Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential Privacy
Gilles Barthe, Marco Gaboardi, Emilio Jesús Gallego Arias, Justin Hsu, Aaron Roth, Pierre-Yves Strub
UPenn - Mines ParisTech, IMDEA Software Institute, Dundee
Gallium Seminar, Nov 17th, 2014
Barthe et al. Verifying MD and DP 1
Motivation

Software Verification
◮ Reason formally about programs and their behavior.
◮ Increase trust in software, help programmers/designers.
◮ Has important practical and economic utility.
◮ Expressiveness? Automation?

Today:
◮ Verification of probabilistic programs.
◮ Mechanisms: inputs controlled by strategic agents.
◮ Truthfulness: an agent gets the best utility when telling the truth.
◮ Privacy: an agent's information leak is bounded.
The Main Challenges

Relational Reasoning
Properties of interest are relational, that is, defined over two runs of the same program:
◮ Truthfulness: agent telling the truth vs. not.
◮ Privacy: run including the agent vs. not.

Probabilistic Reasoning
Interesting algorithms are randomized; properties rely on:
◮ Expected values.
◮ Distance on distributions.
Our Approach

Related/Precursor Work:
◮ Relational logics.
◮ F*, RF*.
◮ CertiCrypt/CertiPriv.
◮ Fuzz/DFuzz.

Our Contributions
◮ Extended type system:
  ◮ Support for higher-order refinements.
  ◮ Embedding of logical relations! DFuzz soundness proof.
  ◮ Probabilistic approximate types.
◮ New application domain and examples.
◮ Prototype implementation.
The System: Relational Refinement Types

Variables
Relational variables $x \in \mathcal{X}_R$; left/right instances $x_\triangleleft, x_\triangleright \in \mathcal{X}_R^{\bowtie}$.

Expressions
$e ::= C \mid x \in \mathcal{X}_m \mid e\ e \mid \lambda x.\,e \mid \mathsf{case}\ e\ \mathsf{with}\ [\epsilon \Rightarrow e \mid x :: x \Rightarrow e]$
$\quad \mid \mathsf{letrec}^{\uparrow} f\ x = e \mid \mathsf{letrec}^{\downarrow} f\ x = e \mid e^{\uparrow} \mid \mathsf{let}^{\uparrow} x = e\ \mathsf{in}\ e \mid \mathsf{unit}_M\ e \mid \mathsf{bind}_M\ x = e\ \mathsf{in}\ e$

Regular Types
$\hat\tau, \hat\sigma, \ldots \in \mathsf{CoreTy} ::= \bullet \mid \mathbb{B} \mid \mathbb{N} \mid \mathbb{R} \mid \mathbb{R}^{+} \mid L[\hat\tau]$
$\tau, \sigma, \ldots \in \mathsf{Ty} ::= \hat\tau \mid M[\tau] \mid C[\tau] \mid \tau \to \sigma$

Relational Refinement Types
$T, U \in \mathcal{T} ::= \hat\tau \mid M_{\epsilon,\delta}[T] \mid C[T] \mid \Pi(x :: T).\,T \mid \{x :: T \mid \phi\}$
$\phi, \psi \in \mathcal{A} ::= Q(x : \tau).\,\phi \mid Q(x :: T).\,\phi \mid e^{\bowtie} = e^{\bowtie} \mid e^{\bowtie} \le e^{\bowtie} \mid C(\phi_1, \ldots, \phi_n) \mid e^{\bowtie}$
$C = \{\top/0,\ \bot/0,\ \neg/1,\ \vee/2,\ \wedge/2,\ \Rightarrow/2\}$
Relational Refinement Types: Example

Regular refinement types are not enough to capture some properties.

$k$-sensitive function $f$:
[figure: two inputs at distance $d$ are mapped by $f$ to outputs at distance $< k \cdot d$]

$\forall x_1, x_2.\ |f(x_1) - f(x_2)| \le k \cdot |x_1 - x_2|$

What should the type for $f$ be?
Relational Refinement Types: Example

For the property:
$\forall x_1, x_2.\ |f(x_1) - f(x_2)| \le k \cdot |x_1 - x_2|$

we can do a refinement at a higher type:
$\{\, f : \mathbb{R} \to \mathbb{R} \mid \forall x :: \mathbb{R}.\ |f(x_\triangleleft) - f(x_\triangleright)| \le k \cdot |x_\triangleleft - x_\triangleright| \,\}$

or we can refer to two copies of the input:
$f : \Pi(x :: \mathbb{R}).\,\{\, r :: \mathbb{R} \mid |r_\triangleleft - r_\triangleright| \le k \cdot |x_\triangleleft - x_\triangleright| \,\}$

Both types are equivalent in our system, but the pre/post style is more convenient for reasoning.
The System: Semantics

Semantic subtyping for non-relational types:

$$\frac{\vdash e : T \qquad \Gamma \models \phi[x/e]}{\vdash e : \{x : T \mid \phi\}}$$

$\vdash e : T \;\Rightarrow\; e \in \llbracket T \rrbracket$

$$\frac{v \in \llbracket T \rrbracket \qquad \models \phi(v)}{v \in \llbracket \{x : T \mid \phi(x)\} \rrbracket}$$

Semantic subtyping for HO relational types:

$\llbracket T \rrbracket_\theta \subseteq \llbracket |T| \rrbracket \times \llbracket |T| \rrbracket$

$$\frac{(d_1, d_2) \in \llbracket \tau \rrbracket \times \llbracket \tau \rrbracket}{(d_1, d_2) \in \llbracket \tau \rrbracket_\theta}$$

$$\frac{(d_1, d_2) \in \llbracket T \rrbracket_\theta \qquad \llbracket \phi \rrbracket_{\theta[x_\triangleleft \mapsto d_1][x_\triangleright \mapsto d_2]}}{(d_1, d_2) \in \llbracket \{x :: T \mid \phi\} \rrbracket_\theta}$$

$$\frac{(f_1, f_2) \in \llbracket |T| \to |U| \rrbracket \qquad \forall (d_1, d_2) \in \llbracket T \rrbracket_\theta.\ (f_1(d_1), f_2(d_2)) \in \llbracket U \rrbracket_{\theta[x_\triangleleft \mapsto d_1][x_\triangleright \mapsto d_2]}}{(f_1, f_2) \in \llbracket \Pi(x :: T).\,U \rrbracket_\theta}$$
Subtyping

$$\text{SUB-REFL}\quad \frac{G \vdash T}{G \vdash T \le T}
\qquad
\text{SUB-TRANS}\quad \frac{G \vdash T \le U \qquad G \vdash U \le V}{G \vdash T \le V}$$

$$\text{SUB-LEFT}\quad \frac{G \vdash \{x :: T \mid \phi\}}{G \vdash \{x :: T \mid \phi\} \le T}$$

$$\text{SUB-RIGHT}\quad \frac{G \vdash T \le U \qquad (G, x :: U) \vdash \phi \qquad \forall \theta.\ \theta \vdash G, x :: T \Rightarrow \llbracket \phi \rrbracket_\theta}{G \vdash T \le \{x :: U \mid \phi\}}$$

$$\text{SUB-PROD}\quad \frac{G \vdash T_2 \le T_1 \qquad G, x :: T_2 \vdash U_1 \le U_2}{G \vdash \Pi(x :: T_1).\,U_1 \le \Pi(x :: T_2).\,U_2}$$
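The example slides above read a relational type as a set of pairs (left run, right run), with the $k$-sensitivity type $\Pi(x :: \mathbb{R}).\{ r :: \mathbb{R} \mid |r_\triangleleft - r_\triangleright| \le k \cdot |x_\triangleleft - x_\triangleright| \}$ as the running instance, and the subtyping slide gives SUB-PROD with its contravariant domain. The Python below is an added example, not the authors' prototype: it evaluates that semantics over a small constructed grid standing in for $\mathbb{R}$, checks a few concrete functions against the $k$-sensitivity type (synchronously, the same function on both runs), and checks the SUB-PROD premises between two such $\Pi$-types. All names (`base_pairs`, `refine`, `in_pi`, `sensitive`, `sub_prod`) and the grid are this example's own.

```python
"""Finite-model reading of relational refinement types (added example, not the paper's prototype).

A relational type denotes a set of pairs (d1, d2) = (left run, right run).
Everything is checked over a small constructed grid standing in for R, so a
"yes" here means "holds on every sampled pair", not a proof over all reals;
the type system in the talk is what delivers the latter.
"""
from itertools import product
from typing import Callable, List, Tuple

Pair = Tuple[float, float]
RelPred = Callable[[float, float], bool]                      # phi over (x_left, x_right)
CodomainPred = Callable[[float, float, float, float], bool]   # U mentions x_left, x_right, r_left, r_right

GRID = [i / 4 for i in range(-8, 9)]   # constructed sample of R: -2.0, -1.75, ..., 2.0
EPS = 1e-9                              # float slack for the <= comparisons


def base_pairs(domain=GRID) -> List[Pair]:
    """[[tau]] x [[tau]]: the relational reading of a plain base type."""
    return list(product(domain, repeat=2))


def refine(pairs: List[Pair], phi: RelPred) -> List[Pair]:
    """[[{x :: T | phi}]]: the pairs of [[T]] on which phi(x_left, x_right) holds."""
    return [(d1, d2) for (d1, d2) in pairs if phi(d1, d2)]


def in_pi(f1, f2, dom_pairs: List[Pair], codomain: CodomainPred) -> bool:
    """(f1, f2) in [[Pi(x :: T).U]]: for every (d1, d2) in [[T]],
    (f1 d1, f2 d2) lies in [[U]] with x_left -> d1 and x_right -> d2."""
    return all(codomain(d1, d2, f1(d1), f2(d2)) for (d1, d2) in dom_pairs)


def sensitive(k: float) -> CodomainPred:
    """Codomain of the slide's type Pi(x :: R).{ r :: R | |r_left - r_right| <= k * |x_left - x_right| }."""
    return lambda x1, x2, r1, r2: abs(r1 - r2) <= k * abs(x1 - x2) + EPS


def is_k_sensitive(f, k: float, domain=GRID) -> bool:
    """Synchronous judgment G |- f :: Pi(x :: R).{...}: the same f runs on both sides."""
    return in_pi(f, f, base_pairs(domain), sensitive(k))


def sub_prod(dom1: List[Pair], cod1: CodomainPred,
             dom2: List[Pair], cod2: CodomainPred, outputs=GRID) -> bool:
    """SUB-PROD premises on the finite model, for Pi(x::T1).U1 <= Pi(x::T2).U2:
    [[T2]] subset of [[T1]] (contravariant domain) and, for every x-pair of T2,
    [[U1]] subset of [[U2]] over the sampled output pairs."""
    dom_ok = set(dom2) <= set(dom1)
    cod_ok = all(cod2(x1, x2, r1, r2)
                 for (x1, x2) in dom2
                 for (r1, r2) in product(outputs, repeat=2)
                 if cod1(x1, x2, r1, r2))
    return dom_ok and cod_ok


# Constructed sample functions for the k-sensitivity type.
def scale3(x: float) -> float:      # 3-sensitive (Lipschitz constant exactly 3)
    return 3 * x + 1

def clip(x: float) -> float:        # 1-sensitive: clipping never stretches distances
    return max(-1.0, min(1.0, x))

def square(x: float) -> float:      # |x1^2 - x2^2| = |x1 - x2| * |x1 + x2|: 4-sensitive on [-2, 2], not globally
    return x * x


if __name__ == "__main__":
    for name, f, k in [("scale3", scale3, 3), ("scale3", scale3, 1),
                       ("clip", clip, 1), ("square", square, 4), ("square", square, 3)]:
        print(f"{name} in the {k}-sensitive type on the grid: {is_k_sensitive(f, k)}")
    same_input = refine(base_pairs(), lambda a, b: a == b)   # {x :: R | x_left = x_right}
    print("1-sensitive <= 3-sensitive:", sub_prod(base_pairs(), sensitive(1), base_pairs(), sensitive(3)))
    print("Pi over R <= Pi over equal inputs:", sub_prod(base_pairs(), sensitive(1), same_input, sensitive(1)))
```

The `square` case is the one worth noticing: it passes as 4-sensitive on the grid and fails as 3-sensitive, but it is not $k$-sensitive for any $k$ over all of $\mathbb{R}$, which is exactly why a sampled check is no substitute for the typing derivation. The two `sub_prod` calls show both halves of SUB-PROD: a tighter bound on the codomain is a subtype, and shrinking the domain (here to the pairs with $x_\triangleleft = x_\triangleright$) makes the $\Pi$-type larger, not smaller.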
The System: Typing

The typing judgment relates two programs to a type:
$G \vdash e_1 \sim e_2 :: T$

Soundness
$G \vdash e_1 \sim e_2 :: T \;\Rightarrow\; \forall G \vdash \theta.\ (\llbracket e_1 \rrbracket_\theta, \llbracket e_2 \rrbracket_\theta) \in \llbracket T \rrbracket_\theta$

Synchronicity
In most cases programs are synchronous, so we use:
$G \vdash e :: T \;\equiv\; G \vdash e_\triangleleft \sim e_\triangleright :: T$
with $e_\triangleleft, e_\triangleright$ projecting the variables in $e$.
Base Typing Rules

$$\text{VAR}\quad \frac{x :: T \in \mathrm{dom}(G)}{G \vdash x :: T}
\qquad
\text{ABS}\quad \frac{G, x :: T \vdash e :: U}{G \vdash \lambda x.\,e :: \Pi(x :: T).\,U}$$

$$\text{APP}\quad \frac{G \vdash e_f :: \Pi(x :: T).\,U \qquad G \vdash e_a :: T}{G \vdash e_f\ e_a :: U\{x \mapsto e_a\}}$$

$$\text{CASE}\quad \frac{
\begin{array}{c}
G \vdash e :: L[\hat\tau] \qquad \forall \theta.\ \theta \vdash G \Rightarrow \mathsf{skeleton}(e_\triangleleft, e_\triangleright) \\
G, \{e_\triangleleft = e_\triangleright = \epsilon\} \vdash e_1 :: T \\
G, x :: \hat\tau, y :: L[\hat\tau], \{e_\triangleleft = x_\triangleleft :: y_\triangleleft \wedge e_\triangleright = x_\triangleright :: y_\triangleright\} \vdash e_2 :: T
\end{array}
}{G \vdash \mathsf{case}\ e\ \mathsf{with}\ [\epsilon \Rightarrow e_1 \mid x :: y \Rightarrow e_2] :: T}$$
Typing Rules for Recursion

To ensure consistency at higher types, we must embed non-terminating computations in the partiality monad:

$$\text{LETREC-SN}\quad \frac{G, f :: \Pi(x :: T).\,U \vdash \lambda x.\,e :: \Pi(x :: T).\,U \qquad G \vdash \Pi(x :: T).\,U\ \ \text{SN-guard}}{G \vdash \mathsf{letrec}^{\downarrow} f\ x = e :: \Pi(x :: T).\,U}$$

$$\text{LETREC}\quad \frac{G \vdash \Pi(x :: T).\,C[U] \qquad G, f :: \Pi(x :: T).\,C[U] \vdash \lambda x.\,e :: \Pi(x :: T).\,C[U]}{G \vdash \mathsf{letrec}\ f\ x = e :: \Pi(x :: T).\,C[U]}$$