Higher-Order Relational Refinement Types for Mechanism Design and - - PowerPoint PPT Presentation

Higher-Order Relational Refinement Types for Mechanism Design and Differential Privacy

Gilles Barthe1, Marco Gaboardi2, Emilio Jesús Gallego Arias3,4, Justin Hsu4, Aaron Roth4, Pierre-Yves Strub1

1IMDEA Software, 2University of Dundee, 3CRI Mines–ParisTech, 4University of Pennsylvania

January 15th, 2015

The Application

Mechanism Design

A story One painting for sale

A story One painting for sale How much will you pay?

A story One painting for sale How much will you pay?

$10 million! $50 million! $3

A story One painting for sale How much will you pay?

$10 million! $50 million! $3

Who wins, and for how much?

A story

Top bid pays top price?

• Simple rule
• Can encourage

manipulation...

How much will you pay?

$10 million! $50 million! $3

A story

Top bid pays top price?

• Simple rule
• Can encourage

manipulation...

How much will you pay?

$10 million! $50 million! $10.1 million? $3

What is Mechanism Design?

Algorithm design with strategic inputs

What is Mechanism Design?

Algorithm design with strategic inputs

Rational agents

• Report data
• Care about output
• May lie, strategize

What is Mechanism Design?

Algorithm design with strategic inputs

Rational agents

• Report data
• Care about output
• May lie, strategize

Goal: encourage “good” behavior

Truthfulness

Designing auctions

• Bidders each have personal value v : R for the item

Truthfulness

Designing auctions

• Bidders each have personal value v : R for the item
• Bidder’s happiness is function of price, v, whether they win

Truthfulness

Designing auctions

• Bidders each have personal value v : R for the item
• Bidder’s happiness is function of price, v, whether they win
• Bidder reports a bid b : R to the mechanism

Truthfulness

Designing auctions

• Bidders each have personal value v : R for the item
• Bidder’s happiness is function of price, v, whether they win
• Bidder reports a bid b : R to the mechanism

Property: agent always maximizes happiness with b “ v

A (very) simple auction

Fixed price auction

• Given a fixed price price
• Bidder bids bid, buys item if higher than price

A (very) simple auction

Fixed price auction

• Given a fixed price price
• Bidder bids bid, buys item if higher than price

What is the happiness function for a bidder?

fixedprice price value bid = if bid > price then value

• price

else

The verification strategy

Consider bidder’s happiness function. . .

• First run: bidder bids b “ v (honest)

The verification strategy

Consider bidder’s happiness function. . .

• First run: bidder bids b “ v (honest)
• Second run: bidder bids arbitrarily (maybe not honest)

The verification strategy

Consider bidder’s happiness function. . .

• First run: bidder bids b “ v (honest)
• Second run: bidder bids arbitrarily (maybe not honest)
• Verify: happiness in first run is higher than in second run

The verification strategy

Consider bidder’s happiness function. . .

• First run: bidder bids b “ v (honest)
• Second run: bidder bids arbitrarily (maybe not honest)
• Verify: happiness in first run is higher than in second run

The verification strategy

Consider bidder’s happiness function. . .

• First run: bidder bids b “ v (honest)
• Second run: bidder bids arbitrarily (maybe not honest)
• Verify: happiness in first run is higher than in second run

fixedprice p v v = if v > p then v - p else

ě

fixedprice p v b = if b > p then v - p else

The verification strategy

Consider bidder’s happiness function. . .

• First run: bidder bids b “ v (honest)
• Second run: bidder bids arbitrarily (maybe not honest)
• Verify: happiness in first run is higher than in second run

fixedprice p v v = if v > p then v - p else

ě

fixedprice p v b = if b > p then v - p else

This is a relational property

Introducing HOARe2

A type system with relational refinement types

Refinement types

Judgment

Γ $ e : tx : T | φpxq u

type predicate

Refinement types

Judgment

Γ $ e : tx : T | φpxq u

type predicate

Refinement types

Judgment

Γ $ e : tx : T | φpxq u

type predicate

Refinement types

Judgment

Γ $ e : tx : T | φpxq u

type predicate

“e is a program of type T such that φpeq holds”

Refinement types

Example

Γ $ 3 : tx : Z | x ě 0u

Refinement types

Example

Γ $ 3 : tx : Z | x ě 0u

“3 is a non-negative integer”

Relational Reasoning

Relational Judgment Γ $ e :: tx :: T | φp xŸ, xŹ qu

Relational Reasoning

Relational Judgment Γ $ e :: tx :: T | φp xŸ, xŹ qu

Relational Reasoning

Relational Judgment Γ $ e :: tx :: T | φp xŸ, xŹ qu

φ mentions two runs of program e via xŸ and xŹ

Relational Reasoning

Relational Judgment Γ $ e :: tx :: T | φp xŸ, xŹ qu

φ mentions two runs of program e via xŸ and xŹ Example

ty :: Z | yŸ ď yŹu $ e :: tx :: Z | xŸ ď xŹu

Relational Reasoning

Relational Judgment Γ $ e :: tx :: T | φp xŸ, xŹ qu

φ mentions two runs of program e via xŸ and xŹ Example

ty :: Z | yŸ ď yŹu $ e :: tx :: Z | xŸ ď xŹu

“If y increases, then e increases.”

Relational Reasoning

Relational Judgment Γ $ e :: tx :: T | φp xŸ, xŹ qu

φ mentions two runs of program e via xŸ and xŹ Example

ty :: Z | yŸ ď yŹu $ e :: tx :: Z | xŸ ď xŹu

“If y increases, then e increases.”

Background

• First used in the RF* language, POPL 2014

Typing truthfulness

Happiness function

fixedprice price value bid = if bid > price then value

• price

else

Typing truthfulness

Happiness function

fixedprice price value bid = if bid > price then value

• price

else

Truthfulness in a type

Typing truthfulness

Happiness function

fixedprice price value bid = if bid > price then value

• price

else

Truthfulness in a type

tp :: R | pŸ “ pŹu (Fixed price)

Typing truthfulness

Happiness function

fixedprice price value bid = if bid > price then value

• price

else

Truthfulness in a type

tp :: R | pŸ “ pŹu (Fixed price) Ñ tv :: R | vŸ “ vŹu (Bidder value fixed)

Typing truthfulness

Happiness function

fixedprice price value bid = if bid > price then value

• price

else

Truthfulness in a type

tp :: R | pŸ “ pŹu (Fixed price) Ñ tv :: R | vŸ “ vŹu (Bidder value fixed) Ñ tb :: R | bŸ “ vŸu (Bid “ value on Ÿ run)

Typing truthfulness

Happiness function

fixedprice price value bid = if bid > price then value

• price

else

Truthfulness in a type

tp :: R | pŸ “ pŹu (Fixed price) Ñ tv :: R | vŸ “ vŹu (Bidder value fixed) Ñ tb :: R | bŸ “ vŸu (Bid “ value on Ÿ run) Ñ tu :: R | uŸ ě uŹu (Truthful)

Adding in randomness

A more complex auction

• Unlimited supply of items (e.g., music files)
• Want to use fixedprice, but for what price?

Adding in randomness

A more complex auction

• Unlimited supply of items (e.g., music files)
• Want to use fixedprice, but for what price?

Randomize!

A more realistic example

• n average

Adding in randomness

A more complex auction

• Unlimited supply of items (e.g., music files)
• Want to use fixedprice, but for what price?

Randomize!

A more realistic example

g1 g2

• n average

Adding in randomness

A more complex auction

• Unlimited supply of items (e.g., music files)
• Want to use fixedprice, but for what price?

Randomize!

A more realistic example

g1 g2

• ptimal

price

• ptimal

price

• n average

Adding in randomness

A more complex auction

• Unlimited supply of items (e.g., music files)
• Want to use fixedprice, but for what price?

Randomize!

A more realistic example

g1 g2

• ptimal

price

• ptimal

price

p1 p2

• n average

Adding in randomness

A more complex auction

• Unlimited supply of items (e.g., music files)
• Want to use fixedprice, but for what price?

Randomize!

A more realistic example

g1 g2

• ptimal

price

• ptimal

price

p1 p2

Verify: happiness higher when bid is true value

• n average

Adding in randomness

A more complex auction

• Unlimited supply of items (e.g., music files)
• Want to use fixedprice, but for what price?

Randomize!

A more realistic example

g1 g2

• ptimal

price

• ptimal

price

p1 p2

Verify: happiness higher when bid is true value

• n average

One key ingredient

Monotonicity of expectation

• (One) Distribution µ over A

One key ingredient

Monotonicity of expectation

• (One) Distribution µ over A
• Two functions f1, f2 : A Ñ R with

f1 x ě f2 x for all x : A

One key ingredient

Monotonicity of expectation

• (One) Distribution µ over A
• Two functions f1, f2 : A Ñ R with

f1 x ě f2 x for all x : A

• Then, fact about expected values:

Eµrf1s ě Eµrf2s f1 bigger than f2 on average

One key ingredient

Monotonicity of expectation

• (One) Distribution µ over A
• Two functions f1, f2 : A Ñ R with

f1 x ě f2 x for all x : A

• Then, fact about expected values:

Eµrf1s ě Eµrf2s f1 bigger than f2 on average

Extending HOARe2

Distributions and Higher-order refinements

Relating Distributions

Probabilistic programs

• Reason about two runs of a probabilistic program
• Use type of probability distributions

Relating Distributions

Probabilistic programs

• Reason about two runs of a probabilistic program
• Use type of probability distributions

Typing distributions

Γ $ e :: M0,0rtx :: T | φpxŸ, xŹqus

Relating Distributions

Probabilistic programs

• Reason about two runs of a probabilistic program
• Use type of probability distributions

Typing distributions

Γ $ e :: M0,0rtx :: T | φpxŸ, xŹqus

“e is a distribution over T, with two runs related by φ ”

???

Relating Distributions

Probabilistic programs

• Reason about two runs of a probabilistic program
• Use type of probability distributions

Typing distributions

Γ $ e :: M0,0rtx :: T | φpxŸ, xŹqus

“e is a distribution over T, with two runs related by φ ”

???

Equivalence of Distributions

Γ $ e :: M0,0rtx :: T | φpxŸ, xŹqus

What does this mean?

• Convert relation φ to a relation φ# on distributions over T
• Two runs of e related by φ# (as distributions!)

Equivalence of Distributions

Example

Γ $ e :: M0,0rtx :: T | xŸ “ xŹ us

Equivalence of Distributions

Example

Γ $ e :: M0,0rtx :: T | xŸ “ xŹ us

Equivalence of Distributions

Example

Γ $ e :: M0,0rtx :: T | xŸ “ xŹ us

“e is a distribution over T that is identical in both runs”

Equivalence of Distributions

Example

Γ $ e :: M0,0rtx :: T | xŸ “ xŹ us

“e is a distribution over T that is identical in both runs” Background

• Proposed by Barthe, Köpf, Olmedo, Zanella
• Generalizing 0, 0 to ε, δ models differential privacy

Equivalence of Distributions

Example

Γ $ e :: M0,0rtx :: T | xŸ “ xŹ us

“e is a distribution over T that is identical in both runs” Background

• Proposed by Barthe, Köpf, Olmedo, Zanella
• Generalizing 0, 0 to ε, δ models differential privacy

Our contribution

• Simplify and build into a type system

Higher-Order Refinements

Refinements on functions

Γ $ e :: tf :: T Ñ U | φu

Higher-Order Refinements

Refinements on functions

Γ $ e :: tf :: T Ñ U | φu

“e is a function from T to U that satisfies φ”

Higher-Order Refinements

Refinements on functions

Γ $ e :: tf :: T Ñ U | φu

“e is a function from T to U that satisfies φ”

Our contribution

• Consistency by carefully handling termination

Higher-Order Refinements

Refinements on functions

Γ $ e :: tf :: T Ñ U | φu

“e is a function from T to U that satisfies φ”

Our contribution

• Consistency by carefully handling termination
• Show naïve treatment leads to inconsistency

Expressing monotonicity of expectations

Want to show

E µ f1 ě E µ f2

In HOARe2, type E as. . .

M0,0rtx :: A | xŸ “ xŹus (Same distributions)

Expressing monotonicity of expectations

Want to show

E µ f1 ě E µ f2

In HOARe2, type E as. . .

M0,0rtx :: A | xŸ “ xŹus (Same distributions) Ñ tf :: A Ñ R | @x. fŸ x ě fŹ xu (Higher-order)

Expressing monotonicity of expectations

Want to show

E µ f1 ě E µ f2

In HOARe2, type E as. . .

M0,0rtx :: A | xŸ “ xŹus (Same distributions) Ñ tf :: A Ñ R | @x. fŸ x ě fŹ xu (Higher-order) Ñ te :: R | eŸ ě eŹu (Monotonic)

Expressing monotonicity of expectations

Want to show

E µ f1 ě E µ f2

In HOARe2, type E as. . .

E :: M0,0rtx :: A | xŸ “ xŹus (Same distributions) Ñ tf :: A Ñ R | @x. fŸ x ě fŹ xu (Higher-order) Ñ te :: R | eŸ ě eŹu (Monotonic)

Much more in the paper

Semantics

• Soundness of the system
• Requires termination

Implementation

• Automated, low annotation burden
• Why3 and SMT solvers

Translation

• Embedding of DFuzz, a language for differential privacy

More complex examples

• Verify differential privacy
• Verify MD properties beyond truthfulness

Takeaway points

Wrapping up

Four features, one system

• HOARe2: relational properties for randomized programs
• Combine features in a clean, usable way

Wrapping up

Four features, one system

• HOARe2: relational properties for randomized programs
• Combine features in a clean, usable way

Formal verification for mechanism design!

• Exciting, under-explored area for verification
• Tons of interesting properties, mechanisms
• Strong motivation besides (mere) correctness

Higher-Order Relational Refinement Types for Mechanism Design and Differential Privacy

Gilles Barthe1, Marco Gaboardi2, Emilio Jesús Gallego Arias3,4, Justin Hsu4, Aaron Roth4, Pierre-Yves Strub1

1IMDEA Software, 2University of Dundee, 3CRI Mines–ParisTech, 4University of Pennsylvania

January 15th, 2015