Guaranteed Proofs Using Interval Arithmetic - LRI

Introduction Intervals Improvements ConclusionGuaranteed Proofs Using Interval ArithmeticMarc Daumas, Guillaume Melquiond, César MuñozArénaire, LIP, ENS LyonNational Institute of AerospaceJune 28th 2005Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements ConclusionProving mathematical inequalities◮ A plane flying at 250 knots and with a bank angle of 35 ◦ hasa turn rate of at least 3 ◦ each second:3π180 ≤ g ( ) 35πv tan ,180where g = 9.8m/s 2 and v = 250 5141000 m/s.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements ConclusionProving mathematical inequalities◮ A plane flying at 250 knots and with a bank angle of 35 ◦ hasa turn rate of at least 3 ◦ each second:3π180 ≤ g ( ) 35πv tan ,180where g = 9.8m/s 2 and v = 250 5141000 m/s.◮ This inequality is trivially true:3π180 ≈ 0.052 and gv tan(35π 180 ) ≈ 0.053.But how to prove it formally yet simply?Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements ConclusionProving mathematical inequalities◮ Let π and π be two rational approximations of π such thatπ ≤ π ≤ π. Since tan is monotonous on [0, π 2[, the inequalityis implied by 3π180 ≤ g 35πvtan(180 ).◮ Let tan be a closed rational function Q → Q such thattan(x) ≤ tan(x). The inequality is then implied by35πtan(180 ).3π180 ≤ g vMarc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements ConclusionProving mathematical inequalities◮ Let π and π be two rational approximations of π such thatπ ≤ π ≤ π. Since tan is monotonous on [0, π 2[, the inequalityis implied by 3π180 ≤ g 35πvtan(180 ).◮ Let tan be a closed rational function Q → Q such thattan(x) ≤ tan(x). The inequality is then implied by35πtan(180 ).3π180 ≤ g v◮ Both members of this new inequality can be computed exactlythrough rational arithmetic and then compared. It can bedone formally and automatically.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

PlanIntroduction Intervals Improvements ConclusionIntroductionInterval arithmetic and proofsRational interval arithmeticContainment property and proofsElementary functionsNumerical proofs in PVSImproving numerical proofsIntervals and decorrelationImprovements to avoid decorrelationExample: bounding a truncation errorConclusionMarc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSRational interval arithmetic◮ Let x, x be in Q,x = [x, x] = {x | x ≤ x ≤ x}.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSRational interval arithmetic◮ Let x, x be in Q,x = [x, x] = {x | x ≤ x ≤ x}.◮ Arithmetic operators:◮ x + y = [x + y, x + y],◮ x − y = [x − y, x − y],◮ x × y = [min{xy, xy, xy, xy}, max{xy, xy, xy, xy}],◮ x ÷ y = x × [ 1 y , 1 y], if yy > 0.◮ Furthermore, −x, |x|, x n , ...Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSContainment property and proofs◮ If x ∈ x and y ∈ y then◮ x ⋄ y ∈ x ⋄ y, where ⋄ ∈ {+, −, ×, ÷},◮ −x ∈ −x,◮ |x| ∈ |x|,◮ x n ∈ x n .Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSContainment property and proofs◮ If x ∈ x and y ∈ y then◮ x ⋄ y ∈ x ⋄ y, where ⋄ ∈ {+, −, ×, ÷},◮ −x ∈ −x,◮ |x| ∈ |x|,◮ x n ∈ x n .◮ Let e be a real expression on variables x 1 , . . . , x m , and letx 1 , . . . , x m be interval values such that x i ∈ x i , for 1 ≤ i ≤ m,thene(x 1 , . . . , x m ) ∈ e(x 1 , . . . , x m ),where e is the interval expression corresponding to e.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSContainment property and proofs◮ If x ∈ x and y ∈ y then◮ x ⋄ y ∈ x ⋄ y, where ⋄ ∈ {+, −, ×, ÷},◮ −x ∈ −x,◮ |x| ∈ |x|,◮ x n ∈ x n .◮ Let e be a real expression on variables x 1 , . . . , x m , and letx 1 , . . . , x m be interval values such that x i ∈ x i , for 1 ≤ i ≤ m,thene(x 1 , . . . , x m ) ∈ e(x 1 , . . . , x m ),where e is the interval expression corresponding to e.Thanks to the containment property, intervals can be used asproofs of inequalities. Because the bounds are exact rationalnumbers, a proof assistant easily computes them and it canautomatically generate the related proofs.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSBounding algebraic and transcendental functionsSpecial functions are bounded by parametric functionsQ × N → Q.◮ Sine:◮ sin(x, n) = ∑ 2n2i−1xi=1(−1)i−1(2i−1)!◮ sin(x, n) = ∑ 2n+12i−1xi=1(−1)i−1(2i−1)!◮ Square root:◮ sqrt(x, 0) = x + 1◮ sqrt(x, n + 1) = 1 2 (y + x y), where y = sqrt(x, n)◮ sqrt(x, n) =xsqrt(x,n)◮ Furthermore, cos, atan, exp, log, ...Once again, proof generation amounts to doing exactcomputations on rational numbers.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSProofs by approximation◮ The National Institute of Aerospace and NASA Langley intendto prove the safety of algorithms for airplane collisionavoidance. They do not use numerical tools to this end.◮ What is wrong with numerical tools?Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSProofs by approximation◮ The National Institute of Aerospace and NASA Langley intendto prove the safety of algorithms for airplane collisionavoidance. They do not use numerical tools to this end.◮ What is wrong with numerical tools?Nothing. But they do not provide enough formal guaranteeswhen verifying safety critical systems:> 3 * Pi / 180 evalf(%); evalb(%);( )1760 π ≤ 0.07626459144 tan 36 π0.05235987758 ≤ 0.05340104182true(Maple 9.5)Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSNumerical proofs in PVSInstead of numerical tools, NIA and NASA use PVS, a proofassistant. http://pvs.csl.sri.com/Proofs are constructed by applying strategies to transform thehypotheses and goals of theorems until they match each other. Forproofs by approximation, the assistant will formally guarantee thecorrectness of the computations.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Rational intervals Proofs Elementary functions PVSNumerical proofs in PVSInstead of numerical tools, NIA and NASA use PVS, a proofassistant. http://pvs.csl.sri.com/Proofs are constructed by applying strategies to transform thehypotheses and goals of theorems until they match each other. Forproofs by approximation, the assistant will formally guarantee thecorrectness of the computations.Our strategy numerical does a proof by approximation: it appliesinterval arithmetic theorems to certify an inequality. The proofassistant will formally guarantee the correctness of thecomputations.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

16The NATO General, Sir Adrian Bradshaw, has warned that NATO mustmaintain a cohesive system of deterrence on its eastern borders, somethingthat would require help from the European Union, and has stressed thatNATO is pushing ahead with plans for a very high readiness joint taskforce,“in order to convince Russia, or any other state adversary, that any attack onone NATO member will inevitably lead them into a conflict with the wholealliance.” 21Thus, speaking geopolitically, the current buffer zone of the Euro -pean Union — the Eastern partnership countries — is rapidly eroding. Theborders of these countries, earlier showing a clear division of sovereignty,are now becoming frontiers which indicate anything but “a pre-modernworld of vaguer, more informal, overlapping divisions.” 22 Therefore, theexternal border of the European Union is de facto without the buffer zone,and Central Europe, together with the Baltic States, is face to face withRussia. Is Central Europe the next in line to become the crush zone, thusfulfilling the predictions of Mackinder? It depends upon whether the Westwill try to overreach by penetrating this region geostrategically. The geo -politics of Europe could shift. Less dependence on Russia would allow thevision of a truly independent, culturally vibrant Central and Eastern Europeto fully prosper. 23 But those who do not know history are doomed to repeat it.21Russian expansionism may pose existential threat, says Nato general. 20.02.2015. http://www.theguardian.com/world/2015/feb/20/russia-existential-threat-british-nato-general (Homepage of The Guardian; visited 21.02.2015.).22Kaplan R. D. The Revenge of Geography. What the Map Tells Us About Coming Conflicts andthe Battle Against Fate. NY: Random House Trade Paperbacks, 2012, pp. 352–353,23Ibid, p. 350.

Introduction Intervals Improvements Conclusion Decorrelation Improvements ExampleIntervals and decorrelation◮ Let x be [0, 1],However,x × (1 − x) = [0, 1].∀x ∈ x : x · (1 − x) ∈ [0, 1 4 ].◮ The multiple occurrences of an interval are not correlated,hence an overestimation of the final result.◮ In particular, if x is not a singleton,◮ x − x ≠ 0,◮ x ÷ x ≠ 1.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Decorrelation Improvements ExampleSplitting and Taylor’s seriesTwo additional theorems are used to avoid decorrelation.◮ Interval splitting: let x = ⋃ 1≤i≤n x i,∀ 1 ≤ i ≤ n : x ∈ x i ⊢ e(x) ∈ yx ∈ x ⊢ e(x) ∈ y◮ Taylor’s series expansion: if f is n-times differentiable over x,∀ 1 ≤ i ≤ n : a ∈ x ⊢ di fdx i (a) ∈ y i∀t : t ∈ x ⊢ dn fdx n (t) ∈ y nx ∈ x ⊢ f (x) ∈ Σ n i=0 (y k × (x − a) i )/i!Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Decorrelation Improvements ExampleExample: bounding a truncation error◮ An algorithm relying on the function r(φ) uses a polynomialapproximation ˆr(φ) on [0, φ m ] with φ m = 715512ar(φ) =1 + (1 − f ) 2 tan 2 φˆr(φ) = 4439091 ( 9023647+ t ×44with t = φ 2 m − φ 2)+ t × . . .◮ In order for the algorithm to be certified, the relative errore(φ)r(φ) = r(φ)−ˆr(φ)r(φ)has to be bounded by 1.36 × 10 −7 for any φ.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements Conclusion Decorrelation Improvements ExampleExample: bounding a truncation error◮ Sufficient parameters for the proof are:◮ tan approximated to the 4th term, sqrt to the 7th,◮ Taylor’s series for e(φ) expanded to the first order,◮ [0, φm ] split into 9935 intervals.◮ The final property of the PVS development reads:PHI : Interval = [|0,715/512|]RI : THEOREM∀ (phi:real) :phi ## PHI IMPLIESe(phi) / r(phi) ## [|-136/1000000000,136/1000000000|]Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements ConclusionConclusion◮ Interval arithmetic can be used as a formal foundation forproofs by approximation. Our implementation as a PVSlibrary provides a high level of confidence.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements ConclusionConclusion◮ Interval arithmetic can be used as a formal foundation forproofs by approximation. Our implementation as a PVSlibrary provides a high level of confidence.◮ All the PVS strategies are automated. So formally proving anumerical property requires minimal interaction with the proofassistant.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements ConclusionConclusion◮ Interval arithmetic can be used as a formal foundation forproofs by approximation. Our implementation as a PVSlibrary provides a high level of confidence.◮ All the PVS strategies are automated. So formally proving anumerical property requires minimal interaction with the proofassistant.◮ Interval splitting and Taylor’s expansions are not as efficientas Sturm’s chains or quantifier elimination, but they apply toa lot more than just polynomials.Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic

Introduction Intervals Improvements ConclusionQuestions?◮ E-mail addresses:◮ marc.daumas@ens-lyon.fr◮ guillaume.melquiond@ens-lyon.fr◮ munoz@nianet.org◮ PVS library available athttp://research.nianet.org/~munoz/Interval/Marc Daumas, Guillaume Melquiond, César MuñozGuaranteed Proofs Using Interval Arithmetic