[breaking] fix unsoundness in pHL while rule #226
Conversation
|
@fdupress Is it intentional that the |
|
I suspect PY's force-push to |
|
@strub did your merge of hakyber-jasmin-eclib eat up all of yesterday's merges? |
|
🙈 🙉 🙊 |
|
Am I seeing ghosts, or does this not actually fix #212 ? Sure, I no longer get this spurious Also, this seems not just an issue of (wrongly) combining the |
|
@christian. I think you are perfectly write. |
|
In fact I have just realised that we have forgot to implement the side condition in the paper on delta in the paper. I will send the paper to Christian. |
|
The old unpublished paper.
… On 13 Jul 2022, at 18:56, Christian Doczkal ***@***.***> wrote:
Am I seeing ghosts, or does this not actually fix #212 <#212> ?
lemma bad &m : Pr [ M.p() @ &m : true ] = 0%r.
proof.
byphoare => //; proc; sp.
while true (b2i e) 1 (mu dC p) => //; 1:smt().
- move => ih; seq 2 : true 1%r 0%r 0%r _ => //.
- auto => />; smt(dC_ll).
- by rewrite mu_p /= => z; wp; rnd p; auto => />.
qed.
Sure, I no longer get this spurious if around the w : statement but the proof actually never looked at this ...
Also, this seems not just an issue of (wrongly) combining the <= and >= rules into an = rule, as I can also prove:
lemma bad05 &m : Pr [ M.p() @ &m : true ] <= 1%r/2%r.
proof.
byphoare => //; proc; sp.
while true (b2i e) 1 (mu dC p) => //; 1:smt().
- move => ih. seq 2 : true 1%r (1%r/2%r) 0%r _ => //.
- auto => />; smt(dC_ll).
- by rewrite mu_p /= => z; wp; rnd p; auto => />.
qed.
—
Reply to this email directly, view it on GitHub <#226 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFBT3D4AZUNPL4EP4U4OJLVT3YNRANCNFSM53ICPWHQ>.
You are receiving this because your review was requested.
|
|
I have re-read the paper. |
|
@bgregoir I move discussions back over to the issue itself (#212) after doing some root causing yesterday. There are two different things going on, including a missing check on the value of the bound in the equality case. I can probably take a call some time today, but might need time to park some things. My intuition there was also that the proofs for Then on top of that, EasyCrypt somehow allows the lower-bound rule to be used to prove an upper-bound. This seems like a problem. |
|
I think that we have now what was written in the paper. |
|
I looked at the IIUC, the |
|
On 15 Jul 2022, at 14:40, Christian Doczkal ***@***.***> wrote:
I looked at the while >= rule, and at first glance that appears to conform to the rule in the paper. From the usability perspective, I think it would be preferable if the while tactic would work on arbitrary programs whose last instruction is a while, taking the first argument to be the $\Psi$ from the rule and having $I$ as an optional argument that defaults to the value given for $\Psi$. If I didn't miss anything, the instances for the existing proofs (as well as my tests) all have $\Psi = I$.
I agree that this is not convenient. But I have the impression that we need to apply a seq rule, and I don’t know which one apply.
Ideas are welcome.
IIUC, the while <= rule is currently disabled. Trying to use it I get: "only judgments with an lower/eq-bounded are supported".
Yes, if you want to prove <= you can use directly the other rule : while inv.
… —
Reply to this email directly, view it on GitHub <#226 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFBT3HBGQXZMIAX3WZSA33VUFL3LANCNFSM53ICPWHQ>.
You are receiving this because you were mentioned.
|
Now that I've had time to think after our call, Benjamin: the approach taken elsewhere in pHL with the automated
Just to clarify, this is where I was saying that EasyCrypt let you use the rule for |
|
I think this is ready for a fresh review and merge. I'll create a new issue regarding the usability, and potentially baking in a default |
I think it would be good if the tactic for while would be in line with that the remaining pHL tactics are doing. However, my understanding is that the tactic currently also requires a manual conseq for just about every use. So maybe this should be merged as
I guess this is because pHL is one of the most scarcely documented parts of EC. For this rule it would really be nice to have some documentation, even if it is only some plain text description in the example file. Otherwise the only documentation is an unpublished draft. |
|
@fdupress Could you squash this PR with a message that summarises the changes? Then, I think we are good to go. |
|
I still think this should be something like |
This fixes #212 and implements a version of the pHL while rule which does have a(n unpublished) pen-and-paper proof. This (obviously) makes using the pHL while rule generally less simple, but particularly so when the loop condition itself is probabilistically modified by the loop body (as, for example, in rejection sampling). In general, the bound given to the `while` tactic in those cases will need to be conditional. (Essentially capturing control-flow conditions in the bound itself.) Examples of proofs illustrating this case can be found in theories/distributions/Dexcepted.ec (starting line 299, including the conseq) and examples/PIR.ec (starting line 202, including also the conseq). Upper-bounds should be unaffected. On lower bounds, one can no longer apply the upper bound rule. On equalities, we have now added the lower-bound exit check (that if the loop is not entered and the event is true, then the probability should be 1), and further missing checks. In all cases, the inductive reasoning case was simplified to remove duplicated control-flow. co-authored-by: Benjamin Grégoire <[email protected]> co-authored-by: François Dupressoir <[email protected]>
fdupress
force-pushed
the
deploy-fix-212
branch
from
3cd9c5d to
d64c895
Compare
|
@strub Rebased and squashed, with a hopefully meaningful message. I could also clarify the full rules in there, but I'd rather do it somewhere where they can be typeset properly. @chdoc Your comment is noted, but I think we'll introduce the option when we have variants, rather than forcing an option right off the bat without a clear plan to have a sane default behaviour. |
Do as you wish, my hope was that this would clearly document that this is not a finished product and keep proofs using the "core" rule working if we introduce something more user friendly. But then, adapting the proofs would be trivial (add a flag) and maybe prompt people (us?) to use the user-friendly rule instead. 🤷♂️ |
This fixes #212 and implements a version of the pHL
whilerule which does have a(n unpublished) pen-and-paper proof.This (obviously) makes using the pHL
whilerule generally less simple, but particularly so when the loop condition itself is probabilistically modified by the loop body (as, for example, in rejection sampling). Examples of proofs illustrating this case can be found intheories/distributions/Dexcepted.ec(starting line 299, including theconseq) andexamples/PIR.ec(starting line 202, including also theconseq).