Models for Probabilistic Programs with an Adversary Robert Rand, - PowerPoint PPT Presentation

Models for Probabilistic Programs with an Adversary Robert Rand, Steve Zdancewic University of Pennsylvania Probabilistic Programming Semantics 2016

Interactive Proofs 2/47

Interactive Proofs 2/47

Interactive Proofs 2/47

Interactive Proofs 2/47

Interactive Proofs 2/47

Interactive Proofs 2/47

Interactive Proofs 2/47

Interactive Proofs 2/47

Interactive Proofs 2/47

Graph Non-Isomorphism A 4 B E 5 3 C D 2 1 3/47

Graph Non-Isomorphism A 4 B E 5 3 C D 2 1 3/47

Graph Non-Isomorphism A 4 B E 5 3 C D 2 1 γ α ǫ δ β 3/47

Graph Non-Isomorphism A 4 B E 5 3 C D 2 1 γ α ǫ δ β 3/47

Arthur Merlin Games 4/47

Arthur Merlin Games 4/47

Arthur Merlin Games 4/47

Arthur Merlin Games 4/47

Arthur Merlin Games 4/47

Arthur Merlin Games 4/47

Why Should We Care? ◮ Mixing probability and nondeterminism is powerful. ◮ Private vs. public coins matter. 5/47

Let’s Start with a Deterministic Semantics... σ ( a ) = n skip / σ ⇓ σ x := a / σ ⇓ σ [ x �→ n ] c 2 / σ ′ ⇓ σ ′′ c 1 / σ ⇓ σ ′ c 1 ; c 2 / σ ⇓ σ ′′ c 1 / σ ⇓ σ ′ σ ( b ) = T if b then c 1 else c 2 / σ ⇓ σ ′ 6/47

F or Point Distributions Θ ::= [ σ ] | Θ ⊕ p Θ [ σ ]( a ) = n skip / [ σ ] ⇓ [ σ ] x := a / [ σ ] ⇓ [ σ [ x �→ n ]] c 2 / Θ ⇓ Θ ′ c 1 / [ σ ] ⇓ Θ c 1 ; c 2 / [ σ ] ⇓ Θ ′ σ ( b ) = T c 1 / [ σ ] ⇓ Θ if b then c 1 else c 2 / [ σ ] ⇓ Θ 7/47

T oss in Some Probability Θ ::= [ σ ] | Θ ⊕ p Θ c 1 / [ σ ] ⇓ Θ 1 c 2 / [ σ ] ⇓ Θ 2 ( c 1 ⊕ p c 2 ) / [ σ ] ⇓ Θ 1 ⊕ p Θ 2 8/47

T oss in Some Probability Θ ::= [ σ ] | Θ ⊕ p Θ c 1 / [ σ ] ⇓ Θ 1 c 2 / [ σ ] ⇓ Θ 2 ( c 1 ⊕ p c 2 ) / [ σ ] ⇓ Θ 1 ⊕ p Θ 2 ⊕ 1 / 3 ( x := 0 ⊕ 1 3 x := 1 ) [ σ ] σ [ x �→ 0 ] σ [ x �→ 1 ] 8/47

And Lift! c / Θ 1 ⇓ Θ ′ c / Θ 2 ⇓ Θ ′ 1 2 c / Θ 1 ⊕ p Θ 2 ⇓ Θ ′ 1 ⊕ p Θ ′ 2 9/47

And Lift! c / Θ 1 ⇓ Θ ′ c / Θ 2 ⇓ Θ ′ 1 2 c / Θ 1 ⊕ p Θ 2 ⇓ Θ ′ 1 ⊕ p Θ ′ 2 y := 5 ⊕ 1 / 3 ⊕ 1 / 3 σ 1 σ 2 σ 1 [ y �→ 5 ] σ 2 [ y �→ 5 ] 9/47

The Toss Command c 1 ⊕ 1 5 c 2 ⊕ 1 / 3 ⊕ 1 / 5 ⊕ 1 / 2 � c 1 � σ 1 � c 2 � σ 1 ⊕ 1 / 5 ⊕ 1 / 5 � c 1 � σ 2 � c 2 � σ 2 � c 1 � σ 3 � c 2 � σ 3 10/47

The Skip Command ⊕ 1 / 3 ⊕ 1 / 3 σ 1 ⊕ 1 / 2 σ 1 ⊕ 1 / 2 skip σ 2 σ 3 σ 2 σ 3 skip skip 11/47

More Direct ⊕ 1 / 3 ⊕ 1 / 3 skip σ 1 ⊕ 1 / 2 σ 1 ⊕ 1 / 2 σ 2 σ 3 σ 2 σ 3 12/47

Direct Semantics σ ( a ) = n skip / Θ ⇓ Θ x := a / Θ ⇓ Θ[ σ i ( x ) �→ n ] c 2 / Θ ′ ⇓ Θ ′′ c 1 / Θ ⇓ Θ ′ c 1 ; c 2 / Θ ⇓ Θ ′′ Pr b (Θ 1 ) = 1 c 1 / Θ 1 ⇓ Θ ′ c 2 / Θ 0 ⇓ Θ ′ Pr b (Θ 0 ) = 0 1 0 if b then c 1 else c 2 / Θ 1 ⊕ p Θ 0 ⇓ Θ ′ 1 ⊕ p Θ ′ 0 c 1 / Θ ⇓ Θ 1 c 2 / Θ ⇓ Θ 2 ( c 1 ⊕ p c 2 ) / Θ ⇓ Θ 1 ⊕ p Θ 2 13/47

Direct Toss c 1 ⊕ 1 5 c 2 ⊕ 1 / 5 � c 1 � ⊕ 1 / 3 � c 2 � ⊕ 1 / 3 σ 1 ⊕ 1 / 2 σ 1 ⊕ 1 / 2 σ 2 σ 3 σ 2 σ 3 14/47

The Distinction Recursive c 1 / [ σ ] ⇓ Θ 1 c 2 / [ σ ] ⇓ Θ 2 ( c 1 ⊔ c 2 ) / [ σ ] ⇓ Θ 1 ( c 1 ⊔ c 2 ) / [ σ ] ⇓ Θ 2 vs. c 1 / Θ ⇓ Θ 1 c 2 / Θ ⇓ Θ 2 ( c 1 ⊔ c 2 ) / Θ ⇓ Θ 1 ( c 1 ⊔ c 2 ) / Θ ⇓ Θ 2 Direct 15/47

Let’s Play a Game! 16/47

Let’s Play a Game! P := ⊕ 1 3 ( ⊕ 1 ) 2 O := ⊔ ⊔ 17/47

Let’s Play a Game! c 1 P := ⊕ 1 3 ( ⊕ 1 ) 2 c 2 O := ⊔ ⊔ 17/47

c 1 : P := ⊕ 1 3 ( ⊕ 1 ) Direct Play 2 18/47

c 1 : P := ⊕ 1 3 ( ⊕ 1 ) Direct Play 2 ⊕ 1 / 3 ⊕ 1 / 2 18/47

c 2 : O := ⊔ ⊔ Direct Play � c 2 � ⊕ 1 / 3 ⊕ 1 / 2 18/47

c 2 : O := ⊔ ⊔ Direct Play � � ⊕ 1 / 3 ⊕ 1 / 2 18/47

c 2 : O := ⊔ ⊔ Direct Play ⊕ 1 / 3 ⊕ 1 / 2 18/47

c 2 : O := ⊔ ⊔ Direct Play ⊕ 1 / 3 L ⊕ 1 / 2 T W 18/47

c 1 : P := ⊕ 1 3 ( ⊕ 1 ) Recursive Play 2 19/47

c 1 : P := ⊕ 1 3 ( ⊕ 1 ) Recursive Play 2 ⊕ 1 / 3 ⊕ 1 / 2 19/47

c 2 : O := ⊔ ⊔ Recursive Play � c 2 � ⊕ 1 / 3 ⊕ 1 / 2 19/47

c 2 : O := ⊔ ⊔ Recursive Play ⊕ 1 / 3 � c 2 � ⊕ 1 / 2 � c 2 � � c 2 � 19/47

c 2 : O := ⊔ ⊔ Recursive Play ⊕ 1 / 3 ⊕ 1 / 2 19/47

c 2 : O := ⊔ ⊔ Recursive Play ⊕ 1 / 3 ⊕ 1 / 2 L L L 19/47

Knowledge The two levels of operational semantics reflect whether the adversary knows the outcome of coin flips. 20/47

Levels of Knowledge 1. Adversary is blind to probabilistic outcomes. ◮ Single choice in (( c 1 ⊔ c 2 ) ⊕ ( c 1 ⊔ c 2 )) ◮ Distinct choices in (( c 1 ⊔ c 2 ) ⊕ ( c 1 ⊔ c 2 )) (Direct) 2. Adversary can see current program state 3. Adversary recalls program history (Recursive) 4. Adversary can foresee all outcomes. ◮ Single coin flip in (( c 1 ⊕ c 2 ) ⊔ ( c 1 ⊕ c 2 )) ◮ Distinct coin flips in (( c 1 ⊕ c 2 ) ⊔ ( c 1 ⊕ c 2 )) 21/47

Levels of Knowledge 1. Adversary is blind to probabilistic outcomes. ◮ Single choice in (( c 1 ⊔ c 2 ) ⊕ ( c 1 ⊔ c 2 )) ◮ Distinct choices in (( c 1 ⊔ c 2 ) ⊕ ( c 1 ⊔ c 2 )) (Direct) 2. Adversary can see current program state 3. Adversary recalls program history (Recursive) 4. Adversary can foresee all outcomes. ◮ Single coin flip in (( c 1 ⊕ c 2 ) ⊔ ( c 1 ⊕ c 2 )) ◮ Distinct coin flips in (( c 1 ⊕ c 2 ) ⊔ ( c 1 ⊕ c 2 )) 21/47

Levels of Knowledge 1. Adversary is blind to probabilistic outcomes. ◮ Single choice in (( c 1 ⊔ c 2 ) ⊕ ( c 1 ⊔ c 2 )) ◮ Distinct choices in (( c 1 ⊔ c 2 ) ⊕ ( c 1 ⊔ c 2 )) (Direct) 2. Adversary can see current program state 3. Adversary recalls program history (Recursive) 4. Adversary can foresee all outcomes. ◮ Single coin flip in (( c 1 ⊕ c 2 ) ⊔ ( c 1 ⊕ c 2 )) ◮ Distinct coin flips in (( c 1 ⊕ c 2 ) ⊔ ( c 1 ⊕ c 2 )) 21/47

Levels of Knowledge 1. Adversary is blind to probabilistic outcomes. ◮ Single choice in (( c 1 ⊔ c 2 ) ⊕ ( c 1 ⊔ c 2 )) ◮ Distinct choices in (( c 1 ⊔ c 2 ) ⊕ ( c 1 ⊔ c 2 )) (Direct) 2. Adversary can see current program state 3. Adversary recalls program history (Recursive) 4. Adversary can foresee all outcomes. ◮ Single coin flip in (( c 1 ⊕ c 2 ) ⊔ ( c 1 ⊕ c 2 )) ◮ Distinct coin flips in (( c 1 ⊕ c 2 ) ⊔ ( c 1 ⊕ c 2 )) 21/47

So... What can we verify? 22/47

Verification: Direct { P } c 1 { Q } { P } c 2 { Q } { P } ( c 1 ⊔ c 2 ) { Q } 23/47

Verification: Recursive { True } b := T { Pr ( b ) = 1 } { True } b := F { Pr ( b ) = 0 } { True } ( b := T ⊔ b := F ) { Pr ( b ) = 1 ∨ Pr ( b ) = 0 } 24/47

Verification: Recursive ⊕ 1 / 2 b = ⊥ b = ⊥ { True } b := T { Pr ( b ) = 1 } { True } b := F { Pr ( b ) = 0 } { True } ( b := T ⊔ b := F ) { Pr ( b ) = 1 ∨ Pr ( b ) = 0 } 24/47

Verification: Recursive ⊕ 1 / 2 b = T b = F { True } b := T { Pr ( b ) = 1 } { True } b := F { Pr ( b ) = 0 } { True } ( b := T ⊔ b := F ) { Pr ( b ) = 1 ∨ Pr ( b ) = 0 } 24/47

Verification: Recursive ⊕ 1 / 2 b = T b = F { True } b := T { Pr ( b ) = 1 } { True } b := F { Pr ( b ) = 0 } { True } ( b := T ⊔ b := F ) { Pr ( b ) = 1 ∨ Pr ( b ) = 0 } 24/47

Verification: Recursive ⊕ 1 / 2 b = T b = F { True } b := T { Pr ( b ) = 1 } { True } b := F { Pr ( b ) = 0 } { True } ( b := T ⊔ b := F ) { Pr ( b ) = 1 ∨ Pr ( b ) = 0 } Q cannot include disjunctions 24/47

Verification: Recursive { Pr ( b ) = 1 2 } skip { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } b := ¬ b { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } ( skip ⊔ b := ¬ b ) { Pr ( b ) = 1 2 } 25/47

Verification: Recursive ⊕ 1 / 2 b = T b = F { Pr ( b ) = 1 2 } skip { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } b := ¬ b { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } ( skip ⊔ b := ¬ b ) { Pr ( b ) = 1 2 } 25/47

Verification: Recursive ⊕ 1 / 2 b = F b = F { Pr ( b ) = 1 2 } skip { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } b := ¬ b { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } ( skip ⊔ b := ¬ b ) { Pr ( b ) = 1 2 } 25/47

Verification: Recursive ⊕ 1 / 2 b = F b = F { Pr ( b ) = 1 2 } skip { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } b := ¬ b { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } ( skip ⊔ b := ¬ b ) { Pr ( b ) = 1 2 } 25/47

Verification: Recursive ⊕ 1 / 2 b = F b = F { Pr ( b ) = 1 2 } skip { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } b := ¬ b { Pr ( b ) = 1 2 } { Pr ( b ) = 1 2 } ( skip ⊔ b := ¬ b ) { Pr ( b ) = 1 2 } P cannot include probabilities in ( 0 , 1 ) 25/47

Verification: Recursive non-probabilistic P { P } c 1 { Q } non-disjunctive Q { P } c 2 { Q } { P } ( c 1 ⊔ c 2 ) { Q } 26/47

C ompositionality ( c 1 ⊔ c 2 ); ( c 3 ⊔ c 4 ) 27/47

C ompositionality { P } ( c 1 ⊔ c 2 ); ( c 3 ⊔ c 4 ) { R } 27/47

C ompositionality { P } ( c 1 ⊔ c 2 ) { Q } ( c 3 ⊔ c 4 ) { R } 27/47

C ompositionality { P } ( c 1 ⊔ c 2 ) { Q } ( c 3 ⊔ c 4 ) { R } 27/47