verifying the four colour theorem georges gonthier microsoft research cambridge
TRANSCRIPT
Verifying theFour Colour Theorem
Georges GonthierMicrosoft Research Cambridge
150 years of history…
1852 Conjecture (Guthrie → DeMorgan) 1878 Publication (Cayley) 1879 First proof (Kempe) 1880 Second proof (Tait) 1890 Rebuttal (Heawood) 1891 Second rebuttal (Petersen) 1913 Reducibility, connexity (Birkhoff) 1922 Up to 25 regions (Franklin) 1969 Discharging (Heesch) 1976 Computer proof (Appel & Haken) 1995 Streamlining (Robertson & al.) 2004 Self checking proof (Gonthier)
So what about it ?
It shows software can be as reliable as math.
It’s been done by applying computer science to mathematics.
The art of computer proving is maturing.
Outline
The Four Colour Theoremwhat it sayshow it’s proved
Formal proofsproving with programsthinking with programs
Computer proofshow it’s done
The Theorem
Every simple planar map can be colored with only four colors
disjoint subsets of R x Ropen and connected
∃good covering map with at most four regions
adjacent regions covered with different colors
have a common border point that is not a corner
touches more than two regions
Record simple_map (m : map) : Prop := SimpleMap {
simple_map_proper :> proper_map m; map_open : ∀z, open (m z); map_connected : ∀z, connected (m z) }.
Record coloring (m, k : map) : Prop := Coloring { coloring_proper :> proper_map k; coloring_inmap : subregion (inmap k) (inmap m); coloring_covers : covers m k; coloring_adj : ∀z1 z2, k z1 z2 → adjacent m z1 z2 → m z1 z2
}.
Definition map_colorable n m := ∃2 k, coloring m k & size_at_most n k.
Theorem four_color : ∀m, simple_map m → map_colorable 4 m.
The formal theorem
Definition covers (m, m' : map) := ∀z : point, subregion (m z) (m' z).
Definition size_at_most n m := ∃ f, ∀ z, inmap m z → ∃2 i, i < n & m (f
i).
Definition border m z1 z2 := intersect (closure (m z1)) (closure (m
z2)).
Definition corner_map (m : map) z : map :=
fun z1 z2 ⇒ m z1 z2 ∧ closure (m z1) z.
Definition not_corner m z := size_at_most 2 (corner_map m z).
Definition adjacent m z1 z2 := meet (not_corner m) (border m z1 z2).
Outline
The Four Colour Theoremwhat it sayshow it’s proved
Formal proofsproving with programsthinking with programs
Computer proofshow it’s done
Colouring by induction
Configuration
reduciblering
Cubic maps
Euler formula
R + N – E = 22E/R = 6 - 12/Rthe world’s a football
#sides
Small rings
Any non-trivial ring < 6 defines reducible configurations (Birkhoff, 1913)
If there are no small rings, then all 2-neighborhoods are double rings
look for configurations in 2-neighborhoods!
The proof in a nutshell
Find a set of configurations such that:
(A) reducibility: Each one can be coloured to match any planar ring colouring.
(B) unavoidability: At least one appears in any planar map.
Verify that the combinatorics fit the topology (graph theory + analysis).
10,000 cases1,000,000,000 cases
Progress in verification1976 A & H
IBM 370reducibility
2 books1000’s of
figures
1995 RSST
C programreducibility
unavoidability
35-pagepaper
2005 MSR
Gallinareducibility
unavoidabilitygraph theory
topologydata structures
…
35 lines ofdefinitions
?
?
Outline
The Four Colour Theoremwhat it sayshow it’s proved
Formal proofsproving with programsthinking with programs
Computer proofshow it’s done
The Poincaré principle How do you prove: Given 2 1+ (1+ 0)≝ 4 1+ (1+ (1+ (1+ 0)))≝ n + m ≝ if n is 1+ n’ then 1+ (n’ + m) else m
(a recursive program)
2 + 2 = 4 ?
a: 0 + 2 = 2 (neutral left)
b: (1 + 0) + 2 = 1 + (0 + 2) (associativity)
c: 2 + 2 = 1 + ((1 + 0) + 2) (def, associativity)
d: 2 + 2 = 1 + (1 + (0 + 2)) (replace b in c)
e: (replace a in d, def)a: (def, calculation)
Reflecting reducibility
SetupVariable cf : config.
Definition cfreducible : Prop := …
Definition check_reducible : bool := …
Lemma check_reducible_valid : check_reducible -> cfreducible.
UsageLemma cfred232 : cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10
H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y).
Proof. apply check_reducible_valid; by compute. Qed.20,000,000 cases
Border colouring (Tait 1880)
Chord flips (Kempe 1879)
(
)0
)1
•
(
•
•
chromogram
colouring
Model checking colourings
1
Ξ
0
Λ
0
Λi
Ξi Λ
Ξ
-1
Λi+1
Yes
No
Ξi+1
Ξ, Λ
restrict Λ
decrement Ξ
any ?
NoNo
kempe
Chromogram twiddling
Fixpoint gram_neg_rec (n : nat) (w : chromogram) {struct w}
: chromogram := match w, n with | Adds Gpush w', _ => Adds Gpush (gram_neg_rec (S n) w') | Adds Gskip w', _ => Adds Gskip (gram_neg_rec n w') | Adds s w', S n => Adds s (gram_neg_rec n w') | Adds Gpop0 w', O => Adds Gpop1 w' | Adds Gpop1 w', O => Adds Gpop0 w' | seq0, _ => w end.
Definition gram_neg := gram_neg_rec 0.
Correctness proof
Lemma match_gram_neg : forall b0 et w, matchg (Seq b0) et (gram_neg w) = matchg (Seq (¬ b0)) et w.Proof.move => b0 et w; set sb : bitseq := seq0.have Esb: forall b : bool, Adds b sb = add_last sb b by
done.rewrite /gram_neg -[0]/(size sb) 2!{}Esb.elim: w et sb => [|s w IHw] et lb; first by case lb.case Ds: s; (case: et => [|e et]; first by case lb); first [ by case: e (IHw et (Adds _ lb)) => /= | by case: e; case: lb => [|b lb]; rewrite /= ?if_negb ?IHw ].Qed.
Outline
The Four Colour Theoremwhat it sayshow it’s proved
Formal proofsproving with programsthinking with programs
Computer proofshow it’s done
Formalizing maps
n
f
node
edge
dart
e
Rings and disks
rest
disk
Pasting configurations
disk
paste
rest
contour cycle
full map
Folkloric proofs?
(3.3) Let K be a configuration appearing in a triangulation T, and let S be the free completion of K. Then there is a projection ɸ of S into T such that ɸ (x) = x for all x ∈ V(G(K)) ∪ E(G(K)) ∪ F(G(K)).
This is a “folklore” theorem, and we omit its [lengthy] proof…
Definition phi x := if ac x then h x else if ac (edge x) then edge (h (edge x)) else if ac (node x) then face (edge (h (node x))) else edge (node (node (h (node (edge x))))).
Unavoidable pattern
u
u l
u r
u l
u r
u r
u l
u
u
h
h
h l
h l
h r
h r
f0r
f1r
f2r
f1l
f1l
f2l
f0l
f0r
hubspoke
spoke
spokehat
fanfan
fan
left step
right step
subpart
unreachable dart
spoke
TopologyEuler: (n + 1)2 + n2 + 1 – 2n(n+1) = 2
Outline
The Four Colour Theoremwhat it sayshow it’s proved
Formal proofsproving with programsthinking with programs
Computer proofshow it’s done
1 subgoal
d : dataSet e : rel d============================ forall (p : seq d) (x : d), cycle p -> p x -> e x (next p x)
1 subgoal d : dataSet e : rel d y0 : d p : seq d x : d Hp : path y0 (add_last p y0)============================ setU1 y0 p x -> e x (next_at x y0 y0 p)
2 subgoals d : dataSet e : rel d y0 : d x : d y : d============================ e y y0 && true -> (y =d x) || false -> e x (if y =d x then y0 else x)
subgoal 2 is: e y y’ && path y’ (add_last p y0) -> or3b (y =d x) (y’ =d x) (p x) -> e x (if y =d x then y’ else next_at x y0 y’ p)
2 subgoals d : dataSet e : rel d y0 : d x : d y : d Hy : e y y0 Dy : y =d x============================ e x (if y =d x then y0 else x)
subgoal 2 is: e y y’ && path y’ (add_last p y0) -> or3b (y =d x) (y' =d x) (p x) -> e x (if y =d x then y’ else next_at x y0 y’ p)
1 subgoal d : dataSet e : rel d y0 : d x : d y’ : d p : seq d IHp : forall x0 : d, path x0 (add_last p y0) -> setU1 x0 p x -> e x (next_at x y0 x0 p) y : d ============================ e y y’ && path y’ (add_last p y0) -> or3b (y =d x) (y’ =d x) (p x) -> e x (if y =d x then y’ else next_at x y0 y’ p)
1 subgoal d : dataSet e : rel d y0 : d x : d y’ : d p : seq d IHp : forall x0 : d, path x0 (add_last p y0) -> setU1 x0 p x -> e x (next_at x y0 x0 p) y : d Hy : e y y’ Hp : path y’ (add_last p y0) ============================ or3b (y =d x) (y’ =d x) (p x) -> e x (if y =d x then y’ else next_at x y0 y’ p)
1 subgoal d : dataSet e : rel d y0 : d x : d y’ : d p : seq d IHp : forall x0 : d, path x0 (add_last p y0) -> setU1 x0 p x -> e x (next_at x y0 x0 p) y : d Hy : e y y’ Hp : path y’ (add_last p y0) ============================ or3b false (y’ =d x) (p x) -> e x (next_at x y0 y’ p)
Subtree proved!
Proof workbench
Lemma next_cycle : ∀p x, cycle p → p x → e x (next p x).Proof.move⇒ [ | y0 p] x //= Hp.elim: p {1 3 5}y0 Hp ⇒ [ | y' p IHp] y /=; rewrite eqdsym /setU1. - rewrite andbT orbF ⇒ Hy Dy. by rewrite Dy -(eqP Dy).move/andP⇒ [Hy Hp].case: (y =P x) ⇒ [←| _] //.exact: IHp Hp.Qed.
proof script
goal
context
other goal
e
e
e
e
e
e
e
x
next p x
cycle pp
recursion assumption
Five tactic summary
move: x y Hxy … => z t Hzt …bookkeeping : context goal moves
case: x Hxy … => [a | b c] …decomposition, induction (with elim)
rewrite /= orbF –[x]addn0 …partial evaluation, simplification
apply: lemma… => [x y Hxy | n | …] …match goal (backward chaining)
have label: conjecture by …set goal (forward chaining)
Some conclusions
Proof assistants can give real proofs of real theorems
Machine formalization can lead to new mathematical insights
Formally proving programs can be easier than formally proving theorems