1

Can Proofs be Animated by Games?

Susumu HayashiHumanistic Informatics

Graduate School of LettersKyoto University

April 22, 2005, TLCA’05, Nara, Japan

2

What is the talk about?

The subject is

•1-backtracking game A join work with S. Berardi and

Th. Coquand.

3

1-backtracking game semantics A restriction of the full backtracking

game semantics, introduced by Th. Coqunad in 1991-2 , 1995.• Coquand introduce a form of 1-backtracking

game already in 1991-2

4

Game semantics for PCF?

No! It is a semantics for logic. However, it seems related to game

semantics of PCF and related calculi. It is conjectured that Coquand’s

semantics is isomorphic to J. Laird’s game semantics for PCF+Control, which is an “extension” of the game semantics by Hyland-Ong. (S. Berardi)

5

A different motivation

Although our semantics is likely to be related to the game semantics by Hyland-Ong and Laird, our motivation is not full-abstraction.

Our motivation is Proof Animation.

6

Proof Animation

A technique of “Proof Engineering”. Proof Engineering is my terminology for

the engineering to build formal proofs, e.g., the researches and activities in the projects of CafeOBJ, Coq, HOL, Mizar, PVS,…

Proof Score Method for CafeOBJ by Futatsugi et al. is a typical example of Proof Engineering. (This afternoon at WRS ’05.)

7

-- ASSUMPTION --There is a bag.

And some white or black marbles are in it.

An example of Proof Animation

-- CONCLUSION --All marbles in the bag are of the same color.

This is wrong.

However, we prove it by mathematical induction!

8

Proof of the theorem

• The theorem holds for groups A and B, since they have only n marbles. All the marbles are of the same color, since they share an.

a1, a2, ・・・ , an, an+1

group A

group B

Base case n=1 is easy The induction step

What is wrong?

9

The proof is constructive and executable.

A wrong lemma was used!:“groups A and B share a marble.”You can introduce the wrong lemma as a subgoal and prove the theorem formally with a proof checker. Then…

10

Proof animation helps to debug formal constructive proofs

The proof was constructive and the wrong lemma was detected quickly by executing the proof by Curry-Howard isomorphism.

I often used such a technique in my PX project in 1980’s. I could very quickly find bugs in definitions, goals and subgoals by the technique.

PX was a constructive proof animator.

11

Proof animation project

Build a proof animator which helps formal proof developments not only for constructive mathematics but also for proof developments in general.

We must find a means to execute non-constructive proofs.

12

Proof animator for non-constructive proofs?

Classical proofs are not directly executable.

However, there are many works to “execute” classical proofs: CPS translations, C-combinator, -calculus,…

13

Constructive interpretations of classical proofs are inadequate

These works are theoretically good, but are not adequate for proof animation.

Locally legible: each computation step in these semantics is legible enough.

Globally illegible: interpretations of proofs with several steps combinatorially explode. Algorithms resulting from even small proofs cannot be understood.

14

An important REMARK The global illegibility is not bad for logicians. If the aim is to unwind classical proofs, such

as works by logicians Kreisel, Kohlenbach, and Schwichtenberg, then the illegibility implies non-triviality of their mathematical works.

However, our aim is a technology of proof engineering. If one can write an academic paper when he or she could execute a proof by a method executing classical proofs, then the method is bad for proof animation.

15

What we need for proof animation

We need a lightweight method executing proofs in everyday proof developments.

A tool for proof animation must be easy to use as a test tool for programming languages.

Its underlying theory must be easy to understand. It is a tool, not an objective.

16

A solution: Inductive inference from Learning Theory

Algorithmic Learning Theory: a discipline to investigate “machine learning” from the viewpoint of theory of computation. (a.k.a. computational learning theory)

Inductive inference: the oldest mathematical definition of learning in algorithmic learning theory.

17

An example of learning process by inductive inference (1)

MNP (Minimal Number Principle):Let f be a function from Nat to Nat. Then, there is n : Nat such that f(n) is the smallest value among f(0), f(1), f(2),…

Nat : the set of natural numbers

18

An example of learning process by inductive inference (2)

Such an n is not Turing-computable from f.

However, the number n is inferred in finite time from f by a non-stopping algorithm of inductive inference.

19

The inductive inference algorithm for MNP

Consider a box containing a natural number. Denote the content of the box by x.

Initialize the box by setting x=0. Regard f , as a stream f(0), f(1), f(2),… Compare f(x) with the next element of the

stream, say f(n). If the new one is smaller than f(x), then put n in the box. Otherwise, keep the old value in the box.

Repeat it forever.

20

It gives the right answer in finite time

We have a sequence of natural numbers: f(n0)>f(n1)>f(n2)>…

Thus, the content of the box will eventually become a correct answer and after then the content x will never change.

In this sense, the non-terminating process infers (or learns) the right answer in finite time.

You will eventually get a right answer, although you will never know when you got it.

21

Limit-computable functions

The process inferring x is expressed by the limit:

lim n ∞ h(n) = x The functions defined by g(x)=lim n ∞ f(n,x), for

a recursive function f, are called limit-computable functions.

The limit-computable functions coincide with the 0

2-functions.

22

Logic based on limit-computable functions

Semantics of constructive mathematics is given by the realizability interpretation based on recursive functions.

The02-functions constitute a domain of

abstract recursion theory. Thus, we may replace recursive functions

with 02-functions to define a mathematics.

The defined mathematics is called Limit-Computable Mathematics (LCM)

23

Execution of LCM proofs

All proofs of LCM are “executable” by non-stopping inductive inference algorithms.

We can observe that LCM-proofs perpetually approximate right answers, and eventually reach right answers.

24

What kind of mathematics holds in LCM? Not all classical theorems hold. For example,

Law of Excluded Middle holds for 01-formulas

but not for 02-formulas.

However, an unexpectedly large fragment of classical theorems hold.• Dixon’s lemma, Hilbert’s invariant theory, Gödel's

completeness theorem, Hahn-Banach theorem,… There are reverse mathematics-like

researches on the extent of LCM. (Akama et al. LICS ’04, Toftdal ICALP ’04. in the references of the proceedings paper.)

25

It looks fine, however...A technical problem If proofs are interpreted by limits over “time

parameter” t=0,1,2,… as the original theory of inductive inference, then plural inductive inference processes are merged into one process to interpret logical inference rules with plural premises.

The merged inference process behaves like a CPU executing plural programs in the time-sharing way.

Thus its behavior is not legible.

26

Possible solutions

Design a calculus of communicating inductive inference processes.

Use generalized limits. S. Berardi has introduced limit-interpretations based on such generalized limits.

However, there is a much better way.

Game theoretical semantics

27

A semantics based on 1-backtracking game

There is a game theoretical semantics equivalent to LCM.

Good points of games:• Avoid the problem of global clock.

• More interactive.

• Much easier to understand than realizability interpretation.

28

Game theoretical semantics of logic (1)

Due to P. Lorenzen and J. Hinttika.In the semantics, validating a logical

formula is counted as a game between two players Abelard (opponent) and Eloise (proponent).

29

Game theoretical semantics of logic (2)

For simplicity, we illustrate the semantics by prenex normal forms: x1.y1.,…,xn.yn.A(x1,y1,…,xn,yn) ,where A is a decidable formula.

A play is a sequence of moves by Eloise and Abelard

Eloise wins by making A(x1,y1,…,xn,yn) true. Otherwise Eloise loses and Abelard wins.

30

A play for x1.y1.x2.y2.A(x1,y1,x2,y2)

1. Eloise moves x1=5.

2. Abelard moves y1=11.

3. Eloise moves x2=7.

4. Abelard moves y2=2. If A(5,11,7,2) is true, then Eloise wins. If A(5,11,7,2) is false, then Abelard wins.

31

The definition of truth

A formula is defined to be true, if and only if, there is a winning strategy for Eloise.

A strategy str of Eloise is a set-theoretical function, which returns her next move from the preceding moves, e.g., str([x1,y1] )= x2 for

x1.y1.x2.y2.A(x1,y1,x2,y2)

32

Constructive truth and game theoretical semantics

Giving a strategy for Eloise means giving Skolem functions.

Thus, the game theoretical truth definition is equivalent to Tarski semantics.

And, a formula is constructively true (recursively realizable) iff Eloise has a constructive (recursive) strategy.

33

1-backtracking game We introduce a new rule

• Eloise is allowed to backtrack to any preceding position of the current situation of play and restart from the position.

Eloise’s strategy may have a memory to record information on past moves by Abelard and Eloise.

Everything is the same besides these two.

34

A recursive winning strategy for

x.a.((x>0A(x-1))(x=0A(a)))

1. Eloise moves x=0.

2. Abelard moves a=24.

3. If A(24) holds, Eloise stops and she wins. If A(24) holds, she backtracks to the stage 1, and moves with x=25, i.e. x=24+1.

4. Then, Abelard moves. However, Eloise always wins, since A(x-1) holds with x=24+1.

A(x) is assumed to be decidable. Thus the formula (x>0A(x-1))(x=0A(a)) is the decidable part of prenex form.

35

Stack presentation of the strategy:

x.a.((x>0A(x-1))(x=0A(a)))

We consider the case of backtracking, i.e. the case A(24) holds.

1. Eloise moves x=0. 2. Abelard moves a=24. 3. Since A(24) holds,

Eloise backtracksand moves with x=24+1.

4. Abelard moves, say a=7435. Eloise wins.

The “stack” behaviour• [x=0]• [x=0, a=24]• [ ] backtrack

and [x=25] new move4. [x=25,a=743]5. Eloise wins,

since 25>0A(24) holds.

37

The equivalence theorem

For any prenex normal formula A, the following conditions are equivalent

• Eloise has a recursive winning strategy for A.

• A is LCM-correct, i.e., it has a limit-recursive realizer.

38

Other logical signs

Conjunctions and disjunctions can be treated as special kind of quantifiers.

Semantics of implication can be given by Hinttika’s notion of “subgame”.

39

01-EM is true

in the sense of 1-backtracking game

x.a.((x>0A(x-1))(x=0A(a))) is constructively equivalent to 0

1-EM:

x.A(x) a.A(a) Eloisehas a recursive winning strategy

for 01-EM.

41

The convergence property of 1-backtracking winning strategy

The Convergence Property:

• As Abelard attacks Eloise with more and more moves, Eloise’s move after a winning strategy eventually converges in the manner of inductive inference to the right values given by Tarski semantics.

• The convergences take place from the outside of the formula to the inside of the formula.

In the proceedings paper, I called it “stability”, but “convergence property” is better. I changed the name.

42

The Convergence Propertycaution: over simplified for explanation

x1.y1.x2.y2.A(x1,y1,x2,y2)X1=a1X1=a2

X1=a3

X1=a4

X1=a5

X2=b1

X2=b2 X2=b3

X2=b4

When Abelard tries all possible moves for him, a1, a2, a3,… given by Eloise’s winning strategy converges to the right value in the sense of Tarski semantics. In this figure, it is a5.

44

The Convergence Property and Proof Animation (1)

When one animates a proof by an animation tool, he tests the proof by providing test inputs, sets of Abelard’s moves.

The user of animator expects particular values are returned for existential quantifiers for the test inputs by the winning strategy associated to the proof.

45

The Convergence Property and Proof Animation (2)

The expected value is the limit of the sequence of trial values a1, a2, a3,…

It is just as the inductive inference of MNP example.

The behavior of 1-backtracking winning strategy is always in this pattern ! You do not need to worry about other patterns.

46

Full backtracking game and Proof Animation In Coquand’s full backtracking game, Eloise is

allowed to backtrack to any point of the “past”. Even if a “stack” configuration was flushed

away (popped away) by her own backtracks, she is allowed to return to positions of configurations once flushed away.

A strategy for 02-EM already cannot have

convergence property. Values returned by the strategy are locally correct, but never globally correct. Thus, it is difficult to understand the behavior of the strategy (proof).

47

Towards Proof Animator with 1-backtracking game

A proof animator via 1-backtracking game is now planned.

The ultimate goal is to animate proofs of David Hilbert’s theory of algebraic invariants in his 1890 Mathematische Annalen paper.

48

Hilbert’s invariant theory

This is the theory that Paul Gordan called “not mathematics, but theology”.

In 19th century algebra, solutions had to be given by algorithms. Gordan, who was the king of invariant theory then, realized Hilbert’s proof of the finite basis theorem embodies no algorithm.

Hilbert used 01-EM repeatedly in the proof. All

other parts were constructive.

49

The “theology” is executable

“Theology” was 01-EM.

When the 1-backtracking animator is built, Hilbert’s theology will run on a computer!

Remark: LCM was found through my investigation of history of mathematic on Hilbert’s invariant theory thanks to help of a learning theorist Akihiro Yamamoto.

50

Generalized equivalence theorem

Berardi has defined a 1-backtracking game Back(G) for every game G in the sense of set theory, and proved the following theorem:

For any recursion theoretic degree a, the following are equivalent:• The degree a contains a winning strategy for

Back(G).

• The jump of the degree a contains a winning strategy for G.

51

Iteration

Berardi’s Back(-) can be iterated. Thus, we can “climb up” the arithmetical

hierarchy by iterating 1-backtracking extension.

It might be possible to animate beyond LCM using Berardi’s iteration.

52

Conclusion

1-backtracking game will serve as the right foundations for a proof animation tool.

Hilbert’s invariant theory will be animated by the proof animation tool.

It might be possible to animate beyond LCM using Berardi’s iteration.

It seems to be related to game semantics for the full abstraction problems.

53

Proof Animation/ LCM home page

For more information, visit our home page

http://www.shayashi.jp/PALCM/