alt.hn

4/27/2026 at 2:24:53 PM

“Why not just use Lean?”

 https://lawrencecpaulson.github.io//2026/04/23/Why_not_Lean.html

by ibobev

4/27/2026 at 3:20:20 PM

For the HN crowd who are generally programmers but not necessarily mathematicians, it’s more relevant to consider the programming side of things. There is a very good book (one I haven’t finished unfortunately) that covers Lean from a functional programming perspective rather than proving mathematics perspective: https://leanprover.github.io/functional_programming_in_lean/

I am learning Lean myself so forgive me as I have an overly rosy picture of it as a beginner. My current goal is to write and prove the kind of code normal programmers would write, such as real-world compression/decompression algorithms as in the recent lean-zip example: https://github.com/kiranandcode/lean-zip/blob/master/Zip/Nat...

by kccqzy

4/27/2026 at 3:43:54 PM

I recall an experiment in proving software correct from the 1990s that found more errors in the final proof annotations than in the software it had proved correct.

Then, I foresee 2 other obstacles, 1 of which may disappear:

1. Actually knowing what the software is supposed to do is hard. Understanding what the users actually want to do and what the customers are paying to do --which aren't necessarily the same thing--is complex

2. The quality of the work of many software developers is abysmal and I don't know why they would be better at a truth language than they are at Java or some other language.

Objection 2 may disappear to be replaced with AI systems with the attention to do what needs to be done. So perhaps things will change in that to make it worthwhile...

by readthenotes1

4/27/2026 at 5:33:35 PM

I think the hope for 2 is that those programmers would be forced into inaction by the language safety, rather than being allowed to cause problems.

I don't really think that works either, because there's endless ways to add complication even if you can't worsen behavior (assuming that's even possible). At best they might be caught eventually... but anyone who has worked in a large tech company knows at least a few people who are somehow still employed years later, despite constant ineptitude. Play The Game well enough and it's probably always possible.

by Groxx

4/27/2026 at 8:58:40 PM

It's even conceivable that 2 gets worse with AI: The AI does the proof for them, very convolutedly so, and as long as the proof checker eats it, it goes through. Comes the day when the complexity goes beyond what the AI assistant can handle and it gives up. At that point, the proof codes complexity will for a long time have passed the threshold of being comprehensible for any human and there is no progress possible. Hard stop.

by teiferer

4/27/2026 at 9:27:53 PM

Using a proof language with an SMT solver is basically that: an inexplicable tick that it’s fine, until a small change is needed, the tick is gone, and nothing can say why.

by codebje

4/27/2026 at 9:36:46 PM

That's basically what sledgehammer (mentioned in the article) boils down to. The Lean folks use some safeguards to avoid issues with that, such as only using their "grind" at the end of a proof, where all the "building blocks" have been added to context.

by zozbot234

4/28/2026 at 5:57:47 PM

> I think the hope for 2 is that those programmers would be forced into inaction by the language safety, rather than being allowed to cause problems.

Ah! That's funny :)

In practice there are always ways to circumvent safety, especially when it is easier than the alternative.

In a Typescript codebase I work on, I configured the type-checker to fordbid `any`. Should be easy enough to use `object` When we don't know the type, right? Well then things started being serialized into `string` way more often than I'd like...

by sdeframond

4/29/2026 at 5:21:20 AM

tbh if you think a serialized string bypasses anything in a proof-oriented language... I think that just means you haven't used one before. stringly-typed code is no less safe than strict types in these systems, though it's generally quite a lot more work: more things are fallible, and you need to repeatedly re-build or check every guarantee you are still requiring in other code that you interact with.

the exception is if you explicitly state X is a true statement, as many have some kind of bypass like that (an axiom or assumption or whatever). you could build a system that uses this everywhere to break most of the rules, like you can use `any` everywhere, but it'll be extremely obvious if that's the case.

by Groxx

4/30/2026 at 11:48:55 AM

Oh, it is obvious.

My point is: if you try to force people into inaction, chances are they will bypass you.

by sdeframond

4/27/2026 at 3:51:50 PM

Re 1: Discussing and guiding the desirable theorems for general-purpose programs has been a major challenge for us. Proofs for their own sake (bad?) vs glorious general results (good but hard?). Actual human guidance there can be critical there at least for now.

by jsmorph

4/28/2026 at 4:19:40 AM

Check out SeL4 (a proven correct micro kernel used by billions of devices worldwide) and CompCert (a proven correct C compiler used by Airbus).

by deterministic

4/27/2026 at 3:53:28 PM

Mind linking the experiment? Sounds interesting.

by cayley_graph

4/27/2026 at 5:46:42 PM

While reading though this book, I messed around with a basic computer algebra simplifier in Lean:

https://github.com/dharmatech/symbolism.lean

It's a port of code from C#.

Lean is astonishingly expressive.

by dharmatech

4/27/2026 at 9:28:15 PM

Have you tried dafny, which seems roughly comparable for your purposes? I heard some buzz about it a little while ago but I haven't been following this space closely.

by grogers

4/27/2026 at 11:14:54 PM

Dafny and F*, which competes directly with Lean but is more guided towards SWE, are definitely worthy of consideration.

by nextos

4/28/2026 at 7:46:46 AM

Ada/SPARK may also be worth a look.

by v9v

4/27/2026 at 5:57:07 PM

what about non-functional programming?

FP is just as irrelevant for most programmers as the math you already shoved aside

by NooneAtAll3

4/27/2026 at 6:16:50 PM

Hmm like the “new” JS Fetch api with `then` chaining? What about map, filter, reduce? Anonymous functions? List comprehensions? FP is everywhere. Pure FP code isn’t seen very often, as side effects are necessary for most classes of programs, but neither is pure OOP code, as not everything is dynamically dispatched, nor imperative code, as Objects or functions may more cleanly describe/convey something in code.

by DauntingPear7

4/27/2026 at 7:01:17 PM

I shoved math aside because I think for most of the HN crowd it wouldn’t be a good use of their time to do what mainstream mathematics is about, like the “things such as Grothendieck schemes and perfectoid spaces” the article also references. FP is much more relevant because for any program for which a proof of correctness is worthwhile, you can always extract a functional core of that program (functional core, imperative shell). And that functional core will be easier to prove than if it were written in an imperative style.

by kccqzy

4/27/2026 at 6:51:46 PM

FP and math are the same concept.

The semantics of math are equation based.

Everything in the math universal language is defined as an expression or formula.

All proofs are based on this concept.

To translate this into programming think about what programming is? Programming rather being a single line formula is a series of procedures.

  1. add 1
  2. add 3
  3. repeat.
in functional programming you get rid of that and you think from the perspective of how much of a program can you fit into a single one liner? An expression? Think map, reduce, list comprehensions, etc.

That is essentially what functional programming is. Fitting your entire program onto one line OR fitting it into a math expression.

The reason why you see multiple lines in FP languages is because of aliasing.

  m = b + c
  y = x + m
is really:

  y = x + (b + c)
This is also isomorphic to the concept of immutability. By making things immutable your just aliasing part of the one liner...

So functional programming, one line programs, formulas and equations in math, and immutability are essentially ALL the same concept.

That is why lean is functional. Because it's math.

by threethirtytwo

4/27/2026 at 9:10:11 PM

You might like looking at Dafny. It is more imperative focus, but has many of the same software proving functionality that Lean has.

It is different in that it uses SMT instead of dependent types and tactics to prove the software, but I found it more approachable.

Also, it compiles to several target languages, whereas Lean 4 only compiles to C and therefore only supports the C ABI.

by icosahedron

4/27/2026 at 5:41:23 PM

The author appears to have a serious misconception about Lean, which is surprising since he seems to be quite knowledgeable in the area.

Specifically, the author seems to be under the impression that Lean retains proof objects and the final proof to be checked is one massive proof object, with all definitions unfolded: "these massive terms are unnecessary, but are kept anyway" (TFA). This couldn't be further from the truth. Lean implements exactly the same optimization as the author cherishes in LCF; metaphorically, that "The steps of a proof would be performed but not recorded, like a mathematics lecturer using a small blackboard who rubs out earlier parts of proofs to make space for later ones" (quoted by blog post linked from TFA). Once a `theorem` (as opposed to a `def`) is written in Lean4, then the proof object is no longer used. This is not merely an optimization but a critical part of the language: theorems are opaque. If the proof term is not discarded (and I'm not sure it isn't), then this is only for the sake of user observability in the interactive mode; the kernel does not and cannot care what the proof object was.

by nrds

4/27/2026 at 5:52:25 PM

A proof object in dependent type theory is just the term that inhabits a type. So are you saying the Lean implementation can construct proofs without constructing such a term?

by burakemir

4/27/2026 at 6:34:05 PM

No, I'm saying it is checked and then discarded. (Or at least, discarded by the kernel. Presumably it ends up somewhere in the frontend's tactic cache.) That matches perfectly the metaphor, "rubs out earlier parts of proofs to make space for later ones".

The shared misconception seems to be in believing that because _conceptually_ the theory implemented by Lean builds up a massive proof term, that _operationally_ the Lean kernel must also be doing that. This does not follow. (Even the concept is not quite right since Lean4 is not perfectly referentially transparent in the presence of quotients.)

by nrds

4/27/2026 at 9:07:36 PM

Yeah. I guess the abstract type approach saves some memory, but it's a constant factor thing, not an asymptotic improvement. The comment that Lean wastes "tens of megabytes" seems telling: it seems like something that would be a critical advantage in the 1980s and 1990s, when Paulson first fought these battles, but maybe less important today...

by vilhelm_s

4/27/2026 at 9:11:03 PM

To be fair, lean wastes and leaks memory like a sieve, but this is almost all in the frontend. It has nothing to do with the kernel or the theorem proving approach chosen.

by nrds

4/28/2026 at 10:51:05 AM

It is more a conceptual thing. In LCF, proofs and terms are different things, and that is how it should be in my opinion. This Curry-Howard confusion is unnecessary, but many people don't realise that, they think it is the only way to do math on a computer. You can still store proofs in LCF if you want, and use them; just as in Lean, you might be able to optimise them away.

by auggierose

4/28/2026 at 6:56:56 PM

You have done no more to show an actual distinction in the approach than TFA and its linked blog post... It sounds like a naming thing to me. On one side we name the term/program as a term and see it as something checked by the kernel, and on the other you name the term/program as a program and see it as something executed by the runtime. What's the difference?

by nrds

4/28/2026 at 9:35:36 PM

There is indeed no difference if your dependent-typing approach is using reflection (where the checked term is actually a program that's logically proven to result in a a correct proof when executed - such as, commonly, by running a decision procedure) but that's not a common approach.

by zozbot234

4/29/2026 at 8:26:45 PM

The difference is that a term is not (necessarily) a program. Also checking is not executing. Its like saying riding a horse is the same as eating a fish. Really just a naming thing, what's the difference?

by auggierose

5/1/2026 at 1:00:34 AM

You're drawing an equivalence between the wrong pair of things. I'm not saying that term=program; I'm saying that the type checker, qua `term -> context -> decision`, bound to a particular term, is a program `context -> decision`, and the other approach is also a program `context -> decision`. I guess it's defunctionalization, not "nothing", but a next-door neighbor of "nothing".

by nrds

4/27/2026 at 6:17:58 PM

People tell me Lean is really good for functional programming. However, coming from Agda, it feels like a pretty clunky downgrade. They also tell me it's good for tactics, but I've found Coq's tactics more powerful and ergonomic. Maybe these are all baby-duck perceptions. So far, it feels like Lean's main strength isn't being the best at anything, but being decent at everything and having a huge community. I see the point and appeal, but it's saddens me that a bit of the beauty and power are lost in exchange.

by danilafe

4/27/2026 at 7:08:09 PM

In other words, it is a network effect.

My perspective is that network effects are far less long-lasting than they feel in the moment. For example if being decent at everything and having a huge community was the only thing that mattered, Perl would still be a big deal. Many similar examples exist.

In the case of Lean, being the first with a huge library really makes a difference. Just as Perl got a big boost from having CPAN. (Which was an imitation of CTAN, except for a programming language instead of TeX.)

But, based on scaling laws, we should expect the value of a large library for most users to grow around the log of the size of the library. (See https://pdodds.w3.uvm.edu/teaching/courses/2009-08UVM-300/do... for the relevant scaling laws.)

When your library is small, this looks like an insurmountable barrier. But you don't have to match the scale for factors of usability to become more important. And porting mathematical libraries is a good target for LLMs. The source is verified, the target is verifiable, and the reasoning path generally ports.

The flip side of this is that, thanks to LLMs, working on a minority platform isn't the barrier that you might expect. Because if their library can be ported to your platform, then your proof can probably be ported to their platform as well!

by btilly

4/27/2026 at 8:04:53 PM

> The flip side of this is that, thanks to LLMs, working on a minority platform isn't the barrier that you might expect

This is a nice thought, but with Agda in particular it's just not true. It's one of the few languages I've seen that's sufficiently unrepresented in training data. Frontier LLMs (Codex, Claude Code) reliably say "I realized I can't do this." after wasting lots of tokens going back and forth.

In fact, I think this positions Agda uniquely poorly.

by danilafe

4/27/2026 at 8:18:27 PM

This. LLMs are no good at stuff they haven't seen a lot of training data for (saying this as a SystemVerilog programmer who also does some C-coding for interfacing with SystemVerilog, neither of which has a lot of open source code to show LLMs)

by krupan

4/28/2026 at 12:23:31 AM

Huh.

I wonder how compiler technology would do. Possibly as a component of an attempted solution.

by btilly

4/28/2026 at 6:35:13 AM

> except for a programming language instead of TeX

TeX is a programming language. It's not a very good programming language, but people have implemented floating-point math [0], regular expressions [1], an Arduino emulator [2], and terminal input/output [3] in pure TeX. The last two examples are obscure, but the first two examples are used (internally) by the vast majority of modern LaTeX documents.

[0]: https://github.com/latex3/latex3/blob/develop/l3kernel/l3fp....

[1]: https://github.com/latex3/latex3/blob/develop/l3kernel/l3reg...

[2]: https://www.ctan.org/pkg/avremu

[3]: https://www.ctan.org/pkg/reverxii

by gucci-on-fleek

4/28/2026 at 12:23:30 AM

> So far, it feels like Lean's main strength isn't being the best at anything, but being decent at everything and having a huge community. I see the point and appeal, but it's saddens me that a bit of the beauty and power are lost in exchange.

To me that feels like a community that's finally matured enough to start getting on with things. Perfect tools aren't the point; get tools that are good enough and do actual work with them.

by lmm

4/28/2026 at 4:55:05 AM

Sounds like an excuse for mediocrity.

You can apply that same argument for the of Python in the ML world. It results in all sorts of pain points that everyone has to deal with all the time.

by antonvs

4/28/2026 at 7:20:07 AM

All large-scale projects are made of mediocre parts. At some point you run out of brilliance and have to structure it so that mediocre can still be a positive contribution.

by lmm

4/27/2026 at 9:44:03 PM

I prefer agda as proof checker but its not a practical choice for building software. Lean feels like it could legitimately become a successor to Haskell as the go to functional programming language for software development.

by solomonb

4/27/2026 at 10:41:04 PM

I think what holds Agda back from being "practical" is that it just doesn't have good tactics. You can't easily automate proofs and even simplification techniques require some language-level tricks[1]. There's technically support for elaborator reflection (as in Idris) but it's painful and impossible to debug. Certainly nowhere near where Coq and Lean are.

[1]: like this one I've used for several proofs so far: https://danilafe.com/blog/agda_expr_pattern/

by danilafe

4/27/2026 at 10:49:58 PM

Its also really slow and doesn't have a huge library ecosystem. The latter is fixable but not so much for the former.

by solomonb

4/27/2026 at 11:23:53 PM

Also true. The slowness is relatively unpredictable, too: sometimes changing a 'rewrite' to a 'with' can increase memory usage tenfold.

While we're at it, another major concern for me is the inscrutability of Agda's error messages. I've had one error message single-handedly overflow my tmux scrollback buffer. There's no way I'm going to be able to interpret that.

by danilafe

4/28/2026 at 12:22:38 AM

> While we're at it, another major concern for me is the inscrutability of Agda's error messages. I've had one error message single-handedly overflow my tmux scrollback buffer. There's no way I'm going to be able to interpret that.

lmao i've been there. Agda is my first choice for proof checker and for math-y explorations but its not gonna be a replacement for Haskell as a production programming language.

by solomonb

4/27/2026 at 8:18:21 PM

I've used agda a tiny bit and Lean somewhat more, and I definitely found it much easier to write functional programs not focused on mathematical proofs in Lean than Agda. IIRC the difference was mostly tooling - Agda's documentation is kind of bad and it's a pain to get it working on your system (and it really wants you to be using Emacs specifically). Whereas Lean documents how to write the cat utility in its own docs and generally has a much better, more modern tooling experience.

by JuniperMesos

4/27/2026 at 8:26:27 PM

I believe you, but this hasn't been my experience. It took me hours to get Lean to work (something odd was happening with the package manager + version + tooling combination). Agda worked out of the box with macOS homebrew. Agda's docs are petty bad, but I've found its cross-linked module documentation incredibly useful. The main issue is knowing something exists.

by danilafe

4/27/2026 at 9:06:18 PM

This has also been my experience with lean4.

I don't understand the forced vscode path, just let me get it as normal software in a convenient way and run it as a tool

by fooker

4/27/2026 at 10:43:55 PM

To be fair, Coq has ProofGeneral and Agda has its emacs mode. Once you go outside these established channels, oftentimes using the tool becomes incredibly difficult. I guess for interactive theorem proving in general you may need some sort of editor at some point.

by danilafe

4/28/2026 at 12:02:24 AM

Yeah, I'm not a fan of the encouragement to use vscode; that said it was pretty easy for me to get neovim set up with Lean tooling, and that's what I use generally.

by JuniperMesos

4/27/2026 at 7:46:14 PM

I'm curious what you like about Agda functional programming? Many of the praises I hear about it have to do with it's dependent pattern matching, and I think Lean suffers a lot more in that regard. I'm curious though if you still find Agda friendlier for "normal" fp (and if so, how?)

by markusde

4/27/2026 at 8:00:10 PM

Its parameterized modules, extremely elegant yet flexible mixfix notation mechanism, the various niceties around pattern matching (though this one might be a bit of Stockholm syndrome; Agda doesn't nicely allow pattern matching anywhere except at function clauses), the fact that records, GADTS, and modules all feel like aspects of the same thing, and the fact that typeclasses are 'just' records that are automatically filled in. The typeclass and module features IMO already give it some edge over Haskell. I don't know if it's friendlier, but it is more ergonomic.

by danilafe

4/27/2026 at 9:39:38 PM

Thanks! Typeclasses are also something I really like about Lean.

by markusde

4/27/2026 at 6:47:02 PM

Thing is, it comes after both. Maybe it is just being a jack of all trades, but something made it success when the others remain fairly niche.

by moomin

4/27/2026 at 7:09:25 PM

I think its pretty clear that being too early has been as bad as being too late for most technologies. There are a few that have gradually gained community after decades but it is easier to make a poor copy of one of them and have better momentum and less skepticism.

by capitalhilbilly

4/27/2026 at 7:08:59 PM

When I woke up this morning I could not have predicted someone calling a proof assistant a "Jack of all trades"

by portly

5/1/2026 at 12:50:46 PM

“All trades in an extremely specific bounded context”!

by moomin

4/27/2026 at 8:07:29 PM

Thoughts on Idris?

by floxy

4/27/2026 at 9:06:53 PM

Idris feels mostly dead to me at this point. Which breaks my heart, because for a split second it had real momentum around it.

Not OP, but as Haskell-derived dependently-typed languages Idris and Agda are quite similar, so I suspect if they like one they’d like the other.

by wk_end

4/27/2026 at 4:39:09 PM

Isabelle/HOL as a language is nice, but the tooling has deep flaws even outside the pure desktop-first app approach.

The language is different (not necessarily better) in comparison to Lean, but I do agree with some of the points on dependent types. It seems both languages mostly just made different tradeoffs, which imo, were fair and have shaped them into quite efficient tools for their domains. The domain of "proofs" is large and different paradigms just have different strengths/weaknesses, Lean just specialized for a different part of this space.

Sledgehammer is nice but probably just a question of time until an equivalent can be ported/created for Lean. It might also be nice to use for explorative phases but is a resource hog, it also makes proofs concise but I would usually rather see the full chain of steps directly for a proof in the published code instead of a semi-magic "by sledgehammer".

Working on Isabelle itself however is painful (especially communicating with developers) in comparison to Lean. Things like "we don't have bugs just unexpected behaviour" on the mailing list just seems childish/unprofessional. The callout to RAM consumption of Lean and related systems is also a bit of joke when looking at Isabelle's gluttony for RAM.

by c0balt

4/27/2026 at 4:42:12 PM

> but I would usually rather see the full chain of steps directly for a proof in the published code instead of a semi-magic "by sledgehammer".

One issue with this is that coming up with a quickly-checkable certificate for UNSAT is not exactly a trivial problem. It's effectively the same as writing a formal proof.

by zozbot234

4/27/2026 at 5:54:34 PM

> Sledgehammer is nice but probably just a question of time until an equivalent can be ported/created for Lean.

I have no knowledge of what sledgehammer is. However...

> it also makes proofs concise but I would usually rather see the full chain of steps directly for a proof in the published code instead of a semi-magic "by sledgehammer"

This description makes sledgehammer sound identical to Mathlib's `grind`. https://leanprover-community.github.io/mathlib4_docs/Init/Gr...

by thaumasiotes

4/27/2026 at 8:16:41 PM

The goal (ATP) is similar but the idea is a bit different, sledgehammer is not directly learning/applying rules but instead effectively a driver for invoking a bunch of ATPs + SMT solvers at once on a goal in Isabelle/HOL.

You can read more about it here: https://isabelle.in.tum.de/dist/doc/sledgehammer.pdf

by c0balt

4/28/2026 at 12:41:43 PM

The authors of Lean also wrote a smt solver (Z3). Other proof languages like F* use Z3 to prove its things

Why isn't there a tactic in Lean to prove things by SMT using Z3? This could be integrated to grind

by nextaccountic

4/27/2026 at 4:53:26 PM

Last I checked, Isabelle/HOL used a custom Emacs mode as their interface. (I could be mixing it up with one of the other HOLs).

by vintermann

4/27/2026 at 8:09:04 PM

The current GUI interface is Isabelle/jedit. Afaik, no Emacs interface is officially provided atm.

by c0balt

4/27/2026 at 3:23:56 PM

I think what's interesting about Lean is that Lean is a language, and what most people are talking about is a library called Mathlib. From what I've read about Mathlib, the creators are very pragmatic, which is why they encode classical logic in Lean types, with only a bit of intuitionistic logic[1].

[1] for those unfamiliar with math lingo, classical logic has a lot of powerful features. One of those is the law of the excluded middle, which says something can't be true and false at the same time. That means not not true is true, which you can't say in intuitionistic logic. Another feature is proof by contradiction, where you can prove something by showing that the alternative is unsound. There's quite a few results that depend on these techniques, so trying to do everything in intuitionistic logic has run into a lot of roadblocks.

by smj-edison

4/27/2026 at 5:51:00 PM

>the law of the excluded middle, which says something can't be true and false at the same time

This is the not excluded middle, it is the "Law of noncontradiction"

Excluded middle means: either p is true or the negation of p is true

https://en.wikipedia.org/wiki/Law_of_noncontradiction

by hackandthink

4/27/2026 at 4:05:57 PM

> I think what's interesting about Lean is that Lean is a language, and what most people are talking about is a library called Mathlib. From what I've read about Mathlib, the creators are very pragmatic, which is why they encode classical logic in Lean types, with only a bit of intuitionistic logic

The computer science folks are now working on their own CSLib. https://www.cslib.io https://www.github.com/leanprover/cslib Given that intuitionistic logic is really only relevant to computational content (the whole point of it is to be able to turn a mathematical argument into a construction that could in some sense be computed with), it will be interesting to see how they deal with the issue. Note that if you write algorithms in Lean, you are already limited to some kind of construction, and perhaps that's all the logic you need for that purpose.

by zozbot234

4/27/2026 at 3:53:37 PM

> One of those is the law of the excluded middle, which says something can't be true and false at the same time.

That would be the law of non-contradiction (LNC). The law of the excluded middle (LEM) says that for every proposition it is true or its negation is true.

LEM: For all p, p or not p.

LNC: For all p, not (p and not p).

Classical logic satisfies both, intuitionistic logic only satisfies LNC.

by cubefox

4/27/2026 at 3:33:58 PM

> Another feature is proof by contradiction, where you can prove something by showing that the alternative is unsound.

As far as lean is concerned, this isn't an example of classical logic. It's just the definition of "not" - to say that some proposition implies a contradiction, and to say that that proposition is untrue, are the same statement.

Most "something"s that you'd want to prove this way will require a step from classical logic, but not all of them. (¬p ⟶ F) ⟶ p is classical; (p ⟶ F) ⟶ ¬p is constructive.

by thaumasiotes

4/27/2026 at 3:56:59 PM

More generally, any negative statements can be proven classically, even in intuitionistic logic. Intuitionistic logic does not have the De Morgan duality found in classical logic, you have to go to linear logic if you want to recover that while keeping constructivity. (The "negative" in linear logic actually models requesting some object, which is dual to constructing it. The connection with the usual meaning of "negative" in logic involves a similar duality between "proposing" a proof and "challenging" it.)

by zozbot234

4/27/2026 at 3:43:25 PM

So proof by contradiction proves ¬p, but it requires the law of excluded middle to prove p (in the case of ¬p -> F)? I didn't realize that was constructive in the first case.

by smj-edison

4/27/2026 at 5:19:06 PM

Well, at some point you have to define what you mean by "proof by contradiction". I was responding to your statement, "prove something by showing that the alternative is unsound". You can prove that something is false that way without needing classical logic.

Mathlib defines `by_contradiction` as a theorem proving `(¬p → False) → p` for any proposition p. ( https://leanprover-community.github.io/mathlib4_docs/Mathlib... ) This does require classical logic.

For what's happening with `¬p -> F`, recall that this is by definition the statement `¬¬p`; classical logic will let you conclude `p` from `¬¬p`, or it will let you apply the law of the excluded middle to conclude that either `p` or `¬p` must be the case, and then show that since it isn't `¬p`, it must be `p`. (Again, not really different approaches, but perhaps different in someone's mental model.)

On the other hand, if you have `p -> F`, that is by definition the statement `¬p`, and if you've established `¬p`, you've already finished proving that p is false.

Something that I find particularly absurd about the hypothetical distinction between intuitionistic and classical logic is that intuitionistic logic is sufficient to prove `¬p` from `¬¬¬p`. (This is quite similar to how 'proof by contradiction' is constructive if you're proving a negative but not if you're proving a positive; it might be the same result.) So for any proposition that can be restated in a "negative" way, the law of the excluded middle remains true in intuitionistic logic. The difference lies only in "fundamentally positive" propositions. (You can do that proof yourself at https://incredible.pm/ ; it's in section 4, `((A→⊥)→⊥)→⊥` -> `A→⊥`.)

There's a fun article on this very blog telling a similar story: https://lawrencecpaulson.github.io/2021/11/24/Intuitionism.h...

> Martin-Löf designed his type theory with the aim that AC should be provable and in his landmark Constructive mathematics and computer programming presented a detailed derivation of it as his only example. Briefly, if (∀x : A)(∃y :B) C(x,y) then (∃f : A → B)(∀x : A) C(x, f(x)).

> Spoiling the party was Diaconescu’s proof in 1975 that in a certain category-theoretic setting, the axiom of choice implied LEM and therefore classical logic. His proof is reproducible in the setting of intuitionistic set theory and seems to have driven today’s intuitionists to oppose AC.

> It’s striking that AC was seen not merely as acceptable but clear by the likes of Bishop, Bridges and Dummett. Now it is being rejected and the various arguments against it have the look of post-hoc rationalisations. Of course, the alternative would be to reject intuitionism altogether. This is certainly what mathematicians have done: in my experience, the overwhelming majority of constructive mathematicians are not mathematicians at all. They are computer scientists.

by thaumasiotes

4/27/2026 at 5:54:15 PM

Yeah, I suppose I was playing fast and loose with the terminology to make it more approachable. iirc, the definition of proof by contradiction is you assume the negation, show that the negation has something that is both true and not true, and hence the negation is logically unsound. Since you can technically derive anything from an unsound system, you derive that the negation is false, and then by the laws of excluded middle and non-contradiction, you know that p must be true.

But now I see from what you mentioned that this means that if you don't do the negation elimination, then you can still show `¬¬p` in an intuitionistic logic system.

Is proof by contradiction of a false statement just a counterexample? Because a counterexample shows that the statement is incoherent, so the negation must be true. And you have to construct a counterexample.

by smj-edison

4/27/2026 at 6:04:15 PM

A counterexample as generally understood would be a constructive refutation. Proof by contradiction is much more general than that. Of course the problem of extracting the residual constructive content from a proof by contradiction (explaining how it is in some sense constructing some vastly generalized counterexample) is non-trivial.

by zozbot234

4/27/2026 at 5:31:50 PM

Constructivists don't call a proof of ¬p a "proof by contradiction", they just call it a proof of ¬p. To them, a "proof by contradiction" of some p that isn't in the negative fragment is just nonsense, because constructive logic doesn't have the kind of duality that even makes it necessary to talk about contradiction as a kind of proof to begin with. They'd see the classical use of "proof by contradiction" as a clunky way of saying "I've actually only proven a negative statement, and now I can use De Morgan duality to pretend that I proved a positive."

by zozbot234

4/27/2026 at 9:27:15 PM

> Constructivists don't call a proof of ¬p a "proof by contradiction", they just call it a proof of ¬p.

I tend to agree with the opposition on this one. Concluding that p is false because its truth leads to a contradiction is fundamentally identical to concluding that p is true because its falsity leads to a contradiction... and in particular, it is reasonable to describe 'concluding that p is false because its truth leads to a contradiction' as a 'proof by contradiction'.

The reason that the first type is "constructive" while the second one isn't is due to a strange definition of falsity on the part of the constructivists.

by thaumasiotes

4/27/2026 at 9:32:25 PM

> Concluding that p is false because its truth leads to a contradiction is fundamentally identical to concluding that p is true because its falsity leads to a contradiction... The reason that the first type is "constructive" while the second one isn't is due to a strange definition of falsity on the part of the constructivists.

You can actually make that a rigorous statement in linear logic, which reintroduces the duality that's lost in intuitionistic logic while still making it possible to assess whether some claim is constructive. But linear logic is significantly more complex than either classical or intuitionistic logic.

by zozbot234

4/27/2026 at 3:31:21 PM

You mean intuitionistic logic, not "intuitive logic".

by Chinjut

4/27/2026 at 3:39:01 PM

Oops, just edited. I'm still fairly new to this area, so I keep mixing up my terms :)

by smj-edison

4/27/2026 at 3:29:14 PM

When/why would one prefer to use intuitive logic, given the limitations/roadblocks?

by vscode-rest

4/27/2026 at 3:42:34 PM

Classical logic has plenty of limitations/roadblocks, all logics do. Logic isn't a unified domain, but an infinite beach of structural shards, each providing a unique lens of study.

Classical logic was rejected in computer science because the non-constructive nature made it inappropriate for an ostensibly constructive domain. Theoretical mathematics has plenty of uses to prove existences and then do nothing with the relevant object. A computer, generally, is more interested in performing operations over objects, which requires more than proving the object exists. Additionally, while you can implement evaluation of classical logic with a machine, it's extremely unwieldy and inefficient, and allows for a level of non-rigor that proves to be a massive footgun.

by ux266478

4/27/2026 at 4:33:28 PM

Classical logic isn’t rejected in computer science. Computer science papers don’t generally care if their proofs are non-constructive, just like in mathematics.

by layer8

4/27/2026 at 5:37:30 PM

This entire thread is making clear that constructivists want to speak on behalf of everyone while in the real word the vast majority of mathematicians or logicians don’t belong to their niche school of mathematics/philosophy.

by Revanche1367

4/27/2026 at 6:20:44 PM

Do you understand the irony in posting this on a comment chain ostensibly rejecting foundational objectivism?

by ux266478

4/28/2026 at 2:08:32 PM

Not everyone has to subscribe to your philosophy, weird I know.

by Revanche1367

4/27/2026 at 4:37:11 PM

They care quite a bit actually, they just call their constructive proofs "algorithms" or "decision procedures".

by zozbot234

4/27/2026 at 5:27:00 PM

Intuitionism is just disallowing the law of the excluded middle (that propositions are either true or they are not true). Disallowing non-constructive proofs is a related system to intuitionism called “constructivism”. There are rigorous formulations of mathematics that are constructive, intuitionist or even strict finitist.

by seanhunter

4/27/2026 at 6:38:01 PM

What point are you responding to?

by groundzeros2015

4/27/2026 at 7:08:09 PM

THe parent of my post referred to disallowing non-constructive proofs, which is not a feature of intuitionist logic but of constructivism.

by seanhunter

4/27/2026 at 4:17:57 PM

But proving the object exists is still useful, of course: it effectively means you can assume an oracle that constructs this object without hitting any contradiction. Talking about oracles is useful in turn since it's a very general way of talking about side-conditions that might make something easier to construct.

by zozbot234

4/27/2026 at 4:47:55 PM

Of course. Though it's also important to note: whether or not an object exists is dependent on the logic being utilized itself, which is to say nothing of how even if the object holds some structural equivalent in the given logic of attention, it might not have all provable structure shared between the two, and that's before we get into how the chosen axioms on top of the logical system also mutate all of this.

It's not that classical logic is useless, it's just that it's not particularly appropriate to choose as the basis for a system built on algorithms. This goes both ways. Set theory was taken as the foundation of arithmetic, et al. because type theory was simply too unwieldy for human beings scrawling algebras on blackboards.

by ux266478

4/27/2026 at 7:15:20 PM

I am absolutely not even close to being an expert on the topic, but type theory wasn't all that well understood even relatively recently - Voevodsky coined the Univalence axiom in 2009 or so, while sets have been used for centuries.

So not sure it would be "unwieldy", it's a remarkably simple addition and it may avoid some of the pain points with sets? But again, not even a mathematician.

by gf000

4/27/2026 at 4:56:30 PM

Set theory was chosen because it was a compatively simple proof of concept. You don't really refer to the foundation when scrawling algebra on a blackboard the way you would with a proof assistant, and this actually causes all sorts of issues down the line (it's a key motivation for things like HoTT).

by zozbot234

4/27/2026 at 8:40:45 PM

> But proving the object exists is still useful, of course: it effectively means you can assume an oracle that constructs this object without hitting any contradiction.

I don’t think that logic holds in mainstream mathematics (it will hold in constructive mathematics by definition, and may hold in slightly more powerful philosophies op mathematics) because there, we can prove the existence of many functions and numbers that aren’t computable.

by Someone

4/27/2026 at 8:48:47 PM

The whole point of oracles is to posit the ability to compute things that aren't (in the general case) computable.

by zozbot234

4/27/2026 at 7:16:07 PM

Intuitionistic logic is a refinement of classical logic, not a limitation: for every proposition you can prove in classical logic there is at least one equivalent proposition in intuitionistic logic. But when your use of LEM is tracked by the logic (in intuitionistic logic a proof by LEM can only prove ¬¬A, not A, which are not equivalent) it's a constant temptation to try to produce a constructive proof that lets you erase the sin marker.

In compsci that's actually sometimes relevant, because the programs you can extract from a ¬¬A are not the same programs you can extract from an A.

by Twey

4/27/2026 at 4:48:19 PM

There are non-computational interpretations of intuitionistic logic too, like every single thing mentioned on this page: https://ncatlab.org/nlab/show/synthetic+mathematics

I think stuff like "synthetic topology", "synthetic differential geometry", "synthetic computability theory", "synthetic algebraic geometry" are the most promising applications at the moment.

It can also find commonalities between different abstract areas of maths, since there are a lot of exotic interpretations of intuitionistic logic, and doing mathematics within intuitionistic logic allows one to prove results which are true in all these interpretations simultaneously.

I'm not sure if intuitionism has a "killer app" yet, but you could say the same about every piece of theory ever, at least over its initial period of development. I think the broad lesson is that the rules of logic are a "coordinate system" for doing mathematics, and changing the rules of logic is like changing to a different coordinate system, which might make certain things easier. In some areas of maths, like modern Algebraic Geometry, the standard rules of logic might be why the area is borderline impenetrable.

by ogogmad

4/27/2026 at 5:01:04 PM

These are more like computational-ish interpretations of sheaves, topological spaces, synthetic geometry etc. The link of intuitionistic logic to computation is close enough that these things don't really make it "non-computational". One can definitely argue though that many mathematicians are finding out that things like "expressing X in a topos" are effectively roundabout ways of discussing constructive logic and constructivity concerns.

by zozbot234

4/27/2026 at 6:09:14 PM

You're walking down a corridor. After hours and hours you ask "is it possible to figure how far it is to the nearest exit?". Your classical logic friend answers: "Yes, either there is no exit then the answer is infinity. Or there is an exit then we just have to keep walking until we find it. QED"

This kind of wElL AcTUaLly argument is not allowed in constructive logic.

by ngruhn

4/27/2026 at 3:49:04 PM

As far as I understand it, classical mathematics is non-constructive. This means there are quite a few proofs that show that some value exists, but not what that value is. And in mathematics, a proof often depends on the existence of some value (you can't do an operation on nothing).

The thing is it can be quite useful to always know what a value is, and there's some cool things you can do when you know how to get a value (such as create an algorithm to get said value). I'm still learning this stuff myself, but inuitionistic logic gets you a lot of interesting properties.

by smj-edison

4/27/2026 at 4:13:20 PM

> As far as I understand it, classical mathematics is non-constructive.

It's not as simple as that. Classical mathematics can talk about whether some property is computationally decidable (possibly with further tweaks, e.g. modulo some oracle, or with complexity constraints) or whether some object is computable (see above), express decision/construction procedures etc.; it's just incredibly clunky to do so, and it may be worthwhile to introduce foundations that make it natural to talk about these things.

by zozbot234

4/27/2026 at 4:28:42 PM

Would it be fair to say then that classical mathematics does not require computability, so it requires a lot more bookkeeping, while intuitionistic logic requires constructivism, so it's the air you live and breathe in, which is much more natural?

by smj-edison

4/27/2026 at 4:33:50 PM

Intuitionistic logic is not really constrained to talking about constructive things: you just stuff everything else in the negative fragment. Does that ultimately make sense? Maybe, maybe not. Perhaps that goes too far in obscuring the inherent duality of classical logic, which is still very useful.

by zozbot234

4/27/2026 at 5:20:15 PM

It’s not intuitive, it’s intuitionist. I’m not saying that to nitpick it’s just important to make the distinction in this case because it really isn’t intuitive at all in the usual sense.

Why you would use it is it’s an alternative axiomatic framework so you get different results. The analogy is in geometry if you exclude the parallel postulate but use all of the other axioms from Euclid you get hyperbolic geometry. It’s a different geometry and is a worthy subject of study. One isn’t right and the other wrong, although people get very het up about intuitionism and other alternative axiomatic frameworks in mathematics like constructivism and finitism.

by seanhunter

4/27/2026 at 6:20:45 PM

> if you exclude the parallel postulate but use all of the other axioms from Euclid you get hyperbolic geometry

No, you don't.

(You need to replace the parallel postulate with a different one)

by BigTTYGothGF

4/27/2026 at 7:02:32 PM

Thank you for the correction I actually didn't realise that so have learned something.

Specifically for people who are interested it seems you have to replace the parallel postulate with a postulate that says every point is a saddle point (which is like the centre point of a pringle if you know what that looks like).

https://en.wikipedia.org/wiki/Pringles

by seanhunter

4/28/2026 at 1:08:30 AM

You can also replace it with a different postulate and get projective geometry, IIRC.

by lmm

4/27/2026 at 5:35:42 PM

I think they called it intuitive, because I called it intuitive in my original post, so that's on me :)

by smj-edison

4/28/2026 at 5:57:11 AM

I thought of a concrete example of why you might use intuitionist logic. Take for example the “Liar’s paradox”, which centres around a proposition such as

A: this statement (A) is false

In classical logic, statements are either true or false. So suppose A is true. If A is true, then it therefore must be false. But suppose A is false. Well if it is false then when it says it is false it is correct and therefore must be true.

Now there are various ways in classical logic [1] to resolve this paradox but in general there is a category of things for which the law of the excluded middle seems unsatisfactory. So intuitionist logic would allow you to say that A is neither true nor false, and working in that framework would allow you to derive different results from what you would get in classical logic.

It’s important to realise that when you use a different axiomatic framework the results you derive may only be valid in the alternative axiomatic system though, and not in general. Lean (to bring this back to the topic of TFA) allows you to check what axioms you are using for a given proof by doing `#print axioms`. https://lean-lang.org/doc/reference/latest/ValidatingProofs/...

[1] eg you can say that all statements include an implicit assertion of their own truth. So if I say “2 + 2 = 4” I am really saying “it is true that 2+2=4”. So the statement A resolves to “This statement is true and this statement is false”, which is therefore just false in classical logic and not any kind of paradox.

by seanhunter

4/27/2026 at 10:52:04 PM

We still care about computation and algorithms even when proving theorems in a classical setting!

For e.g., imagine I'm trying to prove the theorem "x divides 6 => x != 5". Of course, one way would be to develop some general lemma about non-divisibility, but a different hacky way might be to say "if x divides 6 then x ∈ {1, 2, 3, 6}, split into 4 cases, check that x != 5 holds in all cases". That first step requires an algorithm to go from a given number to its list of divisors, not just an existence proof that such a finite list exists.

by zodiac

4/27/2026 at 4:20:47 PM

In constructive logic, a proof of "A or B" consists of a pair (T,P). If T equals 0, then P proves A. If T equals 1, then P proves B. This directly corresponds to tagged union data types in programming. A "Float or Int" consists of a pair (Tag, Union). If Tag equals 0, then Union stores a Float. If Tag equals 1, then Union stores an Int.

In classical logic, a proof of "A or not A" requires nothing, a proof out of thin air.

Obviously, we want to stick with useful data structures, so we use constructive logic for programming.

by amavect

4/27/2026 at 5:11:28 PM

> Obviously, we want to stick with useful data structures, so we use constructive logic for programming.

I don't know who "we" are, but most proofs of algorithm correctness use classical logic.

Also, there's nothing "obvious" about what you said unless you want proof objects, and why you'd want that is far from obvious in itself.

by pron

4/27/2026 at 7:43:09 PM

Well, to translate my words to your liking: "In my opinion, everyone already uses a sort of constructive logic for programming."

I challenge you on "most proofs of algorithm correctness use classical logic". That means double negation elimination, or excluded middle. I bet most proofs don't use those. Give examples.

by amavect

4/27/2026 at 8:35:36 PM

Oh, if you mean that most algorithm correctness proofs are finitary and therefore don't need to explicitly rely on the excluded middle, that may well be the case, but they certainly don't try to avoid it either. Look at any algorithm paper with a proof of correctness and see how many of them explicitly limit themselves to constructive logic. My point isn't that most algorithm/program proofs need the excluded middle, it's that they don't benefit from not having it, either.

by pron

4/27/2026 at 8:39:06 PM

> My point isn't that most algorithm/program proofs need the excluded middle, it's that they don't benefit from not having it, either.

Because if they benefited from it (in surfacing computational content, which is the whole point of constructive proof) they'd be comprised within the algorithm, not the proof.

by zozbot234

4/27/2026 at 8:42:30 PM

> in surfacing computational content, which is the whole point of constructive proof

The point of a constructive proof is that the proof itself is in some way computational [1], not that the algorithm is. When I wrote formal proofs, I used either TLA+ or Isabelle/HOL, neither of which are constructive. It's easy to describe the notion of "constructive computation" in a non-constructive logic without any additional effort (that's because non-constructive logics are a superset of constructive logics; i.e. they strictly admit more theorems).

[1]: Disregarding computational complexity

by pron

4/27/2026 at 8:54:07 PM

> When I wrote formal proofs, I used either TLA+ or Isabelle/HOL, neither of which are constructive.

True, but this requires using different formal systems for the algorithm and the proof. Isabelle/HOL being non-constructive means you can't fully express proof-carrying code in that single system, without tacking on something else for the "purely computational" added content.

by zozbot234

4/28/2026 at 12:17:17 AM

That's not true. Non-constructive logics are extensions of constructive logics. You can express any algorithm in TLA+, and much more than algorithms.

You are right that when using non constructive logics, it's not guaranteed that the proof is executable as a program, but that's not a downside. Having the proof be a program in some sense is interesting, but it's not particularly useful.

by pron

4/28/2026 at 1:17:20 AM

How do you express computational content in non-constructive logic while both making it usable from proofs (e.g. if I have some algorithm that turns A's into B's, I want that to be directly referenceable in a proof - if A's have been posited, I must be able to turn them into B's) and keeping its character as specifically computational? Expressing algorithms in a totally separate way from proofs is arguably not much of a solution.

by zozbot234

4/28/2026 at 1:57:15 AM

Not only is it easy, the ability to extend the computable into the non-computable is quite convenient. For example, computable numbers can be directly treated as a subset of the reals.

This is exactly how TLA+ works: https://pron.github.io/posts/tlaplus_part3

by pron

4/28/2026 at 2:25:10 AM

You create a subset or model of what's computable. Then, work in it. You might also prove refinements from high- to low-level forms.

Interestingly, we handle static analysis the same way by using language subsets. The larger chunk is unprovable. So, we just work with what's easy to analyze. Then, wrap it in types or contracts to use it properly.

And plenty of testing for when the specs are wrong.

by nickpsecurity

4/27/2026 at 7:54:39 PM

Proofs of safety are proving a negative: they're all about what an algorithm won't do. So constructivism is irrelevant to those, because the algorithm has provided all the constructive content already! Proofs of liveness/termination are the interesting case.

You might also add designing an algorithm to begin with, or porting it from a less restrictive to a more restrictive model of computation, as kinds of proofs in CS that are closely aligned to what we'd call constructive.

by zozbot234

4/27/2026 at 5:24:19 PM

The difference only becomes evident when proving liveness/termination (since if your algorithm terminates successfully it has to construct something, and it only has to be proven that it's not incorrect) and then it turns out that these proofs do use something quite aligned to constructive logic.

by zozbot234

4/27/2026 at 6:34:54 PM

... and also to classical logic. Liveness proofs typically require finding a variant that converges to some terminal value, and that's just as easy to do in classical logic as in constructive logic.

I've been using formal methods for years now and have yet to see where constructive logic makes things easier (I'm not saying it necessarily makes things harder, either).

by pron

4/27/2026 at 4:28:23 PM

You aren’t giving any justification why proofs should necessarily map to data structures.

by layer8

4/27/2026 at 4:38:03 PM

Not necessarily, I only argue for utility. You can find better justification in the Curry-Howard correspondence.

by amavect

4/27/2026 at 5:13:12 PM

How have you used the Curry Howard correspondence to make proving the correctness of non-trivial algorithms easier (than, say, Isabelle/HOL or TLA+ proofs)?

by pron

4/27/2026 at 7:41:40 PM

I hardly use automated formal methods. Disappointing, I know. I use it for thinking through C and Labview programs. It helps with recognizing patterns in data structures and reasoning through code.

For example, malloc returns either null or a pointer. That is an "or" type, but C can't represent that. I use an if statement to decide which (or-elimination), and then call exit() in case of a null. exit() returns an empty type, but C can't represent that properly (maybe a Noreturn function attribute). I wrap all of this in my own malloc_or_error function, and I conclude that it will only return a valid pointer.

Instead of automating a correctness proof in a different language, I run it in my own head. I can make mistakes, but it still helps me write better code.

by amavect

4/27/2026 at 8:24:28 PM

Oh, so I have used formal methods for many years (and have written about them [1]), including proof assistants, and have never found that constructive logic in general and type theory in particular makes proofs of program correctness any easier. The Curry-Howard correspondence is a cute observation (and it is at the core of Agda), but it's not really practically useful as far as proving algorithm correctness is concerned.

[1]: https://pron.github.io

by pron

4/27/2026 at 9:14:00 PM

I think for a cute observation, the metaphor helps me grasp where I can apply logic. I'll read your blog in my free time, thanks for sharing.

by amavect

4/27/2026 at 4:01:45 PM

Excluded-middle `true` means "[provable] OR [impossible to disprove]".

Intuitionist/Constructivist `true` means, "provable".

The question you are asking determines what answers are acceptable.

Why build an airplane, if you already know it must be possible?

by gowld

4/27/2026 at 5:16:26 PM

This isn’t quite right. Classical logic doesn’t permit going from “it is impossible to disprove” to “true”. For example, the continuum hypothesis cannot be disproven in ZFC (which is formulated in classical logic (the axiom of choice implies the law of the excluded middle)), but that doesn’t let us conclude that the continuum hypothesis is true.

Rather, in classical logic, if you can show that a statement being false would imply a contradiction, you can conclude that the statement is true.

In intuitionistic logic, you would only conclude that the statement is not false.

And, I’m not sure identifying “true” with “provable” in intuitionistic logic is entirely right either?

In intuitionistic logic, you only have a proof if you have a constructive proof.

But, like, that doesn’t mean that if you don’t have a constructive proof, that the statement is therefore not true?

If a statement is independent of your axioms when using classical logic, it is also independent of your axioms when using intuitionistic logic, as intuitionistic logic has a subset of the allowed inference rules.

If a statement is independent, then there is no proof of it, and there is no proof of its negation. If a proposition being true was the same thing as there being a proof of it, then a proposition that is independent would be not true, and its negation would also be not true. So, it would be both not true and not false, and these together yield a contradiction.

Intuitionistic logic only lets you conclude that a proposition is true if you have a constructive/intuitionistic proof of it. It doesn’t say that a proposition for which there is no proof, is therefore not true.

As a core example of this, in intuitionistic logic, one doesn’t have the LEM, but, one certainly doesn’t have that the LEM is false. In fact, one has that the LEM isn’t false.

by drdeca

4/27/2026 at 5:03:46 PM

> Excluded-middle `true` means "[provable] OR [impossible to disprove]".

> Intuitionist/Constructivist `true` means, "provable".

This is completely wrong. Excluded-middle `true` means "provable" and only "provable". "Impossible to disprove" is `independent`, not `true`.

by thaumasiotes

4/27/2026 at 4:22:31 PM

Ah, so if you had ¬p, and you negated it, you could technically construct ¬¬p in intuitionist logic, but only in classical logic could you reduce that to p? Since truth in classical logic means what you said here, where you didn't actually construct what p is, so you can't reduce it in intuitionistic logic.

by smj-edison

4/28/2026 at 12:24:27 AM

Yes.

by ted_dunning

4/27/2026 at 3:34:34 PM

For ideological reasons.

by thaumasiotes

4/27/2026 at 3:28:19 PM

This makes it good for formal maths, but bad for philosophy, since it means it can’t encode the speculative movement

by bowsamic

4/27/2026 at 5:21:16 PM

Which logic are you saying “can’t encode the speculative moment”?

I think the two logics can emulate one another? Or, at the very least, can describe what the other concludes. I know intuitionistic logic can have classical logic embedded in it through some sort of “put double negation on everything”. I think if you add some sort of modal operator to classical logic you could probably emulate intuitionistic logic in a similar way?

by drdeca

4/27/2026 at 5:36:18 PM

You don't even need to add a modal operator since modal logic itself can be embedded in classical logic via possible-world semantics. Of course the whole thing becomes a bit clunky - but that's the argument for starting with intuitionistic logic, where you wouldn't need to do that.

by zozbot234

4/27/2026 at 5:32:57 PM

Any logic with LEM

by bowsamic

4/27/2026 at 3:06:37 PM

We need more of this.

For every "well of course, just...X, that's what everybody does" group-think argument there's a cogent case to be made for at least considering the alternatives. Even if you ultimately reject the alternatives and go with the crowd, you will be better off knowing the landscape.

by MarkusQ

4/28/2026 at 1:13:21 AM

Completely disagree; IMO we build far too many frameworks and alternatives (probably because it's fun) instead of a) enhancing the things that already exists to have the thing we want or b) just getting on with the actual work. The whole field would be much better off if we had half as many languages, half as many libraries, half as many build tools...

by lmm

4/27/2026 at 3:52:00 PM

It depends!

Every time you go off the beaten path, you're locking yourself into less documentation, more bugs (since there's less exploration of the dark corners), and fewer people you can go to for help. If you've got 20+ choices to make, picking the standard option is the right choice on average, so you can just do it and move on. You have finite attention, so doing a research report on every dependency means you're never actually working on the core problem.

The exceptions to this are when a) it becomes apparent that the standard tool doesn't actually fit your use case, or b) the standard tool significantly overlaps the core problem you're trying to solve.

by sdenton4

4/27/2026 at 6:17:41 PM

> You have finite attention, so doing a research report on every dependency means you're never actually working on the core problem.

Reading that took five minutes and gave a good intro to the counter argument to Curry-Howard-all-the-things monomania. If having invested those five minutes, Lean still seems like the way to go (for whatever reason) fine. You are making a (closer to) informed choice, and likely better off than if you'd spent those five minutes doubling down on the conventional solution.

Most deviations from the group consensus are mistakes, but all progress comes from seeing past the group consensus. So making frequent small bets on peeking around your blinders is a good strategy.

by MarkusQ

4/27/2026 at 6:08:06 PM

Which shows the lie of the common engineering trope "use the right tool for the job."

It really should be "use the same tool that everyone else is using so you don't have decide which tool is the right one -- the herd made that decision for you!"

by c-linkage

4/27/2026 at 6:00:47 PM

Feels like all the write ups that point out the short comings of eg Python for scientific computing.

Sure, except that once you have a community at critical mass around a reasonably good tool, that trumps most other things. Momentum builds. People write tutorials, explainers, better documentation, etc. it hits escape velocity.

Feels like Lean, with Terrance Tao as a strong proponent / cheerleader, is in that space.

Everyone who argues “but language X is better” … may not be wrong, but they are not making the argument that matters. Is it better than the thing everyone else knows and can use and has more people hours going into it to improve it?

Feels like a “worse is better” situation; or maybe “good and popular is good enough”.

by pstoll

4/27/2026 at 10:00:25 PM

I think the point that LLMs should enable effective translation between different formalisms is a good one. So I don't see the choice as being a big issue. This is especially the case here because to a large extent the translations can be checked automatically.

by pfdietz

4/27/2026 at 7:29:30 PM

> once you have a community at critical mass around a reasonably good tool, that trumps most other things

This matters a lot less in the age of AI. AI doesn't need a massive number of community-built libraries, it can just write its own. It doesn't need a million tutorials floating out there on the interwebs because unlike most programmers, it will actually read the spec and documentation (tutorials are just projections of the docs/spec anyway). AI doesn't have to avoid languages with no job market because it just needs to do the job at hand, not build a career. This makes it easier for small languages and DSLs to gain usage where they never would have before.

I think AI might spell the end of the language monoculture (top 20 are mostly slight variations on languages circling the same design) that has persisted in programming.

by ModernMech

4/27/2026 at 8:27:37 PM

It's the opposite and has been recognized for years. AI depends on training data and this nearly freezes the use of languages that were popular at the time of inception. Hopefully that is not true.

AI needs community libraries if there is to be interoperability and baseline quality between systems. At least at this level of quality and development.

by tehjoker

4/27/2026 at 11:12:16 PM

> Hopefully that is not true.

I'm here saying this "PL ossification theory" is probably wrong, that it's not going to be the case at all. Yes, AI depends on training data, but that doesn't imply that AI can only use those programming languages or only reason in languages that existed at the time of their training. In fact the AI is able to reason able new languages the same way humans can -- by drawing inferences to the next closest language that it knows, pattern matching to things that are different from other languages, and also figuring out the semantics and reasoning through execution itself where it doesn't have training examples.

> AI needs community libraries if there is to be interoperability and baseline quality between systems.

Not everyone is looking to do the kind of work you're doing, and that's my point. Up until now, programming languages have been written by and for people who want to do businey/mathy/sciencey things with computers. But there's a huge world out there of other stuff to do with programming languages that have never been considered because the proposition of making languages for those domains is daunting and outside of the wheelhouse of normal people.

Now, DSLs are sprouting up where they have no business existing because of AI, just proliferating all over the place. Some of them are going to find communities (of people, AI, or both) and they will flourish completely apart from the systems we are building now in the tech world. It's not going to be the case that AI writes in Python for the rest of time because it writes in and was trained on Python today.

by ModernMech

4/27/2026 at 5:56:26 PM

"I believe that almost anything that has been formalised today in any system could have been formalised in AUTOMATH. Its main drawbacks were its notation, which really was horrible, and its complete lack of automation. Proofs were long and unreadable." That's like saying that anything that could be programmed today in your modern language of choice could have been programmed 50 years ago in assembly. Technically yes, economically no.

by loglog

4/27/2026 at 6:02:50 PM

Well, assembly languages are generally Turing complete. Not sure what the parallel would be in proof engines.

by strbean

4/27/2026 at 6:09:08 PM

[dead]

by rowanG077

4/28/2026 at 3:49:53 AM

I remember trying to play around with Coq/Rocq and a few others about 15 years ago, and I couldn’t make heads or tails of them. Not the concepts, but the software. What’s weird about proof assistants/interactive provers is that the “interactive” part makes it a combo of IDE and language and they seem to get pretty tightly coupled in practice. You can’t talk about the language without talking about the environment you use it in.

I’m not the biggest VS code fan, but a battle honed extensible IDE used by zillions and maintained by $$$ has proved itself miles ahead of the environments for alternatives. As far as i can tell, the excellent onboarding path that is the Natural Numbers Game is possible because of VS code’s hackability and ecosystem.

My main concern as I’m learning lean is that the syntax extensibility seems to be a double edged sword. Once i’ve learned a language, i want to be able to read code written in it. If everything is in a project’s own DSL, that can get out of hand, but that comes down to community/ecosystem so i’m crossing my fingers.

by ianhorn

4/27/2026 at 9:20:30 PM

Lean isn't the most loved proof assistant by mathematicians, it's not the most suited to formal verification of software, it just sort of works for both. Yet it's got the thing that's arguably the hardest to achieve, momentum. Compounded by the fact that in the AI age, the amount of publicly available human-written code directly affects how well agents can produce new code.

by c7b

4/27/2026 at 5:45:03 PM

One of those names that forces a double take when seen disconnected from context:

'Lean or purple drank is a polysubstance drink used as a recreational drug. It is prepared by mixing prescription-grade cough or cold syrup containing an opioid drug '

proving that one of the hardest problem in CS - 'naming things' still keeps on keeping on.

by rzerowan

4/27/2026 at 11:20:20 PM

The two hardest problems in CS: * naming * cache invalidation * off by one errors

by bradleyy

4/28/2026 at 12:26:32 PM

Wait till you hear what Rocq was originally called!

by InkCanon

4/28/2026 at 3:10:50 AM

Can someone ELI5 that for me?

Is this the mathematician's variant of "my language is better than your language", or what does this post actually discus? Something fundamental in the philosophy underpinning things or just the way to express them?

by still_grokking

4/28/2026 at 4:45:21 AM

Paulson is a lead developer of Isabelle , a proof assistant that is not based on dependent types.

> Is this the mathematician's variant of "my language is better than your language",

Almost. A closer analogy is comparing paradigms, say OOP vs functional programming.

Isabelle is different from the big three - rocq. lean and agda. The latter three have propositions as types. The type of your function is the theorem statement. The function body is the proof. Isabelle works differently. Author makes a convoluted argument that (a) one doesn't have to stick to the currently popular paradigm and (b) in conjunction with AI, Isabelle offers distinct benefits.

by BlanketLogic

4/28/2026 at 4:04:12 AM

> I have been told that when proposing to formalise mathematics these days, you have to explain why you are not using Lean....Amidst the hype around today’s progress, we must remember how we got here. It was not by people following the crowd.

Im not a mathmatician, but in my experience if you are trying to do something novel, you should follow the crowd except for things that impact what you are trying to achieve. Otherwise you spend a lot of extra time sorting through issues on the part that doesn't matter which could be better spent on the novel part.

by bawolff

4/27/2026 at 11:11:50 PM

I do not get why not needing proof objects is desirable. It seems good to have a defined way to store proofs that has a very tight spec and can thus have competing implementations, like in https://arena.lean-lang.org/. The LCF approach couples the proof format to the module system of a programming language.

Occasionally, inspecting that proof term is useful to see what happened in a proof.

Then again, I also like dependent types.

by jojomodding

4/27/2026 at 11:37:31 PM

You can use reflection in dependently-typed proof systems to avoid storing proof objects for expensive computations and replace them with a proof of a general algorithm instead (much like in the LCF approach: the general algorithm proof is the equivalent of a compiler checking that the module system use in a LCF tactic is sound).

by zozbot234

4/27/2026 at 8:56:46 PM

People interested in alternatives to Lean should also look at Metamath. It has nowhere near the adoption that Lean is getting, but is holding its own in [100] theorems results.

It has some advantages and compelling properties, not least of which is that it's very simple, so much so that there are many implementations of checkers; most other proof systems are ultimately defined by a single implementation. It's also astonishingly efficient — the entire database can be checked in less than a second. Set theory is also a familiar foundation for mathematicians, though the question of which is a better foundation compared with type theory is very controversial. Mario Carneiro pushed forward the development of Metamath in his thesis [0].

There are downsides also, including junk theorems, and automation is weaker. It's possible that types really help with the latter. Even so, I think it's worthy of study and understanding.

[0]: https://digama0.github.io/mm0/thesis.pdf

[100]: https://www.cs.ru.nl/~freek/100/

by raphlinus

4/27/2026 at 5:18:39 PM

It’s been decades since I could claim to know anything about this field so I’m probably completely wrong in how I read this, but the idea that one might build a theorem prover (“ML!”) for one’s non-ML programming language and have the prover itself accidentally be a really good general purpose programming language … is very funny.

by gorgoiler

4/28/2026 at 5:00:06 AM

To clarify: ML started out as a scripting language for Robin Milner's proof assistant, LCF. The formal system, or "logic," is implemented in a minimal, trusted kernel, and the proof data structure is protected as an abstract data type that can only be constructed through the trusted kernel. On top of the kernel, tactic scripts may be defined to manipulate proof objects and facilitate proof search/automation.

Then, ML grew into a general-purpose programming language (both OCaml and Standard ML are dialects).

by hutao

4/27/2026 at 8:41:40 PM

I am going to build an alternative to Lean called Purple Drank

by asdfman123

4/28/2026 at 12:43:01 PM

I was going to call my project that but Claude said that wasn't professional. rip "a delightful mixture of lean"

by asparagui

4/27/2026 at 11:19:26 PM

Do not be surprised when I fork and call it Sizzurp.

by bradleyy

4/27/2026 at 7:32:21 PM

The most important thing is keeping up the momentum to formalize more proofs and continue to strengthen the libraries and foundational work.

If that momentum is strongest with Lean so be it. At the same time things become more machine verifiable, converting to a new system will also become easier. It can already be strongly assisted using a general agent like Claude Code.

by WhitneyLand

4/27/2026 at 7:28:23 PM

What about the performance characteristics of the Lean programs? I know it is a natively compiled language, but is the code it produces comparable to that of modern system programming languages in terms of performance?

by ibobev

4/28/2026 at 12:46:30 AM

Oddly enough, most uses of Lean never actually run the program. The fact that it type checks is enough to prove the theorem in question.

That said, if execution is seriously required for your problem along with strong logic on the side, you may prefer Dafny which transpiles the computation part of your proof to C++ or Go.

by ted_dunning

4/28/2026 at 2:18:41 PM

But still, Lean is executable and can be used as an ordinary programming language.

by ibobev

4/28/2026 at 1:29:28 PM

Formal proofs are made to be done by AI.

If a green checkmark goes away so be it. AI might or may not understand how to fix it but it's no burden to the user / developer.

by singularity2001

4/27/2026 at 8:54:39 PM

ngl assumed this was about supply management or purple drank

> Propositions as types is a duality linking the logical signs ∀ , ∃ , → , ∧ , ∨ with the type constructors Π , Σ , → , × , + . It is beautiful, fascinating and theoretically fruitful, but it is not the only game out there. I have seen “proof assistant”

by red-iron-pine

4/27/2026 at 8:29:58 PM

I keep seeing articles about Lean recently on HN. Never heard of it before. I'm not a mathematician and not a professional developer so my opinion might not mean shit, but I can't make head nor tail of it. I can't understand what half of what the website is talking about.

by ifh-hn

4/27/2026 at 11:04:44 PM

Its a software where you type your maths proofs in and a "yes" comes out. Except if your proof is broken, then a "no" comes out. Of course, sometimes the computer is just a bit dumb at intuiting the intermediate steps, so you need to explain like a 10-year-old child (or else you get a "no" as you failed to convince the computer). And storing all these explanations takes memory. And you have to speak the somewhat idiosyncratic language of the computer, which you can imagine a bit like LaTeX but more easily parseable and less ambiguous.

The blog article author is saying that Lean is like a younger child (that needs more intermediate steps explained), stores proofs more inefficiently (taking more memory) and that its computer proof language is harder to read for humans. Additionally there is a technical point about dependent types, which are the principle around which the computer proof language is organized (the same way a programming language might be organized around object-orientism).

by jojomodding

4/28/2026 at 6:32:27 AM

Thanks for taking the time to explain, rather than drive by downvote. It doesn't seem like this would be useful to me, or certainly I have no use for it that I can think of.

by ifh-hn

4/27/2026 at 9:14:47 PM

It's a paradigm shift, that's for sure.

I'm still in the throes of learning it myself, and it's quite the journey. I love the promises behind it, but I'm not yet far enough along to know if they are kept or if it's just kool aid (or perhaps purple drank?)

by icosahedron

4/28/2026 at 6:34:07 AM

I've never heard of purple drank before, not American. Which came first? The language or drug?

by ifh-hn

4/28/2026 at 3:02:57 AM

I think the author is confkating two different things. There are technical problems with sticking to constructive purity when it comes to mathematics (setoid hell, avoiding excluded middle, real number formalization etc). Then there are social aspects. The community's 'cultist' ( his words) adherence to constructive logic. Saying this is the reason rocq lost out to lean seems wrong.

Firstly, there is value of the attempt. By staying true to constructive logic, there was a lot of progress (compcert verified c compiler, cubical agda etc).

Secondly, there were other confounding variables (tooling, network effects). Claiming rocq lost out to lean due to community's obsession is a bit of reductive argument.

But author is an expert. I will defer to him. His point about sledgehammer approach working well in the new AI world is very interesting though.

by BlanketLogic

4/28/2026 at 8:47:50 AM

[dead]

by arjunthazhath

4/27/2026 at 5:48:54 PM

>The recommended way to install Lean is through VS Code

Is that enough reason?

by heliumtera

4/28/2026 at 6:59:07 AM

Yes.

I am tired of my time in tech being just using MS products that all depend on each other.

by EFreethought

4/27/2026 at 4:57:23 PM

[flagged]

by shaguoer

4/27/2026 at 3:40:17 PM

[flagged]

by waffletower

4/27/2026 at 10:01:57 PM

If you write an article shitting on a popular thing because it eclipses the popularity of your favorite thing (and essentially calling the people who use it ignorant sheep), chances are good you are part of a self-fulfilling prophecy, pushing people away from your community.

by j2kun

4/27/2026 at 3:08:52 PM

Good post! +1

by zermelo44

4/27/2026 at 3:34:38 PM

Type theory and lean is more interesting to people who like computers than to people who like math.

by groundzeros2015

4/27/2026 at 3:38:29 PM

Terence Tao, one of the most important living mathematicians, specifically embraces Lean and has been helping the community embrace it.

What you've done here is an overgeneralization. "People who like math" and "people who like computers" are massive demographics with considerable overlap.

by soulofmischief

4/27/2026 at 7:18:46 PM

Formalised proofs and Lean in particular are still too cumbersome for the ``working'' mathematician to use it day-to-day for research-level math. But clearly there is some interest on where it may take us in future.

by vitriol83

4/27/2026 at 4:19:11 PM

> one of the most important living

Maybe. But more clearly one of the most popular online.

by groundzeros2015

4/27/2026 at 7:19:53 PM

He's a Field's Medalist so that's automatically one of the most important living. He is good at explaining things; I leaned on his Analysis textbooks when I was taking analysis and functional analysis to great effect; in a research class I was trying to calculate Fourier transforms of algebraic sets and found various almost throw away comments on his blog that were extremely enlightening (alas only to the extent I could follow them). He's a legit great mind of modern mathematics - and also able to communicate well; a historical rarity indeed.

The topic being discussed here has been addressed specifically in his mastodon posts - the pre-LLM math process was understood to be "state a proof, validate a proof" - but the real aim was the not explicit "digest the proof so we can extend to other results" - with LLM/lean making the first two a lot easier and possible to do without accomplishing the digestion into the mathematical community; so we need to add "digesting proofs (from where ever)" into the job description. Thread starts here: https://mathstodon.xyz/@tao/116477351524980995

by lanstin

4/27/2026 at 3:50:38 PM

The set theorists decided that mathematics is the overarching superdomain over all study of structure. You don't get to pick and choose. Either mathematics is a suburb of logic and these two things are separate, or they're not and ZFC dogmatics need to accept they don't have a monopoly on math.

I of course fully support reinstating logicism, but the same dogmatics love putting up a fight over that as well.

by ux266478

4/27/2026 at 4:40:38 PM

I think the most surprising thing I've learned taking formal math in college is just how much mathematicians are pragmatists (at least for my teacher with sample size n=1). They're much more interested in new ways to think about ideas, with a side effect of proofs for correctness. The proof is more about explaining why something works, not that it does.

I'm going to take a formal logic class in the fall, and my professor said something akin to "definitely take it if you're interested, just be aware that it probably won't come in use in most of the mathematics done today." The thing is the foundations are mostly laid, and people are interested in using said foundations for interesting things, not for constantly revisiting the foundations.

I think this is one reason most mathematicians don't see a need for formal proof assistants, since from their perspective it's one very small part of math, and not the interesting one.

This is not to say that proof assistants are a dead end—I find them fascinating and hope they continue to grow—but there's a reason that they haven't had a ton of traction.

by smj-edison

4/27/2026 at 6:09:50 PM

I think that's a good way of putting it. I would addend that most people working in mathematics aren't generalists, their primary interest isn't in a broad picture. Rather, most are hyperfocused into a single domain with a strong backbone of reflexive intuition built up. By virtue of sheer human limitation, there's only so much someone can care about what's happening outside of their world while still making serious contributions within it. This doesn't even just extend all the way to shifting foundations, but number theorists can hardly be expected to keep up with the forefront of graph theory, for example.

For the pragmatists Logic as a field commits the immortal sin: it blasphemes the intuition that mathematicians spend years honing by obliterating it. Not just for a singular domain, but for all domains. Of course, that doesn't really explain the whole picture. Formalism built a holy walled city. Logicians, by nature of their work, leave the safety of the walled city to survey, exploit and die in the tangled jungle outside. Some don't even speak the holy language of the glorious walled city, they talk in absolutely gibberish modalities and hyperstructures. There is a political tension held against logic and logicians as a result.

by ux266478

4/27/2026 at 3:55:03 PM

Mathematicians use logic to talk about the mathematical world. But logic is not the world.

by groundzeros2015

4/27/2026 at 4:13:17 PM

Not even the most dogmatic of the set theorists ever argued mathematics was possible without reason, however. For mathematics, logic is the world, as the copula makes no distinction between substance and existence. In the same sense that the earth is not matter itself, but it is a material thing.

Putting that aside, to make things more clear: computer science is mathematics. Computer scientists are mathematicians. That was a categorization decided long before you and I ever lived. In the sense that you mean, you're only referring to a very small fraction of what "mathematics" refers to In the true sense of the word. It is just as irreconcilably disjointed as Logic is, not unified and fundamentally non-unifiable.

I too think it would be better if "mathematics" was reserved for the gated suburb of ZFC. But that's not the world we live in, courtesy of the same people who pushed ZFC as a foundation to begin with.

by ux266478

4/27/2026 at 4:17:56 PM

> For mathematics, logic is the world, as the copula makes no distinction between substance and existence.

No. There are truths about the subject not captured in any single formal system. Which is why objects are studied form many perspectives.

> Computer scientists are mathematicians.

Some are and some aren’t.

by groundzeros2015

4/27/2026 at 7:04:50 PM

I would’ve expected that people who like computers will converge around something like Idris. It’s marketed as a development tool, not a tool for formalizing mathematics even though it could be used as a proof assistant.

by kccqzy

4/27/2026 at 3:38:11 PM

citation needed, Tao certainly is on record using Lean and that carries some weight.

also, https://en.wikipedia.org/wiki/Curry%E2%80%93Howard_correspon... i.e. there's no reason it should be as you say.

by baq

4/27/2026 at 3:50:48 PM

The link is exactly what I’m saying. I only hear cs people talk about it.

For mathematicians a proof is a means to an end, or a medium of expression - they care about what they say and why.

The correspondence isn’t about C programs corresponding to proofs in math papers. It’s a very a specific claim about kinds of formal systems which don’t resemble how math or programming is done.

by groundzeros2015

4/27/2026 at 4:03:47 PM

Mathematicians care about interesting ideas, not whether their theorems are true :-)

by gowld

4/27/2026 at 4:28:34 PM

They care about if it’s true. But the role of the formal proof is a kind of spell checker or static analysis after they have the idea.

by groundzeros2015

4/27/2026 at 4:50:04 PM

> They care about if it’s true.

Not always.

If it is NOT true, they sometimes simply play "what if" and construct a new system where it could be true.

by j16sdiz

4/27/2026 at 6:27:19 PM

> If it is NOT true, they sometimes simply play "what if" and construct a new system where it could be true.

I trust you have some examples of this?

by BigTTYGothGF

4/28/2026 at 3:31:29 AM

Complex numbers and Schwartz distributions (the thing the dirac delta is) come immediately to mind. “Not all numbers have square roots, but what if they did?” It seems like a common pattern.

by ianhorn

4/27/2026 at 6:46:58 PM

I think they're talking about conjectures that are unproven but seem "likely true" and people build further math off the assumption. E.G Reimann hypothesis

by sincerely