An Assertion-Based Program Logic for Probabilistic Programs Gilles - PowerPoint PPT Presentation

An Assertion-Based Program Logic for Probabilistic Programs Gilles Barthe, Thomas Espitau, Marco Gaboardi, Benjamin Grégoire, Justin Hsu, and Pierre-Yves Strub 1

Randomized algorithms are everywhere! 2

Complex programs 3

Complex proofs 4

A simple randomized algorithm and property Noisy sum sum ← 0; for i = 1 , . . . , n do toss ← flip ( p ); $ sum ← sum + toss ; return ( sum ) 5

A simple randomized algorithm and property Noisy sum To show: sum not too small sum ← 0; Pr[ sum ≤ n · p − 4 √ n · p ] for i = 1 , . . . , n do toss ← flip ( p ); is at most 0 . 0005 $ sum ← sum + toss ; return ( sum ) 5

A simple randomized algorithm and property Noisy sum To show: sum not too small sum ← 0; Pr[ sum ≤ n · p − 4 √ n · p ] for i = 1 , . . . , n do toss ← flip ( p ); is at most 0 . 0005 $ sum ← sum + toss ; return ( sum ) Proof of correctness, on paper? 1. sum is sum of n independent p -biased coins. 2. Apply standard concentration bound, done. 5

Deductive verification? Not so easy. Expectation-based approaches ◮ Rules manipulate single expected value/probability ◮ Can’t directly express properties like independence ◮ Kozen’s PPDL (1985); Morgan, McIver, Seidel’s pGCL (1996) 6

Deductive verification? Not so easy. Expectation-based approaches ◮ Rules manipulate single expected value/probability ◮ Can’t directly express properties like independence ◮ Kozen’s PPDL (1985); Morgan, McIver, Seidel’s pGCL (1996) Program logic (assertion-based) approaches ◮ Use general boolean assertions on distributions ◮ Complex loop rules, more limited programming languages ◮ Chadha et al. (2007); Rand and Zdancewic (2015) 6

Overall goal: Narrow this gap Work with higher-level properties as much as possible ◮ Minimize reasoning about single probabilities Avoid reasoning at level of program semantics ◮ Side-conditions should be easy to check Incorporate proof methods from paper proofs ◮ Structure the proof, abstract away unimportant details 7

More concretely: Our contributions • A new program logic for probabilistic programs • Embeddings of several specialized proof techniques • Implementation and formalized examples 8

The E llora Framework: A Lightning Tour 9

The core: A program logic for probabilistic programs The pWhile imperative language c ::= x ← e | x ← d | c ; c | if e then c else c | while e do c $ 10

The core: A program logic for probabilistic programs The pWhile imperative language c ::= x ← e | x ← d | c ; c | if e then c else c | while e do c $ Sample from primitive distributions ◮ Biased coin flips, uniform distribution, ... ◮ Geometric distribution, Laplace distribution, ... 10

The core: A program logic for probabilistic programs The pWhile imperative language c ::= x ← e | x ← d | c ; c | if e then c else c | while e do c $ Sample from primitive distributions ◮ Biased coin flips, uniform distribution, ... ◮ Geometric distribution, Laplace distribution, ... Commands transform (sub-)distributions over memories ◮ Distribution over inputs �→ Distribution over outputs 10

Assertion language: two layers State assertions: model memories e = e ′ | e < e ′ | . . . φ, ψ ::= 11

Assertion language: two layers State assertions: model memories e = e ′ | e < e ′ | . . . φ, ψ ::= Distribution assertions: model distributions Φ , Ψ ::= E [ e ] = E [ e ′ ] | E [ e ] < E [ e ′ ] | . . . 11

Assertion language: two layers State assertions: model memories e = e ′ | e < e ′ | . . . φ, ψ ::= Distribution assertions: model distributions Φ , Ψ ::= E [ e ] = E [ e ′ ] | E [ e ] < E [ e ′ ] | . . . Examples: defined notation P [ φ ] � E [1 φ ] � φ � P [ φ ] = 1 11

Proof system Typical program logic judgment { Φ } c { Ψ } 12

Proof system Typical program logic judgment { Φ } c { Ψ } System rules 12

How to reason about loops? Well-known pitfall: naive rule unsound! ◮ Always have: { P [ ⊤ ] = 1 } skip { P [ ⊤ ] = 1 } ◮ But not: { P [ ⊤ ] = 1 } while true do skip { P [ ⊤ ] = 1 } 13

How to reason about loops? Well-known pitfall: naive rule unsound! ◮ Always have: { P [ ⊤ ] = 1 } skip { P [ ⊤ ] = 1 } ◮ But not: { P [ ⊤ ] = 1 } while true do skip { P [ ⊤ ] = 1 } Tradeoff Generality of invariants/allowed termination behavior 13

Our solution: A family of loop rules { Φ ∧ � b } c { Φ } { Φ } while b do c { Φ ∧ � ¬ b } 14

Our solution: A family of loop rules { Φ ∧ � b } c { Φ } { Φ } while b do c { Φ ∧ � ¬ b } Loop: Bounded number of iterations (“for-loops”) ◮ Invariant Φ : arbitrary predicate 14

Our solution: A family of loop rules { Φ ∧ � b } c { Φ } { Φ } while b do c { Φ ∧ � ¬ b } Loop: Bounded number of iterations (“for-loops”) ◮ Invariant Φ : arbitrary predicate Loop: Terminates with probability 1 ◮ Invariant Φ : “topologically closed” (e.g., P [ φ ] = 1 / 2 ) 14

Our solution: A family of loop rules { Φ ∧ � b } c { Φ } { Φ } while b do c { Φ ∧ � ¬ b } Loop: Bounded number of iterations (“for-loops”) ◮ Invariant Φ : arbitrary predicate Loop: Terminates with probability 1 ◮ Invariant Φ : “topologically closed” (e.g., P [ φ ] = 1 / 2 ) Loop: Arbitrary termination ◮ Invariant Φ : “downwards closed” (e.g., P [ φ ] < 1 / 2 ) 14

Adding to the Toolbox: Specialized Proof Techniques 15

Two common properties in paper proofs Probabilistic independence ◮ In our assertions: e # e ′ � ∀ a, b. P [ e = a ∧ e ′ = b ] = P [ e = a ] · P [ e ′ = b ] 16

Two common properties in paper proofs Probabilistic independence ◮ In our assertions: e # e ′ � ∀ a, b. P [ e = a ∧ e ′ = b ] = P [ e = a ] · P [ e ′ = b ] Distribution laws ◮ In our assertions: e ∼ Unif ( A ) � ∀ a ∈ A. P [ e = a ] = 1 / | A | 16

Reasoning about independence and distribution laws Useful facts about independence ( e 1 , e 2 ) # e 3 = ⇒ ( e 1 # e 3 ) ∧ ( e 2 # e 3 ) Combining independence and uniformity e ∼ Unif ( A ) ∧ e ′ ∼ Unif ( A ′ ) ∧ ( e # e ′ ) = ⇒ ( e, e ′ ) ∼ Unif ( A × A ′ ) Incorporating this reasoning in E llora Build a program logic IL around these assertions, soundness by embedding into core program logic. 17

Other tools available in E llora Prior work: union bound logic [ICALP 2016] ◮ Designed for proving proeprties of the form P [ φ ] < β Precondition calculus ◮ Similar to Morgan and McIver’s weakest pre-expectations ◮ Defined on syntax of assertions 18

Implementation and Formalized Examples 19

Implementation Part of the E asyCrypt system ◮ Tactic-based proofs, SMT support Formalization of basic discrete probability theory ◮ Definitions: independence, basic distributions, ... ◮ Theorems: Markov inequality, Chernoff bound, ... 20

Examples: Nine verified algorithms Name Lines of Code Lines of Proof 100 1140 hypercube 27 184 coupon 30 61 vertex-cover 30 231 pairwise-indep 22 80 private-sums 22 32 poly-id-test 16 42 random-walk 10 64 dice-sampling 20 75 matrix-prod-test 21

Examples: Nine verified algorithms Name Lines of Code Lines of Proof 100 1140 hypercube 27 184 coupon 30 61 vertex-cover 30 231 pairwise-indep 22 80 private-sums 22 32 poly-id-test 16 42 random-walk 10 64 dice-sampling 20 75 matrix-prod-test 21

A classic example: Valiant’s hypercube routing Hypergraph network ◮ Nodes: { 0 , 1 } d ◮ Given: permutation π ◮ Edge capacity 1 ◮ Goal: route i to π ( i ) 22

A classic example: Valiant’s hypercube routing Routing 111 to 100 ( d = 3) Hypergraph network ◮ Nodes: { 0 , 1 } d ◮ Given: permutation π 011 111 ◮ Edge capacity 1 001 101 ◮ Goal: route i to π ( i ) 010 110 000 100 22

A classic example: Valiant’s hypercube routing Routing 111 to 100 ( d = 3) Hypergraph network ◮ Nodes: { 0 , 1 } d ◮ Given: permutation π 011 111 ◮ Edge capacity 1 001 101 ◮ Goal: route i to π ( i ) Valiant’s routing plan 010 110 ◮ Uniformly random ρ ( i ) 000 100 ◮ Route: i �→ ρ ( i ) �→ π ( i ) 22

A classic example: Valiant’s hypercube routing Routing 111 to 100 ( d = 3) Hypergraph network ◮ Nodes: { 0 , 1 } d ◮ Given: permutation π 011 111 ◮ Edge capacity 1 001 101 ◮ Goal: route i to π ( i ) Valiant’s routing plan 010 110 ◮ Uniformly random ρ ( i ) 000 100 ◮ Route: i �→ ρ ( i ) �→ π ( i ) Show: with high probability, routes all 2 d packets in O ( d ) steps 22

Future Directions and Open Design Questions 23

The story so far Ellora 24

The story so far Union WP IL Bound Ellora 24

Next steps? Union WP IL Bound Ellora EasyCrypt 25

Next steps? Union WP IL ??? ??? Bound Ellora EasyCrypt 25

Next steps? Union WP IL ??? ??? Bound Ellora EasyCrypt 25

Open design questions How to structure the assertion language? ◮ Need help managing large assertions and invariants 26