1. Verifying The Four Colour Theorem
Georges Gonthier
Microsoft Research Cambridge

2. 150 years of history…  1852 Conjecture (Guthrie → DeMorgan)
1878 Publication (Cayley)
1879 First proof (Kempe)
1880 Second proof (Tait)
1890 Rebuttal (Heawood)
1891 Second rebuttal (Petersen)
1913 Reducibility, connexity (Birkhoff)
1922 Up to 25 regions (Franklin)
1969 Discharging (Heesch)
1976 Computer proof (Appel & Haken)
1995 Streamlining (Robertson & al.)
2004 Self checking proof (Gonthier) 

3. Outline Computer proofs The theorem Proof outline New math
Proof techniques
Proof vs. test 

4. From proof with programs…
proof text
statement ??
C compiler
Machine
code  
formula ?
C program ? 
C runtime
library 

5. … to computer proof  ?  statement statement Coq proof  scripts
Coq tactic
engine
Typed
-calculus
statement  ? 
Coq runtime
kernel 

6. The Theorem
open and connected
disjoint subsets of R x R
Every simple planar map can be colored with only four colors
∃good covering map
with at most four regions
adjacent regions covered with different colors
have a common border point that is not a corner
touches more than two regions 

7. Coq definitions  Record simple_map [m : map] : Prop := SimpleMap {
simple_map_proper :> (proper_map m);
map_open : (z : point) (open (m z));
map_connected : (z : point) (connected (m z)) }.
Record coloring [m, k : map] : Prop := Coloring {
coloring_proper :> (proper_map k);
coloring_inmap : (subregion (inmap k) (inmap m));
coloring_covers : (covers m k);
coloring_adj : (z1, z2 : point) (k z1 z2) ->
(adjacent m z1 z2) -> (m z1 z2)
Definition map_colorable [nc : nat; m : map] : Prop :=
(EXT k | (coloring m k) & (size_at_most nc k)).
Theorem four_color : (m : map)
(simple_map m) -> (map_colorable (4) m).
Definition covers [m, m' : map] : Prop :=
(z : point) (subregion (m z) (m' z)).
Definition size_at_most [n : nat; m : map] : Prop :=
(EXT f | (z : point) (inmap m z) ->
(EX i | (lt i n) & (m (f i) z))).
Definition border [m : map; z1, z2 : point] : region :=
(intersect (closure (m z1)) (closure (m z2))).
Definition corner_map [m : map; z : point] : map :=
[z1, z2](and (m z1 z2) (closure (m z1) z)).
Definition not_corner [m : map] : region :=
[z](size_at_most (2) (corner_map m z)).
Definition adjacent [m : map; z1, z2 : point] : Prop :=
(meet (not_corner m) (border m z1 z2)). 

8. The proof
Combinatorial maps
The induction
The enumeration 

9. Cubic maps 

10. Coloring by induction 

11. Configurations A configuration is a connected map fragment
The partial faces of a configuration form a ring
A configuration is reducible if it allows coloring by induction
All nontrivial rings with fewer than six faces define reducible configurations 

12. double rings
By connectedness, all local submaps of radius 2 are double rings 

13. The Euler Formula For any planar map, V + F – E = 2
(Euler never found the proof by flooding !)
For a cubical map, #sides = 6 – 12/F
A honeycomb on average, but not quite
(a football, really) 

14. Proof outline  Discretize to hypermaps (= 3 finite permutations)
no Jordan Curve Theorem (planarity = Euler)
Configurations : data for 633 special hypermaps
construction programs with multiple interpretations
Unavoidability : configurations occur in internally 5-connnected planar hypermaps
branch & bound enumeration
Graph theory : counter-example is internally 5-connected
combinatorial Jordan Curve Theorem
Reducibility : configurations allow coloring by recursion
3 and 4-way decision diagrams 

15. From maps to hypermaps f e
dart n
node
edge 

16. Contractions and friends

17. Proof techniques Computational reflection: That’s it!
reducing mathematics to program verification
That’s it! 

18. How to prove = 4
If 2 ≝ 1+ (1+ 0) and 4 ≝ 1+ (1+ (1+ (1+ 0))) :
By deduction :
Invoke instances of associativity, neutrality, apply congruence then transitivity.
By equations :
(1+ (1+ 0)) + 2) = (1 + 1) + 2 = (1 + (1 + 2)) ≝ 4
By computation :
(2 + 2 = 4) ≝ (4 = 4) true by reflexivity ! 

19. Reflecting reducibility
Computational reflection = replacing proof with computation
Variable cf : config.
Definition check_reducible : bool := …
Definition cfreducible : Prop := …
Lemma check_reducible_valid : check_reducible -> cfreducible.
Usage
Lemma cfred232 : (cfreducible (Config H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y)).
Proof. Apply check_reducible_valid; By Compute. Qed. 

20. Reflection at every level
Large scale reflection: reducibility
→ proof witnesses
Medium-scale reflection: unavoidability
→ incompleteness + debugging
Small-scale reflection: graph theory
→ primary means of automation 

21. Inside a proof assistant
Lemma next_cycle :
(p : (seq d); Hp : (cycle p))
(x : d) (p x) -> (e x (next p x)).
Proof.
Move=> [ | y0 p] //= Hp x.
Elim: p {1 3 5}y0 Hp
=> [ | y' p Hrec] y /=;
Rewrite: eqd_sym /setU1.
Rewrite: andbT orbF.
Move=> Hy Dy.
By Rewrite: Dy -(eqP Dy).
Case/andP => [Hy Hp].
Case: (y =P x) => [[] | _] //.
Apply: Hrec Hp.
Qed.
1 subgoal
d : dataSet
x0 : d
e : (rel d)
y0 : d
x : d
y' : d
p : (seq d)
Hrec : (x0:d)
(path x0 (add_last p y0))
->(setU1 x0 p x)
->(e x (next_at x y0 x0 p))
y : d
============================
(andb (e y y') (path y' (add_last p y0)))
->(or3b y =d x y' =d x (p x))
->(e x (if (y =d x) then y‘
else (next_at x y0 y' p)))
command script
context
goal 

22. Five proof commands  Step label: conjecture By …
forward chaining
Apply: lemma… => [x y Hxy | n | …] …
backward chaining
Move: x y Hxy … => z t Hzt …
bookkeeping : context  goal moves
Case: x Hxy … => [a | b c] …
decomposition, induction (with Elim)
Rewrite: /= orbF -{x}addn0 …
partial evaluation, simplification 

23. Proof vs. test  Lemma, Step Move Case Apply Rewrite
test purpose (formal)
test setup (assumptions)
test data (partial)
use prior test (generic)
step & run (use prior run) 

24. Command distribution 

25. Some conclusions
Proof assistants can give real proofs of real theorems
Machine formalization can lead to new mathematical insights
Formally proving programs is easier than formally proving theorems
Proving is stepwise testing! 