Add to collection(s) Add to saved
  1. Math
  2. Advanced Math
  3. Logic

>> Nikhil Swamy: All right. So let's get... Strub. Pierre-Yves is a postdoc at the MSR-INRIA Joint...

advertisement 
>> Nikhil Swamy: All right. So let's get started. I'm really happy to introduce Pierre-Yves
Strub. Pierre-Yves is a postdoc at the MSR-INRIA Joint Centre in Orsay. And we've been
working together on the F* project. Pierre-Yves has been our Coq expert in this project. And
he's going to tell us today about some work that's not so related to F* but more his work in his
Ph.D. related to extending Coq with decision procedures in a tool called Coq Modulo Theory,
which is going to be part of the next release of Coq. So this is going to be the mainline of Coq 9.
So Pierre-Yves.
>> Pierre-Yves Strub: Okay. Thank you. So let me start to introduce this work with formal
methods. So formal methods are tools for proving correctness of programs. And as of today we
start to have some big [inaudible]. So, for example, you have some OS kernel verification in
Coq. You have the CompCert project which satisfied C compiler for big subset of C. And you
have also the ASTRÉE static checker, which is used for checking the absence of [inaudible] error
in some controls of the Airbus 380, for example.
And the idea here is that formal tools are complex programs too. So why should I trust the
machine this time when I'm using the formal tools since I don't trust the machine for my user
complex program.
And so the idea is that you want your formal tools to produce either a certificate that you can
check in the simple verifier or either to be small enough -- small enough to be read and trusted
like no more than 5,000 line of code.
And the Coq Proof Assistant is such a reliable formal tool. So in short the Coq Proof Assistant
was designed to develop mathematical proofs. And so what you can do with it, that it allows you
to write formal specification and to programs -- to write programs and to prove that the programs
comply with a specification.
And why the Coq Proof Assistant is reliable is why you have the Coq Proof Assistant parted into
two parts. First on the top here you have the proof checking part. This part is split into two
subparts which is a formal language, which is not a program but which is the logic you are using
in the Proof Assistant, and then you have the proof checker which is given a proof [inaudible]
which checks that this is indeed the proof for the property we want to proof with [inaudible] to
the formal language.
On top of that, you have the proof construction stack. So this one is bigger. Here you have a
proof engine. So proof engine is a very low-level program which allows you to from some
comments to bridge some proofs for the proof checker. Then you have the proof development
language. So this one is the high-level language for proof constructions. And for these two parts
you are able to bring some libraries of theorems that then you can use for more standard
development.
And so the idea here that to -- okay, to trust your proof, that you trust that the proof checker
is [inaudible] the job. You only have to prove that part, that is the final part which tells you that
is your proof -- your final proof is correct on it. And this part in Coq is small. It's less than
10,000 lines of code of ML. This one is bigger. It's between 100- and 200,000 lines of code.
And if you have a bug there, then the proof checker will detect it and reject your buggy proof.
So here is [inaudible] map of the ecosystem of formal tools. So on this slide you have the power
of the formal tool going from memory safety to functional correctness and to formal math.
On that line I will -- I have the ->>: Can I ask what is the difference in formal math and functional correctness?
>> Pierre-Yves Strub: For functional correctness I won't be able to speak about mathematics, for
example. So this is -- for formal math I have set theory which is more expressive than what I can
express in the functional correctness of formal tool about, okay, my function is seeking some
input, I'm returning some input [inaudible]. With that I cannot uncode the [inaudible] for
example.
>>: Okay. Okay. So you're ->> Pierre-Yves Strub: On [inaudible] I will have automation. So starting from free automated
tools to free interactive one. In the middle I have a gray here where I'm between interactive on
the automated proofs.
So, for example, ML checking is free automated. ML checking [inaudible] but what you obtain
is some memory safety. If you move to the gray here, so this is a kind of tradeoff, you can obtain
functional correctness in a quite automated way. For example, so you have VCC, Boogie, and,
for example, F*, we work with Nikhil here. It's a tradeoff between what you can do
automatically and what you can prove in the system.
And then sure you have Coq. So in Coq you're only totally interactive. You have full
automation in Coq. But you have a very large logic. You can express quite a bit of things. But
now I want to zoom on Coq. Because Coq is not totally only one logic. Coq now is 25 years
old. And there have been some work about the logic. So the very first version of Coq was the
calculus of construction there.
So in the calculus of construction, for example, it was not possible to have a built-in definition of
natural numbers, for example. So you had to do a lot of own codings. And then, for example,
addition was not a function. You have to prove. So each time you want to prove that 1 equals -2 equals 1 proof 1, you have to apply some rules about your own coding.
And then you have this new version of Coq which is a calculus of [inaudible] construction where
you have a [inaudible] types. And then here you are able to define quite a lot of function
[inaudible].
And in that case you get more automation because you have some computations, you have things
that you will be able to recomputation and are more expressive. And then you have CACs, okay,
[inaudible] construction where you can add more computation and you can express more
[inaudible] to encode them.
And so my work here is to quickly push in on that line. You see the more -- we progress the
more you are going to the gray-out [inaudible] the more we are expressive. And here the work is
about going to the gray area.
So first I want to say Coq is not a panacea for studying real programs. Okay. So for doing real
programs, you want to go in here. But it is invaluable for, for example, such things as logical
foundation of your formal tools. And [inaudible] for example I did for formalizing the method
theory of F*, for formalizing the method theory of a previous language, which is F7 for
cryptography.
It can also be used to satisfy the reference implementation of these tools. So it's why, for
example, I did for the certification of the type checker of F*. And also it is invaluable for
formalizing complex mathematics. So you have the group of [inaudible] proving the [inaudible]
Coq, and, for example, [inaudible] more things from library about proving properties of the
elliptic curve. So after proving some cryptography [inaudible] about elliptic curves. So there is
an [inaudible] in being able to express [inaudible] in Coq.
So my thought will be in ->>: Can I ask a question [inaudible]?
>> Pierre-Yves Strub: Yeah.
>>: So, for example, when you certified the F* type checker [inaudible] Coq is the
programming language also [inaudible] the type checker inside Coq also?
>> Pierre-Yves Strub: That could be, but here, no, we -- we define a new methodology where
you first do the metatheory, and then your [inaudible] of F* in F*. But since F* is powerful
enough to express the correctness of the type checker. It's not perfect enough to prove the
correctness of type checker but to express it is powerful enough, then you can import the result
of the type checker in Coq and prove that type checker is [inaudible]. This is okay [inaudible]
application.
But you could also write this program in Coq and instruct it. But as I've said, then Coq is not in
the panacea for doing that thing because you do not have effects, you have to write some
[inaudible] and so on.
So [inaudible] introduce the Coq Proof Assistant. Next I will describe my new calculus, which I
call the Calculus of Presburger Constructions, I will define it, and then I will go to how you can
decide proof checking in this calculus. Then I will speak about kernel security [inaudible] of
Coq and I will conclude.
So what is Coq. So Coq is four things. Coq is a programming language dedicated to processing
mathematics. Then Coq is a set of deduction rules characterizing the logic chosen for expressing
the mathematical statements and also their proofs. Proof in Coq is coming with proof tactics
allowing to construct proofs interactively. And then on top of this you have libraries of proved
theorem.
So let me introduce the two first point, which is programming languages and what are the
deduction rules. So for that we are moving one [inaudible] to Gentzen and to natural deduction.
So in Gentzen natural deduction the idea is that a proof is a tree. You give up the axiomatization
of deductive reasoning and you replace them by inference rules. And for each logical connector,
you will have rules for introducing them and rule for eliminating them.
So what is a proof in natural deduction. So I said it's a tree, and then you have a goal, what you
are proving, which is Q, and you are proving the goal under hypotheses, this PI here. And each
hypothesis will be then justified in turn by some proofs.
>>: You said [inaudible], right?
>> Pierre-Yves Strub: Yeah. So I will focus on the [inaudible] connector. So the rule for
eliminating the [inaudible] tells you that if you have a proof of A in place of B and a proof of A,
then you will have a proof of B.
And what this rule is hiding, this rule hides a total function transforming a proof of A, a proof of
type A, because I remove two types next, to a proof of B. And this is what is a Curry-Howard
isomorphism. You see proposition as types. That is that proposition will be the type A
[inaudible] B, and then you see proofs as programs or programs as proofs.
So how we do this in Coq. So in Coq you introduce a type prop for containing other types.
What will be the inhabitants of prop, there will be proof types or propositions. So, for instance,
if A is a prop and B is a prop, then the arrow typed from A to B is a proof type proposition for
the implication of A in place B. And the proof type is valid, a proposition is valid, if there exists
a program of that type.
So, for example, the function, so this Coq syntax here for the function, taking your X of type A
[inaudible] X this function is taking the arrow and joining the A. So this is a proof of A in place
A.
Now, if I want to move to the full logic for all the [inaudible] I have to -- I need some more
powerful types. So this is now the elimination for the [inaudible] connector. So telling me that
if I have a proof of for all of XP, then I can have a proof of P in which I substitute X by T, by
time T. And so what you want to express, that the proof of all XP is a function taking a T and
returning of proof P of T.
And what we have is the result type depends on the inputs. And we need what we call then
dependant types. That is types depending on the value.
So Coq is coming with these dependent types. So what we do that now we have a type for types,
which is type with a capital T, and then you can define type families. That is for type -- for set
A, you will define a family B of I for I being A. And you will see them as function from A to B.
So you can with that have polymorphism. For example, you can have list of A, which has a
list -- the type of the list of element of type A. And this is a function from type to type. Or you
have vector of size N, which has a list of size N. And then show your [inaudible] going from
natural number to type. And then you can continue, for example, ordinal N is a type of numbers
lower than N.
And so the central predicate. For example, prime N is a type for proposition which says that N is
a prime number. And this one is going from nat to prop, the type of propositions. And so there
is a new type construction which is different projects which can read for all X of T I have the
proposition B, which is [inaudible] the encoding of the for-all quantification. This is a
generalization of the arrow type from A to B. So, for example, if I want to say that for all natural
number 4 times N is not prime, I will write for all N of type nat, not, which is a function from
proposition to proposition, prime 4 times N.
Now so I'm coming back to my [inaudible] to Coq. Now I've said that also Coq so is a logic but
so is coming with proof tactics allowing to construct proofs interactively. That is I will have
proof tactics, I will need from a type of proposition to build a program of that type. That is a
proof for that proposition.
So Coq [inaudible] very low-level tactics like for implication [inaudible] and the construction
proof of [inaudible] over N. But so Coq offers the user a mechanism for proof search. For
example, you can ask Coq for -- do simple search by arithmetic or real arithmetic, first order
logic, polynomial system [inaudible] and also you can -- you have a general mechanism for
[inaudible] oracles.
The common base of all these tactics that [inaudible] which take a proposition as input and
which construct proof [inaudible]. That is a program of the given type, of the given proposition.
And then these proofs are checked by the Coq system.
So up to now I spoke about the deduction. But in proofs there is a very important notion which
is computations. And this notion is coming from [inaudible]. So at that time deduction was
unknown. The only way of doing of doing proofs were computations. And then we move to
bridge where we move to the other extreme. That is only using deduction rule, no computation
at all.
[inaudible] go during these [inaudible] of mathematics, computation went back. So it started
with [inaudible] problem which was is it possible to state mathematical certain as computation
problems and then to solve them automatically. And today we know that not too possible to
solve them automatically by computation [inaudible] assessments. But still we can solve some
of them.
So this is the Poincaré principle. If 2 plus 2 equals 4, a proof or just computation?
If you go to Presburger arithmetic, so here you have [inaudible] this logic, then 2 plus 2 equals 4
is a proof, is a full proof. Okay. This is -- shows this big tree, where you have to apply two
times this [inaudible] and Y times this one.
But if you start to [inaudible] then 2 plus 2 will compute to 4. And then the proof of 2 plus 2
equals 4 is no more a proof, it's just the application of [inaudible], all right, because -- yes?
>>: Now, doesn't it [inaudible] depending on what you define as proof, you're doing a
rewriting ->> Pierre-Yves Strub: No, it's not a rewriting.
>>: [inaudible] rewriting rules?
>> Pierre-Yves Strub: No, it's not a rewriting here. And not -- here I am playing the right rules
because I'm [inaudible] equals by equals. So [inaudible] rewrite rules. But here the computation
is embedded in the logic.
So, yes, you compute using rewrite rules, but this is something which is decidable.
>> So you add -- so your point is you add rewrites in as a proof rule.
>> Pierre-Yves Strub: As a?
>>: As a proof rule.
>> Pierre-Yves Strub: You can see like this, yeah. But it's very telling that in a proof you want
to remove all these computational steps and you want the computer to find them. You want the
computation to hide what the reader is doing implicitly when there is a proof.
>>: There's another part of this example doesn't -- the simplicity in this example, which is
representation, so in this example you were [inaudible] numbers as [inaudible].
>> Pierre-Yves Strub: Yeah.
>>: [inaudible] numbers and some computation on kernel numbers might be more efficient than
proof of kernel numbers, but computation on [inaudible] numbers.
>> Pierre-Yves Strub: You can't -- you cannot -- you can do the same by doing numbers. You
can define the computation [inaudible] using binary numbers. And, yes, it would be more
efficient.
>>: But then there's a question of whether the representation is opaque or transparent to the
proof.
>> Pierre-Yves Strub: Well, yes, when you are doing formal proofs, the equation of [inaudible]
mathematical objects into some sort of proof, yes. You have to take the presentation which
exhibits the root structure for doing a write computation in the list during your proofs. Yes. So
it's not like in math. So we are moving from math where you are considering every object up to
an isomorphism.
Here no. Here the computation is intentional. So you choose a computation and you stick to this
one. And if you want to change your position, you have to do it explicitly. Yes, I agree.
>>: I'm sorry, I didn't understand what you meant by computation.
>> Pierre-Yves Strub: It means that this is something -- so this is -- there is a function taking
your expression [inaudible] function taking your expression and returning a result. And what
you do, for example, here when you apply the [inaudible] so on the left-hand side you have 2
plus 2 and on the right-hand side you have 4 and you try [inaudible] these two terms are
different. So you cannot apply the [inaudible] lemma because you need X and X on both sides.
Here you will [inaudible] terms and call up to computation. So you will apply the function 2
plus 2 [inaudible] evaluation to 1 to 4, and on both side we'll obtain 4 and 4. And then you can
apply [inaudible].
>>: But you're [inaudible] computation is independent of all this proof business, but how can
that be because, I mean, that computation somehow knows the semantics of what 2 means and
what 4 means and what plus means. How do they know all the semantics, this is ->> Pierre-Yves Strub: I took the -- so I -- you take the [inaudible] and you orient. So you do a
compression. So here you orient from left to right. And so the computation is correct with
relation to the initial semantic.
>>: So there's no proof needed; it's correct by [inaudible] you prove that this function
terminates, you're done?
>> Pierre-Yves Strub: Yeah.
>>: That's all you need to prove.
>> Pierre-Yves Strub: Yes.
>>: Prove this [inaudible] oriented rewrites will determine.
>> Pierre-Yves Strub: So you do some computation and you obtain -- so with the computation
complete you obtain a [inaudible] system and, yes, you apply the [inaudible].
And so it seems -- so on this simple 2 plus 2 equals 4, it seems quite trivial. But it means that in
a proof you can change any proof construction by decision procedure descending your problem.
And so Coq, which is base of the calculus of construction, integrate computation in -- sorry -- in
the [inaudible]. So you have [inaudible] that so if in a proof environment for operation big T,
you have a proof small T, and big T is convertible to T prime using some computation, then T -small T [inaudible] proof of big T prime.
And so this [inaudible] this tilde here, which convert [inaudible] T prime, express the
computational power of the system. And so the more you have computation in that rule, in this
tilde, the more your logic is expressive.
In the calculus of constructions, the only things you have in the conversion rule is [inaudible]
meaning evaluation of functions. So here, for example, plus is [inaudible] and then plus is not
evaluating. So when you have 2 plus 2, 2 plus 2 is a free evaluated.
So next -- so this is a big step. Coq moves to the calculus of inductive construction where you
can define [inaudible] some function by induction. So, for example, you can define the natural
number as being the smallest inductive type adding 0 [inaudible] function. And then you can
[inaudible] you can define addition by induction of simple argument, for example, and so we
obtain the [inaudible] with the equation that we wanted from left to right. And we will add that
[inaudible] X plus 2 is convertible to X plus 3.
But what you won't have, for example, is that 0 plus X is convertible to X, because plus has been
defined by induction of second arguments, and you have no rules when, for example, here this X
is 0.
And so my work here, so you have some little steps, you see little steps next [inaudible] this
computational power, my work here will be to give a big -- to have a big step having much more
computational power in [inaudible] do a small demo.
So this is a Coq [inaudible]. So I did some [inaudible] some modules, and I will start with doing
some proposition logic. So, for example, I want to prove that for any proposition ABC, if A plus
B plus C, then A in place B in place A in place C.
So I got my proof, okay, and I have a proof [inaudible] with the proposition and what I have to
prove. So first I'll start to introduce my hypothesis, and then this is what I have to prove. So I'm
starting from the conclusion going to the hypothesis.
So, for example, if I apply this, this is a function giving me a C from a proof of B and a proof of
A. So I do some application and I have two subgoals, one for A and one for B.
And in order to prove it, this is a [inaudible] function so it's exact. Now I'm moving to B. B, I
know how to prove B from A, so I'm applying this lemma, and now I have to prove A and I'm
done.
And so these tactics here, they build a proof term for that proposition. So when I do the
[inaudible] what's going on is that Coq is reading the proof term and sending the proof term to
the Coq checker. And I can put it here. This is a proof term. So this is a [inaudible] proposition,
the proof, and [inaudible] some application.
So this is the same proof [inaudible] but now I'm using some tactic [inaudible] and this is exact.
And I can [inaudible] the proof term here and I have a proof term which is equivalent to the
previous one.
And so, like I said, for example, there is some automation for arithmetic. So I want to prove that
for all [inaudible] then a distant [inaudible] so I could do it by hand, but I can use [inaudible] the
same. This is done automatically.
And okay. So this is [inaudible] computation. Okay. Here you see there is quite a big proof
term. And now, okay, let's go to this 2 plus 2 equals 4.
So I can do the proof like in Presburger arithmetic, meaning doing rewriting [inaudible] by
equal. So from 2 plus 2, I move to 2 plus 1 successor of 2 plus 1, then I move to successor of
successor of 2 plus 0, then I [inaudible] with 2, and then now I have 4 equals 4 [inaudible] done.
And so here we have -- okay. We have really the proof in the -- in Presburger arithmetic with all
the rewrites.
>>: So all the proofs you just mentioned and 2 plus 2 does some proofs, some lemmas in 2 plus
2 equals 4, they are all justified by induction.
>> Pierre-Yves Strub: No, no, no, not by induction here, because induction is closed, so I can
apply -- I can apply the lemma finitely to prove it. If I want to prove that for all XY, successor
of X plus Y is equal to successor of X plus Y, yes, then I need to do induction. But for 2 plus 2
equals 4, the proof is not using induction.
>>: So it's using this [inaudible] computation?
>> Pierre-Yves Strub: Yes. There is a proof of 2 plus 2 equals 4 is this one. And moving from
2 plus 2 to successor of 2 plus 1 to successor of 2 plus 0 and then to 2 plus.
>>: So that thing for all X plus SY is equal to SOX plus Y?
>> Pierre-Yves Strub: Yes ->>: Where did you get that [inaudible] from?
>> Pierre-Yves Strub: So this is proven by induction, yes. This one is proven by proof by
induction, yes.
>>: But that is sort of like [inaudible].
>> Pierre-Yves Strub: Yeah, yeah, yes. But the proof is very simple. So the proof is not -- so
it's not built in the system. That is Coq is [inaudible] these libraries, and libraries is having some
natural numbers and you have all the basically natural numbers, so [inaudible] and the like. Yes.
And so [inaudible] calculus inductive construction, for example, this one is not done by
induction, this one is simply one step of computation. So one done by induction is the one where
the successor is here.
So as for all the theorems I can use some automation, for example, the [inaudible] tactic, and
then I continue to have some big proof here, okay, for 2 plus 2 equals 4. But I can use some
computation. And here I'm using [inaudible]. This is just X equal to X.
And if I look at the proof term now, the proof term is very small. There is nothing that says that
this is a proof of 4 equals 4. And then Coq is computing 2 plus 2 to 4 and [inaudible] that proof.
So, for example, if I want to prove 2 plus 3 equals 4 by [inaudible], then Coq is comprehending
that it cannot unify 4 to 2 plus 3, two computations.
And now entering the real step of that work. So [inaudible] which is [inaudible] I'm using is
coming from -- with some libraries about trees. And so I'm adding some more natural numbers.
And here I can define two matrices.
So the first one is a matrix over the wing R with N holes and N colons. And two of the matrices
[inaudible] R with M holes and P colons. And so it show matrix is a different type. The matrix
is depending on the [inaudible] and on the number of holes and the number of colons.
And here the star M is a matrix multiplication. And what I will say, that if I do M1 times M2,
what I obtain is a matrix of size N holes and P colon. If, for example, I want to multiply M1
with M1, Coq will complain because the multiplication of M1 is invalid for multiplication with
N1 on the left.
So here dependent types is restricting me -- is forbidding me from multiplying matrices of the
wrong size. And so I can see this in the type of multiplication which [inaudible] I take a matrix
of size N plus M and then [inaudible] and what I return is a matrix of size N times P.
And let's take now this very simple function, so the whole matrix. So the whole matrix is taking
two matrices of size M times N1 or M times N2 and returning the matrix where the two matrices
grew together, so size N and N1 plus N2 colons. And now I define three new matrices, B1, B2,
B3, with [inaudible] colons. And I can check, for example, the type of [inaudible] of B1 B2, and
this is a matrix N [inaudible] two colons.
And which is interesting is that if I compute this matrix, the number of colons is A1 plus R2 plus
F3. But if I do some [inaudible] meaning doing B1 with B2 and B3, then now the size is A1 plus
A2 plus F3.
And so the number of colons is equal. I can prove that this number is equal to that number. But
now what I want to say is that B1 and B2 grew go the [inaudible] with B3 is equal to matrix B1
grew with B2 B3. So I want to prove this. And now Coq is complaining. I'm not able to state
that lemma. Because it's telling me on the left you have a matrix of that size and on the right you
have a matrix of that size and the types are not equal because here you must have the same type
on the left-hand side and the right-hand side. I have two computations.
And here the two types are open. They are fully computed. So they are not convertible. And
the Coq is rejecting this. So if I want to express a simple lemma, because this is a simple lemma,
if I want to express a simple lemma in Coq, then -- oops, sorry -- then I must start to use some
guests. So here the guest is taking two proof of qualities, it's taking a proof of N equals N, and
the proof of [inaudible] of addition for error 1, error 2, and error 3. And then you take that -- the
first matrix is equal to the second one, but I'm doing some guest. And if I look at the type of
guest, it's really a function taking a pair of proof of [inaudible] between MN prime and MN
prime and guesting the matrix of size MN to a matrix of size N prime N prime.
And I won't go into the details of how you can prove that lemma [inaudible] is quite hard
because you start to manipulate proof and you have to start speaking about equating between
proofs.
And Coq modulo theory is here for removing the need of having guest for expressing such
statement.
So this work is -- this frame is well known, and some solution has been proposed. So one
solution is extensional [inaudible] construction. So here [inaudible] so you have the function
evaluation with convertibility and you say that any term which are power equal are convertible.
So this solve the problem. You can prove that [inaudible] of addition so any term [inaudible]
will be convertible.
This problem is that it's too powerful. For example, 3 will be convertible to the smallest
integers, smallest natural numbers [inaudible]. You will not be able to encode basically the
[inaudible] in Coq, so in that theory. So it's too powerful. You are using proof checking. Coq is
here for checking your proofs. So if you are not able to check your proof anymore, then you are
losing the point of Coq.
>>: What is the complexity of proof checking [inaudible] in Coq?
>> Pierre-Yves Strub: In what term?
>>: Meaning like polynomial exponential.
>> Pierre-Yves Strub: Yes, like of the size of ->>: Size of the proof.
>> Pierre-Yves Strub: Exponential [inaudible].
>>: It's exponential?
>> Pierre-Yves Strub: Yes. Because element type checking is exponential and Coq type
checking is [inaudible].
>>: And what's the upper bound?
>> Pierre-Yves Strub: That's -- I don't know.
>>: [inaudible].
>> Pierre-Yves Strub: [inaudible].
>>: [inaudible] because you have -- you're inferring types, right, with [inaudible]. But in the
colon you're not doing inference, right? You're fully [inaudible].
>> Pierre-Yves Strub: Yeah, but it's similar in the type. It's ensuring the term. But in practice,
even for full term where you are operating the constants, the power is very high. So sometimes
you have to change [inaudible] the way you prove things to other proof checking work in
practice.
So Coq Modulo Theory, so which is the work now, my work I'm introducing, so it's an extension
of the Coq formal language. It's allows the introduction of decision procedures so -- in the
conversion rule. It is implemented and will be in the mainline of the main version of Coq. And,
as I will describe, you can still trust this Coq version, although you are introducing decision
procedure [inaudible].
So for the talk I will present a restriction of the Coq Modulo Theory which I call the calculus of
Presburger construction where instead of introducing any decision procedure we'll only be able
to introduce a decision procedure for the Presburger arithmetic.
So the calculus of Presburger construction will be consistent extension of the core logic of Coq.
So we'll have function
evaluation, the convertibility. You will have the recursor for
natural numbers, so being able to define induction types and function of your natural numbers.
You will have a decision procedure for Presburger arithmetic in the conversion. You will be
able to -- the decision procedure will be able to use the equation which are available from the
proof of environment. And the type checking, the proof checking is decidable.
As I said, here I'm -- I want to add some power to the conversion rule. So the only things I will
modify in the formal language is the conversion. So that is that [inaudible]. And that [inaudible]
so we include the type convertibility, function evaluation, recursor for natural numbers, so for
fixpoint and match. So this is not generating from standard Coq. And then I will introduce the
validity entailment for the Presburger arithmetic.
And what we want at least is that the conversion must consider equal any pair of
Presburger-equal algebraic terms. So what I call algebraic terms, is any term, Coq term, built
from 0 successor and plus and variables with the right arities.
And, for instance, if here I take the dependent type of list of size depending on the size on the
natural number, so this solves our motivation examples, so telling that this type now is
convertible to that type because that subterm is algebraic, it is built from plus and variables. This
one is algebraic. And N plus M and M plus N are equal in the Presburger arithmetic.
And this could be for definition of Coq -- of Coq with Presburger arithmetic. But this does not
define a sound logic. Why? Because let's take that function. So I take a function, taking N and
M, two natural numbers, and returning some list. And so the type is for all NM of type of nat, I
return a list of size N plus M, because body is built like this.
Using my new conversion rule, I know that this function is also of type for all NM of type nat.
Then I return a list of size N plus M.
But now I'll apply that function to these two natural numbers [inaudible] apply to N1 and N2.
And this one is not algebraic. And so the type of this function now is list of size identity
[inaudible] N1 plus N2. And I want it to be convertible to the list of size N2 plus identity of N1.
But since ID of N1 is not algebraic, then nothing ensures that I can [inaudible] because now the
Presburger arithmetic is not able to speak about that subterm.
So what I do is what is done, for example, when you are missing the decision procedure for the
[inaudible], that you will use the question -- you will use variables to abstract aliens to a subterm
which are not algebraic to communicate with the decision procedure.
So if I take -- so the term list apply to plus, which is applied to two modulo terms, I will call that
some -- some alien. They are not known. The term which are not known by the Presburger
decision procedure.
And what I will do is that I will abstract aliens by variables. For example, F apply to nat from
N2 will be abstracted by the variable C1. And this again will be abstracted by the variable C2.
And this arrow with an A here is the algebraisation process [inaudible] variable. So, for
example, here what I obtain is list applied to C1 plus C2. Here I do the same, but now the aliens
are swept. So the algebraisation process will give me the type list apply to C2 plus C1. And
now this one are convertible.
So I'm solving the previous problem, but still that's not enough. Because I will want this
conversion relation to be transitive for using the metatheory study and for proving that this is
[inaudible].
So the question is that which variable we want to choose when asserting aliens. So that comes
from the list. Now a list is applied to plus. And the first [inaudible] is F applied to N1, P0. And
the second [inaudible] is G applied to N2. So since I know that N to N1, P0 is convertible to N1,
this is convertible to that term. That is list applied to FN1 plus GN2.
And now doing some abstraction, okay, I know that C1 plus C2 is convertible to C2 plus C1, so
[inaudible] this one with C2, this one with C1. I obtain this new type which is convertible to that
one, which is G of N2 plus F of N1.
And then here I use the conversion two times. If doing the algebraisation process, I choose my
variables such that two aliens -- you assign the same variable to two aliens with are convertible,
then what you will do is that to C1, C1 [inaudible] F applied to N1 and the alien F applied to N1
P0. That is reversing this one and that one. To C2 you assign G of N2.
And then again what you have is that the algebraisation of the first one is list of C2 plus C1 -- C1
plus C2. The algebraisation of this less one is list of C2 plus C1, and then they are convertible in
one step.
Now what I want also is to be able to use equations from the proof environment, meaning that if
I know that X is equal to 2 and Z plus N is equal to 5, I want that to be convertible to this.
So what you do is that before doing the conversion you are looking at all the equation, you
extract them and you sum them along to the goal you want to solve.
Of course, for the exact same reasons, you want the equations -- equation to be subject to again
extraction. Meaning that if I replace Z but I [inaudible] apply to Z, and if I replace N plus Z by
N plus [inaudible] Z plus 0 plus N, then I want to abstract this again and that again with the same
variable.
So for proof context gamma, what I will write EQ of gamma will be the set of all the equation I
can find in gamma [inaudible] equation which are not fully algebraic. And now my conversion
relation, which was written with a simple tilde, will be returned tilde gamma within the
conversion under the equation I can find in gamma.
One thing to note is that equations will be introduced by the for-all quantifier. So meaning that,
for example, if I start with the proposition, the function which takes a proof P of the proposition
X is equal to Y and returning a list of size X, then this must be convertible to that type which is
the type -- yes?
>>: I'm sorry. Go ahead.
>> Pierre-Yves Strub: Okay. To the type taking the samples for the property X equal Y but
returning a list of size Y. And what you want is that after the for-all quantification, you must be
able to be -- to -- you want to be able to use the equation which is bound by the for-all
quantification. That is when you convert this list of X to this list of Y, you can use that equation,
and then you have conversion.
>>: So [inaudible] architecture communicating theories, you require that each satellite theory be
able to derive all the implied equalities in order to communicate and you also have this variable
introduction.
>> Pierre-Yves Strub: Yeah.
>>: So here you're not placing such a -- you just have this theory and you -- which -- so I'm
trying to understand the relationship. It seems similar in some senses, but you're also -- you're
trying to figure out the equalities implied automatically here or ->> Pierre-Yves Strub: So the [inaudible] is to be able to implement it here and here and
speaking for a moment about [inaudible] which is complete by a sense. So it's why you can
say -- it's why I can -- I can say that I can abstract -- I can decide if I should [inaudible] by same
variables. [inaudible] giving me this [inaudible]. When I want to implement this, then I need the
same restrictions, yes.
>>: All right.
>> Pierre-Yves Strub: So this slide will highlight your point, meaning this is not an algorithm
for the moment. So here we are also going to give an abstract definition of this relation to
gamma. So first understanding that I want the beta for a function evaluation and the [inaudible]
for the fixpoint evaluation.
Then here this is one integrating the [inaudible]. And so the point here is that [inaudible] when
I'm doing the representation of equations, I do not need to know S because this is -- the
normalization is a global process that is taking all the terms of the calculus of construction,
splitting this set into equivalent classes for that relation and ascending a different variable for
each equivalent class [inaudible].
So it's telling me that if I take all the equation of gamma and I do this general algebraisation and
using Presburger arithmetic I can [inaudible] the algebraisation of S is equal to the algebraisation
of T, okay, then I can deduce that [inaudible] is equivalent to T.
And then the last rule is speaking about this contextual rules meaning that if I know that this is
equivalent to that and this equivalent to that and there's extra equation T1, then the full terms
here are equivalent and I have a set of contextual rules like this for the remaining [inaudible].
So what you have is a calculus that this is a consistent calculus. You have strong normalization
of beta, strong normalization of [inaudible]. You have all the properties you expect about that
calculus. And so now you can prove that you can [inaudible] algorithm.
So what the algorithm show will be a very naive algorithm just to show that you can [inaudible]
gamma. So the first point that extracting equation is very easy. You just search for any term of
that form in the proof environment and you extract them. So now the next point is how to
express [inaudible] gamma.
So we start I will show this with an example. So I have my typing environment. And I have two
equation. I have D equals E for natural numbers or variables and I have that T which is a context
in which C appears is equal to the same context in which E appears. And I want to prove that
that term is equivalent to that term shown returning a list applied to N.
So since now I know that [inaudible] is normalizing, I am furthering head normalization of my
types. So this one is already head normalized. And this one is a lambda applied to an argument,
so this reduced to list applied to TD plus N.
And then I have a hat here which is nonalgebraic, and I do some syntactic equality between the
two hats. These are not syntactically equal, then I reject the conversion check.
And so since they are syntactically equal, they have subterms which are paired, which are
algebraic, which has an algebraic cap at least. So on the left-hand side I have N plus T of C; on
the right-hand side I have T of D and N.
And so now I will do -- I will start a conversion check between the paired algebraic subterms.
So this is here I have a new one, third check, which is this one. And my equation are this one.
And so I will now abstract my [inaudible] by doing a pairwise comparison of all [inaudible]
between them. Okay. I will [inaudible] check this one with this one, this one with this one, this
one with this one.
And what I obtain here is that T of D is convertible to T of E because I know that D equals E as
an equation. So we extract TD and TE with the same variable.
TC is not convertible to TD or T or any of the [inaudible]. So for TC, I will use a different
variable, B. So now what I have to check is that N plus A is equivalent to B plus N, knowing
that D equals E [inaudible] algebraisation that A equals B. And of course this is [inaudible] by
the Presburger arithmetic. So I did use that my initial terms are convertible.
So now why should you trust my implementation of this kernel. First, the real implementation is
not choosing this naive algorithm doing pairwise comparison [inaudible]. We're doing some
construct-based algorithm. And so I said that you trust Coq because the kernel is 5,000 lines of
code, and here I allow you to bring some decision procedures into this kernel which can be big
which can have aggressive optimization. And so you break the trust. Unless, unless decision
procedure is generating some certificates.
And so what you can do is to define two-level kernels. So [inaudible] CC of X is a type checker,
is a kernel for the calculus of construction with some decision procedure X in each conversion.
So this is a kernel, these two box. The kernel has two levels. You have CC of [inaudible], which
is a calculus of construction [inaudible] meaning the old kernel, the one you trust. And CC of T
is a Coq Modulo Theory with the [inaudible] theory T. This is all one you do not trust.
Okay. You want to check that P is a proof of that, of this list of size of N [inaudible] prime and
this is a size N prime plus N. And so you send that to the kernel.
At some point the kernel will have to do some conversion check, and this conversion check will
do a code to the decision procedure asking if N plus N prime is equal to the N prime plus N.
And this decision procedure [inaudible] is this third step, yes, it is. But I give you a certificate,
and the certificate is a Coq proof T of N plus N prime equals N prime plus N. But this one, this
statement is expressible in the old kernel. This one is not. Okay. This is the same problem for
matrices, but this one is -- equates here on natural numbers and is expressible in the old kernel.
So I can send this proof T certificate to the old kernel one [inaudible]. And if my decision
procedure has no bugs, then the Coq kernel shall have to ensure me, yes, this is a [inaudible]
certificate. And then what I did here is that in this two-level kernel [inaudible] of that part to the
[inaudible] of this one, the old one. so I still trust my kernel as long as the decision procedure is
answering with certificates.
>>: So do you really introduce everything to CC of 0 because the checking of the statement in
one still involves the rules of CC of T, right? It's only the proof of the equality that gets reduced
in CC of 0.
>> Pierre-Yves Strub: So in CC [inaudible] CCM0 and CCMT, the only thing changing is a
convertibility check. All the remaining is a [inaudible] meaning that what you have is that in CC
of 0 you have -- you have -- if I have a theory in the CC of X, I mean, you have -- if the only
[inaudible] that if the theory of MT, then I'm doing beta convertibility, otherwise I'm using this
extra decision procedure.
And so you can [inaudible] this. You can trust this. And then the part I am using, the external
decision procedures, this part you do not trust it because you reduce this one to the old code.
>>: Okay. [inaudible] I don't ever trust T [inaudible] but I have to trust CC of T plus CC of 0.
>> Pierre-Yves Strub: No, you have to trust CC and MT plus the function doing the bunching
between CC and MT and CC of T.
>>: The function is part of CC of T.
>> Pierre-Yves Strub: The function is part of CC of X. Yes.
>>: Okay. CC of X. All right. Yes.
>> Pierre-Yves Strub: And still -- so I don't have time to [inaudible] you can remove -- you can
remove CC of T if you modify CC and MT with an extra constructor with implicit guest. Which
is a calculus between CC and CoqMT. And this CC of MT for implicit guest is very small. So
the idea here is that you want to remove this one.
So let me conclude. So it is good I presented Coq Modulo Theory which serve a longstanding
theoretical problem, that is using an extensional equality decided by a decision procedure in type
theory. In this extension the kernel becomes incremental. New theories are added, and they
come with certificates and the certificate checker can be added safely by the user, then reducing
the [inaudible] old one.
This improves a lot over prior reflexion-based solution because you have more typeable terms.
That is it's not only that CoqMT is adding more automation, is that you can express more
statements without relying on coding, like the guest.
It allows an easy use of dependent types. So I show the list of -- about matrices now for the
[inaudible] problem you can state the statement as you want it to be stated.
And also CoqMT is implemented and free available on that address. CoqMT will be integrated
into the next major release of Coq.
And CoqMT has been used already in several developments. For example, I have one example
of formalization of combinators for logical gates where gates is depending on the number of
inputs and then both outputs. It has been used for encoding of mathematical construction, like
taking the [inaudible] union on [inaudible] family of sets, for example.
And CoqMT metatheory has been studied carefully. Currently we have a syntactical model of
the core logic of CoqMT which has been mechanized, and we are also mechanizing a set
theoretical model in Coq [inaudible].
And you can find more information on CoqMT in those conferences which describe the system
implementation and the metatheory.
And for concluding I would like to give a big picture of this work [inaudible] or work I'm
involved in. So here I have my work about Coq Modulo Theory. And as I said, you saw in the
kernel we want to check that certificate for ensuring the security. And before that we need first
evaluation of function in Coq.
So this is a second part that you may not trust in the kernel which is a part which is compiling
Coq terms to a binary function that we evaluate. And we are currently working on satisfying the
kernel compiler of Coq.
And so this work is related to the F* language. As I said, I formalize and mechanize the
metatheory of F* in Coq and also I satisfy this Coq type checker. But I started using, for
example, the Z3 [inaudible] server. And so I work on some program on validated [inaudible]
certificate generated by SMT server.
Also I start introduce for doing some protocol formalization, and we are working as a use case
the TLS formalization from high-level APIs to cryptographic primitives. And for that there are
two related works, which are a formalization of the math behind cryptographic primitives, for
example, elliptic curves, and also some extension of F* to some relational type theory that then
will be integrated into Coq.
And why doing all of that, that is why now formalizing all these tools and going to big use case
is that I think that we are moving from formal tools which were not useable even by expert to
formal tools which now are usable by expert for formalizing big programs. And I think now we
need big use cases because now we need to find how we can move to formal tools usable by
engineer, for example.
Thank you.
[applause]
>> Pierre-Yves Strub: Yeah.
>>: So [inaudible] your decision procedure says that, yes, I have proved this, but the whole
enterprise fails in the proof checking part.
>> Pierre-Yves Strub: Yeah. So if there is a bug, the certificates must be wrong.
>>: So but, I mean, do you think that can happen only when you have bugs in your software, or
is there a theoretical reason for it, that you can't guarantee that whatever work the decision
procedure has done can always be expressed in the -- you know, in whatever this [inaudible] --
>> Pierre-Yves Strub: [inaudible] the logical expressiveness of Coq is more powerful that what
you can express in decision procedures. Basically in Coq you are more powerful than set theory.
So it will be very unlikely that the decision procedure [inaudible] which is more powerful than
Coq.
So there is no reason that you cannot encode your certificate. It doesn't mean that it will be
simple. And perhaps this procedure of rebuilding a certificate for the result of the decision
procedure will be a lengthy procedure. Yes. But you should be able to do it.
>>: Perhaps you can prove it too, right? [inaudible] be able to do it.
>> Pierre-Yves Strub: Yes.
>>: [inaudible] decision procedure.
>> Pierre-Yves Strub: Yes, you can. The problem is that you don't want to lose some time on
that. Meaning each time we will add a new optimization in your decision procedure, you will
have to better prove that your decision procedure is correct.
And, for example, for [inaudible] you have to add optimization every year, because, if not, you
are losing the next set computation.
So you do not want to have to because proving that all optimization are correct will be -- I think
will be complicated and it's why all the community is moving from satisfy a decision procedure
to decision procedures generating certificates.
But, for example, for set in Coq you have [inaudible] which is a decision procedure for set within
Coq, proved in Coq, and then you can use it instead of the tree, but will be slower in the end.
Yeah.
>>: So the logic for equivalence is classical logic where Coq is [inaudible].
>> Pierre-Yves Strub: Yes.
>>: So there's some ->> Pierre-Yves Strub: Okay. If you want to maintain writes on decision procedure which is
classical, you need [inaudible] in Coq, yes. It's a choice.
>>: But you do that, right?
>> Pierre-Yves Strub: No. For example, for [inaudible] I am not using [inaudible].
>>: Oh, so you only have constructive.
>> Pierre-Yves Strub: Yeah.
>>: So I think on the slide you also mentioned that you have inductive definitions as part of
what you do for equivalence checking.
>> Pierre-Yves Strub: Yes.
>>: So how's the integration of the decision procedure [inaudible].
>> Pierre-Yves Strub: Badly. So I haven't described this today, but you have to add some new
restriction from what I describe when you start to have inductive definition for two reason. One,
for example, if you start using equation, for example, you know that X is equal to 0 and you have
a match of an X, then you must be able to replace X by 0 [inaudible]. Meaning that the
[inaudible] must be done modulo the theory in that case.
And next you have also in Coq the ability to construct proofs [inaudible] type by induction
[inaudible] function which take a natural number and returning nat when the central number is
equal to 0 or nat if not. If an arrow expression of an inconsistent set of equations, for example, I
have the hypothesis 0 is equal to 1, then I will have the nat is convertible to this function in place
of 0 which is convertible to this function equals to 1 which computes to nat or is not.
And then now I am able to encode the [inaudible] in Coq with that. So meaning that if you have
[inaudible] you must restrict the expression of my question to only consistent set of equations.
Yes.
>>: I was actually wondering if there were some decision problems in the space of [inaudible].
>> Pierre-Yves Strub: No, no. So theoretically it's desirable. In practice, for example, I added
some restriction to be much more efficient. For example, this [inaudible] the theory is very
inefficient. But as you -- we want to use the decision procedures to do some conversion for
[inaudible] types, and list is a single which is not defined. It's a type constructor, so [inaudible].
So I know that a list applied to a natural number won't put the natural number in the place of a
match. So I know that, for example, in that place I can [inaudible] the conversion. But I will
[inaudible] the conversion in other places which can put the arguments in the context of a
fixpoint of a match.
So, yes, there are much more restrictions. The full definition of the calculus, it's more
complicated [inaudible]. Yes.
>>: So with the extensional equality, you can show that if you prove two things to be equal, that
you can substitute [inaudible] what about if you [inaudible] two things are equal [inaudible]
simulation, can you then substitute them in the same way?
>> Pierre-Yves Strub: Let me think. So [inaudible] in Coq is not well defined, but you should
be able to -- but I have to think about this more precisely. But at first glance I will say yes.
>> Nikhil Swamy: Any other questions? Well, let's thank the speaker again.
[applause]
Related documents
Vocabulary Unit 5
Vocabulary Unit 5
A real Christian is an odd number, anyway. He
A real Christian is an odd number, anyway. He
Oral History Interview with Curtis Smith July 15, 2006
Oral History Interview with Curtis Smith July 15, 2006
O: Are you there ma'am?
O: Are you there ma'am?
CNN November 17, 2007 Saturday
CNN November 17, 2007 Saturday
Download
advertisement