feat(Query): query complexity framework with sorting examples

kim-em · claude · kim-em · commit ecb8659f0988 · 2026-03-05T05:57:40.000Z
Implements Sebastian Graf's unified approach to query complexity, combining the strengths of leanprover#372 (explicit Prog/FreeM query types) and leanprover#376 (monad-parametric approach). Key design: programs are `Prog Q α` (free monad over query type Q), oracle is supplied *after* the program produces its query plan, giving anti-cheating guarantees for both upper and lower bounds. New files: - `Query/Prog.lean`: Core `Prog` type, `eval`, `queriesOn`, simp lemmas - `Query/Bounds.lean`: `UpperBound` and `LowerBound` definitions - `Query/Sort/LEQuery.lean`: Comparison query type for sorting - `Query/Sort/IsSort.lean`: Correctness specification for comparison sorts - `Query/Sort/Insertion/{Defs,Lemmas}.lean`: Insertion sort with O(n²) upper bound - `Query/Sort/Merge/{Defs,Lemmas}.lean`: Merge sort with correctness proofs Insertion sort is fully proven (correctness + n² upper bound). Merge sort has full correctness proofs; the n·⌈log₂ n⌉ upper bound is stated but left as sorry (the clog recurrence proof is nontrivial). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/Cslib.lean b/Cslib.lean
@@ -1,6 +1,14 @@
 module  -- shake: keep-all
 
 public import Cslib.Algorithms.Lean.MergeSort.MergeSort
+public import Cslib.Algorithms.Lean.Query.Bounds
+public import Cslib.Algorithms.Lean.Query.Prog
+public import Cslib.Algorithms.Lean.Query.Sort.Insertion.Defs
+public import Cslib.Algorithms.Lean.Query.Sort.Insertion.Lemmas
+public import Cslib.Algorithms.Lean.Query.Sort.IsSort
+public import Cslib.Algorithms.Lean.Query.Sort.LEQuery
+public import Cslib.Algorithms.Lean.Query.Sort.Merge.Defs
+public import Cslib.Algorithms.Lean.Query.Sort.Merge.Lemmas
 public import Cslib.Algorithms.Lean.TimeM
 public import Cslib.Computability.Automata.Acceptors.Acceptor
 public import Cslib.Computability.Automata.Acceptors.OmegaAcceptor
diff --git a/Cslib/Algorithms/Lean/Query/Bounds.lean b/Cslib/Algorithms/Lean/Query/Bounds.lean
@@ -0,0 +1,38 @@
+/-
+Copyright (c) 2026 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Kim Morrison, Sebastian Graf
+-/
+module
+
+public import Cslib.Algorithms.Lean.Query.Prog
+
+/-! # Upper and Lower Bounds for Query Complexity
+
+Definitions of upper and lower bounds on the number of queries a program makes,
+quantified over oracles. The oracle is supplied *after* the program produces its query
+plan (the `Prog` tree), so implementations cannot cheat.
+-/
+
+open Cslib.Query
+
+public section
+
+namespace Cslib.Query
+
+/-- Upper bound: for all oracles, inputs of size ≤ n make at most `bound n` queries. -/
+@[expose] def UpperBound (prog : α → Prog Q β)
+    (size : α → Nat) (bound : Nat → Nat) : Prop :=
+  ∀ (oracle : {ι : Type} → Q ι → ι) (n : Nat) (x : α),
+    size x ≤ n → (prog x).queriesOn oracle ≤ bound n
+
+/-- Lower bound: for every size n, there exists an input and oracle
+    making the program perform ≥ `bound n` queries. -/
+@[expose] def LowerBound (prog : α → Prog Q β)
+    (size : α → Nat) (bound : Nat → Nat) : Prop :=
+  ∀ (n : Nat), ∃ (x : α), size x ≤ n ∧
+    ∃ (oracle : {ι : Type} → Q ι → ι), bound n ≤ (prog x).queriesOn oracle
+
+end Cslib.Query
+
+end -- public section
diff --git a/Cslib/Algorithms/Lean/Query/Prog.lean b/Cslib/Algorithms/Lean/Query/Prog.lean
@@ -0,0 +1,88 @@
+/-
+Copyright (c) 2026 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Kim Morrison, Sebastian Graf
+-/
+module
+
+public import Cslib.Foundations.Control.Monad.Free
+
+/-! # Prog: Programs as Free Monads over Query Types
+
+`Prog Q α` is an alias for `FreeM Q α`, representing a program that makes queries of type `Q`
+and returns a result of type `α`. A query type `Q : Type → Type` maps each query to its
+response type.
+
+The key operations are:
+- `Prog.eval oracle p`: evaluate `p` by answering each query using `oracle`
+- `Prog.queriesOn oracle p`: count the queries along the oracle-determined path
+
+Because the oracle is supplied *after* the program produces its query plan (the `Prog` tree),
+a sound implementation of `prog` has no way to "guess" what the oracle would respond.
+This is the foundation of the anti-cheating guarantee for both upper and lower bounds.
+-/
+
+open Cslib
+
+public section
+
+namespace Cslib.Query
+
+/-- A program that makes queries of type `Q` and returns a result of type `α`.
+    This is `FreeM Q α`, the free monad over the query type. -/
+abbrev Prog (Q : Type → Type) (α : Type) := FreeM Q α
+
+namespace Prog
+
+variable {Q : Type → Type} {α β : Type}
+
+/-- Evaluate a program by answering each query using `oracle`. -/
+@[expose] def eval (oracle : {ι : Type} → Q ι → ι) : Prog Q α → α
+  | .pure a => a
+  | .liftBind op cont => eval oracle (cont (oracle op))
+
+/-- Count the number of queries along the path determined by `oracle`. -/
+@[expose] def queriesOn (oracle : {ι : Type} → Q ι → ι) : Prog Q α → Nat
+  | .pure _ => 0
+  | .liftBind op cont => 1 + queriesOn oracle (cont (oracle op))
+
+-- Simp lemmas for eval
+
+@[simp] theorem eval_pure (oracle : {ι : Type} → Q ι → ι) (a : α) :
+    eval oracle (.pure a : Prog Q α) = a := rfl
+
+@[simp] theorem eval_liftBind (oracle : {ι : Type} → Q ι → ι)
+    {ι : Type} (op : Q ι) (cont : ι → Prog Q α) :
+    eval oracle (.liftBind op cont) = eval oracle (cont (oracle op)) := rfl
+
+@[simp] theorem eval_bind (oracle : {ι : Type} → Q ι → ι)
+    (t : Prog Q α) (f : α → Prog Q β) :
+    eval oracle (t.bind f) = eval oracle (f (eval oracle t)) := by
+  induction t with
+  | pure a => rfl
+  | liftBind op cont ih => exact ih (oracle op)
+
+-- Simp lemmas for queriesOn
+
+@[simp] theorem queriesOn_pure (oracle : {ι : Type} → Q ι → ι) (a : α) :
+    queriesOn oracle (.pure a : Prog Q α) = 0 := rfl
+
+@[simp] theorem queriesOn_liftBind (oracle : {ι : Type} → Q ι → ι)
+    {ι : Type} (op : Q ι) (cont : ι → Prog Q α) :
+    queriesOn oracle (.liftBind op cont) = 1 + queriesOn oracle (cont (oracle op)) := rfl
+
+@[simp] theorem queriesOn_bind (oracle : {ι : Type} → Q ι → ι)
+    (t : Prog Q α) (f : α → Prog Q β) :
+    queriesOn oracle (t.bind f) =
+      queriesOn oracle t + queriesOn oracle (f (eval oracle t)) := by
+  induction t with
+  | pure a => simp [FreeM.bind]
+  | liftBind op cont ih =>
+    simp only [FreeM.bind, queriesOn_liftBind, eval_liftBind, ih (oracle op)]
+    omega
+
+end Prog
+
+end Cslib.Query
+
+end -- public section
diff --git a/Cslib/Algorithms/Lean/Query/Sort/Insertion/Defs.lean b/Cslib/Algorithms/Lean/Query/Sort/Insertion/Defs.lean
@@ -0,0 +1,41 @@
+/-
+Copyright (c) 2026 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Kim Morrison, Sebastian Graf
+-/
+module
+
+public import Cslib.Algorithms.Lean.Query.Sort.LEQuery
+
+/-! # Insertion Sort as a Query Program
+
+Insertion sort implemented as a `Prog (LEQuery α)`, making all comparison queries explicit.
+-/
+
+open Cslib.Query
+
+public section
+
+namespace Cslib.Query
+
+/-- Insert `x` into a sorted list using comparison queries. -/
+@[expose] def orderedInsert (x : α) : List α → Prog (LEQuery α) (List α)
+  | [] => pure [x]
+  | y :: ys => do
+    let le ← LEQuery.ask x y
+    if le then
+      pure (x :: y :: ys)
+    else do
+      let rest ← orderedInsert x ys
+      pure (y :: rest)
+
+/-- Sort a list using insertion sort with comparison queries. -/
+@[expose] def insertionSort : List α → Prog (LEQuery α) (List α)
+  | [] => pure []
+  | x :: xs => do
+    let sorted ← insertionSort xs
+    orderedInsert x sorted
+
+end Cslib.Query
+
+end -- public section
diff --git a/Cslib/Algorithms/Lean/Query/Sort/Insertion/Lemmas.lean b/Cslib/Algorithms/Lean/Query/Sort/Insertion/Lemmas.lean
@@ -0,0 +1,168 @@
+/-
+Copyright (c) 2026 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Kim Morrison, Sebastian Graf
+-/
+module
+
+public import Cslib.Algorithms.Lean.Query.Bounds
+public import Cslib.Algorithms.Lean.Query.Sort.IsSort
+public import Cslib.Algorithms.Lean.Query.Sort.Insertion.Defs
+import Mathlib.Data.List.Sort
+import Mathlib.Tactic.Ring
+public import Mathlib.Algebra.Group.Defs
+
+/-! # Insertion Sort: Correctness and Upper Bound
+
+Proofs that `insertionSort` is a correct comparison sort and uses at most `n²` queries.
+All proofs are by plain equational reasoning on `Prog.eval` and `Prog.queriesOn`.
+-/
+
+open Cslib.Query
+
+public section
+
+namespace Cslib.Query
+
+variable {α : Type}
+
+-- ## Evaluation simp lemmas for orderedInsert
+
+@[simp] theorem eval_orderedInsert_nil (oracle : {ι : Type} → LEQuery α ι → ι) (x : α) :
+    (orderedInsert x ([] : List α)).eval oracle = [x] := by
+  simp [orderedInsert]
+
+@[simp] theorem eval_orderedInsert_cons (oracle : {ι : Type} → LEQuery α ι → ι) (x y : α)
+    (ys : List α) :
+    (orderedInsert x (y :: ys)).eval oracle =
+      if oracle (.le x y) then x :: y :: ys
+      else y :: (orderedInsert x ys).eval oracle := by
+  simp [orderedInsert, LEQuery.ask]
+  split <;> simp_all
+
+-- ## Evaluation simp lemmas for insertionSort
+
+@[simp] theorem eval_insertionSort_nil (oracle : {ι : Type} → LEQuery α ι → ι) :
+    (insertionSort (α := α) []).eval oracle = [] := by
+  simp [insertionSort]
+
+@[simp] theorem eval_insertionSort_cons (oracle : {ι : Type} → LEQuery α ι → ι)
+    (x : α) (xs : List α) :
+    (insertionSort (x :: xs)).eval oracle =
+      (orderedInsert x ((insertionSort xs).eval oracle)).eval oracle := by
+  simp [insertionSort]
+
+-- ## Permutation proofs
+
+theorem orderedInsert_perm (oracle : {ι : Type} → LEQuery α ι → ι) (x : α) (xs : List α) :
+    ((orderedInsert x xs).eval oracle).Perm (x :: xs) := by
+  induction xs with
+  | nil => simp
+  | cons y ys ih =>
+    simp only [eval_orderedInsert_cons]
+    split
+    · exact List.Perm.refl _
+    · exact (List.Perm.cons _ ih).trans (List.Perm.swap _ _ _)
+
+theorem insertionSort_perm (oracle : {ι : Type} → LEQuery α ι → ι) (xs : List α) :
+    ((insertionSort xs).eval oracle).Perm xs := by
+  induction xs with
+  | nil => simp
+  | cons x xs ih =>
+    simp only [eval_insertionSort_cons]
+    exact (orderedInsert_perm oracle x _).trans (List.Perm.cons _ ih)
+
+-- ## Sortedness proofs
+
+theorem orderedInsert_sorted
+    (r : α → α → Prop) [DecidableRel r] [Std.Total r] [IsTrans α r]
+    (oracle : {ι : Type} → LEQuery α ι → ι)
+    (horacle : ∀ a b, oracle (.le a b) = decide (r a b))
+    (x : α) (xs : List α) (hxs : xs.Pairwise r) :
+    ((orderedInsert x xs).eval oracle).Pairwise r := by
+  induction xs with
+  | nil => simp
+  | cons y ys ih =>
+    simp only [eval_orderedInsert_cons, horacle]
+    split
+    next h =>
+      have hle : r x y := by simpa [decide_eq_true_eq] using h
+      exact List.pairwise_cons.mpr ⟨fun z hz =>
+        match List.mem_cons.mp hz with
+        | .inl h => h ▸ hle
+        | .inr h => _root_.trans hle (List.rel_of_pairwise_cons hxs h), hxs⟩
+    next h =>
+      have hle : ¬ r x y := by simpa [decide_eq_true_eq] using h
+      have hyx : r y x := (Std.Total.total y x).resolve_right hle
+      have ih' := ih hxs.of_cons
+      have hperm := orderedInsert_perm oracle x ys
+      exact List.pairwise_cons.mpr ⟨fun z hz =>
+        match List.mem_cons.mp (hperm.mem_iff.mp hz) with
+        | .inl h => h ▸ hyx
+        | .inr h => List.rel_of_pairwise_cons hxs h, ih'⟩
+
+theorem insertionSort_sorted
+    (r : α → α → Prop) [DecidableRel r] [Std.Total r] [IsTrans α r]
+    (oracle : {ι : Type} → LEQuery α ι → ι)
+    (horacle : ∀ a b, oracle (.le a b) = decide (r a b))
+    (xs : List α) :
+    ((insertionSort xs).eval oracle).Pairwise r := by
+  induction xs with
+  | nil => simp
+  | cons x xs ih =>
+    simp only [eval_insertionSort_cons]
+    exact orderedInsert_sorted r oracle horacle x _ ih
+
+-- ## Query count proofs
+
+theorem orderedInsert_queriesOn_le (oracle : {ι : Type} → LEQuery α ι → ι)
+    (x : α) (xs : List α) :
+    (orderedInsert x xs).queriesOn oracle ≤ xs.length := by
+  induction xs with
+  | nil => simp [orderedInsert]
+  | cons y ys ih =>
+    unfold orderedInsert LEQuery.ask
+    simp
+    split
+    · simp_all
+    · simp_all; omega
+
+theorem insertionSort_queriesOn_le (oracle : {ι : Type} → LEQuery α ι → ι)
+    (xs : List α) :
+    (insertionSort xs).queriesOn oracle ≤ xs.length ^ 2 := by
+  induction xs with
+  | nil => simp [insertionSort]
+  | cons x xs ih =>
+    have hq : (insertionSort (x :: xs)).queriesOn oracle =
+        (insertionSort xs).queriesOn oracle +
+        (orderedInsert x ((insertionSort xs).eval oracle)).queriesOn oracle := by
+      simp [insertionSort]
+    rw [hq]
+    have hlen : ((insertionSort xs).eval oracle).length = xs.length :=
+      (insertionSort_perm oracle xs).length_eq
+    have hord := orderedInsert_queriesOn_le oracle x ((insertionSort xs).eval oracle)
+    rw [hlen] at hord
+    have h1 := Nat.add_le_add ih hord
+    have hpow : xs.length ^ 2 + xs.length ≤ (xs.length + 1) ^ 2 := by
+      have : (xs.length + 1) ^ 2 = xs.length ^ 2 + 2 * xs.length + 1 := by ring
+      omega
+    simp only [List.length_cons]
+    exact Nat.le_trans h1 hpow
+
+-- ## UpperBound and IsSort instances
+
+public theorem insertionSort_upperBound :
+    UpperBound (insertionSort (α := α)) List.length (· ^ 2) := by
+  intro oracle n x hle
+  exact Nat.le_trans (insertionSort_queriesOn_le oracle x)
+    (Nat.pow_le_pow_left hle 2)
+
+public theorem insertionSort_isSort : IsSort (insertionSort (α := α)) where
+  perm xs oracle := insertionSort_perm oracle xs
+  sorted := by
+    intro xs oracle r _ _ _ horacle
+    exact insertionSort_sorted r oracle horacle xs
+
+end Cslib.Query
+
+end -- public section
diff --git a/Cslib/Algorithms/Lean/Query/Sort/IsSort.lean b/Cslib/Algorithms/Lean/Query/Sort/IsSort.lean
@@ -0,0 +1,40 @@
+/-
+Copyright (c) 2026 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Kim Morrison, Sebastian Graf
+-/
+module
+
+public import Cslib.Algorithms.Lean.Query.Sort.LEQuery
+
+/-! # IsSort: Specification for Comparison Sorts
+
+`IsSort sort` asserts that `sort` is a correct comparison sort when viewed as a `Prog`
+over `LEQuery α`. Correctness means: for any oracle, the result is a permutation of the
+input; and for any oracle implementing a total order, the result is sorted.
+
+Because the oracle is supplied *after* the program produces its query plan, the sort
+cannot cheat by using any built-in ordering on the element type.
+-/
+
+open Cslib.Query
+
+public section
+
+namespace Cslib.Query
+
+/-- A `Prog`-based function is a correct comparison sort if it always produces a permutation
+    of its input, and produces a sorted list when the oracle implements a total order. -/
+structure IsSort (sort : List α → Prog (LEQuery α) (List α)) : Prop where
+  /-- The sort produces a permutation of its input, for any oracle. -/
+  perm : ∀ (xs : List α) (oracle : {ι : Type} → LEQuery α ι → ι),
+    ((sort xs).eval oracle).Perm xs
+  /-- The sort produces a sorted list, when the oracle implements a total order. -/
+  sorted : ∀ (xs : List α) (oracle : {ι : Type} → LEQuery α ι → ι)
+    (r : α → α → Prop) [DecidableRel r] [Std.Total r] [IsTrans α r]
+    (_ : ∀ a b, oracle (.le a b) = decide (r a b)),
+    ((sort xs).eval oracle).Pairwise r
+
+end Cslib.Query
+
+end -- public section
diff --git a/Cslib/Algorithms/Lean/Query/Sort/LEQuery.lean b/Cslib/Algorithms/Lean/Query/Sort/LEQuery.lean
diff --git a/Cslib/Algorithms/Lean/Query/Sort/Merge/Defs.lean b/Cslib/Algorithms/Lean/Query/Sort/Merge/Defs.lean
diff --git a/Cslib/Algorithms/Lean/Query/Sort/Merge/Lemmas.lean b/Cslib/Algorithms/Lean/Query/Sort/Merge/Lemmas.lean
