Divergences on Monads for Relational Program Logics

We next introduce the category ${\bf BRel}(\mathbb{C})$ of binary relations over $\mathbb{C}$-objects. This category is equivalent to subscones of $\mathbb{C}^{2}$ ([41]). It offers an underlying category for relational reasoning about programs interpreted in $\mathbb{C}$.

• •

  An object in ${\bf BRel}(\mathbb{C})$ is a triple $(I_{1},I_{2},R)$ where $R\subseteq UI\times UJ$.

• •

  A morphism from $(I_{1},I_{2},R)$ to $(J_{1},J_{2},S)$ in ${\bf BRel}(\mathbb{C})$ is a pair of $\mathbb{C}$-morphisms $f_{1}\colon I_{1}\rightarrow J_{1}$ and $f_{2}\colon I_{2}\rightarrow J_{2}$ such that for any $(i_{1},i_{2})\in R$, we have $(f_{1}\mathbin{\bullet}i_{1},f_{2}\mathbin{\bullet}i_{2})\in S$.

When $X$ is a name of a ${\bf BRel}(\mathbb{C})$-object, by $X_{1},X_{2}$ we mean its first and second component, and by $R_{X}$ we mean its third component; so $X=(X_{1},X_{2},R_{X})$. By $(x_{1},x_{2})\in X$ we mean $(x_{1},x_{2})\in R_{X}$. For objects $X,Y\in{\bf BRel}(\mathbb{C})$ and a morphism $(f_{1},f_{2})\colon(X_{1},X_{2})\to(Y_{1},Y_{2})$ in $\mathbb{C}^{2}$, by

we mean that $(f_{1},f_{2})\in{\bf BRel}(\mathbb{C})(X,Y)$, that is, for any $(x_{1},x_{2})\in X$, we have $(f_{1}\mathbin{\bullet}x_{1},f_{2}\mathbin{\bullet}x_{2})\in Y$. We say that $X\in{\bf BRel}(\mathbb{C})$ is an endorelation (over $I$) if $X_{1}=X_{2}(=I)$.

We next define the forgetful functor $p_{\mathbb{C}}:{\bf BRel}(\mathbb{C})\to{\mathbb{C}}^{2}$ by

For $(I_{1},I_{2})\in\mathbb{C}^{2}$, by ${\bf BRel}(\mathbb{C})_{(I_{1},I_{2})}$ we mean the complete boolean algebra $\{X\in{\bf BRel}(\mathbb{C})~{}|~{}X_{1}=I_{1}\wedge X_{2}=I_{2}\}$ with the order given by $X\leq Y\iff R_{X}\subseteq R_{Y}$.

When $\mathbb{C}$ is a C(C)C, so is ${\bf BRel}(\mathbb{C})$ [41, Proposition 4.3]. We specify a final object, a binary product functor and an exponential functor (in case $\mathbb{C}$ is a CCC) on ${\bf BRel}(\mathbb{C})$ by:

To aid in understanding the $E$-unit reflexivity and $E$-composability conditions, we illustrate a few divergences on an elementary monad: the cost count monad $T=\mathbb{N}\times-$ on ${\bf Set}$. Its unit and Kleisli extension are defined by

The monad $T$ can be used to record the cost incurred by deterministic computations. For instance, consider the quick sort algorithm $\mathsf{qsort}$ and the insertion sort algorithm $\mathsf{isort}$, both of which are modified so that they tick a count whenever they compare two elements to be sorted. These two modified sort programs are interpreted as functions $[\![\mathsf{qsort}]\!],[\![\mathsf{isort}]\!]\colon\mathbb{N}^{*}\to T(\mathbb{N}^{*})$, so that the first component of $[\![\mathsf{qsort}]\!](x)$ and that of $[\![\mathsf{isort}]\!](x)$ report the number of comparisons performed during sorting $x$.

We first define an $\mathcal{N}$-divergence $\mathsf{C}_{I}$ on $TI$, for each $I\in{\bf Set}$, by

This divergence $\mathsf{C}_{I}$ computes the difference of costs between two computations $(i,x),(j,y)\in TI$, ignoring their return values. The family $\mathsf{C}=\{\mathsf{C}_{I}\}_{I\in{\bf Set}}$ forms a ${\color[rgb]{0,0,0}\mathrm{Top}}$-relative $\mathcal{N}$-divergence on $T$. The ${\color[rgb]{0,0,0}\mathrm{Top}}$-unit reflexivity of $\mathsf{C}$ means that the difference of costs between pure computations is zero:

The ${\color[rgb]{0,0,0}\mathrm{Top}}$-composability of $\mathsf{C}$ says that we can limit the cost difference of two runs of programs $f^{\sharp}(i,x)$ and $g^{\sharp}(j,y)$ by the sum of cost difference of the preceding computations $(i,x),(j,y)$ and that of two programs $f,g\colon I\to TJ$. The latter is measured by taking the sup of cost difference of $f(x)$ and $g(y)$, where $(x,y)$ range over the basic endorelation ${\color[rgb]{0,0,0}\mathrm{Top}}I$.

We remark that $\mathsf{C}$ is not an ${\color[rgb]{0,0,0}\mathrm{Eq}}$-relative $\mathcal{N}$-divergence on $T$ because the ${\color[rgb]{0,0,0}\mathrm{Eq}}$-composability fails: when $f(x)=(0,w)$, $f(y)=(1,w)$ and $f(z)=(0,v)$ (for $z\neq x,y$) we have $\mathsf{C}_{I}((0,x),(0,y))=0$ and $\sup_{(x,y)\in{\color[rgb]{0,0,0}\mathrm{Eq}}I}\mathsf{C}_{J}(f(x),f(y))=0$, but we have $\mathsf{C}_{J}(f^{\sharp}(0,x),f^{\sharp}(0,y))=\mathsf{C}_{J}((0,w),(1,w))=1$.

Alternatively, we may consider the following $\mathcal{N}$-divergence $\mathsf{C}^{\prime}_{I}$ on $TI$ for each $I\in{\bf Set}$:

This divergence is sensitive on return values of computations. When return values of two computations agree, $\mathsf{C}^{\prime}$ measures the cost difference as done in $\mathsf{C}$, but when they do not agree, the cost difference is judged as $\infty$. This divergence is an ${\color[rgb]{0,0,0}\mathrm{Eq}}$-relative $\mathcal{N}$-divergence on $T$.

Deterministic and nondeterministic computations with cost counting can be respectively modeled by the monads $(\mathbb{N}\times-)$ and $P(\mathbb{N}\times-)$ on ${\bf Set}$.

We define the divergences for cost difference as in Table 1. These divergences extract the upper bound of cost difference between two computations. The divergences $\mathsf{C}$ and $\mathsf{NC}$ measure the usual distance of costs for deterministic and nondeterministic computations respectively. The divergence $\mathsf{NCI}$ measures the subtraction of costs of two nondeterministic computations. For results of two nondeterministic computations $A,B\in P(\mathbb{N}\times I)$, the divergence $\mathsf{NCI}_{I}(A,B)$ is an upper bound of $i-j$ for all possible choices of $(i,x)\in A$ and $(j,y)\in B$, where a lower bound of $i-j$ is also given by $-\mathsf{NCI}_{I}(B,A)$. The same idea to measure the difference of costs between two programs by subtraction also appears in ([18, 47]). If either $A$ or $B$ is empty, we fail to get an information of costs. We then have $\mathsf{NCI}_{I}(A,B)=-\infty$. On the other hand, if both $A$ and $B$ are not empty, their cost intervals are defined by

We then have $\mathsf{NCI}_{I}(A,B)=h_{A}-l_{B}$ and $-\mathsf{NCI}_{I}(B,A)=l_{A}-h_{B}$.

Differential privacy (DP for short) is a quantitative definition of privacy of randomized queries in databases. DP is based on the idea of noise-adding anonymization against background-knowledge attacks. In the study of DP, a query is modeled by a measurable function $c\colon I\to GJ$, where $I$ and $J$ are measurable spaces of inputs and outputs respectively, and $GJ$ is the measurable space of all probability measures over $J$; here $G$ itself refers to the Giry monad ([26]; see also Section 13).

To express this definition in terms of divergence on monad, we introduce a doubly-indexed family of $\mathcal{R}^{+}$-divergence $\mathsf{DP}=\{\mathsf{DP}_{J}^{\varepsilon}\}_{\varepsilon\in[0,\infty],J\in{\bf Meas}}$ on $GJ$ by

Then the query $c\colon I\to GJ$ satisfies $(\varepsilon,\delta)$-DP if and only if

The pair $(\varepsilon,\delta)$ indicates the difference between output probability distributions $c(d_{1})$ and $c(d_{2})$ of the query $c$ for given datasets $d_{1}$ and $d_{2}$. Intuitively, the parameter $\varepsilon$ is an upper bound of the ratio $\Pr[c(d_{1})=s]/\Pr[c(d_{2})=s]$ of probabilities which indicates the leakage of privacy. If $\varepsilon$ is large, attackers can distinguish the datasets $d_{1}$ and $d_{2}$ from the outputs of the query $c$. The parameter $\delta$ is the probability of failure of privacy protection.

The family $\mathsf{DP}$ forms an ${\color[rgb]{0,0,0}\mathrm{Eq}}$-relative $\mathcal{R}^{+}$-graded $\mathcal{R}^{+}$-divergence on the Giry monad $G$ [52, Lemma 6]. This is proved by extending the composability of the divergence for DP on discrete probability distributions shown as [12, Lemmas 3 and 6] and [13, Proposition 5], based on the composition theorem of DP [22, Section 3.5].

The conditions in Definition 6 on $\mathsf{DP}$ corresponds to the following basic properties of DP:

(monotonicity)

The monotonicity of $\mathsf{DP}$ corresponds to weakening the differential privacy of queries: if $c$ satisfies $(\varepsilon,\delta)$-DP and $\varepsilon\leq\varepsilon^{\prime}$ and $\delta\leq\delta^{\prime}$ holds, then $c$ satisfies $(\varepsilon^{\prime},\delta^{\prime})$-DP.

(${\color[rgb]{0,0,0}\mathrm{Eq}}$-unit reflexivity)

The ${\color[rgb]{0,0,0}\mathrm{Eq}}$-unit reflexivity of $\mathsf{DP}$ implies $\mathsf{DP}_{J}^{0}(\eta_{J}\circ h(x),\eta_{J}\circ h(x))=0$ for any measurable function $h\colon I\to J$ and $x\in I$. This, together with the composability below, ensures the robustness of DP of a query $c\colon I\to GJ$ with respect to deterministic postprocessing:

$$\forall{h:J\to K}~{}.~{}\text{$c$ is $(\epsilon,\delta)$-DP}\implies\text{$Gh\circ c$ is $(\epsilon,\delta)$-DP}.$$

(2)

In fact, the divergence $\mathsf{DP}$ is reflexive: we have $\mathsf{DP}_{J}^{0}(\mu,\mu)=0$ for every $\mu\in GJ$. Therefore $h\colon J\to K$ and $Gh$ in (2) can be replaced by $h\colon J\to GK$ and $h^{\sharp}$; the replaced condition states the robustness of DP of a query with respect to probabilistic postprocessing.

(${\color[rgb]{0,0,0}\mathrm{Eq}}$-composability)

The ${\color[rgb]{0,0,0}\mathrm{Eq}}$-composability of $\mathsf{DP}$ corresponds to the known property of DP called the sequential composition theorem ([22]). If $c_{1}\colon I\to GJ^{\prime}$ and $c_{2}\colon J^{\prime}\to GJ$ are $(\varepsilon_{1},\delta_{1})$-DP and $(\varepsilon_{2},\delta_{2})$-DP respectively, then the sequential composition $c_{2}^{\sharp}\circ c_{1}\colon I\to GJ$ of the queries $c_{1}$ and $c_{2}$ is $(\varepsilon_{1}+\varepsilon_{2},\delta_{1}+\delta_{2})$-DP.