Slide transcript (34 pages), posted Dec 21, 2015

Page 1

Emulating proof-by-hand with Isabelle

Julio Rubio
Departamento Matemáticas y Computación
Universidad de La Rioja (Spain)

(Based on joint work with J. Aransay & C. Ballarin)

Page 2

(Remarks by a naive user)

Remark 1. Working with a computer-aided proof tool is difficult (independently of the degree of automation).

Remark 2. Thus, a computer-aided version of a proof tends to be considerably more difficult than the corresponding “by-hand” proof.

Page 3

(Remarks by a naive user)

Remark 3. In situations where the benefits of a computer-based proof are relevant (e.g. in problems related to program certification) and where the underlying mathematical problem is non-trivial, some new resources are needed.

Page 4

(Remarks by a naive user)

Remark 4. Each “by-hand” proof has an “animating spirit”. (This is why we talk about different proofs of the same theorem, beyond syntactic or presentation differences.)

Remark 5. That vaporous spirit cannot be captured by general strategies, heuristics or tacticals.

Page 5

(Remarks by a naive user)

Remark 6. These orienting ideas can be expressed a posteriori by logical tools, but they are not easily deduced or inferred from logic (they depend on the “universe of discourse”).

Remark 7. But these ideas are rarely linked to an isolated theorem; so they are open to reuse (likely in the same “universe of discourse” as the theorem which raised them).

Page 6

(Remarks by a naive user, and hopes and claims)

Remark 8. In each case, a trade-off between immediacy and genericity must be looked for.

Hope 1. This trade-off point can be found in many cases.

Claim 1. This is a way (¿the only one?) in which mechanised reasoning tools can be usable and relevant in “standard” mathematics and its applications.

(Tentative)

Page 7

(Remarks by a naive user, and hopes and claims)

Hope 2. These informal guidelines can be used in our problem of constructing a mechanised proof of the Basic Perturbation Lemma (BPL).

Claim 2. The guidelines illustrated in the previous remarks (or some variants of them) should have been used in the successful applications of computer-based proof tools.

(Tentative)

Page 8

A case-study in mechanised homological algebra

Initial problem: Kenzo, a symbolic computation system for Algebraic Topology (Sergeraert). Brand new results. BPL: the central algorithmic tool in Kenzo.

Approach: formal methods in symbolic computation to increase the reliability of systems.

Previous studies: algebraic specification of the Kenzo data structures.

Page 9

Definitions (ungraded version)

A differential group (G,d) is an abelian group G together with a homomorphism d : G → G satisfying dd = 0.

A group homomorphism f between two differential groups (G1,d1) and (G2,d2) is nothing but a group homomorphism f : G1 → G2.

A differential group homomorphism f between two differential groups (G1,d1) and (G2,d2) is a group homomorphism f : G1 → G2 satisfying f d1 = d2 f.

[ The homology group of a differential group (G,d) is the quotient group H(G,d) := Ker(d) / Im(d) ]

Page 10

Definitions (ungraded version)

A reduction between two differential groups (G1,d1) and (G2,d2) is a triple (f,g,h) where f : (G1,d1) → (G2,d2) and g : (G2,d2) → (G1,d1) are differential group homomorphisms and h : (G1,d1) → (G1,d1) is a group endomorphism satisfying some simple equations.

Those equations imply that H(G1,d1) and H(G2,d2) are isomorphic.

A perturbation of a differential group (G,d) is a group homomorphism from G to G which, added to d, gives a new differential on G, i.e. (d + perturbation)(d + perturbation) = 0.

A group endomorphism of G is locally nilpotent if for each x ∈ G there exists a natural number n such that its n-th iterate sends x to 0.

Page 11

Statement of the BPL

Let (f,g,h) be a reduction from (G1,d1) to (G2,d2), and let a perturbation of (G1,d1) be given such that the composite of the perturbation with h is locally nilpotent. Then a new reduction (f’,g’,h’) from G1 with the perturbed differential (d1 plus the perturbation) to G2 with a corresponding perturbed differential (d2 plus an induced perturbation) can be explicitly defined by means of a “series” in the composite of the perturbation with h: 1 minus that composite, plus its square, minus its cube, and so on.

Proof.- By-hand proof (by Sergeraert’s hand) with two parts:

Part I. Dealing with the series.
Part II. A “quasi”-equational proof (rather based on “formula rewriting”).

Part II: Seven lemmas

Page 12

Lemma 1. Let (f,g,h) be a reduction from (G1,d1) to (G2,d2). Then Im(g f) and (G2,d2) are canonically isomorphic by means of F(x) := f(x) and F⁻¹(x) := g(x).

Lemma 1’. Let f : G1 → G2, g : G2 → G1 be two group homomorphisms such that f g = 1. Then Im(g f) and G2 are canonically isomorphic by means of F(x) := f(x) and F⁻¹(x) := g(x).

Isabelle proof.- Ad hoc, reasonable size (1300 code lines), no problem.

Lemma 2. Let (G,d) be a differential group, h : G → G a group endomorphism satisfying hh = 0 and hdh = h. Let’s define p := dh + hd.

Then (1-p, i, h) is a reduction from (G,d) to Ker(p).

Page 13

Lemma 2’. Under the same conditions as in Lemma 2: 1-p : G → Ker(p) and (1-p)h = 0.

Isabelle proof.- Script size explosion: 400 code lines before deploying the complete set of hypotheses.

Worse and worse in the next lemmas. No fundamental (in the sense of “foundational”) problem. “Only” a practical one.

Why? Low level of abstraction.

Let’s look at the real by-hand proof...

Page 14

Lemma 2’. Under the same conditions as in Lemma 2 (hh = 0, hdh = h, p = dh + hd): 1-p : G → Ker(p) and (1-p)h = 0.

Proof.- (1-p)h = h - (dh + hd)h = h - dhh - hdh = h - 0 - h = 0 (and p(1-p) = 0, since pp = p) #

So, this is very easy. Almost trivial! No “vaporous spirit”. A student exercise. This really looks like an actual equational proof!

Let’s take it seriously...

Page 15

Lemma 2’’. Let R be a ring and h,d,p ∈ R satisfying hh = 0, hdh = h, p = dh + hd. Then (1-p)h = 0.

Isabelle proof.- by algebra # (by... Clemens Ballarin)

Is this a proof of Lemma 2’ for the BPL?

In a (loose) sense, yes: there is an abstraction (or interpretation) function from the Isabelle side (the ring R) to the Mathematics side (End(G)), and then the proof is transferred!

Is this a dirty trick?

Page 16

The “representational step” is always present (as in any computer-based mathematics).

Let’s illustrate this point with the example of homomorphisms: f : G1 → G2 is a total map satisfying the usual equations.

Now, in Isabelle (the representation of) a group has a type, a carrier set on that type and the corresponding operations.

So, if G1 has a type and G2 has a type, it is natural to think that (the representation of) f has in Isabelle the function type from the type of G1 to the type of G2.

Page 17

But:
1) functions in Isabelle are always total;
2) f only determines the behaviour of its representation on (carrier G1) and not on the rest of the data in the type of G1.

So, the typed nature of Isabelle leads us to this situation:

[Diagram: Isabelle: total. Mathematics: total, or partiality?]

So, the abstraction function in this case is mandatory:

[Diagram] Abstraction: the Isabelle function f (from the type of G1 to the type of G2) is sent to the mathematical f : G1 → G2, such that f(x) := f(x) for x ∈ (carrier G1).

Page 18

[Diagram, repeated] Abstraction: the Isabelle function f (from the type of G1 to the type of G2) is sent to the mathematical f : G1 → G2, such that f(x) := f(x) for x ∈ (carrier G1).

Obviously, this abstraction function is not injective: there are f1 ≠ f2 (as Isabelle functions) with the same abstraction (abstraction equality).

This establishes a clear link between mathematical objects and their computer counterparts. This allows us, for instance, to construct a mechanised proof in Isabelle of the following result:

Theorem. The set End(G) can be endowed with a canonical (non-Abelian) ring structure.

Page 19

Abstraction is always present (even if unnoticed or in a trivial, literal costume).

Which are the constraints for an abstraction map? (Being a mathematical resource, it can be as complex as imaginable; even breaking the barriers between the computable and the non-computable.)

The answer: it depends on the user’s aims.

Is the representation given for a group homomorphism OK?

It depends...

No, at least if we want to reason in a fully equational way in Isabelle with it.

Page 20

[Diagram with f, f on carrier G, and id, id]

So, the system will not be capable, automatically, of detecting the equality of certain expressions (supposed to be equal in the mathematical setting).

Page 21

[Diagram: f, with value 0 outside the carrier]

So, we work with a smaller domain: the completions of homomorphisms.

The abstraction map is the same, but now abstraction equality is the same as Isabelle equality for functions (extensional).

Abstraction is injective. Each mathematical object has a canonical representative. Encoding is a function.

Composition is naturally well-defined: compl(f) compl(g) = compl(f g) since f(0) = 0.

Page 22

In Isabelle, there exists another, more general mechanism to deal with partial maps:

restrict(f,D) := λx. if x ∈ D then f x else arbitrary

where arbitrary is an undetermined value, whose type is induced automatically by Isabelle from the context.

(My personal) Problem: to what could arbitrary be “abstracted”? f(arbitrary) = ???

How does arbitrary behave with respect to equality?

Page 23

[Diagram: Mathematics f : G1 → G2; by design, an Isabelle f on carrier G1 → carrier G2; by completion, comp(f) with value 0 outside the carrier; encoding/decoding between comp(f) and a computable f’ : U1 → U2; abstraction goes back from Isabelle to Mathematics; the completions form Endcompl(G)]

Page 24

Lemma 2’’’. Let h,d,p ∈ Endcompl(G) satisfy hh = 0, hdh = h, p = dh + hd. Then (1-p)h = 0.

Isabelle proof.- by algebra #

Is it enough?

Lemma 2’. Under the same conditions as in Lemma 2 (hh = 0, hdh = h, p = dh + hd): 1-p : G → Ker(p) and (1-p)h = 0.

There are different groups involved.

The “abstraction” trick? No, we need “computational content” in the proof objects.

Page 25

- equational reasoning +
- the same names representing different morphisms (with different sources and targets)

Lemma 2’. Under the same conditions as in Lemma 2 (hh = 0, hdh = h, p = dh + hd): 1-p : G → Ker(p) and (1-p)h = 0.

Proof.- (1-p)h = h - (dh + hd)h = h - dhh - hdh = h - 0 - h = 0 (and p(1-p) = 0, since pp = p) #

So, which is the “vaporous spirit” animating this proof?

Page 26

New representation for homomorphisms:

< A, B, f : G1 → G2 >

where A <= G1, Im(f) <= B and f is, as before, a completion w.r.t. G1 and G2.

The composite of two triples can be defined in a quite general way:

< A, B, f : G1 → G2 > < C, D, g : G2 → G3 > = < A, D, g f : G1 → G3 >

assuming that B <= C.

Page 27

If A and B are fixed, {< A, B, f : G1 → G2 >} can be endowed with an Abelian group structure.

If A = B = G1 = G2, it is endowed with a ring structure.

So, this allows equational reasoning, as above. (Isabelle equality is abstraction equality.)

Note that the information in < A, G2, f : G1 → G2 > is strictly richer than in f : A → G2, because the completion on A erases more information than the completion on G1.

Page 28

The essential tool for reasoning (at a very high level) with triples (let’s call them morphisms instead of maps or functions) is almost trivial from a “standard” mathematics point of view:

Laureano’s Lemma. If < C, D, g > < A, B, f > = < A, D, h > and A’ <= A, Im(f) <= B’ <= C’, Im(g) <= D’, Im(h) <= D’, then < C’, D’, g > < A’, B’, f > = < A’, D’, h >.

This lemma allows us to “go up” (for equational reasoning) and to “go down” to obtain the real conclusions (the part “p(1-p) = 0, since pp = p” at the end of the by-hand proof of Lemma 2’).

Page 29

Lemma 2’. Under the same conditions as in Lemma 2 (hh = 0, hdh = h, p = dh + hd): 1-p : G → Ker(p) and (1-p)h = 0.

Proof.- By equational reasoning (by algebra) on the ring {< G, G, f : G → G >}:

< G, G, 1-p > < G, G, h > = < G, G, 0 >

Now, again by algebra,

< G, G, p > < G, G, p > = < G, G, p >

and

< G, G, p > < G, G, 1-p > = < G, G, 0 >

Thus, Im(1-p) <= Ker(p), and by Laureano’s Lemma

< G, Ker(p), 1-p > < G, G, h > = < G, Ker(p), 0 > #

(dd = 0)

In Isabelle: work in progress...
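As an added illustration (example code written for this transcript, not the authors' Isabelle development), the following Python models on one small constructed group the three ingredients the slides discuss: the completion of a homomorphism and the non-injectivity of the raw abstraction map (the "total functions on a type" problem of the earlier slides), the triple representation < A, B, f > with its composition defined only when B <= C, and Laureano's Lemma driving the "going up / going down" proof of Lemma 2' just above. Everything concrete here is an assumption of the example: G = (Z/3)^3 with a "type" of 3-tuples that also contains junk entries equal to 3, the particular d and h, and the names Morphism, compose, laureano and lemma2_prime.

```python
# Added example (not the slides' Isabelle code): completions, triples < A, B, f >
# and Laureano's Lemma, modelled in Python on the constructed group G = (Z/3)^3.
from itertools import product
from typing import Callable, FrozenSet, Tuple

MOD = 3
Vec = Tuple[int, int, int]
Endo = Callable[[Vec], Vec]
ZERO: Vec = (0, 0, 0)

# The "type" a total Isabelle-style function lives on: 3-tuples with entries 0..3.
# The carrier of G is the subset with entries 0..2; an entry 3 is junk data outside G.
UNIVERSE = frozenset(product(range(MOD + 1), repeat=3))
G: FrozenSet[Vec] = frozenset(product(range(MOD), repeat=3))

def vadd(x: Vec, y: Vec) -> Vec:
    return tuple((a + b) % MOD for a, b in zip(x, y))

def vsub(x: Vec, y: Vec) -> Vec:
    return tuple((a - b) % MOD for a, b in zip(x, y))

def completion(f: Endo, carrier: FrozenSet[Vec]) -> Endo:
    """compl(f): the canonical representative, equal to f on the carrier and 0 elsewhere."""
    return lambda x: f(x) if x in carrier else ZERO

def ext_equal(f: Endo, g: Endo) -> bool:
    """Extensional equality over the whole type, the way Isabelle compares functions."""
    return all(f(x) == g(x) for x in UNIVERSE)

def abstraction_not_injective() -> Tuple[bool, bool]:
    """Two total functions that agree on G (same abstraction) but differ on junk data."""
    f1: Endo = lambda x: (x[1], 0, 0)
    f2: Endo = lambda x: (x[1], 0, 0) if x in G else (3, 3, 3)
    raw_equal = ext_equal(f1, f2)                                      # False
    completed_equal = ext_equal(completion(f1, G), completion(f2, G))  # True
    return raw_equal, completed_equal

class Morphism:
    """The triple < A, B, f >: A <= G, Im(f restricted to A) <= B, f kept as a completion."""
    def __init__(self, A: FrozenSet[Vec], B: FrozenSet[Vec], f: Endo) -> None:
        if not all(f(x) in B for x in A):
            raise ValueError("Im(f) is not contained in B")
        self.A, self.B, self.f = A, B, completion(f, G)

    def __eq__(self, other: object) -> bool:
        # Isabelle equality is abstraction equality: same bounds, extensionally equal maps.
        return (isinstance(other, Morphism) and self.A == other.A
                and self.B == other.B and ext_equal(self.f, other.f))

def compose(g: Morphism, f: Morphism) -> Morphism:
    """< C, D, g > < A, B, f > = < A, D, g f >, defined only when B <= C."""
    if not f.B <= g.A:
        raise ValueError("composite undefined: B is not contained in C")
    return Morphism(f.A, g.B, lambda x: g.f(f.f(x)))

def add(f: Morphism, g: Morphism) -> Morphism:
    assert (f.A, f.B) == (g.A, g.B), "addition needs the same bounds"
    return Morphism(f.A, f.B, lambda x: vadd(f.f(x), g.f(x)))

def sub(f: Morphism, g: Morphism) -> Morphism:
    assert (f.A, f.B) == (g.A, g.B), "subtraction needs the same bounds"
    return Morphism(f.A, f.B, lambda x: vsub(f.f(x), g.f(x)))

def laureano(g: Morphism, f: Morphism, h: Morphism, A2: FrozenSet[Vec],
             B2: FrozenSet[Vec], C2: FrozenSet[Vec], D2: FrozenSet[Vec]) -> Tuple[Morphism, Morphism]:
    """Laureano's Lemma: given < C, D, g > < A, B, f > = < A, D, h > and A' <= A,
    Im(f|A') <= B' <= C', Im(g|C') <= D', Im(h|A') <= D', return both sides of
    < C', D', g > < A', B', f > = < A', D', h > (the constructors re-check the images)."""
    if compose(g, f) != h:
        raise ValueError("the hypothesis equation does not hold")
    if not (A2 <= f.A and B2 <= C2 and all(f.f(x) in B2 for x in A2)
            and all(g.f(x) in D2 for x in C2) and all(h.f(x) in D2 for x in A2)):
        raise ValueError("side conditions of Laureano's Lemma fail")
    return compose(Morphism(C2, D2, g.f), Morphism(A2, B2, f.f)), Morphism(A2, D2, h.f)

def endo(fn: Endo) -> Morphism:
    """An element of the ring {< G, G, f : G -> G >}."""
    return Morphism(G, G, fn)

# Constructed data satisfying the hypotheses of Lemma 2 (d sends e1 to e0, h sends e0 to e1).
d = endo(lambda x: (x[1], 0, 0))    # dd = 0
h = endo(lambda x: (0, x[0], 0))    # hh = 0, hdh = h
one = endo(lambda x: x)
zero = endo(lambda x: ZERO)
p = add(compose(d, h), compose(h, d))   # p := dh + hd

def lemma2_prime() -> Tuple[bool, bool, bool, int]:
    """Replay the slide's proof of Lemma 2': returns ((1-p)h = 0, p(1-p) = 0,
    the 'gone down' equation < G,Ker(p),1-p > < G,G,h > = < G,Ker(p),0 >, |Ker(p)|)."""
    assert compose(h, h) == zero and compose(compose(h, d), h) == h   # Lemma 2 hypotheses
    one_minus_p = sub(one, p)
    eq1 = compose(one_minus_p, h) == zero      # going up: ring identity (1-p)h = 0
    assert compose(p, p) == p                  # pp = p
    eq2 = compose(p, one_minus_p) == zero      # p(1-p) = 0, hence Im(1-p) <= Ker(p)
    ker_p = frozenset(x for x in G if p.f(x) == ZERO)
    lhs, rhs = laureano(one_minus_p, h, zero, G, G, G, ker_p)   # going down: D' = Ker(p)
    eq3 = lhs == rhs == Morphism(G, ker_p, zero.f)
    return eq1, eq2, eq3, len(ker_p)

if __name__ == "__main__":
    print(abstraction_not_injective())   # (False, True)
    print(lemma2_prime())                # (True, True, True, 3)
```

The two halves of the slide's proof appear as two different kinds of step: the ring identities are checked in {< G, G, f >}, where the bounds never change, and only Laureano's Lemma changes a bound (here the codomain G to Ker(p)), with the side conditions checked explicitly before the restricted equation is formed. The "type" deliberately contains elements outside G so that the non-injectivity of the raw abstraction map, and its repair by completion, are visible rather than assumed.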

Page 30

Claim 3. These two tools (equational reasoning + Laureano’s Lemma) capture the “spirit” of the proof-by-hand of Lemma 2’.

(Tentative)

Claim 3’. These tools are enough to emulate accurately and step-by-step the proof-by-hand (as presented in usual mathematical texts) of Lemma 2’.

(Tentative)

Remark 9. Very likely the number of Isabelle code lines needed to implement these tools will be greater than the number of lines needed to prove Lemma 2’ in Isabelle by means of a “brute-force” strategy.

Page 31

Hope 3. These tools reach the right trade-off point between immediacy and genericity (i.e. they will be directly applicable to the rest of the lemmas needed for the proof of the second part of the BPL).

Remark 10. It is quite probable that these tools are not sufficient to finish the proof emulating the “by-hand” style.

For instance, it is foreseen that another equality will be necessary:

< Ker(f), B, f : G1 → G2 > = < Ker(f), B, 0 : G1 → G2 >

Page 32

Conclusions.

Abstraction is always present in automated reasoning.

Ultimate reason: the final users (and interpreters) of formalised proofs are human beings.

Different abstraction degrees can be designed and chosen.

In our concrete problem in formalised homological algebra we have detected three abstraction levels:

1) The symbolic level.
2) The point-wise level.
3) The morphisms level.

Page 33

1) Symbolic level. We work in generic rings or groups.

- Very efficient.

- Too rigid, and it lacks “computational content”.

2) Point-wise level. Work with functions, reasoning always with the elements of the image.

- Sufficiently flexible and complete from any point of view.

- Script size explosion.

Page 34

3) Morphisms level. This is an intermediary abstraction degree between (1) and (2).

It allows the user a point-free reasoning, where the same “symbol function” can be used in different contexts (i.e. with different domains and codomains).

We hope this level is the right one in order to emulate in Isabelle the “proof-by-hand” of the BPL that we are trying to mechanise.