1 / 25

Verifying The F o u r Colour Theorem

Verifying The F o u r Colour Theorem. Georges Gonthier Microsoft Research Cambridge. 150 years of history…. 1852 Conjecture ( Guthrie → DeMorgan ) 1878 Publication ( Cayley ) 1879 First proof ( Kempe ) 1880 Second proof ( Tait ) 1890 Rebuttal ( Heawood )

howe
Download Presentation

Verifying The F o u r Colour Theorem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Verifying The Four Colour Theorem Georges Gonthier Microsoft Research Cambridge

  2. 150 years of history… • 1852 Conjecture (Guthrie → DeMorgan) • 1878 Publication (Cayley) • 1879 First proof (Kempe) • 1880 Second proof (Tait) • 1890 Rebuttal (Heawood) • 1891 Second rebuttal (Petersen) • 1913 Reducibility, connexity (Birkhoff) • 1922 Up to 25 regions (Franklin) • 1969 Discharging (Heesch) • 1976 Computer proof (Appel & Haken) • 1995 Streamlining (Robertson & al.) • 2004 Self checking proof (Gonthier)

  3. Outline • Computer proofs • The theorem • Proof outline • New math • Proof techniques • Proof vs. test

  4. Machine code   C compiler  From proof with programs… proof text statement ?? ? formula C program ? C runtime library

  5. Typed -calculus statement   Coq tactic engine   … to computer proof Coq proof scripts  statement ? Coq runtime kernel

  6. The Theorem open and connected disjoint subsets of R x R Every simple planar map can be colored with only four colors ∃good covering map with at most four regions adjacent regions covered with different colors have a common border point that is not a corner touches more than two regions

  7. Definitioncovers [m, m' : map] : Prop := (z : point) (subregion (m z) (m' z)). Definitionsize_at_most [n : nat; m : map] : Prop := (EXT f | (z : point) (inmap m z) -> (EX i | (lt i n) & (m (f i) z))). Definitionborder [m : map; z1, z2 : point] : region := (intersect (closure (m z1)) (closure (m z2))). Definitioncorner_map [m : map; z : point] : map := [z1, z2](and (m z1 z2) (closure (m z1) z)). Definitionnot_corner [m : map] : region := [z](size_at_most (2) (corner_map m z)). Definitionadjacent [m : map; z1, z2 : point] : Prop := (meet (not_corner m) (border m z1 z2)). Recordsimple_map [m : map] : Prop := SimpleMap { simple_map_proper :> (proper_map m); map_open : (z : point) (open (m z)); map_connected : (z : point) (connected (m z)) }. Recordcoloring [m, k : map] : Prop := Coloring { coloring_proper :> (proper_map k); coloring_inmap : (subregion (inmap k) (inmap m)); coloring_covers : (covers m k); coloring_adj : (z1, z2 : point) (k z1 z2) -> (adjacent m z1 z2) -> (m z1 z2) }. Definitionmap_colorable [nc : nat; m : map] : Prop := (EXT k | (coloring m k) & (size_at_most nc k)). Theoremfour_color : (m : map) (simple_map m) -> (map_colorable (4) m). Coq definitions

  8. The proof • Combinatorial maps • The induction • The enumeration

  9. Cubic maps

  10. Coloring by induction

  11. Configurations • A configuration is a connected map fragment • The partial faces of a configuration form a ring • A configuration is reducible if it allows coloring by induction • All nontrivial rings with fewer than six faces define reducible configurations

  12. double rings By connectedness, all local submaps of radius 2 are double rings

  13. The Euler Formula • For any planar map, V + F – E = 2 (Euler never found the proof by flooding!) • For a cubical map, #sides = 6 – 12/F • A honeycomb on average, but not quite (a football, really)

  14. Proof outline • Discretize to hypermaps (= 3 finite permutations) • no Jordan Curve Theorem (planarity = Euler) • Configurations : data for 633 special hypermaps • construction programs with multiple interpretations • Unavoidability : configurations occur in internally 5-connnected planar hypermaps • branch & bound enumeration • Graph theory : counter-example is internally 5-connected • combinatorial Jordan Curve Theorem • Reducibility : configurations allow coloring by recursion • 3 and 4-way decision diagrams

  15. e n f dart node edge From maps to hypermaps

  16. n e f Contractions and friends

  17. Proof techniques • Computational reflection: • reducing mathematics to program verification • That’s it!

  18. How to prove 2 + 2 = 4 If 2 ≝ 1+ (1+ 0) and 4 ≝ 1+ (1+ (1+ (1+ 0))) : • By deduction : • Invoke instances of associativity, neutrality, apply congruence then transitivity. • By equations : • (1+ (1+ 0)) + 2) = (1 + 1) + 2 = (1 + (1 + 2)) ≝ 4 • By computation : • (2 + 2 = 4) ≝ (4 = 4) true by reflexivity !

  19. Reflecting reducibility • Computational reflection = replacing proof with computation Variablecf : config. Definitioncheck_reducible : bool := … Definitioncfreducible : Prop := … Lemmacheck_reducible_valid: check_reducible -> cfreducible. • Usage Lemmacfred232 : (cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y)). Proof. Apply check_reducible_valid; By Compute. Qed.

  20. Reflection at every level • Large scale reflection: reducibility → proof witnesses • Medium-scale reflection: unavoidability → incompleteness + debugging • Small-scale reflection: graph theory → primary means of automation

  21. Lemmanext_cycle : (p : (seq d); Hp : (cycle p)) (x : d) (p x) -> (e x (next p x)). Proof. Move=> [ | y0 p] //= Hp x. Elim: p {1 3 5}y0 Hp => [ | y' p Hrec] y /=; Rewrite: eqd_sym /setU1. Rewrite: andbT orbF. Move=> Hy Dy. ByRewrite: Dy -(eqP Dy). Case/andP => [Hy Hp]. Case: (y =P x) => [[] | _] //. Apply: Hrec Hp. Qed. 1 subgoal d : dataSet x0 : d e : (rel d) y0 : d x : d y' : d p : (seq d) Hrec : (x0:d) (path x0 (add_last p y0)) ->(setU1 x0 p x) ->(e x (next_at x y0 x0 p)) y : d ============================ (andb (e y y') (path y' (add_last p y0))) ->(or3b y =d x y' =d x (p x)) ->(e x (if (y =d x) then y‘ else (next_at x y0 y' p))) Inside a proof assistant context goal command script

  22. Five proof commands • Steplabel: conjectureBy … forward chaining • Apply: lemma… => [x y Hxy | n | …] … backward chaining • Move: x y Hxy … => z t Hzt … bookkeeping : context  goal moves • Case: xHxy … => [a | b c] … decomposition, induction (with Elim) • Rewrite: /= orbF -{x}addn0 … partial evaluation, simplification

  23. Lemma, Step Move Case Apply Rewrite test purpose (formal) test setup (assumptions) test data (partial) use prior test (generic) step & run(use prior run) Proof vs. test

  24. Command distribution

  25. Some conclusions • Proof assistants can give real proofs of real theorems • Machine formalization can lead to new mathematical insights • Formally proving programs is easier than formally proving theorems • Proving is stepwise testing!

More Related