Sound auction specification and implementation
Marco Caminati1 Manfred Kerber1
Christoph Lange2 Colin Rowat3
1 Computer Science, University of Birmingham; 2 Fraunhofer IAS and University of Bonn; 3 Economics, University of Birmingham
18 June 2015, EC’15
https://github.com/formare/auctions
1 / 24
Introduction
Outline
1 Introduction
2 Successes of mechanised reasoning
3 Combinatorial Vickrey’s auctions
4 Sound specification
5 Code extraction
6 Conclusions
2 / 24
Introduction
Two problems & a unified solution
How can we be sure that:
1 an auction design is soundly specified, possessing the properties that its designers wish it to have?
2 an actual auction faithfully implements the intended design?
- failure on either front can be very costly
- typical solution: playtest the design
- Dijkstra: “testing shows the presence, not the absence of bugs”
- our unified solution:
1 use mechanised reasoning to prove properties of the design
2 extract verified executable code to run it
- mechanised reasoners perform logical operations:
1 check existing proofs / codify knowledge
2 search for new proofs
- we work with Isabelle, a higher-order logic theorem prover
3 / 24
Successes of mechanised reasoning
Pure maths
Example (Four colour-map theorem [AH77; AHK77; Gon08])
- exhaustive computations were required to originally prove the theorem
- in doing so, corrected some human experts’ calculations
- mechanized proof checkers have confirmed these results formally

Example (Kepler’s conjecture (1611) [Hal05; Hal12])
- Hales’ original proof: 120 pages and > 500MB of computer code
- 12 referees took five years to become “99% certain” he was right
- Hales founds Project Flyspeck to establish a formal proof
- 2014: Flyspeck complete

Example (Robbins’ conjecture [HMT71; McC97])
- beguilingly simple, but open for 60 years, a favourite of Tarski
- McCune’s solver generated a 17-step proof, later reduced to eight
5 / 24
Software verification [Woo+09]
- a computer programme defines a logical universe within which certain statements may or may not be true
- proof assistants can seek to prove or disprove these statements as theorems

Example (commuter rail systems)
No two trains shall occupy the same location at the same time.

Example (financial transactions software)
Transactions do not create or destroy value, but merely transfer it.
6 / 24
Hardware verification
Example (1994: Pentium floating point division bug)
- worst known relative error 0.006%
- Intel calculated a typical user would be affected once in 9 billion division operations
- cost Intel $475mn
- model chips as logical systems (AND, OR, etc. gates)
- prove a theorem for each property to be implemented [Har06]
7 / 24
Economic theory
Example (Subsuming Arrow’s impossibility theorem [TL09])
- manual induction proof: Arrow’s theorem holds if it holds on a base case of 2 agents and 3 alternatives
- computer exhaustively verifies the theorem on all base cases
- manual inspection of the computationally generated base cases identified a new theorem subsuming Arrow’s
- Chatterjee and Sen [CS14]: “As far as we know . . . the only Arrow-type result . . . that does not use an axiom other than IIA”

Example (Ranking sets of objects [GE11])
- which axioms are mutually incompatible [BBP04]?
- computational sweep of small domains for each set of axioms
- generated 84 impossibility theorems & resolved an open question
- can also make statistical observations
8 / 24
Combinatorial Vickrey’s auctions
A combinatorial Vickrey’s auction [q.v. AM06]
- agents: 0, . . . , N, with 0 the seller, the rest bidders
- seller’s endowment: Ω ≠ ∅, indivisible goods
- allocation: pairwise disjoint subsets of Ω, X_0, . . . , X_N
- bids: b_n(X), ∀X ⊆ Ω
- solve for allocations and prices in the winner determination problem (WDP):

$$X^* \in \arg\max_{X_1,\dots,X_N} \sum_{n=1}^{N} b_n(X_n) \quad \text{s.t.} \quad \bigcup_{n=1}^{N} X_n \subseteq \Omega \;\&\; X_n \cap X_{n'} = \emptyset \text{ for } n \neq n'$$

$$p_n \equiv \alpha_n - \sum_{m \neq n} b_m(X^*_m) \tag{1}$$

where

$$\alpha_n \equiv \max_{X_m,\ m=1,\dots,N} \Big\{ \sum_{m \neq n} b_m(X_m) \;\Big|\; \bigcup_{m \neq n} X_m \subseteq \Omega \;\&\; X_m \cap X_{m'} = \emptyset \text{ for } m \neq m' \Big\}$$

is the value when solved without n’s bids.
- rerun the WDP over random bids to break ties
10 / 24
Sound specification
Formally defining a VCG auction
1 the set of possible allocations
2 f (), which solves the WDP
3 vcga applies f () twice, the 2nd time with random bids to break ties
4 vcgp solves for prices (1)

abbreviation “vcgas N Ω b r == (Outside′ seller) ‘ ((argmax setsum) (randomBids N Ω b r) ((argmax setsum) b (allAllocations (seller ∪ N) (set Ω))))”

- abbreviation expands “vcgas” (like a preprocessor macro)
- vcgas takes N, Ω, b and r as arguments
- reading the definition inside out:
3 applies f () to bids b, returning the value-maximising allocations
2 applies f () to the value-maximising allocations, using randomBids
1 “Outside′ seller” excludes the seller from the domain
12 / 24
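The WDP and pricing rule (1) of slide 10, together with the vcga/vcgp split above, as an added Python example that is not part of the paper or the formare repository. It assumes bids given as dicts from bundle (frozenset) to value, brute-force enumeration of allocations, and a simplified tie-break (r indexes the sorted tied allocations rather than driving the paper's second WDP over random bids); it also checks the three slide-16 properties on the result.

```python
from itertools import product

def allocations(goods, bidders):
    """Every feasible allocation: each good goes to one bidder or stays with the
    seller (None). Returns dicts bidder -> frozenset, pairwise disjoint by construction."""
    result = []
    for assign in product([None] + list(bidders), repeat=len(goods)):
        alloc = {n: frozenset() for n in bidders}
        for g, n in zip(goods, assign):
            if n is not None:
                alloc[n] = alloc[n] | {g}
        result.append(alloc)
    return result

def wdp(goods, bidders, bids):
    """Winner determination (argmax setsum): all allocations maximising the sum of
    bids, plus that maximal value. A bundle missing from a bidder's dict is valued 0."""
    allocs = allocations(goods, bidders)
    value = lambda a: sum(bids[n].get(a[n], 0) for n in bidders)
    best = max(value(a) for a in allocs)
    return [a for a in allocs if value(a) == best], best

def vcg(goods, bidders, bids, r):
    """vcga: solve the WDP and break ties; vcgp: price by equation (1),
    p_n = alpha_n - sum_{m != n} b_m(X*_m), alpha_n the WDP value without n's bids.
    Simplification (mine): r indexes the sorted tied allocations instead of the
    paper's second WDP over random bids."""
    winners, _ = wdp(goods, bidders, bids)
    winners.sort(key=lambda a: [(n, sorted(a[n])) for n in bidders])
    x_star = winners[r % len(winners)]
    prices = {}
    for n in bidders:
        others = [m for m in bidders if m != n]
        _, alpha_n = wdp(goods, others, bids)          # alpha_n: solve without n's bids
        prices[n] = alpha_n - sum(bids[m].get(x_star[m], 0) for m in others)
    return x_star, prices

def sound(goods, x_star, prices):
    """Slide-16 properties: bundles pairwise disjoint, allocated goods all drawn
    from Omega, and every price non-negative."""
    bundles = list(x_star.values())
    disjoint = all(a.isdisjoint(b) for i, a in enumerate(bundles) for b in bundles[i + 1:])
    in_omega = frozenset().union(*bundles) <= set(goods)
    return disjoint and in_omega and all(p >= 0 for p in prices.values())

# Constructed sample: bidder 1 wants the pair, bidders 2 and 3 each want one good.
GOODS = ["a", "b"]
BIDS = {1: {frozenset("a"): 4, frozenset("b"): 3, frozenset("ab"): 9},
        2: {frozenset("a"): 6},
        3: {frozenset("b"): 5}}
```

With these bids the pair-bidder loses (11 > 9) and pays nothing, while bidders 2 and 3 pay exactly the loss they impose on the others, as (1) prescribes.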
VCG auctions are functions
Theorem
Consider a combinatorial VCG auction. Given any set of goods and feasible bid vectors, and a random number, r, there is exactly one solution to the WDP at prices p_n as defined in equation (1).

- as Isabelle accepts vcgas, it is a (total) function, mapping from every element of its domain to a unique result
- it remains to prove that vcgas returns a singleton

theorem vcgaDefiniteness:
assumes “distinct Ω” and “set Ω ≠ {}” and “finite N”
shows “card (vcgas N Ω b r) = 1”

- “distinct” states that Ω contains each good exactly once
- “card” returns the cardinality of finite sets (n.b. 0 for ∅ and for infinite sets)
13 / 24
Proving that vcgas returns a singleton
1 proof−
2 have “card ((argmax setsum) (randomBids N Ω b r)
3 ((argmax setsum) b (allAllocations (N ∪ seller) (set Ω)))) = 1”
4 (is “card ?X = 1”) using assms lm08 by blast
5 moreover have “(Outside′ seller) ‘ ?X = vcgas N Ω b r” by blast
6 ultimately show ?thesis using cardOneImageCardOne by blast
7 qed

- proof begins the proof; the − switch selects manual inference
- have . . . using . . . by structures the proof:
  have asserts the expressions to be proved
  using introduces the facts to be used in discharging the proof obligation
  by invokes a specified proof method
14 / 24
Proving that vcgas returns a singleton
- lines 2, 3: claim that the cardinality of the set of solutions to the second WDP (prior to removing the seller’s allocation) is 1
- line 4: establishes it by applying a proof method called blast to the theorem’s assumptions, assms, and a pre-existing lemma
- blast manipulates ‘simple’ objects in higher-order logic
- lemma cardOneImageCardOne can quantify over all functions and sets, but need only do so over the function Outside′ seller and the set of allocations ?X
- line 5: (Outside′ seller) ‘ A is a singleton whenever A is
- line 6: ultimately refers to the previously established results prefixed by moreover; show notes that we next seek to establish ?thesis, the proof obligation at the current level of reasoning
15 / 24
Other theorems formally proved
Theorem
Consider a combinatorial VCG auction. Then the sets X*_1, . . . , X*_N are pairwise disjoint.

Theorem
Consider a combinatorial VCG auction. Then g ∈ X*_m implies g ∈ Ω.

Theorem
For a VCG auction, the prices defined in (1) are non-negative ∀n ∈ N.
16 / 24
Code extraction
Classical and constructive definitions
1 classical definitions
- often intuitive, expressed in terms of characterising properties
- no information on how to compute

Example (Classical set maximum)

$$\operatorname{Max} X \equiv \{\, x \in X \mid \nexists\, y \in X \text{ s.t. } y > x \,\}$$

2 constructive definitions
- less useful in proving theorems, as no mention of characterising properties
- computable

Example (Computable set maximum)
- define the helper function max in the usual way on pairs of objects
- define the base case for the inductively defined Max: Max {a} = a
- define the recursive step: Max ({a} ∪ A) = max (a, Max A)
18 / 24
Bridging theorems
- our classical definition of injections is non-computable

“injections X Y = {R . Domain R = X ∧ Range R ⊆ Y ∧ runiq R ∧ runiq (R⁻¹)}”

- for finite sets, we define a computable version

fun injections_alg where
  “injections_alg [] Y = [{}]” |
  “injections_alg (x#xs) Y = concat [[R +* {(x, y)} . y ← sorted_list_of_set (Y − Range R)] . R ← injections_alg xs Y]”

- a bridging theorem shows their equivalence

theorem injections_equiv:
  assumes “finite Y” and “distinct X”
  shows “set (injections_alg X Y) = injections (set X) Y”
19 / 24
Conclusions
- we apply mechanised reasoning to a well-known auction design
1 formally prove basic ‘soundness’ properties of that design
2 extract verified code from the sound design to execute it
3 easily alter definitions (e.g. replace vcgp with a 1st price function): all proofs above go through immediately, except non-negative prices (which becomes easier)
- in doing so, we are building an auction theory toolbox: https://github.com/formare/auctions
- next steps?
1 apply the above techniques to novel auctions: more valuable in more complex auctions
2 automated search for new results in auction theory
21 / 24
Appendix References
References I
[AH77] Kenneth Appel and Wolfgang Haken. “Every Planar Map is Four Colorable Part I: Discharging”. In: Illinois Journal of Mathematics 21.3 (1977), pp. 429–490.
[AHK77] Kenneth Appel, Wolfgang Haken, and John Koch. “Every Planar Map is Four Colorable Part II: Reducibility”. In: Illinois Journal of Mathematics 21.3 (1977), pp. 491–567.
[AM06] Lawrence M. Ausubel and Paul Milgrom. “The Lovely but Lonely Vickrey Auction”. In: Combinatorial auctions. Ed. by Peter Cramton, Yoav Shoham, and Richard Steinberg. MIT Press, 2006. Chap. 1, pp. 17–40.
[BBP04] Salvador Barberà, Walter Bossert, and Prasanta K. Pattanaik. “Ranking sets of objects”. In: Handbook of Utility Theory. Ed. by Salvador Barberà, Peter J. Hammond, and C. Seidl. Vol. II. Dordrecht: Kluwer Academic Publishers, 2004, pp. 893–977.
22 / 24
References II
[CS14] Siddharth Chatterjee and Arunava Sen. “Automated Reasoning In Social Choice Theory – Some Remarks”. In: Mathematics in Computer Science 8.1 (2014), pp. 5–10.
[GE11] Christian Geist and Ulle Endriss. “Automated search for impossibility theorems in social choice theory: ranking sets of objects”. In: Journal of Artificial Intelligence Research 40 (2011), pp. 143–174.
[Gon08] Georges Gonthier. “Formal proof – the four color theorem”. In: Notices of the AMS 55.11 (2008), pp. 1382–1393.
[Hal05] Thomas C. Hales. “A proof of the Kepler conjecture”. In: Annals of Mathematics 162.3 (2005), pp. 1065–1185.
[Hal12] Thomas Hales. Dense Sphere Packings. A Blueprint for Formal Proofs. London Mathematical Society Lecture Note Series 400. Cambridge University Press, Sept. 6, 2012.
[Har06] John Harrison. Floating-Point Verification using Theorem Proving. Ed. by Marco Bernardo and Alessandro Cimatti. Bertinoro, Italy, 2006.
23 / 24
References III
[HMT71] Léon Henkin, James Donald Monk, and Alfred Tarski. Cylindric algebras, Part I. Vol. 64. Studies in Logic. North Holland, 1971.
[McC97] William McCune. “Solution of the Robbins problem”. In: Journal of Automated Reasoning 19.3 (1997), pp. 263–276.
[TL09] Pingzhong Tang and Fangzhen Lin. “Computer-aided proofs of Arrow’s and other impossibility theorems”. In: Artificial Intelligence 173.11 (2009), pp. 1041–1053.
[Woo+09] Jim Woodcock et al. “Formal method: practice and experience”. In: ACM Computing Surveys 41.4 (2009), pp. 1–40.
24 / 24