So, the real questions: Howdo proof assistants work? Why do proof assistants work?
Luckily, the internet is full of people who are ready to explain these answers. Unfortunately, almost all of them are not qualified to answer these questions. After much searching, I foundsomeone who was qualified to teach me, and he, H. Geuvers, even wrote apaperon it.
For mostproof assistants, the user inputs what’s called a proof script, which is a list of instructions to guide the proof assistant to accepting the theorem. Then, the proof assistant useslogic rules and reasoning to ensure that the directions the user inputs arelogically correct and justified. Together, the user is guiding the search for the proof and the proof assistant is verifying the proof as it progresses, while recording all the formal proof details.
proof script on the left, proof state on right (Wikipedia)
Exactly how the proof assistant is working with its system of logic and the uservaries. Section 2 of the Geuvers’paperdetailsthe specific features of different systems.
There are several aspects of a well-designed proof assistant, which help elucidate why proof assistants are reliable. In particular, there are four mechanisms formulated by Geuvers which ensure thetrustworthiness of a proof assistant. Most systems don’t incorporate all four of these, but some combination of a couple.
A small kernel : Proof assistantscontain a kernel, which is a set of code thatexecutes the proof. The kernel contains a set of rules from which all proof rules are defined. If the kernel is logically correct, then all steps made in the proof by the proof assistant are logically correct. So, trusting the proofboils down to trusting the kernel’s correctness.Mistakes are theoreticallypossible in the construction of a kernel, just as they are possible in the construction of any proof. Therefore, small kernels are desirable so they’re easy to check manually. No unnecessary assumed knowledge : A proof assistant needs systems of logic and math to be specified so it knows which assumptions, definitions, and inference rulesto use in the proof.Proof assistants which allow the user to specifya description of logic and math to be used in the proof give the user greater control over what the proof assistant uses (assumptions, definitions, and inference rules) in the proof. This also prevents the user from conflictingwith the proof assistant. A capability of being checked by a proof verifier : Manyproof assistants can be checked for correctness by a proof verifier . A proof verifiermechanically checks the proof for logical correctness. It differs from a proof assistant because it doesn’t try to develop any new proofs or take any input from the user; it just checks the logic. After having specified the logic and math used in the proof assistant, the proof verifier checksthat the proof assistant can prove a theorem exactly when that proof is logically sound. This can be accomplished in a couple different ways, but one particular method is expanded upon in the next point. Satisfying the De Bruijn criterion :For the seriously motivated individual, some proof assistants create an independently checkable proof “object” while it’s proving the theorem. A system which doesthis is saidto be achieving the De Bruijn criterion. Thus, someone can write their own proof verifier, then check the proof object with that verifier.Also notable,proof assistants get a lot of attention from some pretty smart people. For instance, theCoq system is the product of over 30 years of research with at least 50 contributors. Mistakes are quite likely to get caught in this context. Of course, it’s possible they slip through the cracks, but hey classic mathematical proofsdon’t have a clean rap sheet either.
ReconciliationPaul Erds explained his views on Appel and Haken’s proof of the four color theorem as: