A Matter of Trust: Skeptical Communication Between Coq and External Provers. (Question de confiance : communication sceptique entre Coq et des prouveurs externes)

This thesis studies the cooperation between the Coq proof assistant and external provers through proof witnesses. We concentrate on two di erent kinds of provers that can return certi cates: rst, answers coming from SAT and SMT solvers can be checked in Coq to increase both the con dence in these solvers and Coq's automation; second, theorems established in interactive provers based on Higher-Order Logic can be exported to Coq and checked again, in order to o er the possibility to produce formal developments which mix these two di erent logical paradigms. It ended up in two software: SMTCoq, a bi-directional cooperation between Coq and SAT/SMT solvers, and HOLLIGHTCOQ, a tool importing HOL Light theorems into Coq. For both tools, we took great care to de ne amodular and e cient architecture, based on three clearly separated ingredients: an embedding of the formalism of the external tool inside Coq which is carefully translated into Coq terms, a certi ed checker to establish the proofs using the certi cates and a Ocaml preprocessor to transform proof witnesses coming from di erent provers into a generic certi cate. This division allows that a change in the format of proof witnesses only a ects the preprocessor, but no proved Coq code. Another fundamental component for e ciency and modularity is computational re ection, which exploits the computational power of Coq to establish generic and small proofs based on the certi cates.