sign in sign up
<<
Home , Formal proof, Four color theorem

Formal —The Four- Color Georges Gonthier

The Tale of a Brainteaser even with a language rich enough to express all Francis Guthrie certainly did it, when he coined his . innocent little coloring puzzle in 1852. He man- In 2000 we tried to produce such a proof for aged to embarrass successively his mathematician part of code from [13], just to evaluate how the brother, his brother’s professor, Augustus de Mor- field had progressed. We succeeded, but now a gan, and all of de Morgan’s visitors, who couldn’t new question emerged: was the of the solve it; the Royal Society, who only realized ten correctness proof (the specification) itself correct? years later that Alfred Kempe’s 1879 solution was The only solution to that conundrum was to for- wrong; and the three following generations of malize the entire proof of the Four-Color Theorem, mathematicians who couldn’t fix it [19]. not just its code. This we finally achieved in 2005. Even Appel and Haken’s 1976 triumph [2] had a While we tackled this project mainly to ex- hint of defeat: they’d had a computer do the proof plore the capabilities of a modern proof for them! Perhaps the mathematical controversy system—at first, to benchmark speed—we were around the proof died down with their book [3] pleasantly surprised to uncover new and rather and with the elegant 1995 revision [13] by Robert- elegant nuggets of mathematics in the process. In son, Saunders, Seymour, and Thomas. However hindsight this might have been expected: to pro- something was still amiss: both proofs combined duce a formal proof one must make explicit every a textual , which could reasonably be single logical step of a proof; this both provides checked by inspection, with computer code that new insight in the structure of the proof, and could not. Worse, the empirical evidence provided forces one to use this insight to discover every by running code several times with the same input possible symmetry, simplification, and general- is weak, as it is blind to the most common cause ization, if only to cope with the sheer amount of of “computer” error: programmer error. imposed detail. This is actually how all of sections For some thirty years, computer science has “Combinatorial Hypermaps” (p. 1385) and “The been working out a solution to this problem: for- Formal Theorem” (p. 1388) came about. Perhaps mal program proofs. The idea is to write code that this is the most promising aspect of formal proof: describes not only what the machine should do, it is not merely a method to make absolutely sure but also why it should be doing it—a formal proof we have not made a mistake in a proof, but also a of correctness. The of the proof is an tool that shows us and compels us to understand objective mathematical fact that can be checked why a proof works. by a different program, whose own validity can In this article, the next two sections contain be ascertained empirically because it does run background material, describing the original proof on many inputs. The main technical difficulty is and the we used. The following that formal proofs are very difficult to produce, two sections describe the sometimes new math- Georges Gonthier is a senior researcher at Microsoft ematics involved in the formalization. Then the Research Cambridge. His email address is gonthier@ next two sections go into some detail into the two microsoft.com. main parts of the formal proof: reducibility and

1382 Notices of the AMS Volume 55, Number 11 unavoidability; more can be found in [8]. The Coq code (available at the same address) is the ultimate for the intrepid, who should bone up on Coq [4, 16, 9] beforehand.

The Puzzle and Its Solution Each such configuration consists of a complete kernel face surrounded by a ring of partial faces. Part of the appeal of the four color problem is that Erasing an edge of a digon or triangle yields a its statement smaller , which is four-colorable by induction. This coloring uses at most three colors for the Theorem 1. The regions of any simple planar map ring, leaving us a free color for the kernel face, can be colored with only four colors, in such a way so the original map is also four-colorable. Erasing that any two adjacent regions have different colors. an appropriate pair of opposite edges disposes of can on the one hand be understood even by the square configuration similarly. schoolchildren as “four colors suffice to color any In the pentagon case, however, it is necessary to modify the inductive coloring to free a ring flat map” and on the other hand be given a faith- color for the kernel face. Kempe tried to do this by ful, precise mathematical using only locally inverting the colors inside a two-toned max- basic notions in topology, as we shall see in the imal contiguous group of faces (a “Kempe chain”). section “The Formal Theorem”. By planarity, chains cannot cross, and Kempe The first step in the proof of the Four-Color enumerated their arrangements and showed that Theorem consists precisely in getting rid of the consecutive inversions freed a ring color. Alas, it is topology, reducing an infinite problem in analysis not always possible to do consecutive inversions, to a finite problem in . This is usual- as inverting one chain can scramble other chains. ly done by constructing the of the map, It took ten years to spot this error and almost a and then appealing to the compactness theorem century to fix it. of propositional . However, as we shall see The correct proof gives up on pentagons and below, the graph construction is neither neces- turns to larger reducible configurations for which sary nor sufficient to fully reduce the problem to Kempe’s argument is sound. The first such config- combinatorics. uration, which has ring-size 6, was discovered by Therefore, we’ll simply restrict the rest of this Birkhoff in 1913 [5]: outline to connected finite maps whose regions are finite polygons and which are bridgeless: every edge belongs to exactly two polygons. Every such polyhedral map satisfies the Euler formula

N − E + F = 2 where N, E, and F are respectively the number of Birkhoff also showed that all configurations with ring-size less than 6 are reducible except the vertices (nodes), sides (edges), and regions (faces) pentagon; thus any minimal counter-example to in the map. the theorem must be internally 6-connected (we’ll The next step consists in further reducing to refer to this as the “Birkhoff lemma”). cubic maps, where each node is incident to exactly As we’ll see below, showing that a given config- three edges, by covering each node with a small uration is reducible is fairly straightforward, but polygon. very laborious: the number of cases to consider increases geometrically to about 20,000,000 for ring-size 14, and 137 of the 633 configurations used in the proof [13] are of that size. The final part of the proof shows that reducible In a cubic map we have 3N = 2E, which com- configurations are unavoidable, using a refinement bined with the Euler formula gives us that the of the average-arityargument published by Heesch average number of sides (or arity) of a face is in 1969 [11]. The idea is to look for reducible con- 2E/F = 6 − 12/F. figurations near faces whose arity averaged over The proof proceeds by induction on the size of their 2-neighborhood is less than 6; the “averag- the map; it is best explained as a refinement of ing” is done by transfering (discharging) fractions Kempe’s flawed 1879 proof [12]. Since its average of arities between adjacent faces according to a arity is slightly less than 6, any cubic polyhedral small of local patterns: the “discharged” arity map must contain an n-gon with n < 6, i.e., one of of a face a is the following map fragments. δ(a) = δ(a) + Pb(Tba − Tab)

December 2008 Notices of the AMS 1383 where δ(a) is the original arity of a, and Tba is the Proof types are types that encode logic (they’re arity fraction transfered from b. Thus the average also called “-as-types”). The encod- discharged arity remains 6 − 12/F < 6. ing exploits a strong similarity between type and The proof enumerates all internally 6-connected logic rules, which is most apparent when both 2-neighborhoods whose discharged arity is less are written in style (see [10] in than 6. This is fairly complex, but this issue), e.g., consider application and not as computationally intensive as the reducibil- (MP): ity checks: the search is heavily constrained f : A → B x : A A ⇒ B A as the neighborhoods consist of two disjoint f x : B B concentric rings of 5+-gons. Indeed in [13] re- ducible configurations are always found inside the The rules are identical if one ignores the terms to 2-neighborhoods, and the central face is a 7+-gon. the left of “:”. However these terms can also be included in the correspondence, by interpreting Coq and the Calculus of Inductive x : A and “x proves A” rather than “x is of type A”. Constructions In the above we have that f x proves B because x proves A and f proves A ⇒ B, so the applica- The Coq formal proof system (or assistant) [4, tion f x on the left denotes the MP deduction on 16], which we used for our work is based on the right. This holds in general: proof types are a version of higher-order logic, the Calculus of inhabited by proof objects. inductive Constructions (CiC) [6] whose specific CiC is entirely based on this correspondence, features—propositions as types, dependent types, which goes back to Curry and Howard. CiC is a and reflection—all played an important part in the without a formal logic, a sensible sim- success of our project. plification: as we’ve argued we need types anyway, We have good to leave the familiar, so why add a redundant logic? The availability dead-simple world of untyped first-order logic for of proof objects has consequences both for ro- the more exotic territory of Type [10, 4]. In bustness, as they provide a practical means of first-order logic, higher-level (“meta”) storing and thus independently checking proofs, are second- citizens: they are interpreted as and for expressiveness, as they let us describe informal procedures that should be expanded and prove algorithms that create and process out to primitive to achieve full rigor. proofs—meta-arguments. This is fine in a non-formal proof, but rapidly The correspondence in CiC is not limited to becomes impractical in a formal one because of Herbrand term and ; it interprets ramping complexity. Computer automation can mitigate this, but supplies a much most data and programming constructs common more satisfactory solution, levelling the playing in computer science as useful logical connectives field by providing a language that can express and deduction rules, e.g., pairs as “and” meta-arguments. x : A y : B u : A × B This can indeed be observed even with the hx, yi : A × B u.1: A u.2: B simplest first-order type system. Consider the ∧ commutativity of integer addition, A B A B A ∧ B A B ∀x, y ∈ N, x + y = y + x tagged unions as “or”, conditional (if-then-else) There are two hidden premises, x ∈ N and y ∈ N, as proof by cases, recursive definitions as proof that need to be verified separately every time the by induction, and so on. The correspondence law is used. This seems innocuous enough, except even works backwards for the logical rule of x and y may be replaced by huge expressions for generalization: we have which the x, y ∈ N premises are not obvious, even ⊢ B[x] x not free in for machine automation. By contrast, the typed Γ Γ ⊢ ∀x, B[x]) version of commutativity Γ ∀x, y : Nat, x + y = y + x , x : A ⊢ t[x] : B[x] can be applied to any expression A + B without Γ ⊢ (fun x : A ֏ t[x]) : (∀x : A, B[x]) further checks, because the premises follow from Γ the way A and B are written. We are simply not The proof/typing context is explicit here because Γ allowed to write drivel such as 1 + true, and conse- of the side condition. Generalization is interpret- quently we don’t need to worry about its existence, ed by a new, stronger form of function definition even in a fully formal proof—we have “proof by that lets the type of the result depend on a for- notation”. mal parameter. Note that the nondependent case Our formal proof uses this, and much more: interprets the Deduction Theorem. proof types, dependent types, and reflection, as The combination of these dependent types with we will now explain. proof types leads to the last feature of CiC we wish

1384 Notices of the AMS Volume 55, Number 11 to highlight in this section, computational reflec- In CiC, this 20,000,000-cases proof, is almost as tion. Because of dependent types, data, functions trivial as the Poincaré 2 + 2 = 4: apply the cor- and therefore (potential) computation can appear rectness lemma, then reflexivity up to (a big!) in types. The normal mathematical practice is computation. Note that we make essential use to interpret such meta-data, replacing a constant of dependent and proof types, as the cubic map by its definition, instantiating formal parameters, computed by cfring is passed implicitly inside selecting a case, etc. CiC supports this through the type of the returned ring. cfring mediates a typing rule that lets such computation happen between a string representation of configurations, transparently: well suited to algorithms, and a more mathemat- ical one, better suited for abstract , ≡ t : A A βιδζ B which we shall describe in the next section. t : B This rule states that the βιδζ-computation rules Combinatorial Hypermaps of CiC yield equivalent types. It is a subsumption Although the Four-Color Theorem is superficially rule: there is no record of its use in the proof stated in analysis, it really is a result in com- term t. Aribitrary long computations can thus binatorics, so common sense suggests that the be elided from a proof, as CiC has an ι-rule for bulk of the proof should use solely combinatorial . structure. Oddly, most accounts of the proof use This yields an entirely new way of proving graphs homeomorphically embedded in the results about specific calculations: computing! or , dragging analysis into the combina- Henri Poincaré once pointed out that one does torics. This does allow appealing to the Jordan not “prove” 2 + 2 = 4, one “checks” it. CiC can Curve Theorem in a pinch, but this is hardly help- do just that: if erefl : ∀x, x = x is the reflexivity ful if one does not already have the Jordan Curve , and the constants +, 2, 4 denote a recursive Theorem in store. function that computes integer addition, and the Moreover, graphs lack the data to do geometric representation of the integers 2 and 4, respective- traversals, e.g., traversing the first neighborhood ly, then erefl 4 proves 2+2 = 4 because 2+2 = 4 of a face in clockwise order; it is necessary to go and 4 = 4 are just different denotations of the back to the embedding to recover this informa- same . tion. This will not be easy in a fully formal proof, While the Poincaré example is trivial, we would where one does not have the luxury of appealing probably not have completed our proof with- to pictures or “folklore” when cornered. out computational reflection. At the heart of the The solution to this problem is simply to add reducibility proof, we define the missing data. This yields an elegant and highly symmetrical structure, the combinatorial hyper- check_reducible cf : bool := ... map [7, 17]. Definition cfreducible cf : Prop := c_reducible (cfring cf) (cfcontract cf). Definition 1. A hypermap is a triple of functions where check_reducible cf calls a complex he,n,f i on a finite set d of darts that satisfy the reducibility decision procedure that works on triangular identity e ◦ n ◦ f = 1. a specific encoding of configurations, while Note the circular symmetry of the identity: hn,f,ei c_reducible r c is a logical predicate that as- and hf,e,ni are also hypermaps. Obviously, the serts the reducibility of a configuration map with condition forces all the functions to be permu- ring r and deleted edges (contract) c; cfring cf tations of d, and fixing any two will determine denotes the ring of the map represented by cf. the third; indeed hypermaps are often defined We then prove this way. We choose to go with symmetry instead, Lemma check_reducible_valid : because this lets us use our constructions and the- forall cf : config, orems three times over. The symmetry also clearly check_reducible cf = true -> cfreducible cf. demonstrates that the dual graph construction This is the formal partial correctness proof of plays no part in the proof. the decision procedure; it’s large, but nowhere We have found that the relation between hyper- near the size of an explicit reducibility proof. maps and “plain” polyhedral maps is best depicted With the groundwork done, all reducibility proofs by drawing darts as points placed at the corners become trivial, e.g., of the polygonal faces, and using arrows for the three functions, with the cycles of the f func- Lemma cfred232 : cfreducible (Config 11 33 37 tion going counter-clockwise inside each face, and H2H13Y5H10H1H1Y3H11Y4H9 H1Y3H9Y6Y1Y1Y3Y1YY1Y). those of the n function around each node. On a Proof. plain map each edge has exactly two endpoints, apply check_reducible_valid. and consequently each e cycle is a double-ended vm_compute; reflexivity. arrow cutting diagonally across the n − f − n − f Qed. rectangle that straddles an edge (Figure 1).

December 2008 Notices of the AMS 1385 of a ring face, and end at the “outer half” of a ring face. e Using the fixed local structure of hypermaps, n “inner” and “outer” can be defined locally, by ad- f hering to a certain traversal pattern. Specifically, dart we exclude the e function and fix opposite direc- node tions of travel on n and f : we define contour paths −1 ∪ edge as dart paths for the n f relation. A contour cycle follows the inside border of a face ring, clockwise, listing explicitly all the darts in this border. Note that n or n−1 steps from a contour map cycle always go inside the contour, while f or f −1 steps always go outside. Therefore the Jordan property for hypermap contours is: “any chord must start and end with the same type of step.” This can be further simplified by splicing the ring and cycle, yielding Figure 1. A hypermap. Theorem 2. (the Jordan Curve Theorem for hyper- maps): A hypermap is planar if and only if it has no duplicate-free “Möbius contours” of the form The Euler formula takes a completely symmet- rical form for hypermaps E + N + F = D + 2C where E, N, and F are the number of cycles of the e, n, and f permutations, D and C are the number The x ≠ y condition rules out contour cycles; note of darts and of connected components of e ∪ n ∪ however that we do allow y = n(x). f , respectively. As far as we know this is a new combinatori- We define planar hypermaps as those that sat- al definition of planarity. Perhaps it has escaped isfy this generalized Euler formula, since this attention because a crucial detail, reversing one property is readily computable. Much of the proof of the permutations, is obscured for plain maps can be carried out using only this formula. In (where e−1 = e), or when considering only cycles. particular Benjamin Werner found out that the Since this Jordan property is equivalent to the proof of correctness of the reducibility part was Euler identity, it is symmetrical with respect to most naturally carried out using the Euler formula the choice of the two permutations that define only. As the other unavoidability part of the proof “contours”, despite appearances. Oddly, we know is explicitly based on the Euler formula, one could no simple direct proof of this fact. be misled into thinking that the whole theorem is We show that our Jordan property is equivalent a direct consequence of the Euler formula. This is to the Euler identity by induction on the number not the case, however, because unavoidability also of darts. At each induction step we remove some depends on the Birkhoff lemma. Part of the proof dart z from the hypermap structure, adjusting of the latter requires cutting out the submap the permutations so that they avoid z. We can inside an arbitrary simple ring of 2 to 5 faces. simply suppress z from two of the permutations Identifying the inside of a ring is exactly what the (e.g., n and f ), but then the triangular identity Jordan Curve Theorem does, so we worked out a of hypermaps leaves us no choice for the third combinatorial analogue. We even show that our permutation (e here), and we have to either merge hypermap Jordan property is actually equivalent two e-cycles or split an e-cycle: to the hypermap Euler formula. The naïve of the Jordan Curve

Theorem from the continuous plane to discrete z Walkupe maps fails. Simply removing a ring from a hyper- map, even a connected one, can leave behind any number of components: both the “inside” and the “outside” may turn out to be empty or disconnect- ed. A possible solution, proposed by Stahl [14], is to consider paths (called chords below) that go e from one face of the ring to another (loops are n allowed). The Jordan Curve Theorem then tells us f that such paths cannot start from the “inner half”

1386 Notices of the AMS Volume 55, Number 11 full map

disk

patch

remainder

contour cycle

Figure 2. Patching hypermaps.

Following [14, 18], we call this operation the • The double Walkupf transformation eras- Walkup transformation. The figure on the previ- es an edge in the map, merging the two ous page illustrates the Walkupe transformation; adjoining faces.It is used in the main proof by symmetry, we also have Walkupn and Walkupf to apply a contract. transformations. In general, the three transfor- • The double Walkupe transformation con- mations yield different hypermaps, and all three catenates two successive edges in the map; prove to be useful. However, in the degenerate we apply it only at nodes that have on- case where z is fixed by e, n, or f , all three variants ly two incident edges, to remove edge coincide. subdivisions left over after erasing edges. A Walkup transformation that is degenerate or • The double Walkupn transformation con- that merges cycles does not affect the validity of tracts an edge in the map, merging its end- the hypermap Euler equation E +N +F = D+2C.A points. It is used to prove the correctness splitting transformation preserves the equation if of the reducibility check. and only if it disconnects the hypermap; otherwise Contours provide the basis for a precise defini- it increments the left hand side while decrement- tion of the patch operation, which pastes two maps ing the right hand side. Since the empty hypermap along a border ring to create a larger map. This is planar, we see that planar hypermaps are those operation defines a three-way relation between a that maximize the sum E + N + F for given C map, a configuration submap, and the remainder and D and that a splitting transformation always of that map. Surprisingly, the patch operation disconnects a planar hypermap. (Figure 2) is not symmetrical: To show that planar maps satisfy the Jordan • For one of the submaps, which we shall property we simply exhibit a series of transfor- call the disk map, the ring is an e cycle (a mations that reduce the contour to a 3-dart cycle hyperedge). No two darts on this cycle can that violates the planarity condition. The converse belong to the same face. is much more delicate, since we must apply re- • For the other submap, the remainder map, verse Walkupe transformations that preserve both the ring is an arbitrary n cycle. the existence of a contour and avoid splits (the Let us point out that although the darts on the bor- latter involves a combinatorial analogue of the der rings were linked by the e and n permutations “flooding” proof of the original Euler formula). in the disk and remainder map, respectively, they We also use all three transformations in the are not directly connected in the full map. Howev- main part of proof. Since at this point we are er, because the e cycle is simple in the disk map, it restricting ourselves to plain maps, we always is a subcycle of a contour that delineates the entire perform two Walkup transformations in succes- disk map. This contour is preserved by the con- sion; the first one always has the merge form, struction, which is thus reversible: the disk map the second one is always degenerate, and always can be extracted, using the Jordan property, from yields a plain map. Each variant of this double this contour. The patch operation preserves most Walkup transformation has a different geometric of the geometrical properties we are concerned interpretation and is used in a different part of with (planar, plane, cubic, 4-colorable; bridgeless the proof: requires a side condition).

December 2008 Notices of the AMS 1387 Step 1 Steps 2-3 Step 4

Step 5 Steps 6-7 Step 8

Figure 3. Digitizing the four color problem.

The Formal Theorem Definition 3. Two regions of a map are adjacent if Polishing off our formal proof by actually proving their respective closures have a common point that Theorem 1 came as an afterthought, after we had is not a corner of the map. done the bulk of the work and proved Definition 4. A point is a corner of a map if and Theorem four_color_hypermap : only if it belongs to the closures of at least three forall g : hypermap, planar_bridgeless g -> regions. four_colorable g. The definition of “corner” allows for contiguous We realized we weren’t quite done, because the points, to allow for boundaries with accumulation deceptively simple statement hides fairly tech- points, such as the curve sin 1/x. nical definitions of hypermaps, cycle-counting, The discretization construction (Figure 3) fol- and planarity. While formal verification spares lows directly from the definitions: Pick a non- the skeptical from having to wade through the corner border point for each pair of adjacent complete proof, he still needs to unravel all the regions (1); pick disjoint neighborhoods of these definitions to convince himself that the result lives up to its . points (2), and snap them to a grid (3); pick a The final theorem looks superficially similar to simple polyomino approximation of each region, its combinatorial counterpart that intersects all border rectangles (4), and extend them so they meet (5); pick a grid that covers all Variable R : real_model. Theorem four_color : forall m : map R, the polyominos (6) and construct the correspond- simple_map m -> map_colorable 4 m. ing hypermap (7); construct the contour of each polyomino, and use the converse of the hypermap but itis actually quite different: itis basedon about patch operation to cut out each polyomino (8). 40 lines of elementary topology, and about 100 It is interesting to note that the final hyper- lines axiomatizing real numbers, rather than 5,000 map is planar because the full grid hypermap of lines of sometimes arcane combinatorics. The 40 step 7 is, simply by arithmetic: the map for an lines define simple point topology on R × R, then m × n rectangle has (m + 1)(n + 1) nodes, mn + 1 simply drill down on the statement of Theorem 1: faces, m(n+1)+(m+1)n edges, hence N +F −E = Definition 2. A planar map is a set of pairwise dis- (m+1)(n+1)+(mn+1)−m(n+1)−(m+1)n = 2 joint of the plane, called regions. A simple and the Euler formula holds. The Jordan Curve map is one whose regions are connected open sets. Theorem plays no part in this.

1388 Notices of the AMS Volume 55, Number 11 Checking Reducibility in computing an upper bound of the set of non- Although reducibility is quite demanding compu- suitable colorings and checking that it is disjoint tationally, it also turned out to be the easiest part from the set of contract colorings. of the proof to formalize. Even though we used The upper bound is the limit of a decreasing 0,..., i ,... starting with the set 0 of more sophisticated algorithms, e.g., multiway de- Ξ Ξ Ξ cision diagrams (MDDs) [1], this part of the formal all valid colorings; we simultaneously compute upper bounds 0,..., i,... of the set of chromo- proof was completed in a few part-time months. Λ Λ By comparison, the graph theory in section “Com- grams not consistent with any suitable coloring. Each iteration starts with a set i of suitable binatorial Hypermaps” (p. 1385) took a few years ∆Θ to sort out. colorings, taking the set of ring colorings of the configuration for 0. The reducibility computation consists in iter- ∆Θ ating a formalized version of the Kempe chain (1) We get i+1 by removing all chromograms Λ argument, in order to compute a lower bound for consistent with some θ ∈ i from i ∆Θ Λ the set of colorings that can be “fitted” to match a (2) We remove from i all colorings ξ that are Ξ coloring of the configuration border, using color not consistent with any λ ∈ i+1; this is Λ swaps. Each configuration comes with a set of sound since any coloring that induces ξ one to four edges, its contract [13], and the actual will also induce a chromogram γ ∉ i+1.As Λ check verifies that the lower bound contains all the γ is consistent with both ξ and a suitable colorings of the contract map obtained by erasing coloring θ, there exists a chain inversion the edges of contract. that transforms ξ into θ. −1 (3) Finally we get i+1 by applying ρ and ρ The computation keeps track of both ring col- ∆Θ to the colorings that were deleted from i ; orings and arrangement of Kempe chains. To cut Ξ down on symmetries, their representation uses we stop if there were none. the fact that four-coloring the faces of a cubic We use 3- and 4-way decision diagrams to repre- map is equivalent to three-coloring its edges; this sent the various sets: a {1, 2, 3} edge-labeled tree result goes back Tait in 1880 [15]. Thus a coloring represents a set of colorings, and a {•, [, ]0, ]1} is represented by a word on the alphabet {1, 2, 3}. edge-labeled tree represents a set of chromo- Kempe inversions for edge colorings amount to grams. In the MDD for i , the leaf reached by Ξ inverting the edge colors along a two-toned path following the branch labeled with some ξ ∈ i Ξ (a chain) incident to ring edges. Since the map is stores the number of matching λ ∈ i , so that Λ cubic the chains for any given pair of colors (say step 2 is in amortized constant time (each consis- 2 and 3) are always disjoint and thus define an tent pair is considered at most twice); the MDD outerplanar graph, which is readily represented structures are optimized in several other ways. by a bracket (or Dyck) word on a 4-letter alphabet: The correctness proof consists in showing that traversing the ring edges counterclockwise, write the optimized MDD structure computes the right down sets, mainly by stepping through the functions, and in showing the existence of the chromogram • a • if the edgeisnot part of a chain because γ in step 2 above. Following a suggestion by it has color 1 B. Werner, we do this with a single induction on • a [ if the edge starts a new chain the remainder map, without developing any of • a ] (resp. ] ) if the edge is the end of a 0 1 the informal justification of the procedure: in this chain of odd (resp. even) length case, the formal proof turns out to be simpler than As the chain graph is outerplanar, brackets for the informal proof that inspired it! the endpoints of any chain match. We call such a The 633 configuration maps are the only link four-letter word a chromogram. between the reducibility check and the main proof. Since we can flip simultaneously any of A little analysis reveals that each of these maps the chains, a given chromogram will match any can be built inside-out from a simple construction ring coloring that assigns color 1 to • edges and program. We cast all the operations we need, such those only, and assigns different colors to edges as computing the set of colorings, the contract with matching brackets if and only if the closing map, or even compiling an occurrence check filter, bracket is a ]1. We say that such a coloring is as nonstandard interpretations of this program consistent with the chromogram. (the standard one being the map construction). Let us say that a ring coloring of the remainder This approach affords both efficient implementa- map is suitable if it can be transformed, via a tion and straightforward correctness proofs based sequence alternating chain inversions and a cyclic on simulation relations between the standard and permutation ρ of {1, 2, 3}, into a ring coloring of nonstandard interpretations. the configuration. A configuration will thus be re- The standard interpretation yields a pointed ducible when all the ring colorings of its contract remainder map, i.e., a plain map with a distin- map are suitable. The reducibility check consists guished dart x which is cubic except for the cycle

December 2008 Notices of the AMS 1389 n∗(x). The construction starts from a single edge hypermap constructions for the base map and the and applies a sequence of steps to progressively U, N, and A steps (Figure 7). build the map. It turns out we only need three types of steps. Proving Unavoidability We complete the proof of the Four-Color The- orem proof by showing that in an internally ring ring ring ring 6-connected planar cubic bridgeless map, every 2-neighborhood either contains the kernel of one of the 633 reducible configurations from [13], or has averaged (discharged) arity at least 6. base map R step Y step H step Following [13], we do this by combinatori- al search, making successive complementary as- sumptions about the arity of the various faces of before step the neighborhood, until the accumulated assump- tions imply the desired conclusion. The search is added by step partly guided by data extracted from [13] (from ring boundary both the text and the machine-checked parts), (before/after) partly automated via reflection (similarly to the selected dart reducibility check). We accumulate the assump- (before/after) tions in a data structure called a part, which can be interpreted as the set of 2-neighborhoods that The text of a construction program always starts satisfy all assumptions. with an H and ends with a Y, but is executed right While we embrace the search structure of [13], to left. Thus the program HR3 Y Y constructs the we improve substantially its implementation. In- square configuration: deed, this is the part of the proof where the extra precision of the formal proof pays off most handsomely. Specifically, we are able to show H that if an internally 6-connected map contains 3 a homomorphic copy of a configuration kernel, R base map then the full configuration (comprising kernel and ring) is actually embedded in the map. The latter Y condition is required to apply the reducibility of the configuration but is substantially harder to Y check for. The code supplied with [13] constructs a candidate kernel isomorphism then rechecks its output, along with an additional technical “well- positioned” condition; its correctness relies on the 3 The Ys produce the first two nodes; R swings the structure theorem for 2-neighborhoods from [5], reference point around so the H can close off the and on a “folklore” theorem ([13] theorem (3.3), kernel. p. 12) for extending the kernel isomorphism to We compile the configuration contract by lo- an embedding of the entire configuration. In con- cally rewriting the program text (Figure 4) into strast, our reflectedcode merely checks that arities a program that produces a map with the ring in the part and the configuration kernel are con- same colorings as the contract map (Figure 5). The sistent along a face-spanning tree (called a quiz) of compilation uses three new kinds of steps: the edge graph of the configuration map. The quiz tree is traversed simultaneously in both maps, checking the of the arity at each step, ring ring ring then using n ◦ f −1 and f ◦ n−1 to move to the left and right child. This suffices because • The traversal yields a mapping φ from the kernel K to the map M matching the part, which respects f , and respects e on the spanning tree. U step K step A step • Because M and K are both cubic, φ respects e on all of K. These contract steps are more primitive than • Because K has radius 2 and ring faces of the the H and Y steps; indeed, we can define the H, Y, configuration C have arity at most 6, φ maps e and K steps in terms of U and a rotation variant arrows faithfully on K (hence is bijective). N of K: we have K = R−1 ◦ N ◦ R, hence Y = N ◦ U • Because C and M are both cubic, and C is and H = N ◦ Y. Thus we only need to give precise chordless (only contiguous ring faces are adjacent,

1390 Notices of the AMS Volume 55, Number 11 ring ring ring ring ring ring ring

no step no step U step A step no step no step U step

ring ring ring ring ring edge erased by the contract node erased by the contract K step K step no step Y step Y step

Figure 4. Contract interpretation.

±1 1 ±1 ±1 b c c b ⊕ c b ρ b ρ b c b ρ b ρ b

b b c b c c’ b b c b c

U step K step (b c) A step (c=c’) Y step H step (b c) H step (b=c)

Figure 5. Coloring interpretation.

kernel kernel kernel kernel tree node traversed outer outer outer not ring ring ring traversed outer ring kernel kernel kernel kernel kernel outer ring kernel

Figure 6. Quiz tree interpretation.

A step base map ring

ring added by the step deleted by the step U step N step ring unchanged by the step selected ring ring dart (old/new)

Figure 7. Standard (hypermap) interpretation.

December 2008 Notices of the AMS 1391 spoke spoke r hub u u u l u l h l u u u r h r r l u hat h u spoke

r f0 spoke h r h l f l 2 h left quiz step l r f1 f0 right quiz step fan f r l 1 f0 hat subpart darts f l f r 1 2 unreachable fan dart

Figure 8. The hypermap of a subpart.

because each has arity at least 3), φ extends to an need to distinguish between arities greater than embedding of C in M. 9 (unconstrained faces range over [5, +∞)). It is The last three assertions are proved by induc- easy to simulate a quiz traversal on a part, because tion over the size of the disk map of a contour only 14 of the possible 27 darts of a subpart are containing a counter-example edge. For the third reachable (Figure 8). assertion, the contour is in M and spans at most 5 Finally, we translate the combinatorial search faces because it is the of a simple non-cyclic trees from [13] into an explicit proof script that path in K. Its interior must be empty for otherwise refines a generic part until the lower bound on the it would have to be a single pentagon (because M discharged arity can be broken down into a sum of is internally 6-connected) that would be the image lower bounds (a hubcap) on the fractions of arity of a ring face adjacent to 5 kernel and 2 ring faces, discharged from one or two spokes, which can be contrary to the arity constraint. handled by a reflected decision procedure, or the We check the radius and arity conditions explic- part is a symmetry variant of a previous case. This itly for each configuration, along with the sparsity shallow embedding allowed us to create our own and triad conditions on its contract [13]; the ring scripts for pentagons and hexagons that were not arity conditions are new to our proof. The checks covered by the computer proof in [13]. and the quiz tree selection are formulated as non- standard interpretations; the quiz interpretation (Figure 6) runs programs left-to-right, backwards. [1] S. B. Akers, Binary decision diagrams, IEEE Trans. Because our proof depends only on the Birkhoff Computers 27(6) (1978), 509–516. lemma (which incidentally we prove by reflection [2] K. Appel and W. Haken, Every map is four using a variant of the reducibility check), we do colourable, Bulletin of the American Mathematical not need “cartwheels” as in [13] to represent Society 82 (1976), 711–712. 2-neighborhoods; the unavoidability check uses [3] , Every map is four colourable, 1989. only “parts” and “quizzes”. We also use parts to [4] Yves Bertot and Pierre Castéran, Interac- tive Theorem Proving and Program Development, represent the arity discharging rules, using func- Coq’Art: The Calculus of Inductive Constructions, tions that intersect, rotate, and reflect (mirror) Springer-Verlag, 2004. parts, e.g., a discharging rule applies to a part P if [5] G. D. Birkhoff, The reducibility of maps, American and only if its part subsumes P. Journal of Mathematics 35 (1913), 115–128. The search always starts by fixing the arity [6] T. Coquand and G. Huet, The calculus of construc- of the central “hub” face, so a part is really a tions, Information and Computation 76(2/3) (1988), counterclockwise list of subparts that each store 95–120. a range of arities for each face of a sector of the [7] R. Cori, Un code pour les graphes planaires et ses applications, Astérisque 27 (1975). neighborhood, comprising a single “spoke” face [8] G. Gonthier, A computer-checked proof of the adjacent to the hub, a single “hat” face adjacent to four-colour theorem. the spoke and the preceding subpart, and 0 to 3 [9] G. Gonthier and A. Mahboubi, A small scale reflec- “fan” faces adjacent only to the spoke. There are tion extension for the Coq system, INRIA Technical only 15 possible ranges for arities, as there is no report.

1392 Notices of the AMS Volume 55, Number 11 [10] T. Hales, Formal proofs, Notices of the AMS, this issue. [11] H. Heesch, Untersuchungen zum Vierfarbenprob- lem, 1969. [12] A. B. Kempe, On the geographical problem of the four colours, American Journal of Mathematics 2(3) (1879), 193–200. [13] N. Robertson, D. Sanders, P. Seymour, and R. Thomas, The four-colour theorem, J. Combina- torial Theory, Series B 70 (1997), 2–44. [14] S. Stahl, A combinatorial analog of the Jordan curve theorem, J. Combinatorial Theory, Series B 35 (1983), 28–38. [15] P. G. Tait, Note on a theorem in the geometry of po- sition, Trans. Royal Society of Edinburgh 29 (1880), 657–660. [16] The Coq development team, The Coq Proof Assistant Reference Manual, version 8.1, 2006. [17] W. T. Tutte, Duality and trinity, Colloquium Mathematical Society Janos Bolyai 10 (1975), 1459–1472. [18] D. W. Walkup, How many ways can a permutation be factored into two n-cycles?, 28 (1979), 315–319. [19] R. Wilson, Four Colours Suffice, Allen Lane Science, 2002.

December 2008 Notices of the AMS 1393