Verifying the Four Colour Theorem

1
Verifying theFour Colour Theorem

• Georges Gonthier
• Microsoft Research Cambridge

2
150 years of history

• 1852 Conjecture (Guthrie ? DeMorgan)
• 1878 Publication (Cayley)
• 1879 First proof (Kempe)
• 1880 Second proof (Tait)
• 1890 Rebuttal (Heawood)
• 1891 Second rebuttal (Petersen)
• 1913 Reducibility, connexity (Birkhoff)
• 1922 Up to 25 regions (Franklin)
• 1969 Discharging (Heesch)
• 1976 Computer proof (Appel Haken)
• 1995 Streamlining (Robertson al.)
• 2004 Self checking proof (Gonthier)

3
So what about it ?

• It shows software can be as reliable as math.
• Its been done by applying computer science to
  mathematics.
• The art of computer proving is maturing.

4
Outline

• The Four Colour Theorem
• what it says
• how its proved
• Formal proofs
• proving with programs
• thinking with programs
• Computer proofs
• how its done

5
The Theorem
disjoint subsets of R x R
open and connected
Every simple planar map can be colored with only
four colors
?good covering map
with at most four regions
adjacent regions covered with different colors
have a common border point that is not a corner
touches more than two regions
6
The formal theorem

• Record simple_map (m map) Prop SimpleMap
• simple_map_proper gt proper_map m
• map_open ?z, open (m z)
• map_connected ?z, connected (m z)
• .
• Record coloring (m, k map) Prop Coloring
• coloring_proper gt proper_map k
• coloring_inmap subregion (inmap k) (inmap m)
• coloring_covers covers m k
• coloring_adj
• ?z1 z2, k z1 z2 ? adjacent m z1 z2 ? m z1
  z2
• .
• Definition map_colorable n m
• ?2 k, coloring m k size_at_most n k.
• Theorem four_color
• ?m, simple_map m ? map_colorable 4 m.

• Definition covers (m, m' map)
• ?z point, subregion (m z) (m' z).
• Definition size_at_most n m
• ? f, ? z, inmap m z ? ?2 i, i lt n m (f i).
• Definition border m z1 z2
• intersect (closure (m z1)) (closure (m z2)).
• Definition corner_map (m map) z map
• fun z1 z2 ? m z1 z2 ? closure (m z1) z.
• Definition not_corner m z
• size_at_most 2 (corner_map m z).
• Definition adjacent m z1 z2
• meet (not_corner m) (border m z1 z2).

7
Outline

• The Four Colour Theorem
• what it says
• how its proved
• Formal proofs
• proving with programs
• thinking with programs
• Computer proofs
• how its done

8
Colouring by induction
Configuration
reducible
9
Cubic maps
Euler formula
2E/R 6 - 12/R
R N E 2
the worlds a football
10
Small rings

• Any non-trivial ring lt 6 defines reducible
  configurations (Birkhoff, 1913)
• If there are no small rings, then all
  2-neighborhoods are double rings

look for configurations in 2-neighborhoods!
11
The proof in a nutshell

• Find a set of configurations such that
• (A) reducibility Each one can be coloured to
  match any planar ring colouring.
• (B) unavoidability At least one appears in
  any planar map.
• Verify that the combinatorics fit the topology
  (graph theory analysis).

1,000,000,000 cases
10,000 cases
12
Progress in verification
?
?
13
Outline

• The Four Colour Theorem
• what it says
• how its proved
• Formal proofs
• proving with programs
• thinking with programs
• Computer proofs
• how its done

14
The Poincaré principle

• How do you prove
• Given 2 ? 1 (1 0)
• 4 ? 1 (1 (1 (1 0)))
• n m ? if n is 1 n then 1 (n m)
  else m
• (a recursive program)

2 2 4
?
a 0 2 2
(neutral left) b (1 0) 2 1 (0 2)
(associativity) c 2 2 1 ((1
0) 2) (def, associativity) d 2 2
1 (1 (0 2)) (replace b in c) e
(replace a
in d, def)
a
(def, calculation)
15
Reflecting reducibility

• Setup
• Variable cf config.
• Definition cfreducible Prop
• Definition check_reducible bool
• Lemma check_reducible_valid check_reducible -gt
  cfreducible.
• Usage
• Lemma cfred232 cfreducible (Config 11 33 37 H 2
  H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H
  9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y).
• Proof. apply check_reducible_valid by compute.
  Qed.

20,000,000 cases
16
Border colouring (Tait 1880)
17
Chord flips (Kempe 1879)
chromogram
colouring

)0
(

)1
(

18
Model checking colourings
19
Chromogram twiddling

• Fixpoint gram_neg_rec (n nat) (w chromogram)
  struct w
• chromogram
  
• match w, n with
• Adds Gpush w', _ gt Adds Gpush (gram_neg_rec
  (S n) w')
• Adds Gskip w', _ gt Adds Gskip
  (gram_neg_rec n w')
• Adds s w', S n gt Adds s (gram_neg_rec
  n w')
• Adds Gpop0 w', O gt Adds Gpop1 w'
• Adds Gpop1 w', O gt Adds Gpop0 w'
• seq0, _ gt w
• end.
• Definition gram_neg gram_neg_rec 0.

20
Correctness proof

• Lemma match_gram_neg forall b0 et w,
• matchg (Seq b0) et (gram_neg w) matchg (Seq
  ( b0)) et w.
• Proof.
• move gt b0 et w set sb bitseq seq0.
• have Esb forall b bool, Adds b sb add_last
  sb b by done.
• rewrite /gram_neg -0/(size sb) 2!Esb.
• elim w et sb gt s w IHw et lb first by case
  lb.
• case Ds s (case et gt e et first by case
  lb)
• first by case e (IHw et (Adds _ lb)) gt /
• by case e case lb gt b lb
  rewrite / ?if_negb ?IHw .
• Qed.

21
Outline

• The Four Colour Theorem
• what it says
• how its proved
• Formal proofs
• proving with programs
• thinking with programs
• Computer proofs
• how its done

22
Formalizing maps
23
Rings and disks
disk
rest
24
Pasting configurations
paste
full map
disk
rest
25
Folkloric proofs?

• (3.3) Let K be a configuration appearing in a
  triangulation T, and let S be the free completion
  of K. Then there is a projection ? of S into T
  such that ? (x) x for all x ?
  V(G(K)) ? E(G(K)) ? F(G(K)).
• This is a folklore theorem, and we omit its
  lengthy proof

Definition phi x if ac x then h x else if
ac (edge x) then edge (h (edge x)) else if ac
(node x) then face (edge (h (node x))) else
edge (node (node (h (node (edge x))))).
26
Unavoidable pattern
27
Topology
Euler (n 1)2 n2 1 2n(n1) 2
28
Outline

• The Four Colour Theorem
• what it says
• how its proved
• Formal proofs
• proving with programs
• thinking with programs
• Computer proofs
• how its done

29
Proof workbench
1 subgoal d dataSet e rel
d forall (p seq
d) (x d), cycle p -gt p x -gt e x (next p x)
1 subgoal d dataSet e rel d y0 d
p seq d x d Hp path y0 (add_last p
y0) setU1 y0 p x -gt
e x (next_at x y0 y0 p)
2 subgoals d dataSet e rel d y0 d
x d y d e
y y0 true -gt (y d x) false -gt e x
(if y d x then y0 else x) subgoal 2 is e y y
path y (add_last p y0) -gt or3b (y d x) (y
d x) (p x) -gt e x (if y d x then y
else next_at x y0 y p)
2 subgoals d dataSet e rel d y0 d
x d y d Hy e y y0 Dy y d
x e x (if y d x
then y0 else x) subgoal 2 is e y y path y
(add_last p y0) -gt or3b (y d x) (y' d x) (p
x) -gt e x (if y d x then y else
next_at x y0 y p)

• 1 subgoal
• d dataSet
• e rel d
• y0 d
• x d
• y d
• p seq d
• IHp forall x0 d,
• path x0 (add_last p y0)
• -gt setU1 x0 p x
• -gt e x (next_at x y0 x0 p)
• y d
• e y y path y (add_last p y0)
• -gt or3b (y d x) (y d x) (p x)
• -gt e x (if y d x then y
• else next_at x y0 y p)

• 1 subgoal
• d dataSet
• e rel d
• y0 d
• x d
• y d
• p seq d
• IHp forall x0 d,
• path x0 (add_last p y0)
• -gt setU1 x0 p x
• -gt e x (next_at x y0 x0 p)
• y d
• Hy e y y
• Hp path y (add_last p y0)
• or3b (y d x) (y d x) (p x)
• -gt e x (if y d x then y
• else next_at x y0 y p)

• 1 subgoal
• d dataSet
• e rel d
• y0 d
• x d
• y d
• p seq d
• IHp forall x0 d,
• path x0 (add_last p y0)
• -gt setU1 x0 p x
• -gt e x (next_at x y0 x0 p)
• y d
• Hy e y y
• Hp path y (add_last p y0)
• or3b false (y d x) (p x)
• -gt e x (next_at x y0 y p)

Subtree proved!

• Lemma next_cycle ?p x,
• cycle p ? p x ? e x (next p x).
• Proof.
• move? y0 p x // Hp.
• elim p 1 3 5y0 Hp ? y' p IHp y /
• rewrite eqdsym /setU1.
• - rewrite andbT orbF ? Hy Dy.
• by rewrite Dy -(eqP Dy).
• move/andP? Hy Hp.
• case (y P x) ? ? _ //.
• exact IHp Hp.
• Qed.

p
cycle p
x
e
goal
next p x
proof script
other goal
30
Five tactic summary

• move x y Hxy gt z t Hzt
• bookkeeping context ? goal moves
• case x Hxy gt a b c
• decomposition, induction (with elim)
• rewrite / orbF xaddn0
• partial evaluation, simplification
• apply lemma gt x y Hxy n
• match goal (backward chaining)
• have label conjecture by
• set goal (forward chaining)

31
Some conclusions

• Proof assistants can give real proofs of real
  theorems
• Machine formalization can lead to new
  mathematical insights
• Formally proving programs can be easier than
  formally proving theorems