Verifying The Four Colour Theorem Georges Gonthier Microsoft Research Cambridge
150 years of history… 1852 Conjecture (Guthrie → DeMorgan) 1878 Publication (Cayley) 1879 First proof (Kempe) 1880 Second proof (Tait) 1890 Rebuttal (Heawood) 1891 Second rebuttal (Petersen) 1913 Reducibility, connexity (Birkhoff) 1922 Up to 25 regions (Franklin) 1969 Discharging (Heesch) 1976 Computer proof (Appel & Haken) 1995 Streamlining (Robertson & al.) 2004 Self checking proof (Gonthier)
Outline Computer proofs The theorem Proof outline New math Proof techniques Proof vs. test
From proof with programs… proof text statement ?? C compiler Machine code formula ? C program ? C runtime library
… to computer proof ? statement statement Coq proof scripts Coq tactic engine Typed -calculus statement ? Coq runtime kernel
The Theorem open and connected disjoint subsets of R x R Every simple planar map can be colored with only four colors ∃good covering map with at most four regions adjacent regions covered with different colors have a common border point that is not a corner touches more than two regions
Coq definitions Record simple_map [m : map] : Prop := SimpleMap { simple_map_proper :> (proper_map m); map_open : (z : point) (open (m z)); map_connected : (z : point) (connected (m z)) }. Record coloring [m, k : map] : Prop := Coloring { coloring_proper :> (proper_map k); coloring_inmap : (subregion (inmap k) (inmap m)); coloring_covers : (covers m k); coloring_adj : (z1, z2 : point) (k z1 z2) -> (adjacent m z1 z2) -> (m z1 z2) Definition map_colorable [nc : nat; m : map] : Prop := (EXT k | (coloring m k) & (size_at_most nc k)). Theorem four_color : (m : map) (simple_map m) -> (map_colorable (4) m). Definition covers [m, m' : map] : Prop := (z : point) (subregion (m z) (m' z)). Definition size_at_most [n : nat; m : map] : Prop := (EXT f | (z : point) (inmap m z) -> (EX i | (lt i n) & (m (f i) z))). Definition border [m : map; z1, z2 : point] : region := (intersect (closure (m z1)) (closure (m z2))). Definition corner_map [m : map; z : point] : map := [z1, z2](and (m z1 z2) (closure (m z1) z)). Definition not_corner [m : map] : region := [z](size_at_most (2) (corner_map m z)). Definition adjacent [m : map; z1, z2 : point] : Prop := (meet (not_corner m) (border m z1 z2)).
The proof Combinatorial maps The induction The enumeration
Cubic maps
Coloring by induction
Configurations A configuration is a connected map fragment The partial faces of a configuration form a ring A configuration is reducible if it allows coloring by induction All nontrivial rings with fewer than six faces define reducible configurations
double rings By connectedness, all local submaps of radius 2 are double rings
The Euler Formula For any planar map, V + F – E = 2 (Euler never found the proof by flooding !) For a cubical map, #sides = 6 – 12/F A honeycomb on average, but not quite (a football, really)
Proof outline Discretize to hypermaps (= 3 finite permutations) no Jordan Curve Theorem (planarity = Euler) Configurations : data for 633 special hypermaps construction programs with multiple interpretations Unavoidability : configurations occur in internally 5-connnected planar hypermaps branch & bound enumeration Graph theory : counter-example is internally 5-connected combinatorial Jordan Curve Theorem Reducibility : configurations allow coloring by recursion 3 and 4-way decision diagrams
From maps to hypermaps f e dart n node edge
Contractions and friends
Proof techniques Computational reflection: That’s it! reducing mathematics to program verification That’s it!
How to prove 2 + 2 = 4 If 2 ≝ 1+ (1+ 0) and 4 ≝ 1+ (1+ (1+ (1+ 0))) : By deduction : Invoke instances of associativity, neutrality, apply congruence then transitivity. By equations : (1+ (1+ 0)) + 2) = (1 + 1) + 2 = (1 + (1 + 2)) ≝ 4 By computation : (2 + 2 = 4) ≝ (4 = 4) true by reflexivity !
Reflecting reducibility Computational reflection = replacing proof with computation Variable cf : config. Definition check_reducible : bool := … Definition cfreducible : Prop := … Lemma check_reducible_valid : check_reducible -> cfreducible. Usage Lemma cfred232 : (cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y)). Proof. Apply check_reducible_valid; By Compute. Qed.
Reflection at every level Large scale reflection: reducibility → proof witnesses Medium-scale reflection: unavoidability → incompleteness + debugging Small-scale reflection: graph theory → primary means of automation
Inside a proof assistant Lemma next_cycle : (p : (seq d); Hp : (cycle p)) (x : d) (p x) -> (e x (next p x)). Proof. Move=> [ | y0 p] //= Hp x. Elim: p {1 3 5}y0 Hp => [ | y' p Hrec] y /=; Rewrite: eqd_sym /setU1. Rewrite: andbT orbF. Move=> Hy Dy. By Rewrite: Dy -(eqP Dy). Case/andP => [Hy Hp]. Case: (y =P x) => [[] | _] //. Apply: Hrec Hp. Qed. 1 subgoal d : dataSet x0 : d e : (rel d) y0 : d x : d y' : d p : (seq d) Hrec : (x0:d) (path x0 (add_last p y0)) ->(setU1 x0 p x) ->(e x (next_at x y0 x0 p)) y : d ============================ (andb (e y y') (path y' (add_last p y0))) ->(or3b y =d x y' =d x (p x)) ->(e x (if (y =d x) then y‘ else (next_at x y0 y' p))) command script context goal
Five proof commands Step label: conjecture By … forward chaining Apply: lemma… => [x y Hxy | n | …] … backward chaining Move: x y Hxy … => z t Hzt … bookkeeping : context goal moves Case: x Hxy … => [a | b c] … decomposition, induction (with Elim) Rewrite: /= orbF -{x}addn0 … partial evaluation, simplification
Proof vs. test Lemma, Step Move Case Apply Rewrite test purpose (formal) test setup (assumptions) test data (partial) use prior test (generic) step & run (use prior run)
Command distribution
Some conclusions Proof assistants can give real proofs of real theorems Machine formalization can lead to new mathematical insights Formally proving programs is easier than formally proving theorems Proving is stepwise testing!