# Correctness proofs. James Aspnes. January 9, 2003

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Correctness proofs James Aspnes January 9, 2003 A correctness proof is a formal mathematical argument that an algorithm meets its specification, which means that it always produces the correct output for any permitted input. Detailed correctness proofs of even moderately complex algorithms can be surprisingly long, so algorithms researchers (and writers of textbooks like [CLRS01]) often write informal arguments giving only an outline of the full proof. The relationship between the informal argument and the underlying proof is analogous to the relationship between an informal definition of an algorithm and a program that implements it: the informal argument is only justified by being backed by an implicit formal proof that is sadly too long, unenlightening, or tiresome to present. So it is important to understand what a detailed formal correctness proof looks like, because otherwise you won t know what somebody (possibly including you!) is really saying with an informal correctness argument. 1 Invariants, preconditions, and postconditions When viewed from a high enough level of abstraction, most correctness proofs look something like this: define a predicate P that is true for correct states of the algorithm. Then prove: 1. P holds in the initial state. 2. P holds after step k if it holds before step k. 3. If P holds when the algorithm terminates, then the output of the algorithm is correct. Such a predicate P is called an invariant of the algorithm. It is called an invariant for the simple reason that it is always true; this follows by induction from the first two statements above. It is a useful invariant because of the third statement. 1

2 Many algorithms are big, and most programs even bigger, so finding a single invariant that applies to an entire program usually makes about as much sense as trying to write the entire program in one line of code. We can break up the problem of proving a program or algorithm correct by approaching it one statement at a time. One technique for doing this is known as Hoare logic [Hoa69], a simplified version of which is described below. 2 Hoare logic for straight-line programs The essential idea of Hoare logic is that we attach to each statement of a program a precondition (something that we demand is true before the statement executes) and a postcondition (something that will then be true after the statement executes). A precondition, statement, and postcondition together form a Hoare triple. Preconditions and postconditions are typically written inside curly braces to distinguish them from program code (Hoare logic predates the C programming language). 1 For example, here is a simple Hoare triple: { x is even } x := x+1 { x is odd } To show that the postcondition follows from the precondition, write x for the old value of x and x for the new value, and observe that x = 0 (mod 2) implies x = x + 1 = 1 (mod 2). This Hoare triple only makes sense in a larger context. There are many programs in which a variable is incremented, but most of the time we don t guarantee that the variable is even beforehand and don t care if the variable is odd afterwards. But suppose that we have some earlier statement whose postcondition guarantees that x is in fact even: { x is an integer } x := 2*x 1 Technical note: Hoare put the program statement in braces instead of the assertion, like this: x = 0{x := x + 1}x = 1. Some writers use this form for partially correct triples, where the postcondition holds only if the statement terminates, reserving the notation {x = 0} x := x + 1 {x = 1} for totally correct triples, where the statement is guaranteed to terminate (see Section 6 for more on this distinction). We will be doing partial correctness, but we are still going to put the assertions in the braces braces because it makes it easier to annotate normal-looking program code. 2

3 { x is even } Now we can string these statements together to produce a program for generating odd numbers: { P: x is an integer } x := 2*x { Q: x is even } x := x+1 { R: x is odd } Here we have labelled the conditions P, Q, and R. Since P implies Q and Q implies R, we have that R holds at the end of the program provided P holds at the beginning. We could thus abstract out the actual program statements and produce yet another Hoare triple: { x is an integer } run the above program { x is odd } People who do this for a living have a formal way of writing rules like the one we just used, which looks like this: {P } S 1 {Q} {Q} S 2 {R}. {P } S 1 ; S 2 {R} This is a fancy way of say that if we have already proven that {P } S 1 {Q} and {Q} S 2 {R} (the stuff on top) are Hoare triples, then we can assert that {P } S 1 ; S 2 {R} (the stuff on the bottom) is also a Hoare triple, where the semicolon denotes sequential execution. Rules like this, which define what new propositions can be deduced from old ones, are called axioms. This particular axiom is called the composition axiom. Here are some other basic axioms of Hoare logic, expressed formally: The pre-strengthening axiom, 2 which says that making the precondition stronger doesn t change the truth of a Hoare triple: {Q} S {R} P Q. {P } S {R} 2 This axiom and the closely related post-weakening axiom were called rules of consequence in Hoare s original paper. 3

4 Real-world example: from {studied 1 hour} take test {test-grade=a+}, we can use pre-strengthening to derive {studied 1 month} take test {test-grade=a+}. Pre-strengthening is mostly used to sneak in extra facts that don t appear explicitly in our original precondition, since it s a standard theorem in logic that whenever Q is true, P P Q is also true. The post-weakening axiom, which says that making the postcondition weaker is also allowed: Real-world example: starting with {P } S {Q} Q R. {P } S {R} {studied 1 month} take test {test-grade=a+ other-grades=f}. we get {studied 1 month} take test {other-grades=f}. Post-weakening is typically used for getting rid of bits of a postcondition we don t care about. Important caveat: The direction of the implications is important. Preweakening and post-strengthening do not produce valid proofs. The assignment axiom: {P [x/t]} x := t {P }. In other words, if a predicate P is true with x replaced by t before the assignment, it is true without the replacement afterwards. Here P [x/t] is just a concise way of writing P with x replaced by t. Examples: {0 = 0} x := 0 {x = 0}. {x + 5 < 12} x := x + 5 {x < 12}. In this second example we might want to apply pre-strengthening to rewrite x + 5 < 12 as the more natural x < 7. 4

5 Finally, the baggage lemma: {P 1 } S {Q 1 } {P 2 } S {Q 2 }. {P P 2 } S {Q 1 Q 2 } The baggage lemma is used to carry along extra baggage that you will need later. It is a lemma rather than an axiom because it follows from the other axioms. 3 For example, suppose you can prove that some very complicated statement S sets x to the square root of z (written formally, {} S {x = z}), but you also need to know that after the statement executes, some variable y that is not assigned to in S is unchanged from its previous value (0, say). Use the assignment, if/then/else, iteration, and composition axioms as needed to prove {y = 0} S {y = 0}, and then use baggage to get {y = 0} S {y = 0 x = z}. Most of the time these axioms will not be applied explicitly, but it is the responsibility of the prover to make sure that anything they do claim can be justified using them. 3 Strategy for proving correctness Using Hoare logic, our general strategy for proving correctness has three steps: 1. Write down the algorithm. 2. Annotate the algorithm by putting the precondition for the algorithm at the top, the postcondition at the bottom, and an assertion in between each pair of statements. 3. Prove for each statement that its postcondition follows from its precondition, using the axioms of Hoare logic and any other theorems we need to drag in from mathematics in general (via prestrengthing and post-weakening). Since the axioms of Hoare logic are pretty simple, the last step is usually tricky only if we chose the wrong preconditions in the middle. Here the axioms of Hoare logic can help us. For example, suppose we want to show {P } x := x + 1 {x mod 2 = 1}, 3 The baggage lemma also did not appear in Hoare s original paper, but it is too useful to leave out. 5

6 but we don t know what to put in for P. Here we can apply the assignment axiom backwards to find the weakest precondition that makes this a Hoare triple: {(x + 1) mod 2 = 1} x := x + 1 {x mod 2 = 1}, which is implied by {x mod 2 = 0} x := x + 1 {x mod 2 = 1}, using pre-strengthening and the fact that (x + 1) mod 2 = 1 is equivalent to x mod 2 = 0, which we can show by adding 1 to both sides. Using weakest preconditions is sometimes a good way to find bugs in algorithms. If you work out that you can only have the algorithm be correct if its input is even, but it s supposed to work for all inputs, then you either need to strengthen your algorithm s precondition (in this case, change the problem so you throw up your hands in despair given an odd input), or fix your algorithm. 4 Proofs for if/then/else statements Special axioms apply for compound statements. Suppose we want to show that the following is a Hoare triple, where P and Q are arbitrary predicates and B is some test: { P } if B then 1 do something else 2 do something else { Q } Here we need to fill in preconditions an postconditions for Lines 1 and 2. The result will look something like this: { P } if B then { P and B } 1 do something { Q } else 6

7 { P and not B } 2 do something else { Q } { Q } And now we just need to prove that Line 1 makes Q true provided P B is true and that Line 2 makes Q true provided P B is true. For example: { x = a } if x < 0 then { x = a and x < 0 (which implies a < 0) } x := -x { x = -a = a } else { x = a and x >= 0 (which implies a >= 0) } do nothing { x = a = a } { x = a } The formal axiom we are using (in addition to a couple of implicit applications of pre-strengthening and post-weakening), is the if/then/else axiom: 5 Proofs for loops {P B} S 1 {Q} {P B} S 2 {Q} {P } if B then S 1 else S 2 {Q}. Now consider the problem of proving correctness for a while loop: { P } while B do body { Q } How do we prove that Q holds at the end of the loop when P holds at the beginning? It is tempting to insist that the body must make Q true, but maybe it takes many passes through the body before Q is true. The solution is to use an invariant R that holds at the beginning and end of each pass through the body, and which implies Q when the loop terminates. 7

8 Here is a simple example of a program that zeroes out an array of n elements, together with the precondition and postcondition we would like to use for it. { A is an array with indices 0..n-1 } i := n while i <> 0 do i := i - 1 A[i] := 0 { A[0]..A[n-1] are all equal to zero } How do we prove the postcondition given the precondition? We need an invariant R that is (1) true at the start of the loop (i.e., it follows from the initial precondition); (2) true after each pass through the body of the loop if it is true at the beginning (i.e., it is both a precondition and postcondition of the body); and (3) implies the postcondition for the program. Here is an attempt at R: we ll insist that A[j] = 0 for all indicies j i. This invariant holds initially because there are no indices j i. If it holds at the end of the loop, then the postcondition is true because i is now 0 (otherwise the loop would not terminate). To show that it is preserved by the body, we annotate the program with additional preconditions and postconditions: { A is an array with indices 0..n-1 } i := n 1 while i <> 0 do { A[j] = 0 for all j >= i } 2 i := i - 1 { A[j] = 0 for all j >= i+1 } 3 A[i] := 0 { A[j] = 0 for all j >= i } { A[0]..A[n-1] are all equal to zero } And now we just have to prove for each line in the body that its precondition implies its postcondition. The proof of correctness for Lines 2 and 3 is left as an exercise to the reader (hint: use the assignment axiom and then clean up with pre-strengthening/post-weakening). Something to think about: what happens if we try to prove the correctness of the following version of the program? 8

9 { A is an array with indices 0..n-1 } i := n while i >= 0 do A[i] := 0 i := i - 1 { A[0]..A[n-1] are all equal to zero } The rule for while loops is that if R holds at the beginning of the loop, and R is preserved by the body when the test B is true, then R B holds when the loop terminates. Written formally, we have the iteration axiom: {R B} S {R} {R} while B do S {R B}. Often we won t bother with remembering that B is true in the body of the loop, and will just show that {R} S {R} holds. If this happens, we can put B back in to get the strict form of the iteration axiom by applying pre-strengthening. Of course, we haven t necessarily shown that the loop actually terminates. This leads us to a useful distinction, between total correctness proofs and partial correctness proofs. 6 Total vs partial correctness In addition to proving that an algorithm produces the right output, we will also want to show that it produces this output in a reasonable amount of time, typically bounded by some function of the size of the input. This latter task is a major part of algorithm analysis, and we will be spending a lot of time on it over the rest of the semester. But since we will be showing running time bounds later, we can often save time in our correctness proof by proving only partial correctness, which says that the algorithm produces the correct answer whenever it terminates, but allows for the possibility that the algorithm does not terminate at all. We will call an algorithm that produces the right answer provided it terminates partially correct, and call it totally correct if it is partially correct and terminates on all inputs. Partial correctness is most useful for algorithms involving while loops, because we can assume that a loop s termination condition is true when the loop finishes, even if we don t understand what is happenning inside the loop. For example, here is a partially correct algorithm that computes the value 1 given any positive integer as input: 9

10 procedure Collatz1(x: integer) returns integer: while x <> 1: if x is even: x := x/2 else: x := 3*x+1 return x end procedure Why do we know this is partially correct? Because the loop won t finish until x equals 1. It is widely believed that the loop body will eventually set x to 1 [Lag85], but at the time of this writing few mathematicians expect to see a proof of this conjecture soon. Sometimes partial correctness is not so useful. Here is a universal partially correct algorithm, which we might call the Exam-Taker s Algorithm: procedure ExamTaker: while true: hope for inspiration end procedure Since the algorithm never terminates, it meets the criterion for partial correctness no matter what answer it is supposed to produce. If you have ever found yourself applying this algorithm, you will understand why this is a problem. Generally, we will only worry about proving the partial correctness of an algorithm, because we will be considering its running time as a separate step in the analysis. Provided we can put a finite bound on the running time, total correctness is immediate (because only terminating algorithms take finite time). 7 Proofs for recursive procedures Partial correctness also comes into play in analyzing recursive procedures. Here is a procedure that implements Euclid s algorithm for computing the greatest common divisor (GCD) of two positive integers: procedure Euclid(x, y: integer) returns integer 10

11 if y = 0 then gcd = x else gcd = Euclid(y, x mod y) return gcd end procedure How do we prove that this procedure works? Let s assume as an induction hypothesis that the recursive call works, i.e. that Euclid(y, x mod y) really does compute the gcd of x and x mod y. We can then fill in preconditions throughout: procedure Euclid(x, y: integer) returns integer { } 1 if y = 0 then { y = 0 } 2 gcd := x { gcd = gcd(x, y) } else { y <> 0 } 3 gcd := Euclid(y, x mod y) { gcd = gcd(x, y) } { gcd = gcd(x, y) } return gcd end procedure { return value = gcd(x, y) } Now to prove partial correctness, we just walk through the lines of the program one at a time and show that each each forms a valid Hoare triple with its precondition and postcondition. For Line 1, apply the if/then/else axiom to the triples for lines 2 and 3. For Line 2, use the assignment axiom to show {y = 0 x = x} Line 2 {gcd = x y = 0}, and then use post-weakening with gcd = x y = 0 gcd = gcd(x, y) to simplify the postcondition (since gcd(x, y) = gcd(x, 0) = x), and 11

12 pre-strengthening to get rid of the extraneous x = x in the precondition (since y = 0 y = 0 x = x). For Line 3, we have to do a little number theory. We want to show that when y 0, gcd(x, y) = gcd(y, x mod y). Observe that if k divides both x and y, then y = km for some m, x = kn for some n, and there is an integer a such that x mod y = x ay = kn kam = k(n am), implying k divides both y and (x mod y). On the other hand, if k divides both y and (x mod y), then x = ay + (x mod y) = kam + kb = k(am + b) and k divides x. So the common divisors of x and y are equal to the common divisors of y and (x mod y), and in particular the greatest common divisors of the two pairs are the same. So Euclid(y, x mod y) = gcd(y, x mod y) = gcd(x, y) is true given our induction hypothesis. Now let s do some Hoare logic. Start with this result of the assignment axiom plus post-weakening (to get rid of the extra y = 0 term): {y 0 Euclid(y, x mod y) = gcd(x, y)} Line 3 {gcd = gcd(x, y)}. Our exercise in number theory showed that P Q, where P is y = 0 and Q is Euclid(y, x mod y) = gcd(x, y). A standard tautology says that in this case P P Q, and so we can drop Q from the precondition using pre-strengthening: which is what we set out to prove. {y 0} Line 3 {gcd = gcd(x, y)}, We have now completed the proof of partial correctness for the Euclid algorithm. Note that we still haven t shown that the algorithm terminates. Indeed, if we reverse the order of y and x mod y in the arguments to the recursive call, the algorithm will still be partially correct (by the same argument), but it will no longer be totally correct. Proving termination will be left for later, when we look at this algorithm s runtime. 8 A practical example Let s put together what we ve learned. Suppose we want to prove the correctness of the following binary search procedure: 12

13 { A[i] < A[j] when i < j; A[i] = t for some 0 <= i < n } 1 l := 0 2 h := n-1 3 while l < h do 4 m = (l + h) / 2 # C-style integer division 5 if A[m] < t then 6 l = m + 1 else 7 h = m { A[h] = t } Working backwards, we see that we need an invariant R for the while loop that implies A[h] = t when l = h. How do we get this invariant? Well, our intuition for binary search is that we are keeping trace of a lower bound l and an upper bound h on the position of t. So we d like to say something like A[l] t A[h]. Let s try plugging this in: { A[i] < A[j] when i < j; A[i] = t for some 0 <= i < n } 1 l := 0 2 h := n-1 { A[l] <= t <= A[h] } 3 while l < h do { A[l] <= t <= A[h] } 4 m = (l + h) / 2 # C-style integer division 5 if A[m] < t then 6 l = m + 1 else 7 h = m { A[l] <= t <= A[h] } { A[h] = t } Now we ll use the if/then/else axiom and the assignment axiom to fill in some preconditions. { A[i] < A[j] when i < j; A[i] = t for some 0 <= i < n } 1 l := 0 13

14 2 h := n-1 { A[l] <= t <= A[h] } 3 while l < h do { A[l] <= t <= A[h] } 4 m = (l + h) / 2 # C-style integer division {??? } 5 if A[m] < t then { A[m] < t; A[m+1] <= t <= A[h] } 6 l = m + 1 { A[l] <= t <= A[h] } else { A[m] < t; A[l] <= t <= A[m] } 7 h = m { A[l] <= t <= A[h] } { A[l] <= t <= A[h] } { A[h] = t } Now we have a big blank space where we need to find a precondition for Line 5 that implies both preconditions for Lines 6 and 7. We know from the precondition on Line 4 that t lies between A[l] and A[h]; so perhaps it is enough to show that m lies between l and h. So let s make the precondition on Line 5 read: { A[l] <= t <= h; l <= m < h } and then use the baggage lemma to carry the precondition at the top throughout: { P: A[i] < A[j] when i < j; A[i] = t for some 0 <= i < n } 1 l := 0 { P; A[l] <= t } 2 h := n-1 { P; A[l] <= t <= A[h] } 3 while l < h do { P; A[l] <= t <= A[h]; l < h } 4 m := (l + h) / 2 # C-style integer division { P; A[l] <= t <= A[h]; l <= m < h } 5 if A[m] < t then { P; A[l] <= t <= A[h]; l <= m < h; A[m] < t } 14

15 6 l := m + 1 { P; A[l] <= t <= A[h] } else { P; A[l] <= t <= A[h]; l <= m < h; A[m] >= t } 7 h := m { P; A[l] <= t <= A[h] } { P; A[l] <= t <= A[h] } { A[h] = t } Here I ve replaced the preconditions we used to have on Lines 6 and 7 with ones that follow from the precondition on Line 5. We ll have to show that these imply the preconditions we really wanted (which means we can use post-strengthening to show that Lines 6 and 7 give Hoare triples). But we ve now finished step 2 of our general proof technique: annotating the program with true propositions in between each statement. What remains is step 3 proving that each statement is the middle of a Hoare triple. Proof for Line 1: Let s start by applying the assignment axiom: {P A[0] t} l := 0 {P A[l] t}. (1) From the precondition we have A[i] = t for some i with 0 i. Since 0 i A[0] A[i] = t, we have P P A[0] A[i]. So now prestrengthening says we can replace the ugly precondition from (1) with the stronger condition {P }. Proof for Line 2: axiom to get Essentially the same as for Line 1. Use the assignment {P A[l] A[t] A[n 1]} h := n 1 {P A[l] A[t] A[h]}, and then apply pre-strengthening as before to get rid of the extra inequality in the precondition. Proof for Line 3: The iteration axiom gives {P A[l] t A[h]} Line 3 {P A[l] t A[h] l h}. But now l h implies A[l] A[h] and we have A[l] t A[h] A[l]. This only works if in fact A[l] = t = A[h]. Now use post-weakening to get rid of everything except A[h] = t. 15

16 Proof for Line 4: The assignment axiom gives us: { P A[l] t A[h] l < h l { m := (l + h)/2 P A[l] t A[h] l < h l l+h 2 } l+h 2 < h }. l+h 2 < h < h+h 2 = h. Now use pre- Observe that l < h implies l l+l 2 strengthening to remove this term from the precondition and post-weakening to remove l < h from the postcondition. Proof for Line 5: Proof for Line 6: Immediate application of the if/then/else axiom. Use the assignment axiom to get: {P A[m + 1] t A[h]} l := m + 1 {P A[l] t A[h]} (2) Now apply pre-strengthening after observing that the precondition to Line 6 implies the precondition in (2): since A[m] < t, there exists i > m for which A[i] = t. But then i m + 1 and so A[m + 1] A[i] = t. Proof for Line 7: This is simpler than the proof of Line 6 because we don t need P. Start with the assignment axiom: {P A[l] t A[m]} h := m {P A[l] t A[h]}, and apply pre-strengthening to add in l m < h and t A[h] and get the full precondition. This completes the proof of partial correctness for the binary search algorithm. As before, we ll defer proving termination to the the running time analysis. 8.1 A note on the invariant We were fortunate that we picked a loop invariant that was (a) true, and (b) strong enough to prove itself. The usual way that proofs like this break down is when the invariant turns out to be false (e.g., consider {A[l] t < A[h]}, or is too weak (we came close to this by not putting l h into the invariant, but in this case P saves us). False invariants sometimes manifest themselves as unproveable postconditions (for example, we can t prove t < A[h] after Line 2 without having t < A[n 1] before, which we don t know to be true), 16

17 but often both false and true invariants break down inside the loop where the precondition on the loop body has to be stronger than the invariant plus the loop test. Whittling an invariant into shape often requires a fair bit of creativity and understanding of the algorithm. If you can t find a good invariant, you may also want to look closely at the algorithm to see if it really works. 8.2 Informal proof of correctness Much of the subconscious education of mathematicians involves learning when one can get away with writing a step of a proof informally, with the understanding that the reader will be able to fill in the details if necessary. The proof we gave above for the binary search algorithm is much more detailed than you would usually see. A more typical proof might look something like this (footnotes are added to show what Hoare logic axioms to appeal to when the reader complains we are cheating): Partial correctness proof: Observe that the precondition P is not affected by any line of the algorithm; so we will assume that it holds throughout. 4 Let the loop invariant consist of P plus the proposition A[l] t A[h]. This invariant clearly holds at the start of the loop since l = 0, h = n 1, and A[0] t A[n 1] from P. 5 To see that it holds at the end of the loop, note that either A[m] < t, in which case t is at position m + 1 or higher and A[l ] = A[m + 1] t, or t A[m], in which case t A[m] = A[h ]. 6 Finally, since h l when the loop exits, we have A[h] A[l] t A[h], where the first inequality follows from P and the remaining inequalities are the invariant, implying A[h] = t as claimed. 7 Here s an even shorter proof: 4 Assignment axiom none of the assignments modify any of the variables in P. 5 Here we omitted the (relatively trivial) proofs for Lines 1 and 2 completely, figuring that the reader remembers how assignment works well enough to believe us. The word clearly in this statement fulfills the same function as the crooked tailors assertion that only intelligent people could see the Emperor s New Clothes it warns the rabble that they will be embarrassed if they complain about leaving the details out and the details turn out to be as trivial as we claim. But beware of using clearly for things that aren t clear, or, even worse, that may be false lest you act out the part of the naked emperor yourself. 6 This is compressing down the proofs of lines 5-7 by appealing to our intuition about where t lives. Note the implicit appeal to the if/then/else axiom where we split into two cases. 7 While axiom. 17

18 Sketch of partial correctness proof: Use A[l] t A[h] as a loop invariant. What style of proof should you write? You should be able to write a detailed Hoare logic proof like the one we did first, where you carefully annotate the program and separately prove that the postcondition on each line follows from its precondition but you generally don t have to unless you are specifically asked to. Most of the correctness proofs you write will look like the medium-compact proof (only without the footnotes). But a confused reader has the right to expect that you could expand your compact proof into a detailed proof if necessary. You will see sketches like the last proof in research papers where the authors were limited for space and had a lot of confidence in their reader s ability to regenerate the entire proof from a single key hint. 8 Some lecturers are also fond of putting up sketchy proof fragments like this and sneaking away. You should probably not use this trick yourself until you ve been publishing successfully for a while. The TA who grades your assignments will most likely not assume that you are just leaving out the boring parts of a proof you understand. References [CLRS01] Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. Introduction to Algorithms. McGraw-Hill, [Hoa69] [Lag85] C. A. R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12: , Jeffrey C. Lagarias. The 3x + 1 problem and its generalizations. American Mathematical Monthly, 92(1):3 23, January Such confidence is not always misplaced the average research paper is only ever read by two people, and both of them are likely to be specialists (one of them is the author). 18

### 2. Methods of Proof Types of Proofs. Suppose we wish to prove an implication p q. Here are some strategies we have available to try.

2. METHODS OF PROOF 69 2. Methods of Proof 2.1. Types of Proofs. Suppose we wish to prove an implication p q. Here are some strategies we have available to try. Trivial Proof: If we know q is true then

### Lecture Notes on Linear Search

Lecture Notes on Linear Search 15-122: Principles of Imperative Computation Frank Pfenning Lecture 5 January 29, 2013 1 Introduction One of the fundamental and recurring problems in computer science is

### Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2 Proofs Intuitively, the concept of proof should already be familiar We all like to assert things, and few of us

### WRITING PROOFS. Christopher Heil Georgia Institute of Technology

WRITING PROOFS Christopher Heil Georgia Institute of Technology A theorem is just a statement of fact A proof of the theorem is a logical explanation of why the theorem is true Many theorems have this

### Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

### 3. Mathematical Induction

3. MATHEMATICAL INDUCTION 83 3. Mathematical Induction 3.1. First Principle of Mathematical Induction. Let P (n) be a predicate with domain of discourse (over) the natural numbers N = {0, 1,,...}. If (1)

### Induction. Margaret M. Fleck. 10 October These notes cover mathematical induction and recursive definition

Induction Margaret M. Fleck 10 October 011 These notes cover mathematical induction and recursive definition 1 Introduction to induction At the start of the term, we saw the following formula for computing

### Style Guide For Writing Mathematical Proofs

Style Guide For Writing Mathematical Proofs Adapted by Lindsey Shorser from materials by Adrian Butscher and Charles Shepherd A solution to a math problem is an argument. Therefore, it should be phrased

### Fractions and Decimals

Fractions and Decimals Tom Davis tomrdavis@earthlink.net http://www.geometer.org/mathcircles December 1, 2005 1 Introduction If you divide 1 by 81, you will find that 1/81 =.012345679012345679... The first

### Euclid s Algorithm for the Greatest Common Divisor Desh Ranjan Department of Computer Science New Mexico State University

Euclid s Algorithm for the Greatest Common Divisor Desh Ranjan Department of Computer Science New Mexico State University 1 Numbers, Division and Euclid People have been using numbers, and operations on

### CHAPTER 3 Numbers and Numeral Systems

CHAPTER 3 Numbers and Numeral Systems Numbers play an important role in almost all areas of mathematics, not least in calculus. Virtually all calculus books contain a thorough description of the natural,

### 8 Divisibility and prime numbers

8 Divisibility and prime numbers 8.1 Divisibility In this short section we extend the concept of a multiple from the natural numbers to the integers. We also summarize several other terms that express

### Homework 5 Solutions

Homework 5 Solutions 4.2: 2: a. 321 = 256 + 64 + 1 = (01000001) 2 b. 1023 = 512 + 256 + 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = (1111111111) 2. Note that this is 1 less than the next power of 2, 1024, which

### (x + a) n = x n + a Z n [x]. Proof. If n is prime then the map

22. A quick primality test Prime numbers are one of the most basic objects in mathematics and one of the most basic questions is to decide which numbers are prime (a clearly related problem is to find

### Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

### WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?

WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT? introduction Many students seem to have trouble with the notion of a mathematical proof. People that come to a course like Math 216, who certainly

### CHAPTER 3. Methods of Proofs. 1. Logical Arguments and Formal Proofs

CHAPTER 3 Methods of Proofs 1. Logical Arguments and Formal Proofs 1.1. Basic Terminology. An axiom is a statement that is given to be true. A rule of inference is a logical rule that is used to deduce

### CLASS 3, GIVEN ON 9/27/2010, FOR MATH 25, FALL 2010

CLASS 3, GIVEN ON 9/27/2010, FOR MATH 25, FALL 2010 1. Greatest common divisor Suppose a, b are two integers. If another integer d satisfies d a, d b, we call d a common divisor of a, b. Notice that as

### a = bq + r where 0 r < b.

Lecture 5: Euclid s algorithm Introduction The fundamental arithmetic operations are addition, subtraction, multiplication and division. But there is a fifth operation which I would argue is just as fundamental

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Introduction to Diophantine Equations

Introduction to Diophantine Equations Tom Davis tomrdavis@earthlink.net http://www.geometer.org/mathcircles September, 2006 Abstract In this article we will only touch on a few tiny parts of the field

### 8 Primes and Modular Arithmetic

8 Primes and Modular Arithmetic 8.1 Primes and Factors Over two millennia ago already, people all over the world were considering the properties of numbers. One of the simplest concepts is prime numbers.

### CS 103X: Discrete Structures Homework Assignment 3 Solutions

CS 103X: Discrete Structures Homework Assignment 3 s Exercise 1 (20 points). On well-ordering and induction: (a) Prove the induction principle from the well-ordering principle. (b) Prove the well-ordering

### So let us begin our quest to find the holy grail of real analysis.

1 Section 5.2 The Complete Ordered Field: Purpose of Section We present an axiomatic description of the real numbers as a complete ordered field. The axioms which describe the arithmetic of the real numbers

### Mathematical Induction

Mathematical Induction (Handout March 8, 01) The Principle of Mathematical Induction provides a means to prove infinitely many statements all at once The principle is logical rather than strictly mathematical,

### A simple algorithm with no simple verication

A simple algorithm with no simple verication Laszlo Csirmaz Central European University Abstract The correctness of a simple sorting algorithm is resented, which algorithm is \evidently wrong" at the rst

### APPLICATIONS OF THE ORDER FUNCTION

APPLICATIONS OF THE ORDER FUNCTION LECTURE NOTES: MATH 432, CSUSM, SPRING 2009. PROF. WAYNE AITKEN In this lecture we will explore several applications of order functions including formulas for GCDs and

### Chapter 11 Number Theory

Chapter 11 Number Theory Number theory is one of the oldest branches of mathematics. For many years people who studied number theory delighted in its pure nature because there were few practical applications

### INCIDENCE-BETWEENNESS GEOMETRY

INCIDENCE-BETWEENNESS GEOMETRY MATH 410, CSUSM. SPRING 2008. PROFESSOR AITKEN This document covers the geometry that can be developed with just the axioms related to incidence and betweenness. The full

### Mathematical Induction

Mathematical Induction In logic, we often want to prove that every member of an infinite set has some feature. E.g., we would like to show: N 1 : is a number 1 : has the feature Φ ( x)(n 1 x! 1 x) How

### 13 Infinite Sets. 13.1 Injections, Surjections, and Bijections. mcs-ftl 2010/9/8 0:40 page 379 #385

mcs-ftl 2010/9/8 0:40 page 379 #385 13 Infinite Sets So you might be wondering how much is there to say about an infinite set other than, well, it has an infinite number of elements. Of course, an infinite

### Chapter 3. Cartesian Products and Relations. 3.1 Cartesian Products

Chapter 3 Cartesian Products and Relations The material in this chapter is the first real encounter with abstraction. Relations are very general thing they are a special type of subset. After introducing

### We now explore a third method of proof: proof by contradiction.

CHAPTER 6 Proof by Contradiction We now explore a third method of proof: proof by contradiction. This method is not limited to proving just conditional statements it can be used to prove any kind of statement

### The Foundations: Logic and Proofs. Chapter 1, Part III: Proofs

The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Rules of Inference Section 1.6 Section Summary Valid Arguments Inference Rules for Propositional Logic Using Rules of Inference to Build Arguments

### Formal Languages and Automata Theory - Regular Expressions and Finite Automata -

Formal Languages and Automata Theory - Regular Expressions and Finite Automata - Samarjit Chakraborty Computer Engineering and Networks Laboratory Swiss Federal Institute of Technology (ETH) Zürich March

### Induction Problems. Tom Davis November 7, 2005

Induction Problems Tom Davis tomrdavis@earthlin.net http://www.geometer.org/mathcircles November 7, 2005 All of the following problems should be proved by mathematical induction. The problems are not necessarily

### Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note 11

CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note Conditional Probability A pharmaceutical company is marketing a new test for a certain medical condition. According

### Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.

Elementary Number Theory and Methods of Proof CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.edu/~cse215 1 Number theory Properties: 2 Properties of integers (whole

### Math 4310 Handout - Quotient Vector Spaces

Math 4310 Handout - Quotient Vector Spaces Dan Collins The textbook defines a subspace of a vector space in Chapter 4, but it avoids ever discussing the notion of a quotient space. This is understandable

### This puzzle is based on the following anecdote concerning a Hungarian sociologist and his observations of circles of friends among children.

0.1 Friend Trends This puzzle is based on the following anecdote concerning a Hungarian sociologist and his observations of circles of friends among children. In the 1950s, a Hungarian sociologist S. Szalai

### Mathematical Induction. Mary Barnes Sue Gordon

Mathematics Learning Centre Mathematical Induction Mary Barnes Sue Gordon c 1987 University of Sydney Contents 1 Mathematical Induction 1 1.1 Why do we need proof by induction?.... 1 1. What is proof by

### Pythagorean Triples. Chapter 2. a 2 + b 2 = c 2

Chapter Pythagorean Triples The Pythagorean Theorem, that beloved formula of all high school geometry students, says that the sum of the squares of the sides of a right triangle equals the square of the

### Mathematics for Computer Science/Software Engineering. Notes for the course MSM1F3 Dr. R. A. Wilson

Mathematics for Computer Science/Software Engineering Notes for the course MSM1F3 Dr. R. A. Wilson October 1996 Chapter 1 Logic Lecture no. 1. We introduce the concept of a proposition, which is a statement

### 5544 = 2 2772 = 2 2 1386 = 2 2 2 693. Now we have to find a divisor of 693. We can try 3, and 693 = 3 231,and we keep dividing by 3 to get: 1

MATH 13150: Freshman Seminar Unit 8 1. Prime numbers 1.1. Primes. A number bigger than 1 is called prime if its only divisors are 1 and itself. For example, 3 is prime because the only numbers dividing

### Intro. to the Divide-and-Conquer Strategy via Merge Sort CMPSC 465 CLRS Sections 2.3, Intro. to and various parts of Chapter 4

Intro. to the Divide-and-Conquer Strategy via Merge Sort CMPSC 465 CLRS Sections 2.3, Intro. to and various parts of Chapter 4 I. Algorithm Design and Divide-and-Conquer There are various strategies we

### Discrete Mathematics Lecture 3 Elementary Number Theory and Methods of Proof. Harper Langston New York University

Discrete Mathematics Lecture 3 Elementary Number Theory and Methods of Proof Harper Langston New York University Proof and Counterexample Discovery and proof Even and odd numbers number n from Z is called

### Euclid s Algorithm for the Greatest Common Divisor Desh Ranjan Department of Computer Science New Mexico State University

Euclid s Algorithm for the Greatest Common Divisor Desh Ranjan Department of Computer Science New Mexico State University 1 Numbers, Division and Euclid Mathematician (to shepherd): Hey, you have exactly

### Handout #1: Mathematical Reasoning

Math 101 Rumbos Spring 2010 1 Handout #1: Mathematical Reasoning 1 Propositional Logic A proposition is a mathematical statement that it is either true or false; that is, a statement whose certainty or

### Theory of Computation Prof. Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology, Madras

Theory of Computation Prof. Kamala Krithivasan Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture No. # 31 Recursive Sets, Recursively Innumerable Sets, Encoding

### x if x 0, x if x < 0.

Chapter 3 Sequences In this chapter, we discuss sequences. We say what it means for a sequence to converge, and define the limit of a convergent sequence. We begin with some preliminary results about the

### MATH10040 Chapter 2: Prime and relatively prime numbers

MATH10040 Chapter 2: Prime and relatively prime numbers Recall the basic definition: 1. Prime numbers Definition 1.1. Recall that a positive integer is said to be prime if it has precisely two positive

### Reading 13 : Finite State Automata and Regular Expressions

CS/Math 24: Introduction to Discrete Mathematics Fall 25 Reading 3 : Finite State Automata and Regular Expressions Instructors: Beck Hasti, Gautam Prakriya In this reading we study a mathematical model

### MATH 13150: Freshman Seminar Unit 10

MATH 13150: Freshman Seminar Unit 10 1. Relatively prime numbers and Euler s function In this chapter, we are going to discuss when two numbers are relatively prime, and learn how to count the numbers

### Permutation Groups. Rubik s Cube

Permutation Groups and Rubik s Cube Tom Davis tomrdavis@earthlink.net May 6, 2000 Abstract In this paper we ll discuss permutations (rearrangements of objects), how to combine them, and how to construct

### Dedekind s forgotten axiom and why we should teach it (and why we shouldn t teach mathematical induction in our calculus classes)

Dedekind s forgotten axiom and why we should teach it (and why we shouldn t teach mathematical induction in our calculus classes) by Jim Propp (UMass Lowell) March 14, 2010 1 / 29 Completeness Three common

### An Interesting Way to Combine Numbers

An Interesting Way to Combine Numbers Joshua Zucker and Tom Davis November 28, 2007 Abstract This exercise can be used for middle school students and older. The original problem seems almost impossibly

### C H A P T E R Regular Expressions regular expression

7 CHAPTER Regular Expressions Most programmers and other power-users of computer systems have used tools that match text patterns. You may have used a Web search engine with a pattern like travel cancun

### Integer multiplication

Integer multiplication Suppose we have two unsigned integers, A and B, and we wish to compute their product. Let A be the multiplicand and B the multiplier: A n 1... A 1 A 0 multiplicand B n 1... B 1 B

### Regular Languages and Finite Automata

Regular Languages and Finite Automata 1 Introduction Hing Leung Department of Computer Science New Mexico State University Sep 16, 2010 In 1943, McCulloch and Pitts [4] published a pioneering work on a

### How to write proofs: a quick guide

How to write proofs: a quick guide Eugenia Cheng Department of Mathematics, University of Chicago E-mail: eugenia@math.uchicago.edu Web: http://www.math.uchicago.edu/ eugenia October 2004 A proof is like

### The Fundamental Theorem of Arithmetic

The Fundamental Theorem of Arithmetic 1 Introduction: Why this theorem? Why this proof? One of the purposes of this course 1 is to train you in the methods mathematicians use to prove mathematical statements,

### Tastes and Indifference Curves

C H A P T E R 4 Tastes and Indifference Curves This chapter begins a 2-chapter treatment of tastes or what we also call preferences. In the first of these chapters, we simply investigate the basic logic

### Introduction to Algorithms March 10, 2004 Massachusetts Institute of Technology Professors Erik Demaine and Shafi Goldwasser Quiz 1.

Introduction to Algorithms March 10, 2004 Massachusetts Institute of Technology 6.046J/18.410J Professors Erik Demaine and Shafi Goldwasser Quiz 1 Quiz 1 Do not open this quiz booklet until you are directed

### 11 Ideals. 11.1 Revisiting Z

11 Ideals The presentation here is somewhat different than the text. In particular, the sections do not match up. We have seen issues with the failure of unique factorization already, e.g., Z[ 5] = O Q(

### MODULAR ARITHMETIC. a smallest member. It is equivalent to the Principle of Mathematical Induction.

MODULAR ARITHMETIC 1 Working With Integers The usual arithmetic operations of addition, subtraction and multiplication can be performed on integers, and the result is always another integer Division, on

### Vieta s Formulas and the Identity Theorem

Vieta s Formulas and the Identity Theorem This worksheet will work through the material from our class on 3/21/2013 with some examples that should help you with the homework The topic of our discussion

### Rigorous Software Development CSCI-GA 3033-009

Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 11 Semantics of Programming Languages Denotational Semantics Meaning of a program is defined as the mathematical

### The Teacher s Circle Number Theory, Part 1 Joshua Zucker, August 14, 2006

The Teacher s Circle Number Theory, Part 1 Joshua Zucker, August 14, 2006 joshua.zucker@stanfordalumni.org [A few words about MathCounts and its web site http://mathcounts.org at some point.] Number theory

### CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

CHAPTER 5 Number Theory 1. Integers and Division 1.1. Divisibility. Definition 1.1.1. Given two integers a and b we say a divides b if there is an integer c such that b = ac. If a divides b, we write a

### Loop Invariants and Binary Search

Loop Invariants and Binary Search Chapter 4.3.3 and 9.3.1-1 - Outline Ø Iterative Algorithms, Assertions and Proofs of Correctness Ø Binary Search: A Case Study - 2 - Outline Ø Iterative Algorithms, Assertions

### Section IV.1: Recursive Algorithms and Recursion Trees

Section IV.1: Recursive Algorithms and Recursion Trees Definition IV.1.1: A recursive algorithm is an algorithm that solves a problem by (1) reducing it to an instance of the same problem with smaller

### The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

The Prime Numbers Before starting our study of primes, we record the following important lemma. Recall that integers a, b are said to be relatively prime if gcd(a, b) = 1. Lemma (Euclid s Lemma). If gcd(a,

### Section 4.2: The Division Algorithm and Greatest Common Divisors

Section 4.2: The Division Algorithm and Greatest Common Divisors The Division Algorithm The Division Algorithm is merely long division restated as an equation. For example, the division 29 r. 20 32 948

### A Few Basics of Probability

A Few Basics of Probability Philosophy 57 Spring, 2004 1 Introduction This handout distinguishes between inductive and deductive logic, and then introduces probability, a concept essential to the study

### Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture

### Rules and Tips for Writing Mathematics Discrete Math

Rules and Tips for Writing Mathematics Discrete Math Adapted from: Writing in Mathematics by Annalisa Crannell Why Should You Have To Write Papers In A Math Class? For most of your life so far, the only

### CMPS 102 Solutions to Homework 1

CMPS 0 Solutions to Homework Lindsay Brown, lbrown@soe.ucsc.edu September 9, 005 Problem..- p. 3 For inputs of size n insertion sort runs in 8n steps, while merge sort runs in 64n lg n steps. For which

### Arkansas Tech University MATH 4033: Elementary Modern Algebra Dr. Marcel B. Finan

Arkansas Tech University MATH 4033: Elementary Modern Algebra Dr. Marcel B. Finan 3 Binary Operations We are used to addition and multiplication of real numbers. These operations combine two real numbers

### Automata and Formal Languages

Automata and Formal Languages Winter 2009-2010 Yacov Hel-Or 1 What this course is all about This course is about mathematical models of computation We ll study different machine models (finite automata,

### 3 Some Integer Functions

3 Some Integer Functions A Pair of Fundamental Integer Functions The integer function that is the heart of this section is the modulo function. However, before getting to it, let us look at some very simple

### SECTION 10-2 Mathematical Induction

73 0 Sequences and Series 6. Approximate e 0. using the first five terms of the series. Compare this approximation with your calculator evaluation of e 0.. 6. Approximate e 0.5 using the first five terms

### A single minimal complement for the c.e. degrees

A single minimal complement for the c.e. degrees Andrew Lewis Leeds University, April 2002 Abstract We show that there exists a single minimal (Turing) degree b < 0 s.t. for all c.e. degrees 0 < a < 0,

### Quotient Rings and Field Extensions

Chapter 5 Quotient Rings and Field Extensions In this chapter we describe a method for producing field extension of a given field. If F is a field, then a field extension is a field K that contains F.

### 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008

MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.

### Taylor Polynomials and Taylor Series Math 126

Taylor Polynomials and Taylor Series Math 26 In many problems in science and engineering we have a function f(x) which is too complicated to answer the questions we d like to ask. In this chapter, we will

### 15-150 Lecture 11: Tail Recursion; Continuations

15-150 Lecture 11: Tail Recursion; Continuations Lecture by Dan Licata February 21, 2011 In this lecture we will discuss space usage: analyzing the memory it takes your program to run tail calls and tail

### CHAPTER 2. Logic. 1. Logic Definitions. Notation: Variables are used to represent propositions. The most common variables used are p, q, and r.

CHAPTER 2 Logic 1. Logic Definitions 1.1. Propositions. Definition 1.1.1. A proposition is a declarative sentence that is either true (denoted either T or 1) or false (denoted either F or 0). Notation:

### The last three chapters introduced three major proof techniques: direct,

CHAPTER 7 Proving Non-Conditional Statements The last three chapters introduced three major proof techniques: direct, contrapositive and contradiction. These three techniques are used to prove statements

### Kevin James. MTHSC 412 Section 2.4 Prime Factors and Greatest Comm

MTHSC 412 Section 2.4 Prime Factors and Greatest Common Divisor Greatest Common Divisor Definition Suppose that a, b Z. Then we say that d Z is a greatest common divisor (gcd) of a and b if the following

### Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

Chapter 23 Squares Modulo p Revised Version of Chapter 23 We learned long ago how to solve linear congruences ax c (mod m) (see Chapter 8). It s now time to take the plunge and move on to quadratic equations.

### Session 7 Fractions and Decimals

Key Terms in This Session Session 7 Fractions and Decimals Previously Introduced prime number rational numbers New in This Session period repeating decimal terminating decimal Introduction In this session,

### Notes on Factoring. MA 206 Kurt Bryan

The General Approach Notes on Factoring MA 26 Kurt Bryan Suppose I hand you n, a 2 digit integer and tell you that n is composite, with smallest prime factor around 5 digits. Finding a nontrivial factor

### An Innocent Investigation

An Innocent Investigation D. Joyce, Clark University January 2006 The beginning. Have you ever wondered why every number is either even or odd? I don t mean to ask if you ever wondered whether every number

### Section 6-2 Mathematical Induction

6- Mathematical Induction 457 In calculus, it can be shown that e x k0 x k k! x x x3!! 3!... xn n! where the larger n is, the better the approximation. Problems 6 and 6 refer to this series. Note that

### Equations and Inequalities

Rational Equations Overview of Objectives, students should be able to: 1. Solve rational equations with variables in the denominators.. Recognize identities, conditional equations, and inconsistent equations.

### CS/COE 1501 http://cs.pitt.edu/~bill/1501/

CS/COE 1501 http://cs.pitt.edu/~bill/1501/ Lecture 01 Course Introduction Meta-notes These notes are intended for use by students in CS1501 at the University of Pittsburgh. They are provided free of charge

### PRINCIPLES OF PROBLEM SOLVING

PRINCIPLES OF PROBLEM SOLVING There are no hard and fast rules that will ensure success in solving problems. However, it is possible to outline some general steps in the problem-solving process and to

### The Market-Clearing Model

Chapter 5 The Market-Clearing Model Most of the models that we use in this book build on two common assumptions. First, we assume that there exist markets for all goods present in the economy, and that