Verifying The Four Colour Theorem

1
Verifying The Four Colour Theorem

• Georges Gonthier
• Microsoft Research Cambridge

2
150 years of history

• 1852 Conjecture (Guthrie ? DeMorgan)
• 1878 Publication (Cayley)
• 1879 First proof (Kempe)
• 1880 Second proof (Tait)
• 1890 Rebuttal (Heawood)
• 1891 Second rebuttal (Petersen)
• 1913 Reducibility, connexity (Birkhoff)
• 1922 Up to 25 regions (Franklin)
• 1969 Discharging (Heesch)
• 1976 Computer proof (Appel Haken)
• 1995 Streamlining (Robertson al.)
• 2004 Self checking proof (Gonthier)

3
Outline

• Computer proofs
• The theorem
• Proof outline
• New math
• Proof techniques
• Proof vs. test

4
From proof with programs
proof text
statement
??
?
formula
C program
?
C runtime library
5
to computer proof
Coq proof scripts
?
statement
?
Coq runtime kernel
6
The Theorem
disjoint subsets of R x R
open and connected
Every simple planar map can be colored with only
four colors
?good covering map
with at most four regions
adjacent regions covered with different colors
have a common border point that is not a corner
touches more than two regions
7
Coq definitions

• Record simple_map m map Prop SimpleMap
• simple_map_proper gt (proper_map m)
• map_open (z point) (open (m z))
• map_connected (z point) (connected (m z))
• .
• Record coloring m, k map Prop Coloring
• coloring_proper gt (proper_map k)
• coloring_inmap (subregion (inmap k) (inmap
  m))
• coloring_covers (covers m k)
• coloring_adj (z1, z2 point) (k z1 z2) -gt
• (adjacent m z1 z2) -gt (m z1 z2)
• .
• Definition map_colorable nc nat m map
  Prop
• (EXT k (coloring m k) (size_at_most nc
  k)).
• Theorem four_color (m map)
• (simple_map m) -gt (map_colorable (4) m).

• Definition covers m, m' map Prop
• (z point) (subregion (m z) (m' z)).
• Definition size_at_most n nat m map Prop
  
• (EXT f (z point) (inmap m z) -gt
• (EX i (lt i n) (m (f i) z))).
• Definition border m map z1, z2 point
  region
• (intersect (closure (m z1)) (closure (m z2))).
• Definition corner_map m map z point map
  
• z1, z2(and (m z1 z2) (closure (m z1) z)).
• Definition not_corner m map region
• z(size_at_most (2) (corner_map m z)).
• Definition adjacent m map z1, z2 point
  Prop
• (meet (not_corner m) (border m z1 z2)).

8
The proof

• Combinatorial maps
• The induction
• The enumeration

9
Cubic maps
10
Coloring by induction
11
Configurations

• A configuration is a connected map fragment
• The partial faces of a configuration form a ring
• A configuration is reducible if it allows
  coloring by induction
• All nontrivial rings with fewer than six faces
  define reducible configurations

12
double rings

• By connectedness, all local submaps of radius 2
  are double rings

13
The Euler Formula

• For any planar map, V F E 2
• (Euler never found the proof by flooding !)
• For a cubical map, sides 6 12/F
• A honeycomb on average, but not quite
• (a football, really)

14
Proof outline

• Discretize to hypermaps ( 3 finite permutations)
• no Jordan Curve Theorem (planarity Euler)
• Configurations data for 633 special hypermaps
• construction programs with multiple
  interpretations
• Unavoidability configurations occur in
  internally 5-connnected planar hypermaps
• branch bound enumeration
• Graph theory counter-example is internally
  5-connected
• combinatorial Jordan Curve Theorem
• Reducibility configurations allow coloring by
  recursion
• 3 and 4-way decision diagrams

15
From maps to hypermaps
16
Contractions and friends
17
Proof techniques

• Computational reflection
• reducing mathematics to program verification
• Thats it!

18
How to prove 2 2 4

• If 2 ? 1 (1 0) and 4 ? 1 (1 (1 (1 0)))
• By deduction
• Invoke instances of associativity, neutrality,
  apply congruence then transitivity.
• By equations
• (1 (1 0)) 2) (1 1) 2 (1 (1 2)) ?
  4
• By computation
• (2 2 4) ? (4 4) true by reflexivity !

19
Reflecting reducibility

• Computational reflection replacing proof with
  computation
• Variable cf config.
• Definition check_reducible bool
• Definition cfreducible Prop
• Lemma check_reducible_valid check_reducible -gt
  cfreducible.
• Usage
• Lemma cfred232 (cfreducible (Config 11 33 37 H
  2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3
  H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y)).
• Proof. Apply check_reducible_valid By Compute.
  Qed.

20
Reflection at every level

• Large scale reflection reducibility
• ? proof witnesses
• Medium-scale reflection unavoidability
• ? incompleteness debugging
• Small-scale reflection graph theory
• ? primary means of automation

21
Inside a proof assistant

• Lemma next_cycle
• (p (seq d) Hp (cycle p))
• (x d) (p x) -gt (e x (next p x)).
• Proof.
• Movegt y0 p // Hp x.
• Elim p 1 3 5y0 Hp
• gt y' p Hrec y /
• Rewrite eqd_sym /setU1.
• Rewrite andbT orbF.
• Movegt Hy Dy.
• By Rewrite Dy -(eqP Dy).
• Case/andP gt Hy Hp.
• Case (y P x) gt _ //.
• Apply Hrec Hp.
• Qed.

• 1 subgoal
• d dataSet
• x0 d
• e (rel d)
• y0 d
• x d
• y' d
• p (seq d)
• Hrec (x0d)
• (path x0 (add_last p y0))
• -gt(setU1 x0 p x)
• -gt(e x (next_at x y0 x0 p))
• y d
• (andb (e y y') (path y' (add_last p y0)))
• -gt(or3b y d x y' d x (p x))
• -gt(e x (if (y d x) then y
• else (next_at x y0 y' p)))

command script
goal
context
22
Five proof commands

• Step label conjecture By
• forward chaining
• Apply lemma gt x y Hxy n
• backward chaining
• Move x y Hxy gt z t Hzt
• bookkeeping context ? goal moves
• Case x Hxy gt a b c
• decomposition, induction (with Elim)
• Rewrite / orbF -xaddn0
• partial evaluation, simplification

23
Proof vs. test

• Lemma, Step
• Move
• Case
• Apply
• Rewrite

• test purpose (formal)
• test setup (assumptions)
• test data (partial)
• use prior test (generic)
• step run (use prior run)

24
Command distribution
25
Some conclusions

• Proof assistants can give real proofs of real
  theorems
• Machine formalization can lead to new
  mathematical insights
• Formally proving programs is easier than formally
  proving theorems
• Proving is stepwise testing!