Beyond Differential Privacy: Composition Theorems and Relational Logic for f-divergences between Probabilistic Programs (slides)


  1. Beyond Differential Privacy: Composition Theorems and Relational Logic for f-divergences between Probabilistic Programs. Gilles Barthe, Federico Olmedo (IMDEA Software Institute, Madrid, Spain). 40th International Colloquium on Automata, Languages and Programming (ICALP 2013), 2013.09.07.

  2. f-divergences are everywhere: cryptography, pattern recognition, information theory, image processing, data mining.
  [Footer on every slide: Composition Theorems and Relational Logic for f-divergences between Probabilistic Programs, 1 / 14]

  3. f-divergences in Crypto. Improving security bounds for key-alternating ciphers via Hellinger distance [Steinberger:2012]. Crux of his proof: bounding the f-divergence between two probabilistic computations, $\Delta_f(c_1, c_2) \le \delta$.

  4. In this Work. Goal: lay the foundations for reasoning about f-divergences between probabilistic programs.
  ➥ Observe that the notion of distance used to characterize differential privacy (DP) belongs to the family of f-divergences.
  ➥ Extend techniques from the DP literature to reason about arbitrary f-divergences.

  5. Differential Privacy Primer. General scenario: contributor privacy vs. data-mining utility. We want to release statistical information about a sensitive dataset without compromising the privacy of individual respondents.

  6–7. Differential Privacy Primer: Dwork's solution [ICALP '06]. The output of the mining process should be indistinguishable when run with two databases $d_1$ and $d_2$ differing in a single record, i.e. $K(d_1)$ and $K(d_2)$ should look alike. A randomized mechanism $K$ is $(\epsilon, \delta)$-differentially private iff
  $$\forall d_1, d_2.\ \Delta(d_1, d_2) \le 1 \;\Longrightarrow\; \Delta_\alpha(K(d_1), K(d_2)) \le \delta, \qquad \text{where } \alpha = \exp(\epsilon),$$
  $\Delta(d_1, d_2) \le 1$ meaning that the databases differ in at most one record.

  8–9. f-divergences: Definition. The f-divergence between two distributions $\mu_1$ and $\mu_2$ over a set $A$ is defined as
  $$\Delta_f(\mu_1, \mu_2) \;\triangleq\; \sum_{a \in A} \mu_2(a)\, f\!\left(\frac{\mu_1(a)}{\mu_2(a)}\right)$$
  where $f : \mathbb{R}_{\ge 0} \to \mathbb{R}$ is a continuous convex function s.t. $f(1) = 0$. Some examples:
  - Statistical distance ($\Delta_{SD}$): $f(t) = \tfrac{1}{2}\,|t - 1|$
  - Kullback-Leibler ($\Delta_{KL}$): $f(t) = t \ln t$
  - Hellinger distance ($\Delta_{HD}$): $f(t) = \tfrac{1}{2}\,(\sqrt{t} - 1)^2$
  - $\alpha$-distance ($\Delta_\alpha$): $f(t) = \max\{t - \alpha,\, 0\}$
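  A derivation added here (not on the slides) making explicit why the $\alpha$-distance is exactly the distance used in the DP definition on slide 7; symbols as in the slides. Since $f(t) = \max\{t - \alpha, 0\}$,
  $$\Delta_\alpha(\mu_1, \mu_2) = \sum_{a \in A} \mu_2(a)\max\Big\{\frac{\mu_1(a)}{\mu_2(a)} - \alpha,\, 0\Big\} = \sum_{a \in A} \max\{\mu_1(a) - \alpha\,\mu_2(a),\, 0\} = \max_{S \subseteq A}\big(\mu_1(S) - \alpha\,\mu_2(S)\big),$$
  the last step because the maximizing event $S$ collects exactly those $a$ with $\mu_1(a) > \alpha\,\mu_2(a)$ (where $\mu_2(a) = 0$, the usual convention $0 \cdot f(\mu_1(a)/0) \triangleq \mu_1(a) \cdot \lim_{t \to \infty} f(t)/t = \mu_1(a)$ yields the same term). Hence, with $\alpha = \exp(\epsilon)$,
  $$\Delta_\alpha(K(d_1), K(d_2)) \le \delta \iff \forall S.\ \Pr[K(d_1) \in S] \le e^{\epsilon}\,\Pr[K(d_2) \in S] + \delta,$$
  which is the usual statement of $(\epsilon, \delta)$-differential privacy; quantifying over all pairs $d_1, d_2$ in the definition supplies the bound in both directions, since $\Delta_\alpha$, unlike $\Delta_{SD}$, is not symmetric in its arguments. For $\alpha = 1$ (i.e. $\epsilon = 0$) the sum $\sum_a \max\{\mu_1(a) - \mu_2(a), 0\}$ equals $\tfrac{1}{2}\sum_a |\mu_1(a) - \mu_2(a)|$, so $\Delta_1 = \Delta_{SD}$.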

  10. f-divergences: Composition. Sequential composition theorem of DP: if $K$ is $(\epsilon, \delta)$-DP and $K'$ is $(\epsilon', \delta')$-DP, then running both is $(\epsilon + \epsilon',\, \delta + \delta')$-DP.

  11. f-divergences: Composition. The same theorem, stated for the $\alpha$-distance:
  $$\Delta_\alpha(\_, \_) \le \delta \quad\text{and}\quad \Delta_{\alpha'}(\_, \_) \le \delta' \;\Longrightarrow\; \Delta_{\alpha\alpha'}(\_, \_) \le \delta + \delta'.$$

  12–13. f-divergences: Composition. Sequential composition theorem of f-divergences:
  $$\Delta_f(\_, \_) \le \delta \quad\text{and}\quad \Delta_{f'}(\_, \_) \le \delta' \;\Longrightarrow\; \Delta_{f''}(\_, \_) \le \delta + \delta'.$$
  We extend the sequential composition theorem of DP by
  ➥ introducing the notion of f-divergence composability: the theorem holds whenever $(f, f')$ is $f''$-composable;
  ➥ showing that $\Delta_{SD}$, $\Delta_{KL}$ and $\Delta_{HD}$ are self-composable, i.e. $(f, f)$ is $f$-composable for each of them.
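  The following Python is an added example, not code from the slides or from the authors, serving the definition on slides 8–9, the $\alpha$-distance view of DP on slide 7, and the composition theorems on slides 10–13. It evaluates the four f-divergences on finite distributions (dicts from outcome to probability), checks numerically that $\Delta_\alpha$ coincides with the event-wise form $\max_S(\mu_1(S) - \alpha\mu_2(S))$, and checks the composition bound on the special case of $c_1; c_1'$ where the second program draws fresh randomness and ignores the first output (two independent queries on the same database, so the joint output is a product distribution). The randomized-response mechanism and the parameter $p = 3/4$ are my own choice of illustration.

```python
"""
Added example (not from the slides): f-divergences between finite
distributions, given as dicts outcome -> probability; the alpha-distance
form of (eps, delta)-DP from the primer; and a numerical check of the
sequential-composition theorem on the independent-product special case
of c1; c1'.  The randomized-response mechanism and p = 3/4 are my choice.
"""
from itertools import combinations
from math import inf, log, sqrt


# Generators f from the definition slide (convex, f(1) = 0), each paired with
# lim_{t->inf} f(t)/t, which the definition needs where mu2(a) = 0 < mu1(a).
def f_sd(t):
    return 0.5 * abs(t - 1)              # statistical distance

def f_kl(t):
    return t * log(t) if t > 0 else 0.0  # Kullback-Leibler, with 0 ln 0 := 0

def f_hd(t):
    return 0.5 * (sqrt(t) - 1) ** 2      # Hellinger distance

SD = (f_sd, 0.5)
KL = (f_kl, inf)
HD = (f_hd, 0.5)

def ALPHA(alpha):
    """alpha-distance: Delta_{exp(eps)} <= delta is exactly (eps, delta)-DP."""
    return (lambda t: max(t - alpha, 0.0), 1.0)


def f_divergence(mu1, mu2, fdiv):
    """Delta_f(mu1, mu2) = sum_a mu2(a) * f(mu1(a) / mu2(a))."""
    f, slope_inf = fdiv
    total = 0.0
    for a in set(mu1) | set(mu2):
        p, q = mu1.get(a, 0.0), mu2.get(a, 0.0)
        if q > 0:
            total += q * f(p / q)
        elif p > 0:
            total += p * slope_inf       # convention 0 * f(p/0) := p * lim f(t)/t
    return total


def alpha_distance_by_events(mu1, mu2, alpha):
    """max_S (mu1(S) - alpha * mu2(S)) over all events S, i.e. the smallest
    delta with mu1(S) <= alpha * mu2(S) + delta for every S.  Brute force over
    subsets (fine for the tiny supports here); equals Delta_alpha(mu1, mu2)."""
    support = sorted(set(mu1) | set(mu2))
    best = 0.0
    for r in range(1, len(support) + 1):
        for S in combinations(support, r):
            best = max(best, sum(mu1.get(a, 0.0) for a in S)
                             - alpha * sum(mu2.get(a, 0.0) for a in S))
    return best


def randomized_response(bit, p):
    """Mechanism K on a one-bit database: report the bit with probability p,
    its complement otherwise.  Inputs 0 and 1 are adjacent databases."""
    return {bit: p, 1 - bit: 1.0 - p}


def product(mu, nu):
    """Output distribution of c1; c1' when c1' uses fresh randomness and does
    not read c1's output (two independent queries on the same database)."""
    return {(a, b): mu[a] * nu[b] for a in mu for b in nu}


def composition_check(mu1, mu2, nu1, nu2, f, f_prime, f_composed):
    """Both sides of  Delta_{f''}(mu1 x nu1, mu2 x nu2) <= Delta_f(mu1, mu2)
    + Delta_{f'}(nu1, nu2);  the theorem promises lhs <= rhs whenever
    (f, f') is f''-composable."""
    lhs = f_divergence(product(mu1, nu1), product(mu2, nu2), f_composed)
    rhs = f_divergence(mu1, mu2, f) + f_divergence(nu1, nu2, f_prime)
    return lhs, rhs


if __name__ == "__main__":
    p = 0.75
    alpha = p / (1 - p)                   # = exp(eps) with eps = ln 3
    mu1, mu2 = randomized_response(0, p), randomized_response(1, p)
    for name, fd in (("SD", SD), ("KL", KL), ("HD", HD), ("alpha=3", ALPHA(alpha))):
        print(f"Delta_{name}(K(0), K(1)) = {f_divergence(mu1, mu2, fd):.4f}")
    print("event form:", alpha_distance_by_events(mu1, mu2, alpha))   # 0.0: (ln 3, 0)-DP
    # the alpha-distance composes with alpha * alpha', not with alpha alone
    print("alpha*alpha':", composition_check(mu1, mu2, mu1, mu2,
                                             ALPHA(alpha), ALPHA(alpha), ALPHA(alpha * alpha)))
    print("same alpha  :", composition_check(mu1, mu2, mu1, mu2,
                                             ALPHA(alpha), ALPHA(alpha), ALPHA(alpha)))
    for name, fd in (("SD", SD), ("KL", KL), ("HD", HD)):  # self-composable
        print(name, composition_check(mu1, mu2, mu1, mu2, fd, fd, fd))
```

  Running it shows randomized response with $p = 3/4$ is $(\ln 3, 0)$-DP ($\Delta_3 = 0$), that composing two such queries is $(2\ln 3, 0)$-DP ($\Delta_9$ of the product is $0$) while $\Delta_3$ of the product is already $0.375$, and that for $\Delta_{KL}$ the product bound holds with equality, as one expects from additivity of KL over independent components.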

  14. Relational Hoare Logic for DP. Probabilistic Relational Reasoning for DP [Barthe:2012a] proposes an approximate relational Hoare logic with judgments of the form $c_1 \sim_{\alpha,\delta} c_2 : \Psi \Rightarrow \Phi$. A program $c$ is $(\epsilon, \delta)$-DP iff $c \sim_{\exp(\epsilon),\delta} c : \Psi \Rightarrow \equiv$, where the precondition $\Psi$ is database adjacency and the postcondition $\equiv$ is equality on program states.

  15–16. Relational Hoare Logic for f-divergences. Judgments have the form $c_1 \sim_{f,\delta} c_2 : \Psi \Rightarrow \Phi$. Such a judgment is valid iff for all memories $m_1$ and $m_2$
  $$m_1\ \Psi\ m_2 \;\Longrightarrow\; (\llbracket c_1 \rrbracket\, m_1)\ \ \mathcal{L}^{\delta}_{f}(\Phi)\ \ (\llbracket c_2 \rrbracket\, m_2),$$
  where $\mathcal{L}^{\delta}_{f}(\Phi)$ is the lifting of $\Phi$ to a relation over distributions on program states.

  17. $(f, \delta)$-lifting of Relations. $\mathcal{L}^{\delta}_{f}(\cdot) : \mathcal{P}(A \times B) \to \mathcal{P}(\mathcal{D}(A) \times \mathcal{D}(B))$. Generalizes the previous lifting operator for the exact setting (i.e. $\delta = 0$). More or less involved definition for arbitrary relations, but admits a simpler characterization for equivalence relations. In the case of equality we have
  $$\mu_1\ \mathcal{L}^{\delta}_{f}(\equiv)\ \mu_2 \;\iff\; \Delta_f(\mu_1, \mu_2) \le \delta.$$

  18. Relational Hoare Logic for f-divergences: Applications.
  - Bound the f-divergence between programs: $\Delta_f(\llbracket c_1 \rrbracket\, m_1, \llbracket c_2 \rrbracket\, m_2) \le \delta$.
  - Relate the probabilities of individual events: $\Pr[c_2(m_2) : E_2]\; f\!\left(\dfrac{\Pr[c_1(m_1) : E_1]}{\Pr[c_2(m_2) : E_2]}\right) \le \delta$.
  - Model other quantitative notions such as continuity or approximate non-interference.

  19. Relational Hoare Logic for f-divergences: Proof System. Selected rules:
  Weakening
  $$\frac{\models c_1 \sim_{f',\delta'} c_2 : \Psi' \Rightarrow \Phi' \qquad \Psi \Rightarrow \Psi' \qquad \Phi' \Rightarrow \Phi \qquad \delta' \le \delta \qquad f \le f'}{\models c_1 \sim_{f,\delta} c_2 : \Psi \Rightarrow \Phi}$$
  Sequential composition
  $$\frac{(f_1, f_2) \text{ is } f_3\text{-composable} \qquad \models c_1 \sim_{f_1,\delta_1} c_2 : \Psi \Rightarrow \Phi' \qquad \models c_1' \sim_{f_2,\delta_2} c_2' : \Phi' \Rightarrow \Phi}{\models c_1;\, c_1' \sim_{f_3,\,\delta_1 + \delta_2} c_2;\, c_2' : \Psi \Rightarrow \Phi}$$

  20. Summary. Contributions:
  - We unveil a connection between differential privacy and f-divergences.
  - We generalize the sequential composition theorem of DP to some well-known f-divergences.
  - We introduce a program logic for upper-bounding the f-divergence between probabilistic programs.

  21. Thanks for your attention!

  22. References
  Gilles Barthe, Boris Köpf, Federico Olmedo, and Santiago Zanella-Béguelin. Probabilistic relational reasoning for differential privacy. In 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, pages 97–110. ACM, New York, 2012.
  John Steinberger. Improved security bounds for key-alternating ciphers via Hellinger distance. Cryptology ePrint Archive, Report 2012/481, 2012. http://eprint.iacr.org/

  23–25. f-divergences in Crypto (backup). Improving security bounds for key-alternating ciphers via Hellinger distance [Steinberger:2012]. The cipher $E_P(k, \cdot) : \{0,1\}^n \to \{0,1\}^n$, built from public permutation(s) $P$ and keyed by $k$, is itself a permutation on $n$-bit blocks. Security means it is hard for a distinguisher $D$ with oracle access to tell $E_P(k, \cdot)$ from a truly random permutation $Q$. This is formally stated as an upper bound on the statistical distance between the distinguisher's output distributions,
  $$\Delta_{SD}\big(D^{E_P(k,\cdot)},\, D^{Q}\big),$$
  and the improved security guarantees come from bounding instead the Hellinger distance
  $$\Delta_{HD}\big(D^{E_P(k,\cdot)},\, D^{Q}\big).$$
