p" and "mset xs = poly_roots p"
+  shows   "distinct xs"
+proof (cases "p = 0")
+  case [simp]: False
+  have *: "mset xs = mset_set {x. poly p x = 0}"
+    using assms by (simp add: rsquarefree_poly_roots_eq)
+  hence "set_mset (mset xs) = set_mset (mset_set {x. poly p x = 0})"
+    by (simp only: )
+  hence [simp]: "set xs = {x. poly p x = 0}"
+    by (simp add: poly_roots_finite)
+  from * show ?thesis
+    by (subst distinct_count_atmost_1) (auto simp: poly_roots_finite)
+qed (use assms in auto)
+
+lemma poly_roots_factorization:
+  fixes p c A
+  assumes [simp]: "c \<noteq> 0"
+  defines "p \<equiv> Polynomial.smult c (prod_mset (image_mset (\<lambda>x. [:-x, 1:]) A))"
+  shows   "poly_roots p = A"
+proof -
+  have "poly_roots p = poly_roots (\<Prod>x\<in>#A. [:-x, 1:])"
+    by (auto simp: p_def)
+  also have "\<dots> = A"
+    by (subst poly_roots_prod_mset) (auto simp: image_mset.compositionality o_def)
+  finally show ?thesis .
+qed
+
+lemma fundamental_theorem_algebra_factorized':
+  fixes p :: "complex poly"
+  shows "p = Polynomial.smult (Polynomial.lead_coeff p) 
+               (prod_mset (image_mset (\<lambda>x. [:-x, 1:]) (poly_roots p)))"
+proof (cases "p = 0")
+  case [simp]: False
+  obtain xs where
+    xs: "Polynomial.smult (Polynomial.lead_coeff p) (\<Prod>x\<leftarrow>xs. [:-x, 1:]) = p"
+        "length xs = Polynomial.degree p"
+    using fundamental_theorem_algebra_factorized[of p] by auto
+  define A where "A = mset xs"
+
+  note xs(1)
+  also have "(\<Prod>x\<leftarrow>xs. [:-x, 1:]) = prod_mset (image_mset (\<lambda>x. [:-x, 1:]) A)"
+    unfolding A_def by (induction xs) auto
+  finally have *: "Polynomial.smult (Polynomial.lead_coeff p) (\<Prod>x\<in>#A. [:- x, 1:]) = p" .
+  also have "A = poly_roots p"
+    using poly_roots_factorization[of "Polynomial.lead_coeff p" A]
+    by (subst * [symmetric]) auto
+  finally show ?thesis ..
+qed auto
+  
+lemma poly_roots_eq_imp_eq:
+  fixes p q :: "complex poly"
+  assumes "Polynomial.lead_coeff p = Polynomial.lead_coeff q"
+  assumes "poly_roots p = poly_roots q"
+  shows   "p = q"
+proof (cases "p = 0 \<or> q = 0")
+  case False
+  hence [simp]: "p \<noteq> 0" "q \<noteq> 0"
+    by auto
+  have "p = Polynomial.smult (Polynomial.lead_coeff p) 
+               (prod_mset (image_mset (\<lambda>x. [:-x, 1:]) (poly_roots p)))"
+    by (rule fundamental_theorem_algebra_factorized')
+  also have "\<dots> = Polynomial.smult (Polynomial.lead_coeff q) 
+                   (prod_mset (image_mset (\<lambda>x. [:-x, 1:]) (poly_roots q)))"
+    by (simp add: assms)
+  also have "\<dots> = q"
+    by (rule fundamental_theorem_algebra_factorized' [symmetric])
+  finally show ?thesis .
+qed (use assms in auto)
+
+lemma Sum_any_zeroI': "(\<And>x. P x \<Longrightarrow> f x = 0) \<Longrightarrow> Sum_any (\<lambda>x. f x when P x) = 0"
+  by (auto simp: Sum_any.expand_set)
+
+(* TODO: This was not really needed here, but it is important nonetheless.
+   It should go in the Symmetric_Polynomials entry. *)
+lemma sym_mpoly_insert:
+  assumes "finite X" "x \<notin> X"
+  shows   "(sym_mpoly (insert x X) (Suc k) :: 'a :: semiring_1 mpoly) =
+             monom (monom_of_set {x}) 1 * sym_mpoly X k + sym_mpoly X (Suc k)" (is "?lhs = ?A + ?B")
+proof (rule mpoly_eqI)
+  fix mon
+  show "coeff ?lhs mon = coeff (?A + ?B) mon"
+  proof (cases "\<forall>i. lookup mon i \<le> 1 \<and> (i \<notin> insert x X \<longrightarrow> lookup mon i = 0)")
+    case False
+    then obtain i where i: "lookup mon i > 1 \<or> i \<notin> insert x X \<and> lookup mon i > 0"
+      by (auto simp: not_le)
+    
+    have "coeff ?A mon = prod_fun (coeff (monom (monom_of_set {x}) 1))
+                                  (coeff (sym_mpoly X k)) mon"
+      by (simp add: coeff_mpoly_times)
+    also have "\<dots> = (\<Sum>l. \<Sum>q. coeff (monom (monom_of_set {x}) 1) l * coeff (sym_mpoly X k) q
+                         when mon = l + q)"
+        unfolding prod_fun_def 
+        by (intro Sum_any.cong, subst Sum_any_right_distrib, force)
+           (auto simp: Sum_any_right_distrib when_def intro!: Sum_any.cong)
+    also have "\<dots> = 0"
+    proof (rule Sum_any_zeroI, rule Sum_any_zeroI')
+      fix ma mb assume *: "mon = ma + mb"
+      show "coeff (monom (monom_of_set {x}) (1::'a)) ma * coeff (sym_mpoly X k) mb = 0"
+      proof (cases "i = x")
+        case [simp]: True
+        show ?thesis
+        proof (cases "lookup mb i > 0")
+          case True
+          hence "coeff (sym_mpoly X k) mb = 0" using \<open>x \<notin> X\<close>
+            by (auto simp: coeff_sym_mpoly lookup_monom_of_set split: if_splits)
+          thus ?thesis
+            using mult_not_zero by blast
+        next
+          case False
+          hence "coeff (monom (monom_of_set {x}) 1) ma = 0"
+            using i by (auto simp: coeff_monom when_def * lookup_add)
+          thus ?thesis
+            using mult_not_zero by blast
+        qed
+      next
+        case [simp]: False
+        show ?thesis
+        proof (cases "lookup ma i > 0")
+          case False
+          hence "lookup mb i = lookup mon i"
+            using * by (auto simp: lookup_add)
+          hence "coeff (sym_mpoly X k) mb = 0" using i
+            by (auto simp: coeff_sym_mpoly lookup_monom_of_set split: if_splits)
+          thus ?thesis
+            using mult_not_zero by blast
+        next
+          case True
+          hence "coeff (monom (monom_of_set {x}) 1) ma = 0"
+            using i by (auto simp: coeff_monom when_def * lookup_add)
+          thus ?thesis
+            using mult_not_zero by blast
+        qed
+      qed
+    qed
+    finally have "coeff ?A mon = 0" .
+    moreover from False have "coeff ?lhs mon = 0"
+      by (subst coeff_sym_mpoly) (auto simp: lookup_monom_of_set split: if_splits)
+    moreover from False have "coeff (sym_mpoly X (Suc k)) mon = 0"
+      by (subst coeff_sym_mpoly) (auto simp: lookup_monom_of_set split: if_splits)
+    ultimately show ?thesis
+      by auto
+  next
+    case True
+    define A where "A = keys mon"
+    have A: "A \<subseteq> insert x X"
+      using True by (auto simp: A_def)
+    have [simp]: "mon = monom_of_set A"
+      unfolding A_def using True by transfer (force simp: fun_eq_iff le_Suc_eq)
+    have "finite A"
+      using finite_subset A assms by blast
+    show ?thesis
+    proof (cases "x \<in> A")
+      case False
+      have "coeff ?A mon = prod_fun (coeff (monom (monom_of_set {x}) 1))
+                                    (coeff (sym_mpoly X k)) (monom_of_set A)"
+        by (simp add: coeff_mpoly_times)
+      also have "\<dots> = (\<Sum>l. \<Sum>q. coeff (monom (monom_of_set {x}) 1) l * coeff (sym_mpoly X k) q
+                         when monom_of_set A = l + q)"
+        unfolding prod_fun_def 
+        by (intro Sum_any.cong, subst Sum_any_right_distrib, force)
+           (auto simp: Sum_any_right_distrib when_def intro!: Sum_any.cong)
+      also have "\<dots> = 0"
+      proof (rule Sum_any_zeroI, rule Sum_any_zeroI')
+        fix ma mb assume *: "monom_of_set A = ma + mb"
+        hence "keys ma \<subseteq> A"
+          using \<open>finite A\<close> by transfer (auto simp: fun_eq_iff split: if_splits)
+        thus "coeff (monom (monom_of_set {x}) (1::'a)) ma * coeff (sym_mpoly X k) mb = 0"
+          using \<open>x \<notin> A\<close> by (auto simp: coeff_monom when_def)
+      qed
+      finally show ?thesis
+        using False A assms finite_subset[of _ "insert x X"] finite_subset[of _ X]
+        by (auto simp: coeff_sym_mpoly)
+    next
+      case True
+      have "mon = monom_of_set {x} + monom_of_set (A - {x})"
+        using \<open>x \<in> A\<close> \<open>finite A\<close> by (auto simp: monom_of_set_plus_monom_of_set)
+      also have "coeff ?A \<dots> = coeff (sym_mpoly X k) (monom_of_set (A - {x}))"
+        by (subst coeff_monom_mult) auto
+      also have "\<dots> = (if card A = Suc k then 1 else 0)"
+      proof (cases "card A = Suc k")
+        case True
+        thus ?thesis
+          using assms \<open>finite A\<close> \<open>x \<in> A\<close> A
+          by (subst coeff_sym_mpoly_monom_of_set) auto
+      next
+        case False
+        thus ?thesis
+          using assms \<open>x \<in> A\<close> A \<open>finite A\<close> card_Suc_Diff1[of A x]
+          by (subst coeff_sym_mpoly_monom_of_set_eq_0) auto
+      qed
+      moreover have "coeff ?B (monom_of_set A) = 0"
+        using assms \<open>x \<in> A\<close> \<open>finite A\<close>
+        by (subst coeff_sym_mpoly_monom_of_set_eq_0') auto
+      moreover have "coeff ?lhs (monom_of_set A) = (if card A = Suc k then 1 else 0)"
+        using assms A \<open>finite A\<close> finite_subset[of _ "insert x X"] by (auto simp: coeff_sym_mpoly)
+      ultimately show ?thesis by simp
+    qed
+  qed
+qed
+
+
+end
\ No newline at end of file
diff --git a/thys/Power_Sum_Polynomials/Power_Sum_Puzzle.thy b/thys/Power_Sum_Polynomials/Power_Sum_Puzzle.thy
new file mode 100644
--- /dev/null
+++ b/thys/Power_Sum_Polynomials/Power_Sum_Puzzle.thy
@@ -0,0 +1,476 @@
+(*
+  File:     Power_Sum_Puzzle.thy
+  Author:   Manuel Eberl, TU München
+*)
+section \<open>Power sum puzzles\<close>
+theory Power_Sum_Puzzle
+imports
+  Power_Sum_Polynomials
+  "Polynomial_Factorization.Rational_Root_Test"
+begin
+
+subsection \<open>General setting and results\<close>
+
+text \<open>
+  We now consider the following situation: Given unknown complex numbers $x_1,\ldots,x_n$,
+  define $p_k = x_1^k + \ldots + x_n^k$. Also, define $e_k := e_k(x_1,\ldots,x_n)$ where
+  $e_k(X_1,\ldots,X_n)$ is the $k$-th elementary symmetric polynomial.
+
+  What is the relationship between the sequences $e_k$ and $p_k$; in particular,
+  how can we determine one from the other?
+\<close>
+locale power_sum_puzzle =
+  fixes x :: "nat \<Rightarrow> complex"
+  fixes n :: nat
+begin
+
+text \<open>
+  We first introduce the notation $p_k := x_1 ^ k + \ldots + x_n ^ k$:
+\<close>
+definition p where "p k = (\<Sum>i<n. x i ^ k)"
+
+lemma p_0 [simp]: "p 0 = of_nat n"
+  by (simp add: p_def)
+
+lemma p_altdef: "p k = insertion x (powsum_mpoly {..<n} k)"
+  by (simp add: p_def)
+
+text \<open>
+  Similarly, we introduce the notation $e_k = e_k(x_1,\ldots, x_n)$ where
+  $e_k(X_1,\ldots,X_n)$ is the $k$-th elementary symmetric polynomial (i.\,e. the sum of
+  all monomials that can be formed by taking the product of exactly $k$ distinct variables).
+\<close>
+definition e where "e k = (\<Sum>Y | Y \<subseteq> {..<n} \<and> card Y = k. prod x Y)"
+
+lemma e_altdef: "e k = insertion x (sym_mpoly {..<n} k)"
+  by (simp add: e_def insertion_sym_mpoly)
+
+text \<open>
+  It is clear that $e_k$ vanishes for $k > n$.
+\<close>
+lemma e_eq_0 [simp]: "k > n \<Longrightarrow> e k = 0"
+  by (simp add: e_altdef)
+
+lemma e_0 [simp]: "e 0 = 1"
+  by (simp add: e_altdef)
+
+
+text \<open>
+  The recurrences we got from the Girard--Newton Theorem earlier now directly give us
+  analogous recurrences for $e_k$ and $p_k$:
+\<close>
+lemma e_recurrence:
+  assumes k: "k > 0"
+  shows   "e k = -(\<Sum>i=1..k. (- 1) ^ i * e (k - i) * p i) / of_nat k"
+  using assms unfolding e_altdef p_altdef
+  by (subst sym_mpoly_recurrence)
+     (auto simp: insertion_sum insertion_add insertion_mult insertion_power insertion_sym_mpoly)
+
+lemma p_recurrence:
+  assumes k: "k > 0"
+  shows   "p k = -of_nat k * (-1) ^ k * e k - (\<Sum>i=1..<k. (-1) ^ i * e i * p (k - i))"
+  using assms unfolding e_altdef p_altdef
+  by (subst powsum_mpoly_recurrence)
+     (auto simp: insertion_sum insertion_add insertion_mult insertion_diff 
+                 insertion_power insertion_sym_mpoly)
+
+lemma p_recurrence'':
+  assumes k: "k > n"
+  shows   "p k = -(\<Sum>i=1..n. (-1) ^ i * e i * p (k - i))"
+  using assms unfolding e_altdef p_altdef
+  by (subst powsum_mpoly_recurrence')
+     (auto simp: insertion_sum insertion_add insertion_mult insertion_diff 
+                 insertion_power insertion_sym_mpoly)
+
+
+text \<open>
+  It is clear from this recurrence that if $p_1$ to $p_n$ are rational, then so are the $e_k$:
+\<close>
+lemma e_in_Rats:
+  assumes "\<And>k. k \<in> {1..n} \<Longrightarrow> p k \<in> \<rat>"
+  shows   "e k \<in> \<rat>"
+proof (cases "k \<le> n")
+  case True
+  thus ?thesis
+  proof (induction k rule: less_induct)
+    case (less k)
+    show ?case
+    proof (cases "k = 0")
+      case False
+      thus ?thesis using assms less
+        by (subst e_recurrence) (auto intro!: Rats_divide)
+    qed auto
+  qed
+qed auto
+
+text \<open>
+  Analogously, if $p_1$ to $p_n$ are rational, then so are all the other $p_k$:
+\<close>
+lemma p_in_Rats:
+  assumes "\<And>k. k \<in> {1..n} \<Longrightarrow> p k \<in> \<rat>"
+  shows   "p k \<in> \<rat>"
+proof (induction k rule: less_induct)
+  case (less k)
+  consider "k = 0" | "k \<in> {1..n}" | "k > n"
+    by force
+  thus ?case
+  proof cases
+    assume "k > n"
+    thus ?thesis
+      using less assms by (subst p_recurrence'') (auto intro!: sum_in_Rats Rats_mult e_in_Rats)
+  qed (use assms in auto)
+qed
+
+
+text \<open>
+  Next, we define the unique monic polynomial that has $x_1, \ldots, x_n$ as its roots
+  (respecting multiplicity):
+\<close>
+definition Q :: "complex poly" where "Q = (\<Prod>i<n. [:-x i, 1:])"
+
+lemma degree_Q [simp]: "Polynomial.degree Q = n"
+  by (simp add: Q_def degree_prod_eq_sum_degree)
+
+lemma lead_coeff_Q [simp]: "Polynomial.coeff Q n = 1"
+  using monic_prod[of "{..<n}" "\<lambda>i. [:-x i, 1:]"]
+  by (simp add: Q_def degree_prod_eq_sum_degree)
+
+text \<open>
+  By Vieta's Theorem, we then have:
+  \[Q(X) = \sum_{k=0}^n (-1)^{n-k} e_{n-k} X^k\]
+  In other words: The above allows us to determine the $x_1, \ldots, x_n$ explicitly.
+  They are, in fact, precisely the roots of the above polynomial (respecting multiplicity).
+  Since this polynomial depends only on the $e_k$, which are in turn determined by
+  $p_1, \ldots, p_n$, this means that these are the \<^emph>\<open>only\<close> solutions of this puzzle
+  (up to permutation of the $x_i$).
+\<close>
+lemma coeff_Q: "Polynomial.coeff Q k = (if k > n then 0 else (-1) ^ (n - k) * e (n - k))"
+proof (cases "k \<le> n")
+  case True
+  thus ?thesis
+    using coeff_poly_from_roots[of "{..<n}" k x] by (auto simp: Q_def e_def)
+qed (auto simp: Polynomial.coeff_eq_0)
+
+lemma Q_altdef: "Q = (\<Sum>k\<le>n. Polynomial.monom ((-1) ^ (n - k) * e (n - k)) k)"
+  by (subst poly_as_sum_of_monoms [symmetric]) (simp add: coeff_Q)
+
+text \<open>
+  The following theorem again shows that $x_1, \ldots, x_n$ are precisely the roots
+  of \<^term>\<open>Q\<close>, respecting multiplicity.
+\<close>
+theorem mset_x_eq_poly_roots_Q: "{#x i. i \<in># mset_set {..<n}#} = poly_roots Q"
+proof -
+  have "poly_roots Q = (\<Sum>i<n. {#x i#})"
+    by (simp add: Q_def poly_roots_prod)
+  also have "\<dots> = {#x i. i \<in># mset_set {..<n}#}"
+    by (induction n) (auto simp: lessThan_Suc)
+  finally show ?thesis ..
+qed
+
+end
+
+
+subsection \<open>Existence of solutions\<close>
+
+text \<open>
+  So far, we have assumed a solution to the puzzle and then shown the properties that this
+  solution must fulfil. However, we have not yet shown that there \<^emph>\<open>is\<close> a solution.
+  We will do that now.
+
+  Let $n$ be a natural number and $f_k$ some sequence of complex numbers. We will show that 
+  there are $x_1, \ldots, x_n$ so that $x_1 ^ k + \ldots + x_n ^ k = f_k$ for any $1\leq k\leq n$.
+\<close>
+locale power_sum_puzzle_existence =
+  fixes f :: "nat \<Rightarrow> complex" and n :: nat
+begin
+
+text \<open>
+  First, we define a sequence of numbers \<open>e'\<close> analogously to the sequence \<open>e\<close> before,
+  except that we replace all occurrences of the power sum $p_k$ with $f_k$ (recall that in the end
+  we want $p_k = f_k$).
+\<close>
+fun e' :: "nat \<Rightarrow> complex"
+  where "e' k = (if k = 0 then 1 else if k > n then 0
+                 else -(\<Sum>i=1..k. (-1) ^ i * e' (k - i) * f i) / of_nat k)"
+
+lemmas [simp del] = e'.simps
+
+lemma e'_0 [simp]: "e' 0 = 1"
+  by (simp add: e'.simps)
+
+lemma e'_eq_0 [simp]: "k > n \<Longrightarrow> e' k = 0"
+  by (auto simp: e'.simps)
+
+text \<open>
+  Just as before, we can show the following recurrence for \<open>f\<close> in terms of \<open>e'\<close>:
+\<close>
+lemma f_recurrence:
+  assumes k: "k > 0" "k \<le> n"
+  shows   "f k = -of_nat k * (-1) ^ k * e' k - (\<Sum>i=1..<k. (- 1) ^ i * e' i * f (k - i))"
+proof -
+  have "-of_nat k * e' k = (\<Sum>i=1..k. (- 1) ^ i * e' (k - i) * f i)"
+    using assms by (subst e'.simps) (simp add: field_simps)
+  hence "(-1)^k * (-of_nat k * e' k) = (-1)^k * (\<Sum>i=1..k. (- 1) ^ i * e' (k - i) * f i)"
+    by simp
+  also have "\<dots> = f k + (-1) ^ k * (\<Sum>i=1..<k. (- 1) ^ i * e' (k - i) * f i)"
+    using assms by (subst sum.last_plus) (auto simp: minus_one_power_iff)
+  also have "(-1) ^ k * (\<Sum>i=1..<k. (- 1) ^ i * e' (k - i) * f i) =
+             (\<Sum>i=1..<k. (- 1) ^ (k - i) * e' (k - i) * f i)"
+    unfolding sum_distrib_left by (intro sum.cong) (auto simp: minus_one_power_iff)
+  also have "\<dots> = (\<Sum>i=1..<k. (- 1) ^ i * e' i * f (k - i))"
+    by (intro sum.reindex_bij_witness[of _ "\<lambda>i. k - i" "\<lambda>i. k - i"]) auto
+  finally show ?thesis
+    by (simp add: algebra_simps)
+qed
+
+text \<open>
+  We now define a polynomial whose roots will be precisely the solution $x_1, \ldots, x_n$ to our
+  problem.
+\<close>
+lift_definition Q' :: "complex poly" is "\<lambda>k. if k > n then 0 else (-1) ^ (n - k) * e' (n - k)"
+  using eventually_gt_at_top[of n] unfolding cofinite_eq_sequentially
+  by eventually_elim auto
+
+lemma coeff_Q': "Polynomial.coeff Q' k = (if k > n then 0 else (-1) ^ (n - k) * e' (n - k))"
+  by transfer auto
+
+lemma lead_coeff_Q': "Polynomial.coeff Q' n = 1"
+  by (simp add: coeff_Q')
+
+lemma degree_Q' [simp]: "Polynomial.degree Q' = n"
+proof (rule antisym)
+  show "Polynomial.degree Q' \<ge> n"
+    by (rule le_degree) (auto simp: coeff_Q')
+  show "Polynomial.degree Q' \<le> n"
+    by (rule degree_le) (auto simp: coeff_Q')
+qed
+
+text \<open>
+  Since the complex numbers are algebraically closed, this polynomial splits into
+  linear factors:
+\<close>
+definition Root :: "nat \<Rightarrow> complex"
+  where "Root = (SOME Root. Q' = (\<Prod>i<n. [:-Root i, 1:]))"
+
+lemma Root: "Q' = (\<Prod>i<n. [:-Root i, 1:])"
+proof -
+  obtain rs where rs: "(\<Prod>r\<leftarrow>rs. [:-r, 1:]) = Q'" "length rs = n"
+    using fundamental_theorem_algebra_factorized[of Q'] lead_coeff_Q' by auto
+  have "Q' = (\<Prod>r\<leftarrow>rs. [:-r, 1:])"
+    by (simp add: rs)
+  also have "\<dots> = (\<Prod>r=0..<n. [:-rs ! r, 1:])"
+    by (subst prod_list_prod_nth) (auto simp: rs)
+  also have "{0..<n} = {..<n}"
+    by auto
+  finally have "\<exists>Root. Q' = (\<Prod>i<n. [:-Root i, 1:])"
+    by blast
+  thus ?thesis
+    unfolding Root_def by (rule someI_ex)
+qed
+
+text \<open>
+  We can therefore now use the results from before for these $x_1, \ldots, x_n$.
+\<close>
+sublocale power_sum_puzzle Root n .
+
+text \<open>
+  Vieta's theorem gives us an expression for the coefficients of \<open>Q'\<close> in terms of
+  $e_k(x_1,\ldots,x_n)$. This shows that our \<open>e'\<close> is indeed exactly the same as \<open>e\<close>.
+\<close>
+lemma e'_eq_e: "e' k = e k"
+proof (cases "k \<le> n")
+  case True
+  from True have "e' k = (-1) ^ k * poly.coeff Q' (n - k)"
+    by (simp add: coeff_Q')
+  also have "Q' = (\<Prod>x<n. [:-Root x, 1:])"
+    using Root by simp
+  also have "(-1) ^ k * poly.coeff \<dots> (n - k) = e k"
+    using True coeff_poly_from_roots[of "{..<n}" "n - k" Root]
+    by (simp add: insertion_sym_mpoly e_altdef)
+  finally show "e' k = e k" .
+qed auto
+
+text \<open>
+  It then follows by a simple induction that $p_k = f_k$ for $1\leq k\leq n$, as intended:
+\<close>
+lemma p_eq_f:
+  assumes "k > 0" "k \<le> n"
+  shows   "p k = f k"
+  using assms
+proof (induction k rule: less_induct)
+  case (less k)
+  thus "p k = f k"
+    using p_recurrence[of k] f_recurrence[of k] less by (simp add: e'_eq_e)
+qed
+
+end
+
+text \<open>
+  Here is a more condensed form of the above existence theorem:
+\<close>
+theorem power_sum_puzzle_has_solution:
+  fixes f :: "nat \<Rightarrow> complex"
+  shows "\<exists>Root. \<forall>k\<in>{1..n}. (\<Sum>i<n. Root i ^ k) = f k"
+proof -
+  interpret power_sum_puzzle_existence f .
+  from p_eq_f have "\<forall>k\<in>{1..n}. (\<Sum>i<n. Root i ^ k) = f k"
+    by (auto simp: p_def)
+  thus ?thesis by blast
+qed
+
+
+subsection \<open>A specific puzzle\<close>
+
+text \<open>
+  We now look at one particular instance of this puzzle, which was given as an exercise in
+  \<^emph>\<open>Abstract Algebra\<close> by Dummit and Foote (Exercise 23 in Section 14.6)~\cite{dummit}.
+
+ Suppose we know that
+  $x + y + z = 1$, $x^2 + y^2 + z^2 = 2$, and $x^3 + y^3 + z^3 = 3$. Then what is
+  $x^5+y^5+z^5$? What about any arbitrary $x^n+y^n+z^n$?
+\<close>
+locale power_sum_puzzle_example =
+  fixes x y z :: complex
+  assumes xyz: "x   + y   + z   = 1"
+               "x^2 + y^2 + z^2 = 2"
+               "x^3 + y^3 + z^3 = 3"
+begin
+
+text \<open>
+  We reuse the results we have shown in the general case before.
+\<close>
+definition f where "f n = [x,y,z] ! n"
+
+sublocale power_sum_puzzle f 3 .
+
+text \<open>
+  We can simplify \<^term>\<open>p\<close> a bit more now.
+\<close>
+lemma p_altdef': "p k = x ^ k + y ^ k + z ^ k"
+  unfolding p_def f_def by (simp add: eval_nat_numeral)
+
+lemma p_base [simp]: "p (Suc 0) = 1" "p 2 = 2" "p 3 = 3"
+  using xyz by (simp_all add: p_altdef')
+
+text \<open>
+  We can easily compute all the non-zero values of \<^term>\<open>e\<close> recursively:
+\<close>
+lemma e_Suc_0 [simp]: "e (Suc 0) = 1"
+  by (subst e_recurrence; simp)
+
+lemma e_2 [simp]: "e 2 = -1/2"
+  by (subst e_recurrence; simp add: atLeastAtMost_nat_numeral)
+
+lemma e_3 [simp]: "e 3 = 1/6"
+  by (subst e_recurrence; simp add: atLeastAtMost_nat_numeral)
+
+text \<open>
+  Plugging in all the values, the recurrence relation for \<^term>\<open>p\<close> now looks like this:
+\<close>
+lemma p_recurrence''': "k > 3 \<Longrightarrow> p k = p (k-3) / 6 + p (k-2) / 2 + p (k-1)"
+  using p_recurrence''[of k] by (simp add: atLeastAtMost_nat_numeral)
+
+text \<open>
+  Also note again that all $p_k$ are rational:
+\<close>
+lemma p_in_Rats': "p k \<in> \<rat>"
+proof -
+  have *: "{1..3} = {1, 2, (3::nat)}"
+    by auto
+  also have "\<forall>k\<in>\<dots>. p k \<in> \<rat>"
+    by auto
+  finally show ?thesis
+    using p_in_Rats[of k] by simp
+qed  
+
+text \<open>
+  The above recurrence has the characteristic polynomial $X^3 - X^2 - \frac{1}{2} X - \frac{1}{6}$
+  (which is exactly our \<^term>\<open>Q\<close>), so we know that can now specify $x$, $y$, and $z$
+  more precisely: They are the roots of that polynomial (in unspecified order).
+\<close>
+
+lemma xyz_eq: "{#x, y, z#} = poly_roots [:-1/6, -1/2, -1, 1:]"
+proof -
+  have "image_mset f (mset_set {..<3}) = poly_roots Q"
+    using mset_x_eq_poly_roots_Q .
+  also have "image_mset f (mset_set {..<3}) = {#x, y, z#}"
+    by (simp add: numeral_3_eq_3 lessThan_Suc f_def Multiset.union_ac)
+  also have "Q = [:-1/6, -1/2, -1, 1:]"
+    by (simp add: Q_altdef atMost_nat_numeral Polynomial.monom_altdef
+                  power3_eq_cube power2_eq_square)
+  finally show ?thesis .
+qed
+
+text \<open>
+  Using the rational root test, we can easily show that $x$, $y$, and $z$ are irrational.
+\<close>
+lemma xyz_irrational: "set_mset (poly_roots [:-1/6, -1/2, -1, 1::complex:]) \<inter> \<rat> = {}"
+proof -
+  define p :: "rat poly" where "p = [:-1/6, -1/2, -1, 1:]"
+  have "rational_root_test p = None"
+    unfolding p_def by code_simp
+  hence "\<not>(\<exists>x::rat. poly p x = 0)"
+    by (rule rational_root_test)
+  hence "\<not>(\<exists>x\<in>\<rat>. poly (map_poly of_rat p) x = (0 :: complex))"
+    by (auto simp: Rats_def)
+  also have "map_poly of_rat p = [:-1/6, -1/2, -1, 1 :: complex:]"
+    by (simp add: p_def of_rat_minus of_rat_divide)
+  finally show ?thesis
+    by auto
+qed   
+    
+
+text \<open>
+  This polynomial is \<^emph>\<open>squarefree\<close>, so these three roots are, in fact, unique (so that there are
+  indeed $3! = 6$ possible permutations).
+\<close>
+lemma rsquarefree: "rsquarefree [:-1/6, -1/2, -1, 1 :: complex:]"
+  by (rule coprime_pderiv_imp_rsquarefree)
+     (auto simp: pderiv_pCons coprime_iff_gcd_eq_1 gcd_poly_code gcd_poly_code_def content_def
+                 primitive_part_def gcd_poly_code_aux_reduce pseudo_mod_def pseudo_divmod_def
+                 Let_def Polynomial.monom_altdef normalize_poly_def)
+
+lemma distinct_xyz: "distinct [x, y, z]"
+  by (rule rsquarefree_imp_distinct_roots[OF rsquarefree]) (simp_all add: xyz_eq)
+
+
+text \<open>
+  While these roots \<^emph>\<open>can\<close> be written more explicitly in radical form, they are not very pleasant
+  to look at. We therefore only compute a few values of \<open>p\<close> just for fun:
+\<close>
+lemma "p 4 = 25 / 6" and "p 5 = 6" and "p 10 = 15539 / 432"
+  by (simp_all add: p_recurrence''')
+
+text \<open>
+  Lastly, let us (informally) examine the asymptotics of this problem.
+
+  Two of the roots have a norm of roughly $\beta \approx 0.341$, while the remaining root 
+  \<open>\<alpha>\<close> is roughly 1.431. Consequently, $x^n + y^n + z^n$ is asymptotically equivalent to $\alpha^n$,
+  with the error being bounded by $2\cdot \beta^n$ and therefore goes to 0 very quickly.
+
+  For $p(10) = \frac{15539}{432} \approx 35.97$, for instance, this approximation is correct
+  up to 6 decimals (a relative error of about 0.0001\,\%).
+\<close>
+
+end
+
+
+text \<open>
+  To really emphasise that the above puzzle has a solution and the locale is not `vacuous',
+  here is an interpretation of the locale using the existence theorem from before:
+\<close>
+notepad
+begin
+  define f :: "nat \<Rightarrow> complex" where "f = (\<lambda>k. [1,2,3] ! (k - 1))"
+  obtain Root :: "nat \<Rightarrow> complex" where Root: "\<And>k. k \<in> {1..3} \<Longrightarrow> (\<Sum>i<3. Root i ^ k) = f k"
+    using power_sum_puzzle_has_solution[of 3 f] by metis
+  define x y z where "x = Root 0" "y = Root 1" "z = Root 2"
+  have "x + y + z = 1" and "x^2 + y^2 + z^2 = 2" and "x^3 + y^3 + z^3 = 3"
+    using Root[of 1] Root[of 2] Root[of 3] by (simp_all add: eval_nat_numeral x_y_z_def f_def)
+  then interpret power_sum_puzzle_example x y z
+    by unfold_locales
+  have "p 5 = 6"
+    by (simp add: p_recurrence''')
+end
+
+end
\ No newline at end of file
diff --git a/thys/Power_Sum_Polynomials/ROOT b/thys/Power_Sum_Polynomials/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/Power_Sum_Polynomials/ROOT
@@ -0,0 +1,13 @@
+chapter AFP
+
+session Power_Sum_Polynomials (AFP) = Symmetric_Polynomials +
+  options [timeout = 600]
+  sessions
+    "HOL-Computational_Algebra"
+    Polynomial_Factorization
+  theories
+    Power_Sum_Puzzle
+  document_files
+    "root.tex"
+    "root.bib"
+
diff --git a/thys/Power_Sum_Polynomials/document/root.bib b/thys/Power_Sum_Polynomials/document/root.bib
new file mode 100644
--- /dev/null
+++ b/thys/Power_Sum_Polynomials/document/root.bib
@@ -0,0 +1,20 @@
+@article{zeilberger,
+  title = "A combinatorial proof of {N}ewton's identities",
+  journal = "Discrete Mathematics",
+  volume = "49",
+  number = "3",
+  pages = "319",
+  year = "1984",
+  issn = "0012-365X",
+  doi = "https://doi.org/10.1016/0012-365X(84)90171-7",
+  url = "http://www.sciencedirect.com/science/article/pii/0012365X84901717",
+  author = "Doron Zeilberger"
+}
+
+@book{dummit,
+  title={Abstract Algebra},
+  author={Dummit, D. S. and Foote, R. M.},
+  isbn={9780471433347},
+  year={2003},
+  publisher={Wiley}
+}
diff --git a/thys/Power_Sum_Polynomials/document/root.tex b/thys/Power_Sum_Polynomials/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/Power_Sum_Polynomials/document/root.tex
@@ -0,0 +1,38 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{isabelle,isabellesym}
+\usepackage{amsfonts, amsmath, amssymb}
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+\begin{document}
+
+\title{Power Sum Polynomials\\ and the Girard--Newton Theorem}
+\author{Manuel Eberl}
+\maketitle
+
+\begin{abstract}
+This article provides a formalisation of the symmetric multivariate polynomials known as \emph{power sum polynomials}. These are of the form $p_n(X_1,\ldots, X_k) = X_1 ^ n + \ldots + X_k ^ n$. A formal proof of the Girard--Newton Theorem is also given. This theorem relates the power sum polynomials to the elementary symmetric polynomials $s_k$ in the form of a recurrence relation $(-1)^k k s_k = \sum_{i=0}^{k-1} (-1)^i s_i p_{k-i}$\ .
+
+As an application, this is then used to solve a generalised form of a puzzle given as an exercise in Dummit and Foote's \emph{Abstract Algebra}: For $k$ complex unknowns $x_1, \ldots, x_k$, define $p_j := x_1^j + \ldots + x_k^j$. Then for each vector $a\in\mathbb{C}^k$, show that there is exactly one solution to the system $p_1 = a_1, \ldots, p_k = a_k$ up to permutation of the $x_i$ and determine the value of $p_i$ for $i>k$.
+\end{abstract}
+
+\tableofcontents
+\newpage
+\parindent 0pt\parskip 0.5ex
+
+\input{session}
+
+\bibliographystyle{abbrv}
+\bibliography{root}
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
diff --git a/thys/ROOTS b/thys/ROOTS
--- a/thys/ROOTS
+++ b/thys/ROOTS
@@ -1,532 +1,542 @@
 ADS_Functor
 AODV
 Attack_Trees
 Auto2_HOL
 Auto2_Imperative_HOL
 AVL-Trees
 AWN
 Abortable_Linearizable_Modules
 Abs_Int_ITP2012
 Abstract-Hoare-Logics
 Abstract-Rewriting
 Abstract_Completeness
 Abstract_Soundness
 Adaptive_State_Counting
 Affine_Arithmetic
 Aggregation_Algebras
 Akra_Bazzi
 Algebraic_Numbers
 Algebraic_VCs
 Allen_Calculus
 Amortized_Complexity
 AnselmGod
 Applicative_Lifting
 Approximation_Algorithms
 Architectural_Design_Patterns
 Aristotles_Assertoric_Syllogistic
 Arith_Prog_Rel_Primes
 ArrowImpossibilityGS
 AutoFocus-Stream
 Automatic_Refinement
 AxiomaticCategoryTheory
 BDD
 BNF_Operations
+Banach_Steinhaus
 Bell_Numbers_Spivey
 Berlekamp_Zassenhaus
 Bernoulli
 Bertrands_Postulate
 Bicategory
 BinarySearchTree
 Binding_Syntax_Theory
 Binomial-Heaps
 Binomial-Queues
 BNF_CC
 Bondy
 Boolean_Expression_Checkers
 Bounded_Deducibility_Security
 Buchi_Complementation
 Budan_Fourier
 Buffons_Needle
 Buildings
 BytecodeLogicJmlTypes
 C2KA_DistributedSystems
 CAVA_Automata
 CAVA_LTL_Modelchecker
 CCS
 CISC-Kernel
 CRDT
 CYK
 CakeML
 CakeML_Codegen
 Call_Arity
 Card_Equiv_Relations
 Card_Multisets
 Card_Number_Partitions
 Card_Partitions
 Cartan_FP
 Case_Labeling
 Catalan_Numbers
 Category
 Category2
 Category3
 Cauchy
 Cayley_Hamilton
 Certification_Monads
 Chord_Segments
 Circus
 Clean
 ClockSynchInst
 Closest_Pair_Points
 CofGroups
 Coinductive
 Coinductive_Languages
 Collections
 Comparison_Sort_Lower_Bound
 Compiling-Exceptions-Correctly
 Completeness
 Complete_Non_Orders
 Complex_Geometry
 Complx
 ComponentDependencies
 ConcurrentGC
 ConcurrentIMP
 Concurrent_Ref_Alg
 Concurrent_Revisions
 Consensus_Refined
 Constructive_Cryptography
 Constructor_Funs
 Containers
 CoreC++
 Core_DOM
 Count_Complex_Roots
 CryptHOL
 CryptoBasedCompositionalProperties
 DFS_Framework
 DPT-SAT-Solver
 DataRefinementIBP
 Datatype_Order_Generator
 Decl_Sem_Fun_PL
 Decreasing-Diagrams
 Decreasing-Diagrams-II
 Deep_Learning
 Density_Compiler
 Dependent_SIFUM_Refinement
 Dependent_SIFUM_Type_Systems
 Depth-First-Search
 Derangements
 Deriving
 Descartes_Sign_Rule
 Dict_Construction
 Differential_Dynamic_Logic
 Differential_Game_Logic
 Dijkstra_Shortest_Path
 Diophantine_Eqns_Lin_Hom
 Dirichlet_L
 Dirichlet_Series
 Discrete_Summation
 DiscretePricing
 DiskPaxos
 DynamicArchitectures
 Dynamic_Tables
 E_Transcendental
 Echelon_Form
 EdmondsKarp_Maxflow
 Efficient-Mergesort
 Elliptic_Curves_Group_Law
 Encodability_Process_Calculi
 Epistemic_Logic
 Ergodic_Theory
 Error_Function
 Euler_MacLaurin
 Euler_Partition
 Example-Submission
 Factored_Transition_System_Bounding
 Farkas
 FFT
 FLP
 FOL-Fitting
 FOL_Harrison
 FOL_Seq_Calc1
 Falling_Factorial_Sum
 FeatherweightJava
 Featherweight_OCL
 Fermat3_4
 FileRefinement
 FinFun
 Finger-Trees
 Finite_Automata_HF
 First_Order_Terms
 First_Welfare_Theorem
 Fishburn_Impossibility
 Fisher_Yates
 Flow_Networks
 Floyd_Warshall
 Flyspeck-Tame
 FocusStreamsCaseStudies
+Forcing
 Formal_SSA
 Formula_Derivatives
 Fourier
 Free-Boolean-Algebra
 Free-Groups
 FunWithFunctions
 FunWithTilings
 Functional-Automata
 Functional_Ordered_Resolution_Prover
 Furstenberg_Topology
 GPU_Kernel_PL
 Gabow_SCC
 Game_Based_Crypto
 Gauss-Jordan-Elim-Fun
 Gauss_Jordan
 Gauss_Sums
+Gaussian_Integers
 GenClock
 General-Triangle
 Generalized_Counting_Sort
 Generic_Deriving
 Generic_Join
 GewirthPGCProof
 Girth_Chromatic
 GoedelGod
 Goodstein_Lambda
 GraphMarkingIBP
 Graph_Saturation
 Graph_Theory
 Green
 Groebner_Bases
 Groebner_Macaulay
 Gromov_Hyperbolicity
 Group-Ring-Module
 HOL-CSP
 HOLCF-Prelude
 HRB-Slicing
 Heard_Of
 Hello_World
 HereditarilyFinite
 Hermite
 Hidden_Markov_Models
 Higher_Order_Terms
 Hoare_Time
 HotelKeyCards
 Huffman
 Hybrid_Logic
 Hybrid_Multi_Lane_Spatial_Logic
 Hybrid_Systems_VCs
 HyperCTL
 IEEE_Floating_Point
 IMAP-CRDT
 IMO2019
 IMP2
 IMP2_Binary_Heap
 IP_Addresses
 Imperative_Insertion_Sort
 Impossible_Geometry
 Incompleteness
 Incredible_Proof_Machine
 Inductive_Confidentiality
 InfPathElimination
 InformationFlowSlicing
 InformationFlowSlicing_Inter
 Integration
 Interval_Arithmetic_Word32
 Iptables_Semantics
+Irrational_Series_Erdos_Straus
 Irrationality_J_Hancl
 Isabelle_C
 Isabelle_Meta_Model
 Jacobson_Basic_Algebra
 Jinja
 JinjaThreads
 JiveDataStoreModel
 Jordan_Hoelder
 Jordan_Normal_Form
 KAD
 KAT_and_DRA
 KBPs
 KD_Tree
 Key_Agreement_Strong_Adversaries
 Kleene_Algebra
 Knuth_Bendix_Order
 Knot_Theory
+Knuth_Bendix_Order
 Knuth_Morris_Pratt
 Koenigsberg_Friendship
 Kruskal
 Kuratowski_Closure_Complement
 LLL_Basis_Reduction
 LLL_Factorization
 LOFT
 LTL
 LTL_to_DRA
 LTL_to_GBA
 LTL_Master_Theorem
+LTL_Normal_Form
 Lam-ml-Normalization
 LambdaAuth
 LambdaMu
 Lambda_Free_KBOs
 Lambda_Free_RPOs
+Lambert_W
 Landau_Symbols
 Laplace_Transform
 Latin_Square
 LatticeProperties
 Lambda_Free_EPO
 Launchbury
 Lazy-Lists-II
 Lazy_Case
 Lehmer
 Lifting_Definition_Option
 LightweightJava
 LinearQuantifierElim
 Linear_Inequalities
 Linear_Programming
 Linear_Recurrences
 Liouville_Numbers
 List-Index
 List-Infinite
 List_Interleaving
 List_Inversions
 List_Update
 LocalLexing
 Localization_Ring
 Locally-Nameless-Sigma
 Lowe_Ontological_Argument
 Lower_Semicontinuous
 Lp
 Lucas_Theorem
 MFMC_Countable
 MSO_Regex_Equivalence
 Markov_Models
 Marriage
 Mason_Stothers
+Matrices_for_ODEs
 Matrix
 Matrix_Tensor
 Matroids
 Max-Card-Matching
 Median_Of_Medians_Selection
 Menger
 Mersenne_Primes
 MFODL_Monitor_Optimized
 MFOTL_Monitor
 MiniML
 Minimal_SSA
 Minkowskis_Theorem
 Minsky_Machines
 Modal_Logics_for_NTS
 Modular_Assembly_Kit_Security
 Monad_Memo_DP
 Monad_Normalisation
 MonoBoolTranAlgebra
 MonoidalCategory
 Monomorphic_Monad
 MuchAdoAboutTwo
 Multirelations
 Multi_Party_Computation
 Myhill-Nerode
 Name_Carrying_Type_Inference
 Nat-Interval-Logic
 Native_Word
 Nested_Multisets_Ordinals
 Network_Security_Policy_Verification
 Neumann_Morgenstern_Utility
 No_FTL_observers
 Nominal2
 Noninterference_CSP
 Noninterference_Concurrent_Composition
 Noninterference_Generic_Unwinding
 Noninterference_Inductive_Unwinding
 Noninterference_Ipurge_Unwinding
 Noninterference_Sequential_Composition
 NormByEval
 Nullstellensatz
 Octonions
 Open_Induction
 OpSets
 Optics
 Optimal_BST
 Orbit_Stabiliser
 Order_Lattice_Props
 Ordered_Resolution_Prover
 Ordinal
 Ordinals_and_Cardinals
 Ordinary_Differential_Equations
 PCF
 PLM
 Pell
 POPLmark-deBruijn
 PSemigroupsConvolution
 Pairing_Heap
 Paraconsistency
 Parity_Game
 Partial_Function_MR
 Partial_Order_Reduction
 Password_Authentication_Protocol
 Perfect-Number-Thm
 Perron_Frobenius
 Pi_Calculus
 Pi_Transcendental
 Planarity_Certificates
 Polynomial_Factorization
 Polynomial_Interpolation
 Polynomials
 Poincare_Bendixson
 Poincare_Disc
 Pop_Refinement
 Posix-Lexing
 Possibilistic_Noninterference
+Power_Sum_Polynomials
 Pratt_Certificate
 Presburger-Automata
 Prim_Dijkstra_Simple
 Prime_Distribution_Elementary
 Prime_Harmonic_Series
 Prime_Number_Theorem
 Priority_Queue_Braun
 Priority_Search_Trees
 Probabilistic_Noninterference
 Probabilistic_Prime_Tests
 Probabilistic_System_Zoo
 Probabilistic_Timed_Automata
 Probabilistic_While
 Projective_Geometry
 Program-Conflict-Analysis
 Promela
 Proof_Strategy_Language
 PropResPI
 Propositional_Proof_Systems
 Prpu_Maxflow
 PseudoHoops
 Psi_Calculi
 Ptolemys_Theorem
 QHLProver
 QR_Decomposition
 Quantales
 Quaternions
 Quick_Sort_Cost
 RIPEMD-160-SPARK
 ROBDD
 RSAPSS
 Ramsey-Infinite
 Random_BSTs
 Randomised_BSTs
 Random_Graph_Subgraph_Threshold
 Randomised_Social_Choice
 Rank_Nullity_Theorem
 Real_Impl
+Recursion-Addition
 Recursion-Theory-I
 Refine_Imperative_HOL
 Refine_Monadic
 RefinementReactive
 Regex_Equivalence
 Regular-Sets
 Regular_Algebras
 Relation_Algebra
 Relational-Incorrectness-Logic
 Rep_Fin_Groups
 Residuated_Lattices
 Resolution_FOL
 Rewriting_Z
 Ribbon_Proofs
 Robbins-Conjecture
 Root_Balanced_Tree
 Routing
 Roy_Floyd_Warshall
 SATSolverVerification
 SDS_Impossibility
 SIFPL
 SIFUM_Type_Systems
 SPARCv8
 Safe_OCL
 Saturation_Framework
 Secondary_Sylow
 Security_Protocol_Refinement
 Selection_Heap_Sort
 SenSocialChoice
 Separata
 Separation_Algebra
 Separation_Logic_Imperative_HOL
 SequentInvertibility
 Shivers-CFA
 ShortestPath
 Show
 Sigma_Commit_Crypto
 Signature_Groebner
 Simpl
 Simple_Firewall
 Simplex
 Skew_Heap
 Skip_Lists
 Slicing
 Sliding_Window_Algorithm
 Smooth_Manifolds
 Sort_Encodings
 Source_Coding_Theorem
 Special_Function_Bounds
 Splay_Tree
 Sqrt_Babylonian
 Stable_Matching
 Statecharts
 Stellar_Quorums
 Stern_Brocot
 Stewart_Apollonius
 Stirling_Formula
 Stochastic_Matrices
 Stone_Algebras
 Stone_Kleene_Relation_Algebras
 Stone_Relation_Algebras
 Store_Buffer_Reduction
 Stream-Fusion
 Stream_Fusion_Code
 Strong_Security
 Sturm_Sequences
 Sturm_Tarski
 Stuttering_Equivalence
 Subresultants
 Subset_Boolean_Algebras
 SumSquares
 SuperCalc
 Surprise_Paradox
 Symmetric_Polynomials
 Szpilrajn
 TESL_Language
 TLA
 Tail_Recursive_Functions
 Tarskis_Geometry
 Taylor_Models
 Timed_Automata
 Topology
 TortoiseHare
 Transcendence_Series_Hancl_Rucki
 Transformer_Semantics
 Transition_Systems_and_Automata
 Transitive-Closure
 Transitive-Closure-II
 Treaps
 Tree-Automata
 Tree_Decomposition
 Triangle
 Trie
 Twelvefold_Way
 Tycon
 Types_Tableaus_and_Goedels_God
 Universal_Turing_Machine
 UPF
 UPF_Firewall
 UpDown_Scheme
 UTP
 Valuation
 VectorSpace
 VeriComp
 Verified-Prover
 VerifyThis2018
 VerifyThis2019
 Vickrey_Clarke_Groves
 VolpanoSmith
 WHATandWHERE_Security
 WebAssembly
 Weight_Balanced_Trees
 Well_Quasi_Orders
 Winding_Number_Eval
 WOOT_Strong_Eventual_Consistency
 Word_Lib
 WorkerWrapper
 XML
 Zeta_Function
 Zeta_3_Irrational
 ZFC_in_HOL
 pGCL
diff --git a/thys/Recursion-Addition/ROOT b/thys/Recursion-Addition/ROOT
new file mode 100644
--- /dev/null
+++ b/thys/Recursion-Addition/ROOT
@@ -0,0 +1,10 @@
+chapter AFP
+
+session "Recursion-Addition" (AFP) = ZF +
+  options [timeout = 300]
+  theories
+    recursion
+
+  document_files
+    "root.tex"
+
diff --git a/thys/Recursion-Addition/document/root.tex b/thys/Recursion-Addition/document/root.tex
new file mode 100644
--- /dev/null
+++ b/thys/Recursion-Addition/document/root.tex
@@ -0,0 +1,36 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{isabelle,isabellesym}
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+
+\begin{document}
+
+\title{Recursion Theorem}
+\author{Georgy Dunaev}
+\maketitle
+
+\begin{abstract}
+  This document contains a proof of the recursion theorem.
+  This is a mechanization of the proof of the recursion theorem from 
+  the text \textit{Introduction to Set Theory}, by Karel Hrbacek 
+  and Thomas Jech. This implementation may be used as the basis for 
+  a model of Peano Arithmetic in ZF\@. While recursion and the natural
+  numbers are already available in ZF, this clean development
+  is much easier to follow.
+\end{abstract}
+
+\tableofcontents
+
+% include generated text of all theories
+\input{session}
+
+\bibliographystyle{abbrv}
+\bibliography{root}
+
+\end{document}
diff --git a/thys/Recursion-Addition/recursion.thy b/thys/Recursion-Addition/recursion.thy
new file mode 100644
--- /dev/null
+++ b/thys/Recursion-Addition/recursion.thy
@@ -0,0 +1,1525 @@
+(*  Title:       Recursion theorem
+    Author:      Georgy Dunaev <georgedunaev at gmail.com>, 2020
+    Maintainer:  Georgy Dunaev <georgedunaev at gmail.com>
+*)
+section "Recursion Submission"
+
+text \<open>Recursion Theorem is proved in the following document.
+It also contains the addition on natural numbers.
+The development is done in the context of Zermelo-Fraenkel set theory.\<close>
+
+theory recursion
+  imports ZF
+begin
+
+section \<open>Basic Set Theory\<close>
+text \<open>Useful lemmas about sets, functions and natural numbers\<close>
+lemma pisubsig : \<open>Pi(A,P)\<subseteq>Pow(Sigma(A,P))\<close>
+proof
+  fix x
+  assume \<open>x \<in> Pi(A,P)\<close>
+  hence \<open>x \<in> {f\<in>Pow(Sigma(A,P)). A\<subseteq>domain(f) & function(f)}\<close>
+    by (unfold Pi_def)
+  thus \<open>x \<in> Pow(Sigma(A, P))\<close>
+    by (rule CollectD1)
+qed
+
+lemma apparg:
+  fixes f A B
+  assumes T0:\<open>f:A\<rightarrow>B\<close>
+  assumes T1:\<open>f ` a = b\<close>
+  assumes T2:\<open>a \<in> A\<close>
+  shows \<open>\<langle>a, b\<rangle> \<in> f\<close>
+proof(rule iffD2[OF func.apply_iff], rule T0)
+  show T:\<open>a \<in> A \<and> f ` a = b\<close>
+    by (rule conjI[OF T2 T1])
+qed
+
+theorem nat_induct_bound :
+  assumes H0:\<open>P(0)\<close>
+  assumes H1:\<open>!!x. x\<in>nat \<Longrightarrow> P(x) \<Longrightarrow> P(succ(x))\<close>
+  shows \<open>\<forall>n\<in>nat. P(n)\<close>
+proof(rule ballI)
+  fix n
+  assume H2:\<open>n\<in>nat\<close>
+  show \<open>P(n)\<close>
+  proof(rule nat_induct[of n])
+    from H2 show \<open>n\<in>nat\<close> by assumption
+  next
+    show \<open>P(0)\<close> by (rule H0)
+  next
+    fix x
+    assume H3:\<open>x\<in>nat\<close>
+    assume H4:\<open>P(x)\<close>
+    show \<open>P(succ(x))\<close> by (rule H1[OF H3 H4])
+  qed
+qed
+
+theorem nat_Tr : \<open>\<forall>n\<in>nat. m\<in>n \<longrightarrow> m\<in>nat\<close>
+proof(rule nat_induct_bound)
+  show \<open>m \<in> 0 \<longrightarrow> m \<in> nat\<close> by auto
+next
+  fix x
+  assume H0:\<open>x \<in> nat\<close>
+  assume H1:\<open>m \<in> x \<longrightarrow> m \<in> nat\<close>
+  show \<open>m \<in> succ(x) \<longrightarrow> m \<in> nat\<close>
+  proof(rule impI)
+    assume H2:\<open>m\<in>succ(x)\<close>
+    show \<open>m \<in> nat\<close>
+    proof(rule succE[OF H2])
+      assume H3:\<open>m = x\<close>
+      from H0 and H3 show \<open>m \<in> nat\<close>
+        by auto
+    next
+      assume H4:\<open>m \<in> x\<close>
+      show \<open>m \<in> nat\<close>
+        by(rule mp[OF H1 H4])
+    qed
+  qed
+qed
+
+(* Natural numbers are linearly ordered. *)
+theorem zeroleq : \<open>\<forall>n\<in>nat. 0\<in>n \<or> 0=n\<close>
+proof(rule ballI)
+  fix n
+  assume H1:\<open>n\<in>nat\<close>
+  show \<open>0\<in>n\<or>0=n\<close>
+  proof(rule nat_induct[of n])
+    from H1 show \<open>n \<in> nat\<close> by assumption
+  next
+    show \<open>0 \<in> 0 \<or> 0 = 0\<close> by (rule disjI2, rule refl)
+  next
+    fix x
+    assume H2:\<open>x\<in>nat\<close>
+    assume H3:\<open> 0 \<in> x \<or> 0 = x\<close>
+    show \<open>0 \<in> succ(x) \<or> 0 = succ(x)\<close>
+    proof(rule disjE[OF H3])
+      assume H4:\<open>0\<in>x\<close>
+      show \<open>0 \<in> succ(x) \<or> 0 = succ(x)\<close>
+      proof(rule disjI1)
+        show \<open>0 \<in> succ(x)\<close>
+          by (rule succI2[OF H4])
+      qed
+    next
+      assume H4:\<open>0=x\<close>
+      show \<open>0 \<in> succ(x) \<or> 0 = succ(x)\<close>
+      proof(rule disjI1)
+        have q:\<open>x \<in> succ(x)\<close> by auto
+        from q and H4 show \<open>0 \<in> succ(x)\<close> by auto
+      qed
+    qed
+  qed
+qed
+
+theorem JH2_1ii : \<open>m\<in>succ(n) \<Longrightarrow> m\<in>n\<or>m=n\<close>
+  by auto
+
+theorem nat_transitive:\<open>\<forall>n\<in>nat. \<forall>k. \<forall>m.  k \<in> m \<and> m \<in> n \<longrightarrow> k \<in> n\<close>
+proof(rule nat_induct_bound)
+  show \<open>\<forall>k. \<forall>m. k \<in> m \<and> m \<in> 0 \<longrightarrow> k \<in> 0\<close>
+  proof(rule allI, rule allI, rule impI)
+    fix k m
+    assume H:\<open>k \<in> m \<and> m \<in> 0\<close>
+    then have H:\<open>m \<in> 0\<close> by auto
+    then show \<open>k \<in> 0\<close> by auto
+  qed
+next
+  fix n
+  assume H0:\<open>n \<in> nat\<close>
+  assume H1:\<open>\<forall>k.
+            \<forall>m.
+               k \<in> m \<and> m \<in> n \<longrightarrow>
+               k \<in> n\<close>
+  show \<open>\<forall>k. \<forall>m.
+               k \<in> m \<and>
+               m \<in> succ(n) \<longrightarrow>
+               k \<in> succ(n)\<close>
+  proof(rule allI, rule allI, rule impI)
+    fix k m
+    assume H4:\<open>k \<in> m \<and> m \<in> succ(n)\<close>
+    hence H4':\<open>m \<in> succ(n)\<close> by (rule conjunct2)
+    hence H4'':\<open>m\<in>n \<or> m=n\<close> by (rule succE, auto)
+    from H4 have Q:\<open>k \<in> m\<close> by (rule conjunct1)
+    have H1S:\<open>\<forall>m. k \<in> m \<and> m \<in> n \<longrightarrow> k \<in> n\<close>
+      by (rule spec[OF H1])
+    have H1S:\<open>k \<in> m \<and> m \<in> n \<longrightarrow> k \<in> n\<close>
+      by (rule spec[OF H1S])
+    show \<open>k \<in> succ(n)\<close>
+    proof(rule disjE[OF H4''])
+      assume L:\<open>m\<in>n\<close>
+      from Q and L have QL:\<open>k \<in> m \<and> m \<in> n\<close> by auto
+      have G:\<open>k \<in> n\<close> by (rule mp [OF H1S QL])
+      show \<open>k \<in> succ(n)\<close>
+        by (rule succI2[OF G])
+    next
+      assume L:\<open>m=n\<close>
+      from Q have F:\<open>k \<in> succ(m)\<close> by auto
+      from L and Q show \<open>k \<in> succ(n)\<close> by auto
+    qed
+  qed
+qed
+
+theorem nat_xninx : \<open>\<forall>n\<in>nat. \<not>(n\<in>n)\<close>
+proof(rule nat_induct_bound)
+  show \<open>0\<notin>0\<close>
+    by auto
+next
+  fix x
+  assume H0:\<open>x\<in>nat\<close>
+  assume H1:\<open>x\<notin>x\<close>
+  show \<open>succ(x) \<notin> succ(x)\<close>
+  proof(rule contrapos[OF H1])
+    assume Q:\<open>succ(x) \<in> succ(x)\<close>
+    have D:\<open>succ(x)\<in>x \<or> succ(x)=x\<close>
+      by (rule JH2_1ii[OF Q])
+    show \<open>x\<in>x\<close>
+    proof(rule disjE[OF D])
+      assume Y1:\<open>succ(x)\<in>x\<close>
+      have U:\<open>x\<in>succ(x)\<close> by (rule succI1)
+      have T:\<open>x \<in> succ(x) \<and> succ(x) \<in> x \<longrightarrow> x \<in> x\<close>
+        by (rule spec[OF spec[OF bspec[OF nat_transitive H0]]])
+      have R:\<open>x \<in> succ(x) \<and> succ(x) \<in> x\<close>
+        by (rule conjI[OF U Y1])
+      show \<open>x\<in>x\<close>
+        by (rule mp[OF T R])
+    next
+      assume Y1:\<open>succ(x)=x\<close>
+      show \<open>x\<in>x\<close>
+        by (rule subst[OF Y1], rule Q)
+    qed
+  qed
+qed
+
+theorem nat_asym : \<open>\<forall>n\<in>nat. \<forall>m. \<not>(n\<in>m \<and> m\<in>n)\<close>
+proof(rule ballI, rule allI)
+  fix n m
+  assume H0:\<open>n \<in> nat\<close>
+  have Q:\<open>\<not>(n\<in>n)\<close>
+    by(rule bspec[OF nat_xninx H0])
+  show \<open>\<not> (n \<in> m \<and> m \<in> n)\<close>
+  proof(rule contrapos[OF Q])
+    assume W:\<open>(n \<in> m \<and> m \<in> n)\<close>
+    show \<open>n\<in>n\<close>
+      by (rule mp[OF spec[OF spec[OF bspec[OF nat_transitive H0]]] W])
+  qed
+qed
+
+theorem zerolesucc :\<open>\<forall>n\<in>nat. 0 \<in> succ(n)\<close>
+proof(rule nat_induct_bound)
+  show \<open>0\<in>1\<close>
+    by auto
+next
+  fix x
+  assume H0:\<open>x\<in>nat\<close>
+  assume H1:\<open>0\<in>succ(x)\<close>
+  show \<open>0\<in>succ(succ(x))\<close>
+  proof
+    assume J:\<open>0 \<notin> succ(x)\<close>
+    show \<open>0 = succ(x)\<close>
+      by(rule notE[OF J H1])
+  qed
+qed
+
+theorem succ_le : \<open>\<forall>n\<in>nat. succ(m)\<in>succ(n) \<longrightarrow> m\<in>n\<close>
+proof(rule nat_induct_bound)
+  show \<open> succ(m) \<in> 1 \<longrightarrow> m \<in> 0\<close>
+    by blast
+next
+  fix x
+  assume H0:\<open>x \<in> nat\<close>
+  assume H1:\<open>succ(m) \<in> succ(x) \<longrightarrow> m \<in> x\<close>
+  show \<open> succ(m) \<in>
+             succ(succ(x)) \<longrightarrow>
+             m \<in> succ(x)\<close>
+  proof(rule impI)
+    assume J0:\<open>succ(m) \<in> succ(succ(x))\<close>
+    show \<open>m \<in> succ(x)\<close>
+    proof(rule succE[OF J0])
+      assume R:\<open>succ(m) = succ(x)\<close>
+      hence R:\<open>m=x\<close> by (rule upair.succ_inject)
+      from R and succI1 show \<open>m \<in> succ(x)\<close> by auto
+    next
+      assume R:\<open>succ(m) \<in> succ(x)\<close>
+      have R:\<open>m\<in>x\<close> by (rule mp[OF H1 R])
+      then show \<open>m \<in> succ(x)\<close> by auto
+    qed
+  qed
+qed
+
+theorem succ_le2 : \<open>\<forall>n\<in>nat. \<forall>m. succ(m)\<in>succ(n) \<longrightarrow> m\<in>n\<close>
+proof
+  fix n
+  assume H:\<open>n\<in>nat\<close>
+  show \<open>\<forall>m. succ(m) \<in> succ(n) \<longrightarrow> m \<in> n\<close>
+  proof
+    fix m
+    from succ_le and H show \<open>succ(m) \<in> succ(n) \<longrightarrow> m \<in> n\<close> by auto
+  qed
+qed
+
+theorem le_succ : \<open>\<forall>n\<in>nat. m\<in>n \<longrightarrow> succ(m)\<in>succ(n)\<close>
+proof(rule nat_induct_bound)
+  show \<open>m \<in> 0 \<longrightarrow> succ(m) \<in> 1\<close>
+    by auto
+next
+  fix x
+  assume H0:\<open>x\<in>nat\<close>
+  assume H1:\<open>m \<in> x \<longrightarrow> succ(m) \<in> succ(x)\<close>
+  show \<open>m \<in> succ(x) \<longrightarrow>
+            succ(m) \<in> succ(succ(x))\<close>
+  proof(rule impI)
+    assume HR1:\<open>m\<in>succ(x)\<close>
+    show \<open>succ(m) \<in> succ(succ(x))\<close>
+    proof(rule succE[OF HR1])
+      assume Q:\<open>m = x\<close>
+      from Q show \<open>succ(m) \<in> succ(succ(x))\<close>
+        by auto
+    next
+      assume Q:\<open>m \<in> x\<close>
+      have Q:\<open>succ(m) \<in> succ(x)\<close>
+        by (rule mp[OF H1 Q])
+      from Q show \<open>succ(m) \<in> succ(succ(x))\<close>
+        by (rule succI2)
+    qed
+  qed
+qed
+
+theorem nat_linord:\<open>\<forall>n\<in>nat. \<forall>m\<in>nat. m\<in>n\<or>m=n\<or>n\<in>m\<close>
+proof(rule ballI)
+  fix n
+  assume H1:\<open>n\<in>nat\<close>
+  show \<open>\<forall>m\<in>nat. m \<in> n \<or> m = n \<or> n \<in> m\<close>
+  proof(rule nat_induct[of n])
+    from H1 show \<open>n\<in>nat\<close> by assumption
+  next
+    show \<open>\<forall>m\<in>nat. m \<in> 0 \<or> m = 0 \<or> 0 \<in> m\<close>
+    proof
+      fix m
+      assume J:\<open>m\<in>nat\<close>
+      show \<open> m \<in> 0 \<or> m = 0 \<or> 0 \<in> m\<close>
+      proof(rule disjI2)
+        have Q:\<open>0\<in>m\<or>0=m\<close> by (rule bspec[OF zeroleq J])
+        show \<open>m = 0 \<or> 0 \<in> m\<close>
+          by (rule disjE[OF Q], auto)
+      qed
+    qed
+  next
+    fix x
+    assume K:\<open>x\<in>nat\<close>
+    assume M:\<open>\<forall>m\<in>nat. m \<in> x \<or> m = x \<or> x \<in> m\<close>
+    show \<open>\<forall>m\<in>nat.
+            m \<in> succ(x) \<or>
+            m = succ(x) \<or>
+            succ(x) \<in> m\<close>
+    proof(rule nat_induct_bound)
+      show \<open>0 \<in> succ(x) \<or>  0 = succ(x) \<or> succ(x) \<in> 0\<close>
+      proof(rule disjI1)
+        show \<open>0 \<in> succ(x)\<close>
+          by (rule bspec[OF zerolesucc K])
+      qed
+    next
+      fix y
+      assume H0:\<open>y \<in> nat\<close>
+      assume H1:\<open>y \<in> succ(x) \<or> y = succ(x) \<or> succ(x) \<in> y\<close>
+      show \<open>succ(y) \<in> succ(x) \<or>
+            succ(y) = succ(x) \<or>
+            succ(x) \<in> succ(y)\<close>
+      proof(rule disjE[OF H1])
+        assume W:\<open>y\<in>succ(x)\<close>
+        show \<open>succ(y) \<in> succ(x) \<or>
+              succ(y) = succ(x) \<or>
+              succ(x) \<in> succ(y)\<close>
+        proof(rule succE[OF W])
+          assume G:\<open>y=x\<close>
+          show \<open>succ(y) \<in> succ(x) \<or>
+    succ(y) = succ(x) \<or>
+    succ(x) \<in> succ(y)\<close>
+            by (rule disjI2, rule disjI1, rule subst[OF G], rule refl)
+        next
+          assume G:\<open>y \<in> x\<close>
+          have R:\<open>succ(y) \<in> succ(x)\<close>
+            by (rule mp[OF bspec[OF le_succ K] G])
+          show \<open>succ(y) \<in> succ(x) \<or>
+           succ(y) = succ(x) \<or>
+           succ(x) \<in> succ(y)\<close>
+            by(rule disjI1, rule R)
+        qed
+      next
+        assume W:\<open>y = succ(x) \<or> succ(x) \<in> y\<close>
+        show \<open>succ(y) \<in> succ(x) \<or>
+              succ(y) = succ(x) \<or>
+              succ(x) \<in> succ(y)\<close>
+        proof(rule disjE[OF W])
+          assume W:\<open>y=succ(x)\<close>
+          show \<open>succ(y) \<in> succ(x) \<or>
+              succ(y) = succ(x) \<or>
+              succ(x) \<in> succ(y)\<close>
+            by (rule disjI2, rule disjI2, rule subst[OF W], rule succI1)
+        next
+          assume W:\<open>succ(x)\<in>y\<close>
+          show \<open>succ(y) \<in> succ(x) \<or>
+              succ(y) = succ(x) \<or>
+              succ(x) \<in> succ(y)\<close>
+            by (rule disjI2, rule disjI2, rule succI2[OF W])
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma tgb:
+  assumes knat: \<open>k\<in>nat\<close>
+  assumes D: \<open>t \<in> k \<rightarrow> A\<close>
+  shows  \<open>t \<in> Pow(nat \<times> A)\<close>
+proof -
+  from D
+  have q:\<open>t\<in>{t\<in>Pow(Sigma(k,%_.A)). k\<subseteq>domain(t) & function(t)}\<close>
+    by(unfold Pi_def)
+  have J:\<open>t \<in> Pow(k \<times> A)\<close>
+    by (rule CollectD1[OF q])
+  have G:\<open>k \<times> A \<subseteq> nat \<times> A\<close>
+  proof(rule func.Sigma_mono)
+    from knat
+    show \<open>k\<subseteq>nat\<close>
+      by (rule QUniv.naturals_subset_nat)
+  next
+    show \<open>\<And>x. x \<in> k \<Longrightarrow> A \<subseteq> A\<close>
+      by auto
+  qed
+  show \<open>t \<in> Pow(nat \<times> A)\<close>
+    by (rule subsetD, rule func.Pow_mono[OF G], rule J)
+qed
+
+section \<open>Compatible set\<close>
+text \<open>Union of compatible set of functions is a function.\<close>
+
+definition compat :: \<open>[i,i]\<Rightarrow>o\<close>
+  where "compat(f1,f2) == \<forall>x.\<forall>y1.\<forall>y2.\<langle>x,y1\<rangle> \<in> f1 \<and> \<langle>x,y2\<rangle> \<in> f2 \<longrightarrow> y1=y2"
+
+lemma compatI [intro]:
+  assumes H:\<open>\<And>x y1 y2.\<lbrakk>\<langle>x,y1\<rangle> \<in> f1; \<langle>x,y2\<rangle> \<in> f2\<rbrakk>\<Longrightarrow>y1=y2\<close>
+  shows \<open>compat(f1,f2)\<close>
+proof(unfold compat_def)
+  show \<open>\<forall>x y1 y2. \<langle>x, y1\<rangle> \<in> f1 \<and> \<langle>x, y2\<rangle> \<in> f2 \<longrightarrow> y1 = y2\<close>
+  proof(rule allI | rule impI)+
+    fix x y1 y2
+    assume K:\<open>\<langle>x, y1\<rangle> \<in> f1 \<and> \<langle>x, y2\<rangle> \<in> f2\<close>
+    have K1:\<open>\<langle>x, y1\<rangle> \<in> f1\<close> by (rule conjunct1[OF K])
+    have K2:\<open>\<langle>x, y2\<rangle> \<in> f2\<close> by (rule conjunct2[OF K])
+    show \<open>y1 = y2\<close> by (rule H[OF K1 K2])
+  qed
+qed
+
+lemma compatD:
+  assumes H: \<open>compat(f1,f2)\<close>
+  shows \<open>\<And>x y1 y2.\<lbrakk>\<langle>x,y1\<rangle> \<in> f1; \<langle>x,y2\<rangle> \<in> f2\<rbrakk>\<Longrightarrow>y1=y2\<close>
+proof -
+  fix x y1 y2
+  assume Q1:\<open>\<langle>x, y1\<rangle> \<in> f1\<close>
+  assume Q2:\<open>\<langle>x, y2\<rangle> \<in> f2\<close>
+  from H have H:\<open>\<forall>x y1 y2. \<langle>x, y1\<rangle> \<in> f1 \<and> \<langle>x, y2\<rangle> \<in> f2 \<longrightarrow> y1 = y2\<close>
+    by (unfold compat_def)
+  show \<open>y1=y2\<close>
+  proof(rule mp[OF spec[OF spec[OF spec[OF H]]]])
+    show \<open>\<langle>x, y1\<rangle> \<in> f1 \<and> \<langle>x, y2\<rangle> \<in> f2\<close>
+      by(rule conjI[OF Q1 Q2])
+  qed
+qed
+
+lemma compatE:
+  assumes H: \<open>compat(f1,f2)\<close>
+  and W:\<open>(\<And>x y1 y2.\<lbrakk>\<langle>x,y1\<rangle> \<in> f1; \<langle>x,y2\<rangle> \<in> f2\<rbrakk>\<Longrightarrow>y1=y2) \<Longrightarrow> E\<close>
+shows \<open>E\<close>
+  by (rule W, rule compatD[OF H], assumption+)
+
+
+definition compatset :: \<open>i\<Rightarrow>o\<close>
+  where "compatset(S) == \<forall>f1\<in>S.\<forall>f2\<in>S. compat(f1,f2)"
+
+lemma compatsetI [intro] :
+  assumes 1:\<open>\<And>f1 f2. \<lbrakk>f1\<in>S;f2\<in>S\<rbrakk> \<Longrightarrow> compat(f1,f2)\<close>
+  shows \<open>compatset(S)\<close>
+  by (unfold compatset_def, rule ballI, rule ballI, rule 1, assumption+)
+
+lemma compatsetD:
+  assumes H: \<open>compatset(S)\<close>
+  shows \<open>\<And>f1 f2.\<lbrakk>f1\<in>S; f2\<in>S\<rbrakk>\<Longrightarrow>compat(f1,f2)\<close>
+proof -
+  fix f1 f2
+  assume H1:\<open>f1\<in>S\<close>
+  assume H2:\<open>f2\<in>S\<close>
+  from H have H:\<open>\<forall>f1\<in>S.\<forall>f2\<in>S. compat(f1,f2)\<close>
+    by (unfold compatset_def)
+  show \<open>compat(f1,f2)\<close>
+    by (rule bspec[OF bspec[OF H H1] H2])
+qed
+
+lemma compatsetE:
+  assumes H: \<open>compatset(S)\<close>
+  and W:\<open>(\<And>f1 f2.\<lbrakk>f1\<in>S; f2\<in>S\<rbrakk>\<Longrightarrow>compat(f1,f2)) \<Longrightarrow> E\<close>
+shows \<open>E\<close>
+  by (rule W, rule compatsetD[OF H], assumption+)
+
+theorem upairI1 : \<open>a \<in> {a, b}\<close>
+proof
+  assume \<open>a \<notin> {b}\<close>
+  show \<open>a = a\<close> by (rule refl)
+qed
+
+theorem upairI2 : \<open>b \<in> {a, b}\<close>
+proof
+  assume H:\<open>b \<notin> {b}\<close>
+  have Y:\<open>b \<in> {b}\<close> by (rule upair.singletonI)
+  show \<open>b = a\<close> by (rule notE[OF H Y])
+qed
+
+theorem sinup : \<open>{x} \<in> \<langle>x, xa\<rangle>\<close>
+proof (unfold Pair_def)
+  show \<open>{x} \<in> {{x, x}, {x, xa}}\<close>
+  proof (rule IFOL.subst)
+    show \<open>{x} \<in> {{x},{x,xa}}\<close>
+      by (rule upairI1)
+  next
+    show \<open>{{x}, {x, xa}} = {{x, x}, {x, xa}}\<close>
+      by blast
+  qed
+qed
+
+theorem compatsetunionfun :
+  fixes S
+  assumes H0:\<open>compatset(S)\<close>
+  shows \<open>function(\<Union>S)\<close>
+proof(unfold function_def)
+  show \<open> \<forall>x y1. \<langle>x, y1\<rangle> \<in> \<Union>S \<longrightarrow>
+          (\<forall>y2. \<langle>x, y2\<rangle> \<in> \<Union>S \<longrightarrow> y1 = y2)\<close>
+  proof(rule allI, rule allI, rule impI, rule allI, rule impI)
+    fix x y1 y2
+    assume F1:\<open>\<langle>x, y1\<rangle> \<in> \<Union>S\<close>
+    assume F2:\<open>\<langle>x, y2\<rangle> \<in> \<Union>S\<close>
+    show \<open>y1=y2\<close>
+    proof(rule UnionE[OF F1], rule UnionE[OF F2])
+      fix f1 f2
+      assume J1:\<open>\<langle>x, y1\<rangle> \<in> f1\<close>
+      assume J2:\<open>\<langle>x, y2\<rangle> \<in> f2\<close>
+      assume K1:\<open>f1 \<in> S\<close>
+      assume K2:\<open>f2 \<in> S\<close>
+      have R:\<open>compat(f1,f2)\<close>
+        by (rule compatsetD[OF H0 K1 K2])
+      show \<open>y1=y2\<close>
+        by(rule compatD[OF R J1 J2])
+    qed
+  qed
+qed
+
+theorem mkel :
+  assumes 1:\<open>A\<close>
+  assumes 2:\<open>A\<Longrightarrow>B\<close>
+  shows \<open>B\<close>
+  by (rule 2, rule 1)
+
+theorem valofunion :
+  fixes S
+  assumes H0:\<open>compatset(S)\<close>
+  assumes W:\<open>f\<in>S\<close>
+  assumes Q:\<open>f:A\<rightarrow>B\<close>
+  assumes T:\<open>a\<in>A\<close>
+  assumes P:\<open>f ` a = v\<close>
+  shows N:\<open>(\<Union>S)`a = v\<close>
+proof -
+  have K:\<open>\<langle>a, v\<rangle> \<in> f\<close>
+    by (rule apparg[OF Q P T])
+  show N:\<open>(\<Union>S)`a = v\<close>
+  proof(rule function_apply_equality)
+    show \<open>function(\<Union>S)\<close>
+      by(rule compatsetunionfun[OF H0])
+  next
+    show \<open>\<langle>a, v\<rangle> \<in> \<Union>S\<close>
+      by(rule UnionI[OF W K ])
+  qed
+qed
+
+section "Partial computation"
+
+definition satpc :: \<open>[i,i,i] \<Rightarrow> o \<close>
+  where \<open>satpc(t,\<alpha>,g) == \<forall>n \<in> \<alpha> . t`succ(n) = g ` <t`n, n>\<close>
+
+text \<open>$m$-step computation based on $a$ and $g$\<close>
+definition partcomp :: \<open>[i,i,i,i,i]\<Rightarrow>o\<close>
+  where \<open>partcomp(A,t,m,a,g) == (t:succ(m)\<rightarrow>A) \<and> (t`0=a) \<and> satpc(t,m,g)\<close>
+
+lemma partcompI [intro]:
+  assumes H1:\<open>(t:succ(m)\<rightarrow>A)\<close>
+  assumes H2:\<open>(t`0=a)\<close>
+  assumes H3:\<open>satpc(t,m,g)\<close>
+  shows \<open>partcomp(A,t,m,a,g)\<close>
+proof (unfold partcomp_def, auto)
+  show \<open>t \<in> succ(m) \<rightarrow> A\<close> by (rule H1)
+  show \<open>(t`0=a)\<close> by (rule H2)
+  show \<open>satpc(t,m,g)\<close> by (rule H3)
+qed
+
+lemma partcompD1: \<open>partcomp(A,t,m,a,g) \<Longrightarrow> t \<in> succ(m) \<rightarrow> A\<close>
+  by (unfold partcomp_def, auto)
+
+lemma partcompD2: \<open>partcomp(A,t,m,a,g) \<Longrightarrow> (t`0=a)\<close>
+ by (unfold partcomp_def, auto)
+
+lemma partcompD3: \<open>partcomp(A,t,m,a,g) \<Longrightarrow> satpc(t,m,g)\<close>
+  by (unfold partcomp_def, auto)
+
+lemma partcompE [elim] :
+  assumes 1:\<open>partcomp(A,t,m,a,g)\<close>
+    and 2:\<open>\<lbrakk>(t:succ(m)\<rightarrow>A) ; (t`0=a) ; satpc(t,m,g)\<rbrakk> \<Longrightarrow> E\<close>
+  shows \<open>E\<close>
+  by (rule 2, rule partcompD1[OF 1], rule partcompD2[OF 1], rule partcompD3[OF 1])
+
+text \<open>If we add ordered pair in the middle of partial computation then
+it will not change.\<close>
+lemma addmiddle:
+(*  fixes  t m a g*)
+  assumes mnat:\<open>m\<in>nat\<close>
+  assumes F:\<open>partcomp(A,t,m,a,g)\<close>
+  assumes xinm:\<open>x\<in>m\<close>
+  shows \<open>cons(\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle>, t) = t\<close>
+proof(rule partcompE[OF F])
+  assume F1:\<open>t \<in> succ(m) \<rightarrow> A\<close>
+  assume F2:\<open>t ` 0 = a\<close>
+  assume F3:\<open>satpc(t, m, g)\<close>
+  from F3
+  have W:\<open>\<forall>n\<in>m. t ` succ(n) = g ` \<langle>t ` n, n\<rangle>\<close>
+    by (unfold satpc_def)
+  have U:\<open>t ` succ(x) = g ` \<langle>t ` x, x\<rangle>\<close>
+    by (rule bspec[OF W xinm])
+  have E:\<open>\<langle>succ(x), (g ` \<langle>t ` x, x\<rangle>)\<rangle> \<in> t\<close>
+  proof(rule apparg[OF F1 U])
+    show \<open>succ(x) \<in> succ(m)\<close>
+      by(rule mp[OF bspec[OF le_succ mnat] xinm])
+  qed
+  show ?thesis
+    by (rule equalities.cons_absorb[OF E])
+qed
+
+
+section \<open>Set of functions \<close>
+text \<open>It is denoted as $F$ on page 48 in "Introduction to Set Theory".\<close>
+definition pcs :: \<open>[i,i,i]\<Rightarrow>i\<close>
+  where \<open>pcs(A,a,g) == {t\<in>Pow(nat*A). \<exists>m\<in>nat. partcomp(A,t,m,a,g)}\<close>
+
+lemma pcs_uniq :
+  assumes F1:\<open>m1\<in>nat\<close>
+  assumes F2:\<open>m2\<in>nat\<close>
+  assumes H1: \<open>partcomp(A,f1,m1,a,g)\<close>
+  assumes H2: \<open>partcomp(A,f2,m2,a,g)\<close>
+  shows \<open>\<forall>n\<in>nat. n\<in>succ(m1) \<and> n\<in>succ(m2) \<longrightarrow> f1`n = f2`n\<close>
+proof(rule partcompE[OF H1], rule partcompE[OF H2])
+  assume H11:\<open>f1 \<in> succ(m1) \<rightarrow> A\<close>
+  assume H12:\<open>f1 ` 0 = a \<close>
+  assume H13:\<open>satpc(f1, m1, g)\<close>
+  assume H21:\<open>f2 \<in> succ(m2) \<rightarrow> A\<close>
+  assume H22:\<open>f2 ` 0 = a\<close>
+  assume H23:\<open>satpc(f2, m2, g)\<close>
+  show \<open>\<forall>n\<in>nat. n\<in>succ(m1) \<and> n\<in>succ(m2) \<longrightarrow> f1`n = f2`n\<close>
+proof(rule nat_induct_bound)
+  from H12 and H22
+  show \<open>0\<in>succ(m1) \<and> 0\<in>succ(m2) \<longrightarrow> f1 ` 0 = f2 ` 0\<close>
+    by auto
+next
+  fix x
+  assume J0:\<open>x\<in>nat\<close>
+  assume J1:\<open>x \<in> succ(m1) \<and> x \<in> succ(m2) \<longrightarrow> f1 ` x = f2 ` x\<close>
+  from H13 have G1:\<open>\<forall>n \<in> m1 . f1`succ(n) = g ` <f1`n, n>\<close>
+    by (unfold satpc_def, auto)
+  from H23 have G2:\<open>\<forall>n \<in> m2 . f2`succ(n) = g ` <f2`n, n>\<close>
+    by (unfold satpc_def, auto)
+  show \<open>succ(x) \<in> succ(m1) \<and> succ(x) \<in> succ(m2) \<longrightarrow>
+        f1 ` succ(x) = f2 ` succ(x)\<close>
+  proof
+    assume K:\<open>succ(x) \<in> succ(m1) \<and> succ(x) \<in> succ(m2)\<close>
+    from K have K1:\<open>succ(x) \<in> succ(m1)\<close> by auto
+    from K have K2:\<open>succ(x) \<in> succ(m2)\<close> by auto
+    have K1':\<open>x \<in> m1\<close> by (rule mp[OF bspec[OF succ_le F1] K1])
+    have K2':\<open>x \<in> m2\<close> by (rule mp[OF bspec[OF succ_le F2] K2])
+    have U1:\<open>x\<in>succ(m1)\<close>
+      by (rule Nat.succ_in_naturalD[OF K1 Nat.nat_succI[OF F1]])
+    have U2:\<open>x\<in>succ(m2)\<close>
+      by (rule Nat.succ_in_naturalD[OF K2 Nat.nat_succI[OF F2]])
+    have Y1:\<open>f1`succ(x) = g ` <f1`x, x>\<close>
+      by (rule bspec[OF G1 K1'])
+    have Y2:\<open>f2`succ(x) = g ` <f2`x, x>\<close>
+      by (rule bspec[OF G2 K2'])
+    have \<open>f1 ` x = f2 ` x\<close>
+      by(rule mp[OF J1 conjI[OF U1 U2]])
+    then have Y:\<open>g ` <f1`x, x> = g ` <f2`x, x>\<close> by auto
+    from Y1 and Y2 and Y
+    show \<open>f1 ` succ(x) = f2 ` succ(x)\<close>
+      by auto
+  qed
+qed
+qed
+
+lemma domainsubsetfunc :
+  assumes Q:\<open>f1\<subseteq>f2\<close>
+  shows \<open>domain(f1)\<subseteq>domain(f2)\<close>
+proof
+  fix x
+  assume H:\<open>x \<in> domain(f1)\<close>
+  show \<open>x \<in> domain(f2)\<close>
+  proof(rule domainE[OF H])
+    fix y
+    assume W:\<open>\<langle>x, y\<rangle> \<in> f1\<close>
+    have \<open>\<langle>x, y\<rangle> \<in> f2\<close>
+      by(rule subsetD[OF Q W])
+    then show \<open>x \<in> domain(f2)\<close>
+      by(rule domainI)
+  qed
+qed
+
+lemma natdomfunc:
+  assumes 1:\<open>q\<in>A\<close>
+  assumes J0:\<open>f1 \<in> Pow(nat \<times> A)\<close>
+  assumes U:\<open>m1 \<in> domain(f1)\<close>
+  shows \<open>m1\<in>nat\<close>
+proof -
+  from J0 have J0 : \<open>f1 \<subseteq> nat \<times> A\<close>
+    by auto
+  have J0:\<open>domain(f1) \<subseteq> domain(nat \<times> A)\<close>
+    by(rule func.domain_mono[OF J0])
+  have F:\<open>m1 \<in> domain(nat \<times> A)\<close>
+    by(rule subsetD[OF J0 U])
+  have R:\<open>domain(nat \<times> A) = nat\<close>
+    by (rule equalities.domain_of_prod[OF 1])
+  show \<open>m1 \<in> nat\<close>
+    by(rule subst[OF R], rule F)
+qed
+
+lemma pcs_lem :
+  assumes 1:\<open>q\<in>A\<close>
+  shows \<open>compatset(pcs(A, a, g))\<close>
+proof (*(rule compatsetI)*)
+  fix f1 f2
+  assume H1:\<open>f1 \<in> pcs(A, a, g)\<close>
+  then have H1':\<open>f1 \<in> {t\<in>Pow(nat*A). \<exists>m\<in>nat. partcomp(A,t,m,a,g)}\<close> by (unfold pcs_def)
+  hence H1'A:\<open>f1 \<in> Pow(nat*A)\<close> by auto
+  hence H1'A:\<open>f1 \<subseteq> (nat*A)\<close> by auto
+  assume H2:\<open>f2 \<in> pcs(A, a, g)\<close>
+  then have H2':\<open>f2 \<in> {t\<in>Pow(nat*A). \<exists>m\<in>nat. partcomp(A,t,m,a,g)}\<close> by (unfold pcs_def)
+  show \<open>compat(f1, f2)\<close>
+  proof(rule compatI)
+    fix x y1 y2
+    assume P1:\<open>\<langle>x, y1\<rangle> \<in> f1\<close>
+    assume P2:\<open>\<langle>x, y2\<rangle> \<in> f2\<close>
+    show \<open>y1 = y2\<close>
+    proof(rule CollectE[OF H1'], rule CollectE[OF H2'])
+      assume J0:\<open>f1 \<in> Pow(nat \<times> A)\<close>
+      assume J1:\<open>f2 \<in> Pow(nat \<times> A)\<close>
+      assume J2:\<open>\<exists>m\<in>nat. partcomp(A, f1, m, a, g)\<close>
+      assume J3:\<open>\<exists>m\<in>nat. partcomp(A, f2, m, a, g)\<close>
+      show \<open>y1 = y2\<close>
+      proof(rule bexE[OF J2], rule bexE[OF J3])
+        fix m1 m2
+        assume K1:\<open>partcomp(A, f1, m1, a, g)\<close>
+        assume K2:\<open>partcomp(A, f2, m2, a, g)\<close>
+        hence K2':\<open>(f2:succ(m2)\<rightarrow>A) \<and> (f2`0=a) \<and> satpc(f2,m2,g)\<close>
+          by (unfold partcomp_def)
+        from K1 have K1'A:\<open>(f1:succ(m1)\<rightarrow>A)\<close> by (rule partcompD1)
+        from K2' have K2'A:\<open>(f2:succ(m2)\<rightarrow>A)\<close> by auto
+        from K1'A have K1'AD:\<open>domain(f1) = succ(m1)\<close>
+          by(rule domain_of_fun)
+        from K2'A have K2'AD:\<open>domain(f2) = succ(m2)\<close>
+          by(rule domain_of_fun)
+        have L1:\<open>f1`x=y1\<close>
+          by (rule func.apply_equality[OF P1], rule K1'A)
+        have L2:\<open>f2`x=y2\<close>
+          by(rule func.apply_equality[OF P2], rule K2'A)
+        have m1nat:\<open>m1\<in>nat\<close>
+        proof(rule natdomfunc[OF 1 J0])
+          show \<open>m1 \<in> domain(f1)\<close>
+            by (rule ssubst[OF K1'AD], auto)
+        qed
+        have m2nat:\<open>m2\<in>nat\<close>
+        proof(rule natdomfunc[OF 1 J1])
+          show \<open>m2 \<in> domain(f2)\<close>
+            by (rule ssubst[OF K2'AD], auto)
+        qed
+        have G1:\<open>\<langle>x, y1\<rangle> \<in> (nat*A)\<close>
+          by(rule subsetD[OF H1'A P1])
+        have KK:\<open>x\<in>nat\<close>
+          by(rule SigmaE[OF G1], auto)
+        (*x is in the domain of f1  i.e. succ(m1)
+so we can have both  x \<in> ?m1.2 \<and> x \<in> ?m2.2
+how to prove that m1 \<in> nat ? from J0 !  f1 is a subset of nat \<times> A*)
+        have W:\<open>f1`x=f2`x\<close>
+        proof(rule mp[OF bspec[OF pcs_uniq KK] ])
+          show \<open>m1 \<in> nat\<close>
+            by (rule m1nat)
+        next
+          show \<open>m2 \<in> nat\<close>
+            by (rule m2nat)
+        next
+          show \<open>partcomp(A, f1, m1, a, g)\<close>
+            by (rule K1)
+        next
+          show \<open>partcomp(A, f2, m2, a, g)\<close>
+            by (rule K2)
+        next
+            (*  P1:\<open>\<langle>x, y1\<rangle> \<in> f1\<close>
+              K1'A:\<open>(f1:succ(m1)\<rightarrow>A)\<close>
+            *)
+          have U1:\<open>x \<in> succ(m1)\<close>
+            by (rule func.domain_type[OF P1 K1'A])
+          have U2:\<open>x \<in> succ(m2)\<close>
+            by (rule func.domain_type[OF P2 K2'A])
+          show \<open>x \<in> succ(m1) \<and> x \<in> succ(m2)\<close>
+            by (rule conjI[OF U1 U2])
+        qed
+        from L1 and W and L2
+        show \<open>y1 = y2\<close> by auto
+      qed
+    qed
+  qed
+qed
+
+theorem fuissu : \<open>f \<in> X -> Y \<Longrightarrow> f \<subseteq> X\<times>Y\<close>
+proof
+  fix w
+  assume H1 : \<open>f \<in> X -> Y\<close>
+  then have J1:\<open>f \<in> {q\<in>Pow(Sigma(X,\<lambda>_.Y)). X\<subseteq>domain(q) & function(q)}\<close>
+    by (unfold Pi_def)
+  then have J2:\<open>f \<in> Pow(Sigma(X,\<lambda>_.Y))\<close>
+    by auto
+  then have J3:\<open>f \<subseteq> Sigma(X,\<lambda>_.Y)\<close>
+    by auto
+  assume H2 : \<open>w \<in> f\<close>
+  from J3 and H2 have \<open>w\<in>Sigma(X,\<lambda>_.Y)\<close>
+    by auto
+  then have J4:\<open>w \<in> (\<Union>x\<in>X. (\<Union>y\<in>Y. {\<langle>x,y\<rangle>}))\<close>
+    by auto
+  show \<open>w \<in> X*Y\<close>
+  proof (rule UN_E[OF J4])
+    fix x
+    assume V1:\<open>x \<in> X\<close>
+    assume V2:\<open>w \<in> (\<Union>y\<in>Y. {\<langle>x, y\<rangle>})\<close>
+    show \<open>w \<in> X \<times> Y\<close>
+    proof (rule UN_E[OF V2])
+      fix y
+      assume V3:\<open>y \<in> Y\<close>
+      assume V4:\<open>w \<in> {\<langle>x, y\<rangle>}\<close>
+      then have V4:\<open>w = \<langle>x, y\<rangle>\<close>
+        by auto
+      have v5:\<open>\<langle>x, y\<rangle> \<in> Sigma(X,\<lambda>_.Y)\<close>
+      proof(rule SigmaI)
+        show \<open>x \<in> X\<close> by (rule V1)
+      next
+        show \<open>y \<in> Y\<close> by (rule V3)
+      qed
+      then have V5:\<open>\<langle>x, y\<rangle> \<in> X*Y\<close>
+        by auto
+      from V4 and V5 show \<open>w \<in> X \<times> Y\<close> by auto
+    qed
+  qed
+qed
+
+theorem recuniq :
+  fixes f
+  assumes H0:\<open>f \<in> nat -> A \<and> f ` 0 = a \<and> satpc(f, nat, g)\<close>
+  fixes t
+  assumes H1:\<open>t \<in> nat -> A \<and> t ` 0 = a \<and> satpc(t, nat, g)\<close>
+  fixes x
+  shows \<open>f=t\<close>
+proof -
+  from H0 have H02:\<open>\<forall>n \<in> nat. f`succ(n) = g ` <(f`n), n>\<close> by (unfold satpc_def, auto)
+  from H0 have H01:\<open>f ` 0 = a\<close> by auto
+  from H0 have H00:\<open>f \<in> nat -> A\<close> by auto
+  from H1 have H12:\<open>\<forall>n \<in> nat. t`succ(n) = g ` <(t`n), n>\<close> by (unfold satpc_def, auto)
+  from H1 have H11:\<open>t ` 0 = a\<close> by auto
+  from H1 have H10:\<open>t \<in> nat -> A\<close> by auto
+  show \<open>f=t\<close>
+  proof (rule fun_extension[OF H00 H10])
+    fix x
+    assume K: \<open>x \<in> nat\<close>
+    show \<open>(f ` x) = (t ` x)\<close>
+    proof(rule nat_induct[of x])
+      show \<open>x \<in> nat\<close> by (rule K)
+    next
+      from H01 and H11 show \<open>f ` 0 = t ` 0\<close>
+        by auto
+    next
+      fix x
+      assume A:\<open>x\<in>nat\<close>
+      assume B:\<open>f`x = t`x\<close>
+      show \<open>f ` succ(x) = t ` succ(x)\<close>
+      proof -
+        from H02 and A have H02':\<open>f`succ(x) = g ` <(f`x), x>\<close>
+          by (rule bspec)
+        from H12 and A have H12':\<open>t`succ(x) = g ` <(t`x), x>\<close>
+          by (rule bspec)
+        from B and H12' have H12'':\<open>t`succ(x) = g ` <(f`x), x>\<close> by auto
+        from H12'' and H02' show \<open>f ` succ(x) = t ` succ(x)\<close> by auto
+      qed
+    qed
+  qed
+qed
+
+section \<open>Lemmas for recursion theorem\<close>
+
+locale recthm =
+  fixes A :: "i"
+    and a :: "i"
+    and g :: "i"
+  assumes hyp1 : \<open>a \<in> A\<close>
+    and hyp2 : \<open>g : ((A*nat)\<rightarrow>A)\<close>
+begin
+
+lemma l3:\<open>function(\<Union>pcs(A, a, g))\<close>
+  by (rule compatsetunionfun, rule pcs_lem, rule hyp1)
+
+lemma l1 : \<open>\<Union>pcs(A, a, g) \<subseteq> nat \<times> A\<close>
+proof
+  fix x
+  assume H:\<open>x \<in> \<Union>pcs(A, a, g)\<close>
+  hence  H:\<open>x \<in> \<Union>{t\<in>Pow(nat*A). \<exists>m\<in>nat. partcomp(A,t,m,a,g)}\<close>
+    by (unfold pcs_def)
+  show \<open>x \<in> nat \<times> A\<close>
+  proof(rule UnionE[OF H])
+    fix B
+    assume J1:\<open>x\<in>B\<close>
+    assume J2:\<open>B \<in> {t \<in> Pow(nat \<times> A) .
+            \<exists>m\<in>nat. partcomp(A, t, m, a, g)}\<close>
+    hence J2:\<open>B \<in> Pow(nat \<times> A)\<close> by auto
+    hence J2:\<open>B \<subseteq> nat \<times> A\<close> by auto
+    from J1 and J2 show \<open>x \<in> nat \<times> A\<close>
+      by auto
+  qed
+qed
+
+lemma le1:
+  assumes H:\<open>x\<in>1\<close>
+  shows \<open>x=0\<close>
+proof
+  show \<open>x \<subseteq> 0\<close>
+  proof
+    fix z
+    assume J:\<open>z\<in>x\<close>
+    show \<open>z\<in>0\<close>
+    proof(rule succE[OF H])
+      assume J:\<open>x\<in>0\<close>
+      show \<open>z\<in>0\<close>
+        by (rule notE[OF not_mem_empty J])
+    next
+      assume K:\<open>x=0\<close>
+      from J and K show \<open>z\<in>0\<close>
+        by auto
+    qed
+  qed
+next
+  show \<open>0 \<subseteq> x\<close> by auto
+qed
+
+lemma lsinglfun : \<open>function({\<langle>0, a\<rangle>})\<close>
+proof(unfold function_def)
+  show \<open> \<forall>x y. \<langle>x, y\<rangle> \<in> {\<langle>0, a\<rangle>} \<longrightarrow>
+          (\<forall>y'. \<langle>x, y'\<rangle> \<in> {\<langle>0, a\<rangle>} \<longrightarrow>
+                y = y')\<close>
+  proof(rule allI,rule allI,rule impI,rule allI,rule impI)
+    fix x y y'
+    assume H0:\<open>\<langle>x, y\<rangle> \<in> {\<langle>0, a\<rangle>}\<close>
+    assume H1:\<open>\<langle>x, y'\<rangle> \<in> {\<langle>0, a\<rangle>}\<close>
+    show \<open>y = y'\<close>
+    proof(rule upair.singletonE[OF H0],rule upair.singletonE[OF H1])
+      assume H0:\<open>\<langle>x, y\<rangle> = \<langle>0, a\<rangle>\<close>
+      assume H1:\<open>\<langle>x, y'\<rangle> = \<langle>0, a\<rangle>\<close>
+      from H0 and H1 have H:\<open>\<langle>x, y\<rangle> = \<langle>x, y'\<rangle>\<close> by auto
+      then show \<open>y = y'\<close> by auto
+    qed
+  qed
+qed
+
+lemma singlsatpc:\<open>satpc({\<langle>0, a\<rangle>}, 0, g)\<close>
+proof(unfold satpc_def)
+  show \<open>\<forall>n\<in>0. {\<langle>0, a\<rangle>} ` succ(n) =
+           g ` \<langle>{\<langle>0, a\<rangle>} ` n, n\<rangle>\<close>
+    by auto
+qed
+
+lemma zerostep :
+  shows \<open>partcomp(A, {\<langle>0, a\<rangle>}, 0, a, g)\<close>
+proof(unfold partcomp_def)
+  show \<open>{\<langle>0, a\<rangle>} \<in> 1 -> A \<and> {\<langle>0, a\<rangle>} ` 0 = a \<and> satpc({\<langle>0, a\<rangle>}, 0, g)\<close>
+  proof
+    show \<open>{\<langle>0, a\<rangle>} \<in> 1 -> A\<close>
+    proof (unfold Pi_def)
+      show \<open>{\<langle>0, a\<rangle>} \<in> {f \<in> Pow(1 \<times> A) . 1 \<subseteq> domain(f) \<and> function(f)}\<close>
+      proof
+        show \<open>{\<langle>0, a\<rangle>} \<in> Pow(1 \<times> A)\<close>
+        proof(rule PowI, rule equalities.singleton_subsetI)
+          show \<open>\<langle>0, a\<rangle> \<in> 1 \<times> A\<close>
+          proof
+            show \<open>0 \<in> 1\<close> by auto
+          next
+            show \<open>a \<in> A\<close> by (rule hyp1)
+          qed
+        qed
+      next
+        show \<open>1 \<subseteq> domain({\<langle>0, a\<rangle>}) \<and> function({\<langle>0, a\<rangle>})\<close>
+        proof
+          show \<open>1 \<subseteq> domain({\<langle>0, a\<rangle>})\<close>
+          proof
+            fix x
+            assume W:\<open>x\<in>1\<close>
+            from W have W:\<open>x=0\<close> by (rule le1)
+            have Y:\<open>0\<in>domain({\<langle>0, a\<rangle>})\<close>
+              by auto
+            from W and Y
+            show \<open>x\<in>domain({\<langle>0, a\<rangle>})\<close>
+              by auto
+          qed
+        next
+          show \<open>function({\<langle>0, a\<rangle>})\<close>
+            by (rule lsinglfun)
+        qed
+      qed
+    qed
+    show \<open>{\<langle>0, a\<rangle>} ` 0 = a \<and> satpc({\<langle>0, a\<rangle>}, 0, g)\<close>
+    proof
+      show \<open>{\<langle>0, a\<rangle>} ` 0 = a\<close>
+        by (rule func.singleton_apply)
+    next
+      show \<open>satpc({\<langle>0, a\<rangle>}, 0, g)\<close>
+        by (rule singlsatpc)
+    qed
+  qed
+qed
+
+lemma zainupcs : \<open>\<langle>0, a\<rangle> \<in> \<Union>pcs(A, a, g)\<close>
+proof
+  show \<open>\<langle>0, a\<rangle> \<in> {\<langle>0, a\<rangle>}\<close>
+    by auto
+next
+  (* {\<langle>0, a\<rangle>} is a 0-step computation *)
+  show \<open>{\<langle>0, a\<rangle>} \<in> pcs(A, a, g)\<close>
+  proof(unfold pcs_def)
+    show \<open>{\<langle>0, a\<rangle>} \<in> {t \<in> Pow(nat \<times> A) . \<exists>m\<in>nat. partcomp(A, t, m, a, g)}\<close>
+    proof
+      show \<open>{\<langle>0, a\<rangle>} \<in> Pow(nat \<times> A)\<close>
+      proof(rule PowI, rule equalities.singleton_subsetI)
+        show \<open>\<langle>0, a\<rangle> \<in> nat \<times> A\<close>
+        proof
+          show \<open>0 \<in> nat\<close> by auto
+        next
+          show \<open>a \<in> A\<close> by (rule hyp1)
+        qed
+      qed
+    next
+      show \<open>\<exists>m\<in>nat. partcomp(A, {\<langle>0, a\<rangle>}, m, a, g)\<close>
+      proof
+        show \<open>partcomp(A, {\<langle>0, a\<rangle>}, 0, a, g)\<close>
+          by (rule zerostep)
+      next
+        show \<open>0 \<in> nat\<close> by auto
+      qed
+    qed
+  qed
+qed
+
+lemma l2': \<open>0 \<in> domain(\<Union>pcs(A, a, g))\<close>
+proof
+  show \<open>\<langle>0, a\<rangle> \<in> \<Union>pcs(A, a, g)\<close>
+    by (rule zainupcs)
+qed
+
+text \<open>Push an ordered pair to the end of partial computation t
+and obtain another partial computation.\<close>
+lemma shortlem :
+  assumes mnat:\<open>m\<in>nat\<close>
+  assumes F:\<open>partcomp(A,t,m,a,g)\<close>
+  shows \<open>partcomp(A,cons(\<langle>succ(m), g ` <t`m, m>\<rangle>, t),succ(m),a,g)\<close>
+proof(rule partcompE[OF F])
+  assume F1:\<open>t \<in> succ(m) \<rightarrow> A\<close>
+  assume F2:\<open>t ` 0 = a\<close>
+  assume F3:\<open>satpc(t, m, g)\<close>
+  show ?thesis (*\<open>partcomp(A,cons(\<langle>succ(m), g ` <t`m, m>\<rangle>, t),succ(m),a,g)\<close> *)
+  proof
+    have ljk:\<open>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) \<in> (cons(succ(m),succ(m)) \<rightarrow> A)\<close>
+    proof(rule func.fun_extend3[OF F1])
+      show \<open>succ(m) \<notin> succ(m)\<close>
+        by (rule  upair.mem_not_refl)
+      have tmA:\<open>t ` m \<in> A\<close>
+        by (rule func.apply_funtype[OF F1], auto)
+      show \<open>g ` \<langle>t ` m, m\<rangle> \<in> A\<close>
+        by(rule func.apply_funtype[OF hyp2], auto, rule tmA, rule mnat)
+    qed
+    have \<open>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) \<in> (cons(succ(m),succ(m)) \<rightarrow> A)\<close>
+      by (rule ljk)
+    then have \<open>cons(\<langle>cons(m, m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) \<in> cons(cons(m, m), cons(m, m)) \<rightarrow> A\<close>
+      by (unfold succ_def)
+    then show \<open>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) \<in> succ(succ(m)) \<rightarrow> A\<close>
+      by (unfold succ_def, assumption)
+    show \<open>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` 0 = a\<close>
+    proof(rule trans, rule func.fun_extend_apply[OF F1])
+      show \<open>succ(m) \<notin> succ(m)\<close> by (rule  upair.mem_not_refl)
+      show \<open>(if 0 = succ(m) then g ` \<langle>t ` m, m\<rangle> else t ` 0) = a\<close>
+        by(rule trans, rule upair.if_not_P, auto, rule F2)
+    qed
+    show \<open>satpc(cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t), succ(m), g)\<close>
+    proof(unfold satpc_def, rule ballI)
+      fix n
+      assume Q:\<open>n \<in> succ(m)\<close>
+      show \<open>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` succ(n)
+= g ` \<langle>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` n, n\<rangle>\<close>
+      proof(rule trans, rule func.fun_extend_apply[OF F1], rule upair.mem_not_refl)
+        show \<open>(if succ(n) = succ(m) then g ` \<langle>t ` m, m\<rangle> else t ` succ(n)) =
+    g ` \<langle>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` n, n\<rangle>\<close>
+        proof(rule upair.succE[OF Q])
+          assume Y:\<open>n=m\<close>
+          show \<open>(if succ(n) = succ(m) then g ` \<langle>t ` m, m\<rangle> else t ` succ(n)) =
+    g ` \<langle>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` n, n\<rangle>\<close>
+          proof(rule trans, rule upair.if_P)
+            from Y show \<open>succ(n) = succ(m)\<close> by auto
+          next
+            have L1:\<open>t ` m = cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` n\<close>
+            proof(rule sym, rule trans, rule func.fun_extend_apply[OF F1], rule upair.mem_not_refl)
+              show \<open> (if n = succ(m) then g ` \<langle>t ` m, m\<rangle> else t ` n) = t ` m\<close>
+              proof(rule trans, rule upair.if_not_P)
+                from Y show \<open>t ` n = t ` m\<close> by auto
+                show \<open>n \<noteq> succ(m)\<close>
+                proof(rule not_sym)
+                  show \<open>succ(m) \<noteq> n\<close>
+                    by(rule subst, rule sym, rule Y, rule upair.succ_neq_self)
+                qed
+              qed
+            qed
+            from Y
+            have L2:\<open>m = n\<close>
+              by auto
+            have L:\<open> \<langle>t ` m, m\<rangle> = \<langle>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` n, n\<rangle>\<close>
+              by(rule subst_context2[OF L1 L2])
+            show \<open> g ` \<langle>t ` m, m\<rangle> = g ` \<langle>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` n, n\<rangle>\<close>
+              by(rule subst_context[OF L])
+          qed
+        next
+          assume Y:\<open>n \<in> m\<close>
+          show \<open>(if succ(n) = succ(m) then g ` \<langle>t ` m, m\<rangle> else t ` succ(n)) =
+                g ` \<langle>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` n, n\<rangle>\<close>
+          proof(rule trans, rule upair.if_not_P)
+            show \<open>succ(n) \<noteq> succ(m)\<close>
+              by(rule contrapos, rule upair.mem_imp_not_eq, rule Y, rule upair.succ_inject, assumption)
+          next
+            have X:\<open>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` n = t ` n\<close>
+            proof(rule trans, rule func.fun_extend_apply[OF F1], rule upair.mem_not_refl)
+              show \<open>(if n = succ(m) then g ` \<langle>t ` m, m\<rangle> else t ` n) = t ` n\<close>
+              proof(rule upair.if_not_P)
+                show \<open>n \<noteq> succ(m)\<close>
+                proof(rule contrapos)
+                  assume q:"n=succ(m)"
+                  from q and Y have M:\<open>succ(m)\<in>m\<close>
+                    by auto
+                  show \<open>m\<in>m\<close>
+                    by(rule Nat.succ_in_naturalD[OF M mnat])
+                next
+                  show \<open>m \<notin> m\<close> by (rule  upair.mem_not_refl)
+                qed
+              qed
+            qed
+            from F3
+            have W:\<open>\<forall>n\<in>m. t ` succ(n) = g ` \<langle>t ` n, n\<rangle>\<close>
+              by (unfold satpc_def)
+            have U:\<open>t ` succ(n) = g ` \<langle>t ` n, n\<rangle>\<close>
+              by (rule bspec[OF W Y])
+            show \<open>t ` succ(n) = g ` \<langle>cons(\<langle>succ(m), g ` \<langle>t ` m, m\<rangle>\<rangle>, t) ` n, n\<rangle>\<close>
+              by (rule trans, rule U, rule sym, rule subst_context[OF X])
+          qed
+        qed
+      qed
+    qed
+  qed
+qed
+
+lemma l2:\<open>nat \<subseteq> domain(\<Union>pcs(A, a, g))\<close>
+proof
+  fix x
+  assume G:\<open>x\<in>nat\<close>
+  show \<open>x \<in> domain(\<Union>pcs(A, a, g))\<close>
+  proof(rule nat_induct[of x])
+    show \<open>x\<in>nat\<close> by (rule G)
+  next
+    fix x
+    assume Q1:\<open>x\<in>nat\<close>
+    assume Q2:\<open>x\<in>domain(\<Union>pcs(A, a, g))\<close>
+    show \<open>succ(x)\<in>domain(\<Union>pcs(A, a, g))\<close>
+    proof(rule domainE[OF Q2])
+      fix y
+      assume W1:\<open>\<langle>x, y\<rangle> \<in> (\<Union>pcs(A, a, g))\<close>
+      show \<open>succ(x)\<in>domain(\<Union>pcs(A, a, g))\<close>
+      proof(rule UnionE[OF W1])
+        fix t
+        assume E1:\<open>\<langle>x, y\<rangle> \<in> t\<close>
+        assume E2:\<open>t \<in> pcs(A, a, g)\<close>
+        hence E2:\<open>t\<in>{t\<in>Pow(nat*A). \<exists>m \<in> nat. partcomp(A,t,m,a,g)}\<close>
+          by(unfold pcs_def)
+        have E21:\<open>t\<in>Pow(nat*A)\<close>
+          by(rule CollectD1[OF E2])
+        have E22m:\<open>\<exists>m\<in>nat. partcomp(A,t,m,a,g)\<close>
+          by(rule CollectD2[OF E2])
+        show \<open>succ(x)\<in>domain(\<Union>pcs(A, a, g))\<close>
+        proof(rule bexE[OF E22m])
+          fix m
+          assume mnat:\<open>m\<in>nat\<close>
+          assume E22P:\<open>partcomp(A,t,m,a,g)\<close>
+          hence E22:\<open>((t:succ(m)\<rightarrow>A) \<and> (t`0=a)) \<and> satpc(t,m,g)\<close>
+            by(unfold partcomp_def, auto)
+          hence E223:\<open>satpc(t,m,g)\<close> by auto
+          hence E223:\<open>\<forall>n \<in> m . t`succ(n) = g ` <t`n, n>\<close>
+            by(unfold satpc_def, auto)
+          from E22 have E221:\<open>(t:succ(m)\<rightarrow>A)\<close>
+            by auto
+          from E221 have domt:\<open>domain(t) = succ(m)\<close>
+            by (rule func.domain_of_fun)
+          from E1 have xind:\<open>x \<in> domain(t)\<close>
+            by (rule equalities.domainI)
+          from xind and domt have xinsm:\<open>x \<in> succ(m)\<close>
+            by auto
+          show \<open>succ(x)\<in>domain(\<Union>pcs(A, a, g))\<close>
+          proof
+        (*proof(rule exE[OF E22])*)
+            show \<open> \<langle>succ(x), g ` <t`x, x>\<rangle> \<in> (\<Union>pcs(A, a, g))\<close> (*?*)
+            proof
+             (*t\<union>{\<langle>succ(x), g ` <t`x, x>\<rangle>}*)
+              show \<open>cons(\<langle>succ(x), g ` <t`x, x>\<rangle>, t) \<in> pcs(A, a, g)\<close>
+              proof(unfold pcs_def, rule CollectI)
+                from E21
+                have L1:\<open>t \<subseteq> nat \<times> A\<close>
+                  by auto
+                from Q1 have J1:\<open>succ(x)\<in>nat\<close>
+                  by auto(*Nat.nat_succI*)
+                have txA: \<open>t ` x \<in> A\<close>
+                  by (rule func.apply_type[OF E221 xinsm])
+                from txA and Q1 have txx:\<open>\<langle>t ` x, x\<rangle> \<in> A \<times> nat\<close>
+                  by auto
+                have secp: \<open>g ` \<langle>t ` x, x\<rangle> \<in> A\<close>
+                  by(rule func.apply_type[OF hyp2 txx])
+                from J1 and secp
+                have L2:\<open>\<langle>succ(x),g ` \<langle>t ` x, x\<rangle>\<rangle> \<in> nat \<times> A\<close>
+                  by auto
+                show \<open> cons(\<langle>succ(x),g ` \<langle>t ` x, x\<rangle>\<rangle>,t) \<in> Pow(nat \<times> A)\<close>
+                proof(rule PowI)
+                  show \<open> cons(\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle>, t) \<subseteq> nat \<times> A\<close>
+                  proof
+                    show \<open>\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle> \<in> nat \<times> A \<and> t \<subseteq> nat \<times> A\<close>
+                      by (rule conjI[OF L2 L1])
+                  qed
+                qed
+              next
+                show \<open>\<exists>m \<in> nat. partcomp(A, cons(\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle>, t), m, a, g)\<close>
+                proof(rule succE[OF xinsm])
+                  assume xeqm:\<open>x=m\<close>
+                  show \<open>\<exists>m \<in> nat. partcomp(A, cons(\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle>, t), m, a, g)\<close>
+                  proof
+                    show \<open>partcomp(A, cons(\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle>, t), succ(x), a, g)\<close>
+                    proof(rule shortlem[OF Q1])
+                      show \<open>partcomp(A, t, x, a, g)\<close>
+                      proof(rule subst[of m x], rule sym, rule xeqm)
+                        show \<open>partcomp(A, t, m, a, g)\<close>
+                          by (rule E22P)
+                      qed
+                    qed
+                  next
+                    from Q1 show \<open>succ(x) \<in> nat\<close> by auto
+                  qed
+                next
+                  assume xinm:\<open>x\<in>m\<close>
+                  have lmm:\<open>cons(\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle>, t) = t\<close>
+                    by (rule addmiddle[OF mnat E22P xinm])
+                  show \<open>\<exists>m\<in>nat. partcomp(A, cons(\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle>, t), m, a, g)\<close>
+                    by(rule subst[of t], rule sym, rule lmm, rule E22m)
+                qed
+              qed
+            next
+              show \<open>\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle> \<in> cons(\<langle>succ(x), g ` \<langle>t ` x, x\<rangle>\<rangle>, t)\<close>
+                by auto
+            qed
+          qed
+        qed
+      qed
+    qed
+  next
+    show \<open>0 \<in> domain(\<Union>pcs(A, a, g))\<close>
+      by (rule l2')
+  qed
+qed
+
+lemma useful : \<open>\<forall>m\<in>nat. \<exists>t. partcomp(A,t,m,a,g)\<close>
+proof(rule nat_induct_bound)
+  show \<open>\<exists>t. partcomp(A, t, 0, a, g)\<close>
+  proof
+    show \<open>partcomp(A, {\<langle>0, a\<rangle>}, 0, a, g)\<close>
+      by (rule zerostep)
+  qed
+next
+  fix m
+  assume mnat:\<open>m\<in>nat\<close>
+  assume G:\<open>\<exists>t. partcomp(A,t,m,a,g)\<close>
+  show \<open>\<exists>t. partcomp(A,t,succ(m),a,g)\<close>
+  proof(rule exE[OF G])
+    fix t
+    assume G:\<open>partcomp(A,t,m,a,g)\<close>
+    show \<open>\<exists>t. partcomp(A,t,succ(m),a,g)\<close>
+    proof
+      show \<open>partcomp(A,cons(\<langle>succ(m), g ` <t`m, m>\<rangle>, t),succ(m),a,g)\<close>
+        by(rule shortlem[OF mnat G])
+    qed
+  qed
+qed
+
+lemma l4 : \<open>(\<Union>pcs(A,a,g)) \<in> nat -> A\<close>
+proof(unfold Pi_def)
+  show \<open> \<Union>pcs(A, a, g) \<in> {f \<in> Pow(nat \<times> A) . nat \<subseteq> domain(f) \<and> function(f)}\<close>
+  proof
+    show \<open>\<Union>pcs(A, a, g) \<in> Pow(nat \<times> A)\<close>
+    proof
+      show \<open>\<Union>pcs(A, a, g) \<subseteq> nat \<times> A\<close>
+        by (rule l1)
+    qed
+  next
+    show \<open>nat \<subseteq> domain(\<Union>pcs(A, a, g)) \<and> function(\<Union>pcs(A, a, g))\<close>
+    proof
+      show \<open>nat \<subseteq> domain(\<Union>pcs(A, a, g))\<close>
+        by (rule l2)
+    next
+      show \<open>function(\<Union>pcs(A, a, g))\<close>
+        by (rule l3)
+    qed
+  qed
+qed
+
+lemma l5: \<open>(\<Union>pcs(A, a, g)) ` 0 = a\<close>
+proof(rule func.function_apply_equality)
+  show \<open>function(\<Union>pcs(A, a, g))\<close>
+    by (rule l3)
+next
+  show \<open>\<langle>0, a\<rangle> \<in> \<Union>pcs(A, a, g)\<close>
+    by (rule zainupcs)
+qed
+
+lemma ballE2:
+  assumes \<open>\<forall>x\<in>AA. P(x)\<close>
+  assumes \<open>x\<in>AA\<close>
+  assumes \<open>P(x) ==> Q\<close>
+  shows Q
+  by (rule assms(3), rule bspec, rule assms(1), rule assms(2))
+
+text \<open> Recall that
+  \<open>satpc(t,\<alpha>,g) == \<forall>n \<in> \<alpha> . t`succ(n) = g ` <t`n, n>\<close>
+  \<open>partcomp(A,t,m,a,g) == (t:succ(m)\<rightarrow>A) \<and> (t`0=a) \<and> satpc(t,m,g)\<close>
+  \<open>pcs(A,a,g) == {t\<in>Pow(nat*A). \<exists>m. partcomp(A,t,m,a,g)}\<close>
+\<close>
+
+lemma l6new: \<open>satpc(\<Union>pcs(A, a, g), nat, g)\<close>
+proof (unfold satpc_def, rule ballI)
+  fix n
+  assume nnat:\<open>n\<in>nat\<close>
+  hence snnat:\<open>succ(n)\<in>nat\<close> by auto
+  (* l2:\<open>nat \<subseteq> domain(\<Union>pcs(A, a, g))\<close> *)
+  show \<open>(\<Union>pcs(A, a, g)) ` succ(n) = g ` \<langle>(\<Union>pcs(A, a, g)) ` n, n\<rangle>\<close>
+  proof(rule ballE2[OF useful snnat], erule exE)
+    fix t
+    assume Y:\<open>partcomp(A, t, succ(n), a, g)\<close>
+    show \<open>(\<Union>pcs(A, a, g)) ` succ(n) = g ` \<langle>(\<Union>pcs(A, a, g)) ` n, n\<rangle>\<close>
+    proof(rule partcompE[OF Y])
+      assume Y1:\<open>t \<in> succ(succ(n)) \<rightarrow> A\<close>
+      assume Y2:\<open>t ` 0 = a\<close>
+      assume Y3:\<open>satpc(t, succ(n), g)\<close>
+      hence Y3:\<open>\<forall>x \<in> succ(n) . t`succ(x) = g ` <t`x, x>\<close>
+        by (unfold satpc_def)
+      hence Y3:\<open>t`succ(n) = g ` <t`n, n>\<close>
+        by (rule bspec, auto)
+      have e1:\<open>(\<Union>pcs(A, a, g)) ` succ(n) = t ` succ(n)\<close>
+      proof(rule valofunion, rule pcs_lem, rule hyp1)
+        show \<open>t \<in> pcs(A, a, g)\<close>
+        proof(unfold pcs_def, rule CollectI)
+          show \<open>t \<in> Pow(nat \<times> A)\<close>
+            proof(rule tgb)
+            show \<open>t \<in> succ(succ(n)) \<rightarrow> A\<close> by (rule Y1)
+          next
+            from snnat
+            show \<open>succ(succ(n)) \<in> nat\<close> by auto
+          qed
+        next
+          show \<open>\<exists>m\<in>nat. partcomp(A, t, m, a, g)\<close>
+            by(rule bexI, rule Y, rule snnat)
+        qed
+      next
+        show \<open>t \<in> succ(succ(n)) \<rightarrow> A\<close> by (rule Y1)
+      next
+        show \<open>succ(n) \<in> succ(succ(n))\<close> by auto
+      next
+        show \<open>t ` succ(n) = t ` succ(n)\<close> by (rule refl)
+      qed
+      have e2:\<open>(\<Union>pcs(A, a, g)) ` n = t ` n\<close>
+      proof(rule valofunion, rule pcs_lem, rule hyp1)
+        show \<open>t \<in> pcs(A, a, g)\<close>
+        proof(unfold pcs_def, rule CollectI)
+          show \<open>t \<in> Pow(nat \<times> A)\<close>
+          proof(rule tgb)
+            show \<open>t \<in> succ(succ(n)) \<rightarrow> A\<close> by (rule Y1)
+          next
+            from snnat
+            show \<open>succ(succ(n)) \<in> nat\<close> by auto
+          qed
+        next
+          show \<open>\<exists>m\<in>nat. partcomp(A, t, m, a, g)\<close>
+            by(rule bexI, rule Y, rule snnat)
+        qed
+      next
+        show \<open>t \<in> succ(succ(n)) \<rightarrow> A\<close> by (rule Y1)
+      next
+        show \<open>n \<in> succ(succ(n))\<close> by auto
+      next
+        show \<open>t ` n = t ` n\<close> by (rule refl)
+      qed
+      have e3:\<open>g ` \<langle>(\<Union>pcs(A, a, g)) ` n, n\<rangle> = g ` \<langle>t ` n, n\<rangle>\<close>
+        by (rule subst[OF e2], rule refl)
+      show \<open>(\<Union>pcs(A, a, g)) ` succ(n) = g ` \<langle>(\<Union>pcs(A, a, g)) ` n, n\<rangle>\<close>
+        by (rule trans, rule e1,rule trans, rule Y3, rule sym, rule e3)
+    qed
+  qed
+qed
+
+section "Recursion theorem"
+
+theorem recursionthm:
+  shows \<open>\<exists>!f. ((f \<in> (nat\<rightarrow>A)) \<and> ((f`0) = a) \<and> satpc(f,nat,g))\<close>
+(* where \<open>satpc(t,\<alpha>,g) == \<forall>n \<in> \<alpha> . t`succ(n) = g ` <t`n, n>\<close> *)
+proof
+  show \<open>\<exists>f. f \<in> nat -> A \<and> f ` 0 = a \<and> satpc(f, nat, g)\<close>
+  proof
+    show \<open>(\<Union>pcs(A,a,g)) \<in> nat -> A \<and> (\<Union>pcs(A,a,g)) ` 0 = a \<and> satpc(\<Union>pcs(A,a,g), nat, g)\<close>
+    proof
+      show \<open>\<Union>pcs(A, a, g) \<in> nat -> A\<close>
+        by (rule l4)
+    next
+      show \<open>(\<Union>pcs(A, a, g)) ` 0 = a \<and> satpc(\<Union>pcs(A, a, g), nat, g)\<close>
+      proof
+        show \<open>(\<Union>pcs(A, a, g)) ` 0 = a\<close>
+          by (rule l5)
+      next
+        show \<open>satpc(\<Union>pcs(A, a, g), nat, g)\<close>
+          by (rule l6new)
+      qed
+    qed
+  qed
+next
+  show \<open>\<And>f y. f \<in> nat -> A \<and>
+           f ` 0 = a \<and>
+           satpc(f, nat, g) \<Longrightarrow>
+           y \<in> nat -> A \<and>
+           y ` 0 = a \<and>
+           satpc(y, nat, g) \<Longrightarrow>
+           f = y\<close>
+    by (rule recuniq)
+qed
+
+end
+
+section "Lemmas for addition"
+
+text \<open>
+Let's define function t(x) = (a+x).
+Firstly we need to define a function \<open>g:nat \<times> nat \<rightarrow> nat\<close>, such that
+\<open>g`\<langle>t`n, n\<rangle> = t`succ(n) = a + (n + 1) = (a + n) + 1 = (t`n) + 1\<close>
+So \<open>g`\<langle>a, b\<rangle> = a + 1\<close> and \<open>g(p) = succ(pr1(p))\<close>
+and \<open>satpc(t,\<alpha>,g) \<Longleftrightarrow> \<forall>n \<in> \<alpha> . t`succ(n) = succ(t`n)\<close>.
+\<close>
+
+definition addg :: \<open>i\<close>
+  where addg_def : \<open>addg == \<lambda>x\<in>(nat*nat). succ(fst(x))\<close>
+
+lemma addgfun: \<open>function(addg)\<close>
+  by (unfold addg_def, rule func.function_lam)
+
+lemma addgsubpow : \<open>addg \<in> Pow((nat \<times> nat) \<times> nat)\<close>
+proof (unfold addg_def, rule subsetD)
+  show \<open>(\<lambda>x\<in>nat \<times> nat. succ(fst(x))) \<in> nat \<times> nat \<rightarrow> nat\<close>
+  proof(rule func.lam_type)
+    fix x
+    assume \<open>x\<in>nat \<times> nat\<close>
+    hence \<open>fst(x)\<in>nat\<close> by auto
+    thus \<open>succ(fst(x)) \<in> nat\<close> by auto
+  qed
+next
+  show \<open>nat \<times> nat \<rightarrow> nat \<subseteq> Pow((nat \<times> nat) \<times> nat)\<close>
+    by (rule pisubsig)
+qed
+
+lemma addgdom : \<open>nat \<times> nat \<subseteq> domain(addg)\<close>
+proof(unfold addg_def)
+  have e:\<open>domain(\<lambda>x\<in>nat \<times> nat. succ(fst(x))) = nat \<times> nat\<close>
+    by (rule domain_lam)  (* "domain(Lambda(A,b)) = A" *)
+  show \<open>nat \<times> nat \<subseteq>
+    domain(\<lambda>x\<in>nat \<times> nat. succ(fst(x)))\<close>
+    by (rule subst, rule sym, rule e, auto)
+qed
+
+lemma plussucc:
+  assumes F:\<open>f \<in> (nat\<rightarrow>nat)\<close>
+  assumes H:\<open>satpc(f,nat,addg)\<close>
+  shows \<open>\<forall>n \<in> nat . f`succ(n) = succ(f`n)\<close>
+proof
+  fix n
+  assume J:\<open>n\<in>nat\<close>
+  from H
+  have H:\<open>\<forall>n \<in> nat . f`succ(n) = (\<lambda>x\<in>(nat*nat). succ(fst(x)))` <f`n, n>\<close>
+    by (unfold satpc_def, unfold addg_def)
+  have H:\<open>f`succ(n) = (\<lambda>x\<in>(nat*nat). succ(fst(x)))` <f`n, n>\<close>
+    by (rule bspec[OF H J])
+  have Q:\<open>(\<lambda>x\<in>(nat*nat). succ(fst(x)))` <f`n, n> = succ(fst(<f`n, n>))\<close>
+  proof(rule func.beta)
+    show \<open>\<langle>f ` n, n\<rangle> \<in> nat \<times> nat\<close>
+    proof
+      show \<open>f ` n \<in> nat\<close>
+        by (rule func.apply_funtype[OF F J])
+      show \<open>n \<in> nat\<close>
+        by (rule J)
+    qed
+  qed
+  have HQ:\<open>f`succ(n) = succ(fst(<f`n, n>))\<close>
+    by (rule trans[OF H Q])
+  have K:\<open>fst(<f`n, n>) = f`n\<close>
+    by auto
+  hence K:\<open>succ(fst(<f`n, n>)) = succ(f`n)\<close>
+    by (rule subst_context)
+  show \<open>f`succ(n) = succ(f`n)\<close>
+    by (rule trans[OF HQ K])
+qed
+
+section "Definition of addition"
+
+text \<open>Theorem that addition of natural numbers exists
+and unique in some sense. Due to theorem 'plussucc' the term
+ \<open>satpc(f,nat,addg)\<close>
+  can be replaced here with
+ \<open>\<forall>n \<in> nat . f`succ(n) = succ(f`n)\<close>.\<close>
+theorem addition:
+  assumes \<open>a\<in>nat\<close>
+  shows
+ \<open>\<exists>!f. ((f \<in> (nat\<rightarrow>nat)) \<and> ((f`0) = a) \<and> satpc(f,nat,addg))\<close>
+proof(rule recthm.recursionthm, unfold recthm_def)
+  show \<open>a \<in> nat \<and> addg \<in> nat \<times> nat \<rightarrow> nat\<close>
+  proof
+    show \<open>a\<in>nat\<close> by (rule assms(1))
+  next
+    show \<open>addg \<in> nat \<times> nat \<rightarrow> nat\<close>
+    proof(unfold Pi_def, rule CollectI)
+      show \<open>addg \<in> Pow((nat \<times> nat) \<times> nat)\<close>
+        by (rule addgsubpow)
+    next
+      have A2: \<open>nat \<times> nat \<subseteq> domain(addg)\<close>
+        by(rule addgdom)
+      have A3: \<open>function(addg)\<close>
+        by (rule addgfun)
+      show \<open>nat \<times> nat \<subseteq> domain(addg) \<and> function(addg)\<close>
+        by(rule conjI[OF A2 A3])
+    qed
+  qed
+qed
+
+end
diff --git a/web/entries/Banach_Steinhaus.html b/web/entries/Banach_Steinhaus.html
new file mode 100644
--- /dev/null
+++ b/web/entries/Banach_Steinhaus.html
@@ -0,0 +1,186 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>Banach-Steinhaus Theorem - Archive of Formal Proofs
+</title>
+<link rel="stylesheet" type="text/css" href="../front.css">
+<link rel="icon" href="../images/favicon.ico" type="image/icon">
+<link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
+<!-- MathJax for LaTeX support in abstracts -->
+<script>
+MathJax = {
+  tex: {
+    inlineMath: [['$', '$'], ['\\(', '\\)']]
+  },
+  processEscapes: true,
+  svg: {
+    fontCache: 'global'
+  }
+};
+</script>
+<script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
+</head>
+
+<body class="mathjax_ignore">
+
+<table width="100%">
+<tbody>
+<tr>
+
+<!-- Navigation -->
+<td width="20%" align="center" valign="top">
+  <p>&nbsp;</p>
+  <a href="https://www.isa-afp.org/">
+    <img src="../images/isabelle.png" width="100" height="88" border=0>
+  </a>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+  <table class="nav" width="80%">
+    <tr>
+      <td class="nav" width="100%"><a href="../index.html">Home</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../about.html">About</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../submitting.html">Submission</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../updating.html">Updating Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../using.html">Using Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../search.html">Search</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../statistics.html">Statistics</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../topics.html">Index</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../download.html">Download</a></td>
+    </tr>
+  </table>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+</td>
+
+
+<!-- Content -->
+<td width="80%" valign="top">
+<div align="center">
+  <p>&nbsp;</p>
+  <h1>          <font class="first">B</font>anach-Steinhaus
+  
+          <font class="first">T</font>heorem
+  
+</h1>
+  <p>&nbsp;</p>
+
+<table width="80%" class="data">
+<tbody>
+<tr>
+  <td class="datahead" width="20%">Title:</td>
+  <td class="data" width="80%">Banach-Steinhaus Theorem</td>
+</tr>
+
+<tr>
+  <td class="datahead">
+          Authors:
+      </td>
+  <td class="data">
+                    <a href="http://kodu.ut.ee/~unruh/">Dominique Unruh</a> and
+          <a href="https://josephcmac.github.io/">Jose Manuel Rodriguez Caballero</a>
+      </td>
+</tr>
+
+
+
+<tr>
+  <td class="datahead">Submission date:</td>
+  <td class="data">2020-05-02</td>
+</tr>
+
+<tr>
+  <td class="datahead" valign="top">Abstract:</td>
+  <td class="abstract mathjax_process">
+We formalize in Isabelle/HOL a result
+due to S. Banach and H. Steinhaus known as
+the Banach-Steinhaus theorem or Uniform boundedness principle: a
+pointwise-bounded family of continuous linear operators from a Banach
+space to a normed space is uniformly bounded. Our approach is an
+adaptation to Isabelle/HOL of a proof due to A. Sokal.</td>
+</tr>
+
+
+<tr>
+  <td class="datahead" valign="top">BibTeX:</td>
+  <td class="formatted">
+        <pre>@article{Banach_Steinhaus-AFP,
+  author  = {Dominique Unruh and Jose Manuel Rodriguez Caballero},
+  title   = {Banach-Steinhaus Theorem},
+  journal = {Archive of Formal Proofs},
+  month   = may,
+  year    = 2020,
+  note    = {\url{http://isa-afp.org/entries/Banach_Steinhaus.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}</pre>
+  </td>
+</tr>
+
+    <tr><td class="datahead">License:</td>
+        <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
+
+    
+                    
+                    
+
+        
+  </tbody>
+</table>
+
+<p></p>
+
+<table class="links">
+  <tbody>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Banach_Steinhaus/outline.pdf">Proof outline</a><br>
+      <a href="../browser_info/current/AFP/Banach_Steinhaus/document.pdf">Proof document</a>
+    </td>
+    </tr>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Banach_Steinhaus/index.html">Browse theories</a>
+      </td></tr>
+    <tr>
+    <td class="links">
+      <a href="../release/afp-Banach_Steinhaus-current.tar.gz">Download this entry</a>
+    </td>
+    </tr>
+
+
+          <tr><td class="links">Older releases:
+            None
+            </td></tr>
+    
+  </tbody>
+</table>
+
+</div>
+</td>
+
+</tr>
+</tbody>
+</table>
+
+<script src="../jquery.min.js"></script>
+<script src="../script.js"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/entries/Bernoulli.html b/web/entries/Bernoulli.html
--- a/web/entries/Bernoulli.html
+++ b/web/entries/Bernoulli.html
@@ -1,220 +1,220 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Bernoulli Numbers - Archive of Formal Proofs
 </title>
 <link rel="stylesheet" type="text/css" href="../front.css">
 <link rel="icon" href="../images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
 <!-- MathJax for LaTeX support in abstracts -->
 <script>
 MathJax = {
   tex: {
     inlineMath: [['$', '$'], ['\\(', '\\)']]
   },
   processEscapes: true,
   svg: {
     fontCache: 'global'
   }
 };
 </script>
 <script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
 </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="../images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="../index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1>          <font class="first">B</font>ernoulli
   
           <font class="first">N</font>umbers
   
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="data">
 <tbody>
 <tr>
   <td class="datahead" width="20%">Title:</td>
   <td class="data" width="80%">Bernoulli Numbers</td>
 </tr>
 
 <tr>
   <td class="datahead">
           Authors:
       </td>
   <td class="data">
                     Lukas Bulwahn (lukas /dot/ bulwahn /at/ gmail /dot/ com) and
           <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
       </td>
 </tr>
 
 
 
 <tr>
   <td class="datahead">Submission date:</td>
   <td class="data">2017-01-24</td>
 </tr>
 
 <tr>
   <td class="datahead" valign="top">Abstract:</td>
   <td class="abstract mathjax_process">
 <p>Bernoulli numbers were first discovered in the closed-form
 expansion of the sum 1<sup>m</sup> +
 2<sup>m</sup> + &hellip; + n<sup>m</sup>
 for a fixed m and appear in many other places. This entry provides
 three different definitions for them: a recursive one, an explicit
 one, and one through their exponential generating function.</p>
 <p>In addition, we prove some basic facts, e.g. their relation
 to sums of powers of integers and that all odd Bernoulli numbers
 except the first are zero, and some advanced facts like their
 relationship to the Riemann zeta function on positive even
 integers.</p>
 <p>We also prove the correctness of the
 Akiyama&ndash;Tanigawa algorithm for computing Bernoulli numbers
 with reasonable efficiency, and we define the periodic Bernoulli
 polynomials (which appear e.g. in the Euler&ndash;MacLaurin
 summation formula and the expansion of the log-Gamma function) and
 prove their basic properties.</p></td>
 </tr>
 
 
 <tr>
   <td class="datahead" valign="top">BibTeX:</td>
   <td class="formatted">
         <pre>@article{Bernoulli-AFP,
   author  = {Lukas Bulwahn and Manuel Eberl},
   title   = {Bernoulli Numbers},
   journal = {Archive of Formal Proofs},
   month   = jan,
   year    = 2017,
   note    = {\url{http://isa-afp.org/entries/Bernoulli.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }</pre>
   </td>
 </tr>
 
     <tr><td class="datahead">License:</td>
         <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
 
     
                     
                       <tr><td class="datahead">Used by:</td>
-          <td class="data"><a href="Euler_MacLaurin.html">Euler_MacLaurin</a>, <a href="Stirling_Formula.html">Stirling_Formula</a>, <a href="Zeta_Function.html">Zeta_Function</a>      </td></tr>
+          <td class="data"><a href="Euler_MacLaurin.html">Euler_MacLaurin</a>, <a href="Lambert_W.html">Lambert_W</a>, <a href="Stirling_Formula.html">Stirling_Formula</a>, <a href="Zeta_Function.html">Zeta_Function</a>      </td></tr>
           
 
         
   </tbody>
 </table>
 
 <p></p>
 
 <table class="links">
   <tbody>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Bernoulli/outline.pdf">Proof outline</a><br>
       <a href="../browser_info/current/AFP/Bernoulli/document.pdf">Proof document</a>
     </td>
     </tr>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Bernoulli/index.html">Browse theories</a>
       </td></tr>
     <tr>
     <td class="links">
       <a href="../release/afp-Bernoulli-current.tar.gz">Download this entry</a>
     </td>
     </tr>
 
 
           <tr><td class="links">Older releases:
               <ul>
                               <li>Isabelle 2019:
             <a href="../release/afp-Bernoulli-2019-06-11.tar.gz">
               afp-Bernoulli-2019-06-11.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2018:
             <a href="../release/afp-Bernoulli-2018-08-16.tar.gz">
               afp-Bernoulli-2018-08-16.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2017:
             <a href="../release/afp-Bernoulli-2017-10-10.tar.gz">
               afp-Bernoulli-2017-10-10.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2016-1:
             <a href="../release/afp-Bernoulli-2017-01-24.tar.gz">
               afp-Bernoulli-2017-01-24.tar.gz
             </a>
             </li>
                           </ul>
             </td></tr>
     
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="../jquery.min.js"></script>
 <script src="../script.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/entries/Forcing.html b/web/entries/Forcing.html
new file mode 100644
--- /dev/null
+++ b/web/entries/Forcing.html
@@ -0,0 +1,191 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>Formalization of Forcing in Isabelle/ZF - Archive of Formal Proofs
+</title>
+<link rel="stylesheet" type="text/css" href="../front.css">
+<link rel="icon" href="../images/favicon.ico" type="image/icon">
+<link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
+<!-- MathJax for LaTeX support in abstracts -->
+<script>
+MathJax = {
+  tex: {
+    inlineMath: [['$', '$'], ['\\(', '\\)']]
+  },
+  processEscapes: true,
+  svg: {
+    fontCache: 'global'
+  }
+};
+</script>
+<script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
+</head>
+
+<body class="mathjax_ignore">
+
+<table width="100%">
+<tbody>
+<tr>
+
+<!-- Navigation -->
+<td width="20%" align="center" valign="top">
+  <p>&nbsp;</p>
+  <a href="https://www.isa-afp.org/">
+    <img src="../images/isabelle.png" width="100" height="88" border=0>
+  </a>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+  <table class="nav" width="80%">
+    <tr>
+      <td class="nav" width="100%"><a href="../index.html">Home</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../about.html">About</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../submitting.html">Submission</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../updating.html">Updating Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../using.html">Using Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../search.html">Search</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../statistics.html">Statistics</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../topics.html">Index</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../download.html">Download</a></td>
+    </tr>
+  </table>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+</td>
+
+
+<!-- Content -->
+<td width="80%" valign="top">
+<div align="center">
+  <p>&nbsp;</p>
+  <h1>          <font class="first">F</font>ormalization
+  
+          of
+  
+          <font class="first">F</font>orcing
+  
+          in
+  
+          <font class="first">I</font>sabelle/ZF
+  
+</h1>
+  <p>&nbsp;</p>
+
+<table width="80%" class="data">
+<tbody>
+<tr>
+  <td class="datahead" width="20%">Title:</td>
+  <td class="data" width="80%">Formalization of Forcing in Isabelle/ZF</td>
+</tr>
+
+<tr>
+  <td class="datahead">
+          Authors:
+      </td>
+  <td class="data">
+                      Emmanuel Gunther (gunther /at/ famaf /dot/ unc /dot/ edu /dot/ ar),
+                <a href="https://cs.famaf.unc.edu.ar/~mpagano/">Miguel Pagano</a> and
+          <a href="https://cs.famaf.unc.edu.ar/~pedro/home_en">Pedro Sánchez Terraf</a>
+      </td>
+</tr>
+
+
+
+<tr>
+  <td class="datahead">Submission date:</td>
+  <td class="data">2020-05-06</td>
+</tr>
+
+<tr>
+  <td class="datahead" valign="top">Abstract:</td>
+  <td class="abstract mathjax_process">
+We formalize the theory of forcing in the set theory framework of
+Isabelle/ZF. Under the assumption of the existence of a countable
+transitive model of ZFC, we construct a proper generic extension and
+show that the latter also satisfies ZFC.</td>
+</tr>
+
+
+<tr>
+  <td class="datahead" valign="top">BibTeX:</td>
+  <td class="formatted">
+        <pre>@article{Forcing-AFP,
+  author  = {Emmanuel Gunther and Miguel Pagano and Pedro Sánchez Terraf},
+  title   = {Formalization of Forcing in Isabelle/ZF},
+  journal = {Archive of Formal Proofs},
+  month   = may,
+  year    = 2020,
+  note    = {\url{http://isa-afp.org/entries/Forcing.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}</pre>
+  </td>
+</tr>
+
+    <tr><td class="datahead">License:</td>
+        <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
+
+    
+                    
+                    
+
+        
+  </tbody>
+</table>
+
+<p></p>
+
+<table class="links">
+  <tbody>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Forcing/outline.pdf">Proof outline</a><br>
+      <a href="../browser_info/current/AFP/Forcing/document.pdf">Proof document</a>
+    </td>
+    </tr>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Forcing/index.html">Browse theories</a>
+      </td></tr>
+    <tr>
+    <td class="links">
+      <a href="../release/afp-Forcing-current.tar.gz">Download this entry</a>
+    </td>
+    </tr>
+
+
+          <tr><td class="links">Older releases:
+            None
+            </td></tr>
+    
+  </tbody>
+</table>
+
+</div>
+</td>
+
+</tr>
+</tbody>
+</table>
+
+<script src="../jquery.min.js"></script>
+<script src="../script.js"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/entries/Gaussian_Integers.html b/web/entries/Gaussian_Integers.html
new file mode 100644
--- /dev/null
+++ b/web/entries/Gaussian_Integers.html
@@ -0,0 +1,195 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>Gaussian Integers - Archive of Formal Proofs
+</title>
+<link rel="stylesheet" type="text/css" href="../front.css">
+<link rel="icon" href="../images/favicon.ico" type="image/icon">
+<link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
+<!-- MathJax for LaTeX support in abstracts -->
+<script>
+MathJax = {
+  tex: {
+    inlineMath: [['$', '$'], ['\\(', '\\)']]
+  },
+  processEscapes: true,
+  svg: {
+    fontCache: 'global'
+  }
+};
+</script>
+<script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
+</head>
+
+<body class="mathjax_ignore">
+
+<table width="100%">
+<tbody>
+<tr>
+
+<!-- Navigation -->
+<td width="20%" align="center" valign="top">
+  <p>&nbsp;</p>
+  <a href="https://www.isa-afp.org/">
+    <img src="../images/isabelle.png" width="100" height="88" border=0>
+  </a>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+  <table class="nav" width="80%">
+    <tr>
+      <td class="nav" width="100%"><a href="../index.html">Home</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../about.html">About</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../submitting.html">Submission</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../updating.html">Updating Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../using.html">Using Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../search.html">Search</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../statistics.html">Statistics</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../topics.html">Index</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../download.html">Download</a></td>
+    </tr>
+  </table>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+</td>
+
+
+<!-- Content -->
+<td width="80%" valign="top">
+<div align="center">
+  <p>&nbsp;</p>
+  <h1>          <font class="first">G</font>aussian
+  
+          <font class="first">I</font>ntegers
+  
+</h1>
+  <p>&nbsp;</p>
+
+<table width="80%" class="data">
+<tbody>
+<tr>
+  <td class="datahead" width="20%">Title:</td>
+  <td class="data" width="80%">Gaussian Integers</td>
+</tr>
+
+<tr>
+  <td class="datahead">
+          Author:
+      </td>
+  <td class="data">
+              <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
+      </td>
+</tr>
+
+
+
+<tr>
+  <td class="datahead">Submission date:</td>
+  <td class="data">2020-04-24</td>
+</tr>
+
+<tr>
+  <td class="datahead" valign="top">Abstract:</td>
+  <td class="abstract mathjax_process">
+<p>The Gaussian integers are the subring &#8484;[i] of the
+complex numbers, i. e. the ring of all complex numbers with integral
+real and imaginary part. This article provides a definition of this
+ring as well as proofs of various basic properties, such as that they
+form a Euclidean ring and a full classification of their primes. An
+executable (albeit not very efficient) factorisation algorithm is also
+provided.</p> <p>Lastly, this Gaussian integer
+formalisation is used in two short applications:</p> <ol>
+<li> The characterisation of all positive integers that can be
+written as sums of two squares</li> <li> Euclid's
+formula for primitive Pythagorean triples</li> </ol>
+<p>While elementary proofs for both of these are already
+available in the AFP, the theory of Gaussian integers provides more
+concise proofs and a more high-level view.</p></td>
+</tr>
+
+
+<tr>
+  <td class="datahead" valign="top">BibTeX:</td>
+  <td class="formatted">
+        <pre>@article{Gaussian_Integers-AFP,
+  author  = {Manuel Eberl},
+  title   = {Gaussian Integers},
+  journal = {Archive of Formal Proofs},
+  month   = apr,
+  year    = 2020,
+  note    = {\url{http://isa-afp.org/entries/Gaussian_Integers.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}</pre>
+  </td>
+</tr>
+
+    <tr><td class="datahead">License:</td>
+        <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
+
+    
+                      <tr><td class="datahead">Depends on:</td>
+          <td class="data"><a href="Polynomial_Factorization.html">Polynomial_Factorization</a>      </td></tr>
+          
+                    
+
+        
+  </tbody>
+</table>
+
+<p></p>
+
+<table class="links">
+  <tbody>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Gaussian_Integers/outline.pdf">Proof outline</a><br>
+      <a href="../browser_info/current/AFP/Gaussian_Integers/document.pdf">Proof document</a>
+    </td>
+    </tr>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Gaussian_Integers/index.html">Browse theories</a>
+      </td></tr>
+    <tr>
+    <td class="links">
+      <a href="../release/afp-Gaussian_Integers-current.tar.gz">Download this entry</a>
+    </td>
+    </tr>
+
+
+          <tr><td class="links">Older releases:
+            None
+            </td></tr>
+    
+  </tbody>
+</table>
+
+</div>
+</td>
+
+</tr>
+</tbody>
+</table>
+
+<script src="../jquery.min.js"></script>
+<script src="../script.js"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/entries/Hybrid_Systems_VCs.html b/web/entries/Hybrid_Systems_VCs.html
--- a/web/entries/Hybrid_Systems_VCs.html
+++ b/web/entries/Hybrid_Systems_VCs.html
@@ -1,201 +1,203 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Verification Components for Hybrid Systems - Archive of Formal Proofs
 </title>
 <link rel="stylesheet" type="text/css" href="../front.css">
 <link rel="icon" href="../images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
 <!-- MathJax for LaTeX support in abstracts -->
 <script>
 MathJax = {
   tex: {
     inlineMath: [['$', '$'], ['\\(', '\\)']]
   },
   processEscapes: true,
   svg: {
     fontCache: 'global'
   }
 };
 </script>
 <script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
 </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="../images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="../index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1>          <font class="first">V</font>erification
   
           <font class="first">C</font>omponents
   
           for
   
           <font class="first">H</font>ybrid
   
           <font class="first">S</font>ystems
   
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="data">
 <tbody>
 <tr>
   <td class="datahead" width="20%">Title:</td>
   <td class="data" width="80%">Verification Components for Hybrid Systems</td>
 </tr>
 
 <tr>
   <td class="datahead">
           Author:
       </td>
   <td class="data">
-              Jonathan Julian Huerta y Munive
+              Jonathan Julian Huerta y Munive (jjhuertaymunive1 /at/ sheffield /dot/ ac /dot/ uk)
       </td>
 </tr>
 
 
 
 <tr>
   <td class="datahead">Submission date:</td>
   <td class="data">2019-09-10</td>
 </tr>
 
 <tr>
   <td class="datahead" valign="top">Abstract:</td>
   <td class="abstract mathjax_process">
 These components formalise a semantic framework for the deductive
 verification of hybrid systems. They support reasoning about
 continuous evolutions of hybrid programs in the style of differential
 dynamics logic. Vector fields or flows model these evolutions, and
 their verification is done with invariants for the former or orbits
 for the latter. Laws of modal Kleene algebra or categorical predicate
 transformers implement the verification condition generation. Examples
 show the approach at work.</td>
 </tr>
 
 
 <tr>
   <td class="datahead" valign="top">BibTeX:</td>
   <td class="formatted">
         <pre>@article{Hybrid_Systems_VCs-AFP,
   author  = {Jonathan Julian Huerta y Munive},
   title   = {Verification Components for Hybrid Systems},
   journal = {Archive of Formal Proofs},
   month   = sep,
   year    = 2019,
   note    = {\url{http://isa-afp.org/entries/Hybrid_Systems_VCs.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }</pre>
   </td>
 </tr>
 
     <tr><td class="datahead">License:</td>
         <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
 
     
                       <tr><td class="datahead">Depends on:</td>
           <td class="data"><a href="KAD.html">KAD</a>, <a href="Ordinary_Differential_Equations.html">Ordinary_Differential_Equations</a>, <a href="Transformer_Semantics.html">Transformer_Semantics</a>      </td></tr>
           
-                    
+                      <tr><td class="datahead">Used by:</td>
+          <td class="data"><a href="Matrices_for_ODEs.html">Matrices_for_ODEs</a>      </td></tr>
+          
 
         
   </tbody>
 </table>
 
 <p></p>
 
 <table class="links">
   <tbody>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Hybrid_Systems_VCs/outline.pdf">Proof outline</a><br>
       <a href="../browser_info/current/AFP/Hybrid_Systems_VCs/document.pdf">Proof document</a>
     </td>
     </tr>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Hybrid_Systems_VCs/index.html">Browse theories</a>
       </td></tr>
     <tr>
     <td class="links">
       <a href="../release/afp-Hybrid_Systems_VCs-current.tar.gz">Download this entry</a>
     </td>
     </tr>
 
 
           <tr><td class="links">Older releases:
               <ul>
                               <li>Isabelle 2019:
             <a href="../release/afp-Hybrid_Systems_VCs-2019-09-10.tar.gz">
               afp-Hybrid_Systems_VCs-2019-09-10.tar.gz
             </a>
             </li>
                           </ul>
             </td></tr>
     
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="../jquery.min.js"></script>
 <script src="../script.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/entries/Irrational_Series_Erdos_Straus.html b/web/entries/Irrational_Series_Erdos_Straus.html
new file mode 100644
--- /dev/null
+++ b/web/entries/Irrational_Series_Erdos_Straus.html
@@ -0,0 +1,201 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>Irrationality Criteria for Series by Erdős and Straus - Archive of Formal Proofs
+</title>
+<link rel="stylesheet" type="text/css" href="../front.css">
+<link rel="icon" href="../images/favicon.ico" type="image/icon">
+<link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
+<!-- MathJax for LaTeX support in abstracts -->
+<script>
+MathJax = {
+  tex: {
+    inlineMath: [['$', '$'], ['\\(', '\\)']]
+  },
+  processEscapes: true,
+  svg: {
+    fontCache: 'global'
+  }
+};
+</script>
+<script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
+</head>
+
+<body class="mathjax_ignore">
+
+<table width="100%">
+<tbody>
+<tr>
+
+<!-- Navigation -->
+<td width="20%" align="center" valign="top">
+  <p>&nbsp;</p>
+  <a href="https://www.isa-afp.org/">
+    <img src="../images/isabelle.png" width="100" height="88" border=0>
+  </a>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+  <table class="nav" width="80%">
+    <tr>
+      <td class="nav" width="100%"><a href="../index.html">Home</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../about.html">About</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../submitting.html">Submission</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../updating.html">Updating Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../using.html">Using Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../search.html">Search</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../statistics.html">Statistics</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../topics.html">Index</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../download.html">Download</a></td>
+    </tr>
+  </table>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+</td>
+
+
+<!-- Content -->
+<td width="80%" valign="top">
+<div align="center">
+  <p>&nbsp;</p>
+  <h1>          <font class="first">I</font>rrationality
+  
+          <font class="first">C</font>riteria
+  
+          for
+  
+          <font class="first">S</font>eries
+  
+          by
+  
+          <font class="first">E</font>rdős
+  
+          and
+  
+          <font class="first">S</font>traus
+  
+</h1>
+  <p>&nbsp;</p>
+
+<table width="80%" class="data">
+<tbody>
+<tr>
+  <td class="datahead" width="20%">Title:</td>
+  <td class="data" width="80%">Irrationality Criteria for Series by Erdős and Straus</td>
+</tr>
+
+<tr>
+  <td class="datahead">
+          Authors:
+      </td>
+  <td class="data">
+                    <a href="https://www.cl.cam.ac.uk/~ak2110/">Angeliki Koutsoukou-Argyraki</a> and
+          <a href="https://www.cl.cam.ac.uk/~wl302/">Wenda Li</a>
+      </td>
+</tr>
+
+
+
+<tr>
+  <td class="datahead">Submission date:</td>
+  <td class="data">2020-05-12</td>
+</tr>
+
+<tr>
+  <td class="datahead" valign="top">Abstract:</td>
+  <td class="abstract mathjax_process">
+We formalise certain irrationality criteria for infinite series of the form:
+\[\sum_{n=1}^\infty \frac{b_n}{\prod_{i=1}^n a_i} \]
+where $\{b_n\}$ is a sequence of integers and $\{a_n\}$ a sequence of positive integers
+with $a_n >1$ for all large n. The results are due to P. Erdős and E. G. Straus
+<a href="https://projecteuclid.org/euclid.pjm/1102911140">[1]</a>.
+In particular, we formalise Theorem 2.1, Corollary 2.10 and Theorem 3.1.
+The latter is an application of Theorem 2.1 involving the prime numbers.</td>
+</tr>
+
+
+<tr>
+  <td class="datahead" valign="top">BibTeX:</td>
+  <td class="formatted">
+        <pre>@article{Irrational_Series_Erdos_Straus-AFP,
+  author  = {Angeliki Koutsoukou-Argyraki and Wenda Li},
+  title   = {Irrationality Criteria for Series by Erdős and Straus},
+  journal = {Archive of Formal Proofs},
+  month   = may,
+  year    = 2020,
+  note    = {\url{http://isa-afp.org/entries/Irrational_Series_Erdos_Straus.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}</pre>
+  </td>
+</tr>
+
+    <tr><td class="datahead">License:</td>
+        <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
+
+    
+                      <tr><td class="datahead">Depends on:</td>
+          <td class="data"><a href="Prime_Distribution_Elementary.html">Prime_Distribution_Elementary</a>, <a href="Prime_Number_Theorem.html">Prime_Number_Theorem</a>      </td></tr>
+          
+                    
+
+        
+  </tbody>
+</table>
+
+<p></p>
+
+<table class="links">
+  <tbody>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Irrational_Series_Erdos_Straus/outline.pdf">Proof outline</a><br>
+      <a href="../browser_info/current/AFP/Irrational_Series_Erdos_Straus/document.pdf">Proof document</a>
+    </td>
+    </tr>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Irrational_Series_Erdos_Straus/index.html">Browse theories</a>
+      </td></tr>
+    <tr>
+    <td class="links">
+      <a href="../release/afp-Irrational_Series_Erdos_Straus-current.tar.gz">Download this entry</a>
+    </td>
+    </tr>
+
+
+          <tr><td class="links">Older releases:
+            None
+            </td></tr>
+    
+  </tbody>
+</table>
+
+</div>
+</td>
+
+</tr>
+</tbody>
+</table>
+
+<script src="../jquery.min.js"></script>
+<script src="../script.js"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/entries/LTL.html b/web/entries/LTL.html
--- a/web/entries/LTL.html
+++ b/web/entries/LTL.html
@@ -1,231 +1,231 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Linear Temporal Logic - Archive of Formal Proofs
 </title>
 <link rel="stylesheet" type="text/css" href="../front.css">
 <link rel="icon" href="../images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
 <!-- MathJax for LaTeX support in abstracts -->
 <script>
 MathJax = {
   tex: {
     inlineMath: [['$', '$'], ['\\(', '\\)']]
   },
   processEscapes: true,
   svg: {
     fontCache: 'global'
   }
 };
 </script>
 <script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
 </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="../images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="../index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1>          <font class="first">L</font>inear
   
           <font class="first">T</font>emporal
   
           <font class="first">L</font>ogic
   
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="data">
 <tbody>
 <tr>
   <td class="datahead" width="20%">Title:</td>
   <td class="data" width="80%">Linear Temporal Logic</td>
 </tr>
 
 <tr>
   <td class="datahead">
           Author:
       </td>
   <td class="data">
               Salomon Sickert (s /dot/ sickert /at/ tum /dot/ de)
       </td>
 </tr>
 
   <tr>
     <td class="datahead">
               Contributor:
           </td>
     <td class="data">
                   Benedikt Seidl (benedikt /dot/ seidl /at/ tum /dot/ de)
            </td>
   </tr>
 
 
 <tr>
   <td class="datahead">Submission date:</td>
   <td class="data">2016-03-01</td>
 </tr>
 
 <tr>
   <td class="datahead" valign="top">Abstract:</td>
   <td class="abstract mathjax_process">
 This theory provides a formalisation of linear temporal logic (LTL)
 and unifies previous formalisations within the AFP. This entry
 establishes syntax and semantics for this logic and decouples it from
 existing entries, yielding a common environment for theories reasoning
 about LTL. Furthermore a parser written in SML and an executable
 simplifier are provided.</td>
 </tr>
 
   <tr>
     <td class="datahead" valign="top">Change history:</td>
     <td class="abstract">[2019-03-12]:
 Support for additional operators, implementation of common equivalence relations,
 definition of syntactic fragments of LTL and the minimal disjunctive normal form. <br></td>
   </tr>
 
 <tr>
   <td class="datahead" valign="top">BibTeX:</td>
   <td class="formatted">
         <pre>@article{LTL-AFP,
   author  = {Salomon Sickert},
   title   = {Linear Temporal Logic},
   journal = {Archive of Formal Proofs},
   month   = mar,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/LTL.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }</pre>
   </td>
 </tr>
 
     <tr><td class="datahead">License:</td>
         <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
 
     
                       <tr><td class="datahead">Depends on:</td>
           <td class="data"><a href="Boolean_Expression_Checkers.html">Boolean_Expression_Checkers</a>      </td></tr>
           
                       <tr><td class="datahead">Used by:</td>
-          <td class="data"><a href="LTL_Master_Theorem.html">LTL_Master_Theorem</a>, <a href="LTL_to_DRA.html">LTL_to_DRA</a>, <a href="LTL_to_GBA.html">LTL_to_GBA</a>, <a href="Promela.html">Promela</a>, <a href="Stuttering_Equivalence.html">Stuttering_Equivalence</a>      </td></tr>
+          <td class="data"><a href="LTL_Master_Theorem.html">LTL_Master_Theorem</a>, <a href="LTL_Normal_Form.html">LTL_Normal_Form</a>, <a href="LTL_to_DRA.html">LTL_to_DRA</a>, <a href="LTL_to_GBA.html">LTL_to_GBA</a>, <a href="Promela.html">Promela</a>, <a href="Stuttering_Equivalence.html">Stuttering_Equivalence</a>      </td></tr>
           
 
         
   </tbody>
 </table>
 
 <p></p>
 
 <table class="links">
   <tbody>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/LTL/outline.pdf">Proof outline</a><br>
       <a href="../browser_info/current/AFP/LTL/document.pdf">Proof document</a>
     </td>
     </tr>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/LTL/index.html">Browse theories</a>
       </td></tr>
     <tr>
     <td class="links">
       <a href="../release/afp-LTL-current.tar.gz">Download this entry</a>
     </td>
     </tr>
 
 
           <tr><td class="links">Older releases:
               <ul>
                               <li>Isabelle 2019:
             <a href="../release/afp-LTL-2019-06-11.tar.gz">
               afp-LTL-2019-06-11.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2018:
             <a href="../release/afp-LTL-2018-08-16.tar.gz">
               afp-LTL-2018-08-16.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2017:
             <a href="../release/afp-LTL-2017-10-10.tar.gz">
               afp-LTL-2017-10-10.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2016-1:
             <a href="../release/afp-LTL-2016-12-17.tar.gz">
               afp-LTL-2016-12-17.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2016:
             <a href="../release/afp-LTL-2016-03-02.tar.gz">
               afp-LTL-2016-03-02.tar.gz
             </a>
             </li>
                           </ul>
             </td></tr>
     
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="../jquery.min.js"></script>
 <script src="../script.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/entries/LTL_Master_Theorem.html b/web/entries/LTL_Master_Theorem.html
--- a/web/entries/LTL_Master_Theorem.html
+++ b/web/entries/LTL_Master_Theorem.html
@@ -1,221 +1,223 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>A Compositional and Unified Translation of LTL into ω-Automata - Archive of Formal Proofs
 </title>
 <link rel="stylesheet" type="text/css" href="../front.css">
 <link rel="icon" href="../images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
 <!-- MathJax for LaTeX support in abstracts -->
 <script>
 MathJax = {
   tex: {
     inlineMath: [['$', '$'], ['\\(', '\\)']]
   },
   processEscapes: true,
   svg: {
     fontCache: 'global'
   }
 };
 </script>
 <script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
 </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="../images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="../index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1>          <font class="first">A</font>
   
           <font class="first">C</font>ompositional
   
           and
   
           <font class="first">U</font>nified
   
           <font class="first">T</font>ranslation
   
           of
   
           <font class="first">L</font>TL
   
           into
   
           ω-Automata
   
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="data">
 <tbody>
 <tr>
   <td class="datahead" width="20%">Title:</td>
   <td class="data" width="80%">A Compositional and Unified Translation of LTL into ω-Automata</td>
 </tr>
 
 <tr>
   <td class="datahead">
           Authors:
       </td>
   <td class="data">
                     Benedikt Seidl (benedikt /dot/ seidl /at/ tum /dot/ de) and
           Salomon Sickert (s /dot/ sickert /at/ tum /dot/ de)
       </td>
 </tr>
 
 
 
 <tr>
   <td class="datahead">Submission date:</td>
   <td class="data">2019-04-16</td>
 </tr>
 
 <tr>
   <td class="datahead" valign="top">Abstract:</td>
   <td class="abstract mathjax_process">
 We present a formalisation of the unified translation approach of
 linear temporal logic (LTL) into ω-automata from [1]. This approach
 decomposes LTL formulas into ``simple'' languages and allows
 a clear separation of concerns: first, we formalise the purely logical
 result yielding this decomposition; second, we instantiate this
 generic theory to obtain a construction for deterministic
 (state-based) Rabin automata (DRA). We extract from this particular
 instantiation an executable tool translating LTL to DRAs. To the best
 of our knowledge this is the first verified translation from LTL to
 DRAs that is proven to be double exponential in the worst case which
 asymptotically matches the known lower bound.
 <p>
 [1] Javier Esparza, Jan Kretínský, Salomon Sickert. One Theorem to Rule Them All:
 A Unified Translation of LTL into ω-Automata. LICS 2018</td>
 </tr>
 
 
 <tr>
   <td class="datahead" valign="top">BibTeX:</td>
   <td class="formatted">
         <pre>@article{LTL_Master_Theorem-AFP,
   author  = {Benedikt Seidl and Salomon Sickert},
   title   = {A Compositional and Unified Translation of LTL into ω-Automata},
   journal = {Archive of Formal Proofs},
   month   = apr,
   year    = 2019,
   note    = {\url{http://isa-afp.org/entries/LTL_Master_Theorem.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }</pre>
   </td>
 </tr>
 
     <tr><td class="datahead">License:</td>
         <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
 
     
                       <tr><td class="datahead">Depends on:</td>
           <td class="data"><a href="Deriving.html">Deriving</a>, <a href="LTL.html">LTL</a>, <a href="Transition_Systems_and_Automata.html">Transition_Systems_and_Automata</a>      </td></tr>
           
-                    
+                      <tr><td class="datahead">Used by:</td>
+          <td class="data"><a href="LTL_Normal_Form.html">LTL_Normal_Form</a>      </td></tr>
+          
 
         
   </tbody>
 </table>
 
 <p></p>
 
 <table class="links">
   <tbody>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/LTL_Master_Theorem/outline.pdf">Proof outline</a><br>
       <a href="../browser_info/current/AFP/LTL_Master_Theorem/document.pdf">Proof document</a>
     </td>
     </tr>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/LTL_Master_Theorem/index.html">Browse theories</a>
       </td></tr>
     <tr>
     <td class="links">
       <a href="../release/afp-LTL_Master_Theorem-current.tar.gz">Download this entry</a>
     </td>
     </tr>
 
 
           <tr><td class="links">Older releases:
               <ul>
                               <li>Isabelle 2019:
             <a href="../release/afp-LTL_Master_Theorem-2019-06-11.tar.gz">
               afp-LTL_Master_Theorem-2019-06-11.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2018:
             <a href="../release/afp-LTL_Master_Theorem-2019-04-17.tar.gz">
               afp-LTL_Master_Theorem-2019-04-17.tar.gz
             </a>
             </li>
                           </ul>
             </td></tr>
     
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="../jquery.min.js"></script>
 <script src="../script.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/entries/LTL_Normal_Form.html b/web/entries/LTL_Normal_Form.html
new file mode 100644
--- /dev/null
+++ b/web/entries/LTL_Normal_Form.html
@@ -0,0 +1,211 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>An Efficient Normalisation Procedure for Linear Temporal Logic: Isabelle/HOL Formalisation - Archive of Formal Proofs
+</title>
+<link rel="stylesheet" type="text/css" href="../front.css">
+<link rel="icon" href="../images/favicon.ico" type="image/icon">
+<link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
+<!-- MathJax for LaTeX support in abstracts -->
+<script>
+MathJax = {
+  tex: {
+    inlineMath: [['$', '$'], ['\\(', '\\)']]
+  },
+  processEscapes: true,
+  svg: {
+    fontCache: 'global'
+  }
+};
+</script>
+<script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
+</head>
+
+<body class="mathjax_ignore">
+
+<table width="100%">
+<tbody>
+<tr>
+
+<!-- Navigation -->
+<td width="20%" align="center" valign="top">
+  <p>&nbsp;</p>
+  <a href="https://www.isa-afp.org/">
+    <img src="../images/isabelle.png" width="100" height="88" border=0>
+  </a>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+  <table class="nav" width="80%">
+    <tr>
+      <td class="nav" width="100%"><a href="../index.html">Home</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../about.html">About</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../submitting.html">Submission</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../updating.html">Updating Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../using.html">Using Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../search.html">Search</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../statistics.html">Statistics</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../topics.html">Index</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../download.html">Download</a></td>
+    </tr>
+  </table>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+</td>
+
+
+<!-- Content -->
+<td width="80%" valign="top">
+<div align="center">
+  <p>&nbsp;</p>
+  <h1>          <font class="first">A</font>n
+  
+          <font class="first">E</font>fficient
+  
+          <font class="first">N</font>ormalisation
+  
+          <font class="first">P</font>rocedure
+  
+          for
+  
+          <font class="first">L</font>inear
+  
+          <font class="first">T</font>emporal
+  
+          <font class="first">L</font>ogic:
+  
+          <font class="first">I</font>sabelle/HOL
+  
+          <font class="first">F</font>ormalisation
+  
+</h1>
+  <p>&nbsp;</p>
+
+<table width="80%" class="data">
+<tbody>
+<tr>
+  <td class="datahead" width="20%">Title:</td>
+  <td class="data" width="80%">An Efficient Normalisation Procedure for Linear Temporal Logic: Isabelle/HOL Formalisation</td>
+</tr>
+
+<tr>
+  <td class="datahead">
+          Author:
+      </td>
+  <td class="data">
+              Salomon Sickert (s /dot/ sickert /at/ tum /dot/ de)
+      </td>
+</tr>
+
+
+
+<tr>
+  <td class="datahead">Submission date:</td>
+  <td class="data">2020-05-08</td>
+</tr>
+
+<tr>
+  <td class="datahead" valign="top">Abstract:</td>
+  <td class="abstract mathjax_process">
+In the mid 80s, Lichtenstein, Pnueli, and Zuck proved a classical
+theorem stating that every formula of Past LTL (the extension of LTL
+with past operators) is equivalent to a formula of the form
+$\bigwedge_{i=1}^n \mathbf{G}\mathbf{F} \varphi_i \vee
+\mathbf{F}\mathbf{G} \psi_i$,  where $\varphi_i$ and $\psi_i$ contain
+only past operators. Some years later, Chang, Manna, and Pnueli built
+on this result to derive a similar normal form for LTL. Both
+normalisation procedures have a non-elementary worst-case blow-up, and
+follow an involved path from formulas to counter-free automata to
+star-free regular expressions and back to formulas. We improve on both
+points. We present an executable formalisation of a direct and purely
+syntactic normalisation procedure for LTL yielding a normal form,
+comparable to the one by Chang, Manna, and Pnueli, that has only a
+single exponential blow-up.</td>
+</tr>
+
+
+<tr>
+  <td class="datahead" valign="top">BibTeX:</td>
+  <td class="formatted">
+        <pre>@article{LTL_Normal_Form-AFP,
+  author  = {Salomon Sickert},
+  title   = {An Efficient Normalisation Procedure for Linear Temporal Logic: Isabelle/HOL Formalisation},
+  journal = {Archive of Formal Proofs},
+  month   = may,
+  year    = 2020,
+  note    = {\url{http://isa-afp.org/entries/LTL_Normal_Form.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}</pre>
+  </td>
+</tr>
+
+    <tr><td class="datahead">License:</td>
+        <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
+
+    
+                      <tr><td class="datahead">Depends on:</td>
+          <td class="data"><a href="LTL.html">LTL</a>, <a href="LTL_Master_Theorem.html">LTL_Master_Theorem</a>      </td></tr>
+          
+                    
+
+        
+  </tbody>
+</table>
+
+<p></p>
+
+<table class="links">
+  <tbody>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/LTL_Normal_Form/outline.pdf">Proof outline</a><br>
+      <a href="../browser_info/current/AFP/LTL_Normal_Form/document.pdf">Proof document</a>
+    </td>
+    </tr>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/LTL_Normal_Form/index.html">Browse theories</a>
+      </td></tr>
+    <tr>
+    <td class="links">
+      <a href="../release/afp-LTL_Normal_Form-current.tar.gz">Download this entry</a>
+    </td>
+    </tr>
+
+
+          <tr><td class="links">Older releases:
+            None
+            </td></tr>
+    
+  </tbody>
+</table>
+
+</div>
+</td>
+
+</tr>
+</tbody>
+</table>
+
+<script src="../jquery.min.js"></script>
+<script src="../script.js"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/entries/Lambert_W.html b/web/entries/Lambert_W.html
new file mode 100644
--- /dev/null
+++ b/web/entries/Lambert_W.html
@@ -0,0 +1,209 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>The Lambert W Function on the Reals - Archive of Formal Proofs
+</title>
+<link rel="stylesheet" type="text/css" href="../front.css">
+<link rel="icon" href="../images/favicon.ico" type="image/icon">
+<link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
+<!-- MathJax for LaTeX support in abstracts -->
+<script>
+MathJax = {
+  tex: {
+    inlineMath: [['$', '$'], ['\\(', '\\)']]
+  },
+  processEscapes: true,
+  svg: {
+    fontCache: 'global'
+  }
+};
+</script>
+<script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
+</head>
+
+<body class="mathjax_ignore">
+
+<table width="100%">
+<tbody>
+<tr>
+
+<!-- Navigation -->
+<td width="20%" align="center" valign="top">
+  <p>&nbsp;</p>
+  <a href="https://www.isa-afp.org/">
+    <img src="../images/isabelle.png" width="100" height="88" border=0>
+  </a>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+  <table class="nav" width="80%">
+    <tr>
+      <td class="nav" width="100%"><a href="../index.html">Home</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../about.html">About</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../submitting.html">Submission</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../updating.html">Updating Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../using.html">Using Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../search.html">Search</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../statistics.html">Statistics</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../topics.html">Index</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../download.html">Download</a></td>
+    </tr>
+  </table>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+</td>
+
+
+<!-- Content -->
+<td width="80%" valign="top">
+<div align="center">
+  <p>&nbsp;</p>
+  <h1>          <font class="first">T</font>he
+  
+          <font class="first">L</font>ambert
+  
+          <font class="first">W</font>
+  
+          <font class="first">F</font>unction
+  
+          on
+  
+          the
+  
+          <font class="first">R</font>eals
+  
+</h1>
+  <p>&nbsp;</p>
+
+<table width="80%" class="data">
+<tbody>
+<tr>
+  <td class="datahead" width="20%">Title:</td>
+  <td class="data" width="80%">The Lambert W Function on the Reals</td>
+</tr>
+
+<tr>
+  <td class="datahead">
+          Author:
+      </td>
+  <td class="data">
+              <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
+      </td>
+</tr>
+
+
+
+<tr>
+  <td class="datahead">Submission date:</td>
+  <td class="data">2020-04-24</td>
+</tr>
+
+<tr>
+  <td class="datahead" valign="top">Abstract:</td>
+  <td class="abstract mathjax_process">
+<p>The Lambert <em>W</em> function is a multi-valued
+function defined as the inverse function of <em>x</em>
+&#x21A6; <em>x</em>
+e<sup><em>x</em></sup>. Besides numerous
+applications in combinatorics, physics, and engineering, it also
+frequently occurs when solving equations containing both
+e<sup><em>x</em></sup> and
+<em>x</em>, or both <em>x</em> and log
+<em>x</em>.</p> <p>This article provides a
+definition of the two real-valued branches
+<em>W</em><sub>0</sub>(<em>x</em>)
+and
+<em>W</em><sub>-1</sub>(<em>x</em>)
+and proves various properties such as basic identities and
+inequalities, monotonicity, differentiability, asymptotic expansions,
+and the MacLaurin series of
+<em>W</em><sub>0</sub>(<em>x</em>)
+at <em>x</em> = 0.</p></td>
+</tr>
+
+
+<tr>
+  <td class="datahead" valign="top">BibTeX:</td>
+  <td class="formatted">
+        <pre>@article{Lambert_W-AFP,
+  author  = {Manuel Eberl},
+  title   = {The Lambert W Function on the Reals},
+  journal = {Archive of Formal Proofs},
+  month   = apr,
+  year    = 2020,
+  note    = {\url{http://isa-afp.org/entries/Lambert_W.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}</pre>
+  </td>
+</tr>
+
+    <tr><td class="datahead">License:</td>
+        <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
+
+    
+                      <tr><td class="datahead">Depends on:</td>
+          <td class="data"><a href="Bernoulli.html">Bernoulli</a>, <a href="Stirling_Formula.html">Stirling_Formula</a>      </td></tr>
+          
+                    
+
+        
+  </tbody>
+</table>
+
+<p></p>
+
+<table class="links">
+  <tbody>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Lambert_W/outline.pdf">Proof outline</a><br>
+      <a href="../browser_info/current/AFP/Lambert_W/document.pdf">Proof document</a>
+    </td>
+    </tr>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Lambert_W/index.html">Browse theories</a>
+      </td></tr>
+    <tr>
+    <td class="links">
+      <a href="../release/afp-Lambert_W-current.tar.gz">Download this entry</a>
+    </td>
+    </tr>
+
+
+          <tr><td class="links">Older releases:
+            None
+            </td></tr>
+    
+  </tbody>
+</table>
+
+</div>
+</td>
+
+</tr>
+</tbody>
+</table>
+
+<script src="../jquery.min.js"></script>
+<script src="../script.js"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/entries/Matrices_for_ODEs.html b/web/entries/Matrices_for_ODEs.html
new file mode 100644
--- /dev/null
+++ b/web/entries/Matrices_for_ODEs.html
@@ -0,0 +1,191 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>Matrices for ODEs - Archive of Formal Proofs
+</title>
+<link rel="stylesheet" type="text/css" href="../front.css">
+<link rel="icon" href="../images/favicon.ico" type="image/icon">
+<link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
+<!-- MathJax for LaTeX support in abstracts -->
+<script>
+MathJax = {
+  tex: {
+    inlineMath: [['$', '$'], ['\\(', '\\)']]
+  },
+  processEscapes: true,
+  svg: {
+    fontCache: 'global'
+  }
+};
+</script>
+<script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
+</head>
+
+<body class="mathjax_ignore">
+
+<table width="100%">
+<tbody>
+<tr>
+
+<!-- Navigation -->
+<td width="20%" align="center" valign="top">
+  <p>&nbsp;</p>
+  <a href="https://www.isa-afp.org/">
+    <img src="../images/isabelle.png" width="100" height="88" border=0>
+  </a>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+  <table class="nav" width="80%">
+    <tr>
+      <td class="nav" width="100%"><a href="../index.html">Home</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../about.html">About</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../submitting.html">Submission</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../updating.html">Updating Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../using.html">Using Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../search.html">Search</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../statistics.html">Statistics</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../topics.html">Index</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../download.html">Download</a></td>
+    </tr>
+  </table>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+</td>
+
+
+<!-- Content -->
+<td width="80%" valign="top">
+<div align="center">
+  <p>&nbsp;</p>
+  <h1>          <font class="first">M</font>atrices
+  
+          for
+  
+          <font class="first">O</font>DEs
+  
+</h1>
+  <p>&nbsp;</p>
+
+<table width="80%" class="data">
+<tbody>
+<tr>
+  <td class="datahead" width="20%">Title:</td>
+  <td class="data" width="80%">Matrices for ODEs</td>
+</tr>
+
+<tr>
+  <td class="datahead">
+          Author:
+      </td>
+  <td class="data">
+              Jonathan Julian Huerta y Munive (jjhuertaymunive1 /at/ sheffield /dot/ ac /dot/ uk)
+      </td>
+</tr>
+
+
+
+<tr>
+  <td class="datahead">Submission date:</td>
+  <td class="data">2020-04-19</td>
+</tr>
+
+<tr>
+  <td class="datahead" valign="top">Abstract:</td>
+  <td class="abstract mathjax_process">
+Our theories formalise various matrix properties that serve to
+establish existence, uniqueness and characterisation of the solution
+to affine systems of ordinary differential equations (ODEs). In
+particular, we formalise the operator and maximum norm of matrices.
+Then we use them to prove that square matrices form a Banach space,
+and in this setting, we show an instance of Picard-Lindelöf’s
+theorem for affine systems of ODEs. Finally, we use this formalisation
+to verify three simple hybrid programs.</td>
+</tr>
+
+
+<tr>
+  <td class="datahead" valign="top">BibTeX:</td>
+  <td class="formatted">
+        <pre>@article{Matrices_for_ODEs-AFP,
+  author  = {Jonathan Julian Huerta y Munive},
+  title   = {Matrices for ODEs},
+  journal = {Archive of Formal Proofs},
+  month   = apr,
+  year    = 2020,
+  note    = {\url{http://isa-afp.org/entries/Matrices_for_ODEs.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}</pre>
+  </td>
+</tr>
+
+    <tr><td class="datahead">License:</td>
+        <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
+
+    
+                      <tr><td class="datahead">Depends on:</td>
+          <td class="data"><a href="Hybrid_Systems_VCs.html">Hybrid_Systems_VCs</a>      </td></tr>
+          
+                    
+
+        
+  </tbody>
+</table>
+
+<p></p>
+
+<table class="links">
+  <tbody>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Matrices_for_ODEs/outline.pdf">Proof outline</a><br>
+      <a href="../browser_info/current/AFP/Matrices_for_ODEs/document.pdf">Proof document</a>
+    </td>
+    </tr>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Matrices_for_ODEs/index.html">Browse theories</a>
+      </td></tr>
+    <tr>
+    <td class="links">
+      <a href="../release/afp-Matrices_for_ODEs-current.tar.gz">Download this entry</a>
+    </td>
+    </tr>
+
+
+          <tr><td class="links">Older releases:
+            None
+            </td></tr>
+    
+  </tbody>
+</table>
+
+</div>
+</td>
+
+</tr>
+</tbody>
+</table>
+
+<script src="../jquery.min.js"></script>
+<script src="../script.js"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/entries/Polynomial_Factorization.html b/web/entries/Polynomial_Factorization.html
--- a/web/entries/Polynomial_Factorization.html
+++ b/web/entries/Polynomial_Factorization.html
@@ -1,224 +1,224 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Polynomial Factorization - Archive of Formal Proofs
 </title>
 <link rel="stylesheet" type="text/css" href="../front.css">
 <link rel="icon" href="../images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
 <!-- MathJax for LaTeX support in abstracts -->
 <script>
 MathJax = {
   tex: {
     inlineMath: [['$', '$'], ['\\(', '\\)']]
   },
   processEscapes: true,
   svg: {
     fontCache: 'global'
   }
 };
 </script>
 <script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
 </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="../images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="../index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1>          <font class="first">P</font>olynomial
   
           <font class="first">F</font>actorization
   
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="data">
 <tbody>
 <tr>
   <td class="datahead" width="20%">Title:</td>
   <td class="data" width="80%">Polynomial Factorization</td>
 </tr>
 
 <tr>
   <td class="datahead">
           Authors:
       </td>
   <td class="data">
                     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a> and
           <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
       </td>
 </tr>
 
 
 
 <tr>
   <td class="datahead">Submission date:</td>
   <td class="data">2016-01-29</td>
 </tr>
 
 <tr>
   <td class="datahead" valign="top">Abstract:</td>
   <td class="abstract mathjax_process">
 Based on existing libraries for polynomial interpolation and matrices,
 we formalized several factorization algorithms for polynomials, including
 Kronecker's algorithm for integer polynomials,
 Yun's square-free factorization algorithm for field polynomials, and
 Berlekamp's algorithm for polynomials over finite fields.
 By combining the last one with Hensel's lifting,
 we derive an efficient factorization algorithm for the integer polynomials,
 which is then lifted for rational polynomials by mechanizing Gauss' lemma.
 Finally, we assembled a combined factorization algorithm for rational polynomials,
 which combines all the mentioned algorithms and additionally uses the explicit formula for roots
 of quadratic polynomials and a rational root test.
 <p>
 As side products, we developed division algorithms for polynomials over integral domains,
 as well as primality-testing and prime-factorization algorithms for integers.</td>
 </tr>
 
 
 <tr>
   <td class="datahead" valign="top">BibTeX:</td>
   <td class="formatted">
         <pre>@article{Polynomial_Factorization-AFP,
   author  = {René Thiemann and Akihisa Yamada},
   title   = {Polynomial Factorization},
   journal = {Archive of Formal Proofs},
   month   = jan,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/Polynomial_Factorization.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }</pre>
   </td>
 </tr>
 
     <tr><td class="datahead">License:</td>
         <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
 
     
                       <tr><td class="datahead">Depends on:</td>
           <td class="data"><a href="Partial_Function_MR.html">Partial_Function_MR</a>, <a href="Polynomial_Interpolation.html">Polynomial_Interpolation</a>, <a href="Show.html">Show</a>, <a href="Sqrt_Babylonian.html">Sqrt_Babylonian</a>      </td></tr>
           
                       <tr><td class="datahead">Used by:</td>
-          <td class="data"><a href="Dirichlet_Series.html">Dirichlet_Series</a>, <a href="Functional_Ordered_Resolution_Prover.html">Functional_Ordered_Resolution_Prover</a>, <a href="Jordan_Normal_Form.html">Jordan_Normal_Form</a>, <a href="Knuth_Bendix_Order.html">Knuth_Bendix_Order</a>, <a href="Linear_Recurrences.html">Linear_Recurrences</a>, <a href="Perron_Frobenius.html">Perron_Frobenius</a>, <a href="Subresultants.html">Subresultants</a>      </td></tr>
+          <td class="data"><a href="Dirichlet_Series.html">Dirichlet_Series</a>, <a href="Functional_Ordered_Resolution_Prover.html">Functional_Ordered_Resolution_Prover</a>, <a href="Gaussian_Integers.html">Gaussian_Integers</a>, <a href="Jordan_Normal_Form.html">Jordan_Normal_Form</a>, <a href="Knuth_Bendix_Order.html">Knuth_Bendix_Order</a>, <a href="Linear_Recurrences.html">Linear_Recurrences</a>, <a href="Perron_Frobenius.html">Perron_Frobenius</a>, <a href="Power_Sum_Polynomials.html">Power_Sum_Polynomials</a>, <a href="Subresultants.html">Subresultants</a>      </td></tr>
           
 
         
   </tbody>
 </table>
 
 <p></p>
 
 <table class="links">
   <tbody>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Polynomial_Factorization/outline.pdf">Proof outline</a><br>
       <a href="../browser_info/current/AFP/Polynomial_Factorization/document.pdf">Proof document</a>
     </td>
     </tr>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Polynomial_Factorization/index.html">Browse theories</a>
       </td></tr>
     <tr>
     <td class="links">
       <a href="../release/afp-Polynomial_Factorization-current.tar.gz">Download this entry</a>
     </td>
     </tr>
 
 
           <tr><td class="links">Older releases:
               <ul>
                               <li>Isabelle 2019:
             <a href="../release/afp-Polynomial_Factorization-2019-06-11.tar.gz">
               afp-Polynomial_Factorization-2019-06-11.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2018:
             <a href="../release/afp-Polynomial_Factorization-2018-08-16.tar.gz">
               afp-Polynomial_Factorization-2018-08-16.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2017:
             <a href="../release/afp-Polynomial_Factorization-2017-10-10.tar.gz">
               afp-Polynomial_Factorization-2017-10-10.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2016-1:
             <a href="../release/afp-Polynomial_Factorization-2016-12-17.tar.gz">
               afp-Polynomial_Factorization-2016-12-17.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2016:
             <a href="../release/afp-Polynomial_Factorization-2016-02-22.tar.gz">
               afp-Polynomial_Factorization-2016-02-22.tar.gz
             </a>
             </li>
                           </ul>
             </td></tr>
     
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="../jquery.min.js"></script>
 <script src="../script.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/entries/Power_Sum_Polynomials.html b/web/entries/Power_Sum_Polynomials.html
new file mode 100644
--- /dev/null
+++ b/web/entries/Power_Sum_Polynomials.html
@@ -0,0 +1,222 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>Power Sum Polynomials - Archive of Formal Proofs
+</title>
+<link rel="stylesheet" type="text/css" href="../front.css">
+<link rel="icon" href="../images/favicon.ico" type="image/icon">
+<link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
+<!-- MathJax for LaTeX support in abstracts -->
+<script>
+MathJax = {
+  tex: {
+    inlineMath: [['$', '$'], ['\\(', '\\)']]
+  },
+  processEscapes: true,
+  svg: {
+    fontCache: 'global'
+  }
+};
+</script>
+<script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
+</head>
+
+<body class="mathjax_ignore">
+
+<table width="100%">
+<tbody>
+<tr>
+
+<!-- Navigation -->
+<td width="20%" align="center" valign="top">
+  <p>&nbsp;</p>
+  <a href="https://www.isa-afp.org/">
+    <img src="../images/isabelle.png" width="100" height="88" border=0>
+  </a>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+  <table class="nav" width="80%">
+    <tr>
+      <td class="nav" width="100%"><a href="../index.html">Home</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../about.html">About</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../submitting.html">Submission</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../updating.html">Updating Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../using.html">Using Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../search.html">Search</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../statistics.html">Statistics</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../topics.html">Index</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../download.html">Download</a></td>
+    </tr>
+  </table>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+</td>
+
+
+<!-- Content -->
+<td width="80%" valign="top">
+<div align="center">
+  <p>&nbsp;</p>
+  <h1>          <font class="first">P</font>ower
+  
+          <font class="first">S</font>um
+  
+          <font class="first">P</font>olynomials
+  
+</h1>
+  <p>&nbsp;</p>
+
+<table width="80%" class="data">
+<tbody>
+<tr>
+  <td class="datahead" width="20%">Title:</td>
+  <td class="data" width="80%">Power Sum Polynomials</td>
+</tr>
+
+<tr>
+  <td class="datahead">
+          Author:
+      </td>
+  <td class="data">
+              <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
+      </td>
+</tr>
+
+
+
+<tr>
+  <td class="datahead">Submission date:</td>
+  <td class="data">2020-04-24</td>
+</tr>
+
+<tr>
+  <td class="datahead" valign="top">Abstract:</td>
+  <td class="abstract mathjax_process">
+<p>This article provides a formalisation of the symmetric
+multivariate polynomials known as <em>power sum
+polynomials</em>. These are of the form
+p<sub>n</sub>(<em>X</em><sub>1</sub>,&hellip;,
+<em>X</em><sub><em>k</em></sub>) =
+<em>X</em><sub>1</sub><sup>n</sup>
++ &hellip; +
+X<sub><em>k</em></sub><sup>n</sup>.
+A formal proof of the Girard–Newton Theorem is also given. This
+theorem relates the power sum polynomials to the elementary symmetric
+polynomials s<sub><em>k</em></sub> in the form
+of a recurrence relation
+(-1)<sup><em>k</em></sup>
+<em>k</em> s<sub><em>k</em></sub>
+=
+&sum;<sub>i&isinv;[0,<em>k</em>)</sub>
+(-1)<sup>i</sup> s<sub>i</sub>
+p<sub><em>k</em>-<em>i</em></sub>&thinsp;.</p>
+<p>As an application, this is then used to solve a generalised
+form of a puzzle given as an exercise in Dummit and Foote's
+<em>Abstract Algebra</em>: For <em>k</em>
+complex unknowns <em>x</em><sub>1</sub>,
+&hellip;,
+<em>x</em><sub><em>k</em></sub>,
+define p<sub><em>j</em></sub> :=
+<em>x</em><sub>1</sub><sup><em>j</em></sup>
++ &hellip; +
+<em>x</em><sub><em>k</em></sub><sup><em>j</em></sup>.
+Then for each vector <em>a</em> &isinv;
+&#x2102;<sup><em>k</em></sup>, show that
+there is exactly one solution to the system p<sub>1</sub>
+= a<sub>1</sub>, &hellip;,
+p<sub><em>k</em></sub> =
+a<sub><em>k</em></sub> up to permutation of
+the
+<em>x</em><sub><em>i</em></sub>
+and determine the value of
+p<sub><em>i</em></sub> for
+i&gt;k.</p></td>
+</tr>
+
+
+<tr>
+  <td class="datahead" valign="top">BibTeX:</td>
+  <td class="formatted">
+        <pre>@article{Power_Sum_Polynomials-AFP,
+  author  = {Manuel Eberl},
+  title   = {Power Sum Polynomials},
+  journal = {Archive of Formal Proofs},
+  month   = apr,
+  year    = 2020,
+  note    = {\url{http://isa-afp.org/entries/Power_Sum_Polynomials.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}</pre>
+  </td>
+</tr>
+
+    <tr><td class="datahead">License:</td>
+        <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
+
+    
+                      <tr><td class="datahead">Depends on:</td>
+          <td class="data"><a href="Polynomial_Factorization.html">Polynomial_Factorization</a>, <a href="Symmetric_Polynomials.html">Symmetric_Polynomials</a>      </td></tr>
+          
+                    
+
+        
+  </tbody>
+</table>
+
+<p></p>
+
+<table class="links">
+  <tbody>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Power_Sum_Polynomials/outline.pdf">Proof outline</a><br>
+      <a href="../browser_info/current/AFP/Power_Sum_Polynomials/document.pdf">Proof document</a>
+    </td>
+    </tr>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Power_Sum_Polynomials/index.html">Browse theories</a>
+      </td></tr>
+    <tr>
+    <td class="links">
+      <a href="../release/afp-Power_Sum_Polynomials-current.tar.gz">Download this entry</a>
+    </td>
+    </tr>
+
+
+          <tr><td class="links">Older releases:
+            None
+            </td></tr>
+    
+  </tbody>
+</table>
+
+</div>
+</td>
+
+</tr>
+</tbody>
+</table>
+
+<script src="../jquery.min.js"></script>
+<script src="../script.js"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/entries/Prime_Distribution_Elementary.html b/web/entries/Prime_Distribution_Elementary.html
--- a/web/entries/Prime_Distribution_Elementary.html
+++ b/web/entries/Prime_Distribution_Elementary.html
@@ -1,218 +1,218 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Elementary Facts About the Distribution of Primes - Archive of Formal Proofs
 </title>
 <link rel="stylesheet" type="text/css" href="../front.css">
 <link rel="icon" href="../images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
 <!-- MathJax for LaTeX support in abstracts -->
 <script>
 MathJax = {
   tex: {
     inlineMath: [['$', '$'], ['\\(', '\\)']]
   },
   processEscapes: true,
   svg: {
     fontCache: 'global'
   }
 };
 </script>
 <script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
 </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="../images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="../index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1>          <font class="first">E</font>lementary
   
           <font class="first">F</font>acts
   
           <font class="first">A</font>bout
   
           the
   
           <font class="first">D</font>istribution
   
           of
   
           <font class="first">P</font>rimes
   
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="data">
 <tbody>
 <tr>
   <td class="datahead" width="20%">Title:</td>
   <td class="data" width="80%">Elementary Facts About the Distribution of Primes</td>
 </tr>
 
 <tr>
   <td class="datahead">
           Author:
       </td>
   <td class="data">
               <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
       </td>
 </tr>
 
 
 
 <tr>
   <td class="datahead">Submission date:</td>
   <td class="data">2019-02-21</td>
 </tr>
 
 <tr>
   <td class="datahead" valign="top">Abstract:</td>
   <td class="abstract mathjax_process">
 <p>This entry is a formalisation of Chapter 4 (and parts of
 Chapter 3) of Apostol's <a
 href="https://www.springer.com/de/book/9780387901633"><em>Introduction
 to Analytic Number Theory</em></a>. The main topics that
 are addressed are properties of the distribution of prime numbers that
 can be shown in an elementary way (i.&thinsp;e. without the Prime
 Number Theorem), the various equivalent forms of the PNT (which imply
 each other in elementary ways), and consequences that follow from the
 PNT in elementary ways. The latter include, most notably, asymptotic
 bounds for the number of distinct prime factors of
 <em>n</em>, the divisor function
 <em>d(n)</em>, Euler's totient function
 <em>&phi;(n)</em>, and
 lcm(1,&hellip;,<em>n</em>).</p></td>
 </tr>
 
 
 <tr>
   <td class="datahead" valign="top">BibTeX:</td>
   <td class="formatted">
         <pre>@article{Prime_Distribution_Elementary-AFP,
   author  = {Manuel Eberl},
   title   = {Elementary Facts About the Distribution of Primes},
   journal = {Archive of Formal Proofs},
   month   = feb,
   year    = 2019,
   note    = {\url{http://isa-afp.org/entries/Prime_Distribution_Elementary.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }</pre>
   </td>
 </tr>
 
     <tr><td class="datahead">License:</td>
         <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
 
     
                       <tr><td class="datahead">Depends on:</td>
           <td class="data"><a href="Prime_Number_Theorem.html">Prime_Number_Theorem</a>, <a href="Zeta_Function.html">Zeta_Function</a>      </td></tr>
           
                       <tr><td class="datahead">Used by:</td>
-          <td class="data"><a href="IMO2019.html">IMO2019</a>, <a href="Zeta_3_Irrational.html">Zeta_3_Irrational</a>      </td></tr>
+          <td class="data"><a href="IMO2019.html">IMO2019</a>, <a href="Irrational_Series_Erdos_Straus.html">Irrational_Series_Erdos_Straus</a>, <a href="Zeta_3_Irrational.html">Zeta_3_Irrational</a>      </td></tr>
           
 
         
   </tbody>
 </table>
 
 <p></p>
 
 <table class="links">
   <tbody>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Prime_Distribution_Elementary/outline.pdf">Proof outline</a><br>
       <a href="../browser_info/current/AFP/Prime_Distribution_Elementary/document.pdf">Proof document</a>
     </td>
     </tr>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Prime_Distribution_Elementary/index.html">Browse theories</a>
       </td></tr>
     <tr>
     <td class="links">
       <a href="../release/afp-Prime_Distribution_Elementary-current.tar.gz">Download this entry</a>
     </td>
     </tr>
 
 
           <tr><td class="links">Older releases:
               <ul>
                               <li>Isabelle 2019:
             <a href="../release/afp-Prime_Distribution_Elementary-2019-06-11.tar.gz">
               afp-Prime_Distribution_Elementary-2019-06-11.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2018:
             <a href="../release/afp-Prime_Distribution_Elementary-2019-02-22.tar.gz">
               afp-Prime_Distribution_Elementary-2019-02-22.tar.gz
             </a>
             </li>
                           </ul>
             </td></tr>
     
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="../jquery.min.js"></script>
 <script src="../script.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/entries/Prime_Number_Theorem.html b/web/entries/Prime_Number_Theorem.html
--- a/web/entries/Prime_Number_Theorem.html
+++ b/web/entries/Prime_Number_Theorem.html
@@ -1,234 +1,234 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>The Prime Number Theorem - Archive of Formal Proofs
 </title>
 <link rel="stylesheet" type="text/css" href="../front.css">
 <link rel="icon" href="../images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
 <!-- MathJax for LaTeX support in abstracts -->
 <script>
 MathJax = {
   tex: {
     inlineMath: [['$', '$'], ['\\(', '\\)']]
   },
   processEscapes: true,
   svg: {
     fontCache: 'global'
   }
 };
 </script>
 <script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
 </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="../images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="../index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1>          <font class="first">T</font>he
   
           <font class="first">P</font>rime
   
           <font class="first">N</font>umber
   
           <font class="first">T</font>heorem
   
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="data">
 <tbody>
 <tr>
   <td class="datahead" width="20%">Title:</td>
   <td class="data" width="80%">The Prime Number Theorem</td>
 </tr>
 
 <tr>
   <td class="datahead">
           Authors:
       </td>
   <td class="data">
                     <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a> and
           <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
       </td>
 </tr>
 
 
 
 <tr>
   <td class="datahead">Submission date:</td>
   <td class="data">2018-09-19</td>
 </tr>
 
 <tr>
   <td class="datahead" valign="top">Abstract:</td>
   <td class="abstract mathjax_process">
 <p>This article provides a short proof of the Prime Number
 Theorem in several equivalent forms, most notably
 &pi;(<em>x</em>) ~ <em>x</em>/ln
 <em>x</em> where &pi;(<em>x</em>) is the
 number of primes no larger than <em>x</em>. It also
 defines other basic number-theoretic functions related to primes like
 Chebyshev's functions &thetasym; and &psi; and the
 &ldquo;<em>n</em>-th prime number&rdquo; function
 p<sub><em>n</em></sub>. We also show various
 bounds and relationship between these functions are shown. Lastly, we
 derive Mertens' First and Second Theorem, i.&thinsp;e.
 &sum;<sub><em>p</em>&le;<em>x</em></sub>
 ln <em>p</em>/<em>p</em> = ln
 <em>x</em> + <em>O</em>(1) and
 &sum;<sub><em>p</em>&le;<em>x</em></sub>
 1/<em>p</em> = ln ln <em>x</em> + M +
 <em>O</em>(1/ln <em>x</em>). We also give
 explicit bounds for the remainder terms.</p> <p>The proof
 of the Prime Number Theorem builds on a library of Dirichlet series
 and analytic combinatorics. We essentially follow the presentation by
 Newman. The core part of the proof is a Tauberian theorem for
 Dirichlet series, which is proven using complex analysis and then used
 to strengthen Mertens' First Theorem to
 &sum;<sub><em>p</em>&le;<em>x</em></sub>
 ln <em>p</em>/<em>p</em> = ln
 <em>x</em> + c + <em>o</em>(1).</p>
 <p>A variant of this proof has been formalised before by
 Harrison in HOL Light, and formalisations of Selberg's elementary
 proof exist both by Avigad <em>et al.</em> in Isabelle and
 by Carneiro in Metamath. The advantage of the analytic proof is that,
 while it requires more powerful mathematical tools, it is considerably
 shorter and clearer. This article attempts to provide a short and
 clear formalisation of all components of that proof using the full
 range of mathematical machinery available in Isabelle, staying as
 close as possible to Newman's simple paper proof.</p></td>
 </tr>
 
 
 <tr>
   <td class="datahead" valign="top">BibTeX:</td>
   <td class="formatted">
         <pre>@article{Prime_Number_Theorem-AFP,
   author  = {Manuel Eberl and Lawrence C. Paulson},
   title   = {The Prime Number Theorem},
   journal = {Archive of Formal Proofs},
   month   = sep,
   year    = 2018,
   note    = {\url{http://isa-afp.org/entries/Prime_Number_Theorem.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }</pre>
   </td>
 </tr>
 
     <tr><td class="datahead">License:</td>
         <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
 
     
                       <tr><td class="datahead">Depends on:</td>
           <td class="data"><a href="Stirling_Formula.html">Stirling_Formula</a>, <a href="Zeta_Function.html">Zeta_Function</a>      </td></tr>
           
                       <tr><td class="datahead">Used by:</td>
-          <td class="data"><a href="Prime_Distribution_Elementary.html">Prime_Distribution_Elementary</a>, <a href="Transcendence_Series_Hancl_Rucki.html">Transcendence_Series_Hancl_Rucki</a>, <a href="Zeta_3_Irrational.html">Zeta_3_Irrational</a>      </td></tr>
+          <td class="data"><a href="Irrational_Series_Erdos_Straus.html">Irrational_Series_Erdos_Straus</a>, <a href="Prime_Distribution_Elementary.html">Prime_Distribution_Elementary</a>, <a href="Transcendence_Series_Hancl_Rucki.html">Transcendence_Series_Hancl_Rucki</a>, <a href="Zeta_3_Irrational.html">Zeta_3_Irrational</a>      </td></tr>
           
 
         
   </tbody>
 </table>
 
 <p></p>
 
 <table class="links">
   <tbody>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Prime_Number_Theorem/outline.pdf">Proof outline</a><br>
       <a href="../browser_info/current/AFP/Prime_Number_Theorem/document.pdf">Proof document</a>
     </td>
     </tr>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Prime_Number_Theorem/index.html">Browse theories</a>
       </td></tr>
     <tr>
     <td class="links">
       <a href="../release/afp-Prime_Number_Theorem-current.tar.gz">Download this entry</a>
     </td>
     </tr>
 
 
           <tr><td class="links">Older releases:
               <ul>
                               <li>Isabelle 2019:
             <a href="../release/afp-Prime_Number_Theorem-2019-06-11.tar.gz">
               afp-Prime_Number_Theorem-2019-06-11.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2018:
             <a href="../release/afp-Prime_Number_Theorem-2018-09-20.tar.gz">
               afp-Prime_Number_Theorem-2018-09-20.tar.gz
             </a>
             </li>
                           </ul>
             </td></tr>
     
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="../jquery.min.js"></script>
 <script src="../script.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/entries/Recursion-Addition.html b/web/entries/Recursion-Addition.html
new file mode 100644
--- /dev/null
+++ b/web/entries/Recursion-Addition.html
@@ -0,0 +1,189 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>Recursion Theorem in ZF - Archive of Formal Proofs
+</title>
+<link rel="stylesheet" type="text/css" href="../front.css">
+<link rel="icon" href="../images/favicon.ico" type="image/icon">
+<link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
+<!-- MathJax for LaTeX support in abstracts -->
+<script>
+MathJax = {
+  tex: {
+    inlineMath: [['$', '$'], ['\\(', '\\)']]
+  },
+  processEscapes: true,
+  svg: {
+    fontCache: 'global'
+  }
+};
+</script>
+<script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
+</head>
+
+<body class="mathjax_ignore">
+
+<table width="100%">
+<tbody>
+<tr>
+
+<!-- Navigation -->
+<td width="20%" align="center" valign="top">
+  <p>&nbsp;</p>
+  <a href="https://www.isa-afp.org/">
+    <img src="../images/isabelle.png" width="100" height="88" border=0>
+  </a>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+  <table class="nav" width="80%">
+    <tr>
+      <td class="nav" width="100%"><a href="../index.html">Home</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../about.html">About</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../submitting.html">Submission</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../updating.html">Updating Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../using.html">Using Entries</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../search.html">Search</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../statistics.html">Statistics</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../topics.html">Index</a></td>
+    </tr>
+    <tr>
+      <td class="nav"><a href="../download.html">Download</a></td>
+    </tr>
+  </table>
+  <p>&nbsp;</p>
+  <p>&nbsp;</p>
+</td>
+
+
+<!-- Content -->
+<td width="80%" valign="top">
+<div align="center">
+  <p>&nbsp;</p>
+  <h1>          <font class="first">R</font>ecursion
+  
+          <font class="first">T</font>heorem
+  
+          in
+  
+          <font class="first">Z</font>F
+  
+</h1>
+  <p>&nbsp;</p>
+
+<table width="80%" class="data">
+<tbody>
+<tr>
+  <td class="datahead" width="20%">Title:</td>
+  <td class="data" width="80%">Recursion Theorem in ZF</td>
+</tr>
+
+<tr>
+  <td class="datahead">
+          Author:
+      </td>
+  <td class="data">
+              Georgy Dunaev (georgedunaev /at/ gmail /dot/ com)
+      </td>
+</tr>
+
+
+
+<tr>
+  <td class="datahead">Submission date:</td>
+  <td class="data">2020-05-11</td>
+</tr>
+
+<tr>
+  <td class="datahead" valign="top">Abstract:</td>
+  <td class="abstract mathjax_process">
+This document contains a proof of the recursion theorem. This is a
+mechanization of the proof of the recursion theorem from the text <i>Introduction to
+Set Theory</i>, by Karel Hrbacek and Thomas Jech. This
+implementation may be used as the basis for a model of Peano arithmetic in
+ZF. While recursion and the natural numbers are already available in Isabelle/ZF, this clean development
+is much easier to follow.</td>
+</tr>
+
+
+<tr>
+  <td class="datahead" valign="top">BibTeX:</td>
+  <td class="formatted">
+        <pre>@article{Recursion-Addition-AFP,
+  author  = {Georgy Dunaev},
+  title   = {Recursion Theorem in ZF},
+  journal = {Archive of Formal Proofs},
+  month   = may,
+  year    = 2020,
+  note    = {\url{http://isa-afp.org/entries/Recursion-Addition.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}</pre>
+  </td>
+</tr>
+
+    <tr><td class="datahead">License:</td>
+        <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
+
+    
+                    
+                    
+
+        
+  </tbody>
+</table>
+
+<p></p>
+
+<table class="links">
+  <tbody>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Recursion-Addition/outline.pdf">Proof outline</a><br>
+      <a href="../browser_info/current/AFP/Recursion-Addition/document.pdf">Proof document</a>
+    </td>
+    </tr>
+    <tr>
+    <td class="links">
+      <a href="../browser_info/current/AFP/Recursion-Addition/index.html">Browse theories</a>
+      </td></tr>
+    <tr>
+    <td class="links">
+      <a href="../release/afp-Recursion-Addition-current.tar.gz">Download this entry</a>
+    </td>
+    </tr>
+
+
+          <tr><td class="links">Older releases:
+            None
+            </td></tr>
+    
+  </tbody>
+</table>
+
+</div>
+</td>
+
+</tr>
+</tbody>
+</table>
+
+<script src="../jquery.min.js"></script>
+<script src="../script.js"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/entries/Stirling_Formula.html b/web/entries/Stirling_Formula.html
--- a/web/entries/Stirling_Formula.html
+++ b/web/entries/Stirling_Formula.html
@@ -1,212 +1,212 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Stirling's formula - Archive of Formal Proofs
 </title>
 <link rel="stylesheet" type="text/css" href="../front.css">
 <link rel="icon" href="../images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
 <!-- MathJax for LaTeX support in abstracts -->
 <script>
 MathJax = {
   tex: {
     inlineMath: [['$', '$'], ['\\(', '\\)']]
   },
   processEscapes: true,
   svg: {
     fontCache: 'global'
   }
 };
 </script>
 <script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
 </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="../images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="../index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1>          <font class="first">S</font>tirling's
   
           formula
   
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="data">
 <tbody>
 <tr>
   <td class="datahead" width="20%">Title:</td>
   <td class="data" width="80%">Stirling's formula</td>
 </tr>
 
 <tr>
   <td class="datahead">
           Author:
       </td>
   <td class="data">
               <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
       </td>
 </tr>
 
 
 
 <tr>
   <td class="datahead">Submission date:</td>
   <td class="data">2016-09-01</td>
 </tr>
 
 <tr>
   <td class="datahead" valign="top">Abstract:</td>
   <td class="abstract mathjax_process">
 <p>This work contains a proof of Stirling's formula both for the factorial $n! \sim \sqrt{2\pi n} (n/e)^n$ on natural numbers and the real
 Gamma function $\Gamma(x)\sim \sqrt{2\pi/x} (x/e)^x$. The proof is based on work by <a
 href="http://www.maths.lancs.ac.uk/~jameson/stirlgamma.pdf">Graham Jameson</a>.</p>
 <p>This is then extended to the full asymptotic expansion
 $$\log\Gamma(z) = \big(z - \tfrac{1}{2}\big)\log z - z + \tfrac{1}{2}\log(2\pi) + \sum_{k=1}^{n-1} \frac{B_{k+1}}{k(k+1)} z^{-k}\\
 {} - \frac{1}{n} \int_0^\infty B_n([t])(t + z)^{-n}\,\text{d}t$$
 uniformly for all complex $z\neq 0$ in the cone $\text{arg}(z)\leq \alpha$ for any $\alpha\in(0,\pi)$, with which the above asymptotic
 relation for &Gamma; is also extended to complex arguments.</p></td>
 </tr>
 
 
 <tr>
   <td class="datahead" valign="top">BibTeX:</td>
   <td class="formatted">
         <pre>@article{Stirling_Formula-AFP,
   author  = {Manuel Eberl},
   title   = {Stirling's formula},
   journal = {Archive of Formal Proofs},
   month   = sep,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/Stirling_Formula.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }</pre>
   </td>
 </tr>
 
     <tr><td class="datahead">License:</td>
         <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
 
     
                       <tr><td class="datahead">Depends on:</td>
           <td class="data"><a href="Bernoulli.html">Bernoulli</a>, <a href="Landau_Symbols.html">Landau_Symbols</a>      </td></tr>
           
                       <tr><td class="datahead">Used by:</td>
-          <td class="data"><a href="Comparison_Sort_Lower_Bound.html">Comparison_Sort_Lower_Bound</a>, <a href="Prime_Number_Theorem.html">Prime_Number_Theorem</a>      </td></tr>
+          <td class="data"><a href="Comparison_Sort_Lower_Bound.html">Comparison_Sort_Lower_Bound</a>, <a href="Lambert_W.html">Lambert_W</a>, <a href="Prime_Number_Theorem.html">Prime_Number_Theorem</a>      </td></tr>
           
 
         
   </tbody>
 </table>
 
 <p></p>
 
 <table class="links">
   <tbody>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Stirling_Formula/outline.pdf">Proof outline</a><br>
       <a href="../browser_info/current/AFP/Stirling_Formula/document.pdf">Proof document</a>
     </td>
     </tr>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Stirling_Formula/index.html">Browse theories</a>
       </td></tr>
     <tr>
     <td class="links">
       <a href="../release/afp-Stirling_Formula-current.tar.gz">Download this entry</a>
     </td>
     </tr>
 
 
           <tr><td class="links">Older releases:
               <ul>
                               <li>Isabelle 2019:
             <a href="../release/afp-Stirling_Formula-2019-06-11.tar.gz">
               afp-Stirling_Formula-2019-06-11.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2018:
             <a href="../release/afp-Stirling_Formula-2018-08-16.tar.gz">
               afp-Stirling_Formula-2018-08-16.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2017:
             <a href="../release/afp-Stirling_Formula-2017-10-10.tar.gz">
               afp-Stirling_Formula-2017-10-10.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2016-1:
             <a href="../release/afp-Stirling_Formula-2016-12-17.tar.gz">
               afp-Stirling_Formula-2016-12-17.tar.gz
             </a>
             </li>
                           </ul>
             </td></tr>
     
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="../jquery.min.js"></script>
 <script src="../script.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/entries/Symmetric_Polynomials.html b/web/entries/Symmetric_Polynomials.html
--- a/web/entries/Symmetric_Polynomials.html
+++ b/web/entries/Symmetric_Polynomials.html
@@ -1,219 +1,219 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Symmetric Polynomials - Archive of Formal Proofs
 </title>
 <link rel="stylesheet" type="text/css" href="../front.css">
 <link rel="icon" href="../images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="../rss.xml">
 <!-- MathJax for LaTeX support in abstracts -->
 <script>
 MathJax = {
   tex: {
     inlineMath: [['$', '$'], ['\\(', '\\)']]
   },
   processEscapes: true,
   svg: {
     fontCache: 'global'
   }
 };
 </script>
 <script id="MathJax-script" async src="../components/mathjax/es5/tex-mml-chtml.js"></script>
 </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="../images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="../index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="../download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1>          <font class="first">S</font>ymmetric
   
           <font class="first">P</font>olynomials
   
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="data">
 <tbody>
 <tr>
   <td class="datahead" width="20%">Title:</td>
   <td class="data" width="80%">Symmetric Polynomials</td>
 </tr>
 
 <tr>
   <td class="datahead">
           Author:
       </td>
   <td class="data">
               <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
       </td>
 </tr>
 
 
 
 <tr>
   <td class="datahead">Submission date:</td>
   <td class="data">2018-09-25</td>
 </tr>
 
 <tr>
   <td class="datahead" valign="top">Abstract:</td>
   <td class="abstract mathjax_process">
 <p>A symmetric polynomial is a polynomial in variables
 <em>X</em><sub>1</sub>,&hellip;,<em>X</em><sub>n</sub>
 that does not discriminate between its variables, i.&thinsp;e. it
 is invariant under any permutation of them. These polynomials are
 important in the study of the relationship between the coefficients of
 a univariate polynomial and its roots in its algebraic
 closure.</p> <p>This article provides a definition of
 symmetric polynomials and the elementary symmetric polynomials
 e<sub>1</sub>,&hellip;,e<sub>n</sub> and
 proofs of their basic properties, including three notable
 ones:</p> <ul> <li> Vieta's formula, which
 gives an explicit expression for the <em>k</em>-th
 coefficient of a univariate monic polynomial in terms of its roots
 <em>x</em><sub>1</sub>,&hellip;,<em>x</em><sub>n</sub>,
 namely
 <em>c</em><sub><em>k</em></sub> = (-1)<sup><em>n</em>-<em>k</em></sup>&thinsp;e<sub><em>n</em>-<em>k</em></sub>(<em>x</em><sub>1</sub>,&hellip;,<em>x</em><sub>n</sub>).</li>
 <li>Second, the Fundamental Theorem of Symmetric Polynomials,
 which states that any symmetric polynomial is itself a uniquely
 determined polynomial combination of the elementary symmetric
 polynomials.</li> <li>Third, as a corollary of the
 previous two, that given a polynomial over some ring
 <em>R</em>, any symmetric polynomial combination of its
 roots is also in <em>R</em> even when the roots are not.
 </ul> <p> Both the symmetry property itself and the
 witness for the Fundamental Theorem are executable. </p></td>
 </tr>
 
 
 <tr>
   <td class="datahead" valign="top">BibTeX:</td>
   <td class="formatted">
         <pre>@article{Symmetric_Polynomials-AFP,
   author  = {Manuel Eberl},
   title   = {Symmetric Polynomials},
   journal = {Archive of Formal Proofs},
   month   = sep,
   year    = 2018,
   note    = {\url{http://isa-afp.org/entries/Symmetric_Polynomials.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }</pre>
   </td>
 </tr>
 
     <tr><td class="datahead">License:</td>
         <td class="data"><a href="http://isa-afp.org/LICENSE">BSD License</a></td></tr>
 
     
                       <tr><td class="datahead">Depends on:</td>
           <td class="data"><a href="Polynomials.html">Polynomials</a>      </td></tr>
           
                       <tr><td class="datahead">Used by:</td>
-          <td class="data"><a href="Pi_Transcendental.html">Pi_Transcendental</a>      </td></tr>
+          <td class="data"><a href="Pi_Transcendental.html">Pi_Transcendental</a>, <a href="Power_Sum_Polynomials.html">Power_Sum_Polynomials</a>      </td></tr>
           
 
         
   </tbody>
 </table>
 
 <p></p>
 
 <table class="links">
   <tbody>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Symmetric_Polynomials/outline.pdf">Proof outline</a><br>
       <a href="../browser_info/current/AFP/Symmetric_Polynomials/document.pdf">Proof document</a>
     </td>
     </tr>
     <tr>
     <td class="links">
       <a href="../browser_info/current/AFP/Symmetric_Polynomials/index.html">Browse theories</a>
       </td></tr>
     <tr>
     <td class="links">
       <a href="../release/afp-Symmetric_Polynomials-current.tar.gz">Download this entry</a>
     </td>
     </tr>
 
 
           <tr><td class="links">Older releases:
               <ul>
                               <li>Isabelle 2019:
             <a href="../release/afp-Symmetric_Polynomials-2019-06-11.tar.gz">
               afp-Symmetric_Polynomials-2019-06-11.tar.gz
             </a>
             </li>
                                         <li>Isabelle 2018:
             <a href="../release/afp-Symmetric_Polynomials-2018-09-26.tar.gz">
               afp-Symmetric_Polynomials-2018-09-26.tar.gz
             </a>
             </li>
                           </ul>
             </td></tr>
     
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="../jquery.min.js"></script>
 <script src="../script.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/index.html b/web/index.html
--- a/web/index.html
+++ b/web/index.html
@@ -1,4885 +1,4961 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Archive of Formal Proofs</title>
 <link rel="stylesheet" type="text/css" href="front.css">
 <link rel="icon" href="images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="rss.xml">
  </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1><font class="first">A</font>rchive of
 <font class="first">F</font>ormal
 <font class="first">P</font>roofs</h1>
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td>
 The Archive of Formal Proofs is a collection of proof libraries, examples, and larger scientific developments,
 mechanically checked in the theorem prover <a href="http://isabelle.in.tum.de/">Isabelle</a>. It is organized in the way
 of a scientific journal, is indexed by <a href="http://dblp.uni-trier.de/db/journals/afp/">dblp</a> and has an ISSN:
 2150-914x. Submissions are refereed. The preferred citation style is available <a href="citing.html">[here]</a>. We encourage companion AFP submissions to conference and journal publications.
 <br><br>A <a href="http://devel.isa-afp.org">development version</a> of the archive is available as well.    </td>
   </tr>
 </tbody>
 </table>
 
 <p>&nbsp;</p>
 
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2020</td>
   </tr>
       <tr>
       <td class="entry">
         2020-05-13: <a href="entries/Knuth_Bendix_Order.html">A Formalization of Knuth–Bendix Orders</a>
         <br>
                   Authors:
                         Christian Sternagel
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
+        2020-05-12: <a href="entries/Irrational_Series_Erdos_Straus.html">Irrationality Criteria for Series by Erdős and Straus</a>
+        <br>
+                  Authors:
+                        <a href="https://www.cl.cam.ac.uk/~ak2110/">Angeliki Koutsoukou-Argyraki</a>
+          and     <a href="https://www.cl.cam.ac.uk/~wl302/">Wenda Li</a>
+              </td>
+    </tr>
+      <tr>
+      <td class="entry">
+        2020-05-11: <a href="entries/Recursion-Addition.html">Recursion Theorem in ZF</a>
+        <br>
+                  Author:
+                        Georgy Dunaev
+                        </td>
+    </tr>
+      <tr>
+      <td class="entry">
+        2020-05-08: <a href="entries/LTL_Normal_Form.html">An Efficient Normalisation Procedure for Linear Temporal Logic: Isabelle/HOL Formalisation</a>
+        <br>
+                  Author:
+                        Salomon Sickert
+                        </td>
+    </tr>
+      <tr>
+      <td class="entry">
+        2020-05-06: <a href="entries/Forcing.html">Formalization of Forcing in Isabelle/ZF</a>
+        <br>
+                  Authors:
+                          Emmanuel Gunther,
+                        <a href="https://cs.famaf.unc.edu.ar/~mpagano/">Miguel Pagano</a>
+          and     <a href="https://cs.famaf.unc.edu.ar/~pedro/home_en">Pedro Sánchez Terraf</a>
+              </td>
+    </tr>
+      <tr>
+      <td class="entry">
+        2020-05-02: <a href="entries/Banach_Steinhaus.html">Banach-Steinhaus Theorem</a>
+        <br>
+                  Authors:
+                        <a href="http://kodu.ut.ee/~unruh/">Dominique Unruh</a>
+          and     <a href="https://josephcmac.github.io/">Jose Manuel Rodriguez Caballero</a>
+              </td>
+    </tr>
+      <tr>
+      <td class="entry">
         2020-04-27: <a href="entries/Attack_Trees.html">Attack Trees in Isabelle for GDPR compliance of IoT healthcare systems</a>
         <br>
                   Author:
                         <a href="http://www.cs.mdx.ac.uk/people/florian-kammueller/">Florian Kammueller</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
+        2020-04-24: <a href="entries/Power_Sum_Polynomials.html">Power Sum Polynomials</a>
+        <br>
+                  Author:
+                        <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
+                        </td>
+    </tr>
+      <tr>
+      <td class="entry">
+        2020-04-24: <a href="entries/Lambert_W.html">The Lambert W Function on the Reals</a>
+        <br>
+                  Author:
+                        <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
+                        </td>
+    </tr>
+      <tr>
+      <td class="entry">
+        2020-04-24: <a href="entries/Gaussian_Integers.html">Gaussian Integers</a>
+        <br>
+                  Author:
+                        <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
+                        </td>
+    </tr>
+      <tr>
+      <td class="entry">
+        2020-04-19: <a href="entries/Matrices_for_ODEs.html">Matrices for ODEs</a>
+        <br>
+                  Author:
+                        Jonathan Julian Huerta y Munive
+                        </td>
+    </tr>
+      <tr>
+      <td class="entry">
         2020-04-16: <a href="entries/ADS_Functor.html">Authenticated Data Structures As Functors</a>
         <br>
                   Authors:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
           and     Ognjen Marić
               </td>
     </tr>
       <tr>
       <td class="entry">
         2020-04-10: <a href="entries/Sliding_Window_Algorithm.html">Formalization of an Algorithm for Greedily Computing Associative Aggregations on Sliding Windows</a>
         <br>
                   Authors:
                           Lukas Heimes,
                         <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
           and     Joshua Schneider
               </td>
     </tr>
       <tr>
       <td class="entry">
         2020-04-09: <a href="entries/Saturation_Framework.html">A Comprehensive Framework for Saturation Theorem Proving</a>
         <br>
                   Author:
                         <a href="https://www.mpi-inf.mpg.de/departments/automation-of-logic/people/sophie-tourret/">Sophie Tourret</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2020-04-09: <a href="entries/MFODL_Monitor_Optimized.html">Formalization of an Optimized Monitoring Algorithm for Metric First-Order Dynamic Logic with Aggregations</a>
         <br>
                   Authors:
                           Thibault Dardinier,
                           Lukas Heimes,
                           Martin Raszyk,
                         Joshua Schneider
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2020-04-07: <a href="entries/Lucas_Theorem.html">Lucas's Theorem</a>
         <br>
                   Author:
                         Chelsea Edmonds
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2020-03-25: <a href="entries/WOOT_Strong_Eventual_Consistency.html">Strong Eventual Consistency of the Collaborative Editing Framework WOOT</a>
         <br>
                   Authors:
                         <a href="https://orcid.org/0000-0003-3290-5034">Emin Karayel</a>
           and     Edgar Gonzàlez
               </td>
     </tr>
       <tr>
       <td class="entry">
         2020-03-22: <a href="entries/Furstenberg_Topology.html">Furstenberg's topology and his proof of the infinitude of primes</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2020-03-12: <a href="entries/Relational-Incorrectness-Logic.html">An Under-Approximate Relational Logic</a>
         <br>
                   Author:
                         <a href="https://people.eng.unimelb.edu.au/tobym/">Toby Murray</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2020-03-07: <a href="entries/Hello_World.html">Hello World</a>
         <br>
                   Authors:
                         <a href="http://net.in.tum.de/~diekmann">Cornelius Diekmann</a>
           and     <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2020-02-21: <a href="entries/Goodstein_Lambda.html">Implementing the Goodstein Function in &lambda;-Calculus</a>
         <br>
                   Author:
                         Bertram Felgenhauer
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2020-02-10: <a href="entries/VeriComp.html">A Generic Framework for Verified Compilers</a>
         <br>
                   Author:
                         <a href="https://martin.desharnais.me">Martin Desharnais</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2020-02-01: <a href="entries/Arith_Prog_Rel_Primes.html">Arithmetic progressions and relative primes</a>
         <br>
                   Author:
                         <a href="https://josephcmac.github.io/">José Manuel Rodríguez Caballero</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2020-01-31: <a href="entries/Subset_Boolean_Algebras.html">A Hierarchy of Algebras for Boolean Subsets</a>
         <br>
                   Authors:
                         <a href="http://www.cosc.canterbury.ac.nz/walter.guttmann/">Walter Guttmann</a>
           and     <a href="https://www.informatik.uni-augsburg.de/en/chairs/dbis/pmi/staff/moeller/">Bernhard Möller</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2020-01-17: <a href="entries/Mersenne_Primes.html">Mersenne primes and the Lucas–Lehmer test</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2020-01-16: <a href="entries/Approximation_Algorithms.html">Verified Approximation Algorithms</a>
         <br>
                   Authors:
                           Robin Eßmann,
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
           and     <a href="https://simon-robillard.net/">Simon Robillard</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2020-01-13: <a href="entries/Closest_Pair_Points.html">Closest Pair of Points Algorithms</a>
         <br>
                   Authors:
                         Martin Rau
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2020-01-09: <a href="entries/Skip_Lists.html">Skip Lists</a>
         <br>
                   Authors:
                         <a href="http://cl-informatik.uibk.ac.at/users/mhaslbeck/">Max W. Haslbeck</a>
           and     <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2020-01-06: <a href="entries/Bicategory.html">Bicategories</a>
         <br>
                   Author:
                         Eugene W. Stark
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2019</td>
   </tr>
       <tr>
       <td class="entry">
         2019-12-27: <a href="entries/Zeta_3_Irrational.html">The Irrationality of ζ(3)</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-12-20: <a href="entries/Hybrid_Logic.html">Formalizing a Seligman-Style Tableau System for Hybrid Logic</a>
         <br>
                   Author:
                         <a href="https://people.compute.dtu.dk/ahfrom/">Asta Halkjær From</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-12-18: <a href="entries/Poincare_Bendixson.html">The Poincaré-Bendixson Theorem</a>
         <br>
                   Authors:
                         <a href="http://home.in.tum.de/~immler/">Fabian Immler</a>
           and     <a href="https://www.cs.cmu.edu/~yongkiat/">Yong Kiam Tan</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-12-16: <a href="entries/Poincare_Disc.html">Poincaré Disc Model</a>
         <br>
                   Authors:
                           <a href="http://poincare.matf.bg.ac.rs/~danijela">Danijela Simić</a>,
                         Filip Marić
           and     Pierre Boutry
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-12-16: <a href="entries/Complex_Geometry.html">Complex Geometry</a>
         <br>
                   Authors:
                         Filip Marić
           and     <a href="http://poincare.matf.bg.ac.rs/~danijela">Danijela Simić</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-12-10: <a href="entries/Gauss_Sums.html">Gauss Sums and the Pólya–Vinogradov Inequality</a>
         <br>
                   Authors:
                         <a href="https://people.epfl.ch/rodrigo.raya">Rodrigo Raya</a>
           and     <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-12-04: <a href="entries/Generalized_Counting_Sort.html">An Efficient Generalization of Counting Sort for Large, possibly Infinite Key Ranges</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-11-27: <a href="entries/Interval_Arithmetic_Word32.html">Interval Arithmetic on 32-bit Words</a>
         <br>
                   Author:
                         Brandon Bohrer
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-10-24: <a href="entries/ZFC_in_HOL.html">Zermelo Fraenkel Set Theory in Higher-Order Logic</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-10-22: <a href="entries/Isabelle_C.html">Isabelle/C</a>
         <br>
                   Authors:
                         <a href="https://www.lri.fr/~ftuong/">Frédéric Tuong</a>
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-10-16: <a href="entries/VerifyThis2019.html">VerifyThis 2019 -- Polished Isabelle Solutions</a>
         <br>
                   Authors:
                         Peter Lammich
           and     <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-10-08: <a href="entries/Aristotles_Assertoric_Syllogistic.html">Aristotle's Assertoric Syllogistic</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~ak2110/">Angeliki Koutsoukou-Argyraki</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-10-07: <a href="entries/Sigma_Commit_Crypto.html">Sigma Protocols and Commitment Schemes</a>
         <br>
                   Authors:
                         <a href="https://www.turing.ac.uk/people/doctoral-students/david-butler">David Butler</a>
           and     <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-10-04: <a href="entries/Clean.html">Clean - An Abstract Imperative Programming Language and its Theory</a>
         <br>
                   Authors:
                         <a href="https://www.lri.fr/~ftuong/">Frédéric Tuong</a>
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-09-16: <a href="entries/Generic_Join.html">Formalization of Multiway-Join Algorithms</a>
         <br>
                   Author:
                         Thibault Dardinier
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-09-10: <a href="entries/Hybrid_Systems_VCs.html">Verification Components for Hybrid Systems</a>
         <br>
                   Author:
                         Jonathan Julian Huerta y Munive
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-09-06: <a href="entries/Fourier.html">Fourier Series</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C Paulson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-08-30: <a href="entries/Jacobson_Basic_Algebra.html">A Case Study in Basic Algebra</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~ballarin/">Clemens Ballarin</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-08-16: <a href="entries/Adaptive_State_Counting.html">Formalisation of an Adaptive State Counting Algorithm</a>
         <br>
                   Author:
                         Robert Sachtleben
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-08-14: <a href="entries/Laplace_Transform.html">Laplace Transform</a>
         <br>
                   Author:
                         <a href="http://home.in.tum.de/~immler/">Fabian Immler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-08-06: <a href="entries/Linear_Programming.html">Linear Programming</a>
         <br>
                   Authors:
                         <a href="http://www.parsert.com/">Julian Parsert</a>
           and     <a href="http://cl-informatik.uibk.ac.at/cek/">Cezary Kaliszyk</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-08-06: <a href="entries/C2KA_DistributedSystems.html">Communicating Concurrent Kleene Algebra for Distributed Systems Specification</a>
         <br>
                   Authors:
                         Maxime Buyse
           and     <a href="https://carleton.ca/jaskolka/">Jason Jaskolka</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-08-05: <a href="entries/IMO2019.html">Selected Problems from the International Mathematical Olympiad 2019</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-08-01: <a href="entries/Stellar_Quorums.html">Stellar Quorum Systems</a>
         <br>
                   Author:
                         Giuliano Losa
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-07-30: <a href="entries/TESL_Language.html">A Formal Development of a Polychronous Polytimed Coordination Language</a>
         <br>
                   Authors:
                           Hai Nguyen Van,
                         Frédéric Boulanger
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-07-27: <a href="entries/Szpilrajn.html">Szpilrajn Extension Theorem</a>
         <br>
                   Author:
                         Peter Zeller
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-07-18: <a href="entries/FOL_Seq_Calc1.html">A Sequent Calculus for First-Order Logic</a>
         <br>
                   Author:
                         <a href="https://people.compute.dtu.dk/ahfrom/">Asta Halkjær From</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-07-08: <a href="entries/CakeML_Codegen.html">A Verified Code Generator from Isabelle/HOL to CakeML</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-07-04: <a href="entries/MFOTL_Monitor.html">Formalization of a Monitoring Algorithm for Metric First-Order Temporal Logic</a>
         <br>
                   Authors:
                         Joshua Schneider
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-06-27: <a href="entries/Complete_Non_Orders.html">Complete Non-Orders and Fixed Points</a>
         <br>
                   Authors:
                         <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
           and     <a href="http://group-mmm.org/~dubut/">Jérémy Dubut</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-06-25: <a href="entries/Priority_Search_Trees.html">Priority Search Trees</a>
         <br>
                   Authors:
                         Peter Lammich
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-06-25: <a href="entries/Prim_Dijkstra_Simple.html">Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra</a>
         <br>
                   Authors:
                         Peter Lammich
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-06-21: <a href="entries/Linear_Inequalities.html">Linear Inequalities</a>
         <br>
                   Authors:
                           <a href="http://cl-informatik.uibk.ac.at/users/bottesch/">Ralph Bottesch</a>,
                         Alban Reynaud
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-06-16: <a href="entries/Nullstellensatz.html">Hilbert's Nullstellensatz</a>
         <br>
                   Author:
                         <a href="https://risc.jku.at/m/alexander-maletzky/">Alexander Maletzky</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-06-15: <a href="entries/Groebner_Macaulay.html">Gröbner Bases, Macaulay Matrices and Dubé's Degree Bounds</a>
         <br>
                   Author:
                         <a href="https://risc.jku.at/m/alexander-maletzky/">Alexander Maletzky</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-06-13: <a href="entries/IMP2_Binary_Heap.html">Binary Heaps for IMP2</a>
         <br>
                   Author:
                         Simon Griebel
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-06-03: <a href="entries/Differential_Game_Logic.html">Differential Game Logic</a>
         <br>
                   Author:
                         <a href="http://www.cs.cmu.edu/~aplatzer/">André Platzer</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-05-30: <a href="entries/KD_Tree.html">Multidimensional Binary Search Trees</a>
         <br>
                   Author:
                         Martin Rau
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-05-14: <a href="entries/LambdaAuth.html">Formalization of Generic Authenticated Data Structures</a>
         <br>
                   Authors:
                         Matthias Brun
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-05-09: <a href="entries/Multi_Party_Computation.html">Multi-Party Computation</a>
         <br>
                   Authors:
                         <a href="http://homepages.inf.ed.ac.uk/da/">David Aspinall</a>
           and     <a href="https://www.turing.ac.uk/people/doctoral-students/david-butler">David Butler</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-04-26: <a href="entries/HOL-CSP.html">HOL-CSP Version 2.0</a>
         <br>
                   Authors:
                           Safouan Taha,
                         Lina Ye
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-04-16: <a href="entries/LTL_Master_Theorem.html">A Compositional and Unified Translation of LTL into ω-Automata</a>
         <br>
                   Authors:
                         Benedikt Seidl
           and     Salomon Sickert
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-04-06: <a href="entries/Binding_Syntax_Theory.html">A General Theory of Syntax with Bindings</a>
         <br>
                   Authors:
                         Lorenzo Gheri
           and     Andrei Popescu
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-03-27: <a href="entries/Transcendence_Series_Hancl_Rucki.html">The Transcendence of Certain Infinite Series</a>
         <br>
                   Authors:
                         <a href="https://www.cl.cam.ac.uk/~ak2110/">Angeliki Koutsoukou-Argyraki</a>
           and     <a href="https://www.cl.cam.ac.uk/~wl302/">Wenda Li</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-03-24: <a href="entries/QHLProver.html">Quantum Hoare Logic</a>
         <br>
                   Authors:
                           Junyi Liu,
                           <a href="http://lcs.ios.ac.cn/~bzhan/">Bohua Zhan</a>,
                           Shuling Wang,
                           Shenggang Ying,
                           Tao Liu,
                           Yangjia Li,
                         Mingsheng Ying
           and     Naijun Zhan
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-03-09: <a href="entries/Safe_OCL.html">Safe OCL</a>
         <br>
                   Author:
                         Denis Nikiforov
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-02-21: <a href="entries/Prime_Distribution_Elementary.html">Elementary Facts About the Distribution of Primes</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-02-14: <a href="entries/Kruskal.html">Kruskal's Algorithm for Minimum Spanning Forest</a>
         <br>
                   Authors:
                           <a href="http://in.tum.de/~haslbema/">Maximilian P.L. Haslbeck</a>,
                         Peter Lammich
           and     Julian Biendarra
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-02-11: <a href="entries/Probabilistic_Prime_Tests.html">Probabilistic Primality Testing</a>
         <br>
                   Authors:
                         Daniel Stüwe
           and     <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-02-08: <a href="entries/Universal_Turing_Machine.html">Universal Turing Machine</a>
         <br>
                   Authors:
                           Jian Xu,
                           Xingyuan Zhang,
                         <a href="http://www.inf.kcl.ac.uk/staff/urbanc/">Christian Urban</a>
           and     Sebastiaan J. C. Joosten
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-02-01: <a href="entries/UTP.html">Isabelle/UTP: Mechanised Theory Engineering for Unifying Theories of Programming</a>
         <br>
                   Authors:
                           <a href="https://www-users.cs.york.ac.uk/~simonf/">Simon Foster</a>,
                           Frank Zeyda,
                           Yakoub Nemouchi,
                         Pedro Ribeiro
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-02-01: <a href="entries/List_Inversions.html">The Inversions of a List</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-01-17: <a href="entries/Farkas.html">Farkas' Lemma and Motzkin's Transposition Theorem</a>
         <br>
                   Authors:
                           <a href="http://cl-informatik.uibk.ac.at/users/bottesch/">Ralph Bottesch</a>,
                         <a href="http://cl-informatik.uibk.ac.at/users/mhaslbeck/">Max W. Haslbeck</a>
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-01-15: <a href="entries/IMP2.html">IMP2 – Simple Program Verification in Isabelle/HOL</a>
         <br>
                   Authors:
                         Peter Lammich
           and     <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2019-01-15: <a href="entries/Higher_Order_Terms.html">An Algebra for Higher-Order Terms</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2019-01-07: <a href="entries/Store_Buffer_Reduction.html">A Reduction Theorem for Store Buffers</a>
         <br>
                   Authors:
                         Ernie Cohen
           and     Norbert Schirmer
               </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2018</td>
   </tr>
       <tr>
       <td class="entry">
         2018-12-26: <a href="entries/Core_DOM.html">A Formal Model of the Document Object Model</a>
         <br>
                   Authors:
                         <a href="https://www.brucker.ch/">Achim D. Brucker</a>
           and     <a href="http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg">Michael Herzberg</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-12-25: <a href="entries/Concurrent_Revisions.html">Formalization of Concurrent Revisions</a>
         <br>
                   Author:
                         Roy Overbeek
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-12-21: <a href="entries/Auto2_Imperative_HOL.html">Verifying Imperative Programs using Auto2</a>
         <br>
                   Author:
                         <a href="http://lcs.ios.ac.cn/~bzhan/">Bohua Zhan</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-12-17: <a href="entries/Constructive_Cryptography.html">Constructive Cryptography in HOL</a>
         <br>
                   Authors:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
           and     S. Reza Sefidgar
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-12-11: <a href="entries/Transformer_Semantics.html">Transformer Semantics</a>
         <br>
                   Author:
                         <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-12-11: <a href="entries/Quantales.html">Quantales</a>
         <br>
                   Author:
                         <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-12-11: <a href="entries/Order_Lattice_Props.html">Properties of Orderings and Lattices</a>
         <br>
                   Author:
                         <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-11-23: <a href="entries/Graph_Saturation.html">Graph Saturation</a>
         <br>
                   Author:
                         Sebastiaan J. C. Joosten
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-11-23: <a href="entries/Functional_Ordered_Resolution_Prover.html">A Verified Functional Implementation of Bachmair and Ganzinger's Ordered Resolution Prover</a>
         <br>
                   Authors:
                           <a href="https://people.compute.dtu.dk/andschl/">Anders Schlichtkrull</a>,
                         Jasmin Christian Blanchette
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-11-20: <a href="entries/Auto2_HOL.html">Auto2 Prover</a>
         <br>
                   Author:
                         <a href="http://lcs.ios.ac.cn/~bzhan/">Bohua Zhan</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-11-16: <a href="entries/Matroids.html">Matroids</a>
         <br>
                   Author:
                         Jonas Keinholz
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-11-06: <a href="entries/Generic_Deriving.html">Deriving generic class instances for datatypes</a>
         <br>
                   Authors:
                         Jonas Rädle
           and     <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-10-30: <a href="entries/GewirthPGCProof.html">Formalisation and Evaluation of Alan Gewirth's Proof for the Principle of Generic Consistency in Isabelle/HOL</a>
         <br>
                   Authors:
                         David Fuenmayor
           and     <a href="http://christoph-benzmueller.de">Christoph Benzmüller</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-10-29: <a href="entries/Epistemic_Logic.html">Epistemic Logic</a>
         <br>
                   Author:
                         <a href="https://people.compute.dtu.dk/ahfrom/">Asta Halkjær From</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-10-22: <a href="entries/Smooth_Manifolds.html">Smooth Manifolds</a>
         <br>
                   Authors:
                         <a href="http://home.in.tum.de/~immler/">Fabian Immler</a>
           and     <a href="http://lcs.ios.ac.cn/~bzhan/">Bohua Zhan</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-10-19: <a href="entries/Randomised_BSTs.html">Randomised Binary Search Trees</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-10-19: <a href="entries/Lambda_Free_EPO.html">Formalization of the Embedding Path Order for Lambda-Free Higher-Order Terms</a>
         <br>
                   Author:
                         Alexander Bentkamp
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-10-12: <a href="entries/Factored_Transition_System_Bounding.html">Upper Bounding Diameters of State Spaces of Factored Transition Systems</a>
         <br>
                   Authors:
                         Friedrich Kurz
           and     <a href="http://home.in.tum.de/~mansour/">Mohammad Abdulaziz</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-09-28: <a href="entries/Pi_Transcendental.html">The Transcendence of π</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-09-25: <a href="entries/Symmetric_Polynomials.html">Symmetric Polynomials</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-09-20: <a href="entries/Signature_Groebner.html">Signature-Based Gröbner Basis Algorithms</a>
         <br>
                   Author:
                         <a href="https://risc.jku.at/m/alexander-maletzky/">Alexander Maletzky</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-09-19: <a href="entries/Prime_Number_Theorem.html">The Prime Number Theorem</a>
         <br>
                   Authors:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
           and     <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-09-15: <a href="entries/Aggregation_Algebras.html">Aggregation Algebras</a>
         <br>
                   Author:
                         <a href="http://www.cosc.canterbury.ac.nz/walter.guttmann/">Walter Guttmann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-09-14: <a href="entries/Octonions.html">Octonions</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~ak2110/">Angeliki Koutsoukou-Argyraki</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-09-05: <a href="entries/Quaternions.html">Quaternions</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-09-02: <a href="entries/Budan_Fourier.html">The Budan-Fourier Theorem and Counting Real Roots with Multiplicity</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~wl302/">Wenda Li</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-08-24: <a href="entries/Simplex.html">An Incremental Simplex Algorithm with Unsatisfiable Core Generation</a>
         <br>
                   Authors:
                           Filip Marić,
                         Mirko Spasić
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-08-14: <a href="entries/Minsky_Machines.html">Minsky Machines</a>
         <br>
                   Author:
                         Bertram Felgenhauer
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-07-16: <a href="entries/DiscretePricing.html">Pricing in discrete financial models</a>
         <br>
                   Author:
                         <a href="http://lig-membres.imag.fr/mechenim/">Mnacho Echenim</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-07-04: <a href="entries/Neumann_Morgenstern_Utility.html">Von-Neumann-Morgenstern Utility Theorem</a>
         <br>
                   Authors:
                         <a href="http://www.parsert.com/">Julian Parsert</a>
           and     <a href="http://cl-informatik.uibk.ac.at/cek/">Cezary Kaliszyk</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-06-23: <a href="entries/Pell.html">Pell's Equation</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-06-14: <a href="entries/Projective_Geometry.html">Projective Geometry</a>
         <br>
                   Author:
                         <a href="https://sites.google.com/site/anthonybordg/">Anthony Bordg</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-06-14: <a href="entries/Localization_Ring.html">The Localization of a Commutative Ring</a>
         <br>
                   Author:
                         <a href="https://sites.google.com/site/anthonybordg/">Anthony Bordg</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-06-05: <a href="entries/Partial_Order_Reduction.html">Partial Order Reduction</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~brunnerj/">Julian Brunner</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-05-27: <a href="entries/Optimal_BST.html">Optimal Binary Search Trees</a>
         <br>
                   Authors:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
           and     Dániel Somogyi
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-05-25: <a href="entries/Hidden_Markov_Models.html">Hidden Markov Models</a>
         <br>
                   Author:
                         <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-05-24: <a href="entries/Probabilistic_Timed_Automata.html">Probabilistic Timed Automata</a>
         <br>
                   Authors:
                         <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>
           and     <a href="http://in.tum.de/~hoelzl">Johannes Hölzl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-05-23: <a href="entries/Irrationality_J_Hancl.html">Irrational Rapidly Convergent Series</a>
         <br>
                   Authors:
                         <a href="https://www.cl.cam.ac.uk/~ak2110/">Angeliki Koutsoukou-Argyraki</a>
           and     <a href="https://www.cl.cam.ac.uk/~wl302/">Wenda Li</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-05-23: <a href="entries/AxiomaticCategoryTheory.html">Axiom Systems for Category Theory in Free Logic</a>
         <br>
                   Authors:
                         <a href="http://christoph-benzmueller.de">Christoph Benzmüller</a>
           and     <a href="http://www.cs.cmu.edu/~scott/">Dana Scott</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-05-22: <a href="entries/Monad_Memo_DP.html">Monadification, Memoization and Dynamic Programming</a>
         <br>
                   Authors:
                           <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>,
                         Shuwei Hu
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-05-10: <a href="entries/OpSets.html">OpSets: Sequential Specifications for Replicated Datatypes</a>
         <br>
                   Authors:
                           Martin Kleppmann,
                           Victor B. F. Gomes,
                         Dominic P. Mulligan
           and     Alastair R. Beresford
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-05-07: <a href="entries/Modular_Assembly_Kit_Security.html">An Isabelle/HOL Formalization of the Modular Assembly Kit for Security Properties</a>
         <br>
                   Authors:
                           Oliver Bračevac,
                           Richard Gay,
                           Sylvia Grewe,
                           Heiko Mantel,
                         Henning Sudbrock
           and     Markus Tasch
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-04-29: <a href="entries/WebAssembly.html">WebAssembly</a>
         <br>
                   Author:
                         <a href="http://www.cl.cam.ac.uk/~caw77/">Conrad Watt</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-04-27: <a href="entries/VerifyThis2018.html">VerifyThis 2018 - Polished Isabelle Solutions</a>
         <br>
                   Authors:
                         Peter Lammich
           and     <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-04-24: <a href="entries/BNF_CC.html">Bounded Natural Functors with Covariance and Contravariance</a>
         <br>
                   Authors:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
           and     Joshua Schneider
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-03-22: <a href="entries/Fishburn_Impossibility.html">The Incompatibility of Fishburn-Strategyproofness and Pareto-Efficiency</a>
         <br>
                   Authors:
                           <a href="http://dss.in.tum.de/staff/brandt.html">Felix Brandt</a>,
                           <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>,
                         <a href="http://dss.in.tum.de/staff/christian-saile.html">Christian Saile</a>
           and     <a href="http://dss.in.tum.de/staff/christian-stricker.html">Christian Stricker</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-03-13: <a href="entries/Weight_Balanced_Trees.html">Weight-Balanced Trees</a>
         <br>
                   Authors:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
           and     Stefan Dirix
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-03-12: <a href="entries/CakeML.html">CakeML</a>
         <br>
                   Authors:
                         <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
           and     Yu Zhang
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-03-01: <a href="entries/Architectural_Design_Patterns.html">A Theory of Architectural Design Patterns</a>
         <br>
                   Author:
                         <a href="http://marmsoler.com">Diego Marmsoler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-02-26: <a href="entries/Hoare_Time.html">Hoare Logics for Time Bounds</a>
         <br>
                   Authors:
                         <a href="http://www.in.tum.de/~haslbema">Maximilian P. L. Haslbeck</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-02-06: <a href="entries/Treaps.html">Treaps</a>
         <br>
                   Authors:
                           <a href="http://cl-informatik.uibk.ac.at/users/mhaslbeck/">Maximilian Haslbeck</a>,
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-02-06: <a href="entries/LLL_Factorization.html">A verified factorization algorithm for integer polynomials with polynomial complexity</a>
         <br>
                   Authors:
                           <a href="http://www.unirioja.es/cu/jodivaso/">Jose Divasón</a>,
                           <a href="http://sjcjoosten.nl/">Sebastiaan Joosten</a>,
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
           and     <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-02-06: <a href="entries/First_Order_Terms.html">First-Order Terms</a>
         <br>
                   Authors:
                         Christian Sternagel
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-02-06: <a href="entries/Error_Function.html">The Error Function</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-02-02: <a href="entries/LLL_Basis_Reduction.html">A verified LLL algorithm</a>
         <br>
                   Authors:
                           <a href="http://cl-informatik.uibk.ac.at/users/bottesch/">Ralph Bottesch</a>,
                           <a href="http://www.unirioja.es/cu/jodivaso/">Jose Divasón</a>,
                           <a href="http://cl-informatik.uibk.ac.at/users/mhaslbeck/">Maximilian Haslbeck</a>,
                           <a href="http://sjcjoosten.nl/">Sebastiaan Joosten</a>,
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
           and     <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-01-18: <a href="entries/Ordered_Resolution_Prover.html">Formalization of Bachmair and Ganzinger's Ordered Resolution Prover</a>
         <br>
                   Authors:
                           <a href="https://people.compute.dtu.dk/andschl/">Anders Schlichtkrull</a>,
                           Jasmin Christian Blanchette,
                         <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
           and     Uwe Waldmann
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-01-16: <a href="entries/Gromov_Hyperbolicity.html">Gromov Hyperbolicity</a>
         <br>
                   Author:
                         Sebastien Gouezel
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2018-01-11: <a href="entries/Green.html">An Isabelle/HOL formalisation of Green's Theorem</a>
         <br>
                   Authors:
                         <a href="http://home.in.tum.de/~mansour/">Mohammad Abdulaziz</a>
           and     <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2018-01-08: <a href="entries/Taylor_Models.html">Taylor Models</a>
         <br>
                   Authors:
                         Christoph Traut
           and     <a href="http://home.in.tum.de/~immler/">Fabian Immler</a>
               </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2017</td>
   </tr>
       <tr>
       <td class="entry">
         2017-12-22: <a href="entries/Falling_Factorial_Sum.html">The Falling Factorial of a Sum</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-12-21: <a href="entries/Median_Of_Medians_Selection.html">The Median-of-Medians Selection Algorithm</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-12-21: <a href="entries/Mason_Stothers.html">The Mason–Stothers Theorem</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-12-21: <a href="entries/Dirichlet_L.html">Dirichlet L-Functions and Dirichlet's Theorem</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-12-19: <a href="entries/BNF_Operations.html">Operations on Bounded Natural Functors</a>
         <br>
                   Authors:
                           Jasmin Christian Blanchette,
                         Andrei Popescu
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-12-18: <a href="entries/Knuth_Morris_Pratt.html">The string search algorithm by Knuth, Morris and Pratt</a>
         <br>
                   Authors:
                         Fabian Hellauer
           and     Peter Lammich
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-11-22: <a href="entries/Stochastic_Matrices.html">Stochastic Matrices and the Perron-Frobenius Theorem</a>
         <br>
                   Author:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-11-09: <a href="entries/IMAP-CRDT.html">The IMAP CmRDT</a>
         <br>
                   Authors:
                           Tim Jungnickel,
                         Lennart Oldenburg
           and     Matthias Loibl
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-11-06: <a href="entries/Hybrid_Multi_Lane_Spatial_Logic.html">Hybrid Multi-Lane Spatial Logic</a>
         <br>
                   Author:
                         Sven Linker
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-10-26: <a href="entries/Kuratowski_Closure_Complement.html">The Kuratowski Closure-Complement Theorem</a>
         <br>
                   Authors:
                         <a href="http://peteg.org">Peter Gammie</a>
           and     Gianpaolo Gioiosa
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-10-19: <a href="entries/Transition_Systems_and_Automata.html">Transition Systems and Automata</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~brunnerj/">Julian Brunner</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-10-19: <a href="entries/Buchi_Complementation.html">Büchi Complementation</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~brunnerj/">Julian Brunner</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-10-17: <a href="entries/Winding_Number_Eval.html">Evaluate Winding Numbers through Cauchy Indices</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~wl302/">Wenda Li</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-10-17: <a href="entries/Count_Complex_Roots.html">Count the Number of Complex Roots</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~wl302/">Wenda Li</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-10-14: <a href="entries/Diophantine_Eqns_Lin_Hom.html">Homogeneous Linear Diophantine Equations</a>
         <br>
                   Authors:
                           Florian Messner,
                           <a href="http://www.parsert.com/">Julian Parsert</a>,
                         Jonas Schöpf
           and     Christian Sternagel
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-10-12: <a href="entries/Zeta_Function.html">The Hurwitz and Riemann ζ Functions</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-10-12: <a href="entries/Linear_Recurrences.html">Linear Recurrences</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-10-12: <a href="entries/Dirichlet_Series.html">Dirichlet Series</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-09-21: <a href="entries/Lowe_Ontological_Argument.html">Computer-assisted Reconstruction and Assessment of E. J. Lowe's Modal Ontological Argument</a>
         <br>
                   Authors:
                         David Fuenmayor
           and     <a href="http://christoph-benzmueller.de">Christoph Benzmüller</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-09-17: <a href="entries/PLM.html">Representation and Partial Automation of the Principia Logico-Metaphysica in Isabelle/HOL</a>
         <br>
                   Author:
                         Daniel Kirchner
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-09-06: <a href="entries/AnselmGod.html">Anselm's God in Isabelle/HOL</a>
         <br>
                   Author:
                         <a href="https://philpapers.org/profile/805">Ben Blumson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-09-01: <a href="entries/First_Welfare_Theorem.html">Microeconomics and the First Welfare Theorem</a>
         <br>
                   Authors:
                         <a href="http://www.parsert.com/">Julian Parsert</a>
           and     <a href="http://cl-informatik.uibk.ac.at/cek/">Cezary Kaliszyk</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-08-20: <a href="entries/Root_Balanced_Tree.html">Root-Balanced Tree</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-08-20: <a href="entries/Orbit_Stabiliser.html">Orbit-Stabiliser Theorem with Application to Rotational Symmetries</a>
         <br>
                   Author:
                         Jonas Rädle
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-08-16: <a href="entries/LambdaMu.html">The LambdaMu-calculus</a>
         <br>
                   Authors:
                           Cristina Matache,
                         Victor B. F. Gomes
           and     Dominic P. Mulligan
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-07-31: <a href="entries/Stewart_Apollonius.html">Stewart's Theorem and Apollonius' Theorem</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-07-28: <a href="entries/DynamicArchitectures.html">Dynamic Architectures</a>
         <br>
                   Author:
                         <a href="http://marmsoler.com">Diego Marmsoler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-07-21: <a href="entries/Decl_Sem_Fun_PL.html">Declarative Semantics for Functional Languages</a>
         <br>
                   Author:
                         <a href="http://homes.soic.indiana.edu/jsiek/">Jeremy Siek</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-07-15: <a href="entries/HOLCF-Prelude.html">HOLCF-Prelude</a>
         <br>
                   Authors:
                           Joachim Breitner,
                           Brian Huffman,
                         Neil Mitchell
           and     Christian Sternagel
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-07-13: <a href="entries/Minkowskis_Theorem.html">Minkowski's Theorem</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-07-09: <a href="entries/Name_Carrying_Type_Inference.html">Verified Metatheory and Type Inference for a Name-Carrying Simply-Typed Lambda Calculus</a>
         <br>
                   Author:
                         Michael Rawson
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-07-07: <a href="entries/CRDT.html">A framework for establishing Strong Eventual Consistency for Conflict-free Replicated Datatypes</a>
         <br>
                   Authors:
                           Victor B. F. Gomes,
                           Martin Kleppmann,
                         Dominic P. Mulligan
           and     Alastair R. Beresford
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-07-06: <a href="entries/Stone_Kleene_Relation_Algebras.html">Stone-Kleene Relation Algebras</a>
         <br>
                   Author:
                         <a href="http://www.cosc.canterbury.ac.nz/walter.guttmann/">Walter Guttmann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-06-21: <a href="entries/Propositional_Proof_Systems.html">Propositional Proof Systems</a>
         <br>
                   Authors:
                         <a href="http://liftm.de">Julius Michaelis</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-06-13: <a href="entries/PSemigroupsConvolution.html">Partial Semigroups and Convolution Algebras</a>
         <br>
                   Authors:
                           Brijesh Dongol,
                           Victor B. F. Gomes,
                         Ian J. Hayes
           and     <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-06-06: <a href="entries/Buffons_Needle.html">Buffon's Needle Problem</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-06-01: <a href="entries/Prpu_Maxflow.html">Formalizing Push-Relabel Algorithms</a>
         <br>
                   Authors:
                         Peter Lammich
           and     S. Reza Sefidgar
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-06-01: <a href="entries/Flow_Networks.html">Flow Networks and the Min-Cut-Max-Flow Theorem</a>
         <br>
                   Authors:
                         Peter Lammich
           and     S. Reza Sefidgar
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-25: <a href="entries/Optics.html">Optics</a>
         <br>
                   Authors:
                         <a href="https://www-users.cs.york.ac.uk/~simonf/">Simon Foster</a>
           and     Frank Zeyda
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-24: <a href="entries/Security_Protocol_Refinement.html">Developing Security Protocols by Refinement</a>
         <br>
                   Authors:
                         Christoph Sprenger
           and     Ivano Somaini
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-24: <a href="entries/Dict_Construction.html">Dictionary Construction</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-08: <a href="entries/Floyd_Warshall.html">The Floyd-Warshall Algorithm for Shortest Paths</a>
         <br>
                   Authors:
                         <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>
           and     Peter Lammich
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-05: <a href="entries/Probabilistic_While.html">Probabilistic while loop</a>
         <br>
                   Author:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-05: <a href="entries/Monomorphic_Monad.html">Effect polymorphism in higher-order logic</a>
         <br>
                   Author:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-05: <a href="entries/Monad_Normalisation.html">Monad normalisation</a>
         <br>
                   Authors:
                           Joshua Schneider,
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
           and     <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-05: <a href="entries/Game_Based_Crypto.html">Game-based cryptography in HOL</a>
         <br>
                   Authors:
                           <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>,
                         S. Reza Sefidgar
           and     Bhargav Bhatt
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-05: <a href="entries/CryptHOL.html">CryptHOL</a>
         <br>
                   Author:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-04: <a href="entries/MonoidalCategory.html">Monoidal Categories</a>
         <br>
                   Author:
                         Eugene W. Stark
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-05-01: <a href="entries/Types_Tableaus_and_Goedels_God.html">Types, Tableaus and Gödel’s God in Isabelle/HOL</a>
         <br>
                   Authors:
                         David Fuenmayor
           and     <a href="http://christoph-benzmueller.de">Christoph Benzmüller</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-04-28: <a href="entries/LocalLexing.html">Local Lexing</a>
         <br>
                   Author:
                         Steven Obua
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-04-19: <a href="entries/Constructor_Funs.html">Constructor Functions</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-04-18: <a href="entries/Lazy_Case.html">Lazifying case constants</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-04-06: <a href="entries/Subresultants.html">Subresultants</a>
         <br>
                   Authors:
                           <a href="http://sjcjoosten.nl/">Sebastiaan Joosten</a>,
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
           and     <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-04-04: <a href="entries/Random_BSTs.html">Expected Shape of Random Binary Search Trees</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-03-15: <a href="entries/Quick_Sort_Cost.html">The number of comparisons in QuickSort</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-03-15: <a href="entries/Comparison_Sort_Lower_Bound.html">Lower bound on comparison-based sorting algorithms</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-03-10: <a href="entries/Euler_MacLaurin.html">The Euler–MacLaurin Formula</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-02-28: <a href="entries/Elliptic_Curves_Group_Law.html">The Group Law for Elliptic Curves</a>
         <br>
                   Author:
                         <a href="http://www.in.tum.de/~berghofe">Stefan Berghofer</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-02-26: <a href="entries/Menger.html">Menger's Theorem</a>
         <br>
                   Author:
                         <a href="http://logic.las.tu-berlin.de/Members/Dittmann/">Christoph Dittmann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-02-13: <a href="entries/Differential_Dynamic_Logic.html">Differential Dynamic Logic</a>
         <br>
                   Author:
                         Brandon Bohrer
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-02-10: <a href="entries/Abstract_Soundness.html">Abstract Soundness</a>
         <br>
                   Authors:
                           Jasmin Christian Blanchette,
                         Andrei Popescu
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-02-07: <a href="entries/Stone_Relation_Algebras.html">Stone Relation Algebras</a>
         <br>
                   Author:
                         <a href="http://www.cosc.canterbury.ac.nz/walter.guttmann/">Walter Guttmann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-01-31: <a href="entries/Key_Agreement_Strong_Adversaries.html">Refining Authenticated Key Agreement with Strong Adversaries</a>
         <br>
                   Authors:
                         Joseph Lallemand
           and     Christoph Sprenger
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-01-24: <a href="entries/Bernoulli.html">Bernoulli Numbers</a>
         <br>
                   Authors:
                         Lukas Bulwahn
           and     <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-01-17: <a href="entries/Minimal_SSA.html">Minimal Static Single Assignment Form</a>
         <br>
                   Authors:
                         Max Wagner
           and     <a href="http://pp.ipd.kit.edu/person.php?id=88">Denis Lohner</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-01-17: <a href="entries/Bertrands_Postulate.html">Bertrand's postulate</a>
         <br>
                   Authors:
                         Julian Biendarra
           and     <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-01-12: <a href="entries/E_Transcendental.html">The Transcendence of e</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-01-08: <a href="entries/UPF_Firewall.html">Formal Network Models and Their Application to Firewall Policies</a>
         <br>
                   Authors:
                           <a href="https://www.brucker.ch/">Achim D. Brucker</a>,
                         Lukas Brügger
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2017-01-03: <a href="entries/Password_Authentication_Protocol.html">Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2017-01-01: <a href="entries/FOL_Harrison.html">First-Order Logic According to Harrison</a>
         <br>
                   Authors:
                           <a href="https://people.compute.dtu.dk/aleje/">Alexander Birch Jensen</a>,
                         <a href="https://people.compute.dtu.dk/andschl/">Anders Schlichtkrull</a>
           and     <a href="https://people.compute.dtu.dk/jovi/">Jørgen Villadsen</a>
               </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2016</td>
   </tr>
       <tr>
       <td class="entry">
         2016-12-30: <a href="entries/Concurrent_Ref_Alg.html">Concurrent Refinement Algebra and Rely Quotients</a>
         <br>
                   Authors:
                           Julian Fell,
                         Ian J. Hayes
           and     <a href="http://andrius.velykis.lt">Andrius Velykis</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-12-29: <a href="entries/Twelvefold_Way.html">The Twelvefold Way</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-12-20: <a href="entries/Proof_Strategy_Language.html">Proof Strategy Language</a>
         <br>
                   Author:
                         Yutaka Nagashima
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-12-07: <a href="entries/Paraconsistency.html">Paraconsistency</a>
         <br>
                   Authors:
                         <a href="https://people.compute.dtu.dk/andschl/">Anders Schlichtkrull</a>
           and     <a href="https://people.compute.dtu.dk/jovi/">Jørgen Villadsen</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-11-29: <a href="entries/Complx.html">COMPLX: A Verification Framework for Concurrent Imperative Programs</a>
         <br>
                   Authors:
                           Sidney Amani,
                           June Andronick,
                           Maksym Bortin,
                           Corey Lewis,
                         Christine Rizkallah
           and     Joseph Tuong
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-11-23: <a href="entries/Abs_Int_ITP2012.html">Abstract Interpretation of Annotated Commands</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-11-16: <a href="entries/Separata.html">Separata: Isabelle tactics for Separation Algebra</a>
         <br>
                   Authors:
                           Zhe Hou,
                           David Sanan,
                           Alwen Tiu,
                         Rajeev Gore
           and     Ranald Clouston
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-11-12: <a href="entries/Nested_Multisets_Ordinals.html">Formalization of Nested Multisets, Hereditary Multisets, and Syntactic Ordinals</a>
         <br>
                   Authors:
                           Jasmin Christian Blanchette,
                         Mathias Fleury
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-11-12: <a href="entries/Lambda_Free_KBOs.html">Formalization of Knuth–Bendix Orders for Lambda-Free Higher-Order Terms</a>
         <br>
                   Authors:
                           Heiko Becker,
                           Jasmin Christian Blanchette,
                         Uwe Waldmann
           and     Daniel Wand
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-11-10: <a href="entries/Deep_Learning.html">Expressiveness of Deep Learning</a>
         <br>
                   Author:
                         Alexander Bentkamp
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-10-25: <a href="entries/Modal_Logics_for_NTS.html">Modal Logics for Nominal Transition Systems</a>
         <br>
                   Authors:
                           Tjark Weber,
                           Lars-Henrik Eriksson,
                           Joachim Parrow,
                         Johannes Borgström
           and     Ramunas Gutkovas
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-10-24: <a href="entries/Stable_Matching.html">Stable Matching</a>
         <br>
                   Author:
                         <a href="http://peteg.org">Peter Gammie</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-10-21: <a href="entries/LOFT.html">LOFT — Verified Migration of Linux Firewalls to SDN</a>
         <br>
                   Authors:
                         <a href="http://liftm.de">Julius Michaelis</a>
           and     <a href="http://net.in.tum.de/~diekmann">Cornelius Diekmann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-10-19: <a href="entries/Source_Coding_Theorem.html">Source Coding Theorem</a>
         <br>
                   Authors:
                         Quentin Hibon
           and     <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-10-19: <a href="entries/SPARCv8.html">A formal model for the SPARCv8 ISA and a proof of non-interference for the LEON3 processor</a>
         <br>
                   Authors:
                           Zhe Hou,
                           David Sanan,
                         Alwen Tiu
           and     Yang Liu
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-10-14: <a href="entries/Berlekamp_Zassenhaus.html">The Factorization Algorithm of Berlekamp and Zassenhaus</a>
         <br>
                   Authors:
                           <a href="http://www.unirioja.es/cu/jodivaso/">Jose Divasón</a>,
                           <a href="http://sjcjoosten.nl/">Sebastiaan Joosten</a>,
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
           and     <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-10-11: <a href="entries/Chord_Segments.html">Intersecting Chords Theorem</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-10-05: <a href="entries/Lp.html">Lp spaces</a>
         <br>
                   Author:
                         Sebastien Gouezel
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-09-30: <a href="entries/Fisher_Yates.html">Fisher–Yates shuffle</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-09-29: <a href="entries/Allen_Calculus.html">Allen's Interval Calculus</a>
         <br>
                   Author:
                         Fadoua Ghourabi
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-09-23: <a href="entries/Lambda_Free_RPOs.html">Formalization of Recursive Path Orders for Lambda-Free Higher-Order Terms</a>
         <br>
                   Authors:
                           Jasmin Christian Blanchette,
                         Uwe Waldmann
           and     Daniel Wand
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-09-09: <a href="entries/Iptables_Semantics.html">Iptables Semantics</a>
         <br>
                   Authors:
                         <a href="http://net.in.tum.de/~diekmann">Cornelius Diekmann</a>
           and     <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-09-06: <a href="entries/SuperCalc.html">A Variant of the Superposition Calculus</a>
         <br>
                   Author:
                         <a href="http://membres-lig.imag.fr/peltier/">Nicolas Peltier</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-09-06: <a href="entries/Stone_Algebras.html">Stone Algebras</a>
         <br>
                   Author:
                         <a href="http://www.cosc.canterbury.ac.nz/walter.guttmann/">Walter Guttmann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-09-01: <a href="entries/Stirling_Formula.html">Stirling's formula</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-08-31: <a href="entries/Routing.html">Routing</a>
         <br>
                   Authors:
                         <a href="http://liftm.de">Julius Michaelis</a>
           and     <a href="http://net.in.tum.de/~diekmann">Cornelius Diekmann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-08-24: <a href="entries/Simple_Firewall.html">Simple Firewall</a>
         <br>
                   Authors:
                           <a href="http://net.in.tum.de/~diekmann">Cornelius Diekmann</a>,
                         <a href="http://liftm.de">Julius Michaelis</a>
           and     <a href="http://cl-informatik.uibk.ac.at/users/mhaslbeck/">Maximilian Haslbeck</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-08-18: <a href="entries/InfPathElimination.html">Infeasible Paths Elimination by Symbolic Execution Techniques: Proof of Correctness and Preservation of Paths</a>
         <br>
                   Authors:
                           Romain Aissat,
                         Frederic Voisin
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-08-12: <a href="entries/EdmondsKarp_Maxflow.html">Formalizing the Edmonds-Karp Algorithm</a>
         <br>
                   Authors:
                         Peter Lammich
           and     S. Reza Sefidgar
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-08-08: <a href="entries/Refine_Imperative_HOL.html">The Imperative Refinement Framework</a>
         <br>
                   Author:
                         Peter Lammich
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-08-07: <a href="entries/Ptolemys_Theorem.html">Ptolemy's Theorem</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-07-17: <a href="entries/Surprise_Paradox.html">Surprise Paradox</a>
         <br>
                   Author:
                         Joachim Breitner
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-07-14: <a href="entries/Pairing_Heap.html">Pairing Heap</a>
         <br>
                   Authors:
                         Hauke Brinkop
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-07-05: <a href="entries/DFS_Framework.html">A Framework for Verifying Depth-First Search Algorithms</a>
         <br>
                   Authors:
                         Peter Lammich
           and     René Neumann
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-07-01: <a href="entries/Buildings.html">Chamber Complexes, Coxeter Systems, and Buildings</a>
         <br>
                   Author:
                         <a href="http://ualberta.ca/~jsylvest/">Jeremy Sylvestre</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-30: <a href="entries/Rewriting_Z.html">The Z Property</a>
         <br>
                   Authors:
                           Bertram Felgenhauer,
                           Julian Nagele,
                         Vincent van Oostrom
           and     Christian Sternagel
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-30: <a href="entries/Resolution_FOL.html">The Resolution Calculus for First-Order Logic</a>
         <br>
                   Author:
                         <a href="https://people.compute.dtu.dk/andschl/">Anders Schlichtkrull</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-28: <a href="entries/IP_Addresses.html">IP Addresses</a>
         <br>
                   Authors:
                           <a href="http://net.in.tum.de/~diekmann">Cornelius Diekmann</a>,
                         <a href="http://liftm.de">Julius Michaelis</a>
           and     <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-28: <a href="entries/Dependent_SIFUM_Refinement.html">Compositional Security-Preserving Refinement for Concurrent Imperative Programs</a>
         <br>
                   Authors:
                           <a href="https://people.eng.unimelb.edu.au/tobym/">Toby Murray</a>,
                           Robert Sison,
                         Edward Pierzchalski
           and     Christine Rizkallah
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-26: <a href="entries/Category3.html">Category Theory with Adjunctions and Limits</a>
         <br>
                   Author:
                         Eugene W. Stark
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-26: <a href="entries/Card_Multisets.html">Cardinality of Multisets</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-25: <a href="entries/Dependent_SIFUM_Type_Systems.html">A Dependent Security Type System for Concurrent Imperative Programs</a>
         <br>
                   Authors:
                           <a href="https://people.eng.unimelb.edu.au/tobym/">Toby Murray</a>,
                           Robert Sison,
                         Edward Pierzchalski
           and     Christine Rizkallah
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-21: <a href="entries/Catalan_Numbers.html">Catalan Numbers</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-18: <a href="entries/Algebraic_VCs.html">Program Construction and Verification Components Based on Kleene Algebra</a>
         <br>
                   Authors:
                         Victor B. F. Gomes
           and     <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-13: <a href="entries/Noninterference_Concurrent_Composition.html">Conservation of CSP Noninterference Security under Concurrent Composition</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-06-09: <a href="entries/Word_Lib.html">Finite Machine Word Library</a>
         <br>
                   Authors:
                           Joel Beeren,
                           Matthew Fernandez,
                           Xin Gao,
                           <a href="http://www.cse.unsw.edu.au/~kleing/">Gerwin Klein</a>,
                           Rafal Kolanski,
                           Japheth Lim,
                           Corey Lewis,
                         Daniel Matichuk
           and     Thomas Sewell
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-31: <a href="entries/Tree_Decomposition.html">Tree Decomposition</a>
         <br>
                   Author:
                         <a href="http://logic.las.tu-berlin.de/Members/Dittmann/">Christoph Dittmann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-24: <a href="entries/Posix-Lexing.html">POSIX Lexing with Derivatives of Regular Expressions</a>
         <br>
                   Authors:
                           <a href="http://kcl.academia.edu/FahadAusaf">Fahad Ausaf</a>,
                         <a href="https://rd.host.cs.st-andrews.ac.uk">Roy Dyckhoff</a>
           and     <a href="http://www.inf.kcl.ac.uk/staff/urbanc/">Christian Urban</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-24: <a href="entries/Card_Equiv_Relations.html">Cardinality of Equivalence Relations</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-20: <a href="entries/Perron_Frobenius.html">Perron-Frobenius Theorem for Spectral Radius Analysis</a>
         <br>
                   Authors:
                           <a href="http://www.unirioja.es/cu/jodivaso/">Jose Divasón</a>,
                           <a href="http://www21.in.tum.de/~kuncar/">Ondřej Kunčar</a>,
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
           and     <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-20: <a href="entries/Incredible_Proof_Machine.html">The meta theory of the Incredible Proof Machine</a>
         <br>
                   Authors:
                         Joachim Breitner
           and     <a href="http://pp.ipd.kit.edu/person.php?id=88">Denis Lohner</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-18: <a href="entries/FLP.html">A Constructive Proof for FLP</a>
         <br>
                   Authors:
                           Benjamin Bisping,
                           Paul-David Brodmann,
                           Tim Jungnickel,
                           Christina Rickmann,
                           Henning Seidler,
                           Anke Stüber,
                           Arno Wilhelm-Weidner,
                         Kirstin Peters
           and     <a href="https://www.mtv.tu-berlin.de/nestmann/">Uwe Nestmann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-09: <a href="entries/MFMC_Countable.html">A Formal Proof of the Max-Flow Min-Cut Theorem for Countable Networks</a>
         <br>
                   Author:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-05: <a href="entries/Randomised_Social_Choice.html">Randomised Social Choice Theory</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-04: <a href="entries/SDS_Impossibility.html">The Incompatibility of SD-Efficiency and SD-Strategy-Proofness</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-04: <a href="entries/Bell_Numbers_Spivey.html">Spivey's Generalized Recurrence for Bell Numbers</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-05-02: <a href="entries/Groebner_Bases.html">Gröbner Bases Theory</a>
         <br>
                   Authors:
                         <a href="http://home.in.tum.de/~immler/">Fabian Immler</a>
           and     <a href="https://risc.jku.at/m/alexander-maletzky/">Alexander Maletzky</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-04-28: <a href="entries/No_FTL_observers.html">No Faster-Than-Light Observers</a>
         <br>
                   Authors:
                         Mike Stannett
           and     <a href="http://www.renyi.hu/~nemeti/">István Németi</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-04-27: <a href="entries/ROBDD.html">Algorithms for Reduced Ordered Binary Decision Diagrams</a>
         <br>
                   Authors:
                           <a href="http://liftm.de">Julius Michaelis</a>,
                           <a href="http://cl-informatik.uibk.ac.at/users/mhaslbeck/">Maximilian Haslbeck</a>,
                         Peter Lammich
           and     <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-04-27: <a href="entries/CYK.html">A formalisation of the Cocke-Younger-Kasami algorithm</a>
         <br>
                   Author:
                         Maksym Bortin
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-04-26: <a href="entries/Noninterference_Sequential_Composition.html">Conservation of CSP Noninterference Security under Sequential Composition</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-04-12: <a href="entries/KAD.html">Kleene Algebras with Domain</a>
         <br>
                   Authors:
                           Victor B. F. Gomes,
                           <a href="http://www.cosc.canterbury.ac.nz/walter.guttmann/">Walter Guttmann</a>,
                           <a href="http://www.hoefner-online.de/">Peter Höfner</a>,
                         <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
           and     Tjark Weber
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-03-11: <a href="entries/PropResPI.html">Propositional Resolution and Prime Implicates Generation</a>
         <br>
                   Author:
                         <a href="http://membres-lig.imag.fr/peltier/">Nicolas Peltier</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-03-08: <a href="entries/Timed_Automata.html">Timed Automata</a>
         <br>
                   Author:
                         <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-03-08: <a href="entries/Cartan_FP.html">The Cartan Fixed Point Theorems</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-03-01: <a href="entries/LTL.html">Linear Temporal Logic</a>
         <br>
                   Author:
                         Salomon Sickert
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-02-17: <a href="entries/List_Update.html">Analysis of List Update Algorithms</a>
         <br>
                   Authors:
                         <a href="http://in.tum.de/~haslbema/">Maximilian P.L. Haslbeck</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-02-05: <a href="entries/Formal_SSA.html">Verified Construction of Static Single Assignment Form</a>
         <br>
                   Authors:
                         Sebastian Ullrich
           and     <a href="http://pp.ipd.kit.edu/person.php?id=88">Denis Lohner</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-01-29: <a href="entries/Polynomial_Interpolation.html">Polynomial Interpolation</a>
         <br>
                   Authors:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
           and     <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-01-29: <a href="entries/Polynomial_Factorization.html">Polynomial Factorization</a>
         <br>
                   Authors:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
           and     <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2016-01-20: <a href="entries/Knot_Theory.html">Knot Theory</a>
         <br>
                   Author:
                         T.V.H. Prathamesh
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-01-18: <a href="entries/Matrix_Tensor.html">Tensor Product of Matrices</a>
         <br>
                   Author:
                         T.V.H. Prathamesh
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2016-01-14: <a href="entries/Card_Number_Partitions.html">Cardinality of Number Partitions</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2015</td>
   </tr>
       <tr>
       <td class="entry">
         2015-12-28: <a href="entries/Triangle.html">Basic Geometric Properties of Triangles</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-12-28: <a href="entries/Prime_Harmonic_Series.html">The Divergence of the Prime Harmonic Series</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-12-28: <a href="entries/Liouville_Numbers.html">Liouville numbers</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-12-28: <a href="entries/Descartes_Sign_Rule.html">Descartes' Rule of Signs</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-12-22: <a href="entries/Stern_Brocot.html">The Stern-Brocot Tree</a>
         <br>
                   Authors:
                         <a href="http://peteg.org">Peter Gammie</a>
           and     <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-12-22: <a href="entries/Applicative_Lifting.html">Applicative Lifting</a>
         <br>
                   Authors:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
           and     Joshua Schneider
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-12-22: <a href="entries/Algebraic_Numbers.html">Algebraic Numbers in Isabelle/HOL</a>
         <br>
                   Authors:
                           <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>,
                         <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
           and     <a href="http://sjcjoosten.nl/">Sebastiaan Joosten</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-12-12: <a href="entries/Card_Partitions.html">Cardinality of Set Partitions</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-12-02: <a href="entries/Latin_Square.html">Latin Square</a>
         <br>
                   Author:
                         Alexander Bentkamp
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-12-01: <a href="entries/Ergodic_Theory.html">Ergodic Theory</a>
         <br>
                   Author:
                         Sebastien Gouezel
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-11-19: <a href="entries/Euler_Partition.html">Euler's Partition Theorem</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-11-18: <a href="entries/TortoiseHare.html">The Tortoise and Hare Algorithm</a>
         <br>
                   Author:
                         <a href="http://peteg.org">Peter Gammie</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-11-11: <a href="entries/Planarity_Certificates.html">Planarity Certificates</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~noschinl/">Lars Noschinski</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-11-02: <a href="entries/Parity_Game.html">Positional Determinacy of Parity Games</a>
         <br>
                   Author:
                         <a href="http://logic.las.tu-berlin.de/Members/Dittmann/">Christoph Dittmann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-09-16: <a href="entries/Isabelle_Meta_Model.html">A Meta-Model for the Isabelle API</a>
         <br>
                   Authors:
                         <a href="https://www.lri.fr/~ftuong/">Frédéric Tuong</a>
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-09-04: <a href="entries/LTL_to_DRA.html">Converting Linear Temporal Logic to Deterministic (Generalized) Rabin Automata</a>
         <br>
                   Author:
                         Salomon Sickert
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-08-21: <a href="entries/Jordan_Normal_Form.html">Matrices, Jordan Normal Forms, and Spectral Radius Theory</a>
         <br>
                   Authors:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
           and     <a href="http://group-mmm.org/~ayamada/">Akihisa Yamada</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-08-20: <a href="entries/Decreasing-Diagrams-II.html">Decreasing Diagrams II</a>
         <br>
                   Author:
                         Bertram Felgenhauer
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-08-18: <a href="entries/Noninterference_Inductive_Unwinding.html">The Inductive Unwinding Theorem for CSP Noninterference Security</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-08-12: <a href="entries/Rep_Fin_Groups.html">Representations of Finite Groups</a>
         <br>
                   Author:
                         <a href="http://ualberta.ca/~jsylvest/">Jeremy Sylvestre</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-08-10: <a href="entries/Encodability_Process_Calculi.html">Analysing and Comparing Encodability Criteria for Process Calculi</a>
         <br>
                   Authors:
                         Kirstin Peters
           and     <a href="http://theory.stanford.edu/~rvg/">Rob van Glabbeek</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-07-21: <a href="entries/Case_Labeling.html">Generating Cases from Labeled Subgoals</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~noschinl/">Lars Noschinski</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-07-14: <a href="entries/Landau_Symbols.html">Landau Symbols</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-07-14: <a href="entries/Akra_Bazzi.html">The Akra-Bazzi theorem and the Master theorem</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-07-07: <a href="entries/Hermite.html">Hermite Normal Form</a>
         <br>
                   Authors:
                         <a href="http://www.unirioja.es/cu/jodivaso/">Jose Divasón</a>
           and     <a href="http://www.unirioja.es/cu/jearansa">Jesús Aransay</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-06-27: <a href="entries/Derangements.html">Derangements Formula</a>
         <br>
                   Author:
                         Lukas Bulwahn
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-06-11: <a href="entries/Noninterference_Ipurge_Unwinding.html">The Ipurge Unwinding Theorem for CSP Noninterference Security</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-06-11: <a href="entries/Noninterference_Generic_Unwinding.html">The Generic Unwinding Theorem for CSP Noninterference Security</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-06-11: <a href="entries/Multirelations.html">Binary Multirelations</a>
         <br>
                   Authors:
                         <a href="http://www.sci.kagoshima-u.ac.jp/~furusawa/">Hitoshi Furusawa</a>
           and     <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-06-11: <a href="entries/List_Interleaving.html">Reasoning about Lists via List Interleaving</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-06-07: <a href="entries/Dynamic_Tables.html">Parameterized Dynamic Tables</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-05-28: <a href="entries/Formula_Derivatives.html">Derivatives of Logical Formulas</a>
         <br>
                   Author:
                         <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-05-27: <a href="entries/Probabilistic_System_Zoo.html">A Zoo of Probabilistic Systems</a>
         <br>
                   Authors:
                           <a href="http://in.tum.de/~hoelzl">Johannes Hölzl</a>,
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-04-30: <a href="entries/Vickrey_Clarke_Groves.html">VCG - Combinatorial Vickrey-Clarke-Groves Auctions</a>
         <br>
                   Authors:
                           Marco B. Caminati,
                           <a href="http://www.cs.bham.ac.uk/~mmk">Manfred Kerber</a>,
                         Christoph Lange
           and     Colin Rowat
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-04-15: <a href="entries/Residuated_Lattices.html">Residuated Lattices</a>
         <br>
                   Authors:
                         Victor B. F. Gomes
           and     <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-04-13: <a href="entries/ConcurrentIMP.html">Concurrent IMP</a>
         <br>
                   Author:
                         <a href="http://peteg.org">Peter Gammie</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-04-13: <a href="entries/ConcurrentGC.html">Relaxing Safely: Verified On-the-Fly Garbage Collection for x86-TSO</a>
         <br>
                   Authors:
                           <a href="http://peteg.org">Peter Gammie</a>,
                         <a href="https://www.cs.purdue.edu/homes/hosking/">Tony Hosking</a>
           and     Kai Engelhardt
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-03-30: <a href="entries/Trie.html">Trie</a>
         <br>
                   Authors:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-03-18: <a href="entries/Consensus_Refined.html">Consensus Refined</a>
         <br>
                   Authors:
                         Ognjen Maric
           and     Christoph Sprenger
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-03-11: <a href="entries/Deriving.html">Deriving class instances for datatypes</a>
         <br>
                   Authors:
                         Christian Sternagel
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-02-20: <a href="entries/Call_Arity.html">The Safety of Call Arity</a>
         <br>
                   Author:
                         Joachim Breitner
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-02-12: <a href="entries/QR_Decomposition.html">QR Decomposition</a>
         <br>
                   Authors:
                         <a href="http://www.unirioja.es/cu/jodivaso/">Jose Divasón</a>
           and     <a href="http://www.unirioja.es/cu/jearansa">Jesús Aransay</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-02-12: <a href="entries/Echelon_Form.html">Echelon Form</a>
         <br>
                   Authors:
                         <a href="http://www.unirioja.es/cu/jodivaso/">Jose Divasón</a>
           and     <a href="http://www.unirioja.es/cu/jearansa">Jesús Aransay</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2015-02-05: <a href="entries/Finite_Automata_HF.html">Finite Automata in Hereditarily Finite Set Theory</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2015-01-28: <a href="entries/UpDown_Scheme.html">Verification of the UpDown Scheme</a>
         <br>
                   Author:
                         <a href="http://in.tum.de/~hoelzl">Johannes Hölzl</a>
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2014</td>
   </tr>
       <tr>
       <td class="entry">
         2014-11-28: <a href="entries/UPF.html">The Unified Policy Framework (UPF)</a>
         <br>
                   Authors:
                           <a href="https://www.brucker.ch/">Achim D. Brucker</a>,
                         Lukas Brügger
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-10-23: <a href="entries/AODV.html">Loop freedom of the (untimed) AODV routing protocol</a>
         <br>
                   Authors:
                         <a href="http://www.tbrk.org">Timothy Bourke</a>
           and     <a href="http://www.hoefner-online.de/">Peter Höfner</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-10-13: <a href="entries/Lifting_Definition_Option.html">Lifting Definition Option</a>
         <br>
                   Author:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-10-10: <a href="entries/Stream_Fusion_Code.html">Stream Fusion in HOL with Code Generation</a>
         <br>
                   Authors:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
           and     Alexandra Maximova
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-10-09: <a href="entries/Density_Compiler.html">A Verified Compiler for Probability Density Functions</a>
         <br>
                   Authors:
                           <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>,
                         <a href="http://in.tum.de/~hoelzl">Johannes Hölzl</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-10-08: <a href="entries/RefinementReactive.html">Formalization of Refinement Calculus for Reactive Systems</a>
         <br>
                   Author:
                         Viorel Preoteasa
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-10-03: <a href="entries/XML.html">XML</a>
         <br>
                   Authors:
                         Christian Sternagel
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-10-03: <a href="entries/Certification_Monads.html">Certification Monads</a>
         <br>
                   Authors:
                         Christian Sternagel
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-09-25: <a href="entries/Imperative_Insertion_Sort.html">Imperative Insertion Sort</a>
         <br>
                   Author:
                         Christian Sternagel
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-09-19: <a href="entries/Sturm_Tarski.html">The Sturm-Tarski Theorem</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~wl302/">Wenda Li</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-09-15: <a href="entries/Cayley_Hamilton.html">The Cayley-Hamilton Theorem</a>
         <br>
                   Authors:
                           <a href="http://nm.wu.ac.at/nm/sadelsbe">Stephan Adelsberger</a>,
                         <a href="http://www.logic.at/people/hetzl/">Stefan Hetzl</a>
           and     Florian Pollak
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-09-09: <a href="entries/Jordan_Hoelder.html">The Jordan-Hölder Theorem</a>
         <br>
                   Author:
                         Jakob von Raumer
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-09-04: <a href="entries/Priority_Queue_Braun.html">Priority Queues Based on Braun Trees</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-09-03: <a href="entries/Gauss_Jordan.html">Gauss-Jordan Algorithm and Its Applications</a>
         <br>
                   Authors:
                         <a href="http://www.unirioja.es/cu/jodivaso/">Jose Divasón</a>
           and     <a href="http://www.unirioja.es/cu/jearansa">Jesús Aransay</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-08-29: <a href="entries/VectorSpace.html">Vector Spaces</a>
         <br>
                   Author:
                         Holden Lee
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-08-29: <a href="entries/Special_Function_Bounds.html">Real-Valued Special Functions: Upper and Lower Bounds</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-08-13: <a href="entries/Skew_Heap.html">Skew Heap</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-08-12: <a href="entries/Splay_Tree.html">Splay Tree</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-07-29: <a href="entries/Show.html">Haskell's Show Class in Isabelle/HOL</a>
         <br>
                   Authors:
                         Christian Sternagel
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-07-18: <a href="entries/CISC-Kernel.html">Formal Specification of a Generic Separation Kernel</a>
         <br>
                   Authors:
                           Freek Verbeek,
                           Sergey Tverdyshev,
                           Oto Havle,
                           Holger Blasum,
                           Bruno Langenstein,
                           Werner Stephan,
                           Yakoub Nemouchi,
                           Abderrahmane Feliachi,
                         <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
           and     Julien Schmaltz
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-07-13: <a href="entries/pGCL.html">pGCL for Isabelle</a>
         <br>
                   Author:
                         David Cock
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-07-07: <a href="entries/Amortized_Complexity.html">Amortized Complexity Verified</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-07-04: <a href="entries/Network_Security_Policy_Verification.html">Network Security Policy Verification</a>
         <br>
                   Author:
                         <a href="http://net.in.tum.de/~diekmann">Cornelius Diekmann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-07-03: <a href="entries/Pop_Refinement.html">Pop-Refinement</a>
         <br>
                   Author:
                         <a href="http://www.kestrel.edu/~coglio">Alessandro Coglio</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-06-12: <a href="entries/MSO_Regex_Equivalence.html">Decision Procedures for MSO on Words Based on Derivatives of Regular Expressions</a>
         <br>
                   Authors:
                         <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-06-08: <a href="entries/Boolean_Expression_Checkers.html">Boolean Expression Checkers</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-05-28: <a href="entries/Promela.html">Promela Formalization</a>
         <br>
                   Author:
                         René Neumann
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-05-28: <a href="entries/LTL_to_GBA.html">Converting Linear-Time Temporal Logic to Generalized Büchi Automata</a>
         <br>
                   Authors:
                         Alexander Schimpf
           and     Peter Lammich
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-05-28: <a href="entries/Gabow_SCC.html">Verified Efficient Implementation of Gabow's Strongly Connected Components Algorithm</a>
         <br>
                   Author:
                         Peter Lammich
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-05-28: <a href="entries/CAVA_LTL_Modelchecker.html">A Fully Verified Executable LTL Model Checker</a>
         <br>
                   Authors:
                           <a href="https://www7.in.tum.de/~esparza/">Javier Esparza</a>,
                           Peter Lammich,
                           René Neumann,
                           <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>,
                         Alexander Schimpf
           and     <a href="http://www.irit.fr/~Jan-Georg.Smaus">Jan-Georg Smaus</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-05-28: <a href="entries/CAVA_Automata.html">The CAVA Automata Library</a>
         <br>
                   Author:
                         Peter Lammich
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-05-23: <a href="entries/Roy_Floyd_Warshall.html">Transitive closure according to Roy-Floyd-Warshall</a>
         <br>
                   Author:
                         Makarius Wenzel
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-05-23: <a href="entries/Noninterference_CSP.html">Noninterference Security in Communicating Sequential Processes</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-05-21: <a href="entries/Regular_Algebras.html">Regular Algebras</a>
         <br>
                   Authors:
                         <a href="https://www-users.cs.york.ac.uk/~simonf/">Simon Foster</a>
           and     <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-04-28: <a href="entries/ComponentDependencies.html">Formalisation and Analysis of Component Dependencies</a>
         <br>
                   Author:
                         Maria Spichkova
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-04-23: <a href="entries/WHATandWHERE_Security.html">A Formalization of Declassification with WHAT-and-WHERE-Security</a>
         <br>
                   Authors:
                           Sylvia Grewe,
                           Alexander Lux,
                         Heiko Mantel
           and     Jens Sauer
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-04-23: <a href="entries/Strong_Security.html">A Formalization of Strong Security</a>
         <br>
                   Authors:
                           Sylvia Grewe,
                           Alexander Lux,
                         Heiko Mantel
           and     Jens Sauer
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-04-23: <a href="entries/SIFUM_Type_Systems.html">A Formalization of Assumptions and Guarantees for Compositional Noninterference</a>
         <br>
                   Authors:
                           Sylvia Grewe,
                         Heiko Mantel
           and     Daniel Schoepe
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-04-22: <a href="entries/Bounded_Deducibility_Security.html">Bounded-Deducibility Security</a>
         <br>
                   Authors:
                         Andrei Popescu
           and     Peter Lammich
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-04-16: <a href="entries/HyperCTL.html">A shallow embedding of HyperCTL*</a>
         <br>
                   Authors:
                           <a href="http://www.react.uni-saarland.de/people/rabe.html">Markus N. Rabe</a>,
                         Peter Lammich
           and     Andrei Popescu
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-04-16: <a href="entries/Abstract_Completeness.html">Abstract Completeness</a>
         <br>
                   Authors:
                           Jasmin Christian Blanchette,
                         Andrei Popescu
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-04-13: <a href="entries/Discrete_Summation.html">Discrete Summation</a>
         <br>
                   Author:
                         <a href="http://isabelle.in.tum.de/~haftmann">Florian Haftmann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-04-03: <a href="entries/GPU_Kernel_PL.html">Syntax and semantics of a GPU kernel programming language</a>
         <br>
                   Author:
                         John Wickerson
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-03-11: <a href="entries/Probabilistic_Noninterference.html">Probabilistic Noninterference</a>
         <br>
                   Authors:
                         Andrei Popescu
           and     <a href="http://in.tum.de/~hoelzl">Johannes Hölzl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-03-08: <a href="entries/AWN.html">Mechanization of the Algebra for Wireless Networks (AWN)</a>
         <br>
                   Author:
                         <a href="http://www.tbrk.org">Timothy Bourke</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-02-18: <a href="entries/Partial_Function_MR.html">Mutually Recursive Partial Functions</a>
         <br>
                   Author:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-02-13: <a href="entries/Random_Graph_Subgraph_Threshold.html">Properties of Random Graphs -- Subgraph Containment</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~hupel/">Lars Hupel</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-02-11: <a href="entries/Selection_Heap_Sort.html">Verification of Selection and Heap Sort Using Locales</a>
         <br>
                   Author:
                         <a href="http://www.matf.bg.ac.rs/~danijela">Danijela Petrovic</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-02-07: <a href="entries/Affine_Arithmetic.html">Affine Arithmetic</a>
         <br>
                   Author:
                         <a href="http://home.in.tum.de/~immler/">Fabian Immler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-02-06: <a href="entries/Real_Impl.html">Implementing field extensions of the form Q[sqrt(b)]</a>
         <br>
                   Author:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-01-30: <a href="entries/Regex_Equivalence.html">Unified Decision Procedures for Regular Expression Equivalence</a>
         <br>
                   Authors:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
           and     <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-01-28: <a href="entries/Secondary_Sylow.html">Secondary Sylow Theorems</a>
         <br>
                   Author:
                         Jakob von Raumer
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-01-25: <a href="entries/Relation_Algebra.html">Relation Algebra</a>
         <br>
                   Authors:
                           Alasdair Armstrong,
                           <a href="https://www-users.cs.york.ac.uk/~simonf/">Simon Foster</a>,
                         <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
           and     Tjark Weber
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-01-23: <a href="entries/KAT_and_DRA.html">Kleene Algebra with Tests and Demonic Refinement Algebras</a>
         <br>
                   Authors:
                           Alasdair Armstrong,
                         Victor B. F. Gomes
           and     <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-01-16: <a href="entries/Featherweight_OCL.html">Featherweight OCL: A Proposal for a Machine-Checked Formal Semantics for OCL 2.5</a>
         <br>
                   Authors:
                           <a href="https://www.brucker.ch/">Achim D. Brucker</a>,
                         <a href="https://www.lri.fr/~ftuong/">Frédéric Tuong</a>
           and     <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2014-01-11: <a href="entries/Sturm_Sequences.html">Sturm's Theorem</a>
         <br>
                   Author:
                         <a href="https://www21.in.tum.de/~eberlm">Manuel Eberl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2014-01-11: <a href="entries/CryptoBasedCompositionalProperties.html">Compositional Properties of Crypto-Based Components</a>
         <br>
                   Author:
                         Maria Spichkova
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2013</td>
   </tr>
       <tr>
       <td class="entry">
         2013-12-01: <a href="entries/Tail_Recursive_Functions.html">A General Method for the Proof of Theorems on Tail-recursive Functions</a>
         <br>
                   Author:
                         Pasquale Noce
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-11-17: <a href="entries/Incompleteness.html">Gödel's Incompleteness Theorems</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-11-17: <a href="entries/HereditarilyFinite.html">The Hereditarily Finite Sets</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-11-15: <a href="entries/Coinductive_Languages.html">A Codatatype of Formal Languages</a>
         <br>
                   Author:
                         <a href="http://people.inf.ethz.ch/trayteld/">Dmitriy Traytel</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-11-14: <a href="entries/FocusStreamsCaseStudies.html">Stream Processing Components: Isabelle/HOL Formalisation and Case Studies</a>
         <br>
                   Author:
                         Maria Spichkova
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-11-12: <a href="entries/GoedelGod.html">Gödel's God in Isabelle/HOL</a>
         <br>
                   Authors:
                         <a href="http://christoph-benzmueller.de">Christoph Benzmüller</a>
           and     <a href="http://www.logic.at/staff/bruno/">Bruno Woltzenlogel Paleo</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2013-11-01: <a href="entries/Decreasing-Diagrams.html">Decreasing Diagrams</a>
         <br>
                   Author:
                         <a href="http://cl-informatik.uibk.ac.at/users/hzankl">Harald Zankl</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-10-02: <a href="entries/Automatic_Refinement.html">Automatic Data Refinement</a>
         <br>
                   Author:
                         Peter Lammich
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-09-17: <a href="entries/Native_Word.html">Native Word</a>
         <br>
                   Author:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-07-27: <a href="entries/IEEE_Floating_Point.html">A Formal Model of IEEE Floating Point Arithmetic</a>
         <br>
                   Author:
                         Lei Yu
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-07-22: <a href="entries/Pratt_Certificate.html">Pratt's Primality Certificates</a>
         <br>
                   Authors:
                         <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>
           and     <a href="http://www21.in.tum.de/~noschinl/">Lars Noschinski</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2013-07-22: <a href="entries/Lehmer.html">Lehmer's Theorem</a>
         <br>
                   Authors:
                         <a href="http://home.in.tum.de/~wimmers/">Simon Wimmer</a>
           and     <a href="http://www21.in.tum.de/~noschinl/">Lars Noschinski</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2013-07-19: <a href="entries/Koenigsberg_Friendship.html">The Königsberg Bridge Problem and the Friendship Theorem</a>
         <br>
                   Author:
                         <a href="https://www.cl.cam.ac.uk/~wl302/">Wenda Li</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-06-27: <a href="entries/Sort_Encodings.html">Sound and Complete Sort Encodings for First-Order Logic</a>
         <br>
                   Authors:
                         Jasmin Christian Blanchette
           and     Andrei Popescu
               </td>
     </tr>
       <tr>
       <td class="entry">
         2013-05-22: <a href="entries/ShortestPath.html">An Axiomatic Characterization of the Single-Source Shortest Path Problem</a>
         <br>
                   Author:
                         Christine Rizkallah
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-04-28: <a href="entries/Graph_Theory.html">Graph Theory</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~noschinl/">Lars Noschinski</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-04-15: <a href="entries/Containers.html">Light-weight Containers</a>
         <br>
                   Author:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-02-21: <a href="entries/Nominal2.html">Nominal 2</a>
         <br>
                   Authors:
                           <a href="http://www.inf.kcl.ac.uk/staff/urbanc/">Christian Urban</a>,
                         <a href="http://www.in.tum.de/~berghofe">Stefan Berghofer</a>
           and     <a href="http://cl-informatik.uibk.ac.at/cek/">Cezary Kaliszyk</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2013-01-31: <a href="entries/Launchbury.html">The Correctness of Launchbury's Natural Semantics for Lazy Evaluation</a>
         <br>
                   Author:
                         Joachim Breitner
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-01-19: <a href="entries/Ribbon_Proofs.html">Ribbon Proofs</a>
         <br>
                   Author:
                         John Wickerson
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2013-01-16: <a href="entries/Rank_Nullity_Theorem.html">Rank-Nullity Theorem in Linear Algebra</a>
         <br>
                   Authors:
                         <a href="http://www.unirioja.es/cu/jodivaso/">Jose Divasón</a>
           and     <a href="http://www.unirioja.es/cu/jearansa">Jesús Aransay</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2013-01-15: <a href="entries/Kleene_Algebra.html">Kleene Algebra</a>
         <br>
                   Authors:
                           Alasdair Armstrong,
                         <a href="http://staffwww.dcs.shef.ac.uk/people/G.Struth/">Georg Struth</a>
           and     Tjark Weber
               </td>
     </tr>
       <tr>
       <td class="entry">
         2013-01-03: <a href="entries/Sqrt_Babylonian.html">Computing N-th Roots using the Babylonian Method</a>
         <br>
                   Author:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2012</td>
   </tr>
       <tr>
       <td class="entry">
         2012-11-14: <a href="entries/Separation_Logic_Imperative_HOL.html">A Separation Logic Framework for Imperative HOL</a>
         <br>
                   Authors:
                         Peter Lammich
           and     Rene Meis
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-11-02: <a href="entries/Open_Induction.html">Open Induction</a>
         <br>
                   Authors:
                         Mizuhito Ogawa
           and     Christian Sternagel
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-10-30: <a href="entries/Tarskis_Geometry.html">The independence of Tarski's Euclidean axiom</a>
         <br>
                   Author:
                         T. J. M. Makarios
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-10-27: <a href="entries/Bondy.html">Bondy's Theorem</a>
         <br>
                   Authors:
                         <a href="http://www.andrew.cmu.edu/user/avigad/">Jeremy Avigad</a>
           and     <a href="http://www.logic.at/people/hetzl/">Stefan Hetzl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-09-10: <a href="entries/Possibilistic_Noninterference.html">Possibilistic Noninterference</a>
         <br>
                   Authors:
                         Andrei Popescu
           and     <a href="http://in.tum.de/~hoelzl">Johannes Hölzl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-08-07: <a href="entries/Datatype_Order_Generator.html">Generating linear orders for datatypes</a>
         <br>
                   Author:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-08-05: <a href="entries/Impossible_Geometry.html">Proving the Impossibility of Trisecting an Angle and Doubling the Cube</a>
         <br>
                   Authors:
                         Ralph Romanos
           and     <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-07-27: <a href="entries/Heard_Of.html">Verifying Fault-Tolerant Distributed Algorithms in the Heard-Of Model</a>
         <br>
                   Authors:
                         Henri Debrat
           and     <a href="http://www.loria.fr/~merz">Stephan Merz</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-07-01: <a href="entries/PCF.html">Logical Relations for PCF</a>
         <br>
                   Author:
                         <a href="http://peteg.org">Peter Gammie</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-06-26: <a href="entries/Tycon.html">Type Constructor Classes and Monad Transformers</a>
         <br>
                   Author:
                         Brian Huffman
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-05-29: <a href="entries/Psi_Calculi.html">Psi-calculi in Isabelle</a>
         <br>
                   Author:
                         <a href="http://www.itu.dk/people/jebe">Jesper Bengtson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-05-29: <a href="entries/Pi_Calculus.html">The pi-calculus in nominal logic</a>
         <br>
                   Author:
                         <a href="http://www.itu.dk/people/jebe">Jesper Bengtson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-05-29: <a href="entries/CCS.html">CCS in nominal logic</a>
         <br>
                   Author:
                         <a href="http://www.itu.dk/people/jebe">Jesper Bengtson</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-05-27: <a href="entries/Circus.html">Isabelle/Circus</a>
         <br>
                   Authors:
                           Abderrahmane Feliachi,
                         <a href="https://www.lri.fr/~wolff/">Burkhart Wolff</a>
           and     Marie-Claude Gaudel
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-05-11: <a href="entries/Separation_Algebra.html">Separation Algebra</a>
         <br>
                   Authors:
                           <a href="http://www.cse.unsw.edu.au/~kleing/">Gerwin Klein</a>,
                         Rafal Kolanski
           and     Andrew Boyton
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-05-07: <a href="entries/Stuttering_Equivalence.html">Stuttering Equivalence</a>
         <br>
                   Author:
                         <a href="http://www.loria.fr/~merz">Stephan Merz</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-05-02: <a href="entries/Inductive_Confidentiality.html">Inductive Study of Confidentiality</a>
         <br>
                   Author:
                         <a href="http://www.dmi.unict.it/~giamp/">Giampaolo Bella</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-04-26: <a href="entries/Ordinary_Differential_Equations.html">Ordinary Differential Equations</a>
         <br>
                   Authors:
                         <a href="http://home.in.tum.de/~immler/">Fabian Immler</a>
           and     <a href="http://in.tum.de/~hoelzl">Johannes Hölzl</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-04-13: <a href="entries/Well_Quasi_Orders.html">Well-Quasi-Orders</a>
         <br>
                   Author:
                         Christian Sternagel
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-03-01: <a href="entries/Abortable_Linearizable_Modules.html">Abortable Linearizable Modules</a>
         <br>
                   Authors:
                           Rachid Guerraoui,
                         <a href="http://lara.epfl.ch/~kuncak/">Viktor Kuncak</a>
           and     Giuliano Losa
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-02-29: <a href="entries/Transitive-Closure-II.html">Executable Transitive Closures</a>
         <br>
                   Author:
                         <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-02-06: <a href="entries/Girth_Chromatic.html">A Probabilistic Proof of the Girth-Chromatic Number Theorem</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~noschinl/">Lars Noschinski</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-01-30: <a href="entries/Refine_Monadic.html">Refinement for Monadic Programs</a>
         <br>
                   Author:
                         Peter Lammich
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2012-01-30: <a href="entries/Dijkstra_Shortest_Path.html">Dijkstra's Shortest Path Algorithm</a>
         <br>
                   Authors:
                         Benedikt Nordhoff
           and     Peter Lammich
               </td>
     </tr>
       <tr>
       <td class="entry">
         2012-01-03: <a href="entries/Markov_Models.html">Markov Models</a>
         <br>
                   Authors:
                         <a href="http://in.tum.de/~hoelzl">Johannes Hölzl</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2011</td>
   </tr>
       <tr>
       <td class="entry">
         2011-11-19: <a href="entries/TLA.html">A Definitional Encoding of TLA* in Isabelle/HOL</a>
         <br>
                   Authors:
                         <a href="http://homepages.inf.ed.ac.uk/ggrov">Gudmund Grov</a>
           and     <a href="http://www.loria.fr/~merz">Stephan Merz</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2011-11-09: <a href="entries/Efficient-Mergesort.html">Efficient Mergesort</a>
         <br>
                   Author:
                         Christian Sternagel
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-09-22: <a href="entries/PseudoHoops.html">Pseudo Hoops</a>
         <br>
                   Authors:
                           George Georgescu,
                         Laurentiu Leustean
           and     Viorel Preoteasa
               </td>
     </tr>
       <tr>
       <td class="entry">
         2011-09-22: <a href="entries/MonoBoolTranAlgebra.html">Algebra of Monotonic Boolean Transformers</a>
         <br>
                   Author:
                         Viorel Preoteasa
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-09-22: <a href="entries/LatticeProperties.html">Lattice Properties</a>
         <br>
                   Author:
                         Viorel Preoteasa
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-08-26: <a href="entries/Myhill-Nerode.html">The Myhill-Nerode Theorem Based on Regular Expressions</a>
         <br>
                   Authors:
                           Chunhan Wu,
                         Xingyuan Zhang
           and     <a href="http://www.inf.kcl.ac.uk/staff/urbanc/">Christian Urban</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2011-08-19: <a href="entries/Gauss-Jordan-Elim-Fun.html">Gauss-Jordan Elimination for Matrices Represented as Functions</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-07-21: <a href="entries/Max-Card-Matching.html">Maximum Cardinality Matching</a>
         <br>
                   Author:
                         Christine Rizkallah
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-05-17: <a href="entries/KBPs.html">Knowledge-based programs</a>
         <br>
                   Author:
                         <a href="http://peteg.org">Peter Gammie</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-04-01: <a href="entries/General-Triangle.html">The General Triangle Is Unique</a>
         <br>
                   Author:
                         Joachim Breitner
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-03-14: <a href="entries/Transitive-Closure.html">Executable Transitive Closures of Finite Relations</a>
         <br>
                   Authors:
                         Christian Sternagel
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2011-02-23: <a href="entries/Nat-Interval-Logic.html">Interval Temporal Logic on Natural Numbers</a>
         <br>
                   Author:
                         David Trachtenherz
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-02-23: <a href="entries/List-Infinite.html">Infinite Lists</a>
         <br>
                   Author:
                         David Trachtenherz
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-02-23: <a href="entries/AutoFocus-Stream.html">AutoFocus Stream Processing for Single-Clocking and Multi-Clocking Semantics</a>
         <br>
                   Author:
                         David Trachtenherz
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-02-07: <a href="entries/LightweightJava.html">Lightweight Java</a>
         <br>
                   Authors:
                         <a href="http://rok.strnisa.com/lj/">Rok Strniša</a>
           and     <a href="http://research.microsoft.com/people/mattpark/">Matthew Parkinson</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2011-01-10: <a href="entries/RIPEMD-160-SPARK.html">RIPEMD-160</a>
         <br>
                   Author:
                         <a href="http://home.in.tum.de/~immler/">Fabian Immler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2011-01-08: <a href="entries/Lower_Semicontinuous.html">Lower Semicontinuous Functions</a>
         <br>
                   Author:
                         Bogdan Grechuk
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2010</td>
   </tr>
       <tr>
       <td class="entry">
         2010-12-17: <a href="entries/Marriage.html">Hall's Marriage Theorem</a>
         <br>
                   Authors:
                         Dongchen Jiang
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-11-16: <a href="entries/Shivers-CFA.html">Shivers' Control Flow Analysis</a>
         <br>
                   Author:
                         Joachim Breitner
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-10-28: <a href="entries/Finger-Trees.html">Finger Trees</a>
         <br>
                   Authors:
                           Benedikt Nordhoff,
                         Stefan Körner
           and     Peter Lammich
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-10-28: <a href="entries/Binomial-Queues.html">Functional Binomial Queues</a>
         <br>
                   Author:
                         René Neumann
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-10-28: <a href="entries/Binomial-Heaps.html">Binomial Heaps and Skew Binomial Heaps</a>
         <br>
                   Authors:
                           Rene Meis,
                         Finn Nielsen
           and     Peter Lammich
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-08-29: <a href="entries/Lam-ml-Normalization.html">Strong Normalization of Moggis's Computational Metalanguage</a>
         <br>
                   Author:
                         Christian Doczkal
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-08-10: <a href="entries/Polynomials.html">Executable Multivariate Polynomials</a>
         <br>
                   Authors:
                           Christian Sternagel,
                           <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>,
                           <a href="https://risc.jku.at/m/alexander-maletzky/">Alexander Maletzky</a>,
                           <a href="http://home.in.tum.de/~immler/">Fabian Immler</a>,
                           <a href="http://isabelle.in.tum.de/~haftmann">Florian Haftmann</a>,
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
           and     Alexander Bentkamp
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-08-08: <a href="entries/Statecharts.html">Formalizing Statecharts using Hierarchical Automata</a>
         <br>
                   Authors:
                         Steffen Helke
           and     Florian Kammüller
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-06-24: <a href="entries/Free-Groups.html">Free Groups</a>
         <br>
                   Author:
                         Joachim Breitner
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-06-20: <a href="entries/Category2.html">Category Theory</a>
         <br>
                   Author:
                         Alexander Katovsky
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-06-17: <a href="entries/Matrix.html">Executable Matrix Operations on Matrices of Arbitrary Dimensions</a>
         <br>
                   Authors:
                         Christian Sternagel
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-06-14: <a href="entries/Abstract-Rewriting.html">Abstract Rewriting</a>
         <br>
                   Authors:
                         Christian Sternagel
           and     <a href="http://cl-informatik.uibk.ac.at/~thiemann/">René Thiemann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-05-28: <a href="entries/GraphMarkingIBP.html">Verification of the Deutsch-Schorr-Waite Graph Marking Algorithm using Data Refinement</a>
         <br>
                   Authors:
                         Viorel Preoteasa
           and     <a href="http://users.abo.fi/Ralph-Johan.Back/">Ralph-Johan Back</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-05-28: <a href="entries/DataRefinementIBP.html">Semantics and Data Refinement of Invariant Based Programs</a>
         <br>
                   Authors:
                         Viorel Preoteasa
           and     <a href="http://users.abo.fi/Ralph-Johan.Back/">Ralph-Johan Back</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-05-22: <a href="entries/Robbins-Conjecture.html">A Complete Proof of the Robbins Conjecture</a>
         <br>
                   Author:
                         Matthew Wampler-Doty
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-05-12: <a href="entries/Regular-Sets.html">Regular Sets and Expressions</a>
         <br>
                   Authors:
                         <a href="http://www.in.tum.de/~krauss">Alexander Krauss</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-04-30: <a href="entries/Locally-Nameless-Sigma.html">Locally Nameless Sigma Calculus</a>
         <br>
                   Authors:
                           Ludovic Henrio,
                           Florian Kammüller,
                         Bianca Lutz
           and     Henry Sudhof
               </td>
     </tr>
       <tr>
       <td class="entry">
         2010-03-29: <a href="entries/Free-Boolean-Algebra.html">Free Boolean Algebra</a>
         <br>
                   Author:
                         Brian Huffman
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-03-23: <a href="entries/InformationFlowSlicing_Inter.html">Inter-Procedural Information Flow Noninterference via Slicing</a>
         <br>
                   Author:
                         <a href="http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php">Daniel Wasserrab</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-03-23: <a href="entries/InformationFlowSlicing.html">Information Flow Noninterference via Slicing</a>
         <br>
                   Author:
                         <a href="http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php">Daniel Wasserrab</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-02-20: <a href="entries/List-Index.html">List Index</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2010-02-12: <a href="entries/Coinductive.html">Coinductive</a>
         <br>
                   Author:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2009</td>
   </tr>
       <tr>
       <td class="entry">
         2009-12-09: <a href="entries/DPT-SAT-Solver.html">A Fast SAT Solver for Isabelle in Standard ML</a>
         <br>
                   Author:
                         Armin Heller
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-12-03: <a href="entries/Presburger-Automata.html">Formalizing the Logic-Automaton Connection</a>
         <br>
                   Authors:
                         <a href="http://www.in.tum.de/~berghofe">Stefan Berghofer</a>
           and     Markus Reiter
               </td>
     </tr>
       <tr>
       <td class="entry">
         2009-11-25: <a href="entries/Tree-Automata.html">Tree Automata</a>
         <br>
                   Author:
                         Peter Lammich
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-11-25: <a href="entries/Collections.html">Collections Framework</a>
         <br>
                   Author:
                         Peter Lammich
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-11-22: <a href="entries/Perfect-Number-Thm.html">Perfect Number Theorem</a>
         <br>
                   Author:
                         Mark Ijbema
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-11-13: <a href="entries/HRB-Slicing.html">Backing up Slicing: Verifying the Interprocedural Two-Phase Horwitz-Reps-Binkley Slicer</a>
         <br>
                   Author:
                         <a href="http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php">Daniel Wasserrab</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-10-30: <a href="entries/WorkerWrapper.html">The Worker/Wrapper Transformation</a>
         <br>
                   Author:
                         <a href="http://peteg.org">Peter Gammie</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-09-01: <a href="entries/Ordinals_and_Cardinals.html">Ordinals and Cardinals</a>
         <br>
                   Author:
                         Andrei Popescu
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-08-28: <a href="entries/SequentInvertibility.html">Invertibility in Sequent Calculi</a>
         <br>
                   Author:
                         Peter Chapman
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-08-04: <a href="entries/CofGroups.html">An Example of a Cofinitary Group in Isabelle/HOL</a>
         <br>
                   Author:
                         <a href="http://kasterma.net">Bart Kastermans</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-05-06: <a href="entries/FinFun.html">Code Generation for Functions as Data</a>
         <br>
                   Author:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2009-04-29: <a href="entries/Stream-Fusion.html">Stream Fusion</a>
         <br>
                   Author:
                         Brian Huffman
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2008</td>
   </tr>
       <tr>
       <td class="entry">
         2008-12-12: <a href="entries/BytecodeLogicJmlTypes.html">A Bytecode Logic for JML and Types</a>
         <br>
                   Authors:
                         Lennart Beringer
           and     <a href="http://www.tcs.informatik.uni-muenchen.de/~mhofmann">Martin Hofmann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2008-11-10: <a href="entries/SIFPL.html">Secure information flow and program logics</a>
         <br>
                   Authors:
                         Lennart Beringer
           and     <a href="http://www.tcs.informatik.uni-muenchen.de/~mhofmann">Martin Hofmann</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2008-11-09: <a href="entries/SenSocialChoice.html">Some classical results in Social Choice Theory</a>
         <br>
                   Author:
                         <a href="http://peteg.org">Peter Gammie</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2008-11-07: <a href="entries/FunWithTilings.html">Fun With Tilings</a>
         <br>
                   Authors:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
           and     <a href="https://www.cl.cam.ac.uk/~lp15/">Lawrence C. Paulson</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2008-10-15: <a href="entries/Huffman.html">The Textbook Proof of Huffman's Algorithm</a>
         <br>
                   Author:
                         Jasmin Christian Blanchette
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2008-09-16: <a href="entries/Slicing.html">Towards Certified Slicing</a>
         <br>
                   Author:
                         <a href="http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php">Daniel Wasserrab</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2008-09-02: <a href="entries/VolpanoSmith.html">A Correctness Proof for the Volpano/Smith Security Typing System</a>
         <br>
                   Authors:
                         <a href="http://pp.info.uni-karlsruhe.de/personhp/gregor_snelting.php">Gregor Snelting</a>
           and     <a href="http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php">Daniel Wasserrab</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2008-09-01: <a href="entries/ArrowImpossibilityGS.html">Arrow and Gibbard-Satterthwaite</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2008-08-26: <a href="entries/FunWithFunctions.html">Fun With Functions</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2008-07-23: <a href="entries/SATSolverVerification.html">Formal Verification of Modern SAT Solvers</a>
         <br>
                   Author:
                         Filip Marić
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2008-04-05: <a href="entries/Recursion-Theory-I.html">Recursion Theory I</a>
         <br>
                   Author:
                         Michael Nedzelsky
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2008-02-29: <a href="entries/Simpl.html">A Sequential Imperative Programming Language Syntax, Semantics, Hoare Logics and Verification Environment</a>
         <br>
                   Author:
                         Norbert Schirmer
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2008-02-29: <a href="entries/BDD.html">BDD Normalisation</a>
         <br>
                   Authors:
                         Veronika Ortner
           and     Norbert Schirmer
               </td>
     </tr>
       <tr>
       <td class="entry">
         2008-02-18: <a href="entries/NormByEval.html">Normalization by Evaluation</a>
         <br>
                   Authors:
                         <a href="http://www.linta.de/~aehlig/">Klaus Aehlig</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2008-01-11: <a href="entries/LinearQuantifierElim.html">Quantifier Elimination for Linear Arithmetic</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2007</td>
   </tr>
       <tr>
       <td class="entry">
         2007-12-14: <a href="entries/Program-Conflict-Analysis.html">Formalization of Conflict Analysis of Programs with Procedures, Thread Creation, and Monitors</a>
         <br>
                   Authors:
                         Peter Lammich
           and     <a href="http://cs.uni-muenster.de/u/mmo/">Markus Müller-Olm</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2007-12-03: <a href="entries/JinjaThreads.html">Jinja with Threads</a>
         <br>
                   Author:
                         <a href="http://www.andreas-lochbihler.de">Andreas Lochbihler</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2007-11-06: <a href="entries/MuchAdoAboutTwo.html">Much Ado About Two</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~boehmes/">Sascha Böhme</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2007-08-12: <a href="entries/SumSquares.html">Sums of Two and Four Squares</a>
         <br>
                   Author:
                         Roelof Oosterhuis
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2007-08-12: <a href="entries/Fermat3_4.html">Fermat's Last Theorem for Exponents 3 and 4 and the Parametrisation of Pythagorean Triples</a>
         <br>
                   Author:
                         Roelof Oosterhuis
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2007-08-08: <a href="entries/Valuation.html">Fundamental Properties of Valuation Theory and Hensel's Lemma</a>
         <br>
                   Author:
                         Hidetsune Kobayashi
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2007-08-02: <a href="entries/POPLmark-deBruijn.html">POPLmark Challenge Via de Bruijn Indices</a>
         <br>
                   Author:
                         <a href="http://www.in.tum.de/~berghofe">Stefan Berghofer</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2007-08-02: <a href="entries/FOL-Fitting.html">First-Order Logic According to Fitting</a>
         <br>
                   Author:
                         <a href="http://www.in.tum.de/~berghofe">Stefan Berghofer</a>
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2006</td>
   </tr>
       <tr>
       <td class="entry">
         2006-09-09: <a href="entries/HotelKeyCards.html">Hotel Key Card System</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2006-08-08: <a href="entries/Abstract-Hoare-Logics.html">Abstract Hoare Logics</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2006-05-22: <a href="entries/Flyspeck-Tame.html">Flyspeck I: Tame Graphs</a>
         <br>
                   Authors:
                         Gertrud Bauer
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2006-05-15: <a href="entries/CoreC++.html">CoreC++</a>
         <br>
                   Author:
                         <a href="http://pp.info.uni-karlsruhe.de/personhp/daniel_wasserrab.php">Daniel Wasserrab</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2006-03-31: <a href="entries/FeatherweightJava.html">A Theory of Featherweight Java in Isabelle/HOL</a>
         <br>
                   Authors:
                         <a href="http://www.cs.cornell.edu/~jnfoster/">J. Nathan Foster</a>
           and     <a href="http://research.microsoft.com/en-us/people/dimitris/">Dimitrios Vytiniotis</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2006-03-15: <a href="entries/ClockSynchInst.html">Instances of Schneider's generalized protocol of clock synchronization</a>
         <br>
                   Author:
                         <a href="http://www.cs.famaf.unc.edu.ar/~damian/">Damián Barsotti</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2006-03-14: <a href="entries/Cauchy.html">Cauchy's Mean Theorem and the Cauchy-Schwarz Inequality</a>
         <br>
                   Author:
                         Benjamin Porter
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2005</td>
   </tr>
       <tr>
       <td class="entry">
         2005-11-11: <a href="entries/Ordinal.html">Countable Ordinals</a>
         <br>
                   Author:
                         Brian Huffman
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2005-10-12: <a href="entries/FFT.html">Fast Fourier Transform</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~ballarin/">Clemens Ballarin</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2005-06-24: <a href="entries/GenClock.html">Formalization of a Generalized Protocol for Clock Synchronization</a>
         <br>
                   Author:
                         Alwen Tiu
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2005-06-22: <a href="entries/DiskPaxos.html">Proving the Correctness of Disk Paxos</a>
         <br>
                   Authors:
                         <a href="http://www.fceia.unr.edu.ar/~mauro/">Mauro Jaskelioff</a>
           and     <a href="http://www.loria.fr/~merz">Stephan Merz</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2005-06-20: <a href="entries/JiveDataStoreModel.html">Jive Data and Store Model</a>
         <br>
                   Authors:
                         Nicole Rauch
           and     Norbert Schirmer
               </td>
     </tr>
       <tr>
       <td class="entry">
         2005-06-01: <a href="entries/Jinja.html">Jinja is not Java</a>
         <br>
                   Authors:
                         <a href="http://www.cse.unsw.edu.au/~kleing/">Gerwin Klein</a>
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2005-05-02: <a href="entries/RSAPSS.html">SHA1, RSA, PSS and more</a>
         <br>
                   Authors:
                         Christina Lindenberg
           and     Kai Wirt
               </td>
     </tr>
       <tr>
       <td class="entry">
         2005-04-21: <a href="entries/Category.html">Category Theory to Yoneda's Lemma</a>
         <br>
                   Author:
                         <a href="http://users.rsise.anu.edu.au/~okeefe/">Greg O'Keefe</a>
                         </td>
     </tr>
   </tbody>
 </table>
 <p>&nbsp;</p>
 
 <table width="80%" class="entries">
 <tbody>
   <tr>
     <td class="head">2004</td>
   </tr>
       <tr>
       <td class="entry">
         2004-12-09: <a href="entries/FileRefinement.html">File Refinement</a>
         <br>
                   Authors:
                         <a href="http://www.mit.edu/~kkz/">Karen Zee</a>
           and     <a href="http://lara.epfl.ch/~kuncak/">Viktor Kuncak</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2004-11-19: <a href="entries/Integration.html">Integration theory and random variables</a>
         <br>
                   Author:
                         <a href="http://www-lti.informatik.rwth-aachen.de/~richter/">Stefan Richter</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2004-09-28: <a href="entries/Verified-Prover.html">A Mechanically Verified, Efficient, Sound and Complete Theorem Prover For First Order Logic</a>
         <br>
                   Author:
                         Tom Ridge
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2004-09-20: <a href="entries/Ramsey-Infinite.html">Ramsey's theorem, infinitary version</a>
         <br>
                   Author:
                         Tom Ridge
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2004-09-20: <a href="entries/Completeness.html">Completeness theorem</a>
         <br>
                   Authors:
                         James Margetson
           and     Tom Ridge
               </td>
     </tr>
       <tr>
       <td class="entry">
         2004-07-09: <a href="entries/Compiling-Exceptions-Correctly.html">Compiling Exceptions Correctly</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2004-06-24: <a href="entries/Depth-First-Search.html">Depth First Search</a>
         <br>
                   Authors:
                         Toshiaki Nishihara
           and     Yasuhiko Minamide
               </td>
     </tr>
       <tr>
       <td class="entry">
         2004-05-18: <a href="entries/Group-Ring-Module.html">Groups, Rings and Modules</a>
         <br>
                   Authors:
                           Hidetsune Kobayashi,
                         L. Chen
           and     H. Murao
               </td>
     </tr>
       <tr>
       <td class="entry">
         2004-04-26: <a href="entries/Topology.html">Topology</a>
         <br>
                   Author:
                         Stefan Friedrich
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2004-04-26: <a href="entries/Lazy-Lists-II.html">Lazy Lists II</a>
         <br>
                   Author:
                         Stefan Friedrich
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2004-04-05: <a href="entries/BinarySearchTree.html">Binary Search Trees</a>
         <br>
                   Author:
                         <a href="http://lara.epfl.ch/~kuncak/">Viktor Kuncak</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2004-03-30: <a href="entries/Functional-Automata.html">Functional Automata</a>
         <br>
                   Author:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
                         </td>
     </tr>
       <tr>
       <td class="entry">
         2004-03-19: <a href="entries/MiniML.html">Mini ML</a>
         <br>
                   Authors:
                         Wolfgang Naraschewski
           and     <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
               </td>
     </tr>
       <tr>
       <td class="entry">
         2004-03-19: <a href="entries/AVL-Trees.html">AVL Trees</a>
         <br>
                   Authors:
                         <a href="http://www21.in.tum.de/~nipkow">Tobias Nipkow</a>
           and     Cornelia Pusch
               </td>
     </tr>
   </tbody>
 </table>
 
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/rss.xml b/web/rss.xml
--- a/web/rss.xml
+++ b/web/rss.xml
@@ -1,588 +1,574 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <channel>
     <atom:link href="https://www.isa-afp.org/rss.xml" rel="self" type="application/rss+xml" />
     <title>Archive of Formal Proofs</title>
     <link>https://www.isa-afp.org</link>
     <description>
       The Archive of Formal Proofs is a collection of proof libraries, examples,
       and larger scientific developments, mechanically checked
       in the theorem prover Isabelle.
     </description>
     <pubDate>13 May 2020 00:00:00 +0000</pubDate>
     <item>
        <title>A Formalization of Knuth–Bendix Orders</title>
               <link>https://www.isa-afp.org/entries/Knuth_Bendix_Order.html</link>
        <guid>https://www.isa-afp.org/entries/Knuth_Bendix_Order.html</guid>
        <dc:creator> Christian Sternagel, René Thiemann       </dc:creator>
        <pubDate>13 May 2020 00:00:00 +0000</pubDate>
        <description>
 We define a generalized version of Knuth&amp;ndash;Bendix orders,
 including subterm coefficient functions. For these orders we formalize
 several properties such as strong normalization, the subterm property,
 closure properties under substitutions and contexts, as well as ground
 totality.</description>
     </item>
     <item>
+       <title>Irrationality Criteria for Series by Erdős and Straus</title>
+              <link>https://www.isa-afp.org/entries/Irrational_Series_Erdos_Straus.html</link>
+       <guid>https://www.isa-afp.org/entries/Irrational_Series_Erdos_Straus.html</guid>
+       <dc:creator> Angeliki Koutsoukou-Argyraki, Wenda Li       </dc:creator>
+       <pubDate>12 May 2020 00:00:00 +0000</pubDate>
+       <description>
+We formalise certain irrationality criteria for infinite series of the form:
+\[\sum_{n=1}^\infty \frac{b_n}{\prod_{i=1}^n a_i} \]
+where $\{b_n\}$ is a sequence of integers and $\{a_n\}$ a sequence of positive integers
+with $a_n &gt;1$ for all large n. The results are due to P. Erdős and E. G. Straus
+&lt;a href=&#34;https://projecteuclid.org/euclid.pjm/1102911140&#34;&gt;[1]&lt;/a&gt;.
+In particular, we formalise Theorem 2.1, Corollary 2.10 and Theorem 3.1.
+The latter is an application of Theorem 2.1 involving the prime numbers.</description>
+    </item>
+    <item>
+       <title>Recursion Theorem in ZF</title>
+              <link>https://www.isa-afp.org/entries/Recursion-Addition.html</link>
+       <guid>https://www.isa-afp.org/entries/Recursion-Addition.html</guid>
+       <dc:creator> Georgy Dunaev       </dc:creator>
+       <pubDate>11 May 2020 00:00:00 +0000</pubDate>
+       <description>
+This document contains a proof of the recursion theorem. This is a
+mechanization of the proof of the recursion theorem from the text &lt;i&gt;Introduction to
+Set Theory&lt;/i&gt;, by Karel Hrbacek and Thomas Jech. This
+implementation may be used as the basis for a model of Peano arithmetic in
+ZF. While recursion and the natural numbers are already available in Isabelle/ZF, this clean development
+is much easier to follow.</description>
+    </item>
+    <item>
+       <title>An Efficient Normalisation Procedure for Linear Temporal Logic: Isabelle/HOL Formalisation</title>
+              <link>https://www.isa-afp.org/entries/LTL_Normal_Form.html</link>
+       <guid>https://www.isa-afp.org/entries/LTL_Normal_Form.html</guid>
+       <dc:creator> Salomon Sickert       </dc:creator>
+       <pubDate>08 May 2020 00:00:00 +0000</pubDate>
+       <description>
+In the mid 80s, Lichtenstein, Pnueli, and Zuck proved a classical
+theorem stating that every formula of Past LTL (the extension of LTL
+with past operators) is equivalent to a formula of the form
+$\bigwedge_{i=1}^n \mathbf{G}\mathbf{F} \varphi_i \vee
+\mathbf{F}\mathbf{G} \psi_i$,  where $\varphi_i$ and $\psi_i$ contain
+only past operators. Some years later, Chang, Manna, and Pnueli built
+on this result to derive a similar normal form for LTL. Both
+normalisation procedures have a non-elementary worst-case blow-up, and
+follow an involved path from formulas to counter-free automata to
+star-free regular expressions and back to formulas. We improve on both
+points. We present an executable formalisation of a direct and purely
+syntactic normalisation procedure for LTL yielding a normal form,
+comparable to the one by Chang, Manna, and Pnueli, that has only a
+single exponential blow-up.</description>
+    </item>
+    <item>
+       <title>Formalization of Forcing in Isabelle/ZF</title>
+              <link>https://www.isa-afp.org/entries/Forcing.html</link>
+       <guid>https://www.isa-afp.org/entries/Forcing.html</guid>
+       <dc:creator> Emmanuel Gunther, Miguel Pagano, Pedro Sánchez Terraf       </dc:creator>
+       <pubDate>06 May 2020 00:00:00 +0000</pubDate>
+       <description>
+We formalize the theory of forcing in the set theory framework of
+Isabelle/ZF. Under the assumption of the existence of a countable
+transitive model of ZFC, we construct a proper generic extension and
+show that the latter also satisfies ZFC.</description>
+    </item>
+    <item>
+       <title>Banach-Steinhaus Theorem</title>
+              <link>https://www.isa-afp.org/entries/Banach_Steinhaus.html</link>
+       <guid>https://www.isa-afp.org/entries/Banach_Steinhaus.html</guid>
+       <dc:creator> Dominique Unruh, Jose Manuel Rodriguez Caballero       </dc:creator>
+       <pubDate>02 May 2020 00:00:00 +0000</pubDate>
+       <description>
+We formalize in Isabelle/HOL a result
+due to S. Banach and H. Steinhaus known as
+the Banach-Steinhaus theorem or Uniform boundedness principle: a
+pointwise-bounded family of continuous linear operators from a Banach
+space to a normed space is uniformly bounded. Our approach is an
+adaptation to Isabelle/HOL of a proof due to A. Sokal.</description>
+    </item>
+    <item>
        <title>Attack Trees in Isabelle for GDPR compliance of IoT healthcare systems</title>
               <link>https://www.isa-afp.org/entries/Attack_Trees.html</link>
        <guid>https://www.isa-afp.org/entries/Attack_Trees.html</guid>
        <dc:creator> Florian Kammueller       </dc:creator>
        <pubDate>27 Apr 2020 00:00:00 +0000</pubDate>
        <description>
 In this article, we present a proof theory for Attack Trees. Attack
 Trees are a well established and useful model for the construction of
 attacks on systems since they allow a stepwise exploration of high
 level attacks in application scenarios. Using the expressiveness of
 Higher Order Logic in Isabelle, we develop a generic
 theory of Attack Trees with a state-based semantics based on Kripke
 structures and CTL. The resulting framework
 allows mechanically supported logic analysis of the meta-theory of the
 proof calculus of Attack Trees and at the same time the developed
 proof theory enables application to case studies. A central
 correctness and completeness result proved in Isabelle establishes a
 connection between the notion of Attack Tree validity and CTL. The
 application is illustrated on the example of a healthcare IoT system
 and GDPR compliance verification.</description>
     </item>
     <item>
+       <title>Power Sum Polynomials</title>
+              <link>https://www.isa-afp.org/entries/Power_Sum_Polynomials.html</link>
+       <guid>https://www.isa-afp.org/entries/Power_Sum_Polynomials.html</guid>
+       <dc:creator> Manuel Eberl       </dc:creator>
+       <pubDate>24 Apr 2020 00:00:00 +0000</pubDate>
+       <description>
+&lt;p&gt;This article provides a formalisation of the symmetric
+multivariate polynomials known as &lt;em&gt;power sum
+polynomials&lt;/em&gt;. These are of the form
+p&lt;sub&gt;n&lt;/sub&gt;(&lt;em&gt;X&lt;/em&gt;&lt;sub&gt;1&lt;/sub&gt;,&amp;hellip;,
+&lt;em&gt;X&lt;/em&gt;&lt;sub&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sub&gt;) =
+&lt;em&gt;X&lt;/em&gt;&lt;sub&gt;1&lt;/sub&gt;&lt;sup&gt;n&lt;/sup&gt;
++ &amp;hellip; +
+X&lt;sub&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sub&gt;&lt;sup&gt;n&lt;/sup&gt;.
+A formal proof of the Girard–Newton Theorem is also given. This
+theorem relates the power sum polynomials to the elementary symmetric
+polynomials s&lt;sub&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sub&gt; in the form
+of a recurrence relation
+(-1)&lt;sup&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sup&gt;
+&lt;em&gt;k&lt;/em&gt; s&lt;sub&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sub&gt;
+=
+&amp;sum;&lt;sub&gt;i&amp;isinv;[0,&lt;em&gt;k&lt;/em&gt;)&lt;/sub&gt;
+(-1)&lt;sup&gt;i&lt;/sup&gt; s&lt;sub&gt;i&lt;/sub&gt;
+p&lt;sub&gt;&lt;em&gt;k&lt;/em&gt;-&lt;em&gt;i&lt;/em&gt;&lt;/sub&gt;&amp;thinsp;.&lt;/p&gt;
+&lt;p&gt;As an application, this is then used to solve a generalised
+form of a puzzle given as an exercise in Dummit and Foote&#39;s
+&lt;em&gt;Abstract Algebra&lt;/em&gt;: For &lt;em&gt;k&lt;/em&gt;
+complex unknowns &lt;em&gt;x&lt;/em&gt;&lt;sub&gt;1&lt;/sub&gt;,
+&amp;hellip;,
+&lt;em&gt;x&lt;/em&gt;&lt;sub&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sub&gt;,
+define p&lt;sub&gt;&lt;em&gt;j&lt;/em&gt;&lt;/sub&gt; :=
+&lt;em&gt;x&lt;/em&gt;&lt;sub&gt;1&lt;/sub&gt;&lt;sup&gt;&lt;em&gt;j&lt;/em&gt;&lt;/sup&gt;
++ &amp;hellip; +
+&lt;em&gt;x&lt;/em&gt;&lt;sub&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sub&gt;&lt;sup&gt;&lt;em&gt;j&lt;/em&gt;&lt;/sup&gt;.
+Then for each vector &lt;em&gt;a&lt;/em&gt; &amp;isinv;
+&amp;#x2102;&lt;sup&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sup&gt;, show that
+there is exactly one solution to the system p&lt;sub&gt;1&lt;/sub&gt;
+= a&lt;sub&gt;1&lt;/sub&gt;, &amp;hellip;,
+p&lt;sub&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sub&gt; =
+a&lt;sub&gt;&lt;em&gt;k&lt;/em&gt;&lt;/sub&gt; up to permutation of
+the
+&lt;em&gt;x&lt;/em&gt;&lt;sub&gt;&lt;em&gt;i&lt;/em&gt;&lt;/sub&gt;
+and determine the value of
+p&lt;sub&gt;&lt;em&gt;i&lt;/em&gt;&lt;/sub&gt; for
+i&amp;gt;k.&lt;/p&gt;</description>
+    </item>
+    <item>
+       <title>The Lambert W Function on the Reals</title>
+              <link>https://www.isa-afp.org/entries/Lambert_W.html</link>
+       <guid>https://www.isa-afp.org/entries/Lambert_W.html</guid>
+       <dc:creator> Manuel Eberl       </dc:creator>
+       <pubDate>24 Apr 2020 00:00:00 +0000</pubDate>
+       <description>
+&lt;p&gt;The Lambert &lt;em&gt;W&lt;/em&gt; function is a multi-valued
+function defined as the inverse function of &lt;em&gt;x&lt;/em&gt;
+&amp;#x21A6; &lt;em&gt;x&lt;/em&gt;
+e&lt;sup&gt;&lt;em&gt;x&lt;/em&gt;&lt;/sup&gt;. Besides numerous
+applications in combinatorics, physics, and engineering, it also
+frequently occurs when solving equations containing both
+e&lt;sup&gt;&lt;em&gt;x&lt;/em&gt;&lt;/sup&gt; and
+&lt;em&gt;x&lt;/em&gt;, or both &lt;em&gt;x&lt;/em&gt; and log
+&lt;em&gt;x&lt;/em&gt;.&lt;/p&gt; &lt;p&gt;This article provides a
+definition of the two real-valued branches
+&lt;em&gt;W&lt;/em&gt;&lt;sub&gt;0&lt;/sub&gt;(&lt;em&gt;x&lt;/em&gt;)
+and
+&lt;em&gt;W&lt;/em&gt;&lt;sub&gt;-1&lt;/sub&gt;(&lt;em&gt;x&lt;/em&gt;)
+and proves various properties such as basic identities and
+inequalities, monotonicity, differentiability, asymptotic expansions,
+and the MacLaurin series of
+&lt;em&gt;W&lt;/em&gt;&lt;sub&gt;0&lt;/sub&gt;(&lt;em&gt;x&lt;/em&gt;)
+at &lt;em&gt;x&lt;/em&gt; = 0.&lt;/p&gt;</description>
+    </item>
+    <item>
+       <title>Gaussian Integers</title>
+              <link>https://www.isa-afp.org/entries/Gaussian_Integers.html</link>
+       <guid>https://www.isa-afp.org/entries/Gaussian_Integers.html</guid>
+       <dc:creator> Manuel Eberl       </dc:creator>
+       <pubDate>24 Apr 2020 00:00:00 +0000</pubDate>
+       <description>
+&lt;p&gt;The Gaussian integers are the subring &amp;#8484;[i] of the
+complex numbers, i. e. the ring of all complex numbers with integral
+real and imaginary part. This article provides a definition of this
+ring as well as proofs of various basic properties, such as that they
+form a Euclidean ring and a full classification of their primes. An
+executable (albeit not very efficient) factorisation algorithm is also
+provided.&lt;/p&gt; &lt;p&gt;Lastly, this Gaussian integer
+formalisation is used in two short applications:&lt;/p&gt; &lt;ol&gt;
+&lt;li&gt; The characterisation of all positive integers that can be
+written as sums of two squares&lt;/li&gt; &lt;li&gt; Euclid&#39;s
+formula for primitive Pythagorean triples&lt;/li&gt; &lt;/ol&gt;
+&lt;p&gt;While elementary proofs for both of these are already
+available in the AFP, the theory of Gaussian integers provides more
+concise proofs and a more high-level view.&lt;/p&gt;</description>
+    </item>
+    <item>
+       <title>Matrices for ODEs</title>
+              <link>https://www.isa-afp.org/entries/Matrices_for_ODEs.html</link>
+       <guid>https://www.isa-afp.org/entries/Matrices_for_ODEs.html</guid>
+       <dc:creator> Jonathan Julian Huerta y Munive       </dc:creator>
+       <pubDate>19 Apr 2020 00:00:00 +0000</pubDate>
+       <description>
+Our theories formalise various matrix properties that serve to
+establish existence, uniqueness and characterisation of the solution
+to affine systems of ordinary differential equations (ODEs). In
+particular, we formalise the operator and maximum norm of matrices.
+Then we use them to prove that square matrices form a Banach space,
+and in this setting, we show an instance of Picard-Lindelöf’s
+theorem for affine systems of ODEs. Finally, we use this formalisation
+to verify three simple hybrid programs.</description>
+    </item>
+    <item>
        <title>Authenticated Data Structures As Functors</title>
               <link>https://www.isa-afp.org/entries/ADS_Functor.html</link>
        <guid>https://www.isa-afp.org/entries/ADS_Functor.html</guid>
        <dc:creator> Andreas Lochbihler, Ognjen Marić       </dc:creator>
        <pubDate>16 Apr 2020 00:00:00 +0000</pubDate>
        <description>
 Authenticated data structures allow several systems to convince each
 other that they are referring to the same data structure, even if each
 of them knows only a part of the data structure. Using inclusion
 proofs, knowledgeable systems can selectively share their knowledge
 with other systems and the latter can verify the authenticity of what
 is being shared.  In this article, we show how to modularly define
 authenticated data structures, their inclusion proofs, and operations
 thereon as datatypes in Isabelle/HOL, using a shallow embedding.
 Modularity allows us to construct complicated trees from reusable
 building blocks, which we call Merkle functors. Merkle functors
 include sums, products, and function spaces and are closed under
 composition and least fixpoints.  As a practical application, we model
 the hierarchical transactions of &lt;a
 href=&#34;https://www.canton.io&#34;&gt;Canton&lt;/a&gt;, a
 practical interoperability protocol for distributed ledgers, as
 authenticated data structures. This is a first step towards
 formalizing the Canton protocol and verifying its integrity and
 security guarantees.</description>
     </item>
     <item>
        <title>Formalization of an Algorithm for Greedily Computing Associative Aggregations on Sliding Windows</title>
               <link>https://www.isa-afp.org/entries/Sliding_Window_Algorithm.html</link>
        <guid>https://www.isa-afp.org/entries/Sliding_Window_Algorithm.html</guid>
        <dc:creator> Lukas Heimes, Dmitriy Traytel, Joshua Schneider       </dc:creator>
        <pubDate>10 Apr 2020 00:00:00 +0000</pubDate>
        <description>
 Basin et al.&#39;s &lt;a
 href=&#34;https://doi.org/10.1016/j.ipl.2014.09.009&#34;&gt;sliding
 window algorithm (SWA)&lt;/a&gt; is an algorithm for combining the
 elements of subsequences of a sequence with an associative operator.
 It is greedy and minimizes the number of operator applications. We
 formalize the algorithm and verify its functional correctness. We
 extend the algorithm with additional operations and provide an
 alternative interface to the slide operation that does not require the
 entire input sequence.</description>
     </item>
     <item>
        <title>A Comprehensive Framework for Saturation Theorem Proving</title>
               <link>https://www.isa-afp.org/entries/Saturation_Framework.html</link>
        <guid>https://www.isa-afp.org/entries/Saturation_Framework.html</guid>
        <dc:creator> Sophie Tourret       </dc:creator>
        <pubDate>09 Apr 2020 00:00:00 +0000</pubDate>
        <description>
 This Isabelle/HOL formalization is the companion of the technical
 report “A comprehensive framework for saturation theorem proving”,
 itself companion of the eponym IJCAR 2020 paper, written by Uwe
 Waldmann, Sophie Tourret, Simon Robillard and Jasmin Blanchette. It
 verifies a framework for formal refutational completeness proofs of
 abstract provers that implement saturation calculi, such as ordered
 resolution or superposition, and allows to model entire prover
 architectures in such a way that the static refutational completeness
 of a calculus immediately implies the dynamic  refutational
 completeness of a prover implementing the calculus using a variant of
 the given clause loop.  The technical report “A comprehensive
 framework for saturation theorem proving” is available &lt;a
 href=&#34;http://matryoshka.gforge.inria.fr/pubs/satur_report.pdf&#34;&gt;on
 the Matryoshka website&lt;/a&gt;. The names of the Isabelle lemmas and
 theorems corresponding to the results in the report are indicated in
 the margin of the report.</description>
     </item>
     <item>
        <title>Formalization of an Optimized Monitoring Algorithm for Metric First-Order Dynamic Logic with Aggregations</title>
               <link>https://www.isa-afp.org/entries/MFODL_Monitor_Optimized.html</link>
        <guid>https://www.isa-afp.org/entries/MFODL_Monitor_Optimized.html</guid>
        <dc:creator> Thibault Dardinier, Lukas Heimes, Martin Raszyk, Joshua Schneider, Dmitriy Traytel       </dc:creator>
        <pubDate>09 Apr 2020 00:00:00 +0000</pubDate>
        <description>
 A monitor is a runtime verification tool that solves the following
 problem: Given a stream of time-stamped events and a policy formulated
 in a specification language, decide whether the policy is satisfied at
 every point in the stream. We verify the correctness of an executable
 monitor for specifications given as formulas in metric first-order
 dynamic logic (MFODL), which combines the features of metric
 first-order temporal logic (MFOTL) and metric dynamic logic. Thus,
 MFODL supports real-time constraints, first-order parameters, and
 regular expressions. Additionally, the monitor supports aggregation
 operations such as count and sum. This formalization, which is
 described in a &lt;a
 href=&#34;http://people.inf.ethz.ch/trayteld/papers/ijcar20-verimonplus/verimonplus.pdf&#34;&gt;
 forthcoming paper at IJCAR 2020&lt;/a&gt;, significantly extends &lt;a
 href=&#34;https://www.isa-afp.org/entries/MFOTL_Monitor.html&#34;&gt;previous
 work on a verified monitor&lt;/a&gt; for MFOTL. Apart from the
 addition of regular expressions and aggregations, we implemented &lt;a
 href=&#34;https://www.isa-afp.org/entries/Generic_Join.html&#34;&gt;multi-way
 joins&lt;/a&gt; and a specialized sliding window algorithm to further
 optimize the monitor.</description>
     </item>
     <item>
        <title>Lucas's Theorem</title>
               <link>https://www.isa-afp.org/entries/Lucas_Theorem.html</link>
        <guid>https://www.isa-afp.org/entries/Lucas_Theorem.html</guid>
        <dc:creator> Chelsea Edmonds       </dc:creator>
        <pubDate>07 Apr 2020 00:00:00 +0000</pubDate>
        <description>
 This work presents a formalisation of a generating function proof for
 Lucas&#39;s theorem. We first outline extensions to the existing
 Formal Power Series (FPS) library, including an equivalence relation
 for coefficients modulo &lt;em&gt;n&lt;/em&gt;, an alternate binomial theorem statement,
 and a formalised proof of the Freshman&#39;s dream (mod &lt;em&gt;p&lt;/em&gt;) lemma.
 The second part of the work presents the formal proof of Lucas&#39;s
 Theorem. Working backwards, the formalisation first proves a well
 known corollary of the theorem which is easier to formalise, and then
 applies induction to prove the original theorem statement. The proof
 of the corollary aims to provide a good example of a formalised
 generating function equivalence proof using the FPS library. The final
 theorem statement is intended to be integrated into the formalised
 proof of Hilbert&#39;s 10th Problem.</description>
     </item>
     <item>
        <title>Strong Eventual Consistency of the Collaborative Editing Framework WOOT</title>
               <link>https://www.isa-afp.org/entries/WOOT_Strong_Eventual_Consistency.html</link>
        <guid>https://www.isa-afp.org/entries/WOOT_Strong_Eventual_Consistency.html</guid>
        <dc:creator> Emin Karayel, Edgar Gonzàlez       </dc:creator>
        <pubDate>25 Mar 2020 00:00:00 +0000</pubDate>
        <description>
 Commutative Replicated Data Types (CRDTs) are a promising new class of
 data structures for large-scale shared mutable content in applications
 that only require eventual consistency. The WithOut Operational
 Transforms (WOOT) framework is a CRDT for collaborative text editing
 introduced by Oster et al. (CSCW 2006) for which the eventual
 consistency property was verified only for a bounded model to date. We
 contribute a formal proof for WOOTs strong eventual consistency.</description>
     </item>
     <item>
        <title>Furstenberg's topology and his proof of the infinitude of primes</title>
               <link>https://www.isa-afp.org/entries/Furstenberg_Topology.html</link>
        <guid>https://www.isa-afp.org/entries/Furstenberg_Topology.html</guid>
        <dc:creator> Manuel Eberl       </dc:creator>
        <pubDate>22 Mar 2020 00:00:00 +0000</pubDate>
        <description>
 &lt;p&gt;This article gives a formal version of Furstenberg&#39;s
 topological proof of the infinitude of primes. He defines a topology
 on the integers based on arithmetic progressions (or, equivalently,
 residue classes). Using some fairly obvious properties of this
 topology, the infinitude of primes is then easily obtained.&lt;/p&gt;
 &lt;p&gt;Apart from this, this topology is also fairly ‘nice’ in
 general: it is second countable, metrizable, and perfect. All of these
 (well-known) facts are formally proven, including an explicit metric
 for the topology given by Zulfeqarr.&lt;/p&gt;</description>
     </item>
     <item>
        <title>An Under-Approximate Relational Logic</title>
               <link>https://www.isa-afp.org/entries/Relational-Incorrectness-Logic.html</link>
        <guid>https://www.isa-afp.org/entries/Relational-Incorrectness-Logic.html</guid>
        <dc:creator> Toby Murray       </dc:creator>
        <pubDate>12 Mar 2020 00:00:00 +0000</pubDate>
        <description>
 Recently, authors have proposed under-approximate logics for reasoning
 about programs. So far, all such logics have been confined to
 reasoning about individual program behaviours. Yet there exist many
 over-approximate relational logics for reasoning about pairs of
 programs and relating their behaviours. We present the first
 under-approximate relational logic, for the simple imperative language
 IMP. We prove our logic is both sound and complete. Additionally, we
 show how reasoning in this logic can be decomposed into non-relational
 reasoning in an under-approximate Hoare logic, mirroring Beringer’s
 result for over-approximate relational logics. We illustrate the
 application of our logic on some small examples in which we provably
 demonstrate the presence of insecurity.</description>
     </item>
     <item>
        <title>Hello World</title>
               <link>https://www.isa-afp.org/entries/Hello_World.html</link>
        <guid>https://www.isa-afp.org/entries/Hello_World.html</guid>
        <dc:creator> Cornelius Diekmann, Lars Hupel       </dc:creator>
        <pubDate>07 Mar 2020 00:00:00 +0000</pubDate>
        <description>
 In this article, we present a formalization of the well-known
 &#34;Hello, World!&#34; code, including a formal framework for
 reasoning about IO. Our model is inspired by the handling of IO in
 Haskell. We start by formalizing the 🌍 and embrace the IO monad
 afterwards. Then we present a sample main :: IO (), followed by its
 proof of correctness.</description>
     </item>
     <item>
        <title>Implementing the Goodstein Function in &lambda;-Calculus</title>
               <link>https://www.isa-afp.org/entries/Goodstein_Lambda.html</link>
        <guid>https://www.isa-afp.org/entries/Goodstein_Lambda.html</guid>
        <dc:creator> Bertram Felgenhauer       </dc:creator>
        <pubDate>21 Feb 2020 00:00:00 +0000</pubDate>
        <description>
 In this formalization, we develop an implementation of the Goodstein
 function G in plain &amp;lambda;-calculus, linked to a concise, self-contained
 specification. The implementation works on a Church-encoded
 representation of countable ordinals. The initial conversion to
 hereditary base 2 is not covered, but the material is sufficient to
 compute the particular value G(16), and easily extends to other fixed
 arguments.</description>
     </item>
     <item>
        <title>A Generic Framework for Verified Compilers</title>
               <link>https://www.isa-afp.org/entries/VeriComp.html</link>
        <guid>https://www.isa-afp.org/entries/VeriComp.html</guid>
        <dc:creator> Martin Desharnais       </dc:creator>
        <pubDate>10 Feb 2020 00:00:00 +0000</pubDate>
        <description>
 This is a generic framework for formalizing compiler transformations.
 It leverages Isabelle/HOL’s locales to abstract over concrete
 languages and transformations. It states common definitions for
 language semantics, program behaviours, forward and backward
 simulations, and compilers. We provide generic operations, such as
 simulation and compiler composition, and prove general (partial)
 correctness theorems, resulting in reusable proof components.</description>
     </item>
     <item>
        <title>Arithmetic progressions and relative primes</title>
               <link>https://www.isa-afp.org/entries/Arith_Prog_Rel_Primes.html</link>
        <guid>https://www.isa-afp.org/entries/Arith_Prog_Rel_Primes.html</guid>
        <dc:creator> José Manuel Rodríguez Caballero       </dc:creator>
        <pubDate>01 Feb 2020 00:00:00 +0000</pubDate>
        <description>
 This article provides a formalization of the solution obtained by the
 author of the Problem “ARITHMETIC PROGRESSIONS” from the
 &lt;a href=&#34;https://www.ocf.berkeley.edu/~wwu/riddles/putnam.shtml&#34;&gt;
 Putnam exam problems of 2002&lt;/a&gt;. The statement of the problem is
 as follows: For which integers &lt;em&gt;n&lt;/em&gt; &gt; 1 does the set of positive
 integers less than and relatively prime to &lt;em&gt;n&lt;/em&gt; constitute an
 arithmetic progression?</description>
     </item>
     <item>
        <title>A Hierarchy of Algebras for Boolean Subsets</title>
               <link>https://www.isa-afp.org/entries/Subset_Boolean_Algebras.html</link>
        <guid>https://www.isa-afp.org/entries/Subset_Boolean_Algebras.html</guid>
        <dc:creator> Walter Guttmann, Bernhard Möller       </dc:creator>
        <pubDate>31 Jan 2020 00:00:00 +0000</pubDate>
        <description>
 We present a collection of axiom systems for the construction of
 Boolean subalgebras of larger overall algebras. The subalgebras are
 defined as the range of a complement-like operation on a semilattice.
 This technique has been used, for example, with the antidomain
 operation, dynamic negation and Stone algebras. We present a common
 ground for these constructions based on a new equational
 axiomatisation of Boolean algebras.</description>
     </item>
     <item>
        <title>Mersenne primes and the Lucas–Lehmer test</title>
               <link>https://www.isa-afp.org/entries/Mersenne_Primes.html</link>
        <guid>https://www.isa-afp.org/entries/Mersenne_Primes.html</guid>
        <dc:creator> Manuel Eberl       </dc:creator>
        <pubDate>17 Jan 2020 00:00:00 +0000</pubDate>
        <description>
 &lt;p&gt;This article provides formal proofs of basic properties of
 Mersenne numbers, i. e. numbers of the form
 2&lt;sup&gt;&lt;em&gt;n&lt;/em&gt;&lt;/sup&gt; - 1, and especially of
 Mersenne primes.&lt;/p&gt; &lt;p&gt;In particular, an efficient,
 verified, and executable version of the Lucas&amp;ndash;Lehmer test is
 developed. This test decides primality for Mersenne numbers in time
 polynomial in &lt;em&gt;n&lt;/em&gt;.&lt;/p&gt;</description>
     </item>
     <item>
        <title>Verified Approximation Algorithms</title>
               <link>https://www.isa-afp.org/entries/Approximation_Algorithms.html</link>
        <guid>https://www.isa-afp.org/entries/Approximation_Algorithms.html</guid>
        <dc:creator> Robin Eßmann, Tobias Nipkow, Simon Robillard       </dc:creator>
        <pubDate>16 Jan 2020 00:00:00 +0000</pubDate>
        <description>
 We present the first formal verification of approximation algorithms
 for NP-complete optimization problems: vertex cover, independent set,
 load balancing, and bin packing. The proofs correct incompletenesses
 in existing proofs and improve the approximation ratio in one case.</description>
     </item>
     <item>
        <title>Closest Pair of Points Algorithms</title>
               <link>https://www.isa-afp.org/entries/Closest_Pair_Points.html</link>
        <guid>https://www.isa-afp.org/entries/Closest_Pair_Points.html</guid>
        <dc:creator> Martin Rau, Tobias Nipkow       </dc:creator>
        <pubDate>13 Jan 2020 00:00:00 +0000</pubDate>
        <description>
 This entry provides two related verified divide-and-conquer algorithms
 solving the fundamental &lt;em&gt;Closest Pair of Points&lt;/em&gt;
 problem in Computational Geometry. Functional correctness and the
 optimal running time of &lt;em&gt;O&lt;/em&gt;(&lt;em&gt;n&lt;/em&gt; log &lt;em&gt;n&lt;/em&gt;) are
 proved. Executable code is generated which is empirically competitive
 with handwritten reference implementations.</description>
     </item>
     <item>
        <title>Skip Lists</title>
               <link>https://www.isa-afp.org/entries/Skip_Lists.html</link>
        <guid>https://www.isa-afp.org/entries/Skip_Lists.html</guid>
        <dc:creator> Max W. Haslbeck, Manuel Eberl       </dc:creator>
        <pubDate>09 Jan 2020 00:00:00 +0000</pubDate>
        <description>
 &lt;p&gt; Skip lists are sorted linked lists enhanced with shortcuts
 and are an alternative to binary search trees. A skip lists consists
 of multiple levels of sorted linked lists where a list on level n is a
 subsequence of the list on level n − 1. In the ideal case, elements
 are skipped in such a way that a lookup in a skip lists takes O(log n)
 time. In a randomised skip list the skipped elements are choosen
 randomly. &lt;/p&gt; &lt;p&gt; This entry contains formalized proofs
 of the textbook results about the expected height and the expected
 length of a search path in a randomised skip list. &lt;/p&gt;</description>
     </item>
     <item>
        <title>Bicategories</title>
               <link>https://www.isa-afp.org/entries/Bicategory.html</link>
        <guid>https://www.isa-afp.org/entries/Bicategory.html</guid>
        <dc:creator> Eugene W. Stark       </dc:creator>
        <pubDate>06 Jan 2020 00:00:00 +0000</pubDate>
        <description>
 Taking as a starting point the author&#39;s previous work on
 developing aspects of category theory in Isabelle/HOL, this article
 gives a compatible formalization of the notion of
 &#34;bicategory&#34; and develops a framework within which formal
 proofs of facts about bicategories can be given.  The framework
 includes a number of basic results, including the Coherence Theorem,
 the Strictness Theorem, pseudofunctors and biequivalence, and facts
 about internal equivalences and adjunctions in a bicategory.  As a
 driving application and demonstration of the utility of the framework,
 it is used to give a formal proof of a theorem, due to Carboni,
 Kasangian, and Street, that characterizes up to biequivalence the
 bicategories of spans in a category with pullbacks.  The formalization
 effort necessitated the filling-in of many details that were not
 evident from the brief presentation in the original paper, as well as
 identifying a few minor corrections along the way.</description>
     </item>
     <item>
        <title>The Irrationality of ζ(3)</title>
               <link>https://www.isa-afp.org/entries/Zeta_3_Irrational.html</link>
        <guid>https://www.isa-afp.org/entries/Zeta_3_Irrational.html</guid>
        <dc:creator> Manuel Eberl       </dc:creator>
        <pubDate>27 Dec 2019 00:00:00 +0000</pubDate>
        <description>
 &lt;p&gt;This article provides a formalisation of Beukers&#39;s
 straightforward analytic proof that ζ(3) is irrational. This was first
 proven by Apéry (which is why this result is also often called
 ‘Apéry&#39;s Theorem’) using a more algebraic approach. This
 formalisation follows &lt;a
 href=&#34;http://people.math.sc.edu/filaseta/gradcourses/Math785/Math785Notes4.pdf&#34;&gt;Filaseta&#39;s
 presentation&lt;/a&gt; of Beukers&#39;s proof.&lt;/p&gt;</description>
     </item>
-    <item>
-       <title>Formalizing a Seligman-Style Tableau System for Hybrid Logic</title>
-              <link>https://www.isa-afp.org/entries/Hybrid_Logic.html</link>
-       <guid>https://www.isa-afp.org/entries/Hybrid_Logic.html</guid>
-       <dc:creator> Asta Halkjær From       </dc:creator>
-       <pubDate>20 Dec 2019 00:00:00 +0000</pubDate>
-       <description>
-This work is a formalization of soundness and completeness proofs
-for a Seligman-style tableau system for hybrid logic. The completeness
-result is obtained via a synthetic approach using maximally
-consistent sets of tableau blocks. The formalization differs from
-the cited work in a few ways. First, to avoid the need to backtrack in
-the construction of a tableau, the formalized system has no unnamed
-initial segment, and therefore no Name rule. Second, I show that the
-full Bridge rule is admissible in the system. Third, I start from rules
-restricted to only extend the branch with new formulas, including only
-witnessing diamonds that are not already witnessed, and show that
-the unrestricted rules are admissible. Similarly, I start from simpler
-versions of the @-rules and show the general ones admissible. Finally,
-the GoTo rule is restricted using a notion of coins such that each
-application consumes a coin and coins are earned through applications of
-the remaining rules. I show that if a branch can be closed then it can
-be closed starting from a single coin. These restrictions are imposed
-to rule out some means of nontermination.</description>
-    </item>
-    <item>
-       <title>The Poincaré-Bendixson Theorem</title>
-              <link>https://www.isa-afp.org/entries/Poincare_Bendixson.html</link>
-       <guid>https://www.isa-afp.org/entries/Poincare_Bendixson.html</guid>
-       <dc:creator> Fabian Immler, Yong Kiam Tan       </dc:creator>
-       <pubDate>18 Dec 2019 00:00:00 +0000</pubDate>
-       <description>
-The Poincaré-Bendixson theorem is a classical result in the study of
-(continuous) dynamical systems. Colloquially, it restricts the
-possible behaviors of planar dynamical systems: such systems cannot be
-chaotic. In practice, it is a useful tool for proving the existence of
-(limiting) periodic behavior in planar systems. The theorem is an
-interesting and challenging benchmark for formalized mathematics
-because proofs in the literature rely on geometric sketches and only
-hint at symmetric cases. It also requires a substantial background of
-mathematical theories, e.g., the Jordan curve theorem, real analysis,
-ordinary differential equations, and limiting (long-term) behavior of
-dynamical systems.</description>
-    </item>
-    <item>
-       <title>Poincaré Disc Model</title>
-              <link>https://www.isa-afp.org/entries/Poincare_Disc.html</link>
-       <guid>https://www.isa-afp.org/entries/Poincare_Disc.html</guid>
-       <dc:creator> Danijela Simić, Filip Marić, Pierre Boutry       </dc:creator>
-       <pubDate>16 Dec 2019 00:00:00 +0000</pubDate>
-       <description>
-We describe formalization of the Poincaré disc model of hyperbolic
-geometry within the Isabelle/HOL proof assistant. The model is defined
-within the extended complex plane (one dimensional complex projectives
-space &amp;#8450;P1), formalized in the AFP entry “Complex Geometry”.
-Points, lines, congruence of pairs of points, betweenness of triples
-of points, circles, and isometries are defined within the model. It is
-shown that the model satisfies all Tarski&#39;s axioms except the
-Euclid&#39;s axiom. It is shown that it satisfies its negation and
-the limiting parallels axiom (which proves it to be a model of
-hyperbolic geometry).</description>
-    </item>
-    <item>
-       <title>Complex Geometry</title>
-              <link>https://www.isa-afp.org/entries/Complex_Geometry.html</link>
-       <guid>https://www.isa-afp.org/entries/Complex_Geometry.html</guid>
-       <dc:creator> Filip Marić, Danijela Simić       </dc:creator>
-       <pubDate>16 Dec 2019 00:00:00 +0000</pubDate>
-       <description>
-A formalization of geometry of complex numbers is presented.
-Fundamental objects that are investigated are the complex plane
-extended by a single infinite point, its objects (points, lines and
-circles), and groups of transformations that act on them (e.g.,
-inversions and Möbius transformations). Most objects are defined
-algebraically, but correspondence with classical geometric definitions
-is shown.</description>
-    </item>
-    <item>
-       <title>Gauss Sums and the Pólya–Vinogradov Inequality</title>
-              <link>https://www.isa-afp.org/entries/Gauss_Sums.html</link>
-       <guid>https://www.isa-afp.org/entries/Gauss_Sums.html</guid>
-       <dc:creator> Rodrigo Raya, Manuel Eberl       </dc:creator>
-       <pubDate>10 Dec 2019 00:00:00 +0000</pubDate>
-       <description>
-&lt;p&gt;This article provides a full formalisation of Chapter 8 of
-Apostol&#39;s &lt;em&gt;&lt;a
-href=&#34;https://www.springer.com/de/book/9780387901633&#34;&gt;Introduction
-to Analytic Number Theory&lt;/a&gt;&lt;/em&gt;. Subjects that are
-covered are:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;periodic arithmetic
-functions and their finite Fourier series&lt;/li&gt;
-&lt;li&gt;(generalised) Ramanujan sums&lt;/li&gt; &lt;li&gt;Gauss sums
-and separable characters&lt;/li&gt; &lt;li&gt;induced moduli and
-primitive characters&lt;/li&gt; &lt;li&gt;the
-Pólya&amp;mdash;Vinogradov inequality&lt;/li&gt; &lt;/ul&gt;</description>
-    </item>
-    <item>
-       <title>An Efficient Generalization of Counting Sort for Large, possibly Infinite Key Ranges</title>
-              <link>https://www.isa-afp.org/entries/Generalized_Counting_Sort.html</link>
-       <guid>https://www.isa-afp.org/entries/Generalized_Counting_Sort.html</guid>
-       <dc:creator> Pasquale Noce       </dc:creator>
-       <pubDate>04 Dec 2019 00:00:00 +0000</pubDate>
-       <description>
-Counting sort is a well-known algorithm that sorts objects of any kind
-mapped to integer keys, or else to keys in one-to-one correspondence
-with some subset of the integers (e.g. alphabet letters). However, it
-is suitable for direct use, viz. not just as a subroutine of another
-sorting algorithm (e.g. radix sort), only if the key range is not
-significantly larger than the number of the objects to be sorted.
-This paper describes a tail-recursive generalization of counting sort
-making use of a bounded number of counters, suitable for direct use in
-case of a large, or even infinite key range of any kind, subject to
-the only constraint of being a subset of an arbitrary linear order.
-After performing a pen-and-paper analysis of how such algorithm has to
-be designed to maximize its efficiency, this paper formalizes the
-resulting generalized counting sort (GCsort) algorithm and then
-formally proves its correctness properties, namely that (a) the
-counters&#39; number is maximized never exceeding the fixed upper
-bound, (b) objects are conserved, (c) objects get sorted, and (d) the
-algorithm is stable.</description>
-    </item>
-    <item>
-       <title>Interval Arithmetic on 32-bit Words</title>
-              <link>https://www.isa-afp.org/entries/Interval_Arithmetic_Word32.html</link>
-       <guid>https://www.isa-afp.org/entries/Interval_Arithmetic_Word32.html</guid>
-       <dc:creator> Brandon Bohrer       </dc:creator>
-       <pubDate>27 Nov 2019 00:00:00 +0000</pubDate>
-       <description>
-Interval_Arithmetic implements conservative interval arithmetic
-computations, then uses this interval arithmetic to implement a simple
-programming language where all terms have 32-bit signed word values,
-with explicit infinities for terms outside the representable bounds.
-Our target use case is interpreters for languages that must have a
-well-understood low-level behavior.  We include a formalization of
-bounded-length strings which are used for the identifiers of our
-language. Bounded-length identifiers are useful in some applications,
-for example the &lt;a href=&#34;https://www.isa-afp.org/entries/Differential_Dynamic_Logic.html&#34;&gt;Differential_Dynamic_Logic&lt;/a&gt; article,
-where a Euclidean space indexed by identifiers demands that identifiers
-are finitely many.</description>
-    </item>
-    <item>
-       <title>Zermelo Fraenkel Set Theory in Higher-Order Logic</title>
-              <link>https://www.isa-afp.org/entries/ZFC_in_HOL.html</link>
-       <guid>https://www.isa-afp.org/entries/ZFC_in_HOL.html</guid>
-       <dc:creator> Lawrence C. Paulson       </dc:creator>
-       <pubDate>24 Oct 2019 00:00:00 +0000</pubDate>
-       <description>
-&lt;p&gt;This entry is a new formalisation of ZFC set theory in Isabelle/HOL. It is
-logically equivalent to Obua&#39;s HOLZF; the point is to have the closest
-possible integration with the rest of Isabelle/HOL, minimising the amount of
-new notations and exploiting type classes.&lt;/p&gt;
-&lt;p&gt;There is a type &lt;em&gt;V&lt;/em&gt; of sets and a function &lt;em&gt;elts :: V =&amp;gt; V
-set&lt;/em&gt; mapping a set to its elements. Classes simply have type &lt;em&gt;V
-set&lt;/em&gt;, and a predicate identifies the small classes: those that correspond
-to actual sets. Type classes connected with orders and lattices are used to
-minimise the amount of new notation for concepts such as the subset relation,
-union and intersection. Basic concepts — Cartesian products, disjoint sums,
-natural numbers, functions, etc. — are formalised.&lt;/p&gt;
-&lt;p&gt;More advanced set-theoretic concepts, such as transfinite induction,
-ordinals, cardinals and the transitive closure of a set, are also provided.
-The definition of addition and multiplication for general sets (not just
-ordinals) follows Kirby.&lt;/p&gt;
-&lt;p&gt;The theory provides two type classes with the aim of facilitating
-developments that combine &lt;em&gt;V&lt;/em&gt; with other Isabelle/HOL types:
-&lt;em&gt;embeddable&lt;/em&gt;, the class of types that can be injected into &lt;em&gt;V&lt;/em&gt;
-(including &lt;em&gt;V&lt;/em&gt; itself as well as &lt;em&gt;V*V&lt;/em&gt;, etc.), and
-&lt;em&gt;small&lt;/em&gt;, the class of types that correspond to some ZF set.&lt;/p&gt;
-extra-history =
-Change history:
-[2020-01-28]:  Generalisation of the &#34;small&#34; predicate and order types to arbitrary sets;
-ordinal exponentiation;
-introduction of the coercion ord_of_nat :: &#34;nat =&gt; V&#34;;
-numerous new lemmas. (revision 6081d5be8d08)</description>
-    </item>
-    <item>
-       <title>Isabelle/C</title>
-              <link>https://www.isa-afp.org/entries/Isabelle_C.html</link>
-       <guid>https://www.isa-afp.org/entries/Isabelle_C.html</guid>
-       <dc:creator> Frédéric Tuong, Burkhart Wolff       </dc:creator>
-       <pubDate>22 Oct 2019 00:00:00 +0000</pubDate>
-       <description>
-We present a framework for C code in C11 syntax deeply integrated into
-the Isabelle/PIDE development environment. Our framework provides an
-abstract interface for verification back-ends to be plugged-in
-independently. Thus, various techniques such as deductive program
-verification or white-box testing can be applied to the same source,
-which is part of an integrated PIDE document model. Semantic back-ends
-are free to choose the supported C fragment and its semantics. In
-particular, they can differ on the chosen memory model or the
-specification mechanism for framing conditions. Our framework supports
-semantic annotations of C sources in the form of comments. Annotations
-serve to locally control back-end settings, and can express the term
-focus to which an annotation refers. Both the logical and the
-syntactic context are available when semantic annotations are
-evaluated. As a consequence, a formula in an annotation can refer both
-to HOL or C variables. Our approach demonstrates the degree of
-maturity and expressive power the Isabelle/PIDE sub-system has
-achieved in recent years. Our integration technique employs Lex and
-Yacc style grammars to ensure efficient deterministic parsing.  This
-is the core-module of Isabelle/C; the AFP package for Clean and
-Clean_wrapper as well as AutoCorres and AutoCorres_wrapper (available
-via git) are applications of this front-end.</description>
-    </item>
   </channel>
 </rss>
diff --git a/web/statistics.html b/web/statistics.html
--- a/web/statistics.html
+++ b/web/statistics.html
@@ -1,303 +1,307 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Archive of Formal Proofs</title>
 <link rel="stylesheet" type="text/css" href="front.css">
 <link rel="icon" href="images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="rss.xml">
  </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1><font class="first">S</font>tatistics
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="descr">
   <tbody>
     <tr><td>
       <h2>Statistics</h2>
 
 <table>
-<tr><td>Number of Articles:</td><td class="statsnumber">531</td></tr>
-<tr><td>Number of Authors:</td><td class="statsnumber">350</td></tr>
-<tr><td>Number of lemmas:</td><td class="statsnumber">~143,700</td></tr>
-<tr><td>Lines of Code:</td><td class="statsnumber">~2,493,800</td></tr>
+<tr><td>Number of Articles:</td><td class="statsnumber">540</td></tr>
+<tr><td>Number of Authors:</td><td class="statsnumber">356</td></tr>
+<tr><td>Number of lemmas:</td><td class="statsnumber">~145,300</td></tr>
+<tr><td>Lines of Code:</td><td class="statsnumber">~2,518,000</td></tr>
 </table>
 <h4>Most used AFP articles:</h4>
 <table id="most_used">
 <tr>
 <th></th><th>Name</th><th>Used by ? articles</th>
 </tr>
 
   <tr><td>1.</td>
         
     <td><a href="entries/List-Index.html">List-Index</a></td>
     <td>14</td>
     </tr>
     <tr><td>2.</td>
         
     <td><a href="entries/Coinductive.html">Coinductive</a></td>
     <td>12</td>
     </tr>
       <td></td>
     <td><a href="entries/Collections.html">Collections</a></td>
     <td>12</td>
     </tr>
       <td></td>
     <td><a href="entries/Regular-Sets.html">Regular-Sets</a></td>
     <td>12</td>
     </tr>
     <tr><td>3.</td>
         
     <td><a href="entries/Landau_Symbols.html">Landau_Symbols</a></td>
     <td>11</td>
     </tr>
     <tr><td>4.</td>
         
     <td><a href="entries/Show.html">Show</a></td>
     <td>10</td>
     </tr>
     <tr><td>5.</td>
         
     <td><a href="entries/Abstract-Rewriting.html">Abstract-Rewriting</a></td>
     <td>9</td>
     </tr>
       <td></td>
     <td><a href="entries/Automatic_Refinement.html">Automatic_Refinement</a></td>
     <td>9</td>
     </tr>
       <td></td>
     <td><a href="entries/Deriving.html">Deriving</a></td>
     <td>9</td>
     </tr>
+      <td></td>
+    <td><a href="entries/Polynomial_Factorization.html">Polynomial_Factorization</a></td>
+    <td>9</td>
+    </tr>
     <tr><td>6.</td>
         
     <td><a href="entries/Jordan_Normal_Form.html">Jordan_Normal_Form</a></td>
     <td>8</td>
     </tr>
       <td></td>
     <td><a href="entries/Native_Word.html">Native_Word</a></td>
     <td>8</td>
     </tr>
   
 </table>
 <script>
 // DATA
 var years = [2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020];
-var no_articles = [14, 22, 29, 37, 52, 64, 86, 103, 128, 151, 208, 253, 326, 396, 455, 511, 531];
-var no_loc = [61000, 96800, 131400, 238900, 353800, 435900, 517100, 568200, 740700, 828400, 1038500, 1216800, 1581100, 1830900, 2104900, 2399100, 2493800 ];
-var no_authors = [14, 11, 6, 6, 10, 6, 24, 11, 17, 16, 36, 20, 63, 31, 28, 38, 13];
-var no_authors_series = [14, 25, 31, 37, 47, 53, 77, 88, 105, 121, 157, 177, 240, 271, 299, 337, 350];
-var all_articles = [ "AVL-Trees","MiniML","Functional-Automata","BinarySearchTree","Topology","Lazy-Lists-II","Group-Ring-Module","Depth-First-Search","Compiling-Exceptions-Correctly","Completeness","Ramsey-Infinite","Verified-Prover","Integration","FileRefinement","Category","RSAPSS","Jinja","JiveDataStoreModel","DiskPaxos","GenClock","FFT","Ordinal","Cauchy","ClockSynchInst","FeatherweightJava","CoreC++","Flyspeck-Tame","Abstract-Hoare-Logics","HotelKeyCards","POPLmark-deBruijn","FOL-Fitting","Valuation","Fermat3_4","SumSquares","MuchAdoAboutTwo","JinjaThreads","Program-Conflict-Analysis","LinearQuantifierElim","NormByEval","BDD","Simpl","Recursion-Theory-I","SATSolverVerification","FunWithFunctions","ArrowImpossibilityGS","VolpanoSmith","Slicing","Huffman","FunWithTilings","SenSocialChoice","SIFPL","BytecodeLogicJmlTypes","Stream-Fusion","FinFun","CofGroups","SequentInvertibility","Ordinals_and_Cardinals","WorkerWrapper","HRB-Slicing","Perfect-Number-Thm","Tree-Automata","Collections","Presburger-Automata","DPT-SAT-Solver","Coinductive","List-Index","InformationFlowSlicing","InformationFlowSlicing_Inter","Free-Boolean-Algebra","Locally-Nameless-Sigma","Regular-Sets","Robbins-Conjecture","GraphMarkingIBP","DataRefinementIBP","Abstract-Rewriting","Matrix","Category2","Free-Groups","Statecharts","Polynomials","Lam-ml-Normalization","Binomial-Queues","Binomial-Heaps","Finger-Trees","Shivers-CFA","Marriage","Lower_Semicontinuous","RIPEMD-160-SPARK","LightweightJava","List-Infinite","AutoFocus-Stream","Nat-Interval-Logic","Transitive-Closure","General-Triangle","KBPs","Max-Card-Matching","Gauss-Jordan-Elim-Fun","Myhill-Nerode","PseudoHoops","MonoBoolTranAlgebra","LatticeProperties","Efficient-Mergesort","TLA","Markov_Models","Dijkstra_Shortest_Path","Refine_Monadic","Girth_Chromatic","Transitive-Closure-II","Abortable_Linearizable_Modules","Well_Quasi_Orders","Ordinary_Differential_Equations","Inductive_Confidentiality","Stuttering_Equivalence","Separation_Algebra","Circus","CCS","Pi_Calculus","Psi_Calculi","Tycon","PCF","Heard_Of","Impossible_Geometry","Datatype_Order_Generator","Possibilistic_Noninterference","Bondy","Tarskis_Geometry","Open_Induction","Separation_Logic_Imperative_HOL","Sqrt_Babylonian","Kleene_Algebra","Rank_Nullity_Theorem","Ribbon_Proofs","Launchbury","Nominal2","Containers","Graph_Theory","ShortestPath","Sort_Encodings","Koenigsberg_Friendship","Lehmer","Pratt_Certificate","IEEE_Floating_Point","Native_Word","Automatic_Refinement","Decreasing-Diagrams","GoedelGod","FocusStreamsCaseStudies","Coinductive_Languages","HereditarilyFinite","Incompleteness","Tail_Recursive_Functions","Sturm_Sequences","CryptoBasedCompositionalProperties","Featherweight_OCL","KAT_and_DRA","Relation_Algebra","Secondary_Sylow","Regex_Equivalence","Real_Impl","Affine_Arithmetic","Selection_Heap_Sort","Random_Graph_Subgraph_Threshold","Partial_Function_MR","AWN","Probabilistic_Noninterference","GPU_Kernel_PL","Discrete_Summation","HyperCTL","Abstract_Completeness","Bounded_Deducibility_Security","SIFUM_Type_Systems","Strong_Security","WHATandWHERE_Security","ComponentDependencies","Regular_Algebras","Noninterference_CSP","Roy_Floyd_Warshall","CAVA_Automata","LTL_to_GBA","Gabow_SCC","Promela","CAVA_LTL_Modelchecker","Boolean_Expression_Checkers","MSO_Regex_Equivalence","Pop_Refinement","Network_Security_Policy_Verification","Amortized_Complexity","pGCL","CISC-Kernel","Show","Splay_Tree","Skew_Heap","VectorSpace","Special_Function_Bounds","Gauss_Jordan","Priority_Queue_Braun","Jordan_Hoelder","Cayley_Hamilton","Sturm_Tarski","Imperative_Insertion_Sort","Certification_Monads","XML","RefinementReactive","Density_Compiler","Stream_Fusion_Code","Lifting_Definition_Option","AODV","UPF","UpDown_Scheme","Finite_Automata_HF","Echelon_Form","QR_Decomposition","Call_Arity","Deriving","Consensus_Refined","Trie","ConcurrentGC","ConcurrentIMP","Residuated_Lattices","Vickrey_Clarke_Groves","Probabilistic_System_Zoo","Formula_Derivatives","Dynamic_Tables","Multirelations","Noninterference_Generic_Unwinding","Noninterference_Ipurge_Unwinding","List_Interleaving","Derangements","Hermite","Landau_Symbols","Akra_Bazzi","Case_Labeling","Encodability_Process_Calculi","Rep_Fin_Groups","Noninterference_Inductive_Unwinding","Decreasing-Diagrams-II","Jordan_Normal_Form","LTL_to_DRA","Isabelle_Meta_Model","Parity_Game","Planarity_Certificates","TortoiseHare","Euler_Partition","Ergodic_Theory","Latin_Square","Card_Partitions","Applicative_Lifting","Stern_Brocot","Algebraic_Numbers","Liouville_Numbers","Triangle","Prime_Harmonic_Series","Descartes_Sign_Rule","Card_Number_Partitions","Matrix_Tensor","Knot_Theory","Polynomial_Interpolation","Polynomial_Factorization","Formal_SSA","List_Update","LTL","Cartan_FP","Timed_Automata","PropResPI","KAD","Noninterference_Sequential_Composition","CYK","ROBDD","No_FTL_observers","Groebner_Bases","Bell_Numbers_Spivey","SDS_Impossibility","Randomised_Social_Choice","MFMC_Countable","FLP","Perron_Frobenius","Incredible_Proof_Machine","Card_Equiv_Relations","Posix-Lexing","Tree_Decomposition","Word_Lib","Noninterference_Concurrent_Composition","Algebraic_VCs","Catalan_Numbers","Dependent_SIFUM_Type_Systems","Category3","Card_Multisets","IP_Addresses","Dependent_SIFUM_Refinement","Rewriting_Z","Resolution_FOL","Buildings","DFS_Framework","Pairing_Heap","Surprise_Paradox","Ptolemys_Theorem","Refine_Imperative_HOL","EdmondsKarp_Maxflow","InfPathElimination","Simple_Firewall","Routing","Stirling_Formula","Stone_Algebras","SuperCalc","Iptables_Semantics","Lambda_Free_RPOs","Allen_Calculus","Fisher_Yates","Lp","Chord_Segments","Berlekamp_Zassenhaus","Source_Coding_Theorem","SPARCv8","LOFT","Stable_Matching","Modal_Logics_for_NTS","Deep_Learning","Lambda_Free_KBOs","Nested_Multisets_Ordinals","Separata","Abs_Int_ITP2012","Complx","Paraconsistency","Proof_Strategy_Language","Twelvefold_Way","Concurrent_Ref_Alg","FOL_Harrison","Password_Authentication_Protocol","UPF_Firewall","E_Transcendental","Minimal_SSA","Bertrands_Postulate","Bernoulli","Key_Agreement_Strong_Adversaries","Stone_Relation_Algebras","Abstract_Soundness","Differential_Dynamic_Logic","Menger","Elliptic_Curves_Group_Law","Euler_MacLaurin","Comparison_Sort_Lower_Bound","Quick_Sort_Cost","Random_BSTs","Subresultants","Lazy_Case","Constructor_Funs","LocalLexing","Types_Tableaus_and_Goedels_God","MonoidalCategory","Game_Based_Crypto","CryptHOL","Probabilistic_While","Monad_Normalisation","Monomorphic_Monad","Floyd_Warshall","Dict_Construction","Security_Protocol_Refinement","Optics","Flow_Networks","Prpu_Maxflow","Buffons_Needle","PSemigroupsConvolution","Propositional_Proof_Systems","Stone_Kleene_Relation_Algebras","CRDT","Name_Carrying_Type_Inference","Minkowskis_Theorem","HOLCF-Prelude","Decl_Sem_Fun_PL","DynamicArchitectures","Stewart_Apollonius","LambdaMu","Root_Balanced_Tree","Orbit_Stabiliser","First_Welfare_Theorem","AnselmGod","PLM","Lowe_Ontological_Argument","Dirichlet_Series","Zeta_Function","Linear_Recurrences","Diophantine_Eqns_Lin_Hom","Winding_Number_Eval","Count_Complex_Roots","Buchi_Complementation","Transition_Systems_and_Automata","Kuratowski_Closure_Complement","Hybrid_Multi_Lane_Spatial_Logic","IMAP-CRDT","Stochastic_Matrices","Knuth_Morris_Pratt","BNF_Operations","Median_Of_Medians_Selection","Mason_Stothers","Dirichlet_L","Falling_Factorial_Sum","Taylor_Models","Green","Gromov_Hyperbolicity","Ordered_Resolution_Prover","LLL_Basis_Reduction","First_Order_Terms","Error_Function","LLL_Factorization","Treaps","Hoare_Time","Architectural_Design_Patterns","CakeML","Weight_Balanced_Trees","Fishburn_Impossibility","BNF_CC","VerifyThis2018","WebAssembly","Modular_Assembly_Kit_Security","OpSets","Monad_Memo_DP","AxiomaticCategoryTheory","Irrationality_J_Hancl","Probabilistic_Timed_Automata","Hidden_Markov_Models","Optimal_BST","Partial_Order_Reduction","Projective_Geometry","Localization_Ring","Pell","Neumann_Morgenstern_Utility","DiscretePricing","Minsky_Machines","Simplex","Budan_Fourier","Quaternions","Octonions","Aggregation_Algebras","Prime_Number_Theorem","Signature_Groebner","Symmetric_Polynomials","Pi_Transcendental","Factored_Transition_System_Bounding","Randomised_BSTs","Lambda_Free_EPO","Smooth_Manifolds","Epistemic_Logic","GewirthPGCProof","Generic_Deriving","Matroids","Auto2_HOL","Graph_Saturation","Functional_Ordered_Resolution_Prover","Order_Lattice_Props","Quantales","Transformer_Semantics","Constructive_Cryptography","Auto2_Imperative_HOL","Concurrent_Revisions","Core_DOM","Store_Buffer_Reduction","Higher_Order_Terms","IMP2","Farkas","UTP","List_Inversions","Universal_Turing_Machine","Probabilistic_Prime_Tests","Kruskal","Prime_Distribution_Elementary","Safe_OCL","QHLProver","Transcendence_Series_Hancl_Rucki","Binding_Syntax_Theory","LTL_Master_Theorem","HOL-CSP","Multi_Party_Computation","LambdaAuth","KD_Tree","Differential_Game_Logic","IMP2_Binary_Heap","Groebner_Macaulay","Nullstellensatz","Linear_Inequalities","Priority_Search_Trees","Prim_Dijkstra_Simple","Complete_Non_Orders","MFOTL_Monitor","CakeML_Codegen","FOL_Seq_Calc1","Szpilrajn","TESL_Language","Stellar_Quorums","IMO2019","C2KA_DistributedSystems","Linear_Programming","Laplace_Transform","Adaptive_State_Counting","Jacobson_Basic_Algebra","Fourier","Hybrid_Systems_VCs","Generic_Join","Clean","Sigma_Commit_Crypto","Aristotles_Assertoric_Syllogistic","VerifyThis2019","Isabelle_C","ZFC_in_HOL","Interval_Arithmetic_Word32","Generalized_Counting_Sort","Gauss_Sums","Complex_Geometry","Poincare_Disc","Poincare_Bendixson","Hybrid_Logic","Zeta_3_Irrational","Bicategory","Skip_Lists","Closest_Pair_Points","Approximation_Algorithms","Mersenne_Primes","Subset_Boolean_Algebras","Arith_Prog_Rel_Primes","VeriComp","Goodstein_Lambda","Hello_World","Relational-Incorrectness-Logic","Furstenberg_Topology","WOOT_Strong_Eventual_Consistency","Lucas_Theorem","Saturation_Framework","MFODL_Monitor_Optimized","Sliding_Window_Algorithm","ADS_Functor","Attack_Trees","Knuth_Bendix_Order"];
-var years_loc_articles = [  2004        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2005        ,    ,    ,    ,    ,    ,    ,  ,2006        ,    ,    ,    ,    ,    ,  ,2007        ,    ,    ,    ,    ,    ,    ,  ,2008        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2009        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2010        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2011        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2012        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2013        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2014        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2015        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2016        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2017        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2018        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2019        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2020        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,];
-var loc_articles = [ "839","1825","1544","1096","2419","1058","44269","205","142","1994","209","1109","3792","506","1141","3769","17203","3119","6430","1145","447","2537","1275","1583","1838","12833","13114","2685","1228","4269","3556","9649","2847","970","1741","79734","4738","3396","2186","10664","31192","6723","30332","180","793","1047","14413","2080","254","2221","5958","3458","799","1540","684","6654","8","2627","27490","330","5025","32412","4380","210","9533","447","2380","3399","611","6311","2042","840","1024","713","5632","1427","4078","2230","6061","22617","1602","1587","3370","2449","2592","260","1620","16","2930","7805","6557","6381","992","125","10136","332","235","1828","4425","1784","1039","442","4461","11857","2834","8583","1043","408","2940","2725","38065","3243","1480","2611","3153","2580","25275","27588","2266","4107","7701","1245","260","5309","73","9729","752","6673","1511","4354","1248","1908","6215","4974","10067","7894","538","3830","4595","202","848","1781","5209","10327","1524","150","5292","706","2248","10774","1458","3067","1958","11485","1860","1190","1219","2175","1144","14861","2215","1964","166","10685","6420","572","590","1698","465","883","4133","1403","2138","2280","1959","2467","220","4431","3999","5432","4463","9390","406","5930","1829","12832","2973","9486","4560","951","645","104","2338","1653","9143","752","2113","875","1727","627","931","1201","1296","7880","1922","90","28055","2879","2796","1116","5259","4863","8842","1169","6178","527","6194","1601","1782","5327","1085","4103","952","2362","1089","2446","1060","468","2074","2148","3761","710","16080","8267","908","1063","21109","9679","8653","3142","9161","690","435","13711","478","898","2716","1162","10063","401","498","495","741","843","3622","4616","4123","6228","8166","12108","3178","518","17583","2876","2411","5496","886","2453","1162","17386","509","702","5036","9700","4287","5331","3813","329","656","1057","8313","3257","2593","553","8478","17950","206","3314","8773","398","2960","12833","9483","373","173","384","18976","2545","6119","3777","1017","2608","4338","9356","20033","4053","3420","319","3204","169","19540","541","14618","2648","7056","7590","3898","3244","4546","855","2289","5001","1349","276","4339","1475","3482","7114","9662","601","852","1722","2194","12220","4116","590","13558","1695","4484","1640","694","835","737","3346","105","68","10492","1127","8000","4135","9435","1200","378","4711","2078","639","14059","2015","3930","4869","398","1531","5554","5614","1991","4205","478","4121","3146","3471","88","480","1877","1261","2193","250","10669","854","7463","5301","3079","2961","8849","5261","2326","6172","945","6514","992","489","809","8891","854","338","3133","493","4585","9457","15962","6239","10249","2288","785","3260","1818","8438","3278","12949","592","841","3383","3642","11559","13548","3734","5742","530","1044","7674","1042","1259","5297","2754","1390","1622","2173","13358","805","10027","2667","541","1271","3955","5318","9770","2765","934","11918","1743","2355","7917","1490","449","685","1811","1132","3578","3551","2983","2218","1644","7221","4968","2767","16973","34365","3259","6022","1900","10334","372","16867","3018","3300","5304","4576","10486","1000","15843","4437","9487","5543","3300","1264","2973","805","10253","2606","5262","472","3365","1869","2599","13350","945","192","4455","527","713","782","2335","2134","9934","2089","3736","3105","2350","3195","3812","176","1726","8509","6605","4830","5723","4561","14529","10314","6402","4407","1907","51409","2450","3936","2758","1699","3154","944","906","596","375","691","766","2564","332","3071","11343","744","2351","1939","2670"];
+var no_articles = [14, 22, 29, 37, 52, 64, 86, 103, 128, 151, 208, 253, 326, 396, 455, 511, 540];
+var no_loc = [61000.0, 96800.0, 131400.0, 238900.0, 353800.0, 435900.0, 517100.0, 568100.0, 740400.0, 828100.0, 1038200.0, 1216500.0, 1580800.0, 1830500.0, 2104400.0, 2398600.0, 2518000.0 ];
+var no_authors = [14, 11, 6, 6, 10, 6, 24, 11, 17, 16, 36, 20, 63, 31, 28, 38, 19];
+var no_authors_series = [14, 25, 31, 37, 47, 53, 77, 88, 105, 121, 157, 177, 240, 271, 299, 337, 356];
+var all_articles = [ "MiniML","AVL-Trees","Functional-Automata","BinarySearchTree","Lazy-Lists-II","Topology","Group-Ring-Module","Depth-First-Search","Compiling-Exceptions-Correctly","Completeness","Ramsey-Infinite","Verified-Prover","Integration","FileRefinement","Category","RSAPSS","Jinja","JiveDataStoreModel","DiskPaxos","GenClock","FFT","Ordinal","Cauchy","ClockSynchInst","FeatherweightJava","CoreC++","Flyspeck-Tame","Abstract-Hoare-Logics","HotelKeyCards","FOL-Fitting","POPLmark-deBruijn","Valuation","SumSquares","Fermat3_4","MuchAdoAboutTwo","JinjaThreads","Program-Conflict-Analysis","LinearQuantifierElim","NormByEval","Simpl","BDD","Recursion-Theory-I","SATSolverVerification","FunWithFunctions","ArrowImpossibilityGS","VolpanoSmith","Slicing","Huffman","FunWithTilings","SenSocialChoice","SIFPL","BytecodeLogicJmlTypes","Stream-Fusion","FinFun","CofGroups","SequentInvertibility","Ordinals_and_Cardinals","WorkerWrapper","HRB-Slicing","Perfect-Number-Thm","Collections","Tree-Automata","Presburger-Automata","DPT-SAT-Solver","Coinductive","List-Index","InformationFlowSlicing","InformationFlowSlicing_Inter","Free-Boolean-Algebra","Locally-Nameless-Sigma","Regular-Sets","Robbins-Conjecture","DataRefinementIBP","GraphMarkingIBP","Abstract-Rewriting","Matrix","Category2","Free-Groups","Statecharts","Polynomials","Lam-ml-Normalization","Binomial-Queues","Binomial-Heaps","Finger-Trees","Shivers-CFA","Marriage","Lower_Semicontinuous","RIPEMD-160-SPARK","LightweightJava","List-Infinite","AutoFocus-Stream","Nat-Interval-Logic","Transitive-Closure","General-Triangle","KBPs","Max-Card-Matching","Gauss-Jordan-Elim-Fun","Myhill-Nerode","LatticeProperties","MonoBoolTranAlgebra","PseudoHoops","Efficient-Mergesort","TLA","Markov_Models","Dijkstra_Shortest_Path","Refine_Monadic","Girth_Chromatic","Transitive-Closure-II","Abortable_Linearizable_Modules","Well_Quasi_Orders","Ordinary_Differential_Equations","Inductive_Confidentiality","Stuttering_Equivalence","Separation_Algebra","Circus","Psi_Calculi","CCS","Pi_Calculus","Tycon","PCF","Heard_Of","Impossible_Geometry","Datatype_Order_Generator","Possibilistic_Noninterference","Bondy","Tarskis_Geometry","Open_Induction","Separation_Logic_Imperative_HOL","Sqrt_Babylonian","Kleene_Algebra","Rank_Nullity_Theorem","Ribbon_Proofs","Launchbury","Nominal2","Containers","Graph_Theory","ShortestPath","Sort_Encodings","Koenigsberg_Friendship","Lehmer","Pratt_Certificate","IEEE_Floating_Point","Native_Word","Automatic_Refinement","Decreasing-Diagrams","GoedelGod","FocusStreamsCaseStudies","Coinductive_Languages","Incompleteness","HereditarilyFinite","Tail_Recursive_Functions","CryptoBasedCompositionalProperties","Sturm_Sequences","Featherweight_OCL","KAT_and_DRA","Relation_Algebra","Secondary_Sylow","Regex_Equivalence","Real_Impl","Affine_Arithmetic","Selection_Heap_Sort","Random_Graph_Subgraph_Threshold","Partial_Function_MR","AWN","Probabilistic_Noninterference","GPU_Kernel_PL","Discrete_Summation","HyperCTL","Abstract_Completeness","Bounded_Deducibility_Security","SIFUM_Type_Systems","WHATandWHERE_Security","Strong_Security","ComponentDependencies","Regular_Algebras","Noninterference_CSP","Roy_Floyd_Warshall","Gabow_SCC","CAVA_Automata","CAVA_LTL_Modelchecker","LTL_to_GBA","Promela","Boolean_Expression_Checkers","MSO_Regex_Equivalence","Pop_Refinement","Network_Security_Policy_Verification","Amortized_Complexity","pGCL","CISC-Kernel","Show","Splay_Tree","Skew_Heap","VectorSpace","Special_Function_Bounds","Gauss_Jordan","Priority_Queue_Braun","Jordan_Hoelder","Cayley_Hamilton","Sturm_Tarski","Imperative_Insertion_Sort","Certification_Monads","XML","RefinementReactive","Density_Compiler","Stream_Fusion_Code","Lifting_Definition_Option","AODV","UPF","UpDown_Scheme","Finite_Automata_HF","QR_Decomposition","Echelon_Form","Call_Arity","Deriving","Consensus_Refined","Trie","ConcurrentIMP","ConcurrentGC","Residuated_Lattices","Vickrey_Clarke_Groves","Probabilistic_System_Zoo","Formula_Derivatives","Dynamic_Tables","Noninterference_Ipurge_Unwinding","Noninterference_Generic_Unwinding","List_Interleaving","Multirelations","Derangements","Hermite","Akra_Bazzi","Landau_Symbols","Case_Labeling","Encodability_Process_Calculi","Rep_Fin_Groups","Noninterference_Inductive_Unwinding","Decreasing-Diagrams-II","Jordan_Normal_Form","LTL_to_DRA","Isabelle_Meta_Model","Parity_Game","Planarity_Certificates","TortoiseHare","Euler_Partition","Ergodic_Theory","Latin_Square","Card_Partitions","Applicative_Lifting","Algebraic_Numbers","Stern_Brocot","Liouville_Numbers","Triangle","Prime_Harmonic_Series","Descartes_Sign_Rule","Card_Number_Partitions","Matrix_Tensor","Knot_Theory","Polynomial_Factorization","Polynomial_Interpolation","Formal_SSA","List_Update","LTL","Cartan_FP","Timed_Automata","PropResPI","KAD","Noninterference_Sequential_Composition","ROBDD","CYK","No_FTL_observers","Groebner_Bases","Bell_Numbers_Spivey","SDS_Impossibility","Randomised_Social_Choice","MFMC_Countable","FLP","Perron_Frobenius","Incredible_Proof_Machine","Posix-Lexing","Card_Equiv_Relations","Tree_Decomposition","Word_Lib","Noninterference_Concurrent_Composition","Algebraic_VCs","Catalan_Numbers","Dependent_SIFUM_Type_Systems","Card_Multisets","Category3","Dependent_SIFUM_Refinement","IP_Addresses","Rewriting_Z","Resolution_FOL","Buildings","DFS_Framework","Pairing_Heap","Surprise_Paradox","Ptolemys_Theorem","Refine_Imperative_HOL","EdmondsKarp_Maxflow","InfPathElimination","Simple_Firewall","Routing","Stirling_Formula","Stone_Algebras","SuperCalc","Iptables_Semantics","Lambda_Free_RPOs","Allen_Calculus","Fisher_Yates","Lp","Chord_Segments","Berlekamp_Zassenhaus","Source_Coding_Theorem","SPARCv8","LOFT","Stable_Matching","Modal_Logics_for_NTS","Deep_Learning","Lambda_Free_KBOs","Nested_Multisets_Ordinals","Separata","Abs_Int_ITP2012","Complx","Paraconsistency","Proof_Strategy_Language","Twelvefold_Way","Concurrent_Ref_Alg","FOL_Harrison","Password_Authentication_Protocol","UPF_Firewall","E_Transcendental","Bertrands_Postulate","Minimal_SSA","Bernoulli","Key_Agreement_Strong_Adversaries","Stone_Relation_Algebras","Abstract_Soundness","Differential_Dynamic_Logic","Menger","Elliptic_Curves_Group_Law","Euler_MacLaurin","Quick_Sort_Cost","Comparison_Sort_Lower_Bound","Random_BSTs","Subresultants","Lazy_Case","Constructor_Funs","LocalLexing","Types_Tableaus_and_Goedels_God","MonoidalCategory","Game_Based_Crypto","Monomorphic_Monad","Probabilistic_While","Monad_Normalisation","CryptHOL","Floyd_Warshall","Security_Protocol_Refinement","Dict_Construction","Optics","Flow_Networks","Prpu_Maxflow","Buffons_Needle","PSemigroupsConvolution","Propositional_Proof_Systems","Stone_Kleene_Relation_Algebras","CRDT","Name_Carrying_Type_Inference","Minkowskis_Theorem","HOLCF-Prelude","Decl_Sem_Fun_PL","DynamicArchitectures","Stewart_Apollonius","LambdaMu","Orbit_Stabiliser","Root_Balanced_Tree","First_Welfare_Theorem","AnselmGod","PLM","Lowe_Ontological_Argument","Dirichlet_Series","Zeta_Function","Linear_Recurrences","Diophantine_Eqns_Lin_Hom","Winding_Number_Eval","Count_Complex_Roots","Buchi_Complementation","Transition_Systems_and_Automata","Kuratowski_Closure_Complement","Hybrid_Multi_Lane_Spatial_Logic","IMAP-CRDT","Stochastic_Matrices","Knuth_Morris_Pratt","BNF_Operations","Dirichlet_L","Mason_Stothers","Median_Of_Medians_Selection","Falling_Factorial_Sum","Taylor_Models","Green","Gromov_Hyperbolicity","Ordered_Resolution_Prover","LLL_Basis_Reduction","Treaps","First_Order_Terms","Error_Function","LLL_Factorization","Hoare_Time","Architectural_Design_Patterns","CakeML","Weight_Balanced_Trees","Fishburn_Impossibility","BNF_CC","VerifyThis2018","WebAssembly","Modular_Assembly_Kit_Security","OpSets","Monad_Memo_DP","AxiomaticCategoryTheory","Irrationality_J_Hancl","Probabilistic_Timed_Automata","Hidden_Markov_Models","Optimal_BST","Partial_Order_Reduction","Projective_Geometry","Localization_Ring","Pell","Neumann_Morgenstern_Utility","DiscretePricing","Minsky_Machines","Simplex","Budan_Fourier","Quaternions","Octonions","Aggregation_Algebras","Prime_Number_Theorem","Signature_Groebner","Symmetric_Polynomials","Pi_Transcendental","Factored_Transition_System_Bounding","Randomised_BSTs","Lambda_Free_EPO","Smooth_Manifolds","Epistemic_Logic","GewirthPGCProof","Generic_Deriving","Matroids","Auto2_HOL","Functional_Ordered_Resolution_Prover","Graph_Saturation","Transformer_Semantics","Order_Lattice_Props","Quantales","Constructive_Cryptography","Auto2_Imperative_HOL","Concurrent_Revisions","Core_DOM","Store_Buffer_Reduction","Higher_Order_Terms","IMP2","Farkas","List_Inversions","UTP","Universal_Turing_Machine","Probabilistic_Prime_Tests","Kruskal","Prime_Distribution_Elementary","Safe_OCL","QHLProver","Transcendence_Series_Hancl_Rucki","Binding_Syntax_Theory","LTL_Master_Theorem","HOL-CSP","Multi_Party_Computation","LambdaAuth","KD_Tree","Differential_Game_Logic","IMP2_Binary_Heap","Groebner_Macaulay","Nullstellensatz","Linear_Inequalities","Priority_Search_Trees","Prim_Dijkstra_Simple","Complete_Non_Orders","MFOTL_Monitor","CakeML_Codegen","FOL_Seq_Calc1","Szpilrajn","TESL_Language","Stellar_Quorums","IMO2019","C2KA_DistributedSystems","Linear_Programming","Laplace_Transform","Adaptive_State_Counting","Jacobson_Basic_Algebra","Fourier","Hybrid_Systems_VCs","Generic_Join","Clean","Sigma_Commit_Crypto","Aristotles_Assertoric_Syllogistic","VerifyThis2019","Isabelle_C","ZFC_in_HOL","Interval_Arithmetic_Word32","Generalized_Counting_Sort","Gauss_Sums","Poincare_Disc","Complex_Geometry","Poincare_Bendixson","Hybrid_Logic","Zeta_3_Irrational","Bicategory","Skip_Lists","Closest_Pair_Points","Approximation_Algorithms","Mersenne_Primes","Subset_Boolean_Algebras","Arith_Prog_Rel_Primes","VeriComp","Goodstein_Lambda","Hello_World","Relational-Incorrectness-Logic","Furstenberg_Topology","WOOT_Strong_Eventual_Consistency","Lucas_Theorem","MFODL_Monitor_Optimized","Saturation_Framework","Sliding_Window_Algorithm","ADS_Functor","Matrices_for_ODEs","Power_Sum_Polynomials","Lambert_W","Gaussian_Integers","Attack_Trees","Banach_Steinhaus","Forcing","LTL_Normal_Form","Recursion-Addition","Irrational_Series_Erdos_Straus","Knuth_Bendix_Order"];
+var years_loc_articles = [  2004        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2005        ,    ,    ,    ,    ,    ,    ,  ,2006        ,    ,    ,    ,    ,    ,  ,2007        ,    ,    ,    ,    ,    ,    ,  ,2008        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2009        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2010        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2011        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2012        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2013        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2014        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2015        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2016        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2017        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2018        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2019        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,  ,2020        ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,];
+var loc_articles = [ "1825","839","1544","1096","1058","2419","44269","205","142","1994","209","1109","3792","506","1141","3769","17203","3119","6430","1145","447","2537","1275","1583","1838","12833","13114","2685","1228","3556","4269","9649","970","2847","1741","79734","4738","3396","2186","31192","10664","6723","30332","180","793","1047","14413","2080","254","2221","5958","3458","799","1540","684","6654","8","2627","27490","330","32412","5025","4380","210","9533","447","2380","3399","611","6311","2042","840","713","1024","5632","1427","4078","2230","6061","22617","1602","1587","3370","2449","2592","260","1620","16","2930","7805","6557","6381","992","125","10136","332","235","1828","1039","1784","4425","303","4461","11857","2834","8583","1043","408","2940","2613","38065","3243","1480","2611","3153","27588","2580","25275","2266","4107","7701","1245","260","5309","73","9729","719","6673","1511","4354","1248","1908","6215","4974","10067","7894","538","3830","4595","202","848","1781","5209","10327","1524","150","5292","706","10774","2248","1458","1958","3067","11485","1860","1190","1219","2175","1144","14861","2215","1964","166","10685","6420","572","590","1698","465","883","4133","2138","1403","2280","1959","2467","220","5432","4431","9390","3999","4463","406","5930","1829","12832","2973","9486","4560","931","645","104","2338","1653","9143","752","2113","875","1727","627","931","1201","1296","7880","1922","90","28055","2879","2796","1116","4863","5259","8842","1169","6178","527","1601","6194","1782","5327","1085","4103","952","2446","1089","1060","2362","468","2074","3761","2148","710","16080","8267","908","1063","21109","9679","8653","3142","9161","690","435","13711","478","898","2716","10063","1162","401","498","495","741","843","3622","4616","6228","4123","8166","12108","3178","518","17583","2876","2411","5496","2453","886","1162","17386","509","702","5036","9700","4287","5331","3813","656","329","1057","8313","3257","2593","553","8478","206","17950","8773","3314","398","2960","12833","9483","373","173","384","18976","2545","6119","3777","1017","2608","4338","9356","20033","4053","3420","319","3204","169","19540","541","14618","2648","7056","7590","3898","3244","4546","855","2289","5001","1349","276","4339","1475","3482","7114","9662","601","1722","852","2194","12220","4116","590","13558","1695","4484","1640","835","694","737","3346","105","68","10492","1127","8000","4135","4711","1200","378","9435","2078","14059","639","2015","3930","4869","398","1531","5554","5614","1991","4205","478","4121","3146","3471","88","480","1261","1877","2193","250","10669","854","7463","5301","3079","2808","8849","5261","2326","6172","945","6514","992","489","809","8891","3133","338","854","493","4585","9457","15962","6239","10249","1818","2288","785","3260","8438","3278","12949","592","841","3383","3642","11559","13548","3734","5742","530","1044","7674","1042","1259","5297","2754","1390","1622","2173","13358","805","10027","2667","541","1271","3955","5318","9770","2765","934","11918","1743","2355","7917","1490","449","685","1811","1132","3551","3578","1644","2983","2218","7221","4968","2767","16973","34365","3259","6022","1900","372","10334","16867","3018","3300","5304","4576","10486","1000","15843","4437","9487","5543","3300","1264","2973","805","10253","2606","5262","472","3365","1869","2599","13350","945","192","4455","527","713","782","2335","2134","9934","2089","3736","3105","2350","3195","3812","176","1726","8509","6605","4830","5723","4561","10314","14529","6402","4407","1907","51409","2450","3936","2758","1699","3154","944","906","596","375","691","766","2564","332","11343","3071","744","2351","1559","1239","1609","2537","1939","1341","12003","1034","1444","1938","2670"];
 
 </script>
 <h4>Growth in number of articles:</h4>
 <script src="Chart.js"></script>
 <div class="chart">
 <canvas id="NumberOfArticles" width="400" height="400"></canvas>
 </div>
 <script>
 var ctx = document.getElementById("NumberOfArticles");
 var myChart = new Chart(ctx, {
     type: 'bar',
     data: {
         labels: years,
         datasets: [{
             label: 'size of the AFP in # of articles',
             data: no_articles,
             backgroundColor: "rgba(46, 45, 78, 1)"
         }],
     },
     options: {
         responsive: true,
         maintainAspectRatio: true,
         scales: {
             yAxes: [{
                 ticks: {
                     beginAtZero:true
                 }
             }]
         },
      }
 });
 </script>
 
 <h4>Growth in lines of code:</h4>
 <div class="chart">
 <canvas id="NumberOfLoc" width="400" height="400"></canvas>
 </div>
 <script>
 var ctx = document.getElementById("NumberOfLoc");
 var myChart = new Chart(ctx, {
     type: 'bar',
     data: {
         labels: years,
         datasets: [{
             label: 'size of the AFP in lines of code',
             data: no_loc,
             backgroundColor: "rgba(101, 99, 136, 1)"
         }],
     },
     options: {
         responsive: true,
         maintainAspectRatio: true,
         scales: {
             yAxes: [{
                 ticks: {
                     beginAtZero:true
                 }
             }]
         },
      }
 });
 </script>
 
 <h4>Growth in number of authors:</h4>
 <div class="chart">
 <canvas id="NumberOfAuthors" width="400" height="400"></canvas>
 </div>
 <script>
 var ctx = document.getElementById("NumberOfAuthors");
 var myChart = new Chart(ctx, {
     type: 'bar',
     data: {
         labels: years,
         datasets: [{
             label: 'new authors per year',
             data: no_authors,
             backgroundColor: "rgba(101, 99, 136, 1)"
             },
             {
             label: 'number of authors contributing (cumulative)',
             data: no_authors_series,
             backgroundColor: "rgba(0, 15, 48, 1)"
         }],
     },
     options: {
         responsive: true,
         maintainAspectRatio: true,
         scales: {
             yAxes: [{
                 ticks: {
                     beginAtZero:true
                 }
             }]
         },
      }
 });
 </script>
 
 <h4>Size of articles:</h4>
 <div style="width: 800px" class="chart">
 <canvas id="LocArticles" width="800" height="400"></canvas>
 </div>
 <script>
 var ctx = document.getElementById("LocArticles");
 var myChart = new Chart(ctx, {
     type: 'bar',
     data: {
         labels: years_loc_articles,
         datasets: [{
             label: 'loc per article',
             data: loc_articles,
             backgroundColor: "rgba(101, 99, 136, 1)"
             }]
     },
     options: {
         responsive: true,
         maintainAspectRatio: true,
         scales: {
             xAxes: [{
                 categoryPercentage: 1,
                 barPercentage: 0.9,
                 ticks: {
                     autoSkip: false
                 }
                 }],
             yAxes: [{
                 ticks: {
                     beginAtZero:true
                 }
             }]
         },
         tooltips: {
             callbacks: {
                 title: function(tooltipItem, data) {
                        return all_articles[tooltipItem[0].index];
                        }
             }
         }
      }
 });
 </script>
 
     </td></tr>
 
   </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 <script src="Chart.js"></script>
 
 </body>
 </html>
\ No newline at end of file
diff --git a/web/topics.html b/web/topics.html
--- a/web/topics.html
+++ b/web/topics.html
@@ -1,872 +1,884 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Archive of Formal Proofs</title>
 <link rel="stylesheet" type="text/css" href="front.css">
 <link rel="icon" href="images/favicon.ico" type="image/icon">
 <link rel="alternate" type="application/rss+xml" title="RSS" href="rss.xml">
  </head>
 
 <body class="mathjax_ignore">
 
 <table width="100%">
 <tbody>
 <tr>
 
 <!-- Navigation -->
 <td width="20%" align="center" valign="top">
   <p>&nbsp;</p>
   <a href="https://www.isa-afp.org/">
     <img src="images/isabelle.png" width="100" height="88" border=0>
   </a>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
   <table class="nav" width="80%">
     <tr>
       <td class="nav" width="100%"><a href="index.html">Home</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="about.html">About</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="submitting.html">Submission</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="updating.html">Updating Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="using.html">Using Entries</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="search.html">Search</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="statistics.html">Statistics</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="topics.html">Index</a></td>
     </tr>
     <tr>
       <td class="nav"><a href="download.html">Download</a></td>
     </tr>
   </table>
   <p>&nbsp;</p>
   <p>&nbsp;</p>
 </td>
 
 
 <!-- Content -->
 <td width="80%" valign="top">
 <div align="center">
   <p>&nbsp;</p>
   <h1><font class="first">I</font>ndex by <font class="first">T</font>opic
 </h1>
   <p>&nbsp;</p>
 
 <table width="80%" class="descr">
 <tbody>
 <tr>
 <td>
   <h2>Computer science</h2>
   <div class="list">
     </div>
         <h3>Automata and formal languages</h3>
     <div class="list">
           <a href="entries/Partial_Order_Reduction.html">Partial_Order_Reduction</a> &nbsp;
           <a href="entries/C2KA_DistributedSystems.html">C2KA_DistributedSystems</a> &nbsp;
           <a href="entries/Posix-Lexing.html">Posix-Lexing</a> &nbsp;
           <a href="entries/LocalLexing.html">LocalLexing</a> &nbsp;
           <a href="entries/KBPs.html">KBPs</a> &nbsp;
           <a href="entries/Regular-Sets.html">Regular-Sets</a> &nbsp;
           <a href="entries/Regex_Equivalence.html">Regex_Equivalence</a> &nbsp;
           <a href="entries/MSO_Regex_Equivalence.html">MSO_Regex_Equivalence</a> &nbsp;
           <a href="entries/Formula_Derivatives.html">Formula_Derivatives</a> &nbsp;
           <a href="entries/Myhill-Nerode.html">Myhill-Nerode</a> &nbsp;
           <a href="entries/Universal_Turing_Machine.html">Universal_Turing_Machine</a> &nbsp;
           <a href="entries/CYK.html">CYK</a> &nbsp;
           <a href="entries/Presburger-Automata.html">Presburger-Automata</a> &nbsp;
           <a href="entries/Functional-Automata.html">Functional-Automata</a> &nbsp;
           <a href="entries/Statecharts.html">Statecharts</a> &nbsp;
           <a href="entries/Stuttering_Equivalence.html">Stuttering_Equivalence</a> &nbsp;
           <a href="entries/Coinductive_Languages.html">Coinductive_Languages</a> &nbsp;
           <a href="entries/Tree-Automata.html">Tree-Automata</a> &nbsp;
           <a href="entries/Kleene_Algebra.html">Kleene_Algebra</a> &nbsp;
           <a href="entries/KAT_and_DRA.html">KAT_and_DRA</a> &nbsp;
           <a href="entries/KAD.html">KAD</a> &nbsp;
           <a href="entries/Regular_Algebras.html">Regular_Algebras</a> &nbsp;
           <a href="entries/Markov_Models.html">Markov_Models</a> &nbsp;
           <a href="entries/Probabilistic_System_Zoo.html">Probabilistic_System_Zoo</a> &nbsp;
           <a href="entries/CAVA_Automata.html">CAVA_Automata</a> &nbsp;
           <a href="entries/LTL.html">LTL</a> &nbsp;
           <a href="entries/LTL_to_GBA.html">LTL_to_GBA</a> &nbsp;
           <a href="entries/CAVA_LTL_Modelchecker.html">CAVA_LTL_Modelchecker</a> &nbsp;
           <a href="entries/Probabilistic_Timed_Automata.html">Probabilistic_Timed_Automata</a> &nbsp;
           <a href="entries/Finite_Automata_HF.html">Finite_Automata_HF</a> &nbsp;
           <a href="entries/LTL_to_DRA.html">LTL_to_DRA</a> &nbsp;
           <a href="entries/Timed_Automata.html">Timed_Automata</a> &nbsp;
           <a href="entries/Stochastic_Matrices.html">Stochastic_Matrices</a> &nbsp;
           <a href="entries/Buchi_Complementation.html">Buchi_Complementation</a> &nbsp;
           <a href="entries/Transition_Systems_and_Automata.html">Transition_Systems_and_Automata</a> &nbsp;
           <a href="entries/Factored_Transition_System_Bounding.html">Factored_Transition_System_Bounding</a> &nbsp;
           <a href="entries/LTL_Master_Theorem.html">LTL_Master_Theorem</a> &nbsp;
           <a href="entries/MFOTL_Monitor.html">MFOTL_Monitor</a> &nbsp;
           <a href="entries/Adaptive_State_Counting.html">Adaptive_State_Counting</a> &nbsp;
           <a href="entries/MFODL_Monitor_Optimized.html">MFODL_Monitor_Optimized</a> &nbsp;
+          <a href="entries/LTL_Normal_Form.html">LTL_Normal_Form</a> &nbsp;
                 </div>
       <h3>Algorithms</h3>
     <div class="list">
           <a href="entries/Knuth_Morris_Pratt.html">Knuth_Morris_Pratt</a> &nbsp;
           <a href="entries/Probabilistic_While.html">Probabilistic_While</a> &nbsp;
           <a href="entries/Comparison_Sort_Lower_Bound.html">Comparison_Sort_Lower_Bound</a> &nbsp;
           <a href="entries/Quick_Sort_Cost.html">Quick_Sort_Cost</a> &nbsp;
           <a href="entries/TortoiseHare.html">TortoiseHare</a> &nbsp;
           <a href="entries/Selection_Heap_Sort.html">Selection_Heap_Sort</a> &nbsp;
           <a href="entries/VerifyThis2018.html">VerifyThis2018</a> &nbsp;
           <a href="entries/CYK.html">CYK</a> &nbsp;
           <a href="entries/Boolean_Expression_Checkers.html">Boolean_Expression_Checkers</a> &nbsp;
           <a href="entries/Efficient-Mergesort.html">Efficient-Mergesort</a> &nbsp;
           <a href="entries/SATSolverVerification.html">SATSolverVerification</a> &nbsp;
           <a href="entries/MuchAdoAboutTwo.html">MuchAdoAboutTwo</a> &nbsp;
           <a href="entries/First_Order_Terms.html">First_Order_Terms</a> &nbsp;
           <a href="entries/Monad_Memo_DP.html">Monad_Memo_DP</a> &nbsp;
           <a href="entries/Hidden_Markov_Models.html">Hidden_Markov_Models</a> &nbsp;
           <a href="entries/Imperative_Insertion_Sort.html">Imperative_Insertion_Sort</a> &nbsp;
           <a href="entries/Formal_SSA.html">Formal_SSA</a> &nbsp;
           <a href="entries/ROBDD.html">ROBDD</a> &nbsp;
           <a href="entries/Median_Of_Medians_Selection.html">Median_Of_Medians_Selection</a> &nbsp;
           <a href="entries/Fisher_Yates.html">Fisher_Yates</a> &nbsp;
           <a href="entries/Optimal_BST.html">Optimal_BST</a> &nbsp;
           <a href="entries/IMP2.html">IMP2</a> &nbsp;
           <a href="entries/Auto2_Imperative_HOL.html">Auto2_Imperative_HOL</a> &nbsp;
           <a href="entries/List_Inversions.html">List_Inversions</a> &nbsp;
           <a href="entries/IMP2_Binary_Heap.html">IMP2_Binary_Heap</a> &nbsp;
           <a href="entries/MFOTL_Monitor.html">MFOTL_Monitor</a> &nbsp;
           <a href="entries/Adaptive_State_Counting.html">Adaptive_State_Counting</a> &nbsp;
           <a href="entries/Generic_Join.html">Generic_Join</a> &nbsp;
           <a href="entries/VerifyThis2019.html">VerifyThis2019</a> &nbsp;
           <a href="entries/Generalized_Counting_Sort.html">Generalized_Counting_Sort</a> &nbsp;
           <a href="entries/MFODL_Monitor_Optimized.html">MFODL_Monitor_Optimized</a> &nbsp;
           <a href="entries/Sliding_Window_Algorithm.html">Sliding_Window_Algorithm</a> &nbsp;
                   <strong>Graph:</strong>
               <a href="entries/DFS_Framework.html">DFS_Framework</a> &nbsp;
               <a href="entries/Prpu_Maxflow.html">Prpu_Maxflow</a> &nbsp;
               <a href="entries/Floyd_Warshall.html">Floyd_Warshall</a> &nbsp;
               <a href="entries/Roy_Floyd_Warshall.html">Roy_Floyd_Warshall</a> &nbsp;
               <a href="entries/Dijkstra_Shortest_Path.html">Dijkstra_Shortest_Path</a> &nbsp;
               <a href="entries/EdmondsKarp_Maxflow.html">EdmondsKarp_Maxflow</a> &nbsp;
               <a href="entries/Depth-First-Search.html">Depth-First-Search</a> &nbsp;
               <a href="entries/GraphMarkingIBP.html">GraphMarkingIBP</a> &nbsp;
               <a href="entries/Transitive-Closure.html">Transitive-Closure</a> &nbsp;
               <a href="entries/Transitive-Closure-II.html">Transitive-Closure-II</a> &nbsp;
               <a href="entries/Gabow_SCC.html">Gabow_SCC</a> &nbsp;
               <a href="entries/Kruskal.html">Kruskal</a> &nbsp;
               <a href="entries/Prim_Dijkstra_Simple.html">Prim_Dijkstra_Simple</a> &nbsp;
                 <strong>Distributed:</strong>
               <a href="entries/DiskPaxos.html">DiskPaxos</a> &nbsp;
               <a href="entries/GenClock.html">GenClock</a> &nbsp;
               <a href="entries/ClockSynchInst.html">ClockSynchInst</a> &nbsp;
               <a href="entries/Heard_Of.html">Heard_Of</a> &nbsp;
               <a href="entries/Consensus_Refined.html">Consensus_Refined</a> &nbsp;
               <a href="entries/Abortable_Linearizable_Modules.html">Abortable_Linearizable_Modules</a> &nbsp;
               <a href="entries/IMAP-CRDT.html">IMAP-CRDT</a> &nbsp;
               <a href="entries/CRDT.html">CRDT</a> &nbsp;
               <a href="entries/OpSets.html">OpSets</a> &nbsp;
               <a href="entries/Stellar_Quorums.html">Stellar_Quorums</a> &nbsp;
               <a href="entries/WOOT_Strong_Eventual_Consistency.html">WOOT_Strong_Eventual_Consistency</a> &nbsp;
                 <strong>Concurrent:</strong>
               <a href="entries/ConcurrentGC.html">ConcurrentGC</a> &nbsp;
                 <strong>Online:</strong>
               <a href="entries/List_Update.html">List_Update</a> &nbsp;
                 <strong>Geometry:</strong>
               <a href="entries/Closest_Pair_Points.html">Closest_Pair_Points</a> &nbsp;
                 <strong>Approximation:</strong>
               <a href="entries/Approximation_Algorithms.html">Approximation_Algorithms</a> &nbsp;
                 <strong>Mathematical:</strong>
               <a href="entries/FFT.html">FFT</a> &nbsp;
               <a href="entries/Gauss-Jordan-Elim-Fun.html">Gauss-Jordan-Elim-Fun</a> &nbsp;
               <a href="entries/UpDown_Scheme.html">UpDown_Scheme</a> &nbsp;
               <a href="entries/Polynomials.html">Polynomials</a> &nbsp;
               <a href="entries/Gauss_Jordan.html">Gauss_Jordan</a> &nbsp;
               <a href="entries/Echelon_Form.html">Echelon_Form</a> &nbsp;
               <a href="entries/QR_Decomposition.html">QR_Decomposition</a> &nbsp;
               <a href="entries/Hermite.html">Hermite</a> &nbsp;
               <a href="entries/Groebner_Bases.html">Groebner_Bases</a> &nbsp;
               <a href="entries/Diophantine_Eqns_Lin_Hom.html">Diophantine_Eqns_Lin_Hom</a> &nbsp;
               <a href="entries/Taylor_Models.html">Taylor_Models</a> &nbsp;
               <a href="entries/LLL_Basis_Reduction.html">LLL_Basis_Reduction</a> &nbsp;
               <a href="entries/Signature_Groebner.html">Signature_Groebner</a> &nbsp;
                 <strong>Optimization:</strong>
               <a href="entries/Simplex.html">Simplex</a> &nbsp;
               </div>
       <h3>Concurrency</h3>
     <div class="list">
           <a href="entries/FLP.html">FLP</a> &nbsp;
           <a href="entries/Concurrent_Ref_Alg.html">Concurrent_Ref_Alg</a> &nbsp;
           <a href="entries/Concurrent_Revisions.html">Concurrent_Revisions</a> &nbsp;
           <a href="entries/Store_Buffer_Reduction.html">Store_Buffer_Reduction</a> &nbsp;
           <a href="entries/TESL_Language.html">TESL_Language</a> &nbsp;
                   <strong>Process calculi:</strong>
               <a href="entries/Noninterference_Generic_Unwinding.html">Noninterference_Generic_Unwinding</a> &nbsp;
               <a href="entries/AODV.html">AODV</a> &nbsp;
               <a href="entries/AWN.html">AWN</a> &nbsp;
               <a href="entries/CCS.html">CCS</a> &nbsp;
               <a href="entries/Pi_Calculus.html">Pi_Calculus</a> &nbsp;
               <a href="entries/Psi_Calculi.html">Psi_Calculi</a> &nbsp;
               <a href="entries/Encodability_Process_Calculi.html">Encodability_Process_Calculi</a> &nbsp;
               <a href="entries/Circus.html">Circus</a> &nbsp;
               <a href="entries/Noninterference_Sequential_Composition.html">Noninterference_Sequential_Composition</a> &nbsp;
               <a href="entries/Noninterference_Concurrent_Composition.html">Noninterference_Concurrent_Composition</a> &nbsp;
               <a href="entries/Modal_Logics_for_NTS.html">Modal_Logics_for_NTS</a> &nbsp;
               <a href="entries/HOL-CSP.html">HOL-CSP</a> &nbsp;
               </div>
       <h3>Data structures</h3>
     <div class="list">
           <a href="entries/Generic_Deriving.html">Generic_Deriving</a> &nbsp;
           <a href="entries/Random_BSTs.html">Random_BSTs</a> &nbsp;
           <a href="entries/Randomised_BSTs.html">Randomised_BSTs</a> &nbsp;
           <a href="entries/List_Interleaving.html">List_Interleaving</a> &nbsp;
           <a href="entries/Refine_Imperative_HOL.html">Refine_Imperative_HOL</a> &nbsp;
           <a href="entries/Amortized_Complexity.html">Amortized_Complexity</a> &nbsp;
           <a href="entries/Dynamic_Tables.html">Dynamic_Tables</a> &nbsp;
           <a href="entries/AVL-Trees.html">AVL-Trees</a> &nbsp;
           <a href="entries/BDD.html">BDD</a> &nbsp;
           <a href="entries/BinarySearchTree.html">BinarySearchTree</a> &nbsp;
           <a href="entries/Splay_Tree.html">Splay_Tree</a> &nbsp;
           <a href="entries/Root_Balanced_Tree.html">Root_Balanced_Tree</a> &nbsp;
           <a href="entries/Skew_Heap.html">Skew_Heap</a> &nbsp;
           <a href="entries/Pairing_Heap.html">Pairing_Heap</a> &nbsp;
           <a href="entries/Priority_Queue_Braun.html">Priority_Queue_Braun</a> &nbsp;
           <a href="entries/Binomial-Queues.html">Binomial-Queues</a> &nbsp;
           <a href="entries/Binomial-Heaps.html">Binomial-Heaps</a> &nbsp;
           <a href="entries/Finger-Trees.html">Finger-Trees</a> &nbsp;
           <a href="entries/Trie.html">Trie</a> &nbsp;
           <a href="entries/FinFun.html">FinFun</a> &nbsp;
           <a href="entries/Collections.html">Collections</a> &nbsp;
           <a href="entries/Containers.html">Containers</a> &nbsp;
           <a href="entries/FileRefinement.html">FileRefinement</a> &nbsp;
           <a href="entries/Datatype_Order_Generator.html">Datatype_Order_Generator</a> &nbsp;
           <a href="entries/Deriving.html">Deriving</a> &nbsp;
           <a href="entries/List-Index.html">List-Index</a> &nbsp;
           <a href="entries/List-Infinite.html">List-Infinite</a> &nbsp;
           <a href="entries/Matrix.html">Matrix</a> &nbsp;
           <a href="entries/Matrix_Tensor.html">Matrix_Tensor</a> &nbsp;
           <a href="entries/Huffman.html">Huffman</a> &nbsp;
           <a href="entries/Lazy-Lists-II.html">Lazy-Lists-II</a> &nbsp;
           <a href="entries/IEEE_Floating_Point.html">IEEE_Floating_Point</a> &nbsp;
           <a href="entries/Native_Word.html">Native_Word</a> &nbsp;
           <a href="entries/XML.html">XML</a> &nbsp;
           <a href="entries/ROBDD.html">ROBDD</a> &nbsp;
           <a href="entries/IMAP-CRDT.html">IMAP-CRDT</a> &nbsp;
           <a href="entries/Word_Lib.html">Word_Lib</a> &nbsp;
           <a href="entries/CRDT.html">CRDT</a> &nbsp;
           <a href="entries/KD_Tree.html">KD_Tree</a> &nbsp;
           <a href="entries/Taylor_Models.html">Taylor_Models</a> &nbsp;
           <a href="entries/Treaps.html">Treaps</a> &nbsp;
           <a href="entries/Skip_Lists.html">Skip_Lists</a> &nbsp;
           <a href="entries/Weight_Balanced_Trees.html">Weight_Balanced_Trees</a> &nbsp;
           <a href="entries/OpSets.html">OpSets</a> &nbsp;
           <a href="entries/Optimal_BST.html">Optimal_BST</a> &nbsp;
           <a href="entries/Core_DOM.html">Core_DOM</a> &nbsp;
           <a href="entries/Auto2_Imperative_HOL.html">Auto2_Imperative_HOL</a> &nbsp;
           <a href="entries/IMP2_Binary_Heap.html">IMP2_Binary_Heap</a> &nbsp;
           <a href="entries/Priority_Search_Trees.html">Priority_Search_Trees</a> &nbsp;
           <a href="entries/Interval_Arithmetic_Word32.html">Interval_Arithmetic_Word32</a> &nbsp;
           <a href="entries/ADS_Functor.html">ADS_Functor</a> &nbsp;
                 </div>
       <h3>Functional programming</h3>
     <div class="list">
           <a href="entries/Optics.html">Optics</a> &nbsp;
           <a href="entries/CryptHOL.html">CryptHOL</a> &nbsp;
           <a href="entries/Probabilistic_While.html">Probabilistic_While</a> &nbsp;
           <a href="entries/Monad_Normalisation.html">Monad_Normalisation</a> &nbsp;
           <a href="entries/Monomorphic_Monad.html">Monomorphic_Monad</a> &nbsp;
           <a href="entries/Show.html">Show</a> &nbsp;
           <a href="entries/Certification_Monads.html">Certification_Monads</a> &nbsp;
           <a href="entries/Partial_Function_MR.html">Partial_Function_MR</a> &nbsp;
           <a href="entries/Lifting_Definition_Option.html">Lifting_Definition_Option</a> &nbsp;
           <a href="entries/Coinductive.html">Coinductive</a> &nbsp;
           <a href="entries/Stream-Fusion.html">Stream-Fusion</a> &nbsp;
           <a href="entries/Tycon.html">Tycon</a> &nbsp;
           <a href="entries/Monad_Memo_DP.html">Monad_Memo_DP</a> &nbsp;
           <a href="entries/XML.html">XML</a> &nbsp;
           <a href="entries/Tail_Recursive_Functions.html">Tail_Recursive_Functions</a> &nbsp;
           <a href="entries/Stream_Fusion_Code.html">Stream_Fusion_Code</a> &nbsp;
           <a href="entries/Applicative_Lifting.html">Applicative_Lifting</a> &nbsp;
           <a href="entries/HOLCF-Prelude.html">HOLCF-Prelude</a> &nbsp;
           <a href="entries/BNF_CC.html">BNF_CC</a> &nbsp;
           <a href="entries/Binding_Syntax_Theory.html">Binding_Syntax_Theory</a> &nbsp;
           <a href="entries/Generalized_Counting_Sort.html">Generalized_Counting_Sort</a> &nbsp;
           <a href="entries/Hello_World.html">Hello_World</a> &nbsp;
                 </div>
       <h3>Hardware</h3>
     <div class="list">
           <a href="entries/SPARCv8.html">SPARCv8</a> &nbsp;
                 </div>
       <h3>Machine learning</h3>
     <div class="list">
           <a href="entries/Deep_Learning.html">Deep_Learning</a> &nbsp;
                 </div>
       <h3>Networks</h3>
     <div class="list">
           <a href="entries/UPF_Firewall.html">UPF_Firewall</a> &nbsp;
           <a href="entries/IP_Addresses.html">IP_Addresses</a> &nbsp;
           <a href="entries/Simple_Firewall.html">Simple_Firewall</a> &nbsp;
           <a href="entries/Iptables_Semantics.html">Iptables_Semantics</a> &nbsp;
           <a href="entries/Routing.html">Routing</a> &nbsp;
           <a href="entries/LOFT.html">LOFT</a> &nbsp;
                 </div>
       <h3>Programming languages</h3>
     <div class="list">
           <a href="entries/Clean.html">Clean</a> &nbsp;
           <a href="entries/Decl_Sem_Fun_PL.html">Decl_Sem_Fun_PL</a> &nbsp;
                   <strong>Language definitions:</strong>
               <a href="entries/CakeML.html">CakeML</a> &nbsp;
               <a href="entries/WebAssembly.html">WebAssembly</a> &nbsp;
               <a href="entries/pGCL.html">pGCL</a> &nbsp;
               <a href="entries/GPU_Kernel_PL.html">GPU_Kernel_PL</a> &nbsp;
               <a href="entries/LightweightJava.html">LightweightJava</a> &nbsp;
               <a href="entries/CoreC++.html">CoreC++</a> &nbsp;
               <a href="entries/FeatherweightJava.html">FeatherweightJava</a> &nbsp;
               <a href="entries/Jinja.html">Jinja</a> &nbsp;
               <a href="entries/JinjaThreads.html">JinjaThreads</a> &nbsp;
               <a href="entries/Locally-Nameless-Sigma.html">Locally-Nameless-Sigma</a> &nbsp;
               <a href="entries/AutoFocus-Stream.html">AutoFocus-Stream</a> &nbsp;
               <a href="entries/FocusStreamsCaseStudies.html">FocusStreamsCaseStudies</a> &nbsp;
               <a href="entries/Isabelle_Meta_Model.html">Isabelle_Meta_Model</a> &nbsp;
               <a href="entries/Simpl.html">Simpl</a> &nbsp;
               <a href="entries/Complx.html">Complx</a> &nbsp;
               <a href="entries/Safe_OCL.html">Safe_OCL</a> &nbsp;
               <a href="entries/Isabelle_C.html">Isabelle_C</a> &nbsp;
                 <strong>Lambda calculi:</strong>
               <a href="entries/Higher_Order_Terms.html">Higher_Order_Terms</a> &nbsp;
               <a href="entries/Launchbury.html">Launchbury</a> &nbsp;
               <a href="entries/PCF.html">PCF</a> &nbsp;
               <a href="entries/POPLmark-deBruijn.html">POPLmark-deBruijn</a> &nbsp;
               <a href="entries/Lam-ml-Normalization.html">Lam-ml-Normalization</a> &nbsp;
               <a href="entries/LambdaMu.html">LambdaMu</a> &nbsp;
               <a href="entries/Binding_Syntax_Theory.html">Binding_Syntax_Theory</a> &nbsp;
               <a href="entries/LambdaAuth.html">LambdaAuth</a> &nbsp;
                 <strong>Type systems:</strong>
               <a href="entries/Name_Carrying_Type_Inference.html">Name_Carrying_Type_Inference</a> &nbsp;
               <a href="entries/MiniML.html">MiniML</a> &nbsp;
               <a href="entries/Possibilistic_Noninterference.html">Possibilistic_Noninterference</a> &nbsp;
               <a href="entries/SIFUM_Type_Systems.html">SIFUM_Type_Systems</a> &nbsp;
               <a href="entries/Dependent_SIFUM_Type_Systems.html">Dependent_SIFUM_Type_Systems</a> &nbsp;
               <a href="entries/Strong_Security.html">Strong_Security</a> &nbsp;
               <a href="entries/WHATandWHERE_Security.html">WHATandWHERE_Security</a> &nbsp;
               <a href="entries/VolpanoSmith.html">VolpanoSmith</a> &nbsp;
                 <strong>Logics:</strong>
               <a href="entries/ConcurrentIMP.html">ConcurrentIMP</a> &nbsp;
               <a href="entries/Refine_Monadic.html">Refine_Monadic</a> &nbsp;
               <a href="entries/Automatic_Refinement.html">Automatic_Refinement</a> &nbsp;
               <a href="entries/MonoBoolTranAlgebra.html">MonoBoolTranAlgebra</a> &nbsp;
               <a href="entries/Simpl.html">Simpl</a> &nbsp;
               <a href="entries/Separation_Algebra.html">Separation_Algebra</a> &nbsp;
               <a href="entries/Separation_Logic_Imperative_HOL.html">Separation_Logic_Imperative_HOL</a> &nbsp;
               <a href="entries/Relational-Incorrectness-Logic.html">Relational-Incorrectness-Logic</a> &nbsp;
               <a href="entries/Abstract-Hoare-Logics.html">Abstract-Hoare-Logics</a> &nbsp;
               <a href="entries/Kleene_Algebra.html">Kleene_Algebra</a> &nbsp;
               <a href="entries/KAT_and_DRA.html">KAT_and_DRA</a> &nbsp;
               <a href="entries/KAD.html">KAD</a> &nbsp;
               <a href="entries/BytecodeLogicJmlTypes.html">BytecodeLogicJmlTypes</a> &nbsp;
               <a href="entries/DataRefinementIBP.html">DataRefinementIBP</a> &nbsp;
               <a href="entries/RefinementReactive.html">RefinementReactive</a> &nbsp;
               <a href="entries/SIFPL.html">SIFPL</a> &nbsp;
               <a href="entries/TLA.html">TLA</a> &nbsp;
               <a href="entries/Ribbon_Proofs.html">Ribbon_Proofs</a> &nbsp;
               <a href="entries/Separata.html">Separata</a> &nbsp;
               <a href="entries/Complx.html">Complx</a> &nbsp;
               <a href="entries/Differential_Dynamic_Logic.html">Differential_Dynamic_Logic</a> &nbsp;
               <a href="entries/Hoare_Time.html">Hoare_Time</a> &nbsp;
               <a href="entries/IMP2.html">IMP2</a> &nbsp;
               <a href="entries/UTP.html">UTP</a> &nbsp;
               <a href="entries/QHLProver.html">QHLProver</a> &nbsp;
               <a href="entries/Differential_Game_Logic.html">Differential_Game_Logic</a> &nbsp;
                 <strong>Compiling:</strong>
               <a href="entries/CakeML_Codegen.html">CakeML_Codegen</a> &nbsp;
               <a href="entries/Compiling-Exceptions-Correctly.html">Compiling-Exceptions-Correctly</a> &nbsp;
               <a href="entries/NormByEval.html">NormByEval</a> &nbsp;
               <a href="entries/Density_Compiler.html">Density_Compiler</a> &nbsp;
               <a href="entries/VeriComp.html">VeriComp</a> &nbsp;
                 <strong>Static analysis:</strong>
               <a href="entries/RIPEMD-160-SPARK.html">RIPEMD-160-SPARK</a> &nbsp;
               <a href="entries/Program-Conflict-Analysis.html">Program-Conflict-Analysis</a> &nbsp;
               <a href="entries/Shivers-CFA.html">Shivers-CFA</a> &nbsp;
               <a href="entries/Slicing.html">Slicing</a> &nbsp;
               <a href="entries/HRB-Slicing.html">HRB-Slicing</a> &nbsp;
               <a href="entries/InfPathElimination.html">InfPathElimination</a> &nbsp;
               <a href="entries/Abs_Int_ITP2012.html">Abs_Int_ITP2012</a> &nbsp;
                 <strong>Transformations:</strong>
               <a href="entries/Call_Arity.html">Call_Arity</a> &nbsp;
               <a href="entries/Refine_Imperative_HOL.html">Refine_Imperative_HOL</a> &nbsp;
               <a href="entries/WorkerWrapper.html">WorkerWrapper</a> &nbsp;
               <a href="entries/Monad_Memo_DP.html">Monad_Memo_DP</a> &nbsp;
               <a href="entries/Formal_SSA.html">Formal_SSA</a> &nbsp;
               <a href="entries/Minimal_SSA.html">Minimal_SSA</a> &nbsp;
                 <strong>Misc:</strong>
               <a href="entries/JiveDataStoreModel.html">JiveDataStoreModel</a> &nbsp;
               <a href="entries/Pop_Refinement.html">Pop_Refinement</a> &nbsp;
               <a href="entries/Case_Labeling.html">Case_Labeling</a> &nbsp;
               </div>
       <h3>Security</h3>
     <div class="list">
           <a href="entries/Multi_Party_Computation.html">Multi_Party_Computation</a> &nbsp;
           <a href="entries/Noninterference_Generic_Unwinding.html">Noninterference_Generic_Unwinding</a> &nbsp;
           <a href="entries/Noninterference_Ipurge_Unwinding.html">Noninterference_Ipurge_Unwinding</a> &nbsp;
           <a href="entries/UPF.html">UPF</a> &nbsp;
           <a href="entries/UPF_Firewall.html">UPF_Firewall</a> &nbsp;
           <a href="entries/CISC-Kernel.html">CISC-Kernel</a> &nbsp;
           <a href="entries/Noninterference_CSP.html">Noninterference_CSP</a> &nbsp;
           <a href="entries/Key_Agreement_Strong_Adversaries.html">Key_Agreement_Strong_Adversaries</a> &nbsp;
           <a href="entries/Security_Protocol_Refinement.html">Security_Protocol_Refinement</a> &nbsp;
           <a href="entries/Attack_Trees.html">Attack_Trees</a> &nbsp;
           <a href="entries/Inductive_Confidentiality.html">Inductive_Confidentiality</a> &nbsp;
           <a href="entries/Possibilistic_Noninterference.html">Possibilistic_Noninterference</a> &nbsp;
           <a href="entries/SIFUM_Type_Systems.html">SIFUM_Type_Systems</a> &nbsp;
           <a href="entries/Dependent_SIFUM_Type_Systems.html">Dependent_SIFUM_Type_Systems</a> &nbsp;
           <a href="entries/Dependent_SIFUM_Refinement.html">Dependent_SIFUM_Refinement</a> &nbsp;
           <a href="entries/Relational-Incorrectness-Logic.html">Relational-Incorrectness-Logic</a> &nbsp;
           <a href="entries/Strong_Security.html">Strong_Security</a> &nbsp;
           <a href="entries/WHATandWHERE_Security.html">WHATandWHERE_Security</a> &nbsp;
           <a href="entries/VolpanoSmith.html">VolpanoSmith</a> &nbsp;
           <a href="entries/SIFPL.html">SIFPL</a> &nbsp;
           <a href="entries/HotelKeyCards.html">HotelKeyCards</a> &nbsp;
           <a href="entries/InformationFlowSlicing.html">InformationFlowSlicing</a> &nbsp;
           <a href="entries/InformationFlowSlicing_Inter.html">InformationFlowSlicing_Inter</a> &nbsp;
           <a href="entries/CryptoBasedCompositionalProperties.html">CryptoBasedCompositionalProperties</a> &nbsp;
           <a href="entries/Probabilistic_Noninterference.html">Probabilistic_Noninterference</a> &nbsp;
           <a href="entries/HyperCTL.html">HyperCTL</a> &nbsp;
           <a href="entries/Bounded_Deducibility_Security.html">Bounded_Deducibility_Security</a> &nbsp;
           <a href="entries/Network_Security_Policy_Verification.html">Network_Security_Policy_Verification</a> &nbsp;
           <a href="entries/Noninterference_Inductive_Unwinding.html">Noninterference_Inductive_Unwinding</a> &nbsp;
           <a href="entries/Password_Authentication_Protocol.html">Password_Authentication_Protocol</a> &nbsp;
           <a href="entries/Noninterference_Sequential_Composition.html">Noninterference_Sequential_Composition</a> &nbsp;
           <a href="entries/Noninterference_Concurrent_Composition.html">Noninterference_Concurrent_Composition</a> &nbsp;
           <a href="entries/SPARCv8.html">SPARCv8</a> &nbsp;
           <a href="entries/Modular_Assembly_Kit_Security.html">Modular_Assembly_Kit_Security</a> &nbsp;
           <a href="entries/LambdaAuth.html">LambdaAuth</a> &nbsp;
                   <strong>Cryptography:</strong>
               <a href="entries/Game_Based_Crypto.html">Game_Based_Crypto</a> &nbsp;
               <a href="entries/Sigma_Commit_Crypto.html">Sigma_Commit_Crypto</a> &nbsp;
               <a href="entries/CryptHOL.html">CryptHOL</a> &nbsp;
               <a href="entries/Constructive_Cryptography.html">Constructive_Cryptography</a> &nbsp;
               <a href="entries/RSAPSS.html">RSAPSS</a> &nbsp;
               <a href="entries/Elliptic_Curves_Group_Law.html">Elliptic_Curves_Group_Law</a> &nbsp;
               </div>
       <h3>Semantics</h3>
     <div class="list">
           <a href="entries/Launchbury.html">Launchbury</a> &nbsp;
           <a href="entries/Clean.html">Clean</a> &nbsp;
           <a href="entries/Transformer_Semantics.html">Transformer_Semantics</a> &nbsp;
           <a href="entries/HOL-CSP.html">HOL-CSP</a> &nbsp;
           <a href="entries/QHLProver.html">QHLProver</a> &nbsp;
           <a href="entries/TESL_Language.html">TESL_Language</a> &nbsp;
           <a href="entries/Isabelle_C.html">Isabelle_C</a> &nbsp;
                 </div>
       <h3>System description languages</h3>
     <div class="list">
           <a href="entries/Circus.html">Circus</a> &nbsp;
           <a href="entries/ComponentDependencies.html">ComponentDependencies</a> &nbsp;
           <a href="entries/Promela.html">Promela</a> &nbsp;
           <a href="entries/Featherweight_OCL.html">Featherweight_OCL</a> &nbsp;
           <a href="entries/DynamicArchitectures.html">DynamicArchitectures</a> &nbsp;
           <a href="entries/Architectural_Design_Patterns.html">Architectural_Design_Patterns</a> &nbsp;
           <a href="entries/TESL_Language.html">TESL_Language</a> &nbsp;
                 </div>
     <h2>Logic</h2>
   <div class="list">
     </div>
         <h3>Philosophical aspects</h3>
     <div class="list">
           <a href="entries/GoedelGod.html">GoedelGod</a> &nbsp;
           <a href="entries/Types_Tableaus_and_Goedels_God.html">Types_Tableaus_and_Goedels_God</a> &nbsp;
           <a href="entries/GewirthPGCProof.html">GewirthPGCProof</a> &nbsp;
           <a href="entries/Lowe_Ontological_Argument.html">Lowe_Ontological_Argument</a> &nbsp;
           <a href="entries/AnselmGod.html">AnselmGod</a> &nbsp;
           <a href="entries/PLM.html">PLM</a> &nbsp;
           <a href="entries/Aristotles_Assertoric_Syllogistic.html">Aristotles_Assertoric_Syllogistic</a> &nbsp;
                 </div>
       <h3>General logic</h3>
     <div class="list">
                   <strong>Classical propositional logic:</strong>
               <a href="entries/Free-Boolean-Algebra.html">Free-Boolean-Algebra</a> &nbsp;
                 <strong>Classical first-order logic:</strong>
               <a href="entries/FOL-Fitting.html">FOL-Fitting</a> &nbsp;
                 <strong>Decidability of theories:</strong>
               <a href="entries/MSO_Regex_Equivalence.html">MSO_Regex_Equivalence</a> &nbsp;
               <a href="entries/Formula_Derivatives.html">Formula_Derivatives</a> &nbsp;
               <a href="entries/Presburger-Automata.html">Presburger-Automata</a> &nbsp;
               <a href="entries/LinearQuantifierElim.html">LinearQuantifierElim</a> &nbsp;
                 <strong>Mechanization of proofs:</strong>
               <a href="entries/Boolean_Expression_Checkers.html">Boolean_Expression_Checkers</a> &nbsp;
               <a href="entries/Verified-Prover.html">Verified-Prover</a> &nbsp;
               <a href="entries/Sort_Encodings.html">Sort_Encodings</a> &nbsp;
               <a href="entries/PropResPI.html">PropResPI</a> &nbsp;
               <a href="entries/Resolution_FOL.html">Resolution_FOL</a> &nbsp;
               <a href="entries/FOL_Harrison.html">FOL_Harrison</a> &nbsp;
               <a href="entries/Ordered_Resolution_Prover.html">Ordered_Resolution_Prover</a> &nbsp;
               <a href="entries/Functional_Ordered_Resolution_Prover.html">Functional_Ordered_Resolution_Prover</a> &nbsp;
               <a href="entries/Binding_Syntax_Theory.html">Binding_Syntax_Theory</a> &nbsp;
               <a href="entries/Saturation_Framework.html">Saturation_Framework</a> &nbsp;
                 <strong>Lambda calculus:</strong>
               <a href="entries/LambdaMu.html">LambdaMu</a> &nbsp;
                 <strong>Logics of knowledge and belief:</strong>
               <a href="entries/Epistemic_Logic.html">Epistemic_Logic</a> &nbsp;
                 <strong>Temporal logic:</strong>
               <a href="entries/Nat-Interval-Logic.html">Nat-Interval-Logic</a> &nbsp;
               <a href="entries/LTL.html">LTL</a> &nbsp;
               <a href="entries/HyperCTL.html">HyperCTL</a> &nbsp;
               <a href="entries/Allen_Calculus.html">Allen_Calculus</a> &nbsp;
               <a href="entries/MFOTL_Monitor.html">MFOTL_Monitor</a> &nbsp;
+              <a href="entries/LTL_Normal_Form.html">LTL_Normal_Form</a> &nbsp;
                 <strong>Modal logic:</strong>
               <a href="entries/Modal_Logics_for_NTS.html">Modal_Logics_for_NTS</a> &nbsp;
               <a href="entries/Differential_Dynamic_Logic.html">Differential_Dynamic_Logic</a> &nbsp;
               <a href="entries/Hybrid_Multi_Lane_Spatial_Logic.html">Hybrid_Multi_Lane_Spatial_Logic</a> &nbsp;
               <a href="entries/Hybrid_Logic.html">Hybrid_Logic</a> &nbsp;
               <a href="entries/MFODL_Monitor_Optimized.html">MFODL_Monitor_Optimized</a> &nbsp;
                 <strong>Paraconsistent logics:</strong>
               <a href="entries/Paraconsistency.html">Paraconsistency</a> &nbsp;
               </div>
       <h3>Computability</h3>
     <div class="list">
           <a href="entries/Universal_Turing_Machine.html">Universal_Turing_Machine</a> &nbsp;
           <a href="entries/Recursion-Theory-I.html">Recursion-Theory-I</a> &nbsp;
           <a href="entries/Minsky_Machines.html">Minsky_Machines</a> &nbsp;
                 </div>
       <h3>Set theory</h3>
     <div class="list">
           <a href="entries/Ordinal.html">Ordinal</a> &nbsp;
           <a href="entries/Ordinals_and_Cardinals.html">Ordinals_and_Cardinals</a> &nbsp;
           <a href="entries/HereditarilyFinite.html">HereditarilyFinite</a> &nbsp;
           <a href="entries/ZFC_in_HOL.html">ZFC_in_HOL</a> &nbsp;
+          <a href="entries/Forcing.html">Forcing</a> &nbsp;
+          <a href="entries/Recursion-Addition.html">Recursion-Addition</a> &nbsp;
                 </div>
       <h3>Proof theory</h3>
     <div class="list">
           <a href="entries/Propositional_Proof_Systems.html">Propositional_Proof_Systems</a> &nbsp;
           <a href="entries/Completeness.html">Completeness</a> &nbsp;
           <a href="entries/SequentInvertibility.html">SequentInvertibility</a> &nbsp;
           <a href="entries/Incompleteness.html">Incompleteness</a> &nbsp;
           <a href="entries/Abstract_Completeness.html">Abstract_Completeness</a> &nbsp;
           <a href="entries/SuperCalc.html">SuperCalc</a> &nbsp;
           <a href="entries/Incredible_Proof_Machine.html">Incredible_Proof_Machine</a> &nbsp;
           <a href="entries/Surprise_Paradox.html">Surprise_Paradox</a> &nbsp;
           <a href="entries/Abstract_Soundness.html">Abstract_Soundness</a> &nbsp;
           <a href="entries/FOL_Seq_Calc1.html">FOL_Seq_Calc1</a> &nbsp;
                 </div>
       <h3>Rewriting</h3>
     <div class="list">
           <a href="entries/CakeML_Codegen.html">CakeML_Codegen</a> &nbsp;
           <a href="entries/Monad_Normalisation.html">Monad_Normalisation</a> &nbsp;
           <a href="entries/Lambda_Free_RPOs.html">Lambda_Free_RPOs</a> &nbsp;
           <a href="entries/Lambda_Free_KBOs.html">Lambda_Free_KBOs</a> &nbsp;
           <a href="entries/Lambda_Free_EPO.html">Lambda_Free_EPO</a> &nbsp;
           <a href="entries/Nested_Multisets_Ordinals.html">Nested_Multisets_Ordinals</a> &nbsp;
           <a href="entries/Abstract-Rewriting.html">Abstract-Rewriting</a> &nbsp;
           <a href="entries/First_Order_Terms.html">First_Order_Terms</a> &nbsp;
           <a href="entries/Decreasing-Diagrams.html">Decreasing-Diagrams</a> &nbsp;
           <a href="entries/Decreasing-Diagrams-II.html">Decreasing-Diagrams-II</a> &nbsp;
           <a href="entries/Rewriting_Z.html">Rewriting_Z</a> &nbsp;
           <a href="entries/Graph_Saturation.html">Graph_Saturation</a> &nbsp;
           <a href="entries/Goodstein_Lambda.html">Goodstein_Lambda</a> &nbsp;
           <a href="entries/Knuth_Bendix_Order.html">Knuth_Bendix_Order</a> &nbsp;
                 </div>
     <h2>Mathematics</h2>
   <div class="list">
     </div>
         <h3>Order</h3>
     <div class="list">
           <a href="entries/LatticeProperties.html">LatticeProperties</a> &nbsp;
           <a href="entries/Stone_Algebras.html">Stone_Algebras</a> &nbsp;
           <a href="entries/Allen_Calculus.html">Allen_Calculus</a> &nbsp;
           <a href="entries/Order_Lattice_Props.html">Order_Lattice_Props</a> &nbsp;
           <a href="entries/Complete_Non_Orders.html">Complete_Non_Orders</a> &nbsp;
           <a href="entries/Szpilrajn.html">Szpilrajn</a> &nbsp;
                 </div>
       <h3>Algebra</h3>
     <div class="list">
           <a href="entries/Optics.html">Optics</a> &nbsp;
           <a href="entries/Subresultants.html">Subresultants</a> &nbsp;
           <a href="entries/Buildings.html">Buildings</a> &nbsp;
           <a href="entries/Algebraic_VCs.html">Algebraic_VCs</a> &nbsp;
           <a href="entries/C2KA_DistributedSystems.html">C2KA_DistributedSystems</a> &nbsp;
           <a href="entries/Multirelations.html">Multirelations</a> &nbsp;
           <a href="entries/Residuated_Lattices.html">Residuated_Lattices</a> &nbsp;
           <a href="entries/PseudoHoops.html">PseudoHoops</a> &nbsp;
           <a href="entries/Impossible_Geometry.html">Impossible_Geometry</a> &nbsp;
           <a href="entries/Gauss-Jordan-Elim-Fun.html">Gauss-Jordan-Elim-Fun</a> &nbsp;
           <a href="entries/Matrix_Tensor.html">Matrix_Tensor</a> &nbsp;
           <a href="entries/Kleene_Algebra.html">Kleene_Algebra</a> &nbsp;
           <a href="entries/KAT_and_DRA.html">KAT_and_DRA</a> &nbsp;
           <a href="entries/KAD.html">KAD</a> &nbsp;
           <a href="entries/Regular_Algebras.html">Regular_Algebras</a> &nbsp;
           <a href="entries/Free-Groups.html">Free-Groups</a> &nbsp;
           <a href="entries/CofGroups.html">CofGroups</a> &nbsp;
           <a href="entries/Group-Ring-Module.html">Group-Ring-Module</a> &nbsp;
           <a href="entries/Robbins-Conjecture.html">Robbins-Conjecture</a> &nbsp;
           <a href="entries/Valuation.html">Valuation</a> &nbsp;
           <a href="entries/Rank_Nullity_Theorem.html">Rank_Nullity_Theorem</a> &nbsp;
           <a href="entries/Polynomials.html">Polynomials</a> &nbsp;
           <a href="entries/Relation_Algebra.html">Relation_Algebra</a> &nbsp;
           <a href="entries/PSemigroupsConvolution.html">PSemigroupsConvolution</a> &nbsp;
           <a href="entries/Secondary_Sylow.html">Secondary_Sylow</a> &nbsp;
           <a href="entries/Jordan_Hoelder.html">Jordan_Hoelder</a> &nbsp;
           <a href="entries/Cayley_Hamilton.html">Cayley_Hamilton</a> &nbsp;
           <a href="entries/VectorSpace.html">VectorSpace</a> &nbsp;
           <a href="entries/Echelon_Form.html">Echelon_Form</a> &nbsp;
           <a href="entries/QR_Decomposition.html">QR_Decomposition</a> &nbsp;
           <a href="entries/Hermite.html">Hermite</a> &nbsp;
           <a href="entries/Rep_Fin_Groups.html">Rep_Fin_Groups</a> &nbsp;
           <a href="entries/Jordan_Normal_Form.html">Jordan_Normal_Form</a> &nbsp;
           <a href="entries/Algebraic_Numbers.html">Algebraic_Numbers</a> &nbsp;
           <a href="entries/Polynomial_Interpolation.html">Polynomial_Interpolation</a> &nbsp;
           <a href="entries/Polynomial_Factorization.html">Polynomial_Factorization</a> &nbsp;
           <a href="entries/Perron_Frobenius.html">Perron_Frobenius</a> &nbsp;
           <a href="entries/Stochastic_Matrices.html">Stochastic_Matrices</a> &nbsp;
           <a href="entries/Groebner_Bases.html">Groebner_Bases</a> &nbsp;
           <a href="entries/Nullstellensatz.html">Nullstellensatz</a> &nbsp;
           <a href="entries/Mason_Stothers.html">Mason_Stothers</a> &nbsp;
           <a href="entries/Berlekamp_Zassenhaus.html">Berlekamp_Zassenhaus</a> &nbsp;
           <a href="entries/Stone_Relation_Algebras.html">Stone_Relation_Algebras</a> &nbsp;
           <a href="entries/Stone_Kleene_Relation_Algebras.html">Stone_Kleene_Relation_Algebras</a> &nbsp;
           <a href="entries/Orbit_Stabiliser.html">Orbit_Stabiliser</a> &nbsp;
           <a href="entries/Dirichlet_L.html">Dirichlet_L</a> &nbsp;
           <a href="entries/Symmetric_Polynomials.html">Symmetric_Polynomials</a> &nbsp;
           <a href="entries/Taylor_Models.html">Taylor_Models</a> &nbsp;
           <a href="entries/LLL_Basis_Reduction.html">LLL_Basis_Reduction</a> &nbsp;
           <a href="entries/LLL_Factorization.html">LLL_Factorization</a> &nbsp;
           <a href="entries/Localization_Ring.html">Localization_Ring</a> &nbsp;
           <a href="entries/Quaternions.html">Quaternions</a> &nbsp;
           <a href="entries/Octonions.html">Octonions</a> &nbsp;
           <a href="entries/Aggregation_Algebras.html">Aggregation_Algebras</a> &nbsp;
           <a href="entries/Signature_Groebner.html">Signature_Groebner</a> &nbsp;
           <a href="entries/Quantales.html">Quantales</a> &nbsp;
           <a href="entries/Transformer_Semantics.html">Transformer_Semantics</a> &nbsp;
           <a href="entries/Farkas.html">Farkas</a> &nbsp;
           <a href="entries/Groebner_Macaulay.html">Groebner_Macaulay</a> &nbsp;
           <a href="entries/Linear_Inequalities.html">Linear_Inequalities</a> &nbsp;
           <a href="entries/Linear_Programming.html">Linear_Programming</a> &nbsp;
           <a href="entries/Jacobson_Basic_Algebra.html">Jacobson_Basic_Algebra</a> &nbsp;
           <a href="entries/Hybrid_Systems_VCs.html">Hybrid_Systems_VCs</a> &nbsp;
           <a href="entries/Subset_Boolean_Algebras.html">Subset_Boolean_Algebras</a> &nbsp;
+          <a href="entries/Power_Sum_Polynomials.html">Power_Sum_Polynomials</a> &nbsp;
+          <a href="entries/Matrices_for_ODEs.html">Matrices_for_ODEs</a> &nbsp;
                 </div>
       <h3>Analysis</h3>
     <div class="list">
+          <a href="entries/Banach_Steinhaus.html">Banach_Steinhaus</a> &nbsp;
           <a href="entries/Fourier.html">Fourier</a> &nbsp;
           <a href="entries/E_Transcendental.html">E_Transcendental</a> &nbsp;
           <a href="entries/Liouville_Numbers.html">Liouville_Numbers</a> &nbsp;
           <a href="entries/Descartes_Sign_Rule.html">Descartes_Sign_Rule</a> &nbsp;
           <a href="entries/Euler_MacLaurin.html">Euler_MacLaurin</a> &nbsp;
           <a href="entries/Real_Impl.html">Real_Impl</a> &nbsp;
           <a href="entries/Lower_Semicontinuous.html">Lower_Semicontinuous</a> &nbsp;
           <a href="entries/Affine_Arithmetic.html">Affine_Arithmetic</a> &nbsp;
           <a href="entries/Laplace_Transform.html">Laplace_Transform</a> &nbsp;
           <a href="entries/Cauchy.html">Cauchy</a> &nbsp;
           <a href="entries/Integration.html">Integration</a> &nbsp;
           <a href="entries/Ordinary_Differential_Equations.html">Ordinary_Differential_Equations</a> &nbsp;
           <a href="entries/Polynomials.html">Polynomials</a> &nbsp;
           <a href="entries/Sqrt_Babylonian.html">Sqrt_Babylonian</a> &nbsp;
           <a href="entries/Sturm_Sequences.html">Sturm_Sequences</a> &nbsp;
           <a href="entries/Sturm_Tarski.html">Sturm_Tarski</a> &nbsp;
           <a href="entries/Special_Function_Bounds.html">Special_Function_Bounds</a> &nbsp;
           <a href="entries/Landau_Symbols.html">Landau_Symbols</a> &nbsp;
           <a href="entries/Error_Function.html">Error_Function</a> &nbsp;
           <a href="entries/Akra_Bazzi.html">Akra_Bazzi</a> &nbsp;
           <a href="entries/Zeta_Function.html">Zeta_Function</a> &nbsp;
           <a href="entries/Linear_Recurrences.html">Linear_Recurrences</a> &nbsp;
+          <a href="entries/Lambert_W.html">Lambert_W</a> &nbsp;
           <a href="entries/Cartan_FP.html">Cartan_FP</a> &nbsp;
           <a href="entries/Deep_Learning.html">Deep_Learning</a> &nbsp;
           <a href="entries/Stirling_Formula.html">Stirling_Formula</a> &nbsp;
           <a href="entries/Lp.html">Lp</a> &nbsp;
           <a href="entries/Bernoulli.html">Bernoulli</a> &nbsp;
           <a href="entries/Winding_Number_Eval.html">Winding_Number_Eval</a> &nbsp;
           <a href="entries/Count_Complex_Roots.html">Count_Complex_Roots</a> &nbsp;
           <a href="entries/Taylor_Models.html">Taylor_Models</a> &nbsp;
           <a href="entries/Green.html">Green</a> &nbsp;
           <a href="entries/Irrationality_J_Hancl.html">Irrationality_J_Hancl</a> &nbsp;
           <a href="entries/Budan_Fourier.html">Budan_Fourier</a> &nbsp;
           <a href="entries/Smooth_Manifolds.html">Smooth_Manifolds</a> &nbsp;
           <a href="entries/Transcendence_Series_Hancl_Rucki.html">Transcendence_Series_Hancl_Rucki</a> &nbsp;
           <a href="entries/Hybrid_Systems_VCs.html">Hybrid_Systems_VCs</a> &nbsp;
           <a href="entries/Poincare_Bendixson.html">Poincare_Bendixson</a> &nbsp;
+          <a href="entries/Matrices_for_ODEs.html">Matrices_for_ODEs</a> &nbsp;
+          <a href="entries/Irrational_Series_Erdos_Straus.html">Irrational_Series_Erdos_Straus</a> &nbsp;
                 </div>
       <h3>Probability theory</h3>
     <div class="list">
           <a href="entries/DiscretePricing.html">DiscretePricing</a> &nbsp;
           <a href="entries/CryptHOL.html">CryptHOL</a> &nbsp;
           <a href="entries/Constructive_Cryptography.html">Constructive_Cryptography</a> &nbsp;
           <a href="entries/Probabilistic_While.html">Probabilistic_While</a> &nbsp;
           <a href="entries/Markov_Models.html">Markov_Models</a> &nbsp;
           <a href="entries/Density_Compiler.html">Density_Compiler</a> &nbsp;
           <a href="entries/Probabilistic_Timed_Automata.html">Probabilistic_Timed_Automata</a> &nbsp;
           <a href="entries/Hidden_Markov_Models.html">Hidden_Markov_Models</a> &nbsp;
           <a href="entries/Random_Graph_Subgraph_Threshold.html">Random_Graph_Subgraph_Threshold</a> &nbsp;
           <a href="entries/Ergodic_Theory.html">Ergodic_Theory</a> &nbsp;
           <a href="entries/Source_Coding_Theorem.html">Source_Coding_Theorem</a> &nbsp;
           <a href="entries/Buffons_Needle.html">Buffons_Needle</a> &nbsp;
                 </div>
       <h3>Number theory</h3>
     <div class="list">
           <a href="entries/Arith_Prog_Rel_Primes.html">Arith_Prog_Rel_Primes</a> &nbsp;
           <a href="entries/Pell.html">Pell</a> &nbsp;
           <a href="entries/Minkowskis_Theorem.html">Minkowskis_Theorem</a> &nbsp;
           <a href="entries/E_Transcendental.html">E_Transcendental</a> &nbsp;
           <a href="entries/Pi_Transcendental.html">Pi_Transcendental</a> &nbsp;
           <a href="entries/Liouville_Numbers.html">Liouville_Numbers</a> &nbsp;
           <a href="entries/Prime_Harmonic_Series.html">Prime_Harmonic_Series</a> &nbsp;
           <a href="entries/Fermat3_4.html">Fermat3_4</a> &nbsp;
           <a href="entries/Perfect-Number-Thm.html">Perfect-Number-Thm</a> &nbsp;
           <a href="entries/SumSquares.html">SumSquares</a> &nbsp;
           <a href="entries/Lehmer.html">Lehmer</a> &nbsp;
           <a href="entries/Pratt_Certificate.html">Pratt_Certificate</a> &nbsp;
           <a href="entries/Dirichlet_Series.html">Dirichlet_Series</a> &nbsp;
           <a href="entries/Gauss_Sums.html">Gauss_Sums</a> &nbsp;
           <a href="entries/Zeta_Function.html">Zeta_Function</a> &nbsp;
           <a href="entries/Stern_Brocot.html">Stern_Brocot</a> &nbsp;
           <a href="entries/Bertrands_Postulate.html">Bertrands_Postulate</a> &nbsp;
           <a href="entries/Bernoulli.html">Bernoulli</a> &nbsp;
           <a href="entries/Diophantine_Eqns_Lin_Hom.html">Diophantine_Eqns_Lin_Hom</a> &nbsp;
           <a href="entries/Dirichlet_L.html">Dirichlet_L</a> &nbsp;
           <a href="entries/Mersenne_Primes.html">Mersenne_Primes</a> &nbsp;
           <a href="entries/Irrationality_J_Hancl.html">Irrationality_J_Hancl</a> &nbsp;
           <a href="entries/Prime_Number_Theorem.html">Prime_Number_Theorem</a> &nbsp;
           <a href="entries/Probabilistic_Prime_Tests.html">Probabilistic_Prime_Tests</a> &nbsp;
           <a href="entries/Prime_Distribution_Elementary.html">Prime_Distribution_Elementary</a> &nbsp;
           <a href="entries/Transcendence_Series_Hancl_Rucki.html">Transcendence_Series_Hancl_Rucki</a> &nbsp;
           <a href="entries/Zeta_3_Irrational.html">Zeta_3_Irrational</a> &nbsp;
           <a href="entries/Furstenberg_Topology.html">Furstenberg_Topology</a> &nbsp;
           <a href="entries/Lucas_Theorem.html">Lucas_Theorem</a> &nbsp;
+          <a href="entries/Gaussian_Integers.html">Gaussian_Integers</a> &nbsp;
+          <a href="entries/Irrational_Series_Erdos_Straus.html">Irrational_Series_Erdos_Straus</a> &nbsp;
                 </div>
       <h3>Games and economics</h3>
     <div class="list">
           <a href="entries/DiscretePricing.html">DiscretePricing</a> &nbsp;
           <a href="entries/ArrowImpossibilityGS.html">ArrowImpossibilityGS</a> &nbsp;
           <a href="entries/SenSocialChoice.html">SenSocialChoice</a> &nbsp;
           <a href="entries/Vickrey_Clarke_Groves.html">Vickrey_Clarke_Groves</a> &nbsp;
           <a href="entries/Parity_Game.html">Parity_Game</a> &nbsp;
           <a href="entries/First_Welfare_Theorem.html">First_Welfare_Theorem</a> &nbsp;
           <a href="entries/Randomised_Social_Choice.html">Randomised_Social_Choice</a> &nbsp;
           <a href="entries/SDS_Impossibility.html">SDS_Impossibility</a> &nbsp;
           <a href="entries/Stable_Matching.html">Stable_Matching</a> &nbsp;
           <a href="entries/Fishburn_Impossibility.html">Fishburn_Impossibility</a> &nbsp;
           <a href="entries/Neumann_Morgenstern_Utility.html">Neumann_Morgenstern_Utility</a> &nbsp;
                 </div>
       <h3>Geometry</h3>
     <div class="list">
           <a href="entries/Complex_Geometry.html">Complex_Geometry</a> &nbsp;
           <a href="entries/Poincare_Disc.html">Poincare_Disc</a> &nbsp;
           <a href="entries/Minkowskis_Theorem.html">Minkowskis_Theorem</a> &nbsp;
           <a href="entries/Buildings.html">Buildings</a> &nbsp;
           <a href="entries/Chord_Segments.html">Chord_Segments</a> &nbsp;
           <a href="entries/Triangle.html">Triangle</a> &nbsp;
           <a href="entries/Impossible_Geometry.html">Impossible_Geometry</a> &nbsp;
           <a href="entries/Tarskis_Geometry.html">Tarskis_Geometry</a> &nbsp;
           <a href="entries/General-Triangle.html">General-Triangle</a> &nbsp;
           <a href="entries/Nullstellensatz.html">Nullstellensatz</a> &nbsp;
           <a href="entries/Ptolemys_Theorem.html">Ptolemys_Theorem</a> &nbsp;
           <a href="entries/Buffons_Needle.html">Buffons_Needle</a> &nbsp;
           <a href="entries/Stewart_Apollonius.html">Stewart_Apollonius</a> &nbsp;
           <a href="entries/Gromov_Hyperbolicity.html">Gromov_Hyperbolicity</a> &nbsp;
           <a href="entries/Projective_Geometry.html">Projective_Geometry</a> &nbsp;
           <a href="entries/Quaternions.html">Quaternions</a> &nbsp;
           <a href="entries/Octonions.html">Octonions</a> &nbsp;
                 </div>
       <h3>Topology</h3>
     <div class="list">
           <a href="entries/Topology.html">Topology</a> &nbsp;
           <a href="entries/Knot_Theory.html">Knot_Theory</a> &nbsp;
           <a href="entries/Kuratowski_Closure_Complement.html">Kuratowski_Closure_Complement</a> &nbsp;
           <a href="entries/Smooth_Manifolds.html">Smooth_Manifolds</a> &nbsp;
                 </div>
       <h3>Graph theory</h3>
     <div class="list">
           <a href="entries/Flow_Networks.html">Flow_Networks</a> &nbsp;
           <a href="entries/Prpu_Maxflow.html">Prpu_Maxflow</a> &nbsp;
           <a href="entries/MFMC_Countable.html">MFMC_Countable</a> &nbsp;
           <a href="entries/ShortestPath.html">ShortestPath</a> &nbsp;
           <a href="entries/Gabow_SCC.html">Gabow_SCC</a> &nbsp;
           <a href="entries/Graph_Theory.html">Graph_Theory</a> &nbsp;
           <a href="entries/Planarity_Certificates.html">Planarity_Certificates</a> &nbsp;
           <a href="entries/Max-Card-Matching.html">Max-Card-Matching</a> &nbsp;
           <a href="entries/Girth_Chromatic.html">Girth_Chromatic</a> &nbsp;
           <a href="entries/Random_Graph_Subgraph_Threshold.html">Random_Graph_Subgraph_Threshold</a> &nbsp;
           <a href="entries/Flyspeck-Tame.html">Flyspeck-Tame</a> &nbsp;
           <a href="entries/Koenigsberg_Friendship.html">Koenigsberg_Friendship</a> &nbsp;
           <a href="entries/Tree_Decomposition.html">Tree_Decomposition</a> &nbsp;
           <a href="entries/Menger.html">Menger</a> &nbsp;
           <a href="entries/Parity_Game.html">Parity_Game</a> &nbsp;
           <a href="entries/Factored_Transition_System_Bounding.html">Factored_Transition_System_Bounding</a> &nbsp;
           <a href="entries/Graph_Saturation.html">Graph_Saturation</a> &nbsp;
                 </div>
       <h3>Combinatorics</h3>
     <div class="list">
           <a href="entries/Card_Equiv_Relations.html">Card_Equiv_Relations</a> &nbsp;
           <a href="entries/Twelvefold_Way.html">Twelvefold_Way</a> &nbsp;
           <a href="entries/Card_Multisets.html">Card_Multisets</a> &nbsp;
           <a href="entries/Card_Partitions.html">Card_Partitions</a> &nbsp;
           <a href="entries/Card_Number_Partitions.html">Card_Number_Partitions</a> &nbsp;
           <a href="entries/Well_Quasi_Orders.html">Well_Quasi_Orders</a> &nbsp;
           <a href="entries/Marriage.html">Marriage</a> &nbsp;
           <a href="entries/Bondy.html">Bondy</a> &nbsp;
           <a href="entries/Ramsey-Infinite.html">Ramsey-Infinite</a> &nbsp;
           <a href="entries/Derangements.html">Derangements</a> &nbsp;
           <a href="entries/Euler_Partition.html">Euler_Partition</a> &nbsp;
           <a href="entries/Discrete_Summation.html">Discrete_Summation</a> &nbsp;
           <a href="entries/Open_Induction.html">Open_Induction</a> &nbsp;
           <a href="entries/Latin_Square.html">Latin_Square</a> &nbsp;
           <a href="entries/Bell_Numbers_Spivey.html">Bell_Numbers_Spivey</a> &nbsp;
           <a href="entries/Catalan_Numbers.html">Catalan_Numbers</a> &nbsp;
           <a href="entries/Falling_Factorial_Sum.html">Falling_Factorial_Sum</a> &nbsp;
           <a href="entries/Matroids.html">Matroids</a> &nbsp;
                 </div>
       <h3>Category theory</h3>
     <div class="list">
           <a href="entries/Category3.html">Category3</a> &nbsp;
           <a href="entries/MonoidalCategory.html">MonoidalCategory</a> &nbsp;
           <a href="entries/Category.html">Category</a> &nbsp;
           <a href="entries/Category2.html">Category2</a> &nbsp;
           <a href="entries/AxiomaticCategoryTheory.html">AxiomaticCategoryTheory</a> &nbsp;
           <a href="entries/Bicategory.html">Bicategory</a> &nbsp;
                 </div>
       <h3>Physics</h3>
     <div class="list">
           <a href="entries/No_FTL_observers.html">No_FTL_observers</a> &nbsp;
                 </div>
       <h3>Misc</h3>
     <div class="list">
           <a href="entries/FunWithFunctions.html">FunWithFunctions</a> &nbsp;
           <a href="entries/FunWithTilings.html">FunWithTilings</a> &nbsp;
           <a href="entries/IMO2019.html">IMO2019</a> &nbsp;
                 </div>
     <h2>Tools</h2>
   <div class="list">
       <a href="entries/Monad_Normalisation.html">Monad_Normalisation</a> &nbsp;
       <a href="entries/Constructor_Funs.html">Constructor_Funs</a> &nbsp;
       <a href="entries/Lazy_Case.html">Lazy_Case</a> &nbsp;
       <a href="entries/Dict_Construction.html">Dict_Construction</a> &nbsp;
       <a href="entries/Case_Labeling.html">Case_Labeling</a> &nbsp;
       <a href="entries/DPT-SAT-Solver.html">DPT-SAT-Solver</a> &nbsp;
       <a href="entries/Nominal2.html">Nominal2</a> &nbsp;
       <a href="entries/Separata.html">Separata</a> &nbsp;
       <a href="entries/Proof_Strategy_Language.html">Proof_Strategy_Language</a> &nbsp;
       <a href="entries/Diophantine_Eqns_Lin_Hom.html">Diophantine_Eqns_Lin_Hom</a> &nbsp;
       <a href="entries/BNF_Operations.html">BNF_Operations</a> &nbsp;
       <a href="entries/BNF_CC.html">BNF_CC</a> &nbsp;
       <a href="entries/Auto2_HOL.html">Auto2_HOL</a> &nbsp;
       <a href="entries/Isabelle_C.html">Isabelle_C</a> &nbsp;
     </div>
     </td>
 </tr>
 </tbody>
 </table>
 
 </div>
 </td>
 
 </tr>
 </tbody>
 </table>
 
 
 </body>
 </html>
\ No newline at end of file