Probabilistic Couplings for Probabilistic Reasoning

This thesis explores proofs by coupling from the perspective of formal verification. Long employed in probability theory and theoretical computer science, these proofs construct couplings between the output distributions of two probabilistic processes; a coupling is a joint distribution whose two marginals are the two output distributions, and its properties imply guarantees comparing two runs of a probabilistic computation. We first show that proofs in the probabilistic relational Hoare logic pRHL describe couplings, and we formalize couplings that establish various probabilistic properties, including distribution equivalence, convergence, and stochastic domination. Then we give a proofs-as-programs interpretation: a coupling proof encodes a probabilistic product program, whose properties imply relational properties of the original programs. We design the logic ×pRHL to construct the product, with extensions to model shift coupling and path coupling. We then propose an approximate version of probabilistic coupling and a corresponding proof technique, proof by approximate coupling, inspired by the logic apRHL, a version of pRHL for building approximate liftings. Drawing on ideas from existing privacy proofs, we extend apRHL with novel proof rules for constructing new approximate couplings. We give an approximate coupling proof of privacy for the Sparse Vector mechanism, a well-known algorithm from the privacy literature whose privacy proof is notoriously subtle, and produce the first formalized proof of privacy for Sparse Vector in apRHL. Finally, we propose several more sophisticated constructions for approximate couplings: a principle for showing accuracy-dependent privacy, a generalization of the advanced composition theorem, and an optimal approximate coupling relating two subsets. We also show equivalences between our approximate couplings and other existing definitions. These ingredients support the first formalized proof of privacy for the Between Thresholds mechanism.
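The abstract's central object, a coupling of two output distributions, is easy to see concretely on finite distributions. The following is an added worked example, not code from the thesis or from any of the logics it describes: it builds two couplings of a fair die and a loaded die (a constructed sample input), checks the defining marginal property, and shows the coupling inequality Pr[X ≠ Y] ≥ TV(μ, ν) with equality for the "maximal diagonal" coupling, which is the exact-coupling analogue of the distribution-equivalence and convergence guarantees the abstract mentions. Exact arithmetic via fractions avoids floating-point noise in the checks.

```python
"""Exact couplings of finite distributions and the coupling inequality.

Added example (not part of the original thesis). A distribution is a dict
mapping outcomes to probabilities; a coupling is a dict over pairs (x, y)
whose left marginal is mu and whose right marginal is nu.
"""
from fractions import Fraction
from itertools import product
from typing import Dict, Hashable, Tuple

Dist = Dict[Hashable, Fraction]
Coupling = Dict[Tuple[Hashable, Hashable], Fraction]


def total_variation(mu: Dist, nu: Dist) -> Fraction:
    """TV distance: half the L1 distance between the two mass functions."""
    support = set(mu) | set(nu)
    return sum(abs(mu.get(x, Fraction(0)) - nu.get(x, Fraction(0))) for x in support) / 2


def marginals(c: Coupling) -> Tuple[Dist, Dist]:
    """Project a joint distribution over pairs onto its two coordinates."""
    left: Dist = {}
    right: Dist = {}
    for (x, y), p in c.items():
        left[x] = left.get(x, Fraction(0)) + p
        right[y] = right.get(y, Fraction(0)) + p
    return left, right


def is_coupling(c: Coupling, mu: Dist, nu: Dist) -> bool:
    """The defining property: the projections of c are exactly mu and nu."""
    left, right = marginals(c)
    return (left == {k: v for k, v in mu.items() if v}
            and right == {k: v for k, v in nu.items() if v})


def prob_differ(c: Coupling) -> Fraction:
    """Pr[X != Y] under the coupling; bounds TV(mu, nu) from above."""
    return sum(p for (x, y), p in c.items() if x != y)


def independent_coupling(mu: Dist, nu: Dist) -> Coupling:
    """The trivial coupling: sample the two runs independently."""
    return {(x, y): p * q for (x, p), (y, q) in product(mu.items(), nu.items()) if p * q}


def optimal_coupling(mu: Dist, nu: Dist) -> Coupling:
    """Put as much mass as possible on the diagonal (X == Y), then pair the
    leftover mass of mu with the leftover mass of nu. This achieves
    Pr[X != Y] == TV(mu, nu), so the coupling inequality is tight."""
    c: Coupling = {}
    for x in set(mu) | set(nu):
        m = min(mu.get(x, Fraction(0)), nu.get(x, Fraction(0)))
        if m:
            c[(x, x)] = m
    # Mass each side still has to place; both totals equal TV(mu, nu).
    rem_mu = [(x, p - nu.get(x, Fraction(0))) for x, p in mu.items() if p > nu.get(x, Fraction(0))]
    rem_nu = [(y, q - mu.get(y, Fraction(0))) for y, q in nu.items() if q > mu.get(y, Fraction(0))]
    i = j = 0
    while i < len(rem_mu) and j < len(rem_nu):
        x, p = rem_mu[i]
        y, q = rem_nu[j]
        m = min(p, q)
        c[(x, y)] = c.get((x, y), Fraction(0)) + m
        rem_mu[i] = (x, p - m)
        rem_nu[j] = (y, q - m)
        if rem_mu[i][1] == 0:
            i += 1
        if rem_nu[j][1] == 0:
            j += 1
    return c


# Constructed sample input: a fair die and a die loaded towards 5 and 6.
FAIR: Dist = {i: Fraction(1, 6) for i in range(1, 7)}
LOADED: Dist = {1: Fraction(1, 12), 2: Fraction(1, 12), 3: Fraction(1, 6),
                4: Fraction(1, 6), 5: Fraction(1, 4), 6: Fraction(1, 4)}


def demo() -> Dict[str, Fraction]:
    """Compare the bound each coupling gives on TV(FAIR, LOADED)."""
    ind, opt = independent_coupling(FAIR, LOADED), optimal_coupling(FAIR, LOADED)
    assert is_coupling(ind, FAIR, LOADED) and is_coupling(opt, FAIR, LOADED)
    tv = total_variation(FAIR, LOADED)
    # Coupling inequality: every coupling's Pr[X != Y] dominates TV.
    assert prob_differ(ind) >= tv and prob_differ(opt) >= tv
    return {"tv": tv, "independent": prob_differ(ind), "optimal": prob_differ(opt)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the three quantities: the independent coupling only certifies Pr[X ≠ Y] = 5/6, while the diagonal-maximizing coupling certifies exactly TV = 1/6. This is the shape of argument a pRHL coupling proof automates: pick a joint sampling of the two runs, check the marginal condition once per sampling instruction, and read the relational guarantee off the coupled event.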
