## Communicating and trusting proofs: The case for broad spectrum proof certificates (2011; available from the author's website)

Citations: 2 (2 self)

### BibTeX

    @MISC{Miller11communicatingand,
      author = {Dale Miller and Lix École Polytechnique},
      title  = {Communicating and trusting proofs: The case for broad spectrum proof certificates. Available from author's website},
      year   = {2011}
    }

### Abstract

Proofs, both formal and informal, are documents that are intended to circulate within societies of humans and machines distributed across time and space in order to provide trust. Such trust might lead one mathematician to accept a certain statement as true, or it might help convince a consumer that a certain software system is secure. Using this general characterization of proofs, we examine a range of perspectives about proofs and their roles within mathematics and computer science that often appear contradictory. We then consider the possibility of defining a broad spectrum proof certificate format that is intended as a universal language for communicating formal proofs among computational logic systems. We identify four desiderata for such proof certificates: they must be (i) checkable by simple proof checkers, (ii) flexible enough that existing provers can conveniently produce such certificates from their internal evidence of proof, (iii) directly related to proof formalisms used within the structural proof theory literature, and (iv) permit certificates to elide some proof information with the expectation that a proof checker can reconstruct the missing information using bounded and structured proof search. We consider various consequences of these desiderata, including how they can mix computation and deduction and what they mean for the establishment of marketplaces and libraries of proofs. In a companion paper we propose a specific framework for achieving all four of these desiderata.

### Citations

- Necula. Proof-carrying code (1997). 1096 indexed citations. Cited as [Nec97]: "...that code if the phone could check that the proof established certain security assertions. The development of such an infrastructure has been extensively studied under the title “proof carrying code” [Nec97]. To meet their goals, societies circulate a wide variety of documents. Among mathematicians such documents include those describing examples, counterexamples, lists of definitions, axioms, and hierar..."

- Andreoli. Logic programming with focusing proofs in linear logic (1992). 333 indexed citations.

- Gentzen. Investigations into logical deduction (1969). 261 indexed citations. Cited as [Gen69]: "...e logic that allows for mixing both classical and intuitionistic logic into one logic. Such a possibility seems suggested by Gentzen's original characterization of the difference between these logics [Gen69] as involving the presence or absence of structural rules (on the right of the sequent arrow) and Girard's linear logic [Gir87] which gives a flexible and precise notation for relating logical connect..."

- Appel. Foundational proof-carrying code (2001). 228 indexed citations.

- Lakatos. Proofs and Refutations (1976). 128 indexed citations. Cited as [Lak76]: "...his proof, he might take certain actions, such as developing consequences of that theorem. 2. Consider a group of mathematician colleagues such as the one featured in Lakatos's Proofs and Refutations [Lak76]. This society interacts within a lively and narrow spatial dimension with the agents sitting together discussing. The individuals also interact across time, of course, as new examples, counter-example..."

- De Millo, Lipton, et al. Social processes and proofs of theorems and programs (1979). 96 indexed citations. Cited as [MLP79]: "...ies of some other programs. In light of this description of a society working to develop an operating system, consider some of the criticisms of formal methods raised by De Millo, Lipton, and Perlis in [MLP79]. For example, they argued that formal verification in computer science does not play the same role as proofs do in mathematics: this certainly does not seem problematic because of the differences amo..."

- Hardin, Kirchner. Theorem proving modulo. 78 indexed citations. Cited as [DHK03]: "...lly rely on extensive uses of β-reduction. Via the deduction modulo approach to specifying proof systems, theories can, at times, be turned into functional computations that sit within inference rules [DHK03]. The Dedukti proof checker [Boe11] uses deduction modulo by compiling such computations into the functional programming language Haskell. On the other hand, there are proof checkers that are built us..."

- Ball, Cook, et al. SLAM and Static Driver Verifier: Technology transfer of formal methods inside Microsoft (2004). 67 indexed citations. Cited as [BCLR04]: "...ons might be required: for example, certain guarantees about device drivers (low level code used to control devices attached to a computer) might need to be formally verified by, say, a model checker [BCLR04]. 5. In a group of programmers, users, mobile computers, and servers can come together to provide numerous services, machines themselves should be classified as individuals since decisions and actions..."

- Necula, Lee. Efficient representation and validation of proofs (1998). 60 indexed citations. Cited as [NL98]: "...ke engines that involve unification and (bounded) backtracking search. An early experiment with using logic programming engines to reconstruct missing proof information was reported by Necula and Lee [NL98]. This desideratum forces the design of proof certificates in rather particular directions. While the other desiderata seem general and even obviously desirable, this fourth desideratum is the most c..."

- Liang, Miller. Focusing and polarization in linear, intuitionistic, and classical logics (2009). 44 indexed citations.

- Prawitz. Natural Deduction. Almqvist (1965). 39 indexed citations.

- Bowen. Formal methods in safety-critical standards (1993). 37 indexed citations. Cited as [Bow93]: "...r example, some professional and contractual standards (for example, DefStan 0055 of the UK Defence Standards [Min97]) mandate formal proofs for software that is highly critical to system safety (see [Bow93] for an overview of such standards). The cost of going to market with a computer system containing an error can, in some cases, prove so expensive that additional assurances arising from formal verifica..."

- Harrison. A machine-checked theory of floating point arithmetic. 31 indexed citations. Cited as [Har99]: "...point division algorithm used in an Intel processor proved to be extremely costly for Intel: formal verification was used within Intel to help improve the correctness of its floating point arithmetic [Har99]. Where there is economic value there are opportunities for markets, and proof certificates that satisfy desiderata D1 and D2 make it possible to develop a marketplace for proofs in the following sen..."

- Anne Troelstra and Helmut Schwichtenberg. Basic Proof Theory (1996). 31 indexed citations.

- Negri, von Plato. Structural Proof Theory (2001). 29 indexed citations.

- Pollack. How to believe a machine-checked proof (1998). 26 indexed citations. Cited as [Pol98]: "...orem prover: in a sense, a proof checker removes the need to have trust in theorem provers. The separation of proof generation from proof checking is a well understood principle: for example, Pollack [Pol98] argues for the value of independent checking of proofs, and the Coq proof system has a trusted kernel that checks proposed proof objects before accepting them [Tea02]. Proof checking is likely to be a..."

- Baelde. A linear approach to the proof-theory of least and greatest fixed points (2008). 24 indexed citations.

- Barendregt, Wiedijk. The challenge of computer mathematics (2005). 13 indexed citations. Context shown by the index: "...ns, and proofs, we need to focus on frameworks that are general and inclusive. This goal has led us to consider the following selections. Simple Theory of Types Church's Simple Theory of Types (STT) [Chu40] provides a syntactic framework for unifying propositional, first-order, and higher-order logics. Such formulas allow quantification at all higher-order types which in turn allows for rich forms of ab..."

- Liang, Miller. A unified sequent calculus for focused proofs. 13 indexed citations.

- Girard. Linear logic. Theoretical Computer Science, 50:1–102 (1987). 11 indexed citations. Cited as [Gir87]: "...ntzen's original characterization of the difference between these logics [Gen69] as involving the presence or absence of structural rules (on the right of the sequent arrow) and Girard's linear logic [Gir87] which gives a flexible and precise notation for relating logical connectives with structural rules. Although there have been at least a couple of efforts to bring these logics together into one proof..."

- MacKenzie. Mechanizing Proof (2001). 11 indexed citations. Cited as [Mac01]: "...ry of mathematical concepts, it is not a valid criticism (nor was it intended to be) of those building safety critical software where formal proof can play an important role in establishing certainty [Mac01]. For the rest of this paper, we turn our attention to formal proof and how these can be designed to be universal and amenable to communicating and checking. 3 Formulas and logical interpretation Befo..."

- Boespflug. Conception d'un noyau de vérification de preuves pour le λΠ-calcul modulo (2011). 9 indexed citations. Cited as [Boe11]: "...uction. Via the deduction modulo approach to specifying proof systems, theories can, at times, be turned into functional computations that sit within inference rules [DHK03]. The Dedukti proof checker [Boe11] uses deduction modulo by compiling such computations into the functional programming language Haskell. On the other hand, there are proof checkers that are built using non-deterministic search princi..."

- Girard. Le point aveugle, cours de logique, tome 1 : vers l'imperfection. Editions Hermann, collection Visions des Sciences (2006). 7 indexed citations.

- Appel, Felty. Lightweight lemmas in Lambda Prolog (1999). 6 indexed citations.

- Miller. A proposal for broad spectrum proof certificates (2011). 6 indexed citations. Cited as [Mil11]: "...arge objects that could overwhelm communication, storage, and checking resources, proof certificates must also allow for trade-offs between proof size and proof checking. We describe in another paper [Mil11] how it should be possible to design such a notion of proof certificate. In this paper, however, we flesh out several consequences of having proof certificates of this style. 2 Characterizing proofs a..."

- Nigam, Miller. A framework for proof systems. 5 indexed citations. Cited as [NM10]: "...epresenting one proof system within another proof system is central to our development here, we expand on this topic next. 5.2 Three levels of adequacy When comparing two inference systems, we follow [NM10] by identifying three “levels of adequacy.” The weakest level of adequacy is relative completeness: a formula has a proof in one system if and only if it has a proof in another system. Here, only prov..."

- Clark. The life of Bertrand Russell (1975). 4 indexed citations.

- Fontaine, Marion, et al. (including Prensa Nieto and Alwen Fernando Tiu). Expressiveness + automation + soundness: Towards combining SMT solvers and interactive proof assistants (2006). 4 indexed citations.

- George Necula and Shree Prakash Rahul. Oracle-based checking of untrusted software (2001). 4 indexed citations. Cited as [NR01]: "...og-based proof checker was resolved by supplying the checker with an oracle which was responsible for having all the answers to the question “I have several choices to consider, which should I take?” [NR01]. While placing significant amounts of computation (either functional or relational) into inferences seems necessary for capturing a wide range of proof certificates, this integration comes with some ..."

- U.K. Ministry of Defence. UK defence standardization (1997). 2 indexed citations. Cited as [Min97]: "...s for proofs Formal proofs of software and hardware are developing some economic value. For example, some professional and contractual standards (for example, DefStan 0055 of the UK Defence Standards [Min97]) mandate formal proofs for software that is highly critical to system safety (see [Bow93] for an overview of such standards). The cost of going to market with a computer system containing an error can,..."

- David Baelde. Least and greatest fixed points in linear logic. PhD thesis, Ecole Polytechnique, December 2008 (year listed by the index: 2010). 1 indexed citation.