Hostname: page-component-77c89778f8-swr86 Total loading time: 0 Render date: 2024-07-19T06:56:26.909Z Has data issue: false hasContentIssue false
  • English
  • Français

Divergences on monads for relational program logics

Published online by Cambridge University Press:  31 July 2023

Tetsuya Sato Open the ORCID record for Tetsuya Sato [Opens in a new window]  and
Shin-ya Katsumata Open the ORCID record for Shin-ya Katsumata [Opens in a new window]
Tetsuya Sato
Affiliation:
Tokyo Institute of Technology, 2-12-1 Ookayama, Meguro-ku, Tokyo, Japan
Shin-ya Katsumata*
Affiliation:
National Institute of Informatics, 2-1-2 Chiyoda-ku, Tokyo, Japan
*
Corresponding author: Shin-ya Katsumata; Email: s-katsumata@nii.ac.jp
Get access Rights & Permissions [Opens in a new window]

Abstract

Several relational program logics have been introduced for integrating reasoning about relational properties of programs and measurement of quantitative difference between computational effects. Toward a general framework for such logics, in this paper, we formalize the concept of quantitative difference between computational effects as divergences on monads, then develop a relational program logic called approximate computational relational logic (acRL for short). It supports generic computational effects and divergences on them. The semantics of the acRL is given by graded strong relational liftings constructed from divergences on monads. We derive two instantiations of the acRL: (1) for the verification of various kinds of differential privacy of higher-order functional probabilistic programs and (2) the other for measuring difference of distributions of cost between higher-order functional probabilistic programs with a cost counting operator.

Keywords

Relational Hoare logicsgraded monadsrelational liftings
Type
Special Issue: Differences and Metrics in Programs Semantics: Advances in Quantitative Relational Reasoning
Information
Mathematical Structures in Computer Science , Volume 33 , Special Issue 4-5: Differences and Metrics in Programs Semantics: Advances in Quantitative Relational Reasoning , April 2023 , pp. 427 - 485
Check for updates
Copyright
© The Author(s), 2023. Published by Cambridge University Press

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Albarghouthi, A. and Hsu, J. (2018a). Constraint-based synthesis of coupling proofs. In Computer Aided Verification – 30th International Conference, CAV 2018, Proceedings, Part I, vol. 10981. LNCS. Springer, 327–346.Google Scholar
Albarghouthi, A. and Hsu, J. (2018b). Synthesizing coupling proofs of differential privacy. PACMPL 2 (POPL) 58:158:30.Google Scholar
Altenkirch, T., Chapman, J., and Uustalu, T. (2015). Monads need not be endofunctors. Logical Methods in Computer Science 11 (1).Google Scholar
Aumann, R. J. (1961). Borel structures for function spaces. Illinois Journal of Mathematics 5 (4) 614630.CrossRefGoogle Scholar
Azevedo de Amorim, A., Gaboardi, M., Hsu, J., and Katsumata, S. (2019). Probabilistic relational reasoning via metrics. In 34th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2019. IEEE, 1–19.CrossRefGoogle Scholar
Bacci, G., Mardare, R., Panangaden, P., and Plotkin, G. (2021). Tensor of quantitative equational theories. In Gadducci, F. and Silva, A. (eds.), 9th Conference on Algebra and Coalgebra in Computer Science (CALCO 2021), volume 211 of Leibniz International Proceedings in Informatics (LIPIcs), Dagstuhl, Germany: Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 7:1–7:17.Google Scholar
Balan, A., Kurz, A., and Velebil, J. (2019). Extending set functors to generalised metric spaces. Logical Methods in Computer Science 15 (1).Google Scholar
Baldan, P., Bonchi, F., Kerstan, H., and König, B. (2018). Coalgebraic behavioral metrics. Logical Methods in Computer Science 14 (3).Google Scholar
Balle, B., Barthe, G., Gaboardi, M., Hsu, J., and Sato, T. (2020). Hypothesis testing interpretations and renyi differential privacy. In Chiappa, S. and Calandra, R. (eds.), Proceedings of the Twenty Third International Conference on Artificial Intelligence and Statistics (AISTATS 2020), vol. 108. Proceedings of Machine Learning Research, Online. PMLR, 2496–2506.Google Scholar
Barthe, G., Crespo, J. M., and Kunz, C. (2011). Relational verification using product programs. In Butler, M. and Schulte, W., editors, FM 2011: Formal Methods, Berlin, Heidelberg: Springer Berlin Heidelberg, 200214.CrossRefGoogle Scholar
Barthe, G., D’Argenio, P. R., and Rezk, T. (2004). Secure information flow by self-composition. In Proceedings of the 17th IEEE Workshop on Computer Security Foundations, CSFW ’04, vol. 100, USA: IEEE Computer Society.Google Scholar
Barthe, G., Gaboardi, M., Arias, E. J. G., Hsu, J., Kunz, C., and Strub, P. (2014). Proving differential privacy in Hoare logic. In IEEE 27th Computer Security Foundations Symposium, CSF 2014. IEEE Computer Society, 411424.CrossRefGoogle Scholar
Barthe, G., Gaboardi, M., Arias, E. J. G., Hsu, J., Roth, A., and Strub, P. (2015). Higher-order approximate relational refinement types for mechanism design and differential privacy. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2015, Mumbai, India, January 15-17, 2015. ACM, 5568.CrossRefGoogle Scholar
Barthe, G., Gaboardi, M., Grégoire, B., Hsu, J., and Strub, P. (2016). Proving differential privacy via probabilistic couplings. In Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science, LICS ’16. ACM, 749758.CrossRefGoogle Scholar
Barthe, G., Grégoire, B., Hsu, J., and Strub, P.-Y. (2017). Coupling proofs are probabilistic product programs. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2017, New York, NY, USA: Association for Computing Machinery, 161–174.CrossRefGoogle Scholar
Barthe, G., Köpf, B., Olmedo, F., and Béguelin, S. Z. (2012). Probabilistic relational reasoning for differential privacy. In Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012. ACM, 97110.CrossRefGoogle Scholar
Barthe, G. and Olmedo, F. (2013). Beyond differential privacy: Composition theorems and relational logic for f-divergences between probabilistic programs. In Automata, Languages, and Programming - 40th International Colloquium, ICALP 2013, Proceedings, Part II, vol. 7966. LNCS. Springer, 49–60.CrossRefGoogle Scholar
Benton, N. (2004). Simple relational correctness proofs for static analyses and program transformations. SIGPLAN Notices 39 (1) 1425.CrossRefGoogle Scholar
Bonchi, F., König, B., and Petrisan, D. (2018). Up-To Techniques for Behavioural Metrics via Fibrations. In 29th International Conference on Concurrency Theory (CONCUR 2018), vol. 118. Leibniz International Proceedings in Informatics (LIPIcs), Dagstuhl, Germany: Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, 17:1–17:17.Google Scholar
Bun, M., Dwork, C., Rothblum, G. N., and Steinke, T. (2018). Composable and versatile privacy via truncated CDP. In Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2018, New York, NY, USA: Association for Computing Machinery, 74–86.CrossRefGoogle Scholar
Bun, M. and Steinke, T. (2016). Concentrated differential privacy: Simplifications, extensions, and lower bounds. In Theory of Cryptography, Berlin, Heidelberg: Springer Berlin Heidelberg, 635–658.CrossRefGoogle Scholar
Çiçek, E., Barthe, G., Gaboardi, M., Garg, D., and Hoffmann, J. (2017). Relational cost analysis. SIGPLAN Notices 52 (1) 316329.CrossRefGoogle Scholar
Csiszár, I. (1963). Eine informationstheoretische Ungleichung und ihre Anwendung auf den beweis der ergodizitat von markoffschen ketten. Magyar. Tud. Akad. Mat. Kutato Int. Kozl. 8 85108.Google Scholar
Csiszár, I. (1967). Information-type measures of difference of probability distributions and indirect observations. Studia Scientiarum Mathematicarum Hungarica 2 299318.Google Scholar
Dwork, C., McSherry, F., Nissim, K., and Smith, A. (2006). Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography, vol. 3876. LNCS. Springer Berlin Heidelberg, 265–284.CrossRefGoogle Scholar
Dwork, C. and Roth, A. (2013). The algorithmic foundations of differential privacy. Foundations and Trends in Theoretical Computer Science 9 (3-4) 211407.CrossRefGoogle Scholar
Gaboardi, M., Haeberlen, A., Hsu, J., Narayan, A., and Pierce, B. C. (2013). Linear dependent types for differential privacy. In The 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’13. ACM, 357370.CrossRefGoogle Scholar
Gaboardi, M., Katsumata, S., Orchard, D., and Sato, T. (2021). Graded hoare logic and its categorical semantics. In Yoshida, N., editor, Programming Languages and Systems – 30th European Symposium on Programming, ESOP 2021, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2021, Luxembourg City, Luxembourg, March 27 - April 1, 2021, Proceedings, vol. 12648. Lecture Notes in Computer Science. Springer, 234–263.CrossRefGoogle Scholar
Gavazzo, F. (2018). Quantitative behavioural reasoning for higher-order effectful programs: Applicative distances. In Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS ’18, New York, NY, USA: Association for Computing Machinery, 452–461.CrossRefGoogle Scholar
Giry, M. (1982). A categorical approach to probability theory. In Banaschewski, B., editor, Categorical Aspects of Topology and Analysis, vol. 915. LNM. Springer, 68–85.CrossRefGoogle Scholar
Hall, R. (2012). New Statistical Applications for Differential Privacy. PhD thesis, Machine Learning Department School of Computer Science Carnegie Mellon University.Google Scholar
Hermida, C. and Jacobs, B. (1995). An algebraic view of structural induction. In Proceedings of CSL ’94, vol. 933. LNCS. Springer-Verlag, 412–426.CrossRefGoogle Scholar
Heunen, C., Kammar, O., Staton, S., and Yang, H. (2017). A convenient category for higher-order probability theory. In 32nd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2017, 1–12.CrossRefGoogle Scholar
Jacobs, B. (1999). Categorical Logic and Type Theory. Elsevier.Google Scholar
Kairouz, P., Oh, S., and Viswanath, P. (2015). The composition theorem for differential privacy. In Proceedings of the 32nd International Conference on Machine Learning, ICML 2015, Lille, France, 6-11 July 2015, 1376–1385.Google Scholar
Katsumata, S. (2014). Parametric effect monads and semantics of effect systems. In The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’14. ACM, 633646.CrossRefGoogle Scholar
Katsumata, S. and Sato, T. (2013). Preorders on monads and coalgebraic simulations. In Pfenning, F., editor, Foundations of Software Science and Computation Structures, Berlin, Heidelberg: Springer Berlin Heidelberg, 145160.CrossRefGoogle Scholar
Katsumata, S., Sato, T., and Uustalu, T. (2018). Codensity lifting of monads and its dual. Logical Methods in Computer Science 14 (4).Google Scholar
Kurz, A. and Velebil, J. (2016). Relation lifting, a survey. Journal of Logical and Algebraic Methods in Programming 85 (4) 475–499. Relational and algebraic methods in computer science.CrossRefGoogle Scholar
Liese, F. and Vajda, I. (2006). On divergences and informations in statistics and information theory. IEEE Transactions on Information Theory 52 (10) 43944412.CrossRefGoogle Scholar
Lucassen, J. M. and Gifford, D. K. (1988). Polymorphic effect systems. In Conference Record of the Fifteenth Annual ACM Symposium on Principles of Programming Languages. ACM Press, 4757.CrossRefGoogle Scholar
Mac Lane, S. (1998). Categories for the Working Mathematician (Second Edition), vol. 5. Graduate Texts in Mathematics. Springer.Google Scholar
Mardare, R., Panangaden, P., and Plotkin, G. (2016). Quantitative algebraic reasoning. In Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science, LICS ’16, New York, NY, USA: Association for Computing Machinery, 700–709.CrossRefGoogle Scholar
Mardare, R., Panangaden, P., and Plotkin, G. (2017). On the axiomatizability of quantitative algebras. In 2017 32nd Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), Los Alamitos, CA, USA: IEEE Computer Society, 1–12.CrossRefGoogle Scholar
Mironov, I. (2017). Rényi differential privacy. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF), 263–275.CrossRefGoogle Scholar
Mitchell, J. C. and Scedrov, A. (1992). Notes on sconing and relators. In Computer Science Logic, 6th Workshop, CSL ’92, vol. 702. LNCS. Springer, 352–378.Google Scholar
Moggi, E. (1991). Notions of computation and monads. Information and Computation 93 (1) 5592.CrossRefGoogle Scholar
Morimoto, T. (1963). Markov processes and the H-theorem. Journal of the Physical Society of Japan 18 (3) 328331.CrossRefGoogle Scholar
Nielson, H. R. and Nielson, F. (2007). Semantics with Applications: An Appetizer. Springer-Verlag, Berlin, Heidelberg.CrossRefGoogle Scholar
Olmedo, F. (2014). Approximate Relational Reasoning for Probabilistic Programs. PhD thesis, Technical University of Madrid.Google Scholar
Prasad, S. and Smith, K. A. (2014). A note on differential privacy: Defining resistance to arbitrary side information. Journal of Privacy and Confidentiality 6 (1).Google Scholar
Radiček, I., Barthe, G., Gaboardi, M., Garg, D., and Zuleger, F. (2017). Monadic refinements for relational cost analysis. Proceedings of the ACM on Programming Languages 2 (POPL) 36:1–36:32.CrossRefGoogle Scholar
Reed, J. and Pierce, B. C. (2010). Distance makes the types grow stronger: A calculus for differential privacy. In Proceeding of the 15th ACM SIGPLAN International Conference on Functional Programming, ICFP 2010. ACM, 157168.CrossRefGoogle Scholar
Rutten, J. J. M. M. (1996). Elements of generalized ultrametric domain theory. Theoretical Computer Science 170 (1–2) 349381.CrossRefGoogle Scholar
Sato, T. (2014). Identifying all preorders on the subdistribution monad. In Jacobs, B., Silva, A. , and Staton, S., editors, Proceedings of the 30th Conference on the Mathematical Foundations of Programming Semantics, MFPS 2014, Ithaca, NY, USA, June 12-15, 2014, volume 308 of Electronic Notes in Theoretical Computer Science, pp. 309–327. Elsevier.CrossRefGoogle Scholar
Sato, T. (2016). Approximate relational hoare logic for continuous random samplings. In The Thirty-second Conference on the Mathematical Foundations of Programming Semantics, MFPS 2016, vol. 325. Electronic Notes in Theoretical Computer Science. Elsevier, 277–298.CrossRefGoogle Scholar
Sato, T., Barthe, G., Gaboardi, M., Hsu, J., and Katsumata, S. (2019). Approximate span liftings: Compositional semantics for relaxations of differential privacy. In 34th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2019, 1–14. IEEE.CrossRefGoogle Scholar
Smirnov, A. (2008). Graded monads and rings of polynomials. Journal of Mathematical Sciences, 151:30323051.CrossRefGoogle Scholar
Sprunger, D., Katsumata, S., Dubut, J., and Hasuo, I. (2021). Fibrational bisimulations and quantitative reasoning: Extended version. Journal of Logic and Computation 31 (6) 15261559.CrossRefGoogle Scholar
Street, R. (1972). The formal theory of monads. Journal of Pure and Applied Algebra 2 (2) 149168.CrossRefGoogle Scholar
Wasserman, L. and Zhou, S. (2010). A statistical framework for differential privacy. Journal of the American Statistical Association 105 (489) 375389.CrossRefGoogle Scholar
Zaks, A. and Pnueli, A. (2008). Covac: Compiler validation by program analysis of the cross-product. In Cuellar, J., Maibaum, T. , and Sere, K. (eds.), FM 2008: Formal Methods, Berlin, Heidelberg: Springer Berlin Heidelberg, 3551.CrossRefGoogle Scholar