Formalized functional analysis with semilinear maps

Semilinear maps are a generalization of linear maps between vector spaces where we allow the scalar action to be twisted by a ring homomorphism such as complex conjugation. In particular, this generalization unifies the concepts of linear and conjugate-linear maps. We implement this generalization in Lean's \textsf{mathlib} library, along with a number of important results in functional analysis which previously were impossible to formalize properly. Specifically, we prove the Fr\'echet--Riesz representation theorem and the spectral theorem for compact self-adjoint operators generically over real and complex Hilbert spaces. We also show that semilinear maps have applications beyond functional analysis by formalizing the one-dimensional case of a theorem of Dieudonn\'e and Manin that classifies the isocrystals over an algebraically closed field with positive characteristic.


Introduction
Proof assistant users have long recognized the value of abstraction. Working at high levels of generality and specializing only when needed can save significant effort in both the long and short term. In program verification, this principle manifests in the use of stepwise refinement of programs from abstract specifications to executable code [20,30]. Mathematical generalizations that are rarely used in informal presentations are much more common in formal libraries, including the use of filters to generalize limits in topology and analysis [18] and uniform spaces as a generalization of metric spaces [2,8,10].
We propose another such mathematical generalization: linear maps, a fundamental concept in many fields of mathematics, can be seen as a special case of semilinear maps. A linear algebra library built on top of this more general structure can unify concepts that would otherwise be defined separately. In particular, linear and conjugate-linear (or antilinear) maps are both examples of semilinear maps. By relating these, one can avoid a large amount of code duplication and state many theorems more naturally. This generalization is rarely seen explicitly in informal mathematics. Texts tend to focus on the linear case, claiming results about the conjugate-linear or semilinear cases "by analogy" when needed.
Motivated by the desire to formalize theorems from functional analysis at the proper level of abstraction, we have implemented this generalization in mathlib [25], a library of formal mathematics in the Lean proof assistant [13]. When we started this project, much of mathlib was already built on top of standard linear maps. With care and clever notation we were able to make the transition largely invisible. With the generalization complete we were able to state and prove a number of theorems far more elegantly than could have been done before.

10:2 Formalized functional analysis with semilinear maps
Among the results unlocked by this refactor are the Fréchet-Riesz representation theorem, which states that a Hilbert space is either isomorphic or conjugate-isomorphic to its dual space; the generic definition of the adjoint operator on an inner product space over R or C; and the spectral theorem for compact self-adjoint operators on Hilbert spaces, which gives a canonical form for an important class of linear maps by reference to their eigenvectors. This material in turn lays the groundwork for the formalization of vast areas of mathematics: complex Hilbert spaces are the bread and butter of quantum mechanics and are therefore a prerequisite for quantum information theory and a large part of mathematical physics.
Furthermore, as evidence that semilinear maps are useful for more than unifying real and complex vector spaces, we have also formalized the one-dimensional case of a theorem of Dieudonné and Manin [24] that classifies the isocrystals over an algebraically closed field of characteristic p > 0. This is a foundational result in p-adic Hodge theory.
Related literature documents the struggles in other libraries to unify real and complex linear algebra. For instance, Aransay and Divasón [5], working in Isabelle, write: We miss . . . the definition of a "common place" or generic structure representing inner product spaces over real and complex numbers . . . that could permit a definition and formalisation of the Gram-Schmidt process for both structures simultaneously.
Their work introduces a "local" solution to the issue, but we argue that basing a library on semilinear maps is the "global" solution. We discuss related work in more detail in Section 9.
We estimate that over the course of this project we have added 15k lines of code to mathlib, with 1k more lines waiting to be merged. We provide links to our contributions, indicating where they can be found in the library, on the project website. Let us note the two canonical examples: For R 1 = R 2 = R and σ the identity ring homomorphism id R : R → R, the second condition simplifies to f (cx) = cf (x), and therefore an id R -semilinear map is precisely an R-linear map in the classic sense. For R 1 = R 2 = C and σ the complex-conjugation operation conj : C → C, the second condition simplifies to f (cx) = cf (x). Therefore a conj-semilinear map is a conjugatelinear map between complex vector spaces.
The theory of semilinear maps develops along the same lines as the theory of linear maps, with minimal adjustment. The composition of a σ-semilinear map and a τ -semilinear map, for σ : R 1 → R 2 and τ : R 2 → R 3 , is a (τ • σ)-semilinear map. (For example, the composition of two conjugate-linear maps is a linear map.) If σ is bijective, the inverse of a bijective σ-semilinear map is a σ −1 -semilinear map.
Theorems about special classes of linear maps also admit semilinear analogues. Consider, for example, the theorem that a K-linear map f : E 1 → E 2 , for K a normed field and E 1 , E 2 normed spaces over K, is continuous if and only if it is bounded (∥f (x)∥ ≤ M ∥x∥ for some fixed M , for all x). This theorem generalizes to σ-semilinear maps, for σ : K 1 → K 2 , if the ring homomorphism σ is an isometry.

Conjugate-linear maps in functional analysis
An inner product space is a vector space E over a scalar field K ∈ {R, C} equipped with an inner product ⟨·, ·⟩, namely a K-valued function of two arguments which is conjugate-linear in the first argument and linear in the second argument and which has symmetry and positivity properties: 1. for all u, v, w ∈ E, ⟨u + v, w⟩ = ⟨u, w⟩ + ⟨v, w⟩ and ⟨w, u + v⟩ = ⟨w, u⟩ + ⟨w, v⟩; 2. for all c ∈ K and v, w ∈ E, ⟨cv, w⟩ = c⟨v, w⟩ and ⟨v, cw⟩ = c⟨v, w⟩; 3. for all v, w ∈ E, ⟨v, w⟩ = ⟨w, v⟩; 4. for all v ∈ E, the quantity ⟨v, v⟩ (which by (3) is real) is nonnegative, and strictly positive unless v = 0. For the case of real scalars, K = R, we consider the conjugation operation as being the identity; this allows a development of the complex case to subsume the simpler real case.
An inner product space has an associated norm ∥v∥ = ⟨v, v⟩ and hence a metric structure. A Hilbert space is an inner product space for which this metric is complete. This condition is automatic in finite dimension.
The dual of an inner product space E is the K-vector space of continuous linear maps φ : E → K. There is a natural conjugate-linear map from E to its dual E * : the vector v ∈ E is mapped to the vector ⟨v, ·⟩ in E * . To see the conjugate-linearity of this map, observe that ⟨cv, ·⟩ = c⟨v, ·⟩. It is not difficult to see that, for an appropriate norm on E * , this map is an isometry. A more subtle theorem, the Fréchet-Riesz representation theorem, asserts that for a Hilbert space E this conjugate-linear map is bijective.
Given Hilbert spaces E, F over K and a continuous linear map T : E → F , it can be proved that there is a unique continuous linear map T * : F → E, the adjoint of T , such that for all v ∈ E and w ∈ F , ⟨T v, w⟩ = ⟨v, T * w⟩. It turns out that the operation of sending T : E → F to its adjoint T * : F → E is a conjugate-linear map from E → F to F → E. To see the conjugate-linearity in this case, observe that ⟨v, (cT ) * w⟩ = ⟨(cT )v, w⟩ = c⟨T v, w⟩ = c⟨v, T * w⟩ = ⟨v, (cT * )w⟩.
Like the conjugate-linear map appearing in the Fréchet-Riesz representation theorem, the adjoint map T → T * turns out to be bijective and (for an appropriate norm) isometric.
Several important classes of continuous linear maps are defined using the adjoint. A continuous linear map T : The Hilbert sum i∈ι E ι of a family of inner product spaces (E i ) i∈ι is an inner product space whose elements are choices (v i ) i∈ι of an element from each E i , such that the collection of chosen elements is square-summable in the sense that i∈ι ∥v i ∥ 2 < ∞. Elements in the Hilbert sum i∈ι E i can be added and scalar-multiplied in the obvious way. The inner product on the Hilbert sum is given by A linear map T : E → F between normed spaces is compact if the image under T of the unit ball in E is precompact (that is, has compact closure) in F . This condition implies the 10:4 Formalized functional analysis with semilinear maps continuity of T but is more restrictive. The spectral theorem states that a normal (over C) or self-adjoint (over R or C), compact linear map T : E → E is equivalent to a diagonal map, in the sense that there exists a bijective linear isometry Φ from E to a Hilbert sum i∈ι F i , such that the linear map Φ • T • Φ −1 is diagonal. In fact, the F i may be chosen to be the eigenspaces of T , with the µ i chosen to be the associated eigenvalues.
In finite dimension, every linear map is compact. In this setting the spectral theorem reduces to the more elementary diagonalization theorem for a normal endomorphism T of a finite-dimensional inner product space E: there exists a bijective linear isometry Φ from E to a finite direct sum of finite-dimensional inner product spaces (F i ) i∈ι , such that the linear map Φ • T • Φ −1 is diagonal.

Frobenius-semilinear maps
Given a commutative ring R and a prime p, there is a classical construction [17] of an associated commutative ring W(R), the ring of p-typical Witt vectors of R. The elements of this ring are sequences of elements of R, but the definitions of addition and multiplication are rather elaborate. The motivating example is that for R the finite field Z/pZ, the ring W(Z/pZ) is the ring of p-adic integers.
The ring W(R) admits a canonical ring-endomorphism, the Frobenius endomorphism. Concretely, when R has characteristic p, it operates by sending a sequence ( In the example of the p-adic integers W(Z/pZ), this endomorphism is the identity, so the construction becomes interesting only for more complicated rings R, such as field extensions of Z/pZ.
For R an integral domain of characteristic p, the ring W(R) is also an integral domain, and therefore has a well-defined field of fractions. In this case, the Frobenius endomorphism of W(R) extends to an endomorphism of its field of fractions. If moreover the ring R is perfect, then the Frobenius endomorphism is an automorphism (that is, bijective), as is the induced automorphism of its field of fractions.
Let us fix an algebraically closed field R of characteristic p (which is necessarily a perfect integral domain), and denote by K the field of fractions of W(R) and by φ : K → K the Frobenius automorphism of K. There is a very well-developed theory of φ-semilinear maps between vector spaces over K. Notably, an important theorem of Dieudonné and Manin [24] provides an analogue of the spectral theorem. For a finite-dimensional vector space V over K, it classifies the isocrystals (bijective φ-semilinear maps f : V → V ), by constructing for such an f a decomposition of V as a direct sum of vector spaces V i which are preserved by f and on each of which the map f has a certain canonical form.
In the one-dimensional case this classification can be stated in a fairly elementary way. Let f : K → K be a φ-semilinear automorphism of K, considered as a vector space over itself. Then there exists an invertible element a of K and an integer m ∈ Z, such that for all v ∈ K, f (v) = p m a −1 φ(av).

Lean preliminaries
The mathlib library builds its algebraic hierarchy using type classes [25,27]. Baanen [6] gives an in depth account of mathlib's use of type classes, which we summarize very briefly. Each argument to a Lean declaration is declared as explicit (()), implicit ({}), or instanceimplicit ([]). Explicit arguments must be provided when the declaration is applied; implicit arguments are inferred by unification; instance-implicit arguments are inferred by type class instance resolution. This type class says that the additive monoid M has an R-module structure: it supports scalar multiplication by elements of the semiring R, and this scalar multiplication behaves properly with respect to addition on M. When R is a field instead of a semiring, an R-module is in fact a vector space. Many definitions and theorems apply in the more general setting, and when the vector space setting is needed, the transition is invisible.
A type class is a structure (i.e. a record type) that takes zero or more parameters and has zero or more fields. In the above, the arguments R and M are parameters, as are the arguments that R is a semiring and M is an additive commutative monoid. In order to elaborate the type module R M, Lean's type class inference algorithm must be able to infer the latter arguments automatically. The fields of module are add_smul and zero_smul, and a projection to distrib_mul_action R M. To construct a term of type module R M, the user must provide these values; given a term of type module R M, the user can access these values. The extends keyword can be read as "inherits from." An assumption distrib_mul_action R M is available while defining the fields add_smul and zero_smul, and indeed, the scalar action used in these fields is derived from this instance.
By default the parameters to a type class are input parameters. Lean will begin its instance search when all input parameters are known. By denoting certain parameters as output parameters, the user can instruct Lean to begin searching for instances of that class before those parameters are known; they will be determined by the solution to the search. Baanen [6, Section 5.1] describes output parameters in more detail.
Like mathlib, we freely use classical logic and do not focus on defining things computably. Within code blocks in this paper, we omit the bodies of definitions and theorems when only the type is relevant, omit some implicit arguments when the types are clear from context, and occasionally rename declarations for the sake of presentation.

Semilinear maps in Lean
Section 2 covered the mathematical motivation for semilinear maps. Here we focus on our implementation of this generalization in Lean. This work is done in the context of mathlib [25], a project with over 860k lines of code, 240 contributors, and countless users. Given the difficulty and importance of maintaining such a large library [28], we were motivated to make this refactor with as little disruption as possible.

Defining semilinear maps
Before beginning our refactor to use semilinear maps, mathlib's linear algebra development was based on the more familiar concept of linear maps.
Given two R-modules M 1 and M 2 , a linear map is an additive homomorphism M 1 → M 2 that respects the multiplicative action of R. A mul_action_hom is a homomorphism between types acted on by the same type of scalars [29]. I T P 2 0 2 2 10:6

Formalized functional analysis with semilinear maps
For readers unfamiliar with Lean syntax, it may be clarifying to see what information goes in to defining such a linear map. Despite the intimidating syntax, the input information is exactly as expected: if you have types R, M 1 , and M 2 with the appropriate operations and structure, you can construct a linear map by providing a function M 1 → M 2 and proofs that this function factors through addition and scalar multiplication.
As noted in Section 2, the domain and codomain of a linear map are modules over the same semiring. The same is true in the definition of linear equivalences: The type signature of a semilinear map 2 is more complicated, involving two scalar semirings and a ring homomorphism between them. It no longer makes sense to extend mul_action_hom, since the multiplicative actions are over different scalar types, so we instead add the field map_smul directly. The arguments R and S can be inferred from σ and are thus marked as implicit. The type R →+ * S is the type of ring homomorphisms from R to S.
While the type signature has grown more complicated, the constructor for a semilinear map is quite similar to that of a linear map: The generalization to semilinear equivalences is similar, but more involved in order to gracefully handle inversion of such maps. The additional parameter σ ′ and the ring_hom_inv_pair type class are explained in Section 4.3.
Between modules; factors over addition and scalar multiplication Continuous map Between normed modules; a normpreserving equivalence Figure 1 Notation for various classes of (semi)linear operators that appear in this paper.

Notation for semilinear maps
One can see from these definitions that semilinear maps are not a drop-in replacement for linear maps. The type signature is different, even when looking only at explicit arguments.
To convert an R-linear map to a semilinear map, one must know to invoke ring_hom.id R, the identity ring homomorphism on R.
Given how frequently linear maps appear in mathlib, this refactor threatened to be painful. Our job was made immensely easier by the use of notation. Before our refactor mathlib used the notation M 1 → l [R] M 2 to stand for for linear_map R M 1 M 2 . By redefining this notation to stand for semilinear_map (ring_hom.id R) M 1 M 2 we were largely able to avoid breaking definitions and proofs throughout the library. The same approach, with notation M 1 ≃ l [R] M 2 , worked to generalize linear equivalences to semilinear equivalences. We introduced similar notation M 1 → sl [σ] M 2 to stand for semilinear_map σ M 1 M 2 , and M 1 → l ⋆[R] M 2 to stand for a semilinear map with respect to a fixed involution such as complex conjugation.
The composition of linear maps proved to be a complication. As we note in Section 4.3, an additional type class must be inferred to justify that two semilinear maps can be composed. This inference was fragile in the presence of other features, like implicit coercions, that complicate elaboration. We introduced notation • l for the composition of linear maps, using ring_hom.id to justify the composition, and manually inserted this notation where needed.
For our new definition to be useful, theorems stated for linear maps M 1 → l [R] M 2 needed to be upgraded to theorems about semilinear maps M 1 → sl [σ] M 2 when possible. Doing so is mostly mechanical and our use of notation let us approach this without hurry. Because theorems generalized to semilinear maps still apply directly to the linear case we were able to do this generalization incrementally from the bottom up. In particular, several more specialized classes of linear maps and equivalences are also present in mathlib (Figure 1). Our bottom-up approach allowed us to break down the refactor into more manageable pieces by generalizing these one at a time.

Composition of semilinear maps
Composition of maps is complicated by this generalization. The composition of two linear maps is straightforward: it is easy to check that the composition of the underlying functions preserves addition and scalar multiplication. With semilinear maps one must also compose the homomorphisms between scalar rings. . This statement is not type-correct, since the ring homomorphism on the left is σ 12 .comp σ 21 and the one on the right is the identity. Such an issue appears in practice, for example, when defining the adjoint as a conjugate-linear map (Section 6).
To solve this issue, we introduce a type class ring_hom_comp_triple that states that two ring homomorphisms compose to a third.
We register a number of global instances of this class. We then use the ring_hom_comp_ triple type class in the definition of composition.
While this may appear to be a rather verbose type signature for the composition of maps, it allows us to avoid the above problem without introducing further complications. In common situations, the appropriate global instances generate the necessary ring_hom_comp_triple argument without input from the user. For example, the following global instance allows for the composition of two (genuine) linear maps, or more generally for the composition of a semilinear map with a linear map. We expand on the types here in Section 5.1; in concrete terms, this instance says that the conjugation operation on a type supporting conjugation is an involution. This allows us to compose two conjugate-linear maps to obtain, definitionally, a linear map. The intention is that users should never work directly with a composition g.

Fréchet-Riesz representation theorem
In the following three sections we describe results that we were able to formalize at the proper level of generality thanks to our refactor. By the "proper level" of generality, we mean that our results hold generically over the real and complex numbers without case splits or separate declarations.

The is_R_or_C type class
Many results in functional analysis, including those presented here, hold for a field K ∈ {R, C}.
Such results are usually presented in the literature by giving proofs for the complex case, with the real case following in the obvious way: replace complex conjugation by the identity, i by zero, and so on. Before beginning our refactor, we introduced a type class is_R_or_C to mathlib used to formalize this kind of result. A type that instantiates is_R_or_C is a complete nondiscrete field with (real) norm containing an element i and functions conj, re and im that satisfy a number of ad-hoc axioms chosen to mimic the behavior of a field that is either R or C. The conj operator is an involutive ring homomorphism, enabling the notation discussed in Section 4.3. Two global instances stating is_R_or_C R and is_R_or_C C allow theorems over the generic type class to be specialized immediately to either concrete type. The conjugation operator conj is definitionally equal to the identity function in the real case and the complex conjugation function in the complex case. We note an experiment with a similar type class in Isabelle [5].

Figure 2
The is_R_or_C type class is satisfied only by fields isomorphic to R or C. The star_ring assumption endows K with an involutive operator conj that respects addition and multiplication.

Fréchet-Riesz representation theorem
Our first application of semilinear maps is in proving the Fréchet-Riesz representation theorem. While the real case has been formalized in Coq [7] and Mizar [26], and the complex case in Isabelle [11], we are not aware of a development that unifies the two. 4 Given a Hilbert space E, its dual space E * consists of the set of continuous linear functionals on E (i.e. E * = {f : E → K | f is linear and continuous}). The dual space certainly includes elements of the form f v that map w ∈ E to ⟨v, w⟩, and the Fréchet-Riesz representation theorem states that all elements of the dual space are of this form. That is, there exists an (in fact, isometric) equivalence between E and E * that maps v to to f v .
The difficulty in formalizing this is that while this equivalence is linear in the real case, in the complex case, it is conjugate-linear. The challenge is to construct this object in such a way that (1) there is a common definition for both the real and complex case, and (2) the added complication of conjugate-linearity is completely transparent in the real case. Before our refactor mathlib simply had two separate constructions. We are able to replace those two constructions with the following, which satisfies both requirements stated above: Read aloud this definition says that "a real or complex Hilbert space E is isometrically conjugate-isomorphic to its dual space." But when specialized to the real case, the statement is definitionally equal to "E is isometrically isomorphic to its dual space." Our proof of this theorem does not differ from the real version of the proof in mathlib prior to our refactor. In fact, the patch unifying the real and complex versions 5 added only 45 lines of code and removed 79; the only change beyond rearranging and documentation was to generalize the statement of the theorem. The Lean implementation of the orthogonal projection on real inner product spaces, a tool used in the proof, had been written by Zhouhang Zhou as a port of work in Coq by Boldo et al. [7].

Adjoints of operators on Hilbert spaces
Given a continuous linear map A between two Hilbert spaces E and F , the adjoint of A is the unique continuous linear map A * : F → E such that for all x ∈ E and y ∈ F , ⟨y, Ax⟩ F = ⟨A * y, x⟩ E . The adjoint satisfies a number of properties: it is involutive (i.e. (A * ) * = A), it is an isometry, and, most importantly for our purposes here, it is conjugate-linear. Hence, it was natural to bundle it in mathlib as a conjugate-linear isometric equivalence as follows: This definition fully exploits the algebraic formalism built for semilinear maps, including the composition mechanism of Section 4.3. For example, the statement that the composition of the adjoint operation with itself is equal to the identity map from E →L[K] F to itself (a "true" K-linear map) would not typecheck without the ring_hom_comp_triple mechanism.
In finite dimension, every linear map is a continuous linear map, so the adjoint construction actually applies to every linear map. We provide this construction as linear_map.adjoint for the benefit of future users interested only in the finite-dimensional setting.
An operator T on a Hilbert space is said to be self-adjoint if T = T * and normal if T * T = T T * . We allow these definitions to apply both to the finite-dimensional setting with linear_map.adjoint and to the general setting with continuous_linear_map.adjoint by in fact writing these definitions in the more general context of a star_ring, a ring equipped with a fixed involutive ring homomorphism.

7
Versions of the spectral theorem

The ℓ 2 construction
The spectral theorem, in finite dimension also known as the diagonalization theorem, expresses an operator on a Hilbert space in the canonical form of a "diagonal" operator. To describe this canonical form, one needs some version of the Hilbert sum or ℓ 2 -space constructions. Before we started, mathlib already had a finitary version of this construction, namely the following construction for an inner product space structure on the product of finitely many inner product spaces. Note that the p parameter is not used in the definition of pi_Lp. A normed space structure that depends on p is defined on this family of types.
We require the general version of this construction, with a possibly-infinite index set ι. We first define a predicate mem_ℓp f p on dependent functions in Π (i : ι), G i which, for p = 2, amounts to the norm-squared of the function being a convergent sum. The associated subset of Π (i : ι), G i is named lp G p, proved to be an additive subgroup, and for p = 2 equipped with an inner product space structure. This inner product space is called the Hilbert sum of the family G. In the general version we allow p to be an extended nonnegative real. This is a reasonably labor-intensive construction (some 500 lines of code), the difficulties being a series of small analytic arguments about the convergence of the sums involved. It is closely analogous to Rémy Degenne's mathlib construction of the inner product space structure on L 2 (X, G), with related work in Isabelle [15]. However, neither construction is a strict generalization of the other: the L 2 construction allows for integrals with respect to an arbitrary measure rather than just sums, whereas the ℓ 2 construction applies to dependent functions of type Π (i : ι), G i in which the "codomain" varies depending on the argument. We in fact need this dependent property for the spectral theorem.
A further analytic argument establishes the completeness of ℓ p . The key step here is an argument that a pointwise limit of a uniformly-bounded sequence of elements of ℓ p is itself in ℓ p . is A Hilbert space is by definition a complete inner product space and therefore this establishes that the Hilbert sum lp G 2 is a Hilbert space. Finally, given a Hilbert space E of interest, an important argument establishes a mechanism for "collating" a family of isometries from the summands G i into E to an isometric isomorphism from lp G 2 into E. It is sufficient (and necessary) that the images of the family of isometries form a mutually-orthogonal family of subspaces of E, and that their joint span be dense in E.
We also provide the finitary, i.e. pi_Lp, version of this construction.

Common outline of the spectral theorems
A diagonal operator on lp G 2 or pi_Lp 2 G is an operator that, for some fixed sequence of scalars µ : ι → K, sends each dependent function f : Π (i : ι), G i to the pointwiserescaled function λ i, µ i · f i. The spectral theorem for compact self-adjoint (respectively, normal) operators states that such an operator over is_R_or_C (respectively, C) is equivalent to a diagonal operator on lp G 2, for some family of inner product spaces G. The finitedimensional special case, the diagonalization theorem, states that a normal endomorphism of a finite-dimensional inner product space over C is equivalent to a diagonal operator on some The key point of all such theorems, which we defer discussing to Section 7.3, is a proof that every operator from the stated class has an eigenvalue (unless the operator is the trivial operator on the trivial vector space). The proof of this important point is what differs from theorem to theorem. In this subsection we discuss the common part of the proofs of the theorems, namely the reduction to the existence of an eigenvalue.
This part is essentially algebraic and is carried out for a endomorphism of an inner product space E that satisfies the following property, common to those three cases: We first show that the eigenspaces of such an operator are mutually orthogonal.
This puts us in a position to apply the final construction from Section 7.1 to the collection of eigenspaces of T . Specifically, if the completeness property ( (µ : K), (eigenspace T µ)).topological_closure = ⊤ or its finite-dimensional analogue can be established, then those results establish an isometric isomorphism between E and the Hilbert sum of its own eigenspaces. It is easy to check that the operator T , when transferred by this isometric isomorphism to the Hilbert sum, is diagonal.
A further sequence of lemmas leads to this completeness property, and it is here that the eigenvalue existence result is required. It is shown that an inner_product_space.is_normal operator preserves orthogonal complements of eigenspaces.
Such an operator preserves the mutual orthogonal complement of all its eigenspaces.
The restriction of such an operator to this mutual orthogonal complement, which is therefore well-defined, itself has no eigenvalues.
From here, if the existence of an eigenvalue for all nontrivial operators in the class considered is known, by contraposition the subspace ( (µ : K), eigenspace T µ) ⊥ (being the domain of the operator T.restrict (orthogonal_supr_eigenspaces_invariant hT), which has no eigenvalues) must be trivial. Standard Hilbert space theory implies that the subspace (µ : K), eigenspace T µ must be dense, the desired completeness result.

Existence of an eigenvalue
The first version of the spectral theorem we prove is for normal endomorphisms of a finitedimensional inner product space over C.
We also provide the more classical version of this theorem, stating that there exists an orthonormal basis of eigenvectors of T. For this class of operators, the proof of the existence of an eigenvalue is straightforward. In finite dimension, an endomorphism has a well-defined characteristic polynomial. Over an algebraically closed field this polynomial must have a root, and this root is an eigenvalue.
The second version of the spectral theorem we prove is for self-adjoint compact operators on a Hilbert space. Here a map between normed spaces is said to be compact, if the image of every bounded subset has compact closure. A compact linear map is automatically continuous, so it is no loss of generality to take T to be of type E →L[K] E. In this setting we state the spectral theorem as follows.
For this class of operators, the proof of the existence of an eigenvalue comes from a long and delicate calculation involving the Rayleigh quotient, some 700 lines of code. It is proved that local maxima/minima of the Rayleigh quotient are eigenvectors, that the operator norm of T is the supremum of the absolute value of the Rayleigh quotient, and (using the compactness of T) that the Rayleigh quotient of T achieves its maximum.
Having established in this project the basic properties of compact operators, the infinitedimensional theorem of the spectral theorem for compact normal operators is also within reach. There, the proof of the existence of an eigenvalue comes from an argument about the resolvent, a holomorphic function with values in the Banach space E → l [C] E. The current development of complex analysis in mathlib by Yury Kudryashov [19] is sufficiently general for this setting. However, this would not supersede the spectral theorem we prove for compact self-adjoint operators: the latter works generically over R and C, which is more elegant than to deduce it in the real setting from the normal-operator version over C by making an argument about the operator's complexification.

Frobenius-semilinear maps and isocrystals
Our formal development of semilinear maps was motivated by applications in functional analysis to unify statements and proofs over R and C. But these maps are interesting and fruitful objects of study in their own right. As an example of an interesting result about semilinear maps that are not linear or conjugate-linear, we formalize the one-dimensional case of a theorem of Dieudonné and Manin [24] (see Demazure [14, chapter 4] for a classical exposition and Lurie [21] for a modern outline without proof), which classifies the isocrystals over an algebraically closed field of characteristic p > 0 (Section 2.3). We denote the ring of p-typical Witt vectors over k by W k and the field of fractions of this ring by K(p, k). This was defined in mathlib by Commelin and Lewis [12], along with the Frobenius endomorphism frobenius : W k →+ * W k.
For the remainder of this section, we work in a context where p is a prime natural number and k is an integral domain of characteristic p with a pth root function. Since the base ring k has characteristic p, frobenius satisfies the following property: lemma coeff_frobenius_char_p (x : W k) (n : N) : (frobenius x).coeff n = (x.coeff n)^p The additional hypothesis that k has a pth root function implies that frobenius is in fact an automorphism, and with k an integral domain, this induces an automorphism on the field of fractions K(p, k). Locally we let φ(p, k) denote this map. We will be interested in maps between K(p, k)-vector spaces that are semilinear in φ ("Frobenius-semilinear"). To facilitate the use of these maps, we add an instance of ring_hom_inv_pair (Section 4.3) for φ and its inverse. We also introduce notation V → f l [p, k] V 2 and V ≃ f l [p, k] V 2 for the types of Frobenius-semilinear maps and equivalences.
An isocrystal is a vector space over the field K(p, k) additionally equipped with a Frobenius-semilinear automorphism.
We denote the map frob by Φ(p, k). We say two isocrystals over K(p, k) are equivalent The Dieudonné-Manin theorem classifies the isocrystal structures in every finite dimension, up to this notion of equivalence, over an algebraically closed field k. We restrict our attention to the one-dimensional case, where the classification can be stated quite explicitly. The field K(p, k) is naturally a vector space over itself with dimension 1. There is a standard family of Frobenius-semilinear automorphisms K(p, k) ≃ f l [p, k] K(p, k) indexed by the integers, namely p^m · φ(p, k) for each m : Z, where the Frobenius automorphism φ(p, k) is itself considered as a Frobenius-semilinear automorphism. This induces a Z-indexed family of distinct isocrystals which we refer to as standard_one_dim_isocrystal p k m, and we prove that any one-dimensional isocrystal is equivalent to one of the these standard isocrystals. The key to proving this statement is finding, for any a, b : W k with nonzero leading coefficients, a vector x : W k such that frobenius x * a = x * b. We define such an x coefficient by coefficient by an intricate recursion that invokes the algebraic closedness of k at each step to solve a new polynomial equation. The argument requires us to mediate between different "levels" of polynomials -universal multivariate polynomials over Z, and multivariate and univariate polynomials over k -which proved challenging. Arithmetic operations on Witt vectors are notoriously complicated, and the machinery for universal calculations introduced by Commelin and Lewis [12] does not apply here. This key lemma takes 550 lines to establish.
The remainder of the proof of the isocrystal classification theorem was remarkably straightforward. We needed to extend mathlib's Witt vector library to show that when k is an integral domain, W k is too. Modulo this and the previous key lemma, the proof (including the definitions of Frobenius-semilinear maps and isocrystals) takes only 100 lines.

Related work
Given the fundamental importance of linear algebra, it is no surprise that theories have been developed in many proof assistants. To our knowledge, none of these libraries define semilinear maps, none prove the spectral theorem for compact operators, and none prove any of the results we describe generically over R and C.
Mahmoud, Aravantinos, and Tahar [23] and Afshar et al. [3] both describe developments in HOL Light of complex vector spaces. Both use encodings inherently specific to the complex case; they do not generalize the work over the reals by Harrison [16].
Aransay and Divasón [4] introduce vector spaces over arbitrary fields to Isabelle/HOL, using a careful combination of type classes and Isabelle's locale feature. A paper by the same authors [5] describes an experiment to generalize the Isabelle definition of a real inner product space to a larger class of fields, using a type class that seems analogous to our class is_R_or_C (Section 5.1). Implementing this idea systematically would probably involve providing a locale-based generalization of euclidean-space at the beginning of the Isabelle/HOL mathematical analysis library, and the authors do not take this project on, despite noting how useful the generalization would be.
An Isabelle Archive of Formal Proofs entry by Caballero and Unruh [11] duplicates much of the real vector space development in the complex setting, in the process introducing conjugate-linear maps and the complex adjoint operator. Little infrastructure seems to be shared between the real and complex cases. Their development includes a proof of Fréchet-Riesz over C, but does not indicate how it might specialize to R. Also motivated by applications in quantum computation, Bordg et al. [9] define the conjugate-transpose, the analogue of the adjoint in the matrix setting, but again do not generalize to arbitrary fields.
Perhaps related to the more expressive type theory, Coq developments of linear algebra have taken more advantage of type polymorphism. The Mathematical Components library [22] features a theory of modules over arbitrary scalar rings, as does Coquelicot [8]. Building on both these libraries, MathComp-Analysis [1] develops structures used in functional analysis. A linear_for predicate in Mathematical Components expresses a concept which is mathematically slightly more general than our semilinear_map definition, but which has less convenient properties under composition and inversion. In a branch of the Mathematical Components repository, 6 Cohen defines Hermitian forms, which diverge in behavior over R and C similar to conjugate-linear maps. The approach here has some similarities to ours, but preserves fewer definitional equalities; in particular, our conjugate-linear maps on R are definitionally linear maps, while the analogous statement does not hold for the Mathematical Components approach to Hermitian forms.
Boldo et al. [7] prove the real case of Fréchet-Riesz using Coquelicot, on the way to the Lax-Milgram theorem, but do not address the complex case. Narita et al. [26] do the same in Mizar. Cohen proves the diagonalization theorem for normal matrices in the same of the Mathematical Components repository. 6 This is mathematically equivalent to the diagonalization theorem for normal endomorphisms of a finite-dimensional space described at the start of Section 7.3. Cohen's matrix version could more easily be converted for use in verified numerical analysis, whereas the abstract linear-map version we provide is more convenient in mathematical applications and also admits a more streamlined proof.