Formal Methods for Probabilistic Systems Annabelle McIver Carroll - - PowerPoint PPT Presentation

formal methods for probabilistic systems
SMART_READER_LITE
LIVE PREVIEW

Formal Methods for Probabilistic Systems Annabelle McIver Carroll - - PowerPoint PPT Presentation

Apr 06, 2024 417 likes •734 views

1 Formal Methods for Probabilistic Systems Annabelle McIver Carroll Morgan Source-level program logic Meta-theorems for loops Examples Probabilistic amplification Uniform selection 2 Probabilistic amplification Is K

slide-1
SLIDE 1

1

Annabelle McIver Carroll Morgan

  • Source-level program logic
  • Meta-theorems for loops
  • Examples
  • Probabilistic amplification
  • Uniform selection

Formal Methods for Probabilistic Systems

slide-2
SLIDE 2

2

There is a Boolean question Q that the program is to answer, in Boolean variable a. But a:= Q is not allowed! Instead, only a:= Q 1/ 2 true can be used. We must therefore “amplify” that 1/ 2 probability towards 1, for which we pay with execution time.

Probabilistic amplification

{ [N 0] (1 - 1/ 2N ) } a,n:= true,N; do n 0 a a:= Q 1/ 2 true; n:= n-1

  • d

{ [a = Q] }

Is K prime? true “yes” false “no” The Miller-Rabin test “puts K to the Question”. If K is prime, it will never confess; but if it is composite, then it will confess with probability 1/ 2. Probabilistic amplification interrogates K a number of times, to increase the probability of confession. (The real Inquisition allowed only three interrogations.)

On e con f ession is en ough... a

slide-3
SLIDE 3

3

Probabilistic amplification

{ [N 0] (1 - 1/ 2N ) } a,n:= true,N; do n 0 a a:= Q 1/ 2 true; n:= n-1

  • d

{ [a = Q] } The probability that a = Q on termination... is at least 1 - 1/ 2N ... provided N 0 initially.

slide-4
SLIDE 4

4

What is the invariant?

do n 0 a a:= Q 1/ 2 true; n:= n-1

  • d

{ [a = Q] } After some experimentation, [a] Q 1 - [a]/ 2n turns out to work well in the calculations. a = Q finally? Q not Q a true 1 - 1/ 2n not a false true

slide-5
SLIDE 5

5

Invariant is preserved

  • [a] Q 1 - [a]/ 2n-1

wp.( n:= n-1 )

  • 1/ 2 ( [Q] Q 1 - [Q]/ 2n-1 )

wp.( a:= Q 1/ 2 true )

+ 1/ 2 ( [true] Q 1 - [true]/ 2n-1 )

  • [a] Q 1 - [a]/ 2n
  • 1/ 2 1 + 1/ 2 ( 1 Q 1 - 1/ 2n-1 )

arithmetic

  • 1 Q 1 - 1/ 2n

arithmetic

  • [a] ( [a] Q 1 - [a]/ 2n ) .

[a] from guard Invariant “at end of loop body” Invariant “at beginning of loop body” Loop guard

do n 0 a a:= Q 1/ 2 true; n:= n-1

  • d
slide-6
SLIDE 6

6

[n=0 ! a] ( [a] Q 1 - [a]/ 2n )

Invariant “at end of loop body”

Invariant establishes overall post-expectation

  • [n=0 ! a] ( [a] Q [! a] )

arithmetic Negated loop guard

  • [a] Q [! a]

drop guard

  • [a=Q] .

arithmetic Overall post-expectation

do n 0 a a:= Q 1/ 2 true; n:= n-1

  • d
slide-7
SLIDE 7

7

  • [N 0] (1 - 1/ 2N ) .

sufficient

[n 0] ( [a] Q 1 - [a]/ 2n )

Invariant “at beginning of loop body”

Invariant... established by initialisation

Termination condition Probability of establishing Q=a is at least this...

  • [N 0] ( [true] Q 1 - [true]/ 2N )

wp.( a,n:=true,N )

  • [N 0] ( 1 Q 1 - 1/ 2N )

arithmetic ...provided termination is guaranteed.

a,n:=true,N; do n 0 a a:= Q 1/ 2 true; n:= n-1

  • d
slide-8
SLIDE 8

8

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

“postcondition”

slide-9
SLIDE 9

9

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

“postcondition” invariant

slide-10
SLIDE 10

10

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

invariant and negated guard

slide-11
SLIDE 11

11

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

implies postcondition

slide-12
SLIDE 12

12

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

invariant must be maintained

slide-13
SLIDE 13

13

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

work backwards

slide-14
SLIDE 14

14

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [Q] Q 1 - [Q]/ 2n-1 1/ 2 a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

[true] Q 1 - [tru

work backwards

slide-15
SLIDE 15

15

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [Q] Q 1 - [Q]/ 2n-1 1/ 2 } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

[true] Q 1 - [true]/ 2n-1

work backwards

slide-16
SLIDE 16

16

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [Q] Q 1 - [Q]/ 2n-1

1/ 2 }

a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

[true] Q 1 - [true]/ 2n-1

should be implied by invariant and guard

slide-17
SLIDE 17

17

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { 1 Q 1 - 0/ 2n-1

1/ 2 1 Q 1 - 1/ 2n-1 }

a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

simplify

slide-18
SLIDE 18

18

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { 1 Q (1 1/ 2 1 - 1/ 2n-1) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

simplify more

slide-19
SLIDE 19

19

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { 1 Q 1 - 1/ 2n } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

and more

slide-20
SLIDE 20

20

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

strengthen and “massage”

1 Q 1 - 1/ 2n

slide-21
SLIDE 21

21

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

is now of the form “guard and invariant”

slide-22
SLIDE 22

22

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

pre-expectation is invariant and termination condition

slide-23
SLIDE 23

23

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

backwards through initialisation

slide-24
SLIDE 24

24

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

weaken, for simplicity

slide-25
SLIDE 25

25

{

{ [N 0] (1 - 1/ 2N ) } { [N 0] ( 1 Q 1 - 1/ 2N ) } a,n:= true,N; { [n 0] ( [a] Q 1 - [a]/ 2n ) } do n 0 a { [a] ( [a] Q 1 - [a]/ 2n ) } a:= Q 1/ 2 true; { [a] Q 1 - [a]/ 2n-1 } n:= n-1 { [a] Q 1 - [a]/ 2n }

  • d

{ [n=0 ! a] ([a] Q 1 - [a]/ 2n) } { [a = Q] }

Summary

  • verall

specification

slide-26
SLIDE 26

26

{ [N 0] (1 - 1/ 2N ) } a,n:= true,N; do n 0 a a:= Q 1/ 2 true; n:= n-1

  • d

{ [a = Q] }

Summary

The probability that question Q is correctly answered by answer a is at least 1 - 1/ 2N, provided N is non-negative. The error probability is at most 1/ 2N.

slide-27
SLIDE 27

27

{ [0 K < N ]/ N } l,h:= 0,N; do l h-1 m:{l < m < h}; | l:= m @ (h-m )/ (h-l ) | h:=m @ (m-l )/ (h-l )

  • d

{ [l = K ] }

Uniform selection

Given a positive integer N, choose uniformly an integer l such that 0 l < N.

Demonic choice of m. “Expanded” syntax for probabilistic choice.

Uses expected 2lg N unbiased bits if the demonic choice is implemented as a binary chop m:= (h-l )÷2 .

slide-28
SLIDE 28

28

What is the invariant?

A pretty clear guess is [l K < h ]/ (h-l ). { [0 K < N ]/ N } l,h:= 0,N; do l h-1 m:{l < m < h}; | l:= m @ (h-m )/ (h-l ) | h:=m @ (m-l )/ (h-l )

  • d

{ [l = K ] }

  • (h-m)/ (h-l ) [m K < h ]/ (h-m )

wp.( ••• | @ ••• )

+ (m-l )/ (h-l ) [l K < m ]/ (m-l ) [l K < h ]/ (h-l )

  • [l K < h ] / (h-l ) .

wp.( m:{l < m < h} ) and standard invariant l < h

The invariant is preserved

m:{l < m < h}; | l:= m @ (h-m)/ (h-l ) | h:=m @ (m-l )/ (h-l )

  • ( [l K < m ] + [m K < h ] ) / (h-l )

arithmetic

  • [l < m < h] [l K < h ] / (h-l )

arithmetic

slide-29
SLIDE 29

29

  • (h-m)/ (h-l ) [m K < h ]/ (h-m )

wp.( ••• | @ ••• )

+ (m-l )/ (h-l ) [l K < m ]/ (m-l ) [l K < h ]/ (h-l )

  • [l K < h ] / (h-l ) .

wp.( m:{l < m < h} ) and standard invariant l < h

The invariant is preserved

m:{l < m < h}; | l:= m @ (h-m)/ (h-l ) | h:=m @ (m-l )/ (h-l )

  • ( [l K < m ] + [m K < h ] ) / (h-l )

arithmetic

  • [l < m < h] [l K < h ] / (h-l )

arithmetic

slide-30
SLIDE 30

30

l,h:= 0,N; do l h-1 m:{l < m < h}; | l:= m @ (h-m )/ (h-l ) | h:=m @ (m-l )/ (h-l )

  • d

Summary

{ [0 K < N ] / N } { [l K < h ] / (h-l ) } { [ l h-1 l K < h ] / (h-l ) } { [l < m < h] [l K < h ] / (h-l ) } { [l K < h ] / (h-l ) } { [l = h-1 l K < h ] / (h-l ) } { [l = K] }

slide-31
SLIDE 31

31

{

{ [0 K < N ] / N } l,h:= 0,N; { [l K < h ] / (h-l ) } do l h-1 { [ l h-1 l K < h ] / (h-l ) } m:{l < m < h}; { [l < m < h] [l K < h ] / (h-l ) } | l:= m @ (h-m )/ (h-l ) | h:=m @ (m-l )/ (h-l ) { [l K < h ] / (h-l ) }

  • d

{ [l = h-1 l K < h ] / (h-l ) } { [l = K] }

Summary

  • verall

specification