Verifying The Four Colour Theorem

Georges GonthierMicrosoft Research Cambridge

150 years of history…

1852 Conjecture (Guthrie → DeMorgan) 1878 Publication (Cayley) 1879 First proof (Kempe) 1880 Second proof (Tait) 1890 Rebuttal (Heawood) 1891 Second rebuttal (Petersen) 1913 Reducibility, connexity (Birkhoff) 1922 Up to 25 regions (Franklin) 1969 Discharging (Heesch) 1976 Computer proof (Appel & Haken) 1995 Streamlining (Robertson & al.) 2004 Self checking proof (Gonthier)

Outline

Computer proofs The theorem Proof outline New math Proof techniques Proof vs. test

C program

From proof with programs…

proof textstatement

formula

C compilerMachine

code

C runtimelibrary

?

?

??

… to computer proof

Coq tacticengine

Typed-calculus

Coq runtimekernel

?

Coqproof

scripts

statement statement

The Theorem

Every simple planar map can be colored with only four colors

disjoint subsets of R x Ropen and connected

∃good covering map with at most four regions

adjacent regions covered with different colors

have a common border point that is not a corner

touches more than two regions

Coq definitions

Definition covers [m, m' : map] : Prop := (z : point) (subregion (m z) (m' z)).

Definition size_at_most [n : nat; m : map] : Prop := (EXT f | (z : point) (inmap m z) -> (EX i | (lt i n) & (m (f i) z))).

Definition border [m : map; z1, z2 : point] : region := (intersect (closure (m z1)) (closure (m z2))).

Definition corner_map [m : map; z : point] : map := [z1, z2](and (m z1 z2) (closure (m z1) z)).

Definition not_corner [m : map] : region := [z](size_at_most (2) (corner_map m z)).

Definition adjacent [m : map; z1, z2 : point] : Prop := (meet (not_corner m) (border m z1 z2)).

Record simple_map [m : map] : Prop := SimpleMap { simple_map_proper :> (proper_map m); map_open : (z : point) (open (m z)); map_connected : (z : point) (connected (m z)) }.

Record coloring [m, k : map] : Prop := Coloring { coloring_proper :> (proper_map k); coloring_inmap : (subregion (inmap k) (inmap m)); coloring_covers : (covers m k); coloring_adj : (z1, z2 : point) (k z1 z2) -> (adjacent m z1 z2) -> (m z1 z2) }.

Definition map_colorable [nc : nat; m : map] : Prop := (EXT k | (coloring m k) & (size_at_most nc k)).

Theorem four_color : (m : map) (simple_map m) -> (map_colorable (4) m).

The proof

Combinatorial maps The induction The enumeration

Cubic maps

Coloring by induction

Configurations

A configuration is a connected map fragment

The partial faces of a configuration form a ring

A configuration is reducible if it allows coloring by induction

All nontrivial rings with fewer than six faces define reducible configurations

double rings

By connectedness, all local submaps of radius 2 are double rings

The Euler Formula

For any planar map, V + F – E = 2(Euler never found the proof by flooding !)

For a cubical map, #sides = 6 – 12/F A honeycomb on average, but not quite

(a football, really)

Proof outline

Discretize to hypermaps (= 3 finite permutations) no Jordan Curve Theorem (planarity = Euler)

Configurations : data for 633 special hypermaps construction programs with multiple interpretations

Unavoidability : configurations occur in internally 5-connnected planar hypermaps branch & bound enumeration

Graph theory : counter-example is internally 5-connected combinatorial Jordan Curve Theorem

Reducibility : configurations allow coloring by recursion 3 and 4-way decision diagrams

From maps to hypermaps

n

f

node

edge

e

dart

Contractions and friends

n

fe

Proof techniques

Computational reflection:reducing mathematics to program

verification That’s it!

How to prove 2 + 2 = 4

If 2 1+ (1+ 0) and ≝ 4 1+ (1+ (1+ (1+ 0))) :≝ By deduction :

Invoke instances of associativity, neutrality, apply congruence then transitivity.

By equations : (1+ (1+ 0)) + 2) = (1 + 1) + 2 = (1 + (1 + 2)) ≝

4 By computation :

(2 + 2 = 4) (4 = 4) true by reflexivity !≝

Reflecting reducibility

Computational reflection = replacing proof with computationVariable cf : config.Definition check_reducible : bool := …Definition cfreducible : Prop := …Lemma check_reducible_valid : check_reducible -> cfreducible.

UsageLemma cfred232 : (cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10

H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y)).

Proof. Apply check_reducible_valid; By Compute. Qed.

Reflection at every level

Large scale reflection: reducibility → proof witnesses Medium-scale reflection:

unavoidability → incompleteness + debugging Small-scale reflection: graph theory → primary means of automation

Inside a proof assistant

Lemma next_cycle : (p : (seq d); Hp : (cycle p)) (x : d) (p x) -> (e x (next p x)).Proof.Move=> [ | y0 p] //= Hp x.Elim: p {1 3 5}y0 Hp => [ | y' p Hrec] y /=; Rewrite: eqd_sym /setU1. Rewrite: andbT orbF. Move=> Hy Dy. By Rewrite: Dy -(eqP Dy).Case/andP => [Hy Hp].Case: (y =P x) => [[] | _] //.Apply: Hrec Hp.Qed.

1 subgoal d : dataSet x0 : d e : (rel d) y0 : d x : d y' : d p : (seq d) Hrec : (x0:d) (path x0 (add_last p y0)) ->(setU1 x0 p x) ->(e x (next_at x y0 x0 p)) y : d ============================ (andb (e y y') (path y' (add_last p y0))) ->(or3b y =d x y' =d x (p x)) ->(e x (if (y =d x) then y‘ else (next_at x y0 y' p)))

command script goalcontext

Five proof commands

Step label: conjecture By …forward chaining

Apply: lemma… => [x y Hxy | n | …] …backward chaining

Move: x y Hxy … => z t Hzt …bookkeeping : context goal moves

Case: x Hxy … => [a | b c] …decomposition, induction (with Elim)

Rewrite: /= orbF -{x}addn0 …partial evaluation, simplification

Proof vs. test

Lemma, Step Move Case Apply Rewrite

test purpose (formal) test setup (assumptions) test data (partial) use prior test (generic) step & run (use prior run)

Command distribution

Move

Apply

Step

Case

Rewrite

Some conclusions

Proof assistants can give real proofs of real theorems

Machine formalization can lead to new mathematical insights

Formally proving programs is easier than formally proving theorems

Proving is stepwise testing!