justin-site/files/slides/popl20-tutorial.pdf

1810 lines
49 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

\newif\ifdraft \drafttrue
\newif\iffull \fulltrue
\newif\ifdark \darktrue
% If you want to change these flags just for yourself, do it by adding
% commands to a files called tex.flags ...
\makeatletter \@input{tex.flags} \makeatother
\documentclass{beamer}
\input{prelude}
\usepackage{framed} % frame boxes
\usepackage[framemethod=TikZ]{mdframed} % fancier boxes (colors)
\usepackage{ulem} % strikethrough and underlines
\renewcommand<>{\sout}[1]{\alt#2{\beameroriginal{\sout}{#1}}{#1}}
\renewcommand{\ULthickness}{1pt} % Set ulem thickness
\newcommand{\superhi}[1]{{\color{superhi}{#1}}}
\renewcommand<>{\superhi}[1]{\alt#2{\beameroriginal{\superhi}{#1}}{#1}}
% Make \sout overlay specification aware
\usepackage{xparse}
\usepackage{mathtools}
\usepackage{lmodern}
\usepackage{booktabs}
\usepackage{tikz}
\usetikzlibrary{positioning, fit}
\usetikzlibrary{shapes.callouts,shapes.arrows}
\tikzset{
invisible/.style={opacity=0,text opacity=0},
visible on/.style={alt=#1{}{invisible}},
alt/.code args={<#1>#2#3}{%
\alt<#1>{\pgfkeysalso{#2}}{\pgfkeysalso{#3}} % \pgfkeysalso doesn't change the path
},
highlight on/.style={alt=#1{}{plain}},
plain/.style={fill=none},
}
% Create a callout
% \mycallout<when>{node+anchor}{text}{width}{angle}{distance}{color}
% Relative position of pointer with respect to _bubble_
\NewDocumentCommand{\mycallout}{r<> O{opacity=0.8,text opacity=1} m m m m m m}{%
\tikz[remember picture, overlay]
{\node[overlay, ellipse callout, align=left, fill=#8, text width=#5,
#2,visible on=<#1>,anchor=pointer,align=center,callout relative
pointer={(#6:#7)}] at (#3) {#4};}
}
% \refbox{node}{text}
% \newcommand{\refbox}[2]{
% \tikz[remember picture, baseline=(#1.base)]{
% \node[anchor=base,rounded corners] (#1) {#2};}
% }
% Tag a bit of math with a tikz node, also fill it with a color
% \refbox{node}{text}{color}
% \newcommand{\refbox}[3]{
% \tikz[remember picture, baseline=(#1.base)]{
% \node[fill=#3!30,anchor=base,rounded corners] (#1) {#2};}
% }
% Tag a bit of math with a tikz node, also fill it with a color
% \refbox<highlight slide>{node}{text}{color}
\NewDocumentCommand{\refbox}{r<> m m m}{
\tikz[remember picture, baseline=(#2.base)]{
\node[fill=#4,anchor=base,rounded corners,highlight on=<#1>] (#2) {#3};}
}
\ifdark
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Dark beamer theme %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% TODO: split out into dark color scheme file.
\setbeameroption{hide notes}
\setbeamertemplate{note page}[plain]
\usetheme{default}
\beamertemplatenavigationsymbolsempty
\hypersetup{pdfpagemode=UseNone} % don't show bookmarks on initial view
% Set fonts
\usefonttheme{professionalfonts}
% \usefonttheme{serif}
% \usepackage{fontspec}
% \setmainfont{helveticaneue}
% \setbeamerfont{note page}{family*=pplx,size=\footnotesize} % Palatino for notes
% \usepackage{libertine}
% \usepackage{libertinust1math}
% \usepackage[T1]{fontenc}
\usepackage{FiraSans}
% Define colors
\definecolor{almostblack}{HTML}{222222}
\definecolor{nearblack}{HTML}{B3B6BB}
\definecolor{darkgrey}{HTML}{363636}
\definecolor{medgrey}{HTML}{656565}
\definecolor{lightgrey}{HTML}{2C2C2C}
\definecolor{lightblue}{HTML}{65BBDF}
\definecolor{lightgreen}{HTML}{85D275}
\definecolor{lightred}{HTML}{CD4F62}
\definecolor{lightorange}{HTML}{CD7053}
\definecolor{lightyellow}{HTML}{DCC453}
\colorlet{foreground}{nearblack}
\colorlet{background}{almostblack}
\colorlet{title}{lightblue}
\colorlet{heading}{lightorange}
\colorlet{hilight}{lightred}
\colorlet{superhi}{lightgreen}
\colorlet{callout}{lightred}
\colorlet{author}{lightgreen}
\colorlet{gray}{lightgrey}
\setbeamercolor{titlelike}{fg=title}
\setbeamercolor{institute}{fg=foreground}
\setbeamercolor{author}{fg=author}
\setbeamercolor{structure}{fg=heading}
\setbeamercolor{alerted text}{fg=hilight}
\setbeamercolor{normal text}{fg=foreground,bg=background}
% Itemize colors
\setbeamercolor{item}{fg=foreground} % color of bullets
\setbeamercolor{subitem}{fg=foreground}
\setbeamercolor{itemize/enumerate subbody}{fg=foreground}
\setbeamertemplate{itemize subitem}{{\textendash}}
\setbeamerfont{itemize/enumerate subbody}{size=\footnotesize}
\setbeamerfont{itemize/enumerate subitem}{size=\footnotesize}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\else
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Light beamer theme %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\usetheme{Pittsburgh}
\usecolortheme{beaver}
\setbeamertemplate{navigation symbols}{}
\colorlet{callout}{green!30}
\colorlet{superhi}{darkred!80!gray}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\fi
% Page numbering
\ifdraft
\setbeamertemplate{footline}{%
\raisebox{5pt}{\makebox[\paperwidth]{\hfill\makebox[20pt]{\color{foreground}
\scriptsize\insertframenumber}}}\hspace*{5pt}}
\fi
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% If monitor supports dual screen
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\usepackage{pgfpages}
%\setbeameroption{show notes}
%\setbeameroption{show notes on second screen=right}
%\note{blah}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Better title page
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \setbeamerfont{author}{size=\Large}
% \setbeamerfont{date}{size=\scriptsize}
% \setbeamerfont{title}{size=\Huge}
\setbeamertemplate{title page}{%
\begin{tikzpicture}[remember picture,overlay]
\fill[title]
([yshift=50pt]current page.west) rectangle (current page.north east);
\node[anchor=south east]
at ([yshift=65pt, xshift=-20pt]current page.south east) (author)
{\parbox[t]{\paperwidth}{%
\flushright\usebeamerfont{author}\textcolor{superhi}{\insertauthor}}};
\node[anchor=south east]
at ([yshift=40pt, xshift=-20pt]current page.south east) (institute)
{\parbox[t]{\paperwidth}{%
\flushright\usebeamerfont{institute}\textcolor{foreground}{\insertinstitute}}};
\node[anchor=south west]
at ([yshift=40pt,xshift=20pt]current page.south west) (logo)
{\parbox[t]{.2\paperwidth}{\raggedleft%
\usebeamercolor[fg]{titlegraphic}\inserttitlegraphic}};
\node[anchor=south west]
at ([yshift=50pt,xshift=20pt]current page.west) (title1)
{\parbox[t]{\textwidth}{\usebeamerfont{title}\textcolor{background}{\inserttitle}}};
\node[anchor=north west]
at ([yshift=50pt,xshift=20pt]current page.west) (title2)
{\parbox[t]{\textwidth}{\usebeamerfont{title}\textcolor{title}{\insertsubtitle}}};
\end{tikzpicture}%
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Section dividers: two lines
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\newcommand{\dividerpage}[2]{%
\begin{tikzpicture}[remember picture,overlay]
\fill[title]
(current page.west) rectangle (current page.north east);
\node[anchor=south west]
at ([xshift=20pt]current page.west) (title1)
{\parbox[t]{\textwidth}{\usebeamerfont{title}\textcolor{background}{#1}}};
\node[anchor=north west]
at ([xshift=20pt]current page.west) (title2)
{\parbox[t]{\textwidth}{\usebeamerfont{title}\textcolor{title}{#2}}};
\end{tikzpicture}%
}
\title{\huge Verifying Probabilistic Properties}
\subtitle{\huge with Probabilistic Couplings}
\author{\LARGE Justin Hsu}
\institute{\large UW--Madison \\ Computer Sciences}
\begin{document}
\begin{frame}[label=titleframe]
\titlepage
\end{frame}
\begin{frame}
\frametitle{Work with brilliant collaborators}
\begin{center}
\begin{tabular}{c c c c}
\includegraphics[width=0.2\textwidth]{images/aws.jpg}
& \includegraphics[width=0.2\textwidth]{images/gilles.jpg}
& \includegraphics[width=0.2\textwidth]{images/thomas.jpg}
& \includegraphics[width=0.2\textwidth]{images/noemie.png}
\\
\includegraphics[width=0.2\textwidth]{images/marco.jpg}
& \includegraphics[width=0.2\textwidth]{images/gregoire.jpg}
& \includegraphics[width=0.2\textwidth]{images/leo.jpg}
& \includegraphics[width=0.2\textwidth]{images/py.jpg}
\end{tabular}
\end{center}
\end{frame}
\begin{frame}
\dividerpage{\huge What Are Probabilistic}{\huge ``Relational Properties''?}
\end{frame}
\begin{frame}
\frametitle{Today's target properties}
\begin{block}{Probabilistic}
\begin{itemize}
\item Programs can take random samples (flip coins)
\item Map (single) input value to a distribution over outputs
\end{itemize}
\end{block}
\begin{block}{Relational}
\begin{itemize}
\item Compare \superhi{two} executions of a program (or: two programs)
\item Describe outputs (\superhi{distributions}) from two related inputs
\item Also known as \superhi{2-properties}, or \superhi{hyperproperties}
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Examples throughout computer science...}
\begin{block}{Security and privacy}
\begin{itemize}
\item Indistinguishability
\item Differential privacy
\end{itemize}
\end{block}
\begin{block}{Machine learning}
\begin{itemize}
\item Uniform stability
\end{itemize}
\end{block}
\begin{block}{... and beyond}
\begin{itemize}
\item Incentive properties (game theory/mechanism design)
\item Convergence and mixing (probability theory)
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Challenges for formal verification}
\begin{block}{Reason about two sources of randomness}
\begin{itemize}
\item Two executions may behave very differently
\item Completely different control flow (even for same program!)
\end{itemize}
\end{block}
\begin{block}{Quantitative reasoning}
\begin{itemize}
\item Target properties describe distributions
\item Probabilities, expected values, etc.
\item Very messy for formal reasoning
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Today: Combine two ingredients}
\begin{center}
\vfill
\structure{\Huge Probabilistic Couplings}
\vfill
\scalebox{5}{\structure{$+$}}
\vfill
\structure{\Huge Relational Program Logics}
\vfill
\end{center}
\end{frame}
\begin{frame}
\dividerpage{\Huge Probabilistic Couplings}{\Huge and ``Proof by Coupling''}
\end{frame}
\begin{frame}
\frametitle{Given: programs $c_1$ and $c_2$, each taking $10$ coin flips}
\begin{columns}
\begin{column}<1->{0.5\textwidth}
\begin{block}{Experiment \#1}
\centerline{\includegraphics[height=0.5\textheight]{images/coins-indep.png}}
\end{block}
\end{column}
\begin{column}<2->{0.5\textwidth}
\begin{block}{Experiment \#2}
\centerline{\includegraphics[height=0.5\textheight]{images/coins-id.png}}
\end{block}
\end{column}
\end{columns}
\begin{center}
\begin{onslide}<3->
\begin{framed}
Distributions equal in Experiment \#1
$\iff$
Distributions equal in Experiment \#2
\end{framed}
\end{onslide}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Given: programs $c_1$ and $c_2$, each taking $10$ coin flips}
\begin{columns}
\begin{column}<1->{0.5\textwidth}
\begin{block}{Experiment \#1}
\centerline{\includegraphics[height=0.6\textheight]{images/coins-indep.png}}
\end{block}
\end{column}
\begin{column}<2->{0.5\textwidth}
\begin{block}{Experiment \#2}
\centerline{\includegraphics[height=0.6\textheight]{images/coins-neg.png}}
\end{block}
\end{column}
\end{columns}
\begin{center}
\begin{onslide}<3->
\begin{framed}
Distributions equal in Experiment \#1
$\iff$
Distributions equal in Experiment \#2
\end{framed}
\end{onslide}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Why ``pretend'' two executions share randomness?}
\begin{block}{Easier to reason about one source of randomness}
\begin{itemize}
\item Fewer possible executions
\item Pairs of coordinated executions follow similar control flow
\end{itemize}
\end{block}
\begin{block}{Reduce quantitative reasoning}
\begin{itemize}
\item Reason on (non-probabilistic) relations between samples
\item Don't need to work with raw probabilities (messy)
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{A bit more precisely\dots}
% \structure{\huge Definition}
\vspace{2ex}
{\LARGE A \superhi{coupling} of two distributions $\mu_1, \mu_2 \in \Dist(A)$
is a joint distribution $\mu \in \Dist(A \times A)$ with
$\pi_1(\mu) = \mu_1$ and $\pi_2(\mu) = \mu_2$.}
\vspace{2ex}
\pause
\begin{center}
\begin{framed}
\Large{A coupling models \superhi{two} distributions \\
sharing \superhi{one} source of randomness}
\end{framed}
\end{center}
\end{frame}
\begin{frame}
\frametitle{For example}
\begin{columns}
\begin{column}{0.5\textwidth}
\begin{center}
\includegraphics[width=\textwidth]{images/coin-id-4}
\vfill
\includegraphics[width=\textwidth]{images/witness-id}
\end{center}
\end{column}
\begin{column}<2>{0.5\textwidth}
\begin{center}
\includegraphics[width=\textwidth]{images/coin-neg-2}
\vfill
\includegraphics[width=\textwidth]{images/witness-neg}
\end{center}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Why are couplings interesting for verification?}
\begin{center}
\huge \structure{\mbox{\superhi{Existence} of a coupling* can imply} \\
a property of two distributions}
\end{center}
\end{frame}
\begin{frame}
\begin{columns}
\begin{column}{0.65\textwidth}
\structure{\superhi{If} there \superhi{exists} a coupling \\
of $(\mu_1, \mu_2)$ where:}
\end{column}
\begin{column}{0.35\textwidth}
\structure{\superhi{then}:}
\end{column}
\end{columns}
\vfill
\centerline{\structure{\rule{\textwidth}{1pt}}}
\vfill
\begin{columns}
\begin{column}{0.65\textwidth}
Two coupled samples differ \\ with small probability
\end{column}
\begin{column}{0.35\textwidth}
$\mu_1$ is ``close'' to $\mu_2$
\end{column}
\end{columns}
\pause
\vfill
\centerline{\structure{\rule{\textwidth}{1pt}}}
\vfill
\begin{columns}
\begin{column}{0.65\textwidth}
Two coupled samples \\ are always equal
\end{column}
\begin{column}{0.35\textwidth}
$\mu_1$ is ``equal'' to $\mu_2$
\end{column}
\end{columns}
\pause
\vfill
\centerline{\structure{\rule{\textwidth}{1pt}}}
\vfill
\begin{columns}
\begin{column}{0.65\textwidth}
First coupled sample is always \\ larger than second sample
\end{column}
\begin{column}{0.35\textwidth}
$\mu_1$ ``dominates'' $\mu_2$
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Our plan to verify these properties}
\begin{block}{Three easy steps}
\begin{enumerate}
\item Start from two given programs
\item \superhi<2->{Show that for two related inputs, there exists a coupling of the
output distributions with certain properties}
\item Conclude relational property of program(s)
\end{enumerate}
\end{block}
\begin{onslide}<3>
\begin{center}
\includegraphics[width=0.9\textwidth]{images/owl}
\end{center}
\end{onslide}
\end{frame}
\begin{frame}
\frametitle{Show existence of a coupling by constructing it}
\begin{framed}
\begin{center}
\huge {A \superhi{coupling proof} is a recipe \\ for constructing a coupling}
\end{center}
\end{framed}
\pause
\begin{enumerate}
\item \superhi{Specify}: How to couple pairs of intermediate samples
\item \superhi{Deduce}: Relation between final coupled samples
\item \superhi{Conclude}: Property about two original distributions
\end{enumerate}
\end{frame}
\begin{frame}
\dividerpage{\Huge Probabilistic Relational}{\Huge Program Logics}
\end{frame}
\begin{frame}{Make statements about imperative programs}
\begin{block}{Imperative language \textsc{While}}
\vspace{-2ex}
\begin{align*}
% e &::= x \in \Var
% \mid n \in \NN
% \mid e + e'
% \mid e \cdot e'
% \mid \cdots
% \\
% b &::= \mathit{true}
% \mid \mathit{false}
% \mid e = e'
% \mid e < e'
% \mid b \land b'
% \mid \cdots
% \\
c &::= \Skip
\mid \Ass{x}{e}
\mid \Cond{b}{c}{c'}
\mid \Seq{c}{c'}
\mid \WWhile{b}{c}
\end{align*}
\end{block}
\pause
\begin{block}{Semantics: \textsc{While} programs transform memories}
\begin{itemize}
\item \superhi{Variables}: Fixed set $\Var$ of program variable names
\item \superhi{Memories} $\Mem$: functions from $\Var$ to values $\Val$ (e.g., 42)
\item Interpret each command $c$ as a \superhi{memory transformer}:
\[
\denot{c} : \Mem \to \Mem
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}{Program logics (Floyd-Hoare logics)}
\begin{block}{Logical judgments look like this}
\[
\scalebox{3}{\ensuremath{ \hl{c}{P}{Q} }}
\]
\end{block}
\begin{block}{Interpretation}
\begin{itemize}
\item \superhi{Program} $c$, \textsc{While} program (e.g., $x \gets y; y \gets y + 1$)
\item \superhi{Precondition} $P$, formula over $\Var$ (e.g., $y \geq 0$)
\item \superhi{Postcondition} $Q$, formula over $\Var$ (e.g., $x \geq 0 \land y \geq 0$)
\end{itemize}
\end{block}
\begin{center}
\begin{framed}
If $P$ holds before running $c$, then $Q$ holds after running $c$
\end{framed}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Probabilistic Relational Hoare Logic (\Sprhl) [BGZ-B]}
\begin{block}{Previously}
\begin{itemize}
\item Inspired by Benton's Relational Hoare Logic
\item Foundation of the EasyCrypt system
\item Verified security of many cryptographic schemes
\end{itemize}
\end{block}
\pause
\begin{block}{New interpretation}
\begin{center}
\begin{framed}
\Huge {\Sprhl is a logic for formal \\ proofs by coupling}
\end{framed}
\end{center}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Language and judgments}
\begin{block}{The \textsc{pWhile} imperative language}
\vspace{-2ex}
\[
c ::= \Skip
\mid \Ass{x}{e}
\mid \refbox<2->{samp}{$\Rand{x}{d}$}{callout}
\mid \Cond{e}{c}{c}
\mid \Seq{c}{c}
\mid \WWhile{e}{c}
\]
\vspace{-2ex}
\end{block}
\pause
\begin{block}{Semantics of \textsc{pWhile} programs}
\begin{itemize}
\item Input: a single memory (assignment to variables)
\item Output: a \superhi{distribution} over memories
\item Interpret each command $c$ as:
\[
\denot{c} : \Mem \to \Dist(\Mem)
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}{Basic \textsc{pRHL} judgments}
\[
\prhl{c_1}{c_2}{P}{Q}
\]
\begin{itemize}
\item $P$ and $Q$ are formulas over program variables
\item Labeled program variables: $x_1$, $x_2$
\item $P$ is precondition, $Q$ is postcondition
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Interpreting the judgment}
\begin{block}{Logical judgments in \textsc{pRHL} look like this}
\[
\scalebox{3}{\ensuremath{ \prhl{c_1}{c_2}{P}{Q} }}
\]
\end{block}
\pause
\begin{block}{Interpreting pre- and post-conditions}
\begin{itemize}
\item As usual, $P$ is a relation on two memories
\item $Q$ interpreted as a relation $\lift{Q}$ on memory \superhi{distributions}
\end{itemize}
\end{block}
\pause
\begin{definition}[Valid \textsc{pRHL} judgment]
For any \superhi{pair of related inputs} $(m_1, m_2) \in \denot{P}$,
\superhi{there exists a coupling} $\mu \in \Dist(\Mem \times \Mem)$ of the
output distributions $(\denot{c_1}m_1, \denot{c_2}m_2)$ such that
$\supp(\mu) \subseteq \denot{Q}$.
\end{definition}
\end{frame}
\begin{frame}
\frametitle{Encoding couplings with \Sprhl theorems}
\begin{framed}
\begin{center}
\scalebox{2}{$\prhl{c_1}{c_2}{P}{o_1 = o_2}$}
\end{center}
\end{framed}
\begin{block}{Interpretation}
\begin{framed}
If two inputs satisfy $P$, there exists a coupling of the
output distributions where the coupled samples have equal $o$
\end{framed}
\end{block}
\vspace{-1ex}
\pause
\begin{block}{This implies:}
\begin{framed}
If two inputs satisfy $P$, the distributions of $o$ are equal
\end{framed}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Encoding couplings with \Sprhl theorems}
\begin{framed}
\begin{center}
\scalebox{2}{$\prhl{c_1}{c_2}{P}{o_1 \geq o_2}$}
\end{center}
\end{framed}
\begin{block}{This implies:}
\begin{framed}
If two inputs satisfy $P$, then the first distribution of $o$
stochastically dominates the second distribution of $o$
\end{framed}
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\Huge Proving Judgments:}{\Huge The Proof System of \textsc{pRHL}}
\end{frame}
\begin{frame}
\frametitle{More convenient way to prove judgments}
\begin{block}{Inference rules describe:}
\begin{itemize}
\item Judgments that are always true (axioms)
\item How to prove judgment for a program by combining judgments
for components
\end{itemize}
\end{block}
\pause
\begin{block}{Example: sequential composition rule}
\[
\text{\superhi{Given:} \qquad} { \{ P \}\ c_1\ \{ Q \}
\qquad\text{and}\qquad
\{ Q \}\ c_2\ \{ R \} }
\]
\pause
\centerline{\rule{0.8\textwidth}{2pt}}
\[
\text{\superhi{Conclude:} \quad\qquad\qquad}
{ \{ P \}\ c_1 \mathrel{;} c_2\ \{ R \} }
\text{\quad\qquad\qquad}
\]
\end{block}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{introduce} couplings}
\begin{center}
\scalebox{1.6}{$
\inferrule*%[Left=FlipEq]
{ }
{ \vdash \prhl{\Rand{x_1}{\mathit{flip}}}{\Rand{x_2}{\mathit{flip}}}{\ }{ x_1 = x_2 } }
$}
\end{center}
\vfill
\centerline{\onslide<2->{\includegraphics[width=\textwidth]{images/coin-id-4}}}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{introduce} couplings}
\begin{center}
\scalebox{1.6}{$
\inferrule*%[Left=FlipNeg]
{ }
{ \vdash \prhl{\Rand{x_1}{\mathit{flip}}}{\Rand{x_2}{\mathit{flip}}}{\ }{ x_1 \neq x_2 } }
$}
\end{center}
\vfill
\centerline{\onslide<2->{\includegraphics[width=\textwidth]{images/coin-neg-2}}}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{combine} couplings}
\begin{center}
\scalebox{2.5}{$
\inferrule*%[Left=Seq]
{ \vdash \prhl{c_1}{c_2}{P}{Q} \\\\ \vdash \prhl{c_1'}{c_2'}{Q}{R} }
{ \vdash \prhl{c_1; c_1'}{c_2; c_2'}{P}{R} }
$}
\end{center}
\pause
\begin{framed}
\begin{center}
\Huge {Sequence couplings}
\end{center}
\end{framed}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{combine} couplings}
\begin{center}
\scalebox{2.5}{$
\inferrule*%[Left=Case]
{ \vdash \prhl{c_1}{c_2}{P \land S}{Q} \\\\ \vdash \prhl{c_1}{c_2}{P \land \neg S}{Q} }
{ \vdash \prhl{c_1}{c_2}{P}{Q} }
$}
\end{center}
\pause
\begin{framed}
\begin{center}
\Huge{Select couplings}
\end{center}
\end{framed}
\end{frame}
\begin{frame}
\frametitle{Reading the rules: \superhi{combine} couplings}
\begin{center}
\[
\inferrule*%[Left=While]
{ \vdash \prhl{c_1}{c_2}{P \land e_1 \land e_2}{P} \\ \superhi<3>{\models P \to e_1 = e_2} }
{ \vdash \prhl{\WWhile{e_1}{c_1}}{\WWhile{e_2}{c_2}}{P}{P \land (\neg e_1 \land \neg e_2)} }
\]
\end{center}
\pause
\begin{framed}
\begin{center}
\Huge{Repeat couplings}
\end{center}
\end{framed}
\end{frame}
\begin{frame}
\frametitle{\superhi{Not} a rule: conjunction}
\begin{center}
\scalebox{2.5}{$
\inferrule*%[Left=Case]
{ \vdash \prhl{c_1}{c_2}{P}{Q} \\\\ \vdash \prhl{c_1}{c_2}{P}{R} }
{ \vdash \prhl{c_1}{c_2}{P}{Q \land R} }
$}
\end{center}
\pause
\begin{framed}
\begin{center}
\Huge{Can't compose this way}
\end{center}
\end{framed}
\end{frame}
\begin{frame}
\dividerpage{\huge Formal Proofs by Coupling}{\huge Ex. 1: Equivalence}
\end{frame}
\begin{frame}
\frametitle{Target property: equivalence}
\begin{block}{$P$'s output distribution is the same for any two inputs}
\begin{itemize}
\item Shows: output distribution is the same for \superhi{any} input
\item Security: input is secret, output is encrypted
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Warmup example: secrecy of one-time-pad (OTP)}
\begin{block}{The program}
\begin{itemize}
\item Program input: a secret boolean $\mathit{sec}$
\item Program output: an encrypted version of the secret
\[
\begin{array}{ll}
\Rand{key}{\mathit{flip}};
&\text{// draw random key}
\\
\Ass{enc}{\mathit{sec} \mathbin{\superhi{\oplus}} \mathit{key}};
\qquad\qquad
&\text{// exclusive or}
\\
\RReturn(\mathit{enc})
&\text{// return encrypted}
\end{array}
\]
\end{itemize}
\end{block}
\begin{block}{Proof by coupling}
\begin{itemize}
\item Either $\mathit{sec}_1, \mathit{sec}_2$ are equal, or unequal
\begin{enumerate}
\item If equal: couple sampling for $\mathit{key}$ to be equal in both
runs
\item If unequal: couple sampling for $\mathit{key}$ to be unequal in
both runs
\end{enumerate}
\item Coupling ensures $\mathit{enc}_1 = \mathit{enc}_2$, hence distributions equal
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{block}{Case 1: $\mathit{sec}_1 = \mathit{sec}_2$}
\begin{itemize}
\item By applying identity coupling rule (general version):
\[
\begin{array}{l}
\{ \mathit{sec}_1 = \mathit{sec}_2 \} \\
\Rand{key}{\mathit{flip}}; \\
\{ key_1 = key_2 \} \\
\Ass{enc}{\mathit{sec} \oplus \mathit{key}} \\
\{ enc_1 = enc_2 \}
\end{array}
\]
\item Hence:
\[
\prhl{otp}{otp}
{\mathit{sec}_1 = \mathit{sec}_2}{enc_1 = enc_2}
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{block}{Case 2: $\mathit{sec}_1 \neq \mathit{sec}_2$}
\begin{itemize}
\item By applying negation coupling rule (general version):
\[
\begin{array}{l}
\{ \mathit{sec}_1 \neq \mathit{sec}_2 \} \\
\Rand{key}{\mathit{flip}}; \\
\{ key_1 \neq key_2 \} \\
\Ass{enc}{\mathit{sec} \oplus \mathit{key}} \\
\{ enc_1 = enc_2 \}
\end{array}
\]
\item Hence:
\[
\prhl{otp}{otp}
{\mathit{sec}_1 \neq \mathit{sec}_2}{enc_1 = enc_2}
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{block}{Combining the cases:}
\[
\inferrule
{
\prhl{otp}{otp}
{\mathit{sec}_1 = \mathit{sec}_2}{enc_1 = enc_2}
\\\\
\prhl{otp}{otp}
{\mathit{sec}_1 \neq \mathit{sec}_2}{enc_1 = enc_2}
}
{
\prhl{otp}{otp}
{\top}{enc_1 = enc_2}
}
\]
and we are done!
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\huge Formal Proofs by Coupling}{\huge Ex. 2: Stochastic Domination}
\end{frame}
\begin{frame}
\frametitle{Target property: stochastic domination}
\begin{block}{Order relation on distributions}
\begin{itemize}
\item Given: ordered set $(A, \leq_A)$
\item Lift to ordering on distributions $(\Dist(A), \leq_{sd})$
\end{itemize}
\end{block}
\begin{block}{For naturals $(\mathbb{N}, \leq)$ \dots}
Two distributions $\mu_1, \mu_2 \in \Dist(\mathbb{N})$ satisfy $\mu_1
\leq_{sd} \mu_2$ if
\[
\text{for all } k \in \mathbb{N},\ \mu_1(\{ n \mid k \leq n \}) \leq \mu_2(\{ n \mid k \leq n \})
\]
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof by coupling}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_1}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_2}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
\end{columns}
\pause
\begin{block}{Suppose $T_1 \geq T_2$: first loop runs more}
\begin{itemize}
\item Want to prove $\mu_1 \geq_{sd} \mu_2$
\end{itemize}
\end{block}
\pause
\begin{block}{Suffices to construct a coupling where $ct_1 \geq ct_2$}
\begin{itemize}
\item Couple the first $T_2$ samples to be equal across both runs;
establishes $ct_1 = ct_2$
\item Take the remaining $T_1 - T_2$ samples (in the first run) to be
arbitrary; preserves $ct_1 \geq ct_2$
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_1}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_2}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\vfill
\end{column}
\end{columns}
\begin{block}{Goal: prove}
\begin{framed}
\scalebox{1.8}{$\vdash \prhl{c_1}{c_2}{T_1 \geq T_2}{ct_1 \geq ct_2}$}
\end{framed}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof sketch}
\begin{block}{Step 1: Rewrite}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_2}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\FFor{$i$ = \superhi{T_2 + 1}, \dots, \superhi{T_1}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, \superhi{T_2}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\\
\\
\\
\\
\RReturn(\mathit{ct})
\end{array}
\]
\vfill
\end{column}
\end{columns}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof sketch}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, T_2}{} \\
\quad \superhi<3>{\Rand{r}{\mathit{flip}}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \superhi<4>{\Ass{\mathit{ct}}{\mathit{ct} + 1}}
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{\mathit{ct}}{0}; \\
\FFor{$i$ = 1, \dots, T_2}{} \\
\quad \superhi<3>{\Rand{r}{\mathit{flip}}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \superhi<4>{\Ass{\mathit{ct}}{\mathit{ct} + 1}}
\end{array}
\]
\end{column}
\end{columns}
\pause
\begin{block}{Step 2: First loop}
\begin{itemize}
\item<2-> Use sampling rule with identity coupling: \superhi<3>{$r_1 = r_2$}
\item<5-> Establish loop invariant $\superhi{\mathit{ct}_1 = \mathit{ct}_2}$
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof sketch}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\FFor{$i$ = \superhi{T_2 + 1}, \dots, \superhi{T_1}}{} \\
\quad \Rand{r}{\mathit{flip}}; \\
\quad \Condt{r = \text{heads}}{} \\
\quad\quad \Ass{\mathit{ct}}{\mathit{ct} + 1}; \\
\RReturn(\mathit{ct})
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\\
\\
\\
\\
\\
\RReturn(\mathit{ct})
\end{array}
\]
\vfill
\end{column}
\end{columns}
\begin{block}{Step 3: Second loop}
\begin{itemize}
\item Use ``one-sided'' sampling rule
\item Apply ``one-sided'' loop rule to show invariant $\mathit{ct}_1 \geq \mathit{ct}_2$
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\huge Formal Proofs by Coupling}{\huge Ex. 3: Uniformity}
\end{frame}
\begin{frame}
\frametitle{Simulating a fair coin flip from a biased coin}
\begin{block}{Problem setting}
\begin{itemize}
\item Given: ability to draw \superhi{biased} coin flips $\mathit{flip}(p)$, $p \neq 1/2$
\item Goal: simulate a \superhi{fair} coin flip $\mathit{flip}(1/2)$
\end{itemize}
\end{block}
\pause
\begin{block}{Algorithm (``von Neumann's trick'')}
\[
\begin{array}{ll}
\Ass{x}{\mathit{true}}; \Ass{y}{\mathit{true}}; \qquad\qquad &
\text{// initialize $x = y$} \\
\WWhile{x = y}{} & \text{// if equal, repeat} \\
\qquad \Rand{x}{\mathit{flip}(p)}; & \text{// flip biased coin} \\
\qquad \Rand{y}{\mathit{flip(p)}}; & \text{// flip biased coin} \\
\RReturn(x) & \text{// if not equal, return $x$}
\end{array}
\]
\end{block}
\pause
\begin{center}
\begin{framed}
How to prove that the result $x$ is \superhi{unbiased} (uniform)?
\end{framed}
\end{center}
\end{frame}
\begin{frame}
\frametitle{From existence of coupling, to uniformity}
\begin{block}{Suppose that we know there exist two couplings:}
\begin{enumerate}
\item Under first coupling, $x_1 = \mathit{true}$ implies $x_2 = \mathit{false}$
\item Under second coupling, $x_1 = \mathit{false}$ implies $x_2 = \mathit{true}$
\end{enumerate}
\end{block}
\pause
\begin{block}{As a consequence:}
\begin{itemize}
\item By (1), $\Pr [x_1 = \mathit{true} ] \leq \Pr [x_2 = \mathit{false}]$
\item By (2), $\Pr [x_1 = \mathit{false} ] \leq \Pr [x_2 = \mathit{true}]$
\end{itemize}
\end{block}
\pause
\begin{block}{But $x_1$ and $x_2$ have same distribution}
\begin{itemize}
\item By (1), $\Pr [x_1 = \mathit{true}] \leq \Pr [x_1 = \mathit{false}]$
\item By (2), $\Pr [x_1 = \mathit{false}] \leq \Pr[x_1 = \mathit{true}]$
\item Hence \superhi{uniform}: $\Pr [x_1 = \mathit{true}] = \Pr [x_1 = \mathit{false}]$
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Proof by coupling}
\begin{block}{Algorithm (``von Neumann's trick'')}
\vspace{-3ex}
\[
\begin{array}{ll}
\Ass{x}{\mathit{true}}; \Ass{y}{\mathit{true}}; \qquad\qquad &
\text{// initialize $x = y$} \\
\WWhile{x = y}{} & \text{// if equal, repeat} \\
\qquad \Rand{x}{\mathit{flip}(p)}; & \text{// flip biased coin} \\
\qquad \Rand{y}{\mathit{flip(p)}}; & \text{// flip biased coin} \\
\RReturn(x) & \text{// if not equal, return $x$}
\end{array}
\]
\vspace{-3ex}
\end{block}
\begin{block}{Construct couplings such that:}
\begin{enumerate}
\item Under first coupling, $x_1 = \mathit{true}$ implies $x_2 = \mathit{false}$
\item Under second coupling, $x_1 = \mathit{false}$ implies $x_2 = \mathit{true}$
\end{enumerate}
\end{block}
\begin{block}{Consider the following coupling:}
\begin{itemize}
\item Couple sampling of $x_1$ to be equal to sampling of $y_2$
\item Couple sampling of $x_2$ to be equal to sampling of $y_1$
\item Resulting coupling satisfies \superhi{both} (1) and (2)!
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Formalizing the proof in \Sprhl}
\begin{block}{Relate two (equivalent) versions of the program:}
\begin{columns}
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{x}{\mathit{true}}; \Ass{y}{\mathit{true}}; \\
\WWhile{x = y}{} \\
\qquad \superhi<3>{\Rand{x}{\mathit{flip}(p)}}; \\
\qquad \superhi<5>{\Rand{y}{\mathit{flip(p)}}}; \\
\superhi<7>{\RReturn(x)}
\end{array}
\]
\end{column}
%
\vrule
%
\begin{column}[t]{0.45\textwidth}
\[
\begin{array}{l}
\Ass{x}{\mathit{true}}; \Ass{y}{\mathit{true}}; \\
\WWhile{x = y}{} \\
\qquad \superhi<3>{\Rand{y}{\mathit{flip(p)}}}; \\
\qquad \superhi<5>{\Rand{x}{\mathit{flip}(p)}}; \\
\superhi<7>{\RReturn(x)}
\end{array}
\]
\vfill
\end{column}
\end{columns}
\end{block}
\pause
\begin{block}{Build coupling for loop bodies, then loops}
\begin{itemize}
\item<2-> Use sampling rule with identity coupling: \superhi<3>{$x_1 = y_2$}
\item<4-> Use sampling rule with identity coupling: \superhi<5>{$y_1 = x_2$}
\item<6-> Use loop rule with invariant:
\[
(x_1 = y_1 \to x_1 = y_2)
\land
(x_1 \neq y_1 \to \superhi<7>{x_1 \neq x_2})
\]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\Huge Variations on a Theme:}{\Huge Approximate Couplings}
\end{frame}
\begin{frame}
\begin{exampleblock}{}
\vfill
\structure{\Large A new approach to formulating privacy goals: the risk to ones
privacy, or in general, any type of risk \ldots should not substantially
increase as a result of participating in a statistical database.}
\vspace{10ex}
\structure{\Large This is captured by \superhi{differential privacy}.}
\vspace{10ex}
\hspace*\fill{\small--- Cynthia Dwork}
\end{exampleblock}
\end{frame}
\begin{frame}
\frametitle{Increasing interest in differential privacy}
\begin{block}{In research\ldots}
\begin{center}
\includegraphics[width=\textwidth]{images/dp-cites.png}
\end{center}
\end{block}
\pause
\begin{block}{\ldots and in the ``real world''}
\begin{center}
\includegraphics[width=\textwidth]{images/apple-dp.jpg}
% \includegraphics[width=\textwidth]{images/chrome-dp.png}
\end{center}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Differential privacy, pictorially}
\begin{center}
\includegraphics[width=\textwidth]{images/privacy}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Differential privacy, formally}
\begin{block}{Dwork, McSherry, Nissim, and Smith}
Let $\varepsilon \geq 0$ be a parameter, and suppose that $Adj$ is a binary
``adjacency'' relation on $D$. A randomized program $M : D \to \Dist(R)$ is
\superhi{$\varepsilon$-differentially private} if for every set of outputs
$S \subseteq R$ and every pair of adjacent inputs $d_1, d_2$, we have
\vspace{5ex}
\[
\scalebox{1.5}{\ensuremath{
\Pr_{ x \sim M(d_1) } [ x \in S ]
\leq \exp(\varepsilon) \cdot \Pr_{ x \sim M(d_2) } [ x \in S ]
}} .
\]
\end{block}
\end{frame}
\begin{frame}
\frametitle{Approximate couplings}
\begin{definition}
An \superhi{$\varepsilon$-coupling} of two distributions $\mu_1, \mu_2 \in
\Dist(A)$ is a joint distribution $\mu \in \Dist(A \times A)$ with
\[
\scalebox{1.5}{\superhi<3>{$\Delta_\varepsilon(\mu_1, \pi_1(\mu)) \leq 0$}}
\quad\text{and}\quad
\scalebox{1.5}{\superhi<3>{$\Delta_\varepsilon(\mu_2, \pi_2(\mu)) \leq 0$}}
\]
\end{definition}
When $\varepsilon = 0$, recover regular (exact) couplings.
\end{frame}
\begin{frame}
\frametitle{Approximate couplings imply differential privacy}
\begin{block}{If exists coupling of $\mu_1, \mu_2$ that returns equal elements:}
\begin{center}
\begin{framed}
Program produces equal output distr. on related inputs
\end{framed}
\end{center}
\end{block}
\begin{block}{If exists $\varepsilon$-coupling of $\mu_1, \mu_2$ that returns equal elements:}
\begin{center}
\begin{framed}
Program satisfies $\varepsilon$-differential privacy
\end{framed}
\end{center}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Constructing approximate couplings}
\begin{block}{The program logic \Saprhl [BKOZ-B, BO]}
\begin{itemize}
\item Compositional and formalized proofs of privacy
\end{itemize}
\end{block}
\begin{block}{Judgments indexed by $\varepsilon$}
\begin{framed}
\begin{center}
\scalebox{2.5}{$\aprhl{c_1}{c_2}{P}{Q}{\varepsilon}$}
\end{center}
\end{framed}
\end{block}
\end{frame}
\begin{frame}{Differential privacy in \Saprhl}
\[
\scalebox{1.5}{\ensuremath{\aprhl{c}{c} {Adj(d_1, d_2)} {\superhi{res_1 = res_2}} {\varepsilon} }}
\]
\pause
\vspace{2ex}
\begin{center}
\structure{\LARGE Exactly $\varepsilon$-differential privacy}
\end{center}
\end{frame}
\begin{frame}{Proof system}
\begin{overprint}
\only<1>{\centerline{\includegraphics[width=\textwidth]{images/aprhl-rules-0.png}}}
\only<2>{\centerline{\includegraphics[width=\textwidth]{images/aprhl-rules-1.png}}}
\end{overprint}
\end{frame}
\begin{frame}{(Laplace) Sampling rule}
\[
\inferrule*[Right=\textsc{Lap}]
{ }
{\aprhl
{\Rand{x_1}{\Lap_\varepsilon(e_1)}}
{\Rand{x_2}{\Lap_\varepsilon(e_2)}}
{ |e_1 - e_2| \leq \superhi{k} }
{ \superhi{x_1 = x_2} }
{ \superhi{k} \cdot \varepsilon }}
\]
\vfill
\pause
\begin{center}
\structure{\Huge ``Pay'' distance b/t centers}
\vspace{2ex}
\structure{\Huge $\Downarrow$}
\vspace{2ex}
\structure{\Huge Assume samples are equal}
\end{center}
\end{frame}
\begin{frame}{Composition properties, pictorially}
\begin{center}
\includegraphics[width=\textwidth]{images/seq.pdf}
\end{center}
\begin{block}{Whole program is $2 \varepsilon$-private}
\begin{center}
\begin{framed}
Reading: ``Pay'' $\varepsilon$ cost for each step, add up costs
\end{framed}
\end{center}
\end{block}
\end{frame}
\begin{frame}{Composition properties, formally}
\begin{block}{Formally \ldots}
Consider randomized algorithms $M : D \to \Dist(R)$ and $M : R \to D \to
\Dist(R')$. If $M$ is \superhi{${\varepsilon}$}-private and for every $r \in R$,
$M'(r)$ is \superhi{${\varepsilon'}$}-private, then the composition is
\superhi{${(\varepsilon + \varepsilon')}$}-private:
\[
\scalebox{1.5}{\ensuremath{
\Rand{r}{M(d)}; \Rand{res}{M(r, d)}; \RReturn(res)
}}
\]
\end{block}
\end{frame}
\begin{frame}
\frametitle{Composing approximate couplings}
\begin{center}
\scalebox{1.8}{$
\inferrule*%[Left=Seq]
{ \vdash \aprhl{c_1}{c_2}{P}{Q}{\superhi<2>{\varepsilon}} \\\\
\vdash \aprhl{c_1'}{c_2'}{Q}{R}{\superhi<2>{\varepsilon'}} }
{ \vdash \aprhl{c_1; c_1'}{c_2; c_2'}{P}{R}{\superhi<2>{\varepsilon + \varepsilon'}} }
$}
\end{center}
\begin{block}<3>{Generalizes privacy composition}
\begin{center}
\begin{framed}
$Q$, $R$ don't need to be equality assertions!
\end{framed}
\end{center}
\end{block}
\end{frame}
\begin{frame}{New sampling rule: \textsc{[LapNull]}}
\[
\inferrule*
{ x_1 \notin FV(e_1), x_2 \notin FV(e_2) }
{\aprhl
{\Rand{x_1}{\Lap_\varepsilon(e_1)}}
{\Rand{x_2}{\Lap_\varepsilon(e_2)}}
{ \top }
{ \superhi<2>{x_1 - x_2 = e_1 - e_2} }
{\superhi{0}}}
\]
\vfill
\pause
\begin{center}
\structure{\huge ``Pay'' nothing (cost zero)}
\vfill
\structure{\Huge $\Downarrow$}
\vfill
\structure{\huge Distance between samples}
\vspace{2ex}
\structure{\Huge $=$}
\vspace{2ex}
\structure{\huge Distance between centers}
\end{center}
\end{frame}
\begin{frame}{New sampling rule: \textsc{[LapGen]}}
\[
\inferrule*
{ x_1 \notin FV(e_1), x_2 \notin FV(e_2) }
{\aprhl
{\Rand{x_1}{\Lap_\varepsilon(e_1)}}
{\Rand{x_2}{\Lap_\varepsilon(e_2)}}
{ |e_1 - (e_2 + s)| \leq k }
{ \superhi{x_1 = x_2 + s} }
{\superhi<2>{k \cdot {\varepsilon}}}}
\]
\vfill
\pause
\begin{center}
\structure{\Huge ``Pay'' to shift centers}
\vspace{2ex}
\structure{\Huge $\Downarrow$}
\vspace{2ex}
\structure{\Huge Assume shifted samples}
\end{center}
\end{frame}
\begin{frame}
\frametitle{``Pointwise equality''}
\begin{center}
\scalebox{1.6}{$
\inferrule*%[Left=Seq]
{ \superhi<2>{\forall j},\ \vdash \aprhl{c_1}{c_2}{P}{\superhi<2>{e_1 = j \to e_2 = j}}{\varepsilon} }
{ \vdash \aprhl{c_1}{c_2}{P}{\superhi<3>{e_1 = e_2}}{\varepsilon} }
$}
\end{center}
\begin{onslide}<4>
\begin{framed}
\begin{center}
Prove differential privacy, focusing on one output at a time
\end{center}
\end{framed}
\end{onslide}
\end{frame}
\begin{frame}{Logical interpretation}
\begin{block}{Leibniz equality}
\[
\scalebox{1.75}{\ensuremath{(\forall j, (e_1 = j) \to (e_2 = j)) \to e_1 = e_2}}
\]
\end{block}
\begin{block}{Internalizing a universal quantifier}
\begin{itemize}
\item Not sound in general for approximate couplings
\item But: sound for certain equality predicates
\end{itemize}
\end{block}
\end{frame}
\begin{frame}{Logical interpretation}
\begin{center}
\structure{\LARGE $\superhi<2>{\forall}$ values,
$\superhi<2>{\exists}$ a coupling such that \ldots}
\vspace{2ex}
\structure{\Huge $\Downarrow$}
\vspace{2ex}
\structure{\LARGE $\superhi<3>{\exists}$ a coupling such that
$\superhi<3>{\forall}$ values, \ldots}
\end{center}
\end{frame}
\begin{frame}{Applications of approximate couplings}
\begin{block}{Support more proof principles}
\begin{itemize}
\item More sophisticated composition theorems
\item General, $(\epsilon, \delta)$ form of differential privacy
\end{itemize}
\end{block}
\begin{block}{Formalize interesting examples}
\begin{itemize}
\item Sparse Vector Technique (4 buggy versions)
\item Auction mechanisms based on privacy
\end{itemize}
\end{block}
\begin{block}{Enable new verification tools}
\begin{itemize}
\item Automatic proofs via Horn clause encoding [AH]
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\dividerpage{\Huge Variations on a Theme:}{\Huge Expectation Couplings}
\end{frame}
\begin{frame}
\frametitle{Expectation couplings}
\begin{block}{Target: bound distance between expected values}
\begin{itemize}
\item Captured by coupling refined with Kantorovich metric
\item Build a logic around composition of optimal transport
\end{itemize}
\end{block}
\pause
\begin{block}{Kantorovich metric: lift distance to distributions}
\begin{itemize}
\item Given: Two distributions $\mu_1, \mu_2 \in \Dist(A)$
\item Given: ``Base'' distance $d : A \times A \to \mathbb{R}^+$
\item Define: distance on distributions
\[
\scalebox{1.3}{$\displaystyle{d^{\#}(\mu_1, \mu_2)
\triangleq \min_{%
\refbox<3->{couplings}{$\mu \in C(\mu_1, \mu_2)$}{callout}} \mathbb{E}_\mu [ d ]} $}
\]
\mycallout<3->{couplings.south east}{set of all couplings}{3.5cm}{160}{1.8cm}{callout}
\end{itemize}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Constructing expectation couplings}
\begin{block}{Build these couplings with the program logic \Seprhl}
\begin{itemize}
\item Verify uniform stability (machine learning)
\item Verify convergence/mixing (statistical physics)
\end{itemize}
\end{block}
\begin{block}{Judgments model probabilistic sensitivity/contraction}
\begin{framed}
\begin{center}
\scalebox{2.5}{$\eprhl{c_1}{c_2}{P; \superhi<2>{d}}{Q; \superhi<2>{d'}}$}
\end{center}
\end{framed}
\end{block}
\end{frame}
\begin{frame}
\frametitle{Wrapping up}
% \begin{block}{Possible directions}
% \begin{itemize}
% \item Theoretical foundations and semantics
% \item Other useful consequences of couplings
% \item Going beyond program logics, automation
% \end{itemize}
% \end{block}
% \pause
% \vfill
\begin{block}{Don't reinvent the wheel}
\begin{itemize}
\item Leverage mental tools used by algorithms researchers
\item Simpler formal proofs, closer to existing proofs
\item More opportunities for automation
\end{itemize}
\begin{center}
\begin{framed}
\huge {Study human proof techniques from a logical perspective}
\end{framed}
\end{center}
\end{block}
\end{frame}
\end{document}