Computer-aided Verification in Mechanism Design (PowerPoint presentation)


Slide 1

Computer-aided Verification in Mechanism Design

Gilles Barthe, Marco Gaboardi, Emilio Jesús Gallego Arias, Justin Hsu*, Aaron Roth*, Pierre-Yves Strub

IMDEA Software, École Polytechnique, University at Buffalo, *University of Pennsylvania

December 14, 2016

Slide 2

Mechanism design = Algorithm design + Strategic inputs

*In computer science

Slide 3

Incentive properties

Encourage agents to behave simply

Benefits

◮ For the agents: easy to decide what to do
◮ For the designer: easy to reason about what agents will do


Slide 5

Best case: truthfulness

Model

◮ Agents have private type t_i ∈ T
◮ Mechanism inputs: agents report s_i ∈ T
◮ Mechanism outputs: outcome o ∈ O and payments p_i ∈ R

Definition (Complete information)

A mechanism is truthful (DSIC) if each agent maximizes their utility by reporting s_i = t_i, no matter what other agents do.

Definition (Incomplete information)

A mechanism is Bayesian Incentive Compatible (BIC) if each agent maximizes their expected utility by reporting s_i = t_i, when other agents report their true types drawn from a known prior µ.

Slide 6

Mechanism ≈ Program
Truthfulness ≈ Property
Program verification for incentive properties

Slide 7

But isn’t this really hard?

Divide the task

◮ Proof construction: hard
◮ Proof checking: easy

Slide 8

Why verify properties? Check correctness


Slide 10

Why verify incentive properties? Convince agents

What if agents don’t believe the incentive property?

◮ Incentive properties often not obvious
◮ Read the proof (?)

A possible model

◮ Designer constructs formal proof of incentive property
◮ Agents check it automatically

Slide 11

Our work: A case study

Target

◮ Replica-surrogate-matching mechanism (HKM)
◮ To prove: BIC

Proof is non-trivial

◮ Lots of reasoning about randomization
◮ Need incentive property for VCG mechanism


Slide 15

Proof construction approaches: basic tradeoff

[Diagram: one axis runs from "Complex proofs" to "Simple proofs", the other from "More automatic" to "Less automatic"; two regions are marked "Existing efforts" and "Our target". Only the labels survive the extraction.]

Slide 16

Idea: incentive properties are relational properties

Program: agent’s report → agent’s (expected) utility

◮ First run: agent report equal to agent type (truthful)
◮ Second run: agent report arbitrary (non-truthful)
◮ Truthfulness: first utility at least as large as second utility

Leverage specialized tools

◮ HOARe2: for probabilistic relational properties

Slide 17

Formally verifying BIC

Four main steps

1. Write program
2. Annotate program with assertions
3. Apply solvers to automatically check assertions
4. Fall back to less automated approaches for remaining steps


Slide 20

Writing the assertions

Basic form

{prog :: S | Φ(prog1, prog2)}

(The subscripts 1 and 2 refer to the value of prog in the first and second run of the program.)

Incentive Compatibility

{rept :: T | rept1 = type} → {util :: R | util1 ≥ util2}
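A concrete, executable instance of the relational check from slides 16 and 20, added here as an example and not taken from the talk or from HOARe2: the "program" maps an agent's report to its expected utility, the first run reports the true type and the second run reports an arbitrary type, and the assertion util1 ≥ util2 is checked exhaustively. The finite type space, the uniform prior, the two mechanisms (single-item VCG, i.e. second-price, and a first-price auction that fails the check) and the lowest-index tie-break are all assumptions of this example.

```python
from fractions import Fraction
from itertools import product

# Constructed finite type space T and uniform prior mu over it (assumptions, not from the talk).
TYPES = [Fraction(v) for v in (1, 2, 3, 4)]
PRIOR = {t: Fraction(1, len(TYPES)) for t in TYPES}

def second_price(bids):
    """Single-item VCG: highest bid wins and pays the second-highest bid (ties go to the lowest index)."""
    winner = max(range(len(bids)), key=lambda i: (bids[i], -i))
    price = max((b for i, b in enumerate(bids) if i != winner), default=Fraction(0))
    return winner, price

def first_price(bids):
    """Non-truthful comparison mechanism: highest bid wins and pays its own bid."""
    winner = max(range(len(bids)), key=lambda i: (bids[i], -i))
    return winner, bids[winner]

def utility(mechanism, i, true_type, reports):
    """Quasi-linear utility of agent i: value if allocated, minus payment."""
    winner, price = mechanism(reports)
    return true_type - price if winner == i else Fraction(0)

def expected_utility(mechanism, i, true_type, report, n):
    """The 'program' of slide 16: agent i's expected utility when the other n-1 reports are drawn i.i.d. from PRIOR."""
    total = Fraction(0)
    for others in product(TYPES, repeat=n - 1):
        reports = list(others[:i]) + [report] + list(others[i:])
        weight = Fraction(1)
        for t in others:
            weight *= PRIOR[t]
        total += weight * utility(mechanism, i, true_type, reports)
    return total

def bic_violations(mechanism, n=2):
    """Exhaustive relational check of {rept1 = type} -> {util1 >= util2}; returns every (agent, type, deviation, util1, util2) that breaks it."""
    violations = []
    for i in range(n):
        for t in TYPES:
            util1 = expected_utility(mechanism, i, t, t, n)   # run 1: truthful report
            for s in TYPES:
                util2 = expected_utility(mechanism, i, t, s, n)  # run 2: arbitrary report
                if util1 < util2:
                    violations.append((i, t, s, util1, util2))
    return violations

if __name__ == "__main__":
    print("second-price violations:", bic_violations(second_price))
    print("first-price violations:", bic_violations(first_price))
```

On this type space the second-price auction produces no violations, while the first-price auction shows, for example, that an agent of type 4 gains by reporting 3; a solver-based tool proves the same assertion symbolically rather than by enumeration.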


Slide 22

Applying solvers

Given x1 < x2, prove:

◮ x1 + 1 < x2 + 2 (easy)
◮ f(x1) < f(x2), where f is a program (harder)

Results

◮ Almost all assertions (∼60) automatically proved (in ∼ seconds)
◮ Solvers run out of time on three assertions

Slide 23

Formally verifying BIC

Four main steps

1. Write program
2. Annotate program with assertions
3. Apply solvers to automatically check assertions
4. Fall back to less automated approaches for remaining steps

See paper for details!

Slide 24

Perspective

Promising signs: automatic parts

◮ Handle complex proofs and mechanisms
◮ Solvers usually work, and are fast

Pain points: manual parts

◮ When solvers fail: life is hard
◮ Crafting program and assertions


Slide 27

Needed: more case studies!

Do you have a mechanism that . . .

◮ has a tedious proof?
◮ uses randomization?
◮ satisfies a relational property?

We want to know!

For brave souls: https://github.com/ejgallego/HOARe2

(Also, I am looking for a job . . . )


Slide 29

Writing the program

Main program: one agent’s utility

◮ Input: agent’s true type and report
◮ Output: agent’s expected utility from mechanism
◮ Assume: other agents’ reports drawn from prior (BIC)

Top level code

[Code listing shown on the slide; not recoverable from the extracted text.]

Slide 30

Handling the hard assertions

Hardest step

◮ Mechanism transforms each report into a “surrogate” report
◮ Key lemma: if report ∼ prior, transformation preserves prior
◮ Manually construct proof in different system (EasyCrypt): ∼190 out of ∼260 total lines of manual proof


Slide 34

RSM mechanism (Hartline, Kleinberg, Malekian)

[Diagram built up over four slides; only its labels survive the extraction: "Agent", "RSM Transform", "Price", "Algorithm", "Outcome", with two stacked "RSM Transform" / "Price" blocks. Arrows and layout are not recoverable.]