-
Notifications
You must be signed in to change notification settings - Fork 63
[theories/modules] law of total probability #968
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
alleystoughton
wants to merge
3
commits into
main
Choose a base branch
from
total-probability
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+254
−0
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,254 @@ | ||
| (*^ This theory proves a module-based law of total probability for | ||
| distributions with finite support, and then specializes it to | ||
| `DBool.dbool`, `drange` and `duniform`. ^*) | ||
|
|
||
| require import AllCore List StdOrder StdBigop Distr DBool Finite. | ||
| require EventPartitioning. | ||
| import RealOrder Bigreal BRA. | ||
|
|
||
| (*& General abstract theory &*) | ||
|
|
||
| abstract theory TotalGeneral. | ||
|
|
||
| (*& theory parameter: additional input &*) | ||
|
|
||
| type input. | ||
|
|
||
| (*& theory parameter: type of distribution &*) | ||
|
|
||
| type t. | ||
|
|
||
| (*& A module with a `main` procedure taking in an input plus | ||
| a value of type `t`, and returning a boolean result. &*) | ||
|
|
||
| module type T = { | ||
| proc main(i : input, x : t) : bool | ||
| }. | ||
|
|
||
| (*& For a module `M` with module type `T` and a distribution `dt` for | ||
| `t` plus an input `i`, `Rand(M).f(dt, i)` samples a value `x` from | ||
| `dt`, passes it to `M.main` along with `i`, and returns the | ||
| boolean `M.main` returns. &*) | ||
|
|
||
| module Rand(M : T) = { | ||
| proc f(dt : t distr, i : input) : bool = { | ||
| var b : bool; var x : t; | ||
| x <$ dt; | ||
| b <@ M.main(i, x); | ||
| return b; | ||
| } | ||
| }. | ||
|
|
||
| (* skip to end of section for main lemma *) | ||
|
|
||
| section. | ||
|
|
||
| declare module M <: T. | ||
|
|
||
| local module RandAux = { | ||
| var x : t (* a global variable *) | ||
|
|
||
| proc f(dt : t distr, i : input) : bool = { | ||
| var b : bool; | ||
| x <$ dt; | ||
| b <@ M.main(i, x); | ||
| return b; | ||
| } | ||
| }. | ||
|
|
||
| local clone EventPartitioning as EP with | ||
| type input <- t distr * input, | ||
| type output <- bool | ||
| proof *. | ||
|
|
||
| local clone EP.ListPartitioning as EPL with | ||
| type partition <- t | ||
| proof *. | ||
|
|
||
| local op x_of_glob_RA (g : (glob RandAux)) : t = g.`2. | ||
| local op phi (_ : t distr * input) (g : glob RandAux) (_ : bool) : t = | ||
| x_of_glob_RA g. | ||
| local op E (_ : t distr * input) (_ : glob RandAux) (o : bool) : bool = o. | ||
|
|
||
| local lemma RandAux_partition_eq (dt' : t distr) (i' : input) (x' : t) &m : | ||
| Pr[RandAux.f(dt', i') @ &m : res /\ x_of_glob_RA (glob RandAux) = x'] = | ||
| mu1 dt' x' * Pr[M.main(i', x') @ &m : res]. | ||
| proof. | ||
| byphoare | ||
| (_ : | ||
| dt = dt' /\ i = i' /\ (glob M) = (glob M){m} ==> | ||
| res /\ x_of_glob_RA (glob RandAux) = x') => //. | ||
| proc; rewrite /x_of_glob_RA /=. | ||
| seq 1 : | ||
| (RandAux.x = x') | ||
| (mu1 dt' x') | ||
| Pr[M.main(i', x') @ &m : res] | ||
| (1%r - mu1 dt x') | ||
| 0%r | ||
| (i = i' /\ (glob M) = (glob M){m}) => //. | ||
| auto. | ||
| rnd (pred1 x'); auto. | ||
| call (_ : i = i' /\ x = x' /\ glob M = (glob M){m} ==> res). | ||
| bypr => &hr [#] -> -> glob_eq. | ||
| byequiv (_ : ={i, x, glob M} ==> ={res}) => //; sim. | ||
| auto. | ||
| hoare; call (_ : true); auto; smt(). | ||
| qed. | ||
|
|
||
| lemma total_prob' (dt' : t distr) (supp : t list) (i' : input) &m : | ||
| is_lossless dt' => is_finite_for (support dt') supp => | ||
| Pr[Rand(M).f(dt', i') @ &m : res] = | ||
| big predT | ||
| (fun x' => mu1 dt' x' * Pr[M.main(i', x') @ &m : res]) | ||
| supp. | ||
| proof. | ||
| move => dt'_ll [uniq_supp supp_iff]. | ||
| have -> : | ||
| Pr[Rand(M).f(dt', i') @ &m : res] = Pr[RandAux.f(dt', i') @ &m : res]. | ||
| byequiv (_ : ={dt, i, glob M} ==> ={res}) => //; proc; sim. | ||
| rewrite (EPL.list_partitioning RandAux (dt', i') E phi supp &m) //. | ||
| have -> /= : | ||
| Pr[RandAux.f(dt', i') @ &m: res /\ ! (x_of_glob_RA (glob RandAux) \in supp)] = | ||
| 0%r. | ||
| byphoare (_ : dt = dt' /\ i = i' ==> _) => //; proc. | ||
| seq 1 : | ||
| (RandAux.x \in supp) | ||
| 1%r | ||
| 0%r | ||
| 0%r | ||
| 1%r => //. | ||
| auto. | ||
| hoare; call (_ : true); auto; smt(). | ||
| rnd pred0; auto; smt(mu0). | ||
| congr; apply fun_ext => x'; by rewrite RandAux_partition_eq. | ||
| qed. | ||
|
|
||
| end section. | ||
|
|
||
| (*& total probability lemma for distributions with finite support &*) | ||
|
|
||
| lemma total_prob (M <: T) (dt : t distr) (supp : t list) (i : input) &m : | ||
alleystoughton marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| is_lossless dt => is_finite_for (support dt) supp => | ||
| Pr[Rand(M).f(dt, i) @ &m : res] = | ||
| big predT | ||
| (fun (x : t) => mu1 dt x * Pr[M.main(i, x) @ &m : res]) | ||
| supp. | ||
| proof. | ||
| move => dt_ll iff_supp_dt_supp. | ||
| by apply (total_prob' M). | ||
| qed. | ||
|
|
||
| end TotalGeneral. | ||
|
|
||
| (*& Specialization to `DBool.dbool` &*) | ||
|
|
||
| abstract theory TotalBool. | ||
|
|
||
| clone include TotalGeneral with | ||
| type t <- bool | ||
| proof *. | ||
|
|
||
| (*& total probability lemma for `DBool.dbool` &*) | ||
|
|
||
| lemma total_prob_bool (M <: T) (i : input) &m : | ||
| Pr[Rand(M).f(DBool.dbool, i) @ &m : res] = | ||
| Pr[M.main(i, true) @ &m : res] / 2%r + | ||
| Pr[M.main(i, false) @ &m : res] / 2%r. | ||
| proof. | ||
| rewrite (total_prob M DBool.dbool [true; false]) //. | ||
| rewrite dbool_ll. | ||
| smt(supp_dbool). | ||
| by rewrite 2!big_cons big_nil /= /predT /predF /= 2!dbool1E. | ||
| qed. | ||
|
|
||
| end TotalBool. | ||
|
|
||
| (*& Specialization to `drange` &*) | ||
|
|
||
| abstract theory TotalRange. | ||
|
|
||
| clone include TotalGeneral with | ||
| type t <- int | ||
| proof *. | ||
|
|
||
| lemma big_weight_simp (M <: T) (m n : int, i : input, ys : int list) &m : | ||
| (forall y, y \in ys => m <= y < n) => | ||
| big predT | ||
| (fun (x : int) => mu1 (drange m n) x * Pr[M.main(i, x) @ &m : res]) | ||
| ys = | ||
| big predT | ||
| (fun (x : int) => Pr[M.main(i, x) @ &m : res] / (n - m)%r) | ||
| ys. | ||
| proof. | ||
| elim ys => [// | y ys IH mem_impl]. | ||
| rewrite 2!big_cons (_ : predT y) //=. | ||
| rewrite drange1E (_ : m <= y < n) 1:mem_impl //=. | ||
| rewrite IH => [z z_in_ys | //]. | ||
| by rewrite mem_impl /= z_in_ys. | ||
| qed. | ||
|
|
||
| (*& total probability lemma for `drange` &*) | ||
|
|
||
| lemma total_prob_drange (M <: T) (m n : int, i : input) &m : | ||
| m < n => | ||
| Pr[Rand(M).f(drange m n, i) @ &m : res] = | ||
| bigi predT | ||
| (fun (j : int) => Pr[M.main(i, j) @ &m : res] / (n - m)%r) | ||
| m n. | ||
| proof. | ||
| move => lt_m_n. | ||
| rewrite (total_prob M (drange m n) (range m n)). | ||
| by rewrite drange_ll. | ||
| rewrite /is_finite_for. | ||
| smt(range_uniq mem_range supp_drange). | ||
| rewrite (big_weight_simp M) //; by move => j /mem_range. | ||
| qed. | ||
|
|
||
| end TotalRange. | ||
|
|
||
| (*& Specialization to `duniform` &*) | ||
|
|
||
| abstract theory TotalUniform. | ||
|
|
||
| (*& theory parameter: type &*) | ||
|
|
||
| type t. | ||
|
|
||
| clone include TotalGeneral with | ||
| type t <- t | ||
| proof *. | ||
|
|
||
| lemma big_weight_simp (M <: T) (xs : t list, i : input, ys : t list) &m : | ||
| uniq xs => | ||
| (forall y, y \in ys => y \in xs) => | ||
| big predT | ||
| (fun (x : t) => mu1 (duniform xs) x * Pr[M.main(i, x) @ &m : res]) | ||
| ys = | ||
| big predT | ||
| (fun (x : t) => Pr[M.main(i, x) @ &m : res] / (size xs)%r) | ||
| ys. | ||
| proof. | ||
| move => uniq_xs. | ||
| elim ys => [// | y ys IH mem_impl]. | ||
| rewrite 2!big_cons (_ : predT true) //=. | ||
| rewrite duniform1E_uniq // (_ : y \in xs) 1:mem_impl //=. | ||
| rewrite IH => [z z_in_ys | //]; by rewrite mem_impl /= z_in_ys. | ||
| qed. | ||
|
|
||
| (*& total probability lemma for `duniform` &*) | ||
|
|
||
| lemma total_prob_uniform (M <: T) (xs : t list, i : input) &m : | ||
| uniq xs => xs <> [] => | ||
| Pr[Rand(M).f(duniform xs, i) @ &m : res] = | ||
| big predT | ||
| (fun (x : t) => Pr[M.main(i, x) @ &m : res] / (size xs)%r) | ||
| xs. | ||
| proof. | ||
| move => uniq_xs xs_ne_nil. | ||
| rewrite (total_prob M (duniform xs) xs). | ||
| by rewrite duniform_ll. | ||
| smt(supp_duniform). | ||
| by rewrite (big_weight_simp M). | ||
| qed. | ||
|
|
||
| end TotalUniform. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might be easier to use if
suppwas computed asto_seq (support dt'), requiringis_finite (support dt'), instead of taking it as an argument.I suppose the existing variant is simpler if you already have a
suppthat might be distinct fromto_seq (support dt'). Maybe it makes sense to have both variants? For the existing variant it might be better to movesuppto the front of the argument list since this cannot be inferred from the LHS in rewrites. If the intention is to rewrite in the other direction wheresuppcan be inferred it might make sense to swap the sides of the equality.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the suggestion. I'd missed that there was this operator.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That worked out nicely, at least as easy to use.