Record? Yeah, I do. It's good. Yeah, let's try that. Yeah, that's too dark. I think this is good. Okay.

Okay everyone, welcome to GSS. Today we have our second speaker of the semester, my dear officemate and roommate Clive Newstead. Just because you are here is the excitement. So he's gonna tell us about something about computers and how to prove things. Okay.

Okay, thank you for the introduction, Son. Okay, so my talk is entitled "Formalization, or: how I learned to stop worrying and love the computer", which is a play on the film Dr. Strangelove, which is called "Dr. Strangelove, or: how I learned to stop worrying about the bomb". So in this case the computer is the bomb, and so I guess we'll see what I mean.

So what I'll be talking about today is why we might want to use computers to do mathematics. And when I say do mathematics, I mean do the kind of math that we do, so proving stuff. Not like, you know, using Wolfram Alpha to factorize a polynomial, but actually proving stuff using a computer. I'll then talk about interactive theorem provers, which is the main, you know, kind of thing that I'm hoping to talk about. Of course, when you're using a computer to do math, you need to worry about whether the computer is actually doing what it's supposed to do, and also how you expect to be able to translate your mathematics into the programming language of a computer or something. And so we have to talk about some of the foundational issues that arise if we want to keep using our normal foundations, or if you want to switch to something else. I'll then do a demo, and I have no idea how well the demo is going to go, so you'll have to bear with me. And this is using an interactive theorem prover called Lean, which I'll talk about more soon. And then I'll talk about some considerations for the future: things that may or may not go wrong or right in the future, and things that are working and not working.

But before I get started, can anyone tell me what they think a proof is?

Something Concepts students do
badly.

It's something that Concepts students do badly at the beginning of Concepts, and something they do a little bit better at the end of Concepts. Anything else? What is the thing that they're trying to do? Come on, we literally do this all day every day, so hopefully we know what we're doing. Andy?

You start with some assumptions and inference rules, and you want to build a sentence out of those assumptions and inference.

Okay, so start with some basic assumptions, axioms, build up a bunch of theorems based on their, building the things up and ending with what we're trying to prove. Sure, great.

Sequence of well-formed formulas.

Wow, sequence of well-formed formulas. Yeah. Any other slightly more human answers for you? Sure, that's not what Concepts students do. They don't write down a well-formed formula followed by a well-formed for, you, you can, you take some points after you, you, uh, yeah. I mean, often Concepts students write down ill-formed formulae, but they're not just writing down formulae, they're doing other stuff. I don't know.

So I'll start giving you some other answers now. You know, I'm sure that when you're in your office doing your research, you're not writing down well-formed formula, formula. So one thing might be an argument that convinces yourself that the proposition p that you're trying to prove is correct. That's a step that might not be satisfactory, because you might want to convince others that p is correct, because otherwise you're just kind of speaking to yourself. So an argument that convinces others that p is correct is already getting fairly complicated, because who are others? You've got to consider, like, who you're writing your proof for, or who are you, you know, giving a talk to, that kind of thing. You know, how much detail we really need to go into for them to be convinced, etc. The answer that Andy and Greg gave is a logically coherent sequence of statements, beginning with axioms or known results and ending with the thing that you're trying to prove. So this is more of a sort of formal perspective, and the
stuff that I'll be talking about really falls under this viewpoint of what a proof is. And there is sort of ongoing future work, by people much cleverer than I am, trying to go from number three here to numbers like one, two: based on one of these logically coherent sequences of statements, how can you get something that's human readable, that other people might be able to read and actually understand and believe? It's possible that all of the above are concepts of proof, and that something else entirely is the concept of a proof. And it doesn't really matter what you think proof is; the kind of proof that I'll be talking about really is this, this thing here.

And so I'm going to make three observations about the state of the mathematical community and, you know, where we are situated within the sciences right now. So the first observation I'm going to make is about the mathematical literature, so about the papers that we publish and the things that go on the arXiv. And so most of what I'm going to say boils down to the fact that mathematicians are really human. Well, most of us; potion alone might not be. So we make lots of errors, and those errors end up getting published. And some of them are just typos, and some of them are things that, like, oh, I made this false assumption, but if I correct it slightly then it's something that I can fix. And sometimes it's something really fundamental, and you only discover that it's an error after 500 people cited your paper. We're lazy. We don't like to put all the details into our paper because they're too tedious to type out. We make leaps of faith all the time. We expect our readers to fill in the details. And it's difficult as well, given all the time pressure that we're under, to write a well-motivated mathematical paper within a background that I read it and really understand it, whatever else. We rely very heavily on our intuition. So, you know, when you start learning your field of mathematics, you get really bogged down in the details of, like,
what's the actual definition of a pullback of two morphisms in a category, and you have to check the universal property and all this kind of stuff. But then after you've been doing that for a couple of years, you're like, oh, pullback, yeah, blah blah blah blah blah. You've kind of got this, like, post, post-complicated way of thinking about things. And so we rely very heavily on intuition. And also, we really just have no idea what we're doing. I think it was John von Neumann, also, I think it was John von Neumann said that you never really understand mathematics, you just get used to it. And I really feel, when I look at my own research, that this is the case. I have got used to it, and locally I understand what's going on, and then I try and think about how this translates to other areas of math and I've stopped. And so a consequence of all of this is that we can't have full faith in the literature. When I say full faith, I mean, like, what we're doing as mathematicians, we're supposed to be completely correct. You know, this is our, like, moral, moral superior intellectual high ground, is like, mathematics is the purest of the sciences, we're doing what we want with complete certainty. Except we're not, because we're throwing in errors and we don't really understand what everyone else is doing, and so on.

The second observation is that math is really hard. Really, really hard. And this is something that I certainly encountered during my PhD, and I'm sure that most of you are as well. So it takes a long time for us to get to grips with the theory, which means that to even attempt to prove a theorem we need to be able to understand the statements of the theorem, and even getting to the point where we fully understand the statement of a conjecture or something, it takes us years. That's why we spend the first two years of our PhDs taking classes. Proof techniques are never guaranteed to work, so you end up spending a long time cranking a handle, and then all of a sudden, like, it just doesn't work. Lots of
what we do is very tedious, and I'm sure this differs from field to field, but I've definitely seen some analysts with long strings of integrals and all sorts of, you know, differential equations or whatever else. And then I personally, in my own research, had to give up a proof. We just give up even trying to do a proof, because the details were just so tedious and annoying that I just couldn't even, I just didn't have enough time to write down all the details. And so we end up wasting a lot of time and effort, and we could be using our brains for things other than, you know, cranking a handle and doing all these computational steps.

So another observation is that we're not very good at speaking to each other, and we're even worse at speaking to people that are not mathematicians. And what I mean by this is that there's very little communication between fields. Son, who introduced me a few minutes ago, and I share an office and an apartment, and I have no idea what he does, and he has no idea what I do, and yet we're in the same PhD program in the same university. And that's just because I do logic and category theory and he does analysis and PDE, and we just don't know. We don't know the words, we don't know the language. It's often difficult to tell if something's already been proved. And so, you know, if you have a diligent advisor that's very knowledgeable in the literature, and they've really read sort of everything, and they're 90 years old or whatever else, then they might have some idea if someone's already proved the thing that you're trying to prove. But it happens a lot that you prove something and you find out that someone's already done it, and it's in this paper that was published in 1983. It's very difficult to read papers in other areas. And so, you know, I've encountered times in my own research where I've had to delve into papers that are more close to, like, algebraic topology than they are to logic, or that are more close to geometry than they are to logic, and just the basic
concepts of those fields are already so difficult to grasp that when it comes to reading a research paper, you're just doomed. Like, it takes weeks to read a single paper. And we alienate non-mathematicians. It's not that we try to, we just do. You know, it's difficult enough for us, who have our undergraduate degrees in mathematics, to read other math papers. How are people in stats, trying to learn about algebraic topology to do persistent homology, supposed to kind of get their foot in the door of algebraic topology? It just doesn't make any sense. And so we end up with a very isolated community and a very disjointed community. So we're separated from the world and we're separated from each other, intellectually speaking. And this is a problem. I mean, this really is a problem, and it's, you know, part of the reason why, I guess, governments try to encourage, like, interdisciplinary collaboration or whatever. But it's something that we really need to address in the long run, even if not in the near future.

And so the idea is that we might be able to get some help from computers in solving some of these problems. And so the first of the problems, in terms of making errors and filling in the gaps: the hope might be that we can use computers to verify the correctness. If we have a sequence, you know, like we're saying a proof should be a sequence of valid formulas that follow from basic assumptions to conclusions, a computer should be able to check if all of those, you know, steps that we're doing in our proofs are actually valid. They should be able to assist with the process of proving a result, so this is kind of helping with the difficulty of doing mathematics. If a computer has access to all theorems of mathematics and you need to fill in a gap somewhere in your proof, it's going to find it a lot easier, as a computer, to just scan the whole database and fill in the gap with whatever theorem, you know, like a jigsaw, fits in there, than it is for you to go and read decades' worth of
papers of randomism theorem. And they can provide extensive databases. And so once we've got all of our math into a computer, it should theoretically be possible to have searchable libraries, where if you're presented with an equation that you don't know of the form of, for example, you could type it in and it'll come up and say, oh look, that's Pell's equation or something, and then you can look at all the results that relate to that kind of equation, and so on. It just makes navigating the literature a lot more easy. And so hopefully computers might be able to do this. Of course, I have to say this is just in theory, because doing this is, it's not like this is going to be easy, to do all this stuff.

So anyway, so that's all the motivation I wanted to get. So are there any questions about why I care about this, before we get started talking about it?

But do I care about unemployment?

Actually, I'm going to get to that later. So yeah, unemployment is something that we do have to worry about. Any other questions?

So I'll talk about interactive theorem provers. These are also called proof assistants, and I guess I'll tell you what they are. So an interactive theorem prover is a type of computer program, and it consists of a few different components. One of them: you need to have some underlying logical system. This provides you with the language that you need to translate your math into something that you're going to put into a computer, and it tells you what steps of deduction are valid. It's what allows you to build all of your formulas and theorems and define your definitions and whatever else. And it has a trusted kernel. And so ideally, so this is going to be the main part of the program, it should be very, very small, because the smaller a program it is, the more, like, convinced you can be that it's actually correct. And the kernel is going to be the thing that actually does all of the verifying that the things are correct. It will have an elaborator, which is some kind of
addition to the kernel, and this is what's going to be able to tell you how to prove stuff. And so you start writing down the proof, when you're stuck, and then you ask your computer, how do I keep going? And the elaborator's what's going to tell you what you need to do next. It's at least going to tell you what you should be trying to do next, and it should hopefully also be able to suggest some steps to get towards that process of doing that thing. And it will have one or possibly several libraries, and the libraries are the places where you can access all of the definitions that you've made and the results that you've proved, and so on. So this is kind of what an interactive theorem prover consists of. I'm not really going to refer to all of these things specifically anymore in the talk, as well, to give you some idea.

But these are not new. These things have been around for a long, long time. They've been around for decades. And there are some examples, and Coq is a very big one; Agda; HOL, stands for higher-order logic, is a very popular one; so Isabelle, Nuprl: classic examples of proof assistants that have all been around for a reasonably long period of time. They have established mathematical databases, Coq especially, and Agda. And yeah, I mean, these first few have very substantial mathematical libraries. There's a lot of math that has already been put in, in these proof assistants. And Lean, the one I bolded at the end, is the one I'm going to be demonstrating later. It was born a few years ago, it's been developed by Microsoft Research, and a lot of the work being done with the Lean proof assistant is happening in Pittsburgh, so I'll be talking a little bit more about that.

But just to give you some idea of what a proof in one of these proof assistants looks like, here is a proof that the square root of 2 is irrational in the proof assistant Isabelle. And so you can see it looks a lot like, you don't need to read it all, you can see it looks a lot like some sort of hybrid between writing
down a proof, you can see lots of, you know, hences, and like, with this we have this, and, you know, QED, and thus, and, you know, using this result, and whatever else. It looks a bit like we're writing a proof, but it also looks a lot like a programming language. We have, you know, it's a monospace font, and everything that's, like, highlighted in different colors, and they're set out on different lines, and you've kind of got this very, like, linear structure to the whole proof.

And the idea of what's going on here is we sort of state a theorem. You give the theorem a name, here "square root 2 not rational", and then you state the theorem, which says the square root of 2, considered as a real number, is not an element of Q, the rational numbers. And then you start the proof, and then this is where the interaction between you and the computer begins. You might say, like, let x be one of these things, and assume that x is rational, and then somehow we're going to obtain a contradiction. That's down here, this "false using odd one by blast", which sounds pretty epic. So when you assume that the square root of 2 is rational, what you end up deducing is that 2 divides 1. That's what this step means. But then up here, I guess somewhere in the library, so it's not stated here, but somewhere in your library you have a result called "odd one", which tells you that the number one is odd. And so you're saying this "false using odd one by blast", and so blast will be some kind of what we call a tactic, which the elaborator uses. So the elaborator will look at odd one, it will look at blast, and say, I need to find something that contradicts odd one. It will find this statement here, that 2 divides 1, and then bang, out comes false, and then QED, because you've proved your contradiction.

So this is just kind of one example of what a proof in a proof assistant might look like. And as you can see, it's the kind of thing that, like, getting to grips with these things is going to be pretty difficult, and so I'll be talking slightly more about that later
as well.

But there are lots of big results that have been verified in various proof assistants. So one of them, in 2005, Werner and Gonthier proved, well, published their proof of the four color theorem using Coq. So the four color theorem was proved using the help of a computer originally, but not using a proof assistant. The proof wasn't formalized; they used a computer to check, like, thousands of cases in this thing, right? And one of the big problems that came out when they published this proof originally was that, like, well, you've just reduced the problem of proving a theorem to trusting the correctness of an entire computer program, and like, how can you really do that? And so it took them until 2005 to actually formalize this within Coq. So now the proof of the four color theorem has been, you know, has a stamp of approval from a proof assistant.

And one of them, Dirichlet's theorem. So this is the one about every arithmetic progression where the number you start with and the distance are coprime contains infinitely many primes. So this was formalized in HOL Light, which is a variant of the higher-order logic theorem prover, by John Harrison in 2010.

The Feit-Thompson theorem. So this is the one that says that every finite group of odd order is soluble, and is a component in the classification theorem of finite simple groups. That was, you know, that proof, formalized proof, was published by Georges Gonthier in 2012.

The Kepler conjecture. So this is the result that says that if you have a bunch of oranges and you want to stack them up in the most space-efficient way possible, then you're gonna, like, build a pyramid out of them, essentially. So the Kepler conjecture is something that Tom Hales, who is a professor just down the street at the University of Pittsburgh, he proved this in, I think, the 90s, but the proof was so long, it was hundreds of pages, that the referees gave up. They stopped trying to check the result was correct, because it was so long and so involved and so crazy, that they allowed it to be
published, but their comments were along the lines of, like, we sort of believe the essential correctness of this proof, and whatever else. And it was like, yeah, you know, this had been a big conjecture for a long time. It's the kind of thing you want to be pretty sure about before you publish it and get your name put on the paper. And so what Tom Hales did after he proved this was he decided to formalize it. And so he and a massive group of people, including some former students of CMU, he also partners with the University of Vietnam, interestingly, so lots of the co-authors on this paper are Vietnamese. So they formalized it, and along the way they found hundreds and hundreds of errors in the original proof, and of course they had to correct them, and correct them they did. And in 2014 or 2015, well, in 2014 they announced the proof, 2015 they published it. And so that was, like, one of the big, big steps. He gave a talk over at Pitt. I went; it was very epic.

And Green's theorem. So I don't want to bore the analysts here, but Green's theorem is a theorem of mathematical analysis, and had not been proved for a very long time, until a couple of Australians proved it in Isabelle two years ago, in 2016.

So these theorems are all things that are, like, you know, these four especially are, like, big, difficult results. Green's theorem is something that involves lots of integral, mathematical analysis, partial derivatives, triple integrals, double integrals, whatever, whatever you've got going. But now we have these formalized proofs. But there are many results still up for grabs. And so if you want to formalize Fermat's Last Theorem, for example, that's still up for grabs. If you want to formalize the independence of the continuum hypothesis, that's still up for grabs. The independence of the continuum hypothesis sounds like it should be within reach. So I don't know, I don't know what I'm talking about, though, so like, it might be very, very difficult, but I feel like it should be within reach. So there are loads and loads and loads of
results up for grabs, and anything that you publish in your, you know, thesis hopefully is not already known, right?

So I believe so, yeah. So when they published these results in journals, which they do, they publish papers that say how it works and how it works, and like, all of the code that they have. But the point is that all of these proofs are using these proof assistants, and these proof assistants have these trusted kernels, which are very, very, very small. And so, you know, there's one of them, I forget which one, that's so small that the developer of it, like, in normal size font, made a t-shirt with the code for the kernel printed on it, right? So it's a very small program. And the point is that these, like, these small kernels will spit out errors if there is anything wrong in the proofs of these theorems. And so if you have stated the theorem accurately and the proof assistant doesn't spit out an error, then either your computer is broken, but, you know, they check it on what to do for computers, whatever, or there's something wrong with the kernel, but the kernel's so small that you're convinced that there's nothing wrong with it. And so in some sense, like, these are much more trustable than hundred-page proofs in journals that rely on hundreds of years of cumulative, error-prone papers. But yes, they are refereed before they get published. But I guess one of the hopes is that they may no longer need to be. So that's a different discussion.

And so to give you some idea of what's happening in Pittsburgh: there is lots happening at CMU and at Pitt. Surprisingly, none of the, well, as far as I'm aware, none of the work being done at CMU is being done in the mathematics department. And so the standard library of Lean, so what I mean by standard library is just, like, standard classical mathematics, just results from math, number theory, combinatorics, like, whatever you want, just algebra, topology, like, they are being formalized in the philosophy department by, amongst others, Jeremy Avigad. He's a professor
there. Rob Lewis actually graduated, he got his PhD, like, a few weeks ago, so he's disappeared now, he lives in Amsterdam. And so the Lean standard library is being developed in the philosophy department, and it's surprising, yeah, they're doing a lot of mathematics over there. Homotopy theory, or more accurately synthetic homotopy theory, so sort of abstract homotopy and that kind of thing, is being formalized by a group of people that are interested in homotopy type theory. So Steve Awodey, who is my PhD advisor, although I'm not involved in this project myself, Floris van Doorn, Egbert Rijke, they're both PhD students, Jonas Frey and Felix Wellen, and they're both postdocs. So there is this group of, like, essentially topologists and logicians that are working on, like, homotopy theory and formalizing it using Lean.

And at Pitt, oh sorry, not quite there yet. In the computer science department there's a group of people developing a new proof assistant called RedPRL. I don't know any of the details about this. Red comes from a reference to communism, because John Sterling is, like, an ardent communist, and he's the one that initiated this thing, so that's where RedPRL comes from. So anyway, yeah, they're developing that, and they're also formalizing stuff in more classical proof assistants like Agda and Coq.

And at Pitt we have Tom Hales. So he's the one that proved the Kepler conjecture, with stacking all the oranges. Obviously he got very involved in formalization as a result of that, and he has started a project called Formal Abstracts in Mathematics. And this is using the Lean proof assistant, and there is a postdoc currently advertised at Pitt in exactly this. I think the deadline may have passed, so it's too late to apply, but there may be more in the future. And the goal of this project is to formalize the definitions, and all of the definitions and all of the statements of theorems, in all published mathematical journals ever. So that's the goal. And their reason behind this, and not formalizing
the proofs, and so there's no proof checking, it's just formalizing, getting the statements of all of the theorems down into a proof assistant. And the whole reason why they're doing this is because they want to make the mathematical literature more navigable, and to be able to do things like, if you stumble upon a thing and you're not familiar with that area, just go and, like, list all of the theorems about that thing that there are, and pick the one that, and then find the reference to the literature that you can read more about it. So that's the goal of the Formal Abstracts in Mathematics project. We'll see how that goes. I've seen some pretty convincing talks about it, though, so it's one to keep your eye open for. I imagine there will be some talks advertised at the Pitt, like, algebra, combinatorics and geometry seminar or something like that, and so it's worth keeping that open for.

Okay, so any questions before I start telling you a bit more mathematical nitty-gritty? Yes?

Um, are these languages, like, mutually intelligible one another? Like, if I had a formal proof in one, can I port it to the other?

Some of them, yes. So there are ways of porting between Coq and Agda. I know there are definitely ways of porting from one into another. But the problem with doing this is that the proofs in one, after you've ported them, become these just unrecognizable piles of junk. And so from a human readability point of view, the code that you obtain is correct, but human readably just not good. So if you go back to this whole, this proof in Isabelle of this, you know, the proof that square root of 2 is irrational: this is all computer code, but you can still sort of read it, right? If you were to port this into another language, it would slice and dice it so that it turns it into the language in whatever way it has to. It would reduce things to normal forms, and it would expand terms, and it would do all sorts of crazy stuff, and what you would end up with is, like, a pages and pages and pages long pile of gibberish, and
like, all of these names of variables, like two dvd and simp and whatever else, the names wouldn't be respected by the thing that's porting it. So while theoretically it's possible, it's not a nice thing to do. But we want the code to be readable to humans, because we're making these mathematical libraries, and if you want to be able to turn one of these code proofs into a written proof, you need to be able to understand it.

To what extent are these languages, to what extent can you use them to just do regular programming?

So, any extent whatsoever. They're all Turing complete. So, you know, you might not want to. They're not the most practical languages ever. It would be like using a functional programming language like Haskell to do everything, which some people do, I know. You know, there are people that do real programming using Haskell. So you could theoretically in these do whatever you wanted. You could write an operating system, right? But you wouldn't want to.

Okay, so moving on. I'm gonna briefly, but not very much, talk about foundational issues. And so most formal mathematics, when I say formal I refer to this whole process of writing down these sequential sort of logical proofs, are done using Zermelo-Fraenkel set theory with the axiom of choice, with or without the axiom of choice, mostly with these days. And some of these proof assistants do use set theory as their basis, so it's not impossible to use set theory, but there are some challenges that you encounter when trying to get a computer to verify proofs that are written using set theory.

And so one of them is, for example, consider this statement. Is this true or false? So this says, for every x, y and z, whatever they may be, if you multiply x and y first and then z, that's equal to multiplying x to the y and z. It's saying, you know, associativity of multiplication, whatever this multiplication may be. But then the problem is with this, I mean, for a start, like, we don't have a bounded quantifier here, so we don't know what x, y
and z actually refer to. But, like, not only that, we don't know what this dot refers to. We don't know, like, what exactly is going on here. And so if we knew, then we might be able to do something about this, but if you plug this into a proof assistant in set theory, it's not going to know what to do unless you give it some more information. I'll come back to that in just a moment.

So another one is to consider this. So the binomial theorem is true in any commutative ring, right? So, you know, x plus y to the n. I've left out all the quantifiers, but this is true for all x, y in whatever ring you're working in, all natural numbers x. So if you look at this statement, there's a lot kind of going on here that you might think is perfectly legit, ring theoretically, and it is. But this, like, this summation thing, like, we're used to defining this over, like, numbers, like real numbers for example, but you have to define this symbol here recursively over a ring, and you would need to do this every single time if you were going to work with it. You have a natural number here, n choose k, multiplying elements of a ring. But how do you multiply a natural number by elements of a ring? Well, you add the elements of the ring together natural number many times. Um, but then again, like, every time you define a new ring, you'd have to define this expression differently.

Um, another thing is, what does two refer to? So if I write down two, right, we all know what two is, yeah? Okay. Now, in set theory, if I were to ask a Zermelo-Fraenkel set theorist what two is, or especially if they follow the von Neumann convention, what they will say is, it's the set containing the empty set and the singleton containing the empty set, right? So it's the set containing zero and one, and zero is the empty set and one is the singleton of the empty set. So if, but then that's not quite true, right, because that's two as a natural number. But the integers are constructed as equivalence classes of pairs of natural numbers, so if I want to write two and it
refers to an integer, then what I have is not just a set of two elements, it's an equivalence class of pairs of sets, with, you know, one of natural numbers. If I want to consider two as a rational number, well, two is then an equivalence class of pairs of integers, so it's an equivalence class of pairs of equivalence classes of pairs of natural numbers. If I want to consider two as a real number, then two is, like, a Dedekind cut, so it's like a downward closed, like, unbounded above, like, blah blah blah, like, set of equivalence classes. So the number two, like, when you write it down, if your proof assistant is using set theory, it doesn't know which set you're referring to. It could be any of these sets, and like, how are you encoding it? And so that has to be obvious somewhere.

And so the key problem with this is that when we write stuff down in usual first-order logic with set theory, like, single-sorted first-order logic, so when we're looking for set theory, the role of an object is not inherent to the object. So, you know, the number two considered as a natural number, empty set, singleton empty set, could be just, you could just want to be thinking about it as a set. And so two, on the one hand, you want to think about it as a number, but you can also think about it as a set. And so, you know, the role of an object is not inherent to the object, but that means that when you're trying to use this object to prove stuff about other objects, it's less clear what to do with it when you're presented with it.

And so the solution to this would be to use type theory. And in type theory, everything, every object, which is called a term, like two, has a unique type. And so whenever you talk about two, you might say, like, two of type natural numbers. And in practice you would not write this subscript, so the elaborator or the kernel of your proof assistant would know to interpret it in whichever way it needs to, based on the context of what you're trying to do. I could consider two as the integer. So this colon
you can think of as being like an element hood relation but we can think about it in other ways too there's the function which sends x to x squared so the type of that is r arrow r we still use this location when we're doing set theory but really this says this is a term and this is its type r arrow r is the type of functions from the reals to the reals um the natural numbers is a type so it's a term of type type and so don't ask me what type type has it's like a whole thing of a cumulative hierarchy of universes whatever else going on so everything is a unique type but not only that so whereas in set theory you have your logic and the line the set theory and then the set theory built on top in type theory everything is just terms and types there is no logical system distinct from the theory of types they're just one and the same thing which means that we can interpret the types as being propositions things that we want to prove and the terms as being proofs it doesn't make that much sense to think that two is a proof of the natural numbers so we don't do this universally but we're going to have a special type called prop whose terms are types that we think of as propositions so some examples of this um so suppose you give me a proof of capital a little a and you give me a proof of capital b little b right so you've got a proof little a of big a and a proof little b of big b how would you get a proof of a and b anyone teaching concepts should hopefully know this answer just concatenate the proofs right so if i want to prove a and b just prove a and prove b so i obtain a proof of a and b by taking a proof of a and a proof of b and so i just paste them together and so in type theory i could say a is a term of type a and b is a term of type b then this gives me a term a b of type a cross b a cross b is the same as conjunction and i'll go through more of these analogies momentarily um and so you may notice that this is the same as the cartesian product so if you think 
about a instead of being a proposition as being the setable proofs of that proposition and b is being the setable proofs of b then a cross b is the setable proofs of a and b right um and so there's lots of analogies here so a cross b considered as a set you think of it as the cartesian product considered as a proposition you think of it as conjunction we have co-product which gives you disjoint union in sets and disjunction as propositions which is to say something is an element of this set if it's an element of a and an element of b to prove a or b while you prove a or you prove b right um a arrow b so in set theory it's the function set as a propositionist implication so as a function set giving me an element of a and i will give you an element of b in proposition give me a proof of a i'll give you a proof of b so a implies b right um so sigma and pi so this is index disjoint union if you consider them as sets so it's an element of one of these sets for one of these indices or you can think of it as existential quantification so to prove there exists something there exists an x such that b of x is true find an x that is find one of these indices and then find an element of the thing that is referring to and likewise with dependent products the elements of this thing are functions in set theory and the proofs for any x that b of x is true in type theory and then terms well again so ordered pairs correspond with pairs of proofs an element of a or b is a proof of a or it's a proof of b i kind of said this already so you get a proof of b from a proof of a given any function like this and then likewise for the these are called dependent types so i won't get to listen to much more detail but as you can see this is kind of nice because you can use the same language for talking about things that you want to think of as sets and things that you want to think of as propositions without going to be blinking an eyelid and it's something that's really hard to get used to if 
you've been raised on set theory like i was um and i still use set theory all the time so i'm not going to pretend that this is how i think uh but i think there's a really nice nice way of doing mathematics um and there are some advantages for you know using this to prove your mathematical theorems because type theory mirrors programming if you do programming everything you do has a type uh it might be a you know type int so it's an integer or float like a floating point or it might be a list or it might be you know whatever when you do programming your things are types and they behave in exactly this kind of way um it's constructive and don't worry you can still do non-constructive mathematics within type theory but the constructive character means that when you're building proofs you're it's easier to piece them together when you are able to construct for example witnesses of existence so when you say there exists something that makes a thing true if you can actually find the thing that makes it true then that's going to simplify your proofs later on provided you can do it um and you can't always do it and there are translations of non-constructive mathematics into this framework uh a very sort of brute force approach is to double negate everything and then you obtain a perfectly valid thing but we don't need to do that it's proof relevant and so what i mean by this is that when we're saying that a theorem is true so when we're saying for example sorry to do this say i'm saying that a is true then i would say little a colon a i don't just say a is true i say here's a proof that a is true so i'm keeping track of my proofs as i go which means that when i'm pasting them together i just need to find the proof and stick it in there wherever it's needed so that's what proof relevance means and it makes heavy use of induction and recursion so whenever you declare a new type it has some kind of induction principle and some kind of recursion principle and these are 
precisely the things that computers need to be able to do computer stuff with them right and so you do computer stuff with them so like to do programming these things are very important um and so like that's kind of nice if you were to translate most of what you do most mathematicians logicians are definitely not included in this so i would definitely notice a shift but most mathematicians wouldn't notice a detect in the foundational shift so if you were to encode your mathematics using type theory rather than set theory to you like you wouldn't really notice anything because like how often do you refer to the axiom of foundation when you're doing analysis like you don't right you just do your stuff with functions and real numbers you don't really care about how they're encoded as sets um and so most mathematicians wouldn't wouldn't detect a foundational shift so with no further ado unless there's any questions and please do ask some questions if you want them i'm going to give you a little demo okay right so the demo i'm going to give you is using lean which is the proof assistant that i was just telling you about do you see what they did with the e in the a that's pretty clever so the lean theorem prover you can get it yourself it's free to download and it's free to use and it's open source and even though it's Microsoft Research it's open source um you could go to leanprover.github.io if you really want to you can follow along with my demo if you click documentation then there's like a bunch of tutorials or whatever else there was actually a class where is it maybe it's not on here there was a a course at Carnegie Mellon which was in parallel with concepts and it filled the same requirement it was taught in the philosophy department and they used lean to formalize all the proofs that they did in that course which i think is really cool anyway there is an online version where you can use emacs and i have not got used to emacs yet so i just used it for a little bit so 
i'm gonna delete all of this and i'm gonna make it logic so hopefully you can all see you can read okay good so so let's talk about like let's just prove some basic thing from like propositional logic like day like week two of concepts kind of proof okay so so let's have a look at this so let's start we want to have some propositions to talk about and so i'm going to introduce some constants they're going to be propositions and they're going to call p q and r and so if i want to find out the type of something i do hashtag check and then i'll get a message over here so it tells me that p is a proposition right i can form new propositions from old propositions so for example i could do hashtag check p wedge q the nice thing about this is that you can use latex commands and the code actually accepts unicode characters and so you can read the code a lot more clearly with the unicode so you'll see here like p and q is a proposition so that's nice um so what's there want to do um say i want to have a proof of p then i could like introduce one and i could do like hashtag check p and so what this says is that um oh sorry little p so big p is a proposition little p is of type p i'm going to get rid of all of these checks because they're going to get in the way um okay so let's let's prove a theorem about these things um so the theorem that i want to prove is something like uh it's like conjunction is associative so how about uh con doing the spacing backwards is really difficult i can't i would normally mirror my screen but when i did that my laptop crashed so i can't do it with a screen which is really irritating so i'm going to tilt myself slightly more okay so i'm going to say conjunction is associative and so this theorem has to have a type um and the type is going to say well it's going to take in some arguments so it's going to take in p q and r as propositions and the type of this thing is going to be so it's the theorem that i want to prove is that p and q and r 
implies p and q and r i'm going to put sorry there for the moment so sorry is what you write if you don't have to prove something right you apologize to the proof assistant and then if you were to say like if you were to say check uh conjunction is associative then it will tell you that the type of this thing says for all propositions p q and r if p and q and r is true then p and q and r is true the fact there's no parentheses here just means that it wants to associate the parentheses to the right and it doesn't write them in that case so let's prove this and so well first of all how are we going to prove this well we want to assume that the thing before the arrow is true so i'm going to do assume h i'm going to go to a new line if i write an underscore here it'll tell me what i'm trying to do so here like above this little vdash symbol here i now have h is a term of type p and q and r and i want to get the term of type p and q and r now the way i introduce a term of a new type is using what's called an introduction rule and so i'm going to use this introduction rule i'm going to give it a term of type p and i'm going to give a term of type q and r so the introduction rule funnily enough is called and dot intro and i'm going to do these things and put little underscores so now it's going to give me some errors which is fine um so here you can see that like here nine eight means row nine character eight it's saying what it wants is a proof of p and down here line 12 character eight it's saying what it wants is a proof of q and r so let's prove p well i want to get p i want to get something that proves p and i have a proof that p and q and r is true so how do i get from p and q and r to p well if you know a and b are true you know a is true i'm going to do that twice so the opposite of introduction is elimination and so i'm going to do and dot elim left that's going to give me the first component and i'm going to do the and dot elim left h so this says give me the 
first component of h and then give me the first component of that component so this is saying give me a proof of p and q and then give me a proof of p and you will notice that the error has disappeared and so the only way that you know your proof is correct is that there's no error message right so you don't get any positive reinforcement for this thing it's a lack of error message that gives you the satisfaction that you're correct um can anyone guess how i'm going to give a proof of q and r i'm going to do an intro and so the intro well first of all i'm going to have to give a proof of q doing this it's very difficult i'm going to have to give a proof of r so you see here i've left those that is q r so now i need to give a proof of q i won't bore you with explaining everything anymore so a proof of q well i'm going to take the first i'm going to take the proof of p and q by doing the and elim left and i'm going to do the proof of q using and elim right so here i get and elim right of and elim left h you can see the error message for that thing went away and so h remember is of type p and q and r and so if i do and elim right h then away goes the error message okay now this wasn't much fun right so there are ways of simplifying all of this and there are ways of doing shortcuts and there are ways there are ways where you don't even need to type out all of this code you just sort of you would say begin and then you would write a bunch of commands to try stuff out and then press n then you could probably prove this in my two lines of code um but i won't go into too much detail because i want to show you some other cool things that lean can do um so another thing that lean can do how about this so we can give like inductive definitions of stuff um so suppose i want to def on motion suppose i want to define a factorial function so my definition of factorial is going to be a function from the naturals to naturals i'm going to define it using the fact that the natural 
numbers are defined inductively by saying that zero is a natural number and the successor of every natural number is a new natural number right and so what i have to do to define a function from the naturals to the naturals is say what it does on zero well the factorial of zero is one and say what it does on successors well the factorial of n plus one is n plus one times the factorial of n away goes the error messages right and so you may notice that like when i was halfway through doing this i had errors once the error's gone away what this tells you is that this really does define a function from the natural numbers to the natural numbers so whereas up here the error messages went away when it said i have a proof of this proposition down here it's saying i have a function from the naturals to the naturals but they're actually just the same thing they're both saying i have a term of the type you said i did um and so you can check that this works by doing hashtag reduce and i might want to find the factorial of six which should be oh i should say i don't reduce fact and this is like what the computer actually does when it's computing these factorials but so you find you fact six seven twenty how about that how about i want to do something a little bit more complicated so suppose i want to define a binomial coefficient so binomial coefficient takes in two natural numbers and it spits out another natural number equivalently it takes in a natural number and then it takes in a natural number and then it takes in a natural number and so what i'm going to do now is tell you what it does when i give it zero and zero what it does when i give it n plus one and zero what it does when i give it zero and k plus one and what it does when i give it n plus one and k plus one so this is going to be an inductive definition of binomial coefficients so what zero choose zero anybody how many zero elements subsets of the empty set are there one very good okay n plus one choose zero how many 
zero element subsets of a set of size m plus one one how many sets how many uh k plus one element subsets of the empty set are there none okay and in terms of smaller numbers how many subsets of size k plus one are there of a set of size m plus one anyone teaching concepts this semester and you'll remember the binomial thing you go up in the group right so it's n choose k plus n choose k plus one okay and i'm going to introduce a notation i'm going to write notation n choose k is binomial n k and so now what i'm going to do is say hashtag reduce um five choose three which should give me ten it works yes so i'm just trying to understand the types here so because i think of binomial as a function from n cross n to n yes so what's going on here with this sort of like a triple function so when you write the triple like this you're associating to the right so this takes in a natural number and it spits out a function for the natural okay yeah and there's a bijection a natural bijection between such functions and functions that take in pairs so taking in a pair in is the same as spitting out a function yep when you do some kind of um in in notation or you're going to recall because of definition yeah does it does it do it does the does whatever lean is um do anything to check whether it's a well-defined equation or anything yeah it will give you an error if it isn't uh and and does this like a real time as in if you yeah can you put the brackets in the first so if i do this then what it will want me to do is take in a function and spit out a natural number and you will notice i have errors because like it was expecting to find something of this type and it got something else so actually the example here the the reason why this fails is like at the very beginning at this zero here it wants n arrow n to be a structure that has a notion of zero and so actually and the next thing i'm going to do is define a structure and has zero is a structure that says that your thing has a 
unit for an addition more and so going back to that thing you know when i said what does x times y times z equals whatever mean so as soon as you know the types of x y and z if you if you know that your type has the structure of something like multiplication then what your proof assistant is going to do is look through the library find the proof that it has that multiplication and then it will tell you what to do when you see the plus sign and the zero sign but i'm going to take away those so i don't get any more error messages so this is a gss talk and every gss talk must contain a definition of a what a graph i've continued to be disappointed by the lack of definitions of graphs that have been happening and so i'm going to give you one now um but first of all i'm going to define a quiver everyone knows what a quiver is right it's a thing you put arrows in yes i'm actually going to put two arrows in my quiver and what are the arrows i'm going to put in my quiver the pointy arrow it's going to give you a source and a target so a quiver is a directed multigraph with loops or put more simply i'm going to be defining let's get this right did i delete this now i didn't get so i'm going to define a structure so this is a structure that you can put on a thing i'm going to call the structure quiver which i'm going to spell correctly and so i'm defining a structure so i do this thing and to make my structure what i'm going to need i'm going to need a type of vertices a type of edges i guess i don't need those spaces and for each edge i'm going to need a source vertex and for each edge i'm going to need a target vertex you don't actually need these latex things i could have just done dash arrow but it just looks nicer to do the latex stuff so i do it okay so there's a quiver that's how you define a quiver um and so i could give you an example of a quiver i'm not going to instead i'm going to tell you what a directed graph is so what's a directed graph it's a quiver yeah so 
whether or not you want loops is we could put it in we will allow these to have loops um so a directed graph is going to be a quiver where every edge has a unique source where sorry where every pair of vertices has at most one edge going between them right so you can't have like from this arrow from this block to this block you can't have several edges going there and so what i'm going to say is that a directed graph is a quiver and so i'm going to say extends quiver by doing extends what i've just done is say whenever i prove anything about a quiver it's going to hold of a directed graph it's going to hold of the underlying quiver of any directed graph that you do and so we're not duplicating our efforts and this is very important for defining algebraic structures for example um okay so in addition to having the structure of a quiver it's going to have a proof that every pair of vertices has at most one edge between it and so i'm going to say let's get this right client because that'll be embarrassing if you don't okay so i guess i should have a proof so no duplicates is going to be a term of a type which is a proof of a proposition the proposition it's going to be a proof of is for all say e and f i hate to call it f but i will for for now of type edge q dot uh sorry q dot don't want edge yes so for every edge of type q if the source of e is the source of f and i really hope i don't get any error messages after this and the target of e is the target of f then e equals f now what's going wrong yeah well it's q here so q ah there we go maybe i just needed e you're right sorry i was getting ahead of myself because i was going to actually define a quiver okay so a structure is a directed graph if it's a quiver and it has no duplicates which means that i'm able to present it with a proof that for every pair of edges e and f if their sources are equal and their targets are equal then the edges are equal and finally and there were definitely easier ways of defining graph 
but i couldn't work out how to do it so i did it this way instead so now suppose i want to define a graph by extending a directed graph how are we going to do it no loops um okay so let's do no loops no loops so i guess this is going to say for every edge the source of e is not equal to the target of e and symmetric it's symmetric right a symmetric directed graph with no loops is the same as just a graph and so symmetric is going to say uh for all oh i made a definition before that okay before i do this i'm going to make a quick definition so i'm going to say goes to um is going to take in a quiver and it's going to say that a vertex u goes to a vertex v if uh so this is going to be a proposition that's going to be defined by saying that there exists an edge whose source is u and whose target is v that's a proposition i guess there's something wrong with a q dot v and a q dot v over there there we go no error and so now i can say okay so it's symmetric if for every pair of vertices if u goes to v then v goes to u and i called them the wrong name no i didn't it was wrong syntactical error there we go so it says for every pair of vertices u and v if u goes to v then v goes to u so there's an edge from u to v then there's an edge from v to u okay so anyway i've defined a graph so i feel happy with this talk and that concludes the demo and so for the last couple of minutes i'm not going to keep you for much longer um i'm going to talk a bit more about these programming languages so there we go okay so considerations for the future since the future is all that there is left in the world so some things going well in the world of formalization um one of them is that it is a fun thing to do so i had fun maybe you didn't have fun watching me but you could go home and you could download lean and you could play around with it you could look at the manuals the the manuals are really good and they have interactive manuals that have the textbook on one side and the same 
JavaScript thing on the right hand panel and you can follow along as you as you read the manuals that's really cool um there's lots of interest in theorem proving right now um theoretically all of this stuff you know there's nothing special about mathematics that makes it verifiable you can apply this to programming languages you can verify the correctness of a program you can even verify the correctness of hardware the fact that it won't fail and so this is very crucial for things like medical technology and they are used in those in those fields just with different logical systems obviously to be able to formulate the programs rather than mathematical proofs um the technology is getting better and better every day the speed that it takes to check a proof is correct gets smaller and that kind of thing um and there are lots of non-mathematicians becoming interested in mathematics so much so like i said that all of the formalization being done at CMU is not in the math department so like that you know case in point um and the libraries are getting bigger so there are loads and loads and loads of theorems being formalized on a daily basis and put into publicly accessible digitized formalized verified libraries which is really cool um things some things not going as well and so the first one is it's a very steep learning curve learning how to do this takes a long time it takes at least you know a year probably if you want to be able to do this fluently it's going to take you at least a year of just struggle before you get that um it feels a lot like programming which for some people is a bonus but for me it is not because i don't really enjoy programming as much as i enjoy proving stuff um there's little consensus about anything and so not just consensus about which theorem prover is used but consensus about which foundational system used by which theorem prover is the right one to formulate mathematics in and yada yada yada um additionally there's not much money in 
it so you know although these projects have gained interest in industry compare this to something like automated like you know driving like what do you call it like driverless cars like there is just not as much money in this stuff as there is in that and so it's hard to invest the people power into this that's needed to develop technology um and i'll talk about mathematics mathematics and skeptics and so you know i took a risk by giving you this talk but hopefully i've convinced you at least a little bit of the worth of these things but the mathematical community as a whole especially the older walker modernity types are never going to trust a computer over hundreds of years of mathematical papers because they just don't like technology and they trust people more than computers that's something that our generation finds odd the fact that you would trust a person more than a computer to be correct um but the older generations are the other way around um and i guess just some considerations for the future there's lots of issues coming our way and so one of them is is it really necessary to use a single foundation in a single theorem prover and to prove everything or could it be the results in homotopy theory are proved in lean and results in mathematical analysis are proved in Isabelle results in combinatorics are proved in this other proof assistant and it's just a case of like you decide which theorem which branch of math you're in and then go down that route um user-friendliness is something that could be vastly improved to the point where it would be nice to be able to write down a proof in grammatically correct english and have your computer interpret it formally right and tell you where the gaps that need to be filled are and maybe do it for you um the right level of interactivity is so on the one hand there's no interactivity and that's kind of the proofs that i was doing right i was just writing every step myself there are tools in lean that i didn't even show you 
where lean will just do those things for you and you won't have to write and dot intro you know and and dot elim underscore left and all that kind of stuff it just does it for you um and so the question is like what's the right level clearly no interactivity is not good because then it's still really difficult to formalize these things complete interactivity which again is like no interactivity but on the other end is you type in a theorem and if it's correct it says yes and if it isn't it says no and this then comes back to sun's question about unemployment like do we have to worry about computers taking our jobs right and so uh i don't know that i don't think about these things very much perhaps i should but i we're not there yet so you know decades in the future maybe we can worry about that um you know i i still have hopes that humans are the only people that are capable of finding out whether a mathematical result is interesting whatever interesting means i don't know um if we are going to get more widespread use of these things then it's going to have to be incorporated into the mathematical education and so like i was saying Jeremy Avigad taught this philosophy course last actually it was Jeremy combined with Floris van Doorn and Rob Lewis maybe maybe not Rob i don't remember it was Jeremy and a couple of other people um they have already taught a course in this and in fact in i think the spring of 2015 there was a course in using lean by Jeremy Avigad and that's where i got um that's where i got my first exposure to lean from um so it's being incorporated at CMU in the philosophy department maybe one day it will expand a little bit um and the other thing is that these proofs especially when you're using so-called tactics that do the proofs for you turning those into human readable proofs things that you would actually read in a journal is a challenge and can be done in basic cases but not necessarily completely so they're just things to keep in mind for 
the future all right that's everything so thank you for listening the slides are on my website any questions don't have you found that you know the amount that you understand about how to work um believe and maybe other things has actually been useful for what you're doing in your research theoretically it would be um so the reason i say that is because my a lot of my research concerns homotopy type theory and pretty much everything that's done in homotopy type theory since it's in like since its first inception has been formalized as a point of principle and so like there is this whole field where everything is formalized and that's just like you publish a paper and you you say like and you can find the formalized version on this web you know this github page or something so in some sense yes in another sense no i work with um high dimensional categories doing semantics of homotopy type theory and those structures just haven't been formalized yet and there isn't a theory in lean or in any other proof assistant to really talk about those things and so while it would be worthwhile in the long run for me to formalize that and that would have helped me get over the problem that i was talking about earlier where i couldn't work out all the details of this proof i could have had the proof assistant doing for me but i would have to develop all of the theory first and so like you know if i had minions to do the hard work first and then i crank the handle myself and it'll be fine but so like so yes in theory but no in practice yes so like uh i'm wondering how this like system handles my numerical terms so like for yeah go on so like um for basic like numerical like analysis class there's always some example like plus minus plus minus and then something instead of plus plus plus and then minus minus minus which there's supposed to be the same but they're not like numerical yeah but but how does the complete system get around with this so with this i would say that doesn't 
arise quite so much because you're normally proving high level things you're not you know whenever you define a quantity you're defining it you know you define like a variable you might use integers sometimes but you're not going to be you're not going to be doing calculations that involve real limits to a high level of precision for example because there are already systems out there to do that theoretically in the future maybe you would but how it actually handles it i don't know so lean is so actually one of the main drawbacks of lean is that oops it is written in c plus plus and c plus plus like its kernel is in c plus plus so to trust its kernel you have to trust c plus plus and that language is ridiculously massive so you can't really trust lean's kernel in the same way that you trust other kernels unless you trust c plus plus but i would imagine that it handles those errors in the same way that c plus plus would but i could be wrong and also i know no computer science and so i can't tell you anymore so how successful has this various theorem provers been tackling like more spatial topics like topology if i want to formalize or something like that i don't really know so synthetic homotopy theory is only a new application of this which is very much not point set because it's independent of the like the construction of the interval for example you know abstract interval you just need a thing with two endpoints like that's that's an interval it doesn't have to be the real one um so i really don't know i don't know it strikes me as something that should be like not it should have been done already in something like Isabelle or how they have some unique i don't know what they have but they have some default new metric spaces and oh do they yeah i don't know what they have okay okay cool okay let's