Computer-aided Verification in Mechanism Design
Gilles Barthe, Marco Gaboardi, Emilio Jesús Gallego Arias,
Justin Hsu*, Aaron Roth*, Pierre-Yves Strub
IMDEA Software, École Polytechnique,
University at Buffalo, *University of Pennsylvania
December 14, 2016
1
Mechanism design
=
Algorithm design
+
Strategic inputs
*In computer science
2
Incentive properties
Encourage agents to behave simply
Benefits
I
For the agents: easy to decide what to do
I
For the designer: easy to reason about what agents will do
3
Best case: truthfulness
Model
I
Agents have private type ti ∈ T
I
Mechanism inputs: agents report si ∈ T
I
Mechanism outputs: outcome o ∈ O and payments pi ∈ R
4
Best case: truthfulness
Model
I
Agents have private type ti ∈ T
I
Mechanism inputs: agents report si ∈ T
I
Mechanism outputs: outcome o ∈ O and payments pi ∈ R
Definition (Complete information)
A mechanism is truthful (DSIC) if each agent maximizes their
utility by reporting si = ti , no matter what other agents do.
Definition (Incomplete information)
A mechanism is Bayesian Incentive Compatible (BIC) if each agent
maximizes their expected utility by reporting si = ti , when other
agents report their true type drawn from a known prior µ.
4
Mechanism ≈ Program
Truthfulness ≈ Property
Program verification
for incentive properties
5
But isn’t this really hard?
Divide the task
I
Proof construction: hard
I
Proof checking: easy
6
Why verify properties? Check correctness
7
Why verify incentive properties? Convince agents
What if agents don’t believe incentive property?
I
Incentive properties often not obvious
I
Read the proof (?)
8
Why verify incentive properties? Convince agents
What if agents don’t believe incentive property?
I
Incentive properties often not obvious
I
Read the proof (?)
A possible model
I
Designer constructs formal proof of incentive property
I
Agents check it automatically
8
Our work: A case study
Target
I
Replica-surrogate-matching mechanism (HKM)
I
To prove: BIC
Proof is non-trivial
I
Lots of reasoning about randomization
I
Need incentive property for VCG mechanism
9
Proof construction approaches: basic tradeoff
Simple
proofs
Complex
proofs
10
Proof construction approaches: basic tradeoff
More
automatic
Less
automatic
Simple
proofs
Complex
proofs
10
Proof construction approaches: basic tradeoff
More
automatic
Existing efforts
Less
automatic
Simple
proofs
Complex
proofs
10
Proof construction approaches: basic tradeoff
More
automatic
Our target
Existing efforts
Less
automatic
Simple
proofs
Complex
proofs
10
Idea: incentive properties are relational properties
Program: agent’s report → agent’s (expected) utility
I
First run: agent report equal to agent type (truthful)
I
Second run: agent report arbitrary (non-truthful)
I
Truthfulness: first utility larger than second utility
Leverage specialized tools
I
HOARe2 : for probabilistic relational properties
11
Formally verifying BIC
Four main steps
1. Write program
2. Annotate program with assertions
3. Apply solvers to automatically check assertions
4. Fall back to less automated approaches for remaining steps
12
Formally verifying BIC
Four main steps
1. Write program
2. Annotate program with assertions
3. Apply solvers to automatically check assertions
4. Fall back to less automated approaches for remaining steps
12
Writing the assertions
Basic form
{prog :: S | Φ(prog 1, prog 2)}
13
Writing the assertions
Basic form
{prog :: S | Φ(prog 1, prog 2)}
Incentive Compatibility
{rept :: T | rept 1 = type} → {util :: R | util 1 ≥ util 2 }
13
Applying solvers
Given x1 < x2 , prove:
I
x1 + 1 < x2 + 2 (easy)
I
f (x1 ) < f (x2 ), where f is a program (harder)
14
Applying solvers
Given x1 < x2 , prove:
I
x1 + 1 < x2 + 2 (easy)
I
f (x1 ) < f (x2 ), where f is a program (harder)
Results
I
Almost all assertions (∼ 60) automatically proved (∼ seconds)
I
Solvers run out of time on three assertions
14
Formally verifying BIC
Four main steps
1. Write program
2. Annotate program with assertions
3. Apply solvers to automatically check assertions
4. Fall back to less automated approaches for remaining steps
See paper for details!
15
Perspective
Promising signs: automatic parts
I
Handle complex proofs and mechanisms
I
Solvers usually work, and are fast
Pain points: manual parts
I
When solvers fail: life is hard
I
Crafting program and assertions
16
Needed: more case studies!
Do you have a mechanism that . . .
I
has a tedious proof?
I
uses randomization?
I
satisfies a relational property?
17
Needed: more case studies!
Do you have a mechanism that . . .
I
has a tedious proof?
I
uses randomization?
I
satisfies a relational property?
We want to know!
For brave souls: https://github.com/ejgallego/HOARe2
17
Needed: more case studies!
Do you have a mechanism that . . .
I
has a tedious proof?
I
uses randomization?
I
satisfies a relational property?
We want to know!
For brave souls: https://github.com/ejgallego/HOARe2
(Also, I am looking for a job . . . )
17
Computer-aided Verification in Mechanism Design
Gilles Barthe, Marco Gaboardi, Emilio Jesús Gallego Arias,
Justin Hsu*, Aaron Roth*, Pierre-Yves Strub
IMDEA Software, École Polytechnique,
University at Buffalo, *University of Pennsylvania
December 14, 2016
18
Writing the program
Main program: one agent’s utility
I
Input: agent’s true type and report
I
Output: agent’s expected utility from mechanism
I
Assume: other agents reports drawn from prior (BIC)
Top level code
19
Handling the hard assertions
Hardest step
I
Mechanism transforms each report into a “surrogate” report
I
Key lemma: if report ∼ prior, transformation preserves prior
I
Manually construct proof in different system (EasyCrypt),
∼ 190 out of ∼ 260 total lines of manual proof
20
RSM mechanism (Hartline, Kleinberg, Malekian)
Agent
Algorithm
21
RSM mechanism (Hartline, Kleinberg, Malekian)
Agent
RSM
Transform
Price
Algorithm
21
RSM mechanism (Hartline, Kleinberg, Malekian)
Agent
RSM
Transform
Price
Algorithm
Price
RSM
Transform
Agent
21
RSM mechanism (Hartline, Kleinberg, Malekian)
Agent
RSM
Transform
Price
Algorithm
Price
RSM
Transform
Outcome
Agent
21