18

We have Hoare logic. Why is it still possible that an algorithm is right but there is no proof that it's correct? Suppose the algorithm is expressed in C. Then we can argue step by step that it's doing what it's supposed to do.

So my question is:

Give me an example of an algorithm that's right but does not have a proof of correctness.

EDIT: I think a little background can help clarify where I'm going. Let me quote Scott Aaronson:

> Since the 1970s, there's been speculation that P $\ne$ NP might be independent (that is, neither provable nor disprovable) from the standard axiom systems for mathematics, such as Zermelo-Fraenkel set theory. To be clear, this would mean that either
>
> 1. a polynomial-time algorithm for NP-complete problems doesn't exist, but we can never prove it (at least not in our usual formal systems), or else
>
> 2. a polynomial-time algorithm for NP-complete problems does exist, but either we can never prove that it works, or we can never prove that it halts in polynomial time.

I'm referring to the second possibility. Since Aaronson can so confidently list it as a possibility, I think there must be an existing example of type 2. That's why I'm asking this question. But it seems a quick and clear answer is not in view.

Zirui Wang

5 Answers

51

Here is an algorithm for the identity function:

  • Input: $n$
  • Check if the $n$th binary string encodes a proof of $0 > 1$ in ZFC, and if so, output $n+1$
  • Otherwise, output $n$

Most people suspect this algorithm computes the identity function, but we don't know, and we can't prove it in the commonly accepted framework for mathematics, ZFC.

Yuval Filmus
10

Most algorithms have not been proven correct in Hoare logic. The main reason is that such correctness proofs are extremely expensive as of Jan 2017, probably by several orders of magnitude in comparison with 'mere' programming. There is a lot of ongoing work to reduce this cost by automation, but it's an uphill struggle.

Another reason why an algorithm might not have a correctness proof, and one that is more relevant in practice than the incompleteness phenomena that Yuval and chi mentioned, is that we might not know what this specification is. This problem has two dimensions.

  • The customers don't know what they want. This is a well-known problem in software engineering, and software engineers have developed many approaches to deal with this.

  • The specification is difficult. A good example is the correctness of cryptographic algorithms. Only recently Micali & Goldwasser won Turing awards for specifying what cryptographic security means. Note however that that definition is (as far as I'm aware) for "theoretical cryptography" where you have a security parameter $n$ ranging over natural numbers, and adversaries are polynomial time probabilistic Turing machines. To the best of my knowledge (please correct me if I'm wrong) there is a mismatch between theory and practice, and concrete algorithms like AES and SHA256 are not quite within the purview of those theoretical specifications. I don't think there is a full specification for such algorithms, hence we cannot, in principle, verify them in the sense of e.g. Hoare logic.

Martin Berger
5

This is tied to the incompleteness of the underlying logic. Indeed, Hoare logic usually contains a weakening or "pre-post" rule $$ \dfrac{ P \implies P' \qquad \{P'\}c\{Q'\} \qquad Q' \implies Q' }{ \{P\}c\{Q\} } $$ where the implications $P\implies P', Q\implies Q'$ need to be proved in an underlying logic, usually First-Order Logic (FOL) with some set-theoretic axiomatization like Zermelo-Fraenkel (ZF).

The tricky part is that we know such logic is incomplete, as proved by Gödel almost one century ago. More concretely, there is a predicate on natural numbers $P(n)$ for which we can prove inside the logic $P(0)$, $P(1)$, $P(2)$ and so on for any given natural constant, but there is no way to prove $\forall n\in \mathbb{N}.\ P(n)$.

From the computer science side, this weird behavior can be exemplified using computability theory. Suppose a Turing Machine $M$ when run on the empty tape does not halt in $n$ steps ($P(n)$). Then, in ZF we can prove such a fact by essentially unraveling the execution step-by-step in the proof. However, when $M$ diverges, we cannot hope to be able to prove divergence in ZF ($\forall n.\ P(n)$). Indeed, if this were possible for all given $M$, then we could semi-decide divergence by enumerating all the possible proofs for $\forall n.\ P(n)$, and halting when one is found. Since we know that divergence is not RE, this is impossible.

chi
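
The asymmetry in the answer above, as an added example that is not part of the original answer: each single $P(n)$ is settled by running the machine for $n$ steps, while no finite run settles $\forall n.\ P(n)$. The two transition tables, the step-bounded simulator and the function names are constructed for this illustration.

```python
from collections import defaultdict

# Transition table: (state, symbol) -> (write, move, next_state); "H" halts.
# Both machines are constructed samples for this example.
BB2 = {  # 2-state busy beaver: halts on the empty tape after exactly 6 steps
    ("A", 0): (1, +1, "B"), ("A", 1): (1, -1, "B"),
    ("B", 0): (1, -1, "A"), ("B", 1): (1, +1, "H"),
}
RUNNER = {("A", 0): (0, +1, "A")}  # walks right forever on the empty tape

def halts_within(machine, n):
    """Run `machine` on the empty tape for at most n steps; True iff it halted."""
    tape, pos, state = defaultdict(int), 0, "A"
    for _ in range(n):
        if state == "H":
            return True
        write, move, state = machine[(state, tape[pos])]
        tape[pos] = write
        pos += move
    return state == "H"

def P(machine, n):
    """The answer's predicate: M does not halt in n steps.
    Decided for any fixed n by unraveling the execution."""
    return not halts_within(machine, n)

def first_counterexample(machine, max_n):
    """Search n = 0..max_n for a refutation of P(n).
    Finding one settles that M halts; finding none says nothing about
    forall n. P(n), however large max_n is."""
    for n in range(max_n + 1):
        if not P(machine, n):
            return n
    return None

if __name__ == "__main__":
    print(first_counterexample(BB2, 100))     # halting machine: refuted at some n
    print(first_counterexample(RUNNER, 500))  # diverging machine: no refutation found
```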
5

Problem: Print "Yes" if every even number ≥ 4 is the sum of two primes, and "No" if there is an even number ≥ 4 that is not the sum of two primes.

Algorithm: Print "Yes"

Most people think that the algorithm is correct. There is no known proof, and it is quite possible that there is no proof.

gnasher729
3

Any algorithm that is correct but we don't know how long it takes to run can be transformed into an algorithm that stops in a guaranteed amount of time but we aren't sure if it is correct.

For example, to find a prime larger than $n$, start counting up from $n+1$ testing if each number is prime until you find one. Now modify it to give up and return $0$ if we can't find a prime after $\log(n)^2$ tries. If the modified algorithm ever returns $0$, it is incorrect, but nobody knows if that ever happens or not. Even with as many as $\sqrt{n}$ steps we can't prove a prime will always be found.

So, we have an algorithm that is correct but we have no proof that it runs in polynomial time, and an algorithm (the same one, but time-limited) that runs in polynomial time but we have no proof that it is correct. And like with the $P=NP$ problem, for this example it is also plausible that no such proofs exist.

Dan Brumleve
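
The two searches from the answer above, written out as an added example that is not part of the original answer. It assumes $\log(n)^2$ means the natural logarithm squared and rounded up, with $n \ge 2$; the function names are chosen for this illustration. The survey collects finite evidence over a range, which is exactly what a proof for all $n$ would have to replace.

```python
import math

def is_prime(m):
    """Trial division; adequate for the small inputs surveyed here."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True

def next_prime_unbounded(n):
    """Always right (a larger prime exists), but the number of candidates
    it may have to try is not proven to be polynomial in log n."""
    k = n + 1
    while not is_prime(k):
        k += 1
    return k

def budget(n):
    """Assumption: log(n)^2 means natural log, rounded up, for n >= 2."""
    return math.ceil(math.log(n) ** 2)

def next_prime_bounded(n):
    """Same search, but give up and return 0 once the budget is spent."""
    for k in range(n + 1, n + 1 + budget(n)):
        if is_prime(k):
            return k
    return 0

def survey(limit):
    """Return (inputs where the bounded search gave up, (most tries needed, n))."""
    failures, worst = [], (0, 0)
    for n in range(2, limit + 1):
        p = next_prime_bounded(n)
        if p == 0:
            failures.append(n)
        elif p - n > worst[0]:
            worst = (p - n, n)
    return failures, worst

if __name__ == "__main__":
    # Finite evidence only: an empty failure list here proves nothing for all n.
    print(survey(20000))
```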