PBLean: Pseudo-Boolean Proof Certificates for Lean 4

We present PBLean, a method for importing VeriPB pseudo-Boolean (PB) proof certificates into Lean 4. Key to our approach is reflection: a Boolean checker function whose soundness is fully proved in Lean and executed as compiled native code. Our method scales to proofs with tens of thousands of steps that would exhaust memory under explicit proof-term construction. Our checker supports all VeriPB kernel rules, including cutting-plane derivations and proof-by-contradiction subproofs. In contrast to external verified checkers that produce verdicts, our integration yields Lean theorems that can serve as composable lemmas in larger formal developments. To derive theorems about the original combinatorial problems rather than about PB constraints alone, we support verified encodings. This closes the trust gap between solver output and problem semantics since the constraint translation and its correctness proof are both formalized in Lean. We demonstrate the approach on various combinatorial problems.

💡 Research Summary

PBLean introduces a seamless integration of VeriPB pseudo‑Boolean (PB) proof certificates into the Lean 4 proof assistant. Pseudo‑Boolean reasoning extends Boolean reasoning with linear inequality constraints over Boolean variables and relies on cutting‑plane inference rules (addition, scalar multiplication, division with rounding, saturation, and normalization). Existing SAT/SMT proof checkers either work only with clausal formats or, when they support PB, construct a huge Lean expression for each proof step. This explicit construction quickly exhausts memory for proofs containing tens of thousands of steps, and the resulting verdicts cannot be used as lemmas in larger developments.

The core innovation of PBLean is a reflection‑based Boolean checker. A single Lean function check : F → π → Bool takes a set of PB constraints F and a VeriPB proof string π. It parses π into an abstract syntax tree, replays each kernel rule, and updates a hash‑map based constraint database. When a contradictory constraint (e.g., 0 ≥ 1) is derived, the function returns true. The checker is executed as compiled native code via native_decide, so the runtime cost is that of a pure computation rather than of building and type‑checking millions of Lean Exprs.

Soundness is proved in two layers. First, the authors formalize 13 lemmas in Lean that correspond exactly to the six primitive VeriPB kernel operations (addition, multiplication, division, saturation, normalization, deletion) together with auxiliary rules for unit propagation, contradiction, and proof‑by‑contradiction subproofs. Each lemma states that if the premises are satisfied under a valuation, then the conclusion is also satisfied. Second, they prove a single theorem check_sound that says: if check F π = true then the original constraint set F is unsatisfiable. This theorem relies only on Lean’s standard axioms (propext, Classical.choice, Quot.sound) and the trusted compiler flag Lean.trustCompiler. Consequently, the entire trusted base of PBLean is exactly the same as that of Lean’s built‑in bv_decide tactic.

Implementation consists of two modules. PseudoBoolean.lean (~700 lines) defines the data types (Literal, Term, Constr) and the 13 soundness lemmas. Reflect.lean (~1800 lines) implements a line‑by‑line tokenizer, an AST builder, and the interpreter that applies the kernel rules to the constraint database. The interpreter uses the `@