Relational ⋆-Liftings for Differential Privacy

Authors: Gilles Barthe, Thomas Espitau, Justin Hsu, Tetsuya Sato and Pierre-Yves Strub
Journal: Log. Methods Comput. Sci.
Recent developments in formal verification have identified approximate liftings (also known as approximate couplings) as a clean, compositional abstraction for proving differential privacy. This construction can be defined in two styles. Earlier definitions require the existence of one or more witness distributions, while a recent definition by Sato uses universal quantification over all sets of samples. These notions each have their own strengths: the universal version is more general…


Contextual Linear Types for Differential Privacy
Jazz, a language and type system which uses linear types and latent contextual effects to support both advanced variants of differential privacy and higher order programming, achieves higher precision than prior work for a large class of programming patterns.
Certifying Certainty and Uncertainty in Approximate Membership Query Structures
This work describes the framework for systematic decomposition of AMQs and their properties into a series of interfaces and reusable components and provides a library of domain-specific theorems and tactics that allow a high degree of automation in probabilistic proofs.
DDUO: General-Purpose Dynamic Analysis for Differential Privacy
The novel core of the DDuo system is formalized and proved sound for sensitivity analysis via a logical relation for metric preservation; DDuo's usability and flexibility are illustrated through case studies that implement state-of-the-art machine learning algorithms.
Chorus: a Programming Framework for Building Scalable Differential Privacy Mechanisms
The use of Chorus is demonstrated to build the first highly scalable implementations of complex mechanisms like Weighted PINQ, MWEM, and the matrix mechanism, based on cooperation between the mechanism itself and a high-performance production database management system.
Nawrotzki's Algorithm for the Countable Splitting Lemma, Constructively
The countable splitting lemma is reproved by adapting Nawrotzki's algorithm, which produces a sequence that converges to a solution and is constructive in the sense that each term of the iteratively built approximating sequence, as well as the error between the approximants and the solution, is computable with finitely many algebraic operations.
Synthesizing coupling proofs of differential privacy
This work presents a push-button, automated technique for verifying ε-differential privacy of sophisticated randomized algorithms, and provides the first automated privacy proofs for a number of challenging algorithms from the differential privacy literature, including Report Noisy Max, the Exponential Mechanism, and the Sparse Vector Mechanism.
Beyond Differential Privacy: Composition Theorems and Relational Logic for f-divergences between Probabilistic Programs
This paper observes that the notion of α-distance used to characterize approximate differential privacy is an instance of the family of f-divergences, and proposes a relational program logic to prove upper bounds for the f-Divergence between two probabilistic programs.
Advanced Probabilistic Couplings for Differential Privacy
A new formalism is presented that extends apRHL, a relational program logic used for proving differential privacy of non-interactive algorithms, and incorporates aHL, a (non-relational) program logic for accuracy properties; the paper exemplifies three classes of algorithms and explores new variants of the Sparse Vector technique.
Proving Differential Privacy via Probabilistic Couplings
This paper develops compositional methods for formally verifying differential privacy for algorithms whose analysis goes beyond the composition theorem, based on deep connections between differential privacy and probabilistic couplings, an established mathematical tool for reasoning about stochastic processes.
Probabilistic Relational Reasoning for Differential Privacy
The central component of CertiPriv is a quantitative extension of probabilistic relational Hoare logic that enables one to derive differential privacy guarantees for programs from first principles, and provides the first machine-checked proofs of correctness of the Laplacian, Gaussian, and exponential mechanisms and of the privacy of randomized and streaming algorithms from the literature.
Concentrated Differential Privacy: Simplifications, Extensions, and Lower Bounds
This work presents an alternative formulation of the concept of concentrated differential privacy in terms of the Rényi divergence between the distributions obtained by running an algorithm on neighboring inputs, which yields sharper quantitative results, establishes lower bounds, and raises a few new questions.
Programming language techniques for differential privacy
This paper presents a rigorous framework for stating and enforcing privacy guarantees on computations over sensitive data, and some examples show how this approach becomes unfeasible when larger programs are considered.
Coupling, stationarity, and regeneration
Contents (excerpt): 1 Random Variables: 1 Introduction; 2 The i.i.d. Coupling - Positive Correlation; 3 Quantile Coupling - Stochastic Domination; 4 Coupling Event - Maximal Coupling; 5 Poisson Approximation -
Approximate Relational Reasoning for Probabilistic Programs
Verified security is a methodology for proving security properties of computer systems that stands out for the high correctness guarantees it provides. The systems