|
| 1 | +======================================================================== |
| 2 | +Tactic: `rnd` |
| 3 | +======================================================================== |
| 4 | + |
| 5 | +In EasyCrypt, the `rnd` tactic is a way of reasoning about program(s) |
| 6 | +that use random sampling statements, i.e., statements of the form |
| 7 | +`x <$ dX;` where `x` is an assigned variable and `dX` is a distribution. |
| 8 | + |
| 9 | +Intuitively, the tactic exposes a probabilistic weakest precondition for |
| 10 | +the sampling statement. |
| 11 | +Therefore, EasyCrypt allows you to apply this rule only when the program |
| 12 | +ends with a sampling statement. |
| 13 | +If the sampling appears deeper in the code, you can first use the `seq` |
| 14 | +tactic (or another tactic such as `wp` that eliminates the subsequent statements) |
| 15 | +to separate the subsequent statements from the conditional. |
| 16 | +Samplings can also be moved earlier or later in the program using the |
| 17 | +`swap` tactic, which can be used to reorder adjacent statements that do |
| 18 | +not have data dependencies. |
| 19 | + |
| 20 | +In the one-sided setting, i.e., in (probabilistic) Hoare logic the tactic allows |
| 21 | +you to reason about the probability that the sampling yields a value satisfying |
| 22 | +a certain property (in pHL) or to simply quantify over all possible sampled |
| 23 | +values (in HL). |
| 24 | +In the two-sided setting, i.e., in probabilistic relational Hoare logic, |
| 25 | +the tactic allows you to couple the two samplings and establish a relation |
| 26 | +between the two sampled values. |
| 27 | + |
| 28 | +.. contents:: |
| 29 | + :local: |
| 30 | + |
| 31 | +------------------------------------------------------------------------ |
| 32 | +Variant: `rnd` (HL) |
| 33 | +------------------------------------------------------------------------ |
| 34 | + |
| 35 | +If the conclusion is an Hoare logic statement judgement whose program ends |
| 36 | + with a random assignment, then `rnd` consumes that random assignment, |
| 37 | + replacing the conclusion's postcondition by the possibilistic |
| 38 | + weakest precondition of the random assignment. |
| 39 | + |
| 40 | +.. ecproof:: |
| 41 | + :title: Hoare logic example |
| 42 | + |
| 43 | + require import AllCore Distr DBool. |
| 44 | + |
| 45 | + module M = { |
| 46 | + proc f() : bool = { |
| 47 | + var y : bool; |
| 48 | + |
| 49 | + y <$ {0,1}; |
| 50 | + |
| 51 | + return (y && !y); |
| 52 | + } |
| 53 | + }. |
| 54 | + |
| 55 | + pred p : glob M. |
| 56 | + |
| 57 | + lemma L : hoare[M.f : p (glob M) ==> !res]. |
| 58 | + proof. |
| 59 | + proc. |
| 60 | + (*$*)rnd. |
| 61 | + (* The post is now quantified over all `y`, in a context where |
| 62 | + `y` is known to have been sampled from the uniform distribution |
| 63 | + over {0,1}. *) |
| 64 | + skip;smt(). |
| 65 | + qed. |
| 66 | +
|
| 67 | + |
| 68 | +------------------------------------------------------------------------ |
| 69 | +Variant: `rnd` (pHL exact) |
| 70 | +------------------------------------------------------------------------ |
| 71 | + |
| 72 | +If the conclusion is a probabilistic Hoare logic statement judgement whose program ends |
| 73 | + with a random assignment, then `rnd` consumes that random assignment, |
| 74 | + replacing the conclusion's postcondition by the probabilistic |
| 75 | + weakest precondition of the random assignment. |
| 76 | + |
| 77 | + This weakest precondition is defined with respect to an event `E`, |
| 78 | + which can be provided explicitly. When $E$ is not |
| 79 | + specified, it is inferred from the current postcondition. |
| 80 | + |
| 81 | +.. ecproof:: |
| 82 | + :title: Probabilistic Hoare logic example (exact probability) |
| 83 | + |
| 84 | + require import AllCore Distr DBool Real. |
| 85 | + |
| 86 | + module M = { |
| 87 | + proc f(x : bool) : bool = { |
| 88 | + var y : bool; |
| 89 | + |
| 90 | + y <$ {0,1}; |
| 91 | + |
| 92 | + return (x = y); |
| 93 | + } |
| 94 | + }. |
| 95 | + |
| 96 | + pred p : glob M. |
| 97 | + |
| 98 | + lemma L : phoare [M.f : p (glob M) ==> res] = (1%r/2%r). |
| 99 | + proof. |
| 100 | + proc. |
| 101 | + (*$*)rnd (fun _y => _y = x). |
| 102 | + (* The post now has two clauses, the first is to prove the |
| 103 | + exact probability of the event, and the second one is to |
| 104 | + prove that the event holding is equivalent to the |
| 105 | + previous postcondition. *) |
| 106 | + skip => *;split. |
| 107 | + + by exact dbool1E. |
| 108 | + by smt(). |
| 109 | + qed. |
| 110 | +
|
| 111 | +------------------------------------------------------------------------ |
| 112 | +Variant: `rnd` (pHL upper bound) |
| 113 | +------------------------------------------------------------------------ |
| 114 | + |
| 115 | +If the conclusion is a probabilistic Hoare logic statement judgement whose program ends |
| 116 | + with a random assignment, then `rnd` consumes that random assignment, |
| 117 | + replacing the conclusion's postcondition by the probabilistic |
| 118 | + weakest precondition of the random assignment. |
| 119 | + |
| 120 | + This weakest precondition is defined with respect to an event `E`, |
| 121 | + which can be provided explicitly. When `E`` is not |
| 122 | + specified, it is inferred from the current postcondition. |
| 123 | + |
| 124 | +.. ecproof:: |
| 125 | + :title: Probabilistic Hoare logic example (upper bound) |
| 126 | + |
| 127 | + require import AllCore Distr DBool Real. |
| 128 | + |
| 129 | + module M = { |
| 130 | + proc f(x : bool) : bool = { |
| 131 | + var y : bool; |
| 132 | + |
| 133 | + y <$ {0,1}; |
| 134 | + |
| 135 | + return (x = y); |
| 136 | + } |
| 137 | + }. |
| 138 | + |
| 139 | + pred p : glob M. |
| 140 | + |
| 141 | + lemma L : phoare [M.f : p (glob M) ==> res] <= (1%r/2%r). |
| 142 | + proof. |
| 143 | + proc. |
| 144 | + (*$*)rnd (fun _y => _y = x). |
| 145 | + (* The post now has two clauses, the first is to prove the |
| 146 | + probability upper bound on the event, and the second one is to |
| 147 | + prove that the event holding implies the |
| 148 | + previous postcondition. *) |
| 149 | + skip => *;split. |
| 150 | + + by smt(dbool1E). |
| 151 | + by smt(). |
| 152 | + qed. |
| 153 | +
|
| 154 | + |
| 155 | +------------------------------------------------------------------------ |
| 156 | +Variant: `rnd` (pRHL) |
| 157 | +------------------------------------------------------------------------ |
| 158 | + |
| 159 | +In probabilistic relational Hoare logic, if the conclusion |
| 160 | +is a judgement whose programs end with random |
| 161 | +assignments `x1 <$ d1` and `x2 <$ d2`, and `f` and `g` are functions |
| 162 | +between the types of `x_1` and `x_2`, then `rnd` consumes those random |
| 163 | +assignments, replacing the conclusion's postcondition by the probabilistic |
| 164 | +weakest precondition of |
| 165 | +the random assignments wrt. `f` and `g`. The new postcondition checks that: |
| 166 | + |
| 167 | +- `f` and `g` are an isomorphism between the distributions `d1` and `d2`; |
| 168 | +- for all elements `u` in the support of `d1`, the result of substituting `u` and `f u` for `x1` and `x2` in the conclusion's original postcondition holds. |
| 169 | + |
| 170 | +When `g` is `f`, it can be omitted. When `f` is the identity, it |
| 171 | +can be omitted. |
| 172 | + |
| 173 | +.. ecproof:: |
| 174 | + :title: Relational Hoare logic example |
| 175 | + |
| 176 | + require import AllCore Distr DBool. |
| 177 | + |
| 178 | + module M = { |
| 179 | + proc f1(x : bool) : bool = { |
| 180 | + var y : bool; |
| 181 | + |
| 182 | + y <$ {0,1}; |
| 183 | + |
| 184 | + return (x = y); |
| 185 | + } |
| 186 | + |
| 187 | + proc f2(x : bool) : bool = { |
| 188 | + var y : bool; |
| 189 | + |
| 190 | + y <$ {0,1}; |
| 191 | + |
| 192 | + return (x = !y); |
| 193 | + } |
| 194 | + |
| 195 | + }. |
| 196 | + |
| 197 | + pred p : glob M. |
| 198 | + |
| 199 | + lemma L : equiv [M.f1 ~ M.f2 : ={x} ==> res{1} = res{2}]. |
| 200 | + proof. |
| 201 | + proc. |
| 202 | + (*$*)rnd (fun _y => !_y). |
| 203 | + (* The post now has two clauses, the first is to prove that |
| 204 | + `f` is an involution, and the second one is to |
| 205 | + prove that the previous post-condition holds under the |
| 206 | + coupling established by `f`. *) |
| 207 | + skip => *;split. |
| 208 | + + by smt(). |
| 209 | + by smt(). |
| 210 | + qed. |
| 211 | +
|
| 212 | + |
| 213 | + |
| 214 | + |
| 215 | +------------------------------------------------------------------------ |
| 216 | +Variant: `rnd {side}` (pRHL) |
| 217 | +------------------------------------------------------------------------ |
| 218 | + |
| 219 | +In the one-sided `rnd` tactic used in pRHL, the user specifies whether |
| 220 | +the random sampling to be consumed on the left or the right |
| 221 | +program. Then, if the conclusion is a judgement whose `{side}` program |
| 222 | +ends with a random assignment, the new post condition requires to prove that for |
| 223 | +all elements `u` in the support of the distribution, the result of substituting |
| 224 | +`u` for the assigned variable (in the correct `{side`} in the conclusion's |
| 225 | +original postcondition holds. Furthermore, the new postcondition also requires to prove |
| 226 | +that the sampling of the assigned variable doesn't fail, i.e. that the distribution |
| 227 | +weight is 1. In other words, we get a possibilistic weakest precondition for |
| 228 | +the sampling statement on the `{side}` program. |
| 229 | + |
| 230 | +.. ecproof:: |
| 231 | + :title: One-sided Relational Hoare logic example |
| 232 | + |
| 233 | + require import AllCore Distr DBool. |
| 234 | + |
| 235 | + op dB : bool distr. |
| 236 | + |
| 237 | + module M = { |
| 238 | + proc f1(x : bool) : bool = { |
| 239 | + var y : bool; |
| 240 | + |
| 241 | + y <$ dB; |
| 242 | + |
| 243 | + return (x && y); |
| 244 | + } |
| 245 | + |
| 246 | + proc f2(x : bool) : bool = { |
| 247 | + |
| 248 | + return (x); |
| 249 | + } |
| 250 | + |
| 251 | + }. |
| 252 | + |
| 253 | + pred p : glob M. |
| 254 | + |
| 255 | + lemma L : |
| 256 | + weight dB = 1%r => |
| 257 | + equiv [M.f1 ~ M.f2 : ={x} /\ !x{1} ==> res{1} = res{2}]. |
| 258 | + proof. |
| 259 | + move => HdB. |
| 260 | + proc. |
| 261 | + (*$*)rnd {1}. |
| 262 | + (* The post now has two clauses, the first is to prove that |
| 263 | + the distribution is lossless, and the second one is to |
| 264 | + prove that the previous post-condition holds for all possible |
| 265 | + sampling outputs. EasyCrypt may automatically detect that |
| 266 | + a losslessness assumption exists and discharges that goal |
| 267 | + automatically. *) |
| 268 | + skip => *;split. |
| 269 | + + by smt(). |
| 270 | + by smt(). |
| 271 | + qed. |
| 272 | +
|
| 273 | +------------------------------------------------------------------------ |
| 274 | +Variant: `rnd` (eHL) |
| 275 | +------------------------------------------------------------------------ |
| 276 | + |
| 277 | +If the conclusion is an expectation Hoare logic statement judgement whose |
| 278 | +program ends with a random assignment, then `rnd` consumes that random |
| 279 | +assignment, and replaces the postcondition by the expectation of the original |
| 280 | +postcondition in the distribution of the sampled variable. |
| 281 | + |
| 282 | +.. ecproof:: |
| 283 | + :title: Expectation Hoare logic example |
| 284 | + |
| 285 | + require import AllCore Distr DBool Real Xreal. |
| 286 | + |
| 287 | + module M = { |
| 288 | + proc f(x : bool) : bool = { |
| 289 | + var y : bool; |
| 290 | + |
| 291 | + y <$ {0,1}; |
| 292 | + |
| 293 | + return (x = y); |
| 294 | + } |
| 295 | + }. |
| 296 | + |
| 297 | + pred p : glob M. |
| 298 | + |
| 299 | + lemma L : ehoare [M.f : (1%r/2%r)%xr ==> res%xr]. |
| 300 | + proof. |
| 301 | + proc. |
| 302 | + (*$*)rnd. |
| 303 | + (* The post is now an expectation. *) |
| 304 | + skip => *;rewrite Ep_dbool;smt(). |
| 305 | + qed. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments