[Dijkstra] CIP-159-11c: Prove LEDGER preservation of value (#1187)#1190
Draft
williamdemeo wants to merge 9 commits into
Draft
[Dijkstra] CIP-159-11c: Prove LEDGER preservation of value (#1187)#1190williamdemeo wants to merge 9 commits into
williamdemeo wants to merge 9 commits into
Conversation
5 tasks
williamdemeo
changed the base branch from
master
to
1186-dijkstra-utxo-and-utxow-pov
williamdemeo
force-pushed
the
1186-dijkstra-utxo-and-utxow-pov
branch
from
ca99121 to
aec8700
Compare
williamdemeo
force-pushed
the
1187-dijkstra-ledger-pov
branch
from
cf1eeab to
24e189f
Compare
…CIP-159)
After direct-deposit application moved from LEDGER-V/SUBLEDGER-V into the
POST-CERT rule, the Certs preservation-of-value proofs needed to account for
the `getCoin (DirectDepositsOf Γ)` increase that POST-CERT now produces via
`rewards ∪⁺ directDeposits`.
Statement changes:
- POST-CERT-pov: getCoin s ≡ getCoin s'
→ getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s'
- sts-pov: gains a `+ getCoin (DirectDepositsOf Γ)` term on the LHS
- CERTS-pov: becomes the symmetric "consumed = produced" form
getCoin s₁ + getCoin (DirectDepositsOf Γ)
≡ getCoin sₙ + getCoin (WithdrawalsOf Γ)
Structural changes:
- POST-CERT-pov and sts-pov move into the parameterized `Certs-Pov-lemmas`
sub-module (alongside PRE-CERT-pov), since they now require a fourth
module parameter:
indexedSumᵛ'-∪⁺ : ∀ (m m' : Rewards) → getCoin (m ∪⁺ m') ≡ getCoin m + getCoin m'
This is the natural ∪⁺ analogue of the existing `indexedSumᵛ'-∪` lemma for
`∪ˡ` on disjoint domains, but unconditional because `∪⁺` adds (rather than
drops) values at shared keys. TODO: upstream to agda-sets.
- `Certs-PoV` (in PoV.lagda.md) gains the same parameter and forwards it.
CERT-pov and PRE-CERT-pov are unchanged: the CERT and PRE-CERT rules did
not change in this refactor.
Closes part of #1185.
williamdemeo
force-pushed
the
1186-dijkstra-utxo-and-utxow-pov
branch
from
aec8700 to
8638126
Compare
williamdemeo
force-pushed
the
1187-dijkstra-ledger-pov
branch
from
24e189f to
c20ef17
Compare
williamdemeo
force-pushed
the
1186-dijkstra-utxo-and-utxow-pov
branch
from
89df52c to
f34dd7b
Compare
williamdemeo
force-pushed
the
1186-dijkstra-utxo-and-utxow-pov
branch
from
f34dd7b to
ed32fcc
Compare
williamdemeo
force-pushed
the
1187-dijkstra-ledger-pov
branch
from
c20ef17 to
1a6f0e5
Compare
After moving direct-deposit application from LEDGER-V into POST-CERT, CERTS-pov now produces a symmetric "consumed = produced" equation: getCoin s₁ + getCoin (DirectDepositsOf Γ) ≡ getCoin sₙ + getCoin (WithdrawalsOf Γ) Thread the direct-deposit term through the LEDGER-pov proof: * SUBLEDGERS-certs-pov gains "+ sum (map ddwl stxs)" on the LHS, where ddwl = getCoin ∘ DirectDepositsOf is the per-sub-tx direct-deposit total (analogous to wdrwl). * combined-certs gains "+ allDirectDeps" on the LHS, composing the per-sub CERTS-pov chain with the top-level call. * The main LEDGER-V chain wraps the result in +-cancelʳ-≡ to discharge the asymmetric "+ allDirectDeps" combined-certs introduces. Removed: * The certStateFinal local definition (LEDGER-V no longer applies applyDirectDeposits). * step-ii and the applyDirectDeposits-rewardsBalance module parameter (subsumed by indexedSumᵛ'-∪⁺ inside POST-CERT-pov). * The DD-split module parameter (subsumed by per-tx CERTS-pov chain). * Stale "Key Lemma" subsection and stale commented-out lines in bat'. * Unused imports +-identityʳ and +-0-monoid. * Redundant local aliases in bat's where-block. Documentation: rewrote "Key Differences from Conway" point 2 and the LEDGER-V Proof Outline to reflect the new architecture; clarified the LEDGER-I outline.
4 tasks
williamdemeo
force-pushed
the
1186-dijkstra-utxo-and-utxow-pov
branch
from
ed32fcc to
60167ea
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Closes #1187.
This PR proves the top-level
LEDGER-povtheorem for the Dijkstra era, building on theCertsandUtxo/UtxowPoV machinery from PRs #<new-A>and #<new-B>. It is the third of three replacing the original PR #1169.It targets the branch of PR #
<new-B>so that CI sees the full PoV chain in order; once #<new-B>merges, this PR will be retargeted tomaster.Module
Ledger.Properties.PoVHasCoininstances andLEDGER-povDesign notes
Why the proof reasons about
LEDGER-Vas a single stepThe Dijkstra
LEDGER-povproof does not decompose into independentSUBLEDGERS-povandUTXOW-povpieces, because (i) individualSUBUTXOrules have no balance equation — only the batch-levelconsumedBatch ≡ producedBatch(inUTXO) constrains the total — and (ii) sub-transactions may individually transfer value between UTxO and CertState (via sub-withdrawals, sub-deposits, sub-direct-deposits) without local balancing. Instead, the proof reasons about the entireLEDGER-Vstep at once.applyDirectDepositscancellation is the main new challengeIn
LEDGER-V,certStateFinal = certStateWithDDeps tx certState₂ = record certState₂ { dState = applyDirectDeposits (DirectDepositsOf tx) (DStateOf certState₂) }. Direct deposit value appears inproducedBatch(UTxO side) and incertStateFinal(CertState side), so it cancels in the total. The proof is an equational chain combiningSUBLEDGERS-certs-pov, top-levelCERTS-pov, the batch-UTxO-accounting step, and theapplyDirectDeposits-rewardsBalanceidentity. Per-transaction direct deposit application (PR #1161) makes this slightly cleaner than batch-wide application would have been, because each transaction's direct-deposit total appears next to its ownproducedTxterm inproducedBatch, mirrored by its owncertStateWithDDepsstep.Helpers proved here
SUBLEDGERS-certs-pov— induction over theSUBLEDGERSreflexive-transitive closure, composing per-sub-transactionCERTS-povinvocations.SUBLEDGERS-utxo-coin— parallel induction trackinggetCoin (UTxOStateOf _)through theSUBLEDGERSchain via the per-stepSUBUTXOWcoin equation.LEDGER-pov— bothLEDGER-VandLEDGER-Icases.The
LEDGER-Icase is straightforward:certStateandgovStare unchanged,SUBLEDGERSis a no-op, and only theUTXOWstep affectsgetCoin, which it preserves viautxow-pov-invalid(from PR #<new-B>).Outstanding proof obligations
The following are stated as module parameters of
Ledger.Properties.PoV, with detailed proof sketches in comments. Each will be discharged in a follow-up; the dependencies are now in place.CIP-159–specific or Dijkstra-specific:
applyDirectDeposits-rewardsBalance— should follow from∪⁺properties.subutxow-step-coin— per-stepSUBUTXOWcoin equation. Requires a batch-wide "spend inputs preserved" invariant and freshness of each sub-tx's TxId relative to the running UTxO.utxo₁-tx-spend-eqandfresh-top-tx-id— batch-wide invariants on the post-SUBLEDGERSUTxO state. Both follow from batch-wide input disjointness and TxId freshness, which the outer UTXO rule establishes at the batch level but does not expose per-step.Era-independent (can be discharged in a small standalone follow-up):
posNeg-deposits— deposit-change posPart/negPart identity. Provable from the definition ofcalculateDepositsChangeand the standardy + posPart (x − y) ≡ x + negPart (x − y)lemma.DD-split— aggregation identity forallDirectDeposits. Provable once we confirmallDirectDepositssums top-level and sub-level direct deposits disjointly.sum-map-+— standard list algebra.The shared parameters (
balance-∪,split-balance,outs-disjoint,noMintTx,noMintSubTx,∪ˡ-res-lookup-preserve,sum-map-proj₂≡getCoin,setToList-Unique) are the same ones already taken as parameters in PRs #<new-A>and #<new-B>; they are threaded through here.The invariant properties from §§3–6 of the parent issue #1123 (phantom asset, non-negative balance, direct-deposit registration, balance-interval satisfaction) are mostly straightforward consequences of
UTXO-Premisesconjuncts and are deferred to a follow-up.Checklist
CHANGELOG.md