Verifying the Four Colour Theorem Georges Gonthier Microsoft Research Cambridge

150 years of history… 1852 Conjecture (Guthrie DeMorgan) 1878 Publication (Cayley) 1879 First proof (Kempe) 1880 Second proof (Tait) 1890 Rebuttal (Heawood) 1891 Second rebuttal (Petersen) 1913 Reducibility, connexity (Birkhoff) 1922 Up to 25 regions (Franklin) 1969 Discharging (Heesch) 1976 Computer proof (Appel & Haken) 1995 Streamlining (Robertson & al.) 2004 Self checking proof (Gonthier)

So what about it ? It shows software can be as reliable as math. Its been done by applying computer science to mathematics. The art of computer proving is maturing.

Outline The Four Colour Theorem what it says how its proved Formal proofs proving with programs thinking with programs Computer proofs how its done

The Theorem Every simple planar map can be colored with only four colors disjoint subsets of R x Ropen and connected good covering map with at most four regions adjacent regions covered with different colors have a common border point that is not a corner touches more than two regions

Record simple_map (m : map) : Prop := SimpleMap { simple_map_proper :> proper_map m; map_open : z, open (m z); map_connected : z, connected (m z) }. Record coloring (m, k : map) : Prop := Coloring { coloring_proper :> proper_map k; coloring_inmap : subregion (inmap k) (inmap m); coloring_covers : covers m k; coloring_adj : z 1 z 2, k z 1 z 2 adjacent m z 1 z 2 m z 1 z 2 }. Definition map_colorable n m := 2 k, coloring m k & size_at_most n k. Theorem four_color : m, simple_map m map_colorable 4 m. The formal theorem Definition covers (m, m' : map) := z : point, subregion (m z) (m' z). Definition size_at_most n m := f, z, inmap m z 2 i, i < n & m (f i). Definition border m z 1 z 2 := intersect (closure (m z 1 )) (closure (m z 2 )). Definition corner_map (m : map) z : map := fun z 1 z 2 m z 1 z 2 closure (m z 1 ) z. Definition not_corner m z := size_at_most 2 (corner_map m z). Definition adjacent m z 1 z 2 := meet (not_corner m) (border m z 1 z 2 ).

Outline The Four Colour Theorem what it says how its proved Formal proofs proving with programs thinking with programs Computer proofs how its done

Colouring by induction Configuration reducible ring

Cubic maps Euler formula R + N – E = 2 2E/R = /R the worlds a football #sides

Small rings Any non-trivial ring < 6 defines reducible configurations (Birkhoff, 1913) If there are no small rings, then all 2- neighborhoods are double rings look for configurations in 2-neighborhoods!

The proof in a nutshell Find a set of configurations such that: (A) reducibility: Each one can be coloured to match any planar ring colouring. (B) unavoidability: At least one appears in any planar map. Verify that the combinatorics fit the topology (graph theory + analysis). 10,000 cases 1,000,000,000 cases

Progress in verification 1976 A & H IBM 370 reducibility 2 books 1000s of figures 1995 RSST C program reducibility unavoidability 35-page paper 2005 MSR Gallina reducibility unavoidability graph theory topology data structures … 35 lines of definitions ? ?

Outline The Four Colour Theorem what it says how its proved Formal proofs proving with programs thinking with programs Computer proofs how its done

The Poincaré principle How do you prove: Given 2 1+ (1+ 0) 4 1+ (1+ (1+ (1+ 0))) n + m if n is 1+ n then 1+ (n + m) else m (a recursive program) = 4 ? a: = 2 (neutral left) b: (1 + 0) + 2 = 1 + (0 + 2) (associativity) c: = 1 + ((1 + 0) + 2) (def, associativity) d: = 1 + (1 + (0 + 2)) (replace b in c) e: (replace a in d, def) a: (def, calculation)

Reflecting reducibility Setup Variable cf : config. Definition cfreducible : Prop := … Definition check_reducible : bool := … Lemma check_reducible_valid : check_reducible -> cfreducible. Usage Lemma cfred232 : cfreducible (Config H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y). Proof. apply check_reducible_valid; by compute. Qed. 20,000,000 cases

Border colouring (Tait 1880)

Chord flips (Kempe 1879) ( )0)0 )1)1 ( chromogram colouring

Model checking colourings 1 Ξ0Ξ0 Λ0Λ0 ΛiΛi ΞiΞi Λ Ξ Λi+1Λi+1 Yes No Ξ i+1 Ξ, Λ restrict Λ decrement Ξ any ? No kempe

Chromogram twiddling Fixpoint gram_neg_rec (n : nat) (w : chromogram) {struct w} : chromogram := match w, n with | Adds Gpush w', _ => Adds Gpush (gram_neg_rec (S n) w') | Adds Gskip w', _ => Adds Gskip (gram_neg_rec n w') | Adds s w', S n => Adds s (gram_neg_rec n w') | Adds Gpop 0 w', O => Adds Gpop 1 w' | Adds Gpop 1 w', O => Adds Gpop 0 w' | seq0, _ => w end. Definition gram_neg := gram_neg_rec 0.

Correctness proof Lemma match_gram_neg : forall b 0 et w, matchg (Seq b 0 ) et (gram_neg w) = matchg (Seq (¬ b 0 )) et w. Proof. move=> b 0 et w; set sb : bitseq := seq 0. have Esb: forall b : bool, Adds b sb = add_last sb b by done. rewrite /gram_neg -[0]/(size sb) 2!{}Esb. elim: w et sb => [|s w IHw] et lb; first by case lb. case Ds: s; (case: et => [|e et]; first by case lb); first [ by case: e (IHw et (Adds _ lb)) => /= | by case: e; case: lb => [|b lb]; rewrite /= ?if_negb ?IHw ]. Qed.

Outline The Four Colour Theorem what it says how its proved Formal proofs proving with programs thinking with programs Computer proofs how its done

Formalizing maps n f node edge dart e

Rings and disks rest disk

Pasting configurations disk paste rest contour cycle full map

Folkloric proofs? (3.3) Let K be a configuration appearing in a triangulation T, and let S be the free completion of K. Then there is a projection ɸ of S into T such that ɸ (x) = x for all x V(G(K)) E(G(K)) F(G(K)). This is a folklore theorem, and we omit its [lengthy] proof… Definition phi x := if ac x then h x else if ac (edge x) then edge (h (edge x)) else if ac (node x) then face (edge (h (node x))) else edge (node (node (h (node (edge x))))).

Unavoidable pattern

Topology Euler: (n + 1) 2 + n – 2n(n+1) = 2

Outline The Four Colour Theorem what it says how its proved Formal proofs proving with programs thinking with programs Computer proofs how its done

1 subgoal d : dataSet e : rel d ============================ forall (p : seq d) (x : d), cycle p -> p x -> e x (next p x) 1 subgoal d : dataSet e : rel d y0 : d p : seq d x : d Hp : path y0 (add_last p y0) ============================ setU1 y0 p x -> e x (next_at x y0 y0 p) 2 subgoals d : dataSet e : rel d y0 : d x : d y : d ============================ e y y0 && true -> (y =d x) || false -> e x (if y =d x then y0 else x) subgoal 2 is: e y y && path y (add_last p y0) -> or3b (y =d x) (y =d x) (p x) -> e x (if y =d x then y else next_at x y0 y p) 2 subgoals d : dataSet e : rel d y0 : d x : d y : d Hy : e y y0 Dy : y =d x ============================ e x (if y =d x then y0 else x) subgoal 2 is: e y y && path y (add_last p y0) -> or3b (y =d x) (y' =d x) (p x) -> e x (if y =d x then y else next_at x y0 y p) 1 subgoal d : dataSet e : rel d y0 : d x : d y : d p : seq d IHp : forall x0 : d, path x0 (add_last p y0) -> setU1 x0 p x -> e x (next_at x y0 x0 p) y : d ============================ e y y && path y (add_last p y0) -> or3b (y =d x) (y =d x) (p x) -> e x (if y =d x then y else next_at x y0 y p) 1 subgoal d : dataSet e : rel d y0 : d x : d y : d p : seq d IHp : forall x0 : d, path x0 (add_last p y0) -> setU1 x0 p x -> e x (next_at x y0 x0 p) y : d Hy : e y y Hp : path y (add_last p y0) ============================ or3b (y =d x) (y =d x) (p x) -> e x (if y =d x then y else next_at x y0 y p) 1 subgoal d : dataSet e : rel d y0 : d x : d y : d p : seq d IHp : forall x0 : d, path x0 (add_last p y0) -> setU1 x0 p x -> e x (next_at x y0 x0 p) y : d Hy : e y y Hp : path y (add_last p y0) ============================ or3b false (y =d x) (p x) -> e x (next_at x y0 y p) Subtree proved! Proof workbench Lemma next_cycle : p x, cycle p p x e x (next p x). Proof. move [ | y 0 p] x //= Hp. elim: p {1 3 5}y 0 Hp [ | y' p IHp] y /=; rewrite eqd sym /setU1. - rewrite andbT orbF Hy Dy. by rewrite Dy -(eq P Dy). move/and P [Hy Hp]. case: (y = P x) [ | _] //. exact: IHp Hp. Qed. proof script goal context other goal e e e e e e e x next p x cycle p p recursion assumption

Five tactic summary move: x y Hxy … => z t Hzt … bookkeeping : context goal moves case: x Hxy … => [a | b c] … decomposition, induction (with elim) rewrite /= orbF –[x]addn0 … partial evaluation, simplification apply: lemma… => [x y Hxy | n | …] … match goal (backward chaining) have label: conjecture by … set goal (forward chaining)

Some conclusions Proof assistants can give real proofs of real theorems Machine formalization can lead to new mathematical insights Formally proving programs can be easier than formally proving theorems