Abstract
Program sensitivity, also known as Lipschitz continuity, describes how small changes in a program’s input lead to bounded changes in the output. We propose an average notion of program sensitivity for probabilistic programs—expected sensitivity—that averages a distance function over a probabilistic coupling of two output distributions from two similar inputs. By varying the distance, expected sensitivity recovers useful notions of probabilistic function sensitivity, including stability of machine learning algorithms and convergence of Markov chains.
Furthermore, expected sensitivity satisfies clean compositional properties and is amenable to formal verification. We develop a relational program logic called EpRHL for proving expected sensitivity properties. Our logic features two key ideas. First, relational pre-conditions and post-conditions are expressed using distances, a real-valued generalization of typical boolean-valued (relational) assertions. Second, judgments are interpreted in terms of expectation coupling, a novel, quantitative generalization of probabilistic couplings which supports compositional reasoning.
We demonstrate our logic on examples beyond the reach of prior relational logics. Our main example formalizes uniform stability of the stochastic gradient method. Furthermore, we prove rapid mixing for a probabilistic model of population dynamics. We also extend our logic with a transitivity principle for expectation couplings to capture the path coupling proof technique by Bubley and Dyer, and formalize rapid mixing of the Glauber dynamics from statistical physics.
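The following Python is an added illustration, not code from the paper or its EpRHL formalization. It makes the definition in the abstract concrete on a constructed toy program (a "reset" process: with probability p the state returns to 0, otherwise it increments): two runs from nearby inputs are coupled by pairing their random coins, the output distance is averaged over that coupling, and the ratio to the input distance is the expected sensitivity constant the coupling certifies. Two couplings are compared (shared coin versus independent coins) to show that the constant depends on the coupling chosen, and n coupled steps are composed to show the per-step constant compounding. All names, the program and the inputs are assumptions made for this example.

```python
from fractions import Fraction
from itertools import product

# Constructed toy probabilistic program (not from the paper): one step of a
# "reset" process on the integers. With probability p the state resets to 0,
# otherwise it increments. The only randomness is the coin `reset`.
def step(x, reset):
    return 0 if reset else x + 1

def coin_dist(p):
    """Distribution of the coin: True (reset) with probability p."""
    return {True: p, False: 1 - p}

def identity_coupling(p):
    """Couple the two runs by sharing the same coin: mass only on the diagonal."""
    return {(c, c): pr for c, pr in coin_dist(p).items()}

def independent_coupling(p):
    """Couple the two runs by drawing their coins independently (product)."""
    return {(c1, c2): pr1 * pr2
            for (c1, pr1), (c2, pr2) in product(coin_dist(p).items(), repeat=2)}

def is_coupling(joint, p):
    """A joint distribution over coin pairs is a coupling iff both marginals
    equal the coin distribution; this is the side condition every
    coupling-based sensitivity argument has to discharge."""
    left, right = {}, {}
    for (c1, c2), pr in joint.items():
        left[c1] = left.get(c1, 0) + pr
        right[c2] = right.get(c2, 0) + pr
    return left == coin_dist(p) and right == coin_dist(p)

def expected_distance(x1, x2, joint, dist=lambda a, b: abs(a - b)):
    """Expected output distance after one step from inputs x1 and x2,
    averaged over the coupling `joint` of the two runs' random choices."""
    return sum(pr * dist(step(x1, c1), step(x2, c2))
               for (c1, c2), pr in joint.items())

def iterate_expected_distance(x1, x2, p, n):
    """n coupled steps under the identity coupling, propagating the joint
    distribution over state pairs; returns the expected final distance.
    Sequential composition multiplies the per-step constant (1 - p), so the
    result is (1 - p)^n times the input distance."""
    pairs = {(x1, x2): Fraction(1)}
    for _ in range(n):
        nxt = {}
        for (a, b), pr in pairs.items():
            for (c1, c2), q in identity_coupling(p).items():
                key = (step(a, c1), step(b, c2))
                nxt[key] = nxt.get(key, 0) + pr * q
        pairs = nxt
    return sum(pr * abs(a - b) for (a, b), pr in pairs.items())

if __name__ == "__main__":
    p = Fraction(1, 4)
    x1, x2 = 3, 5  # constructed inputs at distance 2
    for name, joint in [("identity", identity_coupling(p)),
                        ("independent", independent_coupling(p))]:
        assert is_coupling(joint, p)
        e = expected_distance(x1, x2, joint)
        print(f"{name:12s} coupling: E[|out1 - out2|] = {e}, "
              f"ratio to input distance = {e / abs(x1 - x2)}")
    print("after 3 coupled steps:", iterate_expected_distance(x1, x2, p, 3))
```

With the shared coin, the expected output distance is (1 - p) times the input distance for every pair of inputs, so the program is expected-sensitive with constant 1 - p < 1, the contractive behaviour behind convergence arguments; with independent coins the average distance depends on the absolute positions and can exceed the input distance. The coupling is therefore part of the proof, which is why the logic described above tracks it explicitly.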
References
- Arthur Azevedo de Amorim, Marco Gaboardi, Emilio Jesús Gallego Arias, and Justin Hsu. 2014. Really natural linear indexed type-checking. In Symposium on Implementation and Application of Functional Programming Languages (IFL), Boston, Massachusetts. ACM Press, 5:1–5:12. http://arxiv.org/abs/1503.04522
- Arthur Azevedo de Amorim, Marco Gaboardi, Justin Hsu, Shin-ya Katsumata, and Ikram Cherigui. 2017. A semantic account of metric preservation. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Paris, France. 545–556.
- Gilles Barthe, François Dupressoir, Sebastian Faust, Benjamin Grégoire, François-Xavier Standaert, and Pierre-Yves Strub. 2016a. Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model. IACR Cryptology ePrint Archive 2016 (2016), 912. http://eprint.iacr.org/2016/912
- Gilles Barthe, François Dupressoir, Benjamin Grégoire, César Kunz, Benedikt Schmidt, and Pierre-Yves Strub. 2013. EasyCrypt: A Tutorial. In Foundations of Security Analysis and Design VII (FOSAD) (Lecture Notes in Computer Science), Vol. 8604. Springer-Verlag, 146–166. Tutorial Lectures.
- Gilles Barthe, Thomas Espitau, Justin Hsu, Tetsuya Sato, and Pierre-Yves Strub. 2017a. ⋆-Liftings for differential privacy. In International Colloquium on Automata, Languages and Programming (ICALP), Warsaw, Poland (Leibniz International Proceedings in Informatics), Vol. 80. Schloss Dagstuhl–Leibniz Center for Informatics, 102:1–102:12. https://arxiv.org/abs/1705.00133
- Gilles Barthe, Noémie Fong, Marco Gaboardi, Benjamin Grégoire, Justin Hsu, and Pierre-Yves Strub. 2016b. Advanced Probabilistic Couplings for Differential Privacy. In ACM SIGSAC Conference on Computer and Communications Security (CCS), Vienna, Austria. 55–67.
- Gilles Barthe, Marco Gaboardi, Emilio Jesús Gallego Arias, Justin Hsu, Aaron Roth, and Pierre-Yves Strub. 2015. Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential Privacy. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Mumbai, India. 55–68.
- Gilles Barthe, Marco Gaboardi, Emilio Jesús Gallego Arias, Justin Hsu, Aaron Roth, and Pierre-Yves Strub. 2016c. Computer-aided verification in mechanism design. In Conference on Web and Internet Economics (WINE), Montréal, Québec. http://arxiv.org/abs/1502.04052
- Gilles Barthe, Marco Gaboardi, Benjamin Grégoire, Justin Hsu, and Pierre-Yves Strub. 2016d. Proving Differential Privacy via Probabilistic Couplings. In IEEE Symposium on Logic in Computer Science (LICS), New York, New York. 749–758.
- Gilles Barthe, Benjamin Grégoire, Justin Hsu, and Pierre-Yves Strub. 2017b. Coupling proofs are probabilistic product programs. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Paris, France. http://arxiv.org/abs/1607.03455
- Gilles Barthe, Benjamin Grégoire, and Santiago Zanella-Béguelin. 2009. Formal Certification of Code-Based Cryptographic Proofs. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Savannah, Georgia. New York, 90–101. http://certicrypt.gforge.inria.fr/2013.Journal.pdf
- Gilles Barthe, Boris Köpf, Federico Olmedo, and Santiago Zanella Béguelin. 2012. Probabilistic relational reasoning for differential privacy. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Philadelphia, Pennsylvania. 97–110.
- Gilles Barthe and Federico Olmedo. 2013. Beyond Differential Privacy: Composition Theorems and Relational Logic for f-divergences between Probabilistic Programs. In International Colloquium on Automata, Languages and Programming (ICALP), Riga, Latvia (Lecture Notes in Computer Science), Vol. 7966. Springer-Verlag, 49–60. http://certicrypt.gforge.inria.fr/2013.ICALP.pdf
- A. T. Bharucha-Reid et al. 1976. Fixed point theorems in probabilistic analysis. Bull. Amer. Math. Soc. 82, 5 (1976), 641–657.
- Olivier Bousquet and André Elisseeff. 2002. Stability and Generalization. Journal of Machine Learning Research 2 (2002), 499–526. http://www.jmlr.org/papers/v2/bousquet02a.html
- Russ Bubley and Martin Dyer. 1997. Path coupling: A technique for proving rapid mixing in Markov chains. In IEEE Symposium on Foundations of Computer Science (FOCS), Miami Beach, Florida. 223–231.
- Swarat Chaudhuri, Sumit Gulwani, and Roberto Lublinerman. 2010. Continuity analysis of programs. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Madrid, Spain. 57–70.
- Narendra M. Dixit, Piyush Srivastava, and Nisheeth K. Vishnoi. 2012. A finite population model of molecular evolution: Theory and computation. Journal of Computational Biology 19, 10 (2012), 1176–1202.
- Hassan Eldib, Chao Wang, Mostafa M. I. Taha, and Patrick Schaumont. 2015. Quantitative Masking Strength: Quantifying the Power Side-Channel Resistance of Software Code. IEEE Transactions on CAD of Integrated Circuits and Systems 34, 10 (2015), 1558–1568.
- André Elisseeff, Theodoros Evgeniou, and Massimiliano Pontil. 2005. Stability of Randomized Learning Algorithms. Journal of Machine Learning Research 6 (2005), 55–79. http://www.jmlr.org/papers/v6/elisseeff05a.html
- Marco Gaboardi, Andreas Haeberlen, Justin Hsu, Arjun Narayan, and Benjamin C. Pierce. 2013. Linear dependent types for differential privacy. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Rome, Italy. 357–370. http://dl.acm.org/citation.cfm?id=2429113
- Moritz Hardt, Ben Recht, and Yoram Singer. 2016. Train faster, generalize better: Stability of stochastic gradient descent. In International Conference on Machine Learning (ICML), New York, NY (Journal of Machine Learning Research), Vol. 48. JMLR.org, 1225–1234. http://jmlr.org/proceedings/papers/v48/hardt16.html
- Daniel L. Hartl and Andrew G. Clark. 2006. Principles of Population Genetics (fourth ed.). Sinauer Associates.
- Justin Hsu. 2017. Probabilistic Couplings for Probabilistic Reasoning. Ph.D. Dissertation. University of Pennsylvania. arXiv: cs.LO/1710.09951. https://arxiv.org/abs/1710.09951
- Xiaowei Huang, Marta Kwiatkowska, Sen Wang, and Min Wu. 2017. Safety Verification of Deep Neural Networks. In International Conference on Computer Aided Verification (CAV), Heidelberg, Germany (Lecture Notes in Computer Science), Rupak Majumdar and Viktor Kuncak (Eds.), Vol. 10426. Springer-Verlag, 3–29.
- Thomas Jansen. 2013. Analyzing Evolutionary Algorithms: The Computer Science Perspective. Springer-Verlag.
- Mark Jerrum. 1995. A Very Simple Algorithm for Estimating the Number of k-Colorings of a Low-Degree Graph. Random Structures and Algorithms 7, 2 (1995), 157–166.
- Benjamin Lucien Kaminski, Joost-Pieter Katoen, Christoph Matheja, and Federico Olmedo. 2016. Weakest Precondition Reasoning for Expected Run-Times of Probabilistic Programs. In European Symposium on Programming (ESOP), Eindhoven, The Netherlands (Lecture Notes in Computer Science), Vol. 9632. Springer-Verlag, 364–389.
- Guy Katz, Clark W. Barrett, David L. Dill, Kyle Julian, and Mykel J. Kochenderfer. 2017. Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks. In International Conference on Computer Aided Verification (CAV), Heidelberg, Germany (Lecture Notes in Computer Science), Rupak Majumdar and Viktor Kuncak (Eds.), Vol. 10426. Springer-Verlag, 97–117.
- Dexter Kozen. 1979. Semantics of probabilistic programs. In IEEE Symposium on Foundations of Computer Science (FOCS), San Juan, Puerto Rico. 101–114.
- Dexter Kozen. 1985. A Probabilistic PDL. J. Comput. System Sci. 30, 2 (1985), 162–178.
- Torgny Lindvall. 2002. Lectures on the coupling method. Courier Corporation.
- Carroll Morgan, Annabelle McIver, and Karen Seidel. 1996. Probabilistic Predicate Transformers. ACM Transactions on Programming Languages and Systems 18, 3 (1996), 325–353.
- Ioannis Panageas, Piyush Srivastava, and Nisheeth K. Vishnoi. 2016. Evolutionary Dynamics in Finite Populations Mix Rapidly. In ACM–SIAM Symposium on Discrete Algorithms (SODA), Arlington, Virginia. 480–497.
- Jason Reed and Benjamin C. Pierce. 2010. Distance Makes the Types Grow Stronger: A Calculus for Differential Privacy. In ACM SIGPLAN International Conference on Functional Programming (ICFP), Baltimore, Maryland. http://dl.acm.org/citation.cfm?id=1863568
- Tetsuya Sato. 2016. Approximate Relational Hoare Logic for Continuous Random Samplings. In Conference on the Mathematical Foundations of Programming Semantics (MFPS), Pittsburgh, Pennsylvania. http://arxiv.org/abs/1603.01445
- Daniel Selsam, Percy Liang, and David L. Dill. 2017. Developing Bug-Free Machine Learning Systems With Formal Mathematics. In International Conference on Machine Learning (ICML), Sydney, Australia (Proceedings of Machine Learning Research), Doina Precup and Yee Whye Teh (Eds.), Vol. 70. 3047–3056. http://proceedings.mlr.press/v70/selsam17a.html
- Ohad Shamir. 2016. Without-Replacement Sampling for Stochastic Gradient Methods: Convergence Results and Application to Distributed Optimization. CoRR abs/1603.00570 (2016). http://arxiv.org/abs/1603.00570
- Hermann Thorisson. 2000. Coupling, Stationarity, and Regeneration. Springer-Verlag.
- Cédric Villani. 2008. Optimal transport: Old and new. Springer-Verlag.
- Nisheeth K. Vishnoi. 2015. The Speed of Evolution. In ACM–SIAM Symposium on Discrete Algorithms (SODA), San Diego, California. 1590–1601.
- Daniel Winograd-Cort, Andreas Haeberlen, Aaron Roth, and Benjamin C. Pierce. 2017. A framework for adaptive differential privacy. In ACM SIGPLAN International Conference on Functional Programming (ICFP), Oxford, England. 10:1–10:29. https://dl.acm.org/citation.cfm?id=3110254
Proving expected sensitivity of probabilistic programs