A Bunched Logic for Conditional Independence

Jialu Bao (University of Wisconsin–Madison), Simon Docherty (University College London), Justin Hsu (University of Wisconsin–Madison), Alexandra Silva (University College London)

arXiv:2008.09231v2 [cs.LO] 1 May 2021

Abstract—Independence and conditional independence are fundamental concepts for reasoning about groups of random variables in probabilistic programs. Verification methods for independence are still nascent, and existing methods cannot handle conditional independence. We extend the logic of bunched implications (BI) with a non-commutative conjunction and provide a model based on Markov kernels; conditional independence can be directly captured as a logical formula in this model. Noting that Markov kernels are Kleisli arrows for the distribution monad, we then introduce a second model based on the powerset monad and show how it can capture join dependency, a non-probabilistic analogue of conditional independence from database theory. Finally, we develop a program logic for verifying conditional independence in probabilistic programs.

I. Introduction

The study of probabilistic programming languages and their semantics dates back to the 1980s, starting from the seminal work of Kozen [1]. The last decade has seen a surge of richer probabilistic languages [2, 3, 4], motivated by applications in machine learning, and accompanying research into their semantics [5, 6, 7]. This burst of activity has also created new opportunities and challenges for formal verification.

Independence and conditional independence are two fundamental properties that are poorly handled by existing verification methods. Intuitively, two random variables are probabilistically independent if information about one gives no information about the other (for example, the results of two coin flips). Conditional independence is more subtle: two random variables X and Y are independent conditioned on a third variable Z if for every fixed value of Z, information about one of X and Y gives no information about the other.

Both forms of independence are useful for modelling and verification. Probabilistic independence enables compositional reasoning about groups of random variables: if a group of random variables are independent, then their joint distribution is precisely described by the distribution of each variable in isolation. It also captures the semantics of random sampling constructs in probabilistic languages, which generate a fresh random quantity that is independent of the program state. Conditional independence often arises in programs with probabilistic control flow, as conditioning models probabilistic branching. Bayesian networks encode conditional independence statements in complex distributions, and conditional independence captures useful properties in many applications. For instance, criteria ensuring that algorithms do not discriminate based on sensitive characteristics (e.g., gender or race) can be formulated using conditional independence [8].

Aiming to prove independence in probabilistic programs, Barthe et al. [9] recently introduced Probabilistic Separation Logic (PSL) and applied it to formalize security for several well-known constructions from cryptography. The key ingredient of PSL is a new model of the logic of bunched implications (BI), in which separation is interpreted as probabilistic independence. While PSL enables formal reasoning about independence, it does not support conditional independence. The core issue is that the model of BI underlying PSL provides no means to describe the distribution of one set of variables obtained by fixing (conditioning) another set of variables to take specific values. Accordingly, one cannot capture the basic statement of conditional independence—X and Y are independent random variables conditioned on any value of Z.

In this paper, we develop a logical framework for formal reasoning about notions of dependence and independence. Our approach is inspired by PSL but the framework is more sophisticated: to express conditional independence, we develop a novel assertion logic extending BI with new connectives—# and its adjoints. The key intuition is that conditional independence can be expressed as independence plus composition of Markov kernels; as our leading example, we give a kernels model of our logic.

Then, we show how to adapt the probabilistic model to other settings. As is well-known in category theory, Markov kernels are the arrows in the Kleisli category of the distribution monad. By varying the monad, our logic smoothly extends to analogues of conditional independence in other domains. To demonstrate, we show how replacing the distribution monad by the powerset monad gives a model where we can capture join/multivalued dependencies in relational algebra and database theory. We also show that the semi-graphoid laws, introduced by Pearl and Paz [10] in their work axiomatizing conditional independence, can be translated into formulas that are valid in both of our models.

The rest of the paper is organized as follows. We give a bird's-eye view in Section II, providing intuitions on our design choices and highlighting differences with existing work. Section III presents the main contribution: the design of DIBI, a new bunched logic to reason about dependence and independence. We show that the proof system of DIBI is sound and complete with respect to its Kripke semantics. Then, we present two concrete models in Section IV, based on probability distributions and relations. In Section V, we consider how to express dependencies in DIBI: we show that the same logical formula captures conditional independence and join dependency in our two models, and our models validate the semi-graphoid laws. Finally, in Section VI, we design a program logic with DIBI assertions, and use it to verify conditional independence in two probabilistic programs.

II. Overview of the contributions

The logic DIBI: The starting point of our work is the logic of bunched implications (BI) [11]. BI extends intuitionistic propositional logic with substructural connectives to facilitate reasoning about sharing and separation of resources, an idea most prominently realized in Separation Logic's handling of heap-manipulating programs [12]. The novel connectives are a separating conjunction P ∗ Q, intuitively stating that P and Q hold in separate resources, and its adjoint −∗, called magic wand. We will extend BI with a non-commutative conjunction, written P # Q. Intuitively, # expresses a possible dependency of Q on P. The end result is a logic with two conjunctive connectives—∗ and #—capturing notions of independence and dependence. We call the logic Dependence and Independence Bunched Implications (DIBI).

To give a semantics to our logic, we start from the semantics of BI. The simplest BI models are partial resource monoids: Kripke structures (M, ⊑, ◦, e) in which ◦ is an order-preserving, partial, commutative monoid operation with unit e. The operation ◦ allows interpreting the separating conjunction P ∗ Q and magic wand P −∗ Q. For example, the probabilistic model of BI underlying PSL [9] is a partial resource monoid: by taking M to be the set of distributions over program memories and ◦ to be the independent product of distributions over memories with disjoint variables, the interpretation of P ∗ Q gives the desired notion of probabilistic independence.

This is the first point where we fundamentally differ from PSL. To capture both dependence and independence, we change the structure in which formulas are interpreted. In Section III, we will introduce a structure X = (X, ⊑, ⊕, ⊙, E), a DIBI frame, with two operations ⊕: X² → P(X) and ⊙: X² → P(X), and a set of units E ⊆ X. Three remarks are in order. First, the preorder ⊑ makes DIBI an intuitionistic logic.

monoidal operations in a partial, non-deterministic setting. E.g., we will require:

(⊕ Comm.) z ∈ x ⊕ y → z ∈ y ⊕ x;
(⊕ Assoc.) w ∈ t ⊕ z ∧ t ∈ x ⊕ y → ∃s (s ∈ y ⊕ z ∧ w ∈ x ⊕ s);
(⊙ Unit Exist.L) ∃e ∈ E. (x ∈ e ⊙ x)

where unbound variables are universally quantified. Crucially, the operation ⊙ need not be commutative: this operation interprets the dependence conjunction #, where commutativity is undesirable. In a DIBI frame, ∗ and # are interpreted as:

x ⊨ P ∗ Q iff there exist x′, y, z s.t. x ⊒ x′ ∈ y ⊕ z, y ⊨ P, and z ⊨ Q
x ⊨ P # Q iff there exist y, z s.t. x ∈ y ⊙ z, y ⊨ P, and z ⊨ Q

In DIBI, ∗ has a similar reading as in PSL: it states that two parts of a distribution can be combined because they are independent. In contrast, the new conjunction P # Q asserts that the Q part of a distribution may depend on the P part. Combined with the separating conjunction ∗, the new conjunction # can express more complex dependencies: e.g. P # (Q ∗ R) asserts that Q and R both may depend on P, and are independent conditioned on P.

A sound and complete proof system for DIBI: To reason about DIBI validity, in Section III we also provide a Hilbert-style proof system for DIBI, and prove soundness and completeness. The proof system extends BI with rules for the new connective #, e.g. # Conj, and for the interaction between # and ∗, e.g., RevEx:

# Conj: from P ⊢ R and Q ⊢ S, infer P # Q ⊢ R # S
RevEx: (P # Q) ∗ (R # S) ⊢ (P ∗ R) # (Q ∗ S)

RevEx—reverse-exchange—captures the fundamental interaction between the two conjunctions. Computations T = P # Q and U = R # S are built from dependent components, yet T and U are independent and hence can be combined with ∗. We can then infer that the building blocks of T and U must also be pair-wise independent and can be combined, yielding formulas P ∗ R and Q ∗ S. These can then be combined with # as they retain the dependency of the original building blocks.

Models and applications of DIBI: Separation logics are based on a concrete BI model over program states, together with a choice of atomic assertions. Before explaining the models of DIBI, we recall two prior models of BI.

In the heap model, states are heaps: partial maps from memory addresses to values. Atomic assertions of the form x ↦ v indicate that the location to which x points has value
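As an added illustration, not part of the paper, here are the DIBI satisfaction clauses of Section II unfolded on the formula $P \mathbin{\#} (Q \ast R)$, followed by the symmetry step that the frame condition ($\oplus$ Comm.) yields; the reading of $y$, $u$, $v$ as the $P$, $Q$ and $R$ parts follows the text above.

$$
\begin{aligned}
x \models P \mathbin{\#} (Q \ast R)
&\iff \exists y, z.\; x \in y \odot z \;\wedge\; y \models P \;\wedge\; z \models Q \ast R \\
&\iff \exists y, z, z', u, v.\; x \in y \odot z \;\wedge\; y \models P \;\wedge\; z \sqsupseteq z' \in u \oplus v \;\wedge\; u \models Q \;\wedge\; v \models R .
\end{aligned}
$$

So $x$ splits, via $\odot$, into a $P$ part $y$ and a part $z$ that may depend on $y$; and $z$ (up to $\sqsubseteq$) splits, via $\oplus$, into a $Q$ part $u$ and an $R$ part $v$ that are combined independently. Because ($\oplus$ Comm.) gives $z' \in u \oplus v \rightarrow z' \in v \oplus u$, the same witnesses $y, z, z', v, u$ establish

$$
x \models P \mathbin{\#} (Q \ast R) \;\Longrightarrow\; x \models P \mathbin{\#} (R \ast Q),
$$

i.e. the conditional independence expressed by the formula is symmetric in $Q$ and $R$, whereas no such swap is available for $\#$, since the frame imposes no commutativity condition on $\odot$.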