diff --git a/examples/cosmos/ics23/README.md b/examples/cosmos/ics23/README.md index 09090a50a..e5e9bfc73 100644 --- a/examples/cosmos/ics23/README.md +++ b/examples/cosmos/ics23/README.md @@ -1,60 +1,48 @@ -This is a formal specification and invariants of [ICS23 Spec][] in Quint and TLA+: +This is a formal specification and invariants of [ICS23 Spec][] in Quint. +If this is the first Quint specification you see, we recommend checking simpler +specifications first. This one is quite advanced. ## Quint specification Specification [ics23.qnt](./ics23.qnt) is the Quint specification that contains four modules: - - Module `basics` contains basic type definitions and auxiliary definitions. + - Module `hashes` introduces a specification of hashes via a symbolic + representation of irreversible hashes. - - Module `ics23` contains membership and non-membership proofs. + - Module `ics23` contains membership and non-membership proofs, + following the ICS23 code. - - Module `ics23pbt` contains definitions for randomized tests similar to PBT. + - Module `ics23test` contains basic unit tests that demonstrate simple + scenarios of membership and non-membership verification. - - Module `trees` contains advanced randomized tests that use tree generation. + - Module `treeGen` contains advanced randomized tests + that generate randomized tests for ICS23. **Unit tests.** You can use Quint REPL to run basic unit tests as follows: ```sh -$ quint repl ->>> .load ics23.qnt ->>> import ics23test.* ->>> allTests +$ quint test ics23test.qnt ``` -**Randomized generation of examples.** You can run randomized tests to produce -examples of successful membership and non-membership verification as follows: - -```sh -$ quint repl ->>> .load ics23.qnt ->>> import ics23pbt.* ->>> _test(1000, 10, "Init", "Next", "TestVerify") ->>> _test(1000, 10, "Init", "Next", "TestNonMem") -``` - -**Randomized invariant checking.** Finally, you can check membership and +**Randomized invariant checking.** Also, you can check membership and non-membership invariants with the random simulator: ```sh -$ quint repl ->>> .load ics23.qnt ->>> import trees.* ->>> _test(1000, 1, "Init", "Next", "NonMemInv") ->>> _test(1000, 1, "Init", "Next", "MemInv") +$ quint run --invariant=nonMemInv --max-samples=1000 treeGen.qnt +$ quint run --invariant=memInv --max-samples=1000 treeGen.qnt ``` -## TLA+ specification +If the simulator finds a violation to the above invariants, please let us know, +as these invariants should hold true. -Specifications [ics23.tla](./ics23.tla) and [ics23trees.tla](./ics23trees.tla) -is the manual translation from Quint to TLA+. The main value of this -specification is the ability to check the invariants with Apalache: +If you would like to produce several examples of checking membership and +non-membership, run the simulator as follows: ```sh -$ apalache-mc check --inv=MemInv ics23trees.tla -$ apalache-mc check --inv=NonMemInv ics23trees.tla +$ quint run --invariant=memExample --max-samples=1000 treeGen.qnt +$ quint run --invariant=nonMemExample --max-samples=1000 treeGen.qnt ``` - [ICS23 Spec]: https://github.com/cosmos/ibc/tree/main/spec/core/ics-023-vector-commitments [ICS23]: https://github.com/confio/ics23/ diff --git a/examples/cosmos/ics23/hashes.qnt b/examples/cosmos/ics23/hashes.qnt new file mode 100644 index 000000000..20a2abc3f --- /dev/null +++ b/examples/cosmos/ics23/hashes.qnt @@ -0,0 +1,153 @@ +/// A symbolic specification of a string that is suitable for reasoning about +/// strings and hashes (such as SHA256). The exact hash function is irrelevant. +/// The only assumption is that a hash is irreversible. +/// +/// Similar to symbolic reasoning by Dolev and Yao, we would like to represent: +/// - a raw sequence of bytes, e.g., [ 1, 2, 3 ], +/// - a hashed sequence, e.g., h([ 1, 2, 3 ]), +/// - a concatenation of a raw sequence and a hash (in any order), +/// e.g., [ 1, 2 ] + h([ 3, 4 ])], +/// - nested hashes, e.g., h([ 1, 2 ] + h([ 3, 4 ])). +/// +/// So the idea is basically to represent words as terms, where the atoms are +/// sequences of integers, and terms are constructed as n-ary applications +/// of the symbol "h", which means "hash". Since Quint enforces strict typing +/// and it does not allow for inductive/recursive algebraic data types, +/// we represent terms as maps that encode trees. For instance, +/// the term h([ 1, 2 ] + h([ 3, 4 ])) + [ 5, 6 ] corresponds to the tree: +/// +/// * +/// / \ +/// Hash [ 5, 6 ] +/// / \ +/// [ 1, 2 ] Hash +/// / +/// [ 3, 4 ] +/// +/// The above tree is represented as a map in Quint. Each key corresponds to a path in the tree; for example, the first root's child is [ 0 ], the second root's child is [ 1 ], the first child of [ 0 ] is [ 0, 0], etc. +/// +/// Map([ 0 ] -> Hash, +/// [ 0, 0 ] -> Raw([1, 2]), +/// [ 0, 1 ] -> Hash, +/// [ 0, 1, 0 ] -> Raw([ 3, 4 ]), +/// [ 1 ] -> Raw[ 5, 6 ]) +/// +/// Igor Konnov, Informal Systems, 2022-2023 +module hashes { + /// A sequence of bytes is simply a list of integers + type Bytes = List[int] + pure val Hash256_ZERO = + raw([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) + + /// compare two lists of integers (e.g., bytes) lexicographically + pure def lessThan(w1: Bytes, w2: Bytes): bool = { + pure val len1 = length(w1) + pure val len2 = length(w2) + or { + len1 < len2 and indices(w1).forall(i => w1[i] <= w2[i]), + and { + len1 == len2, + indices(w1).exists(i => and { + w1[i] < w2[i], + indices(w1).forall(j => j < i implies w1[j] == w2[j]) + }) + } + } + } + + /// A tree node that represents a fragment of a term + type TERM_NODE_T = Hash | Raw(Bytes) + + /// A word is a map from a path to the term node. + /// The first root's child is [ 0 ], the second root's child is [ 1 ], + /// the first child of [ 0 ] is [ 0, 0], etc. + type Term = Bytes -> TERM_NODE_T + + /// Compute term length in bytes, + /// assuming that a hash occupies 32 bytes (as SHA256 does) + pure def termLen(term: Term): int = { + // the roots' children + pure val top = + keys(term).filter(p => length(p) == 1).map(p => term.get(p)) + top.fold(0, (s, t) => match(t) { + | Hash => s + 32 + | Raw(bytes) => s + length(bytes) + }) + } + + /// Construct the term that encodes a raw sequence of bytes + pure def raw(bytes: Bytes): Term = { + Map([ 0 ] -> Raw(bytes)) + } + + /// Is the term representing a raw term? + pure def isRaw(term: Term): bool = { + size(keys(term)) == 1 and term.get([0]) != Hash + } + + /// Hash a term + pure def termHash(term: Term): Term = { + // add Hash on top, which has the key [ 0 ], and attach term to it + pure val paths = Set([ 0 ]).union(keys(term).map(p => [ 0 ].concat(p))) + paths.mapBy(p => + if (p == [ 0 ]) { + Hash + } else { + term.get(p.slice(1, length(p))) + } + ) + } + + /// Concatenate two terms. Special attention is paid to the case when the + /// both terms are raw sequences, which requires them to be merged. + pure def termConcat(left: Term, right: Term): Term = { + pure val l = if (isRaw(left)) left.get([0]) else Hash + pure val r = if (isRaw(right)) right.get([0]) else Hash + + pure def mergeTerms(left: Term, right: Term): Term = { + // Merge the arguments as trees representing terms. + // The number of root's children in the left term: + pure val lwidth = size(keys(left).filter(p => length(p) == 1)) + // the paths of the right term shifted to the right by lwidth + pure val rshifted = + keys(right).map(p => [ lwidth + p[0] ].concat(p.slice(1, length(p)))) + // the paths of the concatenation + pure val paths = keys(left).union(rshifted) + // the resulting term as a map + paths.mapBy(p => + if (p[0] < lwidth) { + left.get(p) + } else { + right.get( [ p[0] - lwidth ].concat(p.slice(1, length(p)))) + } + ) + } + + match(l) { + | Raw(lBytes) => match(r) { + | Raw(rBytes) => + // both arguments are raw sequences, produce a single raw sequence + raw(lBytes.concat(rBytes)) + | Hash => if (lBytes == []) right else mergeTerms(left, right) + } + | Hash => match(r) { + | Raw(rBytes) => if (rBytes == []) left else mergeTerms(left, right) + | Hash => mergeTerms(left, right) + } + } + } + + /// Slice a raw sequence represented by a term. + /// Non-raw sequences are returned unmodified. + pure def termSlice(term: Term, start: int, end: int): Term = { + if (size(keys(term)) != 1) { + term + } else { + pure val first = term.get([ 0 ]) + match(first) { + | Raw(bytes) => raw(bytes.slice(start, end)) + | _ => term + } + } + } +} diff --git a/examples/cosmos/ics23/ics23.qnt b/examples/cosmos/ics23/ics23.qnt index 7b67b2627..40b1f6fd5 100644 --- a/examples/cosmos/ics23/ics23.qnt +++ b/examples/cosmos/ics23/ics23.qnt @@ -1,4 +1,3 @@ -// -*- mode: Bluespec; -*- // This is a protocol specification of ICS23, tuned towards the IAVL case. // // For details of ICS23, see: @@ -7,142 +6,89 @@ // For the implementation of ICS23, see: // https://github.com/confio/ics23/ // -// We still have to parameterize the spec with the data structure parameters -// such as MinPrefixLen, MaxPrefixLen, ChildSize, and hash. -// For the moment, the main goal of this spec is to understand the algorithm -// and test it with the simulator. -// -// 1. To execute the unit tests in REPL, type the following: -// $ quint repl -// >>> .load ics23.qnt -// >>> import ics23test.* -// >>> allTests -// -// REPL should display 'true'. -// -// 2. To execute simple PBT-like tests for 1000 runs of length up to 10 steps -// in REPL, type the following: -// $ quint repl -// >>> .load ics23.qnt -// >>> import ics23pbt.* -// >>> _test(1000, 10, "Init", "Next", "TestVerify") -// >>> _test(1000, 10, "Init", "Next", "TestNonMem") -// -// If REPL displays 'false', it has found an example, -// which can be inspected with q::lastTrace. -// -// 3. To execute advanced PBT-like tests for 1000 runs in REPL, -// type the following: -// $ quint repl -// >>> .load ics23.qnt -// >>> import trees.* -// >>> _test(1000, 1, "Init", "Next", "NonMemInv") -// >>> _test(1000, 1, "Init", "Next", "MemInv") -// -// If REPL displays 'false', it has found an example, -// which can be inspected with q::lastTrace. We expect these tests to -// always return 'true'. Otherwise, this indicates an invariant violation. -// -// Igor Konnov, Informal Systems, 2022 - -module basics { - /// We represent byte sequences as lists of integers - type WORD_T = List[int] - - /// we interpret the empty word as nil - def isNil(word) = length(word) == 0 - - /// compare two integer words lexicographically - def lessThan(w1, w2) = { - val len1 = length(w1) - val len2 = length(w2) - or { - len1 < len2 and w1.indices().forall(i => w1[i] == w2[i]), - and { - len1 == len2, - w1.indices().exists(i => and { - w1[i] < w2[i], - w1.indices().forall(j => j < i implies w1[i] == w2[j]) - }) - } - } - } -} +// Igor Konnov, Informal Systems, 2022-2023 +// Josef Widder, Informal Systems, 2024 +// Aleksandar Ignjatijevic, Informal Systems, 2024 +// Gabriela Moreira, Informal Systems, 2024 // This is a specification of the membership and non-membership proofs -// of ICS23 for IAVL trees: +// of ICS23: // // https://github.com/confio/ics23/blob/master/go/proof.go module ics23 { - import basics.* + import basicSpells.* from "../../spells/basicSpells" + import hashes.* from "./hashes" - // ICS23 proof checking for IavlSpec. - // In contrast to the ICS32 implementation, we specialize it to binary trees: + // ICS23 proof checking. + // In contrast to the ICS23 implementation, we specialize it to binary trees: // https://github.com/confio/ics23/tree/master/go + type InnerSpec = { + minPrefixLength: int, + maxPrefixLength: int, + childSize: int, + emptyChild: Term, + childOrder: List[int], + } - // type aliases for readability - type KEY_T = WORD_T - type VALUE_T = WORD_T - type CommitmentRoot_T = WORD_T - type CommitmentProof_T = WORD_T - - // ICS23 IavlSpec has: - // MinPrefixLength = 4 - // MaxPrefixLength = 12 - // ChildSize = 33 - // - // To ease spec testing, we set: - val MinPrefixLen = 1 - val MaxPrefixLen = 2 - // It is crucial to make sure that ChildSize > MaxPrefixLen - val ChildSize = 3 // with length byte - // Empty child is a predefined sequence that fills an absent child. - val EmptyChild = [ 0, 0, 0 ] + pure val IavlSpec: InnerSpec = { + minPrefixLength: 4, + maxPrefixLength: 12, + childSize: 33, + emptyChild: Hash256_ZERO, + childOrder: [0, 1] + } - /// We need a hash that returns ChildSize elements, - /// with 32 being in the head. - /// For simulation, we are just summing up the word elements modulo 8. - /// For verification, we should use an injective function as a perfect hash. - def hash(word) = [ 32, 0, word.foldl(0, (i, j) => i + j) % 8 ] + type Padding = { + minPrefix: int, + maxPrefix: int, + suffix: int, + } - type LEAF_T = { + type LeafOp = { // The implementation additionally stores hashing and length functions: // hash, prehashKey, prehashValue, len. Since we fix the spec to IAVL, // we do not have to carry them around. - prefix: WORD_T + prefix: Term } - type INNER_T = { + type InnerOp = { // The implementation additionally stores the hashing function. // Since we fix the spec to IAVL, we do not have to carry it around. - prefix: WORD_T, - suffix: WORD_T + prefix: Term, + suffix: Term } /// a proof of existence of (key, value) - type ExistsProof_T = { - key: KEY_T, value: VALUE_T, leaf: LEAF_T, path: List[INNER_T] + type ExistenceProof = { + key: Bytes, value: Bytes, leaf: LeafOp, path: List[InnerOp] } /// a proof of non-existence of a key - type NonExistsProof_T = { - key: KEY_T, left: ExistsProof_T, right: ExistsProof_T + type NonExistenceProof = { + key: Bytes, left: Option[ExistenceProof], right: Option[ExistenceProof] + } + + pure def hashLeaf(key: Bytes, value: Bytes, prefix: Term): Term = { + termHash(prefix + // TODO: use encodeVarintProto + // https://github.com/cosmos/ics23/blob/d0edf8e9cd38f7fc1bfc4311b2814e5d2ea966e8/go/proof.go#L67 + .termConcat(raw([length(key)])) + .termConcat(raw(key)) + .termConcat(raw([32])) + .termConcat(termHash(raw(value)))) + } /// calculate a hash from an exists proof - def existsCalculate(p): - (ExistsProof_T) => CommitmentProof_T = { - // this is how the leaf hash is computed - val leafHash = - hash(p.leaf.prefix - .append(length(p.key)) - .concat(hash(p.key)) - .append(length(p.value)) - .concat(hash(p.value))) + def existsCalculate(p: ExistenceProof): Term = { + // This is how the leaf hash is computed. + // Notice that the key is not hashed. + val leafHash = hashLeaf(p.key, p.value, p.leaf.prefix) // the inner node nodeHashes are concatenated and hashed upwards p.path.foldl(leafHash, - (child, inner) => hash(inner.prefix.concat(child).concat(inner.suffix))) + (child, inner) => + termHash(inner.prefix.termConcat(child).termConcat(inner.suffix))) } /// verify that a proof matches a root @@ -156,8 +102,8 @@ module ics23 { /// proof is an ExistenceProof for the given key and value AND /// calculating the root for the ExistenceProof matches /// the provided CommitmentRoot - def verifyMembership(root, proof, key, value): - (CommitmentRoot_T, ExistsProof_T, KEY_T, VALUE_T) => bool = { + def verifyMembership(root: Term, + proof: ExistenceProof, key: Bytes, value: Bytes): bool = { // TODO: specify Decompress // TODO: specify the case of CommitmentProof_Batch // TODO: CheckAgainstSpec ensures that the proof can be verified @@ -166,109 +112,129 @@ module ics23 { } /// checks if an op has the expected padding - def hasPadding(inner, minPrefixLen, maxPrefixLen, suffixLen) = and { - length(inner.prefix) >= minPrefixLen, - length(inner.prefix) <= maxPrefixLen, - // When inner turns left, suffixLen == ChildSize, + pure def hasPadding(op: InnerOp, pad: Padding): bool = and { + q::debug("min ok", op.prefix.termLen() >= pad.minPrefix), + q::debug("max ok", op.prefix.termLen() <= pad.maxPrefix), + // When inner turns left, suffixLen == child_size, // that is, we store the hash of the right child in the suffix. // When inner turns right, suffixLen == 0, // that is, we store the hash of the left child in the prefix. - length(inner.suffix) == suffixLen + q::debug("ok", op.suffix.termLen() == pad.suffix), + } + + pure def getPadding(spec: InnerSpec, branch: int): Option[Padding] = { + match spec.childOrder.findFirst(x => x == branch) { + | Some(idx) => { + pure val prefix = idx * spec.childSize + pure val suffix = spec.childSize * (spec.childOrder.length() - 1 - idx) + Some({ + minPrefix: prefix + spec.minPrefixLength, + maxPrefix: prefix + spec.maxPrefixLength, + suffix: suffix, + }) + } + | None => None + } } - /// This will look at the proof and determine which order it is... + /// This will look at the proof and determine which order it is. /// So we can see if it is branch 0, 1, 2 etc... to determine neighbors - /// https://github.com/confio/ics23/blob/a4daeb4c24ce1be827829c0841446abc690c4f11/go/proof.go#L400-L411 - def orderFromPadding(inner) = { - // Specialize orderFromPadding to IavlSpec: - // ChildOrder = { 0, 1 } - // branch = 0: minp, maxp, suffix = MinPrefixLen, MaxPrefixLen, ChildSize - // branch = 1: minp, maxp, suffix = - // ChildSize + MinPrefixLen, ChildSize + MaxPrefixLen, 0 - if (hasPadding(inner, MinPrefixLen, MaxPrefixLen, ChildSize)) { - // the node turns left - (0, true) - } else if (hasPadding(inner, ChildSize + MinPrefixLen, - ChildSize + MaxPrefixLen, 0)) { - // the node turns right - (1, true) - } else { - // error - (0, false) - } + pure def orderFromPadding(spec: InnerSpec, op: InnerOp): Option[int] = { + pure val len = spec.childOrder.length() + range(0, len).find_first(branch => { + match getPadding(spec, branch) { + | Some(padding) => hasPadding(op, padding) + | None => false // This should actually early return but this is impossible for our InnerSpec + } + }) } /// leftBranchesAreEmpty returns true if the padding bytes correspond to all /// empty siblings on the left side of a branch, ie. it's a valid placeholder /// on a leftmost path - def leftBranchesAreEmpty(inner) = and { - // the case of leftBranches == 0 returns false - val order = orderFromPadding(inner) - order._2 and order._1 != 0, - // the remaining case is leftBranches == 1, see orderFromPadding - // actualPrefix = len(inner.prefix) - 33 - length(inner.prefix) >= ChildSize, - // getPosition(0) returns 0 - val fromIndex = length(inner.prefix) - ChildSize - inner.prefix.slice(fromIndex, fromIndex + ChildSize) == EmptyChild + def leftBranchesAreEmpty(spec: InnerSpec, op: InnerOp): bool = { + pure val idx = orderFromPadding(spec, op) + pure val leftBranches = idx.unwrap() + and { + idx != None, + leftBranches != 0, + op.prefix.termLen() >= leftBranches * spec.childSize, + pure val actualPrefix = op.prefix.termLen() - leftBranches * spec.childSize + 0.to(leftBranches - 1).forall(i => { + pure val idx = spec.childOrder.findFirst(x => x == i).unwrap() + val from_index = actualPrefix + idx * spec.childSize + spec.emptyChild == op.prefix.termSlice(from_index, from_index + spec.childSize) + }) + } } /// IsLeftMost returns true if this is the left-most path in the tree, /// excluding placeholder (empty child) nodes - def isLeftMost(path) = { - // Calls getPadding(0) => idx = 0, prefix = 0. - // We specialize the constants to IavlSpec. - path.indices().forall(i => - val step = path[i] - or { - // the path goes left - hasPadding(step, MinPrefixLen, MaxPrefixLen, ChildSize), - // the path goes right, but the left child is empty (a gap) - leftBranchesAreEmpty(step) + def isLeftMost(spec: InnerSpec, path: List[InnerOp]): bool = { + match getPadding(spec, 0) { + | Some(pad) => { + path.indices().forall(i => + val step = path[i] + or { + // the path goes left + hasPadding(step, pad), + // the path goes right, but the left child is empty (a gap) + leftBranchesAreEmpty(spec, step) + } + ) } - ) + | None => false + } } /// rightBranchesAreEmpty returns true if the padding bytes correspond /// to all empty siblings on the right side of a branch, /// i.e. it's a valid placeholder on a rightmost path - def rightBranchesAreEmpty(inner) = and { - // the case of rightBranches == 0 returns false - val order = orderFromPadding(inner) - order._2 and order._1 != 1, - // the remaining case is rightBranches == 1, see orderFromPadding - length(inner.suffix) == ChildSize, - // getPosition(0) returns 0, hence, from == 0 - inner.suffix == EmptyChild + def rightBranchesAreEmpty(spec: InnerSpec, op: InnerOp): bool = and { + val idx = orderFromPadding(spec, op) + pure val rightBranches = spec.childOrder.length() - 1 - idx.unwrap() + and { + idx != None, + rightBranches != 0, + op.suffix.termLen() == spec.childSize, + 0.to(rightBranches - 1).forall(i => { + pure val idx = spec.childOrder.findFirst(x => x == i).unwrap() + val from_index = idx * spec.childSize + spec.emptyChild == op.suffix.termSlice(from_index, from_index + spec.childSize) + }) + } } /// IsRightMost returns true if this is the left-most path in the tree, /// excluding placeholder (empty child) nodes - def isRightMost(path) = { - // Specialize to IavlSpec - // Calls getPadding(1) => minPrefix, maxPrefix, - // suffix = ChildSize + MinPrefixLen, ChildSize + MaxPrefixLen, 0 - path.indices().forall(i => - val step = path[i] - or { - // the path goes right - hasPadding(step, ChildSize + MinPrefixLen, ChildSize + MaxPrefixLen, 0), - // the path goes left, but the right child is empty (a gap) - rightBranchesAreEmpty(step) + def isRightMost(spec: InnerSpec, path: List[InnerOp]): bool = { + pure val idx = spec.childOrder.length() - 1 + match getPadding(spec, idx) { + | Some(pad) => { + path.indices().forall(i => + val step = path[i] + or { + // the path goes right + hasPadding(step, pad), + // the path goes left, but the right child is empty (a gap) + rightBranchesAreEmpty(spec, step) + } + ) } - ) + | None => false + } } /// isLeftStep assumes left and right have common parents /// checks if left is exactly one slot to the left of right - def isLeftStep(left, right) = { + def isLeftStep(spec: InnerSpec, left: InnerOp, right: InnerOp): bool = { // 'left' turns left, and 'right' turns right - val lorder = orderFromPadding(left) - val rorder = orderFromPadding(right) + val lorder = q::debug("lorder", orderFromPadding(spec, q::debug("l op", left))) + val rorder = q::debug("rorder", orderFromPadding(spec, q::debug("r op", right))) and { - lorder._2, - rorder._2, - rorder._1 == lorder._1 + 1 + lorder != None, + rorder != None, + rorder.unwrap() == lorder.unwrap() + 1 } } @@ -280,7 +246,7 @@ module ics23 { /// Validate that LPath[len-1] is the left neighbor of RPath[len-1]. /// For step in LPath[0..len-1], validate step is right-most node. /// For step in RPath[0..len-1], validate step is left-most node. - def isLeftNeighbor(lpath, rpath) = { + def isLeftNeighbor(spec: InnerSpec, lpath: List[InnerOp], rpath: List[InnerOp]): bool = { // count common tail (from end, near root) // cut the left and right paths lpath.indices().exists(li => @@ -291,596 +257,65 @@ module ics23 { // dist == 0 holds for the root. val dist = length(lpath) - 1 - li // the prefixes and suffixes match just above the cut points - 1.to(dist).forall(k => + q::debug("path match", 1.to(dist).forall(k => val lnode = lpath[li + k] val rnode = rpath[ri + k] and { lnode.prefix == rnode.prefix, lnode.suffix == rnode.suffix } - ), + )), // Now topleft and topright are the first divergent nodes // make sure they are left and right of each other. // Actually, lpath[li] and rpath[ri] are an abstraction // of the same tree node: // the left one stores the hash of the right one, whereas // the right one stores the hash of the left one. - isLeftStep(lpath[li], rpath[ri]), + q::debug("isLeftStep", isLeftStep(spec, lpath[li], rpath[ri])), // left and right are remaining children below the split, // ensure left child is the rightmost path, and visa versa - isRightMost(lpath.slice(0, li)), - isLeftMost(rpath.slice(0, ri)), + isRightMost(spec, lpath.slice(0, li)), + isLeftMost(spec, rpath.slice(0, ri)), }) ) } /// VerifyNonMembership returns true iff - /// proof is (contains) a NonExistenceProof - /// both left and right sub-proofs are valid existence proofs (see above) or nil - /// left and right proofs are neighbors (or left/right most if one is nil) + /// proof is (contains) a NonExistenceProof, + /// both left and right sub-proofs are valid existence proofs (see above) or nil, + /// left and right proofs are neighbors (or left/right most if one is nil), /// provided key is between the keys of the two proofs - def verifyNonMembership(root, np, key): - (CommitmentRoot_T, NonExistsProof_T, KEY_T) => bool = and { - // getNonExistProofForKey - isNil(np.left.key) or lessThan(np.left.key, key), - isNil(np.right.key) or lessThan(key, np.right.key), + def verifyNonMembership(root: Term, + np: NonExistenceProof, key: Bytes): bool = and { // implicit assumption, missing in the code: // https://github.com/informalsystems/ics23-audit/issues/14 np.key == key, // Verify - not(isNil(np.left.key)) or not(isNil(np.right.key)), - isNil(np.left.key) or and { - verify(np.left, root, np.left.key, np.left.value), - lessThan(np.left.key, key), - }, - isNil(np.right.key) or and { - verify(np.right, root, np.right.key, np.right.value), - lessThan(key, np.right.key), + np.left != None or np.right != None, + np.left != None implies { + pure val left = np.left.unwrap() + and { + lessThan(left.key, key), + verify(left, root, left.key, left.value), + lessThan(left.key, key), + } }, - if (isNil(np.left.key)) { - isLeftMost(np.right.path) - } else if (isNil(np.right.key)) { - isRightMost(np.left.path) - } else { - isLeftNeighbor(np.left.path, np.right.path) - } - } -} - -// a few unit tests to improve our understanding of the specification -module ics23test { - import ics23.* - - // test data - val a = [5] - val b = [6] - val c = [7] - val d = [8] - val ab = [5, 6] - val ba = [6, 5] - val abc = [5, 6, 7] - val abcd = [5, 6, 7, 8] - - val allStrings = Set([], a, ab, ba, abc, abcd, [1], [2], [3], [4]) - - val test1 = { - existsCalculate({ - key: [5], - value: [5, 6], - leaf: { prefix: [5, 6, 7] }, - path: [ - { prefix: [5, 6], suffix: [8] }, - { prefix: [5], suffix: [7] } - ] - }) == [32, 0, 4] - } - - val test2 = - isLeftMost([ - { prefix: [1], suffix: [3, 4, 5] }, - { prefix: [2], suffix: [3, 4, 5] }, - { prefix: [3], suffix: [3, 4, 5] } - ]) - - val test3 = - isLeftMost([ - { prefix: [1, 0, 0, 0], suffix: [] }, - { prefix: [2], suffix: [3, 4, 5] }, - { prefix: [3], suffix: [3, 4, 5] } - ]) - - val test4 = - isLeftMost([ - { prefix: [1], suffix: [3, 4, 5 ] }, - { prefix: [2, 0, 0, 0], suffix: [] }, - { prefix: [3], suffix: [3, 4, 5] } - ]) - - val test5 = - isRightMost([ - { prefix: [1, 4, 5, 6], suffix: [] }, - { prefix: [2, 4, 5, 6], suffix: [] }, - { prefix: [3, 3, 4, 5], suffix: [] } - ]) - - val test6 = - isRightMost([ - { prefix: [1, 4, 5, 6], suffix: [] }, - { prefix: [2], suffix: [0, 0, 0] }, - { prefix: [3, 3, 4, 5], suffix: [] } - ]) - - val test7 = - isLeftStep( - { prefix: [1], suffix: [4, 5, 6] }, - { prefix: [2, 7, 8, 9], suffix: [] } - ) - - val test8 = - isLeftNeighbor( - [ - { prefix: [1], suffix: [4, 5, 6] }, - { prefix: [2, 7, 8, 9], suffix: [] } - ], - [ - { prefix: [1, 4, 5, 6], suffix: [] }, - { prefix: [2, 7, 8, 9], suffix: [] } - ] - ) - - val test9 = - // * - // / \ - // 2,3 4,5 - val lhash = existsCalculate({ - key:[2], value: [3], leaf: { prefix: [ 0 ] }, path: [] - }) - val rhash = existsCalculate({ - key:[4], value: [5], leaf: { prefix: [ 0 ] }, path: [] - }) - val left = { - key: [ 2 ], - value: [ 3 ], - leaf: { prefix: [ 0 ] }, - path: [{ prefix: [0], suffix: rhash }] - } - val right = { - key: [ 4 ], - value: [ 5 ], - leaf: { prefix: [ 0 ] }, - path: [{ prefix: [0].concat(lhash), suffix: [] }] - } - val root = [32, 0, 2] - val nilProof = { key: [], value: [], leaf: { prefix: [] }, path: [] } - and { - val np1 = { key: [1], left: nilProof, right: left } - verifyNonMembership(root, np1, [ 1 ]), - val np2 = { key: [2], left: left, right: right } - not(verifyNonMembership(root, np2, [ 2 ])), - val np3 = { key: [3], left: left, right: right } - verifyNonMembership(root, np3, [ 3 ]), - val np4 = { key: [2], left: left, right: right } - not(verifyNonMembership(root, np4, [ 4 ])), - val np5 = { key: [5], left: right, right: nilProof } - verifyNonMembership(root, np5, [ 5 ]), - } - - val allTests = and { - test1, test2, test3, test4, test5, test6, test7, test8, test9 - } -} - -// Simple property-based tests for ics23. They happened to be not very useful, -// as random simulation alone cannot produce even simple examples of sound -// non-membership proofs. For more advanced property-based testing, see the -// module 'trees' below. -module ics23pbt { - import basics.* - import ics23.* - - // an non-membership proof - var nonMemProof: NonExistsProof_T - // a key to test - var inputKey: WORD_T - - // We limit the letters to a very small set, - // including '32' for hash headers. - val Byte = 0.to(3).union(Set(32)) - - def toWord(m) = - m.keys().fold([], (l, i) => l.append(m.get(i))) - - action genKey = - nondet i = Byte.oneOf() - inputKey' = [i] - - action Init = all { - genKey, - // we start with leafs in the initial state - nondet lk = Byte.oneOf() - nondet lv = Byte.oneOf() - nondet lp = Byte.oneOf() - nondet rk = Byte.oneOf() - nondet rv = Byte.oneOf() - nondet rp = Byte.oneOf() - nondet pk = Byte.oneOf() - val lproof = { - key: [ lk ], value: [ lv ], - leaf: { prefix: [ lp ] }, path: [] - } - val rproof = { - key: [ rk ], value: [ rv ], leaf: { prefix: [ rp ] }, path: [] - } - nonMemProof' = { key: [ pk ], left: lproof, right: rproof } - } - - def extend(proof, dir, word) = - val node = - if (dir == "turnLeft") { - prefix: word, - suffix: [] - } else { - prefix: word.slice(0, MaxPrefixLen), - suffix: word.slice(MaxPrefixLen, MaxPrefixLen + ChildSize) + np.right != None implies { + pure val right = np.right.unwrap() + and { + lessThan(key, right.key), + verify(right, root, right.key, right.value), + lessThan(key, right.key), } - proof.with("path", proof.path.append(node)) - - /// grow the proof on the left - action growLeft = - nondet dir = Set("turnLeft", "turnRight").oneOf() - nondet m = 1.to(MaxPrefixLen + ChildSize).setOfMaps(Byte).oneOf() - nonMemProof' = - nonMemProof.with("left", nonMemProof.left.extend(dir, toWord(m))) - - /// grow the proof on the right - action growRight = - nondet dir = Set("turnLeft", "turnRight").oneOf() - nondet m = 1.to(MaxPrefixLen + ChildSize).setOfMaps(Byte).oneOf() - nonMemProof' = - nonMemProof.with("right", nonMemProof.right.extend(dir, toWord(m))) - - action Next = all { - genKey, - any { - growLeft, - growRight }, - } - - /// by checking this invariant, we may produce an example of when - /// verifyMembership succeeds - val TestVerify = { - val root = existsCalculate(nonMemProof.left) - not(verifyMembership(root, - nonMemProof.left, inputKey, nonMemProof.left.value)) - } - - /// by checking this invariant, we may produce an example of when - /// verifyNonMembership succeeds - val TestNonMem = or { - lessThan(inputKey, nonMemProof.left.key), - lessThan(nonMemProof.right.key, inputKey), - val root = existsCalculate(nonMemProof.left) - not(verifyNonMembership(root, nonMemProof, inputKey)) - } -} - -// Advanced randomized simulation (a la PBT) by generating -// random sorted binary trees of small heights over a small set of keys. -// -// We specify arbitrary binary trees, whose keys (in the leafs) are sorted. -// We do not have to specify IAVL+ trees to produce test data for ICS23. -// Note that this module is needed only for testing of ICS23, -// not for the operation of ICS23. -module trees { - import basics.* - import ics23.* - - /// We represent a binary tree as a collection of maps, - /// whose keys are simply integer values 1..n, with 1 being the root. - /// Similar to pointer-based representations of trees (e.g., in C), - /// this data structure requires additional invariants to make sure - /// that it actually defines a binary tree. - /// This is in contrast to the typical data structures in - /// programming languages. - type TREE_T = { - // every leaf has a key and value assigned - leafs: int -> { key: WORD_T, value: WORD_T }, - // intermediate nodes have left and/or right children - left: int -> int, - right: int -> int - } - - /// the tree generated so far - var tree: TREE_T - /// the node nodeHashes - var nodeHashes: int -> WORD_T - /// the keys to use for non-membership proofs - var leftKey: int - var rightKey: int - /// the key whose non-membership or membership we want to prove - var inputKey: int - - /// limit values to a small set - val Byte = 0.to(7).union(Set(32)) - - /// the maximum tree height - val height = 3 - - /// Compute all parents from the binary representation of the index. - /// To simplify random generation of the trees, we are using - /// the binary encoding. For example, if a leaf has the index 4, - /// that is, 100b, then it has the parents 3 = 10b and 1 = 1b. - def parents(i) = 1.to(height).map(h => i / (2^h)).exclude(Set(0)) - - /// is a given key a node (inner or leaf) of a tree - def isNode(t, key) = or { - key == 1, - t.leafs.keys().contains(key), - t.left.keys().contains(key), - t.right.keys().contains(key), - } - - /// Compute nodeHashes of all nodes into a map. - def computeHashes(t) = { - // compute the hash of a single node, assuming that the children's - // nodeHashes have been computed - def putNodeHash(hashMap, key): (int -> List[int], int) => (int -> List[int]) = { - val h = - if (t.leafs.keys().contains(key)) { - // a leaf - val leaf = t.leafs.get(key) - // Hash the leaf as in ics23.existsCalculate. - // In our trees, prefixes are always 0. - hash([0].append(length(leaf.key)) - .concat(hash(leaf.key)) - .append(length(leaf.value)) - .concat(hash(leaf.value))) - } else { - // an inner node, assuming that the children nodeHashes were computed - def hashOrEmpty(childMap) = - if (childMap.keys().contains(key)) { - hashMap.get(childMap.get(key)) - } else { - EmptyChild - } - // hash the prefix ([0]) and the hash of the children - hash([0].concat(hashOrEmpty(t.left)).concat(hashOrEmpty(t.right))) - } - // store the hash - hashMap.put(key, h) - } - // go over the nodes from max to min - val maxNode = 2^height - 0.range(2^height) - .foldl(Map(), - (m, key) => - if (isNode(t, maxNode - key)) putNodeHash(m, maxNode - key) else m - ) - } - - /// It's very easy to produce binary trees by picking an arbitrary graph and - /// restricting it with the predicate isTree. However, this approach produces - /// very sparse sets of states, to be explored by random search. Hence, we - /// use a more algorithmic approach that represents trees with binary words. - action Init = { - // produce an arbitrary tree with leafs in e.g. [2, 8) - nondet idx = 2.to(2^height - 1).powerset().oneOf() - // remove those numbers that should serve as intermediate nodes - val leafKeys = idx.filter(i => idx.forall(j => not(i.in(parents(j))))) - // compute all parents - val allParents = leafKeys.map(i => parents(i)).flatten() - // all intermediate nodes that have a left successor - val leftKeys = allParents.filter(i => - allParents.union(leafKeys).exists(j => 2 * i == j)) - // all intermediate nodes that have a right successor - val rightKeys = allParents.filter(i => - allParents.union(leafKeys).exists(j => 2 * i + 1 == j)) - // left mapping - val left = leftKeys.mapBy(i => 2 * i) - // right mapping - val right = rightKeys.mapBy(i => 2 * i + 1) - all { - // assign values to the keys - nondet vs = leafKeys.setOfMaps(Byte).oneOf() - val leafs = vs.keys().mapBy(k => { key: [k], value: [vs.get(k)] }) - // the resulting tree - val t = { leafs: leafs, left: left, right: right } - all { - tree' = t, - nodeHashes' = computeHashes(t), - }, - // pick arbitrary left and right keys for non-membership proofs - nondet i = leafKeys.oneOf() - leftKey' = i, - nondet i = leafKeys.oneOf() - rightKey' = i, - // pick an arbitrary input key - nondet i = Byte.oneOf() - inputKey' = i - } - } - - /// convert a tree leaf to an exists proof - def leafToExistsProof(key) = - val value = tree.leafs.get(key).value - // encode all intermediate nodes upwards - val path = range(1, height + 1) - .foldl([], - (p, h) => - if (key < 2^h) { - p - } else { - val parent = key / (2^h) - def hashOrChild(childMap) = - if (childMap.keys().contains(parent)) { - nodeHashes.get(childMap.get(parent)) - } else { - EmptyChild - } - // depending on whether the node is going to left or right, - // push the hashes in the prefix and the suffix - if (key == 2 * parent) { - val right = hashOrChild(tree.right) - p.append({ prefix: [0], suffix: right }) - } else { - val left = hashOrChild(tree.left) - p.append({ prefix: [0].concat(left), suffix: [] }) - } - } - ) - // return the exists proof, where the key is the index itself - { - key: [key], - value: tree.leafs.get(key).value, - leaf: { prefix: [0] }, - path: path, - } - - /// The transition does nothing. The state was computed in Init. - action Next = all { - // nothing changes - tree' = tree, - nodeHashes' = nodeHashes, - leftKey' = leftKey, - rightKey' = rightKey, - inputKey' = inputKey, - } - - /// make sure that the proofs are the same for all the leafs - val TreeProofInv = - and { - leftKey.in(tree.leafs.keys()), - rightKey.in(tree.leafs.keys()) - } implies { - val lroot = existsCalculate(leafToExistsProof(leftKey)) - val rroot = existsCalculate(leafToExistsProof(rightKey)) - lroot == rroot - } - - /// The invariant of membership verification: - /// If the input key belongs to the leafs, - /// we should be able to prove its membership. - val MemInv = or { - not(inputKey.in(tree.leafs.keys())), - val proof = leafToExistsProof(inputKey) - val root = existsCalculate(proof) - verifyMembership(root, proof, [inputKey], proof.value) - } - - /// check this property to produce an example of where MemInv is violated - val MemExample = - not(MemInv) - - // A few lemmas for NonMemInv: - // MemberShouldFalsify, NonMemberInTheMiddle, NonMemberLeft, NonMemberRight - def MemberShouldFalsify(lproof, rproof) = and { - // if the input key belongs to the leafs, - // we should not be able to disprove its membership - inputKey.in(tree.leafs.keys()), - val nproof = { key: [inputKey], left: lproof, right: rproof } - val root = existsCalculate(lproof) - not(verifyNonMembership(root, nproof, [inputKey])) - } - - def NonMemberInTheMiddle(lproof, rproof) = and { - // we should be able to prove its non-membership, - // unless the choice of the keys is bad - not(inputKey.in(tree.leafs.keys())), - val nproof = { key: [inputKey], left: lproof, right: rproof } - val root = existsCalculate(lproof) - val noKeyInTheMiddle = and { - // there is no leaf between leftKey and rightKey - tree.leafs.keys().forall(k => k <= leftKey or k >= rightKey), - // the keys are not misplaced - leftKey < inputKey, - inputKey < rightKey, - } - noKeyInTheMiddle iff verifyNonMembership(root, nproof, [inputKey]) - } - - def NonMemberLeft(lproof, rproof) = and { - // the input key is to the left - isNil(lproof.key), - // non-membership is true when the right key is left-most - and { - tree.leafs.keys().forall(k => rightKey <= k), - inputKey < rightKey, - } iff and { - // or there is a proof - val root = existsCalculate(rproof) - val nproof = { key: [inputKey], left: lproof, right: rproof } - verifyNonMembership(root, nproof, [inputKey]) - } - } - - def NonMemberRight(lproof, rproof) = and { - // the input key is to the right - isNil(rproof.key), - // non-membership is true when the left key is the right-most - and { - tree.leafs.keys().forall(k => (k <= leftKey)), - inputKey > leftKey, - } iff and { - // or there is a proof - val root = existsCalculate(lproof) - val nproof = { key: [inputKey], left: lproof, right: rproof } - verifyNonMembership(root, nproof, [inputKey]) - } - } - - // The invariant of non-membership verification. - // Consider all possible positions of the input key and the left/right keys. - val NonMemInv = - def proofOrNil(key) = { - if (tree.leafs.keys().contains(key)) - leafToExistsProof(key) - else - { key: [], value: [], leaf: { prefix: [] }, path: [] } - } - val lproof = proofOrNil(leftKey) - val rproof = proofOrNil(rightKey) - or { - MemberShouldFalsify(lproof, rproof), - NonMemberInTheMiddle(lproof, rproof), - NonMemberLeft(lproof, rproof), - NonMemberRight(lproof, rproof), - // trivial cases: - inputKey < rightKey and not(isNil(lproof.key)), - inputKey > leftKey and not(isNil(rproof.key)), + pure val spec = IavlSpec + if (np.left == None) { + isLeftMost(spec, np.right.unwrap().path) + } else if (np.right == None) { + isRightMost(spec, np.left.unwrap().path) + } else { + q::debug("isLeftNeighbor", isLeftNeighbor(spec, np.left.unwrap().path, np.right.unwrap().path)) } - - /// check this property to produce an example of where NonMemInv is violated - val NonMemExample = - not(NonMemInv) - - /// Predicate isTree(t) is true iff t defines an ordered binary tree starting - /// with 1. It's probably hard to read. However, it is what one has to specify - /// to express that an arbitrary graph is an ordered tree. - def isTree(t: TREE_T): bool = and { - t.leafs.keys().intersect(t.left.keys()) == Set(), - t.leafs.keys().intersect(t.right.keys()) == Set(), - 1.in(t.leafs.keys().union(t.left.keys().union(t.right.keys()))), - // we impose an order on the keys, to break cycles and DAGs - t.left.keys().forall(k => t.left.get(k) > k), - t.right.keys().forall(k => t.right.get(k) > k), - t.left.keys().intersect(t.right.keys()) - .forall(k => t.left.get(k) < t.right.get(k)), - // the leafs are ordered w.r.t. their keys - val leafKeys = t.leafs.keys() - tuples(leafKeys, leafKeys).forall(kk => - kk._1 < kk._2 implies lessThan(t.leafs.get(kk._1).key, t.leafs.get(kk._2).key) - ), - // all nodes have a parent - (t.leafs.keys().union(t.left.keys()).union(t.right.keys())) - .forall(k => or { - // the root - k == 1, - // there is a left parent - t.left.keys().exists(p => t.left.get(p) == k), - // there is a right parent - t.right.keys().exists(p => t.right.get(p) == k), - }), } } diff --git a/examples/cosmos/ics23/ics23.tla b/examples/cosmos/ics23/ics23.tla deleted file mode 100644 index 5de97e3e0..000000000 --- a/examples/cosmos/ics23/ics23.tla +++ /dev/null @@ -1,265 +0,0 @@ ---------------------------- MODULE ics23 -------------------------------------- -\* A hand-written translation of ics23.qnt -EXTENDS Integers, Sequences, Apalache - -\* basics -\* -\* @typeAlias: word = Seq(Int); -\* @typeAlias: key = $word; -\* @typeAlias: value = $word; -\* @typeAlias: commitmentRoot = $word; -\* @typeAlias: commitmentProof = $word; -\* @typeAlias: leaf = { prefix: $word }; -\* @typeAlias: inner = { prefix: $word, suffix: $word }; -\* @typeAlias: existsProof = { -\* key: $word, value: $word, leaf: $leaf, path: Seq($inner) -\* }; -\* @typeAlias: nonExistsProof = { -\* key: $word, left: $existsProof, right: $existsProof -\* }; -ics23_aliases == TRUE - -\* we interpret the empty word as nil -IsNil(word) == Len(word) = 0 - -\* compare two integer words lexicographically -\* @type: ($word, $word) => Bool; -LessThan(w1, w2) == - LET len1 == Len(w1) IN - LET len2 == Len(w2) IN - \//\ len1 < len2 - /\ \A i \in DOMAIN w1: - w1[i] = w2[i] - \//\ len1 = len2 - /\ \E i \in DOMAIN w1: - /\ w1[i] < w2[i] - /\ \A j \in DOMAIN w1: - (j < i) => w1[i] = w2[i] - - -\* Golang slice lst[start:end] slices in the interval [start, end). -\* Golang indices start with 0. -\* We define this operator for compatibility with the Golang code. -GoSlice(lst, start, end) == SubSeq(lst, start + 1, end) - -\* base spec - -\* TODO: introduce CONSTANTS instead -MinPrefixLen == 1 -MaxPrefixLen == 2 -ChildSize == 3 - -\* @type: $word; -EmptyChild == <<0, 0, 0>> - -\* We need a hash that returns ChildSize - 1 elements. -\* For simulation, we are just summing up the word elements modulo 8. -\* For verification, we should use an injective function as a perfect hash. -\* -\* TODO: introduce Hash as a CONSTANT -\* -\* @type: $word => $word; -Hash(word) == - <<32, 0, ApaFoldSeqLeft(LAMBDA i, j: i + j, 0, word) % 8>> - -\* calculate a hash from an exists proof -\* @type: $existsProof => $commitmentProof; -ExistsCalculate(p) == - \* this is how the leaf hash is computed - LET leafHash == - Hash(Append(Append(p.leaf.prefix, Len(p.key)) \o Hash(p.key), - Len(p.value)) \o Hash(p.value)) - IN - \* the inner node hashes are concatenated and hashed upwards - LET \* @type: ($word, $inner) => $word; - AddHash(child, inner) == - Hash(inner.prefix \o child \o inner.suffix) - IN - ApaFoldSeqLeft(AddHash, leafHash, p.path) - - -\* verify that a proof matches a root -\* @type: ($existsProof, $word, $key, $value) => Bool; -Verify(proof, root, key, value) == - /\ key = proof.key - /\ value = proof.value - /\ root = ExistsCalculate(proof) - -\* VerifyMembership returns true iff -\* proof is an ExistenceProof for the given key and value AND -\* calculating the root for the ExistenceProof matches -\* the provided CommitmentRoot -\* @type: ($word, $existsProof, $key, $value) => Bool; -VerifyMembership(root, proof, key, value) == - \* TODO: specify Decompress - \* TODO: specify the case of CommitmentProof_Batch - \* TODO: CheckAgainstSpec ensures that the proof can be verified - \* by the spec checker - Verify(proof, root, key, value) - - -\* checks if an op has the expected padding -\* @type: ($inner, Int, Int, Int) => Bool; -HasPadding(inner, minPrefixLen, maxPrefixLen, suffixLen) == - /\ Len(inner.prefix) >= minPrefixLen - /\ Len(inner.prefix) <= maxPrefixLen - \* When inner turns left, suffixLen == ChildSize, - \* that is, we store the hash of the right child in the suffix. - \* When inner turns right, suffixLen == 0, - \* that is, we store the hash of the left child in the prefix. - /\ Len(inner.suffix) = suffixLen - -\* This will look at the proof and determine which order it is... -\* So we can see if it is branch 0, 1, 2 etc... to determine neighbors -\* https:\*github.com/confio/ics23/blob/a4daeb4c24ce1be827829c0841446abc690c4f11/go/proof.go#L400-L411 -\* @type: $inner => <>; -OrderFromPadding(inner) == - \* Specialize orderFromPadding to IavlSpec: - \* ChildOrder = { 0, 1 } - \* branch = 0: minp, maxp, suffix = MinPrefixLen, MaxPrefixLen, ChildSize - \* branch = 1: minp, maxp, suffix = - \* ChildSize + MinPrefixLen, ChildSize + MaxPrefixLen, 0 - IF HasPadding(inner, MinPrefixLen, MaxPrefixLen, ChildSize) - \* the node turns left - THEN <<0, TRUE>> - ELSE IF HasPadding(inner, ChildSize + MinPrefixLen, - ChildSize + MaxPrefixLen, 0) - \* the node turns right - THEN <<1, TRUE>> - ELSE - \* error - <<0, FALSE>> - -\* leftBranchesAreEmpty returns true if the padding bytes correspond to all -\* empty siblings on the left side of a branch, ie. it's a valid placeholder -\* on a leftmost path -\* @type: $inner => Bool; -LeftBranchesAreEmpty(inner) == - \* the case of leftBranches == 0 returns false - LET order == OrderFromPadding(inner) IN - /\ order[2] /\ order[1] /= 0 - \* the remaining case is leftBranches == 1, see orderFromPadding - \* actualPrefix = len(inner.prefix) - 33 - /\ Len(inner.prefix) >= ChildSize - \* getPosition(0) returns 0 - /\ LET from == Len(inner.prefix) - ChildSize IN - GoSlice(inner.prefix, from, from + ChildSize) = EmptyChild - -\* IsLeftMost returns true if this is the left-most path in the tree, -\* excluding placeholder (empty child) nodes -\* @type: Seq($inner) => Bool; -IsLeftMost(path) == - \* Calls getPadding(0) => idx = 0, prefix = 0. - \* We specialize the constants to IavlSpec. - \A i \in DOMAIN path: - LET step == path[i] IN - \* the path goes left - \/ HasPadding(step, MinPrefixLen, MaxPrefixLen, ChildSize) - \* the path goes right, but the left child is empty (a gap) - \/ LeftBranchesAreEmpty(step) - -\* rightBranchesAreEmpty returns true if the padding bytes correspond -\* to all empty siblings on the right side of a branch, -\* i.e. it's a valid placeholder on a rightmost path -\* @type: $inner => Bool; -RightBranchesAreEmpty(inner) == - \* the case of rightBranches == 0 returns false - LET order == OrderFromPadding(inner) IN - /\ order[2] /\ order[1] /= 1 - \* the remaining case is rightBranches == 1, see orderFromPadding - /\ Len(inner.suffix) = ChildSize - \* getPosition(0) returns 0, hence, from == 0 - /\ inner.suffix = EmptyChild - -\* IsRightMost returns true if this is the left-most path in the tree, -\* excluding placeholder (empty child) nodes -\* @type: Seq($inner) => Bool; -IsRightMost(path) == - \* Specialize to IavlSpec - \* Calls getPadding(1) => minPrefix, maxPrefix, - \* suffix = ChildSize + MinPrefixLen, ChildSize + MaxPrefixLen, 0 - \A i \in DOMAIN path: - LET step == path[i] IN - \* the path goes right - \/ HasPadding(step, ChildSize + MinPrefixLen, ChildSize + MaxPrefixLen, 0) - \* the path goes left, but the right child is empty (a gap) - \/ RightBranchesAreEmpty(step) - -\* isLeftStep assumes left and right have common parents -\* checks if left is exactly one slot to the left of right -\* @type: ($inner, $inner) => Bool; -IsLeftStep(left, right) == - \* 'left' turns left, and 'right' turns right - LET lorder == OrderFromPadding(left) IN - LET rorder == OrderFromPadding(right) IN - /\ lorder[2] - /\ rorder[2] - /\ rorder[1] = lorder[1] + 1 - -\* IsLeftNeighbor returns true if `right` is the next possible path -\* right of `left` -\* -\* Find the common suffix from the Left.Path and Right.Path and remove it. -\* We have LPath and RPath now, which must be neighbors. -\* Validate that LPath[len-1] is the left neighbor of RPath[len-1]. -\* For step in LPath[0..len-1], validate step is right-most node. -\* For step in RPath[0..len-1], validate step is left-most node. -IsLeftNeighbor(lpath, rpath) == - \* count common tail (from end, near root) - \* cut the left and right paths - \E li \in DOMAIN lpath, ri \in DOMAIN rpath: - \* they are equidistant from the root - /\ Len(lpath) - li = Len(rpath) - ri - \* The distance to the root (the indices are 0-based). - \* dist == 0 holds for the root. - \* Note: we are compensating for 1-based indices here. - /\ LET dist == Len(lpath) (*- 1*) - li IN - \* The prefixes and suffixes match just above the cut points. - \* Note that we are using a filter over the domain of lpath, - \* as Apalache needs a bounded set, instead of 1..dist. - \A k \in { j \in DOMAIN lpath: j <= dist }: - LET lnode == lpath[li + k] IN - LET rnode == rpath[ri + k] IN - /\ lnode.prefix = rnode.prefix - /\ lnode.suffix = rnode.suffix - \* Now topleft and topright are the first divergent nodes - \* make sure they are left and right of each other. - \* Actually, lpath.nth(li) and rpath.nth(ri) are an abstraction - \* of the same tree node: - \* the left one stores the hash of the right one, whereas - \* the right one stores the hash of the left one. - /\ IsLeftStep(lpath[li], rpath[ri]) - \* Left and right are remaining children below the split, - \* ensure left child is the rightmost path, and visa versa. - \* Note that we are writing `li - 1` and `ri - 1`, - \* as `li` and `ri` are 1-based. - /\ IsRightMost(GoSlice(lpath, 0, li - 1)) - /\ IsLeftMost(GoSlice(rpath, 0, ri - 1)) - -\* VerifyNonMembership returns true iff -\* proof is (contains) a NonExistenceProof -\* both left and right sub-proofs are valid existence proofs (see above) or nil -\* left and right proofs are neighbors (or left/right most if one is nil) -\* provided key is between the keys of the two proofs -\* @type: ($word, $nonExistsProof, $word) => Bool; -VerifyNonMembership(root, np, key) == - \* getNonExistProofForKey - /\ IsNil(np.left.key) \/ LessThan(np.left.key, key) - /\ IsNil(np.right.key) \/ LessThan(key, np.right.key) - \* implicit assumption, missing in the code: - \* https://github.com/informalsystems/ics23-audit/issues/14 - /\ np.key = key - \* Verify - /\ ~IsNil(np.left.key) \/ ~IsNil(np.right.key) - /\ \/ IsNil(np.left.key) - \/ /\ Verify(np.left, root, np.left.key, np.left.value) - /\ LessThan(np.left.key, key) - /\ \/ IsNil(np.right.key) - \/ /\ Verify(np.right, root, np.right.key, np.right.value) - /\ LessThan(key, np.right.key) - /\ IF IsNil(np.left.key) - THEN IsLeftMost(np.right.path) - ELSE IF IsNil(np.right.key) - THEN IsRightMost(np.left.path) - ELSE IsLeftNeighbor(np.left.path, np.right.path) -=============================================================================== diff --git a/examples/cosmos/ics23/ics23pbt.tla b/examples/cosmos/ics23/ics23pbt.tla deleted file mode 100644 index 429ee34ea..000000000 --- a/examples/cosmos/ics23/ics23pbt.tla +++ /dev/null @@ -1,102 +0,0 @@ -------------------------- MODULE ics23pbt -------------------------------------- -\* property-based tests for ICS23 -\* This is a hand-written translation of the module ics23pbt in ics23.qnt -EXTENDS Integers, Sequences, Apalache, ics23 - -VARIABLE - \* @type: $nonExistsProof; - nproof, - \* @type: $word; - inputKey - -\* We limit the letters to a very small set, -\* including '32' for checksums. -Byte == 0..7 \union { 32 } - -\* @type: (Int -> Int) => $word; -ToWord(m) == - LET Add(l, i) == Append(l, m[i]) IN - ApaFoldSet(Add, <<>>, DOMAIN m) - -GenKey == - \E i \in Byte: - inputKey' = <> - -\* @type: Seq({ prefix: $word, suffix: $word }); -EmptyPath == <<>> - -\* @type: $word; -EmptyWord == <<>> - -\* @type: Int => $word; -Single(k) == <> - -Init == - /\ \E i \in Byte: - inputKey = Single(i) - /\ \E lk, lv, lp, rk, rv, rp, pk \in Byte: - LET \* @type: $existsProof; - lproof == [ - key |-> Single(lk), - value |-> Single(lv), - leaf |-> [ prefix |-> Single(lp) ], - path |-> EmptyPath - ] - IN - LET \* @type: $existsProof; - rproof == [ - key |-> Single(rk), - value |-> Single(rv), - leaf |-> [ prefix |-> Single(rp) ], - path |-> EmptyPath - ] - IN - nproof = [ key |-> Single(pk), left |-> lproof, right |-> rproof ] - -\* @type: ($existsProof, Str, $word) => $existsProof; -Extend(proof, dir, word) == - LET node == - IF dir = "turnLeft" - THEN [ prefix |-> word, suffix |-> EmptyWord ] - ELSE [ - prefix |-> GoSlice(word, 0, MaxPrefixLen), - suffix |-> GoSlice(word, MaxPrefixLen, MaxPrefixLen + ChildSize) - ] - IN - [ proof EXCEPT !.path = Append(@, node) ] - -\* grow the proof on the left -GrowLeft == - \E dir \in { "turnLeft", "turnRight" }: - \E m \in [ 1..(MaxPrefixLen + ChildSize) -> Byte ]: - nproof' = [ nproof EXCEPT !.left = Extend(@, dir, ToWord(m)) ] - -\* grow the proof on the right -GrowRight == - \E dir \in { "turnLeft", "turnRight" }: - \E m \in [ 1..(MaxPrefixLen + ChildSize) -> Byte ]: - nproof' = [ nproof EXCEPT !.right = Extend(@, dir, ToWord(m)) ] - -Next == - /\ GenKey - /\ \/ GrowLeft - \/ GrowRight - -\* By checking this invariant, we may produce an example of when -\* verifyNonMembership succeeds -NonMem == - \/ LessThan(inputKey, nproof.left.key) - \/ LessThan(nproof.right.key, inputKey) - \/ ~VerifyNonMembership(ExistsCalculate(nproof.left), nproof, inputKey) - -\* The version of NonMem, where the left path has at least three nodes -NonMem3 == - \/ LessThan(inputKey, nproof.left.key) - \/ LessThan(nproof.right.key, inputKey) - \/ ~VerifyNonMembership(ExistsCalculate(nproof.left), nproof, inputKey) - \/ Len(nproof.left.path) <= 3 - -View == - ExistsCalculate(nproof.left) - -=============================================================================== diff --git a/examples/cosmos/ics23/ics23test.qnt b/examples/cosmos/ics23/ics23test.qnt new file mode 100644 index 000000000..5f30bd62b --- /dev/null +++ b/examples/cosmos/ics23/ics23test.qnt @@ -0,0 +1,188 @@ +/// A few unit tests to improve our understanding of the specification. +/// +/// To execute the unit tests, type the following: +/// +/// $ quint test ics23test.qnt +/// +/// Igor Konnov, Informal Systems, 2022-2023 +module ics23test { + import basicSpells.* from "../../spells/basicSpells" + import hashes.* from "./hashes" + import ics23.* from "./ics23" + + // prepend the hash with the length marker + pure def termHashWithLen(term: Term): Term = { + raw([ 32 ]).termConcat(termHash(term)) + } + + // test data + val a = [5] + val b = [6] + val c = [7] + val d = [8] + val ab = [5, 6] + val ba = [6, 5] + val abc = [5, 6, 7] + val abcd = [5, 6, 7, 8] + + val allStrings = Set([], a, ab, ba, abc, abcd, [1], [2], [3], [4]) + + pure val existsCalculateTest = { + pure val result = existsCalculate({ + key: [ 5 ], + value: [ 5, 6 ], + leaf: { + prefix: raw([ 9, 10, 11, 12 ]) + }, + path: [ + { prefix: raw([ 5, 6, 7, 8, 9 ]), suffix: raw([ 8 ]) }, + { prefix: raw([ 5, 6, 7, 8 ]), suffix: raw([ 7 ]) } + ] + }) + // a map representation of the term with hashes + pure val expected = Map( + [0, 0] -> Raw([5, 6, 7, 8]), + [0, 1, 0] -> Raw([5, 6, 7, 8, 9]), + [0, 1, 1, 0] -> Raw([9, 10, 11, 12, 1, 5, 32]), + [0, 1, 1, 1, 0] -> Raw([5, 6]), + [0, 1, 1, 1] -> Hash, + [0, 1, 1] -> Hash, + [0, 1, 2] -> Raw([8]), + [0, 1] -> Hash, + [0, 2] -> Raw([7]), + [0] -> Hash + ) + assert(expected == result) + } + + pure val isLeftMost1Test = { + assert(isLeftMost(IavlSpec, [ + { prefix: raw([1, 2, 3, 4]), suffix: termHashWithLen(raw([3, 4, 5])) }, + { prefix: raw([2, 3, 4, 5]), suffix: termHashWithLen(raw([3, 4, 5])) }, + { prefix: raw([3, 4, 5, 6]), suffix: termHashWithLen(raw([3, 4, 5])) } + ])) + } + + pure val isLeftMost2Test = + assert(isLeftMost(IavlSpec, [ + { prefix: termConcat(raw([ 1, 2, 3, 4, 5 ]), Hash256_ZERO), suffix: raw([]) }, + { prefix: raw([ 2, 3, 4, 5, 6 ]), suffix: termHashWithLen(raw([3, 4, 5])) }, + { prefix: raw([ 3, 4, 5, 6, 7 ]), suffix: termHashWithLen(raw([3, 4, 5])) } + ])) + + pure val isLeftMost3Test = { + assert(isLeftMost(IavlSpec, [ + { prefix: raw([ 1, 2, 3, 4 ]), suffix: termHashWithLen(raw([3, 4, 5])) }, + { prefix: termConcat(raw([ 2, 3, 4, 5 ]), Hash256_ZERO), suffix: raw([]) }, + { prefix: raw([3, 4, 5, 6]), suffix: termHashWithLen(raw([3, 4, 5])) } + ])) + } + + pure val isRightMost1Test = + assert(isRightMost(IavlSpec, [ + { prefix: termConcat(raw([1, 2, 3, 4 ]), termHashWithLen(raw([ 4, 5, 6 ]))), suffix: raw([]) }, + { prefix: termConcat(raw([2, 3, 4, 5 ]), termHashWithLen(raw([4, 5, 6]))), suffix: raw([]) }, + { prefix: termConcat(raw([3, 4, 5, 6 ]), termHashWithLen(raw([4, 5, 6]))), suffix: raw([]) } + ])) + + pure val isRightMost2Test = + assert(isRightMost(IavlSpec, [ + { prefix: termConcat(raw([1, 2, 3, 4]), termHashWithLen(raw([4, 5, 6]))), suffix: raw([]) }, + { prefix: raw([2, 3, 4, 5]), suffix: Hash256_ZERO }, + { prefix: termConcat(raw([2, 3, 4, 5]), termHashWithLen(raw([3, 4, 5]))), suffix: raw([]) } + ])) + + pure val isLeftStep1Test = + assert(isLeftStep( + IavlSpec, + { prefix: raw([1, 2, 3, 4]), suffix: termHashWithLen(raw([4, 5, 6])) }, + { prefix: termConcat(raw([2, 3, 4, 5]), termHashWithLen(raw([7, 8, 9]))), suffix: raw([]) } + )) + + pure val isLeftNeighborTest = + assert(isLeftNeighbor( + IavlSpec, + [ + { prefix: raw([1, 2, 3, 4]), suffix: termHashWithLen(raw([4, 5, 6])) }, + { prefix: termConcat(raw([2, 3, 4, 5]), termHashWithLen(raw([7, 8, 9]))), suffix: raw([]) } + ], + [ + { prefix: termConcat(raw([1, 2, 3, 4]), termHashWithLen(raw([4, 5, 6]))), suffix: raw([]) }, + { prefix: termConcat(raw([2, 3, 4, 5]), termHashWithLen(raw([7, 8, 9]))), suffix: raw([]) } + ] + )) + + + // Test setup to verify non membership + // 1 + // / \ + // 2 3 + // / / + // 4:3 6:5 + pure val hash4 = hashLeaf([4], [7], raw([0])) + pure val hash6 = hashLeaf([6], [4], raw([0])) + pure val hash2 = termHash(raw([0]).termConcat(hash4).termConcat(Hash256_ZERO)) + pure val hash3 = termHash(raw([0]).termConcat(hash6).termConcat(Hash256_ZERO)) + // the left proof + pure val lproof: ExistenceProof = { + key: [ 4 ], + value: [ 7 ], + leaf: { prefix: raw([ 0 ]) }, + path: [ + { prefix: raw([0]), suffix: Hash256_ZERO }, + { prefix: raw([0]), suffix: hash3 } + ] + } + // the right proof + pure val rproof: ExistenceProof = { + key: [ 6 ], + value: [ 4 ], + leaf: { prefix: raw([ 0 ]) }, + path: [ + { prefix: raw([0]), suffix: Hash256_ZERO }, + { prefix: raw([0]).termConcat(hash2), suffix: Map() }, + ] + } + + pure val root = termHash(raw([0]).termConcat(hash2).termConcat(hash3)) + + run rootTest = and { + assert(root == existsCalculate(lproof)), + assert(root == existsCalculate(rproof)), + } + + run verifyNonMembership1Test = { + pure val np1 = { key: [1], left: None, right: Some(lproof) } + assert(verifyNonMembership(root, np1, [ 1 ])) + } + + run verifyNonMembership2Test = { + pure val np2 = { key: [2], left: None, right: Some(lproof) } + assert(verifyNonMembership(root, np2, [ 2 ])) + } + + run verifyNonMembership3Test = { + pure val np3 = { key: [3], left: None, right: Some(lproof) } + assert(verifyNonMembership(root, np3, [ 3 ])) + } + + run verifyNonMembership4Test = { + pure val np4 = { key: [4], left: Some(lproof), right: Some(rproof) } + assert(not(verifyNonMembership(root, np4, [ 4 ]))) + } + + run verifyNonMembership5Test = { + pure val np5 = { key: [5], left: Some(lproof), right: Some(rproof) } + assert(verifyNonMembership(root, np5, [ 5 ])) + } + + run verifyNonMembership6Test = { + pure val np6 = { key: [6], left: Some(lproof), right: Some(rproof) } + assert(not(verifyNonMembership(root, np6, [ 6 ]))) + } + + run verifyNonMembership7Test = { + pure val np7 = { key: [7], left: Some(rproof), right: None } + assert(verifyNonMembership(root, np7, [ 7 ])) + } +} diff --git a/examples/cosmos/ics23/ics23trees.tla b/examples/cosmos/ics23/ics23trees.tla deleted file mode 100644 index 497853e77..000000000 --- a/examples/cosmos/ics23/ics23trees.tla +++ /dev/null @@ -1,285 +0,0 @@ ----------------------- MODULE ics23trees -------------------------------------- -\* Proving invariants with model checking. -\* This is a hand-written translation of the module trees in ics23.qnt -\* -\* To check the basic invariants of ICS23, run Apalache as follows: -\* -\* apalache-mc check --inv=MemInv ics23trees.tla -\* apalache-mc check --inv=NonMemInv ics23trees.tla -EXTENDS Integers, Sequences, Apalache, ics23 - -(* - @typeAlias: tree = { - leafs: Int -> { key: $word, value: $word }, - left: Int -> Int, - right: Int -> Int - }; - *) -ics23trees_alises == TRUE - -\* the maximum tree height -Height == 4 - -VARIABLE - \* @type: $tree; - tree, - \* @type: Int -> $word; - nodeHashes, - \* @type: Int; - leftKey, - \* @type: Int; - rightKey, - \* @type: Int; - inputKey - -\* We limit the letters to a very small set, -\* including '32' for checksums. -Byte == 0..7 \union { 32 } - -\* @type: (Int -> Int) => $word; -ToWord(m) == - LET Add(l, i) == Append(l, m[i]) IN - ApaFoldSet(Add, <<>>, DOMAIN m) - -Range(start, end) == - MkSeq(end - start, LAMBDA i: start + i) - -\* @type: Seq({ prefix: $word, suffix: $word }); -EmptyPath == <<>> - -\* @type: $word; -EmptyWord == <<>> - -\* @type: Int => $word; -Single(k) == <> - -\* Compute all parents from the binary representation of the index. -\* To simplify random generation of the trees, we are using -\* the binary encoding. For example, if a leaf has the index 4, -\* that is, 100b, then it has the parents 3 = 10b and 1 = 1b. -Parents(key) == - { key \div (2^h): h \in 1..Height } \ { 0 } - -\* Is a given key a node (inner or leaf) of a tree. -\* @type: ($tree, Int) => Bool; -IsNode(t, key) == - \/ key = 1 - \/ key \in DOMAIN t.leafs - \/ key \in DOMAIN t.left - \/ key \in DOMAIN t.right - -\* Compute nodeHashes of all nodes into a map. -\* @type: $tree => (Int -> $word); -ComputeHashes(t) == - \* compute the hash of a single node, assuming that the children's - \* nodeHashes have been computed - LET \* @type: (Int -> $word, Int) => (Int -> $word); - PutNodeHash(hashMap, key) == - LET h == - IF key \in DOMAIN t.leafs - \* a leaf - THEN LET leaf == t.leafs[key] IN - \* Hash the leaf as in ics23.existsCalculate. - \* In our trees, prefixes are always 0. - Hash(Append(Append(Single(0), Len(leaf.key)) \o Hash(leaf.key), - Len(leaf.value)) - \o Hash(leaf.value)) - ELSE - \* an inner node, assuming that the children nodeHashes were computed - LET \* @type: (Int -> Int) => $word; - HashOrEmpty(childMap) == - IF key \in DOMAIN childMap - THEN hashMap[childMap[key]] - ELSE EmptyChild - IN - \* hash the prefix ([0]) and the hash of the children - Hash(Single(0) \o HashOrEmpty(t.left) \o HashOrEmpty(t.right)) - IN - \* store the hash - [ k \in (DOMAIN hashMap) \union { key} |-> - IF k = key THEN h ELSE hashMap[k] ] - IN - \* go over the nodes from 2^Height to 1 - LET seq == MkSeq(2^Height, LAMBDA h: 2^Height - h + 1) IN - LET emptyMap == [ h \in {} |-> Single(0) ] IN - LET Add(m, key) == - IF IsNode(t, key) - THEN PutNodeHash(m, key) - ELSE m - IN - ApaFoldSeqLeft(Add, emptyMap, seq) - -\* It's very easy to produce binary trees by picking an arbitrary graph and -\* restricting it with the predicate isTree. However, this approach produces -\* very sparse sets of states, to be explored by random search. Hence, we -\* use a more algorithmic approach that represents trees with binary words. -Init == - \* produce an arbitrary tree with leafs in e.g. [2, 8) - \E idx \in SUBSET (2..(2^Height - 1)): - \* remove those numbers that should serve as intermediate nodes - LET leafKeys == { i \in idx: \A j \in idx: i \notin Parents(j) } IN - \* compute all parents - LET allParents == UNION { Parents(i): i \in leafKeys } IN - \* all intermediate nodes that have a left successor - LET leftKeys == { - i \in allParents: - \E j \in allParents \union leafKeys: - 2 * i = j - } IN - \* all intermediate nodes that have a right successor - LET rightKeys == { - i \in allParents: - \E j \in allParents \union leafKeys: - 2 * i + 1 = j - } IN - \* left mapping - LET left == [ i \in leftKeys |-> 2 * i ] IN - \* right mapping - LET right == [ i \in rightKeys |-> 2 * i + 1 ] IN - \* assign values to the keys - /\ \E vs \in [ leafKeys -> Byte ]: - LET leafs == [ k \in DOMAIN vs |-> - [ key |-> Single(k), value |-> Single(vs[k]) ] ] IN - LET t == [ leafs |-> leafs, left |-> left, right |-> right ] IN - /\ tree' = t - /\ nodeHashes = ComputeHashes(t) - \* pick arbitrary left and right keys for non-membership proofs - /\ leftKey' \in leafKeys - /\ rightKey' \in leafKeys - \* pick an arbitrary input key - /\ inputKey \in Byte - -\* convert a tree leaf to an exists proof -LeafToExistsProof(key) == - LET value == tree.leafs[key].value IN - \* encode all intermediate nodes upwards - LET \* @type: (Seq($inner), Int) => Seq($inner); - Add(path, h) == - IF key < 2^h - THEN path - ELSE - LET parent == key \div (2^h) IN - LET \* @type: (Int -> Int) => $word; - HashOrChild(childMap) == - IF parent \in DOMAIN childMap - THEN nodeHashes[childMap[parent]] - ELSE EmptyChild - IN - \* depending on whether the node is going to left or right, - \* push the hashes in the prefix and the suffix - IF key = 2 * parent - THEN LET right == HashOrChild(tree.right) IN - Append(path, [ prefix |-> Single(0), suffix |-> right ]) - ELSE LET left == HashOrChild(tree.left) IN - Append(path, [ prefix |-> Single(0) \o left, suffix |-> EmptyWord]) - IN - LET path == ApaFoldSeqLeft(Add, EmptyPath, Range(1, Height + 1)) IN - \* return the exists proof, where the key is the index itself - [ - key |-> Single(key), - value |-> tree.leafs[key].value, - leaf |-> [ prefix |-> Single(0) ], - path |-> path - ] - -\* The transition does nothing. The state was computed in Init. -Next == - UNCHANGED <> - -\* make sure that the proofs are the same for all the leafs -TreeProofInv == - (leftKey \in DOMAIN tree.leafs /\ rightKey \in DOMAIN tree.leafs) - => - LET lroot == ExistsCalculate(LeafToExistsProof(leftKey)) IN - LET rroot == ExistsCalculate(LeafToExistsProof(rightKey)) IN - lroot = rroot - -\* The invariant of membership verification: -\* If the input key belongs to the leafs, -\* we should be able to prove its membership. -MemInv == - \/ inputKey \notin DOMAIN tree.leafs - \/ LET proof == LeafToExistsProof(inputKey) IN - LET root == ExistsCalculate(proof) IN - VerifyMembership(root, proof, Single(inputKey), proof.value) - -\* check this property to produce an example of where MemInv is violated -MemExample == - ~MemInv - -\* A few lemmas for NonMemInv: -\* MemberShouldFalsify, NonMemberInTheMiddle, NonMemberLeft, NonMemberRight - -MemberShouldFalsify(lproof, rproof) == - \* if the input key belongs to the leafs, - \* we should not be able to disprove its membership - /\ inputKey \in DOMAIN tree.leafs - /\ LET nproof == - [ key |-> Single(inputKey), left |-> lproof, right |-> rproof ] - IN - LET root == ExistsCalculate(lproof) IN - ~VerifyNonMembership(root, nproof, Single(inputKey)) - -NonMemberInTheMiddle(lproof, rproof) == - \* we should be able to prove its non-membership, - \* unless the choice of the keys is bad - /\ inputKey \notin DOMAIN tree.leafs - /\ LET nproof == - [ key |-> Single(inputKey), left |-> lproof, right |-> rproof ] - IN - LET root == ExistsCalculate(lproof) IN - LET noKeyInTheMiddle == - \* there is no leaf between leftKey and rightKey - /\ \A k \in DOMAIN tree.leafs: - k <= leftKey \/ k >= rightKey - \* the keys are not misplaced - /\ leftKey < inputKey - /\ inputKey < rightKey - IN - noKeyInTheMiddle <=> VerifyNonMembership(root, nproof, Single(inputKey)) - -NonMemberLeft(lproof, rproof) == - \* the input key is to the left - /\ IsNil(lproof.key) - \* non-membership is true when the right key is left-most - /\ (inputKey < rightKey /\ \A k \in DOMAIN tree.leafs: rightKey <= k) - <=> - \* or there is a proof - LET root == ExistsCalculate(rproof) IN - LET nproof == - [ key |-> Single(inputKey), left |-> lproof, right |-> rproof ] IN - VerifyNonMembership(root, nproof, Single(inputKey)) - -NonMemberRight(lproof, rproof) == - \* the input key is to the right - /\ IsNil(rproof.key) - \* non-membership is true when the left key is the right-most - /\ (inputKey > leftKey /\ \A k \in DOMAIN tree.leafs: k <= leftKey) - <=> - \* or there is a proof - LET root == ExistsCalculate(lproof) IN - LET nproof == - [ key |-> Single(inputKey), left |-> lproof, right |-> rproof ] - IN - VerifyNonMembership(root, nproof, Single(inputKey)) - -\* The invariant of non-membership verification. -\* Consider all possible positions of the input key and the left/right keys. -NonMemInv == - LET ProofOrNil(key) == - IF key \in DOMAIN tree.leafs - THEN LeafToExistsProof(key) - ELSE [ key |-> EmptyWord, value |-> EmptyWord, - leaf |-> [ prefix |-> EmptyWord ], path |-> EmptyPath ] - IN - LET lproof == ProofOrNil(leftKey) IN - LET rproof == ProofOrNil(rightKey) IN - \/ MemberShouldFalsify(lproof, rproof) - \/ NonMemberInTheMiddle(lproof, rproof) - \/ NonMemberLeft(lproof, rproof) - \/ NonMemberRight(lproof, rproof) - \* trivial cases: - \/ inputKey < rightKey /\ ~IsNil(lproof.key) - \/ inputKey > leftKey /\ ~IsNil(rproof.key) - -=============================================================================== diff --git a/examples/cosmos/ics23/treeGen.qnt b/examples/cosmos/ics23/treeGen.qnt new file mode 100644 index 000000000..8277c8d69 --- /dev/null +++ b/examples/cosmos/ics23/treeGen.qnt @@ -0,0 +1,333 @@ +/// Advanced randomized simulation (a la PBT) by generating +/// random sorted binary trees of small heights over a small set of keys. +/// +/// We specify arbitrary binary trees, whose keys (in the leafs) are sorted. +/// We do not have to specify IAVL+ trees to produce test data for ICS23. +/// Note that this module is needed only for testing of ICS23, +/// not for the operation of ICS23. +/// +/// To execute advanced PBT-like tests for 1000 runs in the simulator, +/// type the following: +/// +/// $ quint run --invariant=nonMemInv treeGen.qnt +/// $ quint run --invariant=memInv treeGen.qnt +/// +/// We expect these tests to always pass. If the simulator reports +/// a counterexample, there must be an error somewhere. +/// +/// Igor Konnov, Informal Systems, 2022-2023 +module treeGen { + import basicSpells.* from "../../spells/basicSpells" + import hashes.* from "./hashes" + import ics23.* from "./ics23" + + /// We represent a binary tree as a collection of maps, + /// whose keys are simply integer values 1..n, with 1 being the root. + /// Similar to pointer-based representations of trees (e.g., in C), + /// this data structure requires additional invariants to make sure + /// that it actually defines a binary tree. + /// This is in contrast to the typical data structures in + /// programming languages. + type Tree = { + // every leaf has a key and value assigned + leafs: int -> { key: Bytes, value: Bytes }, + // intermediate nodes have left and/or right children + left: int -> int, + right: int -> int + } + + /// the tree generated so far + var tree: Tree + /// the node hashes + var nodeHashes: int -> Term + /// the keys to use for non-membership proofs + var leftKey: int + var rightKey: int + /// the key whose non-membership or membership we want to prove + var inputKey: int + + /// limit values to a small set + val Byte = 0.to(7).union(Set(32)) + + /// the maximum tree height + val height = 3 + + /// Compute all parents from the binary representation of the index. + /// To simplify random generation of the trees, we are using + /// a binary encoding. For example, if a leaf has the index 4, + /// that is, 100b, then it has the parents 3 = 10b and 1 = 1b. + /// See the exact definition below. + def parents(i) = 1.to(height).map(h => i / (2^h)).exclude(Set(0)) + + /// is a given key a node (inner or leaf) of a tree + def isNode(t: Tree, key: int): bool = or { + key == 1, // the root + t.leafs.keys().contains(key), + t.left.keys().contains(key), + t.right.keys().contains(key), + } + + /// Compute nodeHashes of all nodes into a map. + def computeHashes(t) = { + // compute the hash of a single node, assuming that the children's + // nodeHashes have been computed + def putNodeHash(hashMap: int -> Term, key: int): (int -> Term) = { + val h = + if (t.leafs.keys().contains(key)) { + val leaf = t.leafs.get(key) + hashLeaf(leaf.key, leaf.value, raw([0])) + } else { + // an inner node, assuming that the children nodeHashes were computed + def hashOrZeroes(childMap) = + if (childMap.keys().contains(key)) { + hashMap.get(childMap.get(key)) + } else { + Hash256_ZERO + } + // hash the prefix ([0]) and the hash of the children + termHash(raw([0]) + .termConcat(hashOrZeroes(t.left)) + .termConcat(hashOrZeroes(t.right))) + } + // store the hash + hashMap.put(key, h) + } + // go over the nodes from max to min + val maxNode = 2^height + 0.range(2^height) + .foldl(Map(), + (m, key) => + if (isNode(t, maxNode - key)) putNodeHash(m, maxNode - key) else m + ) + } + + /// We use an algorithmic approach that represents trees with binary words. + action init = { + // produce an arbitrary tree with leafs in e.g. [2, 8) + nondet idx = 2.to(2^height - 1).powerset().oneOf() + // remove those numbers that should serve as intermediate nodes + val leafKeys = idx.filter(i => idx.forall(j => not(i.in(parents(j))))) + // compute all parents + val allParents = leafKeys.map(i => parents(i)).flatten() + val allNodes = allParents.union(leafKeys) + // all intermediate nodes that have a left successor + val leftKeys = allParents.filter(i => allNodes.contains(2 * i)) + // all intermediate nodes that have a right successor + val rightKeys = allParents.filter(i => allNodes.contains(2 * i + 1)) + // left mapping + val left = leftKeys.mapBy(i => 2 * i) + // right mapping + val right = rightKeys.mapBy(i => 2 * i + 1) + all { + // ignore the case of empty trees + leafKeys != Set(), + // assign values to the keys + nondet vs = leafKeys.setOfMaps(Byte).oneOf() + val leafs = vs.keys().mapBy(k => { key: [k], value: [vs.get(k)] }) + // the resulting tree + val t = { leafs: leafs, left: left, right: right } + all { + tree' = t, + nodeHashes' = computeHashes(t), + }, + // pick arbitrary left and right keys for proofs + nondet i = leafKeys.oneOf() + leftKey' = i, + nondet i = leafKeys.oneOf() + rightKey' = i, + // pick an arbitrary input key + nondet i = Byte.oneOf() + inputKey' = i + } + } + + /// convert a tree leaf to an exists proof + def leafToExistsProof(key: int): ExistenceProof = + val value = tree.leafs.get(key).value + // encode all intermediate nodes upwards + val path = range(1, height + 1) + .foldl([], + (p, h) => + if (key < 2^h) { + p + } else { + val parent = key / (2^h) + val parentsChild = key / (2^(h - 1)) + def hashOrZeroes(childMap) = + if (childMap.keys().contains(parent)) { + nodeHashes.get(childMap.get(parent)) + } else { + Hash256_ZERO + } + // depending on whether the node is going to left or right, + // push the hashes in the prefix and the suffix + if (parentsChild % 2 == 0) { + // going to the left + val right = hashOrZeroes(tree.right) + p.append({ prefix: raw([0]), suffix: right }) + } else { + // going to the right + val left = hashOrZeroes(tree.left) + p.append({ prefix: raw([0]).termConcat(left), suffix: Map() }) + } + } + ) + // return the exists proof, where the key is the index itself + { + key: [key], + value: value, + leaf: { prefix: raw([0]) }, + path: path, + } + + /// The transition does nothing. The state was computed in `init`. + action step = all { + // nothing changes + tree' = tree, + nodeHashes' = nodeHashes, + leftKey' = leftKey, + rightKey' = rightKey, + inputKey' = inputKey, + } + + /// make sure that the roots obtained from the proofs are the same for all the leafs + val treeProofInv = + and { + leftKey.in(tree.leafs.keys()), + rightKey.in(tree.leafs.keys()) + } implies { + val lroot = existsCalculate(leafToExistsProof(leftKey)) + val rroot = existsCalculate(leafToExistsProof(rightKey)) + val rootHash = nodeHashes.get(1) + and { + lroot == rootHash, + rroot == rootHash, + } + } + + /// The invariant of membership verification: + /// If the input key belongs to the leafs, + /// we should be able to prove its membership. + val memInv = or { + not(inputKey.in(tree.leafs.keys())), + val proof = leafToExistsProof(inputKey) + val root = existsCalculate(proof) + verifyMembership(root, proof, [inputKey], proof.value) + } + + /// check this property to produce an example of where MemInv is violated + val memExample = not(memInv) + + // A few lemmas for NonMemInv: + // memberShouldFalsify, nonMemberInTheMiddle, nonMemberLeft, nonMemberRight + + def memberShouldFalsify(lproof, rproof) = and { + // if the input key belongs to the leafs, + // we should not be able to disprove its membership + inputKey.in(tree.leafs.keys()), + val nproof: NonExistenceProof = { key: [inputKey], left: lproof, right: rproof } + val root = if (lproof != None) existsCalculate(lproof.unwrap()) else existsCalculate(rproof.unwrap()) + not(verifyNonMembership(root, nproof, [inputKey])) + } + + def nonMemberInTheMiddle(lproof, rproof) = and { + // we should be able to prove its non-membership, + // unless the choice of the keys is bad + not(inputKey.in(tree.leafs.keys())), + val nproof = { key: [inputKey], left: lproof, right: rproof } + val root = if (lproof != None) existsCalculate(lproof.unwrap()) else existsCalculate(rproof.unwrap()) + val noKeyInTheMiddle = and { + // there is no leaf between leftKey and rightKey + tree.leafs.keys().forall(k => k <= leftKey or k >= rightKey), + // the keys are not misplaced + leftKey < inputKey, + inputKey < rightKey, + } + noKeyInTheMiddle iff verifyNonMembership(root, nproof, [inputKey]) + } + + def nonMemberLeft(lproof, rproof) = and { + // the input key is to the left + lproof == None, + // non-membership is true when the right key is left-most + and { + tree.leafs.keys().forall(k => rightKey <= k), + inputKey < rightKey, + } iff and { + // or there is a proof + val root = existsCalculate(rproof.unwrap()) + val nproof = { key: [inputKey], left: lproof, right: rproof } + verifyNonMembership(root, nproof, [inputKey]) + } + } + + def nonMemberRight(lproof, rproof) = and { + // the input key is to the right + rproof == None, + // non-membership is true when the left key is the right-most + and { + tree.leafs.keys().forall(k => (k <= leftKey)), + inputKey > leftKey, + } iff and { + // or there is a proof + val root = existsCalculate(lproof.unwrap()) + val nproof = { key: [inputKey], left: lproof, right: rproof } + verifyNonMembership(root, nproof, [inputKey]) + } + } + + // The invariant of non-membership verification. + // Consider all possible positions of the input key and the left/right keys. + val nonMemInv = + def proofOrNil(key) = { + if (tree.leafs.keys().contains(key)) + Some(leafToExistsProof(key)) + else + None + } + val lproof = proofOrNil(leftKey) + val rproof = proofOrNil(rightKey) + or { + memberShouldFalsify(lproof, rproof), + nonMemberInTheMiddle(lproof, rproof), + nonMemberLeft(lproof, rproof), + nonMemberRight(lproof, rproof), + // trivial cases: + inputKey < rightKey and lproof != None, + inputKey > leftKey and rproof != None, + } + + pure def maxOrNone(s: Set[int]): Option[int] = { + if (s == Set()) None else Some(s.fold(0, (a, b) => if (a > b) a else b)) + } + + pure def minOrNone(s: Set[int]): Option[int] = { + if (s == Set()) None else Some(s.fold(99999, (a, b) => if (a < b) a else b)) + } + + val verifyMembershipInv = { + 2.to(2^height - 1).forall(key => { + if (tree.leafs.has(key)) { + // TODO + true + } else { + val left = q::debug("prev", tree.leafs.keys().filter(k => k < key).maxOrNone()) + val right = q::debug("post", tree.leafs.keys().filter(k => k > key).minOrNone()) + val lproof = if (left != None) Some(leafToExistsProof(left.unwrap())) else None + val rproof = if (right != None) Some(leafToExistsProof(right.unwrap())) else None + val nproof = { key: [key], left: lproof, right: rproof } + val rootHash = nodeHashes.get(1) + verifyNonMembership(rootHash, nproof, [q::debug("key", key)]) + } + }) + } + + /// check this property to produce an example of where NonMemInv is violated + val nonMemExample = not(nonMemInv) + + val allInvariants = all { + if (treeProofInv) true else q::debug("treeProofInv", false), + if (memInv) true else q::debug("memInv", false), + if (nonMemInv) true else q::debug("nonMemInv", false), + } +} diff --git a/examples/spells/basicSpells.qnt b/examples/spells/basicSpells.qnt index 1022b49da..c0e54fe23 100644 --- a/examples/spells/basicSpells.qnt +++ b/examples/spells/basicSpells.qnt @@ -328,9 +328,31 @@ module basicSpells { /// - @param f: a function that takes an element of the list and returns a boolean /// - @returns the first element of `l` that satisfies `f`, or None pure def findFirst(l, f) = l.foldl(None, (a, i) => if (a == None and f(i)) Some(i) else a) + // FIXME: #1560 (remove the copy when fixed) + pure def find_first(l, f) = l.foldl(None, (a, i) => if (a == None and f(i)) Some(i) else a) run findFirstTest = all { assert(findFirst([1, 2, 3], x => x > 1) == Some(2)), assert(findFirst([1, 2, 3], x => x == 4) == None), } + + pure def unwrap(value: Option[a]): a = { + match value { + | None => Map().get(value) + | Some(x) => x + } + } + + pure def safeGet(m: a -> b, k: a): Option[b] = { + if (m.has(k)) Some(m.get(k)) else None + } + + pure def filterMap(s: Set[a], f: (a) => Option[b]): Set[b] = { + s.fold(Set(), (acc, e) => { + match f(e) { + | Some(x) => acc.union(Set(x)) + | None => acc + } + }) + } }