1. No category

Interoperability between proof systems: The triumvirate of

Interoperability between proof systems:
The triumvirate of
automation, expressivity, and safety
Chantal Keller
th 2016
November, 28
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
1 / 24
Trust automatic devices
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
2 / 24
Trust automatic devices
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
2 / 24
The triumvirate
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
3 / 24
The triumvirate
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
3 / 24
Why so many (general) provers?
A wide range of applications, such as:
deductive verication
proofs of programs
mathematical proofs
formalizing metatheory
induction/coinduction
reasoning on/with computation
...
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
4 / 24
Interoperability: get the best of everything
But:
at what cost/eort?
how agnostic can the systems be?
portability?
automation?
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
5 / 24
Interoperability: get the best of everything
But:
at what cost/eort?
how agnostic can the systems be?
portability?
automation?
In this talk: three examples of interoperability between two systems
A and B
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
5 / 24
1. Autarkic approach (certied provers)
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
6 / 24
1. Autarkic approach (certied provers)
system B
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
6 / 24
1. Autarkic approach (certied provers)
goal
system B
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
6 / 24
1. Autarkic approach (certied provers)
goal
system B
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
6 / 24
Example: Ergo (A = Coq; B = subset of Alt-Ergo)
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
7 / 24
Example: Ergo (A = Coq; B = subset of Alt-Ergo)
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
7 / 24
Example: Ergo (A = Coq; B = subset of Alt-Ergo)
In Coq:
the prover:
ergo : formula → bool
certied:
ergo_correct : ∀f. ergo f = true ⇒ valid f
Show that a formula
f0
is valid:
(ergo_correct)
∀f. ergo f = true ⇒ valid f
valid f0
ergo f0 = true
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
7 / 24
Example: Ergo (A = Coq; B = subset of Alt-Ergo)
In Coq:
the prover:
ergo : formula → bool
certied:
ergo_correct : ∀f. ergo f = true ⇒ valid f
Show that a formula
f0
is valid:
(ergo_correct)
∀f. ergo f = true ⇒ valid f
valid f0
ergo f0 = true
,→ computational reection
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
7 / 24
Advantages and limitations
+ shared representation of formulas
+ correctness established once and for all
+ formal correctness of the algorithms
- really hard to prove
- really hard to maintain or improve (xes the implementation)
- not always possible
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
8 / 24
Our criteria:
at what cost/eort?
statements? none
proofs? huge
how agnostic can the systems be? not at all
portability? none
automation? medium
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety
Chantal Keller
9 / 24
2. Skeptical approach (certifying provers)
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 10 / 24
2. Skeptical approach (certifying provers)
system B
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 10 / 24
2. Skeptical approach (certifying provers)
goal
system B
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 10 / 24
2. Skeptical approach (certifying provers)
goal
proof
system B
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 10 / 24
2. Skeptical approach (certifying provers)
goal
proof
system B
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 10 / 24
2. Skeptical approach (certifying provers)
goal
proof
preprocessor
certicate
system B
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 10 / 24
2. Skeptical approach (certifying provers)
goal
(correctness)
proof
checker
preprocessor
certicate
system B
system A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 10 / 24
Examples (non-exhaustive list)
Tool
System A
System B
Reconstruction
metis
HOL systems
metis
HOL p.t.
sledgehammer
Isabelle/HOL
SAT/SMT/FO
Isa. tactics
Coq
Zenon
Coq p.t./tactics
Isabelle/HOL
termination
checker
SMTCoq
Coq
SAT/SMT
reexive checker
HOL Light & Coq
Coq
HOL Light
reexive checker
Zenon
CeTA
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 11 / 24
Advantages and limitations
+ correctness easier to establish
+ System B may evolve independently
+ pre-processing
⇒
eciency and various provers
+ caching
- no shared representation of formulas
- if the (transformed) certicate is false?
- System B needs instrumentation
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 12 / 24
Our criteria:
at what cost/eort?
statements? from small to huge
proofs? small
how agnostic can the systems be? only certicates
portability? great
automation? medium to good
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 13 / 24
About embeddings
Dierent ways to embed the terms of System B into System A
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 14 / 24
Deep embedding
Dierent ways to embed the terms of System B into System A
How to proceed:
Data-type in A to represent the objects of B
λ-calculus in Coq:
typeD : Type :=
typeD
typeD → typeD → typeD.
termD : Type :=
string → termD
string → typeD → termD → termD
termD → termD → termD.
Representation of λx : bool .x :
Lam "x" o (Var "x")
Example of the simply typed
Inductive
| o :
| a :
Inductive
| Var:
| Lam:
| App:
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 14 / 24
Shallow embedding
Dierent ways to embed the terms of System B into System A
How to proceed:
Objects of A to represent the objects of B
Example of the simply typed
λ-calculus
in Coq:
Definition typeS := Type.
λx : bool .x :
fun x: bool => x
Representation of
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 14 / 24
Comparison between embeddings
Summary:
Deep
Shallow
Inductive typeD := ...
Inductive termD := ...
Inductive derivD := ...
Definition typeS := Type
A proof in A that the
The theorem is proved in A in
theorem is provable in B
the fragment corresponding to B
Coq proof term
Access the structure of terms
- induction
Concrete Coq terms
- computational reection
API to the external world
Coq theorems
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 15 / 24
Comparison between embeddings
Summary:
Deep
Shallow
Inductive typeD := ...
Inductive termD := ...
Inductive derivD := ...
Definition typeS := Type
A proof in A that the
The theorem is proved in A in
theorem is provable in B
the fragment corresponding to B
Coq proof term
Access the structure of terms
- induction
Concrete Coq terms
- computational reection
API to the external world
,→
Coq theorems
deeply check, then interpret into shallow
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 15 / 24
What is a certicate?
How to prove that 5 divides 45?
Lemma:
∀d n, d |n ⇔ (n = 0) ∨ (n > d ∧ d |(n − d ))
Apply this lemma 10 times:
5 divides 0
thus 5 divides 5
thus . . .
thus 5 divides 45
,→
,→
linear time and space
lemma easy to prove
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 16 / 24
What is a certicate?
How to prove that 5 divides 45?
modulo
∀d n, d |n ⇔ n ≡ 0 (d )
Implement the function
Lemma:
Apply this lemma once and compute:
45
≡ 0(5)
(computation)
thus 5 divides 45
,→
,→
linear time but constant space!
lemma still easy to prove
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 16 / 24
What is a certicate?
How to prove that 5 divides 45?
Implement the divisibility rule of 5
Lemma:
∀n, 5|n ⇔ rule5(n) = true
Apply this lemma once and compute:
rule5(45) = true
(computation)
thus 5 divides 45
,→
,→
constant time and space!
lemma slightly more dicult to establish
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 16 / 24
A good format of certicate
Good certicate:
easy to check
fast to generate
Good checkers:
ecient
modular: accept various formats!
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 17 / 24
A universal format of certicate?
Propositions of standards:
LFSC
veriT/SMTCoq
TPTP
Open Theory
dedukti
ProofCert
exiformal proofs (OpenMath)
...?
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 18 / 24
3.
A priori approaches
Built-in interoperability:
decide in advance the interoperability you want with System B
build System A around it
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 19 / 24
Example: F*
impure functional programming language
rich type system: dependent and rened types
(to express various properties on programs)
type checking: designed to use the Z3 SMT solver
Curry-Howard: programs are proofs
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 20 / 24
Example: F*
impure functional programming language
rich type system: dependent and rened types
(to express various properties on programs)
type checking: designed to use the Z3 SMT solver
Curry-Howard: programs are proofs
val u : nat -> Tot nat
let rec u n = if n = 0 then 0 else u (n-1)
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 20 / 24
Example: F*
impure functional programming language
rich type system: dependent and rened types
(to express various properties on programs)
type checking: designed to use the Z3 SMT solver
Curry-Howard: programs are proofs
val u : nat -> Tot nat
let rec u n = if n = 0 then 0 else u (n-1)
val induction : n:nat -> Lemma (ensures (u n = 0))
let rec induction n =
if n = 0 then () else induction (n-1)
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 20 / 24
Example: Lean
interactive theorem prover
based on proof-irrelevant Type Theory
elaboration mechanism with built-in automation
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 21 / 24
Example: Lean
interactive theorem prover
based on proof-irrelevant Type Theory
elaboration mechanism with built-in automation
definition u : nat → nat
| u 0
:= 0
| u (n+1) := u n
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 21 / 24
Example: Lean
interactive theorem prover
based on proof-irrelevant Type Theory
elaboration mechanism with built-in automation
definition u : nat → nat
| u 0
:= 0
| u (n+1) := u n
theorem induction : ∀ n, u n = 0
| induction 0 := rfl
| induction (n+1) := induction n
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 21 / 24
Our criteria:
at what cost/eort?
statements? from small to huge
proofs? from small to huge
how agnostic can the systems be? good
portability? bad
automation? really good
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 22 / 24
Summary
Criterion
eort (statements)
Autarkic
Skeptical
A priori
++
-
eort (proofs)
++
+
agnostic
++
portability
++
-
automation
+
+
++
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 23 / 24
Takeaway
Some lessons for new systems:
interoperability is hard!
think from the very beginning that people may want to use
your system dierently
certicates (possibly in a standard), API, . . .
Interoperability between proof systems:The triumvirate of automation, expressivity, and safety Chantal Keller 24 / 24

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2025 Paperzz