Emulating proof-by-hand with Isabelle Julio Rubio Departamento Matemáticas y Computación Universidad de La Rioja (Spain) (Based on joint work with J. Aransay & C. Ballarin)
(Remarks by a naive user) Remark 1. Working with a computer-aided proof tool is difficult (independently of the degree of automation). Remark 2. Thus a computer-aided version of a proof tends to be considerably more difficult than the corresponding "by-hand" proof.
(Remarks by a naive user) Remark 3. In situations where the benefits of a computer-based proof are relevant (e.g. in problems related to program certification) and where the underlying mathematical problem is non-trivial, some new resources are needed.
(Remarks by a naive user) Remark 4. Each "by-hand" proof has an "animating spirit". (This is why we talk about different proofs of the same theorem, beyond syntactic or presentation differences.) Remark 5. That vaporous spirit cannot be captured by general strategies, heuristics or tacticals.
(Remarks by a naive user) Remark 6. These orienting ideas can be expressed a posteriori with logical tools, but they are not easily deduced or inferred from logic (they depend on the "universe of discourse"). Remark 7. These ideas are rarely tied to an isolated theorem, so they are open to reuse (most likely within the same "universe of discourse" as the theorem that raised them).
(Remarks, hopes and claims by a naive user) Remark 8. In each case a trade-off between immediacy and genericity must be looked for. Hope 1. In many cases this trade-off point can be found. Claim 1 (tentative). This is a way (the only one?) in which mechanised reasoning tools can be usable and relevant in "standard" mathematics and its applications.
(Remarks, hopes and claims by a naive user) Claim 2 (tentative). The guidelines illustrated in the previous remarks (or some variants of them) have presumably been followed in the successful applications of computer-based proof tools. Hope 2. These informal guidelines can be used in our problem of constructing a mechanised proof of the Basic Perturbation Lemma (BPL).
A case-study in mechanised homological algebra Initial problem: Kenzo, symbolic computation system for Algebraic Topology (Sergeraert). Brand new results. BPL: the central algorithmic tool in Kenzo. Approach: formal methods in symbolic computation to increase the reliability of systems. Previous studies: algebraic specification of the Kenzo data structures.
Definitions (ungraded version). A differential group (G,d) is an abelian group G together with a homomorphism d : G → G satisfying d ∘ d = 0. [The homology group of a differential group (G,d) is the quotient group H(G,d) := Ker(d) / Im(d).] A group homomorphism f between two differential groups (G1,d1) and (G2,d2) is nothing but a group homomorphism f : G1 → G2. A differential group homomorphism f between two differential groups (G1,d1) and (G2,d2) is a group homomorphism f : G1 → G2 satisfying f ∘ d1 = d2 ∘ f.
Definitions (ungraded version). A reduction between two differential groups (G1,d1) and (G2,d2) is a triple (f,g,h) where f : (G1,d1) → (G2,d2) and g : (G2,d2) → (G1,d1) are differential group homomorphisms and h : (G1,d1) → (G1,d1) is a group endomorphism satisfying some simple equations. Those equations imply that H(G1,d1) ≅ H(G2,d2). A perturbation of a differential group (G,d) is a group homomorphism δ : G → G such that d + δ is a new differential on G, i.e. (d + δ) ∘ (d + δ) = 0. A group endomorphism α : G → G is locally nilpotent if for each x ∈ G there exists a natural number n such that α^n(x) = 0.
Statement of the BPL. Let (f,g,h) be a reduction from (G1,d1) to (G2,d2), and let δ : G1 → G1 be a perturbation of (G1,d1) such that δ ∘ h is locally nilpotent. Then a new reduction (f',g',h') from (G1, d1 + δ) to (G2, d2 + δ') can be explicitly defined by means of a "series": φ = 1 - (δh) + (δh)^2 - (δh)^3 + ... Proof.- The by-hand proof (by Sergeraert's hand) has two parts: Part I, dealing with the series; Part II, a "quasi"-equational proof (based rather on "formula rewriting"). Part II consists of seven lemmas.
Lemma 1. Let (f,g,h) be a reduction from (G1,d1) to (G2,d2). Then Im(g ∘ f) and (G2,d2) are canonically isomorphic by means of F(x) := f(x) and F⁻¹(x) := g(x). Lemma 1'. Let f : G1 → G2 and g : G2 → G1 be two group homomorphisms such that f ∘ g = 1. Then Im(g ∘ f) and G2 are canonically isomorphic by means of F(x) := f(x) and F⁻¹(x) := g(x). Isabelle proof.- Ad hoc, reasonable size (1300 code lines), no problem. Lemma 2. Let (G,d) be a differential group and h : G → G a group endomorphism satisfying h ∘ h = 0 and hdh = h. Define p := dh + hd. Then (1-p, i, h), with i the inclusion of Ker(p) in G, is a reduction from (G,d) to Ker(p).
Lemma 2'. Under the hypotheses of Lemma 2: 1-p : G → Ker(p) and (1-p)h = 0. Isabelle proof.- Script size explosion: 400 code lines before the complete set of hypotheses has even been deployed. Worse and worse in the following lemmas. No fundamental (in the sense of "foundational") problem, "only" a practical one: the level of abstraction is too low. Why? Let's look at the real by-hand proof...
Lemma 2'. Under the hypotheses of Lemma 2 (hh = 0, hdh = h, p = dh + hd): 1-p : G → Ker(p) and (1-p)h = 0. Proof.- (1-p)h = h - (dh + hd)h = h - dhh - hdh = h - 0 - h = 0 (and p(1-p) = 0, since pp = p). # So this is very easy, almost trivial! No "vaporous spirit": a student exercise. This really looks like an actual equational proof! Let's take it seriously...
Abstraction: End(G) (mathematics) ↦ R (Isabelle). Lemma 2''. Let R be a ring and h, d, p ∈ R satisfying hh = 0, hdh = h, p = dh + hd. Then (1-p)h = 0. Isabelle proof.- by algebra (the proof method due to Clemens Ballarin). # Is this a proof of Lemma 2' for the BPL? In a (loose) sense, yes: there is an abstraction (or interpretation) function from End(G) to R, and the proof is transferred along it! Is this a dirty trick?
The "representational step" is always present (as in any computer-based mathematics). Let's illustrate this point with the example of homomorphisms: f : G1 → G2 is a total map satisfying the usual equations. Now, in Isabelle (the representation of) a group has a type, a carrier set on that type and the corresponding operations. So if G1 has type τ1 and G2 has type τ2, it is natural to think that (the representation of) f has Isabelle type τ1 ⇒ τ2.
So the typed nature of Isabelle leads us to this situation. Mathematics: f : G1 → G2, total on G1. Isabelle: f :: τ1 ⇒ τ2, total on τ1. Partiality? The abstraction function is therefore mandatory: the Isabelle function f :: τ1 ⇒ τ2 is abstracted to the mathematical f : G1 → G2 defined by f(x) := f(x) for x ∈ (carrier G1). But: 1) functions in Isabelle are always total; 2) the mathematical f only determines the behaviour of its representation on (carrier G1), and not on the rest of the data of type τ1.
Obviously this abstraction function is not injective: two Isabelle functions f1 ≠ f2 that agree on (carrier G1) have the same abstraction; call this relation abstraction equality. This establishes a clear link between mathematical objects and their computer counterparts. It allows us, for instance, to construct a mechanised proof in Isabelle of the following result. Theorem. The set End(G) can be endowed with a canonical (non-Abelian) ring structure.
What are the constraints on an abstraction map? (Being a mathematical resource, it can be as complex as imaginable, even breaking the barrier between the computable and the non-computable.) Abstraction is always present (even if unnoticed, or dressed in a trivial, literal costume). The answer: it depends on the user's aims. Is the representation given above for a group homomorphism OK? It depends... No, at least not if we want to reason with it in a fully equational way in Isabelle.
[Diagram: f ∘ id, with id the identity on (carrier G), next to f: abstraction-equal, but not equal as Isabelle functions, since they may differ outside the carrier.] So the system will not be able, automatically, to detect the equality of certain expressions (supposed to be equal in the mathematical setting).
So we work with a smaller domain: the completions of homomorphisms, i.e. the representations that send everything outside the carrier to 0. Now abstraction is injective: each mathematical object has a canonical representative, and encoding is a function. Composition is naturally well defined: compl(f) ∘ compl(g) = compl(f ∘ g), since f(0) = 0. The abstraction map is the same, but now abstraction equality coincides with Isabelle equality for functions (extensional).
In Isabelle there is another, more general mechanism to deal with partial maps: restrict(f, D) := λx. if x ∈ D then f x else arbitrary, where arbitrary is an undetermined value whose type is inferred automatically by Isabelle from the context. But f arbitrary = ??? How does arbitrary behave with respect to equality? (My personal) problem: what could arbitrary be "abstracted" to?
[Diagram: the mathematical morphism f : G1 → G2 (design), its Isabelle representation of type τ1 ⇒ τ2 mapping carrier G1 → carrier G2 and everything else to 0 (abstraction / completion), and a computable encoding f' : U1 → U2 = comp(f) (encoding / decoding); the completions of endomorphisms form End_compl(G).]
Lemma 2'''. Let h, d, p ∈ End_compl(G) satisfy hh = 0, hdh = h, p = dh + hd. Then (1-p)h = 0. Isabelle proof.- by algebra. # Is it enough? Recall Lemma 2': under the same conditions, 1-p : G → Ker(p) and (1-p)h = 0. There are different groups involved. The "abstraction" trick again? No: we need "computational content" in the proof objects.
Lemma 2'. Under the hypotheses of Lemma 2 (hh = 0, hdh = h, p = dh + hd): 1-p : G → Ker(p) and (1-p)h = 0. Proof.- (1-p)h = h - (dh + hd)h = h - dhh - hdh = h - 0 - h = 0 (and p(1-p) = 0, since pp = p). # So what is the "vaporous spirit" animating this proof? Equational reasoning, plus: the same names represent different morphisms (with different sources and targets).
New representation for homomorphisms: triples <A, B, f : G1 → G2> where A <= G1, Im(f) <= B and f is, as before, a completion w.r.t. G1 and G2. The composite of two triples can be defined in a quite general way: <C, D, g : G2 → G3> ∘ <A, B, f : G1 → G2> = <A, D, g ∘ f : G1 → G3>, assuming that B <= C.
The set {<A, B, f : G1 → G2>}, with A and B fixed, can be endowed with an Abelian group structure; if A = B = G1 = G2 it is endowed with a ring structure. So this allows equational reasoning, as above (Isabelle equality is abstraction equality). Note that the information in <A, G2, f : G1 → G2> is strictly richer than in f : A → G2, because the completion on A erases more information than the completion on G1.
The essential tool for reasoning (at a very high level) with triples (let's call them morphisms rather than maps or functions) is almost trivial from a "standard" mathematics point of view. Laureano's Lemma. If <C, D, g> ∘ <A, B, f> = <A, D, h> and A' <= A, Im(f) <= B' <= C', Im(g) <= D', Im(h) <= D', then <C', D', g> ∘ <A', B', f> = <A', D', h>. This lemma allows us to "go up" (for equational reasoning) and to "go down" to obtain the real conclusions (the part "p(1-p) = 0, since pp = p" at the end of the by-hand proof of Lemma 2').
Lemma 2'. Under the hypotheses of Lemma 2 (hh = 0, hdh = h, p = dh + hd): 1-p : G → Ker(p) and (1-p)h = 0. Proof.- By equational reasoning (by algebra) in the ring {<G, G, f : G → G>}: <G, G, 1-p> ∘ <G, G, h> = <G, G, 0>. Now, again by algebra (using dd = 0), <G, G, p> ∘ <G, G, p> = <G, G, p> and <G, G, p> ∘ <G, G, 1-p> = <G, G, 0>. Thus Im(1-p) <= Ker(p), and by Laureano's Lemma <G, Ker(p), 1-p> ∘ <G, G, h> = <G, Ker(p), 0>. # In Isabelle: work in progress...
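The by-hand proof of Lemma 2' and its morphism-level version above can both be executed on a finite model. The following Python block is an added example, not code from the slides nor from the Isabelle development of Aransay, Ballarin and Rubio: it models an Isabelle type as Z_2^4, the carrier of G as the subgroup Z_2^3, completions, restrict with arbitrary, abstraction equality, the triples <A, B, f> with their guarded composition and ring operations, and Laureano's Lemma as the method `narrow`. The differential group is constructed for the example (basis e1, e2, e3 with d(e2) = e1 and h(e1) = e2, so that dd = 0, hh = 0 and hdh = h); every name in the block is the example's own.

```python
# Added example, not from the slides: a finite model of the representation levels.
# The Isabelle "type" is tau = Z_2^4 (all 4-bit vectors); the carrier of G is the
# subgroup Z_2^3 (last bit 0); functions are total on tau; completions are 0 off the
# carrier; morphisms are the triples <A, B, f>.  Every name here is the example's own.
from itertools import product

TAU = [tuple(bits) for bits in product((0, 1), repeat=4)]   # the whole type
ZERO = (0, 0, 0, 0)
G = frozenset(v for v in TAU if v[3] == 0)                    # carrier G = Z_2^3
ARBITRARY = object()                                          # stands for Isabelle's `arbitrary`

def add(x, y): return tuple((a + b) % 2 for a, b in zip(x, y))
def sub(x, y): return tuple((a - b) % 2 for a, b in zip(x, y))

def table(fun):               # total function on tau as a dict: == is extensional equality
    return {x: fun(x) for x in TAU}

def complete(fun, carrier):   # completion w.r.t. carrier: fun on it, 0 elsewhere
    return table(lambda x: fun(x) if x in carrier else ZERO)

def restrict(fun, carrier):   # Isabelle-style restrict(f, D): fun on D, arbitrary elsewhere
    return table(lambda x: fun(x) if x in carrier else ARBITRARY)

def abstraction_equal(t1, t2, carrier):   # the two total functions agree on the carrier
    return all(t1[x] == t2[x] for x in carrier)

class Morphism:
    """The triple <A, B, f>: A a carrier, Im(f|A) <= B, f stored as its completion over A."""
    def __init__(self, A, B, fun):
        self.A, self.B = frozenset(A), frozenset(B)
        self.t = complete(fun, self.A)
        if not all(self.t[x] in self.B for x in self.A):
            raise ValueError("Im(f) <= B violated")
    def __call__(self, x): return self.t[x]
    def __eq__(self, other): return (self.A, self.B, self.t) == (other.A, other.B, other.t)
    def compose(self, other):
        """<C, D, g> o <A, B, f> = <A, D, g o f>, defined only when B <= C."""
        if not other.B <= self.A:
            raise ValueError("composition undefined: B <= C fails")
        return Morphism(other.A, self.B, lambda x: self(other(x)))
    def _same_type(self, other):
        if (self.A, self.B) != (other.A, other.B):
            raise ValueError("A and B must agree")
    def __add__(self, other):    # Abelian group structure for fixed A, B
        self._same_type(other); return Morphism(self.A, self.B, lambda x: add(self(x), other(x)))
    def __sub__(self, other):
        self._same_type(other); return Morphism(self.A, self.B, lambda x: sub(self(x), other(x)))
    def narrow(self, A2, B2):
        """Laureano's Lemma, 'going down': the same f as <A', B', f> once A' <= A and Im(f|A') <= B'."""
        A2, B2 = frozenset(A2), frozenset(B2)
        if not (A2 <= self.A and all(self.t[x] in B2 for x in A2)):
            raise ValueError("narrowing hypotheses fail")
        return Morphism(A2, B2, self.t.__getitem__)

# Constructed differential group: G = Z_2^3 with basis e1, e2, e3, d(e2) = e1, h(e1) = e2,
# so that d d = 0, h h = 0 and h d h = h: exactly the hypotheses of Lemma 2.
def d_fun(x): return (x[1], 0, 0, 0)
def h_fun(x): return (0, x[0], 0, 0)

one = Morphism(G, G, lambda x: x)
zero = Morphism(G, G, lambda x: ZERO)
d = Morphism(G, G, d_fun)
h = Morphism(G, G, h_fun)
p = d.compose(h) + h.compose(d)          # p = dh + hd, computed in the ring {<G, G, f>}

def lemma2_prime():
    """Emulate the by-hand proof of Lemma 2': equational 'going up', then 'going down' to Ker(p)."""
    facts = {
        "hh=0": h.compose(h) == zero,
        "hdh=h": h.compose(d).compose(h) == h,
        "pp=p": p.compose(p) == p,
        "(1-p)h=0": (one - p).compose(h) == zero,
        "p(1-p)=0": p.compose(one - p) == zero,       # i.e. Im(1-p) <= Ker(p)
    }
    ker_p = frozenset(x for x in G if p(x) == ZERO)
    proj = (one - p).narrow(G, ker_p)                  # <G, Ker(p), 1-p>
    facts["<G,Ker p,1-p> o <G,G,h> = <G,Ker p,0>"] = proj.compose(h) == zero.narrow(G, ker_p)
    return facts, ker_p

def representation_demo():
    """Plain total functions: abstraction is not injective, and restrict/arbitrary does not compose."""
    f1 = table(d_fun)                                            # d, with some values off G
    f2 = table(lambda x: d_fun(x) if x in G else (1, 1, 1, 1))   # d, with junk off G
    id_G = complete(lambda x: x, G)                              # identity of G, completed
    f1_after_id = table(lambda x: f1[id_G[x]])                   # f o id, as Isabelle sees it
    r = restrict(d_fun, G)
    try:
        table(lambda x: f1[r[x]]); restrict_composes = True      # f(arbitrary) = ???
    except KeyError:
        restrict_composes = False
    return {
        "f1 == f2": f1 == f2,
        "f1 ~ f2": abstraction_equal(f1, f2, G),
        "compl(f1) == compl(f2)": complete(f1.__getitem__, G) == complete(f2.__getitem__, G),
        "f1 o id == f1": f1_after_id == f1,
        "f1 o id ~ f1": abstraction_equal(f1_after_id, f1, G),
        "f1 o restrict(d) defined": restrict_composes,
    }
```

`lemma2_prime()` returns every identity of the proof (all True) together with Ker(p) = {0, e3}: the ring equalities are the "going up", `narrow` is the "going down" licensed by Laureano's Lemma, and `compose` refuses a composite whose middle groups do not match. `representation_demo()` shows that two total functions representing the same d are abstraction-equal but not Isabelle-equal, that f ∘ id is not even equal to f, that completions repair both, and that composing through restrict hits arbitrary.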
Claim 3 (tentative). These two tools (equational reasoning + Laureano's Lemma) capture the "spirit" of the by-hand proof of Lemma 2'. Claim 3' (tentative). These tools are enough to emulate accurately and step by step the by-hand proof (as presented in usual mathematical texts) of Lemma 2'. Remark 9. Very likely the number of Isabelle code lines needed to implement these tools will be greater than the number of lines needed to prove Lemma 2' in Isabelle by a "brute-force" strategy.
For instance, it is foreseen that another equality will be necessary: <Ker(f), B, f : G1 → G2> = <Ker(f), B, 0 : G1 → G2>. Hope 3. These tools reach the right trade-off point between immediacy and genericity (i.e. they will be directly applicable to the rest of the lemmas needed for the proof of the second part of the BPL). Remark 10. It is quite probable that these tools are not sufficient to finish the proof while emulating the "by-hand" style.
Conclusions. Abstraction is always present in automated reasoning. Ultimate reason: the final users (and interpreters) of formalised proofs are human beings. In our concrete problem in formalised homological algebra we have detected three abstraction levels: 1) the symbolic level; 2) the point-wise level; 3) the morphisms level. Different abstraction degrees can be designed and chosen.
1) Symbolic level. We work in generic rings or groups. + Very efficient. - Too rigid, and it lacks "computational content". 2) Point-wise level. We work with functions, always reasoning on the elements of the image. + Sufficiently flexible and complete from every point of view. - Script size explosion.
3) Morphisms level. This is an intermediate abstraction degree between (1) and (2). It allows the user point-free reasoning, where the same "function symbol" can be used in different contexts (i.e. with different domains and codomains). We hope this level is the right one for emulating in Isabelle the "proof-by-hand" of the BPL that we are trying to mechanise.