justhsu
/
justin-site
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
justin-site/files/slides/popl20-tutorial.pdf

1810 lines
49 KiB
Plaintext
Raw Normal View History

Update news.
2020-07-22 21:57:33 +00:00
\newif\ifdraft \drafttrue
\newif\iffull \fulltrue
\newif\ifdark \darktrue
% If you want to change these flags just for yourself, do it by adding
% commands to a files called tex.flags ...
\makeatletter \@input{tex.flags} \makeatother
\documentclass{beamer}
\input{prelude}
\usepackage{framed} % frame boxes
\usepackage[framemethod=TikZ]{mdframed} % fancier boxes (colors)
\usepackage{ulem} % strikethrough and underlines
\renewcommand<>{\sout}[1]{\alt#2{\beameroriginal{\sout}{#1}}{#1}}
\renewcommand{\ULthickness}{1pt} % Set ulem thickness
\newcommand{\superhi}[1]{{\color{superhi}{#1}}}
\renewcommand<>{\superhi}[1]{\alt#2{\beameroriginal{\superhi}{#1}}{#1}}
% Make \sout overlay specification aware
\usepackage{xparse}
\usepackage{mathtools}
\usepackage{lmodern}
\usepackage{booktabs}
\usepackage{tikz}
\usetikzlibrary{positioning, fit}
\usetikzlibrary{shapes.callouts,shapes.arrows}
\tikzset{
invisible/.style={opacity=0,text opacity=0},
visible on/.style={alt=#1{}{invisible}},
alt/.code args={<#1>#2#3}{%
\alt<#1>{\pgfkeysalso{#2}}{\pgfkeysalso{#3}} % \pgfkeysalso doesn't change the path
},
highlight on/.style={alt=#1{}{plain}},
plain/.style={fill=none},
}
% Create a callout
% \mycallout<when>{node+anchor}{text}{width}{angle}{distance}{color}
% Relative position of pointer with respect to _bubble_
\NewDocumentCommand{\mycallout}{r<> O{opacity=0.8,text opacity=1} m m m m m m}{%
\tikz[remember picture, overlay]
{\node[overlay, ellipse callout, align=left, fill=#8, text width=#5,
#2,visible on=<#1>,anchor=pointer,align=center,callout relative
pointer={(#6:#7)}] at (#3) {#4};}
}
% \refbox{node}{text}
% \newcommand{\refbox}[2]{
% \tikz[remember picture, baseline=(#1.base)]{
% \node[anchor=base,rounded corners] (#1) {#2};}
% }
% Tag a bit of math with a tikz node, also fill it with a color
% \refbox{node}{text}{color}
% \newcommand{\refbox}[3]{
% \tikz[remember picture, baseline=(#1.base)]{
% \node[fill=#3!30,anchor=base,rounded corners] (#1) {#2};}
% }
% Tag a bit of math with a tikz node, also fill it with a color
% \refbox<highlight slide>{node}{text}{color}
\NewDocumentCommand{\refbox}{r<> m m m}{
\tikz[remember picture, baseline=(#2.base)]{
\node[fill=#4,anchor=base,rounded corners,highlight on=<#1>] (#2) {#3};}
}
\ifdark
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Dark beamer theme %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% TODO: split out into dark color scheme file.
\setbeameroption{hide notes}
\setbeamertemplate{note page}[plain]
\usetheme{default}
\beamertemplatenavigationsymbolsempty
\hypersetup{pdfpagemode=UseNone} % don't show bookmarks on initial view
% Set fonts
\usefonttheme{professionalfonts}
% \usefonttheme{serif}
% \usepackage{fontspec}
% \setmainfont{helveticaneue}
% \setbeamerfont{note page}{family*=pplx,size=\footnotesize} % Palatino for notes
% \usepackage{libertine}
% \usepackage{libertinust1math}
% \usepackage[T1]{fontenc}
\usepackage{FiraSans}
% Define colors
\definecolor{almostblack}{HTML}{222222}
\definecolor{nearblack}{HTML}{B3B6BB}
\definecolor{darkgrey}{HTML}{363636}
\definecolor{medgrey}{HTML}{656565}
\definecolor{lightgrey}{HTML}{2C2C2C}
\definecolor{lightblue}{HTML}{65BBDF}
\definecolor{lightgreen}{HTML}{85D275}
\definecolor{lightred}{HTML}{CD4F62}
\definecolor{lightorange}{HTML}{CD7053}
\definecolor{lightyellow}{HTML}{DCC453}
\colorlet{foreground}{nearblack}
\colorlet{background}{almostblack}
\colorlet{title}{lightblue}
\colorlet{heading}{lightorange}
\colorlet{hilight}{lightred}
\colorlet{superhi}{lightgreen}
\colorlet{callout}{lightred}
\colorlet{author}{lightgreen}
\colorlet{gray}{lightgrey}
\setbeamercolor{titlelike}{fg=title}
\setbeamercolor{institute}{fg=foreground}
\setbeamercolor{author}{fg=author}
\setbeamercolor{structure}{fg=heading}
\setbeamercolor{alerted text}{fg=hilight}
\setbeamercolor{normal text}{fg=foreground,bg=background}
% Itemize colors
\setbeamercolor{item}{fg=foreground} % color of bullets
\setbeamercolor{subitem}{fg=foreground}
\setbeamercolor{itemize/enumerate subbody}{fg=foreground}
\setbeamertemplate{itemize subitem}{{\textendash}}
\setbeamerfont{itemize/enumerate subbody}{size=\footnotesize}
\setbeamerfont{itemize/enumerate subitem}{size=\footnotesize}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\else
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Light beamer theme %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\usetheme{Pittsburgh}
\usecolortheme{beaver}
\setbeamertemplate{navigation symbols}{}
\colorlet{callout}{green!30}
\colorlet{superhi}{darkred!80!gray}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\fi
% Page numbering
\ifdraft
\setbeamertemplate{footline}{%
\raisebox{5pt}{\makebox[\paperwidth]{\hfill\makebox[20pt]{\color{foreground}
\scriptsize\insertframenumber}}}\hspace*{5pt}}
\fi
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% If monitor supports dual screen
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\usepackage{pgfpages}
%\setbeameroption{show notes}
%\setbeameroption{show notes on second screen=right}
%\note{blah}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Better title page
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \setbeamerfont{author}{size=\Large}
% \setbeamerfont{date}{size=\scriptsize}
% \setbeamerfont{title}{size=\Huge}
\setbeamertemplate{title page}{%
\begin{tikzpicture}[remember picture,overlay]
\fill[title]
([yshift=50pt]current page.west) rectangle (current page.north east);
\node[anchor=south east]
at ([yshift=65pt, xshift=-20pt]current page.south east) (author)
{\parbox[t]{\paperwidth}{%
\flushright\usebeamerfont{author}\textcolor{superhi}{\insertauthor}}};
\node[anchor=south east]
at ([yshift=40pt, xshift=-20pt]current page.south east) (institute)
{\parbox[t]{\paperwidth}{%
\flushright\usebeamerfont{institute}\textcolor{foreground}{\insertinstitute}}};
\node[anchor=south west]
at ([yshift=40pt,xshift=20pt]current page.south west) (logo)
{\parbox[t]{.2\paperwidth}{\raggedleft%
\usebeamercolor[fg]{titlegraphic}\inserttitlegraphic}};
\node[anchor=south west]
at ([yshift=50pt,xshift=20pt]current page.west) (title1)
{\parbox[t]{\textwidth}{\usebeamerfont{title}\textcolor{background}{\inserttitle}}};
\node[anchor=north west]
at ([yshift=50pt,xshift=20pt]current page.west) (title2)
{\parbox[t]{\textwidth}{\usebeamerfont{title}\textcolor{title}{\insertsubtitle}}};
\end{tikzpicture}%
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Section dividers: two lines
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\newcommand{\dividerpage}[2]{%
\begin{tikzpicture}[remember picture,overlay]
\fill[title]
(current page.west) rectangle (current page.north east);
\node[anchor=south west]
at ([xshift=20pt]current page.west) (title1)
{\parbox[t]{\textwidth}{\usebeamerfont{title}\textcolor{background}{#1}}};
\node[anchor=north west]
at ([xshift=20pt]current page.west) (title2)
{\parbox[t]{\textwidth}{\usebeamerfont{title}\textcolor{title}{#2}}};
\end{tikzpicture}%
}
\title{\huge Verifying Probabilistic Properties}
\subtitle{\huge with Probabilistic Couplings}
\author{\LARGE Justin Hsu}
\institute{\large UW--Madison \\ Computer Sciences}
\begin{document}
\begin{frame}[label=titleframe]
\titlepage
\end{frame}
\begin{frame}
\frametitle{Work with brilliant collaborators}
\begin{center}
\begin{tabular}{c c c c}
\includegraphics[width=0.2\textwidth]{images/aws.jpg}
& \includegraphics[width=0.2\textwidth]{images/gilles.jpg}
& \includegraphics[width=0.2\textwidth]{images/thomas.jpg}
& \includegraphics[width=0.2\textwidth]{images/noemie.png}
\\
\includegraphics[width=0.2\textwidth]{images/marco.jpg}
& \includegraphics[width=0.2\textwidth]{images/gregoire.jpg}
& \includegraphics[width=0.2\textwidth]{images/leo.jpg}
& \includegraphics[width=0.2\textwidth]{images/py.jpg}
\end{tabular}
\end{center}
\end{frame}
\begin{frame}
\dividerpage{\huge What Are Probabilistic}{\huge ``Relational Properties''?}
\end{frame}
\begin{frame}
\frametitle{Today's target properties}
\begin{block}{Probabilistic}
\begin{itemize}
\item Programs can take random samples (flip coins)
\item Map (single) input value to a distribution over outputs
\end{itemize}
\end{block}
\begin{block}{Relational}
\begin{itemize}
\item Compare \superhi{two} executions of a program (or: two programs)
\item Describe outputs (\superhi{distributions}) from two related inputs
\item Also known as \superhi{2-properties}, or \superhi{hyperproperties}
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Examples throughout computer science...}
\begin{block}{Security and privacy}
\begin{itemize}
\item Indistinguishability
\item Differential privacy
\end{itemize}
\end{block}
\begin{block}{Machine learning}
\begin{itemize}
\item Uniform stability
\end{itemize}
\end{block}
\begin{block}{... and beyond}
\begin{itemize}
\item Incentive properties (game theory/mechanism design)
\item Convergence and mixing (probability theory)
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Challenges for formal verification}
\begin{block}{Reason about two sources of randomness}
\begin{itemize}
\item Two executions may behave very differently
\item Completely different control flow (even for same program!)
\end{itemize}
\end{block}
\begin{block}{Quantitative reasoning}
\begin{itemize}
\item Target properties describe distributions
\item Probabilities, expected values, etc.
\item Very messy for formal reasoning
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Today: Combine two ingredients}
\begin{center}
\vfill
\structure{\Huge Probabilistic Couplings}
\vfill
\scalebox{5}{\structure{$+$}}
\vfill
\structure{\Huge Relational Program Logics}
\vfill
\end{center}
\end{frame}
\begin{frame}
\dividerpage{\Huge Probabilistic Couplings}{\Huge and ``Proof by Coupling''}
\end{frame}
\begin{frame}
\frametitle{Given: programs $c_1$ and $c_2$, each taking $10$ coin flips}
\begin{columns}
\begin{column}<1->{0.5\textwidth}
\begin{block}{Experiment \#1}
\centerline{\includegraphics[height=0.5\textheight]{images/coins-indep.png}}
\end{block}
\end{column}
\begin{column}<2->{0.5\textwidth}
\begin{block}{Experiment \#2}
\centerline{\includegraphics[height=0.5\textheight]{images/coins-id.png}}
\end{block}
\end{column}
\end{columns}
\begin{center}
\begin{onslide}<3->
\begin{framed}
Distributions equal in Experiment \#1
$\iff$
Distributions equal in Experiment \#2
\end{framed}
\end{onslide}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Given: programs $c_1$ and $c_2$, each taking $10$ coin flips}
\begin{columns}
\begin{column}<1->{0.5\textwidth}
\begin{block}{Experiment \#1}
\centerline{\includegraphics[height=0.6\textheight]{images/coins-indep.png}}
\end{block}
\end{column}
\begin{column}<2->{0.5\textwidth}
\begin{block}{Experiment \#2}
\centerline{\includegraphics[height=0.6\textheight]{images/coins-neg.png}}
\end{block}
\end{column}
\end{columns}
\begin{center}
\begin{onslide}<3->
\begin{framed}
Distributions equal in Experiment \#1
$\iff$
Distributions equal in Experiment \#2
\end{framed}
\end{onslide}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Why ``pretend'' two executions share randomness?}
\begin{block}{Easier to reason about one source of randomness}
\begin{itemize}
\item Fewer possible executions
\item Pairs of coordinated executions follow similar control flow
\end{itemize}
\end{block}
\begin{block}{Reduce quantitative reasoning}
\begin{itemize}
\item Reason on (non-probabilistic) relations between samples
\item Don't need to work with raw probabilities (messy)
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{A bit more precisely\dots}
% \structure{\huge Definition}
\vspace{2ex}
{\LARGE A \superhi{coupling} of two distributions $\mu_1, \mu_2 \in \Dist(A)$
is a joint distribution $\mu \in \Dist(A \times A)$ with
$\pi_1(\mu) = \mu_1$ and $\pi_2(\mu) = \mu_2$.}
\vspace{2ex}
\pause
\begin{center}
\begin{framed}
\Large{A coupling models \superhi{two} distributions \\
sharing \superhi{one} source of randomness}
\end{framed}
\end{center}
\end{frame}
\begin{frame}
\frametitle{For example}
\begin{columns}
\begin{column}{0.5\textwidth}
\begin{center}
\includegraphics[width=\textwidth]{images/coin-id-4}
\vfill
\includegraphics[width=\textwidth]{images/witness-id}
\end{center}
\end{column}
\begin{column}<2>{0.5\textwidth}
\begin{center}
\includegraphics[width=\textwidth]{images/coin-neg-2}
\vfill
\includegraphics[width=\textwidth]{images/witness-neg}
\end{center}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Why are couplings interesting for verification?}
\begin{center}
\huge \structure{\mbox{\superhi{Existence} of a coupling* can imply} \\
a property of two distributions}
\end{center}
\end{frame}
\begin{frame}
\begin{columns}
\begin{column}{0.65\textwidth}
\structure{\superhi{If} there \superhi{exists} a coupling \\
of $(\mu_1, \mu_2)$ where:}
\end{column}
\begin{column}{0.35\textwidth}
\structure{\superhi{then}:}
\end{column}
\end{columns}
\vfill
\centerline{\structure{\rule{\textwidth}{1pt}}}
\vfill
\begin{columns}
\begin{column}{0.65\textwidth}
Two coupled samples differ \\ with small probability
\end{column}
\begin{column}{0.35\textwidth}
$\mu_1$ is ``close'' to $\mu_2$
\end{column}
\end{columns}
\pause
\vfill
\centerline{\structure{\rule{\textwidth}{1pt}}}
\vfill
\begin{columns}
\begin{column}{0.65\textwidth}
Two coupled samples \\ are always equal
\end{column}
\begin{column}{0.35\textwidth}
$\mu_1$ is ``equal'' to $\mu_2$
\end{column}
\end{columns}
\pause
\vfill
\centerline{\structure{\rule{\textwidth}{1pt}}}
\vfill
\begin{columns}
\begin{column}{0.65\textwidth}
First coupled sample is always \\ larger than second sample
\end{column}
\begin{column}{0.35\textwidth}
$\mu_1$ ``dominates'' $\mu_2$
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Our plan to verify these properties}
\begin{block}{Three easy steps}
\begin{enumerate}
\item Start from two given programs
\item \superhi<2->{Show that for two related inputs, there exists a coupling of the
output distributions with certain properties}
\item Conclude relational property of program(s)
\end{enumerate}
\end{block}
\begin{onslide}<3>
\begin{center}
\includegraphics[width=0.9\textwidth]{images/owl}
\end{center}
\end{onslide}
\end{frame}
\begin{frame}
\frametitle{Show existence of a coupling by constructing it}
\begin{framed}
\begin{center}
\huge {A \superhi{coupling proof} is a recipe \\ for constructing a coupling}
\end{center}
\end{framed}
\pause
\begin{enumerate}
\item \superhi{Specify}: How to couple pairs of intermediate samples
\item \superhi{Deduce}: Relation between final coupled samples
\item \superhi{Conclude}: Property about two original distributions
\end{enumerate}
\end{frame}
\begin{frame}
\dividerpage{\Huge Probabilistic Relational}{\Huge Program Logics}
\end{frame}
\begin{frame}{Make statements about imperative programs}
\begin{block}{Imperative language \textsc{While}}
\vspace{-2ex}
\begin{align*}
% e &::= x \in \Var
% \mid n \in \NN
% \mid e + e'
% \mid e \cdot e'
% \mid \cdots
% \\
% b &::= \mathit{true}
% \mid \mathit{false}
% \mid e = e'
% \mid e < e'
% \mid b \land b'
% \mid \cdots
% \\
c &::= \Skip
\mid \Ass{x}{e}
\mid \Cond{b}{c}{c'}
\mid \Seq{c}{c'}
\mid \WWhile{b}{c}
\end{align*}
\end{block}
\pause
\begin{block}{Semantics: \textsc{While} programs transform memories}
\begin{itemize}
\item \superhi{Variables}: Fixed set $\Var$ of program variable names
\item \superhi{Memories} $\Mem$: functions from $\Var$ to values $\Val$ (e.g., 42)
\item Interpret each command $c$ as a \superhi{memory transformer}:
\[
\denot{c} : \Mem \to \Mem
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}{Program logics (Floyd-Hoare logics)}
\begin{block}{Logical judgments look like this}
\[
\scalebox{3}{\ensuremath{ \hl{c}{P}{Q} }}
\]
\end{block}
\begin{block}{Interpretation}
\begin{itemize}
\item \superhi{Program} $c$, \textsc{While} program (e.g., $x \gets y; y \gets y + 1$)
\item \superhi{Precondition} $P$, formula over $\Var$ (e.g., $y \geq 0$)
\item \superhi{Postcondition} $Q$, formula over $\Var$ (e.g., $x \geq 0 \land y \geq 0$)
\end{itemize}
\end{block}
\begin{center}
\begin{framed}
If $P$ holds before running $c$, then $Q$ holds after running $c$
\end{framed}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Probabilistic Relational Hoare Logic (\Sprhl) [BGZ-B]}
\begin{block}{Previously}
\begin{itemize}
\item Inspired by Benton's Relational Hoare Logic
\item Foundation of the EasyCrypt system
\item Verified security of many cryptographic schemes
\end{itemize}
\end{block}
\pause
\begin{block}{New interpretation}
\begin{center}
\begin{framed}
\Huge {\Sprhl is a logic for formal \\ proofs by coupling}
\end{framed}
\end{center}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Language and judgments}
\begin{block}{The \textsc{pWhile} imperative language}
\vspace{-2ex}
\[
c ::= \Skip
\mid \Ass{x}{e}
\mid \refbox<2->{samp}{$\Rand{x}{d}$}{callout}
\mid \Cond{e}{c}{c}
\mid \Seq{c}{c}
\mid \WWhile{e}{c}
\]
\vspace{-2ex}
\end{block}
\pause
\begin{block}{Semantics of \textsc{pWhile} programs}
\begin{itemize}
\item Input: a single memory (assignment to variables)
\item Output: a \superhi{distribution} over memories
\item Interpret each command $c$ as:
\[
\denot{c} : \Mem \to \Dist(\Mem)
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}{Basic \textsc{pRHL} judgments}
\[
\prhl{c_1}{c_2}{P}{Q}
\]
\begin{itemize}
\item $P$ and $Q$ are formulas over program variables
\item Labeled program variables: $x_1$, $x_2$
\item $P$ is precondition, $Q$ is postcondition
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Interpreting the judgment}
\begin{block}{Logical judgments in \textsc{pRHL} look like this}
\[
\scalebox{3}{\ensuremath{ \prhl{c_1}{c_2}{P}{Q} }}
\]
\end{block}
\pause
\begin{block}{Interpreting pre- and post-conditions}
\begin{itemize}
\item As usual, $P$ is a relation on two memories
\item $Q$ interpreted as a relation $\lift{Q}$ on memory \superhi{distributions}
\end{itemize}
\end{block}
\pause
\begin{definition}[Valid \textsc{pRHL} judgment]
For any \superhi{pair of related inputs} $(m_1, m_2) \in \denot{P}$,
\superhi{there exists a coupling} $\mu \in \Dist(\Mem \times \Mem)$ of the
output distributions $(\denot{c_1}m_1, \denot{c_2}m_2)$ such that
$\supp(\mu) \subseteq \denot{Q}$.
\end{definition}
\end{frame}
\begin{frame}
\frametitle{Encoding couplings with \Sprhl theorems}
\begin{framed}
\begin{center}
\scalebox{2}{$\prhl{c_1}{c_2}{P}{o_1 = o_2}$}
\end{center}
\end{framed}
\begin{block}{Interpretation}
\begin{framed}
If two inputs satisfy $P$, there exists a coupling of the
output distributions where the coupled samples have equal $o$
\end{framed}
\end{block}
\vspace{-1ex}
\pause
\begin{block}{This implies:}
\begin{framed}
If two inputs satisfy $P$, the distributions of $o$ are equal
\end{framed}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Encoding couplings with \Sprhl theorems}
\begin{framed}
\begin{center}
\scalebox{2}{$\prhl{c_1}{c_2}{P}{o_1 \geq o_2}$}
\end{center}
\end{framed}
\begin{block}{This implies:}
\begin{framed}
If two inputs satisfy $P$, then the first distribution of $o$
stochastically dominates the second distribution of $o$
\end{framed}
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\Huge Proving Judgments:}{\Huge The Proof System of \textsc{pRHL}}
\end{frame}
\begin{frame}
\frametitle{More convenient way to prove judgments}
\begin{block}{Inference rules describe:}
\begin{itemize}
\item Judgments that are always true (axioms)
\item How to prove judgment for a program by combining judgments
for components
\end{itemize}
\end{block}
\pause
\begin{block}{Example: sequential composition rule}
\[
\text{\superhi{Given:} \qquad} { \{ P \}\ c_1\ \{ Q \}
\qquad\text{and}\qquad
\{ Q \}\ c_2\ \{ R \} }
\]
\pause
\centerline{\rule{0.8\textwidth}{2pt}}
\[
\text{\superhi{Conclude:} \quad\qquad\qquad}
{ \{ P \}\ c_1 \mathrel{;} c_2\ \{ R \} }
\text{\quad\qquad\qquad}
\]
\end{block}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{introduce} couplings}
\begin{center}
\scalebox{1.6}{$
\inferrule*%[Left=FlipEq]
{ }
{ \vdash \prhl{\Rand{x_1}{\mathit{flip}}}{\Rand{x_2}{\mathit{flip}}}{\ }{ x_1 = x_2 } }
$}
\end{center}
\vfill
\centerline{\onslide<2->{\includegraphics[width=\textwidth]{images/coin-id-4}}}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{introduce} couplings}
\begin{center}
\scalebox{1.6}{$
\inferrule*%[Left=FlipNeg]
{ }
{ \vdash \prhl{\Rand{x_1}{\mathit{flip}}}{\Rand{x_2}{\mathit{flip}}}{\ }{ x_1 \neq x_2 } }
$}
\end{center}
\vfill
\centerline{\onslide<2->{\includegraphics[width=\textwidth]{images/coin-neg-2}}}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{combine} couplings}
\begin{center}
\scalebox{2.5}{$
\inferrule*%[Left=Seq]
{ \vdash \prhl{c_1}{c_2}{P}{Q} \\\\ \vdash \prhl{c_1'}{c_2'}{Q}{R} }
{ \vdash \prhl{c_1; c_1'}{c_2; c_2'}{P}{R} }
$}
\end{center}
\pause
\begin{framed}
\begin{center}
\Huge {Sequence couplings}
\end{center}
\end{framed}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{combine} couplings}
\begin{center}
\scalebox{2.5}{$
\inferrule*%[Left=Case]
{ \vdash \prhl{c_1}{c_2}{P \land S}{Q} \\\\ \vdash \prhl{c_1}{c_2}{P \land \neg S}{Q} }
{ \vdash \prhl{c_1}{c_2}{P}{Q} }
$}
\end{center}
\pause
\begin{framed}
\begin{center}
\Huge{Select couplings}
\end{center}
\end{framed}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{combine} couplings}
\begin{center}
\[
\inferrule*%[Left=While]
{ \vdash \prhl{c_1}{c_2}{P \land e_1 \land e_2}{P} \\ \superhi<3>{\models P \to e_1 = e_2} }
{ \vdash \prhl{\WWhile{e_1}{c_1}}{\WWhile{e_2}{c_2}}{P}{P \land (\neg e_1 \land \neg e_2)} }
\]
\end{center}
\pause
\begin{framed}
\begin{center}
\Huge{Repeat couplings}
\end{center}
\end{framed}
\end{frame}
\begin{frame}
\frametitle{\superhi{Not} a rule: conjunction}
\begin{center}
\scalebox{2.5}{$
\inferrule*%[Left=Case]
{ \vdash \prhl{c_1}{c_2}{P}{Q} \\\\ \vdash \prhl{c_1}{c_2}{P}{R} }
{ \vdash \prhl{c_1}{c_2}{P}{Q \land R} }
$}
\end{center}
\pause
\begin{framed}
\begin{center}
\Huge{Can't compose this way}
\end{center}
\end{framed}
\end{frame}
\begin{frame}
\dividerpage{\huge Formal Proofs by Coupling}{\huge Ex. 1: Equivalence}
\end{frame}
\begin{frame}
\frametitle{Target property: equivalence}
\begin{block}{$P$'s output distribution is the same for any two inputs}
\begin{itemize}
\item Shows: output distribution is the same for \superhi{any} input
\item Security: input is secret, output is encrypted
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Warmup example: secrecy of one-time-pad (OTP)}
\begin{block}{The program}
\begin{itemize}
\item Program input: a secret boolean $\mathit{sec}$
\item Program output: an encrypted version of the secret
\[
\begin{array}{ll}
\Rand{key}{\mathit{flip}};
&\text{// draw random key}
\\
\Ass{enc}{\mathit{sec} \mathbin{\superhi{\oplus}} \mathit{key}};
\qquad\qquad
&\text{// exclusive or}
\\
\RReturn(\mathit{enc})
&\text{// return encrypted}
\end{array}
\]
\end{itemize}
\end{block}
\begin{block}{Proof by coupling}
\begin{itemize}
\item Either $\mathit{sec}_1, \mathit{sec}_2$ are equal, or unequal
\begin{enumerate}
\item If equal: couple sampling for $\mathit{key}$ to be equal in both
runs
\item If unequal: couple sampling for $\mathit{key}$ to be unequal in
both runs
\end{enumerate}
\item Coupling ensures $\mathit{enc}_1 = \mathit{enc}_2$, hence distributions equal
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{block}{Case 1: $\mathit{sec}_1 = \mathit{sec}_2$}
\begin{itemize}
\item By applying identity coupling rule (general version):
\[
\begin{array}{l}
\{ \mathit{sec}_1 = \mathit{sec}_2 \} \\
\Rand{key}{\mathit{flip}}; \\
\{ key_1 = key_2 \} \\
\Ass{enc}{\mathit{sec} \oplus \mathit{key}} \\
\{ enc_1 = enc_2 \}
\end{array}
\]
\item Hence:
\[
\prhl{otp}{otp}
{\mathit{sec}_1 = \mathit{sec}_2}{enc_1 = enc_2}
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{block}{Case 2: $\mathit{sec}_1 \neq \mathit{sec}_2$}
\begin{itemize}
\item By applying negation coupling rule (general version):
\[
\begin{array}{l}
\{ \mathit{sec}_1 \neq \mathit{sec}_2 \} \\
\Rand{key}{\mathit{flip}}; \\
\{ key_1 \neq key_2 \} \\
\Ass{enc}{\mathit{sec} \oplus \mathit{key}} \\
\{ enc_1 = enc_2 \}
\end{array}
\]
\item Hence:
\[
\prhl{otp}{otp}
{\mathit{sec}_1 \neq \mathit{sec}_2}{enc_1 = enc_2}
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{block}{Combining the cases:}
\[
\inferrule
{
\prhl{otp}{otp}
{\mathit{sec}_1 = \mathit{sec}_2}{enc_1 = enc_2}
\\\\
\prhl{otp}{otp}
{\mathit{sec}_1 \neq \mathit{sec}_2}{enc_1 = enc_2}
}
{
\prhl{otp}{otp}
{\top}{enc_1 = enc_2}
}
\]
and we are done!
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\huge Formal Proofs by Coupling}{\huge Ex. 2: Stochastic Domination}
\end{frame}
\begin{frame}
\frametitle{Target property: stochastic domination}
\begin{block}{Order relation on distributions}
\begin{itemize}
\item Given: ordered set $(A, \leq_A)$
\item Lift to ordering on distributions $(\Dist(A), \leq_{sd})$
\end{itemize}
\end{block}
\begin{block}{For naturals $(\mathbb{N}, \leq)$ \dots}
Two distributions $\mu_1, \mu_2 \in \Dist(\mathbb{N})$ satisfy $\mu_1
\leq_{sd} \mu_2$ if
\[
\text{for all } k \in \mathbb{N},\ \mu_1(\{ n \mid k \leq n \}) \leq \mu_2(\{ n \mid k \leq n \})
\]
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof by coupling}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_1}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_2}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
\end{columns}
\pause
\begin{block}{Suppose $T_1 \geq T_2$: first loop runs more}
\begin{itemize}
\item Want to prove $\mu_1 \geq_{sd} \mu_2$
\end{itemize}
\end{block}
\pause
\begin{block}{Suffices to construct a coupling where $ct_1 \geq ct_2$}
\begin{itemize}
\item Couple the first $T_2$ samples to be equal across both runs;
establishes $ct_1 = ct_2$
\item Take the remaining $T_1 - T_2$ samples (in the first run) to be
arbitrary; preserves $ct_1 \geq ct_2$
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_1}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_2}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\vfill
\end{column}
\end{columns}
\begin{block}{Goal: prove}
\begin{framed}
\scalebox{1.8}{$\vdash \prhl{c_1}{c_2}{T_1 \geq T_2}{ct_1 \geq ct_2}$}
\end{framed}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof sketch}
\begin{block}{Step 1: Rewrite}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_2}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\FFor{$i$ = \superhi{T_2 + 1}, \dots, \superhi{T_1}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_2}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\\
\\
\\
\\
\RReturn(\mathit{ct})
\end{array}
\]
\vfill
\end{column}
\end{columns}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof sketch}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, T_2}{} \\
\quad \superhi<3>{\Rand{r}{\mathit{flip}}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \superhi<4>{\Ass{\mathit{ct}}{\mathit{ct} + 1}}
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, T_2}{} \\
\quad \superhi<3>{\Rand{r}{\mathit{flip}}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \superhi<4>{\Ass{\mathit{ct}}{\mathit{ct} + 1}}
\end{array}
\]
\end{column}
\end{columns}
\pause
\begin{block}{Step 2: First loop}
\begin{itemize}
\item<2-> Use sampling rule with identity coupling: \superhi<3>{$r_1 = r_2$}
\item<5-> Establish loop invariant $\superhi{\mathit{ct}_1 = \mathit{ct}_2}$
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof sketch}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\FFor{$i$ = \superhi{T_2 + 1}, \dots, \superhi{T_1}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\\
\\
\\
\\
\\
\RReturn(\mathit{ct})
\end{array}
\]
\vfill
\end{column}
\end{columns}
\begin{block}{Step 3: Second loop}
\begin{itemize}
\item Use ``one-sided'' sampling rule
\item Apply ``one-sided'' loop rule to show invariant $\mathit{ct}_1 \geq \mathit{ct}_2$
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\huge Formal Proofs by Coupling}{\huge Ex. 3: Uniformity}
\end{frame}
\begin{frame}
\frametitle{Simulating a fair coin flip from a biased coin}
\begin{block}{Problem setting}
\begin{itemize}
\item Given: ability to draw \superhi{biased} coin flips $\mathit{flip}(p)$, $p \neq 1/2$
\item Goal: simulate a \superhi{fair} coin flip $\mathit{flip}(1/2)$
\end{itemize}
\end{block}
\pause
\begin{block}{Algorithm (``von Neumann's trick'')}
\[
\begin{array}{ll}
\Ass{x}{\mathit{true}}; \Ass{y}{\mathit{true}}; \qquad\qquad &
\text{// initialize $x = y$} \\
\WWhile{x = y}{} & \text{// if equal, repeat} \\
\qquad \Rand{x}{\mathit{flip}(p)}; & \text{// flip biased coin} \\
\qquad \Rand{y}{\mathit{flip(p)}}; & \text{// flip biased coin} \\
\RReturn(x) & \text{// if not equal, return $x$}
\end{array}
\]
\end{block}
\pause
\begin{center}
\begin{framed}
How to prove that the result $x$ is \superhi{unbiased} (uniform)?
\end{framed}
\end{center}
\end{frame}
\begin{frame}
\frametitle{From existence of coupling, to uniformity}
\begin{block}{Suppose that we know there exist two couplings:}
\begin{enumerate}
\item Under first coupling, $x_1 = \mathit{true}$ implies $x_2 = \mathit{false}$
\item Under second coupling, $x_1 = \mathit{false}$ implies $x_2 = \mathit{true}$
\end{enumerate}
\end{block}
\pause
\begin{block}{As a consequence:}
\begin{itemize}
\item By (1), $\Pr [x_1 = \mathit{true} ] \leq \Pr [x_2 = \mathit{false}]$
\item By (2), $\Pr [x_1 = \mathit{false} ] \leq \Pr [x_2 = \mathit{true}]$
\end{itemize}
\end{block}
\pause
\begin{block}{But $x_1$ and $x_2$ have same distribution}
\begin{itemize}
\item By (1), $\Pr [x_1 = \mathit{true}] \leq \Pr [x_1 = \mathit{false}]$
\item By (2), $\Pr [x_1 = \mathit{false}] \leq \Pr[x_1 = \mathit{true}]$
\item Hence \superhi{uniform}: $\Pr [x_1 = \mathit{true}] = \Pr [x_1 = \mathit{false}]$
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof by coupling}
\begin{block}{Algorithm (``von Neumann's trick'')}
\vspace{-3ex}
\[
\begin{array}{ll}
\Ass{x}{\mathit{true}}; \Ass{y}{\mathit{true}}; \qquad\qquad &
\text{// initialize $x = y$} \\
\WWhile{x = y}{} & \text{// if equal, repeat} \\
\qquad \Rand{x}{\mathit{flip}(p)}; & \text{// flip biased coin} \\
\qquad \Rand{y}{\mathit{flip(p)}}; & \text{// flip biased coin} \\
\RReturn(x) & \text{// if not equal, return $x$}
\end{array}
\]
\vspace{-3ex}
\end{block}
\begin{block}{Construct couplings such that:}
\begin{enumerate}
\item Under first coupling, $x_1 = \mathit{true}$ implies $x_2 = \mathit{false}$
\item Under second coupling, $x_1 = \mathit{false}$ implies $x_2 = \mathit{true}$
\end{enumerate}
\end{block}
\begin{block}{Consider the following coupling:}
\begin{itemize}
\item Couple sampling of $x_1$ to be equal to sampling of $y_2$
\item Couple sampling of $x_2$ to be equal to sampling of $y_1$
\item Resulting coupling satisfies \superhi{both} (1) and (2)!
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{block}{Relate two (equivalent) versions of the program:}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{x}{\mathit{true}}; \Ass{y}{\mathit{true}}; \\
\WWhile{x = y}{} \\
\qquad \superhi<3>{\Rand{x}{\mathit{flip}(p)}}; \\
\qquad \superhi<5>{\Rand{y}{\mathit{flip(p)}}}; \\
\superhi<7>{\RReturn(x)}
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{x}{\mathit{true}}; \Ass{y}{\mathit{true}}; \\
\WWhile{x = y}{} \\
\qquad \superhi<3>{\Rand{y}{\mathit{flip(p)}}}; \\
\qquad \superhi<5>{\Rand{x}{\mathit{flip}(p)}}; \\
\superhi<7>{\RReturn(x)}
\end{array}
\]
\vfill
\end{column}
\end{columns}
\end{block}
\pause
\begin{block}{Build coupling for loop bodies, then loops}
\begin{itemize}
\item<2-> Use sampling rule with identity coupling: \superhi<3>{$x_1 = y_2$}
\item<4-> Use sampling rule with identity coupling: \superhi<5>{$y_1 = x_2$}
\item<6-> Use loop rule with invariant:
\[
(x_1 = y_1 \to x_1 = y_2)
\land
(x_1 \neq y_1 \to \superhi<7>{x_1 \neq x_2})
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\Huge Variations on a Theme:}{\Huge Approximate Couplings}
\end{frame}
\begin{frame}
\begin{exampleblock}{}
\vfill
\structure{\Large A new approach to formulating privacy goals: the risk to ones
privacy, or in general, any type of risk \ldots should not substantially
increase as a result of participating in a statistical database.}
\vspace{10ex}
\structure{\Large This is captured by \superhi{differential privacy}.}
\vspace{10ex}
\hspace*\fill{\small--- Cynthia Dwork}
\end{exampleblock}
\end{frame}
\begin{frame}
\frametitle{Increasing interest in differential privacy}
\begin{block}{In research\ldots}
\begin{center}
\includegraphics[width=\textwidth]{images/dp-cites.png}
\end{center}
\end{block}
\pause
\begin{block}{\ldots and in the ``real world''}
\begin{center}
\includegraphics[width=\textwidth]{images/apple-dp.jpg}
% \includegraphics[width=\textwidth]{images/chrome-dp.png}
\end{center}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Differential privacy, pictorially}
\begin{center}
\includegraphics[width=\textwidth]{images/privacy}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Differential privacy, formally}
\begin{block}{Dwork, McSherry, Nissim, and Smith}
Let $\varepsilon \geq 0$ be a parameter, and suppose that $Adj$ is a binary
``adjacency'' relation on $D$. A randomized program $M : D \to \Dist(R)$ is
\superhi{$\varepsilon$-differentially private} if for every set of outputs
$S \subseteq R$ and every pair of adjacent inputs $d_1, d_2$, we have
\vspace{5ex}
\[
\scalebox{1.5}{\ensuremath{
\Pr_{ x \sim M(d_1) } [ x \in S ]
\leq \exp(\varepsilon) \cdot \Pr_{ x \sim M(d_2) } [ x \in S ]
}} .
\]
\end{block}
\end{frame}
\begin{frame}
\frametitle{Approximate couplings}
\begin{definition}
An \superhi{$\varepsilon$-coupling} of two distributions $\mu_1, \mu_2 \in
\Dist(A)$ is a joint distribution $\mu \in \Dist(A \times A)$ with
\[
\scalebox{1.5}{\superhi<3>{$\Delta_\varepsilon(\mu_1, \pi_1(\mu)) \leq 0$}}
\quad\text{and}\quad
\scalebox{1.5}{\superhi<3>{$\Delta_\varepsilon(\mu_2, \pi_2(\mu)) \leq 0$}}
\]
\end{definition}
When $\varepsilon = 0$, recover regular (exact) couplings.
\end{frame}
\begin{frame}
\frametitle{Approximate couplings imply differential privacy}
\begin{block}{If exists coupling of $\mu_1, \mu_2$ that returns equal elements:}
\begin{center}
\begin{framed}
Program produces equal output distr. on related inputs
\end{framed}
\end{center}
\end{block}
\begin{block}{If exists $\varepsilon$-coupling of $\mu_1, \mu_2$ that returns equal elements:}
\begin{center}
\begin{framed}
Program satisfies $\varepsilon$-differential privacy
\end{framed}
\end{center}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Constructing approximate couplings}
\begin{block}{The program logic \Saprhl [BKOZ-B, BO]}
\begin{itemize}
\item Compositional and formalized proofs of privacy
\end{itemize}
\end{block}
\begin{block}{Judgments indexed by $\varepsilon$}
\begin{framed}
\begin{center}
\scalebox{2.5}{$\aprhl{c_1}{c_2}{P}{Q}{\varepsilon}$}
\end{center}
\end{framed}
\end{block}
\end{frame}
\begin{frame}{Differential privacy in \Saprhl}
\[
\scalebox{1.5}{\ensuremath{\aprhl{c}{c} {Adj(d_1, d_2)} {\superhi{res_1 = res_2}} {\varepsilon} }}
\]
\pause
\vspace{2ex}
\begin{center}
\structure{\LARGE Exactly $\varepsilon$-differential privacy}
\end{center}
\end{frame}
\begin{frame}{Proof system}
\begin{overprint}
\only<1>{\centerline{\includegraphics[width=\textwidth]{images/aprhl-rules-0.png}}}
\only<2>{\centerline{\includegraphics[width=\textwidth]{images/aprhl-rules-1.png}}}
\end{overprint}
\end{frame}
\begin{frame}{(Laplace) Sampling rule}
\[
\inferrule*[Right=\textsc{Lap}]
{ }
{\aprhl
{\Rand{x_1}{\Lap_\varepsilon(e_1)}}
{\Rand{x_2}{\Lap_\varepsilon(e_2)}}
{ |e_1 - e_2| \leq \superhi{k} }
{ \superhi{x_1 = x_2} }
{ \superhi{k} \cdot \varepsilon }}
\]
\vfill
\pause
\begin{center}
\structure{\Huge ``Pay'' distance b/t centers}
\vspace{2ex}
\structure{\Huge $\Downarrow$}
\vspace{2ex}
\structure{\Huge Assume samples are equal}
\end{center}
\end{frame}
\begin{frame}{Composition properties, pictorially}
\begin{center}
\includegraphics[width=\textwidth]{images/seq.pdf}
\end{center}
\begin{block}{Whole program is $2 \varepsilon$-private}
\begin{center}
\begin{framed}
Reading: ``Pay'' $\varepsilon$ cost for each step, add up costs
\end{framed}
\end{center}
\end{block}
\end{frame}
\begin{frame}{Composition properties, formally}
\begin{block}{Formally \ldots}
Consider randomized algorithms $M : D \to \Dist(R)$ and $M : R \to D \to
\Dist(R')$. If $M$ is \superhi{${\varepsilon}$}-private and for every $r \in R$,
$M'(r)$ is \superhi{${\varepsilon'}$}-private, then the composition is
\superhi{${(\varepsilon + \varepsilon')}$}-private:
\[
\scalebox{1.5}{\ensuremath{
\Rand{r}{M(d)}; \Rand{res}{M(r, d)}; \RReturn(res)
}}
\]
\end{block}
\end{frame}
\begin{frame}
\frametitle{Composing approximate couplings}
\begin{center}
\scalebox{1.8}{$
\inferrule*%[Left=Seq]
{ \vdash \aprhl{c_1}{c_2}{P}{Q}{\superhi<2>{\varepsilon}} \\\\
\vdash \aprhl{c_1'}{c_2'}{Q}{R}{\superhi<2>{\varepsilon'}} }
{ \vdash \aprhl{c_1; c_1'}{c_2; c_2'}{P}{R}{\superhi<2>{\varepsilon + \varepsilon'}} }
$}
\end{center}
\begin{block}<3>{Generalizes privacy composition}
\begin{center}
\begin{framed}
$Q$, $R$ don't need to be equality assertions!
\end{framed}
\end{center}
\end{block}
\end{frame}
\begin{frame}{New sampling rule: \textsc{[LapNull]}}
\[
\inferrule*
{ x_1 \notin FV(e_1), x_2 \notin FV(e_2) }
{\aprhl
{\Rand{x_1}{\Lap_\varepsilon(e_1)}}
{\Rand{x_2}{\Lap_\varepsilon(e_2)}}
{ \top }
{ \superhi<2>{x_1 - x_2 = e_1 - e_2} }
{\superhi{0}}}
\]
\vfill
\pause
\begin{center}
\structure{\huge ``Pay'' nothing (cost zero)}
\vfill
\structure{\Huge $\Downarrow$}
\vfill
\structure{\huge Distance between samples}
\vspace{2ex}
\structure{\Huge $=$}
\vspace{2ex}
\structure{\huge Distance between centers}
\end{center}
\end{frame}
\begin{frame}{New sampling rule: \textsc{[LapGen]}}
\[
\inferrule*
{ x_1 \notin FV(e_1), x_2 \notin FV(e_2) }
{\aprhl
{\Rand{x_1}{\Lap_\varepsilon(e_1)}}
{\Rand{x_2}{\Lap_\varepsilon(e_2)}}
{ |e_1 - (e_2 + s)| \leq k }
{ \superhi{x_1 = x_2 + s} }
{\superhi<2>{k \cdot {\varepsilon}}}}
\]
\vfill
\pause
\begin{center}
\structure{\Huge ``Pay'' to shift centers}
\vspace{2ex}
\structure{\Huge $\Downarrow$}
\vspace{2ex}
\structure{\Huge Assume shifted samples}
\end{center}
\end{frame}
\begin{frame}
\frametitle{``Pointwise equality''}
\begin{center}
\scalebox{1.6}{$
\inferrule*%[Left=Seq]
{ \superhi<2>{\forall j},\ \vdash \aprhl{c_1}{c_2}{P}{\superhi<2>{e_1 = j \to e_2 = j}}{\varepsilon} }
{ \vdash \aprhl{c_1}{c_2}{P}{\superhi<3>{e_1 = e_2}}{\varepsilon} }
$}
\end{center}
\begin{onslide}<4>
\begin{framed}
\begin{center}
Prove differential privacy, focusing on one output at a time
\end{center}
\end{framed}
\end{onslide}
\end{frame}
\begin{frame}{Logical interpretation}
\begin{block}{Leibniz equality}
\[
\scalebox{1.75}{\ensuremath{(\forall j, (e_1 = j) \to (e_2 = j)) \to e_1 = e_2}}
\]
\end{block}
\begin{block}{Internalizing a universal quantifier}
\begin{itemize}
\item Not sound in general for approximate couplings
\item But: sound for certain equality predicates
\end{itemize}
\end{block}
\end{frame}
\begin{frame}{Logical interpretation}
\begin{center}
\structure{\LARGE $\superhi<2>{\forall}$ values,
$\superhi<2>{\exists}$ a coupling such that \ldots}
\vspace{2ex}
\structure{\Huge $\Downarrow$}
\vspace{2ex}
\structure{\LARGE $\superhi<3>{\exists}$ a coupling such that
$\superhi<3>{\forall}$ values, \ldots}
\end{center}
\end{frame}
\begin{frame}{Applications of approximate couplings}
\begin{block}{Support more proof principles}
\begin{itemize}
\item More sophisticated composition theorems
\item General, $(\epsilon, \delta)$ form of differential privacy
\end{itemize}
\end{block}
\begin{block}{Formalize interesting examples}
\begin{itemize}
\item Sparse Vector Technique (4 buggy versions)
\item Auction mechanisms based on privacy
\end{itemize}
\end{block}
\begin{block}{Enable new verification tools}
\begin{itemize}
\item Automatic proofs via Horn clause encoding [AH]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\Huge Variations on a Theme:}{\Huge Expectation Couplings}
\end{frame}
\begin{frame}
\frametitle{Expectation couplings}
\begin{block}{Target: bound distance between expected values}
\begin{itemize}
\item Captured by coupling refined with Kantorovich metric
\item Build a logic around composition of optimal transport
\end{itemize}
\end{block}
\pause
\begin{block}{Kantorovich metric: lift distance to distributions}
\begin{itemize}
\item Given: Two distributions $\mu_1, \mu_2 \in \Dist(A)$
\item Given: ``Base'' distance $d : A \times A \to \mathbb{R}^+$
\item Define: distance on distributions
\[
\scalebox{1.3}{$\displaystyle{d^{\#}(\mu_1, \mu_2)
\triangleq \min_{%
\refbox<3->{couplings}{$\mu \in C(\mu_1, \mu_2)$}{callout}} \mathbb{E}_\mu [ d ]} $}
\]
\mycallout<3->{couplings.south east}{set of all couplings}{3.5cm}{160}{1.8cm}{callout}
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Constructing expectation couplings}
\begin{block}{Build these couplings with the program logic \Seprhl}
\begin{itemize}
\item Verify uniform stability (machine learning)
\item Verify convergence/mixing (statistical physics)
\end{itemize}
\end{block}
\begin{block}{Judgments model probabilistic sensitivity/contraction}
\begin{framed}
\begin{center}
\scalebox{2.5}{$\eprhl{c_1}{c_2}{P; \superhi<2>{d}}{Q; \superhi<2>{d'}}$}
\end{center}
\end{framed}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Wrapping up}
% \begin{block}{Possible directions}
% \begin{itemize}
% \item Theoretical foundations and semantics
% \item Other useful consequences of couplings
% \item Going beyond program logics, automation
% \end{itemize}
% \end{block}
% \pause
% \vfill
\begin{block}{Don't reinvent the wheel}
\begin{itemize}
\item Leverage mental tools used by algorithms researchers
\item Simpler formal proofs, closer to existing proofs
\item More opportunities for automation
\end{itemize}
\begin{center}
\begin{framed}
\huge {Study human proof techniques from a logical perspective}
\end{framed}
\end{center}
\end{block}
\end{frame}
\end{document}