Download Mathematical Induction - Cambridge Computer Lab

A summation problem
What is 1 + 2 + 3 + · · · + 999 + 1000?
Is there a formula for the general solution?
Automated Reasoning
Answer (due to Gauss):
Lecture 10: Mathematical Induction
1 + 2 + 3 + ··· + n =
Mateja Jamnik
Can we prove such a formula for general solution? Automatically?
University of Cambridge Computer Laboratory, UK
http://www.cl.cam.ac.uk/˜mj201
Rewriting is not powerful enough due to infinite number of cases.
We use the proof technique of induction (this lecture) and the
automation heuristic rippling (next lecture).
CS Part III/MPhil in ACS 2016-17
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
n · (n + 1)
2
1 / 23
Mathematical induction
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
2 / 23
Proving Gauss’ theorem
To prove Gauss’ theorem using this form of induction it is useful to
start our summation at 0 (rather than 1):
Gauss’ theorem can be proved using a technique known as
mathematical induction.
Proof:
The simplest form – a statement holds for all natural numbers:
where:
Induction hypothesis (IH): assume statement for n.
Induction conclusion (IC): prove statement for n + 1.
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
n · (n + 1)
2
Base case: when n = 0 we have 0 = 0·1
2
Step case: assume the formula holds for n; then
0 + 1 + 2 + · · · + n + (n + 1)
= (0 + 1 + 2 + ... + n) + (n + 1)
n · (n + 1)
=
+ 1 · (n + 1)
by induction hypothesis
2
n
= (n + 1) · ( + 1)
2
n+2
= (n + 1) ·
2
(n + 1) · (n + 2)
=
is induction conclusion
2
This shows that the formula holds for n + 1.
(QED)
Base case: Show the statement holds for 0.
Step case: Show that if the statement holds for any natural
number n then it must hold for n + 1.
Mateja Jamnik (Univ. of Cambridge)
0 + 1 + 2 + 3 + ··· + n =
3 / 23
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
4 / 23
Types of mathematical induction
Recursive functions
Functions are often defined recursively (in terms of themselves).
Induction is a natural way to prove properties of such functions, e.g.:
So far, we looked at weak induction:
P(0)
even(0) = true
∀n : nat. P(n) → P(s(n))
∀n : nat. P(n)
even(s(0)) = false
even(s(s(N))) = even(N)
To prove even(2 · n):
Complete induction is stronger:
P(0)
Base case: n = 0 thus even(2 · 0) = even(0) = true.
Step case: assume induction hypothesis even(2 · n). We need to
show even(2 · (n + 1)):
∀n : nat. (∀k : nat. k ≤ n → P(k )) → P(s(n))
∀n : nat. P(n)
even(2 · (n + 1)) = even(s(s(2 · n)))
(by rewriting)
= even(2 · n)
(by definition of even)
= true
(by hypothesis)
Complete induction is used to prove the fundamental theorem of
arithmetic, that every natural number is a product of primes.
This shows that the formula holds for n + 1.
(QED)
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
5 / 23
Recursive datatypes: lists
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
6 / 23
Structural induction
Datatypes, such as lists, sets and trees, are also defined recursively.
A list is defined as:
either the empty list (denoted by nil or [ ]), or
an element combined with a list:
To prove properties of recursive datatypes, we use a generalised
type of induction called structural induction.
Structural induction - to prove that a property holds for any
instance of a recursively-defined structure, it is sufficient to prove:
call the element h (head) and the list t (tail),
the combination is written h :: t or h#t (pronounced ”h cons t”).
Example:
Base case: the property holds for the minimal structures in
the definition.
[a, b, c] = a :: [b, c] = a :: (b :: [c]) = a :: (b :: (c :: [ ])))
Step case: if the property holds for the substructures of an
arbitrary structure S then the property holds for
S also.
The function len can also be defined recursively:
len(nil) = 0
len(H :: T ) = s(len(T ))
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
7 / 23
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
8 / 23
Well-founded orderings
Structural induction for lists
The induction argument uses the step case as follows:
For lists, a structural induction proof that some property P holds
for all lists consists of two parts. We must prove:
P(n) is true because P(n0 ) is true, for some n0 < n; and
P(n0 ) is true because P(n00 ) is true, for some n00 < n0 ; ...
To be valid, this argument cannot go on forever:
it requires an ordering; and
it must terminate (see lecture 7);
this is called a well-founded partial ordering.
CS Part III/MPhil in ACS 2016-17
2
if P(t) is true for some list t, then P(h :: t) must be true for any h.
P(nil)
For the naturals, the usual ordering (less than) works.
For lists, say L0 < L whenever list L0 is the tail of list L. Under this
ordering, nil is the unique minimal element.
Automated Reasoning - Lecture 10
P(nil) is true;
Our induction rule for lists can be written:
Examples:
Mateja Jamnik (Univ. of Cambridge)
1
9 / 23
Recursive definitions (1)
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
10 / 23
Recursive definitions (2)
Reverse a List:
Append Two Lists:
rev (nil) = nil
nil @ L = L
rev (H :: T ) = rev (T ) @ (H :: nil)
(H :: T ) @ L = H :: (T @ L)
(Quickly) Reverse a List:
List Membership:
qrev (nil, L) = L
X mem nil = false
qrev (H :: T , L) = qrev (T , H :: L)
X mem (H :: T ) = (if H = X then true else X mem T )
Rotate a List:
Butlast of a List:
rot(0, L) = L
butlast nil = nil
rot(s(N), nil) = nil
butlast (H :: T ) = (if T = nil then nil else H :: butlast T )
Mateja Jamnik (Univ. of Cambridge)
∀h : A. ∀t : list(A). P(t) → P(h :: t)
∀l : list(A). P(l)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
rot(s(N), H :: T ) = rot(N, T @ (H :: nil))
11 / 23
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
12 / 23
Associativity of @
Proving base case
Conjecture:
∀k , l, m : list(A). k @ (l @ m) = (k @ l) @ m
Rewrite rule (1): nil @ Y ⇒ Y
Equality axiom (reflexivity): X = X
We need to choose a variable to induct on.
Proof:
If we use h :: t-induction on k we get:
by (1)
by (1)
by (reflexivity)
Base Case: nil @ (l @ m) = (nil @ l) @ m
Step Case:
t @ (L @ M) = (t @ L) @ M ` (h :: t) @ (l @ m) = ((h :: t) @ l) @ m
↑
↑
IH
IC
Note:
`
`
`
`
nil @ (l @ m) = (nil @ l) @ m
l @ m = (nil @ l) @ m
l @m=l @m
true
The left of the sequent is empty, because there are no assumptions.
We use the convention that an underlined term is being rewritten to
the purple term in the next line.
(L and M are free variables)
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
13 / 23
Proving step case
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
14 / 23
Fertilization
Rewrite rule (2): (X :: Y ) @ Z ⇒ X :: (Y @ Z )
In proving the step case we aim to make the IC resemble the IH:
Proof:
t @ (L @ M) = (t @ L) @ M
by (2) twice
by (2)
by (replacement)
by (IH)
by (reflexivity)
`
`
`
`
`
`
(h :: t) @ (l @ m) = ((h :: t) @ l) @ m
h :: (t @ (l @ m)) = (h :: (t @ l)) @ m
h :: (t @ (l @ m)) = h :: ((t @ l) @ m)
h = h ∧ t @ (l @ m) = (t @ l) @ m
h=h
true
we want an instance of the IH to appear in the IC.
We then use the IH to prove the IC: strong fertilization.
Rewriting can get blocked before we reach an instance of the IH in
the IC.
However, we may have part of the IH in the IC.
In this situation can use the IH as a rewrite rule: weak fertilization.
Since every step is reversible the induction conclusion is true
given the induction hypothesis.
QED
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
15 / 23
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
16 / 23
Theoretical limitations of inductive inference
Cut elimination
Incompleteness: (Gödel)
Formal theories exclude some truths.
Examples found by Kirby and Paris.
Related to types of induction: there are theories with theorems for
which we cannot find the right type of induction.
Undecidability of Halting Problem: (Turing)
No algorithmic test for termination.
Related to complete induction: need to construct a well-founded
relation for inductive inference, but Turing’s result says there is no
algorithm to determine if an arbitrary relation is well-founded.
Failure of Cut Elimination: (Kreisel)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
17 / 23
Need for intermediate lemmas
Gentzen showed Cut Rule redundant in FOL.
Kreisel showed necessary in inductive theories.
Practical consequences:
Mateja Jamnik (Univ. of Cambridge)
(5)
Rewrite rules:
`
`
CS Part III/MPhil in ACS 2016-17
18 / 23
CS Part III/MPhil in ACS 2016-17
rev (X @ Y ) = rev (Y ) @ rev (X )
Original: Γ ` rev (rev (l)) = l
New: Γ, rev (X @ Y ) = rev (Y ) @ rev (X ) ` rev (rev (l)) = l
Justification: Γ ` rev (X @ Y ) = rev (Y ) @ rev (X )
rev (rev (h :: t)) = h :: t
rev (rev (t) @ (h :: nil)) = h :: t
|
{z
}
blocked!
Automated Reasoning - Lecture 10
Automated Reasoning - Lecture 10
Cut rule introduces required lemma:
rev (nil) ⇒ nil
rev (H :: T ) ⇒ rev (T ) @ (H :: nil)
rev (rev (t)) = t
by (4)
Mateja Jamnik (Univ. of Cambridge)
Cut elimination theorem:
Lemma required:
∀l : list(A). rev (rev (l)) = l
Step case:
lacks subformula property.
Introducing an intermediate lemma
Conjecture:
(3)
(4)
A, Γ ` ∆ Γ ` A
Γ`∆
Need to generalise conjectures.
Need to introduce lemmas.
Need to generalise and introduce lemmas.
Mateja Jamnik (Univ. of Cambridge)
Gentzen’s cut rule:
Heuristics are needed to speculate the lemma.
19 / 23
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
20 / 23
Step case unblocked
A method of inductive proof
rev (rev (t)) = t ` rev (rev (h :: t)) = h :: t
by (4)
` rev (rev (t) @ (h :: nil)) = h :: t (previously blocked)
by (5)
` rev (h :: nil) @ rev (rev (t)) = h :: t
by (4)
` (rev (nil) @ (h :: nil)) @ rev (rev (t)) = h :: t
by (3)
` h :: (nil @ rev (rev (t))) = h :: t
by (1)
by (replacement)
` h :: rev (rev (t)) = h :: t
` h = h ∧ rev (rev (t)) = t (fertilization now possible)
by (IH) - fertilization ` h = h
by (reflexivity)
Mateja Jamnik (Univ. of Cambridge)
Induction THEN
Symbolic evaluation is rewriting using available rewrite rules and
also deciding/evaluating the truth of a formula.
Symbolic evaluation may need lemmas.
` true
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
21 / 23
Summary
Recursive functions and datatypes.
Inductive proofs:
may need to generalise conjecture to prove it;
may need to speculate and prove additional lemmas.
Recommended reading: Robinson & Voronkov book chapter 13
§1-6, Bundy book chapter 11, and Huth & Ryan book §1.4.2 and
§2.1-2.2.
Mateja Jamnik (Univ. of Cambridge)
2
step_cases ⇒ (Symbolic_Evaluation THEN Fertilization)
` (h :: nil) @ rev (rev (t)) = h :: t
by (2)
Symbolic_Evaluation ORELSE
base_cases ⇒ Symbolic_Evaluation
` (nil @ (h :: nil)) @ rev (rev (t)) = h :: t
by (1)
1
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
23 / 23
Mateja Jamnik (Univ. of Cambridge)
Automated Reasoning - Lecture 10
CS Part III/MPhil in ACS 2016-17
22 / 23