Lean-SMT: Automated SMT Integration
- Lean-SMT is a Lean tactic that integrates proof-producing SMT solving within Lean to automate the discharge of first-order and theory-heavy proof obligations.
- It uses a two-phase methodology of proof-producing preprocessing and first-order encoding to translate Lean’s dependent-type goals into SMT logic.
- It features modular proof reconstruction that ensures soundness by replaying external solver proofs through Lean's minimal trusted kernel and a compact CPC interpreter.
Lean-SMT is a tactic that integrates proof-producing SMT solving into the Lean proof assistant, enabling automatic discharge of first-order and theory-heavy proof obligations with a reduced trusted code base and full proof reconstruction. Developed to parallel the “hammer” approach in Isabelle/HOL, Lean-SMT translates Lean’s dependent-type goals into SMT logic, calls an external SMT solver to generate certificates, and reconstructs the results as kernel-checked Lean proofs. This mechanism automates a broad set of reasoning tasks in Lean while maintaining a small and auditable trusted core (Mohamed et al., 21 May 2025).
1. Motivation and Background
Lean is founded on dependent type theory (DTT), requiring explicit construction of terms for proof obligations. Even goals expressible in first-order logic, such as linear arithmetic or equalities, demand labor-intensive lemma applications or manual induction within Lean’s native tactic framework. SMT solvers, particularly state-of-the-art engines like cvc5, provide powerful automation for fragments involving arrays, uninterpreted functions, quantifiers, and various arithmetic theories but operate in a simpler, many-sorted first-order logic.
The Lean-SMT tactic aims to leverage this automation by exporting suitable Lean goals to SMT-LIB, delegating proof search to a highly optimized proof-producing SMT solver, and reconstructing the resulting proof objects within Lean. This reduces user burden, eliminates repetitive low-level scripting, and supports large-scale formal developments with a “single call” tactic analogous to Isabelle’s Sledgehammer (Mohamed et al., 21 May 2025). The reconstructed proofs ensure that soundness and trust remain internal to Lean’s kernel and a small reconstruction layer.
2. Translation: From Dependent Type Theory to SMT-LIB
Direct translation is nontrivial because Lean’s dependent type theory is richer than SMT-LIB’s many-sorted first-order logic. Lean-SMT employs a two-phase approach:
A. Proof-Producing Preprocessing:
- Normalization of universe levels and monomorphization.
- Expansion of type classes (e.g., `Group G` becomes an explicit carrier with explicit group axioms).
- Conversion of higher-order structures to first-order fragments where possible (using the `lean-auto` tool and custom rewrites).
B. First-Order Encoding:
- Lean connectives that have no direct SMT-LIB counterpart in the form Lean defines them (e.g., `↔`, which becomes a Boolean equality, and `¬`, which Lean defines as an implication into `False`) are replaced by Boolean equalities or converted using lemmas (“iff-lemma” steps).
- Common Lean datatypes (among them `Array` and `Rat`) are mapped to the corresponding SMT-LIB sorts and theories.
Every preprocessing step records a proof, so the translated goal is connected to the original by a Lean-checked certificate rather than by trust in the translator.
A key step is ensuring that SMT-LIB’s built-in assumption that every sort is nonempty does not introduce unsoundness, since Lean types may be empty. Reconstruction verifies, within Lean, that any nonemptiness the certificate relies on is actually available, via `Nonempty α` instances for the types involved. When no such instance can be found, reconstruction fails rather than admitting a proof that depends on an unjustified inhabitant.
A canonical example involves translating the uniqueness of a group identity to SMT logic. After preprocessing, an equivalence statement becomes an equality of propositions at the Boolean level.
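As an added illustration, not code from the Lean-SMT paper or repository, the group-identity example written out by hand: first the first-order form that preprocessing produces from `Group G`, then, in comments, an SMT-LIB query of the shape the translator would emit for the negated goal, and finally the nonemptiness caveat from the previous paragraph. The theorem names, the choice of which group axiom to keep, the exact query text and the `smt [...]` invocation syntax mentioned in the comment are assumptions.

```lean
-- Added example, not from the Lean-SMT paper or repository.

-- After preprocessing, `Group G` is no longer a type class: the carrier,
-- the operation, the unit and the group axioms the goal needs are explicit
-- first-order hypotheses (only the right-unit law is needed here).
theorem unique_left_unit {G : Type} (mul : G → G → G) (one : G)
    (mul_one : ∀ a, mul a one = a)
    (e : G) (he : ∀ a, mul e a = a) : e = one :=
  -- e = mul e one (right unit), and mul e one = one (e is a left unit)
  (mul_one e).symm.trans (he one)

-- Hand-written SMT-LIB query for the negated goal, in the shape the
-- translator would produce (illustrative, not tool output).  The
-- universally quantified `e` of the Lean goal becomes a constant once the
-- goal is negated.  `(declare-sort G 0)` silently assumes G is nonempty,
-- which is exactly the assumption reconstruction must discharge in Lean.
--
--   (set-logic UF)
--   (declare-sort G 0)
--   (declare-fun mul (G G) G)
--   (declare-const one G)
--   (declare-const e G)
--   (assert (forall ((a G)) (= (mul a one) a)))
--   (assert (forall ((a G)) (= (mul e a) a)))
--   (assert (not (= e one)))
--   (check-sat)        ; unsat; a CPC proof is requested from cvc5
--
-- With lean-smt installed the goal is meant to be closed by the tactic
-- instead of the term above, roughly `by smt [mul_one, he]` (assumed syntax).

-- Why nonemptiness matters: `(exists ((x G)) true)` holds in every SMT-LIB
-- model, but the Lean counterpart is false for an empty type, so a
-- certificate that relies on it is only replayable given `Nonempty G`.
theorem exists_of_nonempty (G : Type) [h : Nonempty G] : ∃ _x : G, True :=
  h.elim fun x => ⟨x, trivial⟩

-- The same statement for the empty type is refutable, which is why the
-- SMT-side assumption cannot simply be imported into Lean.
theorem not_exists_empty : ¬ ∃ _x : Empty, True :=
  fun ⟨x, _⟩ => nomatch x
```

The two final theorems are the check a reconstructor has to perform for each sort the solver declared: either a `Nonempty` instance is found and the SMT-side assumption is justified, or reconstruction must stop.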
3. Proof Reconstruction Architecture and Workflow
The core Lean-SMT workflow involves four principal modules:
- Preprocessor: Simplifies the Lean goal into a first-order form and produces a preprocessing proof relating the simplified goal to the original.
- SMT-LIB Translator: Encodes the simplified goal as an SMT-LIB query.
- SMT Solver Invocation: Calls cvc5 via Lean’s FFI. Requests proof output in CPC (Common Proof Calculus) format and receives a structured proof object.
- Reconstructor: Replays the proof object in Lean, checking each logical inference step and composing it with the initial preprocessing certificate.
The raw SMT proof is in the CPC format, which defines each inference step as a tuple of premises (earlier steps), argument terms, a conclusion, and an optional side condition that must hold for the step to apply. Lean-SMT currently implements approximately 200 of cvc5’s 662 CPC rules, covering basic first-order reasoning, arithmetic, arrays, and quantifier handling.
Reconstruction modes include:
- Direct replay using pre-proved Lean theorems: For rules with direct Lean correspondents.
- Custom Lean tactics: For rules requiring bundled lemma application or pattern-guided reasoning (e.g., summing inequalities).
- Reflection and verified decision procedures: For normalization-intensive steps or those involving associative-commutative reasoning (e.g., polynomial normalization).
Soundness is guaranteed as all logic is checked through the Lean kernel, with only the kernel and a compact (≈1,000-line) CPC interpreter as the trusted base.
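To make the three reconstruction modes concrete, here is an added example (not lean-smt code) that replays a toy certificate by hand. `sum_ub` and `arith_sum_ub` are illustrative names standing in for a CPC arithmetic rule, not cvc5’s actual rule identifiers, and the four-step certificate is constructed for the example.

```lean
-- Added example, not lean-smt code.  The three reconstruction modes shown
-- on a constructed certificate; rule names are illustrative stand-ins.

-- Mode 1, direct replay: a step whose rule has a pre-proved Lean
-- correspondent is discharged by applying that theorem to its premises.
theorem sum_ub {a b c d : Int} (h₁ : a ≤ b) (h₂ : c < d) :
    a + c < b + d := by
  omega

-- Mode 2, custom tactic: a rule whose replay bundles a lemma application
-- with a goal-directed finishing step, packaged as one tactic so the
-- reconstructor can invoke it uniformly for every step of that kind.
macro "arith_sum_ub" h₁:term ", " h₂:term : tactic =>
  `(tactic| (have := sum_ub $h₁ $h₂; omega))

-- Mode 3, reflection / verified decision procedure: normalization steps
-- are handed to a decision procedure whose verdict the kernel still checks
-- (`omega` for linear Int arithmetic here; polynomial normalization in the
-- paper's setting).

-- Replaying a certificate for `x < z`, one `have` per step:
--   s1: assume x ≤ y         s2: assume y < z
--   s3: sum_ub s1 s2   ⊢ x + y < y + z
--   s4: normalize s3   ⊢ x < z
-- Each step is type-checked by the kernel.  A step whose rule has no replay,
-- or whose Lean correspondent does not apply, is a Lean error rather than a
-- silently trusted inference: the solver's answer never enters the TCB.
theorem replay (x y z : Int) (s1 : x ≤ y) (s2 : y < z) : x < z := by
  have s3 : x + y < y + z := sum_ub s1 s2   -- direct replay (mode 1)
  omega                                      -- normalization (mode 3)

-- The same certificate replayed through the custom tactic of mode 2.
example (x y z : Int) (s1 : x ≤ y) (s2 : y < z) : x < z := by
  arith_sum_ub s1, s2
```

The division of labour is the point: the solver chooses which rule to apply and with which premises, Lean only re-checks that each chosen rule actually yields its conclusion, so a bug in cvc5 can at worst make reconstruction fail, never make it accept a false theorem.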
4. Empirical Evaluation and Comparisons
Evaluation comprises both Sledgehammer-style first-order logic (FOL) proof goals and SMT-LIB benchmarks.
- Sledgehammer Benchmarks: On 5,000 Isabelle/HOL goals, Lean-SMT with cvc5 solves 2,868 and reconstructs 2,847. In comparison, Sledgehammer with veriT reconstructs 2,180 and Duper solves 1,116. Reconstruction takes 31 s for 98% of the goals and 45 s for the remainder.
- SMT-LIB Benchmarks: Across 24,817 unsat problems (SMT-COMP 2024, logics including UF, IDL, RDL, LIA, LRA, LIRA, and quantifier-free subclasses), Lean-SMT reconstructs 15,271 proofs (71%). By contrast, Ethos (C++ checker) verifies 21,196, and SMTCoq (Coq) 4,178. In quantifier-free subsets, Lean-SMT reconstructs 4,869; Ethos 6,892; SMTCoq all 4,178 of its fragment. Reconstruction times are within an order of magnitude of native checkers.
The observed trade-off is a direct result of Lean-SMT’s kernel-checked integration: it favors correctness and auditability over the fastest raw checking rate. Coverage can be expanded by systematically implementing further CPC rules.
Table: Summary of Proof Success Rates (Selected Benchmarks)
| Suite | Lean-SMT (cvc5) | Sledgehammer (veriT) | Ethos (C++) |
|---|---|---|---|
| Sledgehammer (5,000 goals) | 2,847 | 2,180 | — |
| SMT-LIB UNSAT (24,817 problems) | 15,271 | — | 21,196 |
| QF subset (11,804 problems) | 4,869 | — | 6,892 |
5. Trusted Computing Base and Soundness Guarantees
Lean-SMT’s trust base consists of:
- The Lean kernel (53,000 lines).
- The CPC interpreter and tactic library (61,000 lines).
- Minimal FFI glue to cvc5 (7,200 lines).
This contrasts with checker-based approaches such as Ethos, whose C++ checker is itself part of the trusted base, and SMTCoq, which adds Coq’s kernel and its own checker to the trusted base, and with black-box SMT calls, where the entire external solver must be trusted.
A central consideration is that Lean-SMT’s proof reconstruction approach is modular. Adding support for more CPC rules or new SMT theories, such as bitvectors or floating-point, only expands the scope of the reconstruction library, not the kernel. A plausible implication is that Lean-SMT can track the evolution of SMT solvers’ proof output more flexibly than approaches requiring fully verified low-level checkers.
6. Limitations and Extensions
While Lean-SMT automates a wide class of proof goals, the following limitations are noted:
- Approximately 30% of cvc5’s CPC rules are supported; extending to over 80% is a defined avenue for future work.
- SMT proof reconstruction in Lean remains slower than native C/C++ checkers but is practical for scale: most reconstructions complete in seconds.
- Premise selection and goal-specific lemma relevance are currently less sophisticated than Isabelle’s Sledgehammer, which utilizes machine learning.
- Support for higher-order and inductive reasoning requires integration with other Lean automation, such as the superposition prover Duper or the proof-search tactic Aesop.
Potential future enhancements include extending coverage to bitvectors, arrays, and floating-points; deeper machine-learning–guided lemma selection; optimized Lean-native data structures for arithmetic and arrays; and compositional support for higher-order logic and theory combinations (Mohamed et al., 21 May 2025).
7. Impact and Positioning within the Lean Ecosystem
Lean-SMT represents the first large-scale proof-producing SMT integration in Lean. Its architectural choices—preprocessing, translation, external proof search, and kernel-level proof replay—mirror the successful “hammer” approaches of Isabelle and Coq but minimize external trust. By enabling automatic, kernel-checked discharge of substantial fragments of theory-intensive goals, Lean-SMT substantially advances the scope, scalability, and reliability of formal development in Lean and sets the foundation for more comprehensive “Lean hammer” infrastructure (Mohamed et al., 21 May 2025).