Verifying the Four Colour Theorem
Georges Gonthier, Microsoft Research Cambridge

150 years of history…
  1852  Conjecture (Guthrie → De Morgan)
  1878  Publication (Cayley)
  1879  First proof (Kempe)
  1880  Second proof (Tait)
  1890  Rebuttal (Heawood)
  1891  Second rebuttal (Petersen)
  1913  Reducibility, connexity (Birkhoff)
  1922  Up to 25 regions (Franklin)
  1969  Discharging (Heesch)
  1976  Computer proof (Appel & Haken)
  1995  Streamlining (Robertson et al.)
  2004  Self-checking proof (Gonthier)

So what about it?
  It shows software can be as reliable as math.
  It’s been done by applying computer science to mathematics.
  The art of computer proving is maturing.

Outline
  The Four Colour Theorem: what it says, how it’s proved
  Formal proofs: proving with programs, thinking with programs
  Computer proofs: how it’s done

The Theorem
  Every simple planar map can be colored with only four colors.
  Reading the words of the statement:
    simple map: regions are open and connected disjoint subsets of R × R
    colored with four colors: ∃ a good covering map with at most four regions
    good: adjacent regions are covered with different colors
    adjacent: the regions have a common border point that is not a corner
    corner: a point that touches more than two regions

The formal theorem
  Definition covers (m, m' : map) := ∀z : point, subregion (m z) (m' z).
  Definition size_at_most n m := ∃ f, ∀ z, inmap m z → ∃2 i, i < n & m (f i).
  Definition border m z1 z2 := intersect (closure (m z1)) (closure (m z2)).
  Definition corner_map (m : map) z : map := fun z1 z2 ⇒ m z1 z2 ∧ closure (m z1) z.
  Definition not_corner m z := size_at_most 2 (corner_map m z).
  Definition adjacent m z1 z2 := meet (not_corner m) (border m z1 z2).
  Record simple_map (m : map) : Prop := SimpleMap {
    simple_map_proper :> proper_map m;
    map_open : ∀z, open (m z);
    map_connected : ∀z, connected (m z) }.
  Record coloring (m, k : map) : Prop := Coloring {
    coloring_proper :> proper_map k;
    coloring_inmap : subregion (inmap k) (inmap m);
    coloring_covers : covers m k;
    coloring_adj : ∀z1 z2, k z1 z2 → adjacent m z1 z2 → m z1 z2 }.
  Definition map_colorable n m := ∃2 k, coloring m k & size_at_most n k.
  Theorem four_color : ∀m, simple_map m → map_colorable 4 m.

Colouring by induction
  [Figure: a configuration, the ring around it, and the reducible configuration inside]

Cubic maps
  Euler formula: R + N − E = 2 (regions, nodes, edges).
  In a cubic map every node meets three edges, so 3N = 2E, and the average number of sides of a region is
    #sides = 2E/R = 6 − 12/R.
  The world’s a football.

Small rings
  Any non-trivial ring of size < 6 defines reducible configurations (Birkhoff, 1913).
  If there are no small rings, then all 2-neighbourhoods are double rings: look for configurations in 2-neighbourhoods!

The proof in a nutshell
  Find a set of configurations such that:
  (A) reducibility: each one can be coloured to match any planar ring colouring;
  (B) unavoidability: at least one appears in any planar map.
  Verify that the combinatorics fit the topology (graph theory + analysis).

Progress in verification
  1976  Appel & Haken   2 books, 1000’s of figures   reducibility: IBM 370 program; unavoidability: ?
  1995  RSST            35-page paper                reducibility, unavoidability: C program; the rest: ?
  2005  MSR             35 lines of definitions      reducibility, unavoidability, graph theory, topology, data structures…: Gallina

The Poincaré principle
  How do you prove 2 + 2 = 4?
  Given
    2 ≝ 1+ (1+ 0)
    4 ≝ 1+ (1+ (1+ (1+ 0)))
    n + m ≝ if n is 1+ n’ then 1+ (n’ + m) else m     (a recursive program)
  Step by step:
    a: 0 + 2 = 2                          (neutral left)
    b: (1 + 0) + 2 = 1 + (0 + 2)          (associativity)
    c: 2 + 2 = 1 + ((1 + 0) + 2)          (def, associativity)
    d: 2 + 2 = 1 + (1 + (0 + 2))          (replace b in c)
    e: 2 + 2 = 4                          (replace a in d, def)
  Or, by the Poincaré principle:
    2 + 2 = 4                             (def, calculation)

Reflecting reducibility
  Setup
    Variable cf : config.
    Definition cfreducible : Prop := …
    Definition check_reducible : bool := …
    Lemma check_reducible_valid : check_reducible -> cfreducible.
  Usage
    Lemma cfred232 : cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y).
    Proof. apply check_reducible_valid; by compute. Qed.
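The same reflection pattern on a small constructed problem, as an added example that is not code from the talk or from the Four Colour development: a boolean checker (check_proper, playing check_reducible), one soundness lemma (check_proper_valid, playing check_reducible_valid), and a concrete instance discharged by computation as cfred232 is. The names edge, proper, check_proper, k4 and col are mine, and plain Coq's vm_compute stands in for ssreflect's by compute.

```coq
(* Added example, not code from the talk or the Four Colour development:
   proof by reflection in the style of check_reducible_valid. *)
Require Import List Arith Bool.
Import ListNotations.

(* Constructed setting: a graph as an edge list, a colouring as a function. *)
Definition edge := (nat * nat)%type.

(* The mathematical statement (the Prop, in the role of cfreducible). *)
Definition proper (es : list edge) (c : nat -> nat) : Prop :=
  forall u v, In (u, v) es -> c u <> c v.

(* The executable checker (the bool, in the role of check_reducible). *)
Definition check_proper (es : list edge) (c : nat -> nat) : bool :=
  forallb (fun e => negb (Nat.eqb (c (fst e)) (c (snd e)))) es.

(* Soundness, proved once for every edge list and colouring. *)
Lemma check_proper_valid : forall es c,
  check_proper es c = true -> proper es c.
Proof.
  intros es c. induction es as [| [a b] es IH]; intros H u v Huv Heq.
  - (* no edges: In (u, v) [] is False *)
    exact Huv.
  - unfold check_proper in H. simpl in H.
    apply andb_prop in H. destruct H as [Hab Hrest].
    simpl in Huv. destruct Huv as [Huv | Huv].
    + (* (u, v) is the head edge: the checker saw c a <> c b *)
      injection Huv as Hu Hv. subst.
      rewrite Heq, Nat.eqb_refl in Hab. simpl in Hab. discriminate.
    + (* (u, v) is further down the list: induction hypothesis *)
      exact (IH Hrest u v Huv Heq).
Qed.

(* A constructed instance: K4 with vertex i coloured i, which needs all
   four colours. As with cfred232, the proof is "run the checker". *)
Definition k4 : list edge := [(0, 1); (0, 2); (0, 3); (1, 2); (1, 3); (2, 3)].
Definition col (v : nat) : nat := v.

Lemma k4_proper : proper k4 col.
Proof. apply check_proper_valid; vm_compute; reflexivity. Qed.
```

Changing col so that two adjacent vertices share a colour makes vm_compute reduce the goal to false = true, and reflexivity fails: the checker, not the proof script, carries the case analysis.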
Border colouring (Tait 1880), chord flips (Kempe 1879)
  [Figure: a ring colouring and the chromogram that encodes it]

Model checking colourings
  [Figure: flowchart alternating between a set Ξ of colourings and a set Λ of chromograms: restrict Λ_i to Λ_{i+1}, decrement Ξ_i to Ξ_{i+1}, test "any left?" (Yes/No), kempe]

Chromogram twiddling
  Fixpoint gram_neg_rec (n : nat) (w : chromogram) {struct w} : chromogram :=
    match w, n with
    | Adds Gpush w', _ => Adds Gpush (gram_neg_rec (S n) w')
    | Adds Gskip w', _ => Adds Gskip (gram_neg_rec n w')
    | Adds s w', S n => Adds s (gram_neg_rec n w')
    | Adds Gpop0 w', O => Adds Gpop1 w'
    | Adds Gpop1 w', O => Adds Gpop0 w'
    | seq0, _ => w
    end.
  Definition gram_neg := gram_neg_rec 0.

Correctness proof
  Lemma match_gram_neg : forall b0 et w,
    matchg (Seq b0) et (gram_neg w) = matchg (Seq (¬ b0)) et w.
  Proof.
  move => b0 et w; set sb : bitseq := seq0.
  have Esb: forall b : bool, Adds b sb = add_last sb b by done.
  rewrite /gram_neg -[0]/(size sb) 2!{}Esb.
  elim: w et sb => [|s w IHw] et lb; first by case lb.
  case Ds: s; (case: et => [|e et]; first by case lb);
    first [ by case: e (IHw et (Adds _ lb)) => /=
          | by case: e; case: lb => [|b lb]; rewrite /= ?if_negb ?IHw ].
  Qed.

Formalizing maps
  [Figure: a hypermap: darts with their edge (e), node (n) and face (f) permutations]

Rings and disks
  [Figure: a ring splits the map into a disk and the rest]

Pasting configurations
  [Figure: full map = disk pasted onto the rest along the contour cycle]

Folkloric proofs?
  “(3.3) Let K be a configuration appearing in a triangulation T, and let S be the free completion of K. Then there is a projection φ of S into T such that φ(x) = x for all x ∈ V(G(K)) ∪ E(G(K)) ∪ F(G(K)). This is a “folklore” theorem, and we omit its [lengthy] proof…”

  Definition phi x :=
    if ac x then h x else
    if ac (edge x) then edge (h (edge x)) else
    if ac (node x) then face (edge (h (node x))) else
    edge (node (node (h (node (edge x))))).
Unavoidable pattern
  [Figure: darts of the pattern labelled hub h, spokes, u/ul/ur, hl/hr, hat, fans f0l/f1l/f2l/f0r/f1r/f2r, with left step, right step, subpart and an unreachable dart]

Topology
  Euler: (n + 1)² + n² + 1 − 2n(n + 1) = 2

Proof workbench
  Lemma next_cycle : ∀p x, cycle p → p x → e x (next p x).
  Proof.
  move=> [ | y0 p] x //= Hp.
  elim: p {1 3 5}y0 Hp => [ | y' p IHp] y /=; rewrite eqdsym /setU1.
  - rewrite andbT orbF => Hy Dy. by rewrite Dy -(eqP Dy).
  move/andP=> [Hy Hp].
  case: (y =P x) => [<-| _] //.
  exact: IHp Hp.
  Qed.
  [Screenshot: the proof script beside the context (d : dataSet, e : rel d, y0 : d, p : seq d, x : d, Hp, Hy, Dy, IHp), the current goal, the other subgoal, and finally “Subtree subgoals proved!”]

Five tactic summary
  move: x y Hxy … => z t Hzt …              bookkeeping: context ↔ goal moves
  case: x Hxy … => [a | b c] …               decomposition, induction (with elim)
  rewrite /= orbF -[x]addn0 …                partial evaluation, simplification
  apply: lemma … => [x y Hxy | n | …] …      match goal (backward chaining)
  have label: conjecture by …                set goal (forward chaining)

Some conclusions
  Proof assistants can give real proofs of real theorems.
  Machine formalization can lead to new mathematical insights.
  Formally proving programs can be easier than formally proving theorems.