A Self-Verifying Theorem Prover, Jared Davis (advertisement by J Strother Moore) - PowerPoint PPT Presentation

  1. A “Self-Verifying” Theorem Prover
     Jared Davis (advertisement by J Strother Moore)
     Department of Computer Sciences, University of Texas at Austin
     September 18, 2009

  2. [Figure: the Theorem Prover takes a formula φ and answers “?” or “Yes”; the Proof Checker takes a proof π and answers “Yes” or “No”]

  3. Rules of Inference
     Prop Schema:    ¬A ∨ A  (no premises)
     Contraction:    from A ∨ A derive A
     Expansion:      from A derive B ∨ A
     Associativity:  from A ∨ (B ∨ C) derive (A ∨ B) ∨ C
     Cut:            from A ∨ B and ¬A ∨ C derive B ∨ C

  4. Instantiation:  from A derive A/σ
     Induction (ordinals below ε₀)
     Recursive Definition (ordinals below ε₀)

  5. Axioms
     Reflexivity:             x = x
     Equality:                x₁ = y₁ → x₂ = y₂ → x₁ = x₂ → y₁ = y₂
     Functional Reflexivity:  x₁ = y₁ → … → xₙ = yₙ → f(x₁, …, xₙ) = f(y₁, …, yₙ)

  6. Beta Reduction:   ((λx₁ … xₙ. β) t₁, …, tₙ) = β/[x₁ ← t₁, …, xₙ ← tₙ]
     Base Evaluation:  e.g., 1 + 2 = 3

  7. 52 Lisp Axioms, e.g., car(cons(x, y)) = x

  8. Assumed Characteristics
     Proof Checker:   small (1500 LOC), trusted, impractical
     Theorem Prover:  big (100K LOC), untrusted, practical
     How can we trust the Theorem Prover?

  9. Related Work
     • LCF-style (trust depends on type system, time-inefficient)
     • Constructive type theory (trust depends on type system, space-inefficient)
     • Proof Objects (trust depends on proof checker, space- and time-inefficient)

  11. [Figure: φ → Theorem Prover → Proof Generator → π → Proof Checker → Yes / No]

  15. Two Alternatives
      (1) Run the Proof Generator every time and check the proof with the trusted Proof Checker.
      (2) Prove that the Proof Generator will always generate a proof that succeeds.
      But what prover do you use?

  16. Correctness wrt Proof Checker (“Fidelity”)
      When the Theorem Prover (“A”) returns “Yes” on φ,
      • the Proof Generator produces a well-formed proof π
      • the proof π concludes with φ
      • the Proof Checker (“C”) accepts π

  17. The Project
      Suppose you’ve defined the proof checker C as an executable Lisp program. Then use it to
      • admit the definition of C as an axiom
      • admit the definition of A as an axiom
      • check a proof of the correctness formula:

  18. Correctness Formula
      formula(φ) ∧ A(φ) → (∃π. proof(π) ∧ concl(π) = φ ∧ C(π))

  19. What You Must Trust
      • the program C
      • the hardware/software platform it runs on
      • the statement of the correctness theorem (you needn’t bother to read the definition of A if you don’t care how it works)
      • the fact that there is a proof file that C certifies as a proof of the statement

  20. Jared’s Problem: generating a checkable proof of the correctness statement

  21. Plan
      [Figure: “I am correct” → Theorem Prover → Proof Generator → Π → Proof Checker → Yes / No]
      • Prove “I am correct” with the Theorem Prover
      • Generate that proof Π
      • Check Π with the Proof Checker
      • Never generate another proof

  23. Unfortunately
      The proof of correctness, Π, of a practical theorem prover is too big to generate and check.

  24. ...because
      • to be trustworthy, the Proof Checker takes tiny inference steps, so proofs are big, and
      • the Theorem Prover is a big system

  25. Solution (... sort of)
      Introduce a more powerful trusted proof checker and prove it correct.

  26. Solution (... sort of)
      [Figure: tower of checkers A → Gen_A → B → Gen_B → C]
      • Use A to prove A correct wrt B
      • Run Gen_A to get B-level proof Π_A
      • Use A to prove B correct wrt C
      • Run Gen_B ∘ Gen_A to get C-level proof Π_B
      • Check Π_B with C
      • Check Π_A with B

  27. Solution (... sort of)
      Let Γ = Gen_A(Gen_B(Π_A)). Then:
      • Γ is a C-level proof of the correctness of A
      • Γ is certified by C
      • Γ is (might be) too large to actually construct

  28. Unfortunately
      Just one intermediate proof checker is not enough, i.e., even Π_A and Π_B are too large to construct.

  29. It is important to
      • increase the size of the inference step, and
      • decrease the complexity differences between the software systems

  30. Jared’s Stack
      Level  Layer
       11    Induction and other tactics
       10    Conditional rewriting
        9    Evaluation and unconditional rewriting
        8    Audit trails (in prep for rewriting)
        7    Case splitting
        6    Factoring, splitting help
        5    Assumptions and clauses
        4    Miscellaneous ground work
        3    Rules about primitive functions
        2    Propositional reasoning
        1    Primitive proof checker
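The following is an added example, not code from the talk or from the Milawa prover it describes. It models, in miniature, the bottom two levels of the stack on slide 30 and the tower construction of slides 26 and 27: a primitive checker C implementing the five propositional rules of slide 3, a more powerful checker B that additionally accepts one derived rule (commutativity of ∨), and a generator Gen_B that expands any B-level proof into a C-level proof with the same conclusion. The last function states the fidelity property of slides 16 through 18 for this toy: whenever B says “Yes” to a proof of φ, Gen_B yields a proof π with concl(π) = φ that C accepts. The tuple encoding of formulas, the rule names, the single derived rule and the sample goal p ∨ ¬p are all assumptions made for this example.

```python
# Added example, not code from the talk or from the Milawa prover.
# Formulas are nested tuples: an atom is a str, ('not', A), ('or', A, B).
# A proof is a list of steps (rule_name, conclusion, [indices of earlier steps]).

def _or(a, b):
    return ('or', a, b)

def _not(a):
    return ('not', a)

def _is_or(f):
    return isinstance(f, tuple) and f[0] == 'or'

def primitive_step_ok(rule, concl, prems):
    """Level-1 checker C: one step under the propositional rules of slide 3.
    `prems` holds the conclusions of the premise steps, not their indices."""
    if rule == 'prop-schema':                      # ¬A ∨ A, no premises
        return not prems and _is_or(concl) and concl[1] == _not(concl[2])
    if rule == 'contraction':                      # from A ∨ A derive A
        return len(prems) == 1 and prems[0] == _or(concl, concl)
    if rule == 'expansion':                        # from A derive B ∨ A
        return len(prems) == 1 and _is_or(concl) and concl[2] == prems[0]
    if rule == 'associativity':                    # from A ∨ (B ∨ C) derive (A ∨ B) ∨ C
        return (len(prems) == 1 and _is_or(prems[0]) and _is_or(prems[0][2])
                and concl == _or(_or(prems[0][1], prems[0][2][1]), prems[0][2][2]))
    if rule == 'cut':                              # from A ∨ B and ¬A ∨ C derive B ∨ C
        return (len(prems) == 2 and _is_or(prems[0]) and _is_or(prems[1])
                and prems[1][1] == _not(prems[0][1])
                and concl == _or(prems[0][2], prems[1][2]))
    return False                                   # unknown rule: reject

def check_proof(proof, step_ok):
    """Generic checker: each step may only cite earlier steps, and each step
    must be licensed by `step_ok`. Returns True only if every step passes."""
    for i, (rule, concl, prem_idx) in enumerate(proof):
        if any(not 0 <= j < i for j in prem_idx):
            return False                           # forward or dangling reference
        prems = [proof[j][1] for j in prem_idx]
        if not step_ok(rule, concl, prems):
            return False
    return True

def level2_step_ok(rule, concl, prems):
    """Level-2 checker B: everything C accepts, plus one derived rule."""
    if rule == 'commutativity':                    # from A ∨ B derive B ∨ A
        return (len(prems) == 1 and _is_or(prems[0])
                and concl == _or(prems[0][2], prems[0][1]))
    return primitive_step_ok(rule, concl, prems)

def gen_b(proof_b):
    """Gen_B: expand a B-level proof into a C-level proof of the same conclusion.
    A commutativity step A ∨ B ⊢ B ∨ A becomes the prop schema ¬A ∨ A followed
    by a cut of A ∨ B with ¬A ∨ A, which yields B ∨ A under C's rules."""
    if not check_proof(proof_b, level2_step_ok):
        raise ValueError("B rejects this proof; nothing to expand")
    out, where = [], {}                            # where: B-level index -> C-level index
    for i, (rule, concl, prem_idx) in enumerate(proof_b):
        c_idx = [where[j] for j in prem_idx]
        if rule == 'commutativity':
            a = proof_b[prem_idx[0]][1][1]         # the A in the premise A ∨ B
            out.append(('prop-schema', _or(_not(a), a), []))
            out.append(('cut', concl, [c_idx[0], len(out) - 1]))
        else:
            out.append((rule, concl, c_idx))
        where[i] = len(out) - 1
    return out

def fidelity(phi, proof_b):
    """Slides 16-18 for this toy: if B accepts proof_b as a proof of phi, then
    Gen_B produces a well-formed proof that concludes with phi and C accepts."""
    if not proof_b or proof_b[-1][1] != phi or not check_proof(proof_b, level2_step_ok):
        return False
    pi = gen_b(proof_b)
    return pi[-1][1] == phi and check_proof(pi, primitive_step_ok)

# Constructed sample: goal φ = p ∨ ¬p, proved at level B in two steps.
P = 'p'
PHI = _or(P, _not(P))
PROOF_B = [
    ('prop-schema', _or(_not(P), P), []),          # ¬p ∨ p
    ('commutativity', PHI, [0]),                   # p ∨ ¬p, one B-level step
]
BAD_PROOF = [('expansion', PHI, [])]               # expansion needs a premise

if __name__ == '__main__':
    print('B accepts:', check_proof(PROOF_B, level2_step_ok))
    print('C accepts the B-level proof directly:', check_proof(PROOF_B, primitive_step_ok))
    pi = gen_b(PROOF_B)
    print('C-level steps after Gen_B:', len(pi), 'C accepts:', check_proof(pi, primitive_step_ok))
    print('fidelity:', fidelity(PHI, PROOF_B), fidelity(PHI, BAD_PROOF))
```

Running the block shows the shape of the argument on the slides: C alone rejects the two-step proof because it does not know the derived rule, Gen_B turns it into three primitive steps that C does accept, and the expansion factor (one B step becomes two C steps here) is what, at the scale of a real prover, makes the fully expanded proof Γ “(might be) too large to actually construct”.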
