The complexity of verifying loop-free programs as differentially private

We study the problem of verifying differential privacy for loop-free programs with probabilistic choice. Programs in this class can be seen as randomized Boolean circuits, which we will use as a formal model to answer two different questions: first, deciding whether a program satisfies a prescribed level of privacy; second, approximating the privacy parameters a program realizes. We show that the problem of deciding whether a program satisfies ε-differential privacy is coNP#P-complete. In fact, this is the case when either the input domain or the output range of the program is large. Further, we show that deciding whether a program is (ε,δ)-differentially private is coNP#P-hard, and in coNP#P for small output domains, but always in coNP#P#P. Finally, we show that the problem of approximating the level of differential privacy is both NP-hard and coNP-hard. These results complement previous results by Murtagh and Vadhan showing that deciding the optimal composition of differentially private components is #P-complete, and that approximating the optimal composition of differentially private components is in P

Synthesizing Specifications

Every program should always be accompanied by a specification that describes important aspects of the code's behavior, but writing good specifications is often harder that writing the code itself. This paper addresses the problem of synthesizing specifications automatically. Our method takes as input (i) a set of function definitions, and (ii) a domain-specific language L in which the extracted properties are to be expressed. It outputs a set of properties--expressed in L--that describe the behavior of functions. Each of the produced property is a best L-property for signature: there is no other L-property for signature that is strictly more precise. Furthermore, the set is exhaustive: no more L-properties can be added to it to make the conjunction more precise. We implemented our method in a tool, spyro. When given the reference implementation for a variety of SyGuS and Synquid synthesis benchmarks, spyro often synthesized properties that that matched the original specification provided in the synthesis benchmark