Hi there, my name's David A. Wheeler and
I'm here to talk about Metamath Proof Explorer as a modern Principia Mathematica.
Mathematics has proven much from just a few principles.
However, omitted steps and lack of rigor
can lead to opaqueness and invalid proofs.
For example, Pasch in 1882 identified a
missing axiom in Euclid's Elements, one
that had not been noticed for over 2,000
years.
One work that was designed in part to counter these problems was Whitehead and Russell's Principia Mathematica, which
really was an extraordinary work. It
attempted to describe axioms and
inference rules from which all math
truths could in principle be proven.
Now, Goedel's later incompleteness theorem showed limitations with this approach,
and not everyone agrees on some specific
set of axioms and rules.  Still, this was
an extraordinary achievement. But there
are problems with Principia Mathematica.
It uses an obsolete "dotted" notation that
very few people use today, and most people
find hard to read. Some of the axioms are
not widely used or accepted - it was built
on a concept of a hierarchy of types.
Today most work uses the Zermelo-
Fraenkel set theory with the axiom of choice instead.  It doesn't go very far in
mathematics -
this shouldn't be terribly surprising
since it takes volume 2 before can reach
one plus one equals two. Navigation is
simply not as easy as web pages, and how
can we be confident in its proofs?
Yes they were smart, but even smart
people make mistakes.
Many find rigorous proofs, created from the
most basic principles, to be very
compelling - what can be done better?
In particular, can we use computers today
to help? Currently computers often can't
develop deep mathematical proofs, but
computers are excellent at verifying that a
claimed proof is correct, given some
axioms and rules of inference to use.
They can also greatly simplify
navigation - simply add hyperlinks.
This leads us to Metamath. Metamath is
both software and a language for
abstract mathematics. It was developed in
1992 by Norman Megill. It's an extremely
minimal and stable mechanism. It
basically defines a very simple language
that lets you state axioms and theorem proofs, and those proofs can build on other proofs.
It also includes software that performs
proof verification and exposition.
All the proof steps use only one rule:
substitution. That means that proof steps
are not hidden in code - every step is
shown.  This has some interesting
ramifications. Proofs can be followed by
even non-mathematicians - all you have to do
is learn one rule, and every step can be
drilled down to axioms via hyperlinks.
The verifier is relatively simple, so it can
be easily implemented, leading to very
high confidence. By re-implementation we can counter potential implementation errors -
it's a lot like having multiple human
reviewers. There are at least 13
verifiers that exist for Metamath today. A Python version, for example,
has 350 lines of code that
includes everything - reading the lines,
everything. There's one in Mathematica that only takes 74 lines.  And [verification] can be
incredibly fast - 28,000 theorems can be
verified in five seconds in a version of
portable C, or about one second in
parallel Rust.
This leads us to the Metamath Proof
Explorer. The Metamath Proof Explorer, or MPE,
uses Metamath to define classical
mathematical axioms and related
definitions. It first starts out by
defining classical propositional
calculus - things like modus ponens,
implies, not, biconditional, and, or
constant true, and constant false. But those are only about truth and falsehood.
It then includes predicate calculus, which lets us talk about objects, things like equality,
for-all, there-exists, and those two parts can be called logic.  But logic can only prove
truths from other truths - we need to have
something to talk about!  That leads us to
ZFC set theory, which defines the axioms for set theory that are typically used today.
It also includes the Tarski-Grothendieck axiom - this is useful for some portions
of category theory.  You could in theory
just use those directly, but that could be...
very unfortunate, difficult.  So it also
includes something called the theory of
classes, in particular a class builder
notation: { "y" where something-is-true }.
A class builder is essentially the set builder notation, however
these are actually classes.  A class
contains zero or more sets, but not every
class is actually a set. It also includes
definitions of common terms and
abbreviations, and proves numbers exist
from the axioms.  This is proved
in theorems based on Dedekind cuts, and
then they are reintroduced as axioms to easily identify their use later.
MPE has produced a remarkable number of
results. As I'm speaking there are over
28,000 theorems proven, with more being
continuously added. This includes the
majority of the formalizing 100 theorems
list that serve a challenge list for
tools for formalizing mathematics.
Here's just a sampler of the many many proofs
that are included in the Metamath Proof Explorer.
Now here are some remarkable things about MPE.
You can see every step, no exceptions.
They're not just hints for
a machine or mathematician to then
puzzle through - it shows every step, and every step uses a theorem or axiom - just click on
the step to see it. It lists all the symbols
and actions that are used, via hyperlinks,
so once you learn the [substitution] rule you can follow any proof, including all the
supporting proofs. MPE is constantly
verified by four independently-
implemented computer verifiers; they've
been implemented by 4 different people in four
different programming languages.
This provides extremely high confidence
that the proofs are correct.
There are over 30 contributors that have contributed to MPE.
Here's an example of a sample proof.
This is the proof that two plus two is equal
to four. More steps than you're used to,
I'm sure, but each one of these [steps] is very simple and very straightforward.
Let's focus on those first two steps. The
first step is justified by reference to
by df-2. What is df-2? Well,
if you click on it, you'll find that it is the
definition for the symbol "2". In MPE, two is
defined as 1+1, which seems like a
fairly plausible definition of 2 to me.
Unsurprisingly, you can use definitions
in proofs. And so, in fact, step 1 just refers to an existing definition.
Step 2 is justified by a reference to oveq2i.  What in the world is that? Well, if you clicked on that, you'd find [that] it's
another theorem, and this theorem says that if A equals B, then C F A is equal to C F B.
We don't need to see the steps that
proved this particular theorem, we're just
going to use this theorem to prove other
things, and it simply says that if A equals B,
then if there's some operation F and
its left hand [expression] is exactly the
same, and its right hand [expressions] are equal to each other, then the whole expressions
[are] equal to each other. But we can't use
this theorem unless we can find
something to match its hypothesis. Can we?
Yes, we can... step [two] can refer
to step one, which indeed has this form.
Two equals one plus one does indeed have the form A equals B!  That means that we can
assign, when we use use oveq2i this time,
A to be 2, and B to be (1+1).  If we do that,
then in this use of oveq2i A must [also] be 2,
and B must [also] be (1+1) in the result.
C and F, however, don't have any
other constraints, so they can be
whatever we want, subject to certain
constraints like syntax constraints. That
means that we can assign the following
substitution: A equals 2, B equals 1+1,
C equals two, and F equals +, producing
the result that 2+2 is equal to
2+(1+1). This is
substitution - once you master this rule,
you can follow every step, in every proof,
no exceptions.
But can math really be formalized?
Some think that math
formalization is essentially impossible.
Wang, for example, says that yes, there is a
theory that corresponds to 1000+2000=3000,
but it'd be forbiddingly long.
Megill notes that although many people
have conveyed that the absolute rigor provided by Metamath is some sort of impossible dream,
they seem to assume that you have to break down a proof into its individual primitive steps.
This isn't necessary; it's certainly not how
ordinary informal mathematics is done.
So there's an invalid hidden assumption!
This [page] is a complete formal proof that
1000+2000=3000.
It rigorously traces all the way back to
set theory and logic axioms,
skips absolutely nothing, and has been formally verified by multiple independent verifiers.
Thus, this counter-example
disproves Wang's claim.
So why is formalization realistic in Metamath? There are several reasons.
One is that we can break theorems into smaller lemmas and reusable theorems.
Over time, these reusable theorems accumulate, which means
that each of those reusable theorems
provides a higher level step to future
theorems. It provides a simple consistent
rule, substitution; once you learn the rule
just keep using it. Hyperlinks enable easy
navigation.  If you're not sure why step is justified, click on it. Not sure what this symbol means?
Click on that symbol in the list a
list of symbols, and you can see what
that symbol is all about.
There's also a lot of automation available
so simpler steps are now automated by tools.
For example, the 1,000 + 2000
= 3000 theorem I showed earlier was
generated completely automatically.
In the future,
machine learning may provide
even more gains, since there's now a database
with a large number of steps already
shown that would be an easy starting base
for various kinds of machine learning
algorithms. And of course you can combine
automation tools. That's already done
today in the Metamath community.
Here's another proof; this proves that
the axioms used [here] counter Russell's paradox.
In Russell's paradox [Russell] was
concerned about naive set theory.
[Russell examined] the set of all sets that
don't contain themselves and asked, "does
it contain itself?" The answer in naive
set theory was a contradiction - if it
does then it doesn't, if it doesn't then it
does. However under the ZFC axioms we can
show that the "set of all sets that don't
contain themselves" is in fact not a set.
ZFC axioms were specifically designed to 
counter this kind of contradiction.
Nevertheless, it's good to see that in fact
we can rigorously prove this [contradiction does not apply].
Substitution is very important, so here
are a few comments about [it].
Constants in black represent themselves. Variables are placeholders and they can be
substituted with other expressions of
equal type. The types in MPE are as follows:
well formed formula, which are simply a
true/false expression; set variable, which
substitute with another set variable; and
class variable, which represents a
collection of 0 or more sets. These must be
syntactically valid and meet distinct
variable provisos which are checked. For more information about this, see the documentation.
To learn more, visit the Metamath Proof Explorer (MPE) homepage.
In particular, take a look at its theorem sampler and theorem list, which will give you an idea of what's there.
Or visit the Metamath home page, which includes formalizations of other systems and information on the
book that defines this in much more
detail.
Thank you very much!
