Alwen Tiu

A proof theory for generic judgments

The operational semantics of a computation system is often presented as inference rules or, equivalently, as logical theories. Specifications can be made more declarative and high level if syntactic details concerning bound variables and substitutions are encoded directly into the logic using term-level abstractions (λ-abstraction) and proof-level abstractions (eigenvariables). When one wishes to use such logical theories to support reasoning about properties of computation, the usual quantifiers and proof-level abstractions do not seem adequate: proof-level abstraction of variables with scope over sequents (global scope) as well as over only formulas (local scope) seem required for many examples. We will present a sequent calculus that provides this local notion of proof-level abstraction via generic judgment and a new quantifier, ∇, which explicitly manipulates such local scope. Intuitionistic logic extended with ∇ satisfies cut-elimination even when the logic is additionally strengthened with a proof theoretic notion of definitions. The resulting logic can be used to encode naturally a number of examples involving abstractions, and we illustrate the uses of ∇ with the π-calculus and an encoding of provability of an object-logic.

A Local System for Classical Logic

The calculus of structures is a framework for specifying logical systems, which is similar to the one-sided sequent calculus but more general. We present a system of inference rules for propositional classical logic in this new framework and prove cut elimination for it. The system enjoys a decomposition theorem for derivations that is not available in the sequent calculus. The main novelty of our system is that all the rules are local: contraction, in particular, is reduced to atomic form. This should be interesting for distributed proof-search and also for complexity theory, since the computational cost of applying each rule is bounded.

The Bedwyr System for Model Checking over Syntactic Expressions

Bedwyr is a generalization of logic programming that allows model checking directly on syntactic expressions possibly containing bindings. This system, written in OCaml, is a direct implementation of two recent advances in the theory of proof search. The first is centered on the fact that both finite success and finite failure can be captured in the sequent calculus by incorporating inference rules for definitionsthat allow fixed pointsto be explored. As a result, proof search in such a sequent calculus can capture simple model checking problems as well as may and must behavior in operational semantics. The second is that higher-order abstract syntax is directly supported using term-level i¾?-binders and the i¾? quantifier. These features allow reasoning directly on expressions containing bound variables.

A proof theory for generic judgments: an extended abstract

A powerful and declarative means of specifying computations containing abstractions involves meta-level, universally quantified generic judgments. We present a proof theory for such judgments in which signatures are associated to each sequent (used to account for eigenvariables of sequent) and to each formula in the sequent (used to account for generic variables locally scoped over the formula). A new quantifier, /spl nabla/, is introduced to explicitly manipulate the local signature. Intuitionistic logic extended with /spl nabla/ satisfies cut-elimination even when the logic is additionally strengthened with a proof theoretic notion of definitions. The resulting logic can be used to encode naturally a number of examples involving name abstractions, and we illustrate using the /spl pi/-calculus and the encoding of object-level provability.

Automating Open Bisimulation Checking for the Spi Calculus

We consider the problem of automating open bisimulation checking for the spi calculus, an extension of the pi-calculus with cryptographic primitives. The notion of open bisimulation considered here is indexed by a (symbolic) environment, represented as bi-traces (i.e., pairs of symbolic traces), which encode the history of interaction between the intruder with the processes being checked for bisimilarity. A crucial part of the definition of this open bisimulation, that is, the notion of consistency of bi-traces, involves infinite quantification over a certain notion of “respectful substitutions”. We show that one needs only to check a finite number of respectful substitutions in order to check bi-trace consistency. Our decision procedure uses techniques that have been well developed in the area of symbolic trace analysis for security protocols. More specifically, we make use of techniques for symbolic trace refinement, which transform a symbolic trace into a finite set of symbolic traces in a certain “solved form”. Crucially, we show that refinements of a projection of a bitrace can be uniquely extended to refinements of the bi-trace, and that consistency of all instances of the original bi-trace can be reduced to consistency of its finite set of refinements. We then give a sound and complete procedure for deciding open bisimilarity for finite spi processes.

Induction and Co-induction in Sequent Calculus

Proof search has been used to specify a wide range of computation systems. In order to build a framework for reasoning about such specifications, we make use of a sequent calculus involving induction and co-induction. These proof principles are based on a proof theoretic notion of definition, following on work by Schroeder-Heister, Girard, and McDowell and Miller. Definitions are essentially stratified logic programs. The left and right rules for defined atoms treat the definitions as defining fixed points. The use of definitions also makes it possible to reason intensionally about syntax, in particular enforcing free equality via unification. The full system thus allows inductive and co-inductive proofs involving higher-order abstract syntax. We extend earlier work by allowing induction and co-induction on general definitions and show that cut-elimination holds for this extension. We present some examples involving lists and simulation in the lazy λ-calculus. Two prototype implementations are available: one via the Hybrid system implemented on top of Isabelle/HOL and the other in the BLinc system implemented on top of λProlog.

Expressiveness + automation + soundness: towards combining SMT solvers and interactive proof assistants

Formal system development needs expressive specification languages, but also calls for highly automated tools. These two goals are not easy to reconcile, especially if one also aims at high assurances for correctness. In this paper, we describe a combination of Isabelle/HOL with a proof-producing SMT (Satisfiability Modulo Theories) solver that contains a SAT engine and a decision procedure for quantifier-free first-order logic with equality. As a result, a user benefits from the expressiveness of Isabelle/HOL when modeling a system, but obtains much better automation for those fragments of the proofs that fall within the scope of the (automatic) SMT solver. Soundness is not compromised because all proofs are submitted to the trusted kernel of Isabelle for certification. This architecture is straightforward to extend for other interactive proof assistants and proof-producing reasoners.

A local system for intuitionistic logic

This paper presents systems for first-order intuitionistic logic and several of its extensions in which all the propositional rules are local, in the sense that, in applying the rules of the system, one needs only a fixed amount of information about the logical expressions involved. The main source of non-locality is the contraction rules. We show that the contraction rules can be restricted to the atomic ones, provided we employ deep-inference, i.e., to allow rules to apply anywhere inside logical expressions. We further show that the use of deep inference allows for modular extensions of intuitionistic logic to Dummetts intermediate logic LC, Godel logic and classical logic. We present the systems in the calculus of structures, a proof theoretic formalism which supports deep-inference. Cut elimination for these systems are proved indirectly by simulating the cut-free sequent systems, or the hypersequent systems in the cases of Dummetts LC and Godel logic, in the cut free systems in the calculus of structures.

On the Correspondence between Display Postulates and Deep Inference in Nested Sequent Calculi for Tense Logics

We develop a general criterion for cut elimination in sequent calculi for propositional modal logics, which rests on absorption of cut, contraction, weakening and inversion by the purely modal part of the rule system. Our criterion applies also to a wide variety of logics outside the realm of normal modal logic. We give extensive example instantiations of our framework to various conditional logics. For these, we obtain fully internalised calculi which are substantially simpler than those known in the literature, along with leaner proofs of cut elimination and complexity. In one case, conditional logic with modus ponens and conditional excluded middle, cut elimination and complexity were explicitly stated as open in the literature.Deduction modulo is a paradigm which consists in applying the inference rules of a deductive system (such as for instance natural deduction) modulo a rewrite system over terms and propositions. It has been shown that higher-order logic can be simulated into the first-order natural deduction modulo. However, a theorem stated by Godel and proved by Parikh expresses that proofs in second-order arithmetic may be unboundedly shorter than proofs in first-order arithmetic, even when considering only formulae provable in first-order arithmetic. We investigate how deduction modulo can be used to translate proofs of higher-order arithmetic into first-order proofs without inflating their length. First we show how higher orders can be encoded through a quite simple (finite, terminating, confluent, left-linear) rewrite system. Then, a proof in higher-order arithmetic can be linearly translated into a proof in first-order arithmetic modulo this system. Second, in the continuation of a work of Dowek and Werner, we show how to express the whole higher-order arithmetic as a rewrite system. Then, proofs of higher-order arithmetic can be linearly translated into proofs in the empty theory modulo this rewrite system. These results show that the speed-up between first- and second-order arithmetic, and more generally between ith- and i+1st-order arithmetic, can in fact be expressed as computation, and does not lie in the really deductive part of the proofs.

Verification of clock synchronization algorithms: experiments on a combination of deductive tools

We report on an experiment in combining the theorem prover Isabelle with automatic first-order arithmetic provers to increase automation on the verification of distributed protocols. As a case study for the experiment we verify several averaging clock synchronization algorithms. We present a formalization of Schneider’s generalized clock synchronization protocol [Sch87] in Isabelle/HOL. Then, we verify that the convergence functions used in two clock synchronization algorithms, namely, the Interactive Convergence Algorithm (ICA) of Lamport and Melliar-Smith [LMS85] and the Fault-tolerant Midpoint algorithm of Lundelius–Lynch [LL84], satisfy Schneider’s general conditions for correctness. The proofs are completely formalized in Isabelle/HOL. We identify parts of the proofs which are not fully automatically proven by Isabelle built-in tactics and show that these proofs can be handled by automatic first-order provers with support for arithmetics.