Using Isabelle to verify special relativity,
with application to hypercomputation theory
Abstract
Logicians at the Rényi Mathematical Institute in Budapest have spent several years developing versions of relativity theory (special, general, and other variants) based wholly on first order logic, and have argued in favour of the physical decidability, via exploitation of cosmological phenomena, of formally undecidable questions such as the Halting Problem and the consistency of set theory.
The Hungarian theories are very extensive, and their associated proofs are intuitively very satisfying, but this brings its own risks since intuition can sometimes be misleading. As part of a joint project, researchers at Sheffield have recently started generating rigorous machineverified versions of the Hungarian proofs, so as to demonstrate the soundness of their work. In this paper, we explain the background to the project and demonstrate an Isabelle proof of the theorem “No inertial observer can travel faster than light”.
This approach to physical theories and physical computability has several payoffs: (a) we can be certain our intuition hasn’t led us astray (or if it has, we can identify where this has happened); (b) we can identify which axioms are specifically required in the proof of each theorem and to what extent those axioms can be weakened (the fewer assumptions we make upfront, the stronger the results); and (c) we can identify whether new formal proof techniques and tactics are needed when tackling physical as opposed to mathematical theories.
Categories and Subject Descriptors:
F.4.1
[Mathematical Logic and Formal Languages]
Mathematical Logic—Mechanical theorem proving;
J.2
[Computer Applications]
Physical Sciences and Engineering—Physics
General Terms: Theory, Verification
Additional Key Words and Phrases: Firstorder relativity theory, hypercomputation, physics and computation
1 Introduction
In his seminal analysis of computation, Turing [Tur36] discussed the nature of human computation, and showed that certain tasks – most famously, the Halting Problem (HP) – are not decidable by computational means. Subsequent theoretical investigation by various researchers suggests, however, that physical systems may exist which can in fact decide HP by exploiting cosmological phenomena [Hog92, EN93, EN02, Hog04, Man10, ANS12]. This claim is, of course, highly controversial; we therefore begin by explaining the loophole in Turing’s analysis which allows ‘hypercomputational’ systems of this kind to be designed [Sta06, Sta13].
We then focus on one particular scheme for cosmological hypercomputation [EN02], and consider the extent to which it rests on secure logical foundations. Doing so will require us to explain recent work by the Hungarian team of Andréka et al, who have formalised a series of relativity theories (including special and general relativity) using firstorder logic [AMN04, AMNS08]. These firstorder foundations ensure that their theories are easy to reason about, but also introduce a number of nonstandard features. We have, therefore, recently started a joint project verifying their theories using the Isabelle proof assistant [Wen12]. We explain our approach below, and outline an Isabelle proof of the wellknown statement “No inertial observer can travel faster than light” [Ein20, AMNS12]. Finally, we summarise the work that remains to be done, and invite participation in the solution of several open questions.
2 Circumventing Turing’s analysis
Turing’s [Tur36] analysis of (human) computation provides a convincing demonstration that certain problems cannot be solved by computational means. In particular, if is a fixed enumeration of all programs^{1}^{1}1For simplicity, we will think of programs as being written in a modern highlevel language, running on a standard PC with access to unbounded memory. that take a single natural number as input, it is not possible to compute the function given by
Powerful as it is, Turing’s analysis is nonetheless susceptible to attack due to an unexamined assumption built into his description of human computation. For, as he explains [Tur50]:
The human computer is supposed to be following fixed rules; he has no authority to deviate from them in any detail. We may suppose that these rules are supplied in a book, which is altered whenever he is put on to a new job. He has also an unlimited supply of paper on which he does his calculations. He may also do his multiplications and additions on a “desk machine,” but this is not important.
In fact, the consequences of using a “desk machine” cannot be so readily dismissed, because this implies that the computation may involve coordination between two physically separated agents (the human and the machine) [Sta13]. Being physically separated, the two agents may be subject to different forces and accelerations, and this can affect the rate at which they perceive each other’s clocks to be running. This in turn provides scope for extreme computational speedup, to the extent that HP becomes solvable. For example, astronomical observations suggest the presence of a massive slowly rotating (“slow Kerr”) black hole at the centre of the Milky Way [GET09]. Such black holes are associated, in relativity theory, with a computationally useful spacetime geometry (MalamentHogarth spacetime [EN93]), containing a worldline and a point (not on ), with the following properties:

has infinite proper length;

it is possible to send a signal to from any point along .
Suppose, then, that we are given and , and want to determine whether or not P will eventually halt. We send a PC along having first loaded an interpreter with behaviour:
run P; send a signal to spacetime location p
If P doesn’t halt, the second instruction will never be reached, and no signal will be sent. On the other hand, because has infinite proper length, the PC has unbounded time available to it for its computation, and so P has enough time to run to completion if this is its underlying behaviour. Consequently, a signal will arrive at if and only if eventually halts. It is therefore enough for us to follow a trajectory that takes us through . When we arrive there, we look for the presence of the signal, saying if the signal is present, and otherwise.
3 Logical foundations
We now turn to Andréka et al’s [AMN04, AMNS12] firstorder formalisation of relativity theory. This focus on firstorder logic (FOL) is motivated by several important considerations. Foremost is the Hungarian team’s desire to demystify relativity theory by expressing its postulates and conclusions in a form that is intelligible to as large an audience as possible. By choosing simple language and a very simple axiom system, the underlying assumptions of the theory are made as straightforward as possible (see Sect. 4.2), while the use of firstorder logic and its simple reliance on Modus Ponens makes it relatively easy for newcomers to follow the proofs. Having reformulated relativity in purely logical terms, the group is also able to investigate which axioms underpin which results and which are superfluous. Given the physical nature of the theory in question, this information can then be reflected back into physics: if an axiom plays no role in establishing an experimentally observed result, then that result can neither support nor undermine the validity of the axiomatic property in question.
It is important to note, however, that the use of firstorder logic has important consequences when attempting to model physical phenomena, because FOL is not powerful enough to characterise the real number field, – the numbers typically used to represent coordinates, masses, and so forth, in physical models. Consequently, many of the realnumber properties we take for granted in physics, like the existence of limits of bounded sequences, are unavailable in a rigorous firstorder logical proof.^{2}^{2}2For completeness, we note that this difficulty can be solved within FOL by focussing attention on definable sets. For example, the statement that any decreasing sequence of real numbers, bounded below, has a greatest lower bound is not a first order statement, because it refers to ordered sets of real values.^{3}^{3}3There are fields which have the same firstorder properties as , but which contain infinitesimals. In such a field, the bounded decreasing sequence has no greatest lower bound. For suppose were its greatest lower bound; then given any positive infinitesimal , the value would be a slightly larger lower bound, thereby contradicting the definition of . Moreover, as Andréka and her colleagues have shown, many interesting theorems can be proven using less restrictive fields like the rationals, , for which the realnumber property every positive number has a positive square root fails^{4}^{4}4The statement cited is firstorder: . (such fields are said to be nonEuclidean), cf. [Szé09].
3.1 The need for formal verification
Given that “firstorder numbers” need not exhibit the properties typically expected of them by physicists, it is important that we treat traditional explanations of relativistic phenomena with caution. To this end, and as part of a Royal Society International Exchanges Scheme project, researchers in Sheffield joined forces with the Hungarian team at the start of 2012, to develop a comprehensive formal framework for relativity theory, with full machineverification of all derived theorems. To the best of our knowledge, this is the first time such a largescale physical theory has been treated in this way (but cf. [GS11, SBT12]), and it is hoped that the lessons learned will be useful in extending the approach more widely. The project has been planned in four main stages, and it is hoped that the end result will be a formal machineverified proof of the controversial claim that the power of a computational system depends on the nature of its spacetime environment, with superTuring capabilities emerging in the context of more complex spacetime geometries.
The project itself has four broad aims:

Implement firstorder axiomatizations of general relativity using the proof assistant Isabelle [Wen12];

Add a general model of computational mobility to the theory, to enable the modelling of computations carried out by machines travelling along specific spacetime trajectories;

Consider how the power of these computational systems changes according to the underlying topology of spacetime [CVGS12];

Select a recursively uncomputable problem P (for example, the Halting Problem) and machineverify the following claims:

in simpler relativistic settings, P remains uncomputable;

in some spacetimes, P can be solved.

Taken together, these steps are intended to add weight to the claim that the computational power of a device depends on the physical setting in which it finds itself.
4 The theories and their implementation
There are various versions of relativity theory, depending on what is being modelled. For special relativity (SpecRel) the two key axioms (suitably formalised) are [Ein20]:
Principle of relativity: The laws of nature are the same for every inertial observer;
Light postulate: Any ray of light moves in the ‘stationary’ system of coordinates with the determined velocity , whether the ray be emitted by a stationary or by a moving body;
while for general relativity (GenRel) we add the
Equivalence Principle: It is not possible to distinguish between the effects of acceleration and those of gravity.
In addition to special and general relativity, Székely and his colleagues have made a detailed study of accelerated observers (with or without the equivalence principle in place). The corresponding theory, AccRel, provides a convenient stepping stone from special to general relativity [Szé09].
Our Isabelle implementation^{5}^{5}5The files referred to in this paper are available from http://www.dcs.shef.ac.uk/~mps/isabelle/noFTLobserver. has been constructed in three parts, a program structure that ensures that different versions of relativity theory can easily be added later. For example, to add GenRel we would simply add a new file GenRel.thy which merges the required axiom classes and includes proofs of relevant theorems. We focus here on the firstorder theory SpecRel of special relativity. This theory is 2sorted, the sorts being Quantities (the values used to specify coordinates, speeds, masses, etc) and Body (bodies or test particles).
4.1 Background geometry (SpaceTime.thy, approx. 830 lines)
This Isabelle/HOL code file models the geometric structures common to all models of spacetime (Vectors, Points, Lines, Planes, Cones), each represented as a separate record structure with axioms attached. The axioms describe basic geometric relationships including, for example, what it means for three points to be collinear, what it means for two vectors to be orthogonal, and so forth. In particular, a key lemma for our main proof is the assertion that distinct parallel lines cannot meet (the proof is by contradiction). Having defined these classes, we take SpaceTime to be their conjunction:
class SpaceTime = Quantities + Vectors + Points + Lines + Planes + Cones
The set of Quantities is assumed to carry an ordered field structure. We shall sometimes need to assume that the field is also Euclidean – i.e., that square roots exist for positive values – but this is not a general requirement, so it will be added as a separate axiom class later. Since Isabelle/HOL already includes a suitable class, the implementation of Quantities is particularly simple:
class Quantities = linordered_field
For simplicity we assume that spacetime is dimensional (one time dimension + three space dimensions), so that Points and Vectors are both specified as 4tuples of Quantities. In more complex relativity theories, we allow both the number of space dimensions, and the number of time dimensions, to vary. Lines are specified by giving a point (the line’s basepoint) and a vector (its direction), while planes are specified by a basepoint and two vectors.
Because we are dealing here with special relativity, all lightcones can be considered to be ‘upright’ (for general relativity we need to allow cones that are ‘tilted’ by curvature effects); each cone can therefore be specified by giving a point (its vertex) and a quantity (its slope). However, the freedom with which we can specify quantities has certain concomitant sideeffects, and these need to be taken into account. In realnumber physics, we would consider the slope of the cone
to be , but when Quantities is nonEuclidean we cannot be certain that is defined. Consequently, we take the slope of the cone to be rather than , and adjust all associated formulae and proofs accordingly.
4.2 Axioms (Axioms.thy, approx. 260 lines)
This file includes various axioms used by the Hungarian group, each implemented as a separate class. Different relativity theories can then be constructed by merging the relevant axiom classes and omitting those that are not required; we focus here on the axioms that will be needed to specify SpecRel.
The axioms describe the events in which bodies can participate, and how their descriptions change from one observer’s viewpoint to another. Here, a Body can be either a photon (which always travels at constant speed) or an inertial observer (which always travels at constant speed, and in addition is capable of making observations). Since we do not assume a priori that the classes of photons and inertial observers are disjoint, we represent bodies using an Isabelle/HOL record structure:
record Body = Ph :: "bool" IOb :: "bool"
For more complex relativistic theories we also need to consider noninertial observers (those which can accelerate), as well as more general types of body, and in this regard the use of Isabelle/HOL record structures is particularly convenient, since we can easily extend the Body record structure to include new descriptions. The distinction between inertial observers and more general body types emerges in these more advanced theories. For example, we demonstrate below that inertial observers can never travel faster than (what they consider to be) the speed of light, but this property need not be provable of more general bodies [NS12, Szé12].
In addition to the ordered field axioms associated with Quantities, SpecRel is formally generated using just the four axioms described below (AxPh, AxEv, AxSelf, AxSym), but in practice we have found it sensible to replace Quantities with a larger WorldView class (below) so as to have available the necessary abbreviations and functions. This simplifies proofs considerably. Moreover, our proof that inertial observers cannot travel faster than light requires us to find the intersection of a line with a cone, and this in turn requires the existence of square roots – we have therefore included the Euclidean axiom (AxEuclidean). Finally, we make use of various additional properties of cones, lines and planes (given in SpaceTime.thy). These define various relatively complicated concepts, such as what it means for a plane to be tangent to a (light)cone:
class Cones = Quantities + Lines + Planes +
fixes
tangentPlane :: "’a Point ’a Cone ’a Plane"
assumes (* The basepoint of the tangentplaneate is e *)
AxTangentBase: "pbasepoint (tangentPlane e cone) = e"
and (* The tangent plane contains the vertex *)
AxTangentVertex: "inPlane (vertex cone) (tangentPlane e cone)"
and (* The tangent plane meets the cone in a line *)
AxConeTangent: "(onCone e cone)
(inPlane pt (tangentPlane e cone) onCone pt cone)
collinear (vertex cone) e pt)"
and (* The tangent plane is tangential to all cones with vertex
in that plane, and the intersection lines are parallel. *)
AxParallelCones: "(onCone e econe e vertex econe
onCone f fcone f vertex fcone
inPlane f (tangentPlane e econe))
(samePlane (tangentPlane e econe) (tangentPlane f fcone)
((lineJoining (vertex econe) e) (lineJoining (vertex fcone) f)))"
and (* If f is outside a cone, there is a tangent plane to that cone which
contains f. The tangent plane is determined by some e lying on
the intersection line with the cone. *)
AxParallelConesE: "outsideCone f cone (e.(onCone e cone
e vertex cone inPlane f (tangentPlane e cone)))"
AxEuclidean
This axiom states that every positive quantity has a positive square root, and defines the sqrt function.
class AxEuclidean = Quantities +
assumes
AxEuclidean: "(x (0::’a)) (r. ((r 0) (r*r = x)))"
begin
fun sqrt :: "’a ’a" where
"sqrt x = (SOME r. ((r (0::’a)) (r*r = x)))"
end
Notice, however, that we do not assume that the positive square root is uniquely defined (instead, this is a theorem). Consequently, even though sqrt is defined using the fun keyword, it is not in fact defined to be a function, because the use of SOME technically allows a different value to be selected each time sqrt is referenced.
The WorldView relation
Two key features of firstorder relativity theory are the worldview relation (W) and the worldview transformation (wvt).
class WorldView = SpaceTime +
fixes
(* Worldview relation *)
W :: "Body Body ’a Point bool" ("_ sees _ at _")
and
(* Worldview transformation *)
wvt :: "Body Body ’a Point ’a Point"
assumes
AxWVT: " IOb m; IOb k (W k b x W m b (wvt m k x))"
and
AxWVTSym: " IOb m; IOb k (y = wvt k m x x = wvt m k y)"
begin
end
The relation W tells us which bodies an inertial observer sees at each spacetime location. Thus, W m b p is True precisely when m considers the body (whether inertial observer or photon) b to be present at location p. We can use W to define various standard concepts; for example, the worldline of b (from m’s point of view) is simply the set {p . W m b p}.
The worldview transformation tells us how one observer’s viewpoint is related to another. As AxWVT explains, if wvt m k x is y, this means that whatever k sees at x, m sees at y.
AxPh
The photon axiom says that for any inertial observer, the speed of light () is the same in every (spatial) direction everywhere and is positive. Furthermore, it is possible to send out a light signal in any (spatial) direction. (The auxiliary functions space2 and time2 give the squared spatial and temporal separations, respectively, of two spacetime locations x and y.)
class AxPh = WorldView +
assumes
AxPh: "IOb(m)
(v. ( (v (0::’a)) ( x y . (
(p. (Ph p W m p x W m p y))
(space2 x y = (v * v)*(time2 x y))
))))"
begin
fun c :: "Body ’a" where
"c m = (SOME v. ( (v (0::’a)) ( x y . (
p. (Ph p W m p x W m p y))
(space2 x y = (v * v)*(time2 x y))
)))"
fun lightcone :: "Body ’a Point ’a Cone" where
lightcone m v = mkCone v (c m)"
(* various lemmas follow that are not included here *)
Notice, however, that the speed of light is not assumed to be the same for all observers: the value is therefore parametrised according to the inertial observer in question. As before, the use of SOME suggests that c m need not be uniquely defined, but uniqueness becomes provable within SpecRel due to the inclusion of additional axioms. Note also that c p is technically specified when p is a photon; but in this case the precondition required to establish the value’s existence cannot be established using AxPh. In this way we avoid the (non)question “at what speed does one photon consider another photon to be travelling?”
AxEv
The event axiom says that all inertial observers are participating in the same universe – if one observer sees two bodies meeting at some spacetime location, they all see them meeting (though they may disagree as to where that meeting takes place).
class AxEv = WorldView +
assumes
AxEv: " IOb m; IOb k (y. (b. (W m b x W k b y)))"
begin
end
AxSelf
The self axiom says that inertial observers consider themselves to be stationary in space (so they consider their worldline to be the time axis)
class AxSelf = WorldView +
assumes
AxSelf: "IOb m (W m m x) (onAxisT x)"
begin
end
AxSym
The symmetry axiom says that inertial observers agree as to the spatial distance between two spacetime events if these two events are simultaneous for both of them.
class AxSym = WorldView +
assumes
AxSym: " IOb m; IOb k
(W m e x W m f y W k e x’ W k f y’
tval x = tval y tval x’ = tval y’ )
(space2 x y = space2 x’ y’)"
begin
end
4.3 SpecRel (SpecRel.thy, approx. 340 lines)
This file defines the theory SpecRel,
class SpecRel = WorldView + AxPh + AxEv + AxSelf + AxSym (* The following proof assumes that the quantity field is Euclidean. *) + AxEuclidean (* We also assume for now that lines, planes and lightcones are preserved by the worldview transformation. This can be proven. *) + AxLines + AxPlanes + AxCones
together with our proof of the standard claim that no inertial observer can travel faster than the speed of light.
5 The proof
The statement we wish to prove (“no inertial observer can travel faster than light”) can be formalised as:
lemma noFTLObserver:
assumes iobm: "IOb m"
and iobk: "IOb k"
and mke: "m sees k at e"
and mkf: "m sees k at f"
and enotf: "e f"
shows "space2 e f (c m * c m) * time2 e f"
To see why, notice that the statement “k cannot travel faster than light” is meaningless as it stands. We need to say in whose opinion this statement is true, since the speed of light might depend on the observer. We therefore have to introduce a second inertial observer, m, in whose opinion the judgment is to be made. To find the speed at which k is moving, m needs to observe k at two different locations, e and f, and then determine the (square of the) ratio of the associated spatial and temporal separations.
The proof itself is in five basic stages.
Step 1. Assume the converse
Suppose k is going faster than light (FTL) from m’s viewpoint:
assume converse: "space2 e f > (c m * c m) * time2 e f"
Informally, we are saying that f lies outside m’s lightcone at e.
Step 2. Consider the cone at e
Consider m’s lightcone at e, and note that e is itself on this cone (since it is the cone’s vertex).
def eCone "mkCone e (c m)"
have e_on_econe: "onCone e eCone" by (simp add: eCone_def)
Step 3. Identify the tangent plane containing f
Step 1 tells us to assume that f is outside the cone. We can use the cone axioms to find a tangent plane containing f. Being a tangent plane, it will necessarily contain the vertex, e, as well. In addition, the axioms allow us to fix a point g so that the line joining g to the vertex is the line of intersection between the cone and the tangent plane. Notice that g is distinct from both e and f, and together the three points define the tangent plane.
have e_is_vertex: "e = vertex eCone" by (simp add: eCone_def)
have cm_is_slope: "c m = slope eCone" by (simp add: eCone_def)
hence outside: "outsideCone f eCone"
by (metis (lifting) e_is_vertex cm_is_slope converse outsideCone.simps)
have "outsideCone f eCone
(x.(onCone x eCone x vertex eCone
inPlane f (tangentPlane x eCone)))"
by (rule AxParallelConesE)
hence tplane_exists: "x.(onCone x eCone x vertex eCone
inPlane f (tangentPlane x eCone))"
by (smt outside)
then obtain g where g_props: "(onCone g eCone g vertex eCone
inPlane f (tangentPlane g eCone))"
by auto
have g_on_eCone: "onCone g eCone" by (metis g_props)
have g_not_vertex: "g vertex eCone" by (metis g_props)
(* ... and more ... *)
Step 4. Switch to k’s viewpoint
Because m sees k at the distinct points e and f, k should also see himself at (his transformed versions of) those points, by AxEv. But each observer considers himself to be stationary, so k considers e and f to be distinct points on his time axis, by AxSelf. If k’s worldline also passed through g, the points e, f and g would be collinear in k’s worldview, and hence also in m’s, and we know this not to be the case because e and g are both in the tangent intersection line, while f is outside the cone. Consequently, g is not on k’s time axis.
def wvte "wvt k m e"
def wvtf "wvt k m f"
def wvtg "wvt k m g"
have "W k k wvte" by (metis wvte_def AxWVT mke iobm iobk)
hence wvte_onAxis: "onAxisT wvte" by (metis AxSelf iobk)
have "W k k wvtf" by (metis wvtf_def AxWVT mkf iobm iobk)
hence wvtf_onAxis: "onAxisT wvtf" by (metis AxSelf iobk)
have wvte_inv: "e = wvt m k wvte" by (metis AxWVTSym iobk iobm wvte_def)
have wvtf_inv: "f = wvt m k wvtf" by (metis AxWVTSym iobk iobm wvtf_def)
have wvtg_inv: "g = wvt m k wvtg" by (metis AxWVTSym iobk iobm wvtg_def)
have e_not_g: "e g" by (metis e_is_vertex g_not_vertex)
have f_not_g: "f g" by (metis outside lemOutsideNotOnCone g_on_eCone)
have wvt_e_not_f: "wvte wvtf" by (metis wvte_inv wvtf_inv enotf)
have wvt_f_not_g: "wvtf wvtg" by (metis wvtf_inv wvtg_inv f_not_g)
have wvt_g_not_e: "wvtg wvte" by (metis wvtg_inv wvte_inv e_not_g)
have if_g_onAxis: "onAxisT wvtg collinear wvte wvtg wvtf"
by (metis lemAxisIsLine wvte_onAxis wvtf_onAxis
wvt_e_not_f wvt_f_not_g wvt_g_not_e)
have "collinear wvte wvtg wvtf collinear e g f"
by (metis AxLines iobm iobk wvte_inv wvtf_inv wvtg_inv)
hence "onAxisT wvtg collinear e g f" by (metis if_g_onAxis)
hence wvtg_offAxis: " (onAxisT wvtg)" by (metis g_not_collinear)
Step 5. Find a point z with impossible properties
We have seen that e and f define the time axis (from k’s point of view), and g lies off this axis. Consequently, because all lightcones are upright in special relativity, the line joining e to g has nonempty intersection with the klightcone at f. Call the point of intersection z, and observe that the klightcone at z contains both e and f. [Notice, however, that determining the coordinates of the point z typically involves the use of square roots, which is why we have assumed AxEuclidean.]
Having obtained z, we will prove that its properties are contradictory.
have "s.(p.( collinear wvte wvtg p
(space2 p wvtf = (s*s)*time2 p wvtf)))"
by (metis lemSlopedLineInVerticalPlane
wvte_onAxis wvtf_onAxis wvtg_offAxis wvt_e_not_f)
hence exists_wvtz: "p.( collinear wvte wvtg p
(space2 p wvtf = (c k * c k)*time2 p wvtf))"
by metis
then obtain wvtz where
wvtz_props: "collinear wvte wvtg wvtz
(space2 wvtz wvtf = (c k * c k)*time2 wvtz wvtf)" by auto
hence wvtf_speed: "space2 wvtz wvtf = (c k * c k)*time2 wvtz wvtf"
by metis
def z "wvt m k wvtz"
We know that f is on k’s lightcone at z, and that lightcones are mapped to lightcones under worldview transformations. We can therefore switch to m’s viewpoint, and at the same time deduce that z is on the lightcone at f.
(* f is on the lightcone at z *)
def zCone "lightcone m z"
have z_is_vertex: "z = vertex zCone" by (simp add: zCone_def)
have cm_is_zSlope: "c m = slope zCone" by (simp add: zCone_def)
have f_on_zCone: "onCone f zCone"
by (metis wvtf_inv wvtf_on_wvtzCone zCone_def)
(* whence z is on the lightcone at f *)
hence "space2 (vertex zCone) f
= (slope zCone * slope zCone)*time2 (vertex zCone) f"
by (simp add: zCone_def)
hence "space2 z f = (c m * c m)*time2 z f"
by (metis z_is_vertex cm_is_zSlope)
hence fz_speed: "space2 f z = (c m * c m)*time2 f z"
by (metis lemSpace2Sym lemTime2Sym)
def fCone "lightcone m f"
have f_is_fVertex: "f = vertex fCone" by (simp add: fCone_def)
have cm_is_fSlope: "c m = slope fCone" by (simp add: fCone_def)
hence "space2 (vertex fCone) z
= ((slope fCone) *(slope fCone))*time2 (vertex fCone) z"
by (metis fz_speed f_is_fVertex cm_is_fSlope)
hence z_on_fCone: "onCone z fCone" by (metis onCone.simps)
Similarly, we can show that z is on the lightcone at e. However, the cones at e and f share the same tangent plane (because f lies in that plane), whence the intersection lines at e and f are parallel (this is part of what it means to be a tangent plane, as expressed in the cone axioms). It follows that we have two distinct lines that intersect in a common point, z, despite being parallel.
This provides the required contradiction.
6 Discussion
In practice, the most timeconsuming part of this proof involved describing the geometric properties of spacetime – for example, deciding the best way to represent lines and planes, what it means for points to be collinear or coplanar, or what it means for two lines to be parallel. This suggests that Isabelle/HOL should provide an excellent vehicle for constructing future proofs relating to the more complex versions of relativity theory, because all standard models of general relativity are locally special relativistic. Consequently, we expect that work already invested in the construction of SpaceTime.thy (itself built on top of existing Isabelle/HOL libraries) will largely be reusable.
There remains, of course, a great deal more to be done. In addition to completing the proofs of other standard features of special relativity (for example, time dilation), we need to extend our work to both accelerating observers and their associated theorems (for example, the “twin paradox”), and observers in a gravitational field. Only then will we be in a position to model what it means for a spacetime to exhibit the MalamentHogarth timing structures relevant to existing suggestions for cosmological (hyper)computation. We also plan to continue the investigation into the physical realisticity of computing with MalamentHogarth spacetimes started in [ND06, NA06], not necessarily sticking with Kerr spacetime (cf. [Man10]).
Finally, we would like to know to what extent the work developed here can be extended to encompass other physical systems – for example quantum mechanics – and whether new proof techniques or capabilities would be useful in that effort. For example, in the proof above it was necessary for us to determine the existence of a point z with certain coordinates. Although it was straightforward to compute those coordinates by hand, it would be convenient to have a system built into Isabelle/HOL that could do the construction on our behalf, or at least tell us whether a suitable point z exists.
Acknowledgements
This research is supported under the Royal Society International Exchanges Scheme (ref. IE110369). Németi’s research was supported by OTKA grant No 81188. This work was partially undertaken whilst Stannett was a visiting fellow at the Isaac Newton Institute for the Mathematical Sciences in the programme Semantics & Syntax: A Legacy of Alan Turing.
References
 [AMN04] H. Andréka, J. X. Madarász, and I. Németi. Logical analysis of relativity theories. In Hendricks et al., editors, FirstOrder Logic Revisited, pages 1–30. LogosVerlag, Berlin, 2004.
 [AMNS08] H. Andréka, J. X. Madarász, I. Németi, and G. Székely. Axiomatizing Relativistic Dynamics without Conservation Postulates. Studia Logica, 89(2):163–186, 2008.
 [AMNS12] H. Andréka, J. X. Madarász, I. Németi, and G. Székely. A logic road from special relativity to general relativity. Synthese, 186(3):633–649, June 2012.
 [ANS12] H. Andréka, I. Németi, and G. Székely. Closed Timelike Curves in Relativistic Computation, 2012. Online: arXiv:1105.0047[grqc].
 [CVGS12] E. CsuhajVarjú, M. Gheorghe, and M. Stannett. P Systems Controlled by General Topologies. In J. DurandLose and N. Jonoska, editors, UCNC, volume 7445 of Lecture Notes in Computer Science, pages 70–81, Berlin, 2012. Springer.
 [Ein20] A. Einstein. Relativity: The Special and General Theory. Henry Holt, New York, 1920.
 [EN93] J. Earman and J. Norton. Forever is a Day: Supertasks in Pitowsky and MalamentHogarth Spacetimes. Philosophy of Science, 5:22–â42, 1993.
 [EN02] G. Etesi and I. Németi. NonTuring computations via MalamentHogarth spacetimes. Int. J. Theoretical Physics, 41:341–370, 2002. Online: arXiv:grqc/0104023v2.
 [GET09] S. Gillessen, F. Eisenhauer, S. Trippe, T. Alexander, R. Genzel, F. Martins, and T. Ott. Monitoring stellar orbits around the Massive Black Hole in the Galactic Center. The Astrophysical Journal, 692:1075–1109, 23 February 2009.
 [GS11] M. Gömöri and L. Szabó. On the formal statement of the special principle of relativity. Online: http://philsciarchive.pitt.edu/9151/4/MGLESzmathrelpreprintv3.pdf, 2011.
 [Hog92] M. Hogarth. Does General Relativity Allow an Observer to View an Eternity in a Finite Time? Foundations of Physics Letters, 5:173–181, 1992.
 [Hog04] M. Hogarth. Deciding Arithmetic using SAD Computers. The British Journal for the Philosophy of Science, 55:681–691, 2004.
 [Man10] J.B. Manchak. On the Possibility of Supertasks in General Relativity. Foundations of Physics, 40:276–288, 2010.
 [NA06] I. Németi and H. Andréka. Can general relativistic computers break the Turing barrier? In A. Beckmann, U. Berger, B. Löwe, and J.V. Tucker, editors, Logical Approaches to Computational Barriers, Second Conference on Computability in Europe, CiE 2006, Swansea, UK, July 2006, Proceedings, volume 3988 of Lecture Notes in Computer Science, pages 398–412. Springer, Berlin Heidelberg, 2006.
 [ND06] I. Németi and G. Dávid. Relativistic computers and the Turing barrier. Applied Mathematics and Computation, 178:118–142, 2006.
 [NS12] P. Németi and G. Székely. Existence of Faster than Light Signals Implies Hypercomputation already in Special Relativity. In S.B. Cooper, A. Dawar, and B. Löwe, editors, How the World Computes: Turing Centenary Conference and 8th Conference on Computability in Europe, CiE 2012, Cambridge, UK, June 1823, 2012. Proceedings, volume 7318 of Lecture Notes in Computer Science, pages 528–538. Springer, Berlin Heidelberg, 2012.
 [SBT12] N. Sundar G., S. Bringsjord, and J. Taylor. Proof Verification and Proof Discovery for Relativity. In First International Conference on Logic and Relativity: honoring István Németi’s 70th birthday, September 8–12, 2012, Budapest. Rényi Institute, Budapest, 2012. Online: http://www.renyi.hu/conferences/nemeti70/LR12Talks/govindarejulubringsjord.pdf.
 [Sta06] M. Stannett. The case for hypercomputation. Applied Mathematics and Computation, 178:8–24, 2006.
 [Sta13] M. Stannett. Membrane Systems and Hypercomputation. In Proceedings of the 13th International Conference on Membrane Computing, August 28–31, 2012, Budapest, Hungary, Lecture Notes in Computer Science. SpringerVerlag, Berlin, in press, 2013.
 [Szé09] G. Székely. FirstOrder Logic Investigation of Relativity Theory with an Emphasis on Accelerated Observers. PhD thesis, Eötvös Loránd University, 2009. Online: http://arxiv.org/pdf/1005.0973.pdf.
 [Szé12] G. Székely. The existence of superluminal particles is consistent with the kinematics of Einstein’s special theory of relativity. Online: arXiv:1202.5790[physics.genph], 2012.
 [Tur36] A. M. Turing. On computable numbers, with an application to the Entscheidungsproblem. Proc. London Math. Soc., Series 2, 42:230–265, 1937, submitted May 1936.
 [Tur50] A. M. Turing. Computing machinery and intelligence. Mind, 59:433–460, 1950.
 [Wen12] M. Wenzel. The Isabelle/Isar Reference Manual. Online: http://isabelle.in.tum.de/dist/Isabelle2012/doc/isarref.pdf, 2012.