sign in sign up
<<
Home , Entscheidungsproblem, Extensionality, Pons asinorum

The Big Proof Agenda1

N. Shankar

Computer Science Laboratory SRI International Menlo Park, CA

June 26, 2017

1 Supported by SRI International. Proofs and Machines

In science nothing capable of proof ought to be accepted without proof. —Richard Dedekind

The development of toward greater precision has led, as is well known, to the formalization of large tracts of it, so one can prove any us- ing nothing but a few mechanical rules. –Kurt G¨odel

Natarajan Shankar Pragmatics of 2/33 Proofs and Machines

Checking mathematical proofs is potentially one of the most interesting and useful applications of automatic computers. —John McCarthy

Science is what we understand well enough to explain to a computer. Art is everything else we do. —Donald Knuth

Natarajan Shankar Pragmatics of Formal Proof 3/33 Overview

Mathematics is the study of abstractions such as collections, maps, graphs, algebras, sequences, etc. It has been “unreasonably effective” as a language and a foundation for a growing number of other disciplines. Proofs are used to rigorously derive irrefutable conclusions using a small number of ‘self-evident’ principles of reasoning. Formal proofs can be constructed from a small number of precisely stated and rules of . Proof Assistants, Decision Procedures, And Theorem Provers make it possible to construct formal proofs and formally verify mathematical claims. The goal of the INI Big Proof program is to define the future direction of proof technology so that it is used by Mathematicians to discover and verify new results Educators to communicate proofs and problems solving techniques

Natarajan Shankar Pragmatics of Formal Proof 4/33 In the Beginning

Thales of Miletus (624 – 547 B.C.): Earliest known person to be credited with and proofs. It was Thales who first conceived the principle of explaining the multitude of phenomena by a small number of hy- potheses for all the various manifesta- tions of matter. of Samos (569–475 B.C.): Sys- tematic study of mathematics for its own sake. ... he tried to use his symbolic method of teaching which was similar in all respects to the lessons he had learnt in Egypt. The Samians were not very keen on this method and treated him in a rude and improper manner.

Natarajan Shankar Pragmatics of Formal Proof 5/33 The Axiomatic Method

Plato (427–347 B.C.): Suggested the idea of a single system for all knowledge. the reality which scientific thought is seek- ing must be expressible in mathematical terms, mathematics being the most pre- cise and definite kind of thinking of which we are capable.

Aristotle (384–322 B.C.) of Stagira: Laid the foun- dation for scientific thought by proposing that all theoretical disciplines must be based on axiomatic principles.

Natarajan Shankar Pragmatics of Formal Proof 6/33 and The Elements

Euclid of Alexandria (325–265 B.C.): Systematic compila- tion and exposition of and .

1 A straight line segment can be drawn joining any two points.

2 Any straight line segment can be extended indefinitely in a straight line.

3 Given any straight line segment, a circle can be drawn having the segment as radius and one endpoint as center.

4 All right are congruent.

5 If two lines are drawn which intersect a third in such a way that the sum of the inner angles on one side is less than two right angles, then the two lines inevitably must intersect each other on that side if extended far enough. This postulate is equivalent to what is known as the .

Natarajan Shankar Pragmatics of Formal Proof 7/33 Euclid’ Pons Asinorum [Wikipedia]

Charles Dodgson, quoted in Ian Stewart, Concepts of Modern Mathematics: MINOS: It is proposed to prove [the theorem] by taking up the isosceles , turning it over, and then lay- ing it down again upon itself. EUCLID: Surely that has too much of the Irish Bull about it, and reminds one a little too vividly of the man who walked down his own throat, to de- serve a place in a strictly philosophi- cal treatise? MINOS: I suppose its defenders would say that it is conceived to leave a trace of itself behind and the re- versed triangle is laid down on the trace so left.

Natarajan Shankar Pragmatics of Formal Proof 8/33 Mechanizing Reasoning: Llull and Leibniz Ramon Llull (1235–1316): Talked of reducing all knowl- edge to first principles. Developed a symbolic notation (Ars Magna) and conceived of a reasoning machine. When he attempted to apply rational thinking to religion, Pope Gregor XI “accused him of confusing faith with reason and condemned his teachings.” Gottfried Leibniz (1646–1716) The idea of a formal lan- guage (characteristica universalis) for expressing scholarly knowledge and a mechanical method for making deductions (calculus ratiocinator). What must be achieved is in fact this: that every paralogism be recognized as an error of calculation, and every sophism when expressed in this new kind of notation, appear as a solecism or barbarism, to be corrected easily by the laws of this philosophical grammar. Once this is done, then when a controversy arises, disputa- tion will no more be needed between two philosophers than between two computers. It will suffice that, pen in hand, they sit down to their abacus and (calling in a friend, if they so wish) say to each other: let us calculate. Natarajan Shankar Pragmatics of Formal Proof 9/33 Formal Arithmetic

Richard Dedekind (1813–1916) : Early theoretic ideas, infinite sets, Dedekind cuts, arithmetic.

Giuseppe Peano (1858–1932) : Modern notation, arithmetic.

0 6= S(x) S(x) = S(y) =⇒ x = y A(0) ∧ (∀x.A(x) =⇒ A(S(x))) =⇒ (∀x.A(x))

Natarajan Shankar Pragmatics of Formal Proof 10/33

Georg Cantor (1845–1918): Set theory, transfinite sets, continuum hypothesis.

Ernst Zermelo (1871–1953): For- malized set theory, , well-ordering principle. : x = y ⇐⇒ (∀z.z ∈ x ⇐⇒ z ∈ y) ∀x.¬x ∈ ∅ Pairing: ∀x, y.∃z.∀u.u ∈ z ⇐⇒ u = x ∨ u = y Union: ∀x.∃y.∀z.z ∈ y ⇐⇒ (∃w.z ∈ w ∧ w ∈ x) Separation: {x ∈ y|A}, for any formula A, y 6∈ vars(A). Infinity: There is a set containing all the finite ordinals. : For any set, we have the set of all its .

Natarajan Shankar Pragmatics of Formal Proof 11/33 Modern Formal Logic

Gottlob Frege (1848–1925): A system of quantifi- cational logic. (1872–1970) and Al- fred North Whitehead (1861–1947): Ramified , rigorous formal development of a significant portion of mathematics. ()i is the type of of order i.

i1 im i (τ1 , . . . , τm ) with i > max(i1,..., in), is the type of propositional functions from τ1 × ... × τm, possibly quantifying over variables of order below i.

Natarajan Shankar Pragmatics of Formal Proof 12/33 Simple Type Theory

Kurt G¨odel(1906–1978): : Every statement has a counter-model or a proof. Incompleteness: Any consistent formal theory for arithmetic contains statements that are nei- ther provable nor disprovable. Such a theory cannot prove its own .

Alonzo Church (1909–1995): , recursive unsolvability, Church’s thesis, simple type theory. The types of individuals i and propositions o at level 0 The type A→B is a type at level n + 1 if A is a type at level at most n and B is a type at level at most n + 1.

Natarajan Shankar Pragmatics of Formal Proof 13/33 Computing Machinery and Intelligence

Turing Machine (TM) as a finite state machine scanning and writing an infinite tape. A Universal (UTM) as an interpreter for a given TM on a given input. The unsolvability of the : Does a TM M diverge on an input i? The unsolvability of the : Is a given sentence in first-order logic valid?

Natarajan Shankar Pragmatics of Formal Proof 14/33 The First Automated Reasoner

In 1954, Martin Davis programmed a decision procedure. Its great triumph was to prove that the sum of two even numbers is even.

Natarajan Shankar Pragmatics of Formal Proof 15/33 Early Proof Assistants [Automath, LCF, Thm/Nqthm/ACL2] John McCarthy N. G. de Bruijn Woody Bledsoe

Robin Milner Bob Boyer J Moore

Natarajan Shankar Pragmatics of Formal Proof 16/33 The Language of Formal Mathematics:

ACL2 (1972–present) is based on Primitive Recursive Arithmetic (adapted to Lisp) and is Adequate for formalizing combinatorial mathematics. Supported by impressive mechanization in the form of induction, simplification, and rewriting.

(DEFUN REV (X) (IF (ENDP X) NIL (APPEND (REV (CDR X)) (LIST (CAR X))))) (DEFTHM REV_OF_REV (IMPLIES (TRUE-LISTP X) (EQUAL (REV (REV X)) X)))

Natarajan Shankar Pragmatics of Formal Proof 17/33 The Language of Formal Mathematics: Higher-Order Logic

Church’s introduced a simple theory of types consisting of Types: bool, nat, A→B Terms: x, c. =A, λx.a, f a. Peter Andrews in the 1970s used higher-order logic in his theorem prover TPS. HOL, HOL-Light, and Isabelle/HOL use classical higher-order logic based on Church’s simple theory of types which Can be interpreted in Zermelo set theory. Captures basic mathematical concepts adequately.

Natarajan Shankar Pragmatics of Formal Proof 18/33 The Language of Formal Mathematics: Dependent Higher-Order Logic

PVS extends higher-order logic with subtypes (e.g., primes, continuity-preserving operators) and dependent types (e.g., finite sequences) Proof obligations are generated to check that an expression has the expected type. Type checking is undecidable since proof obligations can be arbitrary formulas. looks and feels like a mathematical vernacular, and catches lots of errors.

n: VAR nat factorial(n): RECURSIVE posint = (IF n = 0 THEN 1 ELSE n * factorial(n-1) ENDIF) MEASURE n n_choose_k(n, (k : upto(n))): posnat = factorial(n) / (factorial(k) * factorial(n - k))

Natarajan Shankar Pragmatics of Formal Proof 19/33 The Language of Type Theory

The Curry–Howard propositions-as-types exploits the following analogy: A is identified with the set of its proof inhabitants. ⊥ is uninhabited. λ(x : A).b inhabits A =⇒ B if x : A ` b : B. λ(x : A).b(x) inhabits Π(x : A).B(x) if x : A ` b(x): B(x). In Coq, Terms (proofs) can be applied to other terms, e.g., λ(x : A→B).λ(y : A).x(y): B Terms can be applied to types. (polymorphic types), e.g. Λα.λ(x : α).x : ∀α.α→α Types can depend on terms (dependent types), e.g., Π(x : A).B(x) Types can depend on types (type constructors), e.g., in list[α], list : ∗→∗

Natarajan Shankar Pragmatics of Formal Proof 20/33 Univalent Foundations

Martin-L¨oftype theory formulates a propositions-as-types system using dependent typing: Π(x : A).B(x) corresponds to universal quantification Σ(x : A).B(x) corresponds to existential quantification

For each type A, there is a type (proposition) IdA(a, b) (with ra : IdA(a, a) ) expressing the of two terms a and b of type A. The computational interpretation of equality was not specified.

Natarajan Shankar Pragmatics of Formal Proof 21/33 Univalent Foundations

In the Homotopy interpretation Types are topological spaces Term a : A is a point Identity type IdA(a, b) consists of paths p which are continuous maps from [0, 1] to A with p(0) = a and p(1) = b.

The identity type IdIdA(a,b)(p, q) consists of homotopies. There is an increasingly refined notion of equality proofs depending on whether Propositions: Unique equality proof for inhabitants of A. Sets: Equality proofs of equality proofs are unique. Groupoids: Equality proofs of equality proofs of equality proofs are unique. Univalence axiom asserts that isomorphic types are equal.

Natarajan Shankar Pragmatics of Formal Proof 22/33 Libraries

Many proof assistants now have large formalized libraries covering diverse branches of mathematics: Mizar has the Journal of Formalized Mathematics Isabelle maintains an Archive of Formal Proofs NASA Nasalib is a large PVS library Finding information in these libraries is a big challenge. Filling gaps in the libraries is also going to take a lot of work. Once libraries reach a critical mass, proof assistants can be used for formalizing cutting-edge results. Standardized notations like TPTP, SMT-LIB, and OMDoc are also gaining currency as formats for representing problems and formalizations.

Natarajan Shankar Pragmatics of Formal Proof 23/33 Automation: Computer Algebra Systems

Computer algebra systems operate on mathematical expressions to simplify and solve them. They have been around since the 1960s. Modern ones include Maple, Mathematica, Maxima, SageMath, etc. They can be used to 1 Simplify expressions to normal forms 2 Factorize polynomials 3 Compute total and partial derivatives 4 Compute definite and indefinite integrals 5 Solve differential and diffference equations 6 Optimization 7 Quantifier elimination

Natarajan Shankar Pragmatics of Formal Proof 24/33 Automation: SAT Solvers

A satisfiability (SAT) procedure solves a system of Boolean constraints. This is the original NP-complete problem. However, modern SAT solvers can solve extremely large instances of SAT. They typically employ Conflict-Directed Clause Learning which builds on the Davis–Putnam–Logemann–Loveland procedure of 1960-63. In 2016, a SAT solver was used to solve the Boolean Pythagorean Triples problem: Is it possible to 2-color that the positive integers such that there is no monochromatic Pythagorean triple, i.e., ha, b, ci where a2 + b2 = c2? Up to N = 7824, it is possible to ensure that all Pythagorean triple are bichromatic, but not at N = 7825. The SAT solver generates a 200 terabyte proof which has been formally checked.

Natarajan Shankar Pragmatics of Formal Proof 25/33 Automation: SMT Solvers

We can augment Boolean constraints with theory constraints drawn from arithmetic, orderings, arrays, bit-vectors, etc. The resulting problem of satisfiability modulo theories (SMT) is also solvable. Proof assistants like PVS, Dafny, and Isabelle invoke SMT solvers to discharge proof subgoals and to simplify expressions. This leads to a proof style where simplifications are contextual, e.g., x = y =⇒ x + 3 − y > 0. This allows the automation to leap over tedious proof steps and trivial subgoals.

Natarajan Shankar Pragmatics of Formal Proof 26/33 Automation: Proof Search Procedures

Resolution is a semi-decision procedure for first-order

p(a1,..., an) ∨ Γ, ¬p(b1,..., bn) ∨ ∆ σ(Γ ∨ ∆)

where σ = mgu(p(a1,..., an), p(b1,..., bn)) 6= ⊥. Paramodulation generalizes resolution to equality atoms. Robbins conjecture: Given a binary operator + and a unary operator n such that + is associative and commutative: A Robbins algebra satisfies Robbins’ equation n(n(x + y) + n(x + n(y))) = x, A satisfies Huntington’s equation n(n(x) + y) + n(n(x) + n(y)) = x. Is every Robbins algebra Boolean? This was open for sixty years until McCune in 1996 used EQP to show that Robbin’s equation does imply Huntington’s equation.

Natarajan Shankar Pragmatics of Formal Proof 27/33 Will Mathematicians Formalize their ?

Vladimir Voevodsky

But to do the work at the level of rigor and precision I felt was necessary would take an enormous amount of effort and would produce a text that would be very difficult to read. And who would ensure that I did not forget something and did not make a mistake, if even the mistakes in much more simple arguments take years to uncover? I think it was at this moment that I largely stopped doing what is called curiosity driven research and started to think seriously about the future.

Natarajan Shankar Pragmatics of Formal Proof 28/33 Will Mathematicians Formalize their Arguments?

From Laurent Th´ery Date: Thursday 20 September 2012, 20:24 Re: [Coqfinitgroup-commits] r4105 trunk Hi,

Just for fun

Feit Thompson statement in Coq:

Theorem Feit_Thompson (gT : finGroupType) (G : group gT) : odd #|G| -> solvable G.

How big it is:

Number of lines ~ 170 000 Number of definitions ~15 000 Number of theorems ~ 4 200 Fun ~ enormous!

Natarajan Shankar Pragmatics of Formal Proof 29/33 Can We Trust Automation?

. . . we ask whether this guarantee would be weakened by leaving the mechanical verification to a machine. This is a very reasonable, relevant and important question. It is related to proving the correctness of fairly extensive computer programs, and checking the interpretation of the specifications of those programs. And there is more: the hardware, the operating system have to be inspected thoroughly, as well as the , the semantics and the compiler of the . And even if all this would be covered to satisfaction, there is the fear that a computer might make errors without indicating them by total breakdown. I do not see how we ever can get to an absolute guarantee. But one has to admit that compared to human mechanical verification, computers are superior in every respect. N. G. de Bruijn HOL Light has a small kernel ( 500 lines) that has been shown sound in a strengthened version of HOL Light Some theorem provers have been verified down to (models of) hardware.

Natarajan Shankar Pragmatics of Formal Proof 30/33 Social Platforms for Proof

The verification of Hales’ proof of the Kepler con- jecture was carried out as an international collabo- ration. Polymath (https://polymathprojects.org) is a platform for supporting the web-based collaboration for solving hard problems. In 2013, Yitang Zhang proved that there are infinitely many successive primes that are at most N apart for N = 70, 000, 000. Terence Tao led a Polymath project that reduced the bound to 246. Tao’s solution of the Erd¨osDiscrepancy Problem also relied on insights from Polymath.

Natarajan Shankar Pragmatics of Formal Proof 31/33 Conclusions

Mathematics is a castle built on proof. Proofs can be studied, transformed, and mined for information. Programs can carry out provably correct manipulations (e.g., algebra systems, SAT/SMT solvers), build models, generate formal proofs (theorem provers), and check proofs (interactive proof assistants). These technologies can help people (at every level of mathematical expertise) understand and create mathematics. Computer technology scales proof to big proof and expands the audience for mathematical content. The INI Big Proof program is an opportunity to define a technology roadmap and launch projects that need international collaboration.

Natarajan Shankar Pragmatics of Formal Proof 32/33 Further Reading

John Rushby, Formal Methods and their Role in the Certification of Critical Systems, SRI-CSL Technical Report, 1995. Jeremy Avigad and John Harrison. Formally verified mathematics. CACM 57, 2014. Thierry Coquand, Type Theory, http://plato.stanford.edu/entries/type-theory/. N. Shankar, Model Checking and Deduction, Handbook of Model Checking, 2017.

Natarajan Shankar Pragmatics of Formal Proof 33/33