The program logic AP RHL

Barthe et al.(2013c) proposed the relational program logicAPRHL as an approximate version ofPRHL, targeting differential privacy. The basic idea is to use approximate liftings in place of exact liftings, tracking the parameters(",δ)in the judgments. We briefly review the language, the judgments, and the logical rules.

The language

The language ofAPRHL is almost identical to the probabilistic imperative language we used forPRHL. The only difference is instead of the uniform distribution, we take the Laplace distribution as primitive:

DE:₌Lap_"(e).

The parameter"quantifies the spread of the distribution, while the parametererepresents its mean; we treat"as a logical variable. Similar to how we defined the Laplace mechanism (Definition4.1.2), we interpretLap_"(e)as a discrete distribution over the integersz_∈Z:

(¹Lap"(e)ºρm)(z)¬

exp(−¹"ºρ· |z−¹eºρm|)

W

where¹eºρmis an integer andW normalizes the distribution to have weight 1:

W¬

X

z∈Z

exp(−¹"ºρ· |z−¹eºρm|).

For example, the Laplace mechanism for a queryq:D_→Zcan be implemented by sampling:

x $

←Lap_"(q(d)).

Judgments and validity

Judgments inAPRHL have the following form:

SKIP `skip∼(0,0)skip:Φ=⇒Φ ASSN `x₁←e₁∼(0,0)x2←e2:Ψ{e1〈1〉,e2〈2〉/x1〈1〉,x2〈2〉}=⇒Ψ LAP x1,x2∈/FV(e1,e2) Φ¬|e1〈1〉 −e2〈2〉| ≤k∧ ∀v∈Z,Ψ{v,v/x1〈1〉,x2〈2〉} `x<sub>1</sub> $ ←Lap<sub>"(</sub>e1)∼(k",0)x2←$ Lap"(e2):Φ=⇒Ψ SEQ `c1∼(",δ)c2:Φ=⇒Ψ `c 0 1∼("0,δ0<sub>)</sub>c<sub>2</sub>0 :Ψ=⇒Θ `c₁;c₁0 ∼("+"0_,δ+δ0₎c₂;c₂0 :Φ=⇒Θ COND |=Φ→e1〈1〉=e2〈2〉 `c1∼(",δ)c2:Φ∧e1〈1〉=⇒Ψ `c 0 1∼(",δ)c02:Φ∧ ¬e1〈1〉=⇒Ψ

`ife₁thenc₁elsec₁0 ∼(",δ)ife2thenc2elsec20 :Φ=⇒Ψ

WHILE

|=Φ∧e_v〈1〉 ≤0→ ¬e_1〈1〉 |=Φ→e_〈1〉=e_〈2〉 ∀K∈N,`c1∼(",δ)c2:Φ∧e1〈1〉 ∧ev〈1〉=K=⇒Φ∧ev〈1〉<K

`whilee₁doc₁∼(N",Nδ)whilee2doc2:Φ∧e〈1〉 ≤N=⇒Φ∧ ¬e1〈1〉

Figure 4.1: Two-sidedAPRHL rules

Just like inPRHL,ΦandΨare assertions on a product memory and refer to variables tagged with〈1〉and 〈2〉. The parameters_",_δare expressions involving constants and logical variables; in particular, they do not mention program variables and do not depend on the program state.

Validity forAPRHL judgments is defined in terms of approximate liftings. Definition 4.3.1. AnAPRHL judgment isvalidin logical contextρ, written

ρ|=c₁∼(",δ)c2:Φ=⇒Ψ,

if for any two memories(m₁,m2)_∈¹Φ_ºρthere exists an approximate lifting relating the output distribu- tions:

¹c1ºρm1¹Ψºρ

](¹"ºρ,¹δºρ)

¹c2ºρm2.

Core proof rules

Most of the rules inAPRHL generalize rules fromPRHL, with special handling for the(",δ)parameters. We present the core proof system and comment on departures fromPRHL.

We begin with the two-sided rules in Fig.4.1. The_[SKIP]and[ASSN]rules are lifted fromPRHL. To

gain intuition for the sampling rule_[LAP], we first consider a special case:

LAP*

`x $

←Lap_"(e)∼(k",0)x←$ Lap"(e):|e〈1〉 −e〈2〉| ≤k=⇒x〈1〉=x〈2〉

Since the meanse〈1〉ande〈2〉may not be equal, the two distributions may have different probabilities of sampling the same value and there may be no exact coupling guaranteeingx〈1〉=x〈2〉. Nevertheless, there is a(k", 0)-approximate coupling when the means differ by at mostk. Since approximate lifting of equality models differential privacy, this rule captures privacy of the Laplace mechanism (Theorem4.1.3).

ASSN-L `x<sub>1</sub>←e<sub>1</sub>∼(0,0)skip:Ψ{e1〈1〉/x1〈1〉}=⇒Ψ ASSN-R `skip∼(0,0)x2←e2:Ψ{e2〈2〉/x2〈2〉}=⇒Ψ LAP-L `x<sub>1</sub> $ ←Lap<sub>"(</sub>e1)∼(0,0)skip:∀v∈Z,Ψ{v/x1〈1〉}=⇒Ψ LAP-R `skip∼(0,0)x2←$ Lap"(e2):∀v∈Z,Ψ{v/x2〈2〉}=⇒Ψ COND-L`c1∼(",δ)c:Φ∧e1〈1〉=⇒Ψ `c 0 1∼(",δ)c:Φ∧ ¬e1〈1〉=⇒Ψ `ife<sub>1</sub>thenc<sub>1</sub>elsec<sub>1</sub>0 ∼(",δ)c:Φ=⇒Ψ COND-R`c∼(",δ)c2:Φ∧e2〈2〉=⇒Ψ `c∼(",δ)c 0 2:Φ∧ ¬e2〈2〉=⇒Ψ `c∼(",δ)ife2thenc2elsec20 :Φ=⇒Ψ WHILE-L `c<sub>1∼(0,0)</sub>skip:Φ∧e<sub>1〈</sub>1〉=⇒Φ |=Φ→Φ1〈1〉 Φ1|=whilee1doc1lossless `whilee₁doc_1∼(0,0)skip:Φ=⇒Φ∧ ¬e_1〈1〉 WHILE-R `skip∼(0,0)c2:Φ∧e2〈2〉=⇒Φ |=Φ→Φ2〈2〉 Φ2|=whilee2doc2lossless `skip∼(0,0)whilee2doc2:Φ=⇒Φ∧ ¬e2〈2〉

Figure 4.2: One-sidedAPRHL rules

The full sampling rule[LAP]proves a general post-conditionΨif it is true as a pre-condition, assuming the two sampled variables are equal.

The sequencing rule[SEQ]is similar to the sequencing rule inPRHL, summing up the approxima- tion parameters. This rule reflects a composition principle for approximate couplings generalizing the sequential composition theorem from differential privacy (Theorem4.1.4).

The conditional rule[COND]is similar to its counterpart fromPRHL. Assuming the guards are equal initially, if there is an(",δ)-coupling of corresponding pairs of branches then there is an(",δ)-coupling of the two conditionals. Finally, the loop rule_[WHILE]applies to loops that run at most a finite number of iterationsN; this is enforced by the strictly decreasing integer variantev. Given an(",δ)-coupling for the loop bodies, the rule produces a(N",Nδ)-coupling of the two loops. Again, this rule corresponds to a sequential composition principle for approximate couplings.

The one-sided rules forAPRHL are presented in Fig.4.2; the structural rules, in Fig.4.3. The one-sided sampling rules, [LAP-L]and [LAP-R], give a(0, 0)-lifting. The rule of consequence [CONSEQ]allows increasing the approximate parameters since larger parameters require a looser bound between the witnesses. The other rules are straightforward generalizations of theirPRHL counterparts.

As expected, the logic is sound.

Theorem 4.3.2(Soundness ofAPRHL). Letρbe a logical context. If a judgment is derivable ρ`c_1∼(",δ)c₂:Φ=⇒Ψ,

CONSEQ`c1∼("0,δ0)c2:Φ 0<sub>=⇒Ψ</sub>0 <sub>|=Φ→Φ</sub>0 <sub>|=Ψ</sub>0<sub>→Ψ |="</sub>0<sub>≤" |=δ</sub>0<sub>≤δ</sub> `c₁∼(",δ)c2:Φ=⇒Ψ EQUIV `c 0 1∼(",δ)c02:Φ=⇒Ψ c1≡c10 c2≡c02 `c₁∼(",δ)c2:Φ=⇒Ψ CASE`c1∼(",δ)c2:Φ∧Θ=⇒Ψ `c1∼(",δ)c2:Φ∧ ¬Θ=⇒Ψ `c<sub>1</sub>∼(",δ)c2:Φ=⇒Ψ TRANS`c1∼(",δ)c2:Φ=⇒Ψ `c2∼("0,δ0)c3:Φ 0<sub>=⇒Ψ</sub>0 `c₁∼("+"0_,exp("0_)δ+δ0₎c₃:Φ0◦Φ=⇒Ψ0◦Ψ FRAME `c1∼(",δ)c2:Φ=⇒Ψ FV(Θ)∩MV(c1,c2) =∅ `c₁∼(",δ)c2:Φ∧Θ=⇒Ψ∧Θ

Figure 4.3: StructuralAPRHL rules

then it is valid:

ρ|=c₁∼(",δ)c2:Φ=⇒Ψ.

Proof sketch. By induction on the derivation. The proof is very similar to the proof of soundness for

APRHL byOlmedo(2014), with some minor adjustments to handle the special element?in our definition of approximate coupling. AppendixBgives a self-contained proof of soundness for the full logic, including the new rules we will soon introduce.

The natural counterpart to soundness iscompleteness: valid judgments should be provable by the proof system.APRHL is incomplete in at least one respect: while valid judgments may relate commands that do not always terminate, derivable judgments can only relate lossless programs.

Lemma 4.3.3. Ifρ_`c_1∼(",δ)c₂:Φ=⇒Ψis derivable, then c₁and c₂are bothΦ-lossless.

Proof. By induction on the derivation. Since the loop rule[WHILE]requires both loops to terminate in at mostniterations and the one-sided variants_[WHILE-L]/[WHILE-R]assume losslessness,c₁andc₂must be lossless under the pre-condition.

This kind of incompleteness aside, it is not known whetherAPRHL is complete for terminating programs (or evenrelatively completein some natural sense); we discuss this issue further in Chapter6.