1. Proofs and computations
Helmut Schwichtenberg (j.w.w. Kenji Miyamoto)
Mathematisches Institut, LMU, München
Leeds University, 7. March 2012
Helmut Schwichtenberg Proofs and computations

2. Formalization and extraction
One can extract from a (constructive) proof of a formula with computational content a term that “realizes” (Kleene, Kreisel, Troelstra) the formula. Why should one?
◮ It can be important to know for sure (and to be able to machine check) that in a proof nothing has been overlooked.
◮ The same applies to the algorithm implicit in the proof: even if the latter is correct, errors may occur in the implementation of the algorithm.
◮ Even if the algorithm is correctly implemented, for sensitive applications customers may (and do) require a formal proof that the code implementing the algorithm is correct.

3. Consequences
◮ The computational content of a proof should be machine extracted from a formalization of this proof.
◮ The extract should be a term in the underlying language of the formal system (here: T⁺, a common extension of Gödel’s T and Plotkin’s PCF).
◮ A soundness theorem should be formally proved: the extract realizes the specification (:= the formula being proved).

4. Computable functionals
◮ Types: ι | ρ → σ. Ground types ι: free algebras (e.g., N).
◮ Functionals seen as limits of finite approximations: ideals (Kreisel, Scott, Ershov).
◮ Computable functionals are r.e. sets of finite approximations (example: fixed point functional).
◮ Functionals are partial. Total functionals are defined (by induction over the types).

5. Information systems C_ρ for partial continuous functionals
◮ Types ρ, σ, τ: from algebras ι by ρ → σ.
◮ $\mathbf{C}_\rho := (C_\rho, \mathrm{Con}_\rho, \vdash_\rho)$.
◮ Tokens a ∈ C_ρ (= atomic pieces of information): constructor trees $C\,a_1^* \ldots a_n^*$ with each $a_i^*$ a token or ∗. Example: S(S∗).
◮ Formal neighborhoods U ∈ Con_ρ: {a₁, …, aₙ}, consistent.
◮ Entailment U ⊢_ρ a. Ideals x ∈ |C_ρ| (“points”, here: partial continuous functionals): consistent deductively closed sets of tokens.

6. Flat or non flat algebras?
◮ Flat: the tokens {0}, {1}, {2}, … are pairwise incomparable, each lying directly above the empty ideal ∅ (diagram in the original slide).
◮ Non flat: the tokens are ordered by information content, from 0 and S∗ at the bottom through S0 and S(S∗), then S(S0) and S(S(S∗)), up to S(S(S0)), … (diagram in the original slide).

7. Non flat!
◮ Every constructor C generates an ideal in the function space: $r_C := \{(U, C\,a^*) \mid U \vdash a^*\}$. Associated continuous map: $|r_C|(x) = \{C\,a^* \mid \exists U \subseteq x\,(U \vdash a^*)\}$.
◮ Constructors are injective and have disjoint ranges:
$|r_C|(\vec{x}) \subseteq |r_C|(\vec{y}) \leftrightarrow \vec{x} \subseteq \vec{y}$, $|r_{C_1}|(\vec{x}) \cap |r_{C_2}|(\vec{y}) = \emptyset$.
◮ Both properties are false for flat information systems (for them, by monotonicity, constructors need to be strict):
$|r_C|(\emptyset, y) = \emptyset = |r_C|(x, \emptyset)$, $|r_{C_1}|(\emptyset) = \emptyset = |r_{C_2}|(\emptyset)$.
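To make the contrast between flat and non-flat information systems on slides 6 and 7 concrete, here is an added example (my own code, not from the slides and not Minlog's). It models the tokens of the algebra J from slide 13, with nullary constructor I and the three unary halves L, M, R (the constructors C_d), computes the map |r_C| of each constructor once in the non-flat setting (where C∗ is a token) and once in a flat setting (complete trees only), and checks the injectivity, disjoint-range and non-strictness properties over a finite family of ideals. The token encoding (word, ended), the function names and the sample family of ideals are my assumptions.

```python
# Added example, not from the slides and not Minlog's code: a finite model of
# the algebra J (slide 13) with nullary constructor I and unary constructors
# L, M, R (the three halves C_d), used to check the properties of slide 7 for
# a non-flat and a flat information system over the same constructor trees.
# Token encoding is my own: (word, ended) with word a string over "LMR";
# ended=True means the tree ends in I, ended=False means it ends in the
# placeholder *. ("", False) would be a bare * and is not itself a token.

STAR = ("", False)


def entails(u, a):
    """Single-token entailment u |- a: a carries no more information than u."""
    w, ended = u
    v, a_ended = a
    return w.startswith(v) and (not a_ended or (ended and v == w))


def closure(token):
    """Deductive closure of one token: the finite ideal it generates."""
    w, ended = token
    ideal = {(w[:k], False) for k in range(1, len(w) + 1)}
    if ended:
        ideal.add((w, True))
    return ideal


def apply_nonflat(c, x):
    """|r_C|(x) = { C a* | some U ⊆ x entails a* }.  For an ideal x this is
    C * together with C a for every token a in x: never empty, so not strict."""
    return {(c + v, e) for (v, e) in ({STAR} | set(x))}


def apply_flat(c, x):
    """Flat variant: the only tokens are complete trees (there is no C *), so
    by monotonicity the constructor map is strict: empty input, empty output."""
    return {(c + v, True) for (v, e) in x if e}


def sample_ideals(flat=False):
    """A finite family of ideals to test against, including the empty one."""
    words = ["", "L", "LM", "LMR", "M"]
    if flat:
        return [set()] + [{(w, True)} for w in words]
    tokens = [(w, True) for w in words] + [("L", False), ("LM", False)]
    return [set()] + [closure(t) for t in tokens]


def constructor_properties(apply, ideals):
    """Injectivity, disjoint ranges and non-strictness of slide 7, checked
    over the given family of ideals for the constructors L and M."""
    injective = all((apply("L", x) <= apply("L", y)) == (x <= y)
                    for x in ideals for y in ideals)
    # disjoint ranges: no ideal is both an L-image and an M-image
    disjoint = all(apply("L", x) != apply("M", y)
                   for x in ideals for y in ideals)
    nonstrict = bool(apply("L", set()))
    return {"injective": injective, "disjoint_ranges": disjoint,
            "nonstrict": nonstrict}


if __name__ == "__main__":
    print("non-flat:", constructor_properties(apply_nonflat, sample_ideals()))
    print("flat:    ", constructor_properties(apply_flat, sample_ideals(flat=True)))
```

In the non-flat run all three properties hold; in the flat run L∅ and M∅ are both the empty ideal, so the ranges are not disjoint and the map is strict, exactly the failure the slide records as |r_{C1}|(∅) = ∅ = |r_{C2}|(∅). The flat failure of injectivity on the slide concerns a constructor with two arguments, which J does not have, so this particular family cannot exhibit it.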

8. A theory of computable functionals, TCF
◮ A variant of HA^ω.
◮ Variables range over arbitrary partial continuous functionals.
◮ Constants for (partial) computable functionals, defined by equations.
◮ Inductively and coinductively defined predicates. Totality for ground types inductively defined.
◮ Induction := elimination (or least-fixed-point) axiom for a totality predicate.
◮ Coinduction := greatest-fixed-point for a coinductively defined predicate.
◮ Minimal logic: →, ∀ only. = (Leibniz), ∃, ∨, ∧ (Martin-Löf) inductively defined.
◮ ⊥ := (False = True). Ex-falso-quodlibet: ⊥ → A provable.
◮ Classical logic as a fragment: $\tilde{\exists} x\, A$ defined by ¬∀x ¬A.

9. Realizability interpretation
◮ Define a formula t r A, for A a formula and t a term in T⁺.
◮ Soundness theorem: If M proves A, then et(M) r A can be proved.
◮ Decorations (→^c, ∀^c and →^nc, ∀^nc) for removal of abstract data, and fine-tuning:
$t \mathrel{r} (A \to^{c} B) := \forall x\,(x \mathrel{r} A \to tx \mathrel{r} B)$,
$t \mathrel{r} (A \to^{nc} B) := \forall x\,(x \mathrel{r} A \to t \mathrel{r} B)$,
$t \mathrel{r} (\forall^{c} x\, A) := \forall x\,(tx \mathrel{r} A)$,
$t \mathrel{r} (\forall^{nc} x\, A) := \forall x\,(t \mathrel{r} A)$.

10. Example: decorating the existential quantifier
◮ ∃x A is inductively defined by the clause ∀x (A → ∃x A) with least-fixed-point axiom ∃x A → ∀x (A → P) → P.
◮ Decoration leads to variants ∃^d, ∃^l, ∃^r, ∃^u (d for “double”, l for “left”, r for “right” and u for “uniform”); clause and least-fixed-point axiom for each:
$\forall^{c} x\,(A \to^{c} \exists^{d} x\, A)$, $\exists^{d} x\, A \to^{c} \forall^{c} x\,(A \to^{c} P) \to^{c} P$,
$\forall^{c} x\,(A \to^{nc} \exists^{l} x\, A)$, $\exists^{l} x\, A \to^{c} \forall^{c} x\,(A \to^{nc} P) \to^{c} P$,
$\forall^{nc} x\,(A \to^{c} \exists^{r} x\, A)$, $\exists^{r} x\, A \to^{c} \forall^{nc} x\,(A \to^{c} P) \to^{c} P$,
$\forall^{nc} x\,(A \to^{nc} \exists^{u} x\, A)$, $\exists^{u} x\, A \to^{nc} \forall^{nc} x\,(A \to^{nc} P) \to^{c} P$.

11. Practical aspects
◮ We need formalized proofs, to allow machine extraction.
◮ Can’t take a proof assistant from the shelf: none fits TCF.
Minlog (http://www.minlog-system.de)
◮ Natural deduction for →, ∀, plus inductively and coinductively defined predicates.
◮ Partial functionals are first class citizens.
◮ Allows type and predicate parameters (for abstract developments: groups, fields, reals, …).

12. Example: average of two reals
Berger and Seisenberger (2009, 2010).
◮ Extraction from a proof dealing with abstract reals.
◮ Proof involving coinduction of the proposition that any two reals in [−1, 1] have their average in the same interval.
◮ B & S informally extract a Haskell program from this proof, which works with stream representations of reals.
Aim here: discuss formalization of the proof, and machine extraction of its computational content.

13. Free algebra J of intervals
◮ SD := {−1, 0, 1} signed digits (or {L, M, R}).
◮ J free algebra of intervals. Constructors: I, the interval [−1, 1], and C : SD → J → J (left, middle, right half).
◮ C₁ I denotes [0, 1].
◮ C₀ I denotes [−1/2, 1/2].
◮ C₀ (C₋₁ I) denotes [−1/2, 0].
$C_{d_0}(C_{d_1} \ldots (C_{d_{k-1}} I) \ldots)$ denotes the interval in [−1, 1] whose reals have a signed digit representation starting with $d_0 d_1 \ldots d_{k-1}$.
◮ We consider ideals x ∈ |C_J|.

14. Total and cototal ideals of base type
Generally:
◮ Cototal ideals x: every token (i.e., constructor tree) P(∗) ∈ x has a “≻₁-successor” $P(C\,\vec{\ast}) \in x$.
◮ Total ideals: the cototal ones with ≻₁ well-founded.
Examples:
◮ Total ideals of J: $I_{i,k} := \left[\frac{i-1}{2^k}, \frac{i+1}{2^k}\right]$ for $-2^k < i < 2^k$.
◮ Cototal ideals of J: reals in [−1, 1], in (non-unique) stream representation using signed digits −1, 0, 1.

15. Inductive and coinductive definitions
◮ Inductively define a set I of (abstract) reals, by the clauses
$I\,0$, $\forall^{nc}_x \forall_d\,\bigl(I\,x \to I\,\tfrac{x+d}{2}\bigr)$.
Witnesses are intervals (total ideals in J).
◮ Coinductively define coI, by the (single) clause
$\forall^{nc}_x\,\bigl(\mathrm{co}I\,x \to x = 0 \lor \exists^{r}_y \exists_d\,(x = \tfrac{y+d}{2} \land \mathrm{co}I\,y)\bigr)$.
Witnesses are streams of signed digits (cototal ideals in J).
◮ From a formalized proof of $\forall^{nc}_{x,y}\,\bigl(\mathrm{co}I\,x \to \mathrm{co}I\,y \to \mathrm{co}I\,\tfrac{x+y}{2}\bigr)$ extract a stream transformer, of type J → J → J.

16. Proof of $\forall^{nc}_{x,y}\,\bigl(\mathrm{co}I\,x \to \mathrm{co}I\,y \to \mathrm{co}I\,\tfrac{x+y}{2}\bigr)$
$X := \{\tfrac{x+y}{2} \mid x, y \in \mathrm{co}I\}$, $Y := \{\tfrac{x+y+i}{4} \mid x, y \in \mathrm{co}I,\ i \in SD_2\}$, with $SD_2 := \{-2, -1, 0, 1, 2\}$.
Show (i) X ⊆ Y and (ii) that Y satisfies the clause coinductively defining coI. Hence Y ⊆ coI (by the greatest-fixed-point for coI). Hence X ⊆ coI, which is our claim.
XSubY: $\forall^{nc}_{x,y \in \mathrm{co}I} \forall^{nc}_z\,\bigl(z = \tfrac{x+y}{2} \to \exists_i \exists^{r}_{x',y' \in \mathrm{co}I}\,(z = \tfrac{x'+y'+i}{4})\bigr)$.
YSatCl: $\forall_i \forall^{nc}_{x,y \in \mathrm{co}I} \forall^{nc}_z\,\bigl(z = \tfrac{x+y+i}{4} \to z = 0 \lor \exists_{j,d} \exists^{r}_{x',y' \in \mathrm{co}I} \exists^{r}_{z'}\,(z' = \tfrac{x'+y'+j}{4} \land z = \tfrac{z'+d}{2})\bigr)$.

17. Formalization
◮ Use a type variable ρ to denote an abstract type of reals.
◮ Need functions P (plus) of type ρ → ρ → ρ for addition, and H (half) of type ρ → ρ for division by 2, with properties
$(x+k)/2 + l = (x + (k +_{\mathbb{Z}} 2l))/2$,
$(x+k)/4 + l = (x + (k +_{\mathbb{Z}} 4l))/4$,
$(x+k)/2 + (y+l)/2 = ((x+y) + (k +_{\mathbb{Z}} l))/2$,
$x + 0 = x$, $0 + y = y$, $0/2 = 0$, $2k/2 = k$, $k + l = k +_{\mathbb{Z}} l$.
◮ In the proof of lemma YSatClause we have to solve $d' + e' + 2i = j + 4d$ for given $d', e' \in SD$ and $i \in SD_2$. This is a finite problem and hence can be solved by defining $J : SD \to SD \to SD_2 \to SD_2$ and $D : SD \to SD \to SD_2 \to SD$ explicitly. The validity of $d' + e' + 2i = J(d', e', i) + 4D(d', e', i)$ is proved by cases.
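The following added example (my own Python, not the slides' Minlog extract and not Berger and Seisenberger's Haskell program) runs the computational content of slides 13 to 17 end to end: it reads a J-token as the interval of slide 13, defines J and D explicitly and verifies $d' + e' + 2i = J(d', e', i) + 4D(d', e', i)$ by exhaustive cases as slide 17 describes, and turns lemmas XSubY and YSatCl into the stream transformer of type J → J → J on signed-digit streams. The particular choice of D (emit 1 when the sum is at least 3, −1 when it is at most −3, 0 otherwise), the digit-expansion generator for rationals and all function names are assumptions of mine; the slides only state that such J and D exist.

```python
# Added example, not from the slides or from Minlog: the finite case analysis
# behind lemma YSatClause and the stream transformer it yields for the
# average of two signed-digit streams, plus the interval reading of J-tokens.
from fractions import Fraction
from itertools import islice, product

SD = (-1, 0, 1)          # signed digits, or {L, M, R}
SD2 = (-2, -1, 0, 1, 2)  # sums of two signed digits


def interval(digits):
    """Interval denoted by the J-token C_{d0}(C_{d1}(...(C_{dk-1} I)...)).

    A real with signed-digit expansion d0 d1 ... lies in [m - 2^-k, m + 2^-k]
    with m = sum(d_n * 2^-(n+1)); this is I_{i,k} of slide 14 with
    i = sum(d_n * 2^(k-1-n)).  The empty token list is I = [-1, 1].
    """
    k = len(digits)
    m = sum(Fraction(d, 2 ** (n + 1)) for n, d in enumerate(digits))
    r = Fraction(1, 2 ** k)
    return (m - r, m + r)


def D(dp, ep, i):
    """Output digit d in d' + e' + 2i = j + 4d, chosen so that j stays in SD2.
    (Assumed rule; the slides leave the explicit definition open.)"""
    s = dp + ep + 2 * i          # ranges over -6 .. 6
    if s >= 3:
        return 1
    if s <= -3:
        return -1
    return 0


def J(dp, ep, i):
    """Carry j in SD2 that remains once the digit D(d', e', i) is emitted."""
    return dp + ep + 2 * i - 4 * D(dp, ep, i)


def check_JD():
    """The proof by cases of slide 17: every instance of the equation holds
    and J, D land in the stated codomains SD2 and SD."""
    for dp, ep, i in product(SD, SD, SD2):
        assert dp + ep + 2 * i == J(dp, ep, i) + 4 * D(dp, ep, i)
        assert J(dp, ep, i) in SD2 and D(dp, ep, i) in SD
    return True


def average(xs, ys):
    """Stream transformer J -> J -> J realizing coI x -> coI y -> coI (x+y)/2.

    xs, ys are iterators over signed digits.  After reading the heads d, e we
    have (x+y)/2 = (x'+y'+i)/4 with carry i = d+e (lemma XSubY); every further
    step is lemma YSatClause: emit d = D(d', e', i) and continue with j.
    """
    i = next(xs) + next(ys)
    while True:
        dp, ep = next(xs), next(ys)
        yield D(dp, ep, i)
        i = J(dp, ep, i)


def sd_stream(q):
    """A (non-unique) signed-digit expansion of a rational q in [-1, 1]."""
    while True:
        d = 1 if q > Fraction(1, 4) else (-1 if q < Fraction(-1, 4) else 0)
        yield d
        q = 2 * q - d            # tail x' with x = (d + x')/2, still in [-1, 1]


def average_prefix(p, q, k):
    """First k digits of the average of rationals p, q in [-1, 1]."""
    return list(islice(average(sd_stream(Fraction(p)), sd_stream(Fraction(q))), k))


if __name__ == "__main__":
    check_JD()
    digs = average_prefix(Fraction(1, 3), Fraction(1, 2), 10)
    lo, hi = interval(digs)
    print(digs, lo, hi)  # an interval of width 2^-9 containing 5/12
```

The transformer reads one digit of each input per output digit after a one-digit head start, which is the productivity one expects from a term extracted by coinduction; the carry i ∈ SD2 is exactly the witness for the existential in lemma XSubY, and each loop iteration is one unfolding of the clause defining coI.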
