1 Can Proofs be Animated by Games? Susumu Hayashi Humanistic Informatics Graduate School of Letters Kyoto University April 22, 2005, TLCA’05, Nara, Japan

2 What is the talk about? The subject is 1-backtracking game A join work with S. Berardi and Th. Coquand.

3 1-backtracking game semantics A restriction of the full backtracking game semantics, introduced by Th. Coqunad in , Coquand introduce a form of 1-backtracking game already in

4 Game semantics for PCF? No! It is a semantics for logic. However, it seems related to game semantics of PCF and related calculi. It is conjectured that Coquand’s semantics is isomorphic to J. Laird’s game semantics for PCF+Control, which is an “extension” of the game semantics by Hyland-Ong. (S. Berardi)

5 A different motivation Although our semantics is likely to be related to the game semantics by Hyland-Ong and Laird, our motivation is not full-abstraction. Our motivation is Proof Animation.

6 Proof Animation A technique of “Proof Engineering”. Proof Engineering is my terminology for the engineering to build formal proofs, e.g., the researches and activities in the projects of CafeOBJ, Coq, HOL, Mizar, PVS,… Proof Score Method for CafeOBJ by Futatsugi et al. is a typical example of Proof Engineering. (This afternoon at WRS ’05.)

7 -- ASSUMPTION -- There is a bag. And some white or black marbles are in it. An example of Proof Animation -- CONCLUSION -- All marbles in the bag are of the same color. This is wrong. However, we prove it by mathematical induction!

8 Proof of the theorem The theorem holds for groups A and B, since they have only n marbles. All the marbles are of the same color, since they share a n. a 1, a 2, ・・・, a n, a n+1 group A group B Base case n=1 is easy The induction step What is wrong?

9 The proof is constructive and executable. A wrong lemma was used!: “groups A and B share a marble.” You can introduce the wrong lemma as a subgoal and prove the theorem formally with a proof checker. Then…

10 Proof animation helps to debug formal constructive proofs The proof was constructive and the wrong lemma was detected quickly by executing the proof by Curry-Howard isomorphism. I often used such a technique in my PX project in 1980’s. I could very quickly find bugs in definitions, goals and subgoals by the technique. PX was a constructive proof animator.

11 Proof animation project Build a proof animator which helps formal proof developments not only for constructive mathematics but also for proof developments in general. We must find a means to execute non- constructive proofs.

12 Proof animator for non-constructive proofs? Classical proofs are not directly executable. However, there are many works to “execute” classical proofs: CPS translations, C-combinator,  -calculus,…

13 Constructive interpretations of classical proofs are inadequate These works are theoretically good, but are not adequate for proof animation. Locally legible: each computation step in these semantics is legible enough. Globally illegible: interpretations of proofs with several steps combinatorially explode. Algorithms resulting from even small proofs cannot be understood.

14 An important REMARK The global illegibility is not bad for logicians. If the aim is to unwind classical proofs, such as works by logicians Kreisel, Kohlenbach, and Schwichtenberg, then the illegibility implies non-triviality of their mathematical works. However, our aim is a technology of proof engineering. If one can write an academic paper when he or she could execute a proof by a method executing classical proofs, then the method is bad for proof animation.

15 What we need for proof animation We need a lightweight method executing proofs in everyday proof developments. A tool for proof animation must be easy to use as a test tool for programming languages. Its underlying theory must be easy to understand. It is a tool, not an objective.

16 A solution: Inductive inference from Learning Theory Algorithmic Learning Theory: a discipline to investigate “machine learning” from the viewpoint of theory of computation. (a.k.a. computational learning theory) Inductive inference: the oldest mathematical definition of learning in algorithmic learning theory.

17 An example of learning process by inductive inference (1) MNP (Minimal Number Principle): Let f be a function from Nat to Nat. Then, there is n : Nat such that f(n) is the smallest value among f(0), f(1), f(2),… Nat : the set of natural numbers

18 An example of learning process by inductive inference (2) Such an n is not Turing-computable from f. However, the number n is inferred in finite time from f by a non-stopping algorithm of inductive inference.

19 The inductive inference algorithm for MNP Consider a box containing a natural number. Denote the content of the box by x. Initialize the box by setting x=0. Regard f, as a stream f(0), f(1), f(2),… Compare f(x) with the next element of the stream, say f(n). If the new one is smaller than f(x), then put n in the box. Otherwise, keep the old value in the box. Repeat it forever.

20 It gives the right answer in finite time We have a sequence of natural numbers: f(n 0 )>f(n 1 )>f(n 2 )>… Thus, the content of the box will eventually become a correct answer and after then the content x will never change. In this sense, the non-terminating process infers (or learns) the right answer in finite time. You will eventually get a right answer, although you will never know when you got it.

21 Limit-computable functions The process inferring x is expressed by the limit: lim n  ∞ h(n) = x The functions defined by g(x)=lim n  ∞ f(n,x), for a recursive function f, are called limit- computable functions. The limit-computable functions coincide with the  0 2 -functions.

22 Logic based on limit-computable functions Semantics of constructive mathematics is given by the realizability interpretation based on recursive functions. The  0 2 -functions constitute a domain of abstract recursion theory. Thus, we may replace recursive functions with  0 2 -functions to define a mathematics. The defined mathematics is called Limit-Computable Mathematics (LCM)

23 Execution of LCM proofs All proofs of LCM are “executable” by non-stopping inductive inference algorithms. We can observe that LCM-proofs perpetually approximate right answers, and eventually reach right answers.

24 What kind of mathematics holds in LCM? Not all classical theorems hold. For example, Law of Excluded Middle holds for  0 1 -formulas but not for  0 2 -formulas. However, an unexpectedly large fragment of classical theorems hold. Dixon’s lemma, Hilbert’s invariant theory, Gödel's completeness theorem, Hahn-Banach theorem,… There are reverse mathematics-like researches on the extent of LCM. (Akama et al. LICS ’04, Toftdal ICALP ’04. in the references of the proceedings paper.)

25 It looks fine, however... A technical problem If proofs are interpreted by limits over “time parameter” t=0,1,2,… as the original theory of inductive inference, then plural inductive inference processes are merged into one process to interpret logical inference rules with plural premises. The merged inference process behaves like a CPU executing plural programs in the time- sharing way. Thus its behavior is not legible.

26 Possible solutions Design a calculus of communicating inductive inference processes. Use generalized limits. S. Berardi has introduced limit-interpretations based on such generalized limits. However, there is a much better way. Game theoretical semantics

27 A semantics based on 1-backtracking game There is a game theoretical semantics equivalent to LCM. Good points of games: Avoid the problem of global clock. More interactive. Much easier to understand than realizability interpretation.

28 Game theoretical semantics of logic (1) Due to P. Lorenzen and J. Hinttika. In the semantics, validating a logical formula is counted as a game between two players Abelard (opponent) and Eloise (proponent).

29 Game theoretical semantics of logic (2) For simplicity, we illustrate the semantics by prenex normal forms:  x 1.  y 1.,…,  x n.  y n.A(x 1,y 1,…,x n,y n ), where A is a decidable formula. A play is a sequence of moves by Eloise  and Abelard  Eloise wins by making A(x 1,y 1,…,x n,y n ) true. Otherwise Eloise loses and Abelard wins.

30 A play for  x 1.  y 1.  x 2.  y 2. A(x 1,y 1,x 2,y 2 ) 1. Eloise moves x 1 =5. 2. Abelard moves y 1 = Eloise moves x 2 =7. 4. Abelard moves y 2 =2.  If A(5,11,7,2) is true, then Eloise wins.  If A(5,11,7,2) is false, then Abelard wins.

31 The definition of truth A formula is defined to be true, if and only if, there is a winning strategy for Eloise. A strategy str of Eloise is a set-theoretical function, which returns her next move from the preceding moves, e.g., str([x 1,y 1 ] )= x 2 for  x 1.  y 1.  x 2.  y 2.A(x 1,y 1,x 2,y 2 )

32 Constructive truth and game theoretical semantics Giving a strategy for Eloise means giving Skolem functions. Thus, the game theoretical truth definition is equivalent to Tarski semantics. And, a formula is constructively true (recursively realizable) iff Eloise has a constructive (recursive) strategy.

33 1-backtracking game We introduce a new rule Eloise is allowed to backtrack to any preceding position of the current situation of play and restart from the position. Eloise’s strategy may have a memory to record information on past moves by Abelard and Eloise. Everything is the same besides these two.

34 A recursive winning strategy for  x.  a.((x>0  A(x-1))  (x=0   A(a))) 1. Eloise moves x=0. 2. Abelard moves a= If  A(24) holds, Eloise stops and she wins. If A(24) holds, she backtracks to the stage 1, and moves with x=25, i.e. x= Then, Abelard moves. However, Eloise always wins, since A(x-1) holds with x=24+1. A(x) is assumed to be decidable. Thus the formula (x>0  A(x-1))  (x=0  A(a)) is the decidable part of prenex form.

35 Stack presentation of the strategy:  x.  a.((x>0  A(x-1))  (x=0   A(a))) We consider the case of backtracking, i.e. the case A(24) holds. 1.Eloise moves x=0. 2.Abelard moves a=24. 3.Since A(24) holds, Eloise backtracks and moves with x= Abelard moves, say a=743 5.Eloise wins. The “stack” behaviour [x=0] [x=0, a=24] [ ] backtrack and [x=25] new move 4.[x=25,a=743] 5. Eloise wins, since 25>0  A(24) holds.

36 A play for  x 1.  y 1.  x 2.  y 2. A(x 1,y 1,x 2,y 2 ) 1. Eloise moves x 1 =5. 2. Abelard moves y 1 = Eloise moves x 2 =7. 4. Abelard moves y 2 =2.  If A(5,11,7,2) is true, then Eloise wins.  If A(5,11,7,2) is false, then Abelard wins.

37 The equivalence theorem For any prenex normal formula A, the following conditions are equivalent Eloise has a recursive winning strategy for A. A is LCM-correct, i.e., it has a limit- recursive realizer.

38 Other logical signs Conjunctions and disjunctions can be treated as special kind of quantifiers. Semantics of implication can be given by Hinttika’s notion of “subgame”.

39  0 1 -EM is true in the sense of 1-backtracking game  x.  a.((x>0  A(x-1))  (x=0   A(a))) is constructively equivalent to  0 1 -EM:   x.A(x)   a.  A(a) Eloise  has a recursive winning strategy for  0 1 -EM.

40 A play with disjunction  x.A(x)   a.  A(a) 1.Eloise moves with right 2.Abelard moves a=24. 3.Since A(24) holds, Eloise backtracks and moves with left and x= Abelard moves, say a=743 5.Eloise wins. [right] [right, a=24] [ ] backtrack and go with two new moves [left, x=25]. [left, x=25, a=743] Eloise wins.

41 The convergence property of 1-backtracking winning strategy The Convergence Property: As Abelard attacks Eloise with more and more moves, Eloise’s move after a winning strategy eventually converges in the manner of inductive inference to the right values given by Tarski semantics. The convergences take place from the outside of the formula to the inside of the formula. In the proceedings paper, I called it “stability”, but “convergence property” is better. I changed the name.

42 The Convergence Property caution: over simplified for explanation  x 1.  y 1.  x 2.  y 2.A(x 1,y 1,x 2,y 2 ) X 1 =a 1 X 1 =a 2 X 1 =a 3 X 1 =a 4 X 1 =a 5 X 2 =b 1 X 2 =b 2 X 2 =b 3 X 2 =b 4 When Abelard tries all possible moves for him, a 1, a 2, a 3,… given by Eloise’s winning strategy converges to the right value in the sense of Tarski semantics. In this figure, it is a 5.

43 Remarks The figure is a little bit simplified. In reality, the sequence a 1, a 2, a 3,… converges when all possible plays are considered. But, the figure represents only one play. Eloise may win accidentally with wrong values. The parameter space for the “convergence” or “limit” of a 1, a 2, a 3,… is the directed set of the finite sets of Abelard’s moves with the usual set ordering.

44 The Convergence Property and Proof Animation (1) When one animates a proof by an animation tool, he tests the proof by providing test inputs, sets of Abelard’s moves. The user of animator expects particular values are returned for existential quantifiers for the test inputs by the winning strategy associated to the proof.

45 The Convergence Property and Proof Animation (2) The expected value is the limit of the sequence of trial values a 1, a 2, a 3,… It is just as the inductive inference of MNP example. The behavior of 1-backtracking winning strategy is always in this pattern ! You do not need to worry about other patterns.

46 Full backtracking game and Proof Animation In Coquand’s full backtracking game, Eloise is allowed to backtrack to any point of the “past”. Even if a “stack” configuration was flushed away (popped away) by her own backtracks, she is allowed to return to positions of configurations once flushed away. A strategy for  0 2 -EM already cannot have convergence property. Values returned by the strategy are locally correct, but never globally correct. Thus, it is difficult to understand the behavior of the strategy (proof).

47 Towards Proof Animator with 1-backtracking game A proof animator via 1-backtracking game is now planned. The ultimate goal is to animate proofs of David Hilbert’s theory of algebraic invariants in his 1890 Mathematische Annalen paper.

48 Hilbert ’ s invariant theory This is the theory that Paul Gordan called “not mathematics, but theology”. In 19 th century algebra, solutions had to be given by algorithms. Gordan, who was the king of invariant theory then, realized Hilbert’s proof of the finite basis theorem embodies no algorithm. Hilbert used  0 1 -EM repeatedly in the proof. All other parts were constructive.

49 The “ theology ” is executable “Theology” was  0 1 -EM. When the 1-backtracking animator is built, Hilbert’s theology will run on a computer! Remark: LCM was found through my investigation of history of mathematic on Hilbert’s invariant theory thanks to help of a learning theorist Akihiro Yamamoto.

50 Generalized equivalence theorem Berardi has defined a 1-backtracking game Back(G) for every game G in the sense of set theory, and proved the following theorem: For any recursion theoretic degree a, the following are equivalent: The degree a contains a winning strategy for Back(G). The jump of the degree a contains a winning strategy for G.

51 Iteration Berardi’s Back(-) can be iterated. Thus, we can “climb up” the arithmetical hierarchy by iterating 1-backtracking extension. It might be possible to animate beyond LCM using Berardi’s iteration.

52 Conclusion 1-backtracking game will serve as the right foundations for a proof animation tool. Hilbert’s invariant theory will be animated by the proof animation tool. It might be possible to animate beyond LCM using Berardi’s iteration. It seems to be related to game semantics for the full abstraction problems.

53 Proof Animation/ LCM home page For more information, visit our home page