Introduction To Formal Proof - University Of Oxford
Introduction to Formal ProofBernard SufrinTrinity Term 20185: Theories[05-theories]
Introduction to Formal Proof 5: TheoriesTheoriesTheories The subject matter of predicate logic is “all models (over all signatures)” Mathematical logicians consider the soundness and completeness of particular deductivesystems for the logic, and also consider its decidability. The subject matter of much of (formal) mathematics and computer science is (in onesense) more constrained We want to make proofs about models that satisfy certain laws (a.k.a. axioms) We want to use sound deductive systems to make these proofs So we start with a sound deductive system (for FOL) . add a signature (C, F, P) and laws for the models we are interested in . and see what happens next! (i.e. what we can prove) The domain of discourse is left implicit . though we sometimes have a particular domain of discourse in mind! If we add a law that leads to contradiction then no model will satisfy our theory!–1–23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: elementary group theoryExample: elementary group theory Constants: ι Functions: Axiom Schemes (Laws): -assT1 (T2 T3) (T1 T2) T3ι T Tι-id T T ι Example models: the integers with ι 0, ; the nonzero rationals or reals withι 1, ; and (for any set S ) the bijective functions in S S withι IdS , (composition).–2–23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: elementary group theory Consequences can be proven using only equational reasoning, for example: T ι T In the “transitive equalities” presentation style the essence of the proof is:1:2:3:4:4:T ι T ( T T ) (T T ) T ι T T{{{{Fold Unfold -assUnfold Thm T T ιι-id This concise presentation hides the details of the application of the transitivity rules:11Jape treats as right-associative and doesn’t fully bracket T1 (T2 T3 ) in displays.–3–23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: elementary group theory It also relies on a stylized concise form of reporting of “folds” and “unfolds”L1–4–23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: elementary group theory Inverses are unique–5–23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: elementary group theory Completely formal proofs using associativity can be . tedious, for example:Here lines 3-8 could be summarised as: “by associativity of ”, and interactive proofassistants should provide some sort of interface that gets on with the details of “flattening,then rebracketing” under the direction of the user.–6–23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: theory of Natural NumbersExample: theory of Natural Numbers Constants: 0 Functions: succ , , , . Laws:2P4 (injectivity)P3 (0 is the beginning)Γ succ(T ) / 0Γ φ(0)Γ succ(T1) succ(T2) T1 T2Γ, φ(m) φ(succ(m))P5 natinduction (m fresh)Γ φ(T ) Nat induction is a schema parameterized by φ( ) – a formula in which may appear. The “intended model” is the natural numbers. The even numbers also constitute a model; indeed there are infinitely many models! (why?)2LThese were first listed by Dedekind – but are usually attributed to Peano.2–7–23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: theory of Natural Numbers Axiom schemas with parameters T1, T2 (terms)0 T2 T20 T2 0 .0 .0succ(T1) T2 succ(T1 T2)succ(T1) T2 T2 (T1 T2) .1 .1 These schemas characterize addition and multiplication (almost) uniquely(but this needs to be proved) Consequences: commutativity and associativity of , distributivity of through , etc.,etc.L3–8–23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: theory of Natural NumbersAn inductive proof using substitution (equals-elimination) to rewrite equal subterms within successive formulaeThe proof consists of successive formulae that are equivalent up to substitution of equal termsL4–9–23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: theory of Natural NumbersThe same proof: using folds and unfolds, and presented in the transformational styleThis is not exactly the same as the substitutivity proof, but all the “essential” steps in it are the same.– 10 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: theory of Natural NumbersComparison between the transformational proof and (a compact form) of the substitutive proof(in the compact form, the uses of ” -e ” are left implicit)– 11 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesTheories with several typesTheories with several typesIn which we indicate how to formalize a (rather weak) notion of typesthereby supporting proofs in theories in which several “types” are used For example suppose we want to build a theory of lists of numbers? We expect to be able to prove things about all numbers We expect to be able to prove things about all lists We expect to be able to characterize functions recursively on lists and on numbers The “untyped” induction and definition rules are no longer quite enough– 12 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: typed theory of natural numbersExample: typed theory of natural numbers The main idea: supplement signatures with “typing predicates” Constants: 0 Functions: succ , , , . Predicates: N( ) meaning “ is a natural number” Laws:N(T )N0N(0)NsuccN(succ(T ))N(T )succ(T ) / 0Γ N(T )N(T1)P3N(T2)succ(T1) succ(T2) T1 T2Γ φ(0)P4Γ, N(m), φ(m) φ(succ(m))(nat induction)(fresh m)Γ φ(T )(Here φ(.) is – as usual – a “formula abstraction”)– 13 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: typed theory of natural numbers Arithmetic expressions are also typed:N(T1)N(T2)N(T1 T2)N(T1)N N(T2)N(T1 T2)N Arithmetic operator definitions get the expected typing antecedents, for example:N(T1)N(T2)0 T2 T2 .0N(T1)N(T2)succ(T1) T2 succ(T1 T2) .1 Theorems now have type premisses, for example -assocN(T1), N(T2), N(T3) T1 (T2 T3) (T1 T2) T3 The typing antecedents of rules needed in the proof of a theorem are trivial to prove fromthe typing premisses– 14 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: typed theory of heterogeneous listsExample: typed theory of heterogeneous lists Constants: nil Functions: , . Predicates: L( ) Laws: (the elements of a heterogeneous list need not have the same type)L(TS )LnilL(T TS )L(nil )L(TS )Γ L(T )L(TS ):-T TS / nilL:L(TS ′)T TS T ′ TS ′ T T ′ TS TS ′Γ φ(nil )Γ, L(xs), φ(xs) φ(x xs):-inj(list induction)(fresh x , xs)Γ φ(T )(Here φ(.) is – as usual – a “formula abstraction”)– 15 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: typed theory of heterogeneous lists Catenation and reverse defined in the usual way but with typing information addedL(T )Lrevrev (nil ) nilL(rev (T ))L(TS )L(TS L(TS ′)TS ′)L rev.0L(TS )rev (T TS ) rev (T ) (T nil )L(TS ′)L(TS )L(TS )nil TS TS .0(T TS ) TS ′ T (TS TS ′)rev.1 .1 “Typed” theories can be mixed: antecedents stop us inferring nonsense, e.g. nil 0 0 Theorems (as expected) have typing premisses, for example: -assocL(T1), L(T2), L(T3) T1 (T2 T3) (T1 T2) T3 The formal proofs of these theorems are a lot like those we know and love from FP– 16 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesExample: typed theory of heterogeneous lists Some additional, but trivial, work is needed to satisfy the typing antecedents: compareL5– 17 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesFormal treatment of generalised induction hypothesesFormal treatment of generalised induction hypotheses Notice that we have not used the logical quantifiers in the inductive proof of -assoc. Consider the “catenate-reverse-to” function defined byL(T1)L(T2)L(T1 T2)L L(T1)L(T2)nil T2 T2 .0L(T2)(T T1) T2 T1 (T T2) .1 We want to prove (by induction on T1) thatL(T1), L(T2) T1 T2 rev (T1) T2– 18 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesFormal treatment of generalised induction hypotheses Using the list induction recipe blindly we start the proof as follows: But the proof stalls (why?) at the crux – on attempting use the induction hypothesis (8) to bridge 10 and 11 At this point a lecturer or tutor usually uses the mantra: “there is nothing special about T2” This appears to allow the proof to be completed, but the result is highly informal.– 19 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesFormal treatment of generalised induction hypothesesThis problem can (only ) be overcome by proving a more general result.– 20 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesFormal treatment of generalised induction hypotheses The technique we use is to arrange to prove a more general result by induction on xs,namely:L(xs) ys L(ys) xs ys rev (xs) yswhich will give us the more general induction hypothesis we were seeking in the stalledproof. This is done by setting up a proof of the more general theorem xs L(xs) ys L(ys) xs ys rev (xs) ys The result we originally set out to prove, namely:L(T1), L(T2) T1 T2 rev (T1) T2can now be established (by -e followed by -e) from this theorem.– 21 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesContentsContentsExtending Predicate Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Example: elementary group theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Example: theory of Natural Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Theories with several types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Theories with several types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12– 22 –Example: typed theory of natural numbers . . . . . . . . . . . . . . . . . . . . . . .13Example: typed theory of heterogeneous lists . . . . . . . . . . . . . . . . . . . . 15Indispensability of the logical quantifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Formal treatment of generalised induction hypotheses . . . . . . . . . . . . 1823rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesRNotesNote 1:The proof trees shown here were made with Jape, using a system including derived equational “rewrite” rules4Γ T1 T2rewriteLRΓ T [T1 /χ] T [T2 /χ]Γ T1 T2rewriteRLΓ T [T2 /χ] T [T1 /χ]These rules enable the direct use of (equational) laws to rewrite one side or the other of an equation while conducting a goal-directed proof search in anequational theory.The rule rewriteLR is used when we make an “Unfold” goal transformation, such as the move at the at the top right of the tree where we use the theorem(T T ) ι to transform the proof goal (T T ) T T into the proof goal ι T T – whence it is closed by application of the ι-id axiom.The rule rewriteRL is used when we make a “Fold” goal transformation, such as the move at the top left of the tree where the rule the goalT ι T ( T T ) is transformed by using the axiom T T ι to rewrite T ι as T ( T T ).RRRNote 2:7By convention we may omit the “Γ ” in presenting P3 and P4; because they are free of antecedents. It should be clear that we cannot do so in presentingthe induction rule, since one of its antecedents transforms the collection of hypotheses.Note 3:Here, and in future, we apply the convention of omitting the Γ when presenting antecedent-free rules.8Note 4: A derived equality rule9In our inductive proof of associativity of we used the derived ruleT1 T2ϕ[T2 /χ] -e ϕ[T1 /χ]– 23 –23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: TheoriesNotesto simplify the backward proof-search we did in Jape.Note 5:There are two different views of a single proof shown here. The proof was made with Jape set up to satisfy the typing laws automatically.– 24 –17R23rd December, 2012@18:01 [431]
Introduction to Formal Proof 5: Theories Example: theory of Natural Numbers An inductive proof using substitution (equals-elimination) to rewrite equal subterms within successive formulae The proof consists of successive formulae that are equivalent up to substitution of equal terms L 4{ 9 { 23rd December, 2012@18:01 [431]
since 1950 E. German, Suhl choke-bore barrel mark PROOF MARKS: GERMAN PROOF MARKS, cont. PROOF MARKS: ITALIAN PROOF MARKS, cont. ITALIAN PROOF MARKS PrOOF mark CirCa PrOOF hOuse tYPe OF PrOOF and gun since 1951 Brescia provisional proof for all guns since 1951 Gardone provisional proof for all guns
PROOF MARKS: BELGIAN PROOF MARKSPROOF MARKS: BELGIAN PROOF MARKS, cont. BELGIAN PROOF MARKS PrOOF mark CirCa PrOOF hOuse tYPe OF PrOOF and gun since 1852 Liege provisional black powder proof for breech loading guns and rifled barrels - Liege- double proof marking for unfurnished barrels - Liege- triple proof provisional marking for
2154 PROOF MARKS: GERMAN PROOF MARKS, cont. PROOF MARK CIRCA PROOF HOUSE TYPE OF PROOF AND GUN since 1950 E. German, Suhl repair proof since 1950 E. German, Suhl 1st black powder proof for smooth bored barrels since 1950 E. German, Suhl inspection mark since 1950 E. German, Suhl choke-bore barrel mark PROOF MARKS: GERMAN PROOF MARKS, cont.
spectacular example is Gonthier's formal proof of the four-color theorem. His starting point is the second-generation proof by Robertson et al. Although the traditional proof uses a computer and Gonthier uses a computer, the two computer processes differ from one another in the same way that a traditional proof differs from a formal proof.
PROOF MARKS: GERMAN PROOF MARKSPROOF MARKS: GERMAN PROOF MARKS, cont. GERMAN PROOF MARKS Research continues for the inclusion of Pre-1950 German Proofmarks. PrOOF mark CirCa PrOOF hOuse tYPe OF PrOOF and gun since 1952 Ulm since 1968 Hannover since 1968 Kiel (W. German) since 1968 Munich since 1968 Cologne (W. German) since 1968 Berlin (W. German)
2. Lubin-Tate spaces 45 2.1. The height of a formal A-module 46 2.2. Lubin-Tate spaces via formal group laws 49 2.3. Lazard's theorem for formal A-modules 52 2.4. Proof of the lemma of Lazard and Drinfeld 60 2.5. Consequences for formal A-modules 66 2.6. Proof of representability of Lubin-Tate spaces 76 3. Formal schemes 82 3.1. Formal .
1. Community using formal proofs is relatively small Market for formal proofs is small - proof technology not widely used in software - proof technology not widely used in science and math - proof technology not widely used in education Formal proving is still hard work - expansion factor - shallow base of basic mathematical facts
AUTOMOTIVEEMC SAFETY&EMC2011 Table3ISO11452-2severitylevels SeverityLevel Field/(V/m) I25 II50 III75 IV100 V(opentotheusersofthestandard) Figure10Typicalbiconicalantenna
