On the Geometry of Differential Privacy
Moritz Hardt, Kunal Talwar
Introduction
The problem of Privacy-preserving data analysis has attracted a lot of attention in recent years. Several databases, e.g. those held by the Census Bureau, contain private data provided by individuals, and protecting the privacy of those individuals is an important concern. Differential Privacy is a rigorous notion of privacy that allows statistical analysis of sensitive data while providing strong privacy guarantees even in the presence of an adversary armed with arbitrary auxiliary information. We refer the reader to the survey of Dwork [Dwo08] and the references therein for further motivation and background information.
We consider the following general setting: A database is represented by a vector . The queries that the analyst may ask are linear combinations of the entries of . More precisely, a multidimensional query is a map , and we will restrict ourselves to linear maps with coefficients in the interval $Fd\times nd\leqslant nx\in\Re^{n}F\colon\Re^{n}\to\Re^{d}a\in\Re^{d}.x,x^{\prime}\in\Re^{n}\|x-x^{\prime}\|_{1}\leqslant 1\exp(\varepsilon)\varepsilon>0\varepsilonFxa.$
In this work, we use methods from convex geometry to determine a nearly optimal trade-off between privacy and error. We will see a lower bound on how much error any differentially private mechanism must add. And we present a mechanism whose error nearly matches this lower bound.
As mentioned, the above setup is fairly general. To illustrate it and facilitate comparison with previous work, we will describe some specific instantiations below.
Suppose we have a database , containing private information about individuals. We can think of each individual as belonging to one of types. The database can then naturally be translated to a histogram , i.e., counts the number of individuals of type . Note that in the definition of differential privacy, we require the mechanism to be defined for all and demand that the output distributions be close whenever . This is a stronger requirement than asserting this property only for integer vectors and . It only makes our upper bounds stronger. For the lower bounds, this strengthening allows us to ignore the discretization issues that would arise in the usual definition. However, our lower bounds can be extended for the usual definition for small enough and large enough (see Appendix B). Now, our upper bound holds for any linear query on the histogram. This includes some well-studied and natural classes of queries. For instance, contingency tables (see, e.g., [BCD+07]) are linear queries on the histogram.
Private bits.
In the setting looked at by Dinur and Nissim [DN03], the database consists of one private bit for each individual and each query ask for the number of ’s amongst a (random) subset on . Given such queries, one can define types of individuals, depending on the subset of the queries that ask about an individual. The vector then maps to a histogram in the natural way with denoting the number of individuals of type with their private bit set to . Our results then imply a lower bound of per answer for any -differentially private mechanism. This improves on the bound for from [DN03] for a weaker privacy definition (blatant non-privacy). A closely related rephrasing is to imagine each individual having private attributes so that . The queries that ask for the -way marginals of the input naturally map to a matrix and Theorem 1.1 implies a lower bound of noise per marginal for such queries.
One can also look at itself as a database where each individuals private data is in $nN$. Our results lead to better upper bounds for this setting.
1 Our results
Recall, the term error refers to the expected Euclidean distance between the output of the mechanism and the correct answer to the query .
As it turns out, when is a random Bernoulli matrix our upper bound matches the lower bound up to constant factors. In this case, is a random polytope and its volume and average Euclidean norm have been determined rather recently. Specifically, we apply a volume lower bound of Litvak et al. [LPRN05], and an upper bound on the average Euclidean norm due to Klartag and Kozma [KK09]. Quantitatively, we obtain the following theorem.
Let and Then, for almost all matrices ,
any -differentially private mechanism has error .
the -norm mechanism is -differentially private with error
We remark that Litvak et al. also give an explicit construction of a mapping realizing the lower bound.
Notice that the bound in the previous theorem differs from the lower bound by a factor of A central conjecture in convex geometry, sometimes referred to as the “Hyperplane Conjecture” or “Slicing Conjecture” (see [KK09] for further information) states that
Unfortunately, in general the polytope could be very far from isotropic. In this case, both our volume-based lower bound and the -norm mechanism can be quite far from optimal. We give a recursive variant of our mechanism and a natural generalization of our volume-based lower bound which are nearly optimal even if is non-isotropic.
While we restricted our theorems to , they apply more generally to any linear mapping
Our mechanism is an instantiation of the exponential mechanism and involves sampling random points from rather general high-dimensional convex bodies. This is why our mechanism is not efficient as it is. However, we can use rapidly mixing geometric random walks for the sampling step. These random walks turn out to approach the uniform distribution in a metric that is strong enough for our purposes. It will follow that both of our mechanisms can be implemented in polynomial time.
The mechanisms given in Theorem 1.2 and Theorem 1.5 can be implemented in time polynomial in such that the stated error bound remains the same up to constant factors, and the mechanism achieves -differential privacy.
2 Previous Work
Queries of the kind described above have (total) sensitivity , and hence the work of Dwork et al. [DMNS06] shows that adding Laplace noise with parameter to each entry of ensures -differential privacy. Moreover, adding Laplace noise to the histogram itself leads to another private mechanism. Thus such questions can be answered with noise per entry of . Some specific classes of queries can be answered with smaller error. Nissim, Raskhodnikova and Smith [NRS07] show that one can add noise proportional to a smoothed version of the local sensitivity of the query, which can be much smaller than the global sensitivity for some non-linear queries. Blum, Ligett and Roth [BLR08] show that it is possible to release approximate counts for all concepts in a concept class on with error , where is the VC dimension of the concept class. Their bounds are incomparable to ours, and in particular their improvements over the Laplacian mechanism kick in when the number of queries is larger than the size of the database (a range of parameters we do not consider). Feldman et al. [FFKN09] construct private core sets for the -median problem, enabling approximate computation of the -median cost of any set of facilities in . Private mechanisms with small error, for other classes of queries have also been studied in several other works, see e.g. [BDMN05, BCD+07, MT07, CM08, GLM+10].
3 Overview and organization of the paper
In this section we will give a broad overview of our proof and outline the remainder of the paper.
Section 2 contains some preliminary facts and definitions. Specifically, we describe a linear program that defines the optimal mechanism for any set of queries. This linear program (also studied in [GRS09] for the one-dimensional case) is exponential in size, but in principle, given any query and error function, can be used to compute the best mechanism for the given set of queries. Moreover, dual solutions to this linear program can be used to prove lower bounds on the error. However, the asymptotic behavior of the optimum value of these programs for multi-dimensional queries was not understood prior to this work. Our lower bounds can be reinterpreted as dual solutions to the linear program. The upper bounds give near optimal primal solutions. Also, our results lead to a polynomial-time approximation algorithm for the optimum when is linear.
Indeed, using several results from convex geometry, we observe that our lower and upper bounds match up to constant factors when is drawn at random from . As it turns out the polytope can be interpreted as the symmetric convex hull of the row vectors of When is a random matrix, is a well-studied random polytope. Some recent results on random polytopes give us suitable lower bounds on the volume and upper bounds on the average Euclidean norm. More generally, our bounds are tight whenever is in isotropic position (as pointed out in Section 6). This condition intuitively gives a relation between volume and average distance from the origin. Our bounds are actually only tight up to a factor of the isotropic constant of A well-known conjecture from convex geometry, known as the Hyperplane Conjecture or Slicing Conjecture, implies that
The problem is that when is not drawn at random, could be very far from isotropic. In this case, the -norm mechanism by itself might actually perform poorly. We thus give a recursive variant of the -norm mechanism in Section 7 which can handle non-isotropic bodies. Our approach is based on analyzing the covariance matrix of in order to partition into parts on which our earlier mechanism performs well. Assuming the Hyperplane conjecture, we derive bounds on the error of our mechanism that are optimal to within polylogarithmic factors.
Some complications arise, since we need to repeat the privacy and optimality analysis of our mechanisms in the presence of approximation errors (such as an approximate covariance matrix and an approximate separation oracle for ). The details can be found in Section 8.
We would like to thank Frank McSherry, Aaron Roth, Katrina Ligett, Indraneel Mukherjee, Nikhil Srivastava for several useful discussions, and Adam Smith for discussions and comments on a previous version of the paper.
Preliminaries
1 Differential Privacy
A mechanism is a family of probability measures where each measure is defined on . A mechanism is called -differentially private, if for all such that , we have where the supremum runs over all measurable subsets .
A common weakening of -differential privacy is the following notion of approximate privacy.
A mechanism is called -approximate -differentially private, if for all such that for all measurable subsets whenever,
The definition of privacy is transitive in the following sense.
If is an -differentially private mechanism and satisfy , then for measurable we have
We will consider mappings which possess the Lipschitz property, In this case, we will say that has sensitivity .
Our goal is to show trade-offs between privacy and error. The following standard upper bound, usually called the Laplacian mechanism, is known.
When it comes to approximate privacy, the so-called Gaussian mechanism provides the following guarantee.
2 Isotropic Position
We say a convex body is in isotropic position with isotropic constant if for every unit vector ,
For every convex body , there is a volume-preserving linear transformation such that is in isotropic position.
For an arbitrary convex body , its isotropic constant can then be defined to be where brings to isotropic position. It is known (e.g. [MP89]) that is unique up to an orthogonal transformation and thus this is well-defined.
We refer the reader to the paper of Milman and Pajor [MP89], as well as the extensive survey of Giannopoulos [Gia03] for a proof of this fact and other facts regarding the isotropic constant.
3 Gamma Distribution
4 Linear Programming Characterization
A mechanism is specified by a distribution on for every . Assume for simplicity that and are both finite. Thus a mechanism is fully defined by real numbers , where is the probability that the mechanism outputs answer on databases . The constraints on for an -differentially private mechanism are given by
The expected error (under any given prior over databases) is then a linear function of the variables and can be optimized. Similarly, the worse case (over databases) expected error can be minimized, and we will concentrate on this measure for the rest of the paper. However these linear programs can be prohibitive in size. Moreover, it is not a priori clear how one can use this formulation to understand the asymptotic behavior of the error of the optimum mechanism.
Our work leads to a constant approximation to the optimum of this linear program when is a random in and an -approximation otherwise.
Lower bounds via volume estimates
In this section we show that lower bounds on the volume of the convex body give rise to lower bounds on the error that any private mechanism must have with respect to .
A set of points is called a -packing if for any .
We will now assume that is an -differentially private mechanism with error and lead this to a contradiction for small enough . For this we set . By the assumption on the error, Markov’s inequality implies that for all , we have where is a ball of radius centered at . Since is an -packing, the balls are disjoint for small enough constant .
Since , it follows from -differential privacy with Fact 2.3 that
Since the balls are pairwise disjoint,
for . We have thus obtained a contradiction. ∎
Let and suppose is a linear map and let . Furthermore, let denote the orthogonal projection operator of a -dimensional subspace of for some Then, every -differentially private mechanism must have
Note that a differentially private answer to can be projected down to a (differentially private) answer to and is norm operator. ∎
where the supremum is taken over all and all -dimensional orthogonal projections .
Our lower bound used the fact that the mechanism is defined on all vectors . In Appendix B, we show how the lower bound can be extended when restricting the domain of the mechanism to integer vectors where distance is measured in the Hamming metric.
1 Lower bounds for small number of queries
As shown previously, the task of proving lower bounds on the error of private mechanisms reduces to analyzing the volume of When this is a straightforward task.
This lower bound shows that the standard upper bound from Theorem 2.6 is, in fact, optimal when
The K𝐾K-norm mechanism
In this section we describe a new differentially private mechanism, which we call the -norm mechanism.
Given a linear map and , we let and define the mechanism so that each measure is given by the probability density function
defined over Here denotes the normalization constant
A more concrete view of the mechanism is provided by Figure 2 and justified in the next remark.
We can sample from the distribution as follows:
Indeed, if , then the distribution of as above follows the probability density function
which is in agreement with (5). That is,
The next theorem shows that the -norm mechanism is indeed differentially private. Moreover, we can express its error in terms of the expected distance from the origin of a random point in
When ,
Privacy follows from the fact that the mechanism is a special case of the exponential mechanism [MT07]. For completeness, we repeat the argument.
Suppose that . It suffices to show that for all , the densities of and are within multiplicative , i.e.,
where in the first inequality we used the triangle inequality for . In the second step we used that and hence which means
Hence, the mechanism satisfies -differential privacy. ∎
Matching bounds for random queries
In this section, we will show that our upper bound matches our lower bound when is a random query. A key observation is that is the symmetric convex hull of (random) points , i.e., the convex hull of , where is the th column of . The symmetric convex hull of random points has been studied extensively in the theory of random polytopes. A recent result of Litvak, Pajor, Rudelson and Tomczak-Jaegermann [LPRN05] gives the following lower bound on the volume of the convex hull.
Let and let denote a random Bernoulli matrix. Then,
with probability for any Furthermore, there is an explicit construction of points in whose convex hull achieves the same volume.
We are mostly interested in the range where in which case the theorem was already proved by Giannopoulos and Hartzoulaki [GH02] (up to a weaker bound in the probability and without the explicit construction).
The bound in (7) is tight up to constant factors. A well known result [BF88] shows that the volume of the convex hull of any points on the sphere in of radius is bounded by
Notice, that in our case and in fact the vertices of are points on the -dimensional sphere of radius . However, equation (7) states that the normalized volume of the random polytope will be proportional to the volume of the Euclidean ball of radius rather than When , this means that the volume of will be tiny compared to the volume of the infinity ball . By combining the volume lower bound with Theorem 3.3, we get the following lower bound on the error of private mechanisms.
Let and . Then, for almost all matrices , every -differentially private mechanism must have
We use this paragraph to point out that our lower bound immediately implies a separation between approximate and exact differential privacy.
Theorem 2.7 gives a mechanism providing -approximate -differential privacy with error as long as Our lower bound in Theorem 5.2 on the other hand states that the error of any -differentially private mechanism must be (assuming ). We get the strongest separation when and is constant. In this case, our lower bound is a factor larger than the upper bound for approximate differential privacy.
2 Upper bound on average Euclidean norm
Let be a random Bernoulli matrix and put . Then, there is a constant so that with probability greater than ,
An application of Jensen’s inequality thus gives us the following corollary.
Let and . Then, for almost all matrices , the mechanism is -differentially private with error at most
Approximately isotropic bodies
The following definition is a relaxation of nearly isotropic position used in literature (e.g., [KLS97])
We say a convex body is in -approximately isotropic position if for every unit vector ,
The results of Klartag and Kozma [KK09] referred to in the previous section show that the symmetric convex hull random points from the -dimensional hypercube are in -approximately isotropic position and have . More generally, the -norm mechanism can be shown to be approximately optimal whenever is nearly isotropic.
We can see that the previous upper bound is tight up to a factor of . Estimating for general convex bodies is a well-known open problem in convex geometry. The best known upper bound for a general convex body is due to Klartag [Kla06], improving over the estimate of Bourgain from ’91. The conjecture is that .
There exists such that for every and every convex set , .
Assuming this conjecture we get matching bounds for approximately isotropic convex bodies.
Let Assuming the hyperplane conjecture, for every such that is -approximately isotropic, the -norm mechanism is -differentially private with error at most
Non-isotropic bodies
In this section, we will design a recursive mechanism that can handle such non-isotropic convex bodies. To this end, we will need to introduce a few more notions from convex geometry.
Having defined the covariance matrix, we can describe a recursive mechanism for the case when is not in isotropic position. The idea of the mechanism is to act differently on different eigenspaces of the covariance matrix. Specifically, the mechanism will use a lower-dimensional version of on subspaces corresponding to few large eigenvalues.
The image of above is a -dimensional subspace of We assume that in the recursive call , the -norm mechanism is applied to a basis of this subspace. However, formally the output is a -dimensional vector.
To analyze our mechanism, first observe that the recursive calls terminate after at most steps. For each recursive step , let denote the distribution over the output of the -norm mechanism in step 3. Here, denotes the -dimensional body given in step
The mechanism satisfies -differential privacy.
We claim that for every step , the distribution over is -differentially private. Notice that this claim implies the lemma, since the joint distribution of is -differentially private. In particular, this is true for the final output of the mechanism as it is a function of
The error analysis of our mechanism requires more work. In particular, we need to understand how the volume of compares to the norm of As a first step we will analyze the volume of
2 Volume in eigenspaces of the covariance matrix
Our goal in this section is to express the volume of in eigenspaces of the covariance matrix in terms of the eigenvalues of the covariance matrix. This will be needed in the analysis of our mechanism for non-isotropic bodies.
We start with a formula for the volume of central sections of isotropic bodies. This result can be found in [MP89].
Let be an isotropic body of unit volume. Let denote a -dimensional subspace for . Then,
Here, is an explicitly defined isotropic convex body.
Observe that the contains since is the identity on ∎
We cannot immediately use these results since they only apply to isotropic bodies and we are specifically dealing with non-isotropic bodies. The trick is to apply the previous results after transforming into an isotropic body while keeping track how much this transformation changed the volume.
As a first step, the following lemma relates the volume of projections of an arbitrary convex body to the volume of projections of for some linear mapping .
Let be a symmetric convex body. Let be a linear map which has eigenvectors with eigenvalues . Let and suppose Denote by be the projection operator onto the subspace Then,
For simplicity, we assume that the eigenvectors of are the standard basis vectors ; this is easily achieved by applying a rotation to . Now, it is easy to verify that where . Thus we can write
Before we can finish our discussion, we will need the fact that the isotropic constant of can be expressed in terms of the determinant of
Let be a convex body of unit volume. Then,
We conclude with the following Proposition 7.7.
Let be a symmetric convex body. Let have eigenvectors with eigenvalues . Let with and suppose Denote by be the projection operator onto the subspace Then,
where is . Moreover, assuming the Hyperplane conjecture, .
Since is in isotropic position and has unit volume, Corollary 7.4 implies that
Thus the required inequality holds with an additional term. By assumption on , is at most . Moreover, , so that this additional term is a constant. As discussed above, is by [Kla06], and assuming the Hyperplane Conjecture 6.3. Hence the claim. ∎
3 Arguing near optimality of our mechanism
Our next lemma shows that the expected squared Euclidean error added by our algorithm in each step is bounded by the square of the optimum. We will first need the following fact.
Let be a centered convex body. Let denote the eigenvalues of with a corresponding orthonormal eigenbasis Then, for all ,
Let denote the random variable returned by the -norm mechanism in step (3) in the above description of . Then,
For simplicity, we will assume that is even and hence The analysis of the -norm mechanism (Theorem 4.3 with ) shows that the random variable returned by the -norm mechanism in step (3) satisfies
Since , it follows that
The case of odd is similar except that we define to be the projection onto the first eigenvectors. ∎
We have to sum up the error over all recursive calls of the mechanism. To this end, let denote the output of the -norm mechanism in step projected to the corresponding subspace . Also, let denote the final output of our mechanism. We then have,
Let . Suppose is a linear map. Further, assume the hyperplane conjecture. Then, there is an -differentially private mechanism with error
Efficient implementation of our mechanism
Membership in can be decided efficiently.
is bounded, in the sense that .
Both conditions are naturally satisfied in our case where for some . Indeed, and we may always assume that , for instance, by considering rather than . This will only increase the noise level by in Euclidean distance. Notice that is convex. In order to implement the membership oracle for , we need to be able to decide for a given , whether there exists an such that . These constraints can be encoded using a linear program. In the case of this can be done using convex programming [GLS94].
The mixing time of the Grid walk is usually quantified in terms of the total variation (or ) distance between the random walk and its stationary distribution. The stationary distribution of the grid Walk is the uniform distribution over . Standard arguments show that an -bound gives us -approximate -differential privacy where can be made exponentially small in polynomial time. In order to get exact privacy () we instead need a multiplicative guarantee on the density of the random walk at each point in
In Appendix A, we show that the Grid Walk actually satisfies mixing bounds in the relative -metric which gives us the following theorem. We also need to take care of the fact that the stationary distribution is a priori not uniform over A solution to this problem is shown in the appendix as well.
is -differentially private,
We conclude that the Grid walk gives us an efficient implementation of our mechanism which achieves the same error bound (up to constants) and -differential privacy.
The runtime stated in Theorem 8.1 depends only upon and The polynomial dependence on only comes in when implementing the separation oracle for as described earlier. Since we think of as small compared to , the exact runtime of our algorithm heavily depends upon how efficiently we can implement the separation oracle.
In the non-isotropic case we additionally need to compute the subspaces and to project onto (Step 2 of the algorithm). Note that these subspaces themselves depend only on the query and not on the database . Thus these can be published and the mechanism maintains its privacy for an arbitrary choice of subspaces and . The choice of in Section 7 depended on the covariance matrix , which we do not know how to compute exactly. We next describe a method to choose and that is efficient such that the resulting mechanism has essentially the same error. The sampling from can then be replaced by approximate sampling as in the previous subsection, resulting in a polynomial-time differentially private mechanism with small error.
First note that for any
Generalizations of our mechanism
Moreover, in cases when one does not have a good handle on itself, one can use any convex body containing .
Local Sensitivity.
Nissim, Raskhodnikova and Smith [NRS07] define smooth sensitivity and show that one can design approximately differentially private mechanism that add noise proportional to the smooth sensitivity of the query. This can be significant improvement when the local sensitivity is much smaller than the global sensitivity. Notice that such queries are necessarily non-linear. We point out that one can define a local sensitivity analogue of the -norm mechanism by considering the polytopes and adapting the techniques of [NRS07] accordingly.
References
In this section, we sketch the proof of Theorem 8.1. We will be interested in the mixing properties of Markov chains over some measured state space We will need to compare probability measures over the space
The relative -distance is defined as
For a Markov chain , we will be interested in the mixing time in the -metric. That is the smallest number such that Here, is the distribution of at step and denotes the stationary distribution of The relevance of the -norm for our purposes is given by the following fact.
Suppose is an -differentially private mechanism and suppose satisfies for some and all . Then, is -differentially private.
where we used that for
Now, let satisfy . By the previous inequality, we have
In the last inequality, we used the assumption that is -differentially private. Hence, we have shown that is -differentially private. ∎
Finally, the bound on the moments of the Gamma distribution from Fact 2.10 implies that the expected running time of this algorithm is polynomial in .
Appendix B Lower bounds for Differential Privacy with respect to Hamming Distance
We can then repeat the proof of theorem 3.3, with minor modifications to handle the non-negative integer constraint.
Let and suppose is a linear map and let . Then, every -differentially private mechanism for computing must have
Now we come up with a similar set . For each , we round each randomly up or down, i.e. , with probability , and otherwise. It is easy to check that . so that with probability , . Moreover, and each random choice can change by at most . Thus martingale concentration results imply that with probability , . Thus there exists a choice of so that both these events happen. Let denote the vector and set . This defines our set which is easily seen to be in . In fact, . Moreover, for , is a -packing.
Now assume that is an -differentially private mechanism with error and lead this to a contradiction. By the assumption on the error, Markov’s inequality implies that for all , where is a ball of radius centered at . By the packing property above, the balls are disjoint.
Since , it follows from -differential privacy with Fact 2.3 that
Since the balls are pairwise disjoint,
for . We have thus obtained a contradiction. ∎
Translating the lower bound from Theorem 5.2 to this setting, we get
Let for a universal constant and let . Then there exists a linear map such that every -differentially private mechanism for computing must have
We remark that this lower bound holds for .
Appendix C Dilated Ball containment
Let be a convex body in such that for some . Then a dilation is contained in .
Let be a unit vector. Suppose that . Then by the Separating Hyperplane theorem (see, e.g., [BV04]), there is a hyperplane separating from . Thus there is a unit vector and a scalar such that and for all . Let . Then by triangle inequality, . Moreover,
This however contradicts the assumption that that . Since was arbitrary, the lemma is proved. ∎