
A Computer Scientist Tells Mathematicians How to Write Proofs - xhevahir
http://blogs.scientificamerican.com/roots-of-unity/2014/09/24/how-to-write-proofs/
======
kiyoto
As a math major who went to grad school in CS theory, I find the article's
title vexing. It projects a faux dichotomy of computer scientists v.
mathematicians when, in reality, it's mathematicians v. mathematicians.

Many areas of computer science, at least those in which Leslie Lamport is
best known, are strongly mathematical disciplines inspired by models of
computing. Dr. Lamport probably considers himself a "computer scientist",
but I bet that is really far from what many laypeople (even the HN crowd)
imagine a computer scientist to be.

Another issue is that mathematicians have as much to do with mathematical pedagogy
in secondary education as computer scientists have to do with science
experiments in high school. Again, the title is really misleading in this
regard.

Anyway, I am glad that great minds like Leslie Lamport and David Mumford
(definitely a mathematician) are thinking hard about how to make math
education better.

~~~
vilhelm_s
> Dr. Lamport probably considers himself a "computer scientist", but I bet
> that is really far from what many laypeople (even the HN crowd) imagine a
> computer scientist to be.

Sure, but I guess he is also really far from what most mathematicians imagine
to be mathematicians.

------
j2kun
I agree with the concerns on the false dichotomy between theoretical computer
science and mathematics, but from the mathematician's perspective I think
there's another issue not being discussed, due to the typical CS obsession
with automated proof systems.

Mathematics is a social subject, invented by humans largely for their own
amusement. The goal of a mathematical proof is to communicate insight to other
humans. Of course the point is also to be correct, but somehow communicating
insight takes priority. Relying on large bodies of latent knowledge, and
omitting details, is an effective way to do that. Allowing for occasional
mistakes is okay, because mathematics as a whole is fault tolerant (or at
least, history gives evidence to that claim).

Lamport's field is a bit different, because there they study distributed
protocols with the intent of creating value in the real world. So when they
prove a theorem, they're not just proving a theorem to gain understanding
about something, they're proving a theorem so they can improve the security or
fault-tolerance (or whatever else) of some real system. Writing down a 200+
page TLA proof is measurably worth the investment because the users of their
work (applied computer scientists and engineers) want error-free theorems and
a clean CS literature much more than they want insight.

For mathematicians communicating to other mathematicians, a two-paragraph
argument that is convincing and omits the details (that one can verify on
their own) is much more valuable. I'm not trying to make a value judgement
either way, just trying to explain the culture of math proofs and why I think
something like TLA+ will never catch on among mainstream mathematicians. You
might say it's mathematicians defending their job security, but it's also
simply that mathematicians _like_ exploring and inventing and hearing creative
proofs and perspectives. Deferring things to computers removes the a-ha
moment.

[Edit] And the idea that somehow high school students and undergraduates will
magically start reading and understanding proofs because we write them using
TLA+ is a joke.

~~~
noahl
What do you think of the idea of writing proofs in the hierarchical style in
Lamport's section 3, but not using TLA? To me, the hierarchical proofs seemed
very clear and easy to understand, but the TLA (although I only skimmed it)
seemed to introduce too much formalism and thereby hurt readability.

Also, it would be easy to put paragraphs of text in between hierarchical proof
statements, which would preserve the ability to give intuition and proof
sketches. Here I'm thinking of things like analysis, where (at least in my
experience) what you really want to do is see the picture of the proof in your
head and understand it that way, and the written proof is always just a way of
checking it.
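
For concreteness, here's a toy sketch of that hierarchical numbering in plain
LaTeX. The angle-bracket labels ("level 1, step 2" and so on) follow
Lamport's section 3; the proof itself is just the standard one, my choice of
example, not taken from his paper:

```latex
% Toy example of hierarchically numbered proof steps, in the spirit of
% Lamport's <level>step labels. Steps cite earlier steps by label.
\textbf{Theorem.} $\sqrt{2}$ is irrational.
\begin{itemize}
  \item[$\langle1\rangle1.$] Suppose $\sqrt{2} = p/q$ with $p, q$ coprime
    integers and $q \neq 0$.
  \item[$\langle1\rangle2.$] $p$ is even.
    \begin{itemize}
      \item[$\langle2\rangle1.$] $p^2 = 2q^2$ by $\langle1\rangle1$, so
        $p^2$ is even.
      \item[$\langle2\rangle2.$] If $p$ were odd, $p^2$ would be odd,
        contradicting $\langle2\rangle1$.
    \end{itemize}
  \item[$\langle1\rangle3.$] $q$ is even: write $p = 2r$ by
    $\langle1\rangle2$; then $4r^2 = 2q^2$, so $q^2 = 2r^2$.
  \item[$\langle1\rangle4.$] $\langle1\rangle2$ and $\langle1\rangle3$
    contradict coprimality in $\langle1\rangle1$.
\end{itemize}
```

Paragraphs of intuition could slot in between any of those steps without
disturbing the structure, which is exactly the hybrid I have in mind.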

~~~
j2kun
I think people already do write things in a hierarchical way. They have one
main theorem which is supported by multiple propositions and lemmas and
corollaries. At least, this is how all good papers I read are organized.

I think Lamport's vision is that the hierarchy extends down to the very last
detail. This is what I'm skeptical of, because no mathematician has time to do
this. To paraphrase Newton, you _need_ to stand on the shoulders of giants to
make progress.

------
lomnakkus
Could anyone with first-hand experience of TLA+ comment on how practical it
actually is?

I've been toying with the idea of trying this for a not-quite-trivial
(programming!) project I'm working on, but the documentation and UX have so
far kept me quite skeptical of using this "for real". The fact that I can't
turn the proof into a program in a semi-automated fashion also seems to
indicate that there's at least some barrier before the "doubled" amount of
work would be justified. (I'm more inclined towards something like Idris or
LiquidHaskell which seem to support practical programming better and will
probably let you get arbitrarily close to "proof" in any practical sense where
proof will matter.)

I take it that this was mostly about mathematics and not implementations of
programs, which may not quite have the same trade-offs. I still would like to
hear from anyone with direct experience :).

~~~
frankmcsherry
I was formerly in the same lab as Leslie. As a side project, we (Tom
Rodeheffer, mainly) used TLA to verify the correctness of Naiad's coordination
protocol. The protocol is very simple (distributed reference counting), and my
initial "proof sketch" was about two paragraphs long (and very unconvincing,
apparently :). Tom's TLA+ version was closing in on 200 pages, available at

[http://research.microsoft.com/pubs/183826/paper.pdf](http://research.microsoft.com/pubs/183826/paper.pdf)

A short publication about it, with some reflective discussion of why it was
hard to write down, is at

[http://research.microsoft.com/pubs/199767/clock-
verif2.pdf](http://research.microsoft.com/pubs/199767/clock-verif2.pdf)

My understanding is that part of the problem was that Tom needed to explain
(re-prove) many meta-facts we take for granted.

~~~
lomnakkus
Very interesting, thanks (and to the other sibling poster).

> Tom's TLA+ version was closing in on 200 pages, available at [snip]

This is one of those things I forgot to mention: the sheer amount of
ambient knowledge embedded in our (not our computer's!) background in math
and logical reasoning. Of course, sometimes we're actually
wrong, so maybe we could stand a little double-checking by computer-based
proof assistants, but I digress...

One thing that's also been mentioned in previous discussions I've been
involved in and which is slightly worrying is that these kinds of languages
tend to be quite anti-modular in that the proofs required for one type of
system often don't transfer very well to other types of systems. (In general
"algebra" proofs should _probably_ transfer pretty well, but we're usually
interested in very specific proofs for our systems.)

Aside: I wonder if Russell & Whitehead's classic 1+1 proof has yet been
(computer-)formalized?

EDIT: Russell & Whitehead

~~~
SEMW
> I wonder if Russell & Whitehead's classic 1+1 proof has yet been
> (computer-)formalized?

[http://us.metamath.org/mpegif/pm54.43.html](http://us.metamath.org/mpegif/pm54.43.html)
(though using a slightly different set of axioms to R&W:
[http://us.metamath.org/mpegif/mmset.html#axioms](http://us.metamath.org/mpegif/mmset.html#axioms))

------
mitko
Pretty good read, but the OCD in me couldn't avoid pointing out that the
example they give has a wrong solution:

x^2 + 10x = 39. Find x^2.

This actually has two solutions for x: 3 and -13, so x^2 is 9 or 169.
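
A quick sanity check, sketched in Python via the quadratic formula:

```python
import math

# Solve x^2 + 10x - 39 = 0 with the quadratic formula.
a, b, c = 1, 10, -39
disc = b * b - 4 * a * c              # 256, a perfect square
roots = sorted((-b + s * math.sqrt(disc)) / (2 * a) for s in (1, -1))

print(roots)                          # [-13.0, 3.0]
print([r * r for r in roots])         # [169.0, 9.0]
```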

It is probably a good example of how referring to preconditions at every step
of the proof would help catch errors. From my experience writing code, I'd
argue that this would also make proofs more beautiful, because discovering
that some steps require a lot of previous references might prompt the
mathematician to restructure/refactor the proof to make it simpler to write,
and thus simpler overall.

~~~
Chinjut
There are more solutions than just that; for example, we could take x to be
the matrix [[387, 320], [-480, -397]] (so x^2 = [[-3831, -3200], [4800,
4009]]), or the split-complex number 8j - 5 (so x^2 = 89 - 80j), or 5 in the
ring of integers modulo 36 (so x^2 = -11).

But al-Khwarizmi was presumably writing in the context of familiar quantities
>= 0, which is a perfectly fine thing to do.
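
Both exotic claims are mechanical to verify; a quick sketch in plain Python,
reading the scalar 39 as 39 times the identity matrix:

```python
# Check x^2 + 10x = 39*I for the 2x2 matrix solution, and the analogous
# identity for the split-complex number 8j - 5 (where j*j = 1).

def matmul(a, b):
    """Product of two 2x2 matrices given as nested lists."""
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

x = [[387, 320], [-480, -397]]
x2 = matmul(x, x)
lhs = [[x2[i][j] + 10 * x[i][j] for j in range(2)] for i in range(2)]
print(lhs)  # [[39, 0], [0, 39]], i.e. 39 * I

# Split-complex a + b*j represented as (a, b); note (a+bj)^2 = a^2+b^2 + 2ab*j.
a, b = -5, 8                       # x = 8j - 5
sq = (a * a + b * b, 2 * a * b)    # x^2 = 89 - 80j
print((sq[0] + 10 * a, sq[1] + 10 * b))  # (39, 0), i.e. the scalar 39
```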

~~~
adwn
> _we could take x to be the matrix [[387, 320], [-480, -397]]_

If _x_ is a 2x2 matrix, how can the left side be equal to 39 (a scalar)?

~~~
vlasev
It's 39 x^0 = 39 I, i.e. 39 times the 2x2 identity matrix.

------
fsk
The problem is that math journals charge based on the number of pages used.

You really would need an electronic format, and a wiki-style format that
graduate students can use, to fill in the details of all the proofs.

When I was a grad student reading papers, it would sometimes take me a day or
two to read a sentence, filling in all the details. I felt bad that there was
no way for me to share my progress with others. Someone else reading the same
paper (other than the author or a couple of other experts) would have to do
the same thing as I did.

I thought it would be a neat project, but my advisor said it would be bad for
my career if I spent time on it, so I didn't pursue it. Finding a job would
be based on the papers I published, not on making other people's research
easier to read.

~~~
zhte415
Like a RapGenius of mathematical (or other rigorous) proofs? I think this
would be amazing, especially for academics in fields related to the topic at
hand but not deeply involved, or interested laymen.

As a teaching tool it would be equally useful, even from the first year of
university.

------
vidarh
The article starts with a false equivalence between archaic verbose language
and mathematical notation.

For my part, I usually prefer the prose. Formulas are easier to read for
people _who are used to and have practice with mathematical notation_ , but
even then they are easier to read for those people _when they are sufficiently
complete_ , and formulas seem to often come with huge leaps and unstated
assumptions.

Especially in computer science papers I tend to see extensive use of formulas
over prose or - preferably - code or pseudo-code as big warning signs: Often
it turns out to mean the author is glossing over a massive amount of hugely
important details. E.g. a common problem I saw when studying was papers that
would describe processes, but omit any indications of sensible ranges for
parameters that were essential to getting good results (I was working on
techniques for image processing to improve OCR results), or greatly obscure
details of algorithms that would have taken no more lines to write out in
working code.

~~~
Chinjut
Does prose not also often come with huge leaps and unstated assumptions?

~~~
threatofrain
I think the solution is probably to have it all, according to your taste: code
because you can run it as a working proof, and explanations in both comments
and prose.

~~~
_ikke_
How do you prevent discrepancies between those? You already see it with
comments in source code, which eventually get outdated.

~~~
lomnakkus
I think the answer to this, if my experience as a maintenance programmer is
worth anything, is: don't trust the prose. Trust the code (proof). This is why
strong type systems are so insanely valuable in programming, especially if
they encode proofs of side effects or lack thereof.

Maybe there's a sort of golden middle way here where all mathematical prose-
proofs should be annotated[1] by the associated computer-checked proof. The
trustworthiness of a particular proof could be assessed by the number of such
references and how much coverage (of the prose) they provide...?

[1] Perhaps only by reference, as here. :)

EDIT: Quick edit, I say this as someone who -- earlier in xir career --
probably subjected a lot of people to somewhat verbose comments. In practice,
my comments were usually right and the programming language wasn't powerful
enough to capture the semantics of what I was doing. One hopes this is the
distinction between good and bad comments. Sorry for veering off-topic.

------
putzdown
"I think most of us, including my math-phobic Facebook friends, would find the
second version easier to follow and understand." I guess I'm in the minority.
I preferred the words (though the translation was a bit ungainly).

~~~
bsdetector
I'd say the problem with math notation is that it simply has too many symbols.
It has a different symbol for everything because it was designed as a
handwritten system.

For you mathematicians, think what you would do if you woke up tomorrow and
all the math symbols had been replaced with emoji? I think most normal people
would just learn the four operators and that's all... you know: megaphone,
pizza slice, backpack, and recycle.

Math is what it is, designed for a pre-computer world, but what really kills
me is when programmers use untypeable symbols like α (alpha), which at least
is an actual letter in one language, or worse yet random unicode like ·
("middle dot") or ∕ (division sign, not /). There's just no excuse for that.

~~~
xamuel
The reason for using different scripts (Greek etc.) is to sort symbols by
broad categories. Done right, it actually makes things _more_ readable (to the
sophisticated reader, which is the mathematician's target audience anyway).
It's almost like an implicit type system: (within a particular context) Greek
letters mean ordinals, lowercase Roman letters mean predicate logic variables,
uppercase German letters mean universes... It would be much less fun, and much
harder, to follow an intense mathematical work if the variables were all in
the same font.

~~~
bsdetector
Yes, that's the pre-computer design I was talking about. Sophisticated
mathematicians should be concerned with whether it is _machine_ readable or
not. If it's machine readable then you can use whatever font, color, or any
other style that helps you read it. The viewer can abbreviate descriptive
names to single glyphs if you want.

Programming is much less fun, and harder to follow, without syntax
highlighting. But it doesn't follow that we should manually be color coding
syntax and variables, or that integers should always be blue. That's
essentially the case with the "readability" of mathematics.

~~~
SixSigma
> Programming is much less fun, and harder to follow, without syntax
> highlighting.

That's your opinion.

~~~
spc476
Then there's Color Forth, where color is used as syntax
([http://www.colorforth.com/cf.htm](http://www.colorforth.com/cf.htm)).

------
avodonosov
Leslie Lamport has been on this "how to write a proof" subject for a long
time, at least since 1995: [http://research.microsoft.com/en-
us/um/people/lamport/pubs/p...](http://research.microsoft.com/en-
us/um/people/lamport/pubs/pubs.html#lamport-how-to-write)

------
westoncb
Since there seems to be some confusion: the article is not about prose vs.
symbolic notation in proofs, or even degree of rigor in proofs; it introduces
a potential way of evolving our presentation of proofs, so that their parts
are hierarchically arranged. This better facilitates reading at variable
levels of detail, promotes reuse of parts, and provides useful hints guiding
comprehension generally.

------
thejaredhooper
This could have been more precise. The example at the start was great, but
there's no example of the lecturer's technique outside of the link to the
actual lecture.

~~~
NSMeta
There's a link to his paper:

[http://research.microsoft.com/en-
us/um/people/lamport/pubs/p...](http://research.microsoft.com/en-
us/um/people/lamport/pubs/proof.pdf)

~~~
qznc
After reading that, I think structured proofs should be written with an
outliner [0] interface, where you can actually expand and collapse the
hierarchy. Lamport also knows this. He repeatedly mentions it as "hypertext".
However, he seems to be locked into LaTeX [1] and pdf generation.

[0]
[https://en.wikipedia.org/wiki/Outliner](https://en.wikipedia.org/wiki/Outliner)

[1] Not really surprising. Lamport invented LaTeX.

------
madsravn
I just finished a course on Coq - it was pretty fun. Seems similar to what
the guy's paper is about.

~~~
ipsum2
The article has nothing to do with Coq:

> When I saw the title of the talk, I assumed Lamport would be talking about
> computer proof checking programs or even a proof creating program like the
> one Timothy Gowers has worked on and written about. But Lamport’s advice was
> much more down-to-earth.

~~~
madsravn
I'm referring to the guy's paper, which is linked here in the comments
somewhere. It mentions TLA+, which is a tool to formally prove things. The
same can be done in Coq - which is why I'm drawing a parallel.

~~~
tel
While that parallel is genuine, it's hard to compare Coq and TLA+ since the
mechanism and style of proof they embody is very different. TLA+ tries to
ensure that you can exhaustively check implied models as its basis of proof (I
believe) while Coq recognizes that types syntactically represent logics and we
can thus construct programs in those logics to represent proofs.

So, one layer deeper they're dramatically different beasts.

~~~
grogers
The TLA+ tools can do exhaustive model checking, as well as mechanically
checked proofs. The proofs typically use an SMT solver to verify them. Of the
two I've only used model checking in a serious way, but you can find Lamport's
proofs of things like paxos and have it turn all the theorems green.

~~~
tel
SMT is still a pretty far cry from type theoretic proof. At the end of the day
it's just another kind of exhaustiveness checker.

------
Tloewald
Basically, do it the way Spivak does. Funny thing is in freshman year we were
taught to do just that, but then abandoned the formality pretty much
immediately after.

~~~
taeric
My understanding from the linked paper in another thread, is not to do it the
way Spivak does. That is, the article says Lamport "walked us through a proof
of a corollary to the mean value theorem from that textbook, pointing out
statements that he felt were not precise or rigorous enough and rewriting the
proof using his technique."

My reading of that is that Lamport found faults in Spivak's approach. Did I
misread that?

I will say that this really looks like a way to write proofs for computers to
read, moreso than a way to write them for other people. Probably has great
value, but not too surprising that it isn't widespread.

~~~
TylerJay
No, you didn't misread it. You can see the example for yourself in the paper.
It's Section 2 here:

[http://research.microsoft.com/en-
us/um/people/lamport/pubs/p...](http://research.microsoft.com/en-
us/um/people/lamport/pubs/proof.pdf)

------
kazinator
> _He says that once you have a hierarchical proof, you can use pieces of it
> in new proofs very easily. For example, if you want to change one assumption
> slightly or focus on solutions that have different properties, you will be
> able to tell very easily which parts of the proof can stay the same and
> which parts will need to change._

If only that were true of a piece of LaTeX moved from one place to another,
haha!

~~~
eridius
If you move a piece of LaTeX from your prose to another proof, there's nothing
at all there to help you ensure you get it right. I think the point here is
this hierarchical system allows you to very easily discover what parts of the
proof depend on what other parts, so if you make a change to one part, you can
"invalidate" everything that depended on it easily. With prose, you have no
assistance in figuring out what pieces of the proof need to be updated for any
given change.

------
seanstickle
This is how I learned proofs:

[http://i.imgur.com/omXqvos.png](http://i.imgur.com/omXqvos.png)

Well, technically I learned proofs from Euclid first. But this book followed
close behind.

Clear and comprehensible (once you learn the basic symbols). Very much
structured. There's hardly any prose in the whole two volumes.

~~~
Enzolangellotti
Care to share the title?

~~~
seanstickle
Principia Mathematica

[http://en.wikipedia.org/wiki/Principia_Mathematica](http://en.wikipedia.org/wiki/Principia_Mathematica)

~~~
Enzolangellotti
Ah, Russell. I've always been put off by people complaining about his somewhat
pedantic approach. I guess I'll give it a try. Thank you.

------
tr352
"His method, which you can read about in more detail on his website (pdf), is
a hierarchical structure that doesn’t seem entirely dissimilar from the two-
column proofs that most of us learned in middle school or high school geometry
class, although he points out that it can handle complex problems that would
be unwieldy in that two-column format. Each line is numbered, and each
assertion is justified with numbers referring to previous lines and
assertions."

This is just too obvious. Every proof has this structure, though sometimes
this structure is left implicit (which may or may not be a good thing).

------
kriro
I think the "you should try it either way since it may clarify your thought
process or reveal problems" is important. It's often good to check your
discoveries with different methods.

Off topic, but in a similar vein: in a completely different field I dabble in
reconstructing existing theories in structuralism. There's some very valid
criticism of the method and yet it still unearths issues with theories every
now and then.

[http://en.wikipedia.org/wiki/Structuralism_%28philosophy_of_...](http://en.wikipedia.org/wiki/Structuralism_%28philosophy_of_science%29)

------
mraison
As noted in some comments, writing a non-trivial proof by hand with TLA+
seems possible only if there exists a good repository of non-trivial
propositions that one can start from.

Does anyone know of interesting initiatives out there to build an open
repository of mathematical proofs?

~~~
uiberto
Something like this?

[http://us.metamath.org/mpegif/mmset.html](http://us.metamath.org/mpegif/mmset.html)

~~~
mraison
Great link, thanks!

------
tormeh
The problem isn't notation in itself; it's rarely used, non-self-explanatory
notation that's the problem. You can achieve the same effect with words by
inventing your own words and demanding that everyone learn them to understand
you.

~~~
AnimalMuppet
Which is just about the same as using a notation and demanding that everyone
use the notation to understand you - except that a large number of people
already know the notation.

~~~
gnaritas
No, words are better than notation, they're self descriptive; there's a reason
we communicate with words instead of pictographs; words are more flexible and
easier to create abstractions with than symbols.

~~~
sukilot
Words are less precise, so they can be used to approximate ideas we don't
clearly understand.

~~~
gnaritas
Words can be either less or more precise, that's their power.

------
ape4
If this takes off Lamport's paper is going to get more citations than any
other paper.

------
nevergetenglish
As any mathematician knows, the difficult part is not writing the proof but
finding it.

------
driven
OK, try writing graph theory proofs algebraically.

------
enupten
To be fair, Leslie Lamport is also a Mathematician (his PhD was in Math).

~~~
avmich
And "computer science is one of the hardest branches of applied mathematics"
(who's the author? Did Dijkstra say something like that?), so Lamport is in
his own field.

~~~
j2kun
I think it's about time theoretical computer science was considered a branch
of pure mathematics. All we do in this field is prove theorems.

