Typeclass for simplifying working with labelled data #51
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I like the idea! I think it's okay if there are no lemmas for these specific functions and we rely on the basic ones on |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a (very) rough draft of a general idea to avoid (mostly) needing to explicitly call
get_label, by using a typeclass to manage label extraction from labelled data, particularly for when we come to doing large proofs that tracecan_flowthrough several different objects.I believe this makes proofs more focused on the core idea, and I don't see any obvious drawbacks (it seems like the typeclass resolution works fine in the testing I've done, but maybe there are examples where it wouldn't work so cleanly).
I think an actual implementation should probably be a bit more core, replacing the existing
get_labelhandling everywhere, but it seemed best for a proof of concept to be lighter-weight.One potential drawback I see here is that SMTPats don't appear to work very well on the test lemmas I defined here, because they don't bind the
labelledinstances (but maybe there's a way to work around that with the right patterns).That said, since the definitions being used aren't opaque, we rapidly get back to the
can_flowlemmas which have working SMTPats. This does probably use up additional fuel, though, due to the additional layer of indirection, so if possible it would be better to lift any key SMTPat lemmas that we use aboutcan_flowtoless_secretand hide the definitions.One other possible application that I didn't explore here is to use this not only in the proofs, but also in constructing labels --- in principle, we could make
jointake arbitrarylabellabledata, rather than justlabels, making it somewhat cleaner to write down "new random value x is secret to anyone who knows either data y or data z".Feedback welcome, particularly on the core idea, but also on how this concept might be helpful more generally.