Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Finalizing Proof of Lemma using the Invariant #2

Closed
JaMaeh opened this issue Apr 15, 2024 · 3 comments · Fixed by #6
Closed

Finalizing Proof of Lemma using the Invariant #2

JaMaeh opened this issue Apr 15, 2024 · 3 comments · Fixed by #6
Assignees
@sertel

Comments

@JaMaeh
Copy link
Collaborator

JaMaeh commented Apr 15, 2024
edited
Loading

Due to changes in the protocols/ primitives, the proof of the main invariant Lemma in RA.v does not go through.

The old goal looks like this:

x: 'unit
hin: (get_pk_att, ('unit, 'pubkey)) \in Att_interface
___________________________________________________
(1/1)
⊢ ⦃ full_heap_eq' ⦄
   x0 ← get pk_loc ;;
   ret x0 
≈
   v ← get pk_loc ;;
   ret v 
⦃ λ '(b₀, s₀) '(b₁, s₁), b₀ = b₁ /\ full_heap_eq' (s₀, s₁) ⦄

and is solved like this:

sync_sig_att. 1: { auto_in_fset. }
      move => a; by [apply r_ret].

Now, due to the changes, the code looks as follows:

x: 'unit
hin: (get_pk_att, ('unit, 'pubkey)) \in Att_interface
____________________________________________________
(1/1)
⊢ ⦃ full_heap_eq' ⦄
   #put sk_loc := nfst KeyGen ;;
   #put pk_loc := nsnd KeyGen ;;
   x0 ← get pk_loc ;;
   ret x0 
≈
   #put sk_loc := nfst KeyGen ;;
   #put pk_loc := nsnd KeyGen ;;
   v ← get pk_loc ;;
   ret v 
⦃ λ '(b₀, s₀) '(b₁, s₁), b₀ = b₁ /\ full_heap_eq' (s₀, s₁) ⦄

Common ways to remove the puts such as eapply r_put_vs_put or ssprove_sync_eq => sk_loc. do not work.
@sertel
Copy link
Collaborator

sertel commented Apr 30, 2024

But you cannot use ssprove_sync_eq because our invariant is not an equality.
But I believe that ssprove_sync should actually do the job.

@JaMaeh
Copy link
Collaborator Author

JaMaeh commented Apr 30, 2024
edited
Loading

ssprove_sync throws the following error:

Error: In environment
x : 'unit
hin : (get_pk_att, ('unit, 'pubkey)) \in Att_interface
Unable to unify
 "⊢ ⦃ λ '(s₀, s₁), ?M5596 (s₀, s₁) ⦄ x ← cmd cmd_put ?M5594 ?M5595 ;;
                                     ret x ≈ x ← cmd 
                                             cmd_put ?M5594 ?M5595 ;;
                                             ret x ⦃ λ '(a₀, s₀) '(a₁, s₁),
                                                ?M5596 (s₀, s₁) /\ a₀ = a₁ ⦄"
with
 "⊢ ⦃ full_heap_eq' ⦄ x ← cmd cmd_put sk_loc (nfst KeyGen) ;;
                      ret x ≈ x ← cmd cmd_put sk_loc (nfst KeyGen) ;;
                              ret x ⦃ λ '(a₀, s₀) '(a₁, s₁),
                                        full_heap_eq' (s₀, s₁) /\ a₀ = a₁ ⦄".

@sertel
Copy link
Collaborator

sertel commented Apr 30, 2024

Ah ok.
This actually would work if the precondition would have the right shape. This really is problem in SSProve that we should also provide a fix for.

Thanks for the description. I will take care of that.

@sertel sertel mentioned this issue Jun 12, 2024
Merged
@sertel sertel linked a pull request Jun 12, 2024 that will close this issue
Issue 2 #6
Merged
@sertel sertel closed this as completed in #6 Jun 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sertel sertel

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Issue 2 Barkhausen-Institut/vRATLS
2 participants
@sertel @JaMaeh