A Formalization of Dedekind Domains and Class Groups of Global Fields

Typeclasses were originally introduced in Haskell as a mechanism for operator overloading [34], and are used throughout Lean’s core library and mathlib to endow types with mathematical structures consisting of both operators and their properties [31]. When the elaborator sees a function with an instance parameter being applied, such as the [monoid M] parameter of pow _succ a n, a Prolog-like search is started to automatically synthesize a suitable value for this parameter. Each of the local parameters and the declarations marked as instance is tested in turn to see if their type matches the expected type of the instance synthesis. All instance parameters of candidate instances are themselves recursively inferred, until either a suitable term is constructed or no more candidates remain; an error is raised in the latter case [2, Sect. 10]. Compared to Haskell’s, Lean’s typeclasses have few structural restrictions: notably, classes and instances can depend on any term, instances may overlap, classes can apply to multiple types, and can have functional dependencies.

In our development, we followed the common practice in mathlib of providing structure on a type, whenever such a structure exists canonically, through typeclasses. The informal notion of providing a certain mathematical structure on a type should not be confused with the structure keyword formally declaring a structure type whose elements are tuples. To confuse matters further, Lean implements typeclasses as structure types, where the typeclass instances are tuples of the typeclass’s fields. Typeclasses provided us a way to treat uniformly situations that are informally considered the same, as we discuss in Sects. 4.1 and 4.2. Our reliance on typeclasses did not cause any noticeable slowness in proof checking: there was no instance that should be found but could not due to timeouts.

A central consideration in formalizing definitions for mathlib is choosing the appropriate amount of bundling: determining whether information about an object should be carried by the object itself (bundled), or passed as a separate value (unbundled) [4]. For example, the is _number _field typeclass of Sect. 4 is considered to have unbundled inheritance from the field class because instances of these classes are passed in separate parameters, while it has bundled inheritance from char _zero and finite _dimensional since both are included as fields of the structure. Similarly, the formalization of admissible absolute values discussed in Sect. 8.2 features a bundled structure absolute _value which includes a map along with proofs stating that this map is an absolute value, and an unbundled structure is _admissible which takes the absolute value map as a separate parameter.

Unbundling has an advantage in expressivity: because each property of an object is passed in a separate parameter, modifying one hypothesis requires modifying one parameter. In contrast, bundling hypotheses means that each subset of hypotheses requires its own structure declaration; any results proved for a given structure have to be made available for other structures manually or through automation such as typeclass inference. The advantage here is that bundled structures result in simpler parameter lists, since fully unbundling the class would result in each of its 38 structure fields becoming a separate parameter.

Technical considerations play another important role in choosing the level of bundling: bundled properties are easily found by automation compared to unbundled properties which require a search of the local context, bundled inheritance between classes can only be applied when the two classes have the same type parameters, while long unbundled inheritance chains cause exponentially large terms, resulting in slowdowns and high memory consumption. Although there is no general rule governing bundling, in general mathlib prefers to bundle if possible, unbundling only when the additional properties are all Prop-valued and are not involved in long inheritance chains.

The definition of is _number _field illustrates our treatment of field extensions. A field L containing a subfield K is said to be a field extension L/K. Often we encounter towers of field extensions: we might have that \(\mathbb {Q}\) is contained in K, K is contained in L, L is contained in an algebraic closure \(\overline{K}\) of K, and \(\overline{K}\) is contained in \(\mathbb {C}\). We might formalize this situation by viewing \(\mathbb {Q}\), K, L, and \(\overline{K}\) as sets of complex numbers \(\mathbb {C}\) and defining field extensions as subset relations between these subfields. This way, no coercions need to be inserted in order to map elements of one field into a larger field. Unfortunately, we can only avoid coercions as far as we are able to stay within one largest field. For example, the definition of complex numbers depends on many results for rational numbers, which would need to be proved again, or transported, for the subfield of \(\mathbb {C}\) isomorphic to \(\mathbb {Q}\).

Instead, we formalized results about field extensions through parametrization. The fields K and L can be arbitrary types and the hypothesis “L is a field extension of K” is represented by an instance parameter [algebra K L] denoting a K-algebra structure on L. The algebra structure provides us with a ring homomorphism \(\texttt {algebra} \_\texttt {map\,K\,L}: K \rightarrow L\); this map is injective because K and L are fields. In other words, field extensions are given by their embeddings.

There are multiple possible K-algebra structures for a field L and Lean does not enforce uniqueness of typeclass instances, but the mathlib maintainers try to ensure all instances that can be inferred are definitionally equal. Definitional equality is a syntactical notion of equality found in dependent type theories that reflects the possibility of computation: for example, the term 2 + 2: \(\mathbb {N}\) is definitionally equal to 4. Whenever Lean can infer the definitional equality of two terms (the terms are said to unify), one can be substituted for the other. Thus, ensuring definitional equality for instances means that overlapping instances will not lead to conflicts when one instance is expected and another is found.

The main drawback of using arbitrary embeddings to represent field extensions is that we need to prove that these maps commute. For example, we might start with a field extension \(L / \mathbb {Q}\), then define a subfield K of L, resulting in a tower of extensions \(L / K / \mathbb {Q}\). In such a tower, the map \(\mathbb {Q}\rightarrow L\) should be equal to the composition \(\mathbb {Q}\rightarrow K\) followed by \(K \rightarrow L\). Such an equality cannot always be achieved by defining the map \(\mathbb {Q}\rightarrow L\) to be this composition: in the example, the definition of the map \(\mathbb {Q}\rightarrow K\) depends on the map \(\mathbb {Q}\rightarrow L\).

The solution in mathlib is to parametrize over all three maps, as long as there is also a proof of coherence: a hypothesis of the form “L/K/F is a tower of field extensions” is translated into three instance parameters [algebra F K], [algebra K L], and [algebra F L], along with a parameter [is _scalar _tower F K L] expressing that the maps commute.

The is _scalar _tower typeclass derives its name from its applicability to any three types among which scalar multiplication operations exist:

For example, if R is a ring, A is an R-algebra, and M is an A-module, we can state that M is also an R-module by adding a [is _scalar _tower R A M] parameter. Since x  \(\cdot \) y for an R-algebra A is defined as algebra _map R A x * y, applying smul _assoc for each x : K with \(y = (1: L)\) and \(z = (1: F)\) shows that the algebra _maps indeed commute in a tower of field extensions L/K/F.

Common is _scalar _tower instances are declared in mathlib, such as for the maps \(R \rightarrow S \rightarrow B\) when S is a R-subalgebra of A and B is an A-algebra such that is _scalar _tower R A B; this also implies that the maps \(R \rightarrow S \rightarrow A\) form a tower. The effect is that almost all coherence proof obligations are automated through typeclass instance synthesis. Only when defining a new algebra structure were we required to supply the is _scalar _tower instances ourselves.

When K is a number field (defined as a field satisfying is _number _field), the ring \(\mathcal {O}_{K}\) of integers in K is defined as the integral closure of \(\mathbb {Z}\) in K. This is the subring containing those x : K that are a root of a monic polynomial with coefficients in \(\mathbb {Z}\):

where integral _closure was already defined in mathlib. When K is a function field over the finite field \(\mathbb {F}_{q}\), we defined \(\mathcal {O}_{K}\) analogously as integral _closure ( \(\mathbb {F}_{q}\) [X]) K.

Since the integers \(\mathbb {Z}\) are integrally closed in \(\mathbb {Q}\), this construction of the ring of integers of the number field \(\mathbb {Q}\) is isomorphic, but not definitionally equal, to \(\mathbb {Z}\). To avoid dealing with these isomorphisms, and also to treat the two definitions of rings of integers on an equal footing, we introduced a typeclass is _integral _closure A R B stating that A is the integral closure of R in B, and worked with a generic is _integral _closure instance instead of the specific ring _of _integers construction when possible.

The ring of integers is one example of a subobject, such as a subfield, subring or subalgebra, defined through a characteristic predicate. In mathlib, subobjects are “bundled,” in the form of a structure comprising the carrier set and proofs showing the carrier set is closed under the relevant operations. Bundled subobjects provide similar benefits to those of bundled morphisms; the choice for the latter is explained in the mathlib overview paper [31]. Where the algebra and is _scalar _tower typeclasses provide an interface generalizing over multiple equivalent definitions, subobjects provide a specific implementation of that interface in the form of a subtype.

Two new subobjects that we defined in our development were subfield as well as intermediate _field. We defined a subfield of a field K as a subset of K that contains 0 and 1 and is closed under addition, negation, multiplication, and taking inverses. If L is a field extension of K, we defined an intermediate field as a subfield of L that is also a K-subalgebra: in other words, a subfield that contains the image of \(\texttt {algebra} \_\texttt {map\,K\,L} \). Other examples of subobjects available in mathlib are submonoids, subgroups, and submodules (with ideals as a special case of submodules); all of these are provided with an instance of the set _like typeclass that supplies notation such as a membership relation “\(x \in S\).”

The new definitions found immediate use: soon after we contributed our definition of intermediate _field to mathlib, the Berkeley Galois theory group used it in a formalization of the primitive element theorem. Soon after the primitive element theorem was merged into mathlib, we used it in our development of the trace form. This anecdote illustrates the decentralized development style of mathlib, with different groups and people building on each other’s results in a collaborative process.

Through the set _like typeclass, subobjects can be coerced to types, by sending a subobject S to the subtype of all elements of S. By putting typeclass instances on this subtype, we could reason about inductively defined rings such as \(\mathbb {Z}\) and subrings such as integral _closure \(\mathbb {Z}\) K uniformly. If \(S: \texttt {subfield}\ K\), there is a ring embedding, the map that sends x : S to K by “forgetting” that \(x \in S\), and we registered this map as an algebra S K instance, also allowing us to treat field extensions of the form \(\mathbb {Q}\rightarrow \mathbb {C}\) and subfields uniformly. Similarly, for \(F: \texttt {intermediate} \_\texttt {field\,K\,L} \), we defined the corresponding algebra K F, algebra F L, and is _scalar _tower K F L instances.

The fraction field \({{\,\mathrm{Frac}\,}}R\) of an integral domain R can be defined explicitly as a quotient type as follows: starting from the type of pairs (a, b) with \(a,b \in R\) such that \(b\ne 0\), one quotients by the equivalence relation generated by \((a,b) \sim (a \alpha , b \alpha )\) for all \(\alpha \ne 0: R\), writing the equivalence class of (a, b) as \(\frac{a}{b}\). It can easily be proved that the ring structure on R extends uniquely to a field structure on \({{\,\mathrm{Frac}\,}}R\); in mathlib this construction is called fraction _ring R, and is used to define the field of rational functions \(K(X) = \texttt {ratfunc\,K} \). When \(R=\mathbb {Z}\), this yields the traditional description of \(\mathbb {Q}\) as the set of equivalence classes of fractions, where \(\frac{2}{3}=\frac{-4}{-6}\), etc.

The drawback of this construction is that there are many other fields that can serve as the field of fractions for the same ring. Consider the field \(\{z \in \mathbb {C}: \Re z \in \mathbb {Q}, \Im z\in \mathbb {Q}\}\), which is isomorphic to \({{\,\mathrm{Frac}\,}}(\mathbb {Z}[i])\) but not definitionally equal to it. Indeed, the mathlib definition of the rational numbers \(\mathbb {Q}\) is a product type, not a quotient type, so we would not be able to treat \(\mathbb {Q}\) as the field of fractions of \(\mathbb {Z}\) in this setup. Any properties proven for \(\mathbb {Q}\) would have to be repeated for \({{\,\mathrm{Frac}\,}}(\mathbb {Z})\), using transfer lemmas stating these properties are preserved by the isomorphism between \(\mathbb {Q}\) and \({{\,\mathrm{Frac}\,}}(\mathbb {Z})\).

The strategy used in mathlib is to rather allow for many different fraction fields of our given integral domain R—as fields K with a suitable [algebra R K] instance, where the map algebra _map R K witnesses that all elements K are “fractions” of elements of R—and to parametrize every result over the choice of K. The conditions on the R-algebra structure on K are encoded as a typeclass is _fraction _ring R K. In the definition used by mathlib, a fraction ring is a special case of a ring localization, which is defined for any commutative ring R. Different localizations restrict the denominators to different multiplicative submonoids of \(R\setminus \{0\}\).

The conditions on algebra _map R K imply that K is the smallest field, up to isomorphism, containing R, expressed by the following unique mapping property. If \(g :R \rightarrow A\) is an injective map to a ring A such that g(x) has a multiplicative inverse for all \(x \ne 0: R\), then it can be extended uniquely to a map \(K \rightarrow A\) compatible with algebra _map R K and g. In particular, given \({\texttt {is}}\_{\texttt {fraction}}\_{\texttt {ring}}\,{\texttt {R}}\,{\texttt {K}}_{\texttt {1}}\) and \({\texttt {is}}\_{\texttt {fraction}}\_{\texttt {ring}}\,{\texttt {R}}\,{\texttt {K}}_{\texttt {2}}\), we can derive an isomorphism \(K_1 \simeq K_2\). The construction of \({{\,\mathrm{Frac}\,}}R\) then results in a field of fractions (with an instance is _fraction _ring R (fraction _ring R)) rather than the field of fractions.

The above description of fraction fields is the third such formalization in mathlib. The first version consisted of a quotient type quotient _ring R, constructed similarly to the current definition of fraction _ring R. Due to the aforementioned drawback—namely, that this provided no easy way to view \(\mathbb {Q}\) as the field of fractions of \(\mathbb {Z}\), for instance—this was refactored to use a characteristic predicate instead.

The second version defined K to be the field of fractions of R if there existed an injective fraction map \(f: R \rightarrow K\), which is a ring homomorphism witnessing that all elements of K are “fractions” of elements of R; the map and its properties were bundled as a type fraction _map R K. Results on fraction fields were parametrized over a choice of fraction map f. This made it possible to view \(\mathbb {Q}\) as the fraction field of \(\mathbb {Z}\), by providing a suitable map called int.fraction _map : fraction _map \(\mathbb {Z}~\mathbb {Q}\). This came at a price: informally, at any given stage of one’s reasoning, the field K is fixed and the map \(f:R\rightarrow K\) is applied implicitly, just viewing every x : R as x : K. It is now impossible to view \(R \le K\) as an inclusion of R-subalgebras, because the map f is needed explicitly to give the R-algebra structure on K. As a workaround, mathlib used a type synonym codomain f:= K and instantiated the R-algebra structure given by f on this synonym. Again we encountered a distinction between \(\mathbb {Q}\) “itself” and \({{\,\mathrm{Frac}\,}}(\mathbb {Z}) = \texttt {codomain\, int.fraction} \_\texttt {map} \), still requiring the transfer of results such as typeclass instances.

The most recent version is the one described above. Inspired by our success in using the algebra typeclass to denote inclusions of rings, we unbundled the explicit (f: fraction _map R K) parameters into an instance parameter [algebra R K] that specifies the map, and an instance parameter [is _fraction _ring R K] that specifies the conditions satisfied by the map. Separating out these parameters finally allowed us to painlessly view \(\mathbb {Q}\) as the fraction ring of \(\mathbb {Z}\) while preserving the original \(\mathbb {Z}\)-algebra structure on \(\mathbb {Q}\).

In Sect. 2, we have informally said that every number field K can be written as \(K=\mathbb {Q}(\alpha )\) for a root \(\alpha \) of an irreducible polynomial \(P\in \mathbb {Q}[X]\). This can be made precise in several ways. For instance, one can consider a large field L (of characteristic 0) where P splits completely, then choose a root \(\alpha \in L\) and let \(K = \mathbb {Q}(\alpha )\) be the smallest subfield of L containing \(\alpha \). Or, one can consider the quotient ring \(\mathbb {Q}[X]/P\) and observe that this is a field where the class \(X\pmod {P}\) is a root of P. The assignment \(\alpha \mapsto X\pmod {P}\) yields an isomorphism of the two fields, but any other choice of a root \(\alpha '\in L\) leads to another isomorphism \(\mathbb {Q}(\alpha ')\cong \mathbb {Q}[X]/P\). Although mathematically we often tacitly identify these constructions, there is no canonical representation of the monogenic extensions of \(\mathbb {Q}\), those which can be obtained by adjoining a single root of one polynomial.

The same continues to hold if we replace the base field \(\mathbb {Q}\) with another field F, thus considering extensions of the form \(F(\alpha )\), now requiring that \(\alpha \) be a root of some \(P\in F[X]\). Various constructions of \(F(\alpha )\) have already been formalized in mathlib. The ability to switch between these representations is important: sometimes K and F are fixed and we want an arbitrary \(\alpha \); sometimes \(\alpha \) is fixed and we want an arbitrary type representing \(F(\alpha )\).

To find a uniform way to reason about all these definitions, we chose to formalize the notion of power basis to represent monogenic field extensions: this is a basis of the form \(1, \alpha , \alpha ^2, \dots , \alpha ^{n-1}: K\) (viewing K as a F-vector space). We defined a structure type bundling the information of a power basis. Omitting some generalizations not needed in this paper, the definition reads:

We formalized that the previously defined notions of monogenic field extensions are equivalent to the existence of a power basis.

With the power _basis structure, we gained the ability to parametrize our results, being able to choose the F and K in a monogenic field extension K/F, or being able to choose the \(\alpha \) generating \(F(\alpha )\) (by setting the gen field to \(\alpha \)). To specialize a result from an arbitrary K with a power basis over F to a specific construction of \(K = F(\alpha )\), one can apply the result to the power basis pb generated by \(\alpha \) and rewrite \(\texttt {power} \_\texttt {basis.gen\,pb} = \alpha \).

There are various equivalent conditions, used at various times, for an integral domain D to be a Dedekind domain. The following three have been formalized in mathlib:Note that fields are Dedekind domains according to these conventions.

The mathlib community chose is _dedekind _domain as the main definition, since this condition is usually the one checked in practice [28]. The other two equivalent definitions were added to mathlib, but before formalizing the proof that they are indeed equivalent. Having multiple definitions allowed us to do our work in parallel without depending on unformalized results. For example, the proof of unique ideal factorization in a Dedekind domain initially assumed is _dedekind _domain _inv D, and the proof that the ring of integers \(\mathcal {O}_{K}\) is a Dedekind domain concluded is _dedekind _domain (ring _of _integers K). After the equivalence between is _dedekind _domain D and is _dedekind _domain _inv D was formalized, we could easily replace usages of is _dedekind _domain _inv with is _dedekind _domain.

The conditions is _dedekind _domain and is _dedekind _domain _inv require a fraction field K, although the truth value of the predicates does not depend on the choice of K. For ease of use, we let the type of is _dedekind _domain depend only on the domain D by instantiating K in the definition as fraction _ring D. From now on, we fix a fraction field K of D.

Applications of is _dedekind _domain can choose a specific fraction field through the following lemma exposing the alternate definition:

We marked is _dedekind _domain as a typeclass by using the keyword class rather than structure, allowing the typeclass system to automatically infer the Dedekind domain structure when an appropriate instance is declared, such as for PIDs or for rings of integers.

The notion which is pivotal to the definition of the ideal class group of a Dedekind domain is that of fractional ideals: given any integral domain R with a field of fractions F, we define is _fractional as a predicate on R-submodules J of F, informally as “there is an x : R with \(x J \subseteq R\).” For a Dedekind domain, nonzero fractional ideals form a group under multiplication. As seen in Sect. 4.5, this notion depends on the field F as well as on the embedding f := algebra _map R F. A more precise way of stating the above condition is then \(f(x)J\subseteq f(R)\). We formalized the definition of fractional ideals of R contained in F as a type fractional _ideal R F, whose elements consist of an R-submodule of F along with a proof of is _fractional. The structure of fractional ideals does not depend on the choice of a fraction field, which we formalized as an isomorphism fractional _ideal.canonical _equiv between two types of fractional ideals on R, corresponding to different fields of fractions.

We defined the addition, multiplication, and intersection operations on fractional ideals, by showing that the corresponding operations on submodules map fractional ideals to fractional ideals. We also formalized that these operations give a commutative semiring structure on the type of fractional ideals. For example, multiplication of fractional ideals is defined as

Defining the quotient of two fractional ideals requires slightly more work. Consider any R-algebra A and an injection \(R\hookrightarrow A\). Given ideals \(I,J\le R\), the submodule \(I / J\le A\) is defined by the property

Beware that the notation 1/I might be misleading here: indeed, for general integral domains, the equality \(I*1/I=1\) might not hold. As an example, one can consider the ideal (X, Y) in \(\mathbb {C}[X,Y]\), which is not a Dedekind domain: by definition, \((X, Y)^{-1}\) consists of the elements \(a=\frac{p}{q} :{{\,\mathrm{Frac}\,}}\bigl (\mathbb {C}[X,Y]\bigr )\) with the property that \(a *b \in \mathbb {C}[X,Y]\) for all \(b \in (X,Y)\). This last condition is equivalent to requiring that both \(a *X\) and \(a *Y\) are in \(\mathbb {C}[X,Y]\) and thus the denominator q of a must be divisible both by X and by Y, so actually \(q\in \mathbb {C}^\times \). It follows that \((X,Y)^{-1}=\mathbb {C}[X,Y]\), and in particular \((X,Y)*(X,Y)^{-1}=(X,Y)\subsetneq 1=\mathbb {C}[X,Y]\).

On the other hand, we formalized that the equality \(I*1/I=1\) holds for Dedekind domains (Sect. 5.3) as the following lemma:

This justifies the notation \(I^{-1}=1/I\). In fact, we define this notation even for the ideal 0, by declaring that \(0^{-1}=0\). This fits the pattern of the typeclass group _with _zero in mathlib, consisting of groups endowed with an extra element 0 whose inverse is again 0.

Moreover, mathlib used to define \(a / b:= a * b^{-1}\), but our definition of \(I^{-1} = 1 / I\) would cause circularity. This led us to a major refactor of this core definition. In particular, we had to weaken the definitional equality to a proposition; this involved many small changes throughout mathlib.⁴

We now describe how we proved and formalized that the two definitions is _dedekind _domain and is _dedekind _domain _inv of being a Dedekind domain are equivalent. Let D be a Dedekind domain, and let \(f:D\rightarrow K\) a fraction map to a field of fractions K of D.

To show that is _dedekind _domain _inv implies is _dedekind _domain, we follow the proof given by Fröhlich in [20, Chap. 1, Sect. 2, Proposition 1.2.1]. A constant challenge that was faced while coding this proof was already mentioned in Sect. 4.5, namely the fact that elements of the domain must be traced along the inclusion into the chosen field of fractions. The proofs for being integrally closed and of dimension being less than or equal to 1 are fairly straightforward.

Formalizing the Noetherian condition was the most challenging. Fröhlich considers elements \(a_1, \dots , a_n \in I\) and \(b_1, \dots , b_n \in I^{-1}\) for any nonempty fractional ideal I, satisfying \( \sum _i a_i b_i = 1 \). Observe now that, in mathlib, the definition of the product \(A*B\) of two fractional ideals A, B is a special case of the product of two submodules, and therefore it is defined as

Unraveling this definition, we see that it defines \(A*B\) as the smallest (i.e., the infimum with respect to set-theoretic inclusion as order relation) submodule containing all submodules \(a\cdot B\) for \(a\in A\), where \(a \cdot B\) is the range of the function \(\lambda \) b: B, \(a*b\). However, it is quite challenging to formalize that an element of \(A*B\) must be a finite sum \(\sum _{i} a_i*b_i\), for \(a_i \in A\) and \(b_i \in B\). Instead, we show that, for every element \(x\in A*B\), there are finite sets \(T\subseteq A\), \(T'\subseteq B\) such that x \(\in \) span (T * T’), formalized as submodule.mem _span _mul _finite _of _mem _mul. Now considering a nonzero integral ideal I of the ring D, by definition of invertibility we can write 1 \(\in \) (1  :  fractional _ideal D K) = I * I \({}^{-1}\). Hence, we obtain finite sets \(T \subset I\) and \(T' \subset I{}^{-1}\) such that 1 is contained in the D-span of \(T*T'\). We used the norm _cast tactic [25] to resolve most coercions but this tactic did not solve coercions coming from the inclusion algebra _map D K. With coercions, the actual statement of the latter expression in Lean is \(\uparrow \) T’ \(\subseteq \) \(\uparrow \uparrow \) ( \(\uparrow \) I) \({}^{-1}\), which reads

From the existence of T and \(T'\), we concluded that I is indeed finitely generated, thus finishing the proof.

The theorem fractional _ideal.mul _inv _cancel proves the converse, namely that is _dedekind _domain implies is _dedekind _domain _inv. The classical proof consists of three steps: first, every maximal ideal \(M\subseteq D\), seen as a fractional ideal, is invertible; second, every nonzero ideal is invertible, using that it is contained in a maximal ideal; third, the fact that every fractional ideal J satisfies \(xJ\le I\) for a suitable element \(x\in D\) and a suitable ideal \(I\subseteq D\) implies that every fractional ideal is invertible, concluding the proof that nonzero fractional ideals form a group. The third step was easy, building upon the material developed for the general theory of fractional _ideal. Concerning the first two, we found that passing from the case where M is maximal to the general case required more code than directly showing invertibility of arbitrary nonzero ideals. The formal statement reads

from where it becomes apparent that we had to repeatedly distinguish between I  :  ideal D and its coercion \(\uparrow \) I  :  fractional _ideal D K although these objects, from a mathematical point of view, are identical.

The formal proof of this result relies on the lemma exists _not _mem _one _of _ne _bot, which says that for every nontrivial ideal \(0\subsetneq I\subsetneq D\), there exists an element in the field K which is not integral (so, not in 1: fractional _ideal D K) but lies in \(I{}^{-1}\). The proof begins by invoking that every nonzero ideal in the Noetherian ring D contains a product of nonzero prime ideals. This result was not previously available in mathlib. The dimension condition shows its full force when applying this lemma: each prime ideal in the product \(I*I^{-1}\), being nonzero, will be maximal because the Krull dimension of D is at most 1; from this, exists _not _mem _one _of _ne _bot follows easily. Having the above lemma at our disposal, we were able to prove that every ideal \(I\ne 0\) is invertible by arguing by contradiction: if \(I*I{}^{-1}\ne D\), we can find an element \(x\in K{\setminus } D\) which is in \((I*I{}^{-1}){}^{-1}\) thanks to exists _not _mem _one _of _ne _bot; some easy algebraic manipulation then implies that x is actually integral over D. Since D is integrally closed, \(x \in D\), contradicting the construction of x. Combining these results gives the equivalence between the two conditions for being a Dedekind domain.

As briefly indicated before, we also formalized a proof that in a Dedekind domain every nonzero ideal can be expressed as a product of prime ideals in a unique way up to the order of the factors. In fact, for an integral domain, every nonzero ideal is a product of prime ideals if and only if all nonzero fractional ideals are invertible; the uniqueness follows separately. We have formalized one direction of this equivalence, a proof of the converse can be found in [36, Chap. 5, Sect. 6, Theorem 10].

We formalized the unique ideal factorization property of a Dedekind domain D by instantiating a unique factorization monoid structure on its ideals.

In mathlib, unique factorization domains are actually a special case of unique factorization monoids (UFMs). A commutative monoid R with an absorbing element 0 and injective multiplication is defined to be a UFM, if the relation “x properly divides y” is well-founded (implying that every element can be factored as a product of irreducibles) and an element of R is prime if and only if it is irreducible (implying uniqueness of the factorization). Examples in mathlib of UFMs are the unique factorization domains \(\mathbb {N}\) and \(\mathbb {Z}\) as well as, for any UFM \(\alpha \), the quotient of \(\alpha \) by the subgroup of invertible elements associates \(\alpha \). With much of the necessary definitions and properties already formalized, the formalization of this unique factorization result has been done in well under 100 lines of Lean code. One of the main mathematical ingredients (interesting in its own right) is that for ideals in a Dedekind domain, to divide is to contain:

Similarly, to strictly contain is to properly divide, so the well-foundedness condition of UFMs is exactly the property that a Dedekind domain is Noetherian. In order to show that all irreducible elements of the monoid of nonzero prime ideals in D are prime elements, we formalized that irreducible ideals in a Dedekind domain are maximal and therefore prime (note that prime ideals of a Dedekind domain D coincide with prime elements of the monoid of its nonzero ideals); the converse holds in every monoid.

We note that the unique factorization result, or actually an easy corollary thereof, is an important ingredient in our finiteness proof for the class group of rings of integers, as we will elaborate on in Sect. 8.2.

In the notation from the previous section, consider the bilinear map lmul:= \(\lambda \) x y  :  K, x * y. The trace of the linear map lmul x is called the algebra trace \({{\,\mathrm{Tr}\,}}_{K / F}(x)\) of x. We defined the algebra trace as a linear map, in this case from K to F:

This definition was marked noncomputable since linear _map.trace makes a case distinction on the existence of a finite basis, choosing an arbitrary finite basis if one exists (since the value of linear _map.trace does not depend on this choice) and returning 0 otherwise. This latter case did not occur in our development.

We defined the trace form to be an F-bilinear form on K, mapping x, y : K to \({{\,\mathrm{Tr}\,}}_{K/F}(xy)\).

In the following, let L/K/F be a tower of finite extensions of fields, namely we assume [algebra F K] [algebra K L] [algebra F L] [is _scalar _tower F K L], as described in Sect. 4.2.

The value of the trace depends on the choice of F and K; we formalized this as lemmas trace _algebra _map x  :  trace F K (algebra _map F K x) = finrank F K * x as well as trace _trace x  :  trace F K (trace (K L x)) = trace F L x; here finrank F K is the degree of the field extension K/F. These results followed by direct computation.

To compute \({{\,\mathrm{Tr}\,}}_{K/F}(x)\), it therefore suffices to consider the trace of x in the smallest field containing x and F, which is the monogenic extension F(x) discussed in Sect. 4.6. There is a nice formula for the trace in F(x), although the terms in this formula are elements in a larger field L (such as the splitting field of minpoly F x, the minimal polynomial of x over F). In formalizing this formula, we first mapped the trace to L using the embedding \(\texttt {algebra} \_\texttt {map\,F\,L} \), which gave the following statement:

We formulated the lemma in terms of the power basis, since we needed to use it for F(x) here and for an arbitrary finite separable extension L/K later in the proof.

The elements of roots (map (algebra _map F L) (minpoly F pb.gen)) are called conjugates of x in L. Each conjugate of x is integral since it is a root of the same monic polynomial, and integer multiples and sums of integral elements are integral. Combining trace _gen _eq _sum _roots and trace _algebra _map showed that the trace of x is an integer multiple (namely finrank F(x) L) of a sum of conjugate roots, hence we concluded that the trace (and trace form) of an integral element is also integral.

Finally, we showed that the trace form is nondegenerate, following Neukirch [28, Proposition 2.8]. Since K/F is a finite, separable field extension, it has a power basis pb generated by an element x : K. Letting \(x_k\) denote the k-th conjugate of x in an algebraically closed field L/K/F, the main difficulty was in checking the equality \(\sum _k x_k^{i + j} = {{\,\mathrm{Tr}\,}}_{K / F} (x^{i + j})\). Directly applying trace _gen _eq _sum _roots was tempting, since we had a sum over conjugates of powers on both sides. However, the two expressions did not precisely match: the left-hand side is a sum of conjugates of x, where each conjugate is raised to the power \(i + j\), while the conclusion of trace _gen _eq _sum _roots resulted in a sum over conjugates of \(x^{i + j}\).

Instead, the paper proof switched here to an equivalent definition of conjugate: the conjugates of x in L are the images (counted with multiplicity) of x under each embedding \(\sigma :F(x) \rightarrow L\) that fixes F. This equivalence between the two notions of conjugate was contributed to mathlib by the Berkeley group in the week before we realized we needed it. Mapping trace _gen _eq _sum _roots through the equivalence gave \({{\,\mathrm{Tr}\,}}_{K / F}(x) = \sum _{\sigma } \sigma \ x\). Since each \(\sigma \) is a ring homomorphism, \(\sigma \ x^{i + j} = (\sigma \ x)^{i + j}\), so the conjugates of \(x^{i + j}\) are the \((i + j)\)-th powers of conjugates of x, which concluded the proof.

Recall from Sect. 2 that the ideal class group \(\mathcal {C}l_D\) of a Dedekind domain D is the quotient of the group of nonzero fractional ideals of D by the nonzero principal fractional ideals. More generally, given an integral domain R with fraction field K, we can define the class group \(\mathcal {C}l_R\) as the quotient of the invertible fractional ideals by the nonzero principal fractional ideals. We formalized this in Lean by first defining a map \({\texttt {to}}\_{\texttt {principal}}\_{\texttt {ideal}}\,{\texttt {R}}\,{\texttt {K}}: {\texttt {K}}^{\times } \rightarrow {\texttt {(}}{\texttt {fractional}}\_{\texttt {ideal}}\,{\texttt {R}}\,{\texttt {K}}{\texttt {)}}^{\times }\), and defined the class group as

Here, \({\texttt {R}}^{\times }\) for a semiring R denotes the multiplicative group of its invertible elements. Recall from Sect. 5.2 that in the general case of an integral domain R the type of fractional ideals of R is endowed with the structure of a commutative semiring. Therefore, the quotient of the abelian group \(({\texttt {fractional}}\_{\texttt {ideal}}\,{\texttt {R}}\,{\texttt {K}})^{\times }\) by the subgroup of nonzero principal fractional ideals is well defined. In the case where R is a Dedekind domain, we provided a map class _group.mk0 sending nonzero integral ideals of R to the corresponding class in the class group.

In general, Dedekind domains can have infinite class groups: in fact, a celebrated result by Claborn shows that for every abelian group G, there exists a Dedekind domain D with \(\mathcal {C}l_D\cong G\) (see [11, Theorem 7]). For an extreme—but somewhat classical—example, the Dedekind domainhas class group isomorphic to \(\mathbb {C}/\mathbb {Z}^2\). However, as discussed in Sect. 2, the rings of integers of global fields have finite class groups.

We let K be a number field and let \(K'\) be a function field, with ring of integers \(\mathcal {O}_{K}\) and \(\mathcal {O}_{K'}\) (we fix a choice of a model \(\mathbb {F}_{q}[t]\)), respectively. Most proofs of the finiteness of \(\mathcal {C}l_{\mathcal {O}_{K}}\) available in a modern textbook (see [28, Theorems 4.4, 5.3, 6.3]) depend on Minkowski’s lattice point theorem, a result from the geometry of numbers (which has been formalized in Isabelle/HOL [18]). Extending this proof to show the finiteness of \(\mathcal {C}l_{\mathcal {O}_{K'}}\) is quite involved and does not result in a uniform proof for \(\mathcal {C}l_{\mathcal {O}_{K}}\) and \(\mathcal {C}l_{\mathcal {O}_{K'}}\). Our formalization instead adapted and generalized a classical approach to the finiteness of \(\mathcal {C}l_{\mathcal {O}_{K}}\), where the use of Minkowski’s theorem is replaced by the pigeonhole principle. We have made available online an informal writeup of the proof, used in the formalization efforts.⁵ The classical approach seems to go back to Kronecker and can be found, for instance, in [23]. We note that some other “uniform” approaches can be found in [1] and [30].

Let D be an Euclidean domain: in particular, it will be a PID and hence a Dedekind domain. Given a fraction field F of D, let K be a finite separable field extension of F. We formalized, in the theorem class _group.fintype _of _admissible _of _finite, that the integral closure S of D in K has a finite class group whenever D has an “admissible” absolute value abs. This notion originated in our project from the adaptation and generalization of the classical finiteness proof in interaction with the formalization efforts. Very informally, the admissibility conditions require that the remainder operator % produces values that are not too far apart. More precisely, and in more “ordinary” mathematical notation, writing \({{\,\mathrm{mod}\,}}\) instead of \(\%\) and \(x \mapsto |x |\) for the absolute value function \(D \rightarrow \mathbb {Z}\), the latter is called admissible if both:To formalize this, we made minor modifications like turning \({{\,\mathrm{card}\,}}\) into a total function on \(\mathbb {R}\) and turning A into an n-tuple (noting that in this setting there is no need to forbid repetition of elements within the n-tuple). This resulted in the following predicate classifying admissible absolute values abv:

The is _euclidean abv predicate asserts that the absolute value abv  :  D \(\rightarrow \) \(\mathbb {Z}\) respects the remainder operator of the Euclidean domain D, in particular abv (a % b) \(\texttt {<} \) abv b.

The above condition formalizes and generalizes an intermediate result in paper proofs of the finiteness of the class group; the different proofs for number fields and function fields (still assuming K/F separable) become the same after this point. The direct consequence (by the pigeonhole principle) of admissibility of \(x \mapsto |x |\), applied in practice, is that for all \(\epsilon \in \mathbb {R}_{>0},\ b \in D-\{0\},\ n \in \mathbb {N}\), and all subsets \(A \in D^n\) containing more than \({{\,\mathrm{card}\,}}(\epsilon )^n\) elements, there exist distinct \(x,y \in D^n\) such that for all \(i=1, \ldots , n\) we have \(|x_i {{\,\mathrm{mod}\,}}b - y_i {{\,\mathrm{mod}\,}}b |<\epsilon |b |\). We used division with remainder to replace the fractional part operator on F in the classical proof, which was essential to incorporate function fields, and at the same time allowed our proof to stay entirely within D to avoid coercions.

In a similar way to the algebra trace of Sect. 7.1, we defined the norm of an element x  :  S as the determinant of the linear map lmul x. We used the admissibility of abs to find a finite set finset _approx of elements of D, such that the following generalization of [23, Theorem 12.2.1] holds.

Translated back into more “ordinary” mathematical notation, this theorem tells us that, for all \(a, b \in S\) with b nonzero, there exist \(q \in S\) and \(r \in {\mathrm{finset}}\_{\mathrm{approx}}\), such thatAfter this, the classical approach mentioned above formalized smoothly: we show that each class in \(\mathcal {C}l_{K}\) contains an ideal J with \(M \in J\), where M is the product of all elements of finset _approx, hence M is nonzero. Since the ideals of the Dedekind domain S have unique factorization, the nonzero ideal \(\langle M \rangle \) spanned by M has only finitely many divisors. To contain is to divide in Dedekind domains, so there are only finitely many ideals J with \(M \in J\). Thus, we concluded that \(\mathcal {C}l_{K}\) is finite under the condition of the existence of an admissible absolute value on D.

It remained to define an admissible absolute value for \(\mathbb {Z}\) and \(\mathbb {F}_{q}[t]\). On \(\mathbb {Z}\), the usual Archimedean absolute value fulfills the requirements by setting \({{\,\mathrm{card}\,}}\epsilon \) to be \(\frac{1}{\epsilon }\), rounded up. Since remainders mod b can be chosen to lie in the interval [0, b[, partitioning this interval into \({{\,\mathrm{card}\,}}\epsilon \) intervals of length \(\epsilon b\) induces the desired partition.

For \(\mathbb {F}_{q}[t]\), we showed that \(|f|_{\deg }:=q^{\deg f}\) for \(f \in \mathbb {F}_{q}[t]\) is an admissible absolute value. Fix a polynomial \(b \in \mathbb {F}_{q}[t]\) and a set \(A' \subset \mathbb {F}_{q}[t]\) of remainders modulo b. Since the coefficients of polynomials in \(\mathbb {F}_{q}[t]\) are elements of a finite set of cardinality q, and the degree of each \(f \in A'\) is strictly less than \(\deg b\), for each c there are only \(q^c\) distinct values for the c coefficients of the monomials of degree \(\deg b - c\) up to \(\deg b - 1\). If the highest coefficients of \(f, g \in A'\) coincide, then \(|(f-g) |_{\deg } < q^{\deg b - c} = q^{-c} |b |_{\deg }\). By setting \({{\,\mathrm{card}\,}}\epsilon = \left\lceil {-\log _{q} \epsilon }\right\rceil \) so that \(q^{- {{\,\mathrm{card}\,}}\epsilon } \le \epsilon \), we can partition \(A'\) into \({{\,\mathrm{card}\,}}\epsilon \) subsets based on highest coefficients, so that elements of each partition are within distance \(\epsilon |b |_{\deg }\) as desired.

We concluded that when K is a global field, restricting to separable extensions of \(\mathbb {F}_{q}(t)\) in the function field case (but see the remark below), the class group is finite:

Finally, we defined number _field.class _number and function _field.class _number as the cardinality of the respective class groups.

We remark that it is possible to get rid of the [is _separable F K] assumption above. For instance, using that any function field K, given as finite extension of \(\mathbb {F}_{q}(t)\), contains an \(s \in K\) such that \(K/\mathbb {F}_{q}(s)\) is a finite and separable extension; see for example [24, Corollary 4.4 in Chap. VIII] (noting that \(\mathbb {F}_{q}\) is perfect and K has transcendence degree 1 over \(\mathbb {F}_{q}\)). One then also needs to show that the finiteness of the class group of the integral closure of \(\mathbb {F}_{q}[s]\) in K is preserved upon replacing \(\mathbb {F}_{q}[s]\) by \(\mathbb {F}_{q}[t]\). A trivial way to get rid of the assumption in the statement above is to simply move it to our definition of function field. While this would be mathematically consistent by the result just cited, we did not opt to do this (for instance showing a finite extension of a function field is a function field would become nontrivial). Alternatively, one could aim at dropping the separability condition in the formalized result mentioned in the first paragraph of Sect. 7. Having a formalization of this generalization would be interesting in its own right. This approach would also still need the adaptation of some of the details in the final steps for the finiteness of the class group in the admissible case.

We rounded off our development by determining the class number in the simplest possible case: the rational numbers \(\mathbb {Q}\). First, we formalized the theorem class _number _eq _one _iff, stating that the class number of K is 1 if and only if \(\mathcal {O}_{K}\) is a principal ideal domain. After defining the isomorphism rat.ring _of _integers _equiv showing \(\mathcal {O}_{\mathbb {Q}}\) is \(\mathbb {Z}\), we could use the fact that \(\mathbb {Z}\) is a PID to conclude that the class number of \(\mathbb {Q}\) is equal to 1:

Broadly speaking, one could see our formalization work as part of number theory. There are several formalization results in this direction. Most notably, Eberl formalized a substantial part of analytic number theory in Isabelle/HOL [19]. Narrowing somewhat to a more algebraic setting, Cano, Cohen, Dénès, Mörtberg, and Siles formalized in Coq constructive definitions in ring theory, with a particular focus on factorization properties and with applications to algebraic notions like well-founded divisibility and Krull dimension [8]. Moreover, de Lima, Galdino, Borges Avelar, and Ayala-Rincón recently formalized in PVS basic notions regarding ring theory, with a particular focus on quotients: isomorphism theorems, the Chinese remainder theorem, and the definitions of prime and maximal ideals [14]. We are not aware of any other formal developments of fractional ideals, Dedekind domains or class groups of rings of integers.

There are many libraries formalizing basic notions of commutative algebra such as field extensions and ideals, including the Mathematical Components library in Coq [26], the algebraic library for Isabelle/HOL [5], the set.mm database for MetaMath [27], and the Mizar Mathematical Library [22]. The field of algebraic numbers, or more generally algebraic closures of arbitrary fields, are also available in many provers. For example, Blot [6] formalized algebraic numbers in Coq, Cohen [12] constructed the subfield of real algebraic numbers in Coq, Thiemann et al. [33] formalized algebraic numbers in Isabelle/HOL, Carneiro [9] in MetaMath, and Watase [35] in Mizar. To our knowledge, the Coq Mathematical Components library is the only formal development beside ours specifically dealing with number fields [26, field/algnum.v].

Apart from the general theory of algebraic numbers, there are formalizations of specific rings of integers. For instance, the Gaussian integers \(\mathbb {Z}[i]\) have been formalized in Isabelle/HOL by Eberl [17], in MetaMath by Carneiro [10] and in Mizar by Futa et al. [21]. Eberl’s Isabelle/HOL formalization deserves special mention in this context since it introduces techniques from algebraic number theory, defining the integer-valued norm on \(\mathbb {Z}[i]\) and classifying the prime elements of \(\mathbb {Z}[i]\).

An application of our work is the formalization of the adèlic ring of a global field in Lean (María Inés de Frutos-Fernández [13]). In particular, the author formalized adic valuations on Dedekind domains, and also proved a correspondence between idèle and ideal class groups. Our work on Dedekind domains and class groups was an essential building block for this project.

Finally, since our project became available in the mathlib library, a team led by Brasca has begun formalizing Fermat’s Last Theorem for regular primes. Fermat’s Last Theorem is the assertion that, for all integers \(n\ge 3\),

It is immediate to see that, for positive integers n and m, if n divides m, then the validity of (\(\mathrm {FLT}_{n}\)) implies that of (\(\mathrm {FLT}_{m}\)). Therefore, also taking into account that (\(\mathrm {FLT}_{4}\)) was already dealt with by Fermat himself, it suffices to only consider exponents that are odd prime numbers.

Now, an odd prime number p is said to be regular if it does not divide the order of the class group \(\mathcal {C}l_{\mathbb {Q}(\zeta _p)}\) of the number field obtained by adjoining to \(\mathbb {Q}\) a primitive pth root of unity \(\zeta _p\); the latter means that \(\zeta _p^p=1\) and \(\zeta _p\ne 1\) or, equivalently, that \(\zeta _p\) is a root of the irreducible polynomialA classical result, due to Kummer’s work in 1847, is that (\(\mathrm {FLT}_{p}\)) is true for every regular prime number p. This is the result Brasca and his team have begun formalizing in Lean 3 in the on-going work [7], and it evidently requires the finiteness of the class group in order to define the notion of a regular prime as above⁶. Moreover, most arguments occurring in Kummer’s proof pertain to the structure of the ring of integers \(\mathbb {Z}[\zeta _p]=\mathcal {O}_{\mathbb {Q}(\zeta _p)}\) as a Dedekind domain, and our work lies at the core of the formalization of these structures.

Having formalized various basic results of algebraic number theory, there are several natural directions for future work, including formalizing some of the following results.

In this project, we confirmed the rule that the hardest part of formalization is to get the definitions right. Once this is accomplished, the paper proof (sometimes first adapted with formalization in mind) almost always translates into a formal proof without too much effort. In particular, we regularly had to invent abstractions to treat instances of the “same” situation uniformly. Instead of fixing a canonical representation, be it \(F \subseteq K \subseteq L\) as subfields or the field of fractions \({{\,\mathrm{Frac}\,}}R\), or the monogenic \(K(\alpha )\), we found that making the essence of the situation an explicit parameter, as in is _scalar _tower, is _fraction _ring or power _basis, allows to treat equivalent viewpoints uniformly without the need for transferring results.

The formalization efforts described in this paper cannot be cleanly separated from the development of mathlib as a whole. The decentralized organization and highly integrated design of mathlib meant that we could contribute our formalizations as we completed them, resulting in a quick integration into the rest of the library. Other contributors building on these results often extended them to meet our requirements, before we could identify that we needed them, as the anecdote in Sect. 4.4 illustrates. In other words, the low barriers for contributions ensured mutually beneficial collaboration.