Synthesizing coupling proofs of differential privacy

Differential privacy has emerged as a promising probabilistic formulation of privacy, generating intense interest within academia and industry. We present a push-button, automated technique for verifying ε-differential privacy of sophisticated randomized algorithms. We make several conceptual, algorithmic, and practical contributions: (i) Inspired by the recent advances on approximate couplings and randomness alignment, we present a new proof technique called coupling strategies, which casts differential privacy proofs as a winning strategy in a game where we have finite privacy resources to expend. (ii) To discover a winning strategy, we present a constraint-based formulation of the problem as a set of Horn modulo couplings (HMC) constraints, a novel combination of first-order Horn clauses and probabilistic constraints. (iii) We present a technique for solving HMC constraints by transforming probabilistic constraints into logical constraints with uninterpreted functions. (iv) Finally, we implement our technique in the FairSquare verifier and provide the first automated privacy proofs for a number of challenging algorithms from the differential privacy literature, including Report Noisy Max, the Exponential Mechanism, and the Sparse Vector Mechanism.
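The budget game of contribution (i), as an added example that is not the paper's code: Report Noisy Max with Laplace noise on constructed neighbouring score vectors, where the coupling strategy shifts run 2's noise only at run 1's winning coordinate and every shift at a Lap(b) sampling site spends |shift|/b of ε. The scale 2/ε, the shift of 2, the per-coordinate adjacency and the sampling-based refutation are this example's assumptions, not details taken from the abstract.

```python
from fractions import Fraction
import random

def report_noisy_max(scores, noise):
    """Index of the largest score + noise (ties go to the lowest index)."""
    noisy = [s + n for s, n in zip(scores, noise)]
    return max(range(len(noisy)), key=lambda i: (noisy[i], -i))

def adjacent(q1, q2):
    """Neighbours: every coordinate moves by at most 1, in either direction
    (assumption of this example; monotone queries are not assumed)."""
    return len(q1) == len(q2) and all(abs(a - b) <= 1 for a, b in zip(q1, q2))

def shift_winner_strategy(q1, q2, winner, shift):
    """Strategy: leave every noise draw alone except at run 1's winning
    coordinate, whose Laplace draw is shifted by `shift` in run 2."""
    return [shift if i == winner else 0 for i in range(len(q1))]

def play(q1, q2, noise1, scale, shift):
    """One round for a fixed run-1 noise vector. Returns (won, cost): won iff
    run 2 with the shifted noise reproduces run 1's output; cost is the
    budget spent, |shift| / scale per shifted Lap(scale) sampling site."""
    assert adjacent(q1, q2), "inputs must be neighbours"
    winner = report_noisy_max(q1, noise1)
    shifts = shift_winner_strategy(q1, q2, winner, shift)
    noise2 = [n + k for n, k in zip(noise1, shifts)]
    cost = sum(Fraction(abs(k)) / Fraction(scale) for k in shifts)
    return report_noisy_max(q2, noise2) == winner, cost

def find_losing_draw(q1, q2, scale, shift, rounds=2000, seed=0):
    """Search for a run-1 noise vector on which the strategy loses. The paper's
    solver reasons about all draws symbolically; this sampler only refutes.
    Draws are exact Fractions, so a loss is never a rounding artefact."""
    rng = random.Random(seed)
    for _ in range(rounds):
        noise1 = [Fraction(rng.uniform(-8.0, 8.0)) for _ in q1]
        if not play(q1, q2, noise1, scale, shift)[0]:
            return noise1
    return None

if __name__ == "__main__":
    EPS = Fraction(1)
    Q1, Q2 = [5, 4], [4, 5]  # constructed neighbouring score vectors
    # Lap(2/eps) with shift 2 at the winner spends exactly eps and never loses.
    print(play(Q1, Q2, [Fraction(0), Fraction(1, 2)], 2 / EPS, 2))
    print(find_losing_draw(Q1, Q2, 2 / EPS, 2))
    # Lap(1/eps) with shift 1 also spends eps, but the game can be lost.
    print(find_losing_draw(Q1, Q2, 1 / EPS, 1))
```

The losing draw found for the cheaper strategy is the kind of counterexample a solver for the HMC constraints would return; the winning strategy's total spend of ε is the certificate.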
