
    Geographical species distribution in the Barents Sea under climate change - results from the BarEcoRe project

    This report presents a study of possible changes in species' spatial distribution in the Barents Sea as a result of possible future changes in the ocean climate. Species Distribution Models (SDMs) are constructed to describe and quantify the relationship between the past distribution of species and environmental conditions. On the basis of simple environmental scenarios, the same models are used to project possible changes in individual species' spatial distributions. The work was conducted under the NFR-funded project BarEcoRe: Barents Sea Ecosystem Resilience under global environmental change.

    Proving uniformity and independence by self-composition and coupling

    Proof by coupling is a classical proof technique for establishing probabilistic properties of two probabilistic processes, like stochastic dominance and rapid mixing of Markov chains. More recently, couplings have been investigated as a useful abstraction for formal reasoning about relational properties of probabilistic programs, in particular for modeling reduction-based cryptographic proofs and for verifying differential privacy. In this paper, we demonstrate that probabilistic couplings can also be used for verifying non-relational probabilistic properties. Specifically, we show that the program logic pRHL, whose proofs are formal versions of proofs by coupling, can be used for formalizing uniformity and probabilistic independence. We formally verify our main examples using the EasyCrypt proof assistant.
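    As an added worked example, not taken from the paper, here is the coupling argument behind the simplest uniformity claim of the kind the abstract refers to: that $x := m \oplus k$ is uniform on $\{0,1\}^n$ whenever the key $k$ is sampled uniformly, written in the pRHL style the abstract mentions. The program $c$, the bijection $f$ and the events are chosen here for illustration only.

    Let $c$ be the program $k \xleftarrow{\$} \{0,1\}^n;\ x := m \oplus k$, and fix two arbitrary outputs $v, v' \in \{0,1\}^n$. Couple the two key samplings of two runs of $c$ through the bijection $f(k) = k \oplus v \oplus v'$ (pRHL's sampling rule admits any bijection on a uniform distribution), so that $k\langle 2\rangle = k\langle 1\rangle \oplus v \oplus v'$. Then
    $$x\langle 1\rangle = m\langle 1\rangle \oplus k\langle 1\rangle,\qquad x\langle 2\rangle = m\langle 2\rangle \oplus k\langle 1\rangle \oplus v \oplus v',$$
    and under the precondition $m\langle 1\rangle = m\langle 2\rangle = m$,
    $$x\langle 1\rangle = v \iff m \oplus k\langle 1\rangle = v \iff m \oplus k\langle 1\rangle \oplus v \oplus v' = v' \iff x\langle 2\rangle = v'.$$
    This establishes the relational judgement $\vdash c \sim c : m\langle 1\rangle = m\langle 2\rangle \Rightarrow (x\langle 1\rangle = v \Leftrightarrow x\langle 2\rangle = v')$, and the standard consequence of a coupling proof gives $\Pr[c : x = v] = \Pr[c : x = v']$. Since $v, v'$ were arbitrary and the $2^n$ events $x = v$ partition the output space, $\Pr[c : x = v] = 2^{-n}$ for every $v$: $x$ is uniform, and the proof never computes the distribution of $x$ directly, which is exactly what makes the technique mechanizable.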

    Advanced Probabilistic Couplings for Differential Privacy

    Differential privacy is a promising formal approach to data privacy, which provides a quantitative bound on the privacy cost of an algorithm that operates on sensitive information. Several tools have been developed for the formal verification of differentially private algorithms, including program logics and type systems. However, these tools do not capture fundamental techniques that have emerged in recent years, and cannot be used for reasoning about cutting-edge differentially private algorithms. Existing techniques fail to handle three broad classes of algorithms: 1) algorithms whose privacy depends on accuracy guarantees, 2) algorithms that are analyzed with the advanced composition theorem, which shows slower growth in the privacy cost, and 3) algorithms that interactively accept adaptive inputs. We address these limitations with a new formalism extending apRHL, a relational program logic that has been used for proving differential privacy of non-interactive algorithms, and incorporating aHL, a (non-relational) program logic for accuracy properties. We illustrate our approach through a single running example, which exemplifies the three classes of algorithms and explores new variants of the Sparse Vector technique, a well-studied algorithm from the privacy literature. We implement our logic in EasyCrypt and formally verify privacy. We also introduce a novel coupling technique called optimal subset coupling that may be of independent interest.

    Extending Coq with Imperative Features and its Application to SAT Verification

    Coq has within its logic a programming language that can be used to replace many deduction steps by a single computation; this is the so-called reflection. In this paper, we present two extensions of the evaluation mechanism that preserve its correctness and make it possible to deal with CPU-intensive tasks such as proof checking of SAT traces. This work was supported in part by the French ANR DECERT initiative.

    A Modular Integration of SAT/SMT Solvers to Coq through Proof Witnesses

    We present a way to enjoy the power of SAT and SMT provers in Coq without compromising soundness. This requires these provers to return not only a yes/no answer, but also a proof witness that can be independently rechecked. We present such a checker, written and fully certified in Coq. It is conceived in a modular way, in order to tame the proofs' complexity and to be extendable. It can currently check witnesses from the SAT solver ZChaff and from the SMT solver veriT. Experiments highlight the efficiency of this checker. On top of it, new reflexive Coq tactics have been built that can decide a subset of Coq's logic by calling external provers and carefully checking their answers.

    On Strong Normalization of the Calculus of Constructions with Type-Based Termination

    Termination of recursive functions is an important property in proof assistants based on dependent type theories; it implies consistency and decidability of type checking. Type-based termination is a mechanism for ensuring termination that uses types annotated with size information to check that recursive calls are performed on smaller arguments. Our long-term goal is to extend the Calculus of Inductive Constructions with a type-based termination mechanism and prove its logical consistency. In this paper, we present an extension of the Calculus of Constructions (including universes and impredicativity) with sized natural numbers, and prove strong normalization and logical consistency. Moreover, the proof can be easily adapted to include other inductive types. The original publication is available at www.springerlink.com.

    Boolean reflection via type classes

    Boolean reflection is a formalization technique that represents decidable predicates with their decision procedures and where truth values become booleans. Reflection occurs in the small scale: since conjectures are stated using programs, their symbolic execution provides a valuable form of automation. In this approach the user faces the "syntactic" (bool) representation of the conjecture and is given tactic-level tools to switch to the "semantic" one (Prop) and back. The SSReflect proof language [1] provides the view mechanism to switch from the computational realm of bool to the semantic one of Prop. To minimize the syntactic noise due to view application, SSReflect accepts views as annotations of most linguistic constructs. Still, a user needs to mention the view name explicitly, even when there is only one view to be applied. We propose a type-class [2] based machinery to attach canonical views to predicates and connectives, to relieve the Coq user from some of the bookkeeping required by the boolean reflection formalization technique.

    Let's take a very simple example. Here the is_true constant is used to state the truth of a boolean predicate. Being declared as a coercion, it is automatically inserted by Coq around any boolean value occurring in a context expecting a Prop. The support lemmas andP and orP are views linking the boolean connectives && and || to their meaning in Prop. The reflect predicate simply states that its first argument, in Prop, holds if and only if its second argument, in bool, is equal to true.

        Definition is_true b := b = true.
        Coercion is_true : bool >-> Sortclass. (* Prop *)

        Lemma andP b1 b2 : reflect (b1 /\ b2) (b1 && b2).
        Lemma orP b1 b2 : reflect (b1 \/ b2) (b1 || b2).

        Lemma example_bool a b : ((a && b) || a) -> a.
        Proof. by move=> /orP[ /andP[ Ha Hb ] | Ha ]; assumption. Qed.

        Lemma example_prop a b : ((a /\ b) \/ a) -> a.
        Proof. by move=> [ [ Ha Hb ] | Ha ]; assumption. Qed.

    The example_bool proof applies the two views in order to destructure the assumption (a much simpler proof would be to enumerate truth values, as in "by case a; case b"; for the sake of clarity we picked an oversimple example). The second proof needs no such bookkeeping, since the conjecture is already stated in Prop. We propose a declarative way of associating canonical views to connectives and predicates, and a generic view name xP to select the view fitting the current