Milawa is a "self-verifying" theorem prover for an ACL2-like logic.

We begin with a simple proof checker,
call it *A*, which is short enough to verify by the "social process" of
mathematics.

We then develop a series of increasingly powerful proof checkers, call them
*B*, *C*, *D*, and so on. We show that each of these is
*sound*: they accept only the same formulas as *A*. We use
*A* to verify *B*, and *B* to verify *C*, and so
on. Then, since we trust *A*, and *A* says *B* is sound,
we can trust *B*, and so on for *C*, *D*, and the rest.

Our final proof checker is really a theorem prover; it can carry out a
goal-directed proof search using assumptions, calculation, rewrite rules, and
so on. We use this theorem prover to discover the proofs of soundness for
*B*, *C*, and so on, and to emit these proofs in a format that
*A* can check. Hence, "self verifying."

Milawa is distributed as part
of the ACL2 Books
(under `projects/milawa`).

For documentation on how to compile Milawa, bootstrap its proofs, and check the resulting proofs, see Projects/Milawa in the ACL2 Books User Manual.

