research-article
Open access

Sensitivity by Parametricity

Published: 08 October 2024

Abstract

The work of Fuzz has pioneered the use of functional programming languages whose types allow reasoning about the sensitivity of programs. Fuzz and subsequent work (e.g., DFuzz and Duet) use advanced technical devices such as linear types, modal types, and partial evaluation. These features usually require the design of a new programming language from scratch, a significant task on its own! While these features belong to the classical toolbox of programming languages, they are often unfamiliar to non-experts in this field. Fortunately, recent studies (e.g., Solo) have shown that linear types, and complex types in general, are not strictly needed to determine programs' sensitivity, since this can be achieved by annotating base types with static sensitivity information. In this work, we take a different approach. We propose to enrich base types with information about the metric relation between values, and we present the novel idea of applying parametricity to derive direct proofs of the sensitivity of functions. A direct consequence of our result is that calculating and proving the sensitivity of functions reduces to simply type-checking in a programming language with support for polymorphism and type-level naturals. We formalize our main result in a calculus, prove its soundness, and implement a software library in the programming language Haskell, where we reason about the sensitivity of canonical examples. We show that the simplicity of our approach allows us to exploit the type inference of the host language to support a limited form of sensitivity inference. Furthermore, we extend the language with a privacy monad to showcase how our library can be used in practical scenarios such as the implementation of differentially private programs, where the privacy guarantees depend on the sensitivity of user-defined functions. Our library, called Spar, is implemented in less than 500 lines of code.
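An illustration of the idea in the abstract, added here and not code from the paper or the Spar library: a type indexed by a type-level distance bound, a user-defined function polymorphic in that bound whose signature is its sensitivity proof, and a Laplace noise scale read off the type. The names (Sens, addS, scaleS, sensitivity, laplaceScale) are assumptions, and the sketch relies only on GHC's built-in reduction of closed type-level arithmetic, so output indices are written in the shape the solver produces rather than normalised.

```haskell
{-# LANGUAGE DataKinds, KindSignatures, TypeOperators, ScopedTypeVariables, TypeApplications #-}
module SensitivitySketch where

import GHC.TypeLits
import Data.Proxy (Proxy (..))

-- Illustrative sketch, not Spar's API. A value of type 'Sens n a' stands for
-- one side of a pair of inputs whose distance is bounded by the type-level
-- natural n; operations state in their types how that bound grows.
newtype Sens (n :: Nat) a = Sens a

unSens :: Sens n a -> a
unSens (Sens x) = x

-- Primitives with their metric behaviour recorded in the type:
-- adding two values adds their distance bounds, scaling by k multiplies it.
addS :: Num a => Sens n a -> Sens m a -> Sens (n + m) a
addS (Sens x) (Sens y) = Sens (x + y)

scaleS :: (KnownNat k, Num a) => Proxy k -> Sens n a -> Sens (k * n) a
scaleS p (Sens x) = Sens (fromInteger (natVal p) * x)

-- A user-defined function, polymorphic in the input bounds n and m. By
-- parametricity it cannot depend on n or m, so the output index (2 * n + m)
-- bounds the output distance for every choice of n and m: g is 2-sensitive
-- in its first argument and 1-sensitive in its second. Getting this
-- signature past the type checker is the whole proof.
g :: Sens n Double -> Sens m Double -> Sens (2 * n + m) Double
g x y = addS (scaleS (Proxy @2) x) y

-- Study g's sensitivity in its first argument alone by fixing the second to
-- a constant, whose distance bound is 0.
g1 :: Sens n Double -> Sens (2 * n + 0) Double
g1 x = g x (Sens 0)

-- Instantiating the input bound at 1 (neighbouring inputs) turns the output
-- index into a closed numeral, which GHC reduces and natVal reads back.
sensitivity :: forall k. KnownNat k => (Sens 1 Double -> Sens k Double) -> Integer
sensitivity _ = natVal (Proxy @k)

-- The Laplace mechanism calibrates its noise scale as sensitivity / epsilon;
-- here the sensitivity comes from the type, so it cannot be under-reported.
laplaceScale :: forall k. KnownNat k => Double -> (Sens 1 Double -> Sens k Double) -> Double
laplaceScale eps _ = fromInteger (natVal (Proxy @k)) / eps

main :: IO ()
main = do
  print (unSens (g1 (Sens 10 :: Sens 1 Double)))
  print (sensitivity g1)
  print (laplaceScale 0.5 g1)
```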

Supplemental Material

PDF File - Accompanying Material
This document contains the examples, formalizations, and discussions that were not included in the manuscript due to space constraints.


Published In

Proceedings of the ACM on Programming Languages, Volume 8, Issue OOPSLA2
October 2024
2691 pages
EISSN: 2475-1421
DOI: 10.1145/3554319
This work is licensed under a Creative Commons Attribution-ShareAlike International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Haskell
  2. differential privacy
  3. functional programming languages
  4. sensitivity

Funding Sources

  • STINT
  • Swedish Foundation for Strategic Research
  • US National Science Foundation
